P2P: Fix preferred frequency list size handling in p2p_check_pref_chan()
Currently, the P2P GO (Group Owner) prefers the PCL (Preferred Channel
List) from the driver to select the operating channel for group
formation. However, wpa_supplicant is limiting the maximum allowed
channels to "num_pref_freq", even though the driver may return a longer
list.
To fix this, update the logic in p2p_check_pref_chan() to use
ARRAY_SIZE(p2p->pref_freq_list) when passing the size to
get_pref_freq_list(), and update p2p->num_pref_freq based on the value
returned by the driver function. This ensures the preferred frequency
list is sized correctly according to the driver response.
Cancel pending connect radio work when network is removed
When a network is removed it is not desired to proceed the connect
process. So cancel corresponding pending connect work when the related
network is removed.
Jay Shukla [Mon, 9 Jun 2025 18:25:04 +0000 (23:55 +0530)]
Add QCA vendor interface for configuring feature control configurations
Add QCA_NL80211_VENDOR_SUBCMD_FEATURE_CONFIG to control the features
enablement based on the OUI data and capabilities advertised by the AP
in its Beacon and Probe Response frames.
Signed-off-by: Jay Shukla <jayshukl@qti.qualcomm.com>
AP MLD: Deinitt BSS link if starting beaconing fails
In the current implementation, when hostapd_start_beacon() fails during
AP MLD setup, it flushes old station entries, deauthentcates all
stations, and frees hapd data. However, it does not unlink the
associated BSS from the AP MLD structure.
While performing wifi stability testing during interface down/up, this
retains a stale reference to the freed BSS. Subsequent attempts to
access MLD links post-failure lead to a segmentation fault due to this
use-after-free condition.
Fix this by unlinking the BSS from the AP MLD on failure paths to
prevent potential use-after-free scenarios.
Kashish Awasthi [Wed, 25 Jun 2025 09:02:51 +0000 (14:32 +0530)]
Add QCA vendor attributes for DAR configurations
Add Dynamic Analytics Report (DAR) configuration subcommand based on
Wi-Fi Alliance QoS Management specification to initiate DAR request or
terminate existing DAR session.
Implementation and scheduling of DAR statistics is present in the
driver/firmware. DAR reports and control plane events attribute are
filled in the driver. This interface is used to configure the required
parameters to the driver/firmware for DAR request and DAR session
terminate frames.
Add QCA_NL80211_VENDOR_SUBCMD_LINK_STATE_CHANGE event to notify the
current active and inactive links among the affiliated MLO links. This
event is sent to userspace when there is a change in the status of the
links along with the reason for the link status change.
Add QCA vendor subcommand/event and attributes for telemetry statistics
Add two new vendor subcommand/events for telemetry statistics request.
1. QCA_NL80211_VENDOR_SUBCMD_WLAN_TELEMETRY_WIPHY
2. QCA_NL80211_VENDOR_SUBCMD_WLAN_TELEMETRY_WDEV
Currently in the vendor subcmd processing one subcommand can support
either wireless_dev(WDEV) or WIPHY based on the flags set in
wiphy_vendor_command. Hence to support both WDEV and WIPHY two vendor NL
subcommands were added.
This vendor subcommand/event enables the collection of WLAN statistics
across multiple hierarchical levels listed below within the driver.
This is a non-blocking request where the driver responds asynchronously
with a vendor event containing the requested statistics.
In this initial phase, only the attributes for basic RX statistics such
as RXDMA errors and REO errors are included. Keeping this as a base,
additional statistics and attributes will be added incrementally in the
future.
ACS: Fix incorrect call to hostapd_config_check_bss_6g()
In ap_drv_ops.c, the call to hostapd_config_check_bss_6g() is executed
unconditionally. However, it should only be used when the BSS is
actually configured on a 6 GHz operating class. This leads to false
configuration errors in setups where the 6 GHz BSS has proper settings
but other bands (2.4/5 GHz) share the same config structure.
Add the missing is_6ghz_op_class() condition, mirroring how it's already
used elsewhere in the codebase (e.g., in ap_config.c).
Fix verified on OpenWRT 24.10-SNAPSHOT using Mediatek Wi-Fi 7 hardware.
Fixes: 02a8d40c9ffb ("ACS: Validate 6 GHz AP criteria before ACS") Signed-off-by: Christopher Söllinger <christopher.soellinger@gmail.com>
SCS: Renegotiate configured SCS policies with new AP after roaming
After STA roams to a new AP, previously configured SCS policies were not
automatically reapplied, as neither IEEE 802.11 nor WFA mandates policy
persistence across roaming events. However, it can be better for real
use cases to maintain the same configuration whenever possible.
Furthermore, the previously negotiated SCS session might still appear to
be active in wpa_supplicant status after roaming even when it was not
really in use anymore.
Ensures that active SCS rules are retriggered post-roaming to maintain
the agreed QoS levels, preserving consistent performance.
tests: Add PASN tests with user-specified authentication parameters
Introduce test cases for PASN authentication using user-preferred
network parameters such as AKMP, cipher, password, and comeback
cookie data.
These tests validate the ability to initiate PASN from the driver
with full parameter control, ensuring compatibility with recent
control interface enhancements.
PASN: Testing support for PASN with user-specified parameters
Extend control interface support to allow PASN authentication with
user-defined network parameters such as AKMP, cipher, password, and
comeback cookie to be tested with the PASN_AUTH driver event.
Update the pasn_sae_driver test case to align with these control
interface changes.
This enhancement modifies the existing PASN_DRIVER command to accept
additional parameters beyond just the peer BSSID, which was a limitation
in the earlier implementation. This command is included only in
CONFIG_TESTING_OPTIONS builds.
Allow PASN Authentication with a comeback request after the AP's
requested comeback time, as indicated in the status report of the PASN
handshake. Also enable the comeback mechanism by including comeback time
and cookie in the status report to extend PASN Authentication with
comeback.
PASN: Authentication with user-specified network parameters
Allow PASN Authentication with user requested network parameters such
as AKMP, cipher, and password in driver initiated cases.
These changes will allow user to choose which AKMP and cipher to use
with PASN Authentication and also to specified the password in case of
PASN-SAE. When the password is supplied a temporary network block is
created and used to perform PASN. Any temporary network block that is
created will be destroyed after PASN regardless of whether PASN succeeds
or fails.
nl80211: Propagate newly introduced parameters for PASN events
Allow the driver to initiate PASN Authentication using user-preferred
AKMP, cipher for secure ranging, and password for SAE-tunneled PASN
authentication in the cases that use driver event to trigger PASN.
These helper functions for converting between cipher/AKM suites and
internal bitmaps should not be limited to cases where a pointer to a
buffer containing the suite selector is used. Split them into separate
functions that enable more convenient reuse in other places.
Shivani Baranwal [Wed, 11 Jun 2025 05:35:30 +0000 (11:05 +0530)]
tests: Remove setting of P2P pairing setup and pairing cache config
The P2P_SET control interface command for manual configuration of P2P2
pairing setup and caching has been removed. Remove setting of these
parameters from test cases.
Shivani Baranwal [Wed, 11 Jun 2025 05:09:46 +0000 (10:39 +0530)]
P2P2: Remove P2P_SET setting of pairing_setup and pairing_cache
Pairing setup and cache are now derived from driver capabilities. Remove
the control iface P2P_SET commands to set P2P pairing_setup and
pairing_cache.
Shivani Baranwal [Wed, 28 May 2025 09:58:11 +0000 (15:28 +0530)]
P2P2: Remove configuration params p2p_pairing_setup and p2p_pairing_cache
These configuration parameters were added initially to configure them
through wpa_supplicant configutation files. These are not being used as
now the p2p_pairing_setup and p2p_pairing_cache are being configured
based on driver capabilities.
Nirav Shah [Fri, 30 May 2025 16:30:06 +0000 (22:00 +0530)]
Add QCA vendor attributes for latency based power save mode
Add QCA vendor attributes
QCA_WLAN_VENDOR_ATTR_CONFIG_OPM_LATENCY_TOLERANCE and
QCA_WLAN_VENDOR_ATTR_CONFIG_OPM_LEVEL to configure
latency based power save mode.
Shubham Joshi [Tue, 17 Jun 2025 05:46:48 +0000 (11:16 +0530)]
Preserve user roaming configuration across connection state changes
Prevent unintended roaming re-enablement after connection state
changes, even when user configuration disables it.
If user disables roaming, but after each state change post-connection,
wpa_supplicant re-enables roaming when bssid_set is false. This migh
cause the driver to send a roam enable configuration to the firmware,
overriding the user's intent.
Fix this by ensuring wpa_supplicant logic to check both bssid_set and
the user’s roaming configuration (`SET roaming`) after each connection
state change. Ensure roaming is only re-enabled if explicitly
configured, allowing the driver to maintain the intended roaming state
throughout the connection.
Mohan Kumar G [Tue, 17 Jun 2025 15:01:01 +0000 (20:31 +0530)]
Avoid set beacon operations when color change is in progress
Avoid setting beacon during BSS Color Change Announcement (CCA), similar
to Channel Switch Announcement (CSA), as beacon updates to the
corresponding BSSes are not allowed during this period.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com>
Kavita Kavita [Thu, 19 Jun 2025 08:20:47 +0000 (13:50 +0530)]
PASN: Check auth alg to avoid unnecessary Authentication frames parsing
PASN authentication frames are processed before SAE authentication
frames for driver-to-userspace offloased case without verifying the
authentication algorithm in the received frame. This results in
unnecessary frame parsing for non-PASN frames and potentially confusing
debug log entries.
Check the the authentication algorithm before the PASN frame parsing to
ensure only PASN Authentication frames are processed, avoiding
unnecessary parsing.
Benjamin Berg [Wed, 18 Jun 2025 12:22:04 +0000 (14:22 +0200)]
tests: Use logger.exception to dump full traceback
The log sometimes does not contain relevant information. Switch to use
logger.exception which dumps the full exception information. Note that
the logging happens with level ERROR, so it will be dumped to the
stdout/stderr by default.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:21 +0000 (10:10 +0200)]
tests: Permit multiple GO negotiation failures
In this test the station will do a P2P find and then send a GO
negotiation request. However, the other station may not be on the listen
channel at the time when the action frame is transmitted. In this case,
the find/GO neg request sequence is restarted.
The test currently times out if this sequence fails twice in a row. Be
more tolerant to this type of failure and increase the timeout.
It may also be possible to improve the retransmit strategy.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:20 +0000 (10:10 +0200)]
RRM: Send a refuse reply if the measurement scan failed
If the scan is aborted or missing the expected TSF BSSID, then still
send a REFUSED reply to the AP to let it know. It can request another
measurement if it wants to.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:19 +0000 (10:10 +0200)]
WPS: Fix leak of dh_ctx in error cases
Usually the dh_ctx is passed into the WPS state and is freed in that
case. However, under some circumstances this may not happen and then a
leak can occur.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:29 +0000 (10:47 +0200)]
tests: Permit encryption of Deauthentication frame
The test does not intentionally send an unencrypted frame. This seems to
simply be done because the parameter value is not obvious. Change it to
permit encryption so that the frame can be sent directly rather than
going through the monitor interface.
This really doesn't make a difference overall, but it is closer to what
was intended here.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:28 +0000 (10:47 +0200)]
tests: Ensure the RoC is setup when the NAN frame arrives
At least in UML it could sometimes happen that the RoC is ready only
slightly after the NAN frame is TXed (a few microseconds). Insert
a short sleep to prevent this race from happening.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:27 +0000 (10:47 +0200)]
tests: Generate proper dependencies for all tests
The object files were not getting any dependency information as they
were using BUILDOBJ directly. Move the rules into a separate include
file and also generate the proper dependency include so that the tests
are rebuild correctly.
This changes building of some tests slightly as their rules were using
$< instead of $^. However, it should not cause any harm.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:26 +0000 (10:47 +0200)]
tests: Improve tshark boolean output support
Newer tshark versions are exporting some values as boolean with a
False/True string value. Add a helper that accepts an integer of any
base and also a "True"/"False" string.
Update various places to use the new helper.
Fixes: bf67d09e587a ("tests: Handle newer tshark version returning boolean values") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:25 +0000 (10:47 +0200)]
tests: Add sleep to ensure wlantest processed packets
At least with EEVDF it appears to occasionally happen that wlantest has
not processed all packets but does respond to the command to query the
BSS counter. Fix this by inserting a sleep.
An alternative approach could be to force command handling into a
timeout or introducing a priority concept to eloop.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:24 +0000 (10:47 +0200)]
tests: Ensure D-Bus property change notifications happen in VM
When running in a VM (UML time-travel to be exact), it may happen that
not enough time passes and the 5 ms timeout for property notification
causes compression of events. However, some tests will check that all
property notifications were done and this compression can cause test
failures.
Work around this by simply inserting a 5 ms sleep for any signal handler
call.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:23 +0000 (10:47 +0200)]
tests: Use clear_regdom ()helper in ap_vht tests
In some places, the code did not wait for the regulatory domain change.
Replace the cleanup code with calls to clear_regdom as that does the
right thing, which should avoid errors in UML with time-travel mode.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:22:51 +0000 (16:52 +0530)]
AP MLD: Include BPCC only in (Re)Associtiation Response frames
Currently in ML Probe response, the per-STA Profile STA control has BSS
Parameters Change Count (BPCC) present by default for all frames.
As per IEEE P802.11be/D7.0, 9.4.2.322.2.4, AP sets this field to 1 in
(Re)Association Response frame and sets to 0 in other frames.
Hence, update this by including the BPCC present bitmask and BPCC value
in STA Info field for ML (Re)Association Response frames only. However,
since this seems to break interoperability with the current mac80211
implementation for processing Link Reconfiguration Response frames,
leave BPCC present in the Basic MLE in those frames as a workaround for
now.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com> Signed-off-by: Yuvarani V <yuvarani@qti.qualcomm.com> Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
For calculation ML STA profile, currently there are two macros,
EHT_ML_STA_INFO_LEN and EHT_ML_STA_INFO_LENGTH. Both points to same
length, hence remove the later and use EHT_ML_STA_INFO_LEN macro length
definition only.
PASN: Reuse existing PTKSA cache keys instead of redoing PASN
When a successful PASN exchange has already occurred with a peer,
the derived keys are stored in the PTKSA cache. If another PASN
request is received for the same peer, these cached keys should
be reused. However, the cache was previously bypassed due to the
incorrect pairwise cipher argument.
Ensure the correct parameters are set in advance, from the RSNE data
allowing the cache to be used when appropriate.
tests: Fix pasn_sae_driver to clear PTKSA cache after first PASN exchange
The test pasn_sae_driver triggers PASN for the same peers twice. In the
current implementation, when PASN succeeds, the keys generated are
stored in the PTKSA cache.
The function wpas_pasn_configure_next_peer() shows an issue where it
does not reuse keys from a previous PASN exchange, even when those keys
are available in the cache. Instead, it initiates a new PASN exchange
unnecessarily.
Fix the test case by deleting the keys from the cache after the first
PASN attempt. This ensures a full PASN exchange can occur again. A
subsequent commit will address the API behavior to reuse keys from the
cache when available.
Benjamin Berg [Tue, 10 Jun 2025 15:08:57 +0000 (17:08 +0200)]
tests: Try next tshark filter for UnknownFieldsException
The intention in commit cc35ed3e257a ("tests: Permit passing multiple
valid tshark filters") was to permit passing multiple filters in order
to permit compatibility with older tshark versions. However, this did
not work as expected for the UnknownFieldsException.
Fix that by storing it in last_exception as for other errors. This fixes
running some EHT tests with older tshark versions.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Tue, 10 Jun 2025 15:08:55 +0000 (17:08 +0200)]
ctrl_iface: Report all TBTT info elements from RNR
The existing code would only report the first TBTT entry of the first
RNR element. Add the code to first iterate all RNR elements and then
also iterate all TBTT entries for each AP information block.
Fixes: e3e68668c1f6 ("ctrl_iface: Report RNR and ML in BSS command") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Kellen Gattis [Fri, 23 May 2025 05:46:12 +0000 (22:46 -0700)]
RADIUS: Fix long extended type encoding
Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not
conform to the standard for "Long Extended Type" as defined in RFC 6929.
This was observed when using wpa_psk_radius=3 in conjunction with
wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for
245.26.11344.2 that was 256 octets in size. The expected outcome was two
fragments containing data sizes of 251 and 5 octets, but hostapd instead
created a fragment of 256 octets (exceeded the size limit) followed by a
fragment of 5 octets.
Fix the fragments preceding the final fragment to have the correct data
size by using alen instead of data_len when calling wpabuf_put_data().
Andrew Pope [Fri, 9 May 2025 00:00:30 +0000 (10:00 +1000)]
nl80211: Accept a global nl80211 event to a bridged interface
Global events originating/directed toward a bridged (i.e., WDS) station
are ignored by hostapd. These events are currently considered 'foreign'
and are dropped.
This problem was initially discovered while testing the configuration
parameter 'disassoc_low_ack=1' for bridged stations. It was observed
that the event 'STATION_LOW_ACK', communicated in
'NL80211_CMD_NOTIFY_CQM', would be ignored and the AP would fail to
disassociate the low ack station from the BSS.
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Matej Vrba [Tue, 1 Apr 2025 13:19:01 +0000 (13:19 +0000)]
ACS: Fix using 20 MHz channels in 6 GHz
When configured to use ACS with 20 MHz channels, hostapd incorrectly
rejects half of the available channels with an error messages "Channel
XX: not allowed as primary channel for 40 MHz bandwidth." This includes
all PSC channels.
Signed-off-by: Matěj Vrba <matej.vrba@advantech.cz> Reviewed-by: Nicolas Escande <nico.escande@gmail.com>
Yan Zihan [Tue, 15 Apr 2025 08:49:25 +0000 (16:49 +0800)]
DPP: Conditionally add cipher support based on driver capabilities
By default, wpa_supplicant sets the pairwise and group ciphers to CCMP
(or CCMP+TKIP) when provisioning a network via DPP. As a result,
DPP-provisioned clients are unable to connect to networks that require
GCMP or GCMP-256 ciphers due to cipher mismatch. This issue does not
affect manually-configured network profiles, where supported cipher
suites can be explicitly specified.
Addresse the issue by conditionally enabling the appropriate cipher
suites in the DPP-generated network profile, based on driver
capabilities.
Tested on various chipsets with different cipher capabilities:
Richard Yu [Tue, 15 Apr 2025 11:29:06 +0000 (19:29 +0800)]
AP MLD: Ensure hostapd_deinit_driver() is called when driver_init() fails
Ensure hostapd_deinit_driver() is called when driver_init() fails in
both hostapd_enable_iface() and hostapd_add_iface().
When initializing an AP MLD interface, driver_init() first assigns a
valid private driver interface data pointer (drv_priv) to the
hostapd_iface structure. It then attempts to add a link by calling
hostapd_drv_link_add(). This call may fail under certain conditions,
such as ENETDOWN, EALREADY, or other transient errors.
In such failure cases, the hostapd interface retains a valid drv_priv
pointer, but no cleanup is performed. This results in an untracked
reference to the private driver interface data. While the memory backing
drv_priv will eventually be freed when the last interface sharing it is
deinitialized, the lack of cleanup in early failure paths can lead to
invalid memory access, potentially resulting in a segmentation fault.
Ensure that hostapd_deinit_driver() is invoked in both failure paths to
properly release driver resources and maintain consistency across
interface initialization routines.
Signed-off-by: Richard Yu <richard.yu@mitrastar.com.tw>
Marek Zarychta [Tue, 22 Apr 2025 21:13:42 +0000 (23:13 +0200)]
BSD: Handle systems without legacy IP support
Currently, wpa_supplicant fails to operate when legacy IP support is
disabled (i.e., the system is built with WITHOUT_INET and the kernel is
configured with nooptions INET). Address the issue by enabling
wpa_supplicant to run and connect to wireless networks even in the
absence of AF_INET, as long as AF_INET6 is available.
Signed-off-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Pooventhiran G [Wed, 18 Jun 2025 19:05:09 +0000 (00:35 +0530)]
AP MLD: Remove Link STA on Group KDE length check failure
If accepting an add-request in Link Reconfiguration causes the Group KDE
Length subfield to exceed max length, the request is rejected, but the
link STA will already have been added to the kernel driver.
Hence, remove the link STA on max length check failure.
Fixes: 60b3884948c6 ("AP MLD: Validate Link Reconfiguration Request frame after parsing") Signed-off-by: Pooventhiran G <pooventh@qti.qualcomm.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:19:04 +0000 (16:49 +0530)]
tests: ML Setup Link Reconfiguration
Add a test case to connect AP and STA in two links and perform ML Setup
Link Reconfiguration to remove a link and add the link back.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:19:03 +0000 (16:49 +0530)]
AP MLD: Control interface events for ML Setup Link Reconfiguration
Add control interface events in hostapd for link STA removal and
addition operations from link reconfiguration.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:19:00 +0000 (16:49 +0530)]
AP MLD: Check if non-AP STA in reconfig add-request already exists
As per IEEE P802.11be/D7.0, the non-AP STA requested in ML Setup link
reconfiguration for "add" operation should not have the (link) MAC address
associated to any non-AP STA which is either affiliated or not to a
non-AP MLD on the corresponding AP link affiliated with the AP MLD.
Enforce this condition and reject the operation otherwise.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:59 +0000 (16:48 +0530)]
AP MLD: Process TX status for Link Reconfiguration Response frame
When a Link Reconfiguration Response frame is ACK-ed, the AP MLD can
complete reconfiguration operations. Process the accepted del-link
requests, and if the link that is removed is the association link,
assign a new (soft) association link to maintain ML setup and APIs.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:57 +0000 (16:48 +0530)]
AP MLD: Validate Link Reconfiguration Request frame after parsing
When a Link Reconfiguration Request frame is successfully parsed and set
up with context, validate the request to verify links requested for
operation(s) are valid.
While at it, if accepting the request after current validation tends to
leave the ML Setup with no remaining links, recover from the situation
by rejecting a "delete" link request. Currently, the "delete" link
request with the lowest link ID will be rejected.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:56 +0000 (16:48 +0530)]
AP MLD: Process Link Reconfiguration Request frame for ML Setup links
A non-AP MLD can change the ML setup links (adding a new link or
removing an existing link) by using the Link Reconfiguration to Setup
Links procedure, as per IEEE P802.11be/D7.0.
Add support for an AP MLD to parse the Link Reconfiguration Request
frame and set up context with necessary information.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
nl80211: Set to AP mode before adding to bridge during AP interface addition
Commit dd1587c91541 ("hostapd: Allow reuse of existing interface for AP
MLD") added support to change mode to AP if it is already not while
adding the interface. However, this is currently done after bridge
addition is done. Now, in a few systems, bridge addition fails with
following:
nl80211: Driver for phy phy0 already exist
nl80211: Create interface iftype 3 (AP)
Failed to create interface wlan0: -23 (Too many open files in system)
nl80211: Continue using existing interface wlan0
nl80211: Adding interface wlan0 into bridge br-lan
Could not add interface wlan0 into bridge br-lan: Not supported
nl80211: Failed to add interface wlan0 into bridge br-lan: Not supported
nl80211: Set mode ifindex 17 iftype 3 (AP)
nl80211: Failed to set interface 17 to mode 3: -16 (Resource busy)
Failed to add BSS (BSSID=AA:BB:CC:DD:EE:FF)
Hence, to avoid this issue, move logic to set mode to AP before adding
to bridge. Since BSS needs to be partially initialized before attempting
to set mode, move the certain assignments as well above it.
Yuvarani V [Sun, 1 Jun 2025 17:18:08 +0000 (22:48 +0530)]
WNM: Disassociate STA only when Link Removal Imminent is 0 in BTM Request frame
When BSS Transition Management (BTM) Request frame is sent by an AP MLD
with disassociation timer set, it is expected to arm disassociation
timer for the STA and eventually disassociate it once the timer expires.
The current code avoids this by assuming that the ML association is not
being terminated and only the link is being removed. However, link
removal is scheduled only when Link Removal Imminent field is set in BTM
request, as per IEEE P802.11be/D7.0 - 9.6.13.9 (BSS Transition
Management Request frame format). If the Link Removal Imminent field in
the Request Mode field is set to 1, the BSS Termination Included field
indicates that the BSS, whose AP transmits this BSS Transition
Management Request frame, is shutting down. In this case, the STA
associated with the AP or the non-AP MLD that has set up only this link
will be disassociated and the non-AP MLD that has set up more than this
link remains associated to the AP MLD with the remaining setup link(s).
Hence, schedule disassociation for STA unless Link Removal Imminent bit
is set to 1 in the BTM Request frame.
Signed-off-by: Yuvarani V <yuvarani@qti.qualcomm.com>
Hu Wang [Fri, 30 May 2025 03:24:24 +0000 (20:24 -0700)]
Delete PMKID from driver when PMKSA entry is freed in Authenticator
For SME-in-driver, external SAE authentication (i.e., the driver
offloading SAE processing to hostapd) the PMKID is configured to the
driver on successful completion, but this is not cleared when hostapd
frees its PMKSA entry. This causes the driver and hostapd to get out of
sync.
This can result in the driver accepting an association with an unknown
(to hostapd) PMKID, but hostapd ending up using Deauthentication frame
due to that unknown PMKID. iPhone as a client seems to only clear its
PMKSA entry based on with asssociation rejection and thus, it might
retry again and again with the same unknown-to-hostapd PMKID.
Remove the PMKID from the driver when the matching PMKSA is remove from
hostapd to avoid this.
Ainy Kumari [Thu, 22 May 2025 12:51:40 +0000 (18:21 +0530)]
SAE: Fix AKM suite selector for external authentication compatibility
Kernel commit 4f4d8be6dc37 ("wifi: nl80211: force WLAN_AKM_SUITE_SAE in
big endian in NL80211_CMD_EXTERNAL_AUTH") enforces WLAN_AKM_SUITE_SAE to
be passed in big-endian format in NL80211_CMD_EXTERNAL_AUTH for all
drivers. This is causing issues for cross-AKM roaming cases (e.g.,
roaming from SAE-EXT-KEY AP to SAE AP) with current wpa_supplicant
implementation since it is considering the connected AP AKM as the
target AP AKM when WLAN_AKM_SUITE_SAE is indicated in big-endian format
in NL80211_CMD_EXTERNAL_AUTH.
To fix this, always set external authentication AKM as
WLAN_AKM_SUITE_SAE when WLAN_AKM_SUITE_SAE indicated in big endian
format in NL80211_CMD_EXTERNAL_AUTH.
This change is still compatible with old drivers since there is no
change in SAE authentication procedure when the target AP AKM is SAE or
FT-SAE.
Kavita Kavita [Wed, 14 May 2025 08:52:03 +0000 (14:22 +0530)]
hostapd: Allow channel switch between hw_modes
Commit 3e2758b19a75 ("hostapd: Avoid channel selection across underlying
hardware index") enforcing target channel to be present in the current
hw_mode even though the hostapd_iface can support multiple hw_modes. Due
to this channel switch request between different hw_modes getting
rejected always.
To fix this, determine the target hw_mode of the channel switch request
and use it for validating against current underlying hardware index.
nakul kachhwaha [Tue, 6 May 2025 05:20:48 +0000 (10:50 +0530)]
Fix QCA vendor attribute documentation
Fix the list of valid values for the attribute
QCA_WLAN_VENDOR_ATTR_TWT_NUDGE_NEXT_TWT_SIZE in the comment section.
This was not supposed to be a bitmap, but a consecutive sequence of
integers. The previously defined value has not been used.
Chenming Huang [Fri, 16 May 2025 01:57:27 +0000 (07:27 +0530)]
AP MLD: Use hostapd-based ACL for MLO cases
Currently NL80211_CMD_SET_MAC_ACL is not supported for MLO cases.
Since this command has no upstream driver support, further extension
might not be accepted and this command itself may be removed in the
future, too.
To support the same ACL setting from hostapd control interface, use
hostapd-based ACL instead when comes to MLO case. In addition, verify
both the link addresses and MLD MAC addresses of the non-AP MLD.
Chenming Huang [Wed, 14 May 2025 02:02:09 +0000 (10:02 +0800)]
P2P: Allow upgrade to 160 MHz if 80 MHz allowed and AUTO_BW flag is set
Upgrade to 160 MHz when AUTO_BW flag is set in contiguous frequency
range. This is needed to allow regdb rules for 160 MHz channels to be
used correctly when some of the differences between the 80 MHz parts of
the full channel has resulted in AUTO_BW flag being used.
Currently, hostapd tries to access MLO related functions and structures
even when 'ieee80211be' is unset, as 'mld_ap' is set. This is wrong and
at times, it leads to unexpected issues.
Address this by rejecting the configuration when mld_ap is set, while
'ieee80211be' is unset or disable_11be is set.
While at it, clear the mld_ap while disable_11be flag is modified during
configuration validation.
AP MLD: Correct link handling for MLO Disassociation
When transmitting a Disassociation frame, MLD link_id was not
considered, default value of -1 sent. Because of this, the first link
was always used to send Disassociation frames.
Address this by sending the corressponding 'mld_link_id' to the driver
if the Disassociation frame is sent by an AP MLD.
Muna Sinada [Wed, 28 May 2025 15:43:05 +0000 (21:13 +0530)]
Do not add Channel Switch Wrapper element without VHT/HE/EHT
Only include the Channel Switch Wrapper element in Beacon and Probe
Response frames when at least one of the PHY modes IEEE 802.11ac, IEEE
802.11ax, or IEEE 802.11be is enabled and not explicitly disabled in the
configuration.
This avoids unnecessary inclusion of the Channel Switch Wrapper element
when none of these modes are active, ensuring better compliance with the
capabilities advertised by the AP.
Kavita Kavita [Fri, 9 May 2025 15:50:30 +0000 (21:20 +0530)]
MLD: Clear group keys for removed links
For AP link removal case, group keys (e.g., GTK, IGTK, BIGTK, etc.) were
not cleared for links that were removed in the NL80211_CMD_LINKS_REMOVED
event. Since the links are already removed, we should clear the keys
associated with these links for proper cleanup.
This functionality was missing in the current implementation, so address
this by clearing group keys for the removed links.
Kavita Kavita [Fri, 9 May 2025 15:50:29 +0000 (21:20 +0530)]
MLD: Handle link reconfiguration updates from the driver
Processess the NL80211_CMD_ASSOC_MLO_RECONF event from the driver. This
event includes information about added links and the link
reconfiguration response frame from the AP MLD. The event can be
triggered by either wpa_supplicant or driver-initiated link
reconfiguration updates.
Also install group keys (e.g., GTK, IGTK, BIGTK, etc.) received with the
link reconfiguration response frame for the newly added links.
For removed links, the existing NL80211_CMD_LINKS_REMOVED event is used,
requiring no additional changes in wpa_supplicant for both
wpa_supplicant and driver-initiated link reconfiguration updates.
Kavita Kavita [Fri, 9 May 2025 15:50:28 +0000 (21:20 +0530)]
MLD STA: Add SETUP_LINK_RECONFIG control interface command
Add support for SETUP_LINK_RECONFIG control interface command
that allows users to add new setup links and/or remove existing
ones for the current MLO connection in STA mode.
Shivani Baranwal [Tue, 20 May 2025 09:36:56 +0000 (15:06 +0530)]
P2P2: Set p2p_mode to WPA_P2P_MODE_WFD_R2 upon receiving PASN Auth
This is required during P2P2 verification on the responder side where
p2p_mode may not be initialized to WFD_R2 by default. Ensure the mode is
set correctly when PASN Auth RX is received to support P2P2 operation.
P2P2: Enable support for setting PMKSA in P2P Client mode
When a device does not support separate group interface creation for the
group role, the existing P2P interface mode is switched from device mode
to client mode before invoking wpa_driver_nl80211_connect().
Additionally, drivers only permit configuring PMKSA in P2P client mode.
Therefore, PMKSA should be set in wpas_start_assoc_cb() for drivers that
offload SME from wpa_supplicant.
dbus: Update D-Bus interface description for bootstrapping indications
Update the description of D-Bus interface for bootstrapping indications
to match the implementation change as this has not yet been used and is
a recently added parameter.
P2P2: Include the requested method in the bootstrap response notification
In the bootstrap response indication, send the requested bootstrap
method by the device to align with config method indicated in P2P-R1
provision discovery indication to the applications.
Jouni Malinen [Tue, 27 May 2025 20:12:33 +0000 (23:12 +0300)]
DPP: Enable GAS server in hostapd without CONFIG_INTERWORKING=y
CONFIG_DPP=y was sufficient to include the GAS server functionality into
the hostapd build, but a couple of the calls did not cover the
possibility of CONFIG_DPP=y being used without CONFIG_INTERWORKING=y. In
practice, this prevented hostapd from operating as the DPP Configurator
without CONFIG_INTERWORKING=y.
Fix this by enabling GAS server if either CONFIG_INTERWORKING or
CONFIG_DPP have been defined consistently.
AP: Advertise the LCI and civic location capabilities
Currently, for Fine Time Measurement (FTM), hostapd configures Location
Configuration Information (LCI) and civic location values without
advertising capabilities in the Extended Capabilities and RM Enabled
Capabilities elements. According to IEEE Std 802.11-2024, 11.21.6.7 (LCI
and Location Civic retrieval using FTM procedure), to use LCI and Civic
subelements in FTM frames, the AP must advertise these capabilities.
Advertise LCI and civic measurement capabilities in the Extended
Capabilities and RM Enabled Capabilities elements when these values are
available.
Jouni Malinen [Fri, 23 May 2025 12:37:06 +0000 (15:37 +0300)]
Discard unrecognized Action frames without returning them
IEEE Std 802.11-2024 changed this behavior in 10.28.4 (Response to an
invalid Action and Action No Ack frame) to discard the received frame
without returning it to the source with the MSB set to 1, so update
implementation to match by removing the case that would have returned
the unrecognized frame.
This had previously been modified to avoid potential security
vulnerabilties by discarding the case when an SA was in place, but the
REVme update went beyond that and completely removed this behavior of
returning the frame with MSB set to 1 since no clear use for that could
be identified.
Kavita Kavita [Wed, 7 May 2025 10:08:52 +0000 (15:38 +0530)]
P2P GO: Use driver preferred frequency instead of ACS when band is specified
ACS was enabled by default when the band is specified as 2 or 5 in the
"freq" parameter for P2P_GROUP_ADD control interface command. Use the
driver preferred frequency list instead of ACS when the driver preferred
frequency list is available. This allows the GO to be started more
quickly.
Kavita Kavita [Sun, 4 May 2025 11:26:53 +0000 (16:56 +0530)]
P2P GO: Add support for handling 6 GHz band in freq parameter
Add support for handling 6 GHz band in freq parameter while selecting
the P2P GO frequency in cases where the driver has indicated a list of
preferred channels.
Enhance throughput estimation for punctured EHT APs
When an EHT AP is advertising punctured channel widths, the throughput
estimation algorithm did not take it into account. This may lead to
picking a punctured AP with less effective bandwidth over an unpunctured
AP with more effective bandwidth.
For example, an EHT320 AP provides more resources for transmission than
an EHT320 AP with 120 MHz punctured (as it effectively has only 200
MHz).
Enhance the algorithm to compute appropriate throughput by considering
punctured bitmap as well so that the selected AP will have more
effective bandwidth.
Mohan Kumar G [Thu, 8 May 2025 17:27:15 +0000 (22:57 +0530)]
Fix channel number in MBSSID RNR after channel switch
When channel switch happened in an MBSSID case, the non-transmitting
partial profile RNR element of the first few Beacon frames in the new
channel used the old channel number. This is because after channel
switch, the new MBSSID and RNR elements are not updated immediately as
during channel switch, the new MBSSID and RNR elements are not passed to
the driver together with other beacon data. So beaconing first starts
with old MBSSID and RNR data. Only after channel switch completes and
beacon is set again, these elements are passed to the driver. This delay
causes the first few beacons to contain old RNR and MBSSID elements.
Address this issue by passing the new MBSSID and RNR elements during the
CSA settings itself, thus post channel switch, Beacon frames will have
the new MBSSID and RNR data.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com> Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
Add a separate data structure for MBSSID parameters
The MBSSID related parameters are present under struct
wpa_driver_ap_params, but this is not extensible for certain use cases
like updating the MBSSID and RNR elements post channel switch. Hence,
move this into a separate data structure named mbssid_data to hold all
MBSSID related parameters in a manner that can be used more easily
elsewhere.
Remove redundant management group cipher suite selector writing
Remove the default BIP (AES-128-CMAC) from the code writing the group
management cipher selector into an RSNE since this field is omitted when
the default value is used. This case was unreachable due to the earlier
if statement skipping this switch statement.
projects / thirdparty / hostap.git / log
