git.ipfire.org Git - thirdparty/hostap.git/log
2 days ago PR: Fix population of 'Number of channel entries' field main pending
Peddolla Harshavardhan Reddy [Tue, 28 Oct 2025 10:47:31 +0000 (16:17 +0530)] 
PR: Fix population of 'Number of channel entries' field

The 'Number of channel entries' field used in multiple attributes of the
Proximity Ranging element was incorrectly populated with an empty
buffer. Ensure the size of the field is limited to one byte and correctly
reflects the count of channel entries that follow.

Fixes: 619cc871ba0f ("PR: Add EDCA capabilities in USD PR element")
Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
3 days ago EHT: Fix punct_update_legacy_bw_80() to correctly handle bitmap 0x9
Amith A [Thu, 16 Oct 2025 06:59:53 +0000 (12:29 +0530)] 
EHT: Fix punct_update_legacy_bw_80() to correctly handle bitmap 0x9

punct_update_legacy_bw_80() is part of the bandwidth downgrade mechanism
when preamble puncturing is applied on an 80 MHz wide channel.
Puncturing disables specific 20 MHz subchannels within its 80 MHz
bandwidth to mitigate interference. Depending on which subchannels are
affected, the bandwidth may be reduced to 40 MHz or 20 MHz. The
interference pattern is conveyed via a bitmap passed to this function.

Currently, the function yields incorrect results for a bitmap value of
0x9, which indicates interference in the first and fourth subchannels
of the 80 MHz band. This leaves only the middle two subchannels
available, which cannot form a valid 40 MHz channel. This scenario is
analogous to the case of bitmap 0x6, where the middle two subchannels
are punctured, also resulting in an invalid configuration.

To address this, the fix sets seg0 = 0 when the bitmap is 0x9,
consistent with the handling of bitmap 0x6, thereby ensuring the
bandwidth is correctly downgraded to 20 MHz.

Fixes: 46a5d989d4c1 ("EHT: Downgrade bandwidths for VHT and HE when using puncturing")
Signed-off-by: Amith A <amitajit@qti.qualcomm.com>
6 days ago tests: SAE password identifier changing
Jouni Malinen [Mon, 27 Oct 2025 11:44:27 +0000 (13:44 +0200)] 
tests: SAE password identifier changing

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
6 days ago SAE: Password identifier changing (STA)
Jouni Malinen [Mon, 27 Oct 2025 11:44:27 +0000 (13:44 +0200)] 
SAE: Password identifier changing (STA)

Add support for changing the SAE password identifier value that is sent
in SAE commit messages for privacy protection in cases where random MAC
addresses are used with per-STA (or per-user) SAE password identifiers.
At least for now, this functionality is disabled by default and needs to
be enabled with sae_password_id_change=1 in a network profile that uses
an SAE password identifier (sae_password_id=..). This mechanism might
get enabled by default in the future once the protocol specification
becomes more mature and there has been interoperability testing between
different implementations.

The implemented functionality is for the definitions that were added in
IEEE P802.11bi/D2.1.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
6 days ago SAE: Password identifier changing (AP)
Jouni Malinen [Mon, 27 Oct 2025 11:44:27 +0000 (13:44 +0200)] 
SAE: Password identifier changing (AP)

Add support for changing the SAE password identifier value that is sent
in SAE commit messages for privacy protection in cases where random MAC
addresses are used with per-STA (or per-user) SAE password identifiers.
This functionality can be enabled by setting the new hostapd
configuration parameters sae_pw_id_num and sae_pw_id_key.

The implemented functionality is for the definitions that were added in
IEEE P802.11bi/D2.1.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
6 days ago SAE: Password identifier changing (definitions)
Jouni Malinen [Mon, 27 Oct 2025 11:44:27 +0000 (13:44 +0200)] 
SAE: Password identifier changing (definitions)

Defines and parsing for SAE password identifier changes following the
definitions that were added in IEEE P802.11bi/D2.1.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
6 days ago SAE: Process password identifier as an octet string
Jouni Malinen [Mon, 27 Oct 2025 11:44:27 +0000 (13:44 +0200)] 
SAE: Process password identifier as an octet string

Replace the nul terminated character string design with a pointer to the
beginning of an octet string and an explicit length indication for the
SAE password identifier. This is needed to be able to add support for
changing SAE password identifiers that might not use character strings.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
6 days ago wpabuf: Array of wpabuf
Jouni Malinen [Mon, 27 Oct 2025 11:44:27 +0000 (13:44 +0200)] 
wpabuf: Array of wpabuf

Add common functions for a data structure consisting of a variable
number of struct wpabuf buffers.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
9 days ago tests: NAN USD for provisioning protocols
Jouni Malinen [Fri, 24 Oct 2025 13:28:21 +0000 (16:28 +0300)] 
tests: NAN USD for provisioning protocols

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
9 days ago NAN USD: Allow services to disable listen operation during SDF exchange
Jouni Malinen [Fri, 24 Oct 2025 13:31:55 +0000 (16:31 +0300)] 
NAN USD: Allow services to disable listen operation during SDF exchange

The new stop-listen commands (through wpa_supplicant control interface
or D-Bus) can be used by an upper layer service implementation to stop a
listen operation (i.e., wait for a response SDF from the peer) in the
driver to free up the radio for other parallel operations at points in
the SDF exchange when the service knows the peer is not expected to send
any further SDFs before an SDF is sent to it.

This can be used, e.g., to optimize radio use during provisioning
exchange where the SDF exchange is stopped in the middle during the
connection attempt and the result of that connection attempt is
reported later within that same SDF exchange.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
9 days ago tests: Scanning frequencies from network blocks
Jouni Malinen [Fri, 24 Oct 2025 12:33:13 +0000 (15:33 +0300)] 
tests: Scanning frequencies from network blocks

These test cases are mainly to allow manual checking of scanning
frequencies when wpa_supplicant configuration includes two network
profiles and only the selected one has a single scan_freq value.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
11 days ago OS: Resolve redefinition of ‘testing_test_fail’ compilation error
Aditya Kumar Singh [Wed, 22 Oct 2025 09:05:32 +0000 (11:05 +0200)] 
OS: Resolve redefinition of ‘testing_test_fail’ compilation error

Building the source tree with WPA_TRACE, but without WPA_TRACE_BFD and
CONFIG_TESTING_OPTIONS leads to a compilation error:

../src/utils/os_unix.c:720:19: error: redefinition of ‘testing_test_fail’
 static inline int testing_test_fail(const char *tag, bool is_alloc)
                   ^~~~~~~~~~~~~~~~~
In file included from ../src/utils/os_unix.c:26:0:
../src/utils/os.h:696:19: note: previous definition of ‘testing_test_fail’
was here
 static inline int testing_test_fail(const char *tag, bool is_alloc)
                   ^~~~~~~~~~~~~~~~~

Fix this by removing redefinition in os_unix.c since recent commit
126f243eb767 ("trace: Define TEST_FAIL and TEST_FAIL_TAG as inline
function") has added a static declaration already in os.h.

Fixes: 126f243eb767 ("trace: Define TEST_FAIL and TEST_FAIL_TAG as inline function")
Signed-off-by: Aditya Kumar Singh <aditya.kumar.singh@oss.qualcomm.com>
12 days ago PR: Permit interface initialization without PR support
Benjamin Berg [Mon, 20 Oct 2025 13:15:25 +0000 (15:15 +0200)] 
PR: Permit interface initialization without PR support

wpas_pr_init() should not fail if CONFIG_PR is not set. Adjust the
return value in the stub to 0 so that interface initialization can
continue when Proximity Ranging is not enabled in the configuration.

Fixes: ae3b00be3532 ("PR: Initialize Proximity Ranging global context")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2 weeks ago Add QCA vendor attributes for the affiliated AP(s) beacon miss statistics
Jay Shukla [Tue, 14 Oct 2025 08:38:01 +0000 (14:08 +0530)] 
Add QCA vendor attributes for the affiliated AP(s) beacon miss statistics

Add QCA vendor attributes for beacon miss statistics for the affiliated
AP(s) for QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO.

Signed-off-by: Jay Shukla <jayshukl@qti.qualcomm.com>
2 weeks ago Add QCA vendor attributes for the affiliated AP(s) CCA statistics
Jay Shukla [Tue, 14 Oct 2025 08:29:51 +0000 (13:59 +0530)] 
Add QCA vendor attributes for the affiliated AP(s) CCA statistics

Add QCA vendor attributes for the affiliated AP(s) CCA statistics for
vendor subcommand QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO.

Signed-off-by: Jay Shukla <jayshukl@qti.qualcomm.com>
2 weeks ago Add QCA vendor attributes for PPDUs count for different MCS and bandwidths
Jay Shukla [Wed, 24 Sep 2025 07:11:43 +0000 (12:41 +0530)] 
Add QCA vendor attributes for PPDUs count for different MCS and bandwidths

Add QCA vendor attributes for the cumulative count of PPDUs for
different MCS and bandwidths for vendor subcommand
QCA_NL80211_VENDOR_SUBCMD_GET_STA_INFO.

Signed-off-by: Jay Shukla <jayshukl@qti.qualcomm.com>
2 weeks ago P2P: Fix PASN related memory leaks
Benjamin Berg [Tue, 7 Oct 2025 11:31:09 +0000 (13:31 +0200)] 
P2P: Fix PASN related memory leaks

The hwsim tests randomly expose a memory leak in a P2P test.
Unfortunately, it is not clear which exact flow or test is triggering
this memory leak. As such, this just fixes the leaks themselves rather
than adding, e.g., a wpa_pasn_reset() call to fix it that way.

This should fix the seen leak reports:

MEMLEAK[0x550000592a10]: len 172
WPA_TRACE: memleak - START
[0]: wpa_supplicant/wpa_supplicant(os_malloc+0x52) [0x550000070242]
     os_malloc() src/utils/os_unix.c:740
[1]: wpa_supplicant/wpa_supplicant(os_memdup+0x19) [0x550000070289]
     os_memdup() src/utils/os_unix.c:532
[2]: wpa_supplicant/wpa_supplicant(p2p_prepare_data_element+0xdf) [0x5500001067df]
     p2p_prepare_data_element() src/p2p/p2p.c:6907
[3]: wpa_supplicant/wpa_supplicant(+0xe0be7) [0x5500000e0be7]
     wpas_p2p_prepare_data_element() p2p_supplicant.c:5679
[4]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_resp+0x192) [0x5500001d6bf2]
     handle_auth_pasn_resp() src/pasn/pasn_responder.c:569
[5]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_1+0x43e) [0x5500001d767e]
     handle_auth_pasn_1() src/pasn/pasn_responder.c:976
[6]: wpa_supplicant/wpa_supplicant(+0x107105) [0x550000107105]
     p2p_handle_pasn_auth() src/p2p/p2p.c:7184
[7]: wpa_supplicant/wpa_supplicant(p2p_pasn_auth_rx+0xb0) [0x550000107310]
     p2p_pasn_auth_rx() src/p2p/p2p.c:7269
[8]: wpa_supplicant/wpa_supplicant(wpas_p2p_pasn_auth_rx+0x46) [0x5500000f6836]
     wpas_p2p_pasn_auth_rx() p2p_supplicant.c:11619
[9]: wpa_supplicant/wpa_supplicant(+0x2a4e01) [0x5500002a4e01]
     wpas_pasn_auth() events.c:6251
[10]: wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0x17fb) [0x5500002af45b]
     wpa_supplicant_event() events.c:6782
[11]: wpa_supplicant/wpa_supplicant(+0x2de5fc) [0x5500002de5fc]
     mlme_event_mgmt() src/drivers/driver_nl80211_event.c:1451
[12]: wpa_supplicant/wpa_supplicant(+0x2deb01) [0x5500002deb01]
     mlme_event() src/drivers/driver_nl80211_event.c:1884
[13]: wpa_supplicant/wpa_supplicant(process_bss_event+0x18d) [0x5500002e1f2d]
     process_bss_event() src/drivers/driver_nl80211_event.c:4549
[14]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x391) [0x401c9861]
[15]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0xd) [0x401ca07d]
WPA_TRACE: memleak - END
MEMLEAK[0x550000551da0]: len 56
WPA_TRACE: memleak - START
[0]: wpa_supplicant/wpa_supplicant(os_malloc+0x52) [0x550000070242]
     os_malloc() src/utils/os_unix.c:740
[1]: wpa_supplicant/wpa_supplicant(os_zalloc+0xe) [0x5500000704ee]
     os_zalloc() src/utils/os_unix.c:798
[2]: wpa_supplicant/wpa_supplicant(crypto_ec_init+0x23) [0x550000225cd3]
     crypto_ec_init() src/crypto/crypto_openssl.c:2442
[3]: wpa_supplicant/wpa_supplicant(crypto_ecdh_init+0x29) [0x550000226789]
     crypto_ecdh_init() src/crypto/crypto_openssl.c:2748
[4]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_1+0x249) [0x5500001d7489]
     handle_auth_pasn_1() src/pasn/pasn_responder.c:807
[5]: wpa_supplicant/wpa_supplicant(+0x107105) [0x550000107105]
     p2p_handle_pasn_auth() src/p2p/p2p.c:7184
[6]: wpa_supplicant/wpa_supplicant(p2p_pasn_auth_rx+0xb0) [0x550000107310]
     p2p_pasn_auth_rx() src/p2p/p2p.c:7269
[7]: wpa_supplicant/wpa_supplicant(wpas_p2p_pasn_auth_rx+0x46) [0x5500000f6836]
     wpas_p2p_pasn_auth_rx() p2p_supplicant.c:11619
[8]: wpa_supplicant/wpa_supplicant(+0x2a4e01) [0x5500002a4e01]
     wpas_pasn_auth() events.c:6251
[9]: wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0x17fb) [0x5500002af45b]
     wpa_supplicant_event() events.c:6782
[10]: wpa_supplicant/wpa_supplicant(+0x2de5fc) [0x5500002de5fc]
     mlme_event_mgmt() src/drivers/driver_nl80211_event.c:1451
[11]: wpa_supplicant/wpa_supplicant(+0x2deb01) [0x5500002deb01]
     mlme_event() src/drivers/driver_nl80211_event.c:1884
[12]: wpa_supplicant/wpa_supplicant(process_bss_event+0x18d) [0x5500002e1f2d]
     process_bss_event() src/drivers/driver_nl80211_event.c:4549
[13]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x391) [0x401c9861]
[14]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0xd) [0x401ca07d]
[15]: wpa_supplicant/wpa_supplicant(+0x2bd83f) [0x5500002bd83f]
     wpa_driver_nl80211_event_receive() src/drivers/driver_nl80211.c:1932
WPA_TRACE: memleak - END
MEMLEAK[0x550000570410]: len 16
WPA_TRACE: memleak - START
[0]: wpa_supplicant/wpa_supplicant(os_malloc+0x52) [0x550000070242]
     os_malloc() src/utils/os_unix.c:740
[1]: wpa_supplicant/wpa_supplicant(os_zalloc+0xe) [0x5500000704ee]
     os_zalloc() src/utils/os_unix.c:798
[2]: wpa_supplicant/wpa_supplicant(crypto_ecdh_init+0x19) [0x550000226779]
     crypto_ecdh_init() src/crypto/crypto_openssl.c:2744
[3]: wpa_supplicant/wpa_supplicant(handle_auth_pasn_1+0x249) [0x5500001d7489]
     handle_auth_pasn_1() src/pasn/pasn_responder.c:807
[4]: wpa_supplicant/wpa_supplicant(+0x107105) [0x550000107105]
     p2p_handle_pasn_auth() src/p2p/p2p.c:7184
[5]: wpa_supplicant/wpa_supplicant(p2p_pasn_auth_rx+0xb0) [0x550000107310]
     p2p_pasn_auth_rx() src/p2p/p2p.c:7269
[6]: wpa_supplicant/wpa_supplicant(wpas_p2p_pasn_auth_rx+0x46) [0x5500000f6836]
     wpas_p2p_pasn_auth_rx() p2p_supplicant.c:11619
[7]: wpa_supplicant/wpa_supplicant(+0x2a4e01) [0x5500002a4e01]
     wpas_pasn_auth() events.c:6251
[8]: wpa_supplicant/wpa_supplicant(wpa_supplicant_event+0x17fb) [0x5500002af45b]
     wpa_supplicant_event() events.c:6782
[9]: wpa_supplicant/wpa_supplicant(+0x2de5fc) [0x5500002de5fc]
     mlme_event_mgmt() src/drivers/driver_nl80211_event.c:1451
[10]: wpa_supplicant/wpa_supplicant(+0x2deb01) [0x5500002deb01]
     mlme_event() src/drivers/driver_nl80211_event.c:1884
[11]: wpa_supplicant/wpa_supplicant(process_bss_event+0x18d) [0x5500002e1f2d]
     process_bss_event() src/drivers/driver_nl80211_event.c:4549
[12]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs_report+0x391) [0x401c9861]
[13]: /lib/x86_64-linux-gnu/libnl-3.so.200(nl_recvmsgs+0xd) [0x401ca07d]
[14]: wpa_supplicant/wpa_supplicant(+0x2bd83f) [0x5500002bd83f]
     wpa_driver_nl80211_event_receive() src/drivers/driver_nl80211.c:1932
[15]: wpa_supplicant/wpa_supplicant(+0x71a1d) [0x550000071a1d]
     eloop_sock_table_dispatch() src/utils/eloop.c:606
WPA_TRACE: memleak - END
MEMLEAK: total 244 bytes

Fixes: e147d24a0775 ("P2P2: Add support for GO Negotiation wrapped in PASN auth frame")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
CC: Shivani Baranwal <quic_shivbara@quicinc.com>
2 weeks ago PASN: Clear extra_ies_len to 0 on freeing extra_ies
Jouni Malinen [Sat, 18 Oct 2025 15:19:51 +0000 (18:19 +0300)] 
PASN: Clear extra_ies_len to 0 on freeing extra_ies

There is no point in setting extra_ies_len to the new value in
pasn_set_extra_ies() at the point when the old value is freed. This
setting happens already at the appropriate place after the new value has
been successfully assigned. Set extra_ies_len to 0 here so that it will
have value 0 in case the allocation fails and leaves extra_ies to NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago PASN: Fix testing code parsing for PASN_DRIVER
Jouni Malinen [Sat, 18 Oct 2025 08:18:42 +0000 (11:18 +0300)] 
PASN: Fix testing code parsing for PASN_DRIVER

Incorrect indentation level hid the issue with the peer pointer not
being verified correctly. Fix the indentation level to make it clear
that peer might be NULL here and reject the cases that would have
resulted in dereferencing a NULL pointer. This code is included only
with CONFIG_TESTING_OPTIONS.

Fixes: ba7d967da46d ("PASN: Testing support for PASN with user-specified parameters")
Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago MLD: Fix MLE STA Info length check in association failure cases
Jouni Malinen [Sat, 18 Oct 2025 10:05:58 +0000 (13:05 +0300)] 
MLD: Fix MLE STA Info length check in association failure cases

The checks for this field were not complete when the earlier strict
length enforcement was removed. Allow flexibility for a longer field
while still validating the value properly.

Fixes: a58a0c592e20 ("MLD: Fix Multi-Link element parsing for association failures")
Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago AP MLD: Update partner link wpa_sm pointers more consistently
Jouni Malinen [Sat, 18 Oct 2025 09:34:28 +0000 (12:34 +0300)] 
AP MLD: Update partner link wpa_sm pointers more consistently

This case of calling wpa_auth_sta_deinit(sta->wpa_sm) was the only one
missing a call to clear_wpa_sm_for_each_partner_link(hapd, sta). Add
that call to make sure no stale sta->wpa_sm pointers are left behind.
For the case where the assoc_wpa_sm is used, the same setting is applied
to all partner links.

Fixes: 03cf2b60194f ("AP MLD: Never keep a per-link wpa_sm")
Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago Check end of new basic_rates int_array encoding correctly
Jouni Malinen [Sat, 18 Oct 2025 09:01:38 +0000 (12:01 +0300)] 
Check end of new basic_rates int_array encoding correctly

This place was missed when replacing the basic_rates encoding in hostapd
configuration to use the 0 terminated style.

Fixes: a3c1804d4112 ("Replace configuration int lists with int_arrays")
Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago LEAP: Check whether MD5 operation succeeded
Jouni Malinen [Sat, 18 Oct 2025 08:22:09 +0000 (11:22 +0300)] 
LEAP: Check whether MD5 operation succeeded

md5_vector() could theoretically fail, so check for that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago Check hostapd_mld_get_link_bss() return value for NULL
Jouni Malinen [Sat, 18 Oct 2025 08:08:10 +0000 (11:08 +0300)] 
Check hostapd_mld_get_link_bss() return value for NULL

Even though this should not really return NULL for a case where a STA
link has already been checked to be valid, it is better to be
consistently checking for the theoretical NULL value from
hostapd_mld_get_link_bss() (if for no other reason, then at least to
silence warnings from static analyzers).

Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago Add a missing space before a MAC address in a debug print
Jouni Malinen [Sat, 18 Oct 2025 08:07:05 +0000 (11:07 +0300)] 
Add a missing space before a MAC address in a debug print

Signed-off-by: Jouni Malinen <j@w1.fi>
2 weeks ago Fix compiler warning on unused function
Jouni Malinen [Fri, 17 Oct 2025 14:18:16 +0000 (17:18 +0300)] 
Fix compiler warning on unused function

hostapd_ctrl_iface_set_bw() is called only if CONFIG_TESTING_OPTIONS is
defined. Move it to be under matching build configuration conditions.

Fixes: 261fab94c180 ("AP: Support bandwidth changes without CSA through control interface")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
2 weeks ago trace: Define TEST_FAIL and TEST_FAIL_TAG as inline function
Benjamin Berg [Tue, 14 Oct 2025 08:09:43 +0000 (10:09 +0200)] 
trace: Define TEST_FAIL and TEST_FAIL_TAG as inline function

While these macros are usually used in conditions, they can also simply
be used as a statement in order to check whether a certain code path was
taken. In that case, using a macro that turns into a constant 0 may
cause a compiler warning.

Avoid that issue by using a static inline function that returns 0. This
fixes a build regression introduced by f5790e97cd64 ("nl80211: Delay
event processing during command handling").

Fixes: f5790e97cd64 ("nl80211: Delay event processing during command handling")
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2 weeks ago P2P: Ignore association events when GO is not active
Huang Chenming [Tue, 14 Oct 2025 11:41:33 +0000 (17:11 +0530)] 
P2P: Ignore association events when GO is not active

Address an issue observed in the following scenario:
- DUT operating in STA+AP SCC mode on 5200 MHz, with P2P GO initially
  on 5745 MHz.
- Driver PCL restrictions forced GO to switch to 5200 MHz.
- hostapd attempted to revert to 5745 MHz, as 5200 MHz was listed in the
  avoid frequency range reported by the driver.
- Driver again enforced SCC on 5200 MHz.
- Channel switch triggered from hostapd and driver again and again.
- Leftover association events triggered crashes during channel switch
  failure and group restart.

Fix: Add an early check in hostapd_notif_assoc() to ignore association
events when the P2P GO instance is not started or has been disabled.

Signed-off-by: Huang Chenming <chenhuan@qti.qualcomm.com>
2 weeks ago NAN: Fix SDA parsing
Andrei Otcheretianski [Wed, 13 Aug 2025 17:38:54 +0000 (20:38 +0300)] 
NAN: Fix SDA parsing

After reading the ctrl, the pointer wasn't advanced. Any of the optional
fields following this point would have been parsed from incorrect offset
resulting in likely rejection of the message. Fix it.

Fixes: 9eb0bc1f0ae8 ("NAN: Unsynchronized service discovery (USD)")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2 weeks ago RADIUS server: Check for NULL pointer in a theoretical error case
menyua [Wed, 15 Oct 2025 07:23:16 +0000 (15:23 +0800)] 
RADIUS server: Check for NULL pointer in a theoretical error case

Since there is a special case with a call to
radius_server_free_clients() using data == NULL for a parsing failure,
radius_server_session_free() should check that data is set before
dereferencing it. It does not look like this case would be reachable in
practice, though, since this would require there to be an ongoing RADIUS
session which cannot really be established without the client
configuration file having been successfully parsed.

Signed-off-by: Meng Yuan <menyua@qti.qualcomm.com>
2 weeks ago tests: Authentication server and invalid clients file
Jouni Malinen [Fri, 17 Oct 2025 13:12:55 +0000 (16:12 +0300)] 
tests: Authentication server and invalid clients file

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
2 weeks ago PR: Control interface event to generate parameters to initiate ranging
Peddolla Harshavardhan Reddy [Wed, 9 Jul 2025 15:39:29 +0000 (21:09 +0530)] 
PR: Control interface event to generate parameters to initiate ranging

Notify the ranging parameters that were negotiated as part of PASN, so
that they can be used further to initiate ranging.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Clear PASN PMKSA cache on control interface FLUSH
Jouni Malinen [Fri, 17 Oct 2025 09:33:34 +0000 (12:33 +0300)] 
PR: Clear PASN PMKSA cache on control interface FLUSH

This is needed for testing purposes to prevent use of PMKSA caching.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
2 weeks ago PR: wpa_cli support for NEW_RANDOM_MAC_ADDRESS
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:53:47 +0000 (03:23 +0530)] 
PR: wpa_cli support for NEW_RANDOM_MAC_ADDRESS

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: wpa_cli support for PR discovery and PR secure negotiation
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:53:47 +0000 (03:23 +0530)] 
PR: wpa_cli support for PR discovery and PR secure negotiation

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Control interface support to set and clear PR device identity context
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:49:49 +0000 (03:19 +0530)] 
PR: Control interface support to set and clear PR device identity context

These are for testing purposes and require CONFIG_TESTING_OPTIONS=y in
the build.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Control interface support to trigger PR PASN Authentication
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:48:48 +0000 (03:18 +0530)] 
PR: Control interface support to trigger PR PASN Authentication

The new command PR_PASN_START can now be used to trigger PR PASN
Authentication. The arguments for the command include ranging role
(ISTA/RSTA), ranging type (EDCA/NTB), frequency to perform PASN on, and
such.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Control interface support to initiate USD with PR elements
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:50:43 +0000 (03:20 +0530)] 
PR: Control interface support to initiate USD with PR elements

A new pr=1 argument in NAN_PUBLISH and NAN_SUBSCRIBE can now be used to
request Proximity Ranging element to be included in USD frames.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Update PR device MAC address on MAC address randomization
Peddolla Harshavardhan Reddy [Fri, 2 May 2025 07:37:03 +0000 (13:07 +0530)] 
PR: Update PR device MAC address on MAC address randomization

Update the device MAC address in Proximity Ranging context when the MAC
address of the device changes.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Notify PR PASN result on initiator and responder
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:43:54 +0000 (03:13 +0530)] 
PR: Notify PR PASN result on initiator and responder

Add callbacks and changes to notify Proximity Ranging negotiation result
done as part of PASN.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Set keys from PASN authentication
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:41:39 +0000 (03:11 +0530)] 
PR: Set keys from PASN authentication

Add the needed callbacks to send the keys derived as part of PASN for
Proximity Ranging to the driver.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Compare PR capabilities of Auth frame and USD info of peer
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:38:51 +0000 (03:08 +0530)] 
PR: Compare PR capabilities of Auth frame and USD info of peer

The Proximity Ranging capabilities present in PR element of PASN Auth
frames need to match the capabilities that were advertised by the peer
in the discovery frames.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Handle PR element in PASN Auth M3
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:36:27 +0000 (03:06 +0530)] 
PR: Handle PR element in PASN Auth M3

PASN Auth M3 contains operation mode attribute and status attribute with
value set to success in case of success or just status attribute with
value set as failure in case of negotiation failure. The received
operation mode is validated. The successful M3 validation will give the
agreed upon ranging role, ranging type, and ranging channel.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Handle PR element in PASN Auth M2 and prepare M3
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:34:05 +0000 (03:04 +0530)] 
PR: Handle PR element in PASN Auth M2 and prepare M3

PASN Auth M2 frame is processed and then M3 is prepared based on the
operation mode received in M2 and capabilities received in M2 are also
validated. If an operation mode could not be decided or validation of
capabilities has failed, the status is set as failure and M3 is sent. If
PR capabilities are valid and operation mode received in M2 can be
honored, the status is set as success and operation mode is set in M3.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Handle PR element in PASN Auth M1 and prepare M2
Peddolla Harshavardhan Reddy [Mon, 28 Apr 2025 10:02:59 +0000 (15:32 +0530)] 
PR: Handle PR element in PASN Auth M1 and prepare M2

Validate the PR element received in PASN Auth M1. Attributes such as
capabilities and ranging capabilities are validated. In case where
validation of the PR element fails or processing of M1 frame fails or
operation mode could not be derived, status is set as failure and M2 is
sent. In case a PR element could be validated and operation mode could
be derived, capabilities and preferred ranging type capabilities,
operation mode, and status as success are added to the PR element for M2
and sent.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Deliver received PR PASN auth frames for processing
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 21:08:45 +0000 (02:38 +0530)] 
PR: Deliver received PR PASN auth frames for processing

If a Proximity Ranging element is present in the PASN frame, it is
processed by proximity ranging implementation. Deliver the frame there
instead of the generic PASN processing. The actual PR processing will be
added in separate commits.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Handle PR PASN auth TX status
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 20:58:07 +0000 (02:28 +0530)] 
PR: Handle PR PASN auth TX status

Check if an ACK is received for transmitted PASN frame that contains
Proximity Ranging element(s).

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Check the input params of PASN Auth request
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 20:51:24 +0000 (02:21 +0530)] 
PR: Check the input params of PASN Auth request

Proximity Ranging parameters present in PASN request frame need to be
validated. This validation is done by comparing the capabilities present
in PASN frames with the capabilities advertised in USD, if the proposed
role is not feasible then the PASN is deemed to fail.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Add PR element into PASN Auth1 frame
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 20:49:56 +0000 (02:19 +0530)] 
PR: Add PR element into PASN Auth1 frame

Add the Proximity Ranging element into the PASN Auth1 frame. This frame
includes ranging capabilities, capabilities specific to ranging type
(EDCA/NTB), and the proposed operation mode.

The operation mode contains the proposed ranging role, ranging type, and
channel list. These parameters will be negotiated through subsequent
PASN Authentication frames.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: Set password/PMK for PASN-SAE based on auth mode and configure RSNXE
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 20:38:47 +0000 (02:08 +0530)] 
PR: Set password/PMK for PASN-SAE based on auth mode and configure RSNXE

Set parameters such as password/PMK needed for PASN-SAE and configure
the RSNXE for PASN negotiation for Proximity Ranging.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks ago PR: PASN authentication initialization for Proximity Ranging
Peddolla Harshavardhan Reddy [Mon, 28 Apr 2025 09:50:50 +0000 (15:20 +0530)] 
PR: PASN authentication initialization for Proximity Ranging

Proximity Ranging negotiation is performed by wrapping PR element(s)
onto PASN Authentication frames. Add functionality to initiate PASN and
enable this negotiation process.

The negotiation determines the roles, the type of ranging, and
the channel on which the ranging should be conducted.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Validate DIRA from USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:57:52 +0000 (01:27 +0530)] 
PR: Validate DIRA from USD PR element

Parse and validate the Proximity Ranging Device Identity Resolution
Attribute (PR DIRA). Compare the received Tag against a Tag derived
using each DIK in the list stored in the global Proximity Ranging
context. If the tags match, the device identity is confirmed and any
data associated with the matching DIK is retrieved for later use.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Process 11az NTB Capability Attribute from USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:55:46 +0000 (01:25 +0530)] 
PR: Process 11az NTB Capability Attribute from USD PR element

Parse part of Proximity Ranging element corresponding to the Proximity
Ranging 11az NTB Capability Attribute and store the corresponding data
in a structure. This attribute contains capabilities that tell if the
device can act as an NTB ranging initiator or NTB ranging responder, a
list of channels on which the device supports NTB ranging, and other
device specific capabilities.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Process EDCA Capability Attribute from USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:49:59 +0000 (01:19 +0530)] 
PR: Process EDCA Capability Attribute from USD PR element

Parse part of Proximity Ranging element corresponding to the Proximity
Ranging EDCA Capability Attribute and store the corresponding data in a
structure. This attribute contains capabilities that tell if the device
can act as an EDCA based ranging initiator, EDCA based ranging
responder, and a list of channels on which the device supports EDCA
based ranging and other device specific capabilities.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Process Capability Attribute from USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:47:31 +0000 (01:17 +0530)] 
PR: Process Capability Attribute from USD PR element

Parse part of Proximity Ranging element corresponding to the Proximity
Ranging Capability Attribute and store the corresponding data in a
structure. This attribute contains capabilities such as EDCA based
ranging support, NTB based ranging support, and such.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Attribute parsing for Proximity Ranging element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:43:05 +0000 (01:13 +0530)] 
PR: Attribute parsing for Proximity Ranging element

Add functionality to locate the Proximity Ranging element, and parse the
attributes from this element. This element contains ranging
capabilities, device identity resolution attribute, and such. This is
also stored in a message structure to be processed further.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Manage Device Identity Key, password, and PMK
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:25:54 +0000 (00:55 +0530)] 
PR: Manage Device Identity Key, password, and PMK

Add functionality for adding and clearing the Device Identity Key (DIK),
password, and PMK. These are associated with the DIK and are stored in a
list that is linked to the global Proximity Ranging context.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Derive and add DIRA in USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 18:27:32 +0000 (23:57 +0530)] 
PR: Derive and add DIRA in USD PR element

Derive the Device Identity Resolution Attribute (DIRA) and add it to the
Proximity Ranging element. The DIRA attribute is used to resolve the
identity of a device even when MAC randomization causes the peer
device's MAC address to change. The DIRA attribute includes fields such
as the cipher version, a nonce, and a tag.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Fetch Device Identity Key from configuration file
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 19:14:49 +0000 (00:44 +0530)] 
PR: Fetch Device Identity Key from configuration file

Get Device Identity Key from wpa_supplicant configuration file. Generate
a new DIK if it is not present in the configuration file.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Add NTB capabilities in USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 18:24:43 +0000 (23:54 +0530)] 
PR: Add NTB capabilities in USD PR element

Create a buffer that contains the NTB (802.11az) ranging capabilities of
a device. This buffer will be part of the Proximity Ranging Information
element used to advertise the device's ranging capabilities. These
capabilities are added to USD frames to enable their exchange with peer
devices.

The NTB-based ranging capabilities include attributes such as the
ability to act as an NTB ranging initiator, the ability to act as an NTB
ranging responder, the channels on which NTB ranging is supported by the
device, and other device-specific capabilities.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Add EDCA capabilities in USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 18:21:45 +0000 (23:51 +0530)] 
PR: Add EDCA capabilities in USD PR element

Create a buffer that contains EDCA (802.11mc) based ranging capabilities
of a device which will be part of a Proximity Ranging element used to
advertise ranging capabilities of a device. These capabilities are added
to USD frames to enable their exchange with peer devices. The EDCA based
ranging capabilities have attributes such as the ability to act as an
EDCA based ranging initiator, the ability to act as an EDCA based ranging
responder, the channels on which the EDCA Ranging is supported by the
device and other device specific capabilities.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Add ranging capabilities in USD PR element
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 18:12:19 +0000 (23:42 +0530)] 
PR: Add ranging capabilities in USD PR element

Create Proximity Ranging capability buffer that will be a part of a
larger Proximity Ranging element that is used to advertise the ranging
capabilities of the device. The capabilities are fetched from the global
proximity ranging context. The capabilities include name of the device,
PASN authentication support, EDCA ranging support, NTB ranging support,
and such.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Pass PR elements in USD frames for processing
Peddolla Harshavardhan Reddy [Mon, 28 Apr 2025 09:14:36 +0000 (14:44 +0530)] 
PR: Pass PR elements in USD frames for processing

Add changes needed to process Proximity Ranging attributes present in
USD frames. USD is performed with the PR attribute to exchange
capabilities specific to proximity ranging. The discovered device
capabilities along with the other details such as address and name are
stored in a list present within the proximity ranging global context.

This commit includes only the base framework for getting the information
into appropriate places. Actual processing of the elements will be added
in separate commits.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: USD for Proximity Ranging
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 17:52:36 +0000 (23:22 +0530)] 
PR: USD for Proximity Ranging

USD is used to discover peers capable of Proximity Ranging (PR). Update
NAN USD implementation to cover the additional cases to encapsulate PR
data with a new identifier and also to add Proximity Ranging data to USD
frames.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Proximity Ranging element construction for USD
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 17:52:36 +0000 (23:22 +0530)] 
PR: Proximity Ranging element construction for USD

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Determine channels that are supported to perform ranging
Peddolla Harshavardhan Reddy [Tue, 19 Aug 2025 12:31:16 +0000 (18:01 +0530)] 
PR: Determine channels that are supported to perform ranging

Fetch supported channels for ranging and store them in Proximity Ranging
global context. This includes channels where Enhanced Distributed
channel Access (EDCA-802.11mc) is supported as well as channels where
Non-Trigger Based (NTB-802.11az) ranging is supported based on the
corresponding format and bandwidth.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Update PR device configs and capabilities from driver
Peddolla Harshavardhan Reddy [Sat, 26 Apr 2025 18:44:48 +0000 (00:14 +0530)] 
PR: Update PR device configs and capabilities from driver

Fetch device configurations, capabilities, and supported channels for
ranging and store them in Proximity Ranging global context. This
includes propagation of Enhanced Distributed channel Access
(EDCA-802.11mc) based ranging capabilities as well as Non-Trigger Based
(NTB-802.11az) ranging capabilities.

This commit does not include the actual driver interface specific
changes to fill in the values.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPR: Initialize Proximity Ranging global context
Peddolla Harshavardhan Reddy [Fri, 25 Apr 2025 07:32:52 +0000 (13:02 +0530)] 
PR: Initialize Proximity Ranging global context

Add changes to initialize and deinitialize the Proximity Ranging (PR)
global context and Makefile changes to enable the compilation of this
feature. The Proximity Ranging context will be global making it common
to all interfaces.

The compilation of changes related to Proximity Ranging can be
enabled using the CONFIG_PR flag.

Signed-off-by: Peddolla Harshavardhan Reddy <peddolla@qti.qualcomm.com>
2 weeks agoPASN: Allocate a copy of pasn_groups list into pasn_data
Jouni Malinen [Thu, 16 Oct 2025 20:24:56 +0000 (23:24 +0300)] 
PASN: Allocate a copy of pasn_groups list into pasn_data

Instead of pointing at an external memory location that might get
invalidated (e.g., by being actually in stack instead of long term heap
allocation as seems to be the case in src/p2p/p2p.c), allocate a copy of
the list of PASN groups into struct pasn_data.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
2 weeks agoReplace configuration int lists with int_arrays
Jouni Malinen [Thu, 16 Oct 2025 20:23:12 +0000 (23:23 +0300)] 
Replace configuration int lists with int_arrays

This cleans up implementation by getting rid of very similar
construction of a list of int values. hostapd used to terminate the
lists with -1 while int_array were terminated with 0. There are no cases
where 0 is needed to be included, so all these can be converted into the
existing int_array design.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
2 weeks agoPASN: Remove unused variable from pasn_data
Jouni Malinen [Thu, 16 Oct 2025 19:56:23 +0000 (22:56 +0300)] 
PASN: Remove unused variable from pasn_data

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
2 weeks agoAP MLD: Handle ML probe request for non-transmitting BSS
Rameshkumar Sundaram [Thu, 9 Oct 2025 11:18:49 +0000 (16:48 +0530)] 
AP MLD: Handle ML probe request for non-transmitting BSS

Currently, when a non-transmitting BSS in an MBSSID AP MLD receives a
Probe Request frame with AP MLD ID set, the Probe Response frame is sent
only with Basic MLE for the transmitting BSS.

Update Basic MLE of non-TX BSS if Probe Request frame is received with
AP MLD ID set, along with full STA profile info of the solicited AP MLD,
carried in the Probe Response frame body. If TX BSS is also affiliated
with an AP MLD, add the Basic MLE of the TX BSS without any STA profile
info.

With this, a non-AP MLD sending ML Probe Request frame targeting a
non-TX BSS in an AP MLD, can correctly identify the AP MLD with which
the AP corresponding to the non-TX BSS is affiliated based on the AP
MLD ID subfield.

Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
2 weeks agoAP MLD: Add helper function to get non-TX BSS based on MBSSID index
Rameshkumar Sundaram [Thu, 9 Oct 2025 11:18:48 +0000 (16:48 +0530)] 
AP MLD: Add helper function to get non-TX BSS based on MBSSID index

During ML Probe Request, a non-AP MLD might specify an AP MLD ID to let
the AP MLD know for which non-TX BSS it is requesting information.
Currently, while parsing the ML Probe Request frame, partner BSS
information is getting used to fetch the non-TX BSS requested by the
non-AP MLD.

However, relying on the partner information to fetch the non-TX BSS is
not correct in all the cases. Hence, remove fetching non-TX BSS from the
partner interface list and use MBSSID index received in the Probe
Request frame to get requested non-TX BSS data.

Address this by adding a new helper function to get the non-TX BSS from
the MBSSID index received in the Probe Request frame.

Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
2 weeks agoAP MLD: Update fetching MLD ID to use BSSID Index
Rameshkumar Sundaram [Thu, 9 Oct 2025 11:18:47 +0000 (16:48 +0530)] 
AP MLD: Update fetching MLD ID to use BSSID Index

Currently, hostapd_get_mld_id() returns 0 by default if mld_ap is set.
Update this function to correctly fetch the MBSSID Index based on the
hostapd data.

Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
2 weeks agoAdd QCA vendor command for airtime fairness (ATF)
Harish Rachakonda [Fri, 10 Oct 2025 15:43:05 +0000 (21:13 +0530)] 
Add QCA vendor command for airtime fairness (ATF)

Define a QCA vendor subcmd QCA_NL80211_VENDOR_SUBCMD_ATF_OFFLOAD_OPS and
attributes for Airtime Fairness (ATF) offload operations. This
command enables configuration and control of ATF features, which aim to
manage airtime distribution across various entities such as SSIDs,
SSID groups, peers, and access categories.

This interface is intended for use to dynamically manage airtime
distribution based on scheduling policy (if configured) across various
entities such as SSIDs, SSID groups, peers, and access categories.

Signed-off-by: Harish Rachakonda <rachakon@qti.qualcomm.com>
2 weeks agoAdd QCA vendor reasons for disconnection
Mounika Janapareddi [Thu, 9 Oct 2025 04:58:44 +0000 (10:28 +0530)] 
Add QCA vendor reasons for disconnection

Define new values to support additional disconnection reasons. This adds
new values QCA_DISCONNECT_REASON_KEY_FAIL_TO_INSTALL,
QCA_DISCONNECT_REASON_FW_TRIGGERED_LINK_SWITCH,
QCA_DISCONNECT_REASON_HOST_TRIGGERED_LINK_DELETE,
QCA_DISCONNECT_REASON_HOST_OCI_MISMATCH to map the disconnection
failure scenarios.

Signed-off-by: Mounika Janapareddi <mjanapar@qti.qualcomm.com>
2 weeks agoP2P2: Use peer listen frequency when initiating PASN authentication
Shivani Baranwal [Mon, 22 Sep 2025 09:05:39 +0000 (14:35 +0530)] 
P2P2: Use peer listen frequency when initiating PASN authentication

While initiating PASN authentication during P2P connect, use the peer’s
listen frequency instead of the previously used force_freq. The
force_freq is intended to be used as operating channel for the P2P group
formation, it may not match the peer’s current listen channel and can
lead to off-channel PASN attempts.

Signed-off-by: Shivani Baranwal <shivbara@qti.qualcomm.com>
2 weeks agoQCA vendor attribute extension for early TWT SP termination
Shailendra Pratap Singh [Wed, 8 Oct 2025 10:22:57 +0000 (15:52 +0530)] 
QCA vendor attribute extension for early TWT SP termination

Add QCA_WLAN_TWT_EARLY_TERMINATION_IND operation. This operation will be
used to terminate ongoing SP early for the TWT session.

Signed-off-by: Shailendra Singh <shasing@qti.qualcomm.com>
2 weeks agoP2P2: Omit RSNXE in P2P Auto GO PCC mode
Shivani Baranwal [Fri, 10 Oct 2025 07:09:56 +0000 (12:39 +0530)] 
P2P2: Omit RSNXE in P2P Auto GO PCC mode

Omit the RSNXE when operating in P2P Auto GO PCC (Persistent Client
Connectivity) mode (i.e., when RSN overriding is enabled) by setting
rsn_override_omit_rsnxe config. This improves interoperability with STAs
that might not be able to handle RSNXE in this configuration.

Signed-off-by: Shivani Baranwal <shivbara@qti.qualcomm.com>
3 weeks agonl80211: Ignore global regulatory change for self managed drivers
Manish Dharanenthiran [Wed, 8 Oct 2025 17:40:48 +0000 (23:10 +0530)] 
nl80211: Ignore global regulatory change for self managed drivers

For drivers with self managed regulatory support enabled, private
regdomain is the only valid domain. Hence, ignore the global regulatory
domain change event (NL80211_CMD_REG_CHANGE) if the driver is enabled
with self managed regulatory domain, as the regulatory domain for those
drivers will be updated via NL80211_CMD_WIPHY_REG_CHANGE.

Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
3 weeks agoDebug print op_class changes from setting new frequency
Jouni Malinen [Thu, 9 Oct 2025 22:08:24 +0000 (01:08 +0300)] 
Debug print op_class changes from setting new frequency

Since the recent addition of update op_class here in commit 3bc01a901803
("Update conf->op_class in hostapd_change_config_freq()") has needed at
least two fixes, it is good to get clear debug prints from it to be able
to figure out any potential remaining issues more easily.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoDFS: Update operating class on channel changes in the fallback case
Jouni Malinen [Thu, 9 Oct 2025 22:06:56 +0000 (01:06 +0300)] 
DFS: Update operating class on channel changes in the fallback case

Some of the DFS channel change operations seemed to fail when moving to
new channel based on radar detection without updating the op_class
configuration to match the new channel. Address these by updating
op_class in addition to the channel number in this additional fallback
case.

Fixes: 3bc01a901803 ("Update conf->op_class in hostapd_change_config_freq()")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoPASN: Fix buffer tailroom validation in wpa_pasn_add_wrapped_data()
Jouni Malinen [Thu, 9 Oct 2025 21:41:23 +0000 (00:41 +0300)] 
PASN: Fix buffer tailroom validation in wpa_pasn_add_wrapped_data()

While the initial tailroom checks cover the unfragmented case
accurately, the length of the fragment header was not counted correctly
for the case where the Wrapped Data element needs to be fragmented. This
could theoretically result in missing a case where the target buffer is
a bit shorter than all the needed fragments and the following
wpabuf_put*() operation could result in terminating the process due to
the additional check to prevent buffer overflows.

The existing use cases for this function within wpa_supplicant do not
seem to generate buffers that would be even close to reaching this limit
due to large buffer size used for the target. Anyway, this check needs
to be fixed to avoid any potential issues in the future or in external
uses for this function.

Fixes: 9ce123cdbf82 ("PASN: Add common Authentication frame build/validation functions")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoPASN: Fix buffer tailroom validation in wpa_pasn_add_extra_ies()
Jouni Malinen [Thu, 9 Oct 2025 21:29:58 +0000 (00:29 +0300)] 
PASN: Fix buffer tailroom validation in wpa_pasn_add_extra_ies()

The length of the additional elements was not used correctly, so the
check for remaining tailroom would not have caught cases where there is
not enough remaining room in the buffer and the following
wpabuf_put_data() operation would have resulted in terminating the
process due to the additional check to prevent buffer overflows.

The existing use cases for this function within wpa_supplicant do not
seem to generate buffers that would be even close to reaching this limit
due to large buffer size used for the target. Anyway, this check needs
to be fixed to avoid any potential issues in the future or in external
uses for this function.

Fixes: b1ed44b6a699 ("PASN: Allow extra elements to be added into PASN Authentication frames")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoWPS ER: Clear HTTP socket on NOTIFY processing errors
Jouni Malinen [Thu, 9 Oct 2025 14:12:09 +0000 (17:12 +0300)] 
WPS ER: Clear HTTP socket on NOTIFY processing errors

Since we process only a single request from the socket, there is no need
to maintain the HTTP socket when we detect an error. That will just
delay closing of the socket until WPS ER is stopped. Instead, close the
socket immediately on detecting the error to match the behavior for
unsupported HTTP request types and any cases where we send a response.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoReduce debug logging of configuration file details in wpa_supplicant
Jouni Malinen [Thu, 9 Oct 2025 10:03:39 +0000 (13:03 +0300)] 
Reduce debug logging of configuration file details in wpa_supplicant

Avoid printing some of the details about parsing failures and invalid
data read from a configuration file when parsing it for normal
wpa_supplicant operation. This helps in reducing risk for leaking
information about files that the wpa_supplicant process itself might be
able to read, but the process requesting a new interface to be added
(e.g., through a control interface operation) might not have privileges
to read.

This does not remove all the prints in all cases, but reduces debug
prints significantly for cases where the specified configuration file
does not use the same syntax as a valid wpa_supplicant configuration
file would.

The previously available level of detailed parsing information is
available for debugging purposes by running wpa_supplicant separately
for this without requesting any actual operation to be started. This can
be done, e.g., with the following command:
wpa_supplicant -c /tmp/test.conf -d

In addition to the debug information printed to stdout, the return code
from the process indicates whether the full configuration file was
parsed successfully.

It is also possible to explicitly request the parsing details to be
included in the debug log from normal operation by adding -y to the
command line. This is meant only for systems where the debug log is not
exposed to users that do not have access to the same set of files as the
wpa_supplicant process has.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoMBSSID: Use probed hostapd context during probe response generation
Rameshkumar Sundaram [Wed, 8 Oct 2025 03:20:47 +0000 (08:50 +0530)] 
MBSSID: Use probed hostapd context during probe response generation

While filling MBSSID elements during Probe Response frame generation,
the TX BSS context is passed to hostapd_eid_mbssid() and
hostapd_eid_mbssid_len(), but for a Probe Request frame directed to a
non-TX BSS, these functions need probed hostapd context as well.

Hence, make changes to pass the probed hostapd context while generating
Probe Response frames.

Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
3 weeks agoMBSSID: Send probe response only from transmitting BSS for MBSSID
Dhanavandhana Kannan [Wed, 8 Oct 2025 03:20:46 +0000 (08:50 +0530)] 
MBSSID: Send probe response only from transmitting BSS for MBSSID

In MBSSID enabled case, when a Probe Request frame with A3=wildcard
BSSID is received and the SSID matches that of a non-TX BSS, the Probe
Response frame is queued to the driver with non-TX BSS context. But,
mgmt->sa will be set to the TX BSS as it should be used to build the
Probe Response frame. This leads to TX failure as kernel checks the
management address with that of the BSS address, in this case it is the
non-TX BSS address.

Fix this issue by using the TX BSS for queuing the Probe Response frame
to the driver.

Signed-off-by: Dhanavandhana Kannan <dhanavandhana.kannan@oss.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
3 weeks agoDFS: Update operating class on channel changes
Jouni Malinen [Wed, 8 Oct 2025 16:38:31 +0000 (19:38 +0300)] 
DFS: Update operating class on channel changes

Some of the DFS channel change operations seemed to fail when moving to
a new channel based on radar detection without updating the op_class
configuration to match the new channel. Address these by updating
op_class in addition to the channel number.

Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
3 weeks agoUpdate conf->op_class in hostapd_change_config_freq()
Hariharan Basuthkar [Tue, 7 Oct 2025 21:33:34 +0000 (03:03 +0530)] 
Update conf->op_class in hostapd_change_config_freq()

Some cases of channel switching, e.g., when changing from a 320 MHz
channel to an 80 MHz channel in the 6 GHz band, have been observed to
cause disconnections due to non-AP MLDs getting confused with inaccurate
information.

On the AP side, the new target channel's ccfs0 and ccfs1 have incorrect
values in the EHT Operating Information element. This is because,
in hostapd_eid_eht_operation(), the ch_width is calculated based on
conf->op_class and during the channel switch, hostapd_change_config_freq()
does not assign the target channel's op_class to conf->op_class during
the construction of the Beacon frame template.

Fix this issue by assigning conf->op_class in
hostapd_change_config_freq().

Also, change the datatype of channel in hostapd_change_config_freq()
from int to u8, as IEEE 802.11 channel numbers are represented with 8
bits, and can only be between 1 and 255.

Signed-off-by: Hariharan Basuthkar <hbasuthk@qti.qualcomm.com>
3 weeks agohostapd: Fix wpa_auth config during reconfig
Aditya Kumar Singh [Tue, 7 Oct 2025 06:53:24 +0000 (12:23 +0530)] 
hostapd: Fix wpa_auth config during reconfig

When wpa_auth was reconfigured, its configuration was regenerated and
applied directly. This can result in the state machine being initialized
with parameters that exceed the driver’s supported capabilities.
Consequently, some kernel requests might get rejected, causing the state
machine to enter a failure state—preventing any client from connecting
post-reconfiguration.

However, during a normal bring-up sequence, the generated configuration
is first updated based on the interface’s capabilities. This ensures
that the initial setup of the wpa_auth state machine remains within
supported limits and succeeds.

Hence fix this issue by moving the configuration updating part to a
helper function and call it during initial as well as during
reconfiguration time.

Signed-off-by: Aditya Kumar Singh <aditya.kumar.singh@oss.qualcomm.com>
3 weeks agotests: SAE-EXT-KEY AKM support for PASN authentication
Ainy Kumari [Sat, 4 Oct 2025 12:44:26 +0000 (18:14 +0530)] 
tests: SAE-EXT-KEY AKM support for PASN authentication

Add a test case for PASN authentication with SAE-EXT-KEY AKM,
verifying PMK derivation, PMKSA caching, and failure with
incorrect passphrase.

Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
3 weeks agoPASN: Extend PASN support for SAE-EXT-KEY in Responder mode
Sai Pratyusha Magam [Tue, 12 Aug 2025 04:23:58 +0000 (09:53 +0530)] 
PASN: Extend PASN support for SAE-EXT-KEY in Responder mode

The previous PASN implementation had checks only for SAE as the base
AKMP. Update PASN logic to treat SAE-EXT-KEY as a valid base AKM
alongside SAE in Responder cases, enabling PASN operations with the
extended SAE key management suite. This aligns with IEEE Std 802.11-2024
updates to PASN with SAE.

Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Signed-off-by: Rohan Dutta <drohan@qti.qualcomm.com>
3 weeks agoPASN: SAE-EXT-KEY AKM support for PASN Authentication in Initiator mode
Ainy Kumari [Fri, 3 Oct 2025 06:28:36 +0000 (11:58 +0530)] 
PASN: SAE-EXT-KEY AKM support for PASN Authentication in Initiator mode

Add support for WPA_KEY_MGMT_SAE_EXT_KEY in PASN authentication in
initiator mode. Update PASN logic to treat SAE-EXT-KEY as a valid base
AKM alongside SAE, enabling PASN operations with the extended SAE key
management suite. This aligns with IEEE Std 802.11-2024 updates to PASN
with SAE.

Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
3 weeks agoDefine QCA_NL80211_VENDOR_SUBCMD_GET_COEX_STATS
Wu Gao [Mon, 22 Sep 2025 02:31:48 +0000 (19:31 -0700)] 
Define QCA_NL80211_VENDOR_SUBCMD_GET_COEX_STATS

Define a new vendor subcommand QCA_NL80211_VENDOR_SUBCMD_GET_COEX_STATS
to retrieve Wi-Fi and Bluetooth coexistence statistics from the driver.

This subcommand allows userspace applications to query information about
the current Bluetooth Coexistence (BTC) mode and policy settings. The
implementation provides the following information:
- PDEV ID
- Current BTC mode
- Current BTC policy

This subcommand helps diagnose interference issues between Wi-Fi and
Bluetooth, monitor coexistence mechanisms, and optimize performance when
both radios are operating simultaneously.

Signed-off-by: Wu Gao <wugao@qti.qualcomm.com>
3 weeks agocrypto: Remove some unreachable algorithms
David Benjamin [Mon, 6 Oct 2025 15:18:39 +0000 (11:18 -0400)] 
crypto: Remove some unreachable algorithms

The tls_ciphers table contained a number of algorithms that weren't
referenced in tls_cipher_suites. Remove those. That includes
TLS_CIPHER_IDEA_CBC, which was probably always broken because it was
mapped to CRYPTO_CIPHER_NULL. It also removes RC2, which is an
export-only cipher, despite the file saying it doesn't bother with
exportable ciphers.

That, in turn, removes all references to CRYPTO_CIPHER_ALG_RC2, so
remove that too. The OpenSSL port of CRYPTO_CIPHER_ALG_RC2 probably
never worked anyway because it uses RC2 in ECB mode instead of CBC.

It's likely other removals are possible. tlsv1_common.c has single-DES
ciphers, but tlsv1_client.c and tlsv1_server.c only configure a much
smaller list. There's also a lot of code for TLS_KEY_X_DH_anon, but
those ciphers aren't configured. I've left those alone because I'm not
sure how all this code is used.

Signed-off-by: David Benjamin <davidben@google.com>
3 weeks agoOpenSSL: Enforce leaf cert expiry check with server cert pinning
Rathan Appana [Thu, 2 Oct 2025 17:01:25 +0000 (19:01 +0200)] 
OpenSSL: Enforce leaf cert expiry check with server cert pinning

When wpa_supplicant is configured to use EAP authentication with
ca_cert="hash://server/sha256/<hex>", the connection is set to
server_cert_only mode. In this mode, all leaf certificate validation
errors are currently ignored if the hash matches. This behavior was
introduced in commit 00033a0903f6 ("OpenSSL: Always accept pinned
certificates") to ignore chain validation problems [1], but it also
unintentionally ignores expiry and not-yet-valid errors on the leaf
certificate.

This patch changes the validation logic under server_cert_only mode so
that expiry (X509_V_ERR_CERT_HAS_EXPIRED) and not-yet-valid
(X509_V_ERR_CERT_NOT_YET_VALID) errors are not ignored, while other
validation errors continue to be bypassed if the hash matches. If expiry
checks must be disabled, the existing tls_disable_time_checks option can
still be used.

[1] https://lists.infradead.org/pipermail/hostap/2015-March/032240.html

Signed-off-by: Rathan Appana <rathanappana@gmail.com>
3 weeks ago OpenSSL: Leaf certificate time validity check when no CA is configured
Rathan Appana [Thu, 25 Sep 2025 16:17:45 +0000 (18:17 +0200)] 
OpenSSL: Leaf certificate time validity check when no CA is configured

When ca_cert_verify=0 (CA is not configured) the callback overrides all
OpenSSL errors, including time validity. Add an explicit leaf (depth 0)
check and do not override X509_V_ERR_CERT_HAS_EXPIRED/NOT_YET_VALID,
unless TLS_CONN_DISABLE_TIME_CHECKS is set.

This preserves the existing behavior of ignoring chain/issuer errors in
no-CA mode; pinning/CRL/OCSP/name checks are unchanged.

Signed-off-by: Rathan Appana <rathanappana@gmail.com>
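
The accept/reject policy described in the two OpenSSL commit messages above (server certificate pinning and no-CA mode), written out as a small decision model. This is an added example, not hostap code: `struct verify_policy`, `accept_cert()` and the `V_*` constants (local copies of OpenSSL's `X509_V_ERR_*` values) are hypothetical names, and treating time errors at depth > 0 as bypassed in both modes is an assumption drawn from the messages' "chain validation problems" and "chain/issuer errors" wording.

```c
#include <stdbool.h>
#include <stdio.h>

/* Local copies of OpenSSL's X509_V_ERR_* values (no OpenSSL headers needed). */
enum {
	V_OK = 0,
	V_ERR_CERT_NOT_YET_VALID = 9,
	V_ERR_CERT_HAS_EXPIRED = 10,
	V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
};

/* Hypothetical policy struct; field names are illustrative only. */
struct verify_policy {
	bool server_cert_only;    /* ca_cert="hash://server/sha256/<hex>" */
	bool hash_matches;        /* leaf hash equals the pinned value */
	bool ca_cert_verify;      /* false when no CA is configured */
	bool disable_time_checks; /* tls_disable_time_checks */
};

static bool is_time_error(int err)
{
	return err == V_ERR_CERT_HAS_EXPIRED || err == V_ERR_CERT_NOT_YET_VALID;
}

/* Accept or reject the certificate at 'depth' (0 = leaf) for result 'err'. */
bool accept_cert(const struct verify_policy *p, int depth, int err)
{
	/* Leaf validity-period errors survive unless explicitly disabled. */
	bool leaf_time_err = depth == 0 && is_time_error(err) &&
		!p->disable_time_checks;

	if (p->server_cert_only) {
		if (depth == 0 && !p->hash_matches)
			return false;   /* pin mismatch always fails */
		return !leaf_time_err;  /* other errors bypassed by the pin */
	}
	if (!p->ca_cert_verify)
		return !leaf_time_err;  /* no-CA: chain/issuer errors ignored */
	return err == V_OK;             /* CA configured: keep library verdict */
}

int main(void)
{
	struct verify_policy pin = { true, true, false, false };
	int ok = accept_cert(&pin, 0, V_ERR_CERT_HAS_EXPIRED);

	printf("pinned hash match, expired leaf: %s\n", ok ? "accept" : "reject");
	return 0;
}
```
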
3 weeks ago nl80211: Delay event processing during command handling
Benjamin Berg [Thu, 7 Aug 2025 11:25:57 +0000 (13:25 +0200)] 
nl80211: Delay event processing during command handling

Unrelated nl80211 events may arrive while the driver is waiting for the
confirmation of another command. These events must not be delivered
immediately as they may confuse the internal state machine. They also
must be delivered, but some commands would cause them to be dropped.

Fix this up by queuing all events for later processing. Note that this
code is not very elegant as libnl does not export the nl_cb_call()
function. Add a hook into the two relevant functions that process
events. This hook will forward command replies to the correct handler
and queue the event if they should not be processed immediately.

Note that in a lot of cases this cannot happen because different nl80211
sockets are used for different purposes. However, the EAPOL frames
specifically have to be delivered over the same socket that all
connection related commands are done. So for these notifications the
race condition can happen and could cause a state confusion in
wpa_supplicant.

An example of this happening was observed in the autogo_pbc test where
wpa_supplicant would initiate a deauth and during that time also handle
an EAPOL frame that itself caused another deauthentication. This
resulted in a double free of wpa_s->current_ssid.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
3 weeks ago nl80211: Silence bogus send_event_marker() warning
Benjamin Berg [Thu, 7 Aug 2025 11:25:34 +0000 (13:25 +0200)] 
nl80211: Silence bogus send_event_marker() warning

The err variable only contains an error if it is negative and positive
values are success. Fix the check to silence the message.

Fixes: 645ec9b58a85 ("nl80211: Do a roundtrip to reset event supressions")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>