git.ipfire.org Git - thirdparty/hostap.git/log
17 months ago test: Clear country config param at the end of kernel_reg_disconnect
Jouni Malinen [Sun, 18 Feb 2024 09:03:55 +0000 (11:03 +0200)] 
test: Clear country config param at the end of kernel_reg_disconnect

This is needed to avoid causing issues for following test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
17 months ago Add QCA_NL80211_VENDOR_SUBCMD_ADJUST_TX_POWER command
mukul sharma [Thu, 8 Feb 2024 07:47:29 +0000 (13:17 +0530)] 
Add QCA_NL80211_VENDOR_SUBCMD_ADJUST_TX_POWER command

During high battery voltage scenario, higher MCS data rate leads to poor
EVM accuracy which causes poor user experience. Hence to provide better
user experience, EVM accuracy needs to be improved by adjusting TX power
for MCS rate of specific band/radio chain. To achieve this, add a new
vendor command to configure required parameters in the WLAN driver.

Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
17 months ago Add QCA vendor attribute for BTM support configuration
Veerendranath Jakkam [Thu, 8 Feb 2024 09:11:08 +0000 (14:41 +0530)] 
Add QCA vendor attribute for BTM support configuration

Add a vendor attribute to configure BTM support in STA mode.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
17 months ago tests: NAN USD
Jouni Malinen [Sun, 11 Feb 2024 17:10:08 +0000 (19:10 +0200)] 
tests: NAN USD

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
17 months ago NAN: USD in hostapd
Jouni Malinen [Thu, 15 Feb 2024 15:41:05 +0000 (17:41 +0200)] 
NAN: USD in hostapd

Add hostapd support for interacting with the NAN discovery engine to
allow single-channel (i.e., the AP's operating channel) USD as Publisher
or Subscriber.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
17 months ago NAN: USD in wpa_supplicant
Jouni Malinen [Sat, 10 Feb 2024 09:57:23 +0000 (11:57 +0200)] 
NAN: USD in wpa_supplicant

Add wpa_supplicant support for interacting with the NAN discovery engine
to allow USD as Publisher or Subscriber.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
17 months ago NAN: Unsynchronized service discovery (USD)
Jouni Malinen [Sat, 10 Feb 2024 09:57:23 +0000 (11:57 +0200)] 
NAN: Unsynchronized service discovery (USD)

Add NAN discovery engine and wpa_supplicant interface to use it for the
subset of NAN functionality that is needed for USD.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
17 months ago NAN: Protocol definitions
Jouni Malinen [Sat, 10 Feb 2024 08:58:01 +0000 (10:58 +0200)] 
NAN: Protocol definitions

Add NAN protocol definitions that are needed for USD based on Wi-Fi
Aware specification v4.0.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
17 months ago Add os_reltime helpers to work with milliseconds
Jouni Malinen [Wed, 14 Feb 2024 19:42:35 +0000 (21:42 +0200)] 
Add os_reltime helpers to work with milliseconds

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
17 months ago DPP: Fix DPP Action frame check for EVENT_RX_MGMT events
Jouni Malinen [Tue, 13 Feb 2024 22:59:15 +0000 (00:59 +0200)] 
DPP: Fix DPP Action frame check for EVENT_RX_MGMT events

This was missing a check for the Category field and could have matched
other Action frames than Public Action frames.

Fixes: 9c2b8204e662 ("DPP: Integration for hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: FT and prepending PMKR1Name to EAPOL-Key msg 2/4
Jouni Malinen [Sat, 3 Feb 2024 18:13:25 +0000 (20:13 +0200)] 
tests: FT and prepending PMKR1Name to EAPOL-Key msg 2/4

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago FT: Allow wpa_supplicant to be configured to prepend PMKR1Name
Jouni Malinen [Sat, 3 Feb 2024 18:13:46 +0000 (20:13 +0200)] 
FT: Allow wpa_supplicant to be configured to prepend PMKR1Name

The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.

wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago FT: Allow PMKIDs from AssocReq to be in EAPOL-Key msg 2/4
Jouni Malinen [Sat, 3 Feb 2024 18:39:56 +0000 (20:39 +0200)] 
FT: Allow PMKIDs from AssocReq to be in EAPOL-Key msg 2/4

The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.

hostapd used to require that only the PMKR1Name is included in the PMKID
List of RSNE in EAPOL-Key msg 2/4. Extend this to allow the PMKIDs that
were included in the (Re)Association Request frame to be present as long
as the correct PMKR1Name is also present. This would allow PMKSA caching
to be used in initial mobility domain association with supplicant
implementations that insert the PMKR1Name without removing the PMKIDs
used in the (Re)Association Request frame. wpa_supplicant did not use to
do that, but other implementations might.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago AP MLD: Handle EAPOL only on the association link
Chenming Huang [Thu, 23 Nov 2023 09:49:22 +0000 (15:19 +0530)] 
AP MLD: Handle EAPOL only on the association link

For some implementations, there is no link id in the EAPOL event, e.g., when using
drv_event_eapol_rx for receiving. The current design for such a case is to switch
to a link that stores the peer. However, this is error-prone because for
non-AP MLD case, sta_info is stored in all valid links but EAPOL sm is
only initialized in the association link. If EAPOL RX event is handled
in a non-association link, it will be discarded and this leads to EAPOL
timeout.

So find the association link to handle received EAPOL frame in such
case. This replaces the previously used workaround for RSN/wpa_sm for
the no link id specified case.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago AP MLD: Do not allow disabling first interface affiliated with an AP MLD
Chenming Huang [Wed, 20 Dec 2023 08:39:18 +0000 (14:09 +0530)] 
AP MLD: Do not allow disabling first interface affiliated with an AP MLD

Disabling the first interface calls hapd_deinit(), which causes some
issues, e.g., failure when trying to disable other interfaces due to
NULL drv_priv.

So check that all other interfaces are already disabled before disabling
the first interface.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago tests: AP MLD with two links and disabling/enabling full AP MLD
Jouni Malinen [Fri, 2 Feb 2024 20:25:27 +0000 (22:25 +0200)] 
tests: AP MLD with two links and disabling/enabling full AP MLD

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago AP MLD: Add support for hostapd_cli to disable/enable AP MLD
Chenming Huang [Thu, 7 Sep 2023 04:08:00 +0000 (09:38 +0530)] 
AP MLD: Add support for hostapd_cli to disable/enable AP MLD

Existing commands ENABLE/DISABLE only enable/disable the corresponding
link. To disable all links, multiple calls from different control
interfaces would be needed.

Add new commands "disable_mld" and "enable_mld" for hostapd_cli to
support disabling/enabling AP MLD for convenience.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago hostapd: Do not use prefix matching for ENABLE/RELOAD/DISABLE
Jouni Malinen [Fri, 2 Feb 2024 20:26:29 +0000 (22:26 +0200)] 
hostapd: Do not use prefix matching for ENABLE/RELOAD/DISABLE

These control interface commands do not take any parameters and as such,
do not need to use a prefix match. Replace that with an exact string
match to avoid matching other potential command strings.

Fixes: 7554565299a1 ("hostapd: Add ctrl_iface for enabling/reloading/disabling interface")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago AP MLD: Process link info when handling new STA event with driver SME
Chenming Huang [Tue, 21 Nov 2023 06:12:29 +0000 (11:42 +0530)] 
AP MLD: Process link info when handling new STA event with driver SME

When association is handled in hostapd, a non-AP MLD's info is stored in
all valid links. This should be the same when SME is offloaded to the
driver.

Also skip some operations that are already done by the driver
when SME is offloaded.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago tests: 40 MHz HT40 plus/minus to 20 MHz downgrade
Jouni Malinen [Fri, 2 Feb 2024 15:54:03 +0000 (17:54 +0200)] 
tests: 40 MHz HT40 plus/minus to 20 MHz downgrade

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago Handle both HT40+ and HT40- allowed consistently in channel check
Jouni Malinen [Fri, 2 Feb 2024 15:50:40 +0000 (17:50 +0200)] 
Handle both HT40+ and HT40- allowed consistently in channel check

Return the result from the first hostapd_is_usable_chan() call instead
of the following attempts in case of ht40_plus_minus_allowed to have
consistent behavior with the case where only one option is specified.
This allows the fallback to 20 MHz to work in additional cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Downgrade to 20 MHz due to regdb constraints
Jouni Malinen [Fri, 2 Feb 2024 09:16:21 +0000 (11:16 +0200)] 
tests: Downgrade to 20 MHz due to regdb constraints

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago ACS: Handle ACS channel selected event in specified link
Chenming Huang [Sat, 29 Jul 2023 02:51:03 +0000 (08:21 +0530)] 
ACS: Handle ACS channel selected event in specified link

When ACS is offloaded to the driver, the channel selected event carries
link id to specify the link if operating as AP MLD.

Find the specified link to handle this event.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago ACS: Add link id if operating as an AP MLD
Chenming Huang [Sat, 29 Jul 2023 02:19:03 +0000 (07:49 +0530)] 
ACS: Add link id if operating as an AP MLD

ACS is triggered per link, so link id is needed for the driver to handle
when the ACS operation is offloaded.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago wlantest: Fix TK iteration based on the PTK file
Jouni Malinen [Thu, 1 Feb 2024 17:51:56 +0000 (19:51 +0200)] 
wlantest: Fix TK iteration based on the PTK file

Use of ptk_len is not valid here to check what is the length of the
actual TK. Fix this by using ptk->tk_len instead so that the appropriate
decryption function can be selected for cases where the TKs are
configured through the PTK file.

Fixes: ce7bdb54e5c9 ("wlantest: Extend Management frame decryption to support GCMP and CCMP-256")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Remove WpaSupplicant control interface workarounds
Jouni Malinen [Wed, 31 Jan 2024 10:27:48 +0000 (12:27 +0200)] 
tests: Remove WpaSupplicant control interface workarounds

Now that run-tests.py closes the control interface sockets explicitly,
there is no need to try to avoid using dev[] within the D-Bus test
cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Close wpa_supplicant control interface sockets at the end
Jouni Malinen [Wed, 31 Jan 2024 10:16:36 +0000 (12:16 +0200)] 
tests: Close wpa_supplicant control interface sockets at the end

Close all the control interface sockets and delete the client socket
files explicitly at the end of the test loop. This removes needs for
various workarounds that tried to force WpaSupplicant and Ctrl class
__del__() to remove the sockets.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago test: dbus: Wait for connection before disconnect (again)
Johannes Berg [Tue, 30 Jan 2024 16:21:29 +0000 (17:21 +0100)] 
test: dbus: Wait for connection before disconnect (again)

The same thing as we did previously in dbus_p2p_autogo_pbc
can evidently also happen in dbus_p2p_autogo.

The test here wants to connect and then disconnect again,
but it's driven only by the GO side, so the client may end
up (with UML time-travel) not fully connecting, and then
it all fails. Wait for the client to have connected first.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 months ago tests: AP MLD behavior with multiple STAs
Jouni Malinen [Tue, 30 Jan 2024 09:42:05 +0000 (11:42 +0200)] 
tests: AP MLD behavior with multiple STAs

In particular, verify AID assignment by AP MLD to both non-AP MLDs and
non-MLD STAs.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago AP MLD: Fix AID allocation for legacy STA
Harish Rachakonda [Tue, 30 Jan 2024 09:15:58 +0000 (14:45 +0530)] 
AP MLD: Fix AID allocation for legacy STA

Currently, AID is not allocated properly in hostapd for legacy non-MLD
STA in case of an AP MLD. All such stations have same AID.

Fix this issue by allocating AID properly in hostapd when operating as
an AP MLD and the STA is not an MLD.

Fixes: d924be3bd06a ("AP: AID allocation for MLD")
Signed-off-by: Harish Rachakonda <quic_rachakon@quicinc.com>
18 months ago Add QCA vendor command to disassociate with peer
Muna Sinada [Wed, 17 Jan 2024 03:48:48 +0000 (19:48 -0800)] 
Add QCA vendor command to disassociate with peer

This is an event indicating to the user space to disassociate with
peer based on the peer MAC address provided.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
18 months ago test: dbus: Wait for connection before disconnect
Johannes Berg [Sun, 28 Jan 2024 19:59:09 +0000 (20:59 +0100)] 
test: dbus: Wait for connection before disconnect

The test here wants to connect and then disconnect again, but it's
driven only by the GO side, so the client may end up (with UML
time-travel) not fully connecting, and then it all fails. Wait for the
client to have connected first.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 months ago OpenSSL: Use library functions for HPKE when possible
Jouni Malinen [Sun, 28 Jan 2024 18:18:07 +0000 (20:18 +0200)] 
OpenSSL: Use library functions for HPKE when possible

OpenSSL 3.2 added support for HPKE. Use that implementation when
possible. At least for now, the internal version needs to be included as
well to be able to cover the special DPP use case with brainpool curves.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Remove forgotten STAKey related functionality in EAPOL-Key Request
Jouni Malinen [Sun, 28 Jan 2024 17:15:08 +0000 (19:15 +0200)] 
Remove forgotten STAKey related functionality in EAPOL-Key Request

The use of a MAC KDE in the Key Data field of an EAPOL-Key Request frame
was only for the STAKey handshake. That handshake was implemented in
2005 as an experimental functionality and it was then removed in 2006.
However, this part of the functionality was forgotten. This does not do
anything in practice, so simplify the implementation and remove it.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago tests: FILS SK and STA requesting PTK rekeying
Jouni Malinen [Sun, 28 Jan 2024 17:02:55 +0000 (19:02 +0200)] 
tests: FILS SK and STA requesting PTK rekeying

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago FILS: Fix EAPOL-Key request generation
Jouni Malinen [Sun, 28 Jan 2024 16:56:47 +0000 (18:56 +0200)] 
FILS: Fix EAPOL-Key request generation

The Encrypted Key Data field needs to be set to 1 whenever using an AEAD
cipher. Without this, the Authenticator would discard the EAPOL-Key
request frame when using FILS.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Discard EAPOL-Key request without Secure=1
Jouni Malinen [Sun, 28 Jan 2024 16:41:06 +0000 (18:41 +0200)] 
Discard EAPOL-Key request without Secure=1

EAPOL-Key request is accepted only if the MIC has been verified, so PTK
must have already been derived and Secure=1 needs to be used. Check the
Secure bit explicitly for completeness even though the MIC verification
is already taking care of validating that the sender is in the
possession of valid keys.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Discard EAPOL-Key Request frames during 4-way handshake
Jouni Malinen [Sun, 28 Jan 2024 16:32:03 +0000 (18:32 +0200)] 
Discard EAPOL-Key Request frames during 4-way handshake

While the Authenticator state machine conditions are already checking
for sm->EAPOLKeyRequest, it seems clearer to explicitly discard any
EAPOL-Key Request frame that is received unexpectedly during a 4-way
handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Move Key Replay Counter checks for EAPOL-Key frames to helper functions
Jouni Malinen [Sun, 28 Jan 2024 09:38:45 +0000 (11:38 +0200)] 
Move Key Replay Counter checks for EAPOL-Key frames to helper functions

This simplifies wpa_receive().

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Check Key Descriptor Version value earlier in the process
Jouni Malinen [Sun, 28 Jan 2024 09:26:16 +0000 (11:26 +0200)] 
Check Key Descriptor Version value earlier in the process

There is no need to try to process the EAPOL-Key frame if it has an
unexpected Key Descriptor Version value. Move these checks to happen
earlier in the sequence. In addition, use a separate helper function for
this to simplify wpa_receive() a bit.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Reject undefined Key Descriptor Version values explicitly
Jouni Malinen [Sun, 28 Jan 2024 09:22:47 +0000 (11:22 +0200)] 
Reject undefined Key Descriptor Version values explicitly

Check that the EAPOL-Key frame Key Descriptor Version value is one of
the defined values explicitly instead of failing to process the Key Data
field later (or end up ignoring the unexpected value if no processing of
Key Data is needed).

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Use more generic checks for Key Descriptor Version 2 and 3
Jouni Malinen [Sun, 28 Jan 2024 09:18:40 +0000 (11:18 +0200)] 
Use more generic checks for Key Descriptor Version 2 and 3

IEEE Std 802.11-2020 describes the rule based on not-TKIP for value 2
and no pairwise cipher condition on value 3, so use that set of more
generic rules here.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Remove always true check on EAPOL-Key message in authenticator
Jouni Malinen [Sun, 28 Jan 2024 09:07:55 +0000 (11:07 +0200)] 
Remove always true check on EAPOL-Key message in authenticator

This was practically dead code since no other msg value exists anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago tests: EAPOL-Key msg 4/4 protocol testing for invalid Key Data encryption
Jouni Malinen [Sun, 28 Jan 2024 09:06:26 +0000 (11:06 +0200)] 
tests: EAPOL-Key msg 4/4 protocol testing for invalid Key Data encryption

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago tests: Use the provided timeout for P2P peer discovery
Jouni Malinen [Sat, 27 Jan 2024 09:35:31 +0000 (11:35 +0200)] 
tests: Use the provided timeout for P2P peer discovery

p2p_go_neg_init() ignored the provided timeout value and used the
default 15 second timeout in discover_peer(). This did not allow the
recently added go_neg_pbc() timeout increase for concurrent cases to be
used fully.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months ago Extend frequency configuration to handle 6 GHz channel 2
Thirusenthil Kumaran J [Wed, 10 Jan 2024 03:19:11 +0000 (08:49 +0530)] 
Extend frequency configuration to handle 6 GHz channel 2

In hostapd_set_freq_params(), if center_segment0 is 2, call
ieee80211_chan_to_freq() with operating class 136 instead of 131.

This is needed because channel 2 is an exception in the 6 GHz band. It
comes before channel 1 and is part of operating class 136.

Channel order in 6 GHz:
    2 (Operating Class 136)
    1   5   9 ....  (Operating Class 131)

Signed-off-by: Thirusenthil Kumaran J <quic_thirusen@quicinc.com>
18 months ago Add a QCA vendor attribute to determine QCA device
Muna Sinada [Wed, 17 Jan 2024 03:30:21 +0000 (19:30 -0800)] 
Add a QCA vendor attribute to determine QCA device

Add a new attribute for
%QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION subcommand. This
attribute is an 8 bit unsigned value used to specify whether an
associated peer is a QCA device.

Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
18 months ago tests: Make P2P SD multi-query tests more robust
Jouni Malinen [Fri, 26 Jan 2024 15:13:37 +0000 (17:13 +0200)] 
tests: Make P2P SD multi-query tests more robust

Accept any sequence and number of responses as long as the needed
Bonjour and UPnP services are found.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago P2P: Accept P2P SD response without TX status
Jouni Malinen [Fri, 26 Jan 2024 15:12:16 +0000 (17:12 +0200)] 
P2P: Accept P2P SD response without TX status

If a GAS response is received for a pending SD query, process it even if
the TX status event for the query has not yet been received. It is
possible for the TX status and RX events to be reordered especially when
using UML time-travel, so this is needed to avoid race conditions to
make SD more robust.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago nl80211: Increase the hard scan timeout for initial attempt
Jouni Malinen [Fri, 26 Jan 2024 10:26:36 +0000 (12:26 +0200)] 
nl80211: Increase the hard scan timeout for initial attempt

If both 6 GHz and S1G channels are included, the previously used timeout
was not long enough at least with mac80211_hwsim. Increase the initial
timeout to allow such a scan to be completed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Allow more time for chirping in dpp_chirp_ap_5g
Jouni Malinen [Fri, 26 Jan 2024 10:18:32 +0000 (12:18 +0200)] 
tests: Allow more time for chirping in dpp_chirp_ap_5g

The full scan at the beginning of the chirping step can take over 15
seconds when 6 GHz and S1G channels are included and the timeout here is
not enough to handle that.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Flush scan cache for rrm_beacon_req_table_detail
Jouni Malinen [Fri, 26 Jan 2024 10:10:41 +0000 (12:10 +0200)] 
tests: Flush scan cache for rrm_beacon_req_table_detail

Explicitly flush the scan cache in wpa_supplicant and cfg80211 to avoid
test failures here. An additional BSS table entry from a scan based on a
previous test case could result in causing this test case to report
failure since each beacon response could include multiple entries and
the check for the details would fail due to the unexpected data.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Make dfs_etsi more robust
Jouni Malinen [Fri, 26 Jan 2024 10:00:24 +0000 (12:00 +0200)] 
tests: Make dfs_etsi more robust

Explicitly wait for the STA to complete connection or channel switch
processing before running the second connectivity check.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago DFS: Print the random channel list entry selection in debug print
Jouni Malinen [Fri, 26 Jan 2024 09:59:48 +0000 (11:59 +0200)] 
DFS: Print the random channel list entry selection in debug print

This makes it a bit easier to understand what happens with random
channel selection after radar detection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago DFS: Fix a typo in a debug message
Jouni Malinen [Fri, 26 Jan 2024 09:42:54 +0000 (11:42 +0200)] 
DFS: Fix a typo in a debug message

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Add more time for concurrent GO group negotiation cases
Jouni Malinen [Fri, 26 Jan 2024 09:18:24 +0000 (11:18 +0200)] 
tests: Add more time for concurrent GO group negotiation cases

It is possible for the parallel connection attempt with an AP and P2P
device discovery with P2P search on social channels to take close to the
15 second timeout and these test cases could fail because of that
instead of a real issue. Increase the timeout to make this less likely
to cause test failures. In addition, add a debug entry to the log on the
r_dev timeout to avoid confusing print from the i_dev thread reporting a
timeout even when the first timeout was on the rdev_

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago Send actual BTM capability when the driver takes care of BSS selection
Veerendranath Jakkam [Wed, 24 Jan 2024 19:44:23 +0000 (01:14 +0530)] 
Send actual BTM capability when the driver takes care of BSS selection

wpa_supplicant disables BTM capability in Extended Capabilities element
when wpa_supplicant selects a misbehaving MBO/OCE AP that uses RSN
without PMF, but this is disabling BTM support for whole ESS connection
lifetime though the BTM support can be enabled when the driver takes
care of BSS selection and selects/roams to a BSS which is MBO and OCE
specification compliant. Thus, always set the actual BTM capability in
Extended Capabilities element when the driver takes care of BSS
selection.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
18 months ago wlantest: Adjust kdk_len according to RSNX capability for FT
Veerendranath Jakkam [Wed, 24 Jan 2024 03:17:15 +0000 (08:47 +0530)] 
wlantest: Adjust kdk_len according to RSNX capability for FT

Commit 0660f31ba0d0 ("wlantest: wlantest: Adjust kdk_len according to
RSNX capability") added support for PTK derivation and the additional
KDK component when Secure LTF support is used in the non-FT case.

Cover the same for the FT case to derive the correct PTK and consider
the additional KDK component when Secure LTF support is used.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
18 months ago tests: Enable PSK AKMs in EHT+MLO in WPA3 transition mode test
Jouni Malinen [Thu, 25 Jan 2024 17:48:51 +0000 (19:48 +0200)] 
tests: Enable PSK AKMs in EHT+MLO in WPA3 transition mode test

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Do not enable VHT for EHT test cases on 2.4 GHz
Jouni Malinen [Thu, 25 Jan 2024 17:41:33 +0000 (19:41 +0200)] 
tests: Do not enable VHT for EHT test cases on 2.4 GHz

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: proxyarp_errors: Sync carrier before sending frame
Johannes Berg [Wed, 24 Jan 2024 16:12:49 +0000 (17:12 +0100)] 
tests: proxyarp_errors: Sync carrier before sending frame

Similar to other cases before, this may end up trying to
send the frame before the carrier state is ready. Ensure
it's ready before sending the frame.

To do that, rename the sync_carrier() function and make
the ifname argument optional.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 months ago tests: FST: Leave time to process session request
Johannes Berg [Wed, 24 Jan 2024 16:12:48 +0000 (17:12 +0100)] 
tests: FST: Leave time to process session request

Due to scheduling in UML time-travel, the test may continue
running and find that the failure didn't trigger when really
the frame just didn't make it through to the other side. Add
some time for the necessary processing.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
18 months ago nl80211: Set allowed frequency list per link for AP MLD
Chenming Huang [Mon, 15 Jan 2024 12:03:18 +0000 (17:33 +0530)] 
nl80211: Set allowed frequency list per link for AP MLD

QCA_WLAN_VENDOR_ATTR_CONFIG_AP_ALLOWED_FREQ_LIST needs to be set per
link if operating as an AP MLD.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
18 months ago Enhance QCA vendor interface with new SAR version numbers
mukul sharma [Wed, 10 Jan 2024 10:14:32 +0000 (15:44 +0530)] 
Enhance QCA vendor interface with new SAR version numbers

Add more SAR version numbers in the qca_wlan_vendor_sar_version.

Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
18 months ago Make test code easier for static analyzers
Jouni Malinen [Mon, 22 Jan 2024 20:02:39 +0000 (22:02 +0200)] 
Make test code easier for static analyzers

The previous os_strncmp() calls have already verified that there is a
space in the string, so this os_strchr() call cannot really return NULL.
Anyway, make this easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago SAE: Fix resource leak on reading a separate password file
Jouni Malinen [Mon, 22 Jan 2024 20:00:35 +0000 (22:00 +0200)] 
SAE: Fix resource leak on reading a separate password file

The file needs to be closed on all paths before exiting from the
function.

Fixes: e748e50c629f ("SAE passwords from a separate file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago ACS: More consistent checking of the best channel pointer
Jouni Malinen [Mon, 22 Jan 2024 19:58:06 +0000 (21:58 +0200)] 
ACS: More consistent checking of the best channel pointer

It looks like best might be NULL in some cases, so check for this
explicitly before trying to dereference it for a debug print.

Fixes: 733de85680a4 ("ACS: Fix not selecting the best channel in the segment")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago Fix error path on Key Data field decryption
Jouni Malinen [Mon, 22 Jan 2024 19:54:34 +0000 (21:54 +0200)] 
Fix error path on Key Data field decryption

key_data_buf is already freed on the common exit path, so do not try to
free it here on error.

Fixes: 4abc37e67b9a ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago FT: Fix architecture for RxKH loading from a file
Jouni Malinen [Mon, 22 Jan 2024 19:30:10 +0000 (21:30 +0200)] 
FT: Fix architecture for RxKH loading from a file

src/ap/ap_config.c is not really supposed to call directly into a
function in hostapd/config_file.c. Furthermore, the wrapper through
ap_config.c did not really have any real value since it just called a
function that is within hostapd/*.c and that wrapper was called from
hostapd/*.c.

Instead of the wrapper, just call the function directly within the
hostapd directory.

Fixes: 392114a17960 ("FT: Add dynamic reload of RxKH definitions from file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago OpenSSL: Fix a memory leak on an error path
Jouni Malinen [Mon, 22 Jan 2024 17:12:12 +0000 (19:12 +0200)] 
OpenSSL: Fix a memory leak on an error path

peerkey from EVP_PKEY_new() needs to be freed on all error paths.

Fixes: b062507670b5 ("OpenSSL: Implement crypto_ecdh routines without EC_KEY for OpenSSL 3.0")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Allow valgrind suppressions to be used
Jouni Malinen [Mon, 22 Jan 2024 16:27:24 +0000 (18:27 +0200)] 
tests: Allow valgrind suppressions to be used

This makes valgrind reports somewhat cleaner when external libraries
have memory leaks that are not straightforward to fix. In addition,
increase the number of functions to include backtraces since the default
was not large enough to cover some cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago Avoid uninitialized seq number in debug print for testing functionality
Jouni Malinen [Mon, 22 Jan 2024 16:26:19 +0000 (18:26 +0200)] 
Avoid uninitialized seq number in debug print for testing functionality

If the driver fetch for the current sequence number fails, do not try to
print the value in a debug print without having cleared it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago tests: Fix a memory leak in a module test
Jouni Malinen [Mon, 22 Jan 2024 16:25:55 +0000 (18:25 +0200)] 
tests: Fix a memory leak in a module test

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months ago dbus: Avoid memory leak on error when signaling PropertiesChanged
Jouni Malinen [Mon, 22 Jan 2024 15:14:53 +0000 (17:14 +0200)] 
dbus: Avoid memory leak on error when signaling PropertiesChanged

put_changed_properties() might fail, e.g., due to memory allocation
failure or a failure in a property getter function. Such an error case
would have leaked the message iteration container since the call to
dbus_message_iter_close_container() would have been skipped.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agonl80211: Fix wiphy event handling when the driver is deinitialized
Jouni Malinen [Mon, 22 Jan 2024 12:39:54 +0000 (14:39 +0200)] 
nl80211: Fix wiphy event handling when the driver is deinitialized

Radar detection event could have resulted in the driver interface
instance getting deinitialized and the related memory freed in the
middle of the loop. This was not an issue when the event was passed only
into a single interface, but it became an issue when the loop tried to
send it to all interfaces. If the driver were removed, that loop check
would have used freed memory. Avoid this by explicitly checking that the
driver interface instance is still valid.

Fixes: f13683720239 ("nl80211: Pass wiphy events to all affected interfaces")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agoDPP: Avoid a potential use-after-free on an error path in AP
Jouni Malinen [Mon, 22 Jan 2024 11:59:03 +0000 (13:59 +0200)] 
DPP: Avoid a potential use-after-free on an error path in AP

The TX status handler for DPP Authentication Confirm message might have
resulted in use-after-free if the start of a GAS query were to fail,
e.g., due to being somehow unable to transmit the initial request. Avoid
this by explicitly confirming that the authentication session was not
removed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agoDPP: Fix use-after-free in connection status reporting when using TCP
Jouni Malinen [Mon, 22 Jan 2024 11:11:17 +0000 (13:11 +0200)] 
DPP: Fix use-after-free in connection status reporting when using TCP

The current connection (struct dpp_connection) might get removed during
the dpp_tcp_send_msg() call, so the code setting the
on_tcp_tx_complete_remove flag needs to check whether that happened to
avoid a potential use-after-free.

Fixes: 33cb47cf0191 ("DPP: Fix connection result reporting when using TCP")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agoDPP3: Fix potential use-after-free on push button bootstrap info
Jouni Malinen [Mon, 22 Jan 2024 10:41:02 +0000 (12:41 +0200)] 
DPP3: Fix potential use-after-free on push button bootstrap info

When removing the bootstrap info for the PB context, all the possible
pointers to that information need to be cleared to avoid accesses to
freed memory.

Fixes: 37bccfcab854 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agoEAP-SIM/AKA peer: Fix use-after-free for privacy identity
Jouni Malinen [Mon, 22 Jan 2024 09:47:00 +0000 (11:47 +0200)] 
EAP-SIM/AKA peer: Fix use-after-free for privacy identity

When the privacy protected identity is used for EAP-SIM/AKA, the buffer
containing the identity was freed just before its use. Fix that by
reordering the operations.

Fixes: 881cb4198b55 ("EAP-SIM/AKA peer: Simplify identity selection for MK derivation")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agonl80211: Fix memory leak on libnl nl_cb
Jouni Malinen [Mon, 22 Jan 2024 09:35:51 +0000 (11:35 +0200)] 
nl80211: Fix memory leak on libnl nl_cb

nl_socket_get_cb() increases cb_refcnt for the cb that is bound to a
socket and as such, nl_cb_put() needs to be used with the returned cb
after having cloned it to avoid leaking memory due to cb_refcnt never
getting back to 0.

Fixes: da0d51fee74b ("nl80211: Use socket cb instead of global->nl_cb in send_and_recv()")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
18 months agoOpenSSL: Fix a memory leak in crypto_ec_key_parse_priv()
Jouni Malinen [Sun, 21 Jan 2024 22:37:31 +0000 (00:37 +0200)] 
OpenSSL: Fix a memory leak in crypto_ec_key_parse_priv()

The OpenSSL 3.x version of crypto_ec_key_parse_priv using
OSSL_DECODER_CTX missed the call to free the context. Fix it to avoid a
memory leak.

Fixes: 4f4479ef9e1c ("OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API")
Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoAP MLD: Optimize struct mld_link_info size
Jouni Malinen [Sun, 21 Jan 2024 20:24:08 +0000 (22:24 +0200)] 
AP MLD: Optimize struct mld_link_info size

Use smaller variables when possible and reorder the variables to avoid
unnecessary padding. This drops struct mld_link_info size from 64 to 48
bytes and removes 240 bytes from struct sta_info.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoMark hostapd_gen_probe_resp() static
Jouni Malinen [Sun, 21 Jan 2024 20:09:07 +0000 (22:09 +0200)] 
Mark hostapd_gen_probe_resp() static

This function has been used only within beacon.c and it got accidentally
converted to a global function.

Fixes: 6b5e00a80e5f ("AP: Use a struct for Probe Response generation in/out params")
Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoAP MLD: Reduce struct mld_link_info size
Jouni Malinen [Sun, 21 Jan 2024 19:06:18 +0000 (21:06 +0200)] 
AP MLD: Reduce struct mld_link_info size

Replace the fixed length maximum buffer size for STA profile with
dynamically allocated buffers for active links. This reduces struct
mld_link_info size by almost 16 kB and drops the per-STA information in
struct sta_info to a more reasonable size to avoid the almost 10x
increase from MLO support.

In addition, free the resp_sta_profile buffers as soon as the ML element
has been generated for (Re)Association Response frame since those buffers
are not needed after that.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoAP MLD: Fix RADIUS deinit
Jouni Malinen [Sun, 21 Jan 2024 19:00:57 +0000 (21:00 +0200)] 
AP MLD: Fix RADIUS deinit

The singleton RADIUS client design did not address the deinit path
properly. Since hapd->radius could be shared with other links, the
pointer on all those other links needs to be cleared before freeing the
RADIUS client context. Without this, deinit path could have ended up trying
to use freed memory when clearing STA entries from other links and
trying to flush any pending RADIUS client messages.

Fixes: a213fee11da3 ("AP: MLO: Make IEEE 802.1X SM, authserv, and RADIUS client singletons")
Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoAP MLD: Use a helper function to set whether a STA is a non-AP MLD
Jouni Malinen [Sun, 21 Jan 2024 17:06:36 +0000 (19:06 +0200)] 
AP MLD: Use a helper function to set whether a STA is a non-AP MLD

This makes it easier to change the struct sta_info design for MLD by
reducing the number of direct references.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoAP MLD: Use a helper function to check if a STA is a non-AP MLD
Jouni Malinen [Sun, 21 Jan 2024 16:45:28 +0000 (18:45 +0200)] 
AP MLD: Use a helper function to check if a STA is a non-AP MLD

This makes it easier to change the struct sta_info design for MLD by
reducing the number of direct references.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agotests: Association comeback mechanism in wpa_supplicant
Jouni Malinen [Sun, 21 Jan 2024 10:17:07 +0000 (12:17 +0200)] 
tests: Association comeback mechanism in wpa_supplicant

Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoSME: Handle PMF association comeback when not handled in driver
Harry Bock [Wed, 10 Jan 2024 19:09:09 +0000 (14:09 -0500)] 
SME: Handle PMF association comeback when not handled in driver

In associations using PMF (IEEE 802.11w/MFP), the infrastructure
implements SA teardown protection by rejecting an (Re)Association
Request frame from an already-associated client.  The AP responds with
error 30 (Association request rejected temporarily) to instruct the
(potentially spoofing) client to back off, while it issues an SA Query
procedure to the already-associated client. If the client can respond to
it within the back-off period, it considers the new association to be a
spoof attempt.

However, there are cases where a legitimate client might need to
handle this error response - consider if the STA has deauthenticated,
but the AP cannot hear it (out of range).  If the MFP STA has deleted
its keys, it cannot respond to the SA Query procedure.

This association comeback process has commonly been implemented in the
driver, e.g., within mac80211 in case of the Linux drivers that use SME
in userspace. However, there are drivers that do not implement this
functionality. Extended wpa_supplicant to cover such cases as well.

The current implementation interprets this association error as a true
error, and will either add the BSS to the list of ignored BSSIDs, or
continue to try other BSSes. This can cause wpa_supplicant to back off
trying to reconnect for progressively longer intervals, depending on the
infrastructure's configured comeback timeout.

Allow wpa_supplicant to interpret the error, searching for the Timeout
Interval element in the (Re)Association Response frame and starting a
timer in the SME layer to re-associate after the timeout. This can be a
long delay (1-4 seconds in my experience), but it is likely much shorter
than bouncing between nearby BSSes.

This does not change behavior for drivers that implement association
comeback timer internally since they do not report the temporary
association rejection status code to user space.

Signed-off-by: Harry Bock <hbock@zebra.com>
18 months agotests: Write more info and statistics in parallel-vm.log
Jouni Malinen [Sat, 20 Jan 2024 18:53:21 +0000 (20:53 +0200)] 
tests: Write more info and statistics in parallel-vm.log

This is helpful in tracking how the total test execution time changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoD-Bus: Add a signal for HS2.0 terms and conditions
Damien Dejean [Fri, 19 Jan 2024 15:52:54 +0000 (15:52 +0000)] 
D-Bus: Add a signal for HS2.0 terms and conditions

Add HS20TermsAndConditions signal to D-Bus API to allow clients to be
notified when the network requires the acceptance of terms and
conditions. The URL of the T&C page is provided as a signal parameter.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
18 months agowlantest: Do not decrease debug level for test vectors
Jouni Malinen [Sat, 20 Jan 2024 17:45:20 +0000 (19:45 +0200)] 
wlantest: Do not decrease debug level for test vectors

The CCMP PV1 test vector dropped debugging verbosity at the end. This
was not really supposed to be done since these test vectors are expected
to print at EXCESSIVE verbosity.

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agowlantest: Add test vectors for S1G BIP
Henry Ptasinski [Thu, 11 Jan 2024 01:20:55 +0000 (17:20 -0800)] 
wlantest: Add test vectors for S1G BIP

- CMAC and GMAC modes
- 128-bit and 256-bit modes
- normal BIP and BIP using BCE
- test vectors with minimum and optional additional header elements in
  S1G beacon frames
- S1G Beacon Compatibility element in some cases, no other beacon body
   components

Signed-off-by: Henry Ptasinski <henry@e78com.com>
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Signed-off-by: David Goodall <dave@morsemicro.com>
18 months agowlantest: Fix the cipher name in a BIP-GMAC-256 test vector
Henry Ptasinski [Thu, 11 Jan 2024 01:20:55 +0000 (17:20 -0800)] 
wlantest: Fix the cipher name in a BIP-GMAC-256 test vector

Signed-off-by: Henry Ptasinski <henry@e78com.com>
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Signed-off-by: David Goodall <dave@morsemicro.com>
18 months agotests: FT with dynamic RxKHs configuration
Jouni Malinen [Sat, 20 Jan 2024 08:46:23 +0000 (10:46 +0200)] 
tests: FT with dynamic RxKHs configuration

Signed-off-by: Jouni Malinen <j@w1.fi>
18 months agoFT: Add control interface command to show configured RxKHs
Dariusz Kopka [Mon, 15 Jan 2024 13:16:00 +0000 (14:16 +0100)] 
FT: Add control interface command to show configured RxKHs

The new GET_RXKHS control interface command can be used to list the
currently configured RxKHs.

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
18 months agoFT: Add dynamic reload of RxKH definitions from file
Dariusz Kopka [Mon, 15 Jan 2024 13:16:00 +0000 (14:16 +0100)] 
FT: Add dynamic reload of RxKH definitions from file

hostapd reads the list of Rx Key Holders from hostapd.conf file.
However, for systems where topology changes dynamically, the update
of RxKHs list is required without reloading the whole configuration.

Introduce a new source of RxKH definition with original syntax:
- rxkh_file - Path to a file containing a list of RxKHs.

In addition, add a control interface command RELOAD_RXKHS to
reload RxKHs definition from the file specified in `rxkh_file`.

This allows hostapd to properly distribute Rx keys even after topology
change (assuming rxkh_file is updated and reload_rxkhs command issued).

Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
from original hostapd.conf file.

```
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
```

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
18 months agoFT: Move RxKH configuration clearing into a helper function
Dariusz Kopka [Mon, 15 Jan 2024 13:16:00 +0000 (14:16 +0100)] 
FT: Move RxKH configuration clearing into a helper function

This can be used as a shared function for reloading RxKHs at runtime.

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
18 months agoFix building against OpenSSL 3
Jouke Witteveen [Mon, 15 Jan 2024 17:57:52 +0000 (18:57 +0100)] 
Fix building against OpenSSL 3

Smartcard support uses the ENGINE API of OpenSSL, which has been
deprecated as of OpenSSL 3. Rather than migrating the code to the new API
or pretending that we do not support OpenSSL 3, accept that we use
deprecated functionality.

Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
18 months agonl80211: Avoid NL80211_WPA_VERSION_3 on older kernel versions
Benjamin Berg [Wed, 17 Jan 2024 19:04:28 +0000 (20:04 +0100)] 
nl80211: Avoid NL80211_WPA_VERSION_3 on older kernel versions

NL80211_WPA_VERSION_3 was only added in kernel 5.2 so it should not be
set for older kernel versions.  There is no direct way to check if the
value is supported. However, we can use the new infrastructure to check
whether the kernel has the NL80211_ATTR_SAE_PASSWORD attribute. It is
related and was added at the same time.

Fixes: 6cc78b3945d3 ("nl80211: Set NL80211_WPA_VERSION_2 vs. _3 based on AKM")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>