Michael-CY Lee [Tue, 14 May 2024 01:20:35 +0000 (09:20 +0800)]
nl80211: AP MLD: Reassign drv->ctx correctly to prevent hostapd crash
When the first link is deleted and there are still remaining links,
drv->ctx should be updated to the new default link on the bss.
Otherwise, drv->ctx points to the address that has already been freed
and makes hostapd crash.
Fixes: d2b62b3fe500 ("AP MLD: Support link removal before removing interface") Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
tests: Make SSID verification through beacon protection more robust
Clear scan results at the beginning of the test case to avoid incorrect
behavior if there are multiple entries for the same BSS. In addition,
use a bit longer wait for receiving an updated Beacon frame in scan
results.
Make Beacon frame checks less frequent for SSID verification
Instead of checking the latest scan results every second indefinitely,
add more latency between the checks in case the driver does not update
the time stamp value (i.e., does not report new Beacon frames during an
association).
Ilan Peer [Wed, 1 May 2024 07:19:53 +0000 (10:19 +0300)]
tests: Fix run_eht_mld_sae_two_links()
In the case that the AP MLD is disabled and enabled again, flush
the wpa_supplicant BSS table before reconnecting as otherwise
the previous AP MLD BSSs would be in the BSS table and the wpa_supplicant
would try to connect to them.
tests: Use different groups in test_sae_no_ffc_by_default
The test assumes that STA will try to reconnect with the same SAE group
after the first authentication attempt is rejected due to unsupported
group. Since this behaviour is fixed in the previous patch, configure
two different groups to trigger the second authentication attempt.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
wpa_supplicant: Always clear SAE rejected groups on roaming to another BSS
SAE rejected groups were not cleared in case of re-association to the
same ESS. Since new BSS can support different groups, keeping rejected
groups doesn't make sense and may result in AP rejecting the
authentication. Fix it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Currently, when the ACS is updating the puncturing bitmap, the function
acs_update_puncturing_bitmap() sets the primary channel bitmap to 0.
This leads to a potential issue where the primary channel could be
punctured if ACS selects a different best channel within the same
segment.
To fix this issue, ensure that the primary channel bitmap is correctly
set by calculating the index of the primary channel based on the
frequency difference between the current channel and the best channel in
the segment, and is then passed to acs_update_puncturing_bitmap().
Fixes: af0f60e7dd00 ("EHT: Calculate puncturing bitmap for ACS") Signed-off-by: Hari Naraayana Desikan Kannan <quic_hnaraaya@quicinc.com>
The current ACS algorithm incorrectly returns success even when there is
no survey list, leading to improper interference factor calculation.
This leads to treating 0 as a valid interference factor, which affects
channel selection judgment.
Fix the issue by ensuring success is only returned when the survey list
is not empty, thereby ignoring non-zero values in the interference
factor calculation.
Signed-off-by: Hari Naraayana Desikan Kannan <quic_hnaraaya@quicinc.com>
Hu Wang [Tue, 9 Jul 2024 07:55:28 +0000 (00:55 -0700)]
MLO: Swap Tx/Rx keys for GTK TKIP Michael MIC in MLO GTK KDE
While TKIP should not really be used at all anymore and is not allowed
for WPA3 (which is required for Wi-Fi 7), there are some deployed APs
that allow WPA2 PSK to be used with MLO and even allowing WPA+WPA2 mode
with TKIP as the group cipher). IEEE P802.11be/D5.0 does not seem to
explicitly disallow this combination, so handle the MLO GTK KDE key
processing similarly to the way GTK KDE is processed, i.e., including
swapping of Michael MIC Tx and Rx keys for TKIP.
This fixes issues with Michael MIC failures if TKIP is used as a group
cipher for a multi-link association.
Fix this by enabling HT by default if HE is enabled in the 2.4 GHz and 5
GHz bands. Similarly, enable VHT by default when HE is enabled in the 5
GHz band.
When the wiphy supports multiple bands and reports different capability
values between 5 GHz and 6 GHz channels, the 6 GHz mesh interface is
unable to correctly map the channel width in function
ibss_mesh_setup_freq(). This issue arises because the modes of 5 GHz and
6 GHz interfaces are the same (HOSTAPD_MODE_IEEE80211A) in supported
modes.
To address this, use function get_mode() to determine the appropriate
mode during mesh setup. This will iterates through all the hw_features
sets and ensures compatibility with the band of the channel supported in
hw_features set.
If SSID was not verified during the initial setup of an association, but
beacon protection was negotiated, try verify the SSID based on Beacon
frames that have been received after the first BIGTK has been
configured.
This is a variant of wpa_bss_get_ie() to allow IEs to be checked from
only Beacon frames similarly to how wpa_bss_get_vendor_ie_beacon()
behaves for vendor specific elements.
The new "bigtk_set=1" entry in the control interface STATUS command
output indicates that a BIGTK has been successfully configured. This
shows that beacon protection has been enabled for the current
association.
Indicate if SSID has been verified in STATUS output
Add a new "ssid_verified=1" entry into the control interface STATUS
command output if the SSID has been verified for the current
association. This verification may have been done implicitly (e.g., with
SAE H2E and FT protocol binding in the SSID into key derivation or with
FILS protecting the SSID element in the (Re)Association Request frame)
or explicitly with the recently added SSID protection mechanism during
the 4-way handshake.
PASN: Derive KDK on AP only when both ends support SecureLTF
On the AP responder side, KDK was derived if the driver advertises
WPA_DRIVER_FLAGS2_SEC_LTF_AP. That is not correct, i.e., this needs to
also depend on the initiator indicating support for this in the RSNXE of
PASN authentication frame 1.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:50 +0000 (10:13 +0200)]
trace: Only permit explicit prefix matching for functions
The matching code currently only tests whether the prefix of a function
matches. Make this more strict by ensuring that the function name is not
longer.
However, as this breaks some tests (due to inlining), add the ability to
do an explicit prefix match by appending a '*' to the function name. Use
this to change the eap_eke_prf match to eap_eke_prf_* in order to match
one of the actual implementations.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:49 +0000 (10:13 +0200)]
trace: Use strncmp() to match function names
The functions specified by the user might be longer than the function in
the backtrace, potentially overflowing the memcmp(). In practice, it
should not be a relevant out-of-memory read. However, we can use
strncmp() instead.
Note that, as before, this is only a prefix match. If a function name is
longer in the backtrace it will still match.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:48 +0000 (10:13 +0200)]
tests: Use sha256_prf_bits for failure stack matching
It seems that sha256_prf may not always be in the stack trace for
failure checking, possibly due to tail call optimization as it simply
calls sha256_prf_bits with updated parameters. Simply match against
sha256_prf_bits directly to avoid issues due to optimizations.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:47 +0000 (10:13 +0200)]
tests: Remove duplicate fail test check
The wpas_p2p_nfc_handover failure test and the more specific
wps_build_nfc_handover_req_p2p were effectively the same as the matching
currently does a prefix match. The code-path tested in these two cases
only hit a single TEST_FAIL macro in openssl_digest_vector.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:46 +0000 (10:13 +0200)]
tests: Use more specific alloc_fail location
The test here is triggering the allocation failure in the static
wpa_config_parse_password() helper. Use this and decrease the count
instead of matching both wpa_config_set_quoted() and wpa_config_set()
and counting down based on that.
This is in preparation to fix the failure function matching to not do a
prefix match.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:45 +0000 (10:13 +0200)]
tests: Specify correct function name for failure
The test expects rsn_pmkid_suite_b_192() to fail but specified only
rsn_pmkid_suite_b without the _192 postfix. Add the postfix so that the
function matching can be fixed later.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:44 +0000 (10:13 +0200)]
PMKSA: Guard against NULL KCK for memcpy()
If the kck_len is 0 then the pointer may be NULL. If that happens UBSAN
complains about the NULL pointer as memcpy() has the arguments declared
to never be NULL even if the copied number of bytes were zero.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:43 +0000 (10:13 +0200)]
MLD: Ensure link_bssid array has space for sentinel
The consumer of the link_bssid array assumes it is a NULL terminated
array of BSSIDs. As such, add one to the maximum number of links to
ensure that there is always a sentinel value.
Fixes: 5af986c75af4 ("MLD: Also mark links as failed after association failure") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Fri, 14 Jun 2024 08:13:42 +0000 (10:13 +0200)]
MLD: Ensure link BSSIDs remain on stack for ignore
When ignoring a link BSSID the multi-link information was parsed out
into a struct ml_sta_link_info on the stack. However, this stack
variable went out of scope before it was used by passing the link_bssids
pointer array to another function.
Fixes: 5af986c75af4 ("MLD: Also mark links as failed after association failure") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
dbus: Make sure ServiceDiscoveryRequest/Result does not override pointers
Explicitly free the previously allocated copy if ServiceDiscoveryRequest
or Service DiscvoveryResponse parsing loop finds multiple instances of
the same dict entry.
Davide Caratti [Thu, 30 May 2024 08:46:33 +0000 (10:46 +0200)]
dbus: Fix memory leak in case dbus provides 'tlvs' in invalid P2P SD response
Using D-Bus it is possible to request an invalid SD response where
"tlvs" is specified and there is an unknown key (e.g. "bar": "foo"). In
this case, "tlv" is allocated and then never used nor freed. Valgrind
complains as follows:
36 bytes in 1 blocks are definitely lost in loss record 20 of 74
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54FB94: wpas_dbus_handler_p2p_service_sd_res (dbus_new_handlers_p2p.c:3016)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3EE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed both in the error and non-error path
of wpas_dbus_handler_p2p_service_sd_res(). Also, add a test case in
test_dbus.py to verify correct behavior.
Davide Caratti [Thu, 30 May 2024 08:46:32 +0000 (10:46 +0200)]
dbus: Fix memory leak in case dbus provides tlv in P2P UPnP SD request
Using D-Bus it is possible to trigger a valid UPnP SD request where
"tlv" is specified: in this case "tlv" is allocated, and then not used
nor freed. Valgrind complains as follows:
72 bytes in 2 blocks are definitely lost in loss record 46 of 68
at 0x484C214: calloc (vg_replace_malloc.c:1675)
by 0x41C673: wpabuf_alloc (wpabuf.c:124)
by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
by 0x54F8B5: wpas_dbus_handler_p2p_service_sd_req (dbus_new_handlers_p2p.c:2928)
by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
by 0x5495DF: dispatch_data (dbus_common.c:37)
by 0x5495DF: process_watch (dbus_common.c:73)
by 0x5495DF: process_watch_read (dbus_common.c:89)
by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
by 0x41FA46: eloop_run (eloop.c:1233)
by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
by 0x40DB06: main (main.c:393)
Fix it ensuring that "tlv" is freed, both in the error and non-error
path of wpas_dbus_handler_p2p_service_sd_req(). Also, add a test case in
test_dbus.py to verify correct behavior.
Sascha Hauer [Thu, 30 May 2024 12:31:05 +0000 (14:31 +0200)]
nl80211: Use actual number of supported AKMs for AP setup
Since 0ce1545dcb8 ("nl80211: Determine maximum number of supported
AKMs") we get the maximum number of supported AKMs from the kernel.
Let's use that instead of the legacy NL80211_MAX_NR_AKM_SUITES when
setting up AP mode operation.
SecureLTF: Work around misbehaving STAs for PTK derivation without KDK
Some deployed STAs that advertise SecureLTF support in the RSNXE in
(Re)Association Request frames, do not derive KDK during PTK generation.
Since the correct key calculations in the AP includes an additional KDK
generation in such cases, this causes different PTK-KCK being derived
and the AP ultimately discarding EAPOL-Key message 2/4 due to MIC
validation failure.
Try to derive a PTK without KDK as a workaround in such cases and allow
the 4-way handshake to continue if this results in a matching MIC.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Hu Wang [Wed, 5 Jun 2024 05:21:02 +0000 (22:21 -0700)]
Do not derive SAE PT if the network profile does not include SAE
wpa_s_setup_sae_pt() derived SAE PT even when the configured key
management options did not include SAE if the global sae_pwe
configuration parameter had been changed to enable H2E. This adds
unnecessary extra delay, so derive PT only if SAE is actually enabled in
the network profile.
nl80211: AP MLD: Parse link ID to determine the BSS for color event
When an HE BSS color event is received from the driver, the event was
delevered to the first link BSS ctx. To support HE BSS color with MLO,
there is a need to identify the correct link for which the event is
intended.
Add link ID parsing support in the event handler and pass the link ID
(if included) down to the event handler so that appropriate link can be
selected.
nl80211: Refactor color collision related nl80211 commands handling
Almost same logic is there in handling four different commands related
to color collision. Later when link ID needs to be parsed, it would be
more duplicate logic at four different places. Hence refactor and bring
it in a single function.
hostapd: Fix updating Beacon frames during association handling
In function handle_assoc(), ieee802_11_update_beacons() was used to
update the Beacon frames. However, with commit a5d0bb42a226 ("Reduce
delay between Association Request and Association Response"), it was
changed to ieee802_11_set_beacons() which basically overturned what
commit e59d2a31cfb4 ("hostapd: Fix premature beacon set during
association handling") did which is not correct.
Fix this and use ieee802_11_update_beacons() instead of
ieee802_11_set_beacons().
Fixes: a5d0bb42a226 ("Reduce delay between Association Request and Association Response") Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
SAE: Reject invalid Rejected Groups element in the parser
There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.
SAE: Check for invalid Rejected Groups element length explicitly on STA
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.
Fixes: 444d76f74f65 ("SAE: Check that peer's rejected groups are not enabled") Signed-off-by: Jouni Malinen <j@w1.fi>
nl80211: Send link ID with NL80211_CMD_TDLS_MGMT to enable TDLS with MLO
The latest Linux kernel is mandating link ID with NL80211_CMD_TDLS_MGMT
for MLO connections. This resulted in not being able to perform TDLS
operations during a multi-link association.
Fix this by sending link ID in NL80211_CMD_TDLS_MGMT when available. If
link ID info is not available, send the link ID of the association link.
Jouni Malinen [Sun, 17 Mar 2024 08:47:58 +0000 (10:47 +0200)]
RADIUS: Check Message-Authenticator if it is present even if not required
Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.
Jouni Malinen [Sun, 17 Mar 2024 08:42:56 +0000 (10:42 +0200)]
RADIUS: Require Message-Authenticator attribute in MAC ACL cases
hostapd required Message-Authenticator attribute to be included in EAP
authentication cases, but that requirement was not in place for MAC ACL
cases. Start requiring Message-Authenticator attribute for MAC ACL by
default. Unlike the EAP case, this can still be disabled with
radius_require_message_authenticator=1 to maintain compatibility with
some RADIUS servers when used in a network where the connection to such
a server is secure.
Jouni Malinen [Sat, 16 Mar 2024 09:31:37 +0000 (11:31 +0200)]
Require Message-Authenticator in Access-Reject even without EAP-Message
Do not allow the exception for missing Message-Authenticator in
Access-Reject without EAP-Message. While such exception is allowed in
RADIUS definition, there is no strong reason to maintain this since
Access-Reject is supposed to include EAP-Message and even if it doesn't,
discarding Access-Reject will result in the connection not completing.
Jouni Malinen [Sat, 16 Mar 2024 09:26:58 +0000 (11:26 +0200)]
RADIUS DAS: Move Message-Authenticator attribute to be the first one
Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.
Jouni Malinen [Sat, 16 Mar 2024 09:22:43 +0000 (11:22 +0200)]
hostapd: Move Message-Authenticator attribute to be the first one in req
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client in hostapd.
Jouni Malinen [Sat, 16 Mar 2024 09:16:12 +0000 (11:16 +0200)]
eapol_test: Move Message-Authenticator attribute to be the first one
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client.
Jouni Malinen [Sat, 16 Mar 2024 09:11:44 +0000 (11:11 +0200)]
RADIUS: Allow Message-Authenticator attribute as the first attribute
If a Message-Authenticator attribute was already added to a RADIUS
message, use that attribute instead of adding a new one when finishing
message building. This allows the Message-Authenticator attribute to be
placed as the first attribute in the message.
SAE: Clear rejected groups list on completing authentication
The rejected groups list is valid only during each individual SAE
authentication instance and it should not be maintained between separate
instances. In particular, it should not be maintained when roaming to
another AP since the APs might use different configuration for the
allowed SAE groups.
SAE: Clear rejected groups list on continuous failures
wpa_supplicant used to maintain the list of rejected groups for SAE over
multiple failed attempts. This could have some DoS issues, so clear this
list if SAE authentication attempts fails continuously.
SAE: Clear peer_rejected_groups when no element is included
When parsing a SAE Commit message, the temporary peer_rejected_groups
parameter was left to its old value in cases where the new SAE Commit
message did not include the Rejected Groups element. This could result
in unexpected behavior if a previously processed SAE Commit message
included a Rejected Groups element that claimed one of the enabled
groups to be rejected.
Explicitly clear the peer_rejected_groups value when parsing an SAE
Commit message without a Rejected Groups element to avoid rejecting the
new message based on some previously received incorrect information.
This avoids some potential denial-of-service issues during the lifetime
of the SAE temporary data.
SAE: Check for invalid Rejected Groups element length explicitly
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.
Vendor command extension for Responder PM Mode bit in TWT SET Request
Use the existing QCA_WLAN_VENDOR_ATTR_TWT_SETUP_RESPONDER_PM_MODE
attribute for TWT setup request to configure the Responder PM Mode bit
in the control field of the TWT element or broadcast TWT schedule.
Add vendor flag to indicate unavailability mode in TWT responder mode
Add a flag attribute
QCA_WLAN_VENDOR_ATTR_TWT_SET_PARAM_UNAVAILABILITY_MODE into enum
qca_wlan_vendor_attr_twt_set_param to configure the TWT responder
unavailability outside of the SPs of its broadcast TWT schedule.
Chenming Huang [Fri, 31 May 2024 02:28:36 +0000 (07:58 +0530)]
SAE: Free password identifier if SAE commit is rejected due to it
Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:
1. Peer sends an abnormal commit message with incorrect password
identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected
In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.
In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.
Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.
Jouni Malinen [Tue, 18 Jun 2024 22:09:52 +0000 (01:09 +0300)]
SSID protection in 4-way handshake on AP
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
This functionality is disabled by default and can be enabled with
ssid_protection=1. Once there has been more testing of this to confirm
there is no significant interoperability issues, the goal is to be able
to change this to be enabled by default.
Jouni Malinen [Tue, 18 Jun 2024 22:07:36 +0000 (01:07 +0300)]
SSID protection in 4-way handshake on STA
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
This functionality is disabled by default and can be enabled with
ssid_protection=1 in the network profile. Once there has been more
testing of this to confirm there is no significant interoperability
issues, the goal is to be able to change this to be enabled by default.
STA: Update scan results when BSS entry with current SSID is not found
wpa_supplicant might use a wrong BSS entry with the SSID different from
the current SSID of the current BSS while processing a roam event from
the driver when wpa_supplicant has a stale BSS entry with the old SSID
and the driver roams to the same BSS after it is restarted with a new
SSID.
To avoid this, update scan results from the driver when a BSS entry is
not found with the current SSID and try to fetch the BSS entry again
with the current SSID after this.
Also, with this change wpa_supplicant_get_new_bss() itself will update
the BSS table and search for the current BSS entry if it is not found in
the BSS table. So, remove the BSS table update and search logic from the
callers of wpa_supplicant_get_new_bss().
Once CCA is finished, Beacon frames need to be updated. The BCCA element
needs to be removed and the new color value shall be advertised in the
BSS Color Information field of the HE Operation element.
ACS: Handle scan start request failure with error code -EBUSY
Currently, if ACS scan request fails, states are cleared and returned.
However, in case of MLO, there is a possibilty of getting return value
of -EBUSY. In this case, ACS can retry the scan request after some time
similary to the HT40 scan.
Hence, retry the scan after 5 seconds if -EBUSY is returned. Maximum of
15 re-attempts are made before giving up.
AP MLD: Fix deferred first link BSS's authentication server init
Currently, RADIUS client, auth server, and 802.1X are copied from the
first link's BSS into the non-first link during its setup. However,
there could be a case where the first link is not initialized fully
because of ACS/HT40 SCAN/DFS. Hence, in such cases, NULL is getting
copied and later it leads to segmentation fault.
Initialize those on behalf of the first link in such case and update it
so that the next time other non-first link can use it.
Add a new QCA vendor attribute to set interface offload type
Userspace tools can use QCA_WLAN_VENDOR_ATTR_CONFIG_IF_OFFLOAD_TYPE to
configure the different below acceleration features (hardware, software)
on a per interface basis.
0 - No acceleration Packets are processed through the Linux kernel
networking stack.
1 - Software based acceleration: Packets are processed through the
shortcut forwarding engine (SFE) to bypass the Linux networking stack
for improved throughput performance. This option is applicable for AP,
STA, and Mesh mode and available for all radio designs. From the
performance aspect, this option consumes more CPU compared to the other
two options. Linux traffic control can be further applied with this
option to have more control on the traffic flows.
2 - Hybrid acceleration (software and hardware acceleration combined):
Packets are processed through both hardware and software in this case.
Packet classification is done by the hardware and then the packets are
delivered to software along with classification results as meta data.
Software can choose to do more classification/QoS based on use cases.
This is applicable for AP, STA, and Mesh modes and is available for all
radio designs. From the performance aspect, this option consumes
relatively less CPU compared to the SFE option above. Linux traffic
control rules cannot be applied with this option.
3 - Hardware based acceleration : Packets are processed through special
hardware (Direct Switch) rings which can directly forward the packets
between ethernet hardware and Wi-Fi hardware with very less software
involvement. This is applicable only for AP and STA modes; not
applicable for Mesh mode. From the performance aspect, this option
consumes very much less CPU compared to the other options. Linux traffic
control rules cannot be applied when this option is used. This option is
applicable only for specific radio designs. When this option is not
available, the default option (SFE) would be configured.
Jianmin Zhu [Tue, 7 May 2024 09:53:44 +0000 (02:53 -0700)]
Add vendor attributes to detect data stall for consecutive TX no ack
Add following vendor attributes to dynamically configure parameters to
detect data stall for consecutive TX no ack.
- QCA_WLAN_VENDOR_ATTR_CONFIG_CONSECUTIVE_TX_NO_ACK_DURATION
- QCA_WLAN_VENDOR_ATTR_CONFIG_CONSECUTIVE_TX_NO_ACK_THRESHOLD
Jouni Malinen [Wed, 29 May 2024 16:40:27 +0000 (19:40 +0300)]
WNM: Allow a specific BSS max idle period to be requested
Add a new wpa_supplicant network profile parameter max_idle that can be
used to specify a specific maximum idle period in units of 1000 TUs
(1.024 s) for associations.
Jouni Malinen [Wed, 29 May 2024 09:57:08 +0000 (12:57 +0300)]
WNM: Group rekeying skipping with BSS max idle period management
Allow hostapd to be configured to not disconnect a STA if the STA fails
to reply to a group key handshake when BSS max idle period management is
used. This might be needed for some STAs that use aggressive power
saving (e.g., battery powered IoT devices).
This is disabled by default since this can delayed group rekeying
slightly and also to maintain the previous behavior. The more relaxed
operation can be enabled with the new configuration parameter
no_disconnect_on_group_keyerror=1.
Jouni Malinen [Wed, 29 May 2024 09:41:51 +0000 (12:41 +0300)]
WNM: Configurable BSS Max Idle Period management on AP
Allow AP's behavior for BSS Max Idle Period management to be configured.
Previously, this was automatically enabled for all CONFIG_WNM_AP=y
builds. This can now be changed with the new hostapd configuration
parameter bss_max_idle:
0 = BSS Max Idle Period management disabled
1 = BSS Max Idle Period management enabled
(default and the previous behavior)
2 = BSS Max Idle Period management enabled with requirement for
protected keep-alive frames
Aditya Kodukula [Wed, 8 May 2024 01:04:31 +0000 (18:04 -0700)]
Add vendor attributes to configure TX/RX NSS and chains per band
Add attributes to QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION
vendor command to configure asymmetric TX/RX NSS and chains per band.
Also document driver's response when existing attributes to configure
TX/RX NSS and chains for all the bands 2.4 GHz and 5/6 GHz are used in
the same command.
Aditya Kodukula [Tue, 7 May 2024 19:48:42 +0000 (12:48 -0700)]
Add kernel documentation for nss and chain configuration vendor command
Add kernel documentation to the attributes used in the vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION to configure the NSS
and chains values used for transmitting and receiving the data.
mtk30479 [Wed, 24 Jan 2024 03:51:43 +0000 (11:51 +0800)]
P2P: Fix fast IP address allocation for invitation of a persistent group
Allocate static IPv4 address in EAPOL frames during 4-way handshake
instead of DHCP when using P2P invitation. wpa_s->current_bss needs to
be set for the P2P specific IP address assignment mechanism to be used
in wpa_supplicant_rsn_supp_set_config(). This worked for the initial P2P
connection, but not for some cases reinvoking a persistent group.
Since there is only one AP (P2P GO) in the P2P client case, the
conditions added in commit 4d3be9cdd143 ("Postpone updating of
wpa_s->current_bss till association event") are not needed and the
easiest approach for this is to allow current_bss to be set for
p2p_in_invitation cases. If the GO P2P Interface Address (BSSID) could
be determined for all the related cases, this could be addressed a bit
more cleanly by setting the go_bssid argument for
wpas_start_p2p_client(), but that can be left as a possible future step.
Signed-off-by: tzu-meng wang <tzu-meng.wang@mediatek.com>
projects / thirdparty / hostap.git / log
