P2P2: Allow device address change when reinvoking a persistent group
In P2P-R2 while reinvoking a persistent group, the devices of the group
can have a different P2P device address for the invite session. As
devices support MAC randomization, we should identify the peers based
on the device identity key. Hence, remove the ether_addr_equal() check.
P2P2: Store device identity key in wpa_supplicant configuration
When persistence is enabled, store the identity key into wpa_supplicant
configuration file since this information is needed for pairing
verification to invoke the persistent group and that can happen after
the wpa_supplicant process has been restarted.
Shivani Baranwal [Mon, 18 Nov 2024 06:00:26 +0000 (11:30 +0530)]
P2P2: Store WPA3 connection credentials in the configuration
Persistent connection details were stored only for WPA2-PSK mode. Enable
the storage of WPA3 sae_password, authentication algorithm, key
management, and protocol type. Also, allow credentials without
sae_password for the pmk_valid case.
hostapd: Pass link ID for non-link agnostic Action frames
With the recently added support for passing Link ID for transmitting
Action frames, pass the Link ID if the Action frame is not link
agnostic.
According to IEEE P802.11be/D7.0, 35.3.14 (MLD individually addressed
Management frame delivery), between an AP MLD and a non-AP MLD, certain
Action frames such as Block Ack Action frame, SA Query Action frame, and
WNM Sleep Mode Request/Response frame, etc. which are individually
addressed MMPDUs, are intended for an MLD. Therefore, there is no need
to pass the Link ID for these types of frames.
However, for the rest of the Action frames, since they are not said to be
intended for an MLD, use the link ID.
Hu Wang [Wed, 6 Nov 2024 10:50:04 +0000 (02:50 -0800)]
AP: Avoid double free of key data buffer if AES unwrap fails
key_data_buf was freed when aes_unwrap() failed, and then after goto
out, key_data_buf would be freed again. The separate freeing on
aes_unwrap() failure is not needed, so remove it.
Fixes: 4abc37e67b ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Hu Wang [Wed, 6 Nov 2024 10:39:05 +0000 (02:39 -0800)]
AP: NULL pointer check for bssid in hostapd_mgmt_tx_cb()
The BSSID pointer returned by get_hdr_bssid() may be NULL and it could
have been dereferenced by ether_addr_equal() here at least in theory
(though this is based only on the TX status events, i.e., own frames).
Add an explicit check to avoid that.
Fixes: d75ebe23d8 ("AP: Handle Management frame TX status for AP MLD address")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Hu Wang [Wed, 6 Nov 2024 10:17:04 +0000 (02:17 -0800)]
nl80211: NULL pointer check for msg in i802_flush()
Pointer 'msg' from nl80211_bss_msg() might be NULL and might be
dereferenced by nla_put_u8(), so check for memory allocation failure
explicitly here.
Jouni Malinen [Wed, 6 Nov 2024 17:41:44 +0000 (19:41 +0200)]
Convert wpa_s->hw_capab into a bitmap and add HE and EHT
This makes wpa_s->hw_capab more useful for determining local
capabilities, e.g., for reporting them using Wi-Fi Alliance generational
capabilities indication.
Jouni Malinen [Tue, 5 Nov 2024 16:45:10 +0000 (18:45 +0200)]
Wi-Fi Generational Capabilities Indication transmission on STA
Add support to send generational capabilities indication to the
associated AP. This includes generation of the Generational Capabilities
Indication attribute and sending it in either the (Re)Association Request
frame or the Wi-Fi Capabilities frame.
By default, this functionality is disabled. It can be enabled by setting
the global wpa_supplicant configuration parameter wfa_gen_capa to either
1 (protected) or 2 (unprotected) and setting the supported (and
optionally also certified) generational capabilities in
wfa_gen_capa_supp (and wfa_gen_capa_cert).
Jouni Malinen [Tue, 5 Nov 2024 16:42:51 +0000 (18:42 +0200)]
Wi-Fi Generational Capabilities Indication reception on AP
Process the received generational capabilities indication on AP. This
covers the Generational Capabilities Indication attribute parsing in
both (Re)Association Request frames and Wi-Fi Capabilities frames.
Jouni Malinen [Tue, 5 Nov 2024 16:48:20 +0000 (18:48 +0200)]
AP: Update the list of Action frame categories that are not robust
A number of new Action frame categories have been identified as being not
robust, i.e., not using management frame protection. Update the AP mode
implementation to cover those to allow reception of unprotected Action
frames from those categories.
Jouni Malinen [Tue, 5 Nov 2024 17:01:34 +0000 (19:01 +0200)]
tests: Remove registration for Vendor Specific Protected action frames
This additional registration is not needed anymore since hostapd
registers for these frames internally. In fact, this additional
registration is now failing.
Jouni Malinen [Tue, 5 Nov 2024 16:39:07 +0000 (18:39 +0200)]
nl80211: Register to receive Vendor Specific Protected action frames
This is needed to be able to process Vendor Specific Protected action
frames. In particular, this is needed for the Wi-Fi Alliance
Capabilities frame on an AP.
Shivani Baranwal [Sun, 18 Aug 2024 10:54:23 +0000 (16:24 +0530)]
Control interface command to generate new random MAC address
Add NEW_RANDOM_MAC_ADDRESS command to allow wpa_supplicant to be
requested to change the currently used MAC address to a random one. This
is applicable only when not connected (or trying to connect).
Jouni Malinen [Mon, 4 Nov 2024 21:03:19 +0000 (23:03 +0200)]
NAN: Do not expire USD services based on last TX/RX message
This behavior is not described in the Wi-Fi Aware specification, so
remove it and instead, expect services to terminate USD explicitly when
no further Follow-up messages are needed.
Jouni Malinen [Mon, 4 Nov 2024 20:42:44 +0000 (22:42 +0200)]
NAN: Make DE aware of maximum driver supported listen time
This can be used to optimize listen operations to be as long as the
driver supports instead of having to use a small enough value to work
with all drivers.
Jouni Malinen [Mon, 4 Nov 2024 20:05:29 +0000 (22:05 +0200)]
NAN: Do not unpause publisher on fixed Follow-up message timeout
Do not unpause publisher if more than one second has passed from the
last Follow-up message TX or RX. There is no such behavior described in
the Wi-Fi Aware specification and it is possible for a service to need
more time to generate Follow-up messages. Leave it to the service itself
to force timeout, if desired, or terminate pauseState after the 60
second overall timeout.
Jouni Malinen [Mon, 4 Nov 2024 21:01:58 +0000 (23:01 +0200)]
tests: Do not expect NAN USD services to terminate automatically
If further service discovery is needed, the USD services will not be
expiring automatically based on the last exchanged message, so modify
the test cases to explicitly terminate USD instead of waiting for the
timeout.
Shivani Baranwal [Thu, 29 Aug 2024 06:08:46 +0000 (11:38 +0530)]
Channel Usage, peer-to-peer TWT and TWT requester support
Add config support for channel usage procedure and peer-to-peer TWT on
AP and TWT Requester support on STA. The actual functionality of these
operations is expected to be implemented within the drivers.
Jouni Malinen [Fri, 1 Nov 2024 19:58:07 +0000 (21:58 +0200)]
Avoid undefined behavior in RSNXE capability bit checker
Integer promotion converts u8 rsnxe[i] to an int which is not
sufficiently large to be able to handle the maximum shift left of 24
bits here. Type cast rsnxe[i] to u32 explicitly to get rid of the sign
bit and avoid this undefined behavior from the shift operation.
Credit to OSS-Fuzz: https://issues.oss-fuzz.com/issues/376786400
Fixes: d675d3b15b40 ("Add helper functions for parsing RSNXE capabilities")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
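The promotion problem described in this commit message, shown as an added example that is not hostap's own code: rsnxe_capab_is_set() is a hypothetical RSNXE capability-bit checker written here for illustration. It assumes the RSNXE body layout from IEEE 802.11 (bits 0-3 of the first octet hold the Extended RSN Capabilities field length minus one, the remaining bits are capability bits), assembles up to four octets into a u32 and checks one bit. The cast to u32 before the shift is the fix; without it, an octet value of 0x80 or more in the fourth position would be promoted to int and shifted into the sign bit. The sample element bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
typedef uint32_t u32;

/*
 * Hypothetical RSNXE capability checker (example code, not hostap's
 * ieee802_11_rsnx_capab* helpers). rsnxe points at the element body
 * (after the Element ID and Length octets), rsnxe_len is its length.
 */
bool rsnxe_capab_is_set(const u8 *rsnxe, size_t rsnxe_len, unsigned int capab)
{
	size_t flen, i;
	u32 capabs = 0;

	if (!rsnxe || rsnxe_len == 0 || capab >= 32)
		return false;

	/* Bits 0-3 of the first octet: field length minus one. */
	flen = (size_t) (rsnxe[0] & 0x0f) + 1;
	if (flen > rsnxe_len)
		return false; /* truncated element: refuse rather than over-read */
	if (flen > 4)
		flen = 4; /* only 32 capability bits are represented here */

	for (i = 0; i < flen; i++) {
		/*
		 * Without the (u32) cast, rsnxe[i] is promoted to int and
		 * a value >= 0x80 shifted left by 24 bits overflows int,
		 * which is undefined behavior. Casting first keeps the
		 * shift in unsigned arithmetic for every octet value.
		 */
		capabs |= (u32) rsnxe[i] << (8 * i);
	}

	return (capabs & ((u32) 1 << capab)) != 0;
}

/* Constructed sample: length nibble 3 (four octets), bit 5 (SAE H2E)
 * set in octet 0, and the top bit of octet 3 set, i.e. bit 31. */
static const u8 sample_rsnxe[] = { 0x23, 0x00, 0x00, 0x80 };

int main(void)
{
	printf("H2E (bit 5):   %s\n",
	       rsnxe_capab_is_set(sample_rsnxe, sizeof(sample_rsnxe), 5) ?
	       "set" : "clear");
	printf("bit 31:        %s\n",
	       rsnxe_capab_is_set(sample_rsnxe, sizeof(sample_rsnxe), 31) ?
	       "set" : "clear");
	printf("truncated len: %s\n",
	       rsnxe_capab_is_set(sample_rsnxe, 2, 5) ? "accepted" : "rejected");
	return 0;
}
```

Compiling with -fsanitize=undefined and removing the cast makes the fourth-octet case visible as a shift overflow report, which is the class of finding OSS-Fuzz reported for the original helper.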
P2P2: Add device identity block to wpa_supplicant configuration
Add device identity block to store DIK, PMK, PMKID, and cipher version.
This persistent data is used during pairing verification of previously
paired peers. This commit defines the data structures and adds reading
and writing routines. The actual use of the information will be added in
following commits.
Shivani Baranwal [Sun, 18 Aug 2024 10:54:23 +0000 (16:24 +0530)]
P2P2: Update P2P Device Address when changing netdev address
P2P2 adds support for privacy and needs ability to update the P2P Device
Address. Update that whenever changing the interface address in
wpa_supplicant for other (non-P2P) MAC address randomization purposes.
Jouni Malinen [Fri, 1 Nov 2024 10:24:34 +0000 (12:24 +0200)]
tests: Update sae_password_id_pwe_looping to match implementation
Now that hostapd was changed to explicitly reject attempts of using SAE
password identifiers without H2E, this test case needs to be updated to
not expect connection.
Jouni Malinen [Fri, 1 Nov 2024 10:06:10 +0000 (12:06 +0200)]
SAE: Do not allow password identifier to be used without H2E
When the concept of SAE password identifiers was introduced in IEEE
P802.11REVme/D1.0, there was no requirement to use H2E with them.
However, this was changed for the published IEEE Std 802.11-2020 to
require H2E to avoid certain cases where the password identifier could
not have been parsed robustly.
Commit e36a5894d0c0 ("SAE: Use H2E whenever Password Identifier is
used") started forcing H2E to be used when password identifiers were in
use with SAE. However, it did not enforce rejection of cases where H2E
was not enabled by a non-compliant implementation. Add that explicit
check during parsing of SAE commit messages.
Jouni Malinen [Fri, 1 Nov 2024 10:18:41 +0000 (12:18 +0200)]
SAE: Send Commit message with unknown-password-id from Nothing state
The unknown-password-id case (i.e., BadId indicator in the SAE finite
state machine in the standard) is supposed to have different behavior
based on whether the current state is Nothing or Committed. The previous
hostapd implementation did not send a response Authentication frame in
either case, but the standard describes that behavior only for the
Committed state while the Nothing state is expected to report the
failure.
Update hostapd to send the Authentication frame with status code
indicating unknown password identifier when processing a Commit message
in the Nothing state.
Jouni Malinen [Thu, 31 Oct 2024 21:59:45 +0000 (23:59 +0200)]
SAE: Do not use the wpa_passphrase if SAE password identifier was used
Sharing of the WPA-PSK passphrase as the SAE password is only for the
case where no SAE password identifiers are used. Do not consider that on
an AP if a STA includes an SAE password identifier in an SAE commit
message. This avoids confusing cases where SAE would be allowed to
continue with the AP and the STA using different password identifiers,
which is going to fail in the end.
Kashish Awasthi [Wed, 23 Oct 2024 19:25:48 +0000 (00:55 +0530)]
Add new QCA vendor attributes for TWT statistics
Add the following vendor attributes to get TWT early service period
termination metrics in enum qca_wlan_vendor_attr_twt_stats.
- QCA_WLAN_VENDOR_ATTR_TWT_STATS_AVG_EOSP_DUR_US
- QCA_WLAN_VENDOR_ATTR_TWT_STATS_EOSP_COUNT
Kashish Awasthi [Tue, 29 Oct 2024 13:26:47 +0000 (18:56 +0530)]
Add new QCA vendor TWT status values
Add the following new status values in enum qca_wlan_vendor_twt_status
to enhance TWT session and operation handling, to cover various
scenarios such as peer rejections, timeouts and local teardown requests.
- QCA_WLAN_VENDOR_TWT_STATUS_TWT_ALREADY_RESUMED
- QCA_WLAN_VENDOR_TWT_STATUS_PEER_REJECTED
- QCA_WLAN_VENDOR_TWT_STATUS_TIMEOUT
Shivani Baranwal [Thu, 24 Oct 2024 14:10:42 +0000 (19:40 +0530)]
Add QCA vendor interface for additional TWT Setup command types
Add support to include TWT setup command type TWT Grouping, Accept TWT,
Alternate TWT, Dictate TWT, and Reject TWT. These commands are valid if
the TWT Request field is 0.
In P2P2, the PMKSA is generated through the PASN frame exchange during
the pairing process. Once pairing and group negotiation are successful,
the P2P Client initiates a connection with the P2P GO using the PMKID
derived during the pairing process. In the case of AP SME offload to the
driver, the driver handles the Association Request and Response frames
and needs to be able to determine whether the provided PMKID is known.
Therefore, configure the PMKID to the driver on the P2P GO to allow
association with the P2P Client.
Shivani Baranwal [Wed, 30 Oct 2024 13:26:14 +0000 (18:56 +0530)]
Control interface command to flush NAN publish and subscribe sessions
Add a control interface command for NAN_FLUSH to terminate all the
publish and subscribe sessions. This was previously done as a part of
the complete FLUSH operation, but it can be useful to be able to do this
specifically for NAN services without impacting other areas.
Shivani Baranwal [Thu, 17 Oct 2024 09:41:53 +0000 (15:11 +0530)]
P2P2: Fix pairing verification without encrypted elements
During the pairing verification process, the KEK might not be derived,
and the PASN encrypted elements are absent in the P2P2 IE. Therefore, it
is necessary to permit other attributes such as PCEA and the Action
Frame Wrapper attribute in the Authentication frame for the invitation
process.
P2P2: Determine PASN KEK derivation based on peer capabilities
P2P pairing setup requires KEK derivation during PTK generation in PASN,
as the Encrypted PASN element is needed to share the Device Identity Key
or opportunistic SAE password for association. However, during the
pairing verification process, the P2P peer might not indicate support
for KEK derivation in its capabilities since strictly speaking KEK is
not needed in that case even when the STAs are capable of deriving it.
Therefore, based on the peer's capabilities, avoid generating KEK while
deriving PTK.
P2P2: Support for GO to allow a client to join the group
Enable P2P GO to authorize a client device to join the group. In the
case of opportunistic bootstrapping, P2P GO must share the password with
the client device during PASN authentication in an Encrypted Data
element. P2P GO retrieves the ssid->sae_password and stores it in
p2p->dev_sae_password and authorizes the client. The SAE password and
the random passphrase derived for the WPA-PSK connection are the same. This
allows use of the get_passphrase API to connect a P2P-R1 and P2P-R2
client in PCC mode, which will be covered in separate commits.
The P2P Client initiates PASN authentication with the GO using either
the password or opportunistic bootstrapping method. In the password
method, the client initiates PASN authentication with SAE tunneling
using the password and proceeds with the connection using open
authentication. In the opportunistic bootstrapping method, the client
obtains the SAE password from the GO and initiates the connection with
SAE authentication.
Add the PMKSA on the P2P2 GO when a new P2P2 Client joins the group
instead of going through the WPS step. This commit is adding just the
mechanism to add the PMKSA and the actual use for this is in a separate
commit.
Jouni Malinen [Tue, 29 Oct 2024 10:27:12 +0000 (12:27 +0200)]
P2P2: Fix peer entry generation based on USD
All cases calling dev_found() for a P2P peer will need to set the peer
flags to indicate it has been reported. In particular, this is needed to
avoid memory leaks in D-Bus code and in P2P peer cleanup. The recently
added P2P2 case using USD did not update the flags, so fix it to match
other cases.
Fixes: b4f9742ee246 ("P2P2: Process Element container attribute from NAN SDFs")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Wed, 30 Oct 2024 10:04:01 +0000 (12:04 +0200)]
Remove STA entries if association is not completed in 60 seconds
While the IEEE 802.11 standard allows STAs to authenticate with multiple
APs and later associate with one such AP, it is not really good for an
AP to maintain STA entries for not fully associated STAs for a significant
amount of time. Time out such STA entries in hostapd to clean up state and
resources.
Jouni Malinen [Wed, 30 Oct 2024 10:30:35 +0000 (12:30 +0200)]
SAE: More robust password identifier checks for AP mode
Do not update the more persistent sae->tmp->pw_id value based on each
received SAE commit message before having successfully processed the
commit. In particular, this includes checking for a matching password
identifier in cases where the AP has enabled one or more SAE passwords
with identifiers.
A per-received-message sae->tmp->parsed_pw_id is used during parsing and
processing of each individual message and sae->tmp->pw_id is set only
after having successfully processed a commit message. This avoids
sae->tmp->pw_id being bound to an unknown value.
An earlier commit addressed some of the sequences that could have this
issue, but it missed some cases. This newer, more robust version covers
what the earlier commit did, so that part can be removed with the new
design.
Fixes: 761041b18ab2 ("SAE: Free password identifier if SAE commit is rejected due to it")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Wed, 30 Oct 2024 09:33:44 +0000 (11:33 +0200)]
SAE: Reject unexpected password identifier in commit message parser
While the list of possible SAE password identifiers might not be
available at the time of parsing a SAE commit message, an AP knows
whether any password identifiers have been enabled (since it has to
advertise that in the Beacon frames). When parsing a commit message on
an AP with no password identifiers in use, the parser can already reject
the unexpected case of an SAE password identifier.
Check for this specific case and reject the SAE commit based on unknown
password identifier if the received value cannot be for an enabled
password. This prevents some cases where an active attacker might have
been able to cause DoS by binding an STA entry in hostapd to a specific
SAE password identifier even when that identifier is not in use.
Jouni Malinen [Thu, 31 Oct 2024 09:11:46 +0000 (11:11 +0200)]
tests: Enable SAE Pw Id on AP in sae_proto_hostapd_valid_commit_after_fail
This is in preparation for implementation changes that use knowledge of
whether SAE Password Identifiers have been enabled to reject unexpected
commit messages.
Jouni Malinen [Wed, 30 Oct 2024 09:05:50 +0000 (11:05 +0200)]
SAE: Avoid duplicated debug entries for IEs in SAE commit messages
Print the "SAE: Possible elements at the end of the frame" debug message
only once (and only if there is actually some additional data) instead
of printing it for each element separately. There was some use for the
separated prints earlier, but that is not really helpful anymore with
the reduced mixing of IEs and non-IE fields at the end of the SAE commit
messages.
Stone Zhang [Mon, 14 Oct 2024 10:47:32 +0000 (18:47 +0800)]
hostapd: Fix clearing up settings for color switch
Settings for color switch (struct cca_settings settings) are used without
zero clearing, which causes the member
settings->ubpr->unsol_bcast_probe_resp_interval to be a random value.
It is against the NLA policy of NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT
and causes BSS color switch failure.
Fixes: 654d2395dddf ("BSS coloring: Handling of collision events and triggering CCA")
Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
Shivani Baranwal [Tue, 15 Oct 2024 06:13:14 +0000 (11:43 +0530)]
P2P2: Fix to check if sae_password is present
Fix the check for whether sae_password is present. Instead of checking
the static array's address which is always going to be true, verify that
the string is not empty.
Jouni Malinen [Wed, 23 Oct 2024 20:49:45 +0000 (23:49 +0300)]
tests: Use pasn_data_deinit() in pasn-resp fuzzing tester
The fuzzing tester for PASN responder needs to use pasn_data_deinit() to
free allocated memory in struct pasn_data after recent changes of adding
more allocated items into the struct. Without this, fuzz testing will
cause false positives due to memory leaks.
P2P2: Add a SAE password in PASN Encrypted Data element
This is added for opportunistic bootstrapping cases. In addition,
generate a random SAE password for pairing when needed, i.e., when the
request is not for an existing GO.
P2P2: Parser function for PASN Encrypted Data element and DevIK
Parse the encrypted P2P2 IE from PASN authentication frames and store a
copy of DevIK information so that this is available for use if the
connection succeeds for a persistent group.