sunilravi [Fri, 21 Mar 2025 22:23:03 +0000 (22:23 +0000)]
Prevent mesh_fwding field in network config when CONFIG_MESH is disabled
mesh_fwding and no_auto_peer configuration items are parsed within ifdef
CONFIG_MESH, but they are written without matching conditional
compilation. This could result in configuration files that cannot be
read back by the same wpa_supplicant binary if either of those
configuration values could end up getting modified.
Make the configuration file writing code use matching ifdef CONFIG_MESH
for these parameters to be consistent with the configuration reader.
sunilravi [Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)]
OpenSSL: Fix EAP-TLS connection failure in Android
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.
Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined") broke the logic to load the client private
key in Android which resulted in EAP-TLS connection failure. With this
change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined.
Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.
Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined")
Signed-off-by: sunilravi <sunilravi@google.com>
Jouni Malinen [Sun, 23 Mar 2025 08:25:34 +0000 (10:25 +0200)]
Revert "OpenSSL: Fix EAP-TLS connection failure in Android"
This reverts commit b5c7f20804655de31114e17524735691cf0e2798 to allow a
more complete change to be used for addressing the issue with the
earlier commit on Android.
sunilravi [Fri, 21 Mar 2025 18:07:37 +0000 (18:07 +0000)]
P2P2: Fix the argument list in wpas_p2p_usd_elems() for non-P2P build
The wpas_p2p_usd_elems() expects two arguments. But the stub function in
p2p_supplicant.h when CONFIG_P2P is disabled has only one argument. Fix
the build error by adding the service name argument in the
wpas_p2p_usd_elems().
Fixes: c96fd75b1841 ("P2P2: Add USD service hash in the P2P2 PASN M1 frame")
Signed-off-by: sunilravi <sunilravi@google.com>
sunilravi [Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)]
OpenSSL: Fix EAP-TLS connection failure in Android
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.
Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined") broke the logic to load the client private
key in Android which resulted in EAP-TLS connection failure. With this
change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined.
Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.
Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined")
Signed-off-by: sunilravi <sunilravi@google.com>
Rohan Dutta [Fri, 21 Mar 2025 09:38:04 +0000 (15:08 +0530)]
Fix sibling scan results update criteria for different channels
When scan results are received for a wpa_s instance, currently, other
wpa_s instances sharing the radio (siblings) will get updated with the
same scan results to reduce scan time.
But if the scan frequencies included in the requests for these siblings
are different, especially when they are exclusive when one wpa_s is a
non-AP MLD with 2.4 GHz and 5 GHz links and another wpa_s is a single
link non-AP MLD with 6 GHz link, the siblings will lose scan results for
the desired frequencies. Fix the sibling scan results update by checking
that they scan the same frequencies and they are not MANUAL_SCAN.
Fixes: 6859f1cb2407 ("Enable sharing of scan result events among virtual interfaces")
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Aaradhana Sahu [Fri, 21 Mar 2025 04:42:13 +0000 (10:12 +0530)]
AP MLD: Fix DFS error message during per station profile generation
When two or more radios are configured in automatic channel selection (ACS)
mode, one radio completes ACS and starts generating per-station profiles
for all links during the beacon frame set. However, the other radio is
still in ACS mode, resulting in the following error messages in the
hostapd log:
Failed to check if DFS is required; ret=-1
To address this, generate per-station profiles for the links that have
already completed ACS.
Jouni Malinen [Thu, 20 Mar 2025 21:18:52 +0000 (23:18 +0200)]
tests: Fix eap_proto special cases for EAP ID
The EAP-Success cases with id off by 2 or 3 need to handle the special
cases where the id wraps around over the maximum value to avoid failures
when the random id value from hostapd ends up being close enough to the
maximum value.
RSNO: Set STA MFP flag based on the RSN/override negotiation
Currently, while determining the management frame protection (MFP)
setting for a STA, if any of ieee80211w/rsn_override_mfp/override_mfp_2
is set, it is assumed that the AP is MFP capable/required.
In case the AP has the following configuration:
ieee80211w=0
rsn_override_mfp=1
rsn_override_mfp_2
and the station has set MFPC in its RSNE and not using RSNO, the AP
determines this association to use MFP and sends IGTK to this station as
well as sets the MFP flag for this STA in the driver.
Since the STA is not using RSNO and has seen MFPC set to 0 in the RSNE
of AP's beacon/probe it will consider the association as non-MFP. This
results in drop of robust Management frame between the AP and the STA.
Fix this by determining AP MFP capability based on the station's RSN
negotiation method (RSNE/RSNOE/RSNO2E) and set the STA MFP flag
accordingly.
Fixes: 12f1edc9e94a ("RSNO: Generate IGTK if any of the RSN variants has PMF enabled")
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
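The mismatch described in the RSNO commit above, as an added example that is not hostapd code: the AP's old decision merges all three MFP settings, while the STA only ever evaluates the element it chose, so the two sides disagree; the fixed decision indexes by the negotiated variant. The AP settings use the hostapd.conf names quoted in the commit (0 = off, 1 = optional, 2 = required); the mapping of each setting to RSNE/RSNOE/RSNO2E and the constructed configuration are assumptions made here for illustration.

```python
"""Added example, not hostapd code: decide a STA's MFP state from the RSN
variant it negotiated, as the RSNO commit describes. The three AP settings
use the hostapd.conf names from that commit (0 = off, 1 = optional,
2 = required); which RSN element each one applies to is an assumption made
here for illustration."""

MFPR = 1 << 6   # RSN Capabilities bit 6: MFP required
MFPC = 1 << 7   # RSN Capabilities bit 7: MFP capable

RSNE, RSNOE, RSNO2E = "RSNE", "RSNOE", "RSNO2E"

# Constructed AP configuration mirroring the failing case in the commit.
AP_CONFIG = {"ieee80211w": 0, "rsn_override_mfp": 1, "rsn_override_mfp_2": 1}


def ap_rsn_caps(cfg, variant):
    """RSN Capabilities the AP advertises in the given element."""
    level = {RSNE: cfg["ieee80211w"],
             RSNOE: cfg["rsn_override_mfp"],
             RSNO2E: cfg["rsn_override_mfp_2"]}[variant]
    caps = 0
    if level >= 1:
        caps |= MFPC
    if level == 2:
        caps |= MFPR
    return caps


def mfp_negotiated(ap_caps, sta_caps):
    """PMF rules: MFP is used iff both sides set MFPC; a side that sets MFPR
    against a peer without MFPC cannot associate at all (returns None)."""
    if (ap_caps & MFPR and not sta_caps & MFPC) or (sta_caps & MFPR and not ap_caps & MFPC):
        return None
    return bool(ap_caps & MFPC and sta_caps & MFPC)


def ap_decision_before_fix(cfg, sta_caps):
    """Old AP logic: if any of the three settings enables MFP, treat the
    association as MFP no matter which element the STA used."""
    merged = ap_rsn_caps(cfg, RSNE) | ap_rsn_caps(cfg, RSNOE) | ap_rsn_caps(cfg, RSNO2E)
    return mfp_negotiated(merged, sta_caps)


def ap_decision_after_fix(cfg, variant, sta_caps):
    """Fixed AP logic: look only at the element the STA actually negotiated."""
    return mfp_negotiated(ap_rsn_caps(cfg, variant), sta_caps)


def sta_decision(cfg, variant, sta_caps):
    """The STA only sees the element it chose, so this is its view of MFP."""
    return mfp_negotiated(ap_rsn_caps(cfg, variant), sta_caps)


if __name__ == "__main__":
    sta_caps = MFPC   # STA is MFP capable and uses the plain RSNE
    print("AP (old):", ap_decision_before_fix(AP_CONFIG, sta_caps))        # True: IGTK sent, MFP flag set
    print("STA     :", sta_decision(AP_CONFIG, RSNE, sta_caps))            # False: robust frames dropped
    print("AP (new):", ap_decision_after_fix(AP_CONFIG, RSNE, sta_caps))   # False, consistent with the STA
```

With the constructed configuration the old AP path answers True while the STA, which saw MFPC=0 in the RSNE, answers False; the fixed path agrees with the STA for every variant.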
AP MLD: Avoid deletion of ML station if some links are rejected
When a non-AP MLD requests ML association, an AP MLD will validate the
association request elements present in the parent profile as well as
the elements present in each STA profile of MLE to decide if link(s) can
be accepted. While doing so if some of the mandatory elements (say,
Capabilities, Basic rates, RSNEs, etc.) don't satisfy the necessary
conditions for the affiliated AP of the AP MLD to accept the link, the
link will be rejected.
In ieee80211_ml_process_links() this rejection happens even before the
link station entry is added to the driver and while trying to free this
sta object, __ap_free_sta() tries to delete the link station from the
driver which was never added at all and eventually this operation fails.
Currently if deletion of a link station fails hostapd deletes the whole
ML station from the driver but in the above scenario the other link(s)
are accepted. Such deletion results in complete association failure.
Fix this by not proceeding to delete the ML station completely if a
deletion of a link station fails. By design each link station entry of
hostapd should be scheduled for deletion and when the association link
station entry is scheduled for deletion, the ML station will be deleted
from the driver.
Fixes: a6d92da9aa44 ("AP MLD: Support removal of link station from AP")
Signed-off-by: Gautham Kumar Senthilkumaran <quic_gauthamk@quicinc.com>
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Michael-CY Lee [Thu, 20 Mar 2025 00:53:28 +0000 (08:53 +0800)]
AP MLD: Always process every link in association request
An error might happen when handling one of the link(s) in an association
request, but returning immediately causes the status code(s) of the
unprocessed link(s) to be missing from the association response.
Always processing every link in the association request ensures that
every link has its status code in the association response.
Fixes: 03e89de47b6c ("AP MLD: Process link info when handling new STA event with driver SME")
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
Signed-off-by: Money Wang <money.wang@mediatek.com>
Jouni Malinen [Wed, 19 Mar 2025 19:21:01 +0000 (21:21 +0200)]
tests: Allow more time for connection in sae_anti_clogging_during_attack
This almost-a-busy-loop approach for testing SAE anti-clogging token
under an attack is not really robust with UML time-travel. Add a
time-based option for continuing the test instead of just fixed limit on
the number of loop iterations to make this somewhat more likely to
succeed.
Benjamin Berg [Tue, 18 Mar 2025 10:19:56 +0000 (11:19 +0100)]
SAE: Explicitly clear SAE(k)
The code never cleared SAE(k) and the data could remain on the stack for
a longer period of time. This caused a test failure when running with
ASAN enabled.
Explicitly clear the variable to ensure no data is leaked.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
nl80211: Set bss flink frequency for non-ML AP BSS
Currently nl80211 BSSs (struct i802_bss) flink->freq is initialized to
drv->first_bss->flink->freq in wpa_driver_nl80211_if_add(). In case of
single drv model, this results in frequency of the first BSS of the
first radio (say, on the 2.4 GHz band) being set to all the BSSs of the
drv though they can belong to different radios and thereby operating on
different frequencies.
wpa_driver_nl80211_send_mlme() uses bss->flink->freq to send Management
frames to the driver which fails as the driver complains that the TX
frequency doesn't match its operating frequency.
Currently in wpa_driver_nl80211_set_ap(), for an ML BSS the above mentioned
default value is overridden whenever the beacon is set. Fix this by
overriding the link frequency also for non-ML BSSs.
Jouni Malinen [Tue, 18 Mar 2025 09:17:36 +0000 (11:17 +0200)]
AP MLD: Cancel per-STA eloop timeouts for all wpa_auth instances
Now that AP MLD can use shared wpa_auth instances, the eloop timeouts
registered for wpa_auth,sm tuples might end up getting registered and
unregistered with different wpa_auth instances. Use the ELOOP_ALL_CTX
wildcard to ensure the per-STA timeouts do actually get canceled. This
avoids some cases where hostapd could have crashed due to leaving behind
a reference to wpa_auth,sm pointers that might get freed.
Jouni Malinen [Mon, 17 Mar 2025 20:52:17 +0000 (22:52 +0200)]
tests: Use proper EAP identifier tracking in eap_proto testing
There is not really any need to maintain the identifier context over
multiple processed EAP messages when the previously used value is
available from the response message from the peer.
Replace ctx['id'] with hardcoded start point and incrementation with
parsing the identifier from the received message. Use that ID in
EAP-Success and EAP-Failure and that id+1 (mod 256) in other EAP
messages.
This simplifies the implementation a bit and makes the EAP server behave
according to the EAP specification (with the couple of exceptions in
places where special corner cases are validated). For most parts, this
is a direct replacement of the previous ctx['id'] with id/id_prev
derived from the received message, but a couple of places were using
somewhat strange constructs to work around constraints in the previous
design. Using proper ID values in the EAP header removes the need for such
workarounds.
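The identifier rule used by this commit and by the earlier "tests: Fix eap_proto special cases for EAP ID" commit, as an added example that is not part of hostap or its test suite: the reply identifier is taken from the peer's Response rather than a running counter, Success/Failure reuse it, the next Request uses id+1 modulo 256, and the "off by 2 or 3" distance is computed modulo 256 so it survives the wrap from 255 to 0. Header layout is RFC 3748; the exchange and EAP types in the demo are constructed.

```python
"""Added example (not hostap code): EAP identifier handling per RFC 3748.

Shows the rule the eap_proto test commits rely on: an EAP-Success/Failure
carries the Identifier of the Response it answers, the next Request uses
that Identifier + 1 modulo 256, and any "off by N" comparison must wrap
around the 8-bit identifier space."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_HDR = struct.Struct("!BBH")   # Code, Identifier, Length (RFC 3748 section 4.1)


def parse_eap(msg: bytes):
    """Return (code, identifier, payload) or raise on a malformed header."""
    if len(msg) < EAP_HDR.size:
        raise ValueError("EAP message shorter than its 4-octet header")
    code, ident, length = EAP_HDR.unpack_from(msg)
    if length < EAP_HDR.size or length > len(msg):
        raise ValueError("EAP Length field outside the received data")
    return code, ident, msg[EAP_HDR.size:length]


def build_eap(code: int, ident: int, payload: bytes = b"") -> bytes:
    return EAP_HDR.pack(code, ident & 0xFF, EAP_HDR.size + len(payload)) + payload


def next_request_id(response_id: int) -> int:
    """Identifier for the Request that follows a Response: wraps 255 -> 0."""
    return (response_id + 1) % 256


def server_reply(response: bytes, code: int, payload: bytes = b"") -> bytes:
    """Derive the reply identifier from the peer's Response instead of a
    running counter (the id/id_prev approach of the test commit)."""
    rcode, ident, _ = parse_eap(response)
    if rcode != EAP_RESPONSE:
        raise ValueError("only a Response can be answered")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return build_eap(code, ident, payload)                  # same id as the Response
    return build_eap(code, next_request_id(ident), payload)    # id + 1 mod 256


def id_offset(expected: int, actual: int) -> int:
    """Modular distance from the expected Identifier, so the deliberate
    off-by-2/off-by-3 test cases are recognised even past 255."""
    return (actual - expected) % 256


def peer_accepts_success(last_response_id: int, msg: bytes) -> bool:
    """Peer side: a Success must carry exactly the last Response's Identifier."""
    code, ident, _ = parse_eap(msg)
    return code == EAP_SUCCESS and ident == last_response_id


if __name__ == "__main__":
    # Constructed exchange: the peer answered a Request whose Identifier was 255.
    response = build_eap(EAP_RESPONSE, 255, b"\x01")            # Type 1 = Identity
    nxt = server_reply(response, EAP_REQUEST, b"\x04")          # Type 4 = MD5-Challenge
    print("next Request id:", parse_eap(nxt)[1])                # 0 after the wrap
    bogus = build_eap(EAP_SUCCESS, (255 + 2) % 256)             # the "off by 2" case
    print("off by:", id_offset(255, parse_eap(bogus)[1]),
          "accepted:", peer_accepts_success(255, bogus))
```

The wrap matters in both directions: the server must emit Request id 0 after Response id 255, and a test that sends a Success with id+2 must expect id 1, not 257.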
Vinay Gannevaram [Sun, 26 Jan 2025 19:33:13 +0000 (01:03 +0530)]
Add QCA vendor attribute for NDP latency and throughput configuration
Introduce a vendor attribute for NDP to configure dynamic parameters
using the subcommand QCA_WLAN_VENDOR_NDP_SUB_CMD_UPDATE_CONFIG. The
maximum latency for NAN data packet transmission and reception, and
the expected throughput can be configured after the NDP setup
establishment using update configuration command with given NDP
instance ID.
Drivers would modify or adjust the NDP slots to meet the latency and
throughput requirements.
P2P2: Get ID of device identity block from wpas_p2p_validate_dira()
Upper layer components can now use the P2P_VALIDATE_DIRA command to
retrieve the device identity key identifier, which is necessary to
initiate P2P reinvoke to an existing group.
Vinay Gannevaram [Sun, 19 Jan 2025 08:01:58 +0000 (13:31 +0530)]
nl80211: Determine capability for P2P-R2 and PCC mode
Set the capability flag based on the nl80211 vendor feature
advertisement for P2P-R2 and PCC modes. By default, enable this for all
other drivers (i.e., any driver not supporting the QCA feature
capability indication) until a specific capability is defined to enable
or disable it.
Vinay Gannevaram [Thu, 20 Feb 2025 06:20:22 +0000 (11:50 +0530)]
P2P2: Add support to fetch the P2P2 and PCC capability
Add support to fetch the P2P2 and PCC capability from wpa_supplicant.
This defines the driver capability bits for this and the control
interface extension. The actual driver capability fetching will be
handled in future commit(s).
Vinay Gannevaram [Thu, 20 Feb 2025 09:58:08 +0000 (15:28 +0530)]
P2P2: Indicate bootstrapping comeback response to upper layers
The bootstrapping comeback response is managed by wpa_supplicant and is
not communicated to the upper layers. However, it is essential for the
upper layers to be aware of the status of ongoing bootstrapping requests.
Notify the upper layers of the bootstrapping comeback response. Modify
the D-Bus interface for bootstrapping indications (instead of providing
a new signal for this new extended purpose) as this has not yet
been used and is a recently added parameter.
Jouni Malinen [Wed, 5 Mar 2025 17:04:41 +0000 (19:04 +0200)]
tests: Use more specific validation for beacon protection
Instead of requiring the driver to report an unprotected Beacon frame,
include CSA and ECSA in the bogus Beacon frames and verify that the
driver does not indicate start of a channel switch.
AP MLD: Fix hostapd crash during interface deinit with non-ML BSS
Currently a single drv object (wpa_driver_nl80211_data) is shared across
different hostapd interfaces (struct hostapd_iface) if all the
interfaces belong to same underlying wiphy. When hostapd process is
killed, interfaces are deinitialized one after other in a loop. If the
first BSS of an interface is a non-ML BSS, in hostapd_cleanup_driver()
the shared drv is freed up while cleaning up the first interface itself
and the rest of the interfaces try to access/free the same drv object
resulting in segmentation fault.
To fix this, check if the drv is still shared with any other interface
regardless of MLO (currently this check is done only if the first BSS of
an interface is an ML BSS). If drv is shared, reset its reference and
allow the last interface that is using the drv to free the same.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces")
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
BSS: Validate partner link BSSs while parsing Basic MLE
When the Basic MLE from the AP is parsed, wpa_scan_res_match() is called
for only the association link when the BSS params from the RNR element
is set with colocated AP or same SSID bits. Even if the affiliated APs
of the AP MLD have configurations incompatible with the non-AP MLD,
association will be attempted with all the links. An AP MLD is required
to have compatible parameters in all affiliated APs, but it is not
guaranteed that all deployed AP MLDs are compliant with this
requirement.
Enable wpa_scan_res_match() for affiliated AP BSSs as well by removing
RNR BSS params check so that the affiliated APs that fail the checks are
skipped and connection is downgraded to a smaller number of links by
including only the links with compatible configuration. BSSs are still
filtered from the RNR TBTT info based on the MLD ID subfield contained
in the MLD params subfield. While at it, skip some checks for other
affiliated APs which are meant only for the association link.
Fixes: a3020f852e1c ("MLD: Use BSS Parameters in TBTT Info to check SSID match")
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Thirusenthil Kumaran J <quic_thirusen@quicinc.com>
Jouni Malinen [Mon, 3 Mar 2025 18:32:23 +0000 (20:32 +0200)]
MLD: Verify Per-STA Profile subelement length in reconf MLE
Strictly speaking, it is not sufficient to verify that there is enough
space in the Link Info field, but the length of the Per-STA Profile
subelement needs to be checked as well before using the STA Control
field value. There could be another subelement after the Per-STA Profile
subelement and if the Per-STA Profile subelement would be too short,
data from that following subelement could have been used. This is a
theoretical case, but anyway, better be stricter in verifying the length
fields in this type of cases.
Pooventhiran G [Sat, 1 Mar 2025 05:52:51 +0000 (11:22 +0530)]
MLD: Fix Reconfiguration Multi-Link element parsing on non-AP MLD
The Common Info field in the Reconfiguration Multi-Link element is
extensible with its Length subfield indicating the total length of the
field. Accept any value of Length subfield larger than the calculated
length based on the presence bitmap to support extensibility. Use the
value of the Length subfield instead of the calculated minimum length
when determining where the following Link Info field starts.
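The two parsing rules from this commit and the preceding "MLD: Verify Per-STA Profile subelement length in reconf MLE" commit, as an added example that is not hostap code: the Common Info Length subfield (not the minimum computed from the presence bitmap) decides where Link Info starts, and a Per-STA Profile subelement must itself be long enough to hold STA Control before that field is read. The pre-fix pattern is included next to the fixed one to show how a one-octet profile would otherwise pull STA Control out of the following subelement. Field layout follows IEEE 802.11be; the presence-bitmap bit used for the MLD MAC Address and both sample byte strings are constructed for this example.

```python
"""Added example, not hostap code: parse a Reconfiguration Multi-Link element
with the two checks the commits above describe. Layout per IEEE 802.11be:
Multi-Link Control (2 octets LE, Type in bits 0-2, Presence Bitmap from
bit 4), Common Info starting with a 1-octet Length that counts itself,
then Link Info made of ID/Length/Data subelements where ID 0 is the
Per-STA Profile whose data starts with a 2-octet LE STA Control carrying
the Link ID in bits 0-3. Which presence-bitmap bit announces the MLD MAC
Address is an assumption for this example."""
import struct

MLE_TYPE_RECONFIG = 2
SUBELEM_PER_STA_PROFILE = 0
PRESENCE_MLD_MAC = 1 << 0        # assumption: bit 0 of the presence bitmap


class MleError(ValueError):
    pass


def split_subelements(link_info):
    """Yield (id, data) and reject any subelement that runs past Link Info."""
    pos = 0
    while pos < len(link_info):
        if len(link_info) - pos < 2:
            raise MleError("truncated subelement header")
        sub_id, sub_len = link_info[pos], link_info[pos + 1]
        if pos + 2 + sub_len > len(link_info):
            raise MleError("subelement exceeds Link Info")
        yield sub_id, link_info[pos + 2:pos + 2 + sub_len]
        pos += 2 + sub_len


def link_ids_unchecked(link_info):
    """Pre-fix pattern: only checks that two octets remain in Link Info, so a
    one-octet Per-STA Profile takes its STA Control from the next subelement."""
    ids, pos = [], 0
    while len(link_info) - pos >= 2:
        sub_id, sub_len = link_info[pos], link_info[pos + 1]
        if sub_id == SUBELEM_PER_STA_PROFILE and len(link_info) - (pos + 2) >= 2:
            ids.append(struct.unpack_from("<H", link_info, pos + 2)[0] & 0xF)
        pos += 2 + sub_len
    return ids


def per_sta_profiles(link_info):
    """Fixed pattern: the subelement's own Length must cover STA Control."""
    profiles = []
    for sub_id, data in split_subelements(link_info):
        if sub_id != SUBELEM_PER_STA_PROFILE:
            continue
        if len(data) < 2:
            raise MleError("Per-STA Profile too short for STA Control")
        sta_control = struct.unpack_from("<H", data, 0)[0]
        profiles.append({"link_id": sta_control & 0xF, "sta_info": data[2:]})
    return profiles


def parse_reconf_mle(body):
    """body = element contents after Element ID, Length and Element ID Extension.
    Returns (MLD MAC address or None, list of Per-STA Profiles)."""
    if len(body) < 3:
        raise MleError("too short for Multi-Link Control and Common Info Length")
    control = struct.unpack_from("<H", body, 0)[0]
    if control & 0x7 != MLE_TYPE_RECONFIG:
        raise MleError("not a Reconfiguration Multi-Link element")
    presence = control >> 4
    common_len = body[2]
    min_common = 1 + (6 if presence & PRESENCE_MLD_MAC else 0)
    if common_len < min_common:            # shorter than the presence bitmap implies
        raise MleError("Common Info Length below minimum")
    if 2 + common_len > len(body):
        raise MleError("Common Info runs past the element")
    common = body[3:2 + common_len]        # octets beyond min_common are future extensions
    mld_mac = common[:6] if presence & PRESENCE_MLD_MAC else None
    link_info = body[2 + common_len:]      # located via the Length subfield, not min_common
    return mld_mac, per_sta_profiles(link_info)


# Constructed element: Common Info Length 9 = 1 + 6 (MAC) + 2 extension octets,
# followed by one Per-STA Profile (Link ID 1) with a 1-octet STA Info.
SAMPLE_MLE = bytes([0x12, 0x00,
                    0x09, 0x02, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEE, 0xFF,
                    0x00, 0x03, 0x01, 0x00, 0x00])
# Constructed Link Info: 1-octet Per-STA Profile followed by another subelement.
SHORT_PROFILE = bytes([0x00, 0x01, 0x05, 0x01, 0x02, 0xAA, 0xBB])

if __name__ == "__main__":
    print(parse_reconf_mle(SAMPLE_MLE))
    print("unchecked:", link_ids_unchecked(SHORT_PROFILE))   # [5]: read across the boundary
    try:
        per_sta_profiles(SHORT_PROFILE)
    except MleError as e:
        print("checked:", e)
```

A parser that computed the Link Info offset from min_common would have treated the two extension octets 0xEE 0xFF as the start of a subelement; the Length-subfield approach skips them as intended.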
Vinay Gannevaram [Fri, 14 Feb 2025 12:34:28 +0000 (18:04 +0530)]
Update the link BSS pointer during BSS reallocation on scan results
When updating the BSS during a scan results event, reallocation of the
BSS due to needing more room for IEs results in a new allocation and the
pointer changing. Update the link BSS pointer to the newly allocated BSS
similarly to the other cases that were covered previously. This is
needed to avoid use of freed memory in some MLO cases.
Martínek Petr [Tue, 25 Feb 2025 08:18:06 +0000 (08:18 +0000)]
MACsec: Add option to always include ICV Indicator
Some older MACsec switches incorrectly require ICV Indicator to be
present even when ICV has default length (Cisco C3560CX). To allow
communication with such devices option include-icv-indicator was added
to always include ICV Indicator.
Similar option is found in configuration of some other switches:
Cisco:
include-icv-indicator - this parameter configures inclusion of the
optional ICV Indicator as part of the transmitted MACsec Key Agreement
PDU (MKPDU). This configuration is necessary for MACsec to interoperate
with routers that run software prior to IOS XR version 6.1.3. This
configuration is also important in a service provider WAN setup where
MACsec interoperates with other vendor MACsec implementations that
expect ICV indicator to be present in the MKPDU.
fortiswitch:
include-mka-icv-ind: The MACsec Key Agreement (MKA) integrity check
value (ICV) indicator is always included. (enabled by default)
Signed-off-by: Petr Martínek <petr.martinek at elvac.eu>
Dávid Benko [Sun, 23 Feb 2025 22:42:39 +0000 (23:42 +0100)]
authsrv: Log RADIUS accounting data
Add option to log all received RADIUS accounting information. This is
a follow-up patch for a new `acct_req_cb` in RADIUS server implementation.
The callback logs all accounting status codes. Invalid requests are
discarded as of RFC 2866. Logged data include:
- NAS identification (NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address)
- session ID (Acct-Session-Id)
- username
- device identification (Calling-Station-Id)
- session time
- input/output packet and byte counters (including gigawords as of
RFC 2869)
This may be a base for possible extensions of RADIUS accounting in
hostapd. However, since there are far more robust alternatives (namely
FreeRADIUS) and hostapd is primarily used for restricted and/or simple
deployments, I don't consider them necessary. Other use cases can be
covered by a custom reimplementation of binary and a different
acct_req_cb callback.
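What such a callback has to do with an incoming Accounting-Request, as an added example that is not hostapd's acct_req_cb or any other hostapd code: check the Request Authenticator as RFC 2866 requires and silently discard the packet when it fails, then extract the fields listed above, combining the Gigawords attributes from RFC 2869 with the 32-bit octet counters into full counts. Attribute numbers are the standard IANA assignments; the sample Stop record, the NAS name and the shared secret are constructed.

```python
"""Added example, not hostapd code: decode a RADIUS Accounting-Request the way
the authsrv logging commit describes. Verify the Request Authenticator
(RFC 2866 section 3) and discard on failure, then pull out NAS identity,
session id, user name, Calling-Station-Id, session time and the counters,
folding Acct-*-Gigawords (RFC 2869) into 64-bit octet counts."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 4, 31, 32
ACCT_STATUS_TYPE, ACCT_INPUT_OCTETS, ACCT_OUTPUT_OCTETS, ACCT_SESSION_ID = 40, 42, 43, 44
ACCT_SESSION_TIME, ACCT_INPUT_PACKETS, ACCT_OUTPUT_PACKETS = 46, 47, 48
ACCT_INPUT_GIGAWORDS, ACCT_OUTPUT_GIGAWORDS, NAS_IPV6_ADDRESS = 52, 53, 95
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def md5(data: bytes) -> bytes:
    # usedforsecurity=False keeps this working under an OpenSSL FIPS policy
    return hashlib.md5(data, usedforsecurity=False).digest()


def parse_attributes(data: bytes) -> dict:
    """Type/Length/Value list; every Length must fit inside the packet."""
    attrs, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(data[pos + 2:pos + alen])
        pos += alen
    return attrs


def request_authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    expected = md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret)
    return hmac.compare_digest(expected, packet[4:20])


def summarize_accounting(packet: bytes, secret: bytes):
    """Return the fields worth logging, or None when the request must be discarded."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    if not request_authenticator_ok(packet, secret):
        return None                                  # invalid authenticator: discard silently
    attrs = parse_attributes(packet[20:length])

    def u32(atype):
        vals = attrs.get(atype)
        return struct.unpack("!I", vals[0])[0] if vals and len(vals[0]) == 4 else 0

    def text(atype):
        vals = attrs.get(atype)
        return vals[0].decode("utf-8", "replace") if vals else None

    if NAS_IDENTIFIER in attrs:
        nas = text(NAS_IDENTIFIER)
    elif NAS_IP_ADDRESS in attrs and len(attrs[NAS_IP_ADDRESS][0]) == 4:
        nas = str(ipaddress.IPv4Address(attrs[NAS_IP_ADDRESS][0]))
    elif NAS_IPV6_ADDRESS in attrs and len(attrs[NAS_IPV6_ADDRESS][0]) == 16:
        nas = str(ipaddress.IPv6Address(attrs[NAS_IPV6_ADDRESS][0]))
    else:
        nas = None

    return {
        "status": STATUS_NAMES.get(u32(ACCT_STATUS_TYPE), "Unknown(%d)" % u32(ACCT_STATUS_TYPE)),
        "nas": nas,
        "session_id": text(ACCT_SESSION_ID),
        "user": text(USER_NAME),
        "calling_station": text(CALLING_STATION_ID),
        "session_time": u32(ACCT_SESSION_TIME),
        "input_packets": u32(ACCT_INPUT_PACKETS),
        "output_packets": u32(ACCT_OUTPUT_PACKETS),
        # Gigawords carry the high 32 bits of the octet counters (RFC 2869)
        "input_octets": (u32(ACCT_INPUT_GIGAWORDS) << 32) | u32(ACCT_INPUT_OCTETS),
        "output_octets": (u32(ACCT_OUTPUT_GIGAWORDS) << 32) | u32(ACCT_OUTPUT_OCTETS),
    }


def build_accounting_request(ident: int, secret: bytes, attrs) -> bytes:
    """Constructed client side, used only to produce the sample packet."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + md5(header + b"\x00" * 16 + body + secret) + body


SECRET = b"constructed-shared-secret"
SAMPLE_STOP = build_accounting_request(7, SECRET, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 2)),
    (NAS_IDENTIFIER, b"ap-lab-01"),
    (USER_NAME, b"alice@example.org"),
    (CALLING_STATION_ID, b"02-00-00-00-00-01"),
    (ACCT_SESSION_ID, b"5F3A0001"),
    (ACCT_SESSION_TIME, struct.pack("!I", 3600)),
    (ACCT_INPUT_PACKETS, struct.pack("!I", 1200)),
    (ACCT_OUTPUT_PACKETS, struct.pack("!I", 900)),
    (ACCT_INPUT_OCTETS, struct.pack("!I", 16)),
    (ACCT_INPUT_GIGAWORDS, struct.pack("!I", 1)),   # 2^32 + 16 octets received
    (ACCT_OUTPUT_OCTETS, struct.pack("!I", 4096)),
])

if __name__ == "__main__":
    print(summarize_accounting(SAMPLE_STOP, SECRET))
    print(summarize_accounting(SAMPLE_STOP, b"wrong-secret"))   # None: discarded
```

A logger that ignores the Gigawords attributes under-reports any session that moved more than 4 GiB in one direction, and one that logs before verifying the authenticator will happily record forged accounting records from anyone who can reach the UDP port.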
Dávid Benko [Sun, 23 Feb 2025 22:39:55 +0000 (23:39 +0100)]
RADIUS server: Add accounting message callback
Add a configurable callback for incoming Accounting-Request messages to
the integrated RADIUS server. This approach allows different
implementation by hostapd itself and other binaries built on top of
hostapd, e.g., OpenWrt's RADIUS server.
Jouni Malinen [Sat, 1 Mar 2025 18:29:45 +0000 (20:29 +0200)]
OpenSSL: Enable HMAC with short salt in FIPS configuration
OpenSSL fips provider prevents use of HMAC with key size smaller than
112 bits. This would be fine for actual cases that use HMAC with a key,
but there are cases that use a shorter salt (e.g., SAE PWE derivation).
Allow those cases to use the OpenSSL default provider instead of the
fips provider in builds that do not use CONFIG_FIPS=y.
Jouni Malinen [Sat, 1 Mar 2025 18:28:45 +0000 (20:28 +0200)]
OpenSSL: Use default provider instead of fips provider for DH group 5
In builds without CONFIG_FIPS=y, use the OpenSSL default provider
instead of the fips provider for DH group 5 operation since that is not
available in the fips provider.
Jouni Malinen [Sat, 1 Mar 2025 18:24:13 +0000 (20:24 +0200)]
OpenSSL: Allow MD5 if FIPS mode or FIPS provider is set externally
Systemwide OpenSSL configuration might be used to enable FIPS mode or
loading of only the FIPS provider. These would result in MD5 not being
available and that would break quite a few protocols that are used with
Wi-Fi. Make MD5 available in such cases for builds without CONFIG_FIPS=y
by disabling FIPS mode in OpenSSL and explicitly loading and using the
default provider instead of the fips provider for MD5 cases.
Jouni Malinen [Sat, 1 Mar 2025 18:19:38 +0000 (20:19 +0200)]
OpenSSL: Disable FIPS mode if MD4 is needed
It is possible for a systemwide configuration to enforce use of FIPS
mode in OpenSSL and that would break various commonly used crypto
operations in Wi-Fi related protocols. Disable OpenSSL FIPS mode
automatically in builds that do not define CONFIG_FIPS=y to avoid this.
Jouni Malinen [Sat, 1 Mar 2025 18:22:18 +0000 (20:22 +0200)]
OpenSSL: Print more failure details for EC failures
These cases can fail when OpenSSL is forced to use FIPS mode or FIPS
provider. It is helpful to get more explicit error details about these
cases into the debug log.
Jouni Malinen [Sat, 1 Mar 2025 18:14:11 +0000 (20:14 +0200)]
SAE: Add an explicit debug print for failure to derive PWE
The needed HMAC-SHA256 operation with short salt is something that can
fail if OpenSSL is forced to use the fips provider, so it is helpful to
get this failure case clearer in the debug log.
Jouni Malinen [Sat, 1 Mar 2025 10:07:45 +0000 (12:07 +0200)]
SAE: Do not mark SAE enabled network disabled if PSK is not set
SAE does not use PSK, i.e., it is sufficient for the passphrase to be set in
cases where the psk parameter instead of the SAE specific sae_password
is used.
Jouni Malinen [Sat, 1 Mar 2025 10:05:48 +0000 (12:05 +0200)]
OpenSSL: More debug prints on EVP digest/cipher failures
The EVP operations may fail if OpenSSL is configured to reject
deprecated algorithms or parameters (e.g., key sizes). Make such errors
easier to understand in debug log.
Jouni Malinen [Sat, 1 Mar 2025 10:04:10 +0000 (12:04 +0200)]
RADIUS: Check MD5 processing result
The MD5 functions may fail, e.g., if the used crypto library is
configured to reject deprecated old algorithms. Check for this more
consistently in RADIUS routines and make it obvious in the debug log if
this is causing operations to fail instead of trying to proceed and hide
the issue.
Add new roam trigger vendor attribute values to configure the roaming
parameters dynamically. QCA_ROAM_TRIGGER_REASON_WTC, trigger roam on
wireless-to-cellular BSS transition request.
QCA_ROAM_TRIGGER_REASON_BT_ACTIVITY, trigger roam on Bluetooth
connection, when station is on the 2.4 GHz band.
Jouni Malinen [Thu, 27 Feb 2025 09:06:40 +0000 (11:06 +0200)]
Share wpa_init() error path handling
Use a single place to handle cleanup after failures instead of multiple
copies of this code. Also share the wpa_auth->group deinit routine with
wpa_deinit() even though there cannot be multiple groups or initialized
keys in the wpa_init() case.
Chenming Huang [Wed, 26 Feb 2025 14:32:27 +0000 (20:02 +0530)]
AP MLD: Search MLD-level and per-link PMKSA caches
There are cases where non-AP MLD first associates with MLO but
reassociates with non-MLO using PMKSA caching. Since the standard does
not explicitly disallow such cases, it makes sense to have additional
code to check the MLD level PMKSA cache as well even when processing
non-ML associations. Same would apply in the other direction, i.e., ML
association with PMKSA caching should search all affiliated APs of the
AP MLD for a PMKID match.
Check both the MLD-level and per-link PMKSA caches when trying to find a
match for a PMKID in (Re)Association Request frame.
Chenming Huang [Wed, 26 Feb 2025 14:32:26 +0000 (20:02 +0530)]
AP MLD: Store PMKSA from DPP to both per-link and MLD-level cache
When we cannot determine whether the peer is non-AP MLD (which is the
case with DPP AKM), store the PMKSA into both the MLD-level and per-link
caches when operating as an AP MLD.
Chenming Huang [Wed, 26 Feb 2025 14:32:24 +0000 (20:02 +0530)]
AP MLD: Mark STA as MLD before checking association IEs
In __check_assoc_ies(), ap_sta_is_mld() is already being used to
determine whether a peer is an MLD or not. However, when calling
__check_assoc_ies() from ieee80211_ml_process_link(),
ap_sta_set_mld() is not yet called. So inside __check_assoc_ies()
the sta entry is treated as non-MLD, which leads to wrongly
fetching PMKSA entry from regular pmksa entry list instead of
ml_pmksa. That results in a connection failure.
Move ap_sta_set_mld() to be used earlier since we already know it is an
MLD peer at that point.
Chenming Huang [Wed, 26 Feb 2025 14:32:20 +0000 (20:02 +0530)]
AP MLD: Define a new MLD-level PMKSA cache shared by all links
Currently PMKSA is only cached on the association link. Subsequent
connections may happen on other links if peer is a non-AP MLD.
Association using SAE might get rejected due to PMKID not found in such
cases.
Define a new PMKSA entry list in struct wpa_authenticator which will be
used in subsequent commits. Initialize ml_pmksa only on the primary link
authenticator and deinitialize it when the last link authenticator is
deinitialized. Other affiliated links share the same instance.
Jouni Malinen [Wed, 26 Feb 2025 10:02:37 +0000 (12:02 +0200)]
Fix current_bss use in checking whether SSID has been verified
The call to wpa_supplicant_update_scan_results() might change
wpa_s->current_bss, so need to fetch the ssid/ssid_len again after that
call to avoid potential use of freed memory.
Fixes: 5452a4a30204 ("SSID verification based on beacon protection")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 25 Feb 2025 21:44:47 +0000 (23:44 +0200)]
ERP: Initialize hapd->erp_keys earlier to avoid undefined behavior
This dl_list needs to be initialized earlier since
ieee802_1x_erp_flush() is trying to clear it even in case of failed
interface start that might not have made it all the way to the place
which the dl_list was previously initialized.
Jouni Malinen [Tue, 25 Feb 2025 21:19:30 +0000 (23:19 +0200)]
Avoid undefined behavior in get_vendor_ie()
This might be called with ies == NULL and for_each_element_id() would
try to calculate NULL + 0 in that case. That would be undefined
behavior. Avoid that by checking for ies == NULL just like the other
get_ie*() functions already did.
Jouni Malinen [Tue, 25 Feb 2025 21:01:40 +0000 (23:01 +0200)]
Remove undefined behavior from ieee802_11_defrag()
ieee802_11_defrag() might be called with data == NULL and that would
result in trying to calculate end = data + len = NULL + 0 which is
undefined behavior. Calculate the end pointer only after data has been
checked to not be NULL to avoid this.
Fixes: ec03b71ee999 ("common: Refactor element defragmentation")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 25 Feb 2025 20:57:40 +0000 (22:57 +0200)]
Fix wpa_supplicant global config bool reading/writing
The generic int parser cannot be used with bool variables since it is
possible for the bool variables to be shorter in size and result in
misaligned read/write. Use a separate set of routines for handling bool
variables to avoid this.
Jouni Malinen [Tue, 25 Feb 2025 20:36:54 +0000 (22:36 +0200)]
mesh: Fix mesh_external_pmksa_cache initialization to cover error cases
The dl_list needs to be initialized before wpa_supplicant_cleanup() can
be called, e.g., due to an early termination caused by failure to
initialize the interface.
Jouni Malinen [Tue, 25 Feb 2025 09:42:02 +0000 (11:42 +0200)]
FT: Do not discard EAPOL-Start frame during initial MD association
Commit c97168f58ae9 ("FT: Discard EAPOL-Start frames when FT was used
for association") started discarding EAPOL-Start frames in all cases where
FT is used, including the initial MD association. The exact IEEE 802.11
standard language requiring the STA to perform a new FT initial MD
association when its Supplicant triggers sending of an EAPOL-Start frame
has a condition on this being "after a successful initial mobility
domain association domain", so this would not really apply during the
initial MD association itself.
Relax the conditions on processing EAPOL-Start frames so that they are
still processed during the FT initial mobility domain association, but
are then discarded after that succeeds (i.e., during rest of that
association and any future association started using FT protocol).
- For SUITEB128 the 128-bit strength ciphersuites should appear first
in the list
- Update RSA key strengths
- Update ECC key strengths
- Update tests to pass with wolfSSL. wolfSSL fails as soon as the key is
being loaded if it doesn't match the minimum key strength requirements.
nl80211: Mark HT disabled on channel switch to a 6 GHz channel
During channel switch processing ht_enabled was left enabled for 6 GHz
channels since those cases do not use NL80211_CHAN_NO_HT. This would
show incorrect channel information in the STATUS control interface
command.
Fix this by clearing ht_enabled when a channel switch event is
indicating a switch to a 6 GHz channel.
nl80211: Fix hostapd crash when managing AP MLD interfaces
hostapd crash has been observed in the following scenario: bring up
multiple AP MLD interfaces, delete all AP MLD interfaces using another
user space application like 'iw', and then remove all interfaces in
hostapd.
When deleting an AP MLD interface using another user space application,
the kernel sends the NL80211_CMD_STOP_AP event for each link to hostapd,
hostapd resets valid_links, and sends a remove link command to the
kernel. valid_links will become zero after all the links are removed,
but bss interface will not be removed in hostapd.
In the current design, when removing the link bss interface, the
interface is not removed if the link is not available. When the
interface, which was not removed, is added, it accesses a dangling
pointer of the AP MLD interface and causes the crash.
Fix this by removing the interface even if there are no more links. This
ensures that the AP MLD interface is properly removed, preventing access
to a dangling pointer and avoiding the crash.
With Wireshark 4.4.0 and above, there are slight changes in the filters for
fetching multi-link control elements and STA profile ID lists. Add support
for these updates to ensure the test cases are compatible with the latest
version of Wireshark.
The changes are:
* Multi-Link Control:
wlan.eht.multi_link.control instead of wlan.eht.multi_link_control
* STA Profiles LinkIds: It is now Character string.
Jouni Malinen [Sun, 23 Feb 2025 15:00:09 +0000 (17:00 +0200)]
EAP-TEAP: Check session_id length explicitly to avoid warnings
Some static analyzers might expect tls_get_tls_unique() to be able to
return arbitrarily large values and warn about integer overflow here.
Avoid such incorrect warnings with an explicit check.
Jouni Malinen [Sun, 23 Feb 2025 14:38:11 +0000 (16:38 +0200)]
RNR: Silence static analyzer warnings
The !tbtt_count check seemed to be too complex for static analyzers to
understand that len and total_len have been incremented by at least
RNR_TBTT_HEADER_LEN. Silence the incorrect warning about integer
overflow with explicit checks.
Jouni Malinen [Sun, 23 Feb 2025 14:27:03 +0000 (16:27 +0200)]
nl80211: Debug print setsockopt() failures for NETLINK_EXT_ACK
Even though we explicitly ignore these errors, it is better to print
them into the debug log if for no other reason than to get rid of some
static analyzer warnings about unchecked return values.
Jouni Malinen [Sun, 23 Feb 2025 14:21:45 +0000 (16:21 +0200)]
MLD: Try to avoid static analyzer warnings about tainted variable
*pos was already checked above, but some static analyzers might not
understand that construction when the 8-bit value from the buffer is
assigned after the checks, so check again explicitly to get rid of
incorrect error reports.
Jouni Malinen [Sun, 23 Feb 2025 14:14:50 +0000 (16:14 +0200)]
Use pointer to Action frame body instead of Category field
This will hopefully silence some incorrect static analyzer warnings
about out-of-bounds reads since mgmt->u.action.category is an u8 while
this is really getting a pointer to that location in the Action frame
body and not just the 8-bit Category field.
Jouni Malinen [Sun, 23 Feb 2025 10:44:50 +0000 (12:44 +0200)]
P2P2: Check ssid != NULL more consistently in wpas_p2p_invite()
The recently added !ssid check here could make static analyzers complain
about dereferencing ssid in the function, so instead of covering just
the special P2P2 case, check explicitly for ssid == NULL for all cases.
Jouni Malinen [Sun, 23 Feb 2025 10:41:16 +0000 (12:41 +0200)]
mka: Simplify dl_list entry freeing
There is no need to call both dl_list_empty() and dl_list_entry()
separately in this manner since dl_list_first() is for that exact
purpose. Simplify this and also make it easier for static analyzers.
Jouni Malinen [Sun, 23 Feb 2025 10:03:40 +0000 (12:03 +0200)]
Make eht_cap != NULL check explicit to help static analyzers
data->eht_enabled was used to avoid getting here with eht_cap == NULL,
but that was too complex for some static analyzers. Make this more
explicit to avoid false reports.
Jouni Malinen [Sun, 23 Feb 2025 09:59:47 +0000 (11:59 +0200)]
PASN: Make ssid != NULL check easier for static analyzers
wpas_pasn_sae_setup_pt() would dereference ssid so it cannot be NULL in
the call. That was already taken care of by removing WPA_KEY_MGMT_*SAE*
in the ssid == NULL case. Anyway, adding an explicit check for !ssid
here gets rid of incorrect static analyzer reports.
Jouni Malinen [Sun, 23 Feb 2025 09:56:16 +0000 (11:56 +0200)]
P2P: Initialize new_ssid explicitly to make this easier for analyzers
new_ssid_len == 0 was used to skip reference to new_ssid in
p2p_build_invitation_resp(). This was too complex for some static
analyzers to notice, so initialize new_ssid as well to avoid false
reports.
Jouni Malinen [Sun, 23 Feb 2025 09:53:36 +0000 (11:53 +0200)]
P2P: Make sure go_dev_addr is initialized
wpas_p2p_persistent_group() does not set go_dev_addr if the group is not
persistent. Initialize go_dev_addr explicitly to all zeroes before that
call to make sure it cannot be uninitialized here.
Jouni Malinen [Sun, 23 Feb 2025 09:36:03 +0000 (11:36 +0200)]
Check network configuration availability before use in MAC randomization
wpas_update_random_addr_disassoc() could call wpas_update_random_addr()
with ssid == NULL, so need to be more careful here when comparing the
pregenerated address.
Fixes: bdbb6e0035ae ("wpa_supplicant: Handle MAC address randomization changes for same ESS")
Signed-off-by: Jouni Malinen <j@w1.fi>