git.ipfire.org Git - thirdparty/hostap.git/log
7 months ago tests: Stop sigma_dut started hostapd based on ap_reset_default
Jouni Malinen [Sun, 22 Dec 2024 10:19:15 +0000 (12:19 +0200)] 
tests: Stop sigma_dut started hostapd based on ap_reset_default

Previously, this was done only based on ap_config_commit, but sigma_dut
might start hostapd even without that command, e.g., when using DPP.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago AP MLD: Do not try to set hapd->mld multiple times
Jouni Malinen [Sun, 22 Dec 2024 08:49:27 +0000 (10:49 +0200)] 
AP MLD: Do not try to set hapd->mld multiple times

Now that there is more than one path that could end up calling
hostapd_bss_setup_multi_link(), it looks like it was possible to end up
allocating the MLD context twice and that resulted in resource leaks.
Avoid this by explicitly checking that hapd->mld is not set before
trying to determine whether to set it to an existing context or create a
new one.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: Remove duplicated listing of a long test case
Jouni Malinen [Sun, 22 Dec 2024 08:42:49 +0000 (10:42 +0200)] 
tests: Remove duplicated listing of a long test case

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: Make country code clearing in dbus_interface more robust
Jouni Malinen [Sat, 21 Dec 2024 20:31:07 +0000 (22:31 +0200)] 
tests: Make country code clearing in dbus_interface more robust

Wait for the specific CTRL-EVENT-REGDOM-CHANGE events to try to avoid
test failures due to some race conditions and the US country code being
left effective at the end of the test case.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: More test cases with common UML issues to the front of the queue
Jouni Malinen [Sat, 21 Dec 2024 20:25:57 +0000 (22:25 +0200)] 
tests: More test cases with common UML issues to the front of the queue

Move test cases that have shown frequent, but random, issues in UML to the
beginning of the run to minimize risk of false failures.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: More robust way of killing hung UML VMs
Jouni Malinen [Sat, 21 Dec 2024 10:19:03 +0000 (12:19 +0200)] 
tests: More robust way of killing hung UML VMs

The uml_mconsole halt command may hang when trying to terminate a hung
UML VM, so check for a timeout on that operation and kill the UML
process directly if that happens. In addition, do not try to terminate a
specific VM more than once to avoid confusing debug log entries.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago hostapd: Fix wrong puncturing bitmap in Bandwidth Indication subelement
Allen Ye [Thu, 5 Sep 2024 05:55:30 +0000 (13:55 +0800)] 
hostapd: Fix wrong puncturing bitmap in Bandwidth Indication subelement

The Bandwidth Indication subelement should present the puncturing bitmap
of channel switch request, but the bitmap returned by
hostapd_get_punct_bitmap() is the original one.

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Allen Ye <allen.ye@mediatek.com>
7 months ago hostapd: Move punct_bitmap into hostapd_freq_params
Allen Ye [Thu, 5 Sep 2024 05:55:29 +0000 (13:55 +0800)] 
hostapd: Move punct_bitmap into hostapd_freq_params

Move punct_bitmap into hostapd_freq_params to allow hostapd_data structure
to access the new puncturing bitmap during a channel switch.

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Allen Ye <allen.ye@mediatek.com>
7 months ago hostapd: Fix length of Bandwidth Indication subelement
Shayne Chen [Thu, 5 Sep 2024 05:55:28 +0000 (13:55 +0800)] 
hostapd: Fix length of Bandwidth Indication subelement

The default length of the Bandwidth Indication subelement should be
equal to the minimum size of ieee80211_bw_ind_element structure. The
previously used value truncated this subelement by one octet.

Fixes: c7e704bdf9c3 ("hostapd: Add Bandwidth Indication subelement support for channel switch")
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Signed-off-by: Allen Ye <allen.ye@mediatek.com>
7 months ago Avoid EAPOL trigger in reassoc path for AP with 4-way handshake offload
Vinayak Yadawad [Wed, 4 Sep 2024 11:11:30 +0000 (16:41 +0530)] 
Avoid EAPOL trigger in reassoc path for AP with 4-way handshake offload

Currently avoiding of EAPOL exchange for AP with 4-way handshake offload
is handled only in the new STA assoc path. Extended this to cover
skipping authentication trigger in case reassoc path without
disconnection as well.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
7 months ago AP MLD: Fix a crash in hostapd_driver_init()
Andrei Otcheretianski [Sun, 1 Sep 2024 16:31:35 +0000 (19:31 +0300)] 
AP MLD: Fix a crash in hostapd_driver_init()

In case of an AP MLD it is assumed that the multi link information
(hapd->mld) is already initialized by the time this function is called.
However, if the interface is added without bss_config parameter,
hostapd_bss_setup_multi_link() would bail out immediately as mld_ap
parameter isn't set yet. When the interface gets enabled later,
hapd->mld would be NULL resulting in NULL dereference.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
7 months ago BSS: MLD: Parse all TBTT entries after an invalid link
Benjamin Berg [Sun, 1 Sep 2024 16:31:34 +0000 (19:31 +0300)] 
BSS: MLD: Parse all TBTT entries after an invalid link

We would incorrectly exit the loop that iterates all TBTT entries if an
entry is found with an invalid link ID. This commonly happens if the AP
reports a link for another AP (or just another AP in the same MBSSID
set). Change it to continue with the next TBTT entry so that all entries
are parsed and all links can be found.

Fixes: de5e01010cb2 ("wpa_supplicant: Support ML probe request")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
7 months ago BSS: MLD: Limit TBTT parsing to correct length
Benjamin Berg [Sun, 1 Sep 2024 16:31:33 +0000 (19:31 +0300)] 
BSS: MLD: Limit TBTT parsing to correct length

Logically, it makes more sense to pass the ap_info_len as that is the
length that the function is permitted to process. Effectively it does
not make a difference and the code was entirely safe, but change it
nonetheless to be more correct.

Fixes: de5e01010cb2 ("wpa_supplicant: Support ML probe request")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
7 months ago P2P: Consult driver capabilities before setting HE bit in GO's conf
Jintao Lin [Wed, 7 Aug 2024 21:48:01 +0000 (21:48 +0000)] 
P2P: Consult driver capabilities before setting HE bit in GO's conf

p2p_go_he could be set to 1 in the global config file while the device
might only have a VHT Wi-Fi NIC. Consult driver capabilities before
setting the HE bit for the GO's configuration so that latter AP
configuration does not fail due to wrong AP configuration, like
hostapd_get_oper_centr_freq_seg0_idx().

This config bit is checked and set in wpa_supplicant_conf_ap_ht() based
on a more recent commit 3459c54ac78b ("mesh: Add support for HE mode"),
Thus there is no need to override this bit specifically for P2P GO using
this older approach.

Signed-off-by: Jintao Lin <jintaolin@chromium.org>
7 months ago tests: Add more test cases to long_tests due to UML delays
Jouni Malinen [Thu, 19 Dec 2024 23:17:47 +0000 (01:17 +0200)] 
tests: Add more test cases to long_tests due to UML delays

These seem to be able to hang UML for some unknown reason, so try to run
them at the beginning of the sequence as a workaround.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Clear AP scan cache in prefer_ht40
Jouni Malinen [Thu, 19 Dec 2024 23:06:57 +0000 (01:06 +0200)] 
tests: Clear AP scan cache in prefer_ht40

It was possible for the HT40+ AP to fail to start 40 MHz channel due to
a conflicting AP in the scan results from a previous test case. This
happened, e.g., with the following test case sequence:
olbc prefer_ht40

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Disconnect after OCV tests showing valid OCI
Jouni Malinen [Thu, 19 Dec 2024 22:45:25 +0000 (00:45 +0200)] 
tests: Disconnect after OCV tests showing valid OCI

These test cases that used external EAPOL handling to test hostapd
behavior left the STA in associated state at the end and that could
result in race conditions showing up as a new association related event
in the following test case. Minimize risk of that resulting in test case
failures by explicitly disconnecting at the end of the test case.

This was found with this test case sequence:
autogo_many wpa2_ocv_ap_unexpected1 wpa2_ocv_sta_override_eapol

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Fix rare EAPOL frame ID wrap-around failure
Benjamin Berg [Fri, 27 Sep 2024 09:36:22 +0000 (11:36 +0200)] 
tests: Fix rare EAPOL frame ID wrap-around failure

In rare cases ieee8021x_set_conf would fail as the ID of the EAPOL frame
wrapped around and the frame was not ignored as expected.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
7 months ago tests: Insert sleep after DATA_TEST_FRAME where needed
Benjamin Berg [Fri, 27 Sep 2024 09:36:21 +0000 (11:36 +0200)] 
tests: Insert sleep after DATA_TEST_FRAME where needed

If the frame is not fully processed the neighbor entries of the bridge
will not yet be updated. Add a sleep to ensure that the tests are not
racy.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
7 months ago tests: Fix race condition in fst_setup_mbie_diff
Benjamin Berg [Fri, 27 Sep 2024 09:36:20 +0000 (11:36 +0200)] 
tests: Fix race condition in fst_setup_mbie_diff

The allocation failure could be checked before the operation had
completed. Fix this by enabling the wait in the call to fst_setup_req.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
7 months ago mesh: Use the correct 6 GHz operating class 137 for 320 MHz bandwidth
Maharaja Kennadyrajan [Tue, 17 Dec 2024 06:57:20 +0000 (12:27 +0530)] 
mesh: Use the correct 6 GHz operating class 137 for 320 MHz bandwidth

The 320 MHz case was not yet handled for setting the global operating
class for mesh in the 6 GHz band. That needs to use the operating class
137 instead of the default 131.

Signed-off-by: Maharaja Kennadyrajan <quic_mkenna@quicinc.com>
7 months ago AP: Support disconnect with MLD
Chenming Huang [Tue, 24 Sep 2024 08:15:42 +0000 (13:45 +0530)] 
AP: Support disconnect with MLD

When requested to disconnect a station also handle the corresponding MLD
stations. This was previously done in commit c6f519ff15b2 ("AP: Support
deauthenticate/disassociate with MLD") for ap_sta_disassociate() and
ap_sta_deauthenticate(), but similar handling is needed for
ap_sta_disconnect() as well to cover some disconnection cases especially
from the Authenticator functionality.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
7 months ago tests: AP MLD and GTK rekeying failure with two link MLD client
Jouni Malinen [Thu, 19 Dec 2024 21:15:46 +0000 (23:15 +0200)] 
tests: AP MLD and GTK rekeying failure with two link MLD client

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago P2P: Check P2P 6 GHz capability to start P2P GO
Shivani Baranwal [Tue, 10 Dec 2024 09:51:37 +0000 (15:21 +0530)] 
P2P: Check P2P 6 GHz capability to start P2P GO

Currently, when no forced channel frequency is included with the start
an autonomous P2P GO command, a 6 GHz channel might get selected if it
is a shared radio frequency irrespective of P2P 6 GHz capability. In
these cases we need to check whether P2P 6 GHz capability is supported
before proceeding with P2P GO start on a 6 GHz channel.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
7 months ago Add QCA vendor attributes to configure antenna selection
Wu Gao [Fri, 13 Dec 2024 07:16:24 +0000 (23:16 -0800)] 
Add QCA vendor attributes to configure antenna selection

Add following attributes to configure antenna selection:
  QCA_WLAN_VENDOR_ATTR_CONFIG_ANT_DIV_PROBE_COUNT_WLAN
  QCA_WLAN_VENDOR_ATTR_CONFIG_ANT_DIV_PROBE_COUNT_BT
  QCA_WLAN_VENDOR_ATTR_CONFIG_ANT_DIV_PROBE_WLAN_RSSI_THRESHOLD
  QCA_WLAN_VENDOR_ATTR_CONFIG_ANT_DIV_PROBE_BT_RSSI_THRESHOLD
  QCA_WLAN_VENDOR_ATTR_CONFIG_ANT_DIV_SWITCH_WLAN_RSSI_DIFF
  QCA_WLAN_VENDOR_ATTR_CONFIG_ANT_DIV_SWITCH_BT_RSSI_DIFF

If WLAN or BT RSSI is lower than the threshold, the firmware will start
a probe and then get RSSI of other antenna, and then select a better
antenna if RSSI difference is larger than the setting.

Signed-off-by: Wu Gao <quic_wugao@quicinc.com>
7 months ago tests: Add some more longer duration test cases to long_tests
Jouni Malinen [Wed, 18 Dec 2024 11:07:43 +0000 (13:07 +0200)] 
tests: Add some more longer duration test cases to long_tests

These test cases seemed to take longer time with UML time-travel and it
is more efficient to run them in the beginning of the test sequence to
avoid leaving a single VM delaying completion of a parallel test run
with large number of VMs. In addition, it looks like some of these test
cases are much more reliable and faster to run at the beginning of a VM
lifetime than at the end.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Terminate UML VM automatically if it seems to have stopped
Jouni Malinen [Wed, 18 Dec 2024 10:43:32 +0000 (12:43 +0200)] 
tests: Terminate UML VM automatically if it seems to have stopped

There have been a number of cases in which a UML VM seems to hang. Make
parallel-vm.py track how long it has been since last stdout input from a
VM and terminate the VM using uml_mconsole if there have been no updates
in ten seconds. This is in use only with UML, i.e., only if time-travel
is enabled, so 120 seconds of real calendar time should be enough time
for any test case to be completed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Remove the header line from VM tracking to free up space
Jouni Malinen [Tue, 17 Dec 2024 22:41:05 +0000 (00:41 +0200)] 
tests: Remove the header line from VM tracking to free up space

This allows one more VM to be tracked (or one more failed test case to
be listed).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Check whether a terminated VM completed the last test case
Jouni Malinen [Tue, 17 Dec 2024 22:19:34 +0000 (00:19 +0200)] 
tests: Check whether a terminated VM completed the last test case

If the VM process (e.g., UML) hangs and gets terminated forcefully,
parallel-vm.py did not report this as a failure. Check whether the last
started test case was completed when a VM terminates and if not, report
it as a test failure.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Fix unexpected exit handling
Jouni Malinen [Tue, 17 Dec 2024 22:14:41 +0000 (00:14 +0200)] 
tests: Fix unexpected exit handling

Calculation of remaining VMs seemed to have been messed up in some of
the earlier design changes. Iterate over all VMs instead of checking the
terminated VM context data multiple times.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Run test cases that read process memory in the beginning
Jouni Malinen [Tue, 17 Dec 2024 18:02:03 +0000 (20:02 +0200)] 
tests: Run test cases that read process memory in the beginning

Those test cases seem to have some resource issues (i.e., taking
unexpectedly large amount of memory) with newer software versions
(showed up when upgrading from Ubuntu 22.04 to 24.04; maybe due to newer
python3 version?). This might be related to memory fragmentation and
allocated memory from hostapd/wpa_supplicant not getting fully freed in
a sense of minimizing the read process memory. Running the key lifetime
test cases in the beginning of each VM seems to avoid resource issues,
so reorder the test cases to do that.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Work around compiler differences in forcing failures
Jouni Malinen [Tue, 17 Dec 2024 17:46:43 +0000 (19:46 +0200)] 
tests: Work around compiler differences in forcing failures

Something in the compiler update when moving from Ubuntu 22.04 to 24.04
made these test cases unable to trigger one of the failure sequences.
Modify the failure pattern to avoid this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago tests: Fix buffer length prints for process memory reading
Jouni Malinen [Sat, 14 Dec 2024 11:01:24 +0000 (13:01 +0200)] 
tests: Fix buffer length prints for process memory reading

len(buf) does not really work anymore after the previous optimizations.

Fixes: dc766bb57ebe ("tests: Optimize process memory reading using join")
Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: Handle newer tshark version returning boolean values
Jouni Malinen [Sat, 14 Dec 2024 10:34:20 +0000 (12:34 +0200)] 
tests: Handle newer tshark version returning boolean values

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: EHT checks with newer tshark version
Jouni Malinen [Sat, 14 Dec 2024 10:19:34 +0000 (12:19 +0200)] 
tests: EHT checks with newer tshark version

Support newer tshark versions that are able to dissect the Multi-Link
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: Get rid of invalid escape sequences
Jouni Malinen [Sat, 14 Dec 2024 08:53:58 +0000 (10:53 +0200)] 
tests: Get rid of invalid escape sequences

These started to show up as SyntaxWarning prints with a newer python3
version and there is really no need to maintain the old versions, so get
rid of the invalid escape sequences.

Signed-off-by: Jouni Malinen <j@w1.fi>
7 months ago tests: P2P2 connection without provisioning
Vinay Gannevaram [Thu, 12 Dec 2024 14:43:53 +0000 (20:13 +0530)] 
tests: P2P2 connection without provisioning

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
7 months ago P2P2: Allow P2P2 client to connect to GO with preconfigured credentials
Vinay Gannevaram [Wed, 11 Dec 2024 19:41:43 +0000 (01:11 +0530)] 
P2P2: Allow P2P2 client to connect to GO with preconfigured credentials

A P2P2 GO in PCC mode will allow connecting P2P and P2P2 clients. Such
GO can allow connections with P2P clients by skipping the provisioning
procedure. Add support to allow P2P client to initiate such direct
connection with preconfigured credentials.

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
7 months ago P2P2: Handle join case without pending GO interface address
Vinay Gannevaram [Wed, 11 Dec 2024 19:41:43 +0000 (01:11 +0530)] 
P2P2: Handle join case without pending GO interface address

Fetch a BSS entry using bssid = NULL instead of 00:00:00:00:00:00 when
starting join without a specific GO interface address. This is needed
for P2P2 client joining a group with preconfigured credentials (i.e.,
skipping the provisioning step).

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
7 months ago EHT: Fix HE center frequency for EHT 320 MHz with puncturing
Govindaraj Saminathan [Mon, 9 Dec 2024 05:57:34 +0000 (11:27 +0530)] 
EHT: Fix HE center frequency for EHT 320 MHz with puncturing

Currently, oper_chwidth holds 320 MHz and he_oper_centr_freq_seg0_idx
holds the center frequency of the primary 160 MHz, causing the
calculation of the wrong seg0 from punct_update_legacy_bw() and
leading to connectivity issues with HE STA.

Start with the HE operating bandwidth instead of EHT operating bandwidth
to calculate seg0 to update the correct center frequency in HE Operation
element.

Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
7 months ago nl80211: Update channels unavailability for 320 MHz
Govindaraj Saminathan [Fri, 6 Dec 2024 13:14:04 +0000 (18:44 +0530)] 
nl80211: Update channels unavailability for 320 MHz

Parse NL80211_FREQUENCY_ATTR_NO_320MHZ channel attributes to ensure
correct checking of channel availability in a 320 MHz bandwidth.

Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
7 months ago AP MLD: Fix radar event processing
Mohan Kumar G [Fri, 6 Dec 2024 06:14:05 +0000 (11:44 +0530)] 
AP MLD: Fix radar event processing

When a radar event is received in an AP MLD operating on a DFS channel,
nl80211_radar_event() iterates over all the BSSs available in drv to
find a link matching the frequency of the event. If a link match is
found, the radar handler function tries to switch to a new channel with
the same bandwidth. In case no valid channels are available it disables
and re-enables the interface, reallocating the drv BSSs. However, the
loop in nl80211_radar_event() function continues to access the old
deallocated BSSs' address in the next iteration, causing a crash.

Since the radar handler function handles the event for all BSSs in an
interface, there is no need to call it again once a link match is found.
Hence, fix this issue by exiting the loop after calling the handler if a
link match is found for the radar event.

Also, since the loop already checks all the BSSs, remove the handler
present before the loop.

Fixes: bfc89d757b72 ("nl80211: Handle radar event properly during MLO")
Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
7 months ago EHT: Update legacy bandwidth when puncturing is set in 320 MHz
Govindaraj Saminathan [Fri, 6 Dec 2024 04:31:49 +0000 (10:01 +0530)] 
EHT: Update legacy bandwidth when puncturing is set in 320 MHz

Update lower bandwidth without puncturing for legacy clients when
the puncturing bitmap is set in 320 MHz. This updates the lower
bandwidth in HE and VHT Operation elements when the puncturing
bitmap is set in EHT 320 MHz.

Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
7 months ago EHT: Update legacy bandwidth for 320 MHz in Wide Bandwidth subelement
Govindaraj Saminathan [Thu, 5 Dec 2024 17:16:55 +0000 (22:46 +0530)] 
EHT: Update legacy bandwidth for 320 MHz in Wide Bandwidth subelement

As per IEEE P802.11be/D7.0, 35.15.3, for EHT BSS operating channel width
wider than 160 MHz, the Bandwidth Indication subelement in the Channel
Switch Wrapper element indicates the EHT bandwidth to EHT clients. The
announced BSS bandwidth in the Wide Bandwidth Channel Switch subelement
should be less than the BSS bandwidth in the Bandwidth Indication
subelement.

Update the Wide Bandwidth Channel Switch subelement to the lower
bandwidth of 160 MHz if the new channel bandwidth is 320 MHz.

Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
7 months ago tests: Add simple MLO test case to exercise single drv
Aditya Kumar Singh [Wed, 13 Nov 2024 07:26:21 +0000 (12:56 +0530)] 
tests: Add simple MLO test case to exercise single drv

Add MLO test case to test one one-link MLD and one two-link MLD
coexisting case in such a way that single drv path can be exercised.
Connect ML STA to each and verify traffic.

Configs will be used as shown below:

   +--------------------+     +------------------+
   |     config 2       |     |      config 1    |
   |                    |     |                  |
   |                    |     |                  |
   | +----------------+ |     |                  |
   | |     BSS 1      | |     |                  |
   | | ssid: mld-0    | |     |                  |
   | +----------------+ |     |                  |
   |                    |     |                  |
 +-----------------------------------------------------------------+
 | | +----------------+ |     | +--------------+ |                 |
 | | |     BSS 2      | |     | |     BSS 1    | |                 |
 | | | ssid: mld-1    | |     | | ssid: mld-1  | |  2 Link MLO AP  |
 | | +----------------+ |     | +--------------+ |                 |
 | +--------------------+     +------------------+                 |
 +-----------------------------------------------------------------+

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
7 months ago nl80211: Use nl80211_bss_msg() helper wherever BSS is accessible
Aditya Kumar Singh [Wed, 13 Nov 2024 07:26:20 +0000 (12:56 +0530)] 
nl80211: Use nl80211_bss_msg() helper wherever BSS is accessible

With single drv changes, the drv structure is no longer tightly coupled
with a single radio. Currently, many nl80211 commands assume this
coupling and send commands to drv->first_bss or drv->ifindex, which may
not be the intended BSS. Consequently, the kernel rejects these
commands.

To resolve this issue, use the provided BSS or bss->ifindex to construct
the message, ensuring it is sent to the correct radio's interface.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
7 months ago hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces
Aditya Kumar Singh [Wed, 13 Nov 2024 07:26:19 +0000 (12:56 +0530)] 
hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces

Currently, the first BSS of each hostapd interface (struct hostapd_iface)
creates a new driver data object (struct wpa_driver_nl80211_data, referred
to as drv). When a non-first BSS of an interface initializes, it copies the
drv_priv and thus uses the first BSS’s drv object. This can lead to
situations where multiple drv objects are maintained for the same
underlying hardware in hostapd.

Some of such situations are:

1. Two different configs for two different wlanX interfaces but on the
   same underlying radio. In this case, two drv objects will be
   maintained.

2. MLO case - 5 GHz config having two BSS. 6 GHz config having one BSS.
   5 GHz's second BSS is partnering with 6 GHz's BSS and forming MLD.
   And 6 GHz config is enabled first and then 5 GHz. In this case, two
   different driver instances will be maintained - one having 5 GHz BSS
   and other having 5 GHz + 6 GHz MLO BSS. To visualize this:

Assumption: Only 1 phy (say phy0 exist on system). On this phy, the driver
            has grouped both 5 GHz and 6 GHz underlying radio as a single
            radio.
Config:
     +--------------------+     +------------------+
     |     5 GHz config   |     |   6 GHz config   |
     |                    |     |                  |
     |                    |     |                  |
     | +----------------+ |     |                  |
     | |     BSS 1      | |     |                  |
     | | ssid: guest_ap | |     |                  |
     | +----------------+ |     |                  |
     |                    |     |                  |
   +------------------------------------------------------------------+
   | | +----------------+ |     | +--------------+ |                  |
   | | |     BSS 2      | |     | |     BSS 1    | |                  |
   | | | ssid: mlo_ap   | |     | | ssid: mlo_ap | |   2 Link MLO AP  |
   | | +----------------+ |     | +--------------+ |                  |
   | +--------------------+     +------------------+                  |
   +------------------------------------------------------------------+

Expectation:
+-----------------------------------+
|   wpa_driver_nl80211_data (drv)   |
|          (for the phy0)           |
|                                   |
|        +----------------+         |        +----------------+
|        |    first_bss   -------------------|   second_bss   |
|        |                |         |        |                |
|        | ssid: guest_ap |         |        | ssid: mlo_ap   |
|        +----------------+         |        +----------------+
+-----------------------------------+

Current situation (without this change):
+-----------------------------+   +-----------------------------+
|wpa_driver_nl80211_data (drv)|   |wpa_driver_nl80211_data (drv)|
|       (for the phy0)        |   |       (again for the phy0)  |
|                             |   |                             |
|     +----------------+      |   |     +----------------+      |
|     |    first_bss   |      |   |     |    first_bss   |      |
|     |                |      |   |     |                |      |
|     | ssid: guest_ap |      |   |     | ssid: mlo_ap   |      |
|     +----------------+      |   |     +----------------+      |
+-----------------------------+   +-----------------------------+

With this change, it will behave as per the expectation.

3. Three different underlying hardwares - 2.4 GHz, 5 GHz, 6 GHz, capable
   of three different bands and they are grouped together and advertised
   as single hardware supporting all bands to upper layer. In this case,
   if one interface (wlanX) is enabled in each hardware (three
   independent configs) three different drv will be maintained.

Because of this, at times during de-initialization, proper
deinitialization will not happen and WPA_TRACE could be seen:

nl80211: 1 interface(s) remain at nl80211_global_deinit
ELOOP: remaining socket: sock=12 eloop_data=0x5500292620 user_data=(nil) handler=0x55000f6cb0
WPA_TRACE: eloop unregistered socket handler: 0x55000f6cb0
     rfkill_receive() ../src/drivers/rfkill.c:56
WPA_TRACE: eloop sock - START
[0]: ../../hostapd/hostapd(+0x82fe1) [0x5500082fe1]
     eloop_sock_table_add_sock() ../src/utils/eloop.c:367
[1]: ../../hostapd/hostapd(rfkill_init+0x1ea) [0x55000f700a]
     rfkill_init() ../src/drivers/rfkill.c:200
[2]: ../../hostapd/hostapd(+0xe5325) [0x55000e5325]
     wpa_driver_nl80211_drv_init_rfkill() ../src/drivers/driver_nl80211.c:2276
     wpa_driver_nl80211_finish_drv_init() ../src/drivers/driver_nl80211.c:3036
[3]: ../../hostapd/hostapd(+0xe89f1) [0x55000e89f1]
     wpa_driver_nl80211_drv_init() ../src/drivers/driver_nl80211.c:2350
[4]: ../../hostapd/hostapd(+0xe8c6e) [0x55000e8c6e]
     i802_init() ../src/drivers/driver_nl80211.c:8714
[5]: ../../hostapd/hostapd(+0x32605) [0x5500032605]
     hostapd_driver_init() main.c:257
[6]: ../../hostapd/hostapd(main+0xd08) [0x5500031ad8]
     main() main.c:1021
[7]: /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x409acd90]
WPA_TRACE: eloop sock - EN

Also, for situation #3, during handling of incoming NL commands, the
above is causing issues in routing the events. This is because since all
underlying hardwares are part of same phy, phy index is same in all the
drv objects. Hence when the event comes, it will be given to the first
drv which might not be having the intended BSS. For example, 5 GHz DFS
events (which do not have if_idx). The event can be passed to driver
having 2.4 GHz's BSS or 6 GHz's depending upon which was enabled first.

Hence to avoid these situations, try to maintain single drv object as
much as possible.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
7 months ago Add a vendor attribute to disable DFS owner capability
Liangwei Dong [Tue, 26 Nov 2024 09:50:38 +0000 (17:50 +0800)] 
Add a vendor attribute to disable DFS owner capability

Add a u8 attribute QCA_WLAN_VENDOR_ATTR_CONFIG_DFS_OWNER_DISABLE to
disable DFS owner capability dynamically:
1: disable DFS owner capability in the driver.
0: reset DFS owner capability to the default DFS owner capability of
the driver.

If DFS owner capability is disabled, the driver will not start AP mode
operations on DFS channels, and all the features depending on DFS owner
functionality will not be supported.

Signed-off-by: Liangwei Dong <quic_liangwei@quicinc.com>
7 months ago Remove empty line between vendor attribute documentation and definition
Jouni Malinen [Thu, 5 Dec 2024 09:23:14 +0000 (11:23 +0200)] 
Remove empty line between vendor attribute documentation and definition

There was not supposed to be an empty line between an enum and the
comment that documents it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
7 months ago Add new QCA vendor attributes for TWT session updatability
Kashish Awasthi [Thu, 28 Nov 2024 06:15:32 +0000 (11:45 +0530)] 
Add new QCA vendor attributes for TWT session updatability

Add the following new QCA vendor attributes to set whether
the TWT session is implicit and can be updated:
QCA_WLAN_VENDOR_ATTR_TWT_SETUP_UPDATABLE
QCA_WLAN_VENDOR_ATTR_TWT_SETUP_IMPLICIT

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago QCA vendor attribute to configure operating type for monitor mode
Hu Wang [Thu, 7 Nov 2024 07:00:03 +0000 (23:00 -0800)] 
QCA vendor attribute to configure operating type for monitor mode

Extend monitor mode configuration from commit 1518638b70 ("QCA vendor
command to configure the parameters for monitor mode") to allow
monitoring operating type to be configured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago AP MLD: Fix max number of simultaneous links in MLE during CAC
Yuvarani V [Mon, 23 Sep 2024 14:27:27 +0000 (19:57 +0530)] 
AP MLD: Fix max number of simultaneous links in MLE during CAC

The Maximum Number Of Simultaneous Links field in MLD Capabilities And
Operations subfield in MLE is currently advertised as `num_links - 1`,
where `num_links` is the number of links added to the AP MLD. However,
when the 5 GHz band link is waiting for CAC timeout, this results in an
incorrect value being advertised for the maximum number of simultaneous
links in MLE, as the 5 GHz link is not active.

For example, an AP MLD with 3 links (2.4 GHz, 5 GHz (waiting for CAC
timeout), and 6 GHz) during bringup has `num_links` set to 3.
Consequently, the maximum number of simultaneous links in MLE is
advertised as 2 according to the current code, despite the 5 GHz link
being in CAC timeout. The field should have been set to 1 to indicate
a maximum of 2 links.

Fix this issue by determining the number of currently active links of
the AP MLD (instead of hapd->num_links which may include currently
inactive links) and use it to set the value for the maximum number of
simultaneous links in MLE.

Signed-off-by: Yuvarani V <quic_yuvarani@quicinc.com>
8 months ago tests: Make autogo_interworking more robust
Jouni Malinen [Sat, 30 Nov 2024 09:51:44 +0000 (11:51 +0200)] 
tests: Make autogo_interworking more robust

Clear scan cache to avoid issues with older BSS entries with the same
BSSID from causing test failures due to not finding the expected
Interworking element.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago AP: Fix dangling pointer access during 6 GHz NO_IR channel list update
Govindaraj Saminathan [Tue, 17 Sep 2024 11:31:24 +0000 (17:01 +0530)] 
AP: Fix dangling pointer access during 6 GHz NO_IR channel list update

Whenever the channel list change event is received along with regulatory
domain set initiated by the driver for the 6 GHz band, memory is
reallocated for new hw modes to update the no_ir channel list, but the
interface current_mode pointer is still referring to the old memory
allocation which can cause a dangling pointer access and crash.

Use locally allocated data to update the no_ir channel list to avoid
this and later regdomain changes are properly updated using setup
interface subroutine.

Fixes: 0837863fbc62 ("AP: Handle 6 GHz AP state machine with NO_IR flags")
Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
8 months ago Force a global operating class to be used with Wi-Fi Agile Multiband
Amith A [Fri, 30 Aug 2024 04:36:59 +0000 (10:06 +0530)] 
Force a global operating class to be used with Wi-Fi Agile Multiband

Wi-Fi Agile Multiband spec requires the AP to set the last octet of the
Country String to 0x04, i.e., to use a global operating class from Table
E-4. Enforce this similarly to the way the 6 GHz case was already done.

Signed-off-by: Amith A <quic_amitajit@quicinc.com>
8 months ago SAE: Reject association for no PMKID match only for PMKSA caching
Sai Pratyusha Magam [Thu, 14 Nov 2024 15:31:07 +0000 (21:01 +0530)] 
SAE: Reject association for no PMKID match only for PMKSA caching

Authenticator needs to have a PMKSA corresponding to a PMKID (if
present) included by the STA in (Re)Association Request frame if PMKSA
caching is attempted to be used. In case of SAE, this follows Open
System authentication. IEEE Std 802.11 mandates the AP to reject
(re)association trying to use PMKSA caching for SAE authentication.
While the PMKID (if any) in the RSNE in (Re)Association Request frame
following SAE authentication (i.e., in the case of no PMKSA caching) is
not really supposed to include an unknown PMKID, the standard does not
require the AP to reject association. The PMKSA that was just derived
using SAE authentication can be used regardless of which PMKID(s) are
indicated in the (Re)Association Request frame.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
8 months ago tests: hostapd DPP Configurator behavior on missing Config Request
Jouni Malinen [Fri, 29 Nov 2024 20:49:50 +0000 (22:49 +0200)] 
tests: hostapd DPP Configurator behavior on missing Config Request

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago DPP: Deinit Configurator process if Config Request is not received
Arunpandi Kannan [Tue, 28 May 2024 12:42:48 +0000 (18:12 +0530)] 
DPP: Deinit Configurator process if Config Request is not received

After DPP authentication success, if the Configurator did not receive
the Config Request (GAS query request) due to some reason (e.g., a frame
is lost over the air or Enrollee abandoned the DPP process), it would
have waited indefinitely in the same auth process, as there is no
timeout function running to clear the existing DPP process. Due to this
the subsequent DPP authentication requests get rejected.

Terminate the DPP process, if no Config Request is received within ten
seconds after successful completion of the DPP authentication exchange.

Signed-off-by: Arunpandi Kannan <quic_arunpand@quicinc.com>
8 months ago AP MLD: Fix crash during config reload from non-ML to ML
Ajith C [Tue, 3 Sep 2024 05:09:05 +0000 (10:39 +0530)] 
AP MLD: Fix crash during config reload from non-ML to ML

When an AP switches from a non-ML to an ML configuration, hostapd
crashes. The crash occurs because the memory allocation for the 'mld'
structure happens only during the AP’s startup if the 'mld_ap' option is
enabled. Consequently, when hostapd transitions from a non-ML to an ML
configuration, the MLD structure’s memory remains unallocated, leading
to a crash when accessed.

Fix this by initiating hostapd_init() whenever the AP transitions
between ML and non-ML configurations to ensure proper memory allocation
for the MLD structure.

Signed-off-by: Ajith C <quic_ajithc@quicinc.com>
8 months ago AP: Handle (Re)Association Response frame if rsn_override_omit_rsnxe is set
Sai Pratyusha Magam [Fri, 15 Nov 2024 11:04:08 +0000 (16:34 +0530)] 
AP: Handle (Re)Association Response frame if rsn_override_omit_rsnxe is set

When rsn_override_omit_rsnxe is set, exclude the RSNXE from the IE
template that is configured to the drivers that generate (Re)Association
Response frame internally. This was previously done only for the case of
hostapd generated (Re)Association Response frames.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
8 months ago AP MLD: Show maximum number of simultaneous links info for non-AP MLDs
Mohan Raj [Mon, 28 Oct 2024 11:22:55 +0000 (16:52 +0530)] 
AP MLD: Show maximum number of simultaneous links info for non-AP MLDs

Add the maximum number of simultaneous links for non-AP MLDs into the
STA control interface commands.

Signed-off-by: Mohan Raj <quic_mrajraje@quicinc.com>
8 months ago AP MLD: Show AP MLD Type Indication in STATUS command
Mohan Raj [Mon, 28 Oct 2024 11:22:55 +0000 (16:52 +0530)] 
AP MLD: Show AP MLD Type Indication in STATUS command

This shows whether the AP MLD is an NSTR mobile AP MLD.

Signed-off-by: Mohan Raj <quic_mrajraje@quicinc.com>
8 months ago AP MLD: Show puncture bitmap in STATUS command
Mohan Raj [Mon, 28 Oct 2024 11:22:55 +0000 (16:52 +0530)] 
AP MLD: Show puncture bitmap in STATUS command

This can be used to determine the disabled subchannels based on the
puncture bitmap (each bit corresponds to a 20 MHz subchannel).

Signed-off-by: Mohan Raj <quic_mrajraje@quicinc.com>
8 months ago P2P: Avoid infinite loop with radio_remove_works(p2p-listen)
Shivani Baranwal [Fri, 27 Sep 2024 08:17:02 +0000 (13:47 +0530)] 
P2P: Avoid infinite loop with radio_remove_works(p2p-listen)

Commit 3242793cb8df ("P2P: Remove pending p2p-listen radio work on
stopping listen") added removal of all pending p2p-listen radio works
when P2P listen is stopped. It looks like there is a possible code path
that results in wpas_p2p_listen_work_done() not being able to mark the
possibly pending and already started p2p-listen radio work completed.

It is not clear what exactly could cause this, but if something manages
to clear wpa_s->p2p_listen_work, this could happen. Theoretically,
having two started p2p-listen works might also cause something like
this, but that should not happen either. In any case, if this happens,
the call to radio_remove_works() from wpas_stop_listen() would end up
calling the radio work callback handler (i.e., wpas_start_listen_cb() in
this case) to deinit the work for the same work multiple times and if
that radio work item has been started, this would result in a recursive
call back to wpas_stop_listen() and infinite recursion killing the
process.

Even though the desired fix would be to get rid of whatever ends up
messing up wpa_s->p2p_listen_work, it is not clear what that could be.
Regardless, since this has shown up in testing, recover from this cleanly
without hitting infinite recursion.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago AP MLD: Remove common elements from per STA profile
Pavithra Ganesan [Mon, 11 Nov 2024 03:42:21 +0000 (09:12 +0530)] 
AP MLD: Remove common elements from per STA profile

Even when an element and its contents in the reported link match those
in the reporting link, the element was still added to the per-STA
profile of the reported link. This occurs because the parsed bitmap is
not updated when a match is found, resulting in the element being added
later. This results in per STA profile carrying extra information which
it should not.

Fix this issue by updating the parsed element ID bitmap accordingly.

Fixes: b5359d01ed55 ("AP MLD: Intersect per STA profile with the reporting BSS")
Signed-off-by: Pavithra Ganesan <quic_pavigane@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
8 months ago AP MLD: Send EML capabilities of an ML station to the driver
Ramasamy Kaliappan [Mon, 25 Nov 2024 13:12:14 +0000 (18:42 +0530)] 
AP MLD: Send EML capabilities of an ML station to the driver

When EMLSR is enabled for an ML association, the EML capabilities
advertised by an ML station need to be updated to the driver to enable
EMLSR operation and to transmit and receive initial Control frame and
Data frames.

Send EML capabilities advertised by an ML station during association to
the underlying driver via the NL80211_ATTR_EML_CAPABILITY attribute.

Signed-off-by: Ramasamy Kaliappan <quic_rkaliapp@quicinc.com>
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
8 months ago AP MLD: Add NULL check for mld pointer during MLD link removal
Govindaraj Saminathan [Wed, 27 Nov 2024 07:25:35 +0000 (12:55 +0530)] 
AP MLD: Add NULL check for mld pointer during MLD link removal

MLD control interface creation failed randomly because the existing
control interface was not properly cleaned up. During the failure case
handling, the memory allocated for hapd->mld is freed in
hostapd_bss_setup_multi_link(). Subsequently, when performing MLD link
removal during the interface down, hostapd_mld_remove_link() attempts to
access the mld pointer without NULL check, causing a segmentation fault.

To prevent this issue, add a validation to check if the mld pointer
is NULL before accessing it.

Signed-off-by: Govindaraj Saminathan <quic_gsaminat@quicinc.com>
8 months ago AP MLD: Remove unnecessary wpa_group get and put for ML cases
Adil Saeed Musthafa [Thu, 21 Nov 2024 08:02:25 +0000 (00:02 -0800)] 
AP MLD: Remove unnecessary wpa_group get and put for ML cases

Remove unnecessary wpa_group_get() and wpa_group_put() calls where the
arguments are ML wpa_auth and wpa_auth->group, which are bound to be
no-op since such cases are not included in the references counter.

In practice, this reverts the third item listed in the commit message
for commit 3ea7cf11db4a ("AP MLD: Enhance authenticator state machine").

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
8 months ago AP MLD: Remove unnecessary outer for loop in authorizing ML STA
Adil Saeed Musthafa [Thu, 21 Nov 2024 06:53:25 +0000 (22:53 -0800)] 
AP MLD: Remove unnecessary outer for loop in authorizing ML STA

Remove unnecessary outer for loop in ieee802_1x_ml_set_sta_authorized().
The inner for loop in this function is what actually iterates over the
partner links. The outer for loop did not have any relevance. Fix this.

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
8 months ago P2P2: Allow op class and channel override for Invitation Response
Shivani Baranwal [Thu, 21 Nov 2024 19:01:11 +0000 (00:31 +0530)] 
P2P2: Allow op class and channel override for Invitation Response

Add a testing interface for replacing the operating class and channel
for Invitation Response messages.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago tests: Auto GO in PCC mode with PSK and SAE clients
Shivani Baranwal [Thu, 21 Nov 2024 18:45:33 +0000 (00:15 +0530)] 
tests: Auto GO in PCC mode with PSK and SAE clients

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Set P2P mode (R1 vs. R2) in the driver
Shivani Baranwal [Sat, 31 Aug 2024 16:51:26 +0000 (22:21 +0530)] 
P2P2: Set P2P mode (R1 vs. R2) in the driver

Add support to set P2P mode in which P2P interface should be brought up.
It has Wi-Fi Direct R1 only mode, Wi-Fi Direct R2 only mode, and P2P
connection compatibility mode which supports both R1 and R2. PCC mode is
applicable only for the Group Owner.

For now, this can be configured only with a QCA vendor command.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: P2P connection compatibility mode with RSN overriding
Shivani Baranwal [Thu, 10 Oct 2024 15:16:42 +0000 (20:46 +0530)] 
P2P2: P2P connection compatibility mode with RSN overriding

P2P2 GO supporting PCC mode operates in WPA3-Personal Compatibility Mode
and allows both P2P2 (WFD-R2) and WFD-R1 clients to connect. P2P2
clients that support RSN overriding will connect with WPA3 SAE
authentication, while the legacy clients connect with WPA2-PSK.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago RSNO: Allow RSN overriding to be enabled for a specific network
Shivani Baranwal [Wed, 13 Nov 2024 10:47:35 +0000 (16:17 +0530)] 
RSNO: Allow RSN overriding to be enabled for a specific network

The new ssid block configuration parameter rsn_overriding can now be
used to override the value of the global rsn_overriding parameter.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago Add new QCA vendor attributes for TWT setup parameters
Aditya Kodukula [Mon, 4 Nov 2024 18:19:09 +0000 (10:19 -0800)] 
Add new QCA vendor attributes for TWT setup parameters

Add downlink and uplink TID vendor attributes to enum
qca_wlan_vendor_attr_twt_setup for setting up restricted TWT schedules.
Extend the range of Broadcast TWT Recommendation field values to include
the new value 4 defined in IEEE P802.11be/D7.0.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago Add new QCA vendor TWT capability values
Kashish Awasthi [Sat, 2 Nov 2024 16:43:21 +0000 (22:13 +0530)] 
Add new QCA vendor TWT capability values

Define new TWT capabilities to get wake interval and
wake duration related attributes in
enum qca_wlan_vendor_attr_twt_capability.

Signed-off-by: Kashish Awasthi <quic_kawasthi@quicinc.com>
8 months ago Add a new QCA vendor attribute for TWT session suspendability
Kashish Awasthi [Wed, 6 Nov 2024 11:45:39 +0000 (17:15 +0530)] 
Add a new QCA vendor attribute for TWT session suspendability

Add the following new QCA vendor attribute to configure whether
the TWT session can be suspended:
QCA_WLAN_VENDOR_ATTR_TWT_SETUP_SUSPENDABLE

Signed-off-by: Kashish Awasthi <quic_kawasthi@quicinc.com>
8 months ago P2P: Clear wpa_s->p2p2 for NFC cases
Jouni Malinen [Wed, 20 Nov 2024 11:11:45 +0000 (13:11 +0200)] 
P2P: Clear wpa_s->p2p2 for NFC cases

wpa_s->p2p2 is used to track whether a new P2P connection is using P2P2.
However, it was not cleared in some cases and that could result in
unexpected behavior and failures, e.g., with NFC-initiated P2P.

Clear wpa_s->p2p2 for the operations that start NFC-based P2P
connection. In addition, clear it on the FLUSH control interface
command.

This showed up with the following test case sequence:
p2p_pairing_opportunistic nfc_p2p_static_handover_tagdev_client

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago wlantest: Use AP's RSNXOE for capabilities when RSNO is used
Jouni Malinen [Wed, 20 Nov 2024 10:30:05 +0000 (12:30 +0200)] 
wlantest: Use AP's RSNXOE for capabilities when RSNO is used

If an association uses RSN overriding and the AP advertises an RSNXOE,
use the RSNXOE instead of the RSNXE when determining AP's RSN
capabilities. In particular, this is needed to determine the correct KDK
length for PTK derivation in a case where the RSNXOE advertises support
for secure ranging while the RSNXE does not.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago NAN USD: Do not start pause state for P2P2 on Subscribe message RX
Shivani Baranwal [Thu, 14 Nov 2024 08:37:34 +0000 (14:07 +0530)] 
NAN USD: Do not start pause state for P2P2 on Subscribe message RX

P2P2 uses USD with an active subscriber and solicited publisher without
FSD.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago NAN USD: Use different group address for P2P2
Shivani Baranwal [Thu, 14 Nov 2024 08:37:34 +0000 (14:07 +0530)] 
NAN USD: Use different group address for P2P2

P2P2 uses USD with a different group address than the NAN Network ID
defined in the Wi-Fi Aware specification. Select the group address based
on whether USD is used with P2P2 or something else. This changes
behavior only for the P2P2 cases.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Allow PASN-PTK to be fetched for testing purposes
Shivani Baranwal [Thu, 11 Jul 2024 18:55:01 +0000 (00:25 +0530)] 
P2P2: Allow PASN-PTK to be fetched for testing purposes

Add support to fetch a recent PASN-PTK that is derived during P2P2
connection. It is required for testing purposes.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Allow P2P-PMK to be extracted for testing purposes
Shivani Baranwal [Tue, 13 Aug 2024 10:29:08 +0000 (15:59 +0530)] 
P2P2: Allow P2P-PMK to be extracted for testing purposes

Add support to fetch a recent PASN-PMK that is derived during a P2P2
connection. This is needed for testing purposes.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Allow device address change when reinvoking a persistent group
Shivani Baranwal [Mon, 5 Aug 2024 06:33:44 +0000 (12:03 +0530)] 
P2P2: Allow device address change when reinvoking a persistent group

In P2P-R2 while reinvoking a persistent group, the devices of the group
can have a different P2P device address for the invite session. As
devices support MAC randomization, we should identify the peers based
on the device identity key. Hence, remove the ether_addr_equal() check.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Command to remove all P2P2 identity keys
Shivani Baranwal [Mon, 5 Aug 2024 06:33:44 +0000 (12:03 +0530)] 
P2P2: Command to remove all P2P2 identity keys

Add a control interface command to allow all P2P2 identity keys to be
removed from configuration.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago tests: P2P pairing verification test for P2P2
Shivani Baranwal [Fri, 15 Nov 2024 09:30:15 +0000 (15:00 +0530)] 
tests: P2P pairing verification test for P2P2

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Store device identity key in wpa_supplicant configuration
Shivani Baranwal [Mon, 5 Aug 2024 06:33:44 +0000 (12:03 +0530)] 
P2P2: Store device identity key in wpa_supplicant configuration

When persistence is enabled, store the identity key into wpa_supplicant
configuration file since this information is needed for pairing
verification to invoke the persistent group and that can happen after
the wpa_supplicant process has been restarted.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago Helper functions for fetching PMK and PMKID
Shivani Baranwal [Mon, 5 Aug 2024 06:33:44 +0000 (12:03 +0530)] 
Helper functions for fetching PMK and PMKID

These are needed to avoid direct use of struct rsn_pmksa_cache_entry
which is defined differently for Authenticator and Supplicant.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Store WPA3 connection credentials in the configuration
Shivani Baranwal [Mon, 18 Nov 2024 06:00:26 +0000 (11:30 +0530)] 
P2P2: Store WPA3 connection credentials in the configuration

Persistent connection details were stored only for WPA2-PSK mode. Enable
the storage of WPA3 sae_password, authentication algorithm, key
management, and protocol type. Also, allow credentials without
sae_password for the pmk_valid case.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago P2P2: Fix memory leak in awork deinit case for PASN authentication
Shivani Baranwal [Mon, 18 Nov 2024 06:11:47 +0000 (11:41 +0530)] 
P2P2: Fix memory leak in awork deinit case for PASN authentication

os_free(awork) is not sufficient anymore with the separately allocated
awork->ssid.

Fixes: 96e48a05aa0a ("P2P2: Invitation using pairing verification")
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
8 months ago hostapd: Pass link ID for non-link agnostic Action frames
Aditya Kumar Singh [Mon, 14 Oct 2024 04:29:45 +0000 (09:59 +0530)] 
hostapd: Pass link ID for non-link agnostic Action frames

With the recently added support for passing Link ID for transmitting
Action frames, pass the Link ID if the Action frame is not link
agnostic.

According to IEEE P802.11be/D7.0, 35.3.14 (MLD individually addressed
Management frame delivery), between an AP MLD and a non-AP MLD, certain
Action frames such as Block Ack Action frame, SA Query Action frame, and
WNM Sleep Mode Request/Response frame, etc. which are individually
addressed MMPDUs, are intended for an MLD. Therefore, there is no need
to pass the Link ID for these types of frames.

However, for rest of the Action frames since it is not said to be
intended for an MLD, use the link ID.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
8 months ago AP: Avoid double free of key data buffer if AES unwrap fails
Hu Wang [Wed, 6 Nov 2024 10:50:04 +0000 (02:50 -0800)] 
AP: Avoid double free of key data buffer if AES unwrap fails

key_data_buf was freed when aes_unwrap() failed, and then after goto
out, key_data_buf would be freed again. The separate freeing on
aes_unwrap() failure is not needed, so remove it.

Fixes: 4abc37e67b ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago AP: NULL pointer check for bssid in hostapd_mgmt_tx_cb()
Hu Wang [Wed, 6 Nov 2024 10:39:05 +0000 (02:39 -0800)] 
AP: NULL pointer check for bssid in hostapd_mgmt_tx_cb()

The BSSID pointer returned by get_hdr_bssid() may be NULL and it could
have been dereferenced by ether_addr_equal() here at least in theory
(though this is based only on the TX status events, i.e., own frames).
Add an explicit check to avoid that.

Fixes: d75ebe23d8 ("AP: Handle Management frame TX status for AP MLD address")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago nl80211: NULL pointer check for msg in i802_flush()
Hu Wang [Wed, 6 Nov 2024 10:17:04 +0000 (02:17 -0800)] 
nl80211: NULL pointer check for msg in i802_flush()

Pointer 'msg' from nl80211_bss_msg() might be NULL and might be
dereferenced by nla_put_u8(), so need to check for memory allocation
failure explicitly here.

Fixes: b1e463374e ("AP MLD: Link-specific flushing of stations")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago dbus: NAN USD: Actually use freq_list parameter in NANPublish
Lo,Chin-Ran [Wed, 30 Oct 2024 09:59:57 +0000 (10:59 +0100)] 
dbus: NAN USD: Actually use freq_list parameter in NANPublish

Set the freq_list array from dbus to the member of params to take
effect.

Fixes: 85cd98976d0e ("dbus: Methods for NAN USD")
Signed-off-by: Lo,Chin-Ran <chin-ran.lo@nxp.com>
8 months ago tests: WFA generational capabilities indication (automatic)
Jouni Malinen [Wed, 6 Nov 2024 17:45:37 +0000 (19:45 +0200)] 
tests: WFA generational capabilities indication (automatic)

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago Automatic generation of supported WFA generational capabilities on STA
Jouni Malinen [Wed, 6 Nov 2024 17:43:14 +0000 (19:43 +0200)] 
Automatic generation of supported WFA generational capabilities on STA

Generate the wfa_gen_capa_supp value automatically based on driver
capabilities if the configuration does not include a specific value for
this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago Convert wpa_s->hw_capab into a bitmap and add HE and EHT
Jouni Malinen [Wed, 6 Nov 2024 17:41:44 +0000 (19:41 +0200)] 
Convert wpa_s->hw_capab into a bitmap and add HE and EHT

This makes wpa_s->hw_capab more useful for determining local
capabilities, e.g., for reporting them using Wi-Fi Alliance generational
capabilities indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago tests: Wi-Fi Alliance Generational Capabilities Indication
Jouni Malinen [Tue, 5 Nov 2024 16:54:59 +0000 (18:54 +0200)] 
tests: Wi-Fi Alliance Generational Capabilities Indication

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
8 months ago Wi-Fi Generational Capabilities Indication transmission on STA
Jouni Malinen [Tue, 5 Nov 2024 16:45:10 +0000 (18:45 +0200)] 
Wi-Fi Generational Capabilities Indication transmission on STA

Add support to send generational capabilities indication to the
associated AP. This includes generation of the Generational Capabilities
Indication attribute and sending it in either the (Re)Association Request
frame or the Wi-Fi Capabilities frame.

By default, this functionality is disabled. It can be enabled by setting
the global wpa_supplicant configuration parameter wfa_gen_capa to either
1 (protected) or 2 (unprotected) and setting the supported (and
optionally also certified) generational capabilities in
wfa_gen_capa_supp (and wfa_gen_capa_cert).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>