git.ipfire.org Git - thirdparty/hostap.git/log
9 months ago
Shivani Baranwal [Wed, 3 Jul 2024 16:41:26 +0000 (22:11 +0530)] 
P2P2: Start client for join without WPS

Do not use WPS enrollee for P2P2 connection.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Wed, 3 Jul 2024 16:41:26 +0000 (22:11 +0530)] 
P2P2: Support for GO to allow a client to join the group

Enable P2P GO to authorize a client device to join the group. In the
case of opportunistic bootstrapping, P2P GO must share the password with
the client device during PASN authentication in an Encrypted Data
element. P2P GO retrieves the ssid->sae_password and stores it in
p2p->dev_sae_password and authorizes the client. The SAE password and
the random passphrase derived for WPA-PSK connection are same. This
allows use of the get_passphrase API to connect a P2P-R1 and P2P-R2
client in PCC mode which will be covered in separate commits.

The P2P Client initiates PASN authentication with the GO using either
the password or opportunistic bootstrapping method. In the password
method, the client initiates PASN authentication with SAE tunneling
using the password and proceeds with the connection using open
authentication. In the opportunistic bootstrapping method, the client
obtains the SAE password from the GO and initiates the connection with
SAE authentication.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Wed, 3 Jul 2024 16:41:26 +0000 (22:11 +0530)] 
P2P2: Provisioning step on GO when a client joins

Add the PMKSA on the P2P2 GO when a new P2P2 Client joins the group
instead of going through the WPS step. This commit is adding just the
mechanism to add the PMKSA and the actual use for this is in a separate
commit.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Jouni Malinen [Tue, 29 Oct 2024 22:08:21 +0000 (00:08 +0200)] 
P2P2: Fix a typo in function documentation

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Tue, 29 Oct 2024 10:27:12 +0000 (12:27 +0200)] 
P2P2: Fix peer entry generation based on USD

All cases calling dev_found() for a P2P peer will need to set the peer
flags to indicate it has been reported. In particular, this is needed to
avoid memory leaks in D-Bus code and in P2P peer cleanup. The recently
added P2P2 case using USD did not update the flags, so fix it to match
other cases.

Fixes: b4f9742ee246 ("P2P2: Process Element container attribute from NAN SDFs")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Wed, 30 Oct 2024 10:04:01 +0000 (12:04 +0200)] 
Remove STA entries if association is not completed in 60 seconds

While the IEEE 802.11 standard allows STAs to authenticate with multiple
APs and later associate with one such AP, it is not really good for an
AP to maintain STA entries for not fully associated STA for significant
amount of time. Time out such STA entries in hostapd to clean state and
resources.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Wed, 30 Oct 2024 10:30:35 +0000 (12:30 +0200)] 
SAE: More robust password identifier checks for AP mode

Do not update the more persistent sae->tmp->pw_id value based on each
received SAE commit message before having successfully processed the
commit. In particular, this includes checking for a matching password
identifier in cases where the AP has enabled one or more SAE passwords
with identifiers.

A per-received message sae->tmp->parsed_pw_id is used during parsing and
processing of each individual message and sae->tmp->pw_id is set only
after having successfully processed a commit message. This avoids
sae->tmp->pw_id getting bound to an unknown value.

An earlier commit addressed some of the sequences that could have this
issue, but it missed some cases. This newer more robust version covers
what the earlier commit did, so that part can be removed with the new
design.

Fixes: 761041b18ab2 ("SAE: Free password identifier if SAE commit is rejected due to it")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Wed, 30 Oct 2024 09:33:44 +0000 (11:33 +0200)] 
SAE: Reject unexpected password identifier in commit message parser

While the list of possible SAE password identifiers might not be
available at the time of parsing a SAE commit message, an AP knows
whether any password identifiers have been enabled (since it has to
advertise that in the Beacon frames). When parsing a commit message on
an AP with no password identifiers in use, the parser can already reject
the unexpected case of an SAE password identifier.

Check for this specific case and reject the SAE commit based on unknown
password identifier if the received value cannot be for an enabled
password. This prevents some cases where an active attacker might have
been able to cause DoS by binding an STA entry in hostapd to a specific
SAE password identifier even when that identifier is not in use.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
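
The two SAE commits above describe one pattern: parse the identifier into a per-message field, reject it in the parser when no identifiers are enabled, and bind the persistent field only after the commit is accepted. The following is an added sketch of that pattern, not hostapd code; only the field names pw_id and parsed_pw_id come from the commit messages, while the structs, status values, fixed-size buffers and the valid_element flag (standing in for the cryptographic checks) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PW_ID_MAX 32 /* assumed buffer size for this sketch */

/* Hypothetical status values, not hostapd's constants. */
enum commit_status { COMMIT_OK, COMMIT_UNKNOWN_PW_ID, COMMIT_REJECTED };

/* Per-STA state. Only the two field names come from the commit text. */
struct sae_tmp {
	char pw_id[PW_ID_MAX];        /* persistent; "" means not bound */
	char parsed_pw_id[PW_ID_MAX]; /* scratch for the current message */
};

struct ap_cfg {
	const char *const *pw_ids; /* identifiers of the enabled passwords */
	size_t num_pw_ids;         /* 0: no identifiers enabled */
};

struct commit_msg {
	const char *pw_id; /* NULL when the frame carries no identifier */
	int valid_element; /* stands in for the scalar/element checks */
};

static int pw_id_enabled(const struct ap_cfg *cfg, const char *id)
{
	size_t i;

	for (i = 0; i < cfg->num_pw_ids; i++)
		if (strcmp(cfg->pw_ids[i], id) == 0)
			return 1;
	return 0;
}

/* Parser step: writes only the per-message field. */
static enum commit_status parse_commit(const struct ap_cfg *cfg,
				       struct sae_tmp *tmp,
				       const struct commit_msg *msg)
{
	tmp->parsed_pw_id[0] = '\0';
	if (!msg->pw_id)
		return COMMIT_OK;
	/* With no identifiers enabled (or an over-long value), the
	 * received identifier cannot be for an enabled password. */
	if (cfg->num_pw_ids == 0 || strlen(msg->pw_id) >= PW_ID_MAX)
		return COMMIT_UNKNOWN_PW_ID;
	strcpy(tmp->parsed_pw_id, msg->pw_id);
	return COMMIT_OK;
}

/* Full processing: pw_id changes only when every check has passed. */
static enum commit_status process_commit(const struct ap_cfg *cfg,
					 struct sae_tmp *tmp,
					 const struct commit_msg *msg)
{
	enum commit_status res = parse_commit(cfg, tmp, msg);

	if (res == COMMIT_OK && tmp->parsed_pw_id[0] &&
	    !pw_id_enabled(cfg, tmp->parsed_pw_id))
		res = COMMIT_UNKNOWN_PW_ID;
	if (res == COMMIT_OK && !msg->valid_element)
		res = COMMIT_REJECTED;
	if (res == COMMIT_OK)
		strcpy(tmp->pw_id, tmp->parsed_pw_id);
	tmp->parsed_pw_id[0] = '\0';
	return res;
}

/* Constructed case: AP without identifiers receives a commit with one. */
int demo_no_ids_enabled(void)
{
	struct ap_cfg cfg = { NULL, 0 };
	struct sae_tmp tmp = { "", "" };
	struct commit_msg msg = { "guest", 1 };

	return process_commit(&cfg, &tmp, &msg) == COMMIT_UNKNOWN_PW_ID &&
		tmp.pw_id[0] == '\0';
}

/* Constructed case: failed commits after a good one keep the binding. */
int demo_failed_commits_keep_binding(void)
{
	static const char *const ids[] = { "office", "lab" };
	struct ap_cfg cfg = { ids, 2 };
	struct sae_tmp tmp = { "", "" };
	struct commit_msg good = { "lab", 1 };
	struct commit_msg bad_element = { "office", 0 };
	struct commit_msg unknown = { "guest", 1 };

	return process_commit(&cfg, &tmp, &good) == COMMIT_OK &&
		process_commit(&cfg, &tmp, &bad_element) == COMMIT_REJECTED &&
		process_commit(&cfg, &tmp, &unknown) == COMMIT_UNKNOWN_PW_ID &&
		strcmp(tmp.pw_id, "lab") == 0;
}

int main(void)
{
	printf("no identifiers enabled, commit rejected: %d\n",
	       demo_no_ids_enabled());
	printf("binding survives failed commits: %d\n",
	       demo_failed_commits_keep_binding());
	return 0;
}
```
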
9 months ago
Jouni Malinen [Thu, 31 Oct 2024 09:11:46 +0000 (11:11 +0200)] 
tests: Enable SAE Pw Id on AP in sae_proto_hostapd_valid_commit_after_fail

This is in preparation for implementation changes that use knowledge of
whether SAE Password Identifiers have been enabled to reject unexpected
commit messages.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Wed, 30 Oct 2024 09:05:50 +0000 (11:05 +0200)] 
SAE: Avoid duplicated debug entries for IEs in SAE commit messages

Print the "SAE: Possible elements at the end of the frame" debug message
only once (and only if there is actually some additional data) instead
of printing it for each element separately. There was some use for the
separated prints earlier, but that is not really helpful anymore with
the reduced mixing of IEs and non-IE fields at the end of the SAE commit
messages.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Stone Zhang [Mon, 14 Oct 2024 10:47:32 +0000 (18:47 +0800)] 
hostapd: Fix clearing up settings for color switch

Settings for color switch (struct cca_settings settings)
are used without zero clearing, which causes the member
settings->ubpr->unsol_bcast_probe_resp_interval
to be a random value. It is against the NLA policy of
NL80211_UNSOL_BCAST_PROBE_RESP_ATTR_INT and causes
BSS color switch failure.

Fixes: 654d2395dddf ("BSS coloring: Handling of collision events and triggering CCA")
Signed-off-by: Stone Zhang <quic_stonez@quicinc.com>
9 months ago
Shivani Baranwal [Wed, 3 Jul 2024 16:41:26 +0000 (22:11 +0530)] 
P2P2: Do not add WPS IE to join-a-group scan

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Wed, 3 Jul 2024 16:41:26 +0000 (22:11 +0530)] 
P2P2: Use PASN for joining a group

When joining a P2P2 group, use PASN negotiation instead of the older
design.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Wed, 3 Jul 2024 16:41:26 +0000 (22:11 +0530)] 
P2P2: Allow group to be added for P2P2 as autonomous GO

Add a "p2p2" parameter for P2P_GROUP_ADD to allow a group to be added
specifically for P2P2.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Add PMKSA entry on successful group formation

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Tue, 15 Oct 2024 06:13:14 +0000 (11:43 +0530)] 
P2P2: Fix to check if sae_password is present

Fix the check for whether sae_password is present. Instead of checking
the static array's address which is always going to be true, verify that
the string is not empty.

Fixes: cf30af7c2f23 ("P2P2: Start P2P Client appropriately for P2P2 group")
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Jouni Malinen [Wed, 23 Oct 2024 20:49:45 +0000 (23:49 +0300)] 
tests: Use pasn_data_deinit() in pasn-resp fuzzing tester

The fuzzing tester for PASN responder needs to use pasn_data_deinit() to
free allocated memory in struct pasn_data after recent changes of adding
more allocated items into the struct. Without this, fuzz testing will
cause false positives due to memory leaks.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Invitation using pairing verification

Add support for P2P2 pairing verification using invitation.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Do not override peer_addr from BSSID in pairing verification

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Indicate P2P2 group in GO parameters

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Set up PMKSA for pairing verification

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Export p2p_build_inviation_req()

This will be needed for P2P2 invitation/pairing verification outside the
p2p_invitation.c file.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Do not add WSC IE for P2P2 Invitation Request

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Fetch PMK and PMKID for invitation using pairing verification

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Stop invitation process before sending out Invitation Request

This is needed for the P2P2 case of invitation using pairing validation.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Mon, 1 Jul 2024 19:11:48 +0000 (00:41 +0530)] 
P2P2: Indication on whether P2P2 is used with P2P_INVITE

Add a new parameter "p2p2" to the P2P_INVITE control interface
command. This can be used to indicate that the operation is for a P2P2
group.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Wed, 26 Jun 2024 21:24:59 +0000 (02:54 +0530)] 
P2P2: Parameter setting for testing purpose

Add support to configure following parameters using the P2P_SET command
for testing purposes:

    P2P_SET pasn_type <u8>
    - Bitmap of supported PASN types

    P2P_SET supported_bootstrapmethods <u16>
    - Supported P2P bootstrapping methods

    P2P_SET pairing_setup <0/1>
    - Enable/disable P2P pairing setup

    P2P_SET pairing_cache <0/1>
    - Enable/disable P2P pairing cache for verification

    P2P_SET pairing_verification <0/1>
    - Enable/disable P2P pairing verification with cached NIK/NPK

    P2P_SET comeback_after <u16>
    - Bootstrap request for unauthorized peer is asked to come back after
      this many TUs.

    P2P_SET reginfo <u8>
    - Regulatory info encoding for operation in 6 GHz band

    P2P_SET twt_power_mgmt <0/1>
    - Enable TWT based power management for P2P

As these parameters could be varying based on the test requirement these
should not be set in the wpa_supplicant configuration while testing.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Enable GCMP-256 as a pairwise cipher

Add GCMP-256 as a pairwise cipher based on PASN type during pairing.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Clone P2P2 and bootstrapping state to group interfaces

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Start P2P Client appropriately for P2P2 group

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Add P2P2 IE for groups using P2P2

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Start GO with suitable parameters for P2P2

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Indicate SAE password and PMK from pairing with GO negotiation

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 20:45:07 +0000 (23:45 +0300)] 
P2P: Clear GO negotiation results from stack after use

struct p2p_go_neg_results contains private keys, so clear it from stack
explicitly to avoid leaving any unnecessary copies of keys in memory.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 22:12:08 +0000 (03:42 +0530)] 
P2P2: Select PMKSA based on P2P Device Address and PMKID match

Extend GO (AP) PMKSA selection to use P2P Device Address when searching
for a matching PMKSA.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Function callbacks for PASN

Add function callbacks for PASN through P2P to handle cases where direct
calls from PASN to P2P are not viable.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Add a SAE password in PASN Encrypted Data element

This is added for opportunistic bootstrapping cases. In addition,
generate a random SAE password for pairing when needed, i.e., when the
request is not for an existing GO.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Parse and store peer's SAE password

Store the peer's password during group formation after opportunistic
PASN authentication or while joining an existing group.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Parser function for PASN Encrypted Data element and DevIK

Parse the encrypted P2P2 IE from PASN authentication frames and store a
copy of DevIK information so that this is available for use if the
connection succeeds for a persistent group.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
9 months ago
Jouni Malinen [Sun, 13 Oct 2024 17:39:30 +0000 (20:39 +0300)] 
tests: Fix fuzzing tester build

The new pasn_common.c needs to be included in PASN fuzzing testers.

Fixes: e15242565794 ("PASN: Routines for generating and processing encrypted data")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 14:44:01 +0000 (17:44 +0300)] 
tests: sigma_dut and all AKM suites for EAP

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 08:57:34 +0000 (11:57 +0300)] 
tests: FILS with RSNXE

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 09:10:21 +0000 (12:10 +0300)] 
FILS: Verify RSNXE when processing (Re)Association Response frame

IEEE Std 802.11ai-2016 did not cover this since the RSNXE did not exist
at the time FILS was designed and IEEE Std 802.11-2020 did not seem to
catch this case either. However, the AP's RSNXE should be verified in
FILS in a similar manner to how the AP's RSNE is verified.

Add code to verify the RSNXE in FILS. However, since this has not been
clear in the standard and there have been hostapd releases that might
omit the RSNXE from (Re)Association Response frame when the STA does not
include the RSNXE in (Re)Association Request frame, do not reject
association based on this comparison result if the STA did not include
an RSNXE in the (Re)Association Request frame. This workaround might be
removed in the future.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 08:53:29 +0000 (11:53 +0300)] 
RSNO: Omit RSNXE in (Re)Association Response frame like in Beacon frame

When rsn_override_omit_rsnxe=1 is used to omit the RSNXE from Beacon and
Probe Response frames, it should also be omitted from (Re)Association
Response frames since there is a general expectation on the RSNXE being
used consistently between these frames. This is unlikely to have much of
a difference for most use cases in practice, but this could impact FILS
association if the non-AP STA were to confirm that the unprotected and
protected version of the RSNXE from the AP were identical.

Fixes: 8b2ddfdbb688 ("RSNO: Allow RSNXE to be omitted")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 08:29:01 +0000 (11:29 +0300)] 
FT: Omit RSNXE from Reassociation Response frame only with FT protocol

The special case for having to omit the RSNXE from Reassociation
Response frames applies only for FT protocol. This was incorrectly
applied to all cases where the (Re)Association Request frame did not
include an RSNXE. This should not have changed behavior for the FT initial
mobility domain association or any non-FT association.

Fix the conditions for omitting the RSNXE to apply only when actually
going through FT protocol. While this does not really have much, if any,
impact to most cases since non-AP STAs that do not include the RSNXE in
Association Request frame are unlikely to do anything with this element
(or its omission), this could have significant impact to FILS
authentication. The current IEEE 802.11 standard does not actually say
anything about validating the RSNXE in FILS (Re)Association Response
frame, but it should really be verified in the same manner as the RSNE
is (i.e., compared against the RSNXE in the Beacon frame) and that
should happen even if the non-AP STA does not include the RSNXE.

Fixes: b7366a942a58 ("FT: Omit RSNXE from FT protocol Reassociation Response when needed")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Thu, 10 Oct 2024 08:16:30 +0000 (11:16 +0300)] 
tests: SAE PWE derivation with both options

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Wed, 9 Oct 2024 17:05:32 +0000 (20:05 +0300)] 
AP: Use helper functions in ap_sta_disconnect()

There is a long history with ap_sta_disconnect() being added as the
handler for Disconnect operation from the RSN Authenticator state
machine and then evolving over years with
ap_sta_deauthenticate/disassociate() doing very similar operations, but
not exactly identical. This mess should really be cleaned up since many
of the differences are unlikely to be on purpose. As a step towards
that, use shared helper functions to make these functions avoid
duplicated implementation for the clearly common parts.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Jouni Malinen [Wed, 9 Oct 2024 16:46:23 +0000 (19:46 +0300)] 
AP: Clean up MLD changes that modified skipping DMG deauthentication

Commit 05e5e615e6a2 ("AP: Skip authentication/deauthentication phase for
DMG/IEEE 802.11ad") added the check for DMG in the beginning of
ap_sta_deauthenticate() to convert that call to ap_sta_disassociate()
since deauthentication is not used in DMG. Commit c6f519ff15b2 ("AP:
Support deauthenticate/disassociate with MLD") ended up moving this DMG
check into the ap_sta_handle_deauthenticate() function that gets called
once for each link. This is confusing even though DMG is not really used
in MLD.

Move the DMG check back to the beginning of ap_sta_deauthenticate() to
make this clearer.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
9 months ago
Sunil Ravi [Fri, 20 Sep 2024 19:24:55 +0000 (19:24 +0000)] 
Avoid memcmp() with NULL pointer even if for zero length

Explicitly check for last_ssid->ssid to be set in wpa_bss_flush_by_age()
before using memcmp() to compare the SSID against the one in the BSS
entry. This is not really expected to do any real comparison here since
the case where last_ssid->ssid is NULL implies bss->ssid_len to be 0.
Anyway, avoid the unexpected memcmp(ptr, NULL, 0) call in such a case to
avoid issues with C libraries that might prevent such as unexpected
behavior.

Signed-off-by: Sunil Ravi <sunilravi@google.com>
9 months ago
Aditya Kumar Singh [Tue, 27 Aug 2024 05:27:49 +0000 (10:57 +0530)] 
tests: Mesh EHT 320 test case

Add a simple mesh test case for EHT 6 GHz/320 MHz operation.

And now since 9 is a possible value for max_oper_chwidth, modify test
case wpas_config_range_check as well.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
9 months ago
Aditya Kumar Singh [Tue, 27 Aug 2024 05:27:48 +0000 (10:57 +0530)] 
wpa_supplicant: 320 MHz bandwidth support for mesh

Mesh supported a maximum operational channel width of up to 160 or 80+80
MHz. Extend this to support a maximum operational channel width of up to
320 MHz.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
9 months ago
Balamurugan Ramar [Wed, 28 Aug 2024 11:26:36 +0000 (16:56 +0530)] 
AP MLD: Allow link ID to be specified for Action frame TX operations

The Action frame sent by hostapd currently lacks a link ID, causing the
driver to independently determine the link ID based on available data.
This can sometimes result in the driver selecting an unintended link for
the Action frame transmission. To address this, add support to allow
hostapd to send the link ID along with Action frames to the driver.

This commit introduces only the function arguments to allow the link ID
to be provided.  A subsequent commit will fill the link ID based on the
required conditions.

Signed-off-by: Balamurugan Ramar <quic_bramar@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
9 months ago
Aditya Kumar Singh [Fri, 6 Sep 2024 13:23:57 +0000 (18:53 +0530)] 
nl80211: Handle radar event properly during MLO

Currently, the driver while sending an NL80211_CMD_RADAR_DETECT command
does not send a link ID at all. Hence the condition on whether the link
ID is passed is not required. At the same time, for certain commands,
if_idx will not be given and hence the event will be routed to the drv's
first BSS only which might not have any 5 GHz link. Hence there is need
to refactor the logic for such cases and identify the intended BSS
properly and then pass the event to it.

Hence,
  * identify the link ID based on the freq info present in the event.
  * identify the correct BSS to which the event should be routed in case
    the event comes without any if_idx.
  * check for the underlying link even when the link is not operating on
    the same frequency for events like NL80211_RADAR_NOP_FINISHED.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
9 months ago
Aditya Kumar Singh [Fri, 6 Sep 2024 13:23:56 +0000 (18:53 +0530)] 
nl80211: Send link ID when starting CAC for radar detection

For MLO, link ID needs to be sent along with the nl80211 command to
start CAC for radar detection. Pass the link ID if operating as an AP
MLD.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
10 months ago
Jouni Malinen [Wed, 2 Oct 2024 21:52:19 +0000 (00:52 +0300)] 
wlantest: Avoid compiler warnings on printing out u64 in 32-bit builds

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago
Ajith C [Wed, 21 Aug 2024 04:09:01 +0000 (09:39 +0530)] 
hostapd: Fix clearing old BSS during config reload

After a configuration reload, stations that were previously associated
with the AP could have failed to reconnect under the new configuration.

This issue arises because the new configuration is assigned to the
interface’s configuration pointer too early. The old configuration needs
to remain in the pointer until all existing stations are cleared.

Resolve this issue by assigning the new configuration only after all
existing stations have been cleared.

Fixes: b37c3fbad4a4 ("hostapd: Add config_id parameter")
Signed-off-by: Ajith C <quic_ajithc@quicinc.com>
10 months ago
Adil Saeed Musthafa [Thu, 19 Sep 2024 17:16:02 +0000 (10:16 -0700)] 
Remove unused arguments in ieee802_11_parse_link_assoc_req()

The unparsed buffer of all IEs was not actually used at all in
ieee802_11_parse_link_assoc_req().

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
10 months ago
Aditya Kumar Singh [Sat, 7 Sep 2024 04:08:00 +0000 (09:38 +0530)] 
scan: Pass correct link ID in all cases

In hostapd, when a scan was initiated, the link ID parameter was not
populated in all scenarios, such as ACS. Additionally, each caller of
hostapd_driver_scan() provided the link ID. However, since
hostapd_driver_scan() has access to the hapd pointer, it can populate
the link ID itself.

And from wpa_supplicant, link ID was passed as 0 which does not seem to
be correct. Fix that as well.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
10 months ago
Ashish Kumar Dhanotiya [Tue, 24 Sep 2024 10:25:17 +0000 (15:55 +0530)] 
Add a QCA vendor event to indicate status of the idle shutdown

If there are no active Wi-Fi interfaces for a certain duration, the host
driver triggers idle shutdown. Add a new vendor event
QCA_NL80211_VENDOR_SUBCMD_IDLE_SHUTDOWN to indicate to user space when the
idle shutdown is started or completed.

This uses attributes defined in enum qca_wlan_vendor_attr_idle_shutdown.

Signed-off-by: Ashish Kumar Dhanotiya <quic_adhanoti@quicinc.com>
10 months ago
Veerendranath Jakkam [Thu, 26 Sep 2024 10:12:37 +0000 (15:42 +0530)] 
Update documentation of the QCA vendor ACS channel list attributes

Add more detailed documentation for QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST
and QCA_WLAN_VENDOR_ATTR_ACS_FREQ_LIST attributes on how the specified
channel list information is used by the driver during the ACS function.

The specified channel list represents the allowed channels for the
primary and non-primary channel operations. If any channel is not
present in the allowed channel list it shouldn't be used as a primary or
non-primary channel.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
10 months ago
Jouni Malinen [Wed, 2 Oct 2024 17:01:22 +0000 (20:01 +0300)] 
wlantest: Fix BIP replay protection check

IPN/BIPN are encoded using little endian byte order, so memcmp() cannot
be used to check the validity of a received IPN/BIPN. Fix this by
converting IPN/BIPN into an integer in host byte order for processing.

Fixes: bacc31286cd1 ("wlantest: Validate MMIE MIC")
Fixes: faf6894f35f6 ("wlantest: BIGTK fetching and Beacon protection validation")
Fixes: 2e4c34691b73 ("wlantest: Add support for protecting injected broadcast frames")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
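
Why memcmp() gives the wrong answer on a little-endian counter, shown as an added example that is not wlantest code: the function names and the two 6-octet sample counters are constructed for illustration. A byte-wise compare looks at the least significant octet first, so it can both flag a fresh frame and accept a replayed one.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPN_LEN 6 /* IPN/BIPN is a 48-bit counter carried in 6 octets */

/* Byte-wise check: compares the least significant octet first, so the
 * result does not follow the numeric order of the counters. */
static int is_replay_memcmp(const uint8_t *rx, const uint8_t *last)
{
	return memcmp(rx, last, IPN_LEN) <= 0;
}

/* Convert the little-endian octets to an integer in host byte order. */
static uint64_t ipn_to_host(const uint8_t *ipn)
{
	uint64_t v = 0;
	int i;

	for (i = IPN_LEN - 1; i >= 0; i--)
		v = (v << 8) | ipn[i];
	return v;
}

/* Numeric check: a frame is a replay when its counter is not larger
 * than the last accepted one. */
static int is_replay(const uint8_t *rx, const uint8_t *last)
{
	return ipn_to_host(rx) <= ipn_to_host(last);
}

/* Constructed sample counters: 0x01ff and 0x0200 as sent on the air. */
static const uint8_t ipn_01ff[IPN_LEN] = { 0xff, 0x01, 0, 0, 0, 0 };
static const uint8_t ipn_0200[IPN_LEN] = { 0x00, 0x02, 0, 0, 0, 0 };

/* Fresh frame: last accepted 0x01ff, received 0x0200. */
int fresh_flagged_by_memcmp(void)
{
	return is_replay_memcmp(ipn_0200, ipn_01ff);
}

int fresh_flagged_by_numeric(void)
{
	return is_replay(ipn_0200, ipn_01ff);
}

/* Replayed frame: last accepted 0x0200, received 0x01ff. */
int replay_caught_by_memcmp(void)
{
	return is_replay_memcmp(ipn_01ff, ipn_0200);
}

int replay_caught_by_numeric(void)
{
	return is_replay(ipn_01ff, ipn_0200);
}

int main(void)
{
	printf("fresh frame flagged:  memcmp=%d numeric=%d\n",
	       fresh_flagged_by_memcmp(), fresh_flagged_by_numeric());
	printf("replay frame caught:  memcmp=%d numeric=%d\n",
	       replay_caught_by_memcmp(), replay_caught_by_numeric());
	return 0;
}
```
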
10 months ago
Jouni Malinen [Fri, 27 Sep 2024 20:02:26 +0000 (23:02 +0300)] 
tests: FT with RSNXE only from STA

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago
Jouni Malinen [Fri, 27 Sep 2024 19:59:22 +0000 (22:59 +0300)] 
FT: Do not omit RSNXE from FT initial mobility domain association

The special case for having to omit the RSNXE from Reassociation Request
frames applies only for FT protocol. This was incorrectly applied to all
cases using FT, i.e., both the initial mobility domain association and
FT protocol. This should not have changed behavior for the initial
mobility domain association regardless of whether Association Request
frame or Reassociation Request frame is used.

Fix the conditions for omitting the RSNXE to apply only when actually
going through FT protocol.

Fixes: 6140cca8191e ("FT: Omit RSNXE from FT protocol Reassociation Request when needed")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago
Jouni Malinen [Fri, 27 Sep 2024 19:40:05 +0000 (22:40 +0300)] 
SAE: Allow network profile sae_pwe to be configured

This was supposed to be exposed in wpa_supplicant network profile for
configuration instead of just internal use.

Fixes: 5fb90cf3fa96 ("SAE: Use sae_pwe in network profile for STA mode")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: PASN Authentication frame TX status handling

Handle PASN Authentication frame TX status in cases where this is for
the P2P2 specific use of PASN.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago P2P2: Initiate PASN on bootstrapping completion
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Initiate PASN on bootstrapping completion

Start PASN to complete pairing.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago P2P2: Add support for GO Negotiation wrapped in PASN auth frame
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Add support for GO Negotiation wrapped in PASN auth frame

Add P2P2 support for GO Negotiation wrapped in PASN authentication
frames as an Action wrapper attribute.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago PASN: Store PASN authentication frames 1 and 2
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
PASN: Store PASN authentication frames 1 and 2

These are needed for P2P2 support.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago PASN: Extend maximum buffer length in 3rd auth frame
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
PASN: Extend maximum buffer length in 3rd auth frame

This can be longer than 255 octets, so u8 is not sufficient.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago PASN: Routines for generating and processing encrypted data
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
PASN: Routines for generating and processing encrypted data

This adds functions to use the PASN Encrypted Data element based on the
definition in IEEE P802.11bh/D6.0.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago P2P2: Set DevIK expiration time to 24 hours
Shivani Baranwal [Sun, 4 Aug 2024 21:13:59 +0000 (02:43 +0530)] 
P2P2: Set DevIK expiration time to 24 hours

Add a location for storing expiration time for DevIK. For now, this is
hardcoded to 24 hours and the value will be used in a subsequent commit
to construct the indication to the peer.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago SAE: Use sae_pwe in network profile for STA mode
Jouni Malinen [Thu, 26 Sep 2024 20:19:54 +0000 (23:19 +0300)] 
SAE: Use sae_pwe in network profile for STA mode

Commit 891bb1305bbd ("P2P: Enforce SAE-H2E for P2P GO in 6 GHz")
introduced a network profile specific sae_pwe to avoid having to change
the global sae_pwe parameter. However, this was enabled only for AP/P2P
GO mode. Extend that to cover STA mode as well.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago tests: WPA2-PSK AP and TKIP as a group cipher, but not pairwise
Jouni Malinen [Thu, 26 Sep 2024 08:49:30 +0000 (11:49 +0300)] 
tests: WPA2-PSK AP and TKIP as a group cipher, but not pairwise

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago SAE: Extend Basic MLE Recognition to external auth case
Hu Wang [Fri, 20 Sep 2024 01:58:18 +0000 (18:58 -0700)] 
SAE: Extend Basic MLE Recognition to external auth case

This commit extends ccba6921de63 ("SAE: Recognize Basic MLE in
Authentication frames even without H2E") to cover external auth case.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago Extend EAPOL frames processing workaround for reassociation to same AP
Kavita Kavita [Wed, 24 Jul 2024 12:23:06 +0000 (17:53 +0530)] 
Extend EAPOL frames processing workaround for reassociation to same AP

With commit 3ab35a660364 ("Extend EAPOL frames processing workaround for
roaming cases") wpa_supplicant postpones EAPOL frame processing till
roam indication from the driver when the source address of EAPOL frame
does not match the current BSSID/AP MLD MAC address.

However, this does not handle the cases in which STA tries to
reassociate with the current AP. When STA tries to reassociate with the
current AP, the source address of the EAPOL frame will be same as the
current BSSID. So, wpa_supplicant does not postpone the EAPOL frame from
the current connected AP since AP might have sent the EAPOL frame for
PTK rekey.

To address this issue, add additional support for reassociating to the
same AP case. Check if replay counter value of the new EAPOL frame is
greater than the replay counter of the last EAPOL frame, and if the new
EAPOL frame replay counter is less, postpone the new EAPOL frame
processing until roam indication from the driver.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago STA: Update driver roaming policy on connection completion
Purushottam Kushwaha [Fri, 23 Aug 2024 13:23:08 +0000 (18:53 +0530)] 
STA: Update driver roaming policy on connection completion

When the network profile is configured with BSSID before connection,
roaming policy in the driver (for driver-based BSS selection) doesn't
get updated if the same BSSID is configured after connection. Update
roaming policy to the driver on connection completion to cover this
case.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
10 months ago Add QCA vendor command to fetch offload scan data from firmware
Veerendranath Jakkam [Tue, 17 Sep 2024 05:13:28 +0000 (10:43 +0530)] 
Add QCA vendor command to fetch offload scan data from firmware

Add a new QCA vendor command
QCA_NL80211_VENDOR_SUBCMD_GET_FW_SCAN_REPORT to fetch scan data stored
by firmware during offload scans.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
10 months ago tests: sigma_dut controlled SAE association and random RSNXE
Jouni Malinen [Thu, 19 Sep 2024 10:40:03 +0000 (13:40 +0300)] 
tests: sigma_dut controlled SAE association and random RSNXE

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago tests: SAE with EAPOL-Key msg 2/4 Key Info field reserved bits set
Jouni Malinen [Thu, 19 Sep 2024 10:35:06 +0000 (13:35 +0300)] 
tests: SAE with EAPOL-Key msg 2/4 Key Info field reserved bits set

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago Add TEST_RSNXE_DATA for RSNXE testing of AP functionality
Veerendranath Jakkam [Mon, 9 Sep 2024 20:01:28 +0000 (01:31 +0530)] 
Add TEST_RSNXE_DATA for RSNXE testing of AP functionality

Add support to set test data in the default RSNXE with wpa_supplicant
control interface command "TEST_RSNXE_DATA <data hexdump> <mask
hexdump>". This can be used to do protocol testing of AP side processing
of RSNXE.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
10 months ago Allow forced enabling of EAPOL-Key msg 2/4 key info bits for testing
Veerendranath Jakkam [Tue, 10 Sep 2024 21:36:15 +0000 (03:06 +0530)] 
Allow forced enabling of EAPOL-Key msg 2/4 key info bits for testing

This can be used to increase AP testing coverage for different 4-way
handshake behavior.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
10 months ago QCA vendor interface to exclude 6 GHz non-PSC channels as primary channel in ACS
Veerendranath Jakkam [Tue, 17 Sep 2024 09:15:19 +0000 (14:45 +0530)] 
QCA vendor interface to exclude 6 GHz non-PSC channels as primary channel in ACS

Add support to exclude 6 GHz non-PSC channels as primary channel with
QCA_NL80211_VENDOR_SUBCMD_DO_ACS.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
10 months ago Add QCA vendor status for TWT termination due to multiple MLO links activated
Veerendranath Jakkam [Wed, 11 Sep 2024 19:21:19 +0000 (00:51 +0530)] 
Add QCA vendor status for TWT termination due to multiple MLO links activated

Add a new status value
QCA_WLAN_VENDOR_TWT_STATUS_MULTIPLE_LINKS_ACTIVE_TERMINATE to indicate
the TWT session termination due to more than one MLO link being in
active state.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
10 months ago Fix STA's SSID protection capability when AP SME is offloaded to driver
Shreyat Pandey [Mon, 16 Sep 2024 09:43:05 +0000 (15:13 +0530)] 
Fix STA's SSID protection capability when AP SME is offloaded to driver

Correctly set STA's SSID protection capability to STA's wpa_sm for AP
SME offload to the driver case when processing association events.

Signed-off-by: Shreyat Pandey <quic_shrepand@quicinc.com>
10 months ago tests: D-Bus interface for NAN USD
Jouni Malinen [Sat, 14 Sep 2024 15:24:24 +0000 (18:24 +0300)] 
tests: D-Bus interface for NAN USD

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago dbus: Methods for NAN USD
Lo,Chin-Ran [Mon, 15 Jul 2024 06:01:11 +0000 (14:01 +0800)] 
dbus: Methods for NAN USD

USD had control interface commands and events defined for it. Extend
this by providing similar USD methods through the dbus control
interface.

Signed-off-by: Lo,Chin-Ran <chin-ran.lo@nxp.com>
10 months ago dbus: Signals for NAN USD
Lo,Chin-Ran [Mon, 15 Jul 2024 06:01:11 +0000 (14:01 +0800)] 
dbus: Signals for NAN USD

USD had control interface events defined for it. Extend this by
providing similar USD signals through the dbus control interface.

Signed-off-by: Lo,Chin-Ran <chin-ran.lo@nxp.com>
10 months ago dbus: Dict helpers for fetching integers of any type
Jouni Malinen [Sun, 15 Sep 2024 08:59:24 +0000 (11:59 +0300)] 
dbus: Dict helpers for fetching integers of any type

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago NAN: Fix UpdatePublish offload to driver
Jouni Malinen [Sat, 14 Sep 2024 11:11:40 +0000 (14:11 +0300)] 
NAN: Fix UpdatePublish offload to driver

This was supposed to call wpa_drv_nan_update_publish() instead of
wpa_drv_nan_cancel_publish().

Fixes: 633e969311ed ("NAN: Option to offload NAN DE for USD into the driver")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago NAN: Handle A3 copying internally to simplify control interface
Jouni Malinen [Sat, 14 Sep 2024 09:54:04 +0000 (12:54 +0300)] 
NAN: Handle A3 copying internally to simplify control interface

There is no need to copy the A3 value for follow-up frames through the
control interface events and commands since it can be handled internally
in the service with sufficient accuracy. More parallel operations with
multiple peers might need per-peer information, but that can be extended
in the future, if that level of complexity is really needed in practice.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago Revert "tests: Copy A3 into NAN SDF Follow-up"
Jouni Malinen [Sat, 14 Sep 2024 10:04:14 +0000 (13:04 +0300)] 
Revert "tests: Copy A3 into NAN SDF Follow-up"

This reverts commit 81322fa43d1d ("tests: Copy A3 into NAN SDF
Follow-up") to allow simplification of the control interface by removing
the external A3 copying.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago tests: Copy A3 into NAN SDF Follow-up
Jouni Malinen [Fri, 13 Sep 2024 18:58:29 +0000 (21:58 +0300)] 
tests: Copy A3 into NAN SDF Follow-up

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago NAN: Update A3 for USD to use NAN Network ID or NAN Cluster ID in A3
Jouni Malinen [Fri, 13 Sep 2024 18:58:51 +0000 (21:58 +0300)] 
NAN: Update A3 for USD to use NAN Network ID or NAN Cluster ID in A3

Wi-Fi Aware spec v4.0 was not clear on all cases and used a bit unclear
definition of A3 use in Table 5 (Address field definition for NAN SDF
frames in USD). That resulted in the initial implementation using
Wildcard BSSID to comply with the IEEE 802.11 rules on Public Action
frame addressing.

For USD to have chances of working with synchronized NAN devices, A3
needs to be set to the NAN Cluster ID when replying to a frame received
from a synchronized NAN device. While there is no cluster ID for USD,
this can be done by copying the A3 from the received frame. For the
cases where sending out an unsolicited multicast frame, the NAN Network
ID should be used instead of the Wildcard BSSID.

While this behavior is not strictly speaking compliant with the IEEE
802.11 standard, this is the expected behavior for NAN devices, so
update the USD implementation to match.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago hostapd: Add drv_send_action variant for forcing A3
Jouni Malinen [Fri, 13 Sep 2024 18:58:51 +0000 (21:58 +0300)] 
hostapd: Add drv_send_action variant for forcing A3

This is needed for cases that are not compliant with the IEEE 802.11
standard rules for Public Action frame addressing. For example, NAN USD
needs this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago NAN: Process received NAN SDFs with NAN Network ID in A3 on AP
Jouni Malinen [Fri, 13 Sep 2024 18:58:51 +0000 (21:58 +0300)] 
NAN: Process received NAN SDFs with NAN Network ID in A3 on AP

hostapd did not accept NAN SDFs that used NAN Network ID instead of
Wildcard BSSID in A3. Extend this to process NAN Network ID just like
Wildcard BSSID for these frames to allow the specific group address to
be used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago SAE: Recognize Basic MLE in Authentication frames even without H2E
Jouni Malinen [Fri, 13 Sep 2024 00:15:31 +0000 (03:15 +0300)] 
SAE: Recognize Basic MLE in Authentication frames even without H2E

IEEE P802.11be requires H2E to be used whenever SAE is used for ML
association. However, some early Wi-Fi 7 APs enable MLO without H2E.
Recognize this special case based on the fixed length Basic Multi-Link
element being at the end of the data that would contain the unknown
variable length Anti-Clogging Token field. The Basic Multi-Link element
in Authentication frames includes the MLD MAC address in the Common Info
field and all subfields of the Presence Bitmap subfield of the
Multi-Link Control field of the element zero and consequently, has a
fixed length of 12 octets.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
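
The tail check described in the commit message above, as an added C example that is not hostap's own code. The function name and the sample bytes are hypothetical; the Element ID (255), Element ID Extension (107), Length (10) and Common Info Length (7) values are the IEEE 802.11 encodings assumed for a 12-octet Basic Multi-Link element.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_EXTENSION      255 /* Element ID: Extension */
#define EID_EXT_MULTI_LINK 107 /* Element ID Extension: Multi-Link */
#define BASIC_MLE_LEN      12  /* fixed length stated in the commit message */
#define ETH_ALEN           6

/* Constructed sample: 4-octet token followed by a 12-octet Basic MLE */
static const uint8_t sample_with_mle[] = {
	0xde, 0xad, 0xbe, 0xef,
	255, 10, 107, 0x00, 0x00, 7,
	0x02, 0x00, 0x00, 0x00, 0x01, 0x00
};

/* data/len: the octets that would hold the Anti-Clogging Token when H2E is
 * not used. Returns the token length (octets before a trailing Basic MLE)
 * and copies out the MLD MAC address, or -1 if no Basic MLE is at the end.
 * This is a heuristic: a token could end in the same 12-octet pattern. */
static int split_trailing_basic_mle(const uint8_t *data, size_t len,
				    uint8_t mld_addr[ETH_ALEN])
{
	const uint8_t *mle;

	if (!data || len < BASIC_MLE_LEN)
		return -1;
	mle = data + len - BASIC_MLE_LEN;

	/* Element ID, Length (octets after the Length field), ID Extension */
	if (mle[0] != EID_EXTENSION || mle[1] != BASIC_MLE_LEN - 2 ||
	    mle[2] != EID_EXT_MULTI_LINK)
		return -1;
	/* Multi-Link Control: Type 0 (Basic) and an all-zero Presence Bitmap
	 * (reserved bit also expected to be zero), so both octets are 0 */
	if (mle[3] != 0 || mle[4] != 0)
		return -1;
	/* Common Info Length covers itself plus the MLD MAC Address */
	if (mle[5] != 1 + ETH_ALEN)
		return -1;

	memcpy(mld_addr, &mle[6], ETH_ALEN);
	return (int) (len - BASIC_MLE_LEN);
}

int main(void)
{
	uint8_t addr[ETH_ALEN];

	/* Expect the 4-octet token to be split from the trailing element */
	return split_trailing_basic_mle(sample_with_mle,
					sizeof(sample_with_mle), addr) == 4 ? 0 : 1;
}
```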
10 months ago FT: Discard EAPOL-Start frames when FT was used for association
Jouni Malinen [Thu, 12 Sep 2024 19:26:24 +0000 (22:26 +0300)] 
FT: Discard EAPOL-Start frames when FT was used for association

When FT is used, reauthentication to generate a new PMK-R0 would be
complicated since the current AP might not be the one with which the
currently used PMK-R0 was generated. IEEE Std 802.11-2020, 13.4.2 (FT
initial mobility domain association in an RSN) mandates STA to perform a
new FT initial mobility domain association whenever its Supplicant would
trigger sending of an EAPOL-Start frame.

Discard received EAPOL-Start frames from STAs that use FT to avoid
unexpected behavior. This is important in particular if a driver were to
allow unprotected EAPOL-Start frames to be processed when TK has been
configured.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago nl80211: Remove nl_msg free on send failure for NAN USD commands
Shivani Baranwal [Thu, 12 Sep 2024 12:19:03 +0000 (17:49 +0530)] 
nl80211: Remove nl_msg free on send failure for NAN USD commands

Remove nl_msg_free() after send failure for NAN USD commands. Freeing
the nl_msg is already taken care of as part of send_and_recv_cmd() for both
success and failure cases.

Fixes: 58f04221fdef ("nl80211: NAN USD commands for offloading")
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
10 months ago PASN: Fix pasn-resp fuzzing tester build
Jouni Malinen [Thu, 12 Sep 2024 18:33:30 +0000 (21:33 +0300)] 
PASN: Fix pasn-resp fuzzing tester build

The recently added calls to src/ap/pmksa_cache_auth.c need to be faked
to allow pasn-resp to be built without having to pull in multiple
additional files from src/ap.

Fixes: b7de417c8a47 ("PASN: Define PMKSA helper functions for initiator and responder")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
10 months ago PASN: Fix fuzzing tester compilation after function prototype change
Jouni Malinen [Thu, 12 Sep 2024 18:26:03 +0000 (21:26 +0300)] 
PASN: Fix fuzzing tester compilation after function prototype change

Addition of the new argument to handle_auth_pasn_1() forgot to update
testing code.

Fixes: 8f21cdf9d765 ("PASN: Add support to reject PASN auth 1 based on user input")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>