Jouni Malinen [Wed, 27 Mar 2024 18:35:25 +0000 (20:35 +0200)]
OpenSSL: Fix a memory leak in CMAC
The OpenSSL 3.0 (or newer) version of omac1_aes_vector() did not free
the EVP_MAC. This resulted in a memory leak that shows up in a bit
strange way in valgrind reports and because of that, was not caught
during automated testing.
Fixes: 0c61f6234fd2 ("OpenSSL: Implement CMAC using the EVP_MAC API") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Whenever ap_free_sta() was called, it deleted the whole station entry
from the kernel as well. However, with MLD stations, there is a
requirement to delete only the link station.
Add support to remove the link station alone from an MLD station. If the
link going to be removed is the association link, the whole station
entry will be removed.
When the first link BSS of an interface was de-initialized/disabled, the
whole MLD was brought down. All other links were stopped beaconing and
links were removed. And if the non-first link BSS was
de-initialized/disabled, nothing happened. Even beaconing was not
stopped which is wrong.
Fix this by properly bringing down the intended link alone from the
interface.
Previously, hostapd directly advertised the MLD capabilities received
from the driver. Since this information is exchanged during
initialization time only, the driver will advertise the maximum
supported values. hostapd should parse it and then based on the current
situation fill the values accordingly.
For example, the maximum number of simultaneous links is supposed to be
a value between 0 and 14, which is the number of affiliated APs minus 1.
The driver advertises this value as 5 and hostapd, irrespective of the
current active links, puts 5 in the frames.
Fix this by parsing the value from the driver capabilities and then
using the values as per the current situation of the links. The
advertised values will be used as the upper limit.
AP MLD: Refresh beacons for other links when one gets disabled/enabled
If one or more BSS from the interface is partnering with BSSs from
another interface and if this interface gets disabled, the Beacon frames
need to be refreshed for other interfaces. Similar thing should happen
when it gets enabled.
Add logic to refresh other interface Beacon frames when one of the
interfaces is disabled or enabled.
AP MLD: Support link removal before removing interface
Previously, whenever if_remove() was called, the whole interface was
deleted. In an AP MLD, all partner BSS use the same driver private
context and hence removing the interface when only one of the links goes
down should be avoided.
Add a helper function to remove a link first whenever if_remove() is
called. Later while handling it, if the number of active links goes to
0, if_remove() would be called to clean up the interface.
This helper function will be used later when co-hosted AP MLD support is
added and as well later during ML reconfiguration support.
nl80211: Remove AP MLD links while removing the interface
When the interface was removed, the added links were not removed. While
removing the interface, kernel has removed the stale links but hostapd
has not. This is wrong since hostapd should remove and do the clean ups
properly while removing the interface.
Hence, remove the links when interface is removed.
nl80211: Re-factor nl80211_remove_links() function
nl80211_remove_links() iterated over all active links in the given BSS
and removed all of them. However, at times it is required to remove only
one link and not all links.
Add a helper function nl80211_remove_link() which will remove just the
given link_id from the passed BSS. nl80211_remove_links() will use this
and will call this for each of the active links to be removed.
nl80211: Remove redundant put_freq call in set_ap() for AP MLD
wpa_driver_nl80211_set_ap() called nl80211_put_freq_params() twice if AP
is an AP MLD. It called once while putting the MLO link ID and the other
time in the normal flow if frequency info is present. Doing this twice
is not required.
Call put_freq once during the normal flow only and separately of that,
add the link ID for AP MLD.
Jouni Malinen [Wed, 27 Mar 2024 09:31:25 +0000 (11:31 +0200)]
nl80211: Fix set_ap() to add frequency without CONFIG_IEEE80211AX
This call was added within a conditional CONFIG_IEEE80211AX block even
though this can apply without that build option. Move this outside that
conditional block.
Fixes: b3921db426ea ("nl80211: Add frequency info in start AP command") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
nl80211: Cache hostapd_data context in per link BSS struct for AP MLD
Cache the corresponding hostapd_data struct context into the link entry
within the driver wrapper. This will be useful for driver events
callback processing.
AP MLD: Clean up MLD when not required any further
Currently, whenever a new BSS is created, if it is an EHT BSS it is tied
to a corresponding MLD structure. If the structure does not exist
already, a new one is created and tied to it. Accordingly, the link ID
is assigned as well. However, when the BSS is deleted, the MLD structure
is not freed and when it is again created the next time, the link ID is
incremented further and the BSS gets a wrong link ID.
For example, 2.4 GHz single link AP MLD case: First ADD, link ID 0 would
be assigned and MLD interface wlan0 would be created. When REMOVE is
issued, the BSS would be deleted but MLD wlan0 will not. When ADD is
issued again, the BSS will tie back to MLD wlan0 but this time the link
ID will be incremented again and 1 would be assigned. Hence, at
subsequent REMOVE/ADD, the link ID keeps on incrementing.
Since the link ID remains same for the full lifetime of the BSS and MLD,
the next link ID counter cannot be just reset back to 0 when a BSS is
deleted. Otherwise, in interleaved link enable/disable case, the link ID
would be changed.
To overcome this situation, whenever a BSS is deleted, if the MLD is not
referenced by any other existing BSS, delete the MLD structure itself.
To know how many BSSs are referring a given MLD, introduce a new member
refcount in MLD. If the value is 0 it is safe to delete the MLD.
Link ID was assigned when BSS is going through setup and the driver
interface init. Later if interface is disabled and enabled again, setup
BSS is called which will give a new link ID to it. However, Link ID
should be same for a BSS affliated to an AP MLD for the full lifetime of
the BSS.
Hence, assign the link ID during BSS creation itself. And it will remain
until BSS entry is completely freed. Hence, link ID will not change as
part of disable/enable.
Also, since link ID would be decided now, it will help in creating link
level control sockets in a subsequent patch.
MLD level information like MLD MAC address, next link ID, etc. was
stored in each BSS. However, only the first link BSS assigns values to
these members and the other link BSSs store references to the first BSS.
However, if the first BSS is disabled, the first BSS reference in all
BSS should be updated which is an overhead. Also, this does not seem to
scale.
Instead, a separate MLD level structure can be maintained which can
store all this ML related information. All affiliated link BSSs can keep
reference to this MLD structure.
This commit adds that MLD level structure. However, assigning values to
it and using that instead of BSS level members will be done in
subsequent commits.
Sriram R [Wed, 6 Mar 2024 06:36:33 +0000 (12:06 +0530)]
hostapd: MLO: Avoid use of mld_id as user configuration
mld_id was provided as a user configuration to identify partner BSS
belonging to the same AP MLD. The same id is used at the protocol level
also to indicate the AP MLD ID of the MLD.
But, in general mld_id is a relative reference of the MLD where 0 is
used as the mld_id to represent the self MLD and in case of MLO MBSSID
mld_id of a non transmitted BSS affiliated to an AP MLD is based on the
relative BSS index of the non transmitted BSS from the transmitted BSS.
Hence mld_id need not be fetched from users, rather it can be identified
wherever required.
To verify if the partners belong to the same AP MLD the interface name
can be checked, since all link BSS partners of the same AP MLD belong to
the same interface.
Hence, remove use of mld_id user config and instead introduce two
functions hostapd_is_ml_partner() and hostapd_get_mld_id(). The former
is used to verify whether partners belong to the same AP MLD and the
latter is used to get the MLD ID of the BSS.
Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
nl80211: Fix potential NULL pointer dereference in set_ap()
In the code review, it was found that param->freq is accessed without
NULL check in wpa_driver_nl80211_set_ap(), while in other sections of
the code, freq is accessed only after NULL validation. This situation
could result in a segmentation fault at least in theory.
Add a NULL check for freq before accessing it to be consistent with the
other uses.
Fixes: 0c6c948047de ("nl80211: Support setting up an AP on a specified link") Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Chenming Huang [Wed, 13 Mar 2024 12:38:26 +0000 (18:08 +0530)]
nl80211: Fix AP MLD frequency update on channel switch
mlme_event() calls nl80211_get_link_id_by_freq() to determine the link
to handle reported events. However, in channel switch event it is always
setting freq to the default link that leads to the issue that all other
events that go to mlme_event() will be handled in the default link.
Fix this by setting freq to the correct link specified by the link ID
when processing the event for a completed channel switch.
Jouni Malinen [Sat, 23 Mar 2024 20:22:07 +0000 (22:22 +0200)]
tests: Make rrm_reassociation more robust
It was possible for this test case to fail if a previously executed test
case left another BSS entry for the BSSID used by the second AP here.
That could have skipped the needed scan with scan_for_bss(bssid2). Force
this command to run a new scan to discover the second AP correctly.
Nikita Chernikov [Mon, 11 Mar 2024 16:58:21 +0000 (18:58 +0200)]
nl80211: Fix sending NL80211_CMD_DEL_BEACON command to wrong interface
The NL80211_CMD_DEL_BEACON command was always sent to the main interface
of the radio instead of the desired BSS interface, e.g., when sending a
STOP_AP control interface command from upper layer.
Shailendra Singh [Fri, 23 Feb 2024 11:49:32 +0000 (17:19 +0530)]
Add a vendor attribute per MLO link ratemask bitmap configuration
Define attribute QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_LINK_ID in
enum qca_wlan_vendor_attr_ratemask_params to configure ratemask
per MLO link. If the attribute is not provided, ratemask will be
applied for setup link.
Add QCA vendor sub-command and attribute for spectral scan completion
Add a new QCA vendor sub-command
QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_COMPLETE which will be used as a
netlink event to indicate the completion of a spectral scan request.
This event can also be sent incase of the spectral scan request timeout.
To be able to configure the timeout the value, add a new vendor
attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_COMPLETION_TIMEOUT in
enum qca_wlan_vendor_attr_spectral_scan.
Add QCA vendor attribute indicating the spectral transport mode
Add a vendor attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_DATA_TRANSPORT_MODE
to indicate the current spectral data transport mechanism to be used to
get spectral scan samples from the driver to userspace.
Jouni Malinen [Wed, 20 Mar 2024 16:13:08 +0000 (18:13 +0200)]
tests: Clear scan cache for SAE-EXT-KEY tests
These test cases check the BSS entry information and if the kernel scan
cache maintains an old BSS entry for a previous test case for the same
BSSID this can result in a false failure.
Jouni Malinen [Wed, 20 Mar 2024 09:20:43 +0000 (11:20 +0200)]
Optimize internal BSS table updates based on a specific BSSID
When wpa_supplicant needed to update the internal BSS table with the
latest scan results from the driver, it fetched all BSSs and processed
them all. This is unnecessary for cases where an update is needed only
for a specific BSS. Optimize this by filtering out the unnecessary
entries from the results.
Jouni Malinen [Wed, 20 Mar 2024 09:08:16 +0000 (11:08 +0200)]
Update BSS entry on roaming only for actual BSS frequency change
Commit 117e812d06e6 ("Update BSS table entry if roaming event indicates
frequency change") added wpa_supplicant BSS table update based on the
latest driver scan results whenever processing an association event that
results in the current operating channel changing. While that is needed
to cover the case where an AP changes its own operating channel (and
that is noticed as a roam or new connection instead of a channel switch
event), this should not really be needed for cases where the
wpa_supplicant entry for the new BSS is already up to date.
Skip the full BSS table update on association event if the event is for
a roaming case to a different BSS and the BSS entry for the target is
already available and for the current operating channel. This avoids
undesired latency when processing the association event.
Manoj Sekar [Mon, 26 Feb 2024 12:59:13 +0000 (18:29 +0530)]
Multi-AP: WPS support for different Multi-AP profiles
Update EAP-WSC parameters to include Multi-AP profile info to pass the
profile information through the provisioning steps. This is needed for
provisioning the STA configuration when different profiles are used.
Manoj Sekar [Mon, 26 Feb 2024 12:56:38 +0000 (18:26 +0530)]
Multi-AP: Add support for VLAN related information
Add support to fill "multi_ap_vlanid" info to the hostapd config file.
Add the Multi-AP Default 802.1Q Setting subelement into Multi-AP element
generating and parsing.
Manoj Sekar [Mon, 26 Feb 2024 12:51:33 +0000 (18:21 +0530)]
Multi-AP: Add hostapd config option to disallow certain profiles
Add a new config option "multi_ap_client_disallow" to control allowing
backhaul STA with certain profiles alone to associate. This is done to
adhere to Wi-Fi EasyMesh specification which defined rules to
allow/disallow association of backhaul STA of certain profiles.
Manoj Sekar [Mon, 26 Feb 2024 12:48:21 +0000 (18:18 +0530)]
Multi-AP: Allow supported profile to be configured
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.
Jouni Malinen [Tue, 19 Mar 2024 14:44:00 +0000 (16:44 +0200)]
Multi-AP: Use proper length for remaining buffer for the element
Replace the hardcoded buffer length with the actually number of
remaining bytes on the buffer. This is needed to be able to do real
buffer size validation within add_multi_ap_ie().
Furthermore, make hostapd_eid_multi_ap() static since it is not used
outside this file.
Jouni Malinen [Sun, 17 Mar 2024 17:55:11 +0000 (19:55 +0200)]
tests: cfg80211_tx_frame: filter frames based on SA
This makes the test care less likely to fail due to another STA
happening to be listening for Public Action frames and replying to the
P2P GO Negotiation Request.
Jouni Malinen [Sun, 17 Mar 2024 13:20:26 +0000 (15:20 +0200)]
tests: Verify test case function documentation
Check that each test case function includes a title in __doc__ and also
verify that the same test case is not added multiple times from
different files.
Evan Benn [Mon, 4 Mar 2024 02:24:31 +0000 (13:24 +1100)]
DPP: Emit a DPP PB_STATUS event when push button starts
To implement an action script that listens for DPP push button events
and for example blinks a LED it is useful to know when push button has
started. Emit an event when push button starts.
Johannes Berg [Mon, 29 Jan 2024 18:26:39 +0000 (19:26 +0100)]
tests: Set valid configuration for EHT puncturing tests
When puncturing is used on EHT, the HT/VHT/HE channel configuration must
not encompass the punctured subchannel, so must use a lower bandwidth.
Change the puncturing tests accordingly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Fri, 8 Mar 2024 08:03:41 +0000 (10:03 +0200)]
Revert "tests: Remove eht_5ghz_80mhz_puncturing_override_1 for now"
This reverts commit eecaceed8f03cee676d47dd9fb70efd25d50e3e9. This test
case can now be restored since hostapd is modified to allow test cases
changes to be done to cover the special impact from EHT puncturing to
available HT/VHT/HE channel bandwidth in this particular case.
Jouni Malinen [Wed, 6 Mar 2024 20:38:09 +0000 (22:38 +0200)]
tests: Remove eht_5ghz_80mhz_puncturing_override_1 for now
mac80211 has been modified to reject the configuration that is used in
this test case. For now, remove this until the puncturing of the second
20 MHz segment can be handled in a manner that allows mac80211 STA to
use EHT.
Jouni Malinen [Wed, 6 Mar 2024 20:34:57 +0000 (22:34 +0200)]
EHT: Use eht_oper_puncturing_override when constructing VHT elements
The testing functionality for overriding EHT puncturing bitmap was
applied only for the EHT elements. The mac80211 has been updated to
enforce compartibility between EHT and HT/VHT information and that made
the related test cases fail. Apply the override value for VHT element
generation to avoid some of those issues.
Jouni Malinen [Wed, 6 Mar 2024 17:32:16 +0000 (19:32 +0200)]
tests: Do not drop HT capability on CS to avoid test failures
Leave the HT capability of the AP as-is when running channel switch test
cases that started failing with a recent kernel change that disconnects
on such "unexpected" change in AP capabilities.
Jouni Malinen [Wed, 6 Mar 2024 15:36:10 +0000 (17:36 +0200)]
tests: Fix fuzzing tester for WNM
Processing of WNM frames can results in a lookup of the current BSS
table. As such, the testing tool needs to initialize the BSS table to
avoid NULL pointer dereferences. This is not an issue that would show up
with real production uses with wpa_supplicant since wpa_bss_init() is
called there.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67244 Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 5 Mar 2024 15:02:45 +0000 (17:02 +0200)]
tests: Update Supported Operating Classes element validation
The wpa_supplicant implementation for building the Supported Operating
Classes element was modified to add support for 80 MHz and wider
bandwidth on the 6 GHz band, 2-octet operating classes, and freq_list on
the 6 GHz band. Update the test cases that verify exact encoding of this
information to match the implementation changes.
Jouni Malinen [Tue, 5 Mar 2024 15:01:30 +0000 (17:01 +0200)]
Handle 6 GHz channels in Supported Operating Classes with freq_list
Only the 2.4 and 5 GHz channels were handled previously when removing
operating classes from the Supported Operating Classes element based on
the freq_list parameter. Extend this to include the 6 GHz band as well.
Jouni Malinen [Tue, 5 Mar 2024 14:07:22 +0000 (16:07 +0200)]
2-octet operating classes in Support Operating Classes element
A previous workaround was used to move the special operating class 130
to the end of the Supported Operating Classes element to avoid getting
any following entry being ignored or misunderstood. That is not really
the correct way of encoding the special cases, i.e., 80+80 MHz channels
that use two nonadjacent frequency segments.
Add support for encoding the 80+80 MHz channel with the 2-octet
operating class design using the Operating Class Duple sequence field of
the Supported Operating Classes element instead of listing the operating
classes that have the 80+ behavior limit set indication in Table E-4
(i.e., opclass 130 and 135) as 1-octet operating classes in the
Operating Classes field.
Fixes: a92660a00e10 ("Work around Supported Operating Classes element issues for 6 GHz") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Ainy Kumari [Thu, 22 Feb 2024 04:02:04 +0000 (09:32 +0530)]
Extend support for the 6 GHz operating class 137 (320 MHz)
Commit 085a3fc76e6b ("EHT: Add 320 channel width support") added this in
various places, but it did not cover everything. Extend this support to
be more complete. In particular, this allows wpa_supplicant to report
the operating class 137 in the Supported Operating Classes element and
to use it when processing beacon requests.
short_ssid in the own neighbor report might get out of sync, causing
advertising RNR element based on the old SSID, when SSID is changed
either with control interface command SET or with SIGHUP. Therefore,
sync the own report entry by removing the old entry and setting own
report again if the short SSID value has changed.
Michael-CY Lee [Thu, 15 Feb 2024 07:36:41 +0000 (15:36 +0800)]
AP MLD: Set link address only when non-AP MLD is not added to driver
Once the non-AP MLD is added to the driver, the driver handles the
address translation so that hostapd receives Management frames with
SA/DA being translated into MLD MAC addresses.
If the Authentication frmae is retransmitted with transaction being 1,
SA of the retransmitted Authentication frame is translated into the MLD
MAC address by the driver, and then in the function handle_auth(),
sta->mld_info.links[].peer_addr would be replaced by the MLD MAC address
even though it is supposed to be the link address.
Therefore, update the MLD information only when the STA has not yet been
added into the driver to avoid replacing the previously determined link
address with the MLD MAC address.
Fixes: bcbe80a66 ("AP: MLO: Handle Multi-Link element during authentication") Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
Fix INTERFACES command buffer size to allow more data
reply_size instead sizeof(buffer) should be provided to
hostapd_global_ctrl_iface_interfaces() when processing INTERFACES
commands. The previous use of sizeof(buffer) used a significantly
shorter limit (256 vs. 4096 bytes) for the output and this could have
resulted in unnecessary truncation of the output.
Jouni Malinen [Sun, 3 Mar 2024 18:01:27 +0000 (20:01 +0200)]
Use os_snprintf_error() more consistently in STA output generation
In theory, os_snprintf() could return a negative value and as such,
os_snprintf_error() should be used in all cases where the buffer might
not be large enough.
Jouni Malinen [Sun, 3 Mar 2024 17:55:45 +0000 (19:55 +0200)]
Do not change out-of-range configuration parameters
The INT_RANGE() cases for wpa_supplicant global and network profile
parameters ended up changing the configured value to the minimum value
if the provided value was too small or to the maximum value if the
provided value was too large. This does not seem most logical. Change
this to not change the configured value at all if the provided value is
outside the valid range.
Jouni Malinen [Sun, 3 Mar 2024 16:15:18 +0000 (18:15 +0200)]
Enforce valid range check for SET mbo_cell_capa and oce
These parameters have both a separate SET command handler and a global
configuration parameter handler. Only the global configuration parameter
handler for enforcing valid range checking. Do that for the SET command
as well.
Chien Wong [Thu, 29 Feb 2024 13:08:31 +0000 (21:08 +0800)]
wpa_supplicant: Fix ignoring boundary 0 in config parser
The following config file contains invalid items:
----
filter_rssi=1234 # should be rejected
network={
mode=-1 # should be rejected
ssid="ssid"
psk="password"
}
----
But it is accepted by the config parser. The issue is due to using NULL
to represent no limit. If a boundary is set to 0, it's disregarded.
Fix this.
Note that string parser is not affected as length cannot be negative and
we are not limiting any string to be always empty.
Jouni Malinen [Sat, 2 Mar 2024 19:04:30 +0000 (21:04 +0200)]
P2P: Fix pri/sec channel switch skipping for GO
Use of wpa_s->p2p_go_no_pri_sec_switch needs to be conditional on
CONFIG_P2P being defined for the build to avoid a compilation error and
ssid->p2p_group to avoid using this for non-P2P AP mode case in
wpa_supplicant. Furthermore, it is better to clear this flag when
stopping a P2P GO to reduce risk of this getting used for a separate
instance of starting a GO.
Fixes: b18d95759375 ("P2P: Disable pri/sec channel switch for GO with forced frequency") Signed-off-by: Jouni Malinen <j@w1.fi>
Benjamin Berg [Tue, 20 Feb 2024 13:18:27 +0000 (14:18 +0100)]
WNM: Keep BTM information until connection completes
In the MLD case, the information from the transition management request
is relevant during the association process in order to filter out links
that were disallowed by the BTM request. Also, the information remains
useful should a connection attempt fail.
To enable these scenarios, keep the information around until the
connection has completed. As this might make it impossible to establish
a connection, also clear this information at the same time that a normal
BSS ignore is cleared to avoid getting stuck in case the transition
fails unexpectedly.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Tue, 20 Feb 2024 13:18:26 +0000 (14:18 +0100)]
WNM: Follow BTM procedure if the last link is dropped
If the last link is dropped, it makes sense to follow the BTM procedure.
However, in that case we need to prevent reconnection to this link
specifically, while if the AP MLD is terminating we need to forbid
connecting to the AP MLD.
As such, add a new variable to track the BSSID or AP MLD MAC address.
Which one it refers to depends on whether wnm_link_removal is set.
This also simplifies the check in wnm_is_bss_excluded() and untangles it
from wpa_s->current_bss.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Tue, 20 Feb 2024 13:18:25 +0000 (14:18 +0100)]
WNM: Remove dialog_token parameter
All callers of wnm_send_bss_transition_mgmt_resp() are explicitly
passing wpa_s->wnm_dialog_token. As such, we might as well not pass it
and use the variable directly.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
projects / thirdparty / hostap.git / log
