Benjamin Berg [Tue, 10 Jun 2025 15:08:57 +0000 (17:08 +0200)]
tests: Try next tshark filter for UnknownFieldsException
The intention in commit cc35ed3e257a ("tests: Permit passing multiple
valid tshark filters") was to permit passing multiple filters in order
to permit compatibility with older tshark versions. However, this did
not work as expected for the UnknownFieldsException.
Fix that by storing it in last_exception as for other errors. This fixes
running some EHT tests with older tshark versions.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Tue, 10 Jun 2025 15:08:55 +0000 (17:08 +0200)]
ctrl_iface: Report all TBTT info elements from RNR
The existing code would only report the first TBTT entry of the first
RNR element. Add the code to first iterate all RNR elements and then
also iterate all TBTT entries for each AP information block.
Fixes: e3e68668c1f6 ("ctrl_iface: Report RNR and ML in BSS command")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Kellen Gattis [Fri, 23 May 2025 05:46:12 +0000 (22:46 -0700)]
RADIUS: Fix long extended type encoding
Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not
conform to the standard for "Long Extended Type" as defined in RFC 6929.
This was observed when using wpa_psk_radius=3 in conjunction with
wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for
245.26.11344.2 that was 256 octets in size. The expected outcome was two
fragments containing data sizes of 251 and 5 octets, but hostapd instead
created a fragment of 256 octets (exceeded the size limit) followed by a
fragment of 5 octets.
Fix the fragments preceding the final fragment to have the correct data
size by using alen instead of data_len when calling wpabuf_put_data().
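The fragment sizing this commit message describes, as an added example that is not hostapd's code: an encoder that copies only each fragment's share of the data (at most 251 octets after the 4-octet header), and a receiver-side walk that rejects a chain whose first fragment carries more data than its Length field covers. Function names, the patterned sample data and the malformed layout are constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ATTR_MAX_LEN  255                      /* Length is a single octet */
#define HDR_LEN       4                        /* Type, Length, Extended-Type, flags */
#define MAX_FRAG_DATA (ATTR_MAX_LEN - HDR_LEN) /* 251 data octets per fragment */
#define FLAG_MORE     0x80                     /* M bit: another fragment follows */

/* Encode data as Long Extended Type fragments; returns octets written, 0 on error. */
size_t long_ext_encode(uint8_t type, uint8_t ext_type, const uint8_t *data,
                       size_t data_len, uint8_t *out, size_t out_size)
{
    size_t off = 0;

    if (data_len == 0)
        return 0;
    while (data_len > 0) {
        size_t alen = data_len > MAX_FRAG_DATA ? MAX_FRAG_DATA : data_len;
        if (out_size - off < HDR_LEN + alen)
            return 0;
        out[off++] = type;
        out[off++] = (uint8_t) (HDR_LEN + alen);
        out[off++] = ext_type;
        out[off++] = data_len > alen ? FLAG_MORE : 0;
        memcpy(out + off, data, alen); /* copy this fragment's share only */
        off += alen;
        data += alen;
        data_len -= alen;
    }
    return off;
}

/* Receiver-side walk of the fragment chain; returns data length, -1 if malformed. */
long long_ext_reassemble(const uint8_t *buf, size_t len, uint8_t type,
                         uint8_t ext_type, uint8_t *out, size_t out_size,
                         size_t *frags)
{
    size_t off = 0, total = 0;
    int more = 1;

    *frags = 0;
    while (more) {
        const uint8_t *a = buf + off;
        size_t alen, dlen;

        if (len - off < HDR_LEN || a[0] != type || a[2] != ext_type)
            return -1;
        alen = a[1];
        if (alen <= HDR_LEN || alen > len - off)
            return -1;
        more = (a[3] & FLAG_MORE) != 0;
        if (more && alen != ATTR_MAX_LEN)
            return -1; /* RFC 6929: M may be set only when Length is 255 */
        dlen = alen - HDR_LEN;
        if (dlen > out_size - total)
            return -1;
        memcpy(out + total, a + HDR_LEN, dlen);
        total += dlen;
        off += alen;
        (*frags)++;
    }
    return off == len ? (long) total : -1;
}

/* Constructed sample: encode n patterned octets as 245.26, then reassemble.
 * Returns the fragment count, or -1 on any mismatch. */
int demo_roundtrip(size_t n)
{
    uint8_t data[1024], enc[1100], dec[1024];
    size_t i, enc_len, frags;

    if (n > sizeof(data))
        return -1;
    for (i = 0; i < n; i++)
        data[i] = (uint8_t) i;
    enc_len = long_ext_encode(245, 26, data, n, enc, sizeof(enc));
    if (!enc_len || long_ext_reassemble(enc, enc_len, 245, 26, dec,
                                        sizeof(dec), &frags) != (long) n)
        return -1;
    return memcmp(data, dec, n) == 0 ? (int) frags : -1;
}

/* Constructed malformed stream (layout assumed): Length 255 but 256 data octets. */
long demo_oversized_fragment(void)
{
    uint8_t bad[269] = { 245, 255, 26, FLAG_MORE }, dec[512];
    size_t frags;

    memset(bad + 4, 0xAA, 256); /* first fragment: 5 octets more than Length covers */
    bad[260] = 245; bad[261] = 9; bad[262] = 26; bad[263] = 0;
    memset(bad + 264, 0xAA, 5); /* second fragment: the final 5 octets */
    return long_ext_reassemble(bad, sizeof(bad), 245, 26, dec, sizeof(dec), &frags);
}

int main(void)
{
    return demo_roundtrip(256) == 2 && demo_oversized_fragment() == -1 ? 0 : 1;
}
```

In the malformed case the receiver's second header read lands inside the first fragment's surplus data, so the chain fails the Type check instead of being reassembled.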
Andrew Pope [Fri, 9 May 2025 00:00:30 +0000 (10:00 +1000)]
nl80211: Accept a global nl80211 event to a bridged interface
Global events originating/directed toward a bridged (i.e., WDS) station
are ignored by hostapd. These events are currently considered 'foreign'
and are dropped.
This problem was initially discovered while testing the configuration
parameter 'disassoc_low_ack=1' for bridged stations. It was observed
that the event 'STATION_LOW_ACK', communicated in
'NL80211_CMD_NOTIFY_CQM', would be ignored and the AP would fail to
disassociate the low ack station from the BSS.
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Matej Vrba [Tue, 1 Apr 2025 13:19:01 +0000 (13:19 +0000)]
ACS: Fix using 20 MHz channels in 6 GHz
When configured to use ACS with 20 MHz channels, hostapd incorrectly
rejects half of the available channels with an error message "Channel
XX: not allowed as primary channel for 40 MHz bandwidth." This includes
all PSC channels.
Signed-off-by: Matěj Vrba <matej.vrba@advantech.cz>
Reviewed-by: Nicolas Escande <nico.escande@gmail.com>
Yan Zihan [Tue, 15 Apr 2025 08:49:25 +0000 (16:49 +0800)]
DPP: Conditionally add cipher support based on driver capabilities
By default, wpa_supplicant sets the pairwise and group ciphers to CCMP
(or CCMP+TKIP) when provisioning a network via DPP. As a result,
DPP-provisioned clients are unable to connect to networks that require
GCMP or GCMP-256 ciphers due to cipher mismatch. This issue does not
affect manually-configured network profiles, where supported cipher
suites can be explicitly specified.
Address the issue by conditionally enabling the appropriate cipher
suites in the DPP-generated network profile, based on driver
capabilities.
Tested on various chipsets with different cipher capabilities:
Richard Yu [Tue, 15 Apr 2025 11:29:06 +0000 (19:29 +0800)]
AP MLD: Ensure hostapd_deinit_driver() is called when driver_init() fails
Ensure hostapd_deinit_driver() is called when driver_init() fails in
both hostapd_enable_iface() and hostapd_add_iface().
When initializing an AP MLD interface, driver_init() first assigns a
valid private driver interface data pointer (drv_priv) to the
hostapd_iface structure. It then attempts to add a link by calling
hostapd_drv_link_add(). This call may fail under certain conditions,
such as ENETDOWN, EALREADY, or other transient errors.
In such failure cases, the hostapd interface retains a valid drv_priv
pointer, but no cleanup is performed. This results in an untracked
reference to the private driver interface data. While the memory backing
drv_priv will eventually be freed when the last interface sharing it is
deinitialized, the lack of cleanup in early failure paths can lead to
invalid memory access, potentially resulting in a segmentation fault.
Ensure that hostapd_deinit_driver() is invoked in both failure paths to
properly release driver resources and maintain consistency across
interface initialization routines.
Signed-off-by: Richard Yu <richard.yu@mitrastar.com.tw>
Marek Zarychta [Tue, 22 Apr 2025 21:13:42 +0000 (23:13 +0200)]
BSD: Handle systems without legacy IP support
Currently, wpa_supplicant fails to operate when legacy IP support is
disabled (i.e., the system is built with WITHOUT_INET and the kernel is
configured with nooptions INET). Address the issue by enabling
wpa_supplicant to run and connect to wireless networks even in the
absence of AF_INET, as long as AF_INET6 is available.
Signed-off-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Pooventhiran G [Wed, 18 Jun 2025 19:05:09 +0000 (00:35 +0530)]
AP MLD: Remove Link STA on Group KDE length check failure
If accepting an add-request in Link Reconfiguration causes the Group KDE
Length subfield to exceed max length, the request is rejected, but the
link STA will already have been added to the kernel driver.
Hence, remove the link STA on max length check failure.
Fixes: 60b3884948c6 ("AP MLD: Validate Link Reconfiguration Request frame after parsing")
Signed-off-by: Pooventhiran G <pooventh@qti.qualcomm.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:19:04 +0000 (16:49 +0530)]
tests: ML Setup Link Reconfiguration
Add a test case to connect AP and STA in two links and perform ML Setup
Link Reconfiguration to remove a link and add the link back.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:19:03 +0000 (16:49 +0530)]
AP MLD: Control interface events for ML Setup Link Reconfiguration
Add control interface events in hostapd for link STA removal and
addition operations from link reconfiguration.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:19:00 +0000 (16:49 +0530)]
AP MLD: Check if non-AP STA in reconfig add-request already exists
As per IEEE P802.11be/D7.0, the non-AP STA requested in ML Setup link
reconfiguration for "add" operation should not have the (link) MAC address
associated to any non-AP STA which is either affiliated or not to a
non-AP MLD on the corresponding AP link affiliated with the AP MLD.
Enforce this condition and reject the operation otherwise.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:59 +0000 (16:48 +0530)]
AP MLD: Process TX status for Link Reconfiguration Response frame
When a Link Reconfiguration Response frame is ACK-ed, the AP MLD can
complete reconfiguration operations. Process the accepted del-link
requests, and if the link that is removed is the association link,
assign a new (soft) association link to maintain ML setup and APIs.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:57 +0000 (16:48 +0530)]
AP MLD: Validate Link Reconfiguration Request frame after parsing
When a Link Reconfiguration Request frame is successfully parsed and set
up with context, validate the request to verify links requested for
operation(s) are valid.
While at it, if accepting the request after current validation tends to
leave the ML Setup with no remaining links, recover from the situation
by rejecting a "delete" link request. Currently, the "delete" link
request with the lowest link ID will be rejected.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:56 +0000 (16:48 +0530)]
AP MLD: Process Link Reconfiguration Request frame for ML Setup links
A non-AP MLD can change the ML setup links (adding a new link or
removing an existing link) by using the Link Reconfiguration to Setup
Links procedure, as per IEEE P802.11be/D7.0.
Add support for an AP MLD to parse the Link Reconfiguration Request
frame and set up context with necessary information.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
nl80211: Set to AP mode before adding to bridge during AP interface addition
Commit dd1587c91541 ("hostapd: Allow reuse of existing interface for AP
MLD") added support to change mode to AP if it is already not while
adding the interface. However, this is currently done after bridge
addition is done. Now, in a few systems, bridge addition fails with
following:
nl80211: Driver for phy phy0 already exist
nl80211: Create interface iftype 3 (AP)
Failed to create interface wlan0: -23 (Too many open files in system)
nl80211: Continue using existing interface wlan0
nl80211: Adding interface wlan0 into bridge br-lan
Could not add interface wlan0 into bridge br-lan: Not supported
nl80211: Failed to add interface wlan0 into bridge br-lan: Not supported
nl80211: Set mode ifindex 17 iftype 3 (AP)
nl80211: Failed to set interface 17 to mode 3: -16 (Resource busy)
Failed to add BSS (BSSID=AA:BB:CC:DD:EE:FF)
Hence, to avoid this issue, move logic to set mode to AP before adding
to bridge. Since BSS needs to be partially initialized before attempting
to set mode, move certain assignments above it as well.
Yuvarani V [Sun, 1 Jun 2025 17:18:08 +0000 (22:48 +0530)]
WNM: Disassociate STA only when Link Removal Imminent is 0 in BTM Request frame
When BSS Transition Management (BTM) Request frame is sent by an AP MLD
with disassociation timer set, it is expected to arm disassociation
timer for the STA and eventually disassociate it once the timer expires.
The current code avoids this by assuming that the ML association is not
being terminated and only the link is being removed. However, link
removal is scheduled only when Link Removal Imminent field is set in BTM
request, as per IEEE P802.11be/D7.0 - 9.6.13.9 (BSS Transition
Management Request frame format). If the Link Removal Imminent field in
the Request Mode field is set to 1, the BSS Termination Included field
indicates that the BSS, whose AP transmits this BSS Transition
Management Request frame, is shutting down. In this case, the STA
associated with the AP or the non-AP MLD that has set up only this link
will be disassociated and the non-AP MLD that has set up more than this
link remains associated to the AP MLD with the remaining setup link(s).
Hence, schedule disassociation for STA unless Link Removal Imminent bit
is set to 1 in the BTM Request frame.
Signed-off-by: Yuvarani V <yuvarani@qti.qualcomm.com>
Hu Wang [Fri, 30 May 2025 03:24:24 +0000 (20:24 -0700)]
Delete PMKID from driver when PMKSA entry is freed in Authenticator
For SME-in-driver, external SAE authentication (i.e., the driver
offloading SAE processing to hostapd) the PMKID is configured to the
driver on successful completion, but this is not cleared when hostapd
frees its PMKSA entry. This causes the driver and hostapd to get out of
sync.
This can result in the driver accepting an association with an unknown
(to hostapd) PMKID, but hostapd ending up using Deauthentication frame
due to that unknown PMKID. iPhone as a client seems to only clear its
PMKSA entry based on association rejection and thus, it might
retry again and again with the same unknown-to-hostapd PMKID.
Remove the PMKID from the driver when the matching PMKSA is removed from
hostapd to avoid this.
Ainy Kumari [Thu, 22 May 2025 12:51:40 +0000 (18:21 +0530)]
SAE: Fix AKM suite selector for external authentication compatibility
Kernel commit 4f4d8be6dc37 ("wifi: nl80211: force WLAN_AKM_SUITE_SAE in
big endian in NL80211_CMD_EXTERNAL_AUTH") enforces WLAN_AKM_SUITE_SAE to
be passed in big-endian format in NL80211_CMD_EXTERNAL_AUTH for all
drivers. This is causing issues for cross-AKM roaming cases (e.g.,
roaming from SAE-EXT-KEY AP to SAE AP) with current wpa_supplicant
implementation since it is considering the connected AP AKM as the
target AP AKM when WLAN_AKM_SUITE_SAE is indicated in big-endian format
in NL80211_CMD_EXTERNAL_AUTH.
To fix this, always set external authentication AKM as
WLAN_AKM_SUITE_SAE when WLAN_AKM_SUITE_SAE indicated in big endian
format in NL80211_CMD_EXTERNAL_AUTH.
This change is still compatible with old drivers since there is no
change in SAE authentication procedure when the target AP AKM is SAE or
FT-SAE.
Kavita Kavita [Wed, 14 May 2025 08:52:03 +0000 (14:22 +0530)]
hostapd: Allow channel switch between hw_modes
Commit 3e2758b19a75 ("hostapd: Avoid channel selection across underlying
hardware index") enforces the target channel to be present in the current
hw_mode even though the hostapd_iface can support multiple hw_modes. Due
to this, channel switch requests between different hw_modes are always
rejected.
To fix this, determine the target hw_mode of the channel switch request
and use it for validating against current underlying hardware index.
nakul kachhwaha [Tue, 6 May 2025 05:20:48 +0000 (10:50 +0530)]
Fix QCA vendor attribute documentation
Fix the list of valid values for the attribute
QCA_WLAN_VENDOR_ATTR_TWT_NUDGE_NEXT_TWT_SIZE in the comment section.
This was not supposed to be a bitmap, but a consecutive sequence of
integers. The previously defined value has not been used.
Chenming Huang [Fri, 16 May 2025 01:57:27 +0000 (07:27 +0530)]
AP MLD: Use hostapd-based ACL for MLO cases
Currently NL80211_CMD_SET_MAC_ACL is not supported for MLO cases.
Since this command has no upstream driver support, further extension
might not be accepted and this command itself may be removed in the
future, too.
To support the same ACL setting from hostapd control interface, use
hostapd-based ACL instead when it comes to the MLO case. In addition, verify
both the link addresses and MLD MAC addresses of the non-AP MLD.
Chenming Huang [Wed, 14 May 2025 02:02:09 +0000 (10:02 +0800)]
P2P: Allow upgrade to 160 MHz if 80 MHz allowed and AUTO_BW flag is set
Upgrade to 160 MHz when AUTO_BW flag is set in contiguous frequency
range. This is needed to allow regdb rules for 160 MHz channels to be
used correctly when some of the differences between the 80 MHz parts of
the full channel have resulted in AUTO_BW flag being used.
Currently, hostapd tries to access MLO related functions and structures
even when 'ieee80211be' is unset, as 'mld_ap' is set. This is wrong and
at times, it leads to unexpected issues.
Address this by rejecting the configuration when mld_ap is set, while
'ieee80211be' is unset or disable_11be is set.
While at it, clear the mld_ap while disable_11be flag is modified during
configuration validation.
AP MLD: Correct link handling for MLO Disassociation
When transmitting a Disassociation frame, MLD link_id was not
considered, default value of -1 sent. Because of this, the first link
was always used to send Disassociation frames.
Address this by sending the corresponding 'mld_link_id' to the driver
if the Disassociation frame is sent by an AP MLD.
Muna Sinada [Wed, 28 May 2025 15:43:05 +0000 (21:13 +0530)]
Do not add Channel Switch Wrapper element without VHT/HE/EHT
Only include the Channel Switch Wrapper element in Beacon and Probe
Response frames when at least one of the PHY modes IEEE 802.11ac, IEEE
802.11ax, or IEEE 802.11be is enabled and not explicitly disabled in the
configuration.
This avoids unnecessary inclusion of the Channel Switch Wrapper element
when none of these modes are active, ensuring better compliance with the
capabilities advertised by the AP.
Kavita Kavita [Fri, 9 May 2025 15:50:30 +0000 (21:20 +0530)]
MLD: Clear group keys for removed links
For AP link removal case, group keys (e.g., GTK, IGTK, BIGTK, etc.) were
not cleared for links that were removed in the NL80211_CMD_LINKS_REMOVED
event. Since the links are already removed, we should clear the keys
associated with these links for proper cleanup.
This functionality was missing in the current implementation, so address
this by clearing group keys for the removed links.
Kavita Kavita [Fri, 9 May 2025 15:50:29 +0000 (21:20 +0530)]
MLD: Handle link reconfiguration updates from the driver
Process the NL80211_CMD_ASSOC_MLO_RECONF event from the driver. This
event includes information about added links and the link
reconfiguration response frame from the AP MLD. The event can be
triggered by either wpa_supplicant or driver-initiated link
reconfiguration updates.
Also install group keys (e.g., GTK, IGTK, BIGTK, etc.) received with the
link reconfiguration response frame for the newly added links.
For removed links, the existing NL80211_CMD_LINKS_REMOVED event is used,
requiring no additional changes in wpa_supplicant for both
wpa_supplicant and driver-initiated link reconfiguration updates.
Kavita Kavita [Fri, 9 May 2025 15:50:28 +0000 (21:20 +0530)]
MLD STA: Add SETUP_LINK_RECONFIG control interface command
Add support for SETUP_LINK_RECONFIG control interface command
that allows users to add new setup links and/or remove existing
ones for the current MLO connection in STA mode.
Shivani Baranwal [Tue, 20 May 2025 09:36:56 +0000 (15:06 +0530)]
P2P2: Set p2p_mode to WPA_P2P_MODE_WFD_R2 upon receiving PASN Auth
This is required during P2P2 verification on the responder side where
p2p_mode may not be initialized to WFD_R2 by default. Ensure the mode is
set correctly when PASN Auth RX is received to support P2P2 operation.
P2P2: Enable support for setting PMKSA in P2P Client mode
When a device does not support separate group interface creation for the
group role, the existing P2P interface mode is switched from device mode
to client mode before invoking wpa_driver_nl80211_connect().
Additionally, drivers only permit configuring PMKSA in P2P client mode.
Therefore, PMKSA should be set in wpas_start_assoc_cb() for drivers that
offload SME from wpa_supplicant.
dbus: Update D-Bus interface description for bootstrapping indications
Update the description of D-Bus interface for bootstrapping indications
to match the implementation change as this has not yet been used and is
a recently added parameter.
P2P2: Include the requested method in the bootstrap response notification
In the bootstrap response indication, send the requested bootstrap
method by the device to align with config method indicated in P2P-R1
provision discovery indication to the applications.
Jouni Malinen [Tue, 27 May 2025 20:12:33 +0000 (23:12 +0300)]
DPP: Enable GAS server in hostapd without CONFIG_INTERWORKING=y
CONFIG_DPP=y was sufficient to include the GAS server functionality into
the hostapd build, but a couple of the calls did not cover the
possibility of CONFIG_DPP=y being used without CONFIG_INTERWORKING=y. In
practice, this prevented hostapd from operating as the DPP Configurator
without CONFIG_INTERWORKING=y.
Fix this by enabling GAS server if either CONFIG_INTERWORKING or
CONFIG_DPP have been defined consistently.
AP: Advertise the LCI and civic location capabilities
Currently, for Fine Time Measurement (FTM), hostapd configures Location
Configuration Information (LCI) and civic location values without
advertising capabilities in the Extended Capabilities and RM Enabled
Capabilities elements. According to IEEE Std 802.11-2024, 11.21.6.7 (LCI
and Location Civic retrieval using FTM procedure), to use LCI and Civic
subelements in FTM frames, the AP must advertise these capabilities.
Advertise LCI and civic measurement capabilities in the Extended
Capabilities and RM Enabled Capabilities elements when these values are
available.
Jouni Malinen [Fri, 23 May 2025 12:37:06 +0000 (15:37 +0300)]
Discard unrecognized Action frames without returning them
IEEE Std 802.11-2024 changed this behavior in 10.28.4 (Response to an
invalid Action and Action No Ack frame) to discard the received frame
without returning it to the source with the MSB set to 1, so update
implementation to match by removing the case that would have returned
the unrecognized frame.
This had previously been modified to avoid potential security
vulnerabilities by discarding the case when an SA was in place, but the
REVme update went beyond that and completely removed this behavior of
returning the frame with MSB set to 1 since no clear use for that could
be identified.
Kavita Kavita [Wed, 7 May 2025 10:08:52 +0000 (15:38 +0530)]
P2P GO: Use driver preferred frequency instead of ACS when band is specified
ACS was enabled by default when the band is specified as 2 or 5 in the
"freq" parameter for P2P_GROUP_ADD control interface command. Use the
driver preferred frequency list instead of ACS when the driver preferred
frequency list is available. This allows the GO to be started more
quickly.
Kavita Kavita [Sun, 4 May 2025 11:26:53 +0000 (16:56 +0530)]
P2P GO: Add support for handling 6 GHz band in freq parameter
Add support for handling 6 GHz band in freq parameter while selecting
the P2P GO frequency in cases where the driver has indicated a list of
preferred channels.
Enhance throughput estimation for punctured EHT APs
When an EHT AP is advertising punctured channel widths, the throughput
estimation algorithm did not take it into account. This may lead to
picking a punctured AP with less effective bandwidth over an unpunctured
AP with more effective bandwidth.
For example, an EHT320 AP provides more resources for transmission than
an EHT320 AP with 120 MHz punctured (as it effectively has only 200
MHz).
Enhance the algorithm to compute appropriate throughput by considering
punctured bitmap as well so that the selected AP will have more
effective bandwidth.
Mohan Kumar G [Thu, 8 May 2025 17:27:15 +0000 (22:57 +0530)]
Fix channel number in MBSSID RNR after channel switch
When channel switch happened in an MBSSID case, the non-transmitting
partial profile RNR element of the first few Beacon frames in the new
channel used the old channel number. This is because after channel
switch, the new MBSSID and RNR elements are not updated immediately as
during channel switch, the new MBSSID and RNR elements are not passed to
the driver together with other beacon data. So beaconing first starts
with old MBSSID and RNR data. Only after channel switch completes and
beacon is set again, these elements are passed to the driver. This delay
causes the first few beacons to contain old RNR and MBSSID elements.
Address this issue by passing the new MBSSID and RNR elements during the
CSA settings itself, thus post channel switch, Beacon frames will have
the new MBSSID and RNR data.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com>
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
Add a separate data structure for MBSSID parameters
The MBSSID related parameters are present under struct
wpa_driver_ap_params, but this is not extensible for certain use cases
like updating the MBSSID and RNR elements post channel switch. Hence,
move this into a separate data structure named mbssid_data to hold all
MBSSID related parameters in a manner that can be used more easily
elsewhere.
Remove redundant management group cipher suite selector writing
Remove the default BIP (AES-128-CMAC) from the code writing the group
management cipher selector into an RSNE since this field is omitted when
the default value is used. This case was unreachable due to the earlier
if statement skipping this switch statement.
Kashish Awasthi [Wed, 7 May 2025 14:39:47 +0000 (20:09 +0530)]
Add new QCA vendor attributes for roaming configurations
Add new roam control vendor attributes to configure the roaming
parameters dynamically.
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_MIN_DELTA_THRESHOLD
controls the minimum required score threshold for an AP to be
considered as a roaming candidate.
QCA_ATTR_ROAM_CONTROL_CONNECTED_BSS_RECONNECT_DISALLOW_PERIOD
configures time to enable reconnection again to the current BSSID.
P2P2: Enable P2P2 and PCC only for SME non-offload drivers by default
Enable P2P2 and PCC support by default for SME non-offload drivers.
Other drivers will enable support for P2P2 and PCC from the driver
capabilities.
This is needed to avoid enabling P2P2 functionality for SME-in-driver
cases where the driver is not actually capable of all the needed
functionality and there is no explicit driver capability indication to
determine this.
P2P2: Initialize peer PASN data and set P2P2 on P2P PASN auth frame RX
During PASN pairing verification, the PASN authentication frame is
received without the need for provision discovery. If the pairing
initiator's peer entry is removed and added again or the MAC address
is randomized, the Authentication frame is discarded because the PASN
data is not initialized. Therefore, ensure that the PASN data for the
peer is initialized if it is not already present. Also set the P2P2
bool variable to true.
P2P2: Remove setting of PMK/PMKID from validate_dira()
Split setting of PMK/PMKID from validate_dira() to set_pmksa() to avoid
setting PMK/PMKID when DIRA is validated with each USD frame. Also set
PMK/PMKID from configuration during PASN verification.
NAN USD: Trigger USD offload cancellation upon timer expiration
Trigger USD offload cancellation when the timer expires. This ensures
that the USD is canceled for drivers that do not implement a timer to
stop discovery upon timer expiration.
Add MLD information in RNR partial profile, TBTTs, and ML Partner
reporting TBTTs, if a reported AP is an MLD AP. Remove AP MLD checks to
allow non-MLD transmitting interface to include nontransmitting profiles
which are part of an MLD.
MBSSID: Calculate length for MLE in Beacon and Probe Response frames
While building the MLE for Beacon and Probe Response frames, length of
256 is allocated statically but for EMA length of MBSSID IE determines
the periodicity and hence considering a static length for the non
transmitting profile's MLE affects the whole EMA logic.
Fix this by calculating the exact length of the MLE that is to be added
for a BSS.
MBSSID: Add link id for transmitting interface in an AP MLD
Transmitting interface of an MBSSID group can be part of an MLD, hence
interface index is not enough to identify the correct link. Store and
pass the link ID of the transmitted interface to the kernel when
configuring a new non-transmitting profile for an AP MLD.
Logapriya P [Wed, 30 Apr 2025 07:26:25 +0000 (12:56 +0530)]
Add vendor NL event for primary link migration notification
In scenarios where the user application is responsible for load
balancing and communicating the destination MAC address (MLD peer MAC
address) and its primary link ID to the Ethernet-side QCA driver, there
is a need for a notification mechanism to ensure the primary link
changes in WLAN subsystem are communicated to user applications and also
to manage the load of that primary link in a better way.
This vendor NL event addresses above requirement by providing a way for
the user application to be notified about primary link migrations,
allowing it to update its configuration and ensure that other
subsystems, such as Ethernet, use the correct link for communication.
Modify the comments section to extend the usage of the vendor command
QCA_NL80211_VENDOR_SUBCMD_PRI_LINK_MIGRATE as an event to notify user
applications when the primary link has changed.
This event will send the MLD MAC address of the peer and the new link ID
which is set as the primary link.
Signed-off-by: Logapriya P <quic_logapriy@quicinc.com>
nl80211: Fix use-after-free during wiphy event handling
When processing a NL80211_CMD_RADAR_DETECT event, the current driver
interface instance may be deinitialized during the event handler.
The event loop still holds a pointer to the old driver interface,
but using it after deinit can cause a crash.
A previous attempt to fix this relied on checking whether the
interface pointer still appeared in the list of interfaces.
However, that approach is incomplete: if malloc() returns the same
pointer for a newly added interface (as observed occasionally on
glibc 2.31), the check incorrectly assumes the original instance
still exists.
To fix this reliably, this commit introduces a unique instance ID
in the wpa_driver_nl80211_data struct and uses that ID to check
whether the original driver instance is still present in the list.
Fixes: f13683720239 ("nl80211: Pass wiphy events to all affected interfaces")
Signed-off-by: Gwen Weinholt <gwen@weinholt.net>
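Why the pointer-in-list check described in this commit message can pass for the wrong instance, and how a per-instance ID avoids that, as an added example that is not hostapd's code. `struct drv`, the slot pool and every function name are hypothetical; the fixed pool stands in for malloc() handing back a just-freed address so the reuse is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DRV 4

/* Hypothetical stand-in for a per-interface driver data struct. */
struct drv {
    int in_use;
    unsigned int instance_id; /* unique for the life of the process, never reused */
    char ifname[16];
};

/* Fixed slots so that a freed address is reused deterministically; this
 * stands in for malloc() returning the same pointer after free(). */
static struct drv pool[MAX_DRV];
static unsigned int next_instance_id;

struct drv *drv_init(const char *ifname)
{
    for (size_t i = 0; i < MAX_DRV; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].instance_id = ++next_instance_id;
            snprintf(pool[i].ifname, sizeof(pool[i].ifname), "%s", ifname);
            return &pool[i];
        }
    }
    return NULL;
}

void drv_deinit(struct drv *d)
{
    memset(d, 0, sizeof(*d));
}

/* Incomplete check: is this address in the list of live instances? */
int present_by_pointer(const struct drv *d)
{
    for (size_t i = 0; i < MAX_DRV; i++)
        if (pool[i].in_use && &pool[i] == d)
            return 1;
    return 0;
}

/* Reliable check: is the instance that was live at event time still there? */
struct drv *find_by_instance_id(unsigned int id)
{
    for (size_t i = 0; i < MAX_DRV; i++)
        if (pool[i].in_use && pool[i].instance_id == id)
            return &pool[i];
    return NULL;
}

/* Simulated event dispatch. Returns a bit mask: bit 0 set if the pointer
 * check says the original instance is alive, bit 1 set if the ID check does. */
int dispatch_event(int handler_restarts_iface)
{
    struct drv *d;
    unsigned int id;

    memset(pool, 0, sizeof(pool));
    d = drv_init("wlan0");
    id = d->instance_id;          /* remember identity before the handler runs */
    if (handler_restarts_iface) { /* handler tears down wlan0, brings up wlan1 */
        drv_deinit(d);
        drv_init("wlan1");        /* lands in the slot d still points at */
    }
    return present_by_pointer(d) | ((find_by_instance_id(id) != NULL) << 1);
}

int main(void)
{
    printf("no restart: %d, restart: %d\n", dispatch_event(0), dispatch_event(1));
    return 0;
}
```

After a restart the pointer check still reports the instance as present even though the slot now belongs to a different interface, while the ID lookup correctly reports it gone.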
Yuvarani V [Wed, 23 Apr 2025 07:14:47 +0000 (12:44 +0530)]
nl80211: Fix crash by clearing link from valid links after stopping beaconing
During link disable in nl80211_remove_link(), the link to be disabled is
cleared from the valid links before calling
nl80211_update_active_links(). This sequence leads to stopping beaconing
on flink, which results in set beacon failure and causes hostapd to
crash when the removed link is enabled.
Fix this by clearing the link from valid links map after the
nl80211_update_active_links() call.
Fixes: 2fe31050c248 ("nl80211: Use active_links to notify start/stop state of links")
Signed-off-by: Yuvarani V <quic_yuvarani@quicinc.com>
Add link ID QCA vendor attributes for MLO SR operation
Add a link ID attribute and nesting to support per link spatial reuse
operation for MLO STA and MLO SAP modes.
Per-link SR parameters are encapsulated within
QCA_WLAN_VENDOR_ATTR_SR_MLO_LINKS nested attribute. Each record includes a
link ID specified by the QCA_WLAN_VENDOR_ATTR_SR_MLO_LINK_ID attribute.
Initialize the skip_buf[] array before using it with EVP_CipherUpdate()
to skip the initial segment of RC4 output. This does not change actual
behavior since the output of that call is not used and it is only there
for changing the internal state of the RC4 cipher. However, this avoids
uninitialized element issues reported in MISRA.
At least some of the previous versions have expired, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
Add new QCA vendor status codes for TWT session terminate event
Add new status codes QCA_WLAN_VENDOR_TWT_STATUS_CHAN_SWITCH_24GHZ,
QCA_WLAN_VENDOR_TWT_STATUS_MLO_LINK_INACTIVE, and extend
QCA_WLAN_VENDOR_TWT_STATUS_SCAN_IN_PROGRESS to use with TWT session
terminate event.
Tx Power Boost is a feature where the driver will send IQ samples data
to the userspace application.
Upon receiving the NL event from the driver, user space application
can read the IQ samples from the memory mapped IO file /dev/txpb and
perform the inference.
Once the inference result is available, user space application can
send NL command with inferred result Tx EVM (Error Vector Magnitude) and
Tx Mask Margin values to the driver to boost Tx power.
With commit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), EAPOL frame
reception is always handled by the first bss of wpa_driver_nl80211_data
(drv). Issue is seen when OWE Transition mode is enabled and a peer
connects in OWE BSS (the second BSS) but received EAPOL frames are
wrongly handled in the open BSS (the first BSS). Iterate all BSSs to
handle EAPOL frame reception to fix that.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces")
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
nl80211: Use i802_bss in nl80211 commands/events for correct ifindex
struct wpa_driver_nl80211_data is used in most of the nl80211 vendor
commands and events. With refactoring of struct wpa_driver_nl80211_data
through commit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), a single
struct wpa_driver_nl80211_data instance is maintained for each phy.
Since per-BSS context is not present with struct
wpa_driver_nl80211_data, during nl80211 vendor commands and events the
default ifindex associated with per phy struct wpa_driver_nl80211_data
gets used. Thus, this results in sending/receiving of nl80211 messages
on an incorrect interface.
Since i802_bss list maintains the common struct wpa_driver_nl80211_data
context, use it in appropriate APIs to process nl80211 vendor
events/commands.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces")
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
hostapd: Allow reuse of existing interface for AP MLD
Commit 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data
(drv) object across interfaces") adds 2nd AP MLD interface as a new
interface. However, in cases where the interface is already created and
is supposed to be reused, due to the new interface request, addition of
a new AP MLD fails.
Leverage the reuse parameter and handle the additional error code during
interface add for such cases and update the interface mode to
NL80211_IFTYPE_AP.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces")
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
tests: Per-STA Profile subelement fragmentation in MLE
Note that the current mac80211 snapshot does not copy the
non-association link extra IEs and as such, this test case does not
actually end up fragmenting the subelement without a mac80211 fix.
Testing capability to add extra IEs to per-STA profiles in assoc req
Allow wpa_supplicant builds with CONFIG_TESTING_OPTIONS=y to be
configured to add extra IEs to the per-STA profiles in Association
Request frames. This can be used for testing AP MLD behavior.
Pooventhiran G [Fri, 11 Apr 2025 11:28:36 +0000 (16:58 +0530)]
MLD: Defragment Reconfiguration Multi-Link element subelements
While parsing the Reconfiguration Multi-Link element, subelements
carried in the Multi-Link element were not defragmented. Fix this by
defragmenting the subelement before processing to avoid parsing issues.
Pooventhiran G [Fri, 11 Apr 2025 11:28:35 +0000 (16:58 +0530)]
MLD: Defragment MLE subelements in ASSOC-REJECT event parsing
While parsing the Multi-Link element in ASSOC-REJECT event, subelements
carried in the Multi-Link element were not defragmented, rather the
Fragment subelements were skipped. Fix this by defragmenting the
subelement before processing to avoid parsing issues.
Fixes: 5af986c75af4 ("MLD: Also mark links as failed after association failure")
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:34 +0000 (16:58 +0530)]
nl80211: Defragment MLE subelements in CONNECT event parsing
While parsing the Multi-Link element in CONNECT event, subelements
carried in the Multi-Link element are not defragmented. Fix this by
defragmenting the subelement before processing to avoid parsing issues.
Fixes: cc2236299f99 ("nl80211: Get all requested MLO links information from (re)association events")
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:33 +0000 (16:58 +0530)]
AP MLD: Defragment MLE subelements while updating Link Status
While updating link status from the (Re)Association Response frame
elements, subelements carried in the Multi-Link element are not
defragged. Fix this by defragmenting the subelement before processing to
avoid parsing issues.
Fixes: d320692d918a ("AP MLD: Handle new STA event when using SME offload to the driver")
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:32 +0000 (16:58 +0530)]
AP MLD: Defragment MLE subelements in (Re)Association Request
The subelements carried within a Multi-Link element can pack more than
255 bytes, and this is achieved using Fragment subelement similar to how
the Multi-Link element uses Fragment element. However, the current
implementation does not defragment the Fragment subelements and hence
when encountered, parsing fails leading to failing connection.
Fix this by defragmenting the subelements before processing to get a
complete stream of subelement data.
Fixes: 7a7a2256c0ea ("common: Support parsing link specific association request")
Fixes: 5f5db9366cde ("AP: MLO: Process Multi-Link element from (Re)Association Request frame")
Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:31 +0000 (16:58 +0530)]
Helper function for defragmenting of Multi-Link element subelements
Subelements contained within a Multi-Link element can themselves be
fragmented if they pack more than 255 bytes of data using a Fragment
subelement similar to how the Multi-Link element uses a Fragment
element. Add a helper function to enable this nested defragmentation by
parsing subelements in a defragmented Multi-Link element.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
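The nested defragmentation described in the commit messages above, as an added C example that is not hostapd's helper or code from these commits. It assumes each part is a one-octet ID and a one-octet length followed by data, that the Fragment subelement ID is 254, and that only a full 255-octet part is continued by a Fragment; the function names and the sample buffer are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUBELEM_ID_FRAGMENT 254 /* assumed Fragment subelement ID */

/* Reassemble the subelement at buf[0] with the Fragment subelements that
 * follow it; only a full 255-octet part may be continued. Returns the payload
 * length copied to out[], or -1 on malformed/truncated input or a too-small
 * out[]. *consumed receives the number of input octets used. */
static long mle_subelem_defrag(const uint8_t *buf, size_t len, uint8_t *out,
                               size_t out_size, size_t *consumed)
{
    size_t pos = 0, out_len = 0, flen;
    if (len < 2 || buf[0] == SUBELEM_ID_FRAGMENT)
        return -1; /* too short, or a Fragment with nothing to extend */
    do {
        flen = buf[pos + 1];
        if (flen > len - pos - 2 || flen > out_size - out_len)
            return -1; /* length runs past the input or the output */
        memcpy(out + out_len, buf + pos + 2, flen);
        out_len += flen;
        pos += 2 + flen;
    } while (flen == 255 && len - pos >= 2 && buf[pos] == SUBELEM_ID_FRAGMENT);
    *consumed = pos;
    return (long) out_len;
}

/* Constructed sample (309 octets): subelement ID 0 carrying 300 octets split
 * as 255 + 45, followed by an unrelated 3-octet subelement with ID 221. */
static size_t build_sample(uint8_t *buf)
{
    size_t i;
    for (i = 0; i < 309; i++)
        buf[i] = (uint8_t) i; /* recognizable payload pattern */
    buf[0] = 0;                     buf[1] = 255;  /* leading part */
    buf[257] = SUBELEM_ID_FRAGMENT; buf[258] = 45; /* continuation */
    buf[304] = 221;                 buf[305] = 3;  /* next subelement */
    return 309;
}

int main(void)
{
    uint8_t in[309], out[512];
    size_t used = 0, n = build_sample(in);
    long r = mle_subelem_defrag(in, n, out, sizeof(out), &used);
    printf("payload=%ld consumed=%zu of %zu\n", r, used, n);
    return r == 300 ? 0 : 1;
}
```

A parser that skips Fragment subelements instead of joining them would see only the first 255 octets of the sample's payload, which is the failure mode these fixes address.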
tests: More scan result flushing to make testing more robust
Test case sequence 'scan_chan_switch ssid_utf8' was failing due to a
scan result surviving from the first test case to the second and the old
entry ended up breaking check for the UTF-8 flag. Fix this by explicitly
flushing old scan results.
tests: Verify AP MLD connection with link rejection
Add a test case to simulate rejection of all links other than the one
where association is requested in an ML association and verify
successful connection on accepted links.
AP MLD: Fix Link KDE validation in EAPOL-Key msg 2/4
As per IEEE Std 802.11be-2024, for MLO, when more than one link is
requested and the message 2 is used for the initial 4-way handshake, an
MLO Link KDE for each affiliated STA link containing the affiliated STA
MAC address shall be included by the non-AP MLD for all the affiliated
links present in the Multi-Link element of (Re)Association Request
frame.
When a subset of links are rejected by AP MLD in association response,
its corresponding authenticator object and valid flag is reset in
wpa_state_machine(sm->mld_links[]). n_mld_affiliated_links also gets
decremented.
This causes EAPOL-Key msg 2/4 failure as the non-AP MLD will include
Link KDEs for all affiliated links that it requested in association
request, whereas the AP MLD is expecting it only for accepted links. Fix
this by not decrementing n_mld_affiliated_links when a subset of links
is rejected during association and skipping Link KDE validation for
rejected links.
Currently, for 160 MHz and 320 MHz bandwidths in mesh, availability of
80 MHz subchannels might be validated for wrong 80 MHz subchannels. Due
to this, the final bandwidth selected may be downgraded. Fix this by
validating the correct 80 MHz subchannels.
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
mesh: Fix channel bandwidth configuration for mesh on 6 GHz
Currently, when mesh interface is configured in 80 MHz, the interface is
coming up in 320 MHz bandwidth if the driver supports 320 MHz bandwidth.
Fix this by selecting the correct bandwidth based on max_oper_chwidth
configuration parameter.
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
mesh: Add support for 160 MHz bandwidth in 5 GHz band for mesh
Add support for 160 MHz in 5 GHz band for mesh. Use max_oper_chwidth for
160 MHz bandwidth selection.
Currently, in the hwsim test cases mesh_secure_ocv_mix_legacy and
mesh_secure_ocv_mix_ht, dev0 is configured in 160 MHz bandwidth which
includes DFS channels. But the test case lacks DFS checks and since the
bandwidth downgrades to 80 MHz which excludes any DFS channels, the test
cases pass. With the addition of 160 MHz support, the test cases fail
due to the lack of DFS checks, as dev0 takes longer time to enable. Add
DFS checks to the test cases mesh_secure_ocv_mix_legacy and
mesh_secure_ocv_mix_ht.
For the test cases mesh_secure_ocv_mix_legacy and
mesh_secure_ocv_mix_ht, the regulatory domain is set using iw reg set
which does not update the country in the wpa_s structure, causing the
DFS channels to be disabled. Use control interface to update the
regulatory domain.
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
P Praneesh [Thu, 10 Apr 2025 11:11:21 +0000 (16:41 +0530)]
mesh: Handle DFS CAC for secondary 80 MHz in 160 MHz cases
Current implementation of DFS channel validation for mesh checks whether
DFS channels are present or not only for the primary 80 MHz channel in
160 MHz bandwidth, but this approach will fail for channels having
non-DFS channels in primary 80 MHz channel and DFS channels in secondary
80 MHz channel in 160 MHz bandwidth. Example: channel 36. Add DFS check
for both primary 80 MHz and secondary 80 MHz channels in 160 MHz
bandwidth to avoid this issue.
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
P Praneesh [Thu, 10 Apr 2025 11:11:21 +0000 (16:41 +0530)]
mesh: Set VHT/HE channel information for 80 MHz and 160 MHz
For 80 MHz and 160 MHz bandwidths in mesh, CAC needs to be performed for
the DFS channels before the start of transmission. CAC check is based on
hostapd_config structure. Add center frequency segment index and
bandwidth to perform CAC.
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
Pooventhiran G [Wed, 9 Apr 2025 18:43:13 +0000 (00:13 +0530)]
Remove duplicate definition of Reconfiguration Multi-Link STA control fields
Definitions for STA Control field contained in the Reconfiguration
Multi-Link element are defined twice. So, remove the duplicate
definitions.
Fixes: d95838b7932b ("AP: Add support for testing ML link removal")
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com>
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
nl80211: Use active_links to notify start/stop state of links
During nl80211_stop_ap(), the link map for all valid links is being
cleared. Following this, in the remove interface sequence, since
valid links are not set, driver_nl80211_link_remove() is called,
which removes the BSS for all links, leading to a dangling pointer
access and causing hostapd to crash.
To address this, introduce a separate active_links link map for
struct i802_bss and update this link map only during nl80211_stop_ap()
and when bringing the link back up. The valid_links link map of
struct i802_bss should be used only during the initialization and
deinitialization of the links.
Fixes: e1bf37022e01 ("nl80211: MLO: Process stop AP event on link basis")
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>