Jouni Malinen [Fri, 28 Mar 2025 08:33:18 +0000 (10:33 +0200)]
Prefer GCMP-256 over CCMP-256 as the pairwise/group cipher
While there is not any significant reason from the protocol or security
view points, there is significant difference in how much testing and
deployment there has been for these cipher suites. GCMP-256 is the
expected cipher suite to be used for new Wi-Fi 7 deployments and there
is more or less no deploymeny of CCMP-256 or plans for trying to change
that.
While selecting either option in cases where both ciphers have been
enabled, likelihood of interoperability issues due to limited testing is
higher with CCMP-256. As such, prefer GCMP-256 over it whenever there is
option to select either of those two ciphers.
Adam Baumann [Thu, 27 Mar 2025 02:57:27 +0000 (13:57 +1100)]
DPP: Stop scheduled scans from blocking the PB discovery scan
DPP PB interactions cannot start during a scheduled scan as the initial
discovery scan will be blocked indefinitely. This can be fixed by
canceling an ongoing scheduled scan before performing the DPP PB
discovery scan.
Signed-off-by: Adam Baumann <adam.baumann@morsemicro.com>
Kashish Awasthi [Tue, 18 Feb 2025 09:28:51 +0000 (14:58 +0530)]
Add new QCA vendor roam control attributes
Add new roam control vendor attributes to configure the roaming
parameters dynamically.
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_WEIGHTAGE_2P4GHZ,
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_WEIGHTAGE_5GHZ and
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_WEIGHTAGE_6GHZ controls the
band weightage given for candidate APs on 2.4 GHz, 5 GHz and 6 GHz
respectively.
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_THRESHOLD_PERCENTAGE
controls the minimum required score threshold in percentage for an AP to
be considered as a roaming candidate.
QCA_ATTR_ROAM_CONTROL_CONNECTED_LOW_RSSI_THRESHOLD_DECREMENT configures
the decremental RSSI value to be used for next low RSSI roam scan
trigger.
QCA_ATTR_ROAM_CONTROL_PERIODIC_ROAM_SCAN_INTERVAL sets the
interval for repeated roam scans until a candidate found.
Aloka Dixit [Thu, 6 Mar 2025 21:09:49 +0000 (13:09 -0800)]
hostapd: Use EHT params for punct_update_legacy_bw()
Puncturing is supported from EHT onwards hence legacy bandwidths need to
be downgraded in case of a non-zero puncturing bitmap.
hostapd_eid_vht_operation() passes VHT bandwidth, seg0, and seg1 while
calling punct_update_legacy_bw() but puncturing bitmap is from EHT. This
may result in incorrect calculations.
Issue is more obvious in case of 320 MHz where starting VHT bandwidth
can be 160 MHz as 320 MHz is not supported. Value for EHT 'bitmap' can
have 16 valid bits but punct_update_legacy_bw() considers only lower 8
bits as VHT 'width' is passed which is is 160 MHz. It may still work if
the primary channel is in the lower 160 MHz because then VHT bandwidth
spans only lower 8 bits of the bitmap. But if the primary channel is in
higher 160 MHz, and if the bitmap has any of the higher 8 bits set to 1,
expectation is VHT bandwidth should be downgraded even further to 80
MHz. But punct_update_legacy_bw() returns without taking any action as
the higher 8 bits of the bitmap get completely ignored.
Use all EHT parameters instead of VHT to calculate legacy bandwidths.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Hu Wang [Tue, 25 Mar 2025 06:12:03 +0000 (23:12 -0700)]
hostapd: Fix static analyzer issue for CHAN_SWITCH 6 GHz bw
Static analyzer complains:
In hostapd_ctrl_check_freq_params(), Array 'bw_idx' of size 5
may use index value(s) 5.
The highest value that center_idx_to_bw_6ghz(idx) can currently return
is 4, so this is not really able to trigger read beyond the end of the
array. In any case, the bounds check is clearly incorrect and needs to
be fixed so that this is able to handle any potential future extension.
Wu Gao [Tue, 18 Mar 2025 03:20:17 +0000 (20:20 -0700)]
Add vendor attribute to enable DFS No Wait support
This change adds QCA_WLAN_VENDOR_ATTR_CONFIG_DFS_NO_WAIT_SUPPORT to
enable DFS No Wait support.
If an AP starts on a channel with a bandwidth larger than 20 MHz,
which includes both DFS required and non DFS required subsets, it
should begin beaconing immediately on the non DFS required subset
while simultaneously monitoring for radar events once the DFS No Wait
feature is enabled.
Karthik M [Tue, 18 Mar 2025 11:20:33 +0000 (16:50 +0530)]
AP MLD: Fix ACS and HT scan related issues
1. hostapd crash due to NULL pointer access:
When the AP is configured with auto channel selection in the 2.4 GHz
band and a static channel in the 5 GHz band with a bandwidth greater
than 20 MHz, hostapd crashes due to a NULL pointer access in the
hostapd_event_get_survey() function. The ACS is activated for the 2.4
GHz band, initiating a scan with a 20-second timeout. The 2.4 GHz band
updates the scan context accordingly. When the 5 GHz band is
initialized, a 5 GHz HT40 scan is attempted due to the bandwidth
exceeding 20 MHz. However, the driver returns a "Resource busy" message
because of the ongoing ACS scan. A 5 GHz HT40 scan starts an eloop timer
for a retry. The 5 GHz HT40 scan retry timer is triggered, and in the
meantime, ACS scan results for the 2.4 GHz band are received. The 5 GHz
HT40 scan is then prioritized, and the driver initiates a scan,
overriding the scan context of the 5 GHz band.
When the ACS event survey is processed, it uses the updated scan
context. During the survey event processing, the scan callback for the
partner link (2.4 GHz ACS) is handled, which leads to a crash.
Crash backtrace:
0x00000055851dce94 in dl_list_add
(list=0x0, item=0x7f87e82378)
0x00000055851dcef4 in dl_list_add_tail
(list=0x7f8802baa8, item=0x7f87e82378)
0x00000055851e2ac8 in hostapd_event_get_survey
(iface=0x7f8805c020, survey_results=0x7ff1940ef8)
0x00000055851e4de4 in hostapd_wpa_event
(ctx=0x7f88060b50, event=EVENT_SURVEY, data=0x7ff1940ef8)
0x00000055852bd918 in wpa_driver_nl80211_get_survey
(priv=0x7f880c7390, freq=0, acs_exclude_6ghz_non_psc=false)
0x0000005585378e84 in hostapd_set_oper_centr_freq_seg0_idx
(conf=0x7f886e7070, oper_centr_freq_seg0_idx=0 '\000')
0x000000558537bf8c in acs_study
(iface=0x7f886f0030)
0x00000055851e48a0 in hostapd_wpa_event
(ctx=0x7f88060b50, event=EVENT_SCAN_RESULTS, data=0x7ff19411e8)
0x00000055852d3364 in send_scan_event
(bss=0x7f880c7390, aborted=0, tb=0x7ff1941878, external_scan=0)
0x00000055852d8570 in do_process_drv_event
(bss=0x7f880c7390, cmd=34, tb=0x7ff1941878)
0x00000055852d8fec in process_global_event
(msg=0x7f87fbddb0, arg=0x7f88119540)
2. Intermittent 5 GHz link bringup failure:
In a 16 AP MLD and one monitor VAP configuration, there is an
intermittent 5 GHz low or 5 GHz high link bringup failure observed on a
5 GHz low - 5 GHz high supported RDP due to CAC start failure.
When a scan trigger is done by hostapd for link 0 (low radio),
bss->scan_link is of link 0. Since the scan of link 0 is completed in
kernel/MAC80211, -EBUSY is not returned by hostapd_driver_scan()
function. A scan trigger is done by hostapd for link 2 (high radio).
Now, bss->scan_link is of link 2. Meanwhile, scan results are received
in the hostapd from the kernel for low radio frequencies. Since
bss->scan_link is of link 2, mld_link ctx is stored for link 2 instead
of link 0. This leads to interface bringup of the high radio
frequencies, and CAC start is done, leading to a scan in progress error
from the kernel.
Fix both the issues by starting the driver scan within
hostapd_driver_scan() function only if the scan is completed in the
partner links. If the scan is still in progress, return -EBUSY. The
callers of hostapd_driver_scan, which are ieee80211n_check_40mhz()
function and ap_ht40_scan_retry() function in this case, will call
ap_ht40_scan_retry() function after a timeout.
sunilravi [Fri, 21 Mar 2025 22:23:03 +0000 (22:23 +0000)]
Prevent mesh_fwding field in network config when CONFIG_MESH is disabled
mesh_fwding and no_auto_peer configuration items are parsed within ifdef
CONFIG_MESH, but they are written without matching conditional
compilation. This could result in configuration files that cannot be
read back by the same wpa_supplicant binary if either of those
configuration values could end up getting modified.
Make the configuration file writing code use matching ifdef CONFIG_MESH
for these parameters to be consistent with the configuration reader.
sunilravi [Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)]
OpenSSL: Fix EAP-TLS connection failure in Android
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.
Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined" broke the logic to load the client private
key in Android which resulted in EAP-TLS connection failure. With this
change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined.
Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.
Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined") Signed-off-by: sunilravi <sunilravi@google.com>
Jouni Malinen [Sun, 23 Mar 2025 08:25:34 +0000 (10:25 +0200)]
Revert "OpenSSL: Fix EAP-TLS connection failure in Android"
This reverts commit b5c7f20804655de31114e17524735691cf0e2798 to allow a
more complete change to be used for addressing the issue with the
earlier commit on Android.
sunilravi [Fri, 21 Mar 2025 18:07:37 +0000 (18:07 +0000)]
P2P2: Fix the argument list in wpas_p2p_usd_elems() for non-P2P build
The wpas_p2p_usd_elems() expects two arguments. But the stub function in
p2p_supplicant.h when CONFIG_P2P is disabled has only one argument. Fix
the build error by adding the service name argument in the
wpas_p2p_usd_elems().
Fixes: c96fd75b1841 ("P2P2: Add USD service hash in the P2P2 PASN M1 frame") Signed-off-by: sunilravi <sunilravi@google.com>
sunilravi [Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)]
OpenSSL: Fix EAP-TLS connection failure in Android
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.
Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined" broke the logic to load the client private
key in Android which resulted in EAP-TLS connection failure. With this
change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined.
Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.
Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined") Signed-off-by: sunilravi <sunilravi@google.com>
Rohan Dutta [Fri, 21 Mar 2025 09:38:04 +0000 (15:08 +0530)]
Fix sibling scan results update criteria for different channels
When scan results are received for a wpa_s instance, currently, other
wpa_s instances sharing the radio (siblings) will get updated with the
same scan results to reduce scan time.
But if the scan frequencies included in the requests for these siblings
are different, especially when they are exclusive when one wpa_s is a
non-AP MLD with 2.4 GHz and 5 GHz links and another wpa_s is a single
link non-AP MLD with 6 GHz link, the siblings will lose scan results for
the desired frequencies. Fix the sibling scan results update by checking
that they scan the same frequencies and they are not MANUAL_SCAN.
Fixes: 6859f1cb2407 ("Enable sharing of scan result events among virtual interfaces") Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Aaradhana Sahu [Fri, 21 Mar 2025 04:42:13 +0000 (10:12 +0530)]
AP MLD: Fix DFS error message during per station profile generation
When two or more radios are configured in automatic channel selection (ACS)
mode, one radio completes ACS and starts generating per-station profiles
for all links during the beacon frame set. However, the other radio is
still in ACS mode, resulting in the following error messages in the
hostapd log:
Failed to check if DFS is required; ret=-1
To address this, generate per-station profiles for the links that have
already completed ACS.
Jouni Malinen [Thu, 20 Mar 2025 21:18:52 +0000 (23:18 +0200)]
tests: Fix eap_proto special cases for EAP ID
The EAP-Success cases with id off by 2 or 3 need to handle the special
cases where the id wraps around over the maximum value to avoid failures
when the random id value from hostapd ends up being close enough to the
maximum value.
RSNO: Set STA MFP flag based on the RSN/override negotiation
Currently, while determining the management frame protection (MFP)
setting for a STA, if any of ieee80211w/rsn_override_mfp/override_mfp_2
is set, it is assumed that the AP is MFP capable/required.
In case the AP has following configuration:
ieee80211w=0
rsn_override_mpf=1
rsn_override_mfp_2
and the station has set MFPC in its RSNE and not using RSNO, the AP
determines this association to use MFP and sends IGTK to this station as
well as sets the MFP flag for this STA in the driver.
Since the STA is not using RSNO and has seen MFPC set to 0 in the RSNE
of AP's beacon/probe it will consider the association as non-MFP. This
results in drop of robust Management frame between the AP and the STA.
Fix this by determining AP MFP capability based on the station's RSN
negotiation method (RSNE/RSNOE/RSNO2E) and set the STA MFP flag
accordingly.
Fixes: 12f1edc9e94a ("RSNO: Generate IGTK if any of the RSN variants has PMF enabled") Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
AP MLD: Avoid deletion of ML station if some links are rejected
When a non-AP MLD requests ML association, an AP MLD will validate the
association request elements present in the parent profile as well as
the elements present in each STA profile of MLE to decide if link(s) can
be accepted. While doing so if some of the mandatory elements (say,
Capabilities, Basic rates, RSNEs, etc.) don't satisfy the necessary
conditions for the affiliated AP of the AP MLD to accept the link, the
link will be rejected.
In ieee80211_ml_process_links() this rejection happens even before the
link station entry is added to the driver and while trying to free this
sta object, __ap_free_sta() tries to delete the link station from the
driver which was never added at all and eventually this operation fails.
Currently if deletion of a link station fails hostapd deletes the whole
ML station from the driver but in the above scenario the other link(s)
are accepted. Such deletion results in complete association failure.
Fix this by not proceeding to delete the ML station completely if a
deletion of a link station fails. By design each link station entry of
hostapd should be scheduled for deletion and when the association link
station entry is scheduled for deletion, the ML station will be deleted
from the driver.
Fixes: a6d92da9aa44 ("AP MLD: Support removal of link station from AP") Signed-off-by: Gautham Kumar Senthilkumaran <quic_gauthamk@quicinc.com> Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Michael-CY Lee [Thu, 20 Mar 2025 00:53:28 +0000 (08:53 +0800)]
AP MLD: Always process every link in association request
Error might happen when handling one of the link(s) in association
request, but immediately returning causes missing of status code of
the unprocessed link(s) in association response.
Always processing every link in association request ensures that every
link has it status code in the association response.
Fixes: 03e89de47b6c ("AP MLD: Process link info when handling new STA event with driver SME") Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com> Signed-off-by: Money Wang <money.wang@mediatek.com>
Jouni Malinen [Wed, 19 Mar 2025 19:21:01 +0000 (21:21 +0200)]
tests: Allow more time for connection in sae_anti_clogging_during_attack
This almost-a-busy-loop approach for testing SAE anti-clogging token
under an attack is not really robust with UML time-travel. Add a
time-based option for continuing the test instead of just fixed limit on
the number of loop iterations to make this somewhat more likely to
succeed.
Benjamin Berg [Tue, 18 Mar 2025 10:19:56 +0000 (11:19 +0100)]
SAE: Explicitly clear SAE(k)
The code never cleared SAE(k) and the data could remain on the stack for
a longer period of time. This caused a test failure when running with
ASAN enabled.
Explicitly clear the variable to ensure no data is leaked.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
nl80211: Set bss flink frequency for non-ML AP BSS
Currently nl80211 BSSs (struct i802_bss) flink->freq is initialized to
drv->first_bss->flink->freq in wpa_driver_nl80211_if_add(). In case of
single drv model, this results in frequency of the first BSS of the
first radio (say, on the 2.4 GHz band) being set to all the BSSs of the
drv though they can belong to different radios and thereby operating on
different frequencies.
wpa_driver_nl80211_send_mlme() uses bss->flink->freq to send Management
frames to the driver which fails as the driver complains that the TX
frequency doesn't match its operating frequency.
Currently in wpa_driver_nl80211_set_ap(), for ML BSS the above mentioned
default value is overridden whenever beacon is set. Fix this by
overriding link frequency also for non-ML BSSs.
Jouni Malinen [Tue, 18 Mar 2025 09:17:36 +0000 (11:17 +0200)]
AP MLD: Cancel per-STA eloop timeouts for all wpa_auth instances
Now that AP MLD can use shated wpa_auth instances, the eloop timeouts
registered for wpa_auth,sm tuples might end up getting registered and
unregistered with different wpa_auth instance. Use the ELOOP_ALL_CTX
wildcard to ensure the per-STA timeouts do actually get canceled. This
avoids some cases where hostapd could have crashed due to leaving behind
a reference to wpa_auth,sm pointers that might get freed.
Jouni Malinen [Mon, 17 Mar 2025 20:52:17 +0000 (22:52 +0200)]
tests: Use proper EAP identifier tracking in eap_proto testing
There is not really any need to maintain the identifier context over
multiple processed EAP message when the previously used value is
available from the response message from the peer.
Replace ctx['id'] with hardcoded start point and incrementation with
parsing the identifier from the received message. Use that ID in
EAP-Success and EAP-Failure and that id+1 (mod 256) in other EAP
messages.
This simplifies the implementation a bit and makes the EAP server behave
according to the EAP specification (with the couple of exceptions in
places where special corner cases are validated). For most parts, this
is a direct replacement of the previous ctx['id'] with id/id_prev
derived from the received message, but a couple of places where using a
bit strange constructs to work around constraints in the previous
design. Using proper ID values in the EAP header removes need for such
workarounds.
Vinay Gannevaram [Sun, 26 Jan 2025 19:33:13 +0000 (01:03 +0530)]
Add QCA vendor attribute for NDP latency and throughput configuration
Introduce a vendor attribute for NDP to configure dynamic parameters
using the subcommand QCA_WLAN_VENDOR_NDP_SUB_CMD_UPDATE_CONFIG. The
maximum latency for NAN data packet transmission and reception, and
the expected throughput can be configured after the NDP setup
establishment using update configuration command with given NDP
instance ID.
Drivers would modify or adjust the NDP slots to meet the latency and
throughput requirements.
P2P2: Get ID of device identity block from wpas_p2p_validate_dira()
Upper layer components can now use the P2P_VALIDATE_DIRA command to
retrieve the device identity key identifier, which is necessary to
initiate P2P reinvoke to an existing group.
Vinay Gannevaram [Sun, 19 Jan 2025 08:01:58 +0000 (13:31 +0530)]
nl80211: Determine capability for P2P-R2 and PCC mode
Set the capability flag based on the nl80211 vendor feature
advertisement for P2P-R2 and PCC modes. By default, enable this for all
other drivers (i.e., any driver not supporting the QCA feature
capability indication) until a specific capability is defined to enable
or disable it.
Vinay Gannevaram [Thu, 20 Feb 2025 06:20:22 +0000 (11:50 +0530)]
P2P2: Add support to fetch the P2P2 and PCC capability
Add support to fetch the P2P2 and PCC capability from wpa_supplicant.
This defines the driver capability bits for this and the control
interface extension. The actual driver capability fetching will be
handled in future commit(s).
Vinay Gannevaram [Thu, 20 Feb 2025 09:58:08 +0000 (15:28 +0530)]
P2P2: Indicate bootstrapping comeback response to upper layers
The bootstrapping comeback response is managed by wpa_supplicant and is
not communicated to the upper layers. However, it is essential for the
upper layers to be aware of the status of ongoing bootstrapping requests.
Notify the upper layers of the bootstrapping comeback response. Modify
the D-Bus interface for bootstrapping indications (instead of providing
a new signal such for this new extended purpose) as this has not yet
been used and is a recently added parameter.
Jouni Malinen [Wed, 5 Mar 2025 17:04:41 +0000 (19:04 +0200)]
tests: Use more specific validation for beacon protection
Instead of requiring the driver to reported unprotect Beacon frame,
include CSA and ECSA in the bogus Beacon frames and verify that the
driver does not indicate start of a channel switch.
AP MLD: Fix hostapd crash during interface deinit with non-ML BSS
Currently a single drv object (wpa_driver_nl80211_data) is shared across
different hostapd interfaces (struct hostapd_iface) if all the
interfaces belong to same underlying wiphy. When hostapd process is
killed, interfaces are deinitialized one after other in a loop. If the
first BSS of an interface is a non-ML BSS, in hostapd_cleanup_driver()
the shared drv is freed up while cleaning up the first interface itself
and the rest of the interfaces try to access/free the same drv object
resulting in segmentation fault.
To fix this, check if the drv is still shared with any other interface
regardless of MLO (currently this check is done only if the first BSS of
an interface is an ML BSS). If drv is shared, reset its reference and
allow the last interfaces that is using the drv to free the same.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com> Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
BSS: Validate partner link BSSs while parsing Basic MLE
When the Basic MLE from the AP is parsed, wpa_scan_res_match() is called
for only the association link when the BSS params from the RNR element
is set with colocated AP or same SSID bits. Even if the affiliated APs
of the AP MLD have configurations incompatible with the non-AP MLD,
association will be attempted with all the links. An AP MLD is required
to have compatible parameters in all affiliated APs, but it is not
guaranteed that all deployed AP MLDs are compliant with this
requirement.
Enable wpa_scan_res_match() for affiliated AP BSSs as well by removing
RNR BSS params check so that the affiliated APs that fail the checks are
skipped and connection is downgraded to a smaller number of links by
including only the links with compatible configuration. BSSs are still
filtered from the RNR TBTT info based on the MLD ID subfield contained
in the MLD params subfield. While at it, skip some checks for other
affiliated APs which are meant only for the association link.
Fixes: a3020f852e1c ("MLD: Use BSS Parameters in TBTT Info to check SSID match") Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Thirusenthil Kumaran J <quic_thirusen@quicinc.com>
Jouni Malinen [Mon, 3 Mar 2025 18:32:23 +0000 (20:32 +0200)]
MLD: Verify Per-STA Profile subelement length in reconf MLE
Strictly speaking, it is not sufficient to verify that there is enough
space in the Link Info field, but the legth of the Per-STA Profile
subelement needs to be checked as well before using the STA Control
field value. There could be another subelement after the Per-STA Profile
subelement and if the Per-STA Profile subelement would be too short,
data from that following subelement could have been used. This is a
theoretical case, but anyway, better be stricter in verifying the length
fields in this type of cases.
Pooventhiran G [Sat, 1 Mar 2025 05:52:51 +0000 (11:22 +0530)]
MLD: Fix Reconfiguration Multi-Link element parsing on non-AP MLD
The Common Info field in the Reconfiguration Multi-Link element is
extensible with its Length subfield indicating the total length of the
field. Accept any value of Length subfield larger than the calculated
length based on the presence bitmap to support extensibility. Use the
value of the Length subfield instead of the calculated minimum length
when determining where the following Link Info field starts.
Vinay Gannevaram [Fri, 14 Feb 2025 12:34:28 +0000 (18:04 +0530)]
Update the link BSS pointer during BSS reallocation on scan results
When updating the BSS during a scan results event, reallocation of the
BSS due to needing more room for IEs results in a new allocation and the
pointer changing. Update the link BSS pointer to the newly allocated BSS
similarly to the other cases that were covered previously. This is
needed to avoid use of freed memory in some MLO cases.
MartÃnek Petr [Tue, 25 Feb 2025 08:18:06 +0000 (08:18 +0000)]
MACsec: Add option to always include ICV Indicator
Some older MACsec switches incorrectly require ICV Indicator to be
present even when ICV has default length (Cisco C3560CX). To allow
communication with such devices option include-icv-indicator was added
to always include ICV Indicator.
Similar option is found in configuration of some other switches:
Cisco:
include-icv-indicator - this parameter configures inclusion of the
optional ICV Indicator as part of the transmitted MACsec Key Agreement
PDU (MKPDU). This configuration is necessary for MACsec to interoperate
with routers that run software prior to IOS XR version 6.1.3. This
configuration is also important in a service provider WAN setup where
MACsec interoperates with other vendor MACsec implementations that
expect ICV indicator to be present in the MKPDU.
fortiswitch:
include-mka-icv-ind: The MACsec Key Agreement (MKA) integrity check
value (ICV) indicator is always included. (enabled by default)
Signed-off-by: Petr MartÃnek <petr.martinek at elvac.eu>
Dávid Benko [Sun, 23 Feb 2025 22:42:39 +0000 (23:42 +0100)]
authsrv: Log RADIUS accounting data
Add option to log all received RADIUS accounting information. This is
a follow-up patch for a new `acct_req_cb` in RADIUS server implementation.
The callback logs all accounting status codes. Invalid requests are
discarded as of RFC 2866. Logged data include:
- NAS identification (NAS-Identifier, NAS-IP-Address or NAS-IPv6-Address)
- session ID (Acct-Session-Id)
- username
- device identification (Calling-Station-Id)
- session time
- input/output packet and byte counters (including gigawords as of
RFC 2869)
This may be a base for possible extensions of RADIUS accounting in
hostapd. However, since there are far more robust alternatives (namely
FreeRADIUS) and hostapd is primarily used for restricted and/or simple
deployments, I don't consider them necessary. Other use cases can be
covered by a custom reimplementation of binary and a different
acct_req_cb callback.
Dávid Benko [Sun, 23 Feb 2025 22:39:55 +0000 (23:39 +0100)]
RADIUS server: Add accounting message callback
Add a configurable callback for incoming Accounting-Request messages to
the integrated RADIUS server. This approach allows different
implementation by hostapd itself and other binaries built on top of
hostapd, e.g., OpenWrt's RADIUS server.
Jouni Malinen [Sat, 1 Mar 2025 18:29:45 +0000 (20:29 +0200)]
OpenSSL: Enable HMAC with short salt in FIPS configuration
OpenSSL fips provider prevents use of HMAC with key size smaller than
112 bits. This would be fine for actual cases that use HMAC with a key,
but there are cases that use a shorter salt (e.g., SAE PWE derivation).
Allow those cases to use the OpenSSL default provider instead of the
fips provider in builds that do not use CONFIG_FIPS=y.
Jouni Malinen [Sat, 1 Mar 2025 18:28:45 +0000 (20:28 +0200)]
OpenSSL: Use default provider instead of fips provider for DH group 5
In builds without CONFIG_FIPS=y, use the OpenSSL default provider
instead of the fips provider for DH group 5 operation since that is not
available in the fips provider.
Jouni Malinen [Sat, 1 Mar 2025 18:24:13 +0000 (20:24 +0200)]
OpenSSL: Allow MD5 if FIPS mode or FIPS provider is set externally
Systemwide OpenSSL configuration might be used to enable FIPS mode or
loading of only the FIPS provider. These would result in MD5 not being
available and that would break quite a few protocols that are used with
Wi-Fi. Make MD5 available in such cases for builds without CONFIG_FIPS=y
by disabling FIPS mode in OpenSSL and explicitly loading and using the
default provider instead of the fips provider for MD5 caes.
Jouni Malinen [Sat, 1 Mar 2025 18:19:38 +0000 (20:19 +0200)]
OpenSSL: Disable FIPS mode if MD4 is needed
It is possible for a systemwide configuration to enforce use of FIPS
mode in OpenSSL and that would break various commonly used crypto
operations in Wi-Fi related protocols. Disable OpenSSL FIPS mode
automatically in builds that do not define CONFIG_FIPS=y to avoid this.
Jouni Malinen [Sat, 1 Mar 2025 18:22:18 +0000 (20:22 +0200)]
OpenSSL: Print more failure details for EC failures
These cases can fail when OpenSSL is forced to use FIPS mode or FIPS
provider. It is helpful to get more explicit error details about these
cases into the debug log.
Jouni Malinen [Sat, 1 Mar 2025 18:14:11 +0000 (20:14 +0200)]
SAE: Add an explicit debug print for failure to derive PWE
The needed HMAC-SHA256 operation with short salt is something that can
fail if OpenSSL is forced to use the fips provider, so it is helpful to
get this failure case clearer in the debug log.
Jouni Malinen [Sat, 1 Mar 2025 10:07:45 +0000 (12:07 +0200)]
SAE: Do not mark SAE enabled network disabled if PSK is not set
SAE does not PSK, i.e., it is sufficient for the passphrase to be set in
cases where the psk parameter instead of the SAE specific sae_password
is used.
Jouni Malinen [Sat, 1 Mar 2025 10:05:48 +0000 (12:05 +0200)]
OpenSSL: More debug prints on EVP digest/cipher failures
The EVP operations may fail if OpenSSL is configured to reject
deprecated algorithms or parameters (e.g., key sizes). Make such errors
easier to understand in debug log.
Jouni Malinen [Sat, 1 Mar 2025 10:04:10 +0000 (12:04 +0200)]
RADIUS: Check MD5 processing result
The MD5 functions may fail, e.g., if the used crypto library is
configured to reject deprecated old algorithms. Check for this more
consistently in RADIUS routines and make it obvious in the debug log if
this is causing operations to fail instead of trying to proceed and hide
the issue.
Add new roam trigger vendor attribute values to configure the roaming
parameters dynamically. QCA_ROAM_TRIGGER_REASON_WTC, trigger roam on
wireless-to-cellular BSS transition request.
QCA_ROAM_TRIGGER_REASON_BT_ACTIVITY, trigger roam on Bluetooth
connection, when station is on the 2.4 GHz band.
Jouni Malinen [Thu, 27 Feb 2025 09:06:40 +0000 (11:06 +0200)]
Share wpa_init() error path handling
Use a single place to handle cleanup after failures instead of multiple
copies of this code. Also share the wpa_auth->group deinit routine with
wpa_deinit() even though there cannot be multiple groups or initialized
keys in the wpa_init() case.
Chenming Huang [Wed, 26 Feb 2025 14:32:27 +0000 (20:02 +0530)]
AP MLD: Search MLD-level and per-link PMKSA caches
There are cases where non-AP MLD first associates with MLO but
reassociates with non-MLO using PMKSA caching. Since the standard does
not explicity disallow such cases, it makes sense to have additional
code to check the MLD level PMKSA cache as well even when processing
non-ML associations. Same would apply in the other direction, i.e., ML
association with PMKSA caching should search all affiliated APs of the
AP MLD for a PMKID match.
Check both the MLD-level and per-link PMKSA caches when trying to find a
match for an PMKID in (Re)Association Request frame.
Chenming Huang [Wed, 26 Feb 2025 14:32:26 +0000 (20:02 +0530)]
AP MLD: Store PMKSA from DPP to both per-link and MLD-level cache
When we cannot determine whether the peer is non-AP MLD (which is the
case with DPP AKM), store the PMKSA into both the MLD-level and per-link
caches when operating as an AP MLD.
Chenming Huang [Wed, 26 Feb 2025 14:32:24 +0000 (20:02 +0530)]
AP MLD: Mark STA as MLD before checking association IEs
In __check_assoc_ies(), ap_sta_is_mld() is already being used to
determine whether a peer is an MLD or not. However, when calling
__check_assoc_ies() from ieee80211_ml_process_link(),
ap_sta_set_mld() is not yet called. So inside __check_assoc_ies()
the sta entry is treated as non-MLD, which leads to wrongly
fetching PMKSA entry from regular pmksa entry list instead of
ml_pmksa. That results in a connection failure.
Move ap_sta_set_mld() to be used earlier since we already know it is an
MLD peer at that point.
Chenming Huang [Wed, 26 Feb 2025 14:32:20 +0000 (20:02 +0530)]
AP MLD: Define a new MLD-level PMKSA cache shared by all links
Currently PMKSA is only cached on the association link. Subsequent
connections may happen on other links if peer is a non-AP MLD.
Association using SAE might get rejected due to PMKID not found in such
cases.
Define a new PMKSA entry list in struct wpa_authenticator which will be
used in subsequent commits. Initialize ml_pmksa only on the primary link
authenticator and deinitialize it when the last link authenticator is
deinitialized. Other affiliated links share the same instance.
Jouni Malinen [Wed, 26 Feb 2025 10:02:37 +0000 (12:02 +0200)]
Fix current_bss use in checking whether SSID has been verified
The call to wpa_supplicant_update_scan_resuls() might change
wpa_s->current_bss, so need to fetch the ssid/ssid_len again after that
all to avoid potential use of freed memory.
Fixes: 5452a4a30204 ("SSID verification based on beacon protection") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 25 Feb 2025 21:44:47 +0000 (23:44 +0200)]
ERP: Initialize hapd->erp_keys earlier to avoid undefined behavior
This dl_list needs to be initialized earlier since
ieee802_1x_erp_flush() is trying to clear it even in case of failed
interface start that might not have made it all the way to the place
which the dl_list was previously initialized.
Jouni Malinen [Tue, 25 Feb 2025 21:19:30 +0000 (23:19 +0200)]
Avoid undefined behavior in get_vendor_ie()
This might be called with ies == NULL and for_each_element_id() would
try to calculate NULL + 0 in that case. That would be undefined
behavior. Avoid that by checking for ies == NULL just like the other
get_ie*() functions already did.
Jouni Malinen [Tue, 25 Feb 2025 21:01:40 +0000 (23:01 +0200)]
Remove undefined behavior from ieee802_11_defrag()
ieee802_11_defrag() might be called with data == NULL and that would
result in trying to calculate end = data + len = NULL + 0 which is
undefined behavior. Calculate the end pointer only after data has been
checked to not be NULL to avoid this.
Fixes: ec03b71ee999 ("common: Refactor element defragmentation") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Jouni Malinen [Tue, 25 Feb 2025 20:57:40 +0000 (22:57 +0200)]
Fix wpa_supplicant global config bool reading/writing
The generic int parser cannot be used with bool variables since it is
possible for the bool variables to be shorter in size and result in
misaligned read/write. Use a separate set of routines for handling bool
variables to avoid this.
Jouni Malinen [Tue, 25 Feb 2025 20:36:54 +0000 (22:36 +0200)]
mesh: Fix mesh_external_pmksa_cache initialization to cover error cases
The dl_list needs to be initialized before wpa_supplicant_cleanup() can
be called, e.g., due to an early termination caused by failure to
initialize the interface.
Jouni Malinen [Tue, 25 Feb 2025 09:42:02 +0000 (11:42 +0200)]
FT: Do not discard EAPOL-Start frame during initial MD association
Commit c97168f58ae9 ("FT: Discard EAPOL-Start frames when FT was used
for association") started discard EAPOL-Start frames in all cases where
FT is used, including the initial MD association. The exact IEEE 802.11
standard language requiring the STA to perform a new FT initial MD
association when its Supplicant triggers sending of an EAPOL-Start frame
has a condition on this being "after a successful initial mobility
domain association domain", so this would not really apply during the
initial MD association itself.
Relax the conditions on processing EAPOL-Start frames so that they are
still processed during the FT initial mobility domain association, but
are then discarded after that succeeds (i.e., during rest of that
association and any future association started using FT protocol).
- For SUITEB128 the 128-bit strength ciphersuites should appears first
in the list
- Update RSA key strengths
- Update ECC key strengths
- Update tests to pass with wolfSSL. wolfSSL fails as soon as the key is
being loaded if it doesn't match the minimum key strength requirements.
nl80211: Mark HT disabled on channel switch to a 6 GHz channel
During channel switch processing ht_enabled was left enabled for 6 GHz
channels since those cases do not use NL80211_CHAN_NO_HT. This would
show incorrect channel information in the STATUS control interface
command.
Fix this by clearing ht_enabled when a channel switch event is
indicating a switch to a 6 GHz channel.
nl80211: Fix hostapd crash when managing AP MLD interfaces
hostapd crash has been observed in the following scenario: bring up
multiple AP MLD interfaces, delete all AP MLD interfaces using another
user space application like 'iw', and then remove all interfaces in
hostapd.
When deleting an AP MLD interface using another user space application,
the kernel sends the NL80211_CMD_STOP_AP event for each link to hostapd,
hostapd resets valid_links, and sends a remove link command to the
kernel. valid_links will become zero after all the links are removed,
but bss interface will not be removed in hostapd.
In the current design, when removing the link bss interface, the
interface is not removed if the link is not available. When the
interface, which was not removed, is added, it accesses a dangling
pointer of the AP MLD interface and causes the crash.
Fix this by removing the interface even if there are no more links. This
ensures that the AP MLD interface is properly removed, preventing access
to a dangling pointer and avoiding the crash.
With Wireshark 4.4.0 and above, there are slight changes in the filters for
fetching multi-link control elements and STA profile ID lists. Add support
for these updates to ensure the test cases are compatible with the latest
version of Wireshark.
The changes are:
* Multi-Link Control:
wlan.eht.multi_link.control instead of wlan.eht.multi_link_control
* STA Profiles LinkIds: It is now Character string.
Jouni Malinen [Sun, 23 Feb 2025 15:00:09 +0000 (17:00 +0200)]
EAP-TEAP: Check session_id length explicitly to avoid warnings
Some static analyzers might expect tls_get_tls_unique() to be able to
return arbitrarily large values and warn about integer overflow here.
Avoid such incorrect warnings with an explicit check.
Jouni Malinen [Sun, 23 Feb 2025 14:38:11 +0000 (16:38 +0200)]
RNR: Silence static analyzer warnings
The !tbtt_count check seemed to be too complex for static analyzers to
understand that len and total_len have been incremented by at least
RNR_TBTT_HEADER_LEN. Silence the incorrect warning about interget
overflow with explicit checks.
Jouni Malinen [Sun, 23 Feb 2025 14:27:03 +0000 (16:27 +0200)]
nl80211: Debug print setsockopt() failures for NETLINK_EXT_ACK
Even though we explicitly ignore these errors, it is better to print
them into the debug log if for no other reason than to get rid of some
static analyzer warnings about unchecked reutrn values.
Jouni Malinen [Sun, 23 Feb 2025 14:21:45 +0000 (16:21 +0200)]
MLD: Try to avoid static analyzer warnings about tainted variable
*pos was already checked above, but some static analyzers might not
understand that construction when the 8-bit value from the buffer is
assigned after the checks, so check again explicitly to get rid of
incorrect error reports.
Jouni Malinen [Sun, 23 Feb 2025 14:14:50 +0000 (16:14 +0200)]
Use pointer to Action frame body instead of Category field
This will hopefully silence some incorrect static analyzer warnings
about out-of-bounds reads since mgmt->u.action.category is an u8 while
this is really getting a pointer to that location in the Action frame
body and not just the 8-bit Category field.
projects / thirdparty / hostap.git / log
