NAN USD: Trigger USD offload cancellation upon timer expiration
Trigger USD offload cancellation when the timer expires. This ensures
that the USD is canceled for drivers that do not implement a timer to
stop discovery upon timer expiration.
Add MLD information in RNR partial profile, TBTTs, and ML Partner
reporting TBTTs, if a reported AP is an MLD AP. Remove AP MLD checks to
allow non-MLD transmitting interface to include nontransmitting profiles
which are part of an MLD.
MBSSID: Calculate length for MLE in Beacon and Probe Response frames
While building the MLE for Beacon and Probe Response frames, length of
256 is allocated statically but for EMA length of MBSSID IE determines
the periodicity and hence considering a static length for the non
transmitting profile's MLE affects the whole EMA logic.
Fix this by calculating the exact length of the MLE that is to be added
for a BSS.
MBSSID: Add link id for transmitting interface in an AP MLD
Transmitting interface of an MBSSID group can be part of an MLD, hence
interface index is not enough to identify the correct link. Store and
pass the link ID of the transmitted interface to the kernel when
configuring a new non-transmitting profile for an AP MLD.
Logapriya P [Wed, 30 Apr 2025 07:26:25 +0000 (12:56 +0530)]
Add vendor NL event for primary link migration notification
In scenarios where the user application is responsible for load
balancing and communicating the destination MAC address (MLD peer MAC
address) and its primary link ID to the Ethernet-side QCA driver, there
is a need for a notification mechanism to ensure the primary link
changes in WLAN subsystem are communicated to user applications and also
to manage the load of that primary link in a better way.
This vendor NL event addresses above requirement by providing a way for
the user application to be notified about primary link migrations,
allowing it to update its configuration and ensure that other
subsystems, such as Ethernet, use the correct link for communication.
Modify the comments section to extend the usage of the vendor command
QCA_NL80211_VENDOR_SUBCMD_PRI_LINK_MIGRATE as an event to notify user
applications when the primary link has changed.
This event will send the MLD MAC address of the peer and the new link ID
which is set as the primary link.
Signed-off-by: Logapriya P <quic_logapriy@quicinc.com>
nl80211: Fix use-after-free during wiphy event handling
When processing a NL80211_CMD_RADAR_DETECT event, the current driver
interface instance may be deinitialized during the event handler.
The event loop still holds a pointer to the old driver interface,
but using it after deinit can cause a crash.
A previous attempt to fix this relied on checking whether the
interface pointer still appeared in the list of interfaces.
However, that approach is incomplete: if malloc() returns the same
pointer for a newly added interface (as observed occasionally on
glibc 2.31), the check incorrectly assumes the original instance
still exists.
To fix this reliably, this commit introduces a unique instance ID
in the wpa_driver_nl80211_data struct and uses that ID to check
whether the original driver instance is still present in the list.
Fixes: f13683720239 ("nl80211: Pass wiphy events to all affected interfaces") Signed-off-by: Gwen Weinholt <gwen@weinholt.net>
Yuvarani V [Wed, 23 Apr 2025 07:14:47 +0000 (12:44 +0530)]
nl80211: Fix crash by clearing link from valid links after stopping beaconing
During link disable in nl80211_remove_link(), the link to be disabled is
cleared from the valid links before calling
nl80211_update_active_links(). This sequence leads to stopping beaconing
on flink, which results in set beacon failure and causes hostapd to
crash when the removed link is enabled.
Fix this by clearing the link from valid links map after the
nl80211_update_active_links() call.
Fixes: 2fe31050c248 ("nl80211: Use active_links to notify start/stop state of links") Signed-off-by: Yuvarani V <quic_yuvarani@quicinc.com>
Add link ID QCA vendor attributes for MLO SR operation
Add a link ID attribute and nesting to support per link spatial reuse
operation for MLO STA and MLO SAP modes.
Per-link SR parameters are encapsulated within
QCA_WLAN_VENDOR_ATTR_SR_MLO_LINKS nested attribute. Each record includes a
link ID specified by the QCA_WLAN_VENDOR_ATTR_SR_MLO_LINK_ID attribute.
Initialize the skip_buf[] array before using it with EVP_CipherUpdate()
to skip the initial segment of RC4 output. This does not change actual
behavior since the output of that call is not used and it is only there
for changing the internal state of the RC4 cipher. However, this avoids
uninitialized element issues reported in MISRA.
At least some of the previous versions have expired, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
Add new QCA vendor status codes for TWT session terminate event
Add new status codes QCA_WLAN_VENDOR_TWT_STATUS_CHAN_SWITCH_24GHZ,
QCA_WLAN_VENDOR_TWT_STATUS_MLO_LINK_INACTIVE, and extend
QCA_WLAN_VENDOR_TWT_STATUS_SCAN_IN_PROGRESS to use with TWT session
terminate event.
Tx Power Boost is a feature where the driver will send IQ samples data
to the userspace application.
Upon receiving the NL event from the driver, user space application
can read the IQ samples from the memory mapped IO file /dev/txpb and
perform the inference.
Once the inference result is available, user space application can
send NL command with infered result Tx EVM (Error Vector Magnitude) and
Tx Mask Margin values to the driver to boost Tx power.
With commit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), EAPOL frame
reception is always handled by the first bss of wpa_driver_nl80211_data
(drv). Issue is seen when OWE Transition mode is enabled and a peer
connects in OWE BSS (the second BSS) but recieved EAPOL frames are
wrongly handled in the open BSS (the first BSS). Iterate all BSSs to
handle EAPOL frame reception to fix that.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
nl80211: Use i802_bss in nl80211 commands/events for correct ifindex
struct wpa_driver_nl80211_data is used in most of the nl80211 vendor
commands and events. With refactoring of struct wpa_driver_nl80211_data
through commmit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), a single
struct wpa_driver_nl80211_data instance is maintained for each phy.
Since, per BSS context is not present with struct
wpa_driver_nl80211_data, during nl80211 vendor commands and events the
default ifindex associated with per phy struct wpa_driver_nl80211_data
gets used. Thus, this results in sending/receiving of nl80211 messages
on an incorrect interface.
Since i802_bss list maintains the common struct wpa_driver_nl80211_data
context, use it in appropriate APIs to process nl80211 vendor
events/commands.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com> Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
hostapd: Allow reuse of existing interface for AP MLD
Commit 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data
(drv) object across interfaces") adds 2nd AP MLD interface as a new
interface. However, in cases where the interface is already created and
are supposed to be reused, due to the new interface request, addition of
a new AP MLD fails.
Leverage the reuse parameter and handle the additional error code during
interface add for such cases and update the interface mode to
NL80211_IFTYPE_AP.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com> Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
tests: Per-STA Profile subelement fragmentation in MLE
Note that the current mac80211 snapshot does not copy the
non-association link extra IEs and as such, this test case does not
actually end up fragmenting the subelement without a mac80211 fix.
Testing capability to add extra IEs to per-STA profiles in assoc req
Allow wpa_supplicant builds with CONFIG_TESTING_OPTIONS=y to be
configured to add extra IEs to the per-STA profiles in Association
Request frames. This can be used for testing AP MLD behavior.
Pooventhiran G [Fri, 11 Apr 2025 11:28:36 +0000 (16:58 +0530)]
MLD: Defragment Reconfiguration Multi-Link element subelements
While parsing the Reconfiguration Multi-Link element, subelements
carried in the Multi-Link element were not defragmented. Fix this by
defragmenting the subelement before processing to avoid parsing issues.
Pooventhiran G [Fri, 11 Apr 2025 11:28:35 +0000 (16:58 +0530)]
MLD: Defragment MLE subelements in ASSOC-REJECT event parsing
While parsing the Multi-Link element in ASSOC-REJECT event, subelements
carried in the Multi-Link element were not defragmented, rather the
Fragment subelements were skipped. Fix this by defragmenting the
subelement before processing to avoid parsing issues.
Fixes: 5af986c75af4 ("MLD: Also mark links as failed after association failure") Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:34 +0000 (16:58 +0530)]
nl80211: Defragment MLE subelements in CONNECT event parsing
While parsing the Multi-Link element in CONNECT event, subelements
carried in the Multi-Link element are not defragmented. Fix this by
defragmenting the subelement before processing to avoid parsing issues.
Fixes: cc2236299f99 ("nl80211: Get all requested MLO links information from (re)association events") Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:33 +0000 (16:58 +0530)]
AP MLD: Defragment MLE subelements while updating Link Status
While updating link status from the (Re)Association Response frame
elements, subelements carried in the Multi-Link element are not
defragged. Fix this by defragmenting the subelement before processing to
avoid parsing issues.
Fixes: d320692d918a ("AP MLD: Handle new STA event when using SME offload to the driver") Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:32 +0000 (16:58 +0530)]
AP MLD: Defragment MLE subelements in (Re)Association Request
The subelements carried within a Multi-Link element can pack more than
255 bytes, and this is achieved using Fragment subelement similar to how
the Multi-Link element uses Fragment element. However, the current
implementation does not defragment the Fragment subelements and hence
when encountered, parsing fails leading to failing connection.
Fix this by defragmenting the subelements before processing to get a
complete stream of subelement data.
Fixes: 7a7a2256c0ea ("common: Support parsing link specific association request") Fixes: 5f5db9366cde ("AP: MLO: Process Multi-Link element from (Re)Association Request frame") Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Fri, 11 Apr 2025 11:28:31 +0000 (16:58 +0530)]
Helper function for defragmenting of Multi-Link element subelements
Subelements contained within an Multi-Link element can themselves be
fragmented if they pack more than 255 bytes of data using a Fragment
subelement similar to how the Multi-Link element uses a Fragment
element. Add a helper function to enable this nested defragmentation by
parsing subelements in a defragmented Multi-Link element.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
tests: More scan result flushing to make testing more robust
Test case sequence 'scan_chan_switch ssid_utf8' was failing due to a
scan result surviving from the first test case to the second and the old
entry ended up breaking check for the UTF-8 flag. Fix this by explicitly
flushing old scan results.
tests: Verify AP MLD connection with link rejection
Add a test case to simulate rejection of all links other than the one
where association is requested in an ML association and verify
successful connection on accepted links.
AP MLD: Fix Link KDE validation in EAPOL-Key msg 2/4
As per IEEE Std 802.11be-2024, for MLO, when more than one link is
requested and the message 2 is used for the initial 4-way handshake, an
MLO Link KDE for each affiliated STA link containing the affiliated STA
MAC address shall be included by the non-AP MLD for all the affiliated
links present in the Multi-Link element of (Re)Association Request
frame.
When a subset of links are rejected by AP MLD in association response,
its corresponding authenticator object and valid flag is reset in
wpa_state_machine(sm->mld_links[]). n_mld_affiliated_links also gets
decremented.
This causes EAPOL-Key msg 2/4 failure as the non-AP MLD will include
Link KDEs for all affiliated links that it requested in association
request, whereas the AP MLD is expecting it only for accepted links. Fix
this by not decrementing n_mld_affiliated_links when a subset of links
is rejected during association and skipping Link KDE validation for
rejected links.
Currently, for 160 MHz and 320 MHz bandwidths in mesh, availability of
80 MHz subchannels might be validated for wrong 80 MHz subchannels. Due
to this, the final bandwidth selected may be downgraded. Fix this by
validating the correct 80 MHz subchannels.
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
mesh: Fix channel bandwidth configuration for mesh on 6 GHz
Currently, when mesh interface is configured in 80 MHz, the interface is
coming up in 320 MHz bandwidth if the driver supports 320 MHz bandwidth.
Fix this by selecting the correct bandwidth based on max_oper_chwidth
configuration parameter.
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
mesh: Add support for 160 MHz bandwidth in 5 GHz band for mesh
Add support for 160 MHz in 5 GHz band for mesh. Use max_oper_chwidth for
160 MHz bandwidth selection.
Currently, in the hwsim test cases mesh_secure_ocv_mix_legacy and
mesh_secure_ocv_mix_ht, dev0 is configured in 160 MHz bandwidth which
includes DFS channels. But the test case lacks DFS checks and since the
bandwidth downgrades to 80 MHz which excludes any DFS channels, the test
cases pass. With the addition of 160 MHz support, the test cases fail
due to the lack of DFS checks, as dev0 takes longer time to enable. Add
DFS checks to the test cases mesh_secure_ocv_mix_legacy and
mesh_secure_ocv_mix_ht.
For the test cases mesh_secure_ocv_mix_legacy and
mesh_secure_ocv_mix_ht, the regulatory domain is set using iw reg set
which does not update the country in the wpa_s structure, causing the
DFS channels to be disabled. Use control interface to update the
regulatory domain.
Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
P Praneesh [Thu, 10 Apr 2025 11:11:21 +0000 (16:41 +0530)]
mesh: Handle DFS CAC for secondary 80 MHz in 160 MHz cases
Current implementation of DFS channel validation for mesh checks whether
DFS channels are present or not only for the primary 80 MHz channel in
160 MHz bandwidth, but this approach will fail for channels having
non-DFS channels in primary 80 MHz channel and DFS channels in secondary
80 MHz channel in 160 MHz bandwidth. Example: channel 36. Add DFS check
for both primary 80 MHz and secondary 80 MHz channels in 160 MHz
bandwidth to avoid this issue.
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com> Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
P Praneesh [Thu, 10 Apr 2025 11:11:21 +0000 (16:41 +0530)]
mesh: Set VHT/HE channel information for 80 MHz and 160 MHz
For 80 MHz and 160 MHz bandwidths in mesh, CAC needs to be performed for
the DFS channels before the start of transmission. CAC check is based on
hostapd_config structure. Add center frequency segment index and
bandwidth to perform CAC.
Signed-off-by: P Praneesh <quic_ppranees@quicinc.com> Signed-off-by: Suraj P Kizhakkethil <quic_surapk@quicinc.com>
Pooventhiran G [Wed, 9 Apr 2025 18:43:13 +0000 (00:13 +0530)]
Remove duplicate definition of Reconfiguration Multi-Link STA control fields
Definitions for STA Control field contained in the Reconfiguration
Multi-Link element are defined twice. So, remove the duplicate
definitions.
Fixes: d95838b7932b ("AP: Add support for testing ML link removal") Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
nl80211: Use active_links to notify start/stop state of links
During nl80211_stop_ap(), the link map for all valid links is being
cleared. Following this, in the remove interface sequence, since
valid links are not set, driver_nl80211_link_remove() is called,
which removes the BSS for all links, leading to a dangling pointer
access and causing hostapd to crash.
To address this, introduce a separate active_links link map for
struct i802_bss and update this link map only during nl80211_stop_ap()
and when bringing the link back up. The valid_links link map of
struct i802_bss should be used only during the initialization and
deinitialization of the links.
Fixes: e1bf37022e01 ("nl80211: MLO: Process stop AP event on link basis") Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
When a non-AP MLD requests ML association, the wpa_state_machine
(sta->wpa_sm) object for the STA is created while processing IEs of the
link in which the (Re)Association Request frame is received and all link
information is updated to sm->mld_links[].
Later while processing STA profiles, links that don't satisfy the
necessary conditions for the affiliated AP of the AP MLD to accept the
links will be rejected, but these links are still marked as valid in
wpa_sm. This results in unnecessary link KDE mismatch in EAPOL 2/4 and
additional Group KDEs in EAPOL 3/4.
Reset the valid flag of rejected links in wpa_sm and release its wpa
group references.
AP MLD: Avoid reusing ML wpa state machine for non-ML STA
When a STA tries to associate as an MLD initially but doesn't complete
EAPOL due to some reason and reassociates (with the same MAC address)
as a non-ML STA, EAPOL 2/4 fails during MIC verification.
This is because the wpa_state_machine(sta->wpa_sm) is created when the
STA first associates as an ML STA and sm->mld_assoc_link_id is set. Now
when the STA reassociates in non-ML mode (sends Authentication and
Association Request frames without an MLE) the previous STA instance as
well as its previously created wpa_sm will be reused and hence AP MLD's
MLD MAC address is used as AA to derive PTK.
To fix this, reset the sta->wpa_sm if a non MFP or non authorized STA
tries to reassociate.
Also since now sm object is freed directly (without ap_free_sta()),
reset valid flag and release group references for all links.
nl80211: Use active_links to notify start/stop state of links
During nl80211_stop_ap(), the link map for all valid links is being
cleared. Following this, in the remove interface sequence, since
valid links are not set, driver_nl80211_link_remove() is called,
which removes the BSS for all links, leading to a dangling pointer
access and causing hostapd to crash.
To address this, introduce a separate active_links link map for
struct i802_bss and update this link map only during nl80211_stop_ap()
and when bringing the link back up. The valid_links link map of
struct i802_bss should be used only during the initialization and
deinitialization of the links.
Fixes: e1bf37022e01 ("nl80211: MLO: Process stop AP event on link basis") Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Jay Shukla [Thu, 20 Feb 2025 10:36:24 +0000 (16:06 +0530)]
nl80211: Send allowed BSSIDs, if set, for an NL80211_CMD_CONNECT command
Add support for configuring the allowed BSSIDs to the driver with the
vendor command QCA_NL80211_VENDOR_SUBCMD_CONNECT_EXT when using
NL80211_CMD_CONNECT for the connection. This limits which BSSIDs the
driver-based SME can consider for the connection similarly to the
wpa_supplicant-based SME design.
Jay Shukla [Thu, 20 Feb 2025 07:18:36 +0000 (12:48 +0530)]
Add vendor attribute for configuring allowed BSSIDs for connect command
Add a nested attribute of BSSIDs to indicate allowed BSSIDs for
association in QCA_NL80211_VENDOR_SUBCMD_CONNECT_EXT that will provide
an additional constraint for an NL80211_CMD_CONNECT command.
Rohan Dutta [Fri, 28 Mar 2025 14:15:53 +0000 (19:45 +0530)]
BSS: Validate intersected key management of AP MLD links
While parsing Basic MLE from BSS of an AP affiliated to an AP MLD, the
current link (association link) BSS RSNE alone is checked for a matching
key management (key_mgmt) with non-AP MLD. If partner link BSSs of the
current link do not have matching key_mgmt as that of the current link
BSS or non-AP MLD network config, ML Setup still considers all links.
Check AKM suites from all link BSSs and consider only links that have a
common AKM suite that matches the local configuration for ML setup.
Links that do not have compatible RSN parameters are dropped from the
setup.
While fetching key_mgmt from RSN, select which one of the RSNE, RSNOE,
or RSNO2E to use based on what was selected for the association link.
This is needed to verify consistent RSN overriding behavior for ML
associations.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Pooventhiran G [Fri, 28 Mar 2025 14:15:52 +0000 (19:45 +0530)]
BSS: Move RSNE validation during Basic MLE parsing to a new function
While parsing the Basic Multi-link element, key management of the
association link is validated against the network config passed. Move
these checks to a new function to allow them to be used more easily for
checking other affiliated links.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Tianfeng Ren [Wed, 26 Mar 2025 05:42:02 +0000 (11:12 +0530)]
ACS: Validate 6 GHz AP criteria before ACS
Ensure that the 6 GHz AP criteria (RSN parameters) are met before
selecting the ACS candidate channels. Currently, hostapd includes 6 GHz
channels as ACS candidates. However, if the BSS configuration does not
comply with 6 GHz AP criteria, ACS might inadvertently start an 6 GHz AP
with configuration that does not meet RSN configuration requirements for
the 6 GHz band.
Add a validation step to check 6 GHz AP criteria before ACS candidates
channel selection.
Jouni Malinen [Fri, 28 Mar 2025 08:33:18 +0000 (10:33 +0200)]
Prefer GCMP-256 over CCMP-256 as the pairwise/group cipher
While there is not any significant reason from the protocol or security
view points, there is significant difference in how much testing and
deployment there has been for these cipher suites. GCMP-256 is the
expected cipher suite to be used for new Wi-Fi 7 deployments and there
is more or less no deploymeny of CCMP-256 or plans for trying to change
that.
While selecting either option in cases where both ciphers have been
enabled, likelihood of interoperability issues due to limited testing is
higher with CCMP-256. As such, prefer GCMP-256 over it whenever there is
option to select either of those two ciphers.
Adam Baumann [Thu, 27 Mar 2025 02:57:27 +0000 (13:57 +1100)]
DPP: Stop scheduled scans from blocking the PB discovery scan
DPP PB interactions cannot start during a scheduled scan as the initial
discovery scan will be blocked indefinitely. This can be fixed by
canceling an ongoing scheduled scan before performing the DPP PB
discovery scan.
Signed-off-by: Adam Baumann <adam.baumann@morsemicro.com>
Kashish Awasthi [Tue, 18 Feb 2025 09:28:51 +0000 (14:58 +0530)]
Add new QCA vendor roam control attributes
Add new roam control vendor attributes to configure the roaming
parameters dynamically.
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_WEIGHTAGE_2P4GHZ,
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_WEIGHTAGE_5GHZ and
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_WEIGHTAGE_6GHZ controls the
band weightage given for candidate APs on 2.4 GHz, 5 GHz and 6 GHz
respectively.
QCA_ATTR_ROAM_CONTROL_CANDIDATE_SCORE_THRESHOLD_PERCENTAGE
controls the minimum required score threshold in percentage for an AP to
be considered as a roaming candidate.
QCA_ATTR_ROAM_CONTROL_CONNECTED_LOW_RSSI_THRESHOLD_DECREMENT configures
the decremental RSSI value to be used for next low RSSI roam scan
trigger.
QCA_ATTR_ROAM_CONTROL_PERIODIC_ROAM_SCAN_INTERVAL sets the
interval for repeated roam scans until a candidate found.
Aloka Dixit [Thu, 6 Mar 2025 21:09:49 +0000 (13:09 -0800)]
hostapd: Use EHT params for punct_update_legacy_bw()
Puncturing is supported from EHT onwards hence legacy bandwidths need to
be downgraded in case of a non-zero puncturing bitmap.
hostapd_eid_vht_operation() passes VHT bandwidth, seg0, and seg1 while
calling punct_update_legacy_bw() but puncturing bitmap is from EHT. This
may result in incorrect calculations.
Issue is more obvious in case of 320 MHz where starting VHT bandwidth
can be 160 MHz as 320 MHz is not supported. Value for EHT 'bitmap' can
have 16 valid bits but punct_update_legacy_bw() considers only lower 8
bits as VHT 'width' is passed which is is 160 MHz. It may still work if
the primary channel is in the lower 160 MHz because then VHT bandwidth
spans only lower 8 bits of the bitmap. But if the primary channel is in
higher 160 MHz, and if the bitmap has any of the higher 8 bits set to 1,
expectation is VHT bandwidth should be downgraded even further to 80
MHz. But punct_update_legacy_bw() returns without taking any action as
the higher 8 bits of the bitmap get completely ignored.
Use all EHT parameters instead of VHT to calculate legacy bandwidths.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Hu Wang [Tue, 25 Mar 2025 06:12:03 +0000 (23:12 -0700)]
hostapd: Fix static analyzer issue for CHAN_SWITCH 6 GHz bw
Static analyzer complains:
In hostapd_ctrl_check_freq_params(), Array 'bw_idx' of size 5
may use index value(s) 5.
The highest value that center_idx_to_bw_6ghz(idx) can currently return
is 4, so this is not really able to trigger read beyond the end of the
array. In any case, the bounds check is clearly incorrect and needs to
be fixed so that this is able to handle any potential future extension.
Wu Gao [Tue, 18 Mar 2025 03:20:17 +0000 (20:20 -0700)]
Add vendor attribute to enable DFS No Wait support
This change adds QCA_WLAN_VENDOR_ATTR_CONFIG_DFS_NO_WAIT_SUPPORT to
enable DFS No Wait support.
If an AP starts on a channel with a bandwidth larger than 20 MHz,
which includes both DFS required and non DFS required subsets, it
should begin beaconing immediately on the non DFS required subset
while simultaneously monitoring for radar events once the DFS No Wait
feature is enabled.
Karthik M [Tue, 18 Mar 2025 11:20:33 +0000 (16:50 +0530)]
AP MLD: Fix ACS and HT scan related issues
1. hostapd crash due to NULL pointer access:
When the AP is configured with auto channel selection in the 2.4 GHz
band and a static channel in the 5 GHz band with a bandwidth greater
than 20 MHz, hostapd crashes due to a NULL pointer access in the
hostapd_event_get_survey() function. The ACS is activated for the 2.4
GHz band, initiating a scan with a 20-second timeout. The 2.4 GHz band
updates the scan context accordingly. When the 5 GHz band is
initialized, a 5 GHz HT40 scan is attempted due to the bandwidth
exceeding 20 MHz. However, the driver returns a "Resource busy" message
because of the ongoing ACS scan. A 5 GHz HT40 scan starts an eloop timer
for a retry. The 5 GHz HT40 scan retry timer is triggered, and in the
meantime, ACS scan results for the 2.4 GHz band are received. The 5 GHz
HT40 scan is then prioritized, and the driver initiates a scan,
overriding the scan context of the 5 GHz band.
When the ACS event survey is processed, it uses the updated scan
context. During the survey event processing, the scan callback for the
partner link (2.4 GHz ACS) is handled, which leads to a crash.
Crash backtrace:
0x00000055851dce94 in dl_list_add
(list=0x0, item=0x7f87e82378)
0x00000055851dcef4 in dl_list_add_tail
(list=0x7f8802baa8, item=0x7f87e82378)
0x00000055851e2ac8 in hostapd_event_get_survey
(iface=0x7f8805c020, survey_results=0x7ff1940ef8)
0x00000055851e4de4 in hostapd_wpa_event
(ctx=0x7f88060b50, event=EVENT_SURVEY, data=0x7ff1940ef8)
0x00000055852bd918 in wpa_driver_nl80211_get_survey
(priv=0x7f880c7390, freq=0, acs_exclude_6ghz_non_psc=false)
0x0000005585378e84 in hostapd_set_oper_centr_freq_seg0_idx
(conf=0x7f886e7070, oper_centr_freq_seg0_idx=0 '\000')
0x000000558537bf8c in acs_study
(iface=0x7f886f0030)
0x00000055851e48a0 in hostapd_wpa_event
(ctx=0x7f88060b50, event=EVENT_SCAN_RESULTS, data=0x7ff19411e8)
0x00000055852d3364 in send_scan_event
(bss=0x7f880c7390, aborted=0, tb=0x7ff1941878, external_scan=0)
0x00000055852d8570 in do_process_drv_event
(bss=0x7f880c7390, cmd=34, tb=0x7ff1941878)
0x00000055852d8fec in process_global_event
(msg=0x7f87fbddb0, arg=0x7f88119540)
2. Intermittent 5 GHz link bringup failure:
In a 16 AP MLD and one monitor VAP configuration, there is an
intermittent 5 GHz low or 5 GHz high link bringup failure observed on a
5 GHz low - 5 GHz high supported RDP due to CAC start failure.
When a scan trigger is done by hostapd for link 0 (low radio),
bss->scan_link is of link 0. Since the scan of link 0 is completed in
kernel/MAC80211, -EBUSY is not returned by hostapd_driver_scan()
function. A scan trigger is done by hostapd for link 2 (high radio).
Now, bss->scan_link is of link 2. Meanwhile, scan results are received
in the hostapd from the kernel for low radio frequencies. Since
bss->scan_link is of link 2, mld_link ctx is stored for link 2 instead
of link 0. This leads to interface bringup of the high radio
frequencies, and CAC start is done, leading to a scan in progress error
from the kernel.
Fix both the issues by starting the driver scan within
hostapd_driver_scan() function only if the scan is completed in the
partner links. If the scan is still in progress, return -EBUSY. The
callers of hostapd_driver_scan, which are ieee80211n_check_40mhz()
function and ap_ht40_scan_retry() function in this case, will call
ap_ht40_scan_retry() function after a timeout.
sunilravi [Fri, 21 Mar 2025 22:23:03 +0000 (22:23 +0000)]
Prevent mesh_fwding field in network config when CONFIG_MESH is disabled
mesh_fwding and no_auto_peer configuration items are parsed within ifdef
CONFIG_MESH, but they are written without matching conditional
compilation. This could result in configuration files that cannot be
read back by the same wpa_supplicant binary if either of those
configuration values could end up getting modified.
Make the configuration file writing code use matching ifdef CONFIG_MESH
for these parameters to be consistent with the configuration reader.
sunilravi [Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)]
OpenSSL: Fix EAP-TLS connection failure in Android
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.
Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined" broke the logic to load the client private
key in Android which resulted in EAP-TLS connection failure. With this
change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined.
Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.
Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined") Signed-off-by: sunilravi <sunilravi@google.com>
Jouni Malinen [Sun, 23 Mar 2025 08:25:34 +0000 (10:25 +0200)]
Revert "OpenSSL: Fix EAP-TLS connection failure in Android"
This reverts commit b5c7f20804655de31114e17524735691cf0e2798 to allow a
more complete change to be used for addressing the issue with the
earlier commit on Android.
sunilravi [Fri, 21 Mar 2025 18:07:37 +0000 (18:07 +0000)]
P2P2: Fix the argument list in wpas_p2p_usd_elems() for non-P2P build
The wpas_p2p_usd_elems() expects two arguments. But the stub function in
p2p_supplicant.h when CONFIG_P2P is disabled has only one argument. Fix
the build error by adding the service name argument in the
wpas_p2p_usd_elems().
Fixes: c96fd75b1841 ("P2P2: Add USD service hash in the P2P2 PASN M1 frame") Signed-off-by: sunilravi <sunilravi@google.com>
sunilravi [Fri, 21 Mar 2025 02:14:23 +0000 (02:14 +0000)]
OpenSSL: Fix EAP-TLS connection failure in Android
In Android, the client private key is stored in the keystore engine and
the code depends on OPENSSL_NO_ENGINE defined in BoringSSL to load the
private key.
Commit 400b89162294 ("OpenSSL: Use pkcs11-provider when
OPENSSL_NO_ENGINE is defined" broke the logic to load the client private
key in Android which resulted in EAP-TLS connection failure. With this
change pkcs11-provider is used when OPENSSL_NO_ENGINE is defined.
Fix the issue by adding conditional compilation check for Android
platform to avoid using Provider API.
Fixes: 400b89162294 ("OpenSSL: Use pkcs11-provider when OPENSSL_NO_ENGINE is defined") Signed-off-by: sunilravi <sunilravi@google.com>
Rohan Dutta [Fri, 21 Mar 2025 09:38:04 +0000 (15:08 +0530)]
Fix sibling scan results update criteria for different channels
When scan results are received for a wpa_s instance, currently, other
wpa_s instances sharing the radio (siblings) will get updated with the
same scan results to reduce scan time.
But if the scan frequencies included in the requests for these siblings
are different, especially when they are exclusive when one wpa_s is a
non-AP MLD with 2.4 GHz and 5 GHz links and another wpa_s is a single
link non-AP MLD with 6 GHz link, the siblings will lose scan results for
the desired frequencies. Fix the sibling scan results update by checking
that they scan the same frequencies and they are not MANUAL_SCAN.
Fixes: 6859f1cb2407 ("Enable sharing of scan result events among virtual interfaces") Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
Aaradhana Sahu [Fri, 21 Mar 2025 04:42:13 +0000 (10:12 +0530)]
AP MLD: Fix DFS error message during per station profile generation
When two or more radios are configured in automatic channel selection (ACS)
mode, one radio completes ACS and starts generating per-station profiles
for all links during the beacon frame set. However, the other radio is
still in ACS mode, resulting in the following error messages in the
hostapd log:
Failed to check if DFS is required; ret=-1
To address this, generate per-station profiles for the links that have
already completed ACS.
Jouni Malinen [Thu, 20 Mar 2025 21:18:52 +0000 (23:18 +0200)]
tests: Fix eap_proto special cases for EAP ID
The EAP-Success cases with id off by 2 or 3 need to handle the special
cases where the id wraps around over the maximum value to avoid failures
when the random id value from hostapd ends up being close enough to the
maximum value.
RSNO: Set STA MFP flag based on the RSN/override negotiation
Currently, while determining the management frame protection (MFP)
setting for a STA, if any of ieee80211w/rsn_override_mfp/override_mfp_2
is set, it is assumed that the AP is MFP capable/required.
In case the AP has following configuration:
ieee80211w=0
rsn_override_mpf=1
rsn_override_mfp_2
and the station has set MFPC in its RSNE and not using RSNO, the AP
determines this association to use MFP and sends IGTK to this station as
well as sets the MFP flag for this STA in the driver.
Since the STA is not using RSNO and has seen MFPC set to 0 in the RSNE
of AP's beacon/probe it will consider the association as non-MFP. This
results in drop of robust Management frame between the AP and the STA.
Fix this by determining AP MFP capability based on the station's RSN
negotiation method (RSNE/RSNOE/RSNO2E) and set the STA MFP flag
accordingly.
Fixes: 12f1edc9e94a ("RSNO: Generate IGTK if any of the RSN variants has PMF enabled") Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
AP MLD: Avoid deletion of ML station if some links are rejected
When a non-AP MLD requests ML association, an AP MLD will validate the
association request elements present in the parent profile as well as
the elements present in each STA profile of MLE to decide if link(s) can
be accepted. While doing so if some of the mandatory elements (say,
Capabilities, Basic rates, RSNEs, etc.) don't satisfy the necessary
conditions for the affiliated AP of the AP MLD to accept the link, the
link will be rejected.
In ieee80211_ml_process_links() this rejection happens even before the
link station entry is added to the driver and while trying to free this
sta object, __ap_free_sta() tries to delete the link station from the
driver which was never added at all and eventually this operation fails.
Currently if deletion of a link station fails hostapd deletes the whole
ML station from the driver but in the above scenario the other link(s)
are accepted. Such deletion results in complete association failure.
Fix this by not proceeding to delete the ML station completely if a
deletion of a link station fails. By design each link station entry of
hostapd should be scheduled for deletion and when the association link
station entry is scheduled for deletion, the ML station will be deleted
from the driver.
Fixes: a6d92da9aa44 ("AP MLD: Support removal of link station from AP") Signed-off-by: Gautham Kumar Senthilkumaran <quic_gauthamk@quicinc.com> Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Michael-CY Lee [Thu, 20 Mar 2025 00:53:28 +0000 (08:53 +0800)]
AP MLD: Always process every link in association request
Error might happen when handling one of the link(s) in association
request, but immediately returning causes missing of status code of
the unprocessed link(s) in association response.
Always processing every link in association request ensures that every
link has it status code in the association response.
Fixes: 03e89de47b6c ("AP MLD: Process link info when handling new STA event with driver SME") Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com> Signed-off-by: Money Wang <money.wang@mediatek.com>
Jouni Malinen [Wed, 19 Mar 2025 19:21:01 +0000 (21:21 +0200)]
tests: Allow more time for connection in sae_anti_clogging_during_attack
This almost-a-busy-loop approach for testing SAE anti-clogging token
under an attack is not really robust with UML time-travel. Add a
time-based option for continuing the test instead of just fixed limit on
the number of loop iterations to make this somewhat more likely to
succeed.
Benjamin Berg [Tue, 18 Mar 2025 10:19:56 +0000 (11:19 +0100)]
SAE: Explicitly clear SAE(k)
The code never cleared SAE(k) and the data could remain on the stack for
a longer period of time. This caused a test failure when running with
ASAN enabled.
Explicitly clear the variable to ensure no data is leaked.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
nl80211: Set bss flink frequency for non-ML AP BSS
Currently nl80211 BSSs (struct i802_bss) flink->freq is initialized to
drv->first_bss->flink->freq in wpa_driver_nl80211_if_add(). In case of
single drv model, this results in frequency of the first BSS of the
first radio (say, on the 2.4 GHz band) being set to all the BSSs of the
drv though they can belong to different radios and thereby operating on
different frequencies.
wpa_driver_nl80211_send_mlme() uses bss->flink->freq to send Management
frames to the driver which fails as the driver complains that the TX
frequency doesn't match its operating frequency.
Currently in wpa_driver_nl80211_set_ap(), for ML BSS the above mentioned
default value is overridden whenever beacon is set. Fix this by
overriding link frequency also for non-ML BSSs.
Jouni Malinen [Tue, 18 Mar 2025 09:17:36 +0000 (11:17 +0200)]
AP MLD: Cancel per-STA eloop timeouts for all wpa_auth instances
Now that AP MLD can use shated wpa_auth instances, the eloop timeouts
registered for wpa_auth,sm tuples might end up getting registered and
unregistered with different wpa_auth instance. Use the ELOOP_ALL_CTX
wildcard to ensure the per-STA timeouts do actually get canceled. This
avoids some cases where hostapd could have crashed due to leaving behind
a reference to wpa_auth,sm pointers that might get freed.
Jouni Malinen [Mon, 17 Mar 2025 20:52:17 +0000 (22:52 +0200)]
tests: Use proper EAP identifier tracking in eap_proto testing
There is not really any need to maintain the identifier context over
multiple processed EAP message when the previously used value is
available from the response message from the peer.
Replace ctx['id'] with hardcoded start point and incrementation with
parsing the identifier from the received message. Use that ID in
EAP-Success and EAP-Failure and that id+1 (mod 256) in other EAP
messages.
This simplifies the implementation a bit and makes the EAP server behave
according to the EAP specification (with the couple of exceptions in
places where special corner cases are validated). For most parts, this
is a direct replacement of the previous ctx['id'] with id/id_prev
derived from the received message, but a couple of places where using a
bit strange constructs to work around constraints in the previous
design. Using proper ID values in the EAP header removes need for such
workarounds.
Vinay Gannevaram [Sun, 26 Jan 2025 19:33:13 +0000 (01:03 +0530)]
Add QCA vendor attribute for NDP latency and throughput configuration
Introduce a vendor attribute for NDP to configure dynamic parameters
using the subcommand QCA_WLAN_VENDOR_NDP_SUB_CMD_UPDATE_CONFIG. The
maximum latency for NAN data packet transmission and reception, and
the expected throughput can be configured after the NDP setup
establishment using update configuration command with given NDP
instance ID.
Drivers would modify or adjust the NDP slots to meet the latency and
throughput requirements.
P2P2: Get ID of device identity block from wpas_p2p_validate_dira()
Upper layer components can now use the P2P_VALIDATE_DIRA command to
retrieve the device identity key identifier, which is necessary to
initiate P2P reinvoke to an existing group.
Vinay Gannevaram [Sun, 19 Jan 2025 08:01:58 +0000 (13:31 +0530)]
nl80211: Determine capability for P2P-R2 and PCC mode
Set the capability flag based on the nl80211 vendor feature
advertisement for P2P-R2 and PCC modes. By default, enable this for all
other drivers (i.e., any driver not supporting the QCA feature
capability indication) until a specific capability is defined to enable
or disable it.
Vinay Gannevaram [Thu, 20 Feb 2025 06:20:22 +0000 (11:50 +0530)]
P2P2: Add support to fetch the P2P2 and PCC capability
Add support to fetch the P2P2 and PCC capability from wpa_supplicant.
This defines the driver capability bits for this and the control
interface extension. The actual driver capability fetching will be
handled in future commit(s).
Vinay Gannevaram [Thu, 20 Feb 2025 09:58:08 +0000 (15:28 +0530)]
P2P2: Indicate bootstrapping comeback response to upper layers
The bootstrapping comeback response is managed by wpa_supplicant and is
not communicated to the upper layers. However, it is essential for the
upper layers to be aware of the status of ongoing bootstrapping requests.
Notify the upper layers of the bootstrapping comeback response. Modify
the D-Bus interface for bootstrapping indications (instead of providing
a new signal such for this new extended purpose) as this has not yet
been used and is a recently added parameter.
Jouni Malinen [Wed, 5 Mar 2025 17:04:41 +0000 (19:04 +0200)]
tests: Use more specific validation for beacon protection
Instead of requiring the driver to reported unprotect Beacon frame,
include CSA and ECSA in the bogus Beacon frames and verify that the
driver does not indicate start of a channel switch.
AP MLD: Fix hostapd crash during interface deinit with non-ML BSS
Currently a single drv object (wpa_driver_nl80211_data) is shared across
different hostapd interfaces (struct hostapd_iface) if all the
interfaces belong to same underlying wiphy. When hostapd process is
killed, interfaces are deinitialized one after other in a loop. If the
first BSS of an interface is a non-ML BSS, in hostapd_cleanup_driver()
the shared drv is freed up while cleaning up the first interface itself
and the rest of the interfaces try to access/free the same drv object
resulting in segmentation fault.
To fix this, check if the drv is still shared with any other interface
regardless of MLO (currently this check is done only if the first BSS of
an interface is an ML BSS). If drv is shared, reset its reference and
allow the last interfaces that is using the drv to free the same.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com> Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
BSS: Validate partner link BSSs while parsing Basic MLE
When the Basic MLE from the AP is parsed, wpa_scan_res_match() is called
for only the association link when the BSS params from the RNR element
is set with colocated AP or same SSID bits. Even if the affiliated APs
of the AP MLD have configurations incompatible with the non-AP MLD,
association will be attempted with all the links. An AP MLD is required
to have compatible parameters in all affiliated APs, but it is not
guaranteed that all deployed AP MLDs are compliant with this
requirement.
Enable wpa_scan_res_match() for affiliated AP BSSs as well by removing
RNR BSS params check so that the affiliated APs that fail the checks are
skipped and connection is downgraded to a smaller number of links by
including only the links with compatible configuration. BSSs are still
filtered from the RNR TBTT info based on the MLD ID subfield contained
in the MLD params subfield. While at it, skip some checks for other
affiliated APs which are meant only for the association link.
Fixes: a3020f852e1c ("MLD: Use BSS Parameters in TBTT Info to check SSID match") Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Thirusenthil Kumaran J <quic_thirusen@quicinc.com>
Jouni Malinen [Mon, 3 Mar 2025 18:32:23 +0000 (20:32 +0200)]
MLD: Verify Per-STA Profile subelement length in reconf MLE
Strictly speaking, it is not sufficient to verify that there is enough
space in the Link Info field, but the legth of the Per-STA Profile
subelement needs to be checked as well before using the STA Control
field value. There could be another subelement after the Per-STA Profile
subelement and if the Per-STA Profile subelement would be too short,
data from that following subelement could have been used. This is a
theoretical case, but anyway, better be stricter in verifying the length
fields in this type of cases.
Pooventhiran G [Sat, 1 Mar 2025 05:52:51 +0000 (11:22 +0530)]
MLD: Fix Reconfiguration Multi-Link element parsing on non-AP MLD
The Common Info field in the Reconfiguration Multi-Link element is
extensible with its Length subfield indicating the total length of the
field. Accept any value of Length subfield larger than the calculated
length based on the presence bitmap to support extensibility. Use the
value of the Length subfield instead of the calculated minimum length
when determining where the following Link Info field starts.
Vinay Gannevaram [Fri, 14 Feb 2025 12:34:28 +0000 (18:04 +0530)]
Update the link BSS pointer during BSS reallocation on scan results
When updating the BSS during a scan results event, reallocation of the
BSS due to needing more room for IEs results in a new allocation and the
pointer changing. Update the link BSS pointer to the newly allocated BSS
similarly to the other cases that were covered previously. This is
needed to avoid use of freed memory in some MLO cases.
Martínek Petr [Tue, 25 Feb 2025 08:18:06 +0000 (08:18 +0000)]
MACsec: Add option to always include ICV Indicator
Some older MACsec switches incorrectly require ICV Indicator to be
present even when ICV has default length (Cisco C3560CX). To allow
communication with such devices option include-icv-indicator was added
to always include ICV Indicator.
Similar option is found in configuration of some other switches:
Cisco:
include-icv-indicator - this parameter configures inclusion of the
optional ICV Indicator as part of the transmitted MACsec Key Agreement
PDU (MKPDU). This configuration is necessary for MACsec to interoperate
with routers that run software prior to IOS XR version 6.1.3. This
configuration is also important in a service provider WAN setup where
MACsec interoperates with other vendor MACsec implementations that
expect ICV indicator to be present in the MKPDU.
fortiswitch:
include-mka-icv-ind: The MACsec Key Agreement (MKA) integrity check
value (ICV) indicator is always included. (enabled by default)
Signed-off-by: Petr Martínek <petr.martinek at elvac.eu>
projects / thirdparty / hostap.git / log
