Ainy Kumari [Tue, 27 Jan 2026 10:50:11 +0000 (02:50 -0800)]
Use MLD MAC address in wpa_sm_store_ptk() to support MLO in PTKSA cache
For MLO connections, the PTK is derived for the MLD and should be
associated with the MLD MAC address rather than the per-link BSSID.
Update the logic to use the MLD MAC address for MLO and BSSID for
non-MLO scenarios, respectively.
Amith A [Thu, 29 Jan 2026 16:15:24 +0000 (21:45 +0530)]
Add QCA vendor attributes for Estimated Service Parameters (ESP) feature
Add new vendor attributes for Estimated Service Parameters (ESP) related
parameters such as airtime fraction, PPDU duration, Block Ack (BA)
window size, and ESP Inbound element advertisement enable status. These
attributes can be used to configure or report values of ESP parameters
between userspace and the driver/firmware.
Meng Yuan [Thu, 15 Jan 2026 03:02:33 +0000 (11:02 +0800)]
Introduce a new QCA vendor command for host driver TX/RX counters
Add new vendor TX/RX counters to retrieve host/driver side specific
counters and drop counts.
Standard interfaces (e.g., station dump) typically report aggregated
HW+SW statistics. This interface exposes separate host-side counters
to allow userspace to obtain host-level specific data, distinguished
from firmware/hardware statistics.
nl80211: Configure 'enable DW notification' NAN flag
Add enable_dw_notif flag to NAN cluster configuration parameters. This
flag is needed to toggle DW notifications generated by kernel in case
user space DE implementation is used.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Currently, NAN support is assumed if NAN device interface is supported.
Since wpa_supplicant NAN implementation is intended to work with new
drivers and kernel only, make sure
WPA_DRIVER_FLAGS_NAN_SUPPORT_SYNC_CONFIG flag is set.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add new NAN driver flags to indicate support for:
- Synchronization offload and support for additional NAN sync
parameters.
- Support for user space NAN DE implementation which requires the
driver to send DW notification and be able to transmit and receive
SDF frames over NAN device interface with the correct timing.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
To support synchronized NAN Discovery Engine (DE) in wpa_supplicant, the
driver will report two new events:
NAN_CLUSTER_JOIN: This event is sent whenever a new NAN cluster is
started or joined. This event carries the new cluster id, which will be
used to construct SDFs.
NAN_NEXT_DW: A notification about an upcoming Discovery Window (DW).
This event is optional and may be turned on and off. It is used to
trigger multicast SDF transmissions during the upcoming DW.
Define these events and add the functions needed for delivering them to
nan_supplicant.c.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Tue, 23 Dec 2025 11:45:58 +0000 (13:45 +0200)]
nl80211: Support NAN Device interface
Add support for getting NAN Device interface capabilities from the
kernel and support adding a NAN Device interface.
As the NAN device interface is created with NL80211_ATTR_SOCKET_OWNER,
meaning that the NAN events would be sent on the socket that was used
for creating the interface, use a dedicated socket for the NAN Device
interface creation, to avoid races between kernel asynchronous events,
and kernel responses for commands sent from wpa_supplicant.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Tue, 23 Dec 2025 11:45:57 +0000 (13:45 +0200)]
NAN: Add wpa_supplicant control interface commands for NAN
Add control interface commands to start/stop NAN operation. All the NAN
commands should be handled only on the control interface associated with
the NAN Device interface.
Add indication for NAN support when querying for capabilities.
Priyansha Tiwari [Tue, 27 Jan 2026 11:52:09 +0000 (17:22 +0530)]
Fix SIGSEGV in eloop during shutdown
eloop_destroy() frees the eloop.signals array but was not unregistering
the signal handlers. A signal received during shutdown could trigger
eloop_handle_signal(), accessing the freed memory and causing a crash
(Use-After-Free).
This fix unregisters all signals (resets to SIG_DFL) in eloop_destroy()
before freeing eloop.signals to ensure safe shutdown.
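The shutdown ordering described in this commit message, as an added example that is not hostap code: a simplified signal table in which every `demo_*` name is constructed for illustration. The handler dereferences a heap-allocated table, so `demo_destroy()` resets each disposition to SIG_DFL before calling `free()`.

```c
#include <signal.h>
#include <stdlib.h>

/* Simplified model of a signal table owned by an event loop.
 * All demo_* names are hypothetical; this is not the eloop source. */
struct demo_signal {
	int sig;
	volatile sig_atomic_t signaled;
	void (*handler)(int sig, void *ctx);
	void *ctx;
};

static struct demo_signal *demo_signals;
static int demo_signal_count;

/* Asynchronous handler: it walks the heap-allocated table, so it must
 * never be reachable once that table has been freed. */
static void demo_handle_signal(int sig)
{
	int i;

	for (i = 0; i < demo_signal_count; i++) {
		if (demo_signals[i].sig == sig)
			demo_signals[i].signaled++;
	}
}

int demo_register_signal(int sig, void (*handler)(int, void *), void *ctx)
{
	struct demo_signal *tmp;

	tmp = realloc(demo_signals, (demo_signal_count + 1) * sizeof(*tmp));
	if (!tmp)
		return -1;
	tmp[demo_signal_count].sig = sig;
	tmp[demo_signal_count].signaled = 0;
	tmp[demo_signal_count].handler = handler;
	tmp[demo_signal_count].ctx = ctx;
	demo_signals = tmp;
	demo_signal_count++;
	if (signal(sig, demo_handle_signal) == SIG_ERR) {
		demo_signal_count--;
		return -1;
	}
	return 0;
}

/* Run the callbacks for flagged signals from normal (non-signal) context.
 * Returns the number of callbacks dispatched. */
int demo_process_pending(void)
{
	int i, n = 0;

	for (i = 0; i < demo_signal_count; i++) {
		if (!demo_signals[i].signaled)
			continue;
		demo_signals[i].signaled = 0;
		demo_signals[i].handler(demo_signals[i].sig, demo_signals[i].ctx);
		n++;
	}
	return n;
}

/* Returns 1 if demo_handle_signal is the current disposition for sig. */
int demo_handler_installed(int sig)
{
	void (*prev)(int) = signal(sig, SIG_DFL);

	if (prev == SIG_ERR)
		return -1;
	if (prev != SIG_DFL)
		signal(sig, prev); /* put back what was there */
	return prev == demo_handle_signal;
}

int demo_registered_count(void)
{
	return demo_signal_count;
}

/* Safe teardown: detach the handlers first, then release the table. */
void demo_destroy(void)
{
	int i;

	for (i = 0; i < demo_signal_count; i++)
		signal(demo_signals[i].sig, SIG_DFL);
	free(demo_signals);
	demo_signals = NULL;
	demo_signal_count = 0;
}

/* Sample callback used by main(): counts deliveries in *ctx. */
void demo_count_cb(int sig, void *ctx)
{
	(void) sig;
	(*(int *) ctx)++;
}

int main(void)
{
	int hits = 0;

	if (demo_register_signal(SIGTERM, demo_count_cb, &hits) < 0)
		return 1;
	raise(SIGTERM);
	demo_process_pending();
	demo_destroy();
	return (hits == 1 && demo_handler_installed(SIGTERM) == 0) ? 0 : 1;
}
```
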
Jouni Malinen [Mon, 26 Jan 2026 17:39:58 +0000 (19:39 +0200)]
tests: Fix nan_usd_match_p2p termination
The NAN subscribe and publish cancellation commands used incorrect
parameter names and there was not enough time to allow the cancellation
to occur before terminating the parallel group. Fix these to avoid
reporting failures due to a race condition and parallel operations in
the end.
Benjamin Berg [Fri, 21 Nov 2025 10:05:53 +0000 (11:05 +0100)]
AP: Keep channel survey over regulatory changes
When updating the HW modes after a regulatory change, the internal lists
for the current survey would be lost, resulting in a crash when fetching
the survey results later on. This can happen if the regulatory changes
because of the ACS scan.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Fri, 21 Nov 2025 10:05:52 +0000 (11:05 +0100)]
AP: Guard against survey list not being initialized
Do not try to store survey information in the unusual event that the
channels survey_list is not initialized. That should not usually happen,
but could, e.g., be the case if the regulatory changes and new channels
are added after the ACS scan was started.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
LibreSSL: Fix compilation against LibreSSL >= 4.2.0
The type for the callback function in SSL_set_session_secret_cb() was
changed following the newer OpenSSL and BoringSSL scheme. Fix this by
adding the new LibreSSL version to the existing versions checks.
Signed-off-by: Johannes Nixdorf <johannes@nixdorf.dev>
Jouni Malinen [Mon, 26 Jan 2026 17:02:03 +0000 (19:02 +0200)]
wpa_passphrase: Fix reading password without TTY
Terminal echo disabling ended up breaking the cases where a password is
read from a file redirection or pipe. Fix this by skipping that change
if there is no TTY.
Fixes: 5102d7411f01 ("wpa_passphrase: Disable terminal echo when reading from stdin")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Benjamin Berg [Thu, 30 Oct 2025 17:56:06 +0000 (18:56 +0100)]
tests: Add test that fails the MLD association after hostapd success
This test checks the flow where an error happens on the first
association attempt but everything looks fine from the perspective of
the AP. In this case, the AP will receive a second authentication even
though it thinks the client is already associated.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Jouni Malinen [Sun, 25 Jan 2026 18:17:24 +0000 (20:17 +0200)]
AP MLD: Clear wpa_sm entries for all STAs when freeing a wpa_sm
While the use of clear_wpa_sm_for_each_partner_link() is supposed to
handle this, add a more robust approach for making sure no pointers to
freed wpa_sm instances are left behind regardless of how the non-AP MLD
partner STA entries are handled in cases where the same MAC address is
used in ML and non-ML cases.
Jouni Malinen [Sun, 25 Jan 2026 18:05:01 +0000 (20:05 +0200)]
AP MLD: Cover wpa_sm clearing in authentication handling for ML STA
Clearing of wpa_sm for non-ML STAs ended up with possibility for a
previously generated ML STA entry to free sta->wpa_sm on one of the
links while leaving the other links potentially pointing to the freed
wpa_sm. Fix that by reordering code to allow the STA entry to be marked
to be for a non-AP MLD before calling
clear_wpa_sm_for_each_partner_link().
Fixes: 9603a83a1e3f ("AP MLD: Avoid reusing ML wpa state machine for non-ML STA")
Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Benjamin Berg [Thu, 30 Oct 2025 12:29:57 +0000 (13:29 +0100)]
AP MLD: Send TTLM if a link is indicated as disabled
When a link is indicated as disabled, a corresponding TTLM should be
sent. Add the appropriate code to generate the TTLM in the testing cases
where hostapd is explicitly configured with mld_indicate_disabled=1.
Co-authored-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Thu, 23 Oct 2025 10:45:31 +0000 (13:45 +0300)]
USD: Improve concurrency with other interfaces
Notify USD logic about interface state changes so it could configure the
USD (and NAN DE) operation to take into consideration the concurrency
with other interfaces sharing the same radio.
In particular:
- Consider P2P state to allow P2P2 handshakes to complete during USD
channel dwells.
- When a peer is locally authorized for connection, consider this as an
indication that USD dwell time should be longer to allow the complete
pairing, etc.
Ilan Peer [Thu, 23 Oct 2025 10:45:29 +0000 (13:45 +0300)]
USD: Support suspending USD operations
Based on the USD specification, the device should always be either on
the default channel or one of the configured channels. However, to
allow operation of other interfaces, configure the NAN Discovery
Engine (DE) to relax the USD availability requirements:
- Allow to configure N-Min and N-Max to different values than the
default ones, to increase availability for the other interfaces
(by configuring lower values).
- Allow to configure a suspend cycle, where after a certain amount of
time that USD is active, it would be suspended for a certain amount
of time.
While this might reduce the availability of USD, it allows the
operation of other interfaces that share the same radio.
Dan Callaghan [Mon, 10 Nov 2025 03:08:02 +0000 (14:08 +1100)]
P2P: Add missing NULL check in p2p_ctrl_flush()
When wpa_supplicant is compiled with CONFIG_TESTING_OPTIONS and receives
a FLUSH command from wpa_cli, p2p_ctrl_flush() may crash due to passing
a NULL pointer into p2p_set_invitation_op_freq().
Add a NULL pointer check, similar to the other NULL pointer check
already in p2p_ctrl_flush().
Fixes: 475f50d71001 ("P2P2: Allow op class and channel override for Invitation Response")
Signed-off-by: Dan Callaghan <dan.callaghan@morsemicro.com>
Benjamin Berg [Thu, 18 Dec 2025 16:19:34 +0000 (17:19 +0100)]
AP: Do not store RSNXE for WPA 1
If the connection is using WPA 1, then the RSNXE will not be included in
the KDE. So do not store it to not trigger a verification mismatch later
because the RSNXE is not in the KDE as would be expected otherwise.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 18 Dec 2025 16:19:33 +0000 (17:19 +0100)]
SME: Do not send RSNXE for WPA 1 connections
The element is not applicable to WPA 1 and it will not be included in
the KDE later on. However, hostapd checks that the KDE and the
association request match and deauthenticates the station if it sent the
RSNXE in the association request.
So omit sending it if the protocol is WPA_PROTO_WPA.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Determine NSS and bandwidth for each setup link on association event
Parse the MLE from the (Re)Association Request and Response frames to
get the channel bandwidth and maximum number of spatial streams for each
setup link of an ML association.
Add an explicit check for MLE subelement defragmentation
While the ieee802_11_defrag_mle_subelem() checks that the subelements
are present, an explicit check for the length in the caller makes this
more obvious.
Fix ieee802_11_defrag_mle_subelem() check on remaining buffer
The end pointer moves as well when cutting out a subelement
header. While the previous version checked against the original full
buffer, it is more accurate to check against the updated end of the
buffer.
Allow incompatible SAE H2E conf if there is a non-SAE alternative
Currently, if a configuration forces SAE H2E and SAE is among the key
management authorized, wpa_supplicant will skip a network that does not
support SAE H2E, even if that network does not support SAE or has
alternative AKMs that could work with the configuration.
Skip a network only if a configuration requires a SAE key management.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
Allen Ye [Wed, 14 Jan 2026 09:20:07 +0000 (17:20 +0800)]
AP MLD: Handle group init on first STA association on all links
Currently, only the association link sets the first_sta_seen flag in an
ML association. That allows the GTK of the other links to be reset if
another station associates with the other links.
Initialize the GTK and set the first_sta_seen flag for all links in an
ML association to avoid this.
Reviewed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Allen Ye <allen.ye@mediatek.com>
Defer EAPOL frames during ext auth SAE reassociation to the same AP
With commit 3ab35a660364 ("Extend EAPOL frames processing workaround
for roaming cases") wpa_supplicant postpones EAPOL frame processing
till roam indication from the driver when the source address of EAPOL
frame does not match the current BSSID/AP MLD MAC address.
In driver-based SME, the FT roaming is handled at the driver/firmware.
However, when there is a deauth from the FT AP, the driver/firmware
attempts reassociation via full SAE to the same connected AP. In such
cases, the device offloads the EAPOL handling of FT AKMs to the
wpa_supplicant. If the M1 frame is received before the roamed event,
the wpa_supplicant treats this EAPOL frame as PTK rekey frame and
replies with the M2 frame. Roam event gets processed next (before M3)
which resets the temporary PTK derived from M1. Without this TPTK,
the MIC validation in M3 fails and leads to disconnection.
To fix this, extend the current EAPOL-defer logic to defer the
frames received after a successful external authentication to the
same AP until the roamed event is processed.
Shivani Baranwal [Fri, 19 Dec 2025 05:35:58 +0000 (11:05 +0530)]
P2P: Fragment P2P IE in invitation frames if it exceeds 255 bytes
The P2P IE in Invitation Request and Response frames is constructed by
concatenating several subelements. If the total length of these
subelements exceeds the maximum IE length of 255 bytes, the resulting
frame becomes invalid. This can occur in scenarios with a large number
of subelements, such as when including many preferred channels or large
vendor-specific attributes.
Fragment the P2P sub-elements into multiple P2P IEs if the total size
exceeds the 255-byte limit, ensuring the generated Invitation Request
and Response frames remain valid.
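The splitting described in this commit message, as an added example that is not the hostap implementation: an attribute stream longer than one element can hold is carried in several P2P IEs (vendor-specific element 0xDD, OUI 50:6F:9A, OUI type 0x09), each with at most 251 attribute octets, and the receiver concatenates the payloads in order. The `demo_*` names and the 600-octet sample stream are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_VENDOR_SPECIFIC 0xdd
#define P2P_HDR_LEN 4                          /* OUI (3) + OUI type (1) */
#define IE_MAX_LEN 255                         /* one-octet Length field */
#define P2P_FRAG_MAX (IE_MAX_LEN - P2P_HDR_LEN) /* 251 attribute octets */

static const uint8_t p2p_oui_type[P2P_HDR_LEN] = { 0x50, 0x6f, 0x9a, 0x09 };

/* Split an attribute stream into as many P2P IEs as needed.
 * Returns the number of octets written, or 0 if out is too small
 * (or attrs_len is 0). */
size_t demo_p2p_fragment(const uint8_t *attrs, size_t attrs_len,
			 uint8_t *out, size_t out_size)
{
	size_t pos = 0, w = 0;

	while (pos < attrs_len) {
		size_t chunk = attrs_len - pos;

		if (chunk > P2P_FRAG_MAX)
			chunk = P2P_FRAG_MAX;
		if (out_size - w < 2 + P2P_HDR_LEN + chunk)
			return 0;
		out[w++] = EID_VENDOR_SPECIFIC;
		out[w++] = (uint8_t) (P2P_HDR_LEN + chunk); /* always <= 255 */
		memcpy(out + w, p2p_oui_type, P2P_HDR_LEN);
		w += P2P_HDR_LEN;
		memcpy(out + w, attrs + pos, chunk);
		w += chunk;
		pos += chunk;
	}
	return w;
}

/* Count the elements in a buffer; -1 if an element overruns the buffer. */
int demo_count_ies(const uint8_t *ies, size_t ies_len)
{
	size_t pos = 0;
	int n = 0;

	while (ies_len - pos >= 2) {
		size_t len = ies[pos + 1];

		if (len > ies_len - pos - 2)
			return -1;
		pos += 2 + len;
		n++;
	}
	return pos == ies_len ? n : -1;
}

/* Concatenate the payloads of all P2P IEs, in order, into out.
 * Returns the reassembled length, or -1 on a truncated element or
 * insufficient output space. Non-P2P elements are skipped. */
long demo_p2p_reassemble(const uint8_t *ies, size_t ies_len,
			 uint8_t *out, size_t out_size)
{
	size_t pos = 0, w = 0;

	while (ies_len - pos >= 2) {
		uint8_t id = ies[pos];
		size_t len = ies[pos + 1];
		const uint8_t *body = ies + pos + 2;

		if (len > ies_len - pos - 2)
			return -1; /* Length field points past the buffer */
		if (id == EID_VENDOR_SPECIFIC && len >= P2P_HDR_LEN &&
		    memcmp(body, p2p_oui_type, P2P_HDR_LEN) == 0) {
			size_t n = len - P2P_HDR_LEN;

			if (n > out_size - w)
				return -1;
			memcpy(out + w, body + P2P_HDR_LEN, n);
			w += n;
		}
		pos += 2 + len;
	}
	if (pos != ies_len)
		return -1; /* trailing partial element header */
	return (long) w;
}

int main(void)
{
	uint8_t attrs[600], ies[700], back[600];
	size_t i, n;

	for (i = 0; i < sizeof(attrs); i++)
		attrs[i] = (uint8_t) i; /* constructed sample stream */
	n = demo_p2p_fragment(attrs, sizeof(attrs), ies, sizeof(ies));
	if (n != 618 || demo_count_ies(ies, n) != 3)
		return 1;
	if (demo_p2p_reassemble(ies, n, back, sizeof(back)) != 600)
		return 1;
	return memcmp(attrs, back, sizeof(attrs)) == 0 ? 0 : 1;
}
```
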
Jouni Malinen [Fri, 23 Jan 2026 15:22:42 +0000 (17:22 +0200)]
tests: Avoid a race condition in dpp_hostapd_enrollee_gas_proto
A GAS frame from the previous iteration could have been processed when
the last step of the test case was supposed to process DPP
Authentication messages. Add a short wait to make that less likely. In
addition, explicitly check that the processed frame is indeed of
expected type to make the error cases on race conditions more obvious.
Jouni Malinen [Fri, 23 Jan 2026 15:21:50 +0000 (17:21 +0200)]
DPP: Add some more debug prints on GAS frame parsing errors
These cases were referenced in a hwsim test case
dpp_hostapd_enrollee_gas_proto, but hostapd did not actually print the
matching strings into debug log.
Jouni Malinen [Fri, 23 Jan 2026 14:28:13 +0000 (16:28 +0200)]
tests: Avoid race condition in ap_open_tdls_external_control
Make this test case wait for the kernel STA entries to be ready for Data
frames before initiating TDLS setup similarly to the other TDLS test
cases. This avoids issues where "dropped frame to 02:00:00:00:01:00
(unauthorized port)" is seen in kernel log and the TDLS setup does not
complete in time.
VLAN: Use appropriate group instead of the default VLAN group
The current implementation in the GTK rekey path refers to the default
VLAN group instead of the VLAN to which the STA is bound. For instance,
the GKeyDoneStations count is incorrectly incremented/decremented for
partner links in the default VLAN group always, even when the station
has associated on the non-zero VLAN. This can result in inconsistencies
during GTK rekey for stations connected on non-zero VLAN where the new
group keys are installed to the driver even before they could be
communicated to the stations on these VLANs through a group handshake
message 1.
At all of those places, let the correct VLAN group be referenced based
on the vlan_id to which the station is connected, instead of using the
default VLAN.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
VLAN: Group state machine data creation for partner AP MLD links
In EAPOL-Key msg 3/4 and group handshake message 1, the AP needs to
populate group keys from the appropriate VLAN group state machine data
(wpa_group) for each of the setup links. In the existing dynamic VLAN
implementation, when a multi-link STA associates on a particular VLAN,
VLAN group is created for the association link, but the same is not
created for partner links. As a result, in the absence of VLAN group
state machine data in partner authenticator object, at the time of
fetching group keys for the non-association links, in
wpa_auth_ml_get_key_info(), the helper function
wpa_select_vlan_wpa_group() fetches group keys on non-association links
from the default VLAN group.
Address this by allowing the ap_sta_set_vlan() and ap_sta_bind_vlan()
functionality to repeat for each of the setup links, i.e., as part of
ap_sta_set_vlan(), perform VLAN assignment to STA object in each of the
setup links and also allow VLAN group state machine data creation in the
partner authenticators as part of ap_sta_bind_vlan().
Fixes: dd65e53c9476 ("VLAN: Use VLAN group keys for EAPOL frames and FT reassoc for MLO")
Co-developed-by: Adil Saeed Musthafa <adilm@qti.qualcomm.com>
Signed-off-by: Adil Saeed Musthafa <adilm@qti.qualcomm.com>
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
tests: Extend MBSSID testing for beacon protection
Add a new test case for MBSSID with beacon protection enabled with a STA
associating on the non-transmitting BSS followed by a STA association on
the transmitting BSS.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
MBSSID: Re-initialize group keys on the first STA seen in the MBSSID set
In the current implementation, group keys are re-initialized for the
first station association (first_sta_seen) in the BSS. In a scenario
where the non-transmitting BSS sees a client association before the
transmitting BSS, group keys (GTK/IGTK) are re-initialized in
wpa_gtk_update() for the non-Tx BSS. It is checked if a BIGTK key is
already set on the Tx BSS (bigtk_set). Since BIGTK was set for the Tx
BSS during its bringup time, it simply returns from wpa_gtk_update() for
the non-Tx BSS.
If this is followed by the first station association on the Tx BSS, a
new BIGTK key is generated for the Tx BSS in wpa_gtk_update() and the
same is installed to the driver. This would mean that the Beacon frames
are being sent using the new BIGTK that is not known to the stations
associated to the non-Tx BSSs, posing the risk for a potential beacon
miss due to beacon protection validation failures.
Fix this by allowing re-initialization of group keys if and only if it
is the first station association seen across the entire MBSSID set.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
AP: Fetch BIGTK PN from the transmitting BSS in non-MLO cases
BIGTK is set and configured to the driver on the transmitting BSS and
the non-transmitting BSSs use the BIGTK key from the Tx BSS, so use the
Tx BSS authenticator while fetching BIGTK PN in ieee80211w_kde_add() for
non-MLO cases.
For MLO cases this is already handled correctly in
wpa_auth_ml_get_key_info().
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Shivani Baranwal [Mon, 19 Jan 2026 06:59:26 +0000 (12:29 +0530)]
Add QCA vendor config to allow SCC with indoor channel per peer protocol
Define bitmap config attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_ALLOW_PEER_PROTOCOL_INDOOR_CH_STA_SCC to
support STA connected indoor channel for peer protocol like P2P
and NAN.
The bitmap definition:
- bit 0: Setting bit0 indicates to allow SCC with STA connected indoor
channel for P2P
- bit 1: Setting bit1 indicates to allow SCC with STA connected indoor
channel for NAN
This attribute provides more granular control over which peer to peer
protocols can operate in SCC mode with STA connected indoor channels
compared to the previously added
QCA_WLAN_VENDOR_ATTR_CONFIG_ALLOW_STA_INDOOR_CH_SCC.
Priyansha Tiwari [Wed, 21 Jan 2026 12:21:14 +0000 (17:51 +0530)]
Add QCA vendor PHY mode enums for EHT
Add vendor specific enum qca_wlan_vendor_phy_mode values for IEEE
802.11be EHT PHY modes. This extends the existing enum to support EHT
bandwidth modes (20/40/80/80+80/160/320 MHz) allowing userspace to
explicitly configure PHY mode for EHT operation.
Pabitra Dash [Tue, 13 Jan 2026 11:21:47 +0000 (16:51 +0530)]
Define QCA vendor attribute for QSH Wi-Fi scan control
Context-aware modules like Qualcomm Sensing Hub (QSH) run in low-power
domains (e.g., Sensor DSP) and require Wi-Fi scan and ranging services
for location and context-awareness purposes. These services often
operate continuously, even while the host system is in power-save sleep
mode, without involving the host subsystem.
However, during critical latency-sensitive use cases, the host subsystem
needs to temporarily suspend these services. To enable that, add an
attribute QCA_WLAN_VENDOR_ATTR_CONFIG_QSH_SCAN_CTRL in the existing
vendor subcmd QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION for
managing QSH Wi-Fi scanning.
Pabitra Dash [Tue, 13 Jan 2026 10:52:29 +0000 (16:22 +0530)]
Define QCA vendor subcommand to fetch QSH Wi-Fi statistics
Context-aware modules like Qualcomm Sensing Hub (QSH) run in low-power
domains (e.g., Sensor DSP) and require Wi-Fi scan and ranging services
for location and context-awareness purposes. These services often
operate continuously, even while the host system is in power-save sleep
mode, without involving the host subsystem.
However, sometimes the host subsystem needs to monitor these services.
To enable monitoring, introduce a vendor subcommand to the QCA nl80211
vendor interface.
QCA_NL80211_VENDOR_SUBCMD_QSH_GET_STATS:
Retrieves the Wi-Fi scan count from the sensor (currently only scan
count; might be extended to include additional statistics in the
future), enabling analysis of power usage related to QSH-driven scans.
This enhancement improves visibility into QSH scan behavior for better
performance in resource-constrained and latency-critical scenarios.
Jianmin Zhu [Thu, 25 Dec 2025 03:58:51 +0000 (19:58 -0800)]
Add QCA vendor attributes for P2P GO NoA cancellation
Add QCA_WLAN_VENDOR_ATTR_P2P_SET_GO_CANCEL_ONE_SHOT_NOA and
QCA_WLAN_VENDOR_ATTR_P2P_SET_GC_KEEP_AWAKE_DURING_ONE_SHOT_NOA to
support firmware-managed automatic cancellation of P2P GO Notice of
Absence (NoA) schedules in multi-channel concurrency (MCC) scenarios.
Background:
In P2P GO + STA MCC scenarios (e.g., Miracast), when a local STA
interface sharing the same radio with the P2P GO performs
connection/roaming operations on a different channel, the firmware
automatically starts a one-shot NoA schedule on the P2P GO to facilitate
the STA's channel operations. This firmware-initiated NoA can cause:
- Delayed data transmission to P2P clients during the absence period
- Connection timeouts on P2P clients during extended absence
- Poor user experience during critical operations like video streaming
Why configurable instead of automatic:
While the firmware initiates NoA automatically, cancellation requires
explicit configuration because:
1. This optimization should only be enabled when both the P2P GO and all
connected P2P Clients support this capability
2. Peer capability is determined by userspace through OUI-based device
whitelists or vendor-specific information elements
3. The feature is intended for specific use cases (e.g., Miracast 1:1
scenarios) where both devices are known to support early NoA
cancellation
Scope and limitations:
This feature can be used when a P2P GO and all its connected P2P Clients
support this capability. Since NoA configuration affects all clients in
the group, the feature should only be enabled when all connected clients
are verified to support early NoA cancellation.
Peer capability is not standardized in P2P yet; for now, the GO/client is
expected to know peer client/GO capability via vendor-specific userspace
policy/mechanisms, e.g., device model / OUI based whitelists or out of band
capability handshake via Bluetooth.
Solution:
Add two new vendor attributes to the existing
QCA_NL80211_VENDOR_SUBCMD_P2P_SET_NOA command:
1. QCA_WLAN_VENDOR_ATTR_P2P_SET_GO_CANCEL_ONE_SHOT_NOA (for P2P GO):
When enabled (value=1):
- The firmware will cancel the current firmware-initiated one-shot NoA
schedule when the local STA interface completes its
connection/roaming operation
- The cancellation will be reflected in subsequent beacons (typically
the next beacon, though timing may vary based on beacon scheduling)
- This unblocks P2P data transmission immediately after the STA
operation completes
When disabled (value=0, default): NoA behavior remains unchanged.
2. QCA_WLAN_VENDOR_ATTR_P2P_SET_GC_KEEP_AWAKE_DURING_ONE_SHOT_NOA
(for P2P GC):
When enabled (value=1):
- The client will stay awake during one-shot NoA periods instead of
entering sleep
- This allows the client to immediately receive frames when the GO
cancels NoA early, without waiting for the originally configured NoA
duration to expire
When disabled (value=0, default): GC enters sleep during NoA as usual.
Feature capability advertisement:
Two new feature flags are added to allow devices to advertise support:
- QCA_WLAN_VENDOR_FEATURE_SUPPORT_P2P_GO_CANCEL_ONE_SHOT_NOA
- QCA_WLAN_VENDOR_FEATURE_SUPPORT_P2P_GC_KEEP_AWAKE_DURING_ONE_SHOT_NOA
These flags can be used by userspace to determine local device
capabilities.
Jouni Malinen [Mon, 19 Jan 2026 21:15:23 +0000 (23:15 +0200)]
wlantest: Decrypt (Re)Association Request frame when EPPKE is used
This extends wlantest support for additional Management frame encryption
cases: association frames with EPPKE (IEEE 802.11bi). When a valid TK is
available, (Re)Association Request/Response frames are now decrypted
before processing.
Jouni Malinen [Mon, 19 Jan 2026 21:06:02 +0000 (23:06 +0200)]
Update define name for Protected Frame field in Frame Control field
The WEP field was renamed already in IEEE Std 802.11i-2004 to the
Protected Frame field, so better rename the define for this field to use
the current name after 20 years..
Add QCA driver feature flag for P2P assisted DFS support
Add QCA_WLAN_VENDOR_FEATURE_SUPPORT_P2P_ASSISTED_DFS feature flag to
indicate that the driver supports AP assisted DFS channel operation
for P2P connections.
This feature flag allows userspace applications to determine if the
driver can handle P2P operations as a P2P GO on DFS channels with
assistance from a DFS AP, enabling DFS channels usage for P2P.
Add a new vendor command QCA_NL80211_VENDOR_SUBCMD_DCS_CONFIG to allow
applications to get and set Dynamic Channel Selection (DCS)
configuration parameters through the nl80211 vendor interface.
DCS monitors the operating channel of an AP or P2P GO for interference
and can steer the interface to a cleaner channel when policy thresholds
are met.
Move beacon transmit rate configuration from radio level to BSS level
This enables control of the beacon transmission rate on a per-BSS basis.
Refactor beacon rate handling by moving the beacon_rate and rate_type
fields from struct hostapd_config to the per-BSS struct
hostapd_bss_config structure. This change ensures that beacon rate
settings are applied at BSS level, allowing multiple BSS instances to
have independent configurations. This updates the configuration parsing
logic to set these values in BSS context and adjusts beacon parameter
building to reference the BSS-level fields.
Move supported/basic rate set configuration to be per-BSS
hostapd currently handles supported and basic rate sets at the
radio/interface level, causing all BSSs on the same interface to share
the same configuration. This prevents per‑BSS customization of rate
advertising and enforcement.
Move supported_rates and basic_rates from the per-interface struct
hostapd_config into per-BSS struct hostapd_bss_config and prepare
filtered, per‑BSS rate tables in struct hostapd_data. The per‑BSS rates
are then used when configuring basic rate set to the driver, when
constructing Beacon and Probe Response frames, when initializing station
defaults, and when reporting via ctrl_iface status. AP/mesh paths in
wpa_supplicant are updated to set BSS‑level rate arrays, and memory
management is adjusted accordingly to avoid iface‑level storage.
If a BSS does not explicitly configure basic_rates, defaults are chosen
based on the current hardware mode in the same manner as was done
previously at per-interface level.
Yu Tian [Tue, 16 Dec 2025 03:17:20 +0000 (19:17 -0800)]
Add QCA vendor attributes for MSDU/MPDU RX statistics
Add vendor attributes for MPDU/MSDU RX statistics:
QCA_WLAN_VENDOR_ATTR_LL_STATS_RX_DRIVER_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that
were received from hardware fast receiving rings.
QCA_WLAN_VENDOR_ATTR_LL_STATS_RX_DRIVER_MPDU_CNT:
Unsigned 32 bit value. It represents the number of MPDUs that
were received from hardware fast receiving rings.
Add vendor specific config actions to allow/disallow NSS > 2
Introduce two actions in enum qca_wlan_vendor_feature_config_action to
control spatial stream (NSS) usage for STA connections:
- QCA_WLAN_VENDOR_FEATURE_CONFIG_ACTION_ALLOW_NSS_GT_2:
Permit RX/TX NSS greater than 2 only if the AP matches an entry in the
configuration data list.
- QCA_WLAN_VENDOR_FEATURE_CONFIG_ACTION_DISALLOW_NSS_GT_2:
Restrict RX/TX NSS to 2 or below if the AP matches an entry in the
configuration data list.
- Configuring allow clears any existing disallow configuration.
- Configuring disallow clears any existing allow configuration.
- Default NSS negotiation applies when neither action is configured.
Signed-off-by: Venkata Sai Teja Bathini <vbathini@qti.qualcomm.com>
Ainy Kumari [Thu, 27 Nov 2025 00:16:16 +0000 (05:46 +0530)]
PASN: Support specifying variable length KCK
The current PASN definition uses a fixed length KCK, but that does not
feel ideal for some use cases, e.g., with the PASN-based EPPKE. Add
support for specifying the KCK length when calculating the MIC for PASN
Authentication frames. The actual calculation of the MIC is still
requiring the hardcoded 32 octet length to be used, i.e., this does not
change the actual behavior yet, but is a step towards making it easier
to support variable length KCK in the future, if needed.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Ainy Kumari [Thu, 27 Nov 2025 00:16:16 +0000 (05:46 +0530)]
PASN: Extend hash algorithm selection to cover SAE-EXT-KEY AKMs
Updates PASN key derivation to support SAE-EXT-KEY AKMs and hash
algorithm selection in line with IEEE Std 802.11-2024, 12.13.8, 12.13.9
and 12.4.2. Select the appropriate hash algorithm
(SHA-256/SHA-384/SHA-512) for PTK derivation based on the PMK length
when using SAE-EXT-KEY so that the longer key length cases with groups
20 and 21 are covered.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Jouni Malinen [Thu, 18 Dec 2025 09:26:55 +0000 (11:26 +0200)]
PASN: Specify hash algorithm in calls to helper functions
Instead of determining which hash algorithm to use separately for
calculating the MIC and Auth1 hash values, specify the hash algorithm in
the function calls using the algorithm selected during PTK derivation.
Ainy Kumari [Thu, 27 Nov 2025 00:16:16 +0000 (05:46 +0530)]
PASN: Move MIC element check to be after PTK derivation
This makes it more convenient to determine which hash algorithm to use
during PTK derivation instead of having to figure that out multiple
times based on different information.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Signed-off-by: Ainy Kumari <ainy.kumari@oss.qualcomm.com>
Jouni Malinen [Wed, 17 Dec 2025 20:06:14 +0000 (22:06 +0200)]
PASN: Calculate Auth1 hash after PTK derivation
It is more convenient to wait with the Auth1 hash calculation to avoid
having to figure out which hash algorithm to use before the PTK is
derived. Auth1 hash is defined to use the same hash algorithm as the one
that was used during PTK derivation. This requires a bit more memory,
but that is justifiable with the simplified implementation.
Correct the logic in p2p_pref_channel_filter() to ensure that operating
classes are added contiguously to the result pref_chanlist. Previously,
if an operating class had no matching channels after filtering, its slot
in the result was effectively skipped, leading to incorrect indexing and
potential loss of valid subsequent operating classes.
Fixes: 4383528e0195 ("P2P: Use weighted preferred channel list for channel selection")
Signed-off-by: Shivani Baranwal <shivbara@qti.qualcomm.com>
Miaoqing Pan [Thu, 11 Dec 2025 07:07:31 +0000 (15:07 +0800)]
defconfig: Uncomment CONFIG_IEEE80211BE=y
wpa_supplicant has supported IEEE 802.11be (Wi-Fi 7) for over three
years. With growing market demand for Wi-Fi 7, it is now an appropriate
time to enable IEEE 802.11be support. This is needed mainly to enable AP
mode functionality in wpa_supplicant.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Miaoqing Pan [Thu, 11 Dec 2025 07:07:30 +0000 (15:07 +0800)]
defconfig: Document IEEE 802.11be as a published amendment
The comment about the IEEE 802.11be functionality being experimental
and based on a not yet finalized standard is not accurate anymore
since IEEE Std 802.11be-2024 has already been published. Remove this
outdated comment.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Miaoqing Pan [Thu, 11 Dec 2025 06:11:05 +0000 (14:11 +0800)]
defconfig: Update Opportunistic Wireless Encryption (OWE) state
OWE enhances privacy in public and enterprise environments where open
networks are prevalent. Enabling OWE aligns with modern security best
practices and supports the testing and development of OWE-capable
devices.
OWE is now standardized in IEEE Std 802.11-2024 while it was originally
specified in IETF RFC 8110 (updated by RFC 9672). It is not experimental
anymore, i.e., there has been significant interoperability testing and
there are deployed cases.
Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Jouni Malinen [Thu, 11 Dec 2025 18:39:37 +0000 (20:39 +0200)]
proc_coord: Testing and example use of process coordination
Add hwsim testing for proc_coord to enable automated testing of this
functionality. In addition, this shows a simple example of how the
defined proc_coord API can be used.
Jouni Malinen [Wed, 10 Dec 2025 10:38:23 +0000 (12:38 +0200)]
proc_coord: Process coordination for hostapd and wpa_supplicant instances
Add a framework for coordinating operations between multiple hostapd and
wpa_supplicant processes running on the same CPU. This provides
functionality for performing request/response operations and sending
event messages between the processes. This could be used, e.g., to
coordinate channel selection between multiple hostapd instances
operating BSSs on the same radio or between hostapd and wpa_supplicant
processes to coordinate channel switching of the AP interface based on
backhaul connection switching its operating channel.
UNIX domain sockets are used for sending the messages between processes.
The new command line argument -z<directory> can be used to enable this
functionality in hostapd and wpa_supplicant. The directory needs to be
created before starting hostapd/wpa_supplicant and the permissions for
that directory should be set in a manner that prevents access from
untrusted processes. There is no additional access control for this
within hostapd/wpa_supplicant.
The messages exchanged between the processes are assuming the same
source code snapshot and build parameters are used in all participating
processes. The encoding of the messages and the performed functions can
be modified from one snapshot to another and from one build
configuration to another and any kind of mixing of different versions or
build configurations is not supported and can result in unexpected
behavior.
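Since the commit above states that the -z<directory> permissions are the only access control, a pre-start check of that directory is worth having; the following is an added example, not code from hostapd or wpa_supplicant. The helper names are hypothetical, and it assumes all participating processes run under one account, so any group or other permission bit is treated as unsafe.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum coord_dir_status {
	COORD_OK = 0,
	COORD_ERR_STAT = -1,    /* missing or unreadable path */
	COORD_ERR_NOT_DIR = -2, /* file or symlink instead of a directory */
	COORD_ERR_OWNER = -3,   /* owned by another account */
	COORD_ERR_MODE = -4,    /* group/other permission bits set */
};

/* Hypothetical pre-start check for the directory passed with -z<directory> */
int coord_dir_check(const char *path, uid_t expected_owner)
{
	struct stat st;

	/* lstat() reports a symlink at 'path' instead of following it */
	if (lstat(path, &st) < 0)
		return COORD_ERR_STAT;
	if (!S_ISDIR(st.st_mode))
		return COORD_ERR_NOT_DIR;
	if (st.st_uid != expected_owner)
		return COORD_ERR_OWNER;
	if (st.st_mode & (S_IRWXG | S_IRWXO))
		return COORD_ERR_MODE;
	return COORD_OK;
}

/* Create the directory owner-only; chmod() makes the mode explicit */
int coord_dir_create(const char *path)
{
	if (mkdir(path, 0700) < 0)
		return -1;
	return chmod(path, 0700);
}

int main(int argc, char *argv[])
{
	int res;

	if (argc != 2) {
		fprintf(stderr, "usage: %s <proc_coord directory>\n", argv[0]);
		return 2;
	}
	res = coord_dir_check(argv[1], geteuid());
	printf("%s: %s (%d)\n", argv[1], res == COORD_OK ? "ok" : "unsafe", res);
	return res == COORD_OK ? 0 : 1;
}
```

A deployment that runs hostapd and wpa_supplicant under different accounts would need a dedicated group instead, and the mode check relaxed to allow only that group.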
Benjamin Berg [Thu, 30 Oct 2025 08:24:49 +0000 (09:24 +0100)]
common: Use signed return value for ieee802_11_defrag_mle_subelem
The function returns -1 on error which is not a valid value for size_t.
Fix this by returning ssize_t.
Fixes: 88f7d4cedfea ("Helper function for defragmenting of Multi-Link element subelements")
CC: Pooventhiran G <quic_pooventh@quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
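Why a -1 error return through size_t matters to callers, shown as an added example that is not the hostap function: the subelement layout, function names and caller are constructed stand-ins. The unsigned variant turns a parse failure into SIZE_MAX, which wraps to a small, plausible length once a caller adds a header size to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed layout for this example: id(1) | len(1) | payload(len) */
static int payload_ok(const uint8_t *in, size_t in_len, size_t out_len)
{
	return in_len >= 2 && (size_t) in[1] <= in_len - 2 &&
		(size_t) in[1] <= out_len;
}

/* "Before" pattern: -1 returned through size_t becomes SIZE_MAX */
size_t subelem_copy_unsigned(const uint8_t *in, size_t in_len,
			     uint8_t *out, size_t out_len)
{
	if (!payload_ok(in, in_len, out_len))
		return -1;
	memcpy(out, in + 2, in[1]);
	return in[1];
}

/* "After" pattern: ssize_t carries either a length or the -1 error */
ssize_t subelem_copy_signed(const uint8_t *in, size_t in_len,
			    uint8_t *out, size_t out_len)
{
	if (!payload_ok(in, in_len, out_len))
		return -1;
	memcpy(out, in + 2, in[1]);
	return in[1];
}

/* Caller adding the 2-octet header: a failure wraps to 2 + SIZE_MAX == 1 */
size_t total_len_unsigned(const uint8_t *in, size_t in_len)
{
	uint8_t buf[255];
	return 2 + subelem_copy_unsigned(in, in_len, buf, sizeof(buf));
}

/* Same caller with the signed variant: the error is seen and propagated */
ssize_t total_len_signed(const uint8_t *in, size_t in_len)
{
	uint8_t buf[255];
	ssize_t n = subelem_copy_signed(in, in_len, buf, sizeof(buf));
	return n < 0 ? -1 : 2 + n;
}

int main(void)
{
	const uint8_t truncated[] = { 0xff, 5, 'a' }; /* constructed input */
	printf("unsigned: %zu, signed: %zd\n",
	       total_len_unsigned(truncated, sizeof(truncated)),
	       total_len_signed(truncated, sizeof(truncated)));
	return 0;
}
```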
Benjamin Berg [Thu, 30 Oct 2025 08:24:48 +0000 (09:24 +0100)]
common: Fix definition of EHT_ML_EML_CAPA_RESERVED
The 0x0080 bit was accidentally added in commit d0bd79a2d684 ("BSS:
Verify the ML common info for links") even though it is not reserved
and maps to EHT_ML_EML_CAPA_EMLMR_SUPP already.
Fixes: d0bd79a2d684 ("BSS: Verify the ML common info for links")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:47 +0000 (09:24 +0100)]
tests: Add network to P2P device
If this test is run with a P2P Device Interface, the network must be
specified in the commands. Change the test to use the appropriate
functions so that it works in all cases.
Fixes: 24a33f7ca4cf ("tests: Verify P2P2 PCC Auto GO and PCC client join")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 30 Oct 2025 08:24:46 +0000 (09:24 +0100)]
P2P2: Handle identity ID consistently within files
Using an ID to reference a specific identity= block within the same file
for the DIK has the problem that it requires the IDs to be stable.
However, we also use a static int for the ID enumeration in case
multiple files are read.
Overall, it seems like it could be better to use the DIK as an
identifier. However, we do not, so the numbering needs to be restored
consistently within the file. The straightforward way to achieve this
is to store the base of the counter as a static variable and add it
to both the go_dik_id and the id of the identity= blocks.
For all of this to work, we also need to make sure that we write out the
values with file-local indices. As such, we need to use the position in
the internal list rather than the assigned ID when writing the values.
Fixes: 417c67468b8d ("P2P2: Add device identity block to wpa_supplicant configuration")
Fixes: ec4569174750 ("P2P2: Store ID of Device Identity block in network block")
CC: Shivani Baranwal <quic_shivbara@quicinc.com>
CC: Vinay Gannevaram <quic_vganneva@quicinc.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>