Yu Wang [Tue, 12 Aug 2025 12:30:02 +0000 (05:30 -0700)]
Add QCA vendor attributes for MSDU TX statistics
Add vendor attributes for MSDU TX statistics, including:
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_RETRY_MSDU_CNT: Unsigned 32 bit value.
It represents the number of MSDUs sent by the driver that were
retransmitted and eventually transmitted successfully.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_SUCC_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
successfully transmitted by the driver, including those that were
retransmitted and eventually succeeded.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_FW_DROP_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
handed off by the driver for transmission but were ultimately dropped by
the firmware.
QCA_WLAN_VENDOR_ATTR_LL_STATS_TX_DRIVER_DROP_MSDU_CNT:
Unsigned 32 bit value. It represents the number of MSDUs that were
intended for transmission but were dropped by the driver before being
handed off to the firmware.
hostapd_cli: Open a new hostapd connection on ping failure when using -a
When hostapd_cli is started with the -a option, the process enters an
eloop. Every ping interval (five seconds) hostapd_cli sends a PING to
hostapd and waits to receive a response. In a particular issue scenario,
the hostapd_cli control interface socket file in /tmp/wpa_ctrl_xx gets
deleted due to which hostapd is no longer able respond to the PING.
hostapd_cli times out waiting for the socket to become ready for read
and terminates from eloop causing the hostapd_cli process to exit.
hostapd_cli in interactive mode handles a PING response failure by
closing the current connection and opening a new connection using
hostapd_cli_reconnect(). Adopt the same approach for the action file
case instead of terminating the process.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
DPP: Avoid generating DPP shared secret(z) for non-association links
In an AP, DPP shared secret (z) for Network Introduction Protocol with
PFS is generated using the public key of a station (M) received in the
Public Key field of Diffie-Hellman Parameter element in the
(Re)Association Request frame and the AP's private key (n). In a STA,
DPP shared secret (z) is generated using the public key of the AP (N)
received in the Public Key field of Diffie-Hellman Parameter element in
the (Re)Association Response frame and the station's private key (m).
When a (Re)Association Request frame is received for ML association, the
AP MLD parses the elements in __check_assoc_ies() for the association
link and then for each of the other setup links. When the Diffie-Hellman
Parameter element is parsed on the association link, the AP MLD
generates a private key, a public key, and a shared secret (n,N,
z(n,M)). When the Diffie-Hellman Parameter element is parsed on other
links, another set of a different private key, public key, and shared
secret is derived (n1,N1, z1(n1,M)). This is not correct behavior.
In wpa_state_machine (sta->wpa_sm), store the DPP shared secret (z)
generated for the association link and skip generating it for other
partner BSS links. This will ensure that the public key shared with the
station in the (Re)Association Response is derived from the same private
key that is used to derive the DHss component used in PTK calculation.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
Khanjan Desai [Wed, 4 Dec 2024 13:05:39 +0000 (18:35 +0530)]
PASN: Clear driver/firwmare ranging context if PASN Auth 1 fails
When PASN auth 1 frame does not get an ack or gets failure, the call to
ap_free_sta() clears the hostapd context but the driver/firmware is not
aware of this and as such, still holds the context making it impossible
to initiate next PASN request.
Clear PASN context in underlying drivers by setting NULL context with
hostapd_drv_set_secure_ranging_ctx().
Use SCS reconfiguration logic under CONFIG_NO_ROBUST_AV
Fix build failure caused by missing SCS renegotiation logic under
CONFIG_NO_ROBUST_AV. Commit 1adffc200 (SCS: Renegotiate configured SCS
policies with new AP after roaming) introduced logic for SCS
renegotiation for roaming but did not include corresponding changes
for CONFIG_NO_ROBUST_AV.
Add the necessary handling to ensure consistent behavior and successful
builds when this flag is enabled.
Fixes: 1adffc200 ("SCS: Renegotiate configured SCS policies with new AP after roaming") Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Increase buffer size to handle long freq_list entries in config
When all common frequency bands (2.4 GHz, 5 GHz, and 6 GHz) are included
in the freq_list configuration, parsing might fail due to the buffer
being too small to accommodate the full list. This results in partial
and incorrect frequency values being read, which might be subsequently
rejected by the kernel as it cannot find a valid channel for the
malformed frequency.
Fix this by increasing the buffer size to a sufficient length in
wpa_config_read().
AP MLD: Fix STA's flag wrongly updated in SME-in-driver cases
In ieee802_1x_ml_set_sta_authorized() when trying to update partner link
STA's flag, AID checking is not sufficient enough as AID is always 0 for
SME-in-driver cases.
Check for STA MLD address to avoid wrongly update other STA's flag.
AP MLD: Properly deinit sm of non-ML STA connected to ML AP
Currently, when a non-ML client connects to an ML AP and the connection
is not fully established, ap_sta_disconnect_common() is triggered.
However, the state machine (sm) is not deinitialized because the AP is
an MLD and the assoc link ID does not match the connected link ID. This
results in sm being set to NULL, and later during ap_free_sta(), the
deinit function exits early due to sm being NULL, causing a memory leak.
Fix this issue by checking whether the connected client is an ML client
instead of checking if the AP is an ML AP just like how it is done in
ap_free_sta() as well.
QCA vendor attribute to configure BTM MLD Recommendation For Multiple APs support
Define a QCA vendor attribute to configure BTM MLD Recommendation For
Multiple APs support within the Extended MLD capability of Multi-link
element in the Association Request frame for testing purposes.
Add QCA vendor attribute to configure EHT RTWT support
Define a QCA vendor attribute to configure RTWT support subfield within
the EHT capabilities element of the Association Request frame for
testing purposes.
Add test case ap_acs_exclude_6g_non_psc to verify ACS behavior when
acs_exclude_6ghz_non_psc configuration option is enabled.
The test validates whether, in the 6 GHz band, AP comes up in a
preferred scanning channel (PSC), when acs_exclude_6ghz_non_psc
configuration option is enabled.
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
ACS: Extend support to exclude 6 GHz non-PSC in non-offloaded ACS
Currently, support to exclude non-PSC 6 GHz channels is implemented
only for offloaded ACS. Extend the support to non-offloaded ACS using
the acs_exclude_6ghz_non_psc configuration option.
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
ACS: Validate all channels in a segment before selection
Currently, ACS validates only the first channel in a segment against
the current configuration. If this validation passes, the channel
with the lowest interference factor within that segment is selected
as the potential primary channel. However, this can result in selecting
a primary channel that does not comply with the current configuration.
For example, in 6 GHz band with 320 MHz bandwidth, if the chanlist is
set to 33-93, ACS may select a primary channel outside the given
chanlist, in the range 97-125.
Additionally, if the first channel fails validation, the other channels
in the segment are ignored, even if they have a lower interference
factor and meets the requirements of the current configuration.
For example, in 5 GHz band with 80 MHz bandwidth, if the chanlist is
set to 153-161, the AP fails to come up because the first channel of
the segment (149) is not present in the chanlist.
Fix this issue by validating all channels in a segment. If DFS,
max_tx_power or indoor channel validation fails for any channel in
a segment, skip the segment. If chanlist/freqlist validation fails for
any channel in a segment, choose another channel in the same segment.
Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
ACS: Fix incorrect index calculation for primary channel
Currently, in the calculation of the index of the primary channel,
the best frequency, which is the primary channel frequency, is
always greater than the frequency of the first channel in
the bandwidth. As a result, the computed value of the index of
the primary channel would be negative, which is incorrect.
Fix bug in the calculation of the index of the primary channel.
Fixes: 627b67f29b1e ("ACS: Fix primary channel puncturing in ACS") Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com>
nl80211: Use i802_bss in qca_set_allowed_ap_freqs() to use correct ifindex
With commit 00c2c20d74ee ("hostapd: Maintain single
wpa_driver_nl80211_data (drv) object across interfaces"), allowed
frequencies are configured only on the first interface.
Use i802_bss context for preparing nlmsg with correct ifindex.
Fixes: 00c2c20d74ee ("hostapd: Maintain single wpa_driver_nl80211_data (drv) object across interfaces") Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Girish Kumar M P [Thu, 12 Jun 2025 11:25:23 +0000 (16:55 +0530)]
Add QCA vendor attribute to disable A-MSDU address check validation
Add a new u8 vendor attribute in the subcommand,
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION,
QCA_WLAN_VENDOR_ATTR_CONFIG_AMSDU_ADDR_CHECK_VALIDATION, which enables
or disables additional validation for Destination Address (DA) and
Receiver Address (RA) for A-MSDUs. Such validation may have
interoperability issues with deployed devices that intentionally send
3-address frames with different SA and DA, which are being dropped due
to this additional validation.
To work around this, the additional checks can be disabled using the MAC
address of the peer. The separate LLC/SNAP validation for A-MSDUs
mitigates the PP A-MSDU not protected vulnerability. This extra layer of
protection, we check the SA/DA against the TA/RA respectively. Enabling
that by default ensures enhanced security while allowing flexibility for
specific already deployed device behavior to function correctly by
disabling the additional validation as needed.
Signed-off-by: Girish Kumar M P <gmp@qti.qualcomm.com>
P2P: Fix preferred frequency list size handling in p2p_check_pref_chan()
Currently, the P2P GO (Group Owner) prefers the PCL (Preferred Channel
List) from the driver to select the operating channel for group
formation. However, wpa_supplicant is limiting the maximum allowed
channels to "num_pref_freq", even though the driver may return a longer
list.
To fix this, update the logic in p2p_check_pref_chan() to use
ARRAY_SIZE(p2p->pref_freq_list) when passing the size to
get_pref_freq_list(), and update p2p->num_pref_freq based on the value
returned by the driver function. This ensures the preferred frequency
list is sized correctly according to the driver response.
Cancel pending connect radio work when network is removed
When a network is removed it is not desired to proceed the connect
process. So cancel corresponding pending connect work when the related
network is removed.
Jay Shukla [Mon, 9 Jun 2025 18:25:04 +0000 (23:55 +0530)]
Add QCA vendor interface for configuring feature control configurations
Add QCA_NL80211_VENDOR_SUBCMD_FEATURE_CONFIG to control the features
enablement based on the OUI data and capabilities advertised by the AP
in its Beacon and Probe Response frames.
Signed-off-by: Jay Shukla <jayshukl@qti.qualcomm.com>
AP MLD: Deinitt BSS link if starting beaconing fails
In the current implementation, when hostapd_start_beacon() fails during
AP MLD setup, it flushes old station entries, deauthentcates all
stations, and frees hapd data. However, it does not unlink the
associated BSS from the AP MLD structure.
While performing wifi stability testing during interface down/up, this
retains a stale reference to the freed BSS. Subsequent attempts to
access MLD links post-failure lead to a segmentation fault due to this
use-after-free condition.
Fix this by unlinking the BSS from the AP MLD on failure paths to
prevent potential use-after-free scenarios.
Kashish Awasthi [Wed, 25 Jun 2025 09:02:51 +0000 (14:32 +0530)]
Add QCA vendor attributes for DAR configurations
Add Dynamic Analytics Report (DAR) configuration subcommand based on
Wi-Fi Alliance QoS Management specification to initiate DAR request or
terminate existing DAR session.
Implementation and scheduling of DAR statistics is present in the
driver/firmware. DAR reports and control plane events attribute are
filled in the driver. This interface is used to configure the required
parameters to the driver/firmware for DAR request and DAR session
terminate frames.
Add QCA_NL80211_VENDOR_SUBCMD_LINK_STATE_CHANGE event to notify the
current active and inactive links among the affiliated MLO links. This
event is sent to userspace when there is a change in the status of the
links along with the reason for the link status change.
Add QCA vendor subcommand/event and attributes for telemetry statistics
Add two new vendor subcommand/events for telemetry statistics request.
1. QCA_NL80211_VENDOR_SUBCMD_WLAN_TELEMETRY_WIPHY
2. QCA_NL80211_VENDOR_SUBCMD_WLAN_TELEMETRY_WDEV
Currently in the vendor subcmd processing one subcommand can support
either wireless_dev(WDEV) or WIPHY based on the flags set in
wiphy_vendor_command. Hence to support both WDEV and WIPHY two vendor NL
subcommands were added.
This vendor subcommand/event enables the collection of WLAN statistics
across multiple hierarchical levels listed below within the driver.
This is a non-blocking request where the driver responds asynchronously
with a vendor event containing the requested statistics.
In this initial phase, only the attributes for basic RX statistics such
as RXDMA errors and REO errors are included. Keeping this as a base,
additional statistics and attributes will be added incrementally in the
future.
ACS: Fix incorrect call to hostapd_config_check_bss_6g()
In ap_drv_ops.c, the call to hostapd_config_check_bss_6g() is executed
unconditionally. However, it should only be used when the BSS is
actually configured on a 6 GHz operating class. This leads to false
configuration errors in setups where the 6 GHz BSS has proper settings
but other bands (2.4/5 GHz) share the same config structure.
Add the missing is_6ghz_op_class() condition, mirroring how it's already
used elsewhere in the codebase (e.g., in ap_config.c).
Fix verified on OpenWRT 24.10-SNAPSHOT using Mediatek Wi-Fi 7 hardware.
Fixes: 02a8d40c9ffb ("ACS: Validate 6 GHz AP criteria before ACS") Signed-off-by: Christopher Söllinger <christopher.soellinger@gmail.com>
SCS: Renegotiate configured SCS policies with new AP after roaming
After STA roams to a new AP, previously configured SCS policies were not
automatically reapplied, as neither IEEE 802.11 nor WFA mandates policy
persistence across roaming events. However, it can be better for real
use cases to maintain the same configuration whenever possible.
Furthermore, the previously negotiated SCS session might still appear to
be active in wpa_supplicant status after roaming even when it was not
really in use anymore.
Ensures that active SCS rules are retriggered post-roaming to maintain
the agreed QoS levels, preserving consistent performance.
tests: Add PASN tests with user-specified authentication parameters
Introduce test cases for PASN authentication using user-preferred
network parameters such as AKMP, cipher, password, and comeback
cookie data.
These tests validate the ability to initiate PASN from the driver
with full parameter control, ensuring compatibility with recent
control interface enhancements.
PASN: Testing support for PASN with user-specified parameters
Extend control interface support to allow PASN authentication with
user-defined network parameters such as AKMP, cipher, password, and
comeback cookie to be tested with the PASN_AUTH driver event.
Update the pasn_sae_driver test case to align with these control
interface changes.
This enhancement modifies the existing PASN_DRIVER command to accept
additional parameters beyond just the peer BSSID, which was a limitation
in the earlier implementation. This command is included only in
CONFIG_TESTING_OPTIONS builds.
Allow PASN Authentication with a comeback request after the AP's
requested comeback time, as indicated in the status report of the PASN
handshake. Also enable the comeback mechanism by including comeback time
and cookie in the status report to extend PASN Authentication with
comeback.
PASN: Authentication with user-specified network parameters
Allow PASN Authentication with user requested network parameters such
as AKMP, cipher, and password in driver initiated cases.
These changes will allow user to choose which AKMP and cipher to use
with PASN Authentication and also to specified the password in case of
PASN-SAE. When the password is supplied a temporary network block is
created and used to perform PASN. Any temporary network block that is
created will be destroyed after PASN regardless of whether PASN succeeds
or fails.
nl80211: Propagate newly introduced parameters for PASN events
Allow the driver to initiate PASN Authentication using user-preferred
AKMP, cipher for secure ranging, and password for SAE-tunneled PASN
authentication in the cases that use driver event to trigger PASN.
These helper functions for converting between cipher/AKM suites and
internal bitmaps should not be limited to cases where a pointer to a
buffer containing the suite selector is used. Split them into separate
functions that enable more convenient reuse in other places.
Shivani Baranwal [Wed, 11 Jun 2025 05:35:30 +0000 (11:05 +0530)]
tests: Remove setting of P2P pairing setup and pairing cache config
The P2P_SET control interface command for manual configuration of P2P2
pairing setup and caching has been removed. Remove setting of these
parameters from test cases.
Shivani Baranwal [Wed, 11 Jun 2025 05:09:46 +0000 (10:39 +0530)]
P2P2: Remove P2P_SET setting of pairing_setup and pairing_cache
Pairing setup and cache are now derived from driver capabilities. Remove
the control iface P2P_SET commands to set P2P pairing_setup and
pairing_cache.
Shivani Baranwal [Wed, 28 May 2025 09:58:11 +0000 (15:28 +0530)]
P2P2: Remove configuration params p2p_pairing_setup and p2p_pairing_cache
These configuration parameters were added initially to configure them
through wpa_supplicant configutation files. These are not being used as
now the p2p_pairing_setup and p2p_pairing_cache are being configured
based on driver capabilities.
Nirav Shah [Fri, 30 May 2025 16:30:06 +0000 (22:00 +0530)]
Add QCA vendor attributes for latency based power save mode
Add QCA vendor attributes
QCA_WLAN_VENDOR_ATTR_CONFIG_OPM_LATENCY_TOLERANCE and
QCA_WLAN_VENDOR_ATTR_CONFIG_OPM_LEVEL to configure
latency based power save mode.
Shubham Joshi [Tue, 17 Jun 2025 05:46:48 +0000 (11:16 +0530)]
Preserve user roaming configuration across connection state changes
Prevent unintended roaming re-enablement after connection state
changes, even when user configuration disables it.
If user disables roaming, but after each state change post-connection,
wpa_supplicant re-enables roaming when bssid_set is false. This migh
cause the driver to send a roam enable configuration to the firmware,
overriding the user's intent.
Fix this by ensuring wpa_supplicant logic to check both bssid_set and
the user’s roaming configuration (`SET roaming`) after each connection
state change. Ensure roaming is only re-enabled if explicitly
configured, allowing the driver to maintain the intended roaming state
throughout the connection.
Mohan Kumar G [Tue, 17 Jun 2025 15:01:01 +0000 (20:31 +0530)]
Avoid set beacon operations when color change is in progress
Avoid setting beacon during BSS Color Change Announcement (CCA), similar
to Channel Switch Announcement (CSA), as beacon updates to the
corresponding BSSes are not allowed during this period.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com>
Kavita Kavita [Thu, 19 Jun 2025 08:20:47 +0000 (13:50 +0530)]
PASN: Check auth alg to avoid unnecessary Authentication frames parsing
PASN authentication frames are processed before SAE authentication
frames for driver-to-userspace offloased case without verifying the
authentication algorithm in the received frame. This results in
unnecessary frame parsing for non-PASN frames and potentially confusing
debug log entries.
Check the the authentication algorithm before the PASN frame parsing to
ensure only PASN Authentication frames are processed, avoiding
unnecessary parsing.
Benjamin Berg [Wed, 18 Jun 2025 12:22:04 +0000 (14:22 +0200)]
tests: Use logger.exception to dump full traceback
The log sometimes does not contain relevant information. Switch to use
logger.exception which dumps the full exception information. Note that
the logging happens with level ERROR, so it will be dumped to the
stdout/stderr by default.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:21 +0000 (10:10 +0200)]
tests: Permit multiple GO negotiation failures
In this test the station will do a P2P find and then send a GO
negotiation request. However, the other station may not be on the listen
channel at the time when the action frame is transmitted. In this case,
the find/GO neg request sequence is restarted.
The test currently times out if this sequence fails twice in a row. Be
more tolerant to this type of failure and increase the timeout.
It may also be possible to improve the retransmit strategy.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:20 +0000 (10:10 +0200)]
RRM: Send a refuse reply if the measurement scan failed
If the scan is aborted or missing the expected TSF BSSID, then still
send a REFUSED reply to the AP to let it know. It can request another
measurement if it wants to.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Benjamin Berg [Thu, 12 Jun 2025 08:10:19 +0000 (10:10 +0200)]
WPS: Fix leak of dh_ctx in error cases
Usually the dh_ctx is passed into the WPS state and is freed in that
case. However, under some circumstances this may not happen and then a
leak can occur.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:29 +0000 (10:47 +0200)]
tests: Permit encryption of Deauthentication frame
The test does not intentionally send an unencrypted frame. This seems to
simply be done because the parameter value is not obvious. Change it to
permit encryption so that the frame can be sent directly rather than
going through the monitor interface.
This really doesn't make a difference overall, but it is closer to what
was intended here.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:28 +0000 (10:47 +0200)]
tests: Ensure the RoC is setup when the NAN frame arrives
At least in UML it could sometimes happen that the RoC is ready only
slightly after the NAN frame is TXed (a few microseconds). Insert
a short sleep to prevent this race from happening.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:27 +0000 (10:47 +0200)]
tests: Generate proper dependencies for all tests
The object files were not getting any dependency information as they
were using BUILDOBJ directly. Move the rules into a separate include
file and also generate the proper dependency include so that the tests
are rebuild correctly.
This changes building of some tests slightly as their rules were using
$< instead of $^. However, it should not cause any harm.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:26 +0000 (10:47 +0200)]
tests: Improve tshark boolean output support
Newer tshark versions are exporting some values as boolean with a
False/True string value. Add a helper that accepts an integer of any
base and also a "True"/"False" string.
Update various places to use the new helper.
Fixes: bf67d09e587a ("tests: Handle newer tshark version returning boolean values") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:25 +0000 (10:47 +0200)]
tests: Add sleep to ensure wlantest processed packets
At least with EEVDF it appears to occasionally happen that wlantest has
not processed all packets but does respond to the command to query the
BSS counter. Fix this by inserting a sleep.
An alternative approach could be to force command handling into a
timeout or introducing a priority concept to eloop.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:24 +0000 (10:47 +0200)]
tests: Ensure D-Bus property change notifications happen in VM
When running in a VM (UML time-travel to be exact), it may happen that
not enough time passes and the 5 ms timeout for property notification
causes compression of events. However, some tests will check that all
property notifications were done and this compression can cause test
failures.
Work around this by simply inserting a 5 ms sleep for any signal handler
call.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 11 Jun 2025 08:47:23 +0000 (10:47 +0200)]
tests: Use clear_regdom ()helper in ap_vht tests
In some places, the code did not wait for the regulatory domain change.
Replace the cleanup code with calls to clear_regdom as that does the
right thing, which should avoid errors in UML with time-travel mode.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:22:51 +0000 (16:52 +0530)]
AP MLD: Include BPCC only in (Re)Associtiation Response frames
Currently in ML Probe response, the per-STA Profile STA control has BSS
Parameters Change Count (BPCC) present by default for all frames.
As per IEEE P802.11be/D7.0, 9.4.2.322.2.4, AP sets this field to 1 in
(Re)Association Response frame and sets to 0 in other frames.
Hence, update this by including the BPCC present bitmask and BPCC value
in STA Info field for ML (Re)Association Response frames only. However,
since this seems to break interoperability with the current mac80211
implementation for processing Link Reconfiguration Response frames,
leave BPCC present in the Basic MLE in those frames as a workaround for
now.
Signed-off-by: Mohan Kumar G <mkumarg@qti.qualcomm.com> Signed-off-by: Yuvarani V <yuvarani@qti.qualcomm.com> Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
For calculation ML STA profile, currently there are two macros,
EHT_ML_STA_INFO_LEN and EHT_ML_STA_INFO_LENGTH. Both points to same
length, hence remove the later and use EHT_ML_STA_INFO_LEN macro length
definition only.
PASN: Reuse existing PTKSA cache keys instead of redoing PASN
When a successful PASN exchange has already occurred with a peer,
the derived keys are stored in the PTKSA cache. If another PASN
request is received for the same peer, these cached keys should
be reused. However, the cache was previously bypassed due to the
incorrect pairwise cipher argument.
Ensure the correct parameters are set in advance, from the RSNE data
allowing the cache to be used when appropriate.
tests: Fix pasn_sae_driver to clear PTKSA cache after first PASN exchange
The test pasn_sae_driver triggers PASN for the same peers twice. In the
current implementation, when PASN succeeds, the keys generated are
stored in the PTKSA cache.
The function wpas_pasn_configure_next_peer() shows an issue where it
does not reuse keys from a previous PASN exchange, even when those keys
are available in the cache. Instead, it initiates a new PASN exchange
unnecessarily.
Fix the test case by deleting the keys from the cache after the first
PASN attempt. This ensures a full PASN exchange can occur again. A
subsequent commit will address the API behavior to reuse keys from the
cache when available.
Benjamin Berg [Tue, 10 Jun 2025 15:08:57 +0000 (17:08 +0200)]
tests: Try next tshark filter for UnknownFieldsException
The intention in commit cc35ed3e257a ("tests: Permit passing multiple
valid tshark filters") was to permit passing multiple filters in order
to permit compatibility with older tshark versions. However, this did
not work as expected for the UnknownFieldsException.
Fix that by storing it in last_exception as for other errors. This fixes
running some EHT tests with older tshark versions.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Tue, 10 Jun 2025 15:08:55 +0000 (17:08 +0200)]
ctrl_iface: Report all TBTT info elements from RNR
The existing code would only report the first TBTT entry of the first
RNR element. Add the code to first iterate all RNR elements and then
also iterate all TBTT entries for each AP information block.
Fixes: e3e68668c1f6 ("ctrl_iface: Report RNR and ML in BSS command") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Kellen Gattis [Fri, 23 May 2025 05:46:12 +0000 (22:46 -0700)]
RADIUS: Fix long extended type encoding
Using wpa_psk_radius=3 can lead to malformed RADIUS packets that do not
conform to the standard for "Long Extended Type" as defined in RFC 6929.
This was observed when using wpa_psk_radius=3 in conjunction with
wpa_key_mgmt=WPA-PSK FT-PSK that resulted in a RADIUS attribute for
245.26.11344.2 that was 256 octets in size. The expected outcome was two
fragments containing data sizes of 251 and 5 octets, but hostapd instead
created a fragment of 256 octets (exceeded the size limit) followed by a
fragment of 5 octets.
Fix the fragments preceding the final fragment to have the correct data
size by using alen instead of data_len when calling wpabuf_put_data().
Andrew Pope [Fri, 9 May 2025 00:00:30 +0000 (10:00 +1000)]
nl80211: Accept a global nl80211 event to a bridged interface
Global events originating/directed toward a bridged (i.e., WDS) station
are ignored by hostapd. These events are currently considered 'foreign'
and are dropped.
This problem was initially discovered while testing the configuration
parameter 'disassoc_low_ack=1' for bridged stations. It was observed
that the event 'STATION_LOW_ACK', communicated in
'NL80211_CMD_NOTIFY_CQM', would be ignored and the AP would fail to
disassociate the low ack station from the BSS.
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Matej Vrba [Tue, 1 Apr 2025 13:19:01 +0000 (13:19 +0000)]
ACS: Fix using 20 MHz channels in 6 GHz
When configured to use ACS with 20 MHz channels, hostapd incorrectly
rejects half of the available channels with an error messages "Channel
XX: not allowed as primary channel for 40 MHz bandwidth." This includes
all PSC channels.
Signed-off-by: Matěj Vrba <matej.vrba@advantech.cz> Reviewed-by: Nicolas Escande <nico.escande@gmail.com>
Yan Zihan [Tue, 15 Apr 2025 08:49:25 +0000 (16:49 +0800)]
DPP: Conditionally add cipher support based on driver capabilities
By default, wpa_supplicant sets the pairwise and group ciphers to CCMP
(or CCMP+TKIP) when provisioning a network via DPP. As a result,
DPP-provisioned clients are unable to connect to networks that require
GCMP or GCMP-256 ciphers due to cipher mismatch. This issue does not
affect manually-configured network profiles, where supported cipher
suites can be explicitly specified.
Addresse the issue by conditionally enabling the appropriate cipher
suites in the DPP-generated network profile, based on driver
capabilities.
Tested on various chipsets with different cipher capabilities:
Richard Yu [Tue, 15 Apr 2025 11:29:06 +0000 (19:29 +0800)]
AP MLD: Ensure hostapd_deinit_driver() is called when driver_init() fails
Ensure hostapd_deinit_driver() is called when driver_init() fails in
both hostapd_enable_iface() and hostapd_add_iface().
When initializing an AP MLD interface, driver_init() first assigns a
valid private driver interface data pointer (drv_priv) to the
hostapd_iface structure. It then attempts to add a link by calling
hostapd_drv_link_add(). This call may fail under certain conditions,
such as ENETDOWN, EALREADY, or other transient errors.
In such failure cases, the hostapd interface retains a valid drv_priv
pointer, but no cleanup is performed. This results in an untracked
reference to the private driver interface data. While the memory backing
drv_priv will eventually be freed when the last interface sharing it is
deinitialized, the lack of cleanup in early failure paths can lead to
invalid memory access, potentially resulting in a segmentation fault.
Ensure that hostapd_deinit_driver() is invoked in both failure paths to
properly release driver resources and maintain consistency across
interface initialization routines.
Signed-off-by: Richard Yu <richard.yu@mitrastar.com.tw>
Marek Zarychta [Tue, 22 Apr 2025 21:13:42 +0000 (23:13 +0200)]
BSD: Handle systems without legacy IP support
Currently, wpa_supplicant fails to operate when legacy IP support is
disabled (i.e., the system is built with WITHOUT_INET and the kernel is
configured with nooptions INET). Address the issue by enabling
wpa_supplicant to run and connect to wireless networks even in the
absence of AF_INET, as long as AF_INET6 is available.
Signed-off-by: Marek Zarychta <zarychtam@plan-b.pwste.edu.pl>
Pooventhiran G [Wed, 18 Jun 2025 19:05:09 +0000 (00:35 +0530)]
AP MLD: Remove Link STA on Group KDE length check failure
If accepting an add-request in Link Reconfiguration causes the Group KDE
Length subfield to exceed max length, the request is rejected, but the
link STA will already have been added to the kernel driver.
Hence, remove the link STA on max length check failure.
Fixes: 60b3884948c6 ("AP MLD: Validate Link Reconfiguration Request frame after parsing") Signed-off-by: Pooventhiran G <pooventh@qti.qualcomm.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:19:04 +0000 (16:49 +0530)]
tests: ML Setup Link Reconfiguration
Add a test case to connect AP and STA in two links and perform ML Setup
Link Reconfiguration to remove a link and add the link back.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
Mohan Kumar G [Mon, 16 Jun 2025 11:19:03 +0000 (16:49 +0530)]
AP MLD: Control interface events for ML Setup Link Reconfiguration
Add control interface events in hostapd for link STA removal and
addition operations from link reconfiguration.
Co-developed-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com> Signed-off-by: Mohan Kumar G <quic_mkumarg@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:19:00 +0000 (16:49 +0530)]
AP MLD: Check if non-AP STA in reconfig add-request already exists
As per IEEE P802.11be/D7.0, the non-AP STA requested in ML Setup link
reconfiguration for "add" operation should not have the (link) MAC address
associated to any non-AP STA which is either affiliated or not to a
non-AP MLD on the corresponding AP link affiliated with the AP MLD.
Enforce this condition and reject the operation otherwise.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:59 +0000 (16:48 +0530)]
AP MLD: Process TX status for Link Reconfiguration Response frame
When a Link Reconfiguration Response frame is ACK-ed, the AP MLD can
complete reconfiguration operations. Process the accepted del-link
requests, and if the link that is removed is the association link,
assign a new (soft) association link to maintain ML setup and APIs.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:57 +0000 (16:48 +0530)]
AP MLD: Validate Link Reconfiguration Request frame after parsing
When a Link Reconfiguration Request frame is successfully parsed and set
up with context, validate the request to verify links requested for
operation(s) are valid.
While at it, if accepting the request after current validation tends to
leave the ML Setup with no remaining links, recover from the situation
by rejecting a "delete" link request. Currently, the "delete" link
request with the lowest link ID will be rejected.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Pooventhiran G [Mon, 16 Jun 2025 11:18:56 +0000 (16:48 +0530)]
AP MLD: Process Link Reconfiguration Request frame for ML Setup links
A non-AP MLD can change the ML setup links (adding a new link or
removing an existing link) by using the Link Reconfiguration to Setup
Links procedure, as per IEEE P802.11be/D7.0.
Add support for an AP MLD to parse the Link Reconfiguration Request
frame and set up context with necessary information.
Reviewed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
nl80211: Set to AP mode before adding to bridge during AP interface addition
Commit dd1587c91541 ("hostapd: Allow reuse of existing interface for AP
MLD") added support to change mode to AP if it is already not while
adding the interface. However, this is currently done after bridge
addition is done. Now, in a few systems, bridge addition fails with
following:
nl80211: Driver for phy phy0 already exist
nl80211: Create interface iftype 3 (AP)
Failed to create interface wlan0: -23 (Too many open files in system)
nl80211: Continue using existing interface wlan0
nl80211: Adding interface wlan0 into bridge br-lan
Could not add interface wlan0 into bridge br-lan: Not supported
nl80211: Failed to add interface wlan0 into bridge br-lan: Not supported
nl80211: Set mode ifindex 17 iftype 3 (AP)
nl80211: Failed to set interface 17 to mode 3: -16 (Resource busy)
Failed to add BSS (BSSID=AA:BB:CC:DD:EE:FF)
Hence, to avoid this issue, move logic to set mode to AP before adding
to bridge. Since BSS needs to be partially initialized before attempting
to set mode, move the certain assignments as well above it.
Yuvarani V [Sun, 1 Jun 2025 17:18:08 +0000 (22:48 +0530)]
WNM: Disassociate STA only when Link Removal Imminent is 0 in BTM Request frame
When BSS Transition Management (BTM) Request frame is sent by an AP MLD
with disassociation timer set, it is expected to arm disassociation
timer for the STA and eventually disassociate it once the timer expires.
The current code avoids this by assuming that the ML association is not
being terminated and only the link is being removed. However, link
removal is scheduled only when Link Removal Imminent field is set in BTM
request, as per IEEE P802.11be/D7.0 - 9.6.13.9 (BSS Transition
Management Request frame format). If the Link Removal Imminent field in
the Request Mode field is set to 1, the BSS Termination Included field
indicates that the BSS, whose AP transmits this BSS Transition
Management Request frame, is shutting down. In this case, the STA
associated with the AP or the non-AP MLD that has set up only this link
will be disassociated and the non-AP MLD that has set up more than this
link remains associated to the AP MLD with the remaining setup link(s).
Hence, schedule disassociation for STA unless Link Removal Imminent bit
is set to 1 in the BTM Request frame.
Signed-off-by: Yuvarani V <yuvarani@qti.qualcomm.com>
Hu Wang [Fri, 30 May 2025 03:24:24 +0000 (20:24 -0700)]
Delete PMKID from driver when PMKSA entry is freed in Authenticator
For SME-in-driver, external SAE authentication (i.e., the driver
offloading SAE processing to hostapd) the PMKID is configured to the
driver on successful completion, but this is not cleared when hostapd
frees its PMKSA entry. This causes the driver and hostapd to get out of
sync.
This can result in the driver accepting an association with an unknown
(to hostapd) PMKID, but hostapd ending up using Deauthentication frame
due to that unknown PMKID. iPhone as a client seems to only clear its
PMKSA entry based on with asssociation rejection and thus, it might
retry again and again with the same unknown-to-hostapd PMKID.
Remove the PMKID from the driver when the matching PMKSA is remove from
hostapd to avoid this.
Ainy Kumari [Thu, 22 May 2025 12:51:40 +0000 (18:21 +0530)]
SAE: Fix AKM suite selector for external authentication compatibility
Kernel commit 4f4d8be6dc37 ("wifi: nl80211: force WLAN_AKM_SUITE_SAE in
big endian in NL80211_CMD_EXTERNAL_AUTH") enforces WLAN_AKM_SUITE_SAE to
be passed in big-endian format in NL80211_CMD_EXTERNAL_AUTH for all
drivers. This is causing issues for cross-AKM roaming cases (e.g.,
roaming from SAE-EXT-KEY AP to SAE AP) with current wpa_supplicant
implementation since it is considering the connected AP AKM as the
target AP AKM when WLAN_AKM_SUITE_SAE is indicated in big-endian format
in NL80211_CMD_EXTERNAL_AUTH.
To fix this, always set external authentication AKM as
WLAN_AKM_SUITE_SAE when WLAN_AKM_SUITE_SAE indicated in big endian
format in NL80211_CMD_EXTERNAL_AUTH.
This change is still compatible with old drivers since there is no
change in SAE authentication procedure when the target AP AKM is SAE or
FT-SAE.
Kavita Kavita [Wed, 14 May 2025 08:52:03 +0000 (14:22 +0530)]
hostapd: Allow channel switch between hw_modes
Commit 3e2758b19a75 ("hostapd: Avoid channel selection across underlying
hardware index") enforcing target channel to be present in the current
hw_mode even though the hostapd_iface can support multiple hw_modes. Due
to this channel switch request between different hw_modes getting
rejected always.
To fix this, determine the target hw_mode of the channel switch request
and use it for validating against current underlying hardware index.
nakul kachhwaha [Tue, 6 May 2025 05:20:48 +0000 (10:50 +0530)]
Fix QCA vendor attribute documentation
Fix the list of valid values for the attribute
QCA_WLAN_VENDOR_ATTR_TWT_NUDGE_NEXT_TWT_SIZE in the comment section.
This was not supposed to be a bitmap, but a consecutive sequence of
integers. The previously defined value has not been used.
Chenming Huang [Fri, 16 May 2025 01:57:27 +0000 (07:27 +0530)]
AP MLD: Use hostapd-based ACL for MLO cases
Currently NL80211_CMD_SET_MAC_ACL is not supported for MLO cases.
Since this command has no upstream driver support, further extension
might not be accepted and this command itself may be removed in the
future, too.
To support the same ACL setting from hostapd control interface, use
hostapd-based ACL instead when comes to MLO case. In addition, verify
both the link addresses and MLD MAC addresses of the non-AP MLD.
Chenming Huang [Wed, 14 May 2025 02:02:09 +0000 (10:02 +0800)]
P2P: Allow upgrade to 160 MHz if 80 MHz allowed and AUTO_BW flag is set
Upgrade to 160 MHz when AUTO_BW flag is set in contiguous frequency
range. This is needed to allow regdb rules for 160 MHz channels to be
used correctly when some of the differences between the 80 MHz parts of
the full channel has resulted in AUTO_BW flag being used.
Currently, hostapd tries to access MLO related functions and structures
even when 'ieee80211be' is unset, as 'mld_ap' is set. This is wrong and
at times, it leads to unexpected issues.
Address this by rejecting the configuration when mld_ap is set, while
'ieee80211be' is unset or disable_11be is set.
While at it, clear the mld_ap while disable_11be flag is modified during
configuration validation.
AP MLD: Correct link handling for MLO Disassociation
When transmitting a Disassociation frame, MLD link_id was not
considered, default value of -1 sent. Because of this, the first link
was always used to send Disassociation frames.
Address this by sending the corressponding 'mld_link_id' to the driver
if the Disassociation frame is sent by an AP MLD.
Muna Sinada [Wed, 28 May 2025 15:43:05 +0000 (21:13 +0530)]
Do not add Channel Switch Wrapper element without VHT/HE/EHT
Only include the Channel Switch Wrapper element in Beacon and Probe
Response frames when at least one of the PHY modes IEEE 802.11ac, IEEE
802.11ax, or IEEE 802.11be is enabled and not explicitly disabled in the
configuration.
This avoids unnecessary inclusion of the Channel Switch Wrapper element
when none of these modes are active, ensuring better compliance with the
capabilities advertised by the AP.
projects / thirdparty / hostap.git / log
