When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
802.11r can not be used when selecting WPA. It needs at least WPA2.
This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.
Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
[Upstream Backport]
The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.
Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Make the call deferred instead of blocking to avoid deadlock issues
Fixes: 3df9322771 ("hostapd: make ubus calls to wpa_supplicant asynchronous")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit b7f9742da8.
There are several reports of regressions with this commit. Will be added
back once I've figured out and fixed the cause
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This is not activated by default and must be explicitly enabled via ubus
It supports reporting log messages and netlink packets
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.
This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.
Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
noscan option for mesh was broken and actually never applied.
This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Signed-off-by: David Bauer <mail@david-bauer.net>
Recent hostapd changes just edited the ucode files. It is required to
bump the PKG_RELEASE to include the newest changes in the latest builds.
Signed-off-by: Nick Hainke <vincent@systemli.org>
If the full interface is restarted while bringing up an AP, it can trigger a
wpa_supplicant interface start before wpa_supplicant is notified of the
allocated mac addresses.
Fix this by moving the iface_update_supplicant_macaddr call to just after
the point where mac addresses are allocated.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The patch refresh accidentally moved the hostapd_ucode_free_iface call to
the wrong function
Fixes: e9722aef9e ("hostapd: fix a crash when disabling an interface during channel list update")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When STA is disconnected, ensure that the interface is in a cleanly stopped
state:
- if in regular enable/disable state, stop beacons if necessary
- in any other state, disable the interface
When the STA is up, ignore repeated start commands for the same channel, in
order to avoid unnecessary AP restarts
Signed-off-by: Felix Fietkau <nbd@nbd.name>
8e6485a1bcb0 PEAP client: Update Phase 2 authentication requirements
de9a11f4dde9 TTLS client: Support phase2_auth=2
b2a1e7fe7ab9 tests: PEAP and TTLS phase2_auth behavior
518ae8c7cca8 P2P: Do not print control characters in debug
a4c133ea73c7 WPS: Optimize attribute parsing workaround
7a37a94eaa0d Check whether element parsing has failed
f80d83368818 ACS: Remove invalid debug print
fb2b7858a728 FILS: Fix HE MCS field initialization
50ee26fc7044 P2P: Check p2p_channel_select() return value
a50d1ea6a2b3 Add QCA vendor attributes for user defined power save parameters
4636476b7f22 Set RRM used config if the (Re)Association Request frame has RRM IE
e53d44ac63e8 AP MLD: Use STA assoc link address in external auth status to the driver
99a96b2f9df7 AP MLD: OWE when SME is offloaded to the driver
96deacf5d710 nl80211: Skip STA MLO link channel switch handling in AP mode
d320692d918a AP MLD: Handle new STA event when using SME offload to the driver
faee8b99e928 tests: Fix eht_mld_sae_legacy_client to restore sae_pwe
c3f465c56c94 wlantest: Handle variable length MIC field in EAPOL-Key with OWE
605034240e0c wlantest: Support multiple input files
053bd8af8ed2 Recognize FTE MLO subelements
43b5f11d969a Defragmentation of FTE
3973300b8ded FTE protected element check for MLO Reassociation Response frame
74e4a0a6f1e4 wlantest: Learn AP MLD MAC address from Beacon frames
a5a0b2cf7b1b wlantest: Find non-AP MLD only from affiliated BSSs of the AP MLD
74472758584d wlantest: Recognize non-AP MLD based on any link address for decryption
1ffabd697c67 wlantest: Learn non-AP MLD MAC address from (Re)Association Request frames
4e8e515f92b9 wlantest: Use MLO search for the STA in reassociation
49bf9f2df95a wlantest: Use the MLD MAC address as well for matching STA entries
5434a42ec69c wlantest: Search for FT Target AP using MLD MAC address as well
a19fcf685cae wlantest: Include the MLD MAC address of the AP MLD in new-STA prints
709d46da73da wlantest: Do not claim update to AP MD MAC address if no change
770760454f9e wlantest: Do not update BSS entries for other AP MLDs in PTK cloning
084745ffc508 Add QCA vendor attributes for NDP setup
bf9cbb462fd9 Fix writing of BIGTK in FT protocol
011775af9443 tests: Check for beacon loss when using beacon protection
8f148d51322f Fix a compiler warning on prototype mismatch
b7db495ad9c9 AP: Fix ieee802_1x_ml_set_sta_authorized()
232667eafe0d Fix CCMP test vector issues
30771e6e05ed Include PTID in PV1 nonce construction for CCMP test vector
34841cfd9aba Minor formatting changes to CCMP test vectors
a685d84139e6 BSS coloring: Fix CCA with multiple BSS
bc0636841a70 wpa_supplicant: Fix configuration parsing error for tx_queue_*
2763d1d97e66 hostapd: Fix AID assignment in multiple BSSID
763a19286e2f AP: Add configuration option to specify the desired MLD address
bd209633eb10 AP: Use is_zero_ether_addr() to check if BSSID is NULL
bc0268d053b4 wlantest: Guess SAE/OWE group from EAPOL-Key length mismatch
a94ba5322803 EHT: Support puncturing for 320 MHz channel bandwidth
7e1f5c44c97e EHT: 320 MHz DFS support
6f293b32112a QCA vendor attributes for updating roaming AP BSSID info
5856373554eb Extend QCA vendor command to include more parameters for netdev events
e080930aa0a5 Define QCA vendor roam control RSSI attributes
fe72afe713ad Define QCA vendor attribute for high RSSI roam trigger threshold
47a65ccbfde2 P2P: Clean wpa_s->last_ssid when removing a temporary group network
884125ab7d21 tests: P2P autonomous GO and clearing of networking information
7637d0f25053 P2P: Do not filter pref_freq_list if the driver does not provide one
dd1330b502ff Fix hostapd interface cleanup with multiple interfaces
0a6842d5030e nl80211: Fix beacon rate configuration for legacy rates 36, 48, 54 Mbps
d606efe054d5 tests: Beacon rate configuration for 54 Mbps
f91d10c0e6aa tests: Update RSA 3k certificates
07d3c1177bbb tests: Make sae_proto_hostapd_status_* more robust
1085e3bdc6f6 Update iface->current_mode when fetching new hw_features
338a78846b44 Add a QCA vendor sub command for transmit latency statistics
9318db7c38bc wlantest: Use local variables for AA/SPA in FT Request/Response processing
628b9f10223d wlantest: Derive PMK-R1 and PTK using AA/SPA for MLO FT over-the-DS
104aa291e5c8 wlantest: Fix FT over-the-DS decryption
37c87efecfe3 wlantest: Search SPA using MLO aware find for FT Request/Response frame
19f33d7929e8 wlantest: Learn the Link ID for AP MLD affiliated BSSs
6ae43bb10323 wlantest: Learn link address for assoc link from (Re)Association Request
4c079dcc64da Increment hmac_sha*_vector() maximum num_elem value to 25
e6f64a8e1daf FT: FTE MIC calculation for MLO Reassociation Request frame
a83575df5994 wlantest: FTE MIC calculation for MLO Reassociation Request frames
ff02f734baf8 wlantest: Allow specific link BSS to be found with bss_find_mld()
7381c60db8f0 FT: Make FTE MIC calculation more flexible
ac9bf1cc2a4c Decrement hmac_sha*_vector() maximum num_elem value to 11
aa08d9d76803 Fix use of defragmented FTE information
78b153f90a74 Calculate defragmented FTE length during IE parsing
8cf919ffd5c4 wlantest: FTE MIC calculation for MLO Reassociation Response frame
d12a3dce82a9 wlantest: Store and check SNonce/ANonce for FT Authentication
20febfd7838d wlantest: Dump MLO association information in debug
609864d6a8a1 Add QCA vendor attribute to configure MLD ID in ML probe request
12154861e24a Add support for conversion to little endian for 24 bits
c437665041c0 Add Non EHT SCS Capability in (Re)Association Request frames
33da386553b7 SCS: Add support for QoS Characteristics in SCS request
edfca280cbe8 SCS: Add support for optional QoS Charateristics parameters
32dcec9529ec Send actual MFP configuration when driver takes care of BSS selection
123d16d860fa Update hw_mode when CSA finishes
b3d852560bda Change QCA vendor configure attribution name of peer MAC address
12fabc4765c2 Add QCA vendor attribute for configuring max A-MPDU aggregation count
f6eaa7b729cb Add QCA vendor attribute for TTLM negotiation support type
f6dcd326fea7 wlantest: Indicate ToDS/FromDS values for BSS DATA entries
6ce745bb87d4 wlantest: MLO support for decrypting 4-address frames
850dc1482953 wlantest: Remove duplicated A1/A2/A3 override detection for MLO
770e5a808fbb wlantest: Determine whether A1 points to STA once in rx_data_bss_prot()
377d617b574a Define new BSS command info mask for AP MLD address
d3ab6e001f62 wlantest: Use non-AP MLD's MLD MAC address in FT over-the-air derivation
a845601ffe32 wlantest: Derive PTK in MLO using MLD MAC addresses for FT over-the-air
0cd2bfc8a402 wlantest: Fix FTE MIC calculation for MLO Reassociation Response frames
528abdeb673b wlantest: Learn group keys from MLO FT Reassociation Response frames
990600753dd9 wlantest: Defragment Basic MLE before processing
de043ec01ab5 wlantest: Defragment the Per-STA Profile subelement
bae1ec693c44 wlantest: Minimal parsing of Basic MLE STA Profile
ba1579f3bf7c Clear BIGTK values from wpa_supplicant state machine when not needed
b46c4b9a916a tests: Beacon protection and reconnection
3e71516936b7 Document per-ESS MAC address (mac_addr=3 and mac_value)
f85b2b2dee3b Extend wpa_parse_kde_ies() to include EHT capabilities
e3a68081bc1e driver: Add option for link ID to be specified for send_tdls_mgmt()
c7561502f2e8 nl80211: Use a QCA vendor command to set the link for TDLS Discovery Response
a41c8dbdd84e TDLS: Copy peer's EHT capabilities
626501434be1 TDLS: Learn MLD link ID from TDLS Discovery Response
5f30f62eead7 TDLS: Reply to Discovery Request on the link with matching BSSID
940ef9a05c0f TDLS: Use link-specific BSSID instead of sm->bssid for MLO cases
f429064189c3 TDLS: Set EHT/MLO information for TDLS STA into the driver
dd25885a9daa Remove space-before-tab in QCA vendor related definitions
af6e0306b2a9 Fix typos in QCA vendor related definitions
4c9af238c1e4 Fix inconsistent whitespace use in QCA vendor related definitions
e5ccbfc69ecf Split long comment lines in QCA vendor related definitions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
MAC address and interface name assigned by mac80211.sh depend on the order in
which interfaces are brought up. This order changes when interfaces get added
or removed, which can cause unnecessary reload churn.
One part of the fix it making MAC address allocation more dynamic in both
wpa_supplicant and hostapd, by ignoring the provided MAC address using
the next available one, whenever the config does not explicitly specify one.
The other part is making use of support for renaming netdevs at runtime and
preserving the MAC address for renamed netdevs.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
set_config causes the ucode bss resource to be re-created and because of that
the bss list needs to be updated as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
