diff mbox series

[11/13] mbssid: hidden SSID support

Message ID 20220302222634.22185-12-quic_alokad@quicinc.com
State Changes Requested
Headers show
Series hostapd: MBSSID and EMA support | expand

Commit Message

Aloka Dixit March 2, 2022, 10:26 p.m. UTC 
Hidden nontransmitted BSSID profiles will be included in the beacons
and probe responses but SSID value will be removed or set to all
zeros depending on the configured value of 'ignore_broadcast_ssid'.
If complete profiles are omitted, clients cannot stay connected to
the AP.
For unicast probe requests with SSID set to a hidden nontransmitted
BSS, complete SSID should be included in the response.

Co-developed-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Signed-off-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
---
 src/ap/beacon.c     | 25 +++++++++++++++++++------
 src/ap/ieee802_11.c | 24 +++++++++++++++++++-----
 2 files changed, 38 insertions(+), 11 deletions(-)

Comments

Jouni Malinen April 7, 2022, 8:48 p.m. UTC | #1 
On Wed, Mar 02, 2022 at 02:26:32PM -0800, Aloka Dixit wrote:
> Hidden nontransmitted BSSID profiles will be included in the beacons
> and probe responses but SSID value will be removed or set to all
> zeros depending on the configured value of 'ignore_broadcast_ssid'.
> If complete profiles are omitted, clients cannot stay connected to
> the AP.
> For unicast probe requests with SSID set to a hidden nontransmitted
> BSS, complete SSID should be included in the response.

Do we really need this functionality with MBSSID? Hidden SSID is not
compliant with the IEEE 802.11 standard, does not provide any real
security, causes issues for stations, and should not really have been
ever deployed in the first place.
Aloka Dixit April 21, 2022, 6:08 p.m. UTC | #2 
On 4/7/2022 1:48 PM, Jouni Malinen wrote:
> On Wed, Mar 02, 2022 at 02:26:32PM -0800, Aloka Dixit wrote:
>> Hidden nontransmitted BSSID profiles will be included in the beacons
>> and probe responses but SSID value will be removed or set to all
>> zeros depending on the configured value of 'ignore_broadcast_ssid'.
>> If complete profiles are omitted, clients cannot stay connected to
>> the AP.
>> For unicast probe requests with SSID set to a hidden nontransmitted
>> BSS, complete SSID should be included in the response.
> 
> Do we really need this functionality with MBSSID? Hidden SSID is not
> compliant with the IEEE 802.11 standard, does not provide any real
> security, causes issues for stations, and should not really have been
> ever deployed in the first place.
> 

For now, I need to add the support for MBSSID case as well because we 
don't want the configuration ignored if it is set in the user config.
If we do remove the whole functionality in future, then MBSSID part can 
be removed at the same time.
Jouni Malinen April 21, 2022, 9:33 p.m. UTC | #3 
On Thu, Apr 21, 2022 at 11:08:50AM -0700, Aloka Dixit wrote:
> On 4/7/2022 1:48 PM, Jouni Malinen wrote:
> > Do we really need this functionality with MBSSID? Hidden SSID is not
> > compliant with the IEEE 802.11 standard, does not provide any real
> > security, causes issues for stations, and should not really have been
> > ever deployed in the first place.
> 
> For now, I need to add the support for MBSSID case as well because we don't
> want the configuration ignored if it is set in the user config.
> If we do remove the whole functionality in future, then MBSSID part can be
> removed at the same time.

That does not sound like the best approach to address that. It would
seem simpler to reject the MBSSID configuration if it tries to use a
hidden SSID.
diff mbox series

Patch

diff --git a/src/ap/beacon.c b/src/ap/beacon.c
index be0f0658155a..5f22dfc8cde2 100644
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
@@ -547,6 +547,7 @@  static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 	struct ieee80211_mgmt *resp;
 	u8 *pos, *epos, *csa_pos, *ext_cap_pos;
 	size_t buflen;
+	struct hostapd_data *hapd_probed = hapd;
 
 	hapd = hostapd_mbssid_get_tx_bss(hapd);
 
@@ -584,7 +585,8 @@  static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 	}
 #endif /* CONFIG_IEEE80211AX */
 
-	buflen += hostapd_eid_mbssid_len(hapd, WLAN_FC_STYPE_PROBE_RESP, NULL);
+	buflen += hostapd_eid_mbssid_len(hapd_probed, WLAN_FC_STYPE_PROBE_RESP,
+					 NULL);
 	buflen += hostapd_eid_rnr_len(hapd, WLAN_FC_STYPE_PROBE_RESP);
 	buflen += hostapd_mbo_ie_len(hapd);
 	buflen += hostapd_eid_owe_trans_len(hapd);
@@ -612,9 +614,20 @@  static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 
 	pos = resp->u.probe_resp.variable;
 	*pos++ = WLAN_EID_SSID;
-	*pos++ = hapd->conf->ssid.ssid_len;
-	os_memcpy(pos, hapd->conf->ssid.ssid, hapd->conf->ssid.ssid_len);
-	pos += hapd->conf->ssid.ssid_len;
+	if (hapd->conf->ignore_broadcast_ssid && hapd != hapd_probed) {
+		if (hapd->conf->ignore_broadcast_ssid == 2) {
+			*pos++ = hapd->conf->ssid.ssid_len;
+			os_memset(pos, 0, hapd->conf->ssid.ssid_len);
+			pos += hapd->conf->ssid.ssid_len;
+		} else {
+			*pos++ = 0; /* empty SSID */
+		}
+	} else {
+		*pos++ = hapd->conf->ssid.ssid_len;
+		os_memcpy(pos, hapd->conf->ssid.ssid,
+			  hapd->conf->ssid.ssid_len);
+		pos += hapd->conf->ssid.ssid_len;
+	}
 
 	/* Supported rates */
 	pos = hostapd_eid_supp_rates(hapd, pos);
@@ -653,8 +666,8 @@  static u8 * hostapd_gen_probe_resp(struct hostapd_data *hapd,
 	pos = hostapd_eid_supported_op_classes(hapd, pos);
 	pos = hostapd_eid_ht_capabilities(hapd, pos);
 	pos = hostapd_eid_ht_operation(hapd, pos);
-	pos = hostapd_eid_mbssid(hapd, pos, epos, WLAN_FC_STYPE_PROBE_RESP, 0,
-				 NULL);
+	pos = hostapd_eid_mbssid(hapd_probed, pos, epos,
+				 WLAN_FC_STYPE_PROBE_RESP, 0, NULL);
 
 	ext_cap_pos = pos;
 	pos = hostapd_eid_ext_capab(hapd, pos);
diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 3365b48fa639..36d6831b2376 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -7490,11 +7490,16 @@  static size_t hostapd_eid_mbssid_elem_len(struct hostapd_data *hapd,
 		 * Sublement ID: 1 byte
 		 * Length: 1 byte
 		 * Nontransmitted capabilities: 4 bytes
-		 * SSID element: 2 + variable
+		 * SSID element: 2 + variable (except for hidden BSS)
 		 * Multiple BSSID Index Element: 3 bytes (+2 bytes in beacons)
 		 * Fixed length = 1 + 1 + 4 + 2 + 3 = 11
 		 */
-		nontx_profile_len = 11 + bss->conf->ssid.ssid_len;
+		nontx_profile_len = 11;
+
+		if (!bss->conf->ignore_broadcast_ssid ||
+		    bss->conf->ignore_broadcast_ssid == 2 ||
+		    (frame_type == WLAN_FC_STYPE_PROBE_RESP && bss == hapd))
+			nontx_profile_len += bss->conf->ssid.ssid_len;
 
 		if (frame_type == WLAN_FC_STYPE_BEACON)
 			nontx_profile_len += 2;
@@ -7593,9 +7598,18 @@  static u8 * hostapd_eid_mbssid_elem(struct hostapd_data *hapd, u8 *eid, u8 *end,
 		eid += sizeof(capab_info);
 
 		*eid++ = WLAN_EID_SSID;
-		*eid++ = conf->ssid.ssid_len;
-		os_memcpy(eid, conf->ssid.ssid, conf->ssid.ssid_len);
-		eid += conf->ssid.ssid_len;
+		if (!conf->ignore_broadcast_ssid ||
+		    (frame_type == WLAN_FC_STYPE_PROBE_RESP && bss == hapd)) {
+			*eid++ = conf->ssid.ssid_len;
+			os_memcpy(eid, conf->ssid.ssid, conf->ssid.ssid_len);
+			eid += conf->ssid.ssid_len;
+		} else if (conf->ignore_broadcast_ssid == 2) {
+			*eid++ = conf->ssid.ssid_len;
+			os_memset(eid, 0, conf->ssid.ssid_len);
+			eid += conf->ssid.ssid_len;
+		} else {
+			*eid++ = 0;
+		}
 
 		*eid++ = WLAN_EID_MULTIPLE_BSSID_INDEX;
 		if (frame_type == WLAN_FC_STYPE_BEACON) {