When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.
hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).
This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).
Signed-hostap: Jouni Malinen <j@w1.fi>
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.
This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
Currently, when different BSS using different tagged vlan
interfaces, they are forced to share the bridge brvlan#,
which is not desirable.
This patch fixes this by making the bridge name configurable.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
This cleans up debug log by not including comments about failed
operations in case the operation is known to fail due to not being
supported by the driver.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This was previously claimed to be in ms, but the field in BSS Transition
Management Request frame is in number of TBTTs (beacon interval). Use
that unit in the ESS_DISASSOC control interface command to be able to
specify any value and just modify the timeout value to be calculated
based on beacon interval.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This is needed to avoid allowing the STA to reconnect using a cached
PMKSA. ESS disassoc imminent notification is normally used to indicate
that the STA session will be terminated and as such, requiring full
authentication through the authentication server after this is needed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The hostapd_cli ess_disassoc command now takes three arguments (STA MAC
address, timeout in ms, URL) and the STA is disconnected after the
specified timeout.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
This function can be used instead of wpa_msg() and wpa_msg_ctrl() to
indicate that an event is not specific to a network interface.
Signed-hostap: Jouni Malinen <j@w1.fi>
This updates hostapd to build using the new keystore header file
location and adds a note that the old frameworks/base/cmds/keystore can
be removed at some point in the future when old Android releases do not
need to be supported.
Signed-hostap: Jouni Malinen <j@w1.fi>
This patch is based on the original work by Boris Presman and
Victor Goldenshtein. Channel Switch Announcement support has been
removed and event handling as well as channel set handling was
changed, among various other changes.
Cc: Boris Presman <boris.presman@ti.com>
Cc: Victor Goldenshtein <victorg@ti.com>
Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
For some testing it can be useful to force the Key MIC in group
EAPOL-Key frames to be corrupt. Add an option to allow setting a
probability for corrupting the Key MIC and use it in the WPA code,
increasing the first byte of the MIC by one to corrupt it if desired.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Previously, this was initialized partially, but the interface was
not really started. That could result in eloop_run() returning
immediately and hostapd process getting stopped without any clear
indication of a failure. [Bug 479]
Signed-hostap: Jouni Malinen <j@w1.fi>
My APs generate their configuration on their own using a different
number of (vlan-enabled) bss. Currently, all my vlan_file files consist
of a single line: the wildcard line. Configuration file generation would
be easier, if the hostapd configuration file would not depend on those
simple vlan_file files.
This patch removes the need for those one-line files by using the
<device>.<vlan> naming scheme if no vlan_file is given (or that file is
empty). This should not break any existing setup, as using dynamic_vlan
with no vlan configured does not make sense anyway.
Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
In order to test clients in scenarios where APs may (randomly)
drop certain management frames, introduce some testing options
into the hostapd configuration that can make it ignore certain
frames. For now, these are probe requests, authentication and
(re)association frames.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
Some extended capabilities (I'm currently interested in "Operating Mode
Notification" for VHT) are implemented by the kernel driver and exported
in nl80211. Use these in hostapd/wpa_supplicant.
Signed-hostap: Johannes Berg <johannes.berg@intel.com>
The new wps_independent=1 configuration parameter can be used to remove
interfaces from the shared hostapd process WPS control (i.e., to apply
WPS operations only to a subset of interfaces instead of all).
Signed-hostap: Jouni Malinen <j@w1.fi>
The new -G<group> command line argument can now be used to set the group
for the control interfaces to enable cases where hostapd is used without
a configuration file and the controlling program is not running with
root user privileges.
Signed-hostap: Jouni Malinen <j@w1.fi>
Replace CONFIG_IEEE80211V with CONFIG_WNM to get more consistent build
options for WNM-Sleep Mode operations. This is similar to the Makefile
change in commit ad3872a372.
Signed-hostap: Jouni Malinen <j@w1.fi>
This is needed to avoid errors when reporting the result of an NFC
connection handover that failed.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
The last couple of changes to the control interface commands for NFC
connection handover had not yet been documented.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
"WPS_NFC_TOKEN <WPS/NDEF>" used to generate a new NFC password token
regardless of whether there was a pre-configured token in the
configuration. Change this to use the pre-configured value, if
available, instead. This allows the same command to be used to write the
password token to an NFC tag more conveniently.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Instead of reporting only one connection handover message, report
completion of NFC connection handover with carrier record from both the
request and select messages.
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Control interface command "NFC_GET_HANDOVER_SEL NDEF WPS-CR" can now be
used to fetch WPS carrier record from hostapd.
Signed-hostap: Jouni Malinen <j@w1.fi>
This allows FFC groups to be used with SAE. Though, these groups are not
included in the default sae_groups value based on what is available
since the FFC groups have the additional requirement of using a safe
prime with the current implementation (or specification of the group
order).
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.
Signed-hostap: Jouni Malinen <j@w1.fi>
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.
Signed-hostap: Jouni Malinen <j@w1.fi>