Commit graph

145 commits

Author SHA1 Message Date
Jouni Malinen
d3bddd8b84 ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.

The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:27 +02:00
Jouni Malinen
2a5156a66c ERP: Add optional EAP-Initiate/Re-auth-Start transmission
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:08:56 +02:00
Jouni Malinen
0ecff8d7c3 Add hostapd driver_params config parameter
This is mainly for development testing purposes to allow driver_nl80211
behavior to be modified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:24:42 +02:00
Jouni Malinen
ebd557288c Remove forgotten driver_test.c variables
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 12:49:55 +02:00
Jouni Malinen
01b32d5e36 Remove references to madwifi from various files
Number of documentation and configuration files had references to the
madwifi driver interface that was removed in the previous commit. Remove
these references as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-01 16:15:53 +02:00
Kyeyoon Park
7d597d4617 AP: Add support for Proxy ARP, DHCP snooping mechanism
Proxy ARP allows the AP devices to keep track of the hardware address to
IP address mapping of the STA devices within the BSS. When a request for
such information is made (i.e., ARP request, Neighbor Solicitation), the
AP will respond on behalf of the STA device within the BSS. Such
requests could originate from a device within the BSS or also from the
bridge. In the process of the AP replying to the request (i.e., ARP
reply, Neighbor Advertisement), the AP will drop the original request
frame. The relevant STA will not even know that such information was
ever requested.

This feature is a requirement for Hotspot 2.0, and is defined in IEEE
Std 802.11-2012, 10.23.13. While the Proxy ARP support code mainly
resides in the kernel bridge code, in order to optimize the performance
and simplify kernel implementation, the DHCP snooping code was added to
the hostapd.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Kyeyoon Park
ec8f36afca AP: Add support for BSS load element (STA Count, Channel Utilization)
The new "bss_load_update_period" parameter can be used to configure
hostapd to advertise its BSS Load element in Beacon and Probe Response
frames. This parameter is in the units of BUs (Beacon Units).

When enabled, the STA Count and the Channel Utilization value will be
updated periodically in the BSS Load element. The AAC is set to 0 sinze
explicit admission control is not supported. Channel Utilization is
calculated based on the channel survey information from the driver and
as such, requires a driver that supports providing that information for
the current operating channel.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-21 23:25:48 +03:00
Jouni Malinen
f8995f8f1c hostapd: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled when hostapd is used as an EAP
server with OpenSSL as the TLS library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:52:05 +03:00
Jouni Malinen
1dde5b5cdd Remove PSMP option from ht_capab
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:02:14 +03:00
Jouni Malinen
978c673052 Add a note on using 'iw list' to determine multi-BSS support
This adds a pointer to hostapd.conf to using 'iw list' with the current
nl80211 drivers to determine supported interface combinations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-25 23:58:22 +02:00
Jouni Malinen
b7a8d67f5b Allow hostapd to advertise 40 MHz intolerant HT capability
ht_capab=[40-INTOLERANT] can now be used to advertise that the BSS is 40
MHz intolerant to prevent other 20/40 MHz co-ex compliant APs from using
40 MHz channel bandwidth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-23 23:50:37 +02:00
Jouni Malinen
8b6b6d8238 Fix hostapd.conf description of HT40+
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-21 20:04:01 +02:00
Jouni Malinen
8dd9f9cdde Allow management group cipher to be configured
This allows hostapd to set a different management group cipher than the
previously hardcoded default BIP (AES-128-CMAC). The new configuration
file parameter group_mgmt_cipher can be set to BIP-GMAC-128,
BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in
IEEE Std 802.11ac-2013.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:45 +02:00
Ben Greear
cfc393a645 hostapd: Document interworking realm EAP Method types
Add link to the EAP type definitions document.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2014-03-11 19:27:55 +02:00
Simon Wunderlich
70ee1be248 hostapd: Add config option chanlist for DFS channels
Different channels allow different transmission power, at least in ETSI
countries. Also, ETSI requires a "channel plan" for DFS operation, and
channels should be randomly choosen from these channels.

Add a channel list configuration option for users to add channels
hostapd may pick from.

Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
2014-03-11 18:59:40 +02:00
Jouni Malinen
ae6d15c722 HS 2.0R2 AP: Add OSU Providers list ANQP element
hostapd can now be configured to advertise OSU Providers with the
new osu_* confgiuration parameters.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
f7bd7a01a8 HS 2.0R2 AP: Add Icon Request and Icon binary File ANQP elements
hostapd can now be configured to provide access for icon files
(hs20_icon config file parameter) for OSU. The hs20_icon data contains
additional meta data about the icon that is not yet used, but it will be
needed for the OSU Providers list ANQP element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
8e1146d9da HS 2.0R2 AP: Add support for deauthentication request
If the RADIUS server includes deauthentication request in Access-Accept,
send a WNM-Notification frame to the station after 4-way handshake and
disconnect the station after configurable timeout.

A new control interface command, WNM_DEAUTH_REQ, is added for testing
purposes to allow the notification frame to sent based on local request.
This case does not disconnect the station automatically, i.e., a
separate control interface command would be needed for that.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
a14896e8bb HS 2.0R2 AP: Add OSEN implementation
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
d5d24784e6 HS 2.0R2 AP: Update HS 2.0 Indication element to Release 2
The HS 2.0 Indication element from hostapd now includes the release
number field and the new ANQP Domain ID field. This ID can be configured
with anqp_domain_id parameter in hostapd.conf.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Chaitanya T K
3d7ad2f681 hostapd: Configure spectrum management capability
Add configuration of Spectrum Management subfield in the Capability
Information of Beacon, Probe Response, and Association Response frames.
Spectrum Management bit is set when directly requested by new
configuration option spectrum_mgmt_required=1 or when AP is running on
DFS channels. In the future, also TPC shall require this bit to be set.

Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-02-25 00:54:59 +02:00
Srinivasan B
e0392f825d hostapd: Add Power Constraint element
Add Power Constraint information element to Beacon and Probe Response
frames when hostapd is configured on 5 GHz band and Country information
element is also added. According to IEEE Std 802.11-2012 a STA shall
determine a local maximum transmit power for the current channel based
on information derived from Country and Power Constraint elements.

In order to add Power Constraint element ieee80211d option need to be
enabled and new local_pwr_constraint config option need to be set to
unsigned value in units of decibels. For now this value is statically
configured but the future goal is to implement dynamic TPC algorithm
to control local power constraint.

Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-02-24 23:51:23 +02:00
Jouni Malinen
a1dd890a85 RADIUS: Add minimal accounting server support
This can be used to test RADIUS Accounting in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 16:26:48 +02:00
Jouni Malinen
a1a31b6c3f Remove hostapd dump_file functionality
This debugging mechanism has now been deprecated by the control
interface commands that can be used to fetch same internal information
from hostapd in a more convenient way. Leave the empty USR1 signal
handler and configuration file parameter for backwards compatibility.
They can be removed in future versions of hostapd.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 18:15:07 +02:00
Paul Stewart
c101bb9d23 hostapd: Add option to send OBSS scan params
Add a parameter to send the overlapping BSS scan parameter
information element. This will require clients to perform
background scans to check for neigbors overlapping this
HT40 BSS. Since the implementation is incomplete it should
only be used for testing.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2013-11-07 14:05:41 +02:00
Jouni Malinen
9bc33868bf Add test option for specifying hardcoded BSS Load element
The new bss_load_test parameter can be used to configure hostapd to
advertise a fixed BSS Load element in Beacon and Probe Response frames
for testing purposes. This functionality is disabled in the build by
default and can be enabled with CONFIG_TESTING_OPTIONS=y.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 14:13:45 +03:00
Kyeyoon Park
c551700f1f Interworking: Add support for QoS Mapping functionality for the AP
This allows QoS Map Set element to be added to (Re)Association Response
frames and in QoS Map Configure frame. The QoS Mapping parameters are
also made available for the driver interface.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 14:13:45 +03:00
Kyeyoon Park
f224cf05ab HS 2.0: Allow printf format parsing with language:name strings
This allows Hotspot 2.0 and Interworking strings that use language:name
string (e.g., venue_name) to be encoded using printf format to enter
special characters like newline.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-09-25 14:43:40 +03:00
Michal Kazior
50f4f2a066 hostapd: Add Automatic Channel Selection (ACS) support
This adds ACS support to hostapd. Currently only survey-based
algorithm is available.

To use ACS you need to enable CONFIG_ACS=y in .config and use
channel=0 (or channel=acs_survey) in hostapd.conf.

For more details see wiki page [1] or comments in src/ap/acs.c.

[1]: http://wireless.kernel.org/en/users/Documentation/acs

Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
2013-08-31 11:51:06 +03:00
Sujith Manoharan
3f9a8137f5 hostapd: Add a config option to control beaconing
In a AP/STA concurrent setup, if the STA interface is continually
scanning, trying to connect to a network, the AP interface
is basically broken since beaconing would be erratic.

This option can be used in a WDS setup where one AP acts as a
Client/AP-Repeater. The Repeater AP interface has to start beaconing
only after the Client interface has established a WDS link with the
"Root AP".

Signed-hostap: Sujith Manoharan <c_manoha@qca.qualcomm.com>
2013-07-20 17:20:43 +03:00
Jouni Malinen
67fe933d40 Add server identity configuration for EAP server
The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Jouni Malinen
080585c01a Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-06-30 01:01:15 +03:00
Michael Braun
459eee923c bridge: Use safe default bridge interface
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.

This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-06-25 11:10:00 +03:00
Michael Braun
2aaeedfa07 bridge: Give bridge name in per-bss configuration
Currently, when different BSS using different tagged vlan
interfaces, they are forced to share the bridge brvlan#,
which is not desirable.

This patch fixes this by making the bridge name configurable.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-06-25 11:09:01 +03:00
Simon Wunderlich
b113a171ac DFS: Add ieee80211h hostapd configuration parameter
This patch is based on the original work by Boris Presman and
Victor Goldenshtein. Channel Switch Announcement support has been
removed and event handling as well as channel set handling was
changed, among various other changes.

Cc: Boris Presman <boris.presman@ti.com>
Cc: Victor Goldenshtein <victorg@ti.com>
Signed-hostap: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
2013-05-09 20:14:53 +03:00
Johannes Berg
7af092a015 hostapd: Add Key MIC in group EAPOL-Key frames corruption test option
For some testing it can be useful to force the Key MIC in group
EAPOL-Key frames to be corrupt. Add an option to allow setting a
probability for corrupting the Key MIC and use it in the WPA code,
increasing the first byte of the MIC by one to corrupt it if desired.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-05-04 11:45:03 +03:00
Michael Braun
7ca902b53e Make vlan_file optional if dynamic_vlan is used
My APs generate their configuration on their own using a different
number of (vlan-enabled) bss. Currently, all my vlan_file files consist
of a single line: the wildcard line. Configuration file generation would
be easier, if the hostapd configuration file would not depend on those
simple vlan_file files.

This patch removes the need for those one-line files by using the
<device>.<vlan> naming scheme if no vlan_file is given (or that file is
empty). This should not break any existing setup, as using dynamic_vlan
with no vlan configured does not make sense anyway.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-04-27 22:53:34 +03:00
Johannes Berg
c2aff6b1d1 hostapd: Add some testing options
In order to test clients in scenarios where APs may (randomly)
drop certain management frames, introduce some testing options
into the hostapd configuration that can make it ignore certain
frames. For now, these are probe requests, authentication and
(re)association frames.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2013-04-23 17:51:28 +03:00
Jouni Malinen
a679c0f284 WPS: Allow hostapd process to control independent WPS interfaces
The new wps_independent=1 configuration parameter can be used to remove
interfaces from the shared hostapd process WPS control (i.e., to apply
WPS operations only to a subset of interfaces instead of all).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-03-31 12:34:35 +03:00
Jouni Malinen
625f202a74 SAE: Allow enabled groups to be configured
hostapd.conf sae_groups parameter can now be used to limit the set of
groups that the AP allows for SAE. Similarly, sae_groups parameter is
wpa_supplicant.conf can be used to set the preferred order of groups. By
default, all implemented groups are enabled.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:53 +02:00
Jouni Malinen
d136c376f2 SAE: Add support for Anti-Clogging mechanism
hostapd can now be configured to use anti-clogging mechanism based on
the new sae_anti_clogging_threshold parameter (which is
dot11RSNASAEAntiCloggingThreshold in the standard). The token is
generated using a temporary key and the peer station's MAC address.
wpa_supplicant will re-try SAE authentication with the token included if
commit message is rejected with a token request.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-01-12 17:51:52 +02:00
Jouni Malinen
2049a875bc WNM: Additional BSS Transition Management capability
Add some more functionality for BSS Transition Management:
- advertise support for BSS Transition Management in extended
  capabilities element
- add hostapd.conf parameter bss_transition=1 for enabling support
  for BSS Transition Management
- add "hostapd_cli disassoc_imminent <STA> <num TBTTs>" for sending
  disassociation imminent notifications for testing purposes
- wpa_supplicant: trigger a new scan to find another BSS if the
  current AP indicates disassociation imminent (TODO: the old AP needs
  to be marked to use lower priority to avoid re-selecting it)

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-22 20:27:30 +02:00
Vladimir Kondratiev
7829894c21 Introduce 60 GHz band
Basic support for the 60 GHz band. Neither P2P nor WPS are yet taken
care off. Allows to start AP with very simple config:

network={
        ssid="test"
        mode=2
        frequency=60480
        key_mgmt=NONE
}

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-12-18 11:50:35 +02:00
Jouni Malinen
b93c8509cc Add support for advertising UTF-8 SSID extended capability
This field can be used to indicate that UTF-8 encoding is used in the
SSID field.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 20:46:51 +02:00
Jouni Malinen
c79938a584 WNM: Enable WNM-Sleep Mode configuration with hostapd SME/MLME
This allows hostapd to process WNM-Sleep Mode Request when using the
internal SME/MLME.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-12-16 19:16:17 +02:00
Johannes Berg
3117ad4283 hostapd: Add second VHT frequency segment config
Add the configuration option vht_oper_centr_freq_seg1_idx
for the second segment of an 80+80 MHz channel and use it
when building the VHT operation IE.

Signed-hostap: Johannes Berg <johannes.berg@intel.com>
2012-11-24 18:02:29 +02:00
Jouni Malinen
ee431d77a5 Add preliminary support for using SQLite for eap_user database
CONFIG_SQLITE=y option can now be used to allow the eap_user_file text
file to be replaced with a SQLite database
(eap_user_file=sqlite:/path/to/sqlite.db). hostapd.eap_user_sqlite
shows an example of how the database tables can be created for this
purpose. This commit does not yet include full functionality of the
text file format, but at least basic EAP-TTLS/MSCHAPv2 style
authentication mechanisms with plaintext passwords can be used for
tests.

Signed-hostap: Jouni Malinen <j@w1.fi>
2012-11-21 00:47:47 +02:00
Jouni Malinen
66979bb833 EAP-SIM DB: Optional use of SQLite database for pseudonyms
This allows hostapd to use an SQLite database for storing EAP-SIM/AKA
pseudonyms over process restarts. CONFIG_SQLITE=y build option adds
support for this and the SQLite database file is specified in eap_sib_db
configuration parameter.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-30 16:04:52 +03:00
Jouni Malinen
b52f084cfa Add parameter for vendor specific elements into Beacon/Probe Response
The new vendor_elements parameter in hostapd.conf can be used to add new
vendor specific element(s) into Beacon and Probe Response frames.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-27 16:20:10 +03:00
Jay Katabathuni
8047b18691 Interworking: Add advertising of NAI Realm list
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2012-08-26 18:59:12 +03:00