Commit graph

370 commits

Author SHA1 Message Date
Liangwei Dong
a5b2faa714 AP: Add op_class config item to specify 6 GHz channels uniquely
Add hostapd config option "op_class" for fixed channel selection along
with existing "channel" option. "op_class" and "channel" config options
together can specify channels across 2.4 GHz, 5 GHz, and 6 GHz bands
uniquely.

Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
a36e13a7cd SAE: Add sae_pwe configuration parameter for hostapd
This parameter can be used to specify which PWE derivation mechanism(s)
is enabled. This commit is only introducing the new parameter; actual
use of it will be address in separate commits.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-15 15:39:22 +03:00
Jouni Malinen
f7fe055224 SAE: Allow AP behavior for SAE Confirm to be configured
hostapd is by default waiting STA to send SAE Confirm before sending the
SAE Confirm. This can now be configured with sae_confirm_immediate=1
resulting in hostapd sending out SAE Confirm immediately after sending
SAE Commit.

These are the two different message sequences:

sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-10-10 15:38:26 +03:00
Alexei Avshalom Lazar
5c5ff22efc hostapd: Add EDMG channel configuration parameters
Add two new configuration parameters for hostapd:
enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
edmg_channel: Configure channel bonding for AP mode in the 60 GHz band

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
2019-10-07 16:46:29 +03:00
Jouni Malinen
5a5639b068 DPP: Allow name and mudurl to be configured for Config Request
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-09-19 00:21:47 +03:00
Jouni Malinen
018edec9b2 Remove IAPP functionality from hostapd
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
maintained nor is there any expectation of the withdrawn trial-use
recommended practice to be maintained in the future. Furthermore,
implementation of IAPP in hostapd was not complete, i.e., only parts of
the recommended practice were included. The main item of some real use
long time ago was the Layer 2 Update frame to update bridges when a STA
roams within an ESS, but that functionality has, in practice, been moved
to kernel drivers to provide better integration with the networking
stack.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-11 13:11:03 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
8d76e0ad7b EAP server: Configurable maximum number of authentication message rounds
Allow the previously hardcoded maximum numbers of EAP message rounds to
be configured in hostapd EAP server. This can be used, e.g., to increase
the default limits if very large X.509 certificates are used for EAP
authentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-01 17:19:35 +03:00
Jouni Malinen
e54cfbb56a EAP-TEAP server: Allow a specific Identity-Type to be requested/required
The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-20 02:13:22 +03:00
Jouni Malinen
76ddfae6eb EAP-TEAP server: Testing mechanism for Result TLV in a separate message
The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are send in one message exchange while the Result TLV
exchange in done after that in a separate message exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-17 00:08:47 +03:00
Jouni Malinen
6bb11c7a40 EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled
The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-08-01 10:36:11 +03:00
Terry Burton
f4111ff3d1 Extra RADIUS request attributes from SQLite
Add an SQLite table for defining per station MAC address version of
radius_auth_req_attr/radius_acct_req_attr information. Create the
necessary table and index where this doesn't exist. Select attributes
from the table keyed by station MAC address and request type (auth or
acct), parse and apply to a RADIUS message.

Add radius_req_attr_sqlite hostapd config option for SQLite database
file. Open/close RADIUS attribute database for a lifetime of a BSS and
invoke functions to add extra attributes during RADIUS auth and
accounting request generation.

Signed-off-by: Terry Burton <tez@terryburton.co.uk>
2019-07-30 19:58:09 +03:00
Terry Burton
74707def8f Move hostapd_parse_radius_attr() into ap_config.c
We will want to parse RADIUS attributes in config file format when
retrieving them from an SQLite database.

Signed-off-by: Terry Burton <tez@terryburton.co.uk>
2019-07-30 19:42:48 +03:00
Jouni Malinen
e2722bf81d OpenSSL: Allow two server certificates/keys to be configured on server
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-12 18:13:10 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
leiwei
29c832d0ea macsec: Add configuration parameters for hostapd
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
John Crispin
4f3f33804a HE: Make the basic NSS/MCS configurable
Add a config option to allow setting a custom Basic NSS/MCS set. As a
default we use single stream HE-MCS 0-7.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 17:45:04 +03:00
John Crispin
05b28306f5 HE: Add HE channel management configuration options
These are symmetric with the VHT ones.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-27 16:30:05 +03:00
John Crispin
ad5224dd43 HE: Fix typo srp -> spr in hostapd configuration parameters
The initial commit used srp instead of spr for the spatial reuse
configuration prefix.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-05-05 00:59:18 +03:00
Toke Høiland-Jørgensen
ef7217518b hostapd: Add airtime policy configuration support
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439

The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.

The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.

In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-05-02 14:57:43 +03:00
John Crispin
2ec71488b5 HE: Add Spatial Reuse Parameter Set element to the Beacon frames
SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA
thresholds. For this to work the AP needs to broadcast the element
first.

Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
2019-04-25 12:15:36 +03:00
Jouni Malinen
e00f780e2b DPP2: hostapd as TCP Relay
The new hostapd configuration parameter dpp_controller can now be used
with the following subparameter values: ipaddr=<IP address>
pkhash=<hexdump>. This adds a new Controller into the configuration
(i.e., more than one can be configured) and all incoming DPP exchanges
that match the specified Controller public key hash are relayed to the
particular Controller.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-22 21:08:59 +03:00
Brendan Jackman
bbed23aee6 hostapd: Reduce minimum beacon interval from 15 to 10 TUs
Very short beacon intervals can be useful for certain scenarios such
as minimising association time on PBSSs. Linux supports a minimum of
10[1] so let's reduce the minimum to match that.

[1] https://elixir.bootlin.com/linux/latest/ident/cfg80211_validate_beacon_int

Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
2019-04-06 17:05:09 +03:00
Jared Bents
841205a1ce OpenSSL: Add 'check_cert_subject' support for TLS server
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.

This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).

Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-03-11 14:09:45 +02:00
Jouni Malinen
fc30f99b34 WPS: Allow AP SAE configuration to be added automatically for PSK
The new hostapd configuration parameter wps_cred_add_sae=1 can be used
to request hostapd to add SAE configuration whenever WPS is used to
configure the AP to use WPA2-PSK and the credential includes a
passphrase (instead of PSK). This can be used to enable WPA3-Personal
transition mode with both SAE and PSK enabled and PMF enabled for PSK
and required for SAE associations.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-06 21:52:43 +02:00
Davina Lu
66819b07b5 hostapd: Support Multi-AP backhaul STA onboarding with WPS
The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a
backhaul STA through WPS. To enable this, the WPS Registrar offers a
different set of credentials (backhaul credentials instead of fronthaul
credentials) when the Multi-AP subelement is present in the WFA vendor
extension element of the WSC M1 message.

Add new configuration options to specify the backhaul credentials for
the hostapd internal registrar: multi_ap_backhaul_ssid,
multi_ap_backhaul_wpa_psk, multi_ap_backhaul_wpa_passphrase. These are
only relevant for a fronthaul SSID, i.e., where multi_ap is set to 2 or
3. When these options are set, pass the backhaul credentials instead of
the normal credentials when the Multi-AP subelement is present.

Ignore the Multi-AP subelement if the backhaul config options are not
set. Note that for an SSID which is fronthaul and backhaul at the same
time (i.e., multi_ap == 3), this results in the correct credentials
being sent anyway.

The security to be used for the backaul BSS is fixed to WPA2PSK. The
Multi-AP Specification only allows Open and WPA2PSK networks to be
configured. Although not stated explicitly, the backhaul link is
intended to be always encrypted, hence WPA2PSK.

To build the credentials, the credential-building code is essentially
copied and simplified. Indeed, the backhaul credentials are always
WPA2PSK and never use per-device PSK. All the options set for the
fronthaul BSS WPS are simply ignored.

Signed-off-by: Davina Lu <ylu@quantenna.com>
Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
2019-02-18 22:35:41 +02:00
Jouni Malinen
b0e91e3877 SAE: VLAN assignment based on SAE Password Identifier
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-17 17:24:23 +02:00
Jouni Malinen
fe468b0714 HE: Fix set_he_cap() parsing of config options for MU EDCA Params
When I replaced the POS() function with ffs() when applying relevant
parts from the original patch, this ended up breaking the frame
construction since the POS() function was supposed to count the bit
offset for the mask with 0 being the LSB instead of 1 returned by ffs().
Furthermore, ffs() is not available in all C libraries (e.g., not
directly exposed by strings.h on Android), so better not depend on that
or compiler builtins for this since there is no need for this to be as
fast as possible in configuration parsing.

Fix this with a simple function to determine the number of bits the
value needs to be shifted left to align with the mask.

Fixes: 11ce7a1bc3 ("HE: Add MU EDCA Parameter Set element (AP)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-12 01:23:30 +02:00
Jared Bents
159a7fbdea crl_reload_interval: Add CRL reloading support
This patch adds a new flag 'crl_reload_interval' to reload CRL
periodically. This can be used to reload ca_cert file and the included
CRL information on every new TLS session if difference between the last
reload and the current time in seconds is greater than
crl_reload_interval.

This reloading is used for cases where check_crl is 1 or 2 and the CRL
is included in the ca_file.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
2019-01-27 18:45:07 +02:00
Ian Archer
9758b08bcf hostapd: Add support for setting pbss option from config file
There is currently no support for setting hostapd_bss_config.pbss from a
config file, i.e., it was used only based on automatic logic in
wpa_supplicant. This patch adds a key naturally called "pbss" which can
be used to set it.

Cc: Antony King <antony.king@bluwirelesstechnology.com>
Signed-off-by: Brendan Jackman <brendan.jackman@bluwirelesstechnology.com>
2019-01-21 12:35:59 +02:00
Siva Mullati
11ce7a1bc3 HE: Add MU EDCA Parameter Set element (AP)
Add support for configuring parameters for the MU EDCA Parameter Set
element per IEEE P802.11ax/D3.0.

Signed-off-by: Siva Mullati <siva.mullati@intel.com>
2019-01-08 17:22:43 +02:00
Jouni Malinen
cc9c4feccc OpenSSL: Allow systemwide policies to be overridden
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.

Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.

In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.

In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 17:14:26 +02:00
Beni Lev
076f1ea1d9 OCE: Add RSSI based association rejection support (AP)
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 18:18:50 +02:00
Sam Voss
dd5d325b0a hostapd: Add configuration option check_crl_strict
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.

This causes the following:

- This setting does nothing when CRL checking is not enabled.

- When CRL is enabled, "strict mode" will cause CRL time errors to not
  be ignored and will continue behaving as it currently does.

- When CRL is enabled, disabling strict mode will cause CRL time
  errors to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
2018-12-31 12:51:51 +02:00
Hristo Venev
d01203cafc hostapd: Add openssl_ecdh_curves configuration parameter
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.

Signed-off-by: Hristo Venev <hristo@venev.name>
2018-12-30 17:27:34 +02:00
Felix Fietkau
4d663233e6 hostapd: Support for overriding the bridge name per VLAN via vlan_file
This makes it easier to integrate dynamic VLANs in custom network
configurations. The bridge name is added after the interface name in the
vlan_file line, also separated by whitespace.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-12-21 12:02:57 +02:00
Venkateswara Naralasetty
9c06f0f6ae hostapd: Add Multi-AP protocol support
The purpose of Multi-AP specification is to enable inter-operability
across Wi-Fi access points (APs) from different vendors.

This patch introduces one new configuration parameter 'multi_ap' to
enable Multi-AP functionality and to configure the BSS as a backhaul
and/or fronthaul BSS.

Advertise vendor specific Multi-AP capabilities in (Re)Association
Response frame, if Multi-AP functionality is enabled through the
configuration parameter.

A backhaul AP must support receiving both 3addr and 4addr frames from a
backhaul STA, so create a VLAN for it just like is done for WDS, i.e.,
by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never
WEP), we can safely call hostapd_set_wds_encryption() as well and we can
reuse the entire WDS condition.

To parse the Multi-AP Extension subelement, we use get_ie(): even though
that function is meant for parsing IEs, it works for subelements.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-12-20 01:04:14 +02:00
Mathy Vanhoef
9c55fdb023 OCV: Add hostapd config parameter
Add hostapd.conf parameter ocv to disable or enable Operating Channel
Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Jouni Malinen
7bd8c76a4f HS 2.0 server: RADIUS server support for SIM provisioning
This adds support for hostapd-as-RADIUS-authentication-server to request
subscription remediation for SIM-based credentials. The new hostapd.conf
parameter hs20_sim_provisioning_url is used to set the URL prefix for
the remediation server for SIM provisioning. The random
hotspot2dot0-mobile-identifier-hash value will be added to the end of
this URL prefix and the same value is stored in a new SQLite database
table sim_provisioning for the subscription server implementation to
use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-15 18:01:38 +02:00
Jouni Malinen
6ae04d7b34 HS 2.0: Allow Hotspot 2.0 release number to be configured
The new hostapd configuration parameter hs20_release can be used to
configure the AP to advertise a specific Hotspot 2.0 release number
instead of the latest supported release. This is mainly for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:54 +02:00
Jouni Malinen
678d8410af Move send_probe_response parameter to BSS specific items
This can be more convenient for testing Multiple BSSID functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-07 15:03:11 +02:00
Jouni Malinen
d514b50265 WNM: Collocated Interference Reporting
Add support for negotiating WNM Collocated Interference Reporting. This
allows hostapd to request associated STAs to report their collocated
interference information and wpa_supplicant to process such request and
reporting. The actual values (Collocated Interference Report Elements)
are out of scope of hostapd and wpa_supplicant, i.e., external
components are expected to generated and process these.

For hostapd/AP, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration. STAs are requested to perform
reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report
Timeout>" control interface command. The received reports are indicated
as control interface events "COLOC-INTF-REPORT <addr> <dialog token>
<hexdump of report elements>".

For wpa_supplicant/STA, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration and setting Collocated
Interference Report Elements as a hexdump with "SET coloc_intf_elems
<hexdump>" control interface command. The hexdump can contain one or
more Collocated Interference Report Elements (each including the
information element header). For additional testing purposes, received
requests are reported with "COLOC-INTF-REQ <dialog token> <automatic
report enabled> <report timeout>" control interface events and
unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

This commit adds support for reporting changes in the collocated
interference (Automatic Report Enabled == 1 and partial 3), but not for
periodic reports (2 and other part of 3).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-30 14:07:51 +02:00
Jouni Malinen
cad810a98f HS 2.0: OSU Provider NAI List advertisement
Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be
advertised in addition to the previously used OSU Providers list
ANQP-element. The new osu_nai2 configurator parameter option is used to
specify the OSU_NAI value for the shared BSS (Single SSID) case while
osu_nai remains to be used for the separate OSU BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:49:42 +03:00
Hai Shalom
560e30bf3b Parse sae_password option when CONFIG_SAE is enabled
Call to parse_sae_password was incorrectly depending
on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should
depend only on the latter.

Fixes: 2377c1caef ("SAE: Allow SAE password to be configured separately (AP)")
Signed-off-by: Hai Shalom <haishalom@google.com>
2018-09-02 12:30:37 +03:00
Sathishkumar Muruganandam
47abe29aa9 hostapd: SET ht_capab support for disabling 40 MHz bandwidth
'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both
to be present. Based on the offset + or -, secondary_channel is updated
but HT20/VHT20 mode can be brought up only from config file and can't be
done using the SET command when the current HT mode is HT40+ or HT40-.

When managing AP+STA mode from userspace doing hostapd_cli: "disable ->
set channel, ht_capab -> enable" sequence, channel switch from
HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab
limitation.

Cover this additional case by resetting secondary_channel to 0 for
HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.

Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
2018-08-21 19:04:44 +03:00
Jouni Malinen
c6f2eceb8b FT: Add key management value FT-EAP-SHA384 for hostapd
This allows hostapd to be configuted to use the SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
8d660a4bac HS 2.0: Allow OSEN connection to be enabled in an RSN BSS
This allows a single BSS/SSID to be used for both data connection and
OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more
likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-29 23:34:22 +03:00
Dan Harkins
d52ead3db7 EAP-pwd server: Add support for salted password databases
These changes add support for salted password databases to EAP-pwd per
RFC 8146. This commits introduces the framework for enabling this and
the salting mechanisms based on SHA-1, SHA256, and SHA512 hash
algorithms.

Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:08:51 +03:00
Jouni Malinen
9be19d0b9c SAE: Add support for using the optional Password Identifier
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-19 17:30:29 +03:00
Jouni Malinen
d501c27cfe EAP-TLS server: Disable TLS v1.3 by default
The current EAP peer implementation is not yet ready for the TLS v1.3
changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for
this EAP method for now.

While the current EAP-TLS implementation is more or less complete for
TLS v1.3, there has been no interoperability testing with other
implementations, so disable for by default for now until there has been
chance to confirm that no significant interoperability issues show up
with TLS version update. tls_flags=[ENABLE-TLSv1.3] configuration
parameter can be used to enable TLS v1.3 (assuming the TLS library
supports it; e.g., when using OpenSSL 1.1.1).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 22:13:38 +03:00
Jouni Malinen
bbbc7e8016 EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 22:13:38 +03:00
Jouni Malinen
8760b9848c HS 2.0: Send Terms and Conditions Acceptance notification
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.

This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
6cb8f4f382 HS 2.0: Terms and Conditions attributes in Access-Request messages
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
0e450db285 HS 2.0: Allow configuration of operator icons
This extends hostapd Hotspot 2.0 implementation to allow operator icons
to be made available. The existing hs20_icon parameter is used to define
the icons and the new operator_icon parameter (zero or more entries) is
used to specify which of the available icons are operator icons. The
operator icons are advertised in the Operator Icon Metadata ANQP-element
while the icon data can be fetched using the same mechanism (icon
request/binary file) that was added for the OSU Providers icons.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Michael Braun
3a3e28320b FT: Add expiration to PMK-R0 and PMK-R1 cache
IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the
PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which
the key was derived. This is currently stored in r0_key_lifetime, but
cache entries are not actually removed.

This commit uses the r0_key_lifetime configuration parameter when
wpa_auth_derive_ptk_ft() is called. This may need to be extended to use
the MSK lifetime, if provided by an external authentication server, with
some future changes. For PSK, there is no such lifetime, but it also
matters less as FT-PSK can be achieved without inter-AP communication.

The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies
that the given timeout for sanity, it may not exceed the locally configured
r1_max_key_lifetime.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-05 13:58:20 +03:00
Michael Braun
83fe4bd3bf FT: Convert r0_key_lifetime to seconds
Add a new configuration option ft_r0_key_lifetime that deprecates
r0_key_lifetime. Though, the old configuration is still accepted for
backwards compatibility.

This simplifies testing. All other items are in seconds as well. In
addition, this makes dot11FTR0KeyLifetime comment match with what got
standardized in the end in IEEE Std 802.11r-2008.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-05 13:47:23 +03:00
Jouni Malinen
7e1d3ee963 Add hostapd.conf venue_url to set Venue URL ANQP-element
The new venue_url parameter can now be used to set the Venue URL ANQP
information instead of having to construct the data and use
anqp_elem=277:<hexdump> to set the raw value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-26 16:10:47 +03:00
Jouni Malinen
0fa669bcae Fix a resource leak on hostapd maclist parsing error path
The open file needs to be closed in error case. The conversion to using
a new helper function (hostapd_add_acl_maclist) somehow managed to
remove the neede fclose(f) call. Bring it back to fix this.

Fixes: 3988046de5 ("hostapd: Dynamic MAC ACL management over control interface")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-21 22:34:09 +02:00
Jouni Malinen
427729ee67 Reject eap_server_erp hostapd.conf parameter without CONFIG_ERP=y
This provides an explicit error report if runtime configuration is not
valid and ERP server functionality cannot be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-28 13:09:07 +02:00
Tamizh chelvam
3988046de5 hostapd: Dynamic MAC ACL management over control interface
Previously, MAC ACL could be modified only through file operations
(modify accept/deny_mac_file and reload it to hostapd). Extend this to
allow MAC ACL to be modified and displayed through new control interface
commands:

ACCEPT_ACL <subcmd> [argument]
DENY_ACL <subcmd> [argument]

subcmd: ADD_MAC <addr>[ VLAN_ID=<id>]|DEL_MAC <addr>|SHOW|CLEAR

Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
2018-02-07 19:45:21 +02:00
Jouni Malinen
ba3d435fe4 SAE: Add option to require MFP for SAE associations
The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to
enforce negotiation of MFP for all associations that negotiate use of
SAE. This is used in cases where SAE-capable devices are known to be
MFP-capable and the BSS is configured with optional MFP (ieee80211w=1)
for legacy support. The non-SAE stations can connect without MFP while
SAE stations are required to negotiate MFP if sae_require_mfp=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 18:27:58 +02:00
Jouni Malinen
d8b841eba8 SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-26 12:46:22 +02:00
Bhagavathi Perumal S
af832aa998 hostapd: Add average channel utilization in STATUS
This allows external programs to get the average channel utilization.
The average channel utilization is calculated and reported through
STATUS command. Users need to configure chan_util_avg_period and
bss_load_update_period in hostapd config to get the average channel
utilization.

Signed-off-by: Bhagavathi Perumal S <bperumal@qti.qualcomm.com>
2017-12-12 00:48:27 +02:00
Jouni Malinen
778d87054e Fix error handling in bss_load_update_period parser
Do not update the configuration parameter before having verified the
value to be in the valid range.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-12 00:46:21 +02:00
Jouni Malinen
27781c0ab5 Allow group cipher selection to be overridden
The new hostapd configuration parameter group_cipher can now be used to
override the automatic cipher selection based on enabled pairwise
ciphers. It should be noted that selecting an unexpected group cipher
can result in interoperability issues and this new capability is mainly
for testing purposes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 12:31:41 +02:00
Jouni Malinen
348c93847a AP-side workaround for WNM-Sleep Mode GTK/IGTK reinstallation issues
Normally, WNM-Sleep Mode exit with management frame protection
negotiated would result in the current GTK/IGTK getting added into the
WNM-Sleep Mode Response frame. Some station implementations may have a
vulnerability that results in GTK/IGTK reinstallation based on this
frame being replayed. Add a new hostapd configuration parameter that can
be used to disable that behavior and use EAPOL-Key frames for GTK/IGTK
update instead. This would likely be only used with
wpa_disable_eapol_key_retries=1 that enables a workaround for similar
issues with EAPOL-Key. This is related to station side vulnerabilities
CVE-2017-13087 and CVE-2017-13088. To enable this AP-side workaround,
set wnm_sleep_mode_no_keys=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-29 17:13:54 +02:00
Jouni Malinen
6f234c1e2e Optional AP side workaround for key reinstallation attacks
This adds a new hostapd configuration parameter
wpa_disable_eapol_key_retries=1 that can be used to disable
retransmission of EAPOL-Key frames that are used to install
keys (EAPOL-Key message 3/4 and group message 1/2). This is
similar to setting wpa_group_update_count=1 and
wpa_pairwise_update_count=1, but with no impact to message 1/4
retries and with extended timeout for messages 4/4 and group
message 2/2 to avoid causing issues with stations that may use
aggressive power saving have very long time in replying to the
EAPOL-Key messages.

This option can be used to work around key reinstallation attacks
on the station (supplicant) side in cases those station devices
cannot be updated for some reason. By removing the
retransmissions the attacker cannot cause key reinstallation with
a delayed frame transmission. This is related to the station side
vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, and CVE-2017-13081.

This workaround might cause interoperability issues and reduced
robustness of key negotiation especially in environments with
heavy traffic load due to the number of attempts to perform the
key exchange is reduced significantly. As such, this workaround
is disabled by default (unless overridden in build
configuration). To enable this, set the parameter to 1.

It is also possible to enable this in the build by default by
adding the following to the build configuration:

CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-17 00:06:26 +03:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
2377c1caef SAE: Allow SAE password to be configured separately (AP)
The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 23:10:19 +03:00
Jouni Malinen
91cc34bf32 OWE: Allow set of enabled DH groups to be limited on AP
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 21:03:57 +03:00
Jouni Malinen
c77e2ff096 DPP: Remove C-sign-key expiry
This was removed in DPP tech spec v0.2.3.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 01:17:33 +03:00
Jouni Malinen
a891388184 OWE: Transition mode information based on BSS ifname
The owe_transition_bssid and owe_transition_ssid parameters can now be
replace with owe_transition_ifname to clone the BSSID/SSID information
automatically in case the same hostapd process manages both the OWE and
open BSS for transition mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 13:39:23 +03:00
Jouni Malinen
ea079153f4 OWE: Add AP support for transition mode
The new owe_transition_bssid and owe_transition_ssid parameters can be
used to configure hostapd to advertise the OWE Transition Mode element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
a7297ae5cb Fix hostapd debug messages on wpa_pairwise and rsn_pairwise parsing
Incorrect value was printed out as the line number for this messages.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 18:43:41 +03:00
Jouni Malinen
2ed70c7586 OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
6418400db9 Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
3648d8a185 SAE: Allow commit fields to be overridden for testing purposes
The new sae_commit_override=<hexdump> parameter can be used to force
hostapd to override SAE commit message fields for testing purposes. This
is included only in CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-04 13:32:03 +03:00
Jouni Malinen
e75335384a SAE: Add testing code for reflection attack
Allow hostapd to be configured to perform SAE reflection attack for SAE
testing purposes with sae_reflection_attack=1 configuration parameter.
This is included only in CONFIG_TESTING_OPTIONS=y builds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-04 13:32:03 +03:00
Jouni Malinen
ae048257cb WPS: Interpret zero length ap_pin hostapd.conf parameter as "unset"
hostapd allows arbitrary AP PIN to be used in WPS. This means that
setting ap_pin to a zero length string ends up enabling AP PIN so that
external registrars can use this specific zero lenth ap_pin value. There
are apparently some APs that have used this invalid configuration with
unintended results. While the proper fix for that is to fix the
component that generates the invalid configuration, hostapd can also
reject such values since the likelihood of a real world use case for
zero length AP PIN (Device Password) is minimal.

Start interpreting zero length ap_pin parameter value as a request to
"unset" the previously set value in hostapd.conf (or if not previously
set, leave it unset). With this, a hostapd.conf file including the
"ap_pin=" line will end up getting interpretted just like that same file
with the ap_pin parameter completely removed, i.e., with AP PIN being
disabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-08-14 21:07:09 +03:00
Avraham Stern
b5bf84ba39 WNM: Differentiate between WNM for station and for AP in build
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.

Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-18 13:28:09 +03:00
Ashwini Patil
65833d71a5 OCE: Add hostapd mode OCE capability indication if enabled
Add OCE IE in Beacon, Probe Response, and (Re)Association Response
frames if OCE is enabled in the configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-14 21:27:00 +03:00
Jouni Malinen
90f837b0bf Update default wpa_group_rekey to once-per-day when using CCMP/GCMP
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:42:55 +03:00
Jouni Malinen
56c7549587 DPP: AP parameters for DPP AKM
Extend hostapd configuration to include parameters needed for the DPP
AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry,
dpp_csign, dpp_csign_expiry.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
567da5bbd0 DPP: Add new AKM
This new AKM is used with DPP when using the signed Connector to derive
a PMK. Since the KCK, KEK, and MIC lengths are variable within a single
AKM, this needs number of additional changes to get the PMK length
delivered to places that need to figure out the lengths of the PTK
components.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Sunil Dutt
2d18ab4082 Add a config parameter to exclude DFS channels from ACS
The new acs_exclude_dfs=1 parameter can be used to request hostapd to
exclude all DFS channels from ACS consideration. This is mainly of use
for cases where the driver supports DFS channels, but for some reason a
non-DFS channel is desired when using automatic channel selection.
Previously, the chanlist parameter could have been used for this, but
that required listing all the acceptable channels. The new parameter
allows this to be done without such a list.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-27 11:50:21 +03:00
Michael Braun
3a46cf93d0 FT: Add support for wildcard R0KH/R1KH
Enable use of FT RRB without configuring each other AP locally. Instead,
broadcast messages are exchanged to discover APs within the local
network.

When an R0KH or R1KH is discovered, it is cached for one day.

When a station uses an invalid or offline r0kh_id, requests are always
broadcast. In order to avoid this, if r0kh does not reply, a temporary
blacklist entry is added to r0kh_list.

To avoid blocking a valid r0kh when a non-existing pmk_r0_name is
requested, r0kh is required to always reply using a NAK. Resend requests
a few times to ensure blacklisting does not happen due to small packet
loss.

To free newly created stations later, the r*kh_list start pointer in
conf needs to be updateable from wpa_auth_ft.c, where only wconf is
accessed.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 22:16:14 +03:00
Michael Braun
245fc96e5f FT: New RRB message format
Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher
to protect the messages.

This needs at least 32 byte long keys. These can be provided either
by a config file change or letting a KDF derive the 32 byte key used
from the 16 byte key given.

This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 21:55:29 +03:00
Peng Xu
ec27b04e60 hostapd: Select a valid secondary channel if both enabled
When starting AP in HT40 mode and both HT40+ and HT40- options are
specified in hostapd.conf, select a valid secondary channel for the AP
automatically.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-04-29 16:35:23 +03:00
Jouni Malinen
1764559eef FILS: Add FILS SK auth PFS support in AP mode
This adds an option to configure hostapd to enable use of perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime configuration parameter fils_dh_group is used to enable this
by specifying which DH group to use. For example, fils_dh_group=19 would
allow FILS SK PFS to be used with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
a1ea1b4522 OWE: Define and parse OWE AKM selector
This adds a new RSN AKM "OWE".

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 19:24:11 +02:00
Jouni Malinen
941caed980 MBO: Add MBO ANQP-element processing on AP
This extends the GAS server to process MBO ANQP-elements and reply to a
query for the Cellular Data Connection Preference (if configured). The
new configuration parameter mbo_cell_data_conn_pref can be used to set
the value (0, 1, or 255) for the preference to indicate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-10 18:33:51 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Jouni Malinen
ff936bc753 Make the third octet of Country String configurable
The new hostapd.conf parameter country3 can now be used to configure the
third octet of the Country String that was previously hardcoded to ' '
(= 0x20).

For example:

All environments of the current frequency band and country (default)
country3=0x20

Outdoor environment only
country3=0x4f

Indoor environment only
country3=0x49

Noncountry entity (country_code=XX)
country3=0x58

IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
Annex E, Table E-4 (Global operating classes)
country3=0x04

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 10:58:15 +02:00
Jouni Malinen
57a2aacabf Add option to disable broadcast deauth in hostapd on AP start/stop
The new broadcast_deauth parameter can be used to disable sending of the
Deauthentication frame whenever AP is started or stopped. The default
behavior remains identical to the past behavior (broadcast_deauth=1).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Peng Xu
94380cb40a hostapd: Initial IEEE 802.11ax (HE) definitions
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:52 +02:00
Günther Kelleter
41f140d386 Add hostapd options wpa_group_update_count and wpa_pairwise_update_count
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).

Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Jouni Malinen
91d91abf6f FILS: DHCP relay for HLP requests
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.

The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-01 18:17:39 +02:00
Jouni Malinen
73a27a6345 Add hostapd configuration parameter rrm_beacon_report
rrm_beacon_report=1 can now be used to make hostapd advertise capability
for beacon reports (passive, active, table). Actual mechanism for
sending out beacon requests will be added in separate commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
2977f5193a GAS: Remove unnecessarily duplicate gas_frag_limit configuration
The actual BSS configuration parameter can be updated with the SET
control interface command, so there is no need to maintain a separate
per-BSS parameter and a separate control interface handling for this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-30 00:23:10 +02:00
Jouni Malinen
78022c8366 Fix memory leak on hostapd eap_user_file parsing error paths
Need to free all the pending completed EAP users if a parsing error
prevents the file from being used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:47:00 +02:00