Commit graph

294 commits

Author SHA1 Message Date
Jouni Malinen
b0e91e3877 SAE: VLAN assignment based on SAE Password Identifier
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-02-17 17:24:23 +02:00
Jouni Malinen
fe468b0714 HE: Fix set_he_cap() parsing of config options for MU EDCA Params
When I replaced the POS() function with ffs() when applying relevant
parts from the original patch, this ended up breaking the frame
construction since the POS() function was supposed to count the bit
offset for the mask with 0 being the LSB instead of 1 returned by ffs().
Furthermore, ffs() is not available in all C libraries (e.g., not
directly exposed by strings.h on Android), so better not depend on that
or compiler builtins for this since there is no need for this to be as
fast as possible in configuration parsing.

Fix this with a simple function to determine the number of bits the
value needs to be shifted left to align with the mask.

Fixes: 11ce7a1bc3 ("HE: Add MU EDCA Parameter Set element (AP)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-02-12 01:23:30 +02:00
Jared Bents
159a7fbdea crl_reload_interval: Add CRL reloading support
This patch adds a new flag 'crl_reload_interval' to reload CRL
periodically. This can be used to reload ca_cert file and the included
CRL information on every new TLS session if difference between the last
reload and the current time in seconds is greater than
crl_reload_interval.

This reloading is used for cases where check_crl is 1 or 2 and the CRL
is included in the ca_file.

Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
2019-01-27 18:45:07 +02:00
Ian Archer
9758b08bcf hostapd: Add support for setting pbss option from config file
There is currently no support for setting hostapd_bss_config.pbss from a
config file, i.e., it was used only based on automatic logic in
wpa_supplicant. This patch adds a key naturally called "pbss" which can
be used to set it.

Cc: Antony King <antony.king@bluwirelesstechnology.com>
Signed-off-by: Brendan Jackman <brendan.jackman@bluwirelesstechnology.com>
2019-01-21 12:35:59 +02:00
Siva Mullati
11ce7a1bc3 HE: Add MU EDCA Parameter Set element (AP)
Add support for configuring parameters for the MU EDCA Parameter Set
element per IEEE P802.11ax/D3.0.

Signed-off-by: Siva Mullati <siva.mullati@intel.com>
2019-01-08 17:22:43 +02:00
Jouni Malinen
cc9c4feccc OpenSSL: Allow systemwide policies to be overridden
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.

Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.

In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.

In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-01-05 17:14:26 +02:00
Beni Lev
076f1ea1d9 OCE: Add RSSI based association rejection support (AP)
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2019-01-01 18:18:50 +02:00
Sam Voss
dd5d325b0a hostapd: Add configuration option check_crl_strict
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.

This causes the following:

- This setting does nothing when CRL checking is not enabled.

- When CRL is enabled, "strict mode" will cause CRL time errors to not
  be ignored and will continue behaving as it currently does.

- When CRL is enabled, disabling strict mode will cause CRL time
  errors to be ignored and will allow connections.

By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.

Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
2018-12-31 12:51:51 +02:00
Hristo Venev
d01203cafc hostapd: Add openssl_ecdh_curves configuration parameter
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.

Signed-off-by: Hristo Venev <hristo@venev.name>
2018-12-30 17:27:34 +02:00
Felix Fietkau
4d663233e6 hostapd: Support for overriding the bridge name per VLAN via vlan_file
This makes it easier to integrate dynamic VLANs in custom network
configurations. The bridge name is added after the interface name in the
vlan_file line, also separated by whitespace.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-12-21 12:02:57 +02:00
Venkateswara Naralasetty
9c06f0f6ae hostapd: Add Multi-AP protocol support
The purpose of Multi-AP specification is to enable inter-operability
across Wi-Fi access points (APs) from different vendors.

This patch introduces one new configuration parameter 'multi_ap' to
enable Multi-AP functionality and to configure the BSS as a backhaul
and/or fronthaul BSS.

Advertise vendor specific Multi-AP capabilities in (Re)Association
Response frame, if Multi-AP functionality is enabled through the
configuration parameter.

A backhaul AP must support receiving both 3addr and 4addr frames from a
backhaul STA, so create a VLAN for it just like is done for WDS, i.e.,
by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never
WEP), we can safely call hostapd_set_wds_encryption() as well and we can
reuse the entire WDS condition.

To parse the Multi-AP Extension subelement, we use get_ie(): even though
that function is meant for parsing IEs, it works for subelements.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-12-20 01:04:14 +02:00
Mathy Vanhoef
9c55fdb023 OCV: Add hostapd config parameter
Add hostapd.conf parameter ocv to disable or enable Operating Channel
Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Jouni Malinen
7bd8c76a4f HS 2.0 server: RADIUS server support for SIM provisioning
This adds support for hostapd-as-RADIUS-authentication-server to request
subscription remediation for SIM-based credentials. The new hostapd.conf
parameter hs20_sim_provisioning_url is used to set the URL prefix for
the remediation server for SIM provisioning. The random
hotspot2dot0-mobile-identifier-hash value will be added to the end of
this URL prefix and the same value is stored in a new SQLite database
table sim_provisioning for the subscription server implementation to
use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-15 18:01:38 +02:00
Jouni Malinen
6ae04d7b34 HS 2.0: Allow Hotspot 2.0 release number to be configured
The new hostapd configuration parameter hs20_release can be used to
configure the AP to advertise a specific Hotspot 2.0 release number
instead of the latest supported release. This is mainly for testing
purposes.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-08 14:06:54 +02:00
Jouni Malinen
678d8410af Move send_probe_response parameter to BSS specific items
This can be more convenient for testing Multiple BSSID functionality.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-07 15:03:11 +02:00
Jouni Malinen
d514b50265 WNM: Collocated Interference Reporting
Add support for negotiating WNM Collocated Interference Reporting. This
allows hostapd to request associated STAs to report their collocated
interference information and wpa_supplicant to process such request and
reporting. The actual values (Collocated Interference Report Elements)
are out of scope of hostapd and wpa_supplicant, i.e., external
components are expected to generated and process these.

For hostapd/AP, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration. STAs are requested to perform
reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report
Timeout>" control interface command. The received reports are indicated
as control interface events "COLOC-INTF-REPORT <addr> <dialog token>
<hexdump of report elements>".

For wpa_supplicant/STA, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration and setting Collocated
Interference Report Elements as a hexdump with "SET coloc_intf_elems
<hexdump>" control interface command. The hexdump can contain one or
more Collocated Interference Report Elements (each including the
information element header). For additional testing purposes, received
requests are reported with "COLOC-INTF-REQ <dialog token> <automatic
report enabled> <report timeout>" control interface events and
unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

This commit adds support for reporting changes in the collocated
interference (Automatic Report Enabled == 1 and partial 3), but not for
periodic reports (2 and other part of 3).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-30 14:07:51 +02:00
Jouni Malinen
cad810a98f HS 2.0: OSU Provider NAI List advertisement
Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be
advertised in addition to the previously used OSU Providers list
ANQP-element. The new osu_nai2 configurator parameter option is used to
specify the OSU_NAI value for the shared BSS (Single SSID) case while
osu_nai remains to be used for the separate OSU BSS.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-10-05 20:49:42 +03:00
Hai Shalom
560e30bf3b Parse sae_password option when CONFIG_SAE is enabled
Call to parse_sae_password was incorrectly depending
on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should
depend only on the latter.

Fixes: 2377c1caef ("SAE: Allow SAE password to be configured separately (AP)")
Signed-off-by: Hai Shalom <haishalom@google.com>
2018-09-02 12:30:37 +03:00
Sathishkumar Muruganandam
47abe29aa9 hostapd: SET ht_capab support for disabling 40 MHz bandwidth
'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both
to be present. Based on the offset + or -, secondary_channel is updated
but HT20/VHT20 mode can be brought up only from config file and can't be
done using the SET command when the current HT mode is HT40+ or HT40-.

When managing AP+STA mode from userspace doing hostapd_cli: "disable ->
set channel, ht_capab -> enable" sequence, channel switch from
HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab
limitation.

Cover this additional case by resetting secondary_channel to 0 for
HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.

Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
2018-08-21 19:04:44 +03:00
Jouni Malinen
c6f2eceb8b FT: Add key management value FT-EAP-SHA384 for hostapd
This allows hostapd to be configuted to use the SHA384-based FT AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-06-05 20:16:37 +03:00
Jouni Malinen
8d660a4bac HS 2.0: Allow OSEN connection to be enabled in an RSN BSS
This allows a single BSS/SSID to be used for both data connection and
OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more
likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-29 23:34:22 +03:00
Dan Harkins
d52ead3db7 EAP-pwd server: Add support for salted password databases
These changes add support for salted password databases to EAP-pwd per
RFC 8146. This commits introduces the framework for enabling this and
the salting mechanisms based on SHA-1, SHA256, and SHA512 hash
algorithms.

Signed-off-by: Dan Harkins <dharkins@lounge.org>
2018-05-28 22:08:51 +03:00
Jouni Malinen
9be19d0b9c SAE: Add support for using the optional Password Identifier
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-05-19 17:30:29 +03:00
Jouni Malinen
d501c27cfe EAP-TLS server: Disable TLS v1.3 by default
The current EAP peer implementation is not yet ready for the TLS v1.3
changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for
this EAP method for now.

While the current EAP-TLS implementation is more or less complete for
TLS v1.3, there has been no interoperability testing with other
implementations, so disable for by default for now until there has been
chance to confirm that no significant interoperability issues show up
with TLS version update. tls_flags=[ENABLE-TLSv1.3] configuration
parameter can be used to enable TLS v1.3 (assuming the TLS library
supports it; e.g., when using OpenSSL 1.1.1).

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 22:13:38 +03:00
Jouni Malinen
bbbc7e8016 EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-05-01 22:13:38 +03:00
Jouni Malinen
8760b9848c HS 2.0: Send Terms and Conditions Acceptance notification
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.

This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
6cb8f4f382 HS 2.0: Terms and Conditions attributes in Access-Request messages
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-24 00:35:47 +03:00
Jouni Malinen
0e450db285 HS 2.0: Allow configuration of operator icons
This extends hostapd Hotspot 2.0 implementation to allow operator icons
to be made available. The existing hs20_icon parameter is used to define
the icons and the new operator_icon parameter (zero or more entries) is
used to specify which of the available icons are operator icons. The
operator icons are advertised in the Operator Icon Metadata ANQP-element
while the icon data can be fetched using the same mechanism (icon
request/binary file) that was added for the OSU Providers icons.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-04-17 16:40:47 +03:00
Michael Braun
3a3e28320b FT: Add expiration to PMK-R0 and PMK-R1 cache
IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the
PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which
the key was derived. This is currently stored in r0_key_lifetime, but
cache entries are not actually removed.

This commit uses the r0_key_lifetime configuration parameter when
wpa_auth_derive_ptk_ft() is called. This may need to be extended to use
the MSK lifetime, if provided by an external authentication server, with
some future changes. For PSK, there is no such lifetime, but it also
matters less as FT-PSK can be achieved without inter-AP communication.

The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies
that the given timeout for sanity, it may not exceed the locally configured
r1_max_key_lifetime.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-05 13:58:20 +03:00
Michael Braun
83fe4bd3bf FT: Convert r0_key_lifetime to seconds
Add a new configuration option ft_r0_key_lifetime that deprecates
r0_key_lifetime. Though, the old configuration is still accepted for
backwards compatibility.

This simplifies testing. All other items are in seconds as well. In
addition, this makes dot11FTR0KeyLifetime comment match with what got
standardized in the end in IEEE Std 802.11r-2008.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2018-04-05 13:47:23 +03:00
Jouni Malinen
7e1d3ee963 Add hostapd.conf venue_url to set Venue URL ANQP-element
The new venue_url parameter can now be used to set the Venue URL ANQP
information instead of having to construct the data and use
anqp_elem=277:<hexdump> to set the raw value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-26 16:10:47 +03:00
Jouni Malinen
0fa669bcae Fix a resource leak on hostapd maclist parsing error path
The open file needs to be closed in error case. The conversion to using
a new helper function (hostapd_add_acl_maclist) somehow managed to
remove the neede fclose(f) call. Bring it back to fix this.

Fixes: 3988046de5 ("hostapd: Dynamic MAC ACL management over control interface")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-03-21 22:34:09 +02:00
Jouni Malinen
427729ee67 Reject eap_server_erp hostapd.conf parameter without CONFIG_ERP=y
This provides an explicit error report if runtime configuration is not
valid and ERP server functionality cannot be used.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-02-28 13:09:07 +02:00
Tamizh chelvam
3988046de5 hostapd: Dynamic MAC ACL management over control interface
Previously, MAC ACL could be modified only through file operations
(modify accept/deny_mac_file and reload it to hostapd). Extend this to
allow MAC ACL to be modified and displayed through new control interface
commands:

ACCEPT_ACL <subcmd> [argument]
DENY_ACL <subcmd> [argument]

subcmd: ADD_MAC <addr>[ VLAN_ID=<id>]|DEL_MAC <addr>|SHOW|CLEAR

Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
2018-02-07 19:45:21 +02:00
Jouni Malinen
ba3d435fe4 SAE: Add option to require MFP for SAE associations
The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to
enforce negotiation of MFP for all associations that negotiate use of
SAE. This is used in cases where SAE-capable devices are known to be
MFP-capable and the BSS is configured with optional MFP (ieee80211w=1)
for legacy support. The non-SAE stations can connect without MFP while
SAE stations are required to negotiate MFP if sae_require_mfp=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 18:27:58 +02:00
Jouni Malinen
d8b841eba8 SAE: Make dot11RSNASAESync configurable
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-26 12:46:22 +02:00
Bhagavathi Perumal S
af832aa998 hostapd: Add average channel utilization in STATUS
This allows external programs to get the average channel utilization.
The average channel utilization is calculated and reported through
STATUS command. Users need to configure chan_util_avg_period and
bss_load_update_period in hostapd config to get the average channel
utilization.

Signed-off-by: Bhagavathi Perumal S <bperumal@qti.qualcomm.com>
2017-12-12 00:48:27 +02:00
Jouni Malinen
778d87054e Fix error handling in bss_load_update_period parser
Do not update the configuration parameter before having verified the
value to be in the valid range.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-12-12 00:46:21 +02:00
Jouni Malinen
27781c0ab5 Allow group cipher selection to be overridden
The new hostapd configuration parameter group_cipher can now be used to
override the automatic cipher selection based on enabled pairwise
ciphers. It should be noted that selecting an unexpected group cipher
can result in interoperability issues and this new capability is mainly
for testing purposes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-11-17 12:31:41 +02:00
Jouni Malinen
348c93847a AP-side workaround for WNM-Sleep Mode GTK/IGTK reinstallation issues
Normally, WNM-Sleep Mode exit with management frame protection
negotiated would result in the current GTK/IGTK getting added into the
WNM-Sleep Mode Response frame. Some station implementations may have a
vulnerability that results in GTK/IGTK reinstallation based on this
frame being replayed. Add a new hostapd configuration parameter that can
be used to disable that behavior and use EAPOL-Key frames for GTK/IGTK
update instead. This would likely be only used with
wpa_disable_eapol_key_retries=1 that enables a workaround for similar
issues with EAPOL-Key. This is related to station side vulnerabilities
CVE-2017-13087 and CVE-2017-13088. To enable this AP-side workaround,
set wnm_sleep_mode_no_keys=1.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-29 17:13:54 +02:00
Jouni Malinen
6f234c1e2e Optional AP side workaround for key reinstallation attacks
This adds a new hostapd configuration parameter
wpa_disable_eapol_key_retries=1 that can be used to disable
retransmission of EAPOL-Key frames that are used to install
keys (EAPOL-Key message 3/4 and group message 1/2). This is
similar to setting wpa_group_update_count=1 and
wpa_pairwise_update_count=1, but with no impact to message 1/4
retries and with extended timeout for messages 4/4 and group
message 2/2 to avoid causing issues with stations that may use
aggressive power saving have very long time in replying to the
EAPOL-Key messages.

This option can be used to work around key reinstallation attacks
on the station (supplicant) side in cases those station devices
cannot be updated for some reason. By removing the
retransmissions the attacker cannot cause key reinstallation with
a delayed frame transmission. This is related to the station side
vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, and CVE-2017-13081.

This workaround might cause interoperability issues and reduced
robustness of key negotiation especially in environments with
heavy traffic load due to the number of attempts to perform the
key exchange is reduced significantly. As such, this workaround
is disabled by default (unless overridden in build
configuration). To enable this, set the parameter to 1.

It is also possible to enable this in the build by default by
adding the following to the build configuration:

CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-17 00:06:26 +03:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
2377c1caef SAE: Allow SAE password to be configured separately (AP)
The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 23:10:19 +03:00
Jouni Malinen
91cc34bf32 OWE: Allow set of enabled DH groups to be limited on AP
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 21:03:57 +03:00
Jouni Malinen
c77e2ff096 DPP: Remove C-sign-key expiry
This was removed in DPP tech spec v0.2.3.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 01:17:33 +03:00
Jouni Malinen
a891388184 OWE: Transition mode information based on BSS ifname
The owe_transition_bssid and owe_transition_ssid parameters can now be
replace with owe_transition_ifname to clone the BSSID/SSID information
automatically in case the same hostapd process manages both the OWE and
open BSS for transition mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 13:39:23 +03:00
Jouni Malinen
ea079153f4 OWE: Add AP support for transition mode
The new owe_transition_bssid and owe_transition_ssid parameters can be
used to configure hostapd to advertise the OWE Transition Mode element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
a7297ae5cb Fix hostapd debug messages on wpa_pairwise and rsn_pairwise parsing
Incorrect value was printed out as the line number for this messages.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-09-22 18:43:41 +03:00
Jouni Malinen
2ed70c7586 OpenSSL: Add option to disable ECDHE with Suite B RSA
The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network
profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite
B RSA constraints with ECDHE disabled. This is mainly to allow
the DHE TLS cipher suite to be tested.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00
Jouni Malinen
6418400db9 Add hostapd tls_flags parameter
This can be used to set the TLS flags for authentication server.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-18 12:12:48 +03:00