Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a new hostapd configuration parameter beacon_prot=<0/1> to allow
Beacon protection to be enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not use VERSION_STR directly as the format string to printf() since
it is possible for that string to contain '%'.
Signed-off-by: Didier Raboud <odyx@debian.org>
SM Power Save was described in somewhat unclear manner in IEEE Std
802.11n-2009 as far the use of it locally in an AP to save power. That
was clarified in IEEE Std 802.11-2016 to allow only a non-AP STA to use
SMPS while the AP is required to support an associated STA doing so. The
AP itself cannot use SMPS locally and the HT Capability advertisement
for this is not appropriate.
Remove the parts of SMPS support that involve the AP using it locally.
In practice, this reverts the following commits:
04ee647d58 ("HT: Let the driver advertise its supported SMPS modes for AP mode")
8f461b50cf ("HT: Pass the smps_mode in AP parameters")
da1080d721 ("nl80211: Advertise and configure SMPS modes")
Signed-off-by: Jouni Malinen <j@w1.fi>
The HE Operation field for BSS color consists of a disabled, a partial,
and 6 color bits. The original commit adding support for BSS color
considered this to be a u8. This commit changes this to the actual
bits/values.
This adds an explicit config parameter for the partial bit. The disabled
is set to 0 implicitly if a bss_color is defined.
Interoperability testing showed that stations will require a BSS color
to be set even if the feature is disabled. Hence the default color is 1
when none is defined inside the config file.
Signed-off-by: John Crispin <john@phrozen.org>
By default, when configuration file set wpa_psk_file, hostapd generated
a random PSK for each Enrollee provisioned using WPS and appended that
PSK to wpa_psk_file.
Changes that behavior by adding a new step. WPS will first try to use a
PSK from wpa_psk_file. It will only try PSKs with wps=1 tag.
Additionally it'll try to match enrollee's MAC address (if provided). If
it fails to find an appropriate PSK, it falls back to generating a new
PSK.
Signed-off-by: Tomasz Jankowski <tomasz.jankowski@plume.com>
Add new control interface commands "DPP_NFC_HANDOVER_REQ own=<id>
uri=<URI>" and "DPP_NFC_HANDOVER_SEL own=<id> uri=<URI>" to support NFC
negotiated connection handover. These commands are used to report a DPP
URI received from a peer NFC Device in Handover Request and Handover
Select messages. The commands return peer bootstrapping information ID
or FAIL on failure. The returned ID is used similarly to any other
bootstrapping information to initiate DPP authentication.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Initial OWE implementation used SHA256 when deriving the PTK for all OWE
groups. This was supposed to change to SHA384 for group 20 and SHA512
for group 21. The new owe_ptk_workaround parameter can be used to enable
workaround for interoperability with stations that use SHA256 with
groups 20 and 21. By default, only the appropriate hash function is
accepted. When workaround is enabled (owe_ptk_workaround=1), the
appropriate hash function is tried first and if that fails, SHA256-based
PTK derivation is attempted. This workaround can result in reduced
security for groups 20 and 21, but is required for interoperability with
older implementations. There is no impact to group 19 behavior.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This has nothing to do with OWE and parsing of this value was not
supposed to be within an ifdef CONFIG_OWE block.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the new set_key() parameter "key_flag" to provide more specific
description of what type of a key is being configured. This is needed to
be able to add support for "Extended Key ID for Individually Addressed
Frames" from IEEE Std 802.11-2016. In addition, this may be used to
replace the set_tx boolean eventually once all the driver wrappers have
moved to using the new key_flag.
The following flag are defined:
KEY_FLAG_MODIFY
Set when an already installed key must be updated.
So far the only use-case is changing RX/TX status of installed
keys. Must not be set when deleting a key.
KEY_FLAG_DEFAULT
Set when the key is also a default key. Must not be set when
deleting a key. (This is the replacement for set_tx.)
KEY_FLAG_RX
The key is valid for RX. Must not be set when deleting a key.
KEY_FLAG_TX
The key is valid for TX. Must not be set when deleting a key.
KEY_FLAG_GROUP
The key is a broadcast or group key.
KEY_FLAG_PAIRWISE
The key is a pairwise key.
KEY_FLAG_PMK
The key is a Pairwise Master Key (PMK).
Predefined and needed flag combinations so far are:
KEY_FLAG_GROUP_RX_TX
WEP key not used as default key (yet).
KEY_FLAG_GROUP_RX_TX_DEFAULT
Default WEP or WPA-NONE key.
KEY_FLAG_GROUP_RX
GTK key valid for RX only.
KEY_FLAG_GROUP_TX_DEFAULT
GTK key valid for TX only, immediately taking over TX.
KEY_FLAG_PAIRWISE_RX_TX
Pairwise key immediately becoming the active pairwise key.
KEY_FLAG_PAIRWISE_RX
Pairwise key not yet valid for TX. (Only usable with Extended Key ID
support.)
KEY_FLAG_PAIRWISE_RX_TX_MODIFY
Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX.
KEY_FLAG_RX_TX
Not a valid standalone key type and can only used in combination
with other flags to mark a key for RX/TX.
This commit is not changing any functionality. It just adds the new
key_flag to all hostapd/wpa_supplicant set_key() functions without using
it, yet.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
This is in preparation for adding support to use a single WLAN netdev
with VLAN operations offloaded to the driver. No functional changes are
included in this commit.
Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
Application Extension attribute is defined in WSC tech spec v2.07 page
104. Allow hostapd to be configured to add this extension into WPS IE in
Beacon and Probe Response frames. The implementation is very similar to
vendor extension.
A new optional entry called "wps_application_ext" is added to hostapd
config file to configure this. It enodes the payload of the Application
Extension attribute in hexdump format.
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
The new hostapd gtk_rsc_override and igtk_rsc_override configuration
parameters can be used to set an override value for the RSC that the AP
advertises for STAs for GTK/IGTK. The contents of those parameters is a
hexdump of the RSC in little endian byte order.
This functionality is available only in CONFIG_TESTING_OPTIONS=y builds.
This can be used to verify that stations implement initial RSC
configuration correctly for GTK/ and IGTK.
Signed-off-by: Jouni Malinen <j@w1.fi>
Merge hostapd_drv_send_mlme_csa() functionality into
hostapd_drv_send_mlme() to get a single driver ops handler function for
hostapd. In addition, add a new no_encrypt parameter in preparation for
functionality that is needed to get rid of the separate send_frame()
driver op.
Signed-off-by: Jouni Malinen <j@w1.fi>
These are certainly not error conditions, but normal cases for starting
up. Drop the message from ERROR to DEBUG.
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used in the future to implement support for RNR and scanning
extensions using a shorter field for the SSID.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
If hostapd or wpa_supplicant is started with both -s and -f command line
arguments, debug log ended up being written only into syslog and the log
file was left empty. Change this so that the log entries will be written
to both places. Either -s or -f (or both) results in debug log to stdout
being disabled which was already the case.
Signed-off-by: Jouni Malinen <j@w1.fi>
This lets one know the current neighbor list, and could be used
to populate the neighbor list of other hostapd processes.
For instance:
$ hostapd_cli -i vap0001 show_neighbor
04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
$ hostapd_cli -i vap0000 set_neighbor 04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
OK
$ hostapd_cli -i vap0000 show_neighbor
04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
04:f0:21:c3:b2:b0 ssid=04f021c3b2b0af190000802809 nr=04f021c3b2b0af1900008028090603022a00
Signed-off-by: Ben Greear <greearb@candelatech.com>
Let users delete a neighbor by BSSID alone if they prefer. The
underlying code already properly handled a NULL SSID, so just relax the
control interface command calling restrictions.
Signed-off-by: Ben Greear <greearb@candelatech.com>
When the newly added "-r" parameter is used, both clis will try to
reconnect forever on connection lost until signalled (ctrl+c) or
terminated. This is useful only when used with -a to take action to
retrieve events or get status and the cli process stays even if
hostapd/wpa_supplicant daemons restart for some reason (e.g.,
configuration change).
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
Add support to exclude non-PSC 6 GHz channels from the input frequency
list to ACS. The new acs_exclude_6ghz_non_psc=1 parameter can be used by
6 GHz only APs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The channel numbers are duplicated between 2.4 GHz / 5 GHz bands and 6
GHz band. Hence, add support to configure a list of frequencies to ACS
(freqlist) instead of a list of channel numbers (chanlist). Also, both 5
GHz and 6 GHz channels are referred by HOSTAPD_MODE_IEEE80211A. The 6
GHz channels alone can be configured by using both mode and frequency
list.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This new hostapd configuration parameter rsnxe_override_eapol=<hexdump>
can be used to override RSNXE value in EAPOL-Key msg 3/4 for testing
purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd and wpa_supplicant DPP implementation to allow the
bootstrapping URI to be generated for and parsed from an NFC Tag with an
NFC URI Record. This is similar to the way the bootstrapping URI is used
with QR Code for unidirectional authentication.
The DPP_BOOTSTRAP_GEN command uses "type=nfc-uri" to request the URI to
be assigned for NFC URI Record. In practice, the URI is generated
identically to the QR Code case, but the internal entry maintains the
NFC-URI type.
A new command "DPP_NFC_URI <uri>" can now be used to parse the URI read
from an NFC Tag with the NFC URI Record. This is similar to the
DPP_QR_CODE command.
Other commands (mainly, DPP_LISTEN and DPP_AUTH_INIT) are used for NFC
URI in the same way as they are used for QR Code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 844dfeb804 ("QCA vendor command support to set band to driver")
added a vendor command to pass 'SET setband' command information to the
driver in wpa_supplicant. Add similar changes to hostapd control
interface.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, wpa_msg_register_cb() was called only from successful
completion of per-interface control interface initialization. This would
leave the callback unregistered in case only the global control
interface is used which would result in not delivering control interface
events on the global interface. Fix this by registering the callback
handler also from successful initialization of the global control
interface.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Previously, hostapd sent only WPA_MSG_ONLY_GLOBAL type notifications to
the global control interface and all other notifications to
per-interface control interface. Extend this by making it similar to
wpa_supplicant global control interface notifications handling. With
this hostapd now sends all notifications except WPA_MSG_NO_GLOBAL to the
global control interface. In addition, WPA_MSG_PER_INTERFACE type
messages will be prefixed with "IFNAME=<interface name> " while sending
to the global control interface to indicate that the message is
interface specific.
Signed-off-by: Veerendranath Jakkam <vjakkam@codeaurora.org>
Otherwise, we may get linker failures:
ld.lld: error: unable to find library -lbfd
While we're at it, pull in the library selection fixes from commit
848905b12a ("Avoid undefined references with CONFIG_WPA_TRACE_BFD=y").
Signed-off-by: Brian Norris <briannorris@chromium.org>
Add support for new hardware mode for 6 GHz band. 6 GHz operation is
defined in IEEE P802.11ax/D4.3. 6 GHz band adds global operating classes
131-135 that define channels in frequency range from 5940 MHz to 7105
MHz.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
- Remove HOSTAPD_MODE_IEEE80211AX mode
- Replace check for HOSTAPD_MODE_IEEE80211AX with is_6ghz_freq()
- Move center_idx_to_bw_6ghz() to ieee802_11_common.c file
Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
This parameter can be used to specify which PWE derivation mechanism(s)
is enabled. This commit is only introducing the new parameter; actual
use of it will be address in separate commits.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hostapd is by default waiting STA to send SAE Confirm before sending the
SAE Confirm. This can now be configured with sae_confirm_immediate=1
resulting in hostapd sending out SAE Confirm immediately after sending
SAE Commit.
These are the two different message sequences:
sae_confirm_immediate=0
STA->AP: SAE Commit
AP->STA: SAE Commit
STA->AP: SAE Confirm
AP->STA: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response
sae_confirm_immediate=1
STA->AP: SAE Commit
AP->STA: SAE Commit
AP->STA: SAE Confirm
STA->AP: SAE Confirm
STA->AP: Association Request
AP->STA: Association Response
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add two new configuration parameters for hostapd:
enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
edmg_channel: Configure channel bonding for AP mode in the 60 GHz band
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
maintained nor is there any expectation of the withdrawn trial-use
recommended practice to be maintained in the future. Furthermore,
implementation of IAPP in hostapd was not complete, i.e., only parts of
the recommended practice were included. The main item of some real use
long time ago was the Layer 2 Update frame to update bridges when a STA
roams within an ESS, but that functionality has, in practice, been moved
to kernel drivers to provide better integration with the networking
stack.
Signed-off-by: Jouni Malinen <j@w1.fi>
Fix CONFIG_DPP=y build for cases where the needed dependencies were not
pulled in by other optional build parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow the previously hardcoded maximum numbers of EAP message rounds to
be configured in hostapd EAP server. This can be used, e.g., to increase
the default limits if very large X.509 certificates are used for EAP
authentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new eap_teap_id=5 hostapd configuration parameter value can be used
to configure EAP-TEAP server to request and require user and machine
credentials within the tunnel. This can be done either with Basic
Password Authentication or with inner EAP authentication methods.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter eap_teap_id can be used to
configure the expected behavior for used identity type.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new eap_teap_separate_result=1 hostapd configuration parameter can
be used to test TEAP exchange where the Intermediate-Result TLV and
Crypto-Binding TLV are send in one message exchange while the Result TLV
exchange in done after that in a separate message exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.
Signed-off-by: Jouni Malinen <j@w1.fi>
The OpenSSL error codes used here were for certificates, not CRLs. Fix
that to refer to CRL being expired or not yet valid.
Signed-off-by: Jouni Malinen <j@w1.fi>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an SQLite table for defining per station MAC address version of
radius_auth_req_attr/radius_acct_req_attr information. Create the
necessary table and index where this doesn't exist. Select attributes
from the table keyed by station MAC address and request type (auth or
acct), parse and apply to a RADIUS message.
Add radius_req_attr_sqlite hostapd config option for SQLite database
file. Open/close RADIUS attribute database for a lifetime of a BSS and
invoke functions to add extra attributes during RADIUS auth and
accounting request generation.
Signed-off-by: Terry Burton <tez@terryburton.co.uk>
We will want to parse RADIUS attributes in config file format when
retrieving them from an SQLite database.
Signed-off-by: Terry Burton <tez@terryburton.co.uk>
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.
This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant already included support for this, but hostapd
DATA_TEST_* commands did not yet have support for using a shorter test
frame. This is needed for MACsec testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a config option to allow setting a custom Basic NSS/MCS set. As a
default we use single stream HE-MCS 0-7.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
Add ability to use UPDATE_BEACON with hostapd_cli. The option has been
exposed in ctrl_iface already.
Signed-off-by: Alona Solntseva <alona.solntseva@tandemg.com>
Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
The initial commit used srp instead of spr for the spatial reuse
configuration prefix.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439
The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.
The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.
In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
This field needs to be set to a value within 1-63 range, i.e., 0 is not
a valid value and does not indicate that BSS color is disabled. B7 of
the BSS Color octet is used to indicate that the BSS Color is
_temporarily_ disabled, but that is something that would happen
automatically based on detecting a collision in the used BSS colors and
not something that would be configured.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA
thresholds. For this to work the AP needs to broadcast the element
first.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
Signed-off-by: John Crispin <john@phrozen.org>
The new hostapd configuration parameter dpp_controller can now be used
with the following subparameter values: ipaddr=<IP address>
pkhash=<hexdump>. This adds a new Controller into the configuration
(i.e., more than one can be configured) and all incoming DPP exchanges
that match the specified Controller public key hash are relayed to the
particular Controller.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to provide configurable parameter to the global DPP
context. This initial commit introduces the msg_ctx context pointer for
wpa_msg().
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.7 and v2.8.
Signed-off-by: Jouni Malinen <j@w1.fi>
The TSF field in BSS termination information was not cleared correctly.
It was supposed to be cleared to all zeros, but the memset call did not
point at offset 2; instead, it cleared it with 0x02 octets and also
cleared the subelement header with 0x02 octets while leaving two last
octets uninitialized.
Fixes: a30dff07fb ("Add BSS_TM_REQ command to send BSS Transition Management Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Very short beacon intervals can be useful for certain scenarios such
as minimising association time on PBSSs. Linux supports a minimum of
10[1] so let's reduce the minimum to match that.
[1] https://elixir.bootlin.com/linux/latest/ident/cfg80211_validate_beacon_int
Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
Merge the practically copy-pasted implementations in wpa_supplicant and
hostapd into a single shared implementation in dpp.c for managing
configurator and boostrapping information. This avoid unnecessary code
duplication and provides a convenient location for adding new global DPP
data.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
"GET_CAPABILITY dpp" can now be used to determine which version number
of DPP is supported in the build.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is
used to control whether new functionality defined after the DPP
specification v1.0 is included. All such functionality are considered
experimental and subject to change without notice and as such, not
suitable for production use.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch added 'check_cert_subject' support to match the value of
every field against the DN of the subject in the client certificate. If
the values do not match, the certificate verification will fail and will
reject the user.
This option allows hostapd to match every individual field in the right
order, also allow '*' character as a wildcard (e.g OU=Development*).
Note: hostapd will match string up to 'wildcard' against the DN of the
subject in the client certificate for every individual field.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter wps_cred_add_sae=1 can be used
to request hostapd to add SAE configuration whenever WPS is used to
configure the AP to use WPA2-PSK and the credential includes a
passphrase (instead of PSK). This can be used to enable WPA3-Personal
transition mode with both SAE and PSK enabled and PMF enabled for PSK
and required for SAE associations.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Change the AP mode default for SAE to enable only the group 19 instead
of enabling all ECC groups that are supported by the used crypto library
and the SAE implementations. The main reason for this is to avoid
enabling groups that are not as strong as the mandatory-to-support group
19 (i.e., groups 25 and 26). In addition, this disables heavier groups
by default.
In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24
based on "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the
MODP groups were already disabled by default and would have needed
explicit configuration to be allowed.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Document what hostapd and wpa_supplicant do for Multi-AP.
This is only included in hostapd, since a Multi-AP device is always an
access point so it should have hostapd.
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a
backhaul STA through WPS. To enable this, the WPS Registrar offers a
different set of credentials (backhaul credentials instead of fronthaul
credentials) when the Multi-AP subelement is present in the WFA vendor
extension element of the WSC M1 message.
Add new configuration options to specify the backhaul credentials for
the hostapd internal registrar: multi_ap_backhaul_ssid,
multi_ap_backhaul_wpa_psk, multi_ap_backhaul_wpa_passphrase. These are
only relevant for a fronthaul SSID, i.e., where multi_ap is set to 2 or
3. When these options are set, pass the backhaul credentials instead of
the normal credentials when the Multi-AP subelement is present.
Ignore the Multi-AP subelement if the backhaul config options are not
set. Note that for an SSID which is fronthaul and backhaul at the same
time (i.e., multi_ap == 3), this results in the correct credentials
being sent anyway.
The security to be used for the backaul BSS is fixed to WPA2PSK. The
Multi-AP Specification only allows Open and WPA2PSK networks to be
configured. Although not stated explicitly, the backhaul link is
intended to be always encrypted, hence WPA2PSK.
To build the credentials, the credential-building code is essentially
copied and simplified. Indeed, the backhaul credentials are always
WPA2PSK and never use per-device PSK. All the options set for the
fronthaul BSS WPS are simply ignored.
Signed-off-by: Davina Lu <ylu@quantenna.com>
Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Extend wpa_psk_file to allow an optional VLAN ID to be specified with
"vlanid=<VLAN ID>" prefix on the line. If VLAN ID is specified and the
particular wpa_psk_file entry is used for a station, that station is
bound to the specified VLAN. This can be used to operate a single
WPA2-Personal BSS with multiple VLANs based on the used passphrase/PSK.
This is similar to the WPA2-Enterprise case where the RADIUS server can
assign stations to different VLANs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When I replaced the POS() function with ffs() when applying relevant
parts from the original patch, this ended up breaking the frame
construction since the POS() function was supposed to count the bit
offset for the mask with 0 being the LSB instead of 1 returned by ffs().
Furthermore, ffs() is not available in all C libraries (e.g., not
directly exposed by strings.h on Android), so better not depend on that
or compiler builtins for this since there is no need for this to be as
fast as possible in configuration parsing.
Fix this with a simple function to determine the number of bits the
value needs to be shifted left to align with the mask.
Fixes: 11ce7a1bc3 ("HE: Add MU EDCA Parameter Set element (AP)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This patch adds a new flag 'crl_reload_interval' to reload CRL
periodically. This can be used to reload ca_cert file and the included
CRL information on every new TLS session if difference between the last
reload and the current time in seconds is greater than
crl_reload_interval.
This reloading is used for cases where check_crl is 1 or 2 and the CRL
is included in the ca_file.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
The wpa_psk_file can now be modified and hostapd can be told to re-read
it with the control interface RELOAD_WPA_PSK command:
$ hostapd_cli reload_wpa_psk
It must be noted special care must be taken if WPS is configured
(wps_state=2, eap_server=1) because WPS appends PMKs to the
wpa_psk_file.
Signed-off-by: Michal Kazior <michal@plume.com>
It is now possible to optionally specify keyid for
each wpa_psk_file entry:
keyid=something 00:00:00:00:00:00 secretpassphrase
When station connects and the passphrase it used
has an associated keyid it will be appended to the
AP-STA-CONNECTED event string:
wlan0: AP-STA-CONNECTED 00:36:76:21:dc:7b keyid=something
It's also possible to retrieve it through the control interface:
$ hostapd_cli all_sta
Selected interface 'ap0'
00:36:76:21:dc:7b
...
keyid=something
New hostapd is able to read old wpa_psk_file. However, old hostapd will
not be able to read the new wpa_psk_file if it includes keyids.
Signed-off-by: Michal Kazior <michal@plume.com>
The standard amendment has been published and there has been sufficient
amount of interoperability testing for FILS to expect the protocol not
to be changed anymore, so remove the notes claiming this to be
experimental and not suitable for production use.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is currently no support for setting hostapd_bss_config.pbss from a
config file, i.e., it was used only based on automatic logic in
wpa_supplicant. This patch adds a key naturally called "pbss" which can
be used to set it.
Cc: Antony King <antony.king@bluwirelesstechnology.com>
Signed-off-by: Brendan Jackman <brendan.jackman@bluwirelesstechnology.com>
Add support for configuring parameters for the MU EDCA Parameter Set
element per IEEE P802.11ax/D3.0.
Signed-off-by: Siva Mullati <siva.mullati@intel.com>
There is no need to allow symlink dereferencing in these cases where a
file (including directories and sockets) are created by the same
process, so use the safer lchown() variant to avoid leaving potential
windows for something external to replace the file before the chown()
call. The particular locations used here should not have write
permissions enabled for processes with less privileges, so this may not
be needed, but anyway, it is better to make these more restrictive
should there be cases where directory permissions are not as expected
for a good deployment.
Signed-off-by: Jouni Malinen <j@w1.fi>
Some distributions (e.g., Debian) have started introducting systemwide
OpenSSL policies to disable older protocol versions and ciphers
throughout all programs using OpenSSL. This can result in significant
number of interoperability issues with deployed EAP implementations.
Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server)
parameters to be used to request systemwide policies to be overridden if
older versions are needed to be able to interoperate with devices that
cannot be updated to support the newer protocol versions or keys. The
default behavior is not changed here, i.e., the systemwide policies will
be followed if no explicit override configuration is used. The overrides
should be used only if really needed since they can result in reduced
security.
In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network
profile parameter can be used to explicitly enable TLS versions that are
disabled in the systemwide configuration. For example,
phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS
v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces
TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter
can be used to override systemwide policy, e.g., with
openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1
in Debian to allow shorter keys to be used.
In hostapd, tls_flags parameter can be used to configure similar
options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]
Signed-off-by: Jouni Malinen <j@w1.fi>
The documentation in the hostapd.conf file says that the dynamic_vlan
variable is used to control whether VLAN assignments are accepted from a
RADIUS server. The implication seems to be that a static VLAN assignment
will come from the accept_mac_file if dynamic_vlan is set to 0, and a
dynamic assignment will come from the RADIUS server if dynamic_vlan is
set to 1. Instead, I'm seeing that the static settings from the
accept_mac_file are ignored if dynamic_vlan is set to 0, but used if
dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS
server does not provide a VLAN, then the accept_mac_file assignment is
overridden and the STA is assigned to the default non-VLANed interface.
If my understanding of the expected behavior is correct, then I believe
the problem is in ap_sta_set_vlan(). That routine checks the
dynamic_vlan setting, but has no way of determining whether the incoming
vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from
a RADIUS server).
I've attached a patch that gets hostapd working as I believe it's meant
to, and updates the documentation to make the implicit behavior
explicit.
The functional changes are:
- hostapd_allowed_address() will always extract the vlan_id from the
accept_macs file. It will not update the vlan_id from the RADIUS cache
if dynamic_vlan is DISABLED.
- hostapd_acl_recv_radius() will not update the cached vlan_id if
dynamic_vlan is DISABLED.
- ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan
is DISABLED.
More cosmetic:
Most of the delta is just moving code out of ieee802_1x_receive_auth()
into a new ieee802_1x_update_vlan() routine. While I initially did this
because the new DISABLED check introduced excessive indentation, it has
the added advantage of eliminating the vlan_description allocation and
os_memset() call for all DYNAMIC_VLAN_DISABLED configs.
I've done a couple rounds of review offline with Michael Braun (who has
done much of the work in this part of the code) and incorporated his
feedback.
If dynamic_vlan=0 (disabled), vlan assignments will be managed using the
local accept_mac_file ACL file, even if a RADIUS server is being used
for user authentication. This allows us to manage users and devices
independently.
Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:
"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."
An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.
It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).
Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
An AP might reject a STA association request due to low RSSI. In such
case, the AP informs the STA the desired RSSI improvement and a retry
timeout. The STA might retry to associate even if the RSSI hasn't
improved if the retry timeout expired.
Signed-off-by: Beni Lev <beni.lev@intel.com>
Add the ability to ignore time-based CRL errors from OpenSSL by
specifying a new configuration parameter, check_crl_strict=0.
This causes the following:
- This setting does nothing when CRL checking is not enabled.
- When CRL is enabled, "strict mode" will cause CRL time errors to not
be ignored and will continue behaving as it currently does.
- When CRL is enabled, disabling strict mode will cause CRL time
errors to be ignored and will allow connections.
By default, check_crl_strict is set to 1, or strict mode, to keep
current functionality.
Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc.
It should be noted that when using Suite B, different mechanism is used
to specify the allowed ECDH curves and this new parameter must not be
used in such cases.
Signed-off-by: Hristo Venev <hristo@venev.name>
This makes it easier to integrate dynamic VLANs in custom network
configurations. The bridge name is added after the interface name in the
vlan_file line, also separated by whitespace.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The back-end support for DPP self configuration was already present in
hostapd and wpa_supplicant. However, the command to invoke DPP self
configuration was not available in hostapd_cli and wpa_cli. Add the
command "dpp_configurator_sign" in them.
Signed-off-by: Prasad, Jagadeesh <Jagadeesh_Prasad@comcast.com>
Make this command more convenient to use by not requiring two space
characters between the command and the first parameter.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The purpose of Multi-AP specification is to enable inter-operability
across Wi-Fi access points (APs) from different vendors.
This patch introduces one new configuration parameter 'multi_ap' to
enable Multi-AP functionality and to configure the BSS as a backhaul
and/or fronthaul BSS.
Advertise vendor specific Multi-AP capabilities in (Re)Association
Response frame, if Multi-AP functionality is enabled through the
configuration parameter.
A backhaul AP must support receiving both 3addr and 4addr frames from a
backhaul STA, so create a VLAN for it just like is done for WDS, i.e.,
by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never
WEP), we can safely call hostapd_set_wds_encryption() as well and we can
reuse the entire WDS condition.
To parse the Multi-AP Extension subelement, we use get_ie(): even though
that function is meant for parsing IEs, it works for subelements.
Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This adds support for hostapd-as-RADIUS-authentication-server to request
subscription remediation for SIM-based credentials. The new hostapd.conf
parameter hs20_sim_provisioning_url is used to set the URL prefix for
the remediation server for SIM provisioning. The random
hotspot2dot0-mobile-identifier-hash value will be added to the end of
this URL prefix and the same value is stored in a new SQLite database
table sim_provisioning for the subscription server implementation to
use.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd configuration parameter hs20_release can be used to
configure the AP to advertise a specific Hotspot 2.0 release number
instead of the latest supported release. This is mainly for testing
purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Also add the ChangeLog entries for both hostapd and wpa_supplicant to
describe main changes between v2.6 and v2.7.
Signed-off-by: Jouni Malinen <j@w1.fi>
libnl 3.2 release is much more likely to be used nowadays than the
versions using the older API, so uncomment this in wpa_supplicant and
hostapd defconfig.
Signed-off-by: Jouni Malinen <j@w1.fi>
The option to get DPP configurator key in hostapd_cli was named
incorrectly. It was wrongly pointing to dpp_configurator_remove. Fix
this by using the correct name.
Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
Earlier, the OCE flags were checked during hostapd initialization. This
doesn't address few cases like for example when the interface is added
from control interface. Move the OCE flag checks to the functions that
are forming the MBO/OCE IEs to cover all the different paths for
enabling a BSS. Also use macros as appropriate for readability.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add support for negotiating WNM Collocated Interference Reporting. This
allows hostapd to request associated STAs to report their collocated
interference information and wpa_supplicant to process such request and
reporting. The actual values (Collocated Interference Report Elements)
are out of scope of hostapd and wpa_supplicant, i.e., external
components are expected to generated and process these.
For hostapd/AP, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration. STAs are requested to perform
reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report
Timeout>" control interface command. The received reports are indicated
as control interface events "COLOC-INTF-REPORT <addr> <dialog token>
<hexdump of report elements>".
For wpa_supplicant/STA, this mechanism is enabled by setting
coloc_intf_reporting=1 in configuration and setting Collocated
Interference Report Elements as a hexdump with "SET coloc_intf_elems
<hexdump>" control interface command. The hexdump can contain one or
more Collocated Interference Report Elements (each including the
information element header). For additional testing purposes, received
requests are reported with "COLOC-INTF-REQ <dialog token> <automatic
report enabled> <report timeout>" control interface events and
unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".
This commit adds support for reporting changes in the collocated
interference (Automatic Report Enabled == 1 and partial 3), but not for
periodic reports (2 and other part of 3).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be
advertised in addition to the previously used OSU Providers list
ANQP-element. The new osu_nai2 configurator parameter option is used to
specify the OSU_NAI value for the shared BSS (Single SSID) case while
osu_nai remains to be used for the separate OSU BSS.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Call to parse_sae_password was incorrectly depending
on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should
depend only on the latter.
Fixes: 2377c1caef ("SAE: Allow SAE password to be configured separately (AP)")
Signed-off-by: Hai Shalom <haishalom@google.com>
'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both
to be present. Based on the offset + or -, secondary_channel is updated
but HT20/VHT20 mode can be brought up only from config file and can't be
done using the SET command when the current HT mode is HT40+ or HT40-.
When managing AP+STA mode from userspace doing hostapd_cli: "disable ->
set channel, ht_capab -> enable" sequence, channel switch from
HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab
limitation.
Cover this additional case by resetting secondary_channel to 0 for
HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
Clarify that wpa=2 (i.e., RSN) is used for WPA3 and list previously
undocumented wpa_key_mgmt values.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new DAC_REQUEST control interface command can now be used to request
hostapd to send out Disconnect-Request and CoA-Request packets for an
existing session.
DAC_REQUEST <disconnect|coa> <MAC Address> [t_c_clear]
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows hostapd DAS to be configured to allow any DAC (with the
matching shared secret) to send Disconnect-Request and CoA-Request
packets.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This can be used to track active sessions, e.g., for the purpose of
issuing RADIUS DAS commands (Disconnect-Request or CoA-Request).
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it more convenient to generate the URL in a way that
interoperates between different vendors. The AP is simply copying the
already constructed URL as-is from Access-Accept to WNM-Notification.
This means that the HO AAA can generate the URL in a manner that works
for the associated T&C Server without having to coordinate with each AP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows a single BSS/SSID to be used for both data connection and
OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more
likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
These changes add support for salted password databases to EAP-pwd per
RFC 8146. This commits introduces the framework for enabling this and
the salting mechanisms based on SHA-1, SHA256, and SHA512 hash
algorithms.
Signed-off-by: Dan Harkins <dharkins@lounge.org>
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, hostapd CHAN_SWITCH command did not effect VHT configuration
for the following:
When VHT is currently disabled (ieee80211ac=0),
1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 \
sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
====> Comes up in HT40
2. hostapd_cli -p /var/run/hostapd chan_switch 10 5765 \
sec_channel_offset=-1 center_freq1=5775 bandwidth=40 vht
====> Comes up in HT40
3. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 \
bandwidth=20 vht
====> Comes up in HT20
When VHT is currently enabled (ieee80211ac=1),
1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 \
sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
====> Comes up in VHT40
2. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 \
bandwidth=20 ht
====> Comes up in VHT20
This is since VHT config from chan_switch is processed only for
bandwidths 80 and above (80P80, 160) and for VHT20, VHT40 cases, only
NLA chan type and chan width are updated.
There is no NL attribute for determining if it is HT or VHT for
bandwidths 20 & 40 and currently they are updated as HT20, HT40 (+ or -
depending on offset). Same is notified back via
NL80211_CMD_CH_SWITCH_NOTIFY.
Instead of adding new NL attribute for tracking HT/VHT enabled config,
we are adding new hostapd VHT config parameter to save the chan_switch
config and use only for chan_switch case of VHT20 and VHT40.
Tested with all combinations of chan_switch (noHT->20->40->80->) HT/VHT
and confirmed to be working.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
The current EAP peer implementation is not yet ready for the TLS v1.3
changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for
this EAP method for now.
While the current EAP-TLS implementation is more or less complete for
TLS v1.3, there has been no interoperability testing with other
implementations, so disable for by default for now until there has been
chance to confirm that no significant interoperability issues show up
with TLS version update. tls_flags=[ENABLE-TLSv1.3] configuration
parameter can be used to enable TLS v1.3 (assuming the TLS library
supports it; e.g., when using OpenSSL 1.1.1).
Signed-off-by: Jouni Malinen <j@w1.fi>
This may be needed to avoid interoperability issues with the new
protocol version and significant changes for EAP use cases in both key
derivation and handshake termination.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new SQLite table pending_tc is used to maintain a list of sessions
that need to accept Terms and Conditions. This information can be used
on an external Terms and Conditions server to map the incoming MAC
address information into user identity.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow hostapd RADIUS authentication server with SQLite EAP user DB to be
used for testing Terms and Conditions functionality. This could be used
for the HO AAA part of functionality (merging HO AAA and SP AAA into a
single component to avoid separate RADIUS proxy in testing setup).
A T&C server with HTTPS processing is needed to allow this to be used
for full over-the-air testing. This commit adds sufficient functionality
to allow hwsim test cases to cover the RADIUS server part.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.
This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd Hotspot 2.0 implementation to allow operator icons
to be made available. The existing hs20_icon parameter is used to define
the icons and the new operator_icon parameter (zero or more entries) is
used to specify which of the available icons are operator icons. The
operator icons are advertised in the Operator Icon Metadata ANQP-element
while the icon data can be fetched using the same mechanism (icon
request/binary file) that was added for the OSU Providers icons.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Even with
CONFIG_TLS=gnutls
CONFIG_CRYPTO=gnutls
in .config, nt_password_hash was linked with libcrypto instead of
libgcrypt, which caused linkage failure.
Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the
PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which
the key was derived. This is currently stored in r0_key_lifetime, but
cache entries are not actually removed.
This commit uses the r0_key_lifetime configuration parameter when
wpa_auth_derive_ptk_ft() is called. This may need to be extended to use
the MSK lifetime, if provided by an external authentication server, with
some future changes. For PSK, there is no such lifetime, but it also
matters less as FT-PSK can be achieved without inter-AP communication.
The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies
that the given timeout for sanity, it may not exceed the locally configured
r1_max_key_lifetime.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Add a new configuration option ft_r0_key_lifetime that deprecates
r0_key_lifetime. Though, the old configuration is still accepted for
backwards compatibility.
This simplifies testing. All other items are in seconds as well. In
addition, this makes dot11FTR0KeyLifetime comment match with what got
standardized in the end in IEEE Std 802.11r-2008.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The new venue_url parameter can now be used to set the Venue URL ANQP
information instead of having to construct the data and use
anqp_elem=277:<hexdump> to set the raw value.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
