Commit graph

261 commits

Author SHA1 Message Date
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
2377c1caef SAE: Allow SAE password to be configured separately (AP)
The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-11 23:10:19 +03:00
Jouni Malinen
91cc34bf32 OWE: Allow set of enabled DH groups to be limited on AP
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-10 21:03:57 +03:00
Jouni Malinen
a891388184 OWE: Transition mode information based on BSS ifname
The owe_transition_bssid and owe_transition_ssid parameters can now be
replace with owe_transition_ifname to clone the BSSID/SSID information
automatically in case the same hostapd process manages both the OWE and
open BSS for transition mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-09 13:39:23 +03:00
Jouni Malinen
ea079153f4 OWE: Add AP support for transition mode
The new owe_transition_bssid and owe_transition_ssid parameters can be
used to configure hostapd to advertise the OWE Transition Mode element.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00
Ashwini Patil
65833d71a5 OCE: Add hostapd mode OCE capability indication if enabled
Add OCE IE in Beacon, Probe Response, and (Re)Association Response
frames if OCE is enabled in the configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-14 21:27:00 +03:00
Jouni Malinen
90f837b0bf Update default wpa_group_rekey to once-per-day when using CCMP/GCMP
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-07-03 13:42:55 +03:00
Sunil Dutt
2d18ab4082 Add a config parameter to exclude DFS channels from ACS
The new acs_exclude_dfs=1 parameter can be used to request hostapd to
exclude all DFS channels from ACS consideration. This is mainly of use
for cases where the driver supports DFS channels, but for some reason a
non-DFS channel is desired when using automatic channel selection.
Previously, the chanlist parameter could have been used for this, but
that required listing all the acceptable channels. The new parameter
allows this to be done without such a list.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-05-27 11:50:21 +03:00
Michael Braun
3a46cf93d0 FT: Add support for wildcard R0KH/R1KH
Enable use of FT RRB without configuring each other AP locally. Instead,
broadcast messages are exchanged to discover APs within the local
network.

When an R0KH or R1KH is discovered, it is cached for one day.

When a station uses an invalid or offline r0kh_id, requests are always
broadcast. In order to avoid this, if r0kh does not reply, a temporary
blacklist entry is added to r0kh_list.

To avoid blocking a valid r0kh when a non-existing pmk_r0_name is
requested, r0kh is required to always reply using a NAK. Resend requests
a few times to ensure blacklisting does not happen due to small packet
loss.

To free newly created stations later, the r*kh_list start pointer in
conf needs to be updateable from wpa_auth_ft.c, where only wconf is
accessed.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 22:16:14 +03:00
Michael Braun
245fc96e5f FT: New RRB message format
Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher
to protect the messages.

This needs at least 32 byte long keys. These can be provided either
by a config file change or letting a KDF derive the 32 byte key used
from the 16 byte key given.

This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 21:55:29 +03:00
Jouni Malinen
1764559eef FILS: Add FILS SK auth PFS support in AP mode
This adds an option to configure hostapd to enable use of perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime configuration parameter fils_dh_group is used to enable this
by specifying which DH group to use. For example, fils_dh_group=19 would
allow FILS SK PFS to be used with a 256-bit random ECP group.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-03-12 23:20:32 +02:00
Jouni Malinen
941caed980 MBO: Add MBO ANQP-element processing on AP
This extends the GAS server to process MBO ANQP-elements and reply to a
query for the Cellular Data Connection Preference (if configured). The
new configuration parameter mbo_cell_data_conn_pref can be used to set
the value (0, 1, or 255) for the preference to indicate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-10 18:33:51 +02:00
Jouni Malinen
ff936bc753 Make the third octet of Country String configurable
The new hostapd.conf parameter country3 can now be used to configure the
third octet of the Country String that was previously hardcoded to ' '
(= 0x20).

For example:

All environments of the current frequency band and country (default)
country3=0x20

Outdoor environment only
country3=0x4f

Indoor environment only
country3=0x49

Noncountry entity (country_code=XX)
country3=0x58

IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
Annex E, Table E-4 (Global operating classes)
country3=0x04

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 10:58:15 +02:00
Jouni Malinen
57a2aacabf Add option to disable broadcast deauth in hostapd on AP start/stop
The new broadcast_deauth parameter can be used to disable sending of the
Deauthentication frame whenever AP is started or stopped. The default
behavior remains identical to the past behavior (broadcast_deauth=1).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Peng Xu
94380cb40a hostapd: Initial IEEE 802.11ax (HE) definitions
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:52 +02:00
Günther Kelleter
4bb9b674c8 Add a log message when GTK rekeying failed
It can happen if the station is unreachable or sleeping longer than
the actual total GTK rekey timeout. To fix the latter case
wpa_group_update_count may be increased.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Günther Kelleter
41f140d386 Add hostapd options wpa_group_update_count and wpa_pairwise_update_count
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).

Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Jouni Malinen
91d91abf6f FILS: DHCP relay for HLP requests
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.

The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-01 18:17:39 +02:00
Jouni Malinen
73a27a6345 Add hostapd configuration parameter rrm_beacon_report
rrm_beacon_report=1 can now be used to make hostapd advertise capability
for beacon reports (passive, active, table). Actual mechanism for
sending out beacon requests will be added in separate commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:58 +02:00
Jouni Malinen
d8de904872 Remove deprecated tx_queue_* params from hostapd.conf notes
The after_beacon and beacon TX queue parameters has not been
configurable through this mechanism for years, so do not list them in
hostapd.conf notes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-28 14:47:00 +02:00
Jouni Malinen
26bf70e3d2 FILS: Separate FILS realm configuration from ERP domain
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:08:23 +02:00
Michael Braun
34f7c699a6 Add multicast to unicast support
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.

By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.

When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.

This also does not implement Directed Multicast Service (DMS).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-12-04 21:00:06 +02:00
Purushottam Kushwaha
29483a5678 Add support for user configurable Beacon frame data rate for AP mode
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:

Legacy (CCK/OFDM rates):
	beacon_rate=<legacy rate in 100 kbps>
HT:
	beacon_rate=ht:<HT MCS>
VHT:
	beacon_rate=vht:<VHT MCS>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-11-25 23:12:30 +02:00
David Spinadel
451a27b1ad hostapd: Add a configuration to set an AP as stationary
Add a configuration option in hostapd.conf and in neighbor report that
sets an AP as stationary. To enable this option on the current AP set
the config option stationary_ap to 1. To set a neighbor entry to be
marked as stationary add the word stat to the SET_NEIGHBOR command. This
option tells hostapd to send LCI data even if it is older than requested
by max age subelement in RRM request.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-10-29 19:16:47 +03:00
Jouni Malinen
903ecbe8da FILS: Add hostapd configuration options
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-10-10 21:11:27 +03:00
Michael Braun
96590564d6 FT: Allow PMK-R0 and PMK-R1 for FT-PSK to be generated locally
Station should be able to connect initially without ft_pmk_cache filled,
so the target AP has the PSK available and thus the same information as
the origin AP. Therefore neither caching nor communication between the
APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target
AP derives the required PMKs locally.

This patch introduces the generation of the required PMKs locally for
FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK.

So for FT-PSK networks, no configuration of inter-AP communication is
needed anymore when using ft_psk_generate_local=1 configuration. The
default behavior (ft_psk_generate_local=0) remains to use the pull/push
protocol.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-10-09 11:57:56 +03:00
Lior David
faecb39236 hostapd: Allow FTM functionality to be published
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside hostapd. When framework is
activated, it will use hostapd to configure the AP to publish the FTM
functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
2016-09-05 21:23:07 +03:00
Tamizh chelvam
fc72a48a63 hostapd: Use stations nsts capability in (Re)Association Response frame
Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.

This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by
default.

Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
2016-09-05 21:14:40 +03:00
Nick Lowe
42d30e9ea0 Add a require_message_authenticator configuration option
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
2016-08-08 00:36:17 +03:00
Tim Kourt
31d3692fe5 hostapd: Add comment about '-i' parameter in hostapd.conf
Signed-off-by: Tim Kourt <tim.a.kourt@linux.intel.com>
2016-06-13 01:16:20 +03:00
Jouni Malinen
8359472589 hostapd Make GAS Address3 field selection behavior configurable
gas_address3=1 can now be used to force hostapd to use the IEEE 802.11
standards compliant Address 3 field value (Wildcard BSSID when not
associated) even if the GAS request uses non-compliant address (AP
BSSID).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-06-10 22:13:37 +03:00
Bala Krishna Bhamidipati
a911227061 Add assocresp_elements parameter for hostapd
This new parameter allows hostapd to add Vendor Specific elements into
(Re)Association Response frames similarly to the way vendor_elements
parameter can be used for Beacon and Probe Response frames.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-04-20 13:12:50 +03:00
David Spinadel
010182120d hostapd: Extend the configuration of RRM capabilities
Extend the radio_measurements parameter to save all the supported
RRM capabilities as it's used in RM enabled capabilities element.

Make this parameter not directly configurable via config file (though,
keep the radio_measurements parameter for some time for backwards
compatibility). Instead, add a configuration option to enable neighbor
report via radio measurements. Other features can be added later as
well.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-16 21:05:39 +03:00
David Spinadel
74e982d8d7 hostapd: Set LCI and Location Civic information in configuration
Enable configuration of LCI and location civic information in
hostapd.conf.

Signed-off-by: David Spinadel <david.spinadel@intel.com>
2016-04-09 11:18:55 +03:00
Eliad Peller
6448e06415 hostapd: Allow use of driver-generated interface addresses
Add a new 'use_driver_iface_addr' configuration parameter to allow use
of the default interface address generated by the driver on interface
creation. This can be useful when specific MAC addresses were allocated
to the device and we want to use them for multi-BSS operation.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2016-03-06 20:00:40 +02:00
Jouni Malinen
251953bcb6 Document nas_identifier requirements for RADIUS accounting
nas_identifier needs to be set to a unique value for RADIUS accounting
to work properly. This needs to be unique for each BSS.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-02-28 21:19:14 +02:00
Michael Braun
d48d1b88d0 FT: Use BSSID as r1_key_holder if no value is configured
r1_key_holder is an identifier that was always set to zero if unless
configured before.

See 11.6.1.7.4 of IEEE Std 802.11-2012 which reads
 "R1KH-ID is a MAC address of the holder of the PMK-R1 in the
  Authenticator of the AP"
See 12.2.2 of IEEE Std 802.11-2012 which reads
 "Each R0KH-ID and R1KH-ID is assumed to be expressed as a unique
  identifier within the mobility domain."
 "The R1KH-ID shall be set to a MAC address of the physical entity
  that stores the PMK-R1 ..."

Defaulting this to BSSID is a more reasonable value since we have not
rejected the missing r1_key_holder as invalid configuration.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-28 17:56:42 +02:00
Michael Braun
8be640b780 VLAN: Add per-STA vif option
This allows the stations to be assigned to their own vif. It does not
need dynamic_vlan to be set. Make hostapd call ap_sta_set_vlan even if
!vlan_desc.notempty, so vlan_id can be assigned regardless.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-02-17 11:46:13 +02:00
Jouni Malinen
2da4a56f22 Add more hostapd.conf documentation for hw_mode with HT/VHT
Try to make it more obvious that hw_mode=a needs to be used with HT and
VHT when using the 5 GHz band.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-01-06 12:50:56 +02:00
Jouni Malinen
5addb0df59 Server configuration for OCSP stapling with ocsp_multi (RFC 6961)
This adds a new hostapd configuration parameter
ocsp_stapling_response_multi that can be used similarly to the existing
ocsp_stapling_response, but for the purpose of providing multiple cached
OCSP responses. This commit adds only the configuration parameter, but
does not yet add support for this mechanism with any of the supported
TLS implementations.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-12-22 19:42:07 +02:00
Frederic Leroy
7b0f5500b0 eap_sim_db: Implement eap_sim_db_expire_pending()
Expire pending DB request for EAP-SIM/AKA/AKA'. Timeout defaults to 1
second and is user configurable in hostapd.conf (eap_sim_db_timeout).

Signed-off-by: Frederic Leroy <frederic.leroy@b-com.com>
2015-10-31 16:28:16 +02:00
Matthias May
95be79f1f8 Allow -1 as value to disable frag_threshold
To be consistent with the internal representation of how to disable
framentation, allow -1 as a value to disable it in configuration.

Signed-off-by: Matthias May <matthias.may@neratec.com>
2015-10-28 20:53:15 +02:00
Matthias May
bc50bb0ada Extend the range of values for the RTS threshold
Since we have HT rates the maximum framesize is no longer 2346. The
usual maximum size of an A-MPDU is 65535. To disable RTS, the value -1
is already internally used. Allow it in the configuration parameter.

Signed-off-by: Matthias May <matthias.may@neratec.com>
2015-10-28 20:53:15 +02:00
Jouni Malinen
9b7a1bd7ed Option to reduce Probe Response frame responses during max STA
The new hostapd configuration parameter no_probe_resp_if_max_sta=1 can
be used to request hostapd not to reply to broadcast Probe Request
frames from unassociated STA if there is no room for additional stations
(max_num_sta). This can be used to discourage a STA from trying to
associate with this AP if the association would be rejected due to
maximum STA limit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-10-17 19:30:49 +03:00
Jouni Malinen
695dbbea88 Interworking: Add support for configuring arbitrary ANQP-elements
The new hostapd configuration parameter anqp_elem can now be used to
configure arbitrary ANQP-elements for the GAS/ANQP server. In addition
to supporting new elements, this can be used to override previously
supported elements if some special values are needed (mainly for testing
purposes).

The parameter uses following format:
anqp_elem=<InfoID>:<hexdump of payload>

For example, AP Geospatial Location ANQP-element with unknown location:
anqp_elem=265:0000
and AP Civic Location ANQP-element with unknown location:
anqp_elem=266:000000

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-10-07 17:07:21 +03:00
Maneesh Jain
234a17cc13 Fix couple of typos in hostapd.conf file
Signed-off-by: Maneesh Jain <maneesh.jain@samsung.com>
2015-10-06 23:10:17 +03:00
Johannes Berg
2b6e121676 hostapd: Add testing option to use only ECSA
Some APs don't include a CSA IE when an ECSA IE is generated,
and mac80211 used to fail following their channel switch. Add
a testing option to hostapd to allow reproducing the behavior.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2015-10-03 21:37:17 +03:00
Jouni Malinen
0e2412d086 Add option to reject authentication on 2.4 GHz from dualband STA
The new no_auth_if_seen_on=<ifname> parameter can now be used to
configure hostapd to reject authentication from a station that was seen
on another radio.

This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to reject
authentication attempts from a station that has been detected to be
capable of operating on another band, e.g., to try to reduce likelihood
of the station selecting a 2.4 GHz BSS when the AP operates both a 2.4
GHz and 5 GHz BSS concurrently.

Note: Enabling this can cause connectivity issues and increase latency for
connecting with the AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 19:11:02 +03:00
Jouni Malinen
964f64e2ee Add option to ignore Probe Request frames on 2.4 GHz from dualband STA
The new no_probe_resp_if_seen_on=<ifname> parameter can now be used to
configure hostapd to not reply to group-addressed Probe Request from a
station that was seen on another radio.

This can be used with enabled track_sta_max_num configuration on another
interface controlled by the same hostapd process to restrict Probe
Request frame handling from replying to group-addressed Probe Request
frames from a station that has been detected to be capable of operating
on another band, e.g., to try to reduce likelihood of the station
selecting a 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz
BSS concurrently.

Note: Enabling this can cause connectivity issues and increase latency
for discovering the AP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 17:53:15 +03:00
Jouni Malinen
a65a9b8d67 hostapd: Add mechanism to track unconnected stations
hostapd can now be configured to track unconnected stations based on
Probe Request frames seen from them. This can be used, e.g., to detect
dualband capable station before they have associated. Such information
could then be used to provide guidance on which colocated BSS to use in
case of a dualband AP that operates concurrently on multiple bands under
the control of a single hostapd process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-09-05 17:11:11 +03:00
Jouni Malinen
681e199dfb EAP server: Add tls_session_lifetime configuration
This new hostapd configuration parameter can be used to enable TLS
session resumption. This commit adds the configuration parameter through
the configuration system and RADIUS/EAPOL/EAP server components. The
actual changes to enable session caching will be addressed in followup
commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-08-24 02:29:30 +03:00
Vivek Natarajan
442ffc51ac hostapd: Extend the sounding and BF steering capabilities
Depending on the number of antennas, the txbf sounding
and steering capabilites need to be extended.

Signed-off-by: Vivek Natarajan <nataraja@qti.qualcomm.com>
2015-07-17 23:58:15 +03:00
Jouni Malinen
898a9790ad Document hostapd ft_over_ds configuration parameter
This had been forgotten from hostapd.conf.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-17 11:16:15 +03:00
Anton Nayshtut
104bef453b FST: hostapd configuration parameters
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-07-16 18:26:15 +03:00
Jouni Malinen
6c7314917b AP: Increase maximum value accepted for cwmin/cwmax
The cwmin/cwmax parameters were limited more than is needed. Allow the
full range (0..15 for wmm_ac_??_{cwmin,cwmax} and 1..32767 for
tx_queue_data?_{cwmin,cwmax}) to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-06-27 23:34:49 +03:00
Jouni Malinen
ee120ff381 Remove [MU-BEAMFORMEE] option from hostapd vht_capab parameter
The standard hardcodes the MU Beamformee Capable subfield is hardcoded
to 0 when transmitting by an AP, so there is no need to provide a
configuration parameter for setting this to one.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-06-10 13:41:54 +03:00
Peng Xu
3784c0589e Extend hw_mode to support any band for offloaded ACS case
When device supports dual band operations with offloaded ACS, hw_mode
can now be set to any band (hw_mode=any) in order to allow ACS to select
the best channel from any band. After a channel is selected, the hw_mode
is updated for hostapd.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-05-27 12:17:57 +03:00
Jouni Malinen
7f2f3a67d2 Increase DH key size in the hostapd.conf example
OpenSSL is moving to use 2048-bit DH key size as the default with
dhparam. Increase the value in the hostapd.conf to match that to reduce
likelihood of ending up using a shorter key.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-05-24 10:47:21 +03:00
Hamad Kadmany
01a025937c WPS: Add support for 60 GHz band
Handling of WPS RF band for 60 GHz was missing. Add it in all relevant
places and also map "AES" as the cipher to GCMP instead of CCMP when
operating on the 60 GHz band.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
2015-04-28 00:22:16 +03:00
Jouni Malinen
4a7ce98469 Make IPv6 NA multicast-to-unicast conversion configurable
This can be used with Proxy ARP to allow multicast NAs to be forwarded
to associated STAs using link layer unicast delivery. This used to be
hardcoded to be enabled, but it is now disabled by default and can be
enabled with na_mcast_to_ucast=1. This functionality may not be desired
in all networks and most cases work without it, so the new
default-to-disabled is more appropriate.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-04-27 12:30:09 +03:00
Manikandan Mohan
857d94225a Extend offloaded ACS QCA vendor command to support VHT
Update ACS driver offload feature for VHT configuration. In addition,
this allows the chanlist parameter to be used to specify which channels
are included as options for the offloaded ACS case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-23 12:18:05 +02:00
Jouni Malinen
9836cb5387 Add option to force a specific RADIUS client address to be used
The new hostapd.conf parameter radius_client_addr can now be used to
select a specific local IP address to be used as the RADIUS client
address.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Jouni Malinen
68fa00c341 ACS: Allow specific channels to be preferred
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 17:59:57 +02:00
Jouni Malinen
d2ca6baa56 Fix hostapd obss_interval documentation
This parameter has been available for more than just testing purposes,
i.e., OBSS scanning has already been used to enable 20-to-40 MHz channel
changes on 2.4 GHz.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 12:32:37 +02:00
Adrien Decostre
1648cc6427 ACS: Allow subset of channels to be configured
Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.

Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
2015-01-19 02:35:43 +02:00
Jouni Malinen
d3bddd8b84 ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.

The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:27 +02:00
Jouni Malinen
2a5156a66c ERP: Add optional EAP-Initiate/Re-auth-Start transmission
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:08:56 +02:00
Jouni Malinen
0ecff8d7c3 Add hostapd driver_params config parameter
This is mainly for development testing purposes to allow driver_nl80211
behavior to be modified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:24:42 +02:00
Jouni Malinen
ebd557288c Remove forgotten driver_test.c variables
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 12:49:55 +02:00
Jouni Malinen
01b32d5e36 Remove references to madwifi from various files
Number of documentation and configuration files had references to the
madwifi driver interface that was removed in the previous commit. Remove
these references as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-01 16:15:53 +02:00
Kyeyoon Park
7d597d4617 AP: Add support for Proxy ARP, DHCP snooping mechanism
Proxy ARP allows the AP devices to keep track of the hardware address to
IP address mapping of the STA devices within the BSS. When a request for
such information is made (i.e., ARP request, Neighbor Solicitation), the
AP will respond on behalf of the STA device within the BSS. Such
requests could originate from a device within the BSS or also from the
bridge. In the process of the AP replying to the request (i.e., ARP
reply, Neighbor Advertisement), the AP will drop the original request
frame. The relevant STA will not even know that such information was
ever requested.

This feature is a requirement for Hotspot 2.0, and is defined in IEEE
Std 802.11-2012, 10.23.13. While the Proxy ARP support code mainly
resides in the kernel bridge code, in order to optimize the performance
and simplify kernel implementation, the DHCP snooping code was added to
the hostapd.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Kyeyoon Park
ec8f36afca AP: Add support for BSS load element (STA Count, Channel Utilization)
The new "bss_load_update_period" parameter can be used to configure
hostapd to advertise its BSS Load element in Beacon and Probe Response
frames. This parameter is in the units of BUs (Beacon Units).

When enabled, the STA Count and the Channel Utilization value will be
updated periodically in the BSS Load element. The AAC is set to 0 sinze
explicit admission control is not supported. Channel Utilization is
calculated based on the channel survey information from the driver and
as such, requires a driver that supports providing that information for
the current operating channel.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-21 23:25:48 +03:00
Jouni Malinen
f8995f8f1c hostapd: Allow OpenSSL cipherlist string to be configured
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled when hostapd is used as an EAP
server with OpenSSL as the TLS library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-10-12 11:52:05 +03:00
Jouni Malinen
1dde5b5cdd Remove PSMP option from ht_capab
This was used to fill in the "PSMP support" subfield that was defined
during P802.11n development. However, this subfield was marked reserved
in the published IEEE Std 802.11n-2009 and it is not supported by
current drivers that use hostapd for SME either. As such, there is not
much point in maintaining this field as ht_capab parameter within
hostapd either.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-04-07 22:02:14 +03:00
Jouni Malinen
978c673052 Add a note on using 'iw list' to determine multi-BSS support
This adds a pointer to hostapd.conf to using 'iw list' with the current
nl80211 drivers to determine supported interface combinations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-25 23:58:22 +02:00
Jouni Malinen
b7a8d67f5b Allow hostapd to advertise 40 MHz intolerant HT capability
ht_capab=[40-INTOLERANT] can now be used to advertise that the BSS is 40
MHz intolerant to prevent other 20/40 MHz co-ex compliant APs from using
40 MHz channel bandwidth.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-23 23:50:37 +02:00
Jouni Malinen
8b6b6d8238 Fix hostapd.conf description of HT40+
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-21 20:04:01 +02:00
Jouni Malinen
8dd9f9cdde Allow management group cipher to be configured
This allows hostapd to set a different management group cipher than the
previously hardcoded default BIP (AES-128-CMAC). The new configuration
file parameter group_mgmt_cipher can be set to BIP-GMAC-128,
BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in
IEEE Std 802.11ac-2013.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:45 +02:00
Ben Greear
cfc393a645 hostapd: Document interworking realm EAP Method types
Add link to the EAP type definitions document.

Signed-hostap: Ben Greear <greearb@candelatech.com>
2014-03-11 19:27:55 +02:00
Simon Wunderlich
70ee1be248 hostapd: Add config option chanlist for DFS channels
Different channels allow different transmission power, at least in ETSI
countries. Also, ETSI requires a "channel plan" for DFS operation, and
channels should be randomly choosen from these channels.

Add a channel list configuration option for users to add channels
hostapd may pick from.

Signed-hostap: Simon Wunderlich <sw@simonwunderlich.de>
2014-03-11 18:59:40 +02:00
Jouni Malinen
ae6d15c722 HS 2.0R2 AP: Add OSU Providers list ANQP element
hostapd can now be configured to advertise OSU Providers with the
new osu_* confgiuration parameters.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
f7bd7a01a8 HS 2.0R2 AP: Add Icon Request and Icon binary File ANQP elements
hostapd can now be configured to provide access for icon files
(hs20_icon config file parameter) for OSU. The hs20_icon data contains
additional meta data about the icon that is not yet used, but it will be
needed for the OSU Providers list ANQP element.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:25 +02:00
Jouni Malinen
8e1146d9da HS 2.0R2 AP: Add support for deauthentication request
If the RADIUS server includes deauthentication request in Access-Accept,
send a WNM-Notification frame to the station after 4-way handshake and
disconnect the station after configurable timeout.

A new control interface command, WNM_DEAUTH_REQ, is added for testing
purposes to allow the notification frame to sent based on local request.
This case does not disconnect the station automatically, i.e., a
separate control interface command would be needed for that.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
a14896e8bb HS 2.0R2 AP: Add OSEN implementation
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Jouni Malinen
d5d24784e6 HS 2.0R2 AP: Update HS 2.0 Indication element to Release 2
The HS 2.0 Indication element from hostapd now includes the release
number field and the new ANQP Domain ID field. This ID can be configured
with anqp_domain_id parameter in hostapd.conf.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2014-02-26 01:24:24 +02:00
Chaitanya T K
3d7ad2f681 hostapd: Configure spectrum management capability
Add configuration of Spectrum Management subfield in the Capability
Information of Beacon, Probe Response, and Association Response frames.
Spectrum Management bit is set when directly requested by new
configuration option spectrum_mgmt_required=1 or when AP is running on
DFS channels. In the future, also TPC shall require this bit to be set.

Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-02-25 00:54:59 +02:00
Srinivasan B
e0392f825d hostapd: Add Power Constraint element
Add Power Constraint information element to Beacon and Probe Response
frames when hostapd is configured on 5 GHz band and Country information
element is also added. According to IEEE Std 802.11-2012 a STA shall
determine a local maximum transmit power for the current channel based
on information derived from Country and Power Constraint elements.

In order to add Power Constraint element ieee80211d option need to be
enabled and new local_pwr_constraint config option need to be set to
unsigned value in units of decibels. For now this value is statically
configured but the future goal is to implement dynamic TPC algorithm
to control local power constraint.

Signed-hostap: Srinivasan <srinivasanb@posedge.com>
Signed-hostap: Chaitanya T K <chaitanyatk@posedge.com>
Signed-hostap: Marek Puzyniak <marek.puzyniak@tieto.com>
2014-02-24 23:51:23 +02:00
Jouni Malinen
a1dd890a85 RADIUS: Add minimal accounting server support
This can be used to test RADIUS Accounting in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-15 16:26:48 +02:00
Jouni Malinen
a1a31b6c3f Remove hostapd dump_file functionality
This debugging mechanism has now been deprecated by the control
interface commands that can be used to fetch same internal information
from hostapd in a more convenient way. Leave the empty USR1 signal
handler and configuration file parameter for backwards compatibility.
They can be removed in future versions of hostapd.

Signed-hostap: Jouni Malinen <j@w1.fi>
2014-01-02 18:15:07 +02:00
Paul Stewart
c101bb9d23 hostapd: Add option to send OBSS scan params
Add a parameter to send the overlapping BSS scan parameter
information element. This will require clients to perform
background scans to check for neigbors overlapping this
HT40 BSS. Since the implementation is incomplete it should
only be used for testing.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2013-11-07 14:05:41 +02:00
Jouni Malinen
9bc33868bf Add test option for specifying hardcoded BSS Load element
The new bss_load_test parameter can be used to configure hostapd to
advertise a fixed BSS Load element in Beacon and Probe Response frames
for testing purposes. This functionality is disabled in the build by
default and can be enabled with CONFIG_TESTING_OPTIONS=y.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 14:13:45 +03:00
Kyeyoon Park
c551700f1f Interworking: Add support for QoS Mapping functionality for the AP
This allows QoS Map Set element to be added to (Re)Association Response
frames and in QoS Map Configure frame. The QoS Mapping parameters are
also made available for the driver interface.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-10-18 14:13:45 +03:00
Kyeyoon Park
f224cf05ab HS 2.0: Allow printf format parsing with language:name strings
This allows Hotspot 2.0 and Interworking strings that use language:name
string (e.g., venue_name) to be encoded using printf format to enter
special characters like newline.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-09-25 14:43:40 +03:00
Michal Kazior
50f4f2a066 hostapd: Add Automatic Channel Selection (ACS) support
This adds ACS support to hostapd. Currently only survey-based
algorithm is available.

To use ACS you need to enable CONFIG_ACS=y in .config and use
channel=0 (or channel=acs_survey) in hostapd.conf.

For more details see wiki page [1] or comments in src/ap/acs.c.

[1]: http://wireless.kernel.org/en/users/Documentation/acs

Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
2013-08-31 11:51:06 +03:00
Sujith Manoharan
3f9a8137f5 hostapd: Add a config option to control beaconing
In a AP/STA concurrent setup, if the STA interface is continually
scanning, trying to connect to a network, the AP interface
is basically broken since beaconing would be erratic.

This option can be used in a WDS setup where one AP acts as a
Client/AP-Repeater. The Repeater AP interface has to start beaconing
only after the Client interface has established a WDS link with the
"Root AP".

Signed-hostap: Sujith Manoharan <c_manoha@qca.qualcomm.com>
2013-07-20 17:20:43 +03:00
Jouni Malinen
67fe933d40 Add server identity configuration for EAP server
The new server_id parameter in hostapd.conf can now be used to specify
which identity is delivered to the EAP peer with EAP methods that
support authenticated server identity.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-07-07 20:30:10 +03:00
Jouni Malinen
080585c01a Add support for OCSP stapling to validate server certificate
When using OpenSSL with TLS-based EAP methods, wpa_supplicant can now be
configured to use OCSP stapling (TLS certificate status request) with
ocsp=1 network block parameter. ocsp=2 can be used to require valid OCSP
response before connection is allowed to continue.

hostapd as EAP server can be configured to return cached OCSP response
using the new ocsp_stapling_response parameter and an external mechanism
for updating the response data (e.g., "openssl ocsp ..." command).

This allows wpa_supplicant to verify that the server certificate has not
been revoked as part of the EAP-TLS/PEAP/TTLS/FAST handshake before
actual data connection has been established (i.e., when a CRL could not
be fetched even if a distribution point were specified).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-06-30 01:01:15 +03:00
Michael Braun
459eee923c bridge: Use safe default bridge interface
Currently by default, all BSS share the bridge brvlan%d.
While this is sane when no tagged-interface is given, this
is insane when different tagged interfaces are given, as
it would result in bridging those tagged interfaces.

This patch therefore uses br%s%d with %s=tagged_interface
and %d=VLAN ID as bridge name when a tagged-interface is given.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-06-25 11:10:00 +03:00
Michael Braun
2aaeedfa07 bridge: Give bridge name in per-bss configuration
Currently, when different BSS using different tagged vlan
interfaces, they are forced to share the bridge brvlan#,
which is not desirable.

This patch fixes this by making the bridge name configurable.

Signed-hostap: Michael Braun <michael-dev@fami-braun.de>
2013-06-25 11:09:01 +03:00