authorJouni Malinen <j@w1.fi>2017-03-12 20:40:56 (GMT)
committerJouni Malinen <j@w1.fi>2017-03-12 21:20:32 (GMT)
commit1764559eef3020afebb427d48799c13514f45de0 (patch)
treed9efa2fda85c13b1cd85030eeaa9ceb890cc6291 /hostapd
parentcad291d671434b4edffeaa40100c1adad92e4ed9 (diff)
FILS: Add FILS SK auth PFS support in AP mode
This adds an option to configure hostapd to enable use of perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime configuration parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would allow FILS SK PFS to be used with a 256-bit random ECP group. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hostapd')
-rw-r--r--hostapd/Android.mk4
-rw-r--r--hostapd/Makefile4
-rw-r--r--hostapd/config_file.c2
-rw-r--r--hostapd/defconfig2
-rw-r--r--hostapd/hostapd.conf5
5 files changed, 17 insertions, 0 deletions
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index 10018bc..b1940f8 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -272,6 +272,10 @@ L_CFLAGS += -DCONFIG_FILS
OBJS += src/ap/fils_hlp.c
NEED_SHA384=y
NEED_AES_SIV=y
+ifdef CONFIG_FILS_SK_PFS
+L_CFLAGS += -DCONFIG_FILS_SK_PFS
+NEED_ECC=y
+endif
endif
ifdef CONFIG_WNM
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 34a0e68..c443618 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -316,6 +316,10 @@ CFLAGS += -DCONFIG_FILS
OBJS += ../src/ap/fils_hlp.o
NEED_SHA384=y
NEED_AES_SIV=y
+ifdef CONFIG_FILS_SK_PFS
+CFLAGS += -DCONFIG_FILS_SK_PFS
+NEED_ECC=y
+endif
endif
ifdef CONFIG_WNM
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 2e4433d..7b43806 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -3658,6 +3658,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
} else if (os_strcmp(buf, "fils_realm") == 0) {
if (parse_fils_realm(bss, pos) < 0)
return 1;
+ } else if (os_strcmp(buf, "fils_dh_group") == 0) {
+ bss->fils_dh_group = atoi(pos);
} else if (os_strcmp(buf, "dhcp_server") == 0) {
if (hostapd_parse_ip_addr(pos, &bss->dhcp_server)) {
wpa_printf(MSG_ERROR,
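Review bot: `bss->fils_dh_group = atoi(pos);` accepts any text, so a typo or non-numeric value silently becomes 0, which hostapd.conf in this same commit documents as PFS disabled, and negative or above-65535 values are stored without complaint. For a setting that turns forward secrecy on, a bad value should fail configuration loading the way the fils_realm branch above does with `return 1`, rather than quietly running without PFS. The fence below parses with strtol, rejects trailing characters and anything outside 0-65535, and logs the offending line; `line` is assumed to be the function's line-number argument, which is declared outside this hunk, as is the rest of hostapd_config_fill. Whether the chosen group is one the crypto backend actually supports is not checked here and cannot be confirmed from this hunk.

```c
	} else if (os_strcmp(buf, "fils_dh_group") == 0) {
		char *end;
		long val = strtol(pos, &end, 10);

		if (end == pos || *end != '\0' || val < 0 || val > 65535) {
			wpa_printf(MSG_ERROR,
				   "Line %d: invalid fils_dh_group '%s'",
				   line, pos);
			return 1;
		}
		bss->fils_dh_group = val;
	/* … unchanged: dhcp_server branch … */
```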
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 2370fc1..521d877 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -358,6 +358,8 @@ CONFIG_IPV6=y
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
+# FILS shared key authentication with PFS
+#CONFIG_FILS_SK_PFS=y
# Include internal line edit mode in hostapd_cli. This can be used to provide
# limited command line editing and history support.
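Review bot: The added comment `# FILS shared key authentication with PFS` does not say that the option depends on CONFIG_FILS, whose entry just above is marked experimental and not for production use. In the Makefile and Android.mk hunks of this commit the new `ifdef CONFIG_FILS_SK_PFS` appears to sit inside the CONFIG_FILS block, so enabling it alone would presumably have no effect. Suggested wording: `# FILS shared key authentication with PFS (requires CONFIG_FILS=y; pulls in ECC support)`.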
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 19596ce..18c330b 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1393,6 +1393,11 @@ own_ip_addr=127.0.0.1
#fils_realm=example.com
#fils_realm=example.org
+# FILS DH Group for PFS
+# 0 = PFS disabled with FILS shared key authentication (default)
+# 1-65535 DH Group to use for FILS PFS
+#fils_dh_group=0
+
# DHCP server for FILS HLP
# If configured, hostapd will act as a DHCP relay for all FILS HLP requests
# that include a DHCPDISCOVER message and send them to the specific DHCP
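Review bot: The new comment block lists `1-65535 DH Group to use for FILS PFS` without saying which numbering is meant or which groups actually work, so an operator can pick a value that parses but cannot be used. The commit message gives group 19 (256-bit random ECP) as the example and the build hunks only pull in NEED_ECC, which suggests ECP groups are the intended ones, though that is inferred rather than shown here. I would add `# This requires hostapd to be built with CONFIG_FILS_SK_PFS=y.` and `# For example, 19 = 256-bit random ECP group`, and state what happens when the value is set in a build without that option.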