path: root/hostapd
Commit message | Author | Age | Files | Lines
* Add testing functionality for resetting PN/IPN for configured keys (Jouni Malinen, 2017-10-16, 1 file, -0/+87)
  This can be used to test replay protection. The "RESET_PN" command in wpa_supplicant and "RESET_PN <addr>" command in hostapd resets the local counters to zero for the last configured key. For hostapd, the address parameter specifies which STA this operation is for or selects GTK ("ff:ff:ff:ff:ff:ff") or IGTK ("ff:ff:ff:ff:ff:ff IGTK"). This functionality is for testing purposes and included only in builds with CONFIG_TESTING_OPTIONS=y.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove all PeerKey functionality (Jouni Malinen, 2017-10-15, 6 files, -25/+2)
  This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add MGMT_TX_STATUS_PROCESS command for testing purposes (Jouni Malinen, 2017-10-15, 1 file, -0/+65)
  This allows ext_mgmt_frame_handling=1 cases with hostapd to process TX status events based on external processing. This is useful for increased test coverage of management frame processing.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Allow SAE password to be configured separately (AP) (Jouni Malinen, 2017-10-11, 2 files, -0/+12)
  The new sae_password hostapd configuration parameter can now be used to set the SAE password instead of the previously used wpa_passphrase parameter. This allows shorter than 8 characters and longer than 63 characters long passwords to be used. In addition, this makes it possible to configure a BSS with both WPA-PSK and SAE enabled to use different passphrase/password based on which AKM is selected.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Allow set of enabled DH groups to be limited on AP (Jouni Malinen, 2017-10-10, 2 files, -1/+16)
  The new hostapd configuration parameter owe_groups can be used to specify a subset of the allowed DH groups as a space separated list of group identifiers.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove C-sign-key expiry (Jouni Malinen, 2017-10-09, 1 file, -2/+0)
  This was removed in DPP tech spec v0.2.3.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Transition mode information based on BSS ifname (Jouni Malinen, 2017-10-09, 2 files, -0/+7)
  The owe_transition_bssid and owe_transition_ssid parameters can now be replaced with owe_transition_ifname to clone the BSSID/SSID information automatically in case the same hostapd process manages both the OWE and open BSS for transition mode.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP mode (Jouni Malinen, 2017-10-08, 2 files, -0/+10)
  This extends OWE support in hostapd to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Add AP support for transition mode (Jouni Malinen, 2017-10-08, 2 files, -0/+28)
  The new owe_transition_bssid and owe_transition_ssid parameters can be used to configure hostapd to advertise the OWE Transition Mode element.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Fix hostapd debug messages on wpa_pairwise and rsn_pairwise parsing (Jouni Malinen, 2017-09-22, 1 file, -2/+2)
  An incorrect value was printed out as the line number for these messages.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Add option to disable ECDHE with Suite B RSA (Jouni Malinen, 2017-09-18, 1 file, -0/+2)
  The hostapd.conf tls_flags=[SUITEB-NO-ECDH] and wpa_supplicant network profile phase1="tls_suiteb_no_ecdh=1" can now be used to configure Suite B RSA constraints with ECDHE disabled. This is mainly to allow the DHE TLS cipher suite to be tested.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add hostapd tls_flags parameter (Jouni Malinen, 2017-09-18, 1 file, -0/+26)
  This can be used to set the TLS flags for the authentication server.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Allow commit fields to be overridden for testing purposes (Jouni Malinen, 2017-09-04, 1 file, -0/+3)
  The new sae_commit_override=<hexdump> parameter can be used to force hostapd to override SAE commit message fields for testing purposes. This is included only in CONFIG_TESTING_OPTIONS=y builds.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Add testing code for reflection attack (Jouni Malinen, 2017-09-04, 1 file, -0/+2)
  Allow hostapd to be configured to perform SAE reflection attack for SAE testing purposes with sae_reflection_attack=1 configuration parameter. This is included only in CONFIG_TESTING_OPTIONS=y builds.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add base64 dependency in makefiles (Jouni Malinen, 2017-09-04, 2 files, -0/+2)
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Remove devices object from the connector (Jouni Malinen, 2017-08-22, 1 file, -3/+0)
  This was removed from the draft DPP tech spec, so remove it from the implementation as well.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Interpret zero length ap_pin hostapd.conf parameter as "unset" (Jouni Malinen, 2017-08-14, 1 file, -1/+4)
  hostapd allows an arbitrary AP PIN to be used in WPS. This means that setting ap_pin to a zero length string ends up enabling AP PIN so that external registrars can use this specific zero length ap_pin value. There are apparently some APs that have used this invalid configuration with unintended results. While the proper fix for that is to fix the component that generates the invalid configuration, hostapd can also reject such values since the likelihood of a real world use case for zero length AP PIN (Device Password) is minimal. Start interpreting zero length ap_pin parameter value as a request to "unset" the previously set value in hostapd.conf (or if not previously set, leave it unset). With this, a hostapd.conf file including the "ap_pin=" line will end up getting interpreted just like that same file with the ap_pin parameter completely removed, i.e., with AP PIN being disabled.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove some obsolete information from hostapd README file (Jouni Malinen, 2017-08-02, 1 file, -20/+8)
  A number of the URLs were not valid anymore and some of the notes have been obsolete for years.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WNM: Differentiate between WNM for station and for AP in build (Avraham Stern, 2017-07-18, 4 files, -8/+8)
  Previously, CONFIG_WNM enabled a build that supports WNM for both station mode and AP mode. However, in most wpa_supplicant cases only station mode WNM is required and there is no need for AP mode WNM. Add support to differentiate between station mode WNM and AP mode WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be used when AP mode WNM support is required in addition to station mode WNM. This allows binary size to be reduced for builds that require only the station side WNM functionality.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* OpenSSL: Add build option to select default ciphers (Beniamino Galvani, 2017-07-17, 4 files, -1/+14)
  Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW". This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default.
  [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
  Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* OCE: Add hostapd mode OCE capability indication if enabled (Ashwini Patil, 2017-07-14, 3 files, -2/+32)
  Add OCE IE in Beacon, Probe Response, and (Re)Association Response frames if OCE is enabled in the configuration.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add control interface commands into hostapd_cli (Jouni Malinen, 2017-07-04, 1 file, -0/+97)
  These are copied from wpa_cli.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: DPP_BOOTSTRAP_INFO for hostapd (Jouni Malinen, 2017-07-04, 1 file, -0/+3)
  This extends the hostapd control interface to support the DPP_BOOTSTRAP_INFO command that was recently added for wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Update default wpa_group_rekey to once-per-day when using CCMP/GCMP (Jouni Malinen, 2017-07-03, 2 files, -1/+5)
  The default value for GTK rekeying period was previously hardcoded to 600 seconds for all cases. Leave that short value only for TKIP as group cipher while moving to the IEEE 802.11 default value of 86400 seconds (once-per-day) for CCMP/GCMP.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Update hostapd configurator parameters to match wpa_supplicant (Jouni Malinen, 2017-07-03, 1 file, -0/+5)
  This updates the previously copied implementation to be up-to-date with the more recent wpa_supplicant changes.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Configurator in hostapd (Jouni Malinen, 2017-07-03, 1 file, -0/+12)
  This integrates DPP configuration request processing into hostapd GAS server implementation.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: PKEX in hostapd (Jouni Malinen, 2017-07-03, 1 file, -0/+12)
  Allow hostapd to initiate and respond with PKEX bootstrapping similarly to how this was implemented in wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Increase hostapd_cli buffer limits (Jouni Malinen, 2017-07-02, 1 file, -2/+2)
  This is needed for DPP events/commands.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: AP parameters for DPP AKM (Jouni Malinen, 2017-06-19, 1 file, -0/+15)
  Extend hostapd configuration to include parameters needed for the DPP AKM: dpp_connector, dpp_netaccesskey, dpp_netaccesskey_expiry, dpp_csign, dpp_csign_expiry.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Allow PMKSA cache entries to be added through hostapd ctrl_iface (Jouni Malinen, 2017-06-19, 1 file, -0/+3)
  This allows external programs to generate and add PMKSA cache entries into hostapd. The main use for this is to run external DPP processing (network introduction) and testing.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add new AKM (Jouni Malinen, 2017-06-19, 2 files, -0/+13)
  This new AKM is used with DPP when using the signed Connector to derive a PMK. Since the KCK, KEK, and MIC lengths are variable within a single AKM, this needs a number of additional changes to get the PMK length delivered to places that need to figure out the lengths of the PTK components.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Integration for hostapd (Jouni Malinen, 2017-06-19, 3 files, -0/+95)
  This adds DPP bootstrapping, authentication, and configuration into hostapd similarly to how the design was integrated in wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add JavaScript Object Notation (JSON) parser (RFC7159) (Jouni Malinen, 2017-06-17, 2 files, -0/+10)
  This is needed for DPP configuration attributes/objects.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Extend SHA-384 and SHA-512 support to match SHA-256 (Jouni Malinen, 2017-06-17, 2 files, -0/+33)
  The additional SHA-384 and SHA-512 functionality is needed to support DPP with various ECC curves.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add a config parameter to exclude DFS channels from ACS (Sunil Dutt, 2017-05-27, 2 files, -0/+7)
  The new acs_exclude_dfs=1 parameter can be used to request hostapd to exclude all DFS channels from ACS consideration. This is mainly of use for cases where the driver supports DFS channels, but for some reason a non-DFS channel is desired when using automatic channel selection. Previously, the chanlist parameter could have been used for this, but that required listing all the acceptable channels. The new parameter allows this to be done without such a list.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FT: Add support for wildcard R0KH/R1KH (Michael Braun, 2017-05-03, 2 files, -0/+32)
  Enable use of FT RRB without configuring each other AP locally. Instead, broadcast messages are exchanged to discover APs within the local network. When an R0KH or R1KH is discovered, it is cached for one day. When a station uses an invalid or offline r0kh_id, requests are always broadcast. In order to avoid this, if r0kh does not reply, a temporary blacklist entry is added to r0kh_list. To avoid blocking a valid r0kh when a non-existing pmk_r0_name is requested, r0kh is required to always reply using a NAK. Resend requests a few times to ensure blacklisting does not happen due to small packet loss. To free newly created stations later, the r*kh_list start pointer in conf needs to be updateable from wpa_auth_ft.c, where only wconf is accessed.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: New RRB message format (Michael Braun, 2017-05-03, 4 files, -8/+41)
  Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher to protect the messages. This needs at least 32 byte long keys. These can be provided either by a config file change or letting a KDF derive the 32 byte key used from the 16 byte key given. This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Replace inter-AP protocol with use of OUI Extended Ethertype (Michael Braun, 2017-05-03, 3 files, -0/+15)
  Replace the previously used extension of IEEE 802.11 managed Ethertype 89-0d (originally added for Remote Request/Response in IEEE 802.11r) with Ethertype 88-b7 (OUI Extended EtherType) for FT inter-AP communication. The new design uses a more properly assigned identifier for the messages. This assigns the OUI 00:13:74 vendor-specific subtype 0x0001 for the new hostapd AP-to-AP communication purposes. Subtypes 1 (PULL), 2 (RESP), and 3 (PUSH) are also assigned in this commit for the R0KH-R1KH protocol. This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* hostapd: Select a valid secondary channel if both enabled (Peng Xu, 2017-04-29, 1 file, -0/+4)
  When starting AP in HT40 mode and both HT40+ and HT40- options are specified in hostapd.conf, select a valid secondary channel for the AP automatically.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add FILS SK auth PFS support in AP mode (Jouni Malinen, 2017-03-12, 5 files, -0/+17)
  This adds an option to configure hostapd to enable use of perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime configuration parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would allow FILS SK PFS to be used with a 256-bit random ECP group.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Add CONFIG_OWE=y build option (Jouni Malinen, 2017-03-12, 4 files, -0/+20)
  This can be used to enable OWE support in hostapd and wpa_supplicant builds.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Define and parse OWE AKM selector (Jouni Malinen, 2017-03-12, 2 files, -0/+13)
  This adds a new RSN AKM "OWE".
  Signed-off-by: Jouni Malinen <j@w1.fi>
* common: Add candidate list parsing helper function (Avraham Stern, 2017-03-11, 1 file, -97/+7)
  Add a helper function that parses candidate list from command line arguments. This function will be used (in the following commits) to add a candidate list to BSS transition management query.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* MBO: Add MBO ANQP-element processing on AP (Jouni Malinen, 2017-03-10, 2 files, -0/+15)
  This extends the GAS server to process MBO ANQP-elements and reply to a query for the Cellular Data Connection Preference (if configured). The new configuration parameter mbo_cell_data_conn_pref can be used to set the value (0, 1, or 255) for the preference to indicate.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Use os_memdup() (Johannes Berg, 2017-03-07, 1 file, -6/+3)
  This leads to cleaner code overall, and also reduces the size of the hostapd and wpa_supplicant binaries (in hwsim test build on x86_64) by about 2.5 and 3.5KiB respectively. The mechanical conversions all over the code were done with the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* Make the third octet of Country String configurable (Jouni Malinen, 2017-03-01, 2 files, -2/+19)
  The new hostapd.conf parameter country3 can now be used to configure the third octet of the Country String that was previously hardcoded to ' ' (= 0x20). For example:

    All environments of the current frequency band and country (default)
    country3=0x20

    Outdoor environment only
    country3=0x4f

    Indoor environment only
    country3=0x49

    Noncountry entity (country_code=XX)
    country3=0x58

    IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
    Annex E, Table E-4 (Global operating classes)
    country3=0x04

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG) (Jouni Malinen, 2017-02-28, 2 files, -0/+61)
  CONFIG_TLS=linux can now be used to select the crypto implementation that uses the user space socket interface (AF_ALG) for the Linux kernel crypto implementation. This commit includes some of the cipher, hash, and HMAC functions. The functions that are not available through AF_ALG (e.g., the actual TLS implementation) use the internal implementation (CONFIG_TLS=internal).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix AES-SIV build dependencies (Jouni Malinen, 2017-02-26, 2 files, -6/+12)
  aes-siv.c needs functions from aes-ctr.c and aes-omac1.c, so set NEED_AES_CTR=y and NEED_AES_OMAC1=y if NEED_AES_SIV is defined. This fixes some build configuration combinations where either of those dependencies was not pulled in through other parameters. For example, some CONFIG_FILS=y cases were impacted.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add option to disable broadcast deauth in hostapd on AP start/stop (Jouni Malinen, 2017-02-26, 2 files, -0/+6)
  The new broadcast_deauth parameter can be used to disable sending of the Deauthentication frame whenever AP is started or stopped. The default behavior remains identical to the past behavior (broadcast_deauth=1).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add IEEE 802.11ax HE IEs into Beacon/Probe Response frames (Peng Xu, 2017-02-19, 2 files, -0/+5)
  IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response frames. These elements are using vendor specific forms for now since the IEEE 802.11ax draft is not yet finalized and the element contents are subject to change.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>