path: root/hostapd

Commit log. Each entry gives the commit subject, then Author, Date, Files changed and Lines (-removed/+added), followed by the commit message body.
* Uncomment CONFIG_LIBNL32=y in defconfig
  Author: Jouni Malinen | Date: 2018-12-02 | Files: 1 | Lines: -1/+1

  libnl 3.2 release is much more likely to be used nowadays than the versions using the older API, so uncomment this in wpa_supplicant and hostapd defconfig.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix hostapd testing functionality for setting key/seq
  Author: Jouni Malinen | Date: 2018-11-30 | Files: 1 | Lines: -1/+1

  Use sizeof() correctly on seq[].

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix a typo in a comment
  Author: Jouni Malinen | Date: 2018-11-25 | Files: 1 | Lines: -1/+1

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix dpp_configurator_get_key command name in hostapd_cli
  Author: Damodaran, Rohit (Contractor) | Date: 2018-11-22 | Files: 1 | Lines: -1/+1

  The option to get DPP configurator key in hostapd_cli was named incorrectly. It was wrongly pointing to dpp_configurator_remove. Fix this by using the correct name.

  Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
* OCE: Move OCE checks to IE formation from hostapd initialization
  Author: Ankita Bajaj | Date: 2018-10-30 | Files: 1 | Lines: -21/+2

  Earlier, the OCE flags were checked during hostapd initialization. This doesn't address a few cases, for example when the interface is added from the control interface. Move the OCE flag checks to the functions that are forming the MBO/OCE IEs to cover all the different paths for enabling a BSS. Also use macros as appropriate for readability.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WNM: Collocated Interference Reporting
  Author: Jouni Malinen | Date: 2018-10-30 | Files: 2 | Lines: -0/+41

  Add support for negotiating WNM Collocated Interference Reporting. This allows hostapd to request associated STAs to report their collocated interference information and wpa_supplicant to process such request and reporting. The actual values (Collocated Interference Report Elements) are out of scope of hostapd and wpa_supplicant, i.e., external components are expected to generate and process these.

  For hostapd/AP, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration. STAs are requested to perform reporting with the "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report Timeout>" control interface command. The received reports are indicated as control interface events "COLOC-INTF-REPORT <addr> <dialog token> <hexdump of report elements>".

  For wpa_supplicant/STA, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration and setting Collocated Interference Report Elements as a hexdump with the "SET coloc_intf_elems <hexdump>" control interface command. The hexdump can contain one or more Collocated Interference Report Elements (each including the information element header). For additional testing purposes, received requests are reported with "COLOC-INTF-REQ <dialog token> <automatic report enabled> <report timeout>" control interface events and unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

  This commit adds support for reporting changes in the collocated interference (Automatic Report Enabled == 1 and partial 3), but not for periodic reports (2 and other part of 3).

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
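The COLOC-INTF-REPORT event above hands the report elements to the operator as a raw hexdump. The following is an added example (not hostap project code) that parses such an event line into its STA address, dialog token and individual information elements, rejecting truncated element data, and encodes elements back into the hexdump form used by "SET coloc_intf_elems". Assumptions not stated in the commit message: the dialog token is printed in decimal, the line may carry hostapd's usual "<N>" priority prefix on monitor sockets, and the element IDs and bodies in the sample event are arbitrary values constructed for the demo.

```python
"""Parse hostapd "COLOC-INTF-REPORT" control-interface events.

Added example, not hostap project code.  Event format from the commit
message: "COLOC-INTF-REPORT <addr> <dialog token> <hexdump of report
elements>".  The hexdump carries one or more Collocated Interference
Report elements, each with its 2-octet IE header (Element ID, Length);
the element body is opaque here, an external component interprets it.
"""
import re
from dataclasses import dataclass
from typing import List

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


@dataclass(frozen=True)
class Element:
    eid: int      # 802.11 Element ID (one octet)
    data: bytes   # element body, at most 255 octets


@dataclass(frozen=True)
class ColocIntfReport:
    addr: str
    dialog_token: int
    elements: List[Element]


def parse_elements(blob: bytes) -> List[Element]:
    """Split an information-element blob into (id, body) pairs.

    A header that claims more octets than remain is rejected instead of
    silently trimmed, so a malformed report from a STA is dropped rather
    than handed on to whatever consumes the interference data.
    """
    out: List[Element] = []
    i = 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("dangling octet without an IE header")
        eid, length = blob[i], blob[i + 1]
        i += 2
        if i + length > len(blob):
            raise ValueError(
                f"IE {eid}: length {length} exceeds the {len(blob) - i} remaining octets")
        out.append(Element(eid, blob[i:i + length]))
        i += length
    return out


def parse_coloc_intf_report(event: str) -> ColocIntfReport:
    """Parse one "COLOC-INTF-REPORT <addr> <dialog token> <hexdump>" line."""
    # Assumption: monitor sockets prefix unsolicited events with "<N>"; strip it.
    event = re.sub(r"^<\d+>", "", event.strip())
    parts = event.split(" ", 3)
    if len(parts) != 4 or parts[0] != "COLOC-INTF-REPORT":
        raise ValueError("not a COLOC-INTF-REPORT event")
    _, addr, token, hexdump = parts
    if not MAC_RE.match(addr):
        raise ValueError(f"bad STA address {addr!r}")
    dialog_token = int(token)          # assumption: printed in decimal
    if not 0 <= dialog_token <= 255:   # Dialog Token is a single octet
        raise ValueError("dialog token out of range")
    return ColocIntfReport(addr, dialog_token, parse_elements(bytes.fromhex(hexdump)))


def build_coloc_intf_elems(elements: List[Element]) -> str:
    """Encode elements as the hexdump for "SET coloc_intf_elems <hexdump>"."""
    out = bytearray()
    for el in elements:
        if not 0 <= el.eid <= 255 or len(el.data) > 255:
            raise ValueError("element does not fit an 802.11 IE header")
        out += bytes((el.eid, len(el.data))) + el.data
    return out.hex()


# Constructed sample event: two elements with IDs 96 and 221 chosen for the
# demo (not taken from a real STA), bodies 01 02 03 and aa bb.
SAMPLE_EVENT = "<3>COLOC-INTF-REPORT 02:00:00:00:01:00 7 6003010203dd02aabb"

if __name__ == "__main__":
    report = parse_coloc_intf_report(SAMPLE_EVENT)
    for el in report.elements:
        print(f"STA {report.addr} token {report.dialog_token}: IE {el.eid} = {el.data.hex()}")
    print("round trip:", build_coloc_intf_elems(report.elements))
```

The element bodies are deliberately left opaque: the commit states that generating and interpreting the Collocated Interference Report contents is the job of external components, so the parser only enforces the framing that hostapd itself relies on.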
* WMM: Update WMM parameter advertisement on the fly
  Author: Beni Lev | Date: 2018-10-16 | Files: 1 | Lines: -0/+6

  Update the Beacon frame template once WMM parameters have been changed and the AP is already up.

  Signed-off-by: Beni Lev <beni.lev@intel.com>
* HS 2.0: OSU Provider NAI List advertisement
  Author: Jouni Malinen | Date: 2018-10-05 | Files: 2 | Lines: -1/+25

  Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be advertised in addition to the previously used OSU Providers list ANQP-element. The new osu_nai2 configurator parameter option is used to specify the OSU_NAI value for the shared BSS (Single SSID) case while osu_nai remains to be used for the separate OSU BSS.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Parse sae_password option when CONFIG_SAE is enabled
  Author: Hai Shalom | Date: 2018-09-02 | Files: 1 | Lines: -1/+1

  Call to parse_sae_password was incorrectly depending on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should depend only on the latter.

  Fixes: 2377c1caef77 ("SAE: Allow SAE password to be configured separately (AP)")
  Signed-off-by: Hai Shalom <haishalom@google.com>
* hostapd: SET ht_capab support for disabling 40 MHz bandwidth
  Author: Sathishkumar Muruganandam | Date: 2018-08-21 | Files: 1 | Lines: -0/+2

  'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both to be present. Based on the offset + or -, secondary_channel is updated but HT20/VHT20 mode can be brought up only from config file and can't be done using the SET command when the current HT mode is HT40+ or HT40-.

  When managing AP+STA mode from userspace doing hostapd_cli: "disable -> set channel, ht_capab -> enable" sequence, channel switch from HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab limitation.

  Cover this additional case by resetting secondary_channel to 0 for HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.

  Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
* Provide more details of WPA3 modes in hostapd.conf
  Author: Jouni Malinen | Date: 2018-08-01 | Files: 1 | Lines: -1/+17

  Clarify that wpa=2 (i.e., RSN) is used for WPA3 and list previously undocumented wpa_key_mgmt values.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* RADIUS: Add DAC implementation in hostapd(AS)
  Author: Jouni Malinen | Date: 2018-06-22 | Files: 1 | Lines: -0/+5

  The new DAC_REQUEST control interface command can now be used to request hostapd to send out Disconnect-Request and CoA-Request packets for an existing session.

  DAC_REQUEST <disconnect|coa> <MAC Address> [t_c_clear]

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Allow 0.0.0.0 to be used as wildcard radius_das_client
  Author: Jouni Malinen | Date: 2018-06-22 | Files: 1 | Lines: -0/+2

  This allows hostapd DAS to be configured to allow any DAC (with the matching shared secret) to send Disconnect-Request and CoA-Request packets.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS server: Add current_sessions SQLite table
  Author: Jouni Malinen | Date: 2018-06-22 | Files: 1 | Lines: -0/+10

  This can be used to track active sessions, e.g., for the purpose of issuing RADIUS DAS commands (Disconnect-Request or CoA-Request).

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
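The three RADIUS DAS commits above (DAC_REQUEST on the AS side, the 0.0.0.0 wildcard client, the current_sessions table) leave it to the operator to decide how exposed the DAS listener on the AP should be. The following hostapd.conf fragment is an added example, not hostap project code: radius_das_port, radius_das_client, radius_das_require_event_timestamp and radius_das_time_window are existing hostapd parameters, while the addresses, port choice and secret are illustrative.

```ini
# hostapd.conf fragment: RADIUS Dynamic Authorization (DAS) listener.
# Added example, not from the hostap tree; values are illustrative.

# UDP port the AP listens on for Disconnect-Request / CoA-Request.
radius_das_port=3799

# Restrictive form: only this DAC, with this shared secret, is accepted.
radius_das_client=192.0.2.10 das-shared-secret

# Wildcard form from the commit above: any source address that presents the
# shared secret is accepted. The secret is then the only thing standing
# between a host that can reach UDP/3799 and the ability to disconnect or
# re-authorize every station on this AP, so use it only behind a firewall
# and with a long random secret. Commented out here; pick one form.
#radius_das_client=0.0.0.0 das-shared-secret

# Require Event-Timestamp and bound its skew so a captured Disconnect-Request
# cannot simply be replayed later against a re-established session.
radius_das_require_event_timestamp=1
radius_das_time_window=300
```

On the AS side the matching DAC_REQUEST command needs a session to target; the current_sessions table added in the same series is what lets the operator find the right MAC address before issuing it.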
* HS 2.0: Move Terms and Conditions Server URL generation from AP to AS
  Author: Jouni Malinen | Date: 2018-06-21 | Files: 1 | Lines: -1/+2

  This makes it more convenient to generate the URL in a way that interoperates between different vendors. The AP is simply copying the already constructed URL as-is from Access-Accept to WNM-Notification. This means that the HO AAA can generate the URL in a manner that works for the associated T&C Server without having to coordinate with each AP.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Add key management value FT-EAP-SHA384 for hostapd
  Author: Jouni Malinen | Date: 2018-06-05 | Files: 2 | Lines: -2/+14

  This allows hostapd to be configured to use the SHA384-based FT AKM.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Allow OSEN connection to be enabled in an RSN BSS
  Author: Jouni Malinen | Date: 2018-05-29 | Files: 1 | Lines: -0/+4

  This allows a single BSS/SSID to be used for both data connection and OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd server: Add support for salted password databases
  Author: Dan Harkins | Date: 2018-05-28 | Files: 1 | Lines: -0/+75

  These changes add support for salted password databases to EAP-pwd per RFC 8146. This commit introduces the framework for enabling this and the salting mechanisms based on SHA-1, SHA256, and SHA512 hash algorithms.

  Signed-off-by: Dan Harkins <dharkins@lounge.org>
* SAE: Add support for using the optional Password Identifier
  Author: Jouni Malinen | Date: 2018-05-19 | Files: 2 | Lines: -4/+83

  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Fix CHAN_SWITCH command for VHT20 and VHT40
  Author: Sathishkumar Muruganandam | Date: 2018-05-15 | Files: 1 | Lines: -0/+5

  Previously, hostapd CHAN_SWITCH command did not affect VHT configuration for the following:

  When VHT is currently disabled (ieee80211ac=0),
  1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
     ====> Comes up in HT40
  2. hostapd_cli -p /var/run/hostapd chan_switch 10 5765 sec_channel_offset=-1 center_freq1=5775 bandwidth=40 vht
     ====> Comes up in HT40
  3. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 bandwidth=20 vht
     ====> Comes up in HT20

  When VHT is currently enabled (ieee80211ac=1),
  1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
     ====> Comes up in VHT40
  2. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 bandwidth=20 ht
     ====> Comes up in VHT20

  This is since VHT config from chan_switch is processed only for bandwidths 80 and above (80P80, 160) and for VHT20, VHT40 cases, only NLA chan type and chan width are updated. There is no NL attribute for determining if it is HT or VHT for bandwidths 20 & 40 and currently they are updated as HT20, HT40 (+ or - depending on offset). Same is notified back via NL80211_CMD_CH_SWITCH_NOTIFY.

  Instead of adding new NL attribute for tracking HT/VHT enabled config, we are adding new hostapd VHT config parameter to save the chan_switch config and use only for chan_switch case of VHT20 and VHT40.

  Tested with all combinations of chan_switch (noHT->20->40->80->) HT/VHT and confirmed to be working.

  Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
* wolfSSL: Remove aes-omac1.o from hostapd build
  Author: Sean Parkinson | Date: 2018-05-02 | Files: 1 | Lines: -0/+2

  Avoid duplicated omac1_*() functions when building hostapd with wolfSSL.

  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* EAP-TLS server: Disable TLS v1.3 by default
  Author: Jouni Malinen | Date: 2018-05-01 | Files: 1 | Lines: -0/+7

  The current EAP peer implementation is not yet ready for the TLS v1.3 changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for this EAP method for now. While the current EAP-TLS implementation is more or less complete for TLS v1.3, there has been no interoperability testing with other implementations, so disable it by default for now until there has been chance to confirm that no significant interoperability issues show up with TLS version update.

  tls_flags=[ENABLE-TLSv1.3] configuration parameter can be used to enable TLS v1.3 (assuming the TLS library supports it; e.g., when using OpenSSL 1.1.1).

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled
  Author: Jouni Malinen | Date: 2018-05-01 | Files: 1 | Lines: -0/+2

  This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Maintain a database of pending T&C acceptance sessions
  Author: Jouni Malinen | Date: 2018-04-30 | Files: 1 | Lines: -0/+5

  The new SQLite table pending_tc is used to maintain a list of sessions that need to accept Terms and Conditions. This information can be used on an external Terms and Conditions server to map the incoming MAC address information into user identity.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions testing feature in authentication server
  Author: Jouni Malinen | Date: 2018-04-26 | Files: 1 | Lines: -1/+2

  Allow hostapd RADIUS authentication server with SQLite EAP user DB to be used for testing Terms and Conditions functionality. This could be used for the HO AAA part of functionality (merging HO AAA and SP AAA into a single component to avoid separate RADIUS proxy in testing setup). A T&C server with HTTPS processing is needed to allow this to be used for full over-the-air testing. This commit adds sufficient functionality to allow hwsim test cases to cover the RADIUS server part.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Send Terms and Conditions Acceptance notification
  Author: Jouni Malinen | Date: 2018-04-23 | Files: 2 | Lines: -0/+10

  This extends hostapd Access-Accept processing to check if the RADIUS server indicated that Terms and Conditions Acceptance is required. The new hs20_t_c_server_url parameter is used to specify the server URL template that the STA is requested to visit. This commit does not enable any kind of filtering, i.e., only the part of forwarding a request from Access-Accept to the STA using WNM-Notification is covered.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions attributes in Access-Request messages
  Author: Jouni Malinen | Date: 2018-04-23 | Files: 2 | Lines: -0/+17

  This extends hostapd with two new configuration parameters (hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify that the Terms and Conditions attributes are to be added into all Access-Request messages for Hotspot 2.0 STAs.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow configuration of operator icons
  Author: Jouni Malinen | Date: 2018-04-17 | Files: 2 | Lines: -1/+30

  This extends hostapd Hotspot 2.0 implementation to allow operator icons to be made available. The existing hs20_icon parameter is used to define the icons and the new operator_icon parameter (zero or more entries) is used to specify which of the available icons are operator icons. The operator icons are advertised in the Operator Icon Metadata ANQP-element while the icon data can be fetched using the same mechanism (icon request/binary file) that was added for the OSU Providers icons.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix building nt_password_hash with gnutls
  Author: Andrey Utkin | Date: 2018-04-15 | Files: 1 | Lines: -3/+2

  Even with CONFIG_TLS=gnutls CONFIG_CRYPTO=gnutls in .config, nt_password_hash was linked with libcrypto instead of libgcrypt, which caused linkage failure.

  Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
* FT: Add expiration to PMK-R0 and PMK-R1 cache
  Author: Michael Braun | Date: 2018-04-05 | Files: 2 | Lines: -0/+8

  IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which the key was derived. This is currently stored in r0_key_lifetime, but cache entries are not actually removed.

  This commit uses the r0_key_lifetime configuration parameter when wpa_auth_derive_ptk_ft() is called. This may need to be extended to use the MSK lifetime, if provided by an external authentication server, with some future changes. For PSK, there is no such lifetime, but it also matters less as FT-PSK can be achieved without inter-AP communication.

  The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies the given timeout for sanity: it may not exceed the locally configured r1_max_key_lifetime.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Convert r0_key_lifetime to seconds
  Author: Michael Braun | Date: 2018-04-05 | Files: 2 | Lines: -2/+6

  Add a new configuration option ft_r0_key_lifetime that deprecates r0_key_lifetime. The old configuration is still accepted, though, for backwards compatibility.

  This simplifies testing. All other items are in seconds as well. In addition, this makes the dot11FTR0KeyLifetime comment match with what got standardized in the end in IEEE Std 802.11r-2008.

  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Add hostapd.conf venue_url to set Venue URL ANQP-element
  Author: Jouni Malinen | Date: 2018-03-26 | Files: 2 | Lines: -0/+50

  The new venue_url parameter can now be used to set the Venue URL ANQP information instead of having to construct the data and use anqp_elem=277:<hexdump> to set the raw value.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add NOTE control interface command for hostapd
  Author: Jouni Malinen | Date: 2018-03-26 | Files: 1 | Lines: -0/+2

  This does the same as the matching command in wpa_supplicant, i.e., add a note in the debug log.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix a resource leak on hostapd maclist parsing error path
  Author: Jouni Malinen | Date: 2018-03-21 | Files: 1 | Lines: -1/+3

  The open file needs to be closed in error case. The conversion to using a new helper function (hostapd_add_acl_maclist) somehow managed to remove the needed fclose(f) call. Bring it back to fix this.

  Fixes: 3988046de538 ("hostapd: Dynamic MAC ACL management over control interface")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add hostapd_cli poll_sta command
  Author: Bhagavathi Perumal S | Date: 2018-03-19 | Files: 1 | Lines: -0/+9

  This uses the already existing POLL_STA control interface to poll an associated station to check connectivity.

  Signed-off-by: Bhagavathi Perumal S <bperumal@codeaurora.org>
  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
* DPP: Support retrieving of configurator's private key
  Author: Purushottam Kushwaha | Date: 2018-03-16 | Files: 2 | Lines: -0/+14

  To retain configurator information across hostapd/wpa_supplicant restart, the private key needs to be maintained to generate a valid pair of authentication keys (connector, netaccess_key, csign) for new enrollees in the network.

  Add a DPP_CONFIGURATOR_GET_KEY control interface API through which the private key of an existing configurator can be fetched.

  Command format:
  DPP_CONFIGURATOR_GET_KEY <configurator_id>

  The output from this command can then be used with "DPP_CONFIGURATOR_ADD key=<hexdump>" to create the same key again.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add support for wolfSSL cryptographic library
  Author: Sean Parkinson | Date: 2018-03-03 | Files: 1 | Lines: -1/+45

  Allow hostapd/wpa_supplicant to be compiled with the wolfSSL cryptography and TLS library.

  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* Reject eap_server_erp hostapd.conf parameter without CONFIG_ERP=y
  Author: Jouni Malinen | Date: 2018-02-28 | Files: 1 | Lines: -0/+2

  This provides an explicit error report if runtime configuration is not valid and ERP server functionality cannot be used.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Do not include common/dpp.h without CONFIG_DPP=y
  Author: Jouni Malinen | Date: 2018-02-17 | Files: 1 | Lines: -0/+2

  This header file pulls in an OpenSSL header file and as such, should not be included without CONFIG_DPP=y to avoid bringing in an unnecessary build dependency on OpenSSL header files.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Dynamic MAC ACL management over control interface
  Author: Tamizh chelvam | Date: 2018-02-07 | Files: 4 | Lines: -53/+218

  Previously, MAC ACL could be modified only through file operations (modify accept/deny_mac_file and reload it to hostapd). Extend this to allow MAC ACL to be modified and displayed through new control interface commands:

  ACCEPT_ACL <subcmd> [argument]
  DENY_ACL <subcmd> [argument]
  subcmd: ADD_MAC <addr>[ VLAN_ID=<id>]|DEL_MAC <addr>|SHOW|CLEAR

  Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
* GnuTLS: Add option to build with libnettle instead of libgcrypt
  Author: Jouni Malinen | Date: 2017-12-29 | Files: 2 | Lines: -4/+28

  GnuTLS-based builds can now be done using either libnettle or libgcrypt for crypto functionality:

  CONFIG_TLS=gnutls CONFIG_CRYPTO=nettle
  CONFIG_TLS=gnutls CONFIG_CRYPTO=gnutls

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement HMAC functions using libgcrypt
  Author: Jouni Malinen | Date: 2017-12-27 | Files: 2 | Lines: -0/+20

  Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with the ones from libgcrypt and also add the SHA384 and SHA512 versions.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
  Author: Jouni Malinen | Date: 2017-12-27 | Files: 2 | Lines: -2/+0

  Replace the internal SHA256 implementation with the one from libgcrypt and also add the SHA384 and SHA512 versions.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Add option to require MFP for SAE associations
  Author: Jouni Malinen | Date: 2017-12-27 | Files: 2 | Lines: -0/+10

  The new hostapd.conf parameter sae_require_mfp=<0/1> can now be used to enforce negotiation of MFP for all associations that negotiate use of SAE. This is used in cases where SAE-capable devices are known to be MFP-capable and the BSS is configured with optional MFP (ieee80211w=1) for legacy support. The non-SAE stations can connect without MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* SAE: Make dot11RSNASAESync configurable
  Author: Jouni Malinen | Date: 2017-12-26 | Files: 2 | Lines: -0/+7

  The new hostapd.conf parameter sae_sync (default: 5) can now be used to configure the dot11RSNASAESync value to specify the maximum number of synchronization errors that are allowed to happen prior to disassociation of the offending SAE peer.

  Signed-off-by: Jouni Malinen <j@w1.fi>
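Several entries in this log each add one knob to the SAE side of hostapd: wpa=2 as the RSN base for WPA3, multiple sae_password entries with per-peer and per-identifier passwords, sae_require_mfp on top of optional ieee80211w=1, and sae_sync. The following hostapd.conf fragment is an added example, not from the hostap tree, that puts them together for a transition BSS that keeps WPA2-PSK clients working while forcing MFP on every SAE association. Interface, SSID, channel, secrets and the MAC address are illustrative; the pipe-separated mac=/id= suffix form of sae_password is taken from the hostapd.conf documentation of this series rather than from this page, so check it against your tree.

```ini
# hostapd.conf fragment: WPA3-Personal transition BSS.
# Added example, not hostap project code; values are illustrative.
interface=wlan0
ssid=example-sae
hw_mode=a
channel=36

# WPA3 is built on RSN, so wpa=2; wpa=1 (WPA) cannot carry SAE.
wpa=2
# Transition mode: legacy WPA2-PSK clients and SAE clients on one BSS.
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
wpa_passphrase=legacy-psk-for-wpa2-clients

# MFP stays optional for the BSS so legacy clients can still associate...
ieee80211w=1
# ...but is mandatory for any STA that negotiates SAE. Without this line,
# ieee80211w=1 alone would let an SAE client skip MFP and leave its
# deauth/disassoc frames unprotected.
sae_require_mfp=1

# dot11RSNASAESync: an SAE peer causing more than this many synchronization
# errors is disassociated (5 is the default from the commit above).
sae_sync=5

# SAE passwords. Assumed syntax from hostapd.conf of this series:
#   sae_password=<password>[|mac=<peer MAC>][|id=<password identifier>]
# Entries are tried by peer MAC and identifier, so a per-device secret can
# be revoked without rotating the shared one.
sae_password=shared-sae-secret
sae_password=per-device-secret|mac=02:11:22:33:44:55
sae_password=guest-secret|id=guest
```

For a WPA3-Personal-only BSS the same fragment collapses to wpa_key_mgmt=SAE with ieee80211w=2, at which point sae_require_mfp is redundant because MFP is already required for everyone.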
* EAP-pwd: Use abstract crypto API
  Author: Sean Parkinson | Date: 2017-12-24 | Files: 2 | Lines: -0/+2

  This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL.

  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* hostapd: Add average channel utilization in STATUS
  Author: Bhagavathi Perumal S | Date: 2017-12-11 | Files: 2 | Lines: -0/+16

  This allows external programs to get the average channel utilization. The average channel utilization is calculated and reported through the STATUS command. Users need to configure chan_util_avg_period and bss_load_update_period in hostapd config to get the average channel utilization.

  Signed-off-by: Bhagavathi Perumal S <bperumal@qti.qualcomm.com>
* Fix error handling in bss_load_update_period parser
  Author: Jouni Malinen | Date: 2017-12-11 | Files: 1 | Lines: -4/+5

  Do not update the configuration parameter before having verified the value to be in the valid range.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd_cli: Add dpp_listen and dpp_stop_listen
  Author: Jouni Malinen | Date: 2017-12-11 | Files: 1 | Lines: -0/+18

  Now that hostapd exposes the DPP_LISTEN and DPP_STOP_LISTEN commands similarly to wpa_supplicant, expose these through proper hostapd_cli commands as well to match wpa_cli functionality.

  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Android: Set CONFIG_NO_RANDOM_POOL=y
  Author: Jeff Vander Stoep | Date: 2017-12-09 | Files: 2 | Lines: -1/+7

  wpa_supplicant's random pool is not necessary on Android. Randomness is already provided by the entropymixer service which ensures sufficient entropy is maintained across reboots. Commit b410eb1913 'Initialize /dev/urandom earlier in boot' seeds /dev/urandom with that entropy before either wpa_supplicant or hostapd are run.

  Signed-off-by: Jeff Vander Stoep <jeffv@google.com>