path: root/hostapd
Commit message | Author | Age | Files | Lines
* Remove CONFIG_IEEE80211W build parameter (Jouni Malinen, 2019-09-08; 7 files; -88/+0)
  Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Configurable maximum number of authentication message rounds (Jouni Malinen, 2019-09-01; 2 files; -0/+10)
  Allow the previously hardcoded maximum numbers of EAP message rounds to be configured in the hostapd EAP server. This can be used, e.g., to increase the default limits if very large X.509 certificates are used for EAP authentication.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Add support for requiring user and machine credentials (Jouni Malinen, 2019-08-24; 1 file; -0/+1)
  The new eap_teap_id=5 hostapd configuration parameter value can be used to configure the EAP-TEAP server to request and require user and machine credentials within the tunnel. This can be done either with Basic Password Authentication or with inner EAP authentication methods.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Allow a specific Identity-Type to be requested/required (Jouni Malinen, 2019-08-19; 2 files; -0/+10)
  The new hostapd configuration parameter eap_teap_id can be used to configure the expected behavior for the used identity type.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Testing mechanism for Result TLV in a separate message (Jouni Malinen, 2019-08-16; 2 files; -0/+7)
  The new eap_teap_separate_result=1 hostapd configuration parameter can be used to test a TEAP exchange where the Intermediate-Result TLV and Crypto-Binding TLV are sent in one message exchange while the Result TLV exchange is done after that in a separate message exchange.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add TLS-PRF using HMAC with P_SHA384 for TEAP (Jouni Malinen, 2019-08-16; 2 files; -0/+10)
  This version of TLS PRF is needed when using TEAP with TLS ciphersuites that are defined to use SHA384 instead of SHA256.
  Signed-off-by: Jouni Malinen <j@w1.fi>
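The PRF the commit above refers to, as an added example that is not hostapd's implementation: the TLS 1.2 PRF from RFC 5246 Section 5 with the P_hash selectable between SHA-256 and SHA-384, and the TEAP IMCK derivation from RFC 7170 Section 5.2 computed with the PRF hash of the negotiated cipher suite. The cipher suite name to hash mapping helper, the key material and the label used in the generic test are this example's own constructions.

```python
"""TLS 1.2 PRF (RFC 5246, Section 5) with a selectable P_hash.

Added example, not hostapd's implementation. TEAP derives its keys with the TLS
PRF of the negotiated TLS version, so with a *_SHA384 cipher suite P_SHA384 has
to be used; a server that always used P_SHA256 would derive different keys from
the peer and the Crypto-Binding TLV check would fail.
"""
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_<hash>(secret, seed) = HMAC(secret, A(1) + seed) + HMAC(secret, A(2) + seed) + ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)); truncated to length bytes."""
    digestmod = getattr(hashlib, hash_name)
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digestmod).digest()
        out += hmac.new(secret, a + seed, digestmod).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed). RFC 5246 uses
    SHA-256 unless the cipher suite specifies another hash (RFC 5289: SHA-384)."""
    if hash_name not in ("sha256", "sha384"):
        raise ValueError("TLS 1.2 PRF is defined here only for sha256 and sha384")
    return p_hash(hash_name, secret, label + seed, length)


def prf_hash_for_suite(suite):
    """Select the PRF hash from an IANA-style cipher suite name (example helper).
    Suites ending in _SHA384, e.g. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, use P_SHA384."""
    return "sha384" if suite.endswith("_SHA384") else "sha256"


def teap_imck(s_imck_prev, imsk, suite):
    """RFC 7170 Section 5.2:
    IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j], 60),
    where TLS-PRF is the PRF negotiated in the TLS handshake, hence the hash choice."""
    return tls12_prf(s_imck_prev, b"Inner Methods Compound Keys", imsk, 60,
                     prf_hash_for_suite(suite))


# Constructed key material for demonstration; not from any real session.
S_IMCK0 = bytes(range(40))
IMSK = bytes.fromhex("a0ba9f936cda311827a6f796ffd5198c" * 2)

if __name__ == "__main__":
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"):
        print(suite, prf_hash_for_suite(suite), teap_imck(S_IMCK0, IMSK, suite).hex())
```

Running the block shows that the same S-IMCK and IMSK give two unrelated 60-octet IMCK values depending on the suite, which is exactly the interoperability failure an implementation without P_SHA384 would hit against a peer that negotiated a SHA384 suite.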
* Fix a typo in hostapd config documentation (Jouni Malinen, 2019-08-11; 1 file; -1/+1)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix check_crl_strict documentation (Jouni Malinen, 2019-08-11; 1 file; -1/+1)
  The OpenSSL error codes used here were for certificates, not CRLs. Fix that to refer to the CRL being expired or not yet valid.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Preparations for v2.8 release [tag hostap_2_9] (Jouni Malinen, 2019-08-07; 1 file; -0/+24)
  Update the version number for the build and also add the ChangeLog entries for both hostapd and wpa_supplicant to describe the main changes between v2.7 and v2.8.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled (Jouni Malinen, 2019-08-01; 2 files; -0/+9)
  The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Extra RADIUS request attributes from SQLite (Terry Burton, 2019-07-30; 2 files; -0/+14)
  Add an SQLite table for defining a per-station-MAC-address version of the radius_auth_req_attr/radius_acct_req_attr information. Create the necessary table and index where they do not exist.
  Select attributes from the table keyed by station MAC address and request type (auth or acct), parse them and apply them to a RADIUS message.
  Add the radius_req_attr_sqlite hostapd config option for the SQLite database file. Open/close the RADIUS attribute database for the lifetime of a BSS and invoke functions to add extra attributes during RADIUS auth and accounting request generation.
  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* Move hostapd_parse_radius_attr() into ap_config.c (Terry Burton, 2019-07-30; 1 file; -77/+0)
  We will want to parse RADIUS attributes in config file format when retrieving them from an SQLite database.
  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* OpenSSL: Allow two server certificates/keys to be configured on server (Jouni Malinen, 2019-07-12; 2 files; -0/+26)
  The hostapd EAP server can now be configured with two separate server certificates/keys to enable parallel operations using both RSA and ECC public keys. The server will pick which one to use based on the client preferences for the cipher suite (in the TLS ClientHello message).
  It should be noted that a number of deployed EAP peer implementations do not filter out the cipher suite list based on their local configuration and as such, configuration of alternative types of certificates on the server may result in interoperability issues.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170) (Jouni Malinen, 2019-07-09; 6 files; -0/+59)
  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved.
  This does not yet support use of the NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove obsolete defconfig notes regarding EAP-FAST support in OpenSSL (Jouni Malinen, 2019-07-09; 1 file; -3/+0)
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Shorter TX/RX test frame support for hostapd (Jouni Malinen, 2019-06-03; 1 file; -12/+35)
  wpa_supplicant already included support for this, but the hostapd DATA_TEST_* commands did not yet have support for using a shorter test frame. This is needed for MACsec testing.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd (leiwei, 2019-06-03; 1 file; -0/+9)
  Signed-off-by: leiwei <leiwei@codeaurora.org>
* macsec: Add configuration parameters for hostapd (leiwei, 2019-06-03; 2 files; -0/+137)
  Signed-off-by: leiwei <leiwei@codeaurora.org>
* HE: Make the basic NSS/MCS configurable (John Crispin, 2019-05-27; 2 files; -0/+8)
  Add a config option to allow setting a custom Basic NSS/MCS set. As a default we use single stream HE-MCS 0-7.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* HE: Add HE channel management configuration options (John Crispin, 2019-05-27; 2 files; -0/+11)
  These are symmetric with the VHT ones.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* hostapd_cli: Add update_beacon command (Alona Solntseva, 2019-05-25; 1 file; -0/+9)
  Add the ability to use UPDATE_BEACON with hostapd_cli. The option has been exposed in ctrl_iface already.
  Signed-off-by: Alona Solntseva <alona.solntseva@tandemg.com>
  Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
* HE: Fix typo srp -> spr in hostapd configuration parameters (John Crispin, 2019-05-04; 2 files; -8/+8)
  The initial commit used srp instead of spr for the spatial reuse configuration prefix.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: Add airtime policy configuration support (Toke Høiland-Jørgensen, 2019-05-02; 4 files; -0/+112)
  This adds support to hostapd for configuring airtime policy settings for stations as they connect to the access point. This is the userspace component of the airtime policy enforcement system PoliFi described in this paper: https://arxiv.org/abs/1902.03439
  The Linux kernel part has been merged into mac80211 for the 5.1 dev cycle.
  The configuration mechanism has three modes: static, dynamic and limit. In static mode, weights can be set in the configuration file for individual MAC addresses, which will be applied when the configured stations connect. In dynamic mode, weights are instead set per BSS, which will be scaled by the number of active stations on that BSS, achieving the desired aggregate weighting between the configured BSSes. Limit mode works like dynamic mode, except that any BSS *not* marked as 'limited' is allowed to exceed its configured share if a per-station fairness share would assign more airtime to that BSS. See the paper for details on these modes.
  Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* HE: Fix he_bss_color documentation (Jouni Malinen, 2019-04-25; 1 file; -4/+2)
  This field needs to be set to a value within the 1-63 range, i.e., 0 is not a valid value and does not indicate that BSS color is disabled. B7 of the BSS Color octet is used to indicate that the BSS Color is _temporarily_ disabled, but that is something that would happen automatically based on detecting a collision in the used BSS colors and not something that would be configured.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share common SAE and EAP-pwd functionality: suitable groups (Jouni Malinen, 2019-04-25; 2 files; -0/+12)
  Start sharing common SAE and EAP-pwd functionality by adding a new source code file that can be included into both. This first step is bringing in a shared function to check whether a group is suitable.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HE: Add Spatial Reuse Parameter Set element to the Beacon frames (John Crispin, 2019-04-25; 2 files; -0/+14)
  SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA thresholds. For this to work the AP needs to broadcast the element first.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* DPP2: hostapd as TCP Relay (Jouni Malinen, 2019-04-22; 1 file; -0/+35)
  The new hostapd configuration parameter dpp_controller can now be used with the following subparameter values: ipaddr=<IP address> pkhash=<hexdump>. This adds a new Controller into the configuration (i.e., more than one can be configured) and all incoming DPP exchanges that match the specified Controller public key hash are relayed to the particular Controller.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add configuration structure to dpp_global_init() (Jouni Malinen, 2019-04-21; 1 file; -1/+6)
  This can be used to provide configurable parameters to the global DPP context. This initial commit introduces the msg_ctx context pointer for wpa_msg().
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Preparations for v2.8 release [tag hostap_2_8] (Jouni Malinen, 2019-04-21; 1 file; -0/+55)
  Update the version number for the build and also add the ChangeLog entries for both hostapd and wpa_supplicant to describe the main changes between v2.7 and v2.8.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix hostapd BSS_TM_REQ handling of bss_term parameter (Jouni Malinen, 2019-04-15; 1 file; -1/+1)
  The TSF field in BSS termination information was not cleared correctly. It was supposed to be cleared to all zeros, but the memset call did not point at offset 2; instead, it cleared it with 0x02 octets and also cleared the subelement header with 0x02 octets while leaving the last two octets uninitialized.
  Fixes: a30dff07fb18 ("Add BSS_TM_REQ command to send BSS Transition Management Request")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Reduce minimum beacon interval from 15 to 10 TUs (Brendan Jackman, 2019-04-06; 1 file; -3/+4)
  Very short beacon intervals can be useful for certain scenarios such as minimising association time on PBSSs. Linux supports a minimum of 10 [1] so let's reduce the minimum to match that.
  [1] https://elixir.bootlin.com/linux/latest/ident/cfg80211_validate_beacon_int
  Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
* DPP: Common configurator/bootstrapping data management (Jouni Malinen, 2019-03-24; 2 files; -13/+22)
  Merge the practically copy-pasted implementations in wpa_supplicant and hostapd into a single shared implementation in dpp.c for managing configurator and bootstrapping information. This avoids unnecessary code duplication and provides a convenient location for adding new global DPP data.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Make DPP version number support available over control interface (Jouni Malinen, 2019-03-14; 1 file; -0/+31)
  "GET_CAPABILITY dpp" can now be used to determine which version number of DPP is supported in the build.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Build configuration flags for DPP version 2 support (Jouni Malinen, 2019-03-13; 2 files; -0/+6)
  The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is used to control whether new functionality defined after the DPP specification v1.0 is included. All such functionality is considered experimental and subject to change without notice and as such, not suitable for production use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Add 'check_cert_subject' support for TLS server (Jared Bents, 2019-03-11; 2 files; -0/+36)
  This patch adds 'check_cert_subject' support to match the value of every field against the DN of the subject in the client certificate. If the values do not match, the certificate verification will fail and will reject the user.
  This option allows hostapd to match every individual field in the right order, and also allows the '*' character as a wildcard (e.g., OU=Development*).
  Note: hostapd will match the string up to the 'wildcard' against the DN of the subject in the client certificate for every individual field.
  Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
  Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
  Signed-off-by: Jouni Malinen <j@w1.fi>
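The matching rule described in this commit, as an added example that is not hostapd's code: fields are compared in order, each field is an exact match unless the pattern ends in '*', in which case only the part before the wildcard has to match as a prefix. The "/C=US/O=Example/OU=Development*/CN=alice" pattern syntax, the requirement that the subject has exactly the pattern's fields in the pattern's order, and the sample subject DN are this example's assumptions; in practice the (type, value) pairs come from the client certificate's parsed subject name.

```python
"""Match a client certificate subject DN against a check_cert_subject-style pattern.

Added example, not hostapd's implementation. Assumed pattern syntax:
    /C=US/O=Example/OU=Development*/CN=alice
Fields are matched positionally; a trailing '*' makes that field a prefix match.
"""


def parse_dn(text):
    """Split "/C=US/O=Example/CN=alice" into an ordered list of (type, value).
    Values containing '/' are not supported by this simplified parser."""
    fields = []
    for part in text.strip("/").split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DN field: %r" % part)
        rdn_type, value = part.split("=", 1)
        fields.append((rdn_type.strip(), value))
    return fields


def field_matches(pattern, value):
    """Exact match, or prefix match when the pattern ends with '*'.
    Only a single trailing '*' is a wildcard; a '*' anywhere else is literal,
    so "OU=Development*" matches "Development Team" and "DevelopmentContractors"."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def subject_matches(pattern_dn, subject_fields):
    """Return (ok, reason). Every pattern field must match the subject field at the
    same position, and the field counts must agree (this example's assumption), so
    a subject with an extra or missing RDN is rejected rather than partially matched."""
    pattern_fields = parse_dn(pattern_dn)
    if len(pattern_fields) != len(subject_fields):
        return False, "field count differs: pattern has %d, subject has %d" % (
            len(pattern_fields), len(subject_fields))
    for (ptype, pvalue), (stype, svalue) in zip(pattern_fields, subject_fields):
        if ptype != stype:
            return False, "field type mismatch: expected %s, got %s" % (ptype, stype)
        if not field_matches(pvalue, svalue):
            return False, "%s=%s does not match %s=%s" % (stype, svalue, ptype, pvalue)
    return True, "subject matches"


# Constructed client certificate subject, in the order the RDNs appear in the cert.
SAMPLE_SUBJECT = [("C", "US"), ("O", "Example"), ("OU", "Development Team"), ("CN", "alice")]

if __name__ == "__main__":
    for pattern in ("/C=US/O=Example/OU=Development*/CN=alice",
                    "/C=US/O=Example/OU=Development/CN=alice",
                    "/O=Example/C=US/OU=Development*/CN=alice"):
        print(pattern, subject_matches(pattern, SAMPLE_SUBJECT))
```

The practical caveat this makes visible is that the wildcard is a prefix, not a glob: "OU=Development*" also admits "OU=DevelopmentContractors", so the prefix should be chosen so that no unintended unit shares it, and "CN=*" accepts any common name.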
* WPS: Allow AP SAE configuration to be added automatically for PSK (Jouni Malinen, 2019-03-06; 2 files; -0/+10)
  The new hostapd configuration parameter wps_cred_add_sae=1 can be used to request hostapd to add SAE configuration whenever WPS is used to configure the AP to use WPA2-PSK and the credential includes a passphrase (instead of PSK). This can be used to enable WPA3-Personal transition mode with both SAE and PSK enabled and PMF enabled for PSK and required for SAE associations.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Enable only group 19 by default in AP mode (Jouni Malinen, 2019-03-05; 1 file; -5/+9)
  Change the AP mode default for SAE to enable only group 19 instead of enabling all ECC groups that are supported by the used crypto library and the SAE implementations. The main reason for this is to avoid enabling groups that are not as strong as the mandatory-to-support group 19 (i.e., groups 25 and 26). In addition, this disables heavier groups by default.
  In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24 based on the "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the MODP groups were already disabled by default and would have needed explicit configuration to be allowed.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Add README-MULTI-AP (Arnout Vandecappelle (Essensium/Mind), 2019-02-18; 1 file; -0/+160)
  Document what hostapd and wpa_supplicant do for Multi-AP. This is only included in hostapd, since a Multi-AP device is always an access point so it should have hostapd.
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* hostapd: Support Multi-AP backhaul STA onboarding with WPS (Davina Lu, 2019-02-18; 2 files; -0/+59)
  The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a backhaul STA through WPS. To enable this, the WPS Registrar offers a different set of credentials (backhaul credentials instead of fronthaul credentials) when the Multi-AP subelement is present in the WFA vendor extension element of the WSC M1 message.
  Add new configuration options to specify the backhaul credentials for the hostapd internal registrar: multi_ap_backhaul_ssid, multi_ap_backhaul_wpa_psk, multi_ap_backhaul_wpa_passphrase. These are only relevant for a fronthaul SSID, i.e., where multi_ap is set to 2 or 3. When these options are set, pass the backhaul credentials instead of the normal credentials when the Multi-AP subelement is present. Ignore the Multi-AP subelement if the backhaul config options are not set. Note that for an SSID which is fronthaul and backhaul at the same time (i.e., multi_ap == 3), this results in the correct credentials being sent anyway.
  The security to be used for the backhaul BSS is fixed to WPA2PSK. The Multi-AP Specification only allows Open and WPA2PSK networks to be configured. Although not stated explicitly, the backhaul link is intended to be always encrypted, hence WPA2PSK.
  To build the credentials, the credential-building code is essentially copied and simplified. Indeed, the backhaul credentials are always WPA2PSK and never use per-device PSK. All the options set for the fronthaul BSS WPS are simply ignored.
  Signed-off-by: Davina Lu <ylu@quantenna.com>
  Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
* SAE: VLAN assignment based on SAE Password Identifier (Jouni Malinen, 2019-02-17; 2 files; -9/+25)
  The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to assign stations to a specific VLAN based on which SAE Password Identifier they use. This is similar to the WPA2-Enterprise case where the RADIUS server can assign stations to different VLANs and the WPA2-Personal case where the vlanid parameter in wpa_psk_file is used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Document openssl_ecdh_curves configuration parameter (Hristo Venev, 2019-02-17; 1 file; -0/+13)
  Signed-off-by: Hristo Venev <hristo@venev.name>
* VLAN assignment based on used WPA/WPA2 passphrase/PSK (Jouni Malinen, 2019-02-14; 2 files; -0/+5)
  Extend wpa_psk_file to allow an optional VLAN ID to be specified with a "vlanid=<VLAN ID>" prefix on the line. If a VLAN ID is specified and the particular wpa_psk_file entry is used for a station, that station is bound to the specified VLAN. This can be used to operate a single WPA2-Personal BSS with multiple VLANs based on the used passphrase/PSK. This is similar to the WPA2-Enterprise case where the RADIUS server can assign stations to different VLANs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HE: Fix set_he_cap() parsing of config options for MU EDCA Params (Jouni Malinen, 2019-02-11; 1 file; -1/+17)
  When I replaced the POS() function with ffs() when applying relevant parts from the original patch, this ended up breaking the frame construction since the POS() function was supposed to count the bit offset for the mask with 0 being the LSB instead of 1 returned by ffs(). Furthermore, ffs() is not available in all C libraries (e.g., not directly exposed by strings.h on Android), so better not depend on that or compiler builtins for this since there is no need for this to be as fast as possible in configuration parsing.
  Fix this with a simple function to determine the number of bits the value needs to be shifted left to align with the mask.
  Fixes: 11ce7a1bc3e2 ("HE: Add MU EDCA Parameter Set element (AP)")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* crl_reload_interval: Add CRL reloading support (Jared Bents, 2019-01-27; 2 files; -1/+14)
  This patch adds a new flag 'crl_reload_interval' to reload the CRL periodically. This can be used to reload the ca_cert file and the included CRL information on every new TLS session if the difference between the last reload and the current time in seconds is greater than crl_reload_interval. This reloading is used for cases where check_crl is 1 or 2 and the CRL is included in the ca_file.
  Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
  Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
* AP: Add wpa_psk_file reloading in runtime (Michal Kazior, 2019-01-26; 2 files; -0/+69)
  The wpa_psk_file can now be modified and hostapd can be told to re-read it with the control interface RELOAD_WPA_PSK command:
    $ hostapd_cli reload_wpa_psk
  It must be noted that special care must be taken if WPS is configured (wps_state=2, eap_server=1) because WPS appends PMKs to the wpa_psk_file.
  Signed-off-by: Michal Kazior <michal@plume.com>
* AP: Allow identifying which passphrase station used with wpa_psk_file (Michal Kazior, 2019-01-26; 1 file; -0/+3)
  It is now possible to optionally specify a keyid for each wpa_psk_file entry:
    keyid=something 00:00:00:00:00:00 secretpassphrase
  When a station connects and the passphrase it used has an associated keyid, it will be appended to the AP-STA-CONNECTED event string:
    wlan0: AP-STA-CONNECTED 00:36:76:21:dc:7b keyid=something
  It is also possible to retrieve it through the control interface:
    $ hostapd_cli all_sta
    Selected interface 'ap0'
    00:36:76:21:dc:7b
    ...
    keyid=something
  A new hostapd is able to read an old wpa_psk_file. However, an old hostapd will not be able to read the new wpa_psk_file if it includes keyids.
  Signed-off-by: Michal Kazior <michal@plume.com>
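The wpa_psk_file format described in this commit (keyid=) and in the "VLAN assignment based on used WPA/WPA2 passphrase/PSK" commit above (vlanid=), as an added example that is not hostapd's parser: it parses the file, derives the PSK each passphrase entry yields for the BSS's SSID, and resolves which entry a station matched so that its VLAN and keyid can be reported. Assumptions of this example: the two prefixes may appear in either order, 00:00:00:00:00:00 matches any station, a passphrase is 8 to 63 characters and a 64 hex digit token is a raw PSK, station-specific entries are tried before wildcard ones, and the SSID "example-ssid" and every entry in the sample file are constructed.

```python
"""Parse a hostapd wpa_psk_file with optional keyid= / vlanid= prefixes and resolve
which entry a connecting station matched.

Added example, not hostapd's own parser. Assumed entry format:
    [keyid=<id>] [vlanid=<VLAN ID>] <MAC address> <passphrase | 64 hex digit PSK>
with 00:00:00:00:00:00 matching any station.
"""
import hashlib
import re

ANY_STA = "00:00:00:00:00:00"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
HEX_DIGITS = set("0123456789abcdefABCDEF")

# Constructed sample file; none of these are real credentials.
SAMPLE_PSK_FILE = """\
# guests land on VLAN 20, staff on VLAN 10; one printer has a fixed raw PSK
keyid=guests vlanid=20 00:00:00:00:00:00 guestnetwork2019
keyid=printer 00:11:22:33:44:55 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
vlanid=10 keyid=staff 00:00:00:00:00:00 staffonlypassphrase
"""
SAMPLE_SSID = "example-ssid"


def passphrase_to_psk(passphrase, ssid):
    """WPA/WPA2-Personal PSK derivation: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def parse_wpa_psk_file(text, ssid):
    """Return entries as dicts with mac, psk (32 bytes), keyid and vlanid.
    A malformed line raises ValueError instead of being skipped, so a bad edit
    cannot silently drop or widen an entry when the file is reloaded."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        keyid = None
        vlanid = None
        # Optional name=value prefixes, accepted in any order (example's assumption).
        while tokens and "=" in tokens[0]:
            name, value = tokens.pop(0).split("=", 1)
            if name == "keyid":
                keyid = value
            elif name == "vlanid":
                vlanid = int(value)
            else:
                raise ValueError("line %d: unknown prefix %r" % (lineno, name))
        if len(tokens) != 2:
            raise ValueError("line %d: expected <MAC> <passphrase|PSK>" % lineno)
        mac, secret = tokens[0].lower(), tokens[1]
        if not MAC_RE.match(mac):
            raise ValueError("line %d: bad MAC address %r" % (lineno, mac))
        if len(secret) == 64 and set(secret) <= HEX_DIGITS:
            psk = bytes.fromhex(secret)                 # raw 256-bit PSK
        elif 8 <= len(secret) <= 63:
            psk = passphrase_to_psk(secret, ssid)       # ASCII passphrase
        else:
            raise ValueError("line %d: passphrase must be 8..63 chars or 64 hex digits" % lineno)
        entries.append({"mac": mac, "psk": psk, "keyid": keyid, "vlanid": vlanid})
    return entries


def lookup(entries, sta_mac, proven_psk):
    """Return the entry a station matched, or None. In the 4-way handshake the AP
    learns which candidate PSK the station holds by checking the EAPOL-Key MIC
    against each one; here that is modelled by comparing against proven_psk.
    Station-specific entries are tried before wildcard ones (this example's choice)."""
    sta_mac = sta_mac.lower()
    for mac in (sta_mac, ANY_STA):
        for entry in entries:
            if entry["mac"] == mac and entry["psk"] == proven_psk:
                return entry
    return None


def connected_event(iface, sta_mac, entry):
    """Build the AP-STA-CONNECTED line the commit describes, with keyid when present."""
    line = "%s: AP-STA-CONNECTED %s" % (iface, sta_mac)
    if entry and entry["keyid"]:
        line += " keyid=%s" % entry["keyid"]
    return line


if __name__ == "__main__":
    table = parse_wpa_psk_file(SAMPLE_PSK_FILE, SAMPLE_SSID)
    hit = lookup(table, "aa:bb:cc:dd:ee:ff", passphrase_to_psk("staffonlypassphrase", SAMPLE_SSID))
    print(connected_event("wlan0", "aa:bb:cc:dd:ee:ff", hit), "vlanid=%s" % hit["vlanid"])
```

Because every entry is reduced to a 32-byte PSK before matching, two passphrases that differ in text but collide in PSK cannot occur in practice, but two lines with the same passphrase and different vlanid or keyid will always resolve to whichever comes first in the lookup order, so the file should be checked for duplicate secrets before a RELOAD_WPA_PSK.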
* tests: Use python3 compatible print statement (Masashi Honma, 2019-01-26; 1 file; -25/+25)
  This patch is made by using the 2to3 command.
    $ find . -name *.py | xargs 2to3 -f print -w -n
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* tests: Use python3 compatible "except" statement (Masashi Honma, 2019-01-26; 1 file; -6/+6)
  This patch is made by using the 2to3 command.
    $ find . -name *.py | xargs 2to3 -f except -w -n
  Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* FILS: Remove notes about experimental implementation (Jouni Malinen, 2019-01-22; 1 file; -2/+0)
  The standard amendment has been published and there has been a sufficient amount of interoperability testing for FILS to expect the protocol not to be changed anymore, so remove the notes claiming this to be experimental and not suitable for production use.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Add support for setting pbss option from config file (Ian Archer, 2019-01-21; 1 file; -0/+2)
  There is currently no support for setting hostapd_bss_config.pbss from a config file, i.e., it was used only based on automatic logic in wpa_supplicant. This patch adds a key naturally called "pbss" which can be used to set it.
  Cc: Antony King <antony.king@bluwirelesstechnology.com>
  Signed-off-by: Brendan Jackman <brendan.jackman@bluwirelesstechnology.com>