path: root/hostapd
Commit message | Author | Date | Files | Lines
* HE: Add MU EDCA Parameter Set element (AP) | Siva Mullati | 2019-01-08 | 2 files | -0/+116
  Add support for configuring parameters for the MU EDCA Parameter Set element per IEEE P802.11ax/D3.0.
  Signed-off-by: Siva Mullati <siva.mullati@intel.com>
* Use lchown() instead of chown() for self-created files | Jouni Malinen | 2019-01-06 | 1 file | -15/+15
  There is no need to allow symlink dereferencing in these cases where a file (including directories and sockets) is created by the same process, so use the safer lchown() variant to avoid leaving potential windows for something external to replace the file before the chown() call. The particular locations used here should not have write permissions enabled for processes with less privileges, so this may not be needed, but anyway, it is better to make these more restrictive should there be cases where directory permissions are not as expected for a good deployment.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Allow systemwide policies to be overridden | Jouni Malinen | 2019-01-05 | 2 files | -0/+27
  Some distributions (e.g., Debian) have started introducing systemwide OpenSSL policies to disable older protocol versions and ciphers throughout all programs using OpenSSL. This can result in a significant number of interoperability issues with deployed EAP implementations. Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server) parameters to be used to request systemwide policies to be overridden if older versions are needed to be able to interoperate with devices that cannot be updated to support the newer protocol versions or keys.

  The default behavior is not changed here, i.e., the systemwide policies will be followed if no explicit override configuration is used. The overrides should be used only if really needed since they can result in reduced security.

  In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network profile parameter can be used to explicitly enable TLS versions that are disabled in the systemwide configuration. For example, phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter can be used to override systemwide policy, e.g., with openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1 in Debian to allow shorter keys to be used.

  In hostapd, tls_flags parameter can be used to configure similar options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow remote RADIUS authentication with local VLAN management | Nils Nieuwejaar | 2019-01-02 | 1 file | -2/+2
  The documentation in the hostapd.conf file says that the dynamic_vlan variable is used to control whether VLAN assignments are accepted from a RADIUS server. The implication seems to be that a static VLAN assignment will come from the accept_mac_file if dynamic_vlan is set to 0, and a dynamic assignment will come from the RADIUS server if dynamic_vlan is set to 1.

  Instead, I'm seeing that the static settings from the accept_mac_file are ignored if dynamic_vlan is set to 0, but used if dynamic_vlan is set to 1. If dynamic_vlan is set to 1 and the RADIUS server does not provide a VLAN, then the accept_mac_file assignment is overridden and the STA is assigned to the default non-VLANed interface.

  If my understanding of the expected behavior is correct, then I believe the problem is in ap_sta_set_vlan(). That routine checks the dynamic_vlan setting, but has no way of determining whether the incoming vlan_desc is static (i.e., from accept_mac_file) or dynamic (i.e., from a RADIUS server).

  I've attached a patch that gets hostapd working as I believe it's meant to, and updates the documentation to make the implicit behavior explicit. The functional changes are:
  - hostapd_allowed_address() will always extract the vlan_id from the accept_macs file. It will not update the vlan_id from the RADIUS cache if dynamic_vlan is DISABLED.
  - hostapd_acl_recv_radius() will not update the cached vlan_id if dynamic_vlan is DISABLED.
  - ieee802_1x_receive_auth() will not update the vlan_id if dynamic_vlan is DISABLED.

  More cosmetic: Most of the delta is just moving code out of ieee802_1x_receive_auth() into a new ieee802_1x_update_vlan() routine. While I initially did this because the new DISABLED check introduced excessive indentation, it has the added advantage of eliminating the vlan_description allocation and os_memset() call for all DYNAMIC_VLAN_DISABLED configs.

  I've done a couple of rounds of review offline with Michael Braun (who has done much of the work in this part of the code) and incorporated his feedback.

  If dynamic_vlan=0 (disabled), vlan assignments will be managed using the local accept_mac_file ACL file, even if a RADIUS server is being used for user authentication. This allows us to manage users and devices independently.
  Signed-off-by: Nils Nieuwejaar <nils.nieuwejaar@gmail.com>
* hostapd_cli: Add option to send beacon report request | Avraham Stern | 2019-01-02 | 1 file | -0/+9
  This new 'req_beacon' command is useful for testing.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* crypto: Add option to use getrandom() | Lubomir Rintel | 2019-01-01 | 2 files | -0/+8
  According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time:

  "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized."

  An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed. Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded.

  It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively).
  Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
* Update copyright notices for the new year 2019 | Jouni Malinen | 2019-01-01 | 3 files | -5/+5
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OCE: Add RSSI based association rejection support (AP) | Beni Lev | 2019-01-01 | 2 files | -0/+19
  An AP might reject a STA association request due to low RSSI. In such a case, the AP informs the STA of the desired RSSI improvement and a retry timeout. The STA might retry to associate even if the RSSI hasn't improved if the retry timeout expired.
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* hostapd: Add configuration option check_crl_strict | Sam Voss | 2018-12-31 | 2 files | -0/+9
  Add the ability to ignore time-based CRL errors from OpenSSL by specifying a new configuration parameter, check_crl_strict=0. This causes the following:
  - This setting does nothing when CRL checking is not enabled.
  - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does.
  - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections.

  By default, check_crl_strict is set to 1, or strict mode, to keep current functionality.
  Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
* hostapd: Add openssl_ecdh_curves configuration parameter | Hristo Venev | 2018-12-30 | 1 file | -0/+3
  This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc. It should be noted that when using Suite B, a different mechanism is used to specify the allowed ECDH curves and this new parameter must not be used in such cases.
  Signed-off-by: Hristo Venev <hristo@venev.name>
* hostapd: Support for overriding the bridge name per VLAN via vlan_file | Felix Fietkau | 2018-12-21 | 2 files | -2/+14
  This makes it easier to integrate dynamic VLANs in custom network configurations. The bridge name is added after the interface name in the vlan_file line, also separated by whitespace.
  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* DPP: Add self configuration command in hostapd_cli and wpa_cli | Prasad, Jagadeesh (Contractor) | 2018-12-21 | 1 file | -0/+9
  The back-end support for DPP self configuration was already present in hostapd and wpa_supplicant. However, the command to invoke DPP self configuration was not available in hostapd_cli and wpa_cli. Add the command "dpp_configurator_sign" in them.
  Signed-off-by: Prasad, Jagadeesh <Jagadeesh_Prasad@comcast.com>
* DPP: Accept DPP_CONFIGURATION_SIGN without double space before parameters | Jouni Malinen | 2018-12-21 | 1 file | -1/+1
  Make this command more convenient to use by not requiring two space characters between the command and the first parameter.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Add Multi-AP protocol support | Venkateswara Naralasetty | 2018-12-19 | 2 files | -0/+17
  The purpose of the Multi-AP specification is to enable inter-operability across Wi-Fi access points (APs) from different vendors.

  This patch introduces one new configuration parameter 'multi_ap' to enable Multi-AP functionality and to configure the BSS as a backhaul and/or fronthaul BSS. Advertise vendor specific Multi-AP capabilities in (Re)Association Response frame, if Multi-AP functionality is enabled through the configuration parameter.

  A backhaul AP must support receiving both 3addr and 4addr frames from a backhaul STA, so create a VLAN for it just like is done for WDS, i.e., by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never WEP), we can safely call hostapd_set_wds_encryption() as well and we can reuse the entire WDS condition.

  To parse the Multi-AP Extension subelement, we use get_ie(): even though that function is meant for parsing IEs, it works for subelements.
  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Add utility functions to insert OCI elements | Mathy Vanhoef | 2018-12-16 | 2 files | -0/+2
  This commit adds utility functions to insert various encodings of the OCI element.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add hostapd config parameter | Mathy Vanhoef | 2018-12-16 | 2 files | -0/+13
  Add hostapd.conf parameter ocv to disable or enable Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add build configuration for channel validation support | Mathy Vanhoef | 2018-12-16 | 4 files | -0/+16
  Add compilation flags for Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* HS 2.0 server: RADIUS server support for SIM provisioning | Jouni Malinen | 2018-12-15 | 1 file | -0/+3
  This adds support for hostapd-as-RADIUS-authentication-server to request subscription remediation for SIM-based credentials. The new hostapd.conf parameter hs20_sim_provisioning_url is used to set the URL prefix for the remediation server for SIM provisioning. The random hotspot2dot0-mobile-identifier-hash value will be added to the end of this URL prefix and the same value is stored in a new SQLite database table sim_provisioning for the subscription server implementation to use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow Hotspot 2.0 release number to be configured | Jouni Malinen | 2018-12-08 | 1 file | -0/+10
  The new hostapd configuration parameter hs20_release can be used to configure the AP to advertise a specific Hotspot 2.0 release number instead of the latest supported release. This is mainly for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move send_probe_response parameter to BSS specific items | Jouni Malinen | 2018-12-07 | 1 file | -1/+1
  This can be more convenient for testing Multiple BSSID functionality.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Update version to v2.7 and copyright years to include 2018 (tag: hostap_2_7) | Jouni Malinen | 2018-12-02 | 4 files | -5/+60
  Also add the ChangeLog entries for both hostapd and wpa_supplicant to describe main changes between v2.6 and v2.7.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Uncomment CONFIG_LIBNL32=y in defconfig | Jouni Malinen | 2018-12-02 | 1 file | -1/+1
  libnl 3.2 release is much more likely to be used nowadays than the versions using the older API, so uncomment this in wpa_supplicant and hostapd defconfig.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix hostapd testing functionality for setting key/seq | Jouni Malinen | 2018-11-30 | 1 file | -1/+1
  Use sizeof() correctly on seq[].
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix a typo in a comment | Jouni Malinen | 2018-11-25 | 1 file | -1/+1
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix dpp_configurator_get_key command name in hostapd_cli | Damodaran, Rohit (Contractor) | 2018-11-22 | 1 file | -1/+1
  The option to get DPP configurator key in hostapd_cli was named incorrectly. It was wrongly pointing to dpp_configurator_remove. Fix this by using the correct name.
  Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
* OCE: Move OCE checks to IE formation from hostapd initialization | Ankita Bajaj | 2018-10-30 | 1 file | -21/+2
  Earlier, the OCE flags were checked during hostapd initialization. This doesn't address a few cases, for example when the interface is added from the control interface. Move the OCE flag checks to the functions that are forming the MBO/OCE IEs to cover all the different paths for enabling a BSS. Also use macros as appropriate for readability.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WNM: Collocated Interference Reporting | Jouni Malinen | 2018-10-30 | 2 files | -0/+41
  Add support for negotiating WNM Collocated Interference Reporting. This allows hostapd to request associated STAs to report their collocated interference information and wpa_supplicant to process such request and reporting. The actual values (Collocated Interference Report Elements) are out of scope of hostapd and wpa_supplicant, i.e., external components are expected to generate and process these.

  For hostapd/AP, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration. STAs are requested to perform reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report Timeout>" control interface command. The received reports are indicated as control interface events "COLOC-INTF-REPORT <addr> <dialog token> <hexdump of report elements>".

  For wpa_supplicant/STA, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration and setting Collocated Interference Report Elements as a hexdump with "SET coloc_intf_elems <hexdump>" control interface command. The hexdump can contain one or more Collocated Interference Report Elements (each including the information element header). For additional testing purposes, received requests are reported with "COLOC-INTF-REQ <dialog token> <automatic report enabled> <report timeout>" control interface events and unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

  This commit adds support for reporting changes in the collocated interference (Automatic Report Enabled == 1 and partial 3), but not for periodic reports (2 and other part of 3).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WMM: Update WMM parameter advertisement on the fly | Beni Lev | 2018-10-16 | 1 file | -0/+6
  Update the Beacon frame template once WMM parameters have been changed and the AP is already up.
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* HS 2.0: OSU Provider NAI List advertisement | Jouni Malinen | 2018-10-05 | 2 files | -1/+25
  Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be advertised in addition to the previously used OSU Providers list ANQP-element. The new osu_nai2 configurator parameter option is used to specify the OSU_NAI value for the shared BSS (Single SSID) case while osu_nai remains to be used for the separate OSU BSS.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Parse sae_password option when CONFIG_SAE is enabled | Hai Shalom | 2018-09-02 | 1 file | -1/+1
  Call to parse_sae_password was incorrectly depending on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should depend only on the latter.
  Fixes: 2377c1caef77 ("SAE: Allow SAE password to be configured separately (AP)")
  Signed-off-by: Hai Shalom <haishalom@google.com>
* hostapd: SET ht_capab support for disabling 40 MHz bandwidth | Sathishkumar Muruganandam | 2018-08-21 | 1 file | -0/+2
  'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both to be present. Based on the offset + or -, secondary_channel is updated but HT20/VHT20 mode can be brought up only from config file and can't be done using the SET command when the current HT mode is HT40+ or HT40-.

  When managing AP+STA mode from userspace doing hostapd_cli: "disable -> set channel, ht_capab -> enable" sequence, channel switch from HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab limitation.

  Cover this additional case by resetting secondary_channel to 0 for HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.
  Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
* Provide more details of WPA3 modes in hostapd.conf | Jouni Malinen | 2018-08-01 | 1 file | -1/+17
  Clarify that wpa=2 (i.e., RSN) is used for WPA3 and list previously undocumented wpa_key_mgmt values.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Add DAC implementation in hostapd (AS) | Jouni Malinen | 2018-06-22 | 1 file | -0/+5
  The new DAC_REQUEST control interface command can now be used to request hostapd to send out Disconnect-Request and CoA-Request packets for an existing session.

  DAC_REQUEST <disconnect|coa> <MAC Address> [t_c_clear]
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS: Allow 0.0.0.0 to be used as wildcard radius_das_client | Jouni Malinen | 2018-06-22 | 1 file | -0/+2
  This allows hostapd DAS to be configured to allow any DAC (with the matching shared secret) to send Disconnect-Request and CoA-Request packets.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* RADIUS server: Add current_sessions SQLite table | Jouni Malinen | 2018-06-22 | 1 file | -0/+10
  This can be used to track active sessions, e.g., for the purpose of issuing RADIUS DAS commands (Disconnect-Request or CoA-Request).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Move Terms and Conditions Server URL generation from AP to AS | Jouni Malinen | 2018-06-21 | 1 file | -1/+2
  This makes it more convenient to generate the URL in a way that interoperates between different vendors. The AP is simply copying the already constructed URL as-is from Access-Accept to WNM-Notification. This means that the HO AAA can generate the URL in a manner that works for the associated T&C Server without having to coordinate with each AP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Add key management value FT-EAP-SHA384 for hostapd | Jouni Malinen | 2018-06-05 | 2 files | -2/+14
  This allows hostapd to be configured to use the SHA384-based FT AKM.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Allow OSEN connection to be enabled in an RSN BSS | Jouni Malinen | 2018-05-29 | 1 file | -0/+4
  This allows a single BSS/SSID to be used for both data connection and OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd server: Add support for salted password databases | Dan Harkins | 2018-05-28 | 1 file | -0/+75
  These changes add support for salted password databases to EAP-pwd per RFC 8146. This commit introduces the framework for enabling this and the salting mechanisms based on SHA-1, SHA256, and SHA512 hash algorithms.
  Signed-off-by: Dan Harkins <dharkins@lounge.org>
* SAE: Add support for using the optional Password Identifier | Jouni Malinen | 2018-05-19 | 2 files | -4/+83
  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Fix CHAN_SWITCH command for VHT20 and VHT40 | Sathishkumar Muruganandam | 2018-05-15 | 1 file | -0/+5
  Previously, hostapd CHAN_SWITCH command did not affect VHT configuration for the following:

  When VHT is currently disabled (ieee80211ac=0),
  1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
     ====> Comes up in HT40
  2. hostapd_cli -p /var/run/hostapd chan_switch 10 5765 sec_channel_offset=-1 center_freq1=5775 bandwidth=40 vht
     ====> Comes up in HT40
  3. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 bandwidth=20 vht
     ====> Comes up in HT20

  When VHT is currently enabled (ieee80211ac=1),
  1. hostapd_cli -p /var/run/hostapd chan_switch 10 5180 sec_channel_offset=1 center_freq1=5190 bandwidth=40 ht
     ====> Comes up in VHT40
  2. hostapd_cli -p /var/run/hostapd chan_switch 10 5200 center_freq1=5200 bandwidth=20 ht
     ====> Comes up in VHT20

  This is since VHT config from chan_switch is processed only for bandwidths 80 and above (80P80, 160) and for VHT20, VHT40 cases, only NLA chan type and chan width are updated. There is no NL attribute for determining if it is HT or VHT for bandwidths 20 & 40 and currently they are updated as HT20, HT40 (+ or - depending on offset). Same is notified back via NL80211_CMD_CH_SWITCH_NOTIFY.

  Instead of adding new NL attribute for tracking HT/VHT enabled config, we are adding new hostapd VHT config parameter to save the chan_switch config and use only for chan_switch case of VHT20 and VHT40.

  Tested with all combinations of chan_switch (noHT->20->40->80->) HT/VHT and confirmed to be working.
  Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
* wolfSSL: Remove aes-omac1.o from hostapd build | Sean Parkinson | 2018-05-02 | 1 file | -0/+2
  Avoid duplicated omac1_*() functions when building hostapd with wolfSSL.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* EAP-TLS server: Disable TLS v1.3 by default | Jouni Malinen | 2018-05-01 | 1 file | -0/+7
  The current EAP peer implementation is not yet ready for the TLS v1.3 changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for this EAP method for now. While the current EAP-TLS implementation is more or less complete for TLS v1.3, there has been no interoperability testing with other implementations, so disable it by default for now until there has been a chance to confirm that no significant interoperability issues show up with the TLS version update.

  tls_flags=[ENABLE-TLSv1.3] configuration parameter can be used to enable TLS v1.3 (assuming the TLS library supports it; e.g., when using OpenSSL 1.1.1).
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TLS: Extend TLS version config to allow TLS v1.3 to be disabled | Jouni Malinen | 2018-05-01 | 1 file | -0/+2
  This may be needed to avoid interoperability issues with the new protocol version and significant changes for EAP use cases in both key derivation and handshake termination.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Maintain a database of pending T&C acceptance sessions | Jouni Malinen | 2018-04-30 | 1 file | -0/+5
  The new SQLite table pending_tc is used to maintain a list of sessions that need to accept Terms and Conditions. This information can be used on an external Terms and Conditions server to map the incoming MAC address information into user identity.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions testing feature in authentication server | Jouni Malinen | 2018-04-26 | 1 file | -1/+2
  Allow hostapd RADIUS authentication server with SQLite EAP user DB to be used for testing Terms and Conditions functionality. This could be used for the HO AAA part of functionality (merging HO AAA and SP AAA into a single component to avoid separate RADIUS proxy in testing setup). A T&C server with HTTPS processing is needed to allow this to be used for full over-the-air testing. This commit adds sufficient functionality to allow hwsim test cases to cover the RADIUS server part.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Send Terms and Conditions Acceptance notification | Jouni Malinen | 2018-04-23 | 2 files | -0/+10
  This extends hostapd Access-Accept processing to check if the RADIUS server indicated that Terms and Conditions Acceptance is required. The new hs20_t_c_server_url parameter is used to specify the server URL template that the STA is requested to visit. This commit does not enable any kind of filtering, i.e., only the part of forwarding a request from Access-Accept to the STA using WNM-Notification is covered.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Terms and Conditions attributes in Access-Request messages | Jouni Malinen | 2018-04-23 | 2 files | -0/+17
  This extends hostapd with two new configuration parameters (hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify that the Terms and Conditions attributes are to be added into all Access-Request messages for Hotspot 2.0 STAs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow configuration of operator icons | Jouni Malinen | 2018-04-17 | 2 files | -1/+30
  This extends hostapd Hotspot 2.0 implementation to allow operator icons to be made available. The existing hs20_icon parameter is used to define the icons and the new operator_icon parameter (zero or more entries) is used to specify which of the available icons are operator icons. The operator icons are advertised in the Operator Icon Metadata ANQP-element while the icon data can be fetched using the same mechanism (icon request/binary file) that was added for the OSU Providers icons.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix building nt_password_hash with gnutls | Andrey Utkin | 2018-04-15 | 1 file | -3/+2
  Even with CONFIG_TLS=gnutls CONFIG_CRYPTO=gnutls in .config, nt_password_hash was linked with libcrypto instead of libgcrypt, which caused linkage failure.
  Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>