path: root/hostapd
Commit message | Author | Age | Files | Lines
* hostapd: Validate the country_code parameter value | Sriram R | 2 days | 1 | -0/+7
  cfg80211/regulatory supports only ISO 3166-1 alpha2 country code and that's what this parameter is supposed to use, so validate the country code input before accepting the value. Only characters A..Z are accepted.
  Signed-off-by: Sriram R <srirrama@codeaurora.org>
* hostapd: Add support for DFS channels in CHAN_SWITCH | Sergey Matyukevich | 3 days | 1 | -0/+59
  Enable support for DFS channels in the CHAN_SWITCH command. Perform CAC instead of CSA if DFS channel is selected. Then restart normal AP operations.
  Note that the current implementation provides a simplified approach. It does not check if the selected DFS channel block is already in the HOSTAPD_CHAN_DFS_AVAILABLE state. CAC procedure is restarted anyway.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* hostapd: Basic channel check for CHAN_SWITCH parameters | Sergey Matyukevich | 3 days | 1 | -0/+97
  Implement channel sanity check for the CHAN_SWITCH command. Verify provided values for bandwidth, frequencies, and secondary channel offset. Reject requested channel switch operation if basic constraints on frequencies and bandwidth are not fulfilled.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* Add a hostapd testing option for skipping association pruning | Jouni Malinen | 4 days | 1 | -0/+2
  The new skip_prune_assoc=1 parameter can be used to configure hostapd not to prune associations from other BSSs operated by the same process when a station associates with another BSS. This can be helpful in testing roaming cases where association and authorization state is maintained in an AP when the station returns.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Allow AP to require or reject PFS | Jouni Malinen | 4 days | 2 | -0/+16
  The new hostapd configuration parameter dpp_pfs can be used to specify how PFS is applied to associations. The default behavior (dpp_pfs=0) remains same as it was previously, i.e., allow the station to decide whether to use PFS. PFS use can now be required (dpp_pfs=1) or rejected (dpp_pfs=2).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Configurator Connectivity indication | Jouni Malinen | 5 days | 2 | -0/+7
  Add a new hostapd configuration parameter dpp_configurator_connectivity=1 to request Configurator connectivity to be advertised for chirping Enrollees.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add DPP_BOOTSTRAP_SET command | Jouni Malinen | 5 days | 1 | -0/+5
  "DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to set peer specific configurator parameters which will override any global parameters from dpp_configurator_params.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Fix Extended Key ID parameter check | Alexander Wetzel | 7 days | 1 | -2/+2
  Check the new variable to be set instead of the current setting.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Allow hostapd AP to advertise Transition Disable KDE | Jouni Malinen | 7 days | 2 | -0/+19
  The new hostapd configuration parameter transition_disable can now be used to configure the AP to advertise that use of a transition mode is disabled. This allows stations to automatically disable transition mode by disabling less secure network profile parameters.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Support Extended Key ID | Alexander Wetzel | 9 days | 3 | -0/+29
  Support Extended Key ID in hostapd according to IEEE Std 802.11-2016.
  Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing an AP to serve STAs with and without Extended Key ID support in the same BSS.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Allow RSNXE to be removed from Beacon frames for testing purposes | Jouni Malinen | 12 days | 1 | -0/+2
  The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to remove RSNXE from Beacon frames. This can be used to test protection mechanisms for downgrade attacks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow RSNE/RSNXE to be replaced in FT protocol Reassociation Response frame | Jouni Malinen | 2020-03-15 | 1 | -0/+6
  This can be used to test station side behavior for FT protocol validation steps.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes | Jouni Malinen | 2020-03-07 | 1 | -0/+3
  The new hostapd configuration parameter rsne_override_eapol can now be used similarly to the previously added rsnxe_override_eapol to override (replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used for station protocol testing to verify sufficient checks for RSNE modification between the Beacon/Probe Response frames and EAPOL-Key msg 3/4.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Make WEP functionality an optional build parameter | Jouni Malinen | 2020-02-29 | 5 | -0/+30
  WEP should not be used for anything anymore. As a step towards removing it completely, move all WEP related functionality to be within CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y is explicitly set in build configuration.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Simplify wpa_deny_ptk0_rekey documentation | Alexander Wetzel | 2020-02-23 | 1 | -18/+4
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Add wpa_deny_ptk0_rekey to AP get_config() output | Alexander Wetzel | 2020-02-23 | 1 | -0/+8
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* hostapd: Replace UDP ctrl_iface global cookies with per-instance ones | Janusz Dziedzic | 2020-02-23 | 1 | -20/+21
  The cookie values for UDP control interface commands were defined as a static global array. This did not allow multi-BSS test cases to be executed with UDP control interface. For example, after
      hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
      hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')
  hapd1->ping() did not work.
  Move those cookie values to per-instance location in struct hapd_interfaces and struct hostapd_data to fix this.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
* Use IFNAME= prefix for global UDP control interface events | Janusz Dziedzic | 2020-02-23 | 1 | -5/+0
  There does not seem to be a good reason for using the different IFACE= prefix on the UDP control interface. This got added when the UDP interface in wpa_supplicant was extended in commit f0e5d3b5c6c7 ("wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions") and that was then extended to hostapd in commit e9208056856c ("hostapd: Extend global control interface notifications").
  Replace the IFACE= prefix in UDP case with IFNAME= to be consistent with the UNIX domain socket based control interface.
  This fixes a problem when at least one test case fails (hapd_ctrl_sta) when remote/udp is used. This also fixes test_connectivity().
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
* AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround | Alexander Wetzel | 2020-02-23 | 2 | -0/+43
  Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs.
  To allow affected users to mitigate the issues, add a new hostapd configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with disconnection. This requires the station to reassociate to get connected again and as such, can result in connectivity issues as well.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Remove CONFIG_IEEE80211N build option | Jouni Malinen | 2020-02-22 | 5 | -22/+0
  Hardcoded CONFIG_IEEE80211N to be included to clean up implementation. More or less all new devices support IEEE 802.11n (HT) and there is not much need for being able to remove that functionality from the build. Included this unconditionally to get rid of one more build option and to keep things simpler.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd configuration for Beacon protection | Jouni Malinen | 2020-02-17 | 2 | -0/+8
  Add a new hostapd configuration parameter beacon_prot=<0/1> to allow Beacon protection to be enabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix VERSION_STR printf() calls in case the postfix strings include % | Didier Raboud | 2020-02-17 | 1 | -2/+3
  Do not use VERSION_STR directly as the format string to printf() since it is possible for that string to contain '%'.
  Signed-off-by: Didier Raboud <odyx@debian.org>
* HT: Remove SMPS in AP mode | Jouni Malinen | 2020-02-16 | 3 | -11/+0
  SM Power Save was described in somewhat unclear manner in IEEE Std 802.11n-2009 as far as the use of it locally in an AP to save power. That was clarified in IEEE Std 802.11-2016 to allow only a non-AP STA to use SMPS while the AP is required to support an associated STA doing so. The AP itself cannot use SMPS locally and the HT Capability advertisement for this is not appropriate.
  Remove the parts of SMPS support that involve the AP using it locally. In practice, this reverts the following commits:
      04ee647d58a2 ("HT: Let the driver advertise its supported SMPS modes for AP mode")
      8f461b50cfe4 ("HT: Pass the smps_mode in AP parameters")
      da1080d7215f ("nl80211: Advertise and configure SMPS modes")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HE: Extend BSS color support | John Crispin | 2020-02-16 | 2 | -1/+7
  The HE Operation field for BSS color consists of a disabled, a partial, and 6 color bits. The original commit adding support for BSS color considered this to be a u8. This commit changes this to the actual bits/values.
  This adds an explicit config parameter for the partial bit. The disabled is set to 0 implicitly if a bss_color is defined.
  Interoperability testing showed that stations will require a BSS color to be set even if the feature is disabled. Hence the default color is 1 when none is defined inside the config file.
  Signed-off-by: John Crispin <john@phrozen.org>
* WPS: Make it possible to use PSKs loaded from the PSK file | Tomasz Jankowski | 2020-02-15 | 1 | -0/+6
  By default, when the configuration file set wpa_psk_file, hostapd generated a random PSK for each Enrollee provisioned using WPS and appended that PSK to wpa_psk_file.
  Change that behavior by adding a new step. WPS will first try to use a PSK from wpa_psk_file. It will only try PSKs with wps=1 tag. Additionally it'll try to match enrollee's MAC address (if provided). If it fails to find an appropriate PSK, it falls back to generating a new PSK.
  Signed-off-by: Tomasz Jankowski <tomasz.jankowski@plume.com>
* Add GET_PMK for fetching the current PMK for a STA from hostapd | Jouni Malinen | 2020-02-10 | 1 | -0/+31
  This test functionality (CONFIG_TESTING_OPTIONS=y) can be used to fetch the current PMK for a STA.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add ASN.1 support into build | Jouni Malinen | 2020-01-31 | 2 | -3/+13
  This will be needed in following patches to process DPPEnvelopedData.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: NFC negotiated connection handover | Jouni Malinen | 2020-01-27 | 1 | -0/+18
  Add new control interface commands "DPP_NFC_HANDOVER_REQ own=<id> uri=<URI>" and "DPP_NFC_HANDOVER_SEL own=<id> uri=<URI>" to support NFC negotiated connection handover. These commands are used to report a DPP URI received from a peer NFC Device in Handover Request and Handover Select messages. The commands return peer bootstrapping information ID or FAIL on failure. The returned ID is used similarly to any other bootstrapping information to initiate DPP authentication.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OWE: PTK derivation workaround in AP mode | Jouni Malinen | 2020-01-23 | 2 | -0/+15
  Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround parameter can be used to enable workaround for interoperability with stations that use SHA256 with groups 20 and 21. By default, only the appropriate hash function is accepted. When workaround is enabled (owe_ptk_workaround=1), the appropriate hash function is tried first and if that fails, SHA256-based PTK derivation is attempted. This workaround can result in reduced security for groups 20 and 21, but is required for interoperability with older implementations. There is no impact to group 19 behavior.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix a typo in an example configuration file comment | Jouni Malinen | 2020-01-23 | 1 | -1/+1
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix coloc_intf_reporting config param in hostapd in non-OWE builds | Jouni Malinen | 2020-01-23 | 1 | -1/+1
  This has nothing to do with OWE and parsing of this value was not supposed to be within an ifdef CONFIG_OWE block.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Use H2E whenever Password Identifier is used | Jouni Malinen | 2020-01-21 | 1 | -2/+4
  IEEE P802.11-REVmd was modified to require H2E to be used whenever Password Identifier is used with SAE.
  See this document for more details of the approved changes: https://mentor.ieee.org/802.11/dcn/19/11-19-2154-02-000m-sae-anti-clogging-token.docx
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Fix a typo in sample configuration | Daniel Golle | 2020-01-20 | 1 | -1/+1
  'assocition' -> 'association'
  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* tests: Set key_flag when using SET_KEY | Alexander Wetzel | 2020-01-09 | 1 | -3/+15
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Introduce and add key_flag | Alexander Wetzel | 2020-01-09 | 1 | -11/+18
  Add the new set_key() parameter "key_flag" to provide more specific description of what type of a key is being configured. This is needed to be able to add support for "Extended Key ID for Individually Addressed Frames" from IEEE Std 802.11-2016. In addition, this may be used to replace the set_tx boolean eventually once all the driver wrappers have moved to using the new key_flag.
  The following flags are defined:
    KEY_FLAG_MODIFY
      Set when an already installed key must be updated. So far the only use-case is changing RX/TX status of installed keys. Must not be set when deleting a key.
    KEY_FLAG_DEFAULT
      Set when the key is also a default key. Must not be set when deleting a key. (This is the replacement for set_tx.)
    KEY_FLAG_RX
      The key is valid for RX. Must not be set when deleting a key.
    KEY_FLAG_TX
      The key is valid for TX. Must not be set when deleting a key.
    KEY_FLAG_GROUP
      The key is a broadcast or group key.
    KEY_FLAG_PAIRWISE
      The key is a pairwise key.
    KEY_FLAG_PMK
      The key is a Pairwise Master Key (PMK).
  Predefined and needed flag combinations so far are:
    KEY_FLAG_GROUP_RX_TX
      WEP key not used as default key (yet).
    KEY_FLAG_GROUP_RX_TX_DEFAULT
      Default WEP or WPA-NONE key.
    KEY_FLAG_GROUP_RX
      GTK key valid for RX only.
    KEY_FLAG_GROUP_TX_DEFAULT
      GTK key valid for TX only, immediately taking over TX.
    KEY_FLAG_PAIRWISE_RX_TX
      Pairwise key immediately becoming the active pairwise key.
    KEY_FLAG_PAIRWISE_RX
      Pairwise key not yet valid for TX. (Only usable with Extended Key ID support.)
    KEY_FLAG_PAIRWISE_RX_TX_MODIFY
      Enable TX for a pairwise key installed with KEY_FLAG_PAIRWISE_RX.
    KEY_FLAG_RX_TX
      Not a valid standalone key type and can only be used in combination with other flags to mark a key for RX/TX.
  This commit is not changing any functionality. It just adds the new key_flag to all hostapd/wpa_supplicant set_key() functions without using it, yet.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Add vlan_id to driver set_key() operation | Gurumoorthi Gnanasambandhan | 2020-01-08 | 1 | -17/+18
  This is in preparation for adding support to use a single WLAN netdev with VLAN operations offloaded to the driver. No functional changes are included in this commit.
  Signed-off-by: Gurumoorthi Gnanasambandhan <gguru@codeaurora.org>
* WPS: Add application extension data to WPS IE | Bilal Hatipoglu | 2020-01-04 | 2 | -0/+10
  Application Extension attribute is defined in WSC tech spec v2.07 page 104. Allow hostapd to be configured to add this extension into WPS IE in Beacon and Probe Response frames. The implementation is very similar to vendor extension.
  A new optional entry called "wps_application_ext" is added to hostapd config file to configure this. It encodes the payload of the Application Extension attribute in hexdump format.
  Signed-off-by: Veli Demirel <veli.demirel@airties.com>
  Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
* Allow testing override for GTK/IGTK RSC from AP to STA | Jouni Malinen | 2020-01-04 | 1 | -0/+6
  The new hostapd gtk_rsc_override and igtk_rsc_override configuration parameters can be used to set an override value for the RSC that the AP advertises for STAs for GTK/IGTK. The contents of those parameters is a hexdump of the RSC in little endian byte order.
  This functionality is available only in CONFIG_TESTING_OPTIONS=y builds. This can be used to verify that stations implement initial RSC configuration correctly for GTK and IGTK.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Make hostapd_drv_send_mlme() more generic | Jouni Malinen | 2020-01-03 | 1 | -1/+1
  Merge hostapd_drv_send_mlme_csa() functionality into hostapd_drv_send_mlme() to get a single driver ops handler function for hostapd. In addition, add a new no_encrypt parameter in preparation for functionality that is needed to get rid of the separate send_frame() driver op.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* BSD: Use struct ip rather than struct iphdr | Roy Marples | 2020-01-02 | 1 | -17/+21
  As we define __FAVOR_BSD use the BSD IP header. Compile tested on NetBSD, DragonFlyBSD, and Linux.
  Signed-off-by: Roy Marples <roy@marples.name>
* Drop debug print level for informative debug messages | Jouni Malinen | 2020-01-02 | 1 | -1/+1
  These are certainly not error conditions, but normal cases for starting up. Drop the message from ERROR to DEBUG.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* AP: Determine Short SSID value for the BSS | Andrei Otcheretianski | 2019-12-28 | 2 | -0/+2
  This can be used in the future to implement support for RNR and scanning extensions using a shorter field for the SSID.
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* Allow debug log to be written to both syslog and file | Jouni Malinen | 2019-12-28 | 1 | -1/+1
  If hostapd or wpa_supplicant is started with both -s and -f command line arguments, debug log ended up being written only into syslog and the log file was left empty. Change this so that the log entries will be written to both places. Either -s or -f (or both) results in debug log to stdout being disabled which was already the case.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Support showing neighbor list through hostapd_cli | Ben Greear | 2019-12-26 | 2 | -0/+26
  This lets one know the current neighbor list, and could be used to populate the neighbor list of other hostapd processes.
  For instance:
      $ hostapd_cli -i vap0001 show_neighbor
      04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
      $ hostapd_cli -i vap0000 set_neighbor 04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
      OK
      $ hostapd_cli -i vap0000 show_neighbor
      04:f0:21:1e:ae:b0 ssid=04f0211eaeb0af190000802809 nr=04f0211eaeb0af1900008028090603022a00
      04:f0:21:c3:b2:b0 ssid=04f021c3b2b0af190000802809 nr=04f021c3b2b0af1900008028090603022a00
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* Allow removing neighbor DB entries by BSSID alone | Ben Greear | 2019-12-26 | 2 | -21/+11
  Let users delete a neighbor by BSSID alone if they prefer. The underlying code already properly handled a NULL SSID, so just relax the control interface command calling restrictions.
  Signed-off-by: Ben Greear <greearb@candelatech.com>
* Add "reconnect" cmdline argument to hostapd_cli/wpa_cli | Bilal Hatipoglu | 2019-12-25 | 1 | -6/+18
  When the newly added "-r" parameter is used, both clis will try to reconnect forever on connection lost until signalled (ctrl+c) or terminated. This is useful only when used with -a to take action to retrieve events or get status and the cli process stays even if hostapd/wpa_supplicant daemons restart for some reason (e.g., configuration change).
  Signed-off-by: Veli Demirel <veli.demirel@airties.com>
  Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
* More detailed documentation on ieee80211w configuration parameter | Jouni Malinen | 2019-12-23 | 1 | -0/+6
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow non-PSC 6 GHz channels to be excluded from ACS | Ankita Bajaj | 2019-12-20 | 2 | -0/+9
  Add support to exclude non-PSC 6 GHz channels from the input frequency list to ACS. The new acs_exclude_6ghz_non_psc=1 parameter can be used by 6 GHz only APs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow ACS channel list to be configured as frequencies (in MHz) | Ankita Bajaj | 2019-12-20 | 2 | -0/+15
  The channel numbers are duplicated between 2.4 GHz / 5 GHz bands and 6 GHz band. Hence, add support to configure a list of frequencies to ACS (freqlist) instead of a list of channel numbers (chanlist). Also, both 5 GHz and 6 GHz channels are referred by HOSTAPD_MODE_IEEE80211A. The 6 GHz channels alone can be configured by using both mode and frequency list.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE H2E: RSNXE override in EAPOL-Key msg 3/4 | Jouni Malinen | 2019-12-07 | 1 | -0/+3
  This new hostapd configuration parameter rsnxe_override_eapol=<hexdump> can be used to override RSNXE value in EAPOL-Key msg 3/4 for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>