path: root/hostapd/config_file.c
Commit log (subject; author, age, files changed, lines -/+):
* AP: Add op_class config item to specify 6 GHz channels uniquely
  (Liangwei Dong, 31 hours, 1 file, -0/+2)

  Add hostapd config option "op_class" for fixed channel selection along with existing "channel" option. "op_class" and "channel" config options together can specify channels across 2.4 GHz, 5 GHz, and 6 GHz bands uniquely.

  Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* SAE: Add sae_pwe configuration parameter for hostapd
  (Jouni Malinen, 31 hours, 1 file, -0/+2)

  This parameter can be used to specify which PWE derivation mechanism(s) is enabled. This commit is only introducing the new parameter; actual use of it will be addressed in separate commits.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Allow AP behavior for SAE Confirm to be configured
  (Jouni Malinen, 6 days, 1 file, -0/+2)

  hostapd is by default waiting for the STA to send SAE Confirm before sending the SAE Confirm. This can now be configured with sae_confirm_immediate=1 resulting in hostapd sending out SAE Confirm immediately after sending SAE Commit. These are the two different message sequences:

  sae_confirm_immediate=0
    STA->AP: SAE Commit
    AP->STA: SAE Commit
    STA->AP: SAE Confirm
    AP->STA: SAE Confirm
    STA->AP: Association Request
    AP->STA: Association Response

  sae_confirm_immediate=1
    STA->AP: SAE Commit
    AP->STA: SAE Commit
    AP->STA: SAE Confirm
    STA->AP: SAE Confirm
    STA->AP: Association Request
    AP->STA: Association Response

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Add EDMG channel configuration parameters
  (Alexei Avshalom Lazar, 9 days, 1 file, -0/+4)

  Add two new configuration parameters for hostapd:
    enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
    edmg_channel: Configure channel bonding for AP mode in the 60 GHz band

  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request
  (Jouni Malinen, 2019-09-18, 1 file, -0/+6)

  The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove IAPP functionality from hostapd
  (Jouni Malinen, 2019-09-11, 1 file, -2/+1)

  IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been maintained nor is there any expectation of the withdrawn trial-use recommended practice to be maintained in the future. Furthermore, implementation of IAPP in hostapd was not complete, i.e., only parts of the recommended practice were included. The main item of some real use a long time ago was the Layer 2 Update frame to update bridges when a STA roams within an ESS, but that functionality has, in practice, been moved to kernel drivers to provide better integration with the networking stack.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211W build parameter
  (Jouni Malinen, 2019-09-08, 1 file, -4/+0)

  Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Configurable maximum number of authentication message rounds
  (Jouni Malinen, 2019-09-01, 1 file, -0/+4)

  Allow the previously hardcoded maximum numbers of EAP message rounds to be configured in hostapd EAP server. This can be used, e.g., to increase the default limits if very large X.509 certificates are used for EAP authentication.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Allow a specific Identity-Type to be requested/required
  (Jouni Malinen, 2019-08-19, 1 file, -0/+2)

  The new hostapd configuration parameter eap_teap_id can be used to configure the expected behavior for used identity type.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Testing mechanism for Result TLV in a separate message
  (Jouni Malinen, 2019-08-16, 1 file, -0/+2)

  The new eap_teap_separate_result=1 hostapd configuration parameter can be used to test TEAP exchange where the Intermediate-Result TLV and Crypto-Binding TLV are sent in one message exchange while the Result TLV exchange is done after that in a separate message exchange.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled
  (Jouni Malinen, 2019-08-01, 1 file, -0/+2)

  The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Extra RADIUS request attributes from SQLite
  (Terry Burton, 2019-07-30, 1 file, -0/+3)

  Add an SQLite table for defining a per-station MAC address version of radius_auth_req_attr/radius_acct_req_attr information. Create the necessary table and index where this doesn't exist. Select attributes from the table keyed by station MAC address and request type (auth or acct), parse and apply to a RADIUS message.

  Add radius_req_attr_sqlite hostapd config option for SQLite database file. Open/close RADIUS attribute database for the lifetime of a BSS and invoke functions to add extra attributes during RADIUS auth and accounting request generation.

  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* Move hostapd_parse_radius_attr() into ap_config.c
  (Terry Burton, 2019-07-30, 1 file, -77/+0)

  We will want to parse RADIUS attributes in config file format when retrieving them from an SQLite database.

  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* OpenSSL: Allow two server certificates/keys to be configured on server
  (Jouni Malinen, 2019-07-12, 1 file, -0/+9)

  hostapd EAP server can now be configured with two separate server certificates/keys to enable parallel operations using both RSA and ECC public keys. The server will pick which one to use based on the client preferences for the cipher suite (in the TLS ClientHello message). It should be noted that a number of deployed EAP peer implementations do not filter out the cipher suite list based on their local configuration and as such, configuration of alternative types of certificates on the server may result in interoperability issues.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170)
  (Jouni Malinen, 2019-07-09, 1 file, -0/+14)

  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved.

  This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* macsec: Add configuration parameters for hostapd
  (leiwei, 2019-06-03, 1 file, -0/+87)

  Signed-off-by: leiwei <leiwei@codeaurora.org>
* HE: Make the basic NSS/MCS configurable
  (John Crispin, 2019-05-27, 1 file, -0/+2)

  Add a config option to allow setting a custom Basic NSS/MCS set. As a default we use single stream HE-MCS 0-7.

  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* HE: Add HE channel management configuration options
  (John Crispin, 2019-05-27, 1 file, -0/+6)

  These are symmetric with the VHT ones.

  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* HE: Fix typo srp -> spr in hostapd configuration parameters
  (John Crispin, 2019-05-04, 1 file, -4/+4)

  The initial commit used srp instead of spr for the spatial reuse configuration prefix.

  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: Add airtime policy configuration support
  (Toke Høiland-Jørgensen, 2019-05-02, 1 file, -0/+68)

  This adds support to hostapd for configuring airtime policy settings for stations as they connect to the access point. This is the userspace component of the airtime policy enforcement system PoliFi described in this paper: https://arxiv.org/abs/1902.03439

  The Linux kernel part has been merged into mac80211 for the 5.1 dev cycle.

  The configuration mechanism has three modes: Static, dynamic and limit. In static mode, weights can be set in the configuration file for individual MAC addresses, which will be applied when the configured stations connect. In dynamic mode, weights are instead set per BSS, which will be scaled by the number of active stations on that BSS, achieving the desired aggregate weighing between the configured BSSes. Limit mode works like dynamic mode, except that any BSS *not* marked as 'limited' is allowed to exceed its configured share if a per-station fairness share would assign more airtime to that BSS. See the paper for details on these modes.

  Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* HE: Add Spatial Reuse Parameter Set element to the Beacon frames
  (John Crispin, 2019-04-25, 1 file, -0/+8)

  SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA thresholds. For this to work the AP needs to broadcast the element first.

  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* DPP2: hostapd as TCP Relay
  (Jouni Malinen, 2019-04-22, 1 file, -0/+35)

  The new hostapd configuration parameter dpp_controller can now be used with the following subparameter values: ipaddr=<IP address> pkhash=<hexdump>. This adds a new Controller into the configuration (i.e., more than one can be configured) and all incoming DPP exchanges that match the specified Controller public key hash are relayed to the particular Controller.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Reduce minimum beacon interval from 15 to 10 TUs
  (Brendan Jackman, 2019-04-06, 1 file, -3/+4)

  Very short beacon intervals can be useful for certain scenarios such as minimising association time on PBSSs. Linux supports a minimum of 10[1] so let's reduce the minimum to match that.

  [1] https://elixir.bootlin.com/linux/latest/ident/cfg80211_validate_beacon_int

  Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
* OpenSSL: Add 'check_cert_subject' support for TLS server
  (Jared Bents, 2019-03-11, 1 file, -0/+10)

  This patch adds 'check_cert_subject' support to match the value of every field against the DN of the subject in the client certificate. If the values do not match, the certificate verification will fail and will reject the user. This option allows hostapd to match every individual field in the right order, and also allows the '*' character as a wildcard (e.g., OU=Development*).

  Note: hostapd will match the string up to the 'wildcard' against the DN of the subject in the client certificate for every individual field.

  Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
  Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
  Signed-off-by: Jouni Malinen <j@w1.fi>
* WPS: Allow AP SAE configuration to be added automatically for PSK
  (Jouni Malinen, 2019-03-06, 1 file, -0/+2)

  The new hostapd configuration parameter wps_cred_add_sae=1 can be used to request hostapd to add SAE configuration whenever WPS is used to configure the AP to use WPA2-PSK and the credential includes a passphrase (instead of PSK). This can be used to enable WPA3-Personal transition mode with both SAE and PSK enabled and PMF enabled for PSK and required for SAE associations.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Support Multi-AP backhaul STA onboarding with WPS
  (Davina Lu, 2019-02-18, 1 file, -0/+50)

  The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a backhaul STA through WPS. To enable this, the WPS Registrar offers a different set of credentials (backhaul credentials instead of fronthaul credentials) when the Multi-AP subelement is present in the WFA vendor extension element of the WSC M1 message.

  Add new configuration options to specify the backhaul credentials for the hostapd internal registrar: multi_ap_backhaul_ssid, multi_ap_backhaul_wpa_psk, multi_ap_backhaul_wpa_passphrase. These are only relevant for a fronthaul SSID, i.e., where multi_ap is set to 2 or 3. When these options are set, pass the backhaul credentials instead of the normal credentials when the Multi-AP subelement is present. Ignore the Multi-AP subelement if the backhaul config options are not set. Note that for an SSID which is fronthaul and backhaul at the same time (i.e., multi_ap == 3), this results in the correct credentials being sent anyway.

  The security to be used for the backhaul BSS is fixed to WPA2PSK. The Multi-AP Specification only allows Open and WPA2PSK networks to be configured. Although not stated explicitly, the backhaul link is intended to be always encrypted, hence WPA2PSK.

  To build the credentials, the credential-building code is essentially copied and simplified. Indeed, the backhaul credentials are always WPA2PSK and never use per-device PSK. All the options set for the fronthaul BSS WPS are simply ignored.

  Signed-off-by: Davina Lu <ylu@quantenna.com>
  Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
  Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
* SAE: VLAN assignment based on SAE Password Identifier
  (Jouni Malinen, 2019-02-17, 1 file, -0/+8)

  The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to assign stations to a specific VLAN based on which SAE Password Identifier they use. This is similar to the WPA2-Enterprise case where the RADIUS server can assign stations to different VLANs and the WPA2-Personal case where vlanid parameter in wpa_psk_file is used.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* HE: Fix set_he_cap() parsing of config options for MU EDCA Params
  (Jouni Malinen, 2019-02-11, 1 file, -1/+17)

  When I replaced the POS() function with ffs() when applying relevant parts from the original patch, this ended up breaking the frame construction since the POS() function was supposed to count the bit offset for the mask with 0 being the LSB instead of 1 returned by ffs(). Furthermore, ffs() is not available in all C libraries (e.g., not directly exposed by strings.h on Android), so better not depend on that or compiler builtins for this since there is no need for this to be as fast as possible in configuration parsing.

  Fix this with a simple function to determine the number of bits the value needs to be shifted left to align with the mask.

  Fixes: 11ce7a1bc3e2 ("HE: Add MU EDCA Parameter Set element (AP)")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
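The off-by-one this commit describes, shown as an added C example that is not hostapd's own code: a portable shift-to-mask helper counting from 0 at the LSB, beside the ffs()-based variant it replaces, packed into a constructed 4-bit field mask (the mask values are assumptions for illustration, not the MU EDCA element layout).

```c
#include <stdint.h>
#include <stdio.h>
#include <strings.h> /* ffs(): the non-portable call the commit moves away from */

/*
 * Number of positions a value must be shifted left to land in the field
 * selected by mask, i.e. the index of the lowest set bit with 0 = LSB.
 * A plain loop is enough: this runs once per config line, not per frame.
 */
static unsigned int mask_shift(uint32_t mask)
{
	unsigned int shift = 0;

	if (mask == 0)
		return 0; /* degenerate mask: nothing to align with */
	while (!(mask & 1)) {
		mask >>= 1;
		shift++;
	}
	return shift;
}

/* Pack a parsed config value into the field described by mask. */
static uint32_t set_field(uint32_t reg, uint32_t mask, uint32_t val)
{
	return (reg & ~mask) | ((val << mask_shift(mask)) & mask);
}

/*
 * Buggy variant: ffs() numbers bits from 1, so the value lands one bit
 * too high and its top bit is dropped by the mask.
 */
static uint32_t set_field_ffs(uint32_t reg, uint32_t mask, uint32_t val)
{
	int shift = ffs((int) mask); /* 1-based, 0 if mask == 0 */

	return (reg & ~mask) | ((val << shift) & mask);
}

/* Constructed example: a 4-bit field occupying bits 4..7 of an octet. */
#define DEMO_FIELD_MASK 0xF0u

int main(void)
{
	uint32_t val = 0x5; /* value as it would be parsed from hostapd.conf */

	printf("mask_shift(0x%02X) = %u\n", DEMO_FIELD_MASK,
	       mask_shift(DEMO_FIELD_MASK));
	printf("correct: 0x%02X  ffs-based: 0x%02X\n",
	       set_field(0, DEMO_FIELD_MASK, val),
	       set_field_ffs(0, DEMO_FIELD_MASK, val));
	return 0;
}
```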
* crl_reload_interval: Add CRL reloading support
  (Jared Bents, 2019-01-27, 1 file, -0/+2)

  This patch adds a new flag 'crl_reload_interval' to reload CRL periodically. This can be used to reload ca_cert file and the included CRL information on every new TLS session if difference between the last reload and the current time in seconds is greater than crl_reload_interval. This reloading is used for cases where check_crl is 1 or 2 and the CRL is included in the ca_file.

  Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
  Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
* hostapd: Add support for setting pbss option from config file
  (Ian Archer, 2019-01-21, 1 file, -0/+2)

  There is currently no support for setting hostapd_bss_config.pbss from a config file, i.e., it was used only based on automatic logic in wpa_supplicant. This patch adds a key naturally called "pbss" which can be used to set it.

  Cc: Antony King <antony.king@bluwirelesstechnology.com>
  Signed-off-by: Brendan Jackman <brendan.jackman@bluwirelesstechnology.com>
* HE: Add MU EDCA Parameter Set element (AP)
  (Siva Mullati, 2019-01-08, 1 file, -0/+92)

  Add support for configuring parameters for the MU EDCA Parameter Set element per IEEE P802.11ax/D3.0.

  Signed-off-by: Siva Mullati <siva.mullati@intel.com>
* OpenSSL: Allow systemwide policies to be overridden
  (Jouni Malinen, 2019-01-05, 1 file, -0/+6)

  Some distributions (e.g., Debian) have started introducing systemwide OpenSSL policies to disable older protocol versions and ciphers throughout all programs using OpenSSL. This can result in a significant number of interoperability issues with deployed EAP implementations. Allow explicit wpa_supplicant (EAP peer) and hostapd (EAP server) parameters to be used to request systemwide policies to be overridden if older versions are needed to be able to interoperate with devices that cannot be updated to support the newer protocol versions or keys.

  The default behavior is not changed here, i.e., the systemwide policies will be followed if no explicit override configuration is used. The overrides should be used only if really needed since they can result in reduced security.

  In wpa_supplicant, tls_disable_tlsv1_?=0 value in the phase1 network profile parameter can be used to explicitly enable TLS versions that are disabled in the systemwide configuration. For example, phase1="tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0" would request TLS v1.0 and TLS v1.1 to be enabled even if the systemwide policy enforces TLS v1.2 as the minimum version. Similarly, openssl_ciphers parameter can be used to override systemwide policy, e.g., with openssl_ciphers="DEFAULT@SECLEVEL=1" to drop from security level 2 to 1 in Debian to allow shorter keys to be used.

  In hostapd, tls_flags parameter can be used to configure similar options. E.g., tls_flags=[ENABLE-TLSv1.0][ENABLE-TLSv1.1]

  Signed-off-by: Jouni Malinen <j@w1.fi>
* OCE: Add RSSI based association rejection support (AP)
  (Beni Lev, 2019-01-01, 1 file, -0/+4)

  An AP might reject a STA association request due to low RSSI. In such case, the AP informs the STA the desired RSSI improvement and a retry timeout. The STA might retry to associate even if the RSSI hasn't improved if the retry timeout expired.

  Signed-off-by: Beni Lev <beni.lev@intel.com>
* hostapd: Add configuration option check_crl_strict
  (Sam Voss, 2018-12-31, 1 file, -0/+2)

  Add the ability to ignore time-based CRL errors from OpenSSL by specifying a new configuration parameter, check_crl_strict=0. This causes the following:

  - This setting does nothing when CRL checking is not enabled.
  - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does.
  - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections.

  By default, check_crl_strict is set to 1, or strict mode, to keep current functionality.

  Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>
* hostapd: Add openssl_ecdh_curves configuration parameter
  (Hristo Venev, 2018-12-30, 1 file, -0/+3)

  This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc. It should be noted that when using Suite B, a different mechanism is used to specify the allowed ECDH curves and this new parameter must not be used in such cases.

  Signed-off-by: Hristo Venev <hristo@venev.name>
* hostapd: Support for overriding the bridge name per VLAN via vlan_file
  (Felix Fietkau, 2018-12-21, 1 file, -2/+13)

  This makes it easier to integrate dynamic VLANs in custom network configurations. The bridge name is added after the interface name in the vlan_file line, also separated by whitespace.

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: Add Multi-AP protocol support
  (Venkateswara Naralasetty, 2018-12-19, 1 file, -0/+10)

  The purpose of Multi-AP specification is to enable inter-operability across Wi-Fi access points (APs) from different vendors.

  This patch introduces one new configuration parameter 'multi_ap' to enable Multi-AP functionality and to configure the BSS as a backhaul and/or fronthaul BSS. Advertise vendor specific Multi-AP capabilities in (Re)Association Response frame, if Multi-AP functionality is enabled through the configuration parameter.

  A backhaul AP must support receiving both 3addr and 4addr frames from a backhaul STA, so create a VLAN for it just like is done for WDS, i.e., by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never WEP), we can safely call hostapd_set_wds_encryption() as well and we can reuse the entire WDS condition.

  To parse the Multi-AP Extension subelement, we use get_ie(): even though that function is meant for parsing IEs, it works for subelements.

  Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
  Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* OCV: Add hostapd config parameter
  (Mathy Vanhoef, 2018-12-16, 1 file, -0/+6)

  Add hostapd.conf parameter ocv to disable or enable Operating Channel Verification (OCV) support.

  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* HS 2.0 server: RADIUS server support for SIM provisioning
  (Jouni Malinen, 2018-12-15, 1 file, -0/+3)

  This adds support for hostapd-as-RADIUS-authentication-server to request subscription remediation for SIM-based credentials. The new hostapd.conf parameter hs20_sim_provisioning_url is used to set the URL prefix for the remediation server for SIM provisioning. The random hotspot2dot0-mobile-identifier-hash value will be added to the end of this URL prefix and the same value is stored in a new SQLite database table sim_provisioning for the subscription server implementation to use.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: Allow Hotspot 2.0 release number to be configured
  (Jouni Malinen, 2018-12-08, 1 file, -0/+10)

  The new hostapd configuration parameter hs20_release can be used to configure the AP to advertise a specific Hotspot 2.0 release number instead of the latest supported release. This is mainly for testing purposes.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move send_probe_response parameter to BSS specific items
  (Jouni Malinen, 2018-12-07, 1 file, -1/+1)

  This can be more convenient for testing Multiple BSSID functionality.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WNM: Collocated Interference Reporting
  (Jouni Malinen, 2018-10-30, 1 file, -0/+2)

  Add support for negotiating WNM Collocated Interference Reporting. This allows hostapd to request associated STAs to report their collocated interference information and wpa_supplicant to process such request and reporting. The actual values (Collocated Interference Report Elements) are out of scope of hostapd and wpa_supplicant, i.e., external components are expected to generate and process these.

  For hostapd/AP, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration. STAs are requested to perform reporting with "COLOC_INTF_REQ <addr> <Automatic Report Enabled> <Report Timeout>" control interface command. The received reports are indicated as control interface events "COLOC-INTF-REPORT <addr> <dialog token> <hexdump of report elements>".

  For wpa_supplicant/STA, this mechanism is enabled by setting coloc_intf_reporting=1 in configuration and setting Collocated Interference Report Elements as a hexdump with "SET coloc_intf_elems <hexdump>" control interface command. The hexdump can contain one or more Collocated Interference Report Elements (each including the information element header). For additional testing purposes, received requests are reported with "COLOC-INTF-REQ <dialog token> <automatic report enabled> <report timeout>" control interface events and unsolicited reports can be sent with "COLOC_INTF_REPORT <hexdump>".

  This commit adds support for reporting changes in the collocated interference (Automatic Report Enabled == 1 and partial 3), but not for periodic reports (2 and other part of 3).

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HS 2.0: OSU Provider NAI List advertisement
  (Jouni Malinen, 2018-10-05, 1 file, -0/+21)

  Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be advertised in addition to the previously used OSU Providers list ANQP-element. The new osu_nai2 configurator parameter option is used to specify the OSU_NAI value for the shared BSS (Single SSID) case while osu_nai remains to be used for the separate OSU BSS.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Parse sae_password option when CONFIG_SAE is enabled
  (Hai Shalom, 2018-09-02, 1 file, -1/+1)

  Call to parse_sae_password was incorrectly depending on CONFIG_TESTING_OPTIONS and CONFIG_SAE. Should depend only on the latter.

  Fixes: 2377c1caef77 ("SAE: Allow SAE password to be configured separately (AP)")
  Signed-off-by: Hai Shalom <haishalom@google.com>
* hostapd: SET ht_capab support for disabling 40 MHz bandwidth
  (Sathishkumar Muruganandam, 2018-08-21, 1 file, -0/+2)

  'hostapd_cli SET ht_capab' only checked for [HT40+] or [HT40-] or both to be present. Based on the offset + or -, secondary_channel is updated but HT20/VHT20 mode can be brought up only from config file and can't be done using the SET command when the current HT mode is HT40+ or HT40-.

  When managing AP+STA mode from userspace doing hostapd_cli: "disable -> set channel, ht_capab -> enable" sequence, channel switch from HT40/VHT40 to HT20/VHT20 was not possible with this SET ht_capab limitation.

  Cover this additional case by resetting secondary_channel to 0 for HT20/VHT20 when ht_capab has neither [HT40+] nor [HT40-] present.

  Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
* FT: Add key management value FT-EAP-SHA384 for hostapd
  (Jouni Malinen, 2018-06-05, 1 file, -1/+5)

  This allows hostapd to be configured to use the SHA384-based FT AKM.

  Signed-off-by: Jouni Malinen <j@w1.fi>
* HS 2.0: Allow OSEN connection to be enabled in an RSN BSS
  (Jouni Malinen, 2018-05-29, 1 file, -0/+4)

  This allows a single BSS/SSID to be used for both data connection and OSU. Instead of hostapd configuration osen=1, wpa_key_mgmt=OSEN (or more likely, wpa_key_mgmt=WPA-EAP OSEN) is used to enable this new option.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-pwd server: Add support for salted password databases
  (Dan Harkins, 2018-05-28, 1 file, -0/+75)

  These changes add support for salted password databases to EAP-pwd per RFC 8146. This commit introduces the framework for enabling this and the salting mechanisms based on SHA-1, SHA256, and SHA512 hash algorithms.

  Signed-off-by: Dan Harkins <dharkins@lounge.org>
* SAE: Add support for using the optional Password Identifier
  (Jouni Malinen, 2018-05-19, 1 file, -2/+62)

  This extends the SAE implementation in both infrastructure and mesh BSS cases to allow an optional Password Identifier to be used. This uses the mechanism added in P802.11REVmd/D1.0. The Password Identifier is configured in a wpa_supplicant network profile as a new string parameter sae_password_id. In hostapd configuration, the existing sae_password parameter has been extended to allow the password identifier (and also a peer MAC address) to be set. In addition, multiple sae_password entries can now be provided to hostapd to allow multiple per-peer and per-identifier passwords to be set.

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* EAP-TLS server: Disable TLS v1.3 by default
  (Jouni Malinen, 2018-05-01, 1 file, -0/+7)

  The current EAP peer implementation is not yet ready for the TLS v1.3 changes with EAP-TTLS, EAP-PEAP, and EAP-FAST, so disable TLS v1.3 for this EAP method for now. While the current EAP-TLS implementation is more or less complete for TLS v1.3, there has been no interoperability testing with other implementations, so disable it by default for now until there has been a chance to confirm that no significant interoperability issues show up with TLS version update.

  tls_flags=[ENABLE-TLSv1.3] configuration parameter can be used to enable TLS v1.3 (assuming the TLS library supports it; e.g., when using OpenSSL 1.1.1).

  Signed-off-by: Jouni Malinen <j@w1.fi>