path: root/hostapd/config_file.c
Commit log (subject [author, age, files changed, lines -/+], followed by the commit message):
* SAE-PK: Add support to skip sae_pk password check for testing purposes  [Shaakir Mohamed, 11 days ago, 1 file, -1/+7]
  Add support to skip the sae_pk password check under the compile flag CONFIG_TESTING_OPTIONS, which allows the AP to be configured with sae_pk enabled but a password that is invalid for sae_pk.
  Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
* EAP-TEAP (server): Allow Phase 2 skip based on client certificate  [Jouni Malinen, 2020-06-20, 1 file, -1/+1]
  eap_teap_auth=2 can now be used to configure hostapd to skip Phase 2 if the peer can be authenticated based on client certificate during Phase 1.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove unused enum values  [Jouni Malinen, 2020-06-08, 1 file, -8/+0]
  The last user of these was removed in commit 17fbb751e174 ("Remove user space client MLME") and there is no need to maintain these unused values anymore.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move local TX queue parameter parser into a common file  [Subrat Dash, 2020-06-08, 1 file, -91/+1]
  This allows the same implementation to be used for wpa_supplicant as well.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Testing functionality to allow behavior overrides  [Jouni Malinen, 2020-06-08, 1 file, -0/+4]
  The new sae_commit_status and sae_pk_omit configuration parameters and an extra key at the end of the sae_password pk argument can be used to override SAE-PK behavior for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: AP functionality  [Jouni Malinen, 2020-06-02, 1 file, -0/+41]
  This adds AP side functionality for SAE-PK. The new sae_password configuration parameters can now be used to enable SAE-PK mode whenever SAE is enabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Allow OCI channel to be overridden for testing (AP)  [Jouni Malinen, 2020-05-29, 1 file, -0/+14]
  Add hostapd configuration parameters oci_freq_override_* to allow the OCI channel information to be overridden for various frames for testing purposes. This can be set in the configuration and also updated during the runtime of a BSS.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Testing override for RSNXE Used subfield in FTE (AP)  [Jouni Malinen, 2020-04-16, 1 file, -0/+2]
  Allow hostapd to be requested to override the RSNXE Used subfield in the FT reassociation case for testing purposes with "ft_rsnxe_used=<0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to 0.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Validate the country_code parameter value  [Sriram R, 2020-03-30, 1 file, -0/+7]
  cfg80211/regulatory supports only ISO 3166-1 alpha2 country codes and that's what this parameter is supposed to use, so validate the country code input before accepting the value. Only characters A..Z are accepted.
  Signed-off-by: Sriram R <srirrama@codeaurora.org>
* Add a hostapd testing option for skipping association pruning  [Jouni Malinen, 2020-03-28, 1 file, -0/+2]
  The new skip_prune_assoc=1 parameter can be used to configure hostapd not to prune associations from other BSSs operated by the same process when a station associates with another BSS. This can be helpful in testing roaming cases where association and authorization state is maintained in an AP when the station returns.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Allow AP to require or reject PFS  [Jouni Malinen, 2020-03-28, 1 file, -0/+10]
  The new hostapd configuration parameter dpp_pfs can be used to specify how PFS is applied to associations. The default behavior (dpp_pfs=0) remains the same as it was previously, i.e., allow the station to decide whether to use PFS. PFS use can now be required (dpp_pfs=1) or rejected (dpp_pfs=2).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
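The validation pattern the commits above add to config_file.c (country_code restricted to A..Z, ft_rsnxe_used and dpp_pfs limited to 0/1/2), shown as an added example that is not hostapd's own code: a minimal key=value line parser that fails closed on a bad value or an unknown key. The struct bss_cfg layout, the function names and the sample configuration text are this example's own assumptions; only the accepted value ranges come from the commit messages.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Hypothetical subset of a per-BSS configuration; field names are this
 * example's own and do not match hostapd's struct hostapd_bss_config. */
struct bss_cfg {
	char country[2];   /* ISO 3166-1 alpha-2, stored without a NUL */
	int ft_rsnxe_used; /* 0 = no override, 1 = override to 1, 2 = override to 0 */
	int dpp_pfs;       /* 0 = station decides, 1 = require PFS, 2 = reject PFS */
};

/* Parse a plain decimal integer constrained to [lo, hi]. Returns 0 and
 * stores the value, or -1 on trailing garbage or an out-of-range value. */
static int parse_int_range(const char *val, int lo, int hi, int *out)
{
	char *end;
	long v;

	if (*val == '\0')
		return -1;
	v = strtol(val, &end, 10);
	if (*end != '\0' || v < lo || v > hi)
		return -1;
	*out = (int) v;
	return 0;
}

/* 1 if val is exactly two characters, both in A..Z. Lower case, digits and
 * longer strings are rejected. Requiring exactly two characters is this
 * example's choice; hostapd keeps a separate country3 setting for the
 * optional third character. */
int country_code_valid(const char *val)
{
	return val[0] >= 'A' && val[0] <= 'Z' &&
	       val[1] >= 'A' && val[1] <= 'Z' &&
	       val[2] == '\0';
}

/* Apply one "key=value" line. Returns 0 on success, -1 on a missing '=',
 * an invalid value or an unknown key (unknown keys are an error rather
 * than silently ignored, so a typo cannot disable a security setting).
 * Comment and empty lines are accepted and ignored. */
int cfg_parse_line(struct bss_cfg *cfg, const char *line)
{
	char buf[128];
	char *eq, *val;

	if (line[0] == '#' || line[0] == '\0')
		return 0;
	if (strlen(line) >= sizeof(buf))
		return -1;
	strcpy(buf, line);
	eq = strchr(buf, '=');
	if (!eq)
		return -1;
	*eq = '\0';
	val = eq + 1;

	if (strcmp(buf, "country_code") == 0) {
		if (!country_code_valid(val))
			return -1;
		memcpy(cfg->country, val, 2);
		return 0;
	}
	if (strcmp(buf, "ft_rsnxe_used") == 0)
		return parse_int_range(val, 0, 2, &cfg->ft_rsnxe_used);
	if (strcmp(buf, "dpp_pfs") == 0)
		return parse_int_range(val, 0, 2, &cfg->dpp_pfs);
	return -1;
}

/* Parse a whole configuration text, one line per '\n'. Returns 0 if every
 * line was accepted, otherwise the 1-based number of the first bad line. */
int cfg_parse_text(struct bss_cfg *cfg, const char *text)
{
	const char *p = text;
	int lineno = 0;

	while (*p) {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t) (nl - p) : strlen(p);
		char line[128];

		lineno++;
		if (len >= sizeof(line))
			return lineno;
		memcpy(line, p, len);
		line[len] = '\0';
		if (cfg_parse_line(cfg, line) < 0)
			return lineno;
		if (!nl)
			break;
		p = nl + 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample configurations, not real deployment files. */
	static const char good[] =
		"# FT and DPP knobs\n"
		"country_code=FI\n"
		"ft_rsnxe_used=2\n"
		"dpp_pfs=1\n";
	static const char bad[] = "country_code=fi\n";
	struct bss_cfg cfg = { { 0, 0 }, 0, 0 };

	printf("good config: first bad line = %d\n", cfg_parse_text(&cfg, good));
	printf("bad config:  first bad line = %d\n", cfg_parse_text(&cfg, bad));
	return 0;
}
```

The same shape applies to any of the 0/1 or 0/1/2 parameters introduced elsewhere in this log: parse the integer with an explicit range, and reject the line instead of clamping or ignoring the value.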
* DPP2: Configurator Connectivity indication  [Jouni Malinen, 2020-03-27, 1 file, -0/+2]
  Add a new hostapd configuration parameter dpp_configurator_connectivity=1 to request Configurator connectivity to be advertised for chirping Enrollees.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Fix Extended Key ID parameter check  [Alexander Wetzel, 2020-03-25, 1 file, -2/+2]
  Check the new variable to be set instead of the current setting.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Allow hostapd AP to advertise Transition Disable KDE  [Jouni Malinen, 2020-03-25, 1 file, -0/+2]
  The new hostapd configuration parameter transition_disable can now be used to configure the AP to advertise that use of a transition mode is disabled. This allows stations to automatically disable transition mode by disabling less secure network profile parameters.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Support Extended Key ID  [Alexander Wetzel, 2020-03-23, 1 file, -0/+10]
  Support Extended Key ID in hostapd according to IEEE Std 802.11-2016. Extended Key ID allows rekeying pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing an AP to serve STAs with and without Extended Key ID support in the same BSS.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Allow RSNXE to be removed from Beacon frames for testing purposes  [Jouni Malinen, 2020-03-20, 1 file, -0/+2]
  The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to remove RSNXE from Beacon frames. This can be used to test protection mechanisms for downgrade attacks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow RSNE/RSNXE to be replaced in FT protocol Reassociation Response frame  [Jouni Malinen, 2020-03-15, 1 file, -0/+6]
  This can be used to test station side behavior for FT protocol validation steps.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes  [Jouni Malinen, 2020-03-07, 1 file, -0/+3]
  The new hostapd configuration parameter rsne_override_eapol can now be used similarly to the previously added rsnxe_override_eapol to override (replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used for station protocol testing to verify sufficient checks for RSNE modification between the Beacon/Probe Response frames and EAPOL-Key msg 3/4.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Make WEP functionality an optional build parameter  [Jouni Malinen, 2020-02-29, 1 file, -0/+6]
  WEP should not be used for anything anymore. As a step towards removing it completely, move all WEP related functionality to be within CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y is explicitly set in build configuration.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround  [Alexander Wetzel, 2020-02-23, 1 file, -0/+9]
  Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects, through long connection freezes, up to leaking clear text MPDUs. To allow affected users to mitigate the issues, add a new hostapd configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with disconnection. This requires the station to reassociate to get connected again and as such, can result in connectivity issues as well.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Remove CONFIG_IEEE80211N build option  [Jouni Malinen, 2020-02-22, 1 file, -4/+0]
  Hardcoded CONFIG_IEEE80211N to be included to clean up implementation. More or less all new devices support IEEE 802.11n (HT) and there is not much need for being able to remove that functionality from the build. Included this unconditionally to get rid of one more build option and to keep things simpler.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd configuration for Beacon protection  [Jouni Malinen, 2020-02-17, 1 file, -0/+2]
  Add a new hostapd configuration parameter beacon_prot=<0/1> to allow Beacon protection to be enabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HT: Remove SMPS in AP mode  [Jouni Malinen, 2020-02-16, 1 file, -8/+0]
  SM Power Save was described in a somewhat unclear manner in IEEE Std 802.11n-2009 as far as the use of it locally in an AP to save power. That was clarified in IEEE Std 802.11-2016 to allow only a non-AP STA to use SMPS while the AP is required to support an associated STA doing so. The AP itself cannot use SMPS locally and the HT Capability advertisement for this is not appropriate. Remove the parts of SMPS support that involve the AP using it locally. In practice, this reverts the following commits:
    04ee647d58a2 ("HT: Let the driver advertise its supported SMPS modes for AP mode")
    8f461b50cfe4 ("HT: Pass the smps_mode in AP parameters")
    da1080d7215f ("nl80211: Advertise and configure SMPS modes")
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HE: Extend BSS color support  [John Crispin, 2020-02-16, 1 file, -1/+4]
  The HE Operation field for BSS color consists of a disabled, a partial, and 6 color bits. The original commit adding support for BSS color considered this to be a u8. This commit changes this to the actual bits/values. This adds an explicit config parameter for the partial bit. The disabled bit is set to 0 implicitly if a bss_color is defined. Interoperability testing showed that stations will require a BSS color to be set even if the feature is disabled. Hence the default color is 1 when none is defined inside the config file.
  Signed-off-by: John Crispin <john@phrozen.org>
* OWE: PTK derivation workaround in AP mode  [Jouni Malinen, 2020-01-23, 1 file, -0/+2]
  Initial OWE implementation used SHA256 when deriving the PTK for all OWE groups. This was supposed to change to SHA384 for group 20 and SHA512 for group 21. The new owe_ptk_workaround parameter can be used to enable a workaround for interoperability with stations that use SHA256 with groups 20 and 21. By default, only the appropriate hash function is accepted. When the workaround is enabled (owe_ptk_workaround=1), the appropriate hash function is tried first and if that fails, SHA256-based PTK derivation is attempted. This workaround can result in reduced security for groups 20 and 21, but is required for interoperability with older implementations. There is no impact to group 19 behavior.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Fix coloc_intf_reporting config param in hostapd in non-OWE builds  [Jouni Malinen, 2020-01-23, 1 file, -1/+1]
  This has nothing to do with OWE and parsing of this value was not supposed to be within an ifdef CONFIG_OWE block.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* WPS: Add application extension data to WPS IE  [Bilal Hatipoglu, 2020-01-04, 1 file, -0/+3]
  Application Extension attribute is defined in WSC tech spec v2.07 page 104. Allow hostapd to be configured to add this extension into WPS IE in Beacon and Probe Response frames. The implementation is very similar to vendor extension. A new optional entry called "wps_application_ext" is added to hostapd config file to configure this. It encodes the payload of the Application Extension attribute in hexdump format.
  Signed-off-by: Veli Demirel <veli.demirel@airties.com>
  Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
* Allow testing override for GTK/IGTK RSC from AP to STA  [Jouni Malinen, 2020-01-04, 1 file, -0/+6]
  The new hostapd gtk_rsc_override and igtk_rsc_override configuration parameters can be used to set an override value for the RSC that the AP advertises for STAs for GTK/IGTK. The contents of those parameters are a hexdump of the RSC in little endian byte order. This functionality is available only in CONFIG_TESTING_OPTIONS=y builds. This can be used to verify that stations implement initial RSC configuration correctly for GTK and IGTK.
  Signed-off-by: Jouni Malinen <j@w1.fi>
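What the override above exercises on the station side, as an added example that is not hostapd's own code: parsing the little-endian RSC hexdump into bytes, recovering the packet number it encodes, and the replay check a STA must apply after installing a GTK with that RSC (a group frame whose PN is not strictly greater than the advertised RSC is dropped). The 8-octet field length and the 6-octet CCMP/GCMP packet number are from IEEE 802.11; the function names and the sample hexdump are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RSC_LEN 8 /* Key RSC field in an EAPOL-Key frame is 8 octets */

static int hex_nibble(char c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	if (c >= 'A' && c <= 'F')
		return c - 'A' + 10;
	return -1;
}

/* Parse the hexdump form of gtk_rsc_override / igtk_rsc_override into raw
 * RSC bytes. Returns the number of bytes decoded (1..RSC_LEN) or -1 on an
 * empty string, odd length, non-hex digit or more than RSC_LEN bytes.
 * Remaining bytes are zeroed so a short value still defines all 8. */
int rsc_parse_hex(const char *hex, uint8_t out[RSC_LEN])
{
	size_t n = strlen(hex), i;

	if (n == 0 || n % 2 || n / 2 > RSC_LEN)
		return -1;
	memset(out, 0, RSC_LEN);
	for (i = 0; i < n / 2; i++) {
		int hi = hex_nibble(hex[2 * i]);
		int lo = hex_nibble(hex[2 * i + 1]);

		if (hi < 0 || lo < 0)
			return -1;
		out[i] = (uint8_t) ((hi << 4) | lo);
	}
	return (int) (n / 2);
}

/* The RSC is little-endian: byte 0 is the least significant octet of the
 * packet number. Only the low 6 octets carry the 48-bit CCMP/GCMP PN; the
 * last two octets are reserved and ignored here. */
uint64_t rsc_to_pn(const uint8_t rsc[RSC_LEN])
{
	uint64_t pn = 0;
	int i;

	for (i = 5; i >= 0; i--)
		pn = (pn << 8) | rsc[i];
	return pn;
}

/* Receiver replay check after installing a group key with this RSC: the
 * replay counter starts at the advertised RSC, so a frame is accepted
 * only if its PN is strictly greater. Returns 1 to accept, 0 to drop. */
int rsc_accepts_pn(const uint8_t rsc[RSC_LEN], uint64_t frame_pn)
{
	return frame_pn > rsc_to_pn(rsc);
}

int main(void)
{
	/* Constructed override value: PN 0x102 written little-endian. */
	uint8_t rsc[RSC_LEN];
	int n = rsc_parse_hex("0201000000000000", rsc);

	printf("decoded %d bytes, PN = %llu\n", n,
	       (unsigned long long) rsc_to_pn(rsc));
	printf("frame PN 0x102 accepted: %d\n", rsc_accepts_pn(rsc, 0x102));
	printf("frame PN 0x103 accepted: %d\n", rsc_accepts_pn(rsc, 0x103));
	return 0;
}
```

A station that ignores the RSC and starts its replay counter at zero would accept a replayed group frame carrying PN 0x100 here; that is the class of bug the override lets a tester catch.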
* Allow non-PSC 6 GHz channels to be excluded from ACS  [Ankita Bajaj, 2019-12-20, 1 file, -0/+2]
  Add support to exclude non-PSC 6 GHz channels from the input frequency list to ACS. The new acs_exclude_6ghz_non_psc=1 parameter can be used by 6 GHz only APs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow ACS channel list to be configured as frequencies (in MHz)  [Ankita Bajaj, 2019-12-20, 1 file, -0/+7]
  The channel numbers are duplicated between the 2.4 GHz / 5 GHz bands and the 6 GHz band. Hence, add support to configure a list of frequencies to ACS (freqlist) instead of a list of channel numbers (chanlist). Also, both 5 GHz and 6 GHz channels are referred to by HOSTAPD_MODE_IEEE80211A. The 6 GHz channels alone can be configured by using both mode and frequency list.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
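The two ACS commits above (freqlist in MHz, and acs_exclude_6ghz_non_psc=1) as one added example that is not hostapd's own code: parse a comma separated frequency list, map 6 GHz frequencies back to channel numbers so the 2.4/5 GHz collision the commit mentions cannot happen, and drop 6 GHz entries that are not Preferred Scanning Channels. The 6 GHz mapping freq = 5950 + 5 * channel and the PSC rule (channels 5, 21, 37, ... 229, every 16th from 5) are from IEEE 802.11ax; the band boundaries, function names and the sample list are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FREQS 64

/* Band classification by centre frequency (MHz) used by this example.
 * 5955..7115 covers 6 GHz channels 1..233 on a 5 MHz grid; the single
 * 5935 MHz channel (channel 2) is deliberately left out. */
enum band { BAND_UNKNOWN, BAND_2GHZ, BAND_5GHZ, BAND_6GHZ };

enum band freq_to_band(int freq)
{
	if (freq >= 2412 && freq <= 2484)
		return BAND_2GHZ;
	if (freq >= 5180 && freq <= 5885)
		return BAND_5GHZ;
	if (freq >= 5955 && freq <= 7115)
		return BAND_6GHZ;
	return BAND_UNKNOWN;
}

/* 6 GHz channel number from frequency (freq = 5950 + 5 * ch). Returns -1
 * outside the 6 GHz band or off the 5 MHz grid. */
int freq_to_6ghz_chan(int freq)
{
	if (freq_to_band(freq) != BAND_6GHZ || (freq - 5950) % 5)
		return -1;
	return (freq - 5950) / 5;
}

/* Preferred Scanning Channels: 20 MHz channels 5, 21, 37, ... 229. */
int is_6ghz_psc(int freq)
{
	int ch = freq_to_6ghz_chan(freq);

	return ch > 0 && (ch - 5) % 16 == 0;
}

/* Parse a "freqlist" value such as "2412,5180,5975" into freqs[].
 * Returns the count, or -1 on a non-numeric entry, a frequency in no
 * known band, or more than MAX_FREQS entries. Rejecting the whole value
 * mirrors failing the configuration line instead of handing ACS an
 * arbitrary number to scan. */
int parse_freqlist(const char *val, int freqs[MAX_FREQS])
{
	const char *p = val;
	int n = 0;

	while (*p) {
		char *end;
		long f = strtol(p, &end, 10);

		if (end == p || (*end != ',' && *end != '\0'))
			return -1;
		if (n >= MAX_FREQS || freq_to_band((int) f) == BAND_UNKNOWN)
			return -1;
		freqs[n++] = (int) f;
		p = *end == ',' ? end + 1 : end;
	}
	return n;
}

/* Apply acs_exclude_6ghz_non_psc=1 in place: 6 GHz entries that are not
 * PSC channels are removed, other bands pass through. Returns new count. */
int exclude_6ghz_non_psc(int freqs[], int n)
{
	int i, kept = 0;

	for (i = 0; i < n; i++) {
		if (freq_to_band(freqs[i]) == BAND_6GHZ && !is_6ghz_psc(freqs[i]))
			continue;
		freqs[kept++] = freqs[i];
	}
	return kept;
}

int main(void)
{
	/* Constructed list: 2.4 GHz, 5 GHz, 6 GHz ch 1 (non-PSC), ch 5 and ch 21 (PSC). */
	int freqs[MAX_FREQS];
	int n = parse_freqlist("2412,5180,5955,5975,6055", freqs), i;

	n = exclude_6ghz_non_psc(freqs, n);
	printf("ACS candidates after PSC filter:");
	for (i = 0; i < n; i++)
		printf(" %d", freqs[i]);
	printf("\n");
	return 0;
}
```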
* SAE H2E: RSNXE override in EAPOL-Key msg 3/4  [Jouni Malinen, 2019-12-07, 1 file, -0/+3]
  This new hostapd configuration parameter rsnxe_override_eapol=<hexdump> can be used to override the RSNXE value in EAPOL-Key msg 3/4 for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Add op_class config item to specify 6 GHz channels uniquely  [Liangwei Dong, 2019-10-15, 1 file, -0/+2]
  Add hostapd config option "op_class" for fixed channel selection along with the existing "channel" option. The "op_class" and "channel" config options together can specify channels across the 2.4 GHz, 5 GHz, and 6 GHz bands uniquely.
  Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* SAE: Add sae_pwe configuration parameter for hostapd  [Jouni Malinen, 2019-10-15, 1 file, -0/+2]
  This parameter can be used to specify which PWE derivation mechanism(s) are enabled. This commit is only introducing the new parameter; actual use of it will be addressed in separate commits.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Allow AP behavior for SAE Confirm to be configured  [Jouni Malinen, 2019-10-10, 1 file, -0/+2]
  hostapd by default waits for the STA to send SAE Confirm before sending its own SAE Confirm. This can now be configured with sae_confirm_immediate=1, resulting in hostapd sending out SAE Confirm immediately after sending SAE Commit. These are the two different message sequences:

  sae_confirm_immediate=0
    STA->AP: SAE Commit
    AP->STA: SAE Commit
    STA->AP: SAE Confirm
    AP->STA: SAE Confirm
    STA->AP: Association Request
    AP->STA: Association Response

  sae_confirm_immediate=1
    STA->AP: SAE Commit
    AP->STA: SAE Commit
    AP->STA: SAE Confirm
    STA->AP: SAE Confirm
    STA->AP: Association Request
    AP->STA: Association Response

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Add EDMG channel configuration parameters  [Alexei Avshalom Lazar, 2019-10-07, 1 file, -0/+4]
  Add two new configuration parameters for hostapd:
    enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
    edmg_channel: Configure channel bonding for AP mode in the 60 GHz band
  Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request  [Jouni Malinen, 2019-09-18, 1 file, -0/+6]
  The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove IAPP functionality from hostapd  [Jouni Malinen, 2019-09-11, 1 file, -2/+1]
  IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been maintained nor is there any expectation of the withdrawn trial-use recommended practice to be maintained in the future. Furthermore, the implementation of IAPP in hostapd was not complete, i.e., only parts of the recommended practice were included. The main item of some real use a long time ago was the Layer 2 Update frame to update bridges when a STA roams within an ESS, but that functionality has, in practice, been moved to kernel drivers to provide better integration with the networking stack.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211W build parameter  [Jouni Malinen, 2019-09-08, 1 file, -4/+0]
  Hardcode this to be defined and remove the separate build option for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Configurable maximum number of authentication message rounds  [Jouni Malinen, 2019-09-01, 1 file, -0/+4]
  Allow the previously hardcoded maximum numbers of EAP message rounds to be configured in the hostapd EAP server. This can be used, e.g., to increase the default limits if very large X.509 certificates are used for EAP authentication.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Allow a specific Identity-Type to be requested/required  [Jouni Malinen, 2019-08-19, 1 file, -0/+2]
  The new hostapd configuration parameter eap_teap_id can be used to configure the expected behavior for the identity type used.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Testing mechanism for Result TLV in a separate message  [Jouni Malinen, 2019-08-16, 1 file, -0/+2]
  The new eap_teap_separate_result=1 hostapd configuration parameter can be used to test a TEAP exchange where the Intermediate-Result TLV and Crypto-Binding TLV are sent in one message exchange while the Result TLV exchange is done after that in a separate message exchange.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled  [Jouni Malinen, 2019-08-01, 1 file, -0/+2]
  The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Extra RADIUS request attributes from SQLite  [Terry Burton, 2019-07-30, 1 file, -0/+3]
  Add an SQLite table for defining a per-station-MAC-address version of the radius_auth_req_attr/radius_acct_req_attr information. Create the necessary table and index where these don't exist. Select attributes from the table keyed by station MAC address and request type (auth or acct), parse and apply them to a RADIUS message. Add the radius_req_attr_sqlite hostapd config option for the SQLite database file. Open/close the RADIUS attribute database for the lifetime of a BSS and invoke functions to add extra attributes during RADIUS auth and accounting request generation.
  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* Move hostapd_parse_radius_attr() into ap_config.c  [Terry Burton, 2019-07-30, 1 file, -77/+0]
  We will want to parse RADIUS attributes in config file format when retrieving them from an SQLite database.
  Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* OpenSSL: Allow two server certificates/keys to be configured on server  [Jouni Malinen, 2019-07-12, 1 file, -0/+9]
  The hostapd EAP server can now be configured with two separate server certificates/keys to enable parallel operations using both RSA and ECC public keys. The server will pick which one to use based on the client preferences for the cipher suite (in the TLS ClientHello message). It should be noted that a number of deployed EAP peer implementations do not filter out the cipher suite list based on their local configuration and as such, configuration of alternative types of certificates on the server may result in interoperability issues.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170)  [Jouni Malinen, 2019-07-09, 1 file, -0/+14]
  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved. This does not yet support use of the NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* macsec: Add configuration parameters for hostapd  [leiwei, 2019-06-03, 1 file, -0/+87]
  Signed-off-by: leiwei <leiwei@codeaurora.org>
* HE: Make the basic NSS/MCS configurable  [John Crispin, 2019-05-27, 1 file, -0/+2]
  Add a config option to allow setting a custom Basic NSS/MCS set. As a default we use single stream HE-MCS 0-7.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* HE: Add HE channel management configuration options  [John Crispin, 2019-05-27, 1 file, -0/+6]
  These are symmetric with the VHT ones.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>
* HE: Fix typo srp -> spr in hostapd configuration parameters  [John Crispin, 2019-05-04, 1 file, -4/+4]
  The initial commit used srp instead of spr for the spatial reuse configuration prefix.
  Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
  Signed-off-by: John Crispin <john@phrozen.org>