path: root/hostapd
Commit message | Author | Age | Files | Lines
* Fix hostapd build with CONFIG_WPA_TRACE but no CONFIG_WPA_TRACE_BFD  (Brian Norris, 2019-10-25, 1 file, -1/+1)

    Otherwise, we may get linker failures:

        ld.lld: error: unable to find library -lbfd

    While we're at it, pull in the library selection fixes from commit 848905b12abf ("Avoid undefined references with CONFIG_WPA_TRACE_BFD=y").

    Signed-off-by: Brian Norris <briannorris@chromium.org>
* AP: Add initial support for 6 GHz band  (Andrei Otcheretianski, 2019-10-15, 1 file, -1/+7)

    Add support for a new hardware mode for the 6 GHz band. 6 GHz operation is defined in IEEE P802.11ax/D4.3. The 6 GHz band adds global operating classes 131-135 that define channels in the frequency range from 5940 MHz to 7105 MHz.

    Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>

    - Remove HOSTAPD_MODE_IEEE80211AX mode
    - Replace check for HOSTAPD_MODE_IEEE80211AX with is_6ghz_freq()
    - Move center_idx_to_bw_6ghz() to ieee802_11_common.c file

    Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* AP: Add op_class config item to specify 6 GHz channels uniquely  (Liangwei Dong, 2019-10-15, 2 files, -0/+8)

    Add hostapd config option "op_class" for fixed channel selection along with the existing "channel" option. The "op_class" and "channel" config options together can specify channels across the 2.4 GHz, 5 GHz, and 6 GHz bands uniquely.

    Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
    Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
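The two commits above (6 GHz support and the op_class option) rely on the fact that a bare channel number is no longer unique once the 6 GHz band is in play: channel 1 exists both at 2.4 GHz and at 6 GHz. The following is an added example, not hostapd code, showing how an (op_class, channel) pair resolves to a band, a frequency and a width. The 6 GHz numbers follow the commit text (5940 MHz base per IEEE P802.11ax/D4.3, classes 131-135, top channel at 7105 MHz); the 2.4/5 GHz classes, the primary-channel sets and the center-index bit-pattern rule in center_idx_to_bw_6ghz() are assumptions of this example.

```python
"""
Resolve a hostapd (op_class, channel) pair to band, primary-channel center
frequency and channel width.  Added illustration, not hostapd code.
"""
from typing import NamedTuple, Optional, Set


class ChanInfo(NamedTuple):
    band: str
    freq_mhz: int    # center frequency of the primary 20 MHz channel
    width_mhz: int   # width implied by the operating class


# Assumed subset of the global operating class table:
# op_class -> (band, base frequency in MHz, valid primary channels, width in MHz)
_SIX_GHZ_PRIMARIES = range(1, 234, 4)          # 1, 5, 9, ..., 233 (5945 .. 7105 MHz)
_OP_CLASSES = {
    81:  ("2.4 GHz", 2407, range(1, 14), 20),
    115: ("5 GHz", 5000, (36, 40, 44, 48), 20),
    116: ("5 GHz", 5000, (36, 44), 40),
    117: ("5 GHz", 5000, (40, 48), 40),
    124: ("5 GHz", 5000, (149, 153, 157, 161), 20),
    131: ("6 GHz", 5940, _SIX_GHZ_PRIMARIES, 20),
    132: ("6 GHz", 5940, _SIX_GHZ_PRIMARIES, 40),
    133: ("6 GHz", 5940, _SIX_GHZ_PRIMARIES, 80),
    134: ("6 GHz", 5940, _SIX_GHZ_PRIMARIES, 160),
    135: ("6 GHz", 5940, _SIX_GHZ_PRIMARIES, 80),   # 80+80 MHz, represented as 80 here
}


def resolve(op_class: int, channel: int) -> Optional[ChanInfo]:
    """Return band/frequency/width for a valid pair, or None if the pair is not valid."""
    entry = _OP_CLASSES.get(op_class)
    if entry is None:
        return None
    band, base, primaries, width = entry
    if channel not in primaries:
        return None
    return ChanInfo(band, base + 5 * channel, width)


def ambiguous_bands(channel: int) -> Set[str]:
    """Bands in which this bare channel number exists; more than one means
    'channel=' alone cannot identify the channel and op_class is required."""
    return {band for band, _base, primaries, _w in _OP_CLASSES.values()
            if channel in primaries}


def center_idx_to_bw_6ghz(idx: int) -> Optional[int]:
    """Width implied by a 6 GHz channel center index (assumed rule):
    20 MHz centers are 1, 5, 9, ...; 40 MHz are 3, 11, 19, ...;
    80 MHz are 7, 23, 39, ...; 160 MHz are 15, 47, 79, ..."""
    if (idx & 0x3) == 0x1:
        return 20
    if (idx & 0x7) == 0x3:
        return 40
    if (idx & 0xF) == 0x7:
        return 80
    if (idx & 0x1F) == 0xF:
        return 160
    return None


if __name__ == "__main__":
    print(resolve(81, 1), resolve(131, 1), sorted(ambiguous_bands(1)))
```

A configuration validator built this way rejects a pair such as op_class=131 with channel=234 (outside the 6 GHz primary set) instead of letting the driver guess, and flags channel numbers that exist in more than one band unless op_class is given.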
* SAE: Derive H2E PT in AP when starting the AP  (Jouni Malinen, 2019-10-15, 1 file, -0/+5)

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add sae_pwe configuration parameter for hostapd  (Jouni Malinen, 2019-10-15, 2 files, -0/+10)

    This parameter can be used to specify which PWE derivation mechanism(s) are enabled. This commit is only introducing the new parameter; actual use of it will be addressed in separate commits.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Allow AP behavior for SAE Confirm to be configured  (Jouni Malinen, 2019-10-10, 2 files, -0/+9)

    hostapd by default waits for the STA to send SAE Confirm before sending the SAE Confirm. This can now be configured with sae_confirm_immediate=1, resulting in hostapd sending out SAE Confirm immediately after sending SAE Commit.

    These are the two different message sequences:

    sae_confirm_immediate=0
        STA->AP: SAE Commit
        AP->STA: SAE Commit
        STA->AP: SAE Confirm
        AP->STA: SAE Confirm
        STA->AP: Association Request
        AP->STA: Association Response

    sae_confirm_immediate=1
        STA->AP: SAE Commit
        AP->STA: SAE Commit
        AP->STA: SAE Confirm
        STA->AP: SAE Confirm
        STA->AP: Association Request
        AP->STA: Association Response

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Add EDMG channel configuration parameters  (Alexei Avshalom Lazar, 2019-10-07, 2 files, -0/+17)

    Add two new configuration parameters for hostapd:

    enable_edmg: Enable EDMG capability for AP mode in the 60 GHz band
    edmg_channel: Configure channel bonding for AP mode in the 60 GHz band

    Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
* DPP: Allow name and mudurl to be configured for Config Request  (Jouni Malinen, 2019-09-18, 2 files, -0/+20)

    The new hostapd and wpa_supplicant configuration parameters dpp_name and dpp_mud_url can now be used to set a specific name and MUD URL for the Enrollee to use in the Configuration Request. dpp_name replaces the previously hardcoded "Test" string (which is still the default if an explicit configuration entry is not included). dpp_mud_url can optionally be used to add a MUD URL to describe the Enrollee device.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove IAPP functionality from hostapd  (Jouni Malinen, 2019-09-11, 7 files, -27/+1)

    IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been maintained, nor is there any expectation of the withdrawn trial-use recommended practice being maintained in the future. Furthermore, the implementation of IAPP in hostapd was not complete, i.e., only parts of the recommended practice were included. The main item of some real use a long time ago was the Layer 2 Update frame to update bridges when a STA roams within an ESS, but that functionality has, in practice, been moved to kernel drivers to provide better integration with the networking stack.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Fix hostapd build dependencies for DPP-only build  (Jouni Malinen, 2019-09-08, 2 files, -0/+2)

    Fix CONFIG_DPP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211W build parameter  (Jouni Malinen, 2019-09-08, 7 files, -88/+0)

    Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP server: Configurable maximum number of authentication message rounds  (Jouni Malinen, 2019-09-01, 2 files, -0/+10)

    Allow the previously hardcoded maximum numbers of EAP message rounds to be configured in the hostapd EAP server. This can be used, e.g., to increase the default limits if very large X.509 certificates are used for EAP authentication.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Add support for requiring user and machine credentials  (Jouni Malinen, 2019-08-24, 1 file, -0/+1)

    The new eap_teap_id=5 hostapd configuration parameter value can be used to configure the EAP-TEAP server to request and require user and machine credentials within the tunnel. This can be done either with Basic Password Authentication or with inner EAP authentication methods.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Allow a specific Identity-Type to be requested/required  (Jouni Malinen, 2019-08-19, 2 files, -0/+10)

    The new hostapd configuration parameter eap_teap_id can be used to configure the expected behavior for the used identity type.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server: Testing mechanism for Result TLV in a separate message  (Jouni Malinen, 2019-08-16, 2 files, -0/+7)

    The new eap_teap_separate_result=1 hostapd configuration parameter can be used to test a TEAP exchange where the Intermediate-Result TLV and Crypto-Binding TLV are sent in one message exchange while the Result TLV exchange is done after that in a separate message exchange.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Add TLS-PRF using HMAC with P_SHA384 for TEAP  (Jouni Malinen, 2019-08-16, 2 files, -0/+10)

    This version of the TLS PRF is needed when using TEAP with TLS ciphersuites that are defined to use SHA384 instead of SHA256.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix a typo in hostapd config documentation  (Jouni Malinen, 2019-08-11, 1 file, -1/+1)

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix check_crl_strict documentation  (Jouni Malinen, 2019-08-11, 1 file, -1/+1)

    The OpenSSL error codes used here were for certificates, not CRLs. Fix that to refer to the CRL being expired or not yet valid.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Preparations for v2.8 release  [tag: hostap_2_9]  (Jouni Malinen, 2019-08-07, 1 file, -0/+24)

    Update the version number for the build and also add the ChangeLog entries for both hostapd and wpa_supplicant to describe main changes between v2.7 and v2.8.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-SIM/AKA server: Allow pseudonym/fast reauth to be disabled  (Jouni Malinen, 2019-08-01, 2 files, -0/+9)

    The new hostapd configuration option eap_sim_id can now be used to disable use of pseudonym and/or fast reauthentication with EAP-SIM, EAP-AKA, and EAP-AKA'.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Extra RADIUS request attributes from SQLite  (Terry Burton, 2019-07-30, 2 files, -0/+14)

    Add an SQLite table for defining a per station MAC address version of the radius_auth_req_attr/radius_acct_req_attr information. Create the necessary table and index where this doesn't exist.

    Select attributes from the table keyed by station MAC address and request type (auth or acct), parse and apply to a RADIUS message.

    Add the radius_req_attr_sqlite hostapd config option for the SQLite database file. Open/close the RADIUS attribute database for the lifetime of a BSS and invoke functions to add extra attributes during RADIUS auth and accounting request generation.

    Signed-off-by: Terry Burton <tez@terryburton.co.uk>
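The commit above describes a per-station lookup: rows keyed by station MAC and request type, each holding an attribute in the same text syntax as radius_auth_req_attr, parsed and appended to the outgoing RADIUS request. The following is an added example, not hostapd code, that models that flow end to end in Python with the standard sqlite3 module: the table layout (radius_attributes with sta, reqtype and attr columns plus an index on the pair) and the attribute string syntax "<attr_id>[:<s|d|x>:<value>]" follow hostapd's documented radius_auth_req_attr format but are assumptions of this demo, and the sample rows are constructed.

```python
"""
Per-station extra RADIUS request attributes from SQLite, modelled on the
radius_req_attr_sqlite commit.  Added example, not hostapd code.
"""
import sqlite3
import struct
from typing import List, Tuple

# Assumed schema: one attribute string per row, looked up by (sta, reqtype).
SCHEMA = """
CREATE TABLE IF NOT EXISTS radius_attributes(
    id INTEGER PRIMARY KEY,
    sta TEXT,
    reqtype TEXT,
    attr TEXT
);
CREATE INDEX IF NOT EXISTS idx_sta_reqtype ON radius_attributes(sta, reqtype);
"""


def parse_radius_attr(spec: str) -> Tuple[int, bytes]:
    """Parse "<attr_id>[:<syntax>:<value>]" into (type, value bytes).
    s = UTF-8 string, d = 32-bit unsigned integer, x = hex octet string.
    A bare "<attr_id>" yields a zero-length attribute."""
    parts = spec.split(":", 2)
    attr_id = int(parts[0])
    if not 1 <= attr_id <= 255:
        raise ValueError(f"RADIUS attribute type out of range: {attr_id}")
    if len(parts) == 1:
        return attr_id, b""
    if len(parts) != 3:
        raise ValueError(f"malformed attribute spec: {spec!r}")
    syntax, value = parts[1], parts[2]
    if syntax == "s":
        data = value.encode("utf-8")
    elif syntax == "d":
        data = struct.pack(">I", int(value))
    elif syntax == "x":
        data = bytes.fromhex(value)
    else:
        raise ValueError(f"unknown syntax {syntax!r} in {spec!r}")
    if len(data) > 253:          # RFC 2865: Length is one octet and includes the header
        raise ValueError("RADIUS attribute value longer than 253 octets")
    return attr_id, data


def encode_avp(attr_id: int, data: bytes) -> bytes:
    """RFC 2865 Type-Length-Value encoding; Length covers the two header octets."""
    return bytes([attr_id, len(data) + 2]) + data


def open_attr_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the database and create table/index if they do not exist yet."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def extra_attrs_for(conn: sqlite3.Connection, sta: str, reqtype: str) -> List[bytes]:
    """Encoded AVPs to append for one station and request type ('auth' or 'acct').
    The MAC is normalised to lower case; the query uses bound parameters."""
    if reqtype not in ("auth", "acct"):
        raise ValueError("reqtype must be 'auth' or 'acct'")
    rows = conn.execute(
        "SELECT attr FROM radius_attributes WHERE sta = ? AND reqtype = ? ORDER BY id",
        (sta.lower(), reqtype),
    ).fetchall()
    return [encode_avp(*parse_radius_attr(row[0])) for row in rows]


def demo() -> List[bytes]:
    """Constructed sample rows; returns the auth-request AVPs for one station."""
    conn = open_attr_db()
    conn.executemany(
        "INSERT INTO radius_attributes(sta, reqtype, attr) VALUES (?, ?, ?)",
        [
            ("02:00:00:00:01:00", "auth", "126:s:Example-Operator"),  # Operator-Name
            ("02:00:00:00:01:00", "auth", "27:d:900"),                # Session-Timeout, 900 s
            ("02:00:00:00:01:00", "acct", "8:x:c0a80001"),            # Framed-IP-Address
        ],
    )
    conn.commit()
    return extra_attrs_for(conn, "02:00:00:00:01:00", "auth")


if __name__ == "__main__":
    for avp in demo():
        print(avp.hex())
```

Two practical points follow from the design: the accounting lookup for the same station returns only the acct rows, so per-type attributes cannot leak into the other request type, and because the database contents end up on the wire, the file should be writable only by whatever provisions it, with the AP process holding read access.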
* Move hostapd_parse_radius_attr() into ap_config.c  (Terry Burton, 2019-07-30, 1 file, -77/+0)

    We will want to parse RADIUS attributes in config file format when retrieving them from an SQLite database.

    Signed-off-by: Terry Burton <tez@terryburton.co.uk>
* OpenSSL: Allow two server certificates/keys to be configured on server  (Jouni Malinen, 2019-07-12, 2 files, -0/+26)

    The hostapd EAP server can now be configured with two separate server certificates/keys to enable parallel operations using both RSA and ECC public keys. The server will pick which one to use based on the client preferences for the cipher suite (in the TLS ClientHello message).

    It should be noted that a number of deployed EAP peer implementations do not filter out the cipher suite list based on their local configuration and as such, configuration of alternative types of certificates on the server may result in interoperability issues.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170)  (Jouni Malinen, 2019-07-09, 6 files, -0/+59)

    This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved.

    This does not yet support use of the NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove obsolete defconfig notes regarding EAP-FAST support in OpenSSL  (Jouni Malinen, 2019-07-09, 1 file, -3/+0)

    Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Shorter TX/RX test frame support for hostapd  (Jouni Malinen, 2019-06-03, 1 file, -12/+35)

    wpa_supplicant already included support for this, but the hostapd DATA_TEST_* commands did not yet have support for using a shorter test frame. This is needed for MACsec testing.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd  (leiwei, 2019-06-03, 1 file, -0/+9)

    Signed-off-by: leiwei <leiwei@codeaurora.org>
* macsec: Add configuration parameters for hostapd  (leiwei, 2019-06-03, 2 files, -0/+137)

    Signed-off-by: leiwei <leiwei@codeaurora.org>
* HE: Make the basic NSS/MCS configurable  (John Crispin, 2019-05-27, 2 files, -0/+8)

    Add a config option to allow setting a custom Basic NSS/MCS set. As a default we use single stream HE-MCS 0-7.

    Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
    Signed-off-by: John Crispin <john@phrozen.org>
* HE: Add HE channel management configuration options  (John Crispin, 2019-05-27, 2 files, -0/+11)

    These are symmetric with the VHT ones.

    Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
    Signed-off-by: John Crispin <john@phrozen.org>
* hostapd_cli: Add update_beacon command  (Alona Solntseva, 2019-05-25, 1 file, -0/+9)

    Add ability to use UPDATE_BEACON with hostapd_cli. The option has been exposed in ctrl_iface already.

    Signed-off-by: Alona Solntseva <alona.solntseva@tandemg.com>
    Signed-off-by: Simon Dinkin <simon.dinkin@tandemg.com>
* HE: Fix typo srp -> spr in hostapd configuration parameters  (John Crispin, 2019-05-04, 2 files, -8/+8)

    The initial commit used srp instead of spr for the spatial reuse configuration prefix.

    Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
    Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: Add airtime policy configuration support  (Toke Høiland-Jørgensen, 2019-05-02, 4 files, -0/+112)

    This adds support to hostapd for configuring airtime policy settings for stations as they connect to the access point. This is the userspace component of the airtime policy enforcement system PoliFi described in this paper: https://arxiv.org/abs/1902.03439

    The Linux kernel part has been merged into mac80211 for the 5.1 dev cycle.

    The configuration mechanism has three modes: Static, dynamic and limit. In static mode, weights can be set in the configuration file for individual MAC addresses, which will be applied when the configured stations connect. In dynamic mode, weights are instead set per BSS, which will be scaled by the number of active stations on that BSS, achieving the desired aggregate weighting between the configured BSSes. Limit mode works like dynamic mode, except that any BSS *not* marked as 'limited' is allowed to exceed its configured share if a per-station fairness share would assign more airtime to that BSS. See the paper for details on these modes.

    Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* HE: Fix he_bss_color documentation  (Jouni Malinen, 2019-04-25, 1 file, -4/+2)

    This field needs to be set to a value within the 1-63 range, i.e., 0 is not a valid value and does not indicate that BSS color is disabled. B7 of the BSS Color octet is used to indicate that the BSS Color is _temporarily_ disabled, but that is something that would happen automatically based on detecting a collision in the used BSS colors and not something that would be configured.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Share common SAE and EAP-pwd functionality: suitable groups  (Jouni Malinen, 2019-04-25, 2 files, -0/+12)

    Start sharing common SAE and EAP-pwd functionality by adding a new source code file that can be included into both. This first step is bringing in a shared function to check whether a group is suitable.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* HE: Add Spatial Reuse Parameter Set element to the Beacon frames  (John Crispin, 2019-04-25, 2 files, -0/+14)

    SPR allows us to detect OBSS overlaps and allows us to do adaptive CCA thresholds. For this to work the AP needs to broadcast the element first.

    Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com>
    Signed-off-by: John Crispin <john@phrozen.org>
* DPP2: hostapd as TCP Relay  (Jouni Malinen, 2019-04-22, 1 file, -0/+35)

    The new hostapd configuration parameter dpp_controller can now be used with the following subparameter values: ipaddr=<IP address> pkhash=<hexdump>. This adds a new Controller into the configuration (i.e., more than one can be configured) and all incoming DPP exchanges that match the specified Controller public key hash are relayed to the particular Controller.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add configuration structure to dpp_global_init()  (Jouni Malinen, 2019-04-21, 1 file, -1/+6)

    This can be used to provide configurable parameters to the global DPP context. This initial commit introduces the msg_ctx context pointer for wpa_msg().

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Preparations for v2.8 release  [tag: hostap_2_8]  (Jouni Malinen, 2019-04-21, 1 file, -0/+55)

    Update the version number for the build and also add the ChangeLog entries for both hostapd and wpa_supplicant to describe main changes between v2.7 and v2.8.

    Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix hostapd BSS_TM_REQ handling of bss_term parameter  (Jouni Malinen, 2019-04-15, 1 file, -1/+1)

    The TSF field in BSS termination information was not cleared correctly. It was supposed to be cleared to all zeros, but the memset call did not point at offset 2; instead, it cleared it with 0x02 octets and also cleared the subelement header with 0x02 octets while leaving the two last octets uninitialized.

    Fixes: a30dff07fb18 ("Add BSS_TM_REQ command to send BSS Transition Management Request")
    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Reduce minimum beacon interval from 15 to 10 TUs  (Brendan Jackman, 2019-04-06, 1 file, -3/+4)

    Very short beacon intervals can be useful for certain scenarios such as minimising association time on PBSSs. Linux supports a minimum of 10[1] so let's reduce the minimum to match that.

    [1] https://elixir.bootlin.com/linux/latest/ident/cfg80211_validate_beacon_int

    Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
* DPP: Common configurator/bootstrapping data management  (Jouni Malinen, 2019-03-24, 2 files, -13/+22)

    Merge the practically copy-pasted implementations in wpa_supplicant and hostapd into a single shared implementation in dpp.c for managing configurator and bootstrapping information. This avoids unnecessary code duplication and provides a convenient location for adding new global DPP data.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Make DPP version number support available over control interface  (Jouni Malinen, 2019-03-14, 1 file, -0/+31)

    "GET_CAPABILITY dpp" can now be used to determine which version number of DPP is supported in the build.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Build configuration flags for DPP version 2 support  (Jouni Malinen, 2019-03-13, 2 files, -0/+6)

    The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is used to control whether new functionality defined after the DPP specification v1.0 is included. All such functionality is considered experimental and subject to change without notice and as such, not suitable for production use.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Add 'check_cert_subject' support for TLS server  (Jared Bents, 2019-03-11, 2 files, -0/+36)

    This patch adds 'check_cert_subject' support to match the value of every field against the DN of the subject in the client certificate. If the values do not match, the certificate verification will fail and will reject the user. This option allows hostapd to match every individual field in the right order, and also allows the '*' character as a wildcard (e.g., OU=Development*).

    Note: hostapd will match the string up to the wildcard against the DN of the subject in the client certificate for every individual field.

    Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
    Signed-off-by: Jared Bents <jared.bents@rockwellcollins.com>
    Signed-off-by: Jouni Malinen <j@w1.fi>
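The matching rule described in the commit above is: every configured field must be present in the client certificate's subject, in the configured order, and a value ending in '*' matches only up to the wildcard. The following is an added example of those semantics written in Python; it is not hostapd's implementation. The DN syntax assumed is the OpenSSL one-line form ("/C=US/O=Example/OU=Development*", no escaped '/' inside values), and the decision to require the certificate to carry exactly the configured fields, with no extra trailing components, is a design choice of this example rather than something the commit message states.

```python
"""
Subject-DN matching in the spirit of hostapd's check_cert_subject option.
Added example, not hostapd code.  Assumed DN syntax: OpenSSL one-line
form, "/K1=V1/K2=V2", values free of '/'.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split "/K1=V1/K2=V2" into an ordered list of (key, value) pairs."""
    fields = []
    for part in dn.strip("/").split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DN component: {part!r}")
        key, value = part.split("=", 1)
        fields.append((key.strip(), value))
    return fields


def field_matches(pattern: str, value: str) -> bool:
    """A trailing '*' matches any suffix; the text before it must be a prefix of
    the certificate value.  A '*' anywhere else is compared literally."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def subject_matches(check_cert_subject: str, cert_subject: str) -> bool:
    """True if the client certificate subject satisfies the configured pattern.

    Strict by design (assumption of this example): same number of components,
    same keys, same order.  That way "/C=US/O=Example" cannot be satisfied by
    a certificate whose subject continues with components the pattern never
    mentioned."""
    if not check_cert_subject:
        return True          # option not configured: no additional restriction
    want = parse_dn(check_cert_subject)
    have = parse_dn(cert_subject)
    if len(want) != len(have):
        return False
    return all(wk == hk and field_matches(wv, hv)
               for (wk, wv), (hk, hv) in zip(want, have))


if __name__ == "__main__":
    # Constructed sample: a pattern and two client subjects
    pattern = "/C=US/O=Example/OU=Development*"
    print(subject_matches(pattern, "/C=US/O=Example/OU=Development Team"))   # True
    print(subject_matches(pattern, "/C=US/O=Example/OU=Sales"))              # False
```

Two things to keep in mind when writing such a pattern: a value consisting only of "*" accepts any content for that field, so the restriction then rests entirely on the other fields and on the CA's enrollment policy, and a reordered subject ("/O=Example/C=US/...") does not match because order is part of the check.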
* WPS: Allow AP SAE configuration to be added automatically for PSK  (Jouni Malinen, 2019-03-06, 2 files, -0/+10)

    The new hostapd configuration parameter wps_cred_add_sae=1 can be used to request hostapd to add SAE configuration whenever WPS is used to configure the AP to use WPA2-PSK and the credential includes a passphrase (instead of PSK). This can be used to enable WPA3-Personal transition mode with both SAE and PSK enabled and PMF enabled for PSK and required for SAE associations.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Enable only group 19 by default in AP mode  (Jouni Malinen, 2019-03-05, 1 file, -5/+9)

    Change the AP mode default for SAE to enable only group 19 instead of enabling all ECC groups that are supported by the used crypto library and the SAE implementations. The main reason for this is to avoid enabling groups that are not as strong as the mandatory-to-support group 19 (i.e., groups 25 and 26). In addition, this disables heavier groups by default.

    In addition, add a warning about MODP groups 1, 2, 5, 22, 23, and 24 based on the "MUST NOT" or "SHOULD NOT" categorization in RFC 8247. All the MODP groups were already disabled by default and would have needed explicit configuration to be allowed.

    Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Add README-MULTI-AP  (Arnout Vandecappelle (Essensium/Mind), 2019-02-18, 1 file, -0/+160)

    Document what hostapd and wpa_supplicant do for Multi-AP. This is only included in hostapd, since a Multi-AP device is always an access point so it should have hostapd.

    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* hostapd: Support Multi-AP backhaul STA onboarding with WPS  (Davina Lu, 2019-02-18, 2 files, -0/+59)

    The Wi-Fi Alliance Multi-AP Specification v1.0 allows onboarding of a backhaul STA through WPS. To enable this, the WPS Registrar offers a different set of credentials (backhaul credentials instead of fronthaul credentials) when the Multi-AP subelement is present in the WFA vendor extension element of the WSC M1 message.

    Add new configuration options to specify the backhaul credentials for the hostapd internal registrar: multi_ap_backhaul_ssid, multi_ap_backhaul_wpa_psk, multi_ap_backhaul_wpa_passphrase. These are only relevant for a fronthaul SSID, i.e., where multi_ap is set to 2 or 3. When these options are set, pass the backhaul credentials instead of the normal credentials when the Multi-AP subelement is present. Ignore the Multi-AP subelement if the backhaul config options are not set.

    Note that for an SSID which is fronthaul and backhaul at the same time (i.e., multi_ap == 3), this results in the correct credentials being sent anyway.

    The security to be used for the backhaul BSS is fixed to WPA2PSK. The Multi-AP Specification only allows Open and WPA2PSK networks to be configured. Although not stated explicitly, the backhaul link is intended to be always encrypted, hence WPA2PSK.

    To build the credentials, the credential-building code is essentially copied and simplified. Indeed, the backhaul credentials are always WPA2PSK and never use per-device PSK. All the options set for the fronthaul BSS WPS are simply ignored.

    Signed-off-by: Davina Lu <ylu@quantenna.com>
    Signed-off-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com>
    Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
    Cc: Marianna Carrera <marianna.carrera.so@quantenna.com>
* SAE: VLAN assignment based on SAE Password Identifier  (Jouni Malinen, 2019-02-17, 2 files, -9/+25)

    The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to assign stations to a specific VLAN based on which SAE Password Identifier they use. This is similar to the WPA2-Enterprise case where the RADIUS server can assign stations to different VLANs and the WPA2-Personal case where the vlanid parameter in wpa_psk_file is used.

    Signed-off-by: Jouni Malinen <j@w1.fi>