path: root/hostapd
Commit message | Author | Age | Files | Lines
* SAE-PK: Add support to skip sae_pk password check for testing purposes | Shaakir Mohamed | 12 days | 1 | -1/+7
  Add support to skip sae_pk password check under compile flag CONFIG_TESTING_OPTIONS which allows AP to be configured with sae_pk enabled but a password that is invalid for sae_pk.
  Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
* DPP: Remove unnecessary dpp_global_config parameters | Jouni Malinen | 2020-08-25 | 1 | -1/+0
  These were not really used anymore since the AP/Relay case did not set msg_ctx or process_conf_obj in the global DPP context. Get the appropriate pointers more directly from the more specific data structures instead and remove these global values.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Controller support in hostapd | Jouni Malinen | 2020-08-25 | 1 | -0/+8
  Extend hostapd support for DPP Controller to cover the DPP_CONTROLLER_* cases that were previously implemented only in wpa_supplicant. This allows hostapd/AP to be provisioned using DPP over TCP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Update design for fingerprint encoding into password | Jouni Malinen | 2020-08-05 | 1 | -17/+53
  Update the SAE-PK implementation to match the changes in the protocol design:
  - allow only Sec values 3 and 5 and encode this as a single bit field with multiple copies
  - add a checksum character
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Extend GET_PMK to check PMKSA cache on the AP | Jouni Malinen | 2020-08-03 | 1 | -3/+17
  This allows the testing command GET_PMK to return a PMK in cases where the association fails (e.g., when using SAE and getting a valid PMKSA entry added before association) or after the association has been lost.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Rename temporary blocking of nonresponsive R0KH | Jouni Malinen | 2020-07-24 | 1 | -1/+1
  Avoid use of the "blacklist" term here to reduce undesired connotations.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* 6 GHz: Change 6 GHz channels per IEEE P802.11ax/D6.1 | Wu Gao | 2020-06-23 | 1 | -4/+4
  The channel numbering/center frequencies were changed in IEEE P802.11ax/D6.1. The center frequencies of the channels were shifted by 10 MHz. Also, a new operating class 136 was defined with a single channel 2. Add required support to change the channelization as per IEEE P802.11ax/D6.1.
  Signed-off-by: Wu Gao <wugao@codeaurora.org>
  Signed-off-by: Vamsi Krishna <vamsin@codeaurora.org>
* EAP-TEAP (server): Allow Phase 2 skip based on client certificate | Jouni Malinen | 2020-06-20 | 2 | -1/+3
  eap_teap_auth=2 can now be used to configure hostapd to skip Phase 2 if the peer can be authenticated based on client certificate during Phase 1.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove unused enum values | Jouni Malinen | 2020-06-08 | 1 | -8/+0
  The last user of these was removed in commit 17fbb751e174 ("Remove user space client MLME") and there is no need to maintain these unused values anymore.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Move local TX queue parameter parser into a common file | Subrat Dash | 2020-06-08 | 1 | -91/+1
  This allows the same implementation to be used for wpa_supplicant as well.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Testing functionality to allow behavior overrides | Jouni Malinen | 2020-06-08 | 1 | -0/+4
  The new sae_commit_status and sae_pk_omit configuration parameters and an extra key at the end of sae_password pk argument can be used to override SAE-PK behavior for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow transition_disable updates during the lifetime of a BSS | Jouni Malinen | 2020-06-07 | 1 | -0/+3
  This is mainly for testing purposes to allow more convenient checking of station behavior when a transition mode is disabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: A tool for generating SAE-PK Modifier and password | Jouni Malinen | 2020-06-02 | 2 | -0/+194
  sae_pk_gen can be used to generate Modifier (M) and password for SAE-PK based on a previously generated EC private key, Sec value (2..5), and SSID.
  For example, these commands can be used to generate the private key and the needed hostapd configuration parameter options:
    make sae_pk_gen
    openssl ecparam -genkey -outform DER -out saepk.der -name prime256v1
    ./sae_pk_gen saepk.der 3 "SAE-PK test"
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: AP functionality | Jouni Malinen | 2020-06-02 | 2 | -1/+43
  This adds AP side functionality for SAE-PK. The new sae_password configuration parameters can now be used to enable SAE-PK mode whenever SAE is enabled.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Extend SAE functionality for AP validation | Jouni Malinen | 2020-06-02 | 2 | -0/+8
  This adds core SAE functionality for a new mode of using SAE with a specially constructed password that contains a fingerprint for an AP public key and that public key being used to validate an additional signature in SAE confirm from the AP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OCV: Allow OCI channel to be overridden for testing (AP) | Jouni Malinen | 2020-05-29 | 2 | -0/+30
  Add hostapd configuration parameters oci_freq_override_* to allow the OCI channel information to be overridden for various frames for testing purposes. This can be set in the configuration and also updated during the runtime of a BSS.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* hostapd: Extend RESET_PN for BIGTK | Johannes Berg | 2020-05-16 | 1 | -0/+26
  Extend the RESET_PN command to allow resetting the BIGTK PN for testing.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* DPP2: Chirping in hostapd Enrollee | Jouni Malinen | 2020-05-13 | 2 | -0/+11
  Add a new hostapd control interface command "DPP_CHIRP own=<BI ID> iter=<count>" to request chirping, i.e., sending of Presence Announcement frames, to be started. This follows the model of similar wpa_supplicant functionality from commit 562f77144cd2 ("DPP2: Chirping in wpa_supplicant Enrollee"). The hostapd case requires the AP to be started without beaconing, i.e., with start_disabled=1 in hostapd configuration, to allow iteration of channels needed for chirping.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Handle hostapd_for_each_interface() at the process termination | Jouni Malinen | 2020-05-13 | 1 | -0/+3
  Clean struct hapd_interfaces pointers and interface count during deinitialization at the end of the hostapd process termination so that a call to hostapd_for_each_interface() after this does not end up dereferencing freed memory. Such cases do not exist before this commit, but can be added after this, e.g., for DPP needs.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move TCP encapsulation into a separate source code file | Jouni Malinen | 2020-05-11 | 2 | -0/+2
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move configurator backup into a separate source code file | Jouni Malinen | 2020-05-11 | 2 | -0/+2
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move authentication functionality into a separate source code file | Jouni Malinen | 2020-05-11 | 2 | -0/+2
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Reconfig Announcement transmission | Jouni Malinen | 2020-05-11 | 2 | -0/+2
  Extend DPP chirping mechanism to allow Reconfig Announcement frames to be transmitted instead of the Presence Announcement frames. Add a new wpa_supplicant control interface command "DPP_RECONFIG <network id>" to initiate reconfiguration for a specific network profile.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move PKEX functionality into a separate source code file | Jouni Malinen | 2020-05-11 | 2 | -0/+2
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move crypto routines into a separate source code file | Jouni Malinen | 2020-05-11 | 2 | -0/+2
  This is an initial step in splitting the overly long dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Allow version number to be overridden for testing purposes | Jouni Malinen | 2020-05-03 | 1 | -0/+7
  "SET dpp_version_override <ver>" can now be used to request wpa_supplicant and hostapd to support a subset of DPP versions. In practice, the only valid case for now is to fall back from DPP version 2 support to version 1 in builds that include CONFIG_DPP2=y.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Silence compiler warning in no-NEED_AP_MLME hostapd builds | Jouni Malinen | 2020-04-19 | 1 | -0/+2
  The static function hostapd_ctrl_check_freq_params() was called only within #ifdef NEED_AP_MLME block so the function needs to be defined under matching condition.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* driver: Add second driver capability flags bitmap | Jouni Malinen | 2020-04-19 | 2 | -0/+32
  All 64 bits of the capability flags bitmap are used, so add a new variable to hold future capability bits.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow TKIP support to be removed from build | Disha Das | 2020-04-17 | 3 | -0/+15
  Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from hostapd and wpa_supplicant builds. This disables use of TKIP as both the pairwise and group cipher. The end result does not interoperate with a WPA(v1)-only device or WPA+WPA2 mixed modes.
  Signed-off-by: Disha Das <dishad@codeaurora.org>
* FT: Testing override for RSNXE Used subfield in FTE (AP) | Jouni Malinen | 2020-04-16 | 2 | -0/+8
  Allow hostapd to be requested to override the RSNXE Used subfield in FT reassociation case for testing purposes with "ft_rsnxe_used=<0/1/2>" where 0 = no override, 1 = override to 1, and 2 = override to 0.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Fix build without DPP/OWE/ERP | Jouni Malinen | 2020-04-04 | 2 | -0/+2
  SAE needs sha256-kdf.c to be included in the build.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Validate the country_code parameter value | Sriram R | 2020-03-30 | 1 | -0/+7
  cfg80211/regulatory supports only ISO 3166-1 alpha2 country code and that's what this parameter is supposed to use, so validate the country code input before accepting the value. Only characters A..Z are accepted.
  Signed-off-by: Sriram R <srirrama@codeaurora.org>
* hostapd: Add support for DFS channels in CHAN_SWITCH | Sergey Matyukevich | 2020-03-29 | 1 | -0/+59
  Enable support for DFS channels in the CHAN_SWITCH command. Perform CAC instead of CSA if DFS channel is selected. Then restart normal AP operations.
  Note that the current implementation provides a simplified approach. It does not check if the selected DFS channel block is already in the HOSTAPD_CHAN_DFS_AVAILABLE state. CAC procedure is restarted anyway.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* hostapd: Basic channel check for CHAN_SWITCH parameters | Sergey Matyukevich | 2020-03-29 | 1 | -0/+97
  Implement channel sanity check for the CHAN_SWITCH command. Verify provided values for bandwidth, frequencies, and secondary channel offset. Reject requested channel switch operation if basic constraints on frequencies and bandwidth are not fulfilled.
  Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
* Add a hostapd testing option for skipping association pruning | Jouni Malinen | 2020-03-28 | 1 | -0/+2
  The new skip_prune_assoc=1 parameter can be used to configure hostapd not to prune associations from other BSSs operated by the same process when a station associates with another BSS. This can be helpful in testing roaming cases where association and authorization state is maintained in an AP when the station returns.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP2: Allow AP to require or reject PFS | Jouni Malinen | 2020-03-28 | 2 | -0/+16
  The new hostapd configuration parameter dpp_pfs can be used to specify how PFS is applied to associations. The default behavior (dpp_pfs=0) remains the same as it was previously, i.e., allow the station to decide whether to use PFS. PFS use can now be required (dpp_pfs=1) or rejected (dpp_pfs=2).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Configurator Connectivity indication | Jouni Malinen | 2020-03-27 | 2 | -0/+7
  Add a new hostapd configuration parameter dpp_configurator_connectivity=1 to request Configurator connectivity to be advertised for chirping Enrollees.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Add DPP_BOOTSTRAP_SET command | Jouni Malinen | 2020-03-27 | 1 | -0/+5
  "DPP_BOOTSTRAP_SET <ID> <configurator parameters..>" can now be used to set peer specific configurator parameters which will override any global parameters from dpp_configurator_params.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Fix Extended Key ID parameter check | Alexander Wetzel | 2020-03-25 | 1 | -2/+2
  Check the new variable to be set instead of the current setting.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Allow hostapd AP to advertise Transition Disable KDE | Jouni Malinen | 2020-03-25 | 2 | -0/+19
  The new hostapd configuration parameter transition_disable can now be used to configure the AP to advertise that use of a transition mode is disabled. This allows stations to automatically disable transition mode by disabling less secure network profile parameters.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Support Extended Key ID | Alexander Wetzel | 2020-03-23 | 3 | -0/+29
  Support Extended Key ID in hostapd according to IEEE Std 802.11-2016.
  Extended Key ID allows to rekey pairwise keys without the otherwise unavoidable MPDU losses on a busy link. The standard is fully backward compatible, allowing an AP to serve STAs with and without Extended Key ID support in the same BSS.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Allow RSNXE to be removed from Beacon frames for testing purposes | Jouni Malinen | 2020-03-20 | 1 | -0/+2
  The new hostapd configuration parameter no_beacon_rsnxe=1 can be used to remove RSNXE from Beacon frames. This can be used to test protection mechanisms for downgrade attacks.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow RSNE/RSNXE to be replaced in FT protocol Reassociation Response frame | Jouni Malinen | 2020-03-15 | 1 | -0/+6
  This can be used to test station side behavior for FT protocol validation steps.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Allow RSNE in EAPOL-Key msg 3/4 to be replaced for testing purposes | Jouni Malinen | 2020-03-07 | 1 | -0/+3
  The new hostapd configuration parameter rsne_override_eapol can now be used similarly to the previously added rsnxe_override_eapol to override (replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used for station protocol testing to verify sufficient checks for RSNE modification between the Beacon/Probe Response frames and EAPOL-Key msg 3/4.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Make WEP functionality an optional build parameter | Jouni Malinen | 2020-02-29 | 5 | -0/+30
  WEP should not be used for anything anymore. As a step towards removing it completely, move all WEP related functionality to be within CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y is explicitly set in build configuration.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Simplify wpa_deny_ptk0_rekey documentation | Alexander Wetzel | 2020-02-23 | 1 | -18/+4
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* Add wpa_deny_ptk0_rekey to AP get_config() output | Alexander Wetzel | 2020-02-23 | 1 | -0/+8
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
* hostapd: Replace UDP ctrl_iface global cookies with per-instance ones | Janusz Dziedzic | 2020-02-23 | 1 | -20/+21
  The cookie values for UDP control interface commands were defined as a static global array. This did not allow multi-BSS test cases to be executed with UDP control interface. For example, after
    hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
    hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')
  hapd1->ping() did not work.
  Move those cookie values to per-instance location in struct hapd_interfaces and struct hostapd_data to fix this.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
* Use IFNAME= prefix for global UDP control interface events | Janusz Dziedzic | 2020-02-23 | 1 | -5/+0
  There does not seem to be a good reason for using the different IFACE= prefix on the UDP control interface. This got added when the UDP interface in wpa_supplicant was extended in commit f0e5d3b5c6c7 ("wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions") and that was then extended to hostapd in commit e9208056856c ("hostapd: Extend global control interface notifications").
  Replace the IFACE= prefix in UDP case with IFNAME= to be consistent with the UNIX domain socket based control interface.
  This fixes a problem when at least one test case fails (hapd_ctrl_sta) when remote/udp is used. This also fixes test_connectivity().
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
* AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround | Alexander Wetzel | 2020-02-23 | 2 | -0/+43
  Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken implementations and should be avoided when using or interacting with one. The effects can be triggered by either end of the connection and range from hardly noticeable disconnects over long connection freezes up to leaking clear text MPDUs.
  To allow affected users to mitigate the issues, add a new hostapd configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with disconnection. This requires the station to reassociate to get connected again and as such, can result in connectivity issues as well.
  Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>