pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.
Enabling HE is mandatory to enable EHT mode.
Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reduced neighbor report has a field to indicate whether unsolicited
Probe Response transmission is active. Add a check to return failure if
both FILS discovery and unsolicited Probe Response are enabled at the
same time to ensure that RNR includes valid data.
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Commit 0cb39f4fd5 ("HE: Extend BSS color support") sets the BSS Color
default value to 1 as "Interoperability testing showed that stations
will require a BSS color to be set even if the feature is disabled."
A new interop issue was observed with hardcoded BSS color value of 1:
- REF device using one interface (e.g., wlan0) to connect to an HE
AP, whose BSS color is enabled and value is 1.
- REF device using another interface (e.g., p2p0) to connect to a
P2P GO using BSS color default settings.
(i.e., BSS color disabled and value is 1).
- REF device checks both AP's and P2P GO's BSS Color values even though
GO's BSS color is disabled. This causes collision of the BSS
color somehow causing RX problems.
For DUT as a P2P GO, its firmware uses default BSS color value 1 from
wpa_supplicant, then triggers a timer (e.g., 120 s) to update its BSS
color values based on its neighboring BSSes. To reduce the likelihood of
BSS color collision with REF device before that, use a random BSS Color
if not defined in the config file.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add user configuration he_twt_responder for enabling/disabling TWT
responder role, in addition to checking the driver's capability. The
default configuration is to enable TWT responder role when the driver
supports this.
Signed-off-by: Mohammad Asaad Akram <asadkrm@codeaurora.org>
Reuse the SAE anti-clogging token implementation to support similar
design with the PASN comeback cookie.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
PASN authentication mandates support for comeback flow, which
among others can be used for anti-clogging purposes.
As the SAE support for anti clogging can also be used for PASN,
start modifying the source code so the anti clogging support
can be used for both SAE and PASN.
As a start, rename some variables/functions etc. so that they would not
be SAE specific. The configuration variable is also renamed, but the old
version remains available for backwards compatibility.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Allow the RADIUS client socket to be bound to a specific netdev. This
helps hostapd work better in VRF and other fancy network environments.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
Add hostapd configuration parameters for FILS Discovery frame
transmission interval and prepare a template for FILS Discovery frame
for the driver interface. The actual driver interface changes are not
included in this commit.
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Enable user to configure Maximum MPDU Length, Maximum A-MPDU Length
Exponent, Rx Antenna Pattern Consistency, and Tx Antenna Pattern
Consistency of 6 GHz capability through config file.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Add the ability to disable HT/VHT/HE for specific BSS from hostapd.conf.
- Add disable_11ax boolean to hostapd_bss_config.
- Change disable_11n and disable_11ac to bool in hostapd_bss_config.
- Add configuration option to set these disable_11* parameters
(which were previously used only automatically based on incompatible
security parameters to disable HT/VHT).
Signed-off-by: Shay Bar <shay.bar@celeno.com>
Add support to skip sae_pk password check under compile flag
CONFIG_TESTING_OPTIONS which allows AP to be configured with
sae_pk enabled but a password that is invalid for sae_pk.
Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
This prevents use of a SAE-PK style password as the WPA-PSK passphrase
only if the same password is not also enabled through sae_password for
use with SAE-PK.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new sae_commit_status and sae_pk_omit configuration parameters and
an extra key at the end of sae_password pk argument can be used to
override SAE-PK behavior for testing purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds AP side functionality for SAE-PK. The new sae_password
configuration parameters can now be used to enable SAE-PK mode whenever
SAE is enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.
Signed-off-by: Disha Das <dishad@codeaurora.org>
The new hostapd configuration parameter rsne_override_eapol can now be
used similarly to the previously added rsnxe_override_eapol to override
(replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used
for station protocol testing to verify sufficient checks for RSNE
modification between the Beacon/Probe Response frames and EAPOL-Key msg
3/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.
Signed-off-by: Jouni Malinen <j@w1.fi>
The HE Operation field for BSS color consists of a disabled, a partial,
and 6 color bits. The original commit adding support for BSS color
considered this to be a u8. This commit changes this to the actual
bits/values.
This adds an explicit config parameter for the partial bit. The disabled
is set to 0 implicitly if a bss_color is defined.
Interoperability testing showed that stations will require a BSS color
to be set even if the feature is disabled. Hence the default color is 1
when none is defined inside the config file.
Signed-off-by: John Crispin <john@phrozen.org>
By default, when configuration file set wpa_psk_file, hostapd generated
a random PSK for each Enrollee provisioned using WPS and appended that
PSK to wpa_psk_file.
Changes that behavior by adding a new step. WPS will first try to use a
PSK from wpa_psk_file. It will only try PSKs with wps=1 tag.
Additionally it'll try to match enrollee's MAC address (if provided). If
it fails to find an appropriate PSK, it falls back to generating a new
PSK.
Signed-off-by: Tomasz Jankowski <tomasz.jankowski@plume.com>
The new sae_pwe=3 mode can be used to test non-compliant behavior with
SAE Password Identifiers. This can be used to force use of
hunting-and-pecking loop for PWE derivation when Password Identifier is
used. This is not allowed by the standard and as such, this
functionality is aimed at compliance testing.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Application Extension attribute is defined in WSC tech spec v2.07 page
104. Allow hostapd to be configured to add this extension into WPS IE in
Beacon and Probe Response frames. The implementation is very similar to
vendor extension.
A new optional entry called "wps_application_ext" is added to hostapd
config file to configure this. It enodes the payload of the Application
Extension attribute in hexdump format.
Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
The new hostapd gtk_rsc_override and igtk_rsc_override configuration
parameters can be used to set an override value for the RSC that the AP
advertises for STAs for GTK/IGTK. The contents of those parameters is a
hexdump of the RSC in little endian byte order.
This functionality is available only in CONFIG_TESTING_OPTIONS=y builds.
This can be used to verify that stations implement initial RSC
configuration correctly for GTK/ and IGTK.
Signed-off-by: Jouni Malinen <j@w1.fi>
The channel numbers are duplicated between 2.4 GHz / 5 GHz bands and 6
GHz band. Hence, add support to configure a list of frequencies to ACS
(freqlist) instead of a list of channel numbers (chanlist). Also, both 5
GHz and 6 GHz channels are referred by HOSTAPD_MODE_IEEE80211A. The 6
GHz channels alone can be configured by using both mode and frequency
list.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This new hostapd configuration parameter rsnxe_override_eapol=<hexdump>
can be used to override RSNXE value in EAPOL-Key msg 3/4 for testing
purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, nonzero sae_h2e parameter values were used to perform SAE
H2E specific operations (deriving PT, adding RSNXE, adding H2E-only BSS
membership selector) in AP mode even if SAE was not enabled for the
network. This could result in unexpected behavior if sae_pwe=1 or
sae_pwe=2 were set in the configuration. Fix this by making the SAE
operations conditional on SAE being actually enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd and wpa_supplicant configuration parameters dpp_name and
dpp_mud_url can now be used to set a specific name and MUD URL for the
Enrollee to use in the Configuration Request. dpp_name replaces the
previously hardcoded "Test" string (which is still the default if an
explicit configuration entry is not included). dpp_mud_url can
optionally be used to add a MUD URL to describe the Enrollee device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow the previously hardcoded maximum numbers of EAP message rounds to
be configured in hostapd EAP server. This can be used, e.g., to increase
the default limits if very large X.509 certificates are used for EAP
authentication.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration option eap_sim_id can now be used to
disable use of pseudonym and/or fast reauthentication with EAP-SIM,
EAP-AKA, and EAP-AKA'.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add an SQLite table for defining per station MAC address version of
radius_auth_req_attr/radius_acct_req_attr information. Create the
necessary table and index where this doesn't exist. Select attributes
from the table keyed by station MAC address and request type (auth or
acct), parse and apply to a RADIUS message.
Add radius_req_attr_sqlite hostapd config option for SQLite database
file. Open/close RADIUS attribute database for a lifetime of a BSS and
invoke functions to add extra attributes during RADIUS auth and
accounting request generation.
Signed-off-by: Terry Burton <tez@terryburton.co.uk>
We will want to parse RADIUS attributes in config file format when
retrieving them from an SQLite database.
Signed-off-by: Terry Burton <tez@terryburton.co.uk>
hostapd EAP server can now be configured with two separate server
certificates/keys to enable parallel operations using both RSA and ECC
public keys. The server will pick which one to use based on the client
preferences for the cipher suite (in the TLS ClientHello message). It
should be noted that number of deployed EAP peer implementations do not
filter out the cipher suite list based on their local configuration and
as such, configuration of alternative types of certificates on the
server may result in interoperability issues.
Signed-off-by: Jouni Malinen <j@w1.fi>