Add support for additional (vendor) elements to be added
to only Probe Response frames, for testing.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.
This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.
Signed-off-by: Jouni Malinen <j@w1.fi>
src/ap/ap_config.c is not really supposed to call directly into a
function in hostapd/config_file.c. Furthermore, the wrapper through
ap_config.c did not really have any real value since it just called a
function that is within hostapd/*.c and that wrapper was called from
hostapd/*.c.
Instead of the wrapper, just call the function directly within the
hostapd directory.
Fixes: 392114a179 ("FT: Add dynamic reload of RxKH definitions from file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd reads the list of Rx Key Holders from hostapd.conf file.
However, for systems where topology changes dynamically, the update
of RxKHs list is required without reloading the whole configuration.
Introduce a new source of RxKH definition with original syntax:
- rxkh_file - Path to a file containing a list of RxKHs.
In addition, add a control interface command RELOAD_RXKHS to
reload RxKHs definition from the file specified in `rxkh_file`.
This allows hostapd to properly distribute Rx keys even after topology
change (assuming rxkh_file is updated and reload_rxkhs command issued).
Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
from original hostapd.conf file.
```
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
```
Signed-off-by: Dariusz Kopka <dariusz@plume.com>
Allow additional elements and KDEs to be added to EAPOL-Key msg 1/4 and
3/4 and allow EAPOL-Key msg 3/4 Key Data field to be not encrypted.
These are for testing purposes to enable a convenient mechanism for
testing supplicant behavior with either potential future extensions or
incorrect Authenticator behavior.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:
@@
expression a,b;
@@
- os_memcmp(a, b, ETH_ALEN) == 0
+ ether_addr_equal(a, b)
@@
expression a,b;
@@
- os_memcmp(a, b, ETH_ALEN) != 0
+ !ether_addr_equal(a, b)
@@
expression a,b;
@@
- !os_memcmp(a, b, ETH_ALEN)
+ ether_addr_equal(a, b)
Signed-off-by: Jouni Malinen <j@w1.fi>
Introduce a new configuration option, "eht_bw320_offset", which enables
devices to specify a preferred channelization for 320 MHz BSSs when
using automatic channel selection (ACS). This option is applicable only
when the channel is not already decided and the bandwidth is set to 320
MHz.
The value and meaning of the option:
0: auto-detected by ACS
1: 320 MHz-1
2: 320 MHz-2
Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
If the regulatory client EIRP PSD values advertised by an AP that is a
standard power AP or indoor standard power AP are insufficient to ensure
that regulatory client limits on total EIRP are always met for all
transmission bandwidths within the bandwidth of the AP’s BSS, the AP
shall also send a TPE element in Beacon and Probe Response frames as
that depicts the regulatory client EIRP limit.
Add support for this.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add configuration options for setting the Tx Power value
in the Transmit Power Envelope for 6 GHz:
- The Tx power value for default client where the transmit
power interpretation is "Regulatory Client EIRP PSD"
- The Tx power value for subordinate client where the transmit
power interpretation is "Regulatory Client EIRP PSD"
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Update the HE regulatory information AP types based on IEEE
P802.11-REVme/D4.0. Set the default AP type to VLP. Check for valid
values when setting 'he_6ghz_reg_pwr_type' in the interface
configuration.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Allow the EAP-SIM/AKA server to be configured to use a smaller limit for
the number of times fast re-authentication can be used before falling
back to running full authentication. This is particularly useful for EAP
peer testing to cover cases when falling back from fast
re-authentication to full authentication in various different cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Per IEEE P802.11az/D7.0, 12.12.3.2 (PASN Frame Construction and
Processing), responder should REFUSE PASN authentication frame 1 with
Base AKM as PASN AKM if dot11NoAuthPASNActivated is false. That
configuration was not previously available and hostapd was hardcoded
with dot11NoAuthPASNActivated being true.
Allow this to be configured and reject PASN authentication frame 1 from
initiator if pasn_noauth=0 and Base AKM in RSNE of this frame is PASN.
The default value for pasn_noauth is 1 to maintain previous
functionality even though the dot11NoAuthPASNActivated is defined to
have default value of false.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
FILS discovery frame generation currently assumes HE support for
calculating the number of spatial streams. Add a check to reject
the configuration if the feature is enabled without enabling HE.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add configuration option 'mbssid' used to enable multiple BSSID (MBSSID)
and enhanced multiple BSSID advertisements (EMA) features.
Reject the configuration if any of the BSSes have hidden SSID enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz. So lets automatically enable it by
setting sae_pwe=2. This will allow both the hunting-and-pecking and
hash-to-element to work (and be backward compatible).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This allows the DPP Configuration Request Object from an Enrollee to be
extended with 3rd party information. The new dpp_extra_conf_req_name and
dpp_extra_conf_req_value configuration parameters specify the name of
the added JSON node and its contents. For example:
dpp_extra_conf_req_name=org.example
dpp_extra_conf_req_value={"a":1,"b":"test"}
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.
Enabling HE is mandatory to enable EHT mode.
Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.
Signed-off-by: Jouni Malinen <j@w1.fi>
Reduced neighbor report has a field to indicate whether unsolicited
Probe Response transmission is active. Add a check to return failure if
both FILS discovery and unsolicited Probe Response are enabled at the
same time to ensure that RNR includes valid data.
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Commit 0cb39f4fd5 ("HE: Extend BSS color support") sets the BSS Color
default value to 1 as "Interoperability testing showed that stations
will require a BSS color to be set even if the feature is disabled."
A new interop issue was observed with hardcoded BSS color value of 1:
- REF device using one interface (e.g., wlan0) to connect to an HE
AP, whose BSS color is enabled and value is 1.
- REF device using another interface (e.g., p2p0) to connect to a
P2P GO using BSS color default settings.
(i.e., BSS color disabled and value is 1).
- REF device checks both AP's and P2P GO's BSS Color values even though
GO's BSS color is disabled. This causes collision of the BSS
color somehow causing RX problems.
For DUT as a P2P GO, its firmware uses default BSS color value 1 from
wpa_supplicant, then triggers a timer (e.g., 120 s) to update its BSS
color values based on its neighboring BSSes. To reduce the likelihood of
BSS color collision with REF device before that, use a random BSS Color
if not defined in the config file.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add user configuration he_twt_responder for enabling/disabling TWT
responder role, in addition to checking the driver's capability. The
default configuration is to enable TWT responder role when the driver
supports this.
Signed-off-by: Mohammad Asaad Akram <asadkrm@codeaurora.org>
Reuse the SAE anti-clogging token implementation to support similar
design with the PASN comeback cookie.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
PASN authentication mandates support for comeback flow, which
among others can be used for anti-clogging purposes.
As the SAE support for anti clogging can also be used for PASN,
start modifying the source code so the anti clogging support
can be used for both SAE and PASN.
As a start, rename some variables/functions etc. so that they would not
be SAE specific. The configuration variable is also renamed, but the old
version remains available for backwards compatibility.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Allow the RADIUS client socket to be bound to a specific netdev. This
helps hostapd work better in VRF and other fancy network environments.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Andreas Tobler <andreas.tobler at onway.ch>
Add hostapd configuration parameters for FILS Discovery frame
transmission interval and prepare a template for FILS Discovery frame
for the driver interface. The actual driver interface changes are not
included in this commit.
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Enable user to configure Maximum MPDU Length, Maximum A-MPDU Length
Exponent, Rx Antenna Pattern Consistency, and Tx Antenna Pattern
Consistency of 6 GHz capability through config file.
Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
Add the ability to disable HT/VHT/HE for specific BSS from hostapd.conf.
- Add disable_11ax boolean to hostapd_bss_config.
- Change disable_11n and disable_11ac to bool in hostapd_bss_config.
- Add configuration option to set these disable_11* parameters
(which were previously used only automatically based on incompatible
security parameters to disable HT/VHT).
Signed-off-by: Shay Bar <shay.bar@celeno.com>
Add support to skip sae_pk password check under compile flag
CONFIG_TESTING_OPTIONS which allows AP to be configured with
sae_pk enabled but a password that is invalid for sae_pk.
Signed-off-by: Shaakir Mohamed <smohamed@codeaurora.org>
This prevents use of a SAE-PK style password as the WPA-PSK passphrase
only if the same password is not also enabled through sae_password for
use with SAE-PK.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new sae_commit_status and sae_pk_omit configuration parameters and
an extra key at the end of sae_password pk argument can be used to
override SAE-PK behavior for testing purposes.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds AP side functionality for SAE-PK. The new sae_password
configuration parameters can now be used to enable SAE-PK mode whenever
SAE is enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.
Signed-off-by: Disha Das <dishad@codeaurora.org>
The new hostapd configuration parameter rsne_override_eapol can now be
used similarly to the previously added rsnxe_override_eapol to override
(replace contents or remove) RSNE in EAPOL-Key msg 3/4. This can be used
for station protocol testing to verify sufficient checks for RSNE
modification between the Beacon/Probe Response frames and EAPOL-Key msg
3/4.
Signed-off-by: Jouni Malinen <j@w1.fi>
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
