Extend hostapd to allow the new OSU Provider NAI List ANQP-element to be
advertised in addition to the previously used OSU Providers list
ANQP-element. The new osu_nai2 configurator parameter option is used to
specify the OSU_NAI value for the shared BSS (Single SSID) case while
osu_nai remains to be used for the separate OSU BSS.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Clarify that wpa=2 (i.e., RSN) is used for WPA3 and list previously
undocumented wpa_key_mgmt values.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows hostapd DAS to be configured to allow any DAC (with the
matching shared secret) to send Disconnect-Request and CoA-Request
packets.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This makes it more convenient to generate the URL in a way that
interoperates between different vendors. The AP is simply copying the
already constructed URL as-is from Access-Accept to WNM-Notification.
This means that the HO AAA can generate the URL in a manner that works
for the associated T&C Server without having to coordinate with each AP.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends the SAE implementation in both infrastructure and mesh BSS
cases to allow an optional Password Identifier to be used. This uses the
mechanism added in P802.11REVmd/D1.0. The Password Identifier is
configured in a wpa_supplicant network profile as a new string parameter
sae_password_id. In hostapd configuration, the existing sae_password
parameter has been extended to allow the password identifier (and also a
peer MAC address) to be set. In addition, multiple sae_password entries
can now be provided to hostapd to allow multiple per-peer and
per-identifier passwords to be set.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd Access-Accept processing to check if the RADIUS
server indicated that Terms and Conditions Acceptance is required. The
new hs20_t_c_server_url parameter is used to specify the server URL
template that the STA is requested to visit.
This commit does not enable any kind of filtering, i.e., only the part
of forwarding a request from Access-Accept to the STA using
WNM-Notification is covered.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd with two new configuration parameters
(hs20_t_c_filename and hs20_t_c_timestamp) that can be used to specify
that the Terms and Conditions attributes are to be added into all
Access-Request messages for Hotspot 2.0 STAs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd Hotspot 2.0 implementation to allow operator icons
to be made available. The existing hs20_icon parameter is used to define
the icons and the new operator_icon parameter (zero or more entries) is
used to specify which of the available icons are operator icons. The
operator icons are advertised in the Operator Icon Metadata ANQP-element
while the icon data can be fetched using the same mechanism (icon
request/binary file) that was added for the OSU Providers icons.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
IEEE Std 802.11-2016, 12.7.1.7.1 indicates that the lifetime of the
PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which
the key was derived. This is currently stored in r0_key_lifetime, but
cache entries are not actually removed.
This commit uses the r0_key_lifetime configuration parameter when
wpa_auth_derive_ptk_ft() is called. This may need to be extended to use
the MSK lifetime, if provided by an external authentication server, with
some future changes. For PSK, there is no such lifetime, but it also
matters less as FT-PSK can be achieved without inter-AP communication.
The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies
that the given timeout for sanity, it may not exceed the locally configured
r1_max_key_lifetime.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Add a new configuration option ft_r0_key_lifetime that deprecates
r0_key_lifetime. Though, the old configuration is still accepted for
backwards compatibility.
This simplifies testing. All other items are in seconds as well. In
addition, this makes dot11FTR0KeyLifetime comment match with what got
standardized in the end in IEEE Std 802.11r-2008.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
The new venue_url parameter can now be used to set the Venue URL ANQP
information instead of having to construct the data and use
anqp_elem=277:<hexdump> to set the raw value.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to
enforce negotiation of MFP for all associations that negotiate use of
SAE. This is used in cases where SAE-capable devices are known to be
MFP-capable and the BSS is configured with optional MFP (ieee80211w=1)
for legacy support. The non-SAE stations can connect without MFP while
SAE stations are required to negotiate MFP if sae_require_mfp=1.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd.conf parameter sae_sync (default: 5) can now be used to
configure the dot11RSNASAESync value to specify the maximum number of
synchronization errors that are allowed to happen prior to
disassociation of the offending SAE peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows external programs to get the average channel utilization.
The average channel utilization is calculated and reported through
STATUS command. Users need to configure chan_util_avg_period and
bss_load_update_period in hostapd config to get the average channel
utilization.
Signed-off-by: Bhagavathi Perumal S <bperumal@qti.qualcomm.com>
The new hostapd configuration parameter group_cipher can now be used to
override the automatic cipher selection based on enabled pairwise
ciphers. It should be noted that selecting an unexpected group cipher
can result in interoperability issues and this new capability is mainly
for testing purposes.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Normally, WNM-Sleep Mode exit with management frame protection
negotiated would result in the current GTK/IGTK getting added into the
WNM-Sleep Mode Response frame. Some station implementations may have a
vulnerability that results in GTK/IGTK reinstallation based on this
frame being replayed. Add a new hostapd configuration parameter that can
be used to disable that behavior and use EAPOL-Key frames for GTK/IGTK
update instead. This would likely be only used with
wpa_disable_eapol_key_retries=1 that enables a workaround for similar
issues with EAPOL-Key. This is related to station side vulnerabilities
CVE-2017-13087 and CVE-2017-13088. To enable this AP-side workaround,
set wnm_sleep_mode_no_keys=1.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds a new hostapd configuration parameter
wpa_disable_eapol_key_retries=1 that can be used to disable
retransmission of EAPOL-Key frames that are used to install
keys (EAPOL-Key message 3/4 and group message 1/2). This is
similar to setting wpa_group_update_count=1 and
wpa_pairwise_update_count=1, but with no impact to message 1/4
retries and with extended timeout for messages 4/4 and group
message 2/2 to avoid causing issues with stations that may use
aggressive power saving have very long time in replying to the
EAPOL-Key messages.
This option can be used to work around key reinstallation attacks
on the station (supplicant) side in cases those station devices
cannot be updated for some reason. By removing the
retransmissions the attacker cannot cause key reinstallation with
a delayed frame transmission. This is related to the station side
vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
CVE-2017-13080, and CVE-2017-13081.
This workaround might cause interoperability issues and reduced
robustness of key negotiation especially in environments with
heavy traffic load due to the number of attempts to perform the
key exchange is reduced significantly. As such, this workaround
is disabled by default (unless overridden in build
configuration). To enable this, set the parameter to 1.
It is also possible to enable this in the build by default by
adding the following to the build configuration:
CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
Signed-off-by: Jouni Malinen <j@w1.fi>
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.
This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.
Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new sae_password hostapd configuration parameter can now be used to
set the SAE password instead of the previously used wpa_passphrase
parameter. This allows shorter than 8 characters and longer than 63
characters long passwords to be used. In addition, this makes it
possible to configure a BSS with both WPA-PSK and SAE enabled to use
different passphrase/password based on which AKM is selected.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd configuration parameter owe_groups can be used to
specify a subset of the allowed DH groups as a space separated list of
group identifiers.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The owe_transition_bssid and owe_transition_ssid parameters can now be
replace with owe_transition_ifname to clone the BSSID/SSID information
automatically in case the same hostapd process manages both the OWE and
open BSS for transition mode.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new owe_transition_bssid and owe_transition_ssid parameters can be
used to configure hostapd to advertise the OWE Transition Mode element.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".
This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.
[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
Add OCE IE in Beacon, Probe Response, and (Re)Association Response
frames if OCE is enabled in the configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The default value for GTK rekeying period was previously hardcoded to
600 seconds for all cases. Leave that short value only for TKIP as group
cipher while moving to the IEEE 802.11 default value of 86400 seconds
(once-per-day) for CCMP/GCMP.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new acs_exclude_dfs=1 parameter can be used to request hostapd to
exclude all DFS channels from ACS consideration. This is mainly of use
for cases where the driver supports DFS channels, but for some reason a
non-DFS channel is desired when using automatic channel selection.
Previously, the chanlist parameter could have been used for this, but
that required listing all the acceptable channels. The new parameter
allows this to be done without such a list.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Enable use of FT RRB without configuring each other AP locally. Instead,
broadcast messages are exchanged to discover APs within the local
network.
When an R0KH or R1KH is discovered, it is cached for one day.
When a station uses an invalid or offline r0kh_id, requests are always
broadcast. In order to avoid this, if r0kh does not reply, a temporary
blacklist entry is added to r0kh_list.
To avoid blocking a valid r0kh when a non-existing pmk_r0_name is
requested, r0kh is required to always reply using a NAK. Resend requests
a few times to ensure blacklisting does not happen due to small packet
loss.
To free newly created stations later, the r*kh_list start pointer in
conf needs to be updateable from wpa_auth_ft.c, where only wconf is
accessed.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher
to protect the messages.
This needs at least 32 byte long keys. These can be provided either
by a config file change or letting a KDF derive the 32 byte key used
from the 16 byte key given.
This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
This adds an option to configure hostapd to enable use of perfect
forward secrecy option in FILS shared key authentication. A new build
option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A
new runtime configuration parameter fils_dh_group is used to enable this
by specifying which DH group to use. For example, fils_dh_group=19 would
allow FILS SK PFS to be used with a 256-bit random ECP group.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends the GAS server to process MBO ANQP-elements and reply to a
query for the Cellular Data Connection Preference (if configured). The
new configuration parameter mbo_cell_data_conn_pref can be used to set
the value (0, 1, or 255) for the preference to indicate.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new hostapd.conf parameter country3 can now be used to configure the
third octet of the Country String that was previously hardcoded to ' '
(= 0x20).
For example:
All environments of the current frequency band and country (default)
country3=0x20
Outdoor environment only
country3=0x4f
Indoor environment only
country3=0x49
Noncountry entity (country_code=XX)
country3=0x58
IEEE 802.11 standard Annex E table indication: 0x01 .. 0x1f
Annex E, Table E-4 (Global operating classes)
country3=0x04
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new broadcast_deauth parameter can be used to disable sending of the
Deauthentication frame whenever AP is started or stopped. The default
behavior remains identical to the past behavior (broadcast_deauth=1).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It can happen if the station is unreachable or sleeping longer than
the actual total GTK rekey timeout. To fix the latter case
wpa_group_update_count may be increased.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).
Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.
The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
rrm_beacon_report=1 can now be used to make hostapd advertise capability
for beacon reports (passive, active, table). Actual mechanism for
sending out beacon requests will be added in separate commits.
Signed-off-by: Jouni Malinen <j@w1.fi>
The after_beacon and beacon TX queue parameters has not been
configurable through this mechanism for years, so do not list them in
hostapd.conf notes.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.
By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.
When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.
This also does not implement Directed Multicast Service (DMS).
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Allow configuration of Beacon frame TX rate from hostapd.conf with
"beacon_rate=xx" option. The following format is used to set
legacy/HT/VHT beacon rates:
Legacy (CCK/OFDM rates):
beacon_rate=<legacy rate in 100 kbps>
HT:
beacon_rate=ht:<HT MCS>
VHT:
beacon_rate=vht:<VHT MCS>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a configuration option in hostapd.conf and in neighbor report that
sets an AP as stationary. To enable this option on the current AP set
the config option stationary_ap to 1. To set a neighbor entry to be
marked as stationary add the word stat to the SET_NEIGHBOR command. This
option tells hostapd to send LCI data even if it is older than requested
by max age subelement in RRM request.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
This adds CONFIG_FILS=y build configuration option and new key
management options for FILS authentication.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Station should be able to connect initially without ft_pmk_cache filled,
so the target AP has the PSK available and thus the same information as
the origin AP. Therefore neither caching nor communication between the
APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target
AP derives the required PMKs locally.
This patch introduces the generation of the required PMKs locally for
FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK.
So for FT-PSK networks, no configuration of inter-AP communication is
needed anymore when using ft_psk_generate_local=1 configuration. The
default behavior (ft_psk_generate_local=0) remains to use the pull/push
protocol.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Add configuration options that control publishing of fine timing
measurement (FTM) responder and initiator functionality via bits 70, 71
of Extended Capabilities element. Typically, FTM functionality is
controlled by a location framework outside hostapd. When framework is
activated, it will use hostapd to configure the AP to publish the FTM
functionality. See IEEE P802.11-REVmc/D7.0, 9.4.2.27.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Some deployed stations incorrectly consider nsts capability in
(Re)Association Response frame as required capability instead of maximum
capability and if it is greater than station's capability then beamform
will not happen in uplink traffic.
This commit adds support for an optional workaround to use station's
nsts capability in (Re)Association Response frame if the station's nsts
is less than AP by using the use_sta_nsts=1 configuration parameter.
This configuration is introduced in this commit and it is disabled by
default.
Signed-off-by: Tamizh chelvam <c_traja@qti.qualcomm.com>
This can be used to mandate the presence of the Message-Authenticator
attribute on CoA/Disconnect-Request packets.
Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>
gas_address3=1 can now be used to force hostapd to use the IEEE 802.11
standards compliant Address 3 field value (Wildcard BSSID when not
associated) even if the GAS request uses non-compliant address (AP
BSSID).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>