[wpa_supplicant] Cumulative patch from b8491ae5a
Also revert local solution for encrypted IMSI and use the upstream version.
Bug: 134177972
Test: Device boots up and connects to WPA3/OWE wifi networks, run traffic.
Test: Able to turn on/off softap, associate wifi STA, run traffic.
Test: Regression test passed (Bug: 137653009)
Change-Id: Ie34a0138a3a2039b03101c788b43acbb33f8332a
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index df3542a..c283754 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -280,6 +280,7 @@
OBJS += src/common/sae.c
NEED_ECC=y
NEED_DH_GROUPS=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_OWE
@@ -473,6 +474,7 @@
OBJS += src/eap_server/eap_server_pwd.c src/eap_common/eap_pwd_common.c
NEED_SHA256=y
NEED_ECC=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_EAP_EKE
@@ -496,6 +498,16 @@
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_EAP_TEAP
+L_CFLAGS += -DEAP_SERVER_TEAP
+OBJS += src/eap_server/eap_server_teap.c
+OBJS += src/eap_common/eap_teap_common.c
+TLS_FUNCS=y
+NEED_T_PRF=y
+NEED_SHA384=y
+NEED_AES_UNWRAP=y
+endif
+
ifdef CONFIG_WPS
L_CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += src/utils/uuid.c
@@ -606,6 +618,10 @@
L_CFLAGS += -DPKCS12_FUNCS
endif
+ifdef NEED_DRAGONFLY
+OBJS += src/common/dragonfly.c
+endif
+
ifdef MS_FUNCS
OBJS += src/crypto/ms_funcs.c
NEED_DES=y
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index f1366b4..327ee3b 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -1,5 +1,60 @@
ChangeLog for hostapd
+2019-04-21 - v2.8
+ * SAE changes
+ - added support for SAE Password Identifier
+ - changed default configuration to enable only group 19
+ (i.e., disable groups 20, 21, 25, 26 from default configuration) and
+ disable all unsuitable groups completely based on REVmd changes
+ - improved anti-clogging token mechanism and SAE authentication
+ frame processing during heavy CPU load; this mitigates some issues
+ with potential DoS attacks trying to flood an AP with large number
+ of SAE messages
+ - added Finite Cyclic Group field in status code 77 responses
+ - reject use of unsuitable groups based on new implementation guidance
+ in REVmd (allow only FFC groups with prime >= 3072 bits and ECC
+ groups with prime >= 256)
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-1/] (CVE-2019-9494)
+ - fixed confirm message validation in error cases
+ [https://w1.fi/security/2019-3/] (CVE-2019-9496)
+ * EAP-pwd changes
+ - minimize timing and memory use differences in PWE derivation
+ [https://w1.fi/security/2019-2/] (CVE-2019-9495)
+ - verify peer scalar/element
+ [https://w1.fi/security/2019-4/] (CVE-2019-9497 and CVE-2019-9498)
+ - fix message reassembly issue with unexpected fragment
+ [https://w1.fi/security/2019-5/]
+ - enforce rand,mask generation rules more strictly
+ - fix a memory leak in PWE derivation
+ - disallow ECC groups with a prime under 256 bits (groups 25, 26, and
+ 27)
+ * Hotspot 2.0 changes
+ - added support for release number 3
+ - reject release 2 or newer association without PMF
+ * added support for RSN operating channel validation
+ (CONFIG_OCV=y and configuration parameter ocv=1)
+ * added Multi-AP protocol support
+ * added FTM responder configuration
+ * fixed build with LibreSSL
+ * added FT/RRB workaround for short Ethernet frame padding
+ * fixed KEK2 derivation for FILS+FT
+ * added RSSI-based association rejection from OCE
+ * extended beacon reporting functionality
+ * VLAN changes
+ - allow local VLAN management with remote RADIUS authentication
+ - add WPA/WPA2 passphrase/PSK -based VLAN assignment
+ * OpenSSL: allow systemwide policies to be overridden
+ * extended PEAP to derive EMSK to enable use with ERP/FILS
+ * extended WPS to allow SAE configuration to be added automatically
+ for PSK (wps_cred_add_sae=1)
+ * fixed FT and SA Query Action frame with AP-MLME-in-driver cases
+ * OWE: allow Diffie-Hellman Parameter element to be included with DPP
+ in preparation for DPP protocol extension
+ * RADIUS server: started to accept ERP keyName-NAI as user identity
+ automatically without matching EAP database entry
+ * fixed PTK rekeying with FILS and FT
+
2018-12-02 - v2.7
* fixed WPA packet number reuse with replayed messages and key
reinstallation
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 6e263c5..2a6bd7a 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -313,6 +313,7 @@
NEED_ECC=y
NEED_DH_GROUPS=y
NEED_AP_MLME=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_OWE
@@ -326,6 +327,11 @@
NEED_SHA512=y
endif
+ifdef CONFIG_AIRTIME_POLICY
+CFLAGS += -DCONFIG_AIRTIME_POLICY
+OBJS += ../src/ap/airtime_policy.o
+endif
+
ifdef CONFIG_FILS
CFLAGS += -DCONFIG_FILS
OBJS += ../src/ap/fils_hlp.o
@@ -496,6 +502,7 @@
OBJS += ../src/eap_server/eap_server_pwd.o ../src/eap_common/eap_pwd_common.o
NEED_SHA256=y
NEED_ECC=y
+NEED_DRAGONFLY=y
endif
ifdef CONFIG_EAP_EKE
@@ -519,6 +526,16 @@
NEED_AES_UNWRAP=y
endif
+ifdef CONFIG_EAP_TEAP
+CFLAGS += -DEAP_SERVER_TEAP
+OBJS += ../src/eap_server/eap_server_teap.o
+OBJS += ../src/eap_common/eap_teap_common.o
+TLS_FUNCS=y
+NEED_T_PRF=y
+NEED_SHA384=y
+NEED_AES_UNWRAP=y
+endif
+
ifdef CONFIG_WPS
CFLAGS += -DCONFIG_WPS -DEAP_SERVER_WSC
OBJS += ../src/utils/uuid.o
@@ -613,6 +630,15 @@
endif
endif
+ifdef CONFIG_MACSEC
+CFLAGS += -DCONFIG_MACSEC
+OBJS += ../src/ap/wpa_auth_kay.o
+OBJS += ../src/pae/ieee802_1x_cp.o
+OBJS += ../src/pae/ieee802_1x_kay.o
+OBJS += ../src/pae/ieee802_1x_key.o
+OBJS += ../src/pae/ieee802_1x_secy_ops.o
+endif
+
# Basic EAP functionality is needed for EAPOL
OBJS += eap_register.o
OBJS += ../src/eap_server/eap_server.o
@@ -629,6 +655,10 @@
CFLAGS += -DPKCS12_FUNCS
endif
+ifdef NEED_DRAGONFLY
+OBJS += ../src/common/dragonfly.o
+endif
+
ifdef MS_FUNCS
OBJS += ../src/crypto/ms_funcs.o
NEED_DES=y
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 42f3b40..df41f14 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -2313,6 +2313,42 @@
#endif /* EAP_SERVER */
+#ifdef CONFIG_AIRTIME_POLICY
+static int add_airtime_weight(struct hostapd_bss_config *bss, char *value)
+{
+ struct airtime_sta_weight *wt;
+ char *pos, *next;
+
+ wt = os_zalloc(sizeof(*wt));
+ if (!wt)
+ return -1;
+
+ /* 02:01:02:03:04:05 10 */
+ pos = value;
+ next = os_strchr(pos, ' ');
+ if (next)
+ *next++ = '\0';
+ if (!next || hwaddr_aton(pos, wt->addr)) {
+ wpa_printf(MSG_ERROR, "Invalid station address: '%s'", pos);
+ os_free(wt);
+ return -1;
+ }
+
+ pos = next;
+ wt->weight = atoi(pos);
+ if (!wt->weight) {
+ wpa_printf(MSG_ERROR, "Invalid weight: '%s'", pos);
+ os_free(wt);
+ return -1;
+ }
+
+ wt->next = bss->airtime_weight_list;
+ bss->airtime_weight_list = wt;
+ return 0;
+}
+#endif /* CONFIG_AIRTIME_POLICY */
+
+
#ifdef CONFIG_SAE
static int parse_sae_password(struct hostapd_bss_config *bss, const char *val)
{
@@ -2376,6 +2412,36 @@
#endif /* CONFIG_SAE */
+#ifdef CONFIG_DPP2
+static int hostapd_dpp_controller_parse(struct hostapd_bss_config *bss,
+ const char *pos)
+{
+ struct dpp_controller_conf *conf;
+ char *val;
+
+ conf = os_zalloc(sizeof(*conf));
+ if (!conf)
+ return -1;
+ val = get_param(pos, "ipaddr=");
+ if (!val || hostapd_parse_ip_addr(val, &conf->ipaddr))
+ goto fail;
+ os_free(val);
+ val = get_param(pos, "pkhash=");
+ if (!val || os_strlen(val) != 2 * SHA256_MAC_LEN ||
+ hexstr2bin(val, conf->pkhash, SHA256_MAC_LEN) < 0)
+ goto fail;
+ os_free(val);
+ conf->next = bss->dpp_controller;
+ bss->dpp_controller = conf;
+ return 0;
+fail:
+ os_free(val);
+ os_free(conf);
+ return -1;
+}
+#endif /* CONFIG_DPP2 */
+
+
static int hostapd_config_fill(struct hostapd_config *conf,
struct hostapd_bss_config *bss,
const char *buf, char *pos, int line)
@@ -2496,7 +2562,11 @@
} else if (os_strcmp(buf, "eapol_version") == 0) {
int eapol_version = atoi(pos);
+#ifdef CONFIG_MACSEC
+ if (eapol_version < 1 || eapol_version > 3) {
+#else /* CONFIG_MACSEC */
if (eapol_version < 1 || eapol_version > 2) {
+#endif /* CONFIG_MACSEC */
wpa_printf(MSG_ERROR,
"Line %d: invalid EAPOL version (%d): '%s'.",
line, eapol_version, pos);
@@ -2519,12 +2589,21 @@
} else if (os_strcmp(buf, "server_cert") == 0) {
os_free(bss->server_cert);
bss->server_cert = os_strdup(pos);
+ } else if (os_strcmp(buf, "server_cert2") == 0) {
+ os_free(bss->server_cert2);
+ bss->server_cert2 = os_strdup(pos);
} else if (os_strcmp(buf, "private_key") == 0) {
os_free(bss->private_key);
bss->private_key = os_strdup(pos);
+ } else if (os_strcmp(buf, "private_key2") == 0) {
+ os_free(bss->private_key2);
+ bss->private_key2 = os_strdup(pos);
} else if (os_strcmp(buf, "private_key_passwd") == 0) {
os_free(bss->private_key_passwd);
bss->private_key_passwd = os_strdup(pos);
+ } else if (os_strcmp(buf, "private_key_passwd2") == 0) {
+ os_free(bss->private_key_passwd2);
+ bss->private_key_passwd2 = os_strdup(pos);
} else if (os_strcmp(buf, "check_cert_subject") == 0) {
if (!pos[0]) {
wpa_printf(MSG_ERROR, "Line %d: unknown check_cert_subject '%s'",
@@ -2605,6 +2684,20 @@
} else if (os_strcmp(buf, "pac_key_refresh_time") == 0) {
bss->pac_key_refresh_time = atoi(pos);
#endif /* EAP_SERVER_FAST */
+#ifdef EAP_SERVER_TEAP
+ } else if (os_strcmp(buf, "eap_teap_auth") == 0) {
+ int val = atoi(pos);
+
+ if (val < 0 || val > 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid eap_teap_auth value",
+ line);
+ return 1;
+ }
+ bss->eap_teap_auth = val;
+ } else if (os_strcmp(buf, "eap_teap_pac_no_inner") == 0) {
+ bss->eap_teap_pac_no_inner = atoi(pos);
+#endif /* EAP_SERVER_TEAP */
#ifdef EAP_SERVER_SIM
} else if (os_strcmp(buf, "eap_sim_db") == 0) {
os_free(bss->eap_sim_db);
@@ -3442,6 +3535,8 @@
conf->he_op.he_twt_required = atoi(pos);
} else if (os_strcmp(buf, "he_rts_threshold") == 0) {
conf->he_op.he_rts_threshold = atoi(pos);
+ } else if (os_strcmp(buf, "he_basic_mcs_nss_set") == 0) {
+ conf->he_op.he_basic_mcs_nss_set = atoi(pos);
} else if (os_strcmp(buf, "he_mu_edca_qos_info_param_count") == 0) {
conf->he_mu_edca.he_qos_info |=
set_he_cap(atoi(pos), HE_QOS_INFO_EDCA_PARAM_SET_COUNT);
@@ -3526,6 +3621,20 @@
} else if (os_strcmp(buf, "he_mu_edca_ac_vo_timer") == 0) {
conf->he_mu_edca.he_mu_ac_vo_param[HE_MU_AC_PARAM_TIMER_IDX] =
atoi(pos) & 0xff;
+ } else if (os_strcmp(buf, "he_spr_sr_control") == 0) {
+ conf->spr.sr_control = atoi(pos) & 0xff;
+ } else if (os_strcmp(buf, "he_spr_non_srg_obss_pd_max_offset") == 0) {
+ conf->spr.non_srg_obss_pd_max_offset = atoi(pos);
+ } else if (os_strcmp(buf, "he_spr_srg_obss_pd_min_offset") == 0) {
+ conf->spr.srg_obss_pd_min_offset = atoi(pos);
+ } else if (os_strcmp(buf, "he_spr_srg_obss_pd_max_offset") == 0) {
+ conf->spr.srg_obss_pd_max_offset = atoi(pos);
+ } else if (os_strcmp(buf, "he_oper_chwidth") == 0) {
+ conf->he_oper_chwidth = atoi(pos);
+ } else if (os_strcmp(buf, "he_oper_centr_freq_seg0_idx") == 0) {
+ conf->he_oper_centr_freq_seg0_idx = atoi(pos);
+ } else if (os_strcmp(buf, "he_oper_centr_freq_seg1_idx") == 0) {
+ conf->he_oper_centr_freq_seg1_idx = atoi(pos);
#endif /* CONFIG_IEEE80211AX */
} else if (os_strcmp(buf, "max_listen_interval") == 0) {
bss->max_listen_interval = atoi(pos);
@@ -4298,6 +4407,11 @@
} else if (os_strcmp(buf, "dpp_csign") == 0) {
if (parse_wpabuf_hex(line, buf, &bss->dpp_csign, pos))
return 1;
+#ifdef CONFIG_DPP2
+ } else if (os_strcmp(buf, "dpp_controller") == 0) {
+ if (hostapd_dpp_controller_parse(bss, pos))
+ return 1;
+#endif /* CONFIG_DPP2 */
#endif /* CONFIG_DPP */
#ifdef CONFIG_OWE
} else if (os_strcmp(buf, "owe_transition_bssid") == 0) {
@@ -4349,6 +4463,121 @@
conf->rssi_reject_assoc_timeout = atoi(pos);
} else if (os_strcmp(buf, "pbss") == 0) {
bss->pbss = atoi(pos);
+#ifdef CONFIG_AIRTIME_POLICY
+ } else if (os_strcmp(buf, "airtime_mode") == 0) {
+ int val = atoi(pos);
+
+ if (val < 0 || val > AIRTIME_MODE_MAX) {
+ wpa_printf(MSG_ERROR, "Line %d: Unknown airtime_mode",
+ line);
+ return 1;
+ }
+ conf->airtime_mode = val;
+ } else if (os_strcmp(buf, "airtime_update_interval") == 0) {
+ conf->airtime_update_interval = atoi(pos);
+ } else if (os_strcmp(buf, "airtime_bss_weight") == 0) {
+ bss->airtime_weight = atoi(pos);
+ } else if (os_strcmp(buf, "airtime_bss_limit") == 0) {
+ int val = atoi(pos);
+
+ if (val < 0 || val > 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid airtime_bss_limit (must be 0 or 1)",
+ line);
+ return 1;
+ }
+ bss->airtime_limit = val;
+ } else if (os_strcmp(buf, "airtime_sta_weight") == 0) {
+ if (add_airtime_weight(bss, pos) < 0) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid airtime weight '%s'",
+ line, pos);
+ return 1;
+ }
+#endif /* CONFIG_AIRTIME_POLICY */
+#ifdef CONFIG_MACSEC
+ } else if (os_strcmp(buf, "macsec_policy") == 0) {
+ int macsec_policy = atoi(pos);
+
+ if (macsec_policy < 0 || macsec_policy > 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid macsec_policy (%d): '%s'.",
+ line, macsec_policy, pos);
+ return 1;
+ }
+ bss->macsec_policy = macsec_policy;
+ } else if (os_strcmp(buf, "macsec_integ_only") == 0) {
+ int macsec_integ_only = atoi(pos);
+
+ if (macsec_integ_only < 0 || macsec_integ_only > 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid macsec_integ_only (%d): '%s'.",
+ line, macsec_integ_only, pos);
+ return 1;
+ }
+ bss->macsec_integ_only = macsec_integ_only;
+ } else if (os_strcmp(buf, "macsec_replay_protect") == 0) {
+ int macsec_replay_protect = atoi(pos);
+
+ if (macsec_replay_protect < 0 || macsec_replay_protect > 1) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid macsec_replay_protect (%d): '%s'.",
+ line, macsec_replay_protect, pos);
+ return 1;
+ }
+ bss->macsec_replay_protect = macsec_replay_protect;
+ } else if (os_strcmp(buf, "macsec_replay_window") == 0) {
+ bss->macsec_replay_window = atoi(pos);
+ } else if (os_strcmp(buf, "macsec_port") == 0) {
+ int macsec_port = atoi(pos);
+
+ if (macsec_port < 1 || macsec_port > 65534) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid macsec_port (%d): '%s'.",
+ line, macsec_port, pos);
+ return 1;
+ }
+ bss->macsec_port = macsec_port;
+ } else if (os_strcmp(buf, "mka_priority") == 0) {
+ int mka_priority = atoi(pos);
+
+ if (mka_priority < 0 || mka_priority > 255) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: invalid mka_priority (%d): '%s'.",
+ line, mka_priority, pos);
+ return 1;
+ }
+ bss->mka_priority = mka_priority;
+ } else if (os_strcmp(buf, "mka_cak") == 0) {
+ size_t len = os_strlen(pos);
+
+ if (len > 2 * MACSEC_CAK_MAX_LEN ||
+ (len != 2 * 16 && len != 2 * 32) ||
+ hexstr2bin(pos, bss->mka_cak, len / 2)) {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CAK '%s'.",
+ line, pos);
+ return 1;
+ }
+ bss->mka_cak_len = len / 2;
+ bss->mka_psk_set |= MKA_PSK_SET_CAK;
+ } else if (os_strcmp(buf, "mka_ckn") == 0) {
+ size_t len = os_strlen(pos);
+
+ if (len > 2 * MACSEC_CKN_MAX_LEN || /* too long */
+ len < 2 || /* too short */
+ len % 2 != 0 /* not an integral number of bytes */) {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+ line, pos);
+ return 1;
+ }
+ bss->mka_ckn_len = len / 2;
+ if (hexstr2bin(pos, bss->mka_ckn, bss->mka_ckn_len)) {
+ wpa_printf(MSG_ERROR, "Line %d: Invalid MKA-CKN '%s'.",
+ line, pos);
+ return -1;
+ }
+ bss->mka_psk_set |= MKA_PSK_SET_CKN;
+#endif /* CONFIG_MACSEC */
} else {
wpa_printf(MSG_ERROR,
"Line %d: unknown configuration item '%s'",
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index e4b16e6..0f6dfa1 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -1830,26 +1830,40 @@
struct iphdr ip;
const u8 *pos;
unsigned int i;
+ char extra[30];
- if (len != HWSIM_PACKETLEN)
+ if (len < sizeof(*eth) + sizeof(ip) || len > HWSIM_PACKETLEN) {
+ wpa_printf(MSG_DEBUG,
+ "test data: RX - ignore unexpected length %d",
+ (int) len);
return;
+ }
eth = (const struct ether_header *) buf;
os_memcpy(&ip, eth + 1, sizeof(ip));
pos = &buf[sizeof(*eth) + sizeof(ip)];
if (ip.ihl != 5 || ip.version != 4 ||
- ntohs(ip.tot_len) != HWSIM_IP_LEN)
+ ntohs(ip.tot_len) > HWSIM_IP_LEN) {
+ wpa_printf(MSG_DEBUG,
+ "test data: RX - ignore unexpect IP header");
return;
+ }
- for (i = 0; i < HWSIM_IP_LEN - sizeof(ip); i++) {
- if (*pos != (u8) i)
+ for (i = 0; i < ntohs(ip.tot_len) - sizeof(ip); i++) {
+ if (*pos != (u8) i) {
+ wpa_printf(MSG_DEBUG,
+ "test data: RX - ignore mismatching payload");
return;
+ }
pos++;
}
- wpa_msg(hapd->msg_ctx, MSG_INFO, "DATA-TEST-RX " MACSTR " " MACSTR,
- MAC2STR(eth->ether_dhost), MAC2STR(eth->ether_shost));
+ extra[0] = '\0';
+ if (ntohs(ip.tot_len) != HWSIM_IP_LEN)
+ os_snprintf(extra, sizeof(extra), " len=%d", ntohs(ip.tot_len));
+ wpa_msg(hapd->msg_ctx, MSG_INFO, "DATA-TEST-RX " MACSTR " " MACSTR "%s",
+ MAC2STR(eth->ether_dhost), MAC2STR(eth->ether_shost), extra);
}
@@ -1894,7 +1908,7 @@
static int hostapd_ctrl_iface_data_test_tx(struct hostapd_data *hapd, char *cmd)
{
u8 dst[ETH_ALEN], src[ETH_ALEN];
- char *pos;
+ char *pos, *pos2;
int used;
long int val;
u8 tos;
@@ -1903,11 +1917,12 @@
struct iphdr *ip;
u8 *dpos;
unsigned int i;
+ size_t send_len = HWSIM_IP_LEN;
if (hapd->l2_test == NULL)
return -1;
- /* format: <dst> <src> <tos> */
+ /* format: <dst> <src> <tos> [len=<length>] */
pos = cmd;
used = hwaddr_aton2(pos, dst);
@@ -1921,11 +1936,19 @@
return -1;
pos += used;
- val = strtol(pos, NULL, 0);
+ val = strtol(pos, &pos2, 0);
if (val < 0 || val > 0xff)
return -1;
tos = val;
+ pos = os_strstr(pos2, " len=");
+ if (pos) {
+ i = atoi(pos + 5);
+ if (i < sizeof(*ip) || i > HWSIM_IP_LEN)
+ return -1;
+ send_len = i;
+ }
+
eth = (struct ether_header *) &buf[2];
os_memcpy(eth->ether_dhost, dst, ETH_ALEN);
os_memcpy(eth->ether_shost, src, ETH_ALEN);
@@ -1936,17 +1959,17 @@
ip->version = 4;
ip->ttl = 64;
ip->tos = tos;
- ip->tot_len = htons(HWSIM_IP_LEN);
+ ip->tot_len = htons(send_len);
ip->protocol = 1;
ip->saddr = htonl(192U << 24 | 168 << 16 | 1 << 8 | 1);
ip->daddr = htonl(192U << 24 | 168 << 16 | 1 << 8 | 2);
ip->check = ipv4_hdr_checksum(ip, sizeof(*ip));
dpos = (u8 *) (ip + 1);
- for (i = 0; i < HWSIM_IP_LEN - sizeof(*ip); i++)
+ for (i = 0; i < send_len - sizeof(*ip); i++)
*dpos++ = i;
if (l2_packet_send(hapd->l2_test, dst, ETHERTYPE_IP, &buf[2],
- HWSIM_PACKETLEN) < 0)
+ sizeof(struct ether_header) + send_len) < 0)
return -1;
wpa_dbg(hapd->msg_ctx, MSG_DEBUG, "test data: TX dst=" MACSTR
diff --git a/hostapd/defconfig b/hostapd/defconfig
index ea5e2c9..01871c9 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -108,11 +108,18 @@
#CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server
-# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
-# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
-# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
#CONFIG_EAP_FAST=y
+# EAP-TEAP for the integrated EAP server
+# Note: The current EAP-TEAP implementation is experimental and should not be
+# enabled for production use. The IETF RFC 7170 that defines EAP-TEAP has number
+# of conflicting statements and missing details and the implementation has
+# vendor specific workarounds for those and as such, may not interoperate with
+# any other implementation. This should not be used for anything else than
+# experimentation and interoperability testing until those issues has been
+# resolved.
+#CONFIG_EAP_TEAP=y
+
# Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y
# Enable UPnP support for external WPS Registrars
@@ -376,6 +383,9 @@
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
+# Airtime policy support
+#CONFIG_AIRTIME_POLICY=y
+
# Override default value for the wpa_disable_eapol_key_retries configuration
# parameter. See that parameter in hostapd.conf for more details.
#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
diff --git a/hostapd/eap_register.c b/hostapd/eap_register.c
index 8477c21..3e870c7 100644
--- a/hostapd/eap_register.c
+++ b/hostapd/eap_register.c
@@ -121,6 +121,11 @@
ret = eap_server_fast_register();
#endif /* EAP_SERVER_FAST */
+#ifdef EAP_SERVER_TEAP
+ if (ret == 0)
+ ret = eap_server_teap_register();
+#endif /* EAP_SERVER_TEAP */
+
#ifdef EAP_SERVER_WSC
if (ret == 0)
ret = eap_server_wsc_register();
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index f8caa56..f2d5873 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -782,10 +782,8 @@
# 1 = supported
#he_mu_beamformer=1
-# he_bss_color: BSS color
-# 0 = no BSS color (default)
-# unsigned integer = BSS color
-#he_bss_color=0
+# he_bss_color: BSS color (1-63)
+#he_bss_color=1
#he_default_pe_duration: The duration of PE field in an HE PPDU in us
# Possible values are 0 us (default), 4 us, 8 us, 12 us, and 16 us
@@ -801,6 +799,17 @@
# unsigned integer = duration in units of 16 us
#he_rts_threshold=0
+# HE operating channel information; see matching vht_* parameters for details.
+#he_oper_chwidth
+#he_oper_centr_freq_seg0_idx
+#he_oper_centr_freq_seg1_idx
+
+#he_basic_mcs_nss_set: Basic NSS/MCS set
+# 16-bit combination of 2-bit values of Max HE-MCS For 1..8 SS; each 2-bit
+# value having following meaning:
+# 0 = HE-MCS 0-7, 1 = HE-MCS 0-9, 2 = HE-MCS 0-11, 3 = not supported
+#he_basic_mcs_nss_set
+
#he_mu_edca_qos_info_param_count
#he_mu_edca_qos_info_q_ack
#he_mu_edca_qos_info_queue_request=1
@@ -825,6 +834,12 @@
#he_mu_edca_ac_vo_ecwmax=15
#he_mu_edca_ac_vo_timer=255
+# Spatial Reuse Parameter Set
+#he_spr_sr_control
+#he_spr_non_srg_obss_pd_max_offset
+#he_spr_srg_obss_pd_min_offset
+#he_spr_srg_obss_pd_max_offset
+
##### IEEE 802.1X-2004 related configuration ##################################
# Require IEEE 802.1X authorization
@@ -836,6 +851,8 @@
# the new version number correctly (they seem to drop the frames completely).
# In order to make hostapd interoperate with these clients, the version number
# can be set to the older version (1) with this configuration value.
+# Note: When using MACsec, eapol_version shall be set to 3, which is
+# defined in IEEE Std 802.1X-2010.
#eapol_version=2
# Optional displayable message sent with EAP Request-Identity. The first \0
@@ -879,6 +896,54 @@
# ERP is enabled (eap_server_erp=1).
#erp_domain=example.com
+##### MACsec ##################################################################
+
+# macsec_policy: IEEE 802.1X/MACsec options
+# This determines how sessions are secured with MACsec (only for MACsec
+# drivers).
+# 0: MACsec not in use (default)
+# 1: MACsec enabled - Should secure, accept key server's advice to
+# determine whether to use a secure session or not.
+#
+# macsec_integ_only: IEEE 802.1X/MACsec transmit mode
+# This setting applies only when MACsec is in use, i.e.,
+# - macsec_policy is enabled
+# - the key server has decided to enable MACsec
+# 0: Encrypt traffic (default)
+# 1: Integrity only
+#
+# macsec_replay_protect: IEEE 802.1X/MACsec replay protection
+# This setting applies only when MACsec is in use, i.e.,
+# - macsec_policy is enabled
+# - the key server has decided to enable MACsec
+# 0: Replay protection disabled (default)
+# 1: Replay protection enabled
+#
+# macsec_replay_window: IEEE 802.1X/MACsec replay protection window
+# This determines a window in which replay is tolerated, to allow receipt
+# of frames that have been misordered by the network.
+# This setting applies only when MACsec replay protection active, i.e.,
+# - macsec_replay_protect is enabled
+# - the key server has decided to enable MACsec
+# 0: No replay window, strict check (default)
+# 1..2^32-1: number of packets that could be misordered
+#
+# macsec_port: IEEE 802.1X/MACsec port
+# Port component of the SCI
+# Range: 1-65534 (default: 1)
+#
+# mka_priority (Priority of MKA Actor)
+# Range: 0..255 (default: 255)
+#
+# mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
+# This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
+# In this mode, instances of hostapd can act as MACsec peers. The peer
+# with lower priority will become the key server and start distributing SAKs.
+# mka_cak (CAK = Secure Connectivity Association Key) takes a 16-byte (128-bit)
+# hex-string (32 hex-digits) or a 32-byte (256-bit) hex-string (64 hex-digits)
+# mka_ckn (CKN = CAK Name) takes a 1..32-bytes (8..256 bit) hex-string
+# (2..64 hex-digits)
+
##### Integrated EAP server ###################################################
# Optionally, hostapd can be configured to use an integrated EAP server
@@ -912,6 +977,23 @@
# Passphrase for private key
#private_key_passwd=secret passphrase
+# An alternative server certificate and private key can be configured with the
+# following parameters (with values just like the parameters above without the
+# '2' suffix). The ca_cert file (in PEM encoding) is used to add the trust roots
+# for both server certificates and/or client certificates).
+#
+# The main use case for this alternative server certificate configuration is to
+# enable both RSA and ECC public keys. The server will pick which one to use
+# based on the client preferences for the cipher suite (in the TLS ClientHello
+# message). It should be noted that number of deployed EAP peer implementations
+# do not filter out the cipher suite list based on their local configuration and
+# as such, configuration of alternative types of certificates on the server may
+# result in interoperability issues.
+#server_cert2=/etc/hostapd.server-ecc.pem
+#private_key2=/etc/hostapd.server-ecc.prv
+#private_key_passwd2=secret passphrase
+
+
# Server identity
# EAP methods that provide mechanism for authenticated server identity delivery
# use this value. If not set, "hostapd" is used as a default.
@@ -1109,6 +1191,16 @@
# (or fewer) of the lifetime remains.
#pac_key_refresh_time=86400
+# EAP-TEAP authentication type
+# 0 = inner EAP (default)
+# 1 = Basic-Password-Auth
+#eap_teap_auth=0
+
+# EAP-TEAP authentication behavior when using PAC
+# 0 = perform inner authentication (default)
+# 1 = skip inner authentication (inner EAP/Basic-Password-Auth)
+#eap_teap_pac_no_inner=0
+
# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND
# (default: 0 = disabled).
#eap_sim_aka_result_ind=1
@@ -2492,6 +2584,42 @@
# that allows sending of such data. Default: 0.
#stationary_ap=0
+##### Airtime policy configuration ###########################################
+
+# Set the airtime policy operating mode:
+# 0 = disabled (default)
+# 1 = static config
+# 2 = per-BSS dynamic config
+# 3 = per-BSS limit mode
+#airtime_mode=0
+
+# Interval (in milliseconds) to poll the kernel for updated station activity in
+# dynamic and limit modes
+#airtime_update_interval=200
+
+# Static configuration of station weights (when airtime_mode=1). Kernel default
+# weight is 256; set higher for larger airtime share, lower for smaller share.
+# Each entry is a MAC address followed by a weight.
+#airtime_sta_weight=02:01:02:03:04:05 256
+#airtime_sta_weight=02:01:02:03:04:06 512
+
+# Per-BSS airtime weight. In multi-BSS mode, set for each BSS and hostapd will
+# configure station weights to enforce the correct ratio between BSS weights
+# depending on the number of active stations. The *ratios* between different
+# BSSes is what's important, not the absolute numbers.
+# Must be set for all BSSes if airtime_mode=2 or 3, has no effect otherwise.
+#airtime_bss_weight=1
+
+# Whether the current BSS should be limited (when airtime_mode=3).
+#
+# If set, the BSS weight ratio will be applied in the case where the current BSS
+# would exceed the share defined by the BSS weight ratio. E.g., if two BSSes are
+# set to the same weights, and one is set to limited, the limited BSS will get
+# no more than half the available airtime, but if the non-limited BSS has more
+# stations active, that *will* be allowed to exceed its half of the available
+# airtime.
+#airtime_bss_limit=1
+
##### TESTING OPTIONS #########################################################
#
# The options in this section are only available when the build configuration
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
index 23c592a..0460243 100644
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -1214,6 +1214,13 @@
}
+static int hostapd_cli_cmd_update_beacon(struct wpa_ctrl *ctrl, int argc,
+ char *argv[])
+{
+ return wpa_ctrl_command(ctrl, "UPDATE_BEACON");
+}
+
+
static int hostapd_cli_cmd_vendor(struct wpa_ctrl *ctrl, int argc, char *argv[])
{
char cmd[256];
@@ -1617,6 +1624,8 @@
"= reload configuration for current interface" },
{ "disable", hostapd_cli_cmd_disable, NULL,
"= disable hostapd on current interface" },
+ { "update_beacon", hostapd_cli_cmd_update_beacon, NULL,
+ "= update Beacon frame contents\n"},
{ "erp_flush", hostapd_cli_cmd_erp_flush, NULL,
"= drop all ERP keys"},
{ "log_level", hostapd_cli_cmd_log_level, NULL,
diff --git a/hostapd/main.c b/hostapd/main.c
index b9df584..11a1515 100644
--- a/hostapd/main.c
+++ b/hostapd/main.c
@@ -655,6 +655,9 @@
int start_ifaces_in_sync = 0;
char **if_names = NULL;
size_t if_names_size = 0;
+#ifdef CONFIG_DPP
+ struct dpp_global_config dpp_conf;
+#endif /* CONFIG_DPP */
if (os_program_init())
return -1;
@@ -674,7 +677,9 @@
dl_list_init(&interfaces.eth_p_oui);
#endif /* CONFIG_ETH_P_OUI */
#ifdef CONFIG_DPP
- interfaces.dpp = dpp_global_init();
+ os_memset(&dpp_conf, 0, sizeof(dpp_conf));
+ /* TODO: dpp_conf.msg_ctx? */
+ interfaces.dpp = dpp_global_init(&dpp_conf);
if (!interfaces.dpp)
return -1;
#endif /* CONFIG_DPP */