[wpa_supplicant] Cumulative patch from commit d68c0dd4d
Bug: 156933657
Test: Verify Passpoint ANQP functionality and Passpoint association
Test: Connect to Passpoint, Open, WPA2, WPA3 networks and run traffic
Test: Regression test passed (Bug: 171270733)
BYPASS_INCLUSIVE_LANGUAGE_REASON=Merged from Open source
d68c0dd4d build: lib.rules: Add common-clean
d34b33451 wpa_supplicant: Fix frequency config for VHT/HE cases
0747432ef Fix spelling of "unexpected" in messages
d720de929 hostapd: Fix typos
4c66894fa eap_peer: Add .gitignore with *.so
13256b8cf P2P: Stop old listen radio work before go to WAIT_PEER_IDLE state
0f7989d8a MSCS: Fix decapsulating subelements from MSCS descriptor
cc3d6efa8 Add QCA interface for driver to report various connect fail reason codes
39748963d build: Fix libeap_peer.a build
c3f37c35f DFS: Use helper functions for VHT/HE parameters
a72599b31 hw_features: Better debug messages for some error cases
5965c7da5 wpa_supplicant: Enable VHT and HE in default config parameters
df6745e8c wpa_supplicant: Handle HT40 and mode downgrade in AP mode
93da12fd9 mesh: Fix channel init order, disable pri/sec channel switch
7f8ac02e8 HE/VHT: Fix frequency setup with HE enabled
0f07230eb DPP2: Add privacyProtectionKey into Configurator backup/restore
a0ccc4017 DPP2: Use ppKey to decrypt E'-id on Configurator
99d7bf234 DPP2: Use the new privacy protection key to protect E-id on Enrollee
37df40845 DPP2: Copy received ppKey into wpa_supplicant network profile
a8ee2292b DPP2: Parse ppKey from Connector
2a8c92887 DPP2: Add ppKey into Connector
9c1fbff07 DPP2: Generate a privacy protection key for Configurator
1d1475845 DPP: Make dpp_keygen_configurator() a static function
1d0d8888a build: Make more library things common
f4b3d14e9 build: Make a common library build
ac1447ae9 build: Rebuild libs all the time
6c41d43f1 mesh: Stop SAE auth timer when mesh node is removed
154b18d95 build: Fix dependency file inclusion
79db311e8 macsec_linux: Fix receive-lowest-PN setting
e3b47cdf8 DPP2: Add DPP_CHIRP commands to hostapd_cli and wpa_cli
cb3b70936 P2P: Set ap_configured_cb during group reform process
0e9f62e51 P2P: Fallback to GO negotiation after running out of GO scan attempts
1a0169695 hostapd_cli: Add dpp_bootstrap_set command
7e4ed93d3 wpa_cli: Add dpp_bootstrap_set command
283eee8ee gitignore: Clean up a bit
ae0b90dfa mesh: Allow channel switch command
87098d332 build: Put archive files into build/ folder too
00b5e99b6 build: Use the new build system for fuzz tests
a49f62884 wolfSSL: Fix wrong types in tls_wolfssl.c
58c18bcf8 hostapd: Fix error message for radius_accept_attr config option
52a1b2834 nl80211: Unbreak mode processing due to presence of S1G band
4b96fafcd D-Bus: Share 'remove all networks' with CLI
2818e9ca9 wpa_supplicant: Do not retry scan if operation is not supported
c0b88d129 P2P: Limit P2P_DEVICE name to appropriate ifname size
566ea1b7c mesh: Set correct address for mesh default broadcast/multicast keys
17d6ba4c9 DBus: Add "Roam" command support
6e757bba8 Use consistent spelling of "homogeneous"
cff545720 wpa_supplicant: Clear blacklist when SSID configs change
bbbb3c04e wpa_supplicant: Add new blacklist tests
164b8dd8e wpa_supplicant: Add wpa_blacklist_update()
d53011002 wpa_supplicant: Implement time-based blacklisting
2fd35d985 wpa_supplicant: Track consecutive connection failures
6d6310701 Fix STA mode default TXOP Limit values for AC_VI and AC_VO
dcc5288e5 gitignore: Add various things
ce963433b build: Allow overriding BUILDDIR from command line
ad6e4a5c5 build: Remove hostapd vs. wpa_supplicant build checks
6acda5322 build: Add .config file to dependencies
722138cd2 build: Put object files into build/ folder
0464d5d5d build: Move config file handling into build.rules
0430bc826 build: Add a common-clean target
06a6adb54 build: Use build.rules in lib.rules
3ff115db6 build: Disable built-in rules
a41a29192 build: Pull common fragments into a build.rules file
21cc50a43 HS 2.0 server: Add a .gitignore file
a28d127b1 AP: Reflect status code in SAE reflection attack test
e8b85c078 iface match: Unspecified matched interfaces should not log driver fails
83fa0a100 op_classes: Don't report an error when there are none to add
8776551bf BSD: don't log SIOCG80211 errors during interface setup
41d20df7f D-Bus: Allow empty string in dbus network properties
4756ecabc Allow bgscan parameters to be reconfigured
922fa0997 Global parser functions to return 1 when property unchanged
a87173b1d D-Bus: Skip property update actions when wpa_config_set() returns 1
1c58317f5 D-Bus: Allow changing an interface bridge via D-Bus
14318ccff P2P: Add configuration support to disable P2P in 6 GHz band
debf3e216 OCV: Work around for misbehaving STAs that indicate OCVC=1 without OCI
d48a3a676 FT: Modify status code in FT Reassoc frame for invalid OCI channel info
0e8d569d4 DPP2: Presence Announcement notification in STA
980c4da41 DPP2: Presence Announcement notification in AP
8b667bfa1 DPP2: Presence Announcement notification
cf3d260c3 DPP2: Fix hostapd crash setting global configurator params on chirp RX
a8f304228 Document the missing ignore_broadcast_ssid network profile parameter
aa704020a DBus: Update dont_quote[] with ignore_broadcast_ssid parameter
88d3f43bd DPP2: Replace OneAsymmetricKey version number (v2 to v1)
8e5739c3a DPP2: Check channel 6 validity before adding it to chirp channel list
5c6c0d569 DPP: Fix GAS fragmentation for DPP Config Response from hostapd
a7f55f7f6 WPS: Enable SA Query checks for WPS AP
43ef227e9 P2P: Make use wpas_p2p_reconsider_moving_go timeout gets canceled
57536a567 P2P: Fix P2P interface remuval through wpa_supplicant_remove_iface()
760d10cde P2P: Include channels 149 to 161 for operating classes 128 and 130
ac882374a SAE: Fix error path handling for SSWU
e8a1e6a4a P2P: Fix a typo in a comment
fa63284af Add additional roam triggers to qca_vendor_roam_triggers
13feeaa10 Add a new status code to represent an already suspended TWT session
8175c2654 Add test configuration attr to start/stop transmitting FD frames
90e478aa0 DPP2: Use the PFS fallback if multiple key_mgmt values are enabled
cab139ebc Fix a typo in a comment
7e20502f7 hostapd: Resolved compiler uninitialized warning
e3ba0c4cd Do not start SA Query procedure without keys
a92660a00 Work around Supported Operating Classes element issues for 6 GHz
fd4a58ccd Additional attributes to QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_CONTROL
8a6a2894d Add new QCA vendor attributes to get thermal level
41f818905 SAE-PK: Add support to skip sae_pk password check for testing purposes
a71b100c3 OCV: Allow connecting MFP incapable OCV STA when OCV is disabled in AP
5ecb45a41 OCV: Use more granular error codes for OCI validation failures
10c3e58b2 DPP2: Include E-nonce in reconfig ke derivation
4ae5e459d DPP2: Move E-nonce to be outside wrapped data in Reconfig Auth Resp
0ebf5aa34 DPP2: Replace I/R-nonce with C/E-nonce in reconfiguration
99f8506d3 Add QCA_NL80211_VENDOR_SUBCMD_MBSSID_TX_VDEV_STATUS
93a73ce02 MSCS: Fix issues due to incorrect usage of wpa_hexdump_buf()
9afb68b03 OpenSSL: Allow systemwide secpolicy overrides for TLS version
c85206ba4 QCA vendor attributes for setting ANI level
d335ca953 Update QCA vendor interface for GPIO configuration
7ddb71224 DPP2: Support QR mutual auth scan-during-auth-exchange (hostapd)
c043b1e00 DPP: Remove unnecessary dpp_global_config parameters
4ecb6dd16 DPP2: Controller support in hostapd
cd17f6877 Add QCA vendor event for firmware statistics
ba3081f1d dpp-nfc: Start listen operation more completely for NFC Tag write cases
e4adbacaf GAS: Fix memory leak on some DPP error paths
8aa91282a Fix EAPOL-Key msg 1/4 processing in a corner case
96e63008f OWE: Do not add DH Params element in AssocResp with PMKSA caching
9bc881153 DPP2: Fix build without IEEE8021X_EAPOL
2caff11d7 LibreSSL: Fix build with LibreSSL versions older than 2.9.1
55a366d7a dpp-nfc: Fix recv_octets() regression
90e05626f Add test configuration to ignore SA Query timeout
a2d35b49e Fix documentation for the test configuration attributes of FT-SAE/OCV
5d2218e61 Add get_sta_info vendor attrs to get BIP failure counters for STA mode
c6a760b9c DPP: Add process_conf_obj into TCP connection data struct
7f366fcbd DPP: Add msg_ctx into TCP connection data struct
6aa7aa808 DPP2: hostapd/AP as Enrollee/Initiator over TCP
d21dde9da MSCS: Send MSCS change/remove frames only if MSCS setup exists
af8ab3208 MSCS: Parse result of MSCS setup in (Re)Association Response frames
c504ff539 MSCS: Add support to populate MSCS Descriptor IE in (Re)AssocReq
bbd3178af MSCS: Add support to process MSCS Response frames
a11804724 MSCS: Add support to send MSCS Request frames
1733e356e dpp-nfc: Fix handover client wait for receiving handover select
596d99567 SME: Process channel switch event in SME only when supplicant's SME is used
0fa274d2b Derive seg0_idx and seg1_idx for 6 GHz when processing channel switch
5644b23de QCA vendor command to update SSID
cd708e8ff Add a vendor command for medium assessment
cc9fe46b3 Add AllPlay type to the QCA vendor element
170775232 ANQP: Add support to specify frequency in ANQP_GET command
43106e122 GAS: Update source MAC address on preassoc_mac_addr randomization
1289ecf4c GAS: Ignore preassoc_mac_addr when gas_rand_mac_addr enabled
dbe485a35 SAE-PK: Check psk param also to look for SAE-PK acceptable BSS
f5388b34e Add channel TX/RX times to QCA vendor interface of LL stats
9f9c11048 Fix QCA_WLAN_VENDOR_ATTR_LL_STATS_CH_INFO interface documentation
096456c0c Enhancements to the TWT attributes/parameters (vendor command)
3adc1c623 DPP2: Disconnect before starting reconfiguration
574a8fa6c DPP: Do not interpret unknown channel as missing channel list for NFC
fc3efe083 DPP2: Support mutual auth with QR in scan-during-auth-exchange case
2e956c37d DPP2: Do not close TCP socket when waiting for full Auth Resp
e4e95aabb DPP2: Allow Controller to be configured to require QR mutual auth
61c249c49 Add QCA vendor attribute to configure number of TX/RX chains
86fd6755c dpp-nfc: Use --altchan value in handover server
315422196 dpp-nfc: Update listen channel based on channel list when writing a tag
66ffe9d24 DPP2: Update Reconfig Flags attribute format
5caf4e094 DPP2: Support RA/CA functionality in Controller initiated case
9304d1b3c DPP2: Regenerate Reconfig Announcement for each transmission
b591810f9 DPP2: Add DPP Status attribute into Reconfig Auth Confirm
6d0217119 DPP2: Allow iteration count to be configured for DPP_RECONFIG
c6d0e5a93 DPP2: Add E-id in Reconfig Announcement
e5be6e68c DPP2: Add Enrollee netAccessKey group into Reconfig Announcement
2a58968d3 SAE-PK: Allow SAE-PK password to be set using the psk parameter
7ca81190a SAE-PK: Allow SAE-PK style wpa_passphrase if SAE-PK is enabled with same
844ecc70a Additional TWT attributes for response path and resume
0a9d7b169 SAE-PK: Update design for fingerprint encoding into password
2f858254c Extend GET_PMK to check PMKSA cache on the AP
b28b9dfcb OCV: OCI channel override support for testing (STA)
d309dd52b Fix the documentation for QCA_WLAN_VENDOR_ATTR_CONFIG_UDP_QOS_UPGRADE
87971ff05 SAE-PK: Fix SAE confirm writing in some AP cases with transition mode
240e9af4d SAE-PK: Make no-KEK debug prints distinct
38ef655eb dpp-nfc: Report negotiated connection handover result
4d5461842 dpp-nfc: Stop only_one run after failed handover attempt
f7b5a1d34 dpp-nfc: Do not indicate no initial HS as failure if alt HR will be sent
475b34665 dpp-nfc: Improved version of HandoverServer::serve()
dc0795e4f dpp-nfc: Stop process after successful handover client completion
b00bbbfe5 dpp-nfc: Optimize HandoverClient message receiving for alternative HR case
bbfb7b9fe dpp-nfc: Use a single handover client thread
aaa8638ed dpp-nfc: Add a class for maintaining connection handover state
66d74626b dpp-nfc: Reuse the same handover client for alternative URI
6e904441c dpp-nfc: Add peer URI into the HS in testing mode
3021b14c4 dpp-nfc: Enable more verbose nfcpy debugging
7c04bab71 tests: AES-CTR encrypt test vectors
1d3e16d0b dpp-nfc: Skip P2P management interfaces
e9c192ffc dpp-nfc: Ignore (no) response to initial handover request
7d27bcb8e dpp-nfc: Do not allow more than one alternative channel proposal
6eaee933d dpp-nfc: Add test mode for negotiated connection handover
730fc307b Update documentation for vendor attributes to ignore BSSIDs during roaming
f4877083e Rename driver op for temporarily disallowed BSSIDs
f8c756c5b FT: Rename temporary blocking of nonresponsive R0KH
15018d4f4 DPP2: Fix auth termination after receiving Configurator backup
74cd38ac6 dpp-nfc: Return failure status if operation fails
7e2edfbc1 dpp-nfc: Add color and details for interactive operations
09c22bb78 dpp-nfc: Fix regression in NFC Tag writing
1e4a42c74 dpp-nfc: Detect a non-NDEF tag when trying to write
288c0ffaa dpp-nfc: Do not hardcode netrole for NFC Tag writing cases
ebd5e764f Vendor attribute to configure QoS/AC upgrade for UDP frames
d91fb3ce3 Add a vendor command to fetch the currently enabled band(s)
29e47c416 Vendor command to configure TWT
8f396ad68 Enhance the qca_set_band enum values to be used as a bitmap
cc6153a8a nl80211: Fix sending proper VLAN ID attr value when using VLAN offload
a57f98754 Fix enabling 40/80 MHz bandwidth support in the 6 GHz band
885097125 mesh: Fix peer link counting when removing a mesh peer
8632dea4a DPP2: Make sure dpp_auth gets cleared with external config processing
a7ae42296 DPP2: Do not allow reconfiguration to be started with pending auth
d93df9989 DPP2: Debug print reason for rejecting reconfiguration
5d8c5f344 SAE-PK: Fix password validation check for Sec
0ce6883f6 tests: Fix SAE-PK password module tests
c9dc075fc dpp-nfc: Fix connection handover renegotiation
d0819a11c FILS: Use FILS auth alg when connecting using PMKSA caching
70b80c31f nl80211: Do not send FILS ERP sequence number without rRK
52a325762 6 GHz: Change 6 GHz channels per IEEE P802.11ax/D6.1
5908fedc1 dpp-nfc: Support channel list negotiation
eddf22e1f dpp-nfc: Update debug print for tag-read-only operation
b62e46f69 DPP2: Fix DPP_CA_SET processing with authentication not having peer BI
4f4a52c3c DPP: Clear bootstrap entries only after clearing authentication state
67efd19e0 nl80211: Use control port TX (status) in AP mode if possible
569497bf4 nl80211: Work around misdelivered control port TX status
87065881b nl80211: Use ext ack handler for TX control port
6f19cc4d7 nl80211: Handle control port TX status events over nl80211
f7c657b79 nl80211: Add custom ack handler arguments to send_and_recv()
73ea1ad7f nl80211: Clean up SO_WIFI_STATUS error reporting
cd99a8c43 EAP-TEAP (server): Allow Phase 2 skip based on client certificate
519629392 EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used
9593ce658 OpenSSL: Provide access to peer subject and own certificate use
b5dab03a1 Convert int to bool for throughput estimate tables
b97aa038b Add WPA_EVENT_{DO,SKIP}_ROAM events
d6b450e89 Refactor wpa_supplicant_need_to_roam()
2ff5a1fdb Use lookup-table instead of macro for TX rate estimates
fa09b85c4 DPP2: Remove forgetten development time debug prints
0bbab6465 DPP2: Fix dot1x config object parsing without trustedEapServerName
8f88dcf05 DPP2: Add an automatic peer_bi entry for CSR matching if needed
b25ddfe9d DPP2: Add Enrollee name into CSR as the commonName
11aa77e00 DPP2: GAS comeback response processing for Enrollee over TCP
18e013a93 DPP2: GAS comeback request processing for Configurator over TCP
68d9586a4 DPP2: GAS Comeback Request for the TCP case
a352c7230 DPP2: Comeback delay response for certificate in over TCP case
0f9463d6e DPP2: CSR wait in Configurator when using TCP
1f86b2c24 DPP2: CSR generation in TCP Client/Enrollee
697fa0c4b DPP2: Do not try to proceed with GAS client if CSR building fails
ffc8ae507 Define a new QCA vendor attribute for Optimized Power Management
3a3eded0d DPP2: Allow CSR processing by CA/RA to reject configuration
3b60f1174 DPP2: Validate CSR on Configurator before forwarding to CA/RA
c98db9f1f DPP2: Add challengePassword into CSR
dbbb0d5b8 OpenSSL: Use EVP-based interface for ECDSA sign/verify
ace3723d9 DPP2: Enterprise provisioning (Enrollee)
6568e5d20 DPP2: Enterprise provisioning (Configurator)
4643b2fee DPP2: Enterprise provisioning definitions for dot1x AKM
812d52ae2 OpenSSL: Support EC key from private_key blob
4b834df5e OpenSSL: Support PEM encoded chain from client_cert blob
68ac45d53 GAS server: Support comeback delay from the request handler
608adae5b JSON: Add base64 helper functions
c7e6dbdad base64: Add no-LF variant for encoding
6dc2c0118 Update DFS terminology in attribute value documentation
621745917 Allow HE-without-VHT to add the Channel Switch Wrapper element
d51b1b7a6 Move hostapd_eid_wb_chsw_wrapper() to non-VHT-specific file
1f72bbbef AP: Reject association request upon invalid HE capabilities
088bef178 AP: Restrict Vendor VHT to 2.4 GHz only
6a34bd300 HE: Use device HE capability instead of HT/VHT for 6 GHz IEs
9272ebae8 nl80211: Fetch HE 6 GHz capability from the driver
f25c51a9f Sync with mac80211-next.git include/uapi/linux/nl80211.h
518be614f SAE-PK: Advertise RSNXE capability bit in STA mode
a77d6d220 SAE-PK: Update SAE confirm IE design
363dbf1ec SAE-PK: Remove requirement of SAE group matching SAE-PK (K_AP) group
2e80aeae4 WPS UPnP: Support build on OS X
f119f8a04 WPS UPnP: Fix FreeBSD build
cc2d03601 HS 2.0: Use global pmf=2 for the created network block
790026c3d Allow TX queue parameters to be configured for wpa_supplicant AP/P2P GO
c7cb42d53 Remove unused enum values
411e42673 Move local TX queue parameter parser into a common file
fcef598ea Do not try to connect with zero-length SSID
85aac526a WPS UPnP: Handle HTTP initiation failures for events more properly
f7d268864 WPS UPnP: Fix event message generation using a long URL path
5b78c8f96 WPS UPnP: Do not allow event subscriptions with URLs to other networks
e30dcda3b SAE-PK: Fix FILS Public Key element Key Type for ECDSA
4c3fbb234 SAE-PK: Check minimum password length more accurate
43a191b89 tests: Remove too short SAE-PK passwords
4ff0df39e SAE-PK: Testing functionality to allow behavior overrides
0c4ffce46 Allow transition_disable updates during the lifetime of a BSS
5f48d36b4 SAE-PK: Select SAE-PK network over SAE without PK
d654ca24d Clean up wpa_scan_res_match()
9ad010c29 SAE-PK: Allow automatic SAE-PK to be disabled
85ca13ebc wpa_cli: Add all_bss command to print all scan results (BSS entries)
215b4d8a7 FT: Do not add PMKID to the driver for FT-EAP if caching is disabled
5cf91afee QCA vendor attribute for dynamic bandwidth adjustment
1a28589b2 QCA vendor attributes for setting channel width
63653307d Add support for indicating missing driver AKM capability flags
18f3f99ac Add vendor attributes to configure testing functionality for FT/OCV/SAE
e53756a64 Fix a typo vendor attribute documentation
960e8e533 QCA vendor attribute to configure NSS
8d1cbaaff SAE-PK: Transition mode disabled indication processing
a75269529 SAE: Add sae_h2e and sae_pk to wpa_supplicant STATUS command
cc22fb1b8 SAE: Move H2E and PK flags to main sae_data
bc908daac Document more network profile parameters
1c846d647 SAE-PK: Allow SAE authentication without PK to be disabled
40240735b WPS UPnP: Do not update Beacon frames unnecessarily on subscription removal
c85b39ec5 SAE-PK: Increment the minimum password length to 9
2c7b5a2c5 tests: Skip too short SAE-PK passwords in positive testing
d777156e1 SAE-PK: Determine hash algorithm from K_AP group instead of SAE group
fb09ec87f SAE-PK: A tool for generating SAE-PK Modifier and password
b6bcd74e5 Show SAE capabilities in control interface
9bf576870 Show SAE flags in scan results
e7aeb6d8a SAE-PK: STA functionality
20ccf97b3 SAE-PK: AP functionality
00e4fbdcc tests: Module test for SAE-PK
6b9e99e57 SAE-PK: Extend SAE functionality for AP validation
b6dcbd01a SAE-PK: Identifier definitions
aed01b82d OpenSSL: Additional EC functionality for SAE-PK
8c1f61e82 OCV: Report OCI validation failures with OCV-FAILURE messages (STA)
661e66118 OCV: Allow OCI channel to be overridden for testing (AP)
d10a57f6e DPP2: Derive a separate key for enveloped data
32d3360f3 DPP: Fix a typo in a comment
5a7bcb772 OSEN: Do not send the actual BIGTK to OSEN STAs
2d6cc0e67 FT: Do not expose GTK/IGTK in FT Reassociation Response frame in OSEN
a99833789 WNM: Do not expose GTK/IGTK in WNM Sleep Mode Response frame in OSEN
d578e890e OWE: Skip beacon update of transition BSS if it is not yet enabled
88436baaa Add a vendor attribute to get OEM data
3f9a89ca1 Vendor attributes for configuring LDPC, TX STBC, RX STBC
8ee0bc622 OCV: Disconnect STAs that do not use SA Query after CSA
01ceb88c7 OCV: Report validation errors for (Re)Association Request frames
a3556d581 OCV: Report validation errors for EAPOL-Key messages in AP mode
d52067a5b OCV: Report validation errors for SA Query Request/Response in AP mode
52579be86 OCV: Move "OCV failed" prefix to callers
2d118f557 OCV: Add support to override channel info OCI element (STA)
c2080e865 Clear current PMKSA cache selection on association/roam
d9532eb70 Debug print PMK-R0/R1 and PMKR0/R1Name in the helper functions
5ab8ad4cf Vendor attributes for ssetting TX A-MSDU and RX A-MSDU parameters
f7a904a28 QCA vendor command for adding and deleting TSPEC
82867456e Vendor attributes to configure PMF protection and disassoc Tx for testing
e5e275745 Add QCA vendor interface support to configure PHY modes
db0d0b84a nl80211: Control the registration for RRM frame with driver_param
Change-Id: I07d9feb8f019a22917ffc0088126c04b7d80115a
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 9fae06d..bf89fbc 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -1202,7 +1202,7 @@
# should be unique across all issuing servers. In theory, this is a variable
# length field, but due to some existing implementations requiring A-ID to be
# 16 octets in length, it is strongly recommended to use that length for the
-# field to provid interoperability with deployed peer implementations. This
+# field to provide interoperability with deployed peer implementations. This
# field is configured in hex format.
#eap_fast_a_id=101112131415161718191a1b1c1d1e1f
@@ -1229,6 +1229,8 @@
# EAP-TEAP authentication type
# 0 = inner EAP (default)
# 1 = Basic-Password-Auth
+# 2 = Do not require Phase 2 authentication if client can be authenticated
+# during Phase 1
#eap_teap_auth=0
# EAP-TEAP authentication behavior when using PAC
@@ -1730,6 +1732,19 @@
# Enabling this automatically also enables ieee80211w, if not yet enabled.
# 0 = disabled (default)
# 1 = enabled
+# 2 = enabled in workaround mode - Allow STA that claims OCV capability to
+# connect even if the STA doesn't send OCI or negotiate PMF. This
+# workaround is to improve interoperability with legacy STAs which are
+# wrongly copying reserved bits of RSN capabilities from the AP's
+# RSNE into (Re)Association Request frames. When this configuration is
+# enabled, the AP considers STA is OCV capable only when the STA indicates
+# MFP capability in (Re)Association Request frames and sends OCI in
+# EAPOL-Key msg 2/4/FT Reassociation Request frame/FILS (Re)Association
+# Request frame; otherwise, the AP disables OCV for the current connection
+# with the STA. Enabling this workaround mode reduced OCV protection to
+# some extend since it allows misbehavior to go through. As such, this
+# should be enabled only if interoperability with misbehaving STAs is
+# needed.
#ocv=1
# disable_pmksa_caching: Disable PMKSA caching
@@ -1761,7 +1776,7 @@
# be followed by optional peer MAC address (dot11RSNAConfigPasswordPeerMac) and
# by optional password identifier (dot11RSNAConfigPasswordIdentifier). In
# addition, an optional VLAN ID specification can be used to bind the station
-# to the specified VLAN whenver the specific SAE password entry is used.
+# to the specified VLAN whenever the specific SAE password entry is used.
#
# If the peer MAC address is not included or is set to the wildcard address
# (ff:ff:ff:ff:ff:ff), the entry is available for any station to use. If a
@@ -1776,7 +1791,8 @@
# special meaning of removing all previously added entries.
#
# sae_password uses the following encoding:
-#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>][|id=<identifier>]
+#<password/credential>[|mac=<peer mac>][|vlanid=<VLAN ID>]
+#[|pk=<m:ECPrivateKey-base64>][|id=<identifier>]
# Examples:
#sae_password=secret
#sae_password=really secret|mac=ff:ff:ff:ff:ff:ff
@@ -1965,7 +1981,7 @@
# Wildcard entry:
# Upon receiving a response from R0KH, it will be added to this list, so
# subsequent requests won't be broadcast. If R0KH does not reply, it will be
-# blacklisted.
+# temporarily blocked (see rkh_neg_timeout).
#r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
# List of R1KHs in the same Mobility Domain
@@ -2021,7 +2037,7 @@
#ft_psk_generate_local=0
##### Neighbor table ##########################################################
-# Maximum number of entries kept in AP table (either for neigbor table or for
+# Maximum number of entries kept in AP table (either for neighbor table or for
# detecting Overlapping Legacy BSS Condition). The oldest entry will be
# removed when adding a new entry that would make the list grow over this
# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is