path: root/hostapd/Android.mk
Commit message | Author | Age | Files | Lines
* GnuTLS: Add option to build with libnettle instead of libgcrypt | Jouni Malinen | 2017-12-29 | 1 | -2/+14
  GnuTLS-based builds can now be done using either libnettle or libgcrypt for crypto functionality:
    CONFIG_TLS=gnutls CONFIG_CRYPTO=nettle
    CONFIG_TLS=gnutls CONFIG_CRYPTO=gnutls
  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement HMAC functions using libgcrypt | Jouni Malinen | 2017-12-27 | 1 | -0/+10
  Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with the ones from libgcrypt and also add the SHA384 and SHA512 versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt | Jouni Malinen | 2017-12-27 | 1 | -1/+0
  Replace the internal SHA256 implementation with the one from libgcrypt and also add the SHA384 and SHA512 versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Use abstract crypto API | Sean Parkinson | 2017-12-24 | 1 | -0/+1
  This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* Android: Move hostapd to vendor partition | Po-Chien Hsueh | 2017-12-09 | 1 | -0/+2
  Move hostapd to /vendor/bin/ because it's only used by WIFI HAL.
  Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
* Remove all PeerKey functionality | Jouni Malinen | 2017-10-15 | 1 | -5/+0
  This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd.
  This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link.
  Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP mode | Jouni Malinen | 2017-10-08 | 1 | -0/+5
  This extends OWE support in hostapd to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add base64 dependency in makefiles | Jouni Malinen | 2017-09-04 | 1 | -0/+1
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Differentiate between WNM for station and for AP in build | Avraham Stern | 2017-07-18 | 1 | -1/+1
  Previously, CONFIG_WNM enabled build that supports WNM for both station mode and AP mode. However, in most wpa_supplicant cases only station mode WNM is required and there is no need for AP mode WNM.
  Add support to differentiate between station mode WNM and AP mode WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be used when AP mode WNM support is required in addition to station mode WNM. This allows binary size to be reduced for builds that require only the station side WNM functionality.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* OpenSSL: Add build option to select default ciphers | Beniamino Galvani | 2017-07-17 | 1 | -0/+4
  Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW".
  This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default.
  [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
  Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* DPP: Integration for hostapd | Jouni Malinen | 2017-06-19 | 1 | -0/+20
  This adds DPP bootstrapping, authentication, and configuration into hostapd similarly to how the design was integrated in wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add JavaScript Object Notation (JSON) parser (RFC7159) | Jouni Malinen | 2017-06-17 | 1 | -0/+5
  This is needed for DPP configuration attributes/objects.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Extend SHA-384 and SHA-512 support to match SHA-256 | Jouni Malinen | 2017-06-17 | 1 | -0/+18
  The additional SHA-384 and SHA-512 functionality is needed to support DPP with various ECC curves.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FT: New RRB message format | Michael Braun | 2017-05-03 | 1 | -0/+3
  Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher to protect the messages.
  This needs at least 32 byte long keys. These can be provided either by a config file change or letting a KDF derive the 32 byte key used from the 16 byte key given.
  This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Replace inter-AP protocol with use of OUI Extended Ethertype | Michael Braun | 2017-05-03 | 1 | -0/+6
  Replace the previously used extension of IEEE 802.11 managed Ethertype 89-0d (originally added for Remote Request/Response in IEEE 802.11r) with Ethertype 88-b7 (OUI Extended EtherType) for FT inter-AP communication. The new design uses a more properly assigned identifier for the messages.
  This assigns the OUI 00:13:74 vendor-specific subtype 0x0001 for the new hostapd AP-to-AP communication purposes. Subtypes 1 (PULL), 2 (RESP), and 3 (PUSH) are also assigned in this commit for the R0KH-R1KH protocol.
  This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FILS: Add FILS SK auth PFS support in AP mode | Jouni Malinen | 2017-03-12 | 1 | -0/+4
  This adds an option to configure hostapd to enable use of perfect forward secrecy option in FILS shared key authentication. A new build option CONFIG_FILS_SK_PFS=y can be used to include this functionality. A new runtime configuration parameter fils_dh_group is used to enable this by specifying which DH group to use. For example, fils_dh_group=19 would allow FILS SK PFS to be used with a 256-bit random ECP group.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Add CONFIG_OWE=y build option | Jouni Malinen | 2017-03-12 | 1 | -0/+6
  This can be used to enable OWE support in hostapd and wpa_supplicant builds.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Fix AES-SIV build dependencies | Jouni Malinen | 2017-02-26 | 1 | -3/+6
  aes-siv.c needs functions from aes-ctr.c and aes-omac1.c, so set NEED_AES_CTR=y and NEED_AES_OMAC1=y if NEED_AES_SIV is defined. This fixes some build configuration combinations where either of those dependencies were not pulled in through other parameters. For example, some CONFIG_FILS=y cases were impacted.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Add IEEE 802.11ax HE IEs into Beacon/Probe Response frames | Peng Xu | 2017-02-19 | 1 | -0/+4
  IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response frames. These elements are using vendor specific forms for now since the IEEE 802.11ax draft is not yet finalized and the element contents is subject to change.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Initial IEEE 802.11ax (HE) definitions | Peng Xu | 2017-02-19 | 1 | -0/+4
  Add IEEE 802.11ax definitions for config, IEEE structures, and constants. These are still subject to change in the IEEE process.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add HMAC-SHA384 with internal crypto | Jouni Malinen | 2017-02-16 | 1 | -0/+3
  This is a copy of the internal HMAC-SHA256 implementation with the hash block size and output length updated to match SHA384 parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Remove CRC32 dependency from build | Jouni Malinen | 2017-02-13 | 1 | -5/+0
  The published P802.11ai version does not use CRC32 anymore, so remove inclusion of crc32.o into wpa_supplicant and hostapd builds based on CONFIG_FILS=y.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Move HLP request handling into a separate file | Jouni Malinen | 2017-01-31 | 1 | -0/+1
  This is independent functionality from the core IEEE 802.11 management handling and will increase significantly in size, so it is cleaner to maintain this in a separate source code file.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add possibility to send debug messages to syslog | Wojciech Dubowik | 2017-01-29 | 1 | -0/+4
  We can only send module specific messages to syslog and not debug messages printed with wpa_printf. Add an extra command line parameter '-s' to allow it. The feature is enabled with compile flag CONFIG_DEBUG_SYSLOG as for wpa_supplicant and behaves in the same manner as the wpa_supplicant -s command line argument.
  Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
* FT: Differentiate between FT for station and for AP in build | Ilan Peer | 2016-10-29 | 1 | -1/+1
  Previously, CONFIG_IEEE80211R enabled build that supports FT for both station mode and AP mode. However, in most wpa_supplicant cases only station mode FT is required and there is no need for AP mode FT.
  Add support to differentiate between station mode FT and AP mode FT in wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used when AP mode FT support is required in addition to station mode FT. This allows binary size to be reduced for builds that require only the station side FT functionality.
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* hostapd_cli: Enable command completion and history for Android | Mikael Kanstrup | 2016-10-16 | 1 | -0/+3
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
* FILS: Use AEAD cipher to check received EAPOL-Key frames (AP) | Jouni Malinen | 2016-10-10 | 1 | -0/+4
  This changes 4-way handshake authenticator processing to decrypt the EAPOL-Key frames using an AEAD cipher (AES-SIV with FILS AKMs) before processing the Key Data field. This replaces Key MIC validation for the cases where AEAD cipher is used. This needs to move the EAPOL-Key msg 2/4 RSN element processing to happen only after the PTK has been derived and validated. That is done for all AKMs to avoid extra complexity with having to maintain two code paths for this.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FILS: Add hostapd configuration options | Jouni Malinen | 2016-10-10 | 1 | -0/+10
  This adds CONFIG_FILS=y build configuration option and new key management options for FILS authentication.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add init fragment for hostapd on Android | Christopher Wiley | 2016-08-18 | 1 | -0/+1
  This fragment defines how the Android init system should start hostapd as a standalone service.
  Previously, hostapd was fork/exec'd from Android's netd. This left hostapd with some dangling file descriptors and a process parent minimally interested in acting as init for child processes.
  Signed-off-by: Christopher Wiley <wiley@google.com>
* Move parts of wpa_cli to a new common file | Mikael Kanstrup | 2016-08-06 | 1 | -1/+4
  In preparation for adding further command completion support to hostapd_cli move some cli related utility functions out of wpa_cli into a new common cli file.
  Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
* hostapd: Handle Neighbor Report Request frame | David Spinadel | 2016-04-17 | 1 | -0/+1
  Process Neighbor Report Request frame and send Neighbor Report Response frame based on the configured neighbor report data.
  Signed-off-by: David Spinadel <david.spinadel@intel.com>
* hostapd: Add a database of neighboring APs | David Spinadel | 2016-04-16 | 1 | -0/+1
  Add a configurable neighbor database that includes the content of Neighbor Report element, LCI and Location Civic subelements and SSID.
  All parameters for a neighbor must be updated at once; Neighbor Report element and SSID are mandatory, LCI and civic are optional. The age of LCI is set to the time of neighbor update.
  The control interface API is:
    SET_NEIGHBOR <BSSID> <ssid=SSID> <nr=data> [lci=<data>] [civic=<data>]
  To delete a neighbor use:
    REMOVE_NEIGHBOR <BSSID> <SSID>
  Signed-off-by: David Spinadel <david.spinadel@intel.com>
* vlan: Move ifconfig helpers to a separate file | Jouni Malinen | 2016-03-25 | 1 | -0/+1
  This removes final ioctl() use within vlan_init.c.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* vlan: Move CONFIG_FULL_DYNAMIC_VLAN functionality into a separate file | Jouni Malinen | 2016-03-25 | 1 | -0/+1
  This cleans up vlan_init.c by removing number of C pre-processor dependencies.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* vlan: Clean up netlink vs. ioctl API implementation | Jouni Malinen | 2016-03-25 | 1 | -8/+6
  Move the ioctl-based VLAN implementation to a separate file to avoid need for conditional blocks within vlan_ioctl.c. This removes the internal CONFIG_VLAN_NETLINK define, i.e., this is now used only in build configuration (.config) to select whether to include the vlan_util.c (netlink) or vlan_ioctl.c (ioctl) implementation of the functions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Use common functions for ctrl_iface | Janusz Dziedzic | 2016-03-05 | 1 | -0/+1
  Use the common functions, structures when UNIX socket ctrl_iface used.
  Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
* Android: Remove superfluous OpenSSL include paths | Adam Langley | 2016-03-03 | 1 | -1/+0
  The libcrypto and libssl modules (and their respective static and host versions) use LOCAL_EXPORT_C_INCLUDE_DIRS thus just including the module is sufficient.
  Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
* MBO: Track STA cellular data capability from association request | Jouni Malinen | 2016-02-22 | 1 | -0/+1
  This makes hostapd parse the MBO attribute in (Re)Association Request frame and track the cellular data capability (mbo_cell_capa=<val> in STA control interface command).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add MBO IE to Beacon, Probe Response, Association Response | Avraham Stern | 2016-02-22 | 1 | -0/+4
  Add MBO IE with AP capability attribute to Beacon, Probe Response, and (Re)Association Response frames to indicate the AP supports MBO.
  Add option to add Association Disallowed attribute to Beacon, Probe Response, and (Re)Association Response frames. Usage:
    SET mbo_assoc_disallow <reason code>
  Valid reason code values are between 1-5. Setting the reason code to 0 will remove the Association Disallowed attribute from the MBO IE and will allow new associations.
  MBO functionality is enabled by setting "mbo=1" in the config file.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* VLAN: Separate station grouping and uplink configuration | Michael Braun | 2016-02-17 | 1 | -0/+1
  Separate uplink configuration (IEEE 802.1q VID) and grouping of stations into AP_VLAN interfaces.
  The int vlan_id will continue to identify the AP_VLAN interface the station should be assigned to. Each AP_VLAN interface corresponds to an instance of struct hostapd_vlan that is uniquely identified by int vlan_id within a BSS.
  New: Each station and struct hostapd_vlan holds a struct vlan_description vlan_desc member that describes the uplink configuration requested. Currently this is just an int untagged IEEE 802.1q VID, but can be extended to tagged VLANs and other settings easily.
  When the station was about to be assigned its vlan_id, vlan_desc and vlan_id will now be set simultaneously by ap_sta_set_vlan(). So sta->vlan_id can still be tested for whether the station needs to be moved to an AP_VLAN interface.
  To ease addition of tagged VLAN support, a member notempty is added to struct vlan_description. It is set to 1 if an untagged or tagged VLAN assignment is requested and needs to be validated. The inverted form allows os_zalloc() to initialize an empty description.
  Though not depended on by the code, vlan_id assignment ensures:
    * vlan_id = 0 will continue to mean no AP_VLAN interface
    * vlan_id < 4096 will continue to mean vlan_id = untagged vlan id with no per_sta_vif and no extra tagged vlan.
    * vlan_id > 4096 will be used for per_sta_vif and/or tagged vlans.
  This way struct wpa_group and drivers API do not need to be changed in order to implement tagged VLANs or per_sta_vif support.
  DYNAMIC_VLAN_* will refer to (struct vlan_description).notempty only, thus grouping of the stations for per_sta_vif can be used with DYNAMIC_VLAN_DISABLED, but not with CONFIG_NO_VLAN, as struct hostapd_vlan is still used to manage AP_VLAN interfaces.
  MAX_VLAN_ID will be checked in hostapd_vlan_valid and during setup of VLAN interfaces and refer to IEEE 802.1q VID. VLAN_ID_WILDCARD will continue to refer to int vlan_id.
  Renaming vlan_id to vlan_desc when type changed from int to struct vlan_description was avoided when vlan_id was also used in a way that did not depend on its type (for example, when passed to another function).
  Output of "VLAN ID %d" continues to refer to int vlan_id, while "VLAN %d" will refer to untagged IEEE 802.1q VID.
  Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* BoringSSL: Move OCSP implementation into a separate file | Jouni Malinen | 2015-12-04 | 1 | -0/+1
  This makes it easier to share the OCSP implementation needed for BoringSSL outside tls_openssl.c. For now, this is mainly for http_curl.c.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add SHA384 and SHA512 implementations from LibTomCrypt library | Pali Rohár | 2015-11-29 | 1 | -0/+12
  These will be used with the internal TLS implementation to extend hash algorithm support for new certificates and TLS v1.2.
  Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
* Fix key derivation for Suite B 192-bit AKM to use SHA384 | Jouni Malinen | 2015-08-27 | 1 | -0/+1
  While the EAPOL-Key MIC derivation was already changed from SHA256 to SHA384 for the Suite B 192-bit AKM, KDF had not been updated similarly. Fix this by using HMAC-SHA384 instead of HMAC-SHA256 when deriving PTK from PMK when using the Suite B 192-bit AKM.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add build option to remove all internal RC4 uses | Jouni Malinen | 2015-08-02 | 1 | -0/+6
  The new CONFIG_NO_RC4=y build option can be used to remove all internal hostapd and wpa_supplicant uses of RC4. It should be noted that external uses (e.g., within a TLS library) do not get disabled when doing this.
  This removes capability of supporting WPA/TKIP, dynamic WEP keys with IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password changes.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Add SHA256 support in openssl_tls_prf() for TLSv1.2 | Jouni Malinen | 2015-07-28 | 1 | -0/+2
  This is needed when enabling TLSv1.2 support for EAP-FAST since the SSL_export_keying_material() call does not support the needed parameters for TLS PRF and the external-to-OpenSSL PRF needs to be used instead.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Add build options for selecting eloop type | Jouni Malinen | 2015-07-23 | 1 | -0/+9
  This adds CONFIG_ELOOP_POLL=y and CONFIG_ELOOP_EPOLL=y options to hostapd build options similarly to how these were implemented for wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FST: Testing support | Anton Nayshtut | 2015-07-16 | 1 | -0/+3
  This patch introduces infrastructure needed for FST module tests.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FST: Add build rules for hostapd | Anton Nayshtut | 2015-07-16 | 1 | -0/+13
  This patch integrates the FST into the hostapd.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Android: Rename ANDROID_P2P_STUB to ANDROID_LIB_STUB | Kevin Cernekee | 2015-06-26 | 1 | -1/+2
  If BOARD_HOSTAPD_PRIVATE_LIB is not used on an Android build, we will need to replace both the p2p functions *and* wpa_driver_nl80211_driver_cmd in order to successfully link. Let's make the name more generic so it is more obvious what it is used for.
  Suggested-by: Dmitry Shmidt <dimitrysh@google.com>
  Signed-off-by: Kevin Cernekee <cernekee@google.com>
* Clear allocated debug message buffers explicitly | Jouni Malinen | 2015-06-17 | 1 | -0/+1
  When hostapd or wpa_supplicant is run in debug mode with key material prints allowed (-K on the command line), it is possible for passwords and keying material to show up in debug prints. Since some of the debug cases end up allocating a temporary buffer from the heap for processing purposes, a copy of such password may remain in heap. Clear these temporary buffers explicitly to avoid causing issues for hwsim test cases that verify contents of memory against unexpected keys.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>