path: root/hostapd/Makefile
Commit message | Author | Age | Files | Lines
* Add PTKSA cache to hostapd | Ilan Peer | 2021-01-25 | 1 | -0/+2
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* AP: Add support for configuring PASN | Ilan Peer | 2021-01-25 | 1 | -0/+8
  Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* hostapd: Fix typos | Yegor Yefremov | 2020-10-16 | 1 | -1/+1
  Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
* build: Remove hostapd vs. wpa_supplicant build checks | Johannes Berg | 2020-10-10 | 1 | -9/+1
  These are no longer needed now. Note that this was never actually sufficient since src/drivers/ isn't the only thing shared, and thus a cross-build detection didn't work in all cases.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Put object files into build/ folder | Johannes Berg | 2020-10-10 | 1 | -5/+17
  Instead of building in the source tree, put most object files into the build/ folder at the root, and put each thing that's being built into a separate folder. This then allows us to build hostapd and wpa_supplicant (or other combinations) without "make clean" in between.

  For the tests keep the objects in place for now (and to do that, add the build rule) so that we don't have to rewrite all of that with $(call BUILDOBJS,...) which is just noise there.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Move config file handling into build.rules | Johannes Berg | 2020-10-10 | 1 | -12/+1
  This will make it easier to split out the handling in a proper way, and handle common cflags/dependencies.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Add a common-clean target | Johannes Berg | 2020-10-10 | 1 | -3/+2
  Clean up in a more common fashion as well, initially for ../src/.

  Also add $(Q) to the clean target in src/
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* build: Pull common fragments into a build.rules file | Johannes Berg | 2020-10-10 | 1 | -31/+3
  Some things are used by most of the binaries, pull them into a common rule fragment that we can use properly.
  Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* SAE-PK: A tool for generating SAE-PK Modifier and password | Jouni Malinen | 2020-06-02 | 1 | -0/+34
  sae_pk_gen can be used to generate Modifier (M) and password for SAE-PK based on a previously generated EC private key, Sec value (2..5), and SSID.

  For example, these commands can be used to generate the private key and the needed hostapd configuration parameter options:

    make sae_pk_gen
    openssl ecparam -genkey -outform DER -out saepk.der -name prime256v1
    ./sae_pk_gen saepk.der 3 "SAE-PK test"

  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE-PK: Extend SAE functionality for AP validation | Jouni Malinen | 2020-06-02 | 1 | -0/+4
  This adds core SAE functionality for a new mode of using SAE with a specially constructed password that contains a fingerprint for an AP public key and that public key being used to validate an additional signature in SAE confirm from the AP.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move TCP encapsulation into a separate source code file | Jouni Malinen | 2020-05-11 | 1 | -0/+1
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move configurator backup into a separate source code file | Jouni Malinen | 2020-05-11 | 1 | -0/+1
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move authentication functionality into a separate source code file | Jouni Malinen | 2020-05-11 | 1 | -0/+1
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Reconfig Announcement transmission | Jouni Malinen | 2020-05-11 | 1 | -0/+1
  Extend DPP chirping mechanism to allow Reconfig Announcement frames to be transmitted instead of the Presence Announcement frames. Add a new wpa_supplicant control interface command "DPP_RECONFIG <network id>" to initiate reconfiguration for a specific network profile.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move PKEX functionality into a separate source code file | Jouni Malinen | 2020-05-11 | 1 | -0/+1
  This continues splitting dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Move crypto routines into a separate source code file | Jouni Malinen | 2020-05-11 | 1 | -0/+1
  This is an initial step in splitting the overly long dpp.c into smaller pieces.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow TKIP support to be removed from build | Disha Das | 2020-04-17 | 1 | -0/+4
  Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from hostapd and wpa_supplicant builds. This disables use of TKIP as both the pairwise and group cipher. The end result does not interoperate with a WPA(v1)-only device or WPA+WPA2 mixed modes.
  Signed-off-by: Disha Das <dishad@codeaurora.org>
* SAE: Fix build without DPP/OWE/ERP | Jouni Malinen | 2020-04-04 | 1 | -0/+1
  SAE needs sha256-kdf.c to be included in the build.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Make WEP functionality an optional build parameter | Jouni Malinen | 2020-02-29 | 1 | -0/+4
  WEP should not be used for anything anymore. As a step towards removing it completely, move all WEP related functionality to be within CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y is explicitly set in build configuration.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211N build option | Jouni Malinen | 2020-02-22 | 1 | -6/+0
  Hardcoded CONFIG_IEEE80211N to be included to clean up implementation. More or less all new devices support IEEE 802.11n (HT) and there is not much need for being able to remove that functionality from the build. Included this unconditionally to get rid of one more build option and to keep things simpler.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Add ASN.1 support into build | Jouni Malinen | 2020-01-31 | 1 | -2/+7
  This will be needed in following patches to process DPPEnvelopedData.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* AP: Determine Short SSID value for the BSS | Andrei Otcheretianski | 2019-12-28 | 1 | -0/+1
  This can be used in the future to implement support for RNR and scanning extensions using a shorter field for the SSID.
  Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* Fix hostapd build with CONFIG_WPA_TRACE but no CONFIG_WPA_TRACE_BFD | Brian Norris | 2019-10-25 | 1 | -1/+1
  Otherwise, we may get linker failures:

    ld.lld: error: unable to find library -lbfd

  While we're at it, pull in the library selection fixes from commit 848905b12abf ("Avoid undefined references with CONFIG_WPA_TRACE_BFD=y").
  Signed-off-by: Brian Norris <briannorris@chromium.org>
* Remove IAPP functionality from hostapd | Jouni Malinen | 2019-09-11 | 1 | -5/+0
  IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been maintained nor is there any expectation of the withdrawn trial-use recommended practice to be maintained in the future. Furthermore, implementation of IAPP in hostapd was not complete, i.e., only parts of the recommended practice were included. The main item of some real use a long time ago was the Layer 2 Update frame to update bridges when a STA roams within an ESS, but that functionality has, in practice, been moved to kernel drivers to provide better integration with the networking stack.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* DPP: Fix hostapd build dependencies for DPP-only build | Jouni Malinen | 2019-09-08 | 1 | -0/+1
  Fix CONFIG_DPP=y build for cases where the needed dependencies were not pulled in by other optional build parameters.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove CONFIG_IEEE80211W build parameter | Jouni Malinen | 2019-09-08 | 1 | -33/+0
  Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with a large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* Add TLS-PRF using HMAC with P_SHA384 for TEAP | Jouni Malinen | 2019-08-16 | 1 | -0/+5
  This version of TLS PRF is needed when using TEAP with TLS ciphersuites that are defined to use SHA384 instead of SHA256.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-TEAP server and peer implementation (RFC 7170) | Jouni Malinen | 2019-07-09 | 1 | -0/+10
  This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible Authentication Protocol). This should be considered experimental since RFC 7170 has a number of conflicting statements and missing details to allow unambiguous interpretation. As such, there may be interoperability issues with other implementations and this version should not be deployed for production purposes until those unclear areas are resolved.

  This does not yet support use of NewSessionTicket message to deliver a new PAC (either in the server or peer implementation). In other words, only the in-tunnel distribution of PAC-Opaque is supported for now. Use of the NewSessionTicket mechanism would require TLS library support to allow arbitrary data to be specified as the contents of the message.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd | leiwei | 2019-06-03 | 1 | -0/+9
  Signed-off-by: leiwei <leiwei@codeaurora.org>
* hostapd: Add airtime policy configuration support | Toke Høiland-Jørgensen | 2019-05-02 | 1 | -0/+5
  This adds support to hostapd for configuring airtime policy settings for stations as they connect to the access point. This is the userspace component of the airtime policy enforcement system PoliFi described in this paper: https://arxiv.org/abs/1902.03439

  The Linux kernel part has been merged into mac80211 for the 5.1 dev cycle.

  The configuration mechanism has three modes: Static, dynamic and limit. In static mode, weights can be set in the configuration file for individual MAC addresses, which will be applied when the configured stations connect.

  In dynamic mode, weights are instead set per BSS, which will be scaled by the number of active stations on that BSS, achieving the desired aggregate weighing between the configured BSSes. Limit mode works like dynamic mode, except that any BSS *not* marked as 'limited' is allowed to exceed its configured share if a per-station fairness share would assign more airtime to that BSS. See the paper for details on these modes.
  Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
* Share common SAE and EAP-pwd functionality: suitable groups | Jouni Malinen | 2019-04-25 | 1 | -0/+6
  Start sharing common SAE and EAP-pwd functionality by adding a new source code file that can be included into both. This first step is bringing in a shared function to check whether a group is suitable.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Build configuration flags for DPP version 2 support | Jouni Malinen | 2019-03-13 | 1 | -0/+3
  The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is used to control whether new functionality defined after the DPP specification v1.0 is included. All such functionality are considered experimental and subject to change without notice and as such, not suitable for production use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* crypto: Add option to use getrandom() | Lubomir Rintel | 2019-01-01 | 1 | -0/+3
  According to random(4) manual, /dev/random is essentially deprecated on Linux for quite some time:

    "The /dev/random interface is considered a legacy interface, and /dev/urandom is preferred and sufficient in all use cases, with the exception of applications which require randomness during early boot time; for these applications, getrandom(2) must be used instead, because it will block until the entropy pool is initialized."

  An attempt to use it would cause unnecessary blocking on machines without a good hwrng even when it shouldn't be needed.

  Since Linux 3.17, a getrandom(2) call is available that will block only until the randomness pool has been seeded.

  It is probably not a good default yet as it requires a fairly recent kernel and glibc (3.17 and 2.25 respectively).
  Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
* OCV: Add utility functions to insert OCI elements | Mathy Vanhoef | 2018-12-16 | 1 | -0/+1
  This commit adds utility functions to insert various encodings of the OCI element.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Add build configuration for channel validation support | Mathy Vanhoef | 2018-12-16 | 1 | -0/+5
  Add compilation flags for Operating Channel Verification (OCV) support.
  Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* wolfSSL: Remove aes-omac1.o from hostapd build | Sean Parkinson | 2018-05-02 | 1 | -0/+2
  Avoid duplicated omac1_*() functions when building hostapd with wolfSSL.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* Fix building nt_password_hash with gnutls | Andrey Utkin | 2018-04-15 | 1 | -3/+2
  Even with

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=gnutls

  in .config, nt_password_hash was linked with libcrypto instead of libgcrypt, which caused linkage failure.
  Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
* Add support for wolfSSL cryptographic library | Sean Parkinson | 2018-03-03 | 1 | -1/+45
  Allow hostapd/wpa_supplicant to be compiled with the wolfSSL cryptography and TLS library.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* GnuTLS: Add option to build with libnettle instead of libgcrypt | Jouni Malinen | 2017-12-29 | 1 | -2/+14
  GnuTLS-based builds can now be done using either libnettle or libgcrypt for crypto functionality:

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=nettle

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=gnutls

  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement HMAC functions using libgcrypt | Jouni Malinen | 2017-12-27 | 1 | -0/+10
  Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with the ones from libgcrypt and also add the SHA384 and SHA512 versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt | Jouni Malinen | 2017-12-27 | 1 | -1/+0
  Replace the internal SHA256 implementation with the one from libgcrypt and also add the SHA384 and SHA512 versions.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* EAP-pwd: Use abstract crypto API | Sean Parkinson | 2017-12-24 | 1 | -0/+1
  This makes it easier to use EAP-pwd with other crypto libraries than OpenSSL.
  Signed-off-by: Sean Parkinson <sean@wolfssl.com>
* Remove all PeerKey functionality | Jouni Malinen | 2017-10-15 | 1 | -5/+0
  This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd.

  This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link.

  Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentally reachable.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP mode | Jouni Malinen | 2017-10-08 | 1 | -0/+5
  This extends OWE support in hostapd to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256).
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* DPP: Add base64 dependency in makefiles | Jouni Malinen | 2017-09-04 | 1 | -0/+1
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WNM: Differentiate between WNM for station and for AP in build | Avraham Stern | 2017-07-18 | 1 | -1/+1
  Previously, CONFIG_WNM enabled build that supports WNM for both station mode and AP mode. However, in most wpa_supplicant cases only station mode WNM is required and there is no need for AP mode WNM.

  Add support to differentiate between station mode WNM and AP mode WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be used when AP mode WNM support is required in addition to station mode WNM. This allows binary size to be reduced for builds that require only the station side WNM functionality.
  Signed-off-by: Avraham Stern <avraham.stern@intel.com>
* OpenSSL: Add build option to select default ciphers | Beniamino Galvani | 2017-07-17 | 1 | -0/+4
  Add a build option to select different default ciphers for OpenSSL instead of the hardcoded default "DEFAULT:!EXP:!LOW".

  This new option is useful on distributions where the security level should be consistent for all applications, as in Fedora [1]. In such cases the new configuration option would be set to "" or "PROFILE=SYSTEM" to select the global crypto policy by default.

  [1] https://fedoraproject.org/wiki/Changes/CryptoPolicy
  Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
* DPP: Integration for hostapd | Jouni Malinen | 2017-06-19 | 1 | -0/+20
  This adds DPP bootstrapping, authentication, and configuration into hostapd similarly to how the design was integrated in wpa_supplicant.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add JavaScript Object Notation (JSON) parser (RFC7159) | Jouni Malinen | 2017-06-17 | 1 | -0/+5
  This is needed for DPP configuration attributes/objects.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Extend SHA-384 and SHA-512 support to match SHA-256 | Jouni Malinen | 2017-06-17 | 1 | -0/+15
  The additional SHA-384 and SHA-512 functionality is needed to support DPP with various ECC curves.
  Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>