path: root/src/ap/wpa_auth_glue.c
Commit message (Collapse)AuthorAgeFilesLines
* SAE: Add sae_pwe configuration parameter for hostapdJouni Malinen7 days1-0/+1
| | | | | | | | This parameter can be used to specify which PWE derivation mechanism(s) is enabled. This commit is only introducing the new parameter; actual use of it will be address in separate commits. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove CONFIG_IEEE80211W build parameterJouni Malinen2019-09-081-6/+0
| | | | | | | | | Hardcode this to be defined and remove the separate build options for PMF since this functionality is needed with large number of newer protocol extensions and is also something that should be enabled in all WPA2/WPA3 networks. Signed-off-by: Jouni Malinen <j@w1.fi>
* macsec: Do not change eapol_version for non-MACsec cases in hostapdJouni Malinen2019-06-031-0/+4
| | | | | | | | It is safer to maintain the old EAPOL version (2) in EAPOL frames that are not related to MACsec and only update the version to 3 for the MACsec specific cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* VLAN assignment based on used WPA/WPA2 passphrase/PSKJouni Malinen2019-02-141-2/+49
| | | | | | | | | | | | Extend wpa_psk_file to allow an optional VLAN ID to be specified with "vlanid=<VLAN ID>" prefix on the line. If VLAN ID is specified and the particular wpa_psk_file entry is used for a station, that station is bound to the specified VLAN. This can be used to operate a single WPA2-Personal BSS with multiple VLANs based on the used passphrase/PSK. This is similar to the WPA2-Enterprise case where the RADIUS server can assign stations to different VLANs. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FT: Allow STA entry to be removed/re-added with FT-over-the-DSJouni Malinen2019-01-041-0/+6
| | | | | | | | | | | | | | FT-over-the-DS has a special case where the STA entry (and as such, the TK) has not yet been configured to the driver depending on which driver interface is used. For that case, allow add-STA operation to be used (instead of set-STA). This is needed to allow mac80211-based drivers to accept the STA parameter configuration. Since this is after a new FT-over-DS exchange, a new TK has been derived after the last STA entry was added to the driver, so key reinstallation is not a concern for this case. Fixes: 0e3bd7ac684a ("hostapd: Avoid key reinstallation in FT handshake") Signed-off-by: Jouni Malinen <j@w1.fi>
* OCV: Add function to derive Tx parameters to a specific STAMathy Vanhoef2018-12-171-0/+26
| | | | | | | | | | Use the information elements that were present in the (Re)Association Request frame to derive the maximum bandwidth the AP will use to transmit frames to a specific STA. By using this approach, we don't need to query the kernel for this information, and avoid having to add a driver API for that. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* OCV: Advertise OCV capability in RSN capabilities (AP)Mathy Vanhoef2018-12-161-0/+3
| | | | | | | | Set the OCV bit in RSN capabilities (RSNE) based on AP mode configuration. Do the same for OSEN since it follows the RSNE field definitions. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* Make channel_info available to authenticatorMathy Vanhoef2018-12-161-0/+8
| | | | | | | | This adds the necessary functions and callbacks to make the channel_info driver API available to the authenticator state machine that implements the 4-way and group key handshake. This is needed for OCV. Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
* FT: Add set/get session_timeout callback functionsMichael Braun2018-04-061-0/+46
| | | | | | | These are needed to allow wpa_auth_ft.c to control session_timeout values for STAs. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Add set/get identity/radius_cui callback functionsMichael Braun2018-04-061-0/+146
| | | | | | | These are needed to allow wpa_auth_ft.c to control identity/radius_cui values for STAs. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Add set_vlan()/get_vlan() callback functionsMichael Braun2018-04-051-0/+54
| | | | | | | These are needed to allow wpa_auth_ft.c to control VLAN assignment for STAs. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Add expiration to PMK-R0 and PMK-R1 cacheMichael Braun2018-04-051-0/+1
| | | | | | | | | | | | | | | | | | | IEEE Std 802.11-2016, indicates that the lifetime of the PMK-R0 (and PMK-R1) is bound to the lifetime of PSK or MSK from which the key was derived. This is currently stored in r0_key_lifetime, but cache entries are not actually removed. This commit uses the r0_key_lifetime configuration parameter when wpa_auth_derive_ptk_ft() is called. This may need to be extended to use the MSK lifetime, if provided by an external authentication server, with some future changes. For PSK, there is no such lifetime, but it also matters less as FT-PSK can be achieved without inter-AP communication. The expiration timeout is then passed from R0KH to R1KH. The R1KH verifies that the given timeout for sanity, it may not exceed the locally configured r1_max_key_lifetime. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Use correct WPA_ALG_* values to compare for enum wpa_algPurushottam Kushwaha2018-03-121-4/+4
| | | | | | | | | | enum wpa_alg was being compared with WPA_CIPHER_* values. That does not work here and strict compilers will report this as an error. Fix the comparision to use proper WPA_ALG_* values. This fixes testing capability for resetting IPN for BIP. Fixes: 16579769ff7b ("Add testing functionality for resetting PN/IPN for configured keys") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Add option to require MFP for SAE associationsJouni Malinen2017-12-271-0/+1
| | | | | | | | | | | The new hostapd.conf parameter sae_require_pmf=<0/1> can now be used to enforce negotiation of MFP for all associations that negotiate use of SAE. This is used in cases where SAE-capable devices are known to be MFP-capable and the BSS is configured with optional MFP (ieee80211w=1) for legacy support. The non-SAE stations can connect without MFP while SAE stations are required to negotiate MFP if sae_require_mfp=1. Signed-off-by: Jouni Malinen <j@w1.fi>
* Optional AP side workaround for key reinstallation attacksJouni Malinen2017-10-161-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a new hostapd configuration parameter wpa_disable_eapol_key_retries=1 that can be used to disable retransmission of EAPOL-Key frames that are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This is similar to setting wpa_group_update_count=1 and wpa_pairwise_update_count=1, but with no impact to message 1/4 retries and with extended timeout for messages 4/4 and group message 2/2 to avoid causing issues with stations that may use aggressive power saving have very long time in replying to the EAPOL-Key messages. This option can be used to work around key reinstallation attacks on the station (supplicant) side in cases those station devices cannot be updated for some reason. By removing the retransmissions the attacker cannot cause key reinstallation with a delayed frame transmission. This is related to the station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, and CVE-2017-13081. This workaround might cause interoperability issues and reduced robustness of key negotiation especially in environments with heavy traffic load due to the number of attempts to perform the key exchange is reduced significantly. As such, this workaround is disabled by default (unless overridden in build configuration). To enable this, set the parameter to 1. It is also possible to enable this in the build by default by adding the following to the build configuration: CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1 Signed-off-by: Jouni Malinen <j@w1.fi>
* Add testing functionality for resetting PN/IPN for configured keysJouni Malinen2017-10-161-0/+31
| | | | | | | | | | | | | This can be used to test replay protection. The "RESET_PN" command in wpa_supplicant and "RESET_PN <addr>" command in hostapd resets the local counters to zero for the last configured key. For hostapd, the address parameter specifies which STA this operation is for or selects GTK ("ff:ff:ff:ff:ff:ff") or IGTK ("ff:ff:ff:ff:ff:ff IGTK"). This functionality is for testing purposes and included only in builds with CONFIG_TESTING_OPTIONS=y. Signed-off-by: Jouni Malinen <j@w1.fi>
* Remove all PeerKey functionalityJouni Malinen2017-10-151-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | This was originally added to allow the IEEE 802.11 protocol to be tested, but there are no known fully functional implementations based on this nor any known deployments of PeerKey functionality. Furthermore, PeerKey design in the IEEE Std 802.11-2016 standard has already been marked as obsolete for DLS and it is being considered for complete removal in REVmd. This implementation did not really work, so it could not have been used in practice. For example, key configuration was using incorrect algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in mapping to an invalid WPA_ALG_* value for the actual driver operation. As such, the derived key could not have been successfully set for the link. Since there are bugs in this implementation and there does not seem to be any future for the PeerKey design with DLS (TDLS being the future for DLS), the best approach is to simply delete all this code to simplify the EAPOL-Key handling design and to get rid of any potential issues if these code paths were accidentially reachable. Signed-off-by: Jouni Malinen <j@w1.fi>
* OWE: PMKSA caching in AP modeJouni Malinen2017-10-091-0/+11
| | | | | | This extends OWE support in hostapd to allow PMKSA caching to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP modeJouni Malinen2017-10-081-2/+8
| | | | | | | This extends OWE support in hostapd to allow DH groups 20 and 21 to be used in addition to the mandatory group 19 (NIST P-256). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* SAE: Fix PMKSA caching behavior in AP modeJouni Malinen2017-09-041-0/+5
| | | | | | | | Add PMKID into EAPOL-Key 1/4 when using SAE and fix the PMK-from-PMKSA selection in some cases where PSK (from passphrase) could have been used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FT: Add support for wildcard R0KH/R1KHMichael Braun2017-05-031-2/+6
| | | | | | | | | | | | | | | | | | | | | | | Enable use of FT RRB without configuring each other AP locally. Instead, broadcast messages are exchanged to discover APs within the local network. When an R0KH or R1KH is discovered, it is cached for one day. When a station uses an invalid or offline r0kh_id, requests are always broadcast. In order to avoid this, if r0kh does not reply, a temporary blacklist entry is added to r0kh_list. To avoid blocking a valid r0kh when a non-existing pmk_r0_name is requested, r0kh is required to always reply using a NAK. Resend requests a few times to ensure blacklisting does not happen due to small packet loss. To free newly created stations later, the r*kh_list start pointer in conf needs to be updateable from wpa_auth_ft.c, where only wconf is accessed. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT RRB: Add msg replay and msg delay protectionMichael Braun2017-05-031-0/+20
| | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a counter and adds sequence numbering to FT RRB packets. The sequence number is checked against r0kh/r1kh sequence number cache. Special attention is needed in case the remote AP reboots and thus loses its state. I prefer it to recover automatically even without synchronized clocks. Therefore an identifier called dom is generated randomly along the initial sequence number. If the dom transmitted does not match or the sequence number is not in the range currently expected, the sender is asked for a fresh confirmation of its currently used sequence numbers. The packet that triggered this is cached and processed again later. Additionally, in order to ensure freshness, the remote AP includes an timestamp with its messages. It is then verified that the received messages are indeed fresh by comparing it to the older timestamps received and the time elapsed since then. Therefore FT_RRB_TIMESTAMP is no longer needed. This assigns new OUI 00:13:74 vendor-specific subtype 0x0001 subtypes: 4 (SEQ_REQ) and 5 (SEQ_RESP). This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Replace inter-AP protocol with use of OUI Extended EthertypeMichael Braun2017-05-031-3/+214
| | | | | | | | | | | | | | | | | | Replace the previously used extension of IEEE 802.11 managed Ethertype 89-0d (originally added for Remote Request/Response in IEEE 802.11r) with Ethertype 88-b7 (OUI Extended EtherType) for FT inter-AP communication. The new design uses a more properly assigned identifier for the messages. This assigns the OUI 00:13:74 vendor-specific subtype 0x0001 for the new hostapd AP-to-AP communication purposes. Subtypes 1 (PULL), 2 (RESP), and 3 (PUSH) are also assigned in this commit for the R0KH-R1KH protocol. This breaks backward compatibility, i.e., hostapd needs to be updated on all APs at the same time to allow FT to remain functional. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Schedule wpa_ft_rrb_rx() through eloop in intra-process communicationMichael Braun2017-04-011-14/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | With AP-AP communication, when hapd0 sends a packet, hapd1 can receive it immediately and send a response. But hapd0 will only read and process the response after it has returned from the sending context, that is entered eloop again. So one does not need to consider the RX function of the reply to run for the request sending hapd before the send calling function has returned. Previously, with intra-process communication, the packet is not scheduled through eloop. Thus the RX handler of the reply might be run while the sending context of the original request has not returned. This might become problematic, e.g., when deferring a management frame processing until an RRB response is received and then have the request restarted and finished before the original request handling has been stopped. I'm not aware of any concrete bug this is currently triggering but came across it while thinking of FT RRB AP-AP sequence numbering. I think the non-eloop scheduling approach might be error-prone and thus propose to model it more closely to the way the message would be received from a socket. Additionally, this ensures that the tests model AP-AP communication more closely to real world. Solution: queue these packets through eloop. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* OWE: Process Diffie-Hellman Parameter element in AP modeJouni Malinen2017-03-121-0/+6
| | | | | | | | This adds AP side processing for OWE Diffie-Hellman Parameter element in (Re)Association Request frame and adding it in (Re)Association Response frame. Signed-off-by: Jouni Malinen <j@w1.fi>
* FILS: Find PMKSA cache entries on AP based on FILS Cache IdentifierJouni Malinen2017-02-211-0/+5
| | | | | | | | This allows PMKSA cache entries to be shared between all the BSSs operated by the same hostapd process when those BSSs use the same FILS Cache Identifier value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add hostapd options wpa_group_update_count and wpa_pairwise_update_countGünther Kelleter2017-02-061-0/+2
| | | | | | | | | | | | | | | wpa_group_update_count and wpa_pairwise_update_count can now be used to set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current hardcoded value (4). Some stations may suffer from frequent deauthentications due to GTK rekey failures: EAPOL 1/2 frame is not answered during the total timeout period of currently ~3.5 seconds. For example, a Galaxy S6 with Android 6.0.1 appears to go into power save mode for up to 5 seconds. Increasing wpa_group_update_count to 6 fixed this issue. Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
* wpa_auth: Make struct wpa_auth_callbacks constJohannes Berg2017-01-291-23/+22
| | | | | | | | | Instead of copying the struct wpa_auth_callbacks, just keep a pointer to it, keep the context pointer separate, and let the user just provide a static const structure. This reduces the attack surface of heap overwrites, since the function pointers move elsewhere. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* FT: Differentiate between FT for station and for AP in buildIlan Peer2016-10-291-14/+14
| | | | | | | | | | | | | | Previously, CONFIG_IEEE80211R enabled build that supports FT for both station mode and AP mode. However, in most wpa_supplicant cases only station mode FT is required and there is no need for AP mode FT. Add support to differentiate between station mode FT and AP mode FT in wpa_supplicant builds by adding CONFIG_IEEE80211R_AP that should be used when AP mode FT support is required in addition to station mode FT. This allows binary size to be reduced for builds that require only the station side FT functionality. Signed-off-by: Ilan Peer <ilan.peer@intel.com>
* FT: Allow PMK-R0 and PMK-R1 for FT-PSK to be generated locallyMichael Braun2016-10-091-0/+1
| | | | | | | | | | | | | | | | | | Station should be able to connect initially without ft_pmk_cache filled, so the target AP has the PSK available and thus the same information as the origin AP. Therefore neither caching nor communication between the APs with respect to PMK-R0 or PMK-R1 or VLANs is required if the target AP derives the required PMKs locally. This patch introduces the generation of the required PMKs locally for FT-PSK. Additionally, PMK-R0 is not stored (and thus pushed) for FT-PSK. So for FT-PSK networks, no configuration of inter-AP communication is needed anymore when using ft_psk_generate_local=1 configuration. The default behavior (ft_psk_generate_local=0) remains to use the pull/push protocol. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Fix RRB for FT over-the-air caseGünther Kelleter2016-04-181-1/+1
| | | | | | | | | | Commit 66d464067d626cc64c5a543a8f91fe58727f4e5e ('FT: Register RRB l2_packet only if FT-over-DS is enabled') disabled RRB l2_packet socket if ft_over_ds is disabled, but this socket is required for FT over-the-air, too (FT key distribution). Enable the socket regardless of ft_over_ds setting if FT is enabled. Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
* FT: Check destination MAC address on RRB receiveMichael Braun2016-02-281-0/+3
| | | | | | | | | | | | | | As the Linux variant of l2_packet_init() does not use its own_addr argument and l2_packet_receive() does not filter on destination MAC address, this needs to be checked in the callback. If there are multiple BSSes listening for FT RRB packets, all their BSSIDs need to be local to the bridge interface. As l2_packet_init() is going to receive all of them going for any local address, those RRB messages started turning up on BSSes that were not destinated for and cluttering logs. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* Defer passphrase-to-PSK hashing out of 802.11 authentication ACL checkMichael Braun2016-02-281-0/+8
| | | | | | | | | | | | | | Hashing takes quite some time (can be about one second on a low-power CPU for each passphrase provided), so hostapd can easily hit the 900 ms Wi-Fi client authentication deadline (mac80211 uses 3x 300 ms). This can be fixed by storing the passphrase instead of PSK with the STA and defer the hashing into the WPA/RSN 4-way handshake, when enumerating all PSKs. This applies for the case where a RADIUS server is used to store the per-STA passphrases and this passphrase is delivered as part of the MAC ACL check during IEEE 802.11 Authentication frame processing. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* FT: Check hapd->wpa_auth before RRB internal deliveryMichael Braun2016-02-281-0/+2
| | | | | | | | | | | | | A malicious station could try to do FT-over-DS with a non WPA-enabled BSS. When this BSS is located in the same hostapd instance, internal RRB delivery will be used and thus the FT Action Frame will be processed by a non-WPA enabled BSS. This processing used to crash hostapd as hapd->wpa_auth is NULL. If the target BSS is on a different hostapd instance, it will not listen for these packets and thus not crash. Fix this by checking hapd->wpa_auth before delivery. Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
* hostapd: Fix WPA, IEEE 802.1X, and WPS deinit in cases where init failsJouni Malinen2015-10-141-2/+3
| | | | | | | | | | | | With driver wrappers that implement set_privacy(), set_generic_elem(), set_ieee8021x(), or set_ap_wps_ie(), it was possible to hit a NULL pointer dereference in error cases where interface setup failed and the network configuration used WPA/WPA2, IEEE 802.1X, or WPS. Fix this by skipping the driver operations in case the driver interface is not initialized. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Add testing option to override own WPA/RSN IE(s)Jouni Malinen2015-08-081-0/+7
| | | | | | | | This allows the new own_ie_override=<hexdump> configuration parameter to be used to replace the normally generated WPA/RSN IE(s) for testing purposes in CONFIG_TESTING_OPTIONS=y builds. Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Register RRB l2_packet only if FT-over-DS is enabledJouni Malinen2015-07-171-1/+2
| | | | | | | There is no need to waste resources for this packet socket if FT-over-DS is disabled or when operating P2P GO or AP mode in wpa_supplicant. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Replace SSID_LEN with SSID_MAX_LENJouni Malinen2015-04-221-2/+2
| | | | | | This makes source code more consistent. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add a AP mode event message for possible PSK/passphrase mismatchJouni Malinen2015-03-191-0/+10
| | | | | | | | | | If the AP/Authenticator receives an EAPOL-Key msg 2/4 for an association that negotiated use of PSK and the EAPOL-Key MIC does not match, it is likely that the station is trying to use incorrect PSK/passphrase. Report this with "AP-STA-POSSIBLE-PSK-MISMATCH <STA addr>" control interface event. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Debug messages for dodgy RADIUS serversBen Greear2015-01-221-2/+7
| | | | | | | These were helpful when tracking down why hostapd did not work properly with a RADIUS server. Signed-hostap: Ben Greear <greearb@candelatech.com>
* Add external EAPOL transmission option for testing purposesJouni Malinen2014-10-101-0/+30
| | | | | | | | | | The new ext_eapol_frame_io parameter can be used to configure hostapd and wpa_supplicant to use control interface for receiving and transmitting EAPOL frames. This makes it easier to implement automated test cases for protocol testing. This functionality is included only in CONFIG_TESTING_OPTIONS=y builds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow management group cipher to be configuredJouni Malinen2014-03-141-0/+1
| | | | | | | | | | This allows hostapd to set a different management group cipher than the previously hardcoded default BIP (AES-128-CMAC). The new configuration file parameter group_mgmt_cipher can be set to BIP-GMAC-128, BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in IEEE Std 802.11ac-2013. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* HS 2.0R2 AP: Add OSEN implementationJouni Malinen2014-02-251-0/+13
| | | | Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Add support for IP address assignment in 4-way handshakeJouni Malinen2014-01-271-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | This new mechanism allows P2P Client to request an IPv4 address from the GO as part of the 4-way handshake to avoid use of DHCP exchange after 4-way handshake. If the new mechanism is used, the assigned IP address is shown in the P2P-GROUP-STARTED event on the client side with following new parameters: ip_addr, ip_mask, go_ip_addr. The assigned IP address is included in the AP-STA-CONNECTED event on the GO side as a new ip_addr parameter. The IP address is valid for the duration of the association. The IP address pool for this new mechanism is configured as global wpa_supplicant configuration file parameters ip_addr_go, ip_addr_mask, ip_addr_star, ip_addr_end. For example: ip_addr_go= ip_addr_mask= ip_addr_start= ip_addr_end= DHCP mechanism is expected to be enabled at the same time to support P2P Devices that do not use the new mechanism. The easiest way of managing the IP addresses is by splitting the IP address range into two parts and assign a separate range for wpa_supplicant and DHCP server. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* Include driver.h in hostapd.hAndrei Otcheretianski2013-12-241-1/+0
| | | | | | | This allows use of structs (and not only pointers) defined in drivers.h. Remove also some not needed forward declarations and redundant includes. Signed-hostap: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
* hostapd: Fix couple of deinit path cases to clear pointersJouni Malinen2013-09-251-0/+1
| | | | | | | | This fixes some issues where dynamic interface enable/disable cycles could end up trying to free resources twice and crash the process while doing so. Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Select PSK based on Device Address instead of Interface AddressJouni Malinen2013-09-011-1/+2
| | | | | | | | | When using per-device PSKs, select the PSK based on the P2P Device Address of the connecting client if that client is a P2P Device. This allows the P2P Interface Address to be changed between P2P group connections which may happen especially when using persistent groups. Signed-hostap: Jouni Malinen <j@w1.fi>
* P2P: Make peer's P2P Device Address available to authenticatorJouni Malinen2013-09-011-1/+1
| | | | | | | This can be used to implement per-device PSK selection based on the peer's P2P Device Address instead of P2P Interface Address. Signed-hostap: Jouni Malinen <j@w1.fi>
* hostapd: Add Key MIC in group EAPOL-Key frames corruption test optionJohannes Berg2013-05-041-2/+7
| | | | | | | | | For some testing it can be useful to force the Key MIC in group EAPOL-Key frames to be corrupt. Add an option to allow setting a probability for corrupting the Key MIC and use it in the WPA code, increasing the first byte of the MIC by one to corrupt it if desired. Signed-hostap: Johannes Berg <johannes.berg@intel.com>
* SAE: Use PMK in 4-way handshakeJouni Malinen2013-01-121-2/+13
| | | | | | | Use the PMK that is derived as part of the SAE authentication in the 4-way handshake instead of the PSK. Signed-hostap: Jouni Malinen <j@w1.fi>