Commit graph

296 commits

Author SHA1 Message Date
Ilan Peer
2c963a117a AP: Add support for configuring PASN
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2021-01-25 19:15:47 +02:00
Yegor Yefremov
d720de929f hostapd: Fix typos
Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
2020-10-16 12:45:24 +03:00
Johannes Berg
ad6e4a5c59 build: Remove hostapd vs. wpa_supplicant build checks
These are no longer needed now. Note that this was never actually
sufficient since src/drivers/ isn't the only thing shared, and thus a
cross-build detection didn't work in all cases.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:53:38 +03:00
Johannes Berg
722138cd25 build: Put object files into build/ folder
Instead of building in the source tree, put most object
files into the build/ folder at the root, and put each
thing that's being built into a separate folder.

This then allows us to build hostapd and wpa_supplicant
(or other combinations) without "make clean" inbetween.

For the tests keep the objects in place for now (and to
do that, add the build rule) so that we don't have to
rewrite all of that with $(call BUILDOBJS,...) which is
just noise there.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:51:39 +03:00
Johannes Berg
0464d5d5d6 build: Move config file handling into build.rules
This will make it easier to split out the handling in
a proper way, and handle common cflags/dependencies.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:49:31 +03:00
Johannes Berg
0430bc8267 build: Add a common-clean target
Clean up in a more common fashion as well, initially for ../src/.

Also add $(Q) to the clean target in src/

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:48:41 +03:00
Johannes Berg
a41a29192e build: Pull common fragments into a build.rules file
Some things are used by most of the binaries, pull them
into a common rule fragment that we can use properly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2020-10-10 12:47:29 +03:00
Jouni Malinen
fb09ec87f2 SAE-PK: A tool for generating SAE-PK Modifier and password
sae_pk_gen can be used to generate Modifier (M) and password for SAE-PK
based on a previously generated EC private key, Sec value (2..5), and
SSID.

For example, these commands can be used to generate the private key and
the needed hostapd configuration parameter options:

make sae_pk_gen
openssl ecparam -genkey -outform DER -out saepk.der -name prime256v1
./sae_pk_gen saepk.der 3 "SAE-PK test"

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 23:25:22 +03:00
Jouni Malinen
6b9e99e571 SAE-PK: Extend SAE functionality for AP validation
This adds core SAE functionality for a new mode of using SAE with a
specially constructed password that contains a fingerprint for an AP
public key and that public key being used to validate an additional
signature in SAE confirm from the AP.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-06-02 23:25:22 +03:00
Jouni Malinen
3aaf269f67 DPP: Move TCP encapsulation into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
21c612017b DPP: Move configurator backup into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
fdbbb74064 DPP: Move authentication functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 17:26:11 +03:00
Jouni Malinen
0c043d9de7 DPP2: Reconfig Announcement transmission
Extend DPP chirping mechanism to allow Reconfig Announcement frames to
be transmitted instead of the Presence Announcement frames. Add a new
wpa_supplicant control interface command "DPP_RECONFIG <network id>" to
initiate reconfiguration for a specific network profile.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
d4ae12355a DPP: Move PKEX functionality into a separate source code file
This continues splitting dpp.c into smaller pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 16:41:33 +03:00
Jouni Malinen
87b6572616 DPP: Move crypto routines into a separate source code file
This is an initial step in splitting the overly long dpp.c into smaller
pieces.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-05-11 12:09:24 +03:00
Disha Das
6b1c590ebb Allow TKIP support to be removed from build
Add a build flag CONFIG_NO_TKIP=y to remove all TKIP functionality from
hostapd and wpa_supplicant builds. This disables use of TKIP as both the
pairwise and group cipher. The end result does not interoperate with a
WPA(v1)-only device or WPA+WPA2 mixed modes.

Signed-off-by: Disha Das <dishad@codeaurora.org>
2020-04-17 23:51:58 +03:00
Jouni Malinen
97beccc838 SAE: Fix build without DPP/OWE/ERP
SAE needs sha256-kdf.c to be included in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-04-04 18:11:11 +03:00
Jouni Malinen
200c7693c9 Make WEP functionality an optional build parameter
WEP should not be used for anything anymore. As a step towards removing
it completely, move all WEP related functionality to be within
CONFIG_WEP blocks. This will be included in builds only if CONFIG_WEP=y
is explicitly set in build configuration.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-29 17:45:25 +02:00
Jouni Malinen
f3bcd69603 Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
312eac1d1e DPP: Add ASN.1 support into build
This will be needed in following patches to process DPPEnvelopedData.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-31 23:16:05 +02:00
Andrei Otcheretianski
522450b7b1 AP: Determine Short SSID value for the BSS
This can be used in the future to implement support for RNR and scanning
extensions using a shorter field for the SSID.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-12-28 22:32:14 +02:00
Brian Norris
a32acf3918 Fix hostapd build with CONFIG_WPA_TRACE but no CONFIG_WPA_TRACE_BFD
Otherwise, we may get linker failures:

  ld.lld: error: unable to find library -lbfd

While we're at it, pull in the library selection fixes from commit
848905b12a ("Avoid undefined references with CONFIG_WPA_TRACE_BFD=y").

Signed-off-by: Brian Norris <briannorris@chromium.org>
2019-10-25 16:03:37 +03:00
Jouni Malinen
018edec9b2 Remove IAPP functionality from hostapd
IEEE Std 802.11F-2003 was withdrawn in 2006 and as such it has not been
maintained nor is there any expectation of the withdrawn trial-use
recommended practice to be maintained in the future. Furthermore,
implementation of IAPP in hostapd was not complete, i.e., only parts of
the recommended practice were included. The main item of some real use
long time ago was the Layer 2 Update frame to update bridges when a STA
roams within an ESS, but that functionality has, in practice, been moved
to kernel drivers to provide better integration with the networking
stack.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-11 13:11:03 +03:00
Jouni Malinen
6bf6c6feca DPP: Fix hostapd build dependencies for DPP-only build
Fix CONFIG_DPP=y build for cases where the needed dependencies were not
pulled in by other optional build parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:46:55 +03:00
Jouni Malinen
7d2ed8bae8 Remove CONFIG_IEEE80211W build parameter
Hardcode this to be defined and remove the separate build options for
PMF since this functionality is needed with large number of newer
protocol extensions and is also something that should be enabled in all
WPA2/WPA3 networks.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-09-08 17:33:40 +03:00
Jouni Malinen
52069c7eff Add TLS-PRF using HMAC with P_SHA384 for TEAP
This version of TLS PRF is needed when using TEAP with TLS ciphersuites
that are defined to use SHA384 instead of SHA256.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-08-16 21:16:37 +03:00
Jouni Malinen
0ed57c5ea8 EAP-TEAP server and peer implementation (RFC 7170)
This adds support for a new EAP method: EAP-TEAP (Tunnel Extensible
Authentication Protocol). This should be considered experimental since
RFC 7170 has number of conflicting statements and missing details to
allow unambiguous interpretation. As such, there may be interoperability
issues with other implementations and this version should not be
deployed for production purposes until those unclear areas are resolved.

This does not yet support use of NewSessionTicket message to deliver a
new PAC (either in the server or peer implementation). In other words,
only the in-tunnel distribution of PAC-Opaque is supported for now. Use
of the NewSessionTicket mechanism would require TLS library support to
allow arbitrary data to be specified as the contents of the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-07-09 16:56:02 +03:00
leiwei
a93b369c17 macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd
Signed-off-by: leiwei <leiwei@codeaurora.org>
2019-06-03 20:27:44 +03:00
Toke Høiland-Jørgensen
ef7217518b hostapd: Add airtime policy configuration support
This adds support to hostapd for configuring airtime policy settings for
stations as they connect to the access point. This is the userspace
component of the airtime policy enforcement system PoliFi described in
this paper: https://arxiv.org/abs/1902.03439

The Linux kernel part has been merged into mac80211 for the 5.1 dev
cycle.

The configuration mechanism has three modes: Static, dynamic and limit.
In static mode, weights can be set in the configuration file for
individual MAC addresses, which will be applied when the configured
stations connect.

In dynamic mode, weights are instead set per BSS, which will be scaled
by the number of active stations on that BSS, achieving the desired
aggregate weighing between the configured BSSes. Limit mode works like
dynamic mode, except that any BSS *not* marked as 'limited' is allowed
to exceed its configured share if a per-station fairness share would
assign more airtime to that BSS. See the paper for details on these
modes.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
2019-05-02 14:57:43 +03:00
Jouni Malinen
2b84ca4dd9 Share common SAE and EAP-pwd functionality: suitable groups
Start sharing common SAE and EAP-pwd functionality by adding a new
source code file that can be included into both. This first step is
bringing in a shared function to check whether a group is suitable.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-04-25 23:49:49 +03:00
Jouni Malinen
ce7effd08f DPP2: Build configuration flags for DPP version 2 support
The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is
used to control whether new functionality defined after the DPP
specification v1.0 is included. All such functionality are considered
experimental and subject to change without notice and as such, not
suitable for production use.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2019-03-13 12:00:09 +02:00
Lubomir Rintel
89a7cdd690 crypto: Add option to use getrandom()
According to random(4) manual, /dev/random is essentially deprecated on
Linux for quite some time:

"The /dev/random interface is considered a legacy interface, and
/dev/urandom is preferred and sufficient in all use cases, with the
exception of applications which require randomness during early boot
time; for these applications, getrandom(2) must be used instead, because
it will block until the entropy pool is initialized."

An attempt to use it would cause unnecessary blocking on machines
without a good hwrng even when it shouldn't be needed. Since Linux 3.17,
a getrandom(2) call is available that will block only until the
randomness pool has been seeded.

It is probably not a good default yet as it requires a fairly recent
kernel and glibc (3.17 and 2.25 respectively).

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-01-02 01:24:18 +02:00
Mathy Vanhoef
6ab73efa72 OCV: Add utility functions to insert OCI elements
This commit adds utility functions to insert various encoding of the OCI
element.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 00:02:14 +02:00
Mathy Vanhoef
138205d600 OCV: Add build configuration for channel validation support
Add compilation flags for Operating Channel Verification (OCV) support.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-16 20:31:21 +02:00
Sean Parkinson
3122121746 wolfSSL: Remove aes-omac1.o from hostapd build
Avoid duplicated omac1_*() functions when building hostapd with wolfSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-05-02 13:32:51 +03:00
Andrey Utkin
4449efeb1d Fix building nt_password_hash with gnutls
Even with

    CONFIG_TLS=gnutls
    CONFIG_CRYPTO=gnutls

in .config, nt_password_hash was linked with libcrypto instead of
libgcrypt, which caused linkage failure.

Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
2018-04-15 21:55:06 +03:00
Sean Parkinson
fec03f9838 Add support for wolfSSL cryptographic library
Allow hostapd/wpa_supplicant to be compiled with the wolfSSL
cryptography and TLS library.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2018-03-03 11:52:40 +02:00
Jouni Malinen
b7ed94834d GnuTLS: Add option to build with libnettle instead of libgcrypt
GnuTLS-based builds can now be done using either libnettle or libgcrypt
for crypto functionality:

CONFIG_TLS=gnutls
CONFIG_CRYPTO=nettle

CONFIG_TLS=gnutls
CONFIG_CRYPTO=gnutls

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-29 17:13:57 +02:00
Jouni Malinen
133f8d09fc GnuTLS: Implement HMAC functions using libgcrypt
Replace the internal HMAC MD5, SHA-1, and SHA256 implementations with
the ones from libgcrypt and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:35:26 +02:00
Jouni Malinen
85c12a62ee GnuTLS: Implement sha{256,384,512}_vector() using libgcrypt
Replace the internal SHA256 implementation with the one from libgcrypt
and also add the SHA384 and SHA512 versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-12-27 23:21:37 +02:00
Sean Parkinson
04b1bcc5f3 EAP-pwd: Use abstract crypto API
This makes it easier to use EAP-pwd with other crypto libraries than
OpenSSL.

Signed-off-by: Sean Parkinson <sean@wolfssl.com>
2017-12-24 21:40:21 +02:00
Jouni Malinen
a0bf1b68c0 Remove all PeerKey functionality
This was originally added to allow the IEEE 802.11 protocol to be
tested, but there are no known fully functional implementations based on
this nor any known deployments of PeerKey functionality. Furthermore,
PeerKey design in the IEEE Std 802.11-2016 standard has already been
marked as obsolete for DLS and it is being considered for complete
removal in REVmd.

This implementation did not really work, so it could not have been used
in practice. For example, key configuration was using incorrect
algorithm values (WPA_CIPHER_* instead of WPA_ALG_*) which resulted in
mapping to an invalid WPA_ALG_* value for the actual driver operation.
As such, the derived key could not have been successfully set for the
link.

Since there are bugs in this implementation and there does not seem to
be any future for the PeerKey design with DLS (TDLS being the future for
DLS), the best approach is to simply delete all this code to simplify
the EAPOL-Key handling design and to get rid of any potential issues if
these code paths were accidentially reachable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-10-16 02:03:47 +03:00
Jouni Malinen
7a12edd163 OWE: Support DH groups 20 (NIST P-384) and 21 (NIST P-521) in AP mode
This extends OWE support in hostapd to allow DH groups 20 and 21 to be
used in addition to the mandatory group 19 (NIST P-256).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-10-08 17:12:35 +03:00
Jouni Malinen
a6f238f217 DPP: Add base64 dependency in makefiles
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-09-04 13:31:21 +03:00
Avraham Stern
b5bf84ba39 WNM: Differentiate between WNM for station and for AP in build
Previously, CONFIG_WNM enabled build that supports WNM for both
station mode and AP mode. However, in most wpa_supplicant cases only
station mode WNM is required and there is no need for AP mode WNM.

Add support to differentiate between station mode WNM and AP mode
WNM in wpa_supplicant builds by adding CONFIG_WNM_AP that should be
used when AP mode WNM support is required in addition to station mode
WNM. This allows binary size to be reduced for builds that require
only the station side WNM functionality.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-07-18 13:28:09 +03:00
Beniamino Galvani
2b9891bd6e OpenSSL: Add build option to select default ciphers
Add a build option to select different default ciphers for OpenSSL
instead of the hardcoded default "DEFAULT:!EXP:!LOW".

This new option is useful on distributions where the security level
should be consistent for all applications, as in Fedora [1]. In such
cases the new configuration option would be set to "" or
"PROFILE=SYSTEM" to select the global crypto policy by default.

[1] https://fedoraproject.org/wiki/Changes/CryptoPolicy

Signed-off-by: Beniamino Galvani <bgalvani@redhat.com>
2017-07-17 11:55:22 +03:00
Jouni Malinen
9c2b8204e6 DPP: Integration for hostapd
This adds DPP bootstrapping, authentication, and configuration into
hostapd similarly to how the design was integrated in wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-19 21:13:17 +03:00
Jouni Malinen
005be3daa9 Add JavaScript Object Notation (JSON) parser (RFC7159)
This is needed for DPP configuration attributes/objects.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:51 +03:00
Jouni Malinen
77f273c82c Extend SHA-384 and SHA-512 support to match SHA-256
The additional SHA-384 and SHA-512 functionality is needed to support
DPP with various ECC curves.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-06-17 18:04:12 +03:00
Michael Braun
245fc96e5f FT: New RRB message format
Convert FT RRB into a new TLV based format. Use AES-SIV as AEAD cipher
to protect the messages.

This needs at least 32 byte long keys. These can be provided either
by a config file change or letting a KDF derive the 32 byte key used
from the 16 byte key given.

This breaks backward compatibility, i.e., hostapd needs to be updated on
all APs at the same time to allow FT to remain functional.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2017-05-03 21:55:29 +03:00