Commit graph

1019 commits

Author SHA1 Message Date
Jouni Malinen
58e115b869 Fix hlr_auc_gw build with OpenSSL
Commit 983c6a606b ('OpenSSL: Replace
internal HMAC-MD5 implementation') forgot to make inclusion of md5.o
conditional for hlr_auc_gw build.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-03-20 15:56:59 +02:00
Jouni Malinen
6784168d07 Remove SChannel support
SChannel/CryptoAPI as a TLS/crypto library alternative was never
completed. Critical functionality is missing and there are bugs in this
implementation. Since there are no known plans of completing this
support, it is better to remove this code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-18 22:31:36 +02:00
Jouni Malinen
bc1d23ae1d Add ChangeLog entries for v2.4
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-14 16:51:02 +02:00
Jouni Malinen
9836cb5387 Add option to force a specific RADIUS client address to be used
The new hostapd.conf parameter radius_client_addr can now be used to
select a specific local IP address to be used as the RADIUS client
address.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-03-01 22:36:52 +02:00
Jouni Malinen
bbee36e316 Allow RADIUS server address to be replaced
The new hostapd parameters auth_server_addr_replace and
acct_server_addr_replace can now be used to replace the configured IP
address instead of adding a new RADIUS server. This is mainly useful for
testing purposes where the address can be changed over control interface
during AP operation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-28 15:45:16 +02:00
Stefan Tomanek
891dfb3336 Add helper function to clear and free wpa_psk list
This change adds the function hostapd_config_clear_wpa_psk() that
deletes an entire wpa_psk structure, making sure to follow the linked
list and to free the allocated memory of each PSK node. This helps to
prevent memory leaks when using PSKs from multiple sources and
reconfiguring the AP during runtime.

Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
2015-02-21 17:11:15 +02:00
Jouni Malinen
9ff8dda12f Add hostapd UPDATE_BEACON ctrl_iface command
This can be used to ask Beacon frames to be updated explicitly, e.g.,
after a dynamic configuration parameter change. This can also be used to
start beaconing on an interface that was started with start_disabled=1.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-09 19:56:32 +02:00
Jouni Malinen
99650cadc9 Add STOP_AP control interface command
This is mainly for testing purposes to allow beaconing to be stopped
without clearing AP state in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-02-08 13:35:49 +02:00
Jouni Malinen
68fa00c341 ACS: Allow specific channels to be preferred
The new acs_chan_bias configuration parameter is a space-separated list
of <channel>:<bias> pairs. It can be used to increase (or decrease) the
likelihood of a specific channel to be selected by the ACS algorithm.
The total interference factor for each channel gets multiplied by the
specified bias value before finding the channel with the lowest value.
In other words, values between 0.0 and 1.0 can be used to make a channel
more likely to be picked while values larger than 1.0 make the specified
channel less likely to be picked. This can be used, e.g., to prefer the
commonly used 2.4 GHz band channels 1, 6, and 11 (which is the default
behavior on 2.4 GHz band if no acs_chan_bias parameter is specified).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-06 17:59:57 +02:00
Jouni Malinen
d2ca6baa56 Fix hostapd obss_interval documentation
This parameter has been available for more than just testing purposes,
i.e., OBSS scanning has already been used to enable 20-to-40 MHz channel
changes on 2.4 GHz.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-02-03 12:32:37 +02:00
Roger Zanoni
b42f539ed2 Add a variable to handle extra CFLAGS values
Some packages don't install its headers in the default directory
(e.g.: In Arch Linux libiberty and libn13 includes are installed)
in their own subdirectory under /usr/include) and the build fails
trying to find the headers.

This patch will allow passing extra CFLAGS values without discarding
the assignments made in the Makefile. The CFLAGS values in the Makefile
are ignored, if defined directly in the make command line.

Signed-off-by: Roger Zanoni <roger.zanoni@openbossa.org>
2015-02-01 00:26:17 +02:00
Jouni Malinen
4437f8fc77 Free old eap_user_file data on configuration change
This fixes a memory leak if hostapd eap_user_file parameter is modified.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-30 00:54:40 +02:00
Jouni Malinen
f19c907822 OpenSSL: Implement aes_wrap() and aes_unwrap()
This replaces the implementation in aes-wrap.c and aes-unwrap.c with
OpenSSL AES_wrap_key() and AES_unwrap_key() functions when building
hostapd or wpa_supplicant with OpenSSL.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
983c6a606b OpenSSL: Replace internal HMAC-MD5 implementation
Use OpenSSL HMAC_* functions to implement HMAC-MD5 instead of depending
on the src/crypto/md5.c implementation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2015-01-28 13:09:31 +02:00
Jouni Malinen
937403b581 Update copyright notices for the new year 2015
Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:55 +02:00
Jouni Malinen
5e3b5197cc Add Suite B 192-bit AKM
WPA-EAP-SUITE-B-192 can now be used to select 192-bit level Suite B into
use as the key management method.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:43:52 +02:00
Jouni Malinen
97ae35a848 Add HMAC-SHA384
For now, this is only implemented with OpenSSL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-27 01:26:51 +02:00
Adrien Decostre
1648cc6427 ACS: Allow subset of channels to be configured
Add the possibility to define a subset of channels used by the ACS
engine when not operating on DFS channels.

Signed-off-by: Adrien Decostre <ad.decostre@gmail.com>
2015-01-19 02:35:43 +02:00
Yanbo Li
e7d0e97bdb hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.

This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.

Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
2015-01-14 00:59:22 +02:00
Jouni Malinen
a16514516b Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-12 00:19:21 +02:00
Jouni Malinen
0b402479bf Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taken into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-11 00:58:10 +02:00
Janusz Dziedzic
269dfe232b Introduce common hw features
Introduce wpa_supplicant/hostapd hw features.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
2015-01-10 17:35:53 +02:00
Jouni Malinen
86a7fbb2c1 Verify that eloop_register_read_sock() succeeds for ctrl_iface setup
This allows faster detection of a case where a memory allocation fails
within eloop.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-08 02:34:08 +02:00
Jouni Malinen
a156ffda61 Add support for testing memory allocation failures
The new control interface command TEST_ALLOC_FAIL and GET_ALLOC_FAIL can
now be used to trigger memory allocation failures for testing purposes.
TEST_ALLOC_FAIL sets a failure conditions with
<count>:func[;func][;func]... string and GET_ALLOC_FAIL returns the
current state using the same format. Whenever an allocation is made with
a matching backtrace of calling functions, the count is decremented by
one and once zero is reached, the allocation is forced to fail.

Function names can be prefixed with either '=' or '?' to get different
matching behavior. '=' requires this specific function to be the next
one in the backtrace (i.e., do not skip any other functions in the list
which is the default behavior). '?' allows the function to be optionally
present in the backtrace.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-07 13:19:43 +02:00
Jouni Malinen
77a2c3941e crypto: Clear temporary heap allocations before freeing
This reduces the time private keys may remain in heap memory after use.

Signed-off-by: Jouni Malinen <j@w1.fi>
2015-01-06 02:49:13 +02:00
Paul Stewart
de27bc7673 hostapd: Set stdout line-buffered
If hostapd will use stdout for debugging, set stdout to be line
buffered in case its output is redirected to a file. This allows
incremental output to be viewed immediately instead of at the file
buffering interval.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2014-12-29 15:49:05 +02:00
Jouni Malinen
010fa245bd Add QUIET=1 option for make
This can be used to reduce verbosity for build messages.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-29 15:49:05 +02:00
Jouni Malinen
a193231dfb Clean up debug prints to use wpa_printf()
This converts most of the remaining perror() and printf() calls from
hostapd and wpa_supplicant to use wpa_printf().

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-26 13:20:57 +02:00
Prashanth Bhatta
9108ea09f2 hostapd: Make install path configurable
Makefile always installs to /usr/local/bin and on some platforms,
/usr/local/bin is not in default search path. Modify the Makefile such
that bin path can be configurable so that build system can pass
appropriate path for installation. If bin path is not specified then by
default binaries are installed in /usr/local/bin.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-19 12:32:50 +02:00
Jouni Malinen
2c6411edd0 ERP: Add ERP_FLUSH for hostapd
This can be used to drop any pending ERP key from both the internal AP
authentication server and RADIUS server use of hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-14 15:47:04 +02:00
Jouni Malinen
0629eeb490 RRM: Add AP mode minimal advertisement support for testing
The new hostapd.conf radio_measurements parameter can now be used to
configure a test build to advertise support for radio measurements with
neighbor report enabled. There is no real functionality that would
actually process the request, i.e., this only for the purpose of minimal
STA side testing for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 20:45:31 +02:00
Jouni Malinen
eeab4f2fda Check os_snprintf() result more consistently - automatic 3
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the comparison was 'res > size' instead of
'res >= size - 1'. These changes were done automatically with spatch
using the following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || (size_t) E1 >= E3 - 1)
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d85e1fc8a5 Check os_snprintf() result more consistently - automatic 1
This converts os_snprintf() result validation cases to use
os_snprintf_error() where the exact rule used in os_snprintf_error() was
used. These changes were done automatically with spatch using the
following semantic patch:

@@
identifier E1;
expression E2,E3,E4,E5,E6;
statement S1;
@@

(
  E1 = os_snprintf(E2, E3, ...);
|
  int E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = os_snprintf(E2, E3, ...);
|
  if (E5)
	E1 = os_snprintf(E2, E3, ...);
  else if (E6)
	E1 = os_snprintf(E2, E3, ...);
  else
	E1 = 0;
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else if (E6) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	return -1;
  }
|
  if (E5) {
	...
	E1 = os_snprintf(E2, E3, ...);
  } else {
	...
	E1 = os_snprintf(E2, E3, ...);
  }
)
? os_free(E4);
- if (E1 < 0 || \( E1 >= E3 \| (size_t) E1 >= E3 \| (unsigned int) E1 >= E3 \| E1 >= (int) E3 \))
+ if (os_snprintf_error(E3, E1))
(
  S1
|
{ ... }
)

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 11:42:07 +02:00
Jouni Malinen
d3bddd8b84 ERP: Add support for ERP on EAP server and authenticator
Derive rRK and rIK on EAP server if ERP is enabled and use these keys to
allow EAP re-authentication to be used and to derive rMSK.

The new hostapd configuration parameter eap_server_erp=1 can now be used
to configure the integrated EAP server to derive EMSK, rRK, and rIK at
the successful completion of an EAP authentication method. This
functionality is not included in the default build and can be enabled
with CONFIG_ERP=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:16:27 +02:00
Jouni Malinen
2a5156a66c ERP: Add optional EAP-Initiate/Re-auth-Start transmission
hostapd can now be configured to transmit EAP-Initiate/Re-auth-Start
before EAP-Request/Identity to try to initiate ERP. This is disabled by
default and can be enabled with erp_send_reauth_start=1 and optional
erp_reauth_start_domain=<domain>.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-04 12:08:56 +02:00
Jouni Malinen
0ecff8d7c3 Add hostapd driver_params config parameter
This is mainly for development testing purposes to allow driver_nl80211
behavior to be modified.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 13:24:42 +02:00
Jouni Malinen
ebd557288c Remove forgotten driver_test.c variables
hostapd was still providing couple of parameters that were used only in
the already removed driver_test.c framework.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-29 12:49:55 +02:00
Jouni Malinen
85660d312a Add DATA_TEST_FRAME for testing Data frame processing on AP side
The new hostapd control interface command can be used in automated
testing to verify how AP processes Data frames with arbitrary contents.
This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-28 22:37:05 +02:00
Jouni Malinen
527d2378ac hostapd: Allow DATA_TEST_CONFIG to configure ifname
This allows the device-based data connectivity tests to be extended for
bridge and VLAN interface cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-27 14:02:18 +02:00
Jouni Malinen
378dec5af9 Android: Add Hotspot 2.0 into hostapd makefile
This makes the Android.mk for hostapd match the Makefile changes for
optional Hotspot 2.0 support.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-25 17:09:50 +02:00
Jouni Malinen
a437378f98 proxyarp: Use C library header files and CONFIG_IPV6
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-25 16:58:21 +02:00
Jouni Malinen
a30dff07fb Add BSS_TM_REQ command to send BSS Transition Management Request
hostapd control interface can now be used to request transmission of a
BSS Transition Management Request frame to a specified station.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-11-22 16:34:34 +02:00
Kyeyoon Park
bd00c4311c AP: Add Neighbor Discovery snooping mechanism for Proxy ARP
This commit establishes the infrastructure, and handles the Neighbor
Solicitation and Neighbor Advertisement frames. This will be extended
in the future to handle other frames.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:47:06 +02:00
Kyeyoon Park
c127355cb8 AP: Add a generic "x_snoop" infrastructure for Proxy ARP
Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-11-19 16:14:02 +02:00
Dmitry Shmidt
88cb27c7a5 hostapd: Add wowlan_triggers config param
New kernels in wiphy_suspend() will call cfg80211_leave_all() that will
eventually end up in cfg80211_stop_ap() unless wowlan_triggers were set.
For now, use the parameters from the station mode as-is. It may be
desirable to extend (or constraint) this in the future for specific AP
mode needs.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-11-16 17:09:11 +02:00
Jouni Malinen
087a1f4efd Suite B: PMKID derivation for AKM 00-0F-AC:11
The new AKM uses a different mechanism of deriving the PMKID based on
KCK instead of PMK. hostapd was already doing this after the KCK had
been derived, but wpa_supplicant functionality needs to be moved from
processing of EAPOL-Key frame 1/4 to 3/4 to have the KCK available.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 17:09:11 +02:00
Jouni Malinen
666497c8e6 Suite B: Add AKM 00-0F-AC:11
This adds definitions for the 128-bit level Suite B AKM 00-0F-AC:11. The
functionality itself is not yet complete, i.e., this commit only
includes parts to negotiate the new AKM.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-16 13:20:51 +02:00
Jouni Malinen
01b32d5e36 Remove references to madwifi from various files
Number of documentation and configuration files had references to the
madwifi driver interface that was removed in the previous commit. Remove
these references as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-11-01 16:15:53 +02:00
Kyeyoon Park
7d597d4617 AP: Add support for Proxy ARP, DHCP snooping mechanism
Proxy ARP allows the AP devices to keep track of the hardware address to
IP address mapping of the STA devices within the BSS. When a request for
such information is made (i.e., ARP request, Neighbor Solicitation), the
AP will respond on behalf of the STA device within the BSS. Such
requests could originate from a device within the BSS or also from the
bridge. In the process of the AP replying to the request (i.e., ARP
reply, Neighbor Advertisement), the AP will drop the original request
frame. The relevant STA will not even know that such information was
ever requested.

This feature is a requirement for Hotspot 2.0, and is defined in IEEE
Std 802.11-2012, 10.23.13. While the Proxy ARP support code mainly
resides in the kernel bridge code, in order to optimize the performance
and simplify kernel implementation, the DHCP snooping code was added to
the hostapd.

Signed-off-by: Kyeyoon Park <kyeyoonp@qca.qualcomm.com>
2014-10-28 01:08:29 +02:00
Eliad Peller
04ee647d58 HT: Let the driver advertise its supported SMPS modes for AP mode
Add smps_modes field, and let the driver fill it with its supported SMPS
modes (static/dynamic). This will let us start an AP with specific SMPS
mode (e.g., dynamic) that will allow it to reduce its power usage.

Signed-off-by: Eliad Peller <eliad@wizery.com>
2014-10-24 01:25:29 +03:00