path: root/package/network/services/hostapd
Commit message | Author | Age | Files | Lines
* hostapd: fix regression breaking brcmfmac | Rafał Miłecki | 2016-09-13 | 4 | -7/+46
    The latest update of hostapd broke brcmfmac due to upstream regression.
    Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* hostapd: update to version 2016-09-05 | Felix Fietkau | 2016-09-08 | 23 | -198/+98
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix typo and indentation in ap_sta_support.patch | Johannes Römer | 2016-09-05 | 1 | -2/+2
    Signed-off-by: Johannes Römer <jroemer@posteo.net>
* hostapd: use printf to improve portability. | Ash Benz | 2016-08-23 | 1 | -4/+4
    Signed-off-by: Ash Benz <ash.benz@bk.ru>
* hostapd: Allow RADIUS accounting without 802.1x | Petko Bordjukov | 2016-08-11 | 1 | -10/+9
    RADIUS accounting can be used even when RADIUS authentication is not used. Move the accounting configuration outside of the EAP-exclusive sections.
    Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
* hostapd: remove unused hostapd-common-old package | Felix Fietkau | 2016-08-05 | 3 | -606/+0
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: remove hostap driver | Felix Fietkau | 2016-07-31 | 6 | -7/+5
    It has been marked as broken for well over a month now and nobody has complained.
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: backport mesh/ibss HT20/HT40 related fix | Felix Fietkau | 2016-07-27 | 6 | -8/+69
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix an error on parsing radius_das_client | Felix Fietkau | 2016-07-21 | 2 | -1/+11
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix VLAN support in full wpad builds | Felix Fietkau | 2016-07-18 | 2 | -6/+16
    Suppress -DCONFIG_NO_VLAN if CONFIG_IBSS_RSN is enabled
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add a WDS AP fix for reconnecting clients | Felix Fietkau | 2016-07-06 | 1 | -0/+25
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* packages: prefer http over git for git protocol | Hauke Mehrtens | 2016-06-22 | 1 | -1/+1
    In company networks everything except the http and https protocols often causes problems, because the network administrators try to block everything else. To make it easier to use LEDE in company networks use the https/http protocol for git access when possible.
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: fix breakage with non-nl80211 drivers | Felix Fietkau | 2016-06-15 | 2 | -15/+18
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix compilation error in wext backend | Jo-Philipp Wich | 2016-06-15 | 1 | -0/+10
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: implement fallback for incomplete survey data | Felix Fietkau | 2016-06-15 | 1 | -0/+45
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: update to version 2016-06-15 | Felix Fietkau | 2016-06-15 | 23 | -115/+115
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: Update to version 2016-05-05 | Michal Hrusecky | 2016-06-15 | 8 | -103/+180
    Fixes CVE-2016-4476 and few possible memory leaks.
    Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
* treewide: replace nbd@openwrt.org with nbd@nbd.name | Felix Fietkau | 2016-06-07 | 2 | -3/+3
    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* branding: add LEDE branding | John Crispin | 2016-03-24 | 2 | -4/+4
    Signed-off-by: John Crispin <blogic@openwrt.org>
* hostapd.sh: Add support for "anonymous_identity" config field | Hauke Mehrtens | 2016-04-17 | 1 | -2/+3
    The wpa_supplicant supports an "anonymous_identity" field, which some EAP networks require. From the documentation:

        anonymous_identity: Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunnelled identity, e.g., EAP-TTLS).

    This change modifies the hostapd.sh script to propagate this field from the UCI config to the wpa_supplicant.conf file.
    Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
    Reviewed-by: Manuel Munz <freifunk@somakoma.de>
    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
    SVN-Revision: 49181
* hostapd: remove useless TLS provider selection override for wpad-mesh/wpa_supplicant-mesh | Felix Fietkau | 2016-01-28 | 1 | -2/+1
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 48537
* hostapd: fix mesh interface bridge handling | Felix Fietkau | 2016-01-28 | 5 | -10/+22
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 48529
* hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues | Felix Fietkau | 2016-01-28 | 2 | -417/+9
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 48528
* hostapd: update to version 2016-01-15 | Felix Fietkau | 2016-01-28 | 42 | -945/+243
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 48527
* wpa_supplicant: add support for EAP-TLS phase2 | Felix Fietkau | 2016-01-19 | 1 | -2/+12
    Introduce config options client_cert2, priv_key2 and priv_key2_pwd used for EAP-TLS phase2 authentication in WPA-EAP client mode.
    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
    SVN-Revision: 48345
* hostap/wpa_supplicant: enable EAP-FAST in -full builds | Felix Fietkau | 2016-01-19 | 2 | -0/+6
    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
    SVN-Revision: 48344
* wpa_supplicant: improve generating phase2 config line for WPA-EAP | Felix Fietkau | 2016-01-18 | 1 | -2/+13
    WPA-EAP supports several phase2 (=inner) authentication methods when using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first step towards the UCI model supporting EAP-FAST by this commit).

    The value of the auth config variable was previously expected to be directly parseable as the content of the 'phase2' option of wpa_supplicant. This exposed wpa_supplicant's internals, leaving it to view-level to set the value properly. Unfortunately, this is currently not the case, as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'. Users thus probably diverged and set auth to values like 'auth=MSCHAPV2' as a work-around. This behaviour isn't explicitly documented anywhere and is not quite intuitive...

    The phase2-string is now generated according to $eap_type and $auth, following the scheme also found in hostap's test-cases:
    http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py

    The old behaviour is also still supported for the sake of not breaking existing, working configurations.

    Examples:
        eap_type    auth
        'ttls'      'EAP-MSCHAPV2'      -> phase2="autheap=MSCHAPV2"
        'ttls'      'MSCHAPV2'          -> phase2="auth=MSCHAPV2"
        'peap'      'EAP-GTC'           -> phase2="auth=GTC"

    Deprecated syntax supported for compatibility:
        'ttls'      'autheap=MSCHAPV2'  -> phase2="autheap=MSCHAPV2"

    I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to the list of Authentication methods available.
    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
    SVN-Revision: 48309
* hostapd: fix disassociation with FullMAC drivers and multi-BSS | Rafał Miłecki | 2016-01-11 | 1 | -0/+67
    Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
    SVN-Revision: 48202
* hostapd: fix post v2.4 security issues | Felix Fietkau | 2016-01-10 | 11 | -0/+554
    - WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
    - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143)
    - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143)
    - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145)
    - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145)
    - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
    - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
    - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310)
    - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
    - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
    - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)
    Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
    SVN-Revision: 48185
* wpa_supplicant: set regulatory domain the same way as hostapd | Felix Fietkau | 2016-01-03 | 1 | -0/+6
    In sta-only configuration, wpa_supplicant needs correct regulatory domain because otherwise it may skip channel of its AP during scan.

    Another alternative is to fix "iw reg set" in mac80211 netifd script. Currently it fails if some phy has private regulatory domain which matches configured one.
    Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
    SVN-Revision: 48099
* wpa-supplicant: Get 802.11s ssid information from option mesh_id | John Crispin | 2015-11-24 | 1 | -0/+3
    The scripts for authsae and iw use the option mesh_id to set the "meshid" during a mesh join. But the script for wpad-mesh ignores the option mesh_id and instead uses the option ssid. Unify the mesh configuration and let the wpa_supplicant script also use the mesh_id from the configuration.
    Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
    SVN-Revision: 47615
* hostapd: Use network_get_device instead of uci_get_state | Felix Fietkau | 2015-11-11 | 3 | -5/+13
    This fixes the IAPP functionality.
    Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
    SVN-Revision: 47455
* hostapd: add default value to eapol_version (#20641) | Felix Fietkau | 2015-11-02 | 1 | -0/+1
    r46861 introduced a new option eapol_version to hostapd, but did not provide a default value. When the option value is evaluated, the non-existing value causes errors to the system log: "netifd: radio0: sh: out of range"

    Add a no-op default value 0 for eapol_version. Only values 1 or 2 are actually passed on, so 0 will not change the default action in hostapd.
    Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
    SVN-Revision: 47361
* hostapd: wait longer for inactive client probe (empty data frame) | Felix Fietkau | 2015-10-06 | 1 | -0/+11
    One second is not enough for some devices to acknowledge null data frame which is sent at the end of ap_max_inactivity interval. In particular, this causes severe Wi-Fi instability with Apple iPhone which may take up to 3 seconds to respond.
    Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
    SVN-Revision: 47149
* hostapd: check for banned client on association event | Rafał Miłecki | 2015-09-28 | 1 | -0/+26
    When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so check for banned client in probe request handler won't ever be used. Since cfg80211 provides us info about STA associating let's put a check there.
    Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
    SVN-Revision: 47064
* mac80211/hostapd: rework 802.11w driver support selection, do not hardcode drivers in hostapd makefile | Felix Fietkau | 2015-09-14 | 2 | -1/+5
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 46903
* hostapd: Add eapol_version config option | Felix Fietkau | 2015-09-11 | 1 | -1/+6
    Add eapol_version to the openwrt wireless config ssid section. Only eapol_version=1 and 2 will get passed to hostapd, the default in hostapd is 2.

    This is only useful for really old client devices that don't accept eapol_version=2.
    Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
    SVN-Revision: 46861
* hostapd: work around unconditional libopenssl build dependency | Felix Fietkau | 2015-09-11 | 1 | -1/+1
    As the OpenWrt build system only resolves build dependencies per directory, all hostapd variants were causing libopenssl to be downloaded and built, not only wpad-mesh. Fix this by applying the same workaround as in ustream-ssl.
    Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
    SVN-Revision: 46851
* hostapd: properly enable 802.11w support | Felix Fietkau | 2015-08-27 | 1 | -1/+1
    Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w support is properly compiled in full variant.

    This fixes #20179
    Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
    SVN-Revision: 46737
* hostapd: Add vlan_file option to netifd.sh | John Crispin | 2015-08-17 | 1 | -1/+6
    Other VLAN related options are already being processed in netifd.sh but the vlan_file option is missing. This option allows the mapping of vlan IDs to network interfaces and will be used in dynamic VLAN feature for binding stations to interfaces based on VLAN assignments. The change is done similarly to the wpa_psk_file option.
    Signed-off-by: Gong Cheng <chengg11@yahoo.com>
    SVN-Revision: 46652
* buttons: make all button handler scripts return 0 | John Crispin | 2015-07-24 | 1 | -0/+2
    this is required by the new button timeout feature
    Signed-off-by: John Crispin <blogic@openwrt.org>
    SVN-Revision: 46471
* wpa-supplicant: add 802.11r client support | Felix Fietkau | 2015-07-15 | 2 | -2/+7
    Add 802.11r client support to wpa_supplicant. It's only enabled in wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.

    Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled openwrt accesspoints (TP-Link TL-WDR3600).
    Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
    SVN-Revision: 46377
* hostapd: move ht_coex variable to mac80211.sh, guarded by 802.11n support | Felix Fietkau | 2015-06-06 | 1 | -4/+2
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 45917
* hostapd: add a new option to control HT coexistence separate from noscan | Felix Fietkau | 2015-06-02 | 2 | -6/+11
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 45873
* hostapd: fix remote denial of service vulnerability in WMM action frame parsing | Felix Fietkau | 2015-05-06 | 1 | -0/+36
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 45619
* hostapd: enable 802.11w only for the full variants | Felix Fietkau | 2015-05-06 | 1 | -1/+4
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 45616
* hostapd: backport fix for CVE-2015-1863, refresh patches | Felix Fietkau | 2015-04-23 | 5 | -5/+42
    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
    SVN-Revision: 45567
* hostapd: mark wpa-supplicant & wpad-mesh as broken on uml | Nicolas Thill | 2015-04-22 | 1 | -2/+2
    Signed-off-by: Nicolas Thill <nico@openwrt.org>
    SVN-Revision: 45561
* hostapd/netifd: encrypted mesh with wpa_supplicant | Felix Fietkau | 2015-04-20 | 1 | -18/+29
    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
    SVN-Revision: 45519
* hostapd: Fix wps button hotplug script to handle multiple radios | John Crispin | 2015-04-18 | 1 | -3/+4
    Hostapd's control file location was changed in 2013, and that has apparently broken the wps button hotplug script in cases where there are multiple radios and wps is possibly configured also for the second radio. The current wps button hotplug script always handles only the first radio.

    https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh

    The reason is that the button hotplug script seeks directories like /var/run/hostapd*, as the hostapd-phy0.conf files were earlier in per-interface subdirectories.

    Currently the *.conf files are directly in /var/run and the control sockets are in /var/run/hostapd, but there is no subdirectory for each radio.

        root@OpenWrt:/# ls /var/run/hostapd*
        /var/run/hostapd-phy0.conf  /var/run/hostapd-phy1.conf

        /var/run/hostapd:
        wlan0  wlan1

    The hotplug script was attempted to be fixed after the hostapd change by r38986 in Dec2013, but that change only unbroke the script for the first radio, but left it broken for multiple radios.

    https://dev.openwrt.org/changeset/38986/

    The script fails to find subdirectories with [ -d "$dir" ], and passes just the only found directory /var/run/hostapd, leading into activating only the first radio, as hostapd_cli defaults to first socket found in the passed directory:

        root@OpenWrt:/# hostapd_cli -?
        ...
        usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
                           [-G<ping interval>] [command..]
        ...
           -p<path>     path to find control sockets (default: /var/run/hostapd)
        ...
           -i<ifname>   Interface to listen on (default: first interface found in the
                        socket path)

    Below is a run with the default script and with my proposed solution.

    Default script (with logging added):
    ==================================

        root@OpenWrt:/# cat /etc/rc.button/wps
        #!/bin/sh

        if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
            for dir in /var/run/hostapd*; do
                [ -d "$dir" ] || continue
                logger "WPS activated for: $dir"
                hostapd_cli -p "$dir" wps_pbc
            done
        fi

    >>>> WPS BUTTON PRESSED <<<<<

        root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
        PBC Status: Active
        Last WPS result: None
        root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
        PBC Status: Timed-out
        Last WPS result: None
        root@OpenWrt:/# logread | grep WPS
        Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd

    wlan0 got WPS activated, while wlan1 remained inactive.

    I have modified the script to search for sockets instead of directories and to use the "-i" option with hostapd_cli, and now the script properly activates wps for both radios. As "-i" needs the interface name instead of the full path, the script first changes dir to /var/run/hostapd to get simply the interface names.

    Modified script (with logging):
    ===============================

        root@OpenWrt:/# cat /etc/rc.button/wps
        #!/bin/sh

        if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
            cd /var/run/hostapd
            for socket in *; do
                [ -S "$socket" ] || continue
                logger "WPS activated for: $socket"
                hostapd_cli -i "$socket" wps_pbc
            done
        fi

    >>>> WPS BUTTON PRESSED <<<<<

        root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
        PBC Status: Active
        Last WPS result: None
        root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
        PBC Status: Active
        Last WPS result: None
        root@OpenWrt:/# logread | grep WPS
        Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
        Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1

    Both radios got their WPS activated properly.

    I am not sure if my solution is optimal, but it seems to work. WPS button is maybe not that often used functionality, but it might be fixed in any case. Routers with multiple radios are common now, so the bug is maybe more prominent than earlier.

    The modified script has been in a slightly different format in my community build since r42420 in September 2014.
    Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
    SVN-Revision: 45492