aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/hostapd/files
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: add support for client taxonomy in the full configFelix Fietkau2018-12-181-1/+1
| | | | | | | | This can be used to fingerprint clients to try to identify the exact model Signed-off-by: Felix Fietkau <nbd@nbd.name> (backported from 23c1827e341fce302ba2841ecabeeb3f95e21d68)
* hostapd: update to git HEAD of 2018-05-21, allow build against wolfsslDaniel Golle2018-12-181-1/+2
| | | | | | | | | | Support for building wpa_supplicant/hostapd against wolfssl has been added upstream recently, add build option to allow users using it. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (backported from 69f544937f8498e856690f9809a016f0d7f5f68b) (rebased patches) Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: fix IEEE 802.11r (fast roaming) defaultsGospod Nassa2018-05-241-21/+27
| | | | | | | | | | | | | | | | | | | | | | | | | Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in https://github.com/lede-project/source/pull/1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org> (cherry picked from commit 3cc56a5534b8b49a7e9ba57edf9878ec32bdd27a)
* hostapd: fix mesh+APDaniel Golle2018-05-141-3/+3
| | | | | | | | Fix encrypted (or DFS) AP+MESH interface combination in a way similar to how it's done for AP+STA and fix netifd shell script. Refresh patches while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add channel utilization as config optionNick Hainke2018-05-071-2/+7
| | | | | | Add the channel utilization as hostapd configuration option. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-201-0/+2
| | | | | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. This time also make sure to add all files to the patch before committing it... Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "hostapd: fix encrypted mesh channel settings"Felix Fietkau2018-04-201-2/+0
| | | | | | | This reverts commit 7f52919a2f2894125b4dca611eb2d30181af7e0b, which is currently breaking the builds and needs to be reworked Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-201-0/+2
| | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: mesh: make forwarding configurableDaniel Golle2018-04-181-1/+2
| | | | | | | | | | | For unencrypted mesh networks our scripts take care of setting the various mesh_param values. wpa_supplicant changes somes of them when being used for SAE encrypted mesh and previously didn't allow configuring any of them. Add support for setting mesh_fwding (which has to be set to 0 when using other routing protocols on top of 802.11s) and update our script to pass the value to wpa_supplicant. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: update to git snapshot of 2018-03-26Daniel Golle2018-03-271-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following patches were merged upstream: 000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch replaced by commit 0e3bd7ac6 001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch replaced by commit cb5132bb3 002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch replaced by commit 87e2db16b 003-Prevent-installation-of-an-all-zero-TK.patch replaced by commit 53bb18cc8 004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch replaced by commit 0adc9b28b 005-TDLS-Reject-TPK-TK-reconfiguration.patch replaced by commit ff89af96e 006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch replaced by commit adae51f8b 007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch replaced by commit 2a9c5217b 008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch replaced by commit a00e946c1 009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch replaced by commit b488a1294 010-Optional-AP-side-workaround-for-key-reinstallation-a.patch replaced by commit 6f234c1e2 011-Additional-consistentcy-checks-for-PTK-component-len.patch replaced by commit a6ea66530 012-Clear-BSSID-information-in-supplicant-state-machine-.patch replaced by commit c0fe5f125 013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch replaced by commit 114f2830d Some patches had to be modified to work with changed upstream source: 380-disable_ctrl_iface_mib.patch (adding more ifdef'ery) plus some minor knits needed for other patches to apply which are not worth being explicitely listed here. For SAE key management in mesh mode, use the newly introduce sae_password parameter instead of the psk parameter to also support SAE keys which would fail the checks applied on the psk field (ie. length and such). This fixes compatibility issues for users migrating from authsae. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add IEEE 802.11v supportLorenzo Santina2018-02-213-2/+21
| | | | | | | | | | | | | | | | | | Add Wireless Network Management (IEEE 802.11v) support to: - hostapd-full - wpa_supplicant-full It must be enabled at runtime via UCI with: - option ieee80211v '1' Add UCI support for: - time_advertisement - time_zone - wnm_sleep_mode - bss_transition Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
* hostapd: add support for hostapd's radius_client_addrStephan Brunner2018-01-271-1/+3
| | | | | | | | Add support for hostapd's radius_client_addr in order to force hostapd to send RADIUS packets from the correct source interface rather than letting linux select the most appropriate. Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
* hostapd: set group_mgmt_cipher when ieee80211w is enabledJo-Philipp Wich2018-01-071-1/+3
| | | | | | | | | | | | In order to properly support 802.11w, hostapd needs to advertise a group management cipher when negotiating associations. Introduce a new per-wifi-iface option "ieee80211w_mgmt_cipher" which defaults to the standard AES-128-CMAC cipher and always emit a "group_mgmt_cipher" setting in native hostapd config when 802.11w is enabled. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* merge: ssid: update default ssidZoltan HERPAI2017-12-081-2/+2
| | | | Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
* hostapd: Expose the tdls_prohibit option to UCITimo Sigurdsson2017-12-071-1/+6
| | | | | | | | | | | | | | | | wpa_disable_eapol_key_retries can't prevent attacks against the Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested that the existing hostapd option tdls_prohibit can be used to further complicate this possibility at the AP side. tdls_prohibit=1 makes hostapd advertise that use of TDLS is not allowed in the BSS. Note: If an attacker manages to lure both TDLS peers into a fake AP, hiding the tdls_prohibit advertisement from them, it might be possible to bypass this protection. Make this option configurable via UCI, but disabled by default. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
* hostapd: remove unused local var declarationLeon M. George2017-11-211-2/+0
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: don't set htmode for wpa_supplicantLeon M. George2017-11-211-2/+0
| | | | | | no longer supported Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: rework frequency/ht/vht selection for ibss/meshFelix Fietkau2017-11-154-15/+31
| | | | | | | | | | - Remove obsolete patch chunks regarding fixed_freq - Instead of patching in custom HT40+/- parameters, use the standard config syntax as much as possible. - Use fixed_freq for mesh - Fix issues with disabling obss scan when using fixed_freq on mesh Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: explicitly set beacon interval for wpa_supplicantSven Eckelmann2017-11-151-0/+1
| | | | | | | | | | | | | | | The beacon_int is currently set explicitly for hostapd and when LEDE uses iw to join and IBSS/mesh. But it was not done when wpa_supplicant was used to join an encrypted IBSS or mesh. This configuration is required when an AP interface is configured together with an mesh interface. The beacon_int= line must therefore be re-added to the wpa_supplicant config. The value is retrieved from the the global variable. Fixes: 1a16cb9c67f0 ("mac80211, hostapd: always explicitly set beacon interval") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> [rebase]
* hostapd: remove default r1_key_holder generationYury Shvedov2017-11-061-2/+1
| | | | | | | | By default, hostapd assumes r1_key_holder equal to bssid. If LEDE configures the same static r1 key holder ID on two different APs (BSSes) the RRB exchanges fails behind them. Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
* Revert "wpa_supplicant: log to syslog instead of stdout"Jo-Philipp Wich2017-10-271-1/+1
| | | | | | | | | | | | | | This reverts commit e7373e489d8a215402d6b0c408a26188342c7c17. Support of "-s" depends on the CONFIG_DEBUG_SYSLOG compile time flag which is not enabled for all build variants. Revert the change for now until we can properly examine the size impact of CONFIG_DEBUG_SYSLOG. Fixes FS#1117. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: add wpa_disable_eapol_key_retries optionStijn Tintel2017-10-171-0/+5
| | | | | | | | | | | | | | Commit 2127425434046ae2b9f02fdbbdd37cac447af19c introduced an AP-side workaround for key reinstallation attacks. This option can be used to mitigate KRACK on the station side, in case those stations cannot be updated. Since many devices are out there will not receive an update anytime soon (if at all), it makes sense to include this workaround. Unfortunately this can cause interoperability issues and reduced robustness of key negotiation, so disable the workaround by default, and add an option to allow the user to enable it if he deems necessary. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: add support for specifying device config options directly in uciFelix Fietkau2017-09-281-0/+6
| | | | | | | This is useful for tuning some more exotic parameters where it doesn't make sense to attempt to cover everything in uci directly Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: update wpa_supplicant p2p configLorenzo Santina2017-09-281-91/+278
| | | | | | | | | | | | | | | | Update the config file to the latest version. Added CONFIG_EAP_FAST=y because it was the only missing flag about EAP compared to full config. Removed NEED_80211_COMMON flag because it is not part of config file, it is set by the hostapd upstream Makefile. Other flags are the same as before. Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [add punctuation to commit msg] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: update wpa_supplicant mini configLorenzo Santina2017-09-281-100/+292
| | | | | | | | | | | | Update the config file to the latest version. Enabled flags are the same as before. Removed NEED_80211_COMMON flag because it is not part of config file, it is set by the hostapd upstream Makefile. Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [add punctuation to commit msg] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: update wpa_supplicant full configLorenzo Santina2017-09-281-93/+280
| | | | | | | | | | | | | | | Update the config file to the latest version. Enabled flags are the same as before. Commented CONFIG_IEEE80211W=y flag because it is set in the Makefile, only if the driver supports it. Removed NEED_80211_COMMON flag because it is not part of config file, it is set by the hostapd upstream Makefile. Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [add punctuation to commit msg] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: update hostapd mini configLorenzo Santina2017-09-281-19/+237
| | | | | | | | | Update the config file to the latest version. Enabled flags are the same as before. Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [add punctuation to commit msg] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: update hostapd full configLorenzo Santina2017-09-281-27/+235
| | | | | | | | | | | | | | Update the config file to the latest version. Enabled flags are the same as before. Removed flag CONFIG_WPS2 because it is no more needed due to this changelog (2014-06-04 - v2.2): "remove WPS 1.0 only support, i.e., WSC 2.0 support is now enabled whenever CONFIG_WPS=y is set". Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [add punctuation to commit msg] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: ft_over_ds supportLorenzo Santina2017-09-181-2/+4
| | | | | | Add support for ft_over_ds flag in ieee80211r Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
* hostapd: ft_psk_generate_local supportLorenzo Santina2017-09-181-2/+4
| | | | | | | | Add support for ft_psk_generate_local flag in ieee80211r Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [original author] Signed-off-by: Sergio <mailbox@sergio.spb.ru>
* treewide: fix shellscript syntax errors/typosLorenzo Santina2017-09-131-1/+1
| | | | | | | | | Fix multiple syntax errors in shelscripts (of packages only) These errors were causing many conditions to not working properly Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> [increase PKG_RELEASE, drop command substitution from directip.sh] Signed-off-by: Mathias Kresin <dev@kresin.em>
* hostapd: fix iapp_interface optionLorenzo Santina2017-09-101-1/+1
| | | | | | | ifname variable were not assigned due to syntax error causing the hostapd config file to have an empty iapp_interface= option Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
* wpa_supplicant: log to syslog instead of stdoutStijn Tintel2017-08-101-1/+1
| | | | | | | | While debugging an issue with a client device, wpa_supplicant did not seem to log anything at all. Make wpa_supplicant log to syslog instead of stdout, to make debugging easier and to be consistent with hostapd. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: configure NAS ID regardless of encryptionYury Shvedov2017-06-281-3/+3
| | | | | | | | | | | RADIUS protocol could be used not only for authentication but for accounting too. Accounting could be configured for any type of networks. However there is no way to configure NAS Identifier for non-WPA networks without this patch. Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com> [cleanup commit message] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: add acct_interval optionYury Shvedov2017-06-281-2/+5
| | | | | | | | Make an ability to configure Accounting-Interim-Interval via UCI Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com> [add hostapd prefix, cleanup commit message] Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: add support for acs_chan_bias optionKevin Darbyshire-Bryant2017-06-241-1/+5
| | | | | | | | | | During auto channel selection we may wish to prefer certain channels over others. e.g. we can just squeeze 4 channels into europe so '1:0.8 5:0.8 9:0.8 13:0.8' does that. Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
* mac80211, hostapd: always explicitly set beacon intervalMatthias Schiffer2017-05-131-3/+2
| | | | | | | | | | | | | | | | One of the latest mac80211 updates added sanity checks, requiring the beacon intervals of all VIFs of the same radio to match. This often broke AP+11s setups, as these modes use different default intervals, at least in some configurations (observed on ath9k). Instead of relying on driver or hostapd defaults, change the scripts to always explicitly set the beacon interval, defaulting to 100. This also applies the beacon interval to 11s interfaces, which had been forgotten before. VIF-specific beacon_int setting is removed from hostapd.sh. Fixes FS#619. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* hostapd: remove unused variable declarations in hostapd.shMatthias Schiffer2017-05-131-1/+0
| | | | | | | None of the variables in this "local" declaration are actually set in wpa_supplicant_add_network(). Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* hostapd: add legacy_rates option to disable 802.11b data rates.Nick Lowe2017-05-031-8/+20
| | | | | | | | | | | | | | | | | | Setting legacy_rates to 0 disables 802.11b data rates. Setting legacy_rates to 1 enables 802.11b data rates. (Default) The basic_rate option and supported_rates option are filtered based on this. The rationale for the change, stronger now than in 2014, can be found in: https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx The balance of equities between compatibility with b clients and the detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b rates by default. Signed-off-by: Nick Lowe <nick.lowe@gmail.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
* hostapd: mv netifd.sh hostapd.shDaniel Albers2017-02-151-0/+0
| | | | | | same name for the file on the host and target Signed-off-by: Daniel Albers <daniel.albers@public-files.de>
* hostapd: enable support for logging wpa_printf messages to syslogRafał Miłecki2017-01-312-0/+6
| | | | | | | This will allow starting hostapd with the new -s parameter and finally read all (error) messages from the syslog. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* hostapd: default to wps_independent 1Steven Honson2017-01-261-1/+2
| | | | Signed-off-by: Steven Honson <steven@honson.id.au>
* hostapd: expose wps_independent and ap_setup_locked as uci optionsSteven Honson2017-01-261-3/+5
| | | | | | | ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other wps related uci options. Signed-off-by: Steven Honson <steven@honson.id.au>
* hostapd: fix stray "out of range" shell errors in hostapd.shJo-Philipp Wich2017-01-231-2/+2
| | | | | | | | | | | | The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized $ieee80211r and $ieee80211w variables in a numerical comparisation, leading to stray "netifd: radio0 (0000): sh: out of range" errors in logread when WPA-PSK security is enabled. Ensure that those variables are substituted with a default value in order to avoid emitting this (harmless) shell error. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wpa_supplicant: Fix mesh encryption configSujith Manoharan2017-01-111-1/+4
| | | | | | | | | | | | | | | wpa_supplicant allows only SAE as the key management type for mesh mode. The recent key_mgmt rework unconditionally added WPA-PSK - this breaks interface bringup and wpa_s throws this error message: Line 10: key_mgmt for mesh network should be open or SAE Line 10: failed to parse network block. Failed to read or parse configuration '/var/run/wpa_supplicant-wlan0.conf Fix this by making sure that only SAE is used for mesh. Signed-off-by: Sujith Manoharan <m.sujith@gmail.com>
* hostapd: enable SHA256-based algorithmsStijn Tintel2017-01-031-2/+2
| | | | | | | | | | | Enable support for stronger SHA256-based algorithms in hostapd and wpa_supplicant when using WPA-EAP or WPA-PSK with 802.11w enabled. We cannot unconditionally enable it, as it requires hostapd to be compiled with 802.11w support, which is disabled in the -mini variants. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
* hostapd: add function to handle wpa_key_mgmtStijn Tintel2017-01-031-9/+10
| | | | | | | | Now that wpa_key_mgmt handling for hostapd and wpa_supplicant are consistent, we can move parts of it to a dedicated function. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
* wpa_supplicant: rework wpa_key_mgmt handlingStijn Tintel2017-01-031-8/+9
| | | | | | | | Rework wpa_key_mgmt handling for wpa_supplicant to be consistent with how it is done for hostapd. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
* hostapd support for VLANs through a file in addition to Radius.Petr Konecny2016-10-311-18/+25
| | | | Signed-off-by: Petr Konecny <pekon@google.com>
* hostapd: Allow RADIUS accounting without 802.1xPetko Bordjukov2016-08-111-10/+9
| | | | | | | | RADIUS accounting can be used even when RADIUS authentication is not used. Move the accounting configuration outside of the EAP-exclusive sections. Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>