aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/hostapd
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: add Multi-AP patches and config optionsArnout Vandecappelle (Essensium/Mind)2019-02-2015-20/+2230
| | | | | | | | | | | | | | | | | | | | | | | | | | Cherry-pick Multi-AP commits from uptream: 9c06f0f6a hostapd: Add Multi-AP protocol support 5abc7823b wpa_supplicant: Add Multi-AP backhaul STA support a1debd338 tests: Refactor test_multi_ap bfcdac1c8 Multi-AP: Don't reject backhaul STA on fronthaul BSS cb3c156e7 tests: Update multi_ap_fronthaul_on_ap to match implementation 56a2d788f WPS: Add multi_ap_subelem to wps_build_wfa_ext() 83ebf5586 wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPS 66819b07b hostapd: Support Multi-AP backhaul STA onboarding with WPS 8682f384c hostapd: Add README-MULTI-AP b1daf498a tests: Multi-AP WPS provisioning Add support for Multi-AP to the UCI configuration. Every wifi-iface gets an option 'multi_ap'. For APs, its value can be 0 (multi-AP support disabled), 1 (backhaul AP), 2 (fronthaul AP), or 3 (fronthaul + backhaul AP). For STAs, it can be 0 (not a backhaul STA) or 1 (backhaul STA, can only associate with backhaul AP). Also add new optional parameter to wps_start ubus call of wpa_supplicant to indicate that a Multi-AP backhaul link is required. Signed-off-by: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
* hostapd: update the fix for a race condition in mesh new peer handlingFelix Fietkau2019-02-171-2/+2
| | | | | | | Prevent the mesh authentication state machine from getting reset on bogus new peer discovery Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: enable CONFIG_DEBUG_SYSLOG for wpa_supplicantFelix Fietkau2019-02-174-8/+8
| | | | | | | It was already enabled for wpad builds and since commit 6a15077e2d7fa the script relies on it. Size impact is minimal (2 kb on MIPS .ipk). Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix race condition in mesh new peer handlingFelix Fietkau2019-02-121-0/+34
| | | | | | Avoid trying to add the same station to the driver multiple times Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: send wpa_supplicant logging output to syslogFelix Fietkau2019-02-121-1/+1
| | | | | | Helpful for debugging network connectivity issues Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wpa_supplicant: fix calling channel switch via wpa_cli on mesh interfacesFelix Fietkau2019-01-291-0/+39
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add support for passing CSA events from sta/mesh to AP interfacesFelix Fietkau2019-01-292-2/+183
| | | | | | Fixes handling CSA when using AP+STA or AP+Mesh Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: update to version 2018-12-02 (2.7)Hauke Mehrtens2019-01-0238-429/+169
| | | | | | | | | | This updates hostapd to version the git version from 2018-12-02 which matches the 2.7 release. The removed patches were are already available in the upstream code, one additional backport is needed to fix a compile problem. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Make eapol-test depend on libubusHauke Mehrtens2018-12-161-3/+3
| | | | | | | | The eapol-test application also uses the code with the newly activated ubus support, add the missing dependency. Fixes: f5753aae233 ("hostapd: add support for WPS pushbutton station") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: add support for WPS pushbutton stationDaniel Golle2018-12-1210-14/+467
| | | | | | | | | | | | | | | | | | | | | | similar to hostapd, also add a ubus interface for wpa_supplicant which will allow handling WPS push-button just as it works for hostapd. In order to have wpa_supplicant running without any network configuration (so you can use it to retrieve credentials via WPS), configure wifi-iface in /etc/config/wireless: config wifi-iface 'default_radio0' option device 'radio0' option network 'wwan' option mode 'sta' option encryption 'wps' This section will automatically be edited if credentials have successfully been acquired via WPS. Size difference (mips_24kc): roughly +4kb for the 'full' variants of wpa_supplicant and wpad which do support WPS. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add utf8_ssid flag & enable as defaultKevin Darbyshire-Bryant2018-11-142-3/+5
| | | | | | | | | | | | | SSIDs may contain UTF8 characters but ideally hostapd should be told this is the case so it can advertise the fact. Default enable this option. add uci option utf8_ssid '0'/'1' for disable/enable e.g. config wifi-iface option utf8_ssid '0' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: add basic variantKevin Darbyshire-Bryant2018-10-164-0/+1016
| | | | | | | | Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and is intended to support 11r & 11w (subject to driver support) out of the box. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: fix MAC filter related log spamJo-Philipp Wich2018-10-164-11/+78
| | | | | | | | Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages. Fixes: FS#1468 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)Hauke Mehrtens2018-10-143-5/+18
| | | | | | | | | | | | This adds support for the WPA3-Enterprise mode authentication. The settings for the WPA3-Enterpriese mode are defined in WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and guarantees at least 192 bit of security. This does not increase the ipkg size by a significant size. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Activate Opportunistic Wireless Encryption (OWE)Hauke Mehrtens2018-10-143-4/+21
| | | | | | | | | | | | | | | | | | OWE is defined in RFC 8110 and provides encryption and forward security for open networks. This is based on the requirements in the Wifi alliance document Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf The wifi alliance requires ieee80211w for the OWE mode. This also makes it possible to configure the OWE transission mode which allows it operate an open and an OWE BSSID in parallel and the client should only show one network. This increases the ipkg size by 5.800 Bytes. Old: 402.541 Bytes New: 408.341 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Activate Simultaneous Authentication of Equals (SAE)Hauke Mehrtens2018-10-143-9/+42
| | | | | | | | | | | | | | | | | | | | This build the full openssl and wolfssl versions with SAE support which is the main part of WPA3 PSK. This needs elliptic curve cryptography which is only provided by these two external cryptographic libraries and not by the internal implementation. The WPA3_Specification_v1.0.pdf file says that in SAE only mode Protected Management Frames (PMF) is required, in mixed mode with WPA2-PSK PMF should be required for clients using SAE, and optional for clients using WPA2-PSK. The defaults are set now accordingly. This increases the ipkg size by 8.515 Bytes. Old: 394.026 Bytes New: 402.541 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: SAE: Do not ignore option sae_require_mfpHauke Mehrtens2018-10-141-0/+26
| | | | | | This patch was send for integration into the hostapd project. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: backport build fix when OWE is activatedHauke Mehrtens2018-10-145-18/+35
| | | | | | This backports a compile fix form the hostapd project. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: sync config with default configurationHauke Mehrtens2018-10-145-35/+41
| | | | | | | | | This replaces the configuration files with the versions from the hostapd project and the adaptions done by OpenWrt. The resulting binaries should be the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: add acs feature indicationEnrique Giraldo2018-09-291-0/+4
| | | | Signed-off-by: Enrique Giraldo <enrique.giraldo@galgus.net>
* hostapd: Fix compile with OpenSSL 1.1.0 + no deprecated APIsRosen Penev2018-09-101-0/+40
| | | | | | | | Patch was accepted upsteam: https://w1.fi/cgit/hostap/commit/?id=373c796948599a509bad71695b5b72eef003f661 Signed-off-by: Rosen Penev <rosenp@gmail.com>
* hostapd: fix build of wpa-supplicant-p2pAlexander Couzens2018-09-031-0/+1
| | | | | | | VARIANT:= got removed by accident. Fixes: 3838b16943c6 ("hostapd: fix conflicts hell") Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* hostapd: process all CSA parametersYury Shvedov2018-08-201-6/+31
| | | | | | | This adds processing of all CSA arguments from ubus switch_chan request in the same manner as in the control interface API. Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
* wpa_supplicant: fix CVE-2018-14526John Crispin2018-08-101-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unauthenticated EAPOL-Key decryption in wpa_supplicant Published: August 8, 2018 Identifiers: - CVE-2018-14526 Latest version available from: https://w1.fi/security/2018-1/ Vulnerability A vulnerability was found in how wpa_supplicant processes EAPOL-Key frames. It is possible for an attacker to modify the frame in a way that makes wpa_supplicant decrypt the Key Data field without requiring a valid MIC value in the frame, i.e., without the frame being authenticated. This has a potential issue in the case where WPA2/RSN style of EAPOL-Key construction is used with TKIP negotiated as the pairwise cipher. It should be noted that WPA2 is not supposed to be used with TKIP as the pairwise cipher. Instead, CCMP is expected to be used and with that pairwise cipher, this vulnerability is not applicable in practice. When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data field is encrypted using RC4. This vulnerability allows unauthenticated EAPOL-Key frames to be processed and due to the RC4 design, this makes it possible for an attacker to modify the plaintext version of the Key Data field with bitwise XOR operations without knowing the contents. This can be used to cause a denial of service attack by modifying GTK/IGTK on the station (without the attacker learning any of the keys) which would prevent the station from accepting received group-addressed frames. Furthermore, this might be abused by making wpa_supplicant act as a decryption oracle to try to recover some of the Key Data payload (GTK/IGTK) to get knowledge of the group encryption keys. Full recovery of the group encryption keys requires multiple attempts (128 connection attempts per octet) and each attempt results in disconnection due to a failure to complete the 4-way handshake. These failures can result in the AP/network getting disabled temporarily or even permanently (requiring user action to re-enable) which may make it impractical to perform the attack to recover the keys before the AP has already changes the group keys. By default, wpa_supplicant is enforcing at minimum a ten second wait time between each failed connection attempt, i.e., over 20 minutes waiting to recover each octet while hostapd AP implementation uses 10 minute default for GTK rekeying when using TKIP. With such timing behavior, practical attack would need large number of impacted stations to be trying to connect to the same AP to be able to recover sufficient information from the GTK to be able to determine the key before it gets changed. Vulnerable versions/configurations All wpa_supplicant versions. Acknowledgments Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU Leuven for discovering and reporting this issue. Possible mitigation steps - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This can be done also on the AP side. - Merge the following commits to wpa_supplicant and rebuild: WPA: Ignore unauthenticated encrypted EAPOL-Key data This patch is available from https://w1.fi/security/2018-1/ - Update to wpa_supplicant v2.7 or newer, once available Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: add ht and vht support in handle event function Add ht and vht ↵Nick Hainke2018-07-303-2/+45
| | | | | | capabilities. If a device sends a probe request, the capabilities are added. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add ubus call for ap featuresNick Hainke2018-07-301-0/+16
| | | | | | | | | | | The call "get_features" allows to gather hostapd config options via ubus. As first infos we add the ht and vht support. Although nl80211 supports to gather informations about ht and vht capabilities, the hostapd configuration can disable vht and ht. However, it is possible that the iw output is not representing the actual hostapd configuration. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: remove unused struct hostapd_ubus_ifaceFelix Fietkau2018-07-222-16/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix conflicts hellMathias Kresin2018-07-181-95/+47
| | | | | | | | | | | | | Add each variant to the matching PROVIDERS variables after evaluating the respective hostapd*, wpad* and wpa* variant. Each package providing the same feature will automatically conflict with all prior packages providing the same feature. This way we can handle the conflicts automatically without introducing recursive dependencies. Signed-off-by: Mathias Kresin <dev@kresin.me>
* hostapd: cleanup package definitionMathias Kresin2018-07-181-46/+48
| | | | | | | | | | | | Move common variables and/or values to the package (variant) default. Add additional values in variant packages if necessary. Remove further duplicates by introducing new templates. Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the same as the variables without the any prefix. No need to maintain both variables. Signed-off-by: Mathias Kresin <dev@kresin.me>
* hostapd: build with LTO enabled (using jobserver for parallel build)Felix Fietkau2018-07-102-3/+54
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: make cli treat UNKNOWN COMMAND as failingDenton Gentry2018-06-071-0/+13
| | | | | | | | | | | Avoid infinite loop at 100% CPU when running hostapd_cli if CONFIG_CTRL_IFACE_MIB is not defined. _newselect(4, [3], NULL, NULL, ...) recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16 sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24 Signed-off-by: Denton Gentry <denny@geekhold.com>
* hostapd: properly build hostapd-only SSL variantsDaniel Golle2018-06-051-11/+11
| | | | | | | Make sure hostapd-openssl is actually build against OpenSSL, same for wolfSSL. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: expose device taxonomy signature via ubusFelix Fietkau2018-06-051-0/+6
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add support for client taxonomy in the full configFelix Fietkau2018-06-052-5/+29
| | | | | | | This can be used to fingerprint clients to try to identify the exact model Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: update packaging and patchesDaniel Golle2018-05-3137-496/+417
| | | | | | | | | | Clean up conflicts/provides/depends hell and add PROVIDES for eapol-test variants while at it. Update mesh-DFS patchset from Peter Oh to v5 (with local fixes) which allows to drop two revert-patches for upstream commits which previously were necessary to un-break mesh-DFS support. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: convert ssl provider build options to variantsDaniel Golle2018-05-252-85/+285
| | | | | | | | | | | Instead of selecting the SSL provider at compile time, build package variants for each option so users can select the binary package without having to build it themselves. Most likely not all variants have actually ever been user by anyone. We should reduce the selection to the reasonable and most used combinations at some point in future. For now, build them all. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: update to git HEAD of 2018-05-21, allow build against wolfsslDaniel Golle2018-05-2437-296/+603
| | | | | | | Support for building wpa_supplicant/hostapd against wolfssl has been added upstream recently, add build option to allow users using it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix IEEE 802.11r (fast roaming) defaultsGospod Nassa2018-05-181-21/+27
| | | | | | | | | | | | | | | | | | | | | | | Use ft_psk_generate_local=1 by default, as it makes everything else fairly trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd fairly much does it all for us. We do need to provide nas_identifier, which can be derived from the BSSID, and we need to generate a mobility_domain, for which we default to the first four chars of the md5sum of the SSID. The complex manual setup should also still work, but the defaults also now work easily out of the box. Verified by manually running hostapd (with the autogenerated config) and watching the debug output: wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake This was previous submitted to LEDE in https://github.com/lede-project/source/pull/1382 [dwmw2: Rewrote commit message] Signed-off-by: Gospod Nassa <devianca@gmail.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* hostapd: fix VHT80 for encrypted mesh channel settingsSven Eckelmann2018-05-142-1/+46
| | | | | | | | | | | | | | | | | | | The max_oper_chwidth settings was parsed incorrectly for big endian system. This prevented the system to switch to VHT80 (or VHT160). Instead they were mapped to: * HT20: 20MHz * VHT20: 20MHz * HT40: 40MHz * VHT40: 40MHz * VHT80: 40MHz * VHT160: 40MHz This happened because each max_oper_chwidth setting in the config file was parsed as "0" instead of the actual value. Fixes: a4322eba2b12 ("hostapd: fix encrypted mesh channel settings") Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
* hostapd: fix mesh+APDaniel Golle2018-05-1415-220/+171
| | | | | | | | Fix encrypted (or DFS) AP+MESH interface combination in a way similar to how it's done for AP+STA and fix netifd shell script. Refresh patches while at it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add channel utilization as config optionNick Hainke2018-05-071-2/+7
| | | | | | Add the channel utilization as hostapd configuration option. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: fix a mesh mode crash with CONFIG_TAXONOMY enabledFelix Fietkau2018-05-031-0/+23
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-205-1/+226
| | | | | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. This time also make sure to add all files to the patch before committing it... Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "hostapd: fix encrypted mesh channel settings"Felix Fietkau2018-04-205-213/+1
| | | | | | | This reverts commit 7f52919a2f2894125b4dca611eb2d30181af7e0b, which is currently breaking the builds and needs to be reworked Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix encrypted mesh channel settingsDaniel Golle2018-04-205-1/+213
| | | | | | | | | | | | Import two patches from Peter Oh to allow setting channel bandwidth in the way it already works for managed interfaces. This fixes mesh interfaces on 802.11ac devices always coming up in VHT80 mode. Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which also skips secondary channel scan just like noscan works in AP mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: mesh: make forwarding configurableDaniel Golle2018-04-183-2/+245
| | | | | | | | | | | For unencrypted mesh networks our scripts take care of setting the various mesh_param values. wpa_supplicant changes somes of them when being used for SAE encrypted mesh and previously didn't allow configuring any of them. Add support for setting mesh_fwding (which has to be set to 0 when using other routing protocols on top of 802.11s) and update our script to pass the value to wpa_supplicant. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix compile of -mini variantsDaniel Golle2018-04-131-0/+23
| | | | | | Fixes commit d88934aa5a (hostapd: update to git snapshot of 2018-04-09) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: update to git snapshot of 2018-04-09Daniel Golle2018-04-1332-76/+1085
| | | | | | | | | And import patchset to allow 802.11s mesh on DFS channels, see also http://lists.infradead.org/pipermail/hostap/2018-April/038418.html Fix sae_password for encryption mesh (sent upstream as well). Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: update to git snapshot of 2018-03-26Daniel Golle2018-03-2735-1530/+153
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The following patches were merged upstream: 000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch replaced by commit 0e3bd7ac6 001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch replaced by commit cb5132bb3 002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch replaced by commit 87e2db16b 003-Prevent-installation-of-an-all-zero-TK.patch replaced by commit 53bb18cc8 004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch replaced by commit 0adc9b28b 005-TDLS-Reject-TPK-TK-reconfiguration.patch replaced by commit ff89af96e 006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch replaced by commit adae51f8b 007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch replaced by commit 2a9c5217b 008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch replaced by commit a00e946c1 009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch replaced by commit b488a1294 010-Optional-AP-side-workaround-for-key-reinstallation-a.patch replaced by commit 6f234c1e2 011-Additional-consistentcy-checks-for-PTK-component-len.patch replaced by commit a6ea66530 012-Clear-BSSID-information-in-supplicant-state-machine-.patch replaced by commit c0fe5f125 013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch replaced by commit 114f2830d Some patches had to be modified to work with changed upstream source: 380-disable_ctrl_iface_mib.patch (adding more ifdef'ery) plus some minor knits needed for other patches to apply which are not worth being explicitely listed here. For SAE key management in mesh mode, use the newly introduce sae_password parameter instead of the psk parameter to also support SAE keys which would fail the checks applied on the psk field (ie. length and such). This fixes compatibility issues for users migrating from authsae. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: do not register ubus objects for mesh interfacesFelix Fietkau2018-02-241-0/+5
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>