| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Refresh patches for hostapd using make package/hostapd/refresh.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 05e516b12d4463e40df6d97a03bc6aa621c245f5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.
This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.
Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 6c9ac57d58ab0d2c71fb51120a2166b7e0bd7183)
|
| |
|
|
|
|
|
|
| |
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit b1c7b1bd67ca40289dfb7acd03e12ce43618d548)
|
| |
|
|
|
|
|
|
|
|
| |
noscan option for mesh was broken and actually never applied.
This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 1b5ea2e199fcf391f88afd0322de449459399be4)
|
| |
|
|
|
|
|
| |
In wpa_supplicant, set up wlan interfaces before adding them
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit c2a30b6e01aa756cd7d50c578ab4344c725ecc59)
|
| |
|
|
|
|
|
|
| |
Apply them directly using nl80211 after setting up the interface.
Use the same method in wdev.uc as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 531314260d2e50e984e1671f88662b469dffb16e)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 6dca88aa4acd60229147628cb920d05a1136666d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 39341f422f895a37b405b753c3630b1bdc9b8c6e)
|
| |
|
|
|
|
|
| |
Fixes adding SSID or key with trailing whitespace
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a2d8226c4f45555f49542d6f047b70d44f23f7ec)
|
| |
|
|
|
|
|
|
| |
Recent hostapd changes just edited the ucode files. It is required to
bump the PKG_RELEASE to include the newest changes in the latest builds.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 91d2ead3c3bf75b279f861ad5d11b64bf31478f0)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If the full interface is restarted while bringing up an AP, it can trigger a
wpa_supplicant interface start before wpa_supplicant is notified of the
allocated mac addresses.
Fix this by moving the iface_update_supplicant_macaddr call to just after
the point where mac addresses are allocated.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit abceef120d57bf066941882630a76788eb4985a9)
|
| |
|
|
|
|
|
| |
Use the wdev config with the generated MAC address
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 0c43a48735959245f18d79a6e908d3b45cff0a94)
|
| |
|
|
|
|
|
|
| |
Ensure that the iface disable in uc_hostapd_iface_start also clears the ACS
state.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f1bb528ae7631c60b95499b7e8a1948c3e6a42f0)
|
| |
|
|
|
|
|
|
|
| |
The patch refresh accidentally moved the hostapd_ucode_free_iface call to
the wrong function
Fixes: e9722aef9e84 ("hostapd: fix a crash when disabling an interface during channel list update")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3a5ad6e3d74da713c0fc7d63b8026a56d16e198b)
|
| |
|
|
|
|
|
| |
Needed for wired 802.1x
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit fd6d7aafb2c3d335a3d192c308ffdace8d292e9f)
|
| |
|
|
|
|
|
| |
Avoid crashing if the interface has already been removed
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 4145ff4d8a29c1c7a1569bb06fa4d1fe9808c94f)
|
| |
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit e9722aef9e84110331706f74f7de0942c8d657ed)
|
| |
|
|
|
|
|
| |
Improves reliability in error handling
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a511480368a03f754aa6ce7887633247a07ea166)
|
| |
|
|
|
|
|
| |
Without it, a lot of authentication modes fail without obvious error messages
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 560965d5826626e3be8c1f1db194db43cc7002cf)
|
| |
|
|
|
|
|
| |
It is no longer used
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b0501d380f65ae9f82173b35b820c9c6adb92493)
|
| |
|
|
|
|
|
|
| |
WPA3 Enterprise-transitional requires optional MFP support and SHA1+SHA256
WPA3 Enterprise-only requires SHA1 support disabled and mandatory MFP.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b63df6ce5d0639e6106967fd445c96518da52afb)
|
| |
|
|
|
|
|
| |
Use the SHA384 variant to account for longer keys with more security
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f0d1349b52983400e7526f3ab57dc6a0f2cc771a)
|
| |
|
|
|
|
|
| |
This significantly improves config reload behavior and also fixes some
corner cases related to running AP + mesh interfaces at the same time.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Commit e978072baaca ("Do prune_association only after the STA is
authorized") causes issues when an STA roams from one interface to
another interface on the same PHY. The mt7915 driver is not able to
handle this properly. While the commits fixes a DoS, there are other
devices and drivers with the same limitation, so revert to the orginal
behavior for now, until we have a better solution in place.
Fixes: #13156
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 324673914d42f5fb9b70cc73e955117828b99f3b)
|
| |
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit adfeda849198b33ffa7a7ef233ae8a4df22bbc2d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Removed, merged upstream:
- 170-wpa_supplicant-fix-compiling-without-IEEE8021X_EAPOL.patch
Manually refreshed:
- 040-mesh-allow-processing-authentication-frames-in-block.patch
- 600-ubus_support.patch
- 761-shared_das_port.patch
Fixes: #12661
Fixes: 304423a4 ("hostapd: update to 2023-03-29")
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit cd804c1ebb34c9740f8ad9fe393a81f3efb7b009)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```
then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/clean
done
```
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add patches:
- 170-wpa_supplicant-fix-compiling-without-IEEE8021X_EAPOL.patch
Remove upstreamed:
- 170-DPP-fix-memleak-of-intro.peer_key.patch
- 461-driver_nl80211-use-new-parameters-during-ibss-join.patch
- 800-acs-don-t-select-indoor-channel-on-outdoor-operation.patch
- 992-openssl-include-rsa.patch
Automatically refreshed:
- 011-mesh-use-deterministic-channel-on-channel-switch.patch
- 021-fix-sta-add-after-previous-connection.patch
- 022-hostapd-fix-use-of-uninitialized-stack-variables.patch
- 030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
- 040-mesh-allow-processing-authentication-frames-in-block.patch
- 050-build_fix.patch
- 110-mbedtls-TLS-crypto-option-initial-port.patch
- 120-mbedtls-fips186_2_prf.patch
- 140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch
- 150-add-NULL-checks-encountered-during-tests-hwsim.patch
- 160-dpp_pkex-EC-point-mul-w-value-prime.patch
- 200-multicall.patch
- 300-noscan.patch
- 310-rescan_immediately.patch
- 330-nl80211_fix_set_freq.patch
- 341-mesh-ctrl-iface-channel-switch.patch
- 360-ctrl_iface_reload.patch
- 381-hostapd_cli_UNKNOWN-COMMAND.patch
- 390-wpa_ie_cap_workaround.patch
- 410-limit_debug_messages.patch
- 420-indicate-features.patch
- 430-hostapd_cli_ifdef.patch
- 450-scan_wait.patch
- 460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
- 463-add-mcast_rate-to-11s.patch
- 465-hostapd-config-support-random-BSS-color.patch
- 500-lto-jobserver-support.patch
- 590-rrm-wnm-statistics.patch
- 710-vlan_no_bridge.patch
- 720-iface_max_num_sta.patch
- 730-ft_iface.patch
- 750-qos_map_set_without_interworking.patch
- 751-qos_map_ignore_when_unsupported.patch
- 760-dynamic_own_ip.patch
- 761-shared_das_port.patch
- 990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch
Manually refresh:
- 010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
- 301-mesh-noscan.patch
- 340-reload_freq_change.patch
- 350-nl80211_del_beacon_bss.patch
- 370-ap_sta_support.patch
- 380-disable_ctrl_iface_mib.patch
- 464-fix-mesh-obss-check.patch
- 470-survey_data_fallback.patch
- 600-ubus_support.patch
- 700-wifi-reload.patch
- 711-wds_bridge_force.patch
- 740-snoop_iface.patch
Tested-by: Packet Please <pktpls@systemli.org> [Fritzbox 4040 (ipq40xx),
EAP225-Outdoor (ath79); 802.11s, WPA3 OWE, and WPA3 PSK]
Tested-by: Andrew Sim <andrewsimz@gmail.com> [mediatek/filogic]
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".
Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."
Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".
Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.
Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
| |
This is useful in combination with the built-in eap server support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
| |
Fixes bogus errors on ubus calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
This allows adding backup servers, in case the primary ones fail.
Assume that port and shared secret are going to be the same.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes a corner case when using passwords that are exactly 64
characters in length with mesh mode or passwords longer than 63 characters
with SAE because 'psk' is used instead of 'sae_password'.
SAE is obligatory for 802.11s (mesh point).
The 'psk' option for hostapd is suited for WPA2 and enforces length
restrictions on passwords. Values of 64 characters are treated as PMKs.
With SAE, PMKs are always generated during the handshake and there are no
length restrictions.
The 'sae_password' option is more suited for SAE and should be used
instead.
Before this patch, the 'sae_password' option is only used with mesh mode
passwords that are not 64 characters long.
As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk
limitation).
Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
differentiation only when PSK is used.
Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
|
| |
|
|
|
|
| |
It's generally advised to use quotes for variable assignments in bash.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
|
| |
|
|
|
|
|
|
| |
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
The libraries libpthread, libdl, libutil, libanl have been integrated
into the libc library in version 2.34. it is not needed to explicitly
link them any more.
Most of the functions have been moved from the librt.so into libc.so
some time ago already.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
| |
Use the NAS identifier to find the right receiver context on incoming messages
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
This adds the current WIP mbedtls patches for hostapd. The motivation
here is to reduce size.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
| |
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
It is used for both 802.11r and WPA enterprise.
Setting it when not needed is harmless
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
| |
Some servers use the NAS-IP-Address attribute as a destination address
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
hostapd's compile time option CONFIG_IEEE80211N was removed almost 3 years
ago, 80.211n/HT is always included since then.
Noticed because `hostapd -v11n` confusingly returned an error.
See hostapd's commit:
f3bcd69603 "Remove CONFIG_IEEE80211N build option"
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pass the expected struct:
../src/drivers/driver_nl80211.c: In function 'wpa_driver_nl80211_del_beacon':
../src/drivers/driver_nl80211.c:2945:31: warning: passing argument 1 of 'nl80211_bss_msg' from incompatible pointer type [-Wincompatible-pointer-types]
2945 | msg = nl80211_bss_msg(drv, 0, NL80211_CMD_DEL_BEACON);
| ^~~
| |
| struct wpa_driver_nl80211_data *
../src/drivers/driver_nl80211.c:695:50: note: expected 'struct i802_bss *' but argument is of type 'struct wpa_driver_nl80211_data *'
695 | struct nl_msg * nl80211_bss_msg(struct i802_bss *bss, int flags, uint8_t cmd)
| ~~~~~~~~~~~~~~~~~^~~
Fixes: 35ff1affe8 "hostapd: update to 2022-05-08"
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
|
| |
eee80211_frequency_to_channel() isn't used anymore, which is a leftover from:
2a31e9ca97 "hostapd: add op-class to get_status output"
Signed-off-by: Andre Heider <a.heider@gmail.com>
|
| |
|
|
|
|
| |
It's more reliable than using iw
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
| |
dtim_period is a bss property, not a device one.
It is already handled properly in mac80211.sh
Fixes: 30c64825c7ed ("hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the measurement report value to the beacon reports send via ubus. It
is possible to derive from the measurement report if a station refused to
do a beacon report and why. It is important to know why a station refuses
to do a beacon-report. In particular, we should not request a beacon
report from a station again that refused a beacon-report before.
The rejection reasons can be found by looking at the bits defined by:
- MEASUREMENT_REPORT_MODE_ACCEPT
- MEASUREMENT_REPORT_MODE_REJECT_LATE
- MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE
- MEASUREMENT_REPORT_MODE_REJECT_REFUSED
Suggested-by: Ian Clowes <clowes_ian@hotmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
| |
|
|
|
|
|
| |
Also include the station auth_type in the ubus and log message in order
to detect, if clients used FT or FILS to associate
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
