aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* treewide: fix security issues by bumping all packages using libwolfsslPetr Štetiar2022-10-051-1/+1
| | | | | | | | | | | | | | | | | | | As wolfSSL is having hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the ABI handling we would endup with possibly two libwolfssl libraries in the system, including the patched libwolfssl-5.5.1, but still have vulnerable services running using the vulnerable libwolfssl-5.4.0. So in order to propagate update of libwolfssl to latest stable release done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages using wolfSSL library. Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit f1b7e1434f66a3cb09cb9e70b40add354a22e458) (cherry picked from commit 562894b39da381264a34ce31e9334c8a036fa139)
* mac80211: disable ft-over-ds by defaultFelix Fietkau2022-08-301-1/+1
| | | | | | | | | Testing has shown it to be very unreliable in variety of configurations. It is not mandatory, so let's disable it by default until we have a better solution. Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 2984a0420649733662ff95b0aff720b8c2c19f8a)
* hostapd: ubus: fix uninitialized pointerDavid Bauer2022-08-281-1/+1
| | | | | | | | | This fixes passing a bogus non-null pointer to the ubus handler in case the transition request is rejected. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 9b880f09f394049e0629e3c9d4061f431a6b19a8) Signed-off-by: Nick Hainke <vincent@systemli.org>
* firewall: config: remove restictions on DHCPv6 allow ruleTiago Gaspar2022-05-042-4/+2
| | | | | | | | | | | | | | | Remove restrictions on source and destination addresses, which aren't specified on RFC8415, and for some reason in openwrt are configured to allow both link-local and ULA addresses. As cleared out in issue #5066 there are some ISPs that use Gloabal Unicast addresses, so fix this rule to allow them. Fixes: #5066 Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com> [rebase onto firewall3, clarify subject, bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commit 65258f5d6093809c541050256646795bc0a460a9)
* iwinfo: drop obsolete patchJo-Philipp Wich2022-04-271-26/+0
| | | | | Fixes: 01cc5e195d ("iwinfo: update to latest Git HEAD") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iwinfo: update to latest HEADDavid Bauer2022-04-271-3/+3
| | | | | | | dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit f757a8a09885e3c8bb76371e037b8c0731111980)
* hostapd: refresh patchesDavid Bauer2022-04-271-4/+4
| | | | Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: add ubus link-measurements notificationsDavid Bauer2022-04-273-0/+43
| | | | | | | Notify external ubus subscribers of received link-measurement reports. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit f6445cfa1acb32676723c49da3e3158b64a4b3d2)
* hostapd: add ubus method for requesting link measurementsDavid Bauer2022-04-271-0/+65
| | | | | | | | | | | Add a ubus method to request link-measurements from connected STAs. In addition to the STAs address, the used and maximum transmit power can be provided by the external process for the link-measurement. If they are not provided, 0 is used as the default value. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 965aa33a18c76bb2d5a1eeb0cfa01501b08e784a)
* hostapd: add support for enabling link measurementsDavid Bauer2022-04-271-0/+10
| | | | | | | | Allow external processes to enable advertisement of link-measurement RRM capability. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 2ca5c3da04c3f05a7477ae484768e03d4ca30711)
* iwinfo: update to latest HEADDavid Bauer2022-04-271-3/+3
| | | | | | | | a479b9b devices: remove whitespace 562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 46980294f66ab07b79f9037758a7ea94072340df)
* iwinfo: update to latest Git headJosef Schlehofer2022-04-271-3/+3
| | | | | | | | | | Changelog: 90bfbb9 devices: Add Cypress CYW43455 234075b devices: fix AMD RZ608 format 0e2a318 devices: add AMD RZ608 device-id Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> (cherry picked from commit 013b0435641ab12d9a896c29c213d90da64bc623)
* iwinfo: update to latest Git HEADJo-Philipp Wich2022-04-271-4/+4
| | | | | | | a0a0e02 iwinfo: rename hardware.txt to devices.txt Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commit c13d7c82aa4cd2cbf1f61bad857cd01b795318e3)
* iwinfo: update to the latest versionFelix Fietkau2022-04-271-3/+3
| | | | | | | c9b1672f5a83 nl80211: fix path compatibility issue Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 019eca154557e2e2fefa67b4430cab622035c382)
* iwinfo: update to the latest versionFelix Fietkau2022-04-271-4/+4
| | | | | | | | | | aa0e3c4bbe12 iwinfo: nl80211: add support for printing the device path for a phy dd6d6d2dec35 iwinfo: nl80211: use new path lookup function for nl80211_phy_idx_from_uci_path 268bb26d2e2a iwinfo: nl80211: support looking up phy by path=.. and macaddr=... c0414642fead iwinfo: nl80211: fix typo Signed-off-by: Felix Fietkau <nbd@nbd.name> (backported from commit 6e8475bbd0c841043c1187fb5a42d835071ad502)
* bpftools: fix feature override for masking clangTony Ambardar2022-04-111-1/+1
| | | | | | | | | | Rename feature variable clang-bpf-global-var following upstream changes. This restores the HAVE_CLANG feature override and should avoid rare build errors where a recent host clang and BTF-enabled host kernel are present. Fixes: 23be333401f0 ("bpftools: update to 5.10.10") Signed-off-by: Tony Ambardar <itugrok@yahoo.com> (cherry picked from commit cf20f1bb5f0479c2509dd651d08e235a3b9e8755)
* hostapd: add STA extended capabilities to get_clientsDavid Bauer2022-03-201-0/+10
| | | | | | | | | | | Add the STAs extended capabilities to the ubus STA information. This way, external daemons can be made aware of a STAs capabilities. This field is of an array type and contains 0 or more bytes of a STAs advertised extended capabilities. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 6f787239771044ed7eeaf22301c543b699f25cb4)
* hostapd: add op-class to get_status outputDavid Bauer2022-03-201-1/+8
| | | | | | | Include the current operation class to hostapd get_status interface. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 2a31e9ca975d99b6216b2979a825f07253c8947e)
* hostapd: add beacon_interval to get_status ubus outputDavid Bauer2022-03-201-0/+1
| | | | | | | | | | | Add the beacon interval to hostapd status output. This allows external services to discover the beacon interval for a specific VAP. This way, external wireless management daemons can correctly calculate fields containing TBTT value from absolute time-values. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 3ba98468424db1f081818982dfa2a07ab85ae136)
* hostapd: remove unused mac_buff allocationMartin Weinelt2022-03-201-1/+0
| | | | | Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de> (cherry picked from commit cde154c8712255d13658317b116d4fc341ed89f2)
* hostapd: report bssid, ssid and channel over ubusMartin Weinelt2022-03-201-0/+38
| | | | | | | | | | Imports a function from iw to convert frequencies to channel numbers. Co-authored-by: David Bauer <mail@david-bauer.net> Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de> [fix potential out of bounds read] Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 398df6275674b637bc950e4f946f84c2bc5e09ff)
* hostapd: ubus: add notification for BSS transition responseDavid Bauer2022-03-203-0/+74
| | | | | | | | | | To allow steering daemons to be aware of the STA-decided transition target, publish WNM transition responses to ubus. This way, steerings daemons can learn about STA-chosen targets and send a better selection of transition candidates. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit a3de42e72ce349c14263737c5d6ec7b00397cf14)
* hostapd: ubus: add BSS transtiton request methodDavid Bauer2022-03-201-40/+112
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The existing wnm_disassoc_imminent ubus method only supports issuing a bss transition request with the disassoc imminent flag set. For use-cases, where the client is requested to roam to another BSS without a pending disassoc, this existing method is not suitable. Add a new bss_transition_request ubus method, which provides a more universal way to dispatch a transition request. It takes the following arguments: Required: addr: String - MAC-address of the STA to send the request to (colon-seperated) Optional: abridged - Bool - Indicates if the abridged flag is set disassociation_imminent: Bool - Whether or not the disassoc_imminent flag is set disassociation_timer: I32 - number of TBTTs after which the client will be disassociated validity_period: I32 - number of TBTTs after which the beacon candidate list (if included) will be invalid neighbors: blob-array - Array of strings containing neighbor reports as hex-string Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 0eed96ca5d86bdc4158c8ef6814893bc2a3dc467)
* hostapd: fix radius problem due to invalid attributesJohn Crispin2022-02-262-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The offending commit caused the configuration file to contain: radius_auth_req_attr= radius_acct_req_attr= which cause hostapd to add an ATTR of type 0 into the messages. hostapd: RADIUS message: code=4 (Accounting-Request) identifier=0 length=93 hostapd: Attribute 40 (Acct-Status-Type) length=6 hostapd: Value: 7 hostapd: Attribute 30 (Called-Station-Id) length=28 hostapd: Value: 'C4-41-1E-F5-2D-55:OpenWifi' hostapd: Attribute 61 (NAS-Port-Type) length=6 hostapd: Value: 19 hostapd: Attribute 0 (?Unknown?) length=3 <---------------- hostapd: Attribute 55 (Event-Timestamp) length=6 hostapd: Value: 1622726457 hostapd: Attribute 41 (Acct-Delay-Time) length=6 hostapd: Value: 0 hostapd: Attribute 44 (Acct-Session-Id) length=18 hostapd: Value: '9B5961E7235AAEC6' Closes: #9315 Fixes: ce7a17041486 ("hostapd: add additional radius options") Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Petr Štetiar <ynezz@true.cz> [pkg version bump] (cherry picked from commit 96e9c81aabe9e14d6ec75c3f238c4ca7389b92a8)
* tcpdump: Fix CVE-2018-16301Hauke Mehrtens2022-02-132-1/+102
| | | | | | | | | | | | This fixes the following security problem: The command-line argument parser in tcpdump before 4.99.0 has a buffer overflow in tcpdump.c:read_infile(). To trigger this vulnerability the attacker needs to create a 4GB file on the local filesystem and to specify the file name as the value of the -F command-line argument of tcpdump. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 8f5875c4e221453932f217a82f8c3092cacba3e5)
* hostapd: Apply SAE/EAP-pwd side-channel attack update 2Hauke Mehrtens2022-02-134-1/+268
| | | | | | | | | This fixes some recent security problems in hostapd. See here for details: https://w1.fi/security/2022-1 * CVE-2022-23303 * CVE-2022-23304 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* tcpdump: libpcap: Remove http://www.us.tcpdump.org mirrorHauke Mehrtens2021-12-291-2/+1
| | | | | | | | | | | The http://www.us.tcpdump.org mirror will go offline soon, only use the normal download URL. Reported-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397) Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [rebased for OpenWrt 21.02 branch]
* hostapd: only attempt to set qos map if supported by the driverFelix Fietkau2021-12-232-1/+13
| | | | | | | Fixes issues with brcmfmac Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 5e67cd63c4ff5d8f36c341dfa3355e3a4ac2be81)
* hostapd: add a patch that allows processing auth requests for peers in ↵Felix Fietkau2021-11-245-9/+43
| | | | | | | | | | | | | | | | blocked state If authentication fails repeatedly e.g. because of a weak signal, the link can end up in blocked state. If one of the nodes tries to establish a link again before it is unblocked on the other side, it will block the link to that other side. The same happens on the other side when it unblocks the link. In that scenario, the link never recovers on its own. To fix this, allow restarting authentication even if the link is in blocked state, but don't initiate the attempt until the blocked period is over. Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit f84053af5c0b0a159ea4d3e90b0c06574b4fde8d)
* hostapd: bump PKG_RELEASEFelix Fietkau2021-11-241-1/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix goto loop for ubus assoc handlerDavid Bauer2021-11-231-5/+5
| | | | | | | | | | When a ubus event handler denies a association with a non-zero return value, the code jumps to preceeding code, creating an endless loop until the event handler accepts the assc request. Move the ubus handler further up the code to avoid creating such a loop. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: enable ht40 in wpa_supplicant when using wider HE modesFelix Fietkau2021-11-231-1/+1
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit c26d741d07632451337810aaecd500a0b3cbf44f)
* hostapd: add support for providing vendor specific IE elementsFelix Fietkau2021-11-231-1/+4
| | | | | | | They can be added as hex digit strings via the 'vendor_elements' option Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 1818b038d7275273adbd525b5ee76bc60b7d628c)
* hostapd: add eap_server supportJohn Crispin2021-11-231-4/+21
| | | | | | | | This makes it possible to avoid using a RADIUS server for WPA enterprise authentication Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from 98621c97822eb20a80ab2248a253972051ea6f08)
* hostapd: add default values for r0kh/r1khFelix Fietkau2021-11-231-0/+7
| | | | | | | | This allows WPA enterprise roaming in the same mobility domain without any manual key configuration (aside from radius credentials) Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 704ab6a002172e76d41612f6d07ff179ef035d10)
* hostapd: add support for configuring the beacon rateFelix Fietkau2021-11-231-1/+3
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 46509a51dd63aa49648ad0f130461817f43532d0)
* hostapd: add support for configuring rts thresholdFelix Fietkau2021-11-231-1/+4
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 26da5c235983d215a42983467149e0e5597e8de2)
* hostapd: fix use after free bugsDavid Bauer2021-11-231-6/+6
| | | | | | | | Using a pointer one lifter after it freed is not the best idea. Let's not do that. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry-picked from commit 63c01ad025981eaa841353dc0fc27e5017febe21)
* hostapd: add wmm qos map set by defaultFelix Fietkau2021-11-231-1/+6
| | | | | | | | | | | This implements the mapping recommendations from RFC8325, with an update from RFC8622. This ensures that DSCP marked packets are properly sorted into WMM classes. The map can be disabled by setting iw_qos_map_set to something invalid like 'none' Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit a5e3def1822431ef6436cb493df77006dbacafd6)
* hostapd: support qos_map_set without CONFIG_INTERWORKINGFelix Fietkau2021-11-231-0/+112
| | | | | | | This feature is useful on its own even without full interworking support Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit efff3520f4d8fe131c4bd54bb2e098139a7efa4d)
* hostapd: refresh patchesFelix Fietkau2021-11-2314-45/+35
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix a race condition on adding AP mode wds sta interfacesFelix Fietkau2021-11-233-4/+26
| | | | | | | | | | | | Both hostapd and netifd attempt to add a VLAN device to a bridge. Depending on which one wins the race, bridge vlan settings might be incomplete, or hostapd might run into an error and refuse to service the client. Fix this by preventing hostapd from adding interfaces to the bridge and instead rely entirely on netifd handling this properly Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit da4be02fcd5d642954b1c9d9855d9e8d1e6205f4) (cherry-picked from commit 63c01ad025981eaa841353dc0fc27e5017febe21)
* hostapd: fix max_oper_chwidth setting for HEFelix Fietkau2021-11-231-3/+3
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 2319cf4ec048e50a7d3885d19dc27663b45e258d)
* hostapd: let netifd set bridge port attributes for snoopingFelix Fietkau2021-11-231-1/+30
| | | | | | | Avoids race conditions on bridge member add/remove Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 17d19a7d4398789ae8da3daf8e0db167d58b0782)
* hostapd: respect fixed channel BW in HE20 modeJesus Fernandez Manzano2021-11-231-1/+1
| | | | | | | | | When using htmode 'HE20' with a radio mode that uses wpa-supplicant (like mesh or sta), it will default to 40 MHz bw if disable_ht40 is not set. This commit fixes this behaviour. Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net> (cherry-picked from commit af83e3ce0ff40dcecbe913676343bf86846294f7)
* hostapd: make proxyarp work with libnl-tinyFelix Fietkau2021-11-231-0/+275
| | | | | | | Remove a dependency on libnl3-route Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit ae1c5d0d6af60d0467899f5730a2f01aa72137f7)
* hostapd: fix a segfault on sta disconnect with proxy arp enabledFelix Fietkau2021-11-231-0/+19
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 5dd1bd5b80feb2dbaad8bdf93779acad74ed199a)
* hostapd: make the snooping interface (for proxyarp) configurableFelix Fietkau2021-11-232-0/+38
| | | | | | | | | Use the VLAN interface instead of the bridge, to ensure that hostapd receives untagged DHCP packets Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 7b46377a0cd9d809a3c340358121de77f005d4cc) (cherry-picked from commit f1b98fa4fa8a86a9daf2a7177235f28cbd7c53ef)
* hostapd: configure inter-AP communication interface for 802.11rFelix Fietkau2021-11-232-0/+39
| | | | | | | | In setups using VLAN bridge filtering, hostapd may need to communicate using a VLAN interface on top of the bridge, instead of using the bridge directly Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 305c1b8d746b363f655c2f8d5a6497cca10a5d4e)
* hostapd: add additional radius optionsJohn Crispin2021-11-231-2/+17
| | | | | | | | | | - add functionality to configure RADIUS NAS-Id and Operator-Name - add functionality to configure RADIUS accounting interval - enable RADIUS "Chargeable User Identity" Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 3bd6c8c728e72444bdf23b8904ef9c52ebb46bb7)