aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/hostapd
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: Apply SAE/EAP-pwd side-channel attack update 2Hauke Mehrtens2022-02-134-1/+268
| | | | | | | | | This fixes some recent security problems in hostapd. See here for details: https://w1.fi/security/2022-1 * CVE-2022-23303 * CVE-2022-23304 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: only attempt to set qos map if supported by the driverFelix Fietkau2021-12-232-1/+13
| | | | | | | Fixes issues with brcmfmac Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 5e67cd63c4ff5d8f36c341dfa3355e3a4ac2be81)
* hostapd: add a patch that allows processing auth requests for peers in ↵Felix Fietkau2021-11-245-9/+43
| | | | | | | | | | | | | | | | blocked state If authentication fails repeatedly e.g. because of a weak signal, the link can end up in blocked state. If one of the nodes tries to establish a link again before it is unblocked on the other side, it will block the link to that other side. The same happens on the other side when it unblocks the link. In that scenario, the link never recovers on its own. To fix this, allow restarting authentication even if the link is in blocked state, but don't initiate the attempt until the blocked period is over. Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit f84053af5c0b0a159ea4d3e90b0c06574b4fde8d)
* hostapd: bump PKG_RELEASEFelix Fietkau2021-11-241-1/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix goto loop for ubus assoc handlerDavid Bauer2021-11-231-5/+5
| | | | | | | | | | When a ubus event handler denies a association with a non-zero return value, the code jumps to preceeding code, creating an endless loop until the event handler accepts the assc request. Move the ubus handler further up the code to avoid creating such a loop. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: enable ht40 in wpa_supplicant when using wider HE modesFelix Fietkau2021-11-231-1/+1
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit c26d741d07632451337810aaecd500a0b3cbf44f)
* hostapd: add support for providing vendor specific IE elementsFelix Fietkau2021-11-231-1/+4
| | | | | | | They can be added as hex digit strings via the 'vendor_elements' option Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 1818b038d7275273adbd525b5ee76bc60b7d628c)
* hostapd: add eap_server supportJohn Crispin2021-11-231-4/+21
| | | | | | | | This makes it possible to avoid using a RADIUS server for WPA enterprise authentication Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from 98621c97822eb20a80ab2248a253972051ea6f08)
* hostapd: add default values for r0kh/r1khFelix Fietkau2021-11-231-0/+7
| | | | | | | | This allows WPA enterprise roaming in the same mobility domain without any manual key configuration (aside from radius credentials) Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 704ab6a002172e76d41612f6d07ff179ef035d10)
* hostapd: add support for configuring the beacon rateFelix Fietkau2021-11-231-1/+3
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 46509a51dd63aa49648ad0f130461817f43532d0)
* hostapd: add support for configuring rts thresholdFelix Fietkau2021-11-231-1/+4
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 26da5c235983d215a42983467149e0e5597e8de2)
* hostapd: fix use after free bugsDavid Bauer2021-11-231-6/+6
| | | | | | | | Using a pointer one lifter after it freed is not the best idea. Let's not do that. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry-picked from commit 63c01ad025981eaa841353dc0fc27e5017febe21)
* hostapd: add wmm qos map set by defaultFelix Fietkau2021-11-231-1/+6
| | | | | | | | | | | This implements the mapping recommendations from RFC8325, with an update from RFC8622. This ensures that DSCP marked packets are properly sorted into WMM classes. The map can be disabled by setting iw_qos_map_set to something invalid like 'none' Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit a5e3def1822431ef6436cb493df77006dbacafd6)
* hostapd: support qos_map_set without CONFIG_INTERWORKINGFelix Fietkau2021-11-231-0/+112
| | | | | | | This feature is useful on its own even without full interworking support Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit efff3520f4d8fe131c4bd54bb2e098139a7efa4d)
* hostapd: refresh patchesFelix Fietkau2021-11-2314-45/+35
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix a race condition on adding AP mode wds sta interfacesFelix Fietkau2021-11-233-4/+26
| | | | | | | | | | | | Both hostapd and netifd attempt to add a VLAN device to a bridge. Depending on which one wins the race, bridge vlan settings might be incomplete, or hostapd might run into an error and refuse to service the client. Fix this by preventing hostapd from adding interfaces to the bridge and instead rely entirely on netifd handling this properly Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit da4be02fcd5d642954b1c9d9855d9e8d1e6205f4) (cherry-picked from commit 63c01ad025981eaa841353dc0fc27e5017febe21)
* hostapd: fix max_oper_chwidth setting for HEFelix Fietkau2021-11-231-3/+3
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 2319cf4ec048e50a7d3885d19dc27663b45e258d)
* hostapd: let netifd set bridge port attributes for snoopingFelix Fietkau2021-11-231-1/+30
| | | | | | | Avoids race conditions on bridge member add/remove Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 17d19a7d4398789ae8da3daf8e0db167d58b0782)
* hostapd: respect fixed channel BW in HE20 modeJesus Fernandez Manzano2021-11-231-1/+1
| | | | | | | | | When using htmode 'HE20' with a radio mode that uses wpa-supplicant (like mesh or sta), it will default to 40 MHz bw if disable_ht40 is not set. This commit fixes this behaviour. Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net> (cherry-picked from commit af83e3ce0ff40dcecbe913676343bf86846294f7)
* hostapd: make proxyarp work with libnl-tinyFelix Fietkau2021-11-231-0/+275
| | | | | | | Remove a dependency on libnl3-route Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit ae1c5d0d6af60d0467899f5730a2f01aa72137f7)
* hostapd: fix a segfault on sta disconnect with proxy arp enabledFelix Fietkau2021-11-231-0/+19
| | | | | Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 5dd1bd5b80feb2dbaad8bdf93779acad74ed199a)
* hostapd: make the snooping interface (for proxyarp) configurableFelix Fietkau2021-11-232-0/+38
| | | | | | | | | Use the VLAN interface instead of the bridge, to ensure that hostapd receives untagged DHCP packets Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 7b46377a0cd9d809a3c340358121de77f005d4cc) (cherry-picked from commit f1b98fa4fa8a86a9daf2a7177235f28cbd7c53ef)
* hostapd: configure inter-AP communication interface for 802.11rFelix Fietkau2021-11-232-0/+39
| | | | | | | | In setups using VLAN bridge filtering, hostapd may need to communicate using a VLAN interface on top of the bridge, instead of using the bridge directly Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 305c1b8d746b363f655c2f8d5a6497cca10a5d4e)
* hostapd: add additional radius optionsJohn Crispin2021-11-231-2/+17
| | | | | | | | | | - add functionality to configure RADIUS NAS-Id and Operator-Name - add functionality to configure RADIUS accounting interval - enable RADIUS "Chargeable User Identity" Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 3bd6c8c728e72444bdf23b8904ef9c52ebb46bb7)
* hostapd: add extra options for hotspot 2.0 / interworkingFelix Fietkau2021-11-231-4/+25
| | | | | | Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit c76f1d8330c679774eb568a423feb57d956b3ca4)
* hostapd: fix civic location optionJohn Crispin2021-11-231-1/+1
| | | | | Signed-off-by: John Crispin <john@phrozen.org> (cherry-picked from commit 937dd79e2a4457a316d67b3091f6da7d14a99168)
* hostapd: enable airtime policy for the -basic variantsRui Salvaterra2021-11-231-1/+1
| | | | | | | | | | | | | | | Airtime policy configuration is extremely useful in multiple BSS scenarios. Since nowadays most people configure both private and guest networks (at least), it makes sense to enable it by default, except for the most limited of the variants. Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2): 543944 bytes (airtime policy disabled) 548040 bytes (airtime policy enabled) Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> Acked-by: Daniel Golle <daniel@makrotopia.org> (cherry-picked from commit d38f4565828264731f2a9cfe646491fba80315d3)
* hostapd: add patch for disabling automatic bridging of vlan interfacesFelix Fietkau2021-11-232-3/+40
| | | | | | | | netifd is responsible for handling that, except if the vlan bridge was provided by the config Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit cf45caeff16256f9db777e0e652ec3a38cd476a4)
* hostapd: fix segfault when deinit mesh ifacesJesus Fernandez Manzano2021-09-241-0/+5
| | | | | | | | | | | | In hostapd_ubus_add_bss(), ubus objects are not registered for mesh interfaces. This provokes a segfault when accessing the ubus object in mesh deinit. This commit adds the same condition to hostapd_ubus_free_bss() for discarding those mesh interfaces. Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net> (cherry picked from commit 5269c47e8db549695ceaf6a19afdd0cb90074622)
* hostapd: make wnm_sleep_mode_no_keys configurableTimo Sigurdsson2021-07-052-4/+8
| | | | | | | | | | | | | | | In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not enabled by default on OpenWrt, but it is configurable through the option wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by exposing the option wnm_sleep_mode_no_keys. If you use the option wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might consider using this workaround. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [bump PKG_RELEASE] Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit bf98faaac8ed24cf7d3d93dd4fcd7304d109363b)
* hostapd: make country3 option configurableTimo Sigurdsson2021-07-052-3/+4
| | | | | | | | | | | | | The country3 option in hostapd.conf allows the third octet of the country string to be set. It can be used e.g. to indicate indoor or outdoor use (see hostapd.conf for further details). Make this option configurable but optional in OpenWrt. Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> [bump PKG_RELEASE, rebase] Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 9f09c1936a4a13b67fcba632f7ca02331f685359) Signed-off-by: Paul Spooren <mail@aparcar.org>
* hostapd: fix handling of the channel utilization optionsTimo Sigurdsson2021-06-221-0/+2
| | | | | | | | | | | | | Commit 0a7657c ("hostapd: add channel utilization as config option") added the two new uci options bss_load_update_period and chan_util_avg_period. However, the corresponding "config_add_int" calls for these options weren't added, so attempting to actually use these options and change their values is bound to fail - they always stay at their defaults. Add the missing code to actually make these options work. Fixes: 0a7657c ("hostapd: add channel utilization as config option") Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de> (cherry picked from commit 85ce590705072be78c3ef7dc6b64e3b1facc892b)
* hostapd: wolfssl: add RNG to EC keyDavid Bauer2021-06-212-1/+49
| | | | | | | | | | | Since upstream commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant") WolfSSL requires a RNG for the EC key when built hardened which is the default. Set the RNG for the EC key to fix connections for OWE clients. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit ddcb970274c011d3db611ec39350ee4704ff0e02)
* hostapd: P2P: Fix a corner case in peer addition based on PD RequestStefan Lippers-Hollmann2021-03-011-0/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | p2p_add_device() may remove the oldest entry if there is no room in the peer table for a new peer. This would result in any pointer to that removed entry becoming stale. A corner case with an invalid PD Request frame could result in such a case ending up using (read+write) freed memory. This could only by triggered when the peer table has reached its maximum size and the PD Request frame is received from the P2P Device Address of the oldest remaining entry and the frame has incorrect P2P Device Address in the payload. Fix this by fetching the dev pointer again after having called p2p_add_device() so that the stale pointer cannot be used. This fixes the following security vulnerabilities/bugs: - CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision discovery requests. It could result in denial of service or other impact (potentially execution of arbitrary code), for an attacker within radio range. Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request") Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> (cherry picked from commit 1ca5de13a153061feae260864d73d96f7c463785)
* hostapd: backport ignoring 4addr mode enabling errorRaphaël Mélotte2021-02-203-38/+79
| | | | | | | | | | | | | | | | | | | | | This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore 4addr mode enabling error if it was already enabled") which fixes same issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch', but in a different way: nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on an interface that is in a bridge and has 4addr mode already enabled. This operation would not have been necessary in the first place and this failure results in disconnecting, e.g., when roaming from one backhaul BSS to another BSS with Multi AP. Avoid this issue by ignoring the nl80211 command failure in the case where 4addr mode is being enabled while it has already been enabled. Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be> [bump PKG_RELEASE, more verbose commit description] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit fb860b4e418c28a0f388f215e5acce103dcee1bf)
* hostapd: add patch for setting 4addr mode in multi_apRaphaël Mélotte2021-02-137-47/+57
| | | | | | | | | This patch is required to be able to roam from one backhaul AP to another one in the same ESS. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (daniel@makrotopia.org: PKG_REVISION bump and refreshed patches) Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: reconfigure wps credentials on reloadRaphaël Mélotte2021-02-121-0/+187
| | | | | | | | | | This patch fixes a bug that prevents updating Multi-AP credentials after hostapd has started. It was sent to upstream hostapd here: https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/ Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: add notifications for management framesRaphaël Mélotte2021-02-122-2/+131
| | | | | | | | | | | | | | | | This patch allows other applications to get events management frames (for example: association requests). This is useful in Multi-AP context to be able to save association requests from stations. It has been sent to upstream hostapd in this series: https://patchwork.ozlabs.org/project/hostap/list/?series=217500 '700-wifi-reload.patch' is updated due to the introduction of '110-notify-mgmt-frames.patch'. Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
* hostapd: add forgotten patch for P2P vulnerability fixPetr Štetiar2021-02-042-1/+39
| | | | | | | | Commit 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability") was missing the actual patch for the vulnerability. Fixes: 7c8c4f1be648 ("hostapd: fix P2P group information processing vulnerability") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: fix P2P group information processing vulnerabilityDaniel Golle2021-02-041-1/+1
| | | | | | | | | | | A vulnerability was discovered in how wpa_supplicant processing P2P (Wi-Fi Direct) group information from active group owners. This issue was discovered by fuzz testing of wpa_supplicant by Google's OSS-Fuzz. https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix setting wps_state to "not configured"Leon M. George2021-01-152-2/+2
| | | | | | | | | | | | | | | With encryption disabled, it was intended to set wpa_state=1 (enabled, not configured) through the 'wps_not_configured' flag. The flag is set appropriately but the condition using it is broken. Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled, configured). Fix it by using the correct variable name. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu> [commit title/message improvements] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: fix key_mgmt typoLeon M. George2021-01-142-2/+2
| | | | | | | | | | | The key_mgmt variable was mistyped when checking against "WPS", so the if clause was never entered. Fixes: f5753aae233f ("hostapd: add support for WPS pushbutton station") Signed-off-by: Leon M. George <leon@georgemail.eu> [add commit message, bump PKG_RELEASE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: remove trailing whitespacesLeon M. George2021-01-141-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'base' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove unused variableLeon M. George2021-01-141-1/+0
| | | | | | | | | 'enc_str' was never used. Fixes: 498d84fc4e00 ("netifd: add wireless configuration support and port mac80211 to the new framework") Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: run as user 'network' if procd-ujail is installedDaniel Golle2021-01-144-2/+55
| | | | | | | Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running hostapd and wpa_supplicant without root priviledges. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: improve error handling when adding supplicant configDaniel Golle2021-01-142-5/+5
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add multicast_to_unicast and per_sta_vifEtan Kissling2021-01-142-2/+15
| | | | | | | | This allows configuration of multicast_to_unicast and per_sta_vif options. - multicast_to_unicast requests multicast-to-unicast conversion. - per_sta_vif assigns each station its own AP_VLAN interface. Signed-off-by: Etan Kissling <etan_kissling@apple.com>
* hostapd: return PID on config_add callDaniel Golle2021-01-104-4/+11
| | | | | | | | | To simplify the way netifd acquires the PIDs of wpa_supplicant and hostapd let the config_add method of both of them return the PID of the called process. Use the returned PID instead of querying procd when adding wpa_supplicant configuration. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: wpa_supplicant: Enable proper GCMP cipher supportRobert Marko2021-01-052-1/+6
| | | | | | | | | This patch enables hostapd.sh to properly configure wpa_supplicant for when GCMP is used as cipher in station mode. Without this wpa_supplicant will be unable to connect to AP. This is needed for wil6210 as it does not support CCMP. Signed-off-by: Robert Marko <robimarko@gmail.com>
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-06 08:40:31 +0000