Commit Graph

1534 Commits

Author SHA1 Message Date
Daniel Golle
00a85a1634
umdns: add missing syscalls to seccomp filter
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due
to changes on libraries used by umdns now using slightly different
calls.

Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json

Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-04-10 17:36:03 +01:00
Stijn Tintel
bcdf600fc5 lldpd: further size reductions
Size difference on mips_4kec:
Before: 120196
After:  120006

Closes https://github.com/openwrt/openwrt/pull/3823

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-04-05 18:50:17 +03:00
Stijn Tintel
e4d7e7b3e4 lldpd: enable LTO
Size difference on mips_4kec:
W/o LTO: 139674
W/ LTO:  120196

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-04-05 18:50:11 +03:00
Stijn Tintel
8946be0ab5 lldpd: bump to 1.0.9
Contains fixes related to CVE-2020-27827.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-04-05 18:27:42 +03:00
Stijn Tintel
c935c6ffb6 lldpd: add libcap dependency
Now that libcap is in OpenWrt base, we can drop our custom patch to
disable libcap support and have lldpd depend on it instead. This will
allow the monitor process to drop its privileges instead of running as
root, improving security.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-04-05 18:20:48 +03:00
Rui Salvaterra
d38f456582 hostapd: enable airtime policy for the -basic variants
Airtime policy configuration is extremely useful in multiple BSS scenarios.
Since nowadays most people configure both private and guest networks (at
least), it makes sense to enable it by default, except for the most limited
of the variants.

Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2):
543944 bytes (airtime policy disabled)
548040 bytes (airtime policy enabled)

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Acked-by: Daniel Golle <daniel@makrotopia.org>
2021-04-03 18:57:13 +02:00
Jan Pavlinec
abbaf696f6 igmpproxy: remove package
Moved to packages repo because it was considered
non-essential for most router configurations.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-03-21 22:45:20 +01:00
Hauke Mehrtens
1170655f8b uhttpd: update to git HEAD
15346de client: Always close connection with request body in case of error

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:34:13 +01:00
Hauke Mehrtens
501221af54 uhttpd: Execute uci commit and reload_config once
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:16:32 +01:00
Hauke Mehrtens
d25d281fd6 uhttpd: Reload config after uhttpd-mod-ubus was added
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.

This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:16:31 +01:00
Daniel Golle
d28880cdd8
umdns: add syscalls needed on Aarch64
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-19 22:33:33 +00:00
Eike Ritter
46cd0765d0 ppp: compile fix: unset FILTER variable in Makefile
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message

Package ppp is missing dependencies for the following libraries:
libpcap.so.1

The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.

Signed-off-by: Eike Ritter <git@rittere.co.uk>
2021-03-19 00:25:58 +01:00
Stefan Lippers-Hollmann
1ca5de13a1 hostapd: P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

This fixes the following security vulnerabilities/bugs:

- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
  in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
  discovery requests. It could result in denial of service or other
  impact (potentially execution of arbitrary code), for an attacker
  within radio range.

Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2021-03-01 00:34:23 +01:00
Jan Pavlinec
0c0c9c734d igmpproxy: update to version 0.3
Changes:
- Remove custom Build/Compile because it's no longer needed
- Remove std=gnu99 which is added automaticaly by igmpproxy if needed
- Remove -Dlog from CFLAGS because igmpproxy doesn't have log function

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2021-03-01 00:34:23 +01:00
Ilya Lipnitskiy
06351f1bd0 kernel: migrate wireguard into the kernel tree
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.

Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-26 20:41:01 +01:00
Hauke Mehrtens
030bc39c35 ppp: Update to version 2.4.9
Upstream integrated multiple patches from Distributions and did other
changes:
* rp-pppoe.so was renamed to pppoe.so
* Converted to ANSI C

The following patches were applied upstream:
* 100-debian_ip-ip_option.patch
* 101-debian_close_dev_ppp.patch
* 103-debian_fix_link_pidfile.patch
* 106-debian_stripMSdomain.patch
* 107-debian_pppoatm_wildcard.patch
* 110-debian_defaultroute.patch
* 202-no_strip.patch

Compilation with musl libc was fixed upstream so
140-pppoe_compile_fix.patch is not needed any more

Parts of the 203-opt_flags.patch patch were applied in a different way
upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-24 00:30:20 +01:00
Ilya Lipnitskiy
17f7b217d3 wireguard: don't build on Linux 5.10
There are efforts underway to bring wireguard in-tree for Linux 5.4 and
to have a common build infrastructure for both 5.4 and 5.10 for
kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on
Linux 5.4, because the wireguard-compat package will not build on Linux
5.10.

[0]: https://github.com/openwrt/openwrt/pull/3885

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-23 20:13:30 +01:00
Raphaël Mélotte
fb860b4e41 hostapd: backport ignoring 4addr mode enabling error
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:

 nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
 an interface that is in a bridge and has 4addr mode already enabled.
 This operation would not have been necessary in the first place and this
 failure results in disconnecting, e.g., when roaming from one backhaul
 BSS to another BSS with Multi AP.

 Avoid this issue by ignoring the nl80211 command failure in the case
 where 4addr mode is being enabled while it has already been enabled.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-20 10:38:48 +01:00
Daniel Golle
d79eeba688
odhcpd: setup dhcpv4 server automagically
Automatically setup dhcpv4 server just like it's done for dhcpv6.
To select whether odhcpd or dnsmasq are serving DHCPv4 requests there
still is the 'maindhcp' option. To make things less confusing, make
sure things really work out-of-the-box in case dnsmasq is not even
installed at the time the uci-defaults script is being run.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-15 00:34:43 +00:00
Raphaël Mélotte
68073e2d46 hostapd: add patch for setting 4addr mode in multi_ap
This patch is required to be able to roam from one backhaul AP to
another one in the same ESS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(daniel@makrotopia.org: PKG_REVISION bump and refreshed patches)
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-13 13:44:22 +00:00
Raphaël Mélotte
14b9100f1c hostapd: reconfigure wps credentials on reload
This patch fixes a bug that prevents updating Multi-AP credentials
after hostapd has started.

It was sent to upstream hostapd here:
https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-12 08:52:41 +01:00
Raphaël Mélotte
59fa9c28d6 hostapd: add notifications for management frames
This patch allows other applications to get events management
frames (for example: association requests).

This is useful in Multi-AP context to be able to save association
requests from stations.

It has been sent to upstream hostapd in this series:
https://patchwork.ozlabs.org/project/hostap/list/?series=217500

'700-wifi-reload.patch' is updated due to the introduction of
'110-notify-mgmt-frames.patch'.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-12 08:52:41 +01:00
Kevin Darbyshire-Bryant
db00f312d3 dnsmasq: Bump to v2.84
dnsmasq v2.84rc2 has been promoted to release.

No functional difference between v2.83test3 and v2.84/v2.84rc2

Backport 2 patches to fix the version reporting

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-02-08 13:16:24 +00:00
Daniel Golle
aed95c4cb8 dnsmasq: switch to ubus-based hotplug call
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-08 00:57:14 +00:00
Petr Štetiar
43ff6e641e hostapd: add forgotten patch for P2P vulnerability fix
Commit 7c8c4f1be6 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.

Fixes: 7c8c4f1be6 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-04 09:11:50 +01:00
Daniel Golle
7c8c4f1be6 hostapd: fix P2P group information processing vulnerability
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.

https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-04 01:05:32 +00:00
Hans Dedecker
1b484f1a12 odhcpd: update to latest git HEAD
8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-01-30 21:25:09 +01:00
Paul Spooren
7b63d89b52 umdns: bump to 2021-01-26
* i78aa36b umdns: fix 64-bit time format string
* start using $(AUTORELEASE)
* Update Copyright

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-26 13:08:56 -10:00
Kevin Darbyshire-Bryant
297f82fc58 dnsmasq: Update to 2.84test3
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket.  This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.

This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol

dnsmasq v2.84test3 resolves these issues.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-01-24 15:56:39 +00:00
Hauke Mehrtens
e87c0d934c dnsmasq: Update to version 2.83
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
  Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
  overflow in sort_rrset() when DNSSEC is used. This can allow a remote
  attacker to write arbitrary data into target device's memory that can
  lead to memory corruption and other unexpected behaviors on the target
  device.
* CVE-2020-25682:
  Dnsmasq versions before 2.83 is susceptible to buffer overflow in
  extract_name() function due to missing length check, when DNSSEC is
  enabled. This can allow a remote attacker to cause memory corruption
  on the target device.
* CVE-2020-25683:
  Dnsmasq version before 2.83 is susceptible to a heap-based buffer
  overflow when DNSSEC is enabled. A remote attacker, who can create
  valid DNS replies, could use this flaw to cause an overflow in a heap-
  allocated memory. This flaw is caused by the lack of length checks in
  rtc1035.c:extract_name(), which could be abused to make the code
  execute memcpy() with a negative size in get_rdata() and cause a crash
  in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
  A lack of proper address/port check implemented in Dnsmasq version <
  2.83 reply_query function makes forging replies easier to an off-path
  attacker.
* CVE-2020-25685:
  A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
  versions before 2.83 reply_query function allows remote attackers to
  spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
  Multiple DNS query requests for the same resource name (RRNAME) by
  Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
  traffic, using a birthday attack (RFC 5452), that can lead to DNS
  cache poisoning.
* CVE-2020-25687:
  Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
  overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
  remote attacker, who can create valid DNS replies, could use this flaw
  to cause an overflow in a heap-allocated memory. This flaw is caused
  by the lack of length checks in rtc1035.c:extract_name(), which could
  be abused to make the code execute memcpy() with a negative size in
  sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
  Service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-19 13:01:03 +01:00
Leon M. George
d5bbd4975c hostapd: fix setting wps_state to "not configured"
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-15 18:17:45 +01:00
Leon M. George
fa02225ee6 hostapd: fix key_mgmt typo
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-14 03:54:06 +01:00
Leon M. George
f72ce73e36 hostapd: remove trailing whitespaces
Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:50:38 +01:00
Leon M. George
4bde00c2a3 hostapd: remove unused variable
'base' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:48:41 +01:00
Leon M. George
3497b30b9c hostapd: remove unused variable
'enc_str' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:45:17 +01:00
Daniel Golle
1f78538387 hostapd: run as user 'network' if procd-ujail is installed
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:50 +00:00
Daniel Golle
1e2d162092 hostapd: improve error handling when adding supplicant config
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:49 +00:00
Etan Kissling
7babb978ad hostapd: add multicast_to_unicast and per_sta_vif
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
2021-01-14 00:52:49 +00:00
Daniel Golle
2d305ff13a hostapd: return PID on config_add call
To simplify the way netifd acquires the PIDs of wpa_supplicant and
hostapd let the config_add method of both of them return the PID of the
called process. Use the returned PID instead of querying procd when
adding wpa_supplicant configuration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-10 19:15:51 +00:00
Robert Marko
f246dfde33 hostapd: wpa_supplicant: Enable proper GCMP cipher support
This patch enables hostapd.sh to properly configure wpa_supplicant
for when GCMP is used as cipher in station mode.
Without this wpa_supplicant will be unable to connect to AP.
This is needed for wil6210 as it does not support CCMP.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2021-01-05 02:16:24 +00:00
Nick Hainke
6773bee107 odhcpd: bump to latest version
3bda900 odhcpd: add option for setting preferred lifetime

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-01-04 08:01:16 +01:00
Florian Beverborg
22e568d0fe hostapd: add support for custom per-BSS options
This adds an option "hostapd_bss_options" that does the same as
"hostapd_options" but on a per-BSS level, instead of a per-device level.

This can be used, for example, to configure different per-devce sae_passwords
per BSS or to augment some of the existing per-BSS options.

Signed-off-by: Florian Beverborg <flo@beverb.org>
[remove whitespace errors, bump release]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-03 12:31:42 -10:00
Hauke Mehrtens
7aa8c00e4b ppp: Remove already applied patch
This patch was already applied upstream and not needed here.

Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-01 19:55:59 +01:00
Felix Fietkau
e1851720f1 hostapd: do not restart hostapd instance on wireless restarts
Add the flag that prevents netifd from killing hostapd/wpa_supplicant

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-12-31 14:26:00 +01:00
Hans Dedecker
bc99b56d7e odhcpd: update to latest git HEAD
b75bcad dhcpv6-ia: remove assignment equal to 0 checks
d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0
9d5e379 dhcpv6-ia: fix prefix delegation behavior

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-12-24 17:23:41 +01:00
Dobroslaw Kijowski
1a9b896d8b treewide: nuke DRIVER_11W_SUPPORT
As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter"
https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
802.11w feature is always enabled in the build time.

It doesn't make sense to opt-in 802.11w per driver as hostapd will always
be compiled with this feature enabled.

As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h
for compatibility reasons. This option will be dropped when LuCI is adjusted.

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-12-23 16:36:08 +01:00
John Crispin
ceb612e463 hostapd: pass respawn settings when registering the service
When hostapd gets restarted to often/quickly will cause procd to not restart it
anymore. it will think that hapd is in a crash loop.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
2020-12-22 19:30:26 +01:00
Nick Lowe
cb41bc5088 hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabled
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.

hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:

// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2

For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:

// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2

For client compatibility therefore:

EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.

To fix this, we can therefore change in the script:

set_default eapol_version 0

To the following:

set_default eapol_version $((wpa & 1))

This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.

For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-22 19:11:50 +01:00
Nadim Atiya
1302bee12a hostapd: parse skip_inactivity_poll option
hostapd.sh does not parse skip_inactivity_poll boolean from
/etc/config/wireless despite being mentioned in the documentation [1].
This change fixes this, and by default sets its value to 0 [1].

[1] https://openwrt.org/docs/guide-user/network/wifi/basic

Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[fix and reformat commit message, make patch apply]
2020-12-22 15:23:35 +00:00
Petr Štetiar
0cf3c5dd72 uhttpd: don't redirect to HTTPS by default
So we can ship px5g-wolfssl by default in the release image, but still
make the HTTPS for LuCI optional. This small change with addition of
`CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the
next release should provide optional HTTPS in the next release.

Disabling the current default automatic uhttpd's redirect to HTTPS
should make the HTTPS optional. That's it, user would either need to
switch to HTTPS by manually switching to https:// protocol in the URL or
by issuing the following commands to make the HTTPS automatic redirect
permanent:

 $ uci set uhttpd.main.redirect_https=1
 $ uci commit uhttpd
 $ service uhttpd reload

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-20 10:36:51 +01:00