Commit Graph

708 Commits

Author SHA1 Message Date
Felix Fietkau
12c1a56ec0 hostapd: reload bss if a relevant ifindex changes
This can happen if the bridge or a stacked vlan device gets recreated.
Ensure that hostapd sees the change and handles it gracefully.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-06 20:09:19 +02:00
John Crispin
3ed5f6430b hostapd: send a notification via ubus when CSA completed
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:42 +02:00
John Crispin
dd62f7659b hostapd: add ifname to generic ubus notify code
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:34 +02:00
John Crispin
711885ad68 hostapd: add ifname and vlan_id to sta-authorized notifications
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:27 +02:00
John Crispin
dc48732ea7 hostapd: add the ifname to ubus events
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:21 +02:00
Janusz Dziedzic
d1fc8c3db0 hostapd: fix build when 80211BE enabled
In file included from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/ubus.h:11,
                 from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/hostapd.h:21,
                 from main.c:26:
hostapd-2024.03.09~695277a5/src/ap/sta_info.h: In function 'ap_sta_is_mld':
hostapd-2024.03.09~695277a5/src/ap/sta_info.h:425:20: error: invalid use of undefined type 'struct hostapd_data'
  425 |         return hapd->conf->mld_ap && sta && sta->mld_info.mld_sta;
      |                    ^~

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-10-02 15:12:18 +02:00
Janusz Dziedzic
b1d6068330 hostapd: add CONFIG_DRIVER_11BE_SUPPORT
Add option to enable 802.11BE support.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-10-02 15:12:18 +02:00
Jianhui Zhao
b4dfa3b33c hostapd: fix UPDATE_VAL fail in uc_hostapd_iface_start
If the `intval` obtained from `info` is indeed 0, it cannot be set to `conf`.

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15495
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 23:36:46 +02:00
Felix Fietkau
df1011e0b7 hostapd: fix OWE ssid update on configuration changes
Refresh OWE transition IEs on updating BSS interfaces

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 20:37:41 +02:00
Felix Fietkau
81a48e7d1a wpa_supplicant: fix num_global_macaddr handling
Pass num_global_macaddr via ubus in the top level config_set call

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 20:33:45 +02:00
Felix Fietkau
b4e7682c54 hostapd: fix num_global_macaddr and mbssid config handling
Store the config values in the correct field and apply them on restart too

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 20:14:51 +02:00
Felix Fietkau
1a288670d9 hostapd: fold extra APuP patches into main patch + src/
Simplifies maintenance

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 18:33:52 +02:00
Felix Fietkau
127078567b hostapd: improve ucode bss notifications
Reduce code duplication, add extra callback for bss create

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 18:32:26 +02:00
Ivan Pavlov
da11a1e20c hostapd: update to version 2024-09-15
Remove upstreamed from 2.11 release:
  060-nl80211-fix-crash-when-adding-an-interface-fails.patch

Rebase all other patches

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-09-16 10:32:43 +02:00
Ivan Pavlov
395afc4c58 hostapd: update to 2.11 release tag
Release 2.11 has been quite a few new features and fixes since the 2.10
release. The following ChangeLog entries highlight some of the main
changes:

* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
  drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
  - use Secure=1 in message 3 during PTK rekeying

...and many more

Remove upstreamed patches:
  023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
  030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
  040-mesh-allow-processing-authentication-frames-in-block.patch
  181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
  182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
  183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
  210-build-de-duplicate-_DIRS-before-calling-mkdir.patch
  253-qos_map_set_without_interworking.patch
  751-qos_map_ignore_when_unsupported.patch
  800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
  801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
  802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch

Other patches has been updated.

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-09-16 10:32:43 +02:00
Gioacchino Mazzurco
d760576132 hostapd: ensure that interface name is not null
Include hotfix suggested by Sebastian Gottschall to fix bug introduced
with APuP patchset

Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: 0c3001a69e
Link: https://github.com/openwrt/openwrt/pull/16298
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-06 22:42:42 +02:00
Gioacchino Mazzurco
e80520197c hostapd: Add support for APuP
Add support for hostapd Access Point Micro Peering

Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: https://gitlab.com/g10h4ck/hostap/-/commits/APuP
Link: https://github.com/openwrt/openwrt/pull/15442
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-08-13 00:28:32 +02:00
Rany Hany
db7f70fe61 hostapd: fix SAE H2E security vulnerability
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.

As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].

An explanation of the impact of the vulnerability is provided from the
advisory[1]:

This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.

[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt

Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16042
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-08-02 23:13:44 +02:00
David Bauer
89d7051485 hostapd: bump PKG_RELEASE
Signed-off-by: David Bauer <mail@david-bauer.net>
2024-06-30 22:23:11 +02:00
David Bauer
68e4cc9be5 hostapd: don't ignore probe-requests with invalid DSSS params
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.

As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.

However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.

These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.

Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-06-30 22:23:11 +02:00
Felix Fietkau
032d3fcf7a hostapd: use strdup on string passed to hostapd_add_iface
The data is modified within hostapd_add_iface

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-21 11:52:25 +02:00
Felix Fietkau
3984fb0582 hostapd: fix crash on interface setup failure
Add a missing NULL pointer check when deleting beacons

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-21 11:52:25 +02:00
Felix Fietkau
a3d1583317 Revert "hostapd: add support for authenticating with multiple PSKs via ubus helper"
This reverts commit c67d5189a4.
Revert until reported issues have been resolved

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-06 21:34:20 +02:00
Felix Fietkau
c67d5189a4 hostapd: add support for authenticating with multiple PSKs via ubus helper
Also supports assigning a VLAN ID based on the PSK

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-06 11:47:59 +02:00
Felix Fietkau
52a5f4491c hostapd: fix a null pointer dereference in wpa_supplicant on teardown
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-05-01 19:00:21 +02:00
Hauke Mehrtens
00a1671248 hostapd: Fix compile against mbedtsl 3.6
Fix compile of the mbedtls extension for hostapd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-28 21:42:18 +02:00
Felix Fietkau
1ee5b7e506 hostapd: fix a crash corner case
On some setup failures, iface->bss can be NULL

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-13 16:33:45 +02:00
Paul Spooren
b3c1c57a35 treewide: update PKG_MIRROR_HASH to zst
When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-04-06 11:24:18 +02:00
Felix Fietkau
27a2b54cba hostapd: fix Config.in dependencies
hostapd packages were accidentally left out. Clean up this mess by
changing the dependencies to hostapd-common

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-05 14:55:59 +02:00
Felix Fietkau
5aab43f933 hostapd: slightly clean up patches
- move build/ifdef related changes together to the 200 patch range
- reduce adding/removing include statements across patches
- move patches away from the 99x patch range to simplify maintenance

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:38:18 +02:00
Felix Fietkau
7b9996d107 hostapd: replace "argument list too long" fix with a simpler version
Less convoluted and more robust

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:38:18 +02:00
Felix Fietkau
6e391325af hostapd: remove workaround for broken WPA IEs in ancient devices
Affected devices were already quite old when this patch was added.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:38:18 +02:00
Eneas U de Queiroz
92379080ea hostapd: adjust patches to work with git am
This adds From:, Date: and Subject: to patches, allowing one to run 'git
am' to import the patches to a hostapd git repository.

From: and Date: fields were taken from the OpenWrt commit where the
patches were first introduced.

Most of the Subject: also followed suit, except for:
 - 300-noscan.patch: Took the description from the LuCI web interface
 - 350-nl80211_del_beacon_bss.patch: Used the file name

The order of the files in the patch was changed to match what git
format-patch does.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-04-04 12:12:43 +02:00
Eneas U de Queiroz
3f5a9e80da hostapd: remove unused fix
Patch 050-build_fix.patch fixes the abscence of sha384-kdf.o from the
list of needed objetct files when FILS is selected without any other
option that will select the .o file.

While it is a bug waiting to be fixes upstream, it is not needed for
OpenWrt use case, because OWE already selects sha384-kdf.o, and FILS is
selected along with OWE.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-04-04 12:12:43 +02:00
Eneas U de Queiroz
24d0e74627 hostapd: bump to 2024-03-09
This brings many changes, including fixes for a couple of memory leaks,
and improved interoperability with 802.11r.  There are also many changes
related to 802.11be, which is not enabled at this time.

Fixed upstream:
 - 022-hostapd-fix-use-of-uninitialized-stack-variables.patch
 - 180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch
 - 993-2023-10-28-ACS-Fix-typo-in-bw_40-frequency-array.patch

Switch PKG_SOURCE_URL to https, since http is not currently working.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Ilya Katsnelson <me@0upti.me>
Tested by: Andrew Sim <andrewsimz@gmail.com>
2024-04-04 12:12:43 +02:00
Robert Marko
bf4c04a4d0 hostapd: fix Argument list too long build error
Currently, both CI and local builds of wpa-supplicant will fail with:
/bin/sh: Argument list too long

Its happening as the argument list for mkdir in build.rules is too large
and over the MAX_ARG_STRLEN limit.

It seems that recent introduction of APK compatible version schema has
increased the argument size and thus pushed it over the limit uncovering
the issue.

Fixes: e8725a932e ("treewide: use APK compatible version schema")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-03-25 11:02:16 +01:00
Paul Spooren
e8725a932e treewide: use APK compatible version schema
Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.

 - Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.

For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-03-22 22:14:22 +01:00
Felix Fietkau
2716853132 wifi-scripts: add new package, move wifi scripts to a single place
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-03 16:16:36 +01:00
Rany Hany
59f67b2010 hostapd: fail R0KH and R1KH derivation when wpa_psk_file is used
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.

Signed-off-by: Rany Hany <rany_hany@riseup.net>
2024-01-25 20:02:40 +01:00
Jesus Fernandez Manzano
e2f6bfb833 hostapd: fix 11r defaults when using SAE
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
2024-01-25 20:02:40 +01:00
Jesus Fernandez Manzano
cdc4c55175 hostapd: fix 11r defaults when using WPA
802.11r can not be used when selecting WPA. It needs at least WPA2.

This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.

Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
2024-01-25 20:02:40 +01:00
Felix Fietkau
195cf4b58d hostapd: remove obsolete function
Leftover from authsae, which was removed a long time ago

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-25 20:02:30 +01:00
David Bauer
56d7887917 hostapd: ACS: Fix typo in bw_40 frequency array
[Upstream Backport]

The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.

Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2024-01-18 23:22:33 +01:00
Felix Fietkau
912e573127 hostapd: add back missing function for updating wpa_supplicant macaddr list
Make the call deferred instead of blocking to avoid deadlock issues

Fixes: 3df9322771 ("hostapd: make ubus calls to wpa_supplicant asynchronous")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 16:12:34 +01:00
Felix Fietkau
12c8bba731 hostapd: fix an exception in hostapd.uc on interface add failure
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 15:22:27 +01:00
Felix Fietkau
5b8f188c0f Revert "mac80211: rework interface setup, fix race condition"
This reverts commit b7f9742da8.
There are several reports of regressions with this commit. Will be added
back once I've figured out and fixed the cause

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 11:19:34 +01:00
Felix Fietkau
b7f9742da8 mac80211: rework interface setup, fix race condition
Only tell netifd about vifs when the setup is complete and hostapd +
wpa_supplicant have been notified

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 10:40:43 +01:00
Felix Fietkau
3df9322771 hostapd: make ubus calls to wpa_supplicant asynchronous
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other

Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 09:15:54 +01:00
Felix Fietkau
d864f68232 hostapd: add missing NULL pointer check on radar notification
Fixes a race condition that can lead to a hostapd crash

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-09 11:06:24 +01:00
Felix Fietkau
f909059b74 hostapd: use new udebug ubus api to make debug rings configurable
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-30 20:08:56 +01:00