Commit Graph

485 Commits

Author SHA1 Message Date
Petr Štetiar
43ff6e641e hostapd: add forgotten patch for P2P vulnerability fix
Commit 7c8c4f1be6 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.

Fixes: 7c8c4f1be6 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-04 09:11:50 +01:00
Daniel Golle
7c8c4f1be6 hostapd: fix P2P group information processing vulnerability
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.

https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-04 01:05:32 +00:00
Leon M. George
d5bbd4975c hostapd: fix setting wps_state to "not configured"
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-15 18:17:45 +01:00
Leon M. George
fa02225ee6 hostapd: fix key_mgmt typo
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-14 03:54:06 +01:00
Leon M. George
f72ce73e36 hostapd: remove trailing whitespaces
Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:50:38 +01:00
Leon M. George
4bde00c2a3 hostapd: remove unused variable
'base' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:48:41 +01:00
Leon M. George
3497b30b9c hostapd: remove unused variable
'enc_str' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:45:17 +01:00
Daniel Golle
1f78538387 hostapd: run as user 'network' if procd-ujail is installed
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:50 +00:00
Daniel Golle
1e2d162092 hostapd: improve error handling when adding supplicant config
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:49 +00:00
Etan Kissling
7babb978ad hostapd: add multicast_to_unicast and per_sta_vif
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
2021-01-14 00:52:49 +00:00
Daniel Golle
2d305ff13a hostapd: return PID on config_add call
To simplify the way netifd acquires the PIDs of wpa_supplicant and
hostapd let the config_add method of both of them return the PID of the
called process. Use the returned PID instead of querying procd when
adding wpa_supplicant configuration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-10 19:15:51 +00:00
Robert Marko
f246dfde33 hostapd: wpa_supplicant: Enable proper GCMP cipher support
This patch enables hostapd.sh to properly configure wpa_supplicant
for when GCMP is used as cipher in station mode.
Without this wpa_supplicant will be unable to connect to AP.
This is needed for wil6210 as it does not support CCMP.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2021-01-05 02:16:24 +00:00
Florian Beverborg
22e568d0fe hostapd: add support for custom per-BSS options
This adds an option "hostapd_bss_options" that does the same as
"hostapd_options" but on a per-BSS level, instead of a per-device level.

This can be used, for example, to configure different per-devce sae_passwords
per BSS or to augment some of the existing per-BSS options.

Signed-off-by: Florian Beverborg <flo@beverb.org>
[remove whitespace errors, bump release]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-03 12:31:42 -10:00
Felix Fietkau
e1851720f1 hostapd: do not restart hostapd instance on wireless restarts
Add the flag that prevents netifd from killing hostapd/wpa_supplicant

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-12-31 14:26:00 +01:00
Dobroslaw Kijowski
1a9b896d8b treewide: nuke DRIVER_11W_SUPPORT
As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter"
https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
802.11w feature is always enabled in the build time.

It doesn't make sense to opt-in 802.11w per driver as hostapd will always
be compiled with this feature enabled.

As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h
for compatibility reasons. This option will be dropped when LuCI is adjusted.

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-12-23 16:36:08 +01:00
John Crispin
ceb612e463 hostapd: pass respawn settings when registering the service
When hostapd gets restarted to often/quickly will cause procd to not restart it
anymore. it will think that hapd is in a crash loop.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
2020-12-22 19:30:26 +01:00
Nick Lowe
cb41bc5088 hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabled
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.

hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:

// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2

For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:

// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2

For client compatibility therefore:

EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.

To fix this, we can therefore change in the script:

set_default eapol_version 0

To the following:

set_default eapol_version $((wpa & 1))

This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.

For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-22 19:11:50 +01:00
Nadim Atiya
1302bee12a hostapd: parse skip_inactivity_poll option
hostapd.sh does not parse skip_inactivity_poll boolean from
/etc/config/wireless despite being mentioned in the documentation [1].
This change fixes this, and by default sets its value to 0 [1].

[1] https://openwrt.org/docs/guide-user/network/wifi/basic

Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[fix and reformat commit message, make patch apply]
2020-12-22 15:23:35 +00:00
Nick Lowe
ce5bcff304 hostapd: Disable 802.11b data rates by default
Set legacy_rates to 0 by default to disable 802.11b data rates by default.

The time has long come where 802.11b DSSS/CCK data rates should be disabled
by default in OpenWRT. Users in need of 802.11b client support can reasonably
enable these where they are needed.

The balance of equities has significantly, and for a long time, tipped
such that dropping backwards compatibility by default with 802.11b
devices is appropriate, proportionate and justified. By doing so,
management and control traffic is moved by default to a 20
MHz wide 6 Mb/s OFDM data rate instead of a 22 MHz wide 1 Mb/s DSSS data
rate. This is significantly more airtime efficient.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-06 08:51:32 -10:00
Nick Lowe
81ff23fc91 hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.

The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.

Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.

Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.

Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.

For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.

A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.

There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.

There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.

Cell Density

0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.

1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.

2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.

3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.

Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-11-30 09:31:15 +01:00
Stijn Tintel
26c26e11a2 hostapd: fix "sh: out of range" errors
Several variables in hostapd.sh can be used uninitialized in numerical
comparisons, causing errors in logread:

netifd: radio24 (1668): sh: out of range

Set defaults for those variables to silence those errors.

Fixes: b518f07d4b ("hostapd: remove ieee80211v option")
Fixes: cc80cf53c5 ("hostapd: add FTM responder support")
Fixes: e66bd0eb04 ("hostapd: make rrm report independent of ieee80211k setting")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-11-26 02:25:23 +02:00
Leon M. George
651f0c0999 hostapd: fix patch offset
Fixes the offset of the patch added in 93bbd998aa
  ("hostapd: enter DFS state if no available channel is found").

Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-11-23 22:53:15 +01:00
Rui Salvaterra
dd4e6a70f2 hostapd: enable the epoll-based event loop
Hostapd supports epoll() since 2014. Let's enable it for better performance.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-11-23 03:02:21 +00:00
David Bauer
21dfdfd78b hostapd: set validity interval for BSS TMRA
This sets the validity interval for the BSS transition candidate
list to the same value as the disassociation timer.

Currently the value is always 0, which is the specification states is a
reserved value. Also, wpa_supplicant and from the looks of it some
Android implementations will outright ignore the candidate list in this
case.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:06:39 +01:00
Dobroslaw Kijowski
edb93eda16 hostapd: add support for static airtime policy configuration
* Add support for passing airtime_sta_weight into hostapd configuration.
* Since that commit it is possible to configure station weights. Set higher
  value for larger airtime share, lower for smaller share.

I have tested this functionality by modyfing /etc/config/wireless to:

config wifi-device 'radio0'
	...
        option airtime_mode '1'

config wifi-iface 'default_radio0'
	...
        list airtime_sta_weight '01:02:03:04:05:06 1024'

Now, when the station associates with the access point it has been assigned
a higher weight value.
root@OpenWrt:~# cat /sys/kernel/debug/ieee80211/phy0/netdev\:wlan0/stations/01\:02\:03\:04\:05\:06/airtime
RX: 12656 us
TX: 10617 us
Weight: 1024
Deficit: VO: -2075 us VI: 256 us BE: -206 us BK: 256 us

[MAC address has been changed into a dummy one.]

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-11-17 17:06:16 +01:00
Dobroslaw Kijowski
03cdeb5f97 hostapd: fix per-BSS airtime configuration
airtime_mode is always parsed as an empty string since it hasn't been
added into hostapd_common_add_device_config function.

Fixes: e289f183 ("hostapd: add support for per-BSS airtime configuration")
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-11-17 17:05:20 +01:00
David Bauer
0ce5f15f9c hostapd: ubus: add get_status method
This adds a new get_status method to a hostapd interface, which
provides information about the current interface status.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:05:06 +01:00
David Bauer
80b531614b hostapd: ubus: add VHT capabilities to client list
This adds parsed VHT capability information to the hostapd
get_clients method.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:40 +01:00
David Bauer
cd8052da49 hostapd: ubus: add driver information to client list
This adds information from mac80211 to hostapd get_client ubus function.
This way, TX as well as RX status information as well as the signal can
be determined.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:33 +01:00
David Bauer
7463a0b5ee hostapd: fix variable shadowing
Fixes commit 838b412cb5 ("hostapd: add interworking support")

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:22 +01:00
Rui Salvaterra
682843adad hostapd: add a hostapd-basic-wolfssl variant
If only AP mode is needed, this is currently the most space-efficient way to
provide support for WPA{2,3}-PSK, 802.11w and 802.11r.

openwrt-ath79-generic-ubnt_nanostation-loco-m-squashfs-sysupgrade.bin sizes:

4719426 bytes (with wpad-basic-wolfssl)
4457282 bytes (with hostapd-basic-wolfssl)

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-11-08 20:25:59 +00:00
Rui Salvaterra
f8c88a8775 hostapd: enable OWE for the basic-{openssl, wolfssl} variants
Opportunistic Wireless Encryption is needed to create/access encrypted networks
which don't require authentication.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-10-31 13:02:28 +00:00
Daniel Golle
c3a4cddaaf hostapd: remove hostapd-hs20 variant
Hotspot 2.0 AP features have been made available in the -full variants
of hostapd and wpad. Hence we no longer need a seperate package for
that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-30 00:39:09 +00:00
Rui Salvaterra
10e73b1e9e hostapd: add {hostapd,wpad}-basic-openssl variants
Add OpenSSL-linked basic variants (which provides WPA-PSK only, 802.11r and
802.11w) of both hostapd and wpad. For people who don't need the full hostapd
but are stuck with libopenssl for other reasons, this saves space by avoiding
the need of an additional library (or a larger hostapd with built-in crypto).

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-10-30 00:39:09 +00:00
David Bauer
9f1927173a hostapd: wpas: add missing config symbols
This adds missing config symbols for interworking as well as Hotspot 2.0
to the wpa_supplicant-full configuration.

These symbols were added to the hostapd-full configuration prior to this
commit. Without adding them to the wpa_supplicant configuration,
building of wpad-full fails.

Thanks to Rene for reaching out on IRC.

Fixes: commit be9694aaa2 ("hostapd: add UCI support for Hotspot 2.0")
Fixes: commit 838b412cb5 ("hostapd: add interworking support")
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 03:25:25 +01:00
David Bauer
83d40aef13 hostapd: bump PKG_RELEASE
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:09:34 +01:00
David Bauer
838b412cb5 hostapd: add interworking support
This adds configuration options to enable interworking for hostapd.
All options require iw_enabled to be set to 1 for a given VAP.

All IEEE802.11u related settings are supported with exception of the
venue information which will be added as separate UCI sections at a
later point.

The options use the same name as the ones from the hostapd.conf file
with a "iw_" prefix added.

All UCI configuration options are passed without further modifications
to hostapd with exceptions of the following options, whose elements can
be provided using UCI lis elements:

 - iw_roaming_consortium
 - iw_anqp_elem
 - iw_nai_realm
 - iw_domain_name
 - iw_anqp_3gpp_cell_net

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:09:04 +01:00
David Bauer
cc80cf53c5 hostapd: add FTM responder support
This adds support for enabling the FTM responder flag for the APs
extended capabilities. On supported hardware, enabling the ftm_responder
config key for a given AP will enable the FTM responder bit.

FTM support itself is unconditionally implemented in the devices
firmware (ath10k 2nd generation with 3.2.1.1 firmware). There's
currently no softmac implementation.

Also allow to configure LCI and civic location information which can be
transmitted to a FTM initiator.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:08:56 +01:00
David Bauer
b518f07d4b hostapd: remove ieee80211v option
Remove the ieee80211v option. It previously was required to be enabled
in order to use time_advertisement, time_zone, wnm_sleep_mode and
bss_transition, however it didn't enable any of these options by default.

Remove it, as configuring these options independently is enough.

This change does not influence the behavior of any already configured
setting.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:08:29 +01:00
David Bauer
e66bd0eb04 hostapd: make rrm report independent of ieee80211k setting
Allow to configure both RRM beacon as well as neighbor reports
independently and only enable them by default in case the ieee80211k
config option is set.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:08:22 +01:00
Daniel Golle
63e2e086be hostapd: ubus: add handler for wps_status and guard WPS calls
Expose WPS ubus API only if compiled with WPS support and add new
handler for wps_status call.
Also add '-v wps' option to check whether WPS support is present in
hostapd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-16 00:38:06 +01:00
Felix Fietkau
cba4120768 mac80211: add support for specifying a per-device scan list
This is useful to bring up multiple client mode interfaces on a single
channel much faster without having to scan through a lot of channels

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-09-29 17:32:26 +02:00
David Bauer
c5eea362f3 hostapd: ubus: make (B)SSID optional for neighbor report
Make the BSSID and SSID fields optional when configuring a neighbor
report into hostapd.

Both options can now be an empty string. For the BSSID, the first 6 byte
are copied from the neighbor report. For the SSID, the SSID for the
affected hostapd BSS is used.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-22 17:41:10 +02:00
David Bauer
560e54c69e hostapd: ubus: send notification instead of event
Rafal Milecki pointed out that ubus events are meant for low-level ubus
events only (e.g. addition or removal of an object). Higher level
events should happen as notifications on the ubus object itself.

Dispatch BSS events on the main hostapd ubus object instead of
publishing them as ubus events.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-22 17:40:08 +02:00
David Bauer
d643b10a76 hostapd: ubus: fix infinite loop when configuring RRM NR
The return-code was set, however it was never returned, nor was
the loop interrupted.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-21 21:27:56 +02:00
David Bauer
8e7aa739fb hostapd: send procd event on BSS update
Dispatch ubus events also to procd in order to trigger service reloads
on hostapd updates.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-21 21:26:27 +02:00
David Bauer
6254af0c37 hostapd: send ubus event on BSS update
hostapd will emit a ubus event with the eventname hostapd.<ifname>.<event>
when adding, removing or reloading a BSS.

This way, services which install state (for example the RMM neighbor
list) can on-demand reinstall this information for the BSS without
polling this state.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-21 21:26:12 +02:00
David Bauer
e289f18347 hostapd: add support for per-BSS airtime configuration
Add support for per-BSS airtime weight configuration. This allows to set
a airtime weight per BSS as well as a ratio limit based on the weight.

Support for this feature is only enabled in the full flavors of hostapd.

Consult the hostapd.conf documentation (Airtime policy configuration)
for more information on the inner workings of the exposed settings.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-11 17:35:48 +02:00
Daniel Golle
be9694aaa2 hostapd: add UCI support for Hotspot 2.0
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-08 20:04:14 +01:00
Daniel Golle
80a194b100 hostapd: add hs20 variant
Add hostapd variant compiled with support for Hotspot 2.0 AP features.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 21:37:35 +01:00
Hauke Mehrtens
bc19481826 hostapd: Fix compile errors after wolfssl update
This fixes the following compile errors after the wolfssl 4.5.0 update:
  LD  wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
    type = GEN_EMAIL;
           ^~~~~~~~~
           ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
    type = GEN_DNS;
           ^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
    type = GEN_URI;
           ^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
   if (gen->type != GEN_EMAIL &&
                    ^~~~~~~~~
                    ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
       gen->type != GEN_DNS &&
                    ^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
       gen->type != GEN_URI)
                    ^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed

Fixes: 00722a720c ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-27 12:11:47 +02:00
Jo-Philipp Wich
bc1c9fdc20 hostapd: recognize option "key" as alias for "auth_secret"
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.

Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.

Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:19:29 +02:00
Jo-Philipp Wich
321503dbf3 hostapd: make "key" option optional if "wpa_psk_file" is provided
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.

While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.

Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:04:02 +02:00
Petr Štetiar
c487cf8e94 hostapd: add wpad-basic-wolfssl variant
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-07 12:02:19 +02:00
David Bauer
8b3e170526 hostapd: fix incorrect service name
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:

netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process  path (/proc/exe)

Fixing the service name retrieves the correct PID and therefore the
warning won't occur.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-31 19:51:51 +02:00
Adrian Schmutzler
c4dd7fc23b hostapd: reorganize config selection hierarchy for WPA3
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.

This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.

It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.

The patch is supposed to be cosmetic.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-31 11:40:15 +02:00
Adrian Schmutzler
917980fd8a hostapd: improve TITLE for packages
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.

Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.

While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-30 16:27:44 +01:00
Daniel Golle
34705946e2 hostapd: update mesh DFS patches and add mesh HE support
Drop outdated and by now broken patchset originally supplied by
Peter Oh in August 2018 but never merged upstream.
Instead add the more promissing rework recently submitted by
Markus Theil who picked up Peter's patchset, fixed and completed it
and added support for HE (802.11ax) in mesh mode.

This is only compile tested and needs some real-life testing.

Fixes: FS#3214
Fixes: 167028b750 ("hostapd: Update to version 2.9 (2019-08-08)")
Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Fixes: 017320ead3 ("hostapd: bring back mesh patches")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-07-30 16:27:44 +01:00
David Bauer
93bbd998aa hostapd: enter DFS state if no available channel is found
Previously hostapd would not stop transmitting when a DFS event was
detected and no available channel to switch to was available.

Disable and re-enable the interface to enter DFS state. This way, TX
does not happen until the kernel notifies hostapd about the NOP
expiring.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-20 15:08:19 +02:00
Karel Kočí
a4248577a0 hostapd: fix compilation of wpa_supplicant
Ubus patch as it seems have been broken by some rebase in the past as
the location of line that adds ubus object file was in condition for
CONFIG_MACSEC. That condition was adding object files that are not
touched by ubus patch. This means ubus.o does not have to be included in
that case. When it has to be and when build fails is when CONFIG_AP is
set. All files included in wpa_supplicant that are touched by this patch
are in this condition. This means that this is for sure the original
place for it.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2020-06-18 20:08:18 +02:00
Johann Neuhauser
c0ddb85a1d hostapd: hostapd_set_psk_file: fix defaut value for mac
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bringing up of station vlan fails if the optional mac entry isn't set.
The default mac "00:00:00:00:00:00", which should match all stations,
is mistakenly set to the non used variable "isolate". This results in
a wrong formatted .psk file which has to be "vlan_id mac key".

fixes: 5aa2ddd0: hostapd: add support for wifi-station and wifi-vlan sections

Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
2020-06-13 18:31:43 +02:00
Felix Fietkau
41d7a14ead hostapd: add config symbol for allowing drivers to enable 802.11ax support
Also expose a build feature for it

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-10 12:56:35 +02:00
Petr Štetiar
df6a33a8d4 hostapd: update to latest Git hostap_2_9-1331-g5a8b366233f5
Bump to latest Git and refresh all patches in order to get fix for "UPnP
SUBSCRIBE misbehavior in hostapd WPS AP" (CVE-2020-12695).

 General security vulnerability in the way the callback URLs in the UPnP
 SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695).
 Some of the described issues may be applicable to the use of UPnP in WPS
 AP mode functionality for supporting external registrars.

Ref: https://w1.fi/security/2020-1/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-09 16:59:33 +02:00
Stijn Tintel
8a858363b0 hostapd: silence rm
When bringing up wifi the first time after boot, these warnings appear:

netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.psk': No such file or directory
netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.vlan': No such file or directory

Silence them by adding the "-f" option to rm.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
2020-06-08 08:59:02 +03:00
John Crispin
5aa2ddd0d6 hostapd: add support for wifi-station and wifi-vlan sections
This patch adds support for 2 new uci sections.

config wifi-vlan
	# iface is optional. if it is not defined the vlan will apply
	# to all interfaces
        option iface	default_radio0
        option name	guest
        option vid	100
        option network	guest

config wifi-station
	# iface is optional. if it is not defined the station will apply
	# to all interfaces
        option iface	default_radio0
        # mac is optional. if it is not defined it will be a catch all
	# for any sta using this key
	option mac	'00:11:22:33:44:55'
        # vid is optional. if it is not defined, the sta will be part of
	# the primary iface.
	option vid	100
        option key	testtest

With this patch applied it is possible to use multiple PSKs on a single BSS.

Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04 13:36:37 +02:00
Enrique Rodríguez Valencia
6e8bb68996 hostapd: Add disable_vht when using NOHT/HT* modes
disable_vht parameter needs to be set when using wpa_supplicant NOHT/HT* modes.

Signed-off-by: Enrique Rodríguez Valencia <enrique.rodriguez@galgus.net>
2020-05-28 14:06:55 +01:00
David Bauer
a9f7510150 hostapd: add WEP as queryable build feature
Commit 472fd98c5b ("hostapd: disable support for Wired Equivalent
Privacy by default") made support for WEP optional.

Expose the WEP support to LuCi or other userspace tools using the
existing interface. This way they are able to remove WEP from the
available ciphers if hostapd is built without WEP support.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-05-22 21:54:30 +02:00
Daniel Golle
017320ead3 hostapd: bring back mesh patches
Bring back 802.11s mesh features to the level previously available
before the recent hostapd version bump. This is mostly to support use
of 802.11s on DFS channels, but also making mesh forwarding
configurable which is crucial for use of 802.11s MAC with other routing
protocols, such as batman-adv, on top.
While at it, fix new compiler warning by adapting 700-wifi-reload.patch
to upstream changes, now building without any warnings again.

Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-05-21 10:21:59 +01:00
Petr Štetiar
472fd98c5b hostapd: disable support for Wired Equivalent Privacy by default
Upstream in commit 200c7693c9a1 ("Make WEP functionality an optional
build parameter") has made WEP functionality an optional build parameter
disabled as default, because WEP should not be used for anything
anymore. As a step towards removing it completely, they moved all WEP
related functionality behind CONFIG_WEP blocks and disabled it by
default.

This functionality is subject to be completely removed in a future
release.

So follow this good security advice, deprecation notice and disable WEP
by default, but still allow custom builds with WEP support via
CONFIG_WPA_ENABLE_WEP config option till upstream removes support for
WEP completely.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 08:18:01 +02:00
Petr Štetiar
0a3ec87a66 hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed
Bump package to latest upstream Git HEAD which is commit dd2daf0848ed
("HE: Process HE 6 GHz band capab from associating HE STA"). Since last
update there was 1238 commits done in the upstream tree with 618 files
changed, 53399 insertions, 24928 deletions.

I didn't bothered to rebase mesh patches as the changes seems not
trivial and I don't have enough knowledge of those parts to do/test that
properly, so someone else has to forward port them, ideally upstream
them so we don't need to bother anymore. I've just deleted them for now:

 004-mesh-use-setup-completion-callback-to-complete-mesh-.patch
 005-mesh-update-ssid-frequency-as-pri-sec-channel-switch.patch
 006-mesh-inform-kernel-driver-DFS-handler-in-userspace.patch
 007-mesh-apply-channel-attributes-before-running-Mesh.patch
 011-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
 013-mesh-do-not-allow-pri-sec-channel-switch.patch
 015-mesh-do-not-use-offchan-mgmt-tx-on-DFS.patch
 016-mesh-fix-channel-switch-error-during-CAC.patch
 018-mesh-make-forwarding-configurable.patch

Refreshed all other patches, removed upstreamed patches:

 051-wpa_supplicant-fix-race-condition-in-mesh-mpm-new-pe.patch
 067-0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 070-driver_nl80211-fix-WMM-queue-mapping-for-regulatory-.patch
 071-driver_nl80211-fix-regulatory-limits-for-wmm-cwmin-c.patch
 090-wolfssl-fix-crypto_bignum_sum.patch
 091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
 091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
 091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
 800-usleep.patch

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq8065/NBG6817; ipq40xx/MAP-AC2200]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 08:18:01 +02:00
Daniel Golle
631c437a91 hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-05-16 22:28:08 +01:00
Antonio Quartulli
4b3b8ec81c wpad-wolfssl: fix crypto_bignum_sub()
Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.

This missing fix was discovered while testing SAE over a mesh interface.

With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.

Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-28 11:45:44 +01:00
Daniel Golle
f37d634236 hostapd: reduce to a single instance per service
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14 00:22:21 +01:00
Rosen Penev
76d22fc24b hostapd: backport usleep patch
Optionally fixes compilation with uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-04-13 22:40:19 +02:00
Kirill Lukonin
dce97df740 wpa_supplicant: disable CONFIG_WRITE functionality
CONFIG_WRITE functionality is not used and could be removed.
Looks helpful for devices with small flash because wpad is also affected.

Little testing shows that about 6 KB could be saved.

Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
2020-04-13 22:40:06 +02:00
Kevin Darbyshire-Bryant
1c6143e4a0 hostapd: Move hostapd variants to WirelessAPD menu
It seemed very confusing when trying to select the different variants of
hostapd which are somewhat scattered about under the menu 'Network'.
Moving all hostapd variants under a common submenu helps avoid
confusion.

Inspired-by: Kevin Mahoney <kevin.mahoney@zenotec.net>
[Fixup badly formatted patch, change menu name]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-05 10:41:49 +01:00
Nick Hainke
c9c3fd1320 hostapd: add abridged flag in disassoc_imminent
If the abridged flag is set to 1 the APs that are listed in the BSS
Transition Candidate List are prioritized. If the bit is not set, the
APs have the same prioritization as the APs that are not in the list.

If you want to steer a client, you should set the flag!

The flag can be set by adding {...,'abridged': true,...} to the normal
ubus call.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2020-03-30 01:46:50 +02:00
Nick Hainke
c8ef465e10 hostapd: expose beacon reports through ubus
Subscribe to beacon reports through ubus.
Can be used for hearing map and client steering purposes.

First enable rrm:
    ubus call hostapd.wlan0 bss_mgmt_enable '{"beacon_report":True}'

Subscribe to the hostapd notifications via ubus.

Request beacon report:
    ubus call hostapd.wlan0 rrm_beacon_req
	'{"addr":"00:xx:xx:xx:xx:xx", "op_class":0, "channel":1,
	"duration":1,"mode":2,"bssid":"ff:ff:ff:ff:ff:ff", "ssid":""}'

Signed-off-by: Nick Hainke <vincent@systemli.org>
[rework identation]
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-03-30 01:46:50 +02:00
Jesus Fernandez Manzano
86440659b5 hostapd: Add 802.11r support for WPA3-Enterprise
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2020-03-30 01:46:50 +02:00
Daniel Golle
50a59b3a39 hostapd: fix segfault in wpa_supplicant ubus
When introducing ubus reload support, ubus initialization was moved
to the service level instead of being carried out when adding a BSS
configuration. While this works when using wpa_supplicant in that way,
it breaks the ability to run wpa_supplicant on the command line, eg.
for debugging purposes.
Fix that by re-introducing ubus context intialization when adding
configuration.

Reported-by: @PolynomialDivision https://github.com/openwrt/openwrt/pull/2417
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-03-18 19:05:22 +01:00
Leon M. George
b78f61c336 hostapd: fix pointer cast warnings
Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-03-17 10:23:28 +01:00
Leon M. George
a8a993e64c hostapd: remove trailing whitespace
Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-03-17 10:23:28 +01:00
John Crispin
d3b7838ebe hostapd: enhance wifi reload
Add a radio_config_id property. If the radio config changes return an error
upon receiving the reconf call.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-25 17:01:55 +01:00
Piotr Dymacz
2d113f89d2 hostapd: start hostapd/wpa_supplicant for all wiphy devices
c888e17e06 ("hostapd: manage instances via procd instead of pidfile")
added procd support for managing hostapd and wpa_supplicant daemons
but at the same time limited wiphy names to 'phy*'.

This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd:
add ubus reload") and makes procd manage daemons for any wiphy device
found in '/sys/class/ieee80211'.

CC: Felix Fietkau <nbd@nbd.name>
CC: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2020-02-24 23:27:50 +01:00
Jo-Philipp Wich
766e778226 hostapd: remove erroneous $(space) redefinition
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.

Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.

Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-08 11:45:33 +01:00
Felix Fietkau
b3e86cbb4f hostapd: add back support for passing CSA events from sta/mesh to AP interfaces
Fixes handling CSA when using AP+STA or AP+Mesh
This change was accidentally dropped in commit 167028b75
("hostapd: Update to version 2.9 (2019-08-08)")

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-29 12:25:10 +01:00
Felix Fietkau
03e9e4ba9e hostapd: unconditionally enable ap/mesh for wpa-cli
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-28 14:38:43 +01:00
Sven Roederer
3519bf4976 hostapd: remove some bashisms
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[remove shebang, slightly facelift commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-26 22:03:00 +01:00
Felix Fietkau
c07f6e8659 hostapd: fix faulty WMM IE parameters with ETSI regulatory domains
hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-23 14:53:13 +01:00
David Lam
a5f3648a1c hostapd: add support for system cert bundle validation
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise
based network securely because the RADIUS server's CA certificate must first be
extracted from the EAPOL handshake using tcpdump or other methods before it can
be pinned using the ca_cert(2) fields. To make this process easier and more
secure (combined with changes in openwrt/openwrt#2654), this commit adds
support for validating against the built-in CA bundle when the ca-bundle
package is installed. Related LuCI changes in openwrt/luci#3513.

Signed-off-by: David Lam <david@thedavid.net>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-16 12:08:18 +01:00
Daniel Golle
702c70264b hostapd: cleanup IBSS-RSN
set noscan also for IBSS and remove redundant/obsolete variable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-16 10:26:21 +02:00
Kyle Copperfield
0fcb4a3981 hostapd: add wpa_strict_rekey support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:49 +01:00
Kyle Copperfield
30c64825c7 hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:44 +01:00
David Lam
22b07ff73e hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.

From the documentation:

subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com

subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.

altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI

altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.

domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.

domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 17:46:27 +01:00
Hauke Mehrtens
6b2379d048 hostapd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 26% uncompressed and 16% compressed
on MIPS BE.

old:
460,933 /usr/sbin/wpad
283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

new:
584,508 /usr/sbin/wpad
330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
David Bauer
ab16adf80b hostapd: disable ft_psk_generate_local for non-PSK networks
Without this commit, ft_psk_generate_local is enabled for non-PSK
networks by default. This breaks 802.11r for EAP networks.

Disable ft_psk_generate_local by default for non-PSK networks resolves
this misbehavior.

Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
2020-01-09 01:01:20 +01:00
Daniel Golle
24b97579d2 hostapd: re-introduce process tracking
Before commit 60fb4c92b6 ("hostapd: add ubus reload") netifd was
tracking hostapd/wpa_supplicant and restarting wifi in case of a
process crash. Restore this behaviour by tracking the PIDs of
hostapd and wpa_supplicant.
Also make sure hostapd and/or wpa_supplicant have been started before
emmitting ubus calls to them using ubus wait_for.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-12-08 19:52:39 +01:00
Felix Fietkau
c888e17e06 hostapd: manage instances via procd instead of pidfile
Allows graceful restart of crashing hostapd/wpa_supplicant instances

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: attempt to launch only present services]
2019-12-08 19:52:38 +01:00
Felix Fietkau
4225b83a76 hostapd: fix crash regression triggered by mesh mode
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: polish commit message]
2019-12-08 19:51:53 +01:00
David Bauer
1ccf4bb93b hostapd: enable CTRL_IFACE_MIB for hostapd-full
This enables the CTRL_IFACE_MIB symbol for wpad-full and hostapd-full.
If it is not enabled, statistic outputs such as "hostapd_cli all_sta"
are empty.

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-08 12:49:09 +01:00