Commit Graph

94 Commits

Author SHA1 Message Date
Nick Lowe
81ff23fc91 hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.

The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.

Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.

Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.

Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.

For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.

A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.

There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.

There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.

Cell Density

0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.

1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.

2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.

3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.

Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-11-30 09:31:15 +01:00
Stijn Tintel
26c26e11a2 hostapd: fix "sh: out of range" errors
Several variables in hostapd.sh can be used uninitialized in numerical
comparisons, causing errors in logread:

netifd: radio24 (1668): sh: out of range

Set defaults for those variables to silence those errors.

Fixes: b518f07d4b ("hostapd: remove ieee80211v option")
Fixes: cc80cf53c5 ("hostapd: add FTM responder support")
Fixes: e66bd0eb04 ("hostapd: make rrm report independent of ieee80211k setting")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-11-26 02:25:23 +02:00
Dobroslaw Kijowski
edb93eda16 hostapd: add support for static airtime policy configuration
* Add support for passing airtime_sta_weight into hostapd configuration.
* Since that commit it is possible to configure station weights. Set higher
  value for larger airtime share, lower for smaller share.

I have tested this functionality by modyfing /etc/config/wireless to:

config wifi-device 'radio0'
	...
        option airtime_mode '1'

config wifi-iface 'default_radio0'
	...
        list airtime_sta_weight '01:02:03:04:05:06 1024'

Now, when the station associates with the access point it has been assigned
a higher weight value.
root@OpenWrt:~# cat /sys/kernel/debug/ieee80211/phy0/netdev\:wlan0/stations/01\:02\:03\:04\:05\:06/airtime
RX: 12656 us
TX: 10617 us
Weight: 1024
Deficit: VO: -2075 us VI: 256 us BE: -206 us BK: 256 us

[MAC address has been changed into a dummy one.]

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-11-17 17:06:16 +01:00
Dobroslaw Kijowski
03cdeb5f97 hostapd: fix per-BSS airtime configuration
airtime_mode is always parsed as an empty string since it hasn't been
added into hostapd_common_add_device_config function.

Fixes: e289f183 ("hostapd: add support for per-BSS airtime configuration")
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-11-17 17:05:20 +01:00
David Bauer
7463a0b5ee hostapd: fix variable shadowing
Fixes commit 838b412cb5 ("hostapd: add interworking support")

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:22 +01:00
David Bauer
838b412cb5 hostapd: add interworking support
This adds configuration options to enable interworking for hostapd.
All options require iw_enabled to be set to 1 for a given VAP.

All IEEE802.11u related settings are supported with exception of the
venue information which will be added as separate UCI sections at a
later point.

The options use the same name as the ones from the hostapd.conf file
with a "iw_" prefix added.

All UCI configuration options are passed without further modifications
to hostapd with exceptions of the following options, whose elements can
be provided using UCI lis elements:

 - iw_roaming_consortium
 - iw_anqp_elem
 - iw_nai_realm
 - iw_domain_name
 - iw_anqp_3gpp_cell_net

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:09:04 +01:00
David Bauer
cc80cf53c5 hostapd: add FTM responder support
This adds support for enabling the FTM responder flag for the APs
extended capabilities. On supported hardware, enabling the ftm_responder
config key for a given AP will enable the FTM responder bit.

FTM support itself is unconditionally implemented in the devices
firmware (ath10k 2nd generation with 3.2.1.1 firmware). There's
currently no softmac implementation.

Also allow to configure LCI and civic location information which can be
transmitted to a FTM initiator.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:08:56 +01:00
David Bauer
b518f07d4b hostapd: remove ieee80211v option
Remove the ieee80211v option. It previously was required to be enabled
in order to use time_advertisement, time_zone, wnm_sleep_mode and
bss_transition, however it didn't enable any of these options by default.

Remove it, as configuring these options independently is enough.

This change does not influence the behavior of any already configured
setting.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:08:29 +01:00
David Bauer
e66bd0eb04 hostapd: make rrm report independent of ieee80211k setting
Allow to configure both RRM beacon as well as neighbor reports
independently and only enable them by default in case the ieee80211k
config option is set.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 00:08:22 +01:00
Felix Fietkau
cba4120768 mac80211: add support for specifying a per-device scan list
This is useful to bring up multiple client mode interfaces on a single
channel much faster without having to scan through a lot of channels

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-09-29 17:32:26 +02:00
David Bauer
e289f18347 hostapd: add support for per-BSS airtime configuration
Add support for per-BSS airtime weight configuration. This allows to set
a airtime weight per BSS as well as a ratio limit based on the weight.

Support for this feature is only enabled in the full flavors of hostapd.

Consult the hostapd.conf documentation (Airtime policy configuration)
for more information on the inner workings of the exposed settings.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-11 17:35:48 +02:00
Daniel Golle
be9694aaa2 hostapd: add UCI support for Hotspot 2.0
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-08 20:04:14 +01:00
Jo-Philipp Wich
bc1c9fdc20 hostapd: recognize option "key" as alias for "auth_secret"
The hostapd configuration logic is supposed to accept "option key" as
legacy alias for "option auth_secret". This particular fallback option
failed to work though because "key" was not a registered configuration
variable.

Fix this issue by registering the "key" option as well, similar to the
existing "server" nad "port" options.

Ref: https://github.com/openwrt/openwrt/pull/3282
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:19:29 +02:00
Jo-Philipp Wich
321503dbf3 hostapd: make "key" option optional if "wpa_psk_file" is provided
If an existing "wpa_psk_file" is passed to hostapd, the "key" option may
be omitted.

While we're at it, also improve the passphrase length checking to ensure
that it is either exactly 64 bytes or 8 to 63 bytes.

Fixes: FS#2689
Ref: https://github.com/openwrt/openwrt/pull/3283
Suggested-by: Michael Jones <mike@meshplusplus.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-08-07 21:04:02 +02:00
David Bauer
8b3e170526 hostapd: fix incorrect service name
When retrieving the PID for hostapd and wpa_supplicant via ubus the
wrong service name is currently used. This leads to the following error
in the log:

netifd: radio0 (1409): WARNING (wireless_add_process):
executable path /usr/sbin/wpad does not match process  path (/proc/exe)

Fixing the service name retrieves the correct PID and therefore the
warning won't occur.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-07-31 19:51:51 +02:00
Johann Neuhauser
c0ddb85a1d hostapd: hostapd_set_psk_file: fix defaut value for mac
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bringing up of station vlan fails if the optional mac entry isn't set.
The default mac "00:00:00:00:00:00", which should match all stations,
is mistakenly set to the non used variable "isolate". This results in
a wrong formatted .psk file which has to be "vlan_id mac key".

fixes: 5aa2ddd0: hostapd: add support for wifi-station and wifi-vlan sections

Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
2020-06-13 18:31:43 +02:00
Stijn Tintel
8a858363b0 hostapd: silence rm
When bringing up wifi the first time after boot, these warnings appear:

netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.psk': No such file or directory
netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.vlan': No such file or directory

Silence them by adding the "-f" option to rm.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
2020-06-08 08:59:02 +03:00
John Crispin
5aa2ddd0d6 hostapd: add support for wifi-station and wifi-vlan sections
This patch adds support for 2 new uci sections.

config wifi-vlan
	# iface is optional. if it is not defined the vlan will apply
	# to all interfaces
        option iface	default_radio0
        option name	guest
        option vid	100
        option network	guest

config wifi-station
	# iface is optional. if it is not defined the station will apply
	# to all interfaces
        option iface	default_radio0
        # mac is optional. if it is not defined it will be a catch all
	# for any sta using this key
	option mac	'00:11:22:33:44:55'
        # vid is optional. if it is not defined, the sta will be part of
	# the primary iface.
	option vid	100
        option key	testtest

With this patch applied it is possible to use multiple PSKs on a single BSS.

Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04 13:36:37 +02:00
Enrique Rodríguez Valencia
6e8bb68996 hostapd: Add disable_vht when using NOHT/HT* modes
disable_vht parameter needs to be set when using wpa_supplicant NOHT/HT* modes.

Signed-off-by: Enrique Rodríguez Valencia <enrique.rodriguez@galgus.net>
2020-05-28 14:06:55 +01:00
Daniel Golle
f37d634236 hostapd: reduce to a single instance per service
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-04-14 00:22:21 +01:00
Jesus Fernandez Manzano
86440659b5 hostapd: Add 802.11r support for WPA3-Enterprise
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
2020-03-30 01:46:50 +02:00
Sven Roederer
3519bf4976 hostapd: remove some bashisms
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[remove shebang, slightly facelift commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-26 22:03:00 +01:00
David Lam
a5f3648a1c hostapd: add support for system cert bundle validation
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise
based network securely because the RADIUS server's CA certificate must first be
extracted from the EAPOL handshake using tcpdump or other methods before it can
be pinned using the ca_cert(2) fields. To make this process easier and more
secure (combined with changes in openwrt/openwrt#2654), this commit adds
support for validating against the built-in CA bundle when the ca-bundle
package is installed. Related LuCI changes in openwrt/luci#3513.

Signed-off-by: David Lam <david@thedavid.net>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-16 12:08:18 +01:00
Daniel Golle
702c70264b hostapd: cleanup IBSS-RSN
set noscan also for IBSS and remove redundant/obsolete variable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-16 10:26:21 +02:00
Kyle Copperfield
0fcb4a3981 hostapd: add wpa_strict_rekey support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:49 +01:00
Kyle Copperfield
30c64825c7 hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.

Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2020-01-15 20:13:44 +01:00
David Lam
22b07ff73e hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.

From the documentation:

subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com

subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.

altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI

altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.

domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.

domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 17:46:27 +01:00
David Bauer
ab16adf80b hostapd: disable ft_psk_generate_local for non-PSK networks
Without this commit, ft_psk_generate_local is enabled for non-PSK
networks by default. This breaks 802.11r for EAP networks.

Disable ft_psk_generate_local by default for non-PSK networks resolves
this misbehavior.

Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
2020-01-09 01:01:20 +01:00
Daniel Golle
24b97579d2 hostapd: re-introduce process tracking
Before commit 60fb4c92b6 ("hostapd: add ubus reload") netifd was
tracking hostapd/wpa_supplicant and restarting wifi in case of a
process crash. Restore this behaviour by tracking the PIDs of
hostapd and wpa_supplicant.
Also make sure hostapd and/or wpa_supplicant have been started before
emmitting ubus calls to them using ubus wait_for.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-12-08 19:52:39 +01:00
John Crispin
60fb4c92b6 hostapd: add ubus reload
Add ubus interface to hostapd and wpa_supplicant to allow dynamically
reloading wiface configuration without having to restart the hostapd
process.
As a consequence, both hostapd and wpa_supplicant are now started
persistently on boot for each wifi device in the system and then
receive ubus calls adding, modifying or removing interface
configuration.
At a later stage it would be desirable to reduce the services to one
single instance managing all radios.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:52:26 +01:00
David Bauer
3034f8c3b8 hostapd: enable PMKSA and OK caching for WPA3-Personal
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-11-04 18:46:54 +01:00
Kyle Copperfield
87f9292300 hostapd: add IEEE 802.11k support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enables radio resource management to be reported by hostapd to clients.

Ref: https://github.com/lede-project/source/pull/1430
Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2019-11-02 20:51:52 +01:00
Jo-Philipp Wich
abb4f4075e hostapd: mirror ieee80211w ap mode defaults in station mode
For AP mode, OpenWrt automatically sets ieee80211w to either 1 or 2, depending
on whether the encryption is set to sae-mixed, or sae/owe/eap suite-b.

Mirror the same defaults for client mode connections, in order to allow an
OpenWrt station to associate to an OpenWrt ap with SAE, OWE or Suite-B encryption
without the need to manually specify "option ieee80211w" on the station.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:28 +02:00
Jo-Philipp Wich
4209b28d23 hostapd: fix OWE settings in client mode
This changes fixes the generation of the wpa_supplicant client configuration
in WPA3 OWE client mode. Instead of incorrectly emitting key_mgmt=NONE, use
the proper key_mgmt=OWE setting instead.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:21 +02:00
Arnout Vandecappelle (Essensium/Mind)
2e0f41e73a hostapd: add Multi-AP patches and config options
Cherry-pick Multi-AP commits from uptream:
 9c06f0f6a hostapd: Add Multi-AP protocol support
 5abc7823b wpa_supplicant: Add Multi-AP backhaul STA support
 a1debd338 tests: Refactor test_multi_ap
 bfcdac1c8 Multi-AP: Don't reject backhaul STA on fronthaul BSS
 cb3c156e7 tests: Update multi_ap_fronthaul_on_ap to match implementation
 56a2d788f WPS: Add multi_ap_subelem to wps_build_wfa_ext()
 83ebf5586 wpa_supplicant: Support Multi-AP backhaul STA onboarding with WPS
 66819b07b hostapd: Support Multi-AP backhaul STA onboarding with WPS
 8682f384c hostapd: Add README-MULTI-AP
 b1daf498a tests: Multi-AP WPS provisioning

Add support for Multi-AP to the UCI configuration. Every wifi-iface gets
an option 'multi_ap'. For APs, its value can be 0 (multi-AP support
disabled), 1 (backhaul AP), 2 (fronthaul AP), or 3 (fronthaul + backhaul
AP). For STAs, it can be 0 (not a backhaul STA) or 1 (backhaul STA, can
only associate with backhaul AP).

Also add new optional parameter to wps_start ubus call of
wpa_supplicant to indicate that a Multi-AP backhaul link is required.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2019-02-20 13:17:11 +01:00
Felix Fietkau
6a15077e2d hostapd: send wpa_supplicant logging output to syslog
Helpful for debugging network connectivity issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 15:12:35 +01:00
Daniel Golle
f5753aae23 hostapd: add support for WPS pushbutton station
similar to hostapd, also add a ubus interface for wpa_supplicant
which will allow handling WPS push-button just as it works for hostapd.
In order to have wpa_supplicant running without any network
configuration (so you can use it to retrieve credentials via WPS),
configure wifi-iface in /etc/config/wireless:

  config wifi-iface 'default_radio0'
      option device 'radio0'
      option network 'wwan'
      option mode 'sta'
      option encryption 'wps'

This section will automatically be edited if credentials have
successfully been acquired via WPS.

Size difference (mips_24kc): roughly +4kb for the 'full' variants of
wpa_supplicant and wpad which do support WPS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-12-12 09:37:23 +01:00
Kevin Darbyshire-Bryant
3a6bddd7f7 hostapd: add utf8_ssid flag & enable as default
SSIDs may contain UTF8 characters but ideally hostapd should be told
this is the case so it can advertise the fact. Default enable this
option.

add uci option utf8_ssid '0'/'1' for disable/enable e.g.

config wifi-iface
	option utf8_ssid '0'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-11-14 17:41:18 +00:00
Hauke Mehrtens
4c3fae4adc hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)
This adds support for the WPA3-Enterprise mode authentication.

The settings for the WPA3-Enterpriese mode are defined in
WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and
guarantees at least 192 bit of security.

This does not increase the ipkg size by a significant size.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
18c6c93a3b hostapd: Activate Opportunistic Wireless Encryption (OWE)
OWE is defined in RFC 8110 and provides encryption and forward security
for open networks.

This is based on the requirements in the Wifi alliance document
Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf
The wifi alliance requires ieee80211w for the OWE mode.
This also makes it possible to configure the OWE transission mode which
allows it operate an open and an OWE BSSID in parallel and the client
should only show one network.

This increases the ipkg size by 5.800 Bytes.
Old: 402.541 Bytes
New: 408.341 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Hauke Mehrtens
4a009a16d2 hostapd: Activate Simultaneous Authentication of Equals (SAE)
This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.

This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.

The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.

This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-10-14 13:57:15 +02:00
Daniel Golle
69f544937f hostapd: update to git HEAD of 2018-05-21, allow build against wolfssl
Support for building wpa_supplicant/hostapd against wolfssl has been
added upstream recently, add build option to allow users using it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-24 22:21:10 +02:00
Gospod Nassa
3cc56a5534 hostapd: fix IEEE 802.11r (fast roaming) defaults
Use ft_psk_generate_local=1 by default, as it makes everything else fairly
trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd
fairly much does it all	for us.

We do need to provide nas_identifier, which can	be derived from	the BSSID,
and we need to generate	a mobility_domain, for which we	default	to the first
four chars of the md5sum of the	SSID.

The complex manual setup should also still work, but the defaults also
now work easily out of the box. Verified by manually running hostapd
(with the autogenerated config) and watching the debug output:

wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake

 This was previous submitted to LEDE in
 https://github.com/lede-project/source/pull/1382

[dwmw2: Rewrote commit message]
Signed-off-by: Gospod Nassa <devianca@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
2018-05-18 11:19:00 +02:00
Daniel Golle
6e0fa4a76d hostapd: fix mesh+AP
Fix encrypted (or DFS) AP+MESH interface combination in a way similar
to how it's done for AP+STA and fix netifd shell script.
Refresh patches while at it.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-14 09:48:58 +02:00
Nick Hainke
0a7657c300 hostapd: add channel utilization as config option
Add the channel utilization as hostapd configuration option.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2018-05-07 10:44:09 +02:00
Daniel Golle
a4322eba2b hostapd: fix encrypted mesh channel settings
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.

Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.

This time also make sure to add all files to the patch before
committing it...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 16:00:01 +02:00
Felix Fietkau
1a89547957 Revert "hostapd: fix encrypted mesh channel settings"
This reverts commit 7f52919a2f, which is
currently breaking the builds and needs to be reworked

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-20 10:36:42 +02:00
Daniel Golle
7f52919a2f hostapd: fix encrypted mesh channel settings
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.

Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-20 07:52:19 +02:00
Daniel Golle
ff8df2b3f9 hostapd: mesh: make forwarding configurable
For unencrypted mesh networks our scripts take care of setting
the various mesh_param values. wpa_supplicant changes somes of them
when being used for SAE encrypted mesh and previously didn't allow
configuring any of them. Add support for setting mesh_fwding (which
has to be set to 0 when using other routing protocols on top of
802.11s) and update our script to pass the value to wpa_supplicant.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-04-18 22:12:18 +02:00
Daniel Golle
eba3b028e4 hostapd: update to git snapshot of 2018-03-26
The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
 replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
 replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
 replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
 replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
 replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
 replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
 replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
 replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
 replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
 replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
 replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
 replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
 replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
 replaced by commit 114f2830d

Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.

For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-03-27 19:25:32 +02:00