Commit Graph

1692 Commits

Author SHA1 Message Date
Felix Fietkau
7b46377a0c hostapd: make the snooping interface (for proxyarp) configurable
Use the VLAN interface instead of the bridge, to ensure that hostapd receives
untagged DHCP packets

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-28 05:55:11 +02:00
Nick Hainke
3a94c2ca5c dnsmasq: add /tmp/hosts/ to jail_mount
Programs like the olsr-name-plugin write hostname files to "/tmp/hosts/".
If you don't add this to the jail_mount, dnsmasq can't read it anymore.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-07-19 13:11:23 +01:00
Hans Dedecker
033d5ff25e odhcpd: fix invalid DHCPv6 ADVERTSIE with small configured leasetime (FS#3935)
bc9d317 dhcpv6-ia: fix invalid preferred lifetime

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-07-18 19:34:10 +02:00
Felix Fietkau
9ec5f5f230 hostapd: add "force" parameter for channel switch
This will restart the interface in case the CSA fails and can be used to
force the device on a DFS channel (including full CAC)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-15 10:46:10 +02:00
Felix Fietkau
8f7e6db230 hostapd: fix uninitialized stack variable on CSA
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:34:08 +02:00
Felix Fietkau
da2c244e8c hostapd: initialize ht/vht/he mode on channel switch by default
Use the current mode, but allow overwriting via ubus command parameters

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:33:56 +02:00
Felix Fietkau
1ec4af4151 hostapd: add support for enabling HE on channel switch
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:33:47 +02:00
Felix Fietkau
9aa0561534 hostapd: make it possible to update station airtime weights via ubus
This allows dynamic tuning based on other runtime information

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-07-12 13:31:40 +02:00
David Bauer
b0483b19f9 hostapd: add HE flag to get_clients
Expose the hostapd HE flag via ubus to indicate HE capable devices.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-07-06 02:27:06 +02:00
Martin Weinelt
cde154c871 hostapd: remove unused mac_buff allocation
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
2021-07-06 02:26:44 +02:00
Martin Weinelt
398df62756 hostapd: report bssid, ssid and channel over ubus
Imports a function from iw to convert frequencies to channel numbers.

Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
[fix potential out of bounds read]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-07-06 02:26:38 +02:00
Kevin Darbyshire-Bryant
e4cfefa9fc dnsmasq: use local option for local domain parameter
'--local' is a synonym for '--server' so let's use '--local' in the
resultant config file for uci's 'local' instead of uci's local
parameter being turned into '--server'.  Slightly less confusion all
round.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-07-05 16:49:06 +01:00
Etan Kissling
ba5bd8e556 dnsmasq: distinct Ubus names for multiple instances
Currently, when using multiple dnsmasq instances they are all assigned
to the same Ubus instance name. This does not work, as only a single
instance can register with Ubus at a time. In the log, this leads to
`Cannot add object to UBus: Invalid argument` error messages.
Furthermore, upstream 3c93e8eb41952a9c91699386132d6fe83050e9be changes
behaviour so that instead of the log, dnsmasq exits at start instead.

With this patch, all dnsmasq instances are assigned unique names so that
they can register with Ubus concurrently. One of the enabled instances
is always assigned the previous default name "dnsmasq" to avoid breaking
backwards compatibility with other software relying on that default.
Previously, a random instance got assigned that name (while the others
produced error logs). Now, the first unnamed dnsmasq config section is
assigned the default name. If there are no unnamed dnsmasq sections the
first encountered named dnsmasq config section is assigned instead.

A similar issue exists for Dbus and was similarly addressed.

Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
[tweaked commit message] dnsmasq was not crashing it is exiting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-06-29 11:27:26 +01:00
Kevin Darbyshire-Bryant
76cc8a036c Revert "dnsmasq: Update to version 2.86test3"
This reverts commit 3628870015.

dnsmasq v2.86test3 has some issues with ubus, so is being reverted.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-06-26 20:31:29 +01:00
Kevin Darbyshire-Bryant
2a9d7ecd27 Revert "dnsmasq: add config option for connmark DNS filtering"
This reverts commit dea4bae7c2.

dnsmasq v2.86test3 has some issues with ubus and needs reverting, hence
this needs reverting.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-06-26 20:30:58 +01:00
Etan Kissling
dea4bae7c2 dnsmasq: add config option for connmark DNS filtering
This adds uci support to configure connmark based DNS filtering.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
(See https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/015151.html)
Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
2021-06-26 13:28:47 +01:00
Etan Kissling
3628870015 dnsmasq: Update to version 2.86test3
Need this version to add config option for connmark DNS filtering.

Summary of upstream CHANGELOG:
* Handle DHCPREBIND requests in the DHCPv6 server code.
* Fix bug which caused dnsmasq to lose track of processes forked.
* Major rewrite of the DNS server and domain handling code.
* Revise resource handling for number of concurrent DNS queries.
* Improve efficiency of DNSSEC.
* Connection track mark based DNS query filtering.

Signed-off-by: Etan Kissling <etan.kissling@gmail.com>
2021-06-26 13:28:08 +01:00
Felix Fietkau
1818b038d7 hostapd: add support for providing vendor specific IE elements
They can be added as hex digit strings via the 'vendor_elements' option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-24 15:56:46 +02:00
Raphaël Mélotte
acdb7c38c6 hostapd: add default_disabled option to the supplicant
With the default configuration we generate, the supplicant starts
scanning and tries to connect to any open network when the interface
is enabled.

In some cases it can be desirable to prevent the supplicant from
scanning by itself. For example, if on the same radio an AP is
configured and an unconfigured STA is added (to be configured with
WPS), the AP might not be able to beacon until the STA stops
scanning.

In such a case, the STA configuration can still be required to set
specific settings (e.g. multi_ap_backhaul_sta) so it can't be set to
"disabled" in uci (because that would prevent the supplicant from
being run at all). The alternative is to add the "disabled" parameter
to the default network block in the supplicant configuration.

This patch adds a "default_disabled" setting in UCI which, when set,
adds the "disabled" parameter to the supplicant default network block.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-06-23 14:52:16 -10:00
Timo Sigurdsson
bf98faaac8 hostapd: make wnm_sleep_mode_no_keys configurable
In the aftermath of the KRACK attacks, hostapd gained an AP-side workaround
against WNM-Sleep Mode GTK/IGTK reinstallation attacks. WNM Sleep Mode is not
enabled by default on OpenWrt, but it is configurable through the option
wnm_sleep_mode. Thus, make the AP-side workaround configurable as well by
exposing the option wnm_sleep_mode_no_keys. If you use the option
wpa_disable_eapol_key_retries and have wnm_sleep_mode enabled, you might
consider using this workaround.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-22 11:10:06 -10:00
Timo Sigurdsson
85ce590705 hostapd: fix handling of the channel utilization options
Commit 0a7657c ("hostapd: add channel utilization as config option") added the
two new uci options bss_load_update_period and chan_util_avg_period. However,
the corresponding "config_add_int" calls for these options weren't added, so
attempting to actually use these options and change their values is bound to
fail - they always stay at their defaults. Add the missing code to actually
make these options work.

Fixes: 0a7657c ("hostapd: add channel utilization as config option")
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-21 19:04:06 -10:00
Timo Sigurdsson
9f09c1936a hostapd: make country3 option configurable
The country3 option in hostapd.conf allows the third octet of the country
string to be set. It can be used e.g. to indicate indoor or outdoor use (see
hostapd.conf for further details). Make this option configurable but optional
in OpenWrt.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
2021-06-21 19:02:33 -10:00
Michael Yartys
b9b4aef4f2 hostapd: add support for setting sae_pwe
Make it possible to specify the SAE mechanism for PWE derivation. The
following values are possible:

0 = hunting-and-pecking loop only
1 = hash-to-element only
2 = both hunting-and-pecking loop and hash-to-element enabled

hostapd currently defaults to hunting-and-pecking loop only.

Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
2021-06-20 15:42:52 -10:00
Dobroslaw Kijowski
bb2ac5a33b hostapd: stop advertising 11w feature
This is a follow up of 1a9b896d ("treewide: nuke DRIVER_11W_SUPPORT").
LuCI commit ab010406 ("luci-mod-network: skip check for 802.11w feature")
skips check of the 11w feature [1]. Now advertising it in hostapd is
superfluous so stop doing it.

[1]: https://github.com/openwrt/luci/pull/4689

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
[remove outdated PKG_RELEASE bump and update to SPDX]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-06-20 14:11:30 -10:00
Martin Schiller
2c6c1501af uhttpd: make organization (O=) of the cert configurable via uci
Make the organization (O=) of the cert configurable via uci. If not
configured, use a combination of "OpenWrt" and an unique id like it was
done before.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2021-06-20 13:50:36 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hans Dedecker
6ed0ddde05 odhcpd: update to latest git HEAD
564d25e config: fix ra_flags none setting

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-06-13 22:28:40 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00
Felix Fietkau
305c1b8d74 hostapd: configure inter-AP communication interface for 802.11r
In setups using VLAN bridge filtering, hostapd may need to communicate using
a VLAN interface on top of the bridge, instead of using the bridge directly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-05 06:53:29 +02:00
Felix Fietkau
89bd8607f8 hostapd: fix bringing up vlan interfaces with the no-bridge option
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-04 20:36:42 +02:00
Hans Dedecker
4fd4e9997a odhcpd: update to git HEAD
a12fcb3 config: log config parse failures to syslog
ebd4297 cmake: enforce additonal compiler checks
405da32 odhcpd: fix extra compiler warning

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-06-03 21:07:42 +02:00
John Crispin
96e9c81aab hostapd: fix radius problem due to invalid attributes
The offending commit caused the configuration file to contain:
  radius_auth_req_attr=
  radius_acct_req_attr=
which cause hostapd to add an ATTR of type 0 into the messages.

hostapd: RADIUS message: code=4 (Accounting-Request) identifier=0 length=93
hostapd:    Attribute 40 (Acct-Status-Type) length=6
hostapd:       Value: 7
hostapd:    Attribute 30 (Called-Station-Id) length=28
hostapd:       Value: 'C4-41-1E-F5-2D-55:OpenWifi'
hostapd:    Attribute 61 (NAS-Port-Type) length=6
hostapd:       Value: 19
hostapd:    Attribute 0 (?Unknown?) length=3    <----------------
hostapd:    Attribute 55 (Event-Timestamp) length=6
hostapd:       Value: 1622726457
hostapd:    Attribute 41 (Acct-Delay-Time) length=6
hostapd:       Value: 0
hostapd:    Attribute 44 (Acct-Session-Id) length=18
hostapd:       Value: '9B5961E7235AAEC6'

Fixes: 3bd6c8c728 (hostapd: add additional radius options)
Signed-off-by: John Crispin <john@phrozen.org>
2021-06-03 16:00:51 +02:00
John Crispin
98621c9782 hostapd: add eap_server support
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
704ab6a002 hostapd: add default values for r0kh/r1kh
This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
ec223cf724 hostapd: add support for specifying the maxassoc parameter as a device option
It allows enforcing a limit on associated stations to be enforced for the
full device, e.g. in order to deal with hardware/driver limitations

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
e309b57619 hostapd: add support for configuring proxy ARP
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
190d4b6184 hostapd: add configurable rssi thresholds for rejecting assoc/probe requests
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Felix Fietkau
46509a51dd hostapd: add support for configuring the beacon rate
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-06-02 09:33:12 +02:00
Adrian Schmutzler
54cc1756e2 hostapd: update to version 2021-05-22
This update only adds one commit:
b102f19bcc53 tests: Opportunistic Wireless Encryption - SA Query

The main reason for the bump is to have a newer PKG_SOURCE_DATE,
so we can reset PKG_RELEASE to 1 (this has not been done for the
most recent bump), and replace it with AUTORELEASE.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-05-29 00:31:25 +02:00
Felix Fietkau
962d530dea hostapd: support verbose build using V=sc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-27 12:17:02 +02:00
David Bauer
553cc47ec7 hostapd: ACS: fix channel 100 frequency
Channel 100 is a valid channel to choose for 80MHz operation. However,
it's assigned to 5500 MHz, not 5550MHz. In fact, there is no channel
assigned to this frequency.

Fix this obbvious typo to allow ACS to select channel 100 for 80 MHz
operation again.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-26 23:12:09 +02:00
Felix Fietkau
d87b58bb09 hostapd: fix adding back stations after a missed deauth/disassoc
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
eefed841b0 hostapd: update to version 2021-05-21
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
26da5c2359 hostapd: add support for configuring rts threshold
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
2319cf4ec0 hostapd: fix max_oper_chwidth setting for HE
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
John Crispin
3bd6c8c728 hostapd: add additional radius options
- add functionality to configure RADIUS NAS-Id and Operator-Name
- add functionality to configure RADIUS accounting interval
- enable RADIUS "Chargeable User Identity"

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
c76f1d8330 hostapd: add extra options for hotspot 2.0 / interworking
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
753a91d1d1 hostapd: report radar detected events via ubus
Events are reported on all BSS interfaces

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
8e2ca15726 hostapd: improve channel switch support
Instead of requiring the user to call it on each BSS individually,
run it on all BSSs internally.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
Felix Fietkau
33c69aee41 hostapd: add missing inline stubs for ubus vlan event support
Only used when building without ubus support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-26 11:48:14 +02:00
John Crispin
937dd79e2a hostapd: fix civic location option
Signed-off-by: John Crispin <john@phrozen.org>
2021-05-26 11:48:14 +02:00
David Bauer
ddcb970274 hostapd: wolfssl: add RNG to EC key
Since upstream commit 6467de5a8840 ("Randomize z ordinates in
scalar mult when timing resistant") WolfSSL requires a RNG for
the EC key when built hardened which is the default.

Set the RNG for the EC key to fix connections for OWE clients.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-21 15:44:05 +02:00
Felix Fietkau
cf45caeff1 hostapd: add patch for disabling automatic bridging of vlan interfaces
netifd is responsible for handling that, except if the vlan bridge
was provided by the config

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Felix Fietkau
2d89d7c748 hostapd: add ubus notifications for adding/removing vlan interfaces
This can be used to handle network configuration of dynamically created vlan
interfaces in a more flexible way

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Stijn Tintel
844598dcbb umdns: bump to git HEAD
777a0b service: fix compilation with GCC 10

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-05-16 03:59:54 +03:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Alan Swanson
3980daffa4 dnsmasq: Update to version 2.85
Fixes issue with merged DNS requests in 2.83/2.84 not being
retried on the firsts failed request causing lookup failures.

Also fixes the following security problem in dnsmasq:
* CVE-2021-3448:
  If specifiying the source address or interface to be used
  when contacting upstream name servers such as:
  server=8.8.8.8@1.2.3.4, server=8.8.8.8@1.2.3.4#66 and
  server=8.8.8.8@eth0 then all would use the same socket
  bound to the explicitly configured port. Now only
  server=8.8.8.8@1.2.3.4#66 will use the explicitly
  configured port and the others random source ports.

Remove upstreamed patches and update remaining patch.

Signed-off-by: Alan Swanson <reiver@improbability.net>
[refreshed old runtime support patch]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-05-05 09:19:46 +01:00
João Henriques
e8a5670122 dnsmasq: add ignore hosts dir to dnsmasq init script
When running multiple instances of dnsmasq, for example one being for the lan
and another for a guest network, it might not be desirable to have the same dns names
configured in both networks

Signed-off-by: João Henriques <joaoh88@gmail.com>
2021-04-24 21:35:27 +02:00
Daniel Golle
00a85a1634
umdns: add missing syscalls to seccomp filter
Looks like 'openat', 'pipe2' and 'ppoll' are now needed, possibly due
to changes on libraries used by umdns now using slightly different
calls.

Found using
/etc/init.d/umdns trace
now use umdns, ie. cover all ubus call etc., then
/etc/init.d/umdns stop
find list of syscalls traced in /tmp/umdns.*.json

Fixes: FS#3355 ("UMDNS: does not start on master with seccomp")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-04-10 17:36:03 +01:00
Stijn Tintel
bcdf600fc5 lldpd: further size reductions
Size difference on mips_4kec:
Before: 120196
After:  120006

Closes https://github.com/openwrt/openwrt/pull/3823

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-04-05 18:50:17 +03:00
Stijn Tintel
e4d7e7b3e4 lldpd: enable LTO
Size difference on mips_4kec:
W/o LTO: 139674
W/ LTO:  120196

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Suggested-by: Lucian Cristian <lucian.cristian@gmail.com>
2021-04-05 18:50:11 +03:00
Stijn Tintel
8946be0ab5 lldpd: bump to 1.0.9
Contains fixes related to CVE-2020-27827.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-04-05 18:27:42 +03:00
Stijn Tintel
c935c6ffb6 lldpd: add libcap dependency
Now that libcap is in OpenWrt base, we can drop our custom patch to
disable libcap support and have lldpd depend on it instead. This will
allow the monitor process to drop its privileges instead of running as
root, improving security.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-04-05 18:20:48 +03:00
Rui Salvaterra
d38f456582 hostapd: enable airtime policy for the -basic variants
Airtime policy configuration is extremely useful in multiple BSS scenarios.
Since nowadays most people configure both private and guest networks (at
least), it makes sense to enable it by default, except for the most limited
of the variants.

Size of the hostapd-basic-openssl binary (mipsel 24Kc -O2):
543944 bytes (airtime policy disabled)
548040 bytes (airtime policy enabled)

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Acked-by: Daniel Golle <daniel@makrotopia.org>
2021-04-03 18:57:13 +02:00
Jan Pavlinec
abbaf696f6 igmpproxy: remove package
Moved to packages repo because it was considered
non-essential for most router configurations.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[shorten commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-03-21 22:45:20 +01:00
Hauke Mehrtens
1170655f8b uhttpd: update to git HEAD
15346de client: Always close connection with request body in case of error

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:34:13 +01:00
Hauke Mehrtens
501221af54 uhttpd: Execute uci commit and reload_config once
Instead of doing uci commit and reload_config for each setting do it
only once when one of these options was changed. This should make it a
little faster when both conditions are taken.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:16:32 +01:00
Hauke Mehrtens
d25d281fd6 uhttpd: Reload config after uhttpd-mod-ubus was added
Without this change the config is only committed, but the uhttpd daemon
is not reloaded. This reload is needed to apply the config. Without the
reload of uhttpd, the ubus server is not available over http and returns
a Error 404.

This caused problems when installing luci on the snapshots and
accessing it without reloading uhttpd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-21 22:16:31 +01:00
Daniel Golle
d28880cdd8
umdns: add syscalls needed on Aarch64
Now that ujail supports seccomp also on Aarch64, add missing syscall
'fstat' to the list of allowed syscalls.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-19 22:33:33 +00:00
Eike Ritter
46cd0765d0 ppp: compile fix: unset FILTER variable in Makefile
If the environment variable FILTER is set before compilation,
compilation of the ppp-package will fail with the error message

Package ppp is missing dependencies for the following libraries:
libpcap.so.1

The reason is that the OpenWrt-patch for the Makefile only comments
out the line FILTER=y. Hence the pcap-library will be dynamically
linked if the environment variable FILTER is set elsewhere, which
causes compilation to fail. The fix consists on explicitly unsetting
the variable FILTER instead.

Signed-off-by: Eike Ritter <git@rittere.co.uk>
2021-03-19 00:25:58 +01:00
Stefan Lippers-Hollmann
1ca5de13a1 hostapd: P2P: Fix a corner case in peer addition based on PD Request
p2p_add_device() may remove the oldest entry if there is no room in the
peer table for a new peer. This would result in any pointer to that
removed entry becoming stale. A corner case with an invalid PD Request
frame could result in such a case ending up using (read+write) freed
memory. This could only by triggered when the peer table has reached its
maximum size and the PD Request frame is received from the P2P Device
Address of the oldest remaining entry and the frame has incorrect P2P
Device Address in the payload.

Fix this by fetching the dev pointer again after having called
p2p_add_device() so that the stale pointer cannot be used.

This fixes the following security vulnerabilities/bugs:

- CVE-2021-27803 - A vulnerability was discovered in how p2p/p2p_pd.c
  in wpa_supplicant before 2.10 processes P2P (Wi-Fi Direct) provision
  discovery requests. It could result in denial of service or other
  impact (potentially execution of arbitrary code), for an attacker
  within radio range.

Fixes: 17bef1e97a50 ("P2P: Add peer entry based on Provision Discovery Request")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2021-03-01 00:34:23 +01:00
Jan Pavlinec
0c0c9c734d igmpproxy: update to version 0.3
Changes:
- Remove custom Build/Compile because it's no longer needed
- Remove std=gnu99 which is added automaticaly by igmpproxy if needed
- Remove -Dlog from CFLAGS because igmpproxy doesn't have log function

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2021-03-01 00:34:23 +01:00
Ilya Lipnitskiy
06351f1bd0 kernel: migrate wireguard into the kernel tree
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.

Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-26 20:41:01 +01:00
Hauke Mehrtens
030bc39c35 ppp: Update to version 2.4.9
Upstream integrated multiple patches from Distributions and did other
changes:
* rp-pppoe.so was renamed to pppoe.so
* Converted to ANSI C

The following patches were applied upstream:
* 100-debian_ip-ip_option.patch
* 101-debian_close_dev_ppp.patch
* 103-debian_fix_link_pidfile.patch
* 106-debian_stripMSdomain.patch
* 107-debian_pppoatm_wildcard.patch
* 110-debian_defaultroute.patch
* 202-no_strip.patch

Compilation with musl libc was fixed upstream so
140-pppoe_compile_fix.patch is not needed any more

Parts of the 203-opt_flags.patch patch were applied in a different way
upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-24 00:30:20 +01:00
Ilya Lipnitskiy
17f7b217d3 wireguard: don't build on Linux 5.10
There are efforts underway to bring wireguard in-tree for Linux 5.4 and
to have a common build infrastructure for both 5.4 and 5.10 for
kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on
Linux 5.4, because the wireguard-compat package will not build on Linux
5.10.

[0]: https://github.com/openwrt/openwrt/pull/3885

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-23 20:13:30 +01:00
Raphaël Mélotte
fb860b4e41 hostapd: backport ignoring 4addr mode enabling error
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:

 nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
 an interface that is in a bridge and has 4addr mode already enabled.
 This operation would not have been necessary in the first place and this
 failure results in disconnecting, e.g., when roaming from one backhaul
 BSS to another BSS with Multi AP.

 Avoid this issue by ignoring the nl80211 command failure in the case
 where 4addr mode is being enabled while it has already been enabled.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-20 10:38:48 +01:00
Daniel Golle
d79eeba688
odhcpd: setup dhcpv4 server automagically
Automatically setup dhcpv4 server just like it's done for dhcpv6.
To select whether odhcpd or dnsmasq are serving DHCPv4 requests there
still is the 'maindhcp' option. To make things less confusing, make
sure things really work out-of-the-box in case dnsmasq is not even
installed at the time the uci-defaults script is being run.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-15 00:34:43 +00:00
Raphaël Mélotte
68073e2d46 hostapd: add patch for setting 4addr mode in multi_ap
This patch is required to be able to roam from one backhaul AP to
another one in the same ESS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(daniel@makrotopia.org: PKG_REVISION bump and refreshed patches)
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-13 13:44:22 +00:00
Raphaël Mélotte
14b9100f1c hostapd: reconfigure wps credentials on reload
This patch fixes a bug that prevents updating Multi-AP credentials
after hostapd has started.

It was sent to upstream hostapd here:
https://patchwork.ozlabs.org/bundle/rmelotte/hostapd:%20update%20WPS%20credentials%20on%20SIGHUP/

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-12 08:52:41 +01:00
Raphaël Mélotte
59fa9c28d6 hostapd: add notifications for management frames
This patch allows other applications to get events management
frames (for example: association requests).

This is useful in Multi-AP context to be able to save association
requests from stations.

It has been sent to upstream hostapd in this series:
https://patchwork.ozlabs.org/project/hostap/list/?series=217500

'700-wifi-reload.patch' is updated due to the introduction of
'110-notify-mgmt-frames.patch'.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
2021-02-12 08:52:41 +01:00
Kevin Darbyshire-Bryant
db00f312d3 dnsmasq: Bump to v2.84
dnsmasq v2.84rc2 has been promoted to release.

No functional difference between v2.83test3 and v2.84/v2.84rc2

Backport 2 patches to fix the version reporting

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-02-08 13:16:24 +00:00
Daniel Golle
aed95c4cb8 dnsmasq: switch to ubus-based hotplug call
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-08 00:57:14 +00:00
Petr Štetiar
43ff6e641e hostapd: add forgotten patch for P2P vulnerability fix
Commit 7c8c4f1be6 ("hostapd: fix P2P group information processing
vulnerability") was missing the actual patch for the vulnerability.

Fixes: 7c8c4f1be6 ("hostapd: fix P2P group information processing vulnerability")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-04 09:11:50 +01:00
Daniel Golle
7c8c4f1be6 hostapd: fix P2P group information processing vulnerability
A vulnerability was discovered in how wpa_supplicant processing P2P
(Wi-Fi Direct) group information from active group owners.
This issue was discovered by fuzz testing of wpa_supplicant by Google's
OSS-Fuzz.

https://w1.fi/security/2020-2/wpa_supplicant-p2p-group-info-processing-vulnerability.txt

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-04 01:05:32 +00:00
Hans Dedecker
1b484f1a12 odhcpd: update to latest git HEAD
8d8a8cd dhcpv6-ia: apply prefix_filter on dhcpv6

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2021-01-30 21:25:09 +01:00
Paul Spooren
7b63d89b52 umdns: bump to 2021-01-26
* i78aa36b umdns: fix 64-bit time format string
* start using $(AUTORELEASE)
* Update Copyright

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-26 13:08:56 -10:00
Kevin Darbyshire-Bryant
297f82fc58 dnsmasq: Update to 2.84test3
dnsmasq v2.83 has a bug in handling duplicate queries which means it may
try to reply using the incorrect network socket.  This is especially
noticeable in dual stack environments where replies may be mis-directed to
IPv4 addresses on an IPv6 socket or IPv6 addresses on an IPv4 socket.

This results in system log spam such as:
dnsmasq[16020]: failed to send packet: Network unreachable
dnsmasq[16020]: failed to send packet: Address family not supported by protocol

dnsmasq v2.84test3 resolves these issues.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-01-24 15:56:39 +00:00
Hauke Mehrtens
e87c0d934c dnsmasq: Update to version 2.83
This fixes the following security problems in dnsmasq:
* CVE-2020-25681:
  Dnsmasq versions before 2.83 is susceptible to a heap-based buffer
  overflow in sort_rrset() when DNSSEC is used. This can allow a remote
  attacker to write arbitrary data into target device's memory that can
  lead to memory corruption and other unexpected behaviors on the target
  device.
* CVE-2020-25682:
  Dnsmasq versions before 2.83 is susceptible to buffer overflow in
  extract_name() function due to missing length check, when DNSSEC is
  enabled. This can allow a remote attacker to cause memory corruption
  on the target device.
* CVE-2020-25683:
  Dnsmasq version before 2.83 is susceptible to a heap-based buffer
  overflow when DNSSEC is enabled. A remote attacker, who can create
  valid DNS replies, could use this flaw to cause an overflow in a heap-
  allocated memory. This flaw is caused by the lack of length checks in
  rtc1035.c:extract_name(), which could be abused to make the code
  execute memcpy() with a negative size in get_rdata() and cause a crash
  in Dnsmasq, resulting in a Denial of Service.
* CVE-2020-25684:
  A lack of proper address/port check implemented in Dnsmasq version <
  2.83 reply_query function makes forging replies easier to an off-path
  attacker.
* CVE-2020-25685:
  A lack of query resource name (RRNAME) checks implemented in Dnsmasq's
  versions before 2.83 reply_query function allows remote attackers to
  spoof DNS traffic that can lead to DNS cache poisoning.
* CVE-2020-25686:
  Multiple DNS query requests for the same resource name (RRNAME) by
  Dnsmasq versions before 2.83 allows for remote attackers to spoof DNS
  traffic, using a birthday attack (RFC 5452), that can lead to DNS
  cache poisoning.
* CVE-2020-25687:
  Dnsmasq versions before 2.83 is vulnerable to a heap-based buffer
  overflow with large memcpy in sort_rrset() when DNSSEC is enabled. A
  remote attacker, who can create valid DNS replies, could use this flaw
  to cause an overflow in a heap-allocated memory. This flaw is caused
  by the lack of length checks in rtc1035.c:extract_name(), which could
  be abused to make the code execute memcpy() with a negative size in
  sort_rrset() and cause a crash in dnsmasq, resulting in a Denial of
  Service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-19 13:01:03 +01:00
Leon M. George
d5bbd4975c hostapd: fix setting wps_state to "not configured"
With encryption disabled, it was intended to set wpa_state=1 (enabled,
not configured) through the 'wps_not_configured' flag.
The flag is set appropriately but the condition using it is broken.
Instead, 'wps_configured' is checked and wpa_state is always 2 (enabled,
configured). Fix it by using the correct variable name.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit title/message improvements]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-15 18:17:45 +01:00
Leon M. George
fa02225ee6 hostapd: fix key_mgmt typo
The key_mgmt variable was mistyped when checking against "WPS", so
the if clause was never entered.

Fixes: f5753aae23 ("hostapd: add support for WPS pushbutton station")

Signed-off-by: Leon M. George <leon@georgemail.eu>
[add commit message, bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-14 03:54:06 +01:00
Leon M. George
f72ce73e36 hostapd: remove trailing whitespaces
Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:50:38 +01:00
Leon M. George
4bde00c2a3 hostapd: remove unused variable
'base' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:48:41 +01:00
Leon M. George
3497b30b9c hostapd: remove unused variable
'enc_str' was never used.

Fixes: 498d84fc4e ("netifd: add wireless configuration support
and port mac80211 to the new framework")

Signed-off-by: Leon M. George <leon@georgemail.eu>
2021-01-14 03:45:17 +01:00
Daniel Golle
1f78538387 hostapd: run as user 'network' if procd-ujail is installed
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root priviledges.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:50 +00:00
Daniel Golle
1e2d162092 hostapd: improve error handling when adding supplicant config
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-14 00:52:49 +00:00
Etan Kissling
7babb978ad hostapd: add multicast_to_unicast and per_sta_vif
This allows configuration of multicast_to_unicast and per_sta_vif options.
- multicast_to_unicast requests multicast-to-unicast conversion.
- per_sta_vif assigns each station its own AP_VLAN interface.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
2021-01-14 00:52:49 +00:00
Daniel Golle
2d305ff13a hostapd: return PID on config_add call
To simplify the way netifd acquires the PIDs of wpa_supplicant and
hostapd let the config_add method of both of them return the PID of the
called process. Use the returned PID instead of querying procd when
adding wpa_supplicant configuration.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-01-10 19:15:51 +00:00
Robert Marko
f246dfde33 hostapd: wpa_supplicant: Enable proper GCMP cipher support
This patch enables hostapd.sh to properly configure wpa_supplicant
for when GCMP is used as cipher in station mode.
Without this wpa_supplicant will be unable to connect to AP.
This is needed for wil6210 as it does not support CCMP.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2021-01-05 02:16:24 +00:00
Nick Hainke
6773bee107 odhcpd: bump to latest version
3bda900 odhcpd: add option for setting preferred lifetime

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-01-04 08:01:16 +01:00
Florian Beverborg
22e568d0fe hostapd: add support for custom per-BSS options
This adds an option "hostapd_bss_options" that does the same as
"hostapd_options" but on a per-BSS level, instead of a per-device level.

This can be used, for example, to configure different per-devce sae_passwords
per BSS or to augment some of the existing per-BSS options.

Signed-off-by: Florian Beverborg <flo@beverb.org>
[remove whitespace errors, bump release]
Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-01-03 12:31:42 -10:00
Hauke Mehrtens
7aa8c00e4b ppp: Remove already applied patch
This patch was already applied upstream and not needed here.

Fixes: 06403981e1 ("ppp: update to version 2.4.7.git-2019-05-06")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-01 19:55:59 +01:00
Felix Fietkau
e1851720f1 hostapd: do not restart hostapd instance on wireless restarts
Add the flag that prevents netifd from killing hostapd/wpa_supplicant

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-12-31 14:26:00 +01:00
Hans Dedecker
bc99b56d7e odhcpd: update to latest git HEAD
b75bcad dhcpv6-ia: remove assignment equal to 0 checks
d1ae052 dhcpv6-ia: fix logic to include IA_PD prefix with lifetimes set to 0
9d5e379 dhcpv6-ia: fix prefix delegation behavior

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-12-24 17:23:41 +01:00
Dobroslaw Kijowski
1a9b896d8b treewide: nuke DRIVER_11W_SUPPORT
As of hostapd upstream commit 7d2ed8ba "Remove CONFIG_IEEE80211W build parameter"
https://w1.fi/cgit/hostap/commit?id=7d2ed8bae86a31dd2df45c24b3f7281d55315482
802.11w feature is always enabled in the build time.

It doesn't make sense to opt-in 802.11w per driver as hostapd will always
be compiled with this feature enabled.

As suggested by Hauke Mehrtens, for now keep 11w enabled in build_features.h
for compatibility reasons. This option will be dropped when LuCI is adjusted.

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-12-23 16:36:08 +01:00
John Crispin
ceb612e463 hostapd: pass respawn settings when registering the service
When hostapd gets restarted to often/quickly will cause procd to not restart it
anymore. it will think that hapd is in a crash loop.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [adjust respawn time]
2020-12-22 19:30:26 +01:00
Nick Lowe
cb41bc5088 hostapd: Use EAPOLv1 (802.1X-2001) if WPA enabled
Currently, EAPOLv2 (802.1X-2004) is used by default for legacy clients that
are not WPA2 (RSN) capable. These legacy clients are often intolerant to this
EAPOL version and fail to connect.

hostapd.conf upstream documents for eapol_version the following and that this
is a known compatibility issue with version 2:

// IEEE 802.1X/EAPOL version
// hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL
// version 2. However, there are many client implementations that do not handle
// the new version number correctly (they seem to drop the frames completely).
// In order to make hostapd interoperate with these clients, the version number
// can be set to the older version (1) with this configuration value.
// Note: When using MACsec, eapol_version shall be set to 3, which is
// defined in IEEE Std 802.1X-2010.
//eapol_version=2

For the wpa parameter, hostapd.conf upstream documents that this is a bitfield,
configured as follows:

// Enable WPA. Setting this variable configures the AP to require WPA (either
// WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either
// wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK.
// Instead of wpa_psk / wpa_passphrase, wpa_psk_radius might suffice.
// For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys),
// RADIUS authentication server must be configured, and WPA-EAP must be included
// in wpa_key_mgmt.
// This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
// and/or WPA2 (full IEEE 802.11i/RSN):
// bit0 = WPA
// bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
// Note that WPA3 is also configured with bit1 since it uses RSN just like WPA2.
// In other words, for WPA3, wpa=2 is used the configuration (and
// wpa_key_mgmt=SAE for WPA3-Personal instead of wpa_key_mgmt=WPA-PSK).
//wpa=2

For client compatibility therefore:

EAPOLv1 (802.1X-2001) should be used by default where WPA is enabled.
EAPOLv2 (802.1X-2004) should be used by default where WPA is disabled.

To fix this, we can therefore change in the script:

set_default eapol_version 0

To the following:

set_default eapol_version $((wpa & 1))

This therefore:
1) Sets eapol_version to 1 where WPA has been enabled via wpa bit0 being set.
2) Sets eapol_version to 0 where WPA has been disabled via wpa bit0 being unset.

For usual configurations that only have WPA2 enabled, EAPOLv2 is then used.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-22 19:11:50 +01:00
Nadim Atiya
1302bee12a hostapd: parse skip_inactivity_poll option
hostapd.sh does not parse skip_inactivity_poll boolean from
/etc/config/wireless despite being mentioned in the documentation [1].
This change fixes this, and by default sets its value to 0 [1].

[1] https://openwrt.org/docs/guide-user/network/wifi/basic

Signed-off-by: Nadim Atiya <nadim.atiya@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[fix and reformat commit message, make patch apply]
2020-12-22 15:23:35 +00:00
Petr Štetiar
0cf3c5dd72 uhttpd: don't redirect to HTTPS by default
So we can ship px5g-wolfssl by default in the release image, but still
make the HTTPS for LuCI optional. This small change with addition of
`CONFIG_PACKAGE_px5g-wolfssl=y` into the buildbot's seed config for the
next release should provide optional HTTPS in the next release.

Disabling the current default automatic uhttpd's redirect to HTTPS
should make the HTTPS optional. That's it, user would either need to
switch to HTTPS by manually switching to https:// protocol in the URL or
by issuing the following commands to make the HTTPS automatic redirect
permanent:

 $ uci set uhttpd.main.redirect_https=1
 $ uci commit uhttpd
 $ service uhttpd reload

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-20 10:36:51 +01:00
Daniel Golle
b2d48c1dfe odhcpd: remove local mkdir_p implementation
Replace local mkdir_p implementation in favour of using mkdir_p now
added to libubox.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-13 00:13:18 +00:00
Konstantin Demin
52aa2017d3 dropbear: bump package version
Bump package version after previous changes.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-11 13:48:24 +01:00
Konstantin Demin
228298290e dropbear: add ssh-askpass support in configuration
binary size cost is much less than 1k.

tested on ath79/generic:
  bin: 215128 -> 215132 (+4b)
  ipk: 111183 -> 111494 (+311b)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
e1bd9645b6 dropbear: roll up recipes into mapping lists
this commit removes manual recipes for options and introduces mapping lists:
- DB_OPT_COMMON holds option mappings which are common for all builds;
- DB_OPT_CONFIG holds option mappings which are depend on config settings.

DB_OPT_COMMON is space-separated list of 'words', each of them is in format:
  'header_option|value'

'header_option' is added with value 'value' to 'localoptions.h'.

if 'header_option' is preceded by two exclamation marks ('!!')
then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'.

in short:
   option|value - add option to localoptions.h
 !!option|value - replace option in sysoptions.h

DB_OPT_CONFIG is space-separated list of 'words', each of them is in format:
  'header_option|config_variable|value_enabled|value_disabled'

'header_option' is handled likewise in DB_OPT_COMMON.

if 'config_variable' is enabled (technically: not disabled)
then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise.

in short:
   option|config|enabled|disabled = add option to localoptions.h
 !!option|config|enabled|disabled = replace option in sysoptions.h

   option := (config) ? enabled : disabled

If you're not sure that option's value doesn't have '|' within - add your recipe
manually right after '$(Build/Configure/dropbear_headers)' and write some words
about your decision.

PS about two exclamation marks:
early idea was to use one exclamation mark to denote such header options
but then i thought single exclamation mark may be overlooked by mistake.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
79d5c24724 dropbear: rework recipes that configure build
- add two helper functions to avoid mistakes with
  choice of correct header file to work with
- update rules accordingly

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
42eff7c7e6 dropbear: reorder options in Configure recipe
put static options at first place, then place configurable options.
also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Konstantin Demin
7e122c353a dropbear: enable back DROPBEAR_USE_PASSWORD_ENV
this option was disabled in 2011 and these long nine years showed us that change was definitely wrong.

binary size cost is much less than 1k.

tested on ath79/generic:
  bin: 215128 -> 215128 (no change)
  ipk: 111108 -> 111183 (+75b)

Fixes: 3c801b3dc0 ("tune some more options by default to decrease size")
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-12-11 13:48:24 +01:00
Jo-Philipp Wich
dd5b3b58d8 lldpd: fix autoreconf failure
The lldpd sources ship a modified local AX_LIB_READLINE M4 macro which
conflicts with the official macro shipped by autoconf-archive.

Due to the official macro having the same name and a higher serial
number, autoconf will prefer including that one instead of the local
copy, preventing the substitution of @READLINE_LIBS@ in Makefile.in
templates, ultimately leading to the following build failure when
linking lldpcli:

    ...-gcc: error: READLINE_LIBS@: No such file or directory

Avoid this problem by renaming the locally shipped macro to not clash
with the official implementation anymore.

Ref: https://github.com/lldpd/lldpd/pull/423
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-12-09 12:36:40 +01:00
Nick Lowe
ce5bcff304 hostapd: Disable 802.11b data rates by default
Set legacy_rates to 0 by default to disable 802.11b data rates by default.

The time has long come where 802.11b DSSS/CCK data rates should be disabled
by default in OpenWRT. Users in need of 802.11b client support can reasonably
enable these where they are needed.

The balance of equities has significantly, and for a long time, tipped
such that dropping backwards compatibility by default with 802.11b
devices is appropriate, proportionate and justified. By doing so,
management and control traffic is moved by default to a 20
MHz wide 6 Mb/s OFDM data rate instead of a 22 MHz wide 1 Mb/s DSSS data
rate. This is significantly more airtime efficient.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-12-06 08:51:32 -10:00
Rosen Penev
28a9ac74cc openvpn: remove
This will be moved to packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Paul Spooren <mail@aparcar.org>
2020-12-05 10:09:01 -10:00
Rosen Penev
57a8028949 openvpn-easy-rsa: remove
This will be moved to packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-05 10:08:49 -10:00
Jan Pavlinec
520403cd49 umdns: add check for seccomp list
This should fix an issue when user have a router with enabled seccomp
and tries to run umdns package which was build with SDK with disabled
seccomp support.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-11-30 10:38:13 +00:00
Nick Lowe
81ff23fc91 hostapd: Add cell_density data rates option
Add a cell_density option to configure data rates for normal, high and
very high cell density wireless deployments.

The purpose of using a minimum basic/mandatory data rate that is higher
than 6 Mb/s, or 5.5 Mb/s (802.11b compatible), in high cell density
environments is to transmit broadcast/multicast data frames using less
airtime or to reduce management overheads where significant co-channel
interference (CCI) exists and cannot be avoided.

Caution: Without careful design and validation, configuration of a too
high minimum basic/mandatory data rate can sacrifice connection stability
or disrupt the ability to reliably connect and authenticate for little to
no capacity benefit. This is because this configuration affects the
ability of clients to hear and demodulate management, control and
broadcast/multicast data frames.

Deployments that have not been specifically designed and validated are
usually best suited to use 6, 12 and 24 Mb/s as basic/mandatory data
rates.

Only usually seek to configure a 12 Mb/s, or 11 Mb/s (802.11b
compatible), minimum basic/mandatory rate in high cell density
deployments that have been designed and validated for this.

For many deployments, the minimum basic/mandatory data rate should not be
configured above 12 Mb/s to 18 Mb/s, 24 Mb/s or higher. Such a
configuration is only appropriate for use in very high cell density
deployment scenarios.

A cell_density of Very High (3) should only be used where a deployment
has a valid use case and has been designed and validated specifically for
this use, nearly always with highly directional antennas - an example
would be stadium deployments. For example, with a 24 Mb/s OFDM minimum
basic/mandatory data rate, approximately a -73 dBm RSSI is required to
decode frames. Many clients will not have roamed elsewhere by the time
that they experience -73 dBm and, where they do, they frequently may not
hear and be able to demodulate beacon, control or broadcast/multicast
data frames causing connectivity issues.

There is a myth that disabling lower basic/mandatory data rates will
improve roaming and avoid sticky clients. For 802.11n, 802.11ac and
802.11ax clients this is not correct as clients will shift to and use
lower MCS rates and not to the 802.11b or 802.11g/802.11a rates that are
able to be used as basic/mandatory data rates.

There is a myth that disabling lower basic/mandatory data rates will
ensure that clients only use higher data rates and that better
performance is assured. For 802.11n, 802.11ac and 802.11ax clients this
is not correct as clients will shift around and use MCS rates and not the
802.11b or 802.11g/802.11a rates that able to be used as basic/mandatory
data rates.

Cell Density

0 - Disabled (Default)
Setting cell_density to 0 does not configure data rates. This is the
default.

1 - Normal Cell Density
Setting cell_density to 1 configures the basic/mandatory rates to 6, 12
and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting cell_density to 1 configures the basic/mandatory rates to the 5.5
and 11 Mb/s DSSS rates where legacy_rates is 1. Supported rates lower
than the minimum basic/mandatory rate are not offered.

2 - High Cell Density
Setting the cell_density to 2 configures the basic/mandatory rates to the
12 and 24 Mb/s OFDM rates where legacy_rates is 0. Supported rates lower
than the minimum basic/mandatory rate are not offered.
Setting the cell_density to 2 configures the basic/mandatory rates to the
11 Mb/s DSSS rate where legacy_rates is 1. Supported rates lower than the
minimum basic/mandatory rate are not offered.

3 - Very High Cell Density
Setting the cell_density to 3 configures the basic/mandatory rates to the
24 Mb/s OFDM rate where legacy_rates is 0. Supported rates lower than the
minimum basic/mandatory rate are not offered.
Setting the cell_density to 3 only has effect where legacy_rates is 0,
else this has the same effect as being configured with a cell_density of 2.

Where specified, the basic_rate and supported_rates options continue to
override both the cell_density and legacy_rates options.

Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
2020-11-30 09:31:15 +01:00
Daniel Golle
64cbfd1f54 umdns: update seccomp filter rules
Add 'writev' syscall to list of allowed syscalls.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-27 01:23:43 +00:00
Stijn Tintel
26c26e11a2 hostapd: fix "sh: out of range" errors
Several variables in hostapd.sh can be used uninitialized in numerical
comparisons, causing errors in logread:

netifd: radio24 (1668): sh: out of range

Set defaults for those variables to silence those errors.

Fixes: b518f07d4b ("hostapd: remove ieee80211v option")
Fixes: cc80cf53c5 ("hostapd: add FTM responder support")
Fixes: e66bd0eb04 ("hostapd: make rrm report independent of ieee80211k setting")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-11-26 02:25:23 +02:00
Stijn Tintel
c5ea37af7e lldpd: bump to 1.0.7
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-11-26 00:25:25 +02:00
Leon M. George
651f0c0999 hostapd: fix patch offset
Fixes the offset of the patch added in 93bbd998aa
  ("hostapd: enter DFS state if no available channel is found").

Signed-off-by: Leon M. George <leon@georgemail.eu>
2020-11-23 22:53:15 +01:00
Rui Salvaterra
dd4e6a70f2 hostapd: enable the epoll-based event loop
Hostapd supports epoll() since 2014. Let's enable it for better performance.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-11-23 03:02:21 +00:00
Daniel Golle
97ac290090 uhttpd: update to git HEAD
f53a639 ubus: fix uhttpd crash

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-23 02:06:35 +00:00
David Bauer
21dfdfd78b hostapd: set validity interval for BSS TMRA
This sets the validity interval for the BSS transition candidate
list to the same value as the disassociation timer.

Currently the value is always 0, which is the specification states is a
reserved value. Also, wpa_supplicant and from the looks of it some
Android implementations will outright ignore the candidate list in this
case.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:06:39 +01:00
Dobroslaw Kijowski
edb93eda16 hostapd: add support for static airtime policy configuration
* Add support for passing airtime_sta_weight into hostapd configuration.
* Since that commit it is possible to configure station weights. Set higher
  value for larger airtime share, lower for smaller share.

I have tested this functionality by modyfing /etc/config/wireless to:

config wifi-device 'radio0'
	...
        option airtime_mode '1'

config wifi-iface 'default_radio0'
	...
        list airtime_sta_weight '01:02:03:04:05:06 1024'

Now, when the station associates with the access point it has been assigned
a higher weight value.
root@OpenWrt:~# cat /sys/kernel/debug/ieee80211/phy0/netdev\:wlan0/stations/01\:02\:03\:04\:05\:06/airtime
RX: 12656 us
TX: 10617 us
Weight: 1024
Deficit: VO: -2075 us VI: 256 us BE: -206 us BK: 256 us

[MAC address has been changed into a dummy one.]

Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-11-17 17:06:16 +01:00
Dobroslaw Kijowski
03cdeb5f97 hostapd: fix per-BSS airtime configuration
airtime_mode is always parsed as an empty string since it hasn't been
added into hostapd_common_add_device_config function.

Fixes: e289f183 ("hostapd: add support for per-BSS airtime configuration")
Signed-off-by: Dobroslaw Kijowski <dobo90@gmail.com>
2020-11-17 17:05:20 +01:00
David Bauer
0ce5f15f9c hostapd: ubus: add get_status method
This adds a new get_status method to a hostapd interface, which
provides information about the current interface status.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:05:06 +01:00
David Bauer
80b531614b hostapd: ubus: add VHT capabilities to client list
This adds parsed VHT capability information to the hostapd
get_clients method.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:40 +01:00
David Bauer
cd8052da49 hostapd: ubus: add driver information to client list
This adds information from mac80211 to hostapd get_client ubus function.
This way, TX as well as RX status information as well as the signal can
be determined.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:33 +01:00
David Bauer
7463a0b5ee hostapd: fix variable shadowing
Fixes commit 838b412cb5 ("hostapd: add interworking support")

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-11-17 17:04:22 +01:00
Daniel Golle
01b83040d3 umdns: convert seccomp filter rules to OCI format
procd-seccomp switched to OCI-compliant seccomp parser instead of our
(legacy, OpenWrt-specific) format. Convert ruleset to new format.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-11-17 13:12:37 +00:00
Hans Dedecker
0f7a3288e1 odhcpd: update to latest git HEAD
fb55e80 dhcpv6-ia : write statefile atomically

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-11-15 18:48:33 +01:00
Hans Dedecker
aaf3443e1a dropbear: update to 2.81
Update dropbear to latest stable 2.81; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES

Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-11-15 18:23:47 +01:00
Jason A. Donenfeld
a0df35e89c wireguard: bump to 1.0.20201112
* noise: take lock when removing handshake entry from table

This is a defense in depth patch backported from upstream to account for any
future issues with list node lifecycles.

* netns: check that route_me_harder packets use the right sk

A test for an issue that goes back to before Linux's git history began. I've
fixed this upstream, but it doesn't look possible to put it into the compat
layer, as it's a core networking problem. But we still test for it in the
netns test and warn on broken kernels.

* qemu: drop build support for rhel 8.2

We now test 8.3+.

* compat: SYM_FUNC_{START,END} were backported to 5.4
* qemu: bump default testing version

The real motivation for this version bump: 5.4.76 made a change that broke our
compat layer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-11-12 13:28:38 +01:00
Aleksandr Mezin
acb336235c dnsmasq: 'ipset' config sections
Allow configuring ipsets with dedicated config sections:

    config ipset
        list name 'ss_rules_dst_forward'
        list name 'ss_rules6_dst_forward'
        list domain 't.me'
        list domain 'telegram.org'

instead of current, rather inconvenient syntax:

    config dnsmasq
        ...
        list ipset '/t.me/telegram.org/ss_rules_dst_forward,ss_rules6_dst_forward'

Current syntax will still continue to work though.

With this change, a LuCI GUI for DNS ipsets should be easy to implement.

Signed-off-by: Aleksandr Mezin <mezin.alexander@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-11-11 20:47:34 +01:00
Jan Pavlinec
a86c0d97b5 dnsmasq: explictly set ednspacket_max value
This is related to DNS Flag Day 2020. It sets default
ends buffer size value to 1232.

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-11-09 20:44:46 +01:00
Paul Spooren
753309c7dd uhttpd: use P-256 for certs
The uhttpd package takes care of creating self-signed certificates if
px5g is installed. This improves the security of router management as it
encrypts the LuCI connection.

The EC P-256 curve is faster than RSA which which improves the user
experience on embedded devices. EC P-256 is support for as old devices
as Android 4.4.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-11-09 10:54:29 +00:00
Rui Salvaterra
682843adad hostapd: add a hostapd-basic-wolfssl variant
If only AP mode is needed, this is currently the most space-efficient way to
provide support for WPA{2,3}-PSK, 802.11w and 802.11r.

openwrt-ath79-generic-ubnt_nanostation-loco-m-squashfs-sysupgrade.bin sizes:

4719426 bytes (with wpad-basic-wolfssl)
4457282 bytes (with hostapd-basic-wolfssl)

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-11-08 20:25:59 +00:00
Florian Eckert
42675aa30c dropbear: use new extra_command wrapper
Use new `extra_command` wrapper to fix the alignement.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2020-11-02 21:32:38 +01:00
Hans Dedecker
cafa3dc7c7 odhcpd: fix compile problem on 64-bit systems
735c783 dhcpv6: fix size_t fields in syslog format

Fixes 5cdc65f6d1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-11-01 20:44:54 +01:00
Hans Dedecker
5cdc65f6d1 odhcpd: update to latest git HEAD
5700919 dhcpv6: add explicit dhcpv4o6 server address
e4f4e62 dhcpv6: add DHCPv4-over-DHCPv6 support
aff290b dhcpv6: check message type
2677fa1 router: fix advertisement interval option

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-10-31 21:27:47 +01:00
Rui Salvaterra
f8c88a8775 hostapd: enable OWE for the basic-{openssl, wolfssl} variants
Opportunistic Wireless Encryption is needed to create/access encrypted networks
which don't require authentication.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-10-31 13:02:28 +00:00
Daniel Golle
c3a4cddaaf hostapd: remove hostapd-hs20 variant
Hotspot 2.0 AP features have been made available in the -full variants
of hostapd and wpad. Hence we no longer need a seperate package for
that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-30 00:39:09 +00:00
Rui Salvaterra
10e73b1e9e hostapd: add {hostapd,wpad}-basic-openssl variants
Add OpenSSL-linked basic variants (which provides WPA-PSK only, 802.11r and
802.11w) of both hostapd and wpad. For people who don't need the full hostapd
but are stuck with libopenssl for other reasons, this saves space by avoiding
the need of an additional library (or a larger hostapd with built-in crypto).

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-10-30 00:39:09 +00:00
David Bauer
9f1927173a hostapd: wpas: add missing config symbols
This adds missing config symbols for interworking as well as Hotspot 2.0
to the wpa_supplicant-full configuration.

These symbols were added to the hostapd-full configuration prior to this
commit. Without adding them to the wpa_supplicant configuration,
building of wpad-full fails.

Thanks to Rene for reaching out on IRC.

Fixes: commit be9694aaa2 ("hostapd: add UCI support for Hotspot 2.0")
Fixes: commit 838b412cb5 ("hostapd: add interworking support")
Signed-off-by: David Bauer <mail@david-bauer.net>
2020-10-28 03:25:25 +01:00
Daniel Golle
256fa157a9 dnsmasq: install /etc/hotplug.d/ntp/25-dnsmasqsec world-readable
/etc/hotplug.d/ntp/25-dnsmasqsec is being sourced by /sbin/hotplug-call
running as ntpd user. For that to work the file needs to be readable by
that user.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-28 02:01:04 +00:00