Commit Graph

2027 Commits

Author SHA1 Message Date
Sergey Ponomarev
908975850d
dropbear: use config_get_bool enable
The config_get_bool also works with on/off, yes/no, true/false.
Add 'main' section name. This will make it easier to change settings from uci.
Add a link to documentation.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15579
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 4511fa4b30)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:47:56 +00:00
Shiji Yang
be082a7c7e
ppp: remove more unnecessary kernel checks
The ppp package can support all features since Linux 4.7.0 kernel.
Therefore, most kernel version checks can pass unconditionally on
OpenWrt v18.06 and later version. This patch can reduce the size
of ppp package by approximately 2.5 KB.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16695
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 3dbe730080)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:47:25 +00:00
Leon M. Busch-George
69fd722edd
hostapd: split long lines
These two were getting rather long.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Link: https://github.com/openwrt/openwrt/pull/16849
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 8b6d5874b8)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:46:43 +00:00
Felix Fietkau
7e542f6a77 hostapd: fix build error with SAE disabled
Fixes: b2a2c28617 ("hostapd: add support for authenticating with multiple PSKs via ubus helper")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-22 16:57:43 +02:00
Christian Marangi
eeb59f87a1
ppp: install pkg-config file on InstallDev
It seems some package (sstp-client) makes use of pppd.pc file to detect
the ppp version as 2.5.0 changed some API.

Also install the .pc file to permit the version detection of pppd.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-10-22 16:10:05 +02:00
Felix Fietkau
04fb05914e wifi-scripts: add multi-radio config support
Emit one wifi-device section per wiphy radio

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-22 14:40:43 +02:00
Felix Fietkau
b2a2c28617 hostapd: add support for authenticating with multiple PSKs via ubus helper
Also supports assigning a VLAN ID based on the PSK

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-22 14:40:42 +02:00
Felix Fietkau
ed484caa03 hostapd: add support for querying bss config parameters via ubus
Supports reading the same parameters currently being used by iwinfo.
Preparation for replacing iwinfo with a rewrite in ucode.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-22 13:09:26 +02:00
Paul Donald
3407269ba5 dnsmasq: gate configdir usage behind absolute path check
don't use configuration directories which are relative

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/14975
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 21:56:16 +02:00
Paul Donald
7c501e0ed2 dnsmasq: add handling of dns-rr to init script (add arbitrary resource records)
Add support for handling of DNS RR (Resource Records) requests, which
are needed for the HTTPS Type 65 records, introduced to support the
DNS-based Service Discovery (DNS-SD) mechanism for HTTPS services and
defined in the RFC 9460 (9.1. Query Names for HTTPS RRs).

Ref: https://forum.openwrt.org/t/resolving-query-type-65-to-local-address-for-ios-clients-in-dnsmasq/179504/11

uci config usage:

config dnsrr
    option rrname 'foo.example.com'
    option rrnumber '65'
    option hexdata '00'

hexdata is optional.

Available since dnsmasq 2.62 (for around 12 years at this point).

Note: dnsmasq dns-rr are not affected by filter-rr

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Tested-by: Vladimir Kochkovski <ask@getvladimir.com>
Link: https://github.com/openwrt/openwrt/pull/14975
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 21:56:16 +02:00
Paul Donald
47ce5f7dd5 dnsmasq: quoted path variables
Prevents problems when variables contain spaces.

Tested on: 23.05.3

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/14975
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 21:56:16 +02:00
Paul Donald
bd81d97e19 dnsmasq: add 'extraconftext' parameter
Users can now freely add new dnsmasq parameters (i.e. a whole config)
via extraconf. This means users can add their own parameters without
changes to init or GUI.

Co-opted the default of confdir also to include the instance name.
This way each instance gets its own .d directory (and separate instances
do not all inherit the same 'extraconftext').

Usage:
config dnsmasq 'config'
	...
	option extraconftext 'cache-size=2048\nlog-async=20'

config dnsmasq 'blah'
	...
	option extraconftext 'cache-size=128\nlog-async=5'

or even (which would produce staggered output but still valid)

config dnsmasq 'blah'
	...
	option extraconftext 'cache-size=128
							log-async=5'

See https://forum.openwrt.org/t/add-dnsmasq-custom-options-field-in-luci-gui/193184

Tested on: 23.05.3, 22.03.6

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Tested-by: Vladimir Kochkovski <ask@getvladimir.com>
Link: https://github.com/openwrt/openwrt/pull/14975
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 21:56:16 +02:00
Paul Donald
137ac21596 dnsmasq: add handling of cache-rr to init script
dnsmasq v2.90 introduced `--cache-rr=<rrtype>[,<rrtype>...]`.

uci config usage:

config dnsmasq
    ...
    option cache_rr 'AAAA,CNAME,NXDOMAIN,SRV,...'

The dnsmasq instance internally builds a linked list of RR to cache
from the individually supplied parameters, so it's allowed to provide
multiples:

... --cache-rr=AAAA --cache-rr=A ...

See https://forum.openwrt.org/t/resolving-query-type-65-to-local-address-for-ios-clients-in-dnsmasq/179504

Tested on: 23.05.2

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Tested-by: Vladimir Kochkovski <ask@getvladimir.com>
Link: https://github.com/openwrt/openwrt/pull/14975
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 21:56:16 +02:00
Paul Donald
9857b41fe9 dnsmasq: add handling of filter-rr to init script
dnsmasq v2.90 introduced `--filter-rr=<rrtype>[,<rrtype>...]`.

uci config usage:

config dnsmasq
    ...
    option filter_rr 'AAAA,CNAME,NXDOMAIN,SRV,...'

The dnsmasq instance internally builds a linked list of RR to filter
from the individually supplied parameters, so it's harmless to provide
synonyms:

... --filter-A --filter-rr=A ...

See https://forum.openwrt.org/t/resolving-query-type-65-to-local-address-for-ios-clients-in-dnsmasq/179504/23

Tested on: 23.05.2

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
Tested-by: Vladimir Kochkovski <ask@getvladimir.com>
Link: https://github.com/openwrt/openwrt/pull/14975
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 21:56:16 +02:00
Shiji Yang
eb05baff7f ppp: clean up makefile
The latest ppp version seems to no longer require these ancient
build fixes.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16605
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-12 15:53:06 +02:00
Shiji Yang
7eb6bf1ac9 ppp: remove discovery phase timeout hack patch
In the original code, the entire time delay of the discovery phase
is only 5+5x2+5x2x2 = 35s. Increasing timeout may be necessary if
discovery phase fails on first attempt. There is a chance to fix
the "Timeout waiting for PADO packets" issue by removing this patch.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16605
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-12 15:53:06 +02:00
Shiji Yang
8766a92766 ppp: remove uClibc wtmp hack patch
The uClibc library support was removed since commit:
57fe7d5401 ("toolchain: remove uClibc install stuff")

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16605
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-12 15:53:06 +02:00
Shiji Yang
3e668c6d02 ppp: update to 2.5.1
ChangeLog:
https://github.com/ppp-project/ppp/blob/ppp-2.5.1/ChangeLog

Suppressed patches:
010-use_target_for_configure.patch [1]
510-pptp_compile_fix.patch [2]
520-u_int_bsd_fix.patch [3]

Upstreamed patches:
330-retain_foreign_default_routes.patch [4]
521-remove_unused_openssl_dep.patch [5]

[1] e48a9b5de4
[2] Merged into "500-add-pptp-plugin.patch"
[3] 797cdae57c
[4] 9856f47063
[5] 59342ab622

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16605
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-12 15:53:06 +02:00
Sergey Ivanov
9cecf2b16e ppp: update to 2.5.0
ChangeLog:
https://github.com/ppp-project/ppp/blob/ppp-2.5.0/ChangeLog

Upstreamed patches:
120-debian_ipv6_updown_option.patch [1]
133-fix_sha1_include.patch [2]
140-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch [3]
141-Expand-byte-count-statistics-to-64-bits-298.patch [4]
142-pppd-Add-support-for-registering-ppp-interface-via-L.patch [5]
143-pppd-Workaround-for-generating-ppp-unit-id-on-Linux-.patch [6]
144-pppd-Retry-registering-interface-when-on-rtnetlink-E.patch [7]

Suppressed patches:
200-makefile.patch [8]
201-mppe_mppc_1.1.patch [9]
203-opt_flags.patch [10]
300-filter-pcap-includes-lib.patch [11]
511-pptp_cflags.patch [12]
600-Revert-pppd-Use-openssl-for-the-DES-instead-of-the-l.patch [13]
610-pppd_compile_fix.patch [14]

[1] 7f8c1a1f8e
[2] ba7f7e053d
[3] 98ec18f098
[4] 81ad945630
[5] 4a54e34cf5
[6] 44609bfc97
[7] 089687fbcc
[8] enable_eaptls=no, with_pcap=no, HAVE_CRYPT_H=1 in configure
[9] enable_microsoft_extensions=yes, MPPC support is removed.
[10] fPIC ignored so far
[11] done by autotools
[12] in main patch for pptp plugin
[13] with_openssl=no, already in upstream ppp-des.c
[14] with_static_pcap=yes from patch 310

Signed-off-by: Sergey Ivanov <icegood1980@gmail.com>

* Fix package hash.
* Fix multilink variant build.
* Fix some compile errors.
* Some code format fixes.
* Refactor commit message.
* Rebase git and fix conflicts.

Co-authored-by: Shiji Yang <yangshiji66@qq.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16605
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-12 15:53:06 +02:00
Felix Fietkau
12c1a56ec0 hostapd: reload bss if a relevant ifindex changes
This can happen if the bridge or a stacked vlan device gets recreated.
Ensure that hostapd sees the change and handles it gracefully.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-06 20:09:19 +02:00
John Crispin
e428d7999a dropbear: add a uci-defaults script for loading authorized keys
Write the ssh authorized key to /etc/dropbear/ssh_authorized_keys if present
inside boad.json.

Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:41:33 +02:00
John Crispin
3ed5f6430b hostapd: send a notification via ubus when CSA completed
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:42 +02:00
John Crispin
dd62f7659b hostapd: add ifname to generic ubus notify code
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:34 +02:00
John Crispin
711885ad68 hostapd: add ifname and vlan_id to sta-authorized notifications
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:27 +02:00
John Crispin
dc48732ea7 hostapd: add the ifname to ubus events
Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:21 +02:00
John Crispin
8bfea41eef umdns: update to latest HEAD
fbaca4b cache: improve update call by doing a full refresh probe
93c9036 dns: reply to A/AAAA questions for additional hostnames

Signed-off-by: John Crispin <john@phrozen.org>
2024-10-02 15:19:13 +02:00
Janusz Dziedzic
d1fc8c3db0 hostapd: fix build when 80211BE enabled
In file included from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/ubus.h:11,
                 from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/hostapd.h:21,
                 from main.c:26:
hostapd-2024.03.09~695277a5/src/ap/sta_info.h: In function 'ap_sta_is_mld':
hostapd-2024.03.09~695277a5/src/ap/sta_info.h:425:20: error: invalid use of undefined type 'struct hostapd_data'
  425 |         return hapd->conf->mld_ap && sta && sta->mld_info.mld_sta;
      |                    ^~

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-10-02 15:12:18 +02:00
Janusz Dziedzic
b1d6068330 hostapd: add CONFIG_DRIVER_11BE_SUPPORT
Add option to enable 802.11BE support.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-10-02 15:12:18 +02:00
Chen Minqiang
01d257e95f ppp: add delegate option support
Ipv6 delegate option is not respected by proto of ppp/pptp/pppoe/pppoa
this add support for them.

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15508
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 23:43:08 +02:00
Jianhui Zhao
b4dfa3b33c hostapd: fix UPDATE_VAL fail in uc_hostapd_iface_start
If the `intval` obtained from `info` is indeed 0, it cannot be set to `conf`.

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15495
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 23:36:46 +02:00
Felix Fietkau
df1011e0b7 hostapd: fix OWE ssid update on configuration changes
Refresh OWE transition IEs on updating BSS interfaces

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 20:37:41 +02:00
Felix Fietkau
81a48e7d1a wpa_supplicant: fix num_global_macaddr handling
Pass num_global_macaddr via ubus in the top level config_set call

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 20:33:45 +02:00
Felix Fietkau
b4e7682c54 hostapd: fix num_global_macaddr and mbssid config handling
Store the config values in the correct field and apply them on restart too

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 20:14:51 +02:00
Felix Fietkau
1a288670d9 hostapd: fold extra APuP patches into main patch + src/
Simplifies maintenance

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 18:33:52 +02:00
Felix Fietkau
127078567b hostapd: improve ucode bss notifications
Reduce code duplication, add extra callback for bss create

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-09-21 18:32:26 +02:00
Ivan Pavlov
da11a1e20c hostapd: update to version 2024-09-15
Remove upstreamed from 2.11 release:
  060-nl80211-fix-crash-when-adding-an-interface-fails.patch

Rebase all other patches

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-09-16 10:32:43 +02:00
Ivan Pavlov
395afc4c58 hostapd: update to 2.11 release tag
Release 2.11 has been quite a few new features and fixes since the 2.10
release. The following ChangeLog entries highlight some of the main
changes:

* Wi-Fi Easy Connect
  - add support for DPP release 3
  - allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
  - various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
  - add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
  drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
  - use Secure=1 in message 3 during PTK rekeying

...and many more

Remove upstreamed patches:
  023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
  030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
  040-mesh-allow-processing-authentication-frames-in-block.patch
  181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
  182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
  183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
  210-build-de-duplicate-_DIRS-before-calling-mkdir.patch
  253-qos_map_set_without_interworking.patch
  751-qos_map_ignore_when_unsupported.patch
  800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
  801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
  802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch

Other patches has been updated.

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-09-16 10:32:43 +02:00
Gioacchino Mazzurco
d760576132 hostapd: ensure that interface name is not null
Include hotfix suggested by Sebastian Gottschall to fix bug introduced
with APuP patchset

Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: 0c3001a69e
Link: https://github.com/openwrt/openwrt/pull/16298
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-06 22:42:42 +02:00
Carsten Schuette
57c600dc27 dnsmasq: Add EDNS0 Upstream support
Forward client mac address and subnet on dns queries. Pi-hole and Adguard use this feature to send the originators ip address/subnet so it can be logged and not just the nat address of the router. This feature has been added since version 2.56 of dnsmasq and would be nice to expose this feature in openwrt.

Signed-off-by: Carsten Schuette <schuettecarsten@googlemail.com>
Link: https://github.com/openwrt/openwrt/pull/15965
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-08-24 21:25:17 +02:00
Sylvain Monné
88186c85f9 uhttpd: restart daemon if certificate has changed
Fixes #16075

When the SSL certificate used by uhttpd has been changed, calling
`/etc/init.d/uhttpd reload` will now have the effect of restarting the
daemon to make the change effective.

Signed-off-by: Sylvain Monné <sylvain@monne.contact>
Link: https://github.com/openwrt/openwrt/pull/16076
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-08-19 18:46:08 +02:00
Hannu Nyman
0b7d99147b uhttpd: Decrease the default validity time of certificate
The recommended maximum validity period is currently 397 days
and some browsers throw warning with longer periods.

Reference to
https://cabforum.org/working-groups/server/baseline-requirements/
 6.3.2 Certificate operational periods and key pair usage periods
 Subscriber Certificates issued on or after 1 September 2020
 SHOULD NOT have a Validity Period greater than 397 days and
 MUST NOT have a Validity Period greater than 398 days.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-08-13 21:07:13 +02:00
Pat Fruth
db4e8ef952 uhttpd: Include new extensions in uhttpd self-signed certs
The introduction of MacOS Catalina includes new requirements for self-signed certificates.
See: https://support.apple.com/en-us/HT210176
These new requirements include the addition of two TLS server certificate extensions.
- extendedKeyUsage
- subjectAltName
The extendedKeyUsage must be set to serverAuth.
The subjectAltName must be set to the DNS name of the server.
In the absense of these new extensions, when the LUCI web interface is configured to use HTTPS and
self-signed certs, MacOS user running Google Chrome browsers will not be able to access the LUCI web enterface.
If you are generating self-signed certs which do not include that extension, Chrome will
report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID".  You can click through to
ignore the latter, but not the former.

This change updates the uhttpd init script to generate self-signed cert that meets the new requirements.
Signed-off-by: Pat Fruth <pat@patfruth.com>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-08-13 21:07:13 +02:00
Gioacchino Mazzurco
e80520197c hostapd: Add support for APuP
Add support for hostapd Access Point Micro Peering

Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: https://gitlab.com/g10h4ck/hostap/-/commits/APuP
Link: https://github.com/openwrt/openwrt/pull/15442
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-08-13 00:28:32 +02:00
Rany Hany
db7f70fe61 hostapd: fix SAE H2E security vulnerability
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.

As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].

An explanation of the impact of the vulnerability is provided from the
advisory[1]:

This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.

[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt

Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16042
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-08-02 23:13:44 +02:00
David Bauer
89d7051485 hostapd: bump PKG_RELEASE
Signed-off-by: David Bauer <mail@david-bauer.net>
2024-06-30 22:23:11 +02:00
David Bauer
68e4cc9be5 hostapd: don't ignore probe-requests with invalid DSSS params
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.

As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.

However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.

These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.

Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-06-30 22:23:11 +02:00
Felix Fietkau
032d3fcf7a hostapd: use strdup on string passed to hostapd_add_iface
The data is modified within hostapd_add_iface

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-21 11:52:25 +02:00
Felix Fietkau
3984fb0582 hostapd: fix crash on interface setup failure
Add a missing NULL pointer check when deleting beacons

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-21 11:52:25 +02:00
Christian Marangi
9f6fc4f524
dropbear: don't install /usr/lib/opkg/info in package install
Don't install /usr/lib/opkg/info in package install as it doesn't make
sense and conflicts with APK installations.

Fixes: a377aa9ab5 ("add dropkey ssh keys and config files to the conffiles section (#2014)")
Link: https://github.com/openwrt/openwrt/pull/15543
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-06-11 23:58:17 +02:00
Felix Fietkau
a3d1583317 Revert "hostapd: add support for authenticating with multiple PSKs via ubus helper"
This reverts commit c67d5189a4.
Revert until reported issues have been resolved

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-06-06 21:34:20 +02:00