Commit Graph

3431 Commits

Author SHA1 Message Date
Alexander Couzens
9431f3625b packages: assign PKG_CPE_ID for all missing packages
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining package which have a CPE ID.
Not every package has CPE id.

Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2023-09-27 17:21:26 +02:00
Hauke Mehrtens
66fa45ecef kernel: kmod-ipt-ulog: Remove package
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb03)
2023-01-06 17:23:25 +01:00
Hauke Mehrtens
18f05da13d
dnsmasq: Backport DHCPv6 server fix (CVE-2022-0934)
This backports a commit from upstream dnsmasq to fix CVE-2022-0934.

CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 002a99eccd)
2022-12-21 13:53:51 +01:00
Hauke Mehrtens
dec6584b22 iwinfo: update to latest HEAD
0dad3e6 Add support for CCMP-256 and GCMP-256 ciphers

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cc6a323e23)
2022-11-12 21:06:50 +01:00
Hauke Mehrtens
1eda1a7946 iwinfo: update to latest HEAD
705d3b5 iwinfo: Add missing auth_suites mappings for WPA3

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cc2dfc5e4d)
2022-11-12 21:06:50 +01:00
Petr Štetiar
8444302a92 treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f1b7e1434f)
(cherry picked from commit 562894b39d)
2022-10-05 21:09:50 +02:00
Felix Fietkau
cb6501435c mac80211: disable ft-over-ds by default
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 2984a04206)
2022-08-30 11:01:27 +02:00
David Bauer
69ea8afaea hostapd: ubus: fix uninitialized pointer
This fixes passing a bogus non-null pointer to the ubus handler in case
the transition request is rejected.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 9b880f09f3)
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 08:17:29 +02:00
Tiago Gaspar
b4ea8e1089 firewall: config: remove restictions on DHCPv6 allow rule
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.

Fixes: #5066

Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 65258f5d60)
2022-05-04 15:30:18 +02:00
Jo-Philipp Wich
dd58c12f0f iwinfo: drop obsolete patch
Fixes: 01cc5e195d ("iwinfo: update to latest Git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-04-27 12:25:03 +02:00
David Bauer
5b7d01b427 iwinfo: update to latest HEAD
dc6847e iwinfo: nl80211: omit A-hwmode on non-5GHz hardware

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f757a8a098)
2022-04-27 11:37:43 +02:00
David Bauer
39aaec62ca hostapd: refresh patches
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-04-27 11:37:39 +02:00
David Bauer
e2030fcfa7 hostapd: add ubus link-measurements notifications
Notify external ubus subscribers of received link-measurement reports.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f6445cfa1a)
2022-04-27 11:37:39 +02:00
David Bauer
1a2940f68e hostapd: add ubus method for requesting link measurements
Add a ubus method to request link-measurements from connected STAs.

In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 965aa33a18)
2022-04-27 11:37:39 +02:00
David Bauer
b4a9597154 hostapd: add support for enabling link measurements
Allow external processes to enable advertisement of link-measurement RRM
capability.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2ca5c3da04)
2022-04-27 11:37:39 +02:00
David Bauer
5a18028c69 iwinfo: update to latest HEAD
a479b9b devices: remove whitespace
562d015 iwinfo: nl80211: fix hwmode parsing for multi-band NICs

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 46980294f6)
2022-04-27 10:26:21 +02:00
Josef Schlehofer
b519d76276 iwinfo: update to latest Git head
Changelog:
90bfbb9 devices: Add Cypress CYW43455
234075b devices: fix AMD RZ608 format
0e2a318 devices: add AMD RZ608 device-id

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 013b043564)
2022-04-27 10:26:21 +02:00
Jo-Philipp Wich
01cc5e195d iwinfo: update to latest Git HEAD
a0a0e02 iwinfo: rename hardware.txt to devices.txt

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit c13d7c82aa)
2022-04-27 10:26:15 +02:00
Felix Fietkau
44781b265c iwinfo: update to the latest version
c9b1672f5a83 nl80211: fix path compatibility issue

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 019eca1545)
2022-04-27 10:25:29 +02:00
Felix Fietkau
f7c445aa7d iwinfo: update to the latest version
aa0e3c4bbe12 iwinfo: nl80211: add support for printing the device path for a phy
dd6d6d2dec35 iwinfo: nl80211: use new path lookup function for nl80211_phy_idx_from_uci_path
268bb26d2e2a iwinfo: nl80211: support looking up phy by path=.. and macaddr=...
c0414642fead iwinfo: nl80211: fix typo

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(backported from commit 6e8475bbd0)
2022-04-27 10:25:17 +02:00
Tony Ambardar
9132344444 bpftools: fix feature override for masking clang
Rename feature variable clang-bpf-global-var following upstream changes.
This restores the HAVE_CLANG feature override and should avoid rare build
errors where a recent host clang and BTF-enabled host kernel are present.

Fixes: 23be333401 ("bpftools: update to 5.10.10")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit cf20f1bb5f)
2022-04-11 22:51:57 +02:00
David Bauer
180b750c02 hostapd: add STA extended capabilities to get_clients
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.

This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 6f78723977)
2022-03-20 01:32:36 +01:00
David Bauer
411c73f748 hostapd: add op-class to get_status output
Include the current operation class to hostapd get_status interface.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2a31e9ca97)
2022-03-20 01:32:06 +01:00
David Bauer
e44a781e11 hostapd: add beacon_interval to get_status ubus output
Add the beacon interval to hostapd status output. This allows external
services to discover the beacon interval for a specific VAP.

This way, external wireless management daemons can correctly calculate
fields containing TBTT value from absolute time-values.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 3ba9846842)
2022-03-20 01:31:47 +01:00
Martin Weinelt
95b0b8725c hostapd: remove unused mac_buff allocation
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
(cherry picked from commit cde154c871)
2022-03-20 01:31:21 +01:00
Martin Weinelt
3731ffa0ee hostapd: report bssid, ssid and channel over ubus
Imports a function from iw to convert frequencies to channel numbers.

Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
[fix potential out of bounds read]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 398df62756)
2022-03-20 01:30:52 +01:00
David Bauer
53c60d4bfa hostapd: ubus: add notification for BSS transition response
To allow steering daemons to be aware of the STA-decided transition
target, publish WNM transition responses to ubus. This way, steerings
daemons can learn about STA-chosen targets and send a better selection
of transition candidates.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a3de42e72c)
2022-03-20 01:29:59 +01:00
David Bauer
88075c87dc hostapd: ubus: add BSS transtiton request method
The existing wnm_disassoc_imminent ubus method only supports issuing a
bss transition request with the disassoc imminent flag set.
For use-cases, where the client is requested to roam to another BSS
without a pending disassoc, this existing method is not suitable.

Add a new bss_transition_request ubus method, which provides a more
universal way to dispatch a transition request. It takes the following
arguments:

Required:
addr: String - MAC-address of the STA to send the request to (colon-seperated)

Optional:
abridged - Bool - Indicates if the abridged flag is set
disassociation_imminent: Bool - Whether or not the disassoc_imminent
                         flag is set
disassociation_timer: I32 - number of TBTTs after which the client will
                      be disassociated
validity_period: I32 - number of TBTTs after which the beacon
                 candidate list (if included) will be invalid
neighbors: blob-array - Array of strings containing neighbor reports as
           hex-string

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 0eed96ca5d)
2022-03-20 01:29:09 +01:00
John Crispin
abf8209d7f hostapd: fix radius problem due to invalid attributes
The offending commit caused the configuration file to contain:
  radius_auth_req_attr=
  radius_acct_req_attr=
which cause hostapd to add an ATTR of type 0 into the messages.

hostapd: RADIUS message: code=4 (Accounting-Request) identifier=0 length=93
hostapd:    Attribute 40 (Acct-Status-Type) length=6
hostapd:       Value: 7
hostapd:    Attribute 30 (Called-Station-Id) length=28
hostapd:       Value: 'C4-41-1E-F5-2D-55:OpenWifi'
hostapd:    Attribute 61 (NAS-Port-Type) length=6
hostapd:       Value: 19
hostapd:    Attribute 0 (?Unknown?) length=3    <----------------
hostapd:    Attribute 55 (Event-Timestamp) length=6
hostapd:       Value: 1622726457
hostapd:    Attribute 41 (Acct-Delay-Time) length=6
hostapd:       Value: 0
hostapd:    Attribute 44 (Acct-Session-Id) length=18
hostapd:       Value: '9B5961E7235AAEC6'

Closes: #9315
Fixes: ce7a170414 ("hostapd: add additional radius options")
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [pkg version bump]
(cherry picked from commit 96e9c81aab)
2022-02-26 09:27:15 +01:00
Hauke Mehrtens
59e7ae8d65 tcpdump: Fix CVE-2018-16301
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8f5875c4e2)
2022-02-13 00:23:30 +01:00
Hauke Mehrtens
0c0db6e66b hostapd: Apply SAE/EAP-pwd side-channel attack update 2
This fixes some recent security problems in hostapd.
See here for details: https://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-13 00:23:30 +01:00
Hauke Mehrtens
4dddb7ca36 tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 18bdfc803b)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[rebased for OpenWrt 21.02 branch]
2021-12-29 23:45:37 +01:00
Felix Fietkau
d655eea053 hostapd: only attempt to set qos map if supported by the driver
Fixes issues with brcmfmac

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 5e67cd63c4)
2021-12-23 19:20:34 +01:00
Felix Fietkau
77667a7eb6 hostapd: add a patch that allows processing auth requests for peers in blocked state
If authentication fails repeatedly e.g. because of a weak signal, the link
can end up in blocked state. If one of the nodes tries to establish a link
again before it is unblocked on the other side, it will block the link to
that other side. The same happens on the other side when it unblocks the
link. In that scenario, the link never recovers on its own.

To fix this, allow restarting authentication even if the link is in blocked
state, but don't initiate the attempt until the blocked period is over.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit f84053af5c)
2021-11-24 18:31:04 +01:00
Felix Fietkau
9127e5193e hostapd: bump PKG_RELEASE
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-24 15:43:10 +01:00
David Bauer
dec9e83956 hostapd: fix goto loop for ubus assoc handler
When a ubus event handler denies a association with a non-zero return
value, the code jumps to preceeding code, creating an endless loop until
the event handler accepts the assc request.

Move the ubus handler further up the code to avoid creating such a loop.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-11-23 22:27:13 +01:00
Felix Fietkau
c254d83ea8 hostapd: enable ht40 in wpa_supplicant when using wider HE modes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit c26d741d07)
2021-11-23 18:30:05 +01:00
Felix Fietkau
0243f09465 hostapd: add support for providing vendor specific IE elements
They can be added as hex digit strings via the 'vendor_elements' option

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 1818b038d7)
2021-11-23 18:30:05 +01:00
John Crispin
28b30ae10b hostapd: add eap_server support
This makes it possible to avoid using a RADIUS server for WPA enterprise authentication

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from 98621c9782)
2021-11-23 18:30:05 +01:00
Felix Fietkau
21eb0a5aa3 hostapd: add default values for r0kh/r1kh
This allows WPA enterprise roaming in the same mobility domain without any
manual key configuration (aside from radius credentials)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 704ab6a002)
2021-11-23 18:30:05 +01:00
Felix Fietkau
32b047e22e hostapd: add support for configuring the beacon rate
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 46509a51dd)
2021-11-23 18:30:05 +01:00
Felix Fietkau
1f5155d005 hostapd: add support for configuring rts threshold
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26da5c2359)
2021-11-23 18:30:05 +01:00
David Bauer
75f72696b5 hostapd: fix use after free bugs
Using a pointer one lifter after it freed is not the best idea.
Let's not do that.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry-picked from commit 63c01ad025)
2021-11-23 18:30:05 +01:00
Felix Fietkau
0b75372275 hostapd: add wmm qos map set by default
This implements the mapping recommendations from RFC8325, with an
update from RFC8622. This ensures that DSCP marked packets are properly
sorted into WMM classes.
The map can be disabled by setting iw_qos_map_set to something invalid
like 'none'

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit a5e3def182)
2021-11-23 18:30:05 +01:00
Felix Fietkau
6ac1b9188a hostapd: support qos_map_set without CONFIG_INTERWORKING
This feature is useful on its own even without full interworking support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit efff3520f4)
2021-11-23 18:30:04 +01:00
Felix Fietkau
5a8988baa9 hostapd: refresh patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-11-23 18:30:04 +01:00
Felix Fietkau
9b660c63ad hostapd: fix a race condition on adding AP mode wds sta interfaces
Both hostapd and netifd attempt to add a VLAN device to a bridge.
Depending on which one wins the race, bridge vlan settings might be incomplete,
or hostapd might run into an error and refuse to service the client.
Fix this by preventing hostapd from adding interfaces to the bridge and
instead rely entirely on netifd handling this properly

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit da4be02fcd)
(cherry-picked from commit 63c01ad025)
2021-11-23 18:30:04 +01:00
Felix Fietkau
d9373c5922 hostapd: fix max_oper_chwidth setting for HE
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 2319cf4ec0)
2021-11-23 18:30:04 +01:00
Felix Fietkau
4a53adbd43 hostapd: let netifd set bridge port attributes for snooping
Avoids race conditions on bridge member add/remove

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 17d19a7d43)
2021-11-23 18:30:04 +01:00
Jesus Fernandez Manzano
345f8fc7f3 hostapd: respect fixed channel BW in HE20 mode
When using htmode 'HE20' with a radio mode that uses wpa-supplicant
(like mesh or sta), it will default to 40 MHz bw if disable_ht40 is not
set. This commit fixes this behaviour.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
(cherry-picked from commit af83e3ce0f)
2021-11-23 18:30:04 +01:00