The internal hostapd version cannot be built with EAP-pwd support, so
enable it only for the SSL variants.
Fixes: #17163
Fixes: 6365316fab ("hostapd: add ubus support for wired driver")
Link: https://github.com/openwrt/openwrt/pull/17164
Signed-off-by: Robert Marko <robimarko@gmail.com>
Use and alternate ubus object when the config contains "driver=wired". This
commit is in preparation of the ieee8021x-wired daemon.
Signed-off-by: John Crispin <john@phrozen.org>
This allows a radius server to send AVPs for client rate control inside the
accept message. Further add the ratelimits to the sta-authorized ubus
notification.
Signed-off-by: John Crispin <john@phrozen.org>
These two were getting rather long.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Link: https://github.com/openwrt/openwrt/pull/16849
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Supports reading the same parameters currently being used by iwinfo.
Preparation for replacing iwinfo with a rewrite in ucode.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can happen if the bridge or a stacked vlan device gets recreated.
Ensure that hostapd sees the change and handles it gracefully.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
In file included from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/ubus.h:11,
from hostapd-wpad-basic-mbedtls/hostapd-2024.03.09~695277a5/src/ap/hostapd.h:21,
from main.c:26:
hostapd-2024.03.09~695277a5/src/ap/sta_info.h: In function 'ap_sta_is_mld':
hostapd-2024.03.09~695277a5/src/ap/sta_info.h:425:20: error: invalid use of undefined type 'struct hostapd_data'
425 | return hapd->conf->mld_ap && sta && sta->mld_info.mld_sta;
| ^~
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
If the `intval` obtained from `info` is indeed 0, it cannot be set to `conf`.
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15495
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Remove upstreamed from 2.11 release:
060-nl80211-fix-crash-when-adding-an-interface-fails.patch
Rebase all other patches
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
Release 2.11 has been quite a few new features and fixes since the 2.10
release. The following ChangeLog entries highlight some of the main
changes:
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
...and many more
Remove upstreamed patches:
023-ndisc_snoop-call-dl_list_del-before-freeing-ipv6-add.patch
030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
040-mesh-allow-processing-authentication-frames-in-block.patch
181-driver_nl80211-update-drv-ifindex-on-removing-the-fi.patch
182-nl80211-move-nl80211_put_freq_params-call-outside-of.patch
183-hostapd-cancel-channel_list_update_timeout-in-hostap.patch
210-build-de-duplicate-_DIRS-before-calling-mkdir.patch
253-qos_map_set_without_interworking.patch
751-qos_map_ignore_when_unsupported.patch
800-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
801-SAE-Check-for-invalid-Rejected-Groups-element-length.patch
802-SAE-Reject-invalid-Rejected-Groups-element-in-the-pa.patch
Other patches has been updated.
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16338
Signed-off-by: Robert Marko <robimarko@gmail.com>
Include hotfix suggested by Sebastian Gottschall to fix bug introduced
with APuP patchset
Signed-off-by: Gioacchino Mazzurco <gio@polymathes.cc>
Link: 0c3001a69e
Link: https://github.com/openwrt/openwrt/pull/16298
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This patch backports fixes for a security vulnerability impacting the
hostapd implementation of SAE H2E.
As upgrading hostapd would require more testing, the second mitigation
step which involves backporting several patches was adopted as outlined
in the official advisory[1].
An explanation of the impact of the vulnerability is provided from the
advisory[1]:
This vulnerability allows the attacker to downgrade the negotiated group
to another enabled group if both the AP and STA have enabled SAE H2E and
multiple groups. It should be noted that the H2E option is not enabled
by default and the attack is not applicable to the default option, i.e.,
hunting-and-pecking, since it does not have any downgrade protection for
group negotiation. In addition, the default configuration for enabled
SAE groups in hostapd is to enable only a single group, so the
vulnerability is not applicable unless hostapd has been explicitly
configured to enable more groups for SAE.
[1]: https://w1.fi/security/2024-2/sae-h2h-and-incomplete-downgrade-protection-for-group-negotiation.txt
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/16042
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.
As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.
However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.
These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.
Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.
Signed-off-by: Paul Spooren <mail@aparcar.org>
hostapd packages were accidentally left out. Clean up this mess by
changing the dependencies to hostapd-common
Signed-off-by: Felix Fietkau <nbd@nbd.name>
- move build/ifdef related changes together to the 200 patch range
- reduce adding/removing include statements across patches
- move patches away from the 99x patch range to simplify maintenance
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This adds From:, Date: and Subject: to patches, allowing one to run 'git
am' to import the patches to a hostapd git repository.
From: and Date: fields were taken from the OpenWrt commit where the
patches were first introduced.
Most of the Subject: also followed suit, except for:
- 300-noscan.patch: Took the description from the LuCI web interface
- 350-nl80211_del_beacon_bss.patch: Used the file name
The order of the files in the patch was changed to match what git
format-patch does.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Patch 050-build_fix.patch fixes the abscence of sha384-kdf.o from the
list of needed objetct files when FILS is selected without any other
option that will select the .o file.
While it is a bug waiting to be fixes upstream, it is not needed for
OpenWrt use case, because OWE already selects sha384-kdf.o, and FILS is
selected along with OWE.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This brings many changes, including fixes for a couple of memory leaks,
and improved interoperability with 802.11r. There are also many changes
related to 802.11be, which is not enabled at this time.
Fixed upstream:
- 022-hostapd-fix-use-of-uninitialized-stack-variables.patch
- 180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch
- 993-2023-10-28-ACS-Fix-typo-in-bw_40-frequency-array.patch
Switch PKG_SOURCE_URL to https, since http is not currently working.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Ilya Katsnelson <me@0upti.me>
Tested by: Andrew Sim <andrewsimz@gmail.com>
Currently, both CI and local builds of wpa-supplicant will fail with:
/bin/sh: Argument list too long
Its happening as the argument list for mkdir in build.rules is too large
and over the MAX_ARG_STRLEN limit.
It seems that recent introduction of APK compatible version schema has
increased the argument size and thus pushed it over the limit uncovering
the issue.
Fixes: e8725a932e ("treewide: use APK compatible version schema")
Signed-off-by: Robert Marko <robimarko@gmail.com>
Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.
- Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.
For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data
Signed-off-by: Paul Spooren <mail@aparcar.org>
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
