This is not activated by default and must be explicitly enabled via ubus
It supports reporting log messages and netlink packets
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The new rewritten ipcalc.sh understands 3 notations:
ipaddr/prefix ...
ipaddr/dotted-netmask ...
ipaddr dotted-netmask ...
meaning that the previous 4th non-standard notation of "ipaddr prefix"
will be dropped, alas that's the notation that dnsmasq currently uses.
This change has us using the first notation which is the most common.
This behavior came in as
eda27e8382
a long time ago.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.
This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.
Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
noscan option for mesh was broken and actually never applied.
This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
It's already pulled in from /etc/rc.common.
Fixes: #13758
Fixes: 6b23836071 ("package: avoid the use of eval to parse ipcalc.sh output")
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Signed-off-by: David Bauer <mail@david-bauer.net>
d8118f6 config: make sure timer is not on the timeouts list before freeing
4bbc6e7 add hostsfile output in addition to statefile
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The option 31 in the RA specifies the DNS search list, the support
to configure this via UCI is missing in case dnsmasq-dhcpv6 is used.
This commit uses the uci option domain (same as is done by odhcpd) to
read and pass the DNS search list to dnsmasq, which is then used by RA.
Hence, with this commit, we are able to configure DNS search list for the
RA messages via the uci config when dnsmsaq-dhcpv6 is used.
Signed-off-by: Rahul Thakur <rahul.thakur@iopsys.eu>
479c7f8676d9 cache: make record/hostname lookup case-insensitive
26c97a5a50bf ubus: add a browse flag for suppressing cached ip addresses
c286c51a9bd9 Fix AVL tree traversal in cache_record_find and cache_host_is_known
4035fe42df58 interface: use a global socket instead of per-interface ones
c63d465698c7 cache: dump hostname target from srv records
b42b22152d73 use hostname from SRV record to look up IP addresses
d45c443aa1e6 ubus: add array flag support for the hosts method
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Recent hostapd changes just edited the ucode files. It is required to
bump the PKG_RELEASE to include the newest changes in the latest builds.
Signed-off-by: Nick Hainke <vincent@systemli.org>
If the full interface is restarted while bringing up an AP, it can trigger a
wpa_supplicant interface start before wpa_supplicant is notified of the
allocated mac addresses.
Fix this by moving the iface_update_supplicant_macaddr call to just after
the point where mac addresses are allocated.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
In the dnsmasq init script, an off-by-one in the range calculation of
ipcalc.sh was mitigated by passing the limit as if its counting started
at zero. This patch removes the mitigation as the off-by-one has been
fixed.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
Add a function 'ipcalc' to /lib/functions.sh that sets variables more
safely using export.
With this new function, dnsmasq also handles the return value of ipcalc
correctly.
Fixes: e4bd3de1be ("dnsmasq: refuse to add empty DHCP range")
Co-Authored-By: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
allow to overwrite the detected system capabilities e.g. if devices
does not operate as bridge.
Signed-off-by: Sebastian Pflieger <sebastian@pflieger.email>
The patch refresh accidentally moved the hostapd_ucode_free_iface call to
the wrong function
Fixes: e9722aef9e ("hostapd: fix a crash when disabling an interface during channel list update")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When STA is disconnected, ensure that the interface is in a cleanly stopped
state:
- if in regular enable/disable state, stop beacons if necessary
- in any other state, disable the interface
When the STA is up, ignore repeated start commands for the same channel, in
order to avoid unnecessary AP restarts
Signed-off-by: Felix Fietkau <nbd@nbd.name>
8e6485a1bcb0 PEAP client: Update Phase 2 authentication requirements
de9a11f4dde9 TTLS client: Support phase2_auth=2
b2a1e7fe7ab9 tests: PEAP and TTLS phase2_auth behavior
518ae8c7cca8 P2P: Do not print control characters in debug
a4c133ea73c7 WPS: Optimize attribute parsing workaround
7a37a94eaa0d Check whether element parsing has failed
f80d83368818 ACS: Remove invalid debug print
fb2b7858a728 FILS: Fix HE MCS field initialization
50ee26fc7044 P2P: Check p2p_channel_select() return value
a50d1ea6a2b3 Add QCA vendor attributes for user defined power save parameters
4636476b7f22 Set RRM used config if the (Re)Association Request frame has RRM IE
e53d44ac63e8 AP MLD: Use STA assoc link address in external auth status to the driver
99a96b2f9df7 AP MLD: OWE when SME is offloaded to the driver
96deacf5d710 nl80211: Skip STA MLO link channel switch handling in AP mode
d320692d918a AP MLD: Handle new STA event when using SME offload to the driver
faee8b99e928 tests: Fix eht_mld_sae_legacy_client to restore sae_pwe
c3f465c56c94 wlantest: Handle variable length MIC field in EAPOL-Key with OWE
605034240e0c wlantest: Support multiple input files
053bd8af8ed2 Recognize FTE MLO subelements
43b5f11d969a Defragmentation of FTE
3973300b8ded FTE protected element check for MLO Reassociation Response frame
74e4a0a6f1e4 wlantest: Learn AP MLD MAC address from Beacon frames
a5a0b2cf7b1b wlantest: Find non-AP MLD only from affiliated BSSs of the AP MLD
74472758584d wlantest: Recognize non-AP MLD based on any link address for decryption
1ffabd697c67 wlantest: Learn non-AP MLD MAC address from (Re)Association Request frames
4e8e515f92b9 wlantest: Use MLO search for the STA in reassociation
49bf9f2df95a wlantest: Use the MLD MAC address as well for matching STA entries
5434a42ec69c wlantest: Search for FT Target AP using MLD MAC address as well
a19fcf685cae wlantest: Include the MLD MAC address of the AP MLD in new-STA prints
709d46da73da wlantest: Do not claim update to AP MD MAC address if no change
770760454f9e wlantest: Do not update BSS entries for other AP MLDs in PTK cloning
084745ffc508 Add QCA vendor attributes for NDP setup
bf9cbb462fd9 Fix writing of BIGTK in FT protocol
011775af9443 tests: Check for beacon loss when using beacon protection
8f148d51322f Fix a compiler warning on prototype mismatch
b7db495ad9c9 AP: Fix ieee802_1x_ml_set_sta_authorized()
232667eafe0d Fix CCMP test vector issues
30771e6e05ed Include PTID in PV1 nonce construction for CCMP test vector
34841cfd9aba Minor formatting changes to CCMP test vectors
a685d84139e6 BSS coloring: Fix CCA with multiple BSS
bc0636841a70 wpa_supplicant: Fix configuration parsing error for tx_queue_*
2763d1d97e66 hostapd: Fix AID assignment in multiple BSSID
763a19286e2f AP: Add configuration option to specify the desired MLD address
bd209633eb10 AP: Use is_zero_ether_addr() to check if BSSID is NULL
bc0268d053b4 wlantest: Guess SAE/OWE group from EAPOL-Key length mismatch
a94ba5322803 EHT: Support puncturing for 320 MHz channel bandwidth
7e1f5c44c97e EHT: 320 MHz DFS support
6f293b32112a QCA vendor attributes for updating roaming AP BSSID info
5856373554eb Extend QCA vendor command to include more parameters for netdev events
e080930aa0a5 Define QCA vendor roam control RSSI attributes
fe72afe713ad Define QCA vendor attribute for high RSSI roam trigger threshold
47a65ccbfde2 P2P: Clean wpa_s->last_ssid when removing a temporary group network
884125ab7d21 tests: P2P autonomous GO and clearing of networking information
7637d0f25053 P2P: Do not filter pref_freq_list if the driver does not provide one
dd1330b502ff Fix hostapd interface cleanup with multiple interfaces
0a6842d5030e nl80211: Fix beacon rate configuration for legacy rates 36, 48, 54 Mbps
d606efe054d5 tests: Beacon rate configuration for 54 Mbps
f91d10c0e6aa tests: Update RSA 3k certificates
07d3c1177bbb tests: Make sae_proto_hostapd_status_* more robust
1085e3bdc6f6 Update iface->current_mode when fetching new hw_features
338a78846b44 Add a QCA vendor sub command for transmit latency statistics
9318db7c38bc wlantest: Use local variables for AA/SPA in FT Request/Response processing
628b9f10223d wlantest: Derive PMK-R1 and PTK using AA/SPA for MLO FT over-the-DS
104aa291e5c8 wlantest: Fix FT over-the-DS decryption
37c87efecfe3 wlantest: Search SPA using MLO aware find for FT Request/Response frame
19f33d7929e8 wlantest: Learn the Link ID for AP MLD affiliated BSSs
6ae43bb10323 wlantest: Learn link address for assoc link from (Re)Association Request
4c079dcc64da Increment hmac_sha*_vector() maximum num_elem value to 25
e6f64a8e1daf FT: FTE MIC calculation for MLO Reassociation Request frame
a83575df5994 wlantest: FTE MIC calculation for MLO Reassociation Request frames
ff02f734baf8 wlantest: Allow specific link BSS to be found with bss_find_mld()
7381c60db8f0 FT: Make FTE MIC calculation more flexible
ac9bf1cc2a4c Decrement hmac_sha*_vector() maximum num_elem value to 11
aa08d9d76803 Fix use of defragmented FTE information
78b153f90a74 Calculate defragmented FTE length during IE parsing
8cf919ffd5c4 wlantest: FTE MIC calculation for MLO Reassociation Response frame
d12a3dce82a9 wlantest: Store and check SNonce/ANonce for FT Authentication
20febfd7838d wlantest: Dump MLO association information in debug
609864d6a8a1 Add QCA vendor attribute to configure MLD ID in ML probe request
12154861e24a Add support for conversion to little endian for 24 bits
c437665041c0 Add Non EHT SCS Capability in (Re)Association Request frames
33da386553b7 SCS: Add support for QoS Characteristics in SCS request
edfca280cbe8 SCS: Add support for optional QoS Charateristics parameters
32dcec9529ec Send actual MFP configuration when driver takes care of BSS selection
123d16d860fa Update hw_mode when CSA finishes
b3d852560bda Change QCA vendor configure attribution name of peer MAC address
12fabc4765c2 Add QCA vendor attribute for configuring max A-MPDU aggregation count
f6eaa7b729cb Add QCA vendor attribute for TTLM negotiation support type
f6dcd326fea7 wlantest: Indicate ToDS/FromDS values for BSS DATA entries
6ce745bb87d4 wlantest: MLO support for decrypting 4-address frames
850dc1482953 wlantest: Remove duplicated A1/A2/A3 override detection for MLO
770e5a808fbb wlantest: Determine whether A1 points to STA once in rx_data_bss_prot()
377d617b574a Define new BSS command info mask for AP MLD address
d3ab6e001f62 wlantest: Use non-AP MLD's MLD MAC address in FT over-the-air derivation
a845601ffe32 wlantest: Derive PTK in MLO using MLD MAC addresses for FT over-the-air
0cd2bfc8a402 wlantest: Fix FTE MIC calculation for MLO Reassociation Response frames
528abdeb673b wlantest: Learn group keys from MLO FT Reassociation Response frames
990600753dd9 wlantest: Defragment Basic MLE before processing
de043ec01ab5 wlantest: Defragment the Per-STA Profile subelement
bae1ec693c44 wlantest: Minimal parsing of Basic MLE STA Profile
ba1579f3bf7c Clear BIGTK values from wpa_supplicant state machine when not needed
b46c4b9a916a tests: Beacon protection and reconnection
3e71516936b7 Document per-ESS MAC address (mac_addr=3 and mac_value)
f85b2b2dee3b Extend wpa_parse_kde_ies() to include EHT capabilities
e3a68081bc1e driver: Add option for link ID to be specified for send_tdls_mgmt()
c7561502f2e8 nl80211: Use a QCA vendor command to set the link for TDLS Discovery Response
a41c8dbdd84e TDLS: Copy peer's EHT capabilities
626501434be1 TDLS: Learn MLD link ID from TDLS Discovery Response
5f30f62eead7 TDLS: Reply to Discovery Request on the link with matching BSSID
940ef9a05c0f TDLS: Use link-specific BSSID instead of sm->bssid for MLO cases
f429064189c3 TDLS: Set EHT/MLO information for TDLS STA into the driver
dd25885a9daa Remove space-before-tab in QCA vendor related definitions
af6e0306b2a9 Fix typos in QCA vendor related definitions
4c9af238c1e4 Fix inconsistent whitespace use in QCA vendor related definitions
e5ccbfc69ecf Split long comment lines in QCA vendor related definitions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
MAC address and interface name assigned by mac80211.sh depend on the order in
which interfaces are brought up. This order changes when interfaces get added
or removed, which can cause unnecessary reload churn.
One part of the fix it making MAC address allocation more dynamic in both
wpa_supplicant and hostapd, by ignoring the provided MAC address using
the next available one, whenever the config does not explicitly specify one.
The other part is making use of support for renaming netdevs at runtime and
preserving the MAC address for renamed netdevs.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
set_config causes the ucode bss resource to be re-created and because of that
the bss list needs to be updated as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When switching from a STA-only configuration to AP+STA on the same phy, the
STA was previously restarted in order to notify hostapd of the new frequency,
which might not match the AP configuration.
Fix the STA restart by querying the operating frequency from within hostapd
when bringing up the AP.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
WPA3 Enterprise-transitional requires optional MFP support and SHA1+SHA256
WPA3 Enterprise-only requires SHA1 support disabled and mandatory MFP.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When the STA is brought up, it is set to DISABLED before adding the bss to ucode,
so the first trigger to disable the AP is missed.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Commit e978072baaca ("Do prune_association only after the STA is
authorized") causes issues when an STA roams from one interface to
another interface on the same PHY. The mt7915 driver is not able to
handle this properly. While the commits fixes a DoS, there are other
devices and drivers with the same limitation, so revert to the orginal
behavior for now, until we have a better solution in place.
Fixes: #13156
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
It cannot be properly cloned, since it is attached to the resource type.
Use a separate registry for data. Fixes object confusion issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
An active client mode interface could prevent the AP from claiming its channel
and mess up the bringup sequence order
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Drop obsolete control interface patches.
This fixes some corner cases in the previous code where the segment 0 center
frequency was not adjusted properly, leading to logspam and non-working AP
interfaces.
Additionally, shutting down the AP was broken, because the next beacon update
would re-enable it, leading to a race condition on assoc.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Fixes this error: hostapd: nl80211: kernel reports: integer out of range
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Check the phy before removing unrelated netdevs on the same hw device
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Include AP ucode source file
Fixes: e56c5f7b27 ("hostapd: add ucode support, use ucode for the main ubus object")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This implements vastly improved dynamic configuration reload support.
It can handle configuration changes on individual wifi interfaces, as well
as adding/removing interfaces.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can be used to run a standalone EAP server that can be used from
other APs. It uses json as user database format and can automatically
handle reload.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
At least Fedora and RHEL 9 set RSAMinSize=2048, so when trying to use
failsafe, we get 'Bad server host key: Invalid key length'
To workaround the issue, we can use: ssh -o RSAMinSize=1024 ...
Generating 2048 bits RSA is extremely slow, so add ed25519.
We keep RSA 1024 to be as compatible as possible.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
5211264 odhcpd: add support for dhcpv6_pd_min_len parameter
c6bff6f router: Add PREF64 (RFC 8781) support
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add an UCI option to enable Multiple BSSID Advertisement. Enabling this
will announce all BSSIDS on a phy in a single beacon frame. The
interface that is brought up first will be the transmitting profile, all
others are non-transmitting profiles and will be advertised in the
Multiple BSSID element in Beacon and Probe Response frames of the first
interface.
This depends on driver and client support. Enabling this will result in
all but the first interface not being visible at all for clients that do
not support it.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Backport patches improving ppp interface creation. As a side effect this
also fix a bug from using netdev trigger that suffer from LED state
wrongly set due to using old ioctl for ppp creation.
Tested-by: Csaba Sipos <metro4@freemail.hu>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
412d03012f13 network: prevent adding endpoint routes for addresses on the network
faaf9cee6ef4 utils: fix ipv4 checksum issue
0e1c2fad3540 pex-msg: fix memory leak on fread fail in pex_msg_update_request_init
51be0ed659d0 host: fix crash parsing gateway when no endpoint is specified
ca17601dc24e wg-linux: add support for splitting netlink messages for allowed ips
7d3986b7a5a2 wg-linux: increase default messages size
Signed-off-by: Felix Fietkau <nbd@nbd.name>
adds ForceCommand option. If the command is specified,
it forces users to execute the command when they log in.
Signed-off-by: Nozomi Miyamori <inspc43313@yahoo.co.jp>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Update to umdns HEAD to include latest enhancements for browse method
filtering, return of TXT records as an array, dumping IPv4/6 as an
array, and including the interface name in a browse reply.
Signed-off-by: Mark Baker <mark@vpost.net>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> #ipq807x, mt7621, x86_64
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```
then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/clean
done
```
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
d4f56f0e6971 add support for handling traffic to/from the bridge device
3ea579064c00 nl: add separate socket for netlink commands
4ec5a51c6d01 nl: fetch packet stats for offloaded flows
0319fd080bf5 add support for configuring a fixed output port for a bridge member port
5b730f0c2cf5 bridger-bpf: fix build on older kernels
00af6c6e8350 nl: process IFLA_MASTER in any nl events, but skip wireless events
a2794f95756e bridger-bpf: add bpf_skb_pull_data call
6974093eb036 nl: rework vlan code to use the iflink API
d0f79a16c749 nl: do not attempt to enable flow offload on older kernels
Signed-off-by: Felix Fietkau <nbd@nbd.name>
40ab806 config: use dedicated link local function to check interface
a84bff2 netlink: add support for getting interface linklocal
2ea065f Revert "config: recheck have_link_local on interface reload if already init"
4b38e6b config: fix feature for enabling service only when interface RUNNING
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Given ipv6 has SLAAC it is quite plausible to wish to use dynamic
dhcp4 but static dhcp6. This patch keeps dynamicdhcp as the default
option for both, but is overridden by dynamicdhcpv6 or dynamicdhcpv4
Signed-off-by: Ian Dall <ian@beware.dropbear.id.au>
The dhcphostsfile must be mounted into the (ujail) sandbox.
The file can not be accessed without this mount.
Signed-off-by: Ruben Jenster <rjenster@gmail.com>
7c0f603 router: skip RA and wait for LINK-LOCAL to be assigned
ba30afc config: skip interface setup if interface not IFF_RUNNING
06b111e Revert "odhcpd: Reduce error messages"
90d6cc9 odhcpd: Reduce error messages
Also drop AUTORELEASE since it got deprecated.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".
Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."
Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.
Signed-off-by: Andre Heider <a.heider@gmail.com>
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".
Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.
Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.
Signed-off-by: Andre Heider <a.heider@gmail.com>
This allows adding backup servers, in case the primary ones fail.
Assume that port and shared secret are going to be the same.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch fixes a corner case when using passwords that are exactly 64
characters in length with mesh mode or passwords longer than 63 characters
with SAE because 'psk' is used instead of 'sae_password'.
SAE is obligatory for 802.11s (mesh point).
The 'psk' option for hostapd is suited for WPA2 and enforces length
restrictions on passwords. Values of 64 characters are treated as PMKs.
With SAE, PMKs are always generated during the handshake and there are no
length restrictions.
The 'sae_password' option is more suited for SAE and should be used
instead.
Before this patch, the 'sae_password' option is only used with mesh mode
passwords that are not 64 characters long.
As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk
limitation).
Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
differentiation only when PSK is used.
Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Use ipcalc's return value to react to invalid range specifications.
By simply ignoring the range instead of aborting with an error code,
dnsmasq should still start when there's an error (best effort).
Aborting the config generation or working with invalid range specs leaves
dnsmasq crash-looping which is the right thing to do concerning that
particular interface but it also hinders DHCP service on other interfaces
and DNS on the router itself.
Signed-off-by: Leon M. George <leon@georgemail.eu>
uhttpd's cmake options all default to ON. Either we set all of them or
none if the defaults need to be changed. Let's go with the latter.
Because support for all modules is always compiled in, remove two unused
and useless config toggles.
uhttpd detects and uses libcrypt itself, no need to add it here again.
Signed-off-by: Andre Heider <a.heider@gmail.com>
47561aa mimetypes: add audio/video support for apple airplay
6341357 ucode: respect all arguments passed to send()
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Dnsmasq DNS cache size is only 150 by default.
Set the uci default value to 1000, so that cache gets used more
and unnecessary DNS queries to upstream can be avoided.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
There is currently a problem with making reproducible version of lldpd.
The tool version is generated based on 3 source:
1. .dist-version file in release tar
2. git hash with presence of .git directory
3. current date
Using the codeload tar from github results in getting the repo without
the .git directory and since they are not release tar, we don't have
.dist-version. This results in having lldpd bin with a version set to
the current build time.
Switch to release tar so that we correctly have a .dist-version file and
the version is not based on the build time.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
def7755c459d add missing copyright headers
f68307fd96d7 add hairpin mode support
9ee8f433ba4e nl: do not pass NDA_VLAN with vid=0
978c1f9eed07 add support for the bridge port isolated flag
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The libraries libpthread, libdl, libutil, libanl have been integrated
into the libc library in version 2.34. it is not needed to explicitly
link them any more.
Most of the functions have been moved from the librt.so into libc.so
some time ago already.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Most relevant feature for openwrt in this release, supports dynamically
removing hosts from 'hostsdir' supplied host files.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
hostapd's compile time option CONFIG_IEEE80211N was removed almost 3 years
ago, 80.211n/HT is always included since then.
Noticed because `hostapd -v11n` confusingly returned an error.
See hostapd's commit:
f3bcd69603 "Remove CONFIG_IEEE80211N build option"
Signed-off-by: Andre Heider <a.heider@gmail.com>
eee80211_frequency_to_channel() isn't used anymore, which is a leftover from:
2a31e9ca97 "hostapd: add op-class to get_status output"
Signed-off-by: Andre Heider <a.heider@gmail.com>
Add new UCI list 'addn_mount' allowing the expose additional filesystem
paths to the jailed dnsmasq process. This is useful e.g. in case of
manually configured includes to the configuration file or symlinks
pointing outside of the exposed paths as used by e.g. the safe-search
package in the packages feed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This add --filter-A and --filter-AAAA options, to remove IPv4 or IPv6
addresses from DNS answers. these options is supported since version 2.87.
Co-authored-by: NueXini <nuexini@alumni.tongji.edu.cn>
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
dtim_period is a bss property, not a device one.
It is already handled properly in mac80211.sh
Fixes: 30c64825c7 ("hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add build option for nftables sets. By default disable iptables ipset
support. By default enable nftable nftset support since this is what
fw4 uses.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dnsmasq: nftset: serve from ipset config
Use existing ipset configs as source for nftsets to be compatible with
existing configs. As the OS can either have iptables XOR nftables
support, it's fine to provide both to dnsmasq. dnsmasq will silently
fail for the present one. Depending on the dnsmasq compile time options,
the ipsets or nftsets option will not be added to the dnsmasq config
file.
dnsmasq will try to add the IP addresses to all sets, regardless of the
IP version defined for the set. Adding an IPv6 to an IPv4 set and vice
versa will silently fail.
Signed-off-by: Mathias Kresin <dev@kresin.me>
dnsmasq: support populating nftsets in addition to ipsets
Tell dnsmasq to populate nftsets instead of ipsets, if firewall4 is present in
the system. Keep the same configuration syntax in /etc/config/dhcp, for
compatibility purposes.
Huge thanks to Jo-Philipp Wich for basically writing the function.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
dnsmasq: obtain nftset ip family from nft
Unfortunately dnsmasq nft is noisy if an attempt to add a mismatched ip address
family to an nft set is made.
Heuristic to guess which ip family a nft set might belong by inferring
from the set name.
In order of preference:
If setname ends with standalone '4' or '6' use that, else
if setname has '4' or '6' delimited by '-' or '_' use that (eg
foo-4-bar) else
If setname begins with '4' or '6' standalone use that.
By standalone I mean not as part of a larger number eg. 24
If the above fails then use the existing nft set query mechanism and if
that fails, well you're stuffed!
With-thanks-to: Jo-Philipp Wich <jo@mein.io> who improved my regexp
knowledge.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
dnsmasq: specify firewall table for nftset
Permit ipsets to specify an nftables table for the set. New config
parameter is 'table'. If not specified the default of 'fw4' is used.
config ipset
list name 'BK_4,BK_6'
option table 'dscpclassify'
option table_family 'ip'
option family '4'
list domain 'ms-acdc.office.com'
list domain 'windowsupdate.com'
list domain 'update.microsoft.com'
list domain 'graph.microsoft.com'
list domain '1drv.ms'
list domain '1drv.com'
The table family can also be specified, usually 'ip' or 'ip6' else the
default 'inet' capable of both ipv4 & ipv6 is used.
If the table family is not specified then finally a family option is
available to specify either '4' or '6' for ipv4 or ipv6 respectively.
This is all in addition to the existing heuristic that will look in the
nftset name for an ip family clue, or in total desperation, query the
value from the nftset itself.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When running sysupgrade from an existing configuration, move existing
ipset definitions to a dedicated config section. Later on, it will allow
to serve ipset as well as nftable sets from the same configuration.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This backports a commit from upstream dnsmasq to fix CVE-2022-0934.
CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Calling /etc/init.d/uhttpd reload directly in the acme hotplug script
can inadvertently start a stopped instance.
Signed-off-by: Glen Huang <i@glenhuang.com>
a92c0a7 dhcpv6-ia: make tmp lease file hidden
4a673e1 fix null pointer dereference for INFORM messages
860ca90 odhcpd: Support for Option NTP and SNTP
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add the measurement report value to the beacon reports send via ubus. It
is possible to derive from the measurement report if a station refused to
do a beacon report and why. It is important to know why a station refuses
to do a beacon-report. In particular, we should not request a beacon
report from a station again that refused a beacon-report before.
The rejection reasons can be found by looking at the bits defined by:
- MEASUREMENT_REPORT_MODE_ACCEPT
- MEASUREMENT_REPORT_MODE_REJECT_LATE
- MEASUREMENT_REPORT_MODE_REJECT_INCAPABLE
- MEASUREMENT_REPORT_MODE_REJECT_REFUSED
Suggested-by: Ian Clowes <clowes_ian@hotmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This will prevent `module is already loaded` lines from
appearing in the logs when a PPP connection is reconnecting
Signed-off-by: Manas Sambhus <manas.sambhus+github@gmail.com>
Also include the station auth_type in the ubus and log message in order
to detect, if clients used FT or FILS to associate
Signed-off-by: Felix Fietkau <nbd@nbd.name>
b704dc72e tests: sigma_dut and updated ConfResult value for Configurator failures
89de431f2 DPP: Add config response status value to DPP-CONF-SENT
10104915a tests: sigma_dut and DPP PB session overlap
80d5e264c Enhance QCA vendor roam event to indicate MLO links after reassociation
662249306 Update copyright notices for the QCA vendor definitions
8adcdd659 tests: Temporary workaround for dpp_chirp_ap_5g
ddcd15c2d tests: Fix fuzzing/sae build
7fa67861a tests: Fix p2p_channel_avoid3
ee3567d65 tests: Add more time for scan/connection
1d08b238c nl80211: Allow more time for the initial scan with 6 GHz
ac9e6a2ab tests: Allow 6 GHz opclasses in MBO checks
faf9c04cb Remove a host of unnecessary OPENSSL_IS_BORINGSSL ifdefs
b9cd5a82f Always process pending QCA_NL80211_VENDOR_SUBCMD_KEY_MGMT_ROAM_AUTH data
ef4cd8e33 QoS: Use common classifier_mask for ipv4/ipv6
93be02592 Add fixed FDD mode to qca_btc_chain_mode QCA vendor attribute
e7cbfa1c1 tests: sigma_dut and DPP Enrollee unsupported curves
5565fbee2 DPP: Check Enrollee supported curves when building Config Response
ceae05cec tests: sigma_dut and DPP MUDURL setting for hostapd
4cfb484e9 DPP: Allow dpp_controller_start without arguments in CLIs
c97000933 Fix ifdef condition for imsi_privacy_cert
2a9a61d6c tests: SAE with extended key AKM
e35f6ed1d tests: More detailed report on SAE PMKSA caching error case
f70db167a SAE: Derive a variable length PMK with the new AKM suites
91010e6f6 SAE: Indicate AKM suite selector in commit for new AKM suites
e81ec0962 SAE: Use H2E unconditionally with the new AKM suites
f8eed2e8b SAE: Store PMK length and AKM in SAE data
9dc4e9d13 SAE: EAPOL-Key and key/MIC length information for the new AKM suites
a32ef3cfb SAE: Driver capability flags for the new SAE AKM suites
91df8c9c6 SAE: Internal WPA_KEY_MGMT_* defines for extended key AKMs
5c8a714b1 SAE: Use wpa_key_mgmt_sae() helper
5456b0f26 Define new RSN AKM suite selector values
def33101c DPP: Clear push button announcement state on wpa_supplicant FLUSH
35587fa8f tests: DPP Controller/Relay with need to discover Controller
d22dfe918 DPP: Event message for indicating when Relay would need a Controller
ca7892e98 tests: DPP Relay and adding/removing connection to a Controller
bfe3cfc38 DPP: Allow Relay connections to Controllers to be added and removed
808834b18 Add a comparison function for hostapd_ip_addr
f7763880b DPP: Advertise Configurator connectivity on Relay automatically
ff7cc1d49 tests: DPP Relay and dynamic Controller addition
ca682f80a DPP: Dynamic Controller initiated connection on Relay
d2388bcca DPP: Strict validation of PKEX peer bootstrapping key during auth
a7b8cef8b DPP3: Fix push button boostrapping key passing through PKEX
69d7c8e6b DPP: Add peer=id entry for PKEX-over-TCP case
b607d2723 tests: sigma_dut and DPP PB Configurator in wpa_supplicant
1ff9251a8 DPP3: Push button Configurator in wpa_supplicant
b94e46bc7 tests: PB Configurator in wpa_supplicant
ca4e82cbf tests: sigma_dut DPP/PKEX initiator as Configurator over TCP and Wi-Fi
e9137950f DPP: Recognize own PKEX Exchange Request if it ends up being received
692956446 DPP: Note PKEX code/identifier deletion in debug log
dfa9183b1 tests: DPP reconfig after Controller-initiated operation through Relay
ae4a3a6f6 DPP: Add DPP-CONF-REQ-RX event for Controller
17216b524 tests: sigma_dut DPP/PKEX initiator as Configurator (TCP) through Relay
fb2937b85 DPP: Allow Controller to initiate PKEX through Relay
15af83cf1 DPP: Delete PKEX code and identifier on success completion of PKEX
d86ed5b72 tests: Allow DPP_PKEX_REMOVE success in dpp_pkex_hostapd_errors
0a4f391b1 tests: sigma_dut and DPP Connector Privacy
479e412a6 DPP3: Default value for dpp_connector_privacy
7d12871ba test: DPP Private Peer Introduction protocol
148de3e0d DPP3: Private Peer Introduction protocol
786ea402b HPKE base mode with single-shot API
f0273bc81 OpenSSL: Remove a forgotten debug print
f2bb0839f test: DPP 3rd party config information
68209ddbe DPP: Allow 3rd party information to be added into config object
0e2217c95 DPP: Allow 3rd party information to be added into config request obj
3d82fbe05 Add QCA vendor subcommand and attributes for SCS rule configuration
16b62ddfa QCA vendor attribute for DBAM configuration
004b1ff47 tests: DPP Controller initiating through Relay
451ede2c3 DPP: Allow AP/Relay to be configured to listed for new TCP connections
248654d36 tests: sigma_dut DPP PB test cases
697b7d7ec tests: DPP push button
7bbe85987 DPP3: Allow external configuration to be specified on AP for PB
8db786a43 DPP3: Testing functionality for push button announcements
37bccfcab DPP3: Push button bootstrap mechanism
a0054fe7c Add AP and STA specific P802.11az security capabilities (vendor command)
159e63613 QCA vendor command for CoAP offload processing
3b7bb17f6 Add QCA vendor attribute for TIM beacon statistics
09a281e52 Add QCA vendor interface for PASN offload to userspace
809fb96fa Add a vendor attribute to configure concurrency policy for AP interface
a5754f531 Rename QCA_NL80211_VENDOR_SUBCMD_CONCURRENT_MULTI_STA_POLICY
085a3fc76 EHT: Add 320 channel width support
bafe35df0 Move CHANWIDTH_* definitions from ieee80211_defs.h to defs.h
92f549901 tests: Remove the 80+80 vs. 160 part from wpa2_ocv_ap_vht160_mismatch
c580c2aec tests: Make OCV negative test error cases more robust
3c2ba98ad Add QCA vendor event to indicate driver recovery after internal failures
6b461f68c Set current_ssid before changing state to ASSOCIATING
8dd826741 QCA vendor attribute to configure direct data path for audio traffic
504be2f9d QCA vendor command support to get WLAN radio combinations
d5905dbc8 OCV: Check the Frequency Segment 1 Channel Number only on 80+80 MHz
Signed-off-by: David Bauer <mail@david-bauer.net>
Don't select channels designated for exclusive-indoor use when the
country3 element is set on outdoor operation.
Signed-off-by: David Bauer <mail@david-bauer.net>
e065a7627a46 pex: update last query sent timestamp
6c888f897862 unet-cli: add stun server list editing support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
21360a1b1ce6 cli: fix typo
abfebece0af1 wg-linux: ship a copy of linux/wireguard.h
1cbb1a543cb3 pex: reduce unnecessary ping traffic
0c2f39e52d5d pex: remove pex event debug spam
dcf1362c2104 pex: add support for sending/receiving global PEX messages via unix socket
df5f70b8858c ubus: notify on network updates
e58a56697131 add DHT discovery service
be175767bc67 pex: keep active pex hosts after the specified timeout
543e4a3d2ed7 pex: move rx header check to callback function
395659b9c415 pex: move raw ip send code to sendto_rawudp() in utils.c
dda15ea8b3b2 pex: add utility function to get the sockets based on type / address family
e88f2cd4d3f0 utils: add support for passings address family to network_get_endpoint()
639cdcdf6eda pex: add support for figuring out the external data port via STUN servers
9144339ebe1f pex: improve handling of a longer list of PEX hosts
38212218ecdd unet-cli: add DHT support
0d37ca75434d pex: automatically create host entries from incoming endpoint port notifications
035fcc56ef60 host: keep multiple endpoint candidates, one for each type
a089e8ae7504 pex: avoid sending a query to a host more than once every 15 seconds
Signed-off-by: Felix Fietkau <nbd@nbd.name>
There are two feature currently altered by the multicast_to_unicast option.
1. bridge level multicast_to_unicast via IGMP snooping
2. hostapd/mac80211 config multicast_to_unicast setting
The hostapd/mac80211 setting has the side effect of converting *all* multicast
or broadcast traffic into per-station duplicated unicast traffic, which can
in some cases break expectations of various protocols.
It also has been observed to cause ARP lookup failure between stations
connected to the same interface.
The bridge level feature is much more useful, since it only covers actual
multicast traffic managed by IGMP, and it implicitly defaults to 1 already.
Renaming the hostapd/mac80211 option to multicast_to_unicast_all should avoid
unintentionally enabling this feature
Signed-off-by: Felix Fietkau <nbd@nbd.name>
f5d02c32f811 pex: add support for sending endpoint notification from the wg port via raw socket
c3b1127236a0 ubus: add support for querying active networks
8ad119715168 ubus: add support for adding auth_connect hosts at runtime
26dc52789d41 network: add support for configuring extra peers via a separate json file
d7fb9e5b065b ubus: add reload command
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
b75791a6db25 scripts/update-cmd.pl: reorder add/remove calls to better deal with dynamic changes
c29e1ad045d0 scripts/update-cmd.pl: set device up before adding routes/addresses
5ad35ce4beea scripts/update-cmd.pl: run update two times
5d79b88f00c1 add support for overriding peer-exchange-port for individual hosts
0041fcacb624 add support for disabling VXLAN/eBPF support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5cbd55f60346 unet-cli: fix formatting of help text
59b97448b636 build.sh: force use of -fPIC on static libraries to fix build error
74a14c00abb0 pex-msg: fix siphash key initializer
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This package simplifies setting up wireguard networks on OpenWrt by a wireguard
network as a JSON file, which can be shared across all participating nodes.
It can be signed with an authentication key and automatically kept in sync.
unetd also supports deterministically generating ipv6 addresses for each host
based on the public key and storing those in a hosts file that can be used with
dnsmasq. It also supports automatically creating VXLAN tunnels between multiple
endpoints.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
e3395cd ucode: initialize search path before VM init
8cb3f85 ucode: initialize default library search path
188dea2 utils: accept '?' as path terminator in uh_path_match()
c5eac5d file: support using dynamic script handlers as error pages
290ff88 relay: trigger close if in header read state with pending data
f9db538 ucode: ignore exit exceptions
8ba0b64 cmake: use variables and find_library for dependency
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is
active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires
corresponding changes in netifd.
Signed-off-by: Joerg Werner <schreibubi@gmail.com>
There is no WLAN_STA_MBO flag, but according to the hostapd source code,
when an STA does not support MBO, cell_capa will be 0. Use this to
indicate MBO support in the get_clients ubus method.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: David Bauer <mail@david-bauer.net>
This PR allows a user to enable a private psk, where each station
may have it's own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.
ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.
Wireless example configuration:
option encryption 'psk2+ccmp'
option ppsk '1'
option auth_server '127.0.0.1'
option auth_secret 'radiusServerPassword'
If you want to use dynamic VLAN on PPSK also include:
option dynamic_vlan '2'
option vlan_tagged_interface 'eth0'
option vlan_bridge 'br-vlan'
option vlan_naming '0'
It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.
In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"
<sta mac> Cleartext-Password := "<sta mac>"
Tunnel-Password = <Private Password>
Example of a user configured in radius and using dynamic VLAN5:
8cb84a000000 Cleartext-Password := "8cb84a000000"
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 5,
Tunnel-Password = MyPrivPw
If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:
DEFAULT Auth-Type := Accept
Tunnel-Password = SharedPw
And if using VLANs, for example VLAN6 for default users:
DEFAULT Auth-Type := Accept
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 6,
Tunnel-Password = SharedPw
Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
Changes
- Add configure commands to alter inventory TLVs
Fixes
- Update seccomp rules for newer kernel/libc
- Correctly handle an interface whose index has changed
- Don't send VLANs when there are too many
Signed-off-by: Nick Hainke <vincent@systemli.org>
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile -basic and
-full variants with support for OCV. This feature can be configured in the
wireless config by setting ocv equal to one of the following values:
0 = disabled (hostapd/wpa_supplicant default)
1 = enabled if wpa_supplicant's SME in use. Otherwise enabled only when the
driver indicates support for operating channel validation.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Operating Channel Validation (OCV) is a security feature designed to
prevent person-in-the-middle multi-channel attacks. Compile the -basic and
-full variants of hostapd with this feature, and enable discovery of this
feature for future luci integration. OCV can be configured by setting ocv
equal to one of the following values in the wireless config:
0 = disabled (hostapd/wpa_supplicant default)
1 = enabled
2 = enabled in workaround mode - Allow STA that claims OCV capability to
connect even if the STA doesn't send OCI or negotiate PMF.
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
Enabling mbo by default on 802.11ax devices breaks for encryption types
that do not enable 802.11w by default. Disable mbo by default to fix
this. Enabling mbo by default on 802.11ax devices was not explained in
the commit message anyway.
Fixes: 6eee983656 ("hostapd: introduce mbo option")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Support the use of MBO in the bss_transition_request ubus method.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Introduce a new option mbo to toggle Multi Band Operation aka Agile
Multiband for a BSS.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Multi Band Operation is required for 802.11ax certification, so let's
enable it if 802.11ax support is enabled.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Multi Band Operation aka Agile Multiband introduces new Transition
and Transition Rejection Reason Codes that should improve client
steering. Add a config symbol to enable it, and enable it by default for
the full variants.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Document the ubus methods we added to hostapd so that people don't have
to read code to figure out which methods are available and what they do.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
4383528e0 P2P: Use weighted preferred channel list for channel selection
f2c5c8d38 QCA vendor attribute to configure RX link speed threshold for roaming
94bc94b20 Add QCA vendor attribute for DO_ACS to allow using existing scan entries
b9e2826b9 P2P: Filter 6 GHz channels if peer doesn't support them
d5a9944b8 Reserve QCA vendor sub command id 206..212
ed63c286f Remove space before tab in QCA vendor commands
e4015440a ProxyARP: Clear bridge parameters on deinit only if hostapd set them
02047e9c8 hs20-osu-client: Explicit checks for snprintf() result
cd92f7f98 FIPS PRF: Avoid duplicate SHA1Init() functionality
5c87fcc15 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
9e305878c SAE-PK: Fix build without AES-SIV
c41004d86 OpenSSL: Convert more crypto_ec_key routines to new EVP API
667a2959c OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
5b97395b3 OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
177ebfe10 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
26780d92f crypto: Convert crypto_ec_key_get_private_key() to return new bignum
c9c2c2d9c OpenSSL: Fix a memory leak on crypto_hash_init() error path
6d19dccf9 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
4f4479ef9 OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
b092d8ee6 tests: imsi_privacy_attr
563699174 EAP-SIM/AKA peer: IMSI privacy attribute
1004fb7ee tests: Testing functionality to discard DPP Public Action frames
355069616 tests: Add forgotten files for expired IMSI privacy cert tests
b9a222cdd tests: sigma_dut and DPP curve-from-URI special functionality
fa36e7ee4 tests: sigma_dut controlled STA and EAP-AKA parameters
99165cc4b Rename wpa_supplicant imsi_privacy_key configuration parameter
dde7f90a4 tests: Update VM setup example to use Ubuntu 22.04 and UML
426932f06 tests: EAP-AKA and expired imsi_privacy_key
35eda6e70 EAP-SIM peer: Free imsi_privacy_key on an error path
1328cdeb1 Do not try to use network profile with invalid imsi_privacy_key
d1652dc7c OpenSSL: Refuse to accept expired RSA certificate
866e7b745 OpenSSL: Include rsa.h for OpenSSL 3.0
bc99366f9 OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
39e662308 tests: Work around reentrant logging issues due to __del__ misuse
72641f924 tests: Clean up failed test list in parallel-vm.py
e36a7c794 tests: Support pycryptodome
a44744d3b tests: Set ECB mode for AES explicitly to work with cryptodome
e90ea900a tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
ed325ff0f DPP: Allow TCP destination (address/port) to be used from peer URI
e58dabbcf tests: DPP URI with host info
37bb4178b DPP: Host information in bootstrapping URI
1142b6e41 EHT: Do not check HE PHY capability info reserved fields
7173992b9 tests: Flush scan table in ap_wps_priority to make it more robust
b9313e17e tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
bc3699179 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
d2ce1b4d6 tests: Wait for request before responding in dscp_response
Compile-tested: all versions / ath79-generic, ramips-mt7621
Run-tested: hostapd-wolfssl / ath79-generic, ramips-mt7621
Signed-off-by: David Bauer <mail@david-bauer.net>
Fix hostapd feature detection after the bump to 2022-05-08.
getopt was not updated correctly after upstream added support for -q arg.
This reenables feature detection so that LuCi can check for features like
SAE, fast roaming etc.
Fixes: c35ff1affe ("hostapd: update to 2022-05-08")
Signed-off-by: Robert Marko <robimarko@gmail.com>
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.
How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.
Fix this and add Hotspot 2.0 capability to hostapd-full.
Signed-off-by: David Bauer <mail@david-bauer.net>
Add the current BSS color to hostapd get_status method. This field is
set to -1 in case BSS color is not active for the BSS.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
In case no specific BSS color is configured, set it to a random value.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.
Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.
Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.
`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.
A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.
This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.
```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 65
DEFAULT Cleartext-Password := "%{User-Name}"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 67
```
Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.
I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.
Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
All known users of this ubus method have been updated to use the new
bss_transition_request method instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.
Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add a ubus method to request link-measurements from connected STAs.
In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.
Signed-off-by: David Bauer <mail@david-bauer.net>