This replaces the configuration files with the versions from the hostapd
project and the adaptions done by OpenWrt.
The resulting binaries should be the same.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds processing of all CSA arguments from ubus switch_chan request
in the same manner as in the control interface API.
Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
Signed-off-by: John Crispin <john@phrozen.org>
The call "get_features" allows to gather hostapd config options
via ubus. As first infos we add the ht and vht support.
Although nl80211 supports to gather informations about
ht and vht capabilities, the hostapd configuration can disable
vht and ht. However, it is possible that the iw output is not
representing the actual hostapd configuration.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add each variant to the matching PROVIDERS variables after evaluating
the respective hostapd*, wpad* and wpa* variant.
Each package providing the same feature will automatically conflict with
all prior packages providing the same feature.
This way we can handle the conflicts automatically without introducing
recursive dependencies.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Move common variables and/or values to the package (variant) default.
Add additional values in variant packages if necessary. Remove further
duplicates by introducing new templates.
Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the
same as the variables without the any prefix. No need to maintain both
variables.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Clean up conflicts/provides/depends hell and add PROVIDES for
eapol-test variants while at it.
Update mesh-DFS patchset from Peter Oh to v5 (with local fixes) which
allows to drop two revert-patches for upstream commits which previously
were necessary to un-break mesh-DFS support.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Instead of selecting the SSL provider at compile time, build package
variants for each option so users can select the binary package without
having to build it themselves.
Most likely not all variants have actually ever been user by anyone.
We should reduce the selection to the reasonable and most used
combinations at some point in future. For now, build them all.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Support for building wpa_supplicant/hostapd against wolfssl has been
added upstream recently, add build option to allow users using it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Use ft_psk_generate_local=1 by default, as it makes everything else fairly
trivial. All of the r0kh/r1kh and key management stuff goes away and hostapd
fairly much does it all for us.
We do need to provide nas_identifier, which can be derived from the BSSID,
and we need to generate a mobility_domain, for which we default to the first
four chars of the md5sum of the SSID.
The complex manual setup should also still work, but the defaults also
now work easily out of the box. Verified by manually running hostapd
(with the autogenerated config) and watching the debug output:
wlan2: STA ac:37:43:a0:a6:ae WPA: FT authentication already completed - do not start 4-way handshake
This was previous submitted to LEDE in
https://github.com/lede-project/source/pull/1382
[dwmw2: Rewrote commit message]
Signed-off-by: Gospod Nassa <devianca@gmail.com>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
The max_oper_chwidth settings was parsed incorrectly for big endian system.
This prevented the system to switch to VHT80 (or VHT160). Instead they were
mapped to:
* HT20: 20MHz
* VHT20: 20MHz
* HT40: 40MHz
* VHT40: 40MHz
* VHT80: 40MHz
* VHT160: 40MHz
This happened because each max_oper_chwidth setting in the config file was
parsed as "0" instead of the actual value.
Fixes: a4322eba2b ("hostapd: fix encrypted mesh channel settings")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Fix encrypted (or DFS) AP+MESH interface combination in a way similar
to how it's done for AP+STA and fix netifd shell script.
Refresh patches while at it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.
Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.
This time also make sure to add all files to the patch before
committing it...
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Import two patches from Peter Oh to allow setting channel
bandwidth in the way it already works for managed interfaces.
This fixes mesh interfaces on 802.11ac devices always coming up in
VHT80 mode.
Add a patch to allow HT40 also on 2.4GHz if noscan option is set, which
also skips secondary channel scan just like noscan works in AP mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
For unencrypted mesh networks our scripts take care of setting
the various mesh_param values. wpa_supplicant changes somes of them
when being used for SAE encrypted mesh and previously didn't allow
configuring any of them. Add support for setting mesh_fwding (which
has to be set to 0 when using other routing protocols on top of
802.11s) and update our script to pass the value to wpa_supplicant.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
And import patchset to allow 802.11s mesh on DFS channels, see also
http://lists.infradead.org/pipermail/hostap/2018-April/038418.html
Fix sae_password for encryption mesh (sent upstream as well).
Also refreshed existing patches and fixed 463-add-mcast_rate-to-11s.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The following patches were merged upstream:
000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
replaced by commit 0e3bd7ac6
001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
replaced by commit cb5132bb3
002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
replaced by commit 87e2db16b
003-Prevent-installation-of-an-all-zero-TK.patch
replaced by commit 53bb18cc8
004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
replaced by commit 0adc9b28b
005-TDLS-Reject-TPK-TK-reconfiguration.patch
replaced by commit ff89af96e
006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
replaced by commit adae51f8b
007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
replaced by commit 2a9c5217b
008-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch
replaced by commit a00e946c1
009-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch
replaced by commit b488a1294
010-Optional-AP-side-workaround-for-key-reinstallation-a.patch
replaced by commit 6f234c1e2
011-Additional-consistentcy-checks-for-PTK-component-len.patch
replaced by commit a6ea66530
012-Clear-BSSID-information-in-supplicant-state-machine-.patch
replaced by commit c0fe5f125
013-WNM-Ignore-WNM-Sleep-Mode-Request-in-wnm_sleep_mode-.patch
replaced by commit 114f2830d
Some patches had to be modified to work with changed upstream source:
380-disable_ctrl_iface_mib.patch (adding more ifdef'ery)
plus some minor knits needed for other patches to apply which are not
worth being explicitely listed here.
For SAE key management in mesh mode, use the newly introduce
sae_password parameter instead of the psk parameter to also support
SAE keys which would fail the checks applied on the psk field (ie.
length and such). This fixes compatibility issues for users migrating
from authsae.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
If the auth or assoc request was denied the reason
was always WLAN_STATUS_UNSPECIFIED_FAILURE.
That's why for example the wpa supplicant was always
trying to reconnect to the AP.
Now it's possible to give reasoncodes why the auth
or assoc was denied.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add Wireless Network Management (IEEE 802.11v)
support to:
- hostapd-full
- wpa_supplicant-full
It must be enabled at runtime via UCI with:
- option ieee80211v '1'
Add UCI support for:
- time_advertisement
- time_zone
- wnm_sleep_mode
- bss_transition
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Neighbor reports are enabled implicitly on use, beacon reports and BSS
transition management need to be enabled explicitly
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add support for hostapd's radius_client_addr in order to
force hostapd to send RADIUS packets from the correct source
interface rather than letting linux select the most appropriate.
Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
In order to properly support 802.11w, hostapd needs to advertise a group
management cipher when negotiating associations.
Introduce a new per-wifi-iface option "ieee80211w_mgmt_cipher" which
defaults to the standard AES-128-CMAC cipher and always emit a
"group_mgmt_cipher" setting in native hostapd config when 802.11w is
enabled.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
Network Management (WNM) Sleep Mode handshake. Currently, hostapd
processes WNM Sleep Mode requests from clients regardless of the setting
wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
order to ignore such requests by clients when wnm_sleep_mode is disabled
(which is the default).
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.
Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.
Make this option configurable via UCI, but disabled by default.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
- Remove obsolete patch chunks regarding fixed_freq
- Instead of patching in custom HT40+/- parameters, use the standard
config syntax as much as possible.
- Use fixed_freq for mesh
- Fix issues with disabling obss scan when using fixed_freq on mesh
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The beacon_int is currently set explicitly for hostapd and when LEDE uses
iw to join and IBSS/mesh. But it was not done when wpa_supplicant was used
to join an encrypted IBSS or mesh.
This configuration is required when an AP interface is configured together
with an mesh interface. The beacon_int= line must therefore be re-added to
the wpa_supplicant config. The value is retrieved from the the global
variable.
Fixes: 1a16cb9c67 ("mac80211, hostapd: always explicitly set beacon interval")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [rebase]
The wpa_supplicant code for IBSS allows to set the mcast rate. It is
recommended to increase this value from 1 or 6 Mbit/s to something higher
when using a mesh protocol on top which uses the multicast packet loss as
indicator for the link quality.
This setting was unfortunately not applied for mesh mode. But it would be
beneficial when wpa_supplicant would behave similar to IBSS mode and set
this argument during mesh join like authsae already does. At least it is
helpful for companies/projects which are currently switching to 802.11s
(without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS
because newer drivers seem to support 802.11s but not IBSS anymore.
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh]
By default, hostapd assumes r1_key_holder equal to bssid. If LEDE
configures the same static r1 key holder ID on two different APs (BSSes) the
RRB exchanges fails behind them.
Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
This reverts commit e7373e489d.
Support of "-s" depends on the CONFIG_DEBUG_SYSLOG compile time flag which
is not enabled for all build variants.
Revert the change for now until we can properly examine the size impact of
CONFIG_DEBUG_SYSLOG.
Fixes FS#1117.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The previous commit did not adjust PKG_RELEASE, therefore the
hostapd/wpad/wpa_supplicant packages containing the AP-side workaround
for KRACK do not appear as opkg update.
Bump the PKG_RELEASE to signify upgrades to downstream users.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Commit 2127425434 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.
Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefore the
fixed hostapd/wpad/wpa_supplicant packages do not appear as opkg update.
Bump the PKG_RELEASE to signify upgrades to downstream users.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
A recent commit in hostapd added a build option to specify the default
TLS ciphers. This build option is passed via CFLAGS. Due to the way
CFLAGS are handled when building wpad, the compiler tries to recursively
expand TLS_DEFAULT_CIPHERS, resulting in the following error:
../src/crypto/tls_openssl.c: In function 'tls_init':
<command-line>:0:21: error: 'DEFAULT' undeclared (first use in this function)
../src/crypto/tls_openssl.c:1028:13: note: in expansion of macro 'TLS_DEFAULT_CIPHERS'
ciphers = TLS_DEFAULT_CIPHERS;
^
Escape double quotes in the .cflags file to avoid this.
Fixes: 2f78034c3e ("hostapd: update to version 2017-08-24")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This is useful for tuning some more exotic parameters where it doesn't
make sense to attempt to cover everything in uci directly
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Update the config file to the latest version.
Added CONFIG_EAP_FAST=y because it was the only
missing flag about EAP compared to full config.
Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.
Other flags are the same as before.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Commented CONFIG_IEEE80211W=y flag because it is
set in the Makefile, only if the driver supports it.
Removed NEED_80211_COMMON flag because it is not part
of config file, it is set by the hostapd upstream Makefile.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update the config file to the latest version.
Enabled flags are the same as before.
Removed flag CONFIG_WPS2 because it is no more
needed due to this changelog (2014-06-04 - v2.2):
"remove WPS 1.0 only support, i.e., WSC 2.0
support is now enabled whenever CONFIG_WPS=y is set".
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[add punctuation to commit msg]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Add support for ft_psk_generate_local flag in ieee80211r
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[original author]
Signed-off-by: Sergio <mailbox@sergio.spb.ru>
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option
Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
While debugging an issue with a client device, wpa_supplicant did not
seem to log anything at all. Make wpa_supplicant log to syslog instead
of stdout, to make debugging easier and to be consistent with hostapd.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
RADIUS protocol could be used not only for authentication but for
accounting too. Accounting could be configured for any type of networks.
However there is no way to configure NAS Identifier for non-WPA
networks without this patch.
Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
[cleanup commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
During auto channel selection we may wish to prefer certain channels
over others.
e.g. we can just squeeze 4 channels into europe so '1:0.8 5:0.8 9:0.8
13:0.8' does that.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).
Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.
Fixes FS#619.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
None of the variables in this "local" declaration are actually set in
wpa_supplicant_add_network().
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)
The basic_rate option and supported_rates option are filtered based on this.
The rationale for the change, stronger now than in 2014, can be found in:
https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx
The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
When sta is configured, hostapd receives 'stop' and 'update' command from
wpa_supplicant. In the update command, hostapd gets sta parameters with
which it configures ap.
Problem is, with the default wireless configuration:
mode:11g freq:2.4GHz channel:1
If sta is connected to 5GHz network, then ap does not work. Ideally with
340-reload_freq_change.patch hostapd should reload the frequency changes
and start ap in 5GHz, but ap becomes invisible in the network.
This issue can be reproduced with following /etc/config/wireless:
config wifi-device radio0
option type mac80211
option channel 1
option hwmode 11g
option path 'virtual/uccp420/uccwlan'
option htmode 'none'
config wifi-iface 'ap'
option device 'radio0'
option encryption 'none'
option mode 'ap'
option network 'ap'
option ssid 'MyTestNet'
option encryption none
config wifi-iface 'sta'
option device radio0
option network sta
option mode sta
option ssid TestNet-5G
option encryption psk2
option key 12345
This change updates current_mode structure based on configured hw_mode
received from wpa_supplicant. Also prepare rates table after frequency
selection.
Signed-off-by: Abhilash Tuse <Abhilash.Tuse@imgtec.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, patch refresh]
- Fix eap test to work with standalone hostapd builds
- Fix 11n test to check the correct define
- Add 11ac, 11r and 11w tests
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This will allow starting hostapd with the new -s parameter and finally
read all (error) messages from the syslog.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
It wasn't possible to read hostapd wpa_printf messages unless running
hostapd manually. It was because hostapd was printing them using vprintf
and not directly to the syslog.
We were trying to workaround this problem by redirecting STDIN_FILENO
and STDOUT_FILENO but it was working only for the initialization phase.
As soon as hostapd did os_daemonize our solution stopped working.
Please note despite the subject this change doesn't affect debug level
messages only but just everything printed by hostapd with wpa_printf
including MSG_ERROR-s. This makes it even more important as reading
error messages can be quite useful for debugging.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other
wps related uci options.
Signed-off-by: Steven Honson <steven@honson.id.au>
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.
Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
wpa_supplicant allows only SAE as the key management
type for mesh mode. The recent key_mgmt rework unconditionally
added WPA-PSK - this breaks interface bringup and wpa_s
throws this error message:
Line 10: key_mgmt for mesh network should be open or SAE
Line 10: failed to parse network block.
Failed to read or parse configuration '/var/run/wpa_supplicant-wlan0.conf
Fix this by making sure that only SAE is used for mesh.
Signed-off-by: Sujith Manoharan <m.sujith@gmail.com>
Enable support for stronger SHA256-based algorithms in hostapd and
wpa_supplicant when using WPA-EAP or WPA-PSK with 802.11w enabled.
We cannot unconditionally enable it, as it requires hostapd to be
compiled with 802.11w support, which is disabled in the -mini variants.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Now that wpa_key_mgmt handling for hostapd and wpa_supplicant are
consistent, we can move parts of it to a dedicated function.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Rework wpa_key_mgmt handling for wpa_supplicant to be consistent with
how it is done for hostapd.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
Update to latest upstream HEAD:
- Refreshed all
- Delete patches and parts which made it upstream
Compile tested Full & Mini configs
Run-tested Mini config
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [another update, remove broken patch]
The build system only accepts Package/<name>/description and since the
typoed version virtually has the same content as the TITLE field, remove
them altogether
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Ensure that selecting the wpa-supplicant-mesh package actually packages the
wpa_supplicant binary with SAE support and add missing dependency on OpenSSL.
Signed-off-by: Alexis Green <alexis@cessp.it>
[Jo-Philipp Wich: slightly reword commit message for clarity]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.
Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
In company networks everything except the http and https protocol is
often causes problems, because the network administrators try to block
everything else. To make it easier to use LEDE in company networks use
the https/http protocol for git access when possible.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require. From the documentation:
anonymous_identity: Anonymous identity string for EAP (to be used as the
unencrypted identity with EAP types that support different tunnelled
identity, e.g., EAP-TTLS).
This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49181
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48345
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.
Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 48099
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47615
r46861 introduced a new option eapol_version to hostapd, but did not
provide a default value. When the option value is evaluated,
the non-existing value causes errors to the systen log:
"netifd: radio0: sh: out of range"
Add a no-op default value 0 for eapol_version. Only values 1 or 2 are
actually passed on, so 0 will not change the default action in hostapd.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 47361
One second is not enough for some devices to ackowledge null data frame
which is sent at the end of ap_max_inactivity interval. In particular,
this causes severe Wi-Fi instability with Apple iPhone which may take
up to 3 seconds to respond.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 47149
When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so
check for banned client in probe request handler won't ever be used.
Since cfg80211 provides us info about STA associating let's put a check
there.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47064
Add eapol_version to the openwrt wireless config ssid section.
Only eapol_version=1 and 2 will get passed to hostapd, the default
in hostapd is 2.
This is only useful for really old client devices that don't
accept eapol_version=2.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
SVN-Revision: 46861
As the OpenWrt build system only resolves build dependencies per directory,
all hostapd variants were causing libopenssl to be downloaded and built,
not only wpad-mesh. Fix this by applying the same workaround as in
ustream-ssl.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
SVN-Revision: 46851
Add CONFIG_IEEE80211W variable to DRIVER_MAKEOPTS so that 802.11w
support is properly compiled in full variant.
This fixes#20179
Signed-off-by: Janusz Dziemidowicz <rraptorr@nails.eu.org>
SVN-Revision: 46737
Other VLAN related options are already being processed in netifd.sh
but the vlan_file option is missing. This option allows the mapping
of vlan IDs to network interfaces and will be used in dynamic VLAN
feature for binding stations to interfaces based on VLAN
assignments. The change is done similarly to the wpa_psk_file
option.
Signed-off-by: Gong Cheng <chengg11@yahoo.com>
SVN-Revision: 46652
Add 802.11r client support to wpa_supplicant. It's only enabled in
wpa_supplicant-full. hostapd gained 802.11r support in commit r45051.
Tested on a TP-Link TL-WR710N sta psk client with two 802.11r enabled
openwrt accesspoints (TP-Link TL-WDR3600).
Signed-off-by: Stefan Hellermann <stefan@the2masters.de>
SVN-Revision: 46377
Hostapd's control file location was changed in 2013, and that has apparently
broken the wps button hotplug script in cases where there are multiple radios
and wps is possibly configured also for the second radio. The current wps
button hotplug script always handles only the first radio.
https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/files/wps-hotplug.sh
The reason is that the button hotplug script seeks directories like
/var/run/hostapd*, as the hostapd-phy0.conf files were earlier in
per-interface subdirectories.
Currently the *.conf files are directly in /var/run and the control sockets
are in /var/run/hostapd, but there is no subdirectory for each radio.
root@OpenWrt:/# ls /var/run/hostapd*
/var/run/hostapd-phy0.conf /var/run/hostapd-phy1.conf
/var/run/hostapd:
wlan0 wlan1
The hotplug script was attempted to be fixed after the hostapd change by
r38986 in Dec2013, but that change only unbroke the script for the first
radio, but left it broken for multiple radios.
https://dev.openwrt.org/changeset/38986/
The script fails to find subdirectories with [ -d "$dir" ], and passes just
the only found directory /var/run/hostapd, leading into activating only the
first radio, as hostapd_cli defaults to first socket found inthe passed
directory:
root@OpenWrt:/# hostapd_cli -?
...
usage: hostapd_cli [-p<path>] [-i<ifname>] [-hvB] [-a<path>] \
[-G<ping interval>] [command..]
...
-p<path> path to find control sockets (default: /var/run/hostapd)
...
-i<ifname> Interface to listen on (default: first interface found in the
socket path)
Below is a run with the default script and with my proposed solution.
Default script (with logging added):
==================================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
for dir in /var/run/hostapd*; do
[ -d "$dir" ] || continue
logger "WPS activated for: $dir"
hostapd_cli -p "$dir" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Timed-out
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:38:50 2015 user.notice root: WPS activated for: /var/run/hostapd
wlan0 got WPS activated, while wlan1 remained inactive.
I have modified the script to search for sockets instead of directories and
to use the "-i" option with hostapd_cli, and now the script properly
activates wps for both radios. As "-i" needs the interface name instead of
the full path, the script first changes dir to /var/run/hostapd to get simply
the interface names.
Modified script (with logging):
===============================
root@OpenWrt:/# cat /etc/rc.button/wps
#!/bin/sh
if [ "$ACTION" = "pressed" -a "$BUTTON" = "wps" ]; then
cd /var/run/hostapd
for dir in *; do
[ -S "$socket" ] || continue
logger "WPS activated for: $socket"
hostapd_cli -i "$socket" wps_pbc
done
fi
>>>> WPS BUTTON PRESSED <<<<<
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan0 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# hostapd_cli -p /var/run/hostapd -i wlan1 wps_get_status
PBC Status: Active
Last WPS result: None
root@OpenWrt:/# logread | grep WPS
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan0
Tue Apr 14 18:53:06 2015 user.notice root: WPS activated for: wlan1
Both radios got their WPS activated properly.
I am not sure if my solution is optimal, but it seems to work. WPS button is
maybe not that often used functionality, but it might be fixed in any case.
Routers with multiple radios are common now, so the bug is maybe more
prominent than earlier.
The modified script has been in a slightly different format in my community
build since r42420 in September 2014.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45492
Two errors "netifd: radio0: sh: bad number" have recently surfaced in system
log in trunk when wifi interfaces come up. I tracked the errors to checking
numerical values of some config options without ensuring that the option has
any value.
The errors I see have apparently been introduced by r45051 (ieee80211r in
hostapd) and r45326 (start_disabled in mac80211). My patches fix two
instances of "bad number", but there may be a third one, as the original
report in bug 19345 pre-dates r45326 and already has two "bad number" errors
for radio0.
https://dev.openwrt.org/ticket/19345
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 45380
r45270 removed ieee80211n=%d from the format string but didn't remove
the parameter itself. Though this probably doesn't cause any harm, it's
quite confusing and unneeded.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 45351
To enable 802.11r, wpa_key_mgmt should contain FT-EAP or FT-PSK. Allow
multiple key management algorithms to make this possible.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45050
The 802.11r implementation in hostapd uses nas_identifier as PMK-R0 Key
Holder identifier. As 802.11r can also be used with WPA Personal, nasid
should be appended to the hostapd config for all WPA types.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
SVN-Revision: 45049
'hostapd-common' is needed by all of the variants for wifi to function
correctly (a number of the target profiles simply select 'wpad-mini').
Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>
SVN-Revision: 45048
These new variants include support for mesh mode and SAE crypto.
They always depend on openssl as EC operations are not provided by
the internal crypto implementation.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 45047
madwifi was dropped upstream, can't find it anywhere in OpenWrt
either, thus finally burrying madwifi.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 45045
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This is especially useful if an OpenWrt device with two radios is used to
retransmit the same network (one in AP mode for other clients, one as STA for
the uplink); the following configuration prevents the device from associating
with itself, given that the own AP to be avoided is using the bssid
'C0:FF:EE:D0:0D:42':
config wifi-iface
option device 'radio2'
option network 'uplink'
option mode 'sta'
option ssid 'MyNetwork'
option encryption 'none'
list bssid_blacklist 'C0:FF:EE:D0:0D:42/00:FF:FF:FF:FF:FF'
This change consists of the following cherry-picked upstream commits:
b3d6a0a8259002448a29f14855d58fe0a624ab76
b83e455451a875ba233b3b8ac29aff8b62f064f2
79cd993a623e101952b81fa6a29c674cd858504f
(squashed to implement bssid_{white,black}lists)
0047306bc9ab7d46e8cc22ff9a3e876c47626473
(Add os_snprintf_error() helper)
Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>
SVN-Revision: 44438
Introduce configuration options to build an "hardened" OpenWRT.
Options to enable Stack-Smashing Protection, FORTIFY_SOURCE and RELRO
have been introduced.
uClibc makefile now automatically detects if SSP support is necessary.
hostapd makefile has been fixed to use "^" as sed separator since
using a comma was problematic when using "-Wl,-z,now" and the like in
TARGET_CFLAGS.
Currently enabling SSP on user space depends on enabling SSP kernel
side, this is due to the fact that TARGET_CFLAGS are used to build
kernel modules (at least). Suggestions on how to avoid this are welcome.
Using "select" instead of "depends on" doesn't seem to work with choice
entries.
Tested with a lantiq (WBMR) router, GCC 4.8, uClibc and a subset of
the available packages.
Needs to be tested with GCC 4.9 and the remaining packages.
PIE not currently included.
Signed-off-by: Alessandro Di Federico <ale+owrt@clearmind.me>
SVN-Revision: 44005
This patch fixes adding new stations for some specific drivers when
using more than 1 BSS.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 43951
The uapsd option sets the uapsd_advertisement_enabled flag in hostapd.
The check for phy support is already implemented here in hostapd since 2011:
http://w1.fi/cgit/hostap/commit/?id=70619a5d8a3d32faa43d66bcb1b670cacf0c243e
So this can be safely set to 1 as default.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43846
In r41872 and r42787 Dynamic VLAN support was reintroduced, but the vlan_bridge
parameter is not read while setting up the config, so the default is used which
is undesirable for some uses.
Signed-off-by: Ben Franske <ben.mm@franske.com>
SVN-Revision: 43473
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.
I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.
However, I can not garantee that I always picked the correct information
and/or did not miss license information.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
SVN-Revision: 43155
The wpa_psk_file option offers the possibility to use a different WPA-PSK key for each client. The directive points to a file with the following syntax:
mac_address wpa_passphrase_or_hex_key
Example:
00:11:22:33:44:55 passphrase_for_client_1
00:11:22:33:44:67 passphrase_for_client_2
00:11:22:33:44:89 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
So it is possible to specify both ASCII passphrases and raw 64-chars hex keys.
Signed-off-by: Vittorio Gambaletta <openwrt@vittgam.net>
SVN-Revision: 43001
[base-files] shell-scripting: fix wrong usage of '==' operator
normally the '==' is used for invoking a regex parser and is a bashism.
all of the fixes just want to compare a string. the used busybox-ash
will silently "ignore" this mistake, but make it portable/clean at least.
this patch does not change the behavior/logic of the scripts.
Signed-off-by: Bastian Bittorf <bittorf@bluebottle.com>
SVN-Revision: 42911
In r41872 Dynamic VLAN support was reintroduced, but the vlan_naming
parameter is not read while setting up the config, so it always
defaults to 1.
Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
SVN-Revision: 42787
With this patch WPS discovery can be started or canceled over ubus if
WPS is enabled in wireless configuration. This is equivalent of
'hostapd_cli wps_pbc' and 'hostapd_cli wps_cancel' commands.
Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>
SVN-Revision: 42459
