aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/hostapd
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: fix compilation of wpa_supplicantKarel Kočí2020-06-181-4/+4
| | | | | | | | | | | | | Ubus patch as it seems have been broken by some rebase in the past as the location of line that adds ubus object file was in condition for CONFIG_MACSEC. That condition was adding object files that are not touched by ubus patch. This means ubus.o does not have to be included in that case. When it has to be and when build fails is when CONFIG_AP is set. All files included in wpa_supplicant that are touched by this patch are in this condition. This means that this is for sure the original place for it. Signed-off-by: Karel Kočí <karel.koci@nic.cz>
* hostapd: hostapd_set_psk_file: fix defaut value for macJohann Neuhauser2020-06-131-1/+1
| | | | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Bringing up of station vlan fails if the optional mac entry isn't set. The default mac "00:00:00:00:00:00", which should match all stations, is mistakenly set to the non used variable "isolate". This results in a wrong formatted .psk file which has to be "vlan_id mac key". fixes: 5aa2ddd0: hostapd: add support for wifi-station and wifi-vlan sections Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
* hostapd: add config symbol for allowing drivers to enable 802.11ax supportFelix Fietkau2020-06-103-0/+14
| | | | | | Also expose a build feature for it Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: update to latest Git hostap_2_9-1331-g5a8b366233f5Petr Štetiar2020-06-0923-113/+113
| | | | | | | | | | | | | Bump to latest Git and refresh all patches in order to get fix for "UPnP SUBSCRIBE misbehavior in hostapd WPS AP" (CVE-2020-12695). General security vulnerability in the way the callback URLs in the UPnP SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695). Some of the described issues may be applicable to the use of UPnP in WPS AP mode functionality for supporting external registrars. Ref: https://w1.fi/security/2020-1/ Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: silence rmStijn Tintel2020-06-081-2/+2
| | | | | | | | | | | | When bringing up wifi the first time after boot, these warnings appear: netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.psk': No such file or directory netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.vlan': No such file or directory Silence them by adding the "-f" option to rm. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: John Crispin <john@phrozen.org>
* hostapd: add support for wifi-station and wifi-vlan sectionsJohn Crispin2020-06-041-0/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for 2 new uci sections. config wifi-vlan # iface is optional. if it is not defined the vlan will apply # to all interfaces option iface default_radio0 option name guest option vid 100 option network guest config wifi-station # iface is optional. if it is not defined the station will apply # to all interfaces option iface default_radio0 # mac is optional. if it is not defined it will be a catch all # for any sta using this key option mac '00:11:22:33:44:55' # vid is optional. if it is not defined, the sta will be part of # the primary iface. option vid 100 option key testtest With this patch applied it is possible to use multiple PSKs on a single BSS. Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: Add disable_vht when using NOHT/HT* modesEnrique Rodríguez Valencia2020-05-281-1/+2
| | | | | | disable_vht parameter needs to be set when using wpa_supplicant NOHT/HT* modes. Signed-off-by: Enrique Rodríguez Valencia <enrique.rodriguez@galgus.net>
* hostapd: add WEP as queryable build featureDavid Bauer2020-05-221-0/+4
| | | | | | | | | | | Commit 472fd98c5b12 ("hostapd: disable support for Wired Equivalent Privacy by default") made support for WEP optional. Expose the WEP support to LuCi or other userspace tools using the existing interface. This way they are able to remove WEP from the available ciphers if hostapd is built without WEP support. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: bring back mesh patchesDaniel Golle2020-05-2128-108/+792
| | | | | | | | | | | | | Bring back 802.11s mesh features to the level previously available before the recent hostapd version bump. This is mostly to support use of 802.11s on DFS channels, but also making mesh forwarding configurable which is crucial for use of 802.11s MAC with other routing protocols, such as batman-adv, on top. While at it, fix new compiler warning by adapting 700-wifi-reload.patch to upstream changes, now building without any warnings again. Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: disable support for Wired Equivalent Privacy by defaultPetr Štetiar2020-05-212-0/+14
| | | | | | | | | | | | | | | | | | | Upstream in commit 200c7693c9a1 ("Make WEP functionality an optional build parameter") has made WEP functionality an optional build parameter disabled as default, because WEP should not be used for anything anymore. As a step towards removing it completely, they moved all WEP related functionality behind CONFIG_WEP blocks and disabled it by default. This functionality is subject to be completely removed in a future release. So follow this good security advice, deprecation notice and disable WEP by default, but still allow custom builds with WEP support via CONFIG_WPA_ENABLE_WEP config option till upstream removes support for WEP completely. Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848edPetr Štetiar2020-05-2147-1327/+262
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump package to latest upstream Git HEAD which is commit dd2daf0848ed ("HE: Process HE 6 GHz band capab from associating HE STA"). Since last update there was 1238 commits done in the upstream tree with 618 files changed, 53399 insertions, 24928 deletions. I didn't bothered to rebase mesh patches as the changes seems not trivial and I don't have enough knowledge of those parts to do/test that properly, so someone else has to forward port them, ideally upstream them so we don't need to bother anymore. I've just deleted them for now: 004-mesh-use-setup-completion-callback-to-complete-mesh-.patch 005-mesh-update-ssid-frequency-as-pri-sec-channel-switch.patch 006-mesh-inform-kernel-driver-DFS-handler-in-userspace.patch 007-mesh-apply-channel-attributes-before-running-Mesh.patch 011-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch 013-mesh-do-not-allow-pri-sec-channel-switch.patch 015-mesh-do-not-use-offchan-mgmt-tx-on-DFS.patch 016-mesh-fix-channel-switch-error-during-CAC.patch 018-mesh-make-forwarding-configurable.patch Refreshed all other patches, removed upstreamed patches: 051-wpa_supplicant-fix-race-condition-in-mesh-mpm-new-pe.patch 067-0001-AP-Silently-ignore-management-frame-from-unexpected-.patch 070-driver_nl80211-fix-WMM-queue-mapping-for-regulatory-.patch 071-driver_nl80211-fix-regulatory-limits-for-wmm-cwmin-c.patch 090-wolfssl-fix-crypto_bignum_sum.patch 091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch 091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch 091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch 800-usleep.patch Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq8065/NBG6817; ipq40xx/MAP-AC2200] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* hostapd: backport wolfssl bignum fixesDaniel Golle2020-05-164-1/+107
| | | | | | | | crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wpad-wolfssl: fix crypto_bignum_sub()Antonio Quartulli2020-04-281-0/+26
| | | | | | | | | | | | | | Backport patch from hostapd.git master that fixes copy/paste error in crypto_bignum_sub() in crypto_wolfssl.c. This missing fix was discovered while testing SAE over a mesh interface. With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with wpad-mesh-wolfssl. Cc: Sean Parkinson <sean@wolfssl.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: reduce to a single instance per serviceDaniel Golle2020-04-148-174/+62
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: backport usleep patchRosen Penev2020-04-132-1/+54
| | | | | | Optionally fixes compilation with uClibc-ng. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* wpa_supplicant: disable CONFIG_WRITE functionalityKirill Lukonin2020-04-132-2/+2
| | | | | | | | | CONFIG_WRITE functionality is not used and could be removed. Looks helpful for devices with small flash because wpad is also affected. Little testing shows that about 6 KB could be saved. Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
* hostapd: Move hostapd variants to WirelessAPD menuKevin Darbyshire-Bryant2020-04-051-0/+9
| | | | | | | | | | | It seemed very confusing when trying to select the different variants of hostapd which are somewhat scattered about under the menu 'Network'. Moving all hostapd variants under a common submenu helps avoid confusion. Inspired-by: Kevin Mahoney <kevin.mahoney@zenotec.net> [Fixup badly formatted patch, change menu name] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: add abridged flag in disassoc_imminentNick Hainke2020-03-301-0/+5
| | | | | | | | | | | | | If the abridged flag is set to 1 the APs that are listed in the BSS Transition Candidate List are prioritized. If the bit is not set, the APs have the same prioritization as the APs that are not in the list. If you want to steer a client, you should set the flag! The flag can be set by adding {...,'abridged': true,...} to the normal ubus call. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: expose beacon reports through ubusNick Hainke2020-03-303-0/+51
| | | | | | | | | | | | | | | | | | | Subscribe to beacon reports through ubus. Can be used for hearing map and client steering purposes. First enable rrm: ubus call hostapd.wlan0 bss_mgmt_enable '{"beacon_report":True}' Subscribe to the hostapd notifications via ubus. Request beacon report: ubus call hostapd.wlan0 rrm_beacon_req '{"addr":"00:xx:xx:xx:xx:xx", "op_class":0, "channel":1, "duration":1,"mode":2,"bssid":"ff:ff:ff:ff:ff:ff", "ssid":""}' Signed-off-by: Nick Hainke <vincent@systemli.org> [rework identation] Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: Add 802.11r support for WPA3-EnterpriseJesus Fernandez Manzano2020-03-301-0/+1
| | | | Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
* hostapd: fix segfault in wpa_supplicant ubusDaniel Golle2020-03-182-1/+3
| | | | | | | | | | | | | | When introducing ubus reload support, ubus initialization was moved to the service level instead of being carried out when adding a BSS configuration. While this works when using wpa_supplicant in that way, it breaks the ability to run wpa_supplicant on the command line, eg. for debugging purposes. Fix that by re-introducing ubus context intialization when adding configuration. Reported-by: @PolynomialDivision https://github.com/openwrt/openwrt/pull/2417 Fixes: 60fb4c92b6 ("hostapd: add ubus reload") Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix pointer cast warningsLeon M. George2020-03-172-8/+15
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: remove trailing whitespaceLeon M. George2020-03-171-2/+2
| | | | Signed-off-by: Leon M. George <leon@georgemail.eu>
* hostapd: enhance wifi reloadJohn Crispin2020-02-252-18/+134
| | | | | | | Add a radio_config_id property. If the radio config changes return an error upon receiving the reconf call. Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: start hostapd/wpa_supplicant for all wiphy devicesPiotr Dymacz2020-02-242-2/+2
| | | | | | | | | | | | | | c888e17e06 ("hostapd: manage instances via procd instead of pidfile") added procd support for managing hostapd and wpa_supplicant daemons but at the same time limited wiphy names to 'phy*'. This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd: add ubus reload") and makes procd manage daemons for any wiphy device found in '/sys/class/ieee80211'. CC: Felix Fietkau <nbd@nbd.name> CC: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* hostapd: remove erroneous $(space) redefinitionJo-Philipp Wich2020-02-081-3/+0
| | | | | | | | | | | | | | | | The $(space) definition in the hostapd Makefile ceased to work with GNU Make 4.3 and later, leading to syntax errors in the generated Kconfig files. Drop the superfluous redefinition and reuse the working $(space) declaration from rules.mk to fix this issue. Fixes: GH#2713 Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469 Reported-by: Karel Kočí <cynerd@email.cz> Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> Tested-by: Shaleen Jain <shaleen@jain.sh> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: add back support for passing CSA events from sta/mesh to AP interfacesFelix Fietkau2020-01-291-0/+129
| | | | | | | | Fixes handling CSA when using AP+STA or AP+Mesh This change was accidentally dropped in commit 167028b75 ("hostapd: Update to version 2.9 (2019-08-08)") Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: unconditionally enable ap/mesh for wpa-cliFelix Fietkau2020-01-281-1/+7
| | | | | | | Without this change, wpa-cli features depend on which wpad build variant was used to build the wpa-cli package Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: remove some bashismsSven Roederer2020-01-261-3/+3
| | | | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de> [remove shebang, slightly facelift commit title/message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* hostapd: fix faulty WMM IE parameters with ETSI regulatory domainsFelix Fietkau2020-01-232-0/+88
| | | | | | | | hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP. The code for applying those values had a few bugs leading to bogus values, which caused significant latency and packet loss. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add support for system cert bundle validationDavid Lam2020-01-162-6/+15
| | | | | | | | | | | | | | Currently, it is very cumbersome for a user to connect to a WPA-Enterprise based network securely because the RADIUS server's CA certificate must first be extracted from the EAPOL handshake using tcpdump or other methods before it can be pinned using the ca_cert(2) fields. To make this process easier and more secure (combined with changes in openwrt/openwrt#2654), this commit adds support for validating against the built-in CA bundle when the ca-bundle package is installed. Related LuCI changes in openwrt/luci#3513. Signed-off-by: David Lam <david@thedavid.net> [bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: cleanup IBSS-RSNDaniel Golle2020-01-162-6/+2
| | | | | | set noscan also for IBSS and remove redundant/obsolete variable. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: add wpa_strict_rekey supportKyle Copperfield2020-01-151-1/+3
| | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Rekey GTK on STA disassociate Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_requiredKyle Copperfield2020-01-152-3/+12
| | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Allows dtim_period to be configurable, the default is from hostapd. Adds additional regulatory tunables for power constraint and spectrum managment. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add support for subject validationDavid Lam2020-01-142-1/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The wpa_supplicant supports certificate subject validation via the subject match(2) and altsubject_match(2) fields. domain_match(2) and domain_suffix_match(2) fields are also supported for advanced matches. This validation is especially important when connecting to access points that use PAP as the Phase 2 authentication type. Without proper validation, the user's password can be transmitted to a rogue access point in plaintext without the user's knowledge. Most organizations already require these attributes to be included to ensure that the connection from the STA and the AP is secure. Includes LuCI changes via openwrt/luci#3444. From the documentation: subject_match - Constraint for server certificate subject. This substring is matched against the subject of the authentication server certificate. If this string is set, the server sertificate is only accepted if it contains this string in the subject. The subject string is in following format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as .example.com subject_match2 - Constraint for server certificate subject. This field is like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. altsubject_match - Constraint for server certificate alt. subject. Semicolon separated string of entries to be matched against the alternative subject name of the authentication server certificate. If this string is set, the server sertificate is only accepted if it contains one of the entries in an alternative subject name extension. altSubjectName string is in following format: TYPE:VALUE Example: EMAIL:server@example.com Example: DNS:server.example.com;DNS:server2.example.com Following types are supported: EMAIL, DNS, URI altsubject_match2 - Constraint for server certificate alt. subject. This field is like altsubject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_match - Constraint for server domain name. If set, this FQDN is used as a full match requirement for the server certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same full match comparison. This behavior is similar to domain_suffix_match, but has the requirement of a full match, i.e., no subdomains or wildcard matches are allowed. Case-insensitive comparison is used, so "Example.com" matches "example.com", but would not match "test.Example.com". More than one match string can be provided by using semicolons to separate the strings (e.g., example.org;example.com). When multiple strings are specified, a match with any one of the values is considered a sufficient match for the certificate, i.e., the conditions are ORed together. domain_match2 - Constraint for server domain name. This field is like domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_suffix_match - Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for the AAA server certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Suffix match here means that the host/domain name is compared one label at a time starting from the top-level domain and all the labels in domain_suffix_match shall be included in the certificate. The certificate may include additional sub-level labels in addition to the required labels. More than one match string can be provided by using semicolons to separate the strings (e.g., example.org;example.com). When multiple strings are specified, a match with any one of the values is considered a sufficient match for the certificate, i.e., the conditions are ORed together. For example, domain_suffix_match=example.com would match test.example.com but would not match test-example.com. This field is like domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_suffix_match2 - Constraint for server domain name. This field is like domain_suffix_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. Signed-off-by: David Lam <david@thedavid.net>
* hostapd: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 26% uncompressed and 16% compressed on MIPS BE. old: 460,933 /usr/sbin/wpad 283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk new: 584,508 /usr/sbin/wpad 330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* hostapd: disable ft_psk_generate_local for non-PSK networksDavid Bauer2020-01-091-1/+9
| | | | | | | | | | | | Without this commit, ft_psk_generate_local is enabled for non-PSK networks by default. This breaks 802.11r for EAP networks. Disable ft_psk_generate_local by default for non-PSK networks resolves this misbehavior. Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net> Signed-off-by: David Bauer <mail@david-bauer.net> Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
* hostapd: re-introduce process trackingDaniel Golle2019-12-081-0/+4
| | | | | | | | | | | Before commit 60fb4c92b6 ("hostapd: add ubus reload") netifd was tracking hostapd/wpa_supplicant and restarting wifi in case of a process crash. Restore this behaviour by tracking the PIDs of hostapd and wpa_supplicant. Also make sure hostapd and/or wpa_supplicant have been started before emmitting ubus calls to them using ubus wait_for. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: manage instances via procd instead of pidfileFelix Fietkau2019-12-081-9/+41
| | | | | | | | Allows graceful restart of crashing hostapd/wpa_supplicant instances Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Daniel Golle <daniel@makrotopia.org> [daniel@makrotopia.org: attempt to launch only present services]
* hostapd: fix crash regression triggered by mesh modeFelix Fietkau2019-12-081-1/+1
| | | | | | | Fixes: 60fb4c92b6 ("hostapd: add ubus reload") Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Daniel Golle <daniel@makrotopia.org> [daniel@makrotopia.org: polish commit message]
* hostapd: enable CTRL_IFACE_MIB for hostapd-fullDavid Bauer2019-12-087-0/+35
| | | | | | | | This enables the CTRL_IFACE_MIB symbol for wpad-full and hostapd-full. If it is not enabled, statistic outputs such as "hostapd_cli all_sta" are empty. Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: add ubus reloadJohn Crispin2019-11-129-20/+601
| | | | | | | | | | | | | | | Add ubus interface to hostapd and wpa_supplicant to allow dynamically reloading wiface configuration without having to restart the hostapd process. As a consequence, both hostapd and wpa_supplicant are now started persistently on boot for each wifi device in the system and then receive ubus calls adding, modifying or removing interface configuration. At a later stage it would be desirable to reduce the services to one single instance managing all radios. Signed-off-by: John Crispin <john@phrozen.org> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: enable PMKSA and OK caching for WPA3-PersonalDavid Bauer2019-11-041-1/+8
| | | | | | | | | | | | | This enables PMKSA and opportunistic key caching by default for WPA2/WPA3-Personal, WPA3-Personal and OWE auth types. Otherwise, Apple devices won't connect to the WPA3 network. This should not degrade security, as there's no external authentication provider. Tested with OCEDO Koala and iPhone 7 (iOS 13.1). Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: add IEEE 802.11k supportKyle Copperfield2019-11-021-0/+13
| | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Enables radio resource management to be reported by hostapd to clients. Ref: https://github.com/lede-project/source/pull/1430 Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: adjust to removal of WOLFSSL_HAS_AES_GCMEneas U de Queiroz2019-10-121-1/+0
| | | | | | WolfSSL is always built with AES-GCM support now. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* hostapd: Add mesh support for wpad fullHauke Mehrtens2019-09-221-2/+2
| | | | | | | | | | | | | | This increases the size of the binary slightly: old: 427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk new: 442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: use getrandom syscallHauke Mehrtens2019-09-227-7/+7
| | | | | | | | hostapd will not use the getrandom() syscall and as a fallback use /dev/random, the syscall is supported since Linux 3.17 and in the musl, glibc and uclibc version used by OpenWrt. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Remove unneeded patchHauke Mehrtens2019-09-228-28/+14
| | | | | | | All the content of this function is proceeded by IEEE8021X_EAPOL no code accesses the ssid variable outside of this ifdef. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: use config option CONFIG_NO_LINUX_PACKET_SOCKET_WARHauke Mehrtens2019-09-225-16/+4
| | | | | | Instead of patching the workaround away, just use the config option. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Update to version 2.9 (2019-08-08)Hauke Mehrtens2019-09-2247-639/+272
| | | | | | | | | | | | | | | | | | The size of the ipkgs increase a bit (between 0.7% and 1.1%): old 2019-04-21 (2.8): 288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk 256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk 427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk 423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk new 2019-08-08 (2.9): 290217 wpad-basic_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 258745 wpad-mini_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 431732 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 427641 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>