Commit graph

25918 commits

Author SHA1 Message Date
Felix Fietkau
246e9b449b hostapd: enable WPS2 support on hostapd-full.config
Enable CONFIG_WPS2 for hostapd. This is required to support
options like Virtual Push Button in WPS.

Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>

SVN-Revision: 38337
2013-10-08 11:09:44 +00:00
Felix Fietkau
bcbc9b1e89 hostapd: fix hostapd RSN preauthentication PMKSA caching
In 2009 OpenWrt's hostapd config added an "auth_cache" boolean
to be used to address a reported issue #12129 [0] on a forum [1].
The reported issue on the ticket is different that the one
described on the forum. The commit was r33359. This change broke
proper RSN preauthentication [2] [3] [4] expectations on hostapd's
configuration for WPA2 and this in turn disabled PMKSA caching and
Opportunistic Key Caching. This change:

  * Leaves the "auth_cache" to be used only for WPA networks for those
    looking to use this as a workaround to a reported issue but annotates
    a warning over its usage.

  * Separate "auth_cache" from WPA2 RSN preauthentication, leaving
    WPA2 RSN preauthentication to enabled only with "rsn_preauth" with
    the expected and recommended settings.

  * Adds a new WPA2 RSN preauthentication "rsn_preauth_testing" to
    be used when evaluating funcionality for WPA2 RSN preauthentication
    with the expected and recommended settings with the only difference
    so far with what should be enabled by default to disable Opportunistic
    Key Caching.

Disabling the PMKSA cache should mean the STA could not roam off and back
onto the AP that had PMKSA caching disabled and would require a full
authentication cycle. This fixes this for WPA2 networks with
RSN preauthentication enabled.

This change should be applied to AA as well as trunk.

  TL DR;

The issue described on the forum has to do with failure of a STA
being able to try to authenticate again with the AP if it failed
its first try. This may have been an issue with hostapd in 2009
but as per some tests I cannot reproduce this today on a WPA2
network.

The issue described on the ticket alludes to a security issue with the
design of using a Radius server to authenticate to an AP. The issue
vaguely alludes to the circumstances of zapping a user, deleting their
authentication credentials to log in to the network, and that if
RSN preauthentication is enabled with PMKSA caching that the user
that was zapped would still be able to authenticate.

Lets treat these as separate issues.

I cannot reproduce the first issue reported on the forums of not
being able to authenticate anymore on a WPA2 network.

The issue reported on the ticket modified WPA2 RSN preauthentication
by adding two fields to the hostapd configuration if auth_cache
was enabled:

  * disable_pmksa_caching=1
  * okc=0

The first one disables PMKSA authentication cache.
The second one disables Opportunistic Key Caching.

The issue reported on the ticket was fixed by implementing a workaround
in hostapd's configuration. Disabling PMKSA caching breaks proper use
of WPA2 RSN pre authentication. The usage of disable_pmksa_caching=1
prevents hostapd from adding PMKSA entries into its cache when a successful
802.1x authentication occurs. In practice RSN preauthentication would
trigger a STA to perform authentication with other APs on the same SSID,
it would then have its own supplicant PMKSA cache held. If a STA roams
between one AP to another no new authenitcation would need to be performed
as the new AP would already have authenticated the STA. The purpose of the
PMKSA cache on the AP side would be for the AP to use the same PMKID for
a STA when the STA roams off onto another BSSID and later comes back to it.

Disabling Opportunistic Key Caching could help the reported issue
as well but its not the correct place to address this. Opportunistic
Key Caching enables an AP with different interfaces to share the
PMKSA cache. Its a technical enhancement and disabling it would
be useful to let a testing suite properly test for RSN preauthentication
given that otherwise Opportunistic Key Caching would enable an
interface being tested to derive its own derive the PMKSA entry.
In production though okc=1 should be enabled to help with RSN
preauthentication.

The real fix for this particular issue outside of the scope of hostapd's
configuration and it should not be dealt with as a workaround to
its configuration and breaking expected RSN preauthentication and
technical optimizations. Revert this change and enable users to pick
and choose to enable or disable disable_pmksa_caching and okc expecting them
to instead have read clearly more what these do.

As for the core issure ported, the correct place to fix this is to
enable a sort of messaging between the RADIUS server and its peers
so that if caching for authentication is enabled that cache can be
cleared upon user credential updates. Updating a user password
(not just zapping a user) is another possible issue that would need
to be resolved here. Another part of the solution might be to reduce
the cache timing to account for any systematic limitations (RADIUS
server not able to ask peers to clear cache might be
one).

[0] https://dev.openwrt.org/changeset/33359
[1] https://forum.openwrt.org/viewtopic.php?id=19596
[2] http://wireless.kernel.org/en/users/Documentation/hostapd#IEEE_802.11i.2FRSN.2FWPA2_pre-authentication
[3] http://wireless.kernel.org/en/users/Documentation/wpa_supplicant#RSN_preauthentication
[4] http://wiki.openwrt.org/doc/recipes/rsn_preauthentication

Signed-off-by: Luis R. Rodriguez <mcgrof@do-not-panic.com>

SVN-Revision: 38336
2013-10-08 11:09:40 +00:00
Felix Fietkau
40aec9ed46 hostapd: Add WPS unconfigured & WPS pin method support
Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>

SVN-Revision: 38335
2013-10-08 11:09:36 +00:00
Felix Fietkau
4689bc8517 hostapd: Add eap_reauth_period config option
This adds the eap_reauth_period to be used for modifying
the RADIUS server reauthentication authentication period,
a parameter that gets passed directly to the hostapd
configuration file.

Signed-off-by: Mathieu Olivari <mathieu@qca.qualcomm.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>

SVN-Revision: 38334
2013-10-08 11:09:27 +00:00
Hauke Mehrtens
c8e742a080 mac80211: wl12xx: build them again
WL_TI is bool but was set to =m, which deactivated it. Now it is set to
=y and should be activated in the config so the wl12xx driver gets
build.

This closes #14212.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38333
2013-10-07 22:16:17 +00:00
Hauke Mehrtens
16675de754 mac80211: brcmfmac: BRCMFMAC_USB was not set in config
Somehow BRCMFMAC_USB was not set in the build and brcmfmac.ko did not had usb support.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38332
2013-10-07 21:49:28 +00:00
Luka Perkov
c5bd00d82a openvpn: switch to new procd init script style
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38331
2013-10-07 21:28:14 +00:00
Luka Perkov
d6415bf1bd polarssl: update to 1.2.9
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38330
2013-10-07 21:28:12 +00:00
John Crispin
c1316c09a1 lantiq: fix ltq_ptm compile
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38329
2013-10-07 20:13:32 +00:00
John Crispin
715b62ebad lantiq: experia v8 fixes
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38328
2013-10-07 15:03:00 +00:00
John Crispin
81fb43d2f1 lantiq: fix fritz3370 dts file
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38327
2013-10-07 15:02:56 +00:00
John Crispin
ae225124c6 lantiq: fix fritz image generation
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38326
2013-10-07 15:02:52 +00:00
John Crispin
1398a5d849 lantiq: fix eva partition split for squashfs
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38325
2013-10-07 15:02:48 +00:00
John Crispin
c903de043e ralink: fix asiarf image generation
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38324
2013-10-07 15:02:44 +00:00
John Crispin
ddcb800018 ralink: split mt7530 driver out of the gsw driver
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38323
2013-10-07 15:02:39 +00:00
John Crispin
c077698e38 ralink: build recovery images for dcs930 ip cam
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38322
2013-10-07 15:02:35 +00:00
John Crispin
420c62205b ralink: DIR610A1 Fix remaining issues
This patch fixes:

 - Ethernet and Wireless LEDs
 - Wireless MAC Address
 - Remove whitespaces from dts file

Signed-off-by: Flavio Silveira <fggs@terra.com.br>

SVN-Revision: 38321
2013-10-07 15:02:31 +00:00
John Crispin
5eacfc1c60 ralink: MT7620 eval board pinmux fixes
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38320
2013-10-07 15:02:27 +00:00
John Crispin
cc58dd26d3 ralink: make cevt systick selectable via kconfig
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38319
2013-10-07 15:02:23 +00:00
John Crispin
baf9d53792 ralink: fix mt7620a pinmux
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38318
2013-10-07 15:02:18 +00:00
John Crispin
fa4ca9d7eb tools: add tool to generate dcs93xl images
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 38317
2013-10-07 15:01:05 +00:00
Steven Barth
6dbfe22601 odhcp6c: improve server selection, introduce "forceprefix" option
SVN-Revision: 38314
2013-10-07 08:43:33 +00:00
Luka Perkov
702936f4c9 iproute2: update to 3.11
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38313
2013-10-07 08:26:41 +00:00
Hauke Mehrtens
64c2bc256c brcm47xx: Cocci spatch "noderef"
sizeof when applied to a pointer typed expression gives the size of the
pointer.
Found by coccinelle spatch "misc/noderef.cocci"

Signed-off-by: Thomas Meyer <thomas@m3y3r.de>

SVN-Revision: 38312
2013-10-07 00:01:01 +00:00
Hauke Mehrtens
2402f8a9ee brcm47xx: move clock detection patches
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38311
2013-10-07 00:00:10 +00:00
Hauke Mehrtens
4c193a30ce brcm47xx: move and rename nvram gpio patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38310
2013-10-06 23:57:11 +00:00
Hauke Mehrtens
b201818044 brcm47xx: update early printk patches
Early printk was disabled because it caused hangs on some devices, the
old patches were using the CFE console now we use the normal serial
console, it is at a constant address.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38309
2013-10-06 23:55:35 +00:00
Hauke Mehrtens
ebf0778721 brcm47xx: update board detection patches
Add patches like they are currently in the mainline mips tree and add
some more pending patches for board detection.

* Now the board name is shown under machine in /proc/cpuinfo.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38308
2013-10-06 23:51:24 +00:00
Hauke Mehrtens
53a2c19c69 kernel: b53: add switch name into printk when it fails.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38307
2013-10-06 22:35:28 +00:00
Hauke Mehrtens
2c5e4aa6ad brcm47xx: b44: fix some problems with the phy
* do not try initialize a unused phy
* some improvements to the phylib patch
* do not turn the phy off when mac is off

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38306
2013-10-06 18:31:32 +00:00
Felix Fietkau
048fc8f0c1 ath9k: fix tx queueing issues after background scans
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 38304
2013-10-05 12:12:21 +00:00
Luka Perkov
9051e79bc2 build: extend menu with few ubifs options
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38303
2013-10-04 10:49:47 +00:00
Steven Barth
8b7b7cabf2 opkg: add support for SHA256 verification
based on a patch by Evan Hunt <each@isc.org>
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 38302
2013-10-04 05:56:20 +00:00
Luka Perkov
fa3ab0c237 kirkwood: add support for UBI (3.10.x)
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38301
2013-10-04 03:45:52 +00:00
Felix Fietkau
e96695df10 netifd: update to latest version, adds macvlan support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 38299
2013-10-03 14:51:34 +00:00
Luka Perkov
60dd4429b7 imx6: update upstream pcie patches
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38298
2013-10-03 13:06:42 +00:00
Luka Perkov
5617993e10 kirkwood: enable dts compilation
In 3.10 we might build those, so for now just add this functionality.

Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38297
2013-10-03 02:50:03 +00:00
Luka Perkov
a30df8987d kirkwood: fix initramfs images
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38296
2013-10-03 02:50:02 +00:00
Luka Perkov
38936426f7 kirkwood: update patches and configuration (3.10)
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 38295
2013-10-03 02:50:00 +00:00
Hauke Mehrtens
97b15fc45b brcm47xx: add support for ipv6 in default network config
Modify /etc/init.d/netconfig to use UCI defaults for building the
default network config, which includes appropriate defaults for IPV6.

Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>

SVN-Revision: 38294
2013-10-02 23:22:18 +00:00
Hauke Mehrtens
caff3b5aee broadcom-diag: fix 'autoload' number of diag.ko
Change the autoload number from '5' to '05' so the module loads earlier (as intended).

Signed-off-by: Nathan Hintz <nlhintz@hotmail.com>

SVN-Revision: 38293
2013-10-02 23:14:08 +00:00
Hauke Mehrtens
9e5eeb3c38 kernel: bgmac: fix BCM4707 patch
The bool logic was the wrong way around.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38292
2013-10-02 23:12:46 +00:00
Hauke Mehrtens
101034fa23 kernel: refresh patches
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38291
2013-10-02 22:26:43 +00:00
Hauke Mehrtens
fa839274b0 kernel: bcma: update to wireless-testing master-2013-10-01
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38290
2013-10-02 22:26:15 +00:00
Hauke Mehrtens
125fc703bb kernel: bgmac: move other bgmac patches to generic
The bgmac driver will be used on the brcm47xx and the bcm53xx target.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38289
2013-10-02 22:25:26 +00:00
Hauke Mehrtens
06c8b90ebf kernel: bgmac: move bgmac patches already applied in mainline kernel to generic
The bgmac driver will be used on the brcm47xx and the bcm53xx target.
These are only the patches already applied in current net-next/master
branch.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 38288
2013-10-02 22:24:01 +00:00
Steven Barth
03b0c3b5a6 package/index: fix index creating when building without signing
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>

SVN-Revision: 38287
2013-10-02 16:38:28 +00:00
Steven Barth
95e9c260bc odhcp6c: validate hop-limit on RAs
SVN-Revision: 38285
2013-10-02 14:16:05 +00:00
Steven Barth
cbdd346b11 Add package signing infrastructure
Add package signing key and certificate configuration options to the
"Image configuration" submenu. If enabled, the Packages.gz list will
be signed as file Packages.sig. The passphrase for the signing key can
be sourced from a file or entered by the user. The signing certificate
is automatically added to the firmware image if opkg-smime is selected.

Signed-off-by: Evan Hunt <each@isc.org>
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 38284
2013-10-02 12:12:10 +00:00
Steven Barth
0ad1d06c13 6relayd: remove compat ULA setting by default (too many bad sideeffects)
SVN-Revision: 38283
2013-10-02 06:14:39 +00:00