Commit graph

83 commits

Author SHA1 Message Date
Felix Fietkau
bbda81ce30 hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:01:57 +02:00
Koen Vandeputte
2f78034c3e hostapd: update to version 2017-08-24
- Deleted upstreamed patches & parts
- Refreshed all

Compile tested: full-option package + tools (hostapd + wpa_supplicant)
Run-tested: hostapd wpa2 hotspot & wpa_supplicant IBSS link

Targets: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2017-10-07 05:46:04 +03:00
John Crispin
d18e0dc7d1 hostapd: add additional ubus notifications
Signed-off-by: John Crispin <john@phrozen.org>
2017-08-22 21:31:39 +02:00
Abhilash Tuse
41feba8c4a hostapd: fix reload frequency change patch
When sta is configured, hostapd receives 'stop' and 'update' command from
wpa_supplicant. In the update command, hostapd gets sta parameters with
which it configures ap.

Problem is, with the default wireless configuration:
mode:11g freq:2.4GHz channel:1
If sta is connected to 5GHz network, then ap does not work. Ideally with
340-reload_freq_change.patch hostapd should reload the frequency changes
and start ap in 5GHz, but ap becomes invisible in the network.

This issue can be reproduced with following /etc/config/wireless:
config wifi-device  radio0
        option type     mac80211
        option channel  1
        option hwmode   11g
        option path     'virtual/uccp420/uccwlan'
        option htmode   'none'

config wifi-iface 'ap'
        option device 'radio0'
        option encryption 'none'
        option mode 'ap'
        option network 'ap'
        option ssid 'MyTestNet'
        option encryption none

config wifi-iface 'sta'
       option device radio0
       option network sta
       option mode sta
       option ssid TestNet-5G
       option encryption psk2
       option key 12345

This change updates current_mode structure based on configured hw_mode
received from wpa_supplicant. Also prepare rates table after frequency
selection.

Signed-off-by: Abhilash Tuse <Abhilash.Tuse@imgtec.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, patch refresh]
2017-05-03 13:58:23 +02:00
Rafał Miłecki
37b489fe04 hostapd: backport support for sending debug messages to the syslog
It wasn't possible to read hostapd wpa_printf messages unless running
hostapd manually. It was because hostapd was printing them using vprintf
and not directly to the syslog.

We were trying to workaround this problem by redirecting STDIN_FILENO
and STDOUT_FILENO but it was working only for the initialization phase.
As soon as hostapd did os_daemonize our solution stopped working.

Please note despite the subject this change doesn't affect debug level
messages only but just everything printed by hostapd with wpa_printf
including MSG_ERROR-s. This makes it even more important as reading
error messages can be quite useful for debugging.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-01-30 06:52:02 +01:00
Felix Fietkau
40e4c342fd hostapd: backport a few upstream fixes
Fixes reassoc issues with WDS mode
Fixes reassoc issues in AP mode
Fixes IBSS reauthentication issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-15 14:53:28 +01:00
Koen Vandeputte
05abcf518d hostapd: update to version 2016-12-19
Update to latest upstream HEAD:

- Refreshed all
- Fixes 2 regressions:
--> PeerKey: Fix STK 4-way handshake regression
--> PeerKey: Fix EAPOL-Key processing

Compile tested Full & Mini configs
Run-tested Mini config

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2016-12-20 21:35:56 +01:00
Koen Vandeputte
f628d0e0e9 hostapd: update to version 2016-12-15
Update to latest upstream HEAD:

- Refreshed all
- Delete patches and parts which made it upstream

Compile tested Full & Mini configs
Run-tested Mini config

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [another update, remove broken patch]
2016-12-20 16:24:21 +01:00
Alexandru Ardelean
58cf9a2476 network/services/hostapd: move whole files outside of patches and drop Build/Prepare rule in favor of default one
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:51 +02:00
Rafał Miłecki
e70e3c544a hostapd: fix regression breaking brcmfmac
The latest update of hostapd broke brcmfmac due to upstream regression.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-13 12:06:42 +02:00
Felix Fietkau
859d940c79 hostapd: update to version 2016-09-05
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-08 15:28:38 +02:00
Johannes Römer
e8cb7d30e9 hostapd: fix typo and indentation in ap_sta_support.patch
Signed-off-by: Johannes Römer <jroemer@posteo.net>
2016-09-05 18:03:24 +02:00
Ash Benz
798cd261ab hostapd: use printf to improve portability.
Signed-off-by: Ash Benz <ash.benz@bk.ru>
2016-08-23 12:15:41 +02:00
Felix Fietkau
da328f2865 hostapd: backport mesh/ibss HT20/HT40 related fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-27 17:22:39 +02:00
Felix Fietkau
ca6375ac51 hostapd: fix an error on parsing radius_das_client
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 16:58:50 +02:00
Felix Fietkau
75329fc161 hostapd: fix VLAN support in full wpad builds
Suppress -DCONFIG_NO_VLAN if CONFIG_IBSS_RSN is enabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:10 +02:00
Felix Fietkau
ad430c1080 hostapd: add a WDS AP fix for reconnecting clients
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-06 10:12:37 +02:00
Felix Fietkau
4e0a533f60 hostapd: fix breakage with non-nl80211 drivers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 19:28:55 +02:00
Jo-Philipp Wich
e2a9c638e7 hostapd: fix compilation error in wext backend
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-15 19:10:32 +02:00
Felix Fietkau
ef74d5cbf8 hostapd: implement fallback for incomplete survey data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:31:48 +02:00
Felix Fietkau
13b44abcff hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:11:43 +02:00
Michal Hrusecky
b67af71181 hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.

Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
2016-06-15 17:11:18 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Felix Fietkau
18b2f2d694 hostapd: fix mesh interface bridge handling
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48529
2016-01-28 17:20:10 +00:00
Felix Fietkau
924407b253 hostapd: update to version 2016-01-15
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48527
2016-01-28 17:19:13 +00:00
Rafał Miłecki
2611a5538e hostapd: fix disassociation with FullMAC drivers and multi-BSS
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 48202
2016-01-11 18:51:47 +00:00
Felix Fietkau
6c40914c0c hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
  (CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

SVN-Revision: 48185
2016-01-10 17:03:37 +00:00
Felix Fietkau
8aa110f7a2 hostapd: wait longer for inactive client probe (empty data frame)
One second is not enough for some devices to ackowledge null data frame
which is sent at the end of ap_max_inactivity interval. In particular,
this causes severe Wi-Fi instability with Apple iPhone which may take
up to 3 seconds to respond.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>

SVN-Revision: 47149
2015-10-06 12:33:10 +00:00
Rafał Miłecki
b6320a63a2 hostapd: check for banned client on association event
When using FullMAC drivers (e.g. brcmfmac) we don't get mgmt frames so
check for banned client in probe request handler won't ever be used.
Since cfg80211 provides us info about STA associating let's put a check
there.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 47064
2015-09-28 09:09:00 +00:00
Felix Fietkau
91467cec6f hostapd: add a new option to control HT coexistance separate from noscan
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45873
2015-06-02 08:39:19 +00:00
Felix Fietkau
06556a8e6b hostapd: fix remote denial of service vulnerability in WMM action frame parsing
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45619
2015-05-06 09:45:39 +00:00
Felix Fietkau
eba659cbba hostapd: backport fix for CVE-2015-1863, refresh patches
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45567
2015-04-23 08:01:51 +00:00
John Crispin
2b95d21fdb hostapd: remove unused asprintf parameter
r45270 removed ieee80211n=%d from the format string but didn't remove
the parameter itself. Though this probably doesn't cause any harm, it's
quite confusing and unneeded.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 45351
2015-04-10 08:31:26 +00:00
John Crispin
ff211def3e hostapd: add update_beacon to ubus binding
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45325
2015-04-09 10:31:45 +00:00
Felix Fietkau
fe8d9f59da hostapd: when running AP+STA, preserve the AP 802.11n-enabled setting
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45270
2015-04-04 17:51:46 +00:00
Felix Fietkau
89abb27f2c hostapd: fix compile errors with nl80211 disabled (#19325)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45063
2015-03-27 14:55:01 +00:00
Felix Fietkau
44218424f1 hostapd: fix a compiler warning in ap+station patch
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45062
2015-03-27 14:54:53 +00:00
Felix Fietkau
8905eb39b6 hostapd: disable the bridge packet receive workaround, it is unnecessary on openwrt and could potentially harm performance
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45060
2015-03-27 14:54:41 +00:00
Felix Fietkau
184bac2707 hostapd: add switch_chan and set_vendor_elements ubus methods
Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45046
2015-03-26 23:33:52 +00:00
Felix Fietkau
9c7784e5f3 hostapd: update hostapd to 2015-03-25
madwifi was dropped upstream, can't find it anywhere in OpenWrt
either, thus finally burrying madwifi.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 45045
2015-03-26 23:33:47 +00:00
John Crispin
8f3e9c91a8 hostapd: backport BSSID black/whitelists
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.

This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.

In many applications it is useful not just to enumerate a group of well
known access points, but to use a address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).

This is especially useful if an OpenWrt device with two radios is used to
retransmit the same network (one in AP mode for other clients, one as STA for
the uplink); the following configuration prevents the device from associating
with itself, given that the own AP to be avoided is using the bssid
'C0:FF:EE:D0:0D:42':

config wifi-iface
	option device 'radio2'
	option network 'uplink'
	option mode 'sta'
	option ssid 'MyNetwork'
	option encryption 'none'
	list bssid_blacklist 'C0:FF:EE:D0:0D:42/00:FF:FF:FF:FF:FF'

This change consists of the following cherry-picked upstream commits:

b3d6a0a8259002448a29f14855d58fe0a624ab76
b83e455451a875ba233b3b8ac29aff8b62f064f2
79cd993a623e101952b81fa6a29c674cd858504f
(squashed to implement bssid_{white,black}lists)

0047306bc9ab7d46e8cc22ff9a3e876c47626473
(Add os_snprintf_error() helper)

Signed-off-by: Stefan Tomanek <stefan.tomanek+openwrt@wertarbyte.de>

SVN-Revision: 44438
2015-02-13 10:53:54 +00:00
Rafał Miłecki
adaac86c7f hostapd: backport patch fixing handling new stations
This patch fixes adding new stations for some specific drivers when
using more than 1 BSS.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 43951
2015-01-12 22:10:00 +00:00
Felix Fietkau
3c9fcd2526 hostapd: update to 2014-10-25
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 43059
2014-10-25 16:48:45 +00:00
Steven Barth
99984eaeb3 hostapd: CVE-2014-3686 fixes
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 42942
2014-10-17 06:15:35 +00:00
Felix Fietkau
cd80931e03 hostapd: merge an upstream patch for pmksa cache
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42762
2014-10-05 10:26:26 +00:00
Felix Fietkau
96b74d4eef hostapd: add ubus bindings for wps
With this patch WPS discovery can be started or canceled over ubus if
WPS is enabled in wireless configuration. This is equivalent of
'hostapd_cli wps_pbc' and 'hostapd_cli wps_cancel' commands.

Signed-off-by: Petar Koretic <petar.koretic@sartura.hr>

SVN-Revision: 42459
2014-09-10 13:01:53 +00:00
Felix Fietkau
c6d1992701 hostapd: add more missing ifdefs
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41863
2014-07-28 22:52:39 +00:00
Felix Fietkau
fd619513d1 hostapd: add missing ifdef
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41855
2014-07-28 10:36:51 +00:00
Felix Fietkau
eaa3c4a11d hostapd: prevent spurious 20/40 mhz channel bandwidth switches if noscan is enabled
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41828
2014-07-25 14:29:58 +00:00
Felix Fietkau
53fa9374c2 hostapd: fix wpad-mini compile error (#16700)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 41023
2014-06-05 21:14:02 +00:00