298977887/lede
1
0
Fork 0
mirror of https://github.com/coolsnowwolf/lede.git synced 2025-04-16 04:13:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

hostapd: CERT case ID: VU#228519 for WPA packet number reuse with key reinstallation and CVE fixes

Browse Source
This commit is contained in:
coolsnowwolf 2017-10-16 20:55:05 +08:00
parent 020522bcfc
commit 47c9f16b45
42 changed files with 2595 additions and 820 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
package/libs/libubox/Makefile
View File

@ -5,9 +5,9 @@ PKG_RELEASE=1
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL=$(LEDE_GIT)/project/libubox.git PKG_SOURCE_URL=$(LEDE_GIT)/project/libubox.git
PKG_SOURCE_DATE:=2017-06-17 PKG_SOURCE_DATE:=2017-09-29
PKG_SOURCE_VERSION:=fd57eea9f37e447814afbf934db626288aac23c4 PKG_SOURCE_VERSION:=632688e8d6cde32781e4ec685d59afb0938300ad
PKG_MIRROR_HASH:=6921c507c0c7a951a47d619caa8228f7553141484a3c6d87ba526216f9dd927e PKG_MIRROR_HASH:=84b5a0bc404e96a2965cadc1beb92664f4c22cc878a0a624eecd4b6884b56625
CMAKE_INSTALL:=1 CMAKE_INSTALL:=1
PKG_LICENSE:=ISC PKG_LICENSE:=ISC

9
package/network/services/hostapd/Makefile
View File

@ -7,13 +7,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd PKG_NAME:=hostapd
PKG_RELEASE:=4 PKG_RELEASE:=1
PKG_SOURCE_URL:=http://w1.fi/hostap.git PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_DATE:=2016-12-19 PKG_SOURCE_DATE:=2017-08-24
PKG_SOURCE_VERSION:=ad02e79d12fd70ed6bd5fbaf64001a2851e5bb7b PKG_SOURCE_VERSION:=c2d4f2eb5dba0b5c5a8c5805823084da958a9b52
PKG_MIRROR_HASH:=7a0983f004b156d46911765c113754a4c00f56fb889430620bbd061b3b1fcf33 PKG_MIRROR_HASH:=c6ad9a73fc1ae0ba8bc48f71cf14394b274bc9c2c1d1b53c2775f08312597e74
PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name> PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
@ -299,6 +299,7 @@ define Build/Compile/wpad
$(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \ $(call Build/RunMake,wpa_supplicant,-s MULTICALL=1 dump_cflags) | \
sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \ sed -e 's,-n ,,g' -e 's^$(TARGET_CFLAGS)^^' \
` > $(PKG_BUILD_DIR)/.cflags ` > $(PKG_BUILD_DIR)/.cflags
sed -i 's/"/\\"/g' $(PKG_BUILD_DIR)/.cflags
+$(call Build/RunMake,hostapd, \ +$(call Build/RunMake,hostapd, \
CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \ CFLAGS="$$$$(cat $(PKG_BUILD_DIR)/.cflags)" \
MULTICALL=1 \ MULTICALL=1 \

266
package/network/services/hostapd/files/hostapd-full.config
View File

@ -15,22 +15,31 @@
# Driver interface for wired authenticator # Driver interface for wired authenticator
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
# Driver interface for Prism54 driver
#CONFIG_DRIVER_PRISM54=y
# Driver interface for drivers using the nl80211 kernel interface # Driver interface for drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_NL80211=y
# driver_nl80211.c requires a rather new libnl (version 1.1) which may not be
# shipped with your distribution yet. If that is the case, you need to build # QCA vendor extensions to nl80211
# newer libnl version and point the hostapd build to use it. #CONFIG_DRIVER_NL80211_QCA=y
#LIBNL=/usr/src/libnl
#CFLAGS += -I$(LIBNL)/include # driver_nl80211.c requires libnl. If you are compiling it yourself
#LIBS += -L$(LIBNL)/lib # you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y #CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include #CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib #LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only) # Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y #CONFIG_DRIVER_NONE=y
@ -45,16 +54,14 @@ CONFIG_RSN_PREAUTH=y
CONFIG_PEERKEY=y CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection) # IEEE 802.11w (management frame protection)
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
# Integrated EAP server # Integrated EAP server
CONFIG_EAP=y CONFIG_EAP=y
# EAP-FAST for the integrated EAP server # EAP Re-authentication Protocol (ERP) in integrated EAP server
CONFIG_EAP_FAST=y #CONFIG_ERP=y
# EAP-MD5 for the integrated EAP server # EAP-MD5 for the integrated EAP server
CONFIG_EAP_MD5=y CONFIG_EAP_MD5=y
@ -90,6 +97,9 @@ CONFIG_EAP_TTLS=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y #CONFIG_EAP_PSK=y
# EAP-pwd for the integrated EAP server (secure authentication with a password)
#CONFIG_EAP_PWD=y
# EAP-SAKE for the integrated EAP server # EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y #CONFIG_EAP_SAKE=y
@ -99,17 +109,17 @@ CONFIG_EAP_TTLS=y
#CONFIG_EAP_GPSK_SHA256=y #CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server # EAP-FAST for the integrated EAP server
# Note: Default OpenSSL package does not include support for all the # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch) # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
# to add the needed functions. CONFIG_EAP_FAST=y
#CONFIG_EAP_FAST=y
# Wi-Fi Protected Setup (WPS) # Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y CONFIG_WPS=y
CONFIG_WPS2=y
# Enable UPnP support for external WPS Registrars # Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y #CONFIG_WPS_UPNP=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2 # EAP-IKEv2
#CONFIG_EAP_IKEV2=y #CONFIG_EAP_IKEV2=y
@ -117,6 +127,9 @@ CONFIG_WPS2=y
# Trusted Network Connect (EAP-TNC) # Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y #CONFIG_EAP_TNC=y
# EAP-EKE for the integrated EAP server
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y CONFIG_PKCS12=y
@ -132,23 +145,43 @@ CONFIG_IPV6=y
CONFIG_IEEE80211R=y CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without # Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g. FreeBSD/net80211) # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y #CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support # IEEE 802.11n (High Throughput) support
CONFIG_IEEE80211N=y CONFIG_IEEE80211N=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# IEEE 802.11ac (Very High Throughput) support # IEEE 802.11ac (Very High Throughput) support
CONFIG_IEEE80211AC=y CONFIG_IEEE80211AC=y
# IEEE 802.11ax HE support
# Note: This is experimental and work in progress. The definitions are still
# subject to change and this should not be expected to interoperate with the
# final IEEE 802.11ax version.
#CONFIG_IEEE80211AX=y
# Remove debugging code that is printing out debug messages to stdout. # Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging # This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed. # code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y #CONFIG_NO_STDOUT_DEBUG=y
# Add support for writing debug log to a file: -f /tmp/hostapd.log
# Disabled by default.
#CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout # Send debug messages to syslog instead of stdout
CONFIG_DEBUG_SYSLOG=y CONFIG_DEBUG_SYSLOG=y
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Remove support for RADIUS accounting # Remove support for RADIUS accounting
#CONFIG_NO_ACCOUNTING=y #CONFIG_NO_ACCOUNTING=y
@ -158,15 +191,190 @@ CONFIG_DEBUG_SYSLOG=y
# Remove support for VLANs # Remove support for VLANs
#CONFIG_NO_VLAN=y #CONFIG_NO_VLAN=y
CONFIG_TLS=internal # Enable support for fully dynamic VLANs. This enables hostapd to
CONFIG_INTERNAL_LIBTOMMATH=y # automatically create bridge and VLAN interfaces if necessary.
CONFIG_INTERNAL_AES=y
NEED_AES_DEC=y
CONFIG_NO_RANDOM_POOL=y
CONFIG_NO_DUMP_STATE=y
CONFIG_WPS=y
CONFIG_FULL_DYNAMIC_VLAN=y CONFIG_FULL_DYNAMIC_VLAN=y
# Use netlink-based kernel API for VLAN operations instead of ioctl()
# Note: This requires libnl 3.1 or newer.
#CONFIG_VLAN_NETLINK=y
# Remove support for dumping internal state through control interface commands
# This can be used to reduce binary size at the cost of disabling a debugging
# option.
CONFIG_NO_DUMP_STATE=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, comment out these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# hostapd depends on strong random number generation being available from the
# operating system. os_get_random() function is used to fetch random data when
# needed, e.g., for key generation. On Linux and BSD systems, this works by
# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
# properly initialized before hostapd is started. This is important especially
# on embedded devices that do not have a hardware random number generator and
# may by default start up with minimal entropy available for random number
# generation.
#
# As a safety net, hostapd is by default trying to internally collect
# additional entropy for generating random data to mix in with the data
# fetched from the OS. This by itself is not considered to be very strong, but
# it may help in cases where the system pool is not initialized properly.
# However, it is very strongly recommended that the system pool is initialized
# with enough entropy either by using hardware assisted random number
# generator or by storing state over device reboots.
#
# hostapd can be configured to maintain its own entropy store over restarts to
# enhance random number generation. This is not perfect, but it is much more
# secure than using the same sequence of random numbers after every reboot.
# This can be enabled with -e<entropy file> command line option. The specified
# file needs to be readable and writable by hostapd.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal hostapd random pool can be disabled.
# This will save some in binary size and CPU use. However, this should only be
# considered for builds that are known to be used on devices that meet the
# requirements described above.
CONFIG_NO_RANDOM_POOL=y
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
CONFIG_TLS=internal
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used.
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks.
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
#CONFIG_SQLITE=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# Testing options
# This can be used to enable some testing options (see also the example
# configuration file) that are really useful only for testing clients that
# connect to this hostapd. These options allow, for example, to drop a
# certain percentage of probe requests or auth/(re)assoc frames.
#
#CONFIG_TESTING_OPTIONS=y
# Automatic Channel Selection
# This will allow hostapd to pick the channel automatically when channel is set
# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# You can customize the ACS survey algorithm with the hostapd.conf variable
# acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#
#CONFIG_ACS=y
# Multiband Operation support
# These extentions facilitate efficient use of multiple frequency bands
# available to the AP and the devices that may associate with it.
#CONFIG_MBO=y
# Client Taxonomy
# Has the AP retain the Probe Request and (Re)Association Request frames from
# a client, from which a signature can be produced which can identify the model
# of client device like "Nexus 6P" or "iPhone 5s".
#CONFIG_TAXONOMY=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Include internal line edit mode in hostapd_cli. This can be used to provide
# limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
# uBus IPC/RPC System
# Services can connect to the bus and provide methods
# that can be called by other services or clients.
CONFIG_UBUS=y CONFIG_UBUS=y

256
package/network/services/hostapd/files/hostapd-mini.config
View File

@ -15,28 +15,37 @@
# Driver interface for wired authenticator # Driver interface for wired authenticator
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
# Driver interface for Prism54 driver
#CONFIG_DRIVER_PRISM54=y
# Driver interface for drivers using the nl80211 kernel interface # Driver interface for drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_NL80211=y
# driver_nl80211.c requires a rather new libnl (version 1.1) which may not be
# shipped with your distribution yet. If that is the case, you need to build # QCA vendor extensions to nl80211
# newer libnl version and point the hostapd build to use it. #CONFIG_DRIVER_NL80211_QCA=y
#LIBNL=/usr/src/libnl
#CFLAGS += -I$(LIBNL)/include # driver_nl80211.c requires libnl. If you are compiling it yourself
#LIBS += -L$(LIBNL)/lib # you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y #CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include #CFLAGS += -I/usr/local/include
#LIBS += -L/usr/local/lib #LIBS += -L/usr/local/lib
#LIBS_p += -L/usr/local/lib
#LIBS_c += -L/usr/local/lib
# Driver interface for no driver (e.g., RADIUS server only) # Driver interface for no driver (e.g., RADIUS server only)
#CONFIG_DRIVER_NONE=y #CONFIG_DRIVER_NONE=y
# IEEE 802.11F/IAPP # IEEE 802.11F/IAPP
# CONFIG_IAPP=y #CONFIG_IAPP=y
# WPA2/IEEE 802.11i RSN pre-authentication # WPA2/IEEE 802.11i RSN pre-authentication
CONFIG_RSN_PREAUTH=y CONFIG_RSN_PREAUTH=y
@ -45,14 +54,15 @@ CONFIG_RSN_PREAUTH=y
CONFIG_PEERKEY=y CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection) # IEEE 802.11w (management frame protection)
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
# Integrated EAP server # Integrated EAP server
#CONFIG_EAP=y #CONFIG_EAP=y
# EAP Re-authentication Protocol (ERP) in integrated EAP server
#CONFIG_ERP=y
# EAP-MD5 for the integrated EAP server # EAP-MD5 for the integrated EAP server
#CONFIG_EAP_MD5=y #CONFIG_EAP_MD5=y
@ -87,6 +97,9 @@ CONFIG_PEERKEY=y
# EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK) # EAP-PSK for the integrated EAP server (this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y #CONFIG_EAP_PSK=y
# EAP-pwd for the integrated EAP server (secure authentication with a password)
#CONFIG_EAP_PWD=y
# EAP-SAKE for the integrated EAP server # EAP-SAKE for the integrated EAP server
#CONFIG_EAP_SAKE=y #CONFIG_EAP_SAKE=y
@ -96,16 +109,17 @@ CONFIG_PEERKEY=y
#CONFIG_EAP_GPSK_SHA256=y #CONFIG_EAP_GPSK_SHA256=y
# EAP-FAST for the integrated EAP server # EAP-FAST for the integrated EAP server
# Note: Default OpenSSL package does not include support for all the # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# the OpenSSL library must be patched (openssl-0.9.9-session-ticket.patch) # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
# to add the needed functions.
#CONFIG_EAP_FAST=y #CONFIG_EAP_FAST=y
# Wi-Fi Protected Setup (WPS) # Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y #CONFIG_WPS=y
# Enable UPnP support for external WPS Registrars # Enable UPnP support for external WPS Registrars
#CONFIG_WPS_UPNP=y #CONFIG_WPS_UPNP=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2 # EAP-IKEv2
#CONFIG_EAP_IKEV2=y #CONFIG_EAP_IKEV2=y
@ -113,6 +127,9 @@ CONFIG_PEERKEY=y
# Trusted Network Connect (EAP-TNC) # Trusted Network Connect (EAP-TNC)
#CONFIG_EAP_TNC=y #CONFIG_EAP_TNC=y
# EAP-EKE for the integrated EAP server
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
#CONFIG_PKCS12=y #CONFIG_PKCS12=y
@ -128,23 +145,43 @@ CONFIG_PEERKEY=y
#CONFIG_IEEE80211R=y #CONFIG_IEEE80211R=y
# Use the hostapd's IEEE 802.11 authentication (ACL), but without # Use the hostapd's IEEE 802.11 authentication (ACL), but without
# the IEEE 802.11 Management capability (e.g. FreeBSD/net80211) # the IEEE 802.11 Management capability (e.g., FreeBSD/net80211)
#CONFIG_DRIVER_RADIUS_ACL=y #CONFIG_DRIVER_RADIUS_ACL=y
# IEEE 802.11n (High Throughput) support # IEEE 802.11n (High Throughput) support
CONFIG_IEEE80211N=y CONFIG_IEEE80211N=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# IEEE 802.11ac (Very High Throughput) support # IEEE 802.11ac (Very High Throughput) support
CONFIG_IEEE80211AC=y CONFIG_IEEE80211AC=y
# IEEE 802.11ax HE support
# Note: This is experimental and work in progress. The definitions are still
# subject to change and this should not be expected to interoperate with the
# final IEEE 802.11ax version.
#CONFIG_IEEE80211AX=y
# Remove debugging code that is printing out debug messages to stdout. # Remove debugging code that is printing out debug messages to stdout.
# This can be used to reduce the size of the hostapd considerably if debugging # This can be used to reduce the size of the hostapd considerably if debugging
# code is not needed. # code is not needed.
#CONFIG_NO_STDOUT_DEBUG=y #CONFIG_NO_STDOUT_DEBUG=y
# Add support for writing debug log to a file: -f /tmp/hostapd.log
# Disabled by default.
#CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout # Send debug messages to syslog instead of stdout
CONFIG_DEBUG_SYSLOG=y CONFIG_DEBUG_SYSLOG=y
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Remove support for RADIUS accounting # Remove support for RADIUS accounting
CONFIG_NO_ACCOUNTING=y CONFIG_NO_ACCOUNTING=y
@ -154,9 +191,190 @@ CONFIG_NO_RADIUS=y
# Remove support for VLANs # Remove support for VLANs
#CONFIG_NO_VLAN=y #CONFIG_NO_VLAN=y
CONFIG_TLS=internal # Enable support for fully dynamic VLANs. This enables hostapd to
# automatically create bridge and VLAN interfaces if necessary.
#CONFIG_FULL_DYNAMIC_VLAN=y
CONFIG_NO_RANDOM_POOL=y # Use netlink-based kernel API for VLAN operations instead of ioctl()
# Note: This requires libnl 3.1 or newer.
#CONFIG_VLAN_NETLINK=y
# Remove support for dumping internal state through control interface commands
# This can be used to reduce binary size at the cost of disabling a debugging
# option.
CONFIG_NO_DUMP_STATE=y CONFIG_NO_DUMP_STATE=y
# Enable tracing code for developer debugging
# This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y
# For BSD, comment out these.
#LIBS += -lexecinfo
#LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo
# Use libbfd to get more details for developer debugging
# This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these.
#LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz
# hostapd depends on strong random number generation being available from the
# operating system. os_get_random() function is used to fetch random data when
# needed, e.g., for key generation. On Linux and BSD systems, this works by
# reading /dev/urandom. It should be noted that the OS entropy pool needs to be
# properly initialized before hostapd is started. This is important especially
# on embedded devices that do not have a hardware random number generator and
# may by default start up with minimal entropy available for random number
# generation.
#
# As a safety net, hostapd is by default trying to internally collect
# additional entropy for generating random data to mix in with the data
# fetched from the OS. This by itself is not considered to be very strong, but
# it may help in cases where the system pool is not initialized properly.
# However, it is very strongly recommended that the system pool is initialized
# with enough entropy either by using hardware assisted random number
# generator or by storing state over device reboots.
#
# hostapd can be configured to maintain its own entropy store over restarts to
# enhance random number generation. This is not perfect, but it is much more
# secure than using the same sequence of random numbers after every reboot.
# This can be enabled with -e<entropy file> command line option. The specified
# file needs to be readable and writable by hostapd.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal hostapd random pool can be disabled.
# This will save some in binary size and CPU use. However, this should only be
# considered for builds that are known to be used on devices that meet the
# requirements described above.
CONFIG_NO_RANDOM_POOL=y
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select TLS implementation
# openssl = OpenSSL (default)
# gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template
CONFIG_TLS=internal
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# can be enabled to get a stronger construction of messages when block ciphers
# are used.
#CONFIG_TLSV11=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms.
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of
# LibTomMath can be used. See beginning of libtommath.c for details on benefits
# and drawbacks of this option.
#CONFIG_INTERNAL_LIBTOMMATH=y
#ifndef CONFIG_INTERNAL_LIBTOMMATH
#LTM_PATH=/usr/src/libtommath-0.39
#CFLAGS += -I$(LTM_PATH)
#LIBS += -L$(LTM_PATH)
#LIBS_p += -L$(LTM_PATH)
#endif
# At the cost of about 4 kB of additional binary size, the internal LibTomMath
# can be configured to include faster routines for exptmod, sqr, and div to
# speed up DH and RSA calculation considerably
#CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks.
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable SQLite database support in hlr_auc_gw, EAP-SIM DB, and eap_user_file
#CONFIG_SQLITE=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# Testing options
# This can be used to enable some testing options (see also the example
# configuration file) that are really useful only for testing clients that
# connect to this hostapd. These options allow, for example, to drop a
# certain percentage of probe requests or auth/(re)assoc frames.
#
#CONFIG_TESTING_OPTIONS=y
# Automatic Channel Selection
# This will allow hostapd to pick the channel automatically when channel is set
# to "acs_survey" or "0". Eventually, other ACS algorithms can be added in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# You can customize the ACS survey algorithm with the hostapd.conf variable
# acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#
#CONFIG_ACS=y
# Multiband Operation support
# These extentions facilitate efficient use of multiple frequency bands
# available to the AP and the devices that may associate with it.
#CONFIG_MBO=y
# Client Taxonomy
# Has the AP retain the Probe Request and (Re)Association Request frames from
# a client, from which a signature can be produced which can identify the model
# of client device like "Nexus 6P" or "iPhone 5s".
#CONFIG_TAXONOMY=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Include internal line edit mode in hostapd_cli. This can be used to provide
# limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y
# uBus IPC/RPC System
# Services can connect to the bus and provide methods
# that can be called by other services or clients.
CONFIG_UBUS=y CONFIG_UBUS=y

16
package/network/services/hostapd/files/hostapd.sh
View File

@ -67,6 +67,7 @@ hostapd_common_add_device_config() {
config_add_boolean legacy_rates config_add_boolean legacy_rates
config_add_string acs_chan_bias config_add_string acs_chan_bias
config_add_array hostapd_options
hostapd_add_log_config hostapd_add_log_config
} }
@ -127,6 +128,11 @@ hostapd_prepare_device_config() {
[ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N" [ -n "$brlist" ] && append base_cfg "basic_rates=$brlist" "$N"
append base_cfg "beacon_int=$beacon_int" "$N" append base_cfg "beacon_int=$beacon_int" "$N"
json_get_values opts hostapd_options
for val in $opts; do
append base_cfg "$val" "$N"
done
cat > "$config" <<EOF cat > "$config" <<EOF
driver=$driver driver=$driver
$base_cfg $base_cfg
@ -178,7 +184,7 @@ hostapd_common_add_bss_config() {
config_add_int wps_ap_setup_locked wps_independent config_add_int wps_ap_setup_locked wps_independent
config_add_string wps_device_type wps_device_name wps_manufacturer wps_pin config_add_string wps_device_type wps_device_name wps_manufacturer wps_pin
config_add_boolean ieee80211r pmk_r1_push config_add_boolean ieee80211r pmk_r1_push ft_psk_generate_local ft_over_ds
config_add_int r0_key_lifetime reassociation_deadline config_add_int r0_key_lifetime reassociation_deadline
config_add_string mobility_domain r1_key_holder config_add_string mobility_domain r1_key_holder
config_add_array r0kh r1kh config_add_array r0kh r1kh
@ -382,7 +388,7 @@ hostapd_set_bss_options() {
if [ "$ieee80211r" -gt "0" ]; then if [ "$ieee80211r" -gt "0" ]; then
json_get_vars mobility_domain r0_key_lifetime r1_key_holder \ json_get_vars mobility_domain r0_key_lifetime r1_key_holder \
reassociation_deadline pmk_r1_push reassociation_deadline pmk_r1_push ft_psk_generate_local ft_over_ds
json_get_values r0kh r0kh json_get_values r0kh r0kh
json_get_values r1kh r1kh json_get_values r1kh r1kh
@ -391,12 +397,16 @@ hostapd_set_bss_options() {
set_default r1_key_holder "00004f577274" set_default r1_key_holder "00004f577274"
set_default reassociation_deadline 1000 set_default reassociation_deadline 1000
set_default pmk_r1_push 0 set_default pmk_r1_push 0
set_default ft_psk_generate_local 0
set_default ft_over_ds 1
append bss_conf "mobility_domain=$mobility_domain" "$N" append bss_conf "mobility_domain=$mobility_domain" "$N"
append bss_conf "r0_key_lifetime=$r0_key_lifetime" "$N" append bss_conf "r0_key_lifetime=$r0_key_lifetime" "$N"
append bss_conf "r1_key_holder=$r1_key_holder" "$N" append bss_conf "r1_key_holder=$r1_key_holder" "$N"
append bss_conf "reassociation_deadline=$reassociation_deadline" "$N" append bss_conf "reassociation_deadline=$reassociation_deadline" "$N"
append bss_conf "pmk_r1_push=$pmk_r1_push" "$N" append bss_conf "pmk_r1_push=$pmk_r1_push" "$N"
append bss_conf "ft_psk_generate_local=$ft_psk_generate_local" "$N"
append bss_conf "ft_over_ds=$ft_over_ds" "$N"
for kh in $r0kh; do for kh in $r0kh; do
append bss_conf "r0kh=${kh//,/ }" "$N" append bss_conf "r0kh=${kh//,/ }" "$N"
@ -627,7 +637,7 @@ wpa_supplicant_add_network() {
scan_ssid="" scan_ssid=""
} }
[[ "$_w_mode" = "adhoc" -o "$_w_mode" = "mesh" ]] && append network_data "$_w_modestr" "$N$T" [ "$_w_mode" = "adhoc" -o "$_w_mode" = "mesh" ] && append network_data "$_w_modestr" "$N$T"
case "$auth_type" in case "$auth_type" in
none) ;; none) ;;

373
package/network/services/hostapd/files/wpa_supplicant-full.config
View File

@ -1,9 +1,9 @@
# Example wpa_supplicant build time configuration # Example wpa_supplicant build time configuration
# #
# This file lists the configuration options that are used when building the # This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option # wpa_supplicant binary. All lines starting with # are ignored. Configuration
# lines must be commented out complete, if they are not to be included, i.e., # option lines must be commented out complete, if they are not to be included,
# just setting VARIABLE=n is not disabling that variable. # i.e., just setting VARIABLE=n is not disabling that variable.
# #
# This file is included in Makefile, so variables like CFLAGS and LIBS can also # This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not # be modified from here. In most cases, these lines should use += in order not
@ -20,63 +20,33 @@
# used to fix build issues on such systems (krb5.h not found). # used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos #CFLAGS += -I/usr/include/kerberos
# Example configuration for various cross-compilation platforms
#### sveasoft (e.g., for Linksys WRT54G) ######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
###############################################################################
#### openwrt (e.g., for Linksys WRT54G) #######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
# -I../WRT54GS/release/src/include
#LIBS = -lssl
###############################################################################
# Driver interface for Host AP driver
#CONFIG_DRIVER_HOSTAP=y
# Driver interface for Agere driver
#CONFIG_DRIVER_HERMES=y
# Change include directories to match with the local setup
#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
#CFLAGS += -I../../include/wireless
# Driver interface for ndiswrapper
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_NDISWRAPPER=y
# Driver interface for Atmel driver
# CONFIG_DRIVER_ATMEL=y
# Driver interface for old Broadcom driver
# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
# Linux wireless extensions and does not need (or even work) with the old
# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
#CONFIG_DRIVER_BROADCOM=y
# Example path for wlioctl.h; change to match your configuration
#CFLAGS += -I/opt/WRT54GS/release/src/include
# Driver interface for Intel ipw2100/2200 driver
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_IPW=y
# Driver interface for Ralink driver
#CONFIG_DRIVER_RALINK=y
# Driver interface for generic Linux wireless extensions # Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
# replacement for WEXT and its use allows wpa_supplicant to properly control
# the driver to improve existing functionality like roaming and to support new
# functionality.
CONFIG_DRIVER_WEXT=y CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface # Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y #CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include #CFLAGS += -I/usr/local/include
@ -100,14 +70,6 @@ CONFIG_DRIVER_NL80211=y
# wpa_supplicant. # wpa_supplicant.
# CONFIG_USE_NDISUIO=y # CONFIG_USE_NDISUIO=y
# Driver interface for development testing
#CONFIG_DRIVER_TEST=y
# Include client MLME (management frame processing) for test driver
# This can be used to test MLME operations in hostapd with the test interface.
# space.
#CONFIG_CLIENT_MLME=y
# Driver interface for wired Ethernet drivers # Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
@ -117,13 +79,14 @@ CONFIG_DRIVER_WIRED=y
# Driver interface for no driver (e.g., WPS ER only) # Driver interface for no driver (e.g., WPS ER only)
#CONFIG_DRIVER_NONE=y #CONFIG_DRIVER_NONE=y
# Solaris libraries
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is # Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included) # included)
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
# EAP-FAST
CONFIG_EAP_FAST=y
# EAP-MD5 # EAP-MD5
CONFIG_EAP_MD5=y CONFIG_EAP_MD5=y
@ -140,11 +103,10 @@ CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y CONFIG_EAP_TTLS=y
# EAP-FAST # EAP-FAST
# Note: Default OpenSSL package does not include support for all the # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch) # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
# to add the needed functions. CONFIG_EAP_FAST=y
#CONFIG_EAP_FAST=y
# EAP-GTC # EAP-GTC
CONFIG_EAP_GTC=y CONFIG_EAP_GTC=y
@ -158,6 +120,9 @@ CONFIG_EAP_OTP=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK) # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y #CONFIG_EAP_PSK=y
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
# EAP-PAX # EAP-PAX
#CONFIG_EAP_PAX=y #CONFIG_EAP_PAX=y
@ -187,10 +152,20 @@ CONFIG_EAP_LEAP=y
# Wi-Fi Protected Setup (WPS) # Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y CONFIG_WPS=y
# Enable WPS external registrar functionality
#CONFIG_WPS_ER=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
#CONFIG_WPS_REG_DISABLE_OPEN=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2 # EAP-IKEv2
#CONFIG_EAP_IKEV2=y #CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y CONFIG_PKCS12=y
@ -203,13 +178,22 @@ CONFIG_SMARTCARD=y
# Enable this if EAP-SIM or EAP-AKA is included # Enable this if EAP-SIM or EAP-AKA is included
#CONFIG_PCSC=y #CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
#CONFIG_HT_OVERRIDES=y
# Support VHT overrides (disable VHT, mask MCS rates, etc.)
#CONFIG_VHT_OVERRIDES=y
# Development testing # Development testing
#CONFIG_EAPOL_TEST=y #CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli: # Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD) # unix = UNIX domain sockets (default for Linux/*BSD)
# udp = UDP sockets using localhost (127.0.0.1) # udp = UDP sockets using localhost (127.0.0.1)
# udp6 = UDP IPv6 sockets using localhost (::1)
# named_pipe = Windows Named Pipe (default for Windows) # named_pipe = Windows Named Pipe (default for Windows)
# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
# y = use default (backwards compatibility) # y = use default (backwards compatibility)
# If this option is commented out, control interface is not included in the # If this option is commented out, control interface is not included in the
# build. # build.
@ -221,6 +205,10 @@ CONFIG_CTRL_IFACE=y
# the resulting binary. # the resulting binary.
#CONFIG_READLINE=y #CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout. # Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably # This can be used to reduce the size of the wpa_supplicant considerably
# if debugging code is not needed. The size reduction can be around 35% # if debugging code is not needed. The size reduction can be around 35%
@ -231,11 +219,6 @@ CONFIG_CTRL_IFACE=y
# 35-50 kB in code size. # 35-50 kB in code size.
#CONFIG_NO_WPA=y #CONFIG_NO_WPA=y
# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
# save about 1 kB in code size when building only WPA-Personal (no EAP support)
# or 6 kB if building for WPA-Enterprise.
#CONFIG_NO_WPA2=y
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for # This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the # converting ASCII passphrases into PSK. If this functionality is removed, the
@ -270,7 +253,7 @@ CONFIG_BACKEND=file
# main_none = Very basic example (development use only) # main_none = Very basic example (development use only)
#CONFIG_MAIN=main #CONFIG_MAIN=main
# Select wrapper for operatins system and C library specific functions # Select wrapper for operating system and C library specific functions
# unix = UNIX/POSIX like systems (default) # unix = UNIX/POSIX like systems (default)
# win32 = Windows systems # win32 = Windows systems
# none = Empty template # none = Empty template
@ -279,9 +262,17 @@ CONFIG_BACKEND=file
# Select event loop implementation # Select event loop implementation
# eloop = select() loop (default) # eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop # eloop_win = Windows events and WaitForMultipleObject() loop
# eloop_none = Empty template
#CONFIG_ELOOP=eloop #CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select layer 2 packet implementation # Select layer 2 packet implementation
# linux = Linux packet socket (default) # linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap # pcap = libpcap/libdnet/WinPcap
@ -291,29 +282,44 @@ CONFIG_BACKEND=file
# none = Empty template # none = Empty template
#CONFIG_L2_PACKET=linux #CONFIG_L2_PACKET=linux
# Disable Linux packet socket workaround applicable for station interface
# in a bridge for EAPOL frames. This should be uncommented only if the kernel
# is known to not have the regression issue in packet socket behavior with
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) # PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection) # IEEE 802.11w (management frame protection), also known as PMF
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
# Select TLS implementation # Select TLS implementation
# openssl = OpenSSL (default) # openssl = OpenSSL (default)
# gnutls = GnuTLS (needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA) # gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental) # internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template # none = Empty template
CONFIG_TLS=internal CONFIG_TLS=internal
# Whether to enable TLS/IA support, which is required for EAP-TTLSv1. # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# You need CONFIG_TLS=gnutls for this to have any effect. Please note that # can be enabled to get a stronger construction of messages when block ciphers
# even though the core GnuTLS library is released under LGPL, this extra # are used. It should be noted that some existing TLS v1.0 -based
# library uses GPL and as such, the terms of GPL apply to the combination # implementation may not be compatible with TLS v1.1 message (ClientHello is
# of wpa_supplicant and GnuTLS if this option is enabled. BSD license may not # sent prior to negotiating which version will be used)
# apply for distribution of the resulting binary. #CONFIG_TLSV11=y
#CONFIG_GNUTLS_EXTRA=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
# noted that some existing TLS v1.0 -based implementation may not be compatible
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
# will be used)
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are # If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of # needed for LibTomMath. Alternatively, an integrated, minimal version of
@ -369,12 +375,31 @@ CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# amount of memory/flash. # amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y #CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
CONFIG_IEEE80211R=y CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y #CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
#CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Add support for writing debug log to Android logcat instead of standard
# output
#CONFIG_ANDROID_LOG=y
# Enable privilege separation (see README 'Privilege separation' for details) # Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y #CONFIG_PRIVSEP=y
@ -386,7 +411,7 @@ CONFIG_IEEE80211R=y
# This tracks use of memory allocations and other registrations and reports # This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location. # incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y #CONFIG_WPA_TRACE=y
# For BSD, comment out these. # For BSD, uncomment these.
#LIBS += -lexecinfo #LIBS += -lexecinfo
#LIBS_p += -lexecinfo #LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo #LIBS_c += -lexecinfo
@ -395,12 +420,174 @@ CONFIG_IEEE80211R=y
# This enables use of libbfd to get more detailed symbols for the backtraces # This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y. # generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y #CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these. # For BSD, uncomment these.
#LIBS += -lbfd -liberty -lz #LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz #LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz #LIBS_c += -lbfd -liberty -lz
# wpa_supplicant depends on strong random number generation being available
# from the operating system. os_get_random() function is used to fetch random
# data when needed, e.g., for key generation. On Linux and BSD systems, this
# works by reading /dev/urandom. It should be noted that the OS entropy pool
# needs to be properly initialized before wpa_supplicant is started. This is
# important especially on embedded devices that do not have a hardware random
# number generator and may by default start up with minimal entropy available
# for random number generation.
#
# As a safety net, wpa_supplicant is by default trying to internally collect
# additional entropy for generating random data to mix in with the data fetched
# from the OS. This by itself is not considered to be very strong, but it may
# help in cases where the system pool is not initialized properly. However, it
# is very strongly recommended that the system pool is initialized with enough
# entropy either by using hardware assisted random number generator or by
# storing state over device reboots.
#
# wpa_supplicant can be configured to maintain its own entropy store over
# restarts to enhance random number generation. This is not perfect, but it is
# much more secure than using the same sequence of random numbers after every
# reboot. This can be enabled with -e<entropy file> command line option. The
# specified file needs to be readable and writable by wpa_supplicant.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal wpa_supplicant random pool can be
# disabled. This will save some in binary size and CPU use. However, this
# should only be considered for builds that are known to be used on devices
# that meet the requirements described above.
CONFIG_NO_RANDOM_POOL=y CONFIG_NO_RANDOM_POOL=y
NEED_80211_COMMON=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
#CONFIG_IEEE80211N=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
# (depends on CONFIG_IEEE80211N)
#CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
# external RADIUS server can be supported with hostapd.
#CONFIG_AP=y
# P2P (Wi-Fi Direct)
# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
# more information on P2P operations.
#CONFIG_P2P=y
# Enable TDLS support
#CONFIG_TDLS=y
# Wi-Fi Direct
# This can be used to enable Wi-Fi Direct extensions for P2P using an external
# program to control the additional information exchanges in the messages.
#CONFIG_WIFI_DISPLAY=y
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
#CONFIG_AUTOSCAN_EXPONENTIAL=y
# For periodic module:
#CONFIG_AUTOSCAN_PERIODIC=y
# Password (and passphrase, etc.) backend for external storage
# These optional mechanisms can be used to add support for storing passwords
# and other secrets in external (to wpa_supplicant) location. This allows, for
# example, operating system specific key storage to be used
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# OS X builds. This is only for building eapol_test.
#CONFIG_OSX=y
# Automatic Channel Selection
# This will allow wpa_supplicant to pick the channel automatically when channel
# is set to "0".
#
# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
# to "channel=0". This would enable us to eventually add other ACS algorithms in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
# a newly to create wpa_supplicant.conf variable acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
CONFIG_IBSS_RSN=y CONFIG_IBSS_RSN=y
# External PMKSA cache control
# This can be used to enable control interface commands that allow the current
# PMKSA cache entries to be fetched and new entries to be added.
#CONFIG_PMKSA_CACHE_EXTERNAL=y
# Mesh Networking (IEEE 802.11s)
#CONFIG_MESH=y
# Background scanning modules
# These can be used to request wpa_supplicant to perform background scanning
# operations for roaming within an ESS (same SSID). See the bgscan parameter in
# the wpa_supplicant.conf file for more details.
# Periodic background scans based on signal strength
#CONFIG_BGSCAN_SIMPLE=y
# Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
#CONFIG_BGSCAN_LEARN=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y

394
package/network/services/hostapd/files/wpa_supplicant-mini.config
View File

@ -1,9 +1,9 @@
# Example wpa_supplicant build time configuration # Example wpa_supplicant build time configuration
# #
# This file lists the configuration options that are used when building the # This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option # wpa_supplicant binary. All lines starting with # are ignored. Configuration
# lines must be commented out complete, if they are not to be included, i.e., # option lines must be commented out complete, if they are not to be included,
# just setting VARIABLE=n is not disabling that variable. # i.e., just setting VARIABLE=n is not disabling that variable.
# #
# This file is included in Makefile, so variables like CFLAGS and LIBS can also # This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not # be modified from here. In most cases, these lines should use += in order not
@ -20,63 +20,33 @@
# used to fix build issues on such systems (krb5.h not found). # used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos #CFLAGS += -I/usr/include/kerberos
# Example configuration for various cross-compilation platforms
#### sveasoft (e.g., for Linksys WRT54G) ######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
###############################################################################
#### openwrt (e.g., for Linksys WRT54G) #######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
# -I../WRT54GS/release/src/include
#LIBS = -lssl
###############################################################################
# Driver interface for Host AP driver
#CONFIG_DRIVER_HOSTAP=y
# Driver interface for Agere driver
#CONFIG_DRIVER_HERMES=y
# Change include directories to match with the local setup
#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
#CFLAGS += -I../../include/wireless
# Driver interface for ndiswrapper
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_NDISWRAPPER=y
# Driver interface for Atmel driver
# CONFIG_DRIVER_ATMEL=y
# Driver interface for old Broadcom driver
# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
# Linux wireless extensions and does not need (or even work) with the old
# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
#CONFIG_DRIVER_BROADCOM=y
# Example path for wlioctl.h; change to match your configuration
#CFLAGS += -I/opt/WRT54GS/release/src/include
# Driver interface for Intel ipw2100/2200 driver
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_IPW=y
# Driver interface for Ralink driver
#CONFIG_DRIVER_RALINK=y
# Driver interface for generic Linux wireless extensions # Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
# replacement for WEXT and its use allows wpa_supplicant to properly control
# the driver to improve existing functionality like roaming and to support new
# functionality.
CONFIG_DRIVER_WEXT=y CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface # Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y #CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include #CFLAGS += -I/usr/local/include
@ -100,14 +70,6 @@ CONFIG_DRIVER_NL80211=y
# wpa_supplicant. # wpa_supplicant.
# CONFIG_USE_NDISUIO=y # CONFIG_USE_NDISUIO=y
# Driver interface for development testing
#CONFIG_DRIVER_TEST=y
# Include client MLME (management frame processing) for test driver
# This can be used to test MLME operations in hostapd with the test interface.
# space.
#CONFIG_CLIENT_MLME=y
# Driver interface for wired Ethernet drivers # Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
@ -117,37 +79,40 @@ CONFIG_DRIVER_WIRED=y
# Driver interface for no driver (e.g., WPS ER only) # Driver interface for no driver (e.g., WPS ER only)
#CONFIG_DRIVER_NONE=y #CONFIG_DRIVER_NONE=y
# Solaris libraries
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is # Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included) # included)
# CONFIG_IEEE8021X_EAPOL=y #CONFIG_IEEE8021X_EAPOL=y
# EAP-MD5 # EAP-MD5
# CONFIG_EAP_MD5=y #CONFIG_EAP_MD5=y
# EAP-MSCHAPv2 # EAP-MSCHAPv2
# CONFIG_EAP_MSCHAPV2=y #CONFIG_EAP_MSCHAPV2=y
# EAP-TLS # EAP-TLS
# CONFIG_EAP_TLS=y #CONFIG_EAP_TLS=y
# EAL-PEAP # EAL-PEAP
# CONFIG_EAP_PEAP=y #CONFIG_EAP_PEAP=y
# EAP-TTLS # EAP-TTLS
# CONFIG_EAP_TTLS=y #CONFIG_EAP_TTLS=y
# EAP-FAST # EAP-FAST
# Note: Default OpenSSL package does not include support for all the # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch) # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
# to add the needed functions.
#CONFIG_EAP_FAST=y #CONFIG_EAP_FAST=y
# EAP-GTC # EAP-GTC
# CONFIG_EAP_GTC=y #CONFIG_EAP_GTC=y
# EAP-OTP # EAP-OTP
# CONFIG_EAP_OTP=y #CONFIG_EAP_OTP=y
# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used) # EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
#CONFIG_EAP_SIM=y #CONFIG_EAP_SIM=y
@ -155,11 +120,14 @@ CONFIG_DRIVER_WIRED=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK) # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y #CONFIG_EAP_PSK=y
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
# EAP-PAX # EAP-PAX
#CONFIG_EAP_PAX=y #CONFIG_EAP_PAX=y
# LEAP # LEAP
# CONFIG_EAP_LEAP=y #CONFIG_EAP_LEAP=y
# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used) # EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
#CONFIG_EAP_AKA=y #CONFIG_EAP_AKA=y
@ -184,29 +152,48 @@ CONFIG_DRIVER_WIRED=y
# Wi-Fi Protected Setup (WPS) # Wi-Fi Protected Setup (WPS)
#CONFIG_WPS=y #CONFIG_WPS=y
# Enable WPS external registrar functionality
#CONFIG_WPS_ER=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
#CONFIG_WPS_REG_DISABLE_OPEN=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2 # EAP-IKEv2
#CONFIG_EAP_IKEV2=y #CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
# CONFIG_PKCS12=y #CONFIG_PKCS12=y
# Smartcard support (i.e., private key on a smartcard), e.g., with openssl # Smartcard support (i.e., private key on a smartcard), e.g., with openssl
# engine. # engine.
# CONFIG_SMARTCARD=y #CONFIG_SMARTCARD=y
# PC/SC interface for smartcards (USIM, GSM SIM) # PC/SC interface for smartcards (USIM, GSM SIM)
# Enable this if EAP-SIM or EAP-AKA is included # Enable this if EAP-SIM or EAP-AKA is included
#CONFIG_PCSC=y #CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
#CONFIG_HT_OVERRIDES=y
# Support VHT overrides (disable VHT, mask MCS rates, etc.)
#CONFIG_VHT_OVERRIDES=y
# Development testing # Development testing
#CONFIG_EAPOL_TEST=y #CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli: # Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD) # unix = UNIX domain sockets (default for Linux/*BSD)
# udp = UDP sockets using localhost (127.0.0.1) # udp = UDP sockets using localhost (127.0.0.1)
# udp6 = UDP IPv6 sockets using localhost (::1)
# named_pipe = Windows Named Pipe (default for Windows) # named_pipe = Windows Named Pipe (default for Windows)
# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
# y = use default (backwards compatibility) # y = use default (backwards compatibility)
# If this option is commented out, control interface is not included in the # If this option is commented out, control interface is not included in the
# build. # build.
@ -218,6 +205,10 @@ CONFIG_CTRL_IFACE=y
# the resulting binary. # the resulting binary.
#CONFIG_READLINE=y #CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout. # Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably # This can be used to reduce the size of the wpa_supplicant considerably
# if debugging code is not needed. The size reduction can be around 35% # if debugging code is not needed. The size reduction can be around 35%
@ -228,11 +219,6 @@ CONFIG_CTRL_IFACE=y
# 35-50 kB in code size. # 35-50 kB in code size.
#CONFIG_NO_WPA=y #CONFIG_NO_WPA=y
# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
# save about 1 kB in code size when building only WPA-Personal (no EAP support)
# or 6 kB if building for WPA-Enterprise.
#CONFIG_NO_WPA2=y
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for # This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the # converting ASCII passphrases into PSK. If this functionality is removed, the
@ -267,7 +253,7 @@ CONFIG_BACKEND=file
# main_none = Very basic example (development use only) # main_none = Very basic example (development use only)
#CONFIG_MAIN=main #CONFIG_MAIN=main
# Select wrapper for operatins system and C library specific functions # Select wrapper for operating system and C library specific functions
# unix = UNIX/POSIX like systems (default) # unix = UNIX/POSIX like systems (default)
# win32 = Windows systems # win32 = Windows systems
# none = Empty template # none = Empty template
@ -276,9 +262,17 @@ CONFIG_BACKEND=file
# Select event loop implementation # Select event loop implementation
# eloop = select() loop (default) # eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop # eloop_win = Windows events and WaitForMultipleObject() loop
# eloop_none = Empty template
#CONFIG_ELOOP=eloop #CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select layer 2 packet implementation # Select layer 2 packet implementation
# linux = Linux packet socket (default) # linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap # pcap = libpcap/libdnet/WinPcap
@ -288,29 +282,44 @@ CONFIG_BACKEND=file
# none = Empty template # none = Empty template
#CONFIG_L2_PACKET=linux #CONFIG_L2_PACKET=linux
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) # Disable Linux packet socket workaround applicable for station interface
# CONFIG_PEERKEY=y # in a bridge for EAPOL frames. This should be uncommented only if the kernel
# is known to not have the regression issue in packet socket behavior with
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# IEEE 802.11w (management frame protection) # PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
# This version is an experimental implementation based on IEEE 802.11w/D1.0 #CONFIG_PEERKEY=y
# draft and is subject to change since the standard has not yet been finalized.
# IEEE 802.11w (management frame protection), also known as PMF
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
#CONFIG_IEEE80211W=y #CONFIG_IEEE80211W=y
# Select TLS implementation # Select TLS implementation
# openssl = OpenSSL (default) # openssl = OpenSSL (default)
# gnutls = GnuTLS (needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA) # gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental) # internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template # none = Empty template
CONFIG_TLS=internal CONFIG_TLS=internal
# Whether to enable TLS/IA support, which is required for EAP-TTLSv1. # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# You need CONFIG_TLS=gnutls for this to have any effect. Please note that # can be enabled to get a stronger construction of messages when block ciphers
# even though the core GnuTLS library is released under LGPL, this extra # are used. It should be noted that some existing TLS v1.0 -based
# library uses GPL and as such, the terms of GPL apply to the combination # implementation may not be compatible with TLS v1.1 message (ClientHello is
# of wpa_supplicant and GnuTLS if this option is enabled. BSD license may not # sent prior to negotiating which version will be used)
# apply for distribution of the resulting binary. #CONFIG_TLSV11=y
#CONFIG_GNUTLS_EXTRA=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
# noted that some existing TLS v1.0 -based implementation may not be compatible
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
# will be used)
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are # If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of # needed for LibTomMath. Alternatively, an integrated, minimal version of
@ -366,12 +375,31 @@ CONFIG_TLS=internal
# amount of memory/flash. # amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y #CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
#CONFIG_IEEE80211R=y #CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y #CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
#CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Add support for writing debug log to Android logcat instead of standard
# output
#CONFIG_ANDROID_LOG=y
# Enable privilege separation (see README 'Privilege separation' for details) # Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y #CONFIG_PRIVSEP=y
@ -383,7 +411,7 @@ CONFIG_TLS=internal
# This tracks use of memory allocations and other registrations and reports # This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location. # incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y #CONFIG_WPA_TRACE=y
# For BSD, comment out these. # For BSD, uncomment these.
#LIBS += -lexecinfo #LIBS += -lexecinfo
#LIBS_p += -lexecinfo #LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo #LIBS_c += -lexecinfo
@ -392,10 +420,174 @@ CONFIG_TLS=internal
# This enables use of libbfd to get more detailed symbols for the backtraces # This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y. # generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y #CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these. # For BSD, uncomment these.
#LIBS += -lbfd -liberty -lz #LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz #LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz #LIBS_c += -lbfd -liberty -lz
# wpa_supplicant depends on strong random number generation being available
# from the operating system. os_get_random() function is used to fetch random
# data when needed, e.g., for key generation. On Linux and BSD systems, this
# works by reading /dev/urandom. It should be noted that the OS entropy pool
# needs to be properly initialized before wpa_supplicant is started. This is
# important especially on embedded devices that do not have a hardware random
# number generator and may by default start up with minimal entropy available
# for random number generation.
#
# As a safety net, wpa_supplicant is by default trying to internally collect
# additional entropy for generating random data to mix in with the data fetched
# from the OS. This by itself is not considered to be very strong, but it may
# help in cases where the system pool is not initialized properly. However, it
# is very strongly recommended that the system pool is initialized with enough
# entropy either by using hardware assisted random number generator or by
# storing state over device reboots.
#
# wpa_supplicant can be configured to maintain its own entropy store over
# restarts to enhance random number generation. This is not perfect, but it is
# much more secure than using the same sequence of random numbers after every
# reboot. This can be enabled with -e<entropy file> command line option. The
# specified file needs to be readable and writable by wpa_supplicant.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal wpa_supplicant random pool can be
# disabled. This will save some in binary size and CPU use. However, this
# should only be considered for builds that are known to be used on devices
# that meet the requirements described above.
CONFIG_NO_RANDOM_POOL=y CONFIG_NO_RANDOM_POOL=y
NEED_80211_COMMON=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
#CONFIG_IEEE80211N=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
# (depends on CONFIG_IEEE80211N)
#CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
# external RADIUS server can be supported with hostapd.
#CONFIG_AP=y
# P2P (Wi-Fi Direct)
# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
# more information on P2P operations.
#CONFIG_P2P=y
# Enable TDLS support
#CONFIG_TDLS=y
# Wi-Fi Direct
# This can be used to enable Wi-Fi Direct extensions for P2P using an external
# program to control the additional information exchanges in the messages.
#CONFIG_WIFI_DISPLAY=y
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
#CONFIG_AUTOSCAN_EXPONENTIAL=y
# For periodic module:
#CONFIG_AUTOSCAN_PERIODIC=y
# Password (and passphrase, etc.) backend for external storage
# These optional mechanisms can be used to add support for storing passwords
# and other secrets in external (to wpa_supplicant) location. This allows, for
# example, operating system specific key storage to be used
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# OS X builds. This is only for building eapol_test.
#CONFIG_OSX=y
# Automatic Channel Selection
# This will allow wpa_supplicant to pick the channel automatically when channel
# is set to "0".
#
# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
# to "channel=0". This would enable us to eventually add other ACS algorithms in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
# a newly to create wpa_supplicant.conf variable acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
#CONFIG_IBSS_RSN=y
# External PMKSA cache control
# This can be used to enable control interface commands that allow the current
# PMKSA cache entries to be fetched and new entries to be added.
#CONFIG_PMKSA_CACHE_EXTERNAL=y
# Mesh Networking (IEEE 802.11s)
#CONFIG_MESH=y
# Background scanning modules
# These can be used to request wpa_supplicant to perform background scanning
# operations for roaming within an ESS (same SSID). See the bgscan parameter in
# the wpa_supplicant.conf file for more details.
# Periodic background scans based on signal strength
#CONFIG_BGSCAN_SIMPLE=y
# Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
#CONFIG_BGSCAN_LEARN=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y

369
package/network/services/hostapd/files/wpa_supplicant-p2p.config
View File

@ -1,9 +1,9 @@
# Example wpa_supplicant build time configuration # Example wpa_supplicant build time configuration
# #
# This file lists the configuration options that are used when building the # This file lists the configuration options that are used when building the
# hostapd binary. All lines starting with # are ignored. Configuration option # wpa_supplicant binary. All lines starting with # are ignored. Configuration
# lines must be commented out complete, if they are not to be included, i.e., # option lines must be commented out complete, if they are not to be included,
# just setting VARIABLE=n is not disabling that variable. # i.e., just setting VARIABLE=n is not disabling that variable.
# #
# This file is included in Makefile, so variables like CFLAGS and LIBS can also # This file is included in Makefile, so variables like CFLAGS and LIBS can also
# be modified from here. In most cases, these lines should use += in order not # be modified from here. In most cases, these lines should use += in order not
@ -20,63 +20,33 @@
# used to fix build issues on such systems (krb5.h not found). # used to fix build issues on such systems (krb5.h not found).
#CFLAGS += -I/usr/include/kerberos #CFLAGS += -I/usr/include/kerberos
# Example configuration for various cross-compilation platforms
#### sveasoft (e.g., for Linksys WRT54G) ######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
###############################################################################
#### openwrt (e.g., for Linksys WRT54G) #######################################
#CC=mipsel-uclibc-gcc
#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
#CFLAGS += -Os
#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
# -I../WRT54GS/release/src/include
#LIBS = -lssl
###############################################################################
# Driver interface for Host AP driver
#CONFIG_DRIVER_HOSTAP=y
# Driver interface for Agere driver
#CONFIG_DRIVER_HERMES=y
# Change include directories to match with the local setup
#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
#CFLAGS += -I../../include/wireless
# Driver interface for ndiswrapper
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_NDISWRAPPER=y
# Driver interface for Atmel driver
# CONFIG_DRIVER_ATMEL=y
# Driver interface for old Broadcom driver
# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
# Linux wireless extensions and does not need (or even work) with the old
# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
#CONFIG_DRIVER_BROADCOM=y
# Example path for wlioctl.h; change to match your configuration
#CFLAGS += -I/opt/WRT54GS/release/src/include
# Driver interface for Intel ipw2100/2200 driver
# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
#CONFIG_DRIVER_IPW=y
# Driver interface for Ralink driver
#CONFIG_DRIVER_RALINK=y
# Driver interface for generic Linux wireless extensions # Driver interface for generic Linux wireless extensions
# Note: WEXT is deprecated in the current Linux kernel version and no new
# functionality is added to it. nl80211-based interface is the new
# replacement for WEXT and its use allows wpa_supplicant to properly control
# the driver to improve existing functionality like roaming and to support new
# functionality.
CONFIG_DRIVER_WEXT=y CONFIG_DRIVER_WEXT=y
# Driver interface for Linux drivers using the nl80211 kernel interface # Driver interface for Linux drivers using the nl80211 kernel interface
CONFIG_DRIVER_NL80211=y CONFIG_DRIVER_NL80211=y
# QCA vendor extensions to nl80211
#CONFIG_DRIVER_NL80211_QCA=y
# driver_nl80211.c requires libnl. If you are compiling it yourself
# you may need to point hostapd to your version of libnl.
#
#CFLAGS += -I$<path to libnl include files>
#LIBS += -L$<path to libnl library files>
# Use libnl v2.0 (or 3.0) libraries.
#CONFIG_LIBNL20=y
# Use libnl 3.2 libraries (if this is selected, CONFIG_LIBNL20 is ignored)
#CONFIG_LIBNL32=y
# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver) # Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
#CONFIG_DRIVER_BSD=y #CONFIG_DRIVER_BSD=y
#CFLAGS += -I/usr/local/include #CFLAGS += -I/usr/local/include
@ -100,14 +70,6 @@ CONFIG_DRIVER_NL80211=y
# wpa_supplicant. # wpa_supplicant.
# CONFIG_USE_NDISUIO=y # CONFIG_USE_NDISUIO=y
# Driver interface for development testing
#CONFIG_DRIVER_TEST=y
# Include client MLME (management frame processing) for test driver
# This can be used to test MLME operations in hostapd with the test interface.
# space.
#CONFIG_CLIENT_MLME=y
# Driver interface for wired Ethernet drivers # Driver interface for wired Ethernet drivers
CONFIG_DRIVER_WIRED=y CONFIG_DRIVER_WIRED=y
@ -117,6 +79,10 @@ CONFIG_DRIVER_WIRED=y
# Driver interface for no driver (e.g., WPS ER only) # Driver interface for no driver (e.g., WPS ER only)
#CONFIG_DRIVER_NONE=y #CONFIG_DRIVER_NONE=y
# Solaris libraries
#LIBS += -lsocket -ldlpi -lnsl
#LIBS_c += -lsocket
# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is # Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
# included) # included)
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
@ -137,11 +103,10 @@ CONFIG_EAP_PEAP=y
CONFIG_EAP_TTLS=y CONFIG_EAP_TTLS=y
# EAP-FAST # EAP-FAST
# Note: Default OpenSSL package does not include support for all the # Note: If OpenSSL is used as the TLS library, OpenSSL 1.0 or newer is needed
# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL, # for EAP-FAST support. Older OpenSSL releases would need to be patched, e.g.,
# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch) # with openssl-0.9.8x-tls-extensions.patch, to add the needed functions.
# to add the needed functions. CONFIG_EAP_FAST=y
#CONFIG_EAP_FAST=y
# EAP-GTC # EAP-GTC
CONFIG_EAP_GTC=y CONFIG_EAP_GTC=y
@ -155,6 +120,9 @@ CONFIG_EAP_OTP=y
# EAP-PSK (experimental; this is _not_ needed for WPA-PSK) # EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
#CONFIG_EAP_PSK=y #CONFIG_EAP_PSK=y
# EAP-pwd (secure authentication using only a password)
#CONFIG_EAP_PWD=y
# EAP-PAX # EAP-PAX
#CONFIG_EAP_PAX=y #CONFIG_EAP_PAX=y
@ -184,10 +152,20 @@ CONFIG_EAP_LEAP=y
# Wi-Fi Protected Setup (WPS) # Wi-Fi Protected Setup (WPS)
CONFIG_WPS=y CONFIG_WPS=y
# Enable WPS external registrar functionality
#CONFIG_WPS_ER=y
# Disable credentials for an open network by default when acting as a WPS
# registrar.
#CONFIG_WPS_REG_DISABLE_OPEN=y
# Enable WPS support with NFC config method
#CONFIG_WPS_NFC=y
# EAP-IKEv2 # EAP-IKEv2
#CONFIG_EAP_IKEV2=y #CONFIG_EAP_IKEV2=y
# EAP-EKE
#CONFIG_EAP_EKE=y
# PKCS#12 (PFX) support (used to read private key and certificate file from # PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx) # a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y CONFIG_PKCS12=y
@ -200,13 +178,22 @@ CONFIG_SMARTCARD=y
# Enable this if EAP-SIM or EAP-AKA is included # Enable this if EAP-SIM or EAP-AKA is included
#CONFIG_PCSC=y #CONFIG_PCSC=y
# Support HT overrides (disable HT/HT40, mask MCS rates, etc.)
#CONFIG_HT_OVERRIDES=y
# Support VHT overrides (disable VHT, mask MCS rates, etc.)
#CONFIG_VHT_OVERRIDES=y
# Development testing # Development testing
#CONFIG_EAPOL_TEST=y #CONFIG_EAPOL_TEST=y
# Select control interface backend for external programs, e.g, wpa_cli: # Select control interface backend for external programs, e.g, wpa_cli:
# unix = UNIX domain sockets (default for Linux/*BSD) # unix = UNIX domain sockets (default for Linux/*BSD)
# udp = UDP sockets using localhost (127.0.0.1) # udp = UDP sockets using localhost (127.0.0.1)
# udp6 = UDP IPv6 sockets using localhost (::1)
# named_pipe = Windows Named Pipe (default for Windows) # named_pipe = Windows Named Pipe (default for Windows)
# udp-remote = UDP sockets with remote access (only for tests systems/purpose)
# udp6-remote = UDP IPv6 sockets with remote access (only for tests purpose)
# y = use default (backwards compatibility) # y = use default (backwards compatibility)
# If this option is commented out, control interface is not included in the # If this option is commented out, control interface is not included in the
# build. # build.
@ -218,6 +205,10 @@ CONFIG_CTRL_IFACE=y
# the resulting binary. # the resulting binary.
#CONFIG_READLINE=y #CONFIG_READLINE=y
# Include internal line edit mode in wpa_cli. This can be used as a replacement
# for GNU Readline to provide limited command line editing and history support.
#CONFIG_WPA_CLI_EDIT=y
# Remove debugging code that is printing out debug message to stdout. # Remove debugging code that is printing out debug message to stdout.
# This can be used to reduce the size of the wpa_supplicant considerably # This can be used to reduce the size of the wpa_supplicant considerably
# if debugging code is not needed. The size reduction can be around 35% # if debugging code is not needed. The size reduction can be around 35%
@ -228,11 +219,6 @@ CONFIG_CTRL_IFACE=y
# 35-50 kB in code size. # 35-50 kB in code size.
#CONFIG_NO_WPA=y #CONFIG_NO_WPA=y
# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
# save about 1 kB in code size when building only WPA-Personal (no EAP support)
# or 6 kB if building for WPA-Enterprise.
#CONFIG_NO_WPA2=y
# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support # Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
# This option can be used to reduce code size by removing support for # This option can be used to reduce code size by removing support for
# converting ASCII passphrases into PSK. If this functionality is removed, the # converting ASCII passphrases into PSK. If this functionality is removed, the
@ -267,7 +253,7 @@ CONFIG_BACKEND=file
# main_none = Very basic example (development use only) # main_none = Very basic example (development use only)
#CONFIG_MAIN=main #CONFIG_MAIN=main
# Select wrapper for operatins system and C library specific functions # Select wrapper for operating system and C library specific functions
# unix = UNIX/POSIX like systems (default) # unix = UNIX/POSIX like systems (default)
# win32 = Windows systems # win32 = Windows systems
# none = Empty template # none = Empty template
@ -276,9 +262,17 @@ CONFIG_BACKEND=file
# Select event loop implementation # Select event loop implementation
# eloop = select() loop (default) # eloop = select() loop (default)
# eloop_win = Windows events and WaitForMultipleObject() loop # eloop_win = Windows events and WaitForMultipleObject() loop
# eloop_none = Empty template
#CONFIG_ELOOP=eloop #CONFIG_ELOOP=eloop
# Should we use poll instead of select? Select is used by default.
#CONFIG_ELOOP_POLL=y
# Should we use epoll instead of select? Select is used by default.
#CONFIG_ELOOP_EPOLL=y
# Should we use kqueue instead of select? Select is used by default.
#CONFIG_ELOOP_KQUEUE=y
# Select layer 2 packet implementation # Select layer 2 packet implementation
# linux = Linux packet socket (default) # linux = Linux packet socket (default)
# pcap = libpcap/libdnet/WinPcap # pcap = libpcap/libdnet/WinPcap
@ -288,29 +282,44 @@ CONFIG_BACKEND=file
# none = Empty template # none = Empty template
#CONFIG_L2_PACKET=linux #CONFIG_L2_PACKET=linux
# Disable Linux packet socket workaround applicable for station interface
# in a bridge for EAPOL frames. This should be uncommented only if the kernel
# is known to not have the regression issue in packet socket behavior with
# bridge interfaces (commit 'bridge: respect RFC2863 operational state')').
#CONFIG_NO_LINUX_PACKET_SOCKET_WAR=y
# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS) # PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
CONFIG_PEERKEY=y CONFIG_PEERKEY=y
# IEEE 802.11w (management frame protection) # IEEE 802.11w (management frame protection), also known as PMF
# This version is an experimental implementation based on IEEE 802.11w/D1.0
# draft and is subject to change since the standard has not yet been finalized.
# Driver support is also needed for IEEE 802.11w. # Driver support is also needed for IEEE 802.11w.
CONFIG_IEEE80211W=y CONFIG_IEEE80211W=y
# Select TLS implementation # Select TLS implementation
# openssl = OpenSSL (default) # openssl = OpenSSL (default)
# gnutls = GnuTLS (needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA) # gnutls = GnuTLS
# internal = Internal TLSv1 implementation (experimental) # internal = Internal TLSv1 implementation (experimental)
# linux = Linux kernel AF_ALG and internal TLSv1 implementation (experimental)
# none = Empty template # none = Empty template
CONFIG_TLS=internal CONFIG_TLS=internal
# Whether to enable TLS/IA support, which is required for EAP-TTLSv1. # TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.1)
# You need CONFIG_TLS=gnutls for this to have any effect. Please note that # can be enabled to get a stronger construction of messages when block ciphers
# even though the core GnuTLS library is released under LGPL, this extra # are used. It should be noted that some existing TLS v1.0 -based
# library uses GPL and as such, the terms of GPL apply to the combination # implementation may not be compatible with TLS v1.1 message (ClientHello is
# of wpa_supplicant and GnuTLS if this option is enabled. BSD license may not # sent prior to negotiating which version will be used)
# apply for distribution of the resulting binary. #CONFIG_TLSV11=y
#CONFIG_GNUTLS_EXTRA=y
# TLS-based EAP methods require at least TLS v1.0. Newer version of TLS (v1.2)
# can be enabled to enable use of stronger crypto algorithms. It should be
# noted that some existing TLS v1.0 -based implementation may not be compatible
# with TLS v1.2 message (ClientHello is sent prior to negotiating which version
# will be used)
#CONFIG_TLSV12=y
# Select which ciphers to use by default with OpenSSL if the user does not
# specify them.
#CONFIG_TLS_DEFAULT_CIPHERS="DEFAULT:!EXP:!LOW"
# If CONFIG_TLS=internal is used, additional library and include paths are # If CONFIG_TLS=internal is used, additional library and include paths are
# needed for LibTomMath. Alternatively, an integrated, minimal version of # needed for LibTomMath. Alternatively, an integrated, minimal version of
@ -366,12 +375,31 @@ CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# amount of memory/flash. # amount of memory/flash.
#CONFIG_DYNAMIC_EAP_METHODS=y #CONFIG_DYNAMIC_EAP_METHODS=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) # IEEE Std 802.11r-2008 (Fast BSS Transition) for station mode
#CONFIG_IEEE80211R=y #CONFIG_IEEE80211R=y
# IEEE Std 802.11r-2008 (Fast BSS Transition) for AP mode (implies
# CONFIG_IEEE80211R).
#CONFIG_IEEE80211R_AP=y
# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt) # Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
#CONFIG_DEBUG_FILE=y #CONFIG_DEBUG_FILE=y
# Send debug messages to syslog instead of stdout
#CONFIG_DEBUG_SYSLOG=y
# Set syslog facility for debug messages
#CONFIG_DEBUG_SYSLOG_FACILITY=LOG_DAEMON
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
# same file, e.g., using trace-cmd.
#CONFIG_DEBUG_LINUX_TRACING=y
# Add support for writing debug log to Android logcat instead of standard
# output
#CONFIG_ANDROID_LOG=y
# Enable privilege separation (see README 'Privilege separation' for details) # Enable privilege separation (see README 'Privilege separation' for details)
#CONFIG_PRIVSEP=y #CONFIG_PRIVSEP=y
@ -383,7 +411,7 @@ CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# This tracks use of memory allocations and other registrations and reports # This tracks use of memory allocations and other registrations and reports
# incorrect use with a backtrace of call (or allocation) location. # incorrect use with a backtrace of call (or allocation) location.
#CONFIG_WPA_TRACE=y #CONFIG_WPA_TRACE=y
# For BSD, comment out these. # For BSD, uncomment these.
#LIBS += -lexecinfo #LIBS += -lexecinfo
#LIBS_p += -lexecinfo #LIBS_p += -lexecinfo
#LIBS_c += -lexecinfo #LIBS_c += -lexecinfo
@ -392,15 +420,174 @@ CONFIG_INTERNAL_LIBTOMMATH_FAST=y
# This enables use of libbfd to get more detailed symbols for the backtraces # This enables use of libbfd to get more detailed symbols for the backtraces
# generated by CONFIG_WPA_TRACE=y. # generated by CONFIG_WPA_TRACE=y.
#CONFIG_WPA_TRACE_BFD=y #CONFIG_WPA_TRACE_BFD=y
# For BSD, comment out these. # For BSD, uncomment these.
#LIBS += -lbfd -liberty -lz #LIBS += -lbfd -liberty -lz
#LIBS_p += -lbfd -liberty -lz #LIBS_p += -lbfd -liberty -lz
#LIBS_c += -lbfd -liberty -lz #LIBS_c += -lbfd -liberty -lz
# wpa_supplicant depends on strong random number generation being available
# from the operating system. os_get_random() function is used to fetch random
# data when needed, e.g., for key generation. On Linux and BSD systems, this
# works by reading /dev/urandom. It should be noted that the OS entropy pool
# needs to be properly initialized before wpa_supplicant is started. This is
# important especially on embedded devices that do not have a hardware random
# number generator and may by default start up with minimal entropy available
# for random number generation.
#
# As a safety net, wpa_supplicant is by default trying to internally collect
# additional entropy for generating random data to mix in with the data fetched
# from the OS. This by itself is not considered to be very strong, but it may
# help in cases where the system pool is not initialized properly. However, it
# is very strongly recommended that the system pool is initialized with enough
# entropy either by using hardware assisted random number generator or by
# storing state over device reboots.
#
# wpa_supplicant can be configured to maintain its own entropy store over
# restarts to enhance random number generation. This is not perfect, but it is
# much more secure than using the same sequence of random numbers after every
# reboot. This can be enabled with -e<entropy file> command line option. The
# specified file needs to be readable and writable by wpa_supplicant.
#
# If the os_get_random() is known to provide strong random data (e.g., on
# Linux/BSD, the board in question is known to have reliable source of random
# data from /dev/urandom), the internal wpa_supplicant random pool can be
# disabled. This will save some in binary size and CPU use. However, this
# should only be considered for builds that are known to be used on devices
# that meet the requirements described above.
CONFIG_NO_RANDOM_POOL=y CONFIG_NO_RANDOM_POOL=y
NEED_80211_COMMON=y
# IEEE 802.11n (High Throughput) support (mainly for AP mode)
#CONFIG_IEEE80211N=y
# IEEE 802.11ac (Very High Throughput) support (mainly for AP mode)
# (depends on CONFIG_IEEE80211N)
#CONFIG_IEEE80211AC=y
# Wireless Network Management (IEEE Std 802.11v-2011)
# Note: This is experimental and not complete implementation.
#CONFIG_WNM=y
# Interworking (IEEE 802.11u)
# This can be used to enable functionality to improve interworking with
# external networks (GAS/ANQP to learn more about the networks and network
# selection based on available credentials).
#CONFIG_INTERWORKING=y
# Hotspot 2.0
#CONFIG_HS20=y
# Enable interface matching in wpa_supplicant
#CONFIG_MATCH_IFACE=y
# Disable roaming in wpa_supplicant
#CONFIG_NO_ROAMING=y
# AP mode operations with wpa_supplicant
# This can be used for controlling AP mode operations with wpa_supplicant. It
# should be noted that this is mainly aimed at simple cases like
# WPA2-Personal while more complex configurations like WPA2-Enterprise with an
# external RADIUS server can be supported with hostapd.
CONFIG_AP=y
# P2P (Wi-Fi Direct)
# This can be used to enable P2P support in wpa_supplicant. See README-P2P for
# more information on P2P operations.
CONFIG_P2P=y
# Enable TDLS support
#CONFIG_TDLS=y
# Wi-Fi Direct
# This can be used to enable Wi-Fi Direct extensions for P2P using an external
# program to control the additional information exchanges in the messages.
#CONFIG_WIFI_DISPLAY=y
# Autoscan
# This can be used to enable automatic scan support in wpa_supplicant.
# See wpa_supplicant.conf for more information on autoscan usage.
#
# Enabling directly a module will enable autoscan support.
# For exponential module:
#CONFIG_AUTOSCAN_EXPONENTIAL=y
# For periodic module:
#CONFIG_AUTOSCAN_PERIODIC=y
# Password (and passphrase, etc.) backend for external storage
# These optional mechanisms can be used to add support for storing passwords
# and other secrets in external (to wpa_supplicant) location. This allows, for
# example, operating system specific key storage to be used
#
# External password backend for testing purposes (developer use)
#CONFIG_EXT_PASSWORD_TEST=y
# Enable Fast Session Transfer (FST)
#CONFIG_FST=y
# Enable CLI commands for FST testing
#CONFIG_FST_TEST=y
# OS X builds. This is only for building eapol_test.
#CONFIG_OSX=y
# Automatic Channel Selection
# This will allow wpa_supplicant to pick the channel automatically when channel
# is set to "0".
#
# TODO: Extend parser to be able to parse "channel=acs_survey" as an alternative
# to "channel=0". This would enable us to eventually add other ACS algorithms in
# similar way.
#
# Automatic selection is currently only done through initialization, later on
# we hope to do background checks to keep us moving to more ideal channels as
# time goes by. ACS is currently only supported through the nl80211 driver and
# your driver must have survey dump capability that is filled by the driver
# during scanning.
#
# TODO: In analogy to hostapd be able to customize the ACS survey algorithm with
# a newly to create wpa_supplicant.conf variable acs_num_scans.
#
# Supported ACS drivers:
# * ath9k
# * ath5k
# * ath10k
#
# For more details refer to:
# http://wireless.kernel.org/en/users/Documentation/acs
#CONFIG_ACS=y
# Support Multi Band Operation
#CONFIG_MBO=y
# Fast Initial Link Setup (FILS) (IEEE 802.11ai)
# Note: This is an experimental and not yet complete implementation. This
# should not be enabled for production use.
#CONFIG_FILS=y
# FILS shared key authentication with PFS
#CONFIG_FILS_SK_PFS=y
# Support RSN on IBSS networks
# This is needed to be able to use mode=1 network profile with proto=RSN and
# key_mgmt=WPA-PSK (i.e., full key management instead of WPA-None).
CONFIG_IBSS_RSN=y CONFIG_IBSS_RSN=y
CONFIG_P2P=y # External PMKSA cache control
CONFIG_AP=y # This can be used to enable control interface commands that allow the current
# PMKSA cache entries to be fetched and new entries to be added.
#CONFIG_PMKSA_CACHE_EXTERNAL=y
# Mesh Networking (IEEE 802.11s)
#CONFIG_MESH=y
# Background scanning modules
# These can be used to request wpa_supplicant to perform background scanning
# operations for roaming within an ESS (same SSID). See the bgscan parameter in
# the wpa_supplicant.conf file for more details.
# Periodic background scans based on signal strength
#CONFIG_BGSCAN_SIMPLE=y
# Learn channels used by the network and try to avoid bgscans on other
# channels (experimental)
#CONFIG_BGSCAN_LEARN=y
# Opportunistic Wireless Encryption (OWE)
# Experimental implementation of draft-harkins-owe-07.txt
#CONFIG_OWE=y

154
package/network/services/hostapd/patches/000-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch Normal file
View File

@ -0,0 +1,154 @@
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Fri, 14 Jul 2017 15:15:35 +0200
Subject: [PATCH] hostapd: Avoid key reinstallation in FT handshake
Do not reinstall TK to the driver during Reassociation Response frame
processing if the first attempt of setting the TK succeeded. This avoids
issues related to clearing the TX/RX PN that could result in reusing
same PN values for transmitted frames (e.g., due to CCM nonce reuse and
also hitting replay protection on the receiver) and accepting replayed
frames on RX side.
This issue was introduced by the commit
0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
authenticator') which allowed wpa_ft_install_ptk() to be called multiple
times with the same PTK. While the second configuration attempt is
needed with some drivers, it must be done only if the first attempt
failed.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2522,6 +2522,7 @@ static int add_associated_sta(struct hos
{
struct ieee80211_ht_capabilities ht_cap;
struct ieee80211_vht_capabilities vht_cap;
+ int set = 1;
/*
* Remove the STA entry to ensure the STA PS state gets cleared and
@@ -2529,9 +2530,18 @@ static int add_associated_sta(struct hos
* FT-over-the-DS, where a station re-associates back to the same AP but
* skips the authentication flow, or if working with a driver that
* does not support full AP client state.
+ *
+ * Skip this if the STA has already completed FT reassociation and the
+ * TK has been configured since the TX/RX PN must not be reset to 0 for
+ * the same key.
*/
- if (!sta->added_unassoc)
+ if (!sta->added_unassoc &&
+ (!(sta->flags & WLAN_STA_AUTHORIZED) ||
+ !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
hostapd_drv_sta_remove(hapd, sta->addr);
+ wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
+ set = 0;
+ }
#ifdef CONFIG_IEEE80211N
if (sta->flags & WLAN_STA_HT)
@@ -2554,11 +2564,11 @@ static int add_associated_sta(struct hos
sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
sta->vht_opmode, sta->p2p_ie ? 1 : 0,
- sta->added_unassoc)) {
+ set)) {
hostapd_logger(hapd, sta->addr,
HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
"Could not %s STA to kernel driver",
- sta->added_unassoc ? "set" : "add");
+ set ? "set" : "add");
if (sta->added_unassoc) {
hostapd_drv_sta_remove(hapd, sta->addr);
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1783,6 +1783,9 @@ int wpa_auth_sm_event(struct wpa_state_m
#else /* CONFIG_FILS */
break;
#endif /* CONFIG_FILS */
+ case WPA_DRV_STA_REMOVED:
+ sm->tk_already_set = FALSE;
+ return 0;
}
#ifdef CONFIG_IEEE80211R_AP
@@ -3922,6 +3925,14 @@ int wpa_auth_sta_wpa_version(struct wpa_
}
+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
+{
+ if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
+ return 0;
+ return sm->tk_already_set;
+}
+
+
int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
struct rsn_pmksa_cache_entry *entry)
{
--- a/src/ap/wpa_auth.h
+++ b/src/ap/wpa_auth.h
@@ -300,7 +300,7 @@ void wpa_receive(struct wpa_authenticato
u8 *data, size_t data_len);
enum wpa_event {
WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
- WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS
+ WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_ASSOC_FILS, WPA_DRV_STA_REMOVED
};
void wpa_remove_ptk(struct wpa_state_machine *sm);
int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
@@ -313,6 +313,7 @@ int wpa_auth_pairwise_set(struct wpa_sta
int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
+int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
struct rsn_pmksa_cache_entry *entry);
struct rsn_pmksa_cache_entry *
--- a/src/ap/wpa_auth_ft.c
+++ b/src/ap/wpa_auth_ft.c
@@ -1937,6 +1937,14 @@ void wpa_ft_install_ptk(struct wpa_state
return;
}
+ if (sm->tk_already_set) {
+ /* Must avoid TK reconfiguration to prevent clearing of TX/RX
+ * PN in the driver */
+ wpa_printf(MSG_DEBUG,
+ "FT: Do not re-install same PTK to the driver");
+ return;
+ }
+
/* FIX: add STA entry to kernel/driver here? The set_key will fail
* most likely without this.. At the moment, STA entry is added only
* after association has been completed. This function will be called
@@ -1949,6 +1957,7 @@ void wpa_ft_install_ptk(struct wpa_state
/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
sm->pairwise_set = TRUE;
+ sm->tk_already_set = TRUE;
}
@@ -2152,6 +2161,7 @@ static int wpa_ft_process_auth_req(struc
sm->pairwise = pairwise;
sm->PTK_valid = TRUE;
+ sm->tk_already_set = FALSE;
wpa_ft_install_ptk(sm);
buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
--- a/src/ap/wpa_auth_i.h
+++ b/src/ap/wpa_auth_i.h
@@ -61,6 +61,7 @@ struct wpa_state_machine {
struct wpa_ptk PTK;
Boolean PTK_valid;
Boolean pairwise_set;
+ Boolean tk_already_set;
int keycount;
Boolean Pair;
struct wpa_key_replay_counter {

83
package/network/services/hostapd/patches/001-Fix-race-condition-between-AssocResp-callback-and-4a.patch
View File

@ -1,83 +0,0 @@
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 20 Dec 2016 01:30:09 +0200
Subject: [PATCH] Fix race condition between AssocResp callback and 4addr event
It is apparently possible for the NL80211_CMD_UNEXPECTED_4ADDR_FRAME
event to be delivered to hostapd before the NL80211_CMD_FRAME_TX_STATUS
event for (Re)Association Response frame. This resulted in the 4-address
WDS mode not getting enabled for a STA. This could occur in particular
when operating under heavy load and the STA is reconnecting to the same
AP in a sequence where Deauthentication frame is followed immediately by
Authentication frame and the driver event processing gets delayed due to
removal of the previous netdev taking time in the middle of this
sequence.
Fix this by recording a pending item for 4-address WDS enabling if the
NL80211_CMD_UNEXPECTED_4ADDR_FRAME event would have been dropped due to
incompleted association and then process this pending item if the TX
status for the (Re)Association Response frame is received and it shows
that the frame was acknowledged.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2634,6 +2634,8 @@ static void handle_assoc(struct hostapd_
taxonomy_sta_info_assoc_req(hapd, sta, pos, left);
#endif /* CONFIG_TAXONOMY */
+ sta->pending_wds_enable = 0;
+
fail:
/*
* In case of a successful response, add the station to the driver.
@@ -3248,6 +3250,14 @@ static void handle_assoc_cb(struct hosta
hostapd_set_sta_flags(hapd, sta);
+ if (!(sta->flags & WLAN_STA_WDS) && sta->pending_wds_enable) {
+ wpa_printf(MSG_DEBUG, "Enable 4-address WDS mode for STA "
+ MACSTR " based on pending request",
+ MAC2STR(sta->addr));
+ sta->pending_wds_enable = 0;
+ sta->flags |= WLAN_STA_WDS;
+ }
+
if (sta->flags & WLAN_STA_WDS) {
int ret;
char ifname_wds[IFNAMSIZ + 1];
@@ -3512,10 +3522,22 @@ void ieee802_11_rx_from_unknown(struct h
struct sta_info *sta;
sta = ap_get_sta(hapd, src);
- if (sta && (sta->flags & WLAN_STA_ASSOC)) {
+ if (sta &&
+ ((sta->flags & WLAN_STA_ASSOC) ||
+ ((sta->flags & WLAN_STA_ASSOC_REQ_OK) && wds))) {
if (!hapd->conf->wds_sta)
return;
+ if ((sta->flags & (WLAN_STA_ASSOC | WLAN_STA_ASSOC_REQ_OK)) ==
+ WLAN_STA_ASSOC_REQ_OK) {
+ wpa_printf(MSG_DEBUG,
+ "Postpone 4-address WDS mode enabling for STA "
+ MACSTR " since TX status for AssocResp is not yet known",
+ MAC2STR(sta->addr));
+ sta->pending_wds_enable = 1;
+ return;
+ }
+
if (wds && !(sta->flags & WLAN_STA_WDS)) {
int ret;
char ifname_wds[IFNAMSIZ + 1];
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -115,6 +115,7 @@ struct sta_info {
unsigned int radius_das_match:1;
unsigned int ecsa_supported:1;
unsigned int added_unassoc:1;
+ unsigned int pending_wds_enable:1;
u16 auth_alg;

244
package/network/services/hostapd/patches/001-Prevent-reinstallation-of-an-already-in-use-group-ke.patch Normal file
View File

@ -0,0 +1,244 @@
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Wed, 12 Jul 2017 16:03:24 +0200
Subject: [PATCH] Prevent reinstallation of an already in-use group key
Track the current GTK and IGTK that is in use and when receiving a
(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
not install the given key if it is already in use. This prevents an
attacker from trying to trick the client into resetting or lowering the
sequence counter associated to the group key.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -218,6 +218,17 @@ struct wpa_ptk {
size_t tk_len;
};
+struct wpa_gtk {
+ u8 gtk[WPA_GTK_MAX_LEN];
+ size_t gtk_len;
+};
+
+#ifdef CONFIG_IEEE80211W
+struct wpa_igtk {
+ u8 igtk[WPA_IGTK_MAX_LEN];
+ size_t igtk_len;
+};
+#endif /* CONFIG_IEEE80211W */
/* WPA IE version 1
* 00-50-f2:1 (OUI:OUI type)
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -800,6 +800,15 @@ static int wpa_supplicant_install_gtk(st
const u8 *_gtk = gd->gtk;
u8 gtk_buf[32];
+ /* Detect possible key reinstallation */
+ if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+ gd->keyidx, gd->tx, gd->gtk_len);
+ return 0;
+ }
+
wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
@@ -834,6 +843,9 @@ static int wpa_supplicant_install_gtk(st
}
os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ sm->gtk.gtk_len = gd->gtk_len;
+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
+
return 0;
}
@@ -940,6 +952,48 @@ static int wpa_supplicant_pairwise_gtk(s
}
+#ifdef CONFIG_IEEE80211W
+static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+ const struct wpa_igtk_kde *igtk)
+{
+ size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ u16 keyidx = WPA_GET_LE16(igtk->keyid);
+
+ /* Detect possible key reinstallation */
+ if (sm->igtk.igtk_len == len &&
+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+ keyidx);
+ return 0;
+ }
+
+ wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
+ keyidx, MAC2STR(igtk->pn));
+ wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
+ if (keyidx > 4095) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ "WPA: Invalid IGTK KeyID %d", keyidx);
+ return -1;
+ }
+ if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+ broadcast_ether_addr,
+ keyidx, 0, igtk->pn, sizeof(igtk->pn),
+ igtk->igtk, len) < 0) {
+ wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ "WPA: Failed to configure IGTK to the driver");
+ return -1;
+ }
+
+ sm->igtk.igtk_len = len;
+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
+
+ return 0;
+}
+#endif /* CONFIG_IEEE80211W */
+
+
static int ieee80211w_set_keys(struct wpa_sm *sm,
struct wpa_eapol_ie_parse *ie)
{
@@ -950,30 +1004,14 @@ static int ieee80211w_set_keys(struct wp
if (ie->igtk) {
size_t len;
const struct wpa_igtk_kde *igtk;
- u16 keyidx;
+
len = wpa_cipher_key_len(sm->mgmt_group_cipher);
if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
return -1;
+
igtk = (const struct wpa_igtk_kde *) ie->igtk;
- keyidx = WPA_GET_LE16(igtk->keyid);
- wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
- "pn %02x%02x%02x%02x%02x%02x",
- keyidx, MAC2STR(igtk->pn));
- wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
- igtk->igtk, len);
- if (keyidx > 4095) {
- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
- "WPA: Invalid IGTK KeyID %d", keyidx);
+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
return -1;
- }
- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
- broadcast_ether_addr,
- keyidx, 0, igtk->pn, sizeof(igtk->pn),
- igtk->igtk, len) < 0) {
- wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
- "WPA: Failed to configure IGTK to the driver");
- return -1;
- }
}
return 0;
@@ -2491,7 +2529,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
*/
void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
{
- int clear_ptk = 1;
+ int clear_keys = 1;
if (sm == NULL)
return;
@@ -2517,7 +2555,7 @@ void wpa_sm_notify_assoc(struct wpa_sm *
/* Prepare for the next transition */
wpa_ft_prepare_auth_request(sm, NULL);
- clear_ptk = 0;
+ clear_keys = 0;
}
#endif /* CONFIG_IEEE80211R */
#ifdef CONFIG_FILS
@@ -2527,11 +2565,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *
* AUTHENTICATED state to get the EAPOL port Authorized.
*/
wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
- clear_ptk = 0;
+ clear_keys = 0;
}
#endif /* CONFIG_FILS */
- if (clear_ptk) {
+ if (clear_keys) {
/*
* IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
* this is not part of a Fast BSS Transition.
@@ -2541,6 +2579,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *
os_memset(&sm->ptk, 0, sizeof(sm->ptk));
sm->tptk_set = 0;
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
+#ifdef CONFIG_IEEE80211W
+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
+#endif /* CONFIG_IEEE80211W */
}
#ifdef CONFIG_TDLS
@@ -3117,6 +3159,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
os_memset(sm->pmk, 0, sizeof(sm->pmk));
os_memset(&sm->ptk, 0, sizeof(sm->ptk));
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ os_memset(&sm->gtk, 0, sizeof(sm->gtk));
+#ifdef CONFIG_IEEE80211W
+ os_memset(&sm->igtk, 0, sizeof(sm->igtk));
+#endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_IEEE80211R
os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
@@ -3189,29 +3235,11 @@ int wpa_wnmsleep_install_key(struct wpa_
os_memset(&gd, 0, sizeof(gd));
#ifdef CONFIG_IEEE80211W
} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
- struct wpa_igtk_kde igd;
- u16 keyidx;
+ const struct wpa_igtk_kde *igtk;
- os_memset(&igd, 0, sizeof(igd));
- keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
- os_memcpy(igd.keyid, buf + 2, 2);
- os_memcpy(igd.pn, buf + 4, 6);
-
- keyidx = WPA_GET_LE16(igd.keyid);
- os_memcpy(igd.igtk, buf + 10, keylen);
-
- wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
- igd.igtk, keylen);
- if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
- broadcast_ether_addr,
- keyidx, 0, igd.pn, sizeof(igd.pn),
- igd.igtk, keylen) < 0) {
- wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
- "WNM mode");
- os_memset(&igd, 0, sizeof(igd));
+ igtk = (const struct wpa_igtk_kde *) (buf + 2);
+ if (wpa_supplicant_install_igtk(sm, igtk) < 0)
return -1;
- }
- os_memset(&igd, 0, sizeof(igd));
#endif /* CONFIG_IEEE80211W */
} else {
wpa_printf(MSG_DEBUG, "Unknown element id");
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -31,6 +31,10 @@ struct wpa_sm {
u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
int rx_replay_counter_set;
u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+ struct wpa_gtk gtk;
+#ifdef CONFIG_IEEE80211W
+ struct wpa_igtk igtk;
+#endif /* CONFIG_IEEE80211W */
struct eapol_sm *eapol; /* EAPOL state machine from upper level code */

182
package/network/services/hostapd/patches/002-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch Normal file
View File

@ -0,0 +1,182 @@
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Oct 2017 12:12:24 +0300
Subject: [PATCH] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
Mode cases
This extends the protection to track last configured GTK/IGTK value
separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
corner case where these two different mechanisms may get used when the
GTK/IGTK has changed and tracking a single value is not sufficient to
detect a possible key reconfiguration.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -795,14 +795,17 @@ struct wpa_gtk_data {
static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
const struct wpa_gtk_data *gd,
- const u8 *key_rsc)
+ const u8 *key_rsc, int wnm_sleep)
{
const u8 *_gtk = gd->gtk;
u8 gtk_buf[32];
/* Detect possible key reinstallation */
- if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
- os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
+ if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+ os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
+ (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
+ os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
+ sm->gtk_wnm_sleep.gtk_len) == 0)) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
gd->keyidx, gd->tx, gd->gtk_len);
@@ -843,8 +846,14 @@ static int wpa_supplicant_install_gtk(st
}
os_memset(gtk_buf, 0, sizeof(gtk_buf));
- sm->gtk.gtk_len = gd->gtk_len;
- os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
+ if (wnm_sleep) {
+ sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
+ os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
+ sm->gtk_wnm_sleep.gtk_len);
+ } else {
+ sm->gtk.gtk_len = gd->gtk_len;
+ os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
+ }
return 0;
}
@@ -938,7 +947,7 @@ static int wpa_supplicant_pairwise_gtk(s
(wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
gtk_len, gtk_len,
&gd.key_rsc_len, &gd.alg) ||
- wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
+ wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"RSN: Failed to install GTK");
os_memset(&gd, 0, sizeof(gd));
@@ -954,14 +963,18 @@ static int wpa_supplicant_pairwise_gtk(s
#ifdef CONFIG_IEEE80211W
static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
- const struct wpa_igtk_kde *igtk)
+ const struct wpa_igtk_kde *igtk,
+ int wnm_sleep)
{
size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
u16 keyidx = WPA_GET_LE16(igtk->keyid);
/* Detect possible key reinstallation */
- if (sm->igtk.igtk_len == len &&
- os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
+ if ((sm->igtk.igtk_len == len &&
+ os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
+ (sm->igtk_wnm_sleep.igtk_len == len &&
+ os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
+ sm->igtk_wnm_sleep.igtk_len) == 0)) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
keyidx);
@@ -986,8 +999,14 @@ static int wpa_supplicant_install_igtk(s
return -1;
}
- sm->igtk.igtk_len = len;
- os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
+ if (wnm_sleep) {
+ sm->igtk_wnm_sleep.igtk_len = len;
+ os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
+ sm->igtk_wnm_sleep.igtk_len);
+ } else {
+ sm->igtk.igtk_len = len;
+ os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
+ }
return 0;
}
@@ -1010,7 +1029,7 @@ static int ieee80211w_set_keys(struct wp
return -1;
igtk = (const struct wpa_igtk_kde *) ie->igtk;
- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
return -1;
}
@@ -1659,7 +1678,7 @@ static void wpa_supplicant_process_1_of_
if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
key_rsc = null_rsc;
- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
goto failed;
os_memset(&gd, 0, sizeof(gd));
@@ -2580,8 +2599,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *
sm->tptk_set = 0;
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
os_memset(&sm->gtk, 0, sizeof(sm->gtk));
+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
#ifdef CONFIG_IEEE80211W
os_memset(&sm->igtk, 0, sizeof(sm->igtk));
+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
#endif /* CONFIG_IEEE80211W */
}
@@ -3160,8 +3181,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
os_memset(&sm->ptk, 0, sizeof(sm->ptk));
os_memset(&sm->tptk, 0, sizeof(sm->tptk));
os_memset(&sm->gtk, 0, sizeof(sm->gtk));
+ os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
#ifdef CONFIG_IEEE80211W
os_memset(&sm->igtk, 0, sizeof(sm->igtk));
+ os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
#endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_IEEE80211R
os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
@@ -3226,7 +3249,7 @@ int wpa_wnmsleep_install_key(struct wpa_
wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
gd.gtk, gd.gtk_len);
- if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
+ if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
os_memset(&gd, 0, sizeof(gd));
wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
"WNM mode");
@@ -3238,7 +3261,7 @@ int wpa_wnmsleep_install_key(struct wpa_
const struct wpa_igtk_kde *igtk;
igtk = (const struct wpa_igtk_kde *) (buf + 2);
- if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
return -1;
#endif /* CONFIG_IEEE80211W */
} else {
@@ -4121,7 +4144,7 @@ int fils_process_assoc_resp(struct wpa_s
os_memcpy(gd.gtk, kde.gtk + 2, kde.gtk_len - 2);
wpa_printf(MSG_DEBUG, "FILS: Set GTK to driver");
- if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery) < 0) {
+ if (wpa_supplicant_install_gtk(sm, &gd, elems.key_delivery, 0) < 0) {
wpa_printf(MSG_DEBUG, "FILS: Failed to set GTK");
goto fail;
}
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -32,8 +32,10 @@ struct wpa_sm {
int rx_replay_counter_set;
u8 request_counter[WPA_REPLAY_COUNTER_LEN];
struct wpa_gtk gtk;
+ struct wpa_gtk gtk_wnm_sleep;
#ifdef CONFIG_IEEE80211W
struct wpa_igtk igtk;
+ struct wpa_igtk igtk_wnm_sleep;
#endif /* CONFIG_IEEE80211W */
struct eapol_sm *eapol; /* EAPOL state machine from upper level code */

36
package/network/services/hostapd/patches/002-Fix-duplicate-Reassociation-Request-frame-dropping.patch
View File

@ -1,36 +0,0 @@
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Sat, 14 Jan 2017 01:04:31 +0200
Subject: [PATCH] Fix duplicate Reassociation Request frame dropping
Relational operators (==) have higher precedence than the ternary
conditional in C. The last_subtype check for association/reassociation
was broken due to incorrect assumption about the precedence. Fix this by
adding parenthesis around the ternary conditional.
The previous implementation worked for Association Request frames by
accident since WLAN_FC_STYPE_ASSOC_REQ happens to have value 0 and when
the last receive frame was an Association Request frame, the
sta->last_subtype == reassoc check was true and non-zero
WLAN_FC_STYPE_REASSOC_REQ was interpreted as true. However, this was
broken for Reassociation Request frame. reassoc == 1 in that case could
have matched received Association Response frame (subtype == 1), but
those are not received in AP mode and as such, this did not break other
behavior apart from not being able to drop duplicated Reassociation
Request frames.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -2485,8 +2485,8 @@ static void handle_assoc(struct hostapd_
if ((fc & WLAN_FC_RETRY) &&
sta->last_seq_ctrl != WLAN_INVALID_MGMT_SEQ &&
sta->last_seq_ctrl == seq_ctrl &&
- sta->last_subtype == reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
- WLAN_FC_STYPE_ASSOC_REQ) {
+ sta->last_subtype == (reassoc ? WLAN_FC_STYPE_REASSOC_REQ :
+ WLAN_FC_STYPE_ASSOC_REQ)) {
hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
HOSTAPD_LEVEL_DEBUG,
"Drop repeated association frame seq_ctrl=0x%x",

73
package/network/services/hostapd/patches/003-Prevent-installation-of-an-all-zero-TK.patch Normal file
View File

@ -0,0 +1,73 @@
From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
Date: Fri, 29 Sep 2017 04:22:51 +0200
Subject: [PATCH] Prevent installation of an all-zero TK
Properly track whether a PTK has already been installed to the driver
and the TK part cleared from memory. This prevents an attacker from
trying to trick the client into installing an all-zero TK.
This fixes the earlier fix in commit
ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
driver in EAPOL-Key 3/4 retry case') which did not take into account
possibility of an extra message 1/4 showing up between retries of
message 3/4.
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
---
--- a/src/common/wpa_common.h
+++ b/src/common/wpa_common.h
@@ -216,6 +216,7 @@ struct wpa_ptk {
size_t kck_len;
size_t kek_len;
size_t tk_len;
+ int installed; /* 1 if key has already been installed to driver */
};
struct wpa_gtk {
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -594,7 +594,6 @@ static void wpa_supplicant_process_1_of_
os_memset(buf, 0, sizeof(buf));
}
sm->tptk_set = 1;
- sm->tk_to_set = 1;
kde = sm->assoc_wpa_ie;
kde_len = sm->assoc_wpa_ie_len;
@@ -701,7 +700,7 @@ static int wpa_supplicant_install_ptk(st
enum wpa_alg alg;
const u8 *key_rsc;
- if (!sm->tk_to_set) {
+ if (sm->ptk.installed) {
wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
"WPA: Do not re-install same PTK to the driver");
return 0;
@@ -745,7 +744,7 @@ static int wpa_supplicant_install_ptk(st
/* TK is not needed anymore in supplicant */
os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
- sm->tk_to_set = 0;
+ sm->ptk.installed = 1;
if (sm->wpa_ptk_rekey) {
eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
@@ -4172,6 +4171,7 @@ int fils_process_assoc_resp(struct wpa_s
* takes care of association frame encryption/decryption. */
/* TK is not needed anymore in supplicant */
os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+ sm->ptk.installed = 1;
/* FILS HLP Container */
fils_process_hlp_container(sm, ie_start, end - ie_start);
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -24,7 +24,6 @@ struct wpa_sm {
struct wpa_ptk ptk, tptk;
int ptk_set, tptk_set;
unsigned int msg_3_of_4_ok:1;
- unsigned int tk_to_set:1;
u8 snonce[WPA_NONCE_LEN];
u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
int renew_snonce;

40
package/network/services/hostapd/patches/003-RSN-IBSS-Fix-TK-clearing-on-Authentication-frame-RX.patch
View File

@ -1,40 +0,0 @@
From: Jouni Malinen <j@w1.fi>
Date: Sat, 14 Jan 2017 13:56:18 +0200
Subject: [PATCH] RSN IBSS: Fix TK clearing on Authentication frame RX
When wpa_supplicant was processing a received Authentication frame (seq
1) from a peer STA for which there was already a TK configured to the
driver, debug log claimed that the PTK gets cleared, but the actual
call to clear the key was actually dropped due to AUTH vs. SUPP set_key
selection. Fix this by explicitly clearing the TK in case it was set
and an Authentication frame (seq 1) is received.
This fixes some cases where EAPOL-Key frames were sent encrypted using
the old key when a peer STA restarted itself and lost the key and had to
re-join the IBSS. Previously, that state required timing out the 4-way
handshake and Deauthentication frame exchange to recover.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
--- a/wpa_supplicant/ibss_rsn.c
+++ b/wpa_supplicant/ibss_rsn.c
@@ -838,6 +838,18 @@ static void ibss_rsn_handle_auth_1_of_2(
MAC2STR(addr));
if (peer &&
+ peer->authentication_status & (IBSS_RSN_SET_PTK_SUPP |
+ IBSS_RSN_SET_PTK_AUTH)) {
+ /* Clear the TK for this pair to allow recovery from the case
+ * where the peer STA has restarted and lost its key while we
+ * still have a pairwise key configured. */
+ wpa_printf(MSG_DEBUG, "RSN: Clear pairwise key for peer "
+ MACSTR, MAC2STR(addr));
+ wpa_drv_set_key(ibss_rsn->wpa_s, WPA_ALG_NONE, addr, 0, 0,
+ NULL, 0, NULL, 0);
+ }
+
+ if (peer &&
peer->authentication_status & IBSS_RSN_AUTH_EAPOL_BY_PEER) {
if (peer->own_auth_tx.sec) {
struct os_reltime now, diff;

56
package/network/services/hostapd/patches/004-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch Normal file
View File

@ -0,0 +1,56 @@
From: Jouni Malinen <j@w1.fi>
Date: Sun, 1 Oct 2017 12:32:57 +0300
Subject: [PATCH] Fix PTK rekeying to generate a new ANonce
The Authenticator state machine path for PTK rekeying ended up bypassing
the AUTHENTICATION2 state where a new ANonce is generated when going
directly to the PTKSTART state since there is no need to try to
determine the PMK again in such a case. This is far from ideal since the
new PTK would depend on a new nonce only from the supplicant.
Fix this by generating a new ANonce when moving to the PTKSTART state
for the purpose of starting new 4-way handshake to rekey PTK.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1951,6 +1951,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
}
+static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
+{
+ if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
+ wpa_printf(MSG_ERROR,
+ "WPA: Failed to get random data for ANonce");
+ sm->Disconnect = TRUE;
+ return -1;
+ }
+ wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
+ WPA_NONCE_LEN);
+ sm->TimeoutCtr = 0;
+ return 0;
+}
+
+
SM_STATE(WPA_PTK, INITPMK)
{
u8 msk[2 * PMK_LEN];
@@ -3116,9 +3131,12 @@ SM_STEP(WPA_PTK)
SM_ENTER(WPA_PTK, AUTHENTICATION);
else if (sm->ReAuthenticationRequest)
SM_ENTER(WPA_PTK, AUTHENTICATION2);
- else if (sm->PTKRequest)
- SM_ENTER(WPA_PTK, PTKSTART);
- else switch (sm->wpa_ptk_state) {
+ else if (sm->PTKRequest) {
+ if (wpa_auth_sm_ptk_update(sm) < 0)
+ SM_ENTER(WPA_PTK, DISCONNECTED);
+ else
+ SM_ENTER(WPA_PTK, PTKSTART);
+ } else switch (sm->wpa_ptk_state) {
case WPA_PTK_INITIALIZE:
break;
case WPA_PTK_DISCONNECT:

145
package/network/services/hostapd/patches/004-hostapd-Add-possibility-to-send-debug-messages-to-sy.patch
View File

@ -1,145 +0,0 @@
From cc3dae85bd694506cdea66ae532d452fb8716297 Mon Sep 17 00:00:00 2001
From: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
Date: Mon, 23 Jan 2017 13:55:04 +0100
Subject: [PATCH] hostapd: Add possibility to send debug messages to syslog
We can only send module specific messages to syslog and not debug
messages printed with wpa_printf. Add an extra command line parameter
'-s' to allow it. The feature is enabled with compile flag
CONFIG_DEBUG_SYSLOG as for wpa_supplicant and behaves in the same manner
as the wpa_supplicant -s command line argument.
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
---
hostapd/Android.mk | 4 ++++
hostapd/Makefile | 4 ++++
hostapd/defconfig | 3 +++
hostapd/main.c | 19 ++++++++++++++++++-
src/utils/wpa_debug.c | 2 +-
src/utils/wpa_debug.h | 3 +++
6 files changed, 33 insertions(+), 2 deletions(-)
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -952,6 +952,10 @@ ifdef CONFIG_NO_STDOUT_DEBUG
L_CFLAGS += -DCONFIG_NO_STDOUT_DEBUG
endif
+ifdef CONFIG_DEBUG_SYSLOG
+L_CFLAGS += -DCONFIG_DEBUG_SYSLOG
+endif
+
ifdef CONFIG_DEBUG_LINUX_TRACING
L_CFLAGS += -DCONFIG_DEBUG_LINUX_TRACING
endif
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -997,6 +997,10 @@ ifdef CONFIG_NO_STDOUT_DEBUG
CFLAGS += -DCONFIG_NO_STDOUT_DEBUG
endif
+ifdef CONFIG_DEBUG_SYSLOG
+CFLAGS += -DCONFIG_DEBUG_SYSLOG
+endif
+
ifdef CONFIG_DEBUG_LINUX_TRACING
CFLAGS += -DCONFIG_DEBUG_LINUX_TRACING
endif
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -166,6 +166,9 @@ CONFIG_IPV6=y
# Disabled by default.
#CONFIG_DEBUG_FILE=y
+# Send debug messages to syslog instead of stdout
+#CONFIG_DEBUG_SYSLOG=y
+
# Add support for sending all debug messages (regardless of debug verbosity)
# to the Linux kernel tracing facility. This helps debug the entire stack by
# making it easy to record everything happening from the driver up into the
--- a/hostapd/main.c
+++ b/hostapd/main.c
@@ -108,6 +108,10 @@ static void hostapd_logger_cb(void *ctx,
module_str ? module_str : "",
module_str ? ": " : "", txt);
+#ifdef CONFIG_DEBUG_SYSLOG
+ if (wpa_debug_syslog)
+ conf_stdout = 0;
+#endif /* CONFIG_DEBUG_SYSLOG */
if ((conf_stdout & module) && level >= conf_stdout_level) {
wpa_debug_print_timestamp();
wpa_printf(MSG_INFO, "%s", format);
@@ -484,6 +488,9 @@ static void usage(void)
" (records all messages regardless of debug verbosity)\n"
#endif /* CONFIG_DEBUG_LINUX_TRACING */
" -i list of interface names to use\n"
+#ifdef CONFIG_DEBUG_SYSLOG
+ " -s log output to syslog instead of stdout\n"
+#endif /* CONFIG_DEBUG_SYSLOG */
" -S start all the interfaces synchronously\n"
" -t include timestamps in some debug messages\n"
" -v show hostapd version\n");
@@ -661,7 +668,7 @@ int main(int argc, char *argv[])
dl_list_init(&interfaces.global_ctrl_dst);
for (;;) {
- c = getopt(argc, argv, "b:Bde:f:hi:KP:STtu:vg:G:");
+ c = getopt(argc, argv, "b:Bde:f:hi:KP:sSTtu:vg:G:");
if (c < 0)
break;
switch (c) {
@@ -718,6 +725,11 @@ int main(int argc, char *argv[])
bss_config = tmp_bss;
bss_config[num_bss_configs++] = optarg;
break;
+#ifdef CONFIG_DEBUG_SYSLOG
+ case 's':
+ wpa_debug_syslog = 1;
+ break;
+#endif /* CONFIG_DEBUG_SYSLOG */
case 'S':
start_ifaces_in_sync = 1;
break;
@@ -746,6 +758,10 @@ int main(int argc, char *argv[])
wpa_debug_open_file(log_file);
else
wpa_debug_setup_stdout();
+#ifdef CONFIG_DEBUG_SYSLOG
+ if (wpa_debug_syslog)
+ wpa_debug_open_syslog();
+#endif /* CONFIG_DEBUG_SYSLOG */
#ifdef CONFIG_DEBUG_LINUX_TRACING
if (enable_trace_dbg) {
int tret = wpa_debug_open_linux_tracing();
@@ -882,6 +898,7 @@ int main(int argc, char *argv[])
hostapd_global_deinit(pid_file, interfaces.eloop_initialized);
os_free(pid_file);
+ wpa_debug_close_syslog();
if (log_file)
wpa_debug_close_file();
wpa_debug_close_linux_tracing();
--- a/src/utils/wpa_debug.c
+++ b/src/utils/wpa_debug.c
@@ -13,7 +13,7 @@
#ifdef CONFIG_DEBUG_SYSLOG
#include <syslog.h>
-static int wpa_debug_syslog = 0;
+int wpa_debug_syslog = 0;
#endif /* CONFIG_DEBUG_SYSLOG */
#ifdef CONFIG_DEBUG_LINUX_TRACING
--- a/src/utils/wpa_debug.h
+++ b/src/utils/wpa_debug.h
@@ -14,6 +14,9 @@
extern int wpa_debug_level;
extern int wpa_debug_show_keys;
extern int wpa_debug_timestamp;
+#ifdef CONFIG_DEBUG_SYSLOG
+extern int wpa_debug_syslog;
+#endif /* CONFIG_DEBUG_SYSLOG */
/* Debugging function - conditional printf and hex dump. Driver wrappers can
* use these for debugging purposes. */

124
package/network/services/hostapd/patches/005-TDLS-Reject-TPK-TK-reconfiguration.patch Normal file
View File

@ -0,0 +1,124 @@
From: Jouni Malinen <j@w1.fi>
Date: Fri, 22 Sep 2017 11:03:15 +0300
Subject: [PATCH] TDLS: Reject TPK-TK reconfiguration
Do not try to reconfigure the same TPK-TK to the driver after it has
been successfully configured. This is an explicit check to avoid issues
related to resetting the TX/RX packet number. There was already a check
for this for TPK M2 (retries of that message are ignored completely), so
that behavior does not get modified.
For TPK M3, the TPK-TK could have been reconfigured, but that was
followed by immediate teardown of the link due to an issue in updating
the STA entry. Furthermore, for TDLS with any real security (i.e.,
ignoring open/WEP), the TPK message exchange is protected on the AP path
and simple replay attacks are not feasible.
As an additional corner case, make sure the local nonce gets updated if
the peer uses a very unlikely "random nonce" of all zeros.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
--- a/src/rsn_supp/tdls.c
+++ b/src/rsn_supp/tdls.c
@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
} tpk;
int tpk_set;
+ int tk_set; /* TPK-TK configured to the driver */
int tpk_success;
int tpk_in_progress;
@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_s
u8 rsc[6];
enum wpa_alg alg;
+ if (peer->tk_set) {
+ /*
+ * This same TPK-TK has already been configured to the driver
+ * and this new configuration attempt (likely due to an
+ * unexpected retransmitted frame) would result in clearing
+ * the TX/RX sequence number which can break security, so must
+ * not allow that to happen.
+ */
+ wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
+ " has already been configured to the driver - do not reconfigure",
+ MAC2STR(peer->addr));
+ return -1;
+ }
+
os_memset(rsc, 0, 6);
switch (peer->cipher) {
@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_s
return -1;
}
+ wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
+ MAC2STR(peer->addr));
if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
"driver");
return -1;
}
+ peer->tk_set = 1;
return 0;
}
@@ -695,7 +713,7 @@ static void wpa_tdls_peer_clear(struct w
peer->cipher = 0;
peer->qos_info = 0;
peer->wmm_capable = 0;
- peer->tpk_set = peer->tpk_success = 0;
+ peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
peer->chan_switch_enabled = 0;
os_memset(&peer->tpk, 0, sizeof(peer->tpk));
os_memset(peer->inonce, 0, WPA_NONCE_LEN);
@@ -1158,6 +1176,7 @@ skip_rsnie:
wpa_tdls_peer_free(sm, peer);
return -1;
}
+ peer->tk_set = 0; /* A new nonce results in a new TK */
wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
peer->inonce, WPA_NONCE_LEN);
os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct w
}
+static int tdls_nonce_set(const u8 *nonce)
+{
+ int i;
+
+ for (i = 0; i < WPA_NONCE_LEN; i++) {
+ if (nonce[i])
+ return 1;
+ }
+
+ return 0;
+}
+
+
static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
const u8 *buf, size_t len)
{
@@ -2004,7 +2036,8 @@ skip_rsn:
peer->rsnie_i_len = kde.rsn_ie_len;
peer->cipher = cipher;
- if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
+ if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
+ !tdls_nonce_set(peer->inonce)) {
/*
* There is no point in updating the RNonce for every obtained
* TPK M1 frame (e.g., retransmission due to timeout) with the
@@ -2020,6 +2053,7 @@ skip_rsn:
"TDLS: Failed to get random data for responder nonce");
goto error;
}
+ peer->tk_set = 0; /* A new nonce results in a new TK */
}
#if 0

35
package/network/services/hostapd/patches/006-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch Normal file
View File

@ -0,0 +1,35 @@
From: Jouni Malinen <j@w1.fi>
Date: Fri, 22 Sep 2017 11:25:02 +0300
Subject: [PATCH] WNM: Ignore WNM-Sleep Mode Response without pending
request
Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
Mode Response if WNM-Sleep Mode has not been used') started ignoring the
response when no WNM-Sleep Mode Request had been used during the
association. This can be made tighter by clearing the used flag when
successfully processing a response. This adds an additional layer of
protection against unexpected retransmissions of the response frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(
if (!wpa_s->wnmsleep_used) {
wpa_printf(MSG_DEBUG,
- "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
+ "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
return;
}
@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(
return;
}
+ wpa_s->wnmsleep_used = 0;
+
if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "

68
package/network/services/hostapd/patches/007-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch Normal file
View File

@ -0,0 +1,68 @@
From: Jouni Malinen <j@w1.fi>
Date: Fri, 22 Sep 2017 12:06:37 +0300
Subject: [PATCH] FT: Do not allow multiple Reassociation Response frames
The driver is expected to not report a second association event without
the station having explicitly request a new association. As such, this
case should not be reachable. However, since reconfiguring the same
pairwise or group keys to the driver could result in nonce reuse issues,
be extra careful here and do an additional state check to avoid this
even if the local driver ends up somehow accepting an unexpected
Reassociation Response frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
---
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2637,6 +2637,9 @@ void wpa_sm_notify_disassoc(struct wpa_s
#ifdef CONFIG_FILS
sm->fils_completed = 0;
#endif /* CONFIG_FILS */
+#ifdef CONFIG_IEEE80211R
+ sm->ft_reassoc_completed = 0;
+#endif /* CONFIG_IEEE80211R */
/* Keys are not needed in the WPA state machine anymore */
wpa_sm_drop_sa(sm);
--- a/src/rsn_supp/wpa_ft.c
+++ b/src/rsn_supp/wpa_ft.c
@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wp
u16 capab;
sm->ft_completed = 0;
+ sm->ft_reassoc_completed = 0;
buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
2 + sm->r0kh_id_len + ric_ies_len + 100;
@@ -687,6 +688,11 @@ int wpa_ft_validate_reassoc_resp(struct
return -1;
}
+ if (sm->ft_reassoc_completed) {
+ wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
+ return 0;
+ }
+
if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
return -1;
@@ -787,6 +793,8 @@ int wpa_ft_validate_reassoc_resp(struct
return -1;
}
+ sm->ft_reassoc_completed = 1;
+
if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
return -1;
--- a/src/rsn_supp/wpa_i.h
+++ b/src/rsn_supp/wpa_i.h
@@ -128,6 +128,7 @@ struct wpa_sm {
size_t r0kh_id_len;
u8 r1kh_id[FT_R1KH_ID_LEN];
int ft_completed;
+ int ft_reassoc_completed;
int over_the_ds_in_progress;
u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
int set_ptk_after_assoc;

2
package/network/services/hostapd/patches/100-daemonize_fix.patch
View File

@ -8,7 +8,7 @@
#ifdef ANDROID #ifdef ANDROID
#include <sys/capability.h> #include <sys/capability.h>
@@ -179,59 +180,46 @@ int os_gmtime(os_time_t t, struct os_tm @@ -182,59 +183,46 @@ int os_gmtime(os_time_t t, struct os_tm
return 0; return 0;
} }

2
package/network/services/hostapd/patches/110-no_eapol_fix.patch
View File

@ -1,6 +1,6 @@
--- a/wpa_supplicant/wpa_supplicant.c --- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -259,9 +259,10 @@ void wpa_supplicant_cancel_auth_timeout( @@ -265,9 +265,10 @@ void wpa_supplicant_cancel_auth_timeout(
*/ */
void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s) void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
{ {

2
package/network/services/hostapd/patches/120-disable_bridge_packet_workaround.patch
View File

@ -1,6 +1,6 @@
--- a/src/l2_packet/l2_packet_linux.c --- a/src/l2_packet/l2_packet_linux.c
+++ b/src/l2_packet/l2_packet_linux.c +++ b/src/l2_packet/l2_packet_linux.c
@@ -337,8 +337,7 @@ struct l2_packet_data * l2_packet_init_b @@ -340,8 +340,7 @@ struct l2_packet_data * l2_packet_init_b
l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback, l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback,
rx_callback_ctx, l2_hdr); rx_callback_ctx, l2_hdr);

57
package/network/services/hostapd/patches/200-multicall.patch
View File

@ -18,7 +18,7 @@
OBJS += ../src/ap/vlan_init.o OBJS += ../src/ap/vlan_init.o
OBJS += ../src/ap/vlan_ifconfig.o OBJS += ../src/ap/vlan_ifconfig.o
OBJS += ../src/ap/vlan.o OBJS += ../src/ap/vlan.o
@@ -330,10 +332,14 @@ CFLAGS += -DCONFIG_MBO @@ -354,10 +356,14 @@ CFLAGS += -DCONFIG_MBO
OBJS += ../src/ap/mbo_ap.o OBJS += ../src/ap/mbo_ap.o
endif endif
@ -36,7 +36,7 @@
LIBS += $(DRV_AP_LIBS) LIBS += $(DRV_AP_LIBS)
ifdef CONFIG_L2_PACKET ifdef CONFIG_L2_PACKET
@@ -1077,6 +1083,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR) @@ -1204,6 +1210,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
BCHECK=../src/drivers/build.hostapd BCHECK=../src/drivers/build.hostapd
@ -49,8 +49,8 @@
hostapd: $(BCHECK) $(OBJS) hostapd: $(BCHECK) $(OBJS)
$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS) $(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
@$(E) " LD " $@ @$(E) " LD " $@
@@ -1118,6 +1130,12 @@ HOBJS += ../src/crypto/aes-internal.o @@ -1248,6 +1260,12 @@ ifeq ($(CONFIG_TLS), linux)
HOBJS += ../src/crypto/aes-internal-enc.o HOBJS += ../src/crypto/crypto_linux.o
endif endif
+dump_cflags: +dump_cflags:
@ -72,7 +72,7 @@
ifndef CONFIG_NO_GITVER ifndef CONFIG_NO_GITVER
# Add VERSION_STR postfix for builds from a git repository # Add VERSION_STR postfix for builds from a git repository
@@ -329,7 +330,9 @@ endif @@ -357,7 +358,9 @@ endif
ifdef CONFIG_IBSS_RSN ifdef CONFIG_IBSS_RSN
NEED_RSN_AUTHENTICATOR=y NEED_RSN_AUTHENTICATOR=y
CFLAGS += -DCONFIG_IBSS_RSN CFLAGS += -DCONFIG_IBSS_RSN
@ -82,7 +82,7 @@
OBJS += ibss_rsn.o OBJS += ibss_rsn.o
endif endif
@@ -820,6 +823,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS @@ -861,6 +864,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS
LIBS += -ldl -rdynamic LIBS += -ldl -rdynamic
endif endif
@ -92,8 +92,8 @@
+ endif + endif
endif endif
ifdef CONFIG_MACSEC ifdef CONFIG_AP
@@ -840,9 +847,11 @@ NEED_EAP_COMMON=y @@ -868,9 +875,11 @@ NEED_EAP_COMMON=y
NEED_RSN_AUTHENTICATOR=y NEED_RSN_AUTHENTICATOR=y
CFLAGS += -DCONFIG_AP CFLAGS += -DCONFIG_AP
OBJS += ap.o OBJS += ap.o
@ -105,7 +105,7 @@
OBJS += ../src/ap/hostapd.o OBJS += ../src/ap/hostapd.o
OBJS += ../src/ap/wpa_auth_glue.o OBJS += ../src/ap/wpa_auth_glue.o
OBJS += ../src/ap/utils.o OBJS += ../src/ap/utils.o
@@ -910,6 +919,12 @@ endif @@ -952,6 +961,12 @@ endif
ifdef CONFIG_HS20 ifdef CONFIG_HS20
OBJS += ../src/ap/hs20.o OBJS += ../src/ap/hs20.o
endif endif
@ -118,7 +118,7 @@
endif endif
ifdef CONFIG_MBO ifdef CONFIG_MBO
@@ -918,7 +933,9 @@ CFLAGS += -DCONFIG_MBO @@ -960,7 +975,9 @@ CFLAGS += -DCONFIG_MBO
endif endif
ifdef NEED_RSN_AUTHENTICATOR ifdef NEED_RSN_AUTHENTICATOR
@ -128,7 +128,7 @@
NEED_AES_WRAP=y NEED_AES_WRAP=y
OBJS += ../src/ap/wpa_auth.o OBJS += ../src/ap/wpa_auth.o
OBJS += ../src/ap/wpa_auth_ie.o OBJS += ../src/ap/wpa_auth_ie.o
@@ -1706,6 +1723,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv) @@ -1835,6 +1852,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
$(OBJS_c) $(OBJS_t) $(OBJS_t2) $(OBJS) $(BCHECK) $(EXTRA_progs): .config $(OBJS_c) $(OBJS_t) $(OBJS_t2) $(OBJS) $(BCHECK) $(EXTRA_progs): .config
@ -141,7 +141,7 @@
wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs) wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS) $(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
@$(E) " LD " $@ @$(E) " LD " $@
@@ -1808,6 +1831,12 @@ endif @@ -1937,6 +1960,12 @@ endif
-e 's|\@DBUS_INTERFACE\@|$(DBUS_INTERFACE)|g' $< >$@ -e 's|\@DBUS_INTERFACE\@|$(DBUS_INTERFACE)|g' $< >$@
@$(E) " sed" $< @$(E) " sed" $<
@ -156,7 +156,7 @@
wpa_cli.exe: wpa_cli wpa_cli.exe: wpa_cli
--- a/src/drivers/driver.h --- a/src/drivers/driver.h
+++ b/src/drivers/driver.h +++ b/src/drivers/driver.h
@@ -4968,8 +4968,8 @@ union wpa_event_data { @@ -5317,8 +5317,8 @@ union wpa_event_data {
* Driver wrapper code should call this function whenever an event is received * Driver wrapper code should call this function whenever an event is received
* from the driver. * from the driver.
*/ */
@ -167,7 +167,7 @@
/** /**
* wpa_supplicant_event_global - Report a driver event for wpa_supplicant * wpa_supplicant_event_global - Report a driver event for wpa_supplicant
@@ -4981,7 +4981,7 @@ void wpa_supplicant_event(void *ctx, enu @@ -5330,7 +5330,7 @@ void wpa_supplicant_event(void *ctx, enu
* Same as wpa_supplicant_event(), but we search for the interface in * Same as wpa_supplicant_event(), but we search for the interface in
* wpa_global. * wpa_global.
*/ */
@ -178,7 +178,7 @@
/* /*
--- a/src/ap/drv_callbacks.c --- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c
@@ -1163,8 +1163,8 @@ static void hostapd_event_dfs_cac_starte @@ -1375,8 +1375,8 @@ static void hostapd_event_dfs_cac_starte
#endif /* NEED_AP_MLME */ #endif /* NEED_AP_MLME */
@ -189,7 +189,7 @@
{ {
struct hostapd_data *hapd = ctx; struct hostapd_data *hapd = ctx;
#ifndef CONFIG_NO_STDOUT_DEBUG #ifndef CONFIG_NO_STDOUT_DEBUG
@@ -1373,7 +1373,7 @@ void wpa_supplicant_event(void *ctx, enu @@ -1590,7 +1590,7 @@ void wpa_supplicant_event(void *ctx, enu
} }
@ -231,7 +231,7 @@
os_memset(&global, 0, sizeof(global)); os_memset(&global, 0, sizeof(global));
--- a/wpa_supplicant/events.c --- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c +++ b/wpa_supplicant/events.c
@@ -3610,8 +3610,8 @@ static void wpa_supplicant_event_assoc_a @@ -3709,8 +3709,8 @@ static void wpa_supplicant_event_assoc_a
} }
@ -242,16 +242,7 @@
{ {
struct wpa_supplicant *wpa_s = ctx; struct wpa_supplicant *wpa_s = ctx;
int resched; int resched;
@@ -4315,7 +4315,7 @@ void wpa_supplicant_event(void *ctx, enu @@ -4466,7 +4466,7 @@ void wpa_supplicant_event(void *ctx, enu
#endif /* CONFIG_AP */
break;
case EVENT_ACS_CHANNEL_SELECTED:
-#ifdef CONFIG_ACS
+#if defined(CONFIG_ACS) && defined(CONFIG_AP)
if (!wpa_s->ap_iface)
break;
hostapd_acs_channel_selected(wpa_s->ap_iface->bss[0],
@@ -4337,7 +4337,7 @@ void wpa_supplicant_event(void *ctx, enu
} }
@ -262,7 +253,7 @@
struct wpa_supplicant *wpa_s; struct wpa_supplicant *wpa_s;
--- a/wpa_supplicant/wpa_supplicant.c --- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -5136,7 +5136,6 @@ struct wpa_interface * wpa_supplicant_ma @@ -5457,7 +5457,6 @@ struct wpa_interface * wpa_supplicant_ma
return NULL; return NULL;
} }
@ -270,7 +261,7 @@
/** /**
* wpa_supplicant_match_existing - Match existing interfaces * wpa_supplicant_match_existing - Match existing interfaces
* @global: Pointer to global data from wpa_supplicant_init() * @global: Pointer to global data from wpa_supplicant_init()
@@ -5173,6 +5172,11 @@ static int wpa_supplicant_match_existing @@ -5494,6 +5493,11 @@ static int wpa_supplicant_match_existing
#endif /* CONFIG_MATCH_IFACE */ #endif /* CONFIG_MATCH_IFACE */
@ -282,7 +273,7 @@
/** /**
* wpa_supplicant_add_iface - Add a new network interface * wpa_supplicant_add_iface - Add a new network interface
@@ -5428,6 +5432,8 @@ struct wpa_global * wpa_supplicant_init( @@ -5750,6 +5754,8 @@ struct wpa_global * wpa_supplicant_init(
#ifndef CONFIG_NO_WPA_MSG #ifndef CONFIG_NO_WPA_MSG
wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb); wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
#endif /* CONFIG_NO_WPA_MSG */ #endif /* CONFIG_NO_WPA_MSG */
@ -305,9 +296,9 @@
#ifdef CONFIG_WPS #ifdef CONFIG_WPS
static int gen_uuid(const char *txt_addr) static int gen_uuid(const char *txt_addr)
@@ -667,6 +672,8 @@ int main(int argc, char *argv[]) @@ -670,6 +675,8 @@ int main(int argc, char *argv[])
interfaces.global_ctrl_sock = -1; dl_list_init(&interfaces.eth_p_oui);
dl_list_init(&interfaces.global_ctrl_dst); #endif /* CONFIG_ETH_P_OUI */
+ wpa_supplicant_event = hostapd_wpa_event; + wpa_supplicant_event = hostapd_wpa_event;
+ wpa_supplicant_event_global = hostapd_wpa_event_global; + wpa_supplicant_event_global = hostapd_wpa_event_global;

6
package/network/services/hostapd/patches/300-noscan.patch
View File

@ -1,6 +1,6 @@
--- a/hostapd/config_file.c --- a/hostapd/config_file.c
+++ b/hostapd/config_file.c +++ b/hostapd/config_file.c
@@ -2953,6 +2953,10 @@ static int hostapd_config_fill(struct ho @@ -3014,6 +3014,10 @@ static int hostapd_config_fill(struct ho
} }
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_IEEE80211N #ifdef CONFIG_IEEE80211N
@ -13,7 +13,7 @@
} else if (os_strcmp(buf, "ht_capab") == 0) { } else if (os_strcmp(buf, "ht_capab") == 0) {
--- a/src/ap/ap_config.h --- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h +++ b/src/ap/ap_config.h
@@ -681,6 +681,8 @@ struct hostapd_config { @@ -734,6 +734,8 @@ struct hostapd_config {
int ht_op_mode_fixed; int ht_op_mode_fixed;
u16 ht_capab; u16 ht_capab;
@ -24,7 +24,7 @@
int no_pri_sec_switch; int no_pri_sec_switch;
--- a/src/ap/hw_features.c --- a/src/ap/hw_features.c
+++ b/src/ap/hw_features.c +++ b/src/ap/hw_features.c
@@ -474,7 +474,8 @@ static int ieee80211n_check_40mhz(struct @@ -480,7 +480,8 @@ static int ieee80211n_check_40mhz(struct
int ret; int ret;
/* Check that HT40 is used and PRI / SEC switch is allowed */ /* Check that HT40 is used and PRI / SEC switch is allowed */

2
package/network/services/hostapd/patches/310-rescan_immediately.patch
View File

@ -1,6 +1,6 @@
--- a/wpa_supplicant/wpa_supplicant.c --- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -3696,7 +3696,7 @@ wpa_supplicant_alloc(struct wpa_supplica @@ -3927,7 +3927,7 @@ wpa_supplicant_alloc(struct wpa_supplica
if (wpa_s == NULL) if (wpa_s == NULL)
return NULL; return NULL;
wpa_s->scan_req = INITIAL_SCAN_REQ; wpa_s->scan_req = INITIAL_SCAN_REQ;

2
package/network/services/hostapd/patches/330-nl80211_fix_set_freq.patch
View File

@ -1,6 +1,6 @@
--- a/src/drivers/driver_nl80211.c --- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c
@@ -4104,7 +4104,7 @@ static int nl80211_set_channel(struct i8 @@ -4152,7 +4152,7 @@ static int nl80211_set_channel(struct i8
freq->freq, freq->ht_enabled, freq->vht_enabled, freq->freq, freq->ht_enabled, freq->vht_enabled,
freq->bandwidth, freq->center_freq1, freq->center_freq2); freq->bandwidth, freq->center_freq1, freq->center_freq2);

6
package/network/services/hostapd/patches/340-reload_freq_change.patch
View File

@ -1,6 +1,6 @@
--- a/src/ap/hostapd.c --- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c +++ b/src/ap/hostapd.c
@@ -80,6 +80,25 @@ static void hostapd_reload_bss(struct ho @@ -87,6 +87,25 @@ static void hostapd_reload_bss(struct ho
#endif /* CONFIG_NO_RADIUS */ #endif /* CONFIG_NO_RADIUS */
ssid = &hapd->conf->ssid; ssid = &hapd->conf->ssid;
@ -26,7 +26,7 @@
if (!ssid->wpa_psk_set && ssid->wpa_psk && !ssid->wpa_psk->next && if (!ssid->wpa_psk_set && ssid->wpa_psk && !ssid->wpa_psk->next &&
ssid->wpa_passphrase_set && ssid->wpa_passphrase) { ssid->wpa_passphrase_set && ssid->wpa_passphrase) {
/* /*
@@ -158,6 +177,7 @@ int hostapd_reload_config(struct hostapd @@ -165,6 +184,7 @@ int hostapd_reload_config(struct hostapd
struct hostapd_data *hapd = iface->bss[0]; struct hostapd_data *hapd = iface->bss[0];
struct hostapd_config *newconf, *oldconf; struct hostapd_config *newconf, *oldconf;
size_t j; size_t j;
@ -34,7 +34,7 @@
if (iface->config_fname == NULL) { if (iface->config_fname == NULL) {
/* Only in-memory config in use - assume it has been updated */ /* Only in-memory config in use - assume it has been updated */
@@ -179,21 +199,20 @@ int hostapd_reload_config(struct hostapd @@ -186,21 +206,20 @@ int hostapd_reload_config(struct hostapd
oldconf = hapd->iconf; oldconf = hapd->iconf;
iface->conf = newconf; iface->conf = newconf;

46
package/network/services/hostapd/patches/350-nl80211_del_beacon_bss.patch
View File

@ -1,72 +1,54 @@
--- a/src/drivers/driver_nl80211.c --- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c
@@ -2490,13 +2490,18 @@ wpa_driver_nl80211_finish_drv_init(struc @@ -2536,10 +2536,15 @@ static int wpa_driver_nl80211_del_beacon
}
-static int wpa_driver_nl80211_del_beacon(struct wpa_driver_nl80211_data *drv)
+static int wpa_driver_nl80211_del_beacon(struct i802_bss *bss)
{
+ struct wpa_driver_nl80211_data *drv = bss->drv;
struct nl_msg *msg; struct nl_msg *msg;
struct wpa_driver_nl80211_data *drv = bss->drv;
+ if (!bss->beacon_set) + if (!bss->beacon_set)
+ return 0; + return 0;
+ +
+ bss->beacon_set = 0; + bss->beacon_set = 0;
+
wpa_printf(MSG_DEBUG, "nl80211: Remove beacon (ifindex=%d)", wpa_printf(MSG_DEBUG, "nl80211: Remove beacon (ifindex=%d)",
- drv->ifindex); - drv->ifindex);
- msg = nl80211_drv_msg(drv, 0, NL80211_CMD_DEL_BEACON);
+ bss->ifindex); + bss->ifindex);
nl80211_put_wiphy_data_ap(bss);
- msg = nl80211_drv_msg(drv, 0, NL80211_CMD_DEL_BEACON);
+ msg = nl80211_bss_msg(bss, 0, NL80211_CMD_DEL_BEACON); + msg = nl80211_bss_msg(bss, 0, NL80211_CMD_DEL_BEACON);
return send_and_recv_msgs(drv, msg, NULL, NULL); return send_and_recv_msgs(drv, msg, NULL, NULL);
} }
@@ -2548,7 +2553,7 @@ static void wpa_driver_nl80211_deinit(st @@ -4753,7 +4758,7 @@ static void nl80211_teardown_ap(struct i
nl80211_remove_monitor_interface(drv);
if (is_ap_interface(drv->nlmode))
- wpa_driver_nl80211_del_beacon(drv);
+ wpa_driver_nl80211_del_beacon(bss);
if (drv->eapol_sock >= 0) {
eloop_unregister_read_sock(drv->eapol_sock);
@@ -4703,8 +4708,7 @@ static void nl80211_teardown_ap(struct i
nl80211_remove_monitor_interface(drv);
else
nl80211_mgmt_unsubscribe(bss, "AP teardown"); nl80211_mgmt_unsubscribe(bss, "AP teardown");
-
nl80211_put_wiphy_data_ap(bss);
- bss->beacon_set = 0; - bss->beacon_set = 0;
+ wpa_driver_nl80211_del_beacon(bss); + wpa_driver_nl80211_del_beacon(bss);
} }
@@ -6728,8 +6732,6 @@ static int wpa_driver_nl80211_if_remove( @@ -6853,8 +6858,6 @@ static int wpa_driver_nl80211_if_remove(
} else { } else {
wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context"); wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
nl80211_teardown_ap(bss); nl80211_teardown_ap(bss);
- if (!bss->added_if && !drv->first_bss->next) - if (!bss->added_if && !drv->first_bss->next)
- wpa_driver_nl80211_del_beacon(drv); - wpa_driver_nl80211_del_beacon(bss);
nl80211_destroy_bss(bss); nl80211_destroy_bss(bss);
if (!bss->added_if) if (!bss->added_if)
i802_set_iface_flags(bss, 0); i802_set_iface_flags(bss, 0);
@@ -7091,8 +7093,7 @@ static int wpa_driver_nl80211_deinit_ap( @@ -7225,7 +7228,6 @@ static int wpa_driver_nl80211_deinit_ap(
struct wpa_driver_nl80211_data *drv = bss->drv;
if (!is_ap_interface(drv->nlmode)) if (!is_ap_interface(drv->nlmode))
return -1; return -1;
- wpa_driver_nl80211_del_beacon(drv); wpa_driver_nl80211_del_beacon(bss);
- bss->beacon_set = 0; - bss->beacon_set = 0;
+ wpa_driver_nl80211_del_beacon(bss);
/* /*
* If the P2P GO interface was dynamically added, then it is * If the P2P GO interface was dynamically added, then it is
@@ -7111,8 +7112,7 @@ static int wpa_driver_nl80211_stop_ap(vo @@ -7245,7 +7247,6 @@ static int wpa_driver_nl80211_stop_ap(vo
struct wpa_driver_nl80211_data *drv = bss->drv;
if (!is_ap_interface(drv->nlmode)) if (!is_ap_interface(drv->nlmode))
return -1; return -1;
- wpa_driver_nl80211_del_beacon(drv); wpa_driver_nl80211_del_beacon(bss);
- bss->beacon_set = 0; - bss->beacon_set = 0;
+ wpa_driver_nl80211_del_beacon(bss);
return 0; return 0;
} }

8
package/network/services/hostapd/patches/360-ctrl_iface_reload.patch
View File

@ -1,6 +1,6 @@
--- a/hostapd/ctrl_iface.c --- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c
@@ -55,6 +55,7 @@ @@ -56,6 +56,7 @@
#include "fst/fst_ctrl_iface.h" #include "fst/fst_ctrl_iface.h"
#include "config_file.h" #include "config_file.h"
#include "ctrl_iface.h" #include "ctrl_iface.h"
@ -8,7 +8,7 @@
#define HOSTAPD_CLI_DUP_VALUE_MAX_LEN 256 #define HOSTAPD_CLI_DUP_VALUE_MAX_LEN 256
@@ -73,6 +74,7 @@ static void hostapd_ctrl_iface_send(stru @@ -74,6 +75,7 @@ static void hostapd_ctrl_iface_send(stru
enum wpa_msg_type type, enum wpa_msg_type type,
const char *buf, size_t len); const char *buf, size_t len);
@ -16,7 +16,7 @@
static int hostapd_ctrl_iface_attach(struct hostapd_data *hapd, static int hostapd_ctrl_iface_attach(struct hostapd_data *hapd,
struct sockaddr_storage *from, struct sockaddr_storage *from,
@@ -124,6 +126,61 @@ static int hostapd_ctrl_iface_new_sta(st @@ -125,6 +127,61 @@ static int hostapd_ctrl_iface_new_sta(st
return 0; return 0;
} }
@ -78,7 +78,7 @@
#ifdef CONFIG_IEEE80211W #ifdef CONFIG_IEEE80211W
#ifdef NEED_AP_MLME #ifdef NEED_AP_MLME
@@ -2620,6 +2677,8 @@ static int hostapd_ctrl_iface_receive_pr @@ -2607,6 +2664,8 @@ static int hostapd_ctrl_iface_receive_pr
} else if (os_strncmp(buf, "VENDOR ", 7) == 0) { } else if (os_strncmp(buf, "VENDOR ", 7) == 0) {
reply_len = hostapd_ctrl_iface_vendor(hapd, buf + 7, reply, reply_len = hostapd_ctrl_iface_vendor(hapd, buf + 7, reply,
reply_size); reply_size);

20
package/network/services/hostapd/patches/370-ap_sta_support.patch
View File

@ -1,6 +1,6 @@
--- a/wpa_supplicant/wpa_supplicant_i.h --- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h +++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -100,6 +100,11 @@ struct wpa_interface { @@ -101,6 +101,11 @@ struct wpa_interface {
const char *ifname; const char *ifname;
/** /**
@ -12,7 +12,7 @@
* bridge_ifname - Optional bridge interface name * bridge_ifname - Optional bridge interface name
* *
* If the driver interface (ifname) is included in a Linux bridge * If the driver interface (ifname) is included in a Linux bridge
@@ -484,6 +489,8 @@ struct wpa_supplicant { @@ -512,6 +517,8 @@ struct wpa_supplicant {
#endif /* CONFIG_CTRL_IFACE_BINDER */ #endif /* CONFIG_CTRL_IFACE_BINDER */
char bridge_ifname[16]; char bridge_ifname[16];
@ -34,7 +34,7 @@
-include .config -include .config
-include $(if $(MULTICALL),../hostapd/.config) -include $(if $(MULTICALL),../hostapd/.config)
@@ -115,6 +119,8 @@ OBJS_c += ../src/utils/common.o @@ -117,6 +121,8 @@ OBJS_c += ../src/utils/common.o
OBJS_c += ../src/common/cli.o OBJS_c += ../src/common/cli.o
OBJS += wmm_ac.o OBJS += wmm_ac.o
@ -45,9 +45,9 @@
CONFIG_OS=win32 CONFIG_OS=win32
--- a/wpa_supplicant/wpa_supplicant.c --- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -112,6 +112,55 @@ const char *const wpa_supplicant_full_li @@ -118,6 +118,55 @@ const char *const wpa_supplicant_full_li
"\n"; static void wpa_bss_tmp_disallow_timeout(void *eloop_ctx, void *timeout_ctx);
#endif /* CONFIG_NO_STDOUT_DEBUG */
+static int hostapd_stop(struct wpa_supplicant *wpa_s) +static int hostapd_stop(struct wpa_supplicant *wpa_s)
+{ +{
@ -101,7 +101,7 @@
/* Configure default/group WEP keys for static WEP */ /* Configure default/group WEP keys for static WEP */
int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid) int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
{ {
@@ -819,8 +868,12 @@ void wpa_supplicant_set_state(struct wpa @@ -883,8 +932,12 @@ void wpa_supplicant_set_state(struct wpa
wpas_p2p_completed(wpa_s); wpas_p2p_completed(wpa_s);
sme_sched_obss_scan(wpa_s, 1); sme_sched_obss_scan(wpa_s, 1);
@ -114,7 +114,7 @@
wpa_s->new_connection = 1; wpa_s->new_connection = 1;
wpa_drv_set_operstate(wpa_s, 0); wpa_drv_set_operstate(wpa_s, 0);
#ifndef IEEE8021X_EAPOL #ifndef IEEE8021X_EAPOL
@@ -4790,6 +4843,20 @@ static int wpa_supplicant_init_iface(str @@ -5080,6 +5133,20 @@ static int wpa_supplicant_init_iface(str
sizeof(wpa_s->bridge_ifname)); sizeof(wpa_s->bridge_ifname));
} }
@ -135,7 +135,7 @@
/* RSNA Supplicant Key Management - INITIALIZE */ /* RSNA Supplicant Key Management - INITIALIZE */
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE); eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
eapol_sm_notify_portValid(wpa_s->eapol, FALSE); eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
@@ -5083,6 +5150,11 @@ static void wpa_supplicant_deinit_iface( @@ -5404,6 +5471,11 @@ static void wpa_supplicant_deinit_iface(
if (terminate) if (terminate)
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_TERMINATING); wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_TERMINATING);
@ -157,7 +157,7 @@
#include "drivers/driver.h" #include "drivers/driver.h"
#include "eap_peer/eap.h" #include "eap_peer/eap.h"
#include "wpa_supplicant_i.h" #include "wpa_supplicant_i.h"
@@ -290,6 +291,10 @@ static void calculate_update_time(const @@ -290,6 +291,10 @@ void calculate_update_time(const struct
static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src, static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
struct os_reltime *fetch_time) struct os_reltime *fetch_time)
{ {

32
package/network/services/hostapd/patches/380-disable_ctrl_iface_mib.patch
View File

@ -12,7 +12,7 @@
else else
--- a/hostapd/ctrl_iface.c --- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c +++ b/hostapd/ctrl_iface.c
@@ -2471,6 +2471,7 @@ static int hostapd_ctrl_iface_receive_pr @@ -2458,6 +2458,7 @@ static int hostapd_ctrl_iface_receive_pr
reply_size); reply_size);
} else if (os_strcmp(buf, "STATUS-DRIVER") == 0) { } else if (os_strcmp(buf, "STATUS-DRIVER") == 0) {
reply_len = hostapd_drv_status(hapd, reply, reply_size); reply_len = hostapd_drv_status(hapd, reply, reply_size);
@ -20,7 +20,7 @@
} else if (os_strcmp(buf, "MIB") == 0) { } else if (os_strcmp(buf, "MIB") == 0) {
reply_len = ieee802_11_get_mib(hapd, reply, reply_size); reply_len = ieee802_11_get_mib(hapd, reply, reply_size);
if (reply_len >= 0) { if (reply_len >= 0) {
@@ -2512,6 +2513,7 @@ static int hostapd_ctrl_iface_receive_pr @@ -2499,6 +2500,7 @@ static int hostapd_ctrl_iface_receive_pr
} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) { } else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply, reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply,
reply_size); reply_size);
@ -30,8 +30,8 @@
reply_len = -1; reply_len = -1;
--- a/wpa_supplicant/Makefile --- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile
@@ -891,6 +891,9 @@ ifdef CONFIG_MBO @@ -926,6 +926,9 @@ ifdef CONFIG_FILS
OBJS += ../src/ap/mbo_ap.o OBJS += ../src/ap/fils_hlp.o
endif endif
ifdef CONFIG_CTRL_IFACE ifdef CONFIG_CTRL_IFACE
+ifdef CONFIG_CTRL_IFACE_MIB +ifdef CONFIG_CTRL_IFACE_MIB
@ -42,7 +42,7 @@
--- a/wpa_supplicant/ctrl_iface.c --- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c +++ b/wpa_supplicant/ctrl_iface.c
@@ -1907,7 +1907,7 @@ static int wpa_supplicant_ctrl_iface_sta @@ -2070,7 +2070,7 @@ static int wpa_supplicant_ctrl_iface_sta
pos += ret; pos += ret;
} }
@ -51,7 +51,7 @@
if (wpa_s->ap_iface) { if (wpa_s->ap_iface) {
pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos, pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos,
end - pos, end - pos,
@@ -9032,6 +9032,7 @@ char * wpa_supplicant_ctrl_iface_process @@ -9631,6 +9631,7 @@ char * wpa_supplicant_ctrl_iface_process
reply_len = -1; reply_len = -1;
} else if (os_strncmp(buf, "NOTE ", 5) == 0) { } else if (os_strncmp(buf, "NOTE ", 5) == 0) {
wpa_printf(MSG_INFO, "NOTE: %s", buf + 5); wpa_printf(MSG_INFO, "NOTE: %s", buf + 5);
@ -59,7 +59,7 @@
} else if (os_strcmp(buf, "MIB") == 0) { } else if (os_strcmp(buf, "MIB") == 0) {
reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size); reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
if (reply_len >= 0) { if (reply_len >= 0) {
@@ -9039,6 +9040,7 @@ char * wpa_supplicant_ctrl_iface_process @@ -9638,6 +9639,7 @@ char * wpa_supplicant_ctrl_iface_process
reply + reply_len, reply + reply_len,
reply_size - reply_len); reply_size - reply_len);
} }
@ -67,7 +67,7 @@
} else if (os_strncmp(buf, "STATUS", 6) == 0) { } else if (os_strncmp(buf, "STATUS", 6) == 0) {
reply_len = wpa_supplicant_ctrl_iface_status( reply_len = wpa_supplicant_ctrl_iface_status(
wpa_s, buf + 6, reply, reply_size); wpa_s, buf + 6, reply, reply_size);
@@ -9517,6 +9519,7 @@ char * wpa_supplicant_ctrl_iface_process @@ -10124,6 +10126,7 @@ char * wpa_supplicant_ctrl_iface_process
reply_len = wpa_supplicant_ctrl_iface_bss( reply_len = wpa_supplicant_ctrl_iface_bss(
wpa_s, buf + 4, reply, reply_size); wpa_s, buf + 4, reply, reply_size);
#ifdef CONFIG_AP #ifdef CONFIG_AP
@ -75,7 +75,7 @@
} else if (os_strcmp(buf, "STA-FIRST") == 0) { } else if (os_strcmp(buf, "STA-FIRST") == 0) {
reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size); reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size);
} else if (os_strncmp(buf, "STA ", 4) == 0) { } else if (os_strncmp(buf, "STA ", 4) == 0) {
@@ -9525,12 +9528,15 @@ char * wpa_supplicant_ctrl_iface_process @@ -10132,12 +10135,15 @@ char * wpa_supplicant_ctrl_iface_process
} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) { } else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply, reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply,
reply_size); reply_size);
@ -111,7 +111,7 @@
static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype, static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype,
--- a/src/ap/ieee802_1x.c --- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c +++ b/src/ap/ieee802_1x.c
@@ -2490,6 +2490,7 @@ static const char * bool_txt(Boolean val @@ -2492,6 +2492,7 @@ static const char * bool_txt(Boolean val
return val ? "TRUE" : "FALSE"; return val ? "TRUE" : "FALSE";
} }
@ -119,7 +119,7 @@
int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen) int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
{ {
@@ -2665,6 +2666,7 @@ int ieee802_1x_get_mib_sta(struct hostap @@ -2667,6 +2668,7 @@ int ieee802_1x_get_mib_sta(struct hostap
return len; return len;
} }
@ -129,7 +129,7 @@
static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx) static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
--- a/src/ap/wpa_auth.c --- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c +++ b/src/ap/wpa_auth.c
@@ -3544,6 +3544,7 @@ static const char * wpa_bool_txt(int val @@ -3762,6 +3762,7 @@ static const char * wpa_bool_txt(int val
return val ? "TRUE" : "FALSE"; return val ? "TRUE" : "FALSE";
} }
@ -137,7 +137,7 @@
#define RSN_SUITE "%02x-%02x-%02x-%d" #define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \ #define RSN_SUITE_ARG(s) \
@@ -3688,7 +3689,7 @@ int wpa_get_mib_sta(struct wpa_state_mac @@ -3906,7 +3907,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
return len; return len;
} }
@ -148,7 +148,7 @@
{ {
--- a/src/rsn_supp/wpa.c --- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c +++ b/src/rsn_supp/wpa.c
@@ -2252,6 +2252,8 @@ static u32 wpa_key_mgmt_suite(struct wpa @@ -2339,6 +2339,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
} }
@ -157,7 +157,7 @@
#define RSN_SUITE "%02x-%02x-%02x-%d" #define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \ #define RSN_SUITE_ARG(s) \
((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
@@ -2335,6 +2337,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch @@ -2422,6 +2424,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
return (int) len; return (int) len;
} }
@ -167,7 +167,7 @@
--- a/wpa_supplicant/ap.c --- a/wpa_supplicant/ap.c
+++ b/wpa_supplicant/ap.c +++ b/wpa_supplicant/ap.c
@@ -1119,7 +1119,7 @@ int wpas_ap_wps_nfc_report_handover(stru @@ -1139,7 +1139,7 @@ int wpas_ap_wps_nfc_report_handover(stru
#endif /* CONFIG_WPS */ #endif /* CONFIG_WPS */

4
package/network/services/hostapd/patches/390-wpa_ie_cap_workaround.patch
View File

@ -1,6 +1,6 @@
--- a/src/common/wpa_common.c --- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c +++ b/src/common/wpa_common.c
@@ -1445,6 +1445,31 @@ u32 wpa_akm_to_suite(int akm) @@ -1664,6 +1664,31 @@ u32 wpa_akm_to_suite(int akm)
} }
@ -32,7 +32,7 @@
int wpa_compare_rsn_ie(int ft_initial_assoc, int wpa_compare_rsn_ie(int ft_initial_assoc,
const u8 *ie1, size_t ie1len, const u8 *ie1, size_t ie1len,
const u8 *ie2, size_t ie2len) const u8 *ie2, size_t ie2len)
@@ -1452,8 +1477,19 @@ int wpa_compare_rsn_ie(int ft_initial_as @@ -1671,8 +1696,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
if (ie1 == NULL || ie2 == NULL) if (ie1 == NULL || ie2 == NULL)
return -1; return -1;

4
package/network/services/hostapd/patches/420-indicate-features.patch
View File

@ -8,7 +8,7 @@
#include "crypto/random.h" #include "crypto/random.h"
#include "crypto/tls.h" #include "crypto/tls.h"
#include "common/version.h" #include "common/version.h"
@@ -675,7 +676,7 @@ int main(int argc, char *argv[]) @@ -678,7 +679,7 @@ int main(int argc, char *argv[])
wpa_supplicant_event = hostapd_wpa_event; wpa_supplicant_event = hostapd_wpa_event;
wpa_supplicant_event_global = hostapd_wpa_event_global; wpa_supplicant_event_global = hostapd_wpa_event_global;
for (;;) { for (;;) {
@ -17,7 +17,7 @@
if (c < 0) if (c < 0)
break; break;
switch (c) { switch (c) {
@@ -712,6 +713,8 @@ int main(int argc, char *argv[]) @@ -715,6 +716,8 @@ int main(int argc, char *argv[])
break; break;
#endif /* CONFIG_DEBUG_LINUX_TRACING */ #endif /* CONFIG_DEBUG_LINUX_TRACING */
case 'v': case 'v':

16
package/network/services/hostapd/patches/430-hostapd_cli_ifdef.patch
View File

@ -1,6 +1,6 @@
--- a/hostapd/hostapd_cli.c --- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c +++ b/hostapd/hostapd_cli.c
@@ -447,7 +447,6 @@ static int hostapd_cli_cmd_sa_query(stru @@ -417,7 +417,6 @@ static int hostapd_cli_cmd_sa_query(stru
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
@ -8,7 +8,7 @@
static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc, static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
char *argv[]) char *argv[])
{ {
@@ -673,7 +672,6 @@ static int hostapd_cli_cmd_wps_config(st @@ -643,7 +642,6 @@ static int hostapd_cli_cmd_wps_config(st
ssid_hex, argv[1]); ssid_hex, argv[1]);
return wpa_ctrl_command(ctrl, buf); return wpa_ctrl_command(ctrl, buf);
} }
@ -16,19 +16,19 @@
static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc, static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
@@ -1367,7 +1365,6 @@ static const struct hostapd_cli_cmd host @@ -1476,7 +1474,6 @@ static const struct hostapd_cli_cmd host
{ "sa_query", hostapd_cli_cmd_sa_query, NULL, { "sa_query", hostapd_cli_cmd_sa_query, hostapd_complete_stations,
"<addr> = send SA Query to a station" }, "<addr> = send SA Query to a station" },
#endif /* CONFIG_IEEE80211W */ #endif /* CONFIG_IEEE80211W */
-#ifdef CONFIG_WPS -#ifdef CONFIG_WPS
{ "wps_pin", hostapd_cli_cmd_wps_pin, NULL, { "wps_pin", hostapd_cli_cmd_wps_pin, NULL,
"<uuid> <pin> [timeout] [addr] = add WPS Enrollee PIN" }, "<uuid> <pin> [timeout] [addr] = add WPS Enrollee PIN" },
{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin, NULL, { "wps_check_pin", hostapd_cli_cmd_wps_check_pin, NULL,
@@ -1392,7 +1389,6 @@ static const struct hostapd_cli_cmd host @@ -1501,7 +1498,6 @@ static const struct hostapd_cli_cmd host
"<SSID> <auth> <encr> <key> = configure AP" }, "<SSID> <auth> <encr> <key> = configure AP" },
{ "wps_get_status", hostapd_cli_cmd_wps_get_status, NULL, { "wps_get_status", hostapd_cli_cmd_wps_get_status, NULL,
"= show current WPS status" }, "= show current WPS status" },
-#endif /* CONFIG_WPS */ -#endif /* CONFIG_WPS */
{ "disassoc_imminent", hostapd_cli_cmd_disassoc_imminent, NULL, NULL }, { "disassoc_imminent", hostapd_cli_cmd_disassoc_imminent, NULL,
{ "ess_disassoc", hostapd_cli_cmd_ess_disassoc, NULL, NULL }, "= send Disassociation Imminent notification" },
{ "bss_tm_req", hostapd_cli_cmd_bss_tm_req, NULL, NULL }, { "ess_disassoc", hostapd_cli_cmd_ess_disassoc, NULL,

14
package/network/services/hostapd/patches/460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
View File

@ -21,8 +21,8 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
+#include "ap/sta_info.h" +#include "ap/sta_info.h"
#include "common/defs.h" #include "common/defs.h"
#include "common/ieee802_11_defs.h" #include "common/ieee802_11_defs.h"
#ifdef CONFIG_MACSEC #include "common/wpa_common.h"
@@ -605,6 +606,9 @@ struct wpa_driver_associate_params { @@ -762,6 +763,9 @@ struct wpa_driver_associate_params {
* responsible for selecting with which BSS to associate. */ * responsible for selecting with which BSS to associate. */
const u8 *bssid; const u8 *bssid;
@ -34,7 +34,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
* *
--- a/wpa_supplicant/config.c --- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c
@@ -16,6 +16,7 @@ @@ -17,6 +17,7 @@
#include "eap_peer/eap.h" #include "eap_peer/eap.h"
#include "p2p/p2p.h" #include "p2p/p2p.h"
#include "fst/fst.h" #include "fst/fst.h"
@ -42,7 +42,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
#include "config.h" #include "config.h"
@@ -1891,6 +1892,97 @@ static char * wpa_config_write_mka_ckn(c @@ -1985,6 +1986,97 @@ static char * wpa_config_write_mka_ckn(c
#endif /* CONFIG_MACSEC */ #endif /* CONFIG_MACSEC */
@ -140,7 +140,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
/* Helper macros for network block parser */ /* Helper macros for network block parser */
#ifdef OFFSET #ifdef OFFSET
@@ -2123,6 +2215,9 @@ static const struct parse_data ssid_fiel @@ -2224,6 +2316,9 @@ static const struct parse_data ssid_fiel
{ INT(ap_max_inactivity) }, { INT(ap_max_inactivity) },
{ INT(dtim_period) }, { INT(dtim_period) },
{ INT(beacon_int) }, { INT(beacon_int) },
@ -163,7 +163,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
#define DEFAULT_EAP_WORKAROUND ((unsigned int) -1) #define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
@@ -719,6 +721,9 @@ struct wpa_ssid { @@ -735,6 +737,9 @@ struct wpa_ssid {
*/ */
void *parent_cred; void *parent_cred;
@ -175,7 +175,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
* macsec_policy - Determines the policy for MACsec secure session * macsec_policy - Determines the policy for MACsec secure session
--- a/wpa_supplicant/wpa_supplicant.c --- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -2561,6 +2561,13 @@ static void wpas_start_assoc_cb(struct w @@ -2781,6 +2781,13 @@ static void wpas_start_assoc_cb(struct w
params.beacon_int = ssid->beacon_int; params.beacon_int = ssid->beacon_int;
else else
params.beacon_int = wpa_s->conf->beacon_int; params.beacon_int = wpa_s->conf->beacon_int;

4
package/network/services/hostapd/patches/461-driver_nl80211-use-new-parameters-during-ibss-join.patch
View File

@ -10,7 +10,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
--- a/src/drivers/driver_nl80211.c --- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c
@@ -4962,7 +4962,7 @@ static int wpa_driver_nl80211_ibss(struc @@ -5012,7 +5012,7 @@ static int wpa_driver_nl80211_ibss(struc
struct wpa_driver_associate_params *params) struct wpa_driver_associate_params *params)
{ {
struct nl_msg *msg; struct nl_msg *msg;
@ -19,7 +19,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
int count = 0; int count = 0;
wpa_printf(MSG_DEBUG, "nl80211: Join IBSS (ifindex=%d)", drv->ifindex); wpa_printf(MSG_DEBUG, "nl80211: Join IBSS (ifindex=%d)", drv->ifindex);
@@ -4989,6 +4989,37 @@ retry: @@ -5039,6 +5039,37 @@ retry:
nl80211_put_beacon_int(msg, params->beacon_int)) nl80211_put_beacon_int(msg, params->beacon_int))
goto fail; goto fail;

12
package/network/services/hostapd/patches/462-wpa_s-support-htmode-param.patch
View File

@ -16,7 +16,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
--- a/src/drivers/driver.h --- a/src/drivers/driver.h
+++ b/src/drivers/driver.h +++ b/src/drivers/driver.h
@@ -608,6 +608,8 @@ struct wpa_driver_associate_params { @@ -765,6 +765,8 @@ struct wpa_driver_associate_params {
unsigned char rates[WLAN_SUPP_RATES_MAX]; unsigned char rates[WLAN_SUPP_RATES_MAX];
int mcast_rate; int mcast_rate;
@ -27,7 +27,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
* bssid_hint - BSSID of a proposed AP * bssid_hint - BSSID of a proposed AP
--- a/src/drivers/driver_nl80211.c --- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c +++ b/src/drivers/driver_nl80211.c
@@ -5020,6 +5020,22 @@ retry: @@ -5070,6 +5070,22 @@ retry:
nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, params->mcast_rate); nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, params->mcast_rate);
} }
@ -52,7 +52,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
goto fail; goto fail;
--- a/wpa_supplicant/config.c --- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c +++ b/wpa_supplicant/config.c
@@ -1923,6 +1923,71 @@ static char * wpa_config_write_mcast_rat @@ -2017,6 +2017,71 @@ static char * wpa_config_write_mcast_rat
} }
#endif /* NO_CONFIG_WRITE */ #endif /* NO_CONFIG_WRITE */
@ -124,7 +124,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
static int wpa_config_parse_rates(const struct parse_data *data, static int wpa_config_parse_rates(const struct parse_data *data,
struct wpa_ssid *ssid, int line, struct wpa_ssid *ssid, int line,
const char *value) const char *value)
@@ -2218,6 +2283,7 @@ static const struct parse_data ssid_fiel @@ -2319,6 +2384,7 @@ static const struct parse_data ssid_fiel
{ INT_RANGE(fixed_freq, 0, 1) }, { INT_RANGE(fixed_freq, 0, 1) },
{ FUNC(rates) }, { FUNC(rates) },
{ FUNC(mcast_rate) }, { FUNC(mcast_rate) },
@ -134,7 +134,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
{ INT_RANGE(macsec_integ_only, 0, 1) }, { INT_RANGE(macsec_integ_only, 0, 1) },
--- a/wpa_supplicant/config_ssid.h --- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h +++ b/wpa_supplicant/config_ssid.h
@@ -723,6 +723,8 @@ struct wpa_ssid { @@ -739,6 +739,8 @@ struct wpa_ssid {
unsigned char rates[WLAN_SUPP_RATES_MAX]; unsigned char rates[WLAN_SUPP_RATES_MAX];
double mcast_rate; double mcast_rate;
@ -145,7 +145,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
/** /**
--- a/wpa_supplicant/wpa_supplicant.c --- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c +++ b/wpa_supplicant/wpa_supplicant.c
@@ -2568,6 +2568,8 @@ static void wpas_start_assoc_cb(struct w @@ -2788,6 +2788,8 @@ static void wpas_start_assoc_cb(struct w
i++; i++;
} }
params.mcast_rate = ssid->mcast_rate; params.mcast_rate = ssid->mcast_rate;

2
package/network/services/hostapd/patches/470-survey_data_fallback.patch
View File

@ -20,7 +20,7 @@
total = survey->channel_time; total = survey->channel_time;
@@ -395,20 +389,19 @@ static int acs_usable_vht80_chan(struct @@ -392,20 +386,19 @@ static int acs_usable_vht80_chan(struct
static int acs_survey_is_sufficient(struct freq_survey *survey) static int acs_survey_is_sufficient(struct freq_survey *survey)
{ {
if (!(survey->filled & SURVEY_HAS_NF)) { if (!(survey->filled & SURVEY_HAS_NF)) {

70
package/network/services/hostapd/patches/600-ubus_support.patch
View File

@ -22,7 +22,7 @@
struct wpa_ctrl_dst; struct wpa_ctrl_dst;
struct radius_server_data; struct radius_server_data;
@@ -119,6 +120,7 @@ struct hostapd_data { @@ -122,6 +123,7 @@ struct hostapd_data {
struct hostapd_iface *iface; struct hostapd_iface *iface;
struct hostapd_config *iconf; struct hostapd_config *iconf;
struct hostapd_bss_config *conf; struct hostapd_bss_config *conf;
@ -30,7 +30,7 @@
int interface_added; /* virtual interface added for this BSS */ int interface_added; /* virtual interface added for this BSS */
unsigned int started:1; unsigned int started:1;
unsigned int disabled:1; unsigned int disabled:1;
@@ -328,6 +330,8 @@ struct hostapd_iface { @@ -370,6 +372,8 @@ struct hostapd_iface {
struct hostapd_config *conf; struct hostapd_config *conf;
char phy[16]; /* Name of the PHY (radio) */ char phy[16]; /* Name of the PHY (radio) */
@ -41,7 +41,7 @@
HAPD_IFACE_DISABLED, HAPD_IFACE_DISABLED,
--- a/src/ap/hostapd.c --- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c +++ b/src/ap/hostapd.c
@@ -302,6 +302,7 @@ static void hostapd_free_hapd_data(struc @@ -309,6 +309,7 @@ static void hostapd_free_hapd_data(struc
hapd->started = 0; hapd->started = 0;
wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface); wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
@ -49,7 +49,7 @@
iapp_deinit(hapd->iapp); iapp_deinit(hapd->iapp);
hapd->iapp = NULL; hapd->iapp = NULL;
accounting_deinit(hapd); accounting_deinit(hapd);
@@ -1160,6 +1161,8 @@ static int hostapd_setup_bss(struct host @@ -1186,6 +1187,8 @@ static int hostapd_setup_bss(struct host
if (hapd->driver && hapd->driver->set_operstate) if (hapd->driver && hapd->driver->set_operstate)
hapd->driver->set_operstate(hapd->drv_priv, 1); hapd->driver->set_operstate(hapd->drv_priv, 1);
@ -58,7 +58,7 @@
return 0; return 0;
} }
@@ -1683,6 +1686,7 @@ static int hostapd_setup_interface_compl @@ -1711,6 +1714,7 @@ static int hostapd_setup_interface_compl
if (err) if (err)
goto fail; goto fail;
@ -66,7 +66,7 @@
wpa_printf(MSG_DEBUG, "Completing interface initialization"); wpa_printf(MSG_DEBUG, "Completing interface initialization");
if (iface->conf->channel) { if (iface->conf->channel) {
#ifdef NEED_AP_MLME #ifdef NEED_AP_MLME
@@ -1862,6 +1866,7 @@ dfs_offload: @@ -1890,6 +1894,7 @@ dfs_offload:
fail: fail:
wpa_printf(MSG_ERROR, "Interface initialization failed"); wpa_printf(MSG_ERROR, "Interface initialization failed");
@ -74,7 +74,7 @@
hostapd_set_state(iface, HAPD_IFACE_DISABLED); hostapd_set_state(iface, HAPD_IFACE_DISABLED);
wpa_msg(hapd->msg_ctx, MSG_INFO, AP_EVENT_DISABLED); wpa_msg(hapd->msg_ctx, MSG_INFO, AP_EVENT_DISABLED);
#ifdef CONFIG_FST #ifdef CONFIG_FST
@@ -2310,6 +2315,7 @@ void hostapd_interface_deinit_free(struc @@ -2344,6 +2349,7 @@ void hostapd_interface_deinit_free(struc
(unsigned int) iface->conf->num_bss); (unsigned int) iface->conf->num_bss);
driver = iface->bss[0]->driver; driver = iface->bss[0]->driver;
drv_priv = iface->bss[0]->drv_priv; drv_priv = iface->bss[0]->drv_priv;
@ -84,7 +84,7 @@
__func__, driver, drv_priv); __func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c --- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c +++ b/src/ap/ieee802_11.c
@@ -1293,7 +1293,8 @@ void ieee802_11_finish_fils_auth(struct @@ -1587,7 +1587,8 @@ ieee802_11_set_radius_info(struct hostap
static void handle_auth(struct hostapd_data *hapd, static void handle_auth(struct hostapd_data *hapd,
@ -94,7 +94,7 @@
{ {
u16 auth_alg, auth_transaction, status_code; u16 auth_alg, auth_transaction, status_code;
u16 resp = WLAN_STATUS_SUCCESS; u16 resp = WLAN_STATUS_SUCCESS;
@@ -1309,6 +1310,11 @@ static void handle_auth(struct hostapd_d @@ -1603,6 +1604,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL; char *identity = NULL;
char *radius_cui = NULL; char *radius_cui = NULL;
u16 seq_ctrl; u16 seq_ctrl;
@ -104,24 +104,22 @@
+ .frame_info = fi, + .frame_info = fi,
+ }; + };
os_memset(&vlan_id, 0, sizeof(vlan_id)); if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
@@ -1466,6 +1472,14 @@ static void handle_auth(struct hostapd_d @@ -1757,6 +1763,12 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE; resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail; goto fail;
} }
+
+ if (hostapd_ubus_handle_event(hapd, &req)) { + if (hostapd_ubus_handle_event(hapd, &req)) {
+ wpa_printf(MSG_DEBUG, "Station " MACSTR " rejected by ubus handler.\n", + wpa_printf(MSG_DEBUG, "Station " MACSTR " rejected by ubus handler.\n",
+ MAC2STR(mgmt->sa)); + MAC2STR(mgmt->sa));
+ resp = WLAN_STATUS_UNSPECIFIED_FAILURE; + resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
+ goto fail; + goto fail;
+ } + }
+ if (res == HOSTAPD_ACL_PENDING)
if (res == HOSTAPD_ACL_PENDING) { return;
wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
" waiting for an external authentication", @@ -2870,7 +2882,7 @@ void fils_hlp_timeout(void *eloop_ctx, v
@@ -2391,7 +2405,7 @@ static u16 send_assoc_resp(struct hostap
static void handle_assoc(struct hostapd_data *hapd, static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len, const struct ieee80211_mgmt *mgmt, size_t len,
@ -130,10 +128,10 @@
{ {
u16 capab_info, listen_interval, seq_ctrl, fc; u16 capab_info, listen_interval, seq_ctrl, fc;
u16 resp = WLAN_STATUS_SUCCESS, reply_res; u16 resp = WLAN_STATUS_SUCCESS, reply_res;
@@ -2399,6 +2413,11 @@ static void handle_assoc(struct hostapd_ @@ -2884,6 +2896,11 @@ static void handle_assoc(struct hostapd_
int left, i; #ifdef CONFIG_FILS
struct sta_info *sta; int delay_assoc = 0;
u8 *tmp = NULL; #endif /* CONFIG_FILS */
+ struct hostapd_ubus_request req = { + struct hostapd_ubus_request req = {
+ .type = HOSTAPD_UBUS_ASSOC_REQ, + .type = HOSTAPD_UBUS_ASSOC_REQ,
+ .mgmt_frame = mgmt, + .mgmt_frame = mgmt,
@ -142,7 +140,7 @@
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) : if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) { sizeof(mgmt->u.assoc_req))) {
@@ -2518,6 +2537,13 @@ static void handle_assoc(struct hostapd_ @@ -3051,6 +3068,13 @@ static void handle_assoc(struct hostapd_
} }
#endif /* CONFIG_MBO */ #endif /* CONFIG_MBO */
@ -156,7 +154,7 @@
/* /*
* sta->capability is used in check_assoc_ies() for RRM enabled * sta->capability is used in check_assoc_ies() for RRM enabled
* capability element. * capability element.
@@ -2688,6 +2714,7 @@ static void handle_disassoc(struct hosta @@ -3258,6 +3282,7 @@ static void handle_disassoc(struct hosta
wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d", wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
MAC2STR(mgmt->sa), MAC2STR(mgmt->sa),
le_to_host16(mgmt->u.disassoc.reason_code)); le_to_host16(mgmt->u.disassoc.reason_code));
@ -164,7 +162,7 @@
sta = ap_get_sta(hapd, mgmt->sa); sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) { if (sta == NULL) {
@@ -2742,6 +2769,8 @@ static void handle_deauth(struct hostapd @@ -3323,6 +3348,8 @@ static void handle_deauth(struct hostapd
" reason_code=%d", " reason_code=%d",
MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code)); MAC2STR(mgmt->sa), le_to_host16(mgmt->u.deauth.reason_code));
@ -173,7 +171,7 @@
sta = ap_get_sta(hapd, mgmt->sa); sta = ap_get_sta(hapd, mgmt->sa);
if (sta == NULL) { if (sta == NULL) {
wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying " wpa_msg(hapd->msg_ctx, MSG_DEBUG, "Station " MACSTR " trying "
@@ -3025,7 +3054,7 @@ int ieee802_11_mgmt(struct hostapd_data @@ -3637,7 +3664,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) { if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@ -182,7 +180,7 @@
return 1; return 1;
} }
@@ -3043,17 +3072,17 @@ int ieee802_11_mgmt(struct hostapd_data @@ -3657,17 +3684,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) { switch (stype) {
case WLAN_FC_STYPE_AUTH: case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth"); wpa_printf(MSG_DEBUG, "mgmt::auth");
@ -205,7 +203,7 @@
case WLAN_FC_STYPE_DISASSOC: case WLAN_FC_STYPE_DISASSOC:
--- a/src/ap/beacon.c --- a/src/ap/beacon.c
+++ b/src/ap/beacon.c +++ b/src/ap/beacon.c
@@ -702,7 +702,7 @@ void sta_track_claim_taxonomy_info(struc @@ -716,7 +716,7 @@ void sta_track_claim_taxonomy_info(struc
void handle_probe_req(struct hostapd_data *hapd, void handle_probe_req(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len, const struct ieee80211_mgmt *mgmt, size_t len,
@ -214,7 +212,7 @@
{ {
u8 *resp; u8 *resp;
struct ieee802_11_elems elems; struct ieee802_11_elems elems;
@@ -711,9 +711,15 @@ void handle_probe_req(struct hostapd_dat @@ -725,9 +725,15 @@ void handle_probe_req(struct hostapd_dat
size_t i, resp_len; size_t i, resp_len;
int noack; int noack;
enum ssid_match_result res; enum ssid_match_result res;
@ -230,7 +228,7 @@
if (len < IEEE80211_HDRLEN) if (len < IEEE80211_HDRLEN)
return; return;
@@ -880,6 +886,12 @@ void handle_probe_req(struct hostapd_dat @@ -894,6 +900,12 @@ void handle_probe_req(struct hostapd_dat
} }
#endif /* CONFIG_P2P */ #endif /* CONFIG_P2P */
@ -256,7 +254,7 @@
int ieee802_11_update_beacons(struct hostapd_iface *iface); int ieee802_11_update_beacons(struct hostapd_iface *iface);
--- a/src/ap/drv_callbacks.c --- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c +++ b/src/ap/drv_callbacks.c
@@ -52,6 +52,10 @@ int hostapd_notif_assoc(struct hostapd_d @@ -116,6 +116,10 @@ int hostapd_notif_assoc(struct hostapd_d
u16 reason = WLAN_REASON_UNSPECIFIED; u16 reason = WLAN_REASON_UNSPECIFIED;
u16 status = WLAN_STATUS_SUCCESS; u16 status = WLAN_STATUS_SUCCESS;
const u8 *p2p_dev_addr = NULL; const u8 *p2p_dev_addr = NULL;
@ -267,7 +265,7 @@
if (addr == NULL) { if (addr == NULL) {
/* /*
@@ -131,6 +135,12 @@ int hostapd_notif_assoc(struct hostapd_d @@ -195,6 +199,12 @@ int hostapd_notif_assoc(struct hostapd_d
goto fail; goto fail;
} }
@ -282,7 +280,7 @@
wpabuf_free(sta->p2p_ie); wpabuf_free(sta->p2p_ie);
--- a/src/ap/sta_info.c --- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c +++ b/src/ap/sta_info.c
@@ -386,6 +386,7 @@ void ap_handle_timer(void *eloop_ctx, vo @@ -404,6 +404,7 @@ void ap_handle_timer(void *eloop_ctx, vo
HOSTAPD_LEVEL_INFO, "deauthenticated due to " HOSTAPD_LEVEL_INFO, "deauthenticated due to "
"local deauth request"); "local deauth request");
ap_free_sta(hapd, sta); ap_free_sta(hapd, sta);
@ -290,7 +288,7 @@
return; return;
} }
@@ -533,6 +534,7 @@ skip_poll: @@ -551,6 +552,7 @@ skip_poll:
hapd, sta, hapd, sta,
WLAN_REASON_PREV_AUTH_NOT_VALID); WLAN_REASON_PREV_AUTH_NOT_VALID);
ap_free_sta(hapd, sta); ap_free_sta(hapd, sta);
@ -300,7 +298,7 @@
} }
--- a/src/ap/wpa_auth_glue.c --- a/src/ap/wpa_auth_glue.c
+++ b/src/ap/wpa_auth_glue.c +++ b/src/ap/wpa_auth_glue.c
@@ -159,6 +159,7 @@ static void hostapd_wpa_auth_psk_failure @@ -173,6 +173,7 @@ static void hostapd_wpa_auth_psk_failure
struct hostapd_data *hapd = ctx; struct hostapd_data *hapd = ctx;
wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR, wpa_msg(hapd->msg_ctx, MSG_INFO, AP_STA_POSSIBLE_PSK_MISMATCH MACSTR,
MAC2STR(addr)); MAC2STR(addr));

169
package/network/services/hostapd/src/src/ap/ubus.c
View File

@ -9,8 +9,10 @@
#include "utils/includes.h" #include "utils/includes.h"
#include "utils/common.h" #include "utils/common.h"
#include "utils/eloop.h" #include "utils/eloop.h"
#include "utils/wpabuf.h"
#include "common/ieee802_11_defs.h" #include "common/ieee802_11_defs.h"
#include "hostapd.h" #include "hostapd.h"
#include "neighbor_db.h"
#include "wps_hostapd.h" #include "wps_hostapd.h"
#include "sta_info.h" #include "sta_info.h"
#include "ubus.h" #include "ubus.h"
@ -447,6 +449,170 @@ hostapd_vendor_elements(struct ubus_context *ctx, struct ubus_object *obj,
return UBUS_STATUS_OK; return UBUS_STATUS_OK;
} }
static void
hostapd_rrm_print_nr(struct hostapd_neighbor_entry *nr)
{
const u8 *data;
char *str;
int len;
blobmsg_printf(&b, "", MACSTR, MAC2STR(nr->bssid));
str = blobmsg_alloc_string_buffer(&b, "", nr->ssid.ssid_len + 1);
memcpy(str, nr->ssid.ssid, nr->ssid.ssid_len);
str[nr->ssid.ssid_len] = 0;
blobmsg_add_string_buffer(&b);
len = wpabuf_len(nr->nr);
str = blobmsg_alloc_string_buffer(&b, "", 2 * len + 1);
wpa_snprintf_hex(str, 2 * len + 1, wpabuf_head_u8(nr->nr), len);
blobmsg_add_string_buffer(&b);
}
static int
hostapd_rrm_nr_get_own(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,
struct blob_attr *msg)
{
struct hostapd_data *hapd = get_hapd_from_object(obj);
struct hostapd_neighbor_entry *nr;
void *c;
if (!(hapd->conf->radio_measurements[0] & WLAN_RRM_CAPS_NEIGHBOR_REPORT))
return UBUS_STATUS_NOT_SUPPORTED;
nr = hostapd_neighbor_get(hapd, hapd->own_addr, NULL);
if (!nr)
return UBUS_STATUS_NOT_FOUND;
blob_buf_init(&b, 0);
c = blobmsg_open_array(&b, "value");
hostapd_rrm_print_nr(nr);
blobmsg_close_array(&b, c);
ubus_send_reply(ctx, req, b.head);
return 0;
}
static int
hostapd_rrm_nr_list(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,
struct blob_attr *msg)
{
struct hostapd_data *hapd = get_hapd_from_object(obj);
struct hostapd_neighbor_entry *nr;
void *c;
if (!(hapd->conf->radio_measurements[0] & WLAN_RRM_CAPS_NEIGHBOR_REPORT))
return UBUS_STATUS_NOT_SUPPORTED;
blob_buf_init(&b, 0);
c = blobmsg_open_array(&b, "list");
dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry, list) {
void *cur;
if (!memcmp(nr->bssid, hapd->own_addr, ETH_ALEN))
continue;
cur = blobmsg_open_array(&b, NULL);
hostapd_rrm_print_nr(nr);
blobmsg_close_array(&b, cur);
}
blobmsg_close_array(&b, c);
ubus_send_reply(ctx, req, b.head);
return 0;
}
enum {
NR_SET_LIST,
__NR_SET_LIST_MAX
};
static const struct blobmsg_policy nr_set_policy[__NR_SET_LIST_MAX] = {
[NR_SET_LIST] = { "list", BLOBMSG_TYPE_ARRAY },
};
static void
hostapd_rrm_nr_clear(struct hostapd_data *hapd)
{
struct hostapd_neighbor_entry *nr;
restart:
dl_list_for_each(nr, &hapd->nr_db, struct hostapd_neighbor_entry, list) {
if (!memcmp(nr->bssid, hapd->own_addr, ETH_ALEN))
continue;
hostapd_neighbor_remove(hapd, nr->bssid, &nr->ssid);
goto restart;
}
}
static int
hostapd_rrm_nr_set(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,
struct blob_attr *msg)
{
static const struct blobmsg_policy nr_e_policy[] = {
{ .type = BLOBMSG_TYPE_STRING },
{ .type = BLOBMSG_TYPE_STRING },
{ .type = BLOBMSG_TYPE_STRING },
};
struct hostapd_data *hapd = get_hapd_from_object(obj);
struct blob_attr *tb_l[__NR_SET_LIST_MAX];
struct blob_attr *tb[ARRAY_SIZE(nr_e_policy)];
struct blob_attr *cur;
int ret = 0;
int rem;
if (!(hapd->conf->radio_measurements[0] & WLAN_RRM_CAPS_NEIGHBOR_REPORT))
return UBUS_STATUS_NOT_SUPPORTED;
blobmsg_parse(nr_set_policy, __NR_SET_LIST_MAX, tb_l, blob_data(msg), blob_len(msg));
if (!tb_l[NR_SET_LIST])
return UBUS_STATUS_INVALID_ARGUMENT;
hostapd_rrm_nr_clear(hapd);
blobmsg_for_each_attr(cur, tb_l[NR_SET_LIST], rem) {
struct wpa_ssid_value ssid;
struct wpabuf *data;
u8 bssid[ETH_ALEN];
char *s;
blobmsg_parse_array(nr_e_policy, ARRAY_SIZE(nr_e_policy), tb, blobmsg_data(cur), blobmsg_data_len(cur));
if (!tb[0] || !tb[1] || !tb[2])
goto invalid;
s = blobmsg_get_string(tb[0]);
if (hwaddr_aton(s, bssid))
goto invalid;
s = blobmsg_get_string(tb[1]);
ssid.ssid_len = strlen(s);
if (ssid.ssid_len > sizeof(ssid.ssid))
goto invalid;
memcpy(&ssid, s, ssid.ssid_len);
data = wpabuf_parse_bin(blobmsg_get_string(tb[2]));
if (!data)
goto invalid;
hostapd_neighbor_set(hapd, bssid, &ssid, data, NULL, NULL, 0);
wpabuf_free(data);
continue;
invalid:
ret = UBUS_STATUS_INVALID_ARGUMENT;
}
return 0;
}
static const struct ubus_method bss_methods[] = { static const struct ubus_method bss_methods[] = {
UBUS_METHOD_NOARG("get_clients", hostapd_bss_get_clients), UBUS_METHOD_NOARG("get_clients", hostapd_bss_get_clients),
UBUS_METHOD("del_client", hostapd_bss_del_client, del_policy), UBUS_METHOD("del_client", hostapd_bss_del_client, del_policy),
@ -459,6 +625,9 @@ static const struct ubus_method bss_methods[] = {
#endif #endif
UBUS_METHOD("set_vendor_elements", hostapd_vendor_elements, ve_policy), UBUS_METHOD("set_vendor_elements", hostapd_vendor_elements, ve_policy),
UBUS_METHOD("notify_response", hostapd_notify_response, notify_policy), UBUS_METHOD("notify_response", hostapd_notify_response, notify_policy),
UBUS_METHOD_NOARG("rrm_nr_get_own", hostapd_rrm_nr_get_own),
UBUS_METHOD_NOARG("rrm_nr_list", hostapd_rrm_nr_list),
UBUS_METHOD("rrm_nr_set", hostapd_rrm_nr_set, nr_set_policy),
}; };
static struct ubus_object_type bss_object_type = static struct ubus_object_type bss_object_type =

6
package/system/uci/Makefile
View File

@ -13,9 +13,9 @@ PKG_RELEASE:=1
PKG_SOURCE_URL=$(LEDE_GIT)/project/uci.git PKG_SOURCE_URL=$(LEDE_GIT)/project/uci.git
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_DATE=2017-04-12 PKG_SOURCE_DATE=2017-09-29
PKG_SOURCE_VERSION:=c4df32b386c7bb29568140d135d7315e76c934b7 PKG_SOURCE_VERSION:=5ad59ad412a784c5c478e31d1701ce39568ffd58
PKG_MIRROR_HASH:=88abfe828f164666e3d3c90141449d9c8f622d32b29df135b1b72fcadbb2cb34 PKG_MIRROR_HASH:=0c1c40e8c7e08163a4c8d306ab4b676a9c545028e14aa57b5cf2d6f7bfe726cb
PKG_LICENSE:=LGPL-2.1 PKG_LICENSE:=LGPL-2.1
PKG_LICENSE_FILES:= PKG_LICENSE_FILES:=