The function was using phydev.name (e.g., "phy0.0") instead of
phydev.phy (e.g., "phy0") when calling wpa_supplicant.phy_set_macaddr_list.
This is inconsistent with all other wpa_supplicant ubus calls in the same
file which correctly use phydev.phy.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Assign the address at wdev create time, similar to legacy interfaces.
Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This allows wpa_supplicant to process pending netlink socket messages
first. Without this change, there is a race condition where the newly
created interface processes netlink events from the removal of the
previous interface.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it possible to have more flexible control over the supplicant
without having to install wpa_cli.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Interface might be down or scanning. Better do a full restart in order to avoid
messing up the runtime state.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Do not allow hostapd phy state update to bring up links as long between mld_set
and mld_start calls. Configuration on other PHYs could still be pending.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Bring up AP interfaces, even if no frequency update was provided.
Fixes bringup when a MLO STA on the same radios connects to fewer links
than available, or to a non-MLD AP.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Removing the last remaining link from an MLD AP interface removes the
interface as well. Re-create the interface if necessary on config changes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Can also be used for a client mode interface that is able to connect on
multiple bands individually, while handling hostapd state for the correct
band.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Execute scripts in /etc/rc.wps until one of them returns a exit code of 0.
Split up sta and ap handling of wps into separate scripts.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
MLO interface config is provided in a separate ubus call before
adding regular per-phy interfaces.
Preparation for full MLO support.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Currently, logging level of the RADIUS server is a constant corresponding
to the highest verbosity (EXCESSIVE, ALL), but when running as a system
service, the output is discarded.
This commit makes logging verbosity configurable by `log_level` option
and redirects all logs to `logd`. Possible levels are defined in hostap
sources:
https://w1.fi/cgit/hostap/tree/src/utils/wpa_debug.h?id=012a893c469157d5734f6f33953497ea6e3b0169#n23
Their reference is inlined in `radius.config` file.
Default value for logging verbosity is INFO (even if the `-l` flag isn't
specified).
Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev>
Link: https://github.com/openwrt/openwrt/pull/18089
Signed-off-by: Robert Marko <robimarko@gmail.com>
Even though IPv6 support for hostapd RADIUS server is implemented
(flag `-6`), it's not possible to enable it from configuration.
This commit adds this option and adapts init script.
Signed-off-by: Dávid Benko <davidbenko@davidbenko.dev>
Link: https://github.com/openwrt/openwrt/pull/18089
Signed-off-by: Robert Marko <robimarko@gmail.com>
access to undeclared variable radio In [anonymous function](), file /usr/share/hostap/hostapd.uc, line 830, byte 45:
Signed-off-by: Florian Maurer <f.maurer@outlook.de>
Initial support for dynamic reload of RxKHs.
In order to check if RxKHs need reloading.
RxKHs defined in the rxkh_file first has to be parsed and formated,
the same way as hostapd will read from the file and also output,
with the command GET_RXKHS.
Then each list of RxKHs can be hashed and compared.
Ucode implementation of hostapds rkh_derive_key() function.
Hostapd converts hex keys with 128-bits or more when less than 256-bits
to 256-bits, and truncates those that are more than 256-bits.
See: https://w1.fi/cgit/hostap/commit/hostapd/config_file.c?id=245fc96e5f4b1c566b7eaa19180c774307ebed79
Signed-off-by: Sybil127 <sybil127@outlook.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Regarding SAE support in wifi-station:
Important Note: Unlike PSK wifi-stations, both `mac` and `key` options are required
to make it work. With PSK, hostapd used to perform a brute-force match to find which
PSK entry to use, but with SAE this is infeasible due to SAE's design.
When `mac` is omitted, it will allow any MAC address to use the SAE password if it
didn't have a MAC address assigned to it, but this could only be done once.
The last wildcard entry would be used.
Also, unlike "hostapd: add support for SAE in PPSK option" (commit 913368a),
it is not required to set `sae_pwe` to `0`. This gives it a slight advantage
over using PPSK that goes beyond not needing RADIUS.
Example Configuration:
```
config wifi-vlan
option iface default_radio0
option name 999
option vid 999
option network management
config wifi-station
# Allow user with MAC address 00:11:22:33:44:55 and matching
# key "secretadminpass" to access the management network.
option iface default_radio0
option vid 999
option mac '00:11:22:33:44:55'
option key secretadminpass
config wifi-vlan
option iface default_radio0
option name 100
option vid 100
option network guest
config wifi-station
# With SAE, when 'mac' is omitted it will be the fallback in case no
# other MAC address matches. It won't be possible for a user that
# has a matching MAC to use this network (i.e., 00:11:22:33:44:55
# in this example).
option iface default_radio0
option vid 100
option key guestpass
```
Regarding PSK file creation optimization:
This patch now conditionally runs `hostapd_set_psk_file` depending on `auth_type`.
Previously, `hostapd_set_psk` would always execute `hostapd_set_psk_file`, which
would create a new file if `wifi-station` was in use even if PSK was not enabled.
This change checks the `auth_type` to ensure that it is appropriate to parse the
`wifi-station` entries and create those files.
Furthermore, we now only configure `wpa_psk_file` when it is a supported option
(i.e., psk or psk-sae is used). Previously, we used to configure it when it was
not necessary. While it didn't cause any issues, it would litter `/var/run` with
unnecessary files. This patch fixes that case by configuring it depending on the
`auth_type`.
The new SAE support is aligned with these PSK file changes.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/17145
Signed-off-by: John Crispin <john@phrozen.org>
The internal hostapd version cannot be built with EAP-pwd support, so
enable it only for the SSL variants.
Fixes: #17163
Fixes: 6365316fab ("hostapd: add ubus support for wired driver")
Link: https://github.com/openwrt/openwrt/pull/17164
Signed-off-by: Robert Marko <robimarko@gmail.com>
Use and alternate ubus object when the config contains "driver=wired". This
commit is in preparation of the ieee8021x-wired daemon.
Signed-off-by: John Crispin <john@phrozen.org>
Supports reading the same parameters currently being used by iwinfo.
Preparation for replacing iwinfo with a rewrite in ucode.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This can happen if the bridge or a stacked vlan device gets recreated.
Ensure that hostapd sees the change and handles it gracefully.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
802.11r can not be used when selecting WPA. It needs at least WPA2.
This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.
Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
