4383528e0 P2P: Use weighted preferred channel list for channel selection
f2c5c8d38 QCA vendor attribute to configure RX link speed threshold for roaming
94bc94b20 Add QCA vendor attribute for DO_ACS to allow using existing scan entries
b9e2826b9 P2P: Filter 6 GHz channels if peer doesn't support them
d5a9944b8 Reserve QCA vendor sub command id 206..212
ed63c286f Remove space before tab in QCA vendor commands
e4015440a ProxyARP: Clear bridge parameters on deinit only if hostapd set them
02047e9c8 hs20-osu-client: Explicit checks for snprintf() result
cd92f7f98 FIPS PRF: Avoid duplicate SHA1Init() functionality
5c87fcc15 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
9e305878c SAE-PK: Fix build without AES-SIV
c41004d86 OpenSSL: Convert more crypto_ec_key routines to new EVP API
667a2959c OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
5b97395b3 OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
177ebfe10 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
26780d92f crypto: Convert crypto_ec_key_get_private_key() to return new bignum
c9c2c2d9c OpenSSL: Fix a memory leak on crypto_hash_init() error path
6d19dccf9 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
4f4479ef9 OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
b092d8ee6 tests: imsi_privacy_attr
563699174 EAP-SIM/AKA peer: IMSI privacy attribute
1004fb7ee tests: Testing functionality to discard DPP Public Action frames
355069616 tests: Add forgotten files for expired IMSI privacy cert tests
b9a222cdd tests: sigma_dut and DPP curve-from-URI special functionality
fa36e7ee4 tests: sigma_dut controlled STA and EAP-AKA parameters
99165cc4b Rename wpa_supplicant imsi_privacy_key configuration parameter
dde7f90a4 tests: Update VM setup example to use Ubuntu 22.04 and UML
426932f06 tests: EAP-AKA and expired imsi_privacy_key
35eda6e70 EAP-SIM peer: Free imsi_privacy_key on an error path
1328cdeb1 Do not try to use network profile with invalid imsi_privacy_key
d1652dc7c OpenSSL: Refuse to accept expired RSA certificate
866e7b745 OpenSSL: Include rsa.h for OpenSSL 3.0
bc99366f9 OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
39e662308 tests: Work around reentrant logging issues due to __del__ misuse
72641f924 tests: Clean up failed test list in parallel-vm.py
e36a7c794 tests: Support pycryptodome
a44744d3b tests: Set ECB mode for AES explicitly to work with cryptodome
e90ea900a tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
ed325ff0f DPP: Allow TCP destination (address/port) to be used from peer URI
e58dabbcf tests: DPP URI with host info
37bb4178b DPP: Host information in bootstrapping URI
1142b6e41 EHT: Do not check HE PHY capability info reserved fields
7173992b9 tests: Flush scan table in ap_wps_priority to make it more robust
b9313e17e tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
bc3699179 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
d2ce1b4d6 tests: Wait for request before responding in dscp_response
Compile-tested: all versions / ath79-generic, ramips-mt7621
Run-tested: hostapd-wolfssl / ath79-generic, ramips-mt7621
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit dab91036d6)
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
7e06706 iw: event: report missing radar events
5909e73 iw: survey: add support for radio stats
64bf570 update nl80211.h
0900996 iw: print Radar background capability if supported
56c6077 iw: print out assoc comeback event
a4e5418 iw: support 160MHz frequency command for 6GHz band
5a71b72 iw: Print local EHT capabilities
e3287a1 station: print EHT rate information
ff67fb2 iw: fix double tab in mesh path header
05a5267 iw: fix 'upto' -> 'up to'
00a2985 iw: handle VHT extended NSS
82e0bd1 update nl80211.h
c95877c info: add missing extended features
0976378 info: refactor extended features
79f20cb bump version to 5.19
Sync nl80211.h with our version of mac80211 and remove parts of the iw
code that are not supported by our version of mac80211.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit bbce9f84ec)
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 2984a04206)
This fixes passing a bogus non-null pointer to the ubus handler in case
the transition request is rejected.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 9b880f09f3)
Signed-off-by: Nick Hainke <vincent@systemli.org>
+= is needed for CMAKE_OPTIONS.
mt76 needs Ninja disabled as the kernel stuff uses normal make.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 09de28090c)
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.
Fixes: #5066
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 65258f5d60)
Notify external ubus subscribers of received link-measurement reports.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f6445cfa1a)
Add a ubus method to request link-measurements from connected STAs.
In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 965aa33a18)
Allow external processes to enable advertisement of link-measurement RRM
capability.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2ca5c3da04)
aa0e3c4bbe12 iwinfo: nl80211: add support for printing the device path for a phy
dd6d6d2dec35 iwinfo: nl80211: use new path lookup function for nl80211_phy_idx_from_uci_path
268bb26d2e2a iwinfo: nl80211: support looking up phy by path=.. and macaddr=...
c0414642fead iwinfo: nl80211: fix typo
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(backported from commit 6e8475bbd0)
Rename feature variable clang-bpf-global-var following upstream changes.
This restores the HAVE_CLANG feature override and should avoid rare build
errors where a recent host clang and BTF-enabled host kernel are present.
Fixes: 23be333401 ("bpftools: update to 5.10.10")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit cf20f1bb5f)
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.
This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 6f78723977)
Include the current operation class to hostapd get_status interface.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2a31e9ca97)
Add the beacon interval to hostapd status output. This allows external
services to discover the beacon interval for a specific VAP.
This way, external wireless management daemons can correctly calculate
fields containing TBTT value from absolute time-values.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 3ba9846842)
Imports a function from iw to convert frequencies to channel numbers.
Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
[fix potential out of bounds read]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 398df62756)
To allow steering daemons to be aware of the STA-decided transition
target, publish WNM transition responses to ubus. This way, steerings
daemons can learn about STA-chosen targets and send a better selection
of transition candidates.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a3de42e72c)
The existing wnm_disassoc_imminent ubus method only supports issuing a
bss transition request with the disassoc imminent flag set.
For use-cases, where the client is requested to roam to another BSS
without a pending disassoc, this existing method is not suitable.
Add a new bss_transition_request ubus method, which provides a more
universal way to dispatch a transition request. It takes the following
arguments:
Required:
addr: String - MAC-address of the STA to send the request to (colon-seperated)
Optional:
abridged - Bool - Indicates if the abridged flag is set
disassociation_imminent: Bool - Whether or not the disassoc_imminent
flag is set
disassociation_timer: I32 - number of TBTTs after which the client will
be disassociated
validity_period: I32 - number of TBTTs after which the beacon
candidate list (if included) will be invalid
neighbors: blob-array - Array of strings containing neighbor reports as
hex-string
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 0eed96ca5d)
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8f5875c4e2)
This fixes some recent security problems in hostapd.
See here for details: https://w1.fi/security/2022-1
* CVE-2022-23303
* CVE-2022-23304
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.
Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 18bdfc803b)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[rebased for OpenWrt 21.02 branch]
If authentication fails repeatedly e.g. because of a weak signal, the link
can end up in blocked state. If one of the nodes tries to establish a link
again before it is unblocked on the other side, it will block the link to
that other side. The same happens on the other side when it unblocks the
link. In that scenario, the link never recovers on its own.
To fix this, allow restarting authentication even if the link is in blocked
state, but don't initiate the attempt until the blocked period is over.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit f84053af5c)
When a ubus event handler denies a association with a non-zero return
value, the code jumps to preceeding code, creating an endless loop until
the event handler accepts the assc request.
Move the ubus handler further up the code to avoid creating such a loop.
Signed-off-by: David Bauer <mail@david-bauer.net>
