When procd-ujail is available, 1f78538 runs hostapd as user
"network", with only limited additional capabilities (CAP_NET_ADMIN and
CAP_NET_RAW).
hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd
over a named UNIX-domain socket. hostapd_cli is responsible for creating
this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as
root, this endpoint is normally created with uid root, gid root, mode
0755. As a result, hostapd running as uid network is able to receive
control messages sent through this interface, but is not able to respond
to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY
<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device),
this message will appear from hostapd:
CTRL: sendto failed: Permission denied
As a fix, hostapd_cli should create the socket node in the filesystem
with uid network, gid network, mode 0770. This borrows the presently
Android-only strategy already in hostapd intended to solve the same
problem on Android.
If procd-ujail is not available and hostapd falls back to running as
root, it will still be able to read from and write to the socket even if
the node in the filesystem has been restricted to the network user and
group. This matches the logic in
package/network/services/hostapd/files/wpad.init, which sets the uid and
gid of /var/run/hostapd to network regardless of whether procd-ujail is
available.
As it appears that the "network" user and group are statically allocated
uid 101 and gid 101, respectively, per
package/base-files/files/etc/passwd and USERID in
package/network/services/hostapd/Makefile, this patch also uses a
constant 101 for the uid and gid.
This adds a new struct for storing statistics not (yet) tracked by
hostapd regarding RRM and WNM activity.
These statistics can be read using the get_status hostapd interface ubus
method.
Configure the HE BSS color to a random value in case the config defines
a BSS color which exceeds the max BSS color (63).
Signed-off-by: David Bauer <mail@david-bauer.net>
The wpa_supplicant code for IBSS allows to set the mcast rate. It is
recommended to increase this value from 1 or 6 Mbit/s to something higher
when using a mesh protocol on top which uses the multicast packet loss as
indicator for the link quality.
This setting was unfortunately not applied for mesh mode. But it would be
beneficial when wpa_supplicant would behave similar to IBSS mode and set
this argument during mesh join like authsae already does. At least it is
helpful for companies/projects which are currently switching to 802.11s
(without mesh_fwding and with mesh_ttl set to 1) as replacement for IBSS
because newer drivers seem to support 802.11s but not IBSS anymore.
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Tested-by: Simon Wunderlich <simon.wunderlich@openmesh.com>
wps_supplicant.h assumes that 'struct wpa_bss' is forward declared if
CONFIG_WPS is not defined. With the later inclusion of
600-ubus_support, the issue manifests in warnings like these:
wps_supplicant.h:113:15: warning: 'struct wpa_bss' declared inside parameter list will not be visible outside of this definition or declaration
struct wpa_bss *bss)
^~~~~~~
This patch forward declares 'struct wpa_bss' regardless.
Patch 460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
("wpa_supplicant: add new config params to be used with the ibss join
command") adds the definition of unsigned char
rates[WLAN_SUPP_RATES_MAX] to driver.h, which needs to have
WLAN_SUPP_RATES_MAX defined. So it includes sta_info.h to get the
definition.
Commit c74739250a ("AP MLD: Use a helper function to check if a STA is a
non-AP MLD") makes sta_info.h include driver.h before
it defines WLAN_SUPP_RATES_MAX, causing an error:
src/drivers/driver.h:969:29: error: 'WLAN_SUPP_RATES_MAX' undeclared here (not in a function)
Move the definition of WLAN_SUPP_RATES_MAX to defs.h to ensure it gets
defined before other headers are included. The inclusion of sta_info.h
in driver.h can be reverted as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This fixes linking errors found when compiling wpa_supplicant with
CONFIG_WNM_AP enabled but CONFIG_AP disabled.
Signed-off-by: David Bauer <mail@david-bauer.net>
As per standard Draft P802.11ax_D8.0,( Table 26-9—Setting
of the VHT Channel Width and VHT NSS at an HE STA
transmitting the OM Control subfield ), center frequency of
160MHz should be published in HT information subset 2 of
HT information when EXT NSS BW field is enabled.
If the supported number of NSS in 160MHz is at least max NSS
support, then center_freq_seg0 indicates the center frequency of 80MHz and
center_freq_seg1 indicates the center frequency of 160MHz.
If the supported number of NSS in 160MHz is less than max NSS
support, then center_freq_seg0 indicates the center frequency of 80MHz and
center_freq_seg1 is 0. The center frequency of 160MHz is published in HT
operation information element instead.
Signed-off-by: P Praneesh <ppranees@codeaurora.org>
crypto_ec_point_mul() with mbedtls requires point
be multiplied by a multiplicand with value < prime
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
add test-crypto_module.c to run crypto_module_tests()
adjust some tests/hwsim/*.py for mbed TLS (work in progress)
option to build and run-tests with CONFIG_TLS=internal # (default)
$ cd tests; make clean
$ make run-tests
option to build and run-tests with CONFIG_TLS=gnutls
$ cd tests; make clean CONFIG_TLS=gnutls
$ make run-tests CONFIG_TLS=gnutls
option to build and run-tests with CONFIG_TLS=mbedtls
$ cd tests; make clean CONFIG_TLS=mbedtls
$ make run-tests CONFIG_TLS=mbedtls
option to build and run-tests with CONFIG_TLS=openssl
$ cd tests; make clean CONFIG_TLS=openssl
$ make run-tests CONFIG_TLS=openssl
option to build and run-tests with CONFIG_TLS=wolfssl
$ cd tests; make clean CONFIG_TLS=wolfssl
$ make run-tests CONFIG_TLS=wolfssl
RFE: Makefile logic for crypto objects should be centralized
instead of being duplicated in hostapd/Makefile,
wpa_supplicant/Makefile, src/crypto/Makefile,
tests/Makefile, ...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Commit e978072baa ("Do prune_association only after the STA is
authorized") causes issues when an STA roams from one interface to
another interface on the same PHY. The mt7915 driver is not able to
handle this properly. While the commits fixes a DoS, there are other
devices and drivers with the same limitation, so revert to the orginal
behavior for now, until we have a better solution in place.
Ref: https://github.com/openwrt/openwrt/issues/13156
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This patch uses a deterministic channel on DFS channel switch
in mesh networks. Otherwise, when switching to a usable but not
available channel, no CSA can be sent and a random channel is choosen
without notification of other nodes. It is then quite likely, that
the mesh network gets disconnected.
Fix this by using a deterministic number, based on the sha256 hash
of the mesh ID, in order to use at least a different number in each
mesh network.
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
Note: DFS is assumed to be usable if a country code has been set
Signed-off-by: Benjamin Berg <benjamin@sipsolutions.net>
Signed-off-by: Peter Oh <peter.oh@bowerswilkins.com>
USD had a control interface commands and events defined for it. Extend
this by providing similar USD methods through the dbus control
interface.
Signed-off-by: Lo,Chin-Ran <chin-ran.lo@nxp.com>
USD had a control interface events defined for it. Extend this by
providing similar USD signals through the dbus control interface.
Signed-off-by: Lo,Chin-Ran <chin-ran.lo@nxp.com>
This was supposed to call wpa_drv_nan_update_publish() instead of
wpa_drv_nan_cancel_publish().
Fixes: 633e969311 ("NAN: Option to offload NAN DE for USD into the driver")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
There is no need to copy the A3 value for follow-up frames through the
control interface events and commands since it can be handled internally
in the service with sufficient accuracy. More parallel operations with
multiple peers might need per-peer information, but that can be extended
in the future, if that level of complexity is really needed in practice.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This reverts commit 81322fa43d ("tests: Copy A3 into NAN SDF
Follow-up") to allow simplification of the control interface by removing
the external A3 copying.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
