mtk-20170518/package/network/services/hostapd, branch reboot MTK 20170518 : Mediatek SDK based on OpenWRT Barrier Breaker hostapd.sh: Add support for "anonymous_identity" config field 2016-04-17T12:50:55+00:00 Hauke Mehrtens hauke@hauke-m.de 2016-04-17T12:50:55+00:00 3830200d6ad8f0197ca4f8e0a99d3a043214de10 The wpa_supplicant supports an "anonymous_identity" field, which some EAP networks require. From the documentation: anonymous_identity: Anonymous identity string for EAP (to be used as the unencrypted identity with EAP types that support different tunnelled identity, e.g., EAP-TTLS). This change modifies the hostapd.sh script to propagate this field from the UCI config to the wpa_supplicant.conf file. Signed-off-by: Kevin O'Connor <kevin@koconnor.net> Reviewed-by: Manuel Munz <freifunk@somakoma.de> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 49181 
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require.  From the documentation:

anonymous_identity: Anonymous identity string for EAP (to be used as the
    unencrypted identity with EAP types that support different tunnelled
    identity, e.g., EAP-TTLS).

This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.

Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49181
hostapd: remove useless TLS provider selection override for wpad-mesh/wpa_supplicant-mesh 2016-01-28T22:42:14+00:00 Felix Fietkau nbd@openwrt.org 2016-01-28T22:42:14+00:00 eb47ddd55710729036bfd67f2e71c1d8abbd6819 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48537 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48537
hostapd: fix mesh interface bridge handling 2016-01-28T17:20:10+00:00 Felix Fietkau nbd@openwrt.org 2016-01-28T17:20:10+00:00 18b2f2d6943342bda498dfdbdf25d3ba6265c408 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48529 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48529
hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues 2016-01-28T17:19:48+00:00 Felix Fietkau nbd@openwrt.org 2016-01-28T17:19:48+00:00 b4ef1fca4836986d2e3257493648b75b07510193 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48528 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48528
hostapd: update to version 2016-01-15 2016-01-28T17:19:13+00:00 Felix Fietkau nbd@openwrt.org 2016-01-28T17:19:13+00:00 924407b253fdf22ab27e72ae38b4d9513d0191c8 Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48527 
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48527
wpa_supplicant: add support for EAP-TLS phase2 2016-01-19T10:06:29+00:00 Felix Fietkau nbd@openwrt.org 2016-01-19T10:06:29+00:00 faad8b68a463a42b70b2d93582f79d1ac1e5acca Introduce config options client_cert2, priv_key2 and priv_key2_pwd used for EAP-TLS phase2 authentication in WPA-EAP client mode. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48345 
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48345
hostap/wpa_supplicant: enable EAP-FAST in -full builds 2016-01-19T10:06:23+00:00 Felix Fietkau nbd@openwrt.org 2016-01-19T10:06:23+00:00 3b15eb0adeefa0e9282daec091985953d8c035a9 Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48344 
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48344
wpa_supplicant: improve generating phase2 config line for WPA-EAP 2016-01-18T11:40:44+00:00 Felix Fietkau nbd@openwrt.org 2016-01-18T11:40:44+00:00 e4cf25cfab7dc52bae02d44308e56e7437cb6433 WPA-EAP supports several phase2 (=inner) authentication methods when using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first step towards the UCI model supporting EAP-FAST by this commit) The value of the auth config variable was previously expected to be directly parseable as the content of the 'phase2' option of wpa_supplicant. This exposed wpa_supplicant's internals, leaving it to view-level to set the value properly. Unfortunately, this is currently not the case, as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'. Users thus probably diverged and set auth to values like 'auth=MSCHAPV2' as a work-around. This behaviour isn't explicitely documented anywhere and is not quite intuitive... The phase2-string is now generated according to $eap_type and $auth, following the scheme also found in hostap's test-cases: http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py The old behaviour is also still supported for the sake of not breaking existing, working configurations. Examples: eap_type auth 'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2" 'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2" 'peap' 'EAP-GTC' -> phase2="auth=GTC" Deprecated syntax supported for compatibility: 'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2" I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to the list of Authentication methods available. Signed-off-by: Daniel Golle <daniel@makrotopia.org> SVN-Revision: 48309 
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...

The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.

Examples:
  eap_type   auth
  'ttls'     'EAP-MSCHAPV2'     -> phase2="autheap=MSCHAPV2"
  'ttls'     'MSCHAPV2'         -> phase2="auth=MSCHAPV2"
  'peap'     'EAP-GTC'          -> phase2="auth=GTC"

Deprecated syntax supported for compatibility:
  'ttls'     'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"

I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48309
hostapd: fix disassociation with FullMAC drivers and multi-BSS 2016-01-11T18:51:47+00:00 Rafał Miłecki zajec5@gmail.com 2016-01-11T18:51:47+00:00 2611a5538eae308e69000f42eecde5d7fdfe7a25 Signed-off-by: Rafał Miłecki <zajec5@gmail.com> SVN-Revision: 48202 
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 48202
hostapd: fix post v2.4 security issues 2016-01-10T17:03:37+00:00 Felix Fietkau nbd@openwrt.org 2016-01-10T17:03:37+00:00 6c40914c0c637ee27ab513e734ef63e5a532cdb1 - WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141) - EAP-pwd peer: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd server: Fix payload length validation for Commit and Confirm (CVE-2015-4143) - EAP-pwd peer: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd server: Fix Total-Length parsing for fragment reassembly (CVE-2015-4144, CVE-2015-4145) - EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146) - NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041) - WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use (CVE-2015-5310) - EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315) - EAP-pwd server: Fix last fragment length validation (CVE-2015-5314) - EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316) Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> SVN-Revision: 48185 
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
  (CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

SVN-Revision: 48185