[openwrt/openwrt] hostapd: add a patch that allows processing auth requests for peers in blocked state

LEDE Commits lede-commits at lists.infradead.org
Wed Nov 24 09:27:01 PST 2021


nbd pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/f84053af5c0b0a159ea4d3e90b0c06574b4fde8d

commit f84053af5c0b0a159ea4d3e90b0c06574b4fde8d
Author: Felix Fietkau <nbd at nbd.name>
AuthorDate: Wed Nov 24 17:02:26 2021 +0100

    hostapd: add a patch that allows processing auth requests for peers in blocked state
    
    If authentication fails repeatedly e.g. because of a weak signal, the link
    can end up in blocked state. If one of the nodes tries to establish a link
    again before it is unblocked on the other side, it will block the link to
    that other side. The same happens on the other side when it unblocks the
    link. In that scenario, the link never recovers on its own.
    
    To fix this, allow restarting authentication even if the link is in blocked
    state, but don't initiate the attempt until the blocked period is over.
    
    Signed-off-by: Felix Fietkau <nbd at nbd.name>
---
 ...processing-authentication-frames-in-block.patch | 34 ++++++++++++++++++++++
 .../hostapd/patches/600-ubus_support.patch         | 10 +++----
 .../750-qos_map_set_without_interworking.patch     |  2 +-
 3 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/package/network/services/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch b/package/network/services/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch
new file mode 100644
index 0000000000..6d9fd81acf
--- /dev/null
+++ b/package/network/services/hostapd/patches/040-mesh-allow-processing-authentication-frames-in-block.patch
@@ -0,0 +1,34 @@
+From: Felix Fietkau <nbd at nbd.name>
+Date: Mon, 18 Feb 2019 12:57:11 +0100
+Subject: [PATCH] mesh: allow processing authentication frames in blocked state
+
+If authentication fails repeatedly e.g. because of a weak signal, the link
+can end up in blocked state. If one of the nodes tries to establish a link
+again before it is unblocked on the other side, it will block the link to
+that other side. The same happens on the other side when it unblocks the
+link. In that scenario, the link never recovers on its own.
+
+To fix this, allow restarting authentication even if the link is in blocked
+state, but don't initiate the attempt until the blocked period is over.
+
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+---
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -3761,15 +3761,6 @@ static void handle_auth(struct hostapd_d
+ 				       seq_ctrl);
+ 			return;
+ 		}
+-#ifdef CONFIG_MESH
+-		if ((hapd->conf->mesh & MESH_ENABLED) &&
+-		    sta->plink_state == PLINK_BLOCKED) {
+-			wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR
+-				   " is blocked - drop Authentication frame",
+-				   MAC2STR(mgmt->sa));
+-			return;
+-		}
+-#endif /* CONFIG_MESH */
+ #ifdef CONFIG_PASN
+ 		if (auth_alg == WLAN_AUTH_PASN &&
+ 		    (sta->flags & WLAN_STA_ASSOC)) {
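Review bot: With the `PLINK_BLOCKED` early return deleted from handle_auth, Authentication frames from a blocked mesh peer now continue into the rest of the auth path, so the blocked period no longer limits how often such a peer can make this node process auth attempts after repeated failures. The description says the local side still does not initiate until the block expires, but nothing in this hunk shows where that is enforced or where `sta->plink_state` leaves `PLINK_BLOCKED` after a successful exchange; the patch description should name that code path so the remaining throttle can be checked. To keep the event visible in logs, the old condition could stay without its `return`, logging `wpa_printf(MSG_DEBUG, "Mesh peer " MACSTR " is blocked - processing Authentication frame", MAC2STR(mgmt->sa));`. handle_auth's body starts and ends outside the hunk, so any later state check cannot be confirmed from here.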
diff --git a/package/network/services/hostapd/patches/600-ubus_support.patch b/package/network/services/hostapd/patches/600-ubus_support.patch
index b7f156bceb..358c53167a 100644
--- a/package/network/services/hostapd/patches/600-ubus_support.patch
+++ b/package/network/services/hostapd/patches/600-ubus_support.patch
@@ -126,7 +126,7 @@
  	if (res == HOSTAPD_ACL_PENDING)
  		return;
  
-@@ -5454,7 +5466,7 @@ static void handle_assoc(struct hostapd_
+@@ -5445,7 +5457,7 @@ static void handle_assoc(struct hostapd_
  	int resp = WLAN_STATUS_SUCCESS;
  	u16 reply_res = WLAN_STATUS_UNSPECIFIED_FAILURE;
  	const u8 *pos;
@@ -135,7 +135,7 @@
  	struct sta_info *sta;
  	u8 *tmp = NULL;
  #ifdef CONFIG_FILS
-@@ -5667,6 +5679,11 @@ static void handle_assoc(struct hostapd_
+@@ -5658,6 +5670,11 @@ static void handle_assoc(struct hostapd_
  		left = res;
  	}
  #endif /* CONFIG_FILS */
@@ -147,7 +147,7 @@
  
  	/* followed by SSID and Supported rates; and HT capabilities if 802.11n
  	 * is used */
-@@ -5765,6 +5782,13 @@ static void handle_assoc(struct hostapd_
+@@ -5756,6 +5773,13 @@ static void handle_assoc(struct hostapd_
  	}
  #endif /* CONFIG_FILS */
  
@@ -161,7 +161,7 @@
   fail:
  
  	/*
-@@ -5858,6 +5882,7 @@ static void handle_disassoc(struct hosta
+@@ -5849,6 +5873,7 @@ static void handle_disassoc(struct hosta
  	wpa_printf(MSG_DEBUG, "disassocation: STA=" MACSTR " reason_code=%d",
  		   MAC2STR(mgmt->sa),
  		   le_to_host16(mgmt->u.disassoc.reason_code));
@@ -169,7 +169,7 @@
  
  	sta = ap_get_sta(hapd, mgmt->sa);
  	if (sta == NULL) {
-@@ -5927,6 +5952,8 @@ static void handle_deauth(struct hostapd
+@@ -5918,6 +5943,8 @@ static void handle_deauth(struct hostapd
  	/* Clear the PTKSA cache entries for PASN */
  	ptksa_cache_flush(hapd->ptksa, mgmt->sa, WPA_CIPHER_NONE);
  
diff --git a/package/network/services/hostapd/patches/750-qos_map_set_without_interworking.patch b/package/network/services/hostapd/patches/750-qos_map_set_without_interworking.patch
index 1e6892e375..a7a221352f 100644
--- a/package/network/services/hostapd/patches/750-qos_map_set_without_interworking.patch
+++ b/package/network/services/hostapd/patches/750-qos_map_set_without_interworking.patch
@@ -65,7 +65,7 @@
  	wpabuf_free(sta->hs20_ie);
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
-@@ -4136,13 +4136,11 @@ static u16 copy_supp_rates(struct hostap
+@@ -4127,13 +4127,11 @@ static u16 copy_supp_rates(struct hostap
  static u16 check_ext_capab(struct hostapd_data *hapd, struct sta_info *sta,
  			   const u8 *ext_capab_ie, size_t ext_capab_ie_len)
  {


