Commit Graph

38109 Commits (14114935691d185f50cfde882deab99ac1374001)

Author SHA1 Message Date
Kevin Darbyshire-Bryant 0946ec0f46 wireguard: bump to snapshot 20171127
== Changes ==

 * compat: support timespec64 on old kernels
 * compat: support AVX512BW+VL by lying
 * compat: fix typo and ranges
 * compat: support 4.15's netlink and barrier changes
 * poly1305-avx512: requires AVX512F+VL+BW

 Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.

 * blake2s: AVX512F+VL implementation
 * blake2s: tweak avx512 code
 * blake2s: hmac space optimization

 Another terrific submission from Samuel Neves: we now have an implementation
 of Blake2s using AVX512, which is extremely fast.

 * allowedips: optimize
 * allowedips: simplify
 * chacha20: directly assign constant and initial state

 Small performance tweaks.

 * tools: fix removing preshared keys
 * qemu: use netfilter.org https site
 * qemu: take shared lock for untarring

 Small bug fixes.

Remove myself from the maintainers list: we have enough and I'm happy to
carry on doing package bumps on ad-hoc basis without the 'official'
title.

Run-tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-27 14:51:05 +01:00
Etienne Haarsma 7f3dab2fc3 kernel: bump 4.4 to 4.4.102
Refreshed all patches.

Removed upstream ramips patch: 0063-set-CM_GCR_BASE_CMDEFTGT_MEM-according-to-datasheet.patch

Compile-tested: ar71xx
Run-tested: ar71xx

Signed-off-by: Etienne Haarsma <bladeoner112@gmail.com>
Tested-by: Stijn Segers <francesco.borromini@inventati.org>
2017-11-26 15:10:36 +01:00
Kevin Darbyshire-Bryant d3f40aabba wireguard: bump to 20171122
Bump to latest WireGuard snapshot release:

ed479fa (tag: 0.0.20171122) version: bump snapshot
efd9db0 chacha20poly1305: poly cleans up its own state
5700b61 poly1305-x86_64: unclobber %rbp
314c172 global: switch from timeval to timespec
9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
6507a03 chacha20poly1305: add more test vectors, some of which are weird
6f136a3 compat: new kernels have netlink fixes
e4b3875 compat: stable finally backported fix
cc07250 qemu: use unprefixed strip when not cross-compiling
64f1a6d tools: tighten up strtoul parsing
c3a04fe device: uninitialize socket first in destruction
82e6e3b socket: only free socket after successful creation of new
df318d1 compat: fix compilation with PaX
d911cd9 curve25519-neon: compile in thumb mode
d355e57 compat: 3.16.50 got proper rt6_get_cookie
666ee61 qemu: update kernel
2420e18 allowedips: do not write out of bounds
185c324 selftest: allowedips: randomized test mutex update
3f6ed7e wg-quick: document localhost exception and v6 rule

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-24 12:56:36 +01:00
Mathias Kresin 7ec639451d ramips: fix Planex CS-QR10 device packages
Add kmod-sound-core, it is a dependency of kmod-sound-mt7620 and will
not be autoselected.

Remove kmod-i2c-core, it will be autoselected by kmod-i2c-ralink.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-11-22 08:19:37 +01:00
Mathias Kresin 6cfa7e5788 ramips: fix DCH-M225 support
Setting the pins of the uartf group to gpio+i2s at the time the i2c
driver loads is to late for the WPS gpio button.

The gpio-keys driver fails to load since the pin used by the WPS button
is not yet set to GPIO. The WPS button with the rfkill keycode is
essential for this wifi only board.

Add the missing sound and i2c kernel modules corresponding to the
device nodes.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-11-22 08:19:37 +01:00
Emerson Pinter e626942c33 dnsmasq: load instance-specific conf-file if exists
Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
but not used by dnsmasq.

Signed-off-by: Emerson Pinter <dev@pinter.com.br>
2017-11-20 21:42:10 +01:00
Daniel Golle d64c0e54a5 rpcd: update to version 2017-11-12
a0231be8fbc61 fix memory leak in packagelist
4e483312b0216 sys: add packagelist method

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-11-17 14:42:49 +01:00
Antony Black ecaad8b2cb brcm47xx: fix switch port mapping on D-Link DIR-330
D-Link DIR-330 is clone of ASUS WL500GP2, by default conf the WAN port is
eth1, it's not working cus eth1 not soldered and wan port function
performs 5th port of the switch.

Signed-off-by: Antony Black <gtrtfm@gmail.com>
2017-11-16 22:57:06 +01:00
Felix Fietkau d851d7fa56 wireguard: fix portability issue
Check if the compiler defines __linux__, instead of assuming that the
host OS is the same as the target OS.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-16 22:44:45 +01:00
Felix Fietkau 8751bd771d wireguard: move to kernel build directory
It builds a kernel module, so its build dir should be target specific

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-16 22:43:28 +01:00
Kevin Darbyshire-Bryant ed571c14e0 wireguard: bump to 0.0.20171111
edaad55 (tag: 0.0.20171111) version: bump snapshot
7a989b3 tools: allow for NULL keys everywhere
46f8cbc curve25519: reject deriving from NULL private keys
9b43542 tools: remove ioctl cruft
f6cea8e allowedips: rename from routingtable
23f553e wg-quick: allow for tabs in keys
ab9befb netlink: make sure we reserve space for NLMSG_DONE
73405c0 compat: 4.4.0 has strange ECN function
868be0c wg-quick: stat the correct enclosing folder of config file
ceb11ba qemu: bump kernel version
0a8e173 receive: hoist fpu outside of receive loop
bee188a qemu: more debugging
f1fdd8d device: wait for all peers to be freed before destroying
2188248 qemu: check for memory leaks
c77a34e netlink: plug memory leak
0ac8efd device: please lockdep
a51e196 global: revert checkpatch.pl changes
65c49d7 Kconfig: remove trailing whitespace

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-16 22:36:04 +01:00
Hans Dedecker c9fb48a432 procd: update to latest git HEAD (fixes and improvements)
d9dc0e0 service: fix calls to blobmsg_parse()
5db8f70 procd: add missing new lines inside debug code
8d5d29c service: fix SERVICE_ATTR_NAME usage in service_handle_set

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-15 22:14:26 +01:00
Peter Wagner cda8ec7dd8
openssl: update to 1.0.2m
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:

../libssl.so: undefined reference to `SSLv3_client_method'

Fixes CVE: CVE-2017-3735, CVE-2017-3736

Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-11-13 00:53:35 +01:00
Jo-Philipp Wich 421754191d brcm47xx: fix switch port mapping on Asus RT-N12 and RT-N16 models
On Asus RT-N12 and RT-N16 models, the WAN and LAN4 ports are swapped in the
initial switch configuration since the presets present in nvram appear to be
wrong.

Add special casing for these models to detect_by_model() in order to ensure
a proper switch configuration.

Fixes FS#502.

(cherry picked from commit 96ed69101da254b0cb61a0dfc42bd48d27bfacb9
  and squashed with commit f2fdd68664)

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-11-10 15:00:57 +01:00
Rafał Miłecki 95824b9bf6 rpcd: update to the latest version from 2017-11-09
9a8640183c031 plugin: use RTLD_LOCAL instead of RTLD_GLOBAL when loading library

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-11-09 19:57:17 +01:00
Hans Dedecker 792559f25b mountd: bump to git HEAD version (optimization fixes)
7826ca5 mount: add mount with ignore=1 for unsupported filesystems
75e7412 mount: drop duplicated filesystem check from mount_add_list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-09 18:08:16 +01:00
Marko Ratkaj a0ef1c478a functions.sh: fix default_postinst function
When we run "opkg install" on a package that installs an uci-defaults
script, functions.sh will fail to evaluate that script in its
default_postinst function.

This happens because there is no "./" present and it searches for the
file in paths specified by the PATH variable. This would work on bash,
but it will not work on ash and some other shells like sh, zsh. This
applys to the ". filename" directive used in this case.

This patch will make the path relative to the /etc/uci-defaults
directory.

Fixes: FS#1021

Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
2017-11-08 23:26:20 +01:00
Kevin Darbyshire-Bryant 6b6578feec wireguard: version bump to 0.0.20171101
Update wireguard to latest snapshot:

9fc5daf version: bump snapshot
748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
7be9894 timers: switch to kees' new timer_list functions
6be9a66 wg-quick: save all hooks on save
752e7af version: bump snapshot
2cd9642 wg-quick: fsync the temporary file before renaming
b139499 wg-quick: allow for saving existing interface
582c201 contrib: add reresolve-dns
8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
c138276 wg-quick: allow for the hatchet, but not by default
d03f2a0 global: use fewer BUG_ONs
6d681ce timers: guard entire setting in block
4bf32ca curve25519: only enable int128 if compiler support is sound
86e06a3 device: expand scope of destruct lock
e3661ab global: get rid of useless forward declarations
bedc77a device: only take reference if netns is different
7c07e22 wg-quick: remember to rewind DNS settings on failure
2352ec0 wg-quick: allow specifiying multiple hooks
573cb19 qemu: test using four cores
e09ec4d global: style nits
4d3deae qemu: work around ccache bugs
7491cd4 global: infuriating kernel iterator style
78e079c peer: store total number of peers instead of iterating
d4e2752 peer: get rid of peer_for_each magic
6cf12d1 compat: be sure to include header before testing
3ea08d8 qemu: allow for cross compilation
d467551 crypto/avx: make sure we can actually use ymm registers
c786c46 blake2: include headers for macros
328e386 global: accept decent check_patch.pl suggestions
a473592 compat: fix up stat calculation for udp tunnel
9d930f5 stats: more robust accounting
311ca62 selftest: initialize mutex in routingtable selftest
8a9a6d3 netns: use time-based test instead of quantity-based
e480068 netns: use read built-in instead of ncat hack for dmesg

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-05 12:50:18 +01:00
Florian Beier 9740523763 ar71xx: fix LED config for DIR-869 A1
This fixes the LED configuration for the D-Link DIR-869 A1. In order to
support the device I probed around using an initramfs image for the
UniFi AC. Pulling GPIO 15 to low enabled the LEDs while high disabled them.
GPIO 16 set to low meant that the color was white while pulling it to high
made the color change to orange. The past code was written based upon these
findings.
However, running a flashed image I now discovered that GPIO 15 controls the
orange LEDs while GPIO 16 controls the white ones and that both are active
when low. This means that the GPIOs were inverted and one active_low was set
wrong which this patch fixes.

Behavior of the LED front after this patch is applied:

cat /sys/devices/platform/leds-gpio/leds/d-link:white:status/brightness
0   -> white LEDs are OFF
255 -> white LEDs are ON

cat /sys/devices/platform/leds-gpio/leds/d-link🍊status/brightness
0   -> orange LEDs are OFF
255 -> orange LEDs are ON

If the brightness of both is set to 255 the LED front will be white.
If the brightness of both is set to 0 the LED front will be off.

Signed-off-by: Florian Beier <beier.florian@gmail.com>
2017-11-03 22:59:20 +01:00
Stefan Lippers-Hollmann bdf19eec35 ipq806x: nbg6817: sync MAC addresses to the upstream values
The ZyXEL NBG6817 calculates all MAC addresses based on the ethaddr
value stored in the U-Boot environment (0:APPSBLENV). No MAC addresses
are stored in the ART partition and the generated MAC addresses for the
wlan interfaces alternate randomly between 12:34:56:78:90:12 and
00:03:7f:12:34:56.

interface	  new/ OEM MAC	old MAC

wlan-2.4g (phy1): ethaddr	undefined
wlan-5g   (phy0): ethaddr + 1	undefined
lan             : ethaddr + 2	ethaddr
wan             : ethaddr + 3	ethaddr + 1

This patch defines stable MAC addresses for the wlan interfaces for
the first time instead of generating them at random. The previously
defined values for lan/ wan are changed to follow the settings of the
OEM firmware.

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2017-11-03 22:59:20 +01:00
Stefan Lippers-Hollmann 2aff2add31 ipq806x: nbg6817: add kmod-fs-ext4 to device packages
The ZyXEL NBG6817 uses an eMMC flash for the rootfs, which is split
into the readonly squashfs and ext4 for the overlay. This adds the
required package to the device packages to allow mounting the overlay
by default.

/dev/root on /rom type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
/dev/loop0 on /overlay type ext4 (rw,noatime,data=ordered)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600,ptmxmode=000)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
mountd(pid1040) on /tmp/run/blockd type autofs (rw,relatime,fd=7,pgrp=1,timeout=30,minproto=5,maxproto=5,indirect)

Before this commit, the ext4 based overlayfs could not be mounted,
which left only the tmpfs based/ volatile  emergency overlay in place.

Fixes: https://forum.lede-project.org/t/zyxel-nbg6817-flashing-from-oem/768

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2017-11-03 22:59:19 +01:00
Felix Fietkau 63f6408ccc uclient: update to the latest version, fixes fetch of multiple files
4b87d83 uclient-fetch: fix overloading of output_file variable

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-03 10:56:47 +01:00
Edmunt Pienkowsky 3eae19acee ramips: fix Youku-YK1 support
Remove the ephy-pins from the ethernet device tree node. The ephy-pins
are useed to controll the ePHY LEDs and this board doesn't have these.
Instead one of the ePHY pins is used in GPIO mode to control the WAN
LED.

Use the switch LED trigger to control the WAN LED. Move the power LED
handling to diag.sh to show the boot status via this LED.

Add the missing kernel packages for USB and microSD card reader to the
default package selection.

Fix the maximum image size value. The board has a 32MByte flash chip.

Fixes: FS#1055

Signed-off-by: Edmunt Pienkowsky <roed@onet.eu>
[make the commit message more verbose, remove GPIO pinmux for pins not
used as GPIOs]
Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-27 11:19:07 +02:00
Alex Maclean 8a48a53dcb tools/squashfs4: include sysmacros.h explicitly
glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1017

Signed-off-by: Alex Maclean <monkeh@monkeh.net>
[refresh patches]
Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 18:50:27 +02:00
Alex Maclean 8406e50df5 tools/squashfs: include sysmacros.h explicitly
glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1018

Signed-off-by: Alex Maclean <monkeh@monkeh.net>
2017-10-25 18:50:27 +02:00
Alex Maclean 96dbf59e5a tools/mtd-utils: include sysmacros.h explicitly
glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1015

Signed-off-by: Alex Maclean <monkeh@monkeh.net>
[refresh patches]
Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 18:50:27 +02:00
Alex Maclean d2fd6412a6 tools/findutils: include sysmacros.h explicitly
glibc is moving to remove the include of sys/sysmacros.h from
sys/types.h, and some distros have done this early. Other libcs may
already lack this include. Include sysmacros.h explicitly.

Fixes: FS#1016

Signed-off-by: Alex Maclean <monkeh@monkeh.net>
2017-10-25 18:50:27 +02:00
Jo-Philipp Wich 367b4563b4 dnsmasq: restore ability to include/exclude raw device names
Commit 5cd88f4 "dnsmasq: remove use of uci state for getting network ifname"
broke the ability to specify unmanaged network device names for inclusion
and exclusion in the uci configuration.

Restore support for raw device names by falling back to the input value
when "network_get_device" yields no result.

Fixes FS#876.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a89c36b508)
2017-10-25 09:57:58 +02:00
Mathias Kresin ee6fa8d839 lantiq: add missing default lan interface
With removing the boards from the the default case to fix the xDSL WAN
MAC-Address, the setting for the default LAN interface wasn't added.

Fixes: 92a12c434c ("lantiq: fix avm fritz box mac addresses")

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-25 08:45:53 +02:00
Tolga Cakir 2bee675d33 ipq806x: fix Zyxel NBG6817 WiFi button
Zyxel NBG6817 features a WiFi button, which becomes functional by setting
correct GPIO. It is a switch-type button, so it emits KEY_RFKILL on each ON
and OFF state. This is achieved by setting input-type to EV_SW.

Signed-off-by: Tolga Cakir <tolga@cevel.net>
2017-10-24 22:46:25 +02:00
Alberto Bursi f5935f78a1 ramips: fix default usb support for nexx wt3020-8M
the nexx wt3020-8M has a usb 2.0 port,
add usb 2.0 support packages to its default package list.

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-10-24 20:36:08 +02:00
Matthias Schiffer 0780e12483
opkg: bump to 2017-10-23 (lede-17.01)
A lede-17.01 branch for bugfix backports has been added to the opkg-lede
repo.

c6caf07 pkg_parse: fix segfault when parsing descriptions with leading newlines
5bb5fd5 opkg: add --no-check-certificate argument
7a96972 libbb: xreadlink: fix memory leak on failure case
3f13edd pkg_run_script: use pkg->dest in half installed case

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-10-23 23:48:25 +02:00
Mathias Kresin 98c003e3da lantiq: ARV752DPW22: fix wireless mac address
The ARV752DPW22 has the same generic mac address in the EEPROM as it
was already noticed for other lantiq boards using a ralink wireless.

Use the base mac address from the boardconfig partition as it is done
by the stock firmware.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-18 22:14:25 +02:00
Mathias Kresin 50db9a4004 lantiq: ARV752DPW22: set correct wireless led trigger
The ARV752DPW22 has a ralink based wireless and can not use the ath9k
only phy0tpt trigger.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-10-18 22:14:25 +02:00
Kevin Darbyshire-Bryant 373fa54d35 kernel: bump 4.4 to 4.4.93 for 17.01
Refresh patches.
Compile-tested for ar71xx - Archer C7 v2
Runtime-tested on  ar71xx - Archer C7 v2

Fixes CVE-2017-15265.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
[remove 2nd CVE as it was fixed in mac80211 in commit bff16304b0]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 19:58:02 +03:00
Hans Dedecker 586a721d3f mountd: bump to git HEAD version (fixes SIGSEV crashes)
6efeb19 autofs: register SIGTERM for gracefull exit
01bb2b0 mount: fix SIGSEV crashes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-18 14:19:56 +02:00
Stijn Tintel cdb2684dce LEDE v17.01.4: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Stijn Tintel 444add156f LEDE v17.01.4: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Jason A. Donenfeld 79f57e422d wireguard: version bump to 0.0.20171017
This is a simple version bump. Changes:

  * noise: handshake constants can be read-only after init
  * noise: no need to take the RCU lock if we're not dereferencing
  * send: improve dead packet control flow
  * receive: improve control flow
  * socket: eliminate dead code
  * device: our use of queues means this check is worthless
  * device: no need to take lock for integer comparison
  * blake2s: modernize API and have faster _final
  * compat: support READ_ONCE
  * compat: just make ro_after_init read_mostly

  Assorted cleanups to the module, including nice things like marking our
  precomputations as const.

  * Makefile: even prettier output
  * Makefile: do not clean before cloc
  * selftest: better test index for rate limiter
  * netns: disable accept_dad for all interfaces

  Fixes in our testing and build infrastructure. Now works on the 4.14 rc
  series.

  * qemu: add build-only target
  * qemu: work on ubuntu toolchain
  * qemu: add more debugging options to main makefile
  * qemu: simplify shutdown
  * qemu: open /dev/console if we're started early
  * qemu: phase out bitbanging
  * qemu: always create directory before untarring
  * qemu: newer packages
  * qemu: put hvc directive into configuration

  This is the beginning of working out a cross building test suite, so we do
  several tricks to be less platform independent.

  * tools: encoding: be more paranoid
  * tools: retry resolution except when fatal
  * tools: don't insist on having a private key
  * tools: add pass example to wg-quick man page
  * tools: style
  * tools: newline after warning
  * tools: account for padding being in zero attribute

  Several important tools fixes, one of which suppresses a needless warning.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit f6c4a9c045)
2017-10-17 20:46:20 +03:00
Stijn Tintel d501786ff2 hostapd: add wpa_disable_eapol_key_retries option
Commit b6c3931ad6 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.

Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5f97c9372)
2017-10-17 17:59:45 +03:00
Stijn Tintel b6c3931ad6 hostapd: backport extra changes related to KRACK
While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html

Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so
that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch
applies without having to rework it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-17 17:54:59 +03:00
Stijn Tintel a5e1f7f5ef mac80211: backport kernel fix for CVE-2017-13080
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2f701194c2)
2017-10-17 01:57:05 +03:00
Jo-Philipp Wich 46e29bd078 x86: partly revert cabf775
The subtarget cleanups made in cabf775 "x86: Refresh subtargets kernel config"
removed some important symbol disable statements, so revert the changes to the
subtarget configs for now.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-10-16 17:21:43 +02:00
Ryan Mounce 707305a19d mac80211: Update wireless-regdb to master-2017-03-07
The short log of changes since the 2016-06-10 release is below.

Jouni Malinen (1):
      wireless-regdb: Remove DFS requirement for India (IN)

Ryan Mounce (1):
      wireless-regdb: Update rules for Australia (AU) and add 60GHz rules

Seth Forshee (2):
      wireless-regdb: Update 5 GHz rules for Canada
      wireless-regdb: update regulatory.bin based on preceding changes

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
(cherry picked from commit 8b12e62e9c)
2017-10-16 14:22:18 +03:00
Jason A. Donenfeld 907d8703f4 wireguard: add wireguard to base packages
Move wireguard from openwrt/packages to base a package.

This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.

WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 699c6fcc31)
2017-10-16 14:03:39 +03:00
Felix Fietkau bff16304b0 brcmfmac: backport length check in brcmf_cfg80211_escan_handler()
Fixes CVE-2017-0786

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 13:02:04 +02:00
Stijn Tintel fa0b5fce1f kernel: bump 4.4 to 4.4.92
Refresh patches.

Fixes the following CVEs:
- CVE-2017-1000252
- CVE-2017-12153
- CVE-2017-12154

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-16 13:35:06 +03:00
Felix Fietkau e6fd17d04c ramips: fix compile warning in MT7621 NAND driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00
Felix Fietkau 2e9f3c6225 ramips: fix typo in MT7621 NAND driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00
Felix Fietkau 63c17142c8 hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Backport of bbda81ce30

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00