aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* uhttpd: update to 19.07 Git HEADJo-Philipp Wich2020-11-201-3/+3
| | | | | | | 3abcc89 client: fix spurious keepalive connection timeouts Fixes: FS#3443 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: Fix compile errors after wolfssl updateHauke Mehrtens2020-09-041-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following compile errors after the wolfssl 4.5.0 update: LD wpa_cli ../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject': ../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? type = GEN_EMAIL; ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in ../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function) type = GEN_DNS; ^~~~~~~ ../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function) type = GEN_URI; ^~~~~~~ ../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event': ../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'? if (gen->type != GEN_EMAIL && ^~~~~~~~~ ENAVAIL ../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function) gen->type != GEN_DNS && ^~~~~~~ ../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function) gen->type != GEN_URI) ^~~~~~~ Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed Fixes: 00722a720c77 ("wolfssl: Update to version 4.5.0") Reported-by: Andre Heider <a.heider@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit bc19481826e0da9119945eaae4f25736306f023b)
* hostapd: add wpad-basic-wolfssl variantPetr Štetiar2020-08-102-0/+16
| | | | | | | | | | Add package which provides size optimized wpad with support for just WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w. Signed-off-by: Petr Štetiar <ynezz@true.cz> [adapt to recent changes, add dependency for WPA_WOLFSSL config] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c487cf8e94cbdf582dfc3c2bdaab913a146a2100)
* hostapd: reorganize config selection hierarchy for WPA3Adrian Schmutzler2020-08-101-16/+18
| | | | | | | | | | | | | | | | | | | | | The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is exceptionally hard to read. This tries to make things a little easier by inverting the hierarchy of the conditions, so SSL_VARIANT is checked first and LOCAL_VARIANT is checked second. This exploits the fact that some of the previous conditions were unnecessary, e.g. there is no hostapd-mesh*, so we don't need to exclude this combination. It also should make it a little easier to see which options are actually switched by SSL_VARIANT and which by LOCAL_VARIANT. The patch is supposed to be cosmetic. However, the improvement for readers and the maintained consistency with master qualify this for backporting. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit c4dd7fc23bfcf3b3f1a838668bb070edc9db5d4b)
* hostapd: improve TITLE for packagesAdrian Schmutzler2020-07-301-25/+33
| | | | | | | | | | | | | | | For a few packages, the current TITLE is too long, so it is not displayed at all when running make menuconfig. Despite, there is no indication of OpenSSL vs. wolfSSL in the titles. Thus, this patch adjusts titles to be generally shorter, and adds the SSL variant to it. While at it, make things easier by creating a shared definition for eapol-test like it's done already for all the other flavors. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 917980fd8a6589d6911797211f1871016f527f8c)
* wireguard: bump to 1.0.20200611Stijn Segers2020-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f, which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14. This breaks the older WireGuard version currently in 19.07. For reference, the compilation error is the one below: build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'? #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst Changelogs below taken from the official release announcements. == Changes since v1.0.20200506 == This release aligns with the changes I sent to DaveM for 5.7-rc7 and were pushed to net.git about 45 minutes ago. * qemu: use newer iproute2 for gcc-10 * qemu: add -fcommon for compiling ping with gcc-10 These enable the test suite to compile with gcc-10. * noise: read preshared key while taking lock Matt noticed a benign data race when porting the Linux code to OpenBSD. * queueing: preserve flow hash across packet scrubbing * noise: separate receive counter from send counter WireGuard now works with fq_codel, cake, and other qdiscs that make use of skb->hash. This should significantly improve latency spikes related to buffer bloat. Here's a before and after graph from some data Toke measured: https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png * compat: support RHEL 8 as 8.2, drop 8.1 support * compat: support CentOS 8 explicitly * compat: RHEL7 backported the skb hash renamings The usual RHEL churn. * compat: backport renamed/missing skb hash members The new support for fq_codel and friends meant more backporting work. * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4 == Changes since v1.0.20200611 == * qemu: always use cbuild gcc rather than system gcc * qemu: remove -Werror in order to build ancient kernels better * qemu: patch kernels that rely on ancient make * qemu: force 2MB pages for binutils 2.31 * qemu: use cbuild gcc for avx512 exclusion * qemu: add extra fill in idt handler for newer binutils * qemu: support fetching kernels for arbitrary URLs * qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection * qemu: work around broken centos8 kernel * qemu: mark per_cpu_load_addr as static for gcc-10 Our qemu test suite can now handle more kernels and more compilers. Scroll down to the bottom of https://www.wireguard.com/build-status/ to see the expanded array of kernels we now test against, including some distro kernels. * compat: widen breadth of integer constants * compat: widen breadth of memzero_explicit backport * compat: backport skb_scrub_packet to 3.11 * compat: widen breadth of prandom_u32_max backport * compat: narrow the breadth of iptunnel_xmit backport * compat: backport iptunnel_xmit to 3.11 With the expanded qemu test suite, it was possible to expand our list of mainline kernels, so the backport compat layer is now more precise. * compat: ubuntu appears to have backported ipv6_dst_lookup_flow * compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow Ubuntu kernels changed recently, so this ensures we can compile with the latest Ubuntu releases. * compat: remove stale suse support Signed-off-by: Stijn Segers <foss@volatilesystems.org> (cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)
* hostapd: backport wolfssl bignum fixesDaniel Golle2020-05-254-1/+107
| | | | | | | | | crypto_bignum_rand() use needless time-consuming filtering which resulted in SAE no longer connecting within time limits. Import fixes from hostap upstream to fix that. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 631c437a91c20df678b25dcc34fe23636116a35a)
* opkg: Fix PKG_MIRROR_HASHHauke Mehrtens2020-05-081-1/+1
| | | | | Fixes: c61fbdd0879b ("odhcpd: fix PKG_SOURCE_DATE") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wireguard: bump to 1.0.20200506Jason A. Donenfeld2020-05-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * compat: timeconst.h is a generated artifact Before we were trying to check for timeconst.h by looking in the kernel source directory. This isn't quite correct on configurations in which the object directory is separate from the kernel source directory, for example when using O="elsewhere" as a make option when building the kernel. The correct fix is to use $(CURDIR), which should point to where we want. * compat: use bash instead of bc for HZ-->USEC calculation This should make packaging somewhat easier, as bash is generally already available (at least for dkms), whereas bc isn't provided by distros by default in their build meta packages. * socket: remove errant restriction on looping to self It's already possible to create two different interfaces and loop packets between them. This has always been possible with tunnels in the kernel, and isn't specific to wireguard. Therefore, the networking stack already needs to deal with that. At the very least, the packet winds up exceeding the MTU and is discarded at that point. So, since this is already something that happens, there's no need to forbid the not very exceptional case of routing a packet back to the same interface; this loop is no different than others, and we shouldn't special case it, but rather rely on generic handling of loops in general. This also makes it easier to do interesting things with wireguard such as onion routing. At the same time, we add a selftest for this, ensuring that both onion routing works and infinite routing loops do not crash the kernel. We also add a test case for wireguard interfaces nesting packets and sending traffic between each other, as well as the loop in this case too. We make sure to send some throughput-heavy traffic for this use case, to stress out any possible recursion issues with the locks around workqueues. * send: cond_resched() when processing tx ringbuffers Users with pathological hardware reported CPU stalls on CONFIG_ PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning these workers would never terminate. That turned out not to be okay on systems without forced preemption. This commit adds a cond_resched() to the bottom of each loop iteration, so that these workers don't hog the core. We don't do this on encryption/decryption because the compat module here uses simd_relax, which already includes a call to schedule in preempt_enable. * selftests: initalize ipv6 members to NULL to squelch clang warning This fixes a worthless warning from clang. * send/receive: use explicit unlikely branch instead of implicit coalescing Some code readibility cleanups. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> (cherry picked from commit 4f6343ffe7fe8f7018f904b153dea9fc6038daf4)
* wireguard: bump to 20191226Jason A. Donenfeld2020-05-073-279/+7
| | | | | | | | | | | | | | | | | As announced on the mailing list, WireGuard will be in Linux 5.6. As a result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is moving to its own wireguard-tools repo. Meanwhile, the out-of-tree kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux- compat repo. Yesterday, releases were cut out of these repos, so this commit bumps packages to match. Since wg(8) and the compat kernel module are versioned and released separately, we create a wireguard-tools Makefile to contain the source for the new tools repo. Later, when OpenWRT moves permanently to Linux 5.6, we'll drop the original module package, leaving only the tools. So this commit shuffles the build definition around a bit but is basically the same idea as before. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> (cherry picked from commit ea980fb9c6de24350976dcc6c20da2bed5fc8cb8)
* odhcpd: fix PKG_SOURCE_DATEHans Dedecker2020-05-071-1/+1
| | | | | | Fixes: 5e8b50da15 (odhcpd : fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056)) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: fix lan host reachibility due to identical RIO and PIO prefixes ↵Hans Dedecker2020-05-061-3/+3
| | | | | | | | (FS#3056) 49e4949 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* uhttpd: update to 19.07 Git HEADJo-Philipp Wich2020-05-061-3/+3
| | | | | | | 975dce2 client: allow keep-alive for POST requests d062f85 file: poke ustream after starting deferred program Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wpad-wolfssl: fix crypto_bignum_sub()Antonio Quartulli2020-05-011-0/+26
| | | | | | | | | | | | | | | Backport patch from hostapd.git master that fixes copy/paste error in crypto_bignum_sub() in crypto_wolfssl.c. This missing fix was discovered while testing SAE over a mesh interface. With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with wpad-mesh-wolfssl. Cc: Sean Parkinson <sean@wolfssl.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 4b3b8ec81cd1965d0bd548fa31db491295b83354)
* hostapd: unconditionally enable ap/mesh for wpa-cliFelix Fietkau2020-05-012-2/+8
| | | | | | | | | | | Without this change, wpa-cli features depend on which wpad build variant was used to build the wpa-cli package Signed-off-by: Felix Fietkau <nbd@nbd.name> Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1] [added missing package version bump] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 03e9e4ba9ea8f00ff7c6f076f2cdc322e18cd3a4)
* relayd: bump to version 2020-04-25Kevin Darbyshire-Bryant2020-04-271-3/+3
| | | | | | | | | f4d759b dhcp.c: further improve validation Further improve input validation for CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 9e7d11f3e275d6f5d6b3edd7f0fa0440da43c45a)
* umdns: update to version 2020-04-25Kevin Darbyshire-Bryant2020-04-271-3/+3
| | | | | | | | | | | | cdac046 dns.c: fix input validation fix Due to a slight foobar typo, failing to de-reference a pointer, previous fix not quite as complete as it should have been. Improve CVE-2020-11750 fix Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 9f7c8ed0786be97eda879e5f6681994e4de53d74)
* dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)Henrique de Moraes Holschuh2020-04-252-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | Fix the test for an enabled sysntp initscript in dnsmasq.init, and get rid of "test -o" while at it. Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an RTC-less ath79 router. dnssec-no-timecheck would be clearly missing from /var/etc/dnsmasq.conf.* while the router was still a few days in the past due to non-working DNSSEC + DNS-based NTP server config. The fix was tested with the router in the "DNSSEC broken state": it properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp was able to resolve the server name to an IP address, and set the system time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook, as expected. A missing system.ntp.enabled UCI node is required for the bug to show up. The reasons for why it would be missing in the first place were not investigated. Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase] (cherry picked from commit 556b8581a15c855b2de0efbea6b625ab16cc9daf)
* relayd: bump to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-3/+3
| | | | | | | | | 796da66 dhcp.c: improve input validation & length checks Addresses CVE-2020-11752 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit be172e663f318ec364c13f795df025bbcce9ac18)
* umdns: update to version 2020-04-20Kevin Darbyshire-Bryant2020-04-201-4/+4
| | | | | | | | | e74a3f9 dns.c: improve input validation Addresses CVE-2020-11750 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 533da61ac63079f218a9946cd8e347b880c33dc0)
* umdns: update to the version 2020-04-05Kevin Darbyshire-Bryant2020-04-201-4/+4
| | | | | | | | | ab7a39a umdns: fix unused error 45c4953 dns: explicitly endian-convert all fields in header and question Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 22ae8bd50ef6d056b25a96ce6c77de0b0d53c1a1) (cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)
* umdns: suppress address-of-packed-member warningKevin Darbyshire-Bryant2020-04-201-2/+2
| | | | | | | | | | | | | | | | | | | gcc 8 & 9 appear to be more picky with regards access alignment to packed structures, leading to this warning in dns.c: dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer (alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer (alignment 2) may result in an unaligned pointer value [-Werror=address-of-packed-member] 261 | uint16_t *swap = (uint16_t *) q; Work around what I think is a false positive by turning the warning off. Not ideal, but not quite as not ideal as build failure. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> (cherry picked from commit 02640f014719a994e2e538b2cb6376a189cd39de) (cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)
* dnsmasq: add 'scriptarp' optionJordan Sokolic2020-03-232-1/+3
| | | | | | | | | | | Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions. The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute. Also enable --script-arp if has_handlers returns true. Signed-off-by: Jordan Sokolic <oofnik@gmail.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
* ppp: backport security fixesPetr Štetiar2020-02-264-1/+129
| | | | | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee) Fixes: CVE-2020-8597 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "ppp: backport security fixes"Jo-Philipp Wich2020-02-264-129/+1
| | | | | | | | This reverts commit 6b7eeb74dbf8b491b6426820bfa230fca60047dc since it didn't contain a reference to the CVE it addresses. The next commit will re-add the commit including a CVE reference in its commit message. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* uhttpd: update to latest Git HEADJo-Philipp Wich2020-02-261-3/+3
| | | | | | | 2ee323c file: poke ustream after starting deferred program Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 04069fde19e86af7728111814afadf780bf08018)
* ppp: backport security fixesPetr Štetiar2020-02-204-1/+129
| | | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee)
* hostapd: remove erroneous $(space) redefinitionJo-Philipp Wich2020-02-081-3/+0
| | | | | | | | | | | | | | | | | The $(space) definition in the hostapd Makefile ceased to work with GNU Make 4.3 and later, leading to syntax errors in the generated Kconfig files. Drop the superfluous redefinition and reuse the working $(space) declaration from rules.mk to fix this issue. Fixes: GH#2713 Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469 Reported-by: Karel Kočí <cynerd@email.cz> Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> Tested-by: Shaleen Jain <shaleen@jain.sh> Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 766e778226f5d4c6ec49ce22b101a5dbd4306644)
* hostapd: fix faulty WMM IE parameters with ETSI regulatory domainsFelix Fietkau2020-01-232-0/+88
| | | | | | | | hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP. The code for applying those values had a few bugs leading to bogus values, which caused significant latency and packet loss. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: cleanup IBSS-RSNDaniel Golle2020-01-162-6/+2
| | | | | | | set noscan also for IBSS and remove redundant/obsolete variable. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 702c70264b388c2b47e171843f297f43c71b86b9)
* dnsmasq: Fix potential dnsmasq crash with TCPHauke Mehrtens2020-01-062-1/+36
| | | | | | | | | | | | | | | | This is a backport from the dnsmasq master which should fix a bug which could cause a crash in dnsmasq. I saw the following crashes in my log: [522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450 [522413.124464] epc = 004197f1 in dnsmasq[400000+23000] [522413.129459] ra = 004197ef in dnsmasq[400000+23000] This is happening in blockdata_write() when block->next is dereferenced, but I am not sure if this is related to this problem or if this is a different problem. I am unable to reproduce this problem. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 414d0541381d432e69190f394dfe2a6e8122d6bb)
* uhttpd: reset PKG_RELEASEJo-Philipp Wich2019-12-221-1/+1
| | | | | Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 97af1fc979d0683649c6bea8a9245a6a9fa5413a)
* uhttpd: update to latest Git HEADJo-Philipp Wich2019-12-221-3/+3
| | | | | | | 5f9ae57 client: fix invalid data access through invalid content-length values Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit f34f9a414dd32311bda950776eb77e63c0c772cb)
* odhcpd: optimize syslog priority valuesHans Dedecker2019-12-161-3/+3
| | | | | | e53fec8 treewide: optimize syslog priority values Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add IEEE 802.11k supportKyle Copperfield2019-11-141-0/+13
| | | | | | | | | | | | Enables radio resource management to be reported by hostapd to clients. Ref: https://github.com/lede-project/source/pull/1430 Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it> Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me> [removed the DMARC crap] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 87f9292300cf56ad17f44363ced213c59a95ef44)
* hostapd: Add mesh support for wpad fullHauke Mehrtens2019-11-141-2/+2
| | | | | | | | | | | | | | | This increases the size of the binary slightly: old: 427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk new: 442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 49cc712b44c76e99bfb716c06700817692975e05)
* hostapd: use getrandom syscallHauke Mehrtens2019-11-147-7/+7
| | | | | | | | | hostapd will not use the getrandom() syscall and as a fallback use /dev/random, the syscall is supported since Linux 3.17 and in the musl, glibc and uclibc version used by OpenWrt. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 998686364da7d002ba9f6dbb43cc5f32294dd4ab)
* hostapd: Remove unneeded patchHauke Mehrtens2019-11-148-28/+14
| | | | | | | | All the content of this function is proceeded by IEEE8021X_EAPOL no code accesses the ssid variable outside of this ifdef. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 0d86bf518aaefa57bef577d09a18aff03eccb70c)
* hostapd: use config option CONFIG_NO_LINUX_PACKET_SOCKET_WARHauke Mehrtens2019-11-145-16/+4
| | | | | | | Instead of patching the workaround away, just use the config option. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 9b4a27455c17c00698ce7ce24e0bcad419c6319e)
* hostapd: Update to version 2.9 (2019-08-08)Hauke Mehrtens2019-11-1447-639/+272
| | | | | | | | | | | | | | | | | | | The size of the ipkgs increase a bit (between 0.7% and 1.1%): old 2019-04-21 (2.8): 288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk 256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk 427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk 423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk new 2019-08-08 (2.9): 290217 wpad-basic_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 258745 wpad-mini_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 431732 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk 427641 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 167028b750028ae3dac24f5ff96bbb1ba04e8bd7)
* hostapd: Update to version 2.8 (2019-04-21)Hauke Mehrtens2019-11-1489-5673/+532
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This also syncs the configuration files with the default configuration files, but no extra options are activated or deactivated. The mesh patches were partially merged into hostapd 2.8, the remaining patches were extracted from patchwork and are now applied by OpenWrt. The patches still have open questions which are not fixed by the author. They were taken from this page: https://patchwork.ozlabs.org/project/hostap/list/?series=62725&state=* The changes in 007-mesh-apply-channel-attributes-before-running-Mesh.patch where first applied to hostapd, but later reverted in hostapd commit 3e949655ccc5 because they caused memory leaks. The size of the ipkgs increase a bit (between 1.3% and 2.3%): old 2018-12-02 (2.7): 283337 wpad-basic_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk 252857 wpad-mini_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk 417473 wpad-openssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk 415105 wpad-wolfssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk new 2019-04-21 (2.8): 288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk 256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk 427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk 423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> (cherry picked from commit 8af79550e6c280717660f66032d89d21007b15d2)
* hostapd: mirror ieee80211w ap mode defaults in station modeJo-Philipp Wich2019-11-142-1/+10
| | | | | | | | | | | | For AP mode, OpenWrt automatically sets ieee80211w to either 1 or 2, depending on whether the encryption is set to sae-mixed, or sae/owe/eap suite-b. Mirror the same defaults for client mode connections, in order to allow an OpenWrt station to associate to an OpenWrt ap with SAE, OWE or Suite-B encryption without the need to manually specify "option ieee80211w" on the station. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit abb4f4075e791789fdb00731035e08a8cf51555f)
* hostapd: fix OWE settings in client modeJo-Philipp Wich2019-11-142-1/+2
| | | | | | | | | This changes fixes the generation of the wpa_supplicant client configuration in WPA3 OWE client mode. Instead of incorrectly emitting key_mgmt=NONE, use the proper key_mgmt=OWE setting instead. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 4209b28d23b8bf28575af5e8904194f49b81532e)
* hostapd: declare struct wpa_bss earlyLeon M. George2019-11-141-0/+19
| | | | | | | | | | | | | | | | | wps_supplicant.h assumes that 'struct wpa_bss' is forward declared if CONFIG_WPS is not defined. With the later inclusion of 600-ubus_support, the issue manifests in warnings like these: wps_supplicant.h:113:15: warning: 'struct wpa_bss' declared inside parameter list will not be visible outside of this definition or declaration struct wpa_bss *bss) ^~~~~~~ This patch forward declares 'struct wpa_bss' regardless. Signed-off-by: Leon M. George <leon@georgemail.eu> [commit message facelift] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit f974f8213b94578581b35e6b3f8fb1fd5a35f753)
* hostapd: revert signature change in patchLeon M. George2019-11-141-1/+1
| | | | | | | | | | | | | The original wpa_hexdump uses a 'void *' for the payload. With patch 410-limit_debug_messages, the signature changes and compiler warnings occur at various places. One such warning is: wpa_debug.h:106:20: note: expected 'const u8 * {aka const unsigned char *}' but argument is of type 'struct wpa_eapol_key *' Signed-off-by: Leon M. George <leon@georgemail.eu> [commit message facelift] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit a123df275846b1b83aaf3d7488a1544f7c0e09aa)
* hostapd: adjust removed wolfssl optionsEneas U de Queiroz2019-11-141-4/+0
| | | | | | | | | | This edjusts the selection of recently removed wolfssl options which have always been built into the library even in their abscence. Also remove the selection of libwolfssl itself, allowing the library to be built as a module. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 94d131332b5adbcf885a92608c40a22b79b3c708)
* hostapd: enable PMKSA and OK caching for WPA3-PersonalDavid Bauer2019-11-051-1/+8
| | | | | | | | | | | | | | | This enables PMKSA and opportunistic key caching by default for WPA2/WPA3-Personal, WPA3-Personal and OWE auth types. Otherwise, Apple devices won't connect to the WPA3 network. This should not degrade security, as there's no external authentication provider. Tested with OCEDO Koala and iPhone 7 (iOS 13.1). Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 3034f8c3b85e70b1dd9b4cd5cd33e9d2cd8be3b8) Signed-off-by: David Bauer <mail@david-bauer.net>
* hostapd: adjust to removal of WOLFSSL_HAS_AES_GCMEneas U de Queiroz2019-10-191-1/+0
| | | | | | | WolfSSL is always built with AES-GCM support now. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit ee5a3f6d605602bbff57cde337235088cf9c3ffa)
* hostapd: Fix AP mode PMF disconnection protection bypassHauke Mehrtens2019-09-214-6/+72
| | | | | | | | | This fixes * CVE-2019-16275 AP mode PMF disconnection protection bypass https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit a6981604b30bc1ddc1713b368fe853d89c2ba40d)
* odhcpd: retry failed PD assignments on addrlist changeHans Dedecker2019-09-151-3/+3
| | | | | | 88d9ab6 dhcpv6: retry failed PD assignments on addrlist change Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>