path: root/package
Commit log for package/ (each entry: title [Author, Date, files changed, lines -removed/+added], followed by the commit message)
* wireguard: bump to 0.0.20200121 [Jason A. Donenfeld, 2020-01-24, 1 file, -2/+2]

    * Makefile: strip prefixed v from version.h

      This fixes a mistake in dmesg output and when parsing the sysfs entry
      in the filesystem.

    * device: skb_list_walk_safe moved upstream

      This is a 5.6 change, which we won't support here, but it does make
      the code cleaner, so we make this change to keep things in sync.

    * curve25519: x86_64: replace with formally verified implementation

      This comes from INRIA's HACL*/Vale. It implements the same algorithm
      and implementation strategy as the code it replaces, only this code
      has been formally verified, sans the base point multiplication, which
      uses code similar to prior, only it uses the formally verified field
      arithmetic alongside reproducible ladder generation steps. This
      doesn't have a pure-bmi2 version, which means haswell no longer
      benefits, but the increased (doubled) code complexity is not worth it
      for a single generation of chips that's already old.

      Performance-wise, this is around 1% slower on older
      microarchitectures, and slightly faster on newer microarchitectures,
      mainly 10nm ones or backports of 10nm to 14nm.

      This implementation is "everest" below:

      Xeon E5-2680 v4 (Broadwell)
        armfazh: 133340 cycles per call
        everest: 133436 cycles per call

      Xeon Gold 5120 (Sky Lake Server)
        armfazh: 112636 cycles per call
        everest: 113906 cycles per call

      Core i5-6300U (Sky Lake Client)
        armfazh: 116810 cycles per call
        everest: 117916 cycles per call

      Core i7-7600U (Kaby Lake)
        armfazh: 119523 cycles per call
        everest: 119040 cycles per call

      Core i7-8750H (Coffee Lake)
        armfazh: 113914 cycles per call
        everest: 113650 cycles per call

      Core i9-9880H (Coffee Lake Refresh)
        armfazh: 112616 cycles per call
        everest: 114082 cycles per call

      Core i3-8121U (Cannon Lake)
        armfazh: 113202 cycles per call
        everest: 111382 cycles per call

      Core i7-8265U (Whiskey Lake)
        armfazh: 127307 cycles per call
        everest: 127697 cycles per call

      Core i7-8550U (Kaby Lake Refresh)
        armfazh: 127522 cycles per call
        everest: 127083 cycles per call

      Xeon Platinum 8275CL (Cascade Lake)
        armfazh: 114380 cycles per call
        everest: 114656 cycles per call

      Achieving these kinds of results with formally verified code is quite
      remarkable, especially considering that performance is favorable for
      newer chips.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* ath10k-firmware: fix mirror hash [DENG Qingfang, 2020-01-24, 1 file, -1/+1]

    Fix PKG_MIRROR_HASH hash mismatch.

    Fixes: 641a93f0f226 ("ath10k-firmware: update wave 1 firmware to 10.2.4-1.0-00047")
    Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
    [added missing commit description]
    Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to version 2020-01-24 [Petr Štetiar, 2020-01-24, 1 file, -3/+3]

    00aafc4f439e procd: show process's exit code
    856b5f8be046 state: fix reboot causing shutdown inside LXC container
    b44417c20c7f instance: provide error feedback if ujail binary is missing

    Signed-off-by: Petr Štetiar <ynezz@true.cz>
* rbextract: support devices directly showing ERD magic [Roger Pueyo Centelles, 2020-01-23, 2 files, -1/+30]

    Older ath79-based MikroTik devices have the ERD calibration data
    compressed and stored differently from newer IPQ40xx ones. This commit
    adds support for these former ones.

    Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
    Acked-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* rbextract: add package [Roger Pueyo Centelles, 2020-01-23, 6 files, -0/+854]

    This utility extracts the radio calibration data, as well as other
    board-related information (model, serial number, etc.), from MikroTik
    Routerboard devices' flash.

    Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
    Acked-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* rbcfg: make package available for ath79 [Roger Pueyo Centelles, 2020-01-23, 1 file, -1/+1]

    Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
* hostapd: fix faulty WMM IE parameters with ETSI regulatory domains [Felix Fietkau, 2020-01-23, 2 files, -0/+88]

    hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
    The code for applying those values had a few bugs leading to bogus
    values, which caused significant latency and packet loss.

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* uboot-envtools: ath79: add support for glinet,gl-ar150 [Kimmo Vuorinen, 2020-01-23, 1 file, -0/+3]

    Add ubootenv uci config for GL.inet GL-AR150

    Signed-off-by: Kimmo Vuorinen <kimmo.vuorinen@gmail.com>
    [commit title/message facelift]
    Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* uboot-envtools: ar71xx: add support for gl-ar150/-domino/-mifi [Kimmo Vuorinen, 2020-01-23, 1 file, -0/+5]

    Add ubootenv uci config for gl-ar150, gl-domino and gl-mifi

    Signed-off-by: Kimmo Vuorinen <kimmo.vuorinen@gmail.com>
    [commit message/title facelift]
    Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* mac80211: add support for wds_bridge hostapd feature [Daniel Golle, 2020-01-22, 1 file, -2/+6]

    hostapd allows putting WDS (4addr mode) clients into a separate bridge
    other than the bridge regular (3addr mode) clients end up in. This is
    useful, for example, for giving WDS clients access to several VLANs
    (trunking) while regular clients will end up inside a specific VLAN.

    Add 'wds_bridge' config parameter for wifi-iface which contains the
    name of the bridge. hostapd-mini already supports this feature, so all
    that is needed is to add the UCI wrapping in mac80211.sh.

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* kernel: add SFP support for Methode DM7052 NBASE-T module [Russell King, 2020-01-21, 1 file, -0/+17]

    Add support for Methode DM7052 NBASE-T module to OpenWRT. These
    patches are taken from my "phy" branch, and will be sent for the next
    kernel merge window.

    Signed-off-by: Russell King <linux@armlinux.org.uk>
    [jonas.gorski: move patches to pending, refresh patches]
    Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
* curl: update to version 7.68.0 (security fix) [Jan Pavlinec, 2020-01-21, 1 file, -3/+3]

    Fixes CVE-2019-15601

    Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* fstools: update to version 2020-01-21 [Petr Štetiar, 2020-01-21, 1 file, -3/+3]

    deb745f82b93 Revert "fstools: Add support to read-only MTD partitions (eg. recovery images)"

    Signed-off-by: Petr Štetiar <ynezz@true.cz>
* urngd: update to version 2020-01-21 [Petr Štetiar, 2020-01-21, 1 file, -3/+3]

    c7f7b6b65b82 Tag version 1.0.2
    236b7a0aef21 Fix blocked entropy generation

    Signed-off-by: Petr Štetiar <ynezz@true.cz>
* procd: update to latest git HEAD [Daniel Golle, 2020-01-21, 1 file, -4/+4]

    58c12f7 jail: add basic support for network namespaces
    ba69639 jail: create resolv.conf symlink for netns jails
    81b88b1 jail: more strict mount options for /tmp/resolv.conf.d/

    Add new 'netns' flag for procd_add_jail to make ujail setup a new
    network namespace for the jailed service. See previous netifd commit
    for example configuration for netns jailed service.

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* netifd: add basic support for jail network namespaces [Daniel Golle, 2020-01-21, 1 file, -3/+3]

    Prepare netifd for handling procd service jails having their own
    network namespace. Interfaces having the jail attribute will only be
    brought up inside the jail's network namespace by procd calling the
    newly introduced ubus method 'netns_updown'.

    Currently proto 'static' is supported and configuration changes are
    not yet being handled (ie. you'll have to restart the jailed service
    for changes to take effect).

    Example /etc/config/network snippet:

    config device 'veth0'
            option type 'veth'
            option name 'vhost0'
            option peer_name 'virt0'

    config interface 'virt'
            option type 'bridge'
            list ifname 'vhost0'
            option proto 'static'
            option ipaddr '10.0.0.1'
            option netmask '255.255.255.0'

    config interface 'virt0'
            option ifname 'virt0'
            option proto 'static'
            option ipaddr '10.0.0.2'
            option netmask '255.255.255.0'
            option gateway '10.0.0.1'
            option dns '10.0.0.1'
            option jail 'transmission'

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libubox: update to version 2020-01-20 [Petr Štetiar, 2020-01-20, 1 file, -3/+3]

    43a103ff17ee blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
    5c0faaf4f5e2 tests: prefer dynamically allocated buffers
    1ffa41535369 blobmsg_json: prefer snprintf usage
    132ecb563da7 blobmsg: blobmsg_vprintf: prefer vsnprintf
    a2aab30fc918 jshn: prefer snprintf usage
    b0886a37f39a cmake: add a possibility to set library version
    a36ee96618a9 blobmsg: blobmsg_add_json_element() 64-bit values
    f0da3a4283b7 blobmsg_json: fix int16 serialization
    20a070f08139 tests: blobmsg/json: add more test cases
    379cd33d1992 tests: include json script shunit2 based testing

    Acked-by: Jo-Philipp Wich <jo@mein.io>
    Signed-off-by: Petr Štetiar <ynezz@true.cz>
* fstools: update to version 2020-01-18 [Petr Štetiar, 2020-01-20, 1 file, -3/+3]

    f5c7c1813f52 fstools: Add support to read-only MTD partitions (eg. recovery images)
    189b41b6b487 libblkid-tiny: fix f2fs labels by increasing label buffer

    Signed-off-by: Petr Štetiar <ynezz@true.cz>
* kernel: remove further obsolete kernel version switches [Sungbo Eo, 2020-01-18, 1 file, -4/+1]

    Most of the kernel version switches below 4.14 were removed in commit
    97940f876616 ("kernel: remove obsolete kernel version switches"), but
    some of them still remained. Remove them now.

    Signed-off-by: Sungbo Eo <mans0n@gorani.run>
* base-files/functions.sh: use grep -q instead of [] [Rosen Penev, 2020-01-18, 1 file, -4/+4]

    It's cleaner and faster as it does not need to do extra work.

    Also removed $() to avoid executing the output. The shell can handle it.

    https://github.com/koalaman/shellcheck/wiki/SC2143

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
    [correct || to && for one conversion]
    Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* base-files/system.sh: remove $ in $(()) [Rosen Penev, 2020-01-17, 1 file, -1/+1]

    Not needed.

    https://github.com/koalaman/shellcheck/wiki/Sc2004

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
* base-files/functions.sh: use && instead of -a [Rosen Penev, 2020-01-17, 1 file, -2/+2]

    -a is not well defined.

    https://github.com/koalaman/shellcheck/wiki/SC2166

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
* base-files/functions.sh: remove useless cat [Rosen Penev, 2020-01-17, 1 file, -2/+2]

    The cut command can take a file as an input.

    https://github.com/koalaman/shellcheck/wiki/SC2002

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
* base-files/functions.sh: don't use $var in $(()) [Rosen Penev, 2020-01-17, 1 file, -3/+3]

    It's not needed. It can also lead to subtle bugs.

    https://github.com/koalaman/shellcheck/wiki/Sc2004

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
* libcxx: fix build for x86/64 [Stijn Tintel, 2020-01-17, 1 file, -0/+1]

    When building libcxx for x86/64, the library is installed in
    /usr/lib64. As the install section tries to copy the library from
    /usr/lib, this breaks build on x86/64. Override the lib dir suffix to
    fix this.

    Fixes: 856ea2bad3b3 ("libcxx: Add package")
    Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
    Acked-by: Rosen Penev <rosenp@gmail.com>
* odhcpd: update to version 2020-01-14 [Hans Dedecker, 2020-01-16, 1 file, -3/+3]

    6db312a dhcpv6-ia: use dhcp leasetime to set preferred/valid statefull lifetimes
    2520c48 dhcpv6-ia: introduce DHCPv6 pd and ia assignments flags
    b413d8a dhcpv6-ia: cleanup prefix delegation routes
    b0902af dhcpv6-ia: remove passing interface as parameter to apply_lease

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add support for system cert bundle validation [David Lam, 2020-01-16, 2 files, -6/+15]

    Currently, it is very cumbersome for a user to connect to a
    WPA-Enterprise based network securely because the RADIUS server's CA
    certificate must first be extracted from the EAPOL handshake using
    tcpdump or other methods before it can be pinned using the ca_cert(2)
    fields.

    To make this process easier and more secure (combined with changes in
    openwrt/openwrt#2654), this commit adds support for validating against
    the built-in CA bundle when the ca-bundle package is installed.

    Related LuCI changes in openwrt/luci#3513.

    Signed-off-by: David Lam <david@thedavid.net>
    [bump PKG_RELEASE]
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: cleanup IBSS-RSN [Daniel Golle, 2020-01-16, 2 files, -6/+2]

    set noscan also for IBSS and remove redundant/obsolete variable.

    Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uboot-oxnas: fix memory leak in tool mkox820crc [Andrea Dalla Costa, 2020-01-15, 1 file, -0/+3]

    In function `main` add calls to `free` for the variable `executable`.
    This is needed because the variable `executable` is allocated but never
    freed. This causes a memory leak.

    Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* dropbear: fix compile error [John Crispin, 2020-01-15, 1 file, -1/+2]

    Fixes: 0da193ee6943 ("dropbear: move failsafe code out of base-files")
    Signed-off-by: John Crispin <john@phrozen.org>
* wireguard: skip peer config if public key of the peer is not defined [Florian Eckert, 2020-01-15, 1 file, -0/+5]

    If a config section of a peer does not have a public key defined, the
    whole interface does not start. The following log is shown:

    daemon.notice netifd: test (21071): Line unrecognized: `PublicKey='
    daemon.notice netifd: test (21071): Configuration parsing erro

    The command 'wg show' only shows the interface name.

    With this change we skip the peer for this interface and emit a log
    message, so the other peers get configured.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* busybox: fix build issues [John Crispin, 2020-01-15, 1 file, -1/+3]

    Fixes: f704f97e4c57 ("busybox: Include hdparm by default on nas type device")
    Signed-off-by: John Crispin <john@phrozen.org>
* ath79: add support for Netgear WNDR4500 v3 [Michal Cieslakiewicz, 2020-01-15, 1 file, -0/+1]

    This patch introduces support for Netgear WNDR4500v3. Router is very
    similar to WNDR4300v2 and is based on the same PCB. Information
    gathered from various Internet sources (including
    https://patchwork.ozlabs.org/patch/809227/) shows following
    differences to WNDR4300v2:

    * two USB 2.0 ports with separate LEDs
    * USB LEDs soldered to secondary pads
    * WPS and RFKILL buttons soldered to secondary pads
    * described as N900 device with 3x3:3 MIMO for 2.4GHz radio
    * power supply requirement is DC 12V 2.5A
    * vendor HW ID suffix differs in one digit
    * bigger chassis

    Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
* ath79: add support for Netgear WNDR4300 v2 [Michal Cieslakiewicz, 2020-01-15, 1 file, -0/+1]

    This patch introduces support for Netgear WNDR4300v2.

    Specification
    =============

    * Description: Netgear WNDR4300 v2
    * Loader: U-boot
    * SOC: Qualcomm Atheros QCA9563 (775 MHz)
    * RAM: 128 MiB
    * Flash: 2 MiB SPI-NOR + 128 MiB SPI-NAND
      - NOR: U-boot binary: 256 KiB
      - NOR: U-boot environment: 64 KiB
      - NOR: ART Backup: 64 KiB
      - NOR: Config: 64 KiB
      - NOR: Traffic Meter: 64 KiB
      - NOR: POT: 64 KiB
      - NOR: Reserved: 1408 KiB
      - NOR: ART: 64 KiB
      - NAND: Firmware: 25600 KiB (see notes for OpenWrt)
      - NAND: Language: 2048 KiB
      - NAND: mtdoops Crash Dump: 128 KiB
      - NAND: Reserved: 103296 KiB
    * Ethernet: 5 x 10/100/1000 (4 x LAN, 1 x WAN) (AR8337)
    * Wireless:
      - 2.4 GHz b/g/n (internal)
      - 5 GHz a/n (AR9580)
    * USB: yes, 1 x USB 2.0
    * Buttons:
      - Reset
      - WiFi (rfkill)
      - WPS
    * LEDs:
      - Power (amber/green)
      - WAN (amber/green)
      - WLAN 2G (green)
      - WLAN 5G (blue)
      - 4 x LAN (amber/green)
      - USB (green)
      - WPS (green)
    * UART: 4-pin connector JP1, 3.3V (Vcc, TX, RX, GND), 115200 8N1
    * Power supply: DC 12V 1.5A
    * MAC addresses: LAN=WLAN2G on case label, WAN +1, WLAN5G +2

    Important Notes
    ===============

    0. NOR Flash (2 MiB) is not touched by OpenWrt installation.
    1. NAND Flash (128 MiB) layout under OpenWrt is changed as follows:
       all space is split between 4 MiB kernel and 124 MiB UBI areas;
       vendor partitions (language and mtdoops) are removed; kernel space
       size can be further expanded if needed; maximum image size is set
       to 25600k for compatibility reasons and can also be increased.
    2. CPU clock is 775 MHz, not 750 MHz.
    3. 5 GHz wireless radio chip is Atheros AR9580-AR1A with bogus PCI
       device ID 0xabcd. For ath9k driver to load successfully, this is
       overridden in DTS with correct value for this chip, 0x0033.
    4. RFKILL button is wired to AR9580 pin 9 which is normally disabled
       by chip definition in ath9k code (0x0000F4FF gpio mask). Therefore
       'qca,gpio-mask=<0xf6ff>' hack must be used for button to work
       properly.
    5. USB port is always on, no GPIO for 5V power control has been
       identified.

    Installation
    ============

    * TFTP recovery
    * TFTP via U-boot prompt
    * sysupgrade
    * Web interface

    Test build configuration
    ========================

    CONFIG_TARGET_ath79=y
    CONFIG_TARGET_ath79_nand=y
    CONFIG_TARGET_ath79_nand_DEVICE_netgear_wndr4300-v2=y
    CONFIG_ALL_KMODS=y
    CONFIG_DEVEL=y
    CONFIG_CCACHE=y
    CONFIG_COLLECT_KERNEL_DEBUG=y
    CONFIG_IMAGEOPT=y

    Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
* mac80211: ath9k: add GPIO mask dts property [Michal Cieslakiewicz, 2020-01-15, 1 file, -0/+25]

    This patch adds 'qca,gpio-mask=<u32>' device tree property to ath9k
    node. This optional setting is a hack and should only be used in very
    special (and rare) cases when a button or LED is wired to a GPIO pin
    normally masked out (due to being one-way etc). Netgear WNDR4300 v2 is
    one such example - it uses GPI9 for RFKILL.

    See ath9k/reg.h *_GPIO_MASK constants. Use with caution and expect to
    see a stream of kernel warnings if wrong mask value is provided.

    Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
* zram-swap: support swap priority [Maxim Storchak, 2020-01-15, 2 files, -2/+4]

    If zram-backed swap is added after an existing swap, it gets a lower
    priority. Assuming that usually all other swaps are slower, there
    should be a way to assign a higher priority to zram swap.

    Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
* perf: Add libunwind only if selected [Rosen Penev, 2020-01-15, 1 file, -2/+2]

    The depends are totally wrong. libunwind does not work with powerpc
    and i386 as it needs glibc. Instead of duplicating the platforms, just
    change the dependency.

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
* uhttpd: add enable instance option [Florian Eckert, 2020-01-15, 2 files, -1/+5]

    With this change it is now possible to switch off single instances of
    the uhttpd config. Until now it was only possible to switch all
    instances of uhttpd on or off.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* hostapd: add wpa_strict_rekey support [Kyle Copperfield, 2020-01-15, 1 file, -1/+3]

    Rekey GTK on STA disassociate

    Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required [Kyle Copperfield, 2020-01-15, 2 files, -3/+12]

    Allows dtim_period to be configurable, the default is from hostapd.
    Adds additional regulatory tunables for power constraint and spectrum
    management.

    Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* dropbear: move failsafe code out of base-files [Kyle Copperfield, 2020-01-15, 4 files, -8/+11]

    Failsafe code of dropbear should be in the dropbear package not the
    base-files package.

    Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* busybox: Include hdparm by default on nas type device [Linus Walleij, 2020-01-15, 1 file, -0/+3]

    NAS devices certainly need to have hdparm to configure things like
    spin-down time or their disks will be constantly spinning. Just
    catenate CONFIG_HDPARM=y on these configs.

    Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
* cryptodev-linux: remove DEFAULT redefinition [Eneas U de Queiroz, 2020-01-15, 1 file, -1/+0]

    The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from
    building the package, and users from downloading it, since they use
    'ALL_KMODS=y' but 'ALL' is not set.

    Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* mac80211: fix MAC address allocations if the local bit is set on the base addr [Felix Fietkau, 2020-01-15, 1 file, -1/+1]

    If it's set, don't subtract 1 from the interface index encoded into
    the first byte of the address.

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* valgrind: do not strip internal preload libraries and executables [Jo-Philipp Wich, 2020-01-14, 1 file, -2/+20]

    Implement the suggestions laid out in README_PACKAGERS, mainly by
    preventing the stripping of the internal vgpreload*.so libraries.

    Also retain the symbol information of valgrind's private helper
    executables and enable LTO as suggested in the packagers readme.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* base-files: fix build for /sbin/pkg_check [Xu Wang, 2020-01-14, 1 file, -2/+2]

    Setting CONFIG_IPK_FILES_CHECKSUMS=y causes sha256 checksum files to be
    included with the packages to check for corruption.

    This commit fixes two issues:
    - /sbin/pkg_check was being removed incorrectly if IPK_FILES_CHECKSUMS=y
    - checksums were being saved in the wrong file

    Signed-off-by: Xu Wang <xwang1498@gmx.com>
* hostapd: add support for subject validation [David Lam, 2020-01-14, 2 files, -1/+93]

    The wpa_supplicant supports certificate subject validation via the
    subject_match(2) and altsubject_match(2) fields. domain_match(2) and
    domain_suffix_match(2) fields are also supported for advanced matches.

    This validation is especially important when connecting to access
    points that use PAP as the Phase 2 authentication type. Without proper
    validation, the user's password can be transmitted to a rogue access
    point in plaintext without the user's knowledge. Most organizations
    already require these attributes to be included to ensure that the
    connection from the STA and the AP is secure.

    Includes LuCI changes via openwrt/luci#3444.

    From the documentation:

    subject_match - Constraint for server certificate subject.
        This substring is matched against the subject of the
        authentication server certificate. If this string is set, the
        server certificate is only accepted if it contains this string in
        the subject. The subject string is in following format:
        /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com

    subject_match2 - Constraint for server certificate subject.
        This field is like subject_match, but used for phase 2 (inside
        EAP-TTLS/PEAP/FAST tunnel) authentication.

    altsubject_match - Constraint for server certificate alt. subject.
        Semicolon separated string of entries to be matched against the
        alternative subject name of the authentication server certificate.
        If this string is set, the server certificate is only accepted if
        it contains one of the entries in an alternative subject name
        extension. altSubjectName string is in following format:
        TYPE:VALUE
        Example: EMAIL:server@example.com
        Example: DNS:server.example.com;DNS:server2.example.com
        Following types are supported: EMAIL, DNS, URI

    altsubject_match2 - Constraint for server certificate alt. subject.
        This field is like altsubject_match, but used for phase 2 (inside
        EAP-TTLS/PEAP/FAST tunnel) authentication.

    domain_match - Constraint for server domain name.
        If set, this FQDN is used as a full match requirement for the
        server certificate in SubjectAltName dNSName element(s). If a
        matching dNSName is found, this constraint is met. If no dNSName
        values are present, this constraint is matched against SubjectName
        CN using same full match comparison. This behavior is similar to
        domain_suffix_match, but has the requirement of a full match,
        i.e., no subdomains or wildcard matches are allowed.
        Case-insensitive comparison is used, so "Example.com" matches
        "example.com", but would not match "test.Example.com".

        More than one match string can be provided by using semicolons to
        separate the strings (e.g., example.org;example.com). When
        multiple strings are specified, a match with any one of the values
        is considered a sufficient match for the certificate, i.e., the
        conditions are ORed together.

    domain_match2 - Constraint for server domain name.
        This field is like domain_match, but used for phase 2 (inside
        EAP-TTLS/PEAP/FAST tunnel) authentication.

    domain_suffix_match - Constraint for server domain name.
        If set, this FQDN is used as a suffix match requirement for the
        AAA server certificate in SubjectAltName dNSName element(s). If a
        matching dNSName is found, this constraint is met. If no dNSName
        values are present, this constraint is matched against SubjectName
        CN using same suffix match comparison. Suffix match here means
        that the host/domain name is compared one label at a time starting
        from the top-level domain and all the labels in
        domain_suffix_match shall be included in the certificate. The
        certificate may include additional sub-level labels in addition to
        the required labels.

        More than one match string can be provided by using semicolons to
        separate the strings (e.g., example.org;example.com). When
        multiple strings are specified, a match with any one of the values
        is considered a sufficient match for the certificate, i.e., the
        conditions are ORed together.

        For example, domain_suffix_match=example.com would match
        test.example.com but would not match test-example.com.

        This field is like domain_match, but used for phase 2 (inside
        EAP-TTLS/PEAP/FAST tunnel) authentication.

    domain_suffix_match2 - Constraint for server domain name.
        This field is like domain_suffix_match, but used for phase 2
        (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

    Signed-off-by: David Lam <david@thedavid.net>
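Added example, not code from the commit above or from OpenWrt, hostapd or wpa_supplicant: a stand-alone Python re-implementation of the matching rules quoted above for domain_match, domain_suffix_match and altsubject_match, so the semantics that the two hostapd commits (system CA bundle validation, and this subject validation one) rely on can be checked against constructed certificate names. CA validation establishes that a chain is trusted; these constraints bind that chain to the right server, which is what stops a PAP password from going to a rogue AP with any valid certificate. The names ServerCert, server_cert_acceptable and the helpers are this example's own, and every hostname below is constructed.

```python
"""Server-certificate name constraints as wpa_supplicant documents them.

Added example (not OpenWrt/hostapd/wpa_supplicant code). Class and function
names are this example's own; all certificate values used are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ServerCert:
    """The parts of an EAP server certificate the constraints inspect."""
    cn: Optional[str] = None                             # SubjectName CN
    dns_names: List[str] = field(default_factory=list)   # SAN dNSName entries
    emails: List[str] = field(default_factory=list)      # SAN rfc822Name entries
    uris: List[str] = field(default_factory=list)        # SAN URI entries


def _labels(name: str) -> List[str]:
    """Split an FQDN into lower-cased labels (comparison is case-insensitive)."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def _names_to_check(cert: ServerCert) -> List[str]:
    """dNSName entries if any are present; otherwise fall back to the CN."""
    if cert.dns_names:
        return cert.dns_names
    return [cert.cn] if cert.cn else []


def _split(constraint: str) -> List[str]:
    """Semicolon-separated alternatives; matching any one is sufficient."""
    return [v.strip() for v in constraint.split(";") if v.strip()]


def domain_match(cert: ServerCert, constraint: str) -> bool:
    """Full FQDN match: no subdomains, no wildcards."""
    wanted = [_labels(v) for v in _split(constraint)]
    return any(_labels(n) == w for n in _names_to_check(cert) for w in wanted)


def domain_suffix_match(cert: ServerCert, constraint: str) -> bool:
    """Label-by-label suffix match from the TLD down; extra sub-labels are
    allowed, so 'example.com' accepts test.example.com but not test-example.com."""
    wanted = [_labels(v) for v in _split(constraint)]
    for name in _names_to_check(cert):
        nl = _labels(name)
        if any(len(nl) >= len(w) and nl[-len(w):] == w for w in wanted):
            return True
    return False


def altsubject_match(cert: ServerCert, constraint: str) -> bool:
    """TYPE:VALUE entries (EMAIL, DNS, URI), each compared exactly against the
    SAN entries of that type."""
    san = {"DNS": cert.dns_names, "EMAIL": cert.emails, "URI": cert.uris}
    for entry in _split(constraint):
        typ, _, value = entry.partition(":")
        if value and value in san.get(typ.upper(), []):
            return True
    return False


CHECKS = {
    "domain_match": domain_match,
    "domain_suffix_match": domain_suffix_match,
    "altsubject_match": altsubject_match,
}


def server_cert_acceptable(cert: ServerCert, config: Dict[str, str]) -> bool:
    """Every configured constraint must hold. An unknown key fails closed
    rather than being ignored, so a typo cannot silently disable a check."""
    for key, constraint in config.items():
        check = CHECKS.get(key)
        if check is None or not check(cert, constraint):
            return False
    return True


if __name__ == "__main__":
    # Constructed data: the legitimate RADIUS server, and a certificate a
    # rogue AP might present to harvest a PAP password inside the TTLS tunnel.
    config = {"domain_match": "radius.example.com"}
    good = ServerCert(cn="Test AS", dns_names=["radius.example.com"])
    rogue = ServerCert(cn="radius.example.com", dns_names=["radius.example.net"])
    print(server_cert_acceptable(good, config))   # True
    print(server_cert_acceptable(rogue, config))  # False: CN is ignored once a dNSName exists
```

The rogue case is the one worth noting: a certificate that carries the expected name only in the CN but has a different dNSName is rejected, because the CN fallback applies only when the SAN has no dNSName at all.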
* mac80211: fix list_phy_interfaces for multiple wiphys on the same device [Felix Fietkau, 2020-01-14, 1 file, -1/+10]

    Network interfaces are looked up based on the device behind a phy, so
    the phy needs to be checked separately

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mac80211: fix a page refcounting issue leading to leaks/crashes in rx A-MSDU decap [Felix Fietkau, 2020-01-14, 1 file, -0/+25]

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mac80211: fix sta TID stats leak on a few nl80211 calls [Felix Fietkau, 2020-01-14, 2 files, -0/+43]

    Signed-off-by: Felix Fietkau <nbd@nbd.name>