path: root/package

Commit message | Author | Age | Files | Lines
* utils/spidev_test: build package directly from Linux | Christian Lamparter | 2019-05-11 | 2 files | -321/+23

  Jeff Kletsky noted in his patch titled "utils/spidev_test: Update to current source from upstream Linux" that the spidev_test utility OpenWrt ships is severely out of date. Instead of updating the spidev_test.c from the current kernel, this patch replaces the package building code to utilize the very file that gets shipped with the kernel we are compiling for anyway, much like the "perf" package already does.

  Reported-by: Jeff Kletsky <git-commits@allycomm.com>
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* lldpd: add option to edit hostname | Lucian Cristian | 2019-05-11 | 2 files | -0/+5

  Also fixes the annoying repeating syslog "lldp[]: unable to get system name".

  Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
* lldpd: update to 1.0.3 | Lucian Cristian | 2019-05-11 | 2 files | -11/+25

  Support for CDP PD PoE.

  Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
* ath10k-ct: Update to current version | Robert Marko | 2019-05-11 | 11 files | -48/+48

  This patch updates ath10k-ct to the current version. Changes are:

  ath10k-ct: Fix printing PN in peer stats. Previous logic was incorrect. Also add set-special API to enable returning PN.

  Patches refreshed and tested on 8devices Jalapeno dev board (IPQ4019).

  Signed-off-by: Robert Marko <robimarko@gmail.com>
* ath10k-firmware: update Candela Tech firmware images | Robert Marko | 2019-05-11 | 1 file | -24/+24

  Release notes since last time:

  Release notes for wave-1:

  2019-04-02: Support some get/set API for eeprom rate power tables. Mostly backported from 10.2.

  2019-04-02: Support adaptive-CCA, backported from 10.2.

  2019-04-02: Support adding eeprom configAddr pairs via the set-special API. These configAddrs can be used to change the default register settings for up to 12 registers.

  2019-05-03: Fix tx-power settings for 2x2, 3x3 rates. Original logic I put in back in 2016 set 2x2 and 3x3 lower than they needed to be when using most NICs (very high powered NICs would not have been affected I think, not sure any of those exist though.) This improves throughput for 2x2 and 3x3 devices, especially when the signal is weaker.

  Release notes for wave-2:

  2019-04-08: When setting keys, if high bit of high value of key_rsc_counter is set to 0x1, then the lower 48 bits will be used as the PN value. By default, PN is set to 1 each time the key is set.

  2019-04-08: Pack PN into un-used 'excretries' aka 'num_pkt_loss_excess_retry' high 16 bits. This lets us report peer PN, but *only* if driver has previously set a PN when setting key (or set-special cmd is used to enable PN reporting). This is done so that we know the driver is recent enough to deal with the PN stat reporting.

  2019-04-16: Support specifying tx rate on a per-beacon packet. See ath10k_wmi_op_gen_beacon_dma and ath10k_convert_hw_rate_to_rate_info for API details. Driver needs additional work to actually enable this feature currently.

  2019-04-30: Compile out tx-prefetch caching logic. It is full of tricky bugs that cause tx hangs. I fixed at least one, but more remain and I have wasted too much time on this already.

  2019-05-08: Start rate-ctrl at mcs-3 instead of mcs-5. This significantly helps DHCP happen quickly, probably because the initial rate being too high would take a while to ramp down, especially since there are few packets sent by the time DHCP needs to start. This bug was triggered by me decreasing retries of 0x1e (upstream default) to 0x4. But, I think it is better to start with lower initial MCS instead of always having a very high retry count.

  Tested on 8devices Jalapeno dev board (IPQ4019).

  Signed-off-by: Robert Marko <robimarko@gmail.com>
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [neatify]
* base-files: improve lib/upgrade/common.sh | Klaus Kudielka | 2019-05-11 | 1 file | -13/+19

  Recently, upgrade device autodetection has been added to the mvebu target. This exposes some shortcomings of the generic export_bootdevice function, e.g. on the Turris Omnia: export_bootdevice silently reports the root partition to be the boot device. This makes the sysupgrade process fail at several places.

  Fix this by clearly distinguishing between /proc/cmdline arguments which specify the boot disk, and those which specify the root partition. Only in the latter case, strip off the partition, and do it consistently. root=PARTUUID=<pseudo PARTUUID for MBR> (any partition) and root=/dev/* (any partition) are accepted.

  The root of the problem is that the *existing* export_bootdevice in /lib/upgrade/common.sh behaves differently, if the kernel is booted with root=/dev/..., or if it is booted with root=PARTUUID=... In the former case, it reports back major/minor of the root partition, in the latter case it reports back major/minor of the complete boot disk.

  Targets, which boot with root=/dev/... *and* use export_bootdevice / export_partdevice, have added workarounds to this behaviour, by specifying *negative* increments to the export_partdevice function. Consequently, those targets have to be adapted to use positive increments, otherwise they are broken by the change to export_bootdevice.

  Fixes: 4e8345ff68 ("mvebu: base-files: autodetect upgrade device")
  Signed-off-by: Klaus Kudielka <klaus.kudielka@gmail.com>
  Tested-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
* ramips: mt7620: fix dependencies | Deng Qingfang | 2019-05-11 | 1 file | -7/+7

  MT7620 integrated WMAC does not need the RT2x00 PCI driver or firmware.

  Also corrected kmod-eeprom-93cx6 and kmod-lib-crc-itu-t dependencies according to the original Kconfig and lsmod output.

  This will remove some unnecessary packages from the MT7620 target to save some space.

  Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [75 characters per line in the commit message]
* procd: fix compile issue | Hans Dedecker | 2019-05-09 | 1 file | -3/+3

  1361b97 container: include stdbool.h

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEAD | Hans Dedecker | 2019-05-08 | 1 file | -3/+3

  f6fb700 interface-ip: fine tune IPv6 mtu warning
  975a5c4 interface: tidy ipv6 mtu warning

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: update to latest git HEAD | Hans Dedecker | 2019-05-08 | 1 file | -4/+4

  9b35439 procd: detect lxc container and behave accordingly

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* elfutils: Fix compile with uClibc-ng | Rosen Penev | 2019-05-05 | 2 files | -1/+39

  Probably glibc too. argp_help takes a char *, not const char *.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
  Signed-off-by: Petr Štetiar <ynezz@true.cz> [updated with upstream version of the patch]
* uboot-tegra: bump to 2019.04 | Tomasz Maciej Nowak | 2019-05-05 | 1 file | -2/+2

  This version has an important change for tegra boards, which is reserving 32MB memory for the Linux kernel instead of the current 16MB.

  Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
* base-files: add service_stopped as a post stop hook | Arthur Skowronek | 2019-05-05 | 1 file | -0/+3

  The purpose of these changes is to introduce a hook for post service shutdown in a similar fashion to the existing hook service_started. I found it to be useful to specify a hook that is called once the service has been stopped and not before the service is stopped like the stop_service hook does.

  The concrete use case I have for this is that I'm running a binary that takes over the hardware watchdog timer. Said binary unfortunately cannot use ubus directly to tell procd to hand over the watchdog timer, so this has to be done in the service file for the binary in question. In order to support a clean handover of the watchdog timer back to procd, the service init script has to dispatch the ubus invocation once the binary in question has been stopped.

  Signed-off-by: Arthur Skowronek <ags@digineo.de>
  Signed-off-by: Petr Štetiar <ynezz@true.cz> [added commit message, use the same form as other hooks]
* kernel: Remove support for kernel 3.18 | Hauke Mehrtens | 2019-05-03 | 27 files | -296/+41

  No target is using kernel 3.18 anymore; remove all the generic support for kernel 3.18. The removed packages depend on kernel 3.18 only and are not used on any recent kernel.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* xburst: Remove unmaintained target | Hauke Mehrtens | 2019-05-03 | 7 files | -4669/+0

  This target only supports kernel 3.18, which is not supported in OpenWrt any more for multiple releases. It also looks like there is no active maintainer for this target. Remove the code and all the packages which are only used by this target.

  To add this target to OpenWrt again, port it to a recent and supported kernel version.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* omap24xx: Remove unmaintained target | Hauke Mehrtens | 2019-05-03 | 2 files | -26/+2

  This target only supports kernel 4.1, which is not supported in OpenWrt any more for multiple releases. It also looks like there is no active maintainer for this target. Remove the code and all the packages which are only used by this target.

  To add this target to OpenWrt again, port it to a recent and supported kernel version.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* au1000: Remove unmaintained target | Hauke Mehrtens | 2019-05-03 | 2 files | -52/+0

  This target only supports kernel 3.18, which is not supported in OpenWrt any more for multiple releases. It also looks like there is no active maintainer for this target. Remove the code and all the packages which are only used by this target.

  To add this target to OpenWrt again, port it to a recent and supported kernel version.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* adm5120: Remove unmaintained target | Hauke Mehrtens | 2019-05-03 | 6 files | -177/+1

  This target only supports kernel 3.18, which is not supported in OpenWrt any more for multiple releases. It also looks like there is no active maintainer for this target. Remove the code and all the packages which are only used by this target.

  To add this target to OpenWrt again, port it to a recent and supported kernel version.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* procd: add procd_running() helper for checking running state | Rafał Miłecki | 2019-05-02 | 2 files | -1/+16

  This should be helpful for implementing service_running() in procd init scripts.

  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
  Acked-by: John Crispin <john@phrozen.org>
* procd: update to latest git HEAD | Hans Dedecker | 2019-05-02 | 1 file | -2/+2

  01f3dc8 instance: dump user and group as well

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* procd: allow passing optional group instance parameter | Michael Heimpold | 2019-05-02 | 2 files | -4/+5

  Sometimes it is desirable to run a process with a specific group id instead of the default one, which is derived from the passwd entry. This can be achieved now by using procd_set_param group $mygroup.

  Signed-off-by: Michael Heimpold <mhei@heimpold.de>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_SOURCE_VERSION update]
* procd: allow passing optional syslog facility as instance parameter | Michael Heimpold | 2019-05-02 | 2 files | -5/+8

  An optional syslog facility can be set by adding procd_set_param facility $myfacility. While at it, also add stdout/stderr documentation.

  Signed-off-by: Michael Heimpold <mhei@heimpold.de>
  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_SOURCE_VERSION update]
* kernel: iio: Fix BMP280 Auto probing | Robert Marko | 2019-05-02 | 1 file | -2/+2

  Currently auto probing for BMP/BME280 does not work because the kernel module name in the call is not correct. The package name was used instead of the kernel module name.

  Signed-off-by: Robert Marko <robimarko@gmail.com>
* libroxml: bump to the 3.0.1 version | Rafał Miłecki | 2019-05-01 | 1 file | -5/+5

  Some of the changes:
    * Support for local-name()
    * General refactoring
    * Better parsing performance
    * Fix possible buffer overflow & memleak
    * Validation checks
    * More commit functions (file, buffer, fd)

  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* procd: update to latest git HEAD | Hans Dedecker | 2019-04-29 | 1 file | -3/+3

  cfaed56 procd: add SIGPWR as signal
  a30a8fd procd: copy the respawn property of new instance

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* mac80211: rt2x00: replace patches with upstream version | Daniel Golle | 2019-04-29 | 22 files | -1203/+959

  Support for RT3883/RT3663 was merged upstream [1]. Use that patch instead of our original series. The resulting source tree is exactly identical; this commit is merely reorganizing the patches.

  [1]: https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next.git/commit/?id=d0e61a0f7cca51ce340a5a73595189972122ff25

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* openssl: build kmods only if engines are selected | Eneas U de Queiroz | 2019-04-26 | 1 file | -4/+4

  Add a conditional to the individual packages for the kmods in DEPENDS. This avoids the need to compile the kernel modules when the crypto engine packages are not selected. The final binaries are not affected by this.

  Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
  Tested-by: Rosen Penev <rosenp@gmail.com>
* elfutils: bump to 0.176 | Jose Olivera | 2019-04-26 | 2 files | -4/+4

  * Fixes:
    - CVE-2019-7150
    - CVE-2019-7149
    - CVE-2019-7146
    - CVE-2019-7665
    - CVE-2019-7664
    - CVE-2019-7148
  * Refresh 003-libintl-compatibility.patch
  * Also reset PKG_RELEASE.

  Signed-off-by: Jose Olivera <oliverajeo@gmail.com>
* mac80211: fix regression in skb resizing optimization in monitor mode (FS#2254) | Felix Fietkau | 2019-04-24 | 1 file | -21/+21

  struct ieee80211_local needs to be passed in separately instead of dereferencing the (potentially NULL) sdata.

  Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ath10k-ct: Update to 2019-04-08 | Koen Vandeputte | 2019-04-23 | 1 file | -3/+3

  9cd701a4f028 ath10k-ct: Add PN get/set API for wave-2 firmware.
  5c8a4668323b ath10k-ct: Support over-riding the power ctl table in eeprom
  75e2705f31bb ath10k-ct: CCA, eeprom, other changes.
  a696e602a0fc ath10k-ct: Attempt to fix-out-of-tree compile for 4.16
  a2aec62262df ath10k: Improve beacon tx status for 4.20 kernel.
  be5c21a82b15 ath10k-ct: Fix out-of-tree compile for 4.20, pull in stable changes for 4.19

  Fixes compile errors when using the 4.20 flavour. Also the amount of beacon errors seems to have dropped.

  Tested on a Mikrotik RB912UAGS-5HPacD

  Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* Revert "uhttpd: disable concurrent requests by default" | Jo-Philipp Wich | 2019-04-23 | 2 files | -2/+2

  This reverts commit c6aa9ff38870a30dbe6da17e4edad6039fe10ddf.

  Further testing has revealed that we will need to allow concurrent requests after all, especially for situations where CGI processes initiate further HTTP requests to the local host.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openssl: add Eneas U de Queiroz as maintainer | Eneas U de Queiroz | 2019-04-22 | 1 file | -0/+1

  Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: fix OPENSSL_config bug affecting wget | Eneas U de Queiroz | 2019-04-22 | 2 files | -1/+32

  This applies an upstream patch that fixes an OPENSSL_config() bug that causes SSL initialization to fail when the openssl.cnf file is not found. The config file is not installed by default.

  Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* nghttp2: bump to 1.38.0 | Hans Dedecker | 2019-04-22 | 1 file | -3/+3

  4a9d2005 Update manual pages
  acf6a922 Bump up version number to 1.38.0, LT revision to 31:3:17
  4ff45821 Update AUTHORS
  42dce01e Merge branch 'nghttpx-fix-backend-selection-on-retry'
  a35059e3 nghttpx: Fix bug that altered authority and path affect backend selection
  5a30fafd Merge branch 'nghttpx-fix-chunked-request-stall'
  dce91ad3 Merge branch 'nghttpx-dont-log-authorization'
  2cff8b43 nghttpx: Fix bug that chunked request stalls
  be96654d nghttpx: Don't log authorization request header field value with -LINFO
  ce962c3f Merge branch 'update-http-parser'
  f931504e Update http-parser to v2.9.1
  d978f351 Fix bug that on_header callback is still called after stream is closed
  ec519f22 Merge pull request #1270 from baitisj/master
  e8b213e3 Bump up version number to 1.38.0-DEV

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: update to latest git HEAD (FS#2243, FS#2244) | Hans Dedecker | 2019-04-19 | 1 file | -3/+3

  6633efe router: fix dns search list option

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: allow build without dbclient | Rosy Song | 2019-04-18 | 2 files | -4/+9

  This can save ~16KBytes of size for the ipk.

  Signed-off-by: Rosy Song <rosysong@rosinson.com>
* mac80211: brcm: backport brcmfmac 5.2 patches | Rafał Miłecki | 2019-04-18 | 18 files | -1/+1410

  This includes some USB fixes and early work on FullMAC firmware crash recovery.

  Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* odhcpd: update to latest git HEAD (FS#2206) | Hans Dedecker | 2019-04-17 | 1 file | -3/+3

  38bc630 router: use ra_lifetime as lifetime for RA options (FS#2206)
  0523bdd router: improve code readibility
  0a3b279 Revert "router:"
  207f8e0 treewide: align syslog loglevels
  f1d7da9 router:
  0e048ac treewide: fix compiler warnings
  83698f6 CMakeList.txt: enable extra compiler checks

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openssl: change defaults: ENGINE:on, NPN:off, misc | Eneas U de Queiroz | 2019-04-17 | 2 files | -8/+6

  Enable engine support by default. Right now, some packages require this, so it is always enabled by the bots. Many packages will compile differently when engine support is detected, needing engine symbols from the libraries. However, being off by default, a user compiling their own image will fail to run some popular packages from the official repo. Note that disabling engines did not work in 1.0.2, so this problem never showed up before.

  NPN support has been removed in major browsers & servers, and has become a small bloat, so it does not make sense to leave it on by default.

  Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.

  Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* kernel: Fix kmod-drm-amdgpu and kmod-drm-radeon dependencies | Lucian Cristian | 2019-04-16 | 1 file | -7/+40

  Currently the Geode build fails on the following missing kernel module dependencies:

  Package kmod-drm-amdgpu is missing dependencies for the following libraries:
  backlight.ko
  drm_kms_helper.ko
  fb.ko
  ttm.ko

  So this patch tries to fix the kmod-drm-amdgpu module dependencies.

  Fixes: 2f239c0 ("x86: video: add amdgpu DRM kernel package")
  Fixes: 2f6918e ("x86: video: add radeon DRM module support")
  Tested-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
  Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
* procd/hotplug: add dependency to dialout and audio group | Martin Schiller | 2019-04-16 | 1 file | -1/+2

  Commit 6e060bd62c85 introduced a dependency to the dialout group. Adding this group to the "group" file in the base-files package is not enough to handle this dependency, because after a sysupgrade this entry will be missing in the "group" file.

  To address this problem, the dependencies to the required groups need to be set in the Makefile of the procd package. Then, the uci-default script "13_fix_group_user" will add the groups on first boot-up after a sysupgrade.

  Fixes: 6e060bd62c85 ("base-files/hotplug: fix dedicated group for tty devices")
  Tested-by: Michael Heimpold <mhei@heimpold.de>
  Signed-off-by: Martin Schiller <ms@dev.tdt.de>
* netifd: update to latest git HEAD | Hans Dedecker | 2019-04-15 | 1 file | -3/+3

  666c14f system-linux: remove debug tracing
  08989e4 interface: add neighbor config support
  bfd4de3 interface: fix "if-down" hotplug event handling

  Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* layerscape: unbreak ehci-fsl interaction with mpc85xx | Christian Lamparter | 2019-04-15 | 1 file | -22/+9

  Both targets have their own idea of how to use ehci-fsl. This patch reverts part of commit 68b8d3b0796d ("kernel: usb: add FSL EHCI package") and moves ehci-fsl back into kmod-usb2, while also making it hopefully usable for the mpc85xx target.

  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* umbim: update to latest git HEAD | Petr Štetiar | 2019-04-15 | 1 file | -3/+3

  24f9dc7 Iron out all extra compiler warnings
  9d8dbc9 Enable extra compiler checks
  ff8d356 mbim-proxy support
  ccca03f umbim: add registration set support

  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* mac80211: Fix rate_idx underflow in mwl8k (FS#2218) | Petr Štetiar | 2019-04-14 | 2 files | -1/+81

  Add a patch for mwl8k which fixes endless reboot loops on Linksys EA4500 with certain 5G configurations.

  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* kernel: usb: add FSL EHCI package | David Bauer | 2019-04-13 | 1 file | -2/+21

  Add kernel module package for the Freescale USB2 EHCI used on the mpc85xx platform.

  Signed-off-by: David Bauer <mail@david-bauer.net>
* mac80211: rt2x00: replace patch with upstream version | Daniel Golle | 2019-04-12 | 3 files | -57/+96

  The patch introduced by commit d0b969eee8 ("mac80211: rt2x00: do not increment sequence number while re-transmitting") was merged into wireless-drivers.git. Replace our version with the merged version.

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uboot-envtools: fix fw_env.config for ox820/stg-212 | Daniel Golle | 2019-04-11 | 1 file | -1/+3

  Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: fix CVE-2019-9497, CVE-2019-9498, CVE-2019-9499 | Stefan Lippers-Hollmann | 2019-04-11 | 5 files | -1/+467

  EAP-pwd missing commit validation

  Published: April 10, 2019

  Identifiers:
  - CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
  - CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
  - CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)

  Latest version available from: https://w1.fi/security/2019-4/

  Vulnerability

  EAP-pwd implementation in hostapd (EAP server) and wpa_supplicant (EAP peer) was discovered not to validate the received scalar and element values in EAP-pwd-Commit messages properly. This could result in attacks that would be able to complete EAP-pwd authentication exchange without the attacker having to know the used password.

  A reflection attack is possible against the EAP-pwd server since the hostapd EAP server did not verify that the EAP-pwd-Commit contains scalar/element values that differ from the ones the server sent out itself. This allows the attacker to complete EAP-pwd authentication without knowing the password, but this does not result in the attacker being able to derive the session key (MSK), i.e., the attacker would not be able to complete the following key exchange (e.g., 4-way handshake in RSN/WPA).

  An attack using invalid scalar/element values is possible against both the EAP-pwd server and peer since hostapd and wpa_supplicant did not validate these values in the received EAP-pwd-Commit messages. If the used crypto library does not implement additional checks for the element (EC point), this could result in attacks where the attacker could use specially crafted commit message values to manipulate the exchange to result in deriving a session key value from a very small set of possible values. This could further be used to attack the EAP-pwd server in a practical manner. An attack against the EAP-pwd peer is slightly more complex, but still considered practical. These invalid scalar/element attacks could result in the attacker being able to complete authentication and learn the session key and MSK to allow the key exchange to be completed as well, i.e., the attacker gaining access to the network in case of the attack against the EAP server or the attacker being able to operate a rogue AP in case of the attack against the EAP peer.

  While similar attacks might be applicable against SAE, it should be noted that the SAE implementation in hostapd and wpa_supplicant does have the validation steps that were missing from the EAP-pwd implementation and as such, these attacks do not apply to the current SAE implementation. Old versions of wpa_supplicant/hostapd did not include the reflection attack check in the SAE implementation, though, since that was added in June 2015 for v2.5 (commit 6a58444d27fd 'SAE: Verify that own/peer commit-scalar and COMMIT-ELEMENT are different').

  Vulnerable versions/configurations

  All hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration) are vulnerable against the reflection attack.

  All wpa_supplicant and hostapd versions with EAP-pwd support (CONFIG_EAP_PWD=y in the build configuration and EAP-pwd being enabled in the runtime configuration) are vulnerable against the invalid scalar/element attack when built against a crypto library that does not have an explicit validation step on imported EC points. The following list indicates which cases are vulnerable/not vulnerable:
  - OpenSSL v1.0.2 or older: vulnerable
  - OpenSSL v1.1.0 or newer: not vulnerable
  - BoringSSL with commit 38feb990a183 ('Require that EC points are on the curve.') from September 2015: not vulnerable
  - BoringSSL without commit 38feb990a183: vulnerable
  - LibreSSL: vulnerable
  - wolfssl: vulnerable

  Acknowledgments

  Thanks to Mathy Vanhoef (New York University Abu Dhabi) for discovering and reporting the issues and for proposing changes to address them in the implementation.

  Possible mitigation steps

  - Merge the following commits to wpa_supplicant/hostapd and rebuild:
    CVE-2019-9497: EAP-pwd server: Detect reflection attacks
    CVE-2019-9498: EAP-pwd server: Verify received scalar and element
                   EAP-pwd: Check element x,y coordinates explicitly
    CVE-2019-9499: EAP-pwd client: Verify received scalar and element
                   EAP-pwd: Check element x,y coordinates explicitly
    These patches are available from https://w1.fi/security/2019-4/
  - Update to wpa_supplicant/hostapd v2.8 or newer, once available

  Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [bump PKG_RELEASE]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: fix CVE-2019-9496 | Stefan Lippers-Hollmann | 2019-04-11 | 2 files | -1/+53

  hostapd: fix SAE confirm missing state validation

  Published: April 10, 2019

  Identifiers:
  - CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)

  Latest version available from: https://w1.fi/security/2019-3/

  Vulnerability

  When hostapd is used to operate an access point with SAE (Simultaneous Authentication of Equals; also known as WPA3-Personal), an invalid authentication sequence could result in the hostapd process terminating due to a NULL pointer dereference when processing SAE confirm message. This was caused by missing state validation steps when processing the SAE confirm message in hostapd/AP mode.

  Similar cases against the wpa_supplicant SAE station implementation had already been tested by the hwsim test cases, but those sequences did not trigger this specific code path in AP mode which is why the issue was not discovered earlier.

  An attacker in radio range of an access point using hostapd in SAE configuration could use this issue to perform a denial of service attack by forcing the hostapd process to terminate.

  Vulnerable versions/configurations

  All hostapd versions with SAE support (CONFIG_SAE=y in the build configuration and SAE being enabled in the runtime configuration).

  Possible mitigation steps

  - Merge the following commit to hostapd and rebuild:
    SAE: Fix confirm message validation in error cases
    These patches are available from https://w1.fi/security/2019-3/
  - Update to hostapd v2.8 or newer, once available

  Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [bump PKG_RELEASE]
  Signed-off-by: Jo-Philipp Wich <jo@mein.io>