Merge pull request #580 from wigyori/cc-libpcap master
authorZoltan Herpai <wigyori@uid0.hu>
Fri, 8 Dec 2017 10:07:24 +0000 (11:07 +0100)
committerGitHub <noreply@github.com>
Fri, 8 Dec 2017 10:07:24 +0000 (11:07 +0100)
CC: upgrade libpcap to 1.8.1
200 files changed:
include/download.mk
include/kernel-version.mk
package/base-files/files/bin/login.sh
package/base-files/files/lib/preinit/99_10_failsafe_login
package/kernel/brcm2708-gpu-fw/Makefile
package/kernel/mac80211/patches/090-remove-cred.patch [new file with mode: 0644]
package/libs/lzo/Makefile
package/libs/mbedtls/patches/200-config.patch [new file with mode: 0644]
package/libs/openssl/Makefile
package/libs/openssl/patches/110-optimize-for-size.patch
package/libs/openssl/patches/140-makefile-dirs.patch
package/libs/openssl/patches/150-no_engines.patch
package/libs/openssl/patches/160-disable_doc_tests.patch
package/libs/openssl/patches/190-remove_timestamp_check.patch
package/libs/openssl/patches/200-parallel_build.patch
package/libs/polarssl/Makefile
package/libs/polarssl/patches/100-disable_sslv3.patch [deleted file]
package/libs/polarssl/patches/200-reduce_config.patch
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch [deleted file]
package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch [new file with mode: 0644]
package/network/services/dropbear/Config.in
package/network/services/dropbear/Makefile
package/network/services/dropbear/files/dropbear.init
package/network/services/dropbear/patches/100-pubkey_path.patch
package/network/services/dropbear/patches/110-change_user.patch
package/network/services/dropbear/patches/120-openwrt_options.patch
package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch [deleted file]
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch [new file with mode: 0644]
package/network/services/dropbear/patches/140-disable_assert.patch
package/network/services/dropbear/patches/150-dbconvert_standalone.patch
package/network/services/dropbear/patches/500-set-default-path.patch
package/network/services/dropbear/patches/600-allow-blank-root-password.patch [new file with mode: 0644]
package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch [new file with mode: 0644]
package/network/services/hostapd/Makefile
package/network/services/hostapd/files/netifd.sh
package/network/services/hostapd/files/wpa_supplicant-mesh.config [deleted file]
package/network/services/hostapd/patches/001-P2P-Validate-SSID-element-length-before-copying-it-C.patch [deleted file]
package/network/services/hostapd/patches/002-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch [deleted file]
package/network/services/hostapd/patches/003-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch [deleted file]
package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch [deleted file]
package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch [deleted file]
package/network/services/hostapd/patches/006-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch [deleted file]
package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch [deleted file]
package/network/services/hostapd/patches/008-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch [deleted file]
package/network/services/hostapd/patches/009-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch [deleted file]
package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch [deleted file]
package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch [deleted file]
package/network/services/hostapd/patches/012-EAP-pwd-server-Fix-last-fragment-length-validation.patch [deleted file]
package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch [deleted file]
package/network/services/hostapd/patches/014-nl80211-Try-running-without-mgmt-frame-subscription-.patch [deleted file]
package/network/services/hostapd/patches/100-mesh_mode_fix.patch [new file with mode: 0644]
package/network/services/hostapd/patches/110-bool_fix.patch [deleted file]
package/network/services/hostapd/patches/120-daemonize_fix.patch
package/network/services/hostapd/patches/130-no_eapol_fix.patch
package/network/services/hostapd/patches/140-disable_bridge_packet_workaround.patch
package/network/services/hostapd/patches/150-nl80211-Report-disassociated-STA-lost-peer-for-the-c.patch [deleted file]
package/network/services/hostapd/patches/200-multicall.patch
package/network/services/hostapd/patches/300-noscan.patch
package/network/services/hostapd/patches/310-rescan_immediately.patch
package/network/services/hostapd/patches/320-optional_rfkill.patch
package/network/services/hostapd/patches/330-nl80211_fix_set_freq.patch
package/network/services/hostapd/patches/340-reload_freq_change.patch
package/network/services/hostapd/patches/350-nl80211_del_beacon_bss.patch
package/network/services/hostapd/patches/360-ctrl_iface_reload.patch
package/network/services/hostapd/patches/370-ap_sta_support.patch
package/network/services/hostapd/patches/380-disable_ctrl_iface_mib.patch
package/network/services/hostapd/patches/390-wpa_ie_cap_workaround.patch
package/network/services/hostapd/patches/400-wps_single_auth_enc_type.patch
package/network/services/hostapd/patches/410-limit_debug_messages.patch
package/network/services/hostapd/patches/420-indicate-features.patch
package/network/services/hostapd/patches/430-hostapd_cli_ifdef.patch
package/network/services/hostapd/patches/431-wpa_cli_ifdef.patch
package/network/services/hostapd/patches/440-max_num_sta_probe.patch [deleted file]
package/network/services/hostapd/patches/450-scan_wait.patch
package/network/services/hostapd/patches/460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
package/network/services/hostapd/patches/461-driver_nl80211-use-new-parameters-during-ibss-join.patch
package/network/services/hostapd/patches/462-wpa_s-support-htmode-param.patch
package/network/services/hostapd/patches/470-wait-for-nullfunc-longer.patch [deleted file]
package/network/services/hostapd/patches/600-ubus_support.patch
package/network/services/hostapd/patches/901-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch [new file with mode: 0644]
package/network/services/hostapd/patches/902-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch [new file with mode: 0644]
package/network/services/hostapd/patches/903-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch [new file with mode: 0644]
package/network/services/hostapd/patches/904-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch [new file with mode: 0644]
package/network/services/hostapd/patches/905-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch [new file with mode: 0644]
package/network/services/hostapd/patches/906-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch [new file with mode: 0644]
package/network/services/hostapd/patches/907-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch [new file with mode: 0644]
package/network/services/hostapd/patches/908-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch [new file with mode: 0644]
package/network/services/openvpn/Makefile
package/network/services/openvpn/files/openvpn.init
package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch [deleted file]
package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch [new file with mode: 0644]
package/network/services/openvpn/patches/100-polarssl_compat.h [deleted file]
package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch [new file with mode: 0644]
package/network/services/openvpn/patches/110-musl_compat.patch [deleted file]
package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch [deleted file]
package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch [deleted file]
package/network/services/openvpn/patches/200-small_build_enable_occ.patch [new file with mode: 0644]
package/network/services/samba36/Makefile
package/network/services/samba36/patches/028-CVE-2017-7494-v3-6.patch [new file with mode: 0644]
package/network/services/samba36/patches/310-remove_error_strings.patch
package/network/services/wireguard/Makefile [new file with mode: 0644]
package/network/services/wireguard/files/wireguard.sh [new file with mode: 0644]
package/network/utils/iproute2/Makefile
package/network/utils/tcpdump/Makefile
package/network/utils/tcpdump/patches/001-remove_pcap_debug.patch
package/network/utils/tcpdump/patches/002-remove_static_libpcap_check.patch
package/network/utils/tcpdump/patches/100-tcpdump_mini.patch
package/system/ca-certificates/Makefile
package/system/procd/patches/0001-system-add-reboot-method-to-system-ubus-object.patch [new file with mode: 0644]
package/utils/busybox/Config-defaults.in
package/utils/busybox/Makefile
package/utils/busybox/files/telnet [deleted file]
package/utils/ugps/Makefile
rules.mk
scripts/download.pl
scripts/getver.sh
target/linux/adm5120/patches-3.18/007-adm5120_pci.patch
target/linux/adm5120/patches-3.18/101-cfi_fixup_macronix_bootloc.patch
target/linux/adm5120/patches-3.18/120-rb153_cf_driver.patch
target/linux/adm8668/patches-3.18/002-adm8668_pci.patch
target/linux/adm8668/patches-3.18/004-tulip_pci_split.patch
target/linux/adm8668/patches-3.18/005-tulip_platform.patch
target/linux/ar7/patches-3.18/500-serial_kludge.patch
target/linux/ar7/patches-3.18/950-cpmac_titan.patch
target/linux/ar71xx/patches-3.18/902-unaligned_access_hacks.patch
target/linux/bcm53xx/patches-3.18/003-mtd-spi-nor-from-3.19.patch
target/linux/bcm53xx/patches-3.18/004-mtd-spi-nor-from-3.20.patch
target/linux/brcm2708/patches-3.18/0012-cma-Add-vc_cma-driver-to-enable-use-of-CMA.patch
target/linux/brcm2708/patches-3.18/0054-hid-Reduce-default-mouse-polling-interval-to-60Hz.patch
target/linux/brcm2708/patches-3.18/0055-usb-core-make-overcurrent-messages-more-prominent.patch
target/linux/brcm2708/patches-3.18/0063-bcm2708-Allow-option-card-devices-to-be-configured-v.patch
target/linux/brcm2708/patches-3.18/0065-fdt-Add-support-for-the-CONFIG_CMDLINE_EXTEND-option.patch
target/linux/brcm47xx/patches-3.18/400-mtd-bcm47xxpart-get-nvram.patch
target/linux/cns3xxx/patches-3.18/025-smp_support.patch
target/linux/cns3xxx/patches-3.18/040-fiq_support.patch
target/linux/cns3xxx/patches-3.18/095-gpio_support.patch
target/linux/cns3xxx/patches-3.18/100-laguna_support.patch
target/linux/gemini/patches-3.18/150-gemini-pata.patch
target/linux/generic/patches-3.18/041-mtd-bcm47xxpart-backports-from-3.20.patch
target/linux/generic/patches-3.18/070-bgmac-register-napi-before-the-device.patch
target/linux/generic/patches-3.18/072-bgmac-fix-device-initialization-on-Northstar-SoCs-co.patch [deleted file]
target/linux/generic/patches-3.18/077-03-bgmac-implement-scatter-gather-support.patch
target/linux/generic/patches-3.18/078-01-bgmac-support-up-to-3-cores-devices-on-a-bus.patch
target/linux/generic/patches-3.18/078-02-bgmac-add-helper-checking-for-BCM4707-BCM53018-chip-.patch
target/linux/generic/patches-3.18/078-04-bgmac-reset-enable-Ethernet-core-before-using-it.patch
target/linux/generic/patches-3.18/080-11-fib_trie-Push-rcu_read_lock-unlock-to-callers.patch
target/linux/generic/patches-3.18/082-ipv6-ip6_fragment-fix-headroom-tests-and-skb-leak.patch
target/linux/generic/patches-3.18/141-mtd-bcm47xxpart-limit-scanned-flash-area-on-BCM47XX-.patch [deleted file]
target/linux/generic/patches-3.18/142-mtd-bcm47xxpart-don-t-fail-because-of-bit-flips.patch
target/linux/generic/patches-3.18/191-usb-ehci-orion-fix-probe-for-GENERIC_PHY.patch [deleted file]
target/linux/generic/patches-3.18/201-extra_optimization.patch
target/linux/generic/patches-3.18/204-module_strip.patch
target/linux/generic/patches-3.18/214-spidev_h_portability.patch
target/linux/generic/patches-3.18/462-m25p80-mx-disable-software-protection.patch
target/linux/generic/patches-3.18/540-crypto-xz-decompression-support.patch
target/linux/generic/patches-3.18/630-packet_socket_type.patch
target/linux/generic/patches-3.18/643-bridge_remove_ipv6_dependency.patch
target/linux/generic/patches-3.18/653-disable_netlink_trim.patch
target/linux/generic/patches-3.18/655-increase_skb_pad.patch
target/linux/generic/patches-3.18/656-skb_reduce_truesize-helper.patch
target/linux/generic/patches-3.18/666-Add-support-for-MAP-E-FMRs-mesh-mode.patch
target/linux/generic/patches-3.18/667-ipv6-Fixed-source-specific-default-route-handling.patch
target/linux/generic/patches-3.18/670-ipv6-allow-rejecting-with-source-address-failed-policy.patch
target/linux/generic/patches-3.18/680-NET-skip-GRO-for-foreign-MAC-addresses.patch
target/linux/generic/patches-3.18/702-phy_add_aneg_done_function.patch
target/linux/generic/patches-3.18/703-phy-add-detach-callback-to-struct-phy_driver.patch
target/linux/generic/patches-3.18/704-phy-no-genphy-soft-reset.patch
target/linux/generic/patches-3.18/721-phy_packets.patch
target/linux/generic/patches-3.18/750-hostap_txpower.patch
target/linux/generic/patches-3.18/773-bgmac-add-srab-switch.patch
target/linux/generic/patches-3.18/811-pci_disable_usb_common_quirks.patch
target/linux/generic/patches-3.18/902-debloat_proc.patch
target/linux/generic/patches-3.18/940-ocf_kbuild_integration.patch
target/linux/generic/patches-3.18/997-device_tree_cmdline.patch
target/linux/imx6/patches-3.18/201-pci_imx6_ventana_fixup-for-IRQ-mismapping.patch
target/linux/imx6/patches-3.18/202-net-igb-add-i210-i211-support-for-phy-read-write.patch
target/linux/imx6/patches-3.18/203-net-igb-add-phy-read-write-functions-that-accept-phy.patch
target/linux/imx6/patches-3.18/204-net-igb-register-mii_bus-for-SerDes-w-external-phy.patch
target/linux/ixp4xx/patches-3.18/600-skb_avoid_dmabounce.patch
target/linux/lantiq/patches-3.18/0001-MIPS-lantiq-add-pcie-driver.patch
target/linux/lantiq/patches-3.18/0026-NET-multi-phy-support.patch
target/linux/lantiq/patches-3.18/0032-USB-fix-roothub-for-IFXHCD.patch
target/linux/mcs814x/patches-3.18/008-mcs814x_gpio.patch
target/linux/mvebu/files/arch/arm/boot/dts/armada-385-linksys.dtsi
target/linux/mvebu/patches-3.18/700-usb_xhci_plat_phy_support.patch
target/linux/omap/patches-3.18/0334-video-da8xx-fb-adding-dt-support.patch
target/linux/omap/patches-3.18/0343-video-da8xx-fb-Add-API-to-register-wait-for-vsync-ca.patch
target/linux/omap/patches-3.18/0752-video-da8xx-fb-fix-defect-with-vsync-callback-invoca.patch
target/linux/oxnas/patches-3.18/250-add-plxtech-vendor-prefix.patch
target/linux/oxnas/patches-3.18/500-oxnas-sata.patch
target/linux/ramips/patches-3.18/0033-NET-multi-phy-support.patch
target/linux/ramips/patches-3.18/0057-uvc-add-iPassion-iP2970-support.patch
target/linux/ramips/patches-3.18/0062-mt7621-add-ECHI-OCHI-XCHI-support.patch
target/linux/ramips/patches-3.18/0065-fix_dts_cache_issues.patch
target/linux/sunxi/patches-3.18/200-mmc-add-sdio-function-subnode.patch
target/linux/uml/patches-3.18/001-fix_make_headers_install.patch
target/linux/xburst/patches-3.18/007-qi_lb60-Don-t-use-3-wire-spi-mode-for-the-display-fo.patch

index e518cce..a7b7617 100644 (file)
@@ -13,7 +13,7 @@ DOWNLOAD_RDEP=$(STAMP_PREPARED) $(HOST_STAMP_PREPARED)
 define dl_method
 $(strip \
   $(if $(2),$(2), \
-    $(if $(filter @GNOME/% @GNU/% @KERNEL/% @SF/% @SAVANNAH/% ftp://% http://% https://% file://%,$(1)),default, \
+    $(if $(filter @APACHE/% @GITHUB/% @GNOME/% @GNU/% @KERNEL/% @SF/% @SAVANNAH/% ftp://% http://% https://% file://%,$(1)),default, \
       $(if $(filter git://%,$(1)),git, \
         $(if $(filter svn://%,$(1)),svn, \
           $(if $(filter cvs://%,$(1)),cvs, \
index 2f6d279..9a95ef3 100644 (file)
@@ -2,9 +2,9 @@
 
 LINUX_RELEASE?=1
 
-LINUX_VERSION-3.18 = .45
+LINUX_VERSION-3.18 = .84
 
-LINUX_KERNEL_MD5SUM-3.18.45 = c527bae0aa1a5d6f3ebe31ad348c5339
+LINUX_KERNEL_MD5SUM-3.18.84 = e79685de43fcf3c4ada7d4fc5230a518
 
 ifdef KERNEL_PATCHVER
   LINUX_VERSION:=$(KERNEL_PATCHVER)$(strip $(LINUX_VERSION-$(KERNEL_PATCHVER)))
index 25627b6..754d290 100755 (executable)
@@ -10,8 +10,7 @@ then
 else
 cat << EOF
  === IMPORTANT ============================
-  Use 'passwd' to set your login password
-  this will disable telnet and enable SSH
+  Use 'passwd' to set your login password!
  ------------------------------------------
 EOF
 fi
index 15dcbd8..b12e317 100644 (file)
@@ -1,9 +1,10 @@
 #!/bin/sh
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2015 OpenWrt.org
 # Copyright (C) 2010 Vertical Communications
 
 failsafe_netlogin () {
-       telnetd -l /bin/login.sh <> /dev/null 2>&1
+       dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+       dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
 }
 
 failsafe_shell() {
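Review bot: The failsafe host key is generated at 1024 bits (`dropbearkey -t rsa -s 1024`), below the 2048-bit minimum that current guidance gives for RSA; unless key-generation time on slow targets forces this, use `-s 2048`, or add a comment stating the trade-off. The key is recreated under /tmp on every failsafe boot, so a client can never pin it and must accept an unknown host key each time, which also deserves a comment. dropbearkey's exit status is not checked before dropbear is started with `-r`, and dropbear's output is discarded, so a failed key generation would likely leave failsafe without network login and without any message. Something like `dropbearkey -t rsa -s 2048 -f /tmp/dropbear_failsafe_host_key || return` would make that case explicit.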
index 286984b..370be7d 100644 (file)
@@ -14,7 +14,7 @@ PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_REV).tar.gz
 PKG_SOURCE_URL:=https://github.com/Hexxeh/rpi-firmware/archive/
-PKG_MD5SUM:=f5683c1dcb255714942f7c9fd61b3a0a
+PKG_MD5SUM:=edefa7a1684d5b0a2b11acd058adceff
 
 PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_NAME)/rpi-firmware-$(PKG_REV)
 
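Review bot: The only change in this hunk is the `PKG_MD5SUM` value, while `PKG_SOURCE:=$(PKG_REV).tar.gz` and the URL are unchanged, so the pinned checksum is being replaced for what appears to be the same upstream archive (PKG_REV is defined above the hunk and is not shown). A checksum that changes without a revision change is exactly what the pin exists to catch. Once the new tarball has been compared against the previous one, record the reason, e.g. `# checksum changed: archive for this PKG_REV was regenerated upstream, contents verified against the old tarball`. MD5 is also not collision-resistant; if scripts/download.pl in this tree accepts a SHA-256 value, pin that instead, here and on the other `PKG_MD5SUM` / `LINUX_KERNEL_MD5SUM` lines this commit updates (kernel 3.18.84, lzo, openssl, polarssl, dnsmasq). That matters most for lzo, openssl and dnsmasq, whose `PKG_SOURCE_URL` entries are http:// or ftp://.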
diff --git a/package/kernel/mac80211/patches/090-remove-cred.patch b/package/kernel/mac80211/patches/090-remove-cred.patch
new file mode 100644 (file)
index 0000000..3adb2af
--- /dev/null
@@ -0,0 +1,15 @@
+This is only needed for kernel < 2.6.29 and conflicts with kernel 4.4.42
+
+--- a/backport-include/linux/cred.h
++++ /dev/null
+@@ -1,10 +0,0 @@
+-#ifndef __BACKPORT_LINUX_CRED_H
+-#define __BACKPORT_LINUX_CRED_H
+-#include_next <linux/cred.h>
+-#include <linux/version.h>
+-
+-#ifndef current_user_ns
+-#define current_user_ns()     (current->nsproxy->user_ns)
+-#endif
+-
+-#endif /* __BACKPORT_LINUX_CRED_H */
index 6a88a6f..b631759 100644 (file)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2012 OpenWrt.org
+# Copyright (C) 2006-2016 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=lzo
-PKG_VERSION:=2.08
+PKG_VERSION:=2.10
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.oberhumer.com/opensource/lzo/download/
-PKG_MD5SUM:=fcec64c26a0f4f4901468f360029678f
+PKG_MD5SUM:=39d3f3f9c55c87b1e5d6888e1420f4b5
 
 PKG_FIXUP:=autoreconf
 PKG_INSTALL:=1
diff --git a/package/libs/mbedtls/patches/200-config.patch b/package/libs/mbedtls/patches/200-config.patch
new file mode 100644 (file)
index 0000000..54910b9
--- /dev/null
@@ -0,0 +1,208 @@
+--- a/include/mbedtls/config.h
++++ b/include/mbedtls/config.h
+@@ -185,7 +185,7 @@
+  *
+  * Uncomment to get errors on using deprecated functions.
+  */
+-//#define MBEDTLS_DEPRECATED_REMOVED
++#define MBEDTLS_DEPRECATED_REMOVED
+ /* \} name SECTION: System support */
+@@ -341,7 +341,7 @@
+  *
+  * Enable Cipher Feedback mode (CFB) for symmetric ciphers.
+  */
+-#define MBEDTLS_CIPHER_MODE_CFB
++//#define MBEDTLS_CIPHER_MODE_CFB
+ /**
+  * \def MBEDTLS_CIPHER_MODE_CTR
+@@ -435,13 +435,13 @@
+  *
+  * Comment macros to disable the curve and functions for it
+  */
+-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
++//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
++//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
++//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
++//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ #define MBEDTLS_ECP_DP_BP256R1_ENABLED
+ #define MBEDTLS_ECP_DP_BP384R1_ENABLED
+@@ -517,7 +517,7 @@
+  *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+  *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+  */
+-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
++//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ /**
+  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+@@ -562,7 +562,7 @@
+  *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+  */
+-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
++//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ /**
+  * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+@@ -616,7 +616,7 @@
+  *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+  *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+  */
+-#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
++//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+ /**
+  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+@@ -689,7 +689,7 @@
+  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
+  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
+  */
+-#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
++//#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ /**
+  * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+@@ -713,7 +713,7 @@
+  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
+  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
+  */
+-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
++//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+ /**
+  * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+@@ -879,7 +879,7 @@
+  *
+  * Comment this macro to disable support for external private RSA keys.
+  */
+-#define MBEDTLS_PK_RSA_ALT_SUPPORT
++//#define MBEDTLS_PK_RSA_ALT_SUPPORT
+ /**
+  * \def MBEDTLS_PKCS1_V15
+@@ -911,14 +911,14 @@
+  * Uncomment this macro to disable the use of CRT in RSA.
+  *
+  */
+-//#define MBEDTLS_RSA_NO_CRT
++#define MBEDTLS_RSA_NO_CRT
+ /**
+  * \def MBEDTLS_SELF_TEST
+  *
+  * Enable the checkup functions (*_self_test).
+  */
+-#define MBEDTLS_SELF_TEST
++//#define MBEDTLS_SELF_TEST
+ /**
+  * \def MBEDTLS_SHA256_SMALLER
+@@ -934,7 +934,7 @@
+  *
+  * Uncomment to enable the smaller implementation of SHA256.
+  */
+-//#define MBEDTLS_SHA256_SMALLER
++#define MBEDTLS_SHA256_SMALLER
+ /**
+  * \def MBEDTLS_SSL_AEAD_RANDOM_IV
+@@ -1271,7 +1271,7 @@
+  *
+  * Comment this macro to disable support for truncated HMAC in SSL
+  */
+-#define MBEDTLS_SSL_TRUNCATED_HMAC
++//#define MBEDTLS_SSL_TRUNCATED_HMAC
+ /**
+  * \def MBEDTLS_THREADING_ALT
+@@ -1507,7 +1507,7 @@
+  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+  *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+  */
+-#define MBEDTLS_ARC4_C
++//#define MBEDTLS_ARC4_C
+ /**
+  * \def MBEDTLS_ASN1_PARSE_C
+@@ -1572,7 +1572,7 @@
+  *
+  * Module:  library/blowfish.c
+  */
+-#define MBEDTLS_BLOWFISH_C
++//#define MBEDTLS_BLOWFISH_C
+ /**
+  * \def MBEDTLS_CAMELLIA_C
+@@ -1627,7 +1627,7 @@
+  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+  */
+-#define MBEDTLS_CAMELLIA_C
++//#define MBEDTLS_CAMELLIA_C
+ /**
+  * \def MBEDTLS_CCM_C
+@@ -1641,7 +1641,7 @@
+  * This module enables the AES-CCM ciphersuites, if other requisites are
+  * enabled as well.
+  */
+-#define MBEDTLS_CCM_C
++//#define MBEDTLS_CCM_C
+ /**
+  * \def MBEDTLS_CERTS_C
+@@ -1653,7 +1653,7 @@
+  *
+  * This module is used for testing (ssl_client/server).
+  */
+-#define MBEDTLS_CERTS_C
++//#define MBEDTLS_CERTS_C
+ /**
+  * \def MBEDTLS_CIPHER_C
+@@ -1693,7 +1693,7 @@
+  *
+  * This module provides debugging functions.
+  */
+-#define MBEDTLS_DEBUG_C
++//#define MBEDTLS_DEBUG_C
+ /**
+  * \def MBEDTLS_DES_C
+@@ -1733,7 +1733,7 @@
+  * This module is used by the following key exchanges:
+  *      DHE-RSA, DHE-PSK
+  */
+-#define MBEDTLS_DHM_C
++//#define MBEDTLS_DHM_C
+ /**
+  * \def MBEDTLS_ECDH_C
+@@ -2151,7 +2151,7 @@
+  * Caller:  library/mbedtls_md.c
+  *
+  */
+-#define MBEDTLS_RIPEMD160_C
++//#define MBEDTLS_RIPEMD160_C
+ /**
+  * \def MBEDTLS_RSA_C
+@@ -2461,7 +2461,7 @@
+  * Module:  library/xtea.c
+  * Caller:
+  */
+-#define MBEDTLS_XTEA_C
++//#define MBEDTLS_XTEA_C
+ /* \} name SECTION: mbed TLS modules */
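Review bot: The patch comments out ARC4, Blowfish, Camellia and XTEA but never touches `MBEDTLS_DES_C`, which appears only as trailing context after the `MBEDTLS_DEBUG_C` change. Assuming upstream's config.h leaves it defined, the 3DES suites stay compiled in; adding `//#define MBEDTLS_DES_C` would match the rest of the cipher pruning unless a consumer still needs it. The file also has no header saying whether each toggle is for size or for hardening, whereas 090-remove-cred.patch in this same commit carries a one-line rationale. A short description at the top stating the actual intent would help whoever refreshes the patch next, and `MBEDTLS_RSA_NO_CRT` and the removal of `MBEDTLS_SELF_TEST` in particular deserve a one-line reason each.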
index ea68f16..3d563e1 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
 PKG_BASE:=1.0.2
-PKG_BUGFIX:=j
+PKG_BUGFIX:=m
 PKG_VERSION:=$(PKG_BASE)$(PKG_BUGFIX)
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
@@ -21,7 +21,7 @@ PKG_SOURCE_URL:=http://www.openssl.org/source/ \
        http://www.openssl.org/source/old/$(PKG_BASE)/ \
        ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
        ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=96322138f0b69e61b7212bc53d5e912b
+PKG_MD5SUM:=10e9e37f492094b9ef296f68f24a7666
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
index 1721842..0f174a3 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -468,6 +468,12 @@ my %table=(
+@@ -470,6 +470,12 @@ my %table=(
  "linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
  "linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
  
index 7503dfc..83c412f 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile.org
 +++ b/Makefile.org
-@@ -136,7 +136,7 @@ FIPSCANLIB=
+@@ -137,7 +137,7 @@ FIPSCANLIB=
  
  BASEADDR=
  
index f509d28..f8c5d6e 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Configure
 +++ b/Configure
-@@ -2109,6 +2109,11 @@ EOF
+@@ -2129,6 +2129,11 @@ EOF
        close(OUT);
    }
    
index a3bee38..e38d44a 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile
 +++ b/Makefile
-@@ -138,7 +138,7 @@ FIPSCANLIB=
+@@ -139,7 +139,7 @@ FIPSCANLIB=
  
  BASEADDR=0xFB00000
  
@@ -9,7 +9,7 @@
  ENGDIRS= ccgost
  SHLIBDIRS= crypto ssl
  
-@@ -156,7 +156,7 @@ SDIRS=  \
+@@ -157,7 +157,7 @@ SDIRS=  \
  
  # tests to perform.  "alltests" is a special word indicating that all tests
  # should be performed.
@@ -18,7 +18,7 @@
  
  MAKEFILE= Makefile
  
-@@ -170,7 +170,7 @@ SHELL=/bin/sh
+@@ -171,7 +171,7 @@ SHELL=/bin/sh
  
  TOP=    .
  ONEDIRS=out tmp
@@ -27,7 +27,7 @@
  WDIRS=  windows
  LIBS=   libcrypto.a libssl.a
  SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
-@@ -273,7 +273,7 @@ reflect:
+@@ -276,7 +276,7 @@ reflect:
  
  sub_all: build_all
  
@@ -36,7 +36,7 @@
  
  build_libs: build_libcrypto build_libssl openssl.pc
  
-@@ -530,7 +530,7 @@ dist:
+@@ -542,7 +542,7 @@ dist:
        @$(MAKE) SDIRS='$(SDIRS)' clean
        @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
  
@@ -47,7 +47,7 @@
        @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 --- a/Makefile.org
 +++ b/Makefile.org
-@@ -528,7 +528,7 @@ dist:
+@@ -540,7 +540,7 @@ dist:
        @$(MAKE) SDIRS='$(SDIRS)' clean
        @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
  
index ffc2f2d..424e660 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile.org
 +++ b/Makefile.org
-@@ -184,7 +184,7 @@ TARFILE=        ../$(NAME).tar
+@@ -185,7 +185,7 @@ TARFILE=        ../$(NAME).tar
  EXHEADER=       e_os2.h
  HEADER=         e_os.h
  
@@ -9,7 +9,7 @@
  
  # as we stick to -e, CLEARENV ensures that local variables in lower
  # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
-@@ -400,11 +400,6 @@ openssl.pc: Makefile
+@@ -404,11 +404,6 @@ openssl.pc: Makefile
            echo 'Version: '$(VERSION); \
            echo 'Requires: libssl libcrypto' ) > openssl.pc
  
index e3a0bb2..f2acc4a 100644 (file)
@@ -1,6 +1,6 @@
 --- a/Makefile.org
 +++ b/Makefile.org
-@@ -279,17 +279,17 @@ build_libcrypto: build_crypto build_engi
+@@ -282,17 +282,17 @@ build_libcrypto: build_crypto build_engi
  build_libssl: build_ssl libssl.pc
  
  build_crypto:
@@ -24,7 +24,7 @@
  
  all_testapps: build_libs build_testapps
  build_testapps:
-@@ -461,7 +461,7 @@ update: errors stacks util/libeay.num ut
+@@ -473,7 +473,7 @@ update: errors stacks util/libeay.num ut
        @set -e; target=update; $(RECURSIVE_BUILD_CMD)
  
  depend:
@@ -33,7 +33,7 @@
  
  lint:
        @set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-@@ -523,9 +523,9 @@ dist:
+@@ -535,9 +535,9 @@ dist:
        @$(MAKE) SDIRS='$(SDIRS)' clean
        @$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
  
@@ -45,7 +45,7 @@
        @$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
                $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
                $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-@@ -534,12 +534,19 @@ install_sw:
+@@ -546,12 +546,19 @@ install_sw:
                $(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
                $(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
                $(INSTALL_PREFIX)$(OPENSSLDIR)/private
@@ -66,7 +66,7 @@
        @set -e; liblist="$(LIBS)"; for i in $$liblist ;\
        do \
                if [ -f "$$i" ]; then \
-@@ -623,12 +630,7 @@ install_html_docs:
+@@ -635,12 +642,7 @@ install_html_docs:
                done; \
        done
  
        ctags $(SRC)
 --- a/test/Makefile
 +++ b/test/Makefile
-@@ -139,7 +139,7 @@ install:
+@@ -144,7 +144,7 @@ install:
  tags:
        ctags $(SRC)
  
  
  apps:
        @(cd ..; $(MAKE) DIRS=apps all)
-@@ -557,7 +557,7 @@ $(SSLV2CONFTEST)$(EXE_EXT): $(SSLV2CONFT
+@@ -578,7 +578,7 @@ $(DTLSTEST)$(EXE_EXT): $(DTLSTEST).o ssl
  #     fi
  
  dummytest$(EXE_EXT): dummytest.o $(DLIBCRYPTO)
index dc13679..7ac161d 100644 (file)
@@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=polarssl
 SRC_PKG_NAME:=mbedtls
-PKG_VERSION:=1.3.14
+PKG_VERSION:=1.3.17
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(SRC_PKG_NAME)-$(PKG_VERSION)-gpl.tgz
-PKG_SOURCE_URL:=https://polarssl.org/download/
-PKG_MD5SUM:=869c7b5798b8769902880c7cf0212fed
+PKG_SOURCE_URL:=https://tls.mbed.org/download/
+PKG_MD5SUM:=a6ed92fc377ef60f7c24d42b900e0dad
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(SRC_PKG_NAME)-$(PKG_VERSION)
 
diff --git a/package/libs/polarssl/patches/100-disable_sslv3.patch b/package/libs/polarssl/patches/100-disable_sslv3.patch
deleted file mode 100644 (file)
index 56c6c4d..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
---- a/include/polarssl/config.h
-+++ b/include/polarssl/config.h
-@@ -1011,8 +1011,8 @@
-  *           POLARSSL_SHA1_C
-  *
-  * Comment this macro to disable support for SSL 3.0
-- */
- #define POLARSSL_SSL_PROTO_SSL3
-+ */
- /**
-  * \def POLARSSL_SSL_PROTO_TLS1
index 80b07ef..9e2734a 100644 (file)
  
  /**
   * \def POLARSSL_SSL_AEAD_RANDOM_IV
-@@ -1138,8 +1138,8 @@
+@@ -1151,8 +1151,8 @@
   * Requires: POLARSSL_VERSION_C
   *
   * Comment this to disable run-time checking and save ROM space
  
  /**
   * \def POLARSSL_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1457,8 +1457,8 @@
+@@ -1470,8 +1470,8 @@
   *      TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
   *      TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  
  /**
   * \def POLARSSL_CCM_C
-@@ -1485,8 +1485,8 @@
+@@ -1498,8 +1498,8 @@
   * Requires: POLARSSL_PEM_PARSE_C
   *
   * This module is used for testing (ssl_client/server).
  
  /**
   * \def POLARSSL_CIPHER_C
-@@ -1525,8 +1525,8 @@
+@@ -1538,8 +1538,8 @@
   *          library/ssl_tls.c
   *
   * This module provides debugging functions.
  
  /**
   * \def POLARSSL_DES_C
-@@ -1581,8 +1581,8 @@
+@@ -1594,8 +1594,8 @@
   *      ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
   *
   * Requires: POLARSSL_ECP_C
  
  /**
   * \def POLARSSL_ECDSA_C
-@@ -1596,8 +1596,8 @@
+@@ -1609,8 +1609,8 @@
   *      ECDHE-ECDSA
   *
   * Requires: POLARSSL_ECP_C, POLARSSL_ASN1_WRITE_C, POLARSSL_ASN1_PARSE_C
  
  /**
   * \def POLARSSL_ECP_C
-@@ -1609,8 +1609,8 @@
+@@ -1622,8 +1622,8 @@
   *          library/ecdsa.c
   *
   * Requires: POLARSSL_BIGNUM_C and at least one POLARSSL_ECP_DP_XXX_ENABLED
  
  /**
   * \def POLARSSL_ENTROPY_C
-@@ -1649,8 +1649,8 @@
-  *
-  * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
-  * requisites are enabled as well.
-- */
- #define POLARSSL_GCM_C
-+ */
- /**
-  * \def POLARSSL_HAVEGE_C
-@@ -1686,8 +1686,8 @@
+@@ -1699,8 +1699,8 @@
   * Requires: POLARSSL_MD_C
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
  
  /**
   * \def POLARSSL_MD_C
-@@ -1813,8 +1813,8 @@
+@@ -1826,8 +1826,8 @@
   * Requires: POLARSSL_HAVE_ASM
   *
   * This modules adds support for the VIA PadLock on x86.
  
  /**
   * \def POLARSSL_PBKDF2_C
-@@ -1979,8 +1979,8 @@
+@@ -1992,8 +1992,8 @@
   * Module:  library/ripemd160.c
   * Caller:  library/md.c
   *
  
  /**
   * \def POLARSSL_RSA_C
-@@ -2059,8 +2059,8 @@
+@@ -2072,8 +2072,8 @@
   * Caller:
   *
   * Requires: POLARSSL_SSL_CACHE_C
  
  /**
   * \def POLARSSL_SSL_CLI_C
-@@ -2136,8 +2136,8 @@
+@@ -2149,8 +2149,8 @@
   * Caller:  library/havege.c
   *
   * This module is used by the HAVEGE random number generator.
  
  /**
   * \def POLARSSL_VERSION_C
-@@ -2147,8 +2147,8 @@
+@@ -2160,8 +2160,8 @@
   * Module:  library/version.c
   *
   * This module provides run-time version information.
  
  /**
   * \def POLARSSL_X509_USE_C
-@@ -2257,8 +2257,8 @@
+@@ -2270,8 +2270,8 @@
   *
   * Module:  library/xtea.c
   * Caller:
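Review bot: Nothing in the visible part of this refreshed patch comments out `POLARSSL_SSL_PROTO_SSL3`, and this commit deletes 100-disable_sslv3.patch, whose context shows that macro defined in upstream's config.h. Unless the top of this patch takes over that change (its first hunk header is not shown on the page), the 1.3.17 build would have SSL 3.0 support compiled back in. If it is not already covered, carry the hunk over here by moving the closing `*/` below `#define POLARSSL_SSL_PROTO_SSL3`, as the deleted patch did. The refresh also drops the hunk that disabled `POLARSSL_GCM_C`; that looks intentional, since it makes the AES-GCM suites available, but it is a behaviour change worth a line in the commit message.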
index 19a8df9..9f38de1 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.73
+PKG_VERSION:=2.78
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_MD5SUM:=b8bfe96d22945c8cf4466826ba9b21bd
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
+PKG_MD5SUM:=6d0241b72c79d2b510776ccc4ed69ca4
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -24,6 +24,7 @@ PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6 \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
+       CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
        CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset
 
@@ -50,7 +51,7 @@ endef
 
 define Package/dnsmasq-full
 $(call Package/dnsmasq/Default)
-  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset enabled by default)
+  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, NO_ID enabled by default)
   DEPENDS:=+PACKAGE_dnsmasq_full_dnssec:libnettle \
        +PACKAGE_dnsmasq_full_dhcpv6:kmod-ipv6 \
        +PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset
@@ -70,8 +71,8 @@ endef
 define Package/dnsmasq-full/description
 $(call Package/dnsmasq/description)
 
-This is a fully configurable variant with DHCPv6, DNSSEC, Authroitative DNS and
-IPset support enabled by default.
+This is a fully configurable variant with DHCPv6, DNSSEC, Authoritative DNS and
+IPset, NO_ID support enabled by default.
 endef
 
 define Package/dnsmasq/conffiles
@@ -88,6 +89,9 @@ define Package/dnsmasq-full/config
        config PACKAGE_dnsmasq_full_dnssec
                bool "Build with DNSSEC support."
                default y
+       config PACKAGE_dnsmasq_full_noid
+               bool "Build with NO_ID. (hide *.bind pseudo domain)"
+               default y
        config PACKAGE_dnsmasq_full_auth
                bool "Build with the facility to act as an authoritative DNS server."
                default y
@@ -113,10 +117,11 @@ ifeq ($(BUILD_VARIANT),full)
        COPTS += $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6),,-DNO_DHCP6) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
+               $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
                $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET)
        COPTS += $(if $(CONFIG_LIBNETTLE_MINI),-DNO_GMP,)
 else
-       COPTS += -DNO_AUTH -DNO_IPSET
+       COPTS += -DNO_AUTH -DNO_IPSET -DNO_ID
 endif
 
 MAKE_FLAGS := \
diff --git a/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch b/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch
deleted file mode 100644 (file)
index a502a60..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
---- a/src/dhcp.c
-+++ b/src/dhcp.c
-@@ -146,7 +146,7 @@ void dhcp_packet(time_t now, int pxe_fd)
-   struct iovec iov;
-   ssize_t sz; 
-   int iface_index = 0, unicast_dest = 0, is_inform = 0;
--  struct in_addr iface_addr;
-+  struct in_addr iface_addr, *addrp = NULL;
-   struct iface_param parm;
- #ifdef HAVE_LINUX_NETWORK
-   struct arpreq arp_req;
-@@ -272,11 +272,9 @@ void dhcp_packet(time_t now, int pxe_fd)
-     {
-       ifr.ifr_addr.sa_family = AF_INET;
-       if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
--      iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
--      else
-       {
--        my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
--        return;
-+        addrp = &iface_addr;
-+        iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-       }
-       
-       for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-@@ -295,7 +293,7 @@ void dhcp_packet(time_t now, int pxe_fd)
-       parm.relay_local.s_addr = 0;
-       parm.ind = iface_index;
-       
--      if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
-+      if (!iface_check(AF_INET, (struct all_addr *)addrp, ifr.ifr_name, NULL))
-       {
-         /* If we failed to match the primary address of the interface, see if we've got a --listen-address
-            for a secondary */
-@@ -315,6 +313,12 @@ void dhcp_packet(time_t now, int pxe_fd)
-         complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
-       }    
-       
-+      if (!addrp)
-+        {
-+          my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
-+          return;
-+        }
-+
-       if (!iface_enumerate(AF_INET, &parm, complete_context))
-       return;
index 61b09d5..88e334b 100644 (file)
        (buffer = safe_malloc(BUFF_SZ)) &&
        (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
        (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
-@@ -168,62 +149,16 @@ static int new_add_to_ipset(const char *
- }
--static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
--{
--  socklen_t size;
--  struct ip_set_req_adt_get {
--    unsigned op;
--    unsigned version;
--    union {
--      char name[IPSET_MAXNAMELEN];
--      uint16_t index;
--    } set;
--    char typename[IPSET_MAXNAMELEN];
--  } req_adt_get;
--  struct ip_set_req_adt {
--    unsigned op;
--    uint16_t index;
--    uint32_t ip;
--  } req_adt;
--  
--  if (strlen(setname) >= sizeof(req_adt_get.set.name)) 
--    {
--      errno = ENAMETOOLONG;
--      return -1;
--    }
--  
--  req_adt_get.op = 0x10;
--  req_adt_get.version = 3;
--  strcpy(req_adt_get.set.name, setname);
--  size = sizeof(req_adt_get);
--  if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
--    return -1;
--  req_adt.op = remove ? 0x102 : 0x101;
--  req_adt.index = req_adt_get.set.index;
--  req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
--  if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
--    return -1;
--  
--  return 0;
--}
--
--
--
- int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
- {
-   int af = AF_INET;
- #ifdef HAVE_IPV6
+@@ -217,17 +198,10 @@ int add_to_ipset(const char *setname, co
    if (flags & F_IPV6)
--    {
+     {
        af = AF_INET6;
 -      /* old method only supports IPv4 */
 -      if (old_kernel)
--      return -1;
--    }
+-      {
+-        errno = EAFNOSUPPORT ;
+-        ret = -1;
+-      }
+     }
  #endif
    
--  return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
-+  return new_add_to_ipset(setname, ipaddr, af, remove);
- }
+-  if (ret != -1) 
+-    ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
++    ret = new_add_to_ipset(setname, ipaddr, af, remove);
  
- #endif
+   if (ret == -1)
+      my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
index 97dfe3b..2f854d4 100644 (file)
@@ -10,40 +10,38 @@ Signed-off-by: Steven Barth <steven@midlink.org>
 
 --- a/src/dnssec.c
 +++ b/src/dnssec.c
-@@ -432,17 +432,24 @@ static int back_to_the_future;
+@@ -462,17 +462,24 @@ static time_t timestamp_time;
  int setup_timestamp(void)
  {
    struct stat statbuf;
--  
 +  time_t now;
 +  time_t base = 1420070400; /* 1-1-2015 */
-+
-   back_to_the_future = 0;
+   
+   daemon->back_to_the_future = 0;
    
    if (!daemon->timestamp_file)
      return 0;
--  
 +
 +  now = time(NULL);
 +
 +  if (!stat("/proc/self/exe", &statbuf) && difftime(statbuf.st_mtime, base) > 0)
 +    base = statbuf.st_mtime;
-+
+   
    if (stat(daemon->timestamp_file, &statbuf) != -1)
      {
        timestamp_time = statbuf.st_mtime;
      check_and_exit:
 -      if (difftime(timestamp_time, time(0)) <=  0)
-+      if (difftime(now, base) >= 0 && difftime(timestamp_time, now) <=  0)
++      if (difftime(now, base) >= 0 && difftime(timestamp_time, now) <= 0)
        {
          /* time already OK, update timestamp, and do key checking from the start. */
-         if (utime(daemon->timestamp_file, NULL) == -1)
-@@ -463,7 +470,7 @@ int setup_timestamp(void)
+         if (utimes(daemon->timestamp_file, NULL) == -1)
+@@ -493,7 +500,7 @@ int setup_timestamp(void)
  
          close(fd);
          
--        timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */
-+        timestamp_time = timbuf.actime = timbuf.modtime = base;
-         if (utime(daemon->timestamp_file, &timbuf) == 0)
-           goto check_and_exit;
-       }
+-        timestamp_time = 1420070400; /* 1-1-2015 */
++        timestamp_time = base; /* 1-1-2015 */
+         tv[0].tv_sec = tv[1].tv_sec = timestamp_time;
+         tv[0].tv_usec = tv[1].tv_usec = 0;
+         if (utimes(daemon->timestamp_file, tv) == 0)
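Review bot: The refreshed line `timestamp_time = base; /* 1-1-2015 */` carries a comment that is no longer true. A few lines earlier `base` is raised to the mtime of /proc/self/exe whenever that is later than 1-1-2015. `base` is also the floor in `difftime(now, base) >= 0` that decides whether the clock counts as set for DNSSEC, so the comment should say what the value really is, for example `timestamp_time = base; /* 1-1-2015 or the binary's mtime, whichever is later */`. setup_timestamp() continues outside the hunk.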
diff --git a/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch b/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch
new file mode 100644 (file)
index 0000000..37b11ab
--- /dev/null
@@ -0,0 +1,18 @@
+dnsmasq: fix warning with poll.h include on musl
+
+Warning is:
+  #warning redirecting incorrect #include <sys/poll.h> to <poll.h>
+
+Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
+
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -88,7 +88,7 @@ typedef unsigned long long u64;
+ #if defined(HAVE_SOLARIS_NETWORK)
+ #  include <sys/sockio.h>
+ #endif
+-#include <sys/poll.h>
++#include <poll.h>
+ #include <sys/wait.h>
+ #include <sys/time.h>
+ #include <sys/un.h>
index e2a7610..7c2edd7 100644 (file)
@@ -1,6 +1,15 @@
 menu "Configuration"
        depends on PACKAGE_dropbear
 
+config DROPBEAR_CURVE25519
+       bool "Curve25519 support"
+       default y
+       help
+               This enables the following key exchange algorithm:
+                 curve25519-sha256@libssh.org
+
+               Increases binary size by about 13 kB uncompressed (MIPS).
+
 config DROPBEAR_ECC
        bool "Elliptic curve cryptography (ECC)"
        default n
@@ -12,7 +21,6 @@ config DROPBEAR_ECC
                  ecdh-sha2-nistp256
                  ecdh-sha2-nistp384
                  ecdh-sha2-nistp521
-                 curve25519-sha256@libssh.org
 
                Public key algorithms:
                  ecdsa-sha2-nistp256
@@ -22,6 +30,21 @@ config DROPBEAR_ECC
                Does not generate ECC host keys by default (ECC key exchange will not be used,
                only ECC public key auth).
 
-               Increases binary size by about 36 kB (MIPS).
+               Increases binary size by about 23 kB (MIPS).
+
+config DROPBEAR_UTMP
+       bool "Utmp support"
+       default n
+       depends on BUSYBOX_CONFIG_FEATURE_UTMP
+       help
+               This enables dropbear utmp support, the file /var/run/utmp is used to
+               track who is currently logged in.
+
+config DROPBEAR_PUTUTLINE
+       bool "Pututline support"
+       default n
+       depends on DROPBEAR_UTMP
+       help
+               Dropbear will use pututline() to write the utmp structure into the utmp file.
 
 endmenu
index 35958d3..55b39d1 100644 (file)
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2014 OpenWrt.org
+# Copyright (C) 2006-2016 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2015.67
+PKG_VERSION:=2017.75
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        http://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=e967e320344cd4bfebe321e3ab8514d6
+PKG_MD5SUM:=e57e9b9d25705dcb073ba15c416424fd
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -23,10 +23,14 @@ PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
 PKG_BUILD_PARALLEL:=1
 PKG_USE_MIPS16:=0
 
-PKG_CONFIG_DEPENDS:=CONFIG_DROPBEAR_ECC
+PKG_CONFIG_DEPENDS:=CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_CURVE25519
 
 include $(INCLUDE_DIR)/package.mk
 
+ifneq ($(DUMP),1)
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell $(SH_FUNC) echo $(CONFIG_TARGET_INIT_PATH) | md5s)
+endif
+
 define Package/dropbear/Default
   URL:=http://matt.ucc.asn.au/dropbear/
 endef
@@ -48,7 +52,6 @@ endef
 
 define Package/dropbear/conffiles
 /etc/dropbear/dropbear_rsa_host_key
-/etc/dropbear/dropbear_dss_host_key 
 /etc/config/dropbear 
 endef
 
@@ -65,25 +68,34 @@ CONFIGURE_ARGS += \
        --enable-syslog \
        $(if $(CONFIG_SHADOW_PASSWORDS),,--disable-shadow) \
        --disable-lastlog \
-       --disable-utmp \
-       --disable-utmpx \
+       $(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
        --disable-wtmp \
        --disable-wtmpx \
        --disable-loginfunc \
-       --disable-pututline \
+       $(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
        --disable-pututxline \
        --disable-zlib \
        --enable-bundled-libtom
 
-TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections
+TARGET_CFLAGS += -DDEFAULT_PATH=\\\"$(TARGET_INIT_PATH)\\\" -DARGTYPE=3 -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
 define Build/Configure
        $(Build/Configure/Default)
 
+       $(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \
+               $(PKG_BUILD_DIR)/options.h
+
+       awk 'BEGIN { rc = 1 } \
+            /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
+            { print } \
+            END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
+            >$(PKG_BUILD_DIR)/options.h.new && \
+       mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
+
        # Enforce that all replacements are made, otherwise options.h has changed
        # format and this logic is broken.
-       for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH DROPBEAR_CURVE25519; do \
+       for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
          awk 'BEGIN { rc = 1 } \
               /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
               { print } \
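Review bot: The new `$(SED)` call that rewrites `DEFAULT_PATH` in options.h succeeds even when nothing matches, unlike the awk blocks beside it, which exit non-zero if their option is not found. The same applies to the `LOCAL_IDENT` substitution in sysoptions.h added in the next hunk; if upstream reshapes that line, the build would quietly ship a banner that still carries the version number. Each sed could be followed by a check such as `grep -q '^#define LOCAL_IDENT "SSH-2.0-dropbear"' $(PKG_BUILD_DIR)/sysoptions.h` so that Build/Configure fails instead. `DEFAULT_PATH` is also passed through `TARGET_CFLAGS` in this hunk, so it is set in two places, and a comment saying which one is authoritative would help. The Build/Configure body continues past this hunk.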
@@ -91,6 +103,13 @@ define Build/Configure
               >$(PKG_BUILD_DIR)/options.h.new && \
          mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
        done
+
+       # remove protocol idented software version number
+       $(SED) 's,^#define LOCAL_IDENT .*$$$$,#define LOCAL_IDENT "SSH-2.0-dropbear",g' \
+               $(PKG_BUILD_DIR)/sysoptions.h
+
+       # Enforce rebuild of svr-chansession.c
+       rm -f $(PKG_BUILD_DIR)/svr-chansession.o
 endef
 
 define Build/Compile
@@ -118,7 +137,6 @@ define Package/dropbear/install
        $(INSTALL_DIR) $(1)/usr/lib/opkg/info
        $(INSTALL_DIR) $(1)/etc/dropbear
        touch $(1)/etc/dropbear/dropbear_rsa_host_key
-       touch $(1)/etc/dropbear/dropbear_dss_host_key
 endef
 
 define Package/dropbearconvert/install
index 6de0142..5c3345d 100755 (executable)
@@ -37,7 +37,6 @@ validate_section_dropbear()
                'RootPasswordAuth:bool:1' \
                'RootLogin:bool:1' \
                'rsakeyfile:file' \
-               'dsskeyfile:file' \
                'BannerFile:file' \
                'Port:list(port):22' \
                'SSHKeepAlive:uinteger:300' \
@@ -49,7 +48,7 @@ dropbear_instance()
 {
        local PasswordAuth enable Interface GatewayPorts \
                RootPasswordAuth RootLogin rsakeyfile \
-               dsskeyfile BannerFile Port SSHKeepAlive IdleTimeout \
+               BannerFile Port SSHKeepAlive IdleTimeout \
                mdns ipaddrs
 
        validate_section_dropbear "${1}" || {
@@ -75,18 +74,18 @@ dropbear_instance()
        [ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
        [ "${RootLogin}" -eq 0 ] && procd_append_param command -w
        [ -n "${rsakeyfile}" ] && procd_append_param command -r "${rsakeyfile}"
-       [ -n "${dsskeyfile}" ] && procd_append_param command -d "${dsskeyfile}"
        [ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
        append_ports "${ipaddrs}" "${Port}"
        [ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
        [ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
        [ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
+       procd_set_param respawn
        procd_close_instance
 }
 
 keygen()
 {
-       for keytype in rsa dss; do
+       for keytype in rsa; do
                # check for keys
                key=dropbear/dropbear_${keytype}_host_key
                [ -f /tmp/$key -o -s /etc/$key ] || {
@@ -107,10 +106,15 @@ keygen()
        chmod 0700 /etc/dropbear
 }
 
+load_interfaces()
+{
+       config_get interface "$1" Interface
+       interfaces=" ${interface} ${interfaces}"
+}
+
 start_service()
 {
-       [ -s /etc/dropbear/dropbear_rsa_host_key -a \
-         -s /etc/dropbear/dropbear_dss_host_key ] || keygen
+       [ -s /etc/dropbear/dropbear_rsa_host_key ] || keygen
 
        . /lib/functions.sh
        . /lib/functions/network.sh
@@ -121,7 +125,21 @@ start_service()
 
 service_triggers()
 {
-       procd_add_reload_trigger "dropbear"
+       local interfaces
+
+       procd_open_trigger
+       procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload
+
+       config_load "${NAME}"
+       config_foreach load_interfaces dropbear
+
+       [ -n "${interfaces}" ] & {
+               for n in $interfaces ; do
+                       procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
+               done
+       }
+       procd_close_trigger
+
        procd_add_validation validate_section_dropbear
 }
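Review bot: In service_triggers() the guard `[ -n "${interfaces}" ] & {` uses a single `&`, which runs the test as a background job and then executes the brace group unconditionally; it should read `[ -n "${interfaces}" ] && {`. Even with `&&` the test would not filter much, because load_interfaces builds the list as `" ${interface} ${interfaces}"`, which is non-empty (spaces) as soon as one dropbear section exists, even without an Interface option. The loop also expands `$n` unquoted in `procd_add_interface_trigger "interface.*" $n ...`; writing `"$n"` keeps an unexpected Interface value from being glob-expanded.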
 
index 456874b..401c7e1 100644 (file)
@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -208,17 +208,21 @@ static int checkpubkey(unsigned char* al
+@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
                goto out;
        }
  
@@ -12,9 +12,6 @@
 -      filename = m_malloc(len + 22);
 -      snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
 -                              ses.authstate.pw_dir);
--
--      /* open the file */
--      authfile = fopen(filename, "r");
 +      if (ses.authstate.pw_uid != 0) {
 +              /* we don't need to check pw and pw_dir for validity, since
 +               * its been done in checkpubkeyperms. */
 +              /* allocate max required pathname storage,
 +               * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
 +              filename = m_malloc(len + 22);
-+              snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
-+                       ses.authstate.pw_dir);
-+
-+              /* open the file */
-+              authfile = fopen(filename, "r");
++              snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++                                      ses.authstate.pw_dir);
 +      } else {
-+              authfile = fopen("/etc/dropbear/authorized_keys","r");
++              filename = m_malloc(30);
++              strncpy(filename, "/etc/dropbear/authorized_keys", 30);
 +      }
-       if (authfile == NULL) {
-               goto out;
-       }
-@@ -371,26 +375,35 @@ static int checkpubkeyperms() {
++
+       /* open the file as the authenticating user. */
+       origuid = getuid();
+@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
                goto out;
        }
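Review bot: In the refreshed checkpubkey() hunk the root branch allocates with `m_malloc(30)` and copies with `strncpy(filename, "/etc/dropbear/authorized_keys", 30)`, so the buffer size is a hand-counted constant. The literal is 29 characters and 30 is correct today, but if the path is ever lengthened strncpy will leave the buffer unterminated and the later open will read past it. `filename = m_strdup("/etc/dropbear/authorized_keys");` removes the magic number, assuming dbutil's `m_strdup` is available in this file as it is elsewhere in dropbear. The function body continues outside the hunk.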
  
index 7982af6..4b5c1cb 100644 (file)
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -920,12 +920,12 @@ static void execchild(void *user_data) {
+@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
index 48dae73..b49a95c 100644 (file)
  
  /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
  #define ENABLE_USER_ALGO_LIST
-@@ -126,9 +126,9 @@ much traffic. */
+@@ -91,16 +91,16 @@ much traffic. */
+  * Including multiple keysize variants the same cipher 
+  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ #define DROPBEAR_AES128
+-#define DROPBEAR_3DES
++/*#define DROPBEAR_3DES*/
+ #define DROPBEAR_AES256
+ /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+ /*#define DROPBEAR_BLOWFISH*/
+-#define DROPBEAR_TWOFISH256
+-#define DROPBEAR_TWOFISH128
++/*#define DROPBEAR_TWOFISH256*/
++/*#define DROPBEAR_TWOFISH128*/
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
++/*#define DROPBEAR_ENABLE_CBC_MODE*/
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+  * CBC mode against certain attacks. It is recommended for security
+@@ -131,9 +131,9 @@ If you test it please contact the Dropbe
   * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
 -#define DROPBEAR_SHA1_96_HMAC
--#define DROPBEAR_SHA2_256_HMAC
--#define DROPBEAR_SHA2_512_HMAC
 +/*#define DROPBEAR_SHA1_96_HMAC*/
-+/*#define DROPBEAR_SHA2_256_HMAC*/
+ #define DROPBEAR_SHA2_256_HMAC
+-#define DROPBEAR_SHA2_512_HMAC
 +/*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC
  
  /* You can also disable integrity. Don't bother disabling this if you're
-@@ -184,7 +184,7 @@ much traffic. */
+@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
+  * Removing either of these won't save very much space.
+  * SSH2 RFC Draft requires dss, recommends rsa */
+ #define DROPBEAR_RSA
+-#define DROPBEAR_DSS
++/*#define DROPBEAR_DSS*/
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+  * code (either ECDSA or ECDH) increases binary size - around 30kB
+  * on x86-64 */
+@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
  
  /* Whether to print the message of the day (MOTD). This doesn't add much code
   * size */
@@ -40,7 +69,7 @@
  
  /* The MOTD file path */
  #ifndef MOTD_FILENAME
-@@ -226,7 +226,7 @@ much traffic. */
+@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
   * note that it will be provided for all "hidden" client-interactive
   * style prompts - if you want something more sophisticated, use 
   * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
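Review bot: The refreshed algorithm section has no description saying which removals are for size and which are for hardening. It now comments out 3DES, Twofish, CBC mode, DSS and `DROPBEAR_SHA2_512_HMAC` but leaves `DROPBEAR_MD5_HMAC` and `DROPBEAR_SHA1_HMAC` defined. The context comment says MD5 is kept so fingerprints stay in the standard form. The same define presumably also keeps hmac-md5 on offer as a MAC, which should be confirmed against the upstream options.h. A short header would record the intent, for example `Drop 3DES, Twofish, CBC and DSS; MD5 kept only for key fingerprints`.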
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_o_and_x_args.patch
deleted file mode 100644 (file)
index edb2909..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
---- a/cli-runopts.c
-+++ b/cli-runopts.c
-@@ -315,6 +315,10 @@ void cli_getopts(int argc, char ** argv)
-                                       debug_trace = 1;
-                                       break;
- #endif
-+                              case 'o':
-+                                      next = &dummy;
-+                              case 'x':
-+                                      break;
-                               case 'F':
-                               case 'e':
- #ifndef ENABLE_USER_ALGO_LIST
-@@ -332,7 +336,6 @@ void cli_getopts(int argc, char ** argv)
-                                       print_version();
-                                       exit(EXIT_SUCCESS);
-                                       break;
--                              case 'o':
-                               case 'b':
-                                       next = &dummy;
-                               default:
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
new file mode 100644 (file)
index 0000000..ab09c2f
--- /dev/null
@@ -0,0 +1,11 @@
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
+                                       debug_trace = 1;
+                                       break;
+ #endif
++                              case 'x':
++                                      break;
+                               case 'F':
+                               case 'e':
+ #ifndef ENABLE_USER_ALGO_LIST
index 0717228..78b54ac 100644 (file)
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -101,7 +101,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */
index 367dc2c..ccc2cb7 100644 (file)
@@ -1,8 +1,8 @@
 --- a/options.h
 +++ b/options.h
 @@ -5,6 +5,11 @@
- #ifndef _OPTIONS_H_
- #define _OPTIONS_H_
+ #ifndef DROPBEAR_OPTIONS_H_
+ #define DROPBEAR_OPTIONS_H_
  
 +#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
 +#define DROPBEAR_SERVER
index e2add94..da6b9ae 100644 (file)
@@ -1,11 +1,12 @@
 --- a/options.h
 +++ b/options.h
-@@ -336,7 +336,7 @@ be overridden at runtime with -I. 0 disa
+@@ -352,7 +352,9 @@ be overridden at runtime with -I. 0 disa
  #define DEFAULT_IDLE_TIMEOUT 0
  
  /* The default path. This will often get replaced by the shell */
--#define DEFAULT_PATH "/usr/bin:/bin"
-+#define DEFAULT_PATH "/bin:/sbin:/usr/bin:/usr/sbin"
++#ifndef DEFAULT_PATH
+ #define DEFAULT_PATH "/usr/bin:/bin"
++#endif
  
  /* Some other defines (that mostly should be left alone) are defined
   * in sysoptions.h */
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
new file mode 100644 (file)
index 0000000..7c67b08
--- /dev/null
@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+                               AUTH_METHOD_NONE_LEN) == 0) {
+               TRACE(("recv_msg_userauth_request: 'none' request"))
+               if (valid_user
+-                              && svr_opts.allowblankpass
++                              && (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+                               && !svr_opts.noauthpass
+                               && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+                               && ses.authstate.pw_passwd[0] == '\0') 
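Review bot: The new condition `(svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))` lets the 'none' method succeed for root with an empty password even when blank passwords were not enabled, and the patch file has no description recording that this is intended. It also matches root by name, whereas the `norootpass` test two lines below uses `ses.authstate.pw_uid == 0`, so the two checks can disagree where the uid-0 account has another name. If the intent is access before a password has been set, the patch should say so in a header, for example `Allow 'none' auth for root while its password is empty; still blocked by norootpass and noauthpass`, with a matching comment at the condition. recv_msg_userauth_request() continues outside the hunk.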
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
new file mode 100644 (file)
index 0000000..f6453a4
--- /dev/null
@@ -0,0 +1,18 @@
+--- a/svr-runopts.c
++++ b/svr-runopts.c
+@@ -488,6 +488,7 @@ void load_all_hostkeys() {
+               m_free(hostkey_file);
+       }
++      if (svr_opts.num_hostkey_files <= 0) {
+ #ifdef DROPBEAR_RSA
+       loadhostkey(RSA_PRIV_FILENAME, 0);
+ #endif
+@@ -499,6 +500,7 @@ void load_all_hostkeys() {
+ #ifdef DROPBEAR_ECDSA
+       loadhostkey(ECDSA_PRIV_FILENAME, 0);
+ #endif
++      }
+ #ifdef DROPBEAR_DELAY_HOSTKEY
+       if (svr_opts.delay_hostkey) {
index 8e706dc..462a4cf 100644 (file)
@@ -7,9 +7,9 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_VERSION:=2015-03-25
-PKG_RELEASE:=1
-PKG_REV:=8278138e679174b1ec8af7f169c2810a8888e202
+PKG_VERSION:=2016-06-15
+PKG_RELEASE:=2
+PKG_REV:=31d3692fe5d56c05753ed4a70c7943979e1d29e7
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=git://w1.fi/srv/git/hostap.git
@@ -40,6 +40,10 @@ LOCAL_TYPE=$(strip \
                hostapd \
        )))
 LOCAL_VARIANT=$(patsubst wpad-%,%,$(patsubst supplicant-%,%,$(BUILD_VARIANT)))
+CONFIG_VARIANT:=$(LOCAL_VARIANT)
+ifeq ($(LOCAL_VARIANT),mesh)
+  CONFIG_VARIANT:=full
+endif
 
 ifeq ($(LOCAL_TYPE),supplicant)
   ifeq ($(LOCAL_VARIANT),full)
@@ -47,10 +51,6 @@ ifeq ($(LOCAL_TYPE),supplicant)
                CONFIG_WPA_SUPPLICANT_INTERNAL \
                CONFIG_WPA_SUPPLICANT_OPENSSL
   endif
-  ifeq ($(LOCAL_VARIANT),mesh)
-    PKG_CONFIG_DEPENDS += \
-               CONFIG_WPA_SUPPLICANT_OPENSSL
-  endif
 endif
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
@@ -82,7 +82,7 @@ ifneq ($(LOCAL_TYPE),hostapd)
     endif
   endif
   ifeq ($(LOCAL_VARIANT),mesh)
-    DRIVER_MAKEOPTS += CONFIG_TLS=openssl
+    DRIVER_MAKEOPTS += CONFIG_TLS=openssl CONFIG_AP=y CONFIG_SAE=y CONFIG_MESH=y
     TARGET_LDFLAGS += -lcrypto -lssl
   endif
   ifdef CONFIG_WPA_SUPPLICANT_NO_TIMESTAMP_CHECK
@@ -177,8 +177,7 @@ endef
 define Package/wpad-mesh
 $(call Package/wpad/Default)
   TITLE+= (with 802.11s mesh and SAE support)
-  DEPENDS:=$(DRV_DEPENDS) +libubus +libopenssl +@CONFIG_WPA_SUPPLICANT_OPENSSL @(!TARGET_uml||BROKEN)
-  CONFLICTS:=@WPA_SUPPLICANT_INTERNAL
+  DEPENDS:=$(DRV_DEPENDS) +libubus +PACKAGE_wpad-mesh:libopenssl @(!TARGET_uml||BROKEN)
   VARIANT:=wpad-mesh
 endef
 
@@ -284,10 +283,10 @@ endif
 
 define Build/Configure
        $(Build/Configure/rebuild)
-       $(if $(wildcard ./files/hostapd-$(LOCAL_VARIANT).config), \
-               $(CP) ./files/hostapd-$(LOCAL_VARIANT).config $(PKG_BUILD_DIR)/hostapd/.config \
+       $(if $(wildcard ./files/hostapd-$(CONFIG_VARIANT).config), \
+               $(CP) ./files/hostapd-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/hostapd/.config \
        )
-       $(CP) ./files/wpa_supplicant-$(LOCAL_VARIANT).config $(PKG_BUILD_DIR)/wpa_supplicant/.config
+       $(CP) ./files/wpa_supplicant-$(CONFIG_VARIANT).config $(PKG_BUILD_DIR)/wpa_supplicant/.config
 endef
 
 TARGET_CPPFLAGS := \
index 23d2e7e..21762e9 100644 (file)
@@ -120,6 +120,7 @@ hostapd_common_add_bss_config() {
 
        config_add_boolean rsn_preauth auth_cache
        config_add_int ieee80211w
+       config_add_int eapol_version
 
        config_add_string 'auth_server:host' 'server:host'
        config_add_string auth_secret
@@ -182,7 +183,7 @@ hostapd_set_bss_options() {
                wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 \
                wps_device_type wps_device_name wps_manufacturer wps_pin \
                macfilter ssid wmm uapsd hidden short_preamble rsn_preauth \
-               iapp_interface
+               iapp_interface eapol_version
 
        set_default isolate 0
        set_default maxassoc 0
@@ -192,6 +193,7 @@ hostapd_set_bss_options() {
        set_default hidden 0
        set_default wmm 1
        set_default uapsd 1
+       set_default eapol_version 0
 
        append bss_conf "ctrl_interface=/var/run/hostapd"
        if [ "$isolate" -gt 0 ]; then
@@ -237,6 +239,8 @@ hostapd_set_bss_options() {
                                [ -e "$wpa_psk_file" ] || touch "$wpa_psk_file"
                                append bss_conf "wpa_psk_file=$wpa_psk_file" "$N"
                        }
+                       [ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
+
                        wps_possible=1
                        append wpa_key_mgmt "WPA-PSK"
                ;;
@@ -292,6 +296,8 @@ hostapd_set_bss_options() {
                                [ -n "$vlan_tagged_interface" ] && \
                                        append bss_conf "vlan_tagged_interface=$vlan_tagged_interface" "$N"
                        }
+
+                       [ "$eapol_version" -ge "1" -a "$eapol_version" -le "2" ] && append bss_conf "eapol_version=$eapol_version" "$N"
                ;;
                wep)
                        local wep_keyidx=0
diff --git a/package/network/services/hostapd/files/wpa_supplicant-mesh.config b/package/network/services/hostapd/files/wpa_supplicant-mesh.config
deleted file mode 100644 (file)
index 36e2908..0000000
+++ /dev/null
@@ -1,407 +0,0 @@
-# Example wpa_supplicant build time configuration
-#
-# This file lists the configuration options that are used when building the
-# hostapd binary. All lines starting with # are ignored. Configuration option
-# lines must be commented out complete, if they are not to be included, i.e.,
-# just setting VARIABLE=n is not disabling that variable.
-#
-# This file is included in Makefile, so variables like CFLAGS and LIBS can also
-# be modified from here. In most cases, these lines should use += in order not
-# to override previous values of the variables.
-
-
-# Uncomment following two lines and fix the paths if you have installed OpenSSL
-# or GnuTLS in non-default location
-#CFLAGS += -I/usr/local/openssl/include
-#LIBS += -L/usr/local/openssl/lib
-
-# Some Red Hat versions seem to include kerberos header files from OpenSSL, but
-# the kerberos files are not in the default include path. Following line can be
-# used to fix build issues on such systems (krb5.h not found).
-#CFLAGS += -I/usr/include/kerberos
-
-# Example configuration for various cross-compilation platforms
-
-#### sveasoft (e.g., for Linksys WRT54G) ######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS += -I../src/include -I../../src/router/openssl/include
-#LIBS += -L/opt/brcm/hndtools-mipsel-uclibc-0.9.19/lib -lssl
-###############################################################################
-
-#### openwrt (e.g., for Linksys WRT54G) #######################################
-#CC=mipsel-uclibc-gcc
-#CC=/opt/brcm/hndtools-mipsel-uclibc/bin/mipsel-uclibc-gcc
-#CFLAGS += -Os
-#CPPFLAGS=-I../src/include -I../openssl-0.9.7d/include \
-#      -I../WRT54GS/release/src/include
-#LIBS = -lssl
-###############################################################################
-
-
-# Driver interface for Host AP driver
-CONFIG_DRIVER_HOSTAP=y
-
-# Driver interface for Agere driver
-#CONFIG_DRIVER_HERMES=y
-# Change include directories to match with the local setup
-#CFLAGS += -I../../hcf -I../../include -I../../include/hcf
-#CFLAGS += -I../../include/wireless
-
-# Driver interface for ndiswrapper
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_NDISWRAPPER=y
-
-# Driver interface for Atmel driver
-# CONFIG_DRIVER_ATMEL=y
-
-# Driver interface for old Broadcom driver
-# Please note that the newer Broadcom driver ("hybrid Linux driver") supports
-# Linux wireless extensions and does not need (or even work) with the old
-# driver wrapper. Use CONFIG_DRIVER_WEXT=y with that driver.
-#CONFIG_DRIVER_BROADCOM=y
-# Example path for wlioctl.h; change to match your configuration
-#CFLAGS += -I/opt/WRT54GS/release/src/include
-
-# Driver interface for Intel ipw2100/2200 driver
-# Deprecated; use CONFIG_DRIVER_WEXT=y instead.
-#CONFIG_DRIVER_IPW=y
-
-# Driver interface for Ralink driver
-#CONFIG_DRIVER_RALINK=y
-
-# Driver interface for generic Linux wireless extensions
-CONFIG_DRIVER_WEXT=y
-
-# Driver interface for Linux drivers using the nl80211 kernel interface
-CONFIG_DRIVER_NL80211=y
-
-# Driver interface for FreeBSD net80211 layer (e.g., Atheros driver)
-#CONFIG_DRIVER_BSD=y
-#CFLAGS += -I/usr/local/include
-#LIBS += -L/usr/local/lib
-#LIBS_p += -L/usr/local/lib
-#LIBS_c += -L/usr/local/lib
-
-# Driver interface for Windows NDIS
-#CONFIG_DRIVER_NDIS=y
-#CFLAGS += -I/usr/include/w32api/ddk
-#LIBS += -L/usr/local/lib
-# For native build using mingw
-#CONFIG_NATIVE_WINDOWS=y
-# Additional directories for cross-compilation on Linux host for mingw target
-#CFLAGS += -I/opt/mingw/mingw32/include/ddk
-#LIBS += -L/opt/mingw/mingw32/lib
-#CC=mingw32-gcc
-# By default, driver_ndis uses WinPcap for low-level operations. This can be
-# replaced with the following option which replaces WinPcap calls with NDISUIO.
-# However, this requires that WZC is disabled (net stop wzcsvc) before starting
-# wpa_supplicant.
-# CONFIG_USE_NDISUIO=y
-
-# Driver interface for development testing
-#CONFIG_DRIVER_TEST=y
-
-# Include client MLME (management frame processing) for test driver
-# This can be used to test MLME operations in hostapd with the test interface.
-# space.
-#CONFIG_CLIENT_MLME=y
-
-# Driver interface for wired Ethernet drivers
-CONFIG_DRIVER_WIRED=y
-
-# Driver interface for the Broadcom RoboSwitch family
-#CONFIG_DRIVER_ROBOSWITCH=y
-
-# Driver interface for no driver (e.g., WPS ER only)
-#CONFIG_DRIVER_NONE=y
-
-# Enable IEEE 802.1X Supplicant (automatically included if any EAP method is
-# included)
-CONFIG_IEEE8021X_EAPOL=y
-
-# EAP-MD5
-CONFIG_EAP_MD5=y
-
-# EAP-MSCHAPv2
-CONFIG_EAP_MSCHAPV2=y
-
-# EAP-TLS
-CONFIG_EAP_TLS=y
-
-# EAL-PEAP
-CONFIG_EAP_PEAP=y
-
-# EAP-TTLS
-CONFIG_EAP_TTLS=y
-
-# EAP-FAST
-# Note: Default OpenSSL package does not include support for all the
-# functionality needed for EAP-FAST. If EAP-FAST is enabled with OpenSSL,
-# the OpenSSL library must be patched (openssl-0.9.8d-tls-extensions.patch)
-# to add the needed functions.
-#CONFIG_EAP_FAST=y
-
-# EAP-GTC
-CONFIG_EAP_GTC=y
-
-# EAP-OTP
-CONFIG_EAP_OTP=y
-
-# EAP-SIM (enable CONFIG_PCSC, if EAP-SIM is used)
-#CONFIG_EAP_SIM=y
-
-# EAP-PSK (experimental; this is _not_ needed for WPA-PSK)
-#CONFIG_EAP_PSK=y
-
-# EAP-PAX
-#CONFIG_EAP_PAX=y
-
-# LEAP
-CONFIG_EAP_LEAP=y
-
-# EAP-AKA (enable CONFIG_PCSC, if EAP-AKA is used)
-#CONFIG_EAP_AKA=y
-
-# EAP-AKA' (enable CONFIG_PCSC, if EAP-AKA' is used).
-# This requires CONFIG_EAP_AKA to be enabled, too.
-#CONFIG_EAP_AKA_PRIME=y
-
-# Enable USIM simulator (Milenage) for EAP-AKA
-#CONFIG_USIM_SIMULATOR=y
-
-# EAP-SAKE
-#CONFIG_EAP_SAKE=y
-
-# EAP-GPSK
-#CONFIG_EAP_GPSK=y
-# Include support for optional SHA256 cipher suite in EAP-GPSK
-#CONFIG_EAP_GPSK_SHA256=y
-
-# EAP-TNC and related Trusted Network Connect support (experimental)
-#CONFIG_EAP_TNC=y
-
-# Wi-Fi Protected Setup (WPS)
-CONFIG_WPS=y
-
-# EAP-IKEv2
-#CONFIG_EAP_IKEV2=y
-
-# PKCS#12 (PFX) support (used to read private key and certificate file from
-# a file that usually has extension .p12 or .pfx)
-CONFIG_PKCS12=y
-
-# Smartcard support (i.e., private key on a smartcard), e.g., with openssl
-# engine.
-CONFIG_SMARTCARD=y
-
-# PC/SC interface for smartcards (USIM, GSM SIM)
-# Enable this if EAP-SIM or EAP-AKA is included
-#CONFIG_PCSC=y
-
-# Development testing
-#CONFIG_EAPOL_TEST=y
-
-# Select control interface backend for external programs, e.g, wpa_cli:
-# unix = UNIX domain sockets (default for Linux/*BSD)
-# udp = UDP sockets using localhost (127.0.0.1)
-# named_pipe = Windows Named Pipe (default for Windows)
-# y = use default (backwards compatibility)
-# If this option is commented out, control interface is not included in the
-# build.
-CONFIG_CTRL_IFACE=y
-
-# Include support for GNU Readline and History Libraries in wpa_cli.
-# When building a wpa_cli binary for distribution, please note that these
-# libraries are licensed under GPL and as such, BSD license may not apply for
-# the resulting binary.
-#CONFIG_READLINE=y
-
-# Remove debugging code that is printing out debug message to stdout.
-# This can be used to reduce the size of the wpa_supplicant considerably
-# if debugging code is not needed. The size reduction can be around 35%
-# (e.g., 90 kB).
-#CONFIG_NO_STDOUT_DEBUG=y
-
-# Remove WPA support, e.g., for wired-only IEEE 802.1X supplicant, to save
-# 35-50 kB in code size.
-#CONFIG_NO_WPA=y
-
-# Remove WPA2 support. This allows WPA to be used, but removes WPA2 code to
-# save about 1 kB in code size when building only WPA-Personal (no EAP support)
-# or 6 kB if building for WPA-Enterprise.
-#CONFIG_NO_WPA2=y
-
-# Remove IEEE 802.11i/WPA-Personal ASCII passphrase support
-# This option can be used to reduce code size by removing support for
-# converting ASCII passphrases into PSK. If this functionality is removed, the
-# PSK can only be configured as the 64-octet hexstring (e.g., from
-# wpa_passphrase). This saves about 0.5 kB in code size.
-#CONFIG_NO_WPA_PASSPHRASE=y
-
-# Disable scan result processing (ap_mode=1) to save code size by about 1 kB.
-# This can be used if ap_scan=1 mode is never enabled.
-#CONFIG_NO_SCAN_PROCESSING=y
-
-# Select configuration backend:
-# file = text file (e.g., wpa_supplicant.conf; note: the configuration file
-#      path is given on command line, not here; this option is just used to
-#      select the backend that allows configuration files to be used)
-# winreg = Windows registry (see win_example.reg for an example)
-CONFIG_BACKEND=file
-
-# Remove configuration write functionality (i.e., to allow the configuration
-# file to be updated based on runtime configuration changes). The runtime
-# configuration can still be changed, the changes are just not going to be
-# persistent over restarts. This option can be used to reduce code size by
-# about 3.5 kB.
-#CONFIG_NO_CONFIG_WRITE=y
-
-# Remove support for configuration blobs to reduce code size by about 1.5 kB.
-#CONFIG_NO_CONFIG_BLOBS=y
-
-# Select program entry point implementation:
-# main = UNIX/POSIX like main() function (default)
-# main_winsvc = Windows service (read parameters from registry)
-# main_none = Very basic example (development use only)
-#CONFIG_MAIN=main
-
-# Select wrapper for operatins system and C library specific functions
-# unix = UNIX/POSIX like systems (default)
-# win32 = Windows systems
-# none = Empty template
-#CONFIG_OS=unix
-
-# Select event loop implementation
-# eloop = select() loop (default)
-# eloop_win = Windows events and WaitForMultipleObject() loop
-# eloop_none = Empty template
-#CONFIG_ELOOP=eloop
-
-# Select layer 2 packet implementation
-# linux = Linux packet socket (default)
-# pcap = libpcap/libdnet/WinPcap
-# freebsd = FreeBSD libpcap
-# winpcap = WinPcap with receive thread
-# ndis = Windows NDISUIO (note: requires CONFIG_USE_NDISUIO=y)
-# none = Empty template
-#CONFIG_L2_PACKET=linux
-
-# PeerKey handshake for Station to Station Link (IEEE 802.11e DLS)
-CONFIG_PEERKEY=y
-
-# IEEE 802.11w (management frame protection)
-# This version is an experimental implementation based on IEEE 802.11w/D1.0
-# draft and is subject to change since the standard has not yet been finalized.
-# Driver support is also needed for IEEE 802.11w.
-CONFIG_IEEE80211W=y
-
-# Select TLS implementation
-# openssl = OpenSSL (default)
-# gnutls = GnuTLS (needed for TLS/IA, see also CONFIG_GNUTLS_EXTRA)
-# internal = Internal TLSv1 implementation (experimental)
-# none = Empty template
-CONFIG_TLS=internal
-
-# Whether to enable TLS/IA support, which is required for EAP-TTLSv1.
-# You need CONFIG_TLS=gnutls for this to have any effect. Please note that
-# even though the core GnuTLS library is released under LGPL, this extra
-# library uses GPL and as such, the terms of GPL apply to the combination
-# of wpa_supplicant and GnuTLS if this option is enabled. BSD license may not
-# apply for distribution of the resulting binary.
-#CONFIG_GNUTLS_EXTRA=y
-
-# If CONFIG_TLS=internal is used, additional library and include paths are
-# needed for LibTomMath. Alternatively, an integrated, minimal version of
-# LibTomMath can be used. See beginning of libtommath.c for details on benefits
-# and drawbacks of this option.
-CONFIG_INTERNAL_LIBTOMMATH=y
-#ifndef CONFIG_INTERNAL_LIBTOMMATH
-#LTM_PATH=/usr/src/libtommath-0.39
-#CFLAGS += -I$(LTM_PATH)
-#LIBS += -L$(LTM_PATH)
-#LIBS_p += -L$(LTM_PATH)
-#endif
-# At the cost of about 4 kB of additional binary size, the internal LibTomMath
-# can be configured to include faster routines for exptmod, sqr, and div to
-# speed up DH and RSA calculation considerably
-CONFIG_INTERNAL_LIBTOMMATH_FAST=y
-
-# Include NDIS event processing through WMI into wpa_supplicant/wpasvc.
-# This is only for Windows builds and requires WMI-related header files and
-# WbemUuid.Lib from Platform SDK even when building with MinGW.
-#CONFIG_NDIS_EVENTS_INTEGRATED=y
-#PLATFORMSDKLIB="/opt/Program Files/Microsoft Platform SDK/Lib"
-
-# Add support for old DBus control interface
-# (fi.epitest.hostap.WPASupplicant)
-#CONFIG_CTRL_IFACE_DBUS=y
-
-# Add support for new DBus control interface
-# (fi.w1.hostap.wpa_supplicant1)
-#CONFIG_CTRL_IFACE_DBUS_NEW=y
-
-# Add introspection support for new DBus control interface
-#CONFIG_CTRL_IFACE_DBUS_INTRO=y
-
-# Add support for loading EAP methods dynamically as shared libraries.
-# When this option is enabled, each EAP method can be either included
-# statically (CONFIG_EAP_<method>=y) or dynamically (CONFIG_EAP_<method>=dyn).
-# Dynamic EAP methods are build as shared objects (eap_*.so) and they need to
-# be loaded in the beginning of the wpa_supplicant configuration file
-# (see load_dynamic_eap parameter in the example file) before being used in
-# the network blocks.
-#
-# Note that some shared parts of EAP methods are included in the main program
-# and in order to be able to use dynamic EAP methods using these parts, the
-# main program must have been build with the EAP method enabled (=y or =dyn).
-# This means that EAP-TLS/PEAP/TTLS/FAST cannot be added as dynamic libraries
-# unless at least one of them was included in the main build to force inclusion
-# of the shared code. Similarly, at least one of EAP-SIM/AKA must be included
-# in the main build to be able to load these methods dynamically.
-#
-# Please also note that using dynamic libraries will increase the total binary
-# size. Thus, it may not be the best option for targets that have limited
-# amount of memory/flash.
-#CONFIG_DYNAMIC_EAP_METHODS=y
-
-# IEEE Std 802.11r-2008 (Fast BSS Transition)
-#CONFIG_IEEE80211R=y
-
-# Add support for writing debug log to a file (/tmp/wpa_supplicant-log-#.txt)
-#CONFIG_DEBUG_FILE=y
-
-# Enable privilege separation (see README 'Privilege separation' for details)
-#CONFIG_PRIVSEP=y
-
-# Enable mitigation against certain attacks against TKIP by delaying Michael
-# MIC error reports by a random amount of time between 0 and 60 seconds
-#CONFIG_DELAYED_MIC_ERROR_REPORT=y
-
-# Enable tracing code for developer debugging
-# This tracks use of memory allocations and other registrations and reports
-# incorrect use with a backtrace of call (or allocation) location.
-#CONFIG_WPA_TRACE=y
-# For BSD, comment out these.
-#LIBS += -lexecinfo
-#LIBS_p += -lexecinfo
-#LIBS_c += -lexecinfo
-
-# Use libbfd to get more details for developer debugging
-# This enables use of libbfd to get more detailed symbols for the backtraces
-# generated by CONFIG_WPA_TRACE=y.
-#CONFIG_WPA_TRACE_BFD=y
-# For BSD, comment out these.
-#LIBS += -lbfd -liberty -lz
-#LIBS_p += -lbfd -liberty -lz
-#LIBS_c += -lbfd -liberty -lz
-
-CONFIG_NO_RANDOM_POOL=y
-NEED_80211_COMMON=y
-
-CONFIG_IBSS_RSN=y
-
-CONFIG_MESH=y
-CONFIG_SAE=y
-CONFIG_AP=y
diff --git a/package/network/services/hostapd/patches/001-P2P-Validate-SSID-element-length-before-copying-it-C.patch b/package/network/services/hostapd/patches/001-P2P-Validate-SSID-element-length-before-copying-it-C.patch
deleted file mode 100644 (file)
index e408fbe..0000000
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 7 Apr 2015 11:32:11 +0300
-Subject: [PATCH] P2P: Validate SSID element length before copying it
- (CVE-2015-1863)
-
-This fixes a possible memcpy overflow for P2P dev->oper_ssid in
-p2p_add_device(). The length provided by the peer device (0..255 bytes)
-was used without proper bounds checking and that could have resulted in
-arbitrary data of up to 223 bytes being written beyond the end of the
-dev->oper_ssid[] array (of which about 150 bytes would be beyond the
-heap allocation) when processing a corrupted management frame for P2P
-peer discovery purposes.
-
-This could result in corrupted state in heap, unexpected program
-behavior due to corrupted P2P peer device information, denial of service
-due to process crash, exposure of memory contents during GO Negotiation,
-and potentially arbitrary code execution.
-
-Thanks to Google security team for reporting this issue and smart
-hardware research group of Alibaba security team for discovering it.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- src/p2p/p2p.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p,
-       if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
-               os_memcpy(dev->interface_addr, addr, ETH_ALEN);
-       if (msg.ssid &&
-+          msg.ssid[1] <= sizeof(dev->oper_ssid) &&
-           (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
-            os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
-            != 0)) {
diff --git a/package/network/services/hostapd/patches/002-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch b/package/network/services/hostapd/patches/002-AP-WMM-Fix-integer-underflow-in-WMM-Action-frame-par.patch
deleted file mode 100644 (file)
index bc4d60f..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Wed, 29 Apr 2015 02:21:53 +0300
-Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
-
-The length of the WMM Action frame was not properly validated and the
-length of the information elements (int left) could end up being
-negative. This would result in reading significantly past the stack
-buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
-so, resulting in segmentation fault.
-
-This can result in an invalid frame being used for a denial of service
-attack (hostapd process killed) against an AP with a driver that uses
-hostapd for management frame processing (e.g., all mac80211-based
-drivers).
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wmm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/src/ap/wmm.c
-+++ b/src/ap/wmm.c
-@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
-               return;
-       }
-+      if (left < 0)
-+              return; /* not a valid WMM Action frame */
-+
-       /* extract the tspec info element */
-       if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
-               hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
diff --git a/package/network/services/hostapd/patches/003-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch b/package/network/services/hostapd/patches/003-WPS-Fix-HTTP-chunked-transfer-encoding-parser.patch
deleted file mode 100644 (file)
index 36b4ca2..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Tue, 28 Apr 2015 17:08:33 +0300
-Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
-
-strtoul() return value may end up overflowing the int h->chunk_size and
-resulting in a negative value to be stored as the chunk_size. This could
-result in the following memcpy operation using a very large length
-argument which would result in a buffer overflow and segmentation fault.
-
-This could have been used to cause a denial service by any device that
-has been authorized for network access (either wireless or wired). This
-would affect both the WPS UPnP functionality in a WPS AP (hostapd with
-upnp_iface parameter set in the configuration) and WPS ER
-(wpa_supplicant with WPS_ER_START control interface command used).
-
-Validate the parsed chunk length value to avoid this. In addition to
-rejecting negative values, we can also reject chunk size that would be
-larger than the maximum configured body length.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/wps/httpread.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/wps/httpread.c b/src/wps/httpread.c
-index 2f08f37..d2855e3 100644
---- a/src/wps/httpread.c
-+++ b/src/wps/httpread.c
-@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
-                                       if (!isxdigit(*cbp))
-                                               goto bad;
-                                       h->chunk_size = strtoul(cbp, NULL, 16);
-+                                      if (h->chunk_size < 0 ||
-+                                          h->chunk_size > h->max_bytes) {
-+                                              wpa_printf(MSG_DEBUG,
-+                                                         "httpread: Invalid chunk size %d",
-+                                                         h->chunk_size);
-+                                              goto bad;
-+                                      }
-                                       /* throw away chunk header
-                                        * so we have only real data
-                                        */
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch b/package/network/services/hostapd/patches/004-EAP-pwd-peer-Fix-payload-length-validation-for-Commi.patch
deleted file mode 100644 (file)
index 91627fb..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 1 May 2015 16:37:45 +0300
-Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index f2b0926..a629437 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
-       BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
-       u16 offset;
-       u8 *ptr, *scalar = NULL, *element = NULL;
-+      size_t prime_len, order_len;
-+
-+      if (data->state != PWD_Commit_Req) {
-+              ret->ignore = TRUE;
-+              goto fin;
-+      }
-+
-+      prime_len = BN_num_bytes(data->grp->prime);
-+      order_len = BN_num_bytes(data->grp->order);
-+
-+      if (payload_len != 2 * prime_len + order_len) {
-+              wpa_printf(MSG_INFO,
-+                         "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+                         (unsigned int) payload_len,
-+                         (unsigned int) (2 * prime_len + order_len));
-+              goto fin;
-+      }
-       if (((data->private_value = BN_new()) == NULL) ||
-           ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
-@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
-       u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
-       int offset;
-+      if (data->state != PWD_Confirm_Req) {
-+              ret->ignore = TRUE;
-+              goto fin;
-+      }
-+
-+      if (payload_len != SHA256_MAC_LEN) {
-+              wpa_printf(MSG_INFO,
-+                         "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+                         (unsigned int) payload_len, SHA256_MAC_LEN);
-+              goto fin;
-+      }
-+
-       /*
-        * first build up the ciphersuite which is group | random_function |
-        *      prf
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch b/package/network/services/hostapd/patches/005-EAP-pwd-server-Fix-payload-length-validation-for-Com.patch
deleted file mode 100644 (file)
index 5dca20b..0000000
+++ /dev/null
@@ -1,66 +0,0 @@
-From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 1 May 2015 16:40:44 +0300
-Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 66bd5d2..3189105 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
-       BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
-       EC_POINT *K = NULL, *point = NULL;
-       int res = 0;
-+      size_t prime_len, order_len;
-       wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
-+      prime_len = BN_num_bytes(data->grp->prime);
-+      order_len = BN_num_bytes(data->grp->order);
-+
-+      if (payload_len != 2 * prime_len + order_len) {
-+              wpa_printf(MSG_INFO,
-+                         "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+                         (unsigned int) payload_len,
-+                         (unsigned int) (2 * prime_len + order_len));
-+              goto fin;
-+      }
-+
-       if (((data->peer_scalar = BN_new()) == NULL) ||
-           ((data->k = BN_new()) == NULL) ||
-           ((cofactor = BN_new()) == NULL) ||
-@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
-       u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
-       int offset;
-+      if (payload_len != SHA256_MAC_LEN) {
-+              wpa_printf(MSG_INFO,
-+                         "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+                         (unsigned int) payload_len, SHA256_MAC_LEN);
-+              goto fin;
-+      }
-+
-       /* build up the ciphersuite: group | random_function | prf */
-       grp = htons(data->group_num);
-       ptr = (u8 *) &cs;
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/006-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch b/package/network/services/hostapd/patches/006-EAP-pwd-peer-Fix-Total-Length-parsing-for-fragment-r.patch
deleted file mode 100644 (file)
index 4d2f9d8..0000000
+++ /dev/null
@@ -1,52 +0,0 @@
-From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:23:04 +0300
-Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index a629437..1d2079b 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
-        * if it's the first fragment there'll be a length field
-        */
-       if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+              if (len < 2) {
-+                      wpa_printf(MSG_DEBUG,
-+                                 "EAP-pwd: Frame too short to contain Total-Length field");
-+                      ret->ignore = TRUE;
-+                      return NULL;
-+              }
-               tot_len = WPA_GET_BE16(pos);
-               wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
-                          "total length = %d", tot_len);
-               if (tot_len > 15000)
-                       return NULL;
-+              if (data->inbuf) {
-+                      wpa_printf(MSG_DEBUG,
-+                                 "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+                      ret->ignore = TRUE;
-+                      return NULL;
-+              }
-               data->inbuf = wpabuf_alloc(tot_len);
-               if (data->inbuf == NULL) {
-                       wpa_printf(MSG_INFO, "Out of memory to buffer "
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch b/package/network/services/hostapd/patches/007-EAP-pwd-server-Fix-Total-Length-parsing-for-fragment.patch
deleted file mode 100644 (file)
index 7edef09..0000000
+++ /dev/null
@@ -1,50 +0,0 @@
-From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:26:06 +0300
-Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 3189105..2bfc3c2 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
-        * the first fragment has a total length
-        */
-       if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+              if (len < 2) {
-+                      wpa_printf(MSG_DEBUG,
-+                                 "EAP-pwd: Frame too short to contain Total-Length field");
-+                      return;
-+              }
-               tot_len = WPA_GET_BE16(pos);
-               wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
-                          "length = %d", tot_len);
-               if (tot_len > 15000)
-                       return;
-+              if (data->inbuf) {
-+                      wpa_printf(MSG_DEBUG,
-+                                 "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+                      return;
-+              }
-               data->inbuf = wpabuf_alloc(tot_len);
-               if (data->inbuf == NULL) {
-                       wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/008-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch b/package/network/services/hostapd/patches/008-EAP-pwd-peer-Fix-asymmetric-fragmentation-behavior.patch
deleted file mode 100644 (file)
index a601323..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:26:28 +0300
-Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
-
-The L (Length) and M (More) flags needs to be cleared before deciding
-whether the locally generated response requires fragmentation. This
-fixes an issue where these flags from the server could have been invalid
-for the following message. In some cases, this could have resulted in
-triggering the wpabuf security check that would terminate the process
-due to invalid buffer allocation.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1d2079b..e58b13a 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
-       /*
-        * we have output! Do we need to fragment it?
-        */
-+      lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
-       len = wpabuf_len(data->outbuf);
-       if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
-               resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/009-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch b/package/network/services/hostapd/patches/009-NFC-Fix-payload-length-validation-in-NDEF-record-par.patch
deleted file mode 100644 (file)
index dd34624..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Tue, 7 Jul 2015 21:57:28 +0300
-Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
-
-It was possible for the 32-bit record->total_length value to end up
-wrapping around due to integer overflow if the longer form of payload
-length field is used and record->payload_length gets a value close to
-2^32. This could result in ndef_parse_record() accepting a too large
-payload length value and the record type filter reading up to about 20
-bytes beyond the end of the buffer and potentially killing the process.
-This could also result in an attempt to allocate close to 2^32 bytes of
-heap memory and if that were to succeed, a buffer read overflow of the
-same length which would most likely result in the process termination.
-In case of record->total_length ending up getting the value 0, there
-would be no buffer read overflow, but record parsing would result in an
-infinite loop in ndef_parse_records().
-
-Any of these error cases could potentially be used for denial of service
-attacks over NFC by using a malformed NDEF record on an NFC Tag or
-sending them during NFC connection handover if the application providing
-the NDEF message to hostapd/wpa_supplicant did no validation of the
-received records. While such validation is likely done in the NFC stack
-that needs to parse the NFC messages before further processing,
-hostapd/wpa_supplicant better be prepared for any data being included
-here.
-
-Fix this by validating record->payload_length value in a way that
-detects integer overflow. (CID 122668)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/wps/ndef.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/wps/ndef.c b/src/wps/ndef.c
-index 5604b0a..50d018f 100644
---- a/src/wps/ndef.c
-+++ b/src/wps/ndef.c
-@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
-               if (size < 6)
-                       return -1;
-               record->payload_length = ntohl(*(u32 *)pos);
-+              if (record->payload_length > size - 6)
-+                      return -1;
-               pos += sizeof(u32);
-       }
-@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
-       pos += record->payload_length;
-       record->total_length = pos - data;
--      if (record->total_length > size)
-+      if (record->total_length > size ||
-+          record->total_length < record->payload_length)
-               return -1;
-       return 0;
- }
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch b/package/network/services/hostapd/patches/010-WNM-Ignore-Key-Data-in-WNM-Sleep-Mode-Response-frame.patch
deleted file mode 100644 (file)
index 00e5b7c..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 25 Oct 2015 15:45:50 +0200
-Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
- PMF in use
-
-WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
-enabled. Verify that PMF is in use before using this field on station
-side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 954de67..7d79499 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
-       end = ptr + key_len_total;
-       wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
-+      if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
-+              wpa_msg(wpa_s, MSG_INFO,
-+                      "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
-+              return;
-+      }
-+
-       while (ptr + 1 < end) {
-               if (ptr + 2 + ptr[1] > end) {
-                       wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
diff --git a/package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch b/package/network/services/hostapd/patches/011-EAP-pwd-peer-Fix-last-fragment-length-validation.patch
deleted file mode 100644 (file)
index 82c2639..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 18:18:17 +0200
-Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5315)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1f78544..75ceef1 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
-       /*
-        * buffer and ACK the fragment
-        */
--      if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+      if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
-               data->in_frag_pos += len;
-               if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
-                       wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
-@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
-                       return NULL;
-               }
-               wpabuf_put_data(data->inbuf, pos, len);
--
-+      }
-+      if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-               resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
-                                    EAP_PWD_HDR_SIZE,
-                                    EAP_CODE_RESPONSE, eap_get_id(reqData));
-@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
-        * we're buffering and this is the last fragment
-        */
-       if (data->in_frag_pos) {
--              wpabuf_put_data(data->inbuf, pos, len);
-               wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
-                          (int) len);
--              data->in_frag_pos += len;
-               pos = wpabuf_head_u8(data->inbuf);
-               len = data->in_frag_pos;
-       }
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/012-EAP-pwd-server-Fix-last-fragment-length-validation.patch b/package/network/services/hostapd/patches/012-EAP-pwd-server-Fix-last-fragment-length-validation.patch
deleted file mode 100644 (file)
index bfc4c74..0000000
+++ /dev/null
@@ -1,51 +0,0 @@
-From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 18:24:16 +0200
-Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5314)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index cb83ff7..9f787ab 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
-       /*
-        * the first and all intermediate fragments have the M bit set
-        */
--      if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+      if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
-               if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
-                       wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
-                                  "attack detected! (%d+%d > %d)",
-@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
-               }
-               wpabuf_put_data(data->inbuf, pos, len);
-               data->in_frag_pos += len;
-+      }
-+      if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-               wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
-                          (int) len);
-               return;
-@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
-        * buffering fragments so that's how we know it's the last)
-        */
-       if (data->in_frag_pos) {
--              wpabuf_put_data(data->inbuf, pos, len);
--              data->in_frag_pos += len;
-               pos = wpabuf_head_u8(data->inbuf);
-               len = data->in_frag_pos;
-               wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch b/package/network/services/hostapd/patches/013-EAP-pwd-peer-Fix-error-path-for-unexpected-Confirm-m.patch
deleted file mode 100644 (file)
index 3088f6a..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 19:35:44 +0200
-Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
-
-If the Confirm message is received from the server before the Identity
-exchange has been completed, the group has not yet been determined and
-data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
-did not take this corner case into account and could end up
-dereferencing a NULL pointer and terminating the process if invalid
-message sequence is received. (CVE-2015-5316)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 75ceef1..892b590 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
-       wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
- fin:
--      bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
-+      if (data->grp)
-+              bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
-       BN_clear_free(x);
-       BN_clear_free(y);
-       if (data->outbuf == NULL) {
--- 
-1.9.1
-
diff --git a/package/network/services/hostapd/patches/014-nl80211-Try-running-without-mgmt-frame-subscription-.patch b/package/network/services/hostapd/patches/014-nl80211-Try-running-without-mgmt-frame-subscription-.patch
deleted file mode 100644 (file)
index 25ba87d..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From f4830bed661f4adff51f50a0d37c64ceb748e780 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Mon, 25 Apr 2016 17:10:47 +0200
-Subject: [PATCH] nl80211: Try running without mgmt frame subscription (driver
- AP SME)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-One of supported code paths already allows this scenario. It is used if
-driver doesn't report NL80211_ATTR_DEVICE_AP_SME and doesn't support
-monitor interface. In such situation:
-1) We don't quit if subscribing for WLAN_FC_STYPE_PROBE_REQ fails
-2) We don't try subscribing for WLAN_FC_STYPE_ACTION
-3) We fallback to AP SME mode after failing to create monitor interface
-4) We don't quit if subscribing for WLAN_FC_STYPE_PROBE_REQ fails
-Above scenario is used, e.g., with brcmfmac. As you can see - thanks to
-events provided by cfg80211 - it's not really required to receive Probe
-Request or action frames.
-
-However, the previous implementation did not allow using hostapd with
-drivers that:
-1) Report NL80211_ATTR_DEVICE_AP_SME
-2) Don't support subscribing for PROBE_REQ and/or ACTION frames
-In case of using such a driver hostapd will cancel setup after failing
-to subscribe for WLAN_FC_STYPE_ACTION. I noticed it after setting flag
-WIPHY_FLAG_HAVE_AP_SME in brcmfmac driver for my experiments.
-
-This patch allows working with such drivers with just a small warning
-printed as debug message.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
----
- src/drivers/driver_nl80211.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/src/drivers/driver_nl80211.c
-+++ b/src/drivers/driver_nl80211.c
-@@ -4108,7 +4108,8 @@ static int nl80211_setup_ap(struct i802_
-       if (drv->device_ap_sme && !drv->use_monitor)
-               if (nl80211_mgmt_subscribe_ap_dev_sme(bss))
--                      return -1;
-+                      wpa_printf(MSG_DEBUG,
-+                                 "nl80211: Failed to subscribe for mgmt frames from SME driver - trying to run without it");
-       if (!drv->device_ap_sme && drv->use_monitor &&
-           nl80211_create_monitor_interface(drv) &&
diff --git a/package/network/services/hostapd/patches/100-mesh_mode_fix.patch b/package/network/services/hostapd/patches/100-mesh_mode_fix.patch
new file mode 100644 (file)
index 0000000..ceb4c53
--- /dev/null
@@ -0,0 +1,12 @@
+--- a/src/drivers/driver_nl80211.c
++++ b/src/drivers/driver_nl80211.c
+@@ -2332,7 +2332,8 @@ wpa_driver_nl80211_finish_drv_init(struc
+       if (drv->hostapd || bss->static_ap)
+               nlmode = NL80211_IFTYPE_AP;
+-      else if (bss->if_dynamic)
++      else if (bss->if_dynamic ||
++               nl80211_get_ifmode(bss) == NL80211_IFTYPE_MESH_POINT)
+               nlmode = nl80211_get_ifmode(bss);
+       else
+               nlmode = NL80211_IFTYPE_STATION;
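Review bot: The new 100-mesh_mode_fix.patch has no header saying why an interface that is already in mesh-point mode must keep that mode in wpa_driver_nl80211_finish_drv_init(), or whether the change has been sent upstream. A short description at the top of the patch file would let the next hostapd version bump decide whether it is still needed. The added branch also calls `nl80211_get_ifmode(bss)` twice, once in the condition and once in the assignment. Reading it once into a local and reusing the value would keep the test and the assignment consistent, assuming the helper queries the kernel on every call. The function body starts and ends outside the hunk.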
diff --git a/package/network/services/hostapd/patches/110-bool_fix.patch b/package/network/services/hostapd/patches/110-bool_fix.patch
deleted file mode 100644 (file)
index 865c014..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/src/ap/ieee802_1x.c
-+++ b/src/ap/ieee802_1x.c
-@@ -2332,9 +2332,9 @@ void ieee802_1x_notify_pre_auth(struct e
- }
--static const char * bool_txt(Boolean bool)
-+static const char * bool_txt(Boolean bool_val)
- {
--      return bool ? "TRUE" : "FALSE";
-+      return bool_val ? "TRUE" : "FALSE";
- }
index 032e207..0389406 100644 (file)
@@ -8,7 +8,7 @@
  
  #ifdef ANDROID
  #include <sys/capability.h>
-@@ -155,59 +156,46 @@ int os_gmtime(os_time_t t, struct os_tm
+@@ -179,59 +180,46 @@ int os_gmtime(os_time_t t, struct os_tm
        return 0;
  }
  
 +      if (chdir("/") < 0)
                return -1;
 -      }
--
 -      return 0;
 -}
 -#else /* __APPLE__ */
 -#define os_daemon daemon
 -#endif /* __APPLE__ */
+-
 -
 -int os_daemonize(const char *pid_file)
 -{
index d23b47b..5aee3d0 100644 (file)
@@ -1,6 +1,6 @@
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
-@@ -252,9 +252,10 @@ void wpa_supplicant_cancel_auth_timeout(
+@@ -257,9 +257,10 @@ void wpa_supplicant_cancel_auth_timeout(
   */
  void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
  {
index 6337d8d..fdd5da9 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/l2_packet/l2_packet_linux.c
 +++ b/src/l2_packet/l2_packet_linux.c
-@@ -307,8 +307,7 @@ struct l2_packet_data * l2_packet_init_b
+@@ -337,8 +337,7 @@ struct l2_packet_data * l2_packet_init_b
  
        l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback,
                            rx_callback_ctx, l2_hdr);
@@ -8,5 +8,5 @@
 -              return NULL;
 +      return l2;
  
+ #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR
        /*
-        * The Linux packet socket behavior has changed over the years and there
diff --git a/package/network/services/hostapd/patches/150-nl80211-Report-disassociated-STA-lost-peer-for-the-c.patch b/package/network/services/hostapd/patches/150-nl80211-Report-disassociated-STA-lost-peer-for-the-c.patch
deleted file mode 100644 (file)
index 66c682f..0000000
+++ /dev/null
@@ -1,67 +0,0 @@
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Mon, 11 Jan 2016 19:18:06 +0100
-Subject: [PATCH] nl80211: Report disassociated STA / lost peer for the correct
- BSS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We shouldn't use drv->ctx as it always points to the first BSS. When
-using FullMAC driver with multi-BSS support it resulted in incorrect
-treating nl80211 events. I noticed with with brcmfmac and BCM43602.
-
-Before my change I was getting "disassociated" on a wrong interface:
-wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
-wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
-wlan0: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated
-
-With this patch it works as expected:
-wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
-wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
-wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated
-
-This doesn't apply to hostapd dealing with SoftMAC drivers when handling
-AP SME & MLME is done it hostapd not the firmware.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
----
- src/drivers/driver_nl80211_event.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/src/drivers/driver_nl80211_event.c
-+++ b/src/drivers/driver_nl80211_event.c
-@@ -1154,6 +1154,7 @@ static void nl80211_new_station_event(st
- static void nl80211_del_station_event(struct wpa_driver_nl80211_data *drv,
-+                                    struct i802_bss *bss,
-                                     struct nlattr **tb)
- {
-       u8 *addr;
-@@ -1166,7 +1167,7 @@ static void nl80211_del_station_event(st
-                  MAC2STR(addr));
-       if (is_ap_interface(drv->nlmode) && drv->device_ap_sme) {
--              drv_event_disassoc(drv->ctx, addr);
-+              drv_event_disassoc(bss->ctx, addr);
-               return;
-       }
-@@ -1175,7 +1176,7 @@ static void nl80211_del_station_event(st
-       os_memset(&data, 0, sizeof(data));
-       os_memcpy(data.ibss_peer_lost.peer, addr, ETH_ALEN);
--      wpa_supplicant_event(drv->ctx, EVENT_IBSS_PEER_LOST, &data);
-+      wpa_supplicant_event(bss->ctx, EVENT_IBSS_PEER_LOST, &data);
- }
-@@ -1939,7 +1940,7 @@ static void do_process_drv_event(struct
-               nl80211_new_station_event(drv, bss, tb);
-               break;
-       case NL80211_CMD_DEL_STATION:
--              nl80211_del_station_event(drv, tb);
-+              nl80211_del_station_event(drv, bss, tb);
-               break;
-       case NL80211_CMD_SET_REKEY_OFFLOAD:
-               nl80211_rekey_offload_event(drv, tb);
index de4a3a8..e9d49d4 100644 (file)
@@ -1,15 +1,25 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
-@@ -17,6 +17,7 @@ export BINDIR ?= /usr/local/bin/
- # CFLAGS += -DUSE_KERNEL_HEADERS -I/usr/src/linux/include
+@@ -28,6 +28,7 @@ CFLAGS += -I$(abspath ../src/utils)
+ export BINDIR ?= /usr/local/bin/
  
  -include .config
 +-include $(if $(MULTICALL), ../wpa_supplicant/.config)
  
- ifdef CONFIG_TESTING_OPTIONS
- CFLAGS += -DCONFIG_TESTING_OPTIONS
-@@ -242,10 +243,14 @@ ifdef CONFIG_IEEE80211AC
- CFLAGS += -DCONFIG_IEEE80211AC
+ ifndef CONFIG_NO_GITVER
+ # Add VERSION_STR postfix for builds from a git repository
+@@ -190,7 +191,8 @@ endif
+ ifdef CONFIG_NO_VLAN
+ CFLAGS += -DCONFIG_NO_VLAN
+-else
++endif
++ifneq ($(findstring CONFIG_NO_VLAN,$(CFLAGS)), CONFIG_NO_VLAN)
+ OBJS += ../src/ap/vlan_init.o
+ OBJS += ../src/ap/vlan_ifconfig.o
+ OBJS += ../src/ap/vlan.o
+@@ -315,10 +317,14 @@ CFLAGS += -DCONFIG_MBO
+ OBJS += ../src/ap/mbo_ap.o
  endif
  
 +ifndef MULTICALL
@@ -26,7 +36,7 @@
  LIBS += $(DRV_AP_LIBS)
  
  ifdef CONFIG_L2_PACKET
-@@ -941,6 +946,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
+@@ -1051,6 +1057,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
  
  BCHECK=../src/drivers/build.hostapd
  
@@ -39,7 +49,7 @@
  hostapd: $(BCHECK) $(OBJS)
        $(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
        @$(E) "  LD " $@
-@@ -980,6 +991,12 @@ HOBJS += ../src/crypto/aes-internal.o
+@@ -1092,6 +1104,12 @@ HOBJS += ../src/crypto/aes-internal.o
  HOBJS += ../src/crypto/aes-internal-enc.o
  endif
  
        @$(E) "  LD " $@
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
-@@ -15,6 +15,7 @@ CFLAGS += -I$(abspath ../src)
+@@ -27,6 +27,7 @@ CFLAGS += -I$(abspath ../src)
  CFLAGS += -I$(abspath ../src/utils)
  
  -include .config
 +-include $(if $(MULTICALL),../hostapd/.config)
  
- ifdef CONFIG_TESTING_OPTIONS
- CFLAGS += -DCONFIG_TESTING_OPTIONS
-@@ -773,6 +774,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
+ ifndef CONFIG_NO_GITVER
+ # Add VERSION_STR postfix for builds from a git repository
+@@ -803,6 +804,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
  CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS
  LIBS += -ldl -rdynamic
  endif
@@ -73,7 +83,7 @@
  endif
  
  ifdef CONFIG_MACSEC
-@@ -793,9 +798,11 @@ NEED_EAP_COMMON=y
+@@ -823,9 +828,11 @@ NEED_EAP_COMMON=y
  NEED_RSN_AUTHENTICATOR=y
  CFLAGS += -DCONFIG_AP
  OBJS += ap.o
@@ -85,7 +95,7 @@
  OBJS += ../src/ap/hostapd.o
  OBJS += ../src/ap/wpa_auth_glue.o
  OBJS += ../src/ap/utils.o
-@@ -858,10 +865,18 @@ endif
+@@ -898,10 +905,18 @@ endif
  ifdef CONFIG_HS20
  OBJS += ../src/ap/hs20.o
  endif
  NEED_AES_WRAP=y
  OBJS += ../src/ap/wpa_auth.o
  OBJS += ../src/ap/wpa_auth_ie.o
-@@ -1603,6 +1618,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
+@@ -1680,6 +1695,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
  
  $(OBJS_c) $(OBJS_t) $(OBJS_t2) $(OBJS) $(BCHECK) $(EXTRA_progs): .config
  
  wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
        $(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
        @$(E) "  LD " $@
-@@ -1694,6 +1715,12 @@ endif
-       $(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
+@@ -1782,6 +1803,12 @@ endif
+               -e 's|\@DBUS_INTERFACE\@|$(DBUS_INTERFACE)|g' $< >$@
        @$(E) "  sed" $<
  
 +dump_cflags:
  wpa_cli.exe: wpa_cli
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
-@@ -4581,8 +4581,8 @@ union wpa_event_data {
+@@ -4794,8 +4794,8 @@ union wpa_event_data {
   * Driver wrapper code should call this function whenever an event is received
   * from the driver.
   */
 +extern void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
 +                                  union wpa_event_data *data);
  
+ /**
+  * wpa_supplicant_event_global - Report a driver event for wpa_supplicant
+@@ -4807,7 +4807,7 @@ void wpa_supplicant_event(void *ctx, enu
+  * Same as wpa_supplicant_event(), but we search for the interface in
+  * wpa_global.
+  */
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++extern void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
+                                union wpa_event_data *data);
  
  /*
 --- a/src/ap/drv_callbacks.c
 +++ b/src/ap/drv_callbacks.c
-@@ -1075,8 +1075,8 @@ static void hostapd_event_dfs_cac_starte
+@@ -1157,8 +1157,8 @@ static void hostapd_event_dfs_cac_starte
  #endif /* NEED_AP_MLME */
  
  
  {
        struct hostapd_data *hapd = ctx;
  #ifndef CONFIG_NO_STDOUT_DEBUG
+@@ -1367,7 +1367,7 @@ void wpa_supplicant_event(void *ctx, enu
+ }
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++void hostapd_wpa_event_global(void *ctx, enum wpa_event_type event,
+                                union wpa_event_data *data)
+ {
+       struct hapd_interfaces *interfaces = ctx;
 --- a/wpa_supplicant/wpa_priv.c
 +++ b/wpa_supplicant/wpa_priv.c
-@@ -819,8 +819,8 @@ static void wpa_priv_send_ft_response(st
+@@ -940,8 +940,8 @@ static void wpa_priv_send_ft_response(st
  }
  
  
  {
        struct wpa_priv_interface *iface = ctx;
  
-@@ -961,6 +961,7 @@ int main(int argc, char *argv[])
+@@ -1010,7 +1010,7 @@ void wpa_supplicant_event(void *ctx, enu
+ }
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++void supplicant_event_global(void *ctx, enum wpa_event_type event,
+                                union wpa_event_data *data)
+ {
+       struct wpa_priv_global *global = ctx;
+@@ -1122,6 +1122,8 @@ int main(int argc, char *argv[])
        if (os_program_init())
                return -1;
  
 +      wpa_supplicant_event = supplicant_event;
++      wpa_supplicant_event_global = supplicant_event_global;
        wpa_priv_fd_workaround();
  
-       for (;;) {
+       os_memset(&global, 0, sizeof(global));
 --- a/wpa_supplicant/events.c
 +++ b/wpa_supplicant/events.c
-@@ -3138,8 +3138,8 @@ static void wpa_supplicant_event_assoc_a
+@@ -3384,8 +3384,8 @@ static void wpa_supplicant_event_assoc_a
  }
  
  
 +                    union wpa_event_data *data)
  {
        struct wpa_supplicant *wpa_s = ctx;
+       int resched;
+@@ -4051,7 +4051,7 @@ void wpa_supplicant_event(void *ctx, enu
+ #endif /* CONFIG_AP */
+               break;
+       case EVENT_ACS_CHANNEL_SELECTED:
+-#ifdef CONFIG_ACS
++#if defined(CONFIG_ACS) && defined(CONFIG_AP)
+               if (!wpa_s->ap_iface)
+                       break;
+               hostapd_acs_channel_selected(wpa_s->ap_iface->bss[0],
+@@ -4065,7 +4065,7 @@ void wpa_supplicant_event(void *ctx, enu
+ }
  
+-void wpa_supplicant_event_global(void *ctx, enum wpa_event_type event,
++void supplicant_event_global(void *ctx, enum wpa_event_type event,
+                                union wpa_event_data *data)
+ {
+       struct wpa_supplicant *wpa_s;
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
-@@ -4300,6 +4300,9 @@ static void wpa_supplicant_deinit_iface(
-       os_free(wpa_s);
+@@ -4982,7 +4982,6 @@ struct wpa_interface * wpa_supplicant_ma
+       return NULL;
  }
  
+-
+ /**
+  * wpa_supplicant_match_existing - Match existing interfaces
+  * @global: Pointer to global data from wpa_supplicant_init()
+@@ -5019,6 +5018,11 @@ static int wpa_supplicant_match_existing
+ #endif /* CONFIG_MATCH_IFACE */
 +extern void supplicant_event(void *ctx, enum wpa_event_type event,
 +                           union wpa_event_data *data);
 +
++extern void supplicant_event_global(void *ctx, enum wpa_event_type event,
++                               union wpa_event_data *data);
  
  /**
   * wpa_supplicant_add_iface - Add a new network interface
-@@ -4526,6 +4529,7 @@ struct wpa_global * wpa_supplicant_init(
+@@ -5274,6 +5278,8 @@ struct wpa_global * wpa_supplicant_init(
  #ifndef CONFIG_NO_WPA_MSG
        wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
  #endif /* CONFIG_NO_WPA_MSG */
 +      wpa_supplicant_event = supplicant_event;
++      wpa_supplicant_event_global = supplicant_event_global;
  
        if (params->wpa_debug_file_path)
                wpa_debug_open_file(params->wpa_debug_file_path);
 --- a/hostapd/main.c
 +++ b/hostapd/main.c
-@@ -511,6 +511,9 @@ static int hostapd_get_ctrl_iface_group(
-       return 0;
+@@ -583,6 +583,11 @@ fail:
+       return -1;
  }
  
 +void hostapd_wpa_event(void *ctx, enum wpa_event_type event,
 +                       union wpa_event_data *data);
 +
++void hostapd_wpa_event_global(void *ctx, enum wpa_event_type event,
++                               union wpa_event_data *data);
  
  #ifdef CONFIG_WPS
  static int gen_uuid(const char *txt_addr)
-@@ -562,6 +565,7 @@ int main(int argc, char *argv[])
-       interfaces.global_iface_name = NULL;
+@@ -660,6 +665,8 @@ int main(int argc, char *argv[])
        interfaces.global_ctrl_sock = -1;
+       dl_list_init(&interfaces.global_ctrl_dst);
  
 +      wpa_supplicant_event = hostapd_wpa_event;
++      wpa_supplicant_event_global = hostapd_wpa_event_global;
        for (;;) {
-               c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
+               c = getopt(argc, argv, "b:Bde:f:hi:KP:STtu:vg:G:");
                if (c < 0)
 --- a/src/drivers/drivers.c
 +++ b/src/drivers/drivers.c
-@@ -10,6 +10,9 @@
+@@ -10,6 +10,11 @@
  #include "utils/common.h"
  #include "driver.h"
  
 +void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
 +                           union wpa_event_data *data);
++void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
++                           union wpa_event_data *data);
 +
  #ifdef CONFIG_DRIVER_WEXT
  extern struct wpa_driver_ops wpa_driver_wext_ops; /* driver_wext.c */
  #endif /* CONFIG_DRIVER_WEXT */
 --- a/wpa_supplicant/eapol_test.c
 +++ b/wpa_supplicant/eapol_test.c
-@@ -28,8 +28,12 @@
+@@ -29,7 +29,12 @@
  #include "ctrl_iface.h"
  #include "pcsc_funcs.h"
  #include "wpas_glue.h"
 +#include "drivers/driver.h"
  
 +void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
 +                           union wpa_event_data *data);
-+
- struct wpa_driver_ops *wpa_drivers[] = { NULL };
++void (*wpa_supplicant_event_global)(void *ctx, enum wpa_event_type event,
++                           union wpa_event_data *data);
  
+ const struct wpa_driver_ops *const wpa_drivers[] = { NULL };
  
-@@ -1203,6 +1207,8 @@ static void usage(void)
+@@ -1295,6 +1300,10 @@ static void usage(void)
               "option several times.\n");
  }
  
 +extern void supplicant_event(void *ctx, enum wpa_event_type event,
 +                           union wpa_event_data *data);
++extern void supplicant_event_global(void *ctx, enum wpa_event_type event,
++                           union wpa_event_data *data);
  
  int main(int argc, char *argv[])
  {
-@@ -1221,6 +1227,7 @@ int main(int argc, char *argv[])
+@@ -1315,6 +1324,8 @@ int main(int argc, char *argv[])
        if (os_program_init())
                return -1;
  
 +      wpa_supplicant_event = supplicant_event;
++      wpa_supplicant_event_global = supplicant_event_global;
        hostapd_logger_register_cb(hostapd_logger_cb);
  
        os_memset(&eapol_test, 0, sizeof(eapol_test));
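Review bot: `wpa_supplicant_event` and the newly added `wpa_supplicant_event_global` are function pointers defined without an initialiser in src/drivers/drivers.c and wpa_supplicant/eapol_test.c, and are only assigned in each program's `main()` or in `wpa_supplicant_init()`. A driver wrapper that reports an event before that assignment would call through a null pointer. The handlers are also re-declared by hand where they are assigned (`extern void supplicant_event_global(...)` in wpa_supplicant.c and eapol_test.c, `void hostapd_wpa_event_global(...)` in hostapd/main.c), so the compiler never checks those prototypes against the definitions in events.c and drv_callbacks.c. I would move the prototypes into a shared header and add a comment at the pointer definitions, such as `/* must be set before any driver is initialised */`. Separately, in the hostapd/Makefile hunk `$(findstring CONFIG_NO_VLAN,$(CFLAGS))` is a substring match, so any flag that merely contains that text also drops the VLAN objects; `ifeq ($(filter -DCONFIG_NO_VLAN,$(CFLAGS)),)` would test for the exact flag.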
index 57d8fe2..bb3d57b 100644 (file)
@@ -1,6 +1,6 @@
 --- a/hostapd/config_file.c
 +++ b/hostapd/config_file.c
-@@ -2771,6 +2771,10 @@ static int hostapd_config_fill(struct ho
+@@ -2861,6 +2861,10 @@ static int hostapd_config_fill(struct ho
                }
  #endif /* CONFIG_IEEE80211W */
  #ifdef CONFIG_IEEE80211N
@@ -13,7 +13,7 @@
        } else if (os_strcmp(buf, "ht_capab") == 0) {
 --- a/src/ap/ap_config.h
 +++ b/src/ap/ap_config.h
-@@ -619,6 +619,8 @@ struct hostapd_config {
+@@ -655,6 +655,8 @@ struct hostapd_config {
  
        int ht_op_mode_fixed;
        u16 ht_capab;
 +      int no_ht_coex;
        int ieee80211n;
        int secondary_channel;
-       int require_ht;
+       int no_pri_sec_switch;
 --- a/src/ap/hw_features.c
 +++ b/src/ap/hw_features.c
-@@ -461,7 +461,7 @@ static int ieee80211n_check_40mhz(struct
-       struct wpa_driver_scan_params params;
+@@ -474,7 +474,8 @@ static int ieee80211n_check_40mhz(struct
        int ret;
  
--      if (!iface->conf->secondary_channel)
-+      if (!iface->conf->secondary_channel || iface->conf->noscan)
-               return 0; /* HT40 not used */
+       /* Check that HT40 is used and PRI / SEC switch is allowed */
+-      if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
++      if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
++              iface->conf->noscan)
+               return 0;
  
        hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
 --- a/src/ap/ieee802_11_ht.c
 +++ b/src/ap/ieee802_11_ht.c
-@@ -221,6 +221,9 @@ void hostapd_2040_coex_action(struct hos
+@@ -244,6 +244,9 @@ void hostapd_2040_coex_action(struct hos
        if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
                return;
  
@@ -45,7 +46,7 @@
        if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie))
                return;
  
-@@ -346,6 +349,9 @@ void ht40_intolerant_add(struct hostapd_
+@@ -368,6 +371,9 @@ void ht40_intolerant_add(struct hostapd_
        if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
                return;
  
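Review bot: The comment kept above the test in ieee80211n_check_40mhz, `/* Check that HT40 is used and PRI / SEC switch is allowed */`, does not cover the added `iface->conf->noscan` term, which now also takes the early `return 0`. Extending it, for example to `/* Check that HT40 is used, PRI / SEC switch is allowed and noscan is not set */`, tells a reader that skipping the step before `hostapd_set_state(iface, HAPD_IFACE_HT_SCAN)` is a deliberate operator choice. The continuation line `iface->conf->noscan)` would also read better aligned with the first operand of the condition. The function body continues outside the hunk.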
index 7be8c32..d9486ed 100644 (file)
@@ -1,6 +1,6 @@
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
-@@ -3249,7 +3249,7 @@ wpa_supplicant_alloc(struct wpa_supplica
+@@ -3548,7 +3548,7 @@ wpa_supplicant_alloc(struct wpa_supplica
        if (wpa_s == NULL)
                return NULL;
        wpa_s->scan_req = INITIAL_SCAN_REQ;
@@ -8,4 +8,4 @@
 +      wpa_s->scan_interval = 1;
        wpa_s->new_connection = 1;
        wpa_s->parent = parent ? parent : wpa_s;
-       wpa_s->sched_scanning = 0;
+       wpa_s->p2pdev = wpa_s->parent;
index 75b4b07..cf2a2c1 100644 (file)
@@ -1,14 +1,14 @@
 --- a/src/drivers/drivers.mak
 +++ b/src/drivers/drivers.mak
-@@ -34,7 +34,6 @@ NEED_SME=y
+@@ -36,7 +36,6 @@ NEED_SME=y
  NEED_AP_MLME=y
  NEED_NETLINK=y
  NEED_LINUX_IOCTL=y
 -NEED_RFKILL=y
+ NEED_RADIOTAP=y
  
  ifdef CONFIG_LIBNL32
-   DRV_LIBS += -lnl-3
-@@ -116,7 +115,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
+@@ -123,7 +122,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
  CONFIG_WIRELESS_EXTENSION=y
  NEED_NETLINK=y
  NEED_LINUX_IOCTL=y
@@ -16,7 +16,7 @@
  endif
  
  ifdef CONFIG_DRIVER_NDIS
-@@ -142,7 +140,6 @@ endif
+@@ -149,7 +147,6 @@ endif
  ifdef CONFIG_WIRELESS_EXTENSION
  DRV_WPA_CFLAGS += -DCONFIG_WIRELESS_EXTENSION
  DRV_WPA_OBJS += ../src/drivers/driver_wext.o
  endif
  
  ifdef NEED_NETLINK
-@@ -155,6 +152,7 @@ endif
+@@ -162,6 +159,7 @@ endif
  
  ifdef NEED_RFKILL
  DRV_OBJS += ../src/drivers/rfkill.o
 +DRV_WPA_CFLAGS += -DCONFIG_RFKILL
  endif
  
- ifdef CONFIG_VLAN_NETLINK
+ ifdef NEED_RADIOTAP
 --- a/src/drivers/rfkill.h
 +++ b/src/drivers/rfkill.h
 @@ -18,8 +18,24 @@ struct rfkill_config {
index dd90877..ca46012 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -3616,7 +3616,7 @@ static int nl80211_set_channel(struct i8
+@@ -3795,7 +3795,7 @@ static int nl80211_set_channel(struct i8
                   freq->freq, freq->ht_enabled, freq->vht_enabled,
                   freq->bandwidth, freq->center_freq1, freq->center_freq2);
  
index 91b6196..086ade9 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
-@@ -76,6 +76,16 @@ static void hostapd_reload_bss(struct ho
+@@ -80,6 +80,16 @@ static void hostapd_reload_bss(struct ho
  #endif /* CONFIG_NO_RADIUS */
  
        ssid = &hapd->conf->ssid;
@@ -17,7 +17,7 @@
        if (!ssid->wpa_psk_set && ssid->wpa_psk && !ssid->wpa_psk->next &&
            ssid->wpa_passphrase_set && ssid->wpa_passphrase) {
                /*
-@@ -175,21 +185,12 @@ int hostapd_reload_config(struct hostapd
+@@ -179,21 +189,12 @@ int hostapd_reload_config(struct hostapd
        oldconf = hapd->iconf;
        iface->conf = newconf;
  
index a14fa03..247f154 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -2254,13 +2254,18 @@ wpa_driver_nl80211_finish_drv_init(struc
+@@ -2394,13 +2394,18 @@ wpa_driver_nl80211_finish_drv_init(struc
  }
  
  
@@ -22,7 +22,7 @@
        return send_and_recv_msgs(drv, msg, NULL, NULL);
  }
  
-@@ -2311,7 +2316,7 @@ static void wpa_driver_nl80211_deinit(st
+@@ -2452,7 +2457,7 @@ static void wpa_driver_nl80211_deinit(st
        nl80211_remove_monitor_interface(drv);
  
        if (is_ap_interface(drv->nlmode))
@@ -31,7 +31,7 @@
  
        if (drv->eapol_sock >= 0) {
                eloop_unregister_read_sock(drv->eapol_sock);
-@@ -4140,8 +4145,7 @@ static void nl80211_teardown_ap(struct i
+@@ -4385,8 +4390,7 @@ static void nl80211_teardown_ap(struct i
                nl80211_remove_monitor_interface(drv);
        else
                nl80211_mgmt_unsubscribe(bss, "AP teardown");
@@ -41,7 +41,7 @@
  }
  
  
-@@ -6066,8 +6070,6 @@ static int wpa_driver_nl80211_if_remove(
+@@ -6387,8 +6391,6 @@ static int wpa_driver_nl80211_if_remove(
        } else {
                wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
                nl80211_teardown_ap(bss);
@@ -50,7 +50,7 @@
                nl80211_destroy_bss(bss);
                if (!bss->added_if)
                        i802_set_iface_flags(bss, 0);
-@@ -6389,8 +6391,7 @@ static int wpa_driver_nl80211_deinit_ap(
+@@ -6750,8 +6752,7 @@ static int wpa_driver_nl80211_deinit_ap(
        struct wpa_driver_nl80211_data *drv = bss->drv;
        if (!is_ap_interface(drv->nlmode))
                return -1;
@@ -60,7 +60,7 @@
  
        /*
         * If the P2P GO interface was dynamically added, then it is
-@@ -6409,8 +6410,7 @@ static int wpa_driver_nl80211_stop_ap(vo
+@@ -6770,8 +6771,7 @@ static int wpa_driver_nl80211_stop_ap(vo
        struct wpa_driver_nl80211_data *drv = bss->drv;
        if (!is_ap_interface(drv->nlmode))
                return -1;
index 06b005e..1e405cb 100644 (file)
@@ -1,22 +1,22 @@
 --- a/hostapd/ctrl_iface.c
 +++ b/hostapd/ctrl_iface.c
-@@ -45,6 +45,7 @@
- #include "wps/wps.h"
+@@ -54,6 +54,7 @@
+ #include "fst/fst_ctrl_iface.h"
  #include "config_file.h"
  #include "ctrl_iface.h"
 +#include "config_file.h"
  
  
- struct wpa_ctrl_dst {
-@@ -55,6 +56,7 @@ struct wpa_ctrl_dst {
-       int errors;
};
+ #define HOSTAPD_CLI_DUP_VALUE_MAX_LEN 256
+@@ -72,6 +73,7 @@ static void hostapd_ctrl_iface_send(stru
+                                   enum wpa_msg_type type,
                                  const char *buf, size_t len);
  
 +static char *reload_opts = NULL;
  
- static void hostapd_ctrl_iface_send(struct hostapd_data *hapd, int level,
-                                   const char *buf, size_t len);
-@@ -164,6 +166,61 @@ static int hostapd_ctrl_iface_new_sta(st
+ static int hostapd_ctrl_iface_attach(struct hostapd_data *hapd,
+                                    struct sockaddr_storage *from,
+@@ -123,6 +125,61 @@ static int hostapd_ctrl_iface_new_sta(st
        return 0;
  }
  
@@ -78,7 +78,7 @@
  
  #ifdef CONFIG_IEEE80211W
  #ifdef NEED_AP_MLME
-@@ -2086,6 +2143,8 @@ static void hostapd_ctrl_iface_receive(i
+@@ -2483,6 +2540,8 @@ static int hostapd_ctrl_iface_receive_pr
        } else if (os_strncmp(buf, "VENDOR ", 7) == 0) {
                reply_len = hostapd_ctrl_iface_vendor(hapd, buf + 7, reply,
                                                      reply_size);
@@ -89,7 +89,7 @@
  #ifdef RADIUS_SERVER
 --- a/src/ap/ctrl_iface_ap.c
 +++ b/src/ap/ctrl_iface_ap.c
-@@ -541,5 +541,11 @@ int hostapd_parse_csa_settings(const cha
+@@ -593,7 +593,13 @@ int hostapd_parse_csa_settings(const cha
  
  int hostapd_ctrl_iface_stop_ap(struct hostapd_data *hapd)
  {
 +
 +      return 0;
  }
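Review bot: The patch adds `#include "config_file.h"` to hostapd/ctrl_iface.c two lines below an existing `#include "config_file.h"` that is visible as context in the same hunk, so the added include is redundant. Dropping it from the patch keeps the refresh smaller and removes one source of conflicts when upstream next changes the include list. The file-scope `static char *reload_opts = NULL;` has no comment; a one-line note on who sets it and who frees it would help, since the code that uses it is outside the visible lines.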
index ea235e6..6b70215 100644 (file)
@@ -1,6 +1,6 @@
 --- a/wpa_supplicant/wpa_supplicant_i.h
 +++ b/wpa_supplicant/wpa_supplicant_i.h
-@@ -110,6 +110,11 @@ struct wpa_interface {
+@@ -100,6 +100,11 @@ struct wpa_interface {
        const char *ifname;
  
        /**
@@ -12,8 +12,8 @@
         * bridge_ifname - Optional bridge interface name
         *
         * If the driver interface (ifname) is included in a Linux bridge
-@@ -442,6 +447,8 @@ struct wpa_supplicant {
- #endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
+@@ -484,6 +489,8 @@ struct wpa_supplicant {
+ #endif /* CONFIG_CTRL_IFACE_BINDER */
        char bridge_ifname[16];
  
 +      struct wpa_ctrl *hostapd;
@@ -23,7 +23,7 @@
  
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
-@@ -14,6 +14,10 @@ CFLAGS += $(EXTRA_CFLAGS)
+@@ -26,6 +26,10 @@ CFLAGS += $(EXTRA_CFLAGS)
  CFLAGS += -I$(abspath ../src)
  CFLAGS += -I$(abspath ../src/utils)
  
@@ -34,7 +34,7 @@
  -include .config
  -include $(if $(MULTICALL),../hostapd/.config)
  
-@@ -84,6 +88,8 @@ OBJS_c += ../src/utils/wpa_debug.o
+@@ -113,6 +117,8 @@ OBJS_c += ../src/utils/wpa_debug.o
  OBJS_c += ../src/utils/common.o
  OBJS += wmm_ac.o
  
@@ -45,7 +45,7 @@
  CONFIG_OS=win32
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
-@@ -107,6 +107,55 @@ const char *wpa_supplicant_full_license5
+@@ -112,6 +112,55 @@ const char *const wpa_supplicant_full_li
  "\n";
  #endif /* CONFIG_NO_STDOUT_DEBUG */
  
@@ -73,7 +73,7 @@
 +      int ret;
 +
 +      if (!bss)
-+              return;
++              return -1;
 +
 +      if (bss->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) {
 +              int sec = bss->ht_param & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
  /* Configure default/group WEP keys for static WEP */
  int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
  {
-@@ -743,8 +792,12 @@ void wpa_supplicant_set_state(struct wpa
+@@ -812,8 +861,12 @@ void wpa_supplicant_set_state(struct wpa
                wpas_p2p_completed(wpa_s);
  
                sme_sched_obss_scan(wpa_s, 1);
                wpa_s->new_connection = 1;
                wpa_drv_set_operstate(wpa_s, 0);
  #ifndef IEEE8021X_EAPOL
-@@ -4038,6 +4091,20 @@ static int wpa_supplicant_init_iface(str
+@@ -4638,6 +4691,20 @@ static int wpa_supplicant_init_iface(str
                           sizeof(wpa_s->bridge_ifname));
        }
  
        /* RSNA Supplicant Key Management - INITIALIZE */
        eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
        eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
-@@ -4280,6 +4347,11 @@ static void wpa_supplicant_deinit_iface(
+@@ -4929,6 +4996,11 @@ static void wpa_supplicant_deinit_iface(
        if (terminate)
                wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_TERMINATING);
  
  #include "drivers/driver.h"
  #include "wpa_supplicant_i.h"
  #include "config.h"
-@@ -277,6 +278,10 @@ static void calculate_update_time(const
+@@ -287,6 +288,10 @@ static void calculate_update_time(const
  static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
                             struct os_reltime *fetch_time)
  {
        dst->flags = src->flags;
        os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
        dst->freq = src->freq;
-@@ -289,6 +294,15 @@ static void wpa_bss_copy_res(struct wpa_
+@@ -299,6 +304,15 @@ static void wpa_bss_copy_res(struct wpa_
        dst->est_throughput = src->est_throughput;
        dst->snr = src->snr;
  
  
 --- a/wpa_supplicant/main.c
 +++ b/wpa_supplicant/main.c
-@@ -33,7 +33,7 @@ static void usage(void)
+@@ -34,7 +34,7 @@ static void usage(void)
               "vW] [-P<pid file>] "
               "[-g<global ctrl>] \\\n"
               "        [-G<group>] \\\n"
               "[-p<driver_param>] \\\n"
               "        [-b<br_ifname>] [-e<entropy file>]"
  #ifdef CONFIG_DEBUG_FILE
-@@ -84,6 +84,7 @@ static void usage(void)
- #endif /* CONFIG_DEBUG_LINUX_TRACING */
-       printf("  -t = include timestamp in debug messages\n"
+@@ -74,6 +74,7 @@ static void usage(void)
+              "  -g = global ctrl_interface\n"
+              "  -G = global ctrl_interface group\n"
               "  -h = show this help text\n"
 +                 "  -H = connect to a hostapd instance to manage state changes\n"
-              "  -L = show license (BSD)\n"
-              "  -o = override driver parameter for new interfaces\n"
-              "  -O = override ctrl_interface parameter for new interfaces\n"
-@@ -175,7 +176,7 @@ int main(int argc, char *argv[])
+              "  -i = interface name\n"
+              "  -I = additional configuration file\n"
+              "  -K = include keys (passwords, etc.) in debug output\n"
+@@ -201,7 +202,7 @@ int main(int argc, char *argv[])
  
        for (;;) {
                c = getopt(argc, argv,
--                         "b:Bc:C:D:de:f:g:G:hi:I:KLm:No:O:p:P:qsTtuvW");
-+                         "b:Bc:C:D:de:f:g:G:hH:i:I:KLm:No:O:p:P:qsTtuvW");
+-                         "b:Bc:C:D:de:f:g:G:hi:I:KLMm:No:O:p:P:qsTtuvW");
++                         "b:Bc:C:D:de:f:g:G:hH:i:I:KLMm:No:O:p:P:qsTtuvW");
                if (c < 0)
                        break;
                switch (c) {
-@@ -222,6 +223,9 @@ int main(int argc, char *argv[])
+@@ -248,6 +249,9 @@ int main(int argc, char *argv[])
                        usage();
                        exitcode = 0;
                        goto out;
                        break;
 --- a/wpa_supplicant/bss.h
 +++ b/wpa_supplicant/bss.h
-@@ -72,6 +72,10 @@ struct wpa_bss {
-       u8 ssid[32];
+@@ -79,6 +79,10 @@ struct wpa_bss {
+       u8 ssid[SSID_MAX_LEN];
        /** Length of SSID */
        size_t ssid_len;
 +      /** HT caapbilities */
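Review bot: The doc comment added to struct wpa_bss in wpa_supplicant/bss.h is misspelled, `/** HT caapbilities */`, and should read `/** HT capabilities */`. Separately, the NULL-`bss` path of the helper added to wpa_supplicant/wpa_supplicant.c now returns `-1` instead of a bare `return;`. The call sites are outside the visible lines, so it is worth confirming that they either check the result or ignore it on purpose. The bss.h hunk and the helper both continue beyond what is shown here.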
index 3a41b82..ef9c9db 100644 (file)
@@ -1,18 +1,18 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
-@@ -168,6 +168,9 @@ endif
+@@ -212,6 +212,9 @@ endif
  ifdef CONFIG_NO_CTRL_IFACE
  CFLAGS += -DCONFIG_NO_CTRL_IFACE
  else
 +ifdef CONFIG_CTRL_IFACE_MIB
 +CFLAGS += -DCONFIG_CTRL_IFACE_MIB
 +endif
- OBJS += ctrl_iface.o
- OBJS += ../src/ap/ctrl_iface_ap.o
- endif
+ ifeq ($(CONFIG_CTRL_IFACE), udp)
+ CFLAGS += -DCONFIG_CTRL_IFACE_UDP
+ else
 --- a/hostapd/ctrl_iface.c
 +++ b/hostapd/ctrl_iface.c
-@@ -1953,6 +1953,7 @@ static void hostapd_ctrl_iface_receive(i
+@@ -2342,6 +2342,7 @@ static int hostapd_ctrl_iface_receive_pr
                                                      reply_size);
        } else if (os_strcmp(buf, "STATUS-DRIVER") == 0) {
                reply_len = hostapd_drv_status(hapd, reply, reply_size);
        } else if (os_strcmp(buf, "MIB") == 0) {
                reply_len = ieee802_11_get_mib(hapd, reply, reply_size);
                if (reply_len >= 0) {
-@@ -1994,6 +1995,7 @@ static void hostapd_ctrl_iface_receive(i
+@@ -2383,6 +2384,7 @@ static int hostapd_ctrl_iface_receive_pr
        } else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
                reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply,
                                                        reply_size);
 +#endif
        } else if (os_strcmp(buf, "ATTACH") == 0) {
-               if (hostapd_ctrl_iface_attach(hapd, &from, fromlen))
+               if (hostapd_ctrl_iface_attach(hapd, from, fromlen))
                        reply_len = -1;
 --- a/wpa_supplicant/Makefile
 +++ b/wpa_supplicant/Makefile
-@@ -837,6 +837,9 @@ ifdef CONFIG_WNM
- OBJS += ../src/ap/wnm_ap.o
+@@ -872,6 +872,9 @@ ifdef CONFIG_MBO
+ OBJS += ../src/ap/mbo_ap.o
  endif
  ifdef CONFIG_CTRL_IFACE
 +ifdef CONFIG_CTRL_IFACE_MIB
@@ -42,7 +42,7 @@
  
 --- a/wpa_supplicant/ctrl_iface.c
 +++ b/wpa_supplicant/ctrl_iface.c
-@@ -1795,7 +1795,7 @@ static int wpa_supplicant_ctrl_iface_sta
+@@ -1895,7 +1895,7 @@ static int wpa_supplicant_ctrl_iface_sta
                        pos += ret;
                }
  
@@ -51,7 +51,7 @@
                if (wpa_s->ap_iface) {
                        pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos,
                                                            end - pos,
-@@ -7896,6 +7896,7 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -8687,6 +8687,7 @@ char * wpa_supplicant_ctrl_iface_process
                        reply_len = -1;
        } else if (os_strncmp(buf, "NOTE ", 5) == 0) {
                wpa_printf(MSG_INFO, "NOTE: %s", buf + 5);
@@ -59,7 +59,7 @@
        } else if (os_strcmp(buf, "MIB") == 0) {
                reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
                if (reply_len >= 0) {
-@@ -7903,6 +7904,7 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -8694,6 +8695,7 @@ char * wpa_supplicant_ctrl_iface_process
                                                      reply + reply_len,
                                                      reply_size - reply_len);
                }
@@ -67,7 +67,7 @@
        } else if (os_strncmp(buf, "STATUS", 6) == 0) {
                reply_len = wpa_supplicant_ctrl_iface_status(
                        wpa_s, buf + 6, reply, reply_size);
-@@ -8353,6 +8355,7 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -9164,6 +9166,7 @@ char * wpa_supplicant_ctrl_iface_process
                reply_len = wpa_supplicant_ctrl_iface_bss(
                        wpa_s, buf + 4, reply, reply_size);
  #ifdef CONFIG_AP
@@ -75,7 +75,7 @@
        } else if (os_strcmp(buf, "STA-FIRST") == 0) {
                reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size);
        } else if (os_strncmp(buf, "STA ", 4) == 0) {
-@@ -8361,12 +8364,15 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -9172,12 +9175,15 @@ char * wpa_supplicant_ctrl_iface_process
        } else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
                reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply,
                                                   reply_size);
                        reply_len = -1;
 --- a/src/ap/ctrl_iface_ap.c
 +++ b/src/ap/ctrl_iface_ap.c
-@@ -22,6 +22,7 @@
- #include "ctrl_iface_ap.h"
+@@ -24,6 +24,7 @@
  #include "ap_drv_ops.h"
+ #include "mbo_ap.h"
  
 +#ifdef CONFIG_CTRL_IFACE_MIB
  
  static int hostapd_get_sta_tx_rx(struct hostapd_data *hapd,
                                 struct sta_info *sta,
-@@ -224,6 +225,7 @@ int hostapd_ctrl_iface_sta_next(struct h
+@@ -249,6 +250,7 @@ int hostapd_ctrl_iface_sta_next(struct h
        return hostapd_ctrl_iface_sta_mib(hapd, sta->next, buf, buflen);
  }
  
  static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype,
 --- a/src/ap/ieee802_1x.c
 +++ b/src/ap/ieee802_1x.c
-@@ -2337,6 +2337,7 @@ static const char * bool_txt(Boolean boo
-       return bool_val ? "TRUE" : "FALSE";
+@@ -2441,6 +2441,7 @@ static const char * bool_txt(Boolean val
+       return val ? "TRUE" : "FALSE";
  }
  
 +#ifdef CONFIG_CTRL_IFACE_MIB
  
  int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
  {
-@@ -2512,6 +2513,7 @@ int ieee802_1x_get_mib_sta(struct hostap
+@@ -2616,6 +2617,7 @@ int ieee802_1x_get_mib_sta(struct hostap
        return len;
  }
  
 +#endif
  
- static void ieee802_1x_finished(struct hostapd_data *hapd,
-                               struct sta_info *sta, int success,
+ #ifdef CONFIG_HS20
+ static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
 --- a/src/ap/wpa_auth.c
 +++ b/src/ap/wpa_auth.c
-@@ -2999,6 +2999,7 @@ static const char * wpa_bool_txt(int boo
-       return bool ? "TRUE" : "FALSE";
+@@ -3069,6 +3069,7 @@ static const char * wpa_bool_txt(int val
+       return val ? "TRUE" : "FALSE";
  }
  
 +#ifdef CONFIG_CTRL_IFACE_MIB
  
  #define RSN_SUITE "%02x-%02x-%02x-%d"
  #define RSN_SUITE_ARG(s) \
-@@ -3143,7 +3144,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
+@@ -3213,7 +3214,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
  
        return len;
  }
  {
 --- a/src/rsn_supp/wpa.c
 +++ b/src/rsn_supp/wpa.c
-@@ -2032,6 +2032,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
+@@ -2108,6 +2108,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
  }
  
  
  #define RSN_SUITE "%02x-%02x-%02x-%d"
  #define RSN_SUITE_ARG(s) \
  ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
-@@ -2115,6 +2117,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
+@@ -2191,6 +2193,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
  
        return (int) len;
  }
  
 --- a/wpa_supplicant/ap.c
 +++ b/wpa_supplicant/ap.c
-@@ -1015,7 +1015,7 @@ int wpas_ap_wps_nfc_report_handover(stru
+@@ -1114,7 +1114,7 @@ int wpas_ap_wps_nfc_report_handover(stru
  #endif /* CONFIG_WPS */
  
  
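Review bot: The guards added for CONFIG_CTRL_IFACE_MIB close with a bare `#endif` (hostapd/ctrl_iface.c before the `ATTACH` branch, src/ap/ieee802_1x.c after ieee802_1x_get_mib_sta), while the surrounding code annotates its guards, e.g. `#endif /* CONFIG_WPS */`. Writing `#endif /* CONFIG_CTRL_IFACE_MIB */` makes it clear which block ends. That matters most in the ctrl_iface.c files, where the guard cuts through an `else if` chain of control-interface commands. Several of the matching `#ifdef` lines fall outside the visible lines.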
index 1065a7f..c9e7bf4 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/common/wpa_common.c
 +++ b/src/common/wpa_common.c
-@@ -1228,6 +1228,31 @@ u32 wpa_akm_to_suite(int akm)
+@@ -1244,6 +1244,31 @@ u32 wpa_akm_to_suite(int akm)
  }
  
  
@@ -32,7 +32,7 @@
  int wpa_compare_rsn_ie(int ft_initial_assoc,
                       const u8 *ie1, size_t ie1len,
                       const u8 *ie2, size_t ie2len)
-@@ -1235,8 +1260,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
+@@ -1251,8 +1276,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
        if (ie1 == NULL || ie2 == NULL)
                return -1;
  
index 083af5b..f5872cd 100644 (file)
@@ -1,25 +1,22 @@
 --- a/src/ap/wps_hostapd.c
 +++ b/src/ap/wps_hostapd.c
-@@ -1052,11 +1052,9 @@ int hostapd_init_wps(struct hostapd_data
-               if (conf->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP))
+@@ -352,8 +352,7 @@ static int hapd_wps_reconfig_in_memory(s
+                               bss->wpa_pairwise |= WPA_CIPHER_GCMP;
+                       else
+                               bss->wpa_pairwise |= WPA_CIPHER_CCMP;
+-              }
+-              if (cred->encr_type & WPS_ENCR_TKIP)
++              } else if (cred->encr_type & WPS_ENCR_TKIP)
+                       bss->wpa_pairwise |= WPA_CIPHER_TKIP;
+               bss->rsn_pairwise = bss->wpa_pairwise;
+               bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
+@@ -1073,8 +1072,7 @@ int hostapd_init_wps(struct hostapd_data
+               if (conf->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) {
                        wps->encr_types |= WPS_ENCR_AES;
--              if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
-+              else if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
+                       wps->encr_types_rsn |= WPS_ENCR_AES;
+-              }
+-              if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
++              } else if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
                        wps->encr_types |= WPS_ENCR_TKIP;
--      }
--
--      if (conf->wpa & WPA_PROTO_WPA) {
-+      } else if (conf->wpa & WPA_PROTO_WPA) {
-               if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
-                       wps->auth_types |= WPS_AUTH_WPAPSK;
-               if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X)
-@@ -1064,7 +1062,7 @@ int hostapd_init_wps(struct hostapd_data
-               if (conf->wpa_pairwise & WPA_CIPHER_CCMP)
-                       wps->encr_types |= WPS_ENCR_AES;
--              if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
-+              else if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
-                       wps->encr_types |= WPS_ENCR_TKIP;
-       }
+                       wps->encr_types_rsn |= WPS_ENCR_TKIP;
+               }
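Review bot: The refreshed patch no longer carries the old hunks that turned the `conf->wpa & WPA_PROTO_WPA` branch and its `conf->wpa_pairwise & WPA_CIPHER_TKIP` test in hostapd_init_wps into `else if`. Only the RSN branch now visibly keeps `WPS_ENCR_TKIP` out when AES is offered. If the WPA branch of the updated upstream file can still set `WPS_ENCR_TKIP` in a mixed WPA/WPA2 configuration, WPS would advertise TKIP next to AES, which the patch appears meant to prevent. That branch is outside the visible lines and should be checked. In hapd_wps_reconfig_in_memory the new `} else if (cred->encr_type & WPS_ENCR_TKIP)` leaves an unbraced body after a braced `if`; `} else if (cred->encr_type & WPS_ENCR_TKIP) {` with a closing brace would match the second hunk.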
index da88732..a48b696 100644 (file)
@@ -64,7 +64,7 @@
  #ifdef CONFIG_DEBUG_FILE
  static char *last_path = NULL;
  #endif /* CONFIG_DEBUG_FILE */
-@@ -602,7 +576,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
+@@ -604,7 +578,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
  }
  
  
@@ -73,7 +73,7 @@
  {
        va_list ap;
        char *buf;
-@@ -640,7 +614,7 @@ void wpa_msg(void *ctx, int level, const
+@@ -642,7 +616,7 @@ void wpa_msg(void *ctx, int level, const
  }
  
  
  
  /*
   * wpa_dbg() behaves like wpa_msg(), but it can be removed from build to reduce
-@@ -181,7 +222,12 @@ void wpa_hexdump_ascii_key(int level, co
+@@ -182,7 +223,12 @@ void wpa_hexdump_ascii_key(int level, co
   *
   * Note: New line '\n' is added to the end of the text when printing to stdout.
   */
  
  /**
   * wpa_msg_ctrl - Conditional printf for ctrl_iface monitors
-@@ -195,8 +241,13 @@ void wpa_msg(void *ctx, int level, const
+@@ -196,8 +242,13 @@ void wpa_msg(void *ctx, int level, const
   * attached ctrl_iface monitors. In other words, it can be used for frequent
   * events that do not need to be sent to syslog.
   */
index 64c92df..335e71e 100644 (file)
@@ -8,16 +8,16 @@
  #include "crypto/random.h"
  #include "crypto/tls.h"
  #include "common/version.h"
-@@ -567,7 +568,7 @@ int main(int argc, char *argv[])
+@@ -668,7 +669,7 @@ int main(int argc, char *argv[])
        wpa_supplicant_event = hostapd_wpa_event;
+       wpa_supplicant_event_global = hostapd_wpa_event_global;
        for (;;) {
--              c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
-+              c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:g:G:v::");
+-              c = getopt(argc, argv, "b:Bde:f:hi:KP:STtu:vg:G:");
++              c = getopt(argc, argv, "b:Bde:f:hi:KP:STtu:g:G:v::");
                if (c < 0)
                        break;
                switch (c) {
-@@ -604,6 +605,8 @@ int main(int argc, char *argv[])
+@@ -705,6 +706,8 @@ int main(int argc, char *argv[])
                        break;
  #endif /* CONFIG_DEBUG_LINUX_TRACING */
                case 'v':
  
  #include "common.h"
 +#include "build_features.h"
+ #include "fst/fst.h"
  #include "wpa_supplicant_i.h"
  #include "driver_i.h"
- #include "p2p_supplicant.h"
-@@ -176,7 +177,7 @@ int main(int argc, char *argv[])
+@@ -202,7 +203,7 @@ int main(int argc, char *argv[])
  
        for (;;) {
                c = getopt(argc, argv,
--                         "b:Bc:C:D:de:f:g:G:hH:i:I:KLm:No:O:p:P:qsTtuvW");
-+                         "b:Bc:C:D:de:f:g:G:hH:i:I:KLm:No:O:p:P:qsTtuv::W");
+-                         "b:Bc:C:D:de:f:g:G:hH:i:I:KLMm:No:O:p:P:qsTtuvW");
++                         "b:Bc:C:D:de:f:g:G:hH:i:I:KLMm:No:O:p:P:qsTtuv::W");
                if (c < 0)
                        break;
                switch (c) {
-@@ -279,8 +280,12 @@ int main(int argc, char *argv[])
+@@ -305,8 +306,12 @@ int main(int argc, char *argv[])
                        break;
  #endif /* CONFIG_DBUS */
                case 'v':
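Review bot: Changing `v` to `v::` in both getopt strings (hostapd/main.c and wpa_supplicant/main.c) relies on getopt's optional-argument extension. That extension accepts the argument only when it is attached to the flag, and treats any characters grouped after `-v` as that argument rather than as further flags. The `case 'v':` bodies are outside the visible lines, so confirm they handle a NULL `optarg` for a plain `-v`. A comment beside each option string, such as `/* -v takes an optional, attached argument */`, and a matching line in usage() would document the behaviour.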
index 85d2e16..d07b747 100644 (file)
@@ -1,6 +1,6 @@
 --- a/hostapd/hostapd_cli.c
 +++ b/hostapd/hostapd_cli.c
-@@ -67,7 +67,6 @@ static const char *commands_help =
+@@ -69,7 +69,6 @@ static const char *const commands_help =
  #ifdef CONFIG_IEEE80211W
  "   sa_query <addr>      send SA Query to a station\n"
  #endif /* CONFIG_IEEE80211W */
@@ -8,7 +8,7 @@
  "   wps_pin <uuid> <pin> [timeout] [addr]  add WPS Enrollee PIN\n"
  "   wps_check_pin <PIN>  verify PIN checksum\n"
  "   wps_pbc              indicate button pushed to initiate PBC\n"
-@@ -80,7 +79,6 @@ static const char *commands_help =
+@@ -82,7 +81,6 @@ static const char *const commands_help =
  "   wps_ap_pin <cmd> [params..]  enable/disable AP PIN\n"
  "   wps_config <SSID> <auth> <encr> <key>  configure AP\n"
  "   wps_get_status       show current WPS status\n"
@@ -16,7 +16,7 @@
  "   get_config           show current configuration\n"
  "   help                 show this usage help\n"
  "   interface [ifname]   show interfaces/select interface\n"
-@@ -353,7 +351,6 @@ static int hostapd_cli_cmd_sa_query(stru
+@@ -418,7 +416,6 @@ static int hostapd_cli_cmd_sa_query(stru
  #endif /* CONFIG_IEEE80211W */
  
  
@@ -24,7 +24,7 @@
  static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
                                   char *argv[])
  {
-@@ -579,7 +576,6 @@ static int hostapd_cli_cmd_wps_config(st
+@@ -644,7 +641,6 @@ static int hostapd_cli_cmd_wps_config(st
                         ssid_hex, argv[1]);
        return wpa_ctrl_command(ctrl, buf);
  }
@@ -32,7 +32,7 @@
  
  
  static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
-@@ -1027,7 +1023,6 @@ static struct hostapd_cli_cmd hostapd_cl
+@@ -1236,7 +1232,6 @@ static const struct hostapd_cli_cmd host
  #ifdef CONFIG_IEEE80211W
        { "sa_query", hostapd_cli_cmd_sa_query },
  #endif /* CONFIG_IEEE80211W */
@@ -40,7 +40,7 @@
        { "wps_pin", hostapd_cli_cmd_wps_pin },
        { "wps_check_pin", hostapd_cli_cmd_wps_check_pin },
        { "wps_pbc", hostapd_cli_cmd_wps_pbc },
-@@ -1041,7 +1036,6 @@ static struct hostapd_cli_cmd hostapd_cl
+@@ -1250,7 +1245,6 @@ static const struct hostapd_cli_cmd host
        { "wps_ap_pin", hostapd_cli_cmd_wps_ap_pin },
        { "wps_config", hostapd_cli_cmd_wps_config },
        { "wps_get_status", hostapd_cli_cmd_wps_get_status },
index 874ff4b..256f6b5 100644 (file)
@@ -1,13 +1,12 @@
 --- a/wpa_supplicant/wpa_cli.c
 +++ b/wpa_supplicant/wpa_cli.c
-@@ -26,6 +26,10 @@
+@@ -25,6 +25,9 @@
+ #include <cutils/properties.h>
  #endif /* ANDROID */
  
 +#ifndef CONFIG_P2P
 +#define CONFIG_P2P
 +#endif
-+
- static const char *wpa_cli_version =
+ static const char *const wpa_cli_version =
  "wpa_cli v" VERSION_STR "\n"
- "Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors";
diff --git a/package/network/services/hostapd/patches/440-max_num_sta_probe.patch b/package/network/services/hostapd/patches/440-max_num_sta_probe.patch
deleted file mode 100644 (file)
index 74aef26..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/src/ap/beacon.c
-+++ b/src/ap/beacon.c
-@@ -664,6 +664,10 @@ void handle_probe_req(struct hostapd_dat
-               return;
-       }
-+      if (!sta && hapd->num_sta >= hapd->conf->max_num_sta)
-+              wpa_printf(MSG_MSGDUMP, "Probe Request from " MACSTR " ignored,"
-+                         " too many connected stations.", MAC2STR(mgmt->sa));
-+
- #ifdef CONFIG_INTERWORKING
-       if (hapd->conf->interworking &&
-           elems.interworking && elems.interworking_len >= 1) {
index 87ebd45..78cf306 100644 (file)
@@ -1,6 +1,6 @@
 --- a/hostapd/main.c
 +++ b/hostapd/main.c
-@@ -36,6 +36,8 @@ struct hapd_global {
+@@ -37,6 +37,8 @@ struct hapd_global {
  };
  
  static struct hapd_global global;
@@ -9,7 +9,7 @@
  
  
  #ifndef CONFIG_NO_HOSTAPD_LOGGER
-@@ -142,6 +144,14 @@ static void hostapd_logger_cb(void *ctx,
+@@ -143,6 +145,14 @@ static void hostapd_logger_cb(void *ctx,
  }
  #endif /* CONFIG_NO_HOSTAPD_LOGGER */
  
@@ -24,7 +24,7 @@
  
  /**
   * hostapd_driver_init - Preparate driver interface
-@@ -160,6 +170,8 @@ static int hostapd_driver_init(struct ho
+@@ -161,6 +171,8 @@ static int hostapd_driver_init(struct ho
                return -1;
        }
  
@@ -33,7 +33,7 @@
        /* Initialize the driver interface */
        if (!(b[0] | b[1] | b[2] | b[3] | b[4] | b[5]))
                b = NULL;
-@@ -381,8 +393,6 @@ static void hostapd_global_deinit(const
+@@ -401,8 +413,6 @@ static void hostapd_global_deinit(const
  #endif /* CONFIG_NATIVE_WINDOWS */
  
        eap_server_unregister_methods();
  }
  
  
-@@ -408,11 +418,6 @@ static int hostapd_global_run(struct hap
+@@ -428,18 +438,6 @@ static int hostapd_global_run(struct hap
        }
  #endif /* EAP_SERVER_TNC */
  
--      if (daemonize && os_daemonize(pid_file)) {
--              wpa_printf(MSG_ERROR, "daemon: %s", strerror(errno));
--              return -1;
+-      if (daemonize) {
+-              if (os_daemonize(pid_file)) {
+-                      wpa_printf(MSG_ERROR, "daemon: %s", strerror(errno));
+-                      return -1;
+-              }
+-              if (eloop_sock_requeue()) {
+-                      wpa_printf(MSG_ERROR, "eloop_sock_requeue: %s",
+-                                 strerror(errno));
+-                      return -1;
+-              }
 -      }
 -
        eloop_run();
  
        return 0;
-@@ -542,8 +547,7 @@ int main(int argc, char *argv[])
+@@ -638,8 +636,7 @@ int main(int argc, char *argv[])
        struct hapd_interfaces interfaces;
        int ret = 1;
        size_t i, j;
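Review bot: The refreshed hunk in hostapd_global_run deletes the `eloop_sock_requeue()` call along with `os_daemonize(pid_file)`, and the code that takes over daemonizing is not among the visible lines. If the relocated path calls only `os_daemonize()`, the requeue step that upstream runs after the fork is lost, and a failure there is no longer logged or returned. The replacement should keep both steps, for example `if (os_daemonize(pid_file) || eloop_sock_requeue())`, and report `strerror(errno)` as the removed block did.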
index 217e701..ec84b9a 100644 (file)
@@ -20,9 +20,9 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
  
 +#include "drivers/nl80211_copy.h"
  #include "common/defs.h"
+ #include "common/ieee802_11_defs.h"
  #include "utils/list.h"
-@@ -538,6 +539,9 @@ struct wpa_driver_associate_params {
+@@ -587,6 +588,9 @@ struct wpa_driver_associate_params {
         * responsible for selecting with which BSS to associate. */
        const u8 *bssid;
  
@@ -34,15 +34,15 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
         *
 --- a/wpa_supplicant/config.c
 +++ b/wpa_supplicant/config.c
-@@ -15,6 +15,7 @@
- #include "rsn_supp/wpa.h"
+@@ -16,6 +16,7 @@
  #include "eap_peer/eap.h"
  #include "p2p/p2p.h"
+ #include "fst/fst.h"
 +#include "drivers/nl80211_copy.h"
  #include "config.h"
  
  
-@@ -1722,6 +1723,97 @@ static char * wpa_config_write_mesh_basi
+@@ -1816,6 +1817,97 @@ static char * wpa_config_write_mesh_basi
  #endif /* CONFIG_MESH */
  
  
@@ -140,7 +140,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
  /* Helper macros for network block parser */
  
  #ifdef OFFSET
-@@ -1947,6 +2039,9 @@ static const struct parse_data ssid_fiel
+@@ -2047,6 +2139,9 @@ static const struct parse_data ssid_fiel
        { INT(ap_max_inactivity) },
        { INT(dtim_period) },
        { INT(beacon_int) },
@@ -158,9 +158,9 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
  #include "eap_peer/eap_config.h"
 +#include "drivers/nl80211_copy.h"
  
- #define MAX_SSID_LEN 32
  
-@@ -675,6 +676,9 @@ struct wpa_ssid {
+ #define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
+@@ -711,6 +712,9 @@ struct wpa_ssid {
         */
        void *parent_cred;
  
@@ -172,7 +172,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
         * macsec_policy - Determines the policy for MACsec secure session
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
-@@ -2266,6 +2266,13 @@ static void wpas_start_assoc_cb(struct w
+@@ -2510,6 +2510,13 @@ static void wpas_start_assoc_cb(struct w
                        params.beacon_int = ssid->beacon_int;
                else
                        params.beacon_int = wpa_s->conf->beacon_int;
index 730cc31..459bdb9 100644 (file)
@@ -10,7 +10,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
 
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -4398,7 +4398,7 @@ static int wpa_driver_nl80211_ibss(struc
+@@ -4644,7 +4644,7 @@ static int wpa_driver_nl80211_ibss(struc
                                   struct wpa_driver_associate_params *params)
  {
        struct nl_msg *msg;
@@ -19,7 +19,7 @@ Signed-hostap: Antonio Quartulli <ordex@autistici.org>
        int count = 0;
  
        wpa_printf(MSG_DEBUG, "nl80211: Join IBSS (ifindex=%d)", drv->ifindex);
-@@ -4425,6 +4425,37 @@ retry:
+@@ -4671,6 +4671,37 @@ retry:
            nl80211_put_beacon_int(msg, params->beacon_int))
                goto fail;
  
index 30bb2dc..e2bd37d 100644 (file)
@@ -16,7 +16,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
 
 --- a/src/drivers/driver.h
 +++ b/src/drivers/driver.h
-@@ -541,6 +541,8 @@ struct wpa_driver_associate_params {
+@@ -590,6 +590,8 @@ struct wpa_driver_associate_params {
  
        unsigned char rates[NL80211_MAX_SUPP_RATES];
        int mcast_rate;
@@ -27,7 +27,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
         * bssid_hint - BSSID of a proposed AP
 --- a/src/drivers/driver_nl80211.c
 +++ b/src/drivers/driver_nl80211.c
-@@ -4456,6 +4456,22 @@ retry:
+@@ -4702,6 +4702,22 @@ retry:
                nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, params->mcast_rate);
        }
  
@@ -52,7 +52,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
                goto fail;
 --- a/wpa_supplicant/config.c
 +++ b/wpa_supplicant/config.c
-@@ -1754,6 +1754,71 @@ static char * wpa_config_write_mcast_rat
+@@ -1848,6 +1848,71 @@ static char * wpa_config_write_mcast_rat
  }
  #endif /* NO_CONFIG_WRITE */
  
@@ -124,7 +124,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
  static int wpa_config_parse_rates(const struct parse_data *data,
                                  struct wpa_ssid *ssid, int line,
                                  const char *value)
-@@ -2042,6 +2107,7 @@ static const struct parse_data ssid_fiel
+@@ -2142,6 +2207,7 @@ static const struct parse_data ssid_fiel
        { INT_RANGE(fixed_freq, 0, 1) },
        { FUNC(rates) },
        { FUNC(mcast_rate) },
@@ -134,7 +134,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
  #endif /* CONFIG_MACSEC */
 --- a/wpa_supplicant/config_ssid.h
 +++ b/wpa_supplicant/config_ssid.h
-@@ -678,6 +678,8 @@ struct wpa_ssid {
+@@ -714,6 +714,8 @@ struct wpa_ssid {
  
        unsigned char rates[NL80211_MAX_SUPP_RATES];
        double mcast_rate;
@@ -145,7 +145,7 @@ Signed-off-by: Antonio Quartulli <ordex@autistici.org>
        /**
 --- a/wpa_supplicant/wpa_supplicant.c
 +++ b/wpa_supplicant/wpa_supplicant.c
-@@ -2273,6 +2273,8 @@ static void wpas_start_assoc_cb(struct w
+@@ -2517,6 +2517,8 @@ static void wpas_start_assoc_cb(struct w
                        i++;
                }
                params.mcast_rate = ssid->mcast_rate;
diff --git a/package/network/services/hostapd/patches/470-wait-for-nullfunc-longer.patch b/package/network/services/hostapd/patches/470-wait-for-nullfunc-longer.patch
deleted file mode 100644 (file)
index e6bbddd..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/ap/sta_info.h
-+++ b/src/ap/sta_info.h
-@@ -179,7 +179,7 @@ struct sta_info {
-  * AP_DISASSOC_DELAY seconds. Similarly, the station will be deauthenticated
-  * after AP_DEAUTH_DELAY seconds has passed after disassociation. */
- #define AP_MAX_INACTIVITY (5 * 60)
--#define AP_DISASSOC_DELAY (1)
-+#define AP_DISASSOC_DELAY (3)
- #define AP_DEAUTH_DELAY (1)
- /* Number of seconds to keep STA entry with Authenticated flag after it has
-  * been disassociated. */
index df2eac8..55da4b6 100644 (file)
@@ -1,6 +1,6 @@
 --- a/hostapd/Makefile
 +++ b/hostapd/Makefile
-@@ -121,6 +121,11 @@ OBJS += ../src/common/hw_features_common
+@@ -157,6 +157,11 @@ OBJS += ../src/common/hw_features_common
  
  OBJS += ../src/eapol_auth/eapol_auth_sm.o
  
@@ -22,7 +22,7 @@
  
  struct wpa_ctrl_dst;
  struct radius_server_data;
-@@ -103,6 +104,7 @@ struct hostapd_data {
+@@ -118,6 +119,7 @@ struct hostapd_data {
        struct hostapd_iface *iface;
        struct hostapd_config *iconf;
        struct hostapd_bss_config *conf;
@@ -30,7 +30,7 @@
        int interface_added; /* virtual interface added for this BSS */
        unsigned int started:1;
        unsigned int disabled:1;
-@@ -286,6 +288,8 @@ struct hostapd_iface {
+@@ -323,6 +325,8 @@ struct hostapd_iface {
        struct hostapd_config *conf;
        char phy[16]; /* Name of the PHY (radio) */
  
@@ -41,7 +41,7 @@
                HAPD_IFACE_DISABLED,
 --- /dev/null
 +++ b/src/ap/ubus.c
-@@ -0,0 +1,511 @@
+@@ -0,0 +1,536 @@
 +/*
 + * hostapd / ubus support
 + * Copyright (c) 2013, Felix Fietkau <nbd@openwrt.org>
@@ -58,6 +58,8 @@
 +#include "wps_hostapd.h"
 +#include "sta_info.h"
 +#include "ubus.h"
++#include "ap_drv_ops.h"
++#include "beacon.h"
 +
 +static struct ubus_context *ctx;
 +static struct blob_buf b;
 +{
 +      struct blob_attr *tb[__VENDOR_ELEMENTS_MAX];
 +      struct hostapd_data *hapd = get_hapd_from_object(obj);
++      struct hostapd_bss_config *bss = hapd->conf;
++      struct wpabuf *elems;
++      const char *pos;
++      size_t len;
 +
 +      blobmsg_parse(ve_policy, __VENDOR_ELEMENTS_MAX, tb,
 +                    blob_data(msg), blob_len(msg));
 +      if (!tb[VENDOR_ELEMENTS])
 +              return UBUS_STATUS_INVALID_ARGUMENT;
 +
-+      const char *vendor_elements = blobmsg_data(tb[VENDOR_ELEMENTS]);
-+      if (hostapd_set_iface(hapd->iconf, hapd->conf, "vendor_elements",
-+                            vendor_elements) != 0)
-+              return UBUS_STATUS_NOT_SUPPORTED;
++      pos = blobmsg_data(tb[VENDOR_ELEMENTS]);
++      len = os_strlen(pos);
++      if (len & 0x01)
++                      return UBUS_STATUS_INVALID_ARGUMENT;
++
++      len /= 2;
++      if (len == 0) {
++              wpabuf_free(bss->vendor_elements);
++              bss->vendor_elements = NULL;
++              return 0;
++      }
++
++      elems = wpabuf_alloc(len);
++      if (elems == NULL)
++              return 1;
++
++      if (hexstr2bin(pos, wpabuf_put(elems, len), len)) {
++              wpabuf_free(elems);
++              return UBUS_STATUS_INVALID_ARGUMENT;
++      }
++
++      wpabuf_free(bss->vendor_elements);
++      bss->vendor_elements = elems;
 +
 +      /* update beacons if vendor elements were set successfully */
 +      if (ieee802_11_update_beacons(hapd->iface) != 0)
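Review bot: The empty-string branch of the rewritten vendor-elements handler frees `bss->vendor_elements` and returns before the `ieee802_11_update_beacons()` call below it, so clearing the elements does not appear to reach the beacon until something else triggers an update. I would drop the early `return 0;` and let the clear case fall through to the beacon update. The allocation-failure path returns a bare `1`, which ubus callers read as `UBUS_STATUS_INVALID_COMMAND`; `return UBUS_STATUS_UNKNOWN_ERROR;` says what happened. `hexstr2bin()` only checks that the input is hex, so the bytes go into beacons without a check that they form well-formed elements (id and length); if that is intended, a one-line comment saying so would help. The function's signature and its tail are outside this hunk.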
 +#endif
 --- a/src/ap/hostapd.c
 +++ b/src/ap/hostapd.c
-@@ -277,6 +277,7 @@ static void hostapd_free_hapd_data(struc
+@@ -284,6 +284,7 @@ static void hostapd_free_hapd_data(struc
        hapd->started = 0;
  
        wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
        iapp_deinit(hapd->iapp);
        hapd->iapp = NULL;
        accounting_deinit(hapd);
-@@ -1098,6 +1099,8 @@ static int hostapd_setup_bss(struct host
+@@ -1139,6 +1140,8 @@ static int hostapd_setup_bss(struct host
        if (hapd->driver && hapd->driver->set_operstate)
                hapd->driver->set_operstate(hapd->drv_priv, 1);
  
        return 0;
  }
  
-@@ -1384,6 +1387,7 @@ int hostapd_setup_interface_complete(str
+@@ -1664,6 +1667,7 @@ static int hostapd_setup_interface_compl
        if (err)
                goto fail;
  
        wpa_printf(MSG_DEBUG, "Completing interface initialization");
        if (iface->conf->channel) {
  #ifdef NEED_AP_MLME
-@@ -1544,6 +1548,7 @@ dfs_offload:
+@@ -1844,6 +1848,7 @@ dfs_offload:
  
  fail:
        wpa_printf(MSG_ERROR, "Interface initialization failed");
 +      hostapd_ubus_free_iface(iface);
        hostapd_set_state(iface, HAPD_IFACE_DISABLED);
        wpa_msg(hapd->msg_ctx, MSG_INFO, AP_EVENT_DISABLED);
-       if (iface->interfaces && iface->interfaces->terminate_on_error)
-@@ -1873,6 +1878,7 @@ void hostapd_interface_deinit_free(struc
+ #ifdef CONFIG_FST
+@@ -2277,6 +2282,7 @@ void hostapd_interface_deinit_free(struc
                   (unsigned int) iface->conf->num_bss);
        driver = iface->bss[0]->driver;
        drv_priv = iface->bss[0]->drv_priv;
                   __func__, driver, drv_priv);
 --- a/src/ap/ieee802_11.c
 +++ b/src/ap/ieee802_11.c
-@@ -881,7 +881,8 @@ int auth_sae_init_committed(struct hosta
+@@ -980,7 +980,8 @@ int auth_sae_init_committed(struct hosta
  
  
  static void handle_auth(struct hostapd_data *hapd,
  {
        u16 auth_alg, auth_transaction, status_code;
        u16 resp = WLAN_STATUS_SUCCESS;
-@@ -897,6 +898,11 @@ static void handle_auth(struct hostapd_d
+@@ -996,6 +997,11 @@ static void handle_auth(struct hostapd_d
        char *identity = NULL;
        char *radius_cui = NULL;
        u16 seq_ctrl;
 +              .frame_info = fi,
 +      };
  
-       if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
-               wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
-@@ -983,6 +989,14 @@ static void handle_auth(struct hostapd_d
+       os_memset(&vlan_id, 0, sizeof(vlan_id));
+@@ -1149,6 +1155,14 @@ static void handle_auth(struct hostapd_d
                resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
                goto fail;
        }
        if (res == HOSTAPD_ACL_PENDING) {
                wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
                           " waiting for an external authentication",
-@@ -1694,13 +1708,18 @@ static void send_assoc_resp(struct hosta
+@@ -2033,13 +2047,18 @@ static u16 send_assoc_resp(struct hostap
  
  static void handle_assoc(struct hostapd_data *hapd,
                         const struct ieee80211_mgmt *mgmt, size_t len,
 +                       int reassoc, struct hostapd_frame_info *fi)
  {
        u16 capab_info, listen_interval, seq_ctrl, fc;
-       u16 resp = WLAN_STATUS_SUCCESS;
+       u16 resp = WLAN_STATUS_SUCCESS, reply_res;
        const u8 *pos;
        int left, i;
        struct sta_info *sta;
  
        if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
                                      sizeof(mgmt->u.assoc_req))) {
-@@ -1820,6 +1839,13 @@ static void handle_assoc(struct hostapd_
-               goto fail;
+@@ -2159,6 +2178,13 @@ static void handle_assoc(struct hostapd_
        }
+ #endif /* CONFIG_MBO */
  
 +      if (hostapd_ubus_handle_event(hapd, &req)) {
 +              wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
 +              goto fail;
 +      }
 +
-       sta->capability = capab_info;
-       sta->listen_interval = listen_interval;
-@@ -2236,7 +2262,7 @@ int ieee802_11_mgmt(struct hostapd_data
+       /*
+        * sta->capability is used in check_assoc_ies() for RRM enabled
+        * capability element.
+@@ -2639,7 +2665,7 @@ int ieee802_11_mgmt(struct hostapd_data
  
  
        if (stype == WLAN_FC_STYPE_PROBE_REQ) {
                return 1;
        }
  
-@@ -2251,17 +2277,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -2657,17 +2683,17 @@ int ieee802_11_mgmt(struct hostapd_data
        switch (stype) {
        case WLAN_FC_STYPE_AUTH:
                wpa_printf(MSG_DEBUG, "mgmt::auth");
        case WLAN_FC_STYPE_DISASSOC:
 --- a/src/ap/beacon.c
 +++ b/src/ap/beacon.c
-@@ -542,7 +542,7 @@ static enum ssid_match_result ssid_match
+@@ -675,7 +675,7 @@ sta_track_seen_on(struct hostapd_iface *
  
  void handle_probe_req(struct hostapd_data *hapd,
                      const struct ieee80211_mgmt *mgmt, size_t len,
  {
        u8 *resp;
        struct ieee802_11_elems elems;
-@@ -550,8 +550,14 @@ void handle_probe_req(struct hostapd_dat
-       size_t ie_len;
-       struct sta_info *sta = NULL;
+@@ -684,9 +684,15 @@ void handle_probe_req(struct hostapd_dat
        size_t i, resp_len;
-+      int ssi_signal = fi->ssi_signal;
        int noack;
        enum ssid_match_result res;
++      int ssi_signal = fi->ssi_signal;
+       int ret;
+       u16 csa_offs[2];
+       size_t csa_offs_len;
 +      struct hostapd_ubus_request req = {
 +              .type = HOSTAPD_UBUS_PROBE_REQ,
 +              .mgmt_frame = mgmt,
 +              .frame_info = fi,
 +      };
  
-       ie = mgmt->u.probe_req.variable;
-       if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
-@@ -710,6 +716,12 @@ void handle_probe_req(struct hostapd_dat
+       if (len < IEEE80211_HDRLEN)
+               return;
+@@ -838,6 +844,12 @@ void handle_probe_req(struct hostapd_dat
        }
  #endif /* CONFIG_P2P */
  
  int ieee802_11_update_beacons(struct hostapd_iface *iface);
 --- a/src/ap/drv_callbacks.c
 +++ b/src/ap/drv_callbacks.c
-@@ -49,6 +49,10 @@ int hostapd_notif_assoc(struct hostapd_d
+@@ -52,6 +52,10 @@ int hostapd_notif_assoc(struct hostapd_d
        u16 reason = WLAN_REASON_UNSPECIFIED;
        u16 status = WLAN_STATUS_SUCCESS;
        const u8 *p2p_dev_addr = NULL;
  
        if (addr == NULL) {
                /*
-@@ -113,6 +117,12 @@ int hostapd_notif_assoc(struct hostapd_d
+@@ -124,6 +128,12 @@ int hostapd_notif_assoc(struct hostapd_d
+               goto fail;
        }
-       sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
  
 +      if (hostapd_ubus_handle_event(hapd, &req)) {
 +              wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
diff --git a/package/network/services/hostapd/patches/901-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch b/package/network/services/hostapd/patches/901-v2.6-0001-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch
new file mode 100644 (file)
index 0000000..7276848
--- /dev/null
@@ -0,0 +1,174 @@
+From cf4cab804c7afd5c45505528a8d16e46163243a2 Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 14 Jul 2017 15:15:35 +0200
+Subject: [PATCH 1/8] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/ap/ieee802_11.c  | 16 +++++++++++++---
+ src/ap/wpa_auth.c    | 11 +++++++++++
+ src/ap/wpa_auth.h    |  3 ++-
+ src/ap/wpa_auth_ft.c | 10 ++++++++++
+ src/ap/wpa_auth_i.h  |  1 +
+ 5 files changed, 37 insertions(+), 4 deletions(-)
+
+diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
+index 4e04169..333035f 100644
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -1841,6 +1841,7 @@ static int add_associated_sta(struct hostapd_data *hapd,
+ {
+       struct ieee80211_ht_capabilities ht_cap;
+       struct ieee80211_vht_capabilities vht_cap;
++      int set = 1;
+       /*
+        * Remove the STA entry to ensure the STA PS state gets cleared and
+@@ -1848,9 +1849,18 @@ static int add_associated_sta(struct hostapd_data *hapd,
+        * FT-over-the-DS, where a station re-associates back to the same AP but
+        * skips the authentication flow, or if working with a driver that
+        * does not support full AP client state.
++       *
++       * Skip this if the STA has already completed FT reassociation and the
++       * TK has been configured since the TX/RX PN must not be reset to 0 for
++       * the same key.
+        */
+-      if (!sta->added_unassoc)
++      if (!sta->added_unassoc &&
++          (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++           !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+               hostapd_drv_sta_remove(hapd, sta->addr);
++              wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
++              set = 0;
++      }
+ #ifdef CONFIG_IEEE80211N
+       if (sta->flags & WLAN_STA_HT)
+@@ -1873,11 +1883,11 @@ static int add_associated_sta(struct hostapd_data *hapd,
+                           sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
+                           sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
+                           sta->vht_opmode, sta->p2p_ie ? 1 : 0,
+-                          sta->added_unassoc)) {
++                          set)) {
+               hostapd_logger(hapd, sta->addr,
+                              HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
+                              "Could not %s STA to kernel driver",
+-                             sta->added_unassoc ? "set" : "add");
++                             set ? "set" : "add");
+               if (sta->added_unassoc) {
+                       hostapd_drv_sta_remove(hapd, sta->addr);
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 3587086..707971d 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1745,6 +1745,9 @@ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event)
+ #else /* CONFIG_IEEE80211R */
+               break;
+ #endif /* CONFIG_IEEE80211R */
++      case WPA_DRV_STA_REMOVED:
++              sm->tk_already_set = FALSE;
++              return 0;
+       }
+ #ifdef CONFIG_IEEE80211R
+@@ -3250,6 +3253,14 @@ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm)
+ }
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
++{
++      if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
++              return 0;
++      return sm->tk_already_set;
++}
++
++
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+                            struct rsn_pmksa_cache_entry *entry)
+ {
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
+index 0de8d97..97461b0 100644
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -267,7 +267,7 @@ void wpa_receive(struct wpa_authenticator *wpa_auth,
+                u8 *data, size_t data_len);
+ enum wpa_event {
+       WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-      WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++      WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ };
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
+@@ -280,6 +280,7 @@ int wpa_auth_pairwise_set(struct wpa_state_machine *sm);
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+                            struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
+diff --git a/src/ap/wpa_auth_ft.c b/src/ap/wpa_auth_ft.c
+index 42242a5..e63b99a 100644
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -780,6 +780,14 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+               return;
+       }
++      if (sm->tk_already_set) {
++              /* Must avoid TK reconfiguration to prevent clearing of TX/RX
++               * PN in the driver */
++              wpa_printf(MSG_DEBUG,
++                         "FT: Do not re-install same PTK to the driver");
++              return;
++      }
++
+       /* FIX: add STA entry to kernel/driver here? The set_key will fail
+        * most likely without this.. At the moment, STA entry is added only
+        * after association has been completed. This function will be called
+@@ -792,6 +800,7 @@ void wpa_ft_install_ptk(struct wpa_state_machine *sm)
+       /* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+       sm->pairwise_set = TRUE;
++      sm->tk_already_set = TRUE;
+ }
+@@ -898,6 +907,7 @@ static int wpa_ft_process_auth_req(struct wpa_state_machine *sm,
+       sm->pairwise = pairwise;
+       sm->PTK_valid = TRUE;
++      sm->tk_already_set = FALSE;
+       wpa_ft_install_ptk(sm);
+       buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
+index 72b7eb3..7fd8f05 100644
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -65,6 +65,7 @@ struct wpa_state_machine {
+       struct wpa_ptk PTK;
+       Boolean PTK_valid;
+       Boolean pairwise_set;
++      Boolean tk_already_set;
+       int keycount;
+       Boolean Pair;
+       struct wpa_key_replay_counter {
+-- 
+2.7.4
+
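Review bot: `tk_already_set` is added to `struct wpa_state_machine` in src/ap/wpa_auth_i.h without a comment, although the whole fix rests on its lifecycle: set in `wpa_ft_install_ptk()` after the TK is configured, cleared in `wpa_ft_process_auth_req()` and on the new `WPA_DRV_STA_REMOVED` event. I would document it at the field, e.g. `Boolean tk_already_set; /* FT: TK already configured to the driver; cleared on new FT auth and on WPA_DRV_STA_REMOVED */`. One line above `wpa_auth_sta_ft_tk_already_set()` stating that it returns 0 for a NULL state machine or non-FT key management would make the condition in `add_associated_sta()` easier to audit. Since this file is an imported upstream patch, the comments may be better proposed upstream than carried locally.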
diff --git a/package/network/services/hostapd/patches/902-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch b/package/network/services/hostapd/patches/902-v2.6-0002-Prevent-reinstallation-of-an-already-in-use-group-ke.patch
new file mode 100644 (file)
index 0000000..1802d66
--- /dev/null
@@ -0,0 +1,250 @@
+From 927f891007c402fefd1ff384645b3f07597c3ede Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Wed, 12 Jul 2017 16:03:24 +0200
+Subject: [PATCH 2/8] Prevent reinstallation of an already in-use group key
+
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h |  11 +++++
+ src/rsn_supp/wpa.c      | 116 ++++++++++++++++++++++++++++++------------------
+ src/rsn_supp/wpa_i.h    |   4 ++
+ 3 files changed, 87 insertions(+), 44 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index af1d0f0..d200285 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -217,6 +217,17 @@ struct wpa_ptk {
+       size_t tk_len;
+ };
++struct wpa_gtk {
++      u8 gtk[WPA_GTK_MAX_LEN];
++      size_t gtk_len;
++};
++
++#ifdef CONFIG_IEEE80211W
++struct wpa_igtk {
++      u8 igtk[WPA_IGTK_MAX_LEN];
++      size_t igtk_len;
++};
++#endif /* CONFIG_IEEE80211W */
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 3c47879..95bd7be 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -714,6 +714,15 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+       const u8 *_gtk = gd->gtk;
+       u8 gtk_buf[32];
++      /* Detect possible key reinstallation */
++      if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++          os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++              wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++                      "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
++                      gd->keyidx, gd->tx, gd->gtk_len);
++              return 0;
++      }
++
+       wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+       wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+               "WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -748,6 +757,9 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+       }
+       os_memset(gtk_buf, 0, sizeof(gtk_buf));
++      sm->gtk.gtk_len = gd->gtk_len;
++      os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++
+       return 0;
+ }
+@@ -854,6 +866,48 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ }
++#ifdef CONFIG_IEEE80211W
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
++                                     const struct wpa_igtk_kde *igtk)
++{
++      size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
++      u16 keyidx = WPA_GET_LE16(igtk->keyid);
++
++      /* Detect possible key reinstallation */
++      if (sm->igtk.igtk_len == len &&
++          os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++              wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++                      "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
++                      keyidx);
++              return  0;
++      }
++
++      wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++              "WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
++              keyidx, MAC2STR(igtk->pn));
++      wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
++      if (keyidx > 4095) {
++              wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++                      "WPA: Invalid IGTK KeyID %d", keyidx);
++              return -1;
++      }
++      if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
++                         broadcast_ether_addr,
++                         keyidx, 0, igtk->pn, sizeof(igtk->pn),
++                         igtk->igtk, len) < 0) {
++              wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++                      "WPA: Failed to configure IGTK to the driver");
++              return -1;
++      }
++
++      sm->igtk.igtk_len = len;
++      os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++
++      return 0;
++}
++#endif /* CONFIG_IEEE80211W */
++
++
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+                              struct wpa_eapol_ie_parse *ie)
+ {
+@@ -864,30 +918,14 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+       if (ie->igtk) {
+               size_t len;
+               const struct wpa_igtk_kde *igtk;
+-              u16 keyidx;
++
+               len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+               if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+                       return -1;
++
+               igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-              keyidx = WPA_GET_LE16(igtk->keyid);
+-              wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-                      "pn %02x%02x%02x%02x%02x%02x",
+-                      keyidx, MAC2STR(igtk->pn));
+-              wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-                              igtk->igtk, len);
+-              if (keyidx > 4095) {
+-                      wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-                              "WPA: Invalid IGTK KeyID %d", keyidx);
+-                      return -1;
+-              }
+-              if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-                                 broadcast_ether_addr,
+-                                 keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-                                 igtk->igtk, len) < 0) {
+-                      wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-                              "WPA: Failed to configure IGTK to the driver");
++              if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+                       return -1;
+-              }
+       }
+       return 0;
+@@ -2307,7 +2345,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-      int clear_ptk = 1;
++      int clear_keys = 1;
+       if (sm == NULL)
+               return;
+@@ -2333,11 +2371,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+               /* Prepare for the next transition */
+               wpa_ft_prepare_auth_request(sm, NULL);
+-              clear_ptk = 0;
++              clear_keys = 0;
+       }
+ #endif /* CONFIG_IEEE80211R */
+-      if (clear_ptk) {
++      if (clear_keys) {
+               /*
+                * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+                * this is not part of a Fast BSS Transition.
+@@ -2347,6 +2385,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+               os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+               sm->tptk_set = 0;
+               os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++              os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++              os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+       }
+ #ifdef CONFIG_TDLS
+@@ -2877,6 +2919,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+       os_memset(sm->pmk, 0, sizeof(sm->pmk));
+       os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+       os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++      os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++      os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+       os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+       os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -2949,29 +2995,11 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+               os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+       } else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-              struct wpa_igtk_kde igd;
+-              u16 keyidx;
+-
+-              os_memset(&igd, 0, sizeof(igd));
+-              keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-              os_memcpy(igd.keyid, buf + 2, 2);
+-              os_memcpy(igd.pn, buf + 4, 6);
+-
+-              keyidx = WPA_GET_LE16(igd.keyid);
+-              os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-              wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-                              igd.igtk, keylen);
+-              if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-                                 broadcast_ether_addr,
+-                                 keyidx, 0, igd.pn, sizeof(igd.pn),
+-                                 igd.igtk, keylen) < 0) {
+-                      wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-                                 "WNM mode");
+-                      os_memset(&igd, 0, sizeof(igd));
++              const struct wpa_igtk_kde *igtk;
++
++              igtk = (const struct wpa_igtk_kde *) (buf + 2);
++              if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+                       return -1;
+-              }
+-              os_memset(&igd, 0, sizeof(igd));
+ #endif /* CONFIG_IEEE80211W */
+       } else {
+               wpa_printf(MSG_DEBUG, "Unknown element id");
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index f653ba6..afc9e37 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -31,6 +31,10 @@ struct wpa_sm {
+       u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+       int rx_replay_counter_set;
+       u8 request_counter[WPA_REPLAY_COUNTER_LEN];
++      struct wpa_gtk gtk;
++#ifdef CONFIG_IEEE80211W
++      struct wpa_igtk igtk;
++#endif /* CONFIG_IEEE80211W */
+       struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+-- 
+2.7.4
+
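Review bot: In the `WNM_SLEEP_SUBELEM_IGTK` branch of `wpa_wnmsleep_install_key()`, the KDE is now read in place through `(const struct wpa_igtk_kde *) (buf + 2)`, and `wpa_supplicant_install_igtk()` then compares and copies `wpa_cipher_key_len(sm->mgmt_group_cipher)` bytes from it. The EAPOL path checks `ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len` before the call, but no equivalent length check is visible on the WNM-Sleep path in this hunk. If the caller already validates the subelement length, a comment at the cast stating that precondition would make it auditable, e.g. `/* caller has verified buf holds keyid + pn + IGTK of the negotiated length */`. The new `os_memcpy()` calls into `sm->gtk.gtk` and `sm->igtk.igtk` likewise rely on the length never exceeding `WPA_GTK_MAX_LEN` / `WPA_IGTK_MAX_LEN`, which is presumably guaranteed elsewhere but is not checked here. The bodies of these functions extend beyond the lines the patch shows.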
diff --git a/package/network/services/hostapd/patches/903-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch b/package/network/services/hostapd/patches/903-v2.6-0003-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch
new file mode 100644 (file)
index 0000000..e2937b8
--- /dev/null
@@ -0,0 +1,184 @@
+From 8280294e74846ea342389a0cd17215050fa5afe8 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:12:24 +0300
+Subject: [PATCH 3/8] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
+ Mode cases
+
+This extends the protection to track last configured GTK/IGTK value
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
+corner case where these two different mechanisms may get used when the
+GTK/IGTK has changed and tracking a single value is not sufficient to
+detect a possible key reconfiguration.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c   | 53 +++++++++++++++++++++++++++++++++++++---------------
+ src/rsn_supp/wpa_i.h |  2 ++
+ 2 files changed, 40 insertions(+), 15 deletions(-)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 95bd7be..7a2c68d 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -709,14 +709,17 @@ struct wpa_gtk_data {
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+                                     const struct wpa_gtk_data *gd,
+-                                    const u8 *key_rsc)
++                                    const u8 *key_rsc, int wnm_sleep)
+ {
+       const u8 *_gtk = gd->gtk;
+       u8 gtk_buf[32];
+       /* Detect possible key reinstallation */
+-      if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+-          os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++      if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++           os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
++          (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
++           os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
++                     sm->gtk_wnm_sleep.gtk_len) == 0)) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+                       gd->keyidx, gd->tx, gd->gtk_len);
+@@ -757,8 +760,14 @@ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+       }
+       os_memset(gtk_buf, 0, sizeof(gtk_buf));
+-      sm->gtk.gtk_len = gd->gtk_len;
+-      os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++      if (wnm_sleep) {
++              sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
++              os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
++                        sm->gtk_wnm_sleep.gtk_len);
++      } else {
++              sm->gtk.gtk_len = gd->gtk_len;
++              os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++      }
+       return 0;
+ }
+@@ -852,7 +861,7 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+           (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+                                              gtk_len, gtk_len,
+                                              &gd.key_rsc_len, &gd.alg) ||
+-           wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
++           wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "RSN: Failed to install GTK");
+               os_memset(&gd, 0, sizeof(gd));
+@@ -868,14 +877,18 @@ static int wpa_supplicant_pairwise_gtk(struct wpa_sm *sm,
+ #ifdef CONFIG_IEEE80211W
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+-                                     const struct wpa_igtk_kde *igtk)
++                                     const struct wpa_igtk_kde *igtk,
++                                     int wnm_sleep)
+ {
+       size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+       u16 keyidx = WPA_GET_LE16(igtk->keyid);
+       /* Detect possible key reinstallation */
+-      if (sm->igtk.igtk_len == len &&
+-          os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++      if ((sm->igtk.igtk_len == len &&
++           os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
++          (sm->igtk_wnm_sleep.igtk_len == len &&
++           os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++                     sm->igtk_wnm_sleep.igtk_len) == 0)) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+                       keyidx);
+@@ -900,8 +913,14 @@ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+               return -1;
+       }
+-      sm->igtk.igtk_len = len;
+-      os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++      if (wnm_sleep) {
++              sm->igtk_wnm_sleep.igtk_len = len;
++              os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++                        sm->igtk_wnm_sleep.igtk_len);
++      } else {
++              sm->igtk.igtk_len = len;
++              os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++      }
+       return 0;
+ }
+@@ -924,7 +943,7 @@ static int ieee80211w_set_keys(struct wpa_sm *sm,
+                       return -1;
+               igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-              if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++              if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
+                       return -1;
+       }
+@@ -1574,7 +1593,7 @@ static void wpa_supplicant_process_1_of_2(struct wpa_sm *sm,
+       if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
+               key_rsc = null_rsc;
+-      if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
++      if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
+           wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
+               goto failed;
+       os_memset(&gd, 0, sizeof(gd));
+@@ -2386,8 +2405,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+               sm->tptk_set = 0;
+               os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+               os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++              os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+               os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++              os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+       }
+@@ -2920,8 +2941,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+       os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+       os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+       os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++      os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+       os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++      os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+       os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+@@ -2986,7 +3009,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+               wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
+                               gd.gtk, gd.gtk_len);
+-              if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
++              if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
+                       os_memset(&gd, 0, sizeof(gd));
+                       wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
+                                  "WNM mode");
+@@ -2998,7 +3021,7 @@ int wpa_wnmsleep_install_key(struct wpa_sm *sm, u8 subelem_id, u8 *buf)
+               const struct wpa_igtk_kde *igtk;
+               igtk = (const struct wpa_igtk_kde *) (buf + 2);
+-              if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++              if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
+                       return -1;
+ #endif /* CONFIG_IEEE80211W */
+       } else {
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index afc9e37..9a54631 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -32,8 +32,10 @@ struct wpa_sm {
+       int rx_replay_counter_set;
+       u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+       struct wpa_gtk gtk;
++      struct wpa_gtk gtk_wnm_sleep;
+ #ifdef CONFIG_IEEE80211W
+       struct wpa_igtk igtk;
++      struct wpa_igtk igtk_wnm_sleep;
+ #endif /* CONFIG_IEEE80211W */
+       struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+-- 
+2.7.4
+
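Review bot: The new `gtk_wnm_sleep` / `igtk_wnm_sleep` members of `struct wpa_sm` and the `wnm_sleep` argument of `wpa_supplicant_install_gtk()` and `wpa_supplicant_install_igtk()` carry no comment, so the reason for tracking two copies of each group key is recorded only in the commit message. A field comment such as `/* last GTK installed from a WNM-Sleep Mode Response; tracked separately from the EAPOL-Key value so a reinstall is detected on either path */` would keep that intent next to the code. The call sites pass bare `0` and `1`, so a one-line parameter note (`wnm_sleep: 1 when the key comes from a WNM-Sleep Mode Response, 0 for EAPOL-Key`) would make them readable without the patch history. Both install functions continue outside the inner hunks shown here.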
diff --git a/package/network/services/hostapd/patches/904-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch b/package/network/services/hostapd/patches/904-v2.6-0004-Prevent-installation-of-an-all-zero-TK.patch
new file mode 100644 (file)
index 0000000..22ee217
--- /dev/null
@@ -0,0 +1,79 @@
+From 8f82bc94e8697a9d47fa8774dfdaaede1084912c Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH 4/8] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/common/wpa_common.h | 1 +
+ src/rsn_supp/wpa.c      | 5 ++---
+ src/rsn_supp/wpa_i.h    | 1 -
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/src/common/wpa_common.h b/src/common/wpa_common.h
+index d200285..1021ccb 100644
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -215,6 +215,7 @@ struct wpa_ptk {
+       size_t kck_len;
+       size_t kek_len;
+       size_t tk_len;
++      int installed; /* 1 if key has already been installed to driver */
+ };
+ struct wpa_gtk {
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 7a2c68d..0550a41 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -510,7 +510,6 @@ static void wpa_supplicant_process_1_of_4(struct wpa_sm *sm,
+               os_memset(buf, 0, sizeof(buf));
+       }
+       sm->tptk_set = 1;
+-      sm->tk_to_set = 1;
+       kde = sm->assoc_wpa_ie;
+       kde_len = sm->assoc_wpa_ie_len;
+@@ -615,7 +614,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+       enum wpa_alg alg;
+       const u8 *key_rsc;
+-      if (!sm->tk_to_set) {
++      if (sm->ptk.installed) {
+               wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+                       "WPA: Do not re-install same PTK to the driver");
+               return 0;
+@@ -659,7 +658,7 @@ static int wpa_supplicant_install_ptk(struct wpa_sm *sm,
+       /* TK is not needed anymore in supplicant */
+       os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-      sm->tk_to_set = 0;
++      sm->ptk.installed = 1;
+       if (sm->wpa_ptk_rekey) {
+               eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 9a54631..41f371f 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+       struct wpa_ptk ptk, tptk;
+       int ptk_set, tptk_set;
+       unsigned int msg_3_of_4_ok:1;
+-      unsigned int tk_to_set:1;
+       u8 snonce[WPA_NONCE_LEN];
+       u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+       int renew_snonce;
+-- 
+2.7.4
+
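Review bot: None of these hunks shows where `ptk.installed` returns to 0 for a newly derived PTK, yet `wpa_supplicant_install_ptk()` now skips installation on that flag alone. Presumably the flag is reset when the freshly derived `tptk` replaces `sm->ptk`, which only works if the derivation code leaves `installed` at 0; that code is outside the visible lines and should be confirmed. Stating the convention in the field comment would make the invariant explicit for any code that fills a `struct wpa_ptk`, e.g. `int installed; /* 1 if key has already been installed to driver; must be 0 in a newly derived PTK */`. The bodies of `wpa_supplicant_process_1_of_4()` and `wpa_supplicant_install_ptk()` continue outside the hunks.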
diff --git a/package/network/services/hostapd/patches/905-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch b/package/network/services/hostapd/patches/905-v2.6-0005-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch
new file mode 100644 (file)
index 0000000..c19c4c7
--- /dev/null
@@ -0,0 +1,64 @@
+From 12fac09b437a1dc8a0f253e265934a8aaf4d2f8b Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:32:57 +0300
+Subject: [PATCH 5/8] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/ap/wpa_auth.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 707971d..bf10cc1 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1901,6 +1901,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++      if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++              wpa_printf(MSG_ERROR,
++                         "WPA: Failed to get random data for ANonce");
++              sm->Disconnect = TRUE;
++              return -1;
++      }
++      wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++                  WPA_NONCE_LEN);
++      sm->TimeoutCtr = 0;
++      return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+       u8 msk[2 * PMK_LEN];
+@@ -2458,9 +2473,12 @@ SM_STEP(WPA_PTK)
+               SM_ENTER(WPA_PTK, AUTHENTICATION);
+       else if (sm->ReAuthenticationRequest)
+               SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-      else if (sm->PTKRequest)
+-              SM_ENTER(WPA_PTK, PTKSTART);
+-      else switch (sm->wpa_ptk_state) {
++      else if (sm->PTKRequest) {
++              if (wpa_auth_sm_ptk_update(sm) < 0)
++                      SM_ENTER(WPA_PTK, DISCONNECTED);
++              else
++                      SM_ENTER(WPA_PTK, PTKSTART);
++      } else switch (sm->wpa_ptk_state) {
+       case WPA_PTK_INITIALIZE:
+               break;
+       case WPA_PTK_DISCONNECT:
+-- 
+2.7.4
+
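Review bot: `wpa_auth_sm_ptk_update()` has no comment, and its name does not say that it replaces the ANonce, which is the security-relevant effect of the change. A header comment would help, e.g. `/* Generate a fresh ANonce before restarting the 4-way handshake for PTK rekeying; on RNG failure set Disconnect and return -1 */`. It also resets `sm->TimeoutCtr`, which deserves a word in the same comment since the name does not suggest it. In `SM_STEP(WPA_PTK)` the new braced branch is followed by `} else switch (...)`, which is easy to misread; the rest of that function is outside the hunk.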
diff --git a/package/network/services/hostapd/patches/906-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch b/package/network/services/hostapd/patches/906-v2.6-0006-TDLS-Reject-TPK-TK-reconfiguration.patch
new file mode 100644 (file)
index 0000000..e1bd5a5
--- /dev/null
@@ -0,0 +1,132 @@
+From 6c4bed4f47d1960ec04981a9d50e5076aea5223d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH 6/8] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/tdls.c | 38 ++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 36 insertions(+), 2 deletions(-)
+
+diff --git a/src/rsn_supp/tdls.c b/src/rsn_supp/tdls.c
+index e424168..9eb9738 100644
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+               u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+       } tpk;
+       int tpk_set;
++      int tk_set; /* TPK-TK configured to the driver */
+       int tpk_success;
+       int tpk_in_progress;
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+       u8 rsc[6];
+       enum wpa_alg alg;
++      if (peer->tk_set) {
++              /*
++               * This same TPK-TK has already been configured to the driver
++               * and this new configuration attempt (likely due to an
++               * unexpected retransmitted frame) would result in clearing
++               * the TX/RX sequence number which can break security, so must
++               * not allow that to happen.
++               */
++              wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++                         " has already been configured to the driver - do not reconfigure",
++                         MAC2STR(peer->addr));
++              return -1;
++      }
++
+       os_memset(rsc, 0, 6);
+       switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+               return -1;
+       }
++      wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++                 MAC2STR(peer->addr));
+       if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+                          rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+               wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+                          "driver");
+               return -1;
+       }
++      peer->tk_set = 1;
+       return 0;
+ }
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct wpa_sm *sm, struct wpa_tdls_peer *peer)
+       peer->cipher = 0;
+       peer->qos_info = 0;
+       peer->wmm_capable = 0;
+-      peer->tpk_set = peer->tpk_success = 0;
++      peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+       peer->chan_switch_enabled = 0;
+       os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+       os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+               wpa_tdls_peer_free(sm, peer);
+               return -1;
+       }
++      peer->tk_set = 0; /* A new nonce results in a new TK */
+       wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+                   peer->inonce, WPA_NONCE_LEN);
+       os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct wpa_sm *sm, struct wpa_tdls_peer *peer,
+ }
++static int tdls_nonce_set(const u8 *nonce)
++{
++      int i;
++
++      for (i = 0; i < WPA_NONCE_LEN; i++) {
++              if (nonce[i])
++                      return 1;
++      }
++
++      return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+                                  const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+       peer->rsnie_i_len = kde.rsn_ie_len;
+       peer->cipher = cipher;
+-      if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++      if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++          !tdls_nonce_set(peer->inonce)) {
+               /*
+                * There is no point in updating the RNonce for every obtained
+                * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+                               "TDLS: Failed to get random data for responder nonce");
+                       goto error;
+               }
++              peer->tk_set = 0; /* A new nonce results in a new TK */
+       }
+ #if 0
+-- 
+2.7.4
+
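Review bot: `tdls_nonce_set()` reads like a setter but is a predicate that reports whether any octet of the nonce is non-zero. A comment such as `/* Return 1 if the nonce has been generated (any non-zero octet), 0 if it is still all zeros */`, or a name like `tdls_nonce_is_set`, would avoid the confusion. In `wpa_tdls_set_key()` the new `tk_set` guard returns -1, the same value used for a driver failure, so callers cannot tell a refused reconfiguration from a failed one. Whether that matters depends on the callers, which are outside these hunks. The `tk_set` field comment could also note that it is cleared whenever a new local nonce is generated, as the two added `peer->tk_set = 0` lines do.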
diff --git a/package/network/services/hostapd/patches/907-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch b/package/network/services/hostapd/patches/907-v2.6-0007-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch
new file mode 100644 (file)
index 0000000..85ea1d6
--- /dev/null
@@ -0,0 +1,43 @@
+From 53c5eb58e95004f86e65ee9fbfccbc291b139057 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:25:02 +0300
+Subject: [PATCH 7/8] WNM: Ignore WNM-Sleep Mode Response without pending
+ request
+
+Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
+Mode Response if WNM-Sleep Mode has not been used') started ignoring the
+response when no WNM-Sleep Mode Request had been used during the
+association. This can be made tighter by clearing the used flag when
+successfully processing a response. This adds an additional layer of
+protection against unexpected retransmissions of the response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ wpa_supplicant/wnm_sta.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
+index 1b3409c..67a07ff 100644
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+       if (!wpa_s->wnmsleep_used) {
+               wpa_printf(MSG_DEBUG,
+-                         "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
++                         "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
+               return;
+       }
+@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(struct wpa_supplicant *wpa_s,
+               return;
+       }
++      wpa_s->wnmsleep_used = 0;
++
+       if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
+           wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
+               wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "
+-- 
+2.7.4
+
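Review bot: With the added `wpa_s->wnmsleep_used = 0;` the flag now means "a request is pending" rather than "used in this association"; the log text was updated to match, but the field name was not. A comment at the clear site would record the new meaning, e.g. `/* Response consumed: require a new WNM-Sleep Mode Request before accepting another response */`. The flag is cleared before the status check, so a response with a non-accept status also consumes the pending request; that looks intended and is worth stating in the same comment. `ieee802_11_rx_wnmsleep_resp()` starts and ends outside the hunks.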
diff --git a/package/network/services/hostapd/patches/908-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch b/package/network/services/hostapd/patches/908-v2.6-0008-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch
new file mode 100644 (file)
index 0000000..b9678f6
--- /dev/null
@@ -0,0 +1,82 @@
+From b372ab0b7daea719749194dc554b26e6367603f2 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH 8/8] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c    | 3 +++
+ src/rsn_supp/wpa_ft.c | 8 ++++++++
+ src/rsn_supp/wpa_i.h  | 1 +
+ 3 files changed, 12 insertions(+)
+
+diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
+index 0550a41..2a53c6f 100644
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2440,6 +2440,9 @@ void wpa_sm_notify_disassoc(struct wpa_sm *sm)
+ #ifdef CONFIG_TDLS
+       wpa_tdls_disassoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++      sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+       /* Keys are not needed in the WPA state machine anymore */
+       wpa_sm_drop_sa(sm);
+diff --git a/src/rsn_supp/wpa_ft.c b/src/rsn_supp/wpa_ft.c
+index 205793e..d45bb45 100644
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wpa_sm *sm, size_t *len,
+       u16 capab;
+       sm->ft_completed = 0;
++      sm->ft_reassoc_completed = 0;
+       buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+               2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+               return -1;
+       }
++      if (sm->ft_reassoc_completed) {
++              wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++              return 0;
++      }
++
+       if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+               wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+               return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct wpa_sm *sm, const u8 *ies,
+               return -1;
+       }
++      sm->ft_reassoc_completed = 1;
++
+       if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+               return -1;
+diff --git a/src/rsn_supp/wpa_i.h b/src/rsn_supp/wpa_i.h
+index 41f371f..56f88dc 100644
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+       size_t r0kh_id_len;
+       u8 r1kh_id[FT_R1KH_ID_LEN];
+       int ft_completed;
++      int ft_reassoc_completed;
+       int over_the_ds_in_progress;
+       u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+       int set_ptk_after_assoc;
+-- 
+2.7.4
+
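Review bot: `sm->ft_reassoc_completed = 1` is set before `wpa_ft_process_gtk_subelem()`, so if that call fails with -1 the flag stays set and a later Reassociation Response hits the new guard and gets `return 0`. That ordering is what rules out a second key configuration, but it means the guard's success return can follow a failed first attempt. A comment at the guard would make clear that 0 here means "ignored", not "validated", e.g. `/* Return success without touching keys: reconfiguring them could reset packet numbers */`. How callers treat that 0 is not visible in these hunks, and `wpa_ft_validate_reassoc_resp()` continues outside them.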
index 81d8007..d3158b5 100644 (file)
@@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.3.6
-PKG_RELEASE:=5
+PKG_VERSION:=2.3.18
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=http://swupdate.openvpn.net/community/releases
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_MD5SUM:=6ca03fe0fd093e0d01601abee808835c
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_MD5SUM:=844ec9c64aae62051478784b8562f881
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 
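Review bot: The new tarball is still checked only against `PKG_MD5SUM` and fetched from a plain `http://` `PKG_SOURCE_URL`, so the integrity of a security-sensitive package rests on MD5, which is not collision-resistant, over an unauthenticated transport. If the download rules in this branch accept a SHA-256 digest (later OpenWrt trees use `PKG_HASH`), record that instead, taking the value from the upstream release signature or announcement, e.g. `PKG_HASH:=<sha256-of-openvpn-2.3.18.tar.xz>` (placeholder). Switching the URL scheme to `https://` is worth doing as well if the mirror serves it.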
@@ -72,15 +72,13 @@ define Build/Configure
                --disable-systemd \
                --disable-plugins \
                --disable-debug \
-               --disable-eurephia \
                --disable-pkcs11 \
-               --enable-password-save \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_LZO),--enable,--disable)-lzo \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),enable,disable-x509-alt-username)-ssl \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SERVER),--enable,--disable)-server \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MANAGEMENT),--enable,--disable)-management \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_SOCKS),--enable,--disable)-socks \
-               $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http \
+               $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_HTTP),--enable,--disable)-http-proxy \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_FRAGMENT),--enable,--disable)-fragment \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_MULTIHOME),--enable,--disable)-multihome \
                $(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_IPROUTE2),--enable,--disable)-iproute2 \
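Review bot: The `X509_ALT_USERNAME` line kept as context expands to `enable-ssl` or `disable-x509-alt-username-ssl`, neither of which has the leading `--` of the other switches, so the option is apparently never passed to configure as intended. The init-script change in this same commit starts forwarding `x509_username_field`, which depends on that feature. The line should probably read `$(if $(CONFIG_OPENVPN_$(BUILD_VARIANT)_ENABLE_X509_ALT_USERNAME),--enable,--disable)-x509-alt-username \`. Separately, `--enable-password-save` is dropped while the init script still passes `askpass` and `auth_user_pass`; confirm that configure in 2.3.18 does not still default that feature to off. `Build/Configure` starts and ends outside the hunk.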
index 861d0d6..0fcdc7e 100644 (file)
@@ -42,7 +42,8 @@ append_params() {
                config_get v "$s" "$p"
                IFS="$LIST_SEP"
                for v in $v; do
-                       [ -n "$v" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
+                       [ -n "$v" ] && [ "$p" != "push" ] && append_param "$s" "$p" && echo " $v" >> "/var/etc/openvpn-$s.conf"
+                       [ -n "$v" ] && [ "$p" == "push" ] && append_param "$s" "$p" && echo " \"$v\"" >> "/var/etc/openvpn-$s.conf"
                done
                unset IFS
        done
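Review bot: The `push` value is wrapped in double quotes without escaping, so a value containing `"` or a backslash ends the quoted string early and the remainder is parsed as further text in `/var/etc/openvpn-$s.conf`. UCI values are normally set by the administrator, but anything that writes UCI on their behalf (web UI, provisioning) makes this an input-validation boundary. Escaping both characters before the write closes it, e.g. `v=$(printf '%s' "$v" | sed 's/[\\"]/\\&/g')`, assuming the config parser honours backslash escapes inside double quotes; rejecting such values is the alternative. The test `[ "$p" == "push" ]` should use `=`, which is the portable operator for `[`. `append_params()` begins outside the hunk.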
@@ -107,7 +108,7 @@ start_instance() {
 
        # append params
        append_params "$s" \
-               cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert \
+               cd askpass auth auth_retry auth_user_pass auth_user_pass_verify bcast_buffers ca cert capath \
                chroot cipher client_config_dir client_connect client_disconnect comp_lzo connect_freq \
                connect_retry connect_timeout connect_retry_max crl_verify dev dev_node dev_type dh \
                echo engine explicit_exit_notify fragment group hand_window hash_size \
@@ -120,10 +121,11 @@ start_instance() {
                redirect_gateway remap_usr1 remote remote_cert_eku remote_cert_ku remote_cert_tls \
                reneg_bytes reneg_pkts reneg_sec \
                replay_persist replay_window resolv_retry route route_delay route_gateway \
-               route_metric route_up rport script_security secret server server_bridge setenv shaper sndbuf \
-               socks_proxy status status_version syslog tcp_queue_limit tls_auth \
+               route_metric route_pre_down route_up rport script_security secret server server_bridge setenv shaper sndbuf \
+               socks_proxy status status_version syslog tcp_queue_limit tls_auth tls_version_min \
                tls_cipher tls_remote tls_timeout tls_verify tmp_dir topology tran_window \
                tun_mtu tun_mtu_extra txqueuelen user verb down push up \
+               verify_x509_name x509_username_field \
                ifconfig_ipv6 route_ipv6 server_ipv6 ifconfig_ipv6_pool ifconfig_ipv6_push iroute_ipv6
 
        openvpn_add_instance "$s" "/var/etc" "openvpn-$s.conf"
@@ -152,3 +154,7 @@ start_service() {
                fi
        done
 }
+
+service_triggers() {
+       procd_add_reload_trigger openvpn
+}
diff --git a/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch b/package/network/services/openvpn/patches/001-backport_cipher_none_fix.patch
deleted file mode 100644 (file)
index af445e3..0000000
+++ /dev/null
@@ -1,57 +0,0 @@
-commit 98156e90e1e83133a6a6a020db8e7333ada6156b
-Author: Steffan Karger <steffan@karger.me>
-Date:   Tue Dec 2 21:42:00 2014 +0100
-
-    Really fix '--cipher none' regression
-    
-    ... by not incorrectly hinting to the compiler the function argument of
-    cipher_kt_mode_{cbc,ofb_cfb}() is nonnull, since that no longer is the
-    case.
-    
-    Verified the fix on Debian Wheezy, one of the platforms the reporter in
-    trac #473 mentions with a compiler that would optimize out the required
-    checks.
-    
-    Also add a testcase for --cipher none to t_lpback, to prevent further
-    regressions.
-    
-    Signed-off-by: Steffan Karger <steffan@karger.me>
-    Acked-by: Gert Doering <gert@greenie.muc.de>
-    Message-Id: <1417552920-31770-1-git-send-email-steffan@karger.me>
-    URL: http://article.gmane.org/gmane.network.openvpn.devel/9300
-    Signed-off-by: Gert Doering <gert@greenie.muc.de>
-
---- a/src/openvpn/crypto_backend.h
-+++ b/src/openvpn/crypto_backend.h
-@@ -237,8 +237,7 @@ int cipher_kt_mode (const cipher_kt_t *c
-  *
-  * @return            true iff the cipher is a CBC mode cipher.
-  */
--bool cipher_kt_mode_cbc(const cipher_kt_t *cipher)
--  __attribute__((nonnull));
-+bool cipher_kt_mode_cbc(const cipher_kt_t *cipher);
- /**
-  * Check if the supplied cipher is a supported OFB or CFB mode cipher.
-@@ -247,8 +246,7 @@ bool cipher_kt_mode_cbc(const cipher_kt_
-  *
-  * @return            true iff the cipher is a OFB or CFB mode cipher.
-  */
--bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher)
--  __attribute__((nonnull));
-+bool cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher);
- /**
---- a/tests/t_lpback.sh
-+++ b/tests/t_lpback.sh
-@@ -35,6 +35,9 @@ CIPHERS=$(${top_builddir}/src/openvpn/op
- # GD, 2014-07-06 do not test RC5-* either (fails on NetBSD w/o libcrypto_rc5)
- CIPHERS=$(echo "$CIPHERS" | egrep -v '^(DES-EDE3-CFB1|DES-CFB1|RC5-)' )
-+# Also test cipher 'none'
-+CIPHERS=${CIPHERS}$(printf "\nnone")
-+
- "${top_builddir}/src/openvpn/openvpn" --genkey --secret key.$$
- set +e
diff --git a/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/100-polarssl-disable-runtime-version-check.patch
new file mode 100644 (file)
index 0000000..c7955c2
--- /dev/null
@@ -0,0 +1,11 @@
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -1156,7 +1156,7 @@ const char *
+ get_ssl_library_version(void)
+ {
+     static char polar_version[30];
+-    unsigned int pv = version_get_number();
++    unsigned int pv = POLARSSL_VERSION_NUMBER;
+     sprintf( polar_version, "PolarSSL %d.%d.%d",
+               (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
+     return polar_version;
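Review bot: With `POLARSSL_VERSION_NUMBER`, `get_ssl_library_version()` reports the header version the binary was compiled against rather than the library loaded at run time. After the shared library is updated on its own the string goes stale, which misleads anyone using it to judge exposure to a library vulnerability. The patch file has no description, so the reason for dropping `version_get_number()` is not recorded; a short header in the `.patch` stating it, and that the value is now build-time, would help. As cheap hardening the `sprintf` could become `snprintf(polar_version, sizeof(polar_version), ...)`, although the `&0xff` masks keep the current output within the 30-byte buffer.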
diff --git a/package/network/services/openvpn/patches/100-polarssl_compat.h b/package/network/services/openvpn/patches/100-polarssl_compat.h
deleted file mode 100644 (file)
index 4def967..0000000
+++ /dev/null
@@ -1,257 +0,0 @@
---- a/src/openvpn/ssl_polarssl.h
-+++ b/src/openvpn/ssl_polarssl.h
-@@ -38,6 +38,8 @@
- #include <polarssl/pkcs11.h>
- #endif
-+#include <polarssl/compat-1.2.h>
-+
- typedef struct _buffer_entry buffer_entry;
- struct _buffer_entry {
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -46,7 +46,7 @@
- #include "manage.h"
- #include "ssl_common.h"
--#include <polarssl/sha2.h>
-+#include <polarssl/sha256.h>
- #include <polarssl/havege.h>
- #include "ssl_verify_polarssl.h"
-@@ -212,13 +212,13 @@ tls_ctx_load_dh_params (struct tls_root_
- {
-   if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_inline)
-     {
--      if (0 != x509parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
-+      if (0 != dhm_parse_dhm(ctx->dhm_ctx, (const unsigned char *) dh_inline,
-         strlen(dh_inline)))
-       msg (M_FATAL, "Cannot read inline DH parameters");
-   }
- else
-   {
--    if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
-+    if (0 != dhm_parse_dhmfile(ctx->dhm_ctx, dh_file))
-       msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
-   }
-@@ -253,13 +253,13 @@ tls_ctx_load_cert_file (struct tls_root_
-   if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_inline)
-     {
--      if (0 != x509parse_crt(ctx->crt_chain,
-+      if (0 != x509_crt_parse(ctx->crt_chain,
-         (const unsigned char *) cert_inline, strlen(cert_inline)))
-         msg (M_FATAL, "Cannot load inline certificate file");
-     }
-   else
-     {
--      if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
-+      if (0 != x509_crt_parse_file(ctx->crt_chain, cert_file))
-       msg (M_FATAL, "Cannot load certificate file %s", cert_file);
-     }
- }
-@@ -277,7 +277,7 @@ tls_ctx_load_priv_file (struct tls_root_
-       status = x509parse_key(ctx->priv_key,
-         (const unsigned char *) priv_key_inline, strlen(priv_key_inline),
-         NULL, 0);
--      if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
-+      if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
-       {
-         char passbuf[512] = {0};
-         pem_password_callback(passbuf, 512, 0, NULL);
-@@ -289,7 +289,7 @@ tls_ctx_load_priv_file (struct tls_root_
-   else
-     {
-       status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
--      if (POLARSSL_ERR_X509_PASSWORD_REQUIRED == status)
-+      if (POLARSSL_ERR_PK_PASSWORD_REQUIRED == status)
-       {
-         char passbuf[512] = {0};
-         pem_password_callback(passbuf, 512, 0, NULL);
-@@ -480,14 +480,14 @@ void tls_ctx_load_ca (struct tls_root_ct
-   if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_inline)
-     {
--      if (0 != x509parse_crt(ctx->ca_chain, (const unsigned char *) ca_inline,
-+      if (0 != x509_crt_parse(ctx->ca_chain, (const unsigned char *) ca_inline,
-         strlen(ca_inline)))
-       msg (M_FATAL, "Cannot load inline CA certificates");
-     }
-   else
-     {
-       /* Load CA file for verifying peer supplied certificate */
--      if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
-+      if (0 != x509_crt_parse_file(ctx->ca_chain, ca_file))
-       msg (M_FATAL, "Cannot load CA certificate file %s", ca_file);
-     }
- }
-@@ -501,14 +501,14 @@ tls_ctx_load_extra_certs (struct tls_roo
-   if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_inline)
-     {
--      if (0 != x509parse_crt(ctx->crt_chain,
-+      if (0 != x509_crt_parse(ctx->crt_chain,
-         (const unsigned char *) extra_certs_inline,
-         strlen(extra_certs_inline)))
-         msg (M_FATAL, "Cannot load inline extra-certs file");
-     }
-   else
-     {
--      if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
-+      if (0 != x509_crt_parse_file(ctx->crt_chain, extra_certs_file))
-       msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
-     }
- }
-@@ -724,7 +724,7 @@ void key_state_ssl_init(struct key_state
-          external_key_len );
-       else
- #endif
--      ssl_set_own_cert( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
-+      ssl_set_own_cert_rsa( ks_ssl->ctx, ssl_ctx->crt_chain, ssl_ctx->priv_key );
-       /* Initialise SSL verification */
- #if P2MP_SERVER
-@@ -1068,7 +1068,7 @@ print_details (struct key_state_ssl * ks
-   cert = ssl_get_peer_cert(ks_ssl->ctx);
-   if (cert != NULL)
-     {
--      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) cert->rsa.len * 8);
-+      openvpn_snprintf (s2, sizeof (s2), ", " counter_format " bit RSA", (counter_type) pk_rsa(cert->pk)->len * 8);
-     }
-   msg (D_HANDSHAKE, "%s%s", s1, s2);
---- a/src/openvpn/crypto_polarssl.c
-+++ b/src/openvpn/crypto_polarssl.c
-@@ -487,7 +487,12 @@ cipher_ctx_get_cipher_kt (const cipher_c
- int cipher_ctx_reset (cipher_context_t *ctx, uint8_t *iv_buf)
- {
--  return 0 == cipher_reset(ctx, iv_buf);
-+  int retval = cipher_reset(ctx);
-+
-+  if (0 == retval)
-+    cipher_set_iv(ctx, iv_buf, ctx->cipher_info->iv_size);
-+
-+  return 0 == retval;
- }
- int cipher_ctx_update (cipher_context_t *ctx, uint8_t *dst, int *dst_len,
---- a/src/openvpn/ssl_verify_polarssl.h
-+++ b/src/openvpn/ssl_verify_polarssl.h
-@@ -34,6 +34,7 @@
- #include "misc.h"
- #include "manage.h"
- #include <polarssl/x509.h>
-+#include <polarssl/compat-1.2.h>
- #ifndef __OPENVPN_X509_CERT_T_DECLARED
- #define __OPENVPN_X509_CERT_T_DECLARED
---- a/src/openvpn/ssl_verify_polarssl.c
-+++ b/src/openvpn/ssl_verify_polarssl.c
-@@ -40,6 +40,7 @@
- #include "ssl_verify.h"
- #include <polarssl/error.h>
- #include <polarssl/bignum.h>
-+#include <polarssl/oid.h>
- #include <polarssl/sha1.h>
- #define MAX_SUBJECT_LENGTH 256
-@@ -102,7 +103,7 @@ x509_get_username (char *cn, int cn_len,
-   /* Find common name */
-   while( name != NULL )
-   {
--      if( memcmp( name->oid.p, OID_CN, OID_SIZE(OID_CN) ) == 0)
-+      if( memcmp( name->oid.p, OID_AT_CN, OID_SIZE(OID_AT_CN) ) == 0)
-       break;
-       name = name->next;
-@@ -224,60 +225,18 @@ x509_setenv (struct env_set *es, int cer
-   while( name != NULL )
-     {
-       char name_expand[64+8];
-+      const char *shortname;
--      if( name->oid.len == 2 && memcmp( name->oid.p, OID_X520, 2 ) == 0 )
-+      if( 0 == oid_get_attr_short_name(&name->oid, &shortname) )
-       {
--        switch( name->oid.p[2] )
--          {
--          case X520_COMMON_NAME:
--              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_CN",
--                  cert_depth); break;
--
--          case X520_COUNTRY:
--              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_C",
--                  cert_depth); break;
--
--          case X520_LOCALITY:
--              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_L",
--                  cert_depth); break;
--
--          case X520_STATE:
--              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_ST",
--                  cert_depth); break;
--
--          case X520_ORGANIZATION:
--              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_O",
--                  cert_depth); break;
--
--          case X520_ORG_UNIT:
--              openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_OU",
--                  cert_depth); break;
--
--          default:
--              openvpn_snprintf (name_expand, sizeof(name_expand),
--                  "X509_%d_0x%02X", cert_depth, name->oid.p[2]);
--              break;
--          }
-+        openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_%s",
-+            cert_depth, shortname);
-+      }
-+      else
-+      {
-+        openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
-+            cert_depth);
-       }
--      else if( name->oid.len == 8 && memcmp( name->oid.p, OID_PKCS9, 8 ) == 0 )
--        {
--          switch( name->oid.p[8] )
--            {
--              case PKCS9_EMAIL:
--                openvpn_snprintf (name_expand, sizeof(name_expand),
--                    "X509_%d_emailAddress", cert_depth); break;
--
--              default:
--                openvpn_snprintf (name_expand, sizeof(name_expand),
--                    "X509_%d_0x%02X", cert_depth, name->oid.p[8]);
--                break;
--            }
--        }
--      else
--        {
--          openvpn_snprintf (name_expand, sizeof(name_expand), "X509_%d_\?\?",
--              cert_depth);
--        }
-       for( i = 0; i < name->val.len; i++ )
-       {
---- a/configure.ac
-+++ b/configure.ac
-@@ -819,13 +819,13 @@ if test "${with_crypto_library}" = "pola
- #include <polarssl/version.h>
-                       ]],
-                       [[
--#if POLARSSL_VERSION_NUMBER < 0x01020A00 || POLARSSL_VERSION_NUMBER >= 0x01030000
-+#if POLARSSL_VERSION_NUMBER < 0x01030000
- #error invalid version
- #endif
-                       ]]
-               )],
-               [AC_MSG_RESULT([ok])],
--              [AC_MSG_ERROR([PolarSSL 1.2.x required and must be 1.2.10 or later])]
-+              [AC_MSG_ERROR([PolarSSL 1.3.x required])]
-       )
-       polarssl_with_pkcs11="no"
diff --git a/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch b/package/network/services/openvpn/patches/101-backport_upstream_polarssl_debug_call.patch
new file mode 100644 (file)
index 0000000..2155a4c
--- /dev/null
@@ -0,0 +1,33 @@
+openvpn: fix build without POLARSSL_DEBUG_C
+
+Backport of upstream master commit
+b63f98633dbe2ca92cd43fc6f8597ab283a600bf.
+
+Signed-off-by: Magnus Kroken <mkroken@gmail.com>
+
+From b63f98633dbe2ca92cd43fc6f8597ab283a600bf Mon Sep 17 00:00:00 2001
+From: Steffan Karger <steffan@karger.me>
+Date: Tue, 14 Jun 2016 22:00:03 +0200
+Subject: [PATCH] mbedtls: don't set debug threshold if compiled without
+ MBEDTLS_DEBUG_C
+
+For targets with space constraints, one might want to compile mbed TLS
+without MBEDTLS_DEBUG_C defined, to save some tens of kilobytes.  Make
+sure OpenVPN still compiles if that is the case.
+
+Signed-off-by: Steffan Karger <steffan@karger.me>
+Acked-by: Gert Doering <gert@greenie.muc.de>
+Message-Id: <1465934403-22226-1-git-send-email-steffan@karger.me>
+URL: http://article.gmane.org/gmane.network.openvpn.devel/11922
+Signed-off-by: Gert Doering <gert@greenie.muc.de>
+--- a/src/openvpn/ssl_polarssl.c
++++ b/src/openvpn/ssl_polarssl.c
+@@ -747,7 +747,9 @@ void key_state_ssl_init(struct key_state
+   if (polar_ok(ssl_init(ks_ssl->ctx)))
+     {
+       /* Initialise SSL context */
++      #ifdef POLARSSL_DEBUG_C
+       debug_set_threshold(3);
++      #endif
+       ssl_set_dbg (ks_ssl->ctx, my_debug, NULL);
+       ssl_set_endpoint (ks_ssl->ctx, ssl_ctx->endpoint);
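Review bot: The added guard tests `POLARSSL_DEBUG_C`, while the upstream commit quoted in the header is about `MBEDTLS_DEBUG_C`, so this is an adapted backport rather than a verbatim cherry-pick. The header should say so, e.g. `[adapted: MBEDTLS_DEBUG_C -> POLARSSL_DEBUG_C for ssl_polarssl.c]`. Only `debug_set_threshold(3)` is guarded; the following `ssl_set_dbg (ks_ssl->ctx, my_debug, NULL)` stays unconditional, which is presumably fine but worth confirming with a build against a library configured without debug support. key_state_ssl_init continues outside the hunk.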
diff --git a/package/network/services/openvpn/patches/110-musl_compat.patch b/package/network/services/openvpn/patches/110-musl_compat.patch
deleted file mode 100644 (file)
index 566c17f..0000000
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/src/openvpn/syshead.h
-+++ b/src/openvpn/syshead.h
-@@ -214,10 +214,6 @@
- #ifdef TARGET_LINUX
--#if defined(HAVE_NETINET_IF_ETHER_H)
--#include <netinet/if_ether.h>
--#endif
--
- #ifdef HAVE_LINUX_IF_TUN_H
- #include <linux/if_tun.h>
- #endif
diff --git a/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch b/package/network/services/openvpn/patches/120-polarssl-disable-record-splitting.patch
deleted file mode 100644 (file)
index 9e1511b..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-Index: openvpn-2.3.6/src/openvpn/ssl_polarssl.c
-===================================================================
---- openvpn-2.3.6.orig/src/openvpn/ssl_polarssl.c
-+++ openvpn-2.3.6/src/openvpn/ssl_polarssl.c
-@@ -707,6 +707,11 @@ void key_state_ssl_init(struct key_state
-       if (ssl_ctx->allowed_ciphers)
-       ssl_set_ciphersuites (ks_ssl->ctx, ssl_ctx->allowed_ciphers);
-+      /* Disable record splitting (breaks current ssl handling) */
-+#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
-+      ssl_set_cbc_record_splitting (ks_ssl->ctx, SSL_CBC_RECORD_SPLITTING_DISABLED);
-+#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
-+
-       /* Initialise authentication information */
-       if (is_server)
-       ssl_set_dh_param_ctx (ks_ssl->ctx, ssl_ctx->dhm_ctx );
diff --git a/package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch b/package/network/services/openvpn/patches/130-polarssl-disable-runtime-version-check.patch
deleted file mode 100644 (file)
index c97e9f2..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/src/openvpn/ssl_polarssl.c
-+++ b/src/openvpn/ssl_polarssl.c
-@@ -1119,7 +1119,7 @@ const char *
- get_ssl_library_version(void)
- {
-     static char polar_version[30];
--    unsigned int pv = version_get_number();
-+    unsigned int pv = POLARSSL_VERSION_NUMBER;
-     sprintf( polar_version, "PolarSSL %d.%d.%d",
-               (pv>>24)&0xff, (pv>>16)&0xff, (pv>>8)&0xff );
-     return polar_version;
diff --git a/package/network/services/openvpn/patches/200-small_build_enable_occ.patch b/package/network/services/openvpn/patches/200-small_build_enable_occ.patch
new file mode 100644 (file)
index 0000000..eef4da2
--- /dev/null
@@ -0,0 +1,12 @@
+--- a/src/openvpn/syshead.h
++++ b/src/openvpn/syshead.h
+@@ -602,9 +602,7 @@ socket_defined (const socket_descriptor_
+ /*
+  * Should we include OCC (options consistency check) code?
+  */
+-#ifndef ENABLE_SMALL
+ #define ENABLE_OCC
+-#endif
+ /*
+  * Should we include NTLM proxy functionality
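Review bot: This patch has no header, so nothing records why `ENABLE_OCC` is now defined even when `ENABLE_SMALL` is set. Add a short description such as `openvpn: keep the options consistency check in ENABLE_SMALL builds`, together with the reason and the size cost if known. The reason is presumably that size-reduced builds should still warn when the two peers' options, e.g. cipher or auth, do not match. Without it, the next version refresh has no basis for deciding whether the patch can be dropped.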
index 98ab31c..2e65183 100644 (file)
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=samba
 PKG_VERSION:=3.6.25
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 
 PKG_SOURCE_URL:=http://ftp.samba.org/pub/samba \
        http://ftp.samba.org/pub/samba/stable
diff --git a/package/network/services/samba36/patches/028-CVE-2017-7494-v3-6.patch b/package/network/services/samba36/patches/028-CVE-2017-7494-v3-6.patch
new file mode 100644 (file)
index 0000000..17b020d
--- /dev/null
@@ -0,0 +1,29 @@
+From d2bc9f3afe23ee04d237ae9f4511fbe59a27ff54 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Mon, 8 May 2017 21:40:40 +0200
+Subject: [PATCH] CVE-2017-7494: rpc_server3: Refuse to open pipe names with /
+ inside
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12780
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/rpc_server/srv_pipe.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -473,6 +473,11 @@ bool is_known_pipename(const char *cli_f
+               pipename += 1;
+       }
++      if (strchr(pipename, '/')) {
++              DEBUG(1, ("Refusing open on pipe %s\n", pipename));
++              return false;
++      }
++
+       if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
+               DEBUG(10, ("refusing spoolss access\n"));
+               return false;
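Review bot: The new `strchr(pipename, '/')` check in is_known_pipename() has no comment saying what it protects, and the patch header only names the CVE. A one-line comment above it would keep the check from being dropped or reordered on a later refresh, e.g. `/* CVE-2017-7494: a pipe name containing '/' must never reach the module lookup below, where it could be taken as a filesystem path */`. The lookup itself is outside the hunk, so confirm the wording against the full function. The check sits after the leading-backslash skip shown in the context and should stay ahead of any other use of `pipename`.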
index ee3460d..596a327 100644 (file)
  
 --- a/source3/rpc_server/srv_pipe.c
 +++ b/source3/rpc_server/srv_pipe.c
-@@ -991,7 +991,6 @@ static bool api_pipe_bind_req(struct pip
+@@ -996,7 +996,6 @@ static bool api_pipe_bind_req(struct pip
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("api_pipe_bind_req: invalid pdu: %s\n",
                          nt_errstr(status)));
                goto err_exit;
        }
  
-@@ -1325,7 +1324,6 @@ bool api_pipe_bind_auth3(struct pipes_st
+@@ -1330,7 +1329,6 @@ bool api_pipe_bind_auth3(struct pipes_st
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("api_pipe_bind_auth3: invalid pdu: %s\n",
                          nt_errstr(status)));
                goto err;
        }
  
-@@ -1483,7 +1481,6 @@ static bool api_pipe_alter_context(struc
+@@ -1488,7 +1486,6 @@ static bool api_pipe_alter_context(struc
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("api_pipe_alter_context: invalid pdu: %s\n",
                          nt_errstr(status)));
                goto err_exit;
        }
  
-@@ -2057,7 +2054,6 @@ static bool process_request_pdu(struct p
+@@ -2062,7 +2059,6 @@ static bool process_request_pdu(struct p
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("process_request_pdu: invalid pdu: %s\n",
                          nt_errstr(status)));
diff --git a/package/network/services/wireguard/Makefile b/package/network/services/wireguard/Makefile
new file mode 100644 (file)
index 0000000..10845cc
--- /dev/null
@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2016-2017 Jason A. Donenfeld <Jason@zx2c4.com>
+# Copyright (C) 2016 Baptiste Jonglez <openwrt@bitsofnetworks.org>
+# Copyright (C) 2016-2017 Dan Luedtke <mail@danrl.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=wireguard
+
+PKG_VERSION:=0.0.20171017
+PKG_RELEASE:=1
+
+PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
+PKG_MD5SUM:=1184c5734f7cd3b5895157835a336b3d
+
+PKG_LICENSE:=GPL-2.0 Apache-2.0
+PKG_LICENSE_FILES:=COPYING
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/WireGuard-$(PKG_VERSION)
+PKG_BUILD_PARALLEL:=1
+PKG_USE_MIPS16:=0
+
+# WireGuard's makefile needs this to know where to build the kernel module
+export KERNELDIR:=$(LINUX_DIR)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/wireguard/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=VPN
+  URL:=https://www.wireguard.com
+  MAINTAINER:=Baptiste Jonglez <openwrt@bitsofnetworks.org>, \
+              Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>, \
+              Dan Luedtke <mail@danrl.com>, \
+              Jason A. Donenfeld <Jason@zx2c4.com>
+endef
+
+define Package/wireguard/Default/description
+  WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
+  state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
+  more useful than IPSec, while avoiding the massive headache. It intends to
+  be considerably more performant than OpenVPN.  WireGuard is designed as a
+  general purpose VPN for running on embedded interfaces and super computers
+  alike, fit for many different circumstances. It uses UDP.
+endef
+
+define Package/wireguard
+  $(call Package/wireguard/Default)
+  TITLE:=WireGuard meta-package
+  DEPENDS:=+wireguard-tools +kmod-wireguard
+endef
+
+include $(INCLUDE_DIR)/kernel-defaults.mk
+include $(INCLUDE_DIR)/package-defaults.mk
+
+# Used by Build/Compile/Default
+MAKE_PATH:=src/tools
+
+define Build/Compile
+       $(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules
+       $(call Build/Compile/Default)
+endef
+
+define Package/wireguard/install
+  true
+endef
+
+define Package/wireguard/description
+  $(call Package/wireguard/Default/description)
+endef
+
+define Package/wireguard-tools
+  $(call Package/wireguard/Default)
+  TITLE:=WireGuard userspace control program (wg)
+  DEPENDS:=+libmnl +ip
+endef
+
+define Package/wireguard-tools/description
+  $(call Package/wireguard/Default/description)
+
+  This package provides the userspace control program for WireGuard,
+  `wg(8)`, and a netifd protocol helper.
+endef
+
+define Package/wireguard-tools/install
+       $(INSTALL_DIR) $(1)/usr/bin/
+       $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/tools/wg $(1)/usr/bin/
+       $(INSTALL_DIR) $(1)/lib/netifd/proto/
+       $(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
+endef
+
+define KernelPackage/wireguard
+  SECTION:=kernel
+  CATEGORY:=Kernel&nb