Commit Graph

3081 Commits

Author SHA1 Message Date
Adrian Schmutzler
9c170cb92f package: drop PKG_VERSION for purely local packages
In the package guidelines, PKG_VERSION is supposed to be used as
"The upstream version number that we're downloading", while
PKG_RELEASE is referred to as "The version of this package Makefile".
Thus, the variables in a strict interpretation provide a clear
distinction between "their" (upstream) version in PKG_VERSION and
"our" (local OpenWrt trunk) version in PKG_RELEASE.

For local (OpenWrt-only) packages, this implies that those will only
need PKG_RELEASE defined, while PKG_VERSION does not apply following
a strict interpretation. While the majority of "our" packages actually
follow that scheme, there are also some that mix both variables or
have one of them defined but keep them at "1".

This is misleading and confusing, which can be observed by the fact
that there typically either one of the variables is never bumped or
the choice of the variable to increase depends on the person doing the
change.

Consequently, this patch aims at clarifying the situation by
consistently using only PKG_RELEASE for "our" packages. To achieve
that, PKG_VERSION is removed there, bumping PKG_RELEASE where
necessary to ensure the resulting package version string is bigger
than before.

During adjustment, one has to make sure that the new resulting composite
package version will not be considered "older" than the previous one.

A useful tool for evaluating that is 'opkg compare-versions'. In
principle, there are the following cases:

1. Sole PKG_VERSION replaced by sole PKG_RELEASE:
   In this case, the resulting version string does not change, it's
   just the value of the variable put in the file. Consequently, we
   do not bump the number in these cases so nobody is tempted to
   install the same package again.

2. PKG_VERSION and PKG_RELEASE replaced by sole PKG_RELEASE:
   In this case, the resulting version string has been "version-release",
   e.g. 1-3 or 1.0-3. For this case, the new PKG_RELEASE will just
   need to be higher than the previous PKG_VERSION.
   For the cases where PKG_VERSION has always sticked to "1", and
   PKG_RELEASE has been incremented, we take the most recent value of
   PKG_RELEASE.

Apart from that, a few packages appear to have developed their own
complex versioning scheme, e.g. using x.y.z number for PKG_VERSION
_and_ a PKG_RELEASE (qos-scripts) or using dates for PKG_VERSION
(adb-enablemodem, wwan). I didn't touch these few in this patch.

Cc: Hans Dedecker <dedeckeh@gmail.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Andre Valentin <avalentin@marcant.net>
Cc: Matthias Schiffer <mschiffer@universe-factory.net>
Cc: Jo-Philipp Wich <jo@mein.io>
Cc: Steven Barth <steven@midlink.org>
Cc: Daniel Golle <dgolle@allnet.de>
Cc: John Crispin <john@phrozen.org>

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 18:33:56 +02:00
Adrian Schmutzler
b29d620ed2 vxlan: bump and change to PKG_RELEASE
Bumping package version has been overlooked in a previous commit.

While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)

Fixes: 0453c3866f ("vxlan: fix udp checksum control")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 18:33:56 +02:00
Johannes Kimmel
0453c3866f vxlan: fix udp checksum control
So far, passing "rxcsum" and "txcsum" had no effect.

Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-15 00:23:38 +02:00
Tony Ambardar
e89a7d72a5 iproute2: tc: fix missing em_ipset module
Feature detection doesn't recognize ipset v7 use on kernel v5.x systems
and thus disables the tc ematch function em_ipset.

- backport patch:
  * 002-configure-support-ipset-v7.patch:
    650591a7a70c configure: support ipset version 7 with kernel version 5

Fixes: 4e0c54bc5b ("kernel: add support for kernel 5.4")

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-07-14 22:00:43 +02:00
Tony Ambardar
9852104c71 iproute2: tc: fix dynamic symbol table size optimization
Recent iproute2 5.x versions modified the symbols resolved for plugins,
causing "tc .. action xt .." to fail. Update the list of symbols to fix.

Fixes: b61495409b ("iproute2: tc: reduce size of dynamic symbol table")

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2020-07-14 22:00:43 +02:00
Jason A. Donenfeld
ad81e2da08 wireguard: bump to 1.0.20200712
This release brings parity with the commits Linus released a few hours
ago into 5.8-rc5.

* receive: account for napi_gro_receive never returning GRO_DROP

The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands.

* device: implement header_ops->parse_protocol for AF_PACKET

WireGuard uses skb->protocol to determine packet type, and bails out if
it's not set or set to something it's not expecting. For AF_PACKET
injection, we need to support its call chain of:

    packet_sendmsg -> packet_snd -> packet_parse_headers ->
      dev_parse_header_protocol -> parse_protocol

Without a valid parse_protocol, this returns zero, and wireguard then
rejects the skb. So, this wires up the ip_tunnel handler for layer 3
packets for that case.

* queueing: make use of ip_tunnel_parse_protocol

Now that wg_examine_packet_protocol has been added for general
consumption as ip_tunnel_parse_protocol, it's possible to remove
wg_examine_packet_protocol and simply use the new
ip_tunnel_parse_protocol function directly.

* compat: backport ip_tunnel_parse_protocol and ip_tunnel_header_ops

These are required for moving wg_examine_packet_protocol out of
wireguard and into upstream.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-07-13 08:02:02 +02:00
Adrian Schmutzler
b837216345 wireguard-tools: replace backticks by $(...)
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-11 12:52:01 +02:00
Kirill Lukonin
667fbb8151 comgt: add new script to send ussd request and get the answer
New script for comgt. Should help to fetch balance or any additional information with USSD.
This script uses the standard AT command which should be supported by all modems.

Run-tested on: Mikrotik wAP LTE KIT

Signed-off-by: Kirill Lukonin <klukonin@gmail.com>
[fixed from/sob]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Hans Dedecker
2b479512bc curl: bump to 7.71.1
For changes in 7.71.1; see https://curl.haxx.se/changes.html#7_71_1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-07 22:16:47 +02:00
Petr Štetiar
4e57fd5ada dropbear: make rsa-sha2-256 pubkeys usable again
Upstream in commit 972d723484d8 ("split signkey_type and signature_type
for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
which made keys with SHA-256 hashing algorithm unusable as they still
reuse the `ssh-rsa` public key format. So fix this by disabling the
check for `rsa-sha2-256` pubkeys.

Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: d4c80f5b17 ("dropbear: bump to 2020.80")
Tested-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-07 19:47:24 +02:00
Hans Dedecker
9858a8c582 odhcpd: bump to latest git HEAD
5da5299 odhcpd: fix compilation with GCC10

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-02 22:28:06 +02:00
Hans Dedecker
cbb66f9edb curl: bump to 7.71.0
For changes in 7.71.0; see https://curl.haxx.se/changes.html#7_71_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-07-01 22:19:50 +02:00
Hans Dedecker
d4c80f5b17 dropbear: bump to 2020.80
- drop patches (applied upstream)
 * 001-backport_GNU_SOURCE-for-random.patch
 * 002-backport-move-GNU_SOURCE-earlier.patch
 * 010-backport-disable-toom-and-karatsuba.patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-30 22:13:46 +02:00
Rui Salvaterra
69ca308673 dropbear: init: replace backticks with $()
This replaces deprecated backticks by more versatile $(...) syntax.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-30 19:01:18 +02:00
Sukru Senli
c856f7adfb netifd: replace timesvr with timesrv
/lib/netifd/dhcp.script:
         Keep support for 'timesvr' while also supporting 'timesrv'
         Add log message indicating deprecation of 'timesvr'

Signed-off-by: Sukru Senli <sukru.senli@iopsys.eu>
2020-06-27 00:19:13 +02:00
Hans Dedecker
751e6ab8e6 dropbear: fix compilation for uClibc
Backport patches which fix compile issue for uClibc-ng :

dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
        ^~~~~~~~~
        genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
  ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
                                    ^~~~~~~~~~~~~
                                    SOCK_NONBLOCK

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-24 22:36:21 +02:00
Jason A. Donenfeld
ea5192e6c5 wireguard: bump to 1.0.20200623
* compat: drop centos 8.1 support as 8.2 is now out

Of note, as well, is that we now have both RHEL7 and RHEL8 in our CI at
<https://www.wireguard.com/build-status/>.

* Kbuild: remove -fvisibility=hidden from cflags

This fixes an issue when compiling wireguard as a module for ARM kernels in
THUMB2 mode without the JUMP11 workaround.

* noise: do not assign initiation time in if condition

Style fix.

* device: avoid circular netns references

Fixes a circular reference issue with network namespaces.

* netns: workaround bad 5.2.y backport

This works around a back backport in the 5.2.y series.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-06-24 08:01:37 +02:00
Sven Roederer
7e67d14486 igmpproxy: remove some bashism
"[[" is a bash extension for test. As the ash-implementation is not
fully compatible we drop its usage.
This follows up 3519bf4976

As a result, we also need to move the and/or out of the test brackets.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
[squash from two patches, adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-23 20:00:16 +02:00
Konstantin Demin
29e170dbaa dropbear: bump to 2020.79
- drop patches (applied upstream):
  * 010-backport-change-address-logging.patch
  * 020-backport-ed25519-support.patch
  * 021-backport-chacha20-poly1305-support.patch
- backport patches:
  * 010-backport-disable-toom-and-karatsuba.patch:
    reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
  because they are disabled in upstream too:
  * DROPBEAR_3DES
  * DROPBEAR_ENABLE_CBC_MODE
  * DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
  upstream has (accidentally) switched it to 0 in release 2019.77,
  but reverted back in release 2020.79.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2020-06-21 21:33:23 +02:00
Karel Kočí
a4248577a0 hostapd: fix compilation of wpa_supplicant
Ubus patch as it seems have been broken by some rebase in the past as
the location of line that adds ubus object file was in condition for
CONFIG_MACSEC. That condition was adding object files that are not
touched by ubus patch. This means ubus.o does not have to be included in
that case. When it has to be and when build fails is when CONFIG_AP is
set. All files included in wpa_supplicant that are touched by this patch
are in this condition. This means that this is for sure the original
place for it.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2020-06-18 20:08:18 +02:00
Rozhuk Ivan
ba7ddae9a9 comgt-ncm: do not attempt to connect if the control device is invalid
After a hardware reconnect, the control device might be unavailable and
attempting to interact with it will lead to hanging gcom calls, leaving
the protocol setup in an unrecoverable state.

Change the protocol handler to bail out early and notify netifd if the
control device is not defined or if the underlying device node does not
exist.

Also ensure that the "disconnect", "connect" and "setmode" commands are
actually defined before trying to invoke them.

Finally attempt to re-query the device manufacturer if it is unset in
the interface state in order to prevent UNUPPORTED_MODEM errors after
a modem hardware reconnect.

Signed-off-by: Rozhuk Ivan <rozhuk.im@gmail.com>
[reword subject and commit message]
Ref: https://github.com/openwrt/openwrt/pull/2352
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-06-17 23:14:46 +02:00
Florian Eckert
8fe9940db6 openvpn: add generic hotplug mechanism
Pass a default --up and --down executable to each started OpenVPN instance
which triggers /etc/hotplug.d/openvpn/ scripts whenever an instance
goes up or down.

User-configured up and down scripts are invoked by the default shipped
01-user hotplug handler to ensure that existing setups continue to work
as before.

As a consequence of this change, the up, down and script_security OpenVPN
options are removed from the option file, since we're always passing them
via the command line, they do not need to get included into the generated
configuration.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[reword commit message, move hotplug executable to /usr/libexec]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-06-17 22:43:48 +02:00
Hans Dedecker
a241f439dc iproute2: update to 5.7.0
Update iproute2 to latest stable 5.7.0; for the changes see https://lwn.net/Articles/822152/

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-13 21:36:27 +02:00
Johann Neuhauser
c0ddb85a1d hostapd: hostapd_set_psk_file: fix defaut value for mac
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Bringing up of station vlan fails if the optional mac entry isn't set.
The default mac "00:00:00:00:00:00", which should match all stations,
is mistakenly set to the non used variable "isolate". This results in
a wrong formatted .psk file which has to be "vlan_id mac key".

fixes: 5aa2ddd0: hostapd: add support for wifi-station and wifi-vlan sections

Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
2020-06-13 18:31:43 +02:00
Kevin Darbyshire-Bryant
46555ce5bc odhcpd: remove bogus IPKG_INSTROOT reference
IPKG_INSTROOT is only set under image builder and we won't be running
this script at build time either, so remove the reference before it gets
cargo-culted into other scripts.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-11 15:46:55 +01:00
Adrian Schmutzler
78e8360878 soloscli: fix uci-defaults file
The folder for the uci-defaults file of this package is wrong, so
the file most probably has not been executed at all for several
years at least.

Fix the folder and remove the useless shebang for the file.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-11 01:49:24 +02:00
Felix Fietkau
4baf90de8d netifd: disable receive packet steering for DSA slave devices
It is already handled on the master device. Doing it twice reduces
performance

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-10 16:17:12 +02:00
Felix Fietkau
41d7a14ead hostapd: add config symbol for allowing drivers to enable 802.11ax support
Also expose a build feature for it

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-06-10 12:56:35 +02:00
Petr Štetiar
df6a33a8d4 hostapd: update to latest Git hostap_2_9-1331-g5a8b366233f5
Bump to latest Git and refresh all patches in order to get fix for "UPnP
SUBSCRIBE misbehavior in hostapd WPS AP" (CVE-2020-12695).

 General security vulnerability in the way the callback URLs in the UPnP
 SUBSCRIBE command are used were reported (VU#339275, CVE-2020-12695).
 Some of the described issues may be applicable to the use of UPnP in WPS
 AP mode functionality for supporting external registrars.

Ref: https://w1.fi/security/2020-1/
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-09 16:59:33 +02:00
Kevin Darbyshire-Bryant
68b94f0fb4 umdnsd: update to latest git HEAD
d13290b Fix advertised IPv6 addresses

Don't just serve link-local addresses via mdns, offer all.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-06-08 20:16:17 +01:00
Stijn Tintel
8a858363b0 hostapd: silence rm
When bringing up wifi the first time after boot, these warnings appear:

netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.psk': No such file or directory
netifd: radio0 (1370): rm: can't remove '/var/run/hostapd-wlan0.vlan': No such file or directory

Silence them by adding the "-f" option to rm.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
2020-06-08 08:59:02 +03:00
Hans Dedecker
9e7fe7faf5 netifd: update to latest git HEAD
51e9fb8 system-linux: improve handling of device rename

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-06 20:55:53 +02:00
John Crispin
5aa2ddd0d6 hostapd: add support for wifi-station and wifi-vlan sections
This patch adds support for 2 new uci sections.

config wifi-vlan
	# iface is optional. if it is not defined the vlan will apply
	# to all interfaces
        option iface	default_radio0
        option name	guest
        option vid	100
        option network	guest

config wifi-station
	# iface is optional. if it is not defined the station will apply
	# to all interfaces
        option iface	default_radio0
        # mac is optional. if it is not defined it will be a catch all
	# for any sta using this key
	option mac	'00:11:22:33:44:55'
        # vid is optional. if it is not defined, the sta will be part of
	# the primary iface.
	option vid	100
        option key	testtest

With this patch applied it is possible to use multiple PSKs on a single BSS.

Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04 13:36:37 +02:00
John Crispin
303b463394 netifd: update to latest HEAD
db275e1 interface-ip: fix build on non-linux systems
3392046 system-dummy: fix missing return
a56b457 netifd: wireless: add support for tracking wifi-station sections
4ce33ce netifd: wireless: add support for tracking wifi-vlan sections

Signed-off-by: John Crispin <john@phrozen.org>
2020-06-04 13:36:37 +02:00
Petr Štetiar
7f0fb3e5d4 iwinfo: update to version 2020-06-03
2faa20e5e9d1 iwinfo: add device id for Mikrotik R11e-5HacD miniPCIe card
d577a9d38a3b iwinfo: add device id for Marvell 88W8997 SDIO wifi card
f6b7d16d2ffa iwinfo: add device id for Atheros AR9287 PCIe wifi card

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-03 16:49:28 +02:00
Sven Roederer
2171493f7f dnsmasq: add /etc/dnsmasq.d/ to conffiles
This directory can hold configuration-snippets which should also included in the backup.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2020-06-03 16:49:28 +02:00
Daniel Golle
b1f26b7160 uhttpd: fix script timeout
939c281 proc: do not cancel script killing after writing headers

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-06-03 10:50:01 +01:00
Hans Dedecker
8d2c031f21 ppp: update to version 2.4.8.git-2020-05-25
ddd57c2 pppd: Add lcp-echo-adaptive option
c319558 pppd: Handle SIGINT and SIGTERM during interrupted syscalls (#148)
0bc11fb Added missing options to manual pages. (#149)
b1fcf16 Merge branch 'monotonic-time' of https://github.com/themiron/ppp
c78e312 pppd: linux: use monotonic time if possible

Remove patch 121-debian_adaptive_lcp_echo as patch is upstream accepted
Remove patch 206-compensate_time_change.patch as timewrap issues are
solved by a patch making use of monotonic time

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-31 21:13:50 +02:00
Vladislav Grishenko
f166cf9ca0 dropbear: add ed25519 and chacha20-poly1305
- add Ed25519 support (backport):
  * DROPBEAR_ED25519 option for ssh-ed25519,
  * disabled by default
- add Chacha20-Poly1305 support (backport):
  * DROPBEAR_CHACHA20POLY1305 for chacha20-poly1305@openssh.com,
  * enabled by default
- update feature costs in binary size

Signed-off-by: Vladislav Grishenko <themiron@mail.ru>
2020-05-30 21:27:10 +02:00
Jo-Philipp Wich
559b338466 qos-scripts: fix interface resolving
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.

Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-29 10:34:58 +02:00
Enrique Rodríguez Valencia
6e8bb68996 hostapd: Add disable_vht when using NOHT/HT* modes
disable_vht parameter needs to be set when using wpa_supplicant NOHT/HT* modes.

Signed-off-by: Enrique Rodríguez Valencia <enrique.rodriguez@galgus.net>
2020-05-28 14:06:55 +01:00
David Bauer
a9f7510150 hostapd: add WEP as queryable build feature
Commit 472fd98c5b ("hostapd: disable support for Wired Equivalent
Privacy by default") made support for WEP optional.

Expose the WEP support to LuCi or other userspace tools using the
existing interface. This way they are able to remove WEP from the
available ciphers if hostapd is built without WEP support.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-05-22 21:54:30 +02:00
Philip Prindeville
de8b88ce17 firewall: add rule for traceroute support
Running your firewall's "wan" zone in REJECT zone (1) exposes the
presence of the router, (2) depending on the sophistication of
fingerprinting tools might identify the OS and release running on
the firewall which then identifies known vulnerabilities with it
and (3) perhaps most importantly of all, your firewall can be
used in a DDoS reflection attack with spoofed traffic generating
ICMP Unreachables or TCP RST's to overwhelm a victim or saturate
his link.

This rule, when enabled, allows traceroute to work even when the
default input policy of the firewall for the wan zone has been
set to DROP.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2020-05-21 20:23:10 +02:00
Hans Dedecker
bc55258464 netifd: ingress/egress vlan qos mapping support
74e0222 vlandev: support setting ingress/egress QoS mappings

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-21 20:21:02 +02:00
Hauke Mehrtens
289c632425 mac80211: Update to version 5.7-rc3-1
This updates the mac80211 backport.

The removed patches are already integrated in the upstream version.

The 131-Revert-mac80211-aes-cmac-switch-to-shash-CMAC-driver.patch patch
was manually adapted to the changes in kernel 5.7.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-21 14:39:34 +02:00
Hauke Mehrtens
9ca21dc7d5 mac80211: Update to version 5.5.19
This updates the mac80211 backport.

The removed patches are already integrated in the upstream version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-21 14:39:34 +02:00
Daniel Golle
017320ead3 hostapd: bring back mesh patches
Bring back 802.11s mesh features to the level previously available
before the recent hostapd version bump. This is mostly to support use
of 802.11s on DFS channels, but also making mesh forwarding
configurable which is crucial for use of 802.11s MAC with other routing
protocols, such as batman-adv, on top.
While at it, fix new compiler warning by adapting 700-wifi-reload.patch
to upstream changes, now building without any warnings again.

Fixes: 0a3ec87a66 ("hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-05-21 10:21:59 +01:00
Jason A. Donenfeld
a860fe2304 wireguard: bump to 1.0.20200520
This version has the various slew of bug fixes and compat fixes and
such, but the most interesting thing from an OpenWRT perspective is that
WireGuard now plays nicely with cake and fq_codel. I'll be very
interested to hear from OpenWRT users whether this makes a measurable
difference. Usual set of full changes follows.

This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.

* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10

These enable the test suite to compile with gcc-10.

* noise: read preshared key while taking lock

Matt noticed a benign data race when porting the Linux code to OpenBSD.

* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter

WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png

* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings

The usual RHEL churn.

* compat: backport renamed/missing skb hash members

The new support for fq_codel and friends meant more backporting work.

* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4

The main motivation for releasing this now: three stable kernels were released
at the same time, with a patch that necessitated updating in our compat layer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-05-21 08:18:01 +02:00
Petr Štetiar
472fd98c5b hostapd: disable support for Wired Equivalent Privacy by default
Upstream in commit 200c7693c9a1 ("Make WEP functionality an optional
build parameter") has made WEP functionality an optional build parameter
disabled as default, because WEP should not be used for anything
anymore. As a step towards removing it completely, they moved all WEP
related functionality behind CONFIG_WEP blocks and disabled it by
default.

This functionality is subject to be completely removed in a future
release.

So follow this good security advice, deprecation notice and disable WEP
by default, but still allow custom builds with WEP support via
CONFIG_WPA_ENABLE_WEP config option till upstream removes support for
WEP completely.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 08:18:01 +02:00
Petr Štetiar
0a3ec87a66 hostapd: update to latest Git hostap_2_9-1238-gdd2daf0848ed
Bump package to latest upstream Git HEAD which is commit dd2daf0848ed
("HE: Process HE 6 GHz band capab from associating HE STA"). Since last
update there was 1238 commits done in the upstream tree with 618 files
changed, 53399 insertions, 24928 deletions.

I didn't bothered to rebase mesh patches as the changes seems not
trivial and I don't have enough knowledge of those parts to do/test that
properly, so someone else has to forward port them, ideally upstream
them so we don't need to bother anymore. I've just deleted them for now:

 004-mesh-use-setup-completion-callback-to-complete-mesh-.patch
 005-mesh-update-ssid-frequency-as-pri-sec-channel-switch.patch
 006-mesh-inform-kernel-driver-DFS-handler-in-userspace.patch
 007-mesh-apply-channel-attributes-before-running-Mesh.patch
 011-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
 013-mesh-do-not-allow-pri-sec-channel-switch.patch
 015-mesh-do-not-use-offchan-mgmt-tx-on-DFS.patch
 016-mesh-fix-channel-switch-error-during-CAC.patch
 018-mesh-make-forwarding-configurable.patch

Refreshed all other patches, removed upstreamed patches:

 051-wpa_supplicant-fix-race-condition-in-mesh-mpm-new-pe.patch
 067-0001-AP-Silently-ignore-management-frame-from-unexpected-.patch
 070-driver_nl80211-fix-WMM-queue-mapping-for-regulatory-.patch
 071-driver_nl80211-fix-regulatory-limits-for-wmm-cwmin-c.patch
 090-wolfssl-fix-crypto_bignum_sum.patch
 091-0001-wolfssl-Fix-compiler-warnings-on-size_t-printf-forma.patch
 091-0002-wolfssl-Fix-crypto_bignum_rand-implementation.patch
 091-0003-wolfssl-Do-not-hardcode-include-directory-in-wpa_sup.patch
 800-usleep.patch

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq8065/NBG6817; ipq40xx/MAP-AC2200]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 08:18:01 +02:00