ba2ab5d version: bump snapshot
5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
8432585 main: get rid of unloaded debug message
139e57c tools: compile on gnu99
d65817c tools: use libc's endianness macro if no compiler macro
f985de2 global: give if statements brackets and other cleanups
b3a5d8a main: change module description
296d505 device: use textual error labels always
8bde328 allowedips: swap endianness early on
a650d49 timers: avoid using control statements in macro
db4dd93 allowedips: remove control statement from macro by rewriting
780a597 global: more nits
06b1236 global: rename struct wireguard_ to struct wg_
205dd46 netlink: do not stuff index into nla type
2c6b57b qemu: kill after 20 minutes
6f2953d compat: look in Kbuild and Makefile since they differ based on arch
a93d7e4 create-patch: blacklist instead of whitelist
8d53657 global: prefix functions used in callbacks with wg_
123f85c compat: don't output for grep errors
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels
125cbee system-linux: fix a typo in gre tunnel data parsing logic
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Make inclusion of the destination option header containing the tunnel
encapsulation limit configurable for IPv6 GRE packets.
Setting the uci parameter encaplimit to ignore; allows to disable the
insertion of the destination option header in the IPv6 GRE packets.
Otherwise the tunnel encapsulation limit value can be set to a value
from 0 till 255 by setting the encaplimit uci parameter accordingly.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and
is intended to support 11r & 11w (subject to driver support) out of the
box.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
96fa353 mt76: do not store aggregation sequence number for null-data frames
c50dca8 mt76x0: print BBP version only for debug
ddc9e05 mt76x0: correct RF access via RF_CSR register.
02d2385 mt76: allow to identify bus
c438e67 mt76x0: correct RF reg pairs write for PCIe
c83abb8 mt76x0: use bus helper to identify rf access method
9c272ff mt76x0: phy: fix bank check in mt76x0_rf_csr_{wr,rr}
1945d57 mt76: use mt76x02_dev instead of mt76_dev in mt76x02_mcu.c
214eab7 mt76: use mt76x02_dev instead of mt76_dev in mt76x02_phy.c
29bc2ae mt76: use mt76x02_dev instead of mt76_dev in mt76x02_util.c
08ecb5f mt76: use mt76x02_dev instead of mt76_dev in mt76x02_usb_mcu.c
fd9b2b0 mt76: use mt76x02_dev instead of mt76_dev in mt76x02_mac.c
f37bd25 mt76: use mt76x02_dev instead of mt76_dev in mt76x02_txrx.c
48950cb mt76: use mt76x02_dev instead of mt76_dev in mt76x02_eeprom.c
06276cc mt76x0: pci: report firmware version using ethtool
72546ed mt76x0: pci: add missing mac80211 callbacks
4de98cd mt76: disable ldpc coding for mt76x0 devices
f0951c2 mt76x0: pci: add mt76x0_register_device in mt76x0e_register_device
4f3685e mt76: reserve enough room for USB tx skbs
5e6907f mt76x0: remove dma.h
acfc5a9 mt76x0: pci: fix set external PA I/O current
2b79bb7 mt76: mt76x0e: another fix for the external PA current setting
8a0acfd mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc
e9e949b mt76x0: phy: remove channel parameter from mt76x0_phy_set_chan_bbp_params
1775717 mt76: move mt76x02_phy_set_bw in mt76x02-lib module
f82134f mt76: move mt76x02_phy_set_band in mt76x02-lib module
3eaa34f mt76x0: pci: rename mt76x0_phy_calibrate
7269fb4 mt76x0: pci: introduce mt76x0_phy_calirate routine
a514b75 mt76x0: phy: update set_channel for mt76x0e devices
62a1bc5 mt76x0: eeprom: introduce mt76x0_tssi_enabled routine
a48481d mt76x0: phy: add phy/vco temperature compensation
cc34ce9 mt76: move rssi_gain_thresh routines in mt76x02-lib module
eaf9751 mt76: move mt76x02_phy_adjust_vga_gain in mt76/mt76x02_phy.c
2715e7c mt76: introduce mt76x02_init_agc_gain routine
87fcb31 mt76x0: phy: align channel gain logic to mt76x2 one
98f8ef7 mt76x0: phy: do not run calibration during channel switch
cf859ad mt76x2: align mt76x2 and mt76x2u firmware
1f3f767 mt76x2u: align channel gain logic to mt76x2 one
d1c1454 treewide: Replace more open-coded allocation size multiplications
bcbecd2 mt76x0: phy: use proper name convention
b6694e6 mt76x0: phy: simplify rf configuration routines
da129c9 mt76x0: phy: improve code readability in initvals_phy.h
eab7ab1 mt76x0: pci: add get_survey support
9e493f7 mt76: move mt76x02_mac_work routine in mt76x02-lib module
ecec6ba mt76: move mt76x02_debugfs in mt76x02-lib module
4f3b608 mt76x0: use shared debugfs implementation
6aae25b mt76x0: use mt76x02_mac_work as stats handler
b228a45 mt76x2u: introduce mac workqueue support
4671af4 mt76x0: phy: unify calibration between mt76x0u and mt76x0e
5ed28f3 mt76x0: do not perform MCU calibration for MT7630
9b844da add mt7610e firmware
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Backport two upstream fixes to address overly verbose logging of MAC ACL
rejection messages.
Fixes: FS#1468
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This patch fixes jailed dnsmasq running into the following issue:
|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash
Fixes: a45f4f50e1 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
53792c9 fix typo
df07182 Update German translation.
Remove local patch 001-fix-typo which is a backport of the above 53792c9
There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This adds support for the WPA3-Enterprise mode authentication.
The settings for the WPA3-Enterpriese mode are defined in
WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and
guarantees at least 192 bit of security.
This does not increase the ipkg size by a significant size.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
OWE is defined in RFC 8110 and provides encryption and forward security
for open networks.
This is based on the requirements in the Wifi alliance document
Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf
The wifi alliance requires ieee80211w for the OWE mode.
This also makes it possible to configure the OWE transission mode which
allows it operate an open and an OWE BSSID in parallel and the client
should only show one network.
This increases the ipkg size by 5.800 Bytes.
Old: 402.541 Bytes
New: 408.341 Bytes
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This build the full openssl and wolfssl versions with SAE support which
is the main part of WPA3 PSK.
This needs elliptic curve cryptography which is only provided by these
two external cryptographic libraries and not by the internal
implementation.
The WPA3_Specification_v1.0.pdf file says that in SAE only mode
Protected Management Frames (PMF) is required, in mixed mode with
WPA2-PSK PMF should be required for clients using SAE, and optional for
clients using WPA2-PSK. The defaults are set now accordingly.
This increases the ipkg size by 8.515 Bytes.
Old: 394.026 Bytes
New: 402.541 Bytes
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This replaces the configuration files with the versions from the hostapd
project and the adaptions done by OpenWrt.
The resulting binaries should be the same.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Update ath10k-ct to be able to drop 210-ath10k-fix-recent-bandwidth-conversion-bug.patch
as its upstream.
b9989fbd5d6e ath10k-ct: Add upstream patch to fix peer rate reporting.
ac9224344dbf ath10k-ct: Support sending custom frames with no-ack flag.
bc938bc2021e ath10k-ct: Support sending pkts with specific rate on 10.4 firmware.
Runtime tested on:
- GL-iNet GL-B1300
- Mikrotik RB912 + QCA9882
Signed-off-by: Robert Marko <robimarko@gmail.com>
[Added list of all changes from previous version + add own test device]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Check pin count value from pin status and stop verification the pin if
the value is less then 3. This should prevent the proto-handler to
lock the SIM. If SIM is locked then the PUK is needed.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Load the json output from uqmi --get-pin-status command and evaluate the
"pin1_status" value.
The following uqmi "pin1_status" values are evaluated:
- disabled
Do not verify PIN because SIM verification is disabled on this SIM
- blocked
Stop qmi_setup because SIM is locked and a PUK is required
- not_verified
SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is
specified
- verified:
Do not verify the PIN because this was already done before
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
QMI proto setup-handler will wait forever if SIM does not get initialized.
To fix this stop polling pin status and notify netifd. Netifd will generate
then a "ifup-failed" ACTION.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
QMI proto setup-handler will wait forever if it is unable to registrate to
the mobile network. To fix this stop polling network registration status
and notify netifd. Netifd will generate then a "ifup-failed" ACTION.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This value will be used for now during following situations:
* Ask the sim with the uqmi --get-pin-status command.
* Wait for network registration with the uqmi --get-serving-system command.
This two commands wait forever in a while loop. Add a timeout to stop
waiting and so inform netifd.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Move uqmi std and error output on commands without using them to /dev/null.
This will remove useless outputs in the syslog.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Since kernel 4.14.75 commit ("netfilter: xt_cluster: add dependency on conntrack module")
a dependency is required on kmod-nf-conntrack.
It seems this was already present for kmod-ipt-clusterip
but not yet for kmod-ipt-cluster
Add it fixing a build error when including kmod-ipt-cluster:
Package kmod-ipt-cluster is missing dependencies for the following libraries:
nf_conntrack.ko
modules/netfilter.mk:665: recipe for target '/mnt/ramdisk/koen/firmware/builds/openwrt/bin/targets/cns3xxx/generic/packages/kmod-ipt-cluster_4.14.75-1_arm_mpcore_vfp.ipk' failed
make[3]: *** [/mnt/ramdisk/koen/firmware/builds/openwrt/bin/targets/cns3xxx/generic/packages/kmod-ipt-cluster_4.14.75-1_arm_mpcore_vfp.ipk] Error 1
make[3]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt/package/kernel/linux'
Command exited with non-zero status 2
time: package/kernel/linux/compile#1.80#0.05#2.07
package/Makefile:107: recipe for target 'package/kernel/linux/compile' failed
make[2]: *** [package/kernel/linux/compile] Error 2
make[2]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt'
package/Makefile:103: recipe for target '/mnt/ramdisk/koen/firmware/builds/openwrt/staging_dir/target-arm_mpcore+vfp_musl_eabi/stamp/.package_compile' failed
make[1]: *** [/mnt/ramdisk/koen/firmware/builds/openwrt/staging_dir/target-arm_mpcore+vfp_musl_eabi/stamp/.package_compile] Error 2
make[1]: Leaving directory '/mnt/ramdisk/koen/firmware/builds/openwrt'
/mnt/ramdisk/koen/firmware/builds/openwrt/include/toplevel.mk:216: recipe for target 'world' failed
make: *** [world] Error 2
Fixes: f983956a8b ("kernel: bump 4.14 to 4.14.75")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.75&id=b969656b46626a674232c0eadf92a394b89df07c
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames. Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.
Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.
/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.
dhcp-name-match=set:dhcp_bogus_hostname,localhost
Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.
To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fixes the following build error:
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_post’
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_wait'
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_init’
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_destroy’
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Commit 9f0cb135dd made BUSYBOX_CONFIG_FEATURE_IPV6 dependant on IPV6 but
did not make its default value BUSYBOX_DEFAULT_FEATURE_IPV6 dependant
on IPV6. BUSYBOX_DEFAULT_FEATURE_IPV6 will have as default value y if
IPV6 is enabled otherwise n.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2b085815 (tag: v1.34.0) Update manual pages
986fa302 Bump up version number to 1.34.0, LT revision to 31:1:17
7c8cb3a0 nghttpx: Improve CONNECT response status handling
334c439c Fix bug that regular CONNECT does not work
6700626c Rule out content-length in the successful response to CONNECT
15162add Update manual pages
93270777 Merge pull request #1235 from nghttp2/backend-conn-timeout
aeb92bbb nghttpx: Add read/write-timeout parameters to backend option
fc7489e0 nghttpx: Fix mruby parameter validation
87ac872f nghttpx: Update doc
c278adde nghttpx: Log error when mruby file cannot be opened
f94d7209 Merge pull request #1234 from nghttp2/nghttpx-rfc8441
9b9baa6b Update doc
02566ee3 nghttpx: Update doc
3002f31b src: Add debug output for SETTINGS_ENABLE_CONNECT_PROTOCOL
d2a594a7 nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2
651e1477 Allow client sending :protocol optimistically
a42faf1c nghttpx: Write TLS alert during handshake
4aac05e1 Merge pull request #1231 from nghttp2/ws-lib-only
b80dfaa8 Adjustment for RFC 8441
a19d8f5d Deal with :protocol pseudo header
33f6e90a Add NGHTTP2_TOKEN__PROTOCOL
ed7fabcb Add SETTINGS_ENABLE_CONNECT_PROTOCOL
8753b6da Update doc
f2de733b Update neverbleed to fix OpenSSL 1.1.1 issues
88ff8c69 Update mruby 1.4.1
a63558a1 nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful
3575a132 nghttpx: Fix crash with plain text HTTP
e2de2fee Update bash_completion
9f415979 Update manual pages
4bfc0cd1 Merge pull request #1230 from nghttp2/nghttpx-faster-logging
9c824b87 nghttpx: Get rid of std::stringstream from Log
a1ea1696 Make VALID_HD_NAME_CHARS and VALID_HD_VALUE_CHARS const qualified
dfc0f248 Make static_table const qualified
ed7c9db2 nghttpx: Add mruby env.tls_handshake_finished
5b42815a nghttpx: Strip incoming Early-Data header field by default
cfe7fa9a nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
cb8a9d58 src: Remove TLSv1.3 ciphers from DEFAULT_CIPHER_LIST
023b9448 Merge branch 'tls13-early-data'
9b03c64f nghttpx: Should postpone early data by default
b8eccec6 nghttpx: Disable OpenSSL anti-replay
9f212587 Specify SSL_CTX_set_max_early_data and add an option to change max value
47f60124 nghttpx: Add an option to postpone early data processing
770e44de Implement draft-ietf-httpbis-replay-02
2ab319c1 Don't hide error code from openssl
39923024 Remove SSL_ERROR_WANT_WRITE handling
b30f312a Honor SSL_read semantics
c5cdb78a nghttpx: Add TLSv1.3 0-RTT early data support
f79a5812 Bump up version number to 1.34.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Support for -D got broken in the 2.0.11 release by the upstream commit
218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that
commit clients were still able to connect but no traffic was passed.
It was reported and is fixed now in the upstream git repository.
Backport two patches to fix this. The first one is just a requirement
for the later to apply. The second one is the real fix and it needed
only a small adjustment to apply without backporing the commit
10887b59c7e7 ("fix --txstart-time report messages").
Fixes: 457e6d5a27 ("iperf: bump to 2.0.12")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>