Merge https://github.com/openwrt/openwrt

package/kernel/mac80211/patches/327-mac80211-accept-key-reinstall-without-changing-anyth.patch

@@ -0,0 +1,81 @@
+From fdf7cb4185b60c68e1a75e61691c4afdc15dea0e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Sep 2017 14:54:54 +0200
+Subject: [PATCH] mac80211: accept key reinstall without changing anything
+
+When a key is reinstalled we can reset the replay counters
+etc. which can lead to nonce reuse and/or replay detection
+being impossible, breaking security properties, as described
+in the "KRACK attacks".
+
+In particular, CVE-2017-13080 applies to GTK rekeying that
+happened in firmware while the host is in D3, with the second
+part of the attack being done after the host wakes up. In
+this case, the wpa_supplicant mitigation isn't sufficient
+since wpa_supplicant doesn't know the GTK material.
+
+In case this happens, simply silently accept the new key
+coming from userspace but don't take any action on it since
+it's the same key; this keeps the PN replay counters intact.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ net/mac80211/key.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index a98fc2b5e0dc..ae995c8480db 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -4,7 +4,7 @@
+  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
+  * Copyright 2007-2008	Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+- * Copyright 2015	Intel Deutschland GmbH
++ * Copyright 2015-2017	Intel Deutschland GmbH
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key,
+
+ 	pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+ 	idx = key->conf.keyidx;
+-	key->local = sdata->local;
+-	key->sdata = sdata;
+-	key->sta = sta;
+
+ 	mutex_lock(&sdata->local->key_mtx);
+
+@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 	else
+ 		old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
+
++	/*
++	 * Silently accept key re-installation without really installing the
++	 * new version of the key to avoid nonce reuse or replay issues.
++	 */
++	if (old_key && key->conf.keylen == old_key->conf.keylen &&
++	    !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
++		ieee80211_key_free_unused(key);
++		ret = 0;
++		goto out;
++	}
++
++	key->local = sdata->local;
++	key->sdata = sdata;
++	key->sta = sta;
++
+ 	increment_tailroom_need_count(sdata);
+
+ 	ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 		ret = 0;
+ 	}
+
++ out:
+ 	mutex_unlock(&sdata->local->key_mtx);
+
+ 	return ret;
+-- 
+2.13.6
+

package/network/services/dnsmasq/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.76
+PKG_VERSION:=2.78
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_MD5SUM:=00f5ee66b4e4b7f14538bf62ae3c9461
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
+PKG_MD5SUM:=6d0241b72c79d2b510776ccc4ed69ca4
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
@@ -24,6 +24,7 @@ PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6 \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
 	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack
@@ -52,7 +53,7 @@ endef
 
 define Package/dnsmasq-full
 $(call Package/dnsmasq/Default)
-  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack enabled by default)
+  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, NO_ID enabled by default)
   DEPENDS:=+PACKAGE_dnsmasq_full_dnssec:libnettle \
 	+PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
 	+PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
@@ -73,7 +74,7 @@ define Package/dnsmasq-full/description
 $(call Package/dnsmasq/description)
 
 This is a fully configurable variant with DHCPv6, DNSSEC, Authoritative DNS and
-IPset, Conntrack support enabled by default.
+IPset, NO_ID support enabled by default.
 endef
 
 define Package/dnsmasq/conffiles
@@ -90,6 +91,9 @@ define Package/dnsmasq-full/config
 	config PACKAGE_dnsmasq_full_dnssec
 		bool "Build with DNSSEC support."
 		default y
+	config PACKAGE_dnsmasq_full_noid
+		bool "Build with NO_ID. (hide *.bind pseudo domain)"
+		default y
 	config PACKAGE_dnsmasq_full_auth
 		bool "Build with the facility to act as an authoritative DNS server."
 		default y
@@ -118,11 +122,12 @@ ifeq ($(BUILD_VARIANT),full)
 	COPTS += $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6),,-DNO_DHCP6) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
 		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,)
 	COPTS += $(if $(CONFIG_LIBNETTLE_MINI),-DNO_GMP,)
 else
-	COPTS += -DNO_AUTH -DNO_IPSET
+	COPTS += -DNO_AUTH -DNO_IPSET -DNO_ID
 endif
 
 MAKE_FLAGS := \

package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch

@@ -44,67 +44,22 @@
        (buffer = safe_malloc(BUFF_SZ)) &&
        (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
        (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
-@@ -168,62 +149,16 @@ static int new_add_to_ipset(const char *
- }
-
-
--static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
--{
--  socklen_t size;
--  struct ip_set_req_adt_get {
--    unsigned op;
--    unsigned version;
--    union {
--      char name[IPSET_MAXNAMELEN];
--      uint16_t index;
--    } set;
--    char typename[IPSET_MAXNAMELEN];
--  } req_adt_get;
--  struct ip_set_req_adt {
--    unsigned op;
--    uint16_t index;
--    uint32_t ip;
--  } req_adt;
--  
--  if (strlen(setname) >= sizeof(req_adt_get.set.name)) 
--    {
--      errno = ENAMETOOLONG;
--      return -1;
--    }
--  
--  req_adt_get.op = 0x10;
--  req_adt_get.version = 3;
--  strcpy(req_adt_get.set.name, setname);
--  size = sizeof(req_adt_get);
--  if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
--    return -1;
--  req_adt.op = remove ? 0x102 : 0x101;
--  req_adt.index = req_adt_get.set.index;
--  req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
--  if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
--    return -1;
--  
--  return 0;
--}
--
--
--
- int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
- {
-   int af = AF_INET;
-
- #ifdef HAVE_IPV6
+@@ -217,17 +198,10 @@ int add_to_ipset(const char *setname, co
    if (flags & F_IPV6)
--    {
+     {
        af = AF_INET6;
 -      /* old method only supports IPv4 */
 -      if (old_kernel)
--	return -1;
--    }
+-	{
+-	  errno = EAFNOSUPPORT ;
+-	  ret = -1;
+-	}
+     }
  #endif
 
--  return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
-+  return new_add_to_ipset(setname, ipaddr, af, remove);
- }
+-  if (ret != -1) 
+-    ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
++    ret = new_add_to_ipset(setname, ipaddr, af, remove);
 
- #endif
+   if (ret == -1)
+      my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));

package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch

@@ -35,13 +35,13 @@ Signed-off-by: Steven Barth <steven@midlink.org>
 +      if (difftime(now, base) >= 0 && difftime(timestamp_time, now) <= 0)
  	{
  	  /* time already OK, update timestamp, and do key checking from the start. */
- 	  if (utime(daemon->timestamp_file, NULL) == -1)
+ 	  if (utimes(daemon->timestamp_file, NULL) == -1)
 @@ -493,7 +500,7 @@ int setup_timestamp(void)
 
  	  close(fd);
 
--	  timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */
-+	  timestamp_time = timbuf.actime = timbuf.modtime = base;
- 	  if (utime(daemon->timestamp_file, &timbuf) == 0)
- 	    goto check_and_exit;
- 	}
+-	  timestamp_time = 1420070400; /* 1-1-2015 */
++	  timestamp_time = base; /* 1-1-2015 */
+ 	  tv[0].tv_sec = tv[1].tv_sec = timestamp_time;
+ 	  tv[0].tv_usec = tv[1].tv_usec = 0;
+ 	  if (utimes(daemon->timestamp_file, tv) == 0)

package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch

@@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
 
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
-@@ -82,7 +82,7 @@ typedef unsigned long long u64;
+@@ -88,7 +88,7 @@ typedef unsigned long long u64;
  #if defined(HAVE_SOLARIS_NETWORK)
  #  include <sys/sockio.h>
  #endif

package/network/services/dropbear/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2016.74
+PKG_VERSION:=2017.75
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_MD5SUM:=9ad0172731e0f16623937804643b5bd8
+PKG_MD5SUM:=e57e9b9d25705dcb073ba15c416424fd
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -104,6 +104,10 @@ define Build/Configure
 	  mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
 	done
 
+	# remove protocol idented software version number
+	$(SED) 's,^#define LOCAL_IDENT .*$$$$,#define LOCAL_IDENT "SSH-2.0-dropbear",g' \
+		$(PKG_BUILD_DIR)/sysoptions.h
+
 	# Enforce rebuild of svr-chansession.c
 	rm -f $(PKG_BUILD_DIR)/svr-chansession.o
 endef

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -218,17 +218,21 @@ static int checkpubkey(char* algo, unsig
+@@ -220,14 +220,20 @@ static int checkpubkey(char* algo, unsig
  		goto out;
  	}
 
@@ -12,28 +12,24 @@
 -	filename = m_malloc(len + 22);
 -	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
 -				ses.authstate.pw_dir);
--
--	/* open the file */
--	authfile = fopen(filename, "r");
 +	if (ses.authstate.pw_uid != 0) {
 +		/* we don't need to check pw and pw_dir for validity, since
 +		 * its been done in checkpubkeyperms. */
 +		len = strlen(ses.authstate.pw_dir);
 +		/* allocate max required pathname storage,
 +		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
 +		filename = m_malloc(len + 22);
-+		snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
-+		         ses.authstate.pw_dir);
-+
-+		/* open the file */
-+		authfile = fopen(filename, "r");
++		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++					ses.authstate.pw_dir);
 +	} else {
-+		authfile = fopen("/etc/dropbear/authorized_keys","r");
++		filename = m_malloc(30);
++		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
 +	}
- 	if (authfile == NULL) {
- 		goto out;
- 	}
-@@ -381,26 +385,35 @@ static int checkpubkeyperms() {
++
+
+ 	/* open the file as the authenticating user. */
+ 	origuid = getuid();
+@@ -396,26 +402,35 @@ static int checkpubkeyperms() {
  		goto out;
  	}
 

package/network/services/dropbear/patches/120-openwrt_options.patch

@@ -44,10 +44,9 @@
   * which are not the standard form. */
  #define DROPBEAR_SHA1_HMAC
 -#define DROPBEAR_SHA1_96_HMAC
--#define DROPBEAR_SHA2_256_HMAC
--#define DROPBEAR_SHA2_512_HMAC
 +/*#define DROPBEAR_SHA1_96_HMAC*/
-+/*#define DROPBEAR_SHA2_256_HMAC*/
+ #define DROPBEAR_SHA2_256_HMAC
+-#define DROPBEAR_SHA2_512_HMAC
 +/*#define DROPBEAR_SHA2_512_HMAC*/
  #define DROPBEAR_MD5_HMAC