staging/pepe2k, branch v17.01.4

LEDE v17.01.4: adjust config defaults

2017-10-18T08:54:32Z

Signed-off-by: Stijn Tintel

wireguard: version bump to 0.0.20171017

2017-10-17T17:46:20Z

This is a simple version bump. Changes: * noise: handshake constants can be read-only after init * noise: no need to take the RCU lock if we're not dereferencing * send: improve dead packet control flow * receive: improve control flow * socket: eliminate dead code * device: our use of queues means this check is worthless * device: no need to take lock for integer comparison * blake2s: modernize API and have faster _final * compat: support READ_ONCE * compat: just make ro_after_init read_mostly Assorted cleanups to the module, including nice things like marking our precomputations as const. * Makefile: even prettier output * Makefile: do not clean before cloc * selftest: better test index for rate limiter * netns: disable accept_dad for all interfaces Fixes in our testing and build infrastructure. Now works on the 4.14 rc series. * qemu: add build-only target * qemu: work on ubuntu toolchain * qemu: add more debugging options to main makefile * qemu: simplify shutdown * qemu: open /dev/console if we're started early * qemu: phase out bitbanging * qemu: always create directory before untarring * qemu: newer packages * qemu: put hvc directive into configuration This is the beginning of working out a cross building test suite, so we do several tricks to be less platform independent. * tools: encoding: be more paranoid * tools: retry resolution except when fatal * tools: don't insist on having a private key * tools: add pass example to wg-quick man page * tools: style * tools: newline after warning * tools: account for padding being in zero attribute Several important tools fixes, one of which suppresses a needless warning. Signed-off-by: Jason A. Donenfeld (cherry picked from commit f6c4a9c045797d9be12310eebc6341050fd260ce)

hostapd: add wpa_disable_eapol_key_retries option

2017-10-17T14:59:45Z

Commit b6c3931ad6554357a108127797c8d7097a93f18f introduced an AP-side workaround for key reinstallation attacks. This option can be used to mitigate KRACK on the station side, in case those stations cannot be updated. Since many devices are out there will not receive an update anytime soon (if at all), it makes sense to include this workaround. Unfortunately this can cause interoperability issues and reduced robustness of key negotiation, so disable the workaround by default, and add an option to allow the user to enable it if he deems necessary. Signed-off-by: Stijn Tintel (cherry picked from commit c5f97c9372da3229350184fb263c97d9ea8944c5)

hostapd: backport extra changes related to KRACK

2017-10-17T14:54:59Z

While these changes are not included in the advisory, upstream encourages users to merge them. See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch applies without having to rework it. Signed-off-by: Stijn Tintel

mac80211: backport kernel fix for CVE-2017-13080

2017-10-16T22:57:05Z

Signed-off-by: Stijn Tintel (cherry picked from commit 2f701194c29da50bfda968a83c6609843f74a7f4)

x86: partly revert cabf775

2017-10-16T15:21:43Z

The subtarget cleanups made in cabf775 "x86: Refresh subtargets kernel config" removed some important symbol disable statements, so revert the changes to the subtarget configs for now. Signed-off-by: Jo-Philipp Wich

mac80211: Update wireless-regdb to master-2017-03-07

2017-10-16T11:22:18Z

The short log of changes since the 2016-06-10 release is below. Jouni Malinen (1): wireless-regdb: Remove DFS requirement for India (IN) Ryan Mounce (1): wireless-regdb: Update rules for Australia (AU) and add 60GHz rules Seth Forshee (2): wireless-regdb: Update 5 GHz rules for Canada wireless-regdb: update regulatory.bin based on preceding changes Signed-off-by: Ryan Mounce (cherry picked from commit 8b12e62e9cd6ba2e3bb2e7f2555180df0173c7c6)

wireguard: add wireguard to base packages

2017-10-16T11:03:39Z

Move wireguard from openwrt/packages to base a package. This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving experimental kernel module that many find essential and useful. The other is a VPN client. Both are inside of core. When you combine the two characteristics, you get WireGuard. Generally speaking, because of the extremely lightweight nature and "stateless" configuration of WireGuard, many view it as a core and essential utility, initiated at boot time and immediately configured by netifd, much like the use of things like GRE tunnels. WireGuard has a backwards and forwards compatible Netlink API, which means the userspace tools should work with both newer and older kernels as things change. There should be no versioning requirements, therefore, between kernel bumps and userspace package bumps. Signed-off-by: Kevin Darbyshire-Bryant Signed-off-by: Jason A. Donenfeld Acked-by: Jo-Philipp Wich Acked-by: Felix Fietkau (cherry picked from commit 699c6fcc314225f79156a26db418e15bbc6bf10f)

brcmfmac: backport length check in brcmf_cfg80211_escan_handler()

2017-10-16T11:02:04Z

Fixes CVE-2017-0786 Signed-off-by: Felix Fietkau

kernel: bump 4.4 to 4.4.92

2017-10-16T10:35:06Z

Refresh patches. Fixes the following CVEs: - CVE-2017-1000252 - CVE-2017-12153 - CVE-2017-12154 Signed-off-by: Stijn Tintel