Mathias Kresin [Wed, 22 Aug 2018 04:40:28 +0000 (06:40 +0200)]
ramips: fix GL-MT300N-V2 SoC compatible
According to abbfcc85259a ("ramips: add support for GL-inet
GL-MT300N-V2") the board has a MediaTek MT7628AN. Change the SoC
compatible to match the used hardware.
Mathias Kresin [Wed, 22 Aug 2018 04:26:36 +0000 (06:26 +0200)]
ramips: drop not existing groups from pinmux
RT5350 has neither an rgmii nor an mdio pinmux group. MT7628an doesn't
have a jtag group. Having these groups defined might cause a boot
panic.
The pin controller fails to initialise for kernels > 4.9 if invalid
groups are used. If a subsystem references a pin controller
configuration node, it can not find this node and errors out. In the worst
case it's the SPI driver which errors out and we have no root
filesystem to mount.
Mathias Kresin [Wed, 15 Aug 2018 06:20:33 +0000 (08:20 +0200)]
generic: revert workarounds for AR8337 switch
The intention of 967b6be118e3 ("ar8327: Add workarounds for AR8337
switch") was to remove the register fixups for AR8337. But instead they
were removed for AR8327.
The RGMII RX delay is forced even if the port is used as phy instead of
mac, which results in no packet flow at least for one board.
Jo-Philipp Wich [Thu, 23 Aug 2018 18:03:29 +0000 (20:03 +0200)]
wolfssl: disable broken shipped Job server macro
The AX_AM_JOBSERVER macro shipped with m4/ax_am_jobserver.m4 is broken on
plain POSIX shells due to the use of `let`.
Shells lacking `let` will fail to run the generated m4sh code and end up
invoking "make" with "-jyes" as argument, failing the build.
Since there is no reason in the first place for some random package to
muck with the make job server settings and since we do not want it to
randomly override "-j" either, simply remove references to this defunct
macro to let the build succeed on platforms which do not happen to use bash
as default shell.
Jo-Philipp Wich [Thu, 23 Aug 2018 17:08:58 +0000 (19:08 +0200)]
grub2: rebase patches
Patch 300-CVE-2015-8370.patch was added without proper rebasing on the
version used by OpenWrt; make it apply and refresh the patch to fix
compilation.
Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.
Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua are installed.
Koen Vandeputte [Wed, 22 Aug 2018 11:00:22 +0000 (13:00 +0200)]
ar71xx: fix build error due to bad include
While "rawnand.h" is available in kernel 4.14,
the default for this target is kernel 4.9, in which "nand.h" should be used.
Add an extra check to include the correct file depending on the kernel version.
Fixes these build errors:
drivers/mtd/nand/ar934x_nfc.c:16:10: fatal error: linux/mtd/rawnand.h: No such file or directory
#include <linux/mtd/rawnand.h>
^~~~~~~~~~~~~~~~~~~~~
compilation terminated.
Jo-Philipp Wich [Wed, 22 Aug 2018 05:12:47 +0000 (07:12 +0200)]
iptables: make iptables-mod-conntrack-extra depend on kmod-ipt-raw
Since kernel 4.14 there is no auto assignment of conntrack helpers anymore
so fw3 needs raw table support in order to stage ct helper assignment rules.
/etc/ethers is missing on /rom but always created when dnsmasq
runs. It is better to have it in place and avoid an extra change
in flash after firstboot.
It will generate an extra /etc/ethers-opkg when it has changed.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
David Bauer [Sat, 18 Aug 2018 12:01:59 +0000 (14:01 +0200)]
ath79: fix TL-MR3020 image metadata
Sysupgrading to ath79 from ar71xx currently fails because of mismatching
supported_devices. ar71xx is expecting "tl-mr3020" which is missing in
the ath79 image. Upgrading from ath79 is unaffected, as the image
contains the old string for ar71xx and the new one coming from the
device-tree.
David Bauer [Sat, 18 Aug 2018 16:30:46 +0000 (18:30 +0200)]
ath79: add support for Fritz!Box 4020
This commit adds support for the AVM Fritz!Box 4020 WiFi-router.
SoC: Qualcomm Atheros QCA9561 (Dragonfly) 750MHz
RAM: Winbond W971GG6KB-25
FLASH: Macronix MX25L12835F
WiFi: QCA9561 b/g/n 3x3 450Mbit/s
USB: 1x USB 2.0
IN: WPS button, WiFi button
OUT: Power LED green, Internet LED green, WLAN LED green,
LAN LED green, INFO LED green, INFO LED red
UART: Header next to black metal shield
Pinout is 3.3V - RX - TX - GND (Square Pad is 3.3V)
The Serial setting is 115200-8-N-1.
Tested and working:
- Ethernet (LAN + WAN)
- WiFi (correct MAC)
- Installation via EVA bootloader
- OpenWRT sysupgrade
- Buttons
- LEDs
The USB port doesn't work. Both Root Hubs are detected as having 0 Ports:
[ 3.670807] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 3.723267] usbcore: registered new interface driver usbfs
[ 3.729058] usbcore: registered new interface driver hub
[ 3.734616] usbcore: registered new device driver usb
[ 3.744181] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 3.758357] SCSI subsystem initialized
[ 3.766026] ehci-platform: EHCI generic platform driver
[ 3.771548] ehci-platform ehci-platform.0: EHCI Host Controller
[ 3.777708] ehci-platform ehci-platform.0: new USB bus registered, assigned bus number 1
[ 3.788169] ehci-platform ehci-platform.0: irq 48, io mem 0x1b000000
[ 3.816647] ehci-platform ehci-platform.0: USB 2.0 started, EHCI 0.00
[ 3.824001] hub 1-0:1.0: USB hub found
[ 3.828219] hub 1-0:1.0: config failed, hub doesn't have any ports! (err -19)
[ 3.835825] ehci-platform ehci-platform.1: EHCI Host Controller
[ 3.842009] ehci-platform ehci-platform.1: new USB bus registered, assigned bus number 2
[ 3.852481] ehci-platform ehci-platform.1: irq 49, io mem 0x1b400000
[ 3.886631] ehci-platform ehci-platform.1: USB 2.0 started, EHCI 0.00
[ 3.894011] hub 2-0:1.0: USB hub found
[ 3.898190] hub 2-0:1.0: config failed, hub doesn't have any ports! (err -19)
[ 3.908928] usbcore: registered new interface driver usb-storage
[ 3.915634] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
A few words about the shift-register:
AVM used a trick to control the shift-register for the LEDs with only 2
pins, SERCLK and MOSI. Q7S, normally used for daisy-chaining multiple
shift-registers, pulls the latch, moving the shift register-state to
the storage register. It also pulls down MR (normally pulled up) to
clear the storage register, so the latch gets released and will not be
pulled by the remaining bits in the shift-register. Shift register is
all-zero after this.
For that we need to make sure output 7 is set to high on driver probe.
We accomplish this by using gpio-hogging.
Installation via EVA:
In the first seconds after power is connected, the bootloader will
listen for FTP connections on 169.254.157.1 (might also be 192.168.178.1).
Firmware can be uploaded as follows:
ftp> quote USER adam2
ftp> quote PASS adam2
ftp> binary
ftp> debug
ftp> passive
ftp> quote MEDIA FLSH
ftp> put openwrt-sysupgrade.bin mtd1
Note that this procedure might take up to two minutes. After the transfer is
complete you need to power-cycle the device to boot OpenWRT.
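Added example (not part of the commit above nor OpenWrt's own tooling): the EVA session scripted with Python's ftplib, so the short post-power-on window in which the bootloader listens is caught by retrying the connection instead of by typing fast. The USER/PASS, passive, binary, MEDIA FLSH and STOR mtd1 steps mirror the ftp commands listed above; the helper names, the retry parameters, the RecordingFTP stand-in and the dummy image bytes are this example's own assumptions, constructed so the demo runs offline. Power-cycling the device afterwards remains a manual step.

```python
"""Added example, not part of the commit above or of OpenWrt: a scripted
version of the EVA (ADAM2) FTP upload.  The command sequence mirrors the
ftp session in the commit message; the retry loop, the helper names and
the RecordingFTP stand-in used for the offline demo are this example's own
assumptions, and the dummy image bytes are constructed."""
import ftplib
import io
import socket
import time

EVA_USER = "adam2"
EVA_PASS = "adam2"
EVA_HOST = "169.254.157.1"     # commit message: might also be 192.168.178.1


def eva_upload(image, host=EVA_HOST, ftp_factory=ftplib.FTP,
               timeout=90.0, retry_delay=0.5, sleep=time.sleep):
    """Poll for the bootloader's FTP service, then write `image` to mtd1.

    `image` is a binary file-like object.  The bootloader only listens for
    a few seconds after power-on, so connect() is retried until `timeout`
    seconds have passed.  Returns the (step, server reply) pairs.
    """
    deadline = time.monotonic() + timeout
    ftp = None
    while ftp is None:
        try:
            ftp = ftp_factory(host, timeout=5)
        except (OSError, socket.timeout):   # refused / unreachable: not up yet
            if time.monotonic() >= deadline:
                raise TimeoutError("no EVA bootloader answered on %s" % host)
            sleep(retry_delay)
    replies = []
    replies.append(("USER/PASS", ftp.login(EVA_USER, EVA_PASS)))      # quote USER/PASS adam2
    ftp.set_pasv(True)                                               # passive
    replies.append(("TYPE I", ftp.voidcmd("TYPE I")))                # binary
    replies.append(("MEDIA FLSH", ftp.sendcmd("MEDIA FLSH")))        # select flash as target
    replies.append(("STOR mtd1", ftp.storbinary("STOR mtd1", image)))  # put <image> mtd1
    ftp.quit()
    return replies


class RecordingFTP:
    """Offline stand-in for ftplib.FTP (constructed for the demo): it checks
    that the session looks like what EVA expects and records the commands."""

    def __init__(self, host, timeout=None):
        self.host, self.commands = host, []

    def login(self, user, passwd):
        self.commands += ["USER " + user, "PASS " + passwd]
        if (user, passwd) != (EVA_USER, EVA_PASS):
            raise ftplib.error_perm("530 login failed")
        return "230 logged in"

    def set_pasv(self, on):
        self.commands.append("PASV" if on else "PORT")

    def voidcmd(self, cmd):
        self.commands.append(cmd)
        return "200 ok"

    sendcmd = voidcmd

    def storbinary(self, cmd, fp, blocksize=8192):
        if cmd != "STOR mtd1":
            raise ftplib.error_perm("553 unknown target")
        self.commands.append("%s (%d bytes)" % (cmd, len(fp.read())))
        return "226 transfer complete"

    def quit(self):
        self.commands.append("QUIT")
        return "221 bye"


def demo():
    """Run the upload against RecordingFTP with a constructed dummy image."""
    image = io.BytesIO(b"\x27\x05\x19\x56" + bytes(60))   # constructed, not a real image
    return eva_upload(image, ftp_factory=RecordingFTP, timeout=1, sleep=lambda s: None)


def demo_missed_window():
    """What happens when the bootloader never answers: True if we timed out."""
    def refused(host, timeout=None):
        raise ConnectionRefusedError("simulated: device already booted the OS")
    try:
        eva_upload(io.BytesIO(b"x"), ftp_factory=refused, timeout=0, sleep=lambda s: None)
    except TimeoutError:
        return True
    return False


if __name__ == "__main__":
    for step, reply in demo():
        print("%-10s -> %s" % (step, reply))
```

Against a real device, call `eva_upload(open("openwrt-sysupgrade.bin", "rb"))` right after plugging in the power; because a missed window raises `TimeoutError`, it is reported rather than leaving the device silently unflashed.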
1. Connect the computer to the LAN port of WN-AC1167DGR
2. Connect the power cable to WN-AC1167DGR and turn it on
3. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
4. Select the OpenWrt factory image and click update ("更新") button
5. Wait ~150 seconds to complete flashing
1. Connect the computer to the LAN port of WHR-G301N
2. Connect the power cable to WHR-G301N and turn it on
3. Access to "http://192.168.11.1/" and open firmware update page
("ファーム更新")
4. Select the OpenWrt factory image and click execute ("実行") button
5. Wait ~150 seconds to complete flashing
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
[fix the SUPPORTED_DEVICES to be compatible with the ar71xx image] Signed-off-by: Mathias Kresin <dev@kresin.me>
Mathias Kresin [Wed, 15 Aug 2018 18:18:26 +0000 (20:18 +0200)]
lantiq: add support for upgrade led
Indicate a (sys)upgrade via leds as well. It brings the lantiq diag.sh
script on par with the other implementations using devicetree aliases
to define multiple leds for boot status indication.
By default, use the boot finished led to indicate an upgrade for now.
Mathias Kresin [Wed, 15 Aug 2018 17:12:27 +0000 (19:12 +0200)]
treewide: fix upgrade led handling
The upgrade led is only used if a running led is defined. If no running
led is defined, the upgrade led is ignored and upgrade isn't indicated
at all.
Instead, turn off the running led prior to turning the upgrade led on.
In most cases there isn't any visual change, but it allows to use an
independent led for upgrade indication.
Mathias Kresin [Sun, 18 Feb 2018 21:48:44 +0000 (22:48 +0100)]
cns3xxx: fix mtu setting with kernel 4.14
Since kernel 4.10 commit 61e84623ace3 ("net: centralize net_device
min/max MTU checking"), the range of mtu is [min_mtu, max_mtu], which
is [68, 1500] by default.
It's necessary to set a max_mtu if a mtu > 1500 is supported.
Hauke Mehrtens [Wed, 15 Aug 2018 20:17:11 +0000 (22:17 +0200)]
openssl: update to version 1.0.2p
This fixes the following security problems:
* CVE-2018-0732: Client DoS due to large DH parameter
* CVE-2018-0737: Cache timing vulnerability in RSA Key Generation
Hauke Mehrtens [Wed, 15 Aug 2018 19:50:09 +0000 (21:50 +0200)]
kernel: bump kernel 4.9 to version 4.9.120
The following patch was integrated upstream:
* target/linux/generic/backport-4.9/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch
This fixes or tries to work around the following security problems:
* CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
* CVE-2018-3646 L1 Terminal Fault Virtualization related aspects
Hauke Mehrtens [Wed, 15 Aug 2018 17:47:56 +0000 (19:47 +0200)]
kernel: bump kernel 4.14 to version 4.14.63
The following patches were integrated upstream:
* target/linux/ipq40xx/patches-4.14/050-0006-mtd-nand-qcom-Add-a-NULL-check-for-devm_kasprintf.patch
* target/linux/mediatek/patches-4.14/0177-phy-phy-mtk-tphy-use-auto-instead-of-force-to-bypass.patch
This fixes or tries to work around the following security problems:
* CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
* CVE-2018-3646 L1 Terminal Fault Virtualization related aspects
Dmitry Tunin [Tue, 14 Aug 2018 12:55:15 +0000 (15:55 +0300)]
ath79: use both WNDR3x00 power leds for boot status indication
Use the orange led by default to match the bootloader/stock firmware
behaviour. Turn on the green power led after boot to indicate a
finished boot and the orange one off.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
[reword commit message, keep orange power led enabled during early
kernel boot] Signed-off-by: Mathias Kresin <dev@kresin.me>
Dmitry Tunin [Tue, 14 Aug 2018 12:52:01 +0000 (15:52 +0300)]
ath79: use both DIR-825 B1 power leds for boot status indication
Use the orange led by default to match the bootloader/stock firmware
behaviour. Turn on the blue power led after boot to indicate a finished
boot and the orange one off.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
[reword commit message, keep orange power led enabled during early
kernel boot] Signed-off-by: Mathias Kresin <dev@kresin.me>
The DWR-118-A2 Wireless Router is based on the MT7620A SoC.
Specification:
- MediaTek MT7620A (580 Mhz)
- 128 MB of RAM
- 16 MB of FLASH
- 1x 802.11bgn radio
- 1x 802.11ac radio (MT7612EN)
- 4x 10/100 Mbps Ethernet (1 WAN and 3 LAN)
- 1x 10/100/1000 Mbps Marvell Ethernet PHY (1 LAN)
- 2x external, non-detachable antennas
- 1x USB 2.0
- UART (J1) header on PCB (57600 8n1)
- 7x LED (5x GPIO-controlled), 2x button
- JBOOT bootloader
Known issues:
- GELAN not working
- flash is very slow
The status led has been assigned to the dwr-118-a2:green:internet led.
At the end of the boot it is switched off and is available for other
operations. It also works correctly during sysupgrade.
Installation:
Apply factory image via http web-gui or JBOOT recovery page
How to revert to OEM firmware:
- push the reset button and turn on the power. Wait until the LED starts
blinking (~10 sec.)
- upload original factory image via JBOOT http (IP: 192.168.123.254)
Flash instruction:
1. Get SSH access to the router
2. SSH to the router with `ssh -p 1022 root@192.168.199.1`; the SSH password is the same as the web config one
3. Upload OpenWrt sysupgrade firmware into the router's `/tmp` folder with SCP
4. Run `mtd write /tmp/<filename> firmware`
5. reboot
Everything is working
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
Johann Neuhauser [Mon, 13 Aug 2018 13:11:15 +0000 (15:11 +0200)]
ath79: move TP-Link WR841v9 aliases node from dtsi to dts
Move the alias node of the TP-Link WR841v9 and rename the phandle of
the qss led to qss_led in preparation for adding the very similar
TP-Link WR841v11.
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
Hannu Nyman [Mon, 13 Aug 2018 20:10:47 +0000 (23:10 +0300)]
ath79: Add wifi to WNDR3700, WNDR3700v2 and WNDR3800
Add ath9k wifi capabilities to WNDR3700 family.
* use kmod-owl-loader to load firmware from "art"
* add wifi to DTS
* add wifi LEDs
Avoid using the same MAC for eth0 LAN and wlan0 by
toggling the eth0 MAC into a locally administered MAC.
That is currently done in user-space by adding a
uci config item into /etc/config/network
(More elegant solution might be setting it already in
preinit phase.)
Known issues:
* wifi firmware file may not get created on the first boot
after flashing in time to bring wifi up normally. Likely
the overlay jffs2 is not yet ready for creating the
firmware file. "wifi up" may still bring wifi up.
Wifi will work normally at subsequent boots.
* phy0 and phy1 may get assigned mixed, so that phy0 may
be the 5GHz radio instead of the normal 2.4GHz, and vice
versa for phy1. Does not happen always, but may happen.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
[fix the wifi unit address in the dts] Signed-off-by: Mathias Kresin <dev@kresin.me>
Icenowy Zheng [Sun, 12 Aug 2018 14:32:01 +0000 (22:32 +0800)]
ath79: add support for Pisen WMM003N (Cloud Easy Power)
Pisen WMM003N (sold under the name of Cloud Easy Power) is an
AR9331-based router and power bank combo device. The device uses a
stock firmware modified from OpenWRT for the TP-Link TL-WR703N; however,
some GPIO definitions differ between this device and the TL-WR703N. An
AXP202 PMIC (connected to a 5000mAh battery) and an SD slot are also
added, and the stock Flash/RAM configuration is 8MiB/64MiB.
The stock firmware is an old and heavily modified OpenWRT-based
firmware, which has telnetd open by default, and the root password is
"ifconfig" (quotation marks not included). The factory image format is
not known yet, however the stock firmware ships OpenWRT's sysupgrade
command, and it can be used to install a newer firmware.
Due to the lack of access to the STM8 embedded controller, the SD
slot is currently not usable (because it's muxed with the on-board USB
port) and the AXP PMIC cannot be monitored.
Peter Lundkvist [Fri, 10 Aug 2018 06:48:43 +0000 (08:48 +0200)]
ath79: drop tl prefix for TP-Link RE450 v2
This router is called RE450 and the tl prefix was used to identify it
as a TP-Link device. Drop the tl prefix since we now have tplink in
dts and device name.
Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
packages: nvram: make it possible to include it for ath79 targets
The WD My Net Range Extender stores the MAC addresses inside the
nvram partition. This utility can extract it, but it's currently
not available on the ath79 target. Hence, this patch adds the
necessary target declaration, so it can be built.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Hannu Nyman [Sat, 11 Aug 2018 11:47:21 +0000 (14:47 +0300)]
ath79: create WNDR3700 series .dtsi and adjust WNDR3800
Prepare for addition of WNDR3700 and WNDR3700v2 by
separating the common parts into wndr3700.dtsi and
leaving just the device-specific things in wndr3800.dts
The three routers are identical except
* device IDs
* WNDR3700 (v1) has only 8 MB flash, while others have 16 MB.
Partition structure needs to be defined for each device.
* (WNDR3800 has 128 MB RAM, but RAM size is not in DTS)
Also separate the common parts of the image recipe.
(Drop also the initramfs recipe.)
The wholesale changes introduced in commit f9b8328 missed this DTS file
because it hadn't been merged yet. This patch brings it in line to match
the other mt7620a devices' DTS files.
Additionally, the Internet LED is now labeled correctly and set to unused
by default, since the WAN interface is not known in every configuration.
Using sysupgrade between images before and after this commit will require
the -F flag.
Tested-by: Rohan Murch <rohan.murch@gmail.com> Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
[drop internet led default setting] Signed-off-by: Mathias Kresin <dev@kresin.me>
Ludwig Thomeczek [Tue, 12 Jun 2018 19:16:40 +0000 (21:16 +0200)]
firmware-utils: add sercomm/netgear tool
This adds a tool to generate a firmware file accepted
by Netgear or sercomm devices.
They use a zip-packed rootfs with header and a custom
checksum. The generated Image can be flashed via the
nmrpflash tool or the webinterface of the router.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
Rather than abusing the handshake lock, we're much better off just using
a boring atomic64 for this. It's simpler and performs better. Also, while
we're at it, we set the handshake stamp both before and after the
calculations, in case the calculations block for a really long time waiting
for the RNG to initialize.
* compat: better atomic acquire/release backport
This should fix compilation and correctness on several platforms.
* crypto: move simd context to specific type
This was a suggestion from Andy Lutomirski on LKML.
* chacha20poly1305: selftest: use arrays for test vectors
We no longer have lines so long that they're rejected by SMTP servers.
* qemu: add easy git harness
This makes it a bit easier to use our qemu harness for testing our mainline
integration tree.
* curve25519-x86_64: avoid use of r12
This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.
* chacha20: use memmove in case buffers overlap
A small correctness fix that we never actually hit in WireGuard but is
important especially for moving this into a general purpose library.
Two bitmath fixes from Samuel, which come complete with a z3 script proving
their correctness.
* timers: include header in right file
This fixes compilation in some environments.
* netlink: don't start over iteration on multipart non-first allowedips
Matt Layher found a bug where a netlink dump of peers would never terminate in
some circumstances, causing wg(8) to keep trying forever. We now have a fix as
well as a unit test to mitigate this, and we'll be looking to create a fuzzer
out of Matt's nice library.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Hauke Mehrtens [Sun, 12 Aug 2018 09:31:28 +0000 (11:31 +0200)]
at91: do not build image for at91-q5xr5
The kernel image of the at91-q5xr5 is getting too big now and this is
breaking the build. Remove the image for the at91-q5xr5 from the build
to at least build images for the other devices.
INAGAKI Hiroshi [Fri, 10 Aug 2018 00:07:53 +0000 (09:07 +0900)]
ath79: add support for I-O DATA WN-AC1600DGR2
I-O DATA WN-AC1600DGR2 is a 2.4/5 GHz band 11ac router, based on
Qualcomm Atheros QCA9557.
Specification:
- Qualcomm Atheros QCA9557
- 128 MB of RAM
- 16 MB of Flash
- 2.4/5 GHz wifi
- 2.4 GHz: 2T2R (SoC internal)
- 5 GHz: 3T3R (QCA9880)
- 5x 10/100/1000 Mbps Ethernet
- 6x LEDs, 6x keys (4x buttons, 1x slide switch)
- UART header on PCB
- Vcc, GND, TX, RX from ethernet port side
- 115200n8
Flash instruction using factory image:
1. Connect the computer to the LAN port of WN-AC1600DGR2
2. Connect the power cable to WN-AC1600DGR2 and turn it on
3. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
4. Select the OpenWrt factory image and click update ("更新") button
5. Wait ~150 seconds to complete flashing
ath79: add ath9k calibration data MAC addresses patching
This patch copies over the MAC patching helper functions from lantiq's
target/linux/lantiq/base-files/etc/hotplug.d/firmware/12-ath9k-eeprom
file.
Not all vendors bothered to write the correct MAC addresses for the
ath9k wifi into the calibration data. And while ath9k does have some
special dt-properties to extract the addresses from a fixed position,
there are still devices that require userspace to edit or modify
the caldata.
In my case, the MAC address for the Wi-Fi device is stored in an
unsorted key-value based "nvram" database and there's an existing
userspace tool to extract the data.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Mathias Kresin [Sat, 11 Aug 2018 08:10:21 +0000 (10:10 +0200)]
base-files: add function to get mac as text from flash
Add a function to get a mac stored as text from flash. The octets of
the mac address need to be separated by any separator supported by
macaddr_canonicalize().
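Added example that is not the project's base-files or hotplug.d code: the three MAC-address chores described above (the WNDR3700 commit's locally administered wlan0 address, the ath79 caldata patching, and the base-files text-MAC reader) carried out on in-memory copies of a partition. The partition contents, the caldata blob, the helper names and the offsets are constructed for this demo; MAC_OFF/CHKSUM_OFF follow the AR5416-style base EEPROM header (checksum word at 0x2, MAC at 0xc, both relative to the start of the EEPROM data, which itself sits at a device-specific offset inside the art partition) and must be checked against the real device before use. The point the commits do not spell out is that ath9k only accepts a blob whose 16-bit words XOR to 0xffff, so overwriting the MAC must also fix the checksum word or the driver rejects the calibration data.

```python
"""Added example, not the project's base-files or hotplug code: the MAC
address chores described in the commits above (MAC stored as text in
flash, a locally administered copy for wlan0, and patching it into ath9k
caldata), done on in-memory copies.  The partition contents, the caldata
blob and the offsets are constructed for this demo; MAC_OFF/CHKSUM_OFF
follow the AR5416-style base header (checksum word at 0x2, MAC at 0xc),
which you must verify against your own device's caldata."""
import re

MAC_OFF, CHKSUM_OFF = 0x0c, 0x02
_SEP = re.compile(r"[:\-\s]")


def macaddr_canonicalize(text):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 00 11 22 33 44 55 or
    001122334455; return lower-case colon form, or None if not a MAC."""
    hexstr = _SEP.sub("", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexstr):
        return None
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


def mtd_get_mac_text(part, offset, length=17):
    """Read a MAC stored as text at `offset` of partition bytes `part`
    (first line only, trailing NULs dropped)."""
    raw = part[offset:offset + length].split(b"\n")[0].rstrip(b"\x00")
    return macaddr_canonicalize(raw.decode("ascii", "replace"))


def macaddr_setbit_la(mac):
    """Set the locally administered bit (bit 1 of the first octet) so
    wlan0 gets an address distinct from the eth0 one it is derived from."""
    octets = mac.split(":")
    octets[0] = "%02x" % (int(octets[0], 16) | 0x02)
    return ":".join(octets)


def _xor16(buf):
    """XOR of all little-endian 16-bit words; ath9k requires 0xffff."""
    x = 0
    for i in range(0, len(buf) - 1, 2):
        x ^= buf[i] | (buf[i + 1] << 8)
    return x


def ath9k_eeprom_checksum_ok(cal):
    return _xor16(cal) == 0xffff


def ath9k_patch_mac(cal, mac, mac_off=MAC_OFF, chksum_off=CHKSUM_OFF):
    """Return a copy of `cal` with `mac` at `mac_off` and the checksum word
    at `chksum_off` adjusted so the XOR invariant still holds.  Only the
    changed words can change the XOR, so fold old^new into the checksum
    instead of rescanning the blob (byte order does not matter: swapping
    every word swaps the XOR too, and 0xffff is its own swap)."""
    if mac_off % 2 or chksum_off % 2:
        raise ValueError("offsets must be 16-bit aligned")
    buf = bytearray(cal)
    new = bytes.fromhex(mac.replace(":", ""))
    old = bytes(buf[mac_off:mac_off + 6])
    buf[mac_off:mac_off + 6] = new
    delta = _xor16(old) ^ _xor16(new)
    chk = (buf[chksum_off] | (buf[chksum_off + 1] << 8)) ^ delta
    buf[chksum_off], buf[chksum_off + 1] = chk & 0xff, chk >> 8
    return bytes(buf)


def make_sample_caldata(size=64):
    """Constructed stand-in for an ath9k caldata blob: deterministic filler,
    an all-zero vendor MAC and a checksum word that makes the XOR 0xffff."""
    buf = bytearray((i * 37 + 11) & 0xff for i in range(size))
    buf[MAC_OFF:MAC_OFF + 6] = bytes(6)
    buf[CHKSUM_OFF:CHKSUM_OFF + 2] = bytes(2)
    chk = _xor16(buf) ^ 0xffff
    buf[CHKSUM_OFF], buf[CHKSUM_OFF + 1] = chk & 0xff, chk >> 8
    return bytes(buf)


def demo():
    """eth0 MAC from a text 'nvram' partition, LA copy for wlan0, caldata patched."""
    part = b"\xff" * 16 + b"00-11-22-33-44-55\n" + b"\xff" * 14   # constructed
    eth0 = mtd_get_mac_text(part, 16)
    wlan0 = macaddr_setbit_la(eth0)
    patched = ath9k_patch_mac(make_sample_caldata(), wlan0)
    return eth0, wlan0, patched


if __name__ == "__main__":
    eth0, wlan0, patched = demo()
    print(eth0, "->", wlan0, "checksum ok:", ath9k_eeprom_checksum_ok(patched))
```

The demo keeps the blob in memory; on a device the equivalent is reading the art partition, patching the copy under /lib/firmware and never writing back to flash, which is what the hotplug approach in the commit avoids as well.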
John Crispin [Fri, 10 Aug 2018 13:48:21 +0000 (15:48 +0200)]
wpa_supplicant: fix CVE-2018-14526
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changed the group keys. By default, wpa_supplicant is enforcing
at minimum a ten-second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet, while
the hostapd AP implementation uses a 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, a practical attack would need a large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
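Added example, not wpa_supplicant code: a small model of the malleability the advisory describes, with the pre-fix supplicant logic beside the fixed one. The RC4 keying (key = EAPOL-Key IV || KEK, first 256 keystream bytes discarded) and the HMAC-MD5 MIC computed over the frame with the MIC field zeroed follow the key descriptor version used with TKIP; the frame layout here (flags || IV || MIC || Key Data), the flag bits, the keys and the GTK payload are simplified and constructed for the demo.

```python
"""Added example, not wpa_supplicant code: a model of the malleability the
advisory describes.  The RC4 keying (key = EAPOL-Key IV || KEK, first 256
keystream bytes discarded) and the HMAC-MD5 MIC over the frame with the MIC
field zeroed follow the 802.11 key descriptor version used with TKIP; the
frame layout here (flags || IV || MIC || Key Data), the flag bits, the key
material and the GTK payload are constructed and simplified for the demo."""
import hashlib
import hmac

FLAG_MIC, FLAG_ENC = 0x01, 0x02   # demo stand-ins for the Key Info MIC / Encrypted Key Data bits
IV_LEN = MIC_LEN = 16
HDR_LEN = 1 + IV_LEN


def rc4(key, data, skip=256):
    """Plain RC4; `skip` discards leading keystream bytes (256 for EAPOL-Key)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xff
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for n in range(skip + len(data)):
        i = (i + 1) & 0xff
        j = (j + S[i]) & 0xff
        S[i], S[j] = S[j], S[i]
        if n >= skip:
            out.append(data[n - skip] ^ S[(S[i] + S[j]) & 0xff])
    return bytes(out)


def _mic(kck, frame):
    """HMAC-MD5 over the frame with the MIC field zeroed."""
    zeroed = frame[:HDR_LEN] + bytes(MIC_LEN) + frame[HDR_LEN + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def build_eapol_key(kck, kek, iv, key_data):
    """Authenticator side: encrypt Key Data, then MIC the whole frame."""
    frame = bytes([FLAG_MIC | FLAG_ENC]) + iv + bytes(MIC_LEN) + rc4(iv + kek, key_data)
    return frame[:HDR_LEN] + _mic(kck, frame) + frame[HDR_LEN + MIC_LEN:]


def process_eapol_key(frame, kck, kek, hardened=True):
    """Supplicant side.  Returns the Key Data plaintext, or None if dropped.
    hardened=False models the pre-fix logic: the MIC is only checked when
    the frame claims to carry one, yet encrypted Key Data is decrypted anyway."""
    flags, iv = frame[0], frame[1:HDR_LEN]
    mic, enc = frame[HDR_LEN:HDR_LEN + MIC_LEN], frame[HDR_LEN + MIC_LEN:]
    mic_ok = hmac.compare_digest(mic, _mic(kck, frame))
    if flags & FLAG_MIC and not mic_ok:
        return None                      # both versions reject a bad MIC
    if hardened and flags & FLAG_ENC and not (flags & FLAG_MIC and mic_ok):
        return None                      # fix: never decrypt what was not authenticated
    return rc4(iv + kek, enc) if flags & FLAG_ENC else enc


def attacker_tamper(frame, offset, mask):
    """Clear the MIC flag and XOR `mask` into the ciphertext at `offset`.
    RC4 is a stream cipher, so the same XOR lands on the decrypted Key Data:
    the attacker flips GTK bits without knowing KEK, KCK or the GTK."""
    buf = bytearray(frame)
    buf[0] &= 0xff ^ FLAG_MIC
    for k, m in enumerate(mask):
        buf[HDR_LEN + MIC_LEN + offset + k] ^= m
    return bytes(buf)


def demo():
    kck, kek = b"K" * 16, b"E" * 16                          # constructed handshake keys
    iv = bytes(range(16))
    gtk = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed GTK payload
    frame = build_eapol_key(kck, kek, iv, gtk)
    mask = b"\xff\xff\xff\xff"
    evil = attacker_tamper(frame, 0, mask)
    corrupt = bytes(a ^ b for a, b in zip(gtk, mask + bytes(len(gtk) - len(mask))))
    return {
        "honest": process_eapol_key(frame, kck, kek),
        "vulnerable": process_eapol_key(evil, kck, kek, hardened=False),
        "fixed": process_eapol_key(evil, kck, kek, hardened=True),
        "corrupt_gtk": corrupt,
    }


if __name__ == "__main__":
    r = demo()
    print("vulnerable supplicant installed:", r["vulnerable"].hex())
    print("fixed supplicant installed:", r["fixed"])
```

The demo returns the GTK a vulnerable supplicant would install after the attacker inverts its first four bytes, while the hardened path returns None for the same frame; the decryption-oracle variant in the advisory is the same XOR trick repeated with the station's accept/reject behaviour as the signal. On OpenWrt the configuration-side mitigation from the advisory is to select CCMP only, e.g. `option encryption 'psk2+ccmp'` in /etc/config/wireless rather than a `+tkip` variant.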
Thibaut VARÈNE [Thu, 9 Aug 2018 18:33:45 +0000 (20:33 +0200)]
base-files: make wifi report unknown command
Avoid having /sbin/wifi silently ignore unknown keywords and execute
"up"; instead display the help message and exit with an error.
Spell out the "up" keyword (which has users), add it to usage output,
and preserve the implicit assumption that running /sbin/wifi without
argument performs "up".