LEDE v17.01.4: adjust config defaults

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

feeds.conf.default

@@ -1,4 +1,4 @@
-src-git packages https://git.lede-project.org/feed/packages.git^dc558eaa296686603c1730c1aab01f3ea69d7831
-src-git luci https://git.lede-project.org/project/luci.git^7f6fc1681f7becc514a58082e871f3855d3a123f
-src-git routing https://git.lede-project.org/feed/routing.git^dbbad8472288498c17825303d834da3ee5030806
-src-git telephony https://git.lede-project.org/feed/telephony.git^1f0fb2538ba6fc306198fe2a9a4b976d63adb304
+src-git packages https://git.lede-project.org/feed/packages.git^cd5c448758f30868770b9ebf8b656c1a4211a240
+src-git luci https://git.lede-project.org/project/luci.git^d3f0685d63c1291359dc5dd089c82fa1e150e0c6
+src-git routing https://git.lede-project.org/feed/routing.git^d11075cd40a88602bf4ba2b275f72100ddcb4767
+src-git telephony https://git.lede-project.org/feed/telephony.git^ac6415e61f147a6892fd2785337aec93ddc68fa9

include/host-build.mk

@@ -77,6 +77,10 @@ HOST_MAKE_FLAGS =
 
 HOST_CONFIGURE_CMD = $(BASH) ./configure
 
+ifeq ($(HOST_OS),Darwin)
+  HOST_CONFIG_SITE:=$(INCLUDE_DIR)/site/darwin
+endif
+
 define Host/Configure/Default
 	$(if $(HOST_CONFIGURE_PARALLEL),+)(cd $(HOST_BUILD_DIR)/$(3); \
 		if [ -x configure ]; then \
@@ -127,6 +131,7 @@ define Host/Exports/Default
   $(1) : export PKG_CONFIG_PATH=$$(STAGING_DIR_HOST)/lib/pkgconfig:$$(HOST_BUILD_PREFIX)/lib/pkgconfig
   $(1) : export PKG_CONFIG_LIBDIR=$$(HOST_BUILD_PREFIX)/lib/pkgconfig
   $(1) : export CCACHE_DIR:=$(STAGING_DIR_HOST)/ccache
+  $(if $(HOST_CONFIG_SITE),$(1) : export CONFIG_SITE:=$(HOST_CONFIG_SITE))
   $(if $(IS_PACKAGE_BUILD),$(1) : export PATH=$$(TARGET_PATH_PKG))
 endef
 Host/Exports=$(Host/Exports/Default)

include/image-legacy.mk

@@ -48,6 +48,7 @@ endef
 ifdef TARGET_PER_DEVICE_ROOTFS
   define Image/Build/Profile/Filesystem
 	cp $(KDIR)/root.$(2)+pkg=$(3) $(KDIR)/root.$(2)
+	$(call Image/Build/$(2),$(2))
 	$(call Image/Build/Profile,$(1),$(2))
   endef
 else

include/kernel-version.mk

@@ -3,10 +3,10 @@
 LINUX_RELEASE?=1
 
 LINUX_VERSION-3.18 = .43
-LINUX_VERSION-4.4 = .71
+LINUX_VERSION-4.4 = .92
 
 LINUX_KERNEL_HASH-3.18.43 = 1236e8123a6ce537d5029232560966feed054ae31776fe8481dd7d18cdd5492c
-LINUX_KERNEL_HASH-4.4.71 = 44cd5532d6df32197fd0f89e6f8c542fcfb76b52155a4d3a609ef4898522e6ab
+LINUX_KERNEL_HASH-4.4.92 = 53f8cd8b024444df0f242f8e6ab5147b0b009d7a30e8b2ed3854e8d17937460d
 
 ifdef KERNEL_PATCHVER
   LINUX_VERSION:=$(KERNEL_PATCHVER)$(strip $(LINUX_VERSION-$(KERNEL_PATCHVER)))

include/kernel.mk

@@ -131,7 +131,7 @@ define ModuleAutoLoad
 	}; \
 	$(3) \
 	if [ -n "$$$$$$$$modules" ]; then \
-		modules="$$$$$$$$(echo "$$$$$$$$modules" | tr ' ' '\n' | sort | uniq | paste -s -d' ')"; \
+		modules="$$$$$$$$(echo "$$$$$$$$modules" | tr ' ' '\n' | sort | uniq | paste -s -d' ' -)"; \
 		mkdir -p $(2)/etc/modules.d; \
 		mkdir -p $(2)/CONTROL; \
 		echo "#!/bin/sh" > $(2)/CONTROL/postinst-pkg; \

include/site/darwin

@@ -0,0 +1,2 @@
+ac_cv_func_futimens=no
+ac_cv_func_utimensat=no

include/version.mk

@@ -31,16 +31,16 @@ qstrip_escape=$(subst ','\'',$(call qstrip,$(1)))
 sanitize = $(call tolower,$(subst _,-,$(subst $(space),-,$(1))))
 
 VERSION_NUMBER:=$(call qstrip_escape,$(CONFIG_VERSION_NUMBER))
-VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),17.01.2)
+VERSION_NUMBER:=$(if $(VERSION_NUMBER),$(VERSION_NUMBER),17.01.4)
 
 VERSION_CODE:=$(call qstrip_escape,$(CONFIG_VERSION_CODE))
-VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r3435-65eec8bd5f)
+VERSION_CODE:=$(if $(VERSION_CODE),$(VERSION_CODE),r3560-79f57e422d)
 
 VERSION_NICK:=$(call qstrip_escape,$(CONFIG_VERSION_NICK))
 VERSION_NICK:=$(if $(VERSION_NICK),$(VERSION_NICK),$(RELEASE))
 
 VERSION_REPO:=$(call qstrip_escape,$(CONFIG_VERSION_REPO))
-VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.lede-project.org/releases/17.01.2)
+VERSION_REPO:=$(if $(VERSION_REPO),$(VERSION_REPO),http://downloads.lede-project.org/releases/17.01.4)
 
 VERSION_DIST:=$(call qstrip_escape,$(CONFIG_VERSION_DIST))
 VERSION_DIST:=$(if $(VERSION_DIST),$(VERSION_DIST),LEDE)

package/base-files/Makefile

@@ -11,14 +11,15 @@ include $(INCLUDE_DIR)/kernel.mk
 include $(INCLUDE_DIR)/version.mk
 
 PKG_NAME:=base-files
-PKG_RELEASE:=173
+PKG_RELEASE:=173.1
 PKG_FLAGS:=nonshared
 
 PKG_FILE_DEPENDS:=$(PLATFORM_DIR)/ $(GENERIC_PLATFORM_DIR)/base-files/
 PKG_BUILD_DEPENDS:=usign/host
 PKG_LICENSE:=GPL-2.0
 
-PKG_CONFIG_DEPENDS := CONFIG_SIGNED_PACKAGES CONFIG_TARGET_INIT_PATH CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE
+# Extend depends from version.mk
+PKG_CONFIG_DEPENDS += CONFIG_SIGNED_PACKAGES CONFIG_TARGET_INIT_PATH CONFIG_TARGET_PREINIT_DISABLE_FAILSAFE
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -137,6 +138,7 @@ define Package/base-files/install
 
 	mkdir -p $(1)/CONTROL
 	mkdir -p $(1)/dev
+	mkdir -p $(1)/etc/config
 	mkdir -p $(1)/etc/crontabs
 	mkdir -p $(1)/etc/rc.d
 	mkdir -p $(1)/overlay

package/base-files/files/bin/config_generate

@@ -119,17 +119,14 @@ generate_network() {
 		;;
 
 		pppoe)
-			# fixup IPv6 slave interface
-			ifname="pppoe-$1"
-
 			uci -q batch <<-EOF
 				set network.$1.proto='pppoe'
 				set network.$1.username='username'
 				set network.$1.password='password'
-				set network.$1.ipv6='auto'
+				set network.$1.ipv6='1'
 				delete network.${1}6
 				set network.${1}6='interface'
-				set network.${1}6.ifname='$ifname'
+				set network.${1}6.ifname='@${1}'
 				set network.${1}6.proto='dhcpv6'
 			EOF
 		;;

package/base-files/files/lib/preinit/10_indicate_preinit

@@ -96,6 +96,8 @@ preinit_config_board() {
 }
 
 preinit_ip() {
+	[ "$pi_preinit_no_failsafe" = "y" ] && return
+
 	# if the preinit interface isn't specified and ifname is set in
 	# preinit.arch use that interface
 	if [ -z "$pi_ifname" ]; then
@@ -107,6 +109,8 @@ preinit_ip() {
 	elif [ -d "/etc/board.d/" ]; then
 		preinit_config_board
 	fi
+
+	preinit_net_echo "Doing Lede Preinit\n"
 }
 
 preinit_ip_deconfig() {
@@ -146,7 +150,6 @@ preinit_echo() {
 }
 
 pi_indicate_preinit() {
-	preinit_net_echo "Doing Lede Preinit\n"
 	set_state preinit
 }
 

package/base-files/image-config.in

@@ -190,7 +190,7 @@ if VERSIONOPT
 	config VERSION_REPO
 		string
 		prompt "Release repository"
-		default "http://downloads.lede-project.org/releases/17.01.2"
+		default "http://downloads.lede-project.org/releases/17.01.4"
 		help
 			This is the repository address embedded in the image, it defaults
 			to the trunk snapshot repo; the url may contain the following placeholders:

package/boot/uboot-envtools/files/ar71xx

@@ -18,6 +18,7 @@ a40|\
 a60|\
 alfa-ap120c|\
 all0258n|\
+ap121f|\
 ap90q|\
 cap324|\
 cap4200ag|\

package/kernel/lantiq/ltq-vdsl-mei/Makefile

@@ -9,7 +9,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ltq-vdsl-vr9-mei
 PKG_VERSION:=1.5.17.6
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
 PKG_BASE_NAME:=drv_mei_cpe
 PKG_SOURCE:=$(PKG_BASE_NAME)-$(PKG_VERSION).tar.gz

package/kernel/lantiq/ltq-vdsl/Makefile

@@ -9,7 +9,7 @@ include $(INCLUDE_DIR)/kernel.mk
 
 PKG_NAME:=ltq-vdsl-vr9
 PKG_VERSION:=4.17.18.6
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_BASE_NAME:=drv_dsl_cpe_api
 PKG_SOURCE:=$(PKG_BASE_NAME)_vrx-$(PKG_VERSION).tar.gz

package/kernel/lantiq/ltq-vdsl/patches/110-semaphore-lock.patch

@@ -0,0 +1,107 @@
+--- a/src/include/drv_dsl_cpe_pm_core.h
++++ b/src/include/drv_dsl_cpe_pm_core.h
+@@ -1510,9 +1510,9 @@ typedef struct
+    /** Common PM module mutex*/
+    DSL_DRV_Mutex_t pmMutex;
+    /** PM module direction Near-End mutex*/
+-   DSL_DRV_Mutex_t pmNeMutex;
++   struct semaphore pmNeMutex;
+    /** PM module direction Far-End mutex*/
+-   DSL_DRV_Mutex_t pmFeMutex;
++   struct semaphore pmFeMutex;
+    /** PM module Near-End access mutex*/
+    DSL_DRV_Mutex_t pmNeAccessMutex;
+    /** PM module Far-End access mutex*/
+--- a/src/pm/drv_dsl_cpe_api_pm.c
++++ b/src/pm/drv_dsl_cpe_api_pm.c
+@@ -220,9 +220,9 @@ DSL_Error_t DSL_DRV_PM_Start(
+    /* init PM module common mutex */
+    DSL_DRV_MUTEX_INIT(DSL_DRV_PM_CONTEXT(pContext)->pmMutex);
+    /* init PM module direction Near-End mutex */
+-   DSL_DRV_MUTEX_INIT(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex);
++   sema_init(&(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex),1);
+    /* init PM module direction Far-End mutex */
+-   DSL_DRV_MUTEX_INIT(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex);
++   sema_init(&(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex),1);
+    /* init PM module Near-End access mutex */
+    DSL_DRV_MUTEX_INIT(DSL_DRV_PM_CONTEXT(pContext)->pmNeAccessMutex);
+    /* init PM module Far-End access mutex */
+@@ -592,7 +592,7 @@ DSL_Error_t DSL_DRV_PM_Stop(
+    if( DSL_DRV_PM_CONTEXT(pContext)->pmThreadFe.bRun != DSL_TRUE )
+    {
+       DSL_DEBUG(DSL_DBG_WRN,
+-         (pContext, SYS_DBG_WRN"DSL[%02d]: PM module Near-End thread already stopped"
++         (pContext, SYS_DBG_WRN"DSL[%02d]: PM module Far-End thread already stopped"
+          DSL_DRV_CRLF, DSL_DEV_NUM(pContext)));
+    }
+    else
+--- a/src/pm/drv_dsl_cpe_pm_core.c
++++ b/src/pm/drv_dsl_cpe_pm_core.c
+@@ -1022,7 +1022,7 @@ DSL_Error_t DSL_DRV_PM_DirectionMutexCon
+    {
+       if( bLock )
+       {
+-         if( DSL_DRV_MUTEX_LOCK(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex) )
++         if(down_interruptible(&(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex)))
+          {
+             DSL_DEBUG( DSL_DBG_ERR,
+                (pContext, SYS_DBG_ERR"DSL[%02d]: ERROR - Couldn't lock PM NE mutex!"
+@@ -1034,14 +1034,14 @@ DSL_Error_t DSL_DRV_PM_DirectionMutexCon
+       else
+       {
+           /* Unlock PM module NE Mutex*/
+-          DSL_DRV_MUTEX_UNLOCK(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex);
++          up(&(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex));
+       }
+    }
+    else
+    {
+       if( bLock )
+       {
+-         if( DSL_DRV_MUTEX_LOCK(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex) )
++         if(down_interruptible(&(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex)))
+          {
+             DSL_DEBUG( DSL_DBG_ERR,
+                (pContext, SYS_DBG_ERR"DSL[%02d]: ERROR - Couldn't lock PM FE mutex!"
+@@ -1053,7 +1053,7 @@ DSL_Error_t DSL_DRV_PM_DirectionMutexCon
+       else
+       {
+          /* Unlock PM module FE Mutex*/
+-         DSL_DRV_MUTEX_UNLOCK(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex);
++         up(&(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex));
+       }
+    }
+ 
+@@ -1139,7 +1139,7 @@ DSL_Error_t DSL_DRV_PM_Lock(DSL_Context_
+    if( !(DSL_DRV_PM_CONTEXT(pContext)->bPmLock) )
+    {
+       /* Lock PM module Near-End Mutex*/
+-      if( DSL_DRV_MUTEX_LOCK(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex) )
++      if(down_interruptible(&(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex)))
+       {
+          DSL_DEBUG( DSL_DBG_ERR,
+             (pContext, SYS_DBG_ERR"DSL[%02d]: ERROR - Couldn't lock PM NE mutex!"
+@@ -1148,8 +1148,8 @@ DSL_Error_t DSL_DRV_PM_Lock(DSL_Context_
+          return DSL_ERR_SEMAPHORE_GET;
+       }
+ 
+-      /* Lock PM module Near-End Mutex*/
+-      if( DSL_DRV_MUTEX_LOCK(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex) )
++      /* Lock PM module Far-End Mutex*/
++      if( down_interruptible(&(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex)) )
+       {
+          DSL_DEBUG( DSL_DBG_ERR,
+             (pContext, SYS_DBG_ERR"DSL[%02d]: ERROR - Couldn't lock PM FE mutex!"
+@@ -1193,10 +1193,10 @@ DSL_Error_t DSL_DRV_PM_UnLock(DSL_Contex
+    if( DSL_DRV_PM_CONTEXT(pContext)->bPmLock )
+    {
+       /* Unlock PM module NE Mutex*/
+-      DSL_DRV_MUTEX_UNLOCK(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex);
++      up(&(DSL_DRV_PM_CONTEXT(pContext)->pmNeMutex));
+ 
+       /* Unlock PM module FE Mutex*/
+-      DSL_DRV_MUTEX_UNLOCK(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex);
++      up(&(DSL_DRV_PM_CONTEXT(pContext)->pmFeMutex));
+ 
+       /* Clear bPmLock flag*/
+       DSL_DRV_PM_CONTEXT(pContext)->bPmLock = DSL_FALSE;

package/kernel/linux/modules/netfilter.mk

@@ -360,8 +360,6 @@ define KernelPackage/nf-nathelper/description
  Default Netfilter (IPv4) Conntrack and NAT helpers
  Includes:
  - ftp
- - irc
- - tftp
 endef
 
 $(eval $(call KernelPackage,nf-nathelper))
@@ -381,11 +379,13 @@ define KernelPackage/nf-nathelper-extra/description
  Includes:
  - amanda
  - h323
+ - irc
  - mms
  - pptp
  - proto_gre
  - sip
  - snmp_basic
+ - tftp
  - broadcast
 endef
 

package/kernel/mac80211/Makefile

@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=2017-01-31
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
 PKG_BACKPORT_VERSION:=
 PKG_HASH:=75e6d39e34cf156212a2509172a4a62b673b69eb4a1d9aaa565f7fa719fa2317

package/kernel/mac80211/files/lib/wifi/mac80211.sh

@@ -92,7 +92,7 @@ detect_mac80211() {
 			htmode="VHT80"
 		}
 
-		[ -n $htmode ] && ht_capab="set wireless.radio${devidx}.htmode=$htmode"
+		[ -n "$htmode" ] && ht_capab="set wireless.radio${devidx}.htmode=$htmode"
 
 		if [ -x /usr/bin/readlink -a -h /sys/class/ieee80211/${dev} ]; then
 			path="$(readlink -f /sys/class/ieee80211/${dev}/device)"

package/kernel/mac80211/files/regdb.txt

@@ -85,12 +85,20 @@ country AT: DFS-ETSI
 	# 60 GHz band channels 1-4, ref: Etsi En 302 567
 	(57000 - 66000 @ 2160), (40)
 
+# Source:
+# https://www.legislation.gov.au/Details/F2016C00432
+# Both DFS-ETSI and DFS-FCC are acceptable per AS/NZS 4268 Appendix B.
+# The EIRP for DFS bands can be increased by 3dB if TPC is implemented.
+# In order to allow 80MHz operation between 5650-5730MHz the upper boundary
+# of this more restrictive band has been shifted up by 5MHz from 5725MHz.
 country AU: DFS-ETSI
-	(2402 - 2482 @ 40), (20)
-	(5170 - 5250 @ 80), (17), AUTO-BW
-	(5250 - 5330 @ 80), (24), DFS, AUTO-BW
-	(5490 - 5710 @ 160), (24), DFS
-	(5735 - 5835 @ 80), (30)
+	(2400 - 2483.5 @ 40), (36)
+	(5150 - 5250 @ 80), (23), NO-OUTDOOR, AUTO-BW
+	(5250 - 5350 @ 80), (20), NO-OUTDOOR, AUTO-BW, DFS
+	(5470 - 5600 @ 80), (27), DFS
+	(5650 - 5730 @ 80), (27), DFS
+	(5730 - 5850 @ 80), (36)
+	(57000 - 66000 @ 2160), (43), NO-OUTDOOR
 
 country AW: DFS-ETSI
 	(2402 - 2482 @ 40), (20)
@@ -230,9 +238,9 @@ country BZ: DFS-JP
 
 country CA: DFS-FCC
 	(2402 - 2472 @ 40), (30)
-	(5170 - 5250 @ 80), (17), AUTO-BW
-	(5250 - 5330 @ 80), (24), DFS, AUTO-BW
-	(5490 - 5600 @ 80), (24), DFS
+	(5150 - 5250 @ 80), (23), AUTO-BW
+	(5250 - 5350 @ 80), (24), DFS, AUTO-BW
+	(5470 - 5600 @ 80), (24), DFS
 	(5650 - 5730 @ 80), (24), DFS
 	(5735 - 5835 @ 80), (30)
 
@@ -580,11 +588,10 @@ country IL: DFS-ETSI
 	(5150 - 5250 @ 80), (200 mW), NO-OUTDOOR, AUTO-BW
 	(5250 - 5350 @ 80), (200 mW), NO-OUTDOOR, DFS, AUTO-BW
 
-country IN: DFS-JP
+country IN:
 	(2402 - 2482 @ 40), (20)
-	(5170 - 5250 @ 80), (20), AUTO-BW
-	(5250 - 5330 @ 80), (20), DFS, AUTO-BW
-	(5735 - 5835 @ 80), (20)
+	(5150 - 5350 @ 160), (23)
+	(5725 - 5875 @ 80), (23)
 
 country IR: DFS-JP
 	(2402 - 2482 @ 40), (20)

package/kernel/mac80211/patches/326-brcmfmac-add-length-check-in-brcmf_cfg80211_escan_ha.patch

@@ -0,0 +1,63 @@
+From: Arend Van Spriel <arend.vanspriel@broadcom.com>
+Date: Tue, 12 Sep 2017 10:47:53 +0200
+Subject: [PATCH] brcmfmac: add length check in brcmf_cfg80211_escan_handler()
+
+Upon handling the firmware notification for scans the length was
+checked properly and may result in corrupting kernel heap memory
+due to buffer overruns. This fix addresses CVE-2017-0786.
+
+Cc: stable@vger.kernel.org # v4.0.x
+Cc: Kevin Cernekee <cernekee@chromium.org>
+Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
+Reviewed-by: Franky Lin <franky.lin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3088,6 +3088,7 @@ brcmf_cfg80211_escan_handler(struct brcm
+ 	struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
+ 	s32 status;
+ 	struct brcmf_escan_result_le *escan_result_le;
++	u32 escan_buflen;
+ 	struct brcmf_bss_info_le *bss_info_le;
+ 	struct brcmf_bss_info_le *bss = NULL;
+ 	u32 bi_length;
+@@ -3104,11 +3105,23 @@ brcmf_cfg80211_escan_handler(struct brcm
+ 
+ 	if (status == BRCMF_E_STATUS_PARTIAL) {
+ 		brcmf_dbg(SCAN, "ESCAN Partial result\n");
++		if (e->datalen < sizeof(*escan_result_le)) {
++			brcmf_err("invalid event data length\n");
++			goto exit;
++		}
+ 		escan_result_le = (struct brcmf_escan_result_le *) data;
+ 		if (!escan_result_le) {
+ 			brcmf_err("Invalid escan result (NULL pointer)\n");
+ 			goto exit;
+ 		}
++		escan_buflen = le32_to_cpu(escan_result_le->buflen);
++		if (escan_buflen > BRCMF_ESCAN_BUF_SIZE ||
++		    escan_buflen > e->datalen ||
++		    escan_buflen < sizeof(*escan_result_le)) {
++			brcmf_err("Invalid escan buffer length: %d\n",
++				  escan_buflen);
++			goto exit;
++		}
+ 		if (le16_to_cpu(escan_result_le->bss_count) != 1) {
+ 			brcmf_err("Invalid bss_count %d: ignoring\n",
+ 				  escan_result_le->bss_count);
+@@ -3125,9 +3138,8 @@ brcmf_cfg80211_escan_handler(struct brcm
+ 		}
+ 
+ 		bi_length = le32_to_cpu(bss_info_le->length);
+-		if (bi_length != (le32_to_cpu(escan_result_le->buflen) -
+-					WL_ESCAN_RESULTS_FIXED_SIZE)) {
+-			brcmf_err("Invalid bss_info length %d: ignoring\n",
++		if (bi_length != escan_buflen -	WL_ESCAN_RESULTS_FIXED_SIZE) {
++			brcmf_err("Ignoring invalid bss_info length: %d\n",
+ 				  bi_length);
+ 			goto exit;
+ 		}

package/kernel/mac80211/patches/327-mac80211-accept-key-reinstall-without-changing-anyth.patch

@@ -0,0 +1,81 @@
+From fdf7cb4185b60c68e1a75e61691c4afdc15dea0e Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 5 Sep 2017 14:54:54 +0200
+Subject: [PATCH] mac80211: accept key reinstall without changing anything
+
+When a key is reinstalled we can reset the replay counters
+etc. which can lead to nonce reuse and/or replay detection
+being impossible, breaking security properties, as described
+in the "KRACK attacks".
+
+In particular, CVE-2017-13080 applies to GTK rekeying that
+happened in firmware while the host is in D3, with the second
+part of the attack being done after the host wakes up. In
+this case, the wpa_supplicant mitigation isn't sufficient
+since wpa_supplicant doesn't know the GTK material.
+
+In case this happens, simply silently accept the new key
+coming from userspace but don't take any action on it since
+it's the same key; this keeps the PN replay counters intact.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ net/mac80211/key.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index a98fc2b5e0dc..ae995c8480db 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -4,7 +4,7 @@
+  * Copyright 2006-2007	Jiri Benc <jbenc@suse.cz>
+  * Copyright 2007-2008	Johannes Berg <johannes@sipsolutions.net>
+  * Copyright 2013-2014  Intel Mobile Communications GmbH
+- * Copyright 2015	Intel Deutschland GmbH
++ * Copyright 2015-2017	Intel Deutschland GmbH
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -620,9 +620,6 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 
+ 	pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE;
+ 	idx = key->conf.keyidx;
+-	key->local = sdata->local;
+-	key->sdata = sdata;
+-	key->sta = sta;
+ 
+ 	mutex_lock(&sdata->local->key_mtx);
+ 
+@@ -633,6 +630,21 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 	else
+ 		old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]);
+ 
++	/*
++	 * Silently accept key re-installation without really installing the
++	 * new version of the key to avoid nonce reuse or replay issues.
++	 */
++	if (old_key && key->conf.keylen == old_key->conf.keylen &&
++	    !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) {
++		ieee80211_key_free_unused(key);
++		ret = 0;
++		goto out;
++	}
++
++	key->local = sdata->local;
++	key->sdata = sdata;
++	key->sta = sta;
++
+ 	increment_tailroom_need_count(sdata);
+ 
+ 	ieee80211_key_replace(sdata, sta, pairwise, old_key, key);
+@@ -648,6 +660,7 @@ int ieee80211_key_link(struct ieee80211_key *key,
+ 		ret = 0;
+ 	}
+ 
++ out:
+ 	mutex_unlock(&sdata->local->key_mtx);
+ 
+ 	return ret;
+-- 
+2.13.6
+

package/kernel/mt76/Makefile

@@ -1,16 +1,16 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mt76
-PKG_RELEASE=2
+PKG_RELEASE=1
 
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=
 
 PKG_SOURCE_URL:=https://github.com/openwrt/mt76
 PKG_SOURCE_PROTO:=git
-PKG_SOURCE_DATE:=2017-01-31
-PKG_SOURCE_VERSION:=3c8caafc5e150db79f714b958a51cee8f242f309
-PKG_MIRROR_HASH:=c03c166466cb7ea825e52cd085511045e3847d927ba2bde2b8fb46595a3ed13a
+PKG_SOURCE_DATE:=2017-10-12
+PKG_SOURCE_VERSION:=1be430fc8ae486e61f51f76925b30d6ff64c37dd
+PKG_MIRROR_HASH:=992e3d86d493b976ec23fb4f1179a72c3e34199c6ec5a93f37069555c9b19d9c
 
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_BUILD_PARALLEL:=1

package/libs/mbedtls/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.4.2
+PKG_VERSION:=2.6.0
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=d01f2d5586a52055329d194d909103f445bd2d0b6b2b5f1c830fbf828ac6299f
+PKG_HASH:=a99959d7360def22f9108d2d487c9de384fe76c349697176b1f22370080d5810
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+

package/libs/mbedtls/patches/200-config.patch

@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -191,7 +191,7 @@
+@@ -220,7 +220,7 @@
   *
   * Uncomment to get errors on using deprecated functions.
   */
@@ -9,7 +9,7 @@
  
  /* \} name SECTION: System support */
  
-@@ -441,17 +441,17 @@
+@@ -539,17 +539,17 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -35,7 +35,7 @@
  #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
  
  /**
-@@ -476,8 +476,8 @@
+@@ -574,8 +574,8 @@
   * Requires: MBEDTLS_HMAC_DRBG_C
   *
   * Comment this macro to disable deterministic ECDSA.
@@ -45,7 +45,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
-@@ -523,7 +523,7 @@
+@@ -621,7 +621,7 @@
   *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
   */
@@ -54,7 +54,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -542,8 +542,8 @@
+@@ -640,8 +640,8 @@
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -568,7 +568,7 @@
+@@ -666,7 +666,7 @@
   *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -695,7 +695,7 @@
+@@ -793,7 +793,7 @@
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -719,7 +719,7 @@
+@@ -817,7 +817,7 @@
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -823,7 +823,7 @@
+@@ -921,7 +921,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -917,14 +917,14 @@
+@@ -1015,14 +1015,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -940,7 +940,7 @@
+@@ -1038,7 +1038,7 @@
   *
   * Uncomment to enable the smaller implementation of SHA256.
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
-@@ -1059,8 +1059,8 @@
+@@ -1157,8 +1157,8 @@
   * misuse/misunderstand.
   *
   * Comment this to disable support for renegotiation.
@@ -136,7 +136,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1234,8 +1234,8 @@
+@@ -1332,8 +1332,8 @@
   * callbacks are provided by MBEDTLS_SSL_TICKET_C.
   *
   * Comment this macro to disable support for SSL session tickets
@@ -146,7 +146,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1265,7 +1265,7 @@
+@@ -1363,7 +1363,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -155,7 +155,7 @@
  
  /**
   * \def MBEDTLS_THREADING_ALT
-@@ -1299,8 +1299,8 @@
+@@ -1397,8 +1397,8 @@
   * Requires: MBEDTLS_VERSION_C
   *
   * Comment this to disable run-time checking and save ROM space
@@ -165,7 +165,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1621,7 +1621,7 @@
+@@ -1719,7 +1719,7 @@
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -174,7 +174,7 @@
  
  /**
   * \def MBEDTLS_CCM_C
-@@ -1635,7 +1635,7 @@
+@@ -1733,7 +1733,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -183,7 +183,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -1647,7 +1647,7 @@
+@@ -1745,7 +1745,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -192,7 +192,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_C
-@@ -1700,7 +1700,7 @@
+@@ -1798,7 +1798,7 @@
   *
   * This module provides debugging functions.
   */
@@ -201,7 +201,7 @@
  
  /**
   * \def MBEDTLS_DES_C
-@@ -1725,8 +1725,8 @@
+@@ -1823,8 +1823,8 @@
   *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
   *
   * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
@@ -211,7 +211,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -1880,8 +1880,8 @@
+@@ -1978,8 +1978,8 @@
   * Requires: MBEDTLS_MD_C
   *
   * Uncomment to enable the HMAC_DRBG random number geerator.
@@ -221,7 +221,7 @@
  
  /**
   * \def MBEDTLS_MD_C
-@@ -2158,7 +2158,7 @@
+@@ -2256,7 +2256,7 @@
   * Caller:  library/md.c
   *
   */
@@ -230,7 +230,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2235,8 +2235,8 @@
+@@ -2334,8 +2334,8 @@
   * Caller:
   *
   * Requires: MBEDTLS_SSL_CACHE_C
@@ -240,7 +240,7 @@
  
  /**
   * \def MBEDTLS_SSL_COOKIE_C
-@@ -2257,8 +2257,8 @@
+@@ -2356,8 +2356,8 @@
   * Caller:
   *
   * Requires: MBEDTLS_CIPHER_C
@@ -250,7 +250,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2357,8 +2357,8 @@
+@@ -2456,8 +2456,8 @@
   * Module:  library/version.c
   *
   * This module provides run-time version information.
@@ -260,7 +260,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -2468,7 +2468,7 @@
+@@ -2567,7 +2567,7 @@
   * Module:  library/xtea.c
   * Caller:
   */
@@ -269,3 +269,12 @@
  
  /* \} name SECTION: mbed TLS modules */
  
+@@ -2681,7 +2681,7 @@
+  * recommended because of it is possible to generte SHA-1 collisions, however
+  * this may be safe for legacy infrastructure where additional controls apply.
+  */
+-// #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
++#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
+ 
+ /**
+  * Allow SHA-1 in the default TLS configuration for TLS 1.2 handshake

package/libs/uclient/Makefile

@@ -5,9 +5,9 @@ PKG_RELEASE=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/uclient.git
-PKG_SOURCE_DATE:=2016-12-09
-PKG_SOURCE_VERSION:=52d955fd802a4d990b7ff9116f02ff52aa63ffec
-PKG_MIRROR_HASH:=b96f53ccaa62a229e818be836bb4fc85aa4a1ce257fd41fbdbf4e31a959c641f
+PKG_SOURCE_DATE:=2017-09-06
+PKG_SOURCE_VERSION:=24d6eded73dec427fc4a3a20cc73c94227f59c31
+PKG_MIRROR_HASH:=e884ae0c859baa20a5c7f3d924022f8e1f57d28474dbe5fed1efb8fb97790dd0
 CMAKE_INSTALL:=1
 
 PKG_BUILD_DEPENDS:=ustream-ssl

package/network/config/gre/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=gre
 PKG_VERSION:=1
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_LICENSE:=GPL-2.0
 
 include $(INCLUDE_DIR)/package.mk

package/network/config/gre/files/gre.sh

@@ -25,7 +25,7 @@ gre_generic_setup() {
 	json_add_string mode "$mode"
 	json_add_int mtu "${mtu:-1280}"
 	[ -n "$df" ] && json_add_boolean df "$df"
-	[ -n "ttl" ] && json_add_int ttl "$ttl"
+	[ -n "$ttl" ] && json_add_int ttl "$ttl"
 	[ -n "$tos" ] && json_add_string tos "$tos"
 	json_add_boolean multicast "$multicast"
 	json_add_string local "$local"

package/network/ipv6/odhcp6c/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=odhcp6c
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL:=$(LEDE_GIT)/project/odhcp6c.git

package/network/ipv6/odhcp6c/files/dhcpv6.script

@@ -214,6 +214,6 @@ case "$2" in
 esac
 
 # user rules
-[ -f /etc/odhcp6c.user ] && . /etc/odhcp6c.user "@"
+[ -f /etc/odhcp6c.user ] && . /etc/odhcp6c.user "$@"
 
 exit 0

package/network/services/dnsmasq/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.77
+PKG_VERSION:=2.78
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/
-PKG_HASH:=6eac3b1c50ae25170e3ff8c96ddb55236cf45007633fdb8a35b1f3e02f5f8b8a
+PKG_HASH:=89949f438c74b0c7543f06689c319484bd126cc4b1f8c745c742ab397681252b
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING

package/network/services/dnsmasq/files/dnsmasq.init

@@ -533,7 +533,7 @@ dhcp_relay_add() {
 
 dnsmasq_start()
 {
-	local cfg="$1" disabled resolvfile
+	local cfg="$1" disabled
 
 	config_get_bool disabled "$cfg" disabled 0
 	[ "$disabled" -gt 0 ] && return 0
@@ -613,6 +613,7 @@ dnsmasq_start()
 	config_list_foreach "$cfg" "addnhosts" append_addnhosts
 	config_list_foreach "$cfg" "bogusnxdomain" append_bogusnxdomain
 	append_parm "$cfg" "leasefile" "--dhcp-leasefile" "/tmp/dhcp.leases"
+	append_parm "$cfg" "resolvfile" "--resolv-file" "/tmp/resolv.conf.auto"
 	append_parm "$cfg" "serversfile" "--servers-file"
 	append_parm "$cfg" "tftp_root" "--tftp-root"
 	append_parm "$cfg" "dhcp_boot" "--dhcp-boot"
@@ -627,6 +628,7 @@ dnsmasq_start()
 	config_get_bool readethers "$cfg" readethers
 	[ "$readethers" = "1" -a \! -e "/etc/ethers" ] && touch /etc/ethers
 
+	config_get resolvfile $cfg resolvfile
 	config_get dhcpscript $cfg dhcpscript
 
 	config_get leasefile $cfg leasefile "/tmp/dhcp.leases"
@@ -640,8 +642,6 @@ dnsmasq_start()
 		[ -n "$resolvfile" -a \! -e "$resolvfile" ] && touch "$resolvfile"
 	fi
 
-	[ -n "$resolvfile" ] && xappend "--resolv-file=$resolvfile"
-
 	config_get hostsfile "$cfg" dhcphostsfile
 	[ -e "$hostsfile" ] && xappend "--dhcp-hostsfile=$hostsfile"
 

package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch

@@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
 
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
-@@ -82,7 +82,7 @@ typedef unsigned long long u64;
+@@ -88,7 +88,7 @@ typedef unsigned long long u64;
  #if defined(HAVE_SOLARIS_NETWORK)
  #  include <sys/sockio.h>
  #endif

package/network/services/dropbear/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2017.75
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \

package/network/services/dropbear/files/dropbear.init

@@ -132,7 +132,7 @@ service_triggers()
 	config_load "${NAME}"
 	config_foreach load_interfaces dropbear
 
-	[ -n "${interfaces}" ] & {
+	[ -n "${interfaces}" ] && {
 		for n in $interfaces ; do
 			procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
 		done

package/network/services/hostapd/Makefile

@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=3
+PKG_RELEASE:=6
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git

package/network/services/hostapd/files/hostapd.sh

@@ -139,6 +139,7 @@ hostapd_common_add_bss_config() {
 	config_add_int \
 		wep_rekey eap_reauth_period \
 		wpa_group_rekey wpa_pair_rekey wpa_master_rekey
+	config_add_boolean wpa_disable_eapol_key_retries
 
 	config_add_boolean rsn_preauth auth_cache
 	config_add_int ieee80211w
@@ -203,6 +204,7 @@ hostapd_set_bss_options() {
 
 	json_get_vars \
 		wep_rekey wpa_group_rekey wpa_pair_rekey wpa_master_rekey \
+		wpa_disable_eapol_key_retries \
 		maxassoc max_inactivity disassoc_low_ack isolate auth_cache \
 		wps_pushbutton wps_label ext_registrar wps_pbc_in_m1 wps_ap_setup_locked \
 		wps_independent wps_device_type wps_device_name wps_manufacturer wps_pin \
@@ -218,6 +220,7 @@ hostapd_set_bss_options() {
 	set_default hidden 0
 	set_default wmm 1
 	set_default uapsd 1
+	set_default wpa_disable_eapol_key_retries 0
 	set_default eapol_version 0
 	set_default acct_port 1813
 
@@ -364,7 +367,7 @@ hostapd_set_bss_options() {
 	[ -n "$network_bridge" ] && append bss_conf "bridge=$network_bridge" "$N"
 	[ -n "$iapp_interface" ] && {
 		local ifname
-		network_get_device ifname "$iapp_interface" || ifname = "$iapp_interface"
+		network_get_device ifname "$iapp_interface" || ifname="$iapp_interface"
 		append bss_conf "iapp_interface=$ifname" "$N"
 	}
 
@@ -399,6 +402,8 @@ hostapd_set_bss_options() {
 			done
 		fi
 
+		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
+
 		hostapd_append_wpa_key_mgmt
 		[ -n "$wpa_key_mgmt" ] && append bss_conf "wpa_key_mgmt=$wpa_key_mgmt" "$N"
 	fi
@@ -620,7 +625,7 @@ wpa_supplicant_add_network() {
 		scan_ssid=""
 	}
 
-	[[ "$_w_mode" = "adhoc" -o "$_w_mode" = "mesh" ]] && append network_data "$_w_modestr" "$N$T"
+	[ "$_w_mode" = "adhoc" -o "$_w_mode" = "mesh" ] && append network_data "$_w_modestr" "$N$T"
 
 	case "$auth_type" in
 		none) ;;

package/network/services/hostapd/patches/005-hostapd-Avoid-key-reinstallation-in-FT-handshake.patch

@@ -0,0 +1,154 @@
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 14 Jul 2017 15:15:35 +0200
+Subject: [PATCH] hostapd: Avoid key reinstallation in FT handshake
+
+Do not reinstall TK to the driver during Reassociation Response frame
+processing if the first attempt of setting the TK succeeded. This avoids
+issues related to clearing the TX/RX PN that could result in reusing
+same PN values for transmitted frames (e.g., due to CCM nonce reuse and
+also hitting replay protection on the receiver) and accepting replayed
+frames on RX side.
+
+This issue was introduced by the commit
+0e84c25434e6a1f283c7b4e62e483729085b78d2 ('FT: Fix PTK configuration in
+authenticator') which allowed wpa_ft_install_ptk() to be called multiple
+times with the same PTK. While the second configuration attempt is
+needed with some drivers, it must be done only if the first attempt
+failed.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+
+--- a/src/ap/ieee802_11.c
++++ b/src/ap/ieee802_11.c
+@@ -2154,6 +2154,7 @@ static int add_associated_sta(struct hos
+ {
+ 	struct ieee80211_ht_capabilities ht_cap;
+ 	struct ieee80211_vht_capabilities vht_cap;
++	int set = 1;
+ 
+ 	/*
+ 	 * Remove the STA entry to ensure the STA PS state gets cleared and
+@@ -2161,9 +2162,18 @@ static int add_associated_sta(struct hos
+ 	 * FT-over-the-DS, where a station re-associates back to the same AP but
+ 	 * skips the authentication flow, or if working with a driver that
+ 	 * does not support full AP client state.
++	 *
++	 * Skip this if the STA has already completed FT reassociation and the
++	 * TK has been configured since the TX/RX PN must not be reset to 0 for
++	 * the same key.
+ 	 */
+-	if (!sta->added_unassoc)
++	if (!sta->added_unassoc &&
++	    (!(sta->flags & WLAN_STA_AUTHORIZED) ||
++	     !wpa_auth_sta_ft_tk_already_set(sta->wpa_sm))) {
+ 		hostapd_drv_sta_remove(hapd, sta->addr);
++		wpa_auth_sm_event(sta->wpa_sm, WPA_DRV_STA_REMOVED);
++		set = 0;
++	}
+ 
+ #ifdef CONFIG_IEEE80211N
+ 	if (sta->flags & WLAN_STA_HT)
+@@ -2186,11 +2196,11 @@ static int add_associated_sta(struct hos
+ 			    sta->flags & WLAN_STA_VHT ? &vht_cap : NULL,
+ 			    sta->flags | WLAN_STA_ASSOC, sta->qosinfo,
+ 			    sta->vht_opmode, sta->p2p_ie ? 1 : 0,
+-			    sta->added_unassoc)) {
++			    set)) {
+ 		hostapd_logger(hapd, sta->addr,
+ 			       HOSTAPD_MODULE_IEEE80211, HOSTAPD_LEVEL_NOTICE,
+ 			       "Could not %s STA to kernel driver",
+-			       sta->added_unassoc ? "set" : "add");
++			       set ? "set" : "add");
+ 
+ 		if (sta->added_unassoc) {
+ 			hostapd_drv_sta_remove(hapd, sta->addr);
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1751,6 +1751,9 @@ int wpa_auth_sm_event(struct wpa_state_m
+ #else /* CONFIG_IEEE80211R_AP */
+ 		break;
+ #endif /* CONFIG_IEEE80211R_AP */
++	case WPA_DRV_STA_REMOVED:
++		sm->tk_already_set = FALSE;
++		return 0;
+ 	}
+ 
+ #ifdef CONFIG_IEEE80211R_AP
+@@ -3725,6 +3728,14 @@ int wpa_auth_sta_wpa_version(struct wpa_
+ }
+ 
+ 
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm)
++{
++	if (!sm || !wpa_key_mgmt_ft(sm->wpa_key_mgmt))
++		return 0;
++	return sm->tk_already_set;
++}
++
++
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry)
+ {
+--- a/src/ap/wpa_auth_ft.c
++++ b/src/ap/wpa_auth_ft.c
+@@ -794,6 +794,14 @@ void wpa_ft_install_ptk(struct wpa_state
+ 		return;
+ 	}
+ 
++	if (sm->tk_already_set) {
++		/* Must avoid TK reconfiguration to prevent clearing of TX/RX
++		 * PN in the driver */
++		wpa_printf(MSG_DEBUG,
++			   "FT: Do not re-install same PTK to the driver");
++		return;
++	}
++
+ 	/* FIX: add STA entry to kernel/driver here? The set_key will fail
+ 	 * most likely without this.. At the moment, STA entry is added only
+ 	 * after association has been completed. This function will be called
+@@ -806,6 +814,7 @@ void wpa_ft_install_ptk(struct wpa_state
+ 
+ 	/* FIX: MLME-SetProtection.Request(TA, Tx_Rx) */
+ 	sm->pairwise_set = TRUE;
++	sm->tk_already_set = TRUE;
+ }
+ 
+ 
+@@ -1002,6 +1011,7 @@ static int wpa_ft_process_auth_req(struc
+ 
+ 	sm->pairwise = pairwise;
+ 	sm->PTK_valid = TRUE;
++	sm->tk_already_set = FALSE;
+ 	wpa_ft_install_ptk(sm);
+ 
+ 	buflen = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -268,7 +268,7 @@ void wpa_receive(struct wpa_authenticato
+ 		 u8 *data, size_t data_len);
+ enum wpa_event {
+ 	WPA_AUTH, WPA_ASSOC, WPA_DISASSOC, WPA_DEAUTH, WPA_REAUTH,
+-	WPA_REAUTH_EAPOL, WPA_ASSOC_FT
++	WPA_REAUTH_EAPOL, WPA_ASSOC_FT, WPA_DRV_STA_REMOVED
+ };
+ void wpa_remove_ptk(struct wpa_state_machine *sm);
+ int wpa_auth_sm_event(struct wpa_state_machine *sm, enum wpa_event event);
+@@ -281,6 +281,7 @@ int wpa_auth_pairwise_set(struct wpa_sta
+ int wpa_auth_get_pairwise(struct wpa_state_machine *sm);
+ int wpa_auth_sta_key_mgmt(struct wpa_state_machine *sm);
+ int wpa_auth_sta_wpa_version(struct wpa_state_machine *sm);
++int wpa_auth_sta_ft_tk_already_set(struct wpa_state_machine *sm);
+ int wpa_auth_sta_clear_pmksa(struct wpa_state_machine *sm,
+ 			     struct rsn_pmksa_cache_entry *entry);
+ struct rsn_pmksa_cache_entry *
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -65,6 +65,7 @@ struct wpa_state_machine {
+ 	struct wpa_ptk PTK;
+ 	Boolean PTK_valid;
+ 	Boolean pairwise_set;
++	Boolean tk_already_set;
+ 	int keycount;
+ 	Boolean Pair;
+ 	struct wpa_key_replay_counter {

package/network/services/hostapd/patches/006-Prevent-reinstallation-of-an-already-in-use-group-ke.patch

@@ -0,0 +1,244 @@
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Wed, 12 Jul 2017 16:03:24 +0200
+Subject: [PATCH] Prevent reinstallation of an already in-use group key
+
+Track the current GTK and IGTK that is in use and when receiving a
+(possibly retransmitted) Group Message 1 or WNM-Sleep Mode Response, do
+not install the given key if it is already in use. This prevents an
+attacker from trying to trick the client into resetting or lowering the
+sequence counter associated to the group key.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -207,6 +207,17 @@ struct wpa_ptk {
+ 	size_t tk_len;
+ };
+ 
++struct wpa_gtk {
++	u8 gtk[WPA_GTK_MAX_LEN];
++	size_t gtk_len;
++};
++
++#ifdef CONFIG_IEEE80211W
++struct wpa_igtk {
++	u8 igtk[WPA_IGTK_MAX_LEN];
++	size_t igtk_len;
++};
++#endif /* CONFIG_IEEE80211W */
+ 
+ /* WPA IE version 1
+  * 00-50-f2:1 (OUI:OUI type)
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -785,6 +785,15 @@ static int wpa_supplicant_install_gtk(st
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
++	/* Detect possible key reinstallation */
++	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
++			gd->keyidx, gd->tx, gd->gtk_len);
++		return 0;
++	}
++
+ 	wpa_hexdump_key(MSG_DEBUG, "WPA: Group Key", gd->gtk, gd->gtk_len);
+ 	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 		"WPA: Installing GTK to the driver (keyidx=%d tx=%d len=%d)",
+@@ -819,6 +828,9 @@ static int wpa_supplicant_install_gtk(st
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
++	sm->gtk.gtk_len = gd->gtk_len;
++	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++
+ 	return 0;
+ }
+ 
+@@ -925,6 +937,48 @@ static int wpa_supplicant_pairwise_gtk(s
+ }
+ 
+ 
++#ifdef CONFIG_IEEE80211W
++static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
++				       const struct wpa_igtk_kde *igtk)
++{
++	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
++	u16 keyidx = WPA_GET_LE16(igtk->keyid);
++
++	/* Detect possible key reinstallation */
++	if (sm->igtk.igtk_len == len &&
++	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
++			keyidx);
++		return  0;
++	}
++
++	wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
++		"WPA: IGTK keyid %d pn %02x%02x%02x%02x%02x%02x",
++		keyidx, MAC2STR(igtk->pn));
++	wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK", igtk->igtk, len);
++	if (keyidx > 4095) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Invalid IGTK KeyID %d", keyidx);
++		return -1;
++	}
++	if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
++			   broadcast_ether_addr,
++			   keyidx, 0, igtk->pn, sizeof(igtk->pn),
++			   igtk->igtk, len) < 0) {
++		wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
++			"WPA: Failed to configure IGTK to the driver");
++		return -1;
++	}
++
++	sm->igtk.igtk_len = len;
++	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++
++	return 0;
++}
++#endif /* CONFIG_IEEE80211W */
++
++
+ static int ieee80211w_set_keys(struct wpa_sm *sm,
+ 			       struct wpa_eapol_ie_parse *ie)
+ {
+@@ -935,30 +989,14 @@ static int ieee80211w_set_keys(struct wp
+ 	if (ie->igtk) {
+ 		size_t len;
+ 		const struct wpa_igtk_kde *igtk;
+-		u16 keyidx;
++
+ 		len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 		if (ie->igtk_len != WPA_IGTK_KDE_PREFIX_LEN + len)
+ 			return -1;
++
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		keyidx = WPA_GET_LE16(igtk->keyid);
+-		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG, "WPA: IGTK keyid %d "
+-			"pn %02x%02x%02x%02x%02x%02x",
+-			keyidx, MAC2STR(igtk->pn));
+-		wpa_hexdump_key(MSG_DEBUG, "WPA: IGTK",
+-				igtk->igtk, len);
+-		if (keyidx > 4095) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Invalid IGTK KeyID %d", keyidx);
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igtk->pn, sizeof(igtk->pn),
+-				   igtk->igtk, len) < 0) {
+-			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+-				"WPA: Failed to configure IGTK to the driver");
+-			return -1;
+-		}
+ 	}
+ 
+ 	return 0;
+@@ -2451,7 +2489,7 @@ void wpa_sm_deinit(struct wpa_sm *sm)
+  */
+ void wpa_sm_notify_assoc(struct wpa_sm *sm, const u8 *bssid)
+ {
+-	int clear_ptk = 1;
++	int clear_keys = 1;
+ 
+ 	if (sm == NULL)
+ 		return;
+@@ -2477,7 +2515,7 @@ void wpa_sm_notify_assoc(struct wpa_sm *
+ 		/* Prepare for the next transition */
+ 		wpa_ft_prepare_auth_request(sm, NULL);
+ 
+-		clear_ptk = 0;
++		clear_keys = 0;
+ 	}
+ #endif /* CONFIG_IEEE80211R */
+ #ifdef CONFIG_FILS
+@@ -2487,11 +2525,11 @@ void wpa_sm_notify_assoc(struct wpa_sm *
+ 		 * AUTHENTICATED state to get the EAPOL port Authorized.
+ 		 */
+ 		wpa_supplicant_key_neg_complete(sm, sm->bssid, 1);
+-		clear_ptk = 0;
++		clear_keys = 0;
+ 	}
+ #endif /* CONFIG_FILS */
+ 
+-	if (clear_ptk) {
++	if (clear_keys) {
+ 		/*
+ 		 * IEEE 802.11, 8.4.10: Delete PTK SA on (re)association if
+ 		 * this is not part of a Fast BSS Transition.
+@@ -2501,6 +2539,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *
+ 		os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+ #ifdef CONFIG_TDLS
+@@ -3052,6 +3094,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(sm->pmk, 0, sizeof(sm->pmk));
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++#ifdef CONFIG_IEEE80211W
++	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++#endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+ 	os_memset(sm->pmk_r0, 0, sizeof(sm->pmk_r0));
+@@ -3124,29 +3170,11 @@ int wpa_wnmsleep_install_key(struct wpa_
+ 		os_memset(&gd, 0, sizeof(gd));
+ #ifdef CONFIG_IEEE80211W
+ 	} else if (subelem_id == WNM_SLEEP_SUBELEM_IGTK) {
+-		struct wpa_igtk_kde igd;
+-		u16 keyidx;
++		const struct wpa_igtk_kde *igtk;
+ 
+-		os_memset(&igd, 0, sizeof(igd));
+-		keylen = wpa_cipher_key_len(sm->mgmt_group_cipher);
+-		os_memcpy(igd.keyid, buf + 2, 2);
+-		os_memcpy(igd.pn, buf + 4, 6);
+-
+-		keyidx = WPA_GET_LE16(igd.keyid);
+-		os_memcpy(igd.igtk, buf + 10, keylen);
+-
+-		wpa_hexdump_key(MSG_DEBUG, "Install IGTK (WNM SLEEP)",
+-				igd.igtk, keylen);
+-		if (wpa_sm_set_key(sm, wpa_cipher_to_alg(sm->mgmt_group_cipher),
+-				   broadcast_ether_addr,
+-				   keyidx, 0, igd.pn, sizeof(igd.pn),
+-				   igd.igtk, keylen) < 0) {
+-			wpa_printf(MSG_DEBUG, "Failed to install the IGTK in "
+-				   "WNM mode");
+-			os_memset(&igd, 0, sizeof(igd));
++		igtk = (const struct wpa_igtk_kde *) (buf + 2);
++		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
+ 			return -1;
+-		}
+-		os_memset(&igd, 0, sizeof(igd));
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+ 		wpa_printf(MSG_DEBUG, "Unknown element id");
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -31,6 +31,10 @@ struct wpa_sm {
+ 	u8 rx_replay_counter[WPA_REPLAY_COUNTER_LEN];
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
++	struct wpa_gtk gtk;
++#ifdef CONFIG_IEEE80211W
++	struct wpa_igtk igtk;
++#endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */
+ 

package/network/services/hostapd/patches/007-Extend-protection-of-GTK-IGTK-reinstallation-of-WNM-.patch

@@ -0,0 +1,173 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:12:24 +0300
+Subject: [PATCH] Extend protection of GTK/IGTK reinstallation of WNM-Sleep
+ Mode cases
+
+This extends the protection to track last configured GTK/IGTK value
+separately from EAPOL-Key frames and WNM-Sleep Mode frames to cover a
+corner case where these two different mechanisms may get used when the
+GTK/IGTK has changed and tracking a single value is not sufficient to
+detect a possible key reconfiguration.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -780,14 +780,17 @@ struct wpa_gtk_data {
+ 
+ static int wpa_supplicant_install_gtk(struct wpa_sm *sm,
+ 				      const struct wpa_gtk_data *gd,
+-				      const u8 *key_rsc)
++				      const u8 *key_rsc, int wnm_sleep)
+ {
+ 	const u8 *_gtk = gd->gtk;
+ 	u8 gtk_buf[32];
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->gtk.gtk_len == (size_t) gd->gtk_len &&
+-	    os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) {
++	if ((sm->gtk.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len) == 0) ||
++	    (sm->gtk_wnm_sleep.gtk_len == (size_t) gd->gtk_len &&
++	     os_memcmp(sm->gtk_wnm_sleep.gtk, gd->gtk,
++		       sm->gtk_wnm_sleep.gtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use GTK to the driver (keyidx=%d tx=%d len=%d)",
+ 			gd->keyidx, gd->tx, gd->gtk_len);
+@@ -828,8 +831,14 @@ static int wpa_supplicant_install_gtk(st
+ 	}
+ 	os_memset(gtk_buf, 0, sizeof(gtk_buf));
+ 
+-	sm->gtk.gtk_len = gd->gtk_len;
+-	os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	if (wnm_sleep) {
++		sm->gtk_wnm_sleep.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk_wnm_sleep.gtk, gd->gtk,
++			  sm->gtk_wnm_sleep.gtk_len);
++	} else {
++		sm->gtk.gtk_len = gd->gtk_len;
++		os_memcpy(sm->gtk.gtk, gd->gtk, sm->gtk.gtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -923,7 +932,7 @@ static int wpa_supplicant_pairwise_gtk(s
+ 	    (wpa_supplicant_check_group_cipher(sm, sm->group_cipher,
+ 					       gtk_len, gtk_len,
+ 					       &gd.key_rsc_len, &gd.alg) ||
+-	     wpa_supplicant_install_gtk(sm, &gd, key_rsc))) {
++	     wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0))) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"RSN: Failed to install GTK");
+ 		os_memset(&gd, 0, sizeof(gd));
+@@ -939,14 +948,18 @@ static int wpa_supplicant_pairwise_gtk(s
+ 
+ #ifdef CONFIG_IEEE80211W
+ static int wpa_supplicant_install_igtk(struct wpa_sm *sm,
+-				       const struct wpa_igtk_kde *igtk)
++				       const struct wpa_igtk_kde *igtk,
++				       int wnm_sleep)
+ {
+ 	size_t len = wpa_cipher_key_len(sm->mgmt_group_cipher);
+ 	u16 keyidx = WPA_GET_LE16(igtk->keyid);
+ 
+ 	/* Detect possible key reinstallation */
+-	if (sm->igtk.igtk_len == len &&
+-	    os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) {
++	if ((sm->igtk.igtk_len == len &&
++	     os_memcmp(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len) == 0) ||
++	    (sm->igtk_wnm_sleep.igtk_len == len &&
++	     os_memcmp(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++		       sm->igtk_wnm_sleep.igtk_len) == 0)) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Not reinstalling already in-use IGTK to the driver (keyidx=%d)",
+ 			keyidx);
+@@ -971,8 +984,14 @@ static int wpa_supplicant_install_igtk(s
+ 		return -1;
+ 	}
+ 
+-	sm->igtk.igtk_len = len;
+-	os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	if (wnm_sleep) {
++		sm->igtk_wnm_sleep.igtk_len = len;
++		os_memcpy(sm->igtk_wnm_sleep.igtk, igtk->igtk,
++			  sm->igtk_wnm_sleep.igtk_len);
++	} else {
++		sm->igtk.igtk_len = len;
++		os_memcpy(sm->igtk.igtk, igtk->igtk, sm->igtk.igtk_len);
++	}
+ 
+ 	return 0;
+ }
+@@ -995,7 +1014,7 @@ static int ieee80211w_set_keys(struct wp
+ 			return -1;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) ie->igtk;
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 0) < 0)
+ 			return -1;
+ 	}
+ 
+@@ -1641,7 +1660,7 @@ static void wpa_supplicant_process_1_of_
+ 	if (wpa_supplicant_rsc_relaxation(sm, key->key_rsc))
+ 		key_rsc = null_rsc;
+ 
+-	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc) ||
++	if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 0) ||
+ 	    wpa_supplicant_send_2_of_2(sm, key, ver, key_info) < 0)
+ 		goto failed;
+ 	os_memset(&gd, 0, sizeof(gd));
+@@ -2540,8 +2559,10 @@ void wpa_sm_notify_assoc(struct wpa_sm *
+ 		sm->tptk_set = 0;
+ 		os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 		os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++		os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 		os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++		os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ 	}
+ 
+@@ -3095,8 +3116,10 @@ void wpa_sm_drop_sa(struct wpa_sm *sm)
+ 	os_memset(&sm->ptk, 0, sizeof(sm->ptk));
+ 	os_memset(&sm->tptk, 0, sizeof(sm->tptk));
+ 	os_memset(&sm->gtk, 0, sizeof(sm->gtk));
++	os_memset(&sm->gtk_wnm_sleep, 0, sizeof(sm->gtk_wnm_sleep));
+ #ifdef CONFIG_IEEE80211W
+ 	os_memset(&sm->igtk, 0, sizeof(sm->igtk));
++	os_memset(&sm->igtk_wnm_sleep, 0, sizeof(sm->igtk_wnm_sleep));
+ #endif /* CONFIG_IEEE80211W */
+ #ifdef CONFIG_IEEE80211R
+ 	os_memset(sm->xxkey, 0, sizeof(sm->xxkey));
+@@ -3161,7 +3184,7 @@ int wpa_wnmsleep_install_key(struct wpa_
+ 
+ 		wpa_hexdump_key(MSG_DEBUG, "Install GTK (WNM SLEEP)",
+ 				gd.gtk, gd.gtk_len);
+-		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc)) {
++		if (wpa_supplicant_install_gtk(sm, &gd, key_rsc, 1)) {
+ 			os_memset(&gd, 0, sizeof(gd));
+ 			wpa_printf(MSG_DEBUG, "Failed to install the GTK in "
+ 				   "WNM mode");
+@@ -3173,7 +3196,7 @@ int wpa_wnmsleep_install_key(struct wpa_
+ 		const struct wpa_igtk_kde *igtk;
+ 
+ 		igtk = (const struct wpa_igtk_kde *) (buf + 2);
+-		if (wpa_supplicant_install_igtk(sm, igtk) < 0)
++		if (wpa_supplicant_install_igtk(sm, igtk, 1) < 0)
+ 			return -1;
+ #endif /* CONFIG_IEEE80211W */
+ 	} else {
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -32,8 +32,10 @@ struct wpa_sm {
+ 	int rx_replay_counter_set;
+ 	u8 request_counter[WPA_REPLAY_COUNTER_LEN];
+ 	struct wpa_gtk gtk;
++	struct wpa_gtk gtk_wnm_sleep;
+ #ifdef CONFIG_IEEE80211W
+ 	struct wpa_igtk igtk;
++	struct wpa_igtk igtk_wnm_sleep;
+ #endif /* CONFIG_IEEE80211W */
+ 
+ 	struct eapol_sm *eapol; /* EAPOL state machine from upper level code */

package/network/services/hostapd/patches/008-Prevent-installation-of-an-all-zero-TK.patch

@@ -0,0 +1,65 @@
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Fri, 29 Sep 2017 04:22:51 +0200
+Subject: [PATCH] Prevent installation of an all-zero TK
+
+Properly track whether a PTK has already been installed to the driver
+and the TK part cleared from memory. This prevents an attacker from
+trying to trick the client into installing an all-zero TK.
+
+This fixes the earlier fix in commit
+ad00d64e7d8827b3cebd665a0ceb08adabf15e1e ('Fix TK configuration to the
+driver in EAPOL-Key 3/4 retry case') which did not take into account
+possibility of an extra message 1/4 showing up between retries of
+message 3/4.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+
+--- a/src/common/wpa_common.h
++++ b/src/common/wpa_common.h
+@@ -205,6 +205,7 @@ struct wpa_ptk {
+ 	size_t kck_len;
+ 	size_t kek_len;
+ 	size_t tk_len;
++	int installed; /* 1 if key has already been installed to driver */
+ };
+ 
+ struct wpa_gtk {
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -581,7 +581,6 @@ static void wpa_supplicant_process_1_of_
+ 		os_memset(buf, 0, sizeof(buf));
+ 	}
+ 	sm->tptk_set = 1;
+-	sm->tk_to_set = 1;
+ 
+ 	kde = sm->assoc_wpa_ie;
+ 	kde_len = sm->assoc_wpa_ie_len;
+@@ -686,7 +685,7 @@ static int wpa_supplicant_install_ptk(st
+ 	enum wpa_alg alg;
+ 	const u8 *key_rsc;
+ 
+-	if (!sm->tk_to_set) {
++	if (sm->ptk.installed) {
+ 		wpa_dbg(sm->ctx->msg_ctx, MSG_DEBUG,
+ 			"WPA: Do not re-install same PTK to the driver");
+ 		return 0;
+@@ -730,7 +729,7 @@ static int wpa_supplicant_install_ptk(st
+ 
+ 	/* TK is not needed anymore in supplicant */
+ 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
+-	sm->tk_to_set = 0;
++	sm->ptk.installed = 1;
+ 
+ 	if (sm->wpa_ptk_rekey) {
+ 		eloop_cancel_timeout(wpa_sm_rekey_ptk, sm, NULL);
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -24,7 +24,6 @@ struct wpa_sm {
+ 	struct wpa_ptk ptk, tptk;
+ 	int ptk_set, tptk_set;
+ 	unsigned int msg_3_of_4_ok:1;
+-	unsigned int tk_to_set:1;
+ 	u8 snonce[WPA_NONCE_LEN];
+ 	u8 anonce[WPA_NONCE_LEN]; /* ANonce from the last 1/4 msg */
+ 	int renew_snonce;

package/network/services/hostapd/patches/009-Fix-PTK-rekeying-to-generate-a-new-ANonce.patch

@@ -0,0 +1,56 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 1 Oct 2017 12:32:57 +0300
+Subject: [PATCH] Fix PTK rekeying to generate a new ANonce
+
+The Authenticator state machine path for PTK rekeying ended up bypassing
+the AUTHENTICATION2 state where a new ANonce is generated when going
+directly to the PTKSTART state since there is no need to try to
+determine the PMK again in such a case. This is far from ideal since the
+new PTK would depend on a new nonce only from the supplicant.
+
+Fix this by generating a new ANonce when moving to the PTKSTART state
+for the purpose of starting new 4-way handshake to rekey PTK.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -1912,6 +1912,21 @@ SM_STATE(WPA_PTK, AUTHENTICATION2)
+ }
+ 
+ 
++static int wpa_auth_sm_ptk_update(struct wpa_state_machine *sm)
++{
++	if (random_get_bytes(sm->ANonce, WPA_NONCE_LEN)) {
++		wpa_printf(MSG_ERROR,
++			   "WPA: Failed to get random data for ANonce");
++		sm->Disconnect = TRUE;
++		return -1;
++	}
++	wpa_hexdump(MSG_DEBUG, "WPA: Assign new ANonce", sm->ANonce,
++		    WPA_NONCE_LEN);
++	sm->TimeoutCtr = 0;
++	return 0;
++}
++
++
+ SM_STATE(WPA_PTK, INITPMK)
+ {
+ 	u8 msk[2 * PMK_LEN];
+@@ -2932,9 +2947,12 @@ SM_STEP(WPA_PTK)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION);
+ 	else if (sm->ReAuthenticationRequest)
+ 		SM_ENTER(WPA_PTK, AUTHENTICATION2);
+-	else if (sm->PTKRequest)
+-		SM_ENTER(WPA_PTK, PTKSTART);
+-	else switch (sm->wpa_ptk_state) {
++	else if (sm->PTKRequest) {
++		if (wpa_auth_sm_ptk_update(sm) < 0)
++			SM_ENTER(WPA_PTK, DISCONNECTED);
++		else
++			SM_ENTER(WPA_PTK, PTKSTART);
++	} else switch (sm->wpa_ptk_state) {
+ 	case WPA_PTK_INITIALIZE:
+ 		break;
+ 	case WPA_PTK_DISCONNECT:

package/network/services/hostapd/patches/010-TDLS-Reject-TPK-TK-reconfiguration.patch

@@ -0,0 +1,124 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:03:15 +0300
+Subject: [PATCH] TDLS: Reject TPK-TK reconfiguration
+
+Do not try to reconfigure the same TPK-TK to the driver after it has
+been successfully configured. This is an explicit check to avoid issues
+related to resetting the TX/RX packet number. There was already a check
+for this for TPK M2 (retries of that message are ignored completely), so
+that behavior does not get modified.
+
+For TPK M3, the TPK-TK could have been reconfigured, but that was
+followed by immediate teardown of the link due to an issue in updating
+the STA entry. Furthermore, for TDLS with any real security (i.e.,
+ignoring open/WEP), the TPK message exchange is protected on the AP path
+and simple replay attacks are not feasible.
+
+As an additional corner case, make sure the local nonce gets updated if
+the peer uses a very unlikely "random nonce" of all zeros.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+
+--- a/src/rsn_supp/tdls.c
++++ b/src/rsn_supp/tdls.c
+@@ -112,6 +112,7 @@ struct wpa_tdls_peer {
+ 		u8 tk[16]; /* TPK-TK; assuming only CCMP will be used */
+ 	} tpk;
+ 	int tpk_set;
++	int tk_set; /* TPK-TK configured to the driver */
+ 	int tpk_success;
+ 	int tpk_in_progress;
+ 
+@@ -192,6 +193,20 @@ static int wpa_tdls_set_key(struct wpa_s
+ 	u8 rsc[6];
+ 	enum wpa_alg alg;
+ 
++	if (peer->tk_set) {
++		/*
++		 * This same TPK-TK has already been configured to the driver
++		 * and this new configuration attempt (likely due to an
++		 * unexpected retransmitted frame) would result in clearing
++		 * the TX/RX sequence number which can break security, so must
++		 * not allow that to happen.
++		 */
++		wpa_printf(MSG_INFO, "TDLS: TPK-TK for the peer " MACSTR
++			   " has already been configured to the driver - do not reconfigure",
++			   MAC2STR(peer->addr));
++		return -1;
++	}
++
+ 	os_memset(rsc, 0, 6);
+ 
+ 	switch (peer->cipher) {
+@@ -209,12 +224,15 @@ static int wpa_tdls_set_key(struct wpa_s
+ 		return -1;
+ 	}
+ 
++	wpa_printf(MSG_DEBUG, "TDLS: Configure pairwise key for peer " MACSTR,
++		   MAC2STR(peer->addr));
+ 	if (wpa_sm_set_key(sm, alg, peer->addr, -1, 1,
+ 			   rsc, sizeof(rsc), peer->tpk.tk, key_len) < 0) {
+ 		wpa_printf(MSG_WARNING, "TDLS: Failed to set TPK to the "
+ 			   "driver");
+ 		return -1;
+ 	}
++	peer->tk_set = 1;
+ 	return 0;
+ }
+ 
+@@ -696,7 +714,7 @@ static void wpa_tdls_peer_clear(struct w
+ 	peer->cipher = 0;
+ 	peer->qos_info = 0;
+ 	peer->wmm_capable = 0;
+-	peer->tpk_set = peer->tpk_success = 0;
++	peer->tk_set = peer->tpk_set = peer->tpk_success = 0;
+ 	peer->chan_switch_enabled = 0;
+ 	os_memset(&peer->tpk, 0, sizeof(peer->tpk));
+ 	os_memset(peer->inonce, 0, WPA_NONCE_LEN);
+@@ -1159,6 +1177,7 @@ skip_rsnie:
+ 		wpa_tdls_peer_free(sm, peer);
+ 		return -1;
+ 	}
++	peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	wpa_hexdump(MSG_DEBUG, "TDLS: Initiator Nonce for TPK handshake",
+ 		    peer->inonce, WPA_NONCE_LEN);
+ 	os_memcpy(ftie->Snonce, peer->inonce, WPA_NONCE_LEN);
+@@ -1751,6 +1770,19 @@ static int wpa_tdls_addset_peer(struct w
+ }
+ 
+ 
++static int tdls_nonce_set(const u8 *nonce)
++{
++	int i;
++
++	for (i = 0; i < WPA_NONCE_LEN; i++) {
++		if (nonce[i])
++			return 1;
++	}
++
++	return 0;
++}
++
++
+ static int wpa_tdls_process_tpk_m1(struct wpa_sm *sm, const u8 *src_addr,
+ 				   const u8 *buf, size_t len)
+ {
+@@ -2004,7 +2036,8 @@ skip_rsn:
+ 	peer->rsnie_i_len = kde.rsn_ie_len;
+ 	peer->cipher = cipher;
+ 
+-	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0) {
++	if (os_memcmp(peer->inonce, ftie->Snonce, WPA_NONCE_LEN) != 0 ||
++	    !tdls_nonce_set(peer->inonce)) {
+ 		/*
+ 		 * There is no point in updating the RNonce for every obtained
+ 		 * TPK M1 frame (e.g., retransmission due to timeout) with the
+@@ -2020,6 +2053,7 @@ skip_rsn:
+ 				"TDLS: Failed to get random data for responder nonce");
+ 			goto error;
+ 		}
++		peer->tk_set = 0; /* A new nonce results in a new TK */
+ 	}
+ 
+ #if 0

package/network/services/hostapd/patches/011-WNM-Ignore-WNM-Sleep-Mode-Response-without-pending-r.patch

@@ -0,0 +1,35 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 11:25:02 +0300
+Subject: [PATCH] WNM: Ignore WNM-Sleep Mode Response without pending
+ request
+
+Commit 03ed0a52393710be6bdae657d1b36efa146520e5 ('WNM: Ignore WNM-Sleep
+Mode Response if WNM-Sleep Mode has not been used') started ignoring the
+response when no WNM-Sleep Mode Request had been used during the
+association. This can be made tighter by clearing the used flag when
+successfully processing a response. This adds an additional layer of
+protection against unexpected retransmissions of the response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+
+--- a/wpa_supplicant/wnm_sta.c
++++ b/wpa_supplicant/wnm_sta.c
+@@ -260,7 +260,7 @@ static void ieee802_11_rx_wnmsleep_resp(
+ 
+ 	if (!wpa_s->wnmsleep_used) {
+ 		wpa_printf(MSG_DEBUG,
+-			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode has not been used in this association");
++			   "WNM: Ignore WNM-Sleep Mode Response frame since WNM-Sleep Mode operation has not been requested");
+ 		return;
+ 	}
+ 
+@@ -299,6 +299,8 @@ static void ieee802_11_rx_wnmsleep_resp(
+ 		return;
+ 	}
+ 
++	wpa_s->wnmsleep_used = 0;
++
+ 	if (wnmsleep_ie->status == WNM_STATUS_SLEEP_ACCEPT ||
+ 	    wnmsleep_ie->status == WNM_STATUS_SLEEP_EXIT_ACCEPT_GTK_UPDATE) {
+ 		wpa_printf(MSG_DEBUG, "Successfully recv WNM-Sleep Response "

package/network/services/hostapd/patches/012-FT-Do-not-allow-multiple-Reassociation-Response-fram.patch

@@ -0,0 +1,68 @@
+From: Jouni Malinen <j@w1.fi>
+Date: Fri, 22 Sep 2017 12:06:37 +0300
+Subject: [PATCH] FT: Do not allow multiple Reassociation Response frames
+
+The driver is expected to not report a second association event without
+the station having explicitly request a new association. As such, this
+case should not be reachable. However, since reconfiguring the same
+pairwise or group keys to the driver could result in nonce reuse issues,
+be extra careful here and do an additional state check to avoid this
+even if the local driver ends up somehow accepting an unexpected
+Reassociation Response frame.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2568,6 +2568,9 @@ void wpa_sm_notify_assoc(struct wpa_sm *
+ #ifdef CONFIG_TDLS
+ 	wpa_tdls_assoc(sm);
+ #endif /* CONFIG_TDLS */
++#ifdef CONFIG_IEEE80211R
++	sm->ft_reassoc_completed = 0;
++#endif /* CONFIG_IEEE80211R */
+ 
+ #ifdef CONFIG_P2P
+ 	os_memset(sm->p2p_ip_addr, 0, sizeof(sm->p2p_ip_addr));
+--- a/src/rsn_supp/wpa_ft.c
++++ b/src/rsn_supp/wpa_ft.c
+@@ -153,6 +153,7 @@ static u8 * wpa_ft_gen_req_ies(struct wp
+ 	u16 capab;
+ 
+ 	sm->ft_completed = 0;
++	sm->ft_reassoc_completed = 0;
+ 
+ 	buf_len = 2 + sizeof(struct rsn_mdie) + 2 + sizeof(struct rsn_ftie) +
+ 		2 + sm->r0kh_id_len + ric_ies_len + 100;
+@@ -681,6 +682,11 @@ int wpa_ft_validate_reassoc_resp(struct
+ 		return -1;
+ 	}
+ 
++	if (sm->ft_reassoc_completed) {
++		wpa_printf(MSG_DEBUG, "FT: Reassociation has already been completed for this FT protocol instance - ignore unexpected retransmission");
++		return 0;
++	}
++
+ 	if (wpa_ft_parse_ies(ies, ies_len, &parse) < 0) {
+ 		wpa_printf(MSG_DEBUG, "FT: Failed to parse IEs");
+ 		return -1;
+@@ -781,6 +787,8 @@ int wpa_ft_validate_reassoc_resp(struct
+ 		return -1;
+ 	}
+ 
++	sm->ft_reassoc_completed = 1;
++
+ 	if (wpa_ft_process_gtk_subelem(sm, parse.gtk, parse.gtk_len) < 0)
+ 		return -1;
+ 
+--- a/src/rsn_supp/wpa_i.h
++++ b/src/rsn_supp/wpa_i.h
+@@ -128,6 +128,7 @@ struct wpa_sm {
+ 	size_t r0kh_id_len;
+ 	u8 r1kh_id[FT_R1KH_ID_LEN];
+ 	int ft_completed;
++	int ft_reassoc_completed;
+ 	int over_the_ds_in_progress;
+ 	u8 target_ap[ETH_ALEN]; /* over-the-DS target AP */
+ 	int set_ptk_after_assoc;

package/network/services/hostapd/patches/013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch

@@ -0,0 +1,305 @@
+From 41f140d38617e1fd3fa88c1667c1bce0cad79224 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?G=C3=BCnther=20Kelleter?= <guenther.kelleter@devolo.de>
+Date: Thu, 5 Jan 2017 17:00:33 +0100
+Subject: [PATCH] Add hostapd options wpa_group_update_count and
+ wpa_pairwise_update_count
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+wpa_group_update_count and wpa_pairwise_update_count can now be used to
+set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
+and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
+hardcoded value (4).
+
+Some stations may suffer from frequent deauthentications due to GTK
+rekey failures: EAPOL 1/2 frame is not answered during the total timeout
+period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
+6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
+wpa_group_update_count to 6 fixed this issue.
+
+Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
+---
+ hostapd/config_file.c     | 22 ++++++++++++++++++++++
+ hostapd/hostapd.conf      | 11 +++++++++++
+ src/ap/ap_config.c        |  2 ++
+ src/ap/ap_config.h        |  2 ++
+ src/ap/wpa_auth.c         | 37 ++++++++++++++++++-------------------
+ src/ap/wpa_auth.h         |  2 ++
+ src/ap/wpa_auth_glue.c    |  2 ++
+ src/ap/wpa_auth_i.h       |  4 ++--
+ wpa_supplicant/ibss_rsn.c |  2 ++
+ wpa_supplicant/mesh_rsn.c |  2 ++
+ 10 files changed, 65 insertions(+), 21 deletions(-)
+
+diff --git a/hostapd/config_file.c b/hostapd/config_file.c
+index 8cfa198c3..02693a5b1 100644
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2489,6 +2489,28 @@ static int hostapd_config_fill(struct hostapd_config *conf,
+ 		bss->wpa_gmk_rekey = atoi(pos);
+ 	} else if (os_strcmp(buf, "wpa_ptk_rekey") == 0) {
+ 		bss->wpa_ptk_rekey = atoi(pos);
++	} else if (os_strcmp(buf, "wpa_group_update_count") == 0) {
++		char *endp;
++		unsigned long val = strtoul(pos, &endp, 0);
++
++		if (*endp || val < 1 || val > (u32) -1) {
++			wpa_printf(MSG_ERROR,
++				   "Line %d: Invalid wpa_group_update_count=%lu; allowed range 1..4294967295",
++				   line, val);
++			return 1;
++		}
++		bss->wpa_group_update_count = (u32) val;
++	} else if (os_strcmp(buf, "wpa_pairwise_update_count") == 0) {
++		char *endp;
++		unsigned long val = strtoul(pos, &endp, 0);
++
++		if (*endp || val < 1 || val > (u32) -1) {
++			wpa_printf(MSG_ERROR,
++				   "Line %d: Invalid wpa_pairwise_update_count=%lu; allowed range 1..4294967295",
++				   line, val);
++			return 1;
++		}
++		bss->wpa_pairwise_update_count = (u32) val;
+ 	} else if (os_strcmp(buf, "wpa_passphrase") == 0) {
+ 		int len = os_strlen(pos);
+ 		if (len < 8 || len > 63) {
+diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
+index 314f3842b..1fb1bd987 100644
+--- a/hostapd/hostapd.conf
++++ b/hostapd/hostapd.conf
+@@ -1221,6 +1221,11 @@ own_ip_addr=127.0.0.1
+ # (dot11RSNAConfigGroupRekeyStrict)
+ #wpa_strict_rekey=1
+ 
++# The number of times EAPOL-Key Message 1/2 in the RSN Group Key Handshake is
++#retried per GTK Handshake attempt. (dot11RSNAConfigGroupUpdateCount)
++# Range 1..4294967295; default: 4
++#wpa_group_update_count=4
++
+ # Time interval for rekeying GMK (master key used internally to generate GTKs
+ # (in seconds).
+ #wpa_gmk_rekey=86400
+@@ -1229,6 +1234,12 @@ own_ip_addr=127.0.0.1
+ # PTK to mitigate some attacks against TKIP deficiencies.
+ #wpa_ptk_rekey=600
+ 
++# The number of times EAPOL-Key Message 1/4 and Message 3/4 in the RSN 4-Way
++# Handshake are retried per 4-Way Handshake attempt.
++# (dot11RSNAConfigPairwiseUpdateCount)
++# Range 1..4294967295; default: 4
++#wpa_pairwise_update_count=4
++
+ # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
+ # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
+ # authentication and key handshake before actually associating with a new AP.
+diff --git a/src/ap/ap_config.c b/src/ap/ap_config.c
+index c2b80ad97..9abcab7fb 100644
+--- a/src/ap/ap_config.c
++++ b/src/ap/ap_config.c
+@@ -56,6 +56,8 @@ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
+ 
+ 	bss->wpa_group_rekey = 600;
+ 	bss->wpa_gmk_rekey = 86400;
++	bss->wpa_group_update_count = 4;
++	bss->wpa_pairwise_update_count = 4;
+ 	bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
+ 	bss->wpa_pairwise = WPA_CIPHER_TKIP;
+ 	bss->wpa_group = WPA_CIPHER_TKIP;
+diff --git a/src/ap/ap_config.h b/src/ap/ap_config.h
+index 31b1e7762..7495dc96f 100644
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -330,6 +330,8 @@ struct hostapd_bss_config {
+ 	int wpa_strict_rekey;
+ 	int wpa_gmk_rekey;
+ 	int wpa_ptk_rekey;
++	u32 wpa_group_update_count;
++	u32 wpa_pairwise_update_count;
+ 	int rsn_pairwise;
+ 	int rsn_preauth;
+ 	char *rsn_preauth_interfaces;
+diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
+index 0bd901fbf..8c082f426 100644
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -60,8 +60,6 @@ static void wpa_group_put(struct wpa_authenticator *wpa_auth,
+ 			  struct wpa_group *group);
+ static u8 * ieee80211w_kde_add(struct wpa_state_machine *sm, u8 *pos);
+ 
+-static const u32 dot11RSNAConfigGroupUpdateCount = 4;
+-static const u32 dot11RSNAConfigPairwiseUpdateCount = 4;
+ static const u32 eapol_key_timeout_first = 100; /* ms */
+ static const u32 eapol_key_timeout_subseq = 1000; /* ms */
+ static const u32 eapol_key_timeout_first_group = 500; /* ms */
+@@ -1623,7 +1621,7 @@ static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
+ {
+ 	int timeout_ms;
+ 	int pairwise = key_info & WPA_KEY_INFO_KEY_TYPE;
+-	int ctr;
++	u32 ctr;
+ 
+ 	if (sm == NULL)
+ 		return;
+@@ -1640,7 +1638,7 @@ static void wpa_send_eapol(struct wpa_authenticator *wpa_auth,
+ 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
+ 		sm->pending_1_of_4_timeout = 1;
+ 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
+-		   "counter %d)", timeout_ms, ctr);
++		   "counter %u)", timeout_ms, ctr);
+ 	eloop_register_timeout(timeout_ms / 1000, (timeout_ms % 1000) * 1000,
+ 			       wpa_send_eapol_timeout, wpa_auth, sm);
+ }
+@@ -2002,7 +2000,7 @@ SM_STATE(WPA_PTK, PTKSTART)
+ 	sm->alt_snonce_valid = FALSE;
+ 
+ 	sm->TimeoutCtr++;
+-	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
++	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
+ 		/* No point in sending the EAPOL-Key - we will disconnect
+ 		 * immediately following this. */
+ 		return;
+@@ -2693,7 +2691,7 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
+ 	sm->TimeoutEvt = FALSE;
+ 
+ 	sm->TimeoutCtr++;
+-	if (sm->TimeoutCtr > (int) dot11RSNAConfigPairwiseUpdateCount) {
++	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
+ 		/* No point in sending the EAPOL-Key - we will disconnect
+ 		 * immediately following this. */
+ 		return;
+@@ -2988,11 +2986,12 @@ SM_STEP(WPA_PTK)
+ 		    sm->EAPOLKeyPairwise)
+ 			SM_ENTER(WPA_PTK, PTKCALCNEGOTIATING);
+ 		else if (sm->TimeoutCtr >
+-			 (int) dot11RSNAConfigPairwiseUpdateCount) {
++			 sm->wpa_auth->conf.wpa_pairwise_update_count) {
+ 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
+-			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
+-					 "PTKSTART: Retry limit %d reached",
+-					 dot11RSNAConfigPairwiseUpdateCount);
++			wpa_auth_vlogger(
++				sm->wpa_auth, sm->addr, LOGGER_DEBUG,
++				"PTKSTART: Retry limit %u reached",
++				sm->wpa_auth->conf.wpa_pairwise_update_count);
+ 			SM_ENTER(WPA_PTK, DISCONNECT);
+ 		} else if (sm->TimeoutEvt)
+ 			SM_ENTER(WPA_PTK, PTKSTART);
+@@ -3016,12 +3015,12 @@ SM_STEP(WPA_PTK)
+ 			 sm->EAPOLKeyPairwise && sm->MICVerified)
+ 			SM_ENTER(WPA_PTK, PTKINITDONE);
+ 		else if (sm->TimeoutCtr >
+-			 (int) dot11RSNAConfigPairwiseUpdateCount) {
++			 sm->wpa_auth->conf.wpa_pairwise_update_count) {
+ 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
+-			wpa_auth_vlogger(sm->wpa_auth, sm->addr, LOGGER_DEBUG,
+-					 "PTKINITNEGOTIATING: Retry limit %d "
+-					 "reached",
+-					 dot11RSNAConfigPairwiseUpdateCount);
++			wpa_auth_vlogger(
++				sm->wpa_auth, sm->addr, LOGGER_DEBUG,
++				"PTKINITNEGOTIATING: Retry limit %u reached",
++				sm->wpa_auth->conf.wpa_pairwise_update_count);
+ 			SM_ENTER(WPA_PTK, DISCONNECT);
+ 		} else if (sm->TimeoutEvt)
+ 			SM_ENTER(WPA_PTK, PTKINITNEGOTIATING);
+@@ -3056,7 +3055,7 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING)
+ 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
+ 
+ 	sm->GTimeoutCtr++;
+-	if (sm->GTimeoutCtr > (int) dot11RSNAConfigGroupUpdateCount) {
++	if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
+ 		/* No point in sending the EAPOL-Key - we will disconnect
+ 		 * immediately following this. */
+ 		return;
+@@ -3154,7 +3153,7 @@ SM_STEP(WPA_PTK_GROUP)
+ 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
+ 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
+ 		else if (sm->GTimeoutCtr >
+-			 (int) dot11RSNAConfigGroupUpdateCount)
++			 sm->wpa_auth->conf.wpa_group_update_count)
+ 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
+ 		else if (sm->TimeoutEvt)
+ 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
+@@ -3614,8 +3613,8 @@ int wpa_get_mib(struct wpa_authenticator *wpa_auth, char *buf, size_t buflen)
+ 		"dot11RSNAConfigNumberOfGTKSAReplayCounters=0\n",
+ 		RSN_VERSION,
+ 		!!wpa_auth->conf.wpa_strict_rekey,
+-		dot11RSNAConfigGroupUpdateCount,
+-		dot11RSNAConfigPairwiseUpdateCount,
++		wpa_auth->conf.wpa_group_update_count,
++		wpa_auth->conf.wpa_pairwise_update_count,
+ 		wpa_cipher_key_len(wpa_auth->conf.wpa_group) * 8,
+ 		dot11RSNAConfigPMKLifetime,
+ 		dot11RSNAConfigPMKReauthThreshold,
+diff --git a/src/ap/wpa_auth.h b/src/ap/wpa_auth.h
+index 9cbe3889b..0920a169d 100644
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -144,6 +144,8 @@ struct wpa_auth_config {
+ 	int wpa_strict_rekey;
+ 	int wpa_gmk_rekey;
+ 	int wpa_ptk_rekey;
++	u32 wpa_group_update_count;
++	u32 wpa_pairwise_update_count;
+ 	int rsn_pairwise;
+ 	int rsn_preauth;
+ 	int eapol_version;
+diff --git a/src/ap/wpa_auth_glue.c b/src/ap/wpa_auth_glue.c
+index 22518a1f1..394f77a66 100644
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -41,6 +41,8 @@ static void hostapd_wpa_auth_conf(struct hostapd_bss_config *conf,
+ 	wconf->wpa_strict_rekey = conf->wpa_strict_rekey;
+ 	wconf->wpa_gmk_rekey = conf->wpa_gmk_rekey;
+ 	wconf->wpa_ptk_rekey = conf->wpa_ptk_rekey;
++	wconf->wpa_group_update_count = conf->wpa_group_update_count;
++	wconf->wpa_pairwise_update_count = conf->wpa_pairwise_update_count;
+ 	wconf->rsn_pairwise = conf->rsn_pairwise;
+ 	wconf->rsn_preauth = conf->rsn_preauth;
+ 	wconf->eapol_version = conf->eapol_version;
+diff --git a/src/ap/wpa_auth_i.h b/src/ap/wpa_auth_i.h
+index 065a624ad..cda2c5065 100644
+--- a/src/ap/wpa_auth_i.h
++++ b/src/ap/wpa_auth_i.h
+@@ -48,8 +48,8 @@ struct wpa_state_machine {
+ 	Boolean AuthenticationRequest;
+ 	Boolean ReAuthenticationRequest;
+ 	Boolean Disconnect;
+-	int TimeoutCtr;
+-	int GTimeoutCtr;
++	u32 TimeoutCtr;
++	u32 GTimeoutCtr;
+ 	Boolean TimeoutEvt;
+ 	Boolean EAPOLKeyReceived;
+ 	Boolean EAPOLKeyPairwise;
+diff --git a/wpa_supplicant/ibss_rsn.c b/wpa_supplicant/ibss_rsn.c
+index 521a692ba..954061ae4 100644
+--- a/wpa_supplicant/ibss_rsn.c
++++ b/wpa_supplicant/ibss_rsn.c
+@@ -428,6 +428,8 @@ static int ibss_rsn_auth_init_group(struct ibss_rsn *ibss_rsn,
+ 	conf.wpa_group = WPA_CIPHER_CCMP;
+ 	conf.eapol_version = 2;
+ 	conf.wpa_group_rekey = ssid->group_rekey ? ssid->group_rekey : 600;
++	conf.wpa_group_update_count = 4;
++	conf.wpa_pairwise_update_count = 4;
+ 
+ 	ibss_rsn->auth_group = wpa_init(own_addr, &conf, &cb, ibss_rsn);
+ 	if (ibss_rsn->auth_group == NULL) {
+diff --git a/wpa_supplicant/mesh_rsn.c b/wpa_supplicant/mesh_rsn.c
+index 33040f30b..628382cbf 100644
+--- a/wpa_supplicant/mesh_rsn.c
++++ b/wpa_supplicant/mesh_rsn.c
+@@ -158,6 +158,8 @@ static int __mesh_rsn_auth_init(struct mesh_rsn *rsn, const u8 *addr,
+ 	conf.wpa_group = rsn->group_cipher;
+ 	conf.eapol_version = 0;
+ 	conf.wpa_group_rekey = -1;
++	conf.wpa_group_update_count = 4;
++	conf.wpa_pairwise_update_count = 4;
+ #ifdef CONFIG_IEEE80211W
+ 	conf.ieee80211w = ieee80211w;
+ 	if (ieee80211w != NO_MGMT_FRAME_PROTECTION)
+-- 
+2.13.6
+

package/network/services/hostapd/patches/014-WPA-Extra-defense-against-PTK-reinstalls-in-4-way-ha.patch

@@ -0,0 +1,34 @@
+From a00e946c1c9a1f9cc65c72900d2a444ceb1f872e Mon Sep 17 00:00:00 2001
+From: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+Date: Thu, 5 Oct 2017 23:53:01 +0200
+Subject: [PATCH] WPA: Extra defense against PTK reinstalls in 4-way handshake
+
+Currently, reinstallations of the PTK are prevented by (1) assuring the
+same TPTK is only set once as the PTK, and (2) that one particular PTK
+is only installed once. This patch makes it more explicit that point (1)
+is required to prevent key reinstallations. At the same time, this patch
+hardens wpa_supplicant such that future changes do not accidentally
+break this property.
+
+Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
+---
+ src/rsn_supp/wpa.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -1728,6 +1728,14 @@ static int wpa_supplicant_verify_eapol_k
+ 			sm->ptk_set = 1;
+ 			os_memcpy(&sm->ptk, &sm->tptk, sizeof(sm->ptk));
+ 			os_memset(&sm->tptk, 0, sizeof(sm->tptk));
++			/*
++			 * This assures the same TPTK in sm->tptk can never be
++			 * copied twice to sm->pkt as the new PTK. In
++			 * combination with the installed flag in the wpa_ptk
++			 * struct, this assures the same PTK is only installed
++			 * once.
++			 */
++			sm->renew_snonce = 1;
+ 		}
+ 	}
+ 

package/network/services/hostapd/patches/015-Clear-PMK-length-and-check-for-this-when-deriving-PT.patch

@@ -0,0 +1,53 @@
+From b488a12948751f57871f09baa345e59b23959a41 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Sun, 8 Oct 2017 13:18:02 +0300
+Subject: [PATCH] Clear PMK length and check for this when deriving PTK
+
+Instead of setting the default PMK length for the cleared PMK, set the
+length to 0 and explicitly check for this when deriving PTK to avoid
+unexpected key derivation with an all-zeroes key should it be possible
+to somehow trigger PTK derivation to happen before PMK derivation.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/wpa_common.c | 5 +++++
+ src/rsn_supp/wpa.c      | 7 ++++---
+ 2 files changed, 9 insertions(+), 3 deletions(-)
+
+--- a/src/common/wpa_common.c
++++ b/src/common/wpa_common.c
+@@ -225,6 +225,11 @@ int wpa_pmk_to_ptk(const u8 *pmk, size_t
+ 	u8 tmp[WPA_KCK_MAX_LEN + WPA_KEK_MAX_LEN + WPA_TK_MAX_LEN];
+ 	size_t ptk_len;
+ 
++	if (pmk_len == 0) {
++		wpa_printf(MSG_ERROR, "WPA: No PMK set for PT derivation");
++		return -1;
++	}
++
+ 	if (os_memcmp(addr1, addr2, ETH_ALEN) < 0) {
+ 		os_memcpy(data, addr1, ETH_ALEN);
+ 		os_memcpy(data + ETH_ALEN, addr2, ETH_ALEN);
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -584,7 +584,8 @@ static void wpa_supplicant_process_1_of_
+ 	/* Calculate PTK which will be stored as a temporary PTK until it has
+ 	 * been verified when processing message 3/4. */
+ 	ptk = &sm->tptk;
+-	wpa_derive_ptk(sm, src_addr, key, ptk);
++	if (wpa_derive_ptk(sm, src_addr, key, ptk) < 0)
++		goto failed;
+ 	if (sm->pairwise_cipher == WPA_CIPHER_TKIP) {
+ 		u8 buf[8];
+ 		/* Supplicant: swap tx/rx Mic keys */
+@@ -2705,8 +2706,8 @@ void wpa_sm_set_pmk_from_pmksa(struct wp
+ 		sm->pmk_len = sm->cur_pmksa->pmk_len;
+ 		os_memcpy(sm->pmk, sm->cur_pmksa->pmk, sm->pmk_len);
+ 	} else {
+-		sm->pmk_len = PMK_LEN;
+-		os_memset(sm->pmk, 0, PMK_LEN);
++		sm->pmk_len = 0;
++		os_memset(sm->pmk, 0, PMK_LEN_MAX);
+ 	}
+ }
+ 

package/network/services/hostapd/patches/016-Optional-AP-side-workaround-for-key-reinstallation-a.patch

@@ -0,0 +1,221 @@
+From 6f234c1e2ee1ede29f2412b7012b3345ed8e52d3 Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Mon, 16 Oct 2017 18:37:43 +0300
+Subject: [PATCH] Optional AP side workaround for key reinstallation attacks
+
+This adds a new hostapd configuration parameter
+wpa_disable_eapol_key_retries=1 that can be used to disable
+retransmission of EAPOL-Key frames that are used to install
+keys (EAPOL-Key message 3/4 and group message 1/2). This is
+similar to setting wpa_group_update_count=1 and
+wpa_pairwise_update_count=1, but with no impact to message 1/4
+retries and with extended timeout for messages 4/4 and group
+message 2/2 to avoid causing issues with stations that may use
+aggressive power saving have very long time in replying to the
+EAPOL-Key messages.
+
+This option can be used to work around key reinstallation attacks
+on the station (supplicant) side in cases those station devices
+cannot be updated for some reason. By removing the
+retransmissions the attacker cannot cause key reinstallation with
+a delayed frame transmission. This is related to the station side
+vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
+CVE-2017-13080, and CVE-2017-13081.
+
+This workaround might cause interoperability issues and reduced
+robustness of key negotiation especially in environments with
+heavy traffic load due to the number of attempts to perform the
+key exchange is reduced significantly. As such, this workaround
+is disabled by default (unless overridden in build
+configuration). To enable this, set the parameter to 1.
+
+It is also possible to enable this in the build by default by
+adding the following to the build configuration:
+
+CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ hostapd/config_file.c  |  2 ++
+ hostapd/defconfig      |  4 ++++
+ hostapd/hostapd.conf   | 24 ++++++++++++++++++++++++
+ src/ap/ap_config.c     |  6 ++++++
+ src/ap/ap_config.h     |  1 +
+ src/ap/wpa_auth.c      | 22 ++++++++++++++++++++--
+ src/ap/wpa_auth.h      |  1 +
+ src/ap/wpa_auth_glue.c |  2 ++
+ 8 files changed, 60 insertions(+), 2 deletions(-)
+
+--- a/hostapd/config_file.c
++++ b/hostapd/config_file.c
+@@ -2515,6 +2515,8 @@ static int hostapd_config_fill(struct ho
+ 			return 1;
+ 		}
+ 		bss->wpa_pairwise_update_count = (u32) val;
++	} else if (os_strcmp(buf, "wpa_disable_eapol_key_retries") == 0) {
++		bss->wpa_disable_eapol_key_retries = atoi(pos);
+ 	} else if (os_strcmp(buf, "wpa_passphrase") == 0) {
+ 		int len = os_strlen(pos);
+ 		if (len < 8 || len > 63) {
+--- a/hostapd/defconfig
++++ b/hostapd/defconfig
+@@ -355,3 +355,7 @@ CONFIG_IPV6=y
+ # Include internal line edit mode in hostapd_cli. This can be used to provide
+ # limited command line editing and history support.
+ #CONFIG_WPA_CLI_EDIT=y
++
++# Override default value for the wpa_disable_eapol_key_retries configuration
++# parameter. See that parameter in hostapd.conf for more details.
++#CFLAGS += -DDEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES=1
+--- a/hostapd/hostapd.conf
++++ b/hostapd/hostapd.conf
+@@ -1240,6 +1240,30 @@ own_ip_addr=127.0.0.1
+ # Range 1..4294967295; default: 4
+ #wpa_pairwise_update_count=4
+ 
++# Workaround for key reinstallation attacks
++#
++# This parameter can be used to disable retransmission of EAPOL-Key frames that
++# are used to install keys (EAPOL-Key message 3/4 and group message 1/2). This
++# is similar to setting wpa_group_update_count=1 and
++# wpa_pairwise_update_count=1, but with no impact to message 1/4 and with
++# extended timeout on the response to avoid causing issues with stations that
++# may use aggressive power saving have very long time in replying to the
++# EAPOL-Key messages.
++#
++# This option can be used to work around key reinstallation attacks on the
++# station (supplicant) side in cases those station devices cannot be updated
++# for some reason. By removing the retransmissions the attacker cannot cause
++# key reinstallation with a delayed frame transmission. This is related to the
++# station side vulnerabilities CVE-2017-13077, CVE-2017-13078, CVE-2017-13079,
++# CVE-2017-13080, and CVE-2017-13081.
++#
++# This workaround might cause interoperability issues and reduced robustness of
++# key negotiation especially in environments with heavy traffic load due to the
++# number of attempts to perform the key exchange is reduced significantly. As
++# such, this workaround is disabled by default (unless overridden in build
++# configuration). To enable this, set the parameter to 1.
++#wpa_disable_eapol_key_retries=1
++
+ # Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up
+ # roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN
+ # authentication and key handshake before actually associating with a new AP.
+--- a/src/ap/ap_config.c
++++ b/src/ap/ap_config.c
+@@ -36,6 +36,10 @@ static void hostapd_config_free_vlan(str
+ }
+ 
+ 
++#ifndef DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES
++#define DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES 0
++#endif /* DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES */
++
+ void hostapd_config_defaults_bss(struct hostapd_bss_config *bss)
+ {
+ 	dl_list_init(&bss->anqp_elem);
+@@ -57,6 +61,8 @@ void hostapd_config_defaults_bss(struct
+ 	bss->wpa_gmk_rekey = 86400;
+ 	bss->wpa_group_update_count = 4;
+ 	bss->wpa_pairwise_update_count = 4;
++	bss->wpa_disable_eapol_key_retries =
++		DEFAULT_WPA_DISABLE_EAPOL_KEY_RETRIES;
+ 	bss->wpa_key_mgmt = WPA_KEY_MGMT_PSK;
+ 	bss->wpa_pairwise = WPA_CIPHER_TKIP;
+ 	bss->wpa_group = WPA_CIPHER_TKIP;
+--- a/src/ap/ap_config.h
++++ b/src/ap/ap_config.h
+@@ -332,6 +332,7 @@ struct hostapd_bss_config {
+ 	int wpa_ptk_rekey;
+ 	u32 wpa_group_update_count;
+ 	u32 wpa_pairwise_update_count;
++	int wpa_disable_eapol_key_retries;
+ 	int rsn_pairwise;
+ 	int rsn_preauth;
+ 	char *rsn_preauth_interfaces;
+--- a/src/ap/wpa_auth.c
++++ b/src/ap/wpa_auth.c
+@@ -63,6 +63,7 @@ static u8 * ieee80211w_kde_add(struct wp
+ static const u32 eapol_key_timeout_first = 100; /* ms */
+ static const u32 eapol_key_timeout_subseq = 1000; /* ms */
+ static const u32 eapol_key_timeout_first_group = 500; /* ms */
++static const u32 eapol_key_timeout_no_retrans = 4000; /* ms */
+ 
+ /* TODO: make these configurable */
+ static const int dot11RSNAConfigPMKLifetime = 43200;
+@@ -1629,6 +1630,9 @@ static void wpa_send_eapol(struct wpa_au
+ 			eapol_key_timeout_first_group;
+ 	else
+ 		timeout_ms = eapol_key_timeout_subseq;
++	if (wpa_auth->conf.wpa_disable_eapol_key_retries &&
++	    (!pairwise || (key_info & WPA_KEY_INFO_MIC)))
++		timeout_ms = eapol_key_timeout_no_retrans;
+ 	if (pairwise && ctr == 1 && !(key_info & WPA_KEY_INFO_MIC))
+ 		sm->pending_1_of_4_timeout = 1;
+ 	wpa_printf(MSG_DEBUG, "WPA: Use EAPOL-Key timeout of %u ms (retry "
+@@ -2700,6 +2704,11 @@ SM_STATE(WPA_PTK, PTKINITNEGOTIATING)
+ 	sm->TimeoutEvt = FALSE;
+ 
+ 	sm->TimeoutCtr++;
++	if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
++	    sm->TimeoutCtr > 1) {
++		/* Do not allow retransmission of EAPOL-Key msg 3/4 */
++		return;
++	}
+ 	if (sm->TimeoutCtr > sm->wpa_auth->conf.wpa_pairwise_update_count) {
+ 		/* No point in sending the EAPOL-Key - we will disconnect
+ 		 * immediately following this. */
+@@ -3027,7 +3036,9 @@ SM_STEP(WPA_PTK)
+ 			 sm->EAPOLKeyPairwise && sm->MICVerified)
+ 			SM_ENTER(WPA_PTK, PTKINITDONE);
+ 		else if (sm->TimeoutCtr >
+-			 sm->wpa_auth->conf.wpa_pairwise_update_count) {
++			 sm->wpa_auth->conf.wpa_pairwise_update_count ||
++			 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
++			  sm->TimeoutCtr > 1)) {
+ 			wpa_auth->dot11RSNA4WayHandshakeFailures++;
+ 			wpa_auth_vlogger(
+ 				sm->wpa_auth, sm->addr, LOGGER_DEBUG,
+@@ -3067,6 +3078,11 @@ SM_STATE(WPA_PTK_GROUP, REKEYNEGOTIATING
+ 	SM_ENTRY_MA(WPA_PTK_GROUP, REKEYNEGOTIATING, wpa_ptk_group);
+ 
+ 	sm->GTimeoutCtr++;
++	if (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
++	    sm->GTimeoutCtr > 1) {
++		/* Do not allow retransmission of EAPOL-Key group msg 1/2 */
++		return;
++	}
+ 	if (sm->GTimeoutCtr > sm->wpa_auth->conf.wpa_group_update_count) {
+ 		/* No point in sending the EAPOL-Key - we will disconnect
+ 		 * immediately following this. */
+@@ -3165,7 +3181,9 @@ SM_STEP(WPA_PTK_GROUP)
+ 		    !sm->EAPOLKeyPairwise && sm->MICVerified)
+ 			SM_ENTER(WPA_PTK_GROUP, REKEYESTABLISHED);
+ 		else if (sm->GTimeoutCtr >
+-			 sm->wpa_auth->conf.wpa_group_update_count)
++			 sm->wpa_auth->conf.wpa_group_update_count ||
++			 (sm->wpa_auth->conf.wpa_disable_eapol_key_retries &&
++			  sm->GTimeoutCtr > 1))
+ 			SM_ENTER(WPA_PTK_GROUP, KEYERROR);
+ 		else if (sm->TimeoutEvt)
+ 			SM_ENTER(WPA_PTK_GROUP, REKEYNEGOTIATING);
+--- a/src/ap/wpa_auth.h
++++ b/src/ap/wpa_auth.h
+@@ -146,6 +146,7 @@ struct wpa_auth_config {
+ 	int wpa_ptk_rekey;
+ 	u32 wpa_group_update_count;
+ 	u32 wpa_pairwise_update_count;
++	int wpa_disable_eapol_key_retries;
+ 	int rsn_pairwise;
+ 	int rsn_preauth;
+ 	int eapol_version;
+--- a/src/ap/wpa_auth_glue.c
++++ b/src/ap/wpa_auth_glue.c
+@@ -42,6 +42,8 @@ static void hostapd_wpa_auth_conf(struct
+ 	wconf->wpa_gmk_rekey = conf->wpa_gmk_rekey;
+ 	wconf->wpa_ptk_rekey = conf->wpa_ptk_rekey;
+ 	wconf->wpa_group_update_count = conf->wpa_group_update_count;
++	wconf->wpa_disable_eapol_key_retries =
++		conf->wpa_disable_eapol_key_retries;
+ 	wconf->wpa_pairwise_update_count = conf->wpa_pairwise_update_count;
+ 	wconf->rsn_pairwise = conf->rsn_pairwise;
+ 	wconf->rsn_preauth = conf->rsn_preauth;

package/network/services/hostapd/patches/017-Additional-consistentcy-checks-for-PTK-component-len.patch

@@ -0,0 +1,92 @@
+From a6ea665300919d6a3af22b1f4237203647fda93a Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 17 Oct 2017 00:01:11 +0300
+Subject: [PATCH] Additional consistentcy checks for PTK component lengths
+
+Verify that TK, KCK, and KEK lengths are set to consistent values within
+struct wpa_ptk before using them in supplicant. This is an additional
+layer of protection against unexpected states.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/common/wpa_common.c |  6 ++++++
+ src/rsn_supp/wpa.c      | 26 ++++++++++++++++++++------
+ 2 files changed, 26 insertions(+), 6 deletions(-)
+
+--- a/src/common/wpa_common.c
++++ b/src/common/wpa_common.c
+@@ -93,6 +93,12 @@ int wpa_eapol_key_mic(const u8 *key, siz
+ {
+ 	u8 hash[SHA384_MAC_LEN];
+ 
++	if (key_len == 0) {
++		wpa_printf(MSG_DEBUG,
++			   "WPA: KCK not set - cannot calculate MIC");
++		return -1;
++	}
++
+ 	switch (ver) {
+ #ifndef CONFIG_FIPS
+ 	case WPA_KEY_INFO_TYPE_HMAC_MD5_RC4:
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -710,6 +710,11 @@ static int wpa_supplicant_install_ptk(st
+ 
+ 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
+ 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
++	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
++		wpa_printf(MSG_DEBUG, "WPA: TK length mismatch: %d != %lu",
++			   keylen, (long unsigned int) sm->ptk.tk_len);
++		return -1;
++	}
+ 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
+ 
+ 	if (sm->proto == WPA_PROTO_RSN || sm->proto == WPA_PROTO_OSEN) {
+@@ -730,6 +735,7 @@ static int wpa_supplicant_install_ptk(st
+ 
+ 	/* TK is not needed anymore in supplicant */
+ 	os_memset(sm->ptk.tk, 0, WPA_TK_MAX_LEN);
++	sm->ptk.tk_len = 0;
+ 	sm->ptk.installed = 1;
+ 
+ 	if (sm->wpa_ptk_rekey) {
+@@ -1699,9 +1705,10 @@ static int wpa_supplicant_verify_eapol_k
+ 	os_memcpy(mic, key + 1, mic_len);
+ 	if (sm->tptk_set) {
+ 		os_memset(key + 1, 0, mic_len);
+-		wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len, sm->key_mgmt,
+-				  ver, buf, len, (u8 *) (key + 1));
+-		if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
++		if (wpa_eapol_key_mic(sm->tptk.kck, sm->tptk.kck_len,
++				      sm->key_mgmt,
++				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
++		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
+ 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ 				"WPA: Invalid EAPOL-Key MIC "
+ 				"when using TPTK - ignoring TPTK");
+@@ -1724,9 +1731,10 @@ static int wpa_supplicant_verify_eapol_k
+ 
+ 	if (!ok && sm->ptk_set) {
+ 		os_memset(key + 1, 0, mic_len);
+-		wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len, sm->key_mgmt,
+-				  ver, buf, len, (u8 *) (key + 1));
+-		if (os_memcmp_const(mic, key + 1, mic_len) != 0) {
++		if (wpa_eapol_key_mic(sm->ptk.kck, sm->ptk.kck_len,
++				      sm->key_mgmt,
++				      ver, buf, len, (u8 *) (key + 1)) < 0 ||
++		    os_memcmp_const(mic, key + 1, mic_len) != 0) {
+ 			wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
+ 				"WPA: Invalid EAPOL-Key MIC - "
+ 				"dropping packet");
+@@ -3689,6 +3697,11 @@ int fils_process_assoc_resp(struct wpa_s
+ 
+ 	alg = wpa_cipher_to_alg(sm->pairwise_cipher);
+ 	keylen = wpa_cipher_key_len(sm->pairwise_cipher);
++	if (keylen <= 0 || (unsigned int) keylen != sm->ptk.tk_len) {
++		wpa_printf(MSG_DEBUG, "FILS: TK length mismatch: %u != %lu",
++			   keylen, (long unsigned int) sm->ptk.tk_len);
++		goto fail;
++	}
+ 	rsclen = wpa_cipher_rsc_len(sm->pairwise_cipher);
+ 	wpa_hexdump_key(MSG_DEBUG, "FILS: Set TK to driver",
+ 			sm->ptk.tk, keylen);

package/network/services/hostapd/patches/018-Clear-BSSID-information-in-supplicant-state-machine-.patch

@@ -0,0 +1,25 @@
+From c0fe5f125a9d4a6564e1f4956ccc3809bf2fd69d Mon Sep 17 00:00:00 2001
+From: Jouni Malinen <j@w1.fi>
+Date: Tue, 17 Oct 2017 01:15:24 +0300
+Subject: [PATCH] Clear BSSID information in supplicant state machine on
+ disconnection
+
+This fixes a corner case where RSN pre-authentication candidate from
+scan results was ignored if the station was associated with that BSS
+just before running the new scan for the connection.
+
+Signed-off-by: Jouni Malinen <j@w1.fi>
+---
+ src/rsn_supp/wpa.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/src/rsn_supp/wpa.c
++++ b/src/rsn_supp/wpa.c
+@@ -2662,6 +2662,7 @@ void wpa_sm_notify_disassoc(struct wpa_s
+ 	wpa_sm_drop_sa(sm);
+ 
+ 	sm->msg_3_of_4_ok = 0;
++	os_memset(sm->bssid, 0, ETH_ALEN);
+ }
+ 
+ 

package/network/services/hostapd/patches/380-disable_ctrl_iface_mib.patch

@@ -129,7 +129,7 @@
  static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
 --- a/src/ap/wpa_auth.c
 +++ b/src/ap/wpa_auth.c
-@@ -3544,6 +3544,7 @@ static const char * wpa_bool_txt(int val
+@@ -3565,6 +3565,7 @@ static const char * wpa_bool_txt(int val
  	return val ? "TRUE" : "FALSE";
  }
  
@@ -137,7 +137,7 @@
  
  #define RSN_SUITE "%02x-%02x-%02x-%d"
  #define RSN_SUITE_ARG(s) \
-@@ -3688,7 +3689,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
+@@ -3709,7 +3710,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
  
  	return len;
  }
@@ -148,7 +148,7 @@
  {
 --- a/src/rsn_supp/wpa.c
 +++ b/src/rsn_supp/wpa.c
-@@ -2252,6 +2252,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
+@@ -2308,6 +2308,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
  }
  
  
@@ -157,7 +157,7 @@
  #define RSN_SUITE "%02x-%02x-%02x-%d"
  #define RSN_SUITE_ARG(s) \
  ((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
-@@ -2335,6 +2337,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
+@@ -2391,6 +2393,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
  
  	return (int) len;
  }

package/network/services/hostapd/patches/600-ubus_support.patch

@@ -121,7 +121,7 @@
  	if (res == HOSTAPD_ACL_PENDING) {
  		wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
  			   " waiting for an external authentication",
-@@ -2391,7 +2405,7 @@ static u16 send_assoc_resp(struct hostap
+@@ -2401,7 +2415,7 @@ static u16 send_assoc_resp(struct hostap
  
  static void handle_assoc(struct hostapd_data *hapd,
  			 const struct ieee80211_mgmt *mgmt, size_t len,
@@ -130,7 +130,7 @@
  {
  	u16 capab_info, listen_interval, seq_ctrl, fc;
  	u16 resp = WLAN_STATUS_SUCCESS, reply_res;
-@@ -2399,6 +2413,11 @@ static void handle_assoc(struct hostapd_
+@@ -2409,6 +2423,11 @@ static void handle_assoc(struct hostapd_
  	int left, i;
  	struct sta_info *sta;
  	u8 *tmp = NULL;
@@ -142,7 +142,7 @@
  
  	if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
  				      sizeof(mgmt->u.assoc_req))) {
-@@ -2518,6 +2537,13 @@ static void handle_assoc(struct hostapd_
+@@ -2528,6 +2547,13 @@ static void handle_assoc(struct hostapd_
  	}
  #endif /* CONFIG_MBO */
  
@@ -156,7 +156,7 @@
  	/*
  	 * sta->capability is used in check_assoc_ies() for RRM enabled
  	 * capability element.
-@@ -3025,7 +3051,7 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3035,7 +3061,7 @@ int ieee802_11_mgmt(struct hostapd_data
  
  
  	if (stype == WLAN_FC_STYPE_PROBE_REQ) {
@@ -165,7 +165,7 @@
  		return 1;
  	}
  
-@@ -3043,17 +3069,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -3053,17 +3079,17 @@ int ieee802_11_mgmt(struct hostapd_data
  	switch (stype) {
  	case WLAN_FC_STYPE_AUTH:
  		wpa_printf(MSG_DEBUG, "mgmt::auth");

package/network/services/odhcpd/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=odhcpd
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/odhcpd.git
-PKG_SOURCE_DATE:=2017-04-28
-PKG_SOURCE_VERSION:=9268ca65d6e000b6cd4ed72d4a8fa427dada6f06
-PKG_MIRROR_HASH:=3c375291de38034f0965c92e509ca17788d3b31fe13abbc8f541b2e2452bc7fe
+PKG_SOURCE_DATE:=2017-10-02
+PKG_SOURCE_VERSION:=c6f3d5d4ea5154e5971fa0b1b1e9a9c07119429f
+PKG_MIRROR_HASH:=5ce8f52b5c6acea27d9733918e9c3bc8a154d516a02eef9b172c5e3d459f494c
 
 PKG_MAINTAINER:=Hans Dedecker <dedeckeh@gmail.com>
 PKG_LICENSE:=GPL-2.0

package/network/services/odhcpd/files/odhcpd.defaults

@@ -2,12 +2,27 @@
 uci -q get dhcp.odhcpd && exit 0
 touch /etc/config/dhcp
 
+. /usr/share/libubox/jshn.sh
+
+json_load "$(cat /etc/board.json)"
+json_select network
+json_select lan
+json_get_vars protocol
+json_select ..
+json_select ..
+
+case "$protocol" in
+# only enable server mode on statically addressed lan ports
+"static") MODE=server ;;
+*) MODE=disabled ;;
+esac
+
 uci batch <<EOF
 set dhcp.odhcpd=odhcpd
 set dhcp.odhcpd.maindhcp=0
 set dhcp.odhcpd.leasefile=/tmp/hosts/odhcpd
 set dhcp.odhcpd.leasetrigger=/usr/sbin/odhcpd-update
-set dhcp.lan.dhcpv6=server
-set dhcp.lan.ra=server
+set dhcp.lan.dhcpv6=$MODE
+set dhcp.lan.ra=$MODE
 commit dhcp
 EOF

package/network/services/openvpn/Makefile

@@ -9,14 +9,15 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.2
-PKG_RELEASE:=1
+PKG_VERSION:=2.4.3
+PKG_RELEASE:=2
 
 PKG_SOURCE_URL:=\
 	https://build.openvpn.net/downloads/releases/ \
-	https://swupdate.openvpn.net/community/releases/
+	https://swupdate.openvpn.net/community/releases/ \
+	http://www.eurephia.net/openvpn/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=df5c4f384b7df6b08a2f6fa8a84b9fd382baf59c2cef1836f82e2a7f62f1bff9
+PKG_HASH:=7aa86167a5b8923e54e8795b814ed77288c793671f59fd830d9ab76d4b480571
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>

package/network/services/openvpn/files/openvpn.options

@@ -30,6 +30,7 @@ ecdh_curve
 echo
 engine
 explicit_exit_notify
+extra_certs
 fragment
 group
 hand_window

package/network/services/openvpn/patches/001-reproducible-remove_DATE.patch

@@ -1,6 +1,6 @@
 --- a/src/openvpn/options.c
 +++ b/src/openvpn/options.c
-@@ -107,7 +107,6 @@ const char title_string[] =
+@@ -106,7 +106,6 @@ const char title_string[] =
  #ifdef HAVE_AEAD_CIPHER_MODES
      " [AEAD]"
  #endif

package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch

@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1337,7 +1337,7 @@ const char *
+@@ -1336,7 +1336,7 @@ const char *
  get_ssl_library_version(void)
  {
      static char mbedtls_version[30];

package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1058,37 +1058,14 @@ dnl
+@@ -1076,37 +1076,14 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then

package/network/services/openvpn/patches/220-disable_des.patch

@@ -1,6 +1,6 @@
 --- a/src/openvpn/syshead.h
 +++ b/src/openvpn/syshead.h
-@@ -594,11 +594,11 @@ socket_defined(const socket_descriptor_t
+@@ -597,11 +597,11 @@ socket_defined(const socket_descriptor_t
  /*
   * Should we include NTLM proxy functionality
   */
@@ -18,7 +18,7 @@
   * Should we include proxy digest auth functionality
 --- a/src/openvpn/crypto_mbedtls.c
 +++ b/src/openvpn/crypto_mbedtls.c
-@@ -320,6 +320,7 @@ int
+@@ -319,6 +319,7 @@ int
  key_des_num_cblocks(const mbedtls_cipher_info_t *kt)
  {
      int ret = 0;
@@ -26,7 +26,7 @@
      if (kt->type == MBEDTLS_CIPHER_DES_CBC)
      {
          ret = 1;
-@@ -332,6 +333,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -331,6 +332,7 @@ key_des_num_cblocks(const mbedtls_cipher
      {
          ret = 3;
      }
@@ -34,7 +34,7 @@
  
      dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: n_DES_cblocks=%d", ret);
      return ret;
-@@ -340,6 +342,7 @@ key_des_num_cblocks(const mbedtls_cipher
+@@ -339,6 +341,7 @@ key_des_num_cblocks(const mbedtls_cipher
  bool
  key_des_check(uint8_t *key, int key_len, int ndc)
  {
@@ -42,7 +42,7 @@
      int i;
      struct buffer b;
  
-@@ -368,11 +371,15 @@ key_des_check(uint8_t *key, int key_len,
+@@ -367,11 +370,15 @@ key_des_check(uint8_t *key, int key_len,
  
  err:
      return false;
@@ -58,7 +58,7 @@
      int i;
      struct buffer b;
  
-@@ -387,6 +394,7 @@ key_des_fixup(uint8_t *key, int key_len,
+@@ -386,6 +393,7 @@ key_des_fixup(uint8_t *key, int key_len,
          }
          mbedtls_des_key_set_parity(key);
      }
@@ -66,7 +66,7 @@
  }
  
  /*
-@@ -698,10 +706,12 @@ cipher_des_encrypt_ecb(const unsigned ch
+@@ -710,10 +718,12 @@ cipher_des_encrypt_ecb(const unsigned ch
                         unsigned char *src,
                         unsigned char *dst)
  {

package/network/services/uhttpd/Makefile

@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/uhttpd.git
-PKG_SOURCE_DATE:=2016-10-25
-PKG_SOURCE_VERSION:=1628fa4b34aa143187353f81e8001b9a15286bda
-PKG_MIRROR_HASH:=2ac4ba8dc0b349d72174aac9ff693a73a214295a9890fe3d2a8eedcad54d06e3
+PKG_SOURCE_DATE:=2017-08-19
+PKG_SOURCE_VERSION:=3fd58e9b6da7d9e1a4710dbeefc2d289baea09fb
+PKG_MIRROR_HASH:=69bba3b04c5e1975b99dee4fc47672ebf5ab282f115249a46be0fe0b961eb34b
 PKG_MAINTAINER:=Felix Fietkau <nbd@nbd.name>
 PKG_LICENSE:=ISC
 

package/network/services/wireguard/Makefile

@@ -0,0 +1,116 @@
+#
+# Copyright (C) 2016-2017 Jason A. Donenfeld <Jason@zx2c4.com>
+# Copyright (C) 2016 Baptiste Jonglez <openwrt@bitsofnetworks.org>
+# Copyright (C) 2016-2017 Dan Luedtke <mail@danrl.com>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+
+include $(TOPDIR)/rules.mk
+include $(INCLUDE_DIR)/kernel.mk
+
+PKG_NAME:=wireguard
+
+PKG_VERSION:=0.0.20171017
+PKG_RELEASE:=1
+
+PKG_SOURCE:=WireGuard-$(PKG_VERSION).tar.xz
+PKG_SOURCE_URL:=https://git.zx2c4.com/WireGuard/snapshot/
+PKG_HASH:=57b79a62874d9b99659a744513d4f6f9d88cb772deaa99e485b6fed3004a35cd
+
+PKG_LICENSE:=GPL-2.0 Apache-2.0
+PKG_LICENSE_FILES:=COPYING
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/WireGuard-$(PKG_VERSION)
+PKG_BUILD_PARALLEL:=1
+PKG_USE_MIPS16:=0
+
+# WireGuard's makefile needs this to know where to build the kernel module
+export KERNELDIR:=$(LINUX_DIR)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/wireguard/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=VPN
+  URL:=https://www.wireguard.com
+  MAINTAINER:=Baptiste Jonglez <openwrt@bitsofnetworks.org>, \
+              Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>, \
+              Dan Luedtke <mail@danrl.com>, \
+              Jason A. Donenfeld <Jason@zx2c4.com>
+endef
+
+define Package/wireguard/Default/description
+  WireGuard is a novel VPN that runs inside the Linux Kernel and utilizes
+  state-of-the-art cryptography. It aims to be faster, simpler, leaner, and
+  more useful than IPSec, while avoiding the massive headache. It intends to
+  be considerably more performant than OpenVPN.  WireGuard is designed as a
+  general purpose VPN for running on embedded interfaces and super computers
+  alike, fit for many different circumstances. It uses UDP.
+endef
+
+define Package/wireguard
+  $(call Package/wireguard/Default)
+  TITLE:=WireGuard meta-package
+  DEPENDS:=+wireguard-tools +kmod-wireguard
+endef
+
+include $(INCLUDE_DIR)/kernel-defaults.mk
+include $(INCLUDE_DIR)/package-defaults.mk
+
+# Used by Build/Compile/Default
+MAKE_PATH:=src/tools
+
+define Build/Compile
+	$(MAKE) $(KERNEL_MAKEOPTS) M="$(PKG_BUILD_DIR)/src" modules
+	$(call Build/Compile/Default)
+endef
+
+define Package/wireguard/install
+  true
+endef
+
+define Package/wireguard/description
+  $(call Package/wireguard/Default/description)
+endef
+
+define Package/wireguard-tools
+  $(call Package/wireguard/Default)
+  TITLE:=WireGuard userspace control program (wg)
+  DEPENDS:=+libmnl +ip
+endef
+
+define Package/wireguard-tools/description
+  $(call Package/wireguard/Default/description)
+
+  This package provides the userspace control program for WireGuard,
+  `wg(8)`, and a netifd protocol helper.
+endef
+
+define Package/wireguard-tools/install
+	$(INSTALL_DIR) $(1)/usr/bin/
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/src/tools/wg $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/lib/netifd/proto/
+	$(INSTALL_BIN) ./files/wireguard.sh $(1)/lib/netifd/proto/
+endef
+
+define KernelPackage/wireguard
+  SECTION:=kernel
+  CATEGORY:=Kernel modules
+  SUBMENU:=Network Support
+  TITLE:=WireGuard kernel module
+  DEPENDS:=+IPV6:kmod-udptunnel6 +kmod-udptunnel4
+  FILES:= $(PKG_BUILD_DIR)/src/wireguard.$(LINUX_KMOD_SUFFIX)
+  AUTOLOAD:=$(call AutoProbe,wireguard)
+endef
+
+define KernelPackage/wireguard/description
+  $(call Package/wireguard/Default/description)
+
+  This package provides the kernel module for WireGuard.
+endef
+
+$(eval $(call BuildPackage,wireguard))
+$(eval $(call BuildPackage,wireguard-tools))
+$(eval $(call KernelPackage,wireguard))

package/network/services/wireguard/files/wireguard.sh

@@ -0,0 +1,192 @@
+#!/bin/sh
+# Copyright 2016-2017 Dan Luedtke <mail@danrl.com>
+# Licensed to the public under the Apache License 2.0.
+
+
+WG=/usr/bin/wg
+if [ ! -x $WG ]; then
+  logger -t "wireguard" "error: missing wireguard-tools (${WG})"
+  exit 0
+fi
+
+
+[ -n "$INCLUDE_ONLY" ] || {
+  . /lib/functions.sh
+  . ../netifd-proto.sh
+  init_proto "$@"
+}
+
+
+proto_wireguard_init_config() {
+  proto_config_add_string "private_key"
+  proto_config_add_int    "listen_port"
+  proto_config_add_int    "mtu"
+  proto_config_add_string "fwmark"
+  available=1
+  no_proto_task=1
+}
+
+
+proto_wireguard_setup_peer() {
+  local peer_config="$1"
+
+  local public_key
+  local preshared_key
+  local allowed_ips
+  local route_allowed_ips
+  local endpoint_host
+  local endpoint_port
+  local persistent_keepalive
+
+  config_get      public_key           "${peer_config}" "public_key"
+  config_get      preshared_key        "${peer_config}" "preshared_key"
+  config_get      allowed_ips          "${peer_config}" "allowed_ips"
+  config_get_bool route_allowed_ips    "${peer_config}" "route_allowed_ips" 0
+  config_get      endpoint_host        "${peer_config}" "endpoint_host"
+  config_get      endpoint_port        "${peer_config}" "endpoint_port"
+  config_get      persistent_keepalive "${peer_config}" "persistent_keepalive"
+
+  # peer configuration
+  echo "[Peer]"                                         >> "${wg_cfg}"
+  echo "PublicKey=${public_key}"                        >> "${wg_cfg}"
+  if [ "${preshared_key}" ]; then
+    echo "PresharedKey=${preshared_key}"                >> "${wg_cfg}"
+  fi
+  for allowed_ip in $allowed_ips; do
+    echo "AllowedIPs=${allowed_ip}"                     >> "${wg_cfg}"
+  done
+  if [ "${endpoint_host}" ]; then
+    case "${endpoint_host}" in
+      *:*)
+        endpoint="[${endpoint_host}]"
+      ;;
+      *)
+        endpoint="${endpoint_host}"
+      ;;
+    esac
+    if [ "${endpoint_port}" ]; then
+      endpoint="${endpoint}:${endpoint_port}"
+    else
+      endpoint="${endpoint}:51820"
+    fi
+    echo "Endpoint=${endpoint}"                         >> "${wg_cfg}"
+  fi
+  if [ "${persistent_keepalive}" ]; then
+    echo "PersistentKeepalive=${persistent_keepalive}"  >> "${wg_cfg}"
+  fi
+
+  # add routes for allowed ips
+  if [ ${route_allowed_ips} -ne 0 ]; then
+    for allowed_ip in ${allowed_ips}; do
+      case "${allowed_ip}" in
+        *:*/*)
+          proto_add_ipv6_route "${allowed_ip%%/*}" "${allowed_ip##*/}"
+        ;;
+        *.*/*)
+          proto_add_ipv4_route "${allowed_ip%%/*}" "${allowed_ip##*/}"
+        ;;
+        *:*)
+          proto_add_ipv6_route "${allowed_ip%%/*}" "128"
+        ;;
+        *.*)
+          proto_add_ipv4_route "${allowed_ip%%/*}" "32"
+        ;;
+      esac
+    done
+  fi
+}
+
+
+proto_wireguard_setup() {
+  local config="$1"
+  local wg_dir="/tmp/wireguard"
+  local wg_cfg="${wg_dir}/${config}"
+
+  local private_key
+  local listen_port
+  local mtu
+
+  # load configuration
+  config_load network
+  config_get private_key   "${config}" "private_key"
+  config_get listen_port   "${config}" "listen_port"
+  config_get addresses     "${config}" "addresses"
+  config_get mtu           "${config}" "mtu"
+  config_get fwmark        "${config}" "fwmark"
+
+  # create interface
+  ip link del dev "${config}" 2>/dev/null
+  ip link add dev "${config}" type wireguard
+
+  if [ "${mtu}" ]; then
+    ip link set mtu "${mtu}" dev "${config}"
+  fi
+
+  proto_init_update "${config}" 1
+
+  # generate configuration file
+  umask 077
+  mkdir -p "${wg_dir}"
+  echo "[Interface]"                     >  "${wg_cfg}"
+  echo "PrivateKey=${private_key}"       >> "${wg_cfg}"
+  if [ "${listen_port}" ]; then
+    echo "ListenPort=${listen_port}"     >> "${wg_cfg}"
+  fi
+  if [ "${fwmark}" ]; then
+    echo "FwMark=${fwmark}" >> "${wg_cfg}"
+  fi
+  config_foreach proto_wireguard_setup_peer "wireguard_${config}"
+
+  # apply configuration file
+  ${WG} setconf ${config} "${wg_cfg}"
+  WG_RETURN=$?
+
+  # delete configuration file
+  rm -f "${wg_cfg}"
+
+  # check status
+  if [ ${WG_RETURN} -ne 0 ]; then
+    sleep 5
+    proto_setup_failed "${config}"
+    exit 1
+  fi
+
+  # add ip addresses
+  for address in ${addresses}; do
+    case "${address}" in
+      *:*/*)
+        proto_add_ipv6_address "${address%%/*}" "${address##*/}"
+      ;;
+      *.*/*)
+        proto_add_ipv4_address "${address%%/*}" "${address##*/}"
+      ;;
+      *:*)
+        proto_add_ipv6_address "${address%%/*}" "128"
+      ;;
+      *.*)
+        proto_add_ipv4_address "${address%%/*}" "32"
+      ;;
+    esac
+  done
+
+  # endpoint dependency
+  wg show "${config}" endpoints | \
+    sed -E 's/\[?([0-9.:a-f]+)\]?:([0-9]+)/\1 \2/' | \
+    while IFS=$'\t ' read -r key address port; do
+    [ -n "${port}" ] || continue
+    proto_add_host_dependency "${config}" "${address}"
+  done
+
+  proto_send_update "${config}"
+}
+
+
+proto_wireguard_teardown() {
+  local config="$1"
+  ip link del dev "${config}" >/dev/null 2>&1
+}
+
+
+[ -n "$INCLUDE_ONLY" ] || {
+  add_protocol wireguard
+}

package/network/utils/comgt/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=comgt
 PKG_VERSION:=0.32
-PKG_RELEASE:=28
+PKG_RELEASE:=29
 
 PKG_SOURCE:=$(PKG_NAME).$(PKG_VERSION).tgz
 PKG_SOURCE_URL:=@SF/comgt

package/network/utils/comgt/files/3g.sh

@@ -109,4 +109,4 @@ proto_3g_teardown() {
 	proto_kill_command "$interface"
 }
 
-[ -z "NOT_INCLUDED" ] || add_protocol 3g
+[ -z "$NOT_INCLUDED" ] || add_protocol 3g

package/network/utils/comgt/files/directip.sh

@@ -44,8 +44,7 @@ proto_directip_setup() {
 		return 1
 	}
 
-	cardinfo=$(gcom -d "$device" -s /etc/gcom/getcardinfo.gcom)
-	[ -n $(echo "$cardinfo" | grep -q "Sierra Wireless") ] || {
+	gcom -d "$device" -s /etc/gcom/getcardinfo.gcom | grep -q "Sierra Wireless" || {
 		proto_notify_error "$interface" BAD_DEVICE
 		proto_block_restart "$interface"
 		return 1

package/network/utils/curl/Makefile

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=curl
 PKG_VERSION:=7.52.1
-PKG_RELEASE:=3
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://curl.haxx.se/download/ \

package/network/utils/curl/patches/101-CVE-2017-7407.patch

@@ -0,0 +1,165 @@
+From 6019f1795b4e3b72507b84b0e02dc8c32024f562 Mon Sep 17 00:00:00 2001
+From: Dan Fandrich <dan@coneharvesters.com>
+Date: Sat, 11 Mar 2017 10:59:34 +0100
+Subject: [PATCH] CVE-2017-7407: fixed
+
+Bug: https://curl.haxx.se/docs/adv_20170403.html
+
+Reported-by: Brian Carpenter
+---
+ src/tool_writeout.c     |  6 +++---
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1440     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1441     | 31 +++++++++++++++++++++++++++++++
+ tests/data/test1442     | 35 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 101 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test1440
+ create mode 100644 tests/data/test1441
+ create mode 100644 tests/data/test1442
+
+--- a/src/tool_writeout.c
++++ b/src/tool_writeout.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -113,7 +113,7 @@ void ourWriteOut(CURL *curl, struct OutS
+   double doubleinfo;
+ 
+   while(ptr && *ptr) {
+-    if('%' == *ptr) {
++    if('%' == *ptr && ptr[1]) {
+       if('%' == ptr[1]) {
+         /* an escaped %-letter */
+         fputc('%', stream);
+@@ -341,7 +341,7 @@ void ourWriteOut(CURL *curl, struct OutS
+         }
+       }
+     }
+-    else if('\\' == *ptr) {
++    else if('\\' == *ptr && ptr[1]) {
+       switch(ptr[1]) {
+       case 'r':
+         fputc('\r', stream);
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -150,7 +150,7 @@ test1408 test1409 test1410 test1411 test
+ test1416 test1417 test1418 test1419 test1420 test1421 test1422 test1423 \
+ test1424 \
+ test1428 test1429 test1430 test1431 test1432 test1433 test1434 test1435 \
+-test1436 test1437 test1438 test1439 \
++test1436 test1437 test1438 test1439 test1440 test1441 test1442 \
+ \
+ test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \
+ test1508 test1509 test1510 test1511 test1512 test1513 test1514 test1515 \
+--- /dev/null
++++ b/tests/data/test1440
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %{
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%{'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%{
++</stdout>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1441
+@@ -0,0 +1,31 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing %
++</name>
++<command>
++file://localhost/%PWD/log/ --write-out '%'
++</command>
++</client>
++
++# Verify data
++<verify>
++<stdout nonewline="yes">
++%
++</stdout>
++</verify>
++</testcase>
+--- /dev/null
++++ b/tests/data/test1442
+@@ -0,0 +1,35 @@
++<testcase>
++<info>
++<keywords>
++--write-out
++FILE
++</keywords>
++</info>
++# Server-side
++<reply>
++</reply>
++
++# Client-side
++<client>
++<server>
++file
++</server>
++
++<name>
++Check --write-out with trailing \
++</name>
++<command>
++file://localhost/%PWD/log/non-existent-file.txt --write-out '\'
++</command>
++</client>
++
++# Verify data
++<verify>
++<errorcode>
++37
++</errorcode>
++<stdout nonewline="yes">
++\
++</stdout>
++</verify>
++</testcase>

package/network/utils/curl/patches/102-CVE-2017-7468.patch

@@ -0,0 +1,264 @@
+From 8166b637bce299f4ac64d371c20cd5afea72c364 Mon Sep 17 00:00:00 2001
+From: Jay Satiro <raysatiro@yahoo.com>
+Date: Wed, 22 Mar 2017 01:59:49 -0400
+Subject: [PATCH] TLS: Fix switching off SSL session id when client cert is
+ used
+
+- Move the sessionid flag to ssl_primary_config so that ssl and
+  proxy_ssl will each have their own sessionid flag.
+
+Regression since HTTPS-Proxy support was added in cb4e2be. Prior to that
+this issue had been fixed in 247d890, CVE-2016-5419.
+
+Bug: https://github.com/curl/curl/issues/1341
+Reported-by: lijian996@users.noreply.github.com
+---
+ lib/url.c            | 5 +++--
+ lib/urldata.h        | 2 +-
+ lib/vtls/axtls.c     | 4 ++--
+ lib/vtls/cyassl.c    | 4 ++--
+ lib/vtls/darwinssl.c | 2 +-
+ lib/vtls/gtls.c      | 4 ++--
+ lib/vtls/mbedtls.c   | 4 ++--
+ lib/vtls/nss.c       | 2 +-
+ lib/vtls/openssl.c   | 4 ++--
+ lib/vtls/polarssl.c  | 4 ++--
+ lib/vtls/schannel.c  | 4 ++--
+ lib/vtls/vtls.c      | 9 ++++++---
+ 12 files changed, 26 insertions(+), 22 deletions(-)
+
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -548,7 +548,7 @@ CURLcode Curl_init_userdefined(struct Us
+ #endif
+   set->ssh_auth_types = CURLSSH_AUTH_DEFAULT; /* defaults to any auth
+                                                       type */
+-  set->general_ssl.sessionid = TRUE; /* session ID caching enabled by
++  set->ssl.primary.sessionid = TRUE; /* session ID caching enabled by
+                                         default */
+   set->proxy_ssl = set->ssl;
+ 
+@@ -2470,8 +2470,9 @@ CURLcode Curl_setopt(struct Curl_easy *d
+     break;
+ 
+   case CURLOPT_SSL_SESSIONID_CACHE:
+-    data->set.general_ssl.sessionid = (0 != va_arg(param, long)) ?
++    data->set.ssl.primary.sessionid = (0 != va_arg(param, long)) ?
+                                       TRUE : FALSE;
++    data->set.proxy_ssl.primary.sessionid = data->set.ssl.primary.sessionid;
+     break;
+ 
+ #ifdef USE_LIBSSH2
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -354,6 +354,7 @@ struct ssl_primary_config {
+   char *random_file;     /* path to file containing "random" data */
+   char *egdsocket;       /* path to file containing the EGD daemon socket */
+   char *cipher_list;     /* list of ciphers to use */
++  bool sessionid;        /* cache session IDs or not */
+ };
+ 
+ struct ssl_config_data {
+@@ -383,7 +384,6 @@ struct ssl_config_data {
+ };
+ 
+ struct ssl_general_config {
+-  bool sessionid; /* cache session IDs or not */
+   size_t max_ssl_sessions; /* SSL session id cache size */
+ };
+ 
+--- a/lib/vtls/axtls.c
++++ b/lib/vtls/axtls.c
+@@ -256,7 +256,7 @@ static CURLcode connect_prep(struct conn
+    * 2) setting up callbacks.  these seem gnutls specific
+    */
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid;
+     size_t ssl_idsize;
+ 
+@@ -386,7 +386,7 @@ static CURLcode connect_finish(struct co
+   conn->send[sockindex] = axtls_send;
+ 
+   /* Put our freshly minted SSL session in cache */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     const uint8_t *ssl_sessionid = ssl_get_session_id_size(ssl);
+     size_t ssl_idsize = ssl_get_session_id(ssl);
+     Curl_ssl_sessionid_lock(conn);
+--- a/lib/vtls/cyassl.c
++++ b/lib/vtls/cyassl.c
+@@ -383,7 +383,7 @@ cyassl_connect_step1(struct connectdata
+ #endif /* HAVE_ALPN */
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -597,7 +597,7 @@ cyassl_connect_step3(struct connectdata
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/darwinssl.c
++++ b/lib/vtls/darwinssl.c
+@@ -1541,7 +1541,7 @@ static CURLcode darwinssl_connect_step1(
+ #endif /* CURL_BUILD_MAC_10_9 || CURL_BUILD_IOS_7 */
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     char *ssl_sessionid;
+     size_t ssl_sessionid_len;
+ 
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -782,7 +782,7 @@ gtls_connect_step1(struct connectdata *c
+ 
+   /* This might be a reconnect, so we check for a session ID in the cache
+      to speed up things */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid;
+     size_t ssl_idsize;
+ 
+@@ -1311,7 +1311,7 @@ gtls_connect_step3(struct connectdata *c
+   conn->recv[sockindex] = gtls_recv;
+   conn->send[sockindex] = gtls_send;
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     /* we always unconditionally get the session id here, as even if we
+        already got it from the cache and asked to use it in the connection, it
+        might've been rejected and then a new one is in use now and we need to
+--- a/lib/vtls/mbedtls.c
++++ b/lib/vtls/mbedtls.c
+@@ -374,7 +374,7 @@ mbed_connect_step1(struct connectdata *c
+                                 mbedtls_ssl_list_ciphersuites());
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -618,7 +618,7 @@ mbed_connect_step3(struct connectdata *c
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     mbedtls_ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1696,7 +1696,7 @@ static CURLcode nss_setup_connect(struct
+     goto error;
+ 
+   /* do not use SSL cache if disabled or we are not going to verify peer */
+-  ssl_no_cache = (data->set.general_ssl.sessionid
++  ssl_no_cache = (SSL_SET_OPTION(primary.sessionid)
+                   && SSL_CONN_CONFIG(verifypeer)) ? PR_FALSE : PR_TRUE;
+   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
+     goto error;
+--- a/lib/vtls/openssl.c
++++ b/lib/vtls/openssl.c
+@@ -2161,7 +2161,7 @@ static CURLcode ossl_connect_step1(struc
+ #endif
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *ssl_sessionid = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -2915,7 +2915,7 @@ static CURLcode ossl_connect_step3(struc
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     SSL_SESSION *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/polarssl.c
++++ b/lib/vtls/polarssl.c
+@@ -327,7 +327,7 @@ polarssl_connect_step1(struct connectdat
+   ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
+ 
+   /* Check if there's a cached ID we can/should use here! */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     void *old_session = NULL;
+ 
+     Curl_ssl_sessionid_lock(conn);
+@@ -555,7 +555,7 @@ polarssl_connect_step3(struct connectdat
+ 
+   DEBUGASSERT(ssl_connect_3 == connssl->connecting_state);
+ 
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     int ret;
+     ssl_session *our_ssl_sessionid;
+     void *old_ssl_sessionid = NULL;
+--- a/lib/vtls/schannel.c
++++ b/lib/vtls/schannel.c
+@@ -145,7 +145,7 @@ schannel_connect_step1(struct connectdat
+   connssl->cred = NULL;
+ 
+   /* check for an existing re-usable credential handle */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     Curl_ssl_sessionid_lock(conn);
+     if(!Curl_ssl_getsessionid(conn, (void **)&old_cred, NULL, sockindex)) {
+       connssl->cred = old_cred;
+@@ -714,7 +714,7 @@ schannel_connect_step3(struct connectdat
+ #endif
+ 
+   /* save the current session data for possible re-use */
+-  if(data->set.general_ssl.sessionid) {
++  if(SSL_SET_OPTION(primary.sessionid)) {
+     bool incache;
+     struct curl_schannel_cred *old_cred = NULL;
+ 
+--- a/lib/vtls/vtls.c
++++ b/lib/vtls/vtls.c
+@@ -120,6 +120,9 @@ Curl_clone_primary_ssl_config(struct ssl
+   CLONE_STRING(egdsocket);
+   CLONE_STRING(random_file);
+   CLONE_STRING(clientcert);
++
++  /* Disable dest sessionid cache if a client cert is used, CVE-2016-5419. */
++  dest->sessionid = (dest->clientcert ? false : source->sessionid);
+   return TRUE;
+ }
+ 
+@@ -293,9 +296,9 @@ bool Curl_ssl_getsessionid(struct connec
+   int port = isProxy ? (int)conn->port : conn->remote_port;
+   *ssl_sessionid = NULL;
+ 
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
++  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+-  if(!data->set.general_ssl.sessionid)
++  if(!SSL_SET_OPTION(primary.sessionid))
+     /* session ID re-use is disabled */
+     return TRUE;
+ 
+@@ -397,7 +400,7 @@ CURLcode Curl_ssl_addsessionid(struct co
+                                            &conn->proxy_ssl_config :
+                                            &conn->ssl_config;
+ 
+-  DEBUGASSERT(data->set.general_ssl.sessionid);
++  DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
+ 
+   clone_host = strdup(isProxy ? conn->http_proxy.host.name : conn->host.name);
+   if(!clone_host)

package/network/utils/curl/patches/103-CVE-2017-1000100.patch

@@ -0,0 +1,41 @@
+From 358b2b131ad6c095696f20dcfa62b8305263f898 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:46 +0200
+Subject: [PATCH] tftp: reject file name lengths that don't fit
+
+... and thereby avoid telling send() to send off more bytes than the
+size of the buffer!
+
+CVE-2017-1000100
+
+Bug: https://curl.haxx.se/docs/adv_20170809B.html
+Reported-by: Even Rouault
+
+Credit to OSS-Fuzz for the discovery
+---
+ lib/tftp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/lib/tftp.c
++++ b/lib/tftp.c
+@@ -5,7 +5,7 @@
+  *                            | (__| |_| |  _ <| |___
+  *                             \___|\___/|_| \_\_____|
+  *
+- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
++ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
+  *
+  * This software is licensed as described in the file COPYING, which
+  * you should have received as part of this distribution. The terms
+@@ -490,6 +490,11 @@ static CURLcode tftp_send_first(tftp_sta
+     if(result)
+       return result;
+ 
++    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
++      failf(data, "TFTP file name too long\n");
++      return CURLE_TFTP_ILLEGAL; /* too long file name field */
++    }
++
+     snprintf((char *)state->spacket.data+2,
+              state->blksize,
+              "%s%c%s%c", filename, '\0',  mode, '\0');

package/network/utils/curl/patches/104-CVE-2017-1000101.patch

@@ -0,0 +1,33 @@
+From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 1 Aug 2017 17:16:07 +0200
+Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
+ range
+
+Added test 1289 to verify.
+
+CVE-2017-1000101
+
+Bug: https://curl.haxx.se/docs/adv_20170809A.html
+Reported-by: Brian Carpenter
+---
+ src/tool_urlglob.c      |  5 ++++-
+ tests/data/Makefile.inc |  2 +-
+ tests/data/test1289     | 35 +++++++++++++++++++++++++++++++++++
+ 3 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 tests/data/test1289
+
+--- a/src/tool_urlglob.c
++++ b/src/tool_urlglob.c
+@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob
+         }
+         errno = 0;
+         max_n = strtoul(pattern, &endp, 10);
+-        if(errno || (*endp == ':')) {
++        if(errno)
++          /* overflow */
++          endp = NULL;
++        else if(*endp == ':') {
+           pattern = endp+1;
+           errno = 0;
+           step_n = strtoul(pattern, &endp, 10);

package/network/utils/tcpdump/Makefile

@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=tcpdump
-PKG_VERSION:=4.9.0
+PKG_VERSION:=4.9.2
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.tcpdump.org/release/ \
-	http://www.at.tcpdump.org/
-PKG_HASH:=eae98121cbb1c9adbedd9a777bf2eae9fa1c1c676424a54740311c8abcee5a5e
+PKG_SOURCE_URL:=http://www.us.tcpdump.org/release/ \
+	http://www.tcpdump.org/release/
+PKG_HASH:=798b3536a29832ce0cbb07fafb1ce5097c95e308a6f592d14052e1ef1505fe79
 
 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_BUILD_PARALLEL:=1
@@ -76,7 +76,6 @@ endif
 MAKE_FLAGS += \
 	CCOPT="$(TARGET_CFLAGS)" INCLS="-I. $(TARGET_CPPFLAGS)"
 
-
 define Package/tcpdump/install
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/sbin/tcpdump $(1)/usr/sbin/

package/network/utils/tcpdump/patches/100-tcpdump_mini.patch

@@ -115,7 +115,7 @@
  	$(CC) $(FULL_CFLAGS) -o $@ -c $(srcdir)/missing/datalinks.c
 --- a/addrtoname.c
 +++ b/addrtoname.c
-@@ -566,8 +566,10 @@ linkaddr_string(netdissect_options *ndo,
+@@ -578,8 +578,10 @@ linkaddr_string(netdissect_options *ndo,
  	if (type == LINKADDR_ETHER && len == ETHER_ADDR_LEN)
  		return (etheraddr_string(ndo, ep));
  
@@ -125,8 +125,8 @@
 +#endif
  
  	tp = lookup_bytestring(ndo, ep, len);
- 	if (tp->e_name)
-@@ -1202,6 +1204,7 @@ init_addrtoname(netdissect_options *ndo,
+	if (tp->bs_name)
+@@ -1214,6 +1216,7 @@ init_addrtoname(netdissect_options *ndo,
  	init_ipxsaparray(ndo);
  }
  
@@ -134,7 +134,7 @@
  const char *
  dnaddr_string(netdissect_options *ndo, u_short dnaddr)
  {
-@@ -1221,6 +1224,7 @@ dnaddr_string(netdissect_options *ndo, u
+@@ -1233,6 +1236,7 @@ dnaddr_string(netdissect_options *ndo, u
  
  	return(tp->name);
  }
@@ -247,7 +247,7 @@
  		return (1);
 @@ -368,6 +369,7 @@ ethertype_print(netdissect_options *ndo,
  		}
- 		isoclns_print(ndo, p + 1, length - 1, caplen - 1);
+		isoclns_print(ndo, p + 1, length - 1);
  		return(1);
 +#endif
  
@@ -335,7 +335,7 @@
          break;
 --- a/print-ip6.c
 +++ b/print-ip6.c
-@@ -303,6 +303,7 @@ ip6_print(netdissect_options *ndo, const
+@@ -305,6 +305,7 @@ ip6_print(netdissect_options *ndo, const
  				return;
  			nh = *cp;
  			break;
@@ -343,13 +343,16 @@
  		case IPPROTO_FRAGMENT:
  			advance = frag6_print(ndo, cp, (const u_char *)ip6);
  			if (advance < 0 || ndo->ndo_snapend <= cp + advance)
-@@ -324,16 +325,19 @@ ip6_print(netdissect_options *ndo, const
- 			advance = mobility_print(ndo, cp, (const u_char *)ip6);
+@@ -328,6 +329,7 @@ ip6_print(netdissect_options *ndo, const
+				return;
  			nh = *cp;
  			return;
 +#endif
  		case IPPROTO_ROUTING:
+			ND_TCHECK(*cp);
  			advance = rt6_print(ndo, cp, (const u_char *)ip6);
+@@ -335,12 +337,14 @@ ip6_print(netdissect_options *ndo, const
+				return;
  			nh = *cp;
  			break;
 +#ifndef TCPDUMP_MINI
@@ -363,15 +366,15 @@
  		case IPPROTO_TCP:
  			tcp_print(ndo, cp, len, (const u_char *)ip6, fragmented);
  			return;
-@@ -343,6 +347,7 @@ ip6_print(netdissect_options *ndo, const
+@@ -350,6 +354,7 @@ ip6_print(netdissect_options *ndo, const
  		case IPPROTO_ICMPV6:
  			icmp6_print(ndo, cp, len, (const u_char *)ip6, fragmented);
  			return;
 +#ifndef TCPDUMP_MINI
  		case IPPROTO_AH:
  			advance = ah_print(ndo, cp);
- 			nh = *cp;
-@@ -371,6 +376,7 @@ ip6_print(netdissect_options *ndo, const
+			if (advance < 0)
+@@ -382,6 +387,7 @@ ip6_print(netdissect_options *ndo, const
  		case IPPROTO_PIM:
  			pim_print(ndo, cp, len, (const u_char *)ip6);
  			return;
@@ -379,7 +382,7 @@
  
  		case IPPROTO_OSPF:
  			ospf6_print(ndo, cp, len);
-@@ -384,9 +390,11 @@ ip6_print(netdissect_options *ndo, const
+@@ -395,9 +401,11 @@ ip6_print(netdissect_options *ndo, const
  		        ip_print(ndo, cp, len);
  			return;
  
@@ -393,7 +396,7 @@
  			gre_print(ndo, cp, len);
 --- a/print-ip.c
 +++ b/print-ip.c
-@@ -329,6 +329,7 @@ ip_print_demux(netdissect_options *ndo,
+@@ -344,6 +344,7 @@ ip_print_demux(netdissect_options *ndo,
  again:
  	switch (ipds->nh) {
  
@@ -401,7 +404,7 @@
  	case IPPROTO_AH:
  		if (!ND_TTEST(*ipds->cp)) {
  			ND_PRINT((ndo, "[|AH]"));
-@@ -367,7 +368,9 @@ again:
+@@ -382,7 +383,9 @@ again:
  		 */
  		break;
  	}
@@ -411,7 +414,7 @@
  	case IPPROTO_SCTP:
  		sctp_print(ndo, ipds->cp, (const u_char *)ipds->ip, ipds->len);
  		break;
-@@ -375,6 +378,7 @@ again:
+@@ -390,6 +393,7 @@ again:
  	case IPPROTO_DCCP:
  		dccp_print(ndo, ipds->cp, (const u_char *)ipds->ip, ipds->len);
  		break;
@@ -419,7 +422,7 @@
  
  	case IPPROTO_TCP:
  		/* pass on the MF bit plus the offset to detect fragments */
-@@ -394,6 +398,7 @@ again:
+@@ -409,6 +413,7 @@ again:
  			   ipds->off & (IP_MF|IP_OFFMASK));
  		break;
  
@@ -427,7 +430,7 @@
  	case IPPROTO_PIGP:
  		/*
  		 * XXX - the current IANA protocol number assignments
-@@ -414,14 +419,17 @@ again:
+@@ -429,14 +434,17 @@ again:
  	case IPPROTO_EIGRP:
  		eigrp_print(ndo, ipds->cp, ipds->len);
  		break;
@@ -445,7 +448,7 @@
  
  	case IPPROTO_OSPF:
  		ospf_print(ndo, ipds->cp, ipds->len, (const u_char *)ipds->ip);
-@@ -454,6 +462,7 @@ again:
+@@ -469,6 +477,7 @@ again:
  		gre_print(ndo, ipds->cp, ipds->len);
  		break;
  
@@ -453,14 +456,14 @@
  	case IPPROTO_MOBILE:
  		mobile_print(ndo, ipds->cp, ipds->len);
  		break;
-@@ -482,6 +491,7 @@ again:
+@@ -497,6 +506,7 @@ again:
  	case IPPROTO_PGM:
  		pgm_print(ndo, ipds->cp, ipds->len, (const u_char *)ipds->ip);
  		break;
 +#endif
  
  	default:
- 		if (ndo->ndo_nflag==0 && (proto = getprotobynumber(ipds->nh)) != NULL)
+		if (ndo->ndo_nflag==0 && (p_name = netdb_protoname(ipds->nh)) != NULL)
 --- a/print-llc.c
 +++ b/print-llc.c
 @@ -206,6 +206,7 @@ llc_print(netdissect_options *ndo, const
@@ -495,21 +498,22 @@
  
  #ifdef ENABLE_SMB
  	if (ssap == LLCSAP_NETBEUI && dsap == LLCSAP_NETBEUI
-@@ -322,11 +326,13 @@ llc_print(netdissect_options *ndo, const
+@@ -322,12 +326,13 @@ llc_print(netdissect_options *ndo, const
  		return (hdrlen);
  	}
  #endif
 +#ifndef TCPDUMP_MINI
  	if (ssap == LLCSAP_ISONS && dsap == LLCSAP_ISONS
  	    && control == LLC_UI) {
- 		isoclns_print(ndo, p, length, caplen);
+		isoclns_print(ndo, p, length);
  		return (hdrlen);
  	}
+-
 +#endif
- 
  	if (!ndo->ndo_eflag) {
  		if (ssap == dsap) {
-@@ -480,6 +486,7 @@ snap_print(netdissect_options *ndo, cons
+			if (src == NULL || dst == NULL)
+@@ -480,6 +485,7 @@ snap_print(netdissect_options *ndo, cons
  
  	case OUI_CISCO:
                  switch (et) {
@@ -517,7 +521,7 @@
                  case PID_CISCO_CDP:
                          cdp_print(ndo, p, length, caplen);
                          return (1);
-@@ -492,6 +499,7 @@ snap_print(netdissect_options *ndo, cons
+@@ -492,6 +498,7 @@ snap_print(netdissect_options *ndo, cons
                  case PID_CISCO_VTP:
                          vtp_print(ndo, p, length);
                          return (1);
@@ -525,7 +529,7 @@
                  case PID_CISCO_PVST:
                  case PID_CISCO_VLANBRIDGE:
                          stp_print(ndo, p, length);
-@@ -504,6 +512,7 @@ snap_print(netdissect_options *ndo, cons
+@@ -504,6 +511,7 @@ snap_print(netdissect_options *ndo, cons
  	case OUI_RFC2684:
  		switch (et) {
  
@@ -533,7 +537,7 @@
  		case PID_RFC2684_ETH_FCS:
  		case PID_RFC2684_ETH_NOFCS:
  			/*
-@@ -565,6 +574,7 @@ snap_print(netdissect_options *ndo, cons
+@@ -565,6 +573,7 @@ snap_print(netdissect_options *ndo, cons
  			 */
  			fddi_print(ndo, p, length, caplen);
  			return (1);
@@ -549,7 +553,7 @@
  
 +#ifndef TCPDUMP_MINI
  	case BSD_AFNUM_ISO:
- 		isoclns_print(ndo, p, length, caplen);
+		isoclns_print(ndo, p, length);
  		break;
 @@ -127,6 +128,7 @@ null_if_print(netdissect_options *ndo, c
  	case BSD_AFNUM_IPX:
@@ -561,7 +565,7 @@
  		/* unknown AF_ value */
 --- a/print-ppp.c
 +++ b/print-ppp.c
-@@ -1358,6 +1358,7 @@ trunc:
+@@ -1367,6 +1367,7 @@ trunc:
  	return 0;
  }
  
@@ -569,7 +573,7 @@
  static void
  ppp_hdlc(netdissect_options *ndo,
           const u_char *p, int length)
-@@ -1436,6 +1437,7 @@ trunc:
+@@ -1445,6 +1446,7 @@ trunc:
  	free(b);
  	ND_PRINT((ndo, "[|ppp]"));
  }
@@ -577,7 +581,7 @@
  
  
  /* PPP */
-@@ -1443,10 +1445,12 @@ static void
+@@ -1452,10 +1454,12 @@ static void
  handle_ppp(netdissect_options *ndo,
             u_int proto, const u_char *p, int length)
  {
@@ -590,7 +594,7 @@
  
  	switch (proto) {
  	case PPP_LCP: /* fall through */
-@@ -1479,6 +1483,7 @@ handle_ppp(netdissect_options *ndo,
+@@ -1488,6 +1492,7 @@ handle_ppp(netdissect_options *ndo,
  	case PPP_IPV6:
  		ip6_print(ndo, p, length);
  		break;
@@ -598,7 +602,7 @@
  	case ETHERTYPE_IPX:	/*XXX*/
  	case PPP_IPX:
  		ipx_print(ndo, p, length);
-@@ -1490,6 +1495,7 @@ handle_ppp(netdissect_options *ndo,
+@@ -1499,6 +1504,7 @@ handle_ppp(netdissect_options *ndo,
  	case PPP_MPLS_MCAST:
  		mpls_print(ndo, p, length);
  		break;
@@ -606,7 +610,7 @@
  	case PPP_COMP:
  		ND_PRINT((ndo, "compressed PPP data"));
  		break;
-@@ -1630,6 +1636,7 @@ ppp_if_print(netdissect_options *ndo,
+@@ -1639,6 +1645,7 @@ ppp_if_print(netdissect_options *ndo,
  	return (0);
  }
  
@@ -614,7 +618,7 @@
  /*
   * PPP I/F printer to use if we know that RFC 1662-style PPP in HDLC-like
   * framing, or Cisco PPP with HDLC framing as per section 4.3.1 of RFC 1547,
-@@ -1857,6 +1864,7 @@ printx:
+@@ -1866,6 +1873,7 @@ printx:
  #endif /* __bsdi__ */
  	return (hdrlength);
  }

package/system/ca-certificates/Makefile

@@ -7,13 +7,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ca-certificates
-PKG_VERSION:=20161130
+PKG_VERSION:=20161130+nmu1
 PKG_MAINTAINER:=Christian Schoenebeck <christian.schoenebeck@gmail.com>
 
 PKG_SOURCE:=$(PKG_NAME)_$(PKG_VERSION).tar.xz
 PKG_SOURCE_URL:=http://ftp.debian.org/debian/pool/main/c/ca-certificates
-PKG_HASH:=04bca9e142a90a834aca0311f7ced237368d71fee7bd5c9f68ef7f4611aee471
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)
+PKG_HASH:=77f9aca431e3122bf04aa0ffd989b723d906db4d1c106e3290e463d73c177f0e
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-20161130
 
 PKG_INSTALL:=1
 

package/system/fstools/Makefile

@@ -12,10 +12,10 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/fstools.git
-PKG_SOURCE_DATE:=2016-12-04
-PKG_SOURCE_VERSION:=84b530a732b12cca1cd5ee9ba163b7ead7a83de3
-PKG_MIRROR_HASH:=b607138de1adbb7f49e53daebe28ac1352910fa2b29278365edeabafc5b46a91
-PKG_RELEASE:=2
+PKG_SOURCE_DATE:=2017-06-30
+PKG_SOURCE_VERSION:=bdcb075fafdac0bfe3207c23f64acd58432bad86
+PKG_MIRROR_HASH:=760a1fdbd379f1191947ac6ba9881a85a9b8c43f4a96d49db18d4654b0c312c4
+PKG_RELEASE:=1
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=GPL-2.0

package/system/fstools/patches/0001-libfstools-fix-multiple-volume_identify-usages-with-.patch

@@ -1,56 +0,0 @@
-From 633a8d0981fed0c90f6d16ee2257858b04514dc8 Mon Sep 17 00:00:00 2001
-From: Pieter Smith <pieter.smith@philips.com>
-Date: Wed, 29 Mar 2017 18:21:56 +0200
-Subject: [PATCH] libfstools: fix multiple volume_identify usages with the same
- volume
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This fixes e.g. factory-flashed startup issue with jffs2 on ubi overlay
-
-Commit ba019965 ("libfstools: accept volume as argument in most calls")
-broke startup for factory-flashed jffs2 on ubi systems, causing substantial
-slowdown in factory environments.
-
-When starting up with a factory-flashed jffs2 on ubi system, the "rootfs_data"
-volume contains a deadcode marker. In the start phase, mount_root then mounts a
-tmpfs overlay, and postpones remounting of the jffs2 overlay until the done
-phase of the startup.
-
-The refactoring in ba019965 eliminated an unneeded call to volume_find() when
-done() called jffs2_switch(). Unfortunately the refactoring did not take into
-account that volume_identify() does not function correctly when called twice in
-a row on the same struct volume when using an mtd driver.
-
-mtd_volume_identify() uses mtd_volume_load() to open an fd to the mtd device
-and reads a potential deadcode marker from the fd. The first time this works,
-and FS_DEADCODE is returned.
-
-When volume_identify() is called a second time however, mtd_volume_load()
-notices that we already have an open fd, does nothing further and returns 0
-without resetting the file offset to 0. mtd_volume_identify() now reads past
-the deadcode marker and now returns FS_JFFS2 if the mtd device is a UBIVOLUME.
-
-jffs2_switch() then handles the wrong case, either pulling the root out from
-under user-space in Chaos Calmer, or indefinitely sticking to a tmpfs overlay
-in later OpenWRT builds.
-
-Signed-off-by: Pieter Smith <pieter.smith@philips.com>
-Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
----
-
---- a/libfstools/mtd.c
-+++ b/libfstools/mtd.c
-@@ -76,8 +76,10 @@ static int mtd_volume_load(struct mtd_vo
- 	struct mtd_info_user mtdInfo;
- 	struct erase_info_user mtdLockInfo;
- 
--	if (p->fd)
-+	if (p->fd) {
-+		lseek(p->fd, 0, SEEK_SET);
- 		return 0;
-+	}
- 
- 	if (!p->chr)
- 		return -1;

package/system/procd/Makefile

@@ -12,9 +12,9 @@ PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_URL=$(LEDE_GIT)/project/procd.git
-PKG_SOURCE_DATE:=2017-02-15
-PKG_SOURCE_VERSION:=5f9124103410c178d816bb5229fba7dd2286a49b
-PKG_MIRROR_HASH:=ec887b349fc60ad3882fc9eaefb5cd299d64e7d43c062df9f7b7500591ba3e85
+PKG_SOURCE_DATE:=2017-08-08
+PKG_SOURCE_VERSION:=66be6a23d71fcc068d6b813f0e0be2f8f0b6aa88
+PKG_MIRROR_HASH:=286dcc8855f1dc403895bc9252f617c14be6f7f6ec36f13d4f4de7c4a715f08c
 CMAKE_INSTALL:=1
 
 PKG_LICENSE:=GPL-2.0

package/utils/f2fs-tools/Makefile

@@ -9,13 +9,13 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=f2fs-tools
 PKG_VERSION:=1.8.0
-PKG_RELEASE:=1
+PKG_RELEASE:=3
 
 PKG_LICENSE:=GPLv2
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs-tools.git/snapshot/
-PKG_HASH:=34790bccd74086e6b4f04fcac3a167ce1ca3319ce660454bceefc45c52906f94
+PKG_HASH:=d4dbecf55560c548bf0758c9f641d1beec1e960b38cbbc19951195d5144d39ae
 
 PKG_FIXUP:=autoreconf
 PKG_BUILD_PARALLEL:=1
@@ -59,6 +59,9 @@ endef
 CONFIGURE_ARGS += \
 	--without-selinux
 
+CONFIGURE_VARS += \
+	ac_cv_file__git=no
+
 define Package/libf2fs/install
 	$(INSTALL_DIR) $(1)/usr/lib
 	$(CP) \

package/utils/f2fs-tools/patches/001-compile.patch

@@ -1,19 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -20,14 +20,9 @@ AC_DEFINE([F2FS_MINOR_VERSION], m4_bpats
- 				[\([0-9]*\).\([0-9]*\)\(\w\|\W\)*], [\2]),
- 				[Minor version for f2fs-tools])
- 
--AC_CHECK_FILE(.git,
--	AC_DEFINE([F2FS_TOOLS_DATE],
--		"m4_bpatsubst(f2fs_tools_gitdate,
--		[\([0-9-]*\)\(\w\|\W\)*], [\1])",
--		[f2fs-tools date based on Git commits]),
--	AC_DEFINE([F2FS_TOOLS_DATE],
-+AC_DEFINE([F2FS_TOOLS_DATE],
- 		"f2fs_tools_date",
--		[f2fs-tools date based on Source releases]))
-+		[f2fs-tools date based on Source releases])
- 
- AC_CONFIG_SRCDIR([config.h.in])
- AC_CONFIG_HEADER([config.h])

package/utils/f2fs-tools/patches/010-include-byteswap-h.patch

@@ -1,10 +0,0 @@
---- a/include/f2fs_fs.h
-+++ b/include/f2fs_fs.h
-@@ -15,6 +15,7 @@
- #include <inttypes.h>
- #include <linux/types.h>
- #include <sys/types.h>
-+#include <byteswap.h>
- 
- #ifdef HAVE_CONFIG_H
- #include <config.h>

package/utils/f2fs-tools/patches/100-f2fs-WARNING-at-fs-f2fs-segment.c-718-update_sit_ent.patch

@@ -0,0 +1,66 @@
+From 31873d5cdf8a97d5f7921451c54f6d293293c6cc Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim <jaegeuk@kernel.org>
+Date: Wed, 23 Aug 2017 13:33:00 -0700
+Subject: [PATCH] mkfs.f2fs: fix missing cpu_to_le64 for checkpoint version
+
+The error on mips was reported by Stijn as follow.
+
+Commit 8399a29df92d6867d226df362edbf2e0efa527c1 in f2fs-tools
+("mkfs.f2fs: give random checkpoint version") causes a bug when mounting
+a filesystem created with it on a MIPS64 device running a 4.4(.83)
+kernel. The following kernel warning appears several times per second,
+for 30 seconds:
+
+[   23.837262] ------------[ cut here ]------------
+[   23.842039] WARNING: CPU: 0 PID: 935 at fs/f2fs/segment.c:718
+update_sit_entry+0x1c0/0x2b0()
+[   23.850507] Modules linked in: pppoe ppp_async l2tp_ppp iptable_nat
+[   24.174064] Call Trace:
+[   24.176527] [<ffffffff81126e14>] show_stack+0x68/0xb4
+[   24.181595] [<ffffffff81321fc4>] dump_stack+0x8c/0xc4
+[   24.186660] [<ffffffff8113d004>] warn_slowpath_common+0xa0/0xd0
+[   24.192597] [<ffffffff812e0148>] update_sit_entry+0x1c0/0x2b0
+[   24.198353] [<ffffffff812e0a70>] refresh_sit_entry+0x70/0xf8
+[   24.204022] [<ffffffff812e251c>] allocate_data_block+0x1f0/0x310
+[   24.210038] [<ffffffff812e28d8>] do_write_page+0x29c/0x2bc
+[   24.215532] [<ffffffff812e2a88>] write_data_page+0xa0/0xd8
+[   24.221028] [<ffffffff812d844c>] do_write_data_page+0xe4/0x384
+[   24.226870] [<ffffffff812d88f4>] f2fs_write_data_page+0x208/0x464
+[   24.232972] [<ffffffff812d5184>] __f2fs_writepage+0x1c/0x74
+[   24.238553] [<ffffffff812d54dc>]
+f2fs_write_cache_pages.constprop.7+0x250/0x394
+[   24.245869] [<ffffffff812d57f4>] f2fs_write_data_pages+0x130/0x1b0
+[   24.252066] [<ffffffff811a9f80>] __filemap_fdatawrite_range+0xa0/0xd4
+[   24.258515] [<ffffffff812d2338>] sync_dirty_dir_inodes+0x94/0xd8
+[   24.264530] [<ffffffff812d2484>] write_checkpoint+0x108/0xb9c
+[   24.270283] [<ffffffff812cc398>] f2fs_sync_fs+0x68/0xb0
+[   24.275526] [<ffffffff812c641c>] f2fs_sync_file+0x2e8/0x518
+[   24.281107] [<ffffffff81213ff4>] do_fsync+0x38/0x70
+[   24.285992] [<ffffffff812142e8>] SyS_fsync+0x14/0x20
+[   24.290972] [<ffffffff81103950>] syscall_common+0x34/0x58
+[   24.296372]
+[   24.298096] ---[ end trace fd3ac44449b218ab ]---
+
+Fix: 8399a29df92d68 ("mkfs.f2fs: give random checkpoint version")
+Reported-And-Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+---
+ mkfs/f2fs_format.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mkfs/f2fs_format.c b/mkfs/f2fs_format.c
+index 92876b8..b379e80 100644
+--- a/mkfs/f2fs_format.c
++++ b/mkfs/f2fs_format.c
+@@ -546,7 +546,7 @@ static int f2fs_write_check_point_pack(void)
+ 	}
+ 
+ 	/* 1. cp page 1 of checkpoint pack 1 */
+-	cp->checkpoint_ver = rand() | 0x1;
++	cp->checkpoint_ver = cpu_to_le64(rand() | 0x1);
+ 	set_cp(cur_node_segno[0], c.cur_seg[CURSEG_HOT_NODE]);
+ 	set_cp(cur_node_segno[1], c.cur_seg[CURSEG_WARM_NODE]);
+ 	set_cp(cur_node_segno[2], c.cur_seg[CURSEG_COLD_NODE]);
+-- 
+2.13.5
+

package/utils/mtd-utils/Makefile

@@ -20,7 +20,7 @@ PKG_INSTALL:=1
 
 PKG_FLAGS:=nonshared
 
-PKG_BUILD_DEPENDS:=util-linux liblzo zlib
+PKG_BUILD_DEPENDS:=util-linux lzo zlib
 
 PKG_LICENSE:=GPLv2
 PKG_LICENSE_FILES:=

scripts/om-fwupgradecfg-gen.sh

@@ -1,4 +1,4 @@
-#/bin/sh
+#!/bin/sh
 #
 # Copyright (C) 2011 OpenWrt.org
 #

target/linux/apm821xx/patches-4.4/040-backport_leds-convert-IDE-trigger-to-common-disk-trigger.patch

@@ -193,7 +193,7 @@ Signed-off-by: Jacek Anaszewski <j.anaszewski@samsung.com>
 -MODULE_LICENSE("GPL");
 --- a/include/linux/leds.h
 +++ b/include/linux/leds.h
-@@ -302,10 +302,10 @@ static inline void *led_get_trigger_data
+@@ -308,10 +308,10 @@ static inline void *led_get_trigger_data
  #endif /* CONFIG_LEDS_TRIGGERS */
  
  /* Trigger specific functions */

target/linux/apm821xx/patches-4.4/801-usb-xhci-add-firmware-loader-for-uPD720201-and-uPD72.patch

@@ -44,7 +44,7 @@ Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  
  #include "xhci.h"
  #include "xhci-trace.h"
-@@ -221,6 +223,458 @@ static void xhci_pme_acpi_rtd3_enable(st
+@@ -224,6 +226,458 @@ static void xhci_pme_acpi_rtd3_enable(st
  static void xhci_pme_acpi_rtd3_enable(struct pci_dev *dev) { }
  #endif /* CONFIG_ACPI */
  
@@ -503,7 +503,7 @@ Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  /* called during probe() after chip reset completes */
  static int xhci_pci_setup(struct usb_hcd *hcd)
  {
-@@ -260,6 +714,22 @@ static int xhci_pci_probe(struct pci_dev
+@@ -263,6 +717,22 @@ static int xhci_pci_probe(struct pci_dev
  	struct hc_driver *driver;
  	struct usb_hcd *hcd;
  
@@ -526,7 +526,7 @@ Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
  	driver = (struct hc_driver *)id->driver_data;
  
  	/* Prevent runtime suspending between USB-2 and USB-3 initialization */
-@@ -317,6 +787,16 @@ static void xhci_pci_remove(struct pci_d
+@@ -320,6 +790,16 @@ static void xhci_pci_remove(struct pci_d
  {
  	struct xhci_hcd *xhci;
  

target/linux/ar7/patches-3.18/101-MIPS-AR7-allow-NULL-clock-for-clk_get_rate.patch

@@ -0,0 +1,45 @@
+From patchwork Tue Jul 18 10:17:26 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [5/9] MIPS: AR7: allow NULL clock for clk_get_rate
+X-Patchwork-Submitter: Jonas Gorski <jonas.gorski@gmail.com>
+X-Patchwork-Id: 16775
+Message-Id: <20170718101730.2541-6-jonas.gorski@gmail.com>
+To: unlisted-recipients:; (no To-header on input)
+Cc: Ralf Baechle <ralf@linux-mips.org>,
+ Paul Gortmaker <paul.gortmaker@windriver.com>,
+ James Hogan <james.hogan@imgtec.com>,
+ linux-mips@linux-mips.org, linux-kernel@vger.kernel.org
+Date: Tue, 18 Jul 2017 12:17:26 +0200
+From: Jonas Gorski <jonas.gorski@gmail.com>
+List-Id: linux-mips <linux-mips.eddie.linux-mips.org>
+
+Make the behaviour of clk_get_rate consistent with common clk's
+clk_get_rate by accepting NULL clocks as parameter. Some device
+drivers rely on this, and will cause an OOPS otherwise.
+
+Fixes: 780019ddf02f ("MIPS: AR7: Implement clock API")
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Reported-by: Mathias Kresin <dev@kresin.me>
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+---
+ arch/mips/ar7/clock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/mips/ar7/clock.c
++++ b/arch/mips/ar7/clock.c
+@@ -430,6 +430,9 @@ EXPORT_SYMBOL(clk_disable);
+ 
+ unsigned long clk_get_rate(struct clk *clk)
+ {
++	if (!clk)
++		return 0;
++
+ 	return clk->rate;
+ }
+ EXPORT_SYMBOL(clk_get_rate);

target/linux/ar7/patches-4.1/101-MIPS-AR7-allow-NULL-clock-for-clk_get_rate.patch

@@ -0,0 +1,45 @@
+From patchwork Tue Jul 18 10:17:26 2017
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Subject: [5/9] MIPS: AR7: allow NULL clock for clk_get_rate
+X-Patchwork-Submitter: Jonas Gorski <jonas.gorski@gmail.com>
+X-Patchwork-Id: 16775
+Message-Id: <20170718101730.2541-6-jonas.gorski@gmail.com>
+To: unlisted-recipients:; (no To-header on input)
+Cc: Ralf Baechle <ralf@linux-mips.org>,
+ Paul Gortmaker <paul.gortmaker@windriver.com>,
+ James Hogan <james.hogan@imgtec.com>,
+ linux-mips@linux-mips.org, linux-kernel@vger.kernel.org
+Date: Tue, 18 Jul 2017 12:17:26 +0200
+From: Jonas Gorski <jonas.gorski@gmail.com>
+List-Id: linux-mips <linux-mips.eddie.linux-mips.org>
+
+Make the behaviour of clk_get_rate consistent with common clk's
+clk_get_rate by accepting NULL clocks as parameter. Some device
+drivers rely on this, and will cause an OOPS otherwise.
+
+Fixes: 780019ddf02f ("MIPS: AR7: Implement clock API")
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: Paul Gortmaker <paul.gortmaker@windriver.com>
+Cc: James Hogan <james.hogan@imgtec.com>
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Reported-by: Mathias Kresin <dev@kresin.me>
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+---
+ arch/mips/ar7/clock.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/mips/ar7/clock.c
++++ b/arch/mips/ar7/clock.c
+@@ -430,6 +430,9 @@ EXPORT_SYMBOL(clk_disable);
+ 
+ unsigned long clk_get_rate(struct clk *clk)
+ {
++	if (!clk)
++		return 0;
++
+ 	return clk->rate;
+ }
+ EXPORT_SYMBOL(clk_get_rate);

target/linux/ar71xx/base-files/etc/board.d/01_leds

@@ -49,6 +49,10 @@ antrouter-r1)
 	ucidef_set_led_wlan "wlan" "WLAN" "$board:green:wlan" "phy0tpt"
 	ucidef_set_led_default "btc" "BTC" "$board:green:btc" "0"
 	;;
+ap121f)
+	ucidef_set_led_netdev "lan" "LAN" "$board:green:lan" "eth0"
+	ucidef_set_led_wlan "wlan" "WLAN" "$board:green:wlan" "phy0tpt"
+	;;
 arduino-yun)
 	ucidef_set_led_wlan "wlan" "WLAN" "arduino:blue:wlan" "phy0tpt"
 	ucidef_set_led_usbdev "usb" "USB" "arduino:white:usb" "1-1.1"

target/linux/ar71xx/base-files/etc/board.d/02_network

@@ -42,7 +42,6 @@ ar71xx_setup_interfaces()
 	tl-mr3420|\
 	tl-wdr3320-v2|\
 	tl-wdr3500|\
-	tl-wr741nd|\
 	tl-wr741nd-v4|\
 	tl-wr841n-v11|\
 	tl-wr841n-v9|\
@@ -61,6 +60,7 @@ ar71xx_setup_interfaces()
 	antminer-s1|\
 	antminer-s3|\
 	antrouter-r1|\
+	ap121f|\
 	aw-nr580|\
 	bullet-m|\
 	c-55|\
@@ -400,6 +400,7 @@ ar71xx_setup_interfaces()
 		ucidef_set_interface_raw "eth" "eth0"
 		ucidef_set_interfaces_lan_wan "lan1 lan2 lan3 lan4" "wan"
 		;;
+	tl-wr741nd|\
 	tl-wr841n-v7)
 		ucidef_set_interfaces_lan_wan "eth0" "eth1"
 		ucidef_add_switch "switch0" \
@@ -480,7 +481,8 @@ ar71xx_setup_macs()
 		wan_mac=$(mtd_get_mac_binary caldata 6)
 		;;
 	tl-wr1043nd-v4)
-		wan_mac=$(mtd_get_mac_binary config 0x1017c)
+		lan_mac=$(mtd_get_mac_binary product-info 8)
+		wan_mac=$(macaddr_add "$lan_mac" 1)
 		;;
 	esr900)
 		wan_mac=$(mtd_get_mac_ascii u-boot-env "wanaddr")

target/linux/ar71xx/base-files/etc/diag.sh

@@ -29,6 +29,9 @@ get_status_led() {
 	xd3200)
 		status_led="$board:green:system"
 		;;
+	ap121f)
+		status_led="$board:green:vpn"
+		;;
 	ap132|\
 	db120|\
 	dr344|\

target/linux/ar71xx/base-files/lib/ar71xx.sh

@@ -433,6 +433,9 @@ ar71xx_board_detect() {
 	*AP121-MINI)
 		name="ap121-mini"
 		;;
+	*"AP121F")
+		name="ap121f"
+		;;
 	*"AP132 reference board")
 		name="ap132"
 		;;

target/linux/ar71xx/base-files/lib/upgrade/platform.sh

@@ -203,6 +203,7 @@ platform_check_image() {
 	airgatewaypro|\
 	airgateway|\
 	airrouter|\
+	ap121f|\
 	ap132|\
 	ap90q|\
 	bullet-m|\

target/linux/ar71xx/config-4.4

@@ -42,6 +42,7 @@ CONFIG_ATH79_MACH_ANTMINER_S1=y
 CONFIG_ATH79_MACH_ANTMINER_S3=y
 CONFIG_ATH79_MACH_ANTROUTER_R1=y
 CONFIG_ATH79_MACH_AP121=y
+CONFIG_ATH79_MACH_AP121F=y
 CONFIG_ATH79_MACH_AP132=y
 CONFIG_ATH79_MACH_AP136=y
 CONFIG_ATH79_MACH_AP143=y

target/linux/ar71xx/files/arch/mips/ath79/Kconfig.openwrt

@@ -16,6 +16,16 @@ config ATH79_MACH_ALFA_AP120C
 	select ATH79_DEV_M25P80
 	select ATH79_DEV_WMAC
 
+config ATH79_MACH_AP121F
+	bool "ALFA Network AP121F support"
+	select SOC_AR933X
+	select ATH79_DEV_ETH
+	select ATH79_DEV_GPIO_BUTTONS
+	select ATH79_DEV_LEDS_GPIO
+	select ATH79_DEV_M25P80
+	select ATH79_DEV_USB
+	select ATH79_DEV_WMAC
+
 config ATH79_MACH_ALFA_AP96
 	bool "ALFA Network AP96 board support"
 	select SOC_AR71XX

target/linux/ar71xx/files/arch/mips/ath79/Makefile

@@ -48,6 +48,7 @@ obj-$(CONFIG_ATH79_MACH_ANTMINER_S1)		+= mach-antminer-s1.o
 obj-$(CONFIG_ATH79_MACH_ANTMINER_S3)		+= mach-antminer-s3.o
 obj-$(CONFIG_ATH79_MACH_ANTROUTER_R1)		+= mach-antrouter-r1.o
 obj-$(CONFIG_ATH79_MACH_AP121)			+= mach-ap121.o
+obj-$(CONFIG_ATH79_MACH_AP121F)			+= mach-ap121f.o
 obj-$(CONFIG_ATH79_MACH_AP132)			+= mach-ap132.o
 obj-$(CONFIG_ATH79_MACH_AP136)			+= mach-ap136.o
 obj-$(CONFIG_ATH79_MACH_AP143)			+= mach-ap143.o

target/linux/ar71xx/files/arch/mips/ath79/mach-ap121f.c

@@ -0,0 +1,103 @@
+/*
+ * ALFA Network AP121F board support
+ *
+ * Copyright (C) 2017 Piotr Dymacz <pepe2k@gmail.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 as published
+ * by the Free Software Foundation.
+ */
+
+#include <linux/gpio.h>
+#include <linux/platform_device.h>
+
+#include <asm/mach-ath79/ath79.h>
+#include <asm/mach-ath79/ar71xx_regs.h>
+
+#include "common.h"
+#include "dev-eth.h"
+#include "dev-gpio-buttons.h"
+#include "dev-leds-gpio.h"
+#include "dev-m25p80.h"
+#include "dev-usb.h"
+#include "dev-wmac.h"
+#include "machtypes.h"
+
+#define AP121F_GPIO_LED_LAN	17
+#define AP121F_GPIO_LED_VPN	27
+#define AP121F_GPIO_LED_WLAN	0
+
+#define AP121F_GPIO_MICROSD_EN	26
+
+#define AP121F_GPIO_BTN_RESET	12
+#define AP121F_GPIO_BTN_SWITCH	21
+
+#define AP121F_KEYS_POLL_INTERVAL	20
+#define AP121F_KEYS_DEBOUNCE_INTERVAL	(3 * AP121F_KEYS_POLL_INTERVAL)
+
+#define AP121F_WMAC_CALDATA_OFFSET	0x1000
+
+static struct gpio_led ap121f_leds_gpio[] __initdata = {
+	{
+		.name		= "ap121f:green:lan",
+		.gpio		= AP121F_GPIO_LED_LAN,
+		.active_low	= 1,
+	}, {
+		.name		= "ap121f:green:vpn",
+		.gpio		= AP121F_GPIO_LED_VPN,
+		.active_low	= 1,
+	}, {
+		.name		= "ap121f:green:wlan",
+		.gpio		= AP121F_GPIO_LED_WLAN,
+		.active_low	= 0,
+	},
+};
+
+static struct gpio_keys_button ap121f_gpio_keys[] __initdata = {
+	{
+		.desc			= "reset",
+		.type			= EV_KEY,
+		.code			= KEY_RESTART,
+		.debounce_interval	= AP121F_KEYS_DEBOUNCE_INTERVAL,
+		.gpio			= AP121F_GPIO_BTN_RESET,
+		.active_low		= 1,
+	}, {
+		.desc			= "switch",
+		.type			= EV_KEY,
+		.code			= BTN_0,
+		.debounce_interval	= AP121F_KEYS_DEBOUNCE_INTERVAL,
+		.gpio			= AP121F_GPIO_BTN_SWITCH,
+		.active_low		= 0,
+	},
+};
+
+static void __init ap121f_setup(void)
+{
+	u8 *art = (u8 *) KSEG1ADDR(0x1f040000);
+
+	ath79_register_m25p80(NULL);
+
+	ath79_setup_ar933x_phy4_switch(false, false);
+
+	/* LAN */
+	ath79_register_mdio(0, 0x0);
+	ath79_init_mac(ath79_eth0_data.mac_addr, art, 0);
+	ath79_register_eth(0);
+
+	ath79_register_leds_gpio(-1, ARRAY_SIZE(ap121f_leds_gpio),
+				 ap121f_leds_gpio);
+
+	ath79_register_gpio_keys_polled(-1, AP121F_KEYS_POLL_INTERVAL,
+					ARRAY_SIZE(ap121f_gpio_keys),
+					ap121f_gpio_keys);
+
+	gpio_request_one(AP121F_GPIO_MICROSD_EN,
+			 GPIOF_OUT_INIT_HIGH | GPIOF_EXPORT_DIR_FIXED,
+			 "microSD enable");
+
+	ath79_register_wmac(art + AP121F_WMAC_CALDATA_OFFSET, NULL);
+
+	ath79_register_usb();
+}
+
+MIPS_MACHINE(ATH79_MACH_AP121F, "AP121F", "ALFA Network AP121F", ap121f_setup);

target/linux/ar71xx/files/arch/mips/ath79/mach-rb95x.c

@@ -165,6 +165,8 @@ static int rb95x_nand_scan_fixup(struct mtd_info *mtd)
 		chip->ecc.layout = &rb95x_nand_ecclayout;
 	}
 
+	chip->options = NAND_NO_SUBPAGE_WRITE;
+
 	return 0;
 }
 

target/linux/ar71xx/files/arch/mips/ath79/mach-tl-wr1043nd-v4.c

@@ -57,7 +57,7 @@
 #define TL_WR1043_V4_KEYS_POLL_INTERVAL		20 /* msecs */
 #define TL_WR1043_V4_KEYS_DEBOUNCE_INTERVAL	(3 * TL_WR1043_V4_KEYS_POLL_INTERVAL)
 
-#define TL_WR1043_V4_MAC_LOCATION		0x1ff80174
+#define TL_WR1043_V4_MAC_LOCATION		0x1ff50008
 
 #define TL_WR1043_V4_EEPROM_ADDR		0x1fff0000
 #define TL_WR1043_V4_WMAC_CALDATA_OFFSET	0x1000

target/linux/ar71xx/files/arch/mips/ath79/machtypes.h

@@ -30,6 +30,7 @@ enum ath79_mach_type {
 	ATH79_MACH_ANTROUTER_R1,		/* Antrouter R1 */
 	ATH79_MACH_AP121,			/* Atheros AP121 reference board */
 	ATH79_MACH_AP121_MINI,			/* Atheros AP121-MINI reference board */
+	ATH79_MACH_AP121F,			/* ALFA Network AP121F */
 	ATH79_MACH_AP132,			/* Atheros AP132 reference board */
 	ATH79_MACH_AP135_020,			/* Atheros AP135-020 reference board */
 	ATH79_MACH_AP136_010,			/* Atheros AP136-010 reference board */

target/linux/ar71xx/image/generic.mk

@@ -1,3 +1,16 @@
+define Device/ap121f
+  DEVICE_TITLE := ALFA Network AP121F
+  DEVICE_PACKAGES := kmod-usb-core kmod-usb2 kmod-usb-storage -swconfig
+  BOARDNAME := AP121F
+  IMAGE_SIZE := 16064k
+  CONSOLE := ttyATH0,115200
+  MTDPARTS := spi0.0:192k(u-boot)ro,64k(u-boot-env),64k(art)ro,-(firmware)
+  SUPPORTED_DEVICES := ap121f
+  IMAGE/sysupgrade.bin = append-kernel | pad-to $$$$(BLOCKSIZE) | \
+	append-rootfs | pad-rootfs | append-metadata | check-size $$$$(IMAGE_SIZE)
+endef
+TARGET_DEVICES += ap121f
+
 define Device/ap90q
   DEVICE_TITLE := YunCore AP90Q
   BOARDNAME = AP90Q