CVE-2017-15107
An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example
!.example.org NSEC zz.example.org
is fine.
The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.
This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Add sendopts config support allowing to add options in sent DHCPv6 packets.
Options can be configured as follows :
uci set network.wan6.sendopts="sntpservers:3001:3001::1,3001:3001::2 11:00000000000000000000006674692F 0x3e8:ABCDEF"
Based on a patch by Frank Andrieu <fandrieu@gmail.com>
See https://git.openwrt.org/?p=project/odhcp6c.git;a=commit;h=510aaf6d528210c5e8a6159f9b80b32615e88c5f
for a more detailed description.
Latest git changes :
1f93bd4 dhcpv6: rework option passthrough logic
a477e95 odhcp6c: rework userclass and vendorclass command handling
510aaf6 odhcp6c: add -x opt:val support
ab75be1 treewide: update copyrights to 2018
f3a4609 odhcp6c: let odhcp6c_add_state return a success/failure indication
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
It is no longer actively maintained and does not work well in many
configurations. Fully replaced by wpad-mesh
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Dnsmasq used SIGHUP to do too many things: 1) set dnssec time validation
enabled, 2) bump SOA zone serial, 3) clear dns cache, 4) reload hosts
files, 5) reload resolvers/servers files.
Many subsystems within LEDE can send SIGHUP to dnsmasq: 1) ntpd hotplug
(to indicate time is valid for dnssec) 2) odhcpd (to indicate a
new/removed host - typically DHCPv6 leases) 3) procd on interface state
changes 4) procd on system config state changes, 5) service reload.
If dnssec time validation is enabled before the system clock has been
set to a sensible time, name resolution will fail. Because name
resolution fails, ntpd is unable to resolve time server names to
addresses, so is unable to set time. Classic chicken/egg.
Since commits 23bba9cb33 (service reload) &
4f02285d8b (system config) make it more
likely a SIGHUP will be sent for events other than 'ntpd has set time'
it is more likely that an errant 'name resolution is failing for
everything' situation will be encountered.
Fortunately the upstream dnsmasq people agree and have moved 'check
dnssec timestamp enable' from SIGHUP handler to SIGINT.
Backport the upstream patch to use SIGINT.
ntpd hotplug script updated to use SIGINT.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Some newer LTE modems, like the MC7455 or EC25-E do not support
"802.3" mode, and will stay in "raw-ip" regardless of the mode being
set.
In this case, the driver must be informed that it should handle all
packets in raw mode. [1]
This commit fixes connectivity issues for these devices.
Before:
[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending discover
udhcpc: sending discover
After:
[ Node 5 ] udhcpc -i wwan0
udhcpc: started, v1.27.2
udhcpc: sending discover
udhcpc: sending select for 100.66.245.226
udhcpc: lease of 100.66.245.226 obtained, lease time 7200
udhcpc: ifconfig wwan0 100.66.245.226 netmask 255.255.255.252 broadcast
+
udhcpc: setting default routers: 100.66.245.225
[1] https://lists.freedesktop.org/archives/libqmi-
devel/2017-January/002064.html
Tested on cns3xxx using a Sierra Wireless MC7455 LTE-A
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[bumped PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of grepping for NETWORK after calling ipcalc.sh; pass ipcalc.sh as
argument to eval allowing to use $NETWORK to retrieve the IPv4 prefix
(ip4prefix).
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Certain DHCP servers push a gateway outside of the assigned interface subnet,
to support those situations, install a host route towards the gateway.
If Gateway and IP are served in same network, openwrt quagga cannot learn
routes (rip routes are not getting added, showing inactive) whereas
working fine when Gateway and IP are in different network.
Signed-off-by: Mogula Pranay <mogula.pranay@nxp.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
br2684ctl starts automatically, set up reload triggers, which fire as soon
as a atm driver is loaded. No need to do the reload via the script.
The reload is only required as soon as we can reliable switch between atm
and ptm driver and need to be implemented in a race free way.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Add the uci option nameprefix to specifc a target netdev name. Patch the
br2684ctl code to accept and set a netdev name via commandline parameters.
It allows to use the same netdev name for ATM and PTM lines on lantiq
xdsl hardware.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Mathis Kresin <dev@kresin.me>
Previously this was only activated for ADSL, this patch activates the
same setting also for VDSL, this feature is also support for VDSL in the
same way it works for ADSL.
I tested it with DSL FW 5.7.9.5.1.7 against a Broadcom 177.140 DSLCO
(Deutsche Telekom) and saw different data rates and Max. Attainable Data
Rates depending on the ds_snr_offset settings I choose.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In order to properly support 802.11w, hostapd needs to advertise a group
management cipher when negotiating associations.
Introduce a new per-wifi-iface option "ieee80211w_mgmt_cipher" which
defaults to the standard AES-128-CMAC cipher and always emit a
"group_mgmt_cipher" setting in native hostapd config when 802.11w is
enabled.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Enabling IPTABLES_NFTABLES resulted in an error during build:#
*** No rule to make target '../extensions/libext.a',
needed by 'xtables-compat-multi'."
Comments from Alexander Lochmann and Fedor Konstantinov in FS#711
provided fixes for this build error, allowing iptables to compile.
https://bugs.lede-project.org/index.php?do=details&task_id=711.
This commit updates the Makefile.am xtables_compat_multi_LDFLAGS
and _LDADD, moving linking of extensions to LDFLAGS.
Signed-off-by: rektide de la faye <rektide@voodoowarez.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Send a SIGHUP signal via procd to the dnsmasq service so the instance(s)
re-read(s) the /tmp/hosts/dhcp config.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If the hostname in /etc/config/system is modified the dnsmasq should also
get triggered to rewrite/reload the config.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
7aa2594 odhcpd: Replace strerror(errno) with %m format
750e457 Support muliple RAs on single interface
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The git hash was changed for multiple layerscape packages without
changing the version number. The LEDE build system will not download the
packages again if the old version is already there and so some people
and the build bots are using wrong version of some packages. Use
PKG_SOURCE_DATE instead of PKG_VERSION to generate packages with the
date and the first charterers of the git hash. This will change the file
name and make the build system download them again, also if in future
the git hash is changed the file name will change and trigger a new
download.
This should fix a problem spotted by build bot.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
There has been recent significant activity with the cake qdisc of late
Some of that effort is related to upstreaming to kernel & iproute2
mainline but we're not quite there yet. This commit teaches tc how to
activate and interprete the latest cake operating modes, namely:
ingress mode: Instead of only counting packets that make it past the
shaper, include packets we've decided to drop as well, since they did
arrive with us on the link and took link capacity.
This mode is more suitable for shaping the ingress of a link
(e.g. from ISP) rather than the more normal egress.
ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS. Useful in
highly assymetric links (downstream v upstream capacity) where the
majority of upstream link capacity is occupied with ACKS for downstream
traffic.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Remove PACKAGE_uhttpd_debug config as this is an unused leftover
Add CONFIG_uhttpd_lua to PKG_CONFIG_DEPENDS
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Bump to latest WireGuard snapshot release:
44f8e4d version: bump snapshot
bbe2f94 chacha20poly1305: wire up avx512vl for skylake-x
679e53a chacha20: avx512vl implementation
10b1232 poly1305: fix avx512f alignment bug
5fce163 chacha20poly1305: cleaner generic code
63a0031 blake2s-x86_64: fix spacing
d2e13a8 global: add SPDX tags to all files
d94f3dc chacha20-arm: fix with clang -fno-integrated-as.
3004f6b poly1305: update x86-64 kernel to AVX512F only
d452d86 tools: no need to put this on the stack
0ff098f tools: remove undocumented unused syntax
b1aa43c contrib: keygen-html for generating keys in the browser
e35e45a kernel-tree: jury rig is the more common spelling
210845c netlink: rename symbol to avoid clashes
fcf568e device: clear last handshake timer on ifdown
d698467 compat: fix 3.10 backport
5342867 device: do not clear keys during sleep on Android
88624d4 curve25519: explictly depend on AS_AVX
c45ed55 compat: support RAP in assembly
7f29cf9 curve25519: modularize dispatch
Refresh patches.
Compile-test-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
As MD5 is known weak for many years and more and more
penetration test tools complain about enabled MD5 HMAC
I think it's time to drop it.
By disabling the MD5 HMAC support dropbear will also
automatically use SHA1 for fingerprints.
This shouldn't be a problem too.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Add config option which allows to enable/disable DHCP support at compile
time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support
implies having DHCP support.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
udhcpc doesn't send a hostname by default. Use the system hostname if
nothing else is specified, to always send a hostname.
It syncs the behaviour to odhcpc, which always sends a hostname.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Different invocations of the dnsmasq init script (e.g. at startup by procd)
will rewrite the dhcp host file which might result into dnsmasq reading an
empty dhcp host file as it is being rewritten by the dnsmasq init script.
Let the dnsmasq init script first write to a temp dhcp host file so it does
not overwrite the contents of the existing dhcp host file.
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
Network Management (WNM) Sleep Mode handshake. Currently, hostapd
processes WNM Sleep Mode requests from clients regardless of the setting
wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
order to ignore such requests by clients when wnm_sleep_mode is disabled
(which is the default).
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.
Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.
Make this option configurable via UCI, but disabled by default.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Tiny variant supports a subset of the ip commands; align the ip help
text so it actually reflects which commands are supported in the
tiny variant.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Preserves optionality of libmnl by letting configuration
script follow the HAVE_MNL environment variable.
Signed-off-by: Russell Senior <russell@personaltelco.net>
If all configured dns servers return refused in response to a query in
strict mode; dnsmasq will end up in an infinite loop retransmitting the
dns query resulting into high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>