Commit graph

701 commits

Author SHA1 Message Date
Felix Fietkau
c02f41c1d2 igmpproxy: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
8299737428 dropbear: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:08 +02:00
Felix Fietkau
da328f2865 hostapd: backport mesh/ibss HT20/HT40 related fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-27 17:22:39 +02:00
Felix Fietkau
c7a5bb5a7e samba36: avoid picking up a dependency on libunwind (fixes GH #212)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 17:33:17 +02:00
Felix Fietkau
ca6375ac51 hostapd: fix an error on parsing radius_das_client
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 16:58:50 +02:00
Felix Fietkau
56f686b710 samba36: disable local browse master by default
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:12 +02:00
Felix Fietkau
75329fc161 hostapd: fix VLAN support in full wpad builds
Suppress -DCONFIG_NO_VLAN if CONFIG_IBSS_RSN is enabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:10 +02:00
Kevin Darbyshire-Bryant
17f4d3967e samba: update smb template socket options defaults
Removed socket options = TCP_NODELAY IPTOS_LOWDELAY

TCP_NODELAY (disables Nagle algorithm) is default since samba2.
IPTOS_LOWDELAY sets DSCP 0x10 coding (CS2)
The alternate IPTOS_THROUGHPUT sets DSCP 0x08 coding (CS1)

CS1 is a scavenger class, whilst CS2 is more OAM/interactive
(SNMP,SSH,syslog)

Using CS2 is definitely an abuse of DSCP classification, CS1 less so
however even if the ISP takes note of DSCP codings having a default that
sets traffic to CS2 is wrong.  Better to use the default Best Effort
class.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Kevin Darbyshire-Bryant
527696674a igmpproxy: logging options - make work & improve
Move logging command line option to uci:
option verbose [0]/1/2 - mono-syllabic/verbose/noisy

Previously handled as 'OPTIONS' in .init script however variable
was ignored so never worked.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Felix Fietkau
ad430c1080 hostapd: add a WDS AP fix for reconnecting clients
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-06 10:12:37 +02:00
neheb
a3e7d5e7ae samba: Update smb.conf.template
Removed some options which are default anyway and added bind interfaces
only which causes the interfaces line to actually have an effect. Can be
verified with netstat.

Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-07-05 22:59:14 +02:00
Hans Dedecker
c2bd469521 dnsmasq: Add broken realtime clock build switch in full variant
By default dnsmasq uses the time function; which returns the time since
Epoch; to retrieve the current time. On boards which have no realtime
clock this can lead to side effects when the time is synced via ntp
as the "time wrap" forces dhcp leases to be considered as expired.
By enabling the broken realtime clock build switch dnsmasq uses the
times utility which returns the number of clock tick.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
[Jo-Philipp Wich: change symbol name, add sym to PKG_CONFIG_DEPENDS]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-30 00:42:46 +02:00
Jo-Philipp Wich
f98f4601de openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.

Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.

Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-28 10:47:22 +02:00
Daniel Dickinson
4a3b8e0596 lldpd: Use /etc/os-release instead of /etc/openwrt_*
With the addition of /etc/os-release patching lldpd to use
/etc/openwrt_release and to have the initscript use
/etc/openwrt_release and/or /etc/openwrt_version becomes
unnecessary.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-06-27 15:16:01 +02:00
Kevin Darbyshire-Bryant
5acfe55d71 dnsmasq: dnssec time handling uses ntpd hotplug
Change dnsmasq's dnssec time check handling to use time validity
indicated by ntpd rather than maintaining a cross boot/upgrade
/etc/dnsmasq.time timestamp file.  This saves flash device wear.

If ntpd client is configured in uci and you're using dnssec, then
dnsmasq will not check dnssec timestamp validity until ntpd hotplug
indicates sync via a stratum change. The ntpd hotplug leaves a status
flag file to indicate to dnsmasq.init that time is valid and that it
should now start in 'check dnssec timestamp valid' mode.

If ntpd client is not configured and you're using dnssec, then it is
presumed you're using an alternate time sync mechanism and that time is
correct, thus dnsmasq checks dnssec timestamps are valid from 1st start.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

V2 - stratum & step ntp changes indicate time is valid
V3 - on initial flag file step signal dnsmasq with SIGHUP if running
V4 - only accept step ntp changes. Accepting both stratum & step could
result in unpleasant script race conditions
V5 - Actually only accepting stratum is the correct thing to do after
further testing
V6 - improve handling of non busybox ntpd
if sysntpd not executable
  dnsmasq checks dnssec timestamps
else
  sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file
  sysntp script enabled & uci ntp enabled  - look for timestamp file
  sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec
timestamps
fi
2016-06-24 13:53:39 +02:00
Hauke Mehrtens
3f38356893 packages: prefer http over git for git protocol
In company networks everything except the http and https protocol is
often causes problems, because the network administrators try to block
everything else. To make it easier to use LEDE in company networks use
the https/http protocol for git access when possible.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-06-22 19:32:06 +02:00
Felix Fietkau
475e94b1d2 uhttpd: update to the latest version, adds some extensions to handler script support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-16 19:00:16 +02:00
Felix Fietkau
4e0a533f60 hostapd: fix breakage with non-nl80211 drivers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 19:28:55 +02:00
Jo-Philipp Wich
e2a9c638e7 hostapd: fix compilation error in wext backend
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-15 19:10:32 +02:00
Felix Fietkau
ef74d5cbf8 hostapd: implement fallback for incomplete survey data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:31:48 +02:00
Felix Fietkau
13b44abcff hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:11:43 +02:00
Michal Hrusecky
b67af71181 hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.

Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
2016-06-15 17:11:18 +02:00
Magnus Kroken
4260d11e8b openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data

Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-06-13 22:51:43 +02:00
John Crispin
62dc9831d3 package/*: update git urls for project repos
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:41 +02:00
Kevin Darbyshire-Bryant
e815036460 dnsmasq: support hostid ipv6 address suffix option
Add support for hostid dhcp config entry to dnsmasq. This allows
specification of dhcpv6 hostid suffix and works in the same way as
odhcpd.

Entries in auto generated dnsmasq.conf should conform to:

dhcp-host=mm:mm:mm:mm:mm:mm,IPv4addr,[::V6su:ffix],hostname

example based on sample config/dhcp entry:

config host
        option name 'Kermit'
        option mac 'E0:3F:49:A1:D4:AA'
        option ip '192.168.235.4'
        option hostid '4'

dhcp-host=E0:3F:49:A1:D4:AA,192.168.235.4,[::0:4],Kermit

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-06-10 18:16:47 +02:00
Hans Dedecker
7eaacd4d23 dnsmasq: Add option --max-port
By default dnsmasq uses random ports for outbound dns queries;
when the maxport UCI option is specified the ports used will
always be smaller than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-06-10 18:05:07 +02:00
Matteo Panella
20c608db0a openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).

This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.

Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 23:02:58 +02:00
Jo-Philipp Wich
24a7ccb056 treewide: replace jow@openwrt.org with jo@mein.io
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 11:42:52 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Dirk Neukirchen
04cb722e9f openvpn: remove unrecognized option
removed upstream in
9ffd00e754
now its always on

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-06-01 15:18:42 +02:00
Dario Ernst
4d1c75c601 dropbear: Fix incorrect CONFIG_TARGET_INIT_PATH.
Fix a „semantic typo“ introduced in b78aae793e,
where TARGET_INIT_PATH was used instead of CONFIG_TARGET_INIT_PATH.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-05-24 16:31:17 +02:00
Daniel Dickinson
2ac21bd793 dnsmasq: Set the default dhcp lease file and resolv file
Instead of making assumptions about the leasefile and resolv file make sure
we use what the user configures, but fall back to defaults if no configuration
is specified

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
2016-05-24 13:30:58 +02:00
Kevin Darbyshire-Bryant
a6e96998fb dnsmasq: update to dnsmasq v2.76
Update to dnsmasq2.76.  Refresh patches.  Add new patch to fix musl
'poll.h' location warning.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-05-24 13:30:58 +02:00
John Crispin
31293752c8 mdns: update to latest git HEAD
* fixes loopback handling

Signed-off-by: John Crispin <john@phrozen.org>
2016-05-23 10:26:32 +02:00
Felix Fietkau
b570c0c88e uhttpd: use configured distribution name for SSL certificate CN
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-05-21 12:42:44 +02:00
Kevin Darbyshire-Bryant
7938e8d60a dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps.  dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-05-19 10:28:18 +02:00
Jo-Philipp Wich
85a59127a7 Revert "dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time"
This reverts commit d830cb0882.

Reverting this commit due to a missing Signed-off-by.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-19 10:28:17 +02:00
Kevin Darbyshire-Bryant
d830cb0882 dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps.  dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
2016-05-18 22:17:33 +02:00
Jo-Philipp Wich
1c61b21489 dropbear: update to 2016.73
Update the dropbear package to version 2016.73, refresh patches.
The measured .ipk sizes on an x86_64 build are:

  94588	dropbear_2015.71-3_x86_64.ipk
  95316	dropbear_2016.73-1_x86_64.ipk

This is an increase of roughly 700 bytes after compression.

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-13 10:23:52 +02:00
John Crispin
b8ab6af1a9 global: change my email address
Signed-off-by: John Crispin <john@phrozen.org>
2016-05-12 03:29:36 +02:00
Hans Dedecker
861266c9ec dropbear: Add --disable-utmpx again
The option --disable-utmpx was deleted by accident in commit 7545c1d;
add it again to the CONFIGURE_ARGS list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-05-12 03:29:35 +02:00
Hans Dedecker
ec9f6fe04d ppp: Add ppp-mod-passwordfd subpackage to ppp
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:50:41 +02:00
Hans Dedecker
ce9e5e16ff dnsmasq: Add conntrack support in the full variant
Conntrack support reads the connection track mark associated with
incoming DNS queries and sets the same mark value on the upstream
forwarded DNS query. This can be usefull to track traffic generated
by dnsmasq to associate it with the clients who generate the queries,
usefull for bandwidth accouting and firewall.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:50:20 +02:00
Hans Dedecker
16122117a5 dropbear: Add procd interface triggers when interface config is specified
A dropbear instance having an interface config won't start if the interface is down as no
IP address is available.
Adding interface triggers for each configured interface executing the dropbear reload script
will start the dropbear instance when the interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:49:37 +02:00
Hans Dedecker
7545c1d96b dropbear: Make utmp and putuline support configurable via seperate config options
Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox)
Putuline support will use the utmp structure to write to the utmp file

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:47:48 +02:00
John Crispin
fa69553900 branding: add LEDE branding
Signed-off-by: John Crispin <blogic@openwrt.org>
2016-03-24 22:40:13 +01:00
John Crispin
3481d0d793 dnsmasq: run as dedicated UID/GID
Running dnsmasq in a dedicated user/group allows matching its outgoing
traffic more easily using iptables' owner match.
Add UID/GID to the package metadata and append the user/group
parameters to the init script.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 49252
2016-04-26 11:44:10 +00:00
Hauke Mehrtens
3fabbb814d dnsmasq: Add enable parameter in the UCI DHCP host section
Parameter allows to enable/disable static leases; by default the value is 1
to keep backwards compatibility

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49187
2016-04-17 12:52:54 +00:00
Hauke Mehrtens
3830200d6a hostapd.sh: Add support for "anonymous_identity" config field
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require.  From the documentation:

anonymous_identity: Anonymous identity string for EAP (to be used as the
    unencrypted identity with EAP types that support different tunnelled
    identity, e.g., EAP-TTLS).

This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.

Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49181
2016-04-17 12:50:55 +00:00
Hauke Mehrtens
1414f1647d samba: fix some security problems
This fixes the following security problems:
* CVE-2015-7560
* CVE-2015-5370
* CVE-2016-2110
* CVE-2016-2111
* CVE-2016-2112
* CVE-2016-2115
* CVE-2016-2118

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49175
2016-04-16 20:06:34 +00:00
John Crispin
0ca7071632 openvpn: add support for X.509 name options
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

SVN-Revision: 48969
2016-03-08 18:12:02 +00:00
John Crispin
b5bfb3534b dnsmasq: add host-specific lease time option for static hosts
Enable setting a host-specific lease time for static hosts.
The new option is called "leasetime" and the format is similar
as for the default lease time: e.g. 12h, 3d, infinite

Default lease time is used for all hosts for which there is
no host-specific definition.

The option is added to /etc/config/dhcp for the selected hosts:
  config host
        option name 'Nexus'
        option mac 'd8:50:66:55:59:7c'
        option ip '192.168.1.245'
        option leasetime '2h'

It gets appended to /var/etc/dnsmasq.conf like this:
  dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48801
2016-02-26 09:13:03 +00:00
John Crispin
c503984876 dnsmasq: add dhcp relay option
Signed-off-by: dbugnar <dnbugnar@ocedo.com>

SVN-Revision: 48800
2016-02-26 08:35:48 +00:00
Felix Fietkau
b4a1bd8992 dnsmasq: export tftp root to the procd jail
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48761
2016-02-25 09:24:31 +00:00
Felix Fietkau
5e84051a0f dnsmasq: only enable tftp if the tftp root exists
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48760
2016-02-25 09:24:24 +00:00
John Crispin
7a29f7c22d lldp: Upgrade to 0.9.0
Signed-off-by: Ben Kelly <ben@benjii.net>

SVN-Revision: 48738
2016-02-18 08:22:07 +00:00
Jo-Philipp Wich
b78aae793e dropbear: honor CONFIG_TARGET_INIT_PATH
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48679
2016-02-08 14:28:57 +00:00
Felix Fietkau
d8684c7068 relayd: update to the latest version, fixes some more connectivity issues (#21817)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48655
2016-02-08 08:03:06 +00:00
Felix Fietkau
2d7840b505 relayd: update to the latest version, fixes route table issues when connecting to the router
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48635
2016-02-05 15:59:41 +00:00
Felix Fietkau
eb47ddd557 hostapd: remove useless TLS provider selection override for wpad-mesh/wpa_supplicant-mesh
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48537
2016-01-28 22:42:14 +00:00
Felix Fietkau
18b2f2d694 hostapd: fix mesh interface bridge handling
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48529
2016-01-28 17:20:10 +00:00
Felix Fietkau
b4ef1fca48 hostapd: fix wpad-mesh and wpa-supplicant-mesh configuration issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48528
2016-01-28 17:19:48 +00:00
Felix Fietkau
924407b253 hostapd: update to version 2016-01-15
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48527
2016-01-28 17:19:13 +00:00
Jo-Philipp Wich
d8da5c5630 dnsmasq: Don't add local hostname if ula prefix is not specified
Commit 6a7e56b adds support for adding local hostname for own lan ula adress
but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1)
causing dnsmasq not to start up.
Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the
UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 48495
2016-01-25 17:47:22 +00:00
Felix Fietkau
565570cfd5 package/uhttpd: generate 2048 bit RSA key
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>

SVN-Revision: 48494
2016-01-25 17:42:25 +00:00
Felix Fietkau
208b96cacd uhttpd: fix typo in default config for px5g
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48385
2016-01-19 23:27:14 +00:00
Felix Fietkau
faad8b68a4 wpa_supplicant: add support for EAP-TLS phase2
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48345
2016-01-19 10:06:29 +00:00
Felix Fietkau
3b15eb0ade hostap/wpa_supplicant: enable EAP-FAST in -full builds
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48344
2016-01-19 10:06:23 +00:00
Felix Fietkau
808a605453 uhttpd: add option for mbedtls
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48343
2016-01-19 10:06:18 +00:00
Felix Fietkau
e4cf25cfab wpa_supplicant: improve generating phase2 config line for WPA-EAP
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...

The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.

Examples:
  eap_type   auth
  'ttls'     'EAP-MSCHAPV2'     -> phase2="autheap=MSCHAPV2"
  'ttls'     'MSCHAPV2'         -> phase2="auth=MSCHAPV2"
  'peap'     'EAP-GTC'          -> phase2="auth=GTC"

Deprecated syntax supported for compatibility:
  'ttls'     'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"

I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48309
2016-01-18 11:40:44 +00:00
Felix Fietkau
56f6d35716 dnsmasq: Add option --min-port
By default dnsmasq uses random ports for outbound dns queries;
when the minport UCI option is specified the ports used will
always be larger than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 48244
2016-01-15 11:24:15 +00:00
Felix Fietkau
64c23711ea dropbear: update version to 2015.71
Update dropbear to version 2015.71, released on 3 Dec 2015.
Refresh patches.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48243
2016-01-15 11:24:09 +00:00
Jo-Philipp Wich
722badfa82 dnsmasq: add local hostname record for own lan ula address as well
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48214
2016-01-12 10:03:50 +00:00
Rafał Miłecki
2611a5538e hostapd: fix disassociation with FullMAC drivers and multi-BSS
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 48202
2016-01-11 18:51:47 +00:00
Felix Fietkau
37a57c1d71 openvpn: update to version 2.3.10
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48201
2016-01-11 18:37:28 +00:00
Felix Fietkau
4c7983a00a dropbear: enable curve25519 support by default, increases compressed binary size by ~5 kb
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48196
2016-01-10 22:38:59 +00:00
Felix Fietkau
1455b5b89a dropbear: split out curve25519 support into a separate config option
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48195
2016-01-10 22:38:53 +00:00
Felix Fietkau
6c40914c0c hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
  (CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

SVN-Revision: 48185
2016-01-10 17:03:37 +00:00
Felix Fietkau
1aa774053b openvpn: added service_triggers() to init script
Follow up of #21469
This patch enables autoreloading openvpn via procd.

Signed-off-by: Federico Capoano <nemesis@ninux.org>

SVN-Revision: 48150
2016-01-07 21:08:05 +00:00
Felix Fietkau
44b6a5e549 samba36: add three CVE patches from 2015-12-16
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.

Signed-off-by: Jan Čermák <jan.cermak@nic.cz>

SVN-Revision: 48133
2016-01-05 10:42:52 +00:00
Felix Fietkau
f500c8f3ac relayd: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48129
2016-01-04 15:13:17 +00:00
Felix Fietkau
a5dc438274 uhttpd: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48122
2016-01-04 15:12:21 +00:00
Felix Fietkau
9cd6162b63 packages: use OPENWRT_GIT to point at the main openwrt git repo
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48118
2016-01-04 15:11:49 +00:00
Felix Fietkau
74c36b9d20 wpa_supplicant: set regulatory domain the same way as hostapd
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.

Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>

SVN-Revision: 48099
2016-01-03 20:56:57 +00:00
John Crispin
7029ee5abe openvpn: fix configure options
- eurephia:
commit: Remove the --disable-eurephia configure option

- fix option name:
http proxy option is now called http-proxy (see configure.ac)

fixes:
configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 47979
2015-12-23 14:44:24 +00:00
John Crispin
fde2ac3537 package/lldpd: Remove extraneous select
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 47976
2015-12-23 14:44:05 +00:00
John Crispin
a621edbb0a dnsmasq: Add option --no-ping
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 47974
2015-12-23 14:43:41 +00:00
Felix Fietkau
f45697d904 dnsmasq: changed option nonwildcard to --bind-dynamic
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.

Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>

SVN-Revision: 47953
2015-12-19 13:18:26 +00:00
John Crispin
fa532b839f network/services/lldpd: Fix missing dependency when using JSON
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 47928
2015-12-17 09:30:16 +00:00
John Crispin
725fc09cec dnsmasq: Add option "--all-servers"
Add the option "--all-servers" which forces dnsmasq to send all
queries to all servers and then take the first answer.

Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com>

SVN-Revision: 47857
2015-12-11 15:06:59 +00:00
Felix Fietkau
b580ebb5a8 lldpd: add STOP=01 param in init script
This should ensure that lldpd is among the first processes to stop,
so that it has time to send the shutdown LLDPU to the other side,
before the network goes down.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 47786
2015-12-05 09:57:19 +00:00
John Crispin
3afe39af72 wpa-supplicant: Get 802.11s ssid information from option mesh_id
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 47615
2015-11-24 18:28:44 +00:00
John Crispin
939175e9f2 authsae: Use kbit/s as mcast_rate unit like wpad
The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when
using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s.
But when using authsae, the unit for the same option is redefined as
Mbit/s. Better use the same unit for this option independent of the backend
which is used.

Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid
problems during upgrades from older versions.

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 47614
2015-11-24 18:28:35 +00:00
John Crispin
b816d6276d authsae: Fix meshid in authsae config
The variable $mesh_id was never defined in authsae_start_interface and thus
the option meshid in $authsae_conf_file was always set to "".

Signed-off-by: Sven Eckelmann <sven@open-mesh.com>

SVN-Revision: 47613
2015-11-24 18:28:19 +00:00
Steven Barth
0c450f1f47 odhcpd: correctly handle netlink congestion case
Thanks to @ktgeek and @willmo for diagnosing

Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 47514
2015-11-19 11:49:21 +00:00
Felix Fietkau
047f9ef8eb hostapd: Use network_get_device instead of uci_get_state
This fixes the IAPP functionality.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>

SVN-Revision: 47455
2015-11-11 08:34:59 +00:00
Luka Perkov
b18c9d271e uhttpd: add support for configuration option ubus_cors
Signed-off-by: Luka Perkov <luka@openwrt.org>

SVN-Revision: 47448
2015-11-10 22:28:45 +00:00
Felix Fietkau
b613c96d94 openvpn: enable options consistency check even in the small build
Only costs about 3k compressed, but significantly improves handling of
configuration mismatch

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47439
2015-11-10 12:04:04 +00:00
Felix Fietkau
1d6a530fe6 uhttpd: update to the latest version, adds support for redirect helper scripts
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47419
2015-11-08 20:39:09 +00:00
Felix Fietkau
322de4101a lldpd: implement a reload hook
Seems the default one is not working as expected.
The way that reload should work is that the 'start' service
call should return 1 (if lldpd is running) and then a normal
restart would be called.

However, for lldpd a reload would mean just clearing all custom TLVs
(if they're configured) and reloading the configuration.

So, this patch adds a reload hook, which would:
 - 'start' lldpd if it's not running (because we return 1 if not running)
 - reload configuration if it is running (also previously
    clearing custom TLVs if present)

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>

SVN-Revision: 47367
2015-11-03 11:59:09 +00:00