Commit graph

1507 commits

Author SHA1 Message Date
Felix Fietkau
faad8b68a4 wpa_supplicant: add support for EAP-TLS phase2
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48345
2016-01-19 10:06:29 +00:00
Felix Fietkau
3b15eb0ade hostap/wpa_supplicant: enable EAP-FAST in -full builds
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48344
2016-01-19 10:06:23 +00:00
Felix Fietkau
808a605453 uhttpd: add option for mbedtls
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48343
2016-01-19 10:06:18 +00:00
Felix Fietkau
f6e38ec125 br2684ctl: resolve a boot time race condition with nas0 bringup by using explicit notification when init is done
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48321
2016-01-18 15:35:30 +00:00
Felix Fietkau
262f054c6e br2684ctl: add support for notifying nas* bringup via a script
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48320
2016-01-18 15:35:24 +00:00
Felix Fietkau
614ebec4d2 firewall: add CONFIG_IPV6 to PKG_CONFIG_DEPENDS to fix a rebuild error
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48315
2016-01-18 13:21:37 +00:00
Felix Fietkau
3c8827fa7f iptables: fix rebuild errors on configuration changes
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48314
2016-01-18 13:21:32 +00:00
Felix Fietkau
e4cf25cfab wpa_supplicant: improve generating phase2 config line for WPA-EAP
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...

The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.

Examples:
  eap_type   auth
  'ttls'     'EAP-MSCHAPV2'     -> phase2="autheap=MSCHAPV2"
  'ttls'     'MSCHAPV2'         -> phase2="auth=MSCHAPV2"
  'peap'     'EAP-GTC'          -> phase2="auth=GTC"

Deprecated syntax supported for compatibility:
  'ttls'     'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"

I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 48309
2016-01-18 11:40:44 +00:00
Felix Fietkau
495935a3b8 iproute2: remove odd conffiles generation
This was generating a conffiles list that included the binary
and CONTROL/ files.

Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>

SVN-Revision: 48296
2016-01-17 20:41:09 +00:00
Jo-Philipp Wich
5cf88bb032 netifd: fix PKG_VERSION (#21630)
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48280
2016-01-17 17:15:01 +00:00
Felix Fietkau
e2e8cb8347 network: add virtual tunnel interface (VTI) support
This adds support for configuring VTI interfaces within /etc/config/network.
VTI interfaces are used to create IPsec tunnel interfaces. These interfaces
may be used for routing and other purposes.

Example config:
config interface 'vti1'
	option proto 'vti'
	option mtu '1500'
	option tunlink 'wan'
	option peeraddr '192.168.5.16'
	option zone 'VPN'
	option ikey 2
	option okey 2

config interface 'vti1_static'
	option proto 'static'
	option ifname '@vti1'
	option ipaddr '192.168.7.2/24'

The options ikey and okey correspond to the fwmark value of a ipsec policy.
The may be null if you do not want fwmarks.
Also peeraddr may be 0.0.0 if you want all ESP packets go through the
interface.
Example strongswan config:
conn vti
	left=%any
	leftcert=peer2.test.der
	leftid=@peer2.test
	right=192.168.5.16
	rightid=@peer3.test
	leftsubnet=0.0.0.0/0
	rightsubnet=0.0.0.0/0
	mark=2
	auto=route

Signed-off-by: André Valentin <avalentin@marcant.net>

SVN-Revision: 48274
2016-01-17 11:06:02 +00:00
Felix Fietkau
eb1ac66ce7 netifd: update to the latest version, adds VTI support and a policy routing fix
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48273
2016-01-17 11:05:53 +00:00
Felix Fietkau
56f6d35716 dnsmasq: Add option --min-port
By default dnsmasq uses random ports for outbound dns queries;
when the minport UCI option is specified the ports used will
always be larger than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 48244
2016-01-15 11:24:15 +00:00
Felix Fietkau
64c23711ea dropbear: update version to 2015.71
Update dropbear to version 2015.71, released on 3 Dec 2015.
Refresh patches.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48243
2016-01-15 11:24:09 +00:00
Jo-Philipp Wich
722badfa82 dnsmasq: add local hostname record for own lan ula address as well
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48214
2016-01-12 10:03:50 +00:00
Rafał Miłecki
2611a5538e hostapd: fix disassociation with FullMAC drivers and multi-BSS
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 48202
2016-01-11 18:51:47 +00:00
Felix Fietkau
37a57c1d71 openvpn: update to version 2.3.10
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48201
2016-01-11 18:37:28 +00:00
Felix Fietkau
4c7983a00a dropbear: enable curve25519 support by default, increases compressed binary size by ~5 kb
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48196
2016-01-10 22:38:59 +00:00
Felix Fietkau
1455b5b89a dropbear: split out curve25519 support into a separate config option
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48195
2016-01-10 22:38:53 +00:00
Felix Fietkau
6c40914c0c hostapd: fix post v2.4 security issues
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
  (CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
  (CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
  (CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>

SVN-Revision: 48185
2016-01-10 17:03:37 +00:00
Felix Fietkau
1aa774053b openvpn: added service_triggers() to init script
Follow up of #21469
This patch enables autoreloading openvpn via procd.

Signed-off-by: Federico Capoano <nemesis@ninux.org>

SVN-Revision: 48150
2016-01-07 21:08:05 +00:00
Rafał Miłecki
a09e713299 swconfig: support sending SWITCH_TYPE_LINK to kernel
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 48141
2016-01-06 18:32:13 +00:00
Felix Fietkau
44b6a5e549 samba36: add three CVE patches from 2015-12-16
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.

Signed-off-by: Jan Čermák <jan.cermak@nic.cz>

SVN-Revision: 48133
2016-01-05 10:42:52 +00:00
Felix Fietkau
f500c8f3ac relayd: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48129
2016-01-04 15:13:17 +00:00
Felix Fietkau
9632c00435 firewall: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48128
2016-01-04 15:13:10 +00:00
Felix Fietkau
286e0917f3 uqmi: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48124
2016-01-04 15:12:33 +00:00
Felix Fietkau
a5dc438274 uhttpd: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48122
2016-01-04 15:12:21 +00:00
Felix Fietkau
9cd6162b63 packages: use OPENWRT_GIT to point at the main openwrt git repo
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48118
2016-01-04 15:11:49 +00:00
Felix Fietkau
c5dfbea1e8 package/network/config/gre: ipv6 gre kmod package name was wrong
Source package gre was depending on kmod-ip6-gre, however the actual
kernel module package that is created is kmod-gre6.  Therefore
update (source) package gre for ipv6 gre support.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 48100
2016-01-03 20:57:06 +00:00
Felix Fietkau
74c36b9d20 wpa_supplicant: set regulatory domain the same way as hostapd
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.

Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.

Signed-off-by: Dmitry Ivanov <dima@ubnt.com>

SVN-Revision: 48099
2016-01-03 20:56:57 +00:00
Felix Fietkau
8e9eed3442 iproute2: update to 4.3.0
iproute2-4.0 had connmark support added by nbd.  This does not work
with 4.x kernels.  iproute2-4.3 is the latest version and has his
changes mainlined.  This patch updates the package to iproute2-4.3
and fixes the patches so that it compiles.  This should resolve
ticket #21374.

Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>

SVN-Revision: 48098
2016-01-03 20:56:45 +00:00
John Crispin
dc69b89c24 ltq-vdsl-app: re-add lowlevel settings
Add back a slightly modified version of the lowlevel settings which
where removed with r46920.

In compare to the old lowlevel settings, the B43c tone is added to
tone_adsl_b and tone_adsl_bv.

If an unsupported tone value is used, the auto probing mode is used, in
compare to the fallback to tone_adsl_av and tone_vdsl_av with the old
lowlevel settings.

Signed-off-by: Mathias Kresin <openwrt@kresin.me>

SVN-Revision: 48054
2016-01-01 21:20:24 +00:00
John Crispin
4908088268 ltq-vdsl-app: enable G.993.5 XTSE bit by default
According to ITU-T G.997.1 Amendment 2 (04/2013) section 2.1, bit 3 of
XTSE octet 8 either allow or denies the initialization of G.993.5.

Even if the current redistributable xDSL firmware doesn't include
G.993.5 vectoring support, enable this bit by default to allow people to
get their G.993.5 line working using a custom xDSL firmware.

Signed-off-by: Mathias Kresin <openwrt@kresin.me>

SVN-Revision: 48053
2016-01-01 21:20:16 +00:00
John Crispin
846124f536 ltq-vdsl-app: let the driver/app probe the xtse on missing annex
r47933 revealed that the driver/app in combination with the chosen
firmware does a good job in selecting a working xtse.

Use this probing mode if no annex is specified.

Signed-off-by: Mathias Kresin <openwrt@kresin.me>

SVN-Revision: 48052
2016-01-01 21:20:08 +00:00
John Crispin
7816dffd03 ltq-vdsl-app: add/enable missing G.993.2 XTSE bits
This patch adds the missing VDSL2 bits to the annex specific XTSE (like
it should be according to the comments above the XTSE bits).

Since r47933 it's mandatory to remove the annex option to switch to
VDSL2 (only) operation mode.

As shown by ticket #21436 and a few mails I received personally, even
experienced users are not aware that they have to remove the annex
option to get their VDSL2 line working and as shown by this patch it
doesn't need to be that "complicated".

Signed-off-by: Mathias Kresin <openwrt@kresin.me>

SVN-Revision: 48051
2016-01-01 21:20:02 +00:00
John Crispin
2625c5621d ltq-vdsl-app: use the final xtse format
This way we can drop the call to sed.

Signed-off-by: Mathias Kresin <openwrt@kresin.me>

SVN-Revision: 48050
2016-01-01 21:19:55 +00:00
Nicolas Thill
98f27a223d dante: fix MD5SUM
MD5SUM is wrong, it was not updated during last update to v1.4.1.

Thanks to Daniel Dickinson <openwrt@daniel.thecshore.com> for reporting it.

Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 48017
2015-12-31 09:20:59 +00:00
Hauke Mehrtens
f80cee1ce5 6in4: Corrected tunnelbroker tunnel update URL
Changed the tunnel update URL into format tunnelbrokers
example has, that made it work again. Current method gives "Username/Password
Authentication Failed." when I tried the wget line manually and logread
eventually says also "6in4: update failed". With corrected URL it works fine:
"good 111.222.333.444" or "nochg 111.222.333.444" and logread concurs with
success, and tunnel actually updates.

Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>

SVN-Revision: 48006
2015-12-27 20:42:26 +00:00
John Crispin
8536afae6f swconfig: support receiving SWITCH_TYPE_LINK from kernel
When using cli, print link state the same way kernel used to do it.
This will allow kernel switching PORT_LINK from SWITCH_TYPE_STRING.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

SVN-Revision: 47998
2015-12-23 19:24:45 +00:00
John Crispin
7029ee5abe openvpn: fix configure options
- eurephia:
commit: Remove the --disable-eurephia configure option

- fix option name:
http proxy option is now called http-proxy (see configure.ac)

fixes:
configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 47979
2015-12-23 14:44:24 +00:00
John Crispin
fde2ac3537 package/lldpd: Remove extraneous select
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 47976
2015-12-23 14:44:05 +00:00
John Crispin
a621edbb0a dnsmasq: Add option --no-ping
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

SVN-Revision: 47974
2015-12-23 14:43:41 +00:00
Felix Fietkau
f45697d904 dnsmasq: changed option nonwildcard to --bind-dynamic
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.

Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>

SVN-Revision: 47953
2015-12-19 13:18:26 +00:00
Felix Fietkau
41aa066df9 ltq-vdsl-app: enable Annex-M support, disable unsupported Annex-A modes
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47934
2015-12-18 21:47:49 +00:00
Felix Fietkau
57ccd6c9e7 ltq-vdsl-app: remove whitespace after -i, it prevents vdsl_cpe_control from parsing the XTSE bits
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47933
2015-12-18 21:47:33 +00:00
John Crispin
fa532b839f network/services/lldpd: Fix missing dependency when using JSON
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>

SVN-Revision: 47928
2015-12-17 09:30:16 +00:00
John Crispin
a418d03d6d dante: update to 1.4.1
- 1.4.x has IPv6 support

- set C std explicitly due to gcc 5 changes/old code style of dante
- disable pam via configure vars since detection of without pam option
  is broken (-lpam gets linked in if available)
- remove and refresh patches

only compile tested

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>

SVN-Revision: 47926
2015-12-17 09:29:54 +00:00
Felix Fietkau
a99c78a09a netifd: update to the latest version, fixes more route table issues
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47897
2015-12-16 23:15:15 +00:00
Felix Fietkau
513702e658 netifd: update to the latest version, fixes reload issues on routing table changes
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47893
2015-12-15 11:01:47 +00:00
Felix Fietkau
510f5a7209 linux-atm: add wrapper for br2684ctl to defer nasX device bringup
Fixes a race condition on netifd device bringup.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 47891
2015-12-14 11:02:12 +00:00