Commit graph

805 commits

Author SHA1 Message Date
Steven Honson
c0ed04ce45 hostapd: default to wps_independent 1
Signed-off-by: Steven Honson <steven@honson.id.au>
2017-01-26 14:41:31 +01:00
Steven Honson
c0345d93a2 hostapd: expose wps_independent and ap_setup_locked as uci options
ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other
wps related uci options.

Signed-off-by: Steven Honson <steven@honson.id.au>
2017-01-26 14:41:31 +01:00
Wilco Baan Hofman
fa0ac030f5 Fix dependency for hostapd
Signed-off-by: Wilco Baan Hofman <wilco@baanhofman.nl>
2017-01-26 11:38:21 +01:00
Hans Dedecker
9993d80259 odhcpd: update to git HEAD version
e447ff9 router: fix compile issue on 64 bit systems

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-01-24 10:05:06 +01:00
Hans Dedecker
fa66900eeb odhcpd: update to git HEAD version
237f1f4 router: convert syslog lifetime traces into LOG_INFO prio
da660c7 treewide: rework prio of syslog messages
0485580 ndp: code cleanup
c5040fe router: add syslog debug tracing for trouble shooting
df023ad treewide: use RELAYD_MAX_ADDRS as address array size
c8ac572 ndp: don't scan netlink attributes in case of netlink route
event

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-01-23 18:40:53 +01:00
Jo-Philipp Wich
633c35aaa4 hostapd: fix stray "out of range" shell errors in hostapd.sh
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.

Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-23 14:55:46 +01:00
Jo-Philipp Wich
f2e6e11af1 openvpn: let all openvpn variants provide a virtual openvpn package
Add PROVIDES:=openvpn to the default recipe in order to let all build variants
provide a virtual openvpn package.

The advantage of this approach is that downstream packages can depend on just
"openvpn" without having to require a specific flavor.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-21 23:05:32 +01:00
Felix Fietkau
7e8fecb224 hostapd: fix passing jobserver to hostapd/supplicant build processes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-15 14:57:53 +01:00
Felix Fietkau
40e4c342fd hostapd: backport a few upstream fixes
Fixes reassoc issues with WDS mode
Fixes reassoc issues in AP mode
Fixes IBSS reauthentication issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-15 14:53:28 +01:00
Kevin Darbyshire-Bryant
c914fa04a3 dnsmasq: use ubus signalling in ntp hotplug script
Use ubus process signalling instead of 'kill pidof dnsmasq' for
SIGHUP signalling to dnsmasq when ntp says time is valid.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-01-13 16:08:22 +01:00
Hans Dedecker
5303d4bedb odhcpd: take over maintainership
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-01-12 12:14:46 +01:00
Hans Dedecker
ec63e3bf13 Revert "dnsmasq: change 'add_local_hostname' to use dnsmasq '--interface-name'"
This causes problem when a FQDN is configured in /etc/config/system. The
domain name will appear twice in reverse DNS.

Next to that, there seems to be a bug in dnsmasq. From the manual page:

--interface-name=<name>,<interface>[/4|/6]
Return  a  DNS  record  associating  the  name  with  the primary address
on the given interface. This flag specifies an A or AAAA record for the
given name in the same way as an /etc/hosts line, except that the address
is not constant, but taken from the given interface. The interface may be
followed by "/4" or "/6" to specify  that  only  IPv4  or  IPv6 addresses
of the interface should be used. If the interface is down, not configured
or non-existent, an empty record is returned. The matching PTR record is
also created, mapping the interface address to the name. More than one name
may be associated with an interface address by repeating the flag; in that
case the first instance is used for  the  reverse address-to-name mapping.

It does not just create an A/AAAA record for the primary address, it creates
one for all addresses. And what is worse, it seems to actually resolve to the
non-primary address first. This is quite annoying when you use floating IP
addresses (e.g. VRRP), because when the floating IP is on the other device,
SSH failes due to incorrect entry in the known hosts file.

I know that this is not a common setup, but it would be nice if there was an
option to restore the previous behaviour, rather than just forcing this new
feature on everybody.

Reported-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-01-12 12:14:20 +01:00
Sujith Manoharan
593240075f wpa_supplicant: Fix mesh encryption config
wpa_supplicant allows only SAE as the key management
type for mesh mode. The recent key_mgmt rework unconditionally
added WPA-PSK - this breaks interface bringup and wpa_s
throws this error message:

Line 10: key_mgmt for mesh network should be open or SAE
Line 10: failed to parse network block.
Failed to read or parse configuration '/var/run/wpa_supplicant-wlan0.conf

Fix this by making sure that only SAE is used for mesh.

Signed-off-by: Sujith Manoharan <m.sujith@gmail.com>
2017-01-11 04:01:07 +01:00
Stijn Tintel
cdcf7265fd lldpd: take over maintainership
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-01-10 13:02:00 +01:00
Stijn Tintel
046606a05e lldpd: add Net-SNMP AgentX support
Enabling this makes it possible to query LLDP neighbors via SNMP.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-01-10 13:02:00 +01:00
Hans Dedecker
621f8cbfae odhcpd: bump to git HEAD
ef3c563 dhcpv6-ia: filter out prefixes having invalid length
16cd87e dhcpv6-ia: fix dereference after freeing assignment
d6b0c99 dhcpv6-ia: log only IPv6 addresses which are effectively
assigned to a DHCPv6 client
08a9367 config: respect ignore uci option

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-01-07 21:08:24 +01:00
Eric Luehrsen
612e2276b4 dnsmasq: change 'add_local_hostname' to use dnsmasq '--interface-name'
'add_local_hostname' previous implementation may drop some addresses.
Soft addition of IP6 addresses may not cause a reload or restart event.
dnsmasq '--interface-name' robustly applies DNS to all addresses per
interface (except fe80::/10).

Change UCI 'add_local_hostname' to expand during each interface assignement
during add_dhcp().
Assign '<iface>.<host>.<domain>' as true name (reflexive A, AAAA, and PTR).
Assign '<host>.<domain>' and '<host>' as convinience aliases (no PTR, not
technically CNAME).
This is accomplished with the '--interface-name' order, first is PTR.
We could also assign each <ip4/6>.<iface>.<host>.<domain> to the respective
dual stack on the interface.
That seemed excessive so it was skipped (/4 or /6 suffix to the interface).
Add UCI 'add_wan_hostname' similar to 'add_local_hostname' function for
external WAN.

WAN IP4 are less often named by the ISP and rarely WAN IP6 due to complexity.
For logs, LuCI connection graph, and other uses assigning a WAN name is desired.
'add_local_hostname' only applies with DHCP and 'add_wam_hostname' only applies
without DHCP. Common residential users will want to set both options TRUE.
Businesses will probably have global DNS, static IP, and 'add_wan_hostname' FALSE.

Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2017-01-05 22:51:39 +01:00
Eric Luehrsen
06e26363d8 dnsmasq: clean up white space in dnsmasq.init
Signed-off-by: Eric Luehrsen <ericluehrsen@hotmail.com>
2017-01-05 22:51:23 +01:00
Felix Fietkau
84bd74057f build: use mkhash to replace various quirky md5sum/openssl calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-05 11:09:12 +01:00
Arjen de Korte
10f91525bc dnsmasq: add DHCP Unique Identifier for DHCPv6
Add DHCPv6 matching by DHCP Unique Identifier (RFC-3315) in addition to
existing MAC-address (RFC-6939). The latter is not widely supported yet.

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
2017-01-03 22:27:23 +01:00
Hans Dedecker
1175a5b153 odhcpd: bump to git HEAD version
091d8a9 dhcpv6-ia: fix static assignment check
11ce6b5 dhcpv6-ia: coding style fixes
561890e dhcpv6-ia: update valid_until only for non static DHCPv6 leases
0b45fce dhcpv4: coding style fixes
95b76c2 README: Add host leasetime uci parameter
541219e dhcpv6-ia: fix invalid IPv6/hostname entries in statefile
13937ab dhcpv6-ia: fix delete logic of an assignment in reconf_timer
60c3969 dhcpv6-ia : code style fixes
bf4ebc0 config: use free_lease to delete a lease
c24782a config: coding style fixes
0572d1a config: Create statefile dir
ec833f4 dhcpv6-ia: use free_dhcpv6_assignment where needed
1d55edb dhcpv6-ia: make free_dhcpv6_assignment static
f01e538 dhcpv4: make dhcpv4_msg_to_string static
700f5ab dhcpv4: fix DHCPv4 hostname handling
4c89614 Limit lifetime of non-static leases in case of release and
decline

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-01-03 22:25:13 +01:00
Stijn Tintel
388681fe53 hostapd: enable SHA256-based algorithms
Enable support for stronger SHA256-based algorithms in hostapd and
wpa_supplicant when using WPA-EAP or WPA-PSK with 802.11w enabled.

We cannot unconditionally enable it, as it requires hostapd to be
compiled with 802.11w support, which is disabled in the -mini variants.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
2017-01-03 20:53:49 +01:00
Stijn Tintel
30f14f6198 hostapd: add function to handle wpa_key_mgmt
Now that wpa_key_mgmt handling for hostapd and wpa_supplicant are
consistent, we can move parts of it to a dedicated function.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
2017-01-03 20:53:48 +01:00
Stijn Tintel
bdcffb9bb6 wpa_supplicant: rework wpa_key_mgmt handling
Rework wpa_key_mgmt handling for wpa_supplicant to be consistent with
how it is done for hostapd.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Sebastian Kemper <sebastian_ml@gmx.net>
2017-01-03 20:53:48 +01:00
Magnus Kroken
39d3a4117b openvpn: update to 2.4.0
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-12-30 13:07:41 +01:00
Felix Fietkau
6b524fe5b8 relayd: fix expiry time handling
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-27 13:21:42 +01:00
Felix Fietkau
3f20fd4ee0 relayd: fix reload / interface restart issues
- replace the hotplug script with an interface trigger
- add netdev params to procd to trigger restart

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-27 13:20:33 +01:00
Stijn Tintel
1b5640be33 odhcpd: bump to git HEAD
8dc2a59 Revert "Respect interface "ignore" settings as documented."
93ab25b router: skip parse_routes when ra_default > 1

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2016-12-27 10:50:29 +01:00
Hans Dedecker
bdd2b67414 odhcpd: Use procd_send_signal in reload_service
Replace killall HUP by procd_send_signal in reload_service to trigger
an odhcpd config reload

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-12-26 22:32:38 +01:00
dibdot
08db3e1b85 dnsmasq: add log facility option
add possibility to set the facility to which dnsmasq will send syslog entries, i.e. set it to '/dev/null' to mute dnsmasq output at all.

Signed-off-by: Dirk Brenken dev@brenken.org
2016-12-23 10:46:56 +01:00
Felix Fietkau
47cf238779 uhttpd: drop uhttpd-mod-tls, it has been useless for years
Before the rewrite, uhttpd-mod-tls used to contain a tls plugin.
Afterwards it was left in for compatibility reasons, but given how much
has changed, and that we're about to change the default SSL
implementation again, it's better to just drop this now

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 16:46:01 +01:00
Felix Fietkau
c7c1cf5618 treewide: clean up and unify PKG_VERSION for git based downloads
Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 16:42:21 +01:00
Felix Fietkau
600b824087 openvpn: use conditional dependencies to avoid pulling in unused ssl libraries
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 16:42:19 +01:00
Felix Fietkau
2bc747aaea openvpn: reduce binary size using --gc-sections on linking
Saves around 9kb gzipped on MIPS

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 16:42:19 +01:00
Felix Fietkau
e6871ab925 openvpn: fix disabling DES support in mbedtls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-12-22 16:42:19 +01:00
Magnus Kroken
13592c1454 openvpn: update to 2.4_rc2
OpenVPN 2.4 builds with mbedTLS 2.x, rename openvpn-polarssl
variant to openvpn-mbedtls.

Some feature highlights:
* Data channel cipher negotiation
* AEAD cipher support for data channel encryption (currently only
* AES-GCM)
* ECDH key exchange for control channel
* LZ4 compression support

See https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-12-22 16:42:18 +01:00
Hans Dedecker
00dbfa1764 odhcpd: Use procd_send_signal in odhcpd-update file
Let dnsmasq reread the leasefile by using procd_send_signal
which triggers procd to send SIGHUP kill signal by default
if signal is not specified

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-12-21 20:35:49 +01:00
Koen Vandeputte
05abcf518d hostapd: update to version 2016-12-19
Update to latest upstream HEAD:

- Refreshed all
- Fixes 2 regressions:
--> PeerKey: Fix STK 4-way handshake regression
--> PeerKey: Fix EAPOL-Key processing

Compile tested Full & Mini configs
Run-tested Mini config

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2016-12-20 21:35:56 +01:00
Alexis Green
77ece30eb9 hostapd: Add ability to specify that that wireless driver supports 802.11ac
Signed-off-by: Alexis Green <agreen@cococorp.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [make more generic]
2016-12-20 16:24:22 +01:00
Koen Vandeputte
f628d0e0e9 hostapd: update to version 2016-12-15
Update to latest upstream HEAD:

- Refreshed all
- Delete patches and parts which made it upstream

Compile tested Full & Mini configs
Run-tested Mini config

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [another update, remove broken patch]
2016-12-20 16:24:21 +01:00
Yousong Zhou
cf62a17710 hostapd: remove never-used Package/<name>/Description
The build system only accepts Package/<name>/description and since the
typoed version virtually has the same content as the TITLE field, remove
them altogether

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2016-12-20 09:35:35 +01:00
John Crispin
ef94b9d08e mdns: bump to latest git HEAD
be8ae8d cmake: Search for libjson-c
1fa9077 Fix IPv6 read
846369c Revert "mdnsd: interface: enable looped back messages"

Signed-off-by: John Crispin <john@phrozen.org>
2016-12-20 09:35:35 +01:00
Hans Dedecker
6f77b8d510 odhcpd: Bump to git HEAD version (various fixes)
e055530 Don't print non bound assignments in the state file
3af23ad config: Fix RA interface config being overwritten
41b5268 dhcpv6-ia : Fix static DHCPv6 assignments becoming non static
be6c515 dhcpv6-ia: Fix assignment of static DHCPv6 leases
374dc3f cmake: Find libubox/uloop.h
01c919c odhcpd: Display infinite valid lifetime as -1
2016-12-17 22:23:49 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
John Crispin
93227e4d3f dnsmasq: fix service reload
The SIGHUP also got sent to the reload script making it bail out
with an error

Revert "dnsmasq: reload config if host name is modified"
This reverts commit 854459a2f9.

Reported-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: John Crispin <john@phrozen.org>
2016-12-16 10:40:10 +01:00
Hauke Mehrtens
fb74550bdf odhcpd: update sha256sum
The sha256sum was not updated in the last commit.

Fixes: a7c231027 [odhcpd: Fix dnsmasq re-reading hostfile]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-12-14 21:43:58 +01:00
Felix Fietkau
e175a4d4f1 ppp: use --gc-sections to save a tiny bit of space
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-14 12:13:13 +01:00
Dario Ernst
866b7bad00 dropbear: clean up default PATH handling in makefile
Harmonise handling of DEFAULT_PATH by removing the patch introducing #ifndef
guards around the path, and only using one means to set the path in the
makefile.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-12-14 10:37:01 +01:00
Hans Dedecker
a7c2310278 odhcpd: Fix dnsmasq re-reading hostfile
Depending on the dhcp uci config pidof dnsmasq can return
multiple pids. Fix re-reading of the hostfile by dnsmasq in
such case by sending SIGHUP signal to each of the returned
pids.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-12-13 23:32:57 +01:00
Hans Dedecker
942904f7b9 dnsmasq: Specify directory /tmp/hosts as argument for --addn-hosts
Let dnsmasq read all hosts files in /tmp/hosts directory by specifying
/tmp/hosts as argument of --addn-host

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-12-13 23:32:20 +01:00
Magnus Kroken
a456dd96e7 openvpn: quote parameters to --push in openvpn config file
OpenVPN requires arguments to --push to be enclosed in double quotes.
One set of quotes is stripped when the UCI config is parsed.
Change append_params() of openvpn.init to enclose push parameters in
double quotes.

Unquoted push parameters do not cause errors in OpenVPN 2.3,
but OpenVPN 2.4 fails to start with unquoted push parameters.

Fixes: FS#290.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-12-12 10:22:19 +01:00
Arjen de Korte
4fbd3aa278 dnsmasq: Fix splitting hostid for DHCPv6 static leases
Correct splitting the 32-bit 'hostid' value to two 16-bit hexadecimal
values. Previously, the lower 16-bit value was truncated to an 8-bit
value, which would result in hostid values 100 and 200 both to be set
to [::0:0] instead of [::0:100] and [::0:200] respectively.

Signed-off-by: Arjen de Korte <build+lede@de-korte.org>
2016-12-06 07:55:07 +01:00
Florian Eckert
854459a2f9 dnsmasq: reload config if host name is modified
If the hostname in /etc/config/system is modified the dnsmasq will not
reread the update host file under /tmp/hosts/dhcp.$cfg.

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
2016-12-04 15:56:04 +01:00
Pierre Lebleu
898857f77a ppp: Split the ppp-up for the IPv6 part
Signed-off-by: Pierre Lebleu <pme.lebleu@gmail.com>
2016-12-04 11:41:53 +01:00
John Crispin
320d8fa3bc odhcpd: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-11-21 12:16:55 +01:00
John Crispin
41164ba2dc odhcpd: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-11-21 12:04:23 +01:00
Magnus Kroken
a74394be00 openvpn: update to 2.3.13
Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-11-21 10:11:53 +01:00
Matthias Schiffer
c18bf14dab
hostapd: fix PKG_CONFIG_DEPENDS for CONFIG_WPA_SUPPLICANT_*
These symbols don't affect wpa-supplicant only, but also wpad.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-11-16 20:59:17 +01:00
Hans Dedecker
e58f3f515f odhcpd: Add reload support
odhcpd daemon has hitless config reload support by means of the
sighup signal; add reload_service function which uses sighup
signal to reload the config

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-11-14 20:35:13 +01:00
Hans Dedecker
a50243ea1f dnsmasq: Support add-mac option
Adds the mac address of the DNS requestor to DNS queries which
are forwarded upstream and can be used to do filtering by the
upstream servers. This only works if the requestor is on the
same subnet as the dnsmasq server

The addmac parameter can hold the following values:
	0 : mac address is not added
	1 : mac address is added in binary format
	base64 : mac address is added base64 encoded
	text: : mac address is added in human readable format
		as hex and colons

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-11-08 11:17:10 +01:00
Karl Palsson
df1804b75c dnsmasq: support log-dhcp option
Helpful when trying to resolve issues with quirky dhcp client devices.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-11-02 10:25:44 +01:00
Alexis Green
12f0d5402c hostapd: properly package wpa-supplicant-mesh
Ensure that selecting the wpa-supplicant-mesh package actually packages the
wpa_supplicant binary with SAE support and add missing dependency on OpenSSL.

Signed-off-by: Alexis Green <alexis@cessp.it>
[Jo-Philipp Wich: slightly reword commit message for clarity]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-31 13:46:01 +01:00
Petr Konecny
6797a10fa1 hostapd support for VLANs through a file in addition to Radius.
Signed-off-by: Petr Konecny <pekon@google.com>
2016-10-31 13:24:58 +01:00
Daniel Dickinson
98c86e2970 uhttpd: Add Basic Auth config
We add an 'httpauth' section type that contains the options:

prefix: What virtual or real URL is being protected
username: The username for the Basic Auth dialogue
password: Hashed (crypt()) or plaintext password for the Basic Auth dialogue

httpauth section names are given included as list
items to the instances to which they are to be applied.

Further any existing httpd.conf file (really whatever
is configured in the instance, but default of
/etc/httpd.conf) is appended to the per-instance httpd.conf

Signed-off-by: Daniel Dickinson <lede@cshore.thecshore.com>
2016-10-31 13:22:51 +01:00
Alexandru Ardelean
b7fadb12b7 lldpd: freeze execution of lldpd during reload
During reload, we could send invalid information to the other
side and confuse it.

That's why, during reload we'll pause execution, do the reconfig
and resume + update when reload is done.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-31 12:51:15 +01:00
Alexandru Ardelean
909f063066 lldpd: fix reload function for when interfaces change
The problem is that interfaces are specified at start as
command line arguments, making them unchange-able via reload.

That means, we have to move (since lldpd allows this) the
interfaces-match-pattern option to be in a config file and reload
the configuration.
It's either that, or do a 'restart'.

Since we're generating the lldpd.conf file, we'll have to
move the 'sysconfdir' of lldpd to /tmp, where the files will
get written ; this will prevent any unncessary flash writes.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-31 12:51:15 +01:00
John Crispin
1e3c4f763c openvpn: cacert does not exist
cacert is really called ca and already in the script

Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 19:53:01 +02:00
John Crispin
0ec48b883c openvpn: add handling for capath and cafile
Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 15:19:59 +02:00
Hans Dedecker
a35f9bbc43 dnsmasq: Multiple dnsmasq instances support
Adds support in uci for configuring multiple dnsmasq instances via
multiple dnsmasq sections.
The uci sections host, boot, mac, tag, vendorclass, userclass,
circuitid, ... will refer to a dnsmasq instance via the instance
parameter defined in the section; if the instance parameter is
not specified backwards compatibility is preserved.

Start/Stopping a dnsmasq instance can be achieved by passing the
dnsmasq instance name as argument to start/stop via the init script.

Multiple dnsmasq instances is usefull in scenarios where you want to
bind a dnsmasq instance to an interface in order to isolate networks.

This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-26 17:53:53 +02:00
Hannu Nyman
9097dc5ad8 uhttpd: create self-signed certificates with unique subjects
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.

Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

Certificates created by the OpenSSL one-liner fall into that category.

Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:52 +02:00
Hannu Nyman
82132540a3 uhttpd: prefer px5g for certificate creation
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:51 +02:00
Jo-Philipp Wich
81b256ee00 uhttpd: fix handling of special "/" prefix when matching handlers
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.

Update to current HEAD in order to fix this particular case.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-25 16:38:50 +02:00
Alexandru Ardelean
598722956b network/services/ead: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean
58cf9a2476 network/services/hostapd: move whole files outside of patches and drop Build/Prepare rule in favor of default one
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:51 +02:00
Daniel Engberg
49ee771e6b package/network/services/lldpd: Update to 0.9.5
Updates lldpd to 0.9.5

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:51 +02:00
Hans Dedecker
1341b88732 odhcpd: Upstep to git HEAD version
Adds per-host leasetime support
Various bugfixes :
	-Prioritize ifname resolving via ubus
	-Free interface if ifindex cannot be resolved
	-...

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
2016-10-13 17:05:21 +02:00
Felix Fietkau
175b59c59b uhttpd: update to the latest version, adds a small json handler fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-08 13:50:54 +02:00
Daniel Engberg
9edfe7dd13 source: Switch to xz for packages and tools where possible
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-06 12:16:56 +02:00
Jo-Philipp Wich
eb75b6ac1f uhttpd: rename certificate defaults section
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-06 11:29:24 +02:00
Felix Fietkau
73c87a3cad hostapd: make -mesh and -p2p variants depend on the cfg80211 symbol
Avoids build failures when the nl80211 driver is disabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-05 23:02:13 +02:00
Hannu Nyman
3c4858eeb2 uhttpd: support using OpenSSL for certificate generation
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.

uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.

Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.

This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-05 00:48:19 +02:00
Matthias Schiffer
77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Hans Dedecker
32f4777530 dnsmasq: Add match section support
Match sections allow to set a tag specified by the option networkid if the client
sends an option and optionally the option value specified by the match option.
The force option will convert the dhcp-option to force-dhcp-option if set to 1 in
the dnsmasq config if options are specified in the dhcp_option option.

config match
    option networkid tag
    option match 12,myhost
    option force 1
    list dhcp_option '3,192.168.1.1'

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-09-19 15:30:32 +02:00
Rafał Miłecki
e70e3c544a hostapd: fix regression breaking brcmfmac
The latest update of hostapd broke brcmfmac due to upstream regression.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-13 12:06:42 +02:00
Kevin Darbyshire-Bryant
591755ad1a dnsmasq: make NO_ID optional in full variant
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.

Defaulted 'on' in all variants.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
03cd416795 dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain.  This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.

This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'

Run time tested with & without NO_ID on Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-08 15:28:38 +02:00
Felix Fietkau
859d940c79 hostapd: update to version 2016-09-05
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-08 15:28:38 +02:00
Kevin Darbyshire-Bryant
9209f4304b dnsmasq: fix remove pidfile on shutdown regression
Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID

dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned
by root and now dnsmasq runs as dnsmasq:dnsmasq.  Change directory
ownership to match.

dnsmasq initially starts as root, creates the pidfile, then drops to
requested non-root user.  Until this fix dnsmasq had insufficient
privilege to remove its own pidfile.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-06 11:26:05 +02:00
Johannes Römer
e8cb7d30e9 hostapd: fix typo and indentation in ap_sta_support.patch
Signed-off-by: Johannes Römer <jroemer@posteo.net>
2016-09-05 18:03:24 +02:00
Karl Palsson
a4dc9ff934 dropbear: mdns flag is a bool, not integer
Effectively the same for most purposes, but more accurate.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-09-05 07:27:16 +02:00
Magnus Kroken
2653a12c4d openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-08-24 00:33:08 +02:00
Ash Benz
798cd261ab hostapd: use printf to improve portability.
Signed-off-by: Ash Benz <ash.benz@bk.ru>
2016-08-23 12:15:41 +02:00
Hans Dedecker
d7c249fa1c ppp: Extend uci datamodel with persistency sypport
PPP daemon can be put into persist mode meaning the
daemon will not exit after a connection gets terminated
but will instead try to reopen the connection.
The re-initiation after the link has been terminated
can be controlled via holdoff; this is helpfull in
scenarios where a BRAS is in denial of service mode
due to link setup requests after a BRAS has gone down

Following uci parameters have been added :
persist (boolean) : Puts the ppp daemon in persist mode
maxfail (integer) : Number of consecutive fail attempts which
puts the PPP daemon in exit mode
holdoff (interget) : Specifies how many seconds to wait
before re-initiating link setup after it has been terminated

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-08-18 09:49:18 +02:00
Conn O'Griofa
63f6fc5c16 samba: add file/interface reload triggers & filter interfaces
* Only parse interfaces that are up during init_config (as the
  script depends on this to determine the proper IP/subnet range)
* Add reload interface triggers for samba-designated interfaces
* Force full service restart upon config change to ensure Samba
  binds to new interfaces (sending HUP signal doesn't work)
* Rename "interface" variable to "samba_iface" and move into
  global scope

Needed to fix Samba connectivity for clients connecting from a
different LAN subnet (e.g. pseudobridge configurations) due to the
'bind interfaces only' setting.

Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
2016-08-15 15:18:35 +02:00
Jo-Philipp Wich
4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Petko Bordjukov
dff6df9625 hostapd: Allow RADIUS accounting without 802.1x
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
2016-08-11 10:45:33 +02:00
Felix Fietkau
51e70267bd hostapd: remove unused hostapd-common-old package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-05 11:02:57 +02:00
Felix Fietkau
9201e88f51 kernel: remove hostap driver
It has been marked as broken for well over a month now and nobody has
complained.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-31 12:25:24 +02:00
Felix Fietkau
b2ddfbc1c7 dnsmasq: drop --interface and --except-interface options when the interface cannot be found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 20:58:14 +02:00