Commit graph

740 commits

Author SHA1 Message Date
Alexandru Ardelean
909f063066 lldpd: fix reload function for when interfaces change
The problem is that interfaces are specified at start as
command line arguments, making them unchange-able via reload.

That means, we have to move (since lldpd allows this) the
interfaces-match-pattern option to be in a config file and reload
the configuration.
It's either that, or do a 'restart'.

Since we're generating the lldpd.conf file, we'll have to
move the 'sysconfdir' of lldpd to /tmp, where the files will
get written ; this will prevent any unncessary flash writes.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-31 12:51:15 +01:00
John Crispin
1e3c4f763c openvpn: cacert does not exist
cacert is really called ca and already in the script

Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 19:53:01 +02:00
John Crispin
0ec48b883c openvpn: add handling for capath and cafile
Signed-off-by: John Crispin <john@phrozen.org>
2016-10-27 15:19:59 +02:00
Hans Dedecker
a35f9bbc43 dnsmasq: Multiple dnsmasq instances support
Adds support in uci for configuring multiple dnsmasq instances via
multiple dnsmasq sections.
The uci sections host, boot, mac, tag, vendorclass, userclass,
circuitid, ... will refer to a dnsmasq instance via the instance
parameter defined in the section; if the instance parameter is
not specified backwards compatibility is preserved.

Start/Stopping a dnsmasq instance can be achieved by passing the
dnsmasq instance name as argument to start/stop via the init script.

Multiple dnsmasq instances is usefull in scenarios where you want to
bind a dnsmasq instance to an interface in order to isolate networks.

This patch is a rework of a multiple dnsmasq instance patch by Daniel Dickinson

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-10-26 17:53:53 +02:00
Hannu Nyman
9097dc5ad8 uhttpd: create self-signed certificates with unique subjects
Add a partially random O= item to the certificate subject in order
to make the automatically generated certificates' subjects unique.

Firefox has problems when several self-signed certificates
with CA:true attribute and identical subjects have been
seen (and stored) by the browser. Reference to upstream bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=1147544
https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

Certificates created by the OpenSSL one-liner fall into that category.

Avoid identical certificate subjects by including a new 'O=' item
with CommonName + a random part (8 chars). Example:
/CN=LEDE/O=LEDEb986be0b/L=Unknown/ST=Somewhere/C=ZZ

That ensures that the browser properly sees the accumulating
certificates as separate items and does not spend time
trying to form a trust chain from them.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:52 +02:00
Hannu Nyman
82132540a3 uhttpd: prefer px5g for certificate creation
Prefer the old default 'px5g' for certificate creation
as Firefox seems to dislike OpenSSL-created certs.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-26 15:16:51 +02:00
Jo-Philipp Wich
81b256ee00 uhttpd: fix handling of special "/" prefix when matching handlers
The special prefix of "/" should match any url by definition but the final
assertion which ensures that the matched prefix ends in '\0' or '/' is causing
matches against the "/" prefix to fail.

Update to current HEAD in order to fix this particular case.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-25 16:38:50 +02:00
Alexandru Ardelean
598722956b network/services/ead: drop Build/Prepare rule in favor of default one
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:52 +02:00
Alexandru Ardelean
58cf9a2476 network/services/hostapd: move whole files outside of patches and drop Build/Prepare rule in favor of default one
This more of a demo for the previous commit that comes with
this one, where I added support for copying source from 'src' to
the build dir(s).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-10-15 11:36:51 +02:00
Daniel Engberg
49ee771e6b package/network/services/lldpd: Update to 0.9.5
Updates lldpd to 0.9.5

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-15 11:36:51 +02:00
Hans Dedecker
1341b88732 odhcpd: Upstep to git HEAD version
Adds per-host leasetime support
Various bugfixes :
	-Prioritize ifname resolving via ubus
	-Free interface if ifindex cannot be resolved
	-...

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [update mirror sha256]
2016-10-13 17:05:21 +02:00
Felix Fietkau
175b59c59b uhttpd: update to the latest version, adds a small json handler fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-08 13:50:54 +02:00
Daniel Engberg
9edfe7dd13 source: Switch to xz for packages and tools where possible
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-06 12:16:56 +02:00
Jo-Philipp Wich
eb75b6ac1f uhttpd: rename certificate defaults section
Now that the uhttpd init script can generate certificates using openssl as
well, update the section name and related comment to be more generic.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-10-06 11:29:24 +02:00
Felix Fietkau
73c87a3cad hostapd: make -mesh and -p2p variants depend on the cfg80211 symbol
Avoids build failures when the nl80211 driver is disabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-10-05 23:02:13 +02:00
Hannu Nyman
3c4858eeb2 uhttpd: support using OpenSSL for certificate generation
Support the usage of the OpenSSL command-line tool for generating
the SSL certificate for uhttpd. Traditionally 'px5g' based on
PolarSSL (or mbedTLS in LEDE), has been used for the creation.

uhttpd init script is enhanced by adding detection of an installed
openssl command-line binary (provided by 'openssl-util' package),
and if found, the tool is used for certificate generation.

Note: After this patch the script prefers to use the OpenSSL tool
if both it and px5g are installed.

This enables creating a truly OpenSSL-only version of LuCI
without dependency to PolarSSL/mbedTLS based px5g.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-10-05 00:48:19 +02:00
Matthias Schiffer
77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Hans Dedecker
32f4777530 dnsmasq: Add match section support
Match sections allow to set a tag specified by the option networkid if the client
sends an option and optionally the option value specified by the match option.
The force option will convert the dhcp-option to force-dhcp-option if set to 1 in
the dnsmasq config if options are specified in the dhcp_option option.

config match
    option networkid tag
    option match 12,myhost
    option force 1
    list dhcp_option '3,192.168.1.1'

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-09-19 15:30:32 +02:00
Rafał Miłecki
e70e3c544a hostapd: fix regression breaking brcmfmac
The latest update of hostapd broke brcmfmac due to upstream regression.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-13 12:06:42 +02:00
Kevin Darbyshire-Bryant
591755ad1a dnsmasq: make NO_ID optional in full variant
Permit users of the full variant to disable the NO_ID *.bind pseudo
domain masking.

Defaulted 'on' in all variants.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
96f0bbe91d dropbear: hide dropbear version
As security precaution and to limit the attack surface based on
the version reported by tools like nmap mask out the dropbear
version so the version is not visible anymore by snooping on the
wire. Version is still visible by 'dropbear -V'

Based on a patch by Hans Dedecker <dedeckeh@gmail.com>

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove trailing _]
2016-09-10 12:17:39 +02:00
Kevin Darbyshire-Bryant
03cd416795 dnsmasq: Don't expose *.bind data incl version
Don't expose dnsmasq version & other data to clients via the *.bind
pseudo domain.  This uses a new 'NO_ID' compile time option which has been
discussed and submitted upstream.

This is an alternate to replacing version with 'unknown' which affects
the version reported to syslog and 'dnsmasq --version'

Run time tested with & without NO_ID on Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-08 15:28:38 +02:00
Felix Fietkau
859d940c79 hostapd: update to version 2016-09-05
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-08 15:28:38 +02:00
Kevin Darbyshire-Bryant
9209f4304b dnsmasq: fix remove pidfile on shutdown regression
Regression introduced by 3481d0d dnsmasq: run as dedicated UID/GID

dnsmasq is unable to remove its own pidfile as /var/run/dnsmasq is owned
by root and now dnsmasq runs as dnsmasq:dnsmasq.  Change directory
ownership to match.

dnsmasq initially starts as root, creates the pidfile, then drops to
requested non-root user.  Until this fix dnsmasq had insufficient
privilege to remove its own pidfile.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-06 11:26:05 +02:00
Johannes Römer
e8cb7d30e9 hostapd: fix typo and indentation in ap_sta_support.patch
Signed-off-by: Johannes Römer <jroemer@posteo.net>
2016-09-05 18:03:24 +02:00
Karl Palsson
a4dc9ff934 dropbear: mdns flag is a bool, not integer
Effectively the same for most purposes, but more accurate.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-09-05 07:27:16 +02:00
Magnus Kroken
2653a12c4d openvpn: update to 2.3.12
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.

Changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-08-24 00:33:08 +02:00
Ash Benz
798cd261ab hostapd: use printf to improve portability.
Signed-off-by: Ash Benz <ash.benz@bk.ru>
2016-08-23 12:15:41 +02:00
Hans Dedecker
d7c249fa1c ppp: Extend uci datamodel with persistency sypport
PPP daemon can be put into persist mode meaning the
daemon will not exit after a connection gets terminated
but will instead try to reopen the connection.
The re-initiation after the link has been terminated
can be controlled via holdoff; this is helpfull in
scenarios where a BRAS is in denial of service mode
due to link setup requests after a BRAS has gone down

Following uci parameters have been added :
persist (boolean) : Puts the ppp daemon in persist mode
maxfail (integer) : Number of consecutive fail attempts which
puts the PPP daemon in exit mode
holdoff (interget) : Specifies how many seconds to wait
before re-initiating link setup after it has been terminated

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-08-18 09:49:18 +02:00
Conn O'Griofa
63f6fc5c16 samba: add file/interface reload triggers & filter interfaces
* Only parse interfaces that are up during init_config (as the
  script depends on this to determine the proper IP/subnet range)
* Add reload interface triggers for samba-designated interfaces
* Force full service restart upon config change to ensure Samba
  binds to new interfaces (sending HUP signal doesn't work)
* Rename "interface" variable to "samba_iface" and move into
  global scope

Needed to fix Samba connectivity for clients connecting from a
different LAN subnet (e.g. pseudobridge configurations) due to the
'bind interfaces only' setting.

Signed-off-by: Conn O'Griofa <connogriofa@gmail.com>
2016-08-15 15:18:35 +02:00
Jo-Philipp Wich
4e8c6f3407 dropbear: security update to 2016.74
- Security: Message printout was vulnerable to format string injection.

  If specific usernames including "%" symbols can be created on a system
  (validated by getpwnam()) then an attacker could run arbitrary code as root
  when connecting to Dropbear server.

  A dbclient user who can control username or host arguments could potentially
  run arbitrary code as the dbclient user. This could be a problem if scripts
  or webpages pass untrusted input to the dbclient program.

- Security: dropbearconvert import of OpenSSH keys could run arbitrary code as
  the local dropbearconvert user when parsing malicious key files

- Security: dbclient could run arbitrary code as the local dbclient user if
  particular -m or -c arguments are provided. This could be an issue where
  dbclient is used in scripts.

- Security: dbclient or dropbear server could expose process memory to the
  running user if compiled with DEBUG_TRACE and running with -v

  The security issues were reported by an anonymous researcher working with
  Beyond Security's SecuriTeam Secure Disclosure www.beyondsecurity.com/ssd.html

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-12 11:45:47 +02:00
Petko Bordjukov
dff6df9625 hostapd: Allow RADIUS accounting without 802.1x
RADIUS accounting can be used even when RADIUS authentication is not
used. Move the accounting configuration outside of the EAP-exclusive
sections.

Signed-off-by: Petko Bordjukov <bordjukov@gmail.com>
2016-08-11 10:45:33 +02:00
Felix Fietkau
51e70267bd hostapd: remove unused hostapd-common-old package
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-05 11:02:57 +02:00
Felix Fietkau
9201e88f51 kernel: remove hostap driver
It has been marked as broken for well over a month now and nobody has
complained.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-31 12:25:24 +02:00
Felix Fietkau
b2ddfbc1c7 dnsmasq: drop --interface and --except-interface options when the interface cannot be found
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 20:58:14 +02:00
Felix Fietkau
5cd88f4812 dnsmasq: remove use of uci state for getting network ifname
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 19:48:22 +02:00
Felix Fietkau
a1681ce39b dnsmasq: replace the iface hotplug script with a procd trigger
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
6916ca8d33 dnsmasq: make the check for existing DHCP servers more reliable
If there is no carrier yet, wait for 2 seconds (STP forwarding delay)

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Ulrich Weber
712b6fdc5c dnsmasq: write atomic config file
multiple invocation of dnsmasq script (e.g. by procd and hotplugd)
might cause procd to restart dnsmasq with an incomplete config file.
Config file generation might take quite a long time on larger configs
due ubus calls for each listening interface...

Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
2016-07-29 16:41:09 +02:00
Felix Fietkau
c02f41c1d2 igmpproxy: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:09 +02:00
Felix Fietkau
8299737428 dropbear: remove procd_open_trigger/procd_close_trigger calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:08 +02:00
Felix Fietkau
da328f2865 hostapd: backport mesh/ibss HT20/HT40 related fix
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-27 17:22:39 +02:00
Felix Fietkau
c7a5bb5a7e samba36: avoid picking up a dependency on libunwind (fixes GH #212)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 17:33:17 +02:00
Felix Fietkau
ca6375ac51 hostapd: fix an error on parsing radius_das_client
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-21 16:58:50 +02:00
Felix Fietkau
56f686b710 samba36: disable local browse master by default
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:12 +02:00
Felix Fietkau
75329fc161 hostapd: fix VLAN support in full wpad builds
Suppress -DCONFIG_NO_VLAN if CONFIG_IBSS_RSN is enabled

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-18 13:37:10 +02:00
Kevin Darbyshire-Bryant
17f4d3967e samba: update smb template socket options defaults
Removed socket options = TCP_NODELAY IPTOS_LOWDELAY

TCP_NODELAY (disables Nagle algorithm) is default since samba2.
IPTOS_LOWDELAY sets DSCP 0x10 coding (CS2)
The alternate IPTOS_THROUGHPUT sets DSCP 0x08 coding (CS1)

CS1 is a scavenger class, whilst CS2 is more OAM/interactive
(SNMP,SSH,syslog)

Using CS2 is definitely an abuse of DSCP classification, CS1 less so
however even if the ISP takes note of DSCP codings having a default that
sets traffic to CS2 is wrong.  Better to use the default Best Effort
class.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Kevin Darbyshire-Bryant
527696674a igmpproxy: logging options - make work & improve
Move logging command line option to uci:
option verbose [0]/1/2 - mono-syllabic/verbose/noisy

Previously handled as 'OPTIONS' in .init script however variable
was ignored so never worked.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-07-11 14:19:47 +02:00
Felix Fietkau
ad430c1080 hostapd: add a WDS AP fix for reconnecting clients
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-06 10:12:37 +02:00
neheb
a3e7d5e7ae samba: Update smb.conf.template
Removed some options which are default anyway and added bind interfaces
only which causes the interfaces line to actually have an effect. Can be
verified with netstat.

Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-07-05 22:59:14 +02:00
Hans Dedecker
c2bd469521 dnsmasq: Add broken realtime clock build switch in full variant
By default dnsmasq uses the time function; which returns the time since
Epoch; to retrieve the current time. On boards which have no realtime
clock this can lead to side effects when the time is synced via ntp
as the "time wrap" forces dhcp leases to be considered as expired.
By enabling the broken realtime clock build switch dnsmasq uses the
times utility which returns the number of clock tick.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
[Jo-Philipp Wich: change symbol name, add sym to PKG_CONFIG_DEPENDS]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-30 00:42:46 +02:00
Jo-Philipp Wich
f98f4601de openvpn: fix missing cipher list for polarssl in v2.3.11
Upstream OpenSSL hardening work introduced a change in shared code that
causes polarssl / mbedtls builds to break when no --tls-cipher is specified.

Import the upstream fix commit as patch until the next OpenVPN release gets
released and packaged.

Reported-by: Sebastian Koch <seb@metafly.info>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-28 10:47:22 +02:00
Daniel Dickinson
4a3b8e0596 lldpd: Use /etc/os-release instead of /etc/openwrt_*
With the addition of /etc/os-release patching lldpd to use
/etc/openwrt_release and to have the initscript use
/etc/openwrt_release and/or /etc/openwrt_version becomes
unnecessary.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-06-27 15:16:01 +02:00
Kevin Darbyshire-Bryant
5acfe55d71 dnsmasq: dnssec time handling uses ntpd hotplug
Change dnsmasq's dnssec time check handling to use time validity
indicated by ntpd rather than maintaining a cross boot/upgrade
/etc/dnsmasq.time timestamp file.  This saves flash device wear.

If ntpd client is configured in uci and you're using dnssec, then
dnsmasq will not check dnssec timestamp validity until ntpd hotplug
indicates sync via a stratum change. The ntpd hotplug leaves a status
flag file to indicate to dnsmasq.init that time is valid and that it
should now start in 'check dnssec timestamp valid' mode.

If ntpd client is not configured and you're using dnssec, then it is
presumed you're using an alternate time sync mechanism and that time is
correct, thus dnsmasq checks dnssec timestamps are valid from 1st start.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>

V2 - stratum & step ntp changes indicate time is valid
V3 - on initial flag file step signal dnsmasq with SIGHUP if running
V4 - only accept step ntp changes. Accepting both stratum & step could
result in unpleasant script race conditions
V5 - Actually only accepting stratum is the correct thing to do after
further testing
V6 - improve handling of non busybox ntpd
if sysntpd not executable
  dnsmasq checks dnssec timestamps
else
  sysntp script disabled - look for timestamp file - allows external mechanism to use hotplug flag file
  sysntp script enabled & uci ntp enabled  - look for timestamp file
  sysntp script enabled & uci ntp disabled - dnsmasq checks dnssec
timestamps
fi
2016-06-24 13:53:39 +02:00
Hauke Mehrtens
3f38356893 packages: prefer http over git for git protocol
In company networks everything except the http and https protocol is
often causes problems, because the network administrators try to block
everything else. To make it easier to use LEDE in company networks use
the https/http protocol for git access when possible.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-06-22 19:32:06 +02:00
Felix Fietkau
475e94b1d2 uhttpd: update to the latest version, adds some extensions to handler script support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-16 19:00:16 +02:00
Felix Fietkau
4e0a533f60 hostapd: fix breakage with non-nl80211 drivers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 19:28:55 +02:00
Jo-Philipp Wich
e2a9c638e7 hostapd: fix compilation error in wext backend
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-15 19:10:32 +02:00
Felix Fietkau
ef74d5cbf8 hostapd: implement fallback for incomplete survey data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:31:48 +02:00
Felix Fietkau
13b44abcff hostapd: update to version 2016-06-15
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:11:43 +02:00
Michal Hrusecky
b67af71181 hostapd: Update to version 2016-05-05
Fixes CVE-2016-4476 and few possible memory leaks.

Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
2016-06-15 17:11:18 +02:00
Magnus Kroken
4260d11e8b openvpn: update to 2.3.11
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data

Full changelog: https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-06-13 22:51:43 +02:00
John Crispin
62dc9831d3 package/*: update git urls for project repos
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:41 +02:00
Kevin Darbyshire-Bryant
e815036460 dnsmasq: support hostid ipv6 address suffix option
Add support for hostid dhcp config entry to dnsmasq. This allows
specification of dhcpv6 hostid suffix and works in the same way as
odhcpd.

Entries in auto generated dnsmasq.conf should conform to:

dhcp-host=mm:mm:mm:mm:mm:mm,IPv4addr,[::V6su:ffix],hostname

example based on sample config/dhcp entry:

config host
        option name 'Kermit'
        option mac 'E0:3F:49:A1:D4:AA'
        option ip '192.168.235.4'
        option hostid '4'

dhcp-host=E0:3F:49:A1:D4:AA,192.168.235.4,[::0:4],Kermit

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-06-10 18:16:47 +02:00
Hans Dedecker
7eaacd4d23 dnsmasq: Add option --max-port
By default dnsmasq uses random ports for outbound dns queries;
when the maxport UCI option is specified the ports used will
always be smaller than the specified value.
This is usefull for systems behind firewalls.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-06-10 18:05:07 +02:00
Matteo Panella
20c608db0a openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).

This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.

Signed-off-by: Matteo Panella <morpheus@level28.org>
[Jo-Philipp Wich: shorten commit title, bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 23:02:58 +02:00
Jo-Philipp Wich
24a7ccb056 treewide: replace jow@openwrt.org with jo@mein.io
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 11:42:52 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Dirk Neukirchen
04cb722e9f openvpn: remove unrecognized option
removed upstream in
9ffd00e754
now its always on

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-06-01 15:18:42 +02:00
Dario Ernst
4d1c75c601 dropbear: Fix incorrect CONFIG_TARGET_INIT_PATH.
Fix a „semantic typo“ introduced in b78aae793e,
where TARGET_INIT_PATH was used instead of CONFIG_TARGET_INIT_PATH.

Signed-off-by: Dario Ernst <Dario.Ernst@riverbed.com>
2016-05-24 16:31:17 +02:00
Daniel Dickinson
2ac21bd793 dnsmasq: Set the default dhcp lease file and resolv file
Instead of making assumptions about the leasefile and resolv file make sure
we use what the user configures, but fall back to defaults if no configuration
is specified

Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
2016-05-24 13:30:58 +02:00
Kevin Darbyshire-Bryant
a6e96998fb dnsmasq: update to dnsmasq v2.76
Update to dnsmasq2.76.  Refresh patches.  Add new patch to fix musl
'poll.h' location warning.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-05-24 13:30:58 +02:00
John Crispin
31293752c8 mdns: update to latest git HEAD
* fixes loopback handling

Signed-off-by: John Crispin <john@phrozen.org>
2016-05-23 10:26:32 +02:00
Felix Fietkau
b570c0c88e uhttpd: use configured distribution name for SSL certificate CN
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-05-21 12:42:44 +02:00
Kevin Darbyshire-Bryant
7938e8d60a dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps.  dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-05-19 10:28:18 +02:00
Jo-Philipp Wich
85a59127a7 Revert "dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time"
This reverts commit d830cb0882.

Reverting this commit due to a missing Signed-off-by.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-19 10:28:17 +02:00
Kevin Darbyshire-Bryant
d830cb0882 dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time
conditionally save dnsmasq.time across sysupgrade
dnsmasq uses /etc/dnsmasq.time as record of the last known good
system time to aid its validation of dnssec timestamps.  dnsmasq
updates the timestamp on process start/stop once it considers the system
time as valid. The timestamp file should be preserved across system
upgrade but should not be included as part of normal configuration
backups to prevent restores corrupting the current timestamp.
2016-05-18 22:17:33 +02:00
Jo-Philipp Wich
1c61b21489 dropbear: update to 2016.73
Update the dropbear package to version 2016.73, refresh patches.
The measured .ipk sizes on an x86_64 build are:

  94588	dropbear_2015.71-3_x86_64.ipk
  95316	dropbear_2016.73-1_x86_64.ipk

This is an increase of roughly 700 bytes after compression.

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-05-13 10:23:52 +02:00
John Crispin
b8ab6af1a9 global: change my email address
Signed-off-by: John Crispin <john@phrozen.org>
2016-05-12 03:29:36 +02:00
Hans Dedecker
861266c9ec dropbear: Add --disable-utmpx again
The option --disable-utmpx was deleted by accident in commit 7545c1d;
add it again to the CONFIGURE_ARGS list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-05-12 03:29:35 +02:00
Hans Dedecker
ec9f6fe04d ppp: Add ppp-mod-passwordfd subpackage to ppp
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:50:41 +02:00
Hans Dedecker
ce9e5e16ff dnsmasq: Add conntrack support in the full variant
Conntrack support reads the connection track mark associated with
incoming DNS queries and sets the same mark value on the upstream
forwarded DNS query. This can be usefull to track traffic generated
by dnsmasq to associate it with the clients who generate the queries,
usefull for bandwidth accouting and firewall.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:50:20 +02:00
Hans Dedecker
16122117a5 dropbear: Add procd interface triggers when interface config is specified
A dropbear instance having an interface config won't start if the interface is down as no
IP address is available.
Adding interface triggers for each configured interface executing the dropbear reload script
will start the dropbear instance when the interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:49:37 +02:00
Hans Dedecker
7545c1d96b dropbear: Make utmp and putuline support configurable via seperate config options
Utmp support tracks who is currenlty logged in by logging info to the file /var/run/utmp (supported by busybox)
Putuline support will use the utmp structure to write to the utmp file

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2016-04-28 13:47:48 +02:00
John Crispin
fa69553900 branding: add LEDE branding
Signed-off-by: John Crispin <blogic@openwrt.org>
2016-03-24 22:40:13 +01:00
John Crispin
3481d0d793 dnsmasq: run as dedicated UID/GID
Running dnsmasq in a dedicated user/group allows matching its outgoing
traffic more easily using iptables' owner match.
Add UID/GID to the package metadata and append the user/group
parameters to the init script.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

SVN-Revision: 49252
2016-04-26 11:44:10 +00:00
Hauke Mehrtens
3fabbb814d dnsmasq: Add enable parameter in the UCI DHCP host section
Parameter allows to enable/disable static leases; by default the value is 1
to keep backwards compatibility

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49187
2016-04-17 12:52:54 +00:00
Hauke Mehrtens
3830200d6a hostapd.sh: Add support for "anonymous_identity" config field
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require.  From the documentation:

anonymous_identity: Anonymous identity string for EAP (to be used as the
    unencrypted identity with EAP types that support different tunnelled
    identity, e.g., EAP-TTLS).

This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.

Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49181
2016-04-17 12:50:55 +00:00
Hauke Mehrtens
1414f1647d samba: fix some security problems
This fixes the following security problems:
* CVE-2015-7560
* CVE-2015-5370
* CVE-2016-2110
* CVE-2016-2111
* CVE-2016-2112
* CVE-2016-2115
* CVE-2016-2118

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 49175
2016-04-16 20:06:34 +00:00
John Crispin
0ca7071632 openvpn: add support for X.509 name options
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>

SVN-Revision: 48969
2016-03-08 18:12:02 +00:00
John Crispin
b5bfb3534b dnsmasq: add host-specific lease time option for static hosts
Enable setting a host-specific lease time for static hosts.
The new option is called "leasetime" and the format is similar
as for the default lease time: e.g. 12h, 3d, infinite

Default lease time is used for all hosts for which there is
no host-specific definition.

The option is added to /etc/config/dhcp for the selected hosts:
  config host
        option name 'Nexus'
        option mac 'd8:50:66:55:59:7c'
        option ip '192.168.1.245'
        option leasetime '2h'

It gets appended to /var/etc/dnsmasq.conf like this:
  dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 48801
2016-02-26 09:13:03 +00:00
John Crispin
c503984876 dnsmasq: add dhcp relay option
Signed-off-by: dbugnar <dnbugnar@ocedo.com>

SVN-Revision: 48800
2016-02-26 08:35:48 +00:00
Felix Fietkau
b4a1bd8992 dnsmasq: export tftp root to the procd jail
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48761
2016-02-25 09:24:31 +00:00
Felix Fietkau
5e84051a0f dnsmasq: only enable tftp if the tftp root exists
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48760
2016-02-25 09:24:24 +00:00
John Crispin
7a29f7c22d lldp: Upgrade to 0.9.0
Signed-off-by: Ben Kelly <ben@benjii.net>

SVN-Revision: 48738
2016-02-18 08:22:07 +00:00
Jo-Philipp Wich
b78aae793e dropbear: honor CONFIG_TARGET_INIT_PATH
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48679
2016-02-08 14:28:57 +00:00
Felix Fietkau
d8684c7068 relayd: update to the latest version, fixes some more connectivity issues (#21817)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48655
2016-02-08 08:03:06 +00:00
Felix Fietkau
2d7840b505 relayd: update to the latest version, fixes route table issues when connecting to the router
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48635
2016-02-05 15:59:41 +00:00
Felix Fietkau
eb47ddd557 hostapd: remove useless TLS provider selection override for wpad-mesh/wpa_supplicant-mesh
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48537
2016-01-28 22:42:14 +00:00
Felix Fietkau
18b2f2d694 hostapd: fix mesh interface bridge handling
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48529
2016-01-28 17:20:10 +00:00