Commit Graph

13212 Commits

Author SHA1 Message Date
Rafał Miłecki
b41a2e646e opkg: bump to version 2017-12-08
This updates package to the latest commit from the lede-17.01 branch. It
contains few fixes backported from the master:
1) SHA256 fix
2) URL encoding which allows hosting packages on some more picky servers

Changes:
9f61f7a opkg_download: decode file:/ URLs
3c46c88 file_util: implement urldecode_path()
79908c2 file_util: consolidate hex/unhex routines
793fbac opkg: encode archive filenames while constructing download URLs
a6bb5cb file_util: implement urlencode_path() helper
098e774 libopkg: fix SHA256 calculation for big endian system

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-12-08 14:17:38 +01:00
Timo Sigurdsson
f5f5f583f9 hostapd: backport fix for wnm_sleep_mode=0
wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
Network Management (WNM) Sleep Mode handshake. Currently, hostapd
processes WNM Sleep Mode requests from clients regardless of the setting
wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
order to ignore such requests by clients when wnm_sleep_mode is disabled
(which is the default).

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit bd45e15d0a
 fixed PKG_RELEASE and renumbered patch)

Conflicts:
	package/network/services/hostapd/Makefile
2017-12-07 19:45:44 +01:00
Timo Sigurdsson
19ebc19f54 hostapd: Expose the tdls_prohibit option to UCI
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.

Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.

Make this option configurable via UCI, but disabled by default.

Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
(cherry picked from commit 6515887ed9)
2017-12-07 19:42:30 +01:00
Hans Dedecker
3590316121 dnsmasq: backport infinite dns retries fix
If all configured dns servers return refused in response to a query in
strict mode; dnsmasq will end up in an infinite loop retransmitting the
dns query resulting into high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-06 22:04:31 +01:00
Stijn Segers
060b7f1fbb curl: apply CVE 2017-8816 and 2017-8817 security patches
This commit adds the upstream patches for CVE 2017-8816 and 2017-8817 to the 17.01
Curl package.

Compile-tested on ar71xx, ramips and x86.

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2017-12-04 11:10:31 +01:00
Felix Fietkau
4b5861c47d mt76: update to the latest version
Significant performance/stability improvements for MT76x2 and MT7603.
Adds LED support.

Changes:

2895775 mt76x2: mcu: remove unused parameter in mt76x2_mcu_msg_alloc signature
1dae8f0 mt7603: mcu: remove unused parameter in mt7603_mcu_msg_alloc() signature
5e49aa9 Fix errors found by cppcheck
1b8c8a0 mt7603: add LED definition registers
4d83561 mt76x2: add LED register definitions
2f40e4a mt76x2: Support using PCI ID as chip ID
27c64bc mt76: add led support using mac80211 led framework
dfd64fc mt76x2: init: add ma80211 led callbacks
215edf1 mt7603: init: add ma80211 led callbacks
9d36ff2 mt76x2: Add PCI identifier for MT7602
0b7984e mt7603: remove unnecessary mcu register read function
f5498d2 debugfs: add support for changing the LED pin
8e453b3 mac80211: move DT led configuration to the "led" child node
8f1673a mt76x2: limit client WCID entries to 0-127
f9d9c22 mt76x2: clear drop flag for all WCIDs on init
0dd8b68 mt76x2: clear per-WCID tx rate lookup register
3e5afe7 mt76x2: add helper function for setting drop mask
941555b mt76x2: clear drop mask when sending a PS response
7dfb354 mt76: increase rx ring size for mt76x2
73902dc mt76x2: add rx statistics registers
fe79816 mt76x2: fix LNA gain register annotation
cc588c5 mt76x2: sync channel gain value with latest reference driver
60a4d67 mt76x2: implement dynamic AGC tuning based on false packet detection count
4bc9aa9 mt76x2: add more gain tuning based on the latest reference driver
0a0d16f mt76x2: sync tx power related values with reference driver
8c821aa mac80211: add missing include
82acc85 mt7603: add missing include required on newer kernels
2c1a77c mt76x2: fix transmission of encrypted management frames
0532315 mt76x2: increase OFDM SIFS time
1acde21 mt76x2: add channel argument to eeprom tx power functions
58364a2 mt76x2: initialize channel power limits
c2bd89e mt76x2: convert between per-chain tx power and combined output
e7eaa7c mt7603: rename mt7603_mac_reset to mt7603_pse_reset
ea4c2a1 mt7603: rename MT_PSE_RESET register
c86c3a0 mt7603: remove watchdog reset on interface stop
4490f93 mt7603: remove WARN_ON_ONCE for workaround checks
3075059 mt7603: simplify PSE reset
4ed7e07 mt7603: warn if PSE reset fails
7dc8db1 mt7603: clean up dma debug reads
41e6a04 mt7603: make mt7603_mac_watchdog_reset() static
dc7a351 mt7603: clear wtbl PS bit for powersave responses
123acf2 mt7603: set tx-skip flag for powersave clients
7dd2a9e mt7603: initialize wtbl ps flag on station add
86ddef3 mt76x2: remove some harmless WARN_ONs in tx status and rx path
e326bc2 mt7603: remove some harmless WARN_ONs in rx path

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-12-04 10:52:52 +01:00
Felix Fietkau
e5a10bc0fc samba36: backport an upstream fix for an information leak (CVE-2017-15275)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-12-04 10:51:07 +01:00
Kevin Darbyshire-Bryant
0946ec0f46 wireguard: bump to snapshot 20171127
== Changes ==

 * compat: support timespec64 on old kernels
 * compat: support AVX512BW+VL by lying
 * compat: fix typo and ranges
 * compat: support 4.15's netlink and barrier changes
 * poly1305-avx512: requires AVX512F+VL+BW

 Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.

 * blake2s: AVX512F+VL implementation
 * blake2s: tweak avx512 code
 * blake2s: hmac space optimization

 Another terrific submission from Samuel Neves: we now have an implementation
 of Blake2s using AVX512, which is extremely fast.

 * allowedips: optimize
 * allowedips: simplify
 * chacha20: directly assign constant and initial state

 Small performance tweaks.

 * tools: fix removing preshared keys
 * qemu: use netfilter.org https site
 * qemu: take shared lock for untarring

 Small bug fixes.

Remove myself from the maintainers list: we have enough and I'm happy to
carry on doing package bumps on ad-hoc basis without the 'official'
title.

Run-tested: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-27 14:51:05 +01:00
Kevin Darbyshire-Bryant
d3f40aabba wireguard: bump to 20171122
Bump to latest WireGuard snapshot release:

ed479fa (tag: 0.0.20171122) version: bump snapshot
efd9db0 chacha20poly1305: poly cleans up its own state
5700b61 poly1305-x86_64: unclobber %rbp
314c172 global: switch from timeval to timespec
9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
6507a03 chacha20poly1305: add more test vectors, some of which are weird
6f136a3 compat: new kernels have netlink fixes
e4b3875 compat: stable finally backported fix
cc07250 qemu: use unprefixed strip when not cross-compiling
64f1a6d tools: tighten up strtoul parsing
c3a04fe device: uninitialize socket first in destruction
82e6e3b socket: only free socket after successful creation of new
df318d1 compat: fix compilation with PaX
d911cd9 curve25519-neon: compile in thumb mode
d355e57 compat: 3.16.50 got proper rt6_get_cookie
666ee61 qemu: update kernel
2420e18 allowedips: do not write out of bounds
185c324 selftest: allowedips: randomized test mutex update
3f6ed7e wg-quick: document localhost exception and v6 rule

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-24 12:56:36 +01:00
Emerson Pinter
e626942c33 dnsmasq: load instance-specific conf-file if exists
Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
but not used by dnsmasq.

Signed-off-by: Emerson Pinter <dev@pinter.com.br>
2017-11-20 21:42:10 +01:00
Daniel Golle
d64c0e54a5 rpcd: update to version 2017-11-12
a0231be8fbc61 fix memory leak in packagelist
4e483312b0216 sys: add packagelist method

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-11-17 14:42:49 +01:00
Felix Fietkau
d851d7fa56 wireguard: fix portability issue
Check if the compiler defines __linux__, instead of assuming that the
host OS is the same as the target OS.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-16 22:44:45 +01:00
Felix Fietkau
8751bd771d wireguard: move to kernel build directory
It builds a kernel module, so its build dir should be target specific

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-16 22:43:28 +01:00
Kevin Darbyshire-Bryant
ed571c14e0 wireguard: bump to 0.0.20171111
edaad55 (tag: 0.0.20171111) version: bump snapshot
7a989b3 tools: allow for NULL keys everywhere
46f8cbc curve25519: reject deriving from NULL private keys
9b43542 tools: remove ioctl cruft
f6cea8e allowedips: rename from routingtable
23f553e wg-quick: allow for tabs in keys
ab9befb netlink: make sure we reserve space for NLMSG_DONE
73405c0 compat: 4.4.0 has strange ECN function
868be0c wg-quick: stat the correct enclosing folder of config file
ceb11ba qemu: bump kernel version
0a8e173 receive: hoist fpu outside of receive loop
bee188a qemu: more debugging
f1fdd8d device: wait for all peers to be freed before destroying
2188248 qemu: check for memory leaks
c77a34e netlink: plug memory leak
0ac8efd device: please lockdep
a51e196 global: revert checkpatch.pl changes
65c49d7 Kconfig: remove trailing whitespace

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-16 22:36:04 +01:00
Hans Dedecker
c9fb48a432 procd: update to latest git HEAD (fixes and improvements)
d9dc0e0 service: fix calls to blobmsg_parse()
5db8f70 procd: add missing new lines inside debug code
8d5d29c service: fix SERVICE_ATTR_NAME usage in service_handle_set

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-15 22:14:26 +01:00
Peter Wagner
cda8ec7dd8
openssl: update to 1.0.2m
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:

../libssl.so: undefined reference to `SSLv3_client_method'

Fixes CVE: CVE-2017-3735, CVE-2017-3736

Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-11-13 00:53:35 +01:00
Rafał Miłecki
95824b9bf6 rpcd: update to the latest version from 2017-11-09
9a8640183c031 plugin: use RTLD_LOCAL instead of RTLD_GLOBAL when loading library

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-11-09 19:57:17 +01:00
Hans Dedecker
792559f25b mountd: bump to git HEAD version (optimization fixes)
7826ca5 mount: add mount with ignore=1 for unsupported filesystems
75e7412 mount: drop duplicated filesystem check from mount_add_list

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-09 18:08:16 +01:00
Marko Ratkaj
a0ef1c478a functions.sh: fix default_postinst function
When we run "opkg install" on a package that installs an uci-defaults
script, functions.sh will fail to evaluate that script in its
default_postinst function.

This happens because there is no "./" present and it searches for the
file in paths specified by the PATH variable. This would work on bash,
but it will not work on ash and some other shells like sh, zsh. This
applys to the ". filename" directive used in this case.

This patch will make the path relative to the /etc/uci-defaults
directory.

Fixes: FS#1021

Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
2017-11-08 23:26:20 +01:00
Kevin Darbyshire-Bryant
6b6578feec wireguard: version bump to 0.0.20171101
Update wireguard to latest snapshot:

9fc5daf version: bump snapshot
748ca6b compat: unbreak unloading on kernels 4.6 through 4.9
7be9894 timers: switch to kees' new timer_list functions
6be9a66 wg-quick: save all hooks on save
752e7af version: bump snapshot
2cd9642 wg-quick: fsync the temporary file before renaming
b139499 wg-quick: allow for saving existing interface
582c201 contrib: add reresolve-dns
8e04be1 tools: correct type for CTRL_ATTR_FAMILY_ID
c138276 wg-quick: allow for the hatchet, but not by default
d03f2a0 global: use fewer BUG_ONs
6d681ce timers: guard entire setting in block
4bf32ca curve25519: only enable int128 if compiler support is sound
86e06a3 device: expand scope of destruct lock
e3661ab global: get rid of useless forward declarations
bedc77a device: only take reference if netns is different
7c07e22 wg-quick: remember to rewind DNS settings on failure
2352ec0 wg-quick: allow specifiying multiple hooks
573cb19 qemu: test using four cores
e09ec4d global: style nits
4d3deae qemu: work around ccache bugs
7491cd4 global: infuriating kernel iterator style
78e079c peer: store total number of peers instead of iterating
d4e2752 peer: get rid of peer_for_each magic
6cf12d1 compat: be sure to include header before testing
3ea08d8 qemu: allow for cross compilation
d467551 crypto/avx: make sure we can actually use ymm registers
c786c46 blake2: include headers for macros
328e386 global: accept decent check_patch.pl suggestions
a473592 compat: fix up stat calculation for udp tunnel
9d930f5 stats: more robust accounting
311ca62 selftest: initialize mutex in routingtable selftest
8a9a6d3 netns: use time-based test instead of quantity-based
e480068 netns: use read built-in instead of ncat hack for dmesg

Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-11-05 12:50:18 +01:00
Felix Fietkau
63f6408ccc uclient: update to the latest version, fixes fetch of multiple files
4b87d83 uclient-fetch: fix overloading of output_file variable

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-03 10:56:47 +01:00
Jo-Philipp Wich
367b4563b4 dnsmasq: restore ability to include/exclude raw device names
Commit 5cd88f4 "dnsmasq: remove use of uci state for getting network ifname"
broke the ability to specify unmanaged network device names for inclusion
and exclusion in the uci configuration.

Restore support for raw device names by falling back to the input value
when "network_get_device" yields no result.

Fixes FS#876.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a89c36b508)
2017-10-25 09:57:58 +02:00
Matthias Schiffer
0780e12483
opkg: bump to 2017-10-23 (lede-17.01)
A lede-17.01 branch for bugfix backports has been added to the opkg-lede
repo.

c6caf07 pkg_parse: fix segfault when parsing descriptions with leading newlines
5bb5fd5 opkg: add --no-check-certificate argument
7a96972 libbb: xreadlink: fix memory leak on failure case
3f13edd pkg_run_script: use pkg->dest in half installed case

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-10-23 23:48:25 +02:00
Hans Dedecker
586a721d3f mountd: bump to git HEAD version (fixes SIGSEV crashes)
6efeb19 autofs: register SIGTERM for gracefull exit
01bb2b0 mount: fix SIGSEV crashes

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-18 14:19:56 +02:00
Stijn Tintel
cdb2684dce LEDE v17.01.4: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Stijn Tintel
444add156f LEDE v17.01.4: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-18 11:54:32 +03:00
Jason A. Donenfeld
79f57e422d wireguard: version bump to 0.0.20171017
This is a simple version bump. Changes:

  * noise: handshake constants can be read-only after init
  * noise: no need to take the RCU lock if we're not dereferencing
  * send: improve dead packet control flow
  * receive: improve control flow
  * socket: eliminate dead code
  * device: our use of queues means this check is worthless
  * device: no need to take lock for integer comparison
  * blake2s: modernize API and have faster _final
  * compat: support READ_ONCE
  * compat: just make ro_after_init read_mostly

  Assorted cleanups to the module, including nice things like marking our
  precomputations as const.

  * Makefile: even prettier output
  * Makefile: do not clean before cloc
  * selftest: better test index for rate limiter
  * netns: disable accept_dad for all interfaces

  Fixes in our testing and build infrastructure. Now works on the 4.14 rc
  series.

  * qemu: add build-only target
  * qemu: work on ubuntu toolchain
  * qemu: add more debugging options to main makefile
  * qemu: simplify shutdown
  * qemu: open /dev/console if we're started early
  * qemu: phase out bitbanging
  * qemu: always create directory before untarring
  * qemu: newer packages
  * qemu: put hvc directive into configuration

  This is the beginning of working out a cross building test suite, so we do
  several tricks to be less platform independent.

  * tools: encoding: be more paranoid
  * tools: retry resolution except when fatal
  * tools: don't insist on having a private key
  * tools: add pass example to wg-quick man page
  * tools: style
  * tools: newline after warning
  * tools: account for padding being in zero attribute

  Several important tools fixes, one of which suppresses a needless warning.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit f6c4a9c045)
2017-10-17 20:46:20 +03:00
Stijn Tintel
d501786ff2 hostapd: add wpa_disable_eapol_key_retries option
Commit b6c3931ad6 introduced an AP-side
workaround for key reinstallation attacks. This option can be used to
mitigate KRACK on the station side, in case those stations cannot be
updated. Since many devices are out there will not receive an update
anytime soon (if at all), it makes sense to include this workaround.

Unfortunately this can cause interoperability issues and reduced
robustness of key negotiation, so disable the workaround by default, and
add an option to allow the user to enable it if he deems necessary.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5f97c9372)
2017-10-17 17:59:45 +03:00
Stijn Tintel
b6c3931ad6 hostapd: backport extra changes related to KRACK
While these changes are not included in the advisory, upstream
encourages users to merge them.
See http://lists.infradead.org/pipermail/hostap/2017-October/037989.html

Added 013-Add-hostapd-options-wpa_group_update_count-and-wpa_p.patch so
that 016-Optional-AP-side-workaround-for-key-reinstallation-a.patch
applies without having to rework it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-17 17:54:59 +03:00
Stijn Tintel
a5e1f7f5ef mac80211: backport kernel fix for CVE-2017-13080
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2f701194c2)
2017-10-17 01:57:05 +03:00
Ryan Mounce
707305a19d mac80211: Update wireless-regdb to master-2017-03-07
The short log of changes since the 2016-06-10 release is below.

Jouni Malinen (1):
      wireless-regdb: Remove DFS requirement for India (IN)

Ryan Mounce (1):
      wireless-regdb: Update rules for Australia (AU) and add 60GHz rules

Seth Forshee (2):
      wireless-regdb: Update 5 GHz rules for Canada
      wireless-regdb: update regulatory.bin based on preceding changes

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
(cherry picked from commit 8b12e62e9c)
2017-10-16 14:22:18 +03:00
Jason A. Donenfeld
907d8703f4 wireguard: add wireguard to base packages
Move wireguard from openwrt/packages to base a package.

This follows the pattern of kmod-cake and openvpn. Cake is a fast-moving
experimental kernel module that many find essential and useful. The
other is a VPN client. Both are inside of core. When you combine the two
characteristics, you get WireGuard. Generally speaking, because of the
extremely lightweight nature and "stateless" configuration of WireGuard,
many view it as a core and essential utility, initiated at boot time
and immediately configured by netifd, much like the use of things like
GRE tunnels.

WireGuard has a backwards and forwards compatible Netlink API, which
means the userspace tools should work with both newer and older kernels
as things change. There should be no versioning requirements, therefore,
between kernel bumps and userspace package bumps.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 699c6fcc31)
2017-10-16 14:03:39 +03:00
Felix Fietkau
bff16304b0 brcmfmac: backport length check in brcmf_cfg80211_escan_handler()
Fixes CVE-2017-0786

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 13:02:04 +02:00
Felix Fietkau
63c17142c8 hostapd: merge fixes for WPA packet number reuse with replayed messages and key reinstallation
Fixes:
- CERT case ID: VU#228519
- CVE-2017-13077
- CVE-2017-13078
- CVE-2017-13079
- CVE-2017-13080
- CVE-2017-13081
- CVE-2017-13082
- CVE-2017-13086
- CVE-2017-13087
- CVE-2017-13088

For more information see:
https://w1.fi/security/2017-1/wpa-packet-number-reuse-with-replayed-messages.txt

Backport of bbda81ce30

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-16 12:18:19 +02:00
Felix Fietkau
c1023c8075 mt76: sync with version 878456caf6 from master
Backport required DT changes from commit dabdd123c9.
Significantly improves stability and performance for MT76x2 and MT7603

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-10-13 11:56:25 +02:00
Stijn Tintel
ee32de4426 LEDE v17.01.3: revert to branch defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:55 +03:00
Stijn Tintel
df54a8f583 LEDE v17.01.3: adjust config defaults
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-03 15:10:53 +03:00
Adrian Panella
d0bf257c46 uhttp: update to latest version
3fd58e9 2017-08-19 uhttpd: add manifest support
88c0b4b 2017-07-09 file: fix basic auth regression
99957f6 2017-07-02 file: remove unused "auth" member from struct
path_info
c0a569d 2017-07-02 proc: expose HTTP_AUTH_USER and HTTP_AUTH_PASS
ad93be7 2017-07-02 auth: store parsed username and password
fa51d7f 2017-07-02 proc: do not declare empty process variables
a8bf9c0 2017-01-26 uhttpd: Add TCP_FASTOPEN support
e6cfc91 2016-10-25 lua: ensure that PATH_INFO starts with a slash

Signed-off-by: Adrian Panella <ianchi74@outlook.com>
2017-10-03 13:03:27 +02:00
Karl Palsson
783465d783 odhcpd: don't enable server mode on non-static lan port
Instead of blindly enabling the odhcpd v6 server and RA server on the
lan port, only do that if the lan port protocol is "static"

This prevents the unhelpful case of a device being a dhcpv4 client and
v6 server on the same ethernet port.

Signed-off-by: Karl Palsson <karlp@etactica.com>
[PKG_SOURCE_DATE increase; odhcpd.defaults script cleanup]
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-02 18:51:17 +02:00
Hans Dedecker
c92c1894a5 odhcpd: backport fixes from master branch (FS#402, FS#524)
336212c config: fix dhcpv4 server being started
336212c dhcpv6: assign all viable DHCPv6 addresses by default (FS#402, FS#524)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-02 18:46:24 +02:00
Kevin Darbyshire-Bryant
4b4a4af814 dnsmasq: bump to v2.78
Fixes CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, 2017-CVE-14495, 2017-CVE-14496

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-10-02 18:36:21 +02:00
Hauke Mehrtens
b8357e87d7 base-files: create /etc/config/ directory
The /bin/config_generate script and some other scripts are assuming the
/etc/config directory exists in the image. This is true in case for
example the package firewall, dropbear or dnsmasq are included, which
are adding the files under /etc/config/. Without any of these package
the system will not boot up fully because the /etc/config/ directory is
missing and some init scripts just fail.

Make sure all images with the base-files contain a /etc/config/
directory.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: John Crispin <john@phrozen.org>
2017-10-01 10:52:14 +02:00
Mathias Kresin
a881323cb2 ltq-vdsl-mei: revert disable optimized firmware download
This reverts commit b428f45c06.

If the optimized firmware download is disabled, the xdsl subsystem
hangs in the "idle request" state after physically disconnecting and
reconnecting the xdsl modem from the line.

It might fix the failing line init on boot as well.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-09-30 20:37:33 +02:00
Hauke Mehrtens
f483a35f08 curl: fix security problems
This fixes the following security problems:
 * CVE-2017-1000100 TFTP sends more than buffer size
 * CVE-2017-1000101 URL globbing out of bounds read

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-09-30 15:27:29 +02:00
Kevin Darbyshire-Bryant
e232c6754d mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
2017-09-30 15:24:52 +02:00
Mathias Kresin
b428f45c06 ltq-vdsl-mei: disable optimized firmware download
With ltq-vdsl-mei 1.5.17.6 an optimized firmware download was added and
enabled by default. As soon as the optimized firmware download is
enabled, a watchdog based reboot is trigger between 24h to 48h of
uptime if the board isn't connected to a xdsl line.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-09-28 07:22:58 +02:00
Martin Schiller
39e5cd9556 ltq-vdsl: fix PM thread suspend and resume handling
This is a backport form drv_dsl_cpe_api-4.18.10 and fixes some PM
thread handling issues which lead to high system load and watchdog
trigger within 1h of uptime for boards not connected to a xdsl line.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2017-09-28 07:22:58 +02:00
Sven Roederer
86f0e8b091 openvpn: add "extra-certs" option
This option is used to specify a file containing PEM certs, to complete the
local certificate chain. Which is quite usefull for "split-CA" setups.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-09-25 09:32:00 +02:00
Stijn Tintel
12a0da6315 tcpdump: noop commit to refer CVEs fixed in 4.9.2
When bumping tcpdump from 4.9.1 to 4.9.2, I did not include the fixed
CVEs in the commit message. As the list of fixed CVEs is quite long,
we should probably mention them in the changelogs of the releases to
come. This commit will make sure this happens.

The following CVEs were fixed in 21014d9708:

CVE-2017-11541
CVE-2017-11541
CVE-2017-11542
CVE-2017-11542
CVE-2017-11543
CVE-2017-11543
CVE-2017-12893
CVE-2017-12894
CVE-2017-12895
CVE-2017-12896
CVE-2017-12897
CVE-2017-12898
CVE-2017-12899
CVE-2017-12900
CVE-2017-12901
CVE-2017-12902
CVE-2017-12985
CVE-2017-12986
CVE-2017-12987
CVE-2017-12988
CVE-2017-12989
CVE-2017-12990
CVE-2017-12991
CVE-2017-12992
CVE-2017-12993
CVE-2017-12994
CVE-2017-12995
CVE-2017-12996
CVE-2017-12997
CVE-2017-12998
CVE-2017-12999
CVE-2017-13000
CVE-2017-13001
CVE-2017-13002
CVE-2017-13003
CVE-2017-13004
CVE-2017-13005
CVE-2017-13006
CVE-2017-13007
CVE-2017-13008
CVE-2017-13009
CVE-2017-13010
CVE-2017-13011
CVE-2017-13012
CVE-2017-13013
CVE-2017-13014
CVE-2017-13015
CVE-2017-13016
CVE-2017-13017
CVE-2017-13018
CVE-2017-13019
CVE-2017-13020
CVE-2017-13021
CVE-2017-13022
CVE-2017-13023
CVE-2017-13024
CVE-2017-13025
CVE-2017-13026
CVE-2017-13027
CVE-2017-13028
CVE-2017-13029
CVE-2017-13030
CVE-2017-13031
CVE-2017-13032
CVE-2017-13033
CVE-2017-13034
CVE-2017-13035
CVE-2017-13036
CVE-2017-13037
CVE-2017-13038
CVE-2017-13039
CVE-2017-13040
CVE-2017-13041
CVE-2017-13042
CVE-2017-13043
CVE-2017-13044
CVE-2017-13045
CVE-2017-13046
CVE-2017-13047
CVE-2017-13048
CVE-2017-13049
CVE-2017-13050
CVE-2017-13051
CVE-2017-13052
CVE-2017-13053
CVE-2017-13054
CVE-2017-13055
CVE-2017-13687
CVE-2017-13688
CVE-2017-13689
CVE-2017-13690
CVE-2017-13725

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 2375e279a7)
2017-09-18 16:50:07 +03:00
Stijn Tintel
f66c6e1d8a tcpdump: bump to 4.9.2
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 21014d9708)
2017-09-18 16:50:07 +03:00
Daniel Engberg
a131f7cb69 utils/tcpdump: Rework URLs
Add actual mirror and use main site as last resport
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit fd95397ee3)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>

Conflicts:
	package/network/utils/tcpdump/Makefile
2017-09-18 16:50:07 +03:00
Hans Dedecker
7f1359c14e base-files: fix wan6 interface config generation for pppoe
Setting ipv6 to auto in case of a pppoe interface will trigger the
creation of a dynamic wan_6 interface meaning two IPv6 interfaces
(wan6 and wan_6) will be active on top of the pppoe interface.
This leads to unpredictable behavior in the network; therefore set
ipv6 to 1 which will prevent the dynamic creation of the wan_6
interface.
Further alias the wan6 interface on top of the wan interface for pppoe
as the wan6 interface can only be started when the link local address is
ready. In case of pppoe the link local address is negotiated during the
Internet Protocol Control Protocol when the PPP link is setup meaning
all the IP address info is only available when the wan interface is up.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-18 13:22:58 +02:00
Lorenzo Santina
d33f7905df treewide: fix shellscript syntax errors/typos
Fix multiple syntax errors in shelscripts (of packages only)
These errors were causing many conditions to not working properly

Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
[increase PKG_RELEASE, drop command substitution from directip.sh]
Signed-off-by: Mathias Kresin <dev@kresin.em>
2017-09-13 08:07:39 +02:00
Lorenzo Santina
082e6215b7 hostapd: fix iapp_interface option
ifname variable were not assigned due to syntax error
causing the hostapd config file to have an empty iapp_interface= option

Signed-off-by: Lorenzo Santina <lorenzo.santina.dev@gmail.com>
2017-09-10 08:31:05 +02:00
Kevin Darbyshire-Bryant
1d15a03050 dnsmasq: backport arcount edns0 fix
Don't return arcount=1 if EDNS0 RR won't fit in the packet.

Omitting the EDNS0 RR but setting arcount gives a malformed packet.
Also, don't accept UDP packet size less than 512 in received EDNS0.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-08 10:09:48 +02:00
Kevin Darbyshire-Bryant
a7506c0e2b dnsmasq: backport official fix for CVE-2017-13704
Remove LEDE partial fix for CVE-2017-13704.

Backport official fix from upstream.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (PKG_RELEASE increase)
2017-09-07 08:11:49 +02:00
Matthias Schiffer
bb6a8b2cbf
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-06 15:48:05 +02:00
Stijn Tintel
f62a31d0e9 f2fs-tools: fix mkfs.f2fs on big-endian systems
Fixes: FS#749

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit cdb494fdc2)
2017-09-03 10:14:09 +03:00
Stijn Tintel
c3bddb49ff f2fs-tools: drop musl compat patch
It is no longer needed since version 1.4.1.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 252c8ddf14)
2017-09-03 10:14:09 +03:00
Stijn Tintel
707a4b459d f2fs-tools: drop patch in favour of CONFIGURE_VARS
Override the failing check in configure with CONFIGURE_VARS instead of
carrying a patch that's unlikely to be accepted by upstream.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: John Crispin <john@phrozen.org>
(cherry picked from commit d87f27af54)
2017-09-03 10:14:09 +03:00
Daniel Engberg
bd29aa1ba1 f2fs-tools: Switch to gz tarball
At some point kernel.org decided to drop xz generated tarballs, switch to gz which they still provide.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-09-03 10:14:09 +03:00
Kevin Darbyshire-Bryant
a006b48c04 dnsmasq: forward.c: fix CVE-2017-13704
Fix SIGSEGV in rfc1035.c answer_request() line 1228 where memset()
is called with header & limit pointing at the same address and thus
tries to clear memory from before the buffer begins.

answer_request() is called with an invalid edns packet size provided by
the client.  Ensure the udp_size provided by the client is bounded by
512 and configured maximum as per RFC 6891 6.2.3 "Values lower than 512
MUST be treated as equal to 512"

The client that exposed the problem provided a payload udp size of 0.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-30 21:12:49 +02:00
Daniel Engberg
ae3c55666d tcpdump: Update to 4.9.1
Fixes:
 * CVE-2017-11108: Fix bounds checking for STP.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-08-15 18:31:10 +02:00
Baptiste Jonglez
3e35eb13ad mbedtls: Re-allow SHA1-signed certificates
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-08-11 20:45:28 +02:00
Rafał Miłecki
889638c8bf base-files: don't setup network in preinit if failsafe is disabled
With failsafe disabled there is no point in early network setup. We
don't send announcement over UDP and there is no way to ssh to the
device.

A side effect of this is avoiding a possibly incorrect network config
(only with failsafe disabled). This problem is related to possible
changes made by user in /etc/config/network.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-08-09 23:20:23 +02:00
Hans Dedecker
b67b316dd1 dnsmasq: backport remove ping check of configured dhcp address
Remove ping check in DHCPDISCOVER case as too many buggy clients leave
an interface in configured state causing the ping check to fail.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-08 14:44:36 +02:00
Hans Dedecker
4503d8b297 procd: update to the latest git HEAD
66be6a2 watchdog: fix inline watchdog_get_magicclose function prototype

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-08-08 14:41:02 +02:00
John Crispin
66b071fa09 procd: update to latest git HEAD
3e68cdf procd: Do not leak pipe file descriptors to children

Signed-off-by: John Crispin <john@phrozen.org>
2017-08-01 07:02:53 +02:00
Hauke Mehrtens
7ab8bf126e curl: fix CVE-2017-7407 and CVE-2017-7468
This fixes the following security problems:
* CVE-2017-7407: https://curl.haxx.se/docs/adv_20170403.html
* CVE-2017-7468: https://curl.haxx.se/docs/adv_20170419.html

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-07-28 23:49:39 +02:00
Uwe Arnold
823d35f2fd kernel: netfilter: fix nf-nathelper(-extra) description
The tftp and irc netfilter modules are provided by nf-nathelper-extra
and not by nf-nathelper.

Signed-off-by: Uwe Arnold <donvipre@gmail.com>
[move the irc module as well]
Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-07-25 21:02:27 +02:00
Piotr Dymacz
671fc88c91 uboot-envtools: add support for ALFA Network AP121F
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-07-23 00:26:51 +02:00
Hans Dedecker
82b20d74cb procd: backport kernel watchdog start/stop support
4dbf57a watchdog: add support for starting/stopping kernel watchdog

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-13 21:54:59 +02:00
Hans Dedecker
699e3127c5 dnsmasq: backport patch fixing DNS failover (FS#841)
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-12 22:06:48 +02:00
Daniel Golle
7896d7b814
fstools: backport fixes from master branch
The following changes are backported from the master branch

bdcb075 libfstools: fix matching device name
(f038a61 on master)

ef2d438 fstools: use -Wno-format-truncation instead of -Wno-error=format-truncation
(c43ae11 on master)

d361923 build: disable the format-truncation warning error to fix gcc 7 build errors
(a19f2b3 on master)

cddc830 libfstools: silence mkfs.{ext4,f2fs}
(88d48d5 on master)

be5004c libfstools: add basic documentation of mount functions
(92b4c2c on master)

34d36c2 add missing includes
(7d78836 on master)

A previously added hotfix was replaced by a git commit, hence the patch
file is removed and we got instead

45c2a6f libfstools: fix multiple volume_identify usages with the same volume
(633a8d0 on master)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-07-11 23:30:10 +02:00
Matthias Schiffer
74d5c3e019
mtd-utils: use source package name for lzo in PKG_BUILD_DEPENDS
PKG_BUILD_DEPENDS should always refer to source package names.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-07-08 22:55:19 +02:00
Hans Dedecker
91d41b6305 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances android and netbooted windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-07-01 13:53:53 +02:00
Hans Dedecker
cca765f64c dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 10:02:14 +02:00
Daniel Golle
eff3469510 procd: backport fixes from master branch
The following commits have been cherry-picked into the lede-17.01
branch of procd, listed here in git-log-order ie. with head first:

89918c8 system: introduce new attribute board_name
(79bbe6d and 453116e on master branch)

8297c38 preinit: define _GNU_SOURCE
(e5b963a on master branch)

8fd57dd upgraded: cmake: Find and include uloop.h
(e5ff8ca on master branch)

6b0da20 hotplug: fix a memory leak in handle_button_complete()
(f367ec6 on master branch)

558ffb5 service/service_stopped(): fix a use-after-free
(796ba3b on master branch)

22f89e1 upgraded: define __GNU_SOURCE
(e7bb2c8 on master branch)

6e8ea8b rcS: add missing fcntl.h include
(992b796 on master branch)

cd5225d procd/rcS: Use /dev/null as stdin
(d42b21e on master branch)

5131bec procd: Log initscript output prefixed with script name
(1247db1 on master branch)

225b18d procd: Don't use syslog before its initialization
(8d720b2 on master branch)

889442c procd: Add missing \n in debug message
(2555474 on master branch)

2716228 procd: service gets deleted when its last instance is freed
(8f218f5 on master branch)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-28 02:01:07 +02:00
Rafał Miłecki
761e6087ed base-files: fix PKG_CONFIG_DEPENDS to include version.mk entries
Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-26 23:47:12 +02:00
Christian Schoenebeck
73a4568f19 ca-certificates: Update to version 20161130+nmu1
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
2017-06-26 10:09:54 +02:00
Magnus Kroken
57289ae640 openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Magnus Kroken
73e81a8318 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Hans Dedecker
8f254e9c27 Revert "dnsmasq: don't point --resolv-file to default location unconditionally"
This reverts commit 78edfff530.

This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-19 22:07:44 +02:00
Kevin Darbyshire-Bryant
c16326cfed dropbear: fix service trigger syntax error
The classic single '&' when double '&&' conditional was meant.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-17 13:50:27 +02:00
Alexander Couzens
a6b5ddfd9b LEDE v17.01.2: revert to branch defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:07 +02:00
Alexander Couzens
2da512ecf4 LEDE v17.01.2: adjust config defaults
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-06-10 13:08:02 +02:00
Jo-Philipp Wich
e5db08edf7 base-files: network.sh: fix a number of IPv6 logic flaws
* Change network_get_subnet6() to sensibly guess a suitable prefix

  Attempt to return the first non-linklocal, non-ula range, then attempt
  to return the first non-linklocal range and finally fall back to the
  previous behaviour of simply returning the first found item.

* Fix network_get_ipaddrs_all()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
  to build a single list of all interface addresses.

* Fix network_get_subnets6()

  Instead of replicating the flawed logic appending a fixed ":1" suffix
  to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
  field to figure out the proper network address.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 23:02:16 +02:00
Jo-Philipp Wich
8a42d4d851 mwlwifi: update to version 10.3.4.0 / 2017-06-06
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 19:57:31 +02:00
Jo-Philipp Wich
df4363b607 base-files: network.sh: properly report local IPv6 addresses
Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.

Fixes FS#829.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-08 12:06:50 +02:00
Mathias Kresin
524ed5088e base-files: always set proto passed to _ucidef_set_interface()
Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.

It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.

The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-03 20:41:26 +02:00
Jo-Philipp Wich
e78a641f52 umdns: remove superfluous include in init script
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.

Additionally, the network.sh helper is not actually used.

Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 01:29:51 +02:00
Jo-Philipp Wich
cdfc6788a9 dnsmasq: bump to 2.77
This is a cumulative backport of multiple dnsmasq update commits in master.

Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.

Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-02 00:25:08 +02:00
Alberto Bursi
9e20cc56b9 dnsmasq: make tftp root if not existing
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.

Originally submitted by nfw user aka Nathaniel Wesley Filardo

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2017-06-02 00:09:14 +02:00
Karl Vogel
ebf46d2c5b dnsmasq: use logical interface name for dhcp relay config
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.

Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
2017-06-02 00:07:02 +02:00
Philip Prindeville
78edfff530 dnsmasq: don't point --resolv-file to default location unconditionally
If noresolv is set, we should not generate a --resolv-file parameter.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
2017-06-02 00:06:24 +02:00
Julian Labus
fe5e343933 usbmode: update usb-modeswitch-data to 20170205
add support for new hardware

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Julian Labus
4baf0ea229 usbmode: update to latest version
453da8e convert-modeswitch.pl: fix message indices

Signed-off-by: Julian Labus <julian@labus-online.de>
2017-05-29 09:26:27 +02:00
Florian Fainelli
7c1e58863c usbmode: Update to latest HEAD
Brings the following changes:

22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-29 09:26:27 +02:00
Jo-Philipp Wich
22478bf473 samba: bump PKG_RELEASE
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.

Bump the PKG_RELEASE to signify upgrades to downstream users.

Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 17:40:21 +02:00
Jo-Philipp Wich
757353c3a0 firewall: resync with master
Update to latest Git HEAD in order to import a number of fixes and other
improvements:

a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11

Fixes FS#548, FS#640, FS#806, FS#811.

Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-05-27 16:18:31 +02:00