Commit Graph

2962 Commits

Author SHA1 Message Date
David Lam
22b07ff73e hostapd: add support for subject validation
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.

From the documentation:

subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com

subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.

altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI

altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.

domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.

domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.

domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.

Signed-off-by: David Lam <david@thedavid.net>
2020-01-14 17:46:27 +01:00
Petr Štetiar
2b28358a37 odhcpd: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected.

Size increase on x86/64:

 odhcpd-ipv6only Installed-Size: 36821 -> 38216

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-14 00:06:40 +01:00
Hauke Mehrtens
a2571f3c81 uhttpd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 39% uncompressed and 21% compressed
on MIPS BE.

old:
33,189 /usr/sbin/uhttpd
23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

new:
46,212 /usr/sbin/uhttpd
27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
6b2379d048 hostapd: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 26% uncompressed and 16% compressed
on MIPS BE.

old:
460,933 /usr/sbin/wpad
283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

new:
584,508 /usr/sbin/wpad
330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
7ab6613026 dropbear: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.

old:
164,261 /usr/sbin/dropbear
 85,648 dropbear_2019.78-2_mips_24kc.ipk

new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hauke Mehrtens
dae0ac7770 dnsmasq: Activate PIE by default
This activates PIE ASLR support by default when the regular option is
selected.

This increases the binary size by 37% uncompressed and 18% compressed
on MIPS BE.

old:
146,933 /usr/sbin/dnsmasq
101,837 dnsmasq_2.80-14_mips_24kc.ipk

new:
202,020 /usr/sbin/dnsmasq
120,577 dnsmasq_2.80-14_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
2020-01-13 15:34:36 +01:00
Hans Dedecker
3446702cdb ethtool: bump to 5.4
7dc0af7 Release version 5.4.
914912e ethtool: add 0x16 and 0x1c extended compliance codes
600b779 ethtool: mark 10G Base-ER as SFF-8472 revision 10.4 onwards
696565d ethtool: correctly interpret bitrate of 255
2941970 fix unused parameter warning in e1000_get_mac_type()
5e814f2 fix unused parameter warning in fjes_dump_regs()
b1a5279 fix unused parameter warning in ixgb_dump_regs()
6608751 fix unused parameter warning in ibm_emac_dump_regs()
1c30119 fix unused parameter warning in et131x_dump_regs()
a56aba4 fix unused parameter warning in amd8111e_dump_regs()
f40d32d fix unused parameter warning in fec_dump_regs()
8b84f1a fix unused parameter warning in at76c50x_usb_dump_regs()
f725f5a fix unused parameter warning in smsc911x_dump_regs()
a12cd66 fix unused parameter warning in e1000_dump_regs()
e058656 fix unused parameter warning in igb_dump_regs()
debac02 fix unused parameter warning in de2104[01]_dump_regs()
d434eea fix unused parameter warning in e100_dump_regs()
8df12f3 fix unused parameter warning in vioc_dump_regs()
92d716b fix unused parameter warning in tg3_dump_{eeprom, regs}()
211c99e fix unused parameter warning in fec_8xx_dump_regs()
362fb8b fix unused parameter warning in ixgbevf_dump_regs()
87903c2 fix unused parameter warning in st_{mac100, gmac}_dump_regs()
c1eaddf fix unused parameter warning in vmxnet3_dump_regs()
313c9f8 fix unused parameter warning in dsa_dump_regs()
183e8a2 fix unused parameter warning in {skge, sky2}_dump_regs()
7f84c13 fix unused parameter warning in lan78xx_dump_regs()
02d0aaa fix unused parameter warning in realtek_dump_regs()
726d607 fix unused parameter warning in ixgbe_dump_regs()
967177c fix unused parameter warning in netsemi_dump_eeprom()
710a414 fix unused parameter warning in natsemi_dump_regs()
283398a fix unused parameter warning in print_simple_table()
0404267 fix unused parameter warning in sfc_dump_regs()
57c7298 fix unused parameter warning in altera_tse_dump_regs()
302e91a fix unused parameter warning in dump_eeprom()
2054a8c fix unused parameter warning in find_option()
d5432a9 fix unused parameter warnings in do_version() and show_usage()
c430e75 fix arithmetic on pointer to void is a GNU extension warning
e568431 ethtool: implement support for Energy Detect Power Down
e391f4c ethtool: sync ethtool-copy.h: adds support for EDPD

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-01-12 22:19:37 +01:00
Jason A. Donenfeld
7936cb94a9 wireguard-tools: bump to 1.0.20200102
* systemd: update documentation URL
* global: bump copyright

Usual house keeping.

* Makefile: DEBUG_TOOLS -> DEBUG and document
* Makefile: port static analysis check
* dns-hatchet: adjust path for new repo layout
* Makefile: rework automatic version.h mangling

These are some important-ish cleanups for downstream package maintainers that
should make packaging this a lot smoother.

* man: add documentation about removing explicit listen-port

Documentation improvement.

* wg-quick: linux: quote ifname for nft

This should fix issues with weirdly named ifnames and odd versions of nft(8).

* fuzz: find bugs in the config syntax parser
* fuzz: find bugs when parsing uapi input

These are two fuzzers that have been laying around without a repo for a while.
Perhaps somebody with enough compute power will find bugs with them.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-09 18:54:24 +01:00
Jason A. Donenfeld
62c2199bd8 wireguard: bump to 0.0.20200105
* socket: mark skbs as not on list when receiving via gro

Certain drivers will pass gro skbs to udp, at which point the udp driver
simply iterates through them and passes them off to encap_rcv, which is
where we pick up. At the moment, we're not attempting to coalesce these
into bundles, but we also don't want to wind up having cascaded lists of
skbs treated separately. The right behavior here, then, is to just mark
each incoming one as not on a list. This can be seen in practice, for
example, with Qualcomm's rmnet_perf driver. This lead to crashes on
OnePlus devices and possibly other Qualcomm 4.14 devices. But I fear
that it could lead to issues on other drivers on weird OpenWRT routers.

This commit is upstream in net-next as:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=736775d06bac60d7a353e405398b48b2bd8b1e54

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2020-01-09 18:54:24 +01:00
Daniel Golle
6a28552120 dnsmasq: add uci-defaults script for config migration
When running sysupgrade from an existing configuration, UCI option
dhcp.@dnsmasq[0].resolvfile needs to be modified in case it has not
been changed from it's original value.
Accomplish that using a uci-defaults script.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-09 15:37:53 +02:00
David Bauer
ab16adf80b hostapd: disable ft_psk_generate_local for non-PSK networks
Without this commit, ft_psk_generate_local is enabled for non-PSK
networks by default. This breaks 802.11r for EAP networks.

Disable ft_psk_generate_local by default for non-PSK networks resolves
this misbehavior.

Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Martin Weinelt <martin@darmstadt.freifunk.net>
2020-01-09 01:01:20 +01:00
Matthias Schiffer
41c19dd542
ethtool: fix PKG_CONFIG_DEPENDS
Add missing CONFIG_ prefix.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-01-07 20:53:31 +01:00
Matthias Schiffer
9924db5b37
iperf: fix PKG_CONFIG_DEPENDS
Fix typo in PKG_CONFIG_DEPENDS and missing CONFIG_ prefix.

Fixes: e98e046f06 ("iperf: Allow enabling multicast support")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-01-07 20:52:23 +01:00
Daniel Golle
2e3cf4500b dnsmasq: bump PKG_RELEASE
Previous commit should have bumped PKG_RELEASE, but git add was
forgotten... Add it now.

Fixes: cd48d8d342 ("dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:44:16 +02:00
Daniel Golle
cd48d8d342 dnsmasq: switch to /tmp/resolv.conf.d/resolv.conf.auto
Mount-bind directory instead of resolv.conf.auto file in jail to
avoid problems when the file is deleted/replaced.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:37:22 +02:00
Daniel Golle
5e1604477a netifd: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:36:59 +02:00
Daniel Golle
fedc5d30ae base-files: move /tmp/resolv.conf.auto to /tmp/resolv.conf.d/
Having it in a directory it more friendly for mount-bind.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-01-07 15:36:03 +02:00
Hauke Mehrtens
414d054138 dnsmasq: Fix potential dnsmasq crash with TCP
This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.

I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra  = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 17:44:22 +01:00
Hauke Mehrtens
8fb6be73b5 iwinfo: Update to version 2020-01-05
bf2c106 nl80211: add htmode to iwinfo_ops

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-05 20:19:37 +01:00
Andrea Dalla Costa
52f0b0913d ead: fix resource leak in tinysrp
Add call to fclose for file pointer fp in function t_openpw.
The resource leak could happen during an error handling.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-05 19:36:46 +01:00
DENG Qingfang
983605e61f pppd: update to 2.4.8
78cd384 Update README and patchlevel.h for 2.4.8 release
5d03403 pppd: Avoid use of strnlen (and strlen) in vslprintf
a1e950a pppd: Fix IPv6 default route code for Solaris
ca5e61b plugins/rp-pppoe: Make tag parsing loop condition more accurate
c10c3c7 pppd: Make sure word read from options file is null-terminated
b311e98 pppd: Limit memory accessed by string formats with max length specified
3ea9de9 pppd: Eliminate some more compiler warnings
57edb1a pppd: Include time.h header before using time_t
09f695f pppd: Don't free static string
03104ba pppd.h: Add missing headers
388597e pppd: Add defaultroute6 and related options
66ce4ba pppd: Avoid declarations within statements in main.c
5637180 pppd: Fix `ifname` option in case of multilink (#105)
d00f8a0 pppd: Fix variable reference syntax in Makefile.linux
b6b4d28 pppd: Check tdb pointer before closing

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-01-05 19:36:45 +01:00
Matt Merhar
3d7f76383f dropbear: add missing zlib dependency for dropbearconvert
If CONFIG_DROPBEAR_ZLIB is set, building fails at the packaging stage
due to an undeclared dependency on libz.so.1.

As is already done for the main dropbear package, conditionally add a
dependency on zlib.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2020-01-05 19:36:45 +01:00
Rosen Penev
121ad10601 lldpd: Fix compilation without fortify-headers
Upstream backport.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-05 19:36:45 +01:00
Florian Fainelli
e98e046f06 iperf: Allow enabling multicast support
iperf2 is useful for testing UDP over multicast, add an option to permit
the enabling/disabling of multicast support.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2020-01-03 20:30:09 -08:00
Jo-Philipp Wich
0590d74db2 Revert "iptables: update to 1.8.4"
This reverts commit 10cbc896c0.

The updated iptables package does not build due to the following error
encountered on the buildbots:

    cp: cannot stat '.../iptables-1.8.4/ipkg-install/usr/lib/libiptc.so.*': No such file or directory

The changelog mentions "build: remove -Wl,--no-as-needed and libiptc.so" so
it appears as if further packaging changes are needed beyond a simple
version bump.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-30 23:07:29 +01:00
DENG Qingfang
10cbc896c0 iptables: update to 1.8.4
Update iptables to 1.8.4

ChangeLog:
  https://netfilter.org/projects/iptables/files/changes-iptables-1.8.4.txt

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-12-30 21:14:31 +01:00
David Bauer
3026cfe172 iwinfo: update to 2019-12-27
a6f6c05 nl80211: properly handle netdev names starting with "radio"
31dcef3 iwinfo: add several QC/A device ids

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-30 15:09:30 +01:00
Jason A. Donenfeld
ea980fb9c6 wireguard: bump to 20191226
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-27 16:34:27 +01:00
Eneas U de Queiroz
3018c4c02f curl: rename cyassl->wolfssl
The old name was dropped and no longer works.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-12-26 23:30:33 +01:00
Kevin Darbyshire-Bryant
9cf9f903a3 wireguard: bump to 20191219
edad0d6 version: bump snapshot
0e38a3c compat: ipv6_dst_lookup_flow was backported to 5.3 and 5.4
2e52c41 wg-quick: linux: use already configured addresses instead of in-memory
3721521 tools: adjust wg.8 syntax for consistency in COMMANDS section
21a1498 wg-quick: linux: try both iptables(8) and nft(8) on teardown

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-12-24 20:53:32 +00:00
Rosen Penev
fd211e1677 iperf: Fix compilation with libcxx
Avoids redefining bool.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-12-23 00:22:07 +01:00
Jo-Philipp Wich
97af1fc979 uhttpd: reset PKG_RELEASE
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-22 23:03:59 +01:00
Jo-Philipp Wich
f34f9a414d uhttpd: update to latest Git HEAD
5f9ae57 client: fix invalid data access through invalid content-length values

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-12-22 22:50:00 +01:00
Magnus Kroken
bf43e5bbf9 openvpn: update to 2.4.8
Backport two upstream commits that allow building
openvpn-openssl without OpenSSLs deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2019-12-22 10:45:09 +01:00
Petr Štetiar
98b3526bf2 iputils: move iputils tools to packages feed
iputils has moved from the master tree to the packages feed, and is
switching from the abandoned skbuff.net upstream to
github.com/iputils/iputils.

Ref: https://git.openwrt.org/556698cedf9e86a0ffe9f148d4e8e733676c26f6
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-19 22:41:57 +01:00
Kevin Darbyshire-Bryant
ca7ed1712e wireguard: bump to 0.0.20191212
1ec6ece version: bump snapshot
e13de91 main: remove unused include <linux/version.h>
72eb17c wg-quick: linux: support older nft(8)
1d8e978 global: fix up spelling
e02713e wg-quick: linux: add support for nft and prefer it
b4e3a83 compat: support building for RHEL-8.1 instead of RHEL-8.0
f29e3ac socket: convert to ipv6_dst_lookup_flow for 5.5

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-12-17 19:46:41 +00:00
Hans Dedecker
a15f658ed0 odhcpd: update to latest git HEAD
d60f0a6 treewide: optimize syslog priority values

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-15 20:54:25 +01:00
Daniel Golle
24b97579d2 hostapd: re-introduce process tracking
Before commit 60fb4c92b6 ("hostapd: add ubus reload") netifd was
tracking hostapd/wpa_supplicant and restarting wifi in case of a
process crash. Restore this behaviour by tracking the PIDs of
hostapd and wpa_supplicant.
Also make sure hostapd and/or wpa_supplicant have been started before
emmitting ubus calls to them using ubus wait_for.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-12-08 19:52:39 +01:00
Felix Fietkau
c888e17e06 hostapd: manage instances via procd instead of pidfile
Allows graceful restart of crashing hostapd/wpa_supplicant instances

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: attempt to launch only present services]
2019-12-08 19:52:38 +01:00
Felix Fietkau
4225b83a76 hostapd: fix crash regression triggered by mesh mode
Fixes: 60fb4c92b6 ("hostapd: add ubus reload")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: polish commit message]
2019-12-08 19:51:53 +01:00
David Bauer
1ccf4bb93b hostapd: enable CTRL_IFACE_MIB for hostapd-full
This enables the CTRL_IFACE_MIB symbol for wpad-full and hostapd-full.
If it is not enabled, statistic outputs such as "hostapd_cli all_sta"
are empty.

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-12-08 12:49:09 +01:00
Hans Dedecker
39d9010c20 iproute2: update to 5.4.0
Update iproute2 to latest stable version, see https://lwn.net/Articles/805654/
for the changes in 5.4.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-06 18:35:55 +01:00
Jason A. Donenfeld
82a8f91c89 wireguard: bump to 0.0.20191205
* wg-quick: linux: suppress error when finding unused table

This fixes a spurious warning messages seen with recent versions of iproute2
and kernels.

* wg-quick: linux: ensure postdown hooks execute
* wg-quick: linux: have remove_iptables return true
* wg-quick: linux: iptables-* -w is not widely supported

Adding in iptables had some hiccups. For the record, I'm very unhappy about
having to put any firewalling code into wg-quick(8). We'll of course need to
support nftables too at some point if this continues. I'm investigating with
upstream the possibility of adding a sysctl to patch the issue that iptables
is handling now, so hopefully at somepoint down the line we'll be able to shed
this dependency once again.

* send: use kfree_skb_list
* device: prepare skb_list_walk_safe for upstreaming
* send: avoid touching skb->{next,prev} directly

Suggestions from LKML.

* ipc: make sure userspace communication frees wgdevice

Free things properly on error paths.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-12-05 12:11:40 +01:00
Alin Nastac
416d2cc71e gre: add ipv6 parameter to gre interfaces
IPv6 protocol is enabled on all gre interfaces, but gre(v6)tap
interfaces are usually added to a bridge interface, in which case
IPv6 should be enabled only on the bridge interface.

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2019-12-02 21:52:33 +01:00
Hans Dedecker
806339a4cc curl: bump to 7.67.0
For changes in 7.67.0; see https://curl.haxx.se/changes.html#7_67_0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-12-02 20:50:57 +01:00
Hans Dedecker
f573e5756a netifd: update to latest git HEAD
e45b140 interface: warn if ip6hint is truncated

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-29 21:56:42 +01:00
Jason A. Donenfeld
2fedf023e4 wireguard: bump to 0.0.20191127
* messages: recalculate rekey max based on a one minute flood
* allowedips: safely dereference rcu roots
* socket: remove redundant check of new4
* allowedips: avoid double lock in selftest error case
* tools: add syncconf command

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2019-11-27 20:20:31 +01:00
Kevin Darbyshire-Bryant
f1ca277405 dnsmasq: correct sense & usage of dnsseccheckunsigned
dnsmasq v2.80 made 'dnssec-check-unsigned' the default, thus the uci
option was rendered ineffectual: we checked unsigned zones no matter the
setting.

Disabling the checking of unsigned zones is now achieve with the
"--dnssec-check-unsigned=no" dnsmasq option.

Update init script to pass required option in the disabled case.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-11-23 08:29:15 +00:00
Jo-Philipp Wich
482114d3f7 firewall: update to latest Git HEAD
8174814 utils: persist effective extra_src and extra_dest options in state file
72a486f zones: fix emitting match rules for zones with only "extra" options

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-22 18:53:57 +01:00
Kevin Darbyshire-Bryant
3cee6f3f24 netifd: dhcp proto convert release to norelease
Change dhcp no/release on shutdown to 'norelease' uci option to match
existing proto dhcpv6 usage.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-20 10:52:57 +00:00
John Crispin
60fb4c92b6 hostapd: add ubus reload
Add ubus interface to hostapd and wpa_supplicant to allow dynamically
reloading wiface configuration without having to restart the hostapd
process.
As a consequence, both hostapd and wpa_supplicant are now started
persistently on boot for each wifi device in the system and then
receive ubus calls adding, modifying or removing interface
configuration.
At a later stage it would be desirable to reduce the services to one
single instance managing all radios.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:52:26 +01:00
Daniel Golle
155ede4f1f netifd: add dynamic wireless reconfiguration
7a723d0 wireless: add ubus method for reloading configuration
 e15147c wireless: make reconf opt-in and allow serializing configuration

Set new option 'reconf' in 'wifi-device' section to enable dynamic
re-configuration on that radio.
If necessary, also set option 'serialize' which forced netifd to
configure interfaces of wireless devices one-by-one.
Both options are disabled by default.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2019-11-12 11:51:36 +01:00
DENG Qingfang
2ea8cd73fe ipset: update to 7.4
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-11-09 14:33:42 +01:00
Hauke Mehrtens
e926681387 swconfig: Activate LTO compile option
This decreases the size of the swconfig application by 25% on MIPS BE.

old:
16,916 /sbin/swconfig

new:
12,565 /sbin/swconfig

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:53 +01:00
Hauke Mehrtens
6596c95eca dnsmasq: Activate LTO
This decreases the binary size when PIE ASLR is activated by 8% on MIPS BE.

old:
202,020 /usr/sbin/dnsmasq

new:
185,676 /usr/sbin/dnsmasq

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-08 23:57:51 +01:00
David Bauer
3034f8c3b8 hostapd: enable PMKSA and OK caching for WPA3-Personal
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.

This should not degrade security, as there's no external authentication
provider.

Tested with OCEDO Koala and iPhone 7 (iOS 13.1).

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-11-04 18:46:54 +01:00
Kyle Copperfield
87f9292300 hostapd: add IEEE 802.11k support
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enables radio resource management to be reported by hostapd to clients.

Ref: https://github.com/lede-project/source/pull/1430
Co-developed-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Lorenzo Santina <lorenzo.santina@edu.unito.it>
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
2019-11-02 20:51:52 +01:00
Hauke Mehrtens
ddab758997 lantiq: Allow PKG_ASLR_PIE for DSL and voice drivers
When ASLR_PIE was activated globally these drivers failed to build
because the user space LDFLAGS leaked into the kernel build process.
This was fixed in upstream Linux kernel commit ce99d0bf312d ("kbuild:
clear LDFLAGS in the top Makefile") which went into Linux 4.17. The
lantiq target is now on Linux 4.19 only and these exceptions are not
needed any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-01 21:19:40 +01:00
Yousong Zhou
289d532ddd dropbear: rebuild libs on config change
Required as dependency on dropbear config headers is not tracked in
dropbear build system

Fixes FS#2275

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-01 06:59:51 +00:00
Hauke Mehrtens
e6cadb215c mac80211: Update to version 5.4-rc2
This updates mac80211 to backports based on kernel 5.4-rc2

ath10k-ct was updated to match the API changes and iw now uses the new
nl80211.h header file.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-19 12:35:55 +02:00
Florian Eckert
c7c14aaad3 wwan: Double quote to prevent globbing and word splitting
Fix some shellcheck warnings.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:41 +02:00
Florian Eckert
a78a539afd wwan: add ec25 to database
Add ec25 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:48:21 +02:00
Florian Eckert
68b1b0bb39 wwan: add mc7304 to database
Add mc7304 to database.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-18 19:47:58 +02:00
Florian Eckert
c45c7606cc wwan: check new uci bus option on proto setup event
If system has more then one and different wwan interface (modem). Then the
wwan protohandler will always take the modem which is discovered first.
The protohandler will always setup the same interface. To fix this add a
new usb "bus" option which is associated with wwan device and so will set
the specified interface up. With this change more then one interface
could be mananged by the wwan protohandler.

If the "bus" option is not set in the uci network config then the protohandler
behaves as before the change. The protohanldler will take the first
interface which he founds.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2019-10-18 19:46:21 +02:00
Sean Kenny
9105057cc0 6in4: add rfc1918 check function
This is a precursor to adding proper support for multiple
6in4 tunnels with the already programmed tunlink parameter.
This is an essential sanity check so as to not break existing
and working behind NAT setups.

Signed-off-by: Sean Kenny <skenny@wfap.ca>

6in4: add myip he.net api parameter logic

This is to add proper support for multiple 6in4 tunnels
with the already programmed tunlink parameter.
As it stands before this commit, if there is a multi wan setup that
consists of dynamic ips, there is no way to use the
dynamic update feature as the he.net api is implicitly using
the ip address of the caller. This will explicitly use the
ipaddr specified in the interface config OR the ip of the
tunlink interface specified in the dynamic update api call instead
ONLY if the final resolved ipaddr variable is not an rfc1918 address.

Signed-off-by: Sean Kenny <skenny@wfap.ca>
2019-10-18 19:23:07 +02:00
Kevin Darbyshire-Bryant
9d5e266cb1 wireguard: bump to latest snapshot 20191012
8eb8443 version: bump snapshot
be09cf5 wg-quick: android: use Binder for setting DNS on Android 10
4716f85 noise: recompare stamps after taking write lock
54db197 netlink: allow preventing creation of new peers when updating
f1b87d1 netns: add test for failing 5.3 FIB changes
a3539c4 qemu: bump default version

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-10-16 16:13:39 +01:00
Jo-Philipp Wich
bc61458b73 iwinfo: update to latest Git HEAD
07315b6 nl80211: handle hidden SSIDs in wpa_supplicant scan results
3ac846e lua: fix string description of mixed WPA3 modes

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-16 16:48:40 +02:00
Martin Schiller
71e04091a9 lantiq: fix dsl_control status handling.
Commit 7519a36774 ("base-files,procd: add generic service status")
introduced the generic 'status' command which broke the previous
dsl_control status output. To fix this, let's rename the "old" command
to "dslstat".

Fixes: 7519a36774 ("base-files,procd: add generic service status")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2019-10-15 23:23:08 +02:00
Jo-Philipp Wich
57b834281b iwinfo: update to latest Git HEAD
a29b7d4 nl80211: align path to phy mapping logic with mac80211.sh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-10-15 15:52:01 +02:00
Hans Dedecker
34c4741da0 odhcpd: update to latest git HEAD
9a4531a ndp: fix endian issue

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-14 21:35:09 +02:00
Eneas U de Queiroz
ee5a3f6d60 hostapd: adjust to removal of WOLFSSL_HAS_AES_GCM
WolfSSL is always built with AES-GCM support now.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-10-12 23:43:08 +02:00
DENG Qingfang
394273c066 tcpdump: update to 4.9.3
Fixed CVEs:
	CVE-2017-16808
	CVE-2018-10103
	CVE-2018-10105
	CVE-2018-14461
	CVE-2018-14462
	CVE-2018-14463
	CVE-2018-14464
	CVE-2018-14465
	CVE-2018-14466
	CVE-2018-14467
	CVE-2018-14468
	CVE-2018-14469
	CVE-2018-14470
	CVE-2018-14879
	CVE-2018-14880
	CVE-2018-14881
	CVE-2018-14882
	CVE-2018-16227
	CVE-2018-16228
	CVE-2018-16229
	CVE-2018-16230
	CVE-2018-16300
	CVE-2018-16301
	CVE-2018-16451
	CVE-2018-16452
	CVE-2019-15166
	CVE-2019-15167

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-10-12 23:37:00 +02:00
Hans Dedecker
f8b58757d0 ppp: update to version 2.4.7.git-2019-10-04
0d004db Revert "pppd: Include time.h before using time_t"
e400854 pppdump: Eliminate printf format warning by using %zd
7f2f0de pppd: Refactor setjmp/longjmp with pipe pair in event wait loop
4e71317 make: Avoid using host include for cross-compiling
3202f89 pppoe: Remove the use of cdefs
d8e8d7a pppd: Remove unused rcsid variables
486f854 pppd: Fix GLIBC version test for non-glibc toolchains
b6cd558 pppd: Include time.h before using time_t
ef8ec11 radius: Fix compiler warning
f6330ec magic: Remove K&R style of arguments
347904e Add Submitting-patches.md

Remove patches 130-no_cdefs_h.patch, 131-missing_prototype_macro.patch,
132-fix_linux_includes.patch as fixed upstream
Refresh patches

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-10 22:37:10 +02:00
Hans Dedecker
27bf8abe69 firewall: update to latest git HEAD
daed0cf utils: fix resource leak

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:26 +02:00
Hans Dedecker
1ed5c1b146 odhcpd: update to latest git HEAD
e76ad06 netlink: fix potential infinite loops

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-10-04 20:42:17 +02:00
Hauke Mehrtens
9a4fb78e7c iw: Update to version 5.3
Wifi HE (ieee80211ax) parsing is currently only activated in the full
version because it increases the compressed size by 2.5KBytes.

This also activates link time optimization (LTO) again, the problem was
fixed upstream

This increases the uncompressed binary size of iw-tiny by about 1.7%

old:
34446 iw_5.0.1-1_mipsel_24kc.ipk
new:
35064 iw_5.3-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-10-03 17:59:19 +02:00
Hans Dedecker
6077cde98a ethtool: bump to 5.3
76c4682 Release version 5.3.
3870efc ethtool: dump nested registers
7c06fa8 gitignore: ignore vim swapfiles and patches
49d1401 ethtool: igb: dump RR2DCDELAY register

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-30 21:53:35 +02:00
Jo-Philipp Wich
f2b9181bb1 iwinfo: update to latest Git HEAD
2a95086 nl80211: recognize SAE encrypted mesh

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-30 12:44:13 +02:00
Felix Fietkau
d25cc3207d iw: add patch to include local BSS rx time in survey information
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-09-29 22:16:27 +02:00
DENG Qingfang
eddbd68b6d iproute2: update to 5.3.0
Update iproute2 to 5.3.0

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-09-28 21:26:53 +02:00
Brandy Krueger
1fe1a200d9 wireguard: bump to 0.0.20190913
Changes since 0.0.20190702:

define conversion constants for ancient kernels
android: refactor and add incoming allow rules
enforce that unused bits of flags are zero
immediately rekey all peers after changing device private key
support running in OpenVZ environments
do not run bc on clean target
skip peers with invalid keys
account for upstream configuration maze changes
openbsd: fix alternate routing table syntax
account for android-4.9 backport of addr_gen_mode
don't fail down when using systemd-resolved
allow specifying kernel release
enforce named pipe ownership and use protected prefix
work around ubuntu breakage
support newer PaX
don't rewrite siphash when it's from compat
squelch warnings for stack limit on broken kernel configs
support rhel/centos 7.7

Signed-off-by: Brandy Krueger <krueger.brandy24@gmail.com>
2019-09-28 21:01:53 +02:00
Jo-Philipp Wich
ced4c0e635 iwinfo: update to latest Git HEAD
313e827 nl80211: keep awaiting wpa_supplicant scan results on busy response
a766751 nl80211: fix parsing of mixed wpa encryption in wpa_supp scan results
f096bfd utils: support parsing SAE and OWE key management suites from IEs

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-22 18:58:50 +02:00
Hauke Mehrtens
49cc712b44 hostapd: Add mesh support for wpad full
This increases the size of the binary slightly:

old:
427722 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431696 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

new:
442109 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
445997 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
998686364d hostapd: use getrandom syscall
hostapd will not use the getrandom() syscall and as a fallback use
/dev/random, the syscall is supported since Linux 3.17 and in the musl,
glibc and uclibc version used by OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
0d86bf518a hostapd: Remove unneeded patch
All the content of this function is proceeded by IEEE8021X_EAPOL no code
accesses the ssid variable outside of this ifdef.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
9b4a27455c hostapd: use config option CONFIG_NO_LINUX_PACKET_SOCKET_WAR
Instead of patching the workaround away, just use the config option.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:51 +02:00
Hauke Mehrtens
167028b750 hostapd: Update to version 2.9 (2019-08-08)
The size of the ipkgs increase a bit (between 0.7% and 1.1%):

old 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

new 2019-08-08 (2.9):
290217 wpad-basic_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
258745 wpad-mini_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
431732 wpad-openssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk
427641 wpad-wolfssl_2019-08-08-ca8c2bd2-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-22 17:39:38 +02:00
Hauke Mehrtens
8af79550e6 hostapd: Update to version 2.8 (2019-04-21)
This also syncs the configuration files with the default configuration
files, but no extra options are activated or deactivated.

The mesh patches were partially merged into hostapd 2.8, the remaining
patches were extracted from patchwork and are now applied by OpenWrt.
The patches still have open questions which are not fixed by the author.
They were taken from this page:
https://patchwork.ozlabs.org/project/hostap/list/?series=62725&state=*

The changes in 007-mesh-apply-channel-attributes-before-running-Mesh.patch
where first applied to hostapd, but later reverted in hostapd commit
3e949655ccc5 because they caused memory leaks.

The size of the ipkgs increase a bit (between 1.3% and 2.3%):

old 2018-12-02 (2.7):
283337 wpad-basic_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
252857 wpad-mini_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
417473 wpad-openssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk
415105 wpad-wolfssl_2018-12-02-c2c6c01b-11_mipsel_24kc.ipk

new 2019-04-21 (2.8):
288264 wpad-basic_2019-04-21-63962824-1_mipsel_24kc.ipk
256188 wpad-mini_2019-04-21-63962824-1_mipsel_24kc.ipk
427475 wpad-openssl_2019-04-21-63962824-1_mipsel_24kc.ipk
423071 wpad-wolfssl_2019-04-21-63962824-1_mipsel_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
2019-09-22 17:39:26 +02:00
Hauke Mehrtens
a6981604b3 hostapd: Fix AP mode PMF disconnection protection bypass
This fixes
* CVE-2019-16275 AP mode PMF disconnection protection bypass
https://w1.fi/security/2019-7/ap-mode-pmf-disconnection-protection-bypass.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-21 01:12:35 +02:00
Jo-Philipp Wich
d6bd3fd5c4 iwinfo: update to latest Git HEAD
02112f9 cli: fix reporting of mixed WPA2/WPA3 versions
7faeaea nl80211: properly detect WEP encryption in wpa_supp scan results
629b5ff nl80211: do not confuse open connections with WEP ones
3d47ddd nl80211: rework hostapd and wpa_supplicant wpa suite parsing

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:32:49 +02:00
Jo-Philipp Wich
abb4f4075e hostapd: mirror ieee80211w ap mode defaults in station mode
For AP mode, OpenWrt automatically sets ieee80211w to either 1 or 2, depending
on whether the encryption is set to sae-mixed, or sae/owe/eap suite-b.

Mirror the same defaults for client mode connections, in order to allow an
OpenWrt station to associate to an OpenWrt ap with SAE, OWE or Suite-B encryption
without the need to manually specify "option ieee80211w" on the station.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:28 +02:00
Jo-Philipp Wich
4209b28d23 hostapd: fix OWE settings in client mode
This changes fixes the generation of the wpa_supplicant client configuration
in WPA3 OWE client mode. Instead of incorrectly emitting key_mgmt=NONE, use
the proper key_mgmt=OWE setting instead.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-20 13:27:21 +02:00
Leon M. George
f974f8213b hostapd: declare struct wpa_bss early
wps_supplicant.h assumes that 'struct wpa_bss' is forward declared if
CONFIG_WPS is not defined.  With the later inclusion of
600-ubus_support, the issue manifests in warnings like these:

wps_supplicant.h:113:15: warning: 'struct wpa_bss' declared inside parameter list will not be visible outside of this definition or declaration
        struct wpa_bss *bss)
               ^~~~~~~

This patch forward declares 'struct wpa_bss' regardless.

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Leon M. George
a123df2758 hostapd: revert signature change in patch
The original wpa_hexdump uses a 'void *' for the payload.  With patch
410-limit_debug_messages, the signature changes and compiler warnings
occur at various places.  One such warning is:

 wpa_debug.h:106:20: note: expected 'const u8 * {aka const unsigned char *}' but argument is of type 'struct wpa_eapol_key *'

Signed-off-by: Leon M. George <leon@georgemail.eu>
[commit message facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-19 23:43:27 +02:00
Hans Dedecker
71cf4a272c curl: bump to 7.66.0
Refresh patches, for changes in version 7.66.0 see https://curl.haxx.se/changes.html#7_66_0

Fixes CVEs:
    CVE-2019-5481
    CVE-2019-5482

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-19 22:23:01 +02:00
Jo-Philipp Wich
5ef9e4f107 firewall: update to latest Git HEAD
383eb58 ubus: do not overwrite ipset name attribute

Ref: https://forum.openwrt.org/t/fw3-ipset-procd-objects/44044
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-09-18 10:51:24 +02:00
Petr Štetiar
2cf209ce91 firewall: update to latest git HEAD
c26f8907d1d2 firewall3: fix typo that affects ICMPv6 rules with numeric icmp_type

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:56:09 +02:00
Petr Štetiar
296e1f253c netifd,lldpd,rpcd,log: use generic service_running
commit eb204d14f75c ("base-files: implement generic service_running")
introduced generic service_running so it's not needed to copy&paste same
3 lines over and over again.

I've removed service_running from netifd/network init script as well,
because it was not working properly, looked quite strange and I didn't
understand the intention:

 $ /etc/init.d/network stop
 $ service network running && echo "yes" || echo "nope"
     ( have to wait for 30s )
 Command failed: Request timed out
 yes

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-09-15 22:53:01 +02:00
Hans Dedecker
a33d60c896 odhcpd: update to latest git HEAD
1d24009 netlink: rename netlink callback handlers
91a28e4 ndp: answer global-addressed NS manually
fd93e36 dhcpv6: retry failed PD assignments on addrlist change

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-15 20:43:14 +02:00
Hans Dedecker
ce6311d301 odhcpd: fix update to git HEAD
Fixes commit 7ff5b12e90

e73bf11 config: ra_management compatibility support
d818380 odhcpd: router: Fix out of scope memory access
94a1c94 dhcpv6-ia: free assignment when validity timer expires
752fc2c router: speed up initial router advertisements
09aa022 router: close socket upon NETEV_IFINDEX_CHANGE fixed
79eb160 router: fix previous commit
6034b5c router: close socket upon NETEV_IFINDEX_CHANGE
000182f router: fix lingering uloop socket descriptor
f6c2242 router: support ra_lifetime being 0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-09-12 22:37:54 +02:00