Commit Graph

2024 Commits

Author SHA1 Message Date
Christian Marangi
21ddd1164d
odhcpd: update to Git HEAD (2024-05-08)
99dd990690bc treewide: refactor pref(erred) to preferred_lt (lifetime)
4c2b51eab368 treewide: refactor valid to valid_lt (lifetime)
3b4e06055900 router: inherit user-assigned preferred_lifetime
e164414aa184 router: limit prefix preferred_lt to valid_lt in accordance with RFC4861
a2176af7bdeb treewide: spell-fixes and new comments for extra clarification
4590efd3a2b3 treewide: normalize spaces to tabs
2edc60cb7c7a router: rename minvalid to lowest_found_lifetime
7ee72ee17bfa router: disambiguate and clarify 'no route' messages
a29882318a4c config: set RFC defaults for preferred lifetime

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-05-08 00:11:19 +02:00
Sergey Ponomarev
1d4b88265b
dropbear: use ssh-keygen as an alias for dropbearkey
The DropBear's dropbearkey supports limited set of arguments of
OpenSSH ssh-keygen:  -t, -q -N -Y
After the change you can generate a key with the same command.
Still many features of the original OpenSSH ssh-keygen are absent in
the dropbearkey.
If it's needed then users should install openssh-keygen package that
will replace the /usr/bin/ssh-keygen with the full version.

Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/14174
[ wrap commit description to 80 columns ]
Link: https://github.com/openwrt/openwrt/pull/14174
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-05-06 13:41:43 +02:00
Felix Fietkau
52a5f4491c hostapd: fix a null pointer dereference in wpa_supplicant on teardown
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-05-01 19:00:21 +02:00
Hauke Mehrtens
00a1671248 hostapd: Fix compile against mbedtsl 3.6
Fix compile of the mbedtls extension for hostapd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-04-28 21:42:18 +02:00
Fabrice Fontaine
289f811abb package/network/services/dropbear: fix PKG_CPE_ID
cpe:/a:dropbear_ssh_project:dropbear_ssh is the correct CPE ID for dropbear:
https://nvd.nist.gov/products/cpe/search/results?keyword=cpe:2.3🅰️dropbear_ssh_project:dropbear_ssh

Fixes: c61a239514 (add PKG_CPE_ID ids to package and tools)

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15290
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-04-27 23:43:58 +02:00
Paul Donald
708101c141 lldpd: fix reload bug: advertisements shall default to on
Because these capability advertisements default to on in lldpd, they
became absent at reload, and not restart, due to how the reload logic
works ( keep daemon running, send unconfigured and then the new config
via socket ), and it was not evident unless you happened to be looking
for it (e.g. via pcap or tcpdump). It was also not evident from the
manpage ( have now sent patches upstream ).

At reload time, the unconfigure logic disabled them unless they were
explicitly enabled (compare with other settings where 'unconfigure' just
resets them). Now they default to on/enabled at init time, and are
explicitly 'unconfigure'd at startup if the user disables them via:

lldp_mgmt_addr_advertisements=0
lldp_capability_advertisements=0

In other words: explicit is necessary to disable the advertisements.

The same applies to 'configure system capabilities enabled'. Technically
'unconfigure'd is the default but now it is explicit at reload.

Tested on: 23.05.3

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2024-04-27 12:11:27 +02:00
Paul Donald
01cdeb531b ustp: update to Git HEAD (2023-05-29)
a85a5bc83bde netif_utils: correctly close fd on read error

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2024-04-27 11:40:04 +02:00
Felix Fietkau
786e3dec01 bridger: update to Git HEAD (2024-04-22)
ec8c620fd5f4 split bridge-local disable into rx and tx
40b1c5b6be4e flow: do not attempt to offload bridge-local flows

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-22 11:02:52 +02:00
Chen Minqiang
3416144418 ppp: add sourcefilter option support
This make source based IPv6 routing option available for
ppp/pptp/pppoe/pppoa

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2024-04-22 15:11:44 +08:00
Paul Donald
4a81d868db
lldpd: extended interface(s) parsing to handle patterns
For interface type parameters, the man page documents patterns:
```
*,!eth*,!!eth1

uses all interfaces, except interfaces starting with "eth",
but including "eth1".
```

* Renamed `_ifname` to `_l2dev`.
* get the l2dev via network_get_physdev (and not l3dev)
* Glob pattern `*` is also valid - use noglob for this

The net result is that now interface 'names' including globs '*' and '!'
inversions are included in the generated lldpd configs.

Temporarily `set -o noglob` and then `set +o noglob` to disable & enable
globbing respectively, because when we pass `*` as an interface choice,
other file and pathnames get sucked in from where the init script runs,
and the `*` never makes it to lldpd.

Tested extensively on: 22.03.6, 23.05.3

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
[ squash with commit bumping release version ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-21 17:57:03 +02:00
Felix Fietkau
93d75f8401 bridger: update to Git HEAD (2024-04-15)
3159bbe0a2eb improve isolation when selecting a fixed output port
c77a7a1ff74d nl: fix getting flow offload stats
a08e51e679dd add support for disabling bridge-local flows via config

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-15 11:29:24 +02:00
Felix Fietkau
1ee5b7e506 hostapd: fix a crash corner case
On some setup failures, iface->bss can be NULL

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-13 16:33:45 +02:00
Paul Donald
50021d3222
lldpd: make management address advertisement controllable
Defaults to off.

Available from >= 0.7.15

These are sent in TLV

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2024-04-12 13:45:48 +02:00
Paul Donald
4d8f56bd59
lldpd: make capabilities advertisement controllable
Defaults to off.

Only available from >= 1.0.15

These capabilities are sent in TLV.

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2024-04-12 13:45:48 +02:00
Paul Donald
b476917502
lldpd: note about capabilities
only available from >= 1.0.15

Comments are useful. Apparently this config parameter was committed when
openwrt used an older version of lldpd which did not yet support it.

Signed-off-by: Paul Donald <newtwen+github@gmail.com>
2024-04-12 13:20:40 +02:00
Paul Donald
8cf1dce428
lldpd: fix restart
Redirection broke in 5364fe0f01 ("lldpd: shellcheck fixes")

redirects to /dev/null shall be handled correctly (i.e. last).

This fixes these errors on `/etc/init.d/lldpd reload`:

2024-03-16T20:39:00 [WARN/lldpctl] unknown command from argument 1: `/dev/null`
2024-03-16T20:39:00 [WARN/lldpctl] unknown command from argument 1: `/dev/null`
2024-03-16T20:39:00 [WARN/lldpctl] unknown command from argument 1: `/dev/null`
2024-03-16T20:39:00 [WARN/lldpctl] unknown command from argument 1: `/dev/null`

Tested-on: 22.03.6
Fixes: 5364fe0f01 ("lldpd: shellcheck fixes")
Signed-off-by: Paul Donald <newtwen+github@gmail.com>
[ improve commit description, add fixes tag ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-04-12 13:20:06 +02:00
Paul Spooren
b3c1c57a35 treewide: update PKG_MIRROR_HASH to zst
When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-04-06 11:24:18 +02:00
Felix Fietkau
27a2b54cba hostapd: fix Config.in dependencies
hostapd packages were accidentally left out. Clean up this mess by
changing the dependencies to hostapd-common

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-05 14:55:59 +02:00
Felix Fietkau
5aab43f933 hostapd: slightly clean up patches
- move build/ifdef related changes together to the 200 patch range
- reduce adding/removing include statements across patches
- move patches away from the 99x patch range to simplify maintenance

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:38:18 +02:00
Felix Fietkau
7b9996d107 hostapd: replace "argument list too long" fix with a simpler version
Less convoluted and more robust

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:38:18 +02:00
Felix Fietkau
6e391325af hostapd: remove workaround for broken WPA IEs in ancient devices
Affected devices were already quite old when this patch was added.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-04-04 13:38:18 +02:00
Eneas U de Queiroz
92379080ea hostapd: adjust patches to work with git am
This adds From:, Date: and Subject: to patches, allowing one to run 'git
am' to import the patches to a hostapd git repository.

From: and Date: fields were taken from the OpenWrt commit where the
patches were first introduced.

Most of the Subject: also followed suit, except for:
 - 300-noscan.patch: Took the description from the LuCI web interface
 - 350-nl80211_del_beacon_bss.patch: Used the file name

The order of the files in the patch was changed to match what git
format-patch does.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-04-04 12:12:43 +02:00
Eneas U de Queiroz
3f5a9e80da hostapd: remove unused fix
Patch 050-build_fix.patch fixes the abscence of sha384-kdf.o from the
list of needed objetct files when FILS is selected without any other
option that will select the .o file.

While it is a bug waiting to be fixes upstream, it is not needed for
OpenWrt use case, because OWE already selects sha384-kdf.o, and FILS is
selected along with OWE.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2024-04-04 12:12:43 +02:00
Eneas U de Queiroz
24d0e74627 hostapd: bump to 2024-03-09
This brings many changes, including fixes for a couple of memory leaks,
and improved interoperability with 802.11r.  There are also many changes
related to 802.11be, which is not enabled at this time.

Fixed upstream:
 - 022-hostapd-fix-use-of-uninitialized-stack-variables.patch
 - 180-driver_nl80211-fix-setting-QoS-map-on-secondary-BSSs.patch
 - 993-2023-10-28-ACS-Fix-typo-in-bw_40-frequency-array.patch

Switch PKG_SOURCE_URL to https, since http is not currently working.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Ilya Katsnelson <me@0upti.me>
Tested by: Andrew Sim <andrewsimz@gmail.com>
2024-04-04 12:12:43 +02:00
Paul Spooren
2070049c1c unetd: fix PKG_MIRROR_HASH
Our CI on GitHub as well as my local machine generates a different
PKG_MIRROR_HASH from what Felix uploaded the other day.

After receiving Felix file, both have indeed different hashes, however
when unpackaged via `xz -d` both have the same tarball content.

Below the checksums to compare:

a62bef497078c7b825f11fc8358c1a43f5db3e6d4b97812044f7653d60747d5b  dl/unetd-2024.03.31~80645766.tar.xz
fbdac59581742bf208c18995b1d69d9848c93bfce487e57ba780d959e0d62fc4  dl/unetd-2024.03.31~80645766_felix.tar.xz

After unpacking:

a7189cae90bc600abf3a3bff3620dc17a9143be8c27d27412de6eb66a1cf1b7d  dl/unetd-2024.03.31~80645766.tar
a7189cae90bc600abf3a3bff3620dc17a9143be8c27d27412de6eb66a1cf1b7d  dl/unetd-2024.03.31~80645766_felix.tar

The tarball with the wrong hash was accidentally generated without the xz
revert to version 5.4.6

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-04-03 13:27:20 +02:00
Felix Fietkau
a112ed4126 unetd: update to Git HEAD (2024-03-31)
52144f723bec pex: after receiving data update req, notify peer of local address/port
29aacb9386e0 pex: track indirect hosts (reachable via gateway) as peers without adding them to wg
48049524d4fc pex: do not send peer notifications for hosts with a gateway
12ac684ee22a pex: do not query for hosts with a gateway
203c88857354 pex: fix endian issues on config transfer
a29d45c71bca network: fix endian issue in converting port to network id
cbbe9d337a17 unet-cli: emit id by default
806457664ab6 unet-cli: strip initial newline in usage message

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-03-31 19:42:30 +02:00
Robert Marko
bf4c04a4d0 hostapd: fix Argument list too long build error
Currently, both CI and local builds of wpa-supplicant will fail with:
/bin/sh: Argument list too long

Its happening as the argument list for mkdir in build.rules is too large
and over the MAX_ARG_STRLEN limit.

It seems that recent introduction of APK compatible version schema has
increased the argument size and thus pushed it over the limit uncovering
the issue.

Fixes: e8725a932e ("treewide: use APK compatible version schema")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-03-25 11:02:16 +01:00
Paul Spooren
e8725a932e treewide: use APK compatible version schema
Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.

 - Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.

For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data

Signed-off-by: Paul Spooren <mail@aparcar.org>
2024-03-22 22:14:22 +01:00
Daniel Golle
56448cc8c1 umdns: fix PKG_MIRROR_HASH
PKG_MIRROR_HASH was accidentally generated with already APK-adapted
version string in the filename. That can't work (yet). Regenerate and
hash the file with the currently used version scheme to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-03-20 23:44:10 +00:00
Daniel Golle
5d34c835a1 umdns: update to git HEAD
e91ed40 ubus: assume that the service iface can be NULL
 4094a3c interface: remove unused peer field
 8a0c9db interface: add missing cache cleanup on interface free
 3b341f4 add the ability to announce additional hostnames

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-03-20 19:43:10 +00:00
Daniel Golle
330d67ecc0 umdns: add /etc/umdns/ to mount namespace jail
Make sure /etc/umdns/ is accessiable for the umdns process if it
exists and umdns is run with umdns.@umdns[0].jail='1'.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-03-20 19:23:50 +00:00
Hauke Mehrtens
28c87d7ecd dnsmasq: Backport 2 upstream patches
These two patches are fixing minor problems with DNSSEC found shortly
after the dnsmasq 2.90 release.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-03-20 01:18:21 +01:00
Robert Marko
694e647784 dnsmasq: reset PKG_RELEASE
dnsmasq was recently updated to 2.90, but PKG_RELEASE was not reset to 1.

Fixes: 838a27f64f ("dnsmasq: version 2.90")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-03-13 14:02:23 +01:00
Paul Donald
f753d3152f lldpd: update URL
update Makefile URL

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-12 20:41:01 +01:00
Paul Donald
5364fe0f01 lldpd: shellcheck fixes
No functionality/behaviour changes; code is synonymous

Tested on: 22.03.6

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-12 20:40:25 +01:00
Paul Donald
497fafb8ae lldpd: implement lldp_policy parameter
For certain lldp_class scenarios (2 & 3) a policy must be set also.
Class 4 is default, although it's good to handle the policy eventuality.

Here, set a default lldp_policy for all lldp_class scenarios. Any
lldp_policy can now be set.

Depends on PR #14584 (which introduced an `if` block)

Tested on 22.03.5, 22.03.6

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-12 20:39:06 +01:00
Paul Donald
53252eeb3b lldpd: Implement location parameter
Previously only partially implemented. After commit
5007f488bb lldp_location was never removed

Now, add the value of lldp_location to the generated config.

The location param has a few syntaxes, so the config acquires the first
usage from the man page: 'address country EU'

Supplementary fix for PR #14193 (this param was included in the original
PR #13018 but the lldp_location fixes were absent from PR #14193).

Tested on 22.03.5, 22.03.6

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 15:35:58 +01:00
Paul Donald
79ee4cb039 lldpd: fix error "sh: XXXms: bad number"
from commit 3ce909914a

The lldpd man page says that "configure lldp tx-interval" can
specify an interval value in milliseconds by appending a "ms" suffix to
the figure. Thus mandating string handling, and not integer comparison.

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
228d4e7f1b lldpd: refactor out ifaces derivation; reuse function
from commit 909f063066

Now pass two params to get_config_cid_ifaces() for:

cid_interface
interface

Each of which is a CSV of interfaces.

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
4dcece46a7 lldpd: remove unneeded quotes
from commit a5f715da71

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
bd1b17d589 lldpd: remove unneeded quotes and variable quoting
from commit ac771313eb

portidsubtype takes 1 of 2 possible keywords which do not need quoting:

         configure lldp portidsubtype ifname | macaddress

The third keyword 'local' is used in the syntax when individual ports
are being defined:

         configure [ports ethX [,…]] lldp portidsubtype local value

When this syntax is used, quoting is useful (see test cases for lldpd).
In the init file, the 'local' syntax is unused.

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
24a4da527f lldpd: remove unneeded quotes and variable quoting
from commit c98ee4dbb3

agent-type takes 1 of 3 possible keywords which do not require quoting:

         configure lldp agent-type nearest-bridge | nearest-non-tpmr-bridge
         | nearest-customer-bridge

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
b039641071 lldpd: remove unneeded quotes and variable quoting
from commit 3ce909914a

'capabilities enabled x' where x is a string of CSV

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
82ec853284 lldpd: remove unneeded quotes
from commit 3ce909914a

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
20a4dddeb0 lldpd: remove unneeded quotes and variable quoting
from commit 24176a6bdd

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
4fb8fea6de lldpd: fix a paste error
from commit 1be2088a52

The original PR #13018 did not exhibit this.

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
1909b6f883 lldpd: spell fixes
Supplementary fix for PR #14193

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Paul Donald
97eb3bf76c lldpd: fix -k 'lldp_no_version' row
Supplementary fix for PR #14193 and commit
b67182008f

Tested on 22.03.5

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-03-11 09:58:20 +01:00
Nathaniel Wesley Filardo
838a27f64f dnsmasq: version 2.90
Bump to 2.90 to get upstream's fix for DNSSEC KeyTrap (CVE-2023-50387,
CVE-2023-50868) among many other goodies and fixes (notably, upstream
568fb024... fixes a UAF in cache_remove_uid that was routinely crashing
dnsmasq in my deployment).

Catch up our 200-ubus_dns.patch, too.

Signed-off-by: Nathaniel Wesley Filardo <nwfilardo@gmail.com>
2024-03-11 09:55:15 +01:00
Paul Donald
dd8850756d umdns: prevent a few 'uci: Entry not found'
pass '-q' switch to uci to prevent spurious output

Signed-off-by: Paul Donald <newtwen@gmail.com>
2024-02-27 20:10:08 +01:00
Julius Lehmann
1d456c5e7a dnsmasq: Fix wrong format for --dhcp-boot option
dnsmasq --dhcp-boot option uses 'tag' instead of 'net' to specify tags

Signed-off-by: Julius Lehmann <lehmanju@devpi.de>
2024-02-26 21:24:37 +01:00
Yegor Yefremov
62acd9a2f9 dnsmasq: rework network interface ignore
In some situations (slow protocol or interfaces with auto 0), the
interfaces are not available during the dnsmasq initialization and
hence, the ignore setting will be skipped.

Install an interface trigger for ignored interfaces in case their
ifname cannot be resolved.

Signed-off-by: Yegor Yefremov <yegorslists@googlemail.com>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2024-02-22 09:17:25 +01:00
Konstantin Demin
3f96246e97 dropbear: better handle interfaces
- introduce 'DirectInterface' option to bind exactly to specified interface;
  fixes #9666 and late IPv4/IPv6 address assignment
- option 'DirectInterface' takes precedence over 'Interface'
- improve interface/address handling,
  e.g. verify count of listening endpoints due to dropbear limit (10 for now)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
865ae1c10c dropbear: better handle receive window size
- correct maximum receive window size
- adjust receive window size against maximum allowed value
- warn about too high receive window size in syslog

improves f95eecfb

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
05100d8651 dropbear: adjust file permissions
runtime:
- adjust ownership/permissions while starting dropbear
build time:
- correct file permissions for preseed files in $(TOPDIR)/files/etc/dropbear/ (if any)

closes #10849

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
a97e0dad6e dropbear: 'rsakeyfile' -> 'keyfile' transition
end users should have done this since OpenWrt 19.07.
if they didn't do this yet - perform auto-transition.

schedule 'rsakeyfile' removal for next year release.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
ff1ccd85e8 dropbear: failsafe: handle all supported key types
dropbear may be configured and compiled with support for different host key types

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
55218bcedb dropbear: minor config reorder
move DROPBEAR_ASKPASS under DROPBEAR_DBCLIENT (in all meanings)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
c87a192386 dropbear: split U2F/FIDO support
these options allow one to configure U2F/FIDO support in more granular way

inspired by upstream commit aa6559db

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
bf900e02c7 dropbear: add option to enable modern crypto only
reduces binary/package size and increases overall performance

also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
  to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
88c8053d47 dropbear: adjust allowed shell list
this takes an effect only if getusershell(3) is missing

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
7f6fcaa3bf dropbear: honor CONFIG_TARGET_INIT_PATH
fixes 65256aee

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
2d9a0be307 dropbear: disable two weak kex/mac algorithms
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
0b277f8659 dropbear: minor config clarification
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
  and DROPBEAR_DBCLIENT_AGENTFORWARD:
  describe why and where it should be disabled

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
fa849fd411 dropbear: better object cleanup
improves b78aae79

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
f2b2293663 dropbear: allow more complex configuration
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
  this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
  which is more likely to be than values with commas;
  use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.

improves e1bd9645

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
b5cde26048 dropbear: cherry-pick upstream patches
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)

various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels

adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
d4dfb566e2 dropbear: bump to 2022.83
- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Stephen Howell
d274867c21 lldpd: add option to force EDP
allow EDP support if compiled and add force EDP option

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
8b2d02e48c lldpd: only use snmp options when compiled in
prevent SNMP options being passed unless lldpd supports them

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
1b36d44323 lldpd: Update Makefile package release
increment Makefile package release to reflect changes to init script

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
a5f715da71 lldpd: add option for tx delay and tx hold
add option to set LLDP transmit delay, hold timers to set update frequency

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
4159acceeb lldpd: add option to set system platform
add option to override system platform instead of using kernel name

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
4ac134aa78 lldpd: add option to force SONMP enabled
add option to force SONMP to be enabled even when no peer detected

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
1be2088a52 lldpd: add option to force FDP on
add option to force FDP when no peers detected

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
b67182008f lldpd: set CDP version and allow forcing CDP on
add option to specify CDPv1 or CDPv2 and separately enable or force each

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
61dbe756d8 lldpd: allow disabling LLDP protcol
add option to allow LLDP disabling while using other supported protocols

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
ac771313eb lldpd: add portidsubtype option
add option portidsubtype to correct port identifiers and descriptions

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
c98ee4dbb3 lldpd: add agent-type option
add option to set agent-type to control propogation

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
24176a6bdd lldpd: add LLDP MED options
add option to enable LLDP MED fast-start and set fast-start timer

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
1753498b01 lldpd: option to disable LLDP-MED inventory TLV
add option to disable LLDP-MED inventory TLV transmission

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
058f284b1a lldpd: Init adds no-version option
add option to disable advertising kernel version

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
ac3ed75309 lldpd: Allow neighbour filtering
add filter option to init script.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
064b4999ad lldpd: LLDPD binds to only specified interfaces
Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
e483c247dc lldpd: Init config read on reload
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Felix Fietkau
2716853132 wifi-scripts: add new package, move wifi scripts to a single place
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-03 16:16:36 +01:00
Daniel Golle
7eee094f01 uhttpd: bump PKG_RELEASE
Bump PKG_RELEASE which should have been done by commit 7b1c3068b7
("uhttpd: restart when interface to listen becomes available").

Fixes: 7b1c3068b7 ("uhttpd: restart when interface to listen becomes available")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-02 04:22:17 +00:00
Daniel Golle
7b1c3068b7 uhttpd: restart when interface to listen becomes available
Currently uhttpd won't start with a listening interface configured if
the interface isn't already up at the time uhttpd starts. Make sure we
attempt to start uhttpd when it comes up.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-01 00:52:54 +00:00
Rany Hany
59f67b2010 hostapd: fail R0KH and R1KH derivation when wpa_psk_file is used
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.

Signed-off-by: Rany Hany <rany_hany@riseup.net>
2024-01-25 20:02:40 +01:00
Jesus Fernandez Manzano
e2f6bfb833 hostapd: fix 11r defaults when using SAE
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
2024-01-25 20:02:40 +01:00
Jesus Fernandez Manzano
cdc4c55175 hostapd: fix 11r defaults when using WPA
802.11r can not be used when selecting WPA. It needs at least WPA2.

This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.

Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
2024-01-25 20:02:40 +01:00
Felix Fietkau
195cf4b58d hostapd: remove obsolete function
Leftover from authsae, which was removed a long time ago

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-25 20:02:30 +01:00
David Bauer
56d7887917 hostapd: ACS: Fix typo in bw_40 frequency array
[Upstream Backport]

The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.

Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2024-01-18 23:22:33 +01:00
Felix Fietkau
912e573127 hostapd: add back missing function for updating wpa_supplicant macaddr list
Make the call deferred instead of blocking to avoid deadlock issues

Fixes: 3df9322771 ("hostapd: make ubus calls to wpa_supplicant asynchronous")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 16:12:34 +01:00
Felix Fietkau
12c8bba731 hostapd: fix an exception in hostapd.uc on interface add failure
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 15:22:27 +01:00
Felix Fietkau
5b8f188c0f Revert "mac80211: rework interface setup, fix race condition"
This reverts commit b7f9742da8.
There are several reports of regressions with this commit. Will be added
back once I've figured out and fixed the cause

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 11:19:34 +01:00
Felix Fietkau
b7f9742da8 mac80211: rework interface setup, fix race condition
Only tell netifd about vifs when the setup is complete and hostapd +
wpa_supplicant have been notified

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 10:40:43 +01:00
Felix Fietkau
3df9322771 hostapd: make ubus calls to wpa_supplicant asynchronous
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other

Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 09:15:54 +01:00
Rafał Miłecki
1f11a4e283 uhttpd: handle reload after uhttpd-mod-ubus installation using postinst
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.

This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd6 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c70 ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-01-10 17:06:56 +01:00
Felix Fietkau
d864f68232 hostapd: add missing NULL pointer check on radar notification
Fixes a race condition that can lead to a hostapd crash

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-09 11:06:24 +01:00