Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
This reverts commit 78edfff530.
This breaks local dns resolving in case noresolv=1 as resolv.conf is not
populated anymore with 127.0.0.1 as resolvfile does not equal
/tmp/resolv.conf.auto anymore.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Change network_get_subnet6() to sensibly guess a suitable prefix
Attempt to return the first non-linklocal, non-ula range, then attempt
to return the first non-linklocal range and finally fall back to the
previous behaviour of simply returning the first found item.
* Fix network_get_ipaddrs_all()
Instead of replicating the flawed logic appending a fixed ":1" suffix
to IPv6 addresses, rely on network_get_ipaddrs() and network_get_ipaddrs6()
to build a single list of all interface addresses.
* Fix network_get_subnets6()
Instead of replicating the flawed logic appending a fixed ":1" suffix
to IPv6 addresses, rely on the ipv6-prefix-assignment.local-address
field to figure out the proper network address.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Rework the network_get_ipaddr6() and network_get_ipaddrs6() functions to
fetch the effective local IPv6 address of delegated prefix from the
"local-address" field instead of naively hardcoding ":1" as static suffix.
Fixes FS#829.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Overwrite an already set proto if a new one is passed to
_ucidef_set_interface() similar to what is done for the interface.
It is required when using ""ucidef_set_interface_wan 'ptm0' 'pppoe'"
after some initial wan interface configuration is already done by
ucidef_add_switch.
The "json_is_a protocol string" guard is meant to not reset an earlier
set interface proto in case something like
"ucidef_set_interface_lan 'eth0'" is used afterwards.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The umdns init script includes function/network.sh globally, outside of any
service procedure. This causes init script activation to fail in buildroot
and IB context if umdns is set to builtin.
Additionally, the network.sh helper is not actually used.
Drop the entire include in order to repair init script activation in build
host context. Fixes FS#658.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This is a cumulative backport of multiple dnsmasq update commits in master.
Drops three LEDE specific patches which are included upstream and another
patch which became obsolete. Remaining LEDE specific patches are rebased.
Fixes FS#766 - Intermittent SIGSEGV crash of dnsmasq-full.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
If there's a TFTP root directory configured, create it with mkdir -p
(which does not throw an error if the folder exists already)
before starting dnsmasq. This is useful for TFTP roots in /tmp, for example.
Originally submitted by nfw user aka Nathaniel Wesley Filardo
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
The relay section should use the logical interface name and
not the linux network device name directly. This to be
consistent with other sections of the dnsmasq config where
'interface' means the logical interface.
Signed-off-by: Karl Vogel <karl.vogel@gmail.com>
If noresolv is set, we should not generate a --resolv-file parameter.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [minor cleanup]
Brings the following changes:
22f041e18df0 Extend StandardEject sequence to include LUN 1
61fdf7e9b1cc cmake: Search for libjson-c
2769852e76b5 cmake: Find libubox/blobmsg_json.h
8a47c4b6649f add TargetClass support
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
The previous CVE bugfix commit did not adjust PKG_RELEASE, therefor the
fixed samba package does not appear as opkg update.
Bump the PKG_RELEASE to signify upgrades to downstream users.
Ref: https://forum.lede-project.org/t/sambacry-are-lede-devices-affected/3972/4
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to latest Git HEAD in order to import a number of fixes and other
improvements:
a4d98ae options: remove stray continue statement
3d2c18a options: improve handling of negations when parsing space separated values
0e5dd73 iptables: support -i, -o, -s and -d in option extra
4cb06c7 ubus: increase ubus network interface dump timeout
e5dfc82 iptables: add exception handling
f625954 firewall3: add check_snat() function
7d3d9dc firewall3: display the section type for UBUS rules
53ef9f1 firewall3: add UBUS support for include scripts
5cd4af4 firewall3: add UBUS support for ipset sections
02d6832 firewall3: add UBUS support for forwarding sections
0a7d36d firewall3: add UBUS support for redirect sections
d44f418 firewall3: add fw3_attr_parse_name_type() function
e264c8e firewall3: replace warn_rule() by warn_section()
6039c7f firewall3: check the return value of fw3_parse_options()
c328d1f build: use -Wno-format-truncation instead of -Wno-error=format-truncation
e06e537 utils: replace sprintf use with snprintf to avoid overflows
533f834 build: disable the format-truncation warning error to fix gcc 7 build errors
e751cde zones: drop outgoing invalid traffic in masqueraded zones
d596f72 rules: fix UCI context in error reporting
1d0564c ubus: fix interface name and proto lookup
82ccd9e firewall3: fix handling of UTC times
1949e0c iptables: support xtables API > 11
Fixes FS#548, FS#640, FS#806, FS#811.
Ref: https://forum.lede-project.org/t/nat-leakage-on-tl-wr1043nd-v4/1712
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
One of the latest mac80211 updates added sanity checks, requiring the
beacon intervals of all VIFs of the same radio to match. This often broke
AP+11s setups, as these modes use different default intervals, at least in
some configurations (observed on ath9k).
Instead of relying on driver or hostapd defaults, change the scripts to
always explicitly set the beacon interval, defaulting to 100. This also
applies the beacon interval to 11s interfaces, which had been forgotten
before. VIF-specific beacon_int setting is removed from hostapd.sh.
Fixes FS#619.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Setting legacy_rates to 0 disables 802.11b data rates.
Setting legacy_rates to 1 enables 802.11b data rates. (Default)
The basic_rate option and supported_rates option are filtered based on this.
The rationale for the change, stronger now than in 2014, can be found in:
https://mentor.ieee.org/802.11/dcn/14/11-14-0099-00-000m-renewing-2-4ghz-band.pptx
The balance of equities between compatibility with b clients and the
detriment to the 2.4 GHz ecosystem as a whole strongly favors disabling b
rates by default.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup, defaults change]
Do not select the qca988x by default as soon as kmod-ath10k is
selected. We do support more ath10k chips than the qca988x in the
meantime, so this dependency doesn't make sense any longer.
Signed-off-by: Mathias Kresin <dev@kresin.me>
binutils 2.27 checks if the target compiler supports -Wstack-
usage=262144, and also uses this setting for the host compiler. If the
host compiler is gcc < 4.9 binutils build will fail. This backports 2
commits which are fixing this problem for binutils 2.28.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix build of scriptreplay with uClibc.
Some parts of the libm detection were backported to 2.29.2, but some
parts were missing, which are added here. This patch is needed when
libm is a separate library, this is not needed for LEDE master, because
libm is there integrated in the libc for uClibc and musl.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
- Security: Fix double-free in server TCP listener cleanup A double-free
in the server could be triggered by an authenticated user if dropbear is
running with -a (Allow connections to forwarded ports from any host)
This could potentially allow arbitrary code execution as root by an
authenticated user. Affects versions 2013.56 to 2016.74. Thanks to Mark
Shepard for reporting the crash.
CVE-2017-9078 https://secure.ucc.asn.au/hg/dropbear/rev/c8114a48837c
- Security: Fix information disclosure with ~/.ssh/authorized_keys
symlink. Dropbear parsed authorized_keys as root, even if it were a
symlink. The fix is to switch to user permissions when opening
authorized_keys
A user could symlink their ~/.ssh/authorized_keys to a root-owned file
they couldn't normally read. If they managed to get that file to contain
valid authorized_keys with command= options it might be possible to read
other contents of that file.
This information disclosure is to an already authenticated user.
Thanks to Jann Horn of Google Project Zero for reporting this.
CVE-2017-9079 https://secure.ucc.asn.au/hg/dropbear/rev/0d889b068123
Refresh patches, rework 100-pubkey_path.patch to work with new
authorized_keys validation.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
This includes following changes:
0e8b948 Support specifying instance name in JSON file
49fdb9f Support PTR queries for a specific service
26ce7dc Allow filtering with instance name in service_reply
920c62a Store instance name in the struct service
ff09d9a Rename service_name function to the service_instance_name
64f78f1 Rename mdns_hostname variable to the umdns_host_label
Previous package update pulled commit 70c66fbbcde86 ("Fix sending
replies to PTR questions") which introduced a regression which this
update fixes.
Fixes: 474c31a20d ("umdns: update to the version 2017-03-21")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Add rut5xx GPIO PIN selection to om-package startup script.
Testet on a RUT500 device, the timeout value of the hardware watchdog
is about 280 sec.
Signed-off-by: Steffen Weinreich <steve@weinreich.org>
[split into two commits, bump PKG_RELEASE]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Update OpenVPN to 2.4.1
Remove 200-small_build_enable_occ.patch as it's included upstream.
Refresh patches
Add mirror and switch to HTTPS
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
This change protects the openvpn instances to be marked as "in a crash
loop" and thereby the connection retries will run infinitely.
When the remote site of an openvpn connection goes down for some time
(network failure etc.) the openvpn instance in an openwrt/lede device
should not stop retrying to establish the connection.
With the current limit of 5 retries, there is a user interaction
required, which isn't really what you want when the device should
simply do everything to keep the vpn connection up.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Configuring dhcp_option as an option does not allow the usage of white
spaces in the option value; fix this by supporting dhcp_option as a list
config while still supporting the option config to maintain backwards
compatibility
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Commit 2036ae4 (base-files: support hostname and ntp servers through board.d)
was supposed to implement these procedures but lacked the required changes
to uci-defaults.sh.
Add the missing procedures now to fix config generation on targets relying
on hostname or NTP server presetting.
Fixes FS#754.
Reported-by: Cristian Morales Vega <cristian@samknows.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
update RF register 47 and 54 values according to vendor driver
Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]
Use register values from init LNA function instead of the ones from
restore LNA function. Apply register values based on rx path
configuration.
Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[daniel@makrotopia.org: moved changes into a separate patch]
Some of our local patches have been accepted upstream. And there are
some more relevant changes (mostly for rt2800usb). Import them and
rebase our remaining local patches on top.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Introduce RT6352 instead of matching against RF7620.
Clean up channel setting rfvals.
Port bandwidth filter calibration.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
So here is another round of improvements for MT7620 WiFi.
This commit fixes a few significant issues related to TX_PWR_CFG_x and
TX_ALC and also makes the code more readable by adding register
descriptions for things added for MT7620 and use the usual bit-field
access macros and the now defined macros instead of plain bit-ops and
magic numbers.
Properly describe EEPROM_TARGET_POWER at word 0x68 (== byte 0xD0) and
thereby fix internal TXALC which would otherwise just read
out-of-bounds of the EEPROM map.
Split-out tx-power/ALC related stuff into an additional function.
Fix VCO calibration, it was carried out properly in the channel
switching but incomplete in the actual VCO calibration function.
Also there is no need to trigger VCO calibration in channel switching,
the VCO calibration function is already being called at this point.
Remove it from channel switching function to avoid redundant code.
The TX power calibration differs significantly from all other
Mediatek/Ralink chips: They finally allow 0.5dB steps stored as 8-bit
values for (almost) each bitrate -- and promptly ran out of space and
for some reason didn't want to change the EEPROM layout. The hence
opted for a scheme of sharing values for some adjecent bitrates and
a highly over-complicated (or obfuscated?) way to populate the
TX_PWR_CFG_x registers with the values stored in the EEPROM.
The code here now looks much less complicated than what you see in the
vendor's driver, however, it does the exact same thing:
bGpwrdeltaMinus is a constant and always TRUE, hence half of the
code was dead. Gpwrdelta is always 0 (rather than using the value read
from the EEPROM). What remains is some very grotesque effort to avoid
0x20, probably some hardware bug related to some misunderstanding of
what a singed 8-bit value is (imagine: if it was a signed 6-bit value
then someone could believe that 0x20 == 0x0). And then they didn't
clean it up once they later on anandonned that whole story of having a
constant offset for 40 MHz channels and just set the offset to be
constant 0 -- there is no effort for avoiding 0x20 for the 20 MHz
values stored in the EEPROM, hence that's probably just a forbidden
value in the EEPROM specs and won't appear anyway...
Anyway, the whole thing felt like solving some college math test
where in the end everything cancels out and the result equals 0 ;)
To make sure that channel bandwidth power compensation really doesn't
need to be taken care of, output a warning when the corresponding
value stored in the EEPROM is non-zero.
Also there is no apparent reason to refrain from initializing RFCSR
register 13, it doesn't fail what-so-ever.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The tx power applied by set_txpower is limited by the CTL (conformance
test limit) entries in the EEPROM. These can change based on the user
configured regulatory domain.
Depending on the EEPROM data this can cause the tx power to become too
limited, if the original regdomain CTLs impose lowr limits than the CTLs
of the user configured regdomain.
To fix this issue, set the initial channel limits without any CTL
restrictions and only apply the CTL at run time when setting the channel
and the real tx power.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
If a device uses the default EEPROM code, typically only the main CTLs
are valid, and they do not apply properly when switching to a different
regulatory domain. If the regdomain deviates from the EEPROM one, force
the world roaming regdomain to ensure that power limits are sane
Signed-off-by: Felix Fietkau <nbd@nbd.name>
9268ca6 ndp: don't trigger IPv6 ping when neighbor entry is invalid
2b3355f ndp: fix adding proxy neighbor entries
7dff5b4 ndp: fix wrong interface name in syslog message
a54afb5 dhcpv6-ia: Fix segfault when writing DHCPv4 leases in state file
c0e9dbf ubus: don't segfault when there're no leases
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Fixes build issues with some toolchains that don't add lcrypt in the default
search paths:
CMakeFiles/rpcd.dir/session.c.o: In function `rpc_login_test_password':
build_dir/target-mipsel-linux-gnu/rpcd-2016-12-03-0577cfc1/session.c:823: undefined reference to `crypt'
collect2: error: ld returned 1 exit status
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Due to an oversight during patch conflict resolution, the PKG_VERSION got
accidentially bumped instead of the PKG_RELEASE field.
Revert the bad version change as there exists no upstream 1.25.2 version.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When invoking "nslookup_lede" with a domain argument and without explicit
query type, issue both A and AAAA queries and display the resulting IP
addresses in a numbered list style, similar to how the old BusyBox nslookup
used to output the records.
This is required for compatibility with certain scripts.
Ref: https://forum.lede-project.org/t/nslookup-ipv6-in-lede-17-01-1
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The ":*" optstring syntax was only recently introduced with BusyBox v1.26,
older versions need a corresponding hint in the "opt_complementary" variable
to denote flag values that should be stored as llist entries.
Add the required opt_complementary entry to fix random SIGBUS, SIGILL or
SIGSEGV related crashes on BusyBox 1.25.x when attempting to use the "-q"
flag of the "nslookup_lede" applet.
Ref: https://forum.lede-project.org/t/nslookup-ipv6-in-lede-17-01-1
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fixes FS#684 with commit 21a4bd0
Changes since current version. All changes except the ones prefixed
with asterisks are for bugfixes. Module aliases awareness is expected
by the kernel to be a basic facility and is required for properly
initializing wireguard.
16f7e16 syslog: remove unnecessary sizeof struct between messages
21a4bd0 kmodloader: modprobe: return 0 for loaded modules
3dc78a4 kmodloader: don't store aliases info in struct module
c553354 cmake: fix typo
8973576 kmodloader: fix not being able to find some modules
fce9382 cmake: Check for getrandom system call
ac2d43e kmodloader: support '-q' quiet option
*f8d3d16 ubox: Add an option for more accurate timestamps in log
14839f0 kmodloader: make insert_module() idempotent
*6e3c6dc kmodloader: add module alias awareness
9371411 kmodloader: fix out-of-bound access when parsing .modinfo
a62c946 kmodloader: modprobe: skip possible command line arguments
*46a4b5f kmodloader: log to kmsg when loading directories of modules
eacc426 kmodloader: remove redundant glob wildcard char
8488bb5 ubox: Initialize conditionally uninitialized variabled
db070f1 ubox: Fix some memory leaks
acc48b5 kmodloader: Fix typo in error message
Size comparison on x86_64 host
function old new delta
main 2190 2344 +154
scan_module_folder 665 793 +128
alloc_module_node - 113 +113
.rodata 946 1036 +90
alloc_module 202 245 +43
free_modules 77 119 +42
load_modprobe 209 237 +28
scan_loaded_modules 241 265 +24
avl_modcmp 45 67 +22
insert_module 204 224 +20
find_module 13 30 +17
static.optind@@GLIBC_2 - 4 +4
static.load_moddeps 118 117 -1
scan_module_folders 55 54 -1
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 10/2 up/down: 685/-2) Total: 683 bytes
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.
Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,
Fixes#572
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Protect any IPv6 related with appropriate guards to fix compilation with
disabled IPv6 support in Busybox.
Fixes#728.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Since the LEDE nslookup applet is already specific to LEDE, move the
libresolv detection into the busybox Makefile that LEDE uses.
This fixes builds with external toolchains that don't automatically
search for headers and/or libraries without being told so.
Fixes: de5b8e5d2f ("busybox: add musl compatible nslookup replacement")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Add an alternative nslookup applet implementation which is compatible with
musl libc wrt. name server selection and which supports a number of additional
features such as query type selection.
Fixes#155, #217
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update util-linux to 2.29.2
Remote 0001-fix-uClibc-ng-scanf-check.patch as it's been merged upstream.
Refresh patches
Change ncurses to ncursesw to fix compilation and avoid confusion
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [remove faulty dependency changes]
Commit 131db36 "build: remove separate /install step for host builds" dropped
the package/*/host/install targets in favor to performing the install steps
within the compile target instead.
Adjust package/Makefile accordingly in order to prevent a missing
staging_dir/host/bin/opkg when staging package archives into the rootfs.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ntpd from Busybox supports peer-less (standalone) mode when it's started
with option -l and without any peer provided with option -p. In this
mode ntpd uses local time as reference and acts as stratum 1 server.
This mode can be used in isolated networks, where Internet access and/or
other NTP server/s are not available, but the device has some other way
of getting correct time, like e.g. GPS (ugps supports setting local time
by default).
Support for this mode was incorrectly disabled/removed in:
1527f96ca6
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
The ugps tool expects device path in last argument. If it's provided
before other options, they won't be processed at all.
Additionally, make it possible to use absolute path for gps character
device in related uci configuration.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Commit 5c20a4fec9 ("ubox: turn logd into a separate package") changed
the PKG_SOURCE_DATE which is also included in the tar file. This change
resulted in a new tar with a different hash, but the sha256 hash was not
updated. Fix the sha256 hash value in this commit to match what would be
created from git and what is already on the mirror.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
The sha256sum added in commit b8567cb44e ("odhcpd: update to git HEAD
version (FS#396)") does not match the sha256sum of the file on the mirror or
when I clone it. Update the sha256 sum to the correct value.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
These are recommended practices by REC-22 and REC-24 of RFC6092:
"Recommended Simple Security Capabilities in Customer Premises Equipment
(CPE) for Providing Residential IPv6 Internet Service"
Fixes FS#640
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Make scan output useful for 802.11s meshes. The common print_ssid function
is used, so this doesn't add any additional code.
Based-on-patch-by: Jan-Tarek Butt <tarek@ring0.de>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This includes following changes:
480d7bc Fix sending unicast questions on cache expire
a0403cd Keep source sockaddr for every cached DNS record
1478293 Fix code freeing cached non-A(AAA) records too early
9f1cc22 Fix replying to "QU" questions received on unicast interface
943bedb Fix reading port of incoming packets
c725494 Use MCAST_PORT define for port 5353
ce7e9e9 Use one define for DNS-Based Service Discovery service name
e1bacef Drop entries cached for interface we're going to delete
496aeba Fix comment typo in cache_gc_timer
f89986b Fix refreshing cached A(AAA) records that expire
Previous updates made umdns work as expected on startup but there were
still many bugs. They were mostly related to runtime - cache management
and requests + responses. E.g. umdns was never able to send question on
DNS record expire. It was also ignoring all incoming unicast questions.
Since these issues are quite serious it makes sense to backport this
update to the stable branch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This includes 3 cleanups:
fd5a160 Don't cache hosts as services
80dd246 Refresh DNS records A and AAAA directly
6515101 Access cached records (instead of services) to read list of hosts
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds option to build kernel module and firmware packages
for a Marvell 8887 SDIO Wireless device
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This fixes crash in interface_start caused by freeing interface in
interface_free without stopping a timeout.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Honour the parent interfaces peerdns option when spawning a virtual DHCPv6
interface in order to avoid pulling in IPv6 DNS servers when the user opted
to inhibit peer DNS servers in the configuration.
Fixes#597.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Drops a LEDE carried patch now upstream.
Convert to autotools.
A number of nits fixed upstream (dns & short packet handling most
notable)
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
When not defining 'device' or 'vlan' in relevant switch_port uci
sections, behaviour is inconsistent due to *devn, *port and *vlan
pointers not being zero initialized.
Signed-off-by: Ben Kelly <ben@benjii.net>
stop() is overwritten by rc.common, so implement stop_service instead.
While at it, remove the now unnecessary restart() override
Signed-off-by: Felix Fietkau <nbd@nbd.name>
px5g-standalone only supports SHA1 for certificates, which is strongly
deprecated. The new px5g-standalone is about 27k bigger (compressed),
and has identical behavior to px5g-mbedtls (it uses SHA256).
Signed-off-by: Felix Fietkau <nbd@nbd.name>
as we do for IPv4 PPP interfaces. When we create the
dynamic IPv6 interface we should inherit ip6table from
main interface.
Signed-off-by: Ulrich Weber <ulrich.weber@riverbed.com>
pppoe-discovery performs the same discovery process as pppoe, but does
not initiate a session
Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
When running wifi detect, the user will be told on error output that
wifi detect is deprecated, that wifi config must be used instead. Also
the commit that changes it is referenced for further info.
Signed-off-by: David Pinilla Caparrós <dpinitux@gmail.com>
Since commit 5f8f8a3661 wifi detect does
not longer work and wifi config it's used to configure not yet
configured wireless devices.
This commit changes command usage to reflect that change.
Signed-off-by: David Pinilla Caparrós <dpinitux@gmail.com>
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.
Example code to reproduce:
typedef std::multimap<int, int> testmap;
testmap t;
t.insert(std::pair<int, int>(1, 1));
t.insert(std::pair<int, int>(2, 1));
t.insert(std::pair<int, int>(3, 1));
t.erase(t.begin(), t.end());
Signed-off-by: Ben Kelly <ben@benjii.net>
Fixes firmware crash in rare cases and a bug
ath10k_pci 0001:01:00.0: received unexpected tx_fetch_ind event: in
push mode
for those who kept experiencing it after previous firmware update.
Signed-off-by: Pavel Kubelun <be.dissent@gmail.com>
And, update support for 9880 chipsets. The new firmware
fixes a regression with EAPOL 4/4 packets added in
a recent commit.
It also fixes a case where the firmware would improperly try
to use STBC when configured for 1x1 (as 9887 always is).
Signed-off-by: Ben Greear <greearb@candelatech.com>
This adds support for the PCB LEDs and Reset Button found on the PC
Engines APU2/APU3 embedded boards.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
This adds support for the SuperIO chip nct5104d found on the PC Engines
APU boards, which allows for a handful of additional ports, such as 2x
additional UART pinouts, enabling an external watchdog (no driver for
this functionality yet), and 16 GPIO pins. More info can be found at
https://pcengines.ch/ht_gpio.htm
Thanks to @feckert for helping package this.
Cc: Florian Eckert <Eckert.Florian@googlemail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
The subtarget on which the driver still depends was removed with
dee8986b95 because it was unmaintained
for a long time.
Signed-off-by: Mathias Kresin <dev@kresin.me>
5f91241 procd: add cancel_timeout on rc scripts when a runtime_timeout is specified
961dc69 procd: stop service using SIGKILL if SIGTERM failed to do so
Fixes FS#516.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 946d1dfb87)
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
- Fix eap test to work with standalone hostapd builds
- Fix 11n test to check the correct define
- Add 11ac, 11r and 11w tests
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This is required for default wireless configuration of malta target to
work out of the box again. Fixes "77ece30e: hostapd: Add ability to
specify that that wireless driver supports 802.11ac"
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
key_direction shows up as an openvpn option in the user-interface but does not end up in the /var/etc/openvpn*.conf file. Adding it to the list here fixed the issue for me.
Signed-off-by: Brandon Koepke <bdkoepke@fastmail.com>
[Fixes FS#537]
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
c09e4f0 ubusd: fix incomplete copy of shared buf during queue-ing
453b87f cli: add support for subscribing to objects
6eb3c96 cli: do not use default timeout for listen
dfe3383 libubus: reset ctx->sock.error when doing ubus reconnect
34c6e81 cli: fix listen_timeout compile issue
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Adds the following fixes:
91acde6 libubus: do not modify uloop_cancelled
763b9b2 libubus: reset ctx->sock.eof to fix reconnect issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Adds the following changes:
de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Includes the following changes:
9edff13abd mac80211: disable potentially harmful PS software retry for A-MPDU sessions
75216a76b0 mac80211: backport upstream fix for CSA in IBSS mode
368cc8ef47 mac80211: update brcmfmac backporting brcmf_err cleanups
66a63d25c4 mac80211: fix build on linux 3.18
9eacb9d7fc rt2x00: mt7620: lots of improvements
fd94fa61a7 mac80211: brcmfmac: update Raspberry Pi patches for linux 4.9
649e766a64 mac80211: update to wireless-testing 2017-01-31
47540afa5d ath9k: add a warning to the tx99 config option
b367eef21d mac80211: rt2x00: add support for external LNA on MT7620
9200e168f2 mac80211: move (& update) upstream accepted brcmfmac patches
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The driver had a bug when calculating the rateset. This resolves
that and allows full VHT mcs rates on 2x2 hardware.
Signed-off-by: Ben Greear <greearb@candelatech.com>
This patch splits `kmod-mt76` into three separate packages:
`kmod-mt76-core`, `kmod-mt76x2` and `kmod-mt7603`. By making
`kmod-mt76` a metapackage containing these new packages,
the previous behaviour of including all drivers and firmware
is left unchanged, unless explicitly unselected in
`DEVICE_PACKAGES`.
This splitting is especially beneficial for devices with
small flash chips, since the `kmod-mt76` package currently
requires ~160K on squashfs (after compression).
Signed-off-by: Joseph C. Lehner <joseph.c.lehner@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cleanup]
This reverts commit cc66f819b4.
This commit causes opkg to install px5g-standalone instead of px5g when
installing luci-ssl. As luci-ssl depends on mbedtls, using
px5g-standalone makes no sense. Next to that, it creates deprecated SHA1
certificates. Revert the commit to avoid pxg5-standalone to be
installed by accident.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit ca8aee0c57)
Goflexhome/net use uImage, and to boot an uImage the u-boot
must use bootm command, not bootz.
Fixes the "i cannot boot LEDE with this u-boot" issue that I
found out myself with my goflexnet.
Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
The only HMACs currently available use MD5 and SHA1, both of which have known
weaknesses. We already compile in the SHA256 code since we use Curve25519
by default, so there's no significant size penalty to enabling this.
Signed-off-by: Joseph C. Sible <josephcsible@users.noreply.github.com>
(cherry picked from commit 0bf85ef048)
Removing redundant spaces from the name of the option. Without fix:
root@LEDE:~# opkg install ugps
Installing ugps (2016-10-24-32a6b2b7-1) to root...
Downloading http://downloads.lede-project.org/releases/17.01-SNAPSHOT/packages/mips_24kc/base/ugps_2016-10-24-32a6b2b7-1_mips_24kc.ipk
Configuring ugps.
uci: Parse error (invalid character in name field) at line 3, byte 23
uci: Parse error (invalid character in name field) at line 3, byte 23
sh: out of range
root@LEDE:~# uci show gps
uci: Parse error (invalid character in name field) at line 3, byte 23
With this fix:
root@LEDE:~# uci show gps
gps.@gps[0]=gps
gps.@gps[0].tty='ttyACM0'
gps.@gps[0].adjust_time='1'
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
This update includes numerous small fixes for:
1) Interfaces setup
2) Packets parsing
3) Sending replies
Without this there were multiple problems with exchanging information
between (u)mdns and other implementations (including (u)mdns as well).
This also follows project rename to umdns which was required to avoid
confusion with Apple's mdnsd from mDNSResponder project.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This can be used to tweak the buildbot behavior without having to change
buildbot's configuration.
It will also allow us to add more aggressive clean steps (e.g. on
toolchain changes), which would break developers' workflows if enable
by default.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Default trigger action timeout was added to procd.sh in commit f88e3a4c0
(procd: add default timeout for reload trigger actions)
However, the timeout value was not placed under the correct JSON-script
array nesting level and thus did not apply.
To fix this and make the timeout actually apply to the reload triggers,
we place it in the correct scope, that is the per-trigger array.
Fixes: f88e3a4c0a
Signed-off-by: Denis Osvald <denis.osvald@sartura.hr>
Effects of the bugs could include memory corruption, tx hangs, kernel
crahes, possibly other things as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
I needed a moment to figure out relation between this patchset and the
nl80211: fix validation of scheduled scan info for wowlan netdetect
It appears nl80211 commit will go on top of brcmfmac changes so it's
safe to backport these patches.
One patch that was excluded is commit 2a2a5d1835b6 ("brcmfmac: add
.update_connect_params() callback") as it depends on missing commit
088e8df82f91 ("cfg80211: Add support to update connection parameters").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Some debugging/error messages are printed using wpa_printf and this
change allows finally reading them out of the syslog.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This will allow starting hostapd with the new -s parameter and finally
read all (error) messages from the syslog.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
It wasn't possible to read hostapd wpa_printf messages unless running
hostapd manually. It was because hostapd was printing them using vprintf
and not directly to the syslog.
We were trying to workaround this problem by redirecting STDIN_FILENO
and STDOUT_FILENO but it was working only for the initialization phase.
As soon as hostapd did os_daemonize our solution stopped working.
Please note despite the subject this change doesn't affect debug level
messages only but just everything printed by hostapd with wpa_printf
including MSG_ERROR-s. This makes it even more important as reading
error messages can be quite useful for debugging.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
samba.org has started to enforce https and
currently plain http downloads with curl/wget fail,
so convert samba.org download links to use https.
Modernise links at the same time.
Also convert samba.org URL fields to have https.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
wash, mpu & some memory optimisation have now made it to the official
cake repository.
Point LEDE to the official repository.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.
By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:
libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`
Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
c13b6a0 dhcpv6: fix white space error
e9d80cc dhcpv6: trigger restart of DHCPv6 state machine when not
receiving statefull options
c7122ec update README
419fb63 dhcpv6: server unicast option support
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The name will appear in shell prompt and LuCI page title. Uppercase
letters seem to be more vigorous
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
A given signal-name is now converted to the corresonding number. In general
it's good style to use names (readability) and it's more portable: signal
numbers can be architecture-dependent, so we are more safe giving names.
A real world example is signal 10, which is BUS on ramips and USR1 on PPC.
All users of 'procd_send_signal' must change their code to reflect this.
Signed-off-by: Bastian Bittorf <bb@npl.de>
When relying on x.509 certs for auth and / or encryption of traffic you can't
use package openvpn-nossl.
Just have your package depend on openvpn-crypto to have SSL-encryption and
X.509-support enabled in OpenVPN. If encryption / X.509 is not a must, use
virtual packge openvpn, which is provided by all OpenVPN-variants.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
ap_setup_locked is named wps_ap_setup_locked in uci for consistency with other
wps related uci options.
Signed-off-by: Steven Honson <steven@honson.id.au>
The author of the upstream mwlwifi edited the history of the previous commit.
This commit not only fixes the updated hash but also sends in the latest
commits he made to the code which are mainly testing.
Signed-off-by: Gabe Rodriguez <lifehacksback@gmail.com>
Clarify opkg's messages related to downloads:
* more visible error message for package list download failure
* separate error message for signature file download error
* if wget returns 4, signal the network error more clearly
* remove '.' from end of filenames and URLs
* try signature check only if the package list was downloaded ok.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
- Adds support for passing file descriptors in ubus invoke requests
- Fixes clearing pending timers on ubus_shutdown()
- Fixes checking the amount of written data in ubusd
- Fixes an ubusd crash when trying to subscribe to system objects
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The condition is always true due to the literal string followed the
-n test parameter. A model name set by target scripts always gets
overwritten this way.
Change the condition to check for an already existing destination file
as it was before 5e85ae9 ("base-files: fix error message during boot").
Signed-off-by: Mathias Kresin <dev@kresin.me>
HTB and TBF are the basic traffic shapers used by sqm-scripts. Moving
these into kmod-sched-core enables sqm-scripts to downgrade its
dependency from kmod-sched to kmod-sched-core, potentially making it
useful on devices with smaller flash sizes.
This adds around 30k to the size of kmod-sched-core (20k for sch_htb.ko
and 10k for sch_tbf.ko).
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Updates to openvpn.init were included in early OpenVPN 2.4 patch
series, but got lost along the way and were never merged.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
If only a single opkg control file exists (which can happen with
CONFIG_CLEAN_IPKG), grep would not print the file name by default. Instead
of forcing it using -H, we just switch to -l (print only file names) and
get rid of the cut.
Add -s to suppress an error message when no control files exist.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The radio would stop communicating completely. This issue was easiest to
trigger on AR913x devices, e.g. the TP-Link TL-WR1043ND, but other
hardware was occasionally affected as well.
The most critical issue was a race condition in disabling/enabling IRQs
between the IRQ handler and the IRQ processing tasklet
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit c296ba834d.
According to several reports, the issues with the airtime fairness
changes are gone in current versions.
It's time to re-apply the patch now.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
There was a bug in brcmfmac patch that could result in treating random
memory as source of country codes.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
The hostapd_append_wpa_key_mgmt() procedure uses the possibly uninitialized
$ieee80211r and $ieee80211w variables in a numerical comparisation, leading
to stray "netifd: radio0 (0000): sh: out of range" errors in logread when
WPA-PSK security is enabled.
Ensure that those variables are substituted with a default value in order to
avoid emitting this (harmless) shell error.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add PROVIDES:=openvpn to the default recipe in order to let all build variants
provide a virtual openvpn package.
The advantage of this approach is that downstream packages can depend on just
"openvpn" without having to require a specific flavor.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The last two parameters passed between user space tc and kernel space
sched-cake were transposed due to a merge mistake in a parameter header
file.
As such, using a packet overhead figure was likely to set cake to wash
packet DSCP values. Similarly, the DSCP wash flag was used as an offset
to the displayed packet overhead value.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Knowing the package architecture at runtime can be useful, e.g. to
configure opkg repository URLs. The value of ARCH_PACKAGES ("%A" in
VERSION_SED) as added to openwrt_release (as DISTRIB_ARCH) and os-release
(as LEDE_ARCH).
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Currently system log is always included as a part of ubox. Add logd as a
seperate package and add it to default packages list.
Signed-off-by: Andrej Vlasic <andrej.vlasic@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
opkg doesn't have BUILD_VARIANTs anymore, so the previously defined
PKG_BUILD_DIR would lead to a weird 'opkg-' path component.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This allows some basic region switching on Netgear R8000. More devices &
codes may be added. Ideally it should be converted into DT info & patch.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This makes use of cfg80211 feature backported & described in
188626f17c ("mac80211: backport cfg80211 support for
ieee80211-freq-limit DT property").
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fixes build failure for kmod-can-c-can-platform which depends on
kmod-regmap for kernel 4.1 and 4.4.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This patch updates the QCA988X firmware to the latest revision
firmware-5.bin_10.2.4-1.0-00016
found in the official ath10k-firmware repository.
Tested on TP-Link Archer C7 v2.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Packets which are merely forwarded by the router and which are neither
involved in any DNAT/SNAT nor originate locally, are considered INVALID
from a conntrack point of view, causing them to get dropped in the
zone_*_dest_ACCEPT chains, since those only allow stream with state NEW
or UNTRACKED.
Remove the ctstate restriction on dest accept chains to properly pass-
through unrelated 3rd party traffic.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Use ubus process signalling instead of 'kill pidof dnsmasq' for
SIGHUP signalling to dnsmasq when ntp says time is valid.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Most mac80211 drivers leave the SMPS field in the HT capabilities
uninitialized (unfortunately defaults to static SMPS), which leads to
some devices limiting themselves to single-stream rates in some modes
(mostly mesh and IBSS).
Signed-off-by: Felix Fietkau <nbd@nbd.name>
For 988X, 9980, 9984 CT firmware.
This should allow IBSS + RSN on at least the 988X firmware,
and includes recent stability fixes for all firmware.
Signed-off-by: Ben Greear <greearb@candelatech.com>
This at least makes it harder to hit some txq related
crashes on firmware restart, a potential memory leak,
and some other fixes.
Signed-off-by: Ben Greear <greearb@candelatech.com>
This causes problem when a FQDN is configured in /etc/config/system. The
domain name will appear twice in reverse DNS.
Next to that, there seems to be a bug in dnsmasq. From the manual page:
--interface-name=<name>,<interface>[/4|/6]
Return a DNS record associating the name with the primary address
on the given interface. This flag specifies an A or AAAA record for the
given name in the same way as an /etc/hosts line, except that the address
is not constant, but taken from the given interface. The interface may be
followed by "/4" or "/6" to specify that only IPv4 or IPv6 addresses
of the interface should be used. If the interface is down, not configured
or non-existent, an empty record is returned. The matching PTR record is
also created, mapping the interface address to the name. More than one name
may be associated with an interface address by repeating the flag; in that
case the first instance is used for the reverse address-to-name mapping.
It does not just create an A/AAAA record for the primary address, it creates
one for all addresses. And what is worse, it seems to actually resolve to the
non-primary address first. This is quite annoying when you use floating IP
addresses (e.g. VRRP), because when the floating IP is on the other device,
SSH failes due to incorrect entry in the known hosts file.
I know that this is not a common setup, but it would be nice if there was an
option to restore the previous behaviour, rather than just forcing this new
feature on everybody.
Reported-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>