Commit Graph

59809 Commits

Author SHA1 Message Date
Konstantin Demin
3f96246e97 dropbear: better handle interfaces
- introduce 'DirectInterface' option to bind exactly to specified interface;
  fixes #9666 and late IPv4/IPv6 address assignment
- option 'DirectInterface' takes precedence over 'Interface'
- improve interface/address handling,
  e.g. verify count of listening endpoints due to dropbear limit (10 for now)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
865ae1c10c dropbear: better handle receive window size
- correct maximum receive window size
- adjust receive window size against maximum allowed value
- warn about too high receive window size in syslog

improves f95eecfb

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
05100d8651 dropbear: adjust file permissions
runtime:
- adjust ownership/permissions while starting dropbear
build time:
- correct file permissions for preseed files in $(TOPDIR)/files/etc/dropbear/ (if any)

closes #10849

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
a97e0dad6e dropbear: 'rsakeyfile' -> 'keyfile' transition
end users should have done this since OpenWrt 19.07.
if they didn't do this yet - perform auto-transition.

schedule 'rsakeyfile' removal for next year release.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
ff1ccd85e8 dropbear: failsafe: handle all supported key types
dropbear may be configured and compiled with support for different host key types

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
55218bcedb dropbear: minor config reorder
move DROPBEAR_ASKPASS under DROPBEAR_DBCLIENT (in all meanings)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
c87a192386 dropbear: split U2F/FIDO support
these options allow one to configure U2F/FIDO support in more granular way

inspired by upstream commit aa6559db

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
bf900e02c7 dropbear: add option to enable modern crypto only
reduces binary/package size and increases overall performance

also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
  to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
88c8053d47 dropbear: adjust allowed shell list
this takes an effect only if getusershell(3) is missing

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
7f6fcaa3bf dropbear: honor CONFIG_TARGET_INIT_PATH
fixes 65256aee

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
2d9a0be307 dropbear: disable two weak kex/mac algorithms
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
0b277f8659 dropbear: minor config clarification
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
  and DROPBEAR_DBCLIENT_AGENTFORWARD:
  describe why and where it should be disabled

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
fa849fd411 dropbear: better object cleanup
improves b78aae79

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
f2b2293663 dropbear: allow more complex configuration
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
  this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
  which is more likely to be than values with commas;
  use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.

improves e1bd9645

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
b5cde26048 dropbear: cherry-pick upstream patches
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)

various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels

adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
d4dfb566e2 dropbear: bump to 2022.83
- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Christian Marangi
c6ed34940d
ipq40xx: fix dts error in LED color/function conversion
Fix DTS error in LED color/function conversion due to a bug in the
conversion script.

Fixes: a9e0d97e1f ("ipq40xx: convert to new LED color/function format where possible")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-09 01:44:19 +01:00
Christian Marangi
c4910e9cb3
linux: add dtb makefile target to targets list
Add dtb makefile target to targets list to permit correct working of

make target/linux/dtb

Fixes: c47532b1ea ("kernel-buildOnmk: add support for compiling only DTS")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-08 23:04:55 +01:00
Christian Marangi
c47532b1ea
kernel-build.mk: add support for compiling only DTS
Add support for compiling DTS for the selected target. This can be
useful for testing if the DTS correctly compile and doesn't produce any
error.

This adds a new make target. To compile only DTS use:

make target/linux/dtb

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-08 19:57:28 +01:00
John Audia
f89904ad78 kernel: bump 6.1 to 6.1.77
Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.77

Removed upstreamed:
	generic/backport-6.1/707-v6.8-01-net-phy-at803x-fix-passing-the-wrong-reference-for-c.patch[1]
	generic/backport-6.1/796-v6.8-ipmr-fix-kernel-panic-when-forwarding-mcast-packets.patch[2]

All other patches automatically rebased.

1. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.77&id=7dc0fefd37dd5fb03fdac6e3e01b1c2291148ccb
2. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v6.1.77&id=d2f1b7fe74afd66298dbb3c7b39e7b62e4df1724

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-02-08 18:35:42 +01:00
John Audia
4a0839b44e kernel: bump 6.1 to 6.1.76
Changelog: https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.1.76

All patches automatically rebased.

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

Signed-off-by: John Audia <therealgraysky@proton.me>
2024-02-08 18:35:42 +01:00
Stephen Howell
d274867c21 lldpd: add option to force EDP
allow EDP support if compiled and add force EDP option

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
8b2d02e48c lldpd: only use snmp options when compiled in
prevent SNMP options being passed unless lldpd supports them

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
1b36d44323 lldpd: Update Makefile package release
increment Makefile package release to reflect changes to init script

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
a5f715da71 lldpd: add option for tx delay and tx hold
add option to set LLDP transmit delay, hold timers to set update frequency

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
4159acceeb lldpd: add option to set system platform
add option to override system platform instead of using kernel name

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
4ac134aa78 lldpd: add option to force SONMP enabled
add option to force SONMP to be enabled even when no peer detected

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
1be2088a52 lldpd: add option to force FDP on
add option to force FDP when no peers detected

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
b67182008f lldpd: set CDP version and allow forcing CDP on
add option to specify CDPv1 or CDPv2 and separately enable or force each

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
61dbe756d8 lldpd: allow disabling LLDP protcol
add option to allow LLDP disabling while using other supported protocols

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
ac771313eb lldpd: add portidsubtype option
add option portidsubtype to correct port identifiers and descriptions

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
c98ee4dbb3 lldpd: add agent-type option
add option to set agent-type to control propogation

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
24176a6bdd lldpd: add LLDP MED options
add option to enable LLDP MED fast-start and set fast-start timer

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
1753498b01 lldpd: option to disable LLDP-MED inventory TLV
add option to disable LLDP-MED inventory TLV transmission

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
058f284b1a lldpd: Init adds no-version option
add option to disable advertising kernel version

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
ac3ed75309 lldpd: Allow neighbour filtering
add filter option to init script.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
064b4999ad lldpd: LLDPD binds to only specified interfaces
Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
e483c247dc lldpd: Init config read on reload
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Álvaro Fernández Rojas
6bbb75dfdc bmips: dts: move leds dt-bindings include to SoCs
bmips has all the dt-bindings includes inside each SoC .dtsi files, so let's
move the new includes there instead of adding them to each board .dts files.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2024-02-08 09:45:26 +01:00
Christian Marangi
1765973c40
ramips: fix dts error in LED color/function conversion
Fix DTS error in LED color/function conversion due to a bug in the
conversion script.

Fixes: 19c45b95db ("ramips: convert to new LED color/function format where possible")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-08 00:01:22 +01:00
Christian Marangi
60d4f6c025
lantiq: fix dts error in LED color/function conversion
Fix DTS error in LED color/function conversion due to a bug in the
conversion script.

Fixes: 0c3f3eb229 ("lantiq: convert to new LED color/function format where possible")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-08 00:01:22 +01:00
Christian Marangi
07b57c3e80
ipq806x: fix dts error in LED color/function conversion
Fix DTS error in LED color/function conversion due to a bug in the
conversion script.

Fixes: 33e7962329 ("ipq806x: convert to new LED color/function format where possible")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-08 00:01:22 +01:00
Nick Hainke
21ca43d28a strace: update to 6.7
Release Notes:
https://github.com/strace/strace/releases/tag/v6.7

Signed-off-by: Nick Hainke <vincent@systemli.org>
2024-02-07 20:13:06 +01:00
Florian Eckert
c6fabd0bc3 base-files/leds: add setting the LED color via uci
Add the possibility that colored LEDs can also be configured via the uci.

config led 'led1'
	option name '<name>'
	option sysfs '<path>'
	option trigger 'default-on'
	option default '1'
-->	option color_{$color} '<0-255>'

The supported names of the variable "${color}" for the selected LED can be
queried in the file with the name 'multi_index'.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2024-02-07 15:34:43 +01:00
Florian Eckert
3aa812d8be base-files/leds: merging code sequences that belongs together
Setting the trigger and checking whether the trigger can be set belong
together and should not be interrupted by other lines of code.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2024-02-07 15:34:43 +01:00
Florian Eckert
102855b3c1 base-files/leds: save led color value if available
There are monochrome LEDs that can only display one color. However, there
are also LEDs that can display multiple colors. This can be tested in the
led subsystem of the kernel if the files 'multi_index' and 'multi_intensity'
are present in the folder '/sys/class/leds/<ledname>'.

Until now it was not possible to reset the default color. This commit adds
the missing information in the file '/var/run/led.state' so that the bootup
color can be seen on the LED again when the LED configuration has been changed.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
2024-02-07 15:34:43 +01:00
Christian Marangi
db9f26cfcb
realtek: convert to new LED color/function format where possible
Initial conversion to new LED color/function format
and drop label format where possible. The same label
is composed at runtime.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-07 14:48:44 +01:00
Christian Marangi
f038c0c18f
realtek: drop redundant label with new LED color/function format
Drop redundant label with new LED color/function format declared.
This was needed previously when the new format wasn't supported by
leds.sh functions script. Now that is supported this property
can be removed in favor of the new format.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-07 14:48:44 +01:00
Christian Marangi
19c45b95db
ramips: convert to new LED color/function format where possible
Initial conversion to new LED color/function format
and drop label format where possible. The same label
is composed at runtime.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-07 14:48:43 +01:00
Christian Marangi
7630c052c4
ramips: drop redundant label with new LED color/function format
Drop redundant label with new LED color/function format declared.
This was needed previously when the new format wasn't supported by
leds.sh functions script. Now that is supported this property
can be removed in favor of the new format.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-02-07 14:48:43 +01:00