Commit Graph

1918 Commits

Author SHA1 Message Date
Konstantin Demin
ff1ccd85e8 dropbear: failsafe: handle all supported key types
dropbear may be configured and compiled with support for different host key types

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
55218bcedb dropbear: minor config reorder
move DROPBEAR_ASKPASS under DROPBEAR_DBCLIENT (in all meanings)

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
c87a192386 dropbear: split U2F/FIDO support
these options allow one to configure U2F/FIDO support in more granular way

inspired by upstream commit aa6559db

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
bf900e02c7 dropbear: add option to enable modern crypto only
reduces binary/package size and increases overall performance

also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
  to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
88c8053d47 dropbear: adjust allowed shell list
this takes an effect only if getusershell(3) is missing

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
7f6fcaa3bf dropbear: honor CONFIG_TARGET_INIT_PATH
fixes 65256aee

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
2d9a0be307 dropbear: disable two weak kex/mac algorithms
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
0b277f8659 dropbear: minor config clarification
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
  and DROPBEAR_DBCLIENT_AGENTFORWARD:
  describe why and where it should be disabled

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
fa849fd411 dropbear: better object cleanup
improves b78aae79

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
f2b2293663 dropbear: allow more complex configuration
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
  this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
  which is more likely to be than values with commas;
  use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.

improves e1bd9645

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
b5cde26048 dropbear: cherry-pick upstream patches
critical fixes:
- libtommath: possible integer overflow (CVE-2023-36328)
- implement Strict KEX mode (CVE-2023-48795)

various fixes:
- fix DROPBEAR_DSS and DROPBEAR_RSA config options
- y2038 issues
- remove SO_LINGER socket option
- make banner reading failure non-fatal
- fix "noremotetcp" behavior
- don't try to shutdown a pty
- fix test for multiuser kernels

adds new features:
- option to bind to interface
- allow inetd with non-syslog
- ignore unsupported command line options with dropbearkey

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Konstantin Demin
d4dfb566e2 dropbear: bump to 2022.83
- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2024-02-09 09:13:05 +00:00
Stephen Howell
d274867c21 lldpd: add option to force EDP
allow EDP support if compiled and add force EDP option

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
8b2d02e48c lldpd: only use snmp options when compiled in
prevent SNMP options being passed unless lldpd supports them

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
1b36d44323 lldpd: Update Makefile package release
increment Makefile package release to reflect changes to init script

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
a5f715da71 lldpd: add option for tx delay and tx hold
add option to set LLDP transmit delay, hold timers to set update frequency

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
4159acceeb lldpd: add option to set system platform
add option to override system platform instead of using kernel name

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:37 +02:00
Stephen Howell
4ac134aa78 lldpd: add option to force SONMP enabled
add option to force SONMP to be enabled even when no peer detected

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
1be2088a52 lldpd: add option to force FDP on
add option to force FDP when no peers detected

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
b67182008f lldpd: set CDP version and allow forcing CDP on
add option to specify CDPv1 or CDPv2 and separately enable or force each

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
61dbe756d8 lldpd: allow disabling LLDP protcol
add option to allow LLDP disabling while using other supported protocols

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
ac771313eb lldpd: add portidsubtype option
add option portidsubtype to correct port identifiers and descriptions

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
c98ee4dbb3 lldpd: add agent-type option
add option to set agent-type to control propogation

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
24176a6bdd lldpd: add LLDP MED options
add option to enable LLDP MED fast-start and set fast-start timer

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
1753498b01 lldpd: option to disable LLDP-MED inventory TLV
add option to disable LLDP-MED inventory TLV transmission

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
058f284b1a lldpd: Init adds no-version option
add option to disable advertising kernel version

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
ac3ed75309 lldpd: Allow neighbour filtering
add filter option to init script.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
064b4999ad lldpd: LLDPD binds to only specified interfaces
Bind to the configured system interfaces only. Switchport interfaces
are no longer ignored and uci interface values for LLDPD are honored.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Stephen Howell
e483c247dc lldpd: Init config read on reload
Init script reload with trigger to detect config file update.
Reload command added to attempt non-impactful lldpd reload where
lldpcli can be used to update config without process restart.
Config hash function used to track whether process restart is needed.

Signed-off-by: Stephen Howell <howels@allthatwemight.be>
2024-02-08 12:35:36 +02:00
Felix Fietkau
2716853132 wifi-scripts: add new package, move wifi scripts to a single place
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-02-03 16:16:36 +01:00
Daniel Golle
7eee094f01 uhttpd: bump PKG_RELEASE
Bump PKG_RELEASE which should have been done by commit 7b1c3068b7
("uhttpd: restart when interface to listen becomes available").

Fixes: 7b1c3068b7 ("uhttpd: restart when interface to listen becomes available")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-02 04:22:17 +00:00
Daniel Golle
7b1c3068b7 uhttpd: restart when interface to listen becomes available
Currently uhttpd won't start with a listening interface configured if
the interface isn't already up at the time uhttpd starts. Make sure we
attempt to start uhttpd when it comes up.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2024-02-01 00:52:54 +00:00
Rany Hany
59f67b2010 hostapd: fail R0KH and R1KH derivation when wpa_psk_file is used
When wpa_psk_file is used, there is a chance that no PSK is set. This means
that the FT key will be generated using only the mobility domain which
could be considered a security vulnerability but only for a very specific
and niche config.

Signed-off-by: Rany Hany <rany_hany@riseup.net>
2024-01-25 20:02:40 +01:00
Jesus Fernandez Manzano
e2f6bfb833 hostapd: fix 11r defaults when using SAE
When using WPA3-SAE or WPA2/WPA3 Personal Mixed, we can not use
ft_psk_generate_local because it will break FT for SAE. Instead
use the r0kh and r1kh configuration approach.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
2024-01-25 20:02:40 +01:00
Jesus Fernandez Manzano
cdc4c55175 hostapd: fix 11r defaults when using WPA
802.11r can not be used when selecting WPA. It needs at least WPA2.

This is because 802.11r advertises FT support in-part through the
Authentication and Key Management (AKM) suites in the Robust
Security Network (RSN) Information Element, which was included in
the 802.11i amendment and WPA2 certification program.

Pre-standard WPA did not include the RSN IE, but the WPA IE.
This IE can not advertise the AKM suite for FT.

Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.ai>
2024-01-25 20:02:40 +01:00
Felix Fietkau
195cf4b58d hostapd: remove obsolete function
Leftover from authsae, which was removed a long time ago

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-25 20:02:30 +01:00
David Bauer
56d7887917 hostapd: ACS: Fix typo in bw_40 frequency array
[Upstream Backport]

The range for the 5 GHz channel 118 was encoded with an incorrect
channel number.

Fixes: ed8e13decc71 (ACS: Extract bw40/80/160 freqs out of acs_usable_bwXXX_chan())
Signed-off-by: Michael Lee <michael-cy.lee@mediatek.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2024-01-18 23:22:33 +01:00
Felix Fietkau
912e573127 hostapd: add back missing function for updating wpa_supplicant macaddr list
Make the call deferred instead of blocking to avoid deadlock issues

Fixes: 3df9322771 ("hostapd: make ubus calls to wpa_supplicant asynchronous")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 16:12:34 +01:00
Felix Fietkau
12c8bba731 hostapd: fix an exception in hostapd.uc on interface add failure
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 15:22:27 +01:00
Felix Fietkau
5b8f188c0f Revert "mac80211: rework interface setup, fix race condition"
This reverts commit b7f9742da8.
There are several reports of regressions with this commit. Will be added
back once I've figured out and fixed the cause

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-13 11:19:34 +01:00
Felix Fietkau
b7f9742da8 mac80211: rework interface setup, fix race condition
Only tell netifd about vifs when the setup is complete and hostapd +
wpa_supplicant have been notified

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 10:40:43 +01:00
Felix Fietkau
3df9322771 hostapd: make ubus calls to wpa_supplicant asynchronous
This fixes a deadlock issue where depending on the setup order, hostapd and
wpa_supplicant could end up waiting for each other

Reported-by: Michael-cy Lee (李峻宇) <Michael-cy.Lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-11 09:15:54 +01:00
Rafał Miłecki
1f11a4e283 uhttpd: handle reload after uhttpd-mod-ubus installation using postinst
Use postinst script to reload service instead of uci-defaults hack. It's
possible thanks to recent base-files change that executes postinst after
uci-defaults.

This fixes support for uhttpd customizations. It's possible (again) to
adjust uhttpd config with custom uci-defaults before it gets started.

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: d25d281fd6 ("uhttpd: Reload config after uhttpd-mod-ubus was added")
Ref: b799dd3c70 ("base-files: execute package's "postinst" after executing uci-defaults")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-01-10 17:06:56 +01:00
Felix Fietkau
d864f68232 hostapd: add missing NULL pointer check on radar notification
Fixes a race condition that can lead to a hostapd crash

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-01-09 11:06:24 +01:00
David Bauer
f95eecfb21 dropbear: increase default receive window size
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.

Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-12-28 23:37:51 +01:00
Thibaut VARÈNE
8815a3114f dnsmasq: invert logic for "localuse"
Prior to this commit, "localuse" (which enables local resolving through
dnsmsasq) was off by "default". That default was in turn overridden when
"noresolv" was unset (which itself is the default for "noresolv") *and*
"resolvfile" was "/tmp/resolv.conf.d/resolv.conf.auto" (also the default
for this parameter).

In other words, the "default" unset value for "localuse" would only be
ever used in specific *non-default* configurations.

However, the problem with that logic is that a user who wants to ignore
their ISP-provided resolvers by setting "noresolv" to true ends up with
a device that will *only use* said resolvers for local DNS queries,
serving clients' queries via dnsmasq (which now ignores the ISP
resolvers). This can lead to confusion and break random setups as the
DNS lookup performed on clients behalf can differ in their replies from
DNS lookups performed locally on the router.

Furthermore, "localuse" is not configurable through Luci, contrary to
the other two involved settings, adding further confusion for the end
user.

To work around this situation, the logic that sets "localuse" is
inverted: "localuse" now defaults to on by default, and IFF "noresolv"
is unset (default) AND "resolvfile" is changed from default THEN
"localuse" gets turned back off, allowing for more sensible behaviour.

"localuse" value set in config/dhcp still overrides the logic in all
cases, as it did already.

Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2023-12-16 15:28:21 +00:00
Felix Fietkau
f909059b74 hostapd: use new udebug ubus api to make debug rings configurable
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-30 20:08:56 +01:00
Sven Eckelmann
711dcb7763 dnsmasq: mark global ubus context as closed after fork
If the dnsmasq process forks to handle TCP connections, it closes the ubus
context. But instead of changing the daemon wide pointer to NULL, only the
local variable was adjusted - and this portion of the code was even dropped
(dead store) by some optimizing compilers.

It makes more sense to change the daemon->ubus pointer because various
functions are already checking it for NULL. It is also the behavior which
ubus_destroy() implements.

Fixes: d8b33dad0b ("dnsmasq: add support for monitoring and modifying dns lookup results via ubus")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
2023-11-26 19:58:35 +01:00
Felix Fietkau
0f283ab4c9 umdns: update to Git HEAD (2023-11-21)
9040335e102b interface: fix interface memory corruption
b1e023eda358 add udebug support

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-21 07:36:08 +01:00
Felix Fietkau
2723f16dda hostapd: add missing acl entries for udebug
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-20 14:10:27 +01:00