aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services
Commit message (Collapse)AuthorAgeFilesLines
* wireguard: bump to 0.0.20180809Jason A. Donenfeld2018-08-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * send: switch handshake stamp to an atomic Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize. * compat: better atomic acquire/release backport This should fix compilation and correctness on several platforms. * crypto: move simd context to specific type This was a suggestion from Andy Lutomirski on LKML. * chacha20poly1305: selftest: use arrays for test vectors We no longer have lines so long that they're rejected by SMTP servers. * qemu: add easy git harness This makes it a bit easier to use our qemu harness for testing our mainline integration tree. * curve25519-x86_64: avoid use of r12 This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register. * chacha20: use memmove in case buffers overlap A small correctness fix that we never actually hit in WireGuard but is important especially for moving this into a general purpose library. * curve25519-hacl64: simplify u64_eq_mask * curve25519-hacl64: correct u64_gte_mask Two bitmath fixes from Samuel, which come complete with a z3 script proving their correctness. * timers: include header in right file This fixes compilation in some environments. * netlink: don't start over iteration on multipart non-first allowedips Matt Layher found a bug where a netlink dump of peers would never terminate in some circumstances, causing wg(8) to keep trying forever. We now have a fix as well as a unit test to mitigate this, and we'll be looking to create a fuzzer out of Matt's nice library. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wpa_supplicant: fix CVE-2018-14526John Crispin2018-08-101-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unauthenticated EAPOL-Key decryption in wpa_supplicant Published: August 8, 2018 Identifiers: - CVE-2018-14526 Latest version available from: https://w1.fi/security/2018-1/ Vulnerability A vulnerability was found in how wpa_supplicant processes EAPOL-Key frames. It is possible for an attacker to modify the frame in a way that makes wpa_supplicant decrypt the Key Data field without requiring a valid MIC value in the frame, i.e., without the frame being authenticated. This has a potential issue in the case where WPA2/RSN style of EAPOL-Key construction is used with TKIP negotiated as the pairwise cipher. It should be noted that WPA2 is not supposed to be used with TKIP as the pairwise cipher. Instead, CCMP is expected to be used and with that pairwise cipher, this vulnerability is not applicable in practice. When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data field is encrypted using RC4. This vulnerability allows unauthenticated EAPOL-Key frames to be processed and due to the RC4 design, this makes it possible for an attacker to modify the plaintext version of the Key Data field with bitwise XOR operations without knowing the contents. This can be used to cause a denial of service attack by modifying GTK/IGTK on the station (without the attacker learning any of the keys) which would prevent the station from accepting received group-addressed frames. Furthermore, this might be abused by making wpa_supplicant act as a decryption oracle to try to recover some of the Key Data payload (GTK/IGTK) to get knowledge of the group encryption keys. Full recovery of the group encryption keys requires multiple attempts (128 connection attempts per octet) and each attempt results in disconnection due to a failure to complete the 4-way handshake. These failures can result in the AP/network getting disabled temporarily or even permanently (requiring user action to re-enable) which may make it impractical to perform the attack to recover the keys before the AP has already changes the group keys. By default, wpa_supplicant is enforcing at minimum a ten second wait time between each failed connection attempt, i.e., over 20 minutes waiting to recover each octet while hostapd AP implementation uses 10 minute default for GTK rekeying when using TKIP. With such timing behavior, practical attack would need large number of impacted stations to be trying to connect to the same AP to be able to recover sufficient information from the GTK to be able to determine the key before it gets changed. Vulnerable versions/configurations All wpa_supplicant versions. Acknowledgments Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU Leuven for discovering and reporting this issue. Possible mitigation steps - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This can be done also on the AP side. - Merge the following commits to wpa_supplicant and rebuild: WPA: Ignore unauthenticated encrypted EAPOL-Key data This patch is available from https://w1.fi/security/2018-1/ - Update to wpa_supplicant v2.7 or newer, once available Signed-off-by: John Crispin <john@phrozen.org>
* wireguard: bump to 0.0.20180802Jason A. Donenfeld2018-08-041-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog taken from the version announcement > == Changes == > > * chacha20poly1305: selftest: split up test vector constants > > The test vectors are encoded as long strings -- really long strings -- and > apparently RFC821 doesn't like lines longer than 998. > https://cr.yp.to/smtp/message.html > > * queueing: keep reference to peer after setting atomic state bit > > This fixes a regression introduced when preparing the LKML submission. > > * allowedips: prevent double read in kref > * allowedips: avoid window of disappeared peer > * hashtables: document immediate zeroing semantics > * peer: ensure resources are freed when creation fails > * queueing: document double-adding and reference conditions > * queueing: ensure strictly ordered loads and stores > * cookie: returned keypair might disappear if rcu lock not held > * noise: free peer references on failure > * peer: ensure destruction doesn't race > > Various fixes, as well as lots of code comment documentation, for a > small variety of the less obvious aspects of object lifecycles, > focused on correctness. > > * allowedips: free root inside of RCU callback > * allowedips: use different macro names so as to avoid confusion > > These incorporate two suggestions from LKML. > > This snapshot contains commits from: Jason A. Donenfeld and Jann Horn. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* hostapd: add ht and vht support in handle event function Add ht and vht ↵Nick Hainke2018-07-303-2/+45
| | | | | | capabilities. If a device sends a probe request, the capabilities are added. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add ubus call for ap featuresNick Hainke2018-07-301-0/+16
| | | | | | | | | | | The call "get_features" allows to gather hostapd config options via ubus. As first infos we add the ht and vht support. Although nl80211 supports to gather informations about ht and vht capabilities, the hostapd configuration can disable vht and ht. However, it is possible that the iw output is not representing the actual hostapd configuration. Signed-off-by: Nick Hainke <vincent@systemli.org>
* openvpn-easy-rsa: update to 3.0.4Luiz Angelo Daros de Luca2018-07-302-6/+31
| | | | | | | | | | | | | | Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf. However, pkg kept using openssl-1.0.cnf. Upstream easyrsa searchs for vars, openssl-*, x509-types in the same directory as easyrsa script. This was patched to revert back to static /etc/easy-rsa/ directory (as does OpenSUSE). EASYRSA_PKI still depends on $PWD. Move easyrsa from /usr/sbin to /usr/bin as root is not needed. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
* igmpproxy: drop SSDP packetsDmitry Tunin2018-07-302-1/+13
| | | | | | | It is insecure to let this type of packets inside They can e.g. open ports on some other routers with UPnP, etc Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
* treewide: Bump PKG_RELEASE due to mbedtls updateDaniel Engberg2018-07-301-1/+1
| | | | | | | Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library mismatch. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* igmpproxy: add a silent logging optionDmitry Tunin2018-07-283-5/+6
| | | | | | | | [0-3](none, minimal[default], more, maximum) It is not 100% backward compatible, because now 0 disables logging Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
* dnsmasq: bump to dnsmasq v2.80test3Kevin Darbyshire-Bryant2018-07-2820-1565/+6
| | | | | | | | | | | | | | | | | Refresh patches Upstream commits since last bump: 3b6eb19 Log DNSSEC trust anchors at startup. f3e5787 Trivial comment change. c851c69 Log failure to confirm an address in DHCPv6. a3bd7e7 Fix missing fatal errors when parsing some command-line/config options. ab5ceaf Document the --help option in the french manual 1f2f69d Fix recurrent minor spelling mistake in french manual f361b39 Fix some mistakes in french translation of the manual eb1fe15 When replacing cache entries, preserve CNAMES which target them. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* ead: use new protocol setting API since libpcap 1.9.0Syrone Wong2018-07-271-3/+1
| | | | | | | Dropped the protocol API specific symbol: HAS_PROTO_EXTENSION and switch to the official API Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
* odhcpd: update to latest git HEADJo-Philipp Wich2018-07-261-4/+4
| | | | | | 44cce31 ubus: avoid dumping interface state with NULL message Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard-tools: add wireguard_watchdog scriptAleksandr V. Piskunov2018-07-222-2/+63
| | | | | | | | | | | | This watchdog script tries to re-resolve hostnames for inactive WireGuard peers. Use it for peers with a frequently changing dynamic IP. persistent_keepalive must be set, recommended value is 25 seconds. Run this script from cron every minute: echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com> [bump the package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 0.0.20180718Jason A. Donenfeld2018-07-221-2/+2
| | | | | | | | | | | | | | 80b41cd version: bump snapshot fe5f0f6 recieve: disable NAPI busy polling e863f40 device: destroy workqueue before freeing queue 81a2e7e wg-quick: allow link local default gateway 95951af receive: use gro call instead of plain call d9501f1 receive: account for zero or negative budget e80799b tools: only error on wg show if all interfaces failk Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> [Added commit log to commit description] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: remove unused struct hostapd_ubus_ifaceFelix Fietkau2018-07-222-16/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: fix conflicts hellMathias Kresin2018-07-181-95/+47
| | | | | | | | | | | | | Add each variant to the matching PROVIDERS variables after evaluating the respective hostapd*, wpad* and wpa* variant. Each package providing the same feature will automatically conflict with all prior packages providing the same feature. This way we can handle the conflicts automatically without introducing recursive dependencies. Signed-off-by: Mathias Kresin <dev@kresin.me>
* hostapd: cleanup package definitionMathias Kresin2018-07-181-46/+48
| | | | | | | | | | | | Move common variables and/or values to the package (variant) default. Add additional values in variant packages if necessary. Remove further duplicates by introducing new templates. Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the same as the variables without the any prefix. No need to maintain both variables. Signed-off-by: Mathias Kresin <dev@kresin.me>
* igmpproxy: run in foreground for procdKevin Darbyshire-Bryant2018-07-182-2/+2
| | | | | | | | | procd needs processes to stay in foreground to remain under its gaze and control. Failure to do so means service stop commands fail to actually stop the process (procd doesn't think it's running 'cos the process has exited already as part of its forking routing) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: don't use network functions at boottime (FS#1542)Hans Dedecker2018-07-172-6/+15
| | | | | | | | | | | | As dnsmasq is started earlier than netifd usage of network.sh functions at boottime will fail; therefore don't call at boottime the functions which construct the dhcp pool/relay info. As interface triggers are installed the dhcp pool/relay info will be constructed when the interface gets reported as up by netifd. At the same time also register interface triggers based on DHCP relay config. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ppp: fix building pptp pluginJo-Philipp Wich2018-07-172-1/+12
| | | | | | | | | The pptp.so plugin needs to be built with -fPIC as well in order to be linkable again. Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS") Fixes e7397eef69 ("ppp: compile with LTO enabled") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: increase procd termination timeout to 15sJo-Philipp Wich2018-07-172-1/+2
| | | | | | | | | Increase the termination timeout to 15s to let OpenVPN properly tear down its connections, especially when weak links or complex down scripts are involved. Fixes FS#859. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dropbear: close all active clients on shutdownChristian Schoenebeck2018-07-161-0/+5
| | | | | | | | | | | | | | | | | | | | Override the default shutdown action (stop) and close all processes of dropbear Since commit 498fe85, the stop action only closes the process that's listening for new connections, maintaining the ones with existing clients. This poses a problem when restarting or shutting-down a device, because the connections with existing SSH clients, like OpenSSH, are not properly closed, causing them to hang. This situation can be avoided by closing all dropbear processes when shutting-down the system, which closes properly the connections with current clients. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com> [Luis: Rework commit message] Signed-off-by: Luis Araneda <luaraneda@gmail.com>
* ppp: add missing -fPIC to rp-pppoe.so CFLAGSFelix Fietkau2018-07-141-0/+11
| | | | | | Fixes build error with LTO Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dropbear: compile with LTO enabledFelix Fietkau2018-07-132-2/+35
| | | | | | Reduces size of the .ipk on MIPS from 87k to 84k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ppp: compile with LTO enabledFelix Fietkau2018-07-131-2/+2
| | | | | | Reduces .ipk size on MIPS from 98.5k to 98k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ppp: fix linker flags for the radius pluginFelix Fietkau2018-07-131-3/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: bump to 0.0.20180708Jason A. Donenfeld2018-07-111-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | * device: print daddr not saddr in missing peer error * receive: style Debug messages now make sense again. * wg-quick: android: support excluding applications Android now supports excluding certain apps (uids) from the tunnel. * selftest: ratelimiter: improve chance of success via retry * qemu: bump default kernel version * qemu: decide debug kernel based on KERNEL_VERSION Some improvements to our testing infrastructure. * receive: use NAPI on the receive path This is a big change that should both improve preemption latency (by not disabling it unconditionally) and vastly improve rx performance on most systems by using NAPI. The main purpose of this snapshot is to test out this technique. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: build with LTO enabled (using jobserver for parallel build)Felix Fietkau2018-07-102-3/+54
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* odhcpd: update to latest git HEADHans Dedecker2018-07-091-4/+4
| | | | | | | 345bba0 dhcpv4: improve error checking in handle_dhcpv4() c0f6390 odhcpd: Check if open the ioctl socket failed Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* mbedtls: Update to 2.11.0Daniel Engberg2018-07-071-1/+1
| | | | | | | | | | | | | | | | Update mbed TLS to 2.11.0 Disable OFB block mode and XTS block cipher mode, added in 2.11.0. The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS This is to avoid having a mismatch between packages when upgrading. The size of mbedtls increased a little bit: ipkg for mips_24kc before: 163.846 Bytes ipkg for mips_24kc after: 164.382 Bytes Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* dnsmasq: bump to latest patches on 2.80rc2Kevin Darbyshire-Bryant2018-07-0319-11/+406
| | | | | | | | | | | | | | | Refresh patches and backport upstream to current HEAD: a997ca0 Fix sometimes missing DNSSEC RRs when DNSSEC validation not enabled. 51e4eee Fix address-dependent domains for IPv6. 05ff659 Fix stupid infinite loop introduced by preceding commit. db0f488 Handle some corner cases in RA contructed interfaces with addresses changing interface. 7dcca6c Warn about the impact of cache-size on performance. 090856c Allow zone transfer in authoritative mode whenever auth-peer is specified. cc5cc8f Sane error message when pcap file header is wrong. c488b68 Handle standard and contructed dhcp-ranges on the same interface. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* uhttpd: update to latest Git headJo-Philipp Wich2018-07-031-3/+3
| | | | | | | | | | db86175 lua: honour size argument in recv() function d3b9560 utils: add uh_htmlescape() helper 8109b95 file: escape strings in HTML output 393b59e proc: expose HTTP Origin header in process environment 796d42b client: flush buffered SSL output when tearing down client ustream Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* samba36: Disable external libtdb and libteventRosen Penev2018-07-021-1/+3
| | | | | | | This was causing issues recently as samba36 is not API compatible with the libtdb in the packages repo. It shouldn't be using it anyway. Nor tevent. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* wireguard: bump to 0.0.20180625Kevin Darbyshire-Bryant2018-06-261-2/+2
| | | | | | | | | | | | | | | | | | | | dfd9827 version: bump snapshot 88729f0 wg-quick: android: prevent outgoing handshake packets from being dropped 1bb9daf compat: more robust ktime backport 68441fb global: use fast boottime instead of normal boottime d0bd6dc global: use ktime boottime instead of jiffies 18822b8 tools: fix misspelling of strchrnul in comment 0f8718b manpages: eliminate whitespace at the end of the line 590c410 global: fix a few typos bb76804 simd: add missing header 7e88174 poly1305: give linker the correct constant data section size fd8dfd3 main: test poly1305 before chacha20poly1305 c754c59 receive: don't toggle bh Compile-tested-for: ath79 Archer C7 v2 Run-tested-on: ath79 Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* odhcpd: update to latest git HEADHans Dedecker2018-06-261-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | 81a281e dhcpv6-ia: fix border assignment size setting a2ffc59 dhcpv6-ia: fix status code for not on link IAs 5b087a6 dhcpv6-ia: improve error checking in assign_pd() c9114a1 config: fix wrong assignment bb8470f dhcpv4: delay forced renew transaction start 62a1b09 dhcpv4: fix DHCP address space logic d5726ff dhcpv4: improve logging when sending DHCP messages 9484351 odhcpd: call handle_error when socket error can be retrieved c45e2eb dhcpv6: fix out of bounds write in handle_nested_message() c2ff5af dhcpv6-ia: log renew messages as well 676eb38 router: fix possible segfault in send_router_advert() 392701f odhcpd: fix passing possible negative parameter 029123b treewide: switch to C-code style comments 6b79748 router: improve error checking 12e21bc netlink: fix incorrect sizeof argument d7aa414 dhcpv6: improve error checking in dhcpv6_setup_interface() 373495a ubus: fix invalid ipv6-prefix json 79d5e6f ndp: improve error checking d834ae3 dhcpv4: fix error checking in dhcpv4_setup_interface() f2aa383 dhcpv4: fix out of bound access in dhcpv4_put 4591b36 dhcpv4: improve error checking in dhcpv4_setup_interface() 4983ee5 odhcpd: fix strncpy bounds Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dropbear: let opkg manage symlinks of ssh, scpYousong Zhou2018-06-251-3/+5
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* wireguard: bump to 0.0.20180620Kevin Darbyshire-Bryant2018-06-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | 0bc4230 version: bump snapshot ed04799 poly1305: add missing string.h header cbd4e34 compat: use stabler lkml links caa718c ratelimiter: do not allow concurrent init and uninit 894ddae ratelimiter: mitigate reference underflow 0a8a62c receive: drop handshake packets if rng is not initialized cad9e52 noise: wait for crng before taking locks 83c0690 netlink: maintain static_identity lock over entire private key update 0913f1c noise: take locks for ss precomputation 073f31a qemu: bump default kernel bec4c48 wg-quick: android: don't forget to free compiled regexes 7ce2ef3 wg-quick: android: disable roaming to v6 networks when v4 is specified 9132be4 dns-hatchet: apply resolv.conf's selinux context to new resolv.conf 41a5747 simd: no need to restore fpu state when no preemption 6d7f0b0 simd: encapsulate fpu amortization into nice functions f8b57d5 queueing: re-enable preemption periodically to lower latency b7b193f queueing: remove useless spinlocks on sc 5bb62fe tools: getentropy requires 10.12 4e9f120 chacha20poly1305: use slow crypto on -rt kernels on arm too Compiled-for: ar71xx, lantiq Run-tested-on: ar71xx Archer C7 v2 & lantiq HH5a Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix dnsmasq startup issueHans Dedecker2018-06-202-9/+1
| | | | | | | | | | | Commit ecd954d530 installs specific interface triggers which rewrites the dnsmasq config file and restarts dnsmasq if the network interface becomes active for which a trigger has been installed. In case no dhcp sections are specified or ignore is set to 1 dnsmasq will not be started at startup which breaks DNS resolving. Fix this by ditching the BOOT check in start_service and always start dnsmasq at startup. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: fix confdir option processing (FS#1572)Hans Dedecker2018-06-112-2/+3
| | | | | | | | Fix condir option processing allowing to use the format "<directory>[,<file-extension>......]," as documented on the dnsmasq man page which previously resulted into bogus dir being created. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: make cli treat UNKNOWN COMMAND as failingDenton Gentry2018-06-071-0/+13
| | | | | | | | | | | Avoid infinite loop at 100% CPU when running hostapd_cli if CONFIG_CTRL_IFACE_MIB is not defined. _newselect(4, [3], NULL, NULL, ...) recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16 sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24 Signed-off-by: Denton Gentry <denny@geekhold.com>
* hostapd: properly build hostapd-only SSL variantsDaniel Golle2018-06-051-11/+11
| | | | | | | Make sure hostapd-openssl is actually build against OpenSSL, same for wolfSSL. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: expose device taxonomy signature via ubusFelix Fietkau2018-06-051-0/+6
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: add support for client taxonomy in the full configFelix Fietkau2018-06-052-5/+29
| | | | | | | This can be used to fingerprint clients to try to identify the exact model Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: bump to 0.0.20180531 to fix flow offloadingJason A. Donenfeld2018-05-311-6/+5
| | | | | | | | | | This version bump was made upstream mostly for OpenWRT, and should fix an issue with a null dst when on the flow offloading path. While we're at it, Kevin and I are the only people actually taking care of this package, so trim the maintainer list a bit. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: update packaging and patchesDaniel Golle2018-05-3137-496/+417
| | | | | | | | | | Clean up conflicts/provides/depends hell and add PROVIDES for eapol-test variants while at it. Update mesh-DFS patchset from Peter Oh to v5 (with local fixes) which allows to drop two revert-patches for upstream commits which previously were necessary to un-break mesh-DFS support. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: convert ssl provider build options to variantsDaniel Golle2018-05-252-85/+285
| | | | | | | | | | | Instead of selecting the SSL provider at compile time, build package variants for each option so users can select the binary package without having to build it themselves. Most likely not all variants have actually ever been user by anyone. We should reduce the selection to the reasonable and most used combinations at some point in future. For now, build them all. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* hostapd: update to git HEAD of 2018-05-21, allow build against wolfsslDaniel Golle2018-05-2437-296/+603
| | | | | | | Support for building wpa_supplicant/hostapd against wolfssl has been added upstream recently, add build option to allow users using it. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Revert "dnsmasq: use "hostsdir" instead of "addn-hosts""Hans Dedecker2018-05-241-1/+1
| | | | | | | | | This reverts commit a03035dad198cd4b51645ceb43c1170f9cf95f16 as it has several issues: -Host file is located in a directory which is not unique per dnsmasq instance -odhcpd writes host info into the same directory but still sends a SIGHUP to dnsmasq Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: use "hostsdir" instead of "addn-hosts"Christian Schoenebeck2018-05-231-1/+1
| | | | | | | 1.) "addn-hosts" per default point to a file (but it supports directory) 2.) "hostsdir" only support directory with the additional benefit: New or changed files are read automatically. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
* mbedtls: update to version 2.9.0Hauke Mehrtens2018-05-221-1/+1
| | | | | | | | The soversion was changed in this version again and is now aligned with the 2.7.2 version. The size of the ipkg file stayed mostly the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>