aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* dnsmasq: bump to 2.81rc2 + 2 localKevin Darbyshire-Bryant2020-03-063-2/+79
| | | | | | | | | Bump to dnsmasq 2.81rc2. In the process discovered several compiler warnings one with a logical error. 2 relevant patches sent upstream, added as 2 local patches for OpenWrt Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.81rc1Kevin Darbyshire-Bryant2020-03-0435-8841/+5
| | | | | | | | | | 1st release candidate for v2.81 after 18 months. Refresh patches & remove all upstreamed leaving: 110-ipset-remove-old-kernel-support.patch Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* netifd: rename 20-smp-tune to 20-smp-packet-steeringAlan Swanson2020-03-031-0/+0
| | | | | | | Rename the script to be more obvious that this is for packet steering only. Signed-off-by: Alan Swanson <reiver@improbability.net>
* netifd: change RPS/XPS handling to all CPUs and disable by defaultAlan Swanson2020-03-031-9/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current implementation is significantly lowering lantiq performace [1][2] by using RPS with non-irq CPUs and XPS with alternating CPUs. The previous netifd implementation (by default but could be configured) simply used all CPUs and this patch essentially reverts to this behaviour. The only document suggesting using non-interrupt CPUs is Red Hat [3] where if the network interrupt rate is extremely high excluding the CPU that handles network interrupts *may* also improve performance. The original packet steering patches [4] advise that optimal settings for the CPU mask seems to depend on architectures and cache hierarcy so one size does not fit all. It also advises that the overhead in processing for a lightly loaded server can cause performance degradation. Ideally, proper IRQ balancing is a better option with the irqbalance daemon or manually. The kernel does not enable packet steering by default, so also disable in OpenWRT by default. (Though mvebu with its hardware scheduling issues [5] might want to enable packet steering by default.) Change undocumented "default_ps" parameter to clearer "packet_steering" parameter. The old parameter was only ever set in target/linux/mediatek/base-files/etc/uci-defaults/99-net-ps and matched the default. [1] https://forum.openwrt.org/t/18-06-4-speed-fix-for-bt-homehub-5a [2] https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=1105 [3] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/network-rps [4] https://marc.info/?l=linux-netdev&m=125792239522685&w=2 [5] https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=2e1f6f1682d3974d8ea52310e460f1bbe470390f Fixes: #1852 Fixes: #2573 Signed-off-by: Alan Swanson <reiver@improbability.net>
* ppp: activate PIE ASLR by defaultPetr Štetiar2020-03-011-0/+1
| | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. Size increase on imx6: 112681 ppp_2.4.8-2_arm_cortex-a9_neon.ipk 121879 ppp_2.4.8-2_arm_cortex-a9_neon.ipk = 9198 diff Acked-by: Alexander Couzens <lynxis@fe80.eu> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* ppp: backport security fixesPetr Štetiar2020-02-264-1/+129
| | | | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz> Fixes: CVE-2020-8597 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Revert "ppp: backport security fixes"Jo-Philipp Wich2020-02-264-129/+1
| | | | | | | | This reverts commit 215598fd03899c19a9cd26266221269dd5ec8cee since it didn't contain a reference to the CVE it addresses. The next commit will re-add the commit including a CVE reference in its commit message. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: enhance wifi reloadJohn Crispin2020-02-252-18/+134
| | | | | | | Add a radio_config_id property. If the radio config changes return an error upon receiving the reconf call. Signed-off-by: John Crispin <john@phrozen.org>
* hostapd: start hostapd/wpa_supplicant for all wiphy devicesPiotr Dymacz2020-02-242-2/+2
| | | | | | | | | | | | | | c888e17e06 ("hostapd: manage instances via procd instead of pidfile") added procd support for managing hostapd and wpa_supplicant daemons but at the same time limited wiphy names to 'phy*'. This brings back initial behaviour (introduced in 60fb4c92b6 ("hostapd: add ubus reload") and makes procd manage daemons for any wiphy device found in '/sys/class/ieee80211'. CC: Felix Fietkau <nbd@nbd.name> CC: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* umbim: move package to 'WWAN' submenuPiotr Dymacz2020-02-241-0/+1
| | | | | | | 'uqmi' was moved to 'WWAN' submenu in 9abdeee0b7. Let's be consistent and do the same with 'umbim'. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* linux-atm: Fix compile warningHauke Mehrtens2020-02-241-1/+15
| | | | | | | | | | | | The function trace_on_exit() is given to atexit() as a parameter, but atexit() only takes a function pointer to a function with a void parameter. This problem was introduced when the on_exit() function was incompletely replaced by atexit(). Fixes: ba6c8bd6142f ("linux-atm: add portability fixes") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* iw: update to 5.4DENG Qingfang2020-02-223-118/+43
| | | | | | | Update iw to 5.4 This increases the ipk size of iw-tiny/full by about 400 bytes Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* rssileds: add dependencies based on LDFLAGSAdrian Schmutzler2020-02-221-1/+1
| | | | | | | | | | | | | | | | | This adds the direct dependencies introduced by TARGET_LDFLAGS to the package's DEPENDS variable. This was found by accidentally building rssileds on octeon, which resulted in: "Package rssileds is missing dependencies for the following libraries: libnl-tiny.so" Though the dependencies are provided when building for the relevant targets ar71xx, ath79 and ramips, it seems more tidy to specify them explicitly. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* lldpd: bump to 1.0.5Stijn Tintel2020-02-223-23/+4
| | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* ppp: backport security fixesPetr Štetiar2020-02-204-1/+129
| | | | | | | | 8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP 8d7970b8f3db pppd: Fix bounds check in EAP code 858976b1fc31 radius: Prevent buffer overflow in rc_mksid() Signed-off-by: Petr Štetiar <ynezz@true.cz>
* dnsmasq: fix uci-defaults script to exit 0 so it is cleaned upRussell Senior2020-02-191-0/+2
| | | | | | | | | | A file, package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh, was added in commit 6a2855212096d2c486961a0841b037bae4b75de7, but it does not exit in a way that tells the uci-defaults mechanism that it succeeded, and so it is not cleaned up after running successfully. Add an exit 0 to the end to correct that. Signed-off-by: Russell Senior <russell@personaltelco.net>
* wireguard: bump to 0.0.20200215Jason A. Donenfeld2020-02-151-2/+2
| | | | | | | | | | * send: cleanup skb padding calculation * socket: remove useless synchronize_net Sorry for the back-to-back releases. This fixes a regression spotted by Eric Dumazet. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* iproute2: update to 5.5.0, enable LTODENG Qingfang2020-02-139-16/+16
| | | | | | | Update iproute2 to 5.5.0 Enable LTO to save several KB of size Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
* uhttpd: update to latest Git HEADJo-Philipp Wich2020-02-121-4/+4
| | | | | | 2ee323c file: poke ustream after starting deferred program Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard-tools: bump to 1.0.20200206Jason A. Donenfeld2020-02-091-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * wg-quick: android: split uids into multiple commands Newer android's ndc implementations have limits on uid size, so we have to break these into several lists. * man: document dynamic debug trick for Linux This comes up occasionally, so it may be useful to mention its possibility in the man page. At least the Arch Linux and Ubuntu kernels support dynamic debugging, so this advice will at least help somebody. So that you don't have to go digging into the commit, this adds this helpful tidbit to the man page for getting debug logs on Linux: # modprobe wireguard && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control * extract-{handshakes,keys}: rework for upstream kernel These tools will now use the source code from the running kernel instead of from the old monolithic repo. Essential for the functioning of Wireshark. * netlink: remove libmnl requirement We no longer require libmnl. It turns out that inlining the small subset of libmnl that we actually use results in a smaller binary than the overhead of linking to the external library. And we intend to gradually morph this code into something domain specific as a libwg emerges. Performance has also increased, thanks to the inliner. On all platforms, wg(8) only needs a normal libc. Compile time on my system is still less than one second. So all in all we have: smaller binary, zero dependencies, faster performance. Packagers should no longer have their wireguard-tools package depend on libmnl. * embeddable-wg-library: use newer string_list * netlink: don't pretend that sysconf isn't a function Small cleanups. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: remove erroneous $(space) redefinitionJo-Philipp Wich2020-02-081-3/+0
| | | | | | | | | | | | | | | | The $(space) definition in the hostapd Makefile ceased to work with GNU Make 4.3 and later, leading to syntax errors in the generated Kconfig files. Drop the superfluous redefinition and reuse the working $(space) declaration from rules.mk to fix this issue. Fixes: GH#2713 Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469 Reported-by: Karel Kočí <cynerd@email.cz> Suggested-by: Jonas Gorski <jonas.gorski@gmail.com> Tested-by: Shaleen Jain <shaleen@jain.sh> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard: bump to 0.0.20200205Jason A. Donenfeld2020-02-051-2/+2
| | | | | | | | | | | | | | | | | | | | | | | * compat: support building for RHEL-8.2 * compat: remove RHEL-7.6 workaround Bleeding edge RHEL users should be content now (which includes the actual RedHat employees I've been talking to about getting this into the RHEL kernel itself). Also, we remove old hacks for versions we no longer support anyway. * allowedips: remove previously added list item when OOM fail * noise: reject peers with low order public keys With this now being upstream, we benefit from increased fuzzing coverage of the code, uncovering these two bugs. * netns: ensure non-addition of peers with failed precomputation * netns: tie socket waiting to target pid An added test to our test suite for the above and a small fix for high-load CI scenarios. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Revert "iwinfo: update to latest Git HEAD"Jo-Philipp Wich2020-02-052-3/+12
| | | | | | | | | This reverts commit 96424c143dd818b391d9b8da18249eca1d2e6c83. The commit changed libiwinfo's internal ABI which breaks a number of downstream projects, including LuCI and rpcd-mod-iwinfo. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* iwinfo: update to latest Git HEADDavid Bauer2020-02-042-12/+3
| | | | | | | | | eba5a20 iwinfo: add device id for BCM43602 a6914dc iwinfo: add BSS load element to scan result bb21698 iwinfo: add device id for Atheros AR9287 7483398 iwinfo: add device id for MediaTek MT7615E Signed-off-by: David Bauer <mail@david-bauer.net>
* bcm4xxx: fix iwinfo behaviourJohn Crispin2020-02-041-0/+9
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* iptables: set-dscpmark follow upstreamimg attemptKevin Darbyshire-Bryant2020-01-313-215/+460
| | | | | | | | | | | I'm having another attempt at trying to getting the 'store dscp into conntrack connmark' functionality into upstream kernel, since the restore function (act_ctinfo) has been accepted. The syntax has changed from 'savedscp' to 'set-dscpmark' since that conforms more closely with existing functionality. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: add back support for passing CSA events from sta/mesh to AP interfacesFelix Fietkau2020-01-291-0/+129
| | | | | | | | Fixes handling CSA when using AP+STA or AP+Mesh This change was accidentally dropped in commit 167028b75 ("hostapd: Update to version 2.9 (2019-08-08)") Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wireguard: bump to 0.0.20200128Jason A. Donenfeld2020-01-281-2/+2
| | | | | | This fixes a few small oversights for the 5.5 compat layer. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: unconditionally enable ap/mesh for wpa-cliFelix Fietkau2020-01-281-1/+7
| | | | | | | Without this change, wpa-cli features depend on which wpad build variant was used to build the wpa-cli package Signed-off-by: Felix Fietkau <nbd@nbd.name>
* hostapd: remove some bashismsSven Roederer2020-01-261-3/+3
| | | | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de> [remove shebang, slightly facelift commit title/message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* 6in4/6in4.sh: remove some bashism (usage of [[)Sven Roederer2020-01-261-1/+1
| | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* netifd/config.sh: remove some bashism (usage of [[)Sven Roederer2020-01-261-1/+1
| | | | | | | "[[" is a bash extension for test. As the ash-implementation is not fully compatible we drop its usage. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* wireguard-tools: bump to 1.0.20200121Jason A. Donenfeld2020-01-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Makefile: remove pwd from compile output * Makefile: add standard 'all' target * Makefile: evaluate git version lazily Quality of life improvements for packagers. * ipc: simplify inflatable buffer and add fuzzer * fuzz: add generic command argument fuzzer * fuzz: add set and setconf fuzzers More fuzzers and a slicker string list implementation. These fuzzers now find themselves configuring wireguard interfaces from scratch after several million mutations, which is fun to watch. * netlink: make sure to clear return value when trying again Prior, if a dump was interrupted by a concurrent set operation, we'd try again, but forget to reset an error flag, so we'd keep trying again forever. Now we do the right thing and succeed when we succeed. * Makefile: sort inputs to linker so that build is reproducible Earlier versions of make(1) passed GLOB_NOSORT to glob(3), resulting in the linker receiving its inputs in a filesystem-dependent order. This screwed up reproducible builds. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wireguard: bump to 0.0.20200121Jason A. Donenfeld2020-01-241-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Makefile: strip prefixed v from version.h This fixes a mistake in dmesg output and when parsing the sysfs entry in the filesystem. * device: skb_list_walk_safe moved upstream This is a 5.6 change, which we won't support here, but it does make the code cleaner, so we make this change to keep things in sync. * curve25519: x86_64: replace with formally verified implementation This comes from INRIA's HACL*/Vale. It implements the same algorithm and implementation strategy as the code it replaces, only this code has been formally verified, sans the base point multiplication, which uses code similar to prior, only it uses the formally verified field arithmetic alongside reproducable ladder generation steps. This doesn't have a pure-bmi2 version, which means haswell no longer benefits, but the increased (doubled) code complexity is not worth it for a single generation of chips that's already old. Performance-wise, this is around 1% slower on older microarchitectures, and slightly faster on newer microarchitectures, mainly 10nm ones or backports of 10nm to 14nm. This implementation is "everest" below: Xeon E5-2680 v4 (Broadwell) armfazh: 133340 cycles per call everest: 133436 cycles per call Xeon Gold 5120 (Sky Lake Server) armfazh: 112636 cycles per call everest: 113906 cycles per call Core i5-6300U (Sky Lake Client) armfazh: 116810 cycles per call everest: 117916 cycles per call Core i7-7600U (Kaby Lake) armfazh: 119523 cycles per call everest: 119040 cycles per call Core i7-8750H (Coffee Lake) armfazh: 113914 cycles per call everest: 113650 cycles per call Core i9-9880H (Coffee Lake Refresh) armfazh: 112616 cycles per call everest: 114082 cycles per call Core i3-8121U (Cannon Lake) armfazh: 113202 cycles per call everest: 111382 cycles per call Core i7-8265U (Whiskey Lake) armfazh: 127307 cycles per call everest: 127697 cycles per call Core i7-8550U (Kaby Lake Refresh) armfazh: 127522 cycles per call everest: 127083 cycles per call Xeon Platinum 8275CL (Cascade Lake) armfazh: 114380 cycles per call everest: 114656 cycles per call Achieving these kind of results with formally verified code is quite remarkable, especialy considering that performance is favorable for newer chips. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: fix faulty WMM IE parameters with ETSI regulatory domainsFelix Fietkau2020-01-232-0/+88
| | | | | | | | hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP. The code for applying those values had a few bugs leading to bogus values, which caused significant latency and packet loss. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* curl: update to version 7.68.0 (security fix)Jan Pavlinec2020-01-211-3/+3
| | | | | | | Fixes CVE-2019-15601 Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
* netifd: add basic support for jail network namespacesDaniel Golle2020-01-211-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prepare netifd for handling procd service jails having their own network namespace. Intefaces having the jail attribute will only be brought up inside the jail's network namespace by procd calling the newly introduced ubus method 'netns_updown'. Currently proto 'static' is supported and configuration changes are not yet being handled (ie. you'll have to restart the jailed service for changes to take effect). Example /etc/config/network snippet: config device 'veth0' option type 'veth' option name 'vhost0' option peer_name 'virt0' config interface 'virt' option type 'bridge' list ifname 'vhost0' option proto 'static' option ipaddr '10.0.0.1' option netmask '255.255.255.0' config interface 'virt0' option ifname 'virt0' option proto 'static' option ipaddr '10.0.0.2' option netmask '255.255.255.0' option gateway '10.0.0.1' option dns '10.0.0.1' option jail 'transmission' Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* odhcpd: update to version 2020-01-14Hans Dedecker2020-01-161-3/+3
| | | | | | | | | 6db312a dhcpv6-ia: use dhcp leasetime to set preferred/valid statefull lifetimes 2520c48 dhcpv6-ia: introduce DHCPv6 pd and ia assignments flags b413d8a dhcpv6-ia: cleanup prefix delegation routes b0902af dhcpv6-ia: remove passing interface as parameter to apply_lease Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add support for system cert bundle validationDavid Lam2020-01-162-6/+15
| | | | | | | | | | | | | | Currently, it is very cumbersome for a user to connect to a WPA-Enterprise based network securely because the RADIUS server's CA certificate must first be extracted from the EAPOL handshake using tcpdump or other methods before it can be pinned using the ca_cert(2) fields. To make this process easier and more secure (combined with changes in openwrt/openwrt#2654), this commit adds support for validating against the built-in CA bundle when the ca-bundle package is installed. Related LuCI changes in openwrt/luci#3513. Signed-off-by: David Lam <david@thedavid.net> [bump PKG_RELEASE] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* hostapd: cleanup IBSS-RSNDaniel Golle2020-01-162-6/+2
| | | | | | set noscan also for IBSS and remove redundant/obsolete variable. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* dropbear: fix compile errorJohn Crispin2020-01-151-1/+2
| | | | | Fixes: 0da193ee6943 ("dropbear: move failsafe code out of base-files") Signed-off-by: John Crispin <john@phrozen.org>
* wireguard: skip peer config if public key of the peer is not definedFlorian Eckert2020-01-151-0/+5
| | | | | | | | | | | | | | | If a config section of a peer does not have a public key defined, the whole interface does not start. The following log is shown daemon.notice netifd: test (21071): Line unrecognized: `PublicKey=' daemon.notice netifd: test (21071): Configuration parsing erro The command 'wg show' does only show the interface name. With this change we skip the peer for this interface and emit a log message. So the other peers get configured. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uhttpd: add enable instance optionFlorian Eckert2020-01-152-1/+5
| | | | | | | | With this change it is now possible to switch off single instances of the uhttpd config. Until now it was only possible to switch all instances of uhttpd on or off. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* hostapd: add wpa_strict_rekey supportKyle Copperfield2020-01-151-1/+3
| | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Rekey GTK on STA disassociate Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_requiredKyle Copperfield2020-01-152-3/+12
| | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Allows dtim_period to be configurable, the default is from hostapd. Adds additional regulatory tunables for power constraint and spectrum managment. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* dropbear: move failsafe code out of base-filesKyle Copperfield2020-01-152-1/+10
| | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Failsafe code of dropbear should be in the dropbear package not the base-files package. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
* hostapd: add support for subject validationDavid Lam2020-01-142-1/+93
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The wpa_supplicant supports certificate subject validation via the subject match(2) and altsubject_match(2) fields. domain_match(2) and domain_suffix_match(2) fields are also supported for advanced matches. This validation is especially important when connecting to access points that use PAP as the Phase 2 authentication type. Without proper validation, the user's password can be transmitted to a rogue access point in plaintext without the user's knowledge. Most organizations already require these attributes to be included to ensure that the connection from the STA and the AP is secure. Includes LuCI changes via openwrt/luci#3444. From the documentation: subject_match - Constraint for server certificate subject. This substring is matched against the subject of the authentication server certificate. If this string is set, the server sertificate is only accepted if it contains this string in the subject. The subject string is in following format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as .example.com subject_match2 - Constraint for server certificate subject. This field is like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. altsubject_match - Constraint for server certificate alt. subject. Semicolon separated string of entries to be matched against the alternative subject name of the authentication server certificate. If this string is set, the server sertificate is only accepted if it contains one of the entries in an alternative subject name extension. altSubjectName string is in following format: TYPE:VALUE Example: EMAIL:server@example.com Example: DNS:server.example.com;DNS:server2.example.com Following types are supported: EMAIL, DNS, URI altsubject_match2 - Constraint for server certificate alt. subject. This field is like altsubject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_match - Constraint for server domain name. If set, this FQDN is used as a full match requirement for the server certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same full match comparison. This behavior is similar to domain_suffix_match, but has the requirement of a full match, i.e., no subdomains or wildcard matches are allowed. Case-insensitive comparison is used, so "Example.com" matches "example.com", but would not match "test.Example.com". More than one match string can be provided by using semicolons to separate the strings (e.g., example.org;example.com). When multiple strings are specified, a match with any one of the values is considered a sufficient match for the certificate, i.e., the conditions are ORed together. domain_match2 - Constraint for server domain name. This field is like domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_suffix_match - Constraint for server domain name. If set, this FQDN is used as a suffix match requirement for the AAA server certificate in SubjectAltName dNSName element(s). If a matching dNSName is found, this constraint is met. If no dNSName values are present, this constraint is matched against SubjectName CN using same suffix match comparison. Suffix match here means that the host/domain name is compared one label at a time starting from the top-level domain and all the labels in domain_suffix_match shall be included in the certificate. The certificate may include additional sub-level labels in addition to the required labels. More than one match string can be provided by using semicolons to separate the strings (e.g., example.org;example.com). When multiple strings are specified, a match with any one of the values is considered a sufficient match for the certificate, i.e., the conditions are ORed together. For example, domain_suffix_match=example.com would match test.example.com but would not match test-example.com. This field is like domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. domain_suffix_match2 - Constraint for server domain name. This field is like domain_suffix_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication. Signed-off-by: David Lam <david@thedavid.net>
* odhcpd: activate PIE ASLR by defaultPetr Štetiar2020-01-141-0/+1
| | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. Size increase on x86/64: odhcpd-ipv6only Installed-Size: 36821 -> 38216 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* uhttpd: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 39% uncompressed and 21% compressed on MIPS BE. old: 33,189 /usr/sbin/uhttpd 23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk new: 46,212 /usr/sbin/uhttpd 27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>
* hostapd: Activate PIE by defaultHauke Mehrtens2020-01-131-0/+1
| | | | | | | | | | | | | | | | | | | This activates PIE ASLR support by default when the regular option is selected. This increases the binary size by 26% uncompressed and 16% compressed on MIPS BE. old: 460,933 /usr/sbin/wpad 283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk new: 584,508 /usr/sbin/wpad 330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Petr Štetiar <ynezz@true.cz>