aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
* wireguard: bump to 0.0.20181119Jason A. Donenfeld2018-11-191-2/+2
| | | | | | | | | | | | | | | | | | | * chacha20,poly1305: fix up for win64 * poly1305: only export neon symbols when in use * poly1305: cleanup leftover debugging changes * crypto: resolve target prefix on buggy kernels * chacha20,poly1305: don't do compiler testing in generator and remove xor helper * crypto: better path resolution and more specific generated .S * poly1305: make frame pointers for auxiliary calls * chacha20,poly1305: do not use xlate This should fix up the various build errors, warnings, and insertion errors introduced by the previous snapshot, where we added some significant refactoring. In short, we're trying to port to using Andy Polyakov's original perlasm files, and this means quite a lot of work to re-do that had stableized in our old .S. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* netifd: update to latest git HEADHans Dedecker2018-11-191-3/+3
| | | | | | | | | 4b83102 treewide: switch to C-code style comments 70506bf treewide: make some functions static d9872db interface: fix removal of dynamic interfaces 2f7ef7d interface: rework code to get rid of interface_set_dynamic Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 0.0.20181115Jason A. Donenfeld2018-11-161-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * Zinc no longer ships generated assembly code. Rather, we now bundle in the original perlasm generator for it. The primary purpose of this snapshot is to get testing of this. * Clarify the peer removal logic and make lifetimes more precise. * Use READ_ONCE for is_valid and is_dead. * No need to use atomic when the recounter is mutex protected. * Fix up macros and annotations in allowedips. * Increment drop counter when staged packets are dropped. * Use static constants instead of enums for 64-bit values in selftest. * Mark large constants as ULL in poly1305-donna64. * Fix sparse warnings in allowedips debugging code. * Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can carefully control the lifetime of these functions and ensure they never execute after dropping the last reference. * Cleanup hashing in ratelimiter. * Do not guard timer removals, since del_timer is always okay. * We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a bit more general. * Set csum_level to ~0, since the poly1305 authenticator certainly means that no data was modified in transit. * Use CHECKSUM_PARTIAL check for skb_checksum_help instead of skb_checksum_setup check. * wg.8: specify that wg(8) shows runtime info too * wg.8: AllowedIPs isn't actually required * keygen-html: add missing glue macro * wg-quick: android: do not choke on empty allowed-ips Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* hostapd: add utf8_ssid flag & enable as defaultKevin Darbyshire-Bryant2018-11-142-3/+5
| | | | | | | | | | | | | SSIDs may contain UTF8 characters but ideally hostapd should be told this is the case so it can advertise the fact. Default enable this option. add uci option utf8_ssid '0'/'1' for disable/enable e.g. config wifi-iface option utf8_ssid '0' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* Revert "iptables: fix dependency for libip6tc on IPV6"Petr Štetiar2018-11-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reverts commit 2dc1f54b1205094e7c6036cae6275d2c326bad3e as it breaks the build for me on x86-64 if I've IPV6 support disabled. Same config builds fine on `openwrt-18.06` branch at 55d078b2. $ grep IPV6 .config # CONFIG_KERNEL_IPV6 is not set # CONFIG_IPV6 is not set Build errors out on: Package libiptc is missing dependencies for the following libraries: libip6tc.so.0 Looking at iptables-1.6.2/libiptc/Makefile.am: libiptc_la_LIBADD = libip4tc.la libip6tc.la and to iptables-1.6.2/libiptc/libiptc.pc.in: Requires: libip4tc libip6tc It seems that libiptc needs v4/v6 libs, so v6 isn't optional. Cc: Rosy Song <rosysong@rosinson.com> Signed-off-by: Petr Štetiar <ynezz@true.cz>
* ethtool: update to 4.19Hans Dedecker2018-11-101-2/+2
| | | | | | | | | 8a1ad80 Release version 4.19. ecdf295 ethtool: Fix uninitialized variable use at qsfp dump 98c148e ethtool: better syntax for combinations of FEC modes d4b9f3f ethtool: support combinations of FEC modes Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: update to 4.19.0Hans Dedecker2018-11-085-1671/+9
| | | | | | | | Update to the latest version of iproute2; see https://lwn.net/Articles/769354/ for a full overview of the changes in 4.19. Remove 190-add-cake-to-tc patch as CAKE qdisc is now supported in 4.19.0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iperf: allow non-ipv6 buildsAlexander Couzens2018-11-032-1/+27
| | | | | | | | Add configure argument --disable-ipv6 when ipv6 is deselected. Add fix-non-ipv6-builds.patch as long there is no new upstream release. Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* curl: noop commit to refer CVEs fixed in 7.62.0Hans Dedecker2018-11-021-1/+0
| | | | | | | | | | | | | When bumping Curl to 7.62.0 in commit 278e4eba09 I did not include the fixed CVEs in the commit message; this commit fixes this. The following CVEs were fixed in 7.62.0 : CVE-2018-16839 CVE-2018-16840 CVE-2018-16842 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* curl: bump to 7.62.0Hans Dedecker2018-10-312-3/+3
| | | | | | Refresh patches, for changes in version 7.62.0 see https://curl.haxx.se/changes.html#7_62_0 Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: tighten config file permissionsKevin Darbyshire-Bryant2018-10-301-6/+6
| | | | | | | | | | | | | | | | | | Install following as config files (600) perms instead of as data (644) /usr/share/dnsmasq/dhcpbogushostname.conf /usr/share/dnsmasq/trust-anchors.conf /usr/share/dnsmasq/rfc6761.conf /etc/hotplug.d/ntp/25-dnsmasqsec /etc/config/dhcp /etc/dnsmasq.conf dnsmasq reads relevant config files before dropping root privilege and running as dnsmasq:dnsmasq ntpd runs as root so the hotplug script is still accessible Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80Kevin Darbyshire-Bryant2018-10-191-4/+4
| | | | | | | | | | dnsmasq v2.80 release Change from rc1: 91421cb Fix compiler warning. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iproute2: install ip-tiny and ip-full in /usr/libexecHans Dedecker2018-10-181-7/+7
| | | | | | | Install the ip-tiny and ip-full variants in /usr/libexec as the suffixed ip variants are not meant to be called directly Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 0.0.20181018Jason A. Donenfeld2018-10-181-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | ba2ab5d version: bump snapshot 5f59c76 tools: wg-quick: wait for interface to disappear on freebsd ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent 8432585 main: get rid of unloaded debug message 139e57c tools: compile on gnu99 d65817c tools: use libc's endianness macro if no compiler macro f985de2 global: give if statements brackets and other cleanups b3a5d8a main: change module description 296d505 device: use textual error labels always 8bde328 allowedips: swap endianness early on a650d49 timers: avoid using control statements in macro db4dd93 allowedips: remove control statement from macro by rewriting 780a597 global: more nits 06b1236 global: rename struct wireguard_ to struct wg_ 205dd46 netlink: do not stuff index into nla type 2c6b57b qemu: kill after 20 minutes 6f2953d compat: look in Kbuild and Makefile since they differ based on arch a93d7e4 create-patch: blacklist instead of whitelist 8d53657 global: prefix functions used in callbacks with wg_ 123f85c compat: don't output for grep errors Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* netifd: update to latest git HEADHans Dedecker2018-10-171-3/+3
| | | | | | | 841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels 125cbee system-linux: fix a typo in gre tunnel data parsing logic Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* gre: make encaplimit support configurableHans Dedecker2018-10-172-2/+4
| | | | | | | | | | | Make inclusion of the destination option header containing the tunnel encapsulation limit configurable for IPv6 GRE packets. Setting the uci parameter encaplimit to ignore; allows to disable the insertion of the destination option header in the IPv6 GRE packets. Otherwise the tunnel encapsulation limit value can be set to a value from 0 till 255 by setting the encaplimit uci parameter accordingly. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: add basic variantKevin Darbyshire-Bryant2018-10-164-0/+1016
| | | | | | | | Add a basic variant which provides WPA-PSK only, 802.11r and 802.11w and is intended to support 11r & 11w (subject to driver support) out of the box. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* ppp: don't start ppp with IPv6 support if ipv6 is not supportedRosy Song2018-10-162-5/+8
| | | | | Signed-off-by: Rosy Song <rosysong@rosinson.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: fix MAC filter related log spamJo-Philipp Wich2018-10-164-11/+78
| | | | | | | | Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages. Fixes: FS#1468 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: fix dnsmasq failure to start when ujail'dChristian Lamparter2018-10-162-2/+2
| | | | | | | | | | | | | | This patch fixes jailed dnsmasq running into the following issue: |dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory |dnsmasq[1]: FAILED to start up |procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash Fixes: a45f4f50e16 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349") Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [bump package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80rc1Kevin Darbyshire-Bryant2018-10-162-32/+4
| | | | | | | | | | | | 53792c9 fix typo df07182 Update German translation. Remove local patch 001-fix-typo which is a backport of the above 53792c9 There is no practical difference between our test8 release and this rc release, but this does at least say 'release candidate' Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: fix compile issueHans Dedecker2018-10-151-0/+28
| | | | | | Fix compile issue in case HAVE_BROKEN_RTC is enabled Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* hostapd: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise)Hauke Mehrtens2018-10-143-5/+18
| | | | | | | | | | | | This adds support for the WPA3-Enterprise mode authentication. The settings for the WPA3-Enterpriese mode are defined in WPA3_Specification_v1.0.pdf. This mode also requires ieee80211w and guarantees at least 192 bit of security. This does not increase the ipkg size by a significant size. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Activate Opportunistic Wireless Encryption (OWE)Hauke Mehrtens2018-10-143-4/+21
| | | | | | | | | | | | | | | | | | OWE is defined in RFC 8110 and provides encryption and forward security for open networks. This is based on the requirements in the Wifi alliance document Opportunistic_Wireless_Encryption_Specification_v1.0_0.pdf The wifi alliance requires ieee80211w for the OWE mode. This also makes it possible to configure the OWE transission mode which allows it operate an open and an OWE BSSID in parallel and the client should only show one network. This increases the ipkg size by 5.800 Bytes. Old: 402.541 Bytes New: 408.341 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: Activate Simultaneous Authentication of Equals (SAE)Hauke Mehrtens2018-10-143-9/+42
| | | | | | | | | | | | | | | | | | | | This build the full openssl and wolfssl versions with SAE support which is the main part of WPA3 PSK. This needs elliptic curve cryptography which is only provided by these two external cryptographic libraries and not by the internal implementation. The WPA3_Specification_v1.0.pdf file says that in SAE only mode Protected Management Frames (PMF) is required, in mixed mode with WPA2-PSK PMF should be required for clients using SAE, and optional for clients using WPA2-PSK. The defaults are set now accordingly. This increases the ipkg size by 8.515 Bytes. Old: 394.026 Bytes New: 402.541 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: SAE: Do not ignore option sae_require_mfpHauke Mehrtens2018-10-141-0/+26
| | | | | | This patch was send for integration into the hostapd project. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: backport build fix when OWE is activatedHauke Mehrtens2018-10-145-18/+35
| | | | | | This backports a compile fix form the hostapd project. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* hostapd: sync config with default configurationHauke Mehrtens2018-10-145-35/+41
| | | | | | | | | This replaces the configuration files with the versions from the hostapd project and the adaptions done by OpenWrt. The resulting binaries should be the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* netifd: update to latest git HEADHauke Mehrtens2018-10-141-2/+2
| | | | | | | | 22476ff wireless: Add Simultaneous Authentication of Equals (SAE) c6c3a0d wireless: Add Opportunistic Wireless Encryption (OWE) a117e41 wireless: Add WPA-EAP-SUITE-B-192 (WPA3-Enterprise) Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uqmi: fix variable initilization for timeout handlingFlorian Eckert2018-10-121-0/+2
| | | | | | Also add logging output for SIM initilization. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: update PKG_RELEASE versionFlorian Eckert2018-10-111-1/+1
| | | | | | update PKG_RELEASE Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: stop proto handler if verify pin count is not 3Florian Eckert2018-10-111-0/+7
| | | | | | | | Check pin count value from pin status and stop verification the pin if the value is less then 3. This should prevent the proto-handler to lock the SIM. If SIM is locked then the PUK is needed. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: evaluate pin-status output in qmi_setup functionFlorian Eckert2018-10-111-7/+49
| | | | | | | | | | | | | | | | | | | | | | Load the json output from uqmi --get-pin-status command and evaluate the "pin1_status" value. The following uqmi "pin1_status" values are evaluated: - disabled Do not verify PIN because SIM verification is disabled on this SIM - blocked Stop qmi_setup because SIM is locked and a PUK is required - not_verified SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is specified - verified: Do not verify the PIN because this was already done before Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: do not block proto handler if SIM is uninitializedFlorian Eckert2018-10-111-1/+9
| | | | | | | | QMI proto setup-handler will wait forever if SIM does not get initialized. To fix this stop polling pin status and notify netifd. Netifd will generate then a "ifup-failed" ACTION. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: do not block proto handler if modem is unable to registrateFlorian Eckert2018-10-111-1/+10
| | | | | | | | QMI proto setup-handler will wait forever if it is unable to registrate to the mobile network. To fix this stop polling network registration status and notify netifd. Netifd will generate then a "ifup-failed" ACTION. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: add timeout option valueFlorian Eckert2018-10-111-2/+5
| | | | | | | | | | | This value will be used for now during following situations: * Ask the sim with the uqmi --get-pin-status command. * Wait for network registration with the uqmi --get-serving-system command. This two commands wait forever in a while loop. Add a timeout to stop waiting and so inform netifd. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: redirect uqmi commands output to /dev/nullFlorian Eckert2018-10-111-12/+12
| | | | | | | Move uqmi std and error output on commands without using them to /dev/null. This will remove useless outputs in the syslog. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* uqmi: fix indentingFlorian Eckert2018-10-111-16/+16
| | | | | | fix indenting Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* package/: fix $(PROJECT_GIT) usageJohn Crispin2018-10-111-1/+1
| | | | Signed-off-by: John Crispin <john@phrozen.org>
* linux-atm: Install hotplug file as 600Rosen Penev2018-10-111-2/+2
| | | | | | The hotplug files is only used by procd, which runs as root. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* comgt: Install hotplug and netifd files as 600Rosen Penev2018-10-111-3/+3
| | | | | | procd and netifd both run as root. These files are not used elsewhere. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* samba36: Install several config files as 600Rosen Penev2018-10-111-4/+4
| | | | | | | Hotplug is managed by procd, which runs as root. The other files are used by root as well. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* soloscli: Install hotplug file as 600Rosen Penev2018-10-111-2/+2
| | | | | | Hotplug is managed by procd, which runs as root. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* firewall: Install config files as 600Rosen Penev2018-10-111-6/+6
| | | | | | None of the files in firewall are used by non-root. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* dnsmasq: add dhcp-ignore-names support - CERT VU#598349Kevin Darbyshire-Bryant2018-10-093-1/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for specific hostnames. Clients claiming certain hostnames and thus claiming DNS namespace represent a potential security risk. e.g. a malicious host could claim 'wpad' for itself and redirect other web client requests to it for nefarious purpose. See CERT VU#598349 for more details. Some Samsung TVs are claiming the hostname 'localhost', it is believed not (yet) for nefarious purposes. /usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames in correct syntax to be excluded. e.g. dhcp-name-match=set:dhcp_bogus_hostname,localhost Inclusion of this file is controlled by uci option dhcpbogushostname which is enabled by default. To be absolutely clear, DHCP leases to these requesting hosts are still permitted, but they do NOT get to claim ownership of the hostname itself and hence put into DNS for other hosts to be confused/manipulate by. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 0.0.20181007Kevin Darbyshire-Bryant2018-10-091-2/+2
| | | | | | | | | | | | | | | 64750c1 version: bump snapshot f11a2b8 global: style nits 4b34b6a crypto: clean up remaining .h->.c 06d9fc8 allowedips: document additional nobs c32b5f9 makefile: do more generic wildcard so as to avoid rename issues 20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1 b6e09f6 crypto: disable broken implementations in selftests fd50f77 compat: clang cannot handle __builtin_constant_p bddaca7 compat: make asm/simd.h conditional on its existence b4ba33e compat: account for ancient ARM assembler Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* dnsmasq: bump to v2.80test8Kevin Darbyshire-Bryant2018-10-071-2/+2
| | | | | | | | | | | e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading. 0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN. ee1df06 Tweak strategy for confirming SLAAC addresses. 1e87eba Clarify manpage for --auth-sec-servers 0893347 Make interface spec optional in --auth-server. 7cbf497 Example config file fix for CERT Vulnerability VU#598349. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iperf: fix --daemon optionRafał Miłecki2018-10-073-1/+205
| | | | | | | | | | | | | | | Support for -D got broken in the 2.0.11 release by the upstream commit 218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that commit clients were still able to connect but no traffic was passed. It was reported and is fixed now in the upstream git repository. Backport two patches to fix this. The first one is just a requirement for the later to apply. The second one is the real fix and it needed only a small adjustment to apply without backporing the commit 10887b59c7e7 ("fix --txstart-time report messages"). Fixes: 457e6d5a27be ("iperf: bump to 2.0.12") Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* odhcpd: update to latest git HEAD (FS#1853)Hans Dedecker2018-10-071-4/+4
| | | | | | | | 57f639e (HEAD -> master, origin/master, origin/HEAD) odhcpd: make DHCPv6/RA/NDP support optional 402c274 dhcpv6: check return code of dhcpv6_ia_init() ee7472a router: don't leak RA message in relay mode (FS#1853) Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iw: strip a few more non-essential features from iw-tinyFelix Fietkau2018-10-071-1/+46
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>