aboutsummaryrefslogtreecommitdiffstats
path: root/package/network
Commit message (Collapse)AuthorAgeFilesLines
...
* firewall: bump to git HEADStijn Tintel2018-08-131-3/+3
| | | | | | | | 12a7cf9 Add support for DSCP matches and target 06fa692 defaults: use a generic check_kmod() function 1c4d5bc defaults: fix check_kmod() function Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* wireguard: bump to 0.0.20180809Jason A. Donenfeld2018-08-121-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * send: switch handshake stamp to an atomic Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize. * compat: better atomic acquire/release backport This should fix compilation and correctness on several platforms. * crypto: move simd context to specific type This was a suggestion from Andy Lutomirski on LKML. * chacha20poly1305: selftest: use arrays for test vectors We no longer have lines so long that they're rejected by SMTP servers. * qemu: add easy git harness This makes it a bit easier to use our qemu harness for testing our mainline integration tree. * curve25519-x86_64: avoid use of r12 This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register. * chacha20: use memmove in case buffers overlap A small correctness fix that we never actually hit in WireGuard but is important especially for moving this into a general purpose library. * curve25519-hacl64: simplify u64_eq_mask * curve25519-hacl64: correct u64_gte_mask Two bitmath fixes from Samuel, which come complete with a z3 script proving their correctness. * timers: include header in right file This fixes compilation in some environments. * netlink: don't start over iteration on multipart non-first allowedips Matt Layher found a bug where a netlink dump of peers would never terminate in some circumstances, causing wg(8) to keep trying forever. We now have a fix as well as a unit test to mitigate this, and we'll be looking to create a fuzzer out of Matt's nice library. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* wpa_supplicant: fix CVE-2018-14526John Crispin2018-08-101-0/+48
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unauthenticated EAPOL-Key decryption in wpa_supplicant Published: August 8, 2018 Identifiers: - CVE-2018-14526 Latest version available from: https://w1.fi/security/2018-1/ Vulnerability A vulnerability was found in how wpa_supplicant processes EAPOL-Key frames. It is possible for an attacker to modify the frame in a way that makes wpa_supplicant decrypt the Key Data field without requiring a valid MIC value in the frame, i.e., without the frame being authenticated. This has a potential issue in the case where WPA2/RSN style of EAPOL-Key construction is used with TKIP negotiated as the pairwise cipher. It should be noted that WPA2 is not supposed to be used with TKIP as the pairwise cipher. Instead, CCMP is expected to be used and with that pairwise cipher, this vulnerability is not applicable in practice. When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data field is encrypted using RC4. This vulnerability allows unauthenticated EAPOL-Key frames to be processed and due to the RC4 design, this makes it possible for an attacker to modify the plaintext version of the Key Data field with bitwise XOR operations without knowing the contents. This can be used to cause a denial of service attack by modifying GTK/IGTK on the station (without the attacker learning any of the keys) which would prevent the station from accepting received group-addressed frames. Furthermore, this might be abused by making wpa_supplicant act as a decryption oracle to try to recover some of the Key Data payload (GTK/IGTK) to get knowledge of the group encryption keys. Full recovery of the group encryption keys requires multiple attempts (128 connection attempts per octet) and each attempt results in disconnection due to a failure to complete the 4-way handshake. These failures can result in the AP/network getting disabled temporarily or even permanently (requiring user action to re-enable) which may make it impractical to perform the attack to recover the keys before the AP has already changes the group keys. By default, wpa_supplicant is enforcing at minimum a ten second wait time between each failed connection attempt, i.e., over 20 minutes waiting to recover each octet while hostapd AP implementation uses 10 minute default for GTK rekeying when using TKIP. With such timing behavior, practical attack would need large number of impacted stations to be trying to connect to the same AP to be able to recover sufficient information from the GTK to be able to determine the key before it gets changed. Vulnerable versions/configurations All wpa_supplicant versions. Acknowledgments Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU Leuven for discovering and reporting this issue. Possible mitigation steps - Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This can be done also on the AP side. - Merge the following commits to wpa_supplicant and rebuild: WPA: Ignore unauthenticated encrypted EAPOL-Key data This patch is available from https://w1.fi/security/2018-1/ - Update to wpa_supplicant v2.7 or newer, once available Signed-off-by: John Crispin <john@phrozen.org>
* odhcp6c: apply IPv6/ND configuration earlierHans Dedecker2018-08-092-8/+9
| | | | | | | | | | Apply IPv6/ND configuration before proto_send_update so that all config info is available when netifd is handling the notify_proto ubus call. In particular this fixes an issue when netifd is updating the downstream IPv6 mtu as netifd was still using the not yet updated upstream IPv6 mtu to set the downstream IPv6 mtu Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: remove libutil from InstallDev sectionHans Dedecker2018-08-091-3/+2
| | | | | | | | | | | Commit 4d961538f6 added libutil to the iproute2 InstallDev section but lead to compile issues with packages picking up the wrong libutil since libutil is quite a generic name ... Further libutil is rather meant for internal usage in iproute2 than a public API; therefore let's remove it from the InstallDev section together with ll_map.h Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* netifd: update to latest git HEADHans Dedecker2018-08-091-3/+3
| | | | | | 115a694 interface-ip: always override downstream IPv6 mtu Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* iproute2: add libutil to InstallDev sectionHans Dedecker2018-08-081-0/+1
| | | | | | | | In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil library; add libutil as well to the staging dir in order to keep support for ll_map Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wireguard: bump to 0.0.20180802Jason A. Donenfeld2018-08-041-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changelog taken from the version announcement > == Changes == > > * chacha20poly1305: selftest: split up test vector constants > > The test vectors are encoded as long strings -- really long strings -- and > apparently RFC821 doesn't like lines longer than 998. > https://cr.yp.to/smtp/message.html > > * queueing: keep reference to peer after setting atomic state bit > > This fixes a regression introduced when preparing the LKML submission. > > * allowedips: prevent double read in kref > * allowedips: avoid window of disappeared peer > * hashtables: document immediate zeroing semantics > * peer: ensure resources are freed when creation fails > * queueing: document double-adding and reference conditions > * queueing: ensure strictly ordered loads and stores > * cookie: returned keypair might disappear if rcu lock not held > * noise: free peer references on failure > * peer: ensure destruction doesn't race > > Various fixes, as well as lots of code comment documentation, for a > small variety of the less obvious aspects of object lifecycles, > focused on correctness. > > * allowedips: free root inside of RCU callback > * allowedips: use different macro names so as to avoid confusion > > These incorporate two suggestions from LKML. > > This snapshot contains commits from: Jason A. Donenfeld and Jann Horn. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* iproute2: cake: make gso/gro splitting configurableKevin Darbyshire-Bryant2018-08-022-2/+11
| | | | | | | | | | | | | | | | | | This patch makes sch_cake's gso/gro splitting configurable from userspace. To disable breaking apart superpackets in sch_cake: tc qdisc replace dev whatever root cake no-split-gso to enable: tc qdisc replace dev whatever root cake split-gso Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> Signed-off-by: Dave Taht <dave.taht@gmail.com> [pulled from netdev list - no API/ABI change] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* iperf: bump to 2.0.12Koen Vandeputte2018-08-021-2/+2
| | | | | | | | | | | | | | | | | | | Fixes the annoying 'feature' were TTL was set to "1" by default .. Users had to specify -T manually to test outside the own network. 2.0.12 change set (as of June 25th 2018) o Change the unicast TTL default value from 1 to the system default (to be compatable with previous versions.) Multicast still defaults to 1. o adpative formatting bug fix: crash occurs when values exceed 1 Tera. Add support for Tera and Peta and eliminate the potential crash condition o configure default compile to include isochronous support (use configure --disable-isochronous to remove support) o replace 2.0.11's --vary-load option with a more general -b option to include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log normal distribution every 0.1 seconds o fixes for windows cross compile (using mingw32) o compile flags of -fPIE for android o configure --enable-checkprograms to compile ancillary binaries used to test things such as delay, isoch, pdf generation o compile tests when trying to use 64b seq numbers on a 32b platform o Fix GCC ver 8 warnings Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* nftables: allow to build with json supportRosy Song2018-08-011-1/+12
| | | | Signed-off-by: Rosy Song <rosysong@rosinson.com>
* iwinfo: update to latest Git HEADJo-Philipp Wich2018-07-311-3/+3
| | | | | | | | a514139 build: compile with -ffunction-sections, -fdata-sections and LTO 3c30b17 wl: only invoke nvram executable if it exists 65b8333 Revert "build: compile with -ffunction-sections, -fdata-sections and LTO" Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* netifd: update to latest git HEADJohn Crispin2018-07-301-2/+2
| | | | | | fix a compile error Signed-off-by: John Crispin <john@phrozen.org>
* netifd: update to latest git HEAD (FS#1668)Hans Dedecker2018-07-301-3/+3
| | | | | | | | | | | | | | 75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668) ca97097 netifd: make sure the vlan ifname fits into the buffer b8c1bca iprule: remove bogus assert calls a2f952d iprule: fix broken in_dev/out_dev checks 263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name() 291ccbb ubus: display correct prefix size for IPv6 prefix address 908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy 60293a7 replace fall throughs in switch/cases where possible with simple code changes Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* tcpdump: explicitly disable libcap-ng supportStijn Tintel2018-07-301-0/+1
| | | | | | | | When libcap-ng is detected during build, support for it is enabled. This will cause a build failure due to a missing dependency. Explicitly disable libcap-ng support to avoid this. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* hostapd: add ht and vht support in handle event function Add ht and vht ↵Nick Hainke2018-07-303-2/+45
| | | | | | capabilities. If a device sends a probe request, the capabilities are added. Signed-off-by: Nick Hainke <vincent@systemli.org>
* hostapd: add ubus call for ap featuresNick Hainke2018-07-301-0/+16
| | | | | | | | | | | The call "get_features" allows to gather hostapd config options via ubus. As first infos we add the ht and vht support. Although nl80211 supports to gather informations about ht and vht capabilities, the hostapd configuration can disable vht and ht. However, it is possible that the iw output is not representing the actual hostapd configuration. Signed-off-by: Nick Hainke <vincent@systemli.org>
* openvpn-easy-rsa: update to 3.0.4Luiz Angelo Daros de Luca2018-07-302-6/+31
| | | | | | | | | | | | | | Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf. However, pkg kept using openssl-1.0.cnf. Upstream easyrsa searchs for vars, openssl-*, x509-types in the same directory as easyrsa script. This was patched to revert back to static /etc/easy-rsa/ directory (as does OpenSUSE). EASYRSA_PKI still depends on $PWD. Move easyrsa from /usr/sbin to /usr/bin as root is not needed. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
* iptables: add ip[6|]tables-compat packages + libxtables-compat depends on ↵Martin Strobel2018-07-301-0/+59
| | | | | | | | | IPTABLES_NFTABLES allows iptables-compat to use nft packet filtering allows to translate iptables-style to nft-style Signed-off-by: Martin Strobel <arctus@crza.de>
* igmpproxy: drop SSDP packetsDmitry Tunin2018-07-302-1/+13
| | | | | | | It is insecure to let this type of packets inside They can e.g. open ports on some other routers with UPnP, etc Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
* iwinfo: update to version 2018-07-24Nick Hainke2018-07-301-4/+4
| | | | | | | | | Update to new iwinfo version. Adds support for channel survey. Adds ubus support. Etc. Signed-off-by: Nick Hainke <vincent@systemli.org>
* treewide: Bump PKG_RELEASE due to mbedtls updateDaniel Engberg2018-07-302-2/+2
| | | | | | | Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library mismatch. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* thc-ipv6: Update URLsRosen Penev2018-07-291-2/+2
| | | | | | Development has moved to GitHub. Found using UScan. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* igmpproxy: add a silent logging optionDmitry Tunin2018-07-283-5/+6
| | | | | | | | [0-3](none, minimal[default], more, maximum) It is not 100% backward compatible, because now 0 disables logging Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
* dnsmasq: bump to dnsmasq v2.80test3Kevin Darbyshire-Bryant2018-07-2820-1565/+6
| | | | | | | | | | | | | | | | | Refresh patches Upstream commits since last bump: 3b6eb19 Log DNSSEC trust anchors at startup. f3e5787 Trivial comment change. c851c69 Log failure to confirm an address in DHCPv6. a3bd7e7 Fix missing fatal errors when parsing some command-line/config options. ab5ceaf Document the --help option in the french manual 1f2f69d Fix recurrent minor spelling mistake in french manual f361b39 Fix some mistakes in french translation of the manual eb1fe15 When replacing cache entries, preserve CNAMES which target them. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wwan: Fix teardown for sierra_net driverMasashi Honma2018-07-271-1/+1
| | | | | | | The sierra_net driver is using proto_directip_setup for setup. So use proto_directip_teardown for teardown. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* ead: use new protocol setting API since libpcap 1.9.0Syrone Wong2018-07-271-3/+1
| | | | | | | Dropped the protocol API specific symbol: HAS_PROTO_EXTENSION and switch to the official API Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
* odhcpd: update to latest git HEADJo-Philipp Wich2018-07-261-4/+4
| | | | | | 44cce31 ubus: avoid dumping interface state with NULL message Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* firewall: update to latest git HEADJo-Philipp Wich2018-07-261-3/+3
| | | | | | aa8846b ubus: avoid dumping interface state with NULL message Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* utils/curl: Disable libpslDaniel Engberg2018-07-241-1/+2
| | | | | | | | | Disabled libpsl to fix build issue reported by buildbots Package libcurl is missing dependencies for the following libraries: libpsl.so.5 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* wireguard-tools: add wireguard_watchdog scriptAleksandr V. Piskunov2018-07-222-2/+63
| | | | | | | | | | | | This watchdog script tries to re-resolve hostnames for inactive WireGuard peers. Use it for peers with a frequently changing dynamic IP. persistent_keepalive must be set, recommended value is 25 seconds. Run this script from cron every minute: echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com> [bump the package release] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* wireguard: bump to 0.0.20180718Jason A. Donenfeld2018-07-221-2/+2
| | | | | | | | | | | | | | 80b41cd version: bump snapshot fe5f0f6 recieve: disable NAPI busy polling e863f40 device: destroy workqueue before freeing queue 81a2e7e wg-quick: allow link local default gateway 95951af receive: use gro call instead of plain call d9501f1 receive: account for zero or negative budget e80799b tools: only error on wg show if all interfaces failk Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> [Added commit log to commit description] Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: remove unused struct hostapd_ubus_ifaceFelix Fietkau2018-07-222-16/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iproute2: tc: backport canonical cake supportKevin Darbyshire-Bryant2018-07-212-150/+154
| | | | | | | | | | | | | | | | | | | iproute2's tc was updated to support the recently upstreamed cake qdisc. Backport this canonical support from upstream into iproute2 v4.17 There is no kernel kmod/userspace tc ABI change in this release from the previous package bump, so everyone can breath a sigh of relief. This is largely a code style change, the exception to prove the rule: option 'autorate_ingress' has been changed to 'autorate-ingress' to fit in with upstream option naming expectations. No openwrt package (e.g. sqm-scripts) has knowledge of 'autorate_ingress' thus only users who made their own scripts or used it within the 'dangerous configuration' options of sqm-scripts will be affected. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* hostapd: fix conflicts hellMathias Kresin2018-07-181-95/+47
| | | | | | | | | | | | | Add each variant to the matching PROVIDERS variables after evaluating the respective hostapd*, wpad* and wpa* variant. Each package providing the same feature will automatically conflict with all prior packages providing the same feature. This way we can handle the conflicts automatically without introducing recursive dependencies. Signed-off-by: Mathias Kresin <dev@kresin.me>
* hostapd: cleanup package definitionMathias Kresin2018-07-181-46/+48
| | | | | | | | | | | | Move common variables and/or values to the package (variant) default. Add additional values in variant packages if necessary. Remove further duplicates by introducing new templates. Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the same as the variables without the any prefix. No need to maintain both variables. Signed-off-by: Mathias Kresin <dev@kresin.me>
* igmpproxy: run in foreground for procdKevin Darbyshire-Bryant2018-07-182-2/+2
| | | | | | | | | procd needs processes to stay in foreground to remain under its gaze and control. Failure to do so means service stop commands fail to actually stop the process (procd doesn't think it's running 'cos the process has exited already as part of its forking routing) Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* firewall3: update to latest git HEADHans Dedecker2018-07-171-3/+3
| | | | | | d2bbeb7 firewall3: make reject types selectable by user Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* dnsmasq: don't use network functions at boottime (FS#1542)Hans Dedecker2018-07-172-6/+15
| | | | | | | | | | | | As dnsmasq is started earlier than netifd usage of network.sh functions at boottime will fail; therefore don't call at boottime the functions which construct the dhcp pool/relay info. As interface triggers are installed the dhcp pool/relay info will be constructed when the interface gets reported as up by netifd. At the same time also register interface triggers based on DHCP relay config. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ppp: fix building pptp pluginJo-Philipp Wich2018-07-172-1/+12
| | | | | | | | | The pptp.so plugin needs to be built with -fPIC as well in order to be linkable again. Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS") Fixes e7397eef69 ("ppp: compile with LTO enabled") Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openvpn: increase procd termination timeout to 15sJo-Philipp Wich2018-07-172-1/+2
| | | | | | | | | Increase the termination timeout to 15s to let OpenVPN properly tear down its connections, especially when weak links or complex down scripts are involved. Fixes FS#859. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dropbear: close all active clients on shutdownChristian Schoenebeck2018-07-161-0/+5
| | | | | | | | | | | | | | | | | | | | Override the default shutdown action (stop) and close all processes of dropbear Since commit 498fe85, the stop action only closes the process that's listening for new connections, maintaining the ones with existing clients. This poses a problem when restarting or shutting-down a device, because the connections with existing SSH clients, like OpenSSH, are not properly closed, causing them to hang. This situation can be avoided by closing all dropbear processes when shutting-down the system, which closes properly the connections with current clients. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com> [Luis: Rework commit message] Signed-off-by: Luis Araneda <luaraneda@gmail.com>
* curl: Update to 7.61.0Daniel Engberg2018-07-151-5/+5
| | | | | | Update curl to 7.61.0 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* odhcp6c: add noserverunicast config option for broken DHCPv6 serversHans Dedecker2018-07-152-6/+9
| | | | | | | | | Fix broken DHCPv6 servers which provide the server unicast option but do not reply on DHCPv6 renew messages directed to the IPv6 address contained in the server unicast option whihc results in broken IPv6 connectivity. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* ppp: add missing -fPIC to rp-pppoe.so CFLAGSFelix Fietkau2018-07-141-0/+11
| | | | | | Fixes build error with LTO Signed-off-by: Felix Fietkau <nbd@nbd.name>
* dropbear: compile with LTO enabledFelix Fietkau2018-07-132-2/+35
| | | | | | Reduces size of the .ipk on MIPS from 87k to 84k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* firewall: compile with LTO enabledFelix Fietkau2018-07-131-2/+2
| | | | | | Reduces .ipk size on MIPS from 41.6k to 41.1k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iw: compile with LTO enabledFelix Fietkau2018-07-131-2/+3
| | | | | | Reduces .ipk size on MIPS from 34k to 33k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ppp: compile with LTO enabledFelix Fietkau2018-07-131-2/+2
| | | | | | Reduces .ipk size on MIPS from 98.5k to 98k Signed-off-by: Felix Fietkau <nbd@nbd.name>
* ppp: fix linker flags for the radius pluginFelix Fietkau2018-07-131-3/+3
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>