| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Signed-off-by: John Crispin <blogic@openwrt.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Running dnsmasq in a dedicated user/group allows matching its outgoing
traffic more easily using iptables' owner match.
Add UID/GID to the package metadata and append the user/group
parameters to the init script.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 49252
|
|
|
|
|
|
|
|
|
|
| |
Parameter allows to enable/disable static leases; by default the value is 1
to keep backwards compatibility
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49187
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The wpa_supplicant supports an "anonymous_identity" field, which some
EAP networks require. From the documentation:
anonymous_identity: Anonymous identity string for EAP (to be used as the
unencrypted identity with EAP types that support different tunnelled
identity, e.g., EAP-TTLS).
This change modifies the hostapd.sh script to propagate this field
from the UCI config to the wpa_supplicant.conf file.
Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Reviewed-by: Manuel Munz <freifunk@somakoma.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49181
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2015-7560
* CVE-2015-5370
* CVE-2016-2110
* CVE-2016-2111
* CVE-2016-2112
* CVE-2016-2115
* CVE-2016-2118
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49175
|
|
|
|
|
|
|
|
|
| |
x509-username-field was added in OpenVPN 2.2, and verify-x509-name was
added in 2.3. This fixes ticket #18807.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
SVN-Revision: 48969
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enable setting a host-specific lease time for static hosts.
The new option is called "leasetime" and the format is similar
as for the default lease time: e.g. 12h, 3d, infinite
Default lease time is used for all hosts for which there is
no host-specific definition.
The option is added to /etc/config/dhcp for the selected hosts:
config host
option name 'Nexus'
option mac 'd8:50:66:55:59:7c'
option ip '192.168.1.245'
option leasetime '2h'
It gets appended to /var/etc/dnsmasq.conf like this:
dhcp-host=d8:50:66:55:59:7c,192.168.1.245,Nexus,2h
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 48801
|
|
|
|
|
|
| |
Signed-off-by: dbugnar <dnbugnar@ocedo.com>
SVN-Revision: 48800
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48761
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48760
|
|
|
|
|
|
| |
Signed-off-by: Ben Kelly <ben@benjii.net>
SVN-Revision: 48738
|
|
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48679
|
|
|
|
|
|
|
|
| |
(#21817)
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48655
|
|
|
|
|
|
|
|
| |
connecting to the router
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48635
|
|
|
|
|
|
|
|
| |
wpad-mesh/wpa_supplicant-mesh
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48537
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48529
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48528
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48527
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit 6a7e56b adds support for adding local hostname for own lan ula adress
but if ula prefix is not specified results into an invalid config (address=/OpenWrt.lan/1)
causing dnsmasq not to start up.
Use lanaddr6 when adding local hostname as the lan ula address is constructed based on the
UCI parameters ip6hint and ip6ifaceid and thus not always ula prefix suffixed with 1
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 48495
|
|
|
|
|
|
|
|
|
|
| |
RSA keys should be generated with sufficient length.
Using 1024 bits is considered unsafe.
In other packages the used key length is 2048 bits.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48494
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48385
|
|
|
|
|
|
|
|
|
| |
Introduce config options client_cert2, priv_key2 and priv_key2_pwd
used for EAP-TLS phase2 authentication in WPA-EAP client mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48345
|
|
|
|
|
|
| |
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48344
|
|
|
|
|
|
| |
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48343
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
WPA-EAP supports several phase2 (=inner) authentication methods when
using EAP-TTLS, EAP-PEAP or EAP-FAST (the latter is added as a first
step towards the UCI model supporting EAP-FAST by this commit)
The value of the auth config variable was previously expected to be
directly parseable as the content of the 'phase2' option of
wpa_supplicant.
This exposed wpa_supplicant's internals, leaving it to view-level to
set the value properly. Unfortunately, this is currently not the case,
as LuCI currently allows values like 'PAP', 'CHAP', 'MSCHAPV2'.
Users thus probably diverged and set auth to values like
'auth=MSCHAPV2' as a work-around.
This behaviour isn't explicitely documented anywhere and is not quite
intuitive...
The phase2-string is now generated according to $eap_type and $auth,
following the scheme also found in hostap's test-cases:
http://w1.fi/cgit/hostap/tree/tests/hwsim/test_ap_eap.py
The old behaviour is also still supported for the sake of not breaking
existing, working configurations.
Examples:
eap_type auth
'ttls' 'EAP-MSCHAPV2' -> phase2="autheap=MSCHAPV2"
'ttls' 'MSCHAPV2' -> phase2="auth=MSCHAPV2"
'peap' 'EAP-GTC' -> phase2="auth=GTC"
Deprecated syntax supported for compatibility:
'ttls' 'autheap=MSCHAPV2' -> phase2="autheap=MSCHAPV2"
I will suggest a patch to LuCI adding EAP-MSCHAPV2, EAP-GTC, ... to
the list of Authentication methods available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
SVN-Revision: 48309
|
|
|
|
|
|
|
|
|
|
|
| |
By default dnsmasq uses random ports for outbound dns queries;
when the minport UCI option is specified the ports used will
always be larger than the specified value.
This is usefull for systems behind firewalls.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 48244
|
|
|
|
|
|
|
|
|
| |
Update dropbear to version 2015.71, released on 3 Dec 2015.
Refresh patches.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 48243
|
|
|
|
|
|
| |
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48214
|
|
|
|
|
|
| |
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 48202
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48201
|
|
|
|
|
|
|
|
| |
size by ~5 kb
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48196
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48195
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- WPS: Fix HTTP chunked transfer encoding parser (CVE-2015-4141)
- EAP-pwd peer: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd server: Fix payload length validation for Commit and Confirm
(CVE-2015-4143)
- EAP-pwd peer: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd server: Fix Total-Length parsing for fragment reassembly
(CVE-2015-4144, CVE-2015-4145)
- EAP-pwd peer: Fix asymmetric fragmentation behavior (CVE-2015-4146)
- NFC: Fix payload length validation in NDEF record parser (CVE-2015-8041)
- WNM: Ignore Key Data in WNM Sleep Mode Response frame if no PMF in use
(CVE-2015-5310)
- EAP-pwd peer: Fix last fragment length validation (CVE-2015-5315)
- EAP-pwd server: Fix last fragment length validation (CVE-2015-5314)
- EAP-pwd peer: Fix error path for unexpected Confirm message (CVE-2015-5316)
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
SVN-Revision: 48185
|
|
|
|
|
|
|
|
|
| |
Follow up of #21469
This patch enables autoreloading openvpn via procd.
Signed-off-by: Federico Capoano <nemesis@ninux.org>
SVN-Revision: 48150
|
|
|
|
|
|
|
|
|
| |
This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A
patchset for these vulnerabilities was published on 16th December 2015.
Signed-off-by: Jan Čermák <jan.cermak@nic.cz>
SVN-Revision: 48133
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48129
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48122
|
|
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48118
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In sta-only configuration, wpa_supplicant needs correct regulatory
domain because otherwise it may skip channel of its AP during scan.
Another alternative is to fix "iw reg set" in mac80211 netifd script.
Currently it fails if some phy has private regulatory domain which
matches configured one.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 48099
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- eurephia:
commit: Remove the --disable-eurephia configure option
- fix option name:
http proxy option is now called http-proxy (see configure.ac)
fixes:
configure: WARNING: unrecognized options: --disable-nls, --disable-eurephia, --enable-http
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 47979
|
|
|
|
|
|
|
|
|
|
| |
Only the conditional dependency ought to be required;
if build fails with JSON there is some other problem
at work.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47976
|
|
|
|
|
|
|
|
|
|
| |
By default dnsmasq sends an ICMP echo request before allocating
an IP address to a host; the uci option noping allows to disable
this check.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
SVN-Revision: 47974
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed option nonwildcard from --bind-interfaces into --bind-dynamic.
With this, Dnsmasq binds the address of individual interfaces, allowing multiple
dnsmasq instances, but if new interfaces or addresses appear, it automatically
listens on those. This makes dynamically created interfaces work in the same way as
the default, but allows also use of other DNS-servers (like Named) at the same time
on diffirent interfaces where Dnsmasq is NOT configured, whereas with
--bind-interfaces will still reserve every interface even if not used and thus
disallowing use of any other DNS-program even on unused interfaces.
Tested-by: Vaasa Hacklab <info@vaasa.hacklab.fi>
Signed-off-by: Sami Olmari <sami@olmari.fi>
SVN-Revision: 47953
|
|
|
|
|
|
|
|
|
| |
Using the JSON output option depends on json library so
add select json-c library when JSON output is selected.
Signed-off-by: Daniel Dickinson <openwrt@daniel.thecshore.com>
SVN-Revision: 47928
|
|
|
|
|
|
|
|
|
| |
Add the option "--all-servers" which forces dnsmasq to send all
queries to all servers and then take the first answer.
Signed-off-by: Andréas Gustafsson <gurgalof@gmail.com>
SVN-Revision: 47857
|
|
|
|
|
|
|
|
|
|
| |
This should ensure that lldpd is among the first processes to stop,
so that it has time to send the shutdown LLDPU to the other side,
before the network goes down.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 47786
|
|
|
|
|
|
|
|
|
|
|
|
| |
The scripts for authsae and iw use the option mesh_id to get set the
"meshid" during a mesh join. But the script for wpad-mesh ignores the
option mesh_id and instead uses the option ssid. Unify the mesh
configuration and let the wpa_supplicant script also use the mesh_id from
the configuration.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47615
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The OpenWrt wireless configuration for mcast_rate is defined as Kbit/s when
using wpa_supplicant for IBSS/802.11s and iw for unencrypted IBSS/802.11s.
But when using authsae, the unit for the same option is redefined as
Mbit/s. Better use the same unit for this option independent of the backend
which is used.
Old values for mcast_rate (< 1000) are still interpreted Mbit/s to avoid
problems during upgrades from older versions.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47614
|
|
|
|
|
|
|
|
|
| |
The variable $mesh_id was never defined in authsae_start_interface and thus
the option meshid in $authsae_conf_file was always set to "".
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 47613
|
|
|
|
|
|
|
|
| |
Thanks to @ktgeek and @willmo for diagnosing
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 47514
|