RE: [PATCH 1/3] dropbear: create a submenu for public key algorithms
Hi,

> -Original Message-
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org] On Behalf Of Rui Salvaterra
> Sent: Tuesday, 13 October 2020 18:45
> To: Adrian Schmutzler
> Cc: openwrt-devel@lists.openwrt.org
> Subject: Re: [PATCH 1/3] dropbear: create a submenu for public key algorithms
>
> Hi, Adrian,
>
> On Tue, 13 Oct 2020 at 16:52, Adrian Schmutzler wrote:
> >
> > > package/network/services/dropbear/files/dropbear.failsafe.ecc
> > > create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519
> > > rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%)
> >
> > Do these really need execute bit?
>
> Well spotted. To be honest, the original file was executable and I just copied it. They're installed as 644, though. Should I respin, or send a follow-up patch?

I don't care so terribly, so do it as it's most convenient for you.

Best

Adrian

> Thanks,
> Rui

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[RFC]Secure ImageBuilders
Hi,

Over the last month I suggested two different approaches to improve the ImageBuilder security. The amount of feedback was fairly low, maybe partly because it's not trivial to understand the issue. I wrote a summary of the two approaches and the current problem, please spend the 5 minutes to read through it. It's a release goal for 20.x.

The current state of 19.07 ImageBuilders is insecure as the packages that are missing locally are downloaded via unencrypted HTTP and then directly installed, without any signature verification. As a consequence, images could contain malicious binaries if an attacker was able to intercept traffic.

For now the SNAPSHOT ImageBuilder uses HTTPS for package downloads, which is suboptimal as HTTPS slows down the build process by about 50%, due to missing connection pooling in OPKG.

A better implementation is to use OPKG signature checking (via `usign`), which is fast and the same mechanism as on running OpenWrt devices. However, the ImageBuilder offers a special folder called `packages/`, which contains `kernel-*.ipk`, `libc-*.ipk` and any other optional `ipk` files provided by the user. The folder is indexed after every change. The use case is that locally built packages can be included in images, instead of providing them via a remote repository.

This folder adds the challenge for signature checking. OPKG can not *only* check remote feeds and trust local feeds. Below are two possible implementations to allow signature checking while allowing a local `packages/` feed.

## Possible implementations

Both implementations have their advantages and drawbacks; this document summarizes two different approaches to simplify the decision.

### Add trusted feeds to OPKG

The approach adds a new feed type which is always trusted, as in *no signature checks are done, even if globally enabled*. This was done by adding a new feed prefix to OPKG, either `src/trusted` or `src/gz/trusted`.
The local `packages/` feed is added as `src/trusted` and works independently of `option signature_check`.

This implementation involves changes in OPKG [here][1] with a bit of glue code in the build system [here][2].

[1]: https://patchwork.ozlabs.org/project/openwrt/patch/20200916011041.1746959-1-m...@aparcar.org/
[2]: https://patchwork.ozlabs.org/project/openwrt/patch/20200916012457.1748220-1-m...@aparcar.org/

It is simple and the only possible attack is to modify the repositories file and set a feed from `src/gz` to `src/gz/trusted`. In that case it would also be possible to replace the entire feed address, therefore a minor *security issue*.

### Let ImageBuilder create signing keys

The approach runs the same signing key generation steps as the build system. The keys are used to sign the local `packages/` feed and therefore don't require any additional changes in OPKG.

Arguably this approach is a bit awkward because a feed is verified by a public key which was created on the very same machine. On the other hand, this approach brings the advantage that created images can contain a `usign`/`ucert` signature, so that created images are verifiable by the `sysupgrade` process running on the device, if the ImageBuilder's local key was previously included.

This implementation exists [here][3] with the extra option to include the locally generated key in the built images.

[3]: https://github.com/openwrt/openwrt/pull/3477

Best,
Paul
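The feed-trust states the RFC describes (remote feeds installed without verification, an unsigned local `packages/` feed that signature checking would reject, and the relabelling of a remote feed as trusted, the one attack the first approach leaves open), as an added example that is not code from the RFC or from OpenWrt: a small lint over an ImageBuilder-style repositories file. It assumes the proposed `src/trusted`/`src/gz/trusted` prefixes from the first approach and opkg's actual option name `check_signature` (the RFC writes `signature_check`); the feed URLs are constructed placeholders.

```python
"""Lint an opkg/ImageBuilder repositories file for the feed-trust states
discussed in the RFC above.  Added example, not code from the RFC or from
OpenWrt.  Assumptions: the proposed ``src/trusted`` and ``src/gz/trusted``
prefixes from the first approach, and opkg's ``option check_signature``."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# A feed line: "src" or "src/gz", either optionally with the proposed
# "/trusted" suffix, followed by the feed name and its location.
FEED_RE = re.compile(r"^(src(?:/gz)?(?:/trusted)?)\s+(\S+)\s+(\S+)\s*$")
OPTION_RE = re.compile(r"^option\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class Feed:
    kind: str  # src, src/gz, src/trusted or src/gz/trusted
    name: str
    url: str

    @property
    def trusted(self) -> bool:
        """Proposed prefix: never signature-checked, even if globally enabled."""
        return self.kind.endswith("/trusted")

    @property
    def remote(self) -> bool:
        return self.url.startswith(("http://", "https://"))


def parse_repositories(text: str) -> Tuple[List[Feed], bool]:
    """Return the feed list and whether signature checking is enabled."""
    feeds: List[Feed] = []
    check_signature = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FEED_RE.match(line)
        if m:
            feeds.append(Feed(*m.groups()))
            continue
        m = OPTION_RE.match(line)
        if m and m.group(1) == "check_signature":
            # "option check_signature" alone, or with value 1, turns checking on
            check_signature = m.group(2) in (None, "1")
    return feeds, check_signature


def lint(text: str) -> List[str]:
    """Report feeds whose packages would be installed unverified, a local feed
    that signature checking would reject, and a remote feed relabelled as
    trusted (the repositories-file attack the RFC names)."""
    feeds, check_signature = parse_repositories(text)
    findings: List[str] = []
    for f in feeds:
        if f.trusted and f.remote:
            findings.append(f"{f.name}: remote feed marked trusted ({f.kind}); "
                            "remote feeds must stay signature-checked")
        elif f.remote and not check_signature:
            via = "plain HTTP" if f.url.startswith("http://") else "HTTPS"
            findings.append(f"{f.name}: remote feed over {via} is installed "
                            "without signature verification")
        elif not f.remote and not f.trusted and check_signature:
            findings.append(f"{f.name}: local feed {f.url} will fail signature "
                            "checking unless its index is signed")
    return findings


# Constructed samples; the domain is a placeholder, not a real feed.
# 1) The 19.07 ImageBuilder shape from the RFC: plain HTTP, no signature option.
INSECURE_19_07 = """\
## Remote package repositories
src/gz openwrt_core http://feeds.example.invalid/releases/19.07/targets/ath79/generic/packages
src/gz openwrt_base http://feeds.example.invalid/releases/19.07/packages/mips_24kc/base
## This is the local package repository, do not remove!
src imagebuilder file:packages
"""

# 2) Signature checking on, but the local packages/ feed left as a plain feed.
LOCAL_UNSIGNED = """\
option check_signature
src/gz openwrt_core https://feeds.example.invalid/snapshots/targets/ath79/generic/packages
src imagebuilder file:packages
"""

# 3) First approach from the RFC: local feed marked trusted, remote feed checked.
TRUSTED_LOCAL = LOCAL_UNSIGNED.replace("src imagebuilder", "src/trusted imagebuilder")

# 4) The attack the RFC mentions: a remote feed relabelled as trusted.
RELABELLED_REMOTE = TRUSTED_LOCAL.replace("src/gz openwrt_core", "src/gz/trusted openwrt_core")

if __name__ == "__main__":
    for label, cfg in [("19.07", INSECURE_19_07), ("local unsigned", LOCAL_UNSIGNED),
                       ("trusted local", TRUSTED_LOCAL), ("relabelled", RELABELLED_REMOTE)]:
        print(label, lint(cfg) or ["ok"])
```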
Re: The status of intel ax200 support (iwlwifi)
Hi

On 2020-10-13, Alexander Pyattaev wrote:
> I am trying to figure out if any version of openWRT can in principle support the Intel's AX200 chips. I am quite willing to build a kernel from source, but I have absolutely no idea whether I actually need to do so. Some info on the internet points to there existing a backported version of the driver, but I can not find it anywhere. If it does not indeed exist, any pointers towards making it work would be nice, I'd be happy to contribute a patch.

iwlwifi should support ax200 just fine, but its firmware won't allow AP mode in the 5 GHz band at all (maybe using 25 mW on the short range band (ETSI EN 300 440-1), if you're lucky). That is an intentional choice from Intel to restrict (all of-) their WLAN cards and not fixable.

Regards
Stefan Lippers-Hollmann
[PATCH] argp-standalone: add BUILDONLY
Fixes Makefile warning:

WARNING: skipping argp-standalone -- package has no install section

Signed-off-by: Rosen Penev
---
package/libs/argp-standalone/Makefile | 1 +
1 file changed, 1 insertion(+)

diff --git a/package/libs/argp-standalone/Makefile b/package/libs/argp-standalone/Makefile index 8fad739d85..d570918bcf 100644 --- a/package/libs/argp-standalone/Makefile +++ b/package/libs/argp-standalone/Makefile @@ -26,6 +26,7 @@ define Package/argp-standalone CATEGORY:=Libraries TITLE:=Hierarchial argument parsing broken out from glibc URL:=http://www.lysator.liu.se/~nisse/misc/ + BUILDONLY:=1 endef define Package/argp-standalone/description -- 2.26.2
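Review bot: the context line `TITLE:=Hierarchial argument parsing broken out from glibc` in this hunk carries a typo ("Hierarchical"); since the define is being touched anyway, fixing it here saves a follow-up. The commit message could also state what `BUILDONLY:=1` implies, namely that no ipk is produced for argp-standalone and the library is only consumed at build time, which is exactly why the skipped install section is harmless.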
Re: The status of intel ax200 support (iwlwifi)
On 13/10/20 16:36, Alexander Pyattaev wrote:
> Hello!
>
> I am trying to figure out if any version of openWRT can in principle support the Intel's AX200 chips. I am quite willing to build a kernel from source, but I have absolutely no idea whether I actually need to do so. Some info on the internet points to there existing a backported version of the driver, but I can not find it anywhere. If it does not indeed exist, any pointers towards making it work would be nice, I'd be happy to contribute a patch.
>
> Thanks,
> Alex

Afaik the support for AX200 was added in kernel 5.2, so if you use snapshot it should be OK (kernel 5.4). I see the commits that add support for its firmware in the "linux-firmware" package, again in snapshot. Next release will branch from snapshot so will probably also support the AX200.

If you install a snapshot release it should work already, assuming all the bugs I've seen around for this chipset were fixed, and also backported to the 5.4 LTS kernel, which is what is used in the snapshot.

-Alberto
Re: [PATCH 2/3] dropbear: create a submenu for encryption algorithms
On 2020-10-13 at 9:54 PM, Rui Salvaterra wrote:
> This allows the user to select only the encryption algorithms (s)he requires (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection maintains the current functionality.
>
> Additionally, make sure at least one encryption algorithm is selected, lest the build would fail.
>
> Signed-off-by: Rui Salvaterra
> ---
> package/network/services/dropbear/Config.in | 21 +
> package/network/services/dropbear/Makefile | 12 +---
> 2 files changed, 30 insertions(+), 3 deletions(-)

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index d2771eca93..9cea6242a6 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK endmenu +menu "Encryption algorithm selection" + +config DROPBEAR_AES128 + bool "AES-128 support" + default y + help + This enables support for the 128-bit AES cipher + +config DROPBEAR_AES256 + bool "AES-256 support" + default y + help + This enables support for the 256-bit AES cipher +

Do those options enable AES-GCM too? It looks like they were added with chacha20-poly1305, but unlike chacha it's not enabled by default upstream. AES-GCM will be enabled by DROPBEAR_ENABLE_GCM_MODE. By the way, the key size is set for all AES types, so no for just aes-gcm-128 and aes-ctr-256.

config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_EA + def_bool y + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) + select DROPBEAR_AES128 + +endmenu + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 2ab2cd396d..768058718c 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -30,9 +30,9 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP + CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ + CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk @@ -121,6 +121,12 @@ define Build/Configure echo '#define DROPBEAR_ED25519 $(if $(CONFIG_DROPBEAR_ED25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_AES128 $(if $(CONFIG_DROPBEAR_AES128),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_AES256 $(if $(CONFIG_DROPBEAR_AES256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h
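Review bot: the DROPBEAR_AES128 and DROPBEAR_AES256 help entries in the first Config.in hunk lack the size note the neighbouring DROPBEAR_CHACHA20POLY1305 entry carries ("Increases binary size by about 4 kB (MIPS)"); since the point of the submenu is trimming the binary, give each cipher the same kind of figure, and say in the help text whether these options also govern AES-GCM, which is the question raised above.

Review bot: DROPBEAR_AUTOSEL_EA in the second Config.in hunk silently forces AES-128 back on when both AES-256 and ChaCha20-Poly1305 are deselected; a one-line comment above the `def_bool y` saying it exists to keep the build from failing (as the commit message states) would stop a later reader from removing it as an unused symbol.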
Re: [PATCH 1/3] dropbear: create a submenu for public key algorithms
Hi, Adrian,

On Tue, 13 Oct 2020 at 16:52, Adrian Schmutzler wrote:
> >
> > package/network/services/dropbear/files/dropbear.failsafe.ecc
> > create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519
> > rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%)
>
> Do these really need execute bit?

Well spotted. To be honest, the original file was executable and I just copied it. They're installed as 644, though. Should I respin, or send a follow-up patch?

Thanks,
Rui
RE: [PATCH 5/7] netfilter.mk: add version conditional around nf_nat_redirect mod
Hi,

> -Original Message-
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org] On Behalf Of Yousong Zhou
> Sent: Tuesday, 13 October 2020 14:31
> To: openwrt-devel@lists.openwrt.org; Tony Ambardar
> Cc: Yousong Zhou
> Subject: [PATCH 5/7] netfilter.mk: add version conditional around nf_nat_redirect mod
>
> Kernel commit 1ac89d20150e ("netfilter: nat: merge nf_nat_redirect into nf_nat") made the redirect module part of the nat core and changed the CONFIG_NF_NAT_REDIRECT option to a boolean, without prompt, affecting kernel 4.18 onwards. CONFIG_NF_NAT_REDIRECT now can only be selected by CONFIG_NFT_REDIR or NETFILTER_XT_TARGET_REDIRECT

We only support 4.19+ by now (4.14 has been dropped a while ago), so we can drop the "lt 4.18" part here.

Best

Adrian

> Fixes: FS#2476
> Ref: https://bugs.openwrt.org/index.php?do=details_id=2476
>
> Fixes: FS#2990 (partial)
> Ref: https://bugs.openwrt.org/index.php?do=details_id=2990
>
> Signed-off-by: Tony Ambardar [note that the option has no prompt and can only be selected by other kconfig options]
> Signed-off-by: Yousong Zhou
> ---
> include/netfilter.mk | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/netfilter.mk b/include/netfilter.mk index 3c217db106..e5ba3b366e 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk
> @@ -184,7 +184,7 @@ $(eval $(call > nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt)) > > # kernel only > $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT, > $(P_XT)nf_nat),)) -$(eval $(if $(NF_KMOD),$(call > nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, $(P_XT)nf_nat_redirect),)) > +$(eval $(if $(NF_KMOD),$(call > nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, > +$(P_XT)nf_nat_redirect, lt 4.18),)) > $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_IPV4, > $(P_V4)nf_nat_ipv4, lt 5.1))) $(eval $(if $(NF_KMOD),$(call > nf_add,NF_NAT6,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6, lt 5.1)))
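Review bot: the `lt 4.18` condition added to the nf_nat_redirect line in this hunk can never be true on the kernels this tree builds (4.19 and newer, per the reply above), so the whole `$(eval ...)` line is dead after the patch and deleting it outright is cleaner than guarding it; the commit message already gives the justification, namely that nf_nat_redirect is part of nf_nat from 4.18 on and CONFIG_NF_NAT_REDIRECT has no prompt. The two `Ref:` URLs in the commit message read `do=details_id=...` here and are worth checking before this is merged.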
RE: [PATCH 1/3] dropbear: create a submenu for public key algorithms
Hi,

> -Original Message-
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org] On Behalf Of Rui Salvaterra
> Sent: Tuesday, 13 October 2020 14:54
> To: openwrt-devel@lists.openwrt.org
> Cc: Rui Salvaterra
> Subject: [PATCH 1/3] dropbear: create a submenu for public key algorithms
>
> This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality.
>
> Additionally, make sure at least one public key algorithm is selected, lest the build would fail.
>
> Dropbear executable sizes (ath79, -O2):
>
> RSA + Ed25519: 210101 bytes
> RSA only: 197765 bytes
> Ed25519 only: 189637 bytes
>
> Signed-off-by: Rui Salvaterra
> ---
> package/network/services/dropbear/Config.in | 27 ++-
> package/network/services/dropbear/Makefile | 23 +++-
> .../dropbear/files/dropbear.failsafe.ecc | 8 ++
> .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++
> ...ropbear.failsafe => dropbear.failsafe.rsa} | 0
> ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 ++
> 6 files changed, 63 insertions(+), 17 deletions(-)
> create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ecc
> create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519
> rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%)

Do these really need execute bit?

Best

Adrian
The status of intel ax200 support (iwlwifi)
Hello!

I am trying to figure out if any version of openWRT can in principle support the Intel's AX200 chips. I am quite willing to build a kernel from source, but I have absolutely no idea whether I actually need to do so. Some info on the internet points to there existing a backported version of the driver, but I can not find it anywhere. If it does not indeed exist, any pointers towards making it work would be nice, I'd be happy to contribute a patch.

Thanks,
Alex
[PATCH mdnsd 09/10] cache: cache_record_find: fix buffer overflow
Fixes following buffer overflow:

ERROR: AddressSanitizer: global-buffer-overflow on address 0x007338b8 at pc 0x004db339 bp 0x7ffe370e6140 sp 0x7ffe370e6138
READ of size 8 at 0x007338b8 thread T0
#0 0x4db338 in cache_record_find mdnsd/cache.c:197:17
#1 0x4d74b4 in cache_answer mdnsd/cache.c:336:6
#2 0x4cf04a in parse_answer mdnsd/dns.c:343:3
#3 0x4cb272 in dns_handle_packet mdnsd/dns.c:442:7
#4 0x4f508c in read_socket4 mdnsd/interface.c:253:3
#5 0x7fb81dddc73d in uloop_run_events libubox/uloop.c:198:4
#6 0x7fb81dddc73d in uloop_run_timeout libubox/uloop.c:555:3
#7 0x4c77cd in uloop_run libubox/uloop.h:111:9
#8 0x4c7757 in main mdnsd/main.c:99:2

0x007338b8 is located 8 bytes to the right of global variable 'records' defined in 'mdnsd/cache.c:45:1' (0x733880) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow mdnsd/cache.c:197:17 in cache_record_find

Signed-off-by: Petr Štetiar
---
cache.c | 2 +-
.../crash-68e33cae6500804f6856f5a92dca26626ad0479c | Bin 0 -> 69 bytes
2 files changed, 1 insertion(+), 1 deletion(-)
create mode 100644 tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c

diff --git a/cache.c b/cache.c index 7d2aa8fdba2d..b2e5568f517a 100644 --- a/cache.c +++ b/cache.c @@ -194,7 +194,7 @@ cache_record_find(char *record, int type, int port, int rdlength, uint8_t *rdata if (!l) return NULL; - while (l && l->record && !strcmp(l->record, record)) { + while (l && !avl_is_last(, >avl) && !strcmp(l->record, record)) { struct cache_record *r = l; l = avl_next_element(l, avl); diff --git a/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c b/tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c new file mode 100644 index ..69cd85b203101a80e6f3417ceedbbc0c2e4ff893 GIT binary patch literal 69 ycmZo*_}jq1z_4xU{~ruY@j#|P1LHPPAV*t4RRBqt2P(`UAO-^<5uk<#e0%^rNfjgj literal 0 HcmV?d1
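Review bot: the new loop condition in the cache.c hunk evaluates the `avl_is_last()` check on `l` before the body runs, so the final node of `records` is never compared against `record` even when it matches, and a lookup for a record that happens to sit last in the tree now misses. The overflow comes from the `l = avl_next_element(l, avl)` line stepping past the tail, so the guard belongs on that advance: keep `while (l && !strcmp(l->record, record))` and, after taking `r = l`, set `l` to NULL when `avl_is_last()` is true and advance otherwise.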
[PATCH mdnsd 00/10] fixes and improvements
Hi,

this patch series adds the basic building blocks of automatic CI fuzzing and fixes all discovered issues.

Cheers,

Petr

Petr Štetiar (10):
  cmake: fix include dirs and libs lookup
  Add initial GitLab CI support
  interface: fix value stored to 'fd' is never read
  interface: fix possible null pointer dereference
  cmake: create static library
  tests: add libFuzzer based fuzzing
  tests: add dns_handle_packet_file tool
  cmake: tests: provide umdns-san binary
  cache: cache_record_find: fix buffer overflow
  cache: cache_answer: fix off by one

 .gitlab-ci.yml | 6 ++
 CMakeLists.txt | 37 --
 cache.c | 4 +-
 interface.c | 10 ++-
 tests/CMakeLists.txt | 13
 tests/dns_handle_packet_file.c | 64 ++
 tests/fuzz/CMakeLists.txt | 18 +
 ...h-68e33cae6500804f6856f5a92dca26626ad0479c | Bin 0 -> 69 bytes
 tests/fuzz/dict/mdns.dict | 6 ++
 tests/fuzz/inputs/query_qu.pcap | Bin 0 -> 128 bytes
 tests/fuzz/test-fuzz.c | 48 +
 11 files changed, 198 insertions(+), 8 deletions(-)
 create mode 100644 .gitlab-ci.yml
 create mode 100644 tests/CMakeLists.txt
 create mode 100644 tests/dns_handle_packet_file.c
 create mode 100644 tests/fuzz/CMakeLists.txt
 create mode 100644 tests/fuzz/corpus/crash-68e33cae6500804f6856f5a92dca26626ad0479c
 create mode 100644 tests/fuzz/dict/mdns.dict
 create mode 100644 tests/fuzz/inputs/query_qu.pcap
 create mode 100644 tests/fuzz/test-fuzz.c
[PATCH mdnsd 06/10] tests: add libFuzzer based fuzzing
LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka "target function"); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage.

So let's use libFuzzer to fuzz dns_handle_packet for the start.

Ref: https://llvm.org/docs/LibFuzzer.html

Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 5
tests/CMakeLists.txt | 3 ++
tests/fuzz/CMakeLists.txt | 18
tests/fuzz/dict/mdns.dict | 6
tests/fuzz/inputs/query_qu.pcap | Bin 0 -> 128 bytes
tests/fuzz/test-fuzz.c | 48
6 files changed, 80 insertions(+)
create mode 100644 tests/CMakeLists.txt
create mode 100644 tests/fuzz/CMakeLists.txt
create mode 100644 tests/fuzz/dict/mdns.dict
create mode 100644 tests/fuzz/inputs/query_qu.pcap
create mode 100644 tests/fuzz/test-fuzz.c

diff --git a/CMakeLists.txt b/CMakeLists.txt index e08720327b7c..80d1cf5be352 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -28,6 +28,11 @@ TARGET_LINK_LIBRARIES(umdns-lib ${LIBS}) ADD_EXECUTABLE(umdns main.c) TARGET_LINK_LIBRARIES(umdns umdns-lib) +IF(UNIT_TESTING) + ENABLE_TESTING() + ADD_SUBDIRECTORY(tests) +ENDIF() + INSTALL(TARGETS umdns RUNTIME DESTINATION sbin ) diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt new file mode 100644 index ..02b121c7b8ec --- /dev/null +++ b/tests/CMakeLists.txt @@ -0,0 +1,3 @@ +IF(CMAKE_C_COMPILER_ID STREQUAL "Clang") + ADD_SUBDIRECTORY(fuzz) +ENDIF() diff --git a/tests/fuzz/CMakeLists.txt b/tests/fuzz/CMakeLists.txt new file mode 100644 index ..e2f98730de05 --- /dev/null +++ b/tests/fuzz/CMakeLists.txt
@@ -0,0 +1,18 @@ +FILE(GLOB test_cases "test-*.c") + +MACRO(ADD_FUZZER_TEST name) + ADD_EXECUTABLE(${name} ${name}.c) + TARGET_COMPILE_OPTIONS(${name} PRIVATE -g -O1 -fno-omit-frame-pointer -fsanitize=fuzzer,address,leak,undefined) + TARGET_INCLUDE_DIRECTORIES(${name} PRIVATE ${PROJECT_SOURCE_DIR}) + TARGET_LINK_OPTIONS(${name} PRIVATE -stdlib=libc++ -fsanitize=fuzzer,address,leak,undefined) + TARGET_LINK_LIBRARIES(${name} umdns-lib-san ${LIBS}) + ADD_TEST( +NAME ${name} + COMMAND ${name} -max_len=256 -timeout=10 -max_total_time=300 ${CMAKE_CURRENT_SOURCE_DIR}/corpus + ) +ENDMACRO(ADD_FUZZER_TEST) + +FOREACH(test_case ${test_cases}) + GET_FILENAME_COMPONENT(test_case ${test_case} NAME_WE) + ADD_FUZZER_TEST(${test_case}) +ENDFOREACH(test_case) diff --git a/tests/fuzz/dict/mdns.dict b/tests/fuzz/dict/mdns.dict new file mode 100644 index ..f8f80c13a521 --- /dev/null +++ b/tests/fuzz/dict/mdns.dict @@ -0,0 +1,6 @@ +"\x0c" +"\x78" +"\xc0\xb0" +"\x80\x01" +"." +"_" diff --git a/tests/fuzz/inputs/query_qu.pcap b/tests/fuzz/inputs/query_qu.pcap new file mode 100644 index ..b1857a963a4f3efb0af43ee6714d96f07e04c198 GIT binary patch literal 128 zcmca|c+)~A1{MYcU}0bca;#!n84i^_!)B~WL$V-uz3}#=K0TqLkg8^rJacWUnW^!sVdwfb>v2Jk+OMGcc0c%cv Ma$*hx15X1Z0A`FJT>t<8 literal 0 HcmV?d1 diff --git a/tests/fuzz/test-fuzz.c b/tests/fuzz/test-fuzz.c new file mode 100644 index ..ca6caa1ee17a --- /dev/null +++ b/tests/fuzz/test-fuzz.c 
@@ -0,0 +1,48 @@ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "dns.h" +#include "cache.c" +#include "interface.h" + +int cfg_proto = 0; +int cfg_no_subnet = 0; + +static void fuzz_dns_handle_packet(uint8_t *input, size_t size) +{ + struct sockaddr from; + struct interface iface; + struct cache_service *s, *t; + + memset(, 0, sizeof(from)); + memset(, 0, sizeof(iface)); + + cache_init(); + dns_handle_packet(, , 1922, input, size); + + avl_for_each_element_safe(, s, avl, t) + cache_service_free(s); +} + +int LLVMFuzzerTestOneInput(const uint8_t *input, size_t size) +{ + uint8_t *buf = calloc(1, size); + if (!buf) + return 0; + + memcpy(buf, input, size); + fuzz_dns_handle_packet(buf, size); + free(buf); + + return 0; +}
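Review bot: in the tests/fuzz/CMakeLists.txt hunk the ADD_TEST command points libFuzzer at `${CMAKE_CURRENT_SOURCE_DIR}/corpus`, but this patch creates no corpus directory; the seed packet it adds lives in `inputs/query_qu.pcap` and the dictionary in `dict/mdns.dict`, and neither is passed to the fuzzer (no `-dict=` and no inputs path), so the run starts from an empty corpus. `-max_total_time=300` also makes every ctest invocation take five minutes; a short local default with the long run configured in CI keeps the test target usable.

Review bot: tests/fuzz/test-fuzz.c does `#include "cache.c"` while also linking umdns-lib-san, which compiles cache.c as well; this only links because the archive member is never pulled once the harness object already defines the cache symbols, and it will break the moment another archive member references something only cache.o provides. A comment stating why the .c file is included (reaching the static `records` tree for cleanup), or a teardown helper exported from cache.h, would make that explicit. With the leak sanitizer on, `fuzz_dns_handle_packet()` frees services but nothing in the hunk frees the records the packet added, so whether that is covered elsewhere should be checked.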
[PATCH mdnsd 01/10] cmake: fix include dirs and libs lookup
In order to make it compile properly in more environments.

Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt index a52e5bd015be..8be878dd2cd8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -7,7 +7,16 @@ SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "") SET(SOURCES main.c dns.c announce.c cache.c service.c util.c ubus.c interface.c) -SET(LIBS ubox ubus resolv blobmsg_json json-c) +FIND_PATH(ubox_include_dir NAMES libubox/usock.h) +FIND_PATH(ubus_include_dir NAMES libubus.h) +INCLUDE_DIRECTORIES(${ubox_include_dir} ${ubus_include_dir}) + +FIND_LIBRARY(ubox NAMES ubox) +FIND_LIBRARY(ubus NAMES ubus) +FIND_LIBRARY(blobmsg_json NAMES blobmsg_json) +FIND_LIBRARY(json NAMES json json-c) + +SET(LIBS ${ubox} ${ubus} ${blobmsg_json} ${json} resolv) IF(DEBUG) ADD_DEFINITIONS(-DDEBUG -g3)
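Review bot: the FIND_PATH and FIND_LIBRARY results in this hunk are used without being checked; when a lookup fails CMake stores a `-NOTFOUND` value in the variable and the failure surfaces only later as a confusing compile or link error. An `IF(NOT ubox) MESSAGE(FATAL_ERROR ...)` style check after each lookup (newer CMake also accepts a `REQUIRED` keyword on these commands) reports the missing dependency at configure time, which is the point of the change.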
[PATCH mdnsd 10/10] cache: cache_answer: fix off by one
Fixes following issue found by the AFL fuzzer which was then confirmed by the libFuzzer as well:

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604072fa at pc 0x0051f647 bp 0x7ffe95787cd0 sp 0x7ffe95787498
READ of size 16 at 0x604072fa thread T0
#0 0x51f646 in __asan_memcpy (mdnsd/build/tests/fuzz/test-fuzz+0x51f646)
#1 0x5539d3 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34:10
#2 0x5539d3 in cache_answer mdnsd/cache.c:311:3
#3 0x561c7a in parse_answer mdnsd/dns.c:345:3
#4 0x55de9c in dns_handle_packet mdnsd/dns.c:446:7
#5 0x55a9f4 in fuzz_dns_handle_packet mdnsd/tests/fuzz/test-fuzz.c:31:2

0x604072fa is located 0 bytes to the right of 42-byte region [0x604072d0,0x604072fa) allocated by thread T0 here:
#0 0x520412 in calloc (mdnsd/build/tests/fuzz/test-fuzz+0x520412)

memcpy() reads one byte past `rdata` buffer as the read starts from the 2nd byte, but the reading length wasn't adjusted to that fact.

Signed-off-by: Petr Štetiar
---
cache.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cache.c b/cache.c index b2e5568f517a..ea6a4c8ab656 100644 --- a/cache.c +++ b/cache.c @@ -303,7 +303,7 @@ void cache_answer(struct interface *iface, struct sockaddr *from, uint8_t *base, if (rdlength <= 2) return; - memcpy(rdata_buffer, [1], rdlength); + memcpy(rdata_buffer, [1], rdlength-1); rdata_buffer[rdlength] = rdata_buffer[rdlength + 1] = '\0'; tlen = rdlength + 1; p = _buffer[*rdata];
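Review bot: the copy now moves `rdlength-1` bytes, but the trailing context lines still write the terminators at `rdata_buffer[rdlength]` and `[rdlength + 1]` and set `tlen = rdlength + 1`, so byte `rdlength-1` of the buffer keeps whatever it held before and the length carried forward is two more than what was copied; either those lines should shrink with the copy or the commit message should say why the extra bytes are intended. The last context line also indexes `rdata_buffer` by the first byte of `rdata`, and nothing in the hunk bounds that index against the copied length.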
[PATCH mdnsd 07/10] tests: add dns_handle_packet_file tool
So it can read packets from file, which is handy when using for example AFL or honggfuzz fuzzers.

Signed-off-by: Petr Štetiar
---
tests/CMakeLists.txt | 10 ++
tests/dns_handle_packet_file.c | 64 ++
2 files changed, 74 insertions(+)
create mode 100644 tests/dns_handle_packet_file.c

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index 02b121c7b8ec..99c248281eb1 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -1,3 +1,13 @@ IF(CMAKE_C_COMPILER_ID STREQUAL "Clang") ADD_SUBDIRECTORY(fuzz) + + ADD_EXECUTABLE(dhpf-san dns_handle_packet_file.c) + TARGET_INCLUDE_DIRECTORIES(dhpf-san PRIVATE ${PROJECT_SOURCE_DIR}) + TARGET_COMPILE_OPTIONS(dhpf-san PRIVATE -g -fno-omit-frame-pointer -fsanitize=undefined,address,leak -fno-sanitize-recover=all) + TARGET_LINK_OPTIONS(dhpf-san PRIVATE -fsanitize=undefined,address,leak) + TARGET_LINK_LIBRARIES(dhpf-san umdns-lib-san) ENDIF() + +ADD_EXECUTABLE(dhpf dns_handle_packet_file.c) +TARGET_INCLUDE_DIRECTORIES(dhpf PRIVATE ${PROJECT_SOURCE_DIR}) +TARGET_LINK_LIBRARIES(dhpf umdns-lib) diff --git a/tests/dns_handle_packet_file.c b/tests/dns_handle_packet_file.c new file mode 100644 index ..cbcea08b9751 --- /dev/null +++ b/tests/dns_handle_packet_file.c
@@ -0,0 +1,64 @@ +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#include "dns.h" +#include "cache.c" +#include "interface.h" + +int cfg_proto = 0; +int cfg_no_subnet = 0; + +static void fuzz_dns_handle_packet(uint8_t *input, size_t size) +{ + struct sockaddr from; + struct interface iface; + struct cache_service *s, *t; + + memset(, 0, sizeof(from)); + memset(, 0, sizeof(iface)); + + cache_init(); + dns_handle_packet(, , 1922, input, size); + + avl_for_each_element_safe(, s, avl, t) + cache_service_free(s); +} + +int main(int argc, char *argv[]) +{ + size_t len = 0; + FILE *fd = NULL; + uint8_t *buf = NULL; + + if (argc != 2) { + fprintf(stderr, "Usage: %s \n", argv[0]); + return -1; + } + + fd = fopen(argv[1], "r"); + if (!fd) { + perror("unable to open input file\n"); + return -1; + } + + buf = calloc(1, MDNS_BUF_LEN+1); + if (!buf) + return -1; + + len = fread(buf, 1, MDNS_BUF_LEN, fd); + + fuzz_dns_handle_packet(buf, len); + + fclose(fd); + free(buf); +}
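Review bot: in tests/dns_handle_packet_file.c, `perror("unable to open input file\n")` puts the newline before the `: <reason>` text that perror appends, so the error reason lands on its own line; drop the `\n`. The input is opened with `"r"` although it holds raw packet bytes (`"rb"` is the portable spelling), and `fuzz_dns_handle_packet()` is a verbatim copy of the helper in tests/fuzz/test-fuzz.c from the previous patch, so a shared header would keep the two harnesses from drifting apart.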
[PATCH mdnsd 04/10] interface: fix possible null pointer dereference
Fixes following issue reported by clang-12 static analyzer:

mdnsd/interface.c:250:6: warning: Access to field 'ipi_ifindex' results in a dereference of a null pointer (loaded from variable 'inp')
if (inp->ipi_ifindex != iface->ifindex)
^~~~
mdnsd/interface.c:323:6: warning: Access to field 'ipi6_ifindex' results in a dereference of a null pointer (loaded from variable 'inp')
if (inp->ipi6_ifindex != iface->ifindex)
^

Signed-off-by: Petr Štetiar
---
interface.c | 6 ++
1 file changed, 6 insertions(+)

diff --git a/interface.c b/interface.c index 690e8579a44c..5fb9bad072ed 100644 --- a/interface.c +++ b/interface.c @@ -233,6 +233,9 @@ read_socket4(struct uloop_fd *u, unsigned int events) } } + if (!inp) + return; + if (debug > 1) { char buf[256]; @@ -308,6 +311,9 @@ read_socket6(struct uloop_fd *u, unsigned int events) } } + if (!inp) + return; + if (debug > 1) { char buf[256];
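Review bot: both hunks return silently when no packet-info control message was found, which drops the datagram without a trace; since the code right below already has a `debug > 1` diagnostic path, logging the discarded packet under that guard before returning would make a socket missing its PKTINFO option diagnosable instead of looking like packet loss.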
[PATCH mdnsd 05/10] cmake: create static library
So it could be reused in other binaries for fuzzing etc.

Signed-off-by: Petr Štetiar
---
CMakeLists.txt | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt index 8be878dd2cd8..e08720327b7c 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -5,7 +5,7 @@ ADD_DEFINITIONS(-Os -ggdb -Wall -Werror --std=gnu99 -Wmissing-declarations) SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "") -SET(SOURCES main.c dns.c announce.c cache.c service.c util.c ubus.c interface.c) +SET(SOURCES dns.c announce.c cache.c service.c util.c ubus.c interface.c) FIND_PATH(ubox_include_dir NAMES libubox/usock.h) FIND_PATH(ubus_include_dir NAMES libubus.h) @@ -22,9 +22,11 @@ IF(DEBUG) ADD_DEFINITIONS(-DDEBUG -g3) ENDIF() -ADD_EXECUTABLE(umdns ${SOURCES}) +ADD_LIBRARY(umdns-lib STATIC ${SOURCES}) +TARGET_LINK_LIBRARIES(umdns-lib ${LIBS}) -TARGET_LINK_LIBRARIES(umdns ${LIBS}) +ADD_EXECUTABLE(umdns main.c) +TARGET_LINK_LIBRARIES(umdns umdns-lib) INSTALL(TARGETS umdns RUNTIME DESTINATION sbin
[PATCH mdnsd 03/10] interface: fix value stored to 'fd' is never read
Fixes following issue reported by clang-12 static analyzer:

mdnsd/interface.c:360:3: warning: Value stored to 'fd' is never read
fd = -1;
^~~
mdnsd/interface.c:394:3: warning: Value stored to 'fd' is never read
fd = -1;
^~~

Original author most likely wanted to assign -1 to the original interface file descriptor.

Signed-off-by: Petr Štetiar
---
interface.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/interface.c b/interface.c index d3f2ad342201..690e8579a44c 100644 --- a/interface.c +++ b/interface.c @@ -357,7 +357,7 @@ interface_mcast_setup4(struct interface *iface) if (setsockopt(fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, , sizeof(mreq)) < 0) { fprintf(stderr, "failed to join multicast group: %m\n"); close(fd); - fd = -1; + iface->fd.fd = -1; return -1; } @@ -391,7 +391,7 @@ interface_socket_setup6(struct interface *iface) if (setsockopt(fd, IPPROTO_IPV6, IPV6_ADD_MEMBERSHIP, , sizeof(mreq)) < 0) { fprintf(stderr, "failed to join multicast group: %m\n"); close(fd); - fd = -1; + iface->fd.fd = -1; return -1; }
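Review bot: replacing `fd = -1` with `iface->fd.fd = -1` in both hunks changes behaviour rather than only silencing the analyzer, and the hunks do not show whether `fd` was taken from `iface->fd.fd` earlier in these functions; if it was not, the change invalidates a descriptor the function never owned while the one it just closed stays referenced elsewhere. The commit message's "most likely wanted" should be confirmed against the assignment of `fd` at the top of interface_mcast_setup4() and interface_socket_setup6() and then stated as fact.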
[PATCH mdnsd 02/10] Add initial GitLab CI support
Uses currently proof-of-concept openwrt-ci[1] in order to: * improve the quality of the codebase in various areas * decrease code review time and help merging contributions faster * get automagic feedback loop on various platforms and tools - out of tree build with OpenWrt SDK on following targets: * ath79-generic * imx6-generic * malta-be * mvebu-cortexa53 - out of tree native build on x86/64 with GCC (versions 8, 9, 10) and Clang 10 - out of tree native x86/64 static code analysis with cppcheck and scan-build from Clang 10 1. https://gitlab.com/ynezz/openwrt-ci/ Signed-off-by: Petr Štetiar --- .gitlab-ci.yml | 6 ++ 1 file changed, 6 insertions(+) create mode 100644 .gitlab-ci.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index ..56d55a3891bc --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,6 @@ +variables: + CI_TARGET_BUILD_DEPENDS: umdns + +include: + - remote: https://gitlab.com/ynezz/openwrt-ci/raw/master/openwrt-ci/gitlab/main.yml + - remote: https://gitlab.com/ynezz/openwrt-ci/raw/master/openwrt-ci/gitlab/pipeline.yml ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
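Review bot: both `include: - remote:` entries pull the pipeline definition from `raw/master` of a personal GitLab namespace, so whoever controls that repository controls every job that later runs with this project's CI credentials, and the pipeline can change or break without any commit here. Pin the includes to a tag or commit SHA (or vendor the two YAML files into the repo) and bump them deliberately; the commit message already calls the upstream a proof of concept, which is one more reason not to track its master branch.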
[PATCH mdnsd 08/10] cmake: tests: provide umdns-san binary
Which is compiled with clang UB, address and leak sanitizers which is handy for example with fuzzing directly over network. Signed-off-by: Petr Štetiar --- CMakeLists.txt | 13 + 1 file changed, 13 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 80d1cf5be352..f1bc8f0e9dfe 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -31,6 +31,19 @@ TARGET_LINK_LIBRARIES(umdns umdns-lib) IF(UNIT_TESTING) ENABLE_TESTING() ADD_SUBDIRECTORY(tests) + + IF(CMAKE_C_COMPILER_ID STREQUAL "Clang") + ADD_LIBRARY(umdns-lib-san STATIC ${SOURCES}) + TARGET_COMPILE_OPTIONS(umdns-lib-san PRIVATE -g -fno-omit-frame-pointer -fsanitize=undefined,address,leak -fno-sanitize-recover=all) +TARGET_LINK_OPTIONS(umdns-lib-san PRIVATE -fsanitize=undefined,address,leak) + TARGET_LINK_LIBRARIES(umdns-lib-san ${LIBS}) + +ADD_EXECUTABLE(umdns-san main.c ${SOURCES}) + TARGET_COMPILE_OPTIONS(umdns-san PRIVATE -g -fno-omit-frame-pointer -fsanitize=undefined,address,leak -fno-sanitize-recover=all) +TARGET_LINK_OPTIONS(umdns-san PRIVATE -fsanitize=undefined,address,leak) + TARGET_LINK_LIBRARIES(umdns-san umdns-lib-san) + ENDIF() + ENDIF() INSTALL(TARGETS umdns ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
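Review bot: `ADD_EXECUTABLE(umdns-san main.c ${SOURCES})` compiles every source a second time into the executable while also linking `umdns-lib-san`, which was just built from the same ${SOURCES}; the objects already in the executable satisfy all symbols, so the sanitized static library contributes nothing and the two targets drift apart silently. Mirror the non-sanitized target from the context lines, `ADD_EXECUTABLE(umdns-san main.c)`, and let the library carry the code. Two smaller points on the same hunk: the identical `-fsanitize=undefined,address,leak` option list appears three times and would be easier to keep in sync as a single `SET(SAN_FLAGS ...)`, and the two `TARGET_LINK_OPTIONS` lines are indented differently from the lines around them. `TARGET_LINK_OPTIONS` also requires CMake 3.13 or newer, so check that the project's `cmake_minimum_required` (not visible here) allows it.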
Re: [PATCH] hostapd: Add cell_density data rates option
Hello Nick,

sorry, I was quite busy the last days.

On 10/8/20 10:24 AM, Nick Lowe wrote:
> Thank you very much for the review. Do you think this specific patch could be merged in its present state? If yes, please could you do so?

I've merged your commit to my staging tree and will push it in a few days when I've sent my hostapd changes to the list.

Best wishes
David
[PATCH 0/3] dropbear: overhaul the crypto algorithm selection
This patch series enables a much more fine-grained configuration of the public key, encryption and key exchange algorithms in Dropbear. Rui Salvaterra (3): dropbear: create a submenu for public key algorithms dropbear: create a submenu for encryption algorithms dropbear: create a submenu for key exchange algorithms package/network/services/dropbear/Config.in | 60 +-- package/network/services/dropbear/Makefile| 44 ++ .../dropbear/files/dropbear.failsafe.ecc | 8 +++ .../dropbear/files/dropbear.failsafe.ed25519 | 8 +++ ...ropbear.failsafe => dropbear.failsafe.rsa} | 0 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 +++-- 6 files changed, 113 insertions(+), 21 deletions(-) create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ecc create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%) -- 2.28.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
[PATCH 3/3] dropbear: create a submenu for key exchange algorithms
This allows the user to select only the key exchange algorithms (s)he requires (e.g., disabling group 14 SHA-{1,256} and keeping only Curve25519). The default selection maintains the current functionality. Additionally, make sure at least one key exchange algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 12 package/network/services/dropbear/Makefile | 13 ++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 9cea6242a6..066dab0a9b 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -94,6 +94,16 @@ config DROPBEAR_AUTOSEL_EA endmenu +menu "Key exchange algorithm selection" + +config DROPBEAR_DH_GROUP14_SHA1 + bool "Group 14 SHA-1" + default y + +config DROPBEAR_DH_GROUP14_SHA256 + bool "Group 14 SHA-256" + default y + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y @@ -103,6 +113,8 @@ config DROPBEAR_CURVE25519 Increases binary size by about 4 kB (MIPS). +endmenu + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 768058718c..d0b0dbf3dc 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -32,6 +32,7 @@ PKG_CONFIG_DEPENDS:= \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_DH_GROUP14_SHA1 CONFIG_DROPBEAR_DH_GROUP14_SHA256 \ CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk 
@@ -110,9 +111,6 @@ define Build/Configure echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h - echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ - $(PKG_BUILD_DIR)/localoptions.h - for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \ echo "#define OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \ $(PKG_BUILD_DIR)/localoptions.h; \ @@ -130,6 +128,15 @@ define Build/Configure echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_DH_GROUP14_SHA1 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA1),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_DH_GROUP14_SHA256 $(if $(CONFIG_DROPBEAR_DH_GROUP14_SHA256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + # remove protocol idented software version number $(ESED) 's,^(#define LOCAL_IDENT) .*,\1 "SSH-2.0-dropbear",g' \ $(PKG_BUILD_DIR)/sysoptions.h -- 2.28.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
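Review bot: the commit message says the patch makes sure at least one key exchange algorithm stays selected, but unlike 1/3 and 2/3 the Config.in hunk adds no `DROPBEAR_AUTOSEL_*` guard, so a user can unset DROPBEAR_DH_GROUP14_SHA1, DROPBEAR_DH_GROUP14_SHA256 and DROPBEAR_CURVE25519 together and hit exactly the build failure the message says is prevented. Add something like `config DROPBEAR_AUTOSEL_KEX` / `def_bool y` / `depends on !(DROPBEAR_DH_GROUP14_SHA256 || DROPBEAR_CURVE25519 || DROPBEAR_ECC)` / `select DROPBEAR_DH_GROUP14_SHA1` before `endmenu`, and consider selecting the SHA-256 group rather than the SHA-1 one as the fallback; DROPBEAR_ECC belongs in that condition because the Makefile context shows it also enabling DROPBEAR_ECDH, which is a key exchange method. A minor consistency point on the same hunk: the two new Group 14 entries have no help text, while the neighbouring Curve25519 entry documents both the algorithm name and the binary size cost.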
[PATCH 1/3] dropbear: create a submenu for public key algorithms
This allows the user to select only the public key algorithms (s)he requires (e.g., disabling RSA and keeping only Ed25519). The default selection maintains the current functionality. Additionally, make sure at least one public key algorithm is selected, lest the build would fail. Dropbear executable sizes (ath79, -O2): RSA + Ed25519: 210101 bytes RSA only: 197765 bytes Ed25519 only: 189637 bytes Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 27 ++- package/network/services/dropbear/Makefile| 23 +++- .../dropbear/files/dropbear.failsafe.ecc | 8 ++ .../dropbear/files/dropbear.failsafe.ed25519 | 8 ++ ...ropbear.failsafe => dropbear.failsafe.rsa} | 0 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch | 14 ++ 6 files changed, 63 insertions(+), 17 deletions(-) create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ecc create mode 100755 package/network/services/dropbear/files/dropbear.failsafe.ed25519 rename package/network/services/dropbear/files/{dropbear.failsafe => dropbear.failsafe.rsa} (100%) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index 6aa5a7e4e1..d2771eca93 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -1,14 +1,13 @@ menu "Configuration" depends on PACKAGE_dropbear -config DROPBEAR_CURVE25519 - bool "Curve25519 support" +menu "Public key algorithm selection" + +config DROPBEAR_RSA + bool "RSA support" default y help - This enables the following key exchange algorithm: - curve25519-sha...@libssh.org - - Increases binary size by about 4 kB (MIPS). + Enable support for the RSA public key algorithm. config DROPBEAR_ECC bool "Elliptic curve cryptography (ECC)" 
@@ -58,6 +57,13 @@ config DROPBEAR_ED25519 Increases binary size by about 12 kB (MIPS). +config DROPBEAR_AUTOSEL_PK + def_bool y + depends on !(DROPBEAR_ECC || DROPBEAR_ED25519) + select DROPBEAR_RSA + +endmenu + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -67,6 +73,15 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_CURVE25519 + bool "Curve25519 support" + default y + help + This enables the following key exchange algorithm: + curve25519-sha...@libssh.org + + Increases binary size by about 4 kB (MIPS). + config DROPBEAR_ZLIB bool "Enable compression" default n diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 6c97d3e77b..2ab2cd396d 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -29,7 +29,7 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ - CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ + CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP @@ -67,9 +67,9 @@ define Package/dropbear/description endef define Package/dropbear/conffiles +$(if $(CONFIG_DROPBEAR_RSA),/etc/dropbear/dropbear_rsa_host_key) $(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key) $(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key) -/etc/dropbear/dropbear_rsa_host_key /etc/config/dropbear endef 
@@ -107,6 +107,9 @@ define Build/Configure echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_RSA $(if $(CONFIG_DROPBEAR_RSA),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h @@ -169,10 +172,18 @@ define Package/dropbear/install $(INSTALL_DIR) $(1)/usr/lib/opkg/info $(INSTALL_DIR) $(1)/etc/dropbear $(INSTALL_DIR) $(1)/lib/preinit - $(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear - $(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key) - $(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key) - touch $(1)/etc/dropbear/dropbear_rsa_host_key + +ifdef CONFIG_DROPBEAR_ED25519 + $(INSTALL_DATA) ./files/dropbear.failsafe.ed25519 $(1)/lib/preinit/99_10_failsafe_dropbear +else ifdef CONFIG_DROPBEAR_ECC + $(INSTALL_DATA) ./files/dropbear.failsafe.ecc
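Review bot: the conffiles hunk makes `/etc/dropbear/dropbear_rsa_host_key` conditional on CONFIG_DROPBEAR_RSA, and the install hunk removes the unconditional `touch $(1)/etc/dropbear/dropbear_rsa_host_key`, but the hunk is cut off on this page right after the `else ifdef CONFIG_DROPBEAR_ECC` branch, so it is not visible whether a `$(if $(CONFIG_DROPBEAR_RSA),touch ...)` line is re-added alongside the Ed25519 and ECC ones; if it is not, an RSA-enabled build ships a conffiles entry for a file that is never created. Please confirm the two lists stay in sync, and state in the commit message that the failsafe script is chosen in the fixed order Ed25519, then ECC, then RSA, since that preference is only implied by the `ifdef` chain.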
[PATCH 2/3] dropbear: create a submenu for encryption algorithms
This allows the user to select only the encryption algorithms (s)he requires (e.g., disabling AES and keeping only ChaCha20-Poly1305). The default selection maintains the current functionality. Additionally, make sure at least one encryption algorithm is selected, lest the build would fail. Signed-off-by: Rui Salvaterra --- package/network/services/dropbear/Config.in | 21 + package/network/services/dropbear/Makefile | 12 +--- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in index d2771eca93..9cea6242a6 100644 --- a/package/network/services/dropbear/Config.in +++ b/package/network/services/dropbear/Config.in @@ -64,6 +64,20 @@ config DROPBEAR_AUTOSEL_PK endmenu +menu "Encryption algorithm selection" + +config DROPBEAR_AES128 + bool "AES-128 support" + default y + help + This enables support for the 128-bit AES cipher + +config DROPBEAR_AES256 + bool "AES-256 support" + default y + help + This enables support for the 256-bit AES cipher + config DROPBEAR_CHACHA20POLY1305 bool "Chacha20-Poly1305 support" default y @@ -73,6 +87,13 @@ config DROPBEAR_CHACHA20POLY1305 Increases binary size by about 4 kB (MIPS). +config DROPBEAR_AUTOSEL_EA + def_bool y + depends on !(DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) + select DROPBEAR_AES128 + +endmenu + config DROPBEAR_CURVE25519 bool "Curve25519 support" default y diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 2ab2cd396d..768058718c 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile 
@@ -30,9 +30,9 @@ PKG_FLAGS:=nonshared PKG_CONFIG_DEPENDS:= \ CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \ CONFIG_DROPBEAR_RSA CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \ - CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \ - CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \ - CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP + CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_AES128 CONFIG_DROPBEAR_AES256 \ + CONFIG_DROPBEAR_CHACHA20POLY1305 CONFIG_DROPBEAR_UTMP \ + CONFIG_DROPBEAR_PUTUTLINE CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP include $(INCLUDE_DIR)/package.mk @@ -121,6 +121,12 @@ define Build/Configure echo '#define DROPBEAR_ED25519 $(if $(CONFIG_DROPBEAR_ED25519),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_AES128 $(if $(CONFIG_DROPBEAR_AES128),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + + echo '#define DROPBEAR_AES256 $(if $(CONFIG_DROPBEAR_AES256),1,0)' >> \ + $(PKG_BUILD_DIR)/localoptions.h + echo '#define DROPBEAR_CHACHA20POLY1305 $(if $(CONFIG_DROPBEAR_CHACHA20POLY1305),1,0)' >> \ $(PKG_BUILD_DIR)/localoptions.h -- 2.28.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
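Review bot: the help text of the new DROPBEAR_AES128 and DROPBEAR_AES256 entries in the Config.in hunk ends without a period and omits the "Increases binary size by about N kB (MIPS)" line that the adjacent DROPBEAR_CHACHA20POLY1305 and DROPBEAR_CURVE25519 entries carry; since the whole point of the series is letting users trade algorithms for flash space, give both AES entries the same size figure the commit message of 1/3 provides for the public key options. The DROPBEAR_AUTOSEL_EA guard itself reads correctly: it only forces AES-128 back on when both AES-256 and ChaCha20-Poly1305 are unset.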
[PATCH 0/7] netfilter: kconfig symbol updates
The series was based on work by Tony Ambardar in GitHub pull request [1]. Many investigations were done by Tony. And many changes were done by me and all errors are mine of course.

[1] https://github.com/openwrt/openwrt/pull/3257

The work focused on the following aspects.

- Use current config symbols when possible, instead of those retained for compat reasons
- Many kconfig symbols for conntrack and nat functions are now bool with prompt ones, instead of the old tristate ones. Version conditionals are added for old kernel versions. And make them unset state as these options can only be enabled when selected by others

Tony Ambardar (1):
  netfilter.mk: add version conditional for CONFIG_NF_CT_PROTO_GRE

Yousong Zhou (6):
  netfilter.mk: use CONFIG_NETFILTER_XT_TARGET_MASQUERADE
  netfilter.mk: use CONFIG_NETFILTER_XT_TARGET_REDIRECT
  netfilter.mk: add version conditional for nf_nat_ipv4,6
  generic: 5.4: make nf nat masquerade in unset state by default
  netfilter.mk: add version conditional around nf_nat_redirect mod
  netfilter.mk: add version conditional around CONFIG_NF_NAT_PROTO_GRE

 include/netfilter.mk            | 14 +++---
 target/linux/generic/config-5.4 |  3 +--
 2 files changed, 8 insertions(+), 9 deletions(-)
[PATCH 4/7] generic: 5.4: make nf nat masquerade in unset state by default
Upstream linux 5.1 commit d1aca8ab ("netfilter: nat: merge ipv4 and ipv6 masquerade functionality") replaces the following 2 options - CONFIG_NF_NAT_MASQUERADE_IPV4 - CONFIG_NF_NAT_MASQUERADE_IPV6 with CONFIG_NF_NAT_MASQUERADE. The new option is one without prompt and will be selected by CONFIG_NETFILTER_XT_TARGET_MASQUERADE introduced still later in 5.2. Signed-off-by: Yousong Zhou --- target/linux/generic/config-5.4 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/target/linux/generic/config-5.4 b/target/linux/generic/config-5.4 index aa3fbded3b..ebbff3fa62 100644 --- a/target/linux/generic/config-5.4 +++ b/target/linux/generic/config-5.4 @@ -3689,8 +3689,7 @@ CONFIG_NF_CONNTRACK_PROCFS=y # CONFIG_NF_NAT_H323 is not set # CONFIG_NF_NAT_IPV6 is not set # CONFIG_NF_NAT_IRC is not set -CONFIG_NF_NAT_MASQUERADE_IPV4=y -CONFIG_NF_NAT_MASQUERADE_IPV6=y +# CONFIG_NF_NAT_MASQUERADE is not set # CONFIG_NF_NAT_NEEDED is not set # CONFIG_NF_NAT_PPTP is not set # CONFIG_NF_NAT_PROTO_GRE is not set ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
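Review bot: the context lines of this config-5.4 hunk still carry `# CONFIG_NF_NAT_IPV6 is not set`, `# CONFIG_NF_NAT_NEEDED is not set` and `# CONFIG_NF_NAT_PROTO_GRE is not set`, symbols that, according to patches 3/7 and 7/7 of this same series, no longer exist in the kernels this file is for; since the patch is already cleaning stale NAT symbols out of this block, drop those too, otherwise the next `make kernel_oldconfig` pass will just silently discard them again.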
[PATCH 1/7] netfilter.mk: use CONFIG_NETFILTER_XT_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_MASQUERADE and its counterpart CONFIG_IP6_NF_TARGET_MASQUERADE are "backwards-compat option for the user's convenience" Related commit d22c1755 ("netfilter: fix NAT packaging with kernels 5.2+") Signed-off-by: Yousong Zhou --- include/netfilter.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 5d6e3a0c98..2047dcc842 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -199,7 +199,7 @@ $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT,CONFIG_NF_NAT, ipt_SNAT ipt_DNAT)) $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT6,CONFIG_IP6_NF_TARGET_NPT, ip6t_DNPT ip6t_SNPT))) $(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MASQUERADE, $(P_V4)ipt_MASQUERADE, lt 5.2)) -$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MASQUERADE, $(P_XT)xt_MASQUERADE, ge 5.2)) +$(eval $(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_TARGET_MASQUERADE, $(P_XT)xt_MASQUERADE, ge 5.2)) $(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_REDIRECT, $(P_XT)xt_REDIRECT)) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
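Review bot: for kernels >= 5.2 the `xt_MASQUERADE` module is now keyed on CONFIG_NETFILTER_XT_TARGET_MASQUERADE, but nothing in this series sets that symbol (4/7 only removes the two MASQUERADE_IPV4/IPV6 lines from config-5.4) and the commit message does not say where it is enabled; since `nf_add` adds a module only when the named symbol has a value, please confirm that CONFIG_NETFILTER_XT_TARGET_MASQUERADE is present in the kmod-ipt-nat KCONFIG list or the generic config, or the MASQUERADE target quietly disappears from the package on 5.4. The message also mentions CONFIG_IP6_NF_TARGET_MASQUERADE as the IPv6 counterpart, yet the hunk touches only the IPv4 line; a sentence saying whether IPv6 masquerading is already covered elsewhere would help.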
[PATCH 2/7] netfilter.mk: use CONFIG_NETFILTER_XT_TARGET_REDIRECT
CONFIG_IP_NF_TARGET_REDIRECT is a compat option since upstream commit 2cbc78a2 ("netfilter: combine ipt_REDIRECT and ip6t_REDIRECT"). That happened since linux 3.10 Signed-off-by: Yousong Zhou --- include/netfilter.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 2047dcc842..9f22512d68 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -200,7 +200,7 @@ $(eval $(if $(NF_KMOD),,$(call nf_add,IPT_NAT6,CONFIG_IP6_NF_TARGET_NPT, ip6t_DN $(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_MASQUERADE, $(P_V4)ipt_MASQUERADE, lt 5.2)) $(eval $(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_TARGET_MASQUERADE, $(P_XT)xt_MASQUERADE, ge 5.2)) -$(eval $(call nf_add,IPT_NAT,CONFIG_IP_NF_TARGET_REDIRECT, $(P_XT)xt_REDIRECT)) +$(eval $(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_TARGET_REDIRECT, $(P_XT)xt_REDIRECT)) # nat-extra ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
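Review bot: since the commit message dates the compat symbol to 3.10, keeping this line unconditional is right, but the same check as for MASQUERADE applies: `nf_add` now looks at CONFIG_NETFILTER_XT_TARGET_REDIRECT, so that symbol needs to be enabled in the kmod-ipt-nat KCONFIG list or the generic configs for `xt_REDIRECT` to keep being packaged; stating where it is set would make the patch self-contained.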
[PATCH 7/7] netfilter.mk: add version conditional around CONFIG_NF_NAT_PROTO_GRE
It was removed in upstream linux commit faec18db ("netfilter: nat: remove l4proto->manip_pkt"). This happened since linux 5.1 Signed-off-by: Yousong Zhou --- include/netfilter.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index dccec09ffb..0c29c0bd04 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -220,7 +220,7 @@ $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_BROADCAST, $(P_XT)nf $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_AMANDA, $(P_XT)nf_conntrack_amanda)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_AMANDA, $(P_XT)nf_nat_amanda)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CT_PROTO_GRE, $(P_XT)nf_conntrack_proto_gre, lt 5.1)) -$(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_PROTO_GRE, $(P_V4)nf_nat_proto_gre)) +$(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_PROTO_GRE, $(P_V4)nf_nat_proto_gre, lt 5.0)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_H323, $(P_XT)nf_conntrack_h323)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_H323, $(P_V4)nf_nat_h323)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_PPTP, $(P_XT)nf_conntrack_pptp)) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
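Review bot: the commit message says the symbol disappeared with linux 5.1, but the hunk adds `lt 5.0`, which also excludes 5.0 kernels; one of the two is wrong, and 6/7 uses `lt 5.1` for the companion CONFIG_NF_CT_PROTO_GRE line, so either change this to `lt 5.1` or correct the message to say 5.0 and mention why the two GRE lines differ.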
[PATCH 6/7] netfilter.mk: add version conditional for CONFIG_NF_CT_PROTO_GRE
From: Tony Ambardar Kernel commit 22fc4c4c9fd6 ("netfilter: conntrack: gre: switch module to be built-in") moved the CT GRE code into the core nf_conntrack.ko module and changed the CONFIG_NF_CT_PROTO_GRE option to boolean for kernel 5.1 and onwards. CONFIG_NF_CT_PROTO_GRE at the moment has no prompt and can only be selected by NF_CONNTRACK_PPTP Fixes: FS#2990 (partial) Ref: https://bugs.openwrt.org/index.php?do=details_id=2990 Signed-off-by: Tony Ambardar [note that the option now can not be enabled on its own] Signed-off-by: Yousong Zhou --- include/netfilter.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index e5ba3b366e..dccec09ffb 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -219,7 +219,7 @@ $(eval $(call nf_add,NF_NATHELPER,CONFIG_NF_NAT_FTP, $(P_XT)nf_nat_ftp)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_BROADCAST, $(P_XT)nf_conntrack_broadcast)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_AMANDA, $(P_XT)nf_conntrack_amanda)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_AMANDA, $(P_XT)nf_nat_amanda)) -$(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CT_PROTO_GRE, $(P_XT)nf_conntrack_proto_gre)) +$(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CT_PROTO_GRE, $(P_XT)nf_conntrack_proto_gre, lt 5.1)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_PROTO_GRE, $(P_V4)nf_nat_proto_gre)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_CONNTRACK_H323, $(P_XT)nf_conntrack_h323)) $(eval $(call nf_add,NF_NATHELPER_EXTRA,CONFIG_NF_NAT_H323, $(P_V4)nf_nat_h323)) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
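Review bot: with the `lt 5.1` conditional, NF_NATHELPER_EXTRA on newer kernels gets GRE tracking only if CONFIG_NF_CT_PROTO_GRE=y is still selected, and the message says that now happens solely through NF_CONNTRACK_PPTP; the `nf_conntrack_pptp` line in the same context is what keeps that selection alive, so please say so in the commit message, because removing or moving the PPTP helper later would silently drop GRE conntrack from the package on 5.1+.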
[PATCH 5/7] netfilter.mk: add version conditional around nf_nat_redirect mod
Kernel commit 1ac89d20150e ("netfilter: nat: merge nf_nat_redirect into nf_nat") made the redirect module part of the nat core and changed the CONFIG_NF_NAT_REDIRECT option to a boolean, without prompt, affecting kernel 4.18 onwards. CONFIG_NF_NAT_REDIRECT now can only be selected by CONFIG_NFT_REDIR or NETFILTER_XT_TARGET_REDIRECT Fixes: FS#2476 Ref: https://bugs.openwrt.org/index.php?do=details_id=2476 Fixes: FS#2990 (partial) Ref: https://bugs.openwrt.org/index.php?do=details_id=2990 Signed-off-by: Tony Ambardar [note that the option has no prompt and can only be selected by other kconfig options] Signed-off-by: Yousong Zhou --- include/netfilter.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 3c217db106..e5ba3b366e 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -184,7 +184,7 @@ $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt)) # kernel only $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT, $(P_XT)nf_nat),)) -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, $(P_XT)nf_nat_redirect),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, $(P_XT)nf_nat_redirect, lt 4.18),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_IPV4, $(P_V4)nf_nat_ipv4, lt 5.1))) $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6, lt 5.1))) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
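Review bot: Tony Ambardar's Signed-off-by comes first and the bracketed note reads like a maintainer annotation, but unlike 6/7 this patch has no `From: Tony Ambardar` line, so `git am` will record the sender as author; add the From: line if the change is his, or reorder the sign-offs if it is not. The `lt 4.18` bound itself matches the commit the message cites.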
[PATCH 3/7] netfilter.mk: add version conditional for nf_nat_ipv4,6
The upstream linux commit is 3bf195ae ("netfilter: nat: merge nf_nat_ipv4,6 into nat core"). It was included since linux 5.1 Signed-off-by: Yousong Zhou --- include/netfilter.mk | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/netfilter.mk b/include/netfilter.mk index 9f22512d68..3c217db106 100644 --- a/include/netfilter.mk +++ b/include/netfilter.mk @@ -185,8 +185,8 @@ $(eval $(call nf_add,IPT_IPV6_EXTRA,CONFIG_IP6_NF_MATCH_RT, $(P_V6)ip6t_rt)) # kernel only $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT, $(P_XT)nf_nat),)) $(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_REDIRECT, $(P_XT)nf_nat_redirect),)) -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_IPV4, $(P_V4)nf_nat_ipv4),)) -$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6),)) +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT,CONFIG_NF_NAT_IPV4, $(P_V4)nf_nat_ipv4, lt 5.1))) +$(eval $(if $(NF_KMOD),$(call nf_add,NF_NAT6,CONFIG_NF_NAT_IPV6, $(P_V6)nf_nat_ipv6, lt 5.1))) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_NETFILTER_XT_NAT, $(P_XT)xt_nat),)) $(eval $(if $(NF_KMOD),$(call nf_add,IPT_NAT,CONFIG_IP_NF_NAT, $(P_V4)iptable_nat),)) ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
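Review bot: the two rewritten lines change the trailing `),))` of the `$(if $(NF_KMOD),...)` wrapper to `)))`, dropping the explicit empty else branch, while the `nf_nat_redirect` line directly above (and 5/7, which edits it) keeps the `,)` form; both expand the same way, but keep one spelling in this block so the next diff here is not noise.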
Re: hostapd: add additional network section to wpa_supplicant
Hello Daniel,

thanks for your feedback :+1: Or where do I have to start?

This could be done by introducing a new type of UCI section, 'wifi-credential', which can be listed in the 'wifi-iface' section of a station interface.

The way I see it, we have to hook into here [1] for the sta mode. Now I am not sure if this is also useful for other modes, for example mesh.

In the whole mac80211 layer there is no 'config_load' call. All data settings are added via JSON. So I do not have the new section 'wifi-credential' available to get the additional network options from the JSON config. I now only have the new UCI list option (I named it 'networks') for the interface that points to the new 'wifi-credential' section, to add an additional network config section to the wpa_supplicant config.

My config would look like this:

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option encryption 'psk2+tkip'
	option key 'nas21234'
	option network 'nas2'
	option ssid 'nas2'
	option autoscan_periodic_interval '600'
	list networks 'test1'
	list networks 'test2'

config wifi-credential
	option encryption 'psk2+tkip'
	option key 'test1'
	option ssid 'test1'

config wifi-credential
	option encryption 'psk2+tkip'
	option key 'test'
	option ssid 'test'

The question is now how to iterate over the UCI option 'networks' of the 'wifi-iface' to get the 'wifi-credential' sections and hand them over to the wpa_supplicant_add_network [2] function. In this function, all options are read from the config JSON object.

Is the procedure here that I have to implement this as in this commit [3], and also have to update netifd as in these commits [5] [6], so that we can use a new UCI section wifi-credential via JSON?
Kind regards
Florian

[1] https://github.com/openwrt/openwrt/blob/master/package/kernel/mac80211/files/lib/netifd/wireless/mac80211.sh#L641
[2] https://github.com/openwrt/openwrt/blob/master/package/network/services/hostapd/files/hostapd.sh#L928
[3] https://github.com/openwrt/openwrt/commit/5aa2ddd0d6b9759c62bbb7bb11b72a7f4269c16b#diff-0524cbcb28eb9c9b7a08dd8c38f9b88ab8dab0af51bae8ca63e1124090008907
[4] https://git.openwrt.org/?p=project/netifd.git;a=commit;h=a56b457656218e5b6142b6238286ea54801ac4b2
    https://git.openwrt.org/?p=project/netifd.git;a=commit;h=4ce33cee34e413f69082a80a833f3ed1baf8a761
[5]
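The translation Florian is asking about, shown as an added example that is not part of this thread and not OpenWrt's hostapd.sh or netifd code: a POSIX shell script that walks the 'list networks' entries of a 'wifi-iface', looks up each referenced 'wifi-credential' section and emits one wpa_supplicant network={} block per credential. The section and option names ('wifi-credential', 'networks', 'ssid', 'key', 'encryption') are taken from the proposal above; everything else is assumed for the example. In particular the credential sections are given names so a list entry can refer to them (the mail shows them anonymous), the sample config is constructed inline with quotes omitted so the toy awk parser stays small, the function names (uci_get, uci_list, wpa_network_block, render_credentials) are invented here, and the encryption-to-key_mgmt/proto/pairwise mapping follows the convention hostapd.sh uses for the 'encryption' option (a bare "+tkip" suffix means TKIP only). The passphrase check reflects what wpa_supplicant accepts: 8 to 63 characters, or exactly 64 hex digits for a raw PSK written unquoted.

```shell
#!/bin/sh
# Added example, not OpenWrt's hostapd.sh: render 'wifi-credential' sections
# referenced from a station's 'list networks' into wpa_supplicant network={}
# blocks. Section/option names follow the proposal in the mail; the credential
# sections are named here (assumption) so the list can refer to them.

# Constructed UCI snippet (quotes omitted so the toy parser below stays simple;
# values containing whitespace are not supported by this parser).
UCI_SAMPLE='
config wifi-iface wifinet2
	option device radio0
	option mode sta
	option ssid nas2
	option key nas21234
	option encryption psk2+tkip
	list networks test1
	list networks test2

config wifi-credential test1
	option encryption psk2+tkip
	option key test1-passphrase
	option ssid test1

config wifi-credential test2
	option encryption psk2
	option key test-passphrase
	option ssid test
'

# uci_get <section> <option>: value of a single-valued option (stand-in for "uci -q get")
uci_get() {
	printf '%s\n' "$UCI_SAMPLE" | awk -v sec="$1" -v opt="$2" '
		$1 == "config" { cur = $3 }
		cur == sec && $1 == "option" && $2 == opt { print $3; exit }'
}

# uci_list <section> <option>: one line per list entry, in file order
uci_list() {
	printf '%s\n' "$UCI_SAMPLE" | awk -v sec="$1" -v opt="$2" '
		$1 == "config" { cur = $3 }
		cur == sec && $1 == "list" && $2 == opt { print $3 }'
}

# wpa_network_block <ssid> <key> <encryption>: print one network={} block on
# stdout; return 1 for an unknown encryption value or a key that is neither a
# passphrase (8..63 chars) nor a raw PSK (64 hex digits).
wpa_network_block() {
	local ssid="$1" key="$2" enc="$3" key_mgmt proto pairwise
	case "$enc" in
		none)       key_mgmt=NONE ;;
		psk-mixed*) key_mgmt=WPA-PSK; proto="WPA RSN" ;;
		psk2*)      key_mgmt=WPA-PSK; proto=RSN ;;
		psk*)       key_mgmt=WPA-PSK; proto=WPA ;;
		sae*)       key_mgmt=SAE;     proto=RSN ;;
		*) echo "unsupported encryption '$enc' for ssid $ssid" >&2; return 1 ;;
	esac
	# Cipher suffix handling mirrors hostapd.sh: "+tkip" alone means TKIP only.
	case "$enc" in
		*tkip+aes|*tkip+ccmp|*aes+tkip|*ccmp+tkip) pairwise="CCMP TKIP" ;;
		*tkip) pairwise=TKIP ;;
		*)     pairwise=CCMP ;;
	esac
	if [ "$key_mgmt" != NONE ] && ! printf '%s' "$key" | grep -Eq '^(.{8,63}|[0-9A-Fa-f]{64})$'; then
		echo "key for ssid $ssid is not a valid passphrase or PSK" >&2
		return 1
	fi
	printf 'network={\n\tssid="%s"\n\tkey_mgmt=%s\n' "$ssid" "$key_mgmt"
	if [ "$key_mgmt" != NONE ]; then
		# A 64-digit hex key is a raw PSK and must be written without quotes.
		if printf '%s' "$key" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
			printf '\tpsk=%s\n' "$key"
		else
			printf '\tpsk="%s"\n' "$key"
		fi
		printf '\tproto=%s\n\tpairwise=%s\n' "$proto" "$pairwise"
	fi
	[ "$key_mgmt" = SAE ] && printf '\tieee80211w=2\n'
	printf '}\n'
}

# render_credentials <wifi-iface>: one block per credential named in 'list networks';
# returns 1 if any credential was rejected, after rendering the others.
render_credentials() {
	local iface="$1" name rc=0
	for name in $(uci_list "$iface" networks); do
		wpa_network_block "$(uci_get "$name" ssid)" "$(uci_get "$name" key)" \
			"$(uci_get "$name" encryption)" || rc=1
	done
	return "$rc"
}

# Usage: sh wifi_credentials.sh render wifinet2
case "${1:-}" in
	render) render_credentials "${2:-wifinet2}" ;;
esac
```

In the real hostapd.sh the lookups would come from the JSON handed over by netifd rather than from an awk pass over a config string, but the shape is the same: resolve each list entry to its credential section, validate it, and append a block to the generated wpa_supplicant configuration. Rendering the remaining credentials and reporting a non-zero status for a bad one keeps a single typo in one credential from taking down every network on the interface.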