Re: [OpenWrt-Devel] netifd: adding default route + route via previous default route
On Sun, 2016-05-15 at 20:50 +0800, Yousong Zhou wrote:
> > > I remember `proto_add_host_dependency` can be used to instruct netifd
> > > to setup such a route. But it looks like the relevant code for
> > > openconnect.sh is now commented out.
> >
> > It was causing an infinite loop, and I could not understand through
> > code what the add_host_dependency was supposed to do. Do you have any
> > information about this function?
>
> `proto_add_host_dependency` takes 3 arguments.
>
> - The 1st is the logical interface name we are adding dependency for
> - The 2nd is the host the above interface will depend on
> - The 3rd is also a logical interface name. It's optional and is for
>   explicitly specifying which logical interface the 1st argument
>   depends on.
>
> If the 3rd argument is not given, netifd will try to find the logical
> interface which provides route to the specified host (2nd argument)
> and a host route will be available. The 1st logical interface will
> also be added to the list of "users" of that logical interface and
> will be notified of its up/down/update event.
>
> I guess the problem with openconnect.sh may be that the 3rd argument
> was using the incorrect type. Is that `vpn-$config` meant to be a
> linux system interface name? We can try just not passing the 3rd
> argument and see how it works.

That was most helpful, thank you. The issue seems to be addressed now.

regards,
Nikos
___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
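The ordering problem behind this thread, as an added example that is not part of the original mail and not netifd code: a VPN handler that installs a default route over the tunnel must first pin the VPN gateway to whatever route reaches it today, otherwise the gateway ends up routed through the tunnel that depends on it and the session drops. The model below does the longest-prefix lookup that netifd performs for `proto_add_host_dependency` when the third argument is omitted, emits the /32 (or /128) host route, and shows what happens when the pin is skipped. The routing table, interface names and metrics are constructed sample data.

```python
"""
Model of host-route pinning before a VPN default route (added example, not
netifd code).  Constructed sample data throughout; interface names such as
eth0.2 and vpn-tun0 are assumptions.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class Route(NamedTuple):
    prefix: Net
    via: Optional[str]   # next-hop address, None for on-link / point-to-point
    dev: str             # interface carrying the route
    metric: int = 0


def R(prefix: str, via: Optional[str], dev: str, metric: int = 0) -> Route:
    return Route(ipaddress.ip_network(prefix), via, dev, metric)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match with metric as tie-break, as the kernel does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if r.prefix.version != addr.version or addr not in r.prefix:
            continue
        if (best is None
                or r.prefix.prefixlen > best.prefix.prefixlen
                or (r.prefix.prefixlen == best.prefix.prefixlen
                    and r.metric < best.metric)):
            best = r
    return best


def host_route(table: List[Route], host: str) -> Route:
    """The /32 or /128 that pins `host` to the route reaching it right now."""
    cur = lookup(table, host)
    if cur is None:
        raise LookupError(f"no route to {host}")
    addr = ipaddress.ip_address(host)
    pin = ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    return Route(pin, cur.via, cur.dev, cur.metric)


def bring_up_vpn(table: List[Route], vpn_gw: str, tun_dev: str,
                 pin_gateway: bool = True) -> List[Route]:
    """Return the table after the VPN comes up as the default route.

    With pin_gateway=True the gateway host route is installed first (what
    proto_add_host_dependency arranges); with False the default route
    swallows the gateway, which is the failure described in the thread.
    """
    new = list(table)
    if pin_gateway:
        new.append(host_route(new, vpn_gw))
    default = "0.0.0.0/0" if ipaddress.ip_address(vpn_gw).version == 4 else "::/0"
    new.append(R(default, None, tun_dev, metric=0))   # tunnel default wins on metric
    return new


def gateway_reachable(table: List[Route], vpn_gw: str, tun_dev: str) -> bool:
    """True if the VPN gateway is still reached outside the tunnel."""
    r = lookup(table, vpn_gw)
    return r is not None and r.dev != tun_dev


# Constructed sample table: WAN default with metric 10, LAN on-link.
WAN_TABLE = [
    R("0.0.0.0/0", "198.51.100.1", "eth0.2", metric=10),
    R("198.51.100.0/24", None, "eth0.2"),
    R("192.168.1.0/24", None, "br-lan"),
    R("::/0", "fe80::1", "eth0.2", metric=10),
]
VPN_GW = "203.0.113.5"   # assumed VPN gateway address


def demo():
    good = bring_up_vpn(WAN_TABLE, VPN_GW, "vpn-tun0")
    bad = bring_up_vpn(WAN_TABLE, VPN_GW, "vpn-tun0", pin_gateway=False)
    return (gateway_reachable(good, VPN_GW, "vpn-tun0"),
            gateway_reachable(bad, VPN_GW, "vpn-tun0"))


if __name__ == "__main__":
    print("pinned, unpinned:", demo())
```

In a real proto handler the equivalent of `host_route` plus `bring_up_vpn` is `proto_add_host_dependency "$config" "$server"` followed by the default route update, with the arguments as Yousong describes above; the model only makes visible why the host route has to be installed before the default route, not how netifd does it internally.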
Re: [OpenWrt-Devel] netifd: adding default route + route via previous default route
On Sat, 2016-05-14 at 18:29 +0800, Yousong Zhou wrote:
> On 14 May 2016 at 16:18, Nikos Mavrogiannopoulos
> <n.mavrogiannopou...@gmail.com> wrote:
> >
> > Hi,
> >  A user of openconnect VPN is trying to use openconnect as a default
> > route on his router [0]. Currently this works by setting defaultroute=1
> > on his /etc/config/network, however, once the default route is setup
> > the VPN connection drops because there is no direct route to the VPN
> > gateway.
> >
> > Obviously I need to setup a /32 (or /128 for IPv6) route for the VPN
> > gateway using the previous defaultroute interface. However it is not
> > apparent to me how to do that via the netifd-proto.sh or the
> > functions/network.sh. Any hints? Should I use the user's suggestion of
> > directly setting the route via busybox' route command?
>
> I remember `proto_add_host_dependency` can be used to instruct netifd
> to setup such a route. But it looks like the relevant code for
> openconnect.sh is now commented out.

It was causing an infinite loop, and I could not understand through
code what the add_host_dependency was supposed to do. Do you have any
information about this function?

regards,
Nikos
[OpenWrt-Devel] netifd: adding default route + route via previous default route
Hi,
 A user of openconnect VPN is trying to use openconnect as a default
route on his router [0]. Currently this works by setting defaultroute=1
on his /etc/config/network, however, once the default route is setup
the VPN connection drops because there is no direct route to the VPN
gateway.

Obviously I need to setup a /32 (or /128 for IPv6) route for the VPN
gateway using the previous defaultroute interface. However it is not
apparent to me how to do that via the netifd-proto.sh or the
functions/network.sh. Any hints? Should I use the user's suggestion of
directly setting the route via busybox' route command?

regards,
Nikos

[0]. https://github.com/openwrt/packages/issues/2548
[1]. https://github.com/openwrt/packages/blob/master/net/vpnc-scripts/files/vpnc-script
Re: [OpenWrt-Devel] SHA512/SHA256 hashes truncated/busybox weirdness
On Sun, 2016-01-03 at 11:17 -0800, Chris Marchesi wrote:
> Hey!
>
> I tried to change the default passwd algorithm used by busybox to
> sha512, but got some strange looking hashes back by passwd after
> changing.
> They basically had the algorithm and the salt (maybe) squashed, like
> below.
> $6abCDefGH:(rest of shadow entry here)

That is a uclibc bug. When it didn't support the algorithm it
incorrectly used the DES crypt instead. Most likely the openwrt uclibc
doesn't contain the fix.
https://bugs.busybox.net/show_bug.cgi?id=7808

regards,
Nikos
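A check for the symptom described above, as an added example that is not part of the mail and not busybox or uclibc code: it classifies each password field of a shadow file by its Modular Crypt Format prefix, flags the "id and salt squashed together" shape (`$6abCDefGH...`, no `$` after the id) that the fallback produced, and also reports the two things a router audit should never miss, an empty password field and a legacy DES hash. The shadow lines are constructed sample data; the expected hash lengths (22/43/86 characters for md5crypt, sha256crypt and sha512crypt) follow the glibc/musl conventions.

```python
"""
Shadow password-field audit (added example; constructed sample input).
Detects well-formed sha512crypt/sha256crypt/md5crypt entries, legacy DES,
locked and empty fields, and the squashed "$6abCD..." form from the thread.
"""
import re
from typing import List, Tuple

ALPHABET = r"[./0-9A-Za-z]"
HASH_LEN = {"1": 22, "5": 43, "6": 86}        # chars of hash after the last '$'
NAMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}

MODERN = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>" + ALPHABET + r"{1,16})\$(?P<hash>" + ALPHABET + r"+)$")
DES = re.compile(r"^" + ALPHABET + r"{13}$")    # 2-char salt + 11-char hash
SQUASHED = re.compile(r"^\$[156][^$]")          # id not followed by '$'


def classify_crypt(field: str) -> Tuple[str, str]:
    """Return (kind, note) for one /etc/shadow password field."""
    if field == "":
        return ("empty", "no password required to log in")
    if field.startswith(("*", "!")):
        return ("locked", "password login disabled")
    m = MODERN.match(field)
    if m:
        want = HASH_LEN[m["id"]]
        got = len(m["hash"])
        if got != want:
            return ("malformed", f"{NAMES[m['id']]} hash should be {want} chars, got {got}")
        return (NAMES[m["id"]], "ok")
    if DES.match(field):
        return ("descrypt", "legacy 56-bit DES crypt, 8-char password limit")
    if SQUASHED.match(field):
        return ("malformed", "MCF id and salt run together: libc fell back to another crypt")
    return ("unknown", "unrecognised format")


def audit_shadow(text: str) -> List[Tuple[str, str, str]]:
    """(user, kind, note) for every entry in a shadow-formatted text."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        kind, note = classify_crypt(fields[1])
        out.append((fields[0], kind, note))
    return out


# Constructed sample shadow file; hashes are placeholders, not real digests.
GOOD_SHA512 = "$6$abCDefGH$" + "A" * 86
SAMPLE_SHADOW = "\n".join([
    "root:" + GOOD_SHA512 + ":16800:0:99999:7:::",
    "daemon:*:16800:0:99999:7:::",
    "guest::16800:0:99999:7:::",                 # empty field
    "legacy:abJnggxhB/yWI:16800:0:99999:7:::",   # DES crypt shape
    "bad:$6abCDefGH4xk9o3f:16800:0:99999:7:::",  # squashed id+salt
]) + "\n"

if __name__ == "__main__":
    for user, kind, note in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {kind:12} {note}")
```

Run against a real `/etc/shadow` this reports, per account, whether the stored hash is the algorithm you configured; any "malformed" or "descrypt" result after switching busybox to sha512 points at the libc rather than at busybox.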
Re: [OpenWrt-Devel] can netifd automatically restart a service?
On Thu, 2015-06-11 at 09:20 +0100, Bruno Randolf wrote:
> On 06/11/2015 07:32 AM, Nikos Mavrogiannopoulos wrote:
> > In issue 574 [0] there is a big discussion of the behavior of
> > transmission in openwrt. To summarize it:
> > * By default when transmission downloads, it may crash the router due
> >   to high memory consumption and OOB. That crash may lead to reboot or
> >   not.
> > * To avoid that, some memory limitations can be set (such as disabling
> >   overcommit), and then transmission will exit, but the router would be
> >   functional.
> >
> > I think the 2nd is quite a reasonable approach as it is more important
> > to keep the router up and running than transmission (or any other
> > individual service). However, a way to reduce the impact would be for
> > netifd to restart transmission if crashed. Can that be done already, or
> > inittab is the only option?
>
> procd can do that. E.g. a sample init.d/service file:
>
> #!/bin/sh /etc/rc.common

Thank you for the replies. I'll try to modify transmission for that,
unless someone is faster to it.

regards,
Nikos
[OpenWrt-Devel] can netifd automatically restart a service?
In issue 574 [0] there is a big discussion of the behavior of
transmission in openwrt. To summarize it:
* By default when transmission downloads, it may crash the router due
  to high memory consumption and OOB. That crash may lead to reboot or
  not.
* To avoid that, some memory limitations can be set (such as disabling
  overcommit), and then transmission will exit, but the router would be
  functional.

I think the 2nd is quite a reasonable approach as it is more important
to keep the router up and running than transmission (or any other
individual service). However, a way to reduce the impact would be for
netifd to restart transmission if crashed. Can that be done already, or
inittab is the only option?

regards,
Nikos

[0]. https://github.com/openwrt/packages/issues/574
Re: [OpenWrt-Devel] enabling seccomp by default in kernel
On Sat, 2015-02-14 at 15:31 -0800, David Lang wrote:
> > I've also enabled the ocserv package to use seccomp if configured to,
> > but in order for that protection to become meaningful for other
> > programs to use as well, it would also need the default kernel option
> > to enable seccomp filter.
>
> It needs the kernel support to use the seccomp filter, but why is this
> so critical that it must be enabled by default?

Being critical isn't the only reason for enabling kernel options on
openwrt. IPv6 isn't critical, many can live without it, but still it is
there. The question is whether the added value of seccomp justifies the
few kilobytes spent. My opinion on that, is that exploits on a router
are more grave than on a PC, because a router is harder to upgrade, and
an issue is harder to notice. For that a mechanism like seccomp which
can contain potential damage, is very useful on openwrt.

regards,
Nikos
[OpenWrt-Devel] enabling seccomp by default in kernel
Hello,
 I've added libseccomp into packages. That library allows programs to
easily restrict the system calls they are allowed to use. In turn that
uses the kernel's seccomp filter. That's one of the most reliable ways
to restrict/sandbox processes into specific tasks which cannot be
overridden even in the event of code injection.

I've also enabled the ocserv package to use seccomp if configured to,
but in order for that protection to become meaningful for other
programs to use as well, it would also need the default kernel option
to enable seccomp filter.

regards,
Nikos
Re: [OpenWrt-Devel] enabling seccomp by default in kernel
On Sat, 2015-02-14 at 14:54 +0100, Etienne Champetier wrote:
> Hi Nikos,
> Can you send size with/without seccomp option

I compiled openwrt on lantiq (3.18.7) and the size with seccomp filter is:
1481440 Feb 14 19:12 openwrt-lantiq-xway-WBMR-uImage
3695419 Feb 14 19:12 openwrt-lantiq-xway-WBMR-uImage-initramfs

while the uImage without is:
1479763 Feb 14 19:18 openwrt-lantiq-xway-WBMR-uImage
3693891 Feb 14 19:18 openwrt-lantiq-xway-WBMR-uImage-initramfs

regards,
Nikos
[OpenWrt-Devel] setting up ocserv VPN interactions with lan
Hello,
 After some experimentation, I've put up some instructions on how to
setup ocserv clients to interact easily with lan. I've abolished the
approach of adding each client into a vpn zone, and I now suggest adding
an interface for vpns+ devices, which will simplify both setup and
number of firewall rules. The instructions are in:
https://github.com/openwrt/packages/tree/master/net/ocserv

If you are more familiar with interface and firewall setup in openwrt,
please let me know of any omissions or issues with it.

regards,
Nikos
Re: [OpenWrt-Devel] netifd + split dns servers
On Fri, Jan 9, 2015 at 9:48 AM, Hans Dedecker <dedec...@gmail.com> wrote:
> On Thu, Jan 8, 2015 at 5:43 PM, Nikos Mavrogiannopoulos
> <n.mavrogiannopou...@gmail.com> wrote:
> > Currently a protocol can register a dns server with netifd using the
> > proto_add_dns_server function. That however, does not allow
> > registering a DNS server for a specific domain. I checked the netifd
> > code and there is no provision for that. Would it make sense to add
> > such functionality to netifd, or should I make openconnect directly
> > register its split-dns servers with dnsmasq?
>
> Netifd writes the dns servers in /tmp/resolv.conf.auto which are read
> by dnsmasq. However I don't see a way to pass DNS servers for a
> specific domain via the resolv.conf.auto file to dnsmasq unless changes
> are done in dnsmasq. If such functionality needs to be supported; the
> changes will not only be limited to netifd. And netifd rewriting
> dnsmasq.conf seems a bit hacky to me

The resolv.conf format is very limited, if you rely on it you can only
register global dns servers, and that's all. With dnsmasq, to support
split-dns you need to configure a config directory for dnsmasq, and then
place files in it that contain entries in the following format:

server=/domain/address.ip

regards,
Nikos
Re: [OpenWrt-Devel] netifd + split dns servers
On Fri, Jan 9, 2015 at 12:25 PM, Steven Barth <cy...@openwrt.org> wrote:
> Our dnsmasq init script registers /tmp/dnsmasq.d as an additional
> configuration dir, so you can place files there and restart it. However
> I'm not sure as to how much we want netifd to do dnsmasq-specific stuff
> or how we would do it.

Well I think that depends on how common a use case it is to have a dns
server per domain. Currently I think I can handle that in openconnect
directly, but if any other vpn application would like to do that,
they'll have to duplicate that code.

> Of course the bad thing here again is that dnsmasq doesn't support
> soft-reloading and every time you restart it you lose your dns cache
> etc. etc.

Interestingly it supports the 'servers-file' option which would allow
re-loading the domain specific servers without a restart. But even in
that case the cache will be cleared.

regards,
Nikos
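Writing the split-DNS file that the previous two messages describe (`server=/domain/address.ip` lines in a dnsmasq config directory or `servers-file`), as an added example that is not part of the mails and not openconnect, netifd or dnsmasq code. The domain and server values arrive from the VPN server, so the generator validates them before they reach the resolver's configuration: dnsmasq gives special meaning to an empty domain and to the domain `#` (both act as wildcards), `/` and `#` are syntax characters in this directive, and a newline inside a value would let a second directive be smuggled into the file. The sample entries are constructed.

```python
"""
dnsmasq servers-file generator for split DNS (added example; constructed
sample data).  Produces server=/domain/address[#port] lines and rejects
entries that would change the meaning of the file.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple

LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one DNS label


def valid_domain(domain: str) -> bool:
    """Accept a plain DNS name only: no dnsmasq wildcards, no syntax chars."""
    if not domain or domain == "#" or any(c in domain for c in "/#\r\n"):
        return False
    name = domain.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL.match(lbl) for lbl in name.split("."))


def render_server_line(domain: str, server: str, port: Optional[int] = None) -> str:
    """One server= directive; raises ValueError on anything untrustworthy."""
    if not valid_domain(domain):
        raise ValueError(f"refusing domain {domain!r}")
    target = str(ipaddress.ip_address(server))   # rejects junk and injection
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port {port}")
        target += f"#{port}"
    return f"server=/{domain.rstrip('.').lower()}/{target}"


def render_servers_file(entries: Iterable[Tuple[str, str]]
                        ) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (file text, rejected entries); bad entries never reach the file."""
    lines, rejected = [], []
    for domain, server in entries:
        try:
            lines.append(render_server_line(domain, server))
        except ValueError:
            rejected.append((domain, server))
    return ("\n".join(lines) + "\n") if lines else "", rejected


# Constructed sample: two acceptable entries and three that must be rejected.
SAMPLE_ENTRIES = [
    ("corp.example", "10.8.0.53"),
    ("EXAMPLE.NET.", "fd00::53"),
    ("#", "10.8.0.53"),                                  # dnsmasq catch-all
    ("corp.example\nserver=/#/10.0.0.1", "10.8.0.53"),   # directive injection
    ("corp.example", "10.8.0.53#53"),                    # not an address
]

if __name__ == "__main__":
    text, rejected = render_servers_file(SAMPLE_ENTRIES)
    print(text)
    print("rejected:", rejected)
```

With `servers-file=/tmp/dnsmasq.d/vpn-servers` in the dnsmasq configuration the output can be rewritten and picked up on SIGHUP instead of a restart, which is the option Nikos mentions; as he notes, the cache is still dropped.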
[OpenWrt-Devel] netifd + split dns servers
Currently a protocol can register a dns server with netifd using the
proto_add_dns_server function. That however, does not allow registering
a DNS server for a specific domain. I checked the netifd code and there
is no provision for that. Would it make sense to add such functionality
to netifd, or should I make openconnect directly register its split-dns
servers with dnsmasq?

regards,
Nikos
Re: [OpenWrt-Devel] openconnect does not remove default routes [was: Some OpenConnect observations]
On Mon, Jan 5, 2015 at 8:00 AM, Gottfried Haider <gottfried.hai...@gmail.com> wrote:
> > It seems that you use openconnect to set a default route, and that's
> > why I couldn't reproduce it. I don't think that openconnect handles
> > default routes differently, so it could be an issue in netifd. As I
> > see default routes are registered using proto_add_ipv4_route, and
> > should have been automatically removed when proto_kill_command is
> > called in openconnect.sh. Most probably you'll have to check the log
> > (readlog), and possibly add some additional logging in:
> > /lib/netifd/netifd-proto.sh
> > /lib/netifd/proto/openconnect.sh
> >
> > Sorry for not being able to help more. Maybe someone in the
> > openwrt-devel list will be able to help with that.
>
> Thanks for those pointers. I could follow the execution all the way to
> vpnc-script, so openconnect gets called with SIGINT and cleanly closes
> the connection. In the disconnect case in vpnc-script, I only see calls
> to proto_init_update and proto_send_update, whereas in connect the
> script did the heavy lifting to setup those routes... where do these
> calls go, do you happen to know? (primarily trying to figure out
> whether it's openconnect or some part of netifd that I should look into)

My understanding is that they are rpc, go to netifd daemon, which calls
openconnect.sh shortly after that.

regards,
Nikos
[OpenWrt-Devel] openconnect does not remove default routes [was: Some OpenConnect observations]
On Sun, 2015-01-04 at 09:18 +0100, Gottfried Haider wrote:
> Hello Nikos,
>
> > > * Bringing the VPN interface down again doesn't restore regular
> > >   internet access. It seems the routes (and DNS?) that came with the
> > >   VPN stay also after running ifdown.
> >
> > I don't seem to have this issue, please provide more information if it
> > persists with the latest packages.
>
> Those are the routes on a pretty recent OpenWrt snapshot (w/ openconnect
> 7.00-4). Please let me know if I can help with anything else, or update
> to an even more recent system.
>
> Before connecting to the VPN, during, and after (the VPN IP remains as
> destination):
> [...]

It seems that you use openconnect to set a default route, and that's
why I couldn't reproduce it. I don't think that openconnect handles
default routes differently, so it could be an issue in netifd. As I see
default routes are registered using proto_add_ipv4_route, and should
have been automatically removed when proto_kill_command is called in
openconnect.sh. Most probably you'll have to check the log (readlog),
and possibly add some additional logging in:
/lib/netifd/netifd-proto.sh
/lib/netifd/proto/openconnect.sh

Sorry for not being able to help more. Maybe someone in the
openwrt-devel list will be able to help with that.

regards,
Nikos
[OpenWrt-Devel] rules for packages for-14.09 branch
Hello,
 What are the rules for updating packages in the for-14.09 branch? Is
this branch inactive, or bug fixes and CVEs should get in?

regards,
Nikos
Re: [OpenWrt-Devel] [luci] [DISCUSSION] How to support LuCI applications not in OpenWrt packages repository
On Fri, Oct 3, 2014 at 11:32 AM, Christian Schoenebeck <christian.schoeneb...@gmail.com> wrote:
> Hi,
> we got a new ticket inside OpenWrt Ticket #18018 with problems inside
> LuCI app. This is normally not an OpenWrt ticket it's a LuCI ticket, but
> the user don't know. If the user try to post the ticket at LuCI trac it
> takes weeks before the ticket is reported by LuciTrac to the mailing
> lists. So for a me as an external developer there is no chance to help
> quick.
> LuCi trac is also no good choice to send patches or possibly new
> functionality. LuCI trac has problems to accept file attachments when
> creating a new ticket. LuCI trac gives no chance to correct/edit a
> ticket or append a comment if you just create it. From my point of view
> LuCi trac is more then awful including used CHAPTCHA.
> Sending patches or new functionality to luci mailing list is also not a
> choice because there is no guarantee that the code is implemented short
> term.
> My idea is to move code of LuCI applications like tinyproxy, samba,
> hd-idle, ddns-scripts, . to OpenWrt/packages as samba/samba-luci,
> tinyproxy/tinyproxy-luci or ddns-scripts/ddns-scripts-luci. The mwan3
> package already doing this.

As there is no objection, would it make sense to move forward with that?
Re: [OpenWrt-Devel] [luci] [DISCUSSION] How to support LuCI applications not in OpenWrt packages repository
On Tue, 2014-10-07 at 19:24 +0200, Jo-Philipp Wich wrote:
> Hi.
>
> I think about abandoning the LuCI Trac entirely and only accept patches
> sent to the mailinglist, I lack time and resources to keep it running
> and spam-free. So please resend the patches to the LuCI list in case
> you haven't done already and I'll try to get them merged until tomorrow.

Wouldn't it be more efficient if luci was on github too? (even as a
separate repository but with multiple committers)
Re: [OpenWrt-Devel] [luci] [DISCUSSION] How to support LuCI applications not in OpenWrt packages repository
On Fri, Oct 3, 2014 at 11:32 AM, Christian Schoenebeck <christian.schoeneb...@gmail.com> wrote:
> Hi,
> we got a new ticket inside OpenWrt Ticket #18018 with problems inside
> LuCI app. This is normally not an OpenWrt ticket it's a LuCI ticket, but
> the user don't know. If the user try to post the ticket at LuCI trac it
> takes weeks before the ticket is reported by LuciTrac to the mailing
> lists. So for a me as an external developer there is no chance to help
> quick.
> [...]
> My idea is to move code of LuCI applications like tinyproxy, samba,
> hd-idle, ddns-scripts, . to OpenWrt/packages as samba/samba-luci,
> tinyproxy/tinyproxy-luci or ddns-scripts/ddns-scripts-luci. The mwan3
> package already doing this.
> I think this is the best way, because openwrt/packages are moving fast
> forward and needed changes to the corresponding LuCI apps needs to be in
> sync.
> What do you think ?

I concur, my impression with the luci part of the project is that it is
unable to cope with any changes/new functionality proposal. It would be
nice to respin it as part of packages.

regards,
Nikos
Re: [OpenWrt-Devel] overcommit memory/ratio
On Fri, 2014-09-19 at 18:39 -0700, David Lang wrote:
> > Well being used to something bad, doesn't mean things cannot get
> > better. Routers (to which I have some experience at), rarely have
> > processes running that wouldn't matter if they are randomly killed;
> > on a desktop system you immediately notice an issue, and you can
> > reboot, a router is typically running unattended. Being locked out of
> > such a system because another process had a memory leak, can be an
> > issue.
>
> Turning off overcommit so that a program that wants to spawn a child
> will end up requiring double its memory (for the time between the fork
> and the exec) is likely to cause programs to fail when they don't need
> to.

I'd be surprised if fork and exec worked that way. After a fork the two
processes share the same physical pages (see the notes on fork()
manpage), and overcommit applies to physical ram, not virtual.

> And unlike desktops, you can't just say allocate a lot of swap to cover
> this up.

The same argument works the other way as well. A process using more
memory than the available in the router will force some other
(arbitrary) process to be killed. Unlike desktops you can't just say
allocate a lot of swap to cover this up. What you _can_ do, is tell to
the process that uses more memory than the existing one, that there is
no memory left.

> In spite of what some people say, it's far from a clear-cut win to
> disable overcommit.

I don't think anyone claims that.

regards,
Nikos
Re: [OpenWrt-Devel] overcommit memory/ratio
On Tue, 2014-09-16 at 22:29 +0000, Karl P wrote:
> Alternatively, if you know which process it is, set its oom_adj_score so
> that it gets killed first. Some other people are kinda used to things
> behaving as they are, for better or worse. (Turning off overcommit on an
> openwrt device is no different than turning off overcommit on a desktop
> as far as I'm concerned. Somethings will be better, lots of things less
> so)

Well being used to something bad, doesn't mean things cannot get better.
Routers (to which I have some experience at), rarely have processes
running that wouldn't matter if they are randomly killed; on a desktop
system you immediately notice an issue, and you can reboot, a router is
typically running unattended. Being locked out of such a system because
another process had a memory leak, can be an issue.

regards,
Nikos
[OpenWrt-Devel] overcommit memory/ratio
Hello,
 It seems I have a memory leak in a process that runs under openwrt, and
occasionally the watchdog process is being killed by the oom-killer
causing a reboot. Seen that, I think that having the default overcommit
settings of the linux kernel is quite an overkill for a system like
openwrt where memory is really limited. May I suggest turning off
overcommit completely in openwrt using:

echo 2 > /proc/sys/vm/overcommit_memory
echo 100 > /proc/sys/vm/overcommit_ratio

somewhere in the init scripts. That way processes which have a leak will
eventually get a NULL pointer in malloc() and the oom-killer wouldn't
kill unrelated processes.

regards,
Nikos

[0]. http://serverfault.com/questions/362589/effects-of-configuring-vm-overcommit-memory
[1]. http://www.win.tue.nl/~aeb/linux/lk/lk-9.html
Re: [OpenWrt-Devel] Toolchain issue: Significant decrease in performance of binaries produced by Barrier Breaker relative to Attitude Adjustment
On Sat, 2014-08-30 at 20:10 +0200, Felix Fietkau wrote:
> > This could be a problem caused by mips16. We use that in BB to create
> > smaller binaries. but Jonas saw a performance problem in some
> > applications, mostly stuff doing crypto (big integer calculations).
> > Can you try to build the BB toolchain without the mips16 feature in
> > target/linux/ar71xx/Makefile and try your application again.
>
> There's no need to disable it for the target, since it can be disabled
> for individual packages.

So should all packages that contain performance critical code have that
flag? 35% performance penalty is too high for such systems.

regards,
Nikos
[OpenWrt-Devel] nettle mips16 patch [was: Significant decrease in performance of binaries produced by Barrier Breaker relative to Attitude Adjustment]
On Sat, 2014-08-30 at 21:33 +0200, Felix Fietkau wrote: On 2014-08-30 21:27, Nikos Mavrogiannopoulos wrote: On Sat, 2014-08-30 at 20:10 +0200, Felix Fietkau wrote: This could be a problem caused by mips16. We use that in BB to create smaller binaries. but Jonas saw a performance problem in some applications, mostly stuff doing crypto (big integer calculations). Can you try to build the BB toolchain without the mips16 feature in target/linux/ar71xx/Makefile and try your application again. There's no need to disable it for the target, since it can be disabled for individual packages. So should all packages that contain performance critical code have that flag? 35% performance penalty is too high for such systems. Some kinds of code may be more affected than others. For crypto code we should definitely disable mips16, as it seems to be most affected. Then I guess, that patch should be applied on nettle. regards, Nikos From a75b56c15bd28e41daec6867fe652a3c61a65edc Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos n...@gnutls.org Date: Sat, 30 Aug 2014 22:09:27 +0200 Subject: [PATCH] nettle: set PKG_USE_MIPS16 to zer Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- package/libs/nettle/Makefile | 1 + 1 file changed, 1 insertion(+) diff --git a/package/libs/nettle/Makefile b/package/libs/nettle/Makefile index 4b0ce0b..c655b72 100644 --- a/package/libs/nettle/Makefile +++ b/package/libs/nettle/Makefile @@ -10,6 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nettle PKG_VERSION:=2.7.1 PKG_RELEASE:=1 +PKG_USE_MIPS16:=0 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=@GNU/nettle -- 2.0.0 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
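Review bot: the added `+PKG_USE_MIPS16:=0` line carries no comment, so a later reader of package/libs/nettle/Makefile will not know why MIPS16 is disabled for this single package; the reason given in the thread (MIPS16 code being markedly slower for big-integer crypto, the 35% figure quoted above) belongs in a one-line comment directly above it. In the hunk's context PKG_RELEASE:=1 is left untouched even though the produced binary changes, so the buildbots and opkg will not pick the rebuilt library up as a new version; bump PKG_RELEASE in the same patch. The subject line also reads "set PKG_USE_MIPS16 to zer", which is cut off.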
Re: [OpenWrt-Devel] [PATCH] Change of location of linux-pam sources
On Tue, 2014-08-12 at 12:47 +0100, Stephen Parry wrote: Hi Nikos, The linux-pam tarball location has been changed: PKG_RELEASE:=4 PKG_SOURCE:=Linux-PAM-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=http://www.linux-pam.org/ +PKG_SOURCE_URL:=http://www.linux-pam.org/library/ PKG_MD5SUM:=35b6091af95981b1b2cd60d813b5e4ee PKG_INSTALL:=1 PKG_FIXUP:=autoreconf Please can you apply? It is unclear from the site if going forward this will continue to be the correct location or if it will change to: Thanks for reporting it. I've inadvertently broken it, but it seems it was corrected already. regards, Nikos ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
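Review bot: the quoted hunk changes only PKG_SOURCE_URL, from http://www.linux-pam.org/ to http://www.linux-pam.org/library/, while PKG_MD5SUM stays at 35b6091af95981b1b2cd60d813b5e4ee; that is only correct if the tarball served from the new path is byte-identical to the old one, so the reviewer should fetch from the new URL and confirm the checksum before applying rather than adjusting the hash to whatever is served. The description ends with "or if it will change to:" and no alternative URL, so that part of the submission is incomplete as posted.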
Re: [OpenWrt-Devel] openwrt + openconnect
On 28 July 2014 12:53:17 CEST, David Woodhouse <dw...@infradead.org> wrote:
> On Thu, 2014-06-05 at 08:18 +0200, Nikos Mavrogiannopoulos wrote:
> > Hello,
> >  I'm trying to resubmit the scripts for openconnect in openwrt's luci
> > interface. Currently the most difficult part in the interface is
> > specifying the server certificate. There no tools installed by default
> > in openwrt that can fetch the server's certificate, and there is no way
> > to calculate the SHA1 hash of the certificate as well. Thus it becomes
> > a pretty geeky interface that very few people will be able to use.
> >
> > Said that I think it would be really good for openconnect to have a
> > mode trust on first use (thus no certificate will need to be
> > specified), or at least a flag --print-hash or so that will allow
> > running openconnect to obtain the server's certificate hash (and thus
> > the web interface will be able to calculate the hash without other
> > dependencies).
> >
> > What do you think of these two options? (mostly a question to David
> > but other opinions are welcome)
>
> It's not ideal, but actually there's already a way to do this. Just
> connect with '--servercert foo'. Where 'foo' really is a literal 'foo',
> or anything else that'll never match a real sha1sum :)
>
> You'll get something like this (localised) on stderr:
>
> Server SSL certificate didn't match: A098E8E7339BBB0FBE3BB57932DA6BAFDC2DEE8B
>
> That's the hash you were after.
>
> Actually, I think we want a kind of 'wizard' for openconnect
> configuration in luci. Rather than having hard-coded configuration
> items like 'username' and 'password' which aren't always going to be
> relevant, we actually want to work through the forms that the server
> offers us.

That's not easily done on the current luci interface. It allows easy
access to text configuration data but any interaction with applications
is pretty hard.

> Hook up a trivial dæmon listening on a local socket, and using
> libopenconnect's obtain_cookie() method. Every time it gets a
> validate_peer_cert() or process_auth_form() callback, stop and wait for
> a connection (from luci) on its local socket. Spew the request out the
> socket and wait for a response.
>
> You then have a luci page for the 'wizard' which simply fetches the
> next request for user interaction from that dæmon and stores the user's
> responses as the configuration to be stored. When the dæmon finally
> reports success, the 'wizard' page then gives you the option to
> 'Save & Apply' the new configuration.

Could be done but looks too much work for simply configuring
openconnect. The current interface accepts a username and password and a
certificate in advanced settings; that should handle 90% of sessions.

-- 
Sent from my mobile. Please excuse my brevity.
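The two ways of trusting the server certificate that this exchange discusses, a configured hash as with `--servercert` and the trust-on-first-use mode Nikos asks for, as an added example that is not part of the mail and not openconnect or LuCI code. The fingerprint is the SHA1 of the DER-encoded certificate, in upper-case hex, matching the form of the mismatch message David quotes; the comparison is constant-time, and the TOFU path makes its limitation explicit: whatever certificate the first connection sees is accepted, so it only protects against the certificate changing later. The certificate bytes are constructed placeholders, not real certificates.

```python
"""
Server-certificate pinning and trust-on-first-use (added example, not
openconnect code).  CERT_A / CERT_B are constructed stand-ins for DER
certificates; any real DER blob works the same way.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER."""
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA1 of the DER certificate, upper-case hex (openconnect 7.x style)."""
    return hashlib.sha1(der).hexdigest().upper()


def check_server_cert(host: str, der: bytes, store: Dict[str, str],
                      pin: Optional[str] = None) -> str:
    """Decide whether to accept the presented certificate.

    Returns one of:
      'pinned-ok'    configured pin matches
      'tofu-learned' no pin and host unseen: fingerprint recorded, accepted
      'tofu-ok'      no pin, fingerprint matches the recorded one
      'mismatch'     pin or recorded fingerprint differs: do not connect
    """
    fp = fingerprint(der)
    if pin is not None:
        # A configured pin always wins; compare in constant time.
        return "pinned-ok" if hmac.compare_digest(fp, pin.upper()) else "mismatch"
    known = store.get(host)
    if known is None:
        store[host] = fp          # first use: trust and remember
        return "tofu-learned"
    return "tofu-ok" if hmac.compare_digest(fp, known) else "mismatch"


# Constructed placeholders (a DER SEQUENCE header followed by filler).
CERT_A = b"\x30\x82\x01\x00" + b"A" * 64
CERT_B = b"\x30\x82\x01\x00" + b"B" * 64
CERT_A_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(CERT_A).decode() +
              "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    store: Dict[str, str] = {}
    print("fingerprint:", fingerprint(pem_to_der(CERT_A_PEM)))
    print(check_server_cert("vpn.example", CERT_A, store))        # tofu-learned
    print(check_server_cert("vpn.example", CERT_B, store))        # mismatch
```

The TOFU store would need to live in persistent, root-only storage on the router (an `/etc` file, not `/tmp`), since an attacker who can rewrite it can re-seed the trust decision; the pinned form avoids that dependency, which is why the hash the thread shows how to obtain is the safer of the two to put into the configuration.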
Re: [OpenWrt-Devel] ddns-scripts: currently no MAINTAINER defined
On Thu, 2014-07-24 at 21:17 +0200, Christian Schoenebeck wrote:
> Hi,
> I would offer to do the job, but I don't know what I need to do.
> What are the requirements?
> - technically (hardware/software equipment)
> - knowledge (I don't call myself a programmer)
> - permissions to which development environments

I'm not aware of formal requirements. Your interest and ability to hack
the package are the most important factor.

> I modified ddns-scripts and luci-app-ddns for many new functionality as
> described in openwrt forum
> https://forum.openwrt.org/viewtopic.php?pid=235338#p235338
> - IPv6 support
> - Proxy Support
> - DNS-Server support
> - LuCI App redesign including status in Status-Overview

For the ddns-scripts you only need to send your pull request at:
https://github.com/openwrt/packages

For the luci interface I'm also not very sure how it works. I ended up
creating a luci-app package within the packages repository, but in your
case as the package is already there, it may make sense to send it to
the luci maintainer's list.

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:12 AM, Andre Heider <a.hei...@gmail.com> wrote:
> > could you please add nettle-mini support and make this a build variant
> > instead of a config option, please? Build variant has the advantage
> > that we can precompile it as ipks because we cannot enable dnssec by
> > default.
>
> I posted a patch to fix nettle-mini builds to the dnsmasq list. Once a
> fix is merged I'll include that in this package.
>
> The ipkg suggestion sounds nice, but, as Zhou mentioned, that'll give 4
> variants already. Is that really what we want?

Is there a reason for not having dnssec by default? If there is a way to
disable it, I believe it will only be beneficial to have it in.

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:31 AM, Steven Barth cy...@openwrt.org wrote:
> Hi Nikos,
>
>> Is there a reason for not having dnssec by default? If there is a way to disable it, I believe it will only be beneficial to have it in.
>
> The main problem here is that this increases the default image size significantly, plus we can't even reuse all the added crypto code because none of the core or important services use nettle. It would be nice to see dnsmasq interacting with a more mainstream embedded crypto library like polarssl or so.

On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and that can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.

> Also I would probably let all the DNSSEC deployment and the dnsmasq implementation mature a bit more before considering to enable it by default for everyone. But that's just my personal opinion.

Well, it will never mature if it is not distributed :)

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Mon, Jun 16, 2014 at 10:53 AM, edgar.sol...@web.de wrote:
>> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and that can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.
>
> according to https://polarssl.org/how-to-get you can use the polarssl library properly under copyleft GPL2. if they offer additional licenses does not matter.

That's what I already mentioned. The difference with open-source software is the missing "how to contribute" page (I consider the presence of a developer community a vital part of being open source). Otherwise, tomorrow you could be left with a GPLv2 codebase that is outdated and unmaintained if the X company desires that the GPLv2 codebase they release is no longer a good marketing approach. Another risk is to wait for years (or eternity) to get features that paying customers get (see matrixssl).

On Mon, Jun 16, 2014 at 10:51 AM, Steven Barth cy...@openwrt.org wrote:
>> On the contrary, I'd prefer if it doesn't. Nettle is an open project under LGPL that anyone can contribute to and that can be reused by a variety of software; polarssl is a closed commercial project under a commercial license with a GPLv2 exception.
>
> Oh well, I sometimes have the feeling if it's open-source + backed by a company there is more interest in avoiding another case of heartbleed

You could be right, but I'd expect a different set of bugs to be present rather than no bugs. Being commercial doesn't imply there are no bugs. My experience shows the contrary (and both openssl and gnutls are far from being non-commercial, as they are backed by several companies that either contribute code or hire their developers). The advantage small implementations have initially over gnutls and openssl is the fact that they are smaller and support far fewer features, thus they are easy to check and have a smaller attack vector.

Their disadvantage is that they need to get on par with the features of the other libraries (see for example how supporting cryptodev and modern algorithms improves performance in a small system [0], thus using a mainstream implementation pays off). In any case my opinion is biased as I am working on gnutls.

regards,
Nikos

[0]. http://nmav.gnutls.org/2012/04/in-some-embedded-systems-space-may.html
Re: [OpenWrt-Devel] [PATCH 1/2] Added luci configuration for ocserv
On Sat, 2014-06-07 at 00:19 +0200, Nikos Mavrogiannopoulos wrote:
>> This applies to ocserv at the github packages repository of openwrt: https://github.com/openwrt/packages
>
> Hello, any comments on the above two additions? I'm mostly worried about how that can be added to luci, as these programs are in the extra packages of openwrt. Is there a repository for extra luci modules as well?

Hello,
Any plans to adopt these patches to luci? I'm not sure which list is more appropriate for that. Initial openconnect support was already sent since 2012, but was never included. Is there a reason for that? I currently maintain them out-of-tree as patches at: https://github.com/nmav/luci-openconnect/commits/openconnect but it doesn't make much sense, as adding uci configuration to the packages without luci support only makes them more difficult to use.

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 0/4] dnsmasq: DNSSEC support
On Sat, 2014-06-14 at 17:34 +0200, Andre Heider wrote:
> Hi,
>
> this set adds DNSSEC validation to dnsmasq, tested on ar71xx. The set is pretty small and should be self explanatory. There's room for improvement though:
> - compilation will fail under CONFIG_LIBNETTLE_MINI. I failed to express the dependencies so that this combination is not allowed... Hints?

Hello,
Why would it fail? If the issue is the missing gmp.h, you could simply replace it with nettle's bignum.h and avoid direct linking with gmp.

regards,
Nikos
Re: [OpenWrt-Devel] Future of package maintenance and new scope of this mailing list
On Wed, 2014-06-11 at 00:16 +0300, Hannu Nyman wrote:
> The current buildbot run was the first after the default feed change, and as oldpackages are not built by buildbot, many packages will be missing from the snapshot directory as of today... So I expect to see a flow of bugs for missing binary packages :-(
>
> How are you going to ease the transition to the new repository? The default feed was changed yesterday, but only a few packages have been transferred to github so far. Will core developers add/move selected key packages that they assume to be widely used? Or are you expecting non-core people to assume maintenance of all packages to be transferred and move them?

I am not speaking on their behalf, but I guess they are trying to ease the burden on them, and form a new team that will maintain the additional packages.

> There are also packages like collectd, which is the core part of luci-statistics and part of the code lies in the Luci repository. It would be no use for a non-core developer to assume maintenance of collectd, as proper maintenance would also require access to the luci repository. (I have submitted version bump patches for collectd, but I have no interest in trying to assume maintenance for it, as the packages part is only half of the picture.)

I think the 'assume maintenance' is pretty strong wording. Even if you did, you'd always be free to quit, so my opinion would be to feel free to add packages that you consider essential and do update them when and if you can. My experience with the official maintainers at gnu shows that one way or another, there will be abandonware that we need to cope with. However, that move to the new repository would help to keep only software that is used and is safe to use, and hopefully get the critical mass of people needed to maintain them.

regards,
Nikos
[OpenWrt-Devel] [PATCH 2/2] gnutls: updated to 3.2.15
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gnutls/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 9544ffb..d1f8919 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnutls -PKG_VERSION:=3.2.14 +PKG_VERSION:=3.2.15 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2 -PKG_MD5SUM:=807bbf14a5b6c81a9249fffab5c3982b +PKG_MD5SUM:=ec3b06f80e312137386c5d322183ca5a PKG_MAINTAINER:=Nikos Mavrogiannopoulos n...@gnutls.org PKG_INSTALL:=1 -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
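Review bot: in the libs/gnutls/Makefile hunk, `PKG_MD5SUM` is the only integrity check on the tarball and `PKG_SOURCE_URL` fetches it over plain `ftp://`, so the digest is all that stands between the build and a tampered download. MD5 is no longer collision-resistant; if the build system offers a stronger digest variable, this bump is the moment to switch to it, and in any case the new checksum value should be taken from the upstream release announcement rather than computed from the freshly downloaded file.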
[OpenWrt-Devel] [PATCH 1/2] ocserv: updated to 0.8.0 and better detection of local hostname.
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- net/ocserv/Config.in | 4 +-- net/ocserv/Makefile | 28 - net/ocserv/files/ocserv.conf | 71 +--- net/ocserv/files/ocserv.init | 7 +++-- 4 files changed, 82 insertions(+), 28 deletions(-) diff --git a/net/ocserv/Config.in b/net/ocserv/Config.in index e0d2983..75ebd5a 100644 --- a/net/ocserv/Config.in +++ b/net/ocserv/Config.in @@ -7,8 +7,8 @@ config OCSERV_PAM bool enable PAM default n -config OCSERV_DBUS - bool enable DBUS (needed for occtl) +config OCSERV_PROTOBUF + bool use external libprotobuf default n endmenu diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 9fcff95..87ad98d 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -8,15 +8,15 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ocserv -PKG_VERSION:=0.3.5 +PKG_VERSION:=0.8.0 PKG_RELEASE:=1 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/ -PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5 +PKG_MD5SUM:=6383535a21f8eecfb1bbb7f7ac99c41f -PKG_LICENSE:=GPLv2 +PKG_LICENSE:=GPLv3 PKG_LICENSE_FILES:=COPYING PKG_FIXUP:=autoreconf @@ -32,7 +32,8 @@ define Package/ocserv SUBMENU:=VPN TITLE:=OpenConnect VPN server URL:=http://www.infradead.org/ocserv/ - DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus +OCSERV_DBUS:libreadline +libprotobuf-c + MAINTAINER:=Nikos Mavrogiannopoulos n.mavrogiannopou...@gmail.com + DEPENDS:= +libgnutls +libncurses +libreadline +OCSERV_PAM:libpam +OCSERV_PROTOBUF:libprotobuf-c endef define Package/ocserv/description 
@@ -44,32 +45,31 @@ define Package/ocserv/description as TLS 1.2, and Datagram TLS to provide the secure VPN service. endef +EXTRA_CPPFLAGS+=-I$(STAGING_DIR)/usr/include/readline/ +EXTRA_LDFLAGS+=-lncurses + CONFIGURE_ARGS+= \ --enable-local-libopts \ - --with-libcrypt-prefix=$(STAGING_DIR)/include \ - -ifneq ($(CONFIG_OCSERV_DBUS),y) -CONFIGURE_ARGS += --without-dbus -endif + --with-libreadline-prefix=$(STAGING_DIR)/ \ ifneq ($(CONFIG_OCSERV_PAM),y) CONFIGURE_ARGS += --without-pam endif +ifneq ($(CONFIG_OCSERV_PROTOBUF),y) +CONFIGURE_ARGS += --without-protobuf +endif + define Package/ocserv/install $(INSTALL_DIR) $(1)/usr/sbin $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/ $(INSTALL_DIR) $(1)/usr/bin $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/ $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv $(INSTALL_DIR) $(1)/etc/ocserv $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf -ifeq ($(CONFIG_OCSERV_DBUS),y) - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/ - $(INSTALL_DIR) $(1)/etc/dbus-1/system.d - $(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf $(1)/etc/dbus-1/system.d/ -endif endef $(eval $(call BuildPackage,ocserv)) diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf index badf4b5..1b8941e 100644 --- a/net/ocserv/files/ocserv.conf +++ b/net/ocserv/files/ocserv.conf @@ -4,6 +4,10 @@ #auth = certificate #auth = pam +# The gid-min option is used by auto-select-group option, in order to +# select the minimum group ID. +#auth = pam[gid-min=1000] + # The plain option requires specifying a password file which contains # entries of the following format. # username:groupname:encoded-password 
@@ -122,11 +126,18 @@ auth-timeout = 40 # a failed authentication attempt. #min-reauth-time = 2 -# Cookie validity time (in seconds) -# Once a client is authenticated he's provided a cookie with -# which he can reconnect. This option sets the maximum lifetime -# of that cookie. -cookie-validity = 86400 +# Cookie timeout (in seconds) +# which he can reconnect. That cookie will be invalided if not +# used within this timeout value. On a user disconnection, that +# cookie will also be active for this time amount prior to be +# invalid. That should allow a reasonable amount of time for roaming +# between different networks. +cookie-timeout = 300 + +# Whether roaming is allowed, i.e., if true a cookie is +# restricted to a single IP address and cannot be re-used +# from a different IP. +deny-roaming = false # ReKey time (in seconds) # ocserv will ask the client to refresh keys periodically once @@ -154,6 +165,14 @@ rekey-method = ssl # UTMP use-utmp = false +# Whether to enable support for the occtl tool (i.e., either through D-BUS, +# or via a unix socket). +use-occtl = true + +# socket file used for IPC with occtl. You only need to set that, +# if you use more than a single servers. +occtl-socket-file = /var/run/occtl.socket + # D-BUS usage. If disabled occtl tool cannot be used
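Review bot: the net/ocserv/Config.in hunk drops the `OCSERV_DBUS` symbol and adds `OCSERV_PROTOBUF`, but the subject only mentions the version update and hostname detection; an existing `.config` with `CONFIG_OCSERV_DBUS=y` loses that choice without notice, so the message should state that D-Bus support is gone and what `OCSERV_PROTOBUF` selects.

Review bot: in the net/ocserv/Makefile hunk, `+libncurses +libreadline` become unconditional dependencies, `occtl` is always installed, and `EXTRA_LDFLAGS+=-lncurses` hardcodes the link. Since readline and ncurses only serve the occtl client, keeping them behind a config symbol or moving occtl into its own subpackage would keep the server image small. Also, `MAINTAINER:=` inside `define Package/ocserv` differs from the `PKG_MAINTAINER:=` used at top level in the gnutls Makefile elsewhere on this page; pick one form.

Review bot: in the first net/ocserv/files/ocserv.conf hunk the rewritten comment above `cookie-timeout` now starts mid-sentence (`# which he can reconnect.`) because the line introducing the cookie was removed; restore it, and fix `invalided` to `invalidated`. The `deny-roaming = false` default also deserves a sentence saying that a cookie is then not bound to the client's address, so the 300 second `cookie-timeout` is the only limit on its reuse.

Review bot: in the second ocserv.conf hunk, `use-occtl = true` together with `occtl-socket-file = /var/run/occtl.socket` opens a control channel over the server, and the comment says nothing about who may connect to that socket; a line on the expected ownership and permissions of the socket file would help administrators, and `more than a single servers` should read `more than a single server`.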
[OpenWrt-Devel] [PATCH] Fix endianness issue, and added configuration template.
This is a follow-up on the previous patch; it fixes an issue on big endian systems, and adds some uci configuration options. Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- net/ocserv/Makefile| 6 ++- net/ocserv/files/ocserv-config | 8 +++ net/ocserv/files/ocserv.conf | 17 +++ net/ocserv/files/ocserv.init | 40 +-- net/ocserv/patches/0001-native-endianess.patch | 70 ++ 5 files changed, 123 insertions(+), 18 deletions(-) create mode 100644 net/ocserv/files/ocserv-config create mode 100644 net/ocserv/patches/0001-native-endianess.patch diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile index 87ad98d..80ec24e 100644 --- a/net/ocserv/Makefile +++ b/net/ocserv/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=ocserv PKG_VERSION:=0.8.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz @@ -69,7 +69,9 @@ define Package/ocserv/install $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv $(INSTALL_DIR) $(1)/etc/ocserv - $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf + $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf.template + $(INSTALL_DIR) $(1)/etc/config + $(INSTALL_CONF) ./files/ocserv-config $(1)/etc/config/ocserv endef $(eval $(call BuildPackage,ocserv)) diff --git a/net/ocserv/files/ocserv-config b/net/ocserv/files/ocserv-config new file mode 100644 index 000..3475857 --- /dev/null +++ b/net/ocserv/files/ocserv-config @@ -0,0 +1,8 @@ +config ocserv + option 'port' '4443' + option 'dpd''120' + option 'max_clients''8' + option 'max_same' '2' + + +config ocservusers diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf index 1b8941e..9c11500 100644 --- a/net/ocserv/files/ocserv.conf +++ b/net/ocserv/files/ocserv.conf 
@@ -13,7 +13,7 @@ # username:groupname:encoded-password # One entry must be listed per line, and 'ocpasswd' can be used # to generate password entries. -auth = plain[/etc/ocserv/ocpasswd] +auth = plain[/var/etc/ocpasswd] # A banner to be displayed on clients banner = Welcome to OpenWRT @@ -24,7 +24,7 @@ banner = Welcome to OpenWRT # Limit the number of clients. Unset or set to zero for unlimited. #max-clients = 1024 -max-clients = 8 +max-clients = |MAX_CLIENTS| # Limit the number of client connections to one every X milliseconds # (X is the provided value). Set to zero for no limit. @@ -32,17 +32,17 @@ max-clients = 8 # Limit the number of identical clients (i.e., users connecting # multiple times). Unset or set to zero for unlimited. -max-same-clients = 2 +max-same-clients = |MAX_SAME| # TCP and UDP port number -tcp-port = 4443 -udp-port = 4443 +tcp-port = |PORT| +udp-port = |PORT| # Keepalive in seconds keepalive = 32400 # Dead peer detection in seconds. -dpd = 120 +dpd = |DPD| # Dead peer detection for mobile clients. The needs to # be much higher to prevent such clients being awaken too @@ -173,11 +173,6 @@ use-occtl = true # if you use more than a single servers. occtl-socket-file = /var/run/occtl.socket -# D-BUS usage. If disabled occtl tool cannot be used. If enabled -# then ocserv must have access to register org.infradead.ocserv -# D-BUS service. See doc/dbus/org.infradead.ocserv.conf -use-dbus = true - # PID file. It can be overriden in the command line. pid-file = /var/run/ocserv.pid diff --git a/net/ocserv/files/ocserv.init b/net/ocserv/files/ocserv.init index 3f661ed..62b35df 100644 --- a/net/ocserv/files/ocserv.init +++ b/net/ocserv/files/ocserv.init 
@@ -4,6 +4,32 @@ SERVICE_USE_PID=1 START=50 +setup_config() { + config_get port $1 port 4443 + config_get max_clients $1 max_clients 8 + config_get max_same $1 max_same 2 + config_get dpd $1 dpd 120 + + mkdir -p /var/etc + sed -e s#|PORT|#$port#g \ + -e s#|MAX_CLIENTS|#$max_clients#g \ + -e s#|MAX_SAME|#$max_same#g \ + -e s#|DPD|#$dpd#g \ + /etc/ocserv/ocserv.conf.template /var/etc/ocserv.conf +} + +setup_users() { + local name + local password + + config_get name $1 name + config_get password $1 password + + [ -z $name -o -z $password ] return + + echo $password|ocpasswd -c /var/etc/ocpasswd $name +} + start() { user_exists ocserv 72 || user_add ocserv 72 72 /var/lib/ocserv group_exists ocserv 72 || group_add ocserv 72 @@ -42,10 +68,6 @@ start() { /etc/ocserv/ca-key.pem --outfile /etc/ocserv/server-cert.pem /dev/null 21 } - [ -f /etc/ocserv/ocpasswd ] || { - touch /etc/ocserv/ocpasswd - } - [ -f /var
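Review bot: in the net/ocserv/files/ocserv.init hunk, `setup_users` reads `password` from uci and pipes it into `ocpasswd`, so `/etc/config/ocserv` (the `ocservusers` section added in the ocserv-config hunk) now holds every VPN user's password in cleartext. Storing the already hashed `ocpasswd` line in uci instead, or at least making sure that config file is readable by root only, would avoid keeping a cleartext credential store on flash.

Review bot: still in the ocserv.init hunk, `setup_config` substitutes the uci values into the template with `sed` without checking them: a value containing the `#` delimiter or a newline breaks the expression or lets extra directives into the generated `/var/etc/ocserv.conf`. Validate `port`, `max_clients`, `max_same` and `dpd` as integers before substitution. And since `ocpasswd -c /var/etc/ocpasswd` adds one entry per user, unless the cut-off remainder of the hunk clears the file first, an account removed from uci stays valid in `/var/etc/ocpasswd` until the next reboot.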
[OpenWrt-Devel] [PATCH] Added initial luci configuration for ocserv
This patch adds a configuration menu for ocserv. As it is my first attempt in luci I'd appreciate any comments. Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- applications/luci-ocserv/Makefile | 4 ++ .../luci-ocserv/luasrc/controller/ocserv.lua | 26 + .../luci-ocserv/luasrc/model/cbi/ocserv.lua| 64 ++ contrib/package/luci/Makefile | 3 + 4 files changed, 97 insertions(+) create mode 100644 applications/luci-ocserv/Makefile create mode 100644 applications/luci-ocserv/luasrc/controller/ocserv.lua create mode 100644 applications/luci-ocserv/luasrc/model/cbi/ocserv.lua diff --git a/applications/luci-ocserv/Makefile b/applications/luci-ocserv/Makefile new file mode 100644 index 000..74cd597 --- /dev/null +++ b/applications/luci-ocserv/Makefile @@ -0,0 +1,4 @@ +PO = ocserv + +include ../../build/config.mk +include ../../build/module.mk diff --git a/applications/luci-ocserv/luasrc/controller/ocserv.lua b/applications/luci-ocserv/luasrc/controller/ocserv.lua new file mode 100644 index 000..f95b437 --- /dev/null +++ b/applications/luci-ocserv/luasrc/controller/ocserv.lua @@ -0,0 +1,26 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2014 Nikos Mavrogiannopoulos n.mavrogiannopou...@gmail.com + +Licensed under the Apache License, Version 2.0 (the License); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +module(luci.controller.ocserv, package.seeall) + +function index() + if not nixio.fs.access(/etc/config/ocserv) then + return + end + + local page + + page = entry({admin, services, ocserv}, cbi(ocserv), _(OpenConnect VPN)) + page.dependent = true +end diff --git a/applications/luci-ocserv/luasrc/model/cbi/ocserv.lua b/applications/luci-ocserv/luasrc/model/cbi/ocserv.lua new file mode 100644 index 000..b0715f2 --- /dev/null +++ b/applications/luci-ocserv/luasrc/model/cbi/ocserv.lua 
@@ -0,0 +1,64 @@ +--[[ +LuCI - Lua Configuration Interface + +Copyright 2014 Nikos Mavrogiannopoulos n.mavrogiannopou...@gmail.com + +Licensed under the Apache License, Version 2.0 (the License); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +$Id$ +]]-- + +m = Map(ocserv, translate(OpenConnect VPN)) + +s = m:section(TypedSection, ocserv, OpenConnect) +s.anonymous = true + +s:tab(general, translate(General Settings)) +s:tab(template, translate(Edit Template)) +s:tab(ca, translate(CA certificate)) + +s:taboption(general, Value, port, translate(Port)) +s:taboption(general, Value, max_clients, translate(Max clients)) +s:taboption(general, Value, max_same, translate(Max same clients)) +s:taboption(general, Value, dpd, translate(Dead peer detection time (secs))) + +tmpl = s:taboption(template, Value, _tmpl, + translate(Edit the template that is used for generating the ocserv configuration.)) + +tmpl.template = cbi/tvalue +tmpl.rows = 20 + +function tmpl.cfgvalue(self, section) + return nixio.fs.readfile(/etc/ocserv/ocserv.conf.template) +end + +function tmpl.write(self, section, value) + value = value:gsub(\r\n?, \n) + nixio.fs.writefile(/etc/ocserv/ocserv.conf.template, value) +end + +ca = s:taboption(ca, Value, _ca, + translate(View the CA certificate used by this server.)) + +ca.template = cbi/tvalue +ca.rows = 20 + +function ca.cfgvalue(self, section) + return nixio.fs.readfile(/etc/ocserv/ca.pem) +end + +s = m:section(TypedSection, ocservusers, translate(Available users)) +s.anonymous = true +s.addremove = true +s.template = cbi/tblsection + +s:option(Value, name, translate(Name)).rmempty = true +pwd = s:option(Value, password, translate(Password)) + +pwd.password = true + +return m diff --git a/contrib/package/luci/Makefile b/contrib/package/luci/Makefile index 64abf69..4cc9d8b 100644 --- a/contrib/package/luci/Makefile +++ b/contrib/package/luci/Makefile 
@@ -403,6 +403,9 @@ $(eval $(call application,polipo,LuCI Support for the Polipo Proxy,\ $(eval $(call application,openvpn,LuCI Support for OpenVPN,\ +PACKAGE_luci-app-openvpn:openvpn @BROKEN)) +$(eval $(call application,ocserv,LuCI Support for OpenConnect VPN,\ + +PACKAGE_luci-app-ocserv:ocserv certtool)) + $(eval $(call application,p2pblock,LuCI Support for the Freifunk P2P-Block addon,\ luci-app-firewall +PACKAGE_luci-app-p2pblock:freifunk-p2pblock)) -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
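Review bot: in the applications/luci-ocserv/luasrc/model/cbi/ocserv.lua hunk, the `_ca` option under the `ca` tab defines `cfgvalue` to read `/etc/ocserv/ca.pem` but no `write`, so anything typed into that 20-row textarea is silently discarded even though the widget is an editable `Value`; the label says "View", so render it read-only or give it an explicit no-op write that makes the intent visible.

Review bot: same hunk, the `password` option in the `ocservusers` section has `pwd.password = true`, which only masks the field in the browser: the value is still written to uci in cleartext. Pairing the field with a hashed entry produced by `ocpasswd` would keep the cleartext out of `/etc/config/ocserv`.

Review bot: in the contrib/package/luci/Makefile hunk the new application depends on `ocserv certtool`; no package named `certtool` appears anywhere on this page, and the gnutls command-line tools are installed by `Package/gnutls-utils` in the gnutls Makefile shown further down, so check that `certtool` is a package name rather than the binary name.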
[OpenWrt-Devel] [PATCH 1/2] Added the cryptodev-linux kernel module.
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- utils/cryptodev-linux/Makefile | 74 ++ 1 file changed, 74 insertions(+) create mode 100644 utils/cryptodev-linux/Makefile diff --git a/utils/cryptodev-linux/Makefile b/utils/cryptodev-linux/Makefile new file mode 100644 index 000..f559c7e --- /dev/null +++ b/utils/cryptodev-linux/Makefile 
@@ -0,0 +1,74 @@ +# +# Copyright (C) 2014 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# +# $Id$ + +include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/kernel.mk + +PKG_NAME:=cryptodev-linux +PKG_VERSION:=1.6 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=http://download.gna.org/cryptodev-linux/ +PKG_MD5SUM:=eade38998313c25fd7934719cdf8a2ea + +PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) + +include $(INCLUDE_DIR)/package.mk + +CRYPTODEV_AUTOLOAD:= \ + cryptodev + +define KernelPackage/cryptodev + SUBMENU:=Cryptographic API modules + DEFAULT:=m if ALL + TITLE:=Driver for cryptographic acceleration + URL:=http://cryptodev-linux.org/ + VERSION:=$(LINUX_VERSION)+$(PKG_VERSION)-$(BOARD)-$(PKG_RELEASE) + DEPENDS:=+kmod-crypto-core +kmod-crypto-authenc +kmod-crypto-hash + FILES:= \ + $(PKG_BUILD_DIR)/cryptodev.$(LINUX_KMOD_SUFFIX) + AUTOLOAD:=$(call AutoLoad,50,$(CRYPTODEV_AUTOLOAD)) +endef + +define KernelPackage/cryptodev/description + This is a driver for that allows to use the Linux kernel supported + hardware ciphers by user-space applications. 
+endef + +CRYPTODEV_MAKEOPTS= -C $(PKG_BUILD_DIR) \ + PATH=$(TARGET_PATH) \ + ARCH=$(LINUX_KARCH) \ + CROSS_COMPILE=$(TARGET_CROSS) \ + TOOLPREFIX=$(KERNEL_CROSS) \ + TOOLPATH=$(KERNEL_CROSS) \ + KERNEL_DIR=$(LINUX_DIR) \ + LDOPTS= \ + DOMULTI=1 + +define Build/Compile/cryptodev + $(MAKE) $(CRYPTODEV_MAKEOPTS) +endef + +define Build/Compile + $(call Build/Compile/cryptodev) +endef + +define Build/InstallDev + $(INSTALL_DIR) $(STAGING_DIR)/usr/include/crypto + $(CP) $(PKG_BUILD_DIR)/crypto/cryptodev.h $(STAGING_DIR)/usr/include/crypto/ +endef + +define KernelPackage/cryptodev/install + $(INSTALL_DIR) $(1)/etc/modules.d + $(INSTALL_DATA) ./files/cryptodev.modules $(1)/etc/modules.d/80-cryptodev + $(INSTALL_DIR) $(1)/lib/modules/$(LINUX_VERSION) + $(INSTALL_DIR) $(1)/usr/sbin +endef + +$(eval $(call KernelPackage,cryptodev)) -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
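Review bot: in the utils/cryptodev-linux/Makefile hunk, `KernelPackage/cryptodev/install` copies `./files/cryptodev.modules` into `/etc/modules.d/80-cryptodev`, but the diffstat lists `1 file changed` (only the Makefile), so that file is not part of the patch and the install step will fail. `AUTOLOAD:=$(call AutoLoad,50,$(CRYPTODEV_AUTOLOAD))` already handles loading the module, so the extra modules.d entry looks redundant, and the empty `$(INSTALL_DIR) $(1)/usr/sbin` can go too. Minor: the description reads `a driver for that allows to use`; and since the module exposes the kernel crypto API to every process that can open `/dev/crypto`, a sentence on the device node permissions belongs in that description.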
[OpenWrt-Devel] [PATCH 2/2] GNUTLS_CRYPTODEV depends on kmod-cryptodev.
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gnutls/Config.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libs/gnutls/Config.in b/libs/gnutls/Config.in index d55743f..0160cf0 100644 --- a/libs/gnutls/Config.in +++ b/libs/gnutls/Config.in @@ -14,7 +14,7 @@ config GNUTLS_OCSP config GNUTLS_CRYPTODEV bool enable /dev/crypto support - depends on BROKEN + depends on PACKAGE_kmod-cryptodev config GNUTLS_HEARTBEAT bool enable DTLS heartbeat support -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
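Review bot: the libs/gnutls/Config.in hunk makes `GNUTLS_CRYPTODEV` depend on `PACKAGE_kmod-cryptodev`, which only gates the menu entry; nothing shown adds a runtime dependency from libgnutls to `kmod-cryptodev`, so an image can ship a /dev/crypto-enabled library without the module. The `+OCSERV_PAM:libpam` style used in the ocserv Makefile on this page suggests the matching fix: `+GNUTLS_CRYPTODEV:kmod-cryptodev` in the libgnutls `DEPENDS`.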
[OpenWrt-Devel] [PATCH 2/2] Added ocserv 0.3.5, an SSL VPN server.
This server is compatible with the openconnect client, and cisco's anyconnect clients. Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- net/ocserv/Config.in | 14 +++ net/ocserv/Makefile | 74 +++ net/ocserv/files/ocserv.conf | 293 +++ net/ocserv/files/ocserv.init | 61 + 4 files changed, 442 insertions(+) create mode 100644 net/ocserv/Config.in create mode 100644 net/ocserv/Makefile create mode 100644 net/ocserv/files/ocserv.conf create mode 100644 net/ocserv/files/ocserv.init diff --git a/net/ocserv/Config.in b/net/ocserv/Config.in new file mode 100644 index 000..e0d2983 --- /dev/null +++ b/net/ocserv/Config.in @@ -0,0 +1,14 @@ +# ocserv avanced configuration + +menu Configuration + depends on PACKAGE_ocserv + +config OCSERV_PAM + bool enable PAM + default n + +config OCSERV_DBUS + bool enable DBUS (needed for occtl) + default n + +endmenu diff --git a/net/ocserv/Makefile b/net/ocserv/Makefile new file mode 100644 index 000..4335121 --- /dev/null +++ b/net/ocserv/Makefile 
@@ -0,0 +1,74 @@ +# +# Copyright (C) 2007-2011 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=ocserv +PKG_VERSION:=0.3.5 +PKG_RELEASE:=1 + +PKG_BUILD_DIR :=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE_URL :=ftp://ftp.infradead.org/pub/ocserv/ +PKG_MD5SUM:=7ba8ebe4eba08b6e1c9dabbc78da16e5 + +PKG_LICENSE:=GPLv2 +PKG_LICENSE_FILES:=COPYING +PKG_FIXUP:=autoreconf + +include $(INCLUDE_DIR)/package.mk + +define Package/ocserv/config + source $(SOURCE)/Config.in +endef + +define Package/ocserv + SECTION:=net + CATEGORY:=Network + SUBMENU:=VPN + TITLE:=OpenConnect VPN server + URL:=http://www.infradead.org/ocserv/ + DEPENDS:= +libgnutls +OCSERV_PAM:libpam +OCSERV_DBUS:libdbus +OCSERV_DBUS:libreadline +endef + +define Package/ocserv/description + OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be + a secure, small, fast and configurable VPN server. It implements the + OpenConnect SSL VPN protocol, and has also (currently experimental) + compatibility with clients using the AnyConnect SSL VPN protocol. The + OpenConnect VPN protocol uses the standard IETF security protocols such + as TLS 1.2, and Datagram TLS to provide the secure VPN service. 
+endef + +CONFIGURE_ARGS+= \ + --enable-local-libopts + +ifneq ($(CONFIG_OCSERV_DBUS),y) +CONFIGURE_ARGS += --without-dbus +endif + +ifneq ($(CONFIG_OCSERV_PAM),y) +CONFIGURE_ARGS += --without-pam +endif + +define Package/ocserv/install + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocserv $(1)/usr/sbin/ + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/ocpasswd $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_BIN) ./files/ocserv.init $(1)/etc/init.d/ocserv + $(INSTALL_DIR) $(1)/etc/ocserv + $(INSTALL_CONF) ./files/ocserv.conf $(1)/etc/ocserv/ocserv.conf +ifeq ($(CONFIG_OCSERV_DBUS),y) + $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/occtl $(1)/usr/bin/ + $(INSTALL_DIR) $(1)/etc/dbus-1/system.d + $(INSTALL_CONF) $(PKG_BUILD_DIR)/doc/dbus/org.infradead.ocserv.conf $(1)/etc/dbus-1/system.d/ +endif +endef + +$(eval $(call BuildPackage,ocserv)) diff --git a/net/ocserv/files/ocserv.conf b/net/ocserv/files/ocserv.conf new file mode 100644 index 000..badf4b5 --- /dev/null +++ b/net/ocserv/files/ocserv.conf 
@@ -0,0 +1,293 @@ +# User authentication method. Could be set multiple times and in that case +# all should succeed. +# Options: certificate, pam. +#auth = certificate +#auth = pam + +# The plain option requires specifying a password file which contains +# entries of the following format. +# username:groupname:encoded-password +# One entry must be listed per line, and 'ocpasswd' can be used +# to generate password entries. +auth = plain[/etc/ocserv/ocpasswd] + +# A banner to be displayed on clients +banner = Welcome to OpenWRT + +# Use listen-host to limit to specific IPs or to the IPs of a provided +# hostname. +#listen-host = [IP|HOSTNAME] + +# Limit the number of clients. Unset or set to zero for unlimited. +#max-clients = 1024 +max-clients = 8 + +# Limit the number of client connections to one every X milliseconds +# (X is the provided value). Set to zero for no limit. +#rate-limit-ms = 100 + +# Limit the number of identical clients (i.e., users connecting +# multiple times). Unset or set to zero for unlimited. +max-same-clients = 2 + +# TCP and UDP port number +tcp-port = 4443 +udp-port = 4443 + +# Keepalive in seconds +keepalive = 32400 + +# Dead peer detection in seconds. +dpd = 120 + +# Dead peer detection for mobile clients. The needs to +# be much higher to prevent such clients being awaken too +# often by the DPD messages, and save
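Review bot: in the net/ocserv/files/ocserv.conf hunk the comment `# Options: certificate, pam.` does not list `plain`, which is the method actually enabled a few lines later (`auth = plain[/etc/ocserv/ocpasswd]`); add it so readers know the active default. `banner = Welcome to OpenWRT` should spell the project `OpenWrt`.

Review bot: in the net/ocserv/Makefile hunk, enabling `OCSERV_DBUS` installs `doc/dbus/org.infradead.ocserv.conf` into `/etc/dbus-1/system.d/`; that policy decides who may talk to the service behind `occtl`, and its contents are not in this patch, so please confirm it limits ownership of the bus name and message sending to root. Also the copyright header reads `2007-2011` for a file created in 2014, and `avanced` in the Config.in hunk should be `advanced`.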
[OpenWrt-Devel] [PATCH 1/2] Do not try to install gnutls-cli or server when OCSP is disabled.
These tools aren't compiled in that case. Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gnutls/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 997532b..9544ffb 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -190,10 +190,12 @@ endef define Package/gnutls-utils/install $(INSTALL_DIR) $(1)/usr/bin +ifeq ($(CONFIG_GNUTLS_OCSP),y) +ifeq ($(CONFIG_GNUTLS_ANON),y) $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/gnutls-{cli,serv} \ $(1)/usr/bin/ -ifeq ($(CONFIG_GNUTLS_OCSP),y) +endif $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/ocsptool \ $(1)/usr/bin/ -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
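Review bot: the libs/gnutls/Makefile hunk installs `gnutls-{cli,serv}` only when both `CONFIG_GNUTLS_OCSP` and `CONFIG_GNUTLS_ANON` are set, but the subject and the message mention only OCSP. If the tools really need anonymous authentication compiled in, say so in the message; if they only need it for the anon cipher suites, the outer OCSP `ifeq` hides them unnecessarily whenever OCSP is off while ANON is on.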
Re: [OpenWrt-Devel] [PATCH 1/3] Made several parts of gnutls configurable and updated to 3.2.14.
On Wed, 2014-05-07 at 18:23 -0700, Florian Fainelli wrote:
> 2014-05-07 14:56 GMT-07:00 Nikos Mavrogiannopoulos n...@gnutls.org:
>> Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org
>
> Applied in r40721, had to disable cryptodev since it was missing a bunch of definitions to build.

thanks! It requires cryptodev either from OCF or http://cryptodev-linux.org/. I plan to add the latter at some point, but packaging an out-of-tree kernel module doesn't look very easy.

regards,
Nikos
[OpenWrt-Devel] [PATCH 1/3] Made several parts of gnutls configurable and updated to 3.2.14.
--- libs/gnutls/Config.in | 33 +++ libs/gnutls/Makefile | 62 ++- 2 files changed, 89 insertions(+), 6 deletions(-) create mode 100644 libs/gnutls/Config.in diff --git a/libs/gnutls/Config.in b/libs/gnutls/Config.in new file mode 100644 index 000..550565d --- /dev/null +++ b/libs/gnutls/Config.in @@ -0,0 +1,33 @@ +# gnutls avanced configuration + +menu Configuration + depends on PACKAGE_libgnutls + +config GNUTLS_DTLS_SRTP + bool enable DTLS SRTP support + +config GNUTLS_ALPN + bool enable ALPN support + +config GNUTLS_OCSP + bool enable ocsp support + +config GNUTLS_CRYPTODEV + bool enable /dev/crypto support + +config GNUTLS_HEARTBEAT + bool enable DTLS heartbeat support + +config GNUTLS_OPENPGP + bool enable OPENPGP authentication support + +config GNUTLS_SRP + bool enable SRP authentication support + +config GNUTLS_PSK + bool enable PSK authentication support + +config GNUTLS_ANON + bool enable anonymous authentication support + +endmenu diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 349e492..c2a010a 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnutls -PKG_VERSION:=3.2.13 +PKG_VERSION:=3.2.14 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2 -PKG_MD5SUM:=300e5f413054e2f4719c1c3b5179a611 +PKG_MD5SUM:=807bbf14a5b6c81a9249fffab5c3982b PKG_MAINTAINER:=Nikos Mavrogiannopoulos n...@gnutls.org PKG_INSTALL:=1 @@ -21,6 +21,7 @@ PKG_LIBTOOL_PATHS:=. lib include $(INCLUDE_DIR)/package.mk + define Package/gnutls/Default SUBMENU:=SSL SECTION:=libs @@ -67,6 +68,9 @@ $(call Package/gnutls/Default/description) and srptool utilities. endef +define Package/libgnutls/config + source $(SOURCE)/Config.in +endef define Package/libgnutls $(call Package/gnutls/Default) 
@@ -94,7 +98,6 @@ endef CONFIGURE_ARGS+= \ --enable-shared \ --enable-static \ - --disable-openpgp-authentication \ --disable-libdane \ --disable-guile \ --disable-nls \ @@ -105,8 +108,43 @@ CONFIGURE_ARGS+= \ --disable-tests \ --disable-rsa-export \ --disable-crywrap \ - --without-p11-kit \ - --disable-hardware-acceleration + --without-p11-kit + +ifneq ($(CONFIG_GNUTLS_DTLS_SRTP),y) +CONFIGURE_ARGS += --disable-dtls-srtp-support +endif + +ifneq ($(CONFIG_GNUTLS_ALPN),y) +CONFIGURE_ARGS += --disable-alpn-support +endif + +ifneq ($(CONFIG_GNUTLS_HEARTBEAT),y) +CONFIGURE_ARGS += --disable-heartbeat-support +endif + +ifneq ($(CONFIG_GNUTLS_SRP),y) +CONFIGURE_ARGS += --disable-srp-authentication +endif + +ifneq ($(CONFIG_GNUTLS_PSK),y) +CONFIGURE_ARGS += --disable-psk-authentication +endif + +ifneq ($(CONFIG_GNUTLS_OPENPGP),y) +CONFIGURE_ARGS += --disable-openpgp-authentication +endif + +ifneq ($(CONFIG_GNUTLS_ANON),y) +CONFIGURE_ARGS += --disable-anon-authentication +endif + +ifneq ($(CONFIG_GNUTLS_OCSP),y) +CONFIGURE_ARGS += --disable-ocsp +endif + +ifeq ($(CONFIG_GNUTLS_CRYPTODEV),y) +CONFIGURE_ARGS += --enable-cryptodev +endif # XXX: AM_CFLAGS duplicates with CFLAGS MAKE_FLAGS:= \ @@ -150,10 +188,22 @@ define Package/gnutls-utils/install $(INSTALL_DIR) $(1)/usr/bin $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/gnutls-{cli,serv} \ - $(PKG_INSTALL_DIR)/usr/bin/psktool \ + $(1)/usr/bin/ +ifeq ($(CONFIG_GNUTLS_OCSP),y) + $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/ocsptool \ + $(1)/usr/bin/ +endif +ifeq ($(CONFIG_GNUTLS_SRP),y) + $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/srptool \ $(1)/usr/bin/ +endif +ifeq ($(CONFIG_GNUTLS_PSK),y) + $(CP) \ + $(PKG_INSTALL_DIR)/usr/bin/psktool \ + $(1)/usr/bin/ +endif endef -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
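Review bot: the gnutls-utils install hunk leaves the gnutls-{cli,serv} copy unguarded while ocsptool, srptool and psktool each get their own `ifeq ($(CONFIG_GNUTLS_...),y)` block; the follow-up patch on this page ("Do not try to install gnutls-cli or server when OCSP is disabled") shows those two binaries are not built unless OCSP and anonymous authentication are enabled, so the guard belongs in this hunk rather than in a separate fix. In the new Config.in, the header comment says "avanced" (advanced), `GNUTLS_OCSP` is the only prompt with a lower-case acronym ("enable ocsp support"), and no option carries a `help` block, so someone toggling `GNUTLS_HEARTBEAT` or `GNUTLS_OPENPGP` in menuconfig gets no description of the protocol feature, and extra code, they are enabling.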
[OpenWrt-Devel] [PATCH 3/3] Allow gnutls to be compiled using nettle-mini.
--- libs/gnutls/Makefile | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index c2a010a..997532b 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -75,7 +75,7 @@ endef define Package/libgnutls $(call Package/gnutls/Default) TITLE+= (library) - DEPENDS+= +libnettle + DEPENDS+= +libnettle +!LIBNETTLE_MINI:libgmp endef define Package/libgnutls/description @@ -110,6 +110,10 @@ CONFIGURE_ARGS+= \ --disable-crywrap \ --without-p11-kit +ifeq ($(CONFIG_LIBNETTLE_MINI),y) +CONFIGURE_ARGS += --with-nettle-mini +endif + ifneq ($(CONFIG_GNUTLS_DTLS_SRTP),y) CONFIGURE_ARGS += --disable-dtls-srtp-support endif -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
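Review bot: the message says nothing about what changes when `--with-nettle-mini` is passed; the DEPENDS hunk (`+libnettle +!LIBNETTLE_MINI:libgmp`) shows the libgmp dependency is dropped in that configuration, which is the trade-off a user selecting LIBNETTLE_MINI should be told about, ideally in the libgnutls description or the Config.in help. Note also that `ifeq ($(CONFIG_LIBNETTLE_MINI),y)` tests a symbol this patch does not define, so the series order matters: it has to land after the nettle package introduces LIBNETTLE_MINI, and the cover text should say so.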
[OpenWrt-Devel] [PATCH 1/3] Made several parts of gnutls configurable and updated to 3.2.14.
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gnutls/Config.in | 33 +++ libs/gnutls/Makefile | 62 ++- 2 files changed, 89 insertions(+), 6 deletions(-) create mode 100644 libs/gnutls/Config.in diff --git a/libs/gnutls/Config.in b/libs/gnutls/Config.in new file mode 100644 index 000..550565d --- /dev/null +++ b/libs/gnutls/Config.in @@ -0,0 +1,33 @@ +# gnutls avanced configuration + +menu Configuration + depends on PACKAGE_libgnutls + +config GNUTLS_DTLS_SRTP + bool enable DTLS SRTP support + +config GNUTLS_ALPN + bool enable ALPN support + +config GNUTLS_OCSP + bool enable ocsp support + +config GNUTLS_CRYPTODEV + bool enable /dev/crypto support + +config GNUTLS_HEARTBEAT + bool enable DTLS heartbeat support + +config GNUTLS_OPENPGP + bool enable OPENPGP authentication support + +config GNUTLS_SRP + bool enable SRP authentication support + +config GNUTLS_PSK + bool enable PSK authentication support + +config GNUTLS_ANON + bool enable anonymous authentication support + +endmenu diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 349e492..c2a010a 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnutls -PKG_VERSION:=3.2.13 +PKG_VERSION:=3.2.14 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2 -PKG_MD5SUM:=300e5f413054e2f4719c1c3b5179a611 +PKG_MD5SUM:=807bbf14a5b6c81a9249fffab5c3982b PKG_MAINTAINER:=Nikos Mavrogiannopoulos n...@gnutls.org PKG_INSTALL:=1 @@ -21,6 +21,7 @@ PKG_LIBTOOL_PATHS:=. lib include $(INCLUDE_DIR)/package.mk + define Package/gnutls/Default SUBMENU:=SSL SECTION:=libs @@ -67,6 +68,9 @@ $(call Package/gnutls/Default/description) and srptool utilities. endef +define Package/libgnutls/config + source $(SOURCE)/Config.in +endef define Package/libgnutls $(call Package/gnutls/Default) 
@@ -94,7 +98,6 @@ endef CONFIGURE_ARGS+= \ --enable-shared \ --enable-static \ - --disable-openpgp-authentication \ --disable-libdane \ --disable-guile \ --disable-nls \ @@ -105,8 +108,43 @@ CONFIGURE_ARGS+= \ --disable-tests \ --disable-rsa-export \ --disable-crywrap \ - --without-p11-kit \ - --disable-hardware-acceleration + --without-p11-kit + +ifneq ($(CONFIG_GNUTLS_DTLS_SRTP),y) +CONFIGURE_ARGS += --disable-dtls-srtp-support +endif + +ifneq ($(CONFIG_GNUTLS_ALPN),y) +CONFIGURE_ARGS += --disable-alpn-support +endif + +ifneq ($(CONFIG_GNUTLS_HEARTBEAT),y) +CONFIGURE_ARGS += --disable-heartbeat-support +endif + +ifneq ($(CONFIG_GNUTLS_SRP),y) +CONFIGURE_ARGS += --disable-srp-authentication +endif + +ifneq ($(CONFIG_GNUTLS_PSK),y) +CONFIGURE_ARGS += --disable-psk-authentication +endif + +ifneq ($(CONFIG_GNUTLS_OPENPGP),y) +CONFIGURE_ARGS += --disable-openpgp-authentication +endif + +ifneq ($(CONFIG_GNUTLS_ANON),y) +CONFIGURE_ARGS += --disable-anon-authentication +endif + +ifneq ($(CONFIG_GNUTLS_OCSP),y) +CONFIGURE_ARGS += --disable-ocsp +endif + +ifeq ($(CONFIG_GNUTLS_CRYPTODEV),y) +CONFIGURE_ARGS += --enable-cryptodev +endif # XXX: AM_CFLAGS duplicates with CFLAGS MAKE_FLAGS:= \ @@ -150,10 +188,22 @@ define Package/gnutls-utils/install $(INSTALL_DIR) $(1)/usr/bin $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/gnutls-{cli,serv} \ - $(PKG_INSTALL_DIR)/usr/bin/psktool \ + $(1)/usr/bin/ +ifeq ($(CONFIG_GNUTLS_OCSP),y) + $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/ocsptool \ + $(1)/usr/bin/ +endif +ifeq ($(CONFIG_GNUTLS_SRP),y) + $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/srptool \ $(1)/usr/bin/ +endif +ifeq ($(CONFIG_GNUTLS_PSK),y) + $(CP) \ + $(PKG_INSTALL_DIR)/usr/bin/psktool \ + $(1)/usr/bin/ +endif endef -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
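Review bot: the CONFIGURE_ARGS hunk silently drops `--disable-hardware-acceleration`, which the commit message ("Made several parts of gnutls configurable") does not mention, so CPU-specific crypto code paths are now built in unconditionally for every target; either justify that in the message or make it a Config.in option like the other toggles, since it is exactly the kind of target-dependent setting a distribution builder wants to control. The version bump keeps an MD5 sum as the only integrity check on a tarball fetched from `ftp://ftp.gnutls.org/...`, an unauthenticated transport, so a SHA-256 digest would be worth adding while `PKG_MD5SUM` is being rewritten anyway.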
[OpenWrt-Devel] [PATCH 3/3] Allow gnutls to be compiled using nettle-mini.
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gnutls/Makefile | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index c2a010a..997532b 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -75,7 +75,7 @@ endef define Package/libgnutls $(call Package/gnutls/Default) TITLE+= (library) - DEPENDS+= +libnettle + DEPENDS+= +libnettle +!LIBNETTLE_MINI:libgmp endef define Package/libgnutls/description @@ -110,6 +110,10 @@ CONFIGURE_ARGS+= \ --disable-crywrap \ --without-p11-kit +ifeq ($(CONFIG_LIBNETTLE_MINI),y) +CONFIGURE_ARGS += --with-nettle-mini +endif + ifneq ($(CONFIG_GNUTLS_DTLS_SRTP),y) CONFIGURE_ARGS += --disable-dtls-srtp-support endif -- 1.9.2 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
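Review bot: this hunk changes what the libgnutls binary contains (it can now be built against nettle-mini and without libgmp) but does not bump `PKG_RELEASE`, which patch 1/3 reset to 1 with the version change; a build-configuration change without a version change should bump it so a rebuilt package is distinguishable from the previous one in opkg. The `--with-nettle-mini` block sits before the feature toggles, which is fine, but a one-line comment above it pointing at the LIBNETTLE_MINI symbol it depends on would save the next reader a search.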
Re: [OpenWrt-Devel] [PATCH 1/3] Made several parts of gnutls configurable and updated to 3.2.14.
On Wed, 2014-05-07 at 14:44 -0700, Florian Fainelli wrote:
> Could you resubmit these patches with your Signed-off-by tag? They look good otherwise, thank you!

Thanks for checking them. Just resubmitted.

regards,
Nikos
Re: [OpenWrt-Devel] [PATCH 2/2] Added nettle library
On Sun, Mar 2, 2014 at 1:06 PM, Hauke Mehrtens ha...@hauke-m.de wrote:
> We will not add any new packages without a maintainer, because we already have too many outdated packages. You should also take over maintainership for that package you want to add and send patches if there are problems with that package.

Hello,
As I previously mentioned, I'd be willing to take over the maintainership of these packages. However, is there some process that needs to be followed for that? It has been quite some time since I submitted these patches (and updates) with no update.

regards,
Nikos
[OpenWrt-Devel] [PATCH 1/3] Added nettle library 2.7.1
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/nettle/Makefile | 72 1 file changed, 72 insertions(+) create mode 100644 libs/nettle/Makefile diff --git a/libs/nettle/Makefile b/libs/nettle/Makefile new file mode 100644 index 000..9835832 --- /dev/null +++ b/libs/nettle/Makefile 
@@ -0,0 +1,72 @@ +# +# Copyright (C) 2014 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=nettle +PKG_VERSION:=2.7.1 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=@GNU/nettle +PKG_MD5SUM:=003d5147911317931dd453520eb234a5 + +PKG_LICENSE:=LGPLv2 +PKG_LICENSE_FILES:=COPYING + +PKG_FIXUP:= +PKG_BUILD_PARALLEL:=1 + +include $(INCLUDE_DIR)/package.mk + +define Package/libnettle + SECTION:=libs + CATEGORY:=Libraries + TITLE:=GNU crypto library + URL:=http://www.lysator.liu.se/~nisse/nettle/ + DEPENDS+= +libgmp +endef + +TARGET_CFLAGS += $(FPIC) + +CONFIGURE_ARGS += \ + --enable-shared \ + --disable-openssl \ + --disable-documentation \ + --enable-static + +ifeq ($(CONFIG_CPU_SUBTYPE),neon) +CONFIGURE_ARGS += \ + --enable-arm-neon +endif + +define Build/Compile + +$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \ + DESTDIR=$(PKG_INSTALL_DIR) \ + all install +endef + +define Build/InstallDev + $(INSTALL_DIR) $(1)/usr/include/nettle + $(CP) $(PKG_INSTALL_DIR)/usr/include/nettle/*.h $(1)/usr/include/nettle/ + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnettle.{a,so*} $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libhogweed.{a,so*} $(1)/usr/lib/ + $(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig + $(CP) \ + $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/nettle.pc \ + $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/hogweed.pc \ + $(1)/usr/lib/pkgconfig/ +endef + +define Package/libnettle/install + $(INSTALL_DIR) $(1)/usr/lib + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libnettle.so.* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libhogweed.so.* $(1)/usr/lib/ +endef + +$(eval $(call BuildPackage,libnettle)) -- 1.8.5.3 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
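Review bot: `ifeq ($(CONFIG_CPU_SUBTYPE),neon)` only matches the exact string "neon", so a subtype that names neon together with a VFP variant falls through and the NEON code paths are left out; `ifneq ($(findstring neon,$(CONFIG_CPU_SUBTYPE)),)` covers both without enumerating boards. Smaller points: `PKG_FIXUP:=` is set to the empty string, which reads like an accident (drop the line if autoreconf is not wanted); `Build/InstallDev` creates `$(1)/usr/include` after headers have already been copied into `$(1)/usr/include/nettle`, so the two `$(INSTALL_DIR)` calls can be merged at the top of the rule; and the tarball is verified with MD5 only, so a stronger checksum would be welcome for a library that gnutls and dnsmasq's DNSSEC support are about to depend on.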
[OpenWrt-Devel] [PATCH 2/3] Added gnutls 3.2.12
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gnutls/Makefile | 70 +++ libs/gnutls/patches/001-no_doc_tests_po.patch | 65 - 2 files changed, 29 insertions(+), 106 deletions(-) delete mode 100644 libs/gnutls/patches/001-no_doc_tests_po.patch diff --git a/libs/gnutls/Makefile b/libs/gnutls/Makefile index 19a7635..1cacb70 100644 --- a/libs/gnutls/Makefile +++ b/libs/gnutls/Makefile @@ -8,17 +8,16 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gnutls -PKG_VERSION:=2.8.6 -PKG_RELEASE:=2 +PKG_VERSION:=3.2.12 +PKG_RELEASE:=1 -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 -PKG_SOURCE_URL:=@GNU/gnutls \ - ftp://ftp.mirrors.wiretapped.net/pub/security/network-security/gnutls/ -PKG_MD5SUM:=eb0a6d7d3cb9ac684d971c14f9f6d3ba +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz +PKG_SOURCE_URL:=ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/ +PKG_MD5SUM:=f507365940de8f095e1d867c6f0842f6 -PKG_FIXUP:=autoreconf +PKG_FIXUP:=#autoreconf PKG_INSTALL:=1 -PKG_LIBTOOL_PATHS:=. lib libextra +PKG_LIBTOOL_PATHS:=. lib include $(INCLUDE_DIR)/package.mk @@ -27,13 +26,16 @@ define Package/gnutls/Default SECTION:=libs CATEGORY:=Libraries TITLE:=GNU TLS - URL:=http://www.gnu.org/software/gnutls/ + URL:=http://www.gnutls.org/ endef define Package/gnutls/Default/description - GnuTLS is a project that aims to develop a library which provides a - secure layer, over a reliable transport layer. Currently the GnuTLS - library implements the SSL 3.0, TLS 1.0, and TLS 1.1 protocols. + GnuTLS is a secure communications library implementing the SSL, TLS + and DTLS protocols and technologies around them. It provides a simple + C language application programming interface (API) to access the secure + communications protocols as well as APIs to parse and write X.509, PKCS12, + OpenPGP and other required structures. It is aimed to be portable and + efficient with focus on security and interoperability. endef 
@@ -42,7 +44,7 @@ $(call Package/gnutls/Default) SECTION:=utils CATEGORY:=Utilities TITLE+= (certool utility) - DEPENDS+= +libgnutls +libgnutls-extra +libncurses +libreadline + DEPENDS+= +libgnutls endef define Package/certtool/description @@ -56,7 +58,7 @@ $(call Package/gnutls/Default) SECTION:=utils CATEGORY:=Utilities TITLE+= (utilities) - DEPENDS+= +libgnutls +libgnutls-extra + DEPENDS+= +libgnutls endef define Package/gnutls-utils/description @@ -69,7 +71,7 @@ endef define Package/libgnutls $(call Package/gnutls/Default) TITLE+= (library) - DEPENDS+= +zlib +libgcrypt +libgpg-error + DEPENDS+= +libnettle endef define Package/libgnutls/description @@ -78,18 +80,6 @@ $(call Package/gnutls/Default/description) endef -define Package/libgnutls-extra -$(call Package/gnutls/Default) - TITLE+= (extra library) - DEPENDS+= +libgnutls -endef - -define Package/libgnutls-extra/description -$(call Package/gnutls/Default/description) - This package contains the GnuTLS extra shared library. -endef - - define Package/libgnutls-openssl $(call Package/gnutls/Default) TITLE+= (OpenSSL compat library) @@ -105,13 +95,17 @@ CONFIGURE_ARGS+= \ --enable-shared \ --enable-static \ --disable-openpgp-authentication \ + --disable-libdane \ --disable-guile \ - --with-included-libcfg \ + --disable-nls \ + --without-zlib \ --with-included-libtasn1 \ - --with-libgcrypt-prefix=$(STAGING_DIR)/usr \ - --with-libreadline-prefix=$(STAGING_DIR)/usr \ - --with-libz-prefix=$(STAGING_DIR)/usr \ - --without-lzo \ + --enable-local-libopts \ + --disable-doc \ + --disable-tests \ + --disable-rsa-export \ + --disable-crywrap \ + --without-p11-kit \ # XXX: AM_CFLAGS duplicates with CFLAGS MAKE_FLAGS:= \ 
@@ -132,10 +126,10 @@ define Build/InstallDev $(PKG_INSTALL_DIR)/usr/include/gnutls \ $(1)/usr/include/ $(CP) \ - $(PKG_INSTALL_DIR)/usr/lib/libgnutls{,-extra,-openssl}.{a,so*} \ + $(PKG_INSTALL_DIR)/usr/lib/libgnutls{,-openssl}.{a,so*} \ $(1)/usr/lib/ $(CP) \ - $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/gnutls{,-extra}.pc \ + $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/gnutls.pc \ $(1)/usr/lib/pkgconfig/ endef @@ -156,6 +150,7 @@ define Package/gnutls-utils/install $(CP) \ $(PKG_INSTALL_DIR)/usr/bin/gnutls-{cli,serv} \ $(PKG_INSTALL_DIR)/usr/bin/psktool \ + $(PKG_INSTALL_DIR)/usr/bin/ocsptool \ $(PKG_INSTALL_DIR)/usr/bin/srptool \ $(1)/usr/bin/ endef @@ -167,12 +162,6 @@ define Package/libgnutls/install endef -define Package/libgnutls-extra/install - $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libgnutls-extra.so.* $(1)/usr/lib/ -endef - - define Package
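Review bot: `PKG_FIXUP:=#autoreconf` only works because make treats `#` as the start of a comment, leaving the variable empty; write `PKG_FIXUP:=` or delete the line instead of something that looks like a typo. In the CONFIGURE_ARGS hunk the list now ends in `--without-p11-kit \`, a dangling continuation that swallows the following line; drop the trailing backslash. The hardening choices in that hunk (`--disable-rsa-export` drops export-grade RSA, `--without-zlib` removes TLS compression) are the right defaults for a TLS library on a router but are not mentioned in the message, and the move from the @GNU mirror list to a single ftp://ftp.gnutls.org URL with an MD5 sum as the only integrity check deserves a stronger digest, since the fetch itself is unauthenticated.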
[OpenWrt-Devel] [PATCH 3/3] Updated openconnect to 5.03
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/openconnect/Makefile | 49 libs/openconnect/files/openconnect.sh | 56 + libs/openconnect/files/vpnc-script| 156 ++ net/openconnect/Config.in | 18 +++ net/openconnect/Makefile | 17 ++- net/openconnect/files/openconnect.sh | 4 +- net/openconnect/patches/100-passwd_file.patch | 100 - 7 files changed, 294 insertions(+), 106 deletions(-) create mode 100644 libs/openconnect/Makefile create mode 100755 libs/openconnect/files/openconnect.sh create mode 100755 libs/openconnect/files/vpnc-script create mode 100644 net/openconnect/Config.in delete mode 100644 net/openconnect/patches/100-passwd_file.patch diff --git a/libs/openconnect/Makefile b/libs/openconnect/Makefile new file mode 100644 index 000..3ab09f1 --- /dev/null +++ b/libs/openconnect/Makefile 
@@ -0,0 +1,49 @@ +# +# Copyright (C) 2006 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# + +include $(TOPDIR)/rules.mk + +PKG_NAME:=openconnect +PKG_VERSION:=5.03 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=ftp://ftp.infradead.org/pub/openconnect/ +PKG_MD5SUM:=ff43ed1dbaccd2537fd7c5bfb04295a6 + +include $(INCLUDE_DIR)/package.mk + +define Package/openconnect + SECTION:=net + CATEGORY:=Network + DEPENDS:=+libxml2 +gnutls +kmod-tun +resolveip + TITLE:=VPN client for Cisco's AnyConnect SSL VPN + URL:=http://www.infradead.org/openconnect/ + SUBMENU:=VPN +endef + +define Package/openconnect/description + A VPN client compatible with Cisco's AnyConnect SSL VPN and ocserv. + +OpenConnect is a client for Cisco's AnyConnect SSL VPN, which is +supported by IOS 12.4(9)T or later on Cisco SR500, 870, 880, 1800, 2800, +3800, 7200 Series and Cisco 7301 Routers. +endef + +CONFIGURE_ARGS += \ + --disable-shared \ + --with-vpnc-script=/lib/netifd/vpnc-script + +define Package/openconnect/install + $(INSTALL_DIR) $(1)/lib/netifd/proto + $(INSTALL_BIN) ./files/openconnect.sh $(1)/lib/netifd/proto/ + $(INSTALL_BIN) ./files/vpnc-script $(1)/lib/netifd/ + $(INSTALL_DIR) $(1)/usr/sbin + $(INSTALL_BIN) $(PKG_BUILD_DIR)/openconnect $(1)/usr/sbin/ +endef + +$(eval $(call BuildPackage,openconnect)) diff --git a/libs/openconnect/files/openconnect.sh b/libs/openconnect/files/openconnect.sh new file mode 100755 index 000..2610194 --- /dev/null +++ b/libs/openconnect/files/openconnect.sh 
@@ -0,0 +1,56 @@ +#!/bin/sh +. /lib/functions.sh +. ../netifd-proto.sh +init_proto $@ + +proto_openconnect_init_config() { + proto_config_add_string server + proto_config_add_int port + proto_config_add_string username + proto_config_add_string cookie + proto_config_add_string password + no_device=1 + available=1 +} + +proto_openconnect_setup() { + local config=$1 + + json_get_vars server port username cookie password + + grep -q tun /proc/modules || insmod tun + + serv_addr= + for ip in $(resolveip -t 5 $server); do + proto_add_host_dependency $config $server + serv_addr=1 + done + [ -n $serv_addr ] || { + echo Could not resolve server address + sleep 5 + proto_setup_failed $config + exit 1 + } + + [ -n $port ] port=:$port + + cmdline=$server$port -i vpn-$config --no-cert-check --non-inter --syslog --script /lib/netifd/vpnc-script + + [ -n $cookie ] append cmdline -C $cookie + [ -n $username ] append cmdline -u $username + [ -n $password ] { + umask 077 + pwfile=/var/run/openconnect-$config.passwd + echo $password $pwfile + append cmdline --passwd-on-stdin + } + + proto_export INTERFACE=$config + proto_run_command $config /usr/sbin/openconnect $cmdline $pwfile +} + +proto_openconnect_teardown() { + proto_kill_command $config +} + +add_protocol openconnect diff --git a/libs/openconnect/files/vpnc-script b/libs/openconnect/files/vpnc-script new file mode 100755 index 000..4d12d7e --- /dev/null +++ b/libs/openconnect/files/vpnc-script @@ -0,0 +1,156 @@ +#!/bin/sh +# List of parameters passed through environment +#* reason -- why this script was called, one of: pre-init connect disconnect +#* VPNGATEWAY -- vpn gateway address (always present) +#* TUNDEV -- tunnel device (always present) +#* INTERNAL_IP4_ADDRESS -- address (always present) +#* INTERNAL_IP4_MTU -- mtu (often unset) +#* INTERNAL_IP4_NETMASK -- netmask (often unset) +#* INTERNAL_IP4_NETMASKLEN -- netmask length (often unset
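Review bot: the command line built in `proto_openconnect_setup` hard-codes `--no-cert-check`, so the client accepts whatever certificate the gateway presents and an active attacker on the path, the very adversary the tunnel is meant to defeat, can terminate the VPN; verification should be on by default, with the expected certificate supplied through a new `proto_config_add_string` option (openconnect's `--servercert` fingerprint is the usual way) and the opt-out, if kept at all, an explicit config flag. Further points in openconnect.sh: the `for ip in $(resolveip -t 5 $server)` loop never uses `$ip` and calls `proto_add_host_dependency $config $server` with the hostname, so each resolved address should be passed instead; the password file written under /var/run is never removed in `proto_openconnect_teardown`, which also references `$config` without a `local config=$1`; and the new Makefile's `DEPENDS:=... +gnutls ...` names a package that the gnutls Makefile on this page does not define (the library package is `libgnutls`). Finally, the diffstat both creates `libs/openconnect/Makefile` and edits `net/openconnect/Makefile`, leaving two package definitions for the same name; one of them should go.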
[OpenWrt-Devel] [PATCH 1/2] Updated gmp to 5.1.3
Signed-off-by: Nikos Mavrogiannopoulos n...@gnutls.org --- libs/gmp/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/libs/gmp/Makefile b/libs/gmp/Makefile index 0a07990..4f6e167 100644 --- a/libs/gmp/Makefile +++ b/libs/gmp/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gmp -PKG_VERSION:=5.1.0 +PKG_VERSION:=5.1.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=ftp://ftp.gmplib.org/pub/$(PKG_NAME)-$(PKG_VERSION)/ -PKG_MD5SUM:=362cf515aff8dc240958ce47418e4c78 +PKG_MD5SUM:=a082867cbca5e898371a97bb27b31fea PKG_BUILD_PARALLEL:=1 PKG_INSTALL:=1 -- 1.8.5.3 ___ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
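Review bot: the message gives no reason for the bump, and a version change on a library that nettle (and gnutls through it) depends on deserves one line on whether 5.1.3 is a bug-fix release or changes the ABI. The source is still fetched over ftp:// with an MD5 sum as the only integrity check; MD5 collisions are practical, so adding a SHA-256 digest while the checksum line is being rewritten costs nothing.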
Re: [OpenWrt-Devel] [PATCH 2/2] Added nettle library
On 02/28/2014 09:27 PM, Nikos Mavrogiannopoulos wrote:
> This library is needed for DNSSEC support in dnsmasq, and to update gnutls to a more recent version.
[...]
> +ifeq ($(CPU_SUBTYPE),neon)
> +CONFIGURE_ARGS += \
> +	--enable-arm-neon
> +endif

It seems my neon detection is wrong here as there is no cpu subtype as I can see in non-kernel compilation. Is there a better detection of the neon instruction set other than adding each board separately?

regards,
Nikos
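Review bot: the quoted check tests `$(CPU_SUBTYPE)`, but package Makefiles see .config symbols with a `CONFIG_` prefix, as every other test on this page does (`CONFIG_GNUTLS_OCSP`, `CONFIG_LIBNETTLE_MINI`, and `CONFIG_CPU_SUBTYPE` in the 2.7.1 submission), so the bare name is always empty and NEON is never enabled. Even with the prefix, `ifeq (...,neon)` demands an exact match; `ifneq ($(findstring neon,$(CONFIG_CPU_SUBTYPE)),)` also catches subtype names that combine neon with a VFP variant, which answers the question about not listing boards one by one.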
Re: [OpenWrt-Devel] Tracking memory leak in kernel space
On 11/03/2010 09:49 AM, Roberto Riggio wrote:
> Hi, how would you track a memory leak in a kernel module? Is there something equivalent to valgrind for kernel debugging?
[...]

A not very efficient way might be /proc/slabinfo. There you can find the allocation size of the leak and this might be helpful to pin-out the buffer in question.

regards,
Nikos
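The /proc/slabinfo approach from the reply above, as an added example that is not part of the thread: a POSIX shell function that diffs two slabinfo snapshots and reports the caches whose active object count grew, which is how a leaking module's allocation size shows up. The snapshots embedded below are constructed, and `slab_growth` and `demo_growth` are names chosen here; on a real OpenWrt box you would replace the sample text with two captures of /proc/slabinfo taken before and after driving the suspect module.

```shell
#!/bin/sh
# Added example, not from the thread: a two-snapshot /proc/slabinfo diff.
# A module that leaks drains one slab cache; comparing active_objs before
# and after exercising it shows which cache (and so which object size)
# keeps growing.
#
# Real use on a router:
#   cat /proc/slabinfo > /tmp/slab.before
#   ... drive the suspect module for a while ...
#   cat /proc/slabinfo > /tmp/slab.after
#   slab_growth /tmp/slab.before /tmp/slab.after 100
#
# Columns are those of the slabinfo 2.x format:
#   name active_objs num_objs objsize objperslab pagesperslab : tunables ...

# slab_growth BEFORE AFTER [MIN_GROWTH]
# Prints "name active_before active_after objsize" for every cache whose
# active object count grew by at least MIN_GROWTH (default 1).
slab_growth() {
    awk -v min="${3:-1}" '
        /^slabinfo/ || /^#/ { next }              # version banner and column header
        FNR == NR { before[$1] = $2; next }       # first file: remember active_objs
        {
            b = ($1 in before) ? before[$1] : 0   # cache absent before counts as 0
            if ($2 - b >= min)
                printf "%s %d %d %d\n", $1, b, $2, $4
        }
    ' "$1" "$2"
}

# Constructed sample snapshots (assumed numbers, not a real capture):
# kmalloc-64 grows by 3200 objects, kmalloc-256 by one, skbuff_head_cache shrinks.
SLAB_BEFORE='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-256          120        128     256   16    1 : tunables    0    0    0 : slabdata      8      8      0
kmalloc-64           900        960      64   64    1 : tunables    0    0    0 : slabdata     15     15      0
skbuff_head_cache     40         48     192   21    1 : tunables    0    0    0 : slabdata      2      2      0'

SLAB_AFTER='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-256          121        128     256   16    1 : tunables    0    0    0 : slabdata      8      8      0
kmalloc-64          4100       4160      64   64    1 : tunables    0    0    0 : slabdata     65     65      0
skbuff_head_cache     38         48     192   21    1 : tunables    0    0    0 : slabdata      2      2      0'

# demo_growth [MIN_GROWTH]: write the samples to temp files and run slab_growth.
demo_growth() {
    b=$(mktemp) && a=$(mktemp) || return 1
    printf '%s\n' "$SLAB_BEFORE" > "$b"
    printf '%s\n' "$SLAB_AFTER" > "$a"
    slab_growth "$b" "$a" "${1:-1}"
    rm -f "$b" "$a"
}

# Stand-alone run: with a threshold of 100 only the suspicious cache is reported.
demo_growth 100
```

The threshold matters: with the default of 1 every cache that moved at all is listed, so in practice you raise it until only the cache that tracks your workload remains, then match its objsize against the kmalloc sizes or named caches your module uses.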
Re: [OpenWrt-Devel] Solos 4610 (conexant) adsl router, anyone?
On Fri, Jul 30, 2010 at 9:45 PM, Stefan Monnier monn...@iro.umontreal.ca wrote:
> > > I inherited from a DSL modem+router whose firmware describes as a Solos 4610 RD / Solos 461x CSP v1.0, and telnet shows me a big `conexant' banner.
> > Just going from the hardware, this seems to be a Connexant CX96410 based device. There is no OpenWRT port, but there are linux sources for a Linksys device using the same SoC (WAG54G2 v1.0, [1], [2]). Also the Netgear DG834G v5[3] uses it, and there seem to be sources available on the netgear ftp [4].
> Great, thanks. So there's hope, but there's also a lot of work left to do,

You'll have a hard time with it. I remember trying to boot something else than the thing produced by the conexant bsp, and failed. The boot loader has a netboot command that allows you to load an initrd image. If you try to write a kernel to it I'd suggest to check the kernel of the provider of the device and the sys_reboot() system call that does the firmware write (in the kernels given by conexant, I dropped that code for the product I was working on). The boot loader can load kernels in some a.out format (the vmlinuz kernel was converted by the conexant bsp using some elf2aout utility). Even if you manage to load an alternative kernel, I don't think you can use any of the hw drivers without the kernel supplied by conexant (the one I worked on was at http://broadband.gennetsa.com/gpl/).

regards,
Nikos
[OpenWrt-Devel] usage of OCF
Hello,
I've noticed that to export the crypto accelerators to userspace (i.e. openssl/gnutls) you use the OCF kernel subsystem. I'd like to ask what are the reasons for this decision. Is it because the supported accelerators in the linux kernel are less than those in OCF? Do they provide better or more recent drivers?

The reason I ask is because I'm working on a module (http://home.gna.org/cryptodev-linux/), that exports the linux kernel supported crypto engines at userspace using the /dev/crypto interface. I think it might be of interest to owners of boards with crypto accelerators, since if the engines supported in recent kernels are sufficient, using OCF shouldn't be required to have /dev/crypto.

regards,
Nikos