detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential
Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken
---
Runtime-tested on mpc85xx. Connecting to uhttpd with HTTPS works, uclient-fetch
with HTTPS works, openvpn-mbedtls works.
package
5.6)
Signed-off-by: Magnus Kroken
---
Compile-tested openssl/mbedtls/nossl variants for mpc85xx. Runtime-tested on
mpc85xx with mbedTLS 2.5.1, OpenVPN-Connect Android client connects
successfully.
package/network/services/openvpn/Makefile | 4 ++--
.../openvpn/patches/001
5.6)
Signed-off-by: Magnus Kroken
---
v2: Correct PKG_HASH and add another mirror. OpenVPN had various issues with
their
CDN caching wrong files, these are the correct values according to
http://community.openvpn.net/openvpn/wiki/release-packages-2.4.3-2.3.17. See
mailing list
for more
Hi Philip
On 25.07.2017 18:29, Philip Prindeville wrote:
I’m guessing I’d need a sed script with a loop to gather all of the ‘server’
lines and replace them with one.
Or am I missing something obvious?
I think you are. Look at Dnsmasq and OpenVPN for two examples of UCI
config integration.
Refresh patches, delete patches backported from upstream.
Signed-off-by: Magnus Kroken
---
Some BusyBox config symbols have been renamed and/or moved
from being global to applet-specific. I have attempted to retain
the same behavior as previous config defaults would.
Compile and run-time tested
Hi Baptiste, thanks for looking over it
On 29.07.2017 22:48, Baptiste Jonglez wrote:
Thanks for the update! You can drop 120-remove_uclibc_rpc_check.patch
altogether, since the check has been changed from an error to a warning.
I'll consider that for a v2. My thought was that since we previou
Refresh patches, delete patches backported from upstream.
Delete 120-remove_uclibc_rpc_check.patch, as upstream now only prints
a warning instead of erroring out.
Signed-off-by: Magnus Kroken
---
v2: Delete 120-remove_uclibc_rpc_check.patch as well,
as suggested by Baptiste Jonglez. Also
Hi
On 04.08.2017 18:37, Hauke Mehrtens wrote:
I agree to put this into LEDE 17.01 and the master branch for now.
It should be merged to LEDE 17.01 to maintain feature compatibility. I
disagree that it should be merged to master, as this is a feature we
(should) want to break in the long run.
Hi Karl
On 17.08.2017 15:13, Karl Palsson wrote:
It certainly _looks_ better, but isn't actually syncing...
Sincerely,
Karl Palsson
# /usr/sbin/ntpd -d -n -N -l -S /usr/sbin/ntpd-hotplug -p 0.lede.pool.ntp.org
-p working.good.org
ntpd: bad address '0.lede.pool.ntp.org'
ntpd: sending query t
On 21.08.2017 16:34, Karl Palsson wrote:
on master, even with the ntpd patch for busybox applied.
# ntpdate -q localhost
server ::1, stratum 0, offset 0.00, delay 0.0
server 127.0.0.1, stratum 0, offset 0.00, delay 0.0 21
Aug 14:26:24 ntpdate[1392]: no server suitable for
synchron
On 01.09.2017 20:04, Kevin Darbyshire-Bryant wrote:
compile & run tested: ar71xx - archer C7 v2
Tested-by: Magnus Kroken
Runtime-tested on powerpc/mpc85xx.
Tests run:
Connect to uhttpd with TLS - successful
Download HTTPS URL with uclient-fetch - successful
Connect to openvpn-mbe
Fixes CVE-2017-12166: out of bounds write in key-method 1.
Remove the mirror that was temporarily added during the
2.4.3 release.
Signed-off-by: Magnus Kroken
---
Compile-tested all variants on powerpc, runtime-tested mbedTLS variant as
server.
package/network/services/openvpn/Makefile
Various fixes including CVE-2017-7518, CVE-2017-0786
and CVE-2017-1000255.
Patches refreshed.
Signed-off-by: Magnus Kroken
---
Runtime tested on mpc85xx and x86_64.
include/kernel-version.mk | 4 ++--
...d-firmware-loader-for-uPD720201-and-uPD72.patch | 6
On 14.02.2018 22.13, Michelle Sullivan wrote:
FWIW, I had misunderstood the intent of the original comments... OpenSSH
server vs Dropbear - if someone is using OpenSSH server they already
went in with advanced config as Dropbear is the default - I'd err on the
side of security as they should alre
On 15.02.2018 16.52, Philip Prindeville wrote:
Well, right! That was my first approach with a “config" option to do exactly
that, but it was shot down:
https://github.com/openwrt/packages/pull/5520
I even defaulted the option to continue to allow passwords so that only people
who (a) selecte
On 16.02.2018 11.33, Koen Vandeputte wrote:
On 2018-02-16 11:28, Mauro Mozzarelli wrote:
I am not sure if you are already aware, master fails to build after
today's git pull:
Hi all
This is related to the mbed TLS update, 2.7 adds digest functions with
return types (instead of void return),
Signed-off-by: Magnus Kroken
---
Runtime tested on powerpc/mpc85xx, with mbed TLS.
package/network/services/openvpn/Makefile | 6 +++---
...100-mbedtls-disable-runtime-version-check.patch | 2 +-
.../210-build_always_use_internal_lz4.patch| 24
Signed-off-by: Magnus Kroken
---
Runtime tested on powerpc/mpc85xx.
include/kernel-version.mk | 4 +--
.../patches-4.9/432-spi-rb4xx-spi-driver.patch | 2 +-
.../patches-4.9/433-spi-rb4xx-cpld-driver.patch| 2 +-
.../patches-4.9/435-spi-vsc7385_driver.patch
Changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.13
Signed-off-by: Magnus Kroken
---
No patches need refreshing. Compile-tested on mips/ar71xx.
package/network/services/openvpn/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a
push arguments.
This fixes FS#290 by way of documentation, but existing configurations
will need editing to work with OpenVPN 2.4.
Signed-off-by: Magnus Kroken
---
package/network/services/openvpn/files/openvpn.config | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a
https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.
Signed-off-by: Magnus Kroken
---
I'd like feedback on these issues:
* Package renaming
OpenVPN 2.4 uses mbedTLS 2.x, so I have renamed the openvpn-polarssl
package to openvpn-mbedtls. Thoughts? Are ther
explanation in that patch). I also hope some will test it to discover
any issues with either OpenVPN 2.4 itself or the LEDE package, I'm
running the mbedTLS variant right now without issues, but have only
build-tested OpenSSL/nossl variants.
Magnus Kroken (3):
mbedtls: enable MBEDTLS_DHM_C
This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x.
DHM_C is also already enabled in the PolarSSL 1.3.x config.h.
Signed-off-by: Magnus Kroken
---
package/libs/mbedtls/Makefile | 2 +-
package/libs/mbedtls/patches/200-config.patch | 9 -
2 files changed
Hi P
On 09.12.2016 23.34, p.wa...@gmx.at wrote:
What about doing the 'correct' quotation in the init script?
I.e. removing the 'push' option from the append_params list
and instead do the workaround for quotation there.
Thanks for making me rethink this. I thought about it when I worked on
t
to start with unquoted push parameters.
Fixes: FS#290.
Signed-off-by: Magnus Kroken
---
v2: Fix by changing openvpn.init rather than requiring users
to edit their openvpn config.
package/network/services/openvpn/files/openvpn.init | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff
https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.
Signed-off-by: Magnus Kroken
---
v2: Rename 100-polarssl-disable-runtime-version-check.patch,
fix indentation in 101-fix_mbedtls_net_sockets_include.patch.
package/network/services/openvpn/Config-mbedtls.in | 70
On 10.12.2016 12.36, Felix Fietkau wrote:
If you have some time, please take a look at the other mbedtls/openvpn
changes that I made:
https://git.lede-project.org/?p=lede/nbd/staging.git;a=summary
Thanks, these changes look good to me. With your tweaks I did a new test
regarding internal/exter
From: Felix Fietkau
Signed-off-by: Felix Fietkau
Signed-off-by: Magnus Kroken
---
Felix added this to his staging tree along with my 2.4_rc1 patch,
it needed updates after rc2 due to a style reformatting of the OpenVPN
codebase. Not sure if I got the rebasing right, let me know of any problems
https://github.com/OpenVPN/openvpn/blob/master/Changes.rst
for additional change notes.
Signed-off-by: Magnus Kroken
---
package/network/services/openvpn/Config-mbedtls.in | 70 ++
package/network/services/openvpn/Config-nossl.in | 4 ++
package/network/services/openvpn/Config
From: Felix Fietkau
Signed-off-by: Felix Fietkau
Signed-off-by: Magnus Kroken
---
v2: Fix whitespace issues, sorry for the noise.
.../services/openvpn/patches/220-disable_des.patch | 81 ++
1 file changed, 81 insertions(+)
create mode 100644
package/network/services
Hi Martin
On 25.12.2016 14.23, Martin Blumenstingl wrote:
I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
while
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
can you tell if I ran into some corner case (the affected server was
using Ope
Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to
make OpenVPN-mbedtls clients able to perform ECDHE key exchange
with remote OpenVPN 2.4-openssl servers that use the default
OpenVPN curve.
Signed-off-by: Magnus Kroken
---
package/libs/mbedtls/patches/200-config.patch | 3 +--
1
: Magnus Kroken
Reported-by: Martin Blumenstingl
Reported-by: Lucian Cristian
---
package/libs/mbedtls/patches/200-config.patch | 9 -
1 file changed, 9 deletions(-)
diff --git a/package/libs/mbedtls/patches/200-config.patch
b/package/libs/mbedtls/patches/200-config.patch
index bb74e61
Signed-off-by: Magnus Kroken
---
Runtime tested on x86, rc2 and 2.4.0 are minimal.
package/network/services/openvpn/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/network/services/openvpn/Makefile
b/package/network/services/openvpn/Makefile
index
Hi Lucian, Martin
On 25.12.2016 14.23, Martin Blumenstingl wrote:
I guess this worked on LEDE with PolarSSL with OpenVPN 2.3:
#define POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED
while
//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
can you tell if I ran into some corner case (the affected server was
Hi Mauro
On 01.01.2017 16.10, Mauro M. wrote:
Collected errors:
* check_data_file_clashes: Package libustream-polarssl wants to install
file
/net2/router/lede/trunk-ipvs/build_dir/target-mips_24kc_musl-1.1.15/root-ar71xx/lib/libustream-ssl.so
But that file is already provided by package *
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files
Signed-off-by: Magnus Kroken
---
Zlib authors recommend immediately upgrading from 1.2.9 due to these bugs.
package/libs/zlib/Makefile | 4 ++--
1 file changed, 2 insertions(+), 2
Signed-off-by: Magnus Kroken
---
.../utils/busybox/patches/220-add_lock_util.patch | 54 ++
1 file changed, 15 insertions(+), 39 deletions(-)
diff --git a/package/utils/busybox/patches/220-add_lock_util.patch
b/package/utils/busybox/patches/220-add_lock_util.patch
index
The "new style" busybox applet approach moves all config
and build definitions related to an applet to its .c file.
Signed-off-by: Magnus Kroken
---
.../busybox/patches/210-add_netmsg_util.patch | 54 ++
1 file changed, 15 insertions(+), 39 deletions(-)
di
Hi Oswald
On 07.01.2017 19.04, Oswald Buddenhagen wrote:
the idea would be to simply dump the list of user-installed packages into
a config file which is preserved by sysupgrade. now, firstboot would see
that file and start opgk with it - that's usually going to just work, as
the network configu
-by: Magnus Kroken
---
The referenced commit message says:
The new output format will look like "r2400+2-882472e" for dirty trees or like
"r2402-882472e" for clean ones.
Since the example hashes are the same, I take this to mean that this was the
intended behavior.
Inte
The "new style" busybox applet approach moves all config and build
definitions related to an applet to its .c file. This makes the
patches easier to maintain, as they only add new files to the busybox
build directory, without modifying BusyBox files.
Signed-off-by: Magnus Kroken
---
Updates to openvpn.init were included in early OpenVPN 2.4 patch
series, but got lost along the way and were never merged.
Signed-off-by: Magnus Kroken
---
.../network/services/openvpn/files/openvpn.init| 43 ++
1 file changed, 19 insertions(+), 24 deletions(-)
diff
Hi
On 16.01.2017 22.56, Magnus Kroken wrote:
Updates to openvpn.init were included in early OpenVPN 2.4 patch
series, but got lost along the way and were never merged.
Signed-off-by: Magnus Kroken
---
.../network/services/openvpn/files/openvpn.init| 43 ++
1 file
On 07.02.2017 16.40, Bastian Bittorf wrote:
* Etienne Champetier [07.02.2017 16:27]:
not a fan of leaking revision number on public network by default (if
you are connected to public wifi or ...)
This is a valid point somehow, but:
because model and revision number can/must be encoded with e.
Hi Mauro
On 18.02.2017 12.49, Mauro Mozzarelli wrote:
So far with trial and error (unfortunately I could not find specific
documentation) I found that I can test reliably a variable that includes
both kernel version and patchlevel as follows:
LINUX_4_0||LINUX_4_1||LINUX_4_2||LINUX_4_3||LINUX_4_
Security fixes:
* Fixed port-share bug with DoS potential
* Fix buffer overflow by user supplied data
Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
Signed-off-by: Magnus Kroken
---
package/network/services/openvpn/Makefile | 6
300-upstream-fix-polarssl-mbedtls-builds.patch has been applied upstream.
Replaced 101-remove_polarssl_debug_call.patch with upstream backport.
Changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.12
Signed-off-by: Magnus Kroken
---
package/network/services
://www.openssl.org/news/secadv/20160922.txt
Changelog: https://www.openssl.org/news/cl102.txt
Signed-off-by: Magnus Kroken
---
package/libs/openssl/Makefile | 4 ++--
.../libs/openssl/patches/140-makefile-dirs.patch | 2 +-
package/libs/openssl/patches/150-no_engines.patch
-Fix_typo_introduced_by_a03f81f4.patch
Security advisory: https://www.openssl.org/news/secadv/20160926.txt
Signed-off-by: Magnus Kroken
---
package/libs/openssl/Makefile | 4 ++--
.../patches/301-fix_no_nextprotoneg_build.patch| 26 --
.../302