Merge tag '388.1-beta3' into gnuton-master

388.1-beta3

Changelog-NG.txt

@@ -25,8 +25,9 @@ Asuswrt-Merlin Changelog
          (if any is provided).
 
          Note that enabling WireGuard will disable hardware
-         NAT acceleration due to compatiblity reasons.
+         NAT acceleration due to compatibility reasons.
 
+  - NEW: httpd support for EC certificates (Ivan Kruglov)
   - UPDATED: getdns/stubby to 1.7.2/0.4.2.
   - UPDATED: zlib to 1.2.12 + backports.
   - UPDATED: openssl to 1.1.1s.
@@ -53,6 +54,8 @@ Asuswrt-Merlin Changelog
   - CHANGED: Optimized VPN Director WAN and DNS rule creation, so
              they no longer get re-created multiple times when
              editing VPNDirector rules.
+  - CHANGED: Switched generated self-signed certificate to an
+             EC certificate.
   - FIXED: Wrong temperatures used by the temperature graphs
            (386.8 regression)
   - FIXED: CVE-2022-37434 in zlib.
@@ -64,6 +67,8 @@ Asuswrt-Merlin Changelog
            Server Certificate Name Validation.
   - REMOVED: Interface selector on Speedtest page (no longer
              working, possibly due to an ookla client update)
+  - REMOVED: NAT Type setting on HND 5.04 devices (fullcone is
+             not supported by kernel 4.19)
 
 
 386.08_0-gnuton1 (8-Oct-2022)

README-merlin.txt

@@ -46,7 +46,7 @@ Fully supported devices:
 388.x:
  * RT-AX88U
  * RT-AX56U
- * RT-AX58U & RT-AX3000
+ * RT-AX58U & RT-AX3000 (V1 only)
  * RT-AX86U & RT-AX86S
  * GT-AC2900
  * GT-AX11000
@@ -103,17 +103,15 @@ Disk sharing:
 Networking:
    - Act as a SMB Master Browser
    - Act as a WINS server
-   - SSHD support for key-based authentication
    - Allows tweaking TCP/UDP connection tracking timeouts
    - CIFS client support (for mounting remote SMB share on the router)
    - Advanced OpenVPN client and server.
    - Netfilter ipset module, for efficient blacklist implementation
+   - DNS Director - enforcing the use of a specific DNS server, can be applied globally or per client
    - Wireless site survey page
-   - DNS-based Filtering, enforcing a specific DNS server, can be applied globally or per client
    - Custom DDNS (through a user script)
    - TOR support, individual client access control
    - VPN Director - Policy-based routing for OpenVPN and WireGUard clients (based on source or destination IPs)
-   - fq_codel queue discipline for Traditional QoS
    - Detailed wireless troubleshooting information (on some models)
    - Redirect NTP client queries to the router's own NTP daemon
    - Cake SQM QoS (on newer HND models)
@@ -126,7 +124,6 @@ Web interface:
    - Hostname field on the DHCP reservation list and Wireless ACL list
    - System info summary page
    - Wifi icon reports the state of both radios
-   - Wireless site survey
    - Advanced wireless client list display, including automated refresh
    - Redesigned layout of the various System Log sections
    - Editable entries (on some pages)

release/src-rt/target.mak

@@ -295,7 +295,7 @@ export RT-AX68U += BUILD_NAME="RT-AX68U" NVSIZE="128" DHDAP=n HND_WL=y DPSTA=y R
 		WEBDAV=y SMARTSYNCBASE=y USB="USB" APP="network" PROXYSTA=y DNSMQ=y BCMWL6=y BCMWL6A=y DISK_MONITOR=y \
 		OPTIMIZE_XBOX=y ODMPID=y BCMSMP=y XHCI=y DUALWAN=y NEW_USER_LOW_RSSI=y OPENVPN=y TIMEMACHINE=y MDNS=y \
 		VPNC=y BRCM_NAND_JFFS2=y JFFS2LOG=y NOTIFICATION_CENTER=y BWDPI=y DUMP_OOPS_MSG=n LINUX_MTD="64" \
-		DEBUGFS=y SSH=y EMAIL=y FRS_FEEDBACK=n SYSSTATE=y STAINFO=y CLOUDCHECK=y NATNL_AICLOUD=y \
+		DEBUGFS=y SSH=y EMAIL=y FRS_FEEDBACK=n SYSSTATE=y STAINFO=y CLOUDCHECK=y NATNL_AICLOUD=y ASD=y \
 		REBOOT_SCHEDULE=y MULTICASTIPTV=y QUAGGA=y BCM_MUMIMO=y LAN50="all" ATCOVER=y GETREALIP=y CFEZ=y \
 		NEWSSID_REV2=y NEWSSID_REV4=y NEW_APP_ARM=y NETOOL=y TRACEROUTE=y FORCE_AUTO_UPGRADE=n ALEXA=y IFTTT=n \
 		SW_HW_AUTH=y HD_SPINDOWN=y BCMEVENTD=y LETSENCRYPT=y JFFS_NVRAM=y NVRAM_ENCRYPT=y IPSEC=STRONGSWAN \

release/src-rt/version.conf

@@ -1,7 +1,7 @@
 KERNEL_VER=3.0
 FS_VER=0.4
 SERIALNO=388.1
-EXTENDNO=beta1
+EXTENDNO=beta3
 ifeq ($(ROG_UI),y)
 EXTENDNO:=$(EXTENDNO)_rog
 endif

release/src/router/httpd/gencert.sh

@@ -103,10 +103,12 @@ then
 fi
 
 # create the key and certificate request
-OPENSSL_CONF="/etc/openssl.config" $OPENSSL req -new -out /tmp/cert.csr -keyout /tmp/privkey.pem -newkey rsa:2048 -passout pass:password
+#OPENSSL_CONF="/etc/openssl.config" $OPENSSL req -new -out /tmp/cert.csr -keyout /tmp/privkey.pem -newkey rsa:2048 -passout pass:password
+#OPENSSL_CONF="/etc/openssl.config" $OPENSSL rsa -in /tmp/privkey.pem -out key.pem -passin pass:password
+OPENSSL_CONF="/etc/openssl.config" $OPENSSL ecparam -out key.pem -name prime256v1 -genkey
+OPENSSL_CONF="/etc/openssl.config" $OPENSSL req -new -key key.pem -out /tmp/cert.csr
 
-# import the self-certificate
-OPENSSL_CONF="/etc/openssl.config" $OPENSSL rsa -in /tmp/privkey.pem -out key.pem -passin pass:password
+# Import the self-certificate
 OPENSSL_CONF="/etc/openssl.config" RANDFILE=/dev/urandom $OPENSSL req -x509 -new -nodes -in /tmp/cert.csr -key key.pem -days 3653 -sha256 -out cert.pem
 
 # server.pem for WebDav SSL

release/src/router/libovpn/amvpn_routing.c

@@ -434,17 +434,18 @@ void amvpn_clear_exclusive_dns(int unit, vpndir_proto_t proto)
 }
 
 
-// Recreate the port 53 PREROUTING rules to ensure they are in the correct order (OVPN1 first, OVPN5 last)
+// Recreate the port 53 PREROUTING rules to ensure they are in the correct order (OVPN1 first, OVPN5 last, followed by WGC)
 void amvpn_update_exclusive_dns_rules()
 {
 	int unit;
 	char buffer[100];
 
-	for (unit = OVPN_CLIENT_MAX; unit > 0; unit--) {
-		snprintf(buffer, sizeof (buffer), "/etc/openvpn/client%d/dns.sh", unit);
+#ifdef RTCONFIG_WIREGUARD
+	for (unit = WG_CLIENT_MAX; unit > 0; unit--) {
+		snprintf(buffer, sizeof (buffer), "/etc/wg/dns%d.sh", unit);
 		if (f_exists(buffer)) {
 			// Remove and re-add to ensure proper order
-			snprintf(buffer, sizeof (buffer), "DNSVPN%d", unit);
+			snprintf(buffer, sizeof (buffer), "DNSVPN%d", unit + OVPN_CLIENT_MAX);
 
 			eval("/usr/sbin/iptables", "-t", "nat", "-D", "PREROUTING", "-p", "udp", "-m", "udp", "--dport", "53", "-j", buffer);
 			eval("/usr/sbin/iptables", "-t", "nat", "-D", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", "53", "-j", buffer);
@@ -453,13 +454,13 @@ void amvpn_update_exclusive_dns_rules()
 			eval("/usr/sbin/iptables", "-t", "nat", "-I", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", "53", "-j", buffer);
 		}
 	}
+#endif
 
-#ifdef RTCONFIG_WIREGUARD
-	for (unit = WG_CLIENT_MAX; unit > 0; unit--) {
-		snprintf(buffer, sizeof (buffer), "/etc/wg/dns%d.sh", unit);
+	for (unit = OVPN_CLIENT_MAX; unit > 0; unit--) {
+		snprintf(buffer, sizeof (buffer), "/etc/openvpn/client%d/dns.sh", unit);
 		if (f_exists(buffer)) {
 			// Remove and re-add to ensure proper order
-			snprintf(buffer, sizeof (buffer), "DNSVPN%d", unit + OVPN_CLIENT_MAX);
+			snprintf(buffer, sizeof (buffer), "DNSVPN%d", unit);
 
 			eval("/usr/sbin/iptables", "-t", "nat", "-D", "PREROUTING", "-p", "udp", "-m", "udp", "--dport", "53", "-j", buffer);
 			eval("/usr/sbin/iptables", "-t", "nat", "-D", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", "53", "-j", buffer);
@@ -468,7 +469,6 @@ void amvpn_update_exclusive_dns_rules()
 			eval("/usr/sbin/iptables", "-t", "nat", "-I", "PREROUTING", "-p", "tcp", "-m", "tcp", "--dport", "53", "-j", buffer);
 		}
 	}
-#endif
 }
 
 

release/src/router/lltd.arm/Makefile

@@ -56,12 +56,6 @@ else ifeq ($(BUILD_NAME),RT-AC5300)
 else ifeq ($(BUILD_NAME),GT-AC5300)
 	install icon.rtac5300.ico $(INSTALLDIR)/usr/sbin/icon.ico
 	install icon.large.rtac5300.ico $(INSTALLDIR)/usr/sbin/icon.large.ico
-else ifeq ($(BUILD_NAME), RT-AX88U)
-	install icon.rtax88u.ico $(INSTALLDIR)/usr/sbin/icon.ico
-	install icon.large.rtax88u.ico $(INSTALLDIR)/usr/sbin/icon.large.ico
-else ifeq ($(BUILD_NAME), GT-AX11000)
-	install icon.gtax11000.ico $(INSTALLDIR)/usr/sbin/icon.ico
-	install icon.large.gtax11000.ico $(INSTALLDIR)/usr/sbin/icon.large.ico
 else ifeq ($(BUILD_NAME), RT-AX92U)
 	install icon.rtax92u.ico $(INSTALLDIR)/usr/sbin/icon.ico
 	install icon.large.rtax92u.ico $(INSTALLDIR)/usr/sbin/icon.large.ico
@@ -134,6 +128,11 @@ else ifeq ($(BUILD_NAME),RT-AX88U)
 	install icon.large.rtax88u.ico $(INSTALLDIR)/usr/sbin/icon_default.large.ico
 	install icon.rtax88u_gd.ico $(INSTALLDIR)/usr/sbin/icon_gd.ico
 	install icon.large.rtax88u_gd.ico $(INSTALLDIR)/usr/sbin/icon_gd.large.ico
+else ifeq ($(BUILD_NAME),GT-AX11000)
+	install icon.gtax11000.ico $(INSTALLDIR)/usr/sbin/icon_default.ico
+	install icon.large.gtax11000.ico $(INSTALLDIR)/usr/sbin/icon_default.large.ico
+	install icon.gtax11000_gd.ico $(INSTALLDIR)/usr/sbin/icon_gd.ico
+	install icon.large.gtax11000_gd.ico $(INSTALLDIR)/usr/sbin/icon_gd.large.ico
 else ifeq ($(BUILD_NAME), GT-AX11000_PRO)
 	install icon.gtax11000_pro.ico $(INSTALLDIR)/usr/sbin/icon.ico
 	install icon.large.gtax11000_pro.ico $(INSTALLDIR)/usr/sbin/icon.large.ico

release/src/router/lltd.arm/icon.large.rtax5400.ico

@@ -0,0 +1 @@
+./icon.large.rtax58u.ico

release/src/router/lltd.arm/icon.rtax5400.ico

@@ -0,0 +1 @@
+./icon.rtax58u.ico

release/src/router/mssl/mssl.c

@@ -29,6 +29,7 @@
 #include <openssl/err.h>
 
 #include <openssl/rsa.h>
+#include <openssl/ec.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
@@ -598,6 +599,12 @@ int mssl_cert_key_match(const char *cert_path, const char *key_path)
 	RSA *rsa_pri = NULL;
 	DSA *dsa_pub = NULL;
 	DSA *dsa_pri = NULL;
+	EC_KEY *ec_pub = NULL;
+	EC_KEY *ec_pri = NULL;
+	const EC_GROUP *ec_group = NULL;
+	const EC_POINT *ec_pub_pub = NULL;
+	const EC_POINT *ec_pri_pub = NULL;
+
 	int pem = 1;
 	int ret = 0;
 
@@ -652,6 +659,11 @@ int mssl_cert_key_match(const char *cert_path, const char *key_path)
 		//_dprintf("DSA public key\n");
 		dsa_pub = EVP_PKEY_get1_DSA(pkey);
 	}
+	else if(EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+	{
+		//_dprintf("EC public key\n");
+		ec_pub = EVP_PKEY_get1_EC_KEY(pkey);
+	}
 	EVP_PKEY_free(pkey);
 	pkey = NULL;
 
@@ -691,6 +703,12 @@ int mssl_cert_key_match(const char *cert_path, const char *key_path)
 		//_dprintf("DSA private key\n");
 		dsa_pri = EVP_PKEY_get1_DSA(pkey);
 	}
+	else if(EVP_PKEY_id(pkey) == EVP_PKEY_EC)
+	{
+		//_dprintf("EC public key\n");
+		ec_pri  = EVP_PKEY_get1_EC_KEY(pkey);
+	}
+
 	EVP_PKEY_free(pkey);
 	pkey = NULL;
 
@@ -721,6 +739,26 @@ int mssl_cert_key_match(const char *cert_path, const char *key_path)
 			ret = 1;
 		}
 	}
+	else if(ec_pub && ec_pri)
+	{
+		ec_group = EC_KEY_get0_group(ec_pub);
+		ec_pub_pub = EC_KEY_get0_public_key(ec_pub);
+		ec_pri_pub = EC_KEY_get0_public_key(ec_pri);
+
+		if (ec_group != NULL &&
+			ec_pub_pub != NULL &&
+			ec_pri_pub != NULL &&
+			EC_POINT_cmp(ec_group, ec_pub_pub, ec_pri_pub, NULL) == 0)
+		{
+			_dprintf("[mssl] ec modulus match\n");
+			ret = 1;
+		}
+		else
+		{
+			_dprintf("[mssl] ec modulus not match\n");
+			ret = 0;
+		}
+	}
 	else
 	{
 		_dprintf("[mssl] compare failed");
@@ -735,10 +773,14 @@ int mssl_cert_key_match(const char *cert_path, const char *key_path)
 		RSA_free(rsa_pub);
 	if(dsa_pub)
 		DSA_free(dsa_pub);
+	if(ec_pub)
+		EC_KEY_free(ec_pub);
 	if(rsa_pri)
 		RSA_free(rsa_pri);
 	if(dsa_pri)
 		DSA_free(dsa_pri);
+	if(ec_pri)
+		EC_KEY_free(ec_pri);
 
 	return ret;
 }

release/src/router/rc/firewall.c

@@ -1954,7 +1954,7 @@ void nat_setting(char *wan_if, char *wan_ip, char *wanx_if, char *wanx_ip, char
 				    offset + psidlen == 0 || offset + psidlen > 16)
 					break;
 
-#ifdef BCM_KF_NETFILTER
+#if defined(BCM_KF_NETFILTER) && !defined(BCM4912)
 				foreach(proto, "tcp udp icmp", next) {
 					fprintf(fp, "-A POSTROUTING -p %s -o %s -j MASQUERADE --mode %s --psid %d,%d,%d\n",
 						proto, wan_if, (nvram_get_int("nat_type") ? "fullcone" : "symmetric"),
@@ -1969,7 +1969,7 @@ void nat_setting(char *wan_if, char *wan_ip, char *wanx_if, char *wanx_ip, char
 				break;
 			}
 #endif
-#ifdef BCM_KF_NETFILTER
+#if defined(BCM_KF_NETFILTER) && !defined(BCM4912)
 			fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE --mode %s\n", p, wan_if, wan_ip, (nvram_get_int("nat_type") ? "fullcone" : "symmetric"));
 #else
 			fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE\n", p, wan_if, wan_ip);
@@ -1978,7 +1978,7 @@ void nat_setting(char *wan_if, char *wan_ip, char *wanx_if, char *wanx_ip, char
 
 		/* masquerade physical WAN port connection */
 		if (strcmp(wan_if, wanx_if) && inet_addr_(wanx_ip))
-#ifdef BCM_KF_NETFILTER
+#if defined(BCM_KF_NETFILTER) && !defined(BCM4912)
 			fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE --mode %s\n", p, wanx_if, wanx_ip, (nvram_get_int("nat_type") ? "fullcone" : "symmetric"));
 #else
 			fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE\n", p, wanx_if, wanx_ip);
@@ -2489,15 +2489,15 @@ void nat_setting2(char *lan_if, char *lan_ip, char *logaccept, char *logdrop)	//
 			wanx_ip = nvram_safe_get(strcat_r(prefix, "xipaddr", tmp));
 
 			if(inet_addr_(wan_ip))
-#ifdef BCM_KF_NETFILTER
+#if defined(BCM_KF_NETFILTER) && !defined(BCM4912)
 				fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE --mode %s\n", p, wan_if, wan_ip, (nvram_get_int("nat_type") ? "fullcone" : "symmetric"));
 #else
 				fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE\n", p, wan_if, wan_ip);
 #endif
 
 			/* masquerade physical WAN port connection */
 			if (dualwan_unit__nonusbif(unit) && strcmp(wan_if, wanx_if) && inet_addr_(wanx_ip))
-#ifdef BCM_KF_NETFILTER
+#if defined(BCM_KF_NETFILTER) && !defined(BCM4912)
 				fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE --mode %s\n", p, wanx_if, wanx_ip, (nvram_get_int("nat_type") ? "fullcone" : "symmetric"));
 #else
 				fprintf(fp, "-A POSTROUTING %s -o %s ! -s %s -j MASQUERADE\n", p, wanx_if, wanx_ip);
@@ -7479,10 +7479,6 @@ int start_firewall(int wanunit, int lanunit)
 	vpnc_add_firewall_rule();
 #endif
 
-#ifdef RTCONFIG_OPENVPN
-	ovpn_run_fw_scripts();
-#endif
-
 	if (!nvram_get_int("ttl_inc_enable") && !nvram_get_int("ttl_spoof_enable")) {
 		modprobe_r("xt_HL");
 		modprobe_r("xt_hl");
@@ -7509,6 +7505,9 @@ int start_firewall(int wanunit, int lanunit)
 	run_wgc_fw_scripts();
 #endif
 
+#ifdef RTCONFIG_OPENVPN
+	ovpn_run_fw_scripts();
+#endif
 	/* Assuming wan interface doesn't change */
 	reload_upnp();
 

release/src/router/rc/sysdeps/init-broadcom.c

@@ -11328,9 +11328,16 @@ void fc_fini()
 void hnd_nat_ac_init(int bootup)
 {
 	int routing_mode = is_routing_enabled();
+	int unit, wg_enabled = 0;
+	char buffer[32];
 
-	// A.QOS : not to disable fc
-	nvram_set_int("fc_disable", nvram_get_int("fc_disable_force") || (routing_mode && IS_NON_AQOS()) ? 1 : 0);
+	// WG: keep FC disabled if WG server or clients  are enabled
+#ifdef RTCONFIG_WIREGUARD
+	wg_enabled = is_wg_enabled();
+#endif
+
+	// Set fc_disable based on QOS type and WG states
+	nvram_set_int("fc_disable", nvram_get_int("fc_disable_force") || wg_enabled || (routing_mode && IS_NON_AQOS()) ? 1 : 0);
 
 	// A.QOS : no need to disable runner
 	nvram_set_int("runner_disable", nvram_get_int("runner_disable_force") || (routing_mode && IS_NON_AQOS()) ? 1 : 0);