Merge tag '386.7_2'

386.7_2

Changelog-NG.txt

@@ -2,9 +2,27 @@ Asuswrt-Merlin 386/NG Changelog
 ===============================
 
 
-386.07_0-gnuton0 (xx-xxx-xxxx)
+386.07_2-gnuton0 (xx-xxx-xxxx)
   - NEW: Added support for TUF-AX3000
 
+386.7_2 (24-July-2022)
+  - UPDATED: openssl to 1.1.1q.
+  - UPDATED: RT-AX86U driver + SDK updated to latest upstream version
+  - UPDATED: RT-AX88U and GT-AX11000 radio firmware downgraded to the
+             previous version.
+  - FIXED: Some ISPs would fail to allocate a proper IPv6 prefix (tvlz)
+  - FIXED: Packet checksum errors logged when using DNSFilter in Router
+           mode.  Router mode will no longer use DNAT, except for newer
+           HND 5.04 models like the GT-AX6000 or XT12, which work
+           properly.  Non-Router mode on HND will still use
+           the new DNAT support added in 386.7.
+  - FIXED: Some SSH clients would end up with an incorrect PATH
+           value for the default search path.
+  - FIXED: OpenVPN clients wouldn't get updated routing tables
+           if an OpenVPN server was stopped/started while an
+           OpenVPN client was connected
+
+
 386.7 (22-June-2022)
   - NEW: IPV6 support for DNSFilter for HND router models.
          Custom settings can also let you specify IPv6 servers.

release/src-rt/version.conf

@@ -1,5 +1,5 @@
 KERNEL_VER=3.0
 FS_VER=0.4
 SERIALNO=386.7
-EXTENDNO=0
+EXTENDNO=2
 RCNO=0

release/src/router/libovpn/openvpn_control.c

@@ -908,6 +908,10 @@ void ovpn_start_server(int unit) {
 
 	ovpn_setup_server_watchdog(sconf, unit);
 
+	// Update running ovpn client tables
+	if (sconf->if_type == OVPN_IF_TUN)
+		update_client_routes(sconf->if_name, 1);
+
 	free(sconf);
 }
 
@@ -965,6 +969,13 @@ void ovpn_stop_server(int unit) {
 		return;
 	}
 
+	// Remove routes from running ovpn clients
+	snprintf(buffer, sizeof(buffer), "vpn_server%d_if", unit);
+	if (!strcmp(nvram_safe_get(buffer), "tun")) {
+		snprintf(buffer, sizeof(buffer), "tun%d", OVPN_SERVER_BASEIF + unit);
+		update_client_routes(buffer, 0);
+	}
+
 	// Remove watchdog
 	sprintf(buffer, "CheckVPNServer%d", unit);
 	eval("cru", "d", buffer);
@@ -1061,3 +1072,66 @@ void stop_ovpn_serverall() {
 			ovpn_stop_server(unit);
         }
 }
+
+
+/* Remove/add server routes from client routing tables */
+
+void update_client_routes(char *server_iface, int addroute) {
+	int unit;
+	char buffer[32];
+
+	for( unit = 1; unit <= OVPN_CLIENT_MAX; unit++ ) {
+		sprintf(buffer, "vpnclient%d", unit);
+		if ( pidof(buffer) >= 0 ) {
+			if (addroute)
+				_add_server_routes(server_iface, unit);
+			else
+				_del_server_routes(server_iface, unit);
+		}
+	}
+}
+
+
+/* Add / remove OpenVPN server routes from client tables */
+/* Server-agnostic, could eventually be reused for other servers like WG/IPSEC */
+
+void _add_server_routes(char *server_iface, int client_unit) {
+	char buffer[128], routecmd[128], line[128];
+	FILE *fp_route;
+
+	snprintf(buffer, sizeof (buffer), "/usr/sbin/ip route list table main | grep %s > /tmp/vpnroute%d_tmp", server_iface, client_unit);
+	system(buffer);
+
+	snprintf(buffer, sizeof (buffer), "/tmp/vpnroute%d_tmp", client_unit);
+	fp_route = fopen(buffer, "r");
+
+	if (fp_route) {
+		while (fgets(line, sizeof(line), fp_route) != NULL) {
+			snprintf(routecmd, sizeof (routecmd), "/usr/sbin/ip route add %s table ovpnc%d", trimNL(line), client_unit);
+			system(routecmd);
+		}
+		fclose(fp_route);
+	}
+	unlink(buffer);
+}
+
+
+void _del_server_routes(char *server_iface, int client_unit) {
+	char buffer[128], routecmd[128], line[128];
+	FILE *fp_route;
+
+	snprintf(buffer, sizeof (buffer), "/usr/sbin/ip route list table ovpnc%d | grep %s > /tmp/vpnroute%d_tmp", client_unit, server_iface, client_unit);
+	system(buffer);
+
+	snprintf(buffer, sizeof (buffer), "/tmp/vpnroute%d_tmp", client_unit);
+	fp_route = fopen(buffer, "r");
+
+	if (fp_route) {
+		while (fgets(line, sizeof(line), fp_route) != NULL) {
+			snprintf(routecmd, sizeof (routecmd), "/usr/sbin/ip route del %s table ovpnc%d", trimNL(line), client_unit);
+			system(routecmd);
+		}
+		fclose(fp_route);
+	}
+	unlink(buffer);
+}

release/src/router/libovpn/openvpn_control.h

@@ -36,5 +36,7 @@ extern void ovpn_update_exclusive_dns_rules();
 
 extern void start_ovpn_serverall();
 extern void stop_ovpn_serverall();
-
+extern void update_client_routes(char *server_iface, int addroute);
+void _add_server_routes(char *server_iface, int client_unit);
+void _del_server_routes(char *server_iface, int client_unit);
 #endif

release/src/router/libovpn/openvpn_setup.c

@@ -1127,7 +1127,7 @@ void ovpn_setup_server_watchdog(ovpn_sconf_t *sconf, int unit) {
 
 	if ((fp = fopen(buffer, "w"))) {
 		fprintf(fp, "#!/bin/sh\n"
-		            "if [ -z $(pidof vpnserver%d) ]\n"
+		            "if [ -z \"$(pidof vpnserver%d)\" ]\n"
 		            "then\n"
 		            "   service restart_vpnserver%d\n"
 		            "fi\n",

release/src/router/openssl-1.1/CHANGES

@@ -7,18 +7,57 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
+ Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
+
+  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
+     implementation would not encrypt the entirety of the data under some
+     circumstances.  This could reveal sixteen bytes of data that was
+     preexisting in the memory that wasn't written.  In the special case of
+     "in place" encryption, sixteen bytes of the plaintext would be revealed.
+
+     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
+     they are both unaffected.
+     (CVE-2022-2097)
+     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
+
+ Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
+
+  *) In addition to the c_rehash shell command injection identified in
+     CVE-2022-1292, further bugs where the c_rehash script does not
+     properly sanitise shell metacharacters to prevent command injection have been
+     fixed.
+
+     When the CVE-2022-1292 was fixed it was not discovered that there
+     are other places in the script where the file names of certificates
+     being hashed were possibly passed to a command executed through the shell.
+
+     This script is distributed by some operating systems in a manner where
+     it is automatically executed.  On such operating systems, an attacker
+     could execute arbitrary commands with the privileges of the script.
+
+     Use of the c_rehash script is considered obsolete and should be replaced
+     by the OpenSSL rehash command line tool.
+     (CVE-2022-2068)
+     [Daniel Fiala, Tomáš Mráz]
+
+  *) When OpenSSL TLS client is connecting without any supported elliptic
+     curves and TLS-1.3 protocol is disabled the connection will no longer fail
+     if a ciphersuite that does not use a key exchange based on elliptic
+     curves can be negotiated.
+     [Tomáš Mráz]
+
  Changes between 1.1.1n and 1.1.1o [3 May 2022]
 
   *) Fixed a bug in the c_rehash script which was not properly sanitising shell
-    metacharacters to prevent command injection.  This script is distributed by
-    some operating systems in a manner where it is automatically executed.  On
-    such operating systems, an attacker could execute arbitrary commands with the
-    privileges of the script.
-
-    Use of the c_rehash script is considered obsolete and should be replaced
-    by the OpenSSL rehash command line tool.
-    (CVE-2022-1292)
-    [Tomáš Mráz]
+     metacharacters to prevent command injection.  This script is distributed
+     by some operating systems in a manner where it is automatically executed.
+     On such operating systems, an attacker could execute arbitrary commands
+     with the privileges of the script.
+
+     Use of the c_rehash script is considered obsolete and should be replaced
+     by the OpenSSL rehash command line tool.
+     (CVE-2022-1292)
+     [Tomáš Mráz]
 
  Changes between 1.1.1m and 1.1.1n [15 Mar 2022]
 

release/src/router/openssl-1.1/Configurations/10-main.conf

@@ -1007,6 +1007,13 @@ my %targets = (
         perlasm_scheme   => "linux64",
     },
 
+    "BSD-aarch64" => {
+        inherit_from     => [ "BSD-generic64", asm("aarch64_asm") ],
+        lib_cppflags     => add("-DL_ENDIAN"),
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
+        perlasm_scheme   => "linux64",
+    },
+
     "bsdi-elf-gcc" => {
         inherit_from     => [ "BASE_unix", asm("x86_elf_asm") ],
         CC               => "gcc",

release/src/router/openssl-1.1/NEWS

@@ -5,6 +5,17 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.1.1p and OpenSSL 1.1.1q [5 Jul 2022]
+
+      o Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms
+        (CVE-2022-2097)
+
+  Major changes between OpenSSL 1.1.1o and OpenSSL 1.1.1p [21 Jun 2022]
+
+      o Fixed additional bugs in the c_rehash script which was not properly
+        sanitising shell metacharacters to prevent command injection
+        (CVE-2022-2068)
+
   Major changes between OpenSSL 1.1.1n and OpenSSL 1.1.1o [3 May 2022]
 
       o Fixed a bug in the c_rehash script which was not properly sanitising

release/src/router/openssl-1.1/README

@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1o 3 May 2022
+ OpenSSL 1.1.1q 5 Jul 2022
 
  Copyright (c) 1998-2022 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

release/src/router/openssl-1.1/apps/s_server.c

@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -2236,6 +2236,30 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
                SSL_CTX_sess_get_cache_size(ssl_ctx));
 }
 
+static long int count_reads_callback(BIO *bio, int cmd, const char *argp,
+                                     int argi, long int argl, long int ret)
+{
+    unsigned int *p_counter = (unsigned int *)BIO_get_callback_arg(bio);
+
+    switch (cmd) {
+    case BIO_CB_READ:  /* No break here */
+    case BIO_CB_GETS:
+        if (p_counter != NULL)
+            ++*p_counter;
+        break;
+    default:
+        break;
+    }
+
+    if (s_debug) {
+        BIO_set_callback_arg(bio, (char *)bio_s_out);
+        ret = bio_dump_callback(bio, cmd, argp, argi, argl, ret);
+        BIO_set_callback_arg(bio, (char *)p_counter);
+    }
+
+    return ret;
+}
+
 static int sv_body(int s, int stype, int prot, unsigned char *context)
 {
     char *buf = NULL;
@@ -2353,10 +2377,7 @@ static int sv_body(int s, int stype, int prot, unsigned char *context)
     SSL_set_accept_state(con);
     /* SSL_set_fd(con,s); */
 
-    if (s_debug) {
-        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
-        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
-    }
+    BIO_set_callback(SSL_get_rbio(con), count_reads_callback);
     if (s_msg) {
 #ifndef OPENSSL_NO_SSL_TRACE
         if (s_msg == 2)
@@ -2648,7 +2669,25 @@ static int sv_body(int s, int stype, int prot, unsigned char *context)
              */
             if ((!async || !SSL_waiting_for_async(con))
                     && !SSL_is_init_finished(con)) {
+                /*
+                 * Count number of reads during init_ssl_connection.
+                 * It helps us to distinguish configuration errors from errors
+                 * caused by a client.
+                 */
+                unsigned int read_counter = 0;
+
+                BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter);
                 i = init_ssl_connection(con);
+                BIO_set_callback_arg(SSL_get_rbio(con), NULL);
+
+                /*
+                 * If initialization fails without reads, then
+                 * there was a fatal error in configuration.
+                 */
+                if (i <= 0 && read_counter == 0) {
+                    ret = -1;
+                    goto err;
+                }
 
                 if (i < 0) {
                     ret = 0;

release/src/router/openssl-1.1/config

@@ -1,5 +1,5 @@
 #!/bin/sh
-# Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -709,6 +709,7 @@ case "$GUESSOS" in
   ia64-*-*bsd*)		OUT="BSD-ia64" ;;
   x86_64-*-dragonfly*)  OUT="BSD-x86_64" ;;
   amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
+  arm64-*-*bsd*)	OUT="BSD-aarch64" ;;
   *86*-*-*bsd*)		# mimic ld behaviour when it's looking for libc...
 			if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
 			    libc=/usr/lib/libc.so

release/src/router/openssl-1.1/crypto/aes/asm/aesni-x86.pl

@@ -1,5 +1,5 @@
 #! /usr/bin/env perl
-# Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved.
 #
 # Licensed under the OpenSSL license (the "License").  You may not use
 # this file except in compliance with the License.  You can obtain a copy
@@ -2027,7 +2027,7 @@ sub aesni_generate6
 	&movdqu		(&QWP(-16*2,$out,$inp),$inout4);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);
@@ -2453,7 +2453,7 @@ sub aesni_generate6
 	&pxor		($rndkey1,$inout5);
 	&movdqu		(&QWP(-16*1,$out,$inp),$inout5);
 	&cmp		($inp,$len);			# done yet?
-	&jb		(&label("grandloop"));
+	&jbe		(&label("grandloop"));
 
 &set_label("short");
 	&add		($len,16*6);