Matthias Schiffer authored
The autoupdater supports HTTPS when a ustream TLS backend is installed, but we did not allow this in site.conf. However, just allowing HTTPS URLs unconditionally is also a bad idea, as it might result in nodes being unable to reach the mirror, in particular if the `tls` feature is enabled only for some devices.

Solve this by allowing https:// URLs only if the marker file installed by gluon-tls is found, failing the site check with an error message like the following otherwise:

*** All of the following alternatives have failed:
1) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern 'http://', but it is "https://..." (a string value)
2) site.conf error: expected autoupdater.branches.test.mirrors.1 to use HTTPS only if the 'tls' feature is enabled, but it is "https://..." (a string value)
3) site.conf error: expected autoupdater.branches.test.mirrors.1 to match pattern '^//', but it is "https://..." (a string value)

In addition, introduce support for protocol-less //server/path URLs, which will use either HTTP or HTTPS depending on the availability of the `tls` feature. No fallback happens when `tls` is available, but the HTTPS connection fails, preventing downgrade attacks.

Based-on-patch-by: Kevin Olbrich <ko@sv01.de>
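The mirror URL policy the commit message describes, written out as an added Lua example that is not the gluon project's own code. It models the three site-check alternatives (plain http://, https:// only when the `tls` feature marker exists, and protocol-less //server/path), produces the "All of the following alternatives have failed" message in the shape quoted above, and shows the download-time resolution of a //server/path mirror with no HTTPS-to-HTTP fallback. The marker file path `TLS_MARKER`, the function names and the sample mirror hostnames are assumptions made for this example; the real check functions in gluon's site-check library are not reproduced here.

```lua
-- Added example; not gluon code. Marker path is a hypothetical placeholder:
-- gluon-tls installs some marker file, but its real path is not given here.
local TLS_MARKER = '/lib/gluon/features/tls'

-- The 'tls' feature is detected by the presence of the marker file.
local function tls_feature_present()
	local f = io.open(TLS_MARKER, 'r')
	if f then f:close() return true end
	return false
end

-- One alternative of the site check: true on success, or false plus a
-- message in the "site.conf error: expected KEY to ..., but it is ..." form.
local function expect_match(key, value, pattern, reason)
	if string.match(value, pattern) then return true end
	return false, string.format(
		"site.conf error: expected %s to %s, but it is %q (a string value)",
		key, reason, value)
end

-- A mirror is accepted if any alternative accepts it. Otherwise every
-- alternative's message is collected, numbered as in the commit message.
local function check_mirror(key, value, tls_available)
	local alternatives = {
		function()
			return expect_match(key, value, '^http://', "match pattern 'http://'")
		end,
		function()
			-- https:// is only acceptable when the tls feature is enabled
			if not tls_available then
				return false, string.format(
					"site.conf error: expected %s to use HTTPS only if the 'tls' feature is enabled, but it is %q (a string value)",
					key, value)
			end
			return expect_match(key, value, '^https://', "match pattern 'https://'")
		end,
		function()
			return expect_match(key, value, '^//', "match pattern '^//'")
		end,
	}
	local errors = {}
	for i, alt in ipairs(alternatives) do
		local ok, err = alt()
		if ok then return true end
		errors[#errors + 1] = string.format('%d) %s', i, err)
	end
	return false, '*** All of the following alternatives have failed:\n'
		.. table.concat(errors, '\n')
end

-- Download-time resolution: //server/path becomes https:// when tls is
-- available and http:// otherwise. A full https:// URL is never downgraded;
-- without tls it is simply unusable (nil plus a reason), so a failing TLS
-- connection cannot be turned into a plaintext one.
local function resolve_mirror(url, tls_available)
	if string.match(url, '^//') then
		return (tls_available and 'https:' or 'http:') .. url
	end
	if string.match(url, '^https://') and not tls_available then
		return nil, 'https:// mirror configured but tls feature is not available'
	end
	return url
end

-- Self-check with constructed sample values (hostnames are made up).
local key = 'autoupdater.branches.test.mirrors.1'
assert(check_mirror(key, 'http://mirror.example/fw', false))
assert(check_mirror(key, 'https://mirror.example/fw', true))
assert(not check_mirror(key, 'https://mirror.example/fw', false))
assert(check_mirror(key, '//mirror.example/fw', false))
assert(not check_mirror(key, 'ftp://mirror.example/fw', true))
assert(resolve_mirror('//mirror.example/fw', true) == 'https://mirror.example/fw')
assert(resolve_mirror('//mirror.example/fw', false) == 'http://mirror.example/fw')
assert(resolve_mirror('https://mirror.example/fw', false) == nil)

-- Show the combined error for an https:// mirror on a build without tls.
local _, message = check_mirror(key, 'https://mirror.example/fw', false)
print(message)
print('tls marker present on this host: ' .. tostring(tls_feature_present()))
```

Run it with a stock Lua 5.x interpreter (`lua example.lua`); on a host without the hypothetical marker file the final line reports `false`, and the printed message has the same three numbered alternatives as the commit message. The important design point is in `resolve_mirror`: the only place the scheme is chosen is for protocol-less URLs, and that choice is made once from the feature flag, never retried over HTTP after an HTTPS failure.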
check_site.lua 1.37 KiB
need_string 'site_code'
need_string 'site_name'

if need_table('opkg', nil, false) then
	need_string('opkg.lede', false)

	function check_repo(k, _)
		-- this is not actually a uci name, but using the same naming rules here is fine
		assert_uci_name(k)

		need_string(string.format('opkg.extra[%q]', k))
	end

	need_table('opkg.extra', check_repo, false)
end

need_string('hostname_prefix', false)
need_string 'timezone'

need_string_array('ntp_servers', false)
need_string_match('prefix6', '^[%x:]+/%d+$')

for _, config in ipairs({'wifi24', 'wifi5'}) do
	if need_table(config, nil, false) then
		need_string('regdom') -- regdom is only required when wifi24 or wifi5 is configured

		need_number(config .. '.channel')

		local rates = {1000, 2000, 5500, 6000, 9000, 11000, 12000, 18000, 24000, 36000, 48000, 54000}
		local supported_rates = need_array_of(config .. '.supported_rates', rates, false)
		if supported_rates then
			need_array_of(config .. '.basic_rate', supported_rates, true)
		else
			need_array_of(config .. '.basic_rate', rates, false)
		end
	end
end

need_boolean('poe_passthrough', false)

if need_table('dns', nil, false) then
	need_number('dns.cacheentries', false)
	need_string_array('dns.servers', false)
end

if need_table('next_node', nil, false) then
	need_string_match('next_node.ip6', '^[%x:]+$', false)
	need_string_match('next_node.ip4', '^%d+.%d+.%d+.%d+$', false)
end