The NanoPi NEO2 is a small Allwinner H5 based board available with
different DRAM configurations.
This board is very similar to the NanoPi NEO PLUS2
Signed-off-by: Jasper Scholte <NightNL@outlook.com>
Add support for the Silicon Labs Si7020 family of relative humidity and
temperature sensors using the I2C bus.
Signed-off-by: Hartmut Knaack <knaack.h@gmx.de>
* Fixed a security issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency networks with high packet loss.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Backport upstream commit
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jonathan Lancett <j.lancett@ntlworld.com>
[minor tweak to commit title]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Registering a GPIO chip with the ath9k device as parent prevents unload,
because the gpiochip core increases the module use count.
Unfortunately, the only way to avoid this at the moment seems to be to
register the GPIO chip without a parent device
Signed-off-by: Felix Fietkau <nbd@nbd.name>
/etc/config/mdadm is only used by the init script which is ran as root.
There is no need for it to be readable by anything else.
Added PKG_CPE_ID for proper CVE tracking.
Small reorganization for consistency between Makefiles.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The hotplug file is ran by procd, which runs as root. The config file is
used by the init script, which also runs as root.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
/etc/config/lldpd is only used by the init script, which only runs as root
Adjusted homepage and download URLs to use HTTPS.
-std=c99 is useful for GCC versions less than 6. Current OpenWrt uses 7.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken map connectivity.
Therefore drop the default encaplimit value for map tunnels so
no destination option header is included by default.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Setting encaplimit to a numerical value results into the value being
included as tunnel encapsulation limit in the destination option header
for tunneled packets.
Several users have reported interop issues as not all ISPs support the
destination option header containing the tunnel encapsulation limit
resulting into broken ds-lite connectivity.
Therefore drop the default encaplimit value for ds-lite tunnels so
no destination option header is included by default.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* blake2s-x86_64: fix whitespace errors
* crypto: do not use compound literals in selftests
* crypto: make sure UML is properly disabled
* kconfig: make NEON depend on CPU_V7
* poly1305: rename finish to final
* chacha20: add constant for words in block
* curve25519-x86_64: remove useless define
* poly1305: precompute 5*r in init instead of blocks
* chacha20-arm: swap scalar and neon functions
* simd: add __must_check annotation
* poly1305: do not require simd context for arch
* chacha20-x86_64: cascade down implementations
* crypto: pass simd by reference
* chacha20-x86_64: don't activate simd for small blocks
* poly1305-x86_64: don't activate simd for small blocks
* crypto: do not use -include trick
* crypto: turn Zinc into individual modules
* chacha20poly1305: relax simd between sg chunks
* chacha20-x86_64: more limited cascade
* crypto: allow for disabling simd in zinc modules
* poly1305-x86_64: show full struct for state
* chacha20-x86_64: use correct cut off for avx512-vl
* curve25519-arm: only compile if symbols will be used
* chacha20poly1305: add __init to selftest helper functions
* chacha20: add independent self test
Tons of improvements all around the board to our cryptography library,
including some performance boosts with how we handle SIMD for small packets.
* send/receive: reduce number of sg entries
This quells a powerpc stack usage warning.
* global: remove non-essential inline annotations
We now allow the compiler to determine whether or not to inline certain
functions, while still manually choosing so for a few performance-critical
sections.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
usign occasionally writes 16 characters then exits without writing a LF,
leaving ucert hanging waiting for more input. Accept 16 characters
or more rather than 17 to work around the short read.
Signed-off-by: Mike McCormack <mike@atratus.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Allow setting specific routing tables via the ip4table and ip6table
options also when ${ifname}_4 and ${ifname}_6 child interfaces are
being created.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Pull in latest upstream tweaks:
Similar to the previous patch for no-split-gso, the negative keywords for
'nat', 'wash' and 'ack-filter' were not printed either. Add those as well.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
When the GSO splitting was turned into dual split-gso/no-split-gso options,
the printing of the latter was left out. Add that, so output is consistent
with the options passed
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Bump to latest upstream cake:
Add workaround for wrong skb->mac_len values after splitting GSO
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
* curve25519: arm: do not modify sp directly
* compat: support neon.h on old kernels
* compat: arch-namespace certain includes
* compat: move simd.h from crypto to compat since it's going upstream
This fixes a decent amount of compat breakage and thumb2-mode breakage
introduced by our move to Zinc.
* crypto: use CRYPTOGAMS license
Rather than using code from OpenSSL, use code directly from AndyP.
* poly1305: rewrite self tests from scratch
* poly1305: switch to donna
This makes our C Poly1305 implementation a bit more intensely tested and also
faster, especially on 64-bit systems. It also sets the stage for moving to a
HACL* implementation when that's ready.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* add missing 'rpcbind' alias to /etc/services
Allows rpcbind to open its 111 port and be reachable via lan, this is the default behaviour.
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
This is an upstream-applied patch that fixes 'PATH_MAX' and 'NAME_MAX'
undeclared when compiling on musl with CONFIG_PCAP_HAS_USB.
[aafa351] pcap-usb-linux.c: add missing limits.h for musl systems.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Currently it's close to impossible to tell what part of mac80211 setup
went wrong. Errors logged into system log look like this:
radio0 (6155): command failed: No error information (-524)
radio0 (6155): command failed: Not supported (-95)
radio0 (6155): command failed: I/O error (-5)
radio0 (6155): command failed: Too many open files in system (-23)
With this commit change it's getting clear:
command failed: No error information (-524)
Failed command: iw dev wlan0 del
command failed: Not supported (-95)
Failed command: iw phy phy0 set antenna_gain 0
command failed: I/O error (-5)
Failed command: iw phy phy0 set distance 0
command failed: Too many open files in system (-23)
Failed command: iw phy phy0 interface add wlan0 type __ap
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Follow the strategy of other targets and create a
default environment file, uEnv.txt, to configure the
behavior of U-Boot.
For now, use it to pass bootargs to the kernel
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Create a directory inside STAGING_DIR and copy U-Boot
output images, so they can be used later when creating the
sdcard image
Additionally, like others targets, override the default
install method to avoid copying the images to bin directory
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Select the U-Boot variant automatically based on the
current selected device, and hide the package from
menuconfig
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
The board was added when creating the target, but the
corresponding device was never defined inside the target
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Refresh patches
Changes since latest bump:
af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Allowing DHCPV6_CLIENT_FQDN and DHCPV6_ACCEPT_RECONFIGURE to be turned off.
Defaulting to false, former behavior remains unchanged.
Signed-off-by: pacien <pacien.trangirard@pacien.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
*** Changes in GDB 8.2
Support for the following target has been added:
RiscV ELF (riscv*-*-elf)
Support for following targets and native configurations has been removed:
m88k running OpenBSD (m88*-*-openbsd*)
SH-5/SH64 ELF (sh64-*-elf*)
SH-5/SH64 (sh*)
SH-5/SH64 running GNU/Linux (sh*-*-linux*)
SH-5/SH64 running OpenBSD (sh*-*-openbsd*)
Various Python API enhancements
Aarch64/Linux enhancements:
SVE support.
Hardware watchpoints improvements for entities stored at unaligned addresses.
New "c" response to disable the pager for the rest of the current command.
C expressions can now use _Alignof, and C++ expressions can now use alignof.
Improved flexibility for loading symbol files.
The 'info proc' command nows works on running processes on FreeBSD systems as well as core files created on FreeBSD systems.
A new --enable-codesign=CERT configure option to automatically codesign GDB after build (useful on MacOS X).
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
The dnsmasq variants should provide dnsmasq, otherwise it is impossible
to include them in the image.
This change allows one to have CONFIG_PACKAGE_dnsmasq=m and
CONFIG_PACKAGE_dnsmasq-full=y, e.g. because you want DNSSEC support, or
IPSETs suport on your 3000-devices fleet ;-)
Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)
Upstream commits since last bump:
da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
As of version 4.21, strace enforces mpers by default. The current
implementation of aarch64 compat in strace assumes it's identical to
ARMv7 EABI and therefore tries to enable m32 personality support. As
there is no -m32 support on aarch64, this causes the build to fail.
Restore previous strace behavior to fix build on aarch64.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Karl Palsson <karlp@tweak.net.au>
* Kconfig: use new-style help marker
* global: run through clang-format
* uapi: reformat
* global: satisfy check_patch.pl errors
* global: prefer sizeof(*pointer) when possible
* global: always find OOM unlikely
Tons of style cleanups.
* crypto: use unaligned helpers
We now avoid unaligned accesses for generic users of the crypto API.
* crypto: import zinc
More style cleanups and a rearrangement of the crypto routines to fit how this
is going to work upstream. This required some fairly big changes to our build
system, so there may be some build errors we'll have to address in subsequent
snapshots.
* compat: rng_is_initialized made it into 4.19
We therefore don't need it in the compat layer anymore.
* curve25519-hacl64: use formally verified C for comparisons
The previous code had been proved in Z3, but this new code from upstream
KreMLin is directly generated from the F*, which is preferable. The
assembly generated is identical.
* curve25519-x86_64: let the compiler decide when/how to load constants
Small performance boost.
* curve25519-arm: reformat
* curve25519-arm: cleanups from lkml
* curve25519-arm: add spaces after commas
* curve25519-arm: use ordinary prolog and epilogue
* curve25519-arm: do not waste 32 bytes of stack
* curve25519-arm: prefix immediates with #
This incorporates ASM nits from upstream review.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
9d843334 Update bash_completion
23cb3f38 Update manual pages
1d682dcd Bump up version number to 1.33.0, LT revision to 31:0:17
601fbbb4 Update doc
f44aa246 Update AUTHORS
dd74a6dd Update manual pages
e959e733 src: Refactor utos
fb9a204d nghttpx: Fix compile error without mruby
cd096802 Update doc
7417fd71 nghttpx: Per-pattern not per-backend
2d1a981c Merge branch 'akonskarm-master'
45acc922 clang-format
214d0899 Merge branch 'master' of https://github.com/akonskarm/nghttp2 into akonskarm-master
31fd707d nghttpx: Fix broken healthmon frontend
9a2e38e0 fix code for reuse addr on asio client
d24527e7 Bump up LT revision due to v1.32.1 release
6195d747 nghttpx: Share mruby context if it is compiled from same file
fb97f596 nghttpx: Allocate mruby file because fopen requires NULL terminated string
0ccc7a77 nghttpx: Move blocked request data to request buffer for API request
32826466 nghttpx: Fix crash with API request
0422f8a8 nghttpx: Fix worker process crash with neverbleed write error
e329479a Merge pull request #1215 from nghttp2/mruby-per-backend
f80a7873 Merge branch 'akonskarm-reuse_addr'
866ac6ab add option reuse addr in local endpoint configuration of asio client
b574ae6a nghttpx: Support per-backend mruby script
de4fd7cd doc: Update doc
32d7883c nghttpx: Downstream::request_buf_full: take into account blocked_request_buf_
9b24e197 nghttpx: Choose h1 protocol if headers have been sent to backend on retry
13ffece1 Merge pull request #1214 from nghttp2/fix-rst-without-dconn
9d5b781d Fix stream reset if data from client is arrived before dconn is attached
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
CAKE supports overriding of its internal classification of
packets through the tc filter mechanism.
Update the man page in our package, even though we don't
build them. Someone may find the documentation useful.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30598a05385b0ac2380dd4f30037a9f9d0318cf2)
Expand filter flow mapping to include hosts as well
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit d14ffdc307d36bd9abe908b46ff7baece54c9551)
OpenWrt used to ship hardcoded defaults for lcp-echo-failure and
lcp-echo-interval in the non-uci /etc/ppp/options file.
These values break uci support for *disabling* LCP echos through
the use of "option keepalive 0" as either omitting the keepalive
option or setting it to 0 will result in no lcp-echo-* flags
getting passed to the pppd cmdline, causing the pppd process to
revert to the defaults in /etc/ppp/options.
Address this issue by letting the uci "keepalive" option default
to the former hardcoded values "5, 1" and by removing the fixed
lcp-echo-failure and lcp-echo-interval settings from the
/etc/ppp/options files.
Ref: https://github.com/openwrt/luci/issues/2112
Ref: https://dev.archive.openwrt.org/ticket/2373.html
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=854
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=1259
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The control device /dev/cdc-wdm0 is not available immediately on the
D-Link DWR-921 Rev.C3, therefore the wwan interface fails to start at
boot with a "The specified control device does not exist" error.
This patch alters /lib/netifd/proto/qmi.sh to wait for
network.wwan.delay earlier, before checking for the control device,
instead of just before interacting with the modem.
One still has to use network.wwan.proto='qmi', as the "wwan" proto
performs that sort of check before any delay is possible, failing with a
"No valid device was found" error.
Signed-off-by: Thomas Equeter <tequeter@users.noreply.github.com>
Some combination of modem/wireless operator requires more time to
execute the commands.
Tested on DWR-512 embedded wwan modem and italian operator iliad (new
virtual operator).
Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
Set the window title not only in "xterm", but also in
e.g. "xterm-256color", "xterm-color", etc.
The case statement is taken from Debian / Ubuntu.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
This is necessary to get my position right.
Without this my longitude is incorrecty -15.85xxxx instead of -16.52yyyy
Signed-off-by: Bruno Randolf <br1@einfach.org>
Tested on 8devices Jalapeno(ipq40xx)
Introduces following changes:
Feature: Add support for WAKE_FILTER (WoL using filters)
Feature: Add support for action value -2 (wake-up filter)
Fix: document WoL filters option also in help message
Feature: ixgbe dump strings for security registers
Signed-off-by: Robert Marko <robimarko@gmail.com>
4c76aaee Update manual pages
2b51ad67 Bump up version number to 1.32.1, LT revision to 30:3:16
708379dc Tweak nghttp2_session_set_stream_user_data
73106b0d Compile with clang-6.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
e0d2ce0 ath10k: Support setting tx_antenna in descriptor field.
29c644f Update to latest 4.13 and 4.16 ath10k-ct drivers.
20db9db ath10k: Support vdev stats for 4.9, 4.16 kernel
fd92066 ath10k: Support 'ct-sta-mode' for 9984 firmware that supports it.
34954f0 ath10k: get_tsf, PMF
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Update to the latest version of iproute2; see https://lwn.net/Articles/762515/
for a full overview of the changes in 4.18.
Remove upstream patch 001-rdma-sync-some-IP-headers-with-glibc
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This fixes a build problem recently introduced.
Fixes: a904003b9b ("kernel: fix kmod-gpio-mcp23s08 for linux 4.14")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds support for BBR (Bottleneck Bandwidth and RTT) TCP
congestion control. Applications (e.g. webservers, VPN client/server)
which initiate connections from router side can benefit from this.
This provide an easier way for users to use BBR by selecting /
installing kmod-tcp-bbr instead of altering kernel config and
compiling firmware by themselves.
Signed-off-by: Keith Wong <keithwky@gmail.com>
Update libbsd to 0.8.7
Remove glibc dependency
Clean up InstallDev and install entries
Use /usr path for consistency
Cherry pick patches from upstream to fix musl compilation
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
- Specifications -
CuBox i1:
- SoC: i.MX6 Solo
- Cores: 1
- Memory Size: 512MB
- GPU: GC880
- Wifi/Bluetooth: Optional
- USB 2.0 ports: 2
- Ethernet: 10/100/1000 Mbps
CuBox i2 | i2eX:
- SoC: i.MX6 Dual Lite
- Cores: 2
- Memory Size: 1GB
- GPU: GC2000
- Wifi/Bluetooth: Optional
- USB 2.0 ports: 2
- Ethernet: 10/100/1000 Mbps
CuBox i4Pro | i4x4:
- SoC: i.MX6 Quad
- Cores: 4
- Memory Size: 2/4 GB
- GPU: GC2000
- Wifi/Bluetooth: Build In
- USB 2.0 ports: 2
- Ethernet: 10/100/1000 Mbps
Built-in u-boot requires SPL (secondary program loader) to be present on the SD-card regardless of the image type which will be loaded.
SPL is generated by the u-boot-mx6cuboxi package which is preselected by the target device and can be found in bin/u-boot-mx6cuboxi directory.
Flashing the SPL:
dd if=/dev/zero of=/dev/mmcblk0 bs=1M count=4
dd if=bin/targets/imx6/generic/u-boot-mx6cuboxi/SPL of=/dev/mmcblk0 bs=1K seek=1
Preparing the firmware on the SD-card:
(echo o; echo n; echo p; echo 1; echo ''; echo ''; echo w) | fdisk /dev/mmcblk0
mkfs.ext4 /dev/mmcblk0p1
mount /dev/mmcblk0p1 /mnt
tar -xzf bin/targets/imx6/generic/openwrt-imx6-device-cubox-i-rootfs.tar.gz -C /mnt/
mkdir -p /mnt/boot
cp bin/targets/imx6/generic/{*-uImage,*.dtb,*.scr} /mnt/boot/
Generated u-boot.img needs to be placed on the first partition:
cp bin/targets/imx6/generic/u-boot-mx6cuboxi/u-boot.img /mnt/
To boot from the SD card:
Boot script which sets mmc/dtb parameters and boots the board is automatically sourced.
If this does not work for any reason:
mmc dev 0; load mmc 0:1 $scriptaddr boot/boot.scr; source $scriptaddr
Currently imx6dl-cubox-i.dtb (Dual Lite) and imx6q-cubox-i.dtb (Quad) device trees are available.
Tested on i4Pro, MMC, USB (+ HiD), HDMI and ethernet ports are working.
Wireless and bluetooth are broken ATM. According to SolidRun forums, BCM4329/BCM4330 firmware is used which works fine on older kernels.
Signed-off-by: Vladimir Vid <vladimir.vid@sartura.hr>
Backport board support from the upcoming v2018.09 release,
and add an additional patch to read the MAC address
from flash memory
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Starting with version 2.1.8, a release tarball is available.
Simplifies the Makefile slightly.
Updated the project URL. HTTPS is broken. Issue has been reported upstream
Adjusted patches. CMake support is not present in the tarball. It's made
for Windows anyway.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
7daf962 mt7603: add survey support
980c606 mt7603: add fix for CCA signal configuration
30b8371 mt7603: fix BAR rate
Signed-off-by: Felix Fietkau <nbd@nbd.name>
CVE description :
The recv_msg_userauth_request function in svr-auth.c in Dropbear through
2018.76 is prone to a user enumeration vulnerability because username
validity affects how fields in SSH_MSG_USERAUTH messages are handled,
a similar issue to CVE-2018-15473 in an unrelated codebase.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The AX_AM_JOBSERVER macro shipped with m4/ax_am_jobserver.m4 is broken on
plain POSIX shells due to the use of `let`.
Shells lacking `let` will fail to run the generated m4sh code and end up
invoking "make" with "-jyes" as argument, fialing the build.
Since there is no reason in the first place for some random package to
muck with the make job server settings and since we do not want it to
randomly override "-j" either, simply remove references to this defunct
macro to let the build succeed on platforms which not happen to use bash
as default shell.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Patch 300-CVE-2015-8370.patch was added without proper rebasing on the
version used by OpenWrt, make it apply and refresh the patch to fix
compilation.
Fixes: 7e73e9128f ("grub2: Fix CVE-2015-8370")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to latest git HEAD in order to support configuring multiple
concurrent Lua prefixes in a single uhttpd instance:
b741dec lua: support multiple Lua prefixes
Additionally rework the init script and update the default configuration
example to treat the lua_prefix option as key=value uci list, similar to
the interpreter extension mapping. Support for the old "option lua_prefix"
plus "option lua_handler" notation is still present.
Finally drop the sed postinstall hack in uhttpd-mod-lua to avoid mangling
files belonging to other packages. Since Lua prefixes have precedence
over CGI prefixes, simply register `/cgi-bin/luci` as Lua handler which
will only become active if both luci-base and uhttpd-mod-lua is installed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This CVE is a culmination of multiple integer overflow issues that cause
multiple issues like Denial of Service and authentication bypass.
More info: https://nvd.nist.gov/vuln/detail/CVE-2015-8370
Taken from Fedora.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Allows discovery without having to use NetBIOS. Useful for mobile devices.
Could eventually throw nbmd away. But that requires Windows 10...
Tested on Fedora 28 with avahi-discover.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Since kernel 4.14 there is no auto assignment of conntrack helpers anymore
so fw3 needs raw table support in order to stage ct helper assignment rules.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
/etc/ethers is missing on /rom but always created when dnsmasq
runs. It is better to have it in place and avoid an extra change
in flash after firstboot.
It will generate an extra /etc/ethers-opkg when it has changed.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This adds processing of all CSA arguments from ubus switch_chan request
in the same manner as in the control interface API.
Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
Update util-linux to 2.32.1
For release notes see https://lwn.net/Articles/759922/
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Set the (sys)upgrade state when sourcing the stage2 script instead of
setting the state for each target individual.
This change fixes the, due to a missing state set, not working upgrade
led on ath79 and apm821xx.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This fixes the following security problems:
* CVE-2018-0732: Client DoS due to large DH parameter
* CVE-2018-0737: Cache timing vulnerability in RSA Key Generation
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
12a7cf9 Add support for DSCP matches and target
06fa692 defaults: use a generic check_kmod() function
1c4d5bc defaults: fix check_kmod() function
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The WD My Net Range Extender stores the MAC addresses inside the
nvram partition. This utility can extract it, but it's currently
not avilable on the ath79 target. Hence, this patch adds the
necessary target declaration, so it can be built.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* send: switch handshake stamp to an atomic
Rather than abusing the handshake lock, we're much better off just using
a boring atomic64 for this. It's simpler and performs better. Also, while
we're at it, we set the handshake stamp both before and after the
calculations, in case the calculations block for a really long time waiting
for the RNG to initialize.
* compat: better atomic acquire/release backport
This should fix compilation and correctness on several platforms.
* crypto: move simd context to specific type
This was a suggestion from Andy Lutomirski on LKML.
* chacha20poly1305: selftest: use arrays for test vectors
We no longer have lines so long that they're rejected by SMTP servers.
* qemu: add easy git harness
This makes it a bit easier to use our qemu harness for testing our mainline
integration tree.
* curve25519-x86_64: avoid use of r12
This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.
* chacha20: use memmove in case buffers overlap
A small correctness fix that we never actually hit in WireGuard but is
important especially for moving this into a general purpose library.
* curve25519-hacl64: simplify u64_eq_mask
* curve25519-hacl64: correct u64_gte_mask
Two bitmath fixes from Samuel, which come complete with a z3 script proving
their correctness.
* timers: include header in right file
This fixes compilation in some environments.
* netlink: don't start over iteration on multipart non-first allowedips
Matt Layher found a bug where a netlink dump of peers would never terminate in
some circumstances, causing wg(8) to keep trying forever. We now have a fix as
well as a unit test to mitigate this, and we'll be looking to create a fuzzer
out of Matt's nice library.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Add a function to get a mac stored as text from flash. The octets of
the mac address need to be separated by any separator supported by
macaddr_canonicalize().
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Add the opening bracket right after the function name, to do it the
same way for all functions in this file.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
Signed-off-by: John Crispin <john@phrozen.org>
Avoid having /sbin/wifi silently ignore unknown keywords and execute
"up"; instead display the help message and exit with an error.
Spell out the "up" keyword (which has users), add it to usage output,
and preserve the implicit assumption that runing /sbin/wifi without
argument performs "up".
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit adds support for the OCEDO Koala
SOC: Qualcomm QCA9558 (Scorpion)
RAM: 128MB
FLASH: 16MiB
WLAN1: QCA9558 2.4 GHz 802.11bgn 3x3
WLAN2: QCA9880 5 GHz 802.11nac 3x3
INPUT: RESET button
LED: Power, LAN, WiFi 2.4, WiFi 5, SYS
Serial: Header Next to Black metal shield
Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
The Serial setting is 115200-8-N-1.
Tested and working:
- Ethernet
- 2.4 GHz WiFi
- 5 GHz WiFi
- TFTP boot from ramdisk image
- Installation via ramdisk image
- OpenWRT sysupgrade
- Buttons
- LEDs
Installation seems to be possible only through booting an OpenWRT
ramdisk image.
Hold down the reset button while powering on the device. It will load a
ramdisk image named 'koala-uImage-initramfs-lzma.bin' from 192.168.100.8.
Note: depending on the present software, the device might also try to
pull a file called 'koala-uimage-factory'. Only the name differs, it
is still used as a ramdisk image.
Wait for the ramdisk image to boot. OpenWRT can be written to the flash
via sysupgrade or mtd.
Due to the flip-flop bootloader which we not (yet) support, you need to
set the partition the bootloader is selecting. It is possible from the
initramfs image with
> fw_setenv bootcmd run bootcmd_1
Afterwards you can reboot the device.
Signed-off-by: David Bauer <mail@david-bauer.net>
Apply IPv6/ND configuration before proto_send_update so that all config info
is available when netifd is handling the notify_proto ubus call.
In particular this fixes an issue when netifd is updating the downstream IPv6 mtu
as netifd was still using the not yet updated upstream IPv6 mtu to set the
downstream IPv6 mtu
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Commit 4d961538f6 added libutil to the iproute2 InstallDev section
but lead to compile issues with packages picking up the wrong libutil
since libutil is quite a generic name ...
Further libutil is rather meant for internal usage in iproute2 than a
public API; therefore let's remove it from the InstallDev section together
with ll_map.h
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
CPU: H5 High Performance Quad-core 64-bit Cortex-A53
GPU: Mali450 OpenGL ES 2.0/1.1/1.0, OpenVG 1.1, EGL
Memory: 1GB DDR3 (shared with GPU)
Onboard Storage: TF card (Max. 32GB) / NOR flash(2MB)
Onboard Network: 1000M/100M Ethernet RJ45
USB 2.0 Ports: Three USB 2.0 HOST, one USB 2.0 OTG, HOST mode
role by default in DTS
Buttons: Power Button(SW4) Debug TTL
UART: ..DC-IN..
>[GND][RX][TX] ..HDMI..
Signed-off-by: Antonio Silverio <menion@gmail.com>
The BZIP2_SMALL option was not being exposed via Config.in which
caused the build to fail as 'yes' is piped to the config during
build. As it's expecting a number, it gets stuck in a loop.
Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
Update to latest HEAD in order to fix a stack memory corruption issue:
1056e73 Change the sigb buffer to be the same size as the fread
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil
library; add libutil as well to the staging dir in order to keep support
for ll_map
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This adds uci entries for all ath79 devices for which this already was
the case on ar71xx. Additionally we add the OCEDO Koala as there was no
support in OpenWRT yet.
Signed-off-by: David Bauer <mail@david-bauer.net>
Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
ad816fc set rpath to make bundle-libraries.sh happy
63ad591 blob_buf needs to be zero'd
Now that libubox, libjson-c and libblobms_json are installed into
STAGING_DIR_HOST we can properly bundle ucert in the ImageBuilder.
Follow-up commits will make use of it to include a signature-chain in
sysupgrade images using fwtool.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The referenced Git commit was made on the 25th of July, not June.
Fixes 432eaa940f ("libubox: fix mirror hash")
Fixes 5dc32620c4 ("libubox: update to latest git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Correct the mirror hash to reflect whats on the download server.
A locally produced libubox SCM tarball was also verified to yield an identical
checksum compared to the one currently on the download server.
Fixes FS#1707.
Fixes 5dc32620c4 ("libubox: update to latest git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
23a3f28 openssl, wolfssl: match mbedTLS ciphersuite list
450ada0 ustream-ssl: Revised security on mbedtls
34b0b80 ustream-ssl: add openssl-1.1.0 compatibility
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
e29966f Allow disabling seccomp or changing the whitelist
5f57223 trace: Use properly sized type for PTRACE_GETEVENTMSG
747efb6 procd: fix ustream deadlock when there are 0 bytes or no newlines
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This reverts commit 42a3c6465a.
The change was apparently never build-tested with all kmods enabled. I took
a brief look but found no simple way to untangle this, so revert it.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jonas Gorski commented on the previous patch:
|This is actually the wrong fix and papers over an issue in one of our
|local patches.
|
|We intentionally allow regmap to be built as a module, see
|
|/target/linux/generic/hack-4.14/259-regmap_dynamic.patch
|[...]
|[The regulator code] optionally supports regmap thanks to the stubs
|provided if regmap is disabled - which breaks if you compile regmap
|as a module.
In order to mitigate this issue, this patch reverts the previous patch
and replaces the existing IS_ENABLED(CONFIG_REGMAP) with
IS_REACHABLE(CONFIG_REGMAP). This solves this particular issue as the
regulator code will now automatically fallback to the regmap stubs in
case the kmod-regmap module is enabled, but nothing else sets
CONFIG_REGMAP=y.
Note: There's still a potential issue that this patch doesn't solve:
If someone ever wants to make a OpenWrt kernel package for a
regulator module that requires the REGMAP feature for a target that
doesn't set CONFIG_REGMAP=y but has CONFIG_REGULATOR=y, the resulting
kmod-regulator-xyz package will not work on the target.
Luckily, there aren't any in-tree OpenWrt kernel module packages for
regulators at the moment. On the bright side: regmap is a critical
part nowadays and all new and upcoming architectures require it by
default. This will likely only ever be a problem for legacy targets
and devices that cannot afford to enable REGMAP.
Cc: Jonas Gorski <jonas.gorski@gmail.com>
Cc: John Crispin <john@phrozen.org>
Fixes: d00913d121 ("kernel: modules: fix kmod-regmap")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Sysupgrade shouldn't proceed, if the backup of the configuration
fails because tar (or gzip) exit with a non-zero code.
Signed-off-by: Andreas Ziegler <dev@andreas-ziegler.de>
Changelog taken from the version announcement
> == Changes ==
>
> * chacha20poly1305: selftest: split up test vector constants
>
> The test vectors are encoded as long strings -- really long strings -- and
> apparently RFC821 doesn't like lines longer than 998.
> https://cr.yp.to/smtp/message.html
>
> * queueing: keep reference to peer after setting atomic state bit
>
> This fixes a regression introduced when preparing the LKML submission.
>
> * allowedips: prevent double read in kref
> * allowedips: avoid window of disappeared peer
> * hashtables: document immediate zeroing semantics
> * peer: ensure resources are freed when creation fails
> * queueing: document double-adding and reference conditions
> * queueing: ensure strictly ordered loads and stores
> * cookie: returned keypair might disappear if rcu lock not held
> * noise: free peer references on failure
> * peer: ensure destruction doesn't race
>
> Various fixes, as well as lots of code comment documentation, for a
> small variety of the less obvious aspects of object lifecycles,
> focused on correctness.
>
> * allowedips: free root inside of RCU callback
> * allowedips: use different macro names so as to avoid confusion
>
> These incorporate two suggestions from LKML.
>
> This snapshot contains commits from: Jason A. Donenfeld and Jann Horn.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
This patch makes sch_cake's gso/gro splitting configurable
from userspace.
To disable breaking apart superpackets in sch_cake:
tc qdisc replace dev whatever root cake no-split-gso
to enable:
tc qdisc replace dev whatever root cake split-gso
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Dave Taht <dave.taht@gmail.com>
[pulled from netdev list - no API/ABI change]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Follow upstream kernel patch that restores always splitting gso packets
by default whilst making the option configurable from (tc) userspace.
No ABI/API change
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fixes the annoying 'feature' were TTL was set to "1" by default ..
Users had to specify -T manually to test outside the own network.
2.0.12 change set (as of June 25th 2018)
o Change the unicast TTL default value from 1 to the system default (to be compatable with previous versions.) Multicast still defaults to 1.
o adpative formatting bug fix: crash occurs when values exceed 1 Tera. Add support for Tera and Peta and eliminate the potential crash condition
o configure default compile to include isochronous support (use configure --disable-isochronous to remove support)
o replace 2.0.11's --vary-load option with a more general -b option to include <mean>,<stdev>, e.g. -b 100m,40m, which will pull from a log normal distribution every 0.1 seconds
o fixes for windows cross compile (using mingw32)
o compile flags of -fPIE for android
o configure --enable-checkprograms to compile ancillary binaries used to test things such as delay, isoch, pdf generation
o compile tests when trying to use 64b seq numbers on a 32b platform
o Fix GCC ver 8 warnings
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
GDB 8.1.1 brings the following fixes and enhancements over GDB 8.1:
* PR gdb/22824 (misleading description of new rbreak Python function in GDB 8.1 NEWS file)
* PR gdb/22849 (ctrl-c doesn't work in extended-remote)
* PR gdb/22907 ([Regression] gdbserver doesn't work with filename-only binaries)
* PR gdb/23028 (inconsistent disassemble of vcvtpd2dq)
* PR gdb/23053 (Fix -D_GLIBCXX_DEBUG gdb-add-index regression)
* PR gdb/23127 ([AArch64] GDB cannot be used for debugging software that uses high Virtual Addresses)
* PR server/23158 (gdbserver no longer functional on Windows)
* PR breakpoints/23210 ([8.1/8.2 Regression] Bogus Breakpoint address adjusted from 0xf7fe7dd3 to 0xfffffffff7fe7dd3)
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
a514139 build: compile with -ffunction-sections, -fdata-sections and LTO
3c30b17 wl: only invoke nvram executable if it exists
65b8333 Revert "build: compile with -ffunction-sections, -fdata-sections and LTO"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
75ee790 interface-ip: fix eui64 ifaceid generation (FS#1668)
ca97097 netifd: make sure the vlan ifname fits into the buffer
b8c1bca iprule: remove bogus assert calls
a2f952d iprule: fix broken in_dev/out_dev checks
263631a vlan: use alloca to get rid of IFNAMSIZE in vlan_dev_set_name()
291ccbb ubus: display correct prefix size for IPv6 prefix address
908a9f4 CMakeLists.txt: add -Wimplicit-fallthrough to the compiler flags
b06b011 proto-shell.c: add a explicit "fall through" comment to make the compiler happy
60293a7 replace fall throughs in switch/cases where possible with simple code changes
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This patch fixes the a compile issue that was triggered by
apm821xx/sata when kmod-regmap was selected.
The CONFIG_REGMAP is declared in drivers/base/regmap/Kconfig
as type "bool" and not "tristate". Hence the symbol should
never be set to module, as this confuses the #if CONFIG_REGMAP
guards in include/linux/regmap.h:
|.../drivers/regulator/core.c:4041: undefined reference to `dev_get_regmap'
|.../drivers/regulator/core.c:4042: undefined reference to `dev_get_regmap'
|.../drivers/regulator/core.c:4044: undefined reference to `dev_get_regmap'
|.../drivers/regulator/helpers.o: In function `regulator_is_enabled_regmap':
|.../drivers/regulator/helpers.c:36: undefined reference to `regmap_read'
|...
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
When libcap-ng is detected during build, support for it is enabled. This
will cause a build failure due to a missing dependency. Explicitly
disable libcap-ng support to avoid this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tri-band devices (1x 2.4GHz + 2x 5GHz) often incorporate special filters in
the RX and TX path. These filtered channel can in theory still be used by
the hardware but the signal strength is reduced so much that it makes no
sense.
There is already a DT property to limit the available channels but ath10k
has to manually call this functionality to limit the currrently set wiphy
channels further.
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
This adds support for the htu21 humidity and temperature sensor.
To get it to work you have to do something like this:
echo "htu21 0x40" >/sys/class/i2c-dev/i2c-1/device/new_device
for example by adding it to rc.local
Compile tested on brcm2708 and I have used an earlier version of this
patch for more than a year.
Signed-off-by: Torbjörn Jansson <torbjorn.jansson@mbox200.swipnet.se>
I no longer have the time, nor the desire to maintain this package.
Remove myself as maintainer.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
this feature has never worked, the fw image name was not passed and the -t
parameter was missing in the tool invocation. drop the feature.
Signed-off-by: John Crispin <john@phrozen.org>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
This reduces build time significantly.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Commit 2dcd955aea ("mac80211: backport and update patches for ath10k")
changed the DFS detector API, causing ath10k-ct to fail building due to
a missing add_pulse() argument.
Extend the already existing kernel compatibility patch to also adjust
the add_pulse() call accordingly.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The call "get_features" allows to gather hostapd config options
via ubus. As first infos we add the ht and vht support.
Although nl80211 supports to gather informations about
ht and vht capabilities, the hostapd configuration can disable
vht and ht. However, it is possible that the iw output is not
representing the actual hostapd configuration.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Upstream renamed openssl-1.0.cnf to openssl-easyrsa.cnf.
However, pkg kept using openssl-1.0.cnf.
Upstream easyrsa searchs for vars, openssl-*, x509-types in the
same directory as easyrsa script. This was patched to revert
back to static /etc/easy-rsa/ directory (as does OpenSUSE).
EASYRSA_PKI still depends on $PWD.
Move easyrsa from /usr/sbin to /usr/bin as root is not needed.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Some of the modules in the crypto-misc package have alternate
implementations optimized for different x86 instruction set extensions,
but only one of these was built for this package until now: twofish-i586.ko
Tested with insmod, on both x86 and x86_64. The modules now have an
autoload, which they previous didn't, loading the dependencies in the
correct order.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
It is insecure to let this type of packets inside
They can e.g. open ports on some other routers with UPnP, etc
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
With AVM Fritz!Box 4040 and OpenWrt 18.06 RC1 there are many kernel warnings
kern.warn kernel: [87771.917049] ath10k_ahb a000000.wifi: Invalid VHT mcs 15 peer stats
and there are disconnections when the connected clients are many, at the moment I tried with 16 clients on 2.4 GHz and 8 on 5 GHZ.
Firmware 10.4-3.5.3-00057 fixes these warnings and the problem of disconnections of some clients.
Signed-off-by: Massimo Tum <masnia@tiscali.it>
Update mbedtls to 2.12.0
Multiple security fixes
Add support for Chacha20 and Poly1305 cryptographic primitives and their
associated ciphersuites
Difference in size on mips_24kc (ipk):
164kbytes (167882 bytes)
170kbytes (173563 bytes)
https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
[0-3](none, minimal[default], more, maximum)
It is not 100% backward compatible, because now 0 disables logging
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Refresh patches
Upstream commits since last bump:
3b6eb19 Log DNSSEC trust anchors at startup.
f3e5787 Trivial comment change.
c851c69 Log failure to confirm an address in DHCPv6.
a3bd7e7 Fix missing fatal errors when parsing some command-line/config options.
ab5ceaf Document the --help option in the french manual
1f2f69d Fix recurrent minor spelling mistake in french manual
f361b39 Fix some mistakes in french translation of the manual
eb1fe15 When replacing cache entries, preserve CNAMES which target them.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The sierra_net driver is using proto_directip_setup for setup. So use
proto_directip_teardown for teardown.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch dropped due to upstream
002-Add-missing-compiler_state_t-parameter.patch dropped due to upstream
202-protocol_api.patch dropped due to implemented upstream by another way
upstream commit: 55c690f6f8
and renamed via: 697b1f7e9b
ead is the only user who use the protocol api, we have to use the new api since libpcap 1.9.0
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
Monitor mode isn't supported yet with brcmfmac, it's just an early work.
This also prepares brcmfmac to work stable with new firmwares which use
updated struct for passing STA info.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
The most important is probably regression fix in handling platform
NVRAM. That bug stopped hardware from being properly calibrated breaking
e.g. 5 GHz for Netgear R8000.
Other than that it triggers memory dumps when experiencing firmware
problems which is important for debugging purposes.
Fixes: 7e8eb7f309 ("mac80211: backport brcmfmac firmware & clm_blob loading rework")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Disabled libpsl to fix build issue reported by buildbots
Package libcurl is missing dependencies for the following libraries:
libpsl.so.5
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
This watchdog script tries to re-resolve hostnames for inactive WireGuard peers.
Use it for peers with a frequently changing dynamic IP.
persistent_keepalive must be set, recommended value is 25 seconds.
Run this script from cron every minute:
echo '* * * * * /usr/bin/wireguard_watchdog' >> /etc/crontabs/root
Signed-off-by: Aleksandr V. Piskunov <aleksandr.v.piskunov@gmail.com>
[bump the package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This commit refreshes and updates the VHT160 ath10k support fix patches
and adds a number of backports from ath-next:
* 8ed05ed06fca ath10k: handle tdls peer events
* 229329ff345f ath10k: wmi: modify svc bitmap parsing for wcn3990
* 14d65775687c ath10k: advertise TDLS wider bandwidth support for 5GHz
* bc64d05220f3 ath10k: debugfs support to get final TPC stats for 10.4 variants
* 8b2d93dd2261 ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
* 4b190675ad06 ath10k: fix kernel panic while reading tpc_stats
* be8cce96f14d ath10k: add support to configure channel dwell time
* f40105e67478 ath: add support to get the detected radar specifications
* 6f6eb1bcbeff ath10k: DFS Host Confirmation
* 260e629bbf44 ath10k: fix memory leak of tpc_stats
* 38441fb6fcbb ath10k: support use of channel 173
* 2e9bcd0d7324 ath10k: fix spectral scan for QCA9984 and QCA9888 chipsets
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
[move backported patches in the 3xx number space, bring in upstream order,
replace incomplete patch files with git format-patch ones, rewrite commit
message, fix subject]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
80b41cd version: bump snapshot
fe5f0f6 recieve: disable NAPI busy polling
e863f40 device: destroy workqueue before freeing queue
81a2e7e wg-quick: allow link local default gateway
95951af receive: use gro call instead of plain call
d9501f1 receive: account for zero or negative budget
e80799b tools: only error on wg show if all interfaces failk
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
[Added commit log to commit description]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
iproute2's tc was updated to support the recently upstreamed cake qdisc.
Backport this canonical support from upstream into iproute2 v4.17
There is no kernel kmod/userspace tc ABI change in this release from the
previous package bump, so everyone can breath a sigh of relief.
This is largely a code style change, the exception to prove the rule:
option 'autorate_ingress' has been changed to 'autorate-ingress' to fit
in with upstream option naming expectations.
No openwrt package (e.g. sqm-scripts) has knowledge of
'autorate_ingress' thus only users who made their own scripts or used
it within the 'dangerous configuration' options of sqm-scripts will be
affected.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Restarting service sysctl echos multiple errors like:
sysctl: -e: No such file or directory
After the first filename, all remaining arguments are treated
as files.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Add each variant to the matching PROVIDERS variables after evaluating
the respective hostapd*, wpad* and wpa* variant.
Each package providing the same feature will automatically conflict with
all prior packages providing the same feature.
This way we can handle the conflicts automatically without introducing
recursive dependencies.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Move common variables and/or values to the package (variant) default.
Add additional values in variant packages if necessary. Remove further
duplicates by introducing new templates.
Remove the ANY_[HOSTAPD|SUPPLICANT_PROVIDERS]_PROVIDERS. The are the
same as the variables without the any prefix. No need to maintain both
variables.
Signed-off-by: Mathias Kresin <dev@kresin.me>
procd needs processes to stay in foreground to remain under its gaze and
control. Failure to do so means service stop commands fail to actually
stop the process (procd doesn't think it's running 'cos the process has
exited already as part of its forking routing)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
As dnsmasq is started earlier than netifd usage of network.sh functions
at boottime will fail; therefore don't call at boottime the functions
which construct the dhcp pool/relay info.
As interface triggers are installed the dhcp pool/relay info will be
constructed when the interface gets reported as up by netifd.
At the same time also register interface triggers based on DHCP relay
config.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The pptp.so plugin needs to be built with -fPIC as well in order to be
linkable again.
Fixes 888a15ff83 ("ppp: add missing -fPIC to rp-pppoe.so CFLAGS")
Fixes e7397eef69 ("ppp: compile with LTO enabled")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Increase the termination timeout to 15s to let OpenVPN properly tear down
its connections, especially when weak links or complex down scripts are
involved.
Fixes FS#859.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When attempting to use any of the functions in network.sh while netifd is
not started yet, the ubus interface dump query will fail with "Not found",
yielding an empty response.
Subsequently, jsonfilter is invoked with an empty string instead of a valid
JSON document, causing it to emit a second "unexpected end of data" error.
This caused the dnsmasq init script to log the following errors during
early boot on some systems:
procd: /etc/rc.d/S19dnsmasq: Command failed: Not found.
procd: /etc/rc.d/S19dnsmasq: Failed to parse json data: unexpected end of data.
Fix the issue by allowing the ubus query to fail with "Not found" but still
logging other failures, and by passing an empty JSON object to jsonfilter
if the interface status cache is empty.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some HP Thin clients use the broadcom nextreme chip as integrated NIC.
It is connected via PCI express and will only be found automatically if
phy-broadcom is loaded before tg3. This small change makes the thin
client usable for Freifunk with gluon out of the box.
Signed-off-by: Steffen Förster <steffen@chemnitz.freifunk.net>
We can safely assume by now that rpm5.org is dead and isn't coming back
so just add another mirror instead.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
'In different versions of coreboot are different names of apu boardname.
No need to check boardname to load module.'
Signed-off-by: Lukas Mrtvy <lukas.mrtvy@gmail.com>
Bump to the latest cake recipe.
This backports tc class support to kernel 4.9 and other than conditional
kernel compilation pre-processor macros represents the cake that has
gone upstream into kernel 4.19. Loud cheer!
Fun may be had by changing cake tin classification for packets on
ingress. e.g.
tc filter add dev ifb4eth0 parent 800b: protocol ip u32 match \
ip dport 6981 0xffff action skbedit priority 800b:1
Where 800b: represents the filter handle for the ifb obtained by 'tc
qdisc' and the 1 from 800b:1 represents the cake tin number. So the
above example puts all incoming packets destined for port 6981 into the
BULK (lowest priority) tin.
f39ab9a Obey tin_order for tc filter classifiers
1e2473f Clean up after latest backport.
82531d0 Reorder includes to fix out of tree compilation
52cbc00 Code style cleanup
6cdb496 Fix argument order for NL_SET_ERR_MSG_ATTR()
cab17b6 Remove duplicate call to qdisc_watchdog_init()
71c7991 Merge branch 'backport-classful'
32aa7fb Fix compilation on Linux 4.9
9f8fe7a Fix compilation on Linux 4.14
ceab7a3 Rework filter classification
aad5436 Fixed version of class stats
be1c549 Add cake-specific class stats
483399d Use tin_order for class dumps
80dc129 Add class dumping
0c8e6c1 Fix dropping when using filters
c220493 Add the minimum class ops
5ed54d2 Start implementing tc filter/class support
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Override the default shutdown action (stop) and close all processes
of dropbear
Since commit 498fe85, the stop action only closes the process
that's listening for new connections, maintaining the ones with
existing clients.
This poses a problem when restarting or shutting-down a device,
because the connections with existing SSH clients, like OpenSSH,
are not properly closed, causing them to hang.
This situation can be avoided by closing all dropbear processes when
shutting-down the system, which closes properly the connections with
current clients.
Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com>
[Luis: Rework commit message]
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
First of all lengths should be compared after checking all blocks for
being good/bad. It's because requested length may differ from a final
one if there were some bad blocks.
Secondly it makes sense to also compare crc32 since we already have a
new one calculated.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Fix broken DHCPv6 servers which provide the server unicast option but
do not reply on DHCPv6 renew messages directed to the IPv6 address
contained in the server unicast option whihc results in broken IPv6
connectivity.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Reading MTD data with (p)read doesn't return any error when accessing
bad block. As the result, with current code, CRC32 covers "data" stored
in bad blocks.
That behavior doesn't match CFE's one (bootloader simply skips bad
blocks) and may result in:
1) Invalid CRC32
2) CFE refusing to boot firmware with a following error:
Boot program checksum is invalid
Fix that problem by checking every block before reading its content.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
08719b1 mt76: use a per rx queue page fragment cache
4d2c565 mt76x2: reset HW before probe
f622975 mt76x2: fix CCK protection control frame rate
6780375 mt76x2: add frame protection support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Allow enabling/commenting/disabling each feed individually by using a
tristate config symbol.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
FEEDS_ENABLED and FEEDS_DISABLED are derived from FEEDS_AVAILABLE, not
FEEDS_INSTALLED.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
'In different versions of coreboot are different names of apu boardname.
No need to check boardname to load module.'
Signed-off-by: Lukáš Mrtvý <lukas.mrtvy@gmail.com>
Enables support for Dynack feature.
When a remote station is far away, we need to compensate for the distance
by allowing more time for an ACK to arrive back before issueing a retransmission.
Currently, it needs to be set fixed to indicate the maximum distance the remote
station will ever be.
While this mostly works for static antennae, it introduces 2 issues:
- If the actual distance is less, speed is reduced due to a lot of wates wait-time
- If the distance becomes greater, retries start to occur and comms can get lost.
Allowing to set it dynamically using dynack ensures the best possible tradeoff
between speed vs distance.
This feature is currently only supported in ath9k.
it is also disabled by default.
Enabling it can be done in 2 ways:
- issue cmd: iw phy0 set distance auto
- sending the NL80211_ATTR_WIPHY_DYN_ACK flag to mac80211 driver using netlink
Disabling it can be done by providing a valid fixed value.
To give an idea of a practical example:
In my usecase, we have mesh wifi device installed on ships/platforms.
Currently, the coverage class is set at 12000m fixed.
When a vessel moved closer (ex. 1500m), the measured link capacity was a lot
lower compared to setting the coverage class fixed to 1500m
Dynack completely solved this, nearly providing double the bandwidth at closer range
compared to the fixed setting of 12000m being used.
Also when a vessel sailed to a distance greater than the fixed setting,
communication was lost as the ACK's never arrived within the max allowed timeframe.
Actual distance: 6010m
iperf 60s run avg
Fixed 12150m: 31 Mbit/s
Dynack: 58 Mbit/s
Fixed 6300m: 51 Mbit/s
Dynack: 59 Mbit/s
Fixed 3000m: 13 Mbit/s (lots of retries)
Dynack: 58 Mbit/s
Actual distance: 1504m
iperf 60s run avg
Fixed 12150m: 31 Mbit/s
Dynack: 86 Mbit/s
Fixed 6300m: 55 Mbit/s
Dynack: 87 Mbit/s
Fixed 3000m: 67 Mbit/s
Dynack: 87 Mbit/s
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
* device: print daddr not saddr in missing peer error
* receive: style
Debug messages now make sense again.
* wg-quick: android: support excluding applications
Android now supports excluding certain apps (uids) from the tunnel.
* selftest: ratelimiter: improve chance of success via retry
* qemu: bump default kernel version
* qemu: decide debug kernel based on KERNEL_VERSION
Some improvements to our testing infrastructure.
* receive: use NAPI on the receive path
This is a big change that should both improve preemption latency (by not
disabling it unconditionally) and vastly improve rx performance on most
systems by using NAPI. The main purpose of this snapshot is to test out this
technique.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Update to the latest version of iproute2; see https://lwn.net/Articles/756991/
for a full overview of the changes in 4.17.
Remove upstream patch 002-json_print-fix-hidden-64-bit-type-promotion.
Backport upstream patch 001-rdma-sync-some-IP-headers-with-glibc fixing
rdma compile issue.
At the same time re-organize patch numbering so the OpenWRT specific
patches start at 100.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
345bba0 dhcpv4: improve error checking in handle_dhcpv4()
c0f6390 odhcpd: Check if open the ioctl socket failed
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* change mx6qsabresd to mx6qsabres to match defconfig name
* merge wanboard profiles since there is only one defconfig for the target device
* move wanboard options from wandboard.h to defconfig
* remove legacy patches
Signed-off-by: Vladimir Vid <vladimir.vid@sartura.hr>
Most of the implementations behind cfg80211_get_station will not initialize
sinfo to zero before manipulating it. For example, the member "filled",
which indicates the filled in parts of this struct, is often only modified
by enabling certain bits in the bitfield while keeping the remaining bits
in their original state. A caller without a preinitialized sinfo.filled can
then no longer decide which parts of sinfo were filled in by
cfg80211_get_station (or actually the underlying implementations).
cfg80211_get_station must therefore take care that sinfo is initialized to
zero. Otherwise, the caller may tries to read information which was not
filled in and which must therefore also be considered uninitialized. In
batadv_v_elp_get_throughput's case, an invalid "random" expected throughput
may be stored for this neighbor and thus the B.A.T.M.A.N V algorithm may
switch to non-optimal neighbors for certain destinations.
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
Board Data File (BDF) is loaded upon driver boot-up procedure. The right
board data file is identified on QCA4019 using bus, bmi-chip-id and
bmi-board-id.
The problem, however, can occur when the (default) board data file cannot
fulfill the vendor requirements and it is necessary to use a different
board data file.
This problem was solved for SMBIOS by adding a special SMBIOS type 0xF8.
Something similar has to be provided for systems without SMBIOS but with
device trees. No solution was specified by QCA and therefore a new one has
to be found for ath10k.
The device tree requires addition strings to define the variant name
wifi@a000000 {
status = "okay";
qcom,ath10k-calibration-variant = "RT-AC58U";
};
wifi@a800000 {
status = "okay";
qcom,ath10k-calibration-variant = "RT-AC58U";
};
This would create the boarddata identifiers for the board-2.bin search
* bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=RT-AC58U
* bus=ahb,bmi-chip-id=0,bmi-board-id=17,variant=RT-AC58U
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
With deterministic ECDSA the value k needed for the ECDSA signature is
not randomly generated any more, but generated from a hash over the
private key and the message to sign. If the value k used in a ECDSA
signature or the relationship between the two values k used in two
different ECDSA signatures over the same content is know to an attacker
he can derive the private key pretty easily. Using deterministic ECDSA
as defined in the RFC6979 removes this problem by deriving the value k
deterministically from the private key and the content which gets
signed.
The resulting signature is still compatible to signatures generated not
deterministic.
This increases the size of the ipk on mips 24Kc by about 2 KByte.
old:
166.240 libmbedtls_2.11.0-1_mips_24kc.ipk
new:
167.811 libmbedtls_2.11.0-1_mips_24kc.ipk
This does not change the ECDSA performance in a measurable way.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>