In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2,
the tab autocomplete feature of the shell, used to get a list of filenames
in a directory, does not sanitize filenames and results in executing any
escape sequence in the terminal. This could potentially result in code
execution, arbitrary file writes, or other attacks.
Fixes: FS#1181 - CVE-2017-16544:
Backport the patch from:
https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8https://nvd.nist.gov/vuln/detail/CVE-2017-16544
Signed-off-by: Derek Werthmuller <thewerthfam@gmail.com>
Signed-off-by: John Crispin <john@phrozen.org>
In current state, if there is START but no STOP, enbale()
will return 1 (failure), which is wrong.
Moreover there is no need to check for START/STOP twice.
Instead, add err variable to save success state and
and return it's value.
Also eliminate the need to disable() by using 'ln -sf',
which will first delete the old symlink if one exists.
Changes from v1:
- fixed description
Signed-off-by: Roman Yeryomin <roman@advem.lv>
5beb95d lua: additionally return name when looking up sections
ff33bb2 lua: support extended section notation
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fix overhead accounting error introduced by f33c4d6 refactor
cake_advance_shaper and ack_filter
Symptoms were links running under rate.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Enabling IPTABLES_NFTABLES resulted in an error during build:#
*** No rule to make target '../extensions/libext.a',
needed by 'xtables-compat-multi'."
Comments from Alexander Lochmann and Fedor Konstantinov in FS#711
provided fixes for this build error, allowing iptables to compile.
https://bugs.lede-project.org/index.php?do=details&task_id=711.
This commit updates the Makefile.am xtables_compat_multi_LDFLAGS
and _LDADD, moving linking of extensions to LDFLAGS.
Signed-off-by: rektide de la faye <rektide@voodoowarez.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Fixes: 8170f280c4 ("base-files: set FAILSAFE in /etc/profile when
/tmp/.failsafe exists")
Since dropbear clears the environment, FAILSAFE was not set as intended in
failsafe mode. This also broke sysupgrade from failsafe mode over SSH.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Unconditionally pass TARGET_CPPFLAGS (not passed at all before) and
TARGET_LDFLAGS (passed only in certain non-default configuration before the
Makefile streamlining). Without these flags, hardening options
(PKG_FORTIFY_SOURCE and PKG_RELRO) were not actually applied to busybox.
The addition of these flags increases the size of the stripped busybox
binary by about 6KB (~4KB with fortify headers, ~2KB with "-znow -zrelro")
with the default hardening options PKG_FORTIFY_SOURCE_1 and PKG_RELRO_FULL.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Use default Build/Install steps where possible. No binary change in default
configuration, so PKG_RELEASE is not incremented.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Send a SIGHUP signal via procd to the dnsmasq service so the instance(s)
re-read(s) the /tmp/hosts/dhcp config.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
If the hostname in /etc/config/system is modified the dnsmasq should also
get triggered to rewrite/reload the config.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
PKG_BUILD_DIR was defined with quoting PKG_VERSION in
layerscape package makefiles. Now PKG_VERSION has been
removed from these makefiles. When PKG_BUILD_DIR quotes
PKG_VERSION, '=' should be used instead ':=' to make
sure PKG_VERSION has been defined in common makefile.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Intel motherboards (as well as the Cavium ThunderX SoC) use a
superset of the I2C protocol called SMBus.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
439b9b6c (tag: v1.29.0) Update manual pages
48498452 Bump up version number to v1.29.0, LT revision to 29:1:15
d30f3816 Update manual pages
4d1139f6 Remove SPDY
48f57407 nghttpx: Update doc
c1f14d73 Update manual pages
216f4dad nghttpx: Remove redundant check
a4e27d76 Revert "nghttpx: Use an existing h2 backend connection as much as possible"
2365f12e Fix CMAKE_MODULE_PATH
03f7ec0f nghttpx: Write API request body in temporary file
2056e812 nghttpx: Increase api-max-request-body
1ebb6810 nghttpx: Faster configuration loading with lots of backends
a3ebeeaf nghttpx: Fix crash with --backend-http-proxy-uri option
422ad1be Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY
97f1735c Bump up version number to 1.29.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
f40f84c support PantechMode
d8dc335 support Quanta and Blackberry modes
333e486 fix support for Option modems
Signed-off-by: John Crispin <john@phrozen.org>
7aa2594 odhcpd: Replace strerror(errno) with %m format
750e457 Support muliple RAs on single interface
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The git hash was changed for multiple layerscape packages without
changing the version number. The LEDE build system will not download the
packages again if the old version is already there and so some people
and the build bots are using wrong version of some packages. Use
PKG_SOURCE_DATE instead of PKG_VERSION to generate packages with the
date and the first charterers of the git hash. This will change the file
name and make the build system download them again, also if in future
the git hash is changed the file name will change and trigger a new
download.
This should fix a problem spotted by build bot.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The LinkIt Smart 7688/LinkIt Smart 7688 Duo are identical beside the
extra ATmega32U4 - accessible via UART - on the the Duo.
Since all relevant hardware is identical, drop the Duo special handling
in userspace.
Signed-off-by: Mathias Kresin <dev@kresin.me>
In commit 2b1ec44dbd ("layerscape: add ls1012afrdm device support")
The git revision and the mirror hash for this package was updated to a
version which includes ls1012afrdm-uboot.bin, but the file name at
dl/uboot-layerscape-armv8_32b-2017.09.tar.xz staid the same. This way
most user did not download the new version but used the old file.
Convert this package to the normal git clone parameters by using
PKG_SOURCE_DATE instated of PKG_VERSION, now the file name in dl also
contains the git hash and should change every time the git hash is
updated.
This should fix a problem spotted by build bot.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
LEDE Flyspray Task 1091:
Fix libiconv-full 'undefined reference' compile linker error using GCC7 Musl
Tested with targets x86 (i386 and x86_64)
Addition of CFLAGS "std=gnu89" fixes the linker issues, credit to harrylwc
Issue found with 'minidlna' package, which depends on 'libiconv-full'
Error in compile log:
../lib/.libs/libiconv.so: undefined reference to `aliases_lookup'
../lib/.libs/libiconv.so: undefined reference to `aliases2_lookup'
collect2: error: ld returned 1 exit status
Makefile:64: recipe for target 'iconv_no_i18n' failed
Signed-off-by: Jake Staehle <jacob@staehle.us>
Use <manufacturer>_<modelname> as image name.
Use the BOARD_NAME variable to ensure that the former used boardname is
still used as the subdirectory name for the sysupgrade-tar image, to
not break sysupgrade from earlier versions.
While at it, normalise the image filenames by using only lower case
characters and bin as file extension for sysupgrade images.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use the first compatible string as board name in userspace. Add the new
board name as well as the former used board name to the image metadata
to keep compatibilty with already deployed installations.
Don't add the former used boardname for boards which exists only in
master or evaluation boards.
Signed-off-by: Mathias Kresin <dev@kresin.me>
kmod-lib-lzo and kmod-lib-lz4 depend in kernel 4.14 on
kmod-crypto-acompress, add this missing dependency.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
CONFIG_FRAMEBUFFER_CONSOLE does not activate new modules any more in
kernel 4.14, but CONFIG_FRAMEBUFFER_CONSOLE is now a boolean option
which change the kmod-fb package. kmod-fbcon should be split up.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This deactivates the following options which were introduced between
kernel 4.9 and 4.14 in some kernel packages:
CONFIG_INET_ESP_OFFLOAD
CONFIG_INET6_ESP_OFFLOAD
CONFIG_LWTUNNEL_BPF
CONFIG_NET_9P_XEN
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In kernel 4.14 kmod-bluetooth depends on kmod-crypto-ecdh, add
kmod-crypto-ecdh to LEDE.
Both packages also depend on the kmod-crypto-kpp package. To build this
we have to fix the dependency of CRYPTO_ECDH which has a typo.
This patch is already accepted upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In kernel 4.14 kmod-crypto-hw-ccp depends on kmod-crypto-rsa, add it.
kmod-crypto-rsa also packages the ASN1 parser and some other code which
is currently only used by this module.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In kernel 4.14 kmod-dm depends on kmod-dax.
Add DAX: "Direct access to differentiated memory" to LEDE.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
In kernel 4.14 hwmon support can be deactivated for the tg3 driver,
deactivate it by default to save some space.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The default e1000e parameters (interrupt throttling rate, MSI/MSI-X
mode) are optimized for desktop and server computers to optimize
user-space execution (i.e. what's typically referred to as "useful"
work). This assumption breaks on a router under load where most of
the "useful" work actually takes place either in hardware interrupt
handlers (IRQ) or at software IRQ (swirq) modes, so we try to reflect
that by overriding these parameters with more appropriate values.
Patch-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
There has been recent significant activity with the cake qdisc of late
Some of that effort is related to upstreaming to kernel & iproute2
mainline but we're not quite there yet. This commit teaches tc how to
activate and interprete the latest cake operating modes, namely:
ingress mode: Instead of only counting packets that make it past the
shaper, include packets we've decided to drop as well, since they did
arrive with us on the link and took link capacity.
This mode is more suitable for shaping the ingress of a link
(e.g. from ISP) rather than the more normal egress.
ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS. Useful in
highly assymetric links (downstream v upstream capacity) where the
majority of upstream link capacity is occupied with ACKS for downstream
traffic.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
There has been recent significant activity with the cake qdisc of late
but in the cobalt branch. Some of that effort is related to upstreaming
to kernel & iproute2 mainline but we're not quite there yet. Relevant
feature changes:
ingress mode: Instead of only counting packets that make it past the
shaper, include packets we've decided to drop as well, since they did
arrive with us on the link and took link capacity.
This mode is more suitable for shaping the ingress of a link
(e.g. from ISP) rather than the more normal egress.
ptm mode: Minor optimisation in packet overhead calculation.
dual-src/dsthost/triple-isolate: Optimise only calculating src or dst
host hashes only if required.
ack-filter/ack-filter-aggressive: Filter excessive TCP ACKS. Useful in
highly assymetric links (downstream v upstream capacity) where the
majority of upstream link capacity is occupied with ACKS for downstream
traffic.
A separate iproute2 patch to teach it about Cake's new features will
follow.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Remove PACKAGE_uhttpd_debug config as this is an unused leftover
Add CONFIG_uhttpd_lua to PKG_CONFIG_DEPENDS
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Including version.mk sets PKG_CONFIG_DEPENDS to config entries used for
VERSION_SED command. We should keep these configs to make sure package
gets refreshed when needed.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Since /overlay/upper appeared, -b ignored -c silently (cause it was
still checking for /overlay/etc). Now, if /overlay/upper is absent,
sysupgrade -c will fail and exit verbosely.
Fix -l to consider -c (it never did).
Clean up to always use /overlay/upper/xxx instead of still checking
for /overlay/xxx.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Lantiq and IPQ806X (which includes IPQ40XX) both define the
same custom function {ipq806x|lantiq}_get_dt_led.
This patch moves the function into the base-file package at
lib/functions/leds.sh to make it more accessible for other
targets as well.
Cc: Mathias Kresin <dev@kresin.me>
Cc: John Crispin <john@phrozen.org>
Cc: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
To not clutter the system when building an opkg free image, generate the
distfeeds.conf only if CLEAN_IPKG is unset.
Since opkg is now a shared package, we can't rely on PACKAGE_opkg, but
since opkg is not reasonably usable without the status information, we
can tie the distfeeds.conf to it.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Ensure /etc/opkg exists before trying to write there. This fixes a build
failure if SIGNED_PACKAGES is disabled.
Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
All the relevant options used for distfeeds.conf are part of base-files,
so it makes more sense to move the file there as well.
This has the added benefit that the we can share the opkg package again,
reducing the amount of target specific packages.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Bump to latest WireGuard snapshot release:
44f8e4d version: bump snapshot
bbe2f94 chacha20poly1305: wire up avx512vl for skylake-x
679e53a chacha20: avx512vl implementation
10b1232 poly1305: fix avx512f alignment bug
5fce163 chacha20poly1305: cleaner generic code
63a0031 blake2s-x86_64: fix spacing
d2e13a8 global: add SPDX tags to all files
d94f3dc chacha20-arm: fix with clang -fno-integrated-as.
3004f6b poly1305: update x86-64 kernel to AVX512F only
d452d86 tools: no need to put this on the stack
0ff098f tools: remove undocumented unused syntax
b1aa43c contrib: keygen-html for generating keys in the browser
e35e45a kernel-tree: jury rig is the more common spelling
210845c netlink: rename symbol to avoid clashes
fcf568e device: clear last handshake timer on ifdown
d698467 compat: fix 3.10 backport
5342867 device: do not clear keys during sleep on Android
88624d4 curve25519: explictly depend on AS_AVX
c45ed55 compat: support RAP in assembly
7f29cf9 curve25519: modularize dispatch
Refresh patches.
Compile-test-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
As MD5 is known weak for many years and more and more
penetration test tools complain about enabled MD5 HMAC
I think it's time to drop it.
By disabling the MD5 HMAC support dropbear will also
automatically use SHA1 for fingerprints.
This shouldn't be a problem too.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Add config option which allows to enable/disable DHCP support at compile
time. Make DHCPv6 support dependant on DHCP support as DHCPv6 support
implies having DHCP support.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
- use %d instead of %n for opkg feed identifiers
- remove %n / %N references from version files
Fixes bf5cef47b3 merge: release/banner: drop release name and update banner.
Fixes FS#1213.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
udhcpc doesn't send a hostname by default. Use the system hostname if
nothing else is specified, to always send a hostname.
It syncs the behaviour to odhcpc, which always sends a hostname.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Kernel and rootfs in a subdirectory matching the userspace boardname,
was intended to use a single sysupgrade-tar archive for multiple boards
with different kernel/rootfs images. This feature was never used.
Use the first found directory in the tar archive instead of relying on
a directory named according to the userspace boardname.
It allows to change the boardname without adding another compatibility
layer - using the nand_board_name() function - for (sub)targets using
the metadata based image validation in favour to
nand_do_platform_check().
Signed-off-by: Mathias Kresin <dev@kresin.me>
This patch fixes two issues with the current get_partitions()
function.
First: "Invalid partition table on $disk" will pop up on
legitimate images on big endian system.
This is because the little-endian representation of "55 AA" is
assumed in the context of little-endian architectures. On these
comparing it to the 16-bit word 0xAA55 does work as intented.
Whereas on big-endian systems, this would have to be 0x55AA.
This patch fixes the issue by replacing the integer conversion
and value match check with just a string comparision.
Second: The extraction of the type, start LBA and LBA num from
the partition table has the same endianness issue. This has been
fixed by using the new hex_le32_to_cpu() function. This function
will translate the stored little-endian data to the correct
byte-order if necessary.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This patch updates ath10k-firmware to use the
firmware-5.bin_10.4-3.2.1-00058 firmware for the QCA4019.
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
d02a05b mt7603: update firmware to version 20160107100755
4d4cd05 Partially revert "mt7603: use mcu command to set timing registers, fix OFDM timeout values"
170f334 mt76x2: remove MAC address limitation for multi-vif setups
3563b8f mt76x2: clean up MAC/BSSID address initialization
9de77e1 mt76x2: drop wiphy->addresses
a6a6e25 mt76x2: init: disable APCLI by default
c64633e mt76x2: configure rx filter based on monitor mode setting
ac815fa mt76x2: init: fix rx filter default value during init
e504656 mt7603: configure other-unicast drop based on monitor mode setting
Signed-off-by: Felix Fietkau <nbd@nbd.name>
add no-ssl3-method again as 1.0.2n compiles without the ssl3-method(s)
Fixes CVEs: CVE-2017-3737, CVE-2017-3738
Signed-off-by: Peter Wagner <tripolar@gmx.at>
Different invocations of the dnsmasq init script (e.g. at startup by procd)
will rewrite the dhcp host file which might result into dnsmasq reading an
empty dhcp host file as it is being rewritten by the dnsmasq init script.
Let the dnsmasq init script first write to a temp dhcp host file so it does
not overwrite the contents of the existing dhcp host file.
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
wpa_disable_eapol_key_retries can't prevent attacks against the Wireless
Network Management (WNM) Sleep Mode handshake. Currently, hostapd
processes WNM Sleep Mode requests from clients regardless of the setting
wnm_sleep_mode. Backport Jouni Malinen's upstream patch 114f2830 in
order to ignore such requests by clients when wnm_sleep_mode is disabled
(which is the default).
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
[rewrite commit subject (<= 50 characters), bump PKG_RELEASE]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
wpa_disable_eapol_key_retries can't prevent attacks against the
Tunneled Direct-Link Setup (TDLS) handshake. Jouni Malinen suggested
that the existing hostapd option tdls_prohibit can be used to further
complicate this possibility at the AP side. tdls_prohibit=1 makes
hostapd advertise that use of TDLS is not allowed in the BSS.
Note: If an attacker manages to lure both TDLS peers into a fake
AP, hiding the tdls_prohibit advertisement from them, it might be
possible to bypass this protection.
Make this option configurable via UCI, but disabled by default.
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Tiny variant supports a subset of the ip commands; align the ip help
text so it actually reflects which commands are supported in the
tiny variant.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Preserves optionality of libmnl by letting configuration
script follow the HAVE_MNL environment variable.
Signed-off-by: Russell Senior <russell@personaltelco.net>
If all configured dns servers return refused in response to a query in
strict mode; dnsmasq will end up in an infinite loop retransmitting the
dns query resulting into high CPU load.
Problem is fixed by checking for the end of a dns server list iteration
in strict mode.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
11f42a8 mt76x2: add channel argument to eeprom tx power functions
3bd7e76 mt76x2: initialize channel power limits
19fff41 mt76x2: convert between per-chain tx power and combined output
737cf2b mt7603: rename mt7603_mac_reset to mt7603_pse_reset
8026638 mt7603: rename MT_PSE_RESET register
c4dd32a mt7603: remove watchdog reset on interface stop
d99092b mt7603: remove WARN_ON_ONCE for workaround checks
c8807b4 mt7603: simplify PSE reset
d8a5990 mt7603: warn if PSE reset fails
c079960 mt7603: clean up dma debug reads
96817d6 mt7603: make mt7603_mac_watchdog_reset() static
e953c78 mt7603: clear wtbl PS bit for powersave responses
57a2e33 mt7603: set tx-skip flag for powersave clients
c8e5ab1 mt7603: initialize wtbl ps flag on station add
b4034cf mt76x2: remove some harmless WARN_ONs in tx status and rx path
8e17d36 mt7603: remove some harmless WARN_ONs in rx path
Signed-off-by: Felix Fietkau <nbd@nbd.name>
layerscape firmware package names collide with existing package contributions.
Ex: layerscape mc and midnight-commander(mc) are in conflict.
Firmware packages: mc, ppa, rcw and dpl are renamed to ls-mc, ls-ppa, ls-rcw
and ls-dpl respectively.
Signed-off-by: Ted Hess <thess@kitschensync.net>
CVE-2017-8816: NTLM buffer overflow via integer overflow
CVE-2017-8817: FTP wildcard out of bounds read
CVE-2017-8818: SSL out of buffer access
For other bugfixes and changes in 7.57.0 see https://curl.haxx.se/changes.html
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Latencies can be much higher on wifi devices, especially with
aggregation. Tune the network stack setting introduced in the previous
commit to account for that.
This commit reintroduces the previously reverted one with a fix for the
crash issues
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Due to improper localization of helper variables, "config host" entries
without a given mac address may inherit the mac address of a preceeding,
leading to invalid generated netive configuration.
Fix the issue by marking the "macs" and "tags" helper variables in
dhcp_host_add() local, avoiding the need for explicitely resetting them
with each invocation.
Reported-by: Russell Senior <russell@personaltelco.net>
Tested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This reverts commit 2dc485250d.
This patch needs some additional checks in order to avoid overwriting
unrelated fields for request sockets.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
== Changes ==
* compat: support timespec64 on old kernels
* compat: support AVX512BW+VL by lying
* compat: fix typo and ranges
* compat: support 4.15's netlink and barrier changes
* poly1305-avx512: requires AVX512F+VL+BW
Numerous compat fixes which should keep us supporting 3.10-4.15-rc1.
* blake2s: AVX512F+VL implementation
* blake2s: tweak avx512 code
* blake2s: hmac space optimization
Another terrific submission from Samuel Neves: we now have an implementation
of Blake2s using AVX512, which is extremely fast.
* allowedips: optimize
* allowedips: simplify
* chacha20: directly assign constant and initial state
Small performance tweaks.
* tools: fix removing preshared keys
* qemu: use netfilter.org https site
* qemu: take shared lock for untarring
Small bug fixes.
Remove myself from the maintainers list: we have enough and I'm happy to
carry on doing package bumps on ad-hoc basis without the 'official'
title.
Run-tested: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
939ad5dd Update manual pages
24d92b97 Add deprecation warning when spdylay support is enabled
4c92ff18 Bump up version number to 1.28.0, LT revision to 29:0:15
280db5c6 Update neverbleed
7fbcb2d0 Merge pull request #1074 from nghttp2/fix-doc
53aeb2c3 Fix doc
ff200bfc clang-format-5.0
fee3151f Switch to clang-format-5.0
99a85159 Update manual pages
2a981a3f Merge pull request #1066 from nghttp2/nghttpx-add-affinity-cookie-secure
0028275d nghttpx: Add affinity-cookie-secure parameter to backend option
ee8bfddf Merge pull request #1063 from nghttp2/error_callback2
194acb1f src: Use nghttp2_error_callback2
43a2a70a Add nghttp2_error_callback2
73344ae9 nghttpx: Use plain hex string format for client serial
c479f612 Merge pull request #1060 from nghttp2/nghttpx-add-client-serial
eca0a302 nghttpx: Add $tls_client_serial log variable
4720c5cb nghttpx: Make client serial available in mruby script
cd55ab28 nghttpx: Add function to get serial number from certificate
d402cfdf Merge pull request #1057 from nghttp2/nghttpx-add-tls-client-issuer-name
22502182 Add tls_client_issuer_name log variable and expose it to mruby
05e1fd5e Update manual pages
943d7923 Add Session Affinity section to nghttpx howto
568ecbfb doc: Add missing port
f5ddd7f4 nghttpx: Make initial_addr_idx_ unsigned
88abbce7 nghttpx: Fix compile error with gcc
16e90365 nghttpx: Fix affinity retry
fa7945c6 nghttpx: Refactor
daca43f0 nghttpx: Fix stalled backend connection on retry
16bc11e6 nghttpx: Remove duplicated util::make_socket_nodelay
6f7e94cd Merge pull request #1047 from PiotrSikora/go_vet
61efa15a integration: Fix issues reported by the `go vet` tool.
8c0ea56b Merge pull request #1036 from nghttp2/nghttpx-affinity-cookie
54905371 nghttpx: Refactor
6010d393 integration: Add tests
be5c39a1 src: Add tests
b8fda680 nghttpx: Cookie based session affinity
e29b9c12 Merge pull request #1045 from nghttp2/nghttpx-sha1-fingerprint
539e2781 nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
7008afd4 nghttpx: Refactor get_x509_fingerprint to accept hash function
77a41756 Merge pull request #1041 from nghttp2/fix-examples-client-server
b15045d6 Merge pull request #1040 from nghttp2/nghttpx-mruby-add-more-tls-vars
03084f75 examples: Make client and server work with libevent-2.1.8
60baca27 nghttpx: Add more TLS related attributes to mruby Env object
86990db2 Merge pull request #1038 from nghttp2/nghttpx-add-more-logging-vars
cb376bcd nghttpx: Add client fingerprint and subject name to accesslog
f2b8edd1 nghttpx: Fix memory leak
c4f8afcf nghttpx: Get TLS info only when it is necessary when writing accesslog
1a1a216d Merge pull request #1037 from nghttp2/nghttpx-mruby-tls-client-vars
9f80a82c nghttpx: Add client fingerprint and subject name to mruby env
c573c80b nghttpx: Pass a pointer to SSL instead of TLSSessionInfo to LogSpec
3cd6817e Fix typos
d4a69658 Add another warning about mruby
8e06fe49 Fix typo
aaeeec8f Fix typos
66d5e246 Bump up version number to 1.28.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
dfb2f6c pkt_sched: make compile again
5ab7026 sch_cake: make compile again
6f28803 codel5: make more checkpatch compliant
bd426aa Fix build error on 4.12
e4a3628 Whitespace tidy up
Signed-off-by: Fushan Wen <qydwhotmail@gmail.com>
Add an ipv6only variant providing server services for RA, stateful and stateless
DHCPv6, prefix delegation and relay support for DHCPv6, NDP and RA.
The full variant called odhcpd supports DHCPv4 server as before.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Bump to latest WireGuard snapshot release:
ed479fa (tag: 0.0.20171122) version: bump snapshot
efd9db0 chacha20poly1305: poly cleans up its own state
5700b61 poly1305-x86_64: unclobber %rbp
314c172 global: switch from timeval to timespec
9e4aa7a poly1305: import MIPS64 primitive from OpenSSL
7a5ce4e chacha20poly1305: import ARM primitives from OpenSSL
abad6ee chacha20poly1305: import x86_64 primitives from OpenSSL
6507a03 chacha20poly1305: add more test vectors, some of which are weird
6f136a3 compat: new kernels have netlink fixes
e4b3875 compat: stable finally backported fix
cc07250 qemu: use unprefixed strip when not cross-compiling
64f1a6d tools: tighten up strtoul parsing
c3a04fe device: uninitialize socket first in destruction
82e6e3b socket: only free socket after successful creation of new
df318d1 compat: fix compilation with PaX
d911cd9 curve25519-neon: compile in thumb mode
d355e57 compat: 3.16.50 got proper rt6_get_cookie
666ee61 qemu: update kernel
2420e18 allowedips: do not write out of bounds
185c324 selftest: allowedips: randomized test mutex update
3f6ed7e wg-quick: document localhost exception and v6 rule
Compile-tested-for: ar71xx
Run-tested-on: ar71xx Archer C7 v2
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
The uboot target is named MarsBoard_A10 and it was not build at all.
This fixes a build problem seen by the build bot.
Fixes: 6a3565985f ("sunxi: Added profile for HAOYU Electronics Marsboard A10")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix the target dependency to make it possible to select this module also
on x86 target and its subtargets.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The firmware directory in the Linux kernel was removed in kernel 4.14,
take the e100 firmware files now from the linux-firmware repository
instead. To do so create the new package e100-firmware. This will also
work with older kernel versions.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Adds NFS4 client support:
1. Package kmod-fs-nfs is split into kmod-fs-nfs (nfs.ko) and
kmod-fs-nfs-v3 (nfsv3.ko).
2. A new package kmod-fs-nfs-v4 (nfsv4.ko) is created.
3. Package kmod-fs-nfs-common-v4 is renamed to kmod-fs-nfs-rpcsec
and includes additional module rpcsec_gss_krb5.ko.
CONFIG_NFS_V4 goes into kmod-fs-nfs-v4, CONFIG_NFSD_V4 (NFS4
server) is removed. Missing kernel module oid_registry.ko
needed by auth_rpcgss.ko is added to the package.
A new package kmod-crypto-cts needed by rpcsec_gss_krb5.ko is
also created.
Signed-off-by: Marcin Jurkowski <marcin1j@gmail.com>
[add dependency to kmod-crypto-ecb in fs-nfs-common-rpcsec]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The module parameters "nogameport=1" and "nocir=1" are needed,
because this is not supported on recent chips and doesn't
really tell if the system is stable.
As this features will already be removed in linux-4.13 or newer,
this module parameters can be removed in the future.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
make check complains about PKG_MIRROR_HASH of the wireless-regdb package:
WARNING: PKG_MIRROR_HASH does not match wireless-regdb-2017-10-20-4343d359.tar.xz
hash 5f5b669f32ae36cb65b1d99efbbbfd42c2983cda32f6448346e3e54ffaba3889
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The DEFINE_PCI_DEVICE_TABLE macro was removed with upstream commit
7e9321599011 ("treewide: remove references to the now unnecessary
DEFINE_PCI_DEVICE_TABLE").
Use the pci_device_id struct to fix the acx-mac80211 build failure on
ramips.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Without this change, the instance-specific conf-file is being added to procd_add_jail_mount,
but not used by dnsmasq.
Signed-off-by: Emerson Pinter <dev@pinter.com.br>
Usually this function is called for appending some small files only
(like fs marks) but let's just make it more generic and capable of
handling bigger files easily. Increasing buffer to 1 KiB shouldn't hurt.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
It was there in case of adding some "create" command options that should
be parsed before actually creating the output image. It seems we don't
need any at this point so let's drop this function for now.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
My compilation failed because of missing uint.* definitions:
In file included from mtd.h:33:0,
from bootstream.c:35:
BootControlBlocks.h:58:2: error: unknown type name 'uint8_t'
uint8_t m_u8DataSetup;
^
BootControlBlocks.h:59:2: error: unknown type name 'uint8_t'
uint8_t m_u8DataHold;
^
BootControlBlocks.h:60:2: error: unknown type name 'uint8_t'
uint8_t m_u8AddressSetup;
^
BootControlBlocks.h:61:2: error: unknown type name 'uint8_t'
uint8_t m_u8DSAMPLE_TIME;
Adding the header file fixes the problem.
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[fold changes into 001-compile.patch]
Signed-off-by: Mathias Kresin <dev@kresin.me>
The kernel firmware/ is going away, so pull this firmware
from the linux-firmware git repo instead. No actual changes
to the installed files.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Significantly improves throughput on MT76x2, fixes some stability
issues, adds LED support.
Changes:
266ef38 mt76x2: mcu: remove unused parameter in mt76x2_mcu_msg_alloc signature
758376d mt7603: mcu: remove unused parameter in mt7603_mcu_msg_alloc() signature
e764787 Fix errors found by cppcheck
a6fce8a mt7603: add LED definition registers
f658dd2 mt76x2: add LED register definitions
f6a021d mt76x2: Support using PCI ID as chip ID
c9bdcd8 mt76: add led support using mac80211 led framework
58e9138 mt76x2: init: add ma80211 led callbacks
8ea8da3 mt7603: init: add ma80211 led callbacks
ded88cd mt76x2: Add PCI identifier for MT7602
51a6764 mt7603: remove unnecessary mcu register read function
fbdbf65 debugfs: add support for changing the LED pin
cc02e49 mac80211: move DT led configuration to the "led" child node
e4e7734 mt76x2: limit client WCID entries to 0-127
60172cc mt76x2: clear drop flag for all WCIDs on init
d8140b6 mt76x2: clear per-WCID tx rate lookup register
0ce7923 mt76x2: add helper function for setting drop mask
ccc4baf mt76x2: clear drop mask when sending a PS response
ff60d14 mt76: increase rx ring size for mt76x2
b57ada5 mt76x2: add rx statistics registers
af425de mt76x2: fix LNA gain register annotation
efd7724 mt76x2: sync channel gain value with latest reference driver
4af37bd mt76x2: implement dynamic AGC tuning based on false packet detection count
70f2002 mt76x2: add more gain tuning based on the latest reference driver
8f1c8ab mt76x2: sync tx power related values with reference driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Latencies can be much higher on wifi devices, especially with
aggregation. Tune the network stack setting introduced in the previous
commit to account for that
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The wireless regdb is now loaded via firmware loading, CRDA support and
built-in regdb support have been removed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
9c13096 ubus: Remove unnecessary memset calls.
6d1ea6c libubus: Fix deletion from context's object AVL tree when removing object
e02813b ubusd: don't free messages in ubus_send_msg() anymore
be146ad ubusd: rename goto label from `error` to `out`
27d712d ubusd_monitor: alloc & free the buffer outside of the loop
5f87f54 ubusd: move global retmsg per client
Signed-off-by: Felix Fietkau <nbd@nbd.name>