dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames. Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.
Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.
/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.
dhcp-name-match=set:dhcp_bogus_hostname,localhost
Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.
To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulated by.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
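Added example, not part of the commit or of OpenWrt: a shell audit that reads names from a file in the dhcp-name-match syntax shown above and lists leases already recorded under those names, for checking a router that runs an older dnsmasq or has the option disabled. The lease line layout (expiry, MAC, IP, hostname, client-id), the function names and the sample data are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not OpenWrt code: flag DHCP leases whose hostname is listed
# in a dhcp-name-match file such as dhcpbogushostname.conf.

# audit_leases CONF LEASES
# Prints "mac ip hostname" for every lease using a listed name.
# Assumption: lease lines are "expiry mac ip hostname client-id".
audit_leases() {
    awk '
        FILENAME == ARGV[1] {
            # Only lines of the form dhcp-name-match=set:<tag>,<name>[*]
            if (match($0, /^[ \t]*dhcp-name-match=set:[^,]*,/)) {
                name = tolower(substr($0, RLENGTH + 1))
                sub(/[ \t#].*$/, "", name)       # drop trailing blanks/comments
                if (sub(/\*$/, "", name)) prefix[name] = 1   # trailing wildcard
                else if (name != "") exact[name] = 1
            }
            next
        }
        NF >= 4 && $4 != "*" {
            host = tolower($4)
            sub(/\..*$/, "", host)   # compare the host part, not a full FQDN
            hit = (host in exact)
            for (p in prefix) if (index(host, p) == 1) hit = 1
            if (hit) print $2, $3, $4
        }
    ' "$1" "$2"
}

# Constructed sample data so the example runs offline.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/bogus.conf" <<'EOF'
# constructed list in the syntax shown in the commit message
dhcp-name-match=set:dhcp_bogus_hostname,localhost
dhcp-name-match=set:dhcp_bogus_hostname,wpad
EOF
    cat > "$dir/dhcp.leases" <<'EOF'
1536000000 02:00:00:00:00:01 192.168.1.10 laptop 01:02:00:00:00:00:01
1536000100 02:00:00:00:00:02 192.168.1.11 WPAD *
1536000200 02:00:00:00:00:03 192.168.1.12 localhost.lan *
1536000300 02:00:00:00:00:04 192.168.1.13 * *
EOF
    audit_leases "$dir/bogus.conf" "$dir/dhcp.leases"
    rm -rf "$dir"
}

demo
```

Hosts that appear in the output still hold a lease; the point of the audit is to see which MAC addresses are claiming a name that other clients may resolve.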
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Fixes the following build error:
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_post'
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_wait'
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_init'
.../toolchain-i386_pentium4_gcc-7.3.0_glibc/lib/gcc/i486-openwrt-linux-gnu/7.3.0/../../../../i486-openwrt-linux-gnu/bin/ld: ../lib/libcom_err.so: undefined reference to `sem_destroy'
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The tl-wa850re-v2 images from the ar71xx/tiny target are getting too big
with the default packages. The size check is done before the meta data
is added so there is no file to add meta data to or to sign. Originally
errors in Build/append-metadata were getting ignored, but if the signing
fails the error is not ignored.
This adds a check if the file to be signed is there and only does the
signing if it is there. This way it does not fail if the package
creation was already aborted earlier.
Fixes: 848b455d2e ("image: use ucert to append signature")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Commit 9f0cb135dd made BUSYBOX_CONFIG_FEATURE_IPV6 dependent on IPV6 but
did not make its default value BUSYBOX_DEFAULT_FEATURE_IPV6 dependent
on IPV6. BUSYBOX_DEFAULT_FEATURE_IPV6 will have as default value y if
IPV6 is enabled otherwise n.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2b085815 (tag: v1.34.0) Update manual pages
986fa302 Bump up version number to 1.34.0, LT revision to 31:1:17
7c8cb3a0 nghttpx: Improve CONNECT response status handling
334c439c Fix bug that regular CONNECT does not work
6700626c Rule out content-length in the successful response to CONNECT
15162add Update manual pages
93270777 Merge pull request #1235 from nghttp2/backend-conn-timeout
aeb92bbb nghttpx: Add read/write-timeout parameters to backend option
fc7489e0 nghttpx: Fix mruby parameter validation
87ac872f nghttpx: Update doc
c278adde nghttpx: Log error when mruby file cannot be opened
f94d7209 Merge pull request #1234 from nghttp2/nghttpx-rfc8441
9b9baa6b Update doc
02566ee3 nghttpx: Update doc
3002f31b src: Add debug output for SETTINGS_ENABLE_CONNECT_PROTOCOL
d2a594a7 nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2
651e1477 Allow client sending :protocol optimistically
a42faf1c nghttpx: Write TLS alert during handshake
4aac05e1 Merge pull request #1231 from nghttp2/ws-lib-only
b80dfaa8 Adjustment for RFC 8441
a19d8f5d Deal with :protocol pseudo header
33f6e90a Add NGHTTP2_TOKEN__PROTOCOL
ed7fabcb Add SETTINGS_ENABLE_CONNECT_PROTOCOL
8753b6da Update doc
f2de733b Update neverbleed to fix OpenSSL 1.1.1 issues
88ff8c69 Update mruby 1.4.1
a63558a1 nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful
3575a132 nghttpx: Fix crash with plain text HTTP
e2de2fee Update bash_completion
9f415979 Update manual pages
4bfc0cd1 Merge pull request #1230 from nghttp2/nghttpx-faster-logging
9c824b87 nghttpx: Get rid of std::stringstream from Log
a1ea1696 Make VALID_HD_NAME_CHARS and VALID_HD_VALUE_CHARS const qualified
dfc0f248 Make static_table const qualified
ed7c9db2 nghttpx: Add mruby env.tls_handshake_finished
5b42815a nghttpx: Strip incoming Early-Data header field by default
cfe7fa9a nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
cb8a9d58 src: Remove TLSv1.3 ciphers from DEFAULT_CIPHER_LIST
023b9448 Merge branch 'tls13-early-data'
9b03c64f nghttpx: Should postpone early data by default
b8eccec6 nghttpx: Disable OpenSSL anti-replay
9f212587 Specify SSL_CTX_set_max_early_data and add an option to change max value
47f60124 nghttpx: Add an option to postpone early data processing
770e44de Implement draft-ietf-httpbis-replay-02
2ab319c1 Don't hide error code from openssl
39923024 Remove SSL_ERROR_WANT_WRITE handling
b30f312a Honor SSL_read semantics
c5cdb78a nghttpx: Add TLSv1.3 0-RTT early data support
f79a5812 Bump up version number to 1.34.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Support for -D got broken in the 2.0.11 release by the upstream commit
218d8c667944 ("first pass L2 mode w/UDP checks, v4 only"). After that
commit clients were still able to connect but no traffic was passed.
It was reported and is fixed now in the upstream git repository.
Backport two patches to fix this. The first one is just a requirement
for the latter to apply. The second one is the real fix and it needed
only a small adjustment to apply without backporting the commit
10887b59c7e7 ("fix --txstart-time report messages").
Fixes: 457e6d5a27 ("iperf: bump to 2.0.12")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This commit adds support for the TP-Link TL-WR901ND v2 access point.
CPU: Atheros AR9132 400MHz
RAM: 32MB
FLASH: 4MiB
WiFi: Atheros AR9103 3x3:2 bgn
LED: Power (static on)
LAN (controlled by PHY)
SYS, WiFi, QSS toggleable
BTN: Reset, QSS
Installation:
Upload the factory image via the vendor-GUI.
Signed-off-by: David Bauer <mail@david-bauer.net>
Buffalo WZR-HP-G302H is a 2T2R 2.4 GHz 11n router, based on Atheros
AR7242.
It is the Japanese market model of WZR-HP-G300NH2, but there are some
differences. This commit is based on WZR-HP-G300NH2 in ar71xx.
Also, G302H has several hardware versions and the hardware differs
depending on the version. This commit adds support for the "A1A0"
version.
Specification:
- Atheros AR7242
- 64 MB of RAM (DDR2)
- 32 MB of Flash
- 2x 16 MB SPI-NOR flash
- 2.4 GHz 2T2R wifi
- Atheros AR9283
- 5x 10/100/1000 Mbps Ethernet
- Atheros AR8316
- 7x LEDs, 5x keys
- LED: 1x gpio-leds, 6x ath9k-leds
- key: 3x buttons, 2x slide switches
- UART header on PCB
- Vcc, GND, TX, RX from ethernet port side
- 115200n8
Flash instruction using factory image:
1. Boot WZR-HP-G302H normally and connect the computer to its LAN port
2. Access to "http://192.168.11.1/" and move to firmware update page
("ファーム更新")
3. Select the OpenWrt factory image and click update ("更新実行")
button to perform firmware update
4. Wait ~200 seconds to complete flashing
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
In order to be able to set the value of "hardware version" other than
"3", I added the "hwver" parameter.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This PR adds support for TP-Link TL-WR842N-v2 router which is supported by ar71xx to ath79.
This is a low cost model with following specs:
CPU: Atheros AR9341 SoC
RAM: 32 MB DDR1
Flash: 8 MB NOR SPI
Switch: Internal AR9341 5 port 10/100 Mbit
Ports: 5x 10/100 Mbit(1x WAN, 4x LAN)
USB: 1x USB2.0
WLAN: 2.4 GHz AR9341
Installation:
Simply flash the factory image through stock firmware WEB UI.
Signed-off-by: Robert Marko <robimarko@gmail.com>
The sysupgrade_pre_upgrade hook was removed with 5e1b4c57de ("base-files:
drop fwtool_pre_upgrade") while there were still scripts using it:
* target/linux/ar71xx/base-files/lib/upgrade/allnet.sh
* target/linux/ar71xx/base-files/lib/upgrade/openmesh.sh
* target/linux/ipq40xx/base-files/lib/upgrade/openmesh.sh
Not running the hooks can either prevent a successful upgrade or brick the
device because the fw_setenv program cannot be started correctly.
Instead of adding this hook again, the directory /var/lock for fw_setenv
can also just be created directly before fw_setenv is called.
Fixes: 5e1b4c57de ("base-files: drop fwtool_pre_upgrade")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
The install_bin from /lib/upgrade/common.sh is no longer creating the
symlinks when a secondary parameter is added. But the fw_setenv program was
always copied this way to the ramdisk for the upgrade.
Instead, this should be done using RAMFS_COPY_* like on all other
platforms.
Fixes: 438dcbfe74 ("base-files: automatically handle paths and symlinks for RAMFS_COPY_BIN")
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com>
The image build code for the Ubiquiti Nanostation AC series adds the
factory image as an image to be built. The same is already done by an
included recipe which results in an expanded IMAGES variable of:
IMAGES = sysupgrade.bin factory.bin factory.bin
The build system doesn't like these duplicates and issues the following
warning:
Makefile:82: warning: overriding recipe for target...
Remove the duplicate factory image to get rid of the warning.
Fixes: 5736af8024 ("ath79: Add support for Ubiquiti NanoStation AC loco")
fa3c2676ab ("ath79: Add support for Ubiquiti Nanostation AC")
Signed-off-by: Mathias Kresin <dev@kresin.me>
Don't hijack the status led to indicate the wireless state. If we don't
have a dedicated wireless led, it's as simple as the wireless status
can't be indicated.
Such a led misuse should be set by the user and not shipped by default.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Release the led used for boot status indication via devicetree instead
of setting a default off trigger in userspace.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use diag.sh version used for other targets supporting different leds
for the different boot states.
The existing led sequences should be the same as before.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Assign the usbdev trigger via devicetree for all subtargets and drop
the userspace handling of the usb leds.
With the change all usb ports are triggering the usb led instead of
only usb 1.1 XOR usb 2.0 XOR usb 3.0 as it was before.
Signed-off-by: Mathias Kresin <dev@kresin.me>
5 GHz AC wireless outdoor PoE CPE with internal 2.4 GHz management radio
CPU: Atheros AR9342 SoC
RAM: 64 MB DDR2
Flash: 16 MB NOR SPI
Switch: QCA8334
Ports: 2 GbE ports (1x PoE in, 1x PoE passthrough)
WLAN: 5 GHz QCA899X (PCI) and 2.4 GHz AR9342
Successor to the old NanoStation M5 with AC wireless.
The integrated QCA899X is a Ubiquiti branded part with modified vendor and
product id (0777:11ac9).
Serial
Serial settings: 115200, 8N1
* = plated through hole
0 = nylon screw
[Top of device]
+--------------------------+
| [label] |
| 0 |
| 0 |
| [ubnt] |
| [logo] 3V3 * |
| TX * |
| RX * |
| GND * |
| |
| * |
| * |
| * |
| * |
| 0 |
| 0 |
| |
| |
Installation
1. Connect to serial header on device
2. Power on device and enter uboot console
3. Set up tftp server serving an openwrt initramfs build
4. Load initramfs build using the command tftpboot in the uboot cli
5. Boot the loaded image using the command bootm
6. Copy squashfs openwrt sysupgrade build to the booted device
7. Use mtd to write sysupgrade to partition "firmware"
8. Reboot and enjoy
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
Atheros AR9342, 16 MB flash, 64 MB RAM
Successor to the old NanoStation M5 loco with AC wireless.
Includes a mac80211 patch for ath10k_pci because Ubiquiti uses a Ubiquiti
branded and customized QCA988X with vendor id 0777 and device id 11ac for
AC wireless.
Installation
1. Connect to serial header on device (8N1 115200)
2. Power on device and enter uboot console
3. Set up tftp server serving an openwrt initramfs build
4. Load initramfs build using the command tftpboot in the uboot cli
5. Boot the loaded image using the command bootm
6. Copy squashfs openwrt sysupgrade build to the booted device
7. Use mtd to write sysupgrade to partition "firmware"
8. Reboot and enjoy
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
This patch adds a new type of ubiquiti image, the WA image. First seen
on the NanoStation AC loco the generic name implies that we will see
this type of image on more ubiquiti devices thus it makes sense to
implement it in mkfwimage.
The main difference is that WA images are signed. The "END" header has
been replaced by a "ENDS" header followed by a 2048 bit RSA signature.
This signature is not being generated by mkfwimage and filled with 0x00.
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
I added mtd-mac-address for WZR-HP-G450H and BHR-4GRV in
1df1ea4d7e, but that address in ART is
incorrect for BHR-4GRV.
WZR-HP-G450H has wlan eeprom and MAC address in ART, but BHR-4GRV
has only MAC address in ART.
- WZR-HP-G450H
- eeprom: 0x1000
- MAC: 0x1002
- BHR-4GRV
- MAC: 0x0
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
In dtc version 1.4.6 the macro names in header include guards changed,
but the build relies on them matching in order to replace selected
headers. This is a horrible hack to work around this.
Signed-off-by: Thomas Nixon <tom@tomn.co.uk>
Only thing not working is the b43 5GHz wifi band, as the upstream
kernel doesn't support the 0x4360 chip so far.
Signed-off-by: Rene Kjellerup <rk.katana.steel@gmail.com>
Backport commit 3d9c8f6b3f033a6092425b7344647fb51dbed5c6
Without this binutils doesn't properly link u-boot
Source:
https://sourceware.org/bugzilla/show_bug.cgi?id=23571
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
221ce7e ubusd_acl: event send access list support
da503db ubusd_acl: event listen access list support
c035bab ubusd_acl: rework wildcard support
73bd847 ubusd_event: move strmatch_len to ubus_common.h
0327a91 ubus/lua: add support for BLOBMSG_TYPE_DOUBLE
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Account for big-endian 2^26 conversion in Poly1305.
* Account for big-endian NEON in Curve25519.
* Fix macros in big-endian AArch64 code so that this will actually run there
at all.
* Prefer if (IS_ENABLED(...)) over ifdef mazes when possible.
* Call simd_relax() within any preempt-disabling glue code every once in a
while so as not to increase latency if folks pass in super long buffers.
* Prefer compiler-defined architecture macros in assembly code, which puts us
in closer alignment with upstream CRYPTOGAMS code, and is cleaner.
* Non-static symbols are prefixed with wg_ to avoid polluting the global
namespace.
* Return a bool from simd_relax() indicating whether or not we were
rescheduled.
* Reflect the proper simd conditions on arm.
* Do not reorder lines in Kbuild files for the simd asm-generic addition,
since we don't want to cause merge conflicts.
* WARN() if the selftests fail in Zinc, since if this is an initcall, it won't
block module loading, so we want to be loud.
* Document some interdependencies beside include statements.
* Add missing static statement to fpu init functions.
* Use union in chacha to access state words as a flat matrix, instead of
casting a struct to a u8 and hoping all goes well. Then, by passing around
that array as a struct for as long as possible, we can update counter[0]
instead of state[12] in the generic blocks, which makes it clearer what's
happening.
* Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86,
and the other implementations do not require that kind of alignment either.
* Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so
that we can build code that uses umull.
* Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config
variables consistently throughout.
* Document rationale for the 2^26->2^64/32 conversion in code comments.
* Convert all of remaining BUG_ON to WARN_ON.
* Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old
ISAs via the macro in <asm/assembler.h>.
* Do not allow WireGuard to be a built-in if IPv6 is a module.
* Writeback the base register and reorder multiplications in the NEON x25519
implementation.
* Try all combinations of different implementations in selftests, so that
potential bugs are more immediately unearthed.
* Self tests and SIMD glue code work with #include, which lets the compiler
optimize these. Previously these files were .h, because they were included,
but a simple grep of the kernel tree shows 259 other files that carry out
this same pattern. Only they prefer to instead name the files with a .c
instead of a .h, so we now follow the convention.
* Support many more platforms in QEMU, especially big endian ones.
* Kernels < 3.17 don't have read_cpuid_part, so fix building there.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>