Commit graph

36207 commits

Author SHA1 Message Date
Magnus Kroken
b1f39d3d7e openssl: update to 1.0.2j
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

Patches applied upstream:
* 301-fix_no_nextprotoneg_build.patch
* 302-Fix_typo_introduced_by_a03f81f4.patch

Security advisory: https://www.openssl.org/news/secadv/20160926.txt

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-09-27 17:50:22 +02:00
BangLang Huang
142ec7ada9 ramips : add support for Newifi D1
Signed-off-by: BangLang Huang <banglang.huang@foxmail.com>
2016-09-27 17:50:22 +02:00
BangLang Huang
9fe833e1d0 ramips : add support for PandoraBox D1
Signed-off-by: BangLang Huang <banglang.huang@foxmail.com>
2016-09-27 17:50:22 +02:00
Kevin Darbyshire-Bryant
1bc68e1379 fortify-headers: update to 0.8
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-27 17:50:22 +02:00
diizzyy
0d4f02dfd6 linux-firmware: Add mirrors
Adds Google's mirrors as primary source and kernel.org as fallback.
Discussed in #lede-dev on Freenode

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-09-27 17:50:22 +02:00
Rosen Penev
c0b15b3072 openssl: Make DTLS configurable.
Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-09-27 17:50:22 +02:00
Rosen Penev
aaa067ab0b openssl: Remove J-PAKE. Nothing uses it.
Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-09-27 17:50:22 +02:00
Kevin Darbyshire-Bryant
78ae7d8efd busybox: v1.25.0 upstream patches
Include upstream patches for gzip, ip & ntpd.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2016-09-27 17:50:22 +02:00
Daniel Engberg
edbc8fec8a libjson-c: Update to 0.12.1
Updates libjson-c and removes backport patch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-09-27 17:50:21 +02:00
diizzyy
509708889c libunwind: use url alias
Use alias instead of hardcoded URL

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-09-27 17:50:21 +02:00
Adrian Panella
dd1b69a058 uml: set inittab for working console
Signed-off-by: Adrian Panella <ianchi74@outlook.com>
2016-09-27 17:50:21 +02:00
Cezary Jackiewicz
66aae9a271 ramips: Add support for ZBT-CPE102
- CPU: MT7620N 580MHz
- Flash: 8MB
- RAM: 64MB
- build-in minipcie slot for modem 3G/4G
- one ethernet port 10/100Mbps

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
2016-09-27 17:50:21 +02:00
Jo-Philipp Wich
875cddd94c iwinfo: fix WPA cipher reporting
Within the Lua binding, use the same logic as the command line interface for
reporting the used WPA ciphers. Instead of printing the intersection of
pairwise and group ciphers, report both group and pairwise ciphers.

This fixes a case where a connection which uses CCMP for pairwise and TKIP
as groupwise cipher is getting reported as using the NONE cipher.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:48 +02:00
Jo-Philipp Wich
8badcba229 iproute: properly support high routing table IDs
The Linux kernel uses two distinct fields to denote the routing table ID in
use by network routes; the 8 bit `rtm_table` member of `struct rtmsg` and the
32 bit `RTA_TABLE` netlink attribute.

If a routing table ID is larger than 255, the `RT_TABLE` attribute must be used
and the `rtm_table` field has to be set to the special `RT_TABLE_UNSPEC` value.

This commit adds a patch which...
 - switches the *_n2a() and *_a2n() functions of rt_names.c to use dynamically
   sized, name-sorted arrays instead of fixed arrays limited to 1024 slots in
   order to support IDs up to 65535
 - adds proper handling of high table IDs to iprule.c and iproute.c when
   adding, removing and dumping ip rules and network routes

After this change, the Busybox ip applet fully supports IP rules with high ID
numbers, using the same logic as the full iproute2.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:06 +02:00
Jo-Philipp Wich
864b2d113a 6in4: fix invalid local variable declaration (FS#188)
Remove an invalid local variable declaration in the tunnel update subshell
invocation. Local declarations outside of function scopes are illegal since
the Busybox update to version 1.25.0 .

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-27 16:23:06 +02:00
Rafał Miłecki
45b73af7f6 mac80211: backport brcmfmac changes from 2016-09-26
All these patches are in wireless-drirvers-next. There is support for
hidden SSID, few new devices and many fixes.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2016-09-27 07:00:53 +02:00
Matthias Schiffer
5b99693832
rootfs: fail on errors in postinst scripts
The Gluon firmware framework [1] uses postinst scripts for sanity checks.
Make the build fail when a postinst script exits with an error to make
these sanity checks effective.

All postinst scripts in packages from the LEDE core and the packages feed
seem to work correctly with this change and will always return 0 unless
something is very broken.

[1] https://github.com/freifunk-gluon/gluon

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:58 +02:00
Matthias Schiffer
021b96d7c5
rootfs: remove unnecessary and potentially harmful force flags from opkg call
Especially --force-overwrite and --force-depends will often lead to broken
images; it's better to fail the build in such cases than to silently ignore
the errors.

Instead, ignore errors in the per-device rootfs opkg remove command, so
the build doesn't break when packages can't be removed because of
dependencies.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:58 +02:00
Matthias Schiffer
593dfac909
image: per-device rootfs: first remove, then install packages
Some DEVICE_PACKAGES definitions replace one package variant with another
(e.g. wpad-mini is replaced with wpad). To avoid file conflicts, first
remove, then install packages.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:58 +02:00
Matthias Schiffer
26b4216f95
base-files: make default_prerm work offline
IPKG_INSTROOT must be respected for offline removal (used for per-device
rootfs).

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:57 +02:00
Matthias Schiffer
43bf3e80b2
ramips: fix DEVICE_PACKAGES of Ubiquiti EdgeRouter X
kmod-rt2x00-lib and kmod-mac80211 need to be removed, as they depend on
kmod-cfg80211. kmod-rt2800-pci should not be installed anyways.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:57 +02:00
Matthias Schiffer
9dbf8241c3
ar71xx: clean up DEVICE_PACKAGES of legacy devices
Remove arbitrary or redundant packages from DEVICE_PACKAGES.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:57 +02:00
Matthias Schiffer
a16a8814ea
image: don't modify file permissions before rootfs generation
Modifying the file permissions can be harmful, as it would make files
world-readable even if they weren't in the ipk packages. The
Image/mkfs/prepare step is removed completely, as it is redundant now (/tmp
and /overlay are already provided by base-files with the correct
permissions).

It has been verified that this change does not affect any permissions of
files in the default package set except /etc/ppp/chap-secrets, which was
world-readable before. All packages not in the default set are more likely
to be installed via opkg than being part of a base image and thus were
usually not affected by the permission modification anyways.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Matthias Schiffer
6c1542787d
base-files: fix check for empty password warning
Now that we know that the password is in /etc/shadow and not in
/etc/passwd, we can properly fix the logic for the empty password check.
Only 'root::' is an empty password, 'root' and 'root:!:' allow no
password login at all.

This fixes the empty password warning still showing after the root password
has been locked using 'passwd -l root' (e.g. to allow public-key auth
only).

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Matthias Schiffer
77f54eae45
config: enable shadow passwords unconditionally
Configurations without shadow passwords have been broken since the removal
of telnet: as the default entry in /etc/passwd is not empty (but rather
unset), there will be no way to log onto such a system by default. As
disabling shadow passwords is not useful anyways, remove this configuration
option.

The config symbol is kept (for a while), as packages from feeds depend on
it.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-26 17:57:56 +02:00
Felix Fietkau
da4e81960d mac80211: fix crash in mac80211_hwsim
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 16:19:58 +02:00
Jonas Gorski
27ed4e9c14 mvebu: add switch config for clearfog pro
Check for switch0 existance and add default switch config if found.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2016-09-26 13:27:44 +02:00
Jonas Gorski
6859098d97 mvebu: add sysupgrade support for clearfog
Add and enable sysupgrade support for clearfog boards, based on how the
brcm2708 target does it.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:04:53 +02:00
Jonas Gorski
c359d7e81b mvebu: add switch node to clearfog
Add a switch node to clearfog to probe and initialize it on Clearfog
Pro. This make the switch work and allows using all six switch ports.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:04:47 +02:00
Jonas Gorski
167763837b mvsw61xx: enable SerDes on 6176 if required
If the cpu port is connected through SGMII we need to enable SerDes for
it to work.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:04:04 +02:00
Jonas Gorski
92dcaecee3 mvsw61xx: reset phys on probe to enable switch ports on clearfog pro
The clearfog u-boot does not initialize the switch at all, so we need to
power up the phys ourselves.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:03:58 +02:00
Jonas Gorski
f2102b484b mvebu: replace ClearFog dts files with patches from upstream
Make the dts file match with what is upstream, to ensure it has the
latest changes and switching to newer kernels is easier.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:03:51 +02:00
Jonas Gorski
c4f4d65835 mvebu: enable PCA955x driver for clearfog to enable pcie and usb
Some of the PCIe and USB signals use a GPIO expander on I2C on ClearFog,
so enable the driver so that they can be configured to their required
values.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:03:45 +02:00
Jonas Gorski
c4823622d8 uboot-mvebu: reset the 88E1512 PHY to make the wan port work
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 13:03:18 +02:00
Jonas Gorski
d8075b15d0 uboot-mvebu: make hidden and be m for clearfog to fix IB failing to add it
Uboot-mvebu isn't a real package, which will break the image builder
when it tries to install it during the packing step. Instead of cleafog
selecting it through its default packages, make it default to m if the
clearfog profile is selected.

This will ensure it is always build, but never added to the rootfs. This
fixes creating images for clearfog with IB.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 12:48:18 +02:00
Jonas Gorski
bc1f006b4e uboot-mvebu: also install into KDIR to ensure it packaged in IB
The clearfog image requires u-boot, so package it into KDIR to make sure
it is available in imageBuilder.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Acked-by: Felix Fietkau <nbd@nbd.name>
2016-09-26 12:47:36 +02:00
Jonas Gorski
997fed94e3 ptgen: work around gcc miscompilation
Some gcc versions seem to miscompile code using ternary operators,
work around this by just returning the result if exp is 0.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2016-09-26 12:23:41 +02:00
Matthias Schiffer
175fbe4d4e
ramips: move /lib/ramips.sh include in /etc/init.d/bootcount into start()
Enabling the init script offline will print an error otherwise.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-25 23:26:42 +02:00
Matthias Schiffer
b3dd642584
fstools: mark as nonshared and add missing PKG_CONFIG_DEPENDS
The fstools build depends on the CONFIG_NAND_SUPPORT flag, which is
target-specific.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-25 23:26:25 +02:00
Matthias Schiffer
663145e419
image: fix CONFIG_CLEAN_IPKG with CONFIG_TARGET_PER_DEVICE_ROOTFS
Running prepare_rootfs on TARGET_DIR deletes the opkg state when
CONFIG_CLEAN_IPKG is enabled, making the per-device rootfs package install
fail.

To avoid this, create a copy of the TARGET_DIR before prepare_rootfs is run
and use this as basis for per-device rootfs generation.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-25 09:30:55 +02:00
Matthias Schiffer
ce89535bce
kernel: remove duplicate br-netfilter file and Kconfig symbol from kmod-ebtables
br_netfilter.ko and the corresponding Kconfig symbol are already provided
by kmod-br-netfilter, which is a dependency of kmod-ebtables.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-24 23:37:54 +02:00
Hauke Mehrtens
ea288126db openssl: backport build fix when hardware support is used
This fix added to the openssl 1.0.2 branch.
In addition add the header for the existing backport.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 19:53:00 +02:00
Neal Oakey
524d4110f9
ar71xx: add model detection for many Ubiquiti AirMax XM devices
Signed-off-by: Neal Oakey <neal.oakey@bingo-ev.de>
[Matthias Schiffer: minor adjustments]
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-24 19:07:27 +02:00
Matthias Schiffer
3675e657ed
image: per-device rootfs: don't fail without opkg
Ignore errors caused by /etc/opkg not existing (i.e. when opkg is not
selected).

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-24 18:41:37 +02:00
Matthias Schiffer
e916579340
image: allow specifying additional packages for device-specific rootfs
Add a new option to each device in multi-profile mode, allowing to provide
a list of packages to add or remove. In case of added packages, the user
must take care that these are selected to be built.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-24 18:25:25 +02:00
Jo-Philipp Wich
1c09849f6c treewide: remove bad local shell variable declarations
Local variable declarations outside of functions are illegal since the Busybox
update to v1.25.0, therfore remove them from the appropriate places.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-09-24 14:38:20 +02:00
Hauke Mehrtens
df9efc9497 curl: update to version 7.50.3
This fixes the following security problems:
7.50.1:
 CVE-2016-5419 TLS session resumption client cert bypass
 CVE-2016-5420 Re-using connections with wrong client cert
 CVE-2016-5421 use of connection struct after free
7.50.2:
 CVE-2016-7141 Incorrect reuse of client certificates
7.50.3:
 CVE-2016-7167 curl escape and unescape integer overflows

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 13:48:05 +02:00
Magnus Kroken
6926325829 openssl: update to 1.0.2i
Drop 302-fix_no_cmac_build.patch, it has been applied upstream.

Security fixes:
* (Severity: High) OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* (Severity: Moderate) SSL_peek() hang on empty record (CVE-2016-6305)
* 10 Low severity issues

Security advisory: https://www.openssl.org/news/secadv/20160922.txt
Changelog: https://www.openssl.org/news/cl102.txt

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 13:28:59 +02:00
Matthias Schiffer
c15d70c6d6
image: don't override opkg list directory in per-device rootfs mode
opkg's -l option is always interpreted relative to the installation root.
This leads to very weird paths inside the rootfs (containing the whole path
to the LEDE tree on the build machine) and causes the subsequent deletion
of the list directory to fail (cluttering the resulting images).

Instead, use the default list directory and remove its contents in
prepare_rootfs.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-09-24 03:37:08 +02:00
Martin Blumenstingl
d72e838429 ramips: do not "local" variables outside of a function
Older busybox versions allowed using the local keyword outside of
functions, whereas 1.25.0 (which was introduced in 06fa1c46fc) do not
allow this anymore (leading to the following error when executing the
script: "file: local: line nn: not in a function").

Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
2016-09-24 01:17:18 +02:00