Commit Graph

17854 Commits

Author SHA1 Message Date
Ilya Lipnitskiy
06351f1bd0 kernel: migrate wireguard into the kernel tree
On Linux 5.4, build WireGuard from backports. Linux 5.10 contains
wireguard in-tree.

Add in-kernel crypto libraries required by WireGuard along with
arch-specific optimizations.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-26 20:41:01 +01:00
David Bauer
9a9cf40dd9 download: add mirror alias for Debian
Add an alias for Debian packages and download them from the Debian
mirror redirector.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-26 20:41:00 +01:00
Lech Perczak
59d065c9f8 ramips: add support for ZTE MF283+
ZTE MF283+ is a dual-antenna LTE category 4 router, based on Ralink
RT3352 SoC, and built-in ZTE P685M PCIe MiniCard LTE modem.

Hardware highlighs:
- CPU: MIPS24KEc at 400MHz,
- RAM: 64MB DDR2,
- Flash: 16MB SPI,
- Ethernet: 4 10/100M port switch with VLAN support,
- Wireless: Dual-stream 802.11n (RT2860), with two internal antennas,
- WWAN: Built-in ZTE P685M modem, with two internal antennas and two
  switching SMA connectors for external antennas,
- FXS: Single ATA, with two connectors marked PHONE1 and PHONE2,
  internally wired in parallel by 0-Ohm resistors, handled entirely by
  internal WWAN modem.
- USB: internal miniPCIe slot for modem,
  unpopulated USB A connector on PCB.
- SIM slot for the WWAN modem.
- UART connector for the console (unpopulated) at 3.3V,
  pinout: 1: VCC, 2: TXD, 3: RXD, 4: GND,
  settings: 57600-8-N-1.
- LEDs: Power (fixed), WLAN, WWAN (RGB),
  phone (bicolor, controlled by modem), Signal,
  4 link/act LEDs for LAN1-4.
- Buttons: WPS, reset.

Installation:
As the modem is, for most of the time, provided by carriers, there is no
possibility to flash through web interface, only built-in FOTA update
and TFTP recovery are supported.

There are two installation methods:
(1) Using serial console and initramfs-kernel - recommended, as it
allows you to back up original firmware, or
(2) Using TFTP recovery - does not require disassembly.

(1) Using serial console:
To install OpenWrt, one needs to disassemble the
router and flash it via TFTP by using serial console:
- Locate unpopulated 4-pin header on the top of the board, near buttons.
- Connect UART adapter to the connector. Use 3.3V voltage level only,
  omit VCC connection. Pin 1 (VCC) is marked by square pad.
- Put your initramfs-kernel image in TFTP server directory.
- Power-up the device.
- Press "1" to load initramfs image to RAM.
- Enter IP address chosen for the device (defaults to 192.168.0.1).
- Enter TFTP server IP address (defaults to 192.168.0.22).
- Enter image filename as put inside TFTP server - something short,
  like firmware.bin is recommended.
- Hit enter to load the image. U-boot will store above values in
  persistent environment for next installation.
- If you ever might want to return to vendor firmware,
  BACK UP CONTENTS OF YOUR FLASH NOW.
  For this router, commonly used by mobile networks,
  plain vendor images are not officially available.
  To do so, copy contents of each /dev/mtd[0-3], "firmware" - mtd3 being the
  most important, and copy them over network to your PC. But in case
  anything goes wrong, PLEASE do back up ALL OF THEM.
- From under OpenWrt just booted, load the sysupgrade image to tmpfs,
  and execute sysupgrade.

(2) Using TFTP recovery
- Set your host IP to 192.168.0.22 - for example using:
sudo ip addr add 192.168.0.22/24 dev <interface>
- Set up a TFTP server on your machine
- Put the sysupgrade image in TFTP server root named as 'root_uImage'
  (no quotes), for example using tftpd:
  cp openwrt-ramips-rt305x-zte_mf283plus-squashfs-sysupgrade.bin /srv/tftp/root_uImage
- Power on the router holding BOTH Reset and WPS buttons held for around
  5 seconds, until after WWAN and Signal LEDs blink.
- Wait for OpenWrt to start booting up, this should take around a
  minute.

Return to original firmware:
Here, again there are two possibilities are possible, just like for
installation:
(1) Using initramfs-kernel image and serial console
(2) Using TFTP recovery

(1) Using initramfs-kernel image and serial console
- Boot OpenWrt initramfs-kernel image via TFTP the same as for
  installation.
- Copy over the backed up "firmware.bin" image of "mtd3" to /tmp/
- Use "mtd write /tmp/firmware.bin /dev/mtd3", where firmware.bin is
  your backup taken before OpenWrt installation, and /dev/mtd3 is the
  "firmware" partition.

(2) Using TFTP recovery
- Follow the same steps as for installation, but replacing 'root_uImage'
  with firmware backup you took during installation, or by vendor
  firmware obtained elsewhere.

A few quirks of the device, noted from my instance:
- Wired and wireless MAC addresses written in flash are the same,
  despite being in separate locations.
- Power LED is hardwired to 3.3V, so there is no status LED per se, and
  WLAN LED is controlled by WLAN driver, so I had to hijack 3G/4G LED
  for status - original firmware also does this in bootup.
- FXS subsystem and its LED is controlled by the
  modem, so it work independently of OpenWrt.
  Tested to work even before OpenWrt booted.
  I managed to open up modem's shell via ADB,
  and found from its kernel logs, that FXS and its LED is indeed controlled
  by modem.
- While finding LEDs, I had no GPL source drop from ZTE, so I had to probe for
  each and every one of them manually, so this might not be complete -
  it looks like bicolor LED is used for FXS, possibly to support
  dual-ported variant in other device sharing the PCB.
- Flash performance is very low, despite enabling 50MHz clock and fast
  read command, due to using 4k sectors throughout the target. I decided
  to keep it at the moment, to avoid breaking existing devices - I
  identified one potentially affected, should this be limited to under
  4MB of Flash. The difference between sysupgrade durations is whopping
  3min vs 8min, so this is worth pursuing.

In vendor firmware, WWAN LED behaviour is as follows, citing the manual:
- red - no registration,
- green - 3G,
- blue - 4G.
Blinking indicates activity, so netdev trigger mapped from wwan0 to blue:wwan
looks reasonable at the moment, for full replacement, a script similar to
"rssileds" would need to be developed.

Behaviour of "Signal LED" in vendor firmware is as follows:
- Off - no signal,
- Blinking - poor coverage
- Solid - good coverage.

A few more details on the built-in LTE modem:
Modem is not fully supported upstream in Linux - only two CDC ports
(DIAG and one for QMI) probe. I sent patches upstream to add required device
IDs for full support.
The mapping of USB functions is as follows:
- CDC (QCDM) - dedicated to comunicating with proprietary Qualcomm tools.
- CDC (PCUI) - not supported by upstream 'option' driver yet. Patch
  submitted upstream.
- CDC (Modem) - Exactly the same as above
- QMI - A patch is sent upstream to add device ID, with that in place,
  uqmi did connect successfully, once I selected correct PDP context
  type for my SIM (IPv4-only, not default IPv4v6).
- ADB - self-explanatory, one can access the ADB shell with a device ID
  added to 51-android.rules like so:

SUBSYSTEM!="usb", GOTO="android_usb_rules_end"
LABEL="android_usb_rules_begin"
SUBSYSTEM=="usb", ATTR{idVendor}=="19d2", ATTR{idProduct}=="1275", ENV{adb_user}="yes"
ENV{adb_user}=="yes", MODE="0660", GROUP="plugdev", TAG+="uaccess"
LABEL="android_usb_rules_end"

While not really needed in OpenWrt, it might come useful if one decides to
move the modem to their PC to hack it further, insides seem to be pretty
interesting. ADB also works well from within OpenWrt without that. O
course it isn't needed for normal operation, so I left it out of
DEVICE_PACKAGES.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[remove kmod-usb-ledtrig-usbport, take merged upstream patches]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-26 13:57:54 +01:00
David Bauer
a7ff66e2d2 rtl8812au-ct: fix PKG_MIRROR_HASH
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-24 22:28:27 +01:00
Daniel Golle
f38c54c635
arm-trusted-firmware-mediatek: correct location of PKG_LICENSE
As PKG_LICENSE is originally set by include/trusted-firmware-a.mk it
can only be appended after that. Hence move that line below the
include to actually make sense.
(cosmetical change, already slipped into openwrt-21.02 branch)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-24 19:01:14 +00:00
Adrian Schmutzler
702147b797 imx-bootlets: refresh patches
Tidy this up a little.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 16:15:02 +01:00
Adrian Schmutzler
221eefaf6b zlib: properly split patches
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.

Separate these patches into two files, as the original intent seems
to be having them separate.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 14:08:29 +01:00
Daniel Golle
287bd78e6f
base-files: remove unneeded '$' signs in nand.sh
When using Shell arithmetric evaluation via $((..)) the variables in
the expression do not need to be prefixed by the '$' sign.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-24 11:42:02 +00:00
Daniel Golle
5c10f26c28 sysupgrade-nand: allow limiting rootfs_data by setting env variable
Check if firmware environment variable 'rootfs_data_max' exists and is
set to a numerical value greater than 0. If so, limit rootfs_data
volume to that size instead of using the maximum available size.

This is useful on devices with lots of flash where users may want to
have eg. a volume for persistent logs and statistics or for external
applications/containers. Persistence on rootfs overlay is limited by
the size of memory available during the sysugprade process as that
data needs to be copied to RAM while the volume is being recreated
during sysupgrade. Hence it is unsuitable for keeping larger amounts
of data accross upgrade which makes additional volume(s) for
application data desirable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-24 01:35:20 +00:00
Daniel Golle
e6aac8d98f image: add support for building FIT image with filesystem
Allow for single (external-data) FIT image to hold kernel, dtb and
squashfs. In that way, the bootloader verifies the system integrity
including the rootfs, because what's the point of checking that the
hash of the kernel is correct if it won't boot in case of squashfs
being corrupted? Better allow bootloader to check everything needed
to make it at least up to failsafe mode. As a positive side effect
this change also makes the sysupgrade process on nand potentially
much easier as it is now.
In short: mkimage has a parameter '-E' which allows generating FIT
images with 'external' data rather than embedding the data into the
device-tree blob itself. In this way, the FIT structure itself remains
small and can be parsed easily (rather than having to page around
megabytes of image content). This patch makes use of that and adds
support for adding sub-images of type 'filesystem' which are used to
store the squashfs. Now U-Boot can verify the whole OS and the new
partition parsers added in the Linux kernel can detect the filesystem
sub-images, create partitions for them, and select the active rootfs
volume based on the configuration in FIT (passing configuration via
device tree could be implemented easily at a later stage).

This new FIT partition parser works for NOR flash (on top of mtdblock),
NAND flash (on top of ubiblock) as well as classic block devices
(ie. eMMC, SDcard, SATA, NVME, ...).
It could even be used to mount such FIT images via `losetup -P` on a
user PC if this patch gets included in Linux upstream one day ;)

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-24 01:35:20 +00:00
Rosen Penev
fb83efb626 pcre: disable C++ bindings
Nothing uses them. Allows to simplify the Makefile.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-24 00:30:40 +01:00
Hauke Mehrtens
030bc39c35 ppp: Update to version 2.4.9
Upstream integrated multiple patches from Distributions and did other
changes:
* rp-pppoe.so was renamed to pppoe.so
* Converted to ANSI C

The following patches were applied upstream:
* 100-debian_ip-ip_option.patch
* 101-debian_close_dev_ppp.patch
* 103-debian_fix_link_pidfile.patch
* 106-debian_stripMSdomain.patch
* 107-debian_pppoatm_wildcard.patch
* 110-debian_defaultroute.patch
* 202-no_strip.patch

Compilation with musl libc was fixed upstream so
140-pppoe_compile_fix.patch is not needed any more

Parts of the 203-opt_flags.patch patch were applied in a different way
upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-24 00:30:20 +01:00
Eneas U de Queiroz
12a80e44b9 openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package increases by a net 1-byte, so it is not really really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Stijn Segers
b5bc53813d uboot-envtools: add support for ZyXEL GS-1900-8HP v1 and v2
This adds the necessary nuts and bolts for the uboot settings for both the ZyXEL GS1900-8HP v1 and v2.

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
2021-02-23 21:10:56 +01:00
Eneas U de Queiroz
d1dfb577f1 wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Ilya Lipnitskiy
17f7b217d3 wireguard: don't build on Linux 5.10
There are efforts underway to bring wireguard in-tree for Linux 5.4 and
to have a common build infrastructure for both 5.4 and 5.10 for
kmod-wireguard[0]. Until then, restrict kmod-wireguard to build only on
Linux 5.4, because the wireguard-compat package will not build on Linux
5.10.

[0]: https://github.com/openwrt/openwrt/pull/3885

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-23 20:13:30 +01:00
Ilya Lipnitskiy
30b482551d kernel: 5.10: fix kmod build failures
Modify existing modules to reflect their new location in Linux 5.10. Add
missing dependenices.

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
[enable CRYPTO_USER_API_ENABLE_OBSOLETE; add kmod-crypto-hash dependency
to usb-net-rtl8152]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-23 20:13:22 +01:00
Ilya Lipnitskiy
57fdcf66f0 kernel: 5.10: fix rtl8812au-ct build
Pull in upstream:
c8d243936f
1e9689c89f

Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
2021-02-23 20:13:15 +01:00
Daniel Golle
9cd089dbbf arm-trusted-firmware-mediatek: use @OPENWRT mirror for blobs
Now that mirrors have picked it up, switch to using the @OPENWRT
mirror instead of hosting those files on Github.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-23 18:03:27 +00:00
Daniel Golle
5f1bd95278
procd: update to git HEAD
2be57ed cosmetics: provide compatible system info on Aarch64
 37eed13 system: expose if system was booted from initramfs

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-23 13:16:23 +00:00
Daniel Golle
068c82039f arm-trusted-firmware-mediatek: bring back package
* use binary provided by MediaTek to work-around 'bromimage' issue
 * refactor Makefile
 * add mt7622 1c variants (using binaries provided by MTK)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-23 12:28:49 +00:00
Álvaro Fernández Rojas
00f6944f16 bcm63xx-cferam: select for bmips target
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-22 18:09:03 +01:00
Álvaro Fernández Rojas
f107e1668c mtd: fixtrx: support CFE imagetag on bmips target
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-22 18:09:03 +01:00
Georgi Valkov
4b37e3bc2b libusb: Fix parsing of descriptors for multi-configuration devices
Prerequisite patch:
Correct a typo in the Changelog and clean up a stray file

Fix changes in libusb which introduced a regression:
Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device
initialization") introduced a regression for devices with multiple
configurations. The logic that verifies the reported length of the
configuration descriptors failed to count the length of the
configuration descriptor itself and would truncate the actual length by
9 bytes, leading to a parsing error for subsequent descriptors.

Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
2021-02-21 10:12:10 -10:00
Adrian Schmutzler
910b5d669f tfa-layerscape: build fiptool again
The ls-ddr-phy package needs fiptool options that are not
available via the version from arm-trusted-firmware-tools.
This breaks build for layerscape with the recently added LX2160a:

  create: unrecognized option '--ddr-immem-udimm-1d'

Use the tfa-layerscape variant again for now, but rename it to
fiptool-layerscape to indicate that it's a specific variant.

This reverts 84bc7d31e0 ("tfa-layerscape: don't build fiptool").

Fixes: f59d7aab2a ("layerscape: add ddr-phy package")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-21 00:01:36 +01:00
Petr Štetiar
1bf6d70e60 openwrt-keyring: add OpenWrt 21.02 GPG/usign keys
49283916005d usign: add 21.02 release build pubkey
bc4d80f064f2 gpg: add OpenWrt 21.02 signing key

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-20 15:59:47 +01:00
Andreas Eberlein
a3e6521c1a x86: add led driver for PC Engines APU1
This driver adds the LED support for the PC Engines APU1.
This integrates the Linux kernel driver and includes a patch to support
 newer firmware versions. Also the default LED configuration is updated
 to use the correct devices.

Signed-off-by: Andreas Eberlein <foodeas@aeberlein.de>
2021-02-20 00:29:18 -10:00
Christian Lamparter
09e66112f1 wolfssl: fix Ed25519 typo in config prompt
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-02-20 11:11:13 +01:00
Raphaël Mélotte
fb860b4e41 hostapd: backport ignoring 4addr mode enabling error
This is a backport of the upstream commit 58bbbb598144 ("nl80211: Ignore
4addr mode enabling error if it was already enabled") which fixes same
issue as in the current fix contained in '130-wpa_supplicant-multi_ap_roam.patch',
but in a different way:

 nl80211_set_4addr_mode() could fail when trying to enable 4addr mode on
 an interface that is in a bridge and has 4addr mode already enabled.
 This operation would not have been necessary in the first place and this
 failure results in disconnecting, e.g., when roaming from one backhaul
 BSS to another BSS with Multi AP.

 Avoid this issue by ignoring the nl80211 command failure in the case
 where 4addr mode is being enabled while it has already been enabled.

Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
[bump PKG_RELEASE, more verbose commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-02-20 10:38:48 +01:00
David Bauer
10e84bde36 openssl: update package sources
OpenSSL downloads itself are distributed using Akamai CDN, so use these
sources as the highest priority.

Remove a stale mirror which seems to be offline for a longer time
already.

Add fallbacks to the old release path also for the mirrors.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-20 01:26:40 +01:00
Yangbo Lu
80dcd14abe layerscape: add LX2160ARDB (Rev2.0 silicon) board support
The QorIQ LX2160A reference design board provides a comprehensive platform
that enables design and evaluation of the LX2160A processor.

- Enables network intelligence with the next generation Datapath (DPPA2)
  which provides differentiated offload and a rich set of IO, including
  10GE, 25GE, 40GE, and PCIe Gen4

- Delivers unprecedented efficiency and new virtualized networks

- Supports designs in 5G packet processing, network function
  virtualization, storage controller, white box switching, network
  interface cards, and mobile edge computing

- Supports all three LX2 family members (16-core LX2160A; 12-core LX2120A;
  and 8-core LX2080A)

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
[use AUTORELEASE, add dtb to firmware part]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-19 15:29:46 +01:00
Yangbo Lu
f59d7aab2a layerscape: add ddr-phy package
Add ddr-phy package for layerscape. Currently only LX2160ARDB
requires the package.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
[use AUTORELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-19 15:27:45 +01:00
Yangbo Lu
2c2d77bd3b layerscape: add FRWY-LS1046A board support
The LS1046A Freeway board (FRWY) is a high-performance computing,
evaluation, and development platform that supports the QorIQ
LS1046A architecture processor capable of support more than 32,000
CoreMark performance. The FRWY-LS1046A board supports the QorIQ
LS1046A processor, onboard DDR4 memory, multiple Gigabit Ethernet,
USB3.0 and M2_Type_E interfaces for Wi-Fi.

The FRWY-LS1046A-TP includes the Coral Tensor Flow Processing Unit
that offloads AI/ML inferencing from the CPU to provide significant
boost for AI/ML applications. The FRWY-LS1046A-TP includes one M.2
TPU module and more modules can easily be added including USB
versions of the module to scale the AI/ML performance.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
[rebase, use AUTORELEASE, fix sorting, add dtb to firmware part]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-19 15:27:15 +01:00
Álvaro Fernández Rojas
7febba3e50 cypress-firmware: fix PKG_SOURCE_URL
Download link has been moved.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-19 11:06:23 +01:00
Álvaro Fernández Rojas
1d3a9b1c00 bcm27xx-userland: update to latest version
Adds some fixes and removes upstreamed patch.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-18 23:42:46 +01:00
Álvaro Fernández Rojas
f41e653da9 bcm27xx-gpu-fw: update to latest version
This is needed to add support for CM4 and RPI 400.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-18 23:42:46 +01:00
Mathias Kresin
d2d32dcd5f kernel: lantiq: fix Module.symvers handling
If an external module uses exported symbols from another external
module, Kbuild needs to have full knowledge of all symbols to
avoid spitting out warnings about undefined symbols.

Use PKG_EXTMOD_SUBDIRS to point to the build directory which contains
the Module.symvers.

Pass KERNEL_MAKE_FLAGS to the external module build, to inject
KBUILD_EXTRA_SYMBOLS. KBUILD_EXTRA_SYMBOLS holds a space separated list
of Module.symvers, which list all exported symbols.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2021-02-18 08:43:08 +01:00
Eneas U de Queiroz
482c9ff289 openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissable
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 09:24:47 +01:00
Rosen Penev
b59905f045 gettext-full: update to 0.21
Add m4 patch to avoid conflict with tools/autoconf-archive.

Add build parallel as it seems to work now.

Remove a bunch of uClibc-ng hacks as it is not in the tree anymore.

Format security patch was fixed upstream.

Refreshed other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-16 19:27:55 -10:00
Felix Fietkau
b10d604459 kernel: add linux 5.10 support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 20:06:51 +01:00
Felix Fietkau
d02088762a build: reorder more BuildPackages lines to deal with ABI_VERSION
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 11:29:38 +01:00
Álvaro Fernández Rojas
a5c4c40476 ath10k-ct: switch to 5.10
Let's switch to 5.10 now that mac80211 has been updated.
Runtime-tested on ipq806x (Netgear R7800).

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2021-02-16 07:31:28 +01:00
Felix Fietkau
46b6ee7ffc util-linux: move libuuid BuildPackage line further up to fix ABI versioning
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 00:00:14 +01:00
Hauke Mehrtens
1132340a22 mac80211: Update to version 5.10.16-1
The removed patches were applied upstream.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 22:29:42 +01:00
Hauke Mehrtens
0cde9a0a65 mac80211: Refresh patches again
A wrong quilt configuration was used last time.

Fixes: ed1e234d87 ("mac80211: refresh patches")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 22:29:42 +01:00
Felix Fietkau
8edb1797d5 libubox: update to the latest version, set ABI_VERSION dynamically
2537be018587 cmake: add a possibility to set library version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 19:41:13 +01:00
Felix Fietkau
26a899e3e8 wolfssl: use libtool patch for PKG_ABI_VERSION
Makes it unnecessary to patch .so files after build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
0a497c4640 libubox: use build system variable to specify ABI version
This removes the need to patch it afterwards

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
f378d81da6 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:47 +01:00
Felix Fietkau
a933c26852 libubox: use PKG_ABI_VERSION
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:45 +01:00