Currently, the build option to enable/disable engine support isn't
reflected in the final '/etc/ssl/openssl.cnf' config. It assumes `engines`
is always enabled, producing an error whenever running any
commands in openssl util or programs that explicitly use settings
from '/etc/ssl/openssl.cnf'.
```
➤ openssl version
FATAL: Startup failure (dev note: apps_startup()) for openssl
307D1EA97F000000:error:12800067:lib(37):dlfcn_load:reason(103):crypto/dso/dso_dlfcn.c:118:filename(libengines.so):
Error loading shared library libengines.so: No such file or directory
307D1EA97F000000:error:12800067:lib(37):DSO_load:reason(103):crypto/dso/dso_lib.c:152:
307D1EA97F000000:error:0700006E:lib(14):module_load_dso:reason(110):crypto/conf/conf_mod.c:321:module=engines, path=engines
307D1EA97F000000:error:07000071:lib(14):module_run:reason(113):crypto/conf/conf_mod.c:266:module=engines
```
Build should check for the `CONFIG_OPENSSL_ENGINE` option, and comment out `engines`
if not explicitly enabled.
Example:
```
[openssl_init]
providers = provider_sect
```
After this change, openssl util works correctly.
```
➤ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
```
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/15661
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 31ec4515c3)
Link: https://github.com/openwrt/openwrt/pull/15873
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Major changes between OpenSSL 3.0.13 and OpenSSL 3.0.14 [04-Jun-2024]
* Fixed potential use after free after SSL_free_buffers() is called.
[CVE-2024-4741]
* Fixed checking excessively long DSA keys or parameters may be very slow.
[CVE-2024-4603]
* Fixed an issue where some non-default TLS server configurations can cause
unbounded memory growth when processing TLSv1.3 sessions. An attacker may
exploit certain server configurations to trigger unbounded memory growth that
would lead to a Denial of Service. [CVE-2024-2511]
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded. This can be used on platforms
where using atexit() from shared libraries causes crashes on exit
Signed-off-by: John Audia <therealgraysky@proton.me>
Build system: x86/64
Build-tested: x86/64/AMD Cezanne
(cherry picked from commit bac2f1bed6)
Link: https://github.com/openwrt/openwrt/pull/15873
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes multiple security problems:
* [High] CVE-2024-0901 Potential denial of service and out of bounds
read. Affects TLS 1.3 on the server side when accepting a connection
from a malicious TLS 1.3 client. If using TLS 1.3 on the server side
it is recommended to update the version of wolfSSL used.
* [Med] CVE-2024-1545 Fault Injection vulnerability in
RsaPrivateDecryption function that potentially allows an attacker
that has access to the same system with a victims process to perform
a Rowhammer fault injection. Thanks to Junkai Liang, Zhi Zhang, Xin
Zhang, Qingni Shen for the report (Peking University, The University
of Western Australia)."
* [Med] Fault injection attack with EdDSA signature operations. This
affects ed25519 sign operations where the system could be susceptible
to Rowhammer attacks. Thanks to Junkai Liang, Zhi Zhang, Xin Zhang,
Qingni Shen for the report (Peking University, The University of
Western Australia).
Size increased a little:
wolfssl 5.6.6:
516880 bin/packages/mips_24kc/base/libwolfssl5.6.6.e624513f_5.6.6-stable-r1_mips_24kc.ipk
wolfssl: 5.7.0:
519429 bin/packages/mips_24kc/base/libwolfssl5.7.0.e624513f_5.7.0-stable-r1_mips_24kc.ipk
(cherry picked from commit f475a44c03)
Link: https://github.com/openwrt/openwrt/pull/15872
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Comfast CF-E393AX is a dual-band Wi-Fi 6 POE ceiling mount access point.
Oem firmware is a custom openwrt 21.02 snapshot version.
We can gain access via ssh once we remove the root password.
Hardware specification:
SoC: MediaTek MT7981A 2x A53
Flash: 128 MB SPI-NAND
RAM: 256MB DDR3
Ethernet: 1x 10/100/1000 Mbps built-in PHY (WAN)
1x 10/100/1000/2500 Mbps MaxLinear GPY211C (LAN)
Switch: MediaTek MT7531AE
WiFi: MediaTek MT7976D
LEDS: 1x (Red, Blue and Green)
Button: Reset
UART: 3.3v, 115200n8
--------------------------
| Layout |
| ----------------- |
| 4 | VCC GND TX RX | <= |
| ----------------- |
--------------------------
Gain SSH access:
1. Login into web interface (http://apipaddress/computer/login.html),
and download the
configuration(http://apipaddress/computer/config.html).
2. Rename downloaded backup config - 'backup.file to backup.tar.gz',
Enter 'fakeroot' command then decompress the configuration:
tar -zxf backup.tar.gz
3. Edit 'etc/shadow', update (remove) root password:
With password =
'root:$1$xf7D0Hfg$5gkjmvgQe4qJbe1fi/VLy1:19362:0:99999:7:::'
'root:$1$xf7D0Hfg$5gkjmvgQe4qJbe1fi/VLy1:19362:0:99999:7:::'
to
Without password =
'root::0:99999:7:::'
'root::0:99999:7:::'
4. Repack 'etc' directory back to a new backup file:
tar -zcf backup-ssh.tar.gz etc/
5. Rename new config tar.gz file to 'backup-ssh.file'
Exit fakeroot - 'exit'
6. Upload new configuration via web interface, now you
can SSH with the following:
'ssh -vv -o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.10.1'.
Backup the mtd partitions
- https://openwrt.org/docs/guide-user/installation/generic.backup
7. Copy openwrt factory firmware to the tmp folder to install via ssh:
'scp -o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa \
*-mediatek-filogic-comfast_cf-e393ax-squashfs-factory.bin \
root@192.168.10.1:/tmp/'
'sysupgrade -n -F \
/tmp/*--mediatek-filogic-comfast_cf-e393ax-squashfs-factory.bin'
8. Once led has stopped flashing - Connect via ssh with the
default openwrt ip address - 'ssh root@192.168.1.1'
9. SSH copy the openwrt sysupgrade firmware and upgrade
as per the default instructions.
Signed-off-by: David Bentham <db260179@gmail.com>
(cherry picked from commit d8f4453bf2)
Specifications:
SoC: MediaTek MT7981B
RAM: 256MiB
Flash: SPI-NAND 128 MiB
Switch: 1 WAN, 3 LAN (Gigabit)
Buttons: Reset, Mesh
Power: DC 12V 1A
WiFi: MT7976CN
UART: 115200n8
UART Layout:
VCC-RX-TX-GND
No. of Antennas: 6
Note: Upon opening the router, only 5 antennas were connected
to the mainboard.
Led Layout:
Power-Mesh-5gwifi-WAN-LAN3-LAN2-LAN1-2gWiFi
Buttons:
Reset-Mesh
Installation:
A. Through OpenWrt Dashboard:
If your router comes with OpenWrt preinstalled (modified by the seller),
you can easily upgrade by going to the dashboard (192.168.1.1) and then
navigate to System -> Backup/Flash firmware, then flash the firmware
B. Through TFTP
Standard installation via UART:
1. Connect USB Serial Adapter to the UART, (NOTE: Don't connect the VCC pin).
2. Power on the router. Make sure that you can access your router via UART.
3. Restart the router then repeatedly press ctrl + c to skip default boot.
4. Type > bootmenu
5. Press '2' to select upgrade firmware
6. Press 'Y' on 'Run image after upgrading?'
7. Press '0' and hit 'enter' to select TFTP client (default)
8. Fill the U-Boot's IP address and TFTP server's IP address.
9. Finally, enter the 'firmware' filename.
Signed-off-by: Ian Oderon <ianoderon@gmail.com>
(cherry picked from commit 4300bc6688)
This is mostly a cosmetic cleanup. The absence of
the return statement was not causing any problems.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
(cherry picked from commit 8cf4ac5195)
Similar to the *_get_mac_binary function, also split the common parts
off mtd_get_mac_ascii into new get_mac_ascii function and introduce
mmc_get_mac_ascii which uses it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 45c85c1827)
Don't ignore probe requests which contain an invalid DS parameter for the
current operating channel.
As the comment outlines, the drop shall only apply if
dot11RadioMeasurementActivated is set to 1.
However, it was observed Linux clients (Debian 12 / NixOS 23.11)
with an Intel 8265 NIC may generate a probe request frame with
dot11RadioMeasurementActivated set to false and an invalid DSSS
parameter.
These were also dropped even though they should not have been. They
however should not have contained this parameter in the first place.
Don't drop Probe Requests which contain such an invalid field. This may
lead to more probe responses being sent, however it does fix very
frequent connection issues for these clients on 2.4 GHz.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 68e4cc9be5)
a903d3169193 wifi: mt76: mt7921: fix a potential association failure upon resuming
eb0d0ce344f3 wifi: mt76: mt7921: fix suspend issue on MediaTek COB platform
841bf82e9958 wifi: mt76: fix the issue of missing txpwr settings from ch153 to ch177
ce7ccc540168 wifi: mt76: Remove redundant assignment to variable tidno
a238df940d6f wifi: mt76: mt7915: initialize rssi on adding stations
46c7d1849dbd wifi: mt76: replace skb_put with skb_put_zero
b5640b3153c7 wifi: mt76: fix tx packet loss when scanning on DBDC
7b054e5cb3af wifi: mt76: mt7915: fix mcu command format for mt7915 tx stats
3f27a64a8010 wifi: mt76: mt7915: fix bogus Tx/Rx airtime duration values
4f681a8fbc91 wifi: mt76: mt7915: fix HE PHY capabilities IE for station mode
8ede229eb8b5 wifi: mt76: mt7915: only set MT76_MCU_RESET for the main phy
2330781b8c5f wifi: mt76: mt7996: only set MT76_MCU_RESET for the main phy
e5fb6995e7eb wifi: mt76: mt7915: add support for disabling in-band discovery
b4a917417c85 wifi: mt76: mt7915: add mt7986, mt7916 and mt7981 pre-calibration
2135e201e7a9 mt76: mt7915: add fallback in case of missing precal data
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 85ad6b9569)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
On Fedora 40 system, some compile error happens when
building iconv-ostream.c. Linking to libiconv-full
fixes this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
(cherry picked from commit 63dd14b906)
Link: https://github.com/openwrt/openwrt/pull/15627
Signed-off-by: Robert Marko <robimarko@gmail.com>
This reverts commit dcdcfc1511.
This is a firmware for third-party u-boot mod, which should not
be carried here by us.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
(cherry picked from commit 1b7e62b20b)
When an IBBS interface is configured for IBSS legacy mode, wdev.htmode
is empty. This is empty string results in an empty positional argument
to the "ibbs join" command, for example:
iw dev phy0-ibss0 ibss join crymesh 2412 '' fixed-freq beacon-interval 100
This empty argument is interpreted as an invalid HT mode by 'iw',
causing the entire command to fail and print a "usage" message:
daemon.notice netifd: radio0 (4527): Usage: iw [options] \
dev <devname> ibss join <SSID> <freq in MHz> ...
Although nobody will ever need more than 640K of IBSS, explicitly use
"NOHT" if an HT mode is not given. This fixes the problem.
Fixes: e56c5f7b27 ("hostapd: add ucode support, use ucode for the main ubus object")
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [extend to cover more cases]
(cherry picked from commit cee9fcdb73)
Changes:
73529a8 Revert "wireless-regdb: Update and disable 5470-5730MHz band according to TPC requirement for Singapore (SG)"
87941e4 wireless-regdb: Update regulatory rules for Taiwan (TW) on 6GHz
33797ae wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit 65c1f0d433)
This fixes:
mt7603/dma.c: In function 'mt7603_rx_loopback_skb':
mt7603/dma.c:60:17: error: ISO C90 forbids mixed declarations and code [-Werror=declaration-after-statement]
Fixes: 2568b30285 ("mt76: backport mt7603 fixes important for its stability")
Fixes: https://github.com/openwrt/openwrt/issues/15510
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Those are required for stable MT7603E & on-SoC MT7628/MT7688 wireless
support. After mt76 receiving more testing we may just update codebase
and drop those backports.
Fixes: https://github.com/openwrt/mt76/issues/865
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
bebd9cffc2ae wifi: mt76: mt7921: fix 6GHz disabled by the missing default CLC config
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 1a57d758f2)
[rmilecki: it's a no-change for 23.05 as we had that fix backported]
f63f87cd5b45 wifi: mt76: mt7996: fix shift overflow warning on 32 bit systems
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit da7b0351fc)
[rmilecki: it's a no-change for 23.05 as we had that fix backported]
mDNS broadcast can't accept empty TXT record and would fail
registration.
Current procd_add_mdns_service checks only if the first passed arg is
empty but don't make any verification on the other args permittins
insertion of empty values in TXT record.
Example:
procd_add_mdns "blah" \
"tcp" "50" \
"1" \
"" \
"3"
Produce:
{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "", "3" ] } }
The middle empty TXT record should never be included as it's empty.
This can happen with scripts that make fragile parsing and include
variables even if they are empty.
Prevent this and make the TXT record more solid by checking every
provided TXT record and include only the non-empty ones.
The fixed JSON is the following:
{ "blah_50": { "service": "_blah._tcp.local", "port": 50, "txt": [ "1", "3" ] } }
Fixes: b0d9dcf84d ("procd: update to latest git HEAD")
Reported-by: Paul Donald <newtwen@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15331
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 4b04304713)
This reverts commit 997ff740dc.
78cbd5apick as it should be fixed in commit 78cbd5a57e11 ("tools: macOS:
types.h: fix missing unsigned types").
References: #13833
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f691830307)
This reverts commit 3cc57ba462 as it
should be fixed in commit 78cbd5a57e11 ("tools: macOS: types.h: fix
missing unsigned types").
References: #13833
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit bc47613cf0)
It's needed by some drivers, e.g. mt7925, see:
mt7925/main.c:264:9: error: implicit declaration of function '_ieee80211_set_sband_iftype_data' [-Werror=implicit-function-declaration]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
It's needed by some drivers, e.g. mt7925, see:
mt7925/mcu.c:2181:23: error: implicit declaration of function 'ieee80211_vif_is_mld' [-Werror=implicit-function-declaration]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Some queues can't be tweaked and return -ENOENT if it's not multiqueue.
Silence any error from echo to produce a more clean bootlog.
Fixes: #12095
Suggested-by: Andris PE <neandris@gmail.com>
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Add kernel module for lp5562 LED driver.
The kmod-leds-lp5562 depends on kmod-leds-lp55xx-common.
Signed-off-by: CheWei Chien <chewei.chien@wnc.com.tw>
(cherry picked from commit b33fa6ac90)
Huawei AP5030DN is a dual-band, dual-radio 802.11ac Wave 1 3x3 MIMO
enterprise access point with two Gigabit Ethernet ports and PoE
support.
Hardware highlights:
- CPU: QCA9550 SoC at 720MHz
- RAM: 256MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: QCA9550-internal radio
- Wi-Fi 5GHz: QCA9880 PCIe WLAN SoC
- Ethernet 1: 10/100/1000 Mbps Ethernet through Broadcom B50612E PHY
- Ethernet 2: 10/100/1000 Mbps Ethernet through Marvell 88E1510 PHY
- PoE: input through Ethernet 1 port
- Standalone 12V/2A power input
- Serial console externally available through RJ45 port
- External watchdog: SGM706 (1.6s timeout)
Serial console:
9600n8 (9600 baud, no stop bits, no parity, 8 data bits)
MAC addresses:
Each device has 32 consecutive MAC addresses allocated by
the vendor, which don't overlap between devices.
This was confirmed with multiple devices with consecutive
serial numbers.
The MAC address range starts with the address on the label.
To be able to distinguish between the interfaces,
the following MAC address scheme is used:
- eth0 = label MAC
- eth1 = label MAC + 1
- radio0 (Wi-Fi 5GHz) = label MAC + 2
- radio1 (Wi-Fi 2.4GHz) = label MAC + 3
Installation:
0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP
1. Power up the AP
2. At prompt "Press f or F to stop Auto-Boot in 3 seconds",
do what they say.
Log in with default admin password "admin@huawei.com".
3. Boot the OpenWrt initramfs from TFTP using the hidden script
"run ramboot". Replace IP address as needed:
> setenv serverip 192.168.1.10
> setenv ipaddr 192.168.1.1
> setenv rambootfile
openwrt-ath79-generic-huawei_ap5030dn-initramfs-kernel.bin
> saveenv
> run ramboot
4. Optional but recommended as the factory firmware cannot
be downloaded publicly:
Back up contents of "firmware" partition using the web interface or ssh:
$ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap5030dn_fw_backup.bin
5. Run sysupgrade using sysupgrade image. OpenWrt
shall boot from flash afterwards.
Return to factory firmware (using firmware upgrade package downloaded from
non-public Huawei website):
1. Start a TFTP server in the directory where
the firmware upgrade package is located
2. Boot to u-boot as described above
3. Install firmware upgrade package and format the config partitions:
> update system FatAP5X30XN_SOMEVERSION.bin
> format_fs
Return to factory firmware (from previously created backup):
1. Copy over the firmware partition backup to /tmp,
for example using scp
2. Use sysupgrade with force to restore the backup:
sysupgrade -F huawei_ap5030dn_fw_backup.bin
3. Boot AP to U-Boot as described above
Quirks and known issues
-----------------------
- On initial power-up, the Huawei-modified bootloader suspends both
ethernet PHYs (it sets the "Power Down" bit in the MII control
register). Unfortunately, at the time of the initial port, the kernel
driver for the B50612E/BCM54612E PHY behind eth0 doesn't have a resume
callback defined which would clear this bit. This makes the PHY unusable
since it remains suspended forever. This is why the backported kernel
patches in this commit are required which add this callback and for
completeness also a suspend callback.
- The stock firmware has a semi dual boot concept where the primary
kernel uses a squashfs as root partition and the secondary kernel uses
an initramfs. This dual boot concept is circumvented on purpose to gain
more flash space and since the stock firmware's flash layout isn't
compatible with mtdsplit.
- The external watchdog's timeout of 1.6s is very hard to satisfy
during bootup. This is why the GPIO15 pin connected to the watchdog input
is configured directly in the LZMA loader to output the CPU_CLK/4 signal
which keeps the watchdog happy until the wdt-gpio kernel driver takes
over. Because it would also take too long to read the whole kernel image
from flash, the uImage header only includes the loader which then reads
the kernel image from flash after GPIO15 is configured.
Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de>
[fixed 6.6 backport patch naming]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 06cdc07f8c)
52144f723bec pex: after receiving data update req, notify peer of local address/port
29aacb9386e0 pex: track indirect hosts (reachable via gateway) as peers without adding them to wg
48049524d4fc pex: do not send peer notifications for hosts with a gateway
12ac684ee22a pex: do not query for hosts with a gateway
203c88857354 pex: fix endian issues on config transfer
a29d45c71bca network: fix endian issue in converting port to network id
cbbe9d337a17 unet-cli: emit id by default
806457664ab6 unet-cli: strip initial newline in usage message
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a112ed4126)
This adds support for the Iomega ix4-200d device in uboot-envtools.
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
(cherry picked from commit 2cfe86d383)
These two patches are fixing minor problems with DNSSEC found shortly
after the dnsmasq 2.90 release.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 28c87d7ecd)
dnsmasq was recently updated to 2.90, but PKG_RELEASE was not reset to 1.
Fixes: 838a27f64f ("dnsmasq: version 2.90")
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 694e647784)
