This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed, and Eneas U de Queiroz added as maintainer.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This makes brcmfmac use the same wiphy after PCIe reset to help user
space handle corner cases (e.g. firmware crash).
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit f39f4b2f6d)
Patch getting RAM info got upstreamed. A debugging fs entry for testing
reset feature was added.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 681acdcc54)
Close cooperation with Lorenzo Bianconi resulted
in these patches which fix all remaining seen issues
when using dynack.
Fix link losses when:
- Late Ack's are not seen or not present
- switching from too low static coverage class to dynack on a live link
These are fixed by setting the Ack Timeout/Slottime to
the max possible value for the currently used channel width when
a new station has been discovered.
When traffic flows, dynack is able to adjust to optimal values
within a few packets received (typically < 1 second)
These changes have been thoroughly tested on ~60 offshore devices
all interconnected using mesh over IBSS and dynack enabled on all.
Distances between devices varied from <100m up to ~35km
[move patches to correct folder + renumber]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
(cherry picked from commit f6e8ba0238fe349b7529357793e2fb18635819ed)
This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.
Backporting upstream fix which now uses the same logic for relocation
time and dlsym.
Fixesopenwrt/packages#9297
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
CVE-2018-16870: medium-severity, new variant of the Bleichenbacher
attack to perform downgrade attacks against TLS, which may lead to
leakage of sensible data. Backported from 3.15.7.
CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack. Backported from 4.1.0.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The 8 year old file does not have any ARC definitions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 395bef4bba)
Missing header for va_list.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
(cherry picked from commit 2f97797471)
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.
This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.
Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.
As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f565f276e2)
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.
While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e1f588e446)
This update fixes usign signature verification on files with certain
file sizes triggering a bug in the shipped SHA-512 implementation.
5a52b37 sha512: fix bad hardcoded constant in sha512_final()
3e6648b README: replace unicode character
716c3f2 README: add reference to OpenBSD signify
86d3668 README: provide reference for ed25519 algorithm
939ec35 usign: main.c: describe necessary arguments for -G
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 991dd5a893)
Don't use cpu_to_be32 outside of a function.
In file included from /omcproxy-2017-02-14-1fe6f48f/src/omcproxy.h:51:0,
from omcproxy-2017-02-14-1fe6f48f/src/mrib.c:39:
omcproxy-2017-02-14-1fe6f48f/src/mrib.c:57:34: error: braced-group within expression allowed only inside a function
static uint32_t ipv4_rtr_alert = cpu_to_be32(0x94040000);
^
cc1: warning: unrecognized command line option '-Wno-gnu'
Ref: https://downloads.openwrt.org/releases/faillogs-18.06/arm_cortex-a9_vfpv3/base/omcproxy/compile.txt
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[more verbose commit message]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit cb4d00d184)
This fixes:
1) Crash during USB disconnect
2) Crash in brcmf_txfinalize() on rmmod with packets queued
3) Some errors in exit path
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Now that busybox is a known alternatives provider by opkg, we remove the
ALTERNATIVES spec and add a note to make the implicit situation clear
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry-picked from 62be427067)
Changelog
dcbc142 alternatives: remove duplicate 'const' specifier
21b7bd7 alternatives: special-case busybox as alternatives provider
d4ba162 libopkg: only perform size check when information is available
cb66403 libopkg: check for file size mismatches
Opkg starting from this version special-cases busybox as alternatives
provider. There should be no need to add entries to ALTERNATIVES of
busybox package
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Logic was inverted when changing from string check to file check.
Fix it.
Fixes: 8592602d0a ("base-files: Really check path in get_mac_binary")
Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 6ed3349308)
Currently, path argument is only checked for being not empty.
This changes behavior to actually check whether path exists.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
There was an issue with the backport compat layer in yesterday's snapshot,
causing issues on certain (mostly Atom) Intel chips on kernels older than
4.2, due to the use of xgetbv without checking cpu flags for xsave support.
This manifested itself simply at module load time. Indeed it's somewhat tricky
to support 33 different kernel versions (3.10+), plus weird distro
frankenkernels.
If OpenWRT doesn't support < 4.2, you probably don't need to apply this.
But it also can't hurt, and probably best to stay updated.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 593b487538)
Fix an issue where subinterfaces were not added to the same
firewall zone as their parent.
Fixes: FS#2122
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 64bb88841f)
Apparently this modem replies differently to attempted --get-pin-status
which makes the script fail if a pincode is set. Fix this.
Manufacturer: Sierra Wireless, Incorporated
Model: MC7455
Revision: SWI9X30C_02.24.05.06 r7040 CARMD-EV-FRMWR2 2017/05/19 06:23:09
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0b373bf4d6)
Restarting service causes file-systems to be unmounted without being
mounted back. When this service was obsoleted it should have been
implemented in a way that all actions are ignored. Up to this commit
default handler was called when restart was requested. This default
handler just simply calls stop and start. That means that stop called
unmount but start just printed that this service is obsoleted.
This instead implements restart that just prints same message like start
does. It just calls start in reality. This makes restart unavailable for
call.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
(cherry picked from commit 3ead9e7b74)
ff1ded6 libfstools: Fix overflow of F2FS_MINSIZE constant
bc2c876 libfstools: Print error in case of loop blkdev failure
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 1e55171a12)
Linux kernel has a polling mechanism that can be activated by changing
the parameter /sys/module/block/parameters/events_dfl_poll_msecs which
is deactivated by default or the /sys/block/[device]/events_poll_msecs
for one device.
This patch set the events_poll_msecs when a disk is inserted.
Once the media disk change event is sent by the kernel then we force a
re-read of the devices using /sbin/block info.
With this patch, insertion and ejection of sd card will automatically
generate partition devices in /dev.
Signed-off-by: Matthias Badaire <mbadaire@gmail.com>
[rewrap commit message, fix bashisms, fix non-matching condition,
bump pkg release]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit cf8483cb4f)
This fixes the following security problems:
* CVE-2019-9494: cache attack against SAE
* CVE-2019-9495: cache attack against EAP-pwd
* CVE-2019-9496: SAE confirm missing state validation in hostapd/AP
* CVE-2019-9497: EAP-pwd server not checking for reflection attack)
* CVE-2019-9498: EAP-pwd server missing commit validation for scalar/element
* CVE-2019-9499: EAP-pwd peer missing commit validation for scalar/element
* CVE-2019-11555: EAP-pwd message reassembly issue with unexpected fragment
Most of these problems are not relevant for normal users, SAE is only
used in ieee80211s mesh mode and EAP-pwd is normally not activated.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This patch adds a missing type property which prevented
the creation of oneshot and timer led triggers when they
are specified in the /etc/board.d/01_leds files.
i.e.:
ucidef_set_led_timer "system" "system" "zhuotk:green:system" "1000" "1000"
Fixes: b06a286a48 ("base-files: cleanup led functions in uci-defaults.sh")
Signed-off-by: Robinson Wu <wurobinson@qq.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[also fix oneshot as well]
1) Crash/Oops fixes
2) One-line patch for BCM43456 support
3) Fix communication with some specific FullMAC firmwares
4) Potential fix for "Invalid packet id" errors
5) Important helper for reporting FullMAC firmware crashes
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Drop the legacy start() and stop() procedures and define a proper
reload signal action instead.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f664d560df)
Highlights of this version:
- Change default RSA, DSA and DH size to 2048 bit
- Reject invalid EC point coordinates
This avoids CVE-2019-9498 and CVE-2019-9499 in hostapd
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
This adds the host staging directory to the include path to make it use
the zlib.h files from the staging include directory and also link
against the zlib version from the staging directory.
This fixes a compile problem when the zlib header were not installed on
the build host.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This reverts commit c6aa9ff388.
Further testing has revealed that we will need to allow concurrent
requests after all, especially for situations where CGI processes
initiate further HTTP requests to the local host.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f00a4ae6e0)
- Tested on Turris MOX, OpenWrt master
- Removed PKG_BUILD_DIR
In build_dir there were two folders
ca-certificates and ca-certificates-20190110 and it failed as files
were in ca-certificates-20190110
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
(cherry picked from commit f22c33b40c)
This bump contains bug and security fixes.
Compile-tested on ar71xx, ramips/mt7621 and x86/64.
Run-tested on ramips/mt7621.
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_HASH fixup]
Copy U-Boot to STAGING_DIR_IMAGE (and append it to the EVA-image from
there) to fix image generation using the image-builder.
Also remove the bootloader from DEVICE_PACKAGES and instead use the
BUILD_DEVICES directive from within the U-Boot makefile.
This fixes eva-image generation using the OpenWRT image-builder.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 634c733065)
00ac79d mt7603: fix initialization of max rx length
320af65 mt76: mt7603: use the correct hweight8() function
bdee924 mt76: fix schedule while atomic in mt76x02_reset_state
abcb544 mt76x02: do not enable RTS/CTS by default
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add missing /usr/sbin install dir fixing :
install: cannot create regular file 'build_dir/target-x86_64_musl/busybox-1.30.1/.pkgdir/busybox/usr/sbin/ntpd-hotplug': No such file or directory
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 2cd28c9a08)
28d81ff mt76x0: eeprom: fix VHT mcs{8,9} rate power offset
6e33ce6 mt76: move mt76_mcu_msg_alloc in mt76-core
4637f95 mt76: move mt76_mcu_get_response in mt76-core
1763cb0 mt76: move mt76_mcu_rx_event in mt76-core
4db9d75 mt76x0: mcu: remove useless commented configuration
91d0455 mt76: move mt76_dma_tx_queue_skb_raw in mt76-core module
0e8e53f mt76: remove add_buf pointer in mt76_queue_ops
db47920 mt7603: rely on mt76_mcu_msg_alloc routine
471c447 mt7603: rely on mt76_mcu_get_response routine
cacc986 mt7603: rely on mt76_mcu_rx_event routine
11ab620 mt7603: rely on mt76_tx_queue_skb_raw common routine
82fa312 mt7603: move alloc_dev common code in mt76_alloc_device
47d5922 mt76: move alloc_device common code in mt76_alloc_device
c50c993 mt76x2u: remove mt76x2u_alloc_device routine
6ed5b7a mt76x0: remove mt76x0u_alloc_device routine
e32e249 mt76x2: remove mt76x2_alloc_device routine
6aacd1e mt76: change the return type of mt76_dma_attach()
a10e9e5 mt76x02u: use usb_bulk_msg to upload firmware
a774ff6 mt76: usb: fix possible NULL pointer dereference in mt76u_mcu_deinit
c2877bc mt76: usb: fix possible memory leak in mt76u_buf_free
a5cfe96 mt76: usb: do not run mt76u_queues_deinit twice
1e4db14 mt76: usb: move mt76u_check_sg in usb.c
302406b mt76: usb: do not use sg buffers for mcu messages
8ab5267 mt76: usb: use a linear buffer for tx/rx datapath if sg is not supported
a0a3505 mt76: usb: introduce disable_usb_sg parameter
0cee180 mt76: usb: use dev_err_ratelimited instead of dev_err in mt76u_complete_rx
1bb97c4 mt76x02u: remove bogus check and comment padding
2cbc2d4 mt76: Use the correct hweight8() function
f18e03a mt76x0u: fix suspend/resume
6231336 mt76: mt76x02: fix TSF sync mode
783da04 mt76: mt76x02: fix beacon timer drift adjustment
43d2507 mt76: mt76x02: fix beacon timer issue
59a6587 mt76: mt76x02: only reset beacon drift counter when enabling beacons
8c8eb98 mt76: mt76x02: issue watchdog reset on MCU request timeout
52161d2 mt76: mt76x02: fix ED/CCA enabling/disabling
5e7ecce mt76: mt76x2: unify mt76x2[u]_mac_resume
18af219 mt76: mt76x02: set MT_TXOP_HLDR_TX40M_BLK_EN for mt76x2
e5747b2 mt76usb: allow mt76u_bulk_msg be used for reads
2437a9a mt76usb: use synchronous msg for mcu command responses
e4250c9 mt76usb: remove usb_mcu.c
8b1110e mt76: usb: fix warning in mt76u_buf_free
89215f6 mt76: usb: introduce mt76u_fill_bulk_urb routine
523e374 mt76: usb: simplify rx buffer allocation
ffe1292 mt76: usb: simplify mt76u_tx_build_sg routine
e2a9d40 mt7603: fix ba window size selection
b040ef7 mt76: remove no longer used routine declarations
645ef43 mt76: usb: check urb->num_sgs limit in mt76u_process_rx_entry
fd315bd mt7603: disable dynamic sensitivity adjustment by default
3c6df9b mt76: rewrite dma descriptor base and ring size on queue reset
30e757e mt76: mt76x02: when setting a key, use PN from mac80211
fa83406 mt76: mt76x2: implement full device restart on watchdog reset
ead881b mt76: mt76x02: do not sync PN for keys with sw_iv set
ba1d989 mt76: mmio: move mt76x02_set_irq_mask in mt76 module
283ebbe mt76: dma: move mt76x02_init_{tx,rx}_queue in mt76 module
b216d3c mt76: introduce q->stopped parameter
8b437d2 mt76x02: clear sta and vif driver data structures on add
2c62d03 mt76x02: clear running flag when resetting state on restart
6b10cfc mt76: mt76x02: only update the base mac address if necessary
669bc49 mt76: mt76x02: reduce false positives in ED/CCA tx blocking
2ed9382 mt76: mt7603: fix tx status HT rate validation
d2c6823 mt76: mt76x2: fix external LNA gain settings
8ee2259 mt76: mt76x2: fix 2.4 GHz channel gain settings
8bfe6d4 mt76: mt7603: clear ps filtering mode before releasing buffered frames
d13b065 mt76: mt7603: fix up hardware queue index for PS filtered packets
eb1ecc4 mt76: mt7603: notify mac80211 about buffered frames in ps queue
3687eec mt76: mt7603: clear the service period on releasing PS filtered packets
42ab27e mt76: when releasing PS frames, end the service period if no frame was found
461f3b0 mt76: mt76x02: disable ED/CCA by default
1d7760d mt76: mt7603: set moredata flag when queueing ps-filtered packets
0b927b2 mt76: fix return value check in mt76_wmac_probe()
e72376d mt76x02: fix hdr pointer in write txwi for USB
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This makes it clear that localuse when explicitly specified in the
config will have its final say on whether or not the initscript should
touch /etc/resolv.conf, no matter whatever the result of previous
guesswork would be
(cherry picked from c17a68cc61)
Tested-by: Paul Oranje <por@oranjevos.nl>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Paul Oranje <por@oranjevos.nl>
Currently it seems impossible to configure /etc/config/dhcp to achieve
the following use case
- run dnsmasq with no-resolv
- re-generate /etc/resolv.conf with "nameserver 127.0.0.1"
Before this change, we have to set resolvfile to /tmp/resolv.conf.auto
to achive the 2nd effect above, but setting resolvfile requires noresolv
being false.
A new boolean option "localuse" is added to indicate that we intend to
use dnsmasq as the local dns resolver. It's false by default and to
align with old behaviour it will be true automatically if resolvfile is
set to /tmp/resolv.conf.auto
(cherry picked from 2aea1ada65f050d74a064e74466bbe4e8d)
Tested-by: Paul Oranje <por@oranjevos.nl>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Paul Oranje <por@oranjevos.nl>
a9d4c0e mt76: mt76x2: avoid running DPD calibration if tx is blocked
4d7e13f mt76: explicitly disable energy detect cca during scan
e3c1aad mt76: run MAC work every 100ms
4e8766a mt76: clear CCA timer stats in mt76x02_edcca_init
e301f23 mt76: measure the time between mt76x02_edcca_check runs
74075ef mt76: increase ED/CCA tx block threshold
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This partitialy reverts commit f506de2cda.
Registering the GPIO chip without a parent device completely breaks the
ath9k GPIOs for device tree targets.
As long as boards using the devicetree don't have the gpio-controller
property set for the ath9k node, the unloading of the driver works as
expected.
Register the GPIO chip with the ath9k device as parent only for OF
targets to find a trade-off between the needs of driver developers and
the broken LEDs and buttons seen by users.
Fixes: FS#2098
Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit d35f2a5565)
a4ec45c mt7603: fix LED support (copy CFLAGS from main Makefile)
edda5c5 mt76x02: use mask for vifs
dd52191 mt76x02: use commmon add interface for mt76x2u
a80acaf mt76x02: initialize mutli bss mode when set up address
38e832d mt76x02: minor beaconing init changes
171adaf mt76x02: init beacon config for mt76x2u
dcab682 mt76: beaconing fixes for USB
ff81de1 mt76x02: enable support for IBSS and MESH
8027b5d mt7603: remove copyright headers
e747e80 mt76: fix software encryption issues
2afa0d7 mt7603: remove WCID override for software encrypted frames
Signed-off-by: Felix Fietkau <nbd@nbd.name>
c3da1aa mt7603: trigger beacon stuck detection faster
7a53138 mt7603: trigger watchdog reset if flushing CAB queue fails
6eef33b mt7603: remove mt7603_txq_init
ae30c30 mt76: add driver callback for when a sta is associated
0db925f mt7603: update HT/VHT capabilities after assoc
b5ac8e4 mt7603: initialize LED callbacks only if CONFIG_MT76_LEDS is set
c989bac mt76x0: eeprom: fix chan_vs_power map in mt76x0_get_power_info
24bd2c0 mt76x0: phy: report target_power in debugfs
bc7ce2a mt76x0: init: introduce mt76x0_init_txpower routine
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When config_get is called as "config_get section option" the option
is unexpectedly globbed by the shell which differs from the way options
are read to a variable with "config_get variable section option".
Add another layer of double quotes to fix it.
Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
(backported from commit c3389ab135)
This fixes the following security problems:
* CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication
* CVE-2018-0734: Timing vulnerability in DSA signature generation
* Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module
Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
(cherry picked from commit 989060478a)
* tools: curve25519: handle unaligned loads/stores safely
This should fix sporadic crashes with `wg pubkey` on certain architectures.
* netlink: auth socket changes against namespace of socket
In WireGuard, the underlying UDP socket lives in the namespace where the
interface was created and doesn't move if the interface is moved. This
allows one to create the interface in some privileged place that has
Internet access, and then move it into a container namespace that only
has the WireGuard interface for egress. Consider the following
situation:
1. Interface created in namespace A. Socket therefore lives in namespace A.
2. Interface moved to namespace B. Socket remains in namespace A.
3. Namespace B now has access to the interface and changes the listen
port and/or fwmark of socket. Change is reflected in namespace A.
This behavior is arguably _fine_ and perhaps even expected or
acceptable. But there's also an argument to be made that B should have
A's cred to do so. So, this patch adds a simple ns_capable check.
* ratelimiter: build tests with !IPV6
Should reenable building in debug mode for systems without IPv6.
* noise: replace getnstimeofday64 with ktime_get_real_ts64
* ratelimiter: totalram_pages is now a function
* qemu: enable FP on MIPS
Linux 5.0 support.
* keygen-html: bring back pure javascript implementation
Benoît Viguier has proofs that values will stay well within 2^53. We
also have an improved carry function that's much simpler. Probably more
constant time than emscripten's 64-bit integers.
* contrib: introduce simple highlighter library
This is the highlighter library being used in:
- https://twitter.com/EdgeSecurity/status/1085294681003454465
- https://twitter.com/EdgeSecurity/status/1081953278248796165
It's included here as a contrib example, so that others can paste it into
their own GUI clients for having the same strictly validating highlighting.
* netlink: use __kernel_timespec for handshake time
This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit bbcd0634f8)
Updates mbedtls to 2.14.1. This builds on the previous master commit 7849f74117.
Fixes in 2.13.0:
* Fixed a security issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency networks with high packet loss.
Fixes in 2.14.1:
* CVE-2018-19608: Local timing attack on RSA decryption
Includes master commit 9e7c4702a1 'mbedtls: fix compilation on ARM < 6'.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
[Update to 2.14.1]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
[Adapted and squashed for 18.06.1+]
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
d273ddd mt7603: fix number of frames limit in .release_buffered_frames
63bf183 mt76: add channel switch announcement support
e45db12 mt7603: fix tx status info
9d11596 mt7603: discard bogus tx status data
4bcb2f9 mt7603: fix txd q_idx field value
4206db7 mt76: set IEEE80211_HW_NEEDS_UNIQUE_STA_ADDR flag
c4e4982 mt7603: set IEEE80211_HW_TX_STATUS_NO_AMPDU_LEN
702f557 mt7603: use maximum tx count for buffered multicast packets
158529d mt7603: fix PSE reset retry sequence
fc31457 mt7603: implement support for SMPS
3e9a7d5 Revert "mt7603: fix txd q_idx field value"
815fd03 mt7603: fix CCA timing values
b35cc8e mt7603: set timing on channel change before starting MAC
79b337c mt7603: move CF-End rate update to mt7603_mac_set_timing
3df341d mt7603: avoid redundant MAC timing updates
1c751f3 mt76: avoid scheduling tx queues for powersave stations
2efa389 mt7603: limit station power save queue length to 64
63a79ff mt76: do not report out-of-range rx nss
fe30bd3 mt7603: issue PSE reset on tx hang
ce8cc5d mt7603: issue PSE client reset on init
e342cc5 mt7603: fix buffered multicast count register
aa470d8 mt7603: fix buffered multicast queue flush
b4ee01f mt76: fix tx status timeout processing
7d00d58 mt76x02: fix per-chain signal strength reporting
64abb35 mt76: fix corrupted software generated tx CCMP PN
0b939dc mt76: fix resetting software IV flag on key delete
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This update fixes some cosmetical issues and a number of segmentation
faults when parsing lists having Conflicts or Replaces tags.
d217daf libopkg: fix replacelist parsing and writing
9dd9a07 libopkg: fix segmentation fault when traversing conflicts
34571ba libopkg: consider provided packages in pkg_vec_mark_if_matches()
18740e6 opkg_download: print error when fork() fails
e3d7330 libopkg: don't print unresolved dependencies twice
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 1bd18f2b5c)
check_signature is a bool option and doesn't take any arguments. The
presence of the 1 falsely suggests setting it to 0 disables the check,
while the option actually needs to be removed or commented out to be
disabled. So remove the argument to make it more clear.
Fixes: beca028bd6 ("build: add integration for managing opkg package feed keys")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
(cherry picked from commit d3bf5ff9bc)
331ac70 Correctly update parent qlen when splitting GSO packets
581967c Makefile: Hook into Kbuild/Kconfig infrastructure
The parent qlen change is potentially relevant for us, the makefile is a
no-op.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 55e0a7131a4b6e98d7cd623727f8ac5c4702b60d)
6745830 mt76: fix race condition in station removal
7e5c819 mt76: add mt76_sta_remove helper
75aa36e mt7603: use wcid/wcid_mask from struct mt76_dev
fd85ff9 mt7603: use mt76_sta_remove helper
0848d2d mt7603: simplify mt7603_mcu_msg_send, remove skb_ret handling
83a80ca mt76: request tx status for powersave released EOSP packet
df5c797 mt76: fix uninitialized mutex access setting rts threshold
0bfa98e mt76: introduce mt76x02_config_mac_addr_list routine
4248446 mt76x0: pci: enable VHT rates in IBSS mode
f75efd8 mt76x2u: phy: add TX_SHAPING calibration
c1d67b4 mt76x2u: phy: run phy_channel_calibrate after channel switch
9fe0fe8 mt76x2u: main: use mt76x02_bss_info_changed utility routine
3fc95d7 mt76x2u: init: remove mt76x2u_init_beacon_offsets routine
88f6883 mt76: remove wait argument from mt76x02_mcu_calibrate
009ab91 mt76: clean up more unused EXPORT_SYMBOLs
963768d mt76x02: fix regression in tx station race condition fix
d7788cc mt76: mt76x02: make group_wcid the first member in struct mt76x02_vif
e65ad4c mt7603: make group_wcid the first member in struct mt7603_vif
7b1373e mt76: mt76x02: remove mt76x02_txq_init
a97127b mt76: replace sta_add/remove ops with common sta_state function
13f1e82 mt7603: clear wtbl entry for removed stations
90e2c1b mt7603: add mt7603_wtbl_set_skip_tx, change mt7603_wtbl_set_ps users
41931e4 mt7603: toggle skip_tx on station add/remove
d0fdf01 mt7603: avoid unnecessary wtbl writes for ps-filter
96b3b3d mt76x2u: main: fix typo setting sta_state mac80211 callback
471d397 mt7603: fix priority for buffered multicast packets
3873e82 mt7603: fix MT_BMAP_0/MT_GROUP_THD_0 register initializion for mt7628
749d5c3 mt7603: fix reserved page handling for mt7628
d22799b mt7603: reduce reserved pages for beacons
42c5281 mt7603: fix maximum frame size in scheduler init
fa7335b mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues
84aa12a mt76: fix potential null pointer deref in mt76_sta_add
7c4c33c mt7603: skip efuse tx power data for mt7628
ca2c875 mt7603: add support for accessing remapped registers via ops
b44d793 mt7603: clear PSE redirections before MCU init
82363ab mt7603: move tx status to rx queue 0
c09e8a4 mt7603: fix buffering of tx packets for powersave clients
4734108 mt7603: use mt7603_wtbl_clear on station removal
9428e34 mt7603: fix watchdog reset sequence
b3f82a3 mt7603: report PSE reset failures via debugfs
a301dec mt7603: add back PSE client reset code
94cebfc mt7603: fix handling lost interrupt events during watchdog reset
b38fe7d mt7603: only issue PSE reset on PSE stuck
da666a7 mt7603: issue PSE reset if firmware debug register indicates stuck queues
5fb60a7 mt7603: fix aggregation size handling
31cd20e mt7603: issue PSE reset on stuck beacon
4063ae1 mt7603: check for PSE hang / stuck beacon first
00e03b9 mt7603: fix MT_WF_PHY_CR_RXTD_BASE definition
c3efb5d mt7603: add support for detecting MT7688 and single stream devices
2a136cb mt7603: fix TKIP key setup
cd456ca mt7603: disable broken support for WEP hardware encryption
3ecb7f8 mt7603: fix hardware queue assignment
6ac9653 mt7603: fix CAB queue limits
d22feb0 mt7603: move cab queue enabling to pre-tbtt tasklet
44bb372 mt7603: fix CAB queue flush mask
5a5b396 mt76: throttle transmission of buffered multicast packets
8084323 mt7603: implement code for adjusting energy detect CCA thresholds
8929a6e mt7603: increase MCU timeout
f2ba65f mt7603: update firmware to 20161027164355
0ad998b mt7603: increase aggregation limits (based on vendor driver changes)
da00af0 mt7603: clear bit 18 in MT_SEC_SCR to fix ICV error
417ab77 mt7603: improve recovery from PSE reset failure
fea7ad8 mt76: move mt76x02_phy_get_min_avg_rssi to mt76 core
9d009be mt7603: add dynamic sensitivity tuning based on false CCA events
2c8e9ac mt7603: initialize channel maximum power from eeprom data
b2cc29b mt76: move mt76x02_get_txpower to mt76 core
6203d46 mt7603: add support for setting transmit power
294e095 mt7603: reset DMA scheduler on MT7628
8178f0d mt7603: apply efuse data only when it exists
e67e551 mt76: dma: remove napi from mt76_dma_rx_fill signature
0490bd2 mt76: usb: do not build the skb if reported len does not fit in buf_size
eb076ae mt76: Add missing include of linux/module.h
1d2819e mt76: fix typo in mt76x02_check_mac_err routine
9c9fae3 mt76: mac: run mt76x02_mac_work routine atomically
6be90b6 mt76: usb: avoid queue/status spinlocks while passing tx status to mac80211
40dad32 mt76x0: pci: fix ACS support
d94e9c4 mt76x02: do not set protection on set_rts_threshold callback
0d83d73 mt76x02: fixup MT_PROT_RATE_* defines
628f8d7 mt76x02: set protection according to ht operation element
f7d8c17 mt76x0: configure MT_VHT_HT_FBK_CFG1
10f57cf mt76x2: add static qualifier to mt76x2_init_hardware
37b2ad3 mt76: dfs: run mt76x02_dfs_set_domain atomically
51b6daf mt76x2: init: set default value for MT_TX_LINK_CFG
9661da4 mt76: add energy detect CCA support to mt76x{0,2}e drivers
876d0e9 mt76: mac: minor optimizations in mt76x02_mac_tx_rate_val
c78e317 mt76: dma: do not build skb if reported len does not fit in buf_size
3598046 mt76: mmio: introduce mt76x02_check_tx_hang watchdog
58988a3 mt76: fix signedness of rx status signal field
bce700d mt7603: fix signal strength reporting on single-stream devices
148219d mt7603: fix checkpatch issues
2a092e2 mt7603: fix per-rate retry accounting
962152b mt7603: fix WMM TXOP limit configuration
24ec040 mt7603: fix BSSID configuration in AP mode
48fb011 mt7603: fix CF-End transmit rate when 11b stations are connected
9daa5ff mt76: make const array 'data' static, shrinks object size
7d4a95c mt76: dma: avoid indirect call in mt76_dma_tx_queue_skb
f84b008 mt76: fix tx status reporting for non-probing frames
8167074 Revert "mt7603: update firmware to 20161027164355"
2ad54b2 mt76: move wcid rssi ewma init to mt76 core
d77c861 mt76: fix rssi ewma tracking
eca96cd mt76: use proper name for __MT76x02_H macro
d1bc504 mt76: fix building without CONFIG_LEDS_CLASS
a946b78 mt76: add led support to mt76x0e driver
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This is a big block(d) cleanup with new feature of generating "mount"
hotplug.d events.
It's an important update for those who were using mountd in the
pre-18.06 releases. Due to the mountd being replaced with blockd a
support for "mountd" hotplug.d events has been lost. It broke all kind
of shell scripts that were e.g. managing services depending on an
external USB drive availability.
This basically (re-)adds support for calling /etc/hotplug.d/mount/
scripts with ACTION ("add" or "remove") and DEVICE set.
af93f4b block(d): improve hotplug.d "mount" events for the autofs
3bb3352 blockd: unmount device explicitly when it disappears
28753b3 block: remove target directory after unmounting
c8c7ca5 block: cleanup handling "start" action of the "autofs" command
f1bb762 block: make blockd_notify() return an int instead of void
71c2bde block: generate hotplug.d mount events
30f5096 block: validate amount of arguments for the "autofs" command
dc6a462 blockd: don't reparse blob msg in the vlist callbacks
f6a9686 blockd: don't unmount device when removing it from the list
1913fea block: don't duplicate unmounting code in the mount_action()
6b445fa block: make umount_device() function more generic
a778468 block: don't duplicate mounting code in the mount_device()
5dc631d block: simplify code picking mount target directory
2971779 block: move blockd_notify() call out of the conditional blocks
b86bd6e block: fix formatting & indent in the mount_device()
e12c0d6 fstools: use EXIT_FAILURE when indicating error on exit
091aa3d fstools: guard usage of WEXITSTATUS
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 5c4277ec37)
Both of these are used by programs that run as root and nothing else.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[rmilecki: dropped PKG_SOURCE_URL regression from the original patch]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 4ad87744fa)
This file is needed to properly use the tc ematch modules present in
kmod-sched-core and kmod-sched. It is a read-only index file of ematch
methods used only by tc.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
[cherry picked from commit 10a2ccb7fc]
This pick most of brcmfmac changes backported into the master in commits
5932eb690f ("mac80211: brcmfmac: backport firmware loading cleanup")
3eab6b8275 ("mac80211: brcmfmac: backport NVRAM loading improvements")
529c95cc15 ("mac80211: brcmfmac: fix use-after-free & possible NULL pointer dereference")
It's more than would be normally backported into a stable branch but it
seems required. Firmware loading cleanups are needed to allow fix memory
bugs in a reliable way. Memory fixes are really important to avoid
corrupting memory and risking a NULL pointer dereference.
Hopefully this stuff has received enough testing in the master.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Interface triggers are installed by the dropbear init script in case an
interface is configured for a given dropbear uci section.
As dropbear is started after network the interface trigger event can be
missed during a small window; this is especially the case if lan is
specified as interface.
Fix this by starting dropbear before network so no interface trigger
is missed. As dropbear is started earlier than netifd add a boot function
to avoid the usage of network.sh functions as call to such functions will
fail at boottime.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
* chacha20,poly1305: fix up for win64
* poly1305: only export neon symbols when in use
* poly1305: cleanup leftover debugging changes
* crypto: resolve target prefix on buggy kernels
* chacha20,poly1305: don't do compiler testing in generator and remove xor helper
* crypto: better path resolution and more specific generated .S
* poly1305: make frame pointers for auxiliary calls
* chacha20,poly1305: do not use xlate
This should fix up the various build errors, warnings, and insertion errors
introduced by the previous snapshot, where we added some significant
refactoring. In short, we're trying to port to using Andy Polyakov's original
perlasm files, and this means quite a lot of work to re-do that had stableized
in our old .S.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(backported from 48d8d46d33)
* Zinc no longer ships generated assembly code. Rather, we now
bundle in the original perlasm generator for it. The primary purpose
of this snapshot is to get testing of this.
* Clarify the peer removal logic and make lifetimes more precise.
* Use READ_ONCE for is_valid and is_dead.
* No need to use atomic when the recounter is mutex protected.
* Fix up macros and annotations in allowedips.
* Increment drop counter when staged packets are dropped.
* Use static constants instead of enums for 64-bit values in selftest.
* Mark large constants as ULL in poly1305-donna64.
* Fix sparse warnings in allowedips debugging code.
* Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can
carefully control the lifetime of these functions and ensure they never
execute after dropping the last reference.
* Cleanup hashing in ratelimiter.
* Do not guard timer removals, since del_timer is always okay.
* We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a
bit more general.
* Set csum_level to ~0, since the poly1305 authenticator certainly means
that no data was modified in transit.
* Use CHECKSUM_PARTIAL check for skb_checksum_help instead of
skb_checksum_setup check.
* wg.8: specify that wg(8) shows runtime info too
* wg.8: AllowedIPs isn't actually required
* keygen-html: add missing glue macro
* wg-quick: android: do not choke on empty allowed-ips
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(backported from bf52c968e8)
ba2ab5d version: bump snapshot
5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
8432585 main: get rid of unloaded debug message
139e57c tools: compile on gnu99
d65817c tools: use libc's endianness macro if no compiler macro
f985de2 global: give if statements brackets and other cleanups
b3a5d8a main: change module description
296d505 device: use textual error labels always
8bde328 allowedips: swap endianness early on
a650d49 timers: avoid using control statements in macro
db4dd93 allowedips: remove control statement from macro by rewriting
780a597 global: more nits
06b1236 global: rename struct wireguard_ to struct wg_
205dd46 netlink: do not stuff index into nla type
2c6b57b qemu: kill after 20 minutes
6f2953d compat: look in Kbuild and Makefile since they differ based on arch
a93d7e4 create-patch: blacklist instead of whitelist
8d53657 global: prefix functions used in callbacks with wg_
123f85c compat: don't output for grep errors
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(backported from 4653818dab)
64750c1 version: bump snapshot
f11a2b8 global: style nits
4b34b6a crypto: clean up remaining .h->.c
06d9fc8 allowedips: document additional nobs
c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
b6e09f6 crypto: disable broken implementations in selftests
fd50f77 compat: clang cannot handle __builtin_constant_p
bddaca7 compat: make asm/simd.h conditional on its existence
b4ba33e compat: account for ancient ARM assembler
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(backported from 3925298f3c)
* Account for big-endian 2^26 conversion in Poly1305.
* Account for big-endian NEON in Curve25519.
* Fix macros in big-endian AArch64 code so that this will actually run there
at all.
* Prefer if (IS_ENABLED(...)) over ifdef mazes when possible.
* Call simd_relax() within any preempt-disabling glue code every once in a
while so as not to increase latency if folks pass in super long buffers.
* Prefer compiler-defined architecture macros in assembly code, which puts us
in closer alignment with upstream CRYPTOGAMS code, and is cleaner.
* Non-static symbols are prefixed with wg_ to avoid polluting the global
namespace.
* Return a bool from simd_relax() indicating whether or not we were
rescheduled.
* Reflect the proper simd conditions on arm.
* Do not reorder lines in Kbuild files for the simd asm-generic addition,
since we don't want to cause merge conflicts.
* WARN() if the selftests fail in Zinc, since if this is an initcall, it won't
block module loading, so we want to be loud.
* Document some interdependencies beside include statements.
* Add missing static statement to fpu init functions.
* Use union in chacha to access state words as a flat matrix, instead of
casting a struct to a u8 and hoping all goes well. Then, by passing around
that array as a struct for as long as possible, we can update counter[0]
instead of state[12] in the generic blocks, which makes it clearer what's
happening.
* Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86,
and the other implementations do not require that kind of alignment either.
* Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so
that we can build code that uses umull.
* Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config
variables consistently throughout.
* Document rationale for the 2^26->2^64/32 conversion in code comments.
* Convert all of remaining BUG_ON to WARN_ON.
* Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old
ISAs via the macro in <asm/assembler.h>.
* Do not allow WireGuard to be a built-in if IPv6 is a module.
* Writeback the base register and reorder multiplications in the NEON x25519
implementation.
* Try all combinations of different implementations in selftests, so that
potential bugs are more immediately unearthed.
* Self tests and SIMD glue code work with #include, which lets the compiler
optimize these. Previously these files were .h, because they were included,
but a simple grep of the kernel tree shows 259 other files that carry out
this same pattern. Only they prefer to instead name the files with a .c
instead of a .h, so we now follow the convention.
* Support many more platforms in QEMU, especially big endian ones.
* Kernels < 3.17 don't have read_cpuid_part, so fix building there.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(backported from b665856450)
8a1ad80 Release version 4.19.
ecdf295 ethtool: Fix uninitialized variable use at qsfp dump
98c148e ethtool: better syntax for combinations of FEC modes
d4b9f3f ethtool: support combinations of FEC modes
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(backported from 5617e138bd)
Tested on 8devices Jalapeno(ipq40xx)
Introduces following changes:
Feature: Add support for WAKE_FILTER (WoL using filters)
Feature: Add support for action value -2 (wake-up filter)
Fix: document WoL filters option also in help message
Feature: ixgbe dump strings for security registers
Signed-off-by: Robert Marko <robimarko@gmail.com>
(backported from a9d7353192)