* Makefile: remove pwd from compile output
* Makefile: add standard 'all' target
* Makefile: evaluate git version lazily
Quality of life improvements for packagers.
* ipc: simplify inflatable buffer and add fuzzer
* fuzz: add generic command argument fuzzer
* fuzz: add set and setconf fuzzers
More fuzzers and a slicker string list implementation. These fuzzers now find
themselves configuring wireguard interfaces from scratch after several million
mutations, which is fun to watch.
* netlink: make sure to clear return value when trying again
Prior, if a dump was interrupted by a concurrent set operation, we'd try
again, but forget to reset an error flag, so we'd keep trying again forever.
Now we do the right thing and succeed when we succeed.
* Makefile: sort inputs to linker so that build is reproducible
Earlier versions of make(1) passed GLOB_NOSORT to glob(3), resulting in the
linker receiving its inputs in a filesystem-dependent order. This screwed up
reproducible builds.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
* Makefile: strip prefixed v from version.h
This fixes a mistake in dmesg output and when parsing the sysfs entry in the
filesystem.
* device: skb_list_walk_safe moved upstream
This is a 5.6 change, which we won't support here, but it does make the code
cleaner, so we make this change to keep things in sync.
* curve25519: x86_64: replace with formally verified implementation
This comes from INRIA's HACL*/Vale. It implements the same algorithm and
implementation strategy as the code it replaces, only this code has been
formally verified, sans the base point multiplication, which uses code
similar to prior, only it uses the formally verified field arithmetic
alongside reproducable ladder generation steps. This doesn't have a
pure-bmi2 version, which means haswell no longer benefits, but the
increased (doubled) code complexity is not worth it for a single
generation of chips that's already old.
Performance-wise, this is around 1% slower on older microarchitectures,
and slightly faster on newer microarchitectures, mainly 10nm ones or
backports of 10nm to 14nm. This implementation is "everest" below:
Xeon E5-2680 v4 (Broadwell)
armfazh: 133340 cycles per call
everest: 133436 cycles per call
Xeon Gold 5120 (Sky Lake Server)
armfazh: 112636 cycles per call
everest: 113906 cycles per call
Core i5-6300U (Sky Lake Client)
armfazh: 116810 cycles per call
everest: 117916 cycles per call
Core i7-7600U (Kaby Lake)
armfazh: 119523 cycles per call
everest: 119040 cycles per call
Core i7-8750H (Coffee Lake)
armfazh: 113914 cycles per call
everest: 113650 cycles per call
Core i9-9880H (Coffee Lake Refresh)
armfazh: 112616 cycles per call
everest: 114082 cycles per call
Core i3-8121U (Cannon Lake)
armfazh: 113202 cycles per call
everest: 111382 cycles per call
Core i7-8265U (Whiskey Lake)
armfazh: 127307 cycles per call
everest: 127697 cycles per call
Core i7-8550U (Kaby Lake Refresh)
armfazh: 127522 cycles per call
everest: 127083 cycles per call
Xeon Platinum 8275CL (Cascade Lake)
armfazh: 114380 cycles per call
everest: 114656 cycles per call
Achieving these kind of results with formally verified code is quite
remarkable, especialy considering that performance is favorable for
newer chips.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Older ath79-based MikroTik devices have the ERD calibration data
compressed and stored different to newer IPQ40xx ones. This commit
adds support for these former ones.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Acked-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
This utility extracts the radio calibration data, as well as other
board-related information (model, serial number, etc.), from MikroTik
Routerboard devices' flash.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Acked-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add ubootenv uci config for gl-ar150, gl-domino and gl-mifi
Signed-off-by: Kimmo Vuorinen <kimmo.vuorinen@gmail.com>
[commit message/title facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
hostapd allows putting WDS (4addr mode) clients into a separate bridge
other than the bridge regular (3addr mode) clients end up in. This is
useful for example giving WDS clients access to several VLANs
(trunking) while regular clients will end up inside a specific VLAN.
Add 'wds_bridge' config parameter for wifi-iface which contains the
name of the bridge. hostapd-mini already supports this feature, so all
needed is to add the UCI wrapping in mac80211.sh.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add support for Methode DM7052 NBASE-T module to OpenWRT. These
patches are taken from my "phy" branch, and will be sent for the
next kernel merge window.
Signed-off-by: Russell King <linux@armlinux.org.uk>
[jonas.gorski: move patches to pending, refresh patches]
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
58c12f7 jail: add basic support for network namespaces
ba69639 jail: create resolv.conf symlink for netns jails
81b88b1 jail: more strict mount options for /tmp/resolv.conf.d/
Add new 'netns' flag for procd_add_jail to make ujail setup a new
network namespace for the jailed service.
See previous netifd commit for example configuration for netns jailed
service.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Prepare netifd for handling procd service jails having their own
network namespace.
Intefaces having the jail attribute will only be brought up inside the
jail's network namespace by procd calling the newly introduced ubus
method 'netns_updown'.
Currently proto 'static' is supported and configuration changes are
not yet being handled (ie. you'll have to restart the jailed service
for changes to take effect).
Example /etc/config/network snippet:
config device 'veth0'
option type 'veth'
option name 'vhost0'
option peer_name 'virt0'
config interface 'virt'
option type 'bridge'
list ifname 'vhost0'
option proto 'static'
option ipaddr '10.0.0.1'
option netmask '255.255.255.0'
config interface 'virt0'
option ifname 'virt0'
option proto 'static'
option ipaddr '10.0.0.2'
option netmask '255.255.255.0'
option gateway '10.0.0.1'
option dns '10.0.0.1'
option jail 'transmission'
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Most of the kernel version switches below 4.14 were removed in commit
97940f8766 ("kernel: remove obsolete kernel version switches"),
but some of them still remained. Remove them now.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
It's cleaner and faster as it does not need to do extra work.
Also removed $() to avoid executing the output. The shell can handle it.
https://github.com/koalaman/shellcheck/wiki/SC2143
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[correct || to && for one conversion]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
When building libcxx for x86/64, the library is installed in /usr/lib64.
As the install section tries to copy the library from /usr/lib, this
breaks build on x86/64. Override the lib dir suffix to fix this.
Fixes: 856ea2bad3 ("libcxx: Add package")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rosen Penev <rosenp@gmail.com>
6db312a dhcpv6-ia: use dhcp leasetime to set preferred/valid statefull lifetimes
2520c48 dhcpv6-ia: introduce DHCPv6 pd and ia assignments flags
b413d8a dhcpv6-ia: cleanup prefix delegation routes
b0902af dhcpv6-ia: remove passing interface as parameter to apply_lease
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Currently, it is very cumbersome for a user to connect to a WPA-Enterprise
based network securely because the RADIUS server's CA certificate must first be
extracted from the EAPOL handshake using tcpdump or other methods before it can
be pinned using the ca_cert(2) fields. To make this process easier and more
secure (combined with changes in openwrt/openwrt#2654), this commit adds
support for validating against the built-in CA bundle when the ca-bundle
package is installed. Related LuCI changes in openwrt/luci#3513.
Signed-off-by: David Lam <david@thedavid.net>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In function `main` add calls to `free` for the variable `executable`.
This is needed because the variable `executable` is allocated but
never freed. This cause a memory leak.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
If a config section of a peer does not have a public key defined, the
whole interface does not start. The following log is shown
daemon.notice netifd: test (21071): Line unrecognized: `PublicKey='
daemon.notice netifd: test (21071): Configuration parsing erro
The command 'wg show' does only show the interface name.
With this change we skip the peer for this interface and emit a log
message. So the other peers get configured.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This patch introduces support for Netgear WNDR4500v3. Router
is very similar to WNDR4300v2 and is based on the same PCB.
Information gathered from various Internet sources (including
https://patchwork.ozlabs.org/patch/809227/) shows following
differences to WNDR4300v2:
* two USB 2.0 ports with separate LEDs
* USB LEDs soldered to secondary pads
* WPS and RFKILL buttons soldered to secondary pads
* described as N900 device with 3x3:3 MIMO for 2.4GHz radio
* power supply requirement is DC 12V 2.5A
* vendor HW ID suffix differs in one digit
* bigger chassis
Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
This patch introduces support for Netgear WNDR4300v2.
Specification
=============
* Description: Netgear WNDR4300 v2
* Loader: U-boot
* SOC: Qualcomm Atheros QCA9563 (775 MHz)
* RAM: 128 MiB
* Flash: 2 MiB SPI-NOR + 128 MiB SPI-NAND
- NOR: U-boot binary: 256 KiB
- NOR: U-boot environment: 64 KiB
- NOR: ART Backup: 64 KiB
- NOR: Config: 64 KiB
- NOR: Traffic Meter: 64 KiB
- NOR: POT: 64 KiB
- NOR: Reserved: 1408 KiB
- NOR: ART: 64 KiB
- NAND: Firmware: 25600 KiB (see notes for OpenWrt)
- NAND: Language: 2048 KiB
- NAND: mtdoops Crash Dump: 128 KiB
- NAND: Reserved: 103296 KiB
* Ethernet: 5 x 10/100/1000 (4 x LAN, 1 x WAN) (AR8337)
* Wireless:
- 2.4 GHz b/g/n (internal)
- 5 GHz a/n (AR9580)
* USB: yes, 1 x USB 2.0
* Buttons:
- Reset
- WiFi (rfkill)
- WPS
* LEDs:
- Power (amber/green)
- WAN (amber/green)
- WLAN 2G (green)
- WLAN 5G (blue)
- 4 x LAN (amber/green)
- USB (green)
- WPS (green)
* UART: 4-pin connector JP1, 3.3V (Vcc, TX, RX, GND), 115200 8N1
* Power supply: DC 12V 1.5A
* MAC addresses: LAN=WLAN2G on case label, WAN +1, WLAN5G +2
Important Notes
===============
0. NOR Flash (2 MiB) is not touched by OpenWrt installation.
1. NAND Flash (128 MiB) layout under OpenWrt is changed as follows:
all space is split between 4 MiB kernel and 124 MiB UBI areas;
vendor partitions (language and mtdoops) are removed; kernel space
size can be further expanded if needed; maximum image size is set
to 25600k for compatibility reasons and can also be increased.
2. CPU clock is 775 MHz, not 750 MHz.
3. 5 GHz wireless radio chip is Atheros AR9580-AR1A with bogus PCI
device ID 0xabcd. For ath9k driver to load successfully, this is
overriden in DTS with correct value for this chip, 0x0033.
4. RFKILL button is wired to AR9580 pin 9 which is normally disabled
by chip definition in ath9k code (0x0000F4FF gpio mask). Therefore
'qca,gpio-mask=<0xf6ff>' hack must be used for button to work
properly.
5. USB port is always on, no GPIO for 5V power control has been
identified.
Installation
============
* TFTP recovery
* TFTP via U-boot prompt
* sysupgrade
* Web interface
Test build configuration
========================
CONFIG_TARGET_ath79=y
CONFIG_TARGET_ath79_nand=y
CONFIG_TARGET_ath79_nand_DEVICE_netgear_wndr4300-v2=y
CONFIG_ALL_KMODS=y
CONFIG_DEVEL=y
CONFIG_CCACHE=y
CONFIG_COLLECT_KERNEL_DEBUG=y
CONFIG_IMAGEOPT=y
Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
This patch adds 'qca,gpio-mask=<u32>' device tree property to ath9k node.
This optional setting is a hack and should only be used in very special
(and rare) cases when a button or LED is wired to a GPIO pin normally
masked out (due to being one-way etc). Netgear WNDR4300 v2 is one such
example - it uses GPI9 for RFKILL.
See ath9k/reg.h *_GPIO_MASK constants.
Use with caution and expect to see stream of kernel warnings if wrong
mask value is provided.
Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
If zram-backed swap is added after an existing swap, it gets a lower
priority. Assiming that usually all other swaps are slower, there should
be a way to assign a higher priority to zram swap.
Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
The depends are totally wrong. libunwind does not work with powerpc and
i386 as it needs glibc.
Instead of duplicating the platforms, just change the dependency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
With this change it is now possible to switch off single instances of
the uhttpd config. Until now it was only possible to switch all
instances of uhttpd on or off.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
NAS devices certainly need to have hdparm to configure
things like spin-down time or their disks will be
constantly spinning. Just catenate CONFIG_HDPARM=y
on these configs.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building
the package, and users from downloading it, since they use 'ALL_KMODS=y'
but 'ALL' is not set.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Implement the suggestions laid out in README_PACKAGERS, mainly by preventing
the stripping of the internal vgpreload*.so libraries.
Also retain the symbol information of valgrind's private helper executables
and enable LTO as suggested in the packagers readme.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Setting CONFIG_IPK_FILES_CHECKSUMS=y causes sha256 checksum files to be
included with the packages to check for corruption. This commit fixes two
issues:
- /sbin/pkg_check was being removed incorrectly if IPK_FILES_CHECKSUMS=y
- checksums were being saved in the wrong file
Signed-off-by: Xu Wang <xwang1498@gmx.com>
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.
From the documentation:
subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com
subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.
altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI
altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.
domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.
domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
Signed-off-by: David Lam <david@thedavid.net>
Network interfaces are looked up based on the device behind a phy, so the
phy needs to be checked separately
Signed-off-by: Felix Fietkau <nbd@nbd.name>