Many bugs were fixed--2 patches removed here.
This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:
- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit f4853f7cca)
Hardware acceleration was disabled when AES-CCM was selected as a
workaround for a build failure. This applies a couple of upstream
patches fixing this.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit ab19627ecc)
c9b6668 ustream-ssl: skip writing pending data if .eof is true after connect
Fixes: CVE-2019-5101, CVE-2019-5102
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 6f9157e6bd)
Instead of depending on kmod-usb2 make it depend on the normal USB
dependencies. This should hopefully fix some problems seen in the build
bot builds for powerpc_8540.
In addition also activate DRIVER_11N_SUPPORT support.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3ff3b044c0)
This patch breaks building on PowerPC, like the mpc85xx_generic
target for me.
Fixes: FS#2585
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b01305c8d2)
Forward the OpenWrt TARGET_LDFLAGS to the linker of the fw_printenv tool.
In addition also use the more standard make invocation script.
With this change the fw_printenv tool is built with PIE and Full RELRO
support when activated globally in OpenWrt.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
(cherry picked from commit b7b2be0b26)
All buttons on the Netgear R6220 are active-low while they are flagged
as active-high.
The GPIO status reads the following for no buttons pressed:
root@64367-r6220:~# cat /sys/kernel/debug/gpio
gpio-7 ( |wps ) in hi
gpio-8 ( |wifi ) in hi
gpio-14 ( |reset ) in hi
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f7f9fe5256ebb660d3160452c3c01a9eb080938f)
This fixes the netdev LED trigger for interfaces, which are renamed
during initialization (e.g. ppp interfaces).
Fixes: FS#2193
Fixes: FS#2239
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit edbadec843)
When switching from master branch to 19.07 or older, we need to ensure
that Python symlink in staging bin directory points to Python 2.
We can't rely completly just on SetupHostCommand as its executed only in
cases when the $(STAGING_DIR_HOST)/bin/python doesn't already exist, so
we need to remove it before running SetupHostCommand.
This is a cherry-pick of 3b68fb57c9
with python3 instead of python2
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Here is a way to break your build env without this patch:
1) have python point to python3, and no python2
2) start the build, SetupHostCommand will create a symlink
./staging_dir/host/bin/python -> /usr/bin/python
3) build fails on scons because it can't find any python2
4) install python2 and restart the build
5) the build fails on wireless-regdb compile because python is python3 instead of python
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Refresh patches, for changes in version 7.66.0 see https://curl.haxx.se/changes.html#7_66_0
Fixes CVEs:
CVE-2019-5481
CVE-2019-5482
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 71cf4a272c)
To simplify the upgrade process and ensure easier identification of
device partitioning, the following devices are disabled on ath79
target in openwrt-19.07 branch:
- glinet,gl-ar300m-nor
- glinet,gl-ar300m-nand
- glinet,gl-ar750s
Proper ath79 (NAND) support for the devices is expected to be
introduced based on kernel 4.19 (see GitHub PR #2184).
In openwrt-19.07, ar71xx should be used for those devices.
With this, we ensure that the new ath79 image names (at least for
releases) refer to the updated partitioning.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The QCA953x only supports 25 MHz refclk, however some OEMs set an
invalid bootstrap value for the REF_CLK option, which would break the
clock detection in ath9k.
Force the QCA953x refclk to 25MHz in ath9k, as this is (according to the
datasheet) the only valid frequency.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 4c6fe32468)
This fixes commit bae927c551 ("ar71xx: add support for TP-LINK CPE510
V2.0") where the support for this device wasn't optimal.
Device support for the CPE510v2 so far has been a hack to enable
flashing with CPE510v1 images. Those even have different hardware (e.g.
additional ethernet port).
With this patch, we provide proper support for this device in ar71xx.
Installation:
- Flash factory image through stock firmware WEB UI or through TFTP
- To get to TFTP recovery just hold reset button while powering on
for around 4-5 seconds and release.
- Rename factory image to recovery.bin
- Stock TFTP server IP: 192.168.0.100
- Stock device TFTP address: 192.168.0.254
Fixes: bae927c551 ("ar71xx: add support for TP-LINK CPE510 V2.0")
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[Rebased onto revert commit, changed comments in mach-cpe510.c,
changed commit title and description, fixed eth0 MAC address,
removed eth1 initialization]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[squashed revert, added fixes tag]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit c79b796280)
[added CPE510V2 entry to tplink-safeloader.c]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This will have GIT ignore patches in root directory, as created
when using "git format-patch".
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 2c54135598)
There is a problem with the EA8500, the switch will not work after soft
reboot, the only way to get it working again is to power cycle it
manually.
There are probably several issues in the play, it's quite hard to fix it
without having access to the actual device, so I don't see any other
option now, then revert the offending commit.
Ref: PR#2047
Fixes: FS#2168 ("Switch no longer work after restart on Linksys EA8500")
Reported-by: Adam <424778940z@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 04d6753d03)
The release notes since last time for wave-1:
* October 5, 2019: Fix too-short msg caused by invalid use of PayloadLen in receive path.
This appears to resolve the issue of getting (and ignoring) too-short commands
when we detect loss of CE interrupts and go into polling mode.
* October 12, 2019: Fix regression in IBSS mode that caused SWBA overrun issues. Related to
regression added during the ct-station logic, specifically TSF allocation.
Thanks for Ahmed Zaki @ Mage-Networks for helping to diagnose and test.
* October 15, 2019: Only send beacon tx completion events if we can detect CT driver is being
used (based on CT_STATS_OK flag being set). This should help CT firmware work
better on stock driver.
The release notes since last time for wave-2:
* October 15, 2019: Only send beacon tx completion events if we can detect CT driver is being
used (based on ATH10k_USE_TXCOMPL_TXRATE2 | ATH10k_USE_TXCOMPL_TXRATE1 flags being set).
This should help CT firmware work better on stock driver.
* October 31, 2019: Compile out peer-ratecode-list-event. ath10k driver ignores the event.
* November 1, 2019: Fix rate-ctrl related crash when nss and other things were changed while
station stays associated. See bug: https://github.com/greearb/ath10k-ct/issues/96
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit e716e93a2f7290086f49992c9980773c88100c3a)
Import patches from upstream to sync 19.07 with master:
9f3e3323e996 rt2x00: allow to specify watchdog interval
2034afe4db4a rt2800: add helpers for reading dma done index
759c5b599cf4 rt2800: initial watchdog implementation
09db3b000619 rt2800: add pre_reset_hw callback
710e6cc1595e rt2800: do not nullify initialization vector data
e403fa31ed71 rt2x00: add restart hw
0f47aeeada2a rt2800: do not enable watchdog by default
41a531ffa4c5 rt2x00usb: fix rx queue hang
3b902fa811cf rt2x00usb: remove unnecessary rx flag checks
1dc244064c47 rt2x00: no need to check return value of debugfs_create functions
706f0182b1ad rt2800usb: Add new rt2800usb device PLANEX GW-USMicroN
95844124385e rt2x00: clear IV's on start to fix AP mode regression
567a9b766b47 rt2x00: do not set IEEE80211_TX_STAT_AMPDU_NO_BACK on tx status
14d5e14c8a6c rt2x00: clear up IV's on key removal
13fa451568ab Revert "rt2800: enable TX_PIN_CFG_LNA_PE_ bits per band"
--pending-- rt2800: remove errornous duplicate condition
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
With this commit, the WAN LED is triggered by the switch port state
instead of the eth0 netdev.
Otherwise, the LED is always illuminated, regardless of the WAN port
link state.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 70d5989c9c)
Signed-off-by: David Bauer <mail@david-bauer.net>
This enables PMKSA and opportunistic key caching by default for
WPA2/WPA3-Personal, WPA3-Personal and OWE auth types.
Otherwise, Apple devices won't connect to the WPA3 network.
This should not degrade security, as there's no external authentication
provider.
Tested with OCEDO Koala and iPhone 7 (iOS 13.1).
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 3034f8c3b8)
Signed-off-by: David Bauer <mail@david-bauer.net>
Both targets miss a subtarget causing an image naming style which is
different from other all othe targets, even tho it already uses
`x/generic/` as subfolder as if the subtarget would exist.
This commit adds the Generic subtarget resulting in consistent naming.
~/src/openwrt/openwrt/bin/targets/ipq806x/generic$ ls
openwrt-ipq806x-generic-netgear_d7800-initramfs-uImage
openwrt-ipq806x-generic-netgear-d7800.manifest
openwrt-ipq806x-generic-netgear_d7800-squashfs-factory.img
openwrt-ipq806x-generic-netgear_d7800-squashfs-sysupgrade.bin
CC: John Crispin <john@phrozen.org>
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 853e4dd306)
The 2.4 GHz radio had very poor signal reception (-89 dBm for an AP
sitting 5 m away). By enabling the external amplifier, received signal
has improved to -50 dBm for the same AP.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit e667d6f46b)
Modify GL-AR300M-Lite and GL-AR300M (NOR):
* Include qca9531_glinet_gl-ar300m.dtsi directly
rather than qca9531_glinet_gl-ar300m-nor.dts
* Remove redundant inclusion of gpio.h and input.h
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Reviewed-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit f5c7fe2ff0)
So far, WiFi MAC addresses for this device have been set up from
caldata. However, this returns values which do not look like MAC
addresses. They also do not match stock firmware:
wlan0 (5.0): 00:11:22:00:17:D0 from 0x8004
wlan1 (2.4): 00:11:22:00:17:CD from 0x4 (and 0x2e)
It looks like the only valid MAC address on this device is at 0x28.
So, this patch changes setup to calculate addresses based on the
value at 0x28:
lan: *:0A (flash, label)
wan: *:0B (flash + 1)
wifi2: *:0A (flash)
wifi5: *:0C (flash + 2)
Thanks to Roger Pueyo Centelles <roger.pueyo@guifi.net> for
investigating this on his devices.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit d1072096f4)
Update libevent to 2.1.11
Use CMake instead GNU Autotools
Backport following commits:
f05ba67193
..and partially
7201062f3e
to fix compilation
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit f351beedfd)
(resolves FS#2435)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The kconfig symbol is an invisible one since its introduction. It is
not supposed to be enabled on its own.
Resolves FS#1821
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry picked from commit 4bf9bec361)
Improves rate control responsiveness and performance
Signed-off-by: Felix Fietkau <nbd@nbd.name>
[reworked to apply on 4.19.79 mac80211 + renumbered + refreshed]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
The Unifi AC-LR has identical hardware to the Unifi AC-Lite.
The antenna setup is different according to the vendor,
which explains the thicker enclosure.
Therefore, it is helpful to know the exact device variant,
instead of having "Ubiquiti UniFi-AC-LITE/LR".
Signed-off-by: Andreas Ziegler <dev@andreas-ziegler.de>
[fix legacy name in commit message; add old boardname to
SUPPORTED_DEVICES]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 07c1ddf522)
Signed-off-by: David Bauer <mail@david-bauer.net>
This commit adds correct model detection for UniFi
AC-LR. Previously, said device was incorrectly detected
as UniFi-AC-LITE/MESH.
The Information about the device is stored at 0xC in the EEPROM
partition. It corresponds to the sysid in /etc/board.info of the
Ubiquiti stock firmware.
Signed-off-by: Andreas Ziegler <dev@andreas-ziegler.de>
[adjust naming style of target to existing ones]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 2bc7c519dc)
Signed-off-by: David Bauer <mail@david-bauer.net>
This fixes frequent crashes observed on a UniFi AC Mesh using OpenWrt
master and 19.07. 18.06 seems not affected from our testing.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 641a93f0f2)
Signed-off-by: David Bauer <mail@david-bauer.net>
This commit changes the source of the Wave 1 ath10k-firmware
from linux-firmware to Kall Valos ath10k-firmware repository.
This is necessary as the firmware selected in linux-firmware produces
frequent crashes in some circumstances.
This patch can be removed as soon as linux-firmware carries
10.2.4-1.0-00047 firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a3914783a3)
Signed-off-by: David Bauer <mail@david-bauer.net>
Several Archer Cxx devices were using board-specific LED names in
ar71xx, which were changed to "tp-link:*" in ath79.
This patch adds migration for them.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 53e6cc7a81)
Several devices added to LED migration script will just have their
(old) board name converted to tp-link.
By using a variable for this, the amount of code in the migration
script can be reduced and the chance for typos is reduced.
This patch also introduces the marker for beginning of a pattern
"^" to the regex, so the match is more specific.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 6b0eb84336)
The code line patching ath9k MAC address for this device contains
a wrong number of arguments including an unset "$mac", which
looks like a typo or copy/paste mistake.
This has been introduced already in the device support commit
745dee11ac ("ath79: add support for WD My Net Wi-Fi Range
Extender").
This patch just removes the "$mac" argument, leaving a formally
valid line. (No on-device test has been performed.)
Cc: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 6b53033783)
The ar71xx images for the Ubiquiti NanoStation M (XM) devices use
"nanostation-m" as board name, but the ath79 images are only
compatible with the "nano-m" board name, so sysupgrade complains.
By changing this additional supported device, sysupgrade smoothly
upgrades from ar71xx to ath79.
Ref: openwrt#2418
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit f473ce6f23)
The ar71xx images for the Ubiquiti NanoStation M (XW) devices use
"nanostation-m-xw" as the board name, but the ath79 images are only
compatible with the "nano-m-xw" board name, so sysupgrade complains.
By adding this additional supported device, sysuspgrade smoothly
upgrades from ar71xx to ath79.
Tested on a NanoStation M (XW) running OpenWrt ar71xx r10250-016d1eb.
Ref: https://github.com/openwrt/openwrt/pull/2418
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
[removed duplicate DEVICE_VARIANT, removed uneeded nano-m-xw support]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 6dda2ea6ad)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The device did not appear to be reachable unless the connection were
forced to 100Mb or lower. Revert to previously working pll-data.
Also fix the phy-mode to represent the actual state needed for ethernet
to function.
Reported-by: Moritz Schreiber <moritz@mosos.de>
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
[add remark about phy-mode property]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit ee41b602a2)