The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Rekey GTK on STA disassociate
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Allows dtim_period to be configurable, the default is from hostapd.
Adds additional regulatory tunables for power constraint and spectrum
managment.
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
The present U-Boot for GL-AR750S has a limit of 2 MB for kernel size.
While sysupgrade can manage kernels up to the present limit of 4 MB,
directly flashing a factory.img with a kernel size greater than 2 MB
through U-Boot will result in an unbootable device.
This commit uses the newly-introduced check-kernel-size build
operation to prevent the output of factory.img when the kernel
exceeds 2 MB in size, yet permits output of sysupgrade.img
as long as the kernel is within KERNEL_SIZE := 4096k
Cc: Chuanhong Guo <gch981213@gmail.com>
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
Certain boards have limitations on U-Boot that prevent flashing
of images where the kernel size exceeds a threshold, yet
sysupgrade can sucessfully manage larger kernels. The current
check-size will remove the target artifact if its total size
exceeds the threshold. If applied after append-kernel,
it will remove the kernel, but the remaining image-assembly
steps will continue, resulting in an image without a kernel
that is likely unbootable.
By defining check-kernel-size, it is now possible to prevent release
of such unbootable images through a construct similar to:
IMAGE/factory.img := append-kernel | pad-to $$$$(GL_UBOOT_UBI_OFFSET) | \
append-ubi | check-kernel-size $$$$(GL_UBOOT_UBI_OFFSET)
Cc: Chuanhong Guo <gch981213@gmail.com>
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Failsafe code of dropbear should be in the dropbear package not the
base-files package.
Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
NAS devices certainly need to have hdparm to configure
things like spin-down time or their disks will be
constantly spinning. Just catenate CONFIG_HDPARM=y
on these configs.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
The memory hacks got removed from ath10k with 1e27bef ("mac80211: remove
ath10k_pci memory hacks"). As this device has low amount of RAM, switch
to ath-10k-ct small buffers variant, to avoid the OOM Reaper.
Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building
the package, and users from downloading it, since they use 'ALL_KMODS=y'
but 'ALL' is not set.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This reorganizes 02_network board.d files based on what's done for
ath79 and ramips: Instead of putting all settings into a single big
case, the interface/dsl/MAC address setup is put into separate
functions with a specific switch case for each of them. This makes
grouping of devices much easier and should be easier to read, too.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
DSL setup consists of the same commands for all subtargets, so move it
into a helper function.
While at it, remove shebang from library file.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This splits the device-dependent base-files into subtarget directories,
like done recently for ath79 and ramips. While this increases the
overall lines of codes, it will make the code per subtarget smaller
and easier to keep track of features and devices.
While at it, several variables at the top of 02_network are removed,
as they were never changed. The values are put directly into the
function calls where they are used.
Remove unneeded LED setup from 01_leds, and remove 01_leds entirely
for falcon subtarget (as it is not used there).
Applies alphabetic reordering to device cases in base-files.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Implement the suggestions laid out in README_PACKAGERS, mainly by preventing
the stripping of the internal vgpreload*.so libraries.
Also retain the symbol information of valgrind's private helper executables
and enable LTO as suggested in the packagers readme.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Setting CONFIG_IPK_FILES_CHECKSUMS=y causes sha256 checksum files to be
included with the packages to check for corruption. This commit fixes two
issues:
- /sbin/pkg_check was being removed incorrectly if IPK_FILES_CHECKSUMS=y
- checksums were being saved in the wrong file
Signed-off-by: Xu Wang <xwang1498@gmx.com>
Add missing calls to `free` for variable `mem`.
Add missing call to `fclose` for variable `f`.
The same changes were made in both `mkfwimage.c` and `mkfwimage2.c`.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
Add missing `fclose` calls for file pointers `kern_fp`, `fs_fp`
and `out_fp`.
Not closing files could lead to resource leaks.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
Add missing calls to `free` for variable `buffer`.
This could lead to a memory leak.
Add missing call to `close` for file pointer `fdin`.
This could lead to a resource leak.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
Add missing calls to `fclose` in functions `write_img`, `write_rootfs`
and `write_kernel`.
The not-closed files could lead to resource leaks.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
The wpa_supplicant supports certificate subject validation via the
subject match(2) and altsubject_match(2) fields. domain_match(2) and
domain_suffix_match(2) fields are also supported for advanced matches.
This validation is especially important when connecting to access
points that use PAP as the Phase 2 authentication type. Without proper
validation, the user's password can be transmitted to a rogue access
point in plaintext without the user's knowledge. Most organizations
already require these attributes to be included to ensure that the
connection from the STA and the AP is secure. Includes LuCI changes via
openwrt/luci#3444.
From the documentation:
subject_match - Constraint for server certificate subject. This substring
is matched against the subject of the authentication server certificate.
If this string is set, the server sertificate is only accepted if it
contains this string in the subject. The subject string is in following
format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as
.example.com
subject_match2 - Constraint for server certificate subject. This field is
like subject_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST
tunnel) authentication.
altsubject_match - Constraint for server certificate alt. subject.
Semicolon separated string of entries to be matched against the
alternative subject name of the authentication server certificate. If
this string is set, the server sertificate is only accepted if it
contains one of the entries in an alternative subject name extension.
altSubjectName string is in following format: TYPE:VALUE Example:
EMAIL:server@example.com Example:
DNS:server.example.com;DNS:server2.example.com Following types are
supported: EMAIL, DNS, URI
altsubject_match2 - Constraint for server certificate alt. subject. This
field is like altsubject_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_match - Constraint for server domain name. If set, this FQDN is
used as a full match requirement for the
server certificate in SubjectAltName dNSName element(s). If a
matching dNSName is found, this constraint is met. If no dNSName
values are present, this constraint is matched against SubjectName CN
using same full match comparison. This behavior is similar to
domain_suffix_match, but has the requirement of a full match, i.e.,
no subdomains or wildcard matches are allowed. Case-insensitive
comparison is used, so "Example.com" matches "example.com", but would
not match "test.Example.com". More than one match string can be
provided by using semicolons to
separate the strings (e.g., example.org;example.com). When multiple
strings are specified, a match with any one of the values is considered
a sufficient match for the certificate, i.e., the conditions are ORed
together.
domain_match2 - Constraint for server domain name. This field is like
domain_match, but used for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel)
authentication.
domain_suffix_match - Constraint for server domain name. If set, this
FQDN is used as a suffix match requirement for the AAA server
certificate in SubjectAltName dNSName element(s). If a matching dNSName
is found, this constraint is met. If no dNSName values are present,
this constraint is matched against SubjectName CN using same suffix
match comparison. Suffix match here means that the host/domain name is
compared one label at a time starting from the top-level domain and all
the labels in domain_suffix_match shall be included in the certificate.
The certificate may include additional sub-level labels in addition to
the required labels. More than one match string can be provided by using
semicolons to separate the strings (e.g., example.org;example.com).
When multiple strings are specified, a match with any one of the values
is considered a sufficient match for the certificate, i.e., the
conditions are ORed together. For example,
domain_suffix_match=example.com would match test.example.com but would
not match test-example.com. This field is like domain_match, but used
for phase 2 (inside EAP-TTLS/PEAP/FAST tunnel) authentication.
domain_suffix_match2 - Constraint for server domain name. This field is
like domain_suffix_match, but used for phase 2 (inside
EAP-TTLS/PEAP/FAST tunnel) authentication.
Signed-off-by: David Lam <david@thedavid.net>
Package new kmods "nf_tables_set" and "nft_objref" which got introduced
with kernel 4.18 and restrict the old "nft_set_rbtree" and "nft_set_hash"
modules to sub-4.18 versions.
Also reorder the nftables related netfilter.mk entries alphabetically
while touching this code section.
Fixes: FS#2699
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=2699#comment7450
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Network interfaces are looked up based on the device behind a phy, so the
phy needs to be checked separately
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This splits some base-files across subtargets, as done previously
on ath79 and ramips and also introduced for mt7629 subtarget here
already. Most of the existing base-files content is specific to
mt7623.
While at it, apply the following fixes:
- Remove lots of trailing whitespaces
- Remove wildcard on unielec,u7623-02-emmc-512m
- Remove inconsistent quotation marks in cases
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: John Crispin <john@phrozen.org>
The Aruba AP-303H is the hospitality version of the Aruba AP-303 with a
POE-passthrough enabled ethernet switch instead of a sigle PHY.
Hardware
--------
SoC: Qualcomm IPQ4029
RAM: 512M DDR3
FLASH: - 128MB SPI-NAND (Macronix)
- 4MB SPI-NOR (Macronix MX25R3235F)
TPM: Atmel AT97SC3203
BLE: Texas Instruments CC2540T
attached to ttyMSM1
ETH: Qualcomm QCA8075
LED: WiFi (amber / green)
System (red / green /amber)
PSE (green)
BTN: Reset
USB: USB 2.0
To connect to the serial console, you can solder to the labled pads next
to the USB port or use your Aruba supplied UARt adapter.
Do NOT plug a standard USB cable into the Console labled USB-port!
Aruba/HPE simply put UART on the micro-USB pins. You can solder yourself
an adapter cable:
VCC - NC
D+ - TX
D- - RX
GND - GND
The console setting in bootloader and OS is 9600 8N1. Voltage level is
3.3V.
To enable a full list of commands in the U-Boot "help" command, execute
the literal "diag" command.
Installation
------------
1. Get the OpenWrt initramfs image. Rename it to ipq40xx.ari and put it
into the TFTP server root directory. Configure the TFTP server to
be reachable at 192.168.1.75/24. Connect the machine running the TFTP
server to the E0 (!) ethernet port of the access point, as it only
tries to pull from the WAN port.
2. Connect to the serial console. Interrupt autobooting by pressing
Enter when prompted.
3. Configure the bootargs and bootcmd for OpenWrt.
$ setenv bootargs_openwrt "setenv bootargs console=ttyMSM0,9600n8"
$ setenv nandboot_openwrt "run bootargs_openwrt; ubi part aos1;
ubi read 0x85000000 kernel; set fdt_high 0x87000000;
bootm 0x85000000"
$ setenv ramboot_openwrt "run bootargs_openwrt;
setenv ipaddr 192.168.1.105; setenv serverip 192.168.1.75;
netget; set fdt_high 0x87000000; bootm"
$ setenv bootcmd "run nandboot_openwrt"
$ saveenv
4. Load OpenWrt into RAM:
$ run ramboot_openwrt
5. After OpenWrt booted, transfer the OpenWrt sysupgrade image to the
/tmp folder on the device. You will need to plug into E1-E3 ports of
the access point to reach OpenWrt, as E0 is the WAN port of the
device.
6. Flash OpenWrt:
$ ubidetach -p /dev/mtd16
$ ubiformat /dev/mtd16
$ sysupgrade -n /tmp/openwrt-sysupgrade.bin
To go back to the stock firmware, simply reset the bootcmd in the
bootloader to the original value:
$ setenv bootcmd "boot"
$ saveenv
Signed-off-by: David Bauer <mail@david-bauer.net>
The Ubiquiti ToughSwitch 5XP is a 5-port PoE Gigabit switch with a single
Fast-Ethernet management port. It supports both 24V passive PoE out on all
five ports.
Flash: 8 MB
RAM: 64 MB
SoC: AR7242
Switch: ar8327
USB: 1x USB 2.0
Ethernet: 5x GbE, 1x FE
Installation of the firmware is possible either via serial + tftpboot or
the factory firmware update function via webinterface.
By default the single Fast-Ethernet port labeled "MGMT" is configured
as the WAN port. Thus access to the device is only possible via the
five switch ports.
Serial: 3v3 115200 8n1
The serial header is located in the lower left corner of the switches PCB:
```
|
|
|
| o
| o RX
| o TX
| o GND
|
|
++ +-++-+ ++ ++ +
+--+ ++ +--++--++--+
```
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[remove ubnt,sw compatible - fix spelling - wrap commit message -
remove superfluous phy-mode property]
Signed-off-by: David Bauer <mail@david-bauer.net>
This device OOPs during the boot due to broken flash. It can be probably
fixed with `broken-flash-reset` once ramips is on 4.19 kernel.
So disable images for this device until its fixed.
Ref: FS#2695, PR#2483
Signed-off-by: Petr Štetiar <ynezz@true.cz>
With this change the well known jshn library will be used, to build the
json arguments for the ubus sysupgrade method. This is also used in all
other shell program that uses JSON. This commit unifies that.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
This activates PIE ASLR support by default when the regular option is
selected.
Size increase on x86/64:
odhcpd-ipv6only Installed-Size: 36821 -> 38216
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This activates PIE ASLR support by default when the regular option is
selected.
Size increase on x86/64:
procd Installed-Size: 44931 -> 47362
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This activates PIE ASLR support by default when the regular option is
selected.
Size increase on x86/64:
ubus Installed-Size: 5602 -> 5950
ubusd Installed-Size: 11643 -> 12119
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This activates PIE ASLR support by default when the regular option is
selected.
This increases the binary size by 39% uncompressed and 21% compressed
on MIPS BE.
old:
33,189 /usr/sbin/uhttpd
23,016 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk
new:
46,212 /usr/sbin/uhttpd
27,979 uhttpd_2019-08-17-6b03f960-4_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
This activates PIE ASLR support by default when the regular option is
selected.
This increases the binary size by 26% uncompressed and 16% compressed
on MIPS BE.
old:
460,933 /usr/sbin/wpad
283,891 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk
new:
584,508 /usr/sbin/wpad
330,281 wpad-basic_2019-08-08-ca8c2bd2-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
This activates PIE ASLR support by default when the regular option is
selected.
This increases the binary size by 18% uncompressed and 17% compressed
on MIPS BE.
old:
164,261 /usr/sbin/dropbear
85,648 dropbear_2019.78-2_mips_24kc.ipk
new:
194,492 /usr/sbin/dropbear
100,309 dropbear_2019.78-2_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
This activates PIE ASLR support by default when the regular option is
selected.
This increases the binary size by 37% uncompressed and 18% compressed
on MIPS BE.
old:
146,933 /usr/sbin/dnsmasq
101,837 dnsmasq_2.80-14_mips_24kc.ipk
new:
202,020 /usr/sbin/dnsmasq
120,577 dnsmasq_2.80-14_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
This tristate choose allows to select to build only some applications
with PIE enabled. On MIPS binaries are getting about 30% bigger when PIE
is activated for the, which is a huge increase.
Network exposed applications like dnsmasq should then be build with PIE
enabled, but some applications which are normally not parsing data from
the network do not have it activated. The regular option should give a
good trade off between extra flash and RAM memory usage and security.
This changes the default from building no applications with PIE to build
some specifically marked applications with PIE enabled. This option is
only activated for targets with bigger flash and RAM to not consume
extra memory on the very small targets. On SDK builds the Regular option
should always be selected, because some tiny targets share the
applications with big targets and only the images for the tiny targets
should contain the none PIE applications, but the images for the normal
targets should use PIE. The shared packages should always use PIE when
it should be normally activated.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Petr Štetiar <ynezz@true.cz>
nft_hash hash falsely removed in commit 97940f8766
("kernel: remove obsolete kernel version switches").
Add the module back, as otherwise the build fails.
Fixes: 97940f8766 ("kernel: remove obsolete kernel version switches")
Signed-off-by: David Bauer <mail@david-bauer.net>
After kernel 4.9 has been removed, this removes all (now obsolete)
kernel version switches that deal with versions before 4.14.
Package kmod-crypto-iv is empty now and thus removed entirely.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Builds for kenrel 4.14 targetswere failing because of
missing symbols for the B53 swconfig driver.
Fixes: 313bde53ce ("generic: update config-4.19")
Signed-off-by: David Bauer <mail@david-bauer.net>
Hardware:
SOC: Qualcomm IPQ4018
RAM: 128 MB Nanya NT5CC64M16GP-DI
FLASH: 16 MB Macronix MX25L12805D
ETH: Qualcomm QCA8075 (4 Gigabit ports, 3xLAN, 1xWAN)
WLAN: Qualcomm IPQ4018 (2.4 & 5 Ghz)
BUTTON: Shared WPS/Reset button
LED: RGB Status/Power LED
SERIAL: Header J8 (UART, Left side of board). Numbered from
top to bottom:
(1) GND, (2) TX, (3) RX, (4) VCC (White triangle
next to it).
3.3v, 115200, 8N1
Tested/Working:
* Ethernet
* WiFi (2.4 and 5GHz)
* Status LED
* Reset Button (See note below)
Implementation notes:
* The shared WPS/Reset button is implemented as a Reset button
* I could not find a original firmware image to reverse engineer, meaning
currently it's not possible to flash OpenWrt through the Web GUI.
Installation (Through Serial console & TFTP):
1. Set your PC to fixed IP 192.168.1.12, Netmask 255.255.255.0, and connect to
one of the LAN ports
2. Rename the initramfs image to 'C0A8010B.img' and enable a TFTP server on
your pc, to serve the image
2. Connect to the router through serial (See connection properties above)
3. Hit a key during startup, to pause startup
4. type `setenv serverip 192.168.1.12`, to set the tftp server address
5. type `tftpboot`, to load the image from the laptop through tftp
6. type `bootm` to run the loaded image from memory
6. (If you want to return to stock firmware later, create an full MTD backup,
e.g. using instructions here https://openwrt.org/docs/guide-user/installation/generic.backup#create_full_mtd_backup)
7. Transfer the 'sysupgrade' OpenWrt firmware image from PC to router, e.g.:
`scp xxx-squashfs-sysupgrade.bin root@192.168.1.1:/tmp/upgrade.bin`
8. Run sysupgrade to permanently install OpenWrt to flash: `sysupgrade -n /tmp/upgrade.bin`
Revert to stock:
To revert to stock, you need the MTD backup from step 6 above:
1. Unpack the MTD backup archive
2. Transfer the 'firmware' partition image to the router (e.g. mtd8_firmware.backup)
3. On the router, do `mtd write mtd8_firmware.backup firmware`
Signed-off-by: Tom Brouwer <tombrouwer@outlook.com>
[removed BOARD_NAME, OpenWRT->OpenWrt, changed LED device name to board name]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This patch partially reverts
"ipq40xx: remove unnecessary usb nodes in DTS for ASUS RT-AC58U"
as the change removed the usb2 port-trigger, so the LED would no
longer light-up when a USB 2.0 was inserted into the USB port.
Fixes: d0efb1ba95 ("ipq40xx: remove unnecessary usb nodes in DTS for ASUS RT-AC58U")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Flash: 8 MB
RAM: 64 MB
SoC: AR7242
Switch: bcm53128
USB: 1x USB 2.0
Ethernet: 8x GbE, 1x FE
The Ubiquiti ToughSwitch 8XP is a 8-port PoE Gigabit switch with a single
Fast-Ethernet management port. It supports both 24V passive PoE and 48V
802.11af/at PoE out on all eight ports.
By default the single Fast-Ethernet port labeled "MGMT" is configured as the
WAN port. Thus access to the device is only possible via the eight switch
ports.
Installation of the firware is possible either via serial + tftpboot or
the factory firmware update function via webinterface.
Serial: 3v3 115200 8n1
The serial header is located in the lower left corner of the switches PCB:
|
|
|
| o
| o RX
| o TX
| o GND
|
|
++ +-++-+ ++ ++ +
+--+ ++ +--++--++--+
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
[fix whitespace issue]
Signed-off-by: David Bauer <mail@david-bauer.net>