The OpenWrt buildroot ABI version rebuild tracker does not handle
transient dependencies, therefor add all libraries linked by uhttpd
as direct dependencies to the corresponding binary package definition.
This ensures that uhttpd is automatically rebuilt and relinked if any
of these libraries has its ABI_VERSION updated in the future.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a95ddaba0272f254a3aeade3aa0c086e1625d672)
This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.
Using upstream fix which now uses the same logic for relocation time
and dlsym.
Fixesopenwrt/packages#9297
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 0d0617ff14b8b020896680de1f1a49c7ba8a5e0d)
It seems bzip2 was abandoned by the author and adopted by the sourceware
people. The last release of bzip2 was from 2010.
Several security bugs were fixed as well as others.
Fixed up PKG_LICENSE to be compatible with SPDX.
Changed URLs to point to the new home.
Added patch that gets rid of deprecated utime function and switches it to
utimensat.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Always build AES-GCM support.
Unnecessary patches were removed.
This includes two vulnerability fixes:
CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK
extension parsing.
CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.
This brings the package up-to-date with master, so it incorporates
changes from 4.0.0 in master:
* Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
* Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
* Mark options turned on when wpad support is selected.
* Add building options for TLS 1.0, and TLS 1.3.
* Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
* Reorganized option conditionals in Makefile.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This updates to backports-4.19.57-1 which contains the wireless
subsystem and driver from kernel 4.19.57.
The removed patches are applied upstream.
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Introduce a new option CONFIG_SIGNATURE_CHECK which defaults to the value
of CONFIG_SIGNED_PACKAGES and thus is enabled by default.
This option is needed to support building target opkg with enabled
signature verification while having the signed package lists disabled.
Our buildbots currently disable package signing globally in the
buildroot and SDK to avoid the need to ship private signing keys to
the build workers and to prevent the triggering of random key generation
on the worker nodes since package signing happens off-line on the master
nodes.
As unintended side-effect, updated opkg packages will get built with
disabled signature verification, hence the need for a new override option.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f565f276e2c06ac8f3176e0b16d6f2d40cd653d4)
Fix build breakage as upstream has removed implicit include of
sys/sysmacros.h from sys/types.h:
remove implicit include of sys/sysmacros.h from sys/types.h
this reverts commit f552c792c7ce5a560f214e1104d93ee5b0833967, which
exposed the sysmacros.h macros (device major/minor calculations) for
BSD and GNU profiles to mimic an unintentional glibc behavior some
code depended on. glibc has deprecated and since removed them as the
resolution to bug #19239, so it makes no sense for us to keep this
behavior. affected code should all have been fixed by now, and if it's
not yet fixed it needs to be for use with modern glibc anyway.
Ref: https://git.musl-libc.org/cgit/musl/commit/include/sys/types.h?id=a31a30a0076c284133c0f4dfa32b8b37883ac930
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 79596f782e2c8daa1ebb8e480b6373c8142714c6)
Since usign miscalculates SHA-512 digests for input sizes of exactly
64 + N * 128 + 110 or 64 + N * 128 + 111 bytes, we need to apply some
white space padding to avoid triggering the hashing edge case.
While usign itself has been fixed already, there is still many firmwares
in the wild which use broken usign versions to verify current package
indexes so we'll need to carry this workaround in the forseeable future.
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Ref: https://git.openwrt.org/5a52b379902471cef495687547c7b568142f66d2
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit e1f588e446c7ceb696b644b37aeab9b3476e2a57)
This update fixes usign signature verification on files with certain
file sizes triggering a bug in the shipped SHA-512 implementation.
5a52b37 sha512: fix bad hardcoded constant in sha512_final()
3e6648b README: replace unicode character
716c3f2 README: add reference to OpenBSD signify
86d3668 README: provide reference for ed25519 algorithm
939ec35 usign: main.c: describe necessary arguments for -G
Ref: https://forum.openwrt.org/t/signature-check-failed/41945
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 991dd5a89340367920315a3fd0390a7423e6b34a)
Use commits from wireless-drivers-next.git.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8e466fb7e315f33d0d2bbc06c4fa7c27b81d9a3b)
- make create_pbl and byte_swap as host tools
- fix a bug that maybe use the cross compiler
to compile create_pbl and byte_swap:
# -a option appends the image for Chassis 3 devices in case of non secure boot
aarch64-openwrt-linux-musl-gcc -Wall -Werror -pedantic -std=c99 -O2
-DVERSION=v1.5(release):reboot-10604-ge9216b3336 -D_GNU_SOURCE -D_XOPEN_SOURCE=700
-c -o create_pbl.o create_pbl.c
cc1: note: someone does not honour COPTS correctly, passed 0 times
LD create_pbl
/usr/bin/ld: create_pbl.o: Relocations in generic ELF (EM: 183)
/usr/bin/ld: create_pbl.o: Relocations in generic ELF (EM: 183)
/usr/bin/ld: create_pbl.o: Relocations in generic ELF (EM: 183)
create_pbl.o: error adding symbols: File in wrong format
collect2: error: ld returned 1 exit status
Makefile:43: recipe for target create_pbl failed
make[4]: *** [create_pbl] Error 1
plat/nxp/tools/pbl_ch2.mk:45: recipe for target pbl failed
make[3]: *** [pbl] Error 2
- add tfa- prefix to all tools in order to avoid future clashes with
other toolnames
Signed-off-by: Biwen Li <biwen.li@nxp.com>
[added missing HOST_CFLAGS, added tfa- prefix to the tools]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 83d5ca2186f7801d94f336e09f8db0a2c5c5d97f)
fiptool is a host tool, used in a firmware generation pipeline, but it's
not treated as such, leading to the build breakage on the hosts which
don't have {Open,Libre}SSL dev package installed:
In file included from fiptool.h:16:0,
from fiptool.c:19:
fiptool_platform.h:18:27: fatal error: openssl/sha.h:
No such file or directory
# include <openssl/sha.h>
So this patch promotes fiptool into the host tool with proper host
include and library paths under STAGING_DIR.
Ref: https://github.com/openwrt/openwrt/pull/2267
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b8249cef9fedb1e2e3ed4f1b16382c6815e08df1)
So it's possible to install or remove it as needed.
Tested-by: Lucian Cristian <lucian.cristian@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 27bfde9c9f789dbfabebf13047e8b042c27cdeef)
So it's possible to install or remove it as needed.
Tested-by: Lucian Cristian <lucian.cristian@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 9b4de712cae9b3d745ea4331a804242505f58619)
μrngd is OpenWrt's micro non-physical true random number generator based
on timing jitter.
Using the Jitter RNG core, the rngd provides an entropy source that
feeds into the Linux /dev/random device if its entropy runs low. It
updates the /dev/random entropy estimator such that the newly provided
entropy unblocks /dev/random.
The seeding of /dev/random also ensures that /dev/urandom benefits from
entropy. Especially during boot time, when the entropy of Linux is low,
the Jitter RNGd provides a source of sufficient entropy.
Acked-by: Jo-Philip Wich <jow@mein.io>
Tested-by: Lucian Cristian <lucian.cristian@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 714bd89fceee494282984d0ed76e4a3acde419e0)
This doesn't include 9ff8614a3dbe ("brcmfmac: use separate Kconfig file
for brcmfmac") due to a few conflicts with backports changes.
An important change is:
[PATCH 2/7] brcmfmac: change the order of things in brcmf_detach()
which fixes a rmmod crash in the brcmf_txfinalize().
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit db8e08a5a4469f98ed5d9b0ff3189e356f53d924)
This patch unifies the polled and interrupt-driven gpio_keys code
paths as well implements consistent handling of the debounce
interval set for the GPIO buttons and switches.
Hotplug events will only be fired if
1. The input changes its state and remains stable for the duration
of the debounce interval (default is 5 ms).
2. In the initial stable (no state-change for duration of the
debounce interval) state once the driver module gets loaded.
Switch type inputs will always report their stable state.
Unpressed buttons will not trigger an event for the initial
stable state. Whereas pressed buttons will trigger an event.
This is consistent with upstream's gpio-key driver that uses
the input subsystem (and dont use autorepeat).
Prior to this patch, this was handled inconsistently for interrupt-based
an polled gpio-keys. Hence this patch unifies the shared logic into the
gpio_keys_handle_button() function and modify both implementations to
handle the initial state properly.
The changes described in 2. ) . can have an impact on the
failsafe trigger. Up until now, the script checked for button
state changes. On the down side, this allowed to trigger the
failsafe by releasing a held button at the right time. On the
plus side, the button's polarity setting didn't matter.
Now, the failsafe will only engage when a button was pressed
at the right moment (same as before), but now it can
theoretically also trigger when the button was pressed the
whole time the kernel booted and well into the fast-blinking
preinit phase. However, the chances that this can happen are
really small. This is because the gpio-button module is usually
up and ready even before the preinit state is entered. So, the
initial pressed button event gets lost and most devices behave
as before.
Bisectors: If this patch causes a device to permanently go into
failsafe or experience weird behavior due to inputs, please
check the following:
- the GPIO polarity setting for the button
- the software-debounce value
Run-tested for 'gpio-keys' and 'gpio-keys-polled' on
- devolo WiFi pro 1200e
- devolo WiFi pro 1750c
- devolo WiFi pro 1750x
- Netgear WNDR4700
- Meraki MR24
- RT-AC58U
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [further
cleanups, simplification and unification]
(cherry picked from commit 27f3f493de0610c74de2ea406641b256bfcc13a9)
While testing 4.19 build on malta/be64, I've encountered following
error:
gpio-button-hotplug/gpio-button-hotplug.c:529:18: error: implicit
declaration of function 'gpio_to_desc'
which is caused by the missing include fixed by this patch.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit dd6d82112a10796dd5aa0f9e9c76ec8e77e7e211)
This addresses an issue where the list option specified in
/etc/config/openvpn i.e. 'tls_cipher' would instead show up in the
generated openvpn-<name>.conf as 'ncp-ciphers'. For context,
'ncp_ciphers' appears after 'tls_cipher' in OPENVPN_LIST from
openvpn.options.
Also, the ordering of the options in the UCI config file is now
preserved when generating the OpenVPN config. The two currently
supported list options deal with cipher preferences.
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
(cherry picked from commit 1d4c4cbd20580dd211431ab58460a6eebd5e021e)
* Fix for memory leak regression
* Support for (un)escaping
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 430d65c544551f9af88cdc6f0b9c6c12364b28f9)
The OpenWrt buildroot ABI version rebuild tracker does not handle
transient dependencies, therefore add all libraries linked by
block-mount and blockd as direct dependencies to the corresponding
binary package definition.
This ensures that block-mount and blockd is automatically rebuilt and
relinked if any of these libraries has its ABI_VERSION updated in the
future.
Fixes: FS#2373
[jow: similar fix for procd and 98.42% of commit message]
Signed-off-by: Jo-Philip Wich <jow@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit cbae306815bdfc335eeedc35dc5df3d2d4021a2a)
Now that busybox is a known alternatives provider by opkg, we remove the
ALTERNATIVES spec and add a note to make the implicit situation clear
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry-picked from commit 62be427067ee3883b68bcfb08dfc0c43dce22fa3)
Opkg starting from this version special-cases busybox as alternatives
provider. There should be no need to add entries to ALTERNATIVES of
busybox package
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
(cherry-picked from commit e51b513f75d28306a744637b0fbe7fdd6e3fb813)
b43legacy needs ssb support and we do not compile the mips74 subtarget
of the brcm47xx target with SSB support. This causes a build failure in
the mac80211 package and only some of the kernel modules are being
created.
I am not aware of any device with a BRCM47xx mips74 CPU which uses a
b43legacy compatible device.
Fixes: FS#2334
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit e05310b9b80f944c718374b449b6fe48d06d412d)
Logic was inverted when changing from string check to file check.
Fix it.
Fixes: 8592602d0a88 ("base-files: Really check path in get_mac_binary")
Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 6ed3349308b24a6bac753643970a1f9f56ff6070)
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack. Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2792daab5ad26e916619052fc7f581cddc1ea53c)
Currently, path argument is only checked for being not empty.
This changes behavior to actually check whether path exists.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Restarting service causes file-systems to be unmounted without being
mounted back. When this service was obsoleted it should have been
implemented in a way that all actions are ignored. Up to this commit
default handler was called when restart was requested. This default
handler just simply calls stop and start. That means that stop called
unmount but start just printed that this service is obsoleted.
This instead implements restart that just prints same message like start
does. It just calls start in reality. This makes restart unavailable for
call.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
(cherry picked from commit 3ead9e7b743b1fbd3b07f5a72a16999abbec9347)
When targets for multiple ESPRESSObin devices were added, not all
files were updated which means any ESPRESSObin version beside generic
won't have proper networking, sysupgrade and uboot-env. This patch
fixes the issue.
* fixup network detection
* fixup uboot-env
* fixup platform.sh for sysupgrade
Signed-off-by: Vladimir Vid <vladimir.vid@sartura.hr>
(cherry picked from commit bc47285cb3c0125424e628521f905f1f0d7b4cef)
Just stumbled across this LEDE legacy, without finding any real reason
to keep it. There is a single LEDE_DEVICE_MANUFACTURER_URL dependency
in the luci feed repo which needs to be syncronized.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[re-added missing commit message]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 8a34a54b6aa6e9a5e2983d554fd5b97bec97e891)
Follow upstream changes - header file changes only
no functional or executable changes, hence no package bump
required
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit a8f0c02f80fa0c7c55702770b3ca99f6db5405e7)
This patch adds a missing type property which prevented
the creation of oneshot and timer led triggers when they
are specified in the /etc/board.d/01_leds files.
i.e.:
ucidef_set_led_timer "system" "system" "zhuotk:green:system" "1000" "1000"
Fixes: b06a286a4861 ("base-files: cleanup led functions in uci-defaults.sh")
Signed-off-by: Robinson Wu <wurobinson@qq.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This improves FullMAC firmware compatibility, adds logging in case of
firmware crash and *may* fix "Invalid packet id" errors.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8888cb725d492ad5cad5b59fc7117b006e1bba5a)
FCC allows maximum antenna gain of 6 dBi. 15.247(b)(4):
> (4) The conducted output power limit
> specified in paragraph (b) of this section
> is based on the use of antennas
> with directional gains that do not exceed
> 6 dBi. Except as shown in paragraph
> (c) of this section, if transmitting
> antennas of directional gain greater
> than 6 dBi are used, the conducted
> output power from the intentional radiator
> shall be reduced below the stated
> values in paragraphs (b)(1), (b)(2),
> and (b)(3) of this section, as appropriate,
> by the amount in dB that the
> directional gain of the antenna exceeds
> 6 dBi.
https://www.gpo.gov/fdsys/pkg/CFR-2013-title47-vol1/pdf/CFR-2013-title47-vol1-sec15-247.pdf
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB
steps). This isn't the case for max_antenna_gain - which is still expected
by the firmware as dB.
The firmware is converting it from dB to the internal (twicepower)
representation when it calculates the limits of a channel. This can be seen
in tpc_stats when configuring "12" as max_antenna_gain. Instead of the
expected 12 (6 dB), the tpc_stats shows 24 (12 dB).
Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
