Commit Graph

44987 Commits

Author SHA1 Message Date
Rafał Miłecki
87fe1a560a brcm47xx: extend firmware validation
This provides TRX validation result, so final JSON may look like:
{
	"tests": {
		"fwtool_signature": true,
		"fwtool_device_match": true,
		"trx_valid": true
	},
	"valid": true,
	"forceable": true
}

It also prevents users from installing broken firmware files, e.g.:

root@OpenWrt:/# sysupgrade -F -n /tmp/TZ
Image metadata not found
Invalid image type. Please use firmware specific for this device.
Image check failed but --force given - will update anyway!
Commencing upgrade. Closing all shell sessions.
Firmware image is broken and cannot be installed

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit e68c1cebd1)
2019-09-12 14:30:18 +02:00
Rafał Miłecki
a717428828 treewide: use new procd sysupgrade $UPGRADE_BACKUP variable
It's a variable set by procd that should replace hardcoded
/tmp/sysupgrade.tgz.

This change requires the most recent procd with the commit 0f3c136
("sysupgrade: set UPGRADE_BACKUP env variable").

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 641f6b6c26)
2019-09-12 13:27:29 +02:00
Rafał Miłecki
1b9a4f0cb4 treewide: when copying a backup file always specify dest name
$CONF_TAR shouldn't be assumed to always point to the sysupgrade.tgz.
This change makes code more generic and allows refactoring $CONF_TAR.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 62dbe361a1)
2019-09-12 13:26:39 +02:00
Rafał Miłecki
37caec2d5e treewide: don't hardcode "sysupgrade.tgz" file name
1) Add BACKUP_FILE and use it when copying an archive to be restored
   after sysupgrade (on the next preinit).
2) Use CONF_TAR for copying backup prepared by the /sbin/sysupgrade

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit bf39047872)
2019-09-12 13:25:27 +02:00
Yousong Zhou
f54bc3985a tools: mkimage: fix __u64 typedef conflict with new glibc
Including "sys/stat.h" from newer glibc will cause __u64 from linux uapi
header to be included, causing compilation failure for u-boot tools
USE_HOSTCC

Remove typedef for __u64 in include/compiler.h to fix the issue.  It should be
safe because as of u-boot-2018.03, no ref to __u64 is found under u-boot tools/
directory

Error message snippet follows

	  HOSTCC  tools/mkenvimage.o
	In file included from /usr/include/asm-generic/types.h:7,
			 from /usr/include/asm/types.h:5,
			 from /usr/include/linux/types.h:5,
			 from /usr/include/linux/stat.h:5,
			 from /usr/include/bits/statx.h:30,
			 from /usr/include/sys/stat.h:446,
			 from tools/mkenvimage.c:21:
	/usr/include/asm-generic/int-ll64.h:31:42: error: conflicting types for '__u64'
	   31 | __extension__ typedef unsigned long long __u64;
	      |                                          ^~~~~
	In file included from <command-line>:
	././include/compiler.h:69:18: note: previous declaration of '__u64' was here
	   69 | typedef uint64_t __u64;
	      |                  ^~~~~
	make[5]: *** [scripts/Makefile.host:116: tools/mkenvimage.o] Error 1

Ref: https://forum.openwrt.org/t/compile-error-19-07/44423
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1699194
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-09-12 02:25:03 +00:00
Koen Vandeputte
3b8239e93e Revert "ar71xx: use platform code for qca955x usb0 init"
This reverts commit af91a370de.

As Piotr Dymacz pointed out:

In QCA MIPS based WiSOCs, for first USB interface,
device/host mode can be selected _only_ in hardware
see description of 57c641ba6e

QCA955x and QCA9563, second USB can be switched to device
mode in software (tested and confirmed on real hardware).

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-09-12 00:24:08 +02:00
Tomislav Požega
9ba9a91343 ar71xx: qca955x pci init/reset fixes
Current ar724x code does the reset only on single pci bus, and
in case of qca9558 writes the wrong register (0x10 vs 0x0c).
This change allows the reset of second pci bus, commonly used in
Archer C7 devices, in case host controller is stuck in reset.
If the resetting controller on boot can solve any other issue it
can be enabled unconditionally by removing reset check before
ar724x_pci_hw_init is called.

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
[refreshed to apply cleanly]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry picked from commit 76d870871cb12fc0c170e5fd23bce568adfaae6d)
2019-09-11 09:57:28 +02:00
Tomislav Požega
a3c3a8c5ab ar71xx: enable ddr wb flush on qca955x
Enable flushing of write buffers on qca955x. GPL code has 0x88 reg
defined for PCI flush which is likely an error since the device
freezes on boot. So use DS default value 0xA8 for PCI flush.

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
(cherry picked from commit fe9e702dc94ece2a004f6db68d6fb9a94d9437cb)
2019-09-11 09:57:28 +02:00
Tomislav Požega
af91a370de ar71xx: use platform code for qca955x usb0 init
Switch from ci_usb_setup to generic platform initialization of
usb0 port.

Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
(cherry picked from commit 36a0cfd24be1cb79f221964ed2bfe12b98befff3)
2019-09-11 09:57:28 +02:00
Koen Vandeputte
2cd89cf0d7 kernel: bump 4.14 to 4.4.142
Refreshed all patches.

Remove upstreamed:
- 0032-usb-host-fotg2-restart-hcd-after-port-reset.patch

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-09-11 09:57:28 +02:00
Hauke Mehrtens
e8c5e6177d hostapd: SAE/EAP-pwd side-channel attack update
Fixes this security problem:
* SAE/EAP-pwd side-channel attack update
https://w1.fi/security/2019-6/sae-eap-pwd-side-channel-attack-update.txt

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7bed9bf10f)
2019-09-10 21:55:02 +02:00
Hauke Mehrtens
a0c8494704 hostapd: Fix security problem in EAP-pwd
This fixes:
CVE-2019-11555 "EAP-pwd message reassembly issue with unexpected fragment"
https://w1.fi/security/2019-5/eap-pwd-message-reassembly-issue-with-unexpected-fragment.txt

This should not affect OpenWrt in the default settings as we do not use
EAP-pwd.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 9f34bf51d6)
2019-09-10 21:54:58 +02:00
Adrian Schmutzler
d889cc9887 ramips: fix ethernet MAC address of ASUS RT-AC57U
This backports the only non-cosmetic fix from 6640e1c368
("ramips: clean and improve MAC address setup in 02_network").

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-09-09 21:12:23 +08:00
Adrian Schmutzler
79b9bc44d6 ramips: fix duplicate network setup for dlink, dir-615-h1
In 555ca422d1 ("ramips: fix D-Link DIR-615 H1 switch port
mapping"), port setup for dir-615-h1 was changed without removing
the old one. This was working as the new one was triggered earlier
than the old one.

(In the meantine, changed sorting during ramips rename patches
actually inversed that order.)

Anyway, just remove the wrong case now.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit e35e4a996e)
2019-09-09 21:12:23 +08:00
Adrian Schmutzler
f9ecee7913 ramips: remove duplicate case for MAC setup of freestation5
ARC FreeStation5 is present twice in MAC address setup.

>From older commits/changes, it is not possible to reconstruct
the correct choice only by reading the annotations.

Thus, remove the second case and keep the first one, so behavior
stays the same (as nobody seems to have complained about it).

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit ad4eb2241b)
2019-09-09 21:12:23 +08:00
Rafał Miłecki
c7f710e474 mac80211: brcmfmac: backport more kernel 5.4 changes
Patch getting RAM info got upstreamed. A debugging fs entry for testing
reset feature was added.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 681acdcc54)
2019-09-09 10:29:01 +02:00
Hauke Mehrtens
6d2044d62f mt7620: disable image generation for Nexx WT3020 (4MB)
Image generation is currently failing on builbots due to the following
error:

WARNING: Image file openwrt-19.07-snapshot-r10495-db5164d3d0-ramips-mt7620-wt3020-4M-squashfs-factory.bin is too big

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-08 21:08:22 +02:00
Hauke Mehrtens
ccd1335dcc apm821xx: Make patches apply again
This patch was applied to the upstream kernel in version 4.14.135,
remove it from our patches directory.

Fixes: 40379b0ec6 ("apm821xx: fix bogus key-presses on boot")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-09-08 20:05:15 +02:00
Jonas Gorski
4c8258c925 Revert "build: remove harmful -nopad option from mksquashfs"
This reverts commit 1c0290c5cc.

Dropping the nopad can make the padding overflow into the next erase
block on devices using a non-aligned rootfs start. This breaks the jffs2
overlay partition with the following messages:

[   30.343877] jffs2_scan_eraseblock(): End of filesystem marker found at 0x10000
[   30.376512] jffs2: Cowardly refusing to erase blocks on filesystem with no valid JFFS2 nodes
[   30.385253] jffs2: empty_blocks 196, bad_blocks 0, c->nr_blocks 197

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
(cherry picked from commit f11d90a76b)
2019-09-08 18:50:11 +02:00
David Bauer
271990321a ipq40xx: fix AVM NAND caldata extraction
The AVM Fritz!Box 7530 (and probably other AVM IPQ4019 NAND devices)
has it's caldata not stored consistently, but instead at currently
3 known possible offsets.

As we get a non-zero exit code from fritz_cal_extract, simply try all
three possible offsets on both bootloader partitions, until a matching
caldata for each radio is found.

Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a6f85b81b7)
2019-09-08 17:42:39 +02:00
Cong Wang
16985d2aab kernel: net_sched: fix a NULL pointer deref in ipt action
The net pointer in struct xt_tgdtor_param is not explicitly
initialized therefore is still NULL when dereferencing it.
So we have to find a way to pass the correct net pointer to
ipt_destroy_target().

The best way I find is just saving the net pointer inside the per
netns struct tcf_idrinfo, which could make this patch smaller.

Fixes: 0c66dc1ea3f0 ("netfilter: conntrack: register hooks in netns when needed by ruleset")
Reported-and-tested-by: Tony Ambardar <itugrok@xxxxxxxxx>
Cc: Jamal Hadi Salim <jhs@xxxxxxxxxxxx>
Cc: Jiri Pirko <jiri@xxxxxxxxxxx>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

[Backport for kernel v4.19 and v4.14]
[Bug Link: https://bugzilla.kernel.org/show_bug.cgi?id=204681]
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 7735cce0c5)
2019-09-08 17:42:39 +02:00
Rafał Miłecki
15292501a1 mvebu: sysupgrade: don't use $ARGV in platform_check_image()
sysupgrade passes image path to platform_check_image() as an argument so
it can be simply accessed using $1

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 76e43c82b5)
[rmilecki: dropping ARGV without this change broke sysupgrade]
Fixes: 6ac62c4b6c ("base-files: don't set ARGV and ARGC")
2019-09-07 14:31:45 +02:00
Rafał Miłecki
5ae87c76b7 treewide: sysupgrade: don't use $ARGV in platform_do_upgrade()
stage2 passes image path to platform_do_upgrade() as an argument so it
can be simply accessed using $1

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 8b4bc7abe0)
[rmilecki: dropping ARGV without this change broke sysupgrade]
Fixes: 6ac62c4b6c ("base-files: don't set ARGV and ARGC")
2019-09-07 14:31:16 +02:00
Hans Dedecker
986c706cd1 odhcp6c: update to latest git HEAD
e199804 dhcpv6: sanitize oro options

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 1855c23794)
2019-09-07 13:13:40 +02:00
David Bauer
db7a1e7c04 ath79: correct OCEDO Ursus phy-mode property
This fixes the previously incorrect phy-mode for the OCEDO Ursus GMAC0.

See 62abbd587d ("ath79: correct various phy-mode properties")
for more details.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 7b137e9df9)
2019-09-07 00:59:41 +02:00
David Bauer
15d84131fe ramips: fix network setup for various NETGEAR boards
There are currently the following issues present for the Netgear R6220,
R6350 and WNDR3700 v5:

 - LAN and WAN MAC-addresses are inverted
 - WAN MAC-address is off. It are +2 compared to the LAN MAC-address
   (R6350 only)
 - Switchport order is inverted in LuCi

This commit fixes both these issues by assigning correct MAC-addresses
to LAN and WAN interfaces and defining the switchports with the correct
labels.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 13937a16d4)
2019-09-07 00:59:41 +02:00
David Bauer
f057133349 ramips: use phy trigger for various Netgear boards
This commit switches the default trigger for the WiFi LED from a netdev
trigger on "wlan0" to a wireless-phy based trigger. THis allows the LED
to work, even when the wireless interface is not named "wlan0" without
modifiying the LED settings.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit fa46c9b208)
2019-09-07 00:59:41 +02:00
David Bauer
b8b62b8506 ramips: disable badblock shifting for MT7621 NAND
The MediaTek MT7621 NAND driver currently intransparently shifts NAND
pages when a block is marked as bad. Because of this, offsets for e.g.
caldata and MAC-addresses seem to be off.

This is, howeer, not a task for the mtd NAND driver, as the flash
translation layer is tasked with this.

This patch disables this badblock shifting. This fix was originally
proposed by Jo-Philipp Wich at
https://bugs.openwrt.org/index.php?do=details&task_id=1926

Fixes FS#1926 ("MTD partition offset not correctly mapped when bad
eraseblocks present")
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 527832e54b)
2019-09-07 00:53:18 +02:00
Rafał Miłecki
afce041e2b treewide: fix invalid UPGRADE_OPT_SAVE_CONFIG spellings
That was a result of accidentally running "sed" twice on some files.

Fixes: 9b9412d55c ("treewide: replace remaining (not working now) $SAVE_CONFIG uses")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 1078de96e3)
2019-09-06 11:37:39 +02:00
Rafał Miłecki
9b9412d55c treewide: replace remaining (not working now) $SAVE_CONFIG uses
This var has been replaced by the $UPGRADE_OPT_UPGRADE_OPT_SAVE_CONFIG

Fixes: f25d164aca ("base-files: pass "save_config" option to the "sysupgrade" method")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 5797fe84a3)
2019-09-06 11:36:26 +02:00
Rafał Miłecki
af7c186ead procd: update to the latest git HEAD
0f3c136 sysupgrade: set UPGRADE_BACKUP env variable
0bcbbbf system: fix uninitialized variables in firmware validation code

This update includes a fix for uninitialized variable usage.

Fixes: db5164d3d0 ("procd: update to the latest git HEAD")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit e8dcbbc865)
2019-09-06 08:11:13 +02:00
Rafał Miłecki
db5164d3d0 procd: update to the latest git HEAD
34ac88c system: reject sysupgrade of invalid firmware images by default
f55c235 system: reject sysupgrade of broken firmware images
e990e21 system: add "validate_firmware_image" ubus method

This update changes "sysupgrade" ubus method API. It's now required to
pass "force" attribute whenever invalid firmware is meant to be
installed.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 7290963d09)
2019-09-04 13:47:36 +02:00
Rafał Miłecki
d7af175321 base-files: pass "force" parameter to the "sysupgrade" call
This makes sysupgrade work with the most recent procd that validates
firmware before proceeding.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit b71962da16)
2019-09-04 13:47:17 +02:00
Rosen Penev
aa239ceaed upslug2: Update to git repository
This has two improvements over the current version. An autotools fix and
application of the wrt350v2 patch.

Cleaned up Makefile as a result of makefiles being fixed.

Note that this package is not really used as it depends on orion, which is
classified as broken.

This is the last package that uses svn in the tree.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit ac31ec0f62)
2019-09-04 13:47:11 +02:00
Jo-Philipp Wich
068e9210d5 sdk: use bundle-libraries.sh to ship kernel objtool tools
Ensure that the kernel objtool utilities are processed by the library
bundler in order to ensure that they're usable on foreign systems with
different libc versions.

Fixes: a9f6fceb42 ("sdk: fix building external modules when CONFIG_STACK_VALIDATION=y")
Acked-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit efaaadb49e)
2019-09-04 13:47:04 +02:00
Jo-Philipp Wich
cf2dba5273 include: kernel-build: pass pkg-config overrides to kernel build
Pass suitable pkg-config overrides to the kernel build process in
order to let our pkg-config wrapper discover libraries provided
by tools/.

This mainly affects the use of libelf which is required for the
CONFIG_STACK_VALIDATION features. So far, the build system either
silently used host system libraries or kbuild simply disabled the
feature due to the lack of a suitable libelf.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit fe43969336)
2019-09-04 13:46:59 +02:00
Jo-Philipp Wich
5aa1b9ad68 tools: libelf: fix headers to trigger -Wundef warnings
When libelf from tools/ is used for building the kernel, compilation
aborts due to access to undefined defines since Kbuild adds -Wundef
to the compiler flags.

Patch the header files to use `#if defined(...)` instead of `#if ...`
to prevent such issues.

Ref: https://github.com/NixOS/nixpkgs/issues/59929
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit f3ab336d7c)
2019-09-04 13:46:55 +02:00
Jo-Philipp Wich
2e490e7e46 tools: libelf: install pkg-config file
Install the pkg-config definition for libelf in order to allow the
kernel build process discover it later on.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit d3f86c9cc3)
2019-09-04 13:46:49 +02:00
Bjørn Mork
7c811372d8 scripts/feeds: fix 'src-include' directive
Commit 775b70f8d5 renamed parse_file() parameters without
updating the recursive call. This broke parsing of any feeds.conf
using 'src-include'.

 $ scripts/feeds update -a
 Can't use string ("defaults") as a HASH ref while "strict refs" in use at scripts/feeds line 63, <$fh> line 1.

Fixes: 775b70f8d5 ("scripts/feeds: allow adding parameters to feeds")
Signed-off-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit a21b70be31)
2019-09-04 13:46:35 +02:00
Hauke Mehrtens
0d4ab1559a uci: update to latest Git HEAD
415f9e4 uci/file: replace mktemp() with mkstemp()

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 6aa962a622)
2019-09-04 13:46:30 +02:00
Hauke Mehrtens
5bda748af4 iwinfo: update to latest Git HEAD
f599a8d iwinfo: Fix rate buffer size
71ec9be iwinfo: Fix buffer size
f8ef450 iwinfo: Add support for WPA3

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 6658447534)
2019-09-04 13:46:23 +02:00
Thomas Langer
76297c3454 Fix handling of BUILD_SUFFIX in remote-gdb script
When CONFIG_BUILD_SUFFIX is enabled, the target-* folders in build_dir
and staging_dir have this suffix in the name, but not the
toolchain directories. When detecting the names for "arch" and "libc",
also accept the suffix and do not use it for the toolchain path.

Signed-off-by: Thomas Langer <thomas.langer@intel.com>
(cherry picked from commit 035906fd05)
2019-09-04 13:46:18 +02:00
Daniel Engberg
32d27a9017 tools/cmake: Update to 3.15.1
Update CMake to 3.15.1
Refresh patches
Remove inofficial fossies.org and replace with GitHub (link on official site)
Remove 150-C-feature-checks-Match-warnings-more-strictly.patch as it's
a no longer needed backport from upstream.
Disable ccache if GCC is 4.8, 4.9 or 5.X to avoid build failures.
Reference: https://github.com/openwrt/openwrt/pull/1929

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit 413c68d120)
2019-09-04 13:46:12 +02:00
Konstantin Demin
6b5e0eede8 nftables: bump to version 0.9.2
- exclude Python-related stuff from build
- drop patches:
  * 010-uclibc-ng.patch, applied upstream

ipkg size decrease by 2.8%:
old:
194.851 nftables_0.9.0-2_arm_cortex-a7_neon-vfpv4.ipk
new:
189.581 nftables_0.9.2-1_arm_cortex-a7_neon-vfpv4.ipk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit b74f1f335a)
2019-09-04 13:46:06 +02:00
Konstantin Demin
ab0088b239 libnftnl: bump to version 1.1.4
ABI version is same.

The ipkg size increase by about 2.2%:
old:
47.909 libnftnl11_1.1.3-1_arm_cortex-a7_neon-vfpv4.ipk
new:
48.985 libnftnl11_1.1.4-1_arm_cortex-a7_neon-vfpv4.ipk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit 699955a684)
2019-09-04 13:46:01 +02:00
Jo-Philipp Wich
fe34c2538b rpcd: update to latest Git HEAD
821045f file: add path based read/write/exec ACL checks
fb337e5 file: add stat() information to directory listings

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 02169bd3f8)
2019-09-04 13:45:49 +02:00
Eneas U de Queiroz
882052caae uhttpd: add support to generate EC keys
This adds the key_type and ec_curve options to enable the generation of
EC keys during initialization, using openssl or the new options added to
px5g.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 7f2b230b3b)
2019-09-04 13:45:44 +02:00
Eneas U de Queiroz
ad4af2b8df px5g: support EC keys
This adds an 'eckey' command to generate an EC key, with an optional
curve name argument, with P-256 as default.

For the 'selfsigned' command, it adds an 'ec' algorithm argument to the
'-newkey' option, and a '-pkeyopt ec_paramgen_curve:<curvename>' option,
mirroring the way openssl specifies the curve name.

Notice that curve names are not necessarily the same in mbedtls and
openssl.  In particular, secp256r1 works for mbedtls, but openssl uses
prime256v1 instead. px5g uses mbedtls, but short NIST curve names P-256
and P-384 are specifically supported.

Package size increased by about 900 bytes (arm).

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit a552ababd4)
2019-09-04 13:45:39 +02:00
Eneas U de Queiroz
da10d4a779 openssl: always build with EC support
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit f40262697f)
2019-09-04 13:45:34 +02:00
Rosen Penev
6151609d07 libnfnetlink: Avoid passing both -fPIC and -fpic
Instead, instruct the configure script to use $(FPIC) only.

Mixing -fPIC and -fpic can cause issues on some platforms like PPC.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 926157c2cc)
2019-09-04 13:45:26 +02:00