Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is
enabled, resulting in an "Anonymous suite requires DH" error when trying
to compile wolfssl.
Signed-off-by: Pascal Ernster <git@hardfalcon.net>
Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 21825af2da)
Due to the bug described here[1], remove the 300 MHz clock to avoid a low
voltage condition that can cause a hang when rebooting the RT3200/E8450.
This solution is probably better than the script-based work-around[2].
1. https://forum.openwrt.org/t/belkin-rt3200-linksys-e8450-wifi-ax-discussion/94302/1490
2. https://github.com/openwrt/openwrt/pull/5025
Signed-off-by: John Audia <therealgraysky@proton.me>
Tested-by: Rui Salvaterra <rsalvaterra@gmail.com>
Tested-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit d0d6b8e183)
[ fix the conflict by apply the patch to kernel 5.10 ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Changes:
9c44557 opkg_remove: avoid remove pkg repeatly with option --force-removal-of-dependent-packages
2edcfad libopkg: set 'const' attribute for argv
This should fix the CI error in the packages repository, which happens with perl.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit e21fea9289)
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
*) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation would not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
(CVE-2022-2097)
[Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
Signed-off-by: Dustin Lundquist <dustin@null-ptr.net>
(cherry picked from commit 3899f68b54)
This version fixes two vulnerabilities:
-CVE-2022-34293[high]: Potential for DTLS DoS attack
-[medium]: Ciphertext side channel attack on ECC and DH operations.
The patch fixing x86 aesni build has been merged upstream.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 9710fe70a6)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This image is supposed to be written with help of bootloader to the
flash, but as it stands, it's not aligned to block size and RedBoot will
happily create non-aligned partition size in FIS directory. This could
lead to kernel to mark the partition as read-only, therefore pad the
image to block erase size boundary.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 9decd2a843)
The bootloader on this board hid the partition containig MAC addresses
and prevented adding this space to FIS directory, therefore those had to
be stored in RedBoot configuration as aliases to be able to assigne them
to proper interfaces. Now that fixed partition size are used instead of
redboot-fis parser, the partition containig MAC addresses could be
specified, and with marking it as nvmem cell, we can assign them without
userspace involvement.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit b52719b71a)
Don't comence the switch to RAMFS when the image format is wrong. This
led to rebooting the device, which could lead to false impression that
upgrade succeded.
Being here, factor out the code responsible for upgrading RedBoot
devices to separate file.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 5897c52e78)
After the kernel has switched version to 5.10, JA76PF2 and
RouterStations lost the capability to sysupgrade the OpenWrt version.
The cause is the lack of porting the patches responsible for partial
flash erase block writing and these boards FIS directory and RedBoot
config partitions share the same erase block. Because of that the FIS
directory can't be updated to accommodate kernel/rootfs partition size
changes. This could be remedied by bootloader update, but it is very
intrusive and could potentially lead to non-trivial recovery procedure,
if something went wrong. The less difficult option is to use OpenWrt
kernel loader, which will let us use static partition sizes and employ
mtd splitter to dynamically adjust kernel and rootfs partition sizes.
On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify
FIS directory, the loader will be written to kernel partition, while the
kernel+rootfs to rootfs partition.
The caveats are:
* image format changes, no possible upgrade from ar71xx target images
* downgrade to any older OpenWrt version will require TFTP recovery or
usage of bootloader command line interface
To downgrade to 19.07 or 21.02, or to upgrade if one is already on
OpenWrt with kernel 5.10, for RouterStations use TFTP recovery
procedure. For JA76PF2 use instructions from this commit message:
commit 0cc87b3bac ("ath79: image: disable sysupgrade images for routerstations and ja76pf2"),
replacing kernel image with loader (loader.bin suffix) and rootfs
image with firmware (firmware.bin suffix).
Fixes: b10d604459 ("kernel: add linux 5.10 support")
Fixes: 15aa53d7ee ("ath79: switch to Kernel 5.10")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(mkubntimage was moved to generic-ubnt.mk)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 5c142aad7b)
On the NanoPI R4S it takes an average of 3..5 seconds for the network devices
to appear in '/proc/interrupts'.
Wait up to 10 seconds to ensure that the distribution of the interrupts
really happens.
Signed-off-by: Ronny Kotzschmar <ro.ok@me.com>
(cherry picked from commit 9b00e97956)
Apply an upstream patch that removes unnecessary CFLAGs, avoiding
generation of incompatible code.
Commit 0bd5367233 is reverted so the
accelerated version builds by default on x86_64.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 639419ec4f)
During upload of firmware images the WebUI and CLI patch process
extracts a version information from the uploaded file and stores it
onto the jffs2 partition. To be precise it is written into the
flash.txt or flash2.txt files depending on the selected target image.
This data is not used anywhere else. The current OpenWrt factory
image misses this label. Therefore version information shows only
garbage. Fix this.
Before:
DGS-1210-20> show firmware information
IMAGE ONE:
Version : xfo/QE~WQD"A\Scxq...
Size : 5505185 Bytes
After:
DGS-1210-20> show firmware information
IMAGE ONE:
Version : OpenWrt
Size : 5505200 Bytes
Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
(cherry picked from commit fae3ac3560)
Currently we build factory images only for DGS-1210-28 model. Relax
that constraint and take care about all models. Tested on DGS-1210-20
and should work on other models too because of common flash layout.
Tested-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
(cherry picked from commit 2b49ec3a28)
What should have been only cosmetic changes, ended up in breaking the
script. Rename UIMAGE_CRC_SLICE back to (the original) UIMAGE_CRC_OFF.
Fixes issue #10204 "cameo-tag.py broken"
Reported-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Fixes: f9e840b657 ("scripts: add CAMEO tag generator")
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit ebfe66e494)
From now on we will insert CAMEO tags into sysupgrade images for
DGS-1210 devices. This will make the "OS:...FAILED" and "FS:...FAILED"
messages go away.
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
(cherry picked from commit e763c4c89f)
This script inserts CAMEO tags into an uImage to make U-Boot
of DGS-1210 switches happy.
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
Suggested-by: Sander Vanheule <sander@svanheule.net> # Mutual checksum algorithm
[commit title prefix, trailing whitespace, OpenWrt capitalisation, move
CRC calculation comment, use UIMAGE_NAME_*, remove parentheses for
return, use f-string instead of str()]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit f9e840b657)
DGS-1210 switches support dual image, with each image composed of a
kernel and a rootfs partition. For image1, kernel and rootfs are in
sequence. The current OpenWrt image (written using a serial console),
uses those partitions together as the firmware partition, ignoring the
partition division. The current OEM u-boot fails to validate image1 but
it will only trigger firmware recovery if both image1 and image2 fail,
and it does not switch the boot image in case one of them fails the
check.
The OEM factory image is composed of concatenated blocks of data, each
one prefixed with a 0x40-byte cameo header. A normal OEM firmware will
have two of these blocks (kernel, rootfs). The OEM firmware only checks
the header before writing unconditionally the data (except the header)
to the correspoding partition.
The OpenWrt factory image mimics the OEM image by cutting the
kernel+rootfs firmware at the exact size of the OEM kernel partition
and packing it as "the kernel partition" and the rest of the kernel and
the rootfs as "the rootfs partition". It will only work if written to
image1 because image2 has a sysinfo partition between kernel2 and
rootfs2, cutting the kernel code in the middle.
Steps to install:
1) switch to image2 (containing an OEM image), using web or these CLI
commands:
- config firmware image_id 2 boot_up
- reboot
2) flash the factory_image1.bin to image1. OEM web (v6.30.016)
is crashing for any upload (ssh keys, firmware), even applying OEM
firmwares. These CLI commands can upload a new firmware to the other
image location (not used to boot):
- download firmware_fromTFTP <tftpserver> factory_image1.bin
- config firmware image_id 1 boot_up
- reboot
To debrick the device, you'll need serial access. If you want to
recover to an OpenWrt, you can replay the serial installation
instructions. For returning to the original firmware, press ESC during
the boot to trigger the emergency firmware recovery procedure. After
that, use D-Link Network Assistant v2.0.2.4 to flash a new firmware.
The device documentation does describe that holding RESET for 12s
trigger the firmware recovery. However, the latest shipped U-Boot
"2011.12.(2.1.5.67086)-Candidate1" from "Aug 24 2021 - 17:33:09" cannot
trigger that from a cold boot. In fact, any U-Boot procedure that relies
on the RESET button, like reset settings, will only work if started from
a running original firmware. That, in practice, cancels the benefit of
having two images and a firmware recovery procedure (if you are not
consider dual-booting OpenWrt).
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 1005dc0a64)
The cameo header is a 0x40-byte header used by D-Link DGS 1210 switches
and Apresia ApresiaLightGS series. cameo-imghdr.py is a clean-room
reimplementation of imghdr present in the DGS-1210-28-GPL package.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[fix board_version argument's help text]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 2fd66e058b)
This improves NAT masquarade network performance.
An alternative to kernel change would be runtime setup but that requires
ethtool and identifying relevant network interface and all related
switch ports interfaces.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 82d0dd8f8a)
Bumping max frame size has significantly affected network performance.
It was done by upstream commit that first appeared in the 5.7 release.
This change bumps NAT masquarade speed from 196 Mb/s to 383 Mb/s for the
BCM4708 SoC.
Ref: f55f1dbaad ("bcm53xx: switch to the kernel 5.10")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 230c9da963)
1. KCFLAGS should be used for custom flags
2. Optimization flags are arch / SoC specific
3. -fno-reorder-blocks may *worsen* network performace on some SoCs
4. Usage of flags was *reversed* since 5.4 and noone reported that
If we really need custom flags then CONFIG_KERNEL_CFLAGS should get
default value adjusted properly (per target).
Ref: 4e0c54bc5b ("kernel: add support for kernel 5.4")
Link: http://lists.openwrt.org/pipermail/openwrt-devel/2022-June/038853.html
Link: https://patchwork.ozlabs.org/project/openwrt/patch/20190409093046.13401-1-zajec5@gmail.com/
Cc: Felix Fietkau <nbd@nbd.name>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 22168ae681)
This uses kernel's generic variable and doesn't require patching it with
a custom Makefile change. It's expected *not* to change any behaviour.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 1d42af720c)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 24e27bec9a)
When building the mediatek/mt7629 target in OpenWrt 22.03 the kernel
does not have a configuration option for CONFIG_CRYPTO_DEV_MEDIATEK. Add
this option to the generic kernel configuration and also add two other
configuration options which are removed when we refresh the mt7629
kernel configuration.
Fixes: 2bea35cb55 ("mediatek: remove crypto-hw-mtk package")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit dcc0fe24ea)
Changes between 1.1.1o and 1.1.1p [21 Jun 2022]
*) In addition to the c_rehash shell command injection identified in
CVE-2022-1292, further bugs where the c_rehash script does not
properly sanitise shell metacharacters to prevent command injection have been
fixed.
When the CVE-2022-1292 was fixed it was not discovered that there
are other places in the script where the file names of certificates
being hashed were possibly passed to a command executed through the shell.
This script is distributed by some operating systems in a manner where
it is automatically executed. On such operating systems, an attacker
could execute arbitrary commands with the privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
(CVE-2022-2068)
[Daniel Fiala, Tomáš Mráz]
*) When OpenSSL TLS client is connecting without any supported elliptic
curves and TLS-1.3 protocol is disabled the connection will no longer fail
if a ciphersuite that does not use a key exchange based on elliptic
curves can be negotiated.
[Tomáš Mráz]
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit eb7d2abbf0)
The recent differentiation between v1 and v2 of the UniFi 6 LR added
support for the v2 version which has GPIO-controlled LEDs instead of
using an additional microcontroller to drive an RGB led.
The polarity of the white LED, however, was inverted and the default
states didn't make a lot of sense after all. Fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f58e562b07)
The line trying to generate the standard sdcard.img.gz fails due to
boot.scr not being generated.
Remove the line in order to use the default sdcard.img.gz which is
exactly the same but includes generating the boot.scr file.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 1d3b57dbee)
Select matching U-Boot for both v1 and v2 variants.
Fixes: 15a02471bb ("mediatek: new target mt7622-ubnt-unifi-6-lr-v1")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 2caa03ec86)
Add targets:
* Ubiquiti UniFi 6 LR v2
* Ubiquiti UniFi 6 LR v2 (U-Boot mod)
This target does not have a RGB led bar like v1 did
Used target/linux/ramips/dts/mt7621_ubnt_unifi.dtsi as inspiration
The white dome LED is default-on, blue will turn on when the system is
in running state
Signed-off-by: Henrik Riomar <henrik.riomar@gmail.com>
(cherry picked from commit 31d86a1a11)
based on current ubnt_unifi-6-lr-ubootmod
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[added SUPPORTED_DEVICES for compatibility with existing setups]
Signed-off-by: Henrik Riomar <henrik.riomar@gmail.com>
(cherry picked from commit 5c8d3893a7)
Based on current mt7622-ubnt-unifi-6-lr, this is a preparation for
adding a v2 version of this target
* v1 - with led-bar
* v2 - two simple GPIO connected LEDs (in later commits)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[added SUPPORTED_DEVICES for compatibility with existing setups]
Signed-off-by: Henrik Riomar <henrik.riomar@gmail.com>
(cherry picked from commit 15a02471bb)
The config for LEDS_UBNT_LEDBAR doesn't stay in mt7629 kconfig because
of its I2C dependency. Build it as a module and let buildroot handle
this config option instead.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
(cherry picked from commit d9ea9c06e9)
The MediaTek's Crypto Engine module is only available for mt7623, in
which case it is built into the kernel.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 3f2d0703b6)