Commit Graph

43835 Commits

Author SHA1 Message Date
Pawel Dembicki
d5f615bf2a sunxi: add support for Sinovoip Banana Pi M2 Plus
CPU: H3 Quad-core Cortex-A7 H.265/HEVC 4K @ 1.2 Ghz
GPU: Mali400MP2 GPU @ 600MHz (supports OpenGL ES 2.0)
Memory: 1GB DDR3 (shared with GPU)
Onboard: Storage TF card (Max. 64GB) / MMC card slot
Onboard: Network 10/100M Ethernet RJ45 (Realtek RTL8211E)
Onboard: Network BT4.0/WiFi 802.11 b/g/n (Ampak AP6212)
Onboard header: SPI, I2C, GPIO, UART
USB 2.0: Two USB 2.0 HOST, One USB 2.0 OTG

Untested:
Audio, Video

Not working:
Bluetooth

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2019-02-17 19:22:39 +01:00
Pawel Dembicki
1559682757 linux-firmware: broadcom: package 43430a0 FullMAC firmware
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2019-02-17 19:22:39 +01:00
Eneas U de Queiroz
ddee1825de openssl: patch to fix devcrypto sessions leak
Applies a patch from https://github.com/openssl/openssl/pull/8213
that fixes an error where open /dev/crypto sessions were not closed.
Thanks to Ansuel Smith for reporting it.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-17 19:22:35 +01:00
R. Diez
eabc1ddc45 build: Honour NO_COLOR in include/scan.mk
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Hi all:

This is my first OpenWrt patch. I am a clean, pure newbie! 8-)

Honour NO_COLOR in Makefile function 'progress' in include/scan.mk, in the same way that include/verbose.mk does.

Signed-off-by: R. Diez <rdiezmail-openwrt@yahoo.com>
2019-02-17 19:22:04 +01:00
Tomasz Maciej Nowak
55b808e0c4 x86: image: add test module to bootloader
It was previously added in 546fced, which was part of "intel-microcode:
load as early as possible" series.
Unfortunately the conditionals added to GRUB config caused error on boot,
because on sysupgrade, bootloader is not updated and is left with old
features/modules. Since this module is needed for early microcode load
and transition to this needs to be done step by step, enable the test
module now, so that every newly created image has it already embedded.

Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
2019-02-17 18:22:40 +01:00
Tomasz Maciej Nowak
bb0e4f9fb0 build: remove leftovers from previous x86 commits
VBoxManage is not used and the image is created with proper permisions:
0f5d0f6  image: use internal qemu-img for vmdk and vdi images drop host
         dependencies on qemu-utils and VirtualBox

Unreachable config symbols:
9e0759e  x86: merge all geode based subtargets into one

No need to define those symbols since x86_64 is subtarget of x86:
196fb76  x86: make x86_64 a subtarget instead of a standalone target

Unreachable config symbols, so remove GRUB_ROOT:
371b382  x86: remove the xen_domu subtarget

Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl>
2019-02-17 18:22:40 +01:00
Daniel F. Dickinson
da50f027f0 config: kernel: Fix missing symbol on brcm2708 with CGROUPS
When CGROUP block io is enabled a new symbol is exposed and needs to
be set or unset else kernel oldconfig hangs waiting for input during
normal OpenWrt builds.  Therefore add sane defaults for this symbol
in that case.  Also, the defaults brcm2708 are different than generic
defaults because the platform's defconfig enables BLK_DEV_THROTTLING
by default (in defconfig config from the patches used to match
upstream's kernel, not in OpenWrt config-4.xx).

Signed-off-by: Daniel F. Dickinson <cshored@thecshore.com>
[make KERNEL_BLK_DEV_THROTTLING_LOW depend on KERNEL_BLK_DEV_THROTTLING]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-02-17 18:22:40 +01:00
Adrian Schmutzler
319c5d7c49 ar71xx: Fix 5 GHz MAC address for Archer C60 v2
Looks like C60 v2 needs the MAC address to be calculated
manually, while the C60 v1 gets it correctly without manual
interference.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-02-17 18:22:39 +01:00
Rosen Penev
5e8f18fef6 kernel: Remove CONFIG_UDF_NLS for kernel 4.19
kernel 4.18 removed the symbol and made NLS implicit.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-02-17 17:33:18 +01:00
Rosen Penev
cd519abdbc mdadm: Update to 4.1
Tested on GnuBee PC1.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-02-17 17:33:18 +01:00
Deng Qingfang
f5db5742e4 iw: update to 5.0.1
Refresh patches

MIPS IPK size increases:
iw-tiny: +3k
iw-full: +10k

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
[Remove sha256, nan, bloom, measurements and ftm from tiny version]
[sync nl80211 between backports and iw]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-02-17 17:33:18 +01:00
Hauke Mehrtens
d48a8ed40d mac80211: update to version 4.19.23-1
This updates mac80211 to backports version 4.19.23-1 which includes all
the stable fixes from kernel 4.19.23.
The removed patches are included in this version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-02-17 17:33:18 +01:00
Jonas Gorski
c8a30172f8 dnsmasq: ensure test and rc order as older than final releases
Opkg treats text after a version number as higher than without:

 ~# opkg compare-versions "2.80rc1" "<<" "2.80"; echo $?
 1
 ~# opkg compare-versions "2.80rc1" ">>" "2.80"; echo $?
 0

This causes opkg not offering final release as upgradable version, and
even refusing to update, since it thinks the installed version is
higher.

This can be mitigated by adding ~ between the version and the text, as ~
will order as less than everything except itself. Since 'r' < 't', to
make sure that test will be treated as lower than rc we add a second ~
before the test tag. That way, the ordering becomes

  2.80~~test < 2.80~rc < 2.80

which then makes opkg properly treat prerelease versions as lower.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2019-02-17 16:55:24 +01:00
Felix Fietkau
5b6997dcb3 hostapd: update the fix for a race condition in mesh new peer handling
Prevent the mesh authentication state machine from getting reset on bogus
new peer discovery

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 16:06:44 +01:00
Felix Fietkau
f948aa4d4f hostapd: enable CONFIG_DEBUG_SYSLOG for wpa_supplicant
It was already enabled for wpad builds and since commit 6a15077e2d
the script relies on it. Size impact is minimal (2 kb on MIPS .ipk).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-17 13:05:14 +01:00
Alin Nastac
5241f9005c ipset: add support for hash(ip,mac)
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-17 12:00:02 +01:00
Koen Vandeputte
ca13820d13 kernel: bump 4.19 to 4.19.23
Refreshed all patches.

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-15 21:53:27 +01:00
Koen Vandeputte
3967376eb7 kernel: bump 4.14 to 4.14.101
Refreshed all patches.

Fixes:
- CVE-2019-3819

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-15 21:53:27 +01:00
Koen Vandeputte
276d8b86a7 kernel: bump 4.9 to 4.9.158
Refreshed all patches.

Fixes:
- CVE-2019-3819

Compile-tested on: ar7
Runtime-tested on: none

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-15 21:53:27 +01:00
Hannu Nyman
94993a79f8 busybox: update to 1.30.1
Minor bugfix release. Fixes for
 * bc/dc
 * sed (backslash parsing for 'w' command)
 * ip (vlan fixes)
 * grep (fixes for -x -v)
 * ls (-i compat)

No need to refresh patches or config defaults

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2019-02-14 21:43:07 +01:00
Oever González
c35d7f3f8a ipq40xx: fix ipq40xx_setup_macs for Linksys EA6350v3
This commit fixes the script that sets the MAC address of the LAN
switch. The LAN MAC address should be the WAN MAC address plus one.

Without this patch the WAN and the LAN interface will use the same
MAC address and an error will be generated.

With this patch all interfaces will have a different MAC address,
consecutive in the following order: WAN, LAN, radio0 and radio1.

Signed-off-by: Oever González <notengobattery@gmail.com>
2019-02-14 16:56:15 +01:00
Roman Glova
064e431575 ipq8064: Enabling sata port ipq8064 based devices
(original text here: https://patchwork.kernel.org/patch/8686761/)

On some SOCs PORTS_IMPL register value is never programmed by the BIOS
and left at zero value. Which means that no sata ports are avaiable for
software. AHCI driver used to cope up with this by fabricating the
port_map if the PORTS_IMPL register is read zero, but recent patch
broke this workaround as zero value was valid for nvme disks.
This patch adds ports-implemented dt bindings as workaround for this issue
in a way that DT can dictate the port_map incase where the SOCs does not
program it already.

This patch is equal to commits:
67f8425d0ee1 ("ipq8064: dts: force AP148 SATA port mapping")
2e7a2c91019c ("ARM: dts: qcom: Move common nodes to ipq8064-v.1.0.dtsi")
in the upstream linux kernel.

Signed-off-by: Roman Glova <roman_glova@epam.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[added upstream commits, reorg' commit message]
2019-02-14 16:56:15 +01:00
INAGAKI Hiroshi
93d4439454 ath79: add support for I-O DATA WN-AC1600DGR
I-O DATA WN-AC1600DGR is a 2.4/5 GHz band 11ac router, based on
Qualcomm Atheros QCA9557.

Specification:

- SoC:      Qualcomm Atheros QCA9557
- RAM:      128 MB
- Flash:    16 MB
- WLAN:     2.4/5 GHz
  - 2.4 GHz: 2T2R (SoC internal)
  - 5 GHz:   3T3R (QCA9880)
- Ethernet: 5x 10/100/1000 Mbps
  - Switch: QCA8337N
- LED/key:  6x/6x(4x buttons, 1x slide switch)
- UART:     through-hole on PCB
  - Vcc, GND, TX, RX from ethernet port side
  - 115200n8

Flash instruction using factory image:

1. Connect the computer to the LAN port of WN-AC1600DGR
2. Connect power cable to WN-AC1600DGR and turn on it
3. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
4. Select the OpenWrt factory image and click update ("更新") button
5. Wait ~150 seconds to complete flashing

Alternative flash instruction using initramfs image:

1. Prepare a computer and TFTP server software with the IP address
"192.168.99.8" and renamed OpenWrt initramfs image
"uImageWN-AC1600DGR"
2. Connect between WN-AC1600DGR and the computer with UART
3. Connect power cable to WN-AC1600DGR, press "4" on the serial
console and enter the U-Boot console
4. execute "tftpboot" command on the console and download initramfs
image from the TFTP server
5. execute "bootm" command and boot OpenWrt
6. On initramfs image, download the sysupgrade image to the device
and perform sysupgrade with it
7. Wait ~150 seconds to complete flashing

This commit also removes unnecessary "qca,no-eeprom" property from
the ath10k wifi node.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2019-02-14 16:56:15 +01:00
Santiago Piccinini
cc8bd77772 ath79: fix qca955x dual pci resource allocation
Tested with a dual pci QCA9558 board (LibreRouter v1) in three
configurations: enabling pcie0 only, pcie1 only and both enabled.

Signed-off-by: Santiago Piccinini <spiccinini@altermundi.net>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [removed ML notice]
2019-02-14 16:56:15 +01:00
Santiago Piccinini
eea66c3227 ath79: fix qca955x pcie0 memory size
Datasheet states that both PCI ranges are of 0x2000000 size:
0x1000_0000-0x11FF_FFF and 0x1200_0000-0x13FF_0000.

Signed-off-by: Santiago Piccinini <spiccinini@altermundi.net>
Reviewed-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [removed ML notice]
2019-02-14 16:56:15 +01:00
Marius Genheimer
9ad3967f14 ipq40xx: add support for ASUS Lyra
SoC:   Qualcomm IPQ4019 (Dakota) 717 MHz, 4 cores
RAM:   256 MiB (Nanya NT5CC128M16IP-DI)
FLASH: 128 MiB (Macronix NAND)
WiFi0: Qualcomm IPQ4019 b/g/n 2x2
WiFi1: Qualcomm IPQ4019 a/n/ac 2x2
WiFi2: Qualcomm Atheros QCA9886 a/n/ac
BT:    Atheros AR3012
IN:    WPS Button, Reset Button
OUT:   RGB-LED via TI LP5523 9-channel Controller
UART:  Front of Device - 115200 N-8
       Pinout 3.3v - RX - TX - GND (Square is VCC)

Installation:
1. Transfer OpenWRT-initramfs image to the device via SSH to /tmp.
Login credentials are identical to the Web UI.

2. Login to the device via SSH.

3. Flash the initramfs image using

> mtd-write -d linux -i openwrt-image-file

4. Power-cycle the device and wait for OpenWRT to boot.

5. From there flash the OpenWRT-sysupgrade image.

Ethernet-Ports: Although labeled identically, the port next to
the power socket is the LAN port and the other one is WAN. This
is the same behavior as in the stock firmware.

Signed-off-by: Marius Genheimer <mail@f0wl.cc>
[Dropped setup_mac 02_network in favour of 05_set_iface_mac_ipq40xx.sh,
reorderd 02_network entries, added board.bin WA for the QCA9886 from ath79,
minor dts touchup, added rng to 4.19 dts]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-14 16:56:15 +01:00
Christian Lamparter
5ee9763aaa ipq40xx: ea6350v3: 4.19: enable pseudo rng support
Robert Marko made a big effort to enable the rng on all
ipq40xx for 4.19, so let's continue the quest.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-14 16:56:15 +01:00
Linus Walleij
b9a24f31a9 gemini: Name binary "bootpart.tar.gz"
This factory binary i supposed to actually be unzipped and
untarred by the user as part of the installation process
(this NAS boots from harddisk), so name it "bootpart.tar.gz"
and not "factory.bin" so it is helpful for users.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-14 16:56:15 +01:00
Daniel Engberg
b3c050c013 kernel: Add missing config option for kernel 4.19
Add CONFIG_USB_ROLE_SWITCH otherwise Octeon 4.19 fails compile

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-14 16:56:15 +01:00
Pawel Dembicki
bbe932ac16 mpc85xx: 4.19: add missing symbol
OCEDO Panda was added in b368373f, but only for
4.14 config. This patch fix 4.19 build for generic
and p2020 subtarget.

Signed-off-by: Pawel Dembicki <p.dembicki@wb.com.pl>
2019-02-14 16:56:15 +01:00
INAGAKI Hiroshi
e52ad0f919 ramips: change status LED for Buffalo WHR-G300N
Buffalo WHR-G300N has a LED for power status indication, but it is not
connected to the GPIO and cannot be controlled by the kernel. So,
WHR-G300N uses "ROUTER" LED as the system status LED instead.

This commit changes it to use "DIAG" LED insted of "ROUTER" like
WHR-G301N in ath79 target.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2019-02-14 16:56:15 +01:00
David Bauer
7bf6b59724 ramips: various Netgear R6120 fixes
The R6120 has no 5GHz WLAN LED, the assigned GPIO in fact controls
the WAN LED.

Renames the LED accordingly in the device-tree.
Removes the 5GHz WLAN LED trigger.
Adds the correct WAN port LED trigger.

----

Currently, the MAC address for the Netgear R6120 is read from the NVRAM
partition. The offset for the MAC address however is not consistent
across devices or firmware versions.

Switch to using the factory partition like all other Netgear devices do.

----

The LAN ports of the R6120 are labled in reverse on the casing.

Adjust LuCI switchport numbering accordingly.

----

The WiFi eeprom offsets for the R6120 are currently wrong (5GHz offset
is bigger than the partition itself).

Fixes poor performance on 2.4 and 5 GHz.

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-02-14 16:56:14 +01:00
INAGAKI Hiroshi
f305ce5c35 ramips: add support for I-O DATA WN-AC1167GR
I-O DATA WN-AC1167GR is a 2.4/5 GHz band 11ac router, based on
MediaTek MT7620A.

Specification:

- SoC     : MediaTek MT7620A
- RAM     : DDR2 64 MB
- Flash   : SPI-NOR 8MB
- WLAN    : 2.4/5 GHz, 2T2R
  - 2.4 GHz: MT7620A (SoC)
  - 5 GHz  : MT7612E
- Ethernet: 10/100/1000 Mbps (ext. MT7530)
- LED/key : 4x/3x (2x buttons, 1x slide-switch)
- UART    : through-hole on PCB
  - J2: TX, GND, RX, Vcc from SoC side
  - 115200n8

Flash instruction using factory image:

1. Boot WN-AC1167GR normaly
2. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
3. Select the OpenWrt factory image and click update ("更新") button
to perform firmware update
4. Wait ~150 seconds to complete flashing

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2019-02-14 16:56:14 +01:00
Paul Wassi
dee8db441e ath79: proper indentation in image/common-tp-link.mk
Add two spaces for proper indentation in image/common-tp-link.mk

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
212892ce70 ath79: fix port order on TL-WR841ND-v7
The switch ports are seen one to one on the case.
Also remove unneeded secondary port numbers in this
case statement.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
97fcd2622a ath79: change ledtrig on GL.iNet AR150
Change the ledtrig for LAN from netdev to switch.
Although eth1 comes out of the device at a single port,
this port is a switch-port and therefore the LED
must be triggered by that.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
79cc48ff60 ath79: rename TP-LINK to TP-Link
Remove inconsistencies in the vendor's name.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
78277ec162 ar71xx: fix TL-MR3220-v2 switch port order
Fix the switch port order for proper display on high
level interfaces.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
341311f319 ar71xx: fix TL-WR741ND-v4 switch port order
Fix the switch port order for proper display on high
level interfaces.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
ff541c5ca2 ath79: rename TL-WR740ND-v4 to TL-WR740N-v4
Give the device the same name it had in ar71xx.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:14 +01:00
Paul Wassi
da1107f8a5 ath79: fix TL-WR741ND-v4 switch port order
Fix the switch port order for proper display on high
level interfaces.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2019-02-14 16:56:13 +01:00
Koen Vandeputte
6b6f238b82 kernel: bump 4.19 to 4.19.21
Refreshed all patches.

Remove upstreamed:
- 0007-ARM-dts-Fix-up-the-D-Link-DIR-685-MTD-partition-info.patch

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-14 16:45:01 +01:00
Koen Vandeputte
9a1d7ff187 kernel: bump 4.14 to 4.14.99
Refreshed all patches.

Remove upstreamed:
- 950-0434-mmc-bcm2835-Recover-from-MMC_SEND_EXT_CSD.patch

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-14 16:45:01 +01:00
Koen Vandeputte
a23a13dec2 kernel: bump 4.9 to 4.9.156
Refreshed all patches.

Compile-tested on: ar7
Runtime-tested on: none

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-14 16:45:01 +01:00
Hans Dedecker
880f8e6d32 dnsmasq: add rapid commit config option
Add config option rapidcommit to enable support for DHCPv4 rapid
commit (RFC4039)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-02-13 10:37:36 +01:00
Eneas U de Queiroz
29b69e840a openssl: add package for openssl.cnf, misc changes
- Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking
  the transitional mechanism, allowing libopenssl_1.0* and
  libopenssl_1.1* to coexist.

- Remove the (selecting) dependency on @KERNEL_AIO

- Use global SOURCE_DATE_EPOCH

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz
2eeb2853ed openssl: optimizations based on ARCH/small flash
Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM.  This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl.  Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.

Disable error messages by default except for devices with small flash or
RAM, to aid debugging.

Disable ASM by default on arm platform with small flash.  Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold).  All of
the affected platforms are source-only anyway.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz
d872d00b2f openssl: update to version 1.1.1a
This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware accelleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:23:26 +01:00
Eneas U de Queiroz
be3892284c openssl: add configuration options, disable ssl3
Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was innefective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 21:14:46 +01:00
Felix Fietkau
b044b52ab9 base-files: fix ucert verification
ucert needs to check the firmware part with metadata, but without the signature.
Use the new fwtool mode to extract that without altering the firmware image inside
the check

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-02-12 16:42:03 +01:00