If /root is created with too permissive permissions, then sshd won't
trust the contents of /root/.ssh as being adequately protected.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
ath9k-htc USB-based adapters also support 5/10MHz channel bandwidth.
Move the code handling the features in debugfs to common-debug.c,
and create proper registration functions to use in debug.c and
htc_drv_debug.c, leaving only debugfs registration there.
While at that, refresh one patch that would conflict otherwise.
Tested on TP-Link Archer C7v2 (ath79) and TP-Link WN722Nv1 (AR9287)
and WN822Nv2 (AR7010+AR9287).
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
ath9k-htc USB-based adapterssupport 5/10MHz channel bandwidth, the
same as standard ath9k ones.
Move the code handling the features in debugfs to common-debug.c,
and create proper registration functions to use in debug.c and
htc_drv_debug.c, leaving only debugfs registration there.
While at that, refresh one patch that would conflict otherwise.
Tested on TP-Link Archer C7v2 (ath79) and TP-Link WN722Nv1 (AR9287)
and WN822Nv2 (AR7010+AR9287).
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
In-kernel driver for MCS7715 USB-serial bridge has a bool option,
enabling support for parallel port on that chip - which is tied to the
same kernel module. Enable it and select kmod-ppdev, as the image size
increase is minimal and the package isn't bundled in the images by
default.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Adjust our local ath10k-ct patches to the change
from the -ct 6.2 version to 6.4.
This restores e.g. the LED functionality.
Fixes: 7d3651f1b9 ("ath10k-ct: switch to 6.4")
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Commit 947b44d9ae ("ipq807x: fix wrong define for LAN and WAN ess mask")
started fixing wrong switch_lan_bmp that defined lan there weren't
actually present. This displayed a fragility in the malibu phy init code
in qca-ssdk.
Add patch to fix this.
Quoting the patch detailed description:
I'm very confused by this and to me it's not clear the real usage of
this logic.
From what I can see the usage of this is EXTREMELY FRAGILE and results
in dangerous results if the OEM (or anyone that by chance try to
implement things in a logical manner) deviates from the default values
from the "magical template".
To be in more details. With QSDK 12.4, some tweaks were done to improve
autoneg and now on every call of port status, the phydev is tried to
add. This resulted in the call and log spam of an error with ports that
are actually not present on the system with qsdk reporting phydev is
NULL. This itself is not an error and printing the error is correct.
What is actually an error from ages is setting generic bitmap reporting
presence of port that are actually not present. This is very common on
OEM where the switch_lan_bmp is always a variant of 0x1e (that on bitmap
results in PORT1 PORT2 PORT3 PORT4 present) or 0x3e (PORT1 PORT2 PORT3
PORT4 PORT5). Reality is that many device are used as AP with one LAN
port or one WAN port. (or even exotic configuration with PORT1 not
present and PORT2 PORT3 PORT4 present (Xiaomi 3600)
With this finding one can say... ok nice, then lets update the DT and
set the correct bitmap...
Again world is a bad place and reality is that this cause wonderful
regression in some case of by extreme luck the first ever connected
port working and the rest of the switch dead.
The problem has been bisected to all the device that doesn't have the
PORT1 declared in any of the bitmap.
With this perfection in mind, on to the REAL problem.
malibu_phy_hw_init FOR SOME REASON, set a global variable first_phy_addr
to the first detected PHY addr that coincidentally is always PORT1.
PORT1 addr is 0x0. The entire code in malibu_phy use this variable to
derive the phy addrs in some function.
Declaring a bitmap where the PORT1 is missing (or worse PORT4 the only
one connected) result in first_phy_addr set to 1 or whatever phy addr is
detected first setting wrong value all over the init stage.
To fix this, just drop this variable and hardcode everything to assume
the first phy adrr is ALWAYS 0 and remove calculation and use define for
special case.
With the following change normal switch traffic is restored and ports
function is recovered.
Fixes: #13945
Fixes: 947b44d9ae ("ipq807x: fix wrong define for LAN and WAN ess mask")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Information about package license is important, so lets add it.
Fixes: 79ee0d2cee ("debugcc: add new package to debug IPQ based SoC clocks")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
I find myself manually compiling dtc as a staticly linked binary rather
often while porting a new device to OpenWrt as dtc is rarely included in
various vendor modifications of OpenWrt.
So, since dtc offers a convenient meson option to build it as staticaly
linked binary, lets make it a compile time option.
Signed-off-by: Robert Marko <robimarko@gmail.com>
eee02ccca8c8 device: add support to configure eee
bb28f6a291d9 wireless: fix sign comparison warning
35facc8306f5 wireless: fix premature removal of hotplug devices due to down state
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Add additional uci-defaults function for configuring GRO settings and
conduit for network devices.
Tweaking the GRO values might increase performance on some low spec
device that lack some offload feature on gmac.
Tweaking conduit interface is specific to DSA based devices and is
useful for multi-CPU scenario where one CPU is dedicated to one single
port.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Generalize ucidef_set_network_device functions to use a more generic
_ucidef_set_network_device_common that takes as args the option and the
value to apply instead of hardcoding.
This is to reduce duplicated code in preparation for addition of
additional option for board.d usage.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
841b05fbb91e system-linux: fix compilation error if IFLA_DSA_MASTER is not supported
5c9ecc1ff74f system-linux: make system_if_get_master_ifindex static
2dc7f450f3a2 system-linux: add option to configure DSA conduit device
838f815db5ef system-linux: add support for configurable GRO option
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Update the devel/gdb package to version 13.2
* Remove the upstreamed patch 001-Add-support-for-readline-8.2.patch
* Adjust 130-gdb-ctrl-c.patch to upstream changes
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Currently for 802.1s only, for wifi 2.4GHz in g/n mode, 40MHz is never
permitted.
This is probably due to the complexity of setting periodic check for the
intolerant bit. When noscan option is set, we ignore the presence of the
intoleran bit in near AP, so we can enable 40MHz and ignore any complex
logic for checking.
Fixes: #13112
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Also channel 7 for 2.4GHz can be set to HT40PLUS. Permit this and add it
to the list of the channels.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
noscan option for mesh was broken and actually never applied.
This is caused by a typo where ssid->noscan value is check instead of
conf->noscan resulting in the logic swapped and broken.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
noscan option was changed to hostapd_noscan but the entry in
wpa_supplicant was never updated resulting in the noscan option actually
never set.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Update SSDK version to 12.4, this fixes weird SFP port link up/downs
while there is no SFP module plugged in.
Signed-off-by: Robert Marko <robimarko@gmail.com>
0352a33 uloop: support new interval and signal APIs
1468cc4 syntax: don't treat `as` and `from` as reserved keywords
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
3a07943 block: support skipping uuid check
56a9b4e block: consider currently mounted root device first
9cd09d4 block: try to find the root device on both / and /rom
c1a8d95 block: support extroot on already mounted overlay
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Store the private key with read and write permission for the user only
and not with read permissions for everyone. This converts the
write_file() function from fopen() to open() because open allows to
specify the permission mask of the newly created file. It also adds and
fixes some existing error handling.
OpenSSL does this in the same way already.
With this change it looks like this:
root@OpenWrt:/# ls -al /etc/uhttpd.*
-rw-r--r-- 1 root root 749 Nov 6 23:14 /etc/uhttpd.crt
-rw------- 1 root root 121 Nov 6 23:14 /etc/uhttpd.key
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Store the private key with read and write permission for the user only
and not with read permissions for everyone. This converts the
write_file() function from fopen() to open() because open allows to
specify the permission mask of the newly created file. It also adds and
fixes some existing error handling.
OpenSSL does this in the same way already.
With this change it looks like this:
root@OpenWrt:/# ls -al /etc/uhttpd.crt /etc/uhttpd.key
-rw-r--r-- 1 root root 519 Nov 6 22:58 /etc/uhttpd.crt
-rw------- 1 root root 121 Nov 6 22:58 /etc/uhttpd.key
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
383753dd65ae device/bridge: support passing extra vlans in the device_set_state call
b6e75eafc1af device: send notifications for device events via ubus
cab415c7aefd bridge: add auth-required bridge members with auth_status=0 if vlan is enabled
827a02f0343c bridge: add support for configuring vlans for auth=1,auth_status=false
40ed7363caf2 device: fix build error on 32 bit systems
516ab774cc16 system-linux: fix race condition on bringing up wireless devices
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This fixes the download of the kernel 5.15 for the bpf-headers when
kernel 6.1 is build for the target.
Even if kernel 6.1 was selected for the target we still use kernel 5.15
for the bpf-headers. The download script tried to download the 5.15
kernel from the 6.x directory on kernel,org and this failed. Define
PKG_SOURCE_URL based on PKG_PATCHVER and not KERNEL_BASE like done in
kernel.mk.
Without this change it tries to download the kernel from this URL:
ttps://cdn.kernel.org/pub/linux/kernel/v6.x/linux-5.15.129.tar.xz
Fixes: #13190Fixes: #13671Fixes: #13814
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Activate the secp521r1 ecliptic curve by default. This curve is allowed
by the CA/Browser forum, see
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1-redlined.pdf#page=110
This increases the size of libmbedtls12_2.28.5-1_aarch64_generic.ipk by
about 400 bytes:
Without:
252,696 libmbedtls12_2.28.5-1_aarch64_generic.ipk
With:
253,088 libmbedtls12_2.28.5-2_aarch64_generic.ipk
Fixes: #13774
Acked-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
4101dd4 fw4: perform strict validation of zone and set names
a923c88 fw4: pass zone to templates whenever possible
597dc90 fw4: add support for zone log_limit
1874050 fw4: add log_limit to rules and redirects
19a8caf ruleset: dispatch ct states using verdict map
a5553da ruleset: reduce ksoftirqd load by refering to looopback by numeric id
de3483c tests: adjust zone log limit testcases
7392792 ruleset: do not emit redundant drop invalid rules
698a533 ruleset: apply egress MSS fixup later to apply final MTU before wire
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
ath10k-ct based on kernel 6.4 doesn't have a fix present in previous
kernel. Add patch that port the compilation error fix from previous
kernel in the new 6.4 kernel.
Fixes: 7d3651f1b9 ("ath10k-ct: switch to 6.4")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Switch to the latest version so we match as close as possible to
our own mac80211 version.
Run-time tested on hundreds of devices in the field for months now:
- qca988x (wave 1)
- qca4019 (wave 2)
Tested-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
It's already pulled in from /etc/rc.common.
Fixes: #13758
Fixes: 6b23836071 ("package: avoid the use of eval to parse ipcalc.sh output")
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This reverts commit 3cc57ba462 as it
should be fixed in commit 78cbd5a57e11 ("tools: macOS: types.h: fix
missing unsigned types").
References: #13833
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This reverts commit 997ff740dc.
78cbd5apick as it should be fixed in commit 78cbd5a57e11 ("tools: macOS:
types.h: fix missing unsigned types").
References: #13833
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Upgrading wpa_supplicant from 2.9 to 2.10 breaks broadcom-wl/ath11k
based adapters. The reason for it is hostapd tries to install additional
IEs for scanning while the driver does not support this.
The kernel indicates the maximum number of bytes for additional scan IEs
using the NL80211_ATTR_MAX_SCAN_IE_LEN attribute. Save this value and
only add additional scan IEs in case the driver can accommodate these
additional IEs.
Bug: http://lists.infradead.org/pipermail/hostap/2022-January/040178.html
Bug-Debian: https://bugs.debian.org/1004524
Bug-ArchLinux: https://bugs.archlinux.org/task/73495
Upstream-Status: Changes Requested [https://patchwork.ozlabs.org/project/hostap/patch/20220130192200.10883-1-mail@david-bauer.net]
Reported-by: Étienne Morice <neon.emorice@mail.com>
Tested-by: Étienne Morice <neon.emorice@mail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
CycloneDX is an open source standard developed by the OWASP foundation.
It supports a wide range of development ecosystems, a comprehensive set
of use cases, and focuses on automation, ease of adoption, and
progressive enhancement of SBOMs (Software Bill Of Materials) throughout
build pipelines.
So lets add support for CycloneDX SBOM for packages and images
manifests.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
It must read the entire image for previous code of 'imsz' or 'imszb'.
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
Suggested-by: Chuanhong Guo <gch981213@gmail.com>
The code for hostapd-mbedtls did not work when used for OWE association.
When handling association requests, the buffer offsets and length
assumptions were incorrect, leading to never calculating the y point,
thus denying association.
Also when crafting the association response, the buffer contained the
trailing key-type.
Fix up both issues to adhere to the specification and make
hostapd-mbedtls work with the OWE security type.
Signed-off-by: David Bauer <mail@david-bauer.net>