Commit Graph

16316 Commits

Author SHA1 Message Date
Álvaro Fernández Rojas
ddc2af4505 ath10k-firmware: move CT firmwares to new package
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
(cherry picked from commit 658e68f85c)
2020-09-06 18:19:39 +02:00
Álvaro Fernández Rojas
a43a39f531 ath10k-firmware: update ath10k-ct firmware images
Release notes for 017:

Wave-1:

 *  March 19, 2020:  Fix problem where power-save was not enabled when going off-channel to scan.
                     The problem was a boolean logic inversion in the chmgr code, a regression I introduced
                     a long time ago.

 *  March 19, 2020:  When scanning only on current working channel, do not bother with disable/enable
                     powersave.  This should make an on-channel scan less obtrusive than it was previously.

 *  March 23, 2020:  Fix channel-mgr use-after-free problem that caused crashes in some cases.  The crash
                     was exacerbated by recent power-save changes.

 *  March 23, 2020:  Fix station-mode power-save related crash:  backported the fix from 10.2 QCA firmware.

 *  March 23, 2020:  Attempt to better clean up power-save objects and state, especially in station mode.

Release notes for 016:

Wave-1 changes, some debugging code for a crash someone reported, plus:

*  February 28, 2020:  Fix custom-tx path when sending in 0x0 for rate-code.  Have tries == 0 mean
                        one try but NO-ACK (similar to how wave-2 does it).

wave-2:

 * Fixed some long-ago regressions related to powersave and/or multicast.  Maybe fix some
   additional multicast and/or tx-scheduling bugs.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Acked-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 84f4a783c6)
2020-09-06 18:19:39 +02:00
Michael Yartys
4b8a5bdc83 ath10k-firmware: update ath10k-ct firmware
This supports better per-chain noise floor reporting, which in turn allows for
better RSSI reporting in the driver.

Wave-2 fixes a long-standing rate-ctrl problem when connected to xbox (and probably other devices).

Wave-2 has fix for crash likely related to rekeying.

Wave-1 has some debugging code added where a user reported a crash.

Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>  [ipq806x+qca9984,ipq4019+qca9986]
Signed-off-by: Michael Yartys <michael.yartys@protonmail.com>
(cherry picked from commit 1862263883)
2020-09-06 18:19:39 +02:00
Stefan Lippers-Hollmann
e4b47e12cb ath10k-firmware: update Candela Tech firmware images
The release notes since last time for wave-1:

 * No changes to wave-1, but I make a version .014 copy anyway to keep
   the makefile in sync.

The release notes since last time for wave-2:

 * December 16, 2019: Wave-2 has a fix to make setting txpower work
                      better. Before setting the power was ignored at
                      least some of the time (it also appeared to work
                      mostly, so I guess it was being correctly set in
                      other ways).

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
(cherry picked from commit 6598264266)
2020-09-06 18:19:39 +02:00
Hauke Mehrtens
f5afa593e7 hostapd: Fix compile errors after wolfssl update
This fixes the following compile errors after the wolfssl 4.5.0 update:
  LD  wpa_cli
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
    type = GEN_EMAIL;
           ^~~~~~~~~
           ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first use in this function)
    type = GEN_DNS;
           ^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first use in this function)
    type = GEN_URI;
           ^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first use in this function); did you mean 'ENAVAIL'?
   if (gen->type != GEN_EMAIL &&
                    ^~~~~~~~~
                    ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first use in this function)
       gen->type != GEN_DNS &&
                    ^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first use in this function)
       gen->type != GEN_URI)
                    ^~~~~~~
Makefile:2029: recipe for target '../src/crypto/tls_wolfssl.o' failed

Fixes: 00722a720c ("wolfssl: Update to version 4.5.0")
Reported-by: Andre Heider <a.heider@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit bc19481826)
2020-09-04 00:41:56 +02:00
Hauke Mehrtens
403039c562 wolfssl: Update to version 4.5.0
This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
  middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
  ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
  are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
  channel attacks are present.
* Leak of private key in the case that PEM format private keys are
  bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
  processed and returned to the application.

Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/

Fix a build error on big endian systems by backporting a pull request:
https://github.com/wolfSSL/wolfssl/pull/3255

The size of the ipk increases on mips BE by 1.4%
old:
libwolfssl24_4.4.0-stable-2_mips_24kc.ipk:	386246
new:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk:	391528

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 00722a720c)
2020-09-02 15:46:42 +02:00
Eneas U de Queiroz
dc61110adc wolfssl: use -fomit-frame-pointer to fix asm error
32-bit x86 fail to compile fast-math feature when compiled with frame
pointer, which uses a register used in a couple of inline asm functions.

Previous versions of wolfssl had this by default.  Keeping an extra
register available may increase performance, so it's being restored for
all architectures.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 750d52f6c9)
2020-09-02 15:46:36 +02:00
Eneas U de Queiroz
ad38a2ae61 wolfssl: update to 4.4.0-stable
This version adds many bugfixes, including a couple of security
vulnerabilities:
 - For fast math (enabled by wpa_supplicant option), use a constant time
   modular inverse when mapping to affine when operation involves a
   private key - keygen, calc shared secret, sign.
 - Change constant time and cache resistant ECC mulmod. Ensure points
   being operated on change to make constant time.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 3481f6ffc7)
2020-09-02 15:46:30 +02:00
Magnus Kroken
0d35fcbff0 mbedtls: update to 2.16.8
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.

* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 66893063ab)
2020-09-02 15:46:22 +02:00
Hauke Mehrtens
2d7ea69dd3 mac80211: Fix potential endless loop
Backport a fix from kernel 5.8.3.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ca5ee6eba3)
2020-08-30 23:36:52 +02:00
Magnus Kroken
19b8696dd7 mbedtls: update to 2.16.7
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07

* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).

Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[Use https://codeload.github.com and new tar.gz file]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 201d6776a0)
2020-08-27 00:28:00 +02:00
Magnus Kroken
e754e0a143 busybox: delete redundant patch
This problem has been fixed in upstream commit
6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly)
adds the same definition a second time.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 4165232c45)
2020-08-12 11:10:16 +02:00
Hauke Mehrtens
72878e3244 mac80211: Fix build on mpc85xx target
This fixes the following compile error seen on the mpc85xx target:
  CC [M]  /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.o
In file included from /builder/shared-workdir/build/staging_dir/toolchain-powerpc_8540_gcc-8.4.0_musl/include/stddef.h:17,
                 from /linux-mpc85xx_p2020/backports-5.7-rc3-1/include/uapi/linux/wireless.h:77,
                 from /linux-mpc85xx_p2020/backports-5.7-rc3-1/include/linux/wireless.h:13,
                 from /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.c:89:
/builder/shared-workdir/build/staging_dir/toolchain-powerpc_8540_gcc-8.4.0_musl/include/bits/alltypes.h:106:15: error: conflicting types for 'ptrdiff_t'
 typedef _Addr ptrdiff_t;
               ^~~~~~~~~
In file included from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/types.h:4,
                 from ./include/linux/list.h:5,
                 from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/list.h:3,
                 from ./include/linux/module.h:9,
                 from /linux-mpc85xx_p2020/backports-5.7-rc3-1/backport-include/linux/module.h:3,
                 from /linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.c:79:
./include/linux/types.h:65:28: note: previous declaration of 'ptrdiff_t' was here
 typedef __kernel_ptrdiff_t ptrdiff_t;
                            ^~~~~~~~~
scripts/Makefile.build:265: recipe for target '/linux-mpc85xx_p2020/backports-5.7-rc3-1/drivers/net/wireless/intersil/orinoco/main.o' failed

Fixes: d6b158b869 ("mac80211: Update to 4.19.137-1")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 04b1a11f5c)
2020-08-11 20:59:39 +02:00
Hauke Mehrtens
d6b158b869 mac80211: Update to 4.19.137-1
b43 and b43legacy now support ieee80211w, hardware crypto will be
deactivated in such cases.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-11 00:13:47 +02:00
Christoph Krapp
e52f7cfc1d uboot-envtools: ar71xx: add ZyXEL NBG6616 uboot env support
This adds support for ZyXEL NBG6616 uboot-env access

Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[add "ar71xx" to commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit eb95ca3b5c)
2020-08-10 00:08:04 +02:00
Petr Štetiar
dedf089bb7 hostapd: add wpad-basic-wolfssl variant
Add package which provides size optimized wpad with support for just
WPA-PSK, SAE (WPA3-Personal), 802.11r and 802.11w.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
[adapt to recent changes, add dependency for WPA_WOLFSSL config]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c487cf8e94)
2020-08-10 00:05:27 +02:00
Adrian Schmutzler
2788db3d38 hostapd: reorganize config selection hierarchy for WPA3
The current selection of DRIVER_MAKEOPTS and TARGET_LDFLAGS is
exceptionally hard to read. This tries to make things a little
easier by inverting the hierarchy of the conditions, so SSL_VARIANT
is checked first and LOCAL_VARIANT is checked second.

This exploits the fact that some of the previous conditions were
unnecessary, e.g. there is no hostapd-mesh*, so we don't need
to exclude this combination.

It also should make it a little easier to see which options are
actually switched by SSL_VARIANT and which by LOCAL_VARIANT.

The patch is supposed to be cosmetic. However, the improvement
for readers and the maintained consistency with master qualify
this for backporting.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit c4dd7fc23b)
2020-08-10 00:05:20 +02:00
Adrian Schmutzler
86727bd158 hostapd: improve TITLE for packages
For a few packages, the current TITLE is too long, so it is not
displayed at all when running make menuconfig. Despite, there is
no indication of OpenSSL vs. wolfSSL in the titles.

Thus, this patch adjusts titles to be generally shorter, and adds
the SSL variant to it.

While at it, make things easier by creating a shared definition for
eapol-test like it's done already for all the other flavors.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 917980fd8a)
2020-07-30 21:43:27 +02:00
Jan Pavlinec
8fbe450e40 curl: patch CVE-2020-8169
Affected versions: curl 7.62.0 to and including 7.70.0
https://curl.haxx.se/docs/CVE-2020-8169.html

Run tested on Omnia with OpenWrt 19.07

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-29 14:32:03 +02:00
Yousong Zhou
afaa978b74 firewall: backport patch for mss clamping in both directions
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2020-07-26 18:23:26 +08:00
Adrian Schmutzler
2ca5a386ee vxlan: bump and change to PKG_RELEASE
Bumping package version has been overlooked in a previous commit.

While at it, use PKG_RELEASE instead of PKG_VERSION, as the latter
is meant for upstream version number only.
(The effective version string for the package would be "3" in both
cases, so there is no harm done for version comparison.)

Fixes: 0453c3866f ("vxlan: fix udp checksum control")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit b29d620ed2)
2020-07-17 12:23:04 +02:00
Johannes Kimmel
e894e1b2f0 vxlan: fix udp checksum control
So far, passing "rxcsum" and "txcsum" had no effect.

Fixes: 95ab18e012 ("vxlan: add options to enable and disable UDP
checksums")

Signed-off-by: Johannes Kimmel <fff@bareminimum.eu>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 0453c3866f)
2020-07-17 12:22:57 +02:00
Hans Dedecker
d46650de7c nghttp2: bump to 1.41.0
8f7b008b Update bash_completion
83086ba9 Update manual pages
c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr
3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20
881c060d Update AUTHORS
f8da73bd Earlier check for settings flood
336a98fe Implement max settings option
ef415836 Revert "Add missing connection error handling"
979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2
b7d16101 Add missing connection error handling
cd53bd81 Merge pull request #1460 from gportay/patch-1
e5625b8c Fix doc
c663349f integration: Add PROXY protocol v2 tests
854e9fe3 nghttpx: Always call init_forwarded_for
c60ea227 Update doc
49cd8e6e nghttpx: Add PROXY-protocol v2 support
3b17a659 Merge pull request #1453 from Leo-Neat/master
600fcdf5 Merge pull request #1455 from xjtian/long_serials
4922bb41 static_cast size parameter in StringRef constructor to size_t
aad86975 Fix get_x509_serial for long serial numbers
dc7a7df6 Adding CIFuzz
b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue
ffb49c6c Merge pull request #1435 from geoffhill/master
2ec58551 Fix receiving stream data stall
459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp
a4c1fed5 Bump llhttp to 2.0.4
866eadb5 Enable session_create_idle_stream test, fix errors
5e13274b Fix typo
e0d7f7de h2load: Allow port in --connect-to
df575f96 h2load: add --connect-to option
1fff7379 clang-format-9
b40c6c86 Merge pull request #1418 from vszakats/patch-1
9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional
2d5f7659 Bump up version number to 1.41.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>

Note this is cherry-pick from master. It fixes CVE-2020-11080
and  https://github.com/nxhack/openwrt-node-packages/issues/679

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
2020-07-04 21:10:18 +02:00
Stijn Segers
820f4654c6 wireguard: bump to 1.0.20200611
This bump fixes breakage introduced by kernel commit 8ab8786f78c3fc930f9abf6d6d85e95567de4e1f,
which is part of the 4.14.181 kernel bump, and backported ip6_dst_lookup_flow to 4.14.
This breaks the older WireGuard version currently in 19.07.

For reference, the compilation error is the one below:

build_dir/target-x86_64_musl/linux-x86_64/wireguard-linux-compat-1.0.20200506/src/compat/compat.h:104:42: error: 'const struct ipv6_stub' has no member named 'ipv6_dst_lookup'; did you mean 'ipv6_dst_lookup_flow'?
 #define ipv6_dst_lookup_flow(a, b, c, d) ipv6_dst_lookup(a, b, &dst, c) + (void *)0 ?: dst

Changelogs below taken from the official release announcements.

== Changes since v1.0.20200506 ==

  This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
  pushed to net.git about 45 minutes ago.

  * qemu: use newer iproute2 for gcc-10
  * qemu: add -fcommon for compiling ping with gcc-10

  These enable the test suite to compile with gcc-10.

  * noise: read preshared key while taking lock

  Matt noticed a benign data race when porting the Linux code to OpenBSD.

  * queueing: preserve flow hash across packet scrubbing
  * noise: separate receive counter from send counter

  WireGuard now works with fq_codel, cake, and other qdiscs that make use of
  skb->hash. This should significantly improve latency spikes related to
  buffer bloat. Here's a before and after graph from some data Toke measured:
  https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png

  * compat: support RHEL 8 as 8.2, drop 8.1 support
  * compat: support CentOS 8 explicitly
  * compat: RHEL7 backported the skb hash renamings

  The usual RHEL churn.

  * compat: backport renamed/missing skb hash members

  The new support for fq_codel and friends meant more backporting work.

  * compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4

== Changes since v1.0.20200611 ==

  * qemu: always use cbuild gcc rather than system gcc
  * qemu: remove -Werror in order to build ancient kernels better
  * qemu: patch kernels that rely on ancient make
  * qemu: force 2MB pages for binutils 2.31
  * qemu: use cbuild gcc for avx512 exclusion
  * qemu: add extra fill in idt handler for newer binutils
  * qemu: support fetching kernels for arbitrary URLs
  * qemu: patch in UTS_UBUNTU_RELEASE_ABI for Ubuntu detection
  * qemu: work around broken centos8 kernel
  * qemu: mark per_cpu_load_addr as static for gcc-10

  Our qemu test suite can now handle more kernels and more compilers. Scroll
  down to the bottom of https://www.wireguard.com/build-status/ to see the
  expanded array of kernels we now test against, including some distro kernels.

  * compat: widen breadth of integer constants
  * compat: widen breadth of memzero_explicit backport
  * compat: backport skb_scrub_packet to 3.11
  * compat: widen breadth of prandom_u32_max backport
  * compat: narrow the breadth of iptunnel_xmit backport
  * compat: backport iptunnel_xmit to 3.11

  With the expanded qemu test suite, it was possible to expand our list of
  mainline kernels, so the backport compat layer is now more precise.

  * compat: ubuntu appears to have backported ipv6_dst_lookup_flow
  * compat: bionic-hwe-5.0/disco kernel backported skb_reset_redirect and ipv6 flow

  Ubuntu kernels changed recently, so this ensures we can compile with the
  latest Ubuntu releases.

  * compat: remove stale suse support

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
(cherry picked from commit 1fd1f5e8cff18f97675ce303b05d411136b99fb0)
2020-07-04 19:22:36 +02:00
Leon M. George
73fecd36bf mac80211: fix use of local variable
mac80211_get_addr is called from mac80211_generate_mac, where the local variable
initialisation id="${macidx:-0}" suggests that macidx is not always defined.
Probably, idx was supposed to be used instead of $(($macidx + 1)).

Fixes: 4d99db168c ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set")

Signed-off-by: Leon M. George <leon@georgemail.eu>
(cherry picked from commit 8f95220bcb)
2020-06-30 22:13:23 +02:00
Catalin Patulea
a2c556aa8f libnetfilter-queue: fix package title and description
The original text was copy/pasted from some other package.
Adjust the package title and description to match the description
on the publishers page.

Signed-off-by: Catalin Patulea <catalinp@google.com>
[slightly adjust content and commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 492a6594b9)
2020-06-28 14:29:03 +02:00
Sungbo Eo
8adbe26f6e base-files: remove urandom-seed definition
urandom-seed has a separate Makefile, we can safely remove the definition here.

Fixes: 27bfde9c9f ("base-files: move urandom seed bits into separate package")

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 46a6586c83)
2020-06-28 14:28:10 +02:00
Jo-Philipp Wich
6520659870 uclient: update to 19.07 Git HEAD
51e16eb uclient-fetch: add option to read POST data from file
99aebe3 uclient: Add string error function

Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-06-17 22:22:25 +02:00
Jo-Philipp Wich
b547542297 Revert "uclient: Update to version 2020-06-17"
This reverts commit 0c910d8459.

We cannot use uclient Git HEAD as-is on 19.07 due to an older
version of the ustream-ssl API.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-06-17 22:14:07 +02:00
Daniel Golle
0c910d8459 uclient: Update to version 2020-06-17
fef6d3d uclient: Add string error function
 af585db uclient-fetch: support specifying advertised TLS ciphers
 c660986 uclient-fetch: add option to read POST data from file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry-squashed from commits 05145ffbef
                              98017228dd
                              dd166960f4
                              8e98613f4d)
2020-06-17 18:39:59 +01:00
Christian Lamparter
1f5cbd6be7 ca-certificates: update to version 20200601
This patch updates the ca-certificates and ca-bundle package.
This version changed the files directory again, to work/, so
PKG_BUILD_DIR was brought back.

A list of changes from Debian's change-log entry for 20200601 [0]:

  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.40.
    Closes: #956411, #955038
  * mozilla/blacklist.txt
    Add distrusted Symantec CA list to blacklist for explicit removal.
    Closes: #911289
    Blacklist expired root certificate, "AddTrust External Root"
    Closes: #961907
    The following certificate authorities were added (+):
    + "Certigna Root CA"
    + "emSign ECC Root CA - C3"
    + "emSign ECC Root CA - G3"
    + "emSign Root CA - C1"
    + "emSign Root CA - G1"
    + "Entrust Root Certification Authority - G4"
    + "GTS Root R1"
    + "GTS Root R2"
    + "GTS Root R3"
    + "GTS Root R4"
    + "Hongkong Post Root CA 3"
    + "UCA Extended Validation Root"
    + "UCA Global G2 Root"
    The following certificate authorities were removed (-):
    - "AddTrust External Root"
    - "Certinomis - Root CA"
    - "Certplus Class 2 Primary CA"
    - "Deutsche Telekom Root CA 2"
    - "GeoTrust Global CA"
    - "GeoTrust Primary Certification Authority"
    - "GeoTrust Primary Certification Authority - G2"
    - "GeoTrust Primary Certification Authority - G3"
    - "GeoTrust Universal CA"
    - "thawte Primary Root CA"
    - "thawte Primary Root CA - G2"
    - "thawte Primary Root CA - G3"
    - "VeriSign Class 3 Public Primary Certification Authority - G4"
    - "VeriSign Class 3 Public Primary Certification Authority - G5"
    - "VeriSign Universal Root Certification Authority"

[0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit f611b014a7)
2020-06-09 22:46:13 +02:00
Jo-Philipp Wich
c963e4267b qos-scripts: fix interface resolving
Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.

Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 559b338466)
2020-05-29 10:37:13 +02:00
Jo-Philipp Wich
31de4a40e7 broadcom-wl: don't inherit lock descriptor in nas process
Add a local hack to prevent the Broadcom WPA authenticator process from
inheriting the lock descriptor 1000 used to prevent concurrent executions
of the init script.

Without this fix, repeated invocations of /etc/init.d/network, e.g. for
obtaining the enabled state, would hang forever.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit a03d6d2fab)
2020-05-28 13:08:51 +02:00
Jo-Philipp Wich
f99b1d1d92 rpcd: update to latest openwrt-19.07 Git HEAD
67c8a3f uci: reset uci_ptr flags when merging options during section add
970ce1a session: deny access if password login is disabled

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-26 17:29:09 +02:00
Jo-Philipp Wich
92bd395b04 Revert "rpcd: update to latest Git HEAD"
This reverts commit adf5d753ef.

Reverting this commit because it relies on a changed libiwinfo API.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-26 17:23:38 +02:00
Jo-Philipp Wich
adf5d753ef rpcd: update to latest Git HEAD
078bb57 uci: reset uci_ptr flags when merging options during section add
3df62bc session: deny access if password login is disabled
efe51f4 iwinfo: add current hw and ht mode to info call

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-26 16:13:47 +02:00
Felix Fietkau
9b48375c7e libubox: update to the latest version
86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b371182d24)
2020-05-26 11:47:46 +02:00
Rafał Miłecki
a4e8eca03e libubox: update to the latest master
5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit a765b063ee)
2020-05-26 11:47:46 +02:00
Daniel Golle
d8d1956a80 hostapd: backport wolfssl bignum fixes
crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 631c437a91)
2020-05-25 16:01:29 +01:00
Matthias Schiffer
ab7e9754df
ucert: update to latest git HEAD
00b921d80ac0 Do not print line number in debug messages
96c42c5ed320 Fix length checks in cert_load()
fe06b4b836b3 usign-exec: improve usign -F output handling
19f9e1917e1b usign-exec: return code fixes
077feb5b5824 usign-exec: close writing end of pipe early in parent process
7ec4bb764e1e usign-exec: remove redundant return statements
5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17]
112488bbbccc usign-exec: do not close stdin and stderr before exec
38dcb1a6f121 usign-exec: fix exec error handling
a9be4fb17df2 usign-exec: simplify usign execv calls
854d93e2326a Introduce read_file() helper, improve error reporting
afc86f352bf7 Fix return code of write_file()
fdff10852326 stdout/stderr improvements
dddb2aa8124d ci: fix unit test failures by enabling full ucert build
5f206bcfe5c2 ci: enable unit testing

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-05-24 17:04:48 +02:00
Matthias Schiffer
97b522a1f9
usign: update to latest git HEAD
f1f65026a941 Always pad fingerprints to 16 characters

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit e35e40ad82)
2020-05-23 13:40:25 +02:00
Hauke Mehrtens
942262f9c8
usign: update to latest Git HEAD
f34a383 main: fix some resource leaks

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 81e93fff7d)
2020-05-23 13:40:15 +02:00
Hauke Mehrtens
c3e3802a8e OpenWrt v19.07.3: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-16 20:40:11 +02:00
Hauke Mehrtens
f3f38f40da OpenWrt v19.07.3: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-16 20:39:58 +02:00
Robert Marko
4cd9ae41c5 libjson-c: backport security fixes
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b768)
2020-05-13 11:45:15 +02:00
Daniel Golle
d2ee15ef76 fstools: blockd: fix segfault triggered by non-autofs mounts
Program received signal SIGSEGV, Segmentation fault.
main_autofs (argv=<optimized out>, argc=<optimized out>)
    at fstools-2020-05-06-eec16e2f/block.c:1193
1193:    if (!m->autofs && (mp = find_mount_point(pr->dev))) {

Fixes: 3b9e4d6d4c ("fstools: update to the latest version")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit b181294b02)
2020-05-12 13:24:23 +02:00
Hauke Mehrtens
a8c92e9eda opkg: Fix PKG_MIRROR_HASH
Fixes: c61fbdd087 ("odhcpd: fix PKG_SOURCE_DATE")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-08 20:35:50 +02:00
DENG Qingfang
844b892a74 ath10k-firmware: fix mirror hash
Fix PKG_MIRROR_HASH hash mismatch.

Fixes: 641a93f0f2 ("ath10k-firmware: update wave 1 firmware to 10.2.4-1.0-00047")
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 2d758129ca)
2020-05-08 19:57:28 +02:00
Jo-Philipp Wich
7e9d84ee4a opkg: update to latest Git HEAD
f2166a8 libopkg: implement lightweight package listing logic
cf4554d libopkg: support passing callbacks to feed parsing functions
2a0210f opkg-cl: don't read feeds on opkg update
b6f1967 libopkg: use xsystem() to spawn opkg-key
60b9af2 file_util.c: refactor and fix checksum_hex2bin()
206ebae file_util.c: fix possible bad memory access in file_read_line_alloc()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 79da9d78b9)
2020-05-07 22:55:05 +02:00
Jason A. Donenfeld
81f3f6540e wireguard: bump to 1.0.20200506
* compat: timeconst.h is a generated artifact

Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.

* compat: use bash instead of bc for HZ-->USEC calculation

This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.

* socket: remove errant restriction on looping to self

It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.

* send: cond_resched() when processing tx ringbuffers

Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.

* selftests: initalize ipv6 members to NULL to squelch clang warning

This fixes a worthless warning from clang.

* send/receive: use explicit unlikely branch instead of implicit coalescing

Some code readibility cleanups.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 4f6343ffe7)
2020-05-07 13:50:33 +02:00
Jason A. Donenfeld
b956f6bd13 wireguard: bump to 20191226
As announced on the mailing list, WireGuard will be in Linux 5.6. As a
result, the wg(8) tool, used by OpenWRT in the same manner as ip(8), is
moving to its own wireguard-tools repo. Meanwhile, the out-of-tree
kernel module for kernels 3.10 - 5.5 moved to its own wireguard-linux-
compat repo. Yesterday, releases were cut out of these repos, so this
commit bumps packages to match. Since wg(8) and the compat kernel module
are versioned and released separately, we create a wireguard-tools
Makefile to contain the source for the new tools repo. Later, when
OpenWRT moves permanently to Linux 5.6, we'll drop the original module
package, leaving only the tools. So this commit shuffles the build
definition around a bit but is basically the same idea as before.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit ea980fb9c6)
2020-05-07 13:49:49 +02:00
Hans Dedecker
c61fbdd087 odhcpd: fix PKG_SOURCE_DATE
Fixes: 5e8b50da15 (odhcpd : fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056))

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-07 08:02:06 +02:00
Hans Dedecker
5e8b50da15 odhcpd: fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056)
49e4949 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-05-06 21:22:10 +02:00
Jo-Philipp Wich
ac5d5d8d09 ustream-ssl: update to 19.07 Git HEAD
40b563b ustream-openssl: clear error stack before SSL_read/SSL_write
30cebb4 ustream-ssl: mbedtls: fix ssl client verification
77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-06 20:24:38 +02:00
Jo-Philipp Wich
a6caa8fad1 uhttpd: update to 19.07 Git HEAD
975dce2 client: allow keep-alive for POST requests
d062f85 file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-06 20:24:38 +02:00
Rafał Miłecki
3b9e4d6d4c fstools: update to the latest version
eec16e2 blockd: add optional "device" parameter to "info" ubus method
9ab936d block(d): always call hotplug.d "mount" scripts from blockd
4963db4 blockd: use uloop_process for calling /sbin/hotplug-call mount
cddd902 Truncate FAT filesystem label until 1st occurance of a blank (0x20)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c3a43753b9)
2020-05-06 17:51:38 +02:00
Jo-Philipp Wich
429e4490c4 libpcap: fix library packaging issues
Workaround a bug in patches/100-debian_shared_lib.patch - it attemptss to
extract the library major version from debian/changelog which does not exist
in the vanilla upstream tarball.

Create a fake changelog file for now to satisfy the version extraction
routine until we get around to properly augment the patch.

Fixes: FS#2970
Fixes: 96ee7c8bfd ("libpcap: Update shared-lib patch from Debian to fix linking problems")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-06 00:51:35 +02:00
Rafał Miłecki
8fa4ed9ef7 fstools: update to the latest version
8b9e601 block: always use st_dev (device ID) of / when looking for root
37c9148 block: simplify check_extroot() a bit
d70774d block: add some basic extroot documentation
32db27d Revert "block: support hierarchical mount/umount"
0b93429 Revert "block: mount_action: handle mount/umount deps"

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 9295ce7006)
2020-05-05 13:07:40 +02:00
Felix Fietkau
5c6dfb5bc0 fstools: update to the latest version
84965b92f635 blockd: print symlink error code and string message
62c578c22f9d blockd: report "target" path as "mount" for autofs available mounts
d1f1f2b38fa1 block: remove mount target file if it's a link
830441d790d6 blockd: remove symlink linkpath file if it's a dir or link
c80f7002114f libfstools/mtd: attempt to read from OOB data if empty space is found

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b7d6e80fee)
2020-05-05 13:07:40 +02:00
Hauke Mehrtens
607809dcdc mac80211: Update to version 4.19.120
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-05-05 00:05:28 +02:00
Hauke Mehrtens
55ccb04046 upgs: Remove extra _DEFAULT_SOURCE definition
This extra _DEFAULT_SOURCE definition results in a double definition
which is a compile error.

This fixes the following compile error with glibc:
----------------------------------------------------------------------
ugps-2019-06-25-cd7eabcd/nmea.c:19: error: "_DEFAULT_SOURCE" redefined [-Werror]
 #define _DEFAULT_SOURCE

<command-line>: note: this is the location of the previous definition
cc1: all warnings being treated as errors

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 70a962ca6f)
2020-05-05 00:05:28 +02:00
Hauke Mehrtens
ee480c50c1 dante: Fix compile with glibc
When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.

This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.

This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1

Fixes: aaf46a8fe2 ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ce1798e915)
2020-05-05 00:05:28 +02:00
Yangbo Lu
5f0e25d966 perf: build with NO_LIBCAP=1
Build with NO_LIBCAP=1. This is to resolve build issue.

Package perf is missing dependencies for the following libraries:
libcap.so.2

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
(cherry picked from commit 80f128d2aa)
2020-05-05 00:05:28 +02:00
Linus Lüssing
005adba939 mac80211: ath10k: increase rx buffer size to 2048
Before, only frames with a maximum size of 1528 bytes could be
transmitted between two 802.11s nodes.

For batman-adv for instance, which adds its own header to each frame,
we typically need an MTU of at least 1532 bytes to be able to transmit
without fragmentation.

This patch now increases the maxmimum frame size from 1528 to 1656
bytes.

Tested with two ath10k devices in 802.11s mode, as well as with
batman-adv on top of 802.11s with forwarding disabled.

Fix originally found and developed by Ben Greear.

Link: https://github.com/greearb/ath10k-ct/issues/89
Link: 9e5ab25027
Cc: Ben Greear <greearb@candelatech.com>
Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit 066ec97167)
2020-05-05 00:05:26 +02:00
Antonio Quartulli
2df0ea042d wpad-wolfssl: fix crypto_bignum_sub()
Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.

This missing fix was discovered while testing SAE over a mesh interface.

With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.

Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4b3b8ec81c)
2020-05-01 16:19:47 +01:00
Felix Fietkau
ec6cb33452 mac80211: backport fix for an no-ack tx status issue
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit e0ab33ea49)
2020-05-01 11:12:31 +02:00
Felix Fietkau
f141cdd200 hostapd: unconditionally enable ap/mesh for wpa-cli
Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 03e9e4ba9e)
2020-05-01 11:12:31 +02:00
Petr Štetiar
54b6683390 wireless-regdb: backport three upstream fixes
Another release is overdue for quite some time, so I'm backporting three
fixes from upstream which I plan to backport into 19.07 as well.

Ref: FS#2880
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 76a0ddf130)
2020-05-01 11:12:31 +02:00
Petr Štetiar
55591e63bc curl: backport fix for CVE-2019-15601
On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.

Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-01 11:12:31 +02:00
Pawel Dembicki
35ea808b97 uboot-kirkwood: fix ethernet and usb
Before 2019.01 version was introduced patch, which changes cache
routines: 93b283d4 ("ARM: CPU: arm926ejs: Consolidate cache
routines to common file"). Unfortunately that patch make ethernet
and usb in kirkwood broken.

This patch backport commit 599f7aa5 ("ARM: kirkwood: disable dcache
for Kirkwood boards"), which are fix for that problem.

Fixes: dc08514e6d ("uboot-kirkwood: update to 2019.01")

Run tested: pogoplugv4

Tested-by: Cezary Jackiewicz <cezary@eko.one.pl> [nsa310]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2020-05-01 11:12:31 +02:00
Kevin Darbyshire-Bryant
5b4e4a38d8 relayd: bump to version 2020-04-25
f4d759b dhcp.c: further improve validation

Further improve input validation for CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e2)
2020-04-27 10:58:16 +01:00
Kevin Darbyshire-Bryant
4e5a29827f umdns: update to version 2020-04-25
cdac046 dns.c: fix input validation fix

Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.

Improve CVE-2020-11750 fix

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed078)
2020-04-27 10:58:15 +01:00
Henrique de Moraes Holschuh
c2efc973d5 dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)
Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.

Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router.  dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.

The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time.  DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.

A missing system.ntp.enabled UCI node is required for the bug to show
up.  The reasons for why it would be missing in the first place were not
investigated.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 556b8581a1)
2020-04-25 20:51:46 +02:00
Petr Štetiar
6c020577ae libpcap: fix build breakage with very high number of simultaneous jobs
Building libpcap with high number (64) of simultaneous jobs fails:

 In file included from ./fmtutils.c:42:0:
 ./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined
   #define _BSD_SOURCE

 <command-line>:0:0: note: this is the location of the previous definition
 ./gencode.c:67:10: fatal error: grammar.h: No such file or directory
  #include "grammar.h"
           ^~~~~~~~~~~
 compilation terminated.
 Makefile:99: recipe for target 'gencode_pic.o' failed

So fix this by less intrusive way by disabling the parallel builds for
this package.

Ref: FS#3010
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-04-25 13:59:19 +02:00
Petr Štetiar
efe837de84 openssl: bump to 1.1.1g
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.

Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3773ae127a)
2020-04-21 23:05:20 +02:00
Kevin Darbyshire-Bryant
1df49d98e7 relayd: bump to version 2020-04-20
796da66 dhcp.c: improve input validation & length checks

Addresses CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit be172e663f)
2020-04-20 11:34:43 +01:00
Kevin Darbyshire-Bryant
b71c7c261b umdns: update to version 2020-04-20
e74a3f9 dns.c: improve input validation

Addresses CVE-2020-11750

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 533da61ac6)
2020-04-20 11:34:13 +01:00
Kevin Darbyshire-Bryant
b6d8119c53 umdns: update to the version 2020-04-05
ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50e)
(cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)
2020-04-20 11:34:13 +01:00
Kevin Darbyshire-Bryant
ef3df27507 umdns: suppress address-of-packed-member warning
gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:

dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]

261 |  uint16_t *swap = (uint16_t *) q;

Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f0147)
(cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)
2020-04-20 11:34:13 +01:00
Hans Dedecker
55312cc202 binutils: add ALTERNATIVES for strings (FS#3001)
Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 5f126c541a)
2020-04-18 13:12:42 +02:00
Magnus Kroken
3b6f079d8d mbedtls: update to 2.16.6
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters

Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d)
2020-04-18 00:18:13 +02:00
Josef Schlehofer
02c6deab8c mbedtls: update to version 2.16.5
Changelog:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 36af1967f5)
2020-04-13 21:14:29 +02:00
Rafał Miłecki
55c29c398c busybox: enable truncate on bcm53xx target
It's needed for optimized sysupgrade. On host machine this change
increased busybox size by 4096 B.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 547f1ec25a)
2020-04-07 15:49:56 +02:00
Eneas U de Queiroz
36373c5ddb openssl: bump to 1.1.1f
There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
  newly generated RSA modules
- the patch reversing EOF detection we had already applied.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit af5ccfbac7)
2020-04-01 21:34:58 +02:00
Hauke Mehrtens
96ee7c8bfd libpcap: Update shared-lib patch from Debian to fix linking problems
This updates the shared-lib patch to the recent version from debian
found here:
https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff

This patch makes it include missing/strlcpy.o to the shared library
which is needed for OpenWrt glibc builds, otherwise there is an
undefined symbol and tcpdump and other builds are failing.

Fixes: 44f11353de ("libpcap: update to 1.9.1")
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
2020-03-29 18:50:46 +02:00
Petr Štetiar
bf5ea2a8dc rpcd: fix respawn settings
Commit 432ec292cc ("rpcd: add respawn param") has introduced infinite
restarting of the service which could be reached over network. This is
not recommended security practice as it might give potential adversary
infinite number of tries in case there might be some issue in the rpcd
or its surrounding stack.

So lets remove the currently bogus `respawn_retry` variable (it wasn't
possible to override it anyway), reverting to the previous default max.
of 5 service restarts which could be now overriden via system's UCI
settings if desired.

Cc: Jo-Philip Wich <jow@mein.io>
Cc: Florian Eckert <fe@dev.tdt.de>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Fixes: 432ec292cc ("rpcd: add respawn param")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 52e6fb1369)
2020-03-29 18:47:26 +02:00
Jan Kardell
83381ce95d readline: needs host depend on ncurses to build
We must ensure that host ncurses is build before host readline.

Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit ecef29b294)
2020-03-29 18:47:21 +02:00
Eneas U de Queiroz
eea3a9625c openssl: revert EOF detection change in 1.1.1
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e.  It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443

Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read().  Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0.  The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct.  Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.

The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6)
2020-03-29 18:46:51 +02:00
Hauke Mehrtens
c6c3f6bb0a mac80211: Update to version 4.19.112
The removed patches are all integrated in the upstream version now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-03-29 18:27:49 +02:00
Petr Štetiar
794fd4c6cf procd: turn error into debug message for missing ujail binary
Since commit 557f11b3a20f ("instance: provide error feedback if ujail
binary is missing") worrying log spam of the form "unable to find
/sbin/jail ..." may be encountered.

This corresponds with the changes done in the upstream commit
bcb86554f1b4 ("instance: add 'requirejail' attribute").

Ref: https://forum.openwrt.org/t/openwrt-19-07-2-service-release/57066
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-03-28 13:46:37 +01:00
Rafał Miłecki
dba6f418fa mac80211: fix brcmfmac monitor interface crash
This fixes bug in brcmfmac *exposed* by ipv6/addrconf fix.

Fixes: 6e4453aecc ("kernel: backport out-of-memory fix for non-Ethernet devices")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 038318f766)
2020-03-27 15:47:17 +01:00
Jordan Sokolic
39405644d5 dnsmasq: add 'scriptarp' option
Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.

Also enable --script-arp if has_handlers returns true.

Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
2020-03-23 08:01:54 +01:00
Eneas U de Queiroz
d5b1f4430f openssl: update to 1.1.1e
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit dcef8d6093)
2020-03-22 23:03:24 +01:00
Eneas U de Queiroz
798ff37aaa openssl: add configuration example for afalg-sync
This adds commented configuration help for the alternate, afalg-sync
engine to /etc/ssl/openssl.cnf.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d9d689589b)
2020-03-22 23:03:24 +01:00
Adrian Schmutzler
b32129d30b rssileds: add dependencies based on LDFLAGS
This adds the direct dependencies introduced by TARGET_LDFLAGS
to the package's DEPENDS variable.

This was found by accidentally building rssileds on octeon, which
resulted in:

"Package rssileds is missing dependencies for the following libraries:
libnl-tiny.so"

Though the dependencies are provided when building for the
relevant targets ar71xx, ath79 and ramips, it seems more tidy to
specify them explicitly.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a5b2c6f5ed)
2020-03-11 14:56:03 +01:00
Felix Fietkau
9da31d0fb4 mt76: update to the latest version
8682e0d0b49c mt76: speed up usb bulk copy
884c25e7caca mt76: usb: use max packet length for m76u_copy
1ad98b95cf4a mt76: mt76u: rely only on data buffer for usb control messagges
3d491603caff mt76: fix array overflow on receiving too many fragments for a packet
9792a62e7f30 mt76: set dma-done flag for flushed descriptors
53233cdf9486 mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
a4ae9219e6c7 mt76: dma: do not write cpu_idx on rx queue reset until after refill
1198fa57d185 mt76: mt7603: increase dma mcu rx ring size
91cd5be6ee37 mt76: avoid extra RCU synchronization on station removal
7d7fb26bb78a mt76: mt76x2: avoid starting the MAC too early
aac609809de1 mt76: fix LED link time failure
18627db2e633 mt76: mt76x0u: add support to TP-Link T2UHP
5ecfdb1a6e0a mt76: mt76x02: fix handling MCU timeouts during hw restart
f7e9be89db59 mt76: mt7603: add upper limit for dynamic sensitivity minimum receive power
23b834485070 mt76: mt7603: enable dynamic sensitivity adjustment by default
08054d5ab135 mt76: mt76x02: reset MCU timeout counter earlier in watchdog reset

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-03-11 13:37:19 +01:00
Florian Eckert
e7f1313bbb rpcd: add respawn param
The rpcd service is an important service, but if the service stops
working for any reason, no one will ever respawn that service. With this
commit, the procd service will monitor if the rpcd service
is running. If the rpcd service has crashed, then
procd respawns the rpcd service.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
(cherry picked from commit 432ec292cc)
2020-03-04 09:16:43 +01:00
Jo-Philipp Wich
f6f0cd54a2 rpcd: update to latest Git HEAD
aaa0836 file: extend exec acl checks to commands with arguments

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 762aac50c0)
2020-03-04 09:16:43 +01:00
Jo-Philipp Wich
c56ed72d2b OpenWrt v19.07.2: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-27 22:34:09 +01:00
Jo-Philipp Wich
33732f4a9c OpenWrt v19.07.2: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-27 22:34:09 +01:00
Jo-Philipp Wich
65030d81f3 libubox: update to latest Git HEAD
7da6643 tests: blobmsg: add test case
75e300a blobmsg: fix wrong payload len passed from blobmsg_check_array

Fixes: FS#2833
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 955634b473)
2020-02-27 22:05:12 +01:00
Petr Štetiar
cf118077cd ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
Fixes: CVE-2020-8597
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:40:43 +01:00
Jo-Philipp Wich
0e9e5b1553 Revert "ppp: backport security fixes"
This reverts commit 6b7eeb74db since it
didn't contain a reference to the CVE it addresses. The next commit
will re-add the commit including a CVE reference in its commit message.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-26 16:40:25 +01:00
Jo-Philipp Wich
9e2a1af62f uhttpd: update to latest Git HEAD
2ee323c file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 04069fde19)
2020-02-26 16:11:56 +01:00
Petr Štetiar
6b7eeb74db ppp: backport security fixes
8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03)
2020-02-20 09:17:11 +01:00
Jo-Philipp Wich
b6c01fec92 hostapd: remove erroneous $(space) redefinition
The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.

Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.

Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 766e778226)
2020-02-08 11:46:27 +01:00
Michal Cieslakiewicz
a0ca72d9ab uboot-envtools: ath79: add Netgear WNDR3700v2
Add Netgear WNDR3700v2 to the list of supported boards.

Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
[rebase, adjusted commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a09408fa57)
2020-02-07 14:08:24 +01:00
Rafał Miłecki
887eb669f9 mac80211: brcm: backport remaining 5.6 kernel patches
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit aca274091a)
2020-02-07 11:05:24 +01:00
Jo-Philipp Wich
4668ae3bed OpenWrt v19.07.1: revert to branch defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-29 17:08:14 +01:00
Jo-Philipp Wich
901bbe2ab9 OpenWrt v19.07.1: adjust config defaults
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-01-29 17:08:11 +01:00
Jo-Philipp Wich
c155900f66 opkg: update to latest Git HEAD
80d161e opkg: Fix -Wformat-overflow warning
c09fe20 libopkg: fix skipping of leading whitespace when parsing checksums

Fixes: CVE-2020-7982
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit c69c20c667)
2020-01-29 17:05:35 +01:00
Hauke Mehrtens
f84981f6f8 mac80211: Update to version 4.19.98
The removed patches are all integrated in the upstream version now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-27 00:28:46 +01:00
Martin Schiller
3212290a3b lantiq: ltq-ptm: vr9: fix skb handling in ptm_hard_start_xmit()
Call skb_orphan(skb) to call the owner's destructor function and make
the skb unowned.

This is necessary to prevent sk_wmem_alloc of a socket from overflowing,
which leads to ENOBUFS errors on application level.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 996f02e5ba)
2020-01-26 19:23:46 +01:00
Magnus Kroken
6ee0138a6c mbedtls: update to 2.16.4
Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.

Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

Fixes:
 * CVE-2019-18222: Side channel attack on ECDSA

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 6e96fd9047)
2020-01-26 19:23:40 +01:00
Petr Štetiar
8038846b62 procd: update to version 2020-01-24
Get only fix backports from openwr-19.07 procd branch:

 31e4b2dfdbd7 state: fix reboot causing shutdown inside LXC container
 557f11b3a20f instance: provide error feedback if ujail binary is missing
 0a11aa405d3f instance: Fix instance_config_move_strdup() function
 44dd9419812b instance: fix typo in error message
 153820c76471 instance: fix pidfile and seccomp attributes double free

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-24 08:42:24 +01:00
Felix Fietkau
4a58a871c4 hostapd: fix faulty WMM IE parameters with ETSI regulatory domains
hostapd sets minimum values for CWmin/CWmax/AIFS and maximum for TXOP.
The code for applying those values had a few bugs leading to bogus values,
which caused significant latency and packet loss.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-01-23 15:00:16 +01:00
Kimmo Vuorinen
177c9ed4b0 uboot-envtools: ath79: add support for glinet,gl-ar150
Add ubootenv uci config for GL.inet GL-AR150

Signed-off-by: Kimmo Vuorinen <kimmo.vuorinen@gmail.com>
[commit title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit a8723c48ad)
2020-01-23 14:33:21 +01:00
Kimmo Vuorinen
a1502b0443 uboot-envtools: ar71xx: add support for gl-ar150/-domino/-mifi
Add ubootenv uci config for gl-ar150, gl-domino and gl-mifi

Signed-off-by: Kimmo Vuorinen <kimmo.vuorinen@gmail.com>
[commit message/title facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit dc6dfaac80)
2020-01-23 14:33:21 +01:00
Petr Štetiar
eed8f30b98 urngd: update to version 2020-01-21
c7f7b6b65b82 Tag version 1.0.2
236b7a0aef21 Fix blocked entropy generation

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3d8edd9bb4)
2020-01-21 20:03:43 +01:00
Petr Štetiar
1636e99e80 urngd: update to latest Git head
* 40f939d57c67 Tag version 1.0.1
 * 9e758e6e6aec jitterentropy-rngd: update to version v1.1.0 + clang compile fix
 * 193586a25adc Fix wrong types in format strings used in debug build
 * d474977bb611 Add initial GitLab CI support

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ed67b137c7)
2020-01-21 20:03:39 +01:00
Petr Štetiar
f8902d1ae6 libubox: update to version 2020-01-20
43a103ff17ee blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
 5c0faaf4f5e2 tests: prefer dynamically allocated buffers
 1ffa41535369 blobmsg_json: prefer snprintf usage
 132ecb563da7 blobmsg: blobmsg_vprintf: prefer vsnprintf
 a2aab30fc918 jshn: prefer snprintf usage
 b0886a37f39a cmake: add a possibility to set library version
 a36ee96618a9 blobmsg: blobmsg_add_json_element() 64-bit values
 f0da3a4283b7 blobmsg_json: fix int16 serialization
 20a070f08139 tests: blobmsg/json: add more test cases
 379cd33d1992 tests: include json script shunit2 based testing

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 5c73bb12c8)
2020-01-20 21:14:08 +01:00
Petr Štetiar
5ca066a5c2 fstools: backport fix from version 2020-01-18
Contains only the FS#2735 fix:

 189b41b6b487 libblkid-tiny: fix f2fs labels by increasing label buffer

Commit adding new feature wasn't backported (needs patched kernel anyway):

 f5c7c1813f52 fstools: Add support to read-only MTD partitions (eg. recovery images)

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 63000bfaf7)
2020-01-20 21:14:08 +01:00
Daniel Golle
455ba76bf9 hostapd: cleanup IBSS-RSN
set noscan also for IBSS and remove redundant/obsolete variable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 702c70264b)
2020-01-16 17:32:02 +02:00
Eneas U de Queiroz
dd4d49dcc1 cryptodev-linux: remove DEFAULT redefinition
The 'DEFAULT:=m if ALL' line prevents the phase1 buildbots from building
the package, and users from downloading it, since they use 'ALL_KMODS=y'
but 'ALL' is not set.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 9b25f833eb)
2020-01-15 19:31:42 +01:00
Felix Fietkau
44b37774f9 mac80211: fix a page refcounting issue leading to leaks/crashes in rx A-MSDU decap
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 9501469e11)
2020-01-15 12:26:07 +01:00
Felix Fietkau
a3b6ffe01b mac80211: fix sta TID stats leak on a few nl80211 calls
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit d5b3024139)
2020-01-15 12:23:46 +01:00
Petr Štetiar
25e1afb9e1 ucert: update to version 2019-12-19
14a279411cff fix certificate blob parsing vulnerability by using blob_parse_untrusted
19a7225ac018 fix leaking memory in cert_dump_blob
9dba44ddd4f5 fix possibly garbage value returned in cert_process_revoker
4462ff9dedfa add cram based unit tests
5fe64b5606aa cmake: split usign bits into static library
5d7626a2b6d8 cmake: reindent the file
e284ed941972 cmake: enable hardening compiler flags and fix the reported issues
7e5390666347 add initial GitLab CI support
fa0bf4ef45b1 cmake: add proper include and library dependencies

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 2544cb1ba3)
2020-01-14 00:21:35 +01:00
Matthias Schiffer
44c827215d
ethtool: fix PKG_CONFIG_DEPENDS
Add missing CONFIG_ prefix.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 41c19dd542)
2020-01-07 21:42:13 +01:00
Hauke Mehrtens
eb15634541 OpenWrt v19.07.0: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 22:41:02 +01:00
Hauke Mehrtens
aca39acedf OpenWrt v19.07.0: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-06 22:40:58 +01:00
Hauke Mehrtens
f58705b77e dnsmasq: Fix potential dnsmasq crash with TCP
This is a backport from the dnsmasq master which should fix a bug which
could cause a crash in dnsmasq.

I saw the following crashes in my log:
[522413.117215] do_page_fault(): sending SIGSEGV to dnsmasq for invalid read access from 2a001450
[522413.124464] epc = 004197f1 in dnsmasq[400000+23000]
[522413.129459] ra  = 004197ef in dnsmasq[400000+23000]
This is happening in blockdata_write() when block->next is
dereferenced, but I am not sure if this is related to this problem or if
this is a different problem. I am unable to reproduce this problem.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 414d054138)
2020-01-06 17:46:00 +01:00
Maxim Storchak
abb0665bec ca-certificates: provide ca-certs by both ca-certificates and ca-bundle
- both packages provide ca-certs
- make ca-bundle the default provider

This should allow easy transition between these two forms of CA certificates storage

Signed-off-by: Maxim Storchak <m.storchak@gmail.com>
(cherry picked from commit dd299805ad)
2020-01-05 20:05:33 +01:00
Petr Štetiar
a5653ec87e package: remove accidentally added symlink
In the commit f3439c4019 ("procd: update to version 2020-01-04") I've
somehow managed to add local testing symlink to the uledd package, so
removing it now.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-05 18:42:16 +01:00
Jo-Philipp Wich
6395ac4126 fstools: update to latest Git HEAD
823faa0 block: re-discover mtd devices on extroot mount retry

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 22a178e892)
2020-01-05 18:41:25 +01:00
Petr Štetiar
f3439c4019 procd: update to version 2020-01-04
Contains following changes:

 a5af33ce9a16 instance: strdup string attributes
 d2e8bf6ef7cf system: watchdog_set: fix misleading indentation
 9814807bd71c system: sysupgrade: fix possibly misleading error
 c7a2db3c1eb6 system: sysupgrade: rework firmware validation
 ea45c4a0f07c system: fix failing image validation due to EINTR
 4fde95506243 cmake: fix lookup of external libraries
 5ed190aae1b3 jail: remove accidentally added lines
 52c5c1980ba3 jail: set user and group inside jail
 3aa051b44177 system: sysupgrade: close input side of pipe before reading
 f47622e89c4d instance: Warn about unexpected number of parameters
 564ecdfd9cc4 instance: ujail: Fix allocated size for no_new_privs parameter
 7fb2e1dfa221 procd: simplify code in procd_inittab_run
 4a127c3c60af procd: replace exit(-1) with exit(EXIT_FAILURE)
 bc0a73eaad58 procd: add upgraded binary to .gitignore
 ba4c4dbbbd65 procd: add start-console support
 3e39fe539490 procd: shift arguments for askfirst only once
 5d6282906baf procd: skip respawn in case device disappeared
 d27949f12fd7 procd: guard fork_worker calls
 258aa04328a2 procd: Add cached and available to memory table
 8e9fb51fa66e procd: Switch to nanosleep
 c844ace9729a system: Fix possible integer overflows

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-05 17:50:10 +01:00
Petr Štetiar
64c45d95d6 ubus: update to version 2019-12-27
Contains following changes:

 041c9d1c052b ubusd/libubus-io: fix socket descriptor passing
 8f2292478c57 ci: enable unit testing
 a1523d76b016 fix blob parsing vulnerability by using blob_parse_untrusted
 c60583743ccf ubus_monitor: workaround possibly false positive uses of memory after it is freed
 dac6c7c575ac ubusd_monitor: fix possible null pointer dereference
 060dfbb26da3 ubus_common: remove duplicate ARRAY_SIZE and add missing include
 c5f2053dfcfd workaround possibly false positive uses of memory after it is freed
 72be8e93f07d lua: ubus_lua_do_subscribe: fix copy&paste error
 a995b1e68129 lua: workaround false positive dereference of null pointer
 08f17c87a000 add fuzzer and cram based unit tests
 c413be9b376c refactor ubusd.c into reusable ubusd_library
 afd47189e864 examples: remove dead increments
 b2e544238672 add initial GitLab CI support
 058f4e9526ed libubus: fix incompatible pointer types assigment
 d2e026a33df8 iron out all extra compiler warnings
 5d7ca8309d0a ubusd/libubus-io: fix variable sized struct position warning
 d61282db5640 ubusd: fix comparison of integers of different signs
 90fb16234c22 cmake: enable extra compiler checks
 2e051f628996 ubus: Support static builds
 588baa3cd784 ubusd: retry sending messages on EINTR
 76ea27a62774 libubus: attempt to receive data before calling poll
 4daab27d004f libubus: do not abort recv_retry before completing a message

and bumps ABI_VERSION to 20191227.

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-05 17:50:10 +01:00
Petr Štetiar
04fd5e22b2 libubox: update to version 2019-12-28
Contains following changes:

 cd75136b1342 blobmsg: fix wrong payload len passed from blobmsg_check_array
 eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning
 86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data
 586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods
 b0e21553ae8c blobmsg: add _len variants for all attribute checking methods
 cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len
 143303149c8b Ensure blob_attr length check does not perform out of bounds reads
 f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse
 4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
 2df6d35e3299 tests: add test cases for blobmsg parsing
 8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes
 478597b9f9ae blob: fix OOB access in blob_check_type
 325418a7a3c0 tests: use blob_parse_untrusted variant
 0b24e24b93e1 blob: introduce blob_parse_untrusted
 6d27336e4a8b blob: refactor attr parsing into separate function
 833d25797b16 test: fuzz: add blob_parse crashes
 09ee90f8d6ed tests: add test cases for blob parsing
 436d6363a10b tests: add libFuzzer based tests
 bf680707acfd tests: add unit tests covered with Clang sanitizers
 f804578847de cmake: add more hardening compiler flags
 46f8268b4b5b blobmsg/ulog: fix format string compiler warnings
 eb216a952407 cmake: use extra compiler warnings only on gcc6+
 07413cce72e1 tests: jshn: add more test cases
 26586dae43a8 jshn: fix missing usage for -p and -o arguments
 8e832a771d3a jshn: fix off by one in jshn_parse_file
 cb698e35409b jshn: jshn_parse: fix leaks of memory pointed to by 'obj'
 c42f11cc7c0f jshn: main: fix leak of memory pointed to by 'vars'
 93848ec96dc5 jshn: refactor main into smaller pieces
 9b6ede0e5312 avl: guard against theoretical null pointer dereference
 c008294a8323 blobmsg_json: fix possible uninitialized struct member
 0003ea9c45cc base64: fix possible null pointer dereference
 8baeeea1f52d add assert.h component
 b0a5cd8a28bf add cram based unit tests
 1fefb7c4d7f9 add initial GitLab CI support
 c955464d7a9b enable extra compiler checks
 6228df9de91d iron out all extra compiler warnings

and bumps ABI_VERSION to 20191228.

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-05 17:50:10 +01:00
Petr Štetiar
bf99f79200 base-files: sysupgrade: exit if the firmware download failed
Sysupgrade process shouldn't continue if the firmware image couldn't be
downloaded.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020940.html
Reported-by: Petr Novák <petrn@me.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit cf3da66d2c)
2020-01-05 17:50:10 +01:00
Klaus Kudielka
3140d38042 base-files: upgrade: add case to export_bootdevice
The factory uboot of the Turris Omnia boots with "root=b301", and we
instruct new users to sysupgrade from there (e.g. method 1, step 7).
Currently, this will fail with "Unable to determine upgrade device".
Add a new case to export_bootdevice, which parses the hex argument.

Ref: https://github.com/openwrt/openwrt/pull/2340#issuecomment-561317688
Fixes: 2e5a0b81ec ("mvebu: sysupgrade: sdcard: keep user added partitons")
Reviewed-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Klaus Kudielka <klaus.kudielka@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3a4f587c46)
2020-01-05 16:41:35 +01:00
Eneas U de Queiroz
3fc47dd443 wolfssl: bump to 4.3.0-stable
This update fixes many bugs, and six security vulnerabilities, including
CVE-2019-18840.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d5ede68f8b)
2020-01-04 23:04:24 +01:00
David Bauer
f8543adb14 mt76: update to the latest openwrt-19.07 version
8a78567 mt76: fix compilation warning in mt76_eeprom_override()

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-04 22:02:22 +01:00
David Bauer
bce5342fb6 mt76: fix incorrect firmware path
The mt76 driver does load the firmware for the MT7615 chip from
/lib/firmware/mediatek instead of /lib/firmware. The driver loads the
firmware from this path since mt76 commit
ea3ab68c7589 ("mt76: mt7615: fix mt7615 firmware path definitions").

Fixes: a2e2c40b5e ("mt76: update to the latest openwrt-19.07 version")

Reported-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Segers <foss@volatilesystems.org>
2020-01-04 12:40:04 +01:00
David Bauer
a2e2c40b5e mt76: update to the latest openwrt-19.07 version
330e832 mt76: mt76x0: fix default mac address overwrite
f97c33e mt76: mt7603: fix input validation issues for powersave-filtered frames
875f6d7 mt76: mt7615: increase MCU command timeout
abd7d86 mt76: clear skb pointers from rx aggregation reorder buffer during cleanup
96c7b07 mt76: eeprom: add support for big endian eeprom partition
19c8e20 mt76: fix possible undetected invalid MAC address
df64c56 mt76: Off by one in mt76_calc_rx_airtime()
1702b24 mt76: mt7603: reset STA_CCA counter setting the channel
383a631 mt76: mt76x0u: do not reset radio on resume
2dcfbdd mt76: disable bh in mt76_dma_rx_poll
947d20d mt76: fix rx dma ring descriptor state on reset
f3348f5 mt7615: replace sta_state callback with sta_add/sta_remove
faf5e6f mt76: mt7615: read {tx,rx} mask from eeprom
db78ee0 mt76: move mt76_get_antenna in mt76_core module
7121e16 mt76: fix possible out-of-bound access in mt7615_fill_txs/mt7603_fill_txs
5dfb0ec mt76: mt7615: disable radar pattern detector during scanning
e2f90ad mt76: move interface_modes definition in mt76_core module
cfdb751 mt76: mt7615: add ibss support
e0731a8 mt76: move SUPPORTS_REORDERING_BUFFER hw property in mt76_register_device
a85c06c mt76: use mt76_dev in mt76_is_{mmio,usb}
ea19cd7 mt76: Remove set but not used variable 'idx'
3cbaf81 mt76: mt76u: rely on a dedicated stats workqueue
20f0589 mt76: mt76u: rely on usb_interface instead of usb_dev
f2be00b mt76: dma: fix buffer unmap with non-linear skbs
c14d656 mt76: mt76x2e: disable pcie_aspm by default
58e1e96 mt76: mt7615: remove unneeded semicolon
c93a2d1 mt76: mt76x02u: update ewma pkt len in mt76x02u_tx_prepare_skb
1987b74 mt76: mt76x0: remove 350ms delay in mt76x0_phy_calibrate
50b1e9b mt76: refactor cc_lock locking scheme
d868638 mt76: remove obsolete .add_buf() from struct mt76_queue_ops
dc14ac6 mt7615: remove vif sta from poll list on interface remove
2a0a191 mt7603: remove vif sta from poll list on interface remove
d3a5895 mt76: fix a-mpdu boundary detection issue for airtime reporting
391e148 mt76: add sanity check for a-mpdu rx wcid index
01642d8 mt76: mt76x02: fix use-after-free in tx status code handling airtime
c11a4ad mt76: mt76x0: eeprom: add support for MAC address from OF
d94cc81 mt76: drop rcu read lock in mt76_rx_aggr_stop
7d8764d mt76: avoid enabling interrupt if NAPI poll is still pending
5b02a07 mt76: add missing locking around ampdu action
71c2ef0 mt76: fix aggregation stop issue
6f7d0f5 mt76: fix use-after-free bug in airtime fairness code
8f22de0 mt76: do not use devm API for led classdev
e7199f9 mt76: enable airtime fairness
81f2be0 mt76: mt7615: track tx/rx airtime for airtime fairness
2579122 mt76: mt7615: introduce mt7615_mac_wtbl_update routine
d91f7c1 mt76: mt7615: fix survey channel busy time
028071d mt76: mt7615: report tx_time, bss_rx and busy time to mac80211
0e5050e mt76: mt76x02: track approximate tx airtime for airtime fairness and survey
3429cc7 mt76: mt76x02: move MT_CH_TIME_CFG init to mt76x02_mac_cc_reset
de118bb mt76: unify channel survey update code
fdf0163 mt76: mt7603: switch to a different counter for survey busy time
ee31030 mt76: mt7603: track tx airtime for airtime fairness and survey
f34b1ae mt76: track rx airtime for airtime fairness and survey
a1d6891 mt76: store current channel survey_state in struct mt76_dev
b042987 mt76: rename mt76_driver_ops txwi_flags to drv_flags and include tx aligned4
2027763 mt76: report rx a-mpdu subframe status
1ddcadb mt76: mt7603: remove q_rx field from struct mt7603_dev
ea3ab68 mt76: mt7615: fix mt7615 firmware path definitions
081926a mt76: mt7603: collect aggregation stats
696c0fc mt76: mt7615: collect aggregation stats
23e8aed mt76: move aggr_stats array in mt76_dev
1118b5e mt76: mt7615: add queue entry in debugfs
fbc59e6 mt76: move queue debugfs entry to driver specific code
0b01ace mt76: mt76x02u: move mt76x02u_mac_start in mt76x02-usb module
c394887 mt76: mt76x0u: reset counter starting the device
0355b7a mt76: mt76x2: move mt76x02_mac_reset_counters in mt76x02_mac_start
f3792b5 mt76: mt76x02: move mac_reset_counter in mt76x02_lib module
63e8152 mt76: mt7615: enable SCS by default
b140512 mt76: mt76x0e: make array mt76x0_chan_map static const, makes object smaller
a20c20b mt76: usb: add lockdep_assert_held in __mt76u_vendor_request
0308d75 mt76: remove empty flag in mt76_txq_schedule_list
0efbc5d mt76: use cancel_delayed_work_sync in mt76_rx_aggr_shutdown
9c5df3c mt76: remove aggr_work field from struct mt76_wcid
8739f87 mt76: mt7615: fix control frame rx in monitor mode
e07407a mt7603: fix build with CONFIG_KERNEL_DYNAMIC_DEBUG=y
c7f8214 mt76: mt7615: add support to read temperature from mcu
6797378 mt76: mt7615: introduce mt7615_txwi_to_txp utility routine
496c78e mt76: mt76x0: remove unneeded return value on set channel
1d2acd5 mt76: mt76x0: remove redundant chandef copy
0167bfa mt76: make mt76_rx_convert static

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-01-03 17:52:35 +01:00
David Bauer
ad4b939bd0 rt2x00: add throughput LED trigger
This adds a (currently missing) throughput LED trigger for the rt2x00
driver. Previously, LED triggers had to be assigned to the netdev, which
was limited to a single VAP.

Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Christoph Krapp <achterin@googlemail.com>
(cherry picked from commit 985ec835ae)
2019-12-30 15:17:32 +01:00
Felix Fietkau
91dde4291c mac80211: fix build without CONFIG_PCI
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit fa37dbbc43)
2019-12-29 09:08:09 +01:00
Felix Fietkau
30301dfcf0 mac80211: add patch to include local BSS rx time in survey information
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 6a3739dc42)
2019-12-28 21:11:02 +01:00
Felix Fietkau
da7dde8993 mac80211: add pcie apsm backport changes
Required for newer versions of mt76

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit d64daf7026)
2019-12-28 20:40:58 +01:00
Hauke Mehrtens
36057763fa ath10k-firmware: Add kmod-ath10k-ct-smallbuffers to depends
Only select ath10k-ct-regular when smallbuffers version was not
selected.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 80f06cb601)
2019-12-24 01:04:14 +01:00
Paul Fertser
450b306e54 kernel: ath10k-ct: provide a build variant for small RAM devices
According to many bugreports [0][1][2] the default ath10k-ct kernel
module is unusable on devices with just 64 MiB RAM or with 128 MiB and
dual ath10k cards. The target boards boot but eventually oom-killer
starts to interfere with normal operation, so the current state is
effectively broken.

Since the two patches in question have a performance impact (and
possibly some other unexpected side-effects) a dedicated build variant
is added so that users of the low RAM devices can still benefit from all
the ath10k-ct advantages.

According to testing [3] results, the issue can be experienced even with
"a 256MB device with three radios". Measured performance impact of
implementing small buffers was lowering "the maximum 5 GHz throughput on
an IPQ40xx device without RPS/XPS optimizations from 494/432 Mbit/s for
TCP transfers (download/upload) to 438/343 Mbit/s"

The patches were apparently inspired by QSDK tweaks used by ODMs for the
affected devices.

[0] http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020573.html
[1] https://github.com/openwrt/openwrt/pull/1077
[2] https://bugs.openwrt.org/index.php?do=details&task_id=2664
[3] https://github.com/freifunk-gluon/gluon/pull/1440#issue-195607701

Signed-off-by: Paul Fertser <fercerpav@gmail.com>
[Remove double CONFIG_ATH10K-CT_LEDS entry]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1ac627024d)
2019-12-24 01:03:47 +01:00
Jo-Philipp Wich
e50d44d985 fstools: update to latest git HEAD
b4e25d5 libblkid-tiny: fix symbol collision with full libblkid

Fixes: FS#2691, FS#2692
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 5f4244150f)
2019-12-23 07:33:55 +01:00