Commit Graph

19270 Commits

Author SHA1 Message Date
Petr Štetiar
562894b39d treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f1b7e1434f)
2022-10-04 10:11:08 +02:00
Petr Štetiar
ce59843662 wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ec8fb542ec)
2022-10-04 10:11:08 +02:00
Petr Štetiar
3d2be75b0c wolfssl: refresh patches
So they're tidy and apply cleanly.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 8ad9a72cbe)
2022-10-04 10:11:08 +02:00
Ivan Pavlov
0c8425bf11 wolfssl: bump to 5.5.0
Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch

Some low severity vulnerabilities fixed
OpenVPN compatibility fixed (broken in 5.4.0)
Other fixes && improvements

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 3d88f26d74)
2022-10-04 10:11:08 +02:00
Josef Schlehofer
23d23038dd uboot-mvebu: backport LibreSSL patches for older version of LibreSSL
If you would like to compile the newest version of U-boot together with the stable
OpenWrt version, which does not have LibreSSL >= 3.5, which was updated
in the master branch by commit 5451b03b7c
("tools/libressl: bump to v3.5.3"), then you need these two patches to
fix it. They are backported from U-boot repository.

This should be backported to stable OpenWrt versions.

Reported-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 185541f50f)
2022-10-03 19:51:50 +02:00
Josef Schlehofer
1ff2993edb uboot-mvebu: backport patch to fix compilation on non glibc system
This issue was reported by @paper42, who is using Void Linux with musl
to compile OpenWrt and its packages and found out it is not possible to
compile U-boot for Turris Omnia (neither any other).

It fixes following output:
```
  HOSTCC  tools/kwboot
tools/kwboot.c: In function 'kwboot_tty_change_baudrate':
tools/kwboot.c:662:6: error: 'struct termios' has no member named 'c_ospeed'
  662 |   tio.c_ospeed = tio.c_ispeed = baudrate;
      |      ^
tools/kwboot.c:662:21: error: 'struct termios' has no member named 'c_ispeed'
  662 |   tio.c_ospeed = tio.c_ispeed = baudrate;
      |                     ^
tools/kwboot.c:690:31: error: 'struct termios' has no member named 'c_ospeed'
  690 |  if (!_is_within_tolerance(tio.c_ospeed, baudrate, 3))
      |                               ^
tools/kwboot.c:693:31: error: 'struct termios' has no member named 'c_ispeed'
  693 |  if (!_is_within_tolerance(tio.c_ispeed, baudrate, 3))
      |
```

Tested-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9c7472950b)
2022-10-03 19:51:50 +02:00
Christian Lamparter
e5ab159fbf firmware: intel-microcode: update to 20220809
Debian's changelog by Henrique de Moraes Holschuh <hmh@debian.org>:

  * New upstream microcode datafile 20220809
    * Fixes INTEL-SA-00657, CVE-2022-21233
      Stale data from APIC leaks SGX memory (AEPIC leak)
    * Fixes unspecified errata (functional issues) on Xeon Scalable
    * Updated Microcodes:
      sig 0x00050653, pf_mask 0x97, 2022-03-14, rev 0x100015e, size 34816
      sig 0x00050654, pf_mask 0xb7, 2022-03-08, rev 0x2006e05, size 44032
      sig 0x000606a6, pf_mask 0x87, 2022-04-07, rev 0xd000375, size 293888
      sig 0x000706a1, pf_mask 0x01, 2022-03-23, rev 0x003c, size 75776
      sig 0x000706a8, pf_mask 0x01, 2022-03-23, rev 0x0020, size 75776
      sig 0x000706e5, pf_mask 0x80, 2022-03-17, rev 0x00b2, size 112640
      sig 0x000806c2, pf_mask 0xc2, 2022-03-19, rev 0x0028, size 97280
      sig 0x000806d1, pf_mask 0xc2, 2022-03-28, rev 0x0040, size 102400
      sig 0x00090672, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x00090675, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000906a3, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000906a4, pf_mask 0x80, 2022-06-15, rev 0x0421, size 216064
      sig 0x000a0671, pf_mask 0x02, 2022-03-17, rev 0x0054, size 103424
      sig 0x000b06f2, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064
      sig 0x000b06f5, pf_mask 0x03, 2022-06-07, rev 0x0022, size 216064

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit bb73828b89)
2022-10-03 19:51:50 +02:00
Felix Fietkau
25d8b9cad6 build: fix issues with targets installed via feeds
- fix including modules.mk when a target is being replaced
- fix calling make targets from target/linux

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 3a8825ad6a)
2022-09-27 13:45:03 +02:00
Felix Fietkau
74eeee1698 build: fix including modules.mk for targets pulled in from feeds
Fixes: ebc36ebb23 ("scripts/feeds: install targets to target/linux/feeds and support overriding")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 00094efec3)
2022-09-27 13:45:03 +02:00
Wenli Looi
7707b47c72 ramips: fix fw_setsys
This change was included in the original pull request but later omitted
for some reason:

https://github.com/openwrt/openwrt/pull/4936

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit 4cccea02a6)
2022-09-23 17:03:10 +02:00
Daniel Golle
7c459ac1d5 mac80211: rt2x00: experimental improvements for MT7620 wifi
Serge Vasilugin reports:

To improve mt7620 built-in wifi performance some changes:
1. Correct BW20/BW40 switching (see comments with mark (1))
2. Correct TX_SW_CFG1 MAC reg from v3 of vendor driver see
	https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
3. Set bbp66 for all chains.
4. US_CYC_CNT init based on Programming guide, default value was 33 (pci),
   set chipset bus clock with fallback to cpu clock/3.
5. Don't overwrite default values for mt7620.
6. Correct some typos.
7. Add support for external LNA:
    a) RF and BBP regs never be corrected for this mode
    b) eLNA is driven the same way as ePA with mt7620's pin PA
	but vendor driver explicitly pin PA to gpio mode (for forrect calibration?)
	so I'm not sure that request for pa_pin in dts-file will be enough

First 5 changes (really 2) improve performance for boards w/o eLNA/ePA.
Changes 7 add support for eLNA

Configuration w/o eLAN/ePA and with eLNA show results
tx/rx (from router point of view) for each stream:
 35-40/30-35 Mbps for HT20
 65-70/60-65 Mbps for HT40

Yes. Max results for 2T2R client is 140-145/135-140
with peaks 160/150, It correspond to mediatek driver results.
Boards with ePA untested.

Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[directly include v3 of the patchset submitted upstream]
(cherry picked from commit 31a6605de0)
(cherry picked from commit e785ca05e9)
(cherry picked from commit 412fcf3d44)
2022-09-19 02:48:26 +01:00
Sungbo Eo
d004110ef7 mac80211: rt2x00: fix typo
Add missing semicolon and refresh patches.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit d826c91704)
2022-09-19 02:48:26 +01:00
Daniel Golle
0755c18ff1 mac80211: add patch descriptions to rt2x00 patches
Prepare patches for sending upstream by adding patch descriptions
generated from the original OpenWrt commits adding each patch.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d4feb66048)
2022-09-18 15:40:05 +01:00
Daniel Golle
745d3cd4aa kernel: modules: package kmod-crypto-essiv
Package kernel module providing ESSIV support for block encryption.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4133102898)
2022-09-18 15:39:41 +01:00
Nick Hainke
0c9833d0e0 wireless-regdb: update to 2022-08-12
Changes:
9dc9c89 wireless-regdb: update regulatory database based on preceding changes
442bc25 wireless-regdb: update 5 GHz rules for PK and add 60 GHz rule
daee7f3 wireless-regdb: add 5 GHz rules for GY

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 1d2d69c810)
2022-09-17 23:25:50 +02:00
Josef Schlehofer
e7ef88ff1d kernel: build crypto md5/sha1/sha256 modules for powerpc
This builds and enables kernel optimized modules for mpc85xx target:
- CONFIG_CRYPTO_MD5_PPC [1]
- CONFIG_CRYPTO_SHA1_PPC_SPE [2]
- CONFIG_CRYPTO_SHA256_PPC_SPE [3]

Where it was possible, then use Signal Processing Engine, because
CONFIG_SPE is already enabled in mpc85xx config.

[1] https://cateee.net/lkddb/web-lkddb/CRYPTO_MD5_PPC.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA1_PPC.html
[3] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA256_PPC_SPE.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 3a702f8733)
2022-09-17 15:58:25 +02:00
Felix Fietkau
b3fa0241e2 mac80211: backport tx queueing bugfixes add a bug fix for a rare crash
Re-introduce the queue wake fix that was reverted due to a regression,
but this time with the follow-up fixes that take care of the regression.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 9a93b62f31)
(cherry-picked from commit 8b804cae5e)
(cherry-picked from commit 8b06e06832)
2022-09-15 17:52:28 +02:00
Felix Fietkau
da7b26dfb8 mt76: update to the latest version
d70546462b7b mt76: fix 5 GHz connection regression on mt76x0/mt76x2

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 33c11442b2)
2022-09-06 22:45:44 +02:00
Felix Fietkau
ab61232b0a hostapd: rename hostapd multicast_to_unicast option to multicast_to_unicast_all
There are two feature currently altered by the multicast_to_unicast option.
1. bridge level multicast_to_unicast via IGMP snooping
2. hostapd/mac80211 config multicast_to_unicast setting

The hostapd/mac80211 setting has the side effect of converting *all* multicast
or broadcast traffic into per-station duplicated unicast traffic, which can
in some cases break expectations of various protocols.
It also has been observed to cause ARP lookup failure between stations
connected to the same interface.

The bridge level feature is much more useful, since it only covers actual
multicast traffic managed by IGMP, and it implicitly defaults to 1 already.

Renaming the hostapd/mac80211 option to multicast_to_unicast_all should avoid
unintentionally enabling this feature

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 09ea1db93b)
2022-09-06 12:18:52 +02:00
Hauke Mehrtens
510f0628c7 OpenWrt v22.03.0: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-09-03 18:49:08 +02:00
Hauke Mehrtens
17bd6b0477 OpenWrt v22.03.0: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-09-03 18:49:01 +02:00
Daniel Golle
512e76967f uboot-mediatek: mt7622: suppress unwanted pinctrl warning
Import patch which removes the default pinctrl of uart0 to suppress
the unwanted warning. Apply also to downstream boards.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-03 03:55:34 +01:00
Daniel Golle
93e6581b90 uboot-mediatek: backport fix for unstable UART on MT7622
Import pending patch "arm: dts: mt7622: force high-speed mode for uart"
from Weijie Gao <weijie.gao@mediatek.com> fixing the UART problems on
MT7622 which made it hard to use the U-Boot menu on devices with this
SoC.

This patch is also contained in commit
 c09eb08dad ("uboot-mediatek: add support for MT798x platforms")
in the development branch.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-03 02:03:42 +01:00
Daniel Golle
3889f90ee2 uboot-mediatek: no compression means IH_COMP_NONE
Treat missing compression node in FIT image as IH_COMP_NONE.
This is implicentely already happening in most places, but for now
was still triggering an annoying warning about initramfs compression
being obsolete despite compression note being absent.
Fix this.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0a18456ffc)
2022-09-03 02:00:16 +01:00
Daniel Golle
8ff8a4dc9e uboot-mediatek: fix factory reset on UBI
Truncating a UBI volume using `ubi write 0x0 volname 0x0` results in
segfault on newer U-Boot. Write 1MB of 0s instead.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d118cbdfec)
2022-09-03 02:00:16 +01:00
Daniel Golle
aebb19d34b uboot-envtools: mt7622: use 4k sectors for UniFi 6 LR (ubootmod)
Use 4k sectors when accessing the U-Boot environment on the 64MiB
SPI-NOR flash chip found in the UniFi 6 LR. The speeds up environment
write access as only 4kB instead of 64kB have to be written.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f0adf253fd)
2022-09-03 02:00:16 +01:00
Daniel Golle
f7c358c2ad uboot-mediatek: fix Ubiquiti UniFi 6 LR U-Boot mod
Image names as well as the calculation of the padded image size did
not work as intended. Fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0bc8889e7b)
2022-09-03 02:00:16 +01:00
Claudiu Beznea
ea4ec11f4e at91bootstrap: use sdmmc0 as booting media for sama5d27_som1_ek
Commit 0b7c66c ("at91bootstrap: add sama5d27_som1_eksd1_uboot as
default defconfig") changed default booting media for sama5d27_som1_ek
board w/o any reason. Changed it back to sdmmc0 as it is for all the
other Microchip supported distributions for this board (Buildroot,
Yocto Project). The initial commit cannot be cleanly reverted.

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit e9f12931e6)
2022-09-02 21:42:50 +02:00
Claudiu Beznea
c53fea7a8a uboot-at91: use sdmmc0 as booting media for sama5d27_som1_ek
Commit adc69fe (""uboot-at91: changed som1 ek default defconfigs")
changed the booting media to sdmmc1 as default booting w/o any reason.
The Microchip releases for the rest of supported distributions (Buildroot,
Yocto Project) uses sdmmc0 as default booting media for this board.
Thus change it back to sdmmc0. With this remove references to sdmmc1
config. The initial commit cannot be cleanly reverted.

Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit 9a49788008)
2022-09-02 21:42:49 +02:00
Jo-Philipp Wich
caa43f4428 firewall4: update to latest Git HEAD
f5fcdcf cli: introduce test mode and refuse firewall restart on errors
a540f6d fw4: fix cosmetic issue with per-ruleset and per-table include paths
695e821 doc: fix swapped include positions in nftables.d README

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit ab31ffc425)
2022-09-01 12:41:00 +02:00
Jo-Philipp Wich
26b436e2a2 ucode: update to latest Git HEAD
344fa9e lib: extend render() to support function values
89452b2 lib: improve getenv() and split() implementations

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
[fix commit subject]
(cherry picked from commit c6d6306827)
2022-08-31 23:06:01 +02:00
Felix Fietkau
0588b124e4 mac80211: disable ft-over-ds by default
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 2984a04206)
2022-08-30 10:59:51 +02:00
Hauke Mehrtens
251336639c mbedtls: update to version 2.28.1
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

The build problem was reported upstream:
https://github.com/Mbed-TLS/mbedtls/issues/6243

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f3870546a5)
2022-08-28 12:46:44 +02:00
Etienne Champetier
a901a13505 iptables: default to ip(6)tables-nft when using buildroot
35fec487e3 fixed opkg usage,
but when using buildroot we were still defaulting to
ip(6)tables-legacy

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 0c8d7e34ab)
2022-08-28 00:41:40 +02:00
Joerg Werner
0197cc553a hostapd: fix WPA3 enterprise keys and ciphers
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is
active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires
corresponding changes in netifd.

Signed-off-by: Joerg Werner <schreibubi@gmail.com>
(cherry picked from commit 9fbb76c047)
2022-08-26 22:30:56 +02:00
Hauke Mehrtens
567f64df57 iwinfo: update to latest HEAD
0dad3e6 Add support for CCMP-256 and GCMP-256 ciphers

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cc6a323e23)
2022-08-26 22:30:56 +02:00
Hauke Mehrtens
f543588812 iproute2: Fix KERNEL_INCLUDE in SDK
In the SDK the folder $(LINUX_DIR)/user_headers/include does not exist,
but it more or less contains the same content as
$(LINUX_DIR)/include/uapi which also exists in the SDK.

Since iproute2 commit 1d819dcc741e ("configure: fix parsing issue on
include_dir option") it checks if this folder exists and aborts the
build if it does not exists.
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=1d819dcc741e25958190e31f8186c940713fa0a8

With this commit the KERNEL_INCLUDE variable points to a valid folder
with the kernel include headers. I am not sure if they are actually
needed because the build worked before even with an invalid path.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 60738feded)
2022-08-26 22:30:56 +02:00
Hauke Mehrtens
8de88a2aa9 umbim: bump to git HEAD
146bc77 umbim: fix invalid mbim message string encoding

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 90bedc411b)
2022-08-26 22:30:56 +02:00
Felix Fietkau
e0832778a3 mt76: update to the latest version
9485e3b47066 mt76: remove q->qid
e5674c4aa402 mt76: mt7921: enable HW beacon filter not depending on PM flag
7fd299e3c921 mt76: mt7921: enable HW beacon filter in the initialization stage
d5459efaaf14 mt76: mt7921: make mt7921_pci_driver static
b8304b456e23 mt76: connac: move tx initialization/cleanup in mt76_connac module
6e0d7077486c mt76: mt7921: reduce log severity levels for informative messages
cb80da974fe6 mt76: mt7921: reduce the mutex lock scope during reset
a2d61f4f4063 mt76: mt7915 add ht mpdu density
08ea730c1130 mt76: add len parameter to __mt76_mcu_msg_alloc signature
60ef85fa352c mt76: introduce MT_RXQ_BAND2 and MT_RXQ_BAND2_WA in mt76_rxq_id
8ccbb38ca6e6 mt76: add phy_idx in mt76_rx_status
eb19ac83c07e mt76: introduce phys array in mt76_dev structure
30887591e3ab mt76: add phy_idx to mt76_wcid
4bf8c20a9524 mt76: convert MT_TX_HW_QUEUE_EXT_PHY to MT_TX_HW_QUEUE_PHY
e6c6bf8cee09 mt76: get rid of mt76_wcid_hw routine
120f73ad992a mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init()
111e92cf8c22 mediatek: mt76: eeprom: fix missing of_node_put() in mt76_find_power_limits_node()
13bedd62ff4a mt76: connac: introduce mt76_connac_reg_map structure
5ec78e1ec43d wifi: mt76: fix reading current per-tid starting sequence number for aggregation

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit ec7d32f376)
2022-08-26 20:24:54 +02:00
Felix Fietkau
da3dc96b64 netifd: update to the latest version
76d2d41b7355 interface: fix use-after-free bug when rewriting resolv.conf

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 31648c4b59)
2022-08-25 21:42:44 +02:00
Hauke Mehrtens
237f8e2cfc netifd: update to git HEAD
87fbefd interface: support "zone" config option
bfa039c netifd: fix WPA3 enterprise ciphers

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry-picked from commit 8008816a2c)
2022-08-25 21:42:34 +02:00
Petr Štetiar
8a9733ee0d rpcd: bump version to 2022-08-24
gcc 10 with -O2 reports following:

 In function ‘strncpy’,
     inlined from ‘rpc_sys_packagelist’ at /opt/devel/openwrt/c-projects/rpcd/sys.c:244:4:
 /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 128 equals destination size [-Werror=stringop-truncation]
   106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 In function ‘strncpy’,
     inlined from ‘rpc_sys_packagelist’ at /opt/devel/openwrt/c-projects/rpcd/sys.c:227:4:
 /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound 128 equals destination size [-Werror=stringop-truncation]
   106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
       |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Since it is not possible to avoid truncation by strncpy, it is necessary
to make sure the result of strncpy is properly NUL-terminated and the
NUL must be inserted explicitly, after strncpy has returned.

References: #10442
Reported-by: Alexey Smirnov <s.alexey@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 34ddd2e545)
2022-08-25 11:05:20 +02:00
Jo-Philipp Wich
8f4a2e4234 rpcd: update to latest Git HEAD
ae5afea ucode: parse ucode plugin scripts in raw mode, init search path

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 66a360206e)
2022-08-25 10:33:14 +02:00
Jo-Philipp Wich
f92ac40ebd uhttpd: update to latest Git HEAD
e3395cd ucode: initialize search path before VM init
8cb3f85 ucode: initialize default library search path
188dea2 utils: accept '?' as path terminator in uh_path_match()
c5eac5d file: support using dynamic script handlers as error pages
290ff88 relay: trigger close if in header read state with pending data
f9db538 ucode: ignore exit exceptions
8ba0b64 cmake: use variables and find_library for dependency

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 4ee77cfcfa)
2022-08-25 10:32:34 +02:00
Jo-Philipp Wich
d4f20964ff ucode: update to latest Git HEAD
bcdd2cb examples: add module search path initialization and freeing
ee1946f ubus: fix GCC strncpy() truncation warning
131d99c lib: introduce three new functions call(), loadstring() and loadfile()
8e8dae0 lib: introduce helper function for indenting error messages
476f02b lib: simplify include_path()
d84b53a source: avoid null pointer access in uc_source_runpath_set()
c43a54f types: gracefully handle unpatched upvalues in ucv_free()
e2fb11a README.md: document gc() function
b41cb2d main: introduce -g flag to allow enabling periodic gc from cli
85d7885 lib: implement gc()
47528f0 vm: support automatic periodic GC runs
381cc75 types: treat vm->exports as GC roots
fcc49e6 compiler: add import statement support for dynamic extensions
c9442f1 vm: introduce new I_DYNLOAD opcode
b6fd8a2 lib: internally expose new uc_require_library() helper
a486adc vm: don't treat offset 0 special for exceptions
41ccd19 compiler: don't treat offset 0 special at syntax errors
b4a3f68 compiler: improve formatting of nested syntax error messages
5d5dadc program: remove now unused uc_program_export_lookup()
304995b compiler: rework export index allocation
506cc37 compiler: fix deriving module path from source runpath
54b7fac compiler: enforce stricter module compilation rules
d62e372 vm: don't initialize upvalues for module functions
b856602 program: add serialization and deserialization for module function flag
d7d1bde compiler: add a flag denoting module functions
156d584 treewide: unexport libucode internal functions
10e056d compiler: add support for import/export statements
862e49d compiler: resolve predeclared upvalues
78dfb08 compiler: require a name in function declarations
afd78c1 compiler: fix reported source position in inc/dec operator error
e1c3db0 tests: run_tests.sh: substitute dynamic test directory path in output
3c168b5 vm, cli: move search path into global configuration structure
d85bc71 vm: introduce import and export opcodes
365782e vm: honor constant flag of objects and arrays
6becc64 vm: transparently resolve upvalue references
3418967 vm: gracefully handle unresolved upvalues
50cf572 program: add function to globally lookup exported name
c441f65 program: add infrastructure to handle multiple sources per program
2322468 program: fix reporting source position of first instruction
9c9a9ec program: fix en/decoding debuginfo upvalue slots in precompiled bytecode
41114a0 source: add tracking of exported symbols
70ae304 lib: honor constant flag of arrays
3c104f5 types: resolve upvalue references on stringification
3a6f9cb types: add ability to mark array and object values as constant
b738f3a lexer: recognize module related keywords
03c8e4b lexer: rewrite token scanner
fd433aa lexer: fix parsing with disabled block left stripping
557577a rtnl: fix parsing/creation of IFLA_AF_SPEC RTA for the AF_BRIDGE family
35c6b73 compiler: fix stack mismatch on continue statements nested in switches
f673096 uloop: end uloop on exceptions in managed code
2e5426c ubus: end uloop on exceptions in managed code
c024270 rtnl: expose IFLA_STATS64 contents
d3c58c0 rtnl: expose ifinfomsg.ifi_change member
c4dde50 rtnl: update NETLINK_GET_STRICT_CHK socket flag with every request
7ef0d02 nl80211: fix NL80211_SURVEY_INFO_NOISE datatype
9a2e592 compiler: fix stack mismatch on nonmatching switch statements with locals
03c8ca5 nl80211: recognize further NL80211_STA_INFO_* NLAs
a1ed566 struct: add optional offset argument to `unpack()`
230e595 rtnl: fix segmentation fault on parsing linkinfo RTA without data
523566d rtnl: zero request message headers
56be30d rtnl: fix premature netlink reply receive abort
1347440 rtnl: avoid stray "netlink: %d bytes leftover after parsing attributes."
44b0a3b struct: fix packing `*` format after other repeated formats

Also package uloop binding module which has been introduced by a previous
ucode update and introduce a host build with the basic set of modules.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3446d32616)
2022-08-25 10:31:56 +02:00
Jo-Philipp Wich
469db326ac nftables: fix parsing date expressions
Musl libc does not support the non-POSIX "%F" format for strptime() so
replace all occurrences of it with an equivalent "%Y-%m-%d" format.

Fixes: #10419
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit e6e4f97999)
2022-08-25 10:30:46 +02:00
Jo-Philipp Wich
fd268e3973 firewall4: update to latest Git HEAD
a4484d4 fw4: support automatic includes
ca7e3a1 fw4: honour enabled option of include sections
5a02f74 tests: add missing fs.stat) mock data for `nf_conntrack_dummy`
111a7f7 fw4: don't inherit zone family from ct helpers

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit fe86b2ffaa)
2022-08-25 10:19:46 +02:00
Sultan Alsawaf
97213c7335 mac80211: parse the correct set of HE capabilities for AP mode
It is common for 802.11ax NICs to support more than just AP mode, which
results in there being a distinct set of HE capabilities for each mode. As
(bad) luck would have it, iw prints out info for each HE mode in sequential
order according to `enum nl80211_iftype`, and AP mode isn't always first.

As a result, the wrong set of HE capabilities can be parsed if an AP NIC
supports station (managed) mode or any other mode preceding AP mode, since
only the first set of HE capabilities printed by iw is parsed from awk's
output.

This has a noticeable impact on beamforming for example, since managed mode
usually doesn't have beamformer capabilities enabled, while AP mode does.
Hostapd won't be set up with the configs to enable beamformer capabilities
in this scenario, causing hostapd to disable beamforming to HE stations
even when it's supported by the AP.

Always parse the correct set of HE capabilities for AP mode to fix this.
This is achieved by trimming all of iw's output prior to the AP mode
capabilities, which ensures that the first set of HE capabilities are
always for AP mode.

Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
(cherry picked from commit f338f76a66)
2022-08-21 15:54:22 +02:00
Mikhail Zhilkin
290ace2fe6
base-files: add mtd_get_mac_encrypted_arcadyan function
Some Arcadyan devices (e.g. MTS WG430223) keep their config in encrypted
mtd. This adds mtd_get_mac_encrypted_arcadyan() function to get the MAC
address from the encrypted partition. Function uses uencrypt utility for
decryption (and openssl if the uencrypt wasn't found).

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
(cherry picked from commit 12c971bc26)
2022-08-19 14:44:35 +02:00
Eneas U de Queiroz
d94a28f7d2
uencrypt: add package to decrypt WG4хх223 config
This adds a simple AES-128-CBC encryption/decryption program using
either wolfSSL or OpenSSL as backend to decrypt Arcadyan WG4xx223
configuration partitions.  The ipk size is 3,355 bytes.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit bc43ad88ed)
2022-08-19 14:44:07 +02:00