librecmc/librecmc.git
4 years agotor: update to version 0.4.3.6 (security fix)
RISCi_ATOM [Mon, 3 Aug 2020 17:12:34 +0000 (13:12 -0400)]
tor: update to version 0.4.3.6 (security fix)

Applicable CVEs:
* CVE-2020-15572

Notes:
* Removes libssp hack : Upstream pkg. feed: 0df6c58f82f0b84ca08696d9d0760d425ce11917

4 years agocurl: patch CVE-2020-8169
Jan Pavlinec [Wed, 29 Jul 2020 12:24:38 +0000 (14:24 +0200)]
curl: patch CVE-2020-8169

Affected versions: curl 7.62.0 to and including 7.70.0
https://curl.haxx.se/docs/CVE-2020-8169.html

Run tested on Omnia with OpenWrt 19.07

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agomac80211: fix use of local variable
Leon M. George [Thu, 30 Apr 2020 08:26:36 +0000 (10:26 +0200)]
mac80211: fix use of local variable

mac80211_get_addr is called from mac80211_generate_mac, where the local variable
initialisation id="${macidx:-0}" suggests that macidx is not always defined.
Probably, idx was supposed to be used instead of $(($macidx + 1)).

Fixes: 4d99db168cf7 ("mac80211: try to get interface addresses from wiphy sysfs 'addresses' if no mask is set")

Signed-off-by: Leon M. George <leon@georgemail.eu>
(cherry picked from commit 8f95220bcb554b1b668114e5264ebce4028c5f93)

4 years agonghttp2: bump to 1.41.0
Hans Dedecker [Sat, 6 Jun 2020 12:00:37 +0000 (14:00 +0200)]
nghttp2: bump to 1.41.0

8f7b008b Update bash_completion
83086ba9 Update manual pages
c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr
3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20
881c060d Update AUTHORS
f8da73bd Earlier check for settings flood
336a98fe Implement max settings option
ef415836 Revert "Add missing connection error handling"
979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2
b7d16101 Add missing connection error handling
cd53bd81 Merge pull request #1460 from gportay/patch-1
e5625b8c Fix doc
c663349f integration: Add PROXY protocol v2 tests
854e9fe3 nghttpx: Always call init_forwarded_for
c60ea227 Update doc
49cd8e6e nghttpx: Add PROXY-protocol v2 support
3b17a659 Merge pull request #1453 from Leo-Neat/master
600fcdf5 Merge pull request #1455 from xjtian/long_serials
4922bb41 static_cast size parameter in StringRef constructor to size_t
aad86975 Fix get_x509_serial for long serial numbers
dc7a7df6 Adding CIFuzz
b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue
ffb49c6c Merge pull request #1435 from geoffhill/master
2ec58551 Fix receiving stream data stall
459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp
a4c1fed5 Bump llhttp to 2.0.4
866eadb5 Enable session_create_idle_stream test, fix errors
5e13274b Fix typo
e0d7f7de h2load: Allow port in --connect-to
df575f96 h2load: add --connect-to option
1fff7379 clang-format-9
b40c6c86 Merge pull request #1418 from vszakats/patch-1
9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional
2d5f7659 Bump up version number to 1.41.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Note this is cherry-pick from master. It fixes CVE-2020-11080
and  https://github.com/nxhack/openwrt-node-packages/issues/679

Signed-off-by: Jan Pavlinec <jan.pavlinec@nic.cz>
4 years agombedtls: update to 2.16.7
Magnus Kroken [Mon, 27 Jul 2020 14:36:42 +0000 (10:36 -0400)]
mbedtls: update to 2.16.7

Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07

* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).

Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
4 years agoBump libreCMC version to v6.0
RISCi_ATOM [Mon, 27 Jul 2020 14:27:20 +0000 (10:27 -0400)]
Bump libreCMC version to v6.0

4 years agokernel: Bump to 4.14.187
RISCi_ATOM [Fri, 10 Jul 2020 19:10:07 +0000 (15:10 -0400)]
kernel: Bump to 4.14.187

4 years agoBump version to v1.5.2
RISCi_ATOM [Fri, 26 Jun 2020 01:53:32 +0000 (21:53 -0400)]
Bump version to v1.5.2

4 years agomvebu: Add basic support for WRT1900AC (v1) and Turris Omnia (pre 2019)
RISCi_ATOM [Fri, 26 Jun 2020 01:26:28 +0000 (21:26 -0400)]
mvebu: Add basic support for WRT1900AC (v1) and Turris Omnia (pre 2019)

This adds basic support for the WRT1900AC and Turris Omnia. In order
to continue to use these as wifi routers, some or all of the wifi
modules will need to be replaced, preferably with an ath9k based
chipset. Keep in mind that not all ath9k chipsets work well in
AP mode.

WRT1900AC:

* The original issue with this router, in addition to the non-free
wifi, was an init / learning blob needed for the DDR3 memory. This
issue was resolved in 2015, but there were some stability issues.

* The Marvell wifi chipset is not supported and will need to be
removed or replaced.

* RISCi_ATOM was not able to successfully flash upstream u-boot.
It's most likely a configuration or build issue.

* libreCMC can be installed from the stock firmware web-ui using
the *-factory.img.

Turris Omnnia:

* The ath10k wifi chipset will need to be removed.

* Full support is not ready yet; it works with some hacks.

* Upstream u-boot can be built and flashed; the libreCMC
toolchain was used to build it.

Taken from upstrem openwrt-19.07 @ 153392e209c5110448db9e1e7ce9a3566f124b37

4 years agowireguard: bump to 1.0.20200623
RISCi_ATOM [Fri, 26 Jun 2020 00:20:26 +0000 (20:20 -0400)]
wireguard: bump to 1.0.20200623

4 years agokernel: Bump to 4.14.185
RISCi_ATOM [Thu, 25 Jun 2020 01:53:24 +0000 (21:53 -0400)]
kernel: Bump to 4.14.185

4 years agouclient: update to 19.07 Git HEAD
Jo-Philipp Wich [Wed, 17 Jun 2020 20:21:29 +0000 (22:21 +0200)]
uclient: update to 19.07 Git HEAD

51e16eb uclient-fetch: add option to read POST data from file
99aebe3 uclient: Add string error function

Fixes: 0c910d8459 ("uclient: Update to version 2020-06-17")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agoath79: wndr3700 series: fix wifi range & throughput
Christian Lamparter [Sun, 7 Jun 2020 20:57:46 +0000 (22:57 +0200)]
ath79: wndr3700 series: fix wifi range & throughput

This patch adds ar71xx's GPIO setup for the 2.4GHz and 5GHz antennae
demultiplexer:

| 158         /* 2.4 GHz uses the first fixed antenna group (1, 0, 1, 0) */
| 159         ap9x_pci_setup_wmac_gpio(0, (0xf << 6), (0xa << 6));
| 160
| 161         /* 5 GHz uses the second fixed antenna group (0, 1, 1, 0) */
| 162         ap9x_pci_setup_wmac_gpio(1, (0xf << 6), (0x6 << 6));

This should restore the range and throughput of the 2.4GHz radio
on all the derived wndr3700 variants and versions with the AR7161 SoC.
A special case is the 5GHz radio. The original wndr3700(v1) will
benefit from this change. However the wndr3700v2 and later revisions
were unaffected by the missing bits, as there is no demultiplexer
present in the later designs.

This patch uses gpio-hogs within the device-tree for all
wndr3700/wndr3800/wndrmac variants.

Notes:

Based on the PCB pictures, the WNDR3700(v1) really had eight
independent antennae. Four antennae for each radio and all of
those were printed on the circut board.

The WNDR3700v2 and later have just six antennae. Four of those
are printed on the circuit board and serve the 2.4GHz radio.
Whereas the remaining two are special 5GHz Rayspan Patch Antennae
which are directly connected to the 5GHz radio.

Hannu Nyman dug pretty deep and unearthed a treasure of information
regarding the history of how these values came to be in the OpenWrt
archives: <https://dev.archive.openwrt.org/ticket/6533.html>.

Mark Mentovai came across the fixed antenna group when he was looking
into the driver:

    fixed_antenna_group 1, (0, 1, 0, 1)
    fixed_antenna_group 2, (0, 1, 1, 0)
    fixed_antenna_group 3, (1, 0, 0, 1)
    fixed_antenna_group 4, (1, 0, 1, 0)

Fixes: FS#3088

Reported-by: Luca Bensi
Reported-by: Maciej Mazur
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Debugged-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 61307544d1f1ab81a2eb3a200164456c59308d81)

4 years agoca-certificates: update to version 20200601
Christian Lamparter [Sun, 7 Jun 2020 15:22:02 +0000 (17:22 +0200)]
ca-certificates: update to version 20200601

This patch updates the ca-certificates and ca-bundle package.
This version changed the files directory again, to work/, so
PKG_BUILD_DIR was brought back.

A list of changes from Debian's change-log entry for 20200601 [0]:

  * mozilla/{certdata.txt,nssckbi.h}:
    Update Mozilla certificate authority bundle to version 2.40.
    Closes: #956411, #955038
  * mozilla/blacklist.txt
    Add distrusted Symantec CA list to blacklist for explicit removal.
    Closes: #911289
    Blacklist expired root certificate, "AddTrust External Root"
    Closes: #961907
    The following certificate authorities were added (+):
    + "Certigna Root CA"
    + "emSign ECC Root CA - C3"
    + "emSign ECC Root CA - G3"
    + "emSign Root CA - C1"
    + "emSign Root CA - G1"
    + "Entrust Root Certification Authority - G4"
    + "GTS Root R1"
    + "GTS Root R2"
    + "GTS Root R3"
    + "GTS Root R4"
    + "Hongkong Post Root CA 3"
    + "UCA Extended Validation Root"
    + "UCA Global G2 Root"
    The following certificate authorities were removed (-):
    - "AddTrust External Root"
    - "Certinomis - Root CA"
    - "Certplus Class 2 Primary CA"
    - "Deutsche Telekom Root CA 2"
    - "GeoTrust Global CA"
    - "GeoTrust Primary Certification Authority"
    - "GeoTrust Primary Certification Authority - G2"
    - "GeoTrust Primary Certification Authority - G3"
    - "GeoTrust Universal CA"
    - "thawte Primary Root CA"
    - "thawte Primary Root CA - G2"
    - "thawte Primary Root CA - G3"
    - "VeriSign Class 3 Public Primary Certification Authority - G4"
    - "VeriSign Class 3 Public Primary Certification Authority - G5"
    - "VeriSign Universal Root Certification Authority"

[0] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20200601_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit f611b014a713d82d7c7da4c171f3aa04a8984063)

4 years agobuild: Switch to Python3
RISCi_ATOM [Fri, 12 Jun 2020 20:02:45 +0000 (16:02 -0400)]
build: Switch to Python3

4 years agoscons: move to packages feed
Petr Štetiar [Sat, 27 Jul 2019 22:33:32 +0000 (00:33 +0200)]
scons: move to packages feed

This patch removes scons host build tool, as commit 7087efd72a8d
("scons: move host build tool to a proper place") in the packages feed
has moved scons into the new home.

There are currently no packages in the master tree which would need
scons, yet scons is build always as part of host tools, just in order to
satisfy host build dependency of few packages in the packages feeds.

Ref: https://github.com/openwrt/packages/pull/9584
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoar71xx: fix reset key for TP-Link TL-WR802N V1/V2
Lech Perczak [Fri, 29 May 2020 19:56:18 +0000 (21:56 +0200)]
ar71xx: fix reset key for TP-Link TL-WR802N V1/V2

During porting support for this router to ath79 target
it was discovered that GPIO mapping was incorrect (GPIO11 active high).
Correct mapping for both V1 and V2 is GPIO12 active low.

Default configuration from GPL source for V2 explicitly states this, and
this was confirmed experimentally on ath79 by looking on
/sys/kernel/debug/gpio. Correctness of this was also validated for V1 by
cross-flashing vendor firmware for V1 on V2 hardware, in which reset
button also worked.

Fix it.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[slightly adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit f841e706403b1a111cbb6dc5930b7886307bf633)

4 years agogeneric: fix flow table hw offload
John Crispin [Mon, 6 Apr 2020 05:04:38 +0000 (07:04 +0200)]
generic: fix flow table hw offload

Make the driver work with recent upstream changes.

Fixes: FS#2632
Ref: https://github.com/openwrt/openwrt/pull/2815
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 6786dc26a205da55ec2d9771693cdfb99e756e59)

4 years agoar71xx: correct button type for TL-MR3020 mode slider
David Bauer [Sat, 30 May 2020 14:24:03 +0000 (16:24 +0200)]
ar71xx: correct button type for TL-MR3020 mode slider

The TP-Link TL-MR3020 has a three-state mode slider which was previously
integrated as a button (EV_KEY). This led to spurious activations of
failsafe mode.

Set the type for the button to switch (EV_SW), to avoid unintended
activations of failsafe mode.

Related: commit 27f3f493de06 ("gpio-button-hotplug: unify polled and
interrupt code")

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit b017a016cc0cd26f84a7e6b8de3dc02dc101e888)

4 years agoqos-scripts: fix interface resolving
Jo-Philipp Wich [Fri, 29 May 2020 08:34:58 +0000 (10:34 +0200)]
qos-scripts: fix interface resolving

Also ensure that the error message is actually printed to stderr and that
the rule generation is aborted if an interface cannot be resolved.

Ref: https://github.com/openwrt/luci/issues/3975
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 559b3384666bbc6e4e9e6d86cf54bd88d30b341f)

4 years agomusl: fix locking synchronization bug
Matthias Schiffer [Sat, 23 May 2020 19:16:44 +0000 (21:16 +0200)]
musl: fix locking synchronization bug

Import proposed upstream fix [2] for the critical locking
synchronization bug recently found in musl [1].

This affects all programs that are temporarily multithreaded, but then
return to single-threaded operation.

[1] https://www.openwall.com/lists/musl/2020/05/22/3
[2] https://www.openwall.com/lists/musl/2020/05/22/10

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 10c211031ccd4703230493025a5a3b9d6fcad2f2)

4 years agolibubox: update to the latest version
Felix Fietkau [Tue, 26 May 2020 08:45:06 +0000 (10:45 +0200)]
libubox: update to the latest version

86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b371182d2450b3c4f15cbe790351d92a2a7b5a67)

4 years agolibubox: update to the latest master
Rafał Miłecki [Sun, 24 May 2020 14:30:02 +0000 (16:30 +0200)]
libubox: update to the latest master

5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit a765b063ee3e1dd6519f6a4a9e4d4f72214b33b8)

4 years agolibubox: update to latest Git HEAD
Jo-Philipp Wich [Thu, 27 Feb 2020 21:03:18 +0000 (22:03 +0100)]
libubox: update to latest Git HEAD

7da6643 tests: blobmsg: add test case
75e300a blobmsg: fix wrong payload len passed from blobmsg_check_array

Fixes: FS#2833
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 955634b473284847e3c8281a6ac85655329d8b06)

4 years agorpcd: update to latest openwrt-19.07 Git HEAD
Jo-Philipp Wich [Tue, 26 May 2020 15:29:09 +0000 (17:29 +0200)]
rpcd: update to latest openwrt-19.07 Git HEAD

67c8a3f uci: reset uci_ptr flags when merging options during section add
970ce1a session: deny access if password login is disabled

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agowireguard-tools: bump to 1.0.20200513
Jason A. Donenfeld [Wed, 20 May 2020 01:39:08 +0000 (19:39 -0600)]
wireguard-tools: bump to 1.0.20200513

* ipc: add support for openbsd kernel implementation
* ipc: cleanup openbsd support
* wg-quick: add support for openbsd kernel implementation
* wg-quick: cleanup openbsd support

Very exciting! wg(8) and wg-quick(8) now support the kernel implementation for
OpenBSD. OpenBSD is the second kernel, after Linux, to receive full fledged
and supported WireGuard kernel support. We'll probably send our patch set up
to the list during this next week. `ifconfig wg0 create` to make an interface,
and `wg ...` like usual to configure WireGuard aspects of it, like usual.

* wg-quick: support dns search domains

If DNS= has a non-IP in it, it is now treated as a search domain in
resolv.conf.  This new feature will be rolling out across our various GUI
clients in the next week or so.

* Makefile: simplify silent cleaning
* ipc: remove extra space
* git: add gitattributes so tarball doesn't have gitignore files
* terminal: specialize color_mode to stdout only

Small cleanups.

* highlighter: insist on 256-bit keys, not 257-bit or 258-bit

The highlighter's key checker is now stricter with base64 validation.

* wg-quick: android: support application whitelist

Android users can now have an application whitelist instead of application
blacklist.

* systemd: add wg-quick.target

This enables all wg-quick at .services to be restarted or managed as a unit via
wg-quick.target.

* Makefile: remember to install all systemd units

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agowireguard: bump to 1.0.20200520
Jason A. Donenfeld [Thu, 21 May 2020 04:43:08 +0000 (22:43 -0600)]
wireguard: bump to 1.0.20200520

This version has the various slew of bug fixes and compat fixes and
such, but the most interesting thing from an OpenWRT perspective is that
WireGuard now plays nicely with cake and fq_codel. I'll be very
interested to hear from OpenWRT users whether this makes a measurable
difference. Usual set of full changes follows.

This release aligns with the changes I sent to DaveM for 5.7-rc7 and were
pushed to net.git about 45 minutes ago.

* qemu: use newer iproute2 for gcc-10
* qemu: add -fcommon for compiling ping with gcc-10

These enable the test suite to compile with gcc-10.

* noise: read preshared key while taking lock

Matt noticed a benign data race when porting the Linux code to OpenBSD.

* queueing: preserve flow hash across packet scrubbing
* noise: separate receive counter from send counter

WireGuard now works with fq_codel, cake, and other qdiscs that make use of
skb->hash. This should significantly improve latency spikes related to
buffer bloat. Here's a before and after graph from some data Toke measured:
https://data.zx2c4.com/removal-of-buffer-bloat-in-wireguard.png

* compat: support RHEL 8 as 8.2, drop 8.1 support
* compat: support CentOS 8 explicitly
* compat: RHEL7 backported the skb hash renamings

The usual RHEL churn.

* compat: backport renamed/missing skb hash members

The new support for fq_codel and friends meant more backporting work.

* compat: ip6_dst_lookup_flow was backported to 4.14, 4.9, and 4.4

The main motivation for releasing this now: three stable kernels were released
at the same time, with a patch that necessitated updating in our compat layer.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agohostapd: backport wolfssl bignum fixes
Daniel Golle [Sat, 16 May 2020 21:23:41 +0000 (23:23 +0200)]
hostapd: backport wolfssl bignum fixes

crypto_bignum_rand() use needless time-consuming filtering
which resulted in SAE no longer connecting within time limits.
Import fixes from hostap upstream to fix that.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 631c437a91c20df678b25dcc34fe23636116a35a)

4 years agoucert: update to latest git HEAD
Matthias Schiffer [Sun, 24 May 2020 15:01:36 +0000 (17:01 +0200)]
ucert: update to latest git HEAD

00b921d80ac0 Do not print line number in debug messages
96c42c5ed320 Fix length checks in cert_load()
fe06b4b836b3 usign-exec: improve usign -F output handling
19f9e1917e1b usign-exec: return code fixes
077feb5b5824 usign-exec: close writing end of pipe early in parent process
7ec4bb764e1e usign-exec: remove redundant return statements
5a738e549d31 usign-exec: change usign_f_* fingerprint argument to char[17]
112488bbbccc usign-exec: do not close stdin and stderr before exec
38dcb1a6f121 usign-exec: fix exec error handling
a9be4fb17df2 usign-exec: simplify usign execv calls
854d93e2326a Introduce read_file() helper, improve error reporting
afc86f352bf7 Fix return code of write_file()
fdff10852326 stdout/stderr improvements
dddb2aa8124d ci: fix unit test failures by enabling full ucert build
5f206bcfe5c2 ci: enable unit testing

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
4 years agosquashfs: Fix compile with GCC 10
Hauke Mehrtens [Sun, 24 May 2020 10:23:31 +0000 (12:23 +0200)]
squashfs: Fix compile with GCC 10

Fixes the following build error with GCC 10:
/usr/bin/ld: read_fs.o:(.bss+0x0): multiple definition of `swap'; mksquashfs.o:(.bss+0x1b2a88): first defined here
And a compile warning.

Fixes: FS#3104, FS#3119
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1bbc1aa884902fd05cc579b53d68b2ba0b18683f)

4 years agousign: update to latest git HEAD
Matthias Schiffer [Sat, 23 May 2020 11:38:12 +0000 (13:38 +0200)]
usign: update to latest git HEAD

f1f65026a941 Always pad fingerprints to 16 characters

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit e35e40ad824eab9d51cdd690fb747e576e01412f)

4 years agousign: update to latest Git HEAD
Hauke Mehrtens [Fri, 20 Sep 2019 23:05:42 +0000 (01:05 +0200)]
usign: update to latest Git HEAD

f34a383 main: fix some resource leaks

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 81e93fff7d867851f2fedd966a931336d4092686)

4 years agolibjson-c: backport security fixes
Robert Marko [Tue, 12 May 2020 20:18:33 +0000 (22:18 +0200)]
libjson-c: backport security fixes

This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE, rebase patches on top of json-c 0.12]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit bc0288b76816578f5aeccb2abd679f82bfc5738e)

4 years agofstools: blockd: fix segfault triggered by non-autofs mounts
Daniel Golle [Tue, 12 May 2020 09:48:50 +0000 (10:48 +0100)]
fstools: blockd: fix segfault triggered by non-autofs mounts

Program received signal SIGSEGV, Segmentation fault.
main_autofs (argv=<optimized out>, argc=<optimized out>)
    at fstools-2020-05-06-eec16e2f/block.c:1193
1193:    if (!m->autofs && (mp = find_mount_point(pr->dev))) {

Fixes: 3b9e4d6d4c4f ("fstools: update to the latest version")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit b181294b02499e41b6b6fa24163f59c9ee4988ed)

4 years agokernel: Bump 4.14 to 4.14.180
RISCi_ATOM [Thu, 21 May 2020 16:58:12 +0000 (12:58 -0400)]
kernel: Bump 4.14 to 4.14.180

4 years agoath79: dts: add missing 'serial0' alias for TP-Link TL-MR3040v2
Lech Perczak [Thu, 7 May 2020 22:41:36 +0000 (00:41 +0200)]
ath79: dts: add missing 'serial0' alias for TP-Link TL-MR3040v2

Out of all devices currently supported based on AR9331 chipset,
this one had the 'serial0' alias missing. Add it to fix setting of
/dev/console and login shell on the onboard UART.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit 94f344997769a9a18e2d73574d9d17785828955d)

4 years agoodhcpd: Fix PKG_MIRROR_HASH
RISCi_ATOM [Mon, 11 May 2020 04:49:25 +0000 (00:49 -0400)]
odhcpd: Fix PKG_MIRROR_HASH
fixes: 8d16c4e ("odhcpd: fix PKG_SOURCE_DATE")

4 years agoopkg: update to latest Git HEAD
Jo-Philipp Wich [Thu, 7 May 2020 20:47:47 +0000 (22:47 +0200)]
opkg: update to latest Git HEAD

f2166a8 libopkg: implement lightweight package listing logic
cf4554d libopkg: support passing callbacks to feed parsing functions
2a0210f opkg-cl: don't read feeds on opkg update
b6f1967 libopkg: use xsystem() to spawn opkg-key
60b9af2 file_util.c: refactor and fix checksum_hex2bin()
206ebae file_util.c: fix possible bad memory access in file_read_line_alloc()

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 79da9d78b98e1cd4574a37e2c4c5f8315b91563d)

4 years agowireguard: bump to 1.0.20200506
RISCi_ATOM [Thu, 7 May 2020 19:25:23 +0000 (15:25 -0400)]
wireguard: bump to 1.0.20200506

* compat: timeconst.h is a generated artifact

Before we were trying to check for timeconst.h by looking in the kernel
source directory. This isn't quite correct on configurations in which
the object directory is separate from the kernel source directory, for
example when using O="elsewhere" as a make option when building the
kernel. The correct fix is to use $(CURDIR), which should point to
where we want.

* compat: use bash instead of bc for HZ-->USEC calculation

This should make packaging somewhat easier, as bash is generally already
available (at least for dkms), whereas bc isn't provided by distros by
default in their build meta packages.

* socket: remove errant restriction on looping to self

It's already possible to create two different interfaces and loop
packets between them. This has always been possible with tunnels in the
kernel, and isn't specific to wireguard. Therefore, the networking stack
already needs to deal with that. At the very least, the packet winds up
exceeding the MTU and is discarded at that point. So, since this is
already something that happens, there's no need to forbid the not very
exceptional case of routing a packet back to the same interface; this
loop is no different than others, and we shouldn't special case it, but
rather rely on generic handling of loops in general. This also makes it
easier to do interesting things with wireguard such as onion routing.
At the same time, we add a selftest for this, ensuring that both onion
routing works and infinite routing loops do not crash the kernel. We
also add a test case for wireguard interfaces nesting packets and
sending traffic between each other, as well as the loop in this case
too. We make sure to send some throughput-heavy traffic for this use
case, to stress out any possible recursion issues with the locks around
workqueues.

* send: cond_resched() when processing tx ringbuffers

Users with pathological hardware reported CPU stalls on CONFIG_
PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning
these workers would never terminate. That turned out not to be okay on
systems without forced preemption. This commit adds a cond_resched() to
the bottom of each loop iteration, so that these workers don't hog the
core. We don't do this on encryption/decryption because the compat
module here uses simd_relax, which already includes a call to schedule
in preempt_enable.

* selftests: initalize ipv6 members to NULL to squelch clang warning

This fixes a worthless warning from clang.

* send/receive: use explicit unlikely branch instead of implicit coalescing

Some code readibility cleanups.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
(cherry picked from commit 4f6343f)
(upstream commit : 81f3f6540e66e21be877b99e6524ff91bcea1805)

4 years agoodhcpd: fix PKG_SOURCE_DATE
Hans Dedecker [Thu, 7 May 2020 05:59:40 +0000 (07:59 +0200)]
odhcpd: fix PKG_SOURCE_DATE

Fixes: 5e8b50da15 (odhcpd : fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056))

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agoodhcpd: fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056)
Hans Dedecker [Wed, 6 May 2020 19:20:09 +0000 (21:20 +0200)]
odhcpd: fix lan host reachibility due to identical RIO and PIO prefixes (FS#3056)

49e4949 router: fix Lan host reachibility due to identical RIO and PIO prefixes (FS#3056)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
4 years agoustream-ssl: update to 19.07 Git HEAD
Jo-Philipp Wich [Wed, 6 May 2020 17:46:48 +0000 (19:46 +0200)]
ustream-ssl: update to 19.07 Git HEAD

40b563b ustream-openssl: clear error stack before SSL_read/SSL_write
30cebb4 ustream-ssl: mbedtls: fix ssl client verification
77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agouhttpd: update to 19.07 Git HEAD
Jo-Philipp Wich [Wed, 6 May 2020 17:42:11 +0000 (19:42 +0200)]
uhttpd: update to 19.07 Git HEAD

975dce2 client: allow keep-alive for POST requests
d062f85 file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4 years agofstools: update to the latest version
Rafał Miłecki [Wed, 6 May 2020 15:49:59 +0000 (17:49 +0200)]
fstools: update to the latest version

eec16e2 blockd: add optional "device" parameter to "info" ubus method
9ab936d block(d): always call hotplug.d "mount" scripts from blockd
4963db4 blockd: use uloop_process for calling /sbin/hotplug-call mount
cddd902 Truncate FAT filesystem label until 1st occurance of a blank (0x20)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit c3a43753b984657d1b65c666f776856cdf3af61d)

4 years agofstools: update to the latest version
Felix Fietkau [Thu, 9 Apr 2020 12:25:51 +0000 (14:25 +0200)]
fstools: update to the latest version

84965b92f635 blockd: print symlink error code and string message
62c578c22f9d blockd: report "target" path as "mount" for autofs available mounts
d1f1f2b38fa1 block: remove mount target file if it's a link
830441d790d6 blockd: remove symlink linkpath file if it's a dir or link
c80f7002114f libfstools/mtd: attempt to read from OOB data if empty space is found

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b7d6e80feea21aac80d5bd25dc3a0dd5b148fec9)

4 years agomac80211: Update to version 4.19.120
Hauke Mehrtens [Mon, 4 May 2020 20:39:52 +0000 (22:39 +0200)]
mac80211: Update to version 4.19.120

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
4 years agodante: Fix compile with glibc
Hauke Mehrtens [Sat, 18 Apr 2020 15:50:03 +0000 (17:50 +0200)]
dante: Fix compile with glibc

When compiled with glibc the config_scan.c wants to use the
cpupolicy2numeric() function which is only available when
HAVE_SCHED_SETSCHEDULER is set. It looks like the wrong define was used here.

This fixes a build problem with glibc in combination with the force
ac_cv_func_sched_setscheduler=no in the OpenWrt CONFIGURE_VARS.

This fixes the following compile error with glibc:
----------------------------------------------------------------------
/bin/ld: config_scan.o: in function `socks_yylex':
dante-1.4.1/sockd/config_scan.l:461: undefined reference to `cpupolicy2numeric'
collect2: error: ld returned 1 exit status
make[5]: *** [Makefile:522: sockd] Error 1

Fixes: aaf46a8fe23e ("dante: disable sched_getscheduler() - not implemented in musl")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ce1798e915181e6c1f3ba735b254b37b84261303)

4 years agoperf: build with NO_LIBCAP=1
Yangbo Lu [Tue, 14 Apr 2020 07:24:50 +0000 (15:24 +0800)]
perf: build with NO_LIBCAP=1

Build with NO_LIBCAP=1. This is to resolve build issue.

Package perf is missing dependencies for the following libraries:
libcap.so.2

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
(cherry picked from commit 80f128d2aa7586ce068bbc24badc46ffab2edd4a)

4 years agokernel: backport fix for non-regular inodes on f2fs
Matt Merhar [Sun, 19 Apr 2020 21:12:03 +0000 (17:12 -0400)]
kernel: backport fix for non-regular inodes on f2fs

Upstream commit dda9f4b9ca ("f2fs: fix to skip verifying block address
for non-regular inode").

On 4.14, attempting to perform operations on a non-regular inode
residing on an f2fs filesystem, such rm-ing a device node, would fail
and lead to a warning / call trace in dmesg. This fix was already
applied to other kernels upstream - including 4.19, from which the patch
was taken.

More info at https://bugzilla.kernel.org/show_bug.cgi?id=202495.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
(cherry picked from commit ee500186a5617dfe80f4b762fd6bd0c38af93d49)

4 years agoBump kernel to 4.14.179
RISCi_ATOM [Thu, 7 May 2020 18:13:46 +0000 (14:13 -0400)]
Bump kernel to 4.14.179

4 years agowpad-wolfssl: fix crypto_bignum_sub()
Antonio Quartulli [Tue, 28 Apr 2020 10:06:58 +0000 (12:06 +0200)]
wpad-wolfssl: fix crypto_bignum_sub()

Backport patch from hostapd.git master that fixes copy/paste error in
crypto_bignum_sub() in crypto_wolfssl.c.

This missing fix was discovered while testing SAE over a mesh interface.

With this fix applied and wolfssl >3.14.4 mesh+SAE works fine with
wpad-mesh-wolfssl.

Cc: Sean Parkinson <sean@wolfssl.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4b3b8ec81cd1965d0bd548fa31db491295b83354)

4 years agomac80211: backport fix for an no-ack tx status issue
Felix Fietkau [Sat, 18 Jan 2020 17:41:08 +0000 (18:41 +0100)]
mac80211: backport fix for an no-ack tx status issue

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit e0ab33ea496f371a0683b18d5555d651f8df1f5e)

4 years agohostapd: unconditionally enable ap/mesh for wpa-cli
Felix Fietkau [Tue, 28 Jan 2020 13:12:08 +0000 (14:12 +0100)]
hostapd: unconditionally enable ap/mesh for wpa-cli

Without this change, wpa-cli features depend on which wpad build variant was
used to build the wpa-cli package

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Jérôme Benoit <jerome.benoit@piment-noir.org> [WRT1900AC v1]
[added missing package version bump]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 03e9e4ba9ea8f00ff7c6f076f2cdc322e18cd3a4)

4 years agohostapd: cleanup IBSS-RSN
Daniel Golle [Thu, 16 Jan 2020 08:13:51 +0000 (10:13 +0200)]
hostapd: cleanup IBSS-RSN

set noscan also for IBSS and remove redundant/obsolete variable.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 702c70264b388c2b47e171843f297f43c71b86b9)

4 years agowireless-regdb: backport three upstream fixes
Petr Štetiar [Sat, 25 Apr 2020 12:56:20 +0000 (14:56 +0200)]
wireless-regdb: backport three upstream fixes

Another release is overdue for quite some time, so I'm backporting three
fixes from upstream which I plan to backport into 19.07 as well.

Ref: FS#2880
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 76a0ddf1308782a4da2693978955aee9cf631862)

4 years agocurl: backport fix for CVE-2019-15601
Petr Štetiar [Fri, 1 May 2020 08:12:11 +0000 (10:12 +0200)]
curl: backport fix for CVE-2019-15601

On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.

Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agowireguard: bump to 1.0.20200429
RISCi_ATOM [Thu, 30 Apr 2020 17:23:50 +0000 (13:23 -0400)]
wireguard: bump to 1.0.20200429

* compat: support latest suse 15.1 and 15.2
* compat: support RHEL 7.8's faulty siphash backport
* compat: error out if bc is missing
* compat: backport hsiphash_1u32 for tests

We now have improved support for RHEL 7.8, SUSE 15.[12], and Ubuntu 16.04.

* compat: include sch_generic.h header for skb_reset_tc

A fix for a compiler error on kernels with weird configs.

* compat: import latest fixes for ptr_ring
* compat: don't assume READ_ONCE barriers on old kernels
* compat: kvmalloc_array is not required anyway

ptr_ring.h from upstream was imported, with compat modifications, to our
compat layer, to receive the latest fixes.

* compat: prefix icmp[v6]_ndo_send with __compat

Some distros that backported icmp[v6]_ndo_send still try to build the compat
module in some corner case circumstances, resulting in errors.  Work around
this with the usual __compat games.

* compat: ip6_dst_lookup_flow was backported to 3.16.83
* compat: ip6_dst_lookup_flow was backported to 4.19.119

Greg and Ben backported the ip6_dst_lookup_flow patches to stable kernels,
causing breaking in our compat module, which these changes fix.

* git: add gitattributes so tarball doesn't have gitignore files

Distros won't need to clean this up manually now.

* crypto: do not export symbols

These don't do anything and only increased file size.

* queueing: cleanup ptr_ring in error path of packet_queue_init

Sultan Alsawaf reported a memory leak on an error path.

* main: mark as in-tree

Now that we're upstream, there's no need to set the taint flag.

* receive: use tunnel helpers for decapsulating ECN markings

ECN markings are now decapsulated using RFC6040 instead of the old RFC3168.

Upstream commit : f57230c4e6ee5af36d22bc0bef0bf7adc583c5b0

4 years agorelayd: bump to version 2020-04-25
Kevin Darbyshire-Bryant [Sat, 25 Apr 2020 09:27:22 +0000 (10:27 +0100)]
relayd: bump to version 2020-04-25

f4d759b dhcp.c: further improve validation

Further improve input validation for CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9e7d11f3e275d6f5d6b3edd7f0fa0440da43c45a)

4 years agoumdns: update to version 2020-04-25
Kevin Darbyshire-Bryant [Sat, 25 Apr 2020 09:30:08 +0000 (10:30 +0100)]
umdns: update to version 2020-04-25

cdac046 dns.c: fix input validation fix

Due to a slight foobar typo, failing to de-reference a pointer, previous
fix not quite as complete as it should have been.

Improve CVE-2020-11750 fix

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 9f7c8ed0786be97eda879e5f6681994e4de53d74)

4 years agodnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)
Henrique de Moraes Holschuh [Sun, 1 Mar 2020 03:08:43 +0000 (00:08 -0300)]
dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574)

Fix the test for an enabled sysntp initscript in dnsmasq.init, and get
rid of "test -o" while at it.

Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an
RTC-less ath79 router.  dnssec-no-timecheck would be clearly missing
from /var/etc/dnsmasq.conf.* while the router was still a few days in
the past due to non-working DNSSEC + DNS-based NTP server config.

The fix was tested with the router in the "DNSSEC broken state": it
properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp
was able to resolve the server name to an IP address, and set the system
time.  DNSSEC was then enabled by SIGINT through the ntp hotplug hook,
as expected.

A missing system.ntp.enabled UCI node is required for the bug to show
up.  The reasons for why it would be missing in the first place were not
investigated.

Signed-off-by: Henrique de Moraes Holschuh <henrique@nic.br>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
(cherry picked from commit 556b8581a15c855b2de0efbea6b625ab16cc9daf)

4 years agolibpcap: fix build breakage with very high number of simultaneous jobs
Petr Štetiar [Sat, 25 Apr 2020 11:59:19 +0000 (13:59 +0200)]
libpcap: fix build breakage with very high number of simultaneous jobs

Building libpcap with high number (64) of simultaneous jobs fails:

 In file included from ./fmtutils.c:42:0:
 ./ftmacros.h:106:0: warning: "_BSD_SOURCE" redefined
   #define _BSD_SOURCE

 <command-line>:0:0: note: this is the location of the previous definition
 ./gencode.c:67:10: fatal error: grammar.h: No such file or directory
  #include "grammar.h"
           ^~~~~~~~~~~
 compilation terminated.
 Makefile:99: recipe for target 'gencode_pic.o' failed

So fix this by less intrusive way by disabling the parallel builds for
this package.

Ref: FS#3010
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoChange AR71XX support to and link to Supported Hardware page
RISCi_ATOM [Mon, 27 Apr 2020 21:52:53 +0000 (17:52 -0400)]
Change AR71XX support to  and link to Supported Hardware page

4 years agoopenssl: bump to 1.1.1g
Petr Štetiar [Tue, 21 Apr 2020 20:51:20 +0000 (22:51 +0200)]
openssl: bump to 1.1.1g

Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.

Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3773ae127ac83766028f767ac744e87a7ddcaf50)

4 years agorelayd: bump to version 2020-04-20
Kevin Darbyshire-Bryant [Mon, 20 Apr 2020 08:08:20 +0000 (09:08 +0100)]
relayd: bump to version 2020-04-20

796da66 dhcp.c: improve input validation & length checks

Addresses CVE-2020-11752

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit be172e663f318ec364c13f795df025bbcce9ac18)

4 years agoumdns: update to version 2020-04-20
Kevin Darbyshire-Bryant [Mon, 20 Apr 2020 08:03:52 +0000 (09:03 +0100)]
umdns: update to version 2020-04-20

e74a3f9 dns.c: improve input validation

Addresses CVE-2020-11750

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 533da61ac63079f218a9946cd8e347b880c33dc0)

4 years agoumdns: update to the version 2020-04-05
Kevin Darbyshire-Bryant [Sun, 5 Apr 2020 08:14:43 +0000 (09:14 +0100)]
umdns: update to the version 2020-04-05

ab7a39a umdns: fix unused error
45c4953 dns: explicitly endian-convert all fields in header and question

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 22ae8bd50ef6d056b25a96ce6c77de0b0d53c1a1)
(cherry picked from commit 17c4593e63f5847868f2c38185275199d37d379a)

4 years agoumdns: suppress address-of-packed-member warning
Kevin Darbyshire-Bryant [Sat, 4 Apr 2020 08:20:08 +0000 (09:20 +0100)]
umdns: suppress address-of-packed-member warning

gcc 8 & 9 appear to be more picky with regards access alignment to
packed structures, leading to this warning in dns.c:

dns.c:261:2: error: converting a packed ‘struct dns_question’ pointer
(alignment 1) to a ‘uint16_t’ {aka ‘short unsigned int’} pointer
(alignment 2) may result in an unaligned pointer value
[-Werror=address-of-packed-member]

261 |  uint16_t *swap = (uint16_t *) q;

Work around what I think is a false positive by turning the warning off.
Not ideal, but not quite as not ideal as build failure.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 02640f014719a994e2e538b2cb6376a189cd39de)
(cherry picked from commit a10b6ec1c8cd6d14a3b76a2ec3d81442b85f7321)

4 years agobinutils: add ALTERNATIVES for strings (FS#3001)
Hans Dedecker [Sat, 18 Apr 2020 08:34:10 +0000 (10:34 +0200)]
binutils: add ALTERNATIVES for strings (FS#3001)

Don't move strings anymore to /bin/strings to avoid clash with
busybox /usr/bin/strings but move it to /usr/bin/binutils-strings.
Use ALTERNATIVES support to install it as /usr/bin/strings

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 5f126c541a743e2ff5d8f406128d477ab5a509b4)

4 years agombedtls: update to 2.16.6
Magnus Kroken [Thu, 16 Apr 2020 15:47:47 +0000 (17:47 +0200)]
mbedtls: update to 2.16.6

Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters

Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 02fcbe2f3d4eaf65e90bb167aa7818eacc08c633)

4 years agokernel: bump 4.14 to 4.14.176
RISCi_ATOM [Sat, 18 Apr 2020 20:38:06 +0000 (16:38 -0400)]
kernel: bump 4.14 to 4.14.176

Upstreamed:
- 600-ipv6-addrconf-call-ipv6_mc_up-for-non-Ethernet-inter.patch

Fixes:
- CVE-2020-8647
- CVE-2020-8648 (potentially)
- CVE-2020-8649

Upstream ref. : 0232f57e1af6580542c0ed1ce1d76c7cd4084613

4 years agombedtls: update to version 2.16.5
Josef Schlehofer [Sat, 22 Feb 2020 22:03:36 +0000 (23:03 +0100)]
mbedtls: update to version 2.16.5

Changelog:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 36af1967f5fcfc889594a8af0f92f873f445d249)

4 years agoopenssl: bump to 1.1.1f
Eneas U de Queiroz [Tue, 31 Mar 2020 20:51:45 +0000 (17:51 -0300)]
openssl: bump to 1.1.1f

There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
  newly generated RSA modules
- the patch reversing EOF detection we had already applied.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit af5ccfbac74b859801cf174460fb8dbf9ed9e181)

4 years agoFix README.md links
RISCi_ATOM [Fri, 3 Apr 2020 11:06:17 +0000 (07:06 -0400)]
Fix README.md links

4 years agoFix image links in docs/*
RISCi_ATOM [Fri, 3 Apr 2020 11:04:13 +0000 (07:04 -0400)]
Fix image links in docs/*

4 years agoBump tor to 0.4.2.7 v1.5.1 v1.5.1-20200401
RISCi_ATOM [Tue, 31 Mar 2020 20:17:57 +0000 (16:17 -0400)]
Bump tor to 0.4.2.7

Fixes CVE-2020-10592 and init scripts.

4 years agoBump libreCMC version to v1.5.1
RISCi_ATOM [Tue, 31 Mar 2020 05:29:23 +0000 (01:29 -0400)]
Bump libreCMC version to v1.5.1

4 years agoBump Wireguard to 1.0.20200330 / *-tools 1.0.20200319
RISCi_ATOM [Tue, 31 Mar 2020 03:46:47 +0000 (23:46 -0400)]
Bump Wireguard to 1.0.20200330 / *-tools 1.0.20200319

4 years agolibpcap: Update shared-lib patch from Debian to fix linking problems
Hauke Mehrtens [Fri, 20 Mar 2020 18:07:31 +0000 (19:07 +0100)]
libpcap: Update shared-lib patch from Debian to fix linking problems

This updates the shared-lib patch to the recent version from debian
found here:
https://salsa.debian.org/rfrancoise/libpcap/-/blob/debian/1.9.1-2/debian/patches/shared-lib.diff

This patch makes it include missing/strlcpy.o to the shared library
which is needed for OpenWrt glibc builds, otherwise there is an
undefined symbol and tcpdump and other builds are failing.

Fixes: 44f11353de04 ("libpcap: update to 1.9.1")
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
4 years agoreadline: needs host depend on ncurses to build
Jan Kardell [Fri, 20 Mar 2020 13:32:23 +0000 (14:32 +0100)]
readline: needs host depend on ncurses to build

We must ensure that host ncurses is build before host readline.

Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
(cherry picked from commit ecef29b29463e7549779e90739e61f8729ccaf09)

4 years agotools: squashfskit4: fix build with GCC10
Robert Marko [Thu, 19 Mar 2020 11:22:07 +0000 (12:22 +0100)]
tools: squashfskit4: fix build with GCC10

In order to build squashfskit with GCC10, this backport from upstream is needed.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
[increase PKG_RELEASE]
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit be4ed1db18e68cc57f03788b4529afbbf629411c)

4 years agosquashfskit4/Makefile: introduce PKG_RELEASE=1
Alexander Couzens [Sun, 22 Mar 2020 01:03:19 +0000 (02:03 +0100)]
squashfskit4/Makefile: introduce PKG_RELEASE=1

When adding patches, the PKG_RELEASE should be increased.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit 1f4020a293476d5e34461a655cb9f6540cefeea2)

4 years agobuild: prereq: tidy gcc version checks
Kevin Darbyshire-Bryant [Tue, 24 Mar 2020 11:05:27 +0000 (11:05 +0000)]
build: prereq: tidy gcc version checks

There is a restriction in the number of parameters(10)  that may be passed to
the SetupHostCommand macro so continually adding explicit gcc'n' version
checks ends up breaking the compiler check for the later versions and
oddballs like Darwin as was done in 835d1c68a0 which added gcc10.

Drop all the explicitly specified gcc version checks.  If a suitable gcc
compiler is not found, it may be specified at the dependency checking
stage after which that version will be symlinked into the build staging
host directory.

eg. 'CC=gccfoo CXX=g++foo make prereq'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Acked-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 1fb3c003d68d3feaf797e8b64edccc9fa622d250)

4 years agobuild: add GCC 10 version detection
Robert Marko [Wed, 18 Mar 2020 18:39:43 +0000 (19:39 +0100)]
build: add GCC 10 version detection

Lets add GCC 10 detection to the build system as distributions like Fedora 32 have started shipping with it.
Some tools like mtd-utils need work to compile under GCC10, but that will be next step.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit 835d1c68a0f036c8b0d837a48b5a05fdfb2e8218)

4 years agovpnc-script: enable reconnect
RISCi_ATOM [Mon, 30 Mar 2020 04:36:50 +0000 (00:36 -0400)]
vpnc-script: enable reconnect

Based upon upstream package feed commit : 80ab3fdc49f965782dcf667e727a7111942a9560

4 years agomac80211: Update to version 4.19.112
Hauke Mehrtens [Sat, 21 Mar 2020 19:24:00 +0000 (20:24 +0100)]
mac80211: Update to version 4.19.112

The removed patches are all integrated in the upstream version now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
4 years agoprocd: turn error into debug message for missing ujail binary
Petr Štetiar [Sat, 28 Mar 2020 12:42:05 +0000 (13:42 +0100)]
procd: turn error into debug message for missing ujail binary

Since commit 557f11b3a20f ("instance: provide error feedback if ujail
binary is missing") worrying log spam of the form "unable to find
/sbin/jail ..." may be encountered.

This corresponds with the changes done in the upstream commit
bcb86554f1b4 ("instance: add 'requirejail' attribute").

Ref: https://forum.openwrt.org/t/openwrt-19-07-2-service-release/57066
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agodnsmasq: add 'scriptarp' option
Jordan Sokolic [Thu, 19 Mar 2020 12:23:22 +0000 (14:23 +0200)]
dnsmasq: add 'scriptarp' option

Add option 'scriptarp' to uci dnsmasq config to enable --script-arp functions.
The default setting is false, meaning any scripts in `/etc/hotplug.d/neigh` intended
to be triggered by `/usr/lib/dnsmasq/dhcp-script.sh` will fail to execute.

Also enable --script-arp if has_handlers returns true.

Signed-off-by: Jordan Sokolic <oofnik@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [PKG_RELEASE increase]
4 years agoopenssl: revert EOF detection change in 1.1.1
Eneas U de Queiroz [Fri, 27 Mar 2020 02:20:08 +0000 (23:20 -0300)]
openssl: revert EOF detection change in 1.1.1

This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e.  It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443

Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read().  Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0.  The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct.  Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.

The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2e8a4db9b6b942e3180afda0dc0fd8ac506527f1)

4 years agoopenssl: update to 1.1.1e
Eneas U de Queiroz [Thu, 19 Mar 2020 19:12:15 +0000 (16:12 -0300)]
openssl: update to 1.1.1e

This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit dcef8d6093cd54aa990a5ae0099a16e88a18dfbd)

4 years agowireguard: bump to 0.0.20200318
Jason A. Donenfeld [Sat, 21 Mar 2020 02:12:53 +0000 (20:12 -0600)]
wireguard: bump to 0.0.20200318

WireGuard had a brief professional security audit. The auditors didn't find
any vulnerabilities, but they did suggest one defense-in-depth suggestion to
protect against potential API misuse down the road, mentioned below. This
compat snapshot corresponds with the patches I just pushed to Dave for
5.6-rc7.

* curve25519-x86_64: avoid use of r12

This buys us 100 extra cycles, which isn't much, but it winds up being even
faster on PaX kernels, which use r12 as a RAP register.

* wireguard: queueing: account for skb->protocol==0

This is the defense-in-depth change. We deal with skb->protocol==0 just fine,
but the advice to deal explicitly with it seems like a good idea.

* receive: remove dead code from default packet type case

A default case of a particular switch statement should never be hit, so
instead of printing a pretty debug message there, we full-on WARN(), so that
we get bug reports.

* noise: error out precomputed DH during handshake rather than config

All peer keys will now be addable, even if they're low order. However, no
handshake messages will be produced successfully. This is a more consistent
behavior with other low order keys, where the handshake just won't complete if
they're being used anywhere.

* send: use normaler alignment formula from upstream

We're trying to keep a minimal delta with upstream for the compat backport.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
4 years agokernel: backport out-of-memory fix for non-Ethernet devices
Rafał Miłecki [Wed, 11 Mar 2020 07:39:29 +0000 (08:39 +0100)]
kernel: backport out-of-memory fix for non-Ethernet devices

Doing up & down on non-Ethernet devices (e.g. monitor mode interface)
was consuming memory.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit ec8e8e2ef0826d82b4dfbd567a073b31dc27b764)

4 years agoBump kernel to 4.14.174
RISCi_ATOM [Mon, 16 Mar 2020 20:56:24 +0000 (16:56 -0400)]
Bump kernel to 4.14.174

4 years agohostapd: remove erroneous $(space) redefinition
Jo-Philipp Wich [Sat, 8 Feb 2020 10:34:41 +0000 (11:34 +0100)]
hostapd: remove erroneous $(space) redefinition

The $(space) definition in the hostapd Makefile ceased to work with
GNU Make 4.3 and later, leading to syntax errors in the generated
Kconfig files.

Drop the superfluous redefinition and reuse the working $(space)
declaration from rules.mk to fix this issue.

Fixes: GH#2713
Ref: https://github.com/openwrt/openwrt/pull/2713#issuecomment-583722469
Reported-by: Karel Kočí <cynerd@email.cz>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Tested-by: Shaleen Jain <shaleen@jain.sh>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 766e778226f5d4c6ec49ce22b101a5dbd4306644)

4 years agoath79: add gpio4 pinmux on TL-WR841N/ND v8, WR842N v2, MR3420 v2
Adrian Schmutzler [Thu, 30 Jan 2020 13:59:25 +0000 (14:59 +0100)]
ath79: add gpio4 pinmux on TL-WR841N/ND v8, WR842N v2, MR3420 v2

This adds a pinmux to the shared DTSI for TP-Link TL-WR841N/ND v8,
TL-WR842N v2 and TL-MR3420 v2. It is supposed to be the equivalent
of:

/* config gpio4 as normal gpio function */
ath79_gpio_output_select(TL_MR3420V2_GPIO_USB_POWER,AR934X_GPIO_OUT_GPIO);

This allows to enable USB power on these devices.

While at it, move the jtag_disable_pins to &gpio node and remove the
redundant status=okay there.

Tested on TP-Link TL-WR842N v2.

Fixes: FS#2753

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Armin Fuerst <armin@fuerst.priv.at>
[backport: change individual DTS files, no mr3420-v2 present]
(backported from commit 18c95c9d6ebea5cef1254ee917bff8aba993666d)

4 years agoath79: phy-ar7200-usb: adapt old behavior of arch/mips/ath79/dev-usb.c
Johann Neuhauser [Thu, 19 Dec 2019 12:07:17 +0000 (13:07 +0100)]
ath79: phy-ar7200-usb: adapt old behavior of arch/mips/ath79/dev-usb.c

[ Upstream commit 6cca6fffa06b1996f9bcc280f766e8ba4fa97d45 ]

Do not put usb-phy into reset if clearing the usb-phy reset or
setting the suspend_override has failed.

Reorder (de)asserts like in arch/mips/ath79/dev-usb.c.

Add an optional reset_control "usb-phy-analog", which is needed for
ar934x SoCs like in the old mach-driver arch/mips/ath79/dev-usb.c.

Tested-By: Lech Perczak <lech.perczak@gmail.com> [TL-WDR4300]
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
[added reference to upstream commit, Tested-by]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
4 years agoath79: ar934x: use reset for usb-phy-analog
Johann Neuhauser [Thu, 19 Dec 2019 12:11:26 +0000 (13:11 +0100)]
ath79: ar934x: use reset for usb-phy-analog

This was already available on ar71xx, but is missing on ath79.
This solves the slow usb speed on TP-Link WDR3600/WDR4300 and similar,
as reported in Flyspray [0], OpenWRT Forum [1] and GitHub PR [2].

[0] https://bugs.openwrt.org/index.php?do=details&task_id=2567
[1] https://forum.openwrt.org/t/usb-wdr4300-low-speed-on-external-storage/46794
[2] https://github.com/openwrt/openwrt/pull/964

Tested-By: Lech Perczak <lech.perczak@gmail.com> [TL-WDR4300]
Signed-off-by: Johann Neuhauser <johann@it-neuhauser.de>
(cherry picked from commit bda6b6144dbe3e12d128b500821799ef472de4cb)

4 years agouhttpd: update to latest Git HEAD
Jo-Philipp Wich [Wed, 12 Feb 2020 17:00:42 +0000 (18:00 +0100)]
uhttpd: update to latest Git HEAD

2ee323c file: poke ustream after starting deferred program

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 04069fde19e86af7728111814afadf780bf08018)

4 years agoBump kernel to 4.14.171 and refresh patches
RISCi_ATOM [Thu, 27 Feb 2020 21:28:18 +0000 (16:28 -0500)]
Bump kernel to 4.14.171 and refresh patches

4 years agoppp: backport security fixes
Petr Štetiar [Thu, 20 Feb 2020 08:03:54 +0000 (09:03 +0100)]
ppp: backport security fixes

8d45443bb5c9 pppd: Ignore received EAP messages when not doing EAP
8d7970b8f3db pppd: Fix bounds check in EAP code
858976b1fc31 radius: Prevent buffer overflow in rc_mksid()

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 215598fd03899c19a9cd26266221269dd5ec8cee)

4 years agoBump Wireguard to 0.0.20200215
RISCi_ATOM [Sat, 15 Feb 2020 13:54:24 +0000 (08:54 -0500)]
Bump Wireguard to 0.0.20200215