aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* iptables: backport missing init_extensions6() callsEtienne Champetier2022-03-132-1/+69
| | | | | | | This fixes ip6tables-nft no being able to use built-in extensions like icmp6. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* ipset: add backport patch for IPv6 nftables ipset-translationFlorian Eckert2022-03-132-1/+83
| | | | | | | | | | | | | | When porting mwan3 from iptables to nftables I tried the new translation tool for ipset ipset-translate. I noticed that no IPv6 ipset can be created with the tool. I have reported the problem to the upstream project and the following patch fixes the problem. Until this upsream is included in a new release, this patch should be used in Openwrt. https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* base-files: call "sync" after initial setupRafał Miłecki2022-03-121-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | OpenWrt uses a lot of (b)ash scripts for initial setup. This isn't the best solution as they almost never consider syncing files / data. Still this is what we have and we need to try living with it. Without proper syncing OpenWrt can easily get into an inconsistent state on power cut. It's because: 1. Actual (flash) inode and data writes are not synchronized 2. Data writeback can take up to 30 seconds (dirty_expire_centisecs) 3. ubifs adds extra 5 seconds (dirty_writeback_centisecs) "delay" Some possible cases (examples) for new files: 1. Power cut during 5 seconds after write() can result in all data loss 2. Power cut happening between 5 and 35 seconds after write() can result in empty file (inode flushed after 5 seconds, data flush queued) Above affects e.g. uci-defaults. After executing some migration script it may get deleted (whited out) without generated data getting actually written. Power cut will result in missing data and deleted file. There are three ways of dealing with that: 1. Rewriting all user-space init to proper C with syncs 2. Trying bash hacks (like creating tmp files & moving them) 3. Adding sync and hoping for no power cut during critical section This change introduces the last solution that is the simplest. It reduces time during which things may go wrong from ~35 seconds to probably less than a second. Of course it applies only to IO operations performed before /etc/init.d/boot . It's probably the stage when the most new files get created. All later changes are usually done using smarter C apps (e.g. busybox or uci) that creates tmp files and uses rename() that is expected to be atomic. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> Acked-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
* uqmi: update to git HEADDaniel Golle2022-03-121-3/+3
| | | | | | 44dd095 uqmi: corrected too short received SMS Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uqmi: set CID during 'query-data-status' operationLech Perczak2022-03-121-2/+2
| | | | | | | | | | | | | Modems used in ZTE mobile broadband routers require to query the data session status using the same CID as one used to establish the session, otherwise they will report the session as "disconnected" despite reporting correct PDH in previous step. Without this change, IPv6 connection on these modems doesn't establish properly. In IPv4 this bug is present as well, but for some reason querying of IPv4 status works using temporary CID, this however seems noncompliant with QMI specifications, so fix it as well. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* uboot-bcm4908: add package with BCM4908 U-BootRafał Miłecki2022-03-114-0/+181
| | | | | | | New BCM4908 devices come with U-Boot instead of CFE. Firmwares for such devices has to include U-Boot. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* iptables: add iptables-mod-socketYousong Zhou2022-03-101-4/+15
| | | | | | | | | Previously libxt_socket.so was included in iptables-mod-tproxy. It was missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy separate packages Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy") Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* uboot-envtools: add support for I-O DATA BSH-G24MBINAGAKI Hiroshi2022-03-071-0/+8
| | | | | | | This patch adds the device-specific configuration to u-boot-envtools for I-O DATA BSH-G24MB switch. Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
* nftables: update to version 1.0.2Josef Schlehofer2022-03-073-47/+32
| | | | | | | | | | | | | | | | | | | | | | | | | Changelog: https://lwn.net/ml/netdev/YhO5Pn+6+dgAgSd9@salvia/ Patches: removed: - 001-parser-allow-quoted-string-in-flowtable_expr_member: it is now part of upstream release [1] added: - 001-examples-compile-with-make-check.patch: backported from [2], it fixes: nft-json-file.c:3:10: fatal error: nftables/libnftables.h: No such file or directory 3 | #include <nftables/libnftables.h> | ^~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. [1] https://git.netfilter.org/nftables/commit/?h=v1.0.2&id=07af4429241c9832a613cb8620331ac54257d9df [2] https://git.netfilter.org/nftables/commit/?id=18a08fb7f0443f8bde83393bd6f69e23a04246b3 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* linux-firmware: Update to version 20220209Hauke Mehrtens2022-03-072-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | This switches the iwlwifi-firmware-ax200 file to API version 66, this is the most recent version supported by our driver. The following files used in OpenWrt changed: amdgpu-firmware/lib/firmware/amdgpu/yellow_carp_dmcub.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_010a.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_010b.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_0303.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_010a.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_010b.bin ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_0303.bin ar3k-firmware/lib/firmware/qca/rampatch_usb_00130200.bin ar3k-firmware/lib/firmware/qca/rampatch_usb_00130201.bin iwlwifi-firmware-ax200/lib/firmware/iwlwifi-cc-a0-66.ucode iwlwifi-firmware-ax210/lib/firmware/iwlwifi-ty-a0-gf-a0-66.ucode iwlwifi-firmware-ax210/lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm iwlwifi-firmware-iwl9000/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-46.ucode iwlwifi-firmware-iwl9260/lib/firmware/iwlwifi-9260-th-b0-jf-b0-46.ucode rtl8822ce-firmware/lib/firmware/rtw88/rtw8822c_fw.bin Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* bpf-headers: ship a modified version of stdarg.h from musl to fix ebpf build ↵Felix Fietkau2022-03-072-0/+22
| | | | | | on glibc Signed-off-by: Felix Fietkau <nbd@nbd.name>
* qosify: update to the latest versionFelix Fietkau2022-03-061-3/+3
| | | | | | | | | | | 3276aed81c73 move run_cmd() to main.c 558eabc13c64 map: move dns host based lookup code to a separate function 6ff06d66c36c dns: add code for snooping dns packets a78bd43c4a54 ubus: remove dnsmasq subscriber 9773ffa70f1f map: process dns patterns in the order in which they were defined f13b67c9a786 dns: allow limiting dns entry matching to cname name Signed-off-by: Felix Fietkau <nbd@nbd.name>
* iproute2: Remove libxtables from some tc variantsHauke Mehrtens2022-03-051-3/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds the new tc-bpf variant and removes libxtables dependency from the tc-tiny variant. The tc-full variant stays like before and contains everything. This allows to use tc without libxtables. The variants have the following sizes: root@OpenWrt:/# ls -al /usr/libexec/tc-* -rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf -rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full -rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny They are linking the following shared libraries: root@OpenWrt:/# ldd /usr/libexec/tc-tiny /lib/ld-musl-mips-sf.so.1 (0x77d6e000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000) root@OpenWrt:/# ldd /usr/libexec/tc-bpf /lib/ld-musl-mips-sf.so.1 (0x77da6000) libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000) libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000) libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000) root@OpenWrt:/# ldd /usr/libexec/tc-full /lib/ld-musl-mips-sf.so.1 (0x77de8000) libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000) libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000) libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000) libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000) libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000) libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000) This is based on a patch from Tiago Gaspar. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* uboot-envtools: mt7622: add support for Ruijie RG-EW3200GX PROLanghua Ye2022-03-051-0/+3
| | | | | | | | Add U-Boot environment settings for Ruijie RG-EW3200GX PRO to allow users to access the bootloader environment using fw_printenv/fw_setenv while running OpenWrt. Signed-off-by: Langhua Ye <y1248289414@outlook.com>
* libnetfilter-conntrack: backport patch fixing compilation with 5.15Ansuel Smith2022-03-052-1/+50
| | | | | | Backport patch fixing compilation with 5.15 and musl provided by Robert Marko Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
* util-linux: add lsnsOskari Rauta2022-03-051-0/+16
| | | | | | lsns lists system namespaces Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
* uboot-mvebu: backport patch to fix nvme detail crashJosef Schlehofer2022-03-051-0/+92
| | | | | | | | | | | | | | | | | | | | | Steps to reproduce: 1. Insert NVMe disk with a reduction to Turris Omnia 2. Go to U-boot 3. Run these two commands: a) ``nvme scan`` b) ``nvme detail`` 4. Wait for crash This is backported from U-boot upstream repository. It should be included in the upcoming release - 2022.04 [1]. It was tested on Turris Omnia, mvebu, cortex-a9, OpenWrt master. [1] https://patchwork.ozlabs.org/project/uboot/patch/20211209100639.21530-1-pali@kernel.org/ Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [Export the patch from U-Boot git] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* qosify: bump to git HEADStijn Tintel2022-03-042-4/+4
| | | | | | | | interface: disable autorate-ingress by default Also change the example config to reflect this. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* qosify: add PKG_RELEASEStijn Tintel2022-03-041-0/+1
| | | | | | | | | Without PKG_RELEASE, it's impossible to trigger package updates when changing files included in the package that are not in the qosify git repository. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Felix Fietkau <nbd@nbd.name>
* procd: remove support for mounting /tmp in zramRui Salvaterra2022-03-031-10/+1
| | | | | | | | | | | | | | | | | The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by anonymous memory, which means it can be swapped out at any time, if there is memory pressure [1]. For this reason, a zram swap device is a much better choice than mounting /tmp on zram, since it's able to compress all anonymous memory, and not just the memory assigned to /tmp. We already have the zram-swap package for this specific purpose, which means procd's tmp-on-zram is both redundant and more limited. A follow-up patch will remove support for mounting /tmp in zram from procd itself. [1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
* kernel: kmod-tcp-scalable: add scalable tcp congestion algorithmCatalin Toda2022-03-011-0/+18
| | | | Signed-off-by: Catalin Toda <catalinii@gmail.com>
* ipset: update to 7.15Florian Eckert2022-03-012-2/+14
| | | | | | | | | Update to the latest upstream version. In this version there is a new tool with which you can convert ipsets into nftables sets. Since we are now using nftables as default firewall, this could be a useful tool for porting ipsets to nftables sets. Signed-off-by: Florian Eckert <fe@dev.tdt.de>
* layerscape: use semantic versions for LSDKPaul Spooren2022-03-019-9/+9
| | | | | | PKG_VERSION should not contain the package name but the version only. Signed-off-by: Paul Spooren <mail@aparcar.org>
* iptables: bump PKG_RELEASEEtienne Champetier2022-02-281-1/+1
| | | | | | Following dependencies rework, bump PKG_RELEASE Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move libiptext* to their own packagesEtienne Champetier2022-02-282-20/+46
| | | | | | | | iptables-nft doesn't depend on libip{4,6}tc, so move libiptext* libs in their own packages to clean up dependencies Rename libxtables-nft to libiptext-nft Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: rename to ip(6)tables-legacy, add PROVIDESEtienne Champetier2022-02-281-8/+12
| | | | | | | | Using PROVIDES allows to have other packages continue to depend on iptables and users to pick between legacy and nft version. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: move IPTABLES_{CONNLABEL,NFTABLES} to libxtablesEtienne Champetier2022-02-281-15/+15
| | | | | | Those 2 configs are not specific to iptables(-legacy) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: make mod depend on libxtablesEtienne Champetier2022-02-281-4/+3
| | | | | | | | | 'iptables-mod-' can be used directly by firewall3, by iptables and by iptables-nft. They are not linked to iptables but to libxtables, so fix the dependencies to allow to remove iptables(-legacy) Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* iptables: fix libnftnl/IPTABLES_NFTABLES dependencyEtienne Champetier2022-02-281-5/+3
| | | | | | | | | libxtables doesn't depend on libnftnl, iptables-nft does, so move the dependency to not pull libnftnl with firewall3/iptables-legacy Also libxtables-nft depends on IPTABLES_NFTABLES Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
* ubus: bump to git HEADStijn Tintel2022-02-281-3/+3
| | | | | | | | 66baa44 libubus: introduce new status messages b3cd5ab cli: use UBUS_STATUS_PARSE_ERROR 584f56a cli: improve error logging for call command Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* netfilter: add kmod-nft-tproxyYousong Zhou2022-02-281-0/+11
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: add kmod-nft-socketYousong Zhou2022-02-281-0/+11
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxyYousong Zhou2022-02-281-1/+38
| | | | Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* uboot-envtools: ath79: add support for ALFA Network Tube-2HQPiotr Dymacz2022-02-271-0/+1
| | | | Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
* firmware: intel-microcode: update to 20220207Christian Lamparter2022-02-261-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Debians' changelog by Henrique de Moraes Holschuh <hmh@debian.org>: * upstream changelog: new upstream datafile 20220207 * Mitigates (*only* when loaded from UEFI firmware through the FIT) CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through debug port, on Pentium, Celeron and Atom processors with signatures 0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145 * Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint may cause a system hang, on many processors. * Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due to improper sanitization of shared resources (fast-store forward predictor), on many processors. * Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some Atom Processors may allow information disclosure or denial of service via network access. * Fixes critical errata (functional issues) on many processors * Adds a MSR switch to enable RAPL filtering (default off, once enabled it can only be disabled by poweroff or reboot). Useful to protect SGX and other threads from side-channel info leak. Improves the mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many processors. * Disables TSX in more processor models. * Fixes issue with WBINDV on multi-socket (server) systems which could cause resets and unpredictable system behavior. * Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket Lake) processors, to control a fix for (hopefully rare) unpredictable processor behavior when HyperThreading is enabled. This MSR switch is enabled by default on *server* processors. On other processors, it needs to be explicitly enabled by an updated UEFI/BIOS (with added configuration logic). An updated operating system kernel might also be able to enable it. When enabled, this fix can impact performance. * Updated Microcodes: sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912 sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552 sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472 sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816 sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008 sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840 sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864 sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672 sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672 sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648 sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552 sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408 sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384 sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544 sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264 sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840 sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752 sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776 sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592 sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816 sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568 sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256 sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376 sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448 sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448 sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424 sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448 sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448 sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480 sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480 sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496 sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400 sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448 sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424 sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424 sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184 sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208 sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208 sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208 sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184 sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400 * Removed Microcodes: sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048 * update .gitignore and debian/.gitignore. Add some missing items from .gitignore and debian/.gitignore. * ucode-blacklist: do not late-load 0x406e3 and 0x506e3. When the BIOS microcode is older than revision 0x7f (and perhaps in some other cases as well), the latest microcode updates for 0x406e3 and 0x506e3 must be applied using the early update method. Otherwise, the system might hang. Also: there must not be any other intermediate microcode update attempts [other than the one done by the BIOS itself], either. It must go from the BIOS microcode update directly to the latest microcode update. * source: update symlinks to reflect id of the latest release, 20220207 Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* iucode-tool: fix host-compile on macos and non-x86 linuxSergey V. Lobanov2022-02-262-1/+45
| | | | | | | | | | | | | | | | | | | | | | | iucode-tool/host is used by intel-microcode to manipulate with microcode.bin file. iucode-tool requires cpuid.h at compile time for autodection feature, but non-x86 build hosts does not have this header file (e.g. ubuntu 20.04 aarch64) or this header generates compile time error (#error macro) (e.g. macos arm64). This patch provides compat cpuid.h to build iucode-tool/host on non-x86 linux hosts and macos. CPU autodectection is not required for intel-microcode package build so compat cpuid.h is ok for OpenWrt purposes. glibc and argp lib are not present in macos so iucode-tool/host build fails. This patch adds argp-standalone/host as build dependency if host os is macos. Generated ucode (intel-microcode package) is exactly the same on Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and Darwin arm64 (MacOS 11.6) build hosts. Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* argp-standalone: add host-compile abilitySergey V. Lobanov2022-02-261-1/+12
| | | | | | | | | This patch adds host-compile ability to argp-standalone for build hosts without glibc and argp lib, e.g. MacOS. iucode-tool/host can not be built on MacOS due to lack of argp. Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* mbedtls: update to 2.28.0 LTS branchLucian Cristian2022-02-262-24/+28
| | | | | | | | | | | | | | | | | | | | | | | | <https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0> "Mbed TLS 2.28 is a long-time support branch. It will be supported with bug-fixes and security fixes until end of 2024." <https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md> "Currently, the only supported LTS branch is: mbedtls-2.28. For a short time we also have the previous LTS, which has recently ended its support period, mbedtls-2.16. This branch will move into the archive namespace around the time of the next release." this will also add support for uacme ualpn support. size changes 221586 libmbedtls12_2.28.0-1_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com> (remark about 2.16's EOS, slightly reworded) Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* ath79: support ZTE MF286A/RLech Perczak2022-02-261-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ZTE MF286A and MF286R are indoor LTE category 6/7 CPE router with simultaneous dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit Ethernet switch, FXS and external USB 2.0 port. Hardware highlights: - CPU: QCA9563 SoC at 775MHz, - RAM: 128MB DDR2, - NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only, - NAND Flash: W25N01GV 128MB SPI NAND-Flash, for all other data, - Wi-Fi 5GHz: QCA9886 2x2 MIMO 802.11ac Wave2 radio, - WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio, - Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port, - WWAN: [MF286A] MDM9230-based category 6 internal LTE modem [MF286R] PXA1826-based category 7 internal LTE modem in extended mini-PCIE form factor, with 3 internal antennas and 2 external antenna connections, single mini-SIM slot. - FXS: one external ATA port (handled entirely by modem part) with two physical connections in parallel, - USB: Single external USB 2.0 port, - Switches: power switch, WPS, Wi-Fi and reset buttons, - LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery, Signal state) handled entirely by modem. 4 link status LEDs handled by the switch on the backside. - Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and monitoring handled by modem. - Label MAC device: eth0 The device shares many components with previous model, MF286, differing mostly by a Wave2 5GHz radio, flash layout and internal LED color. In case of MF286A, the modem is the same as in MF286. MF286R uses a different modem based on Marvell PXA1826 chip. Internal modem of MF286A is supported via uqmi, MF286R modem isn't fully supported, but it is expected to use comgt-ncm for connection, as it uses standard 3GPP AT commands for connection establishment. Console connection: connector X2 is the console port, with the following pinout, starting from pin 1, which is the topmost pin when the board is upright: - VCC (3.3V). Do not use unless you need to source power for the converer from it. - TX - RX - GND Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1. Installation: Due to different flash layout from stock firmware, sysupgrade from within stock firmware is impossible, despite it's based on QSDK which itself is based on OpenWrt. STEP 0: Stock firmware update: As installing OpenWrt cuts you off from official firmware updates for the modem part, it is recommended to update the stock firmware to latest version before installation, to have built-in modem at the latest firmware version. STEP 1: gaining root shell: Method 1: This works if busybox has telnetd compiled in the binary. If this does not work, try method 2. Using well-known exploit to start telnetd on your router - works only if Busybox on stock firmware has telnetd included: - Open stock firmware web interface - Navigate to "URL filtering" section by going to "Advanced settings", then "Firewall" and finally "URL filter". - Add an entry ending with "&&telnetd&&", for example "http://hostname/&&telnetd&&". - telnetd will immediately listen on port 4719. - After connecting to telnetd use "admin/admin" as credentials. Method 2: This works if busybox does not have telnetd compiled in. Notably, this is the case in DNA.fi firmware. If this does not work, try method 3. - Set IP of your computer to 192.168.0.22. (or appropriate subnet if changed) - Have a TFTP server running at that address - Download MIPS build of busybox including telnetd, for example from: https://busybox.net/downloads/binaries/1.21.1/busybox-mips and put it in it's root directory. Rename it as "telnetd". - As previously, login to router's web UI and navigate to "URL filtering" - Using "Inspect" feature, extend "maxlength" property of the input field named "addURLFilter", so it looks like this: <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332" class="required form-control"> - Stay on the page - do not navigate anywhere - Enter "http://aa&zte_debug.sh 192.168.0.22 telnetd" as a filter. - Save the settings. This will download the telnetd binary over tftp and execute it. You should be able to log in at port 23, using "admin/admin" as credentials. Method 3: If the above doesn't work, use the serial console - it exposes root shell directly without need for login. Some stock firmwares, notably one from finnish DNA operator lack telnetd in their builds. STEP 2: Backing up original software: As the stock firmware may be customized by the carrier and is not officially available in the Internet, IT IS IMPERATIVE to back up the stock firmware, if you ever plan to returning to stock firmware. It is highly recommended to perform backup using both methods, to avoid hassle of reassembling firmware images in future, if a restore is needed. Method 1: after booting OpenWrt initramfs image via TFTP: PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION. - Dump stock firmware located on stock kernel and ubi partitions: ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin ssh root@192.168.1.1: cat /dev/mtd9 > mtd9_ubi.bin And keep them in a safe place, should a restore be needed in future. Method 2: using stock firmware: - Connect an external USB drive formatted with FAT or ext4 to the USB port. - The drive will be auto-mounted to /var/usb_disk - Check the flash layout of the device: cat /proc/mtd It should show the following: mtd0: 000a0000 00010000 "u-boot" mtd1: 00020000 00010000 "u-boot-env" mtd2: 00140000 00010000 "reserved1" mtd3: 000a0000 00020000 "fota-flag" mtd4: 00080000 00020000 "art" mtd5: 00080000 00020000 "mac" mtd6: 000c0000 00020000 "reserved2" mtd7: 00400000 00020000 "cfg-param" mtd8: 00400000 00020000 "log" mtd9: 000a0000 00020000 "oops" mtd10: 00500000 00020000 "reserved3" mtd11: 00800000 00020000 "web" mtd12: 00300000 00020000 "kernel" mtd13: 01a00000 00020000 "rootfs" mtd14: 01900000 00020000 "data" mtd15: 03200000 00020000 "fota" mtd16: 01d00000 00020000 "firmware" Differences might indicate that this is NOT a MF286A device but one of other variants. - Copy over all MTD partitions, for example by executing the following: for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do cat /dev/mtd$i > \ /var/usb_disk/mtd$i; done "Firmware" partition can be skipped, it is a concatenation of "kernel" and "rootfs". - If the count of MTD partitions is different, this might indicate that this is not a MF286A device, but one of its other variants. - (optionally) rename the files according to MTD partition names from /proc/mtd - Unmount the filesystem: umount /var/usb_disk; sync and then remove the drive. - Store the files in safe place if you ever plan to return to stock firmware. This is especially important, because stock firmware for this device is not available officially, and is usually customized by the mobile providers. STEP 3: Booting initramfs image: Method 1: using serial console (RECOMMENDED): - Have TFTP server running, exposing the OpenWrt initramfs image, and set your computer's IP address as 192.168.0.22. This is the default expected by U-boot. You may wish to change that, and alter later commands accordingly. - Connect the serial console if you haven't done so already, - Interrupt boot sequence by pressing any key in U-boot when prompted - Use the following commands to boot OpenWrt initramfs through TFTP: setenv serverip 192.168.0.22 setenv ipaddr 192.168.0.1 tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin bootm 0x81000000 (Replace server IP and router IP as needed). There is no emergency TFTP boot sequence triggered by buttons, contrary to MF283+. - When OpenWrt initramfs finishes booting, proceed to actual installation. Method 2: using initramfs image as temporary boot kernel This exploits the fact, that kernel and rootfs MTD devices are consecutive on NAND flash, so from within stock image, an initramfs can be written to this area and booted by U-boot on next reboot, because it uses "nboot" command which isn't limited by kernel partition size. - Download the initramfs-kernel.bin image - After backing up the previous MTD contents, write the images to the "firmware" MTD device, which conveniently concatenates "kernel" and "rootfs" partitions that can fit the initramfs image: nandwrite -p /dev/<firmware-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin - If write is OK, reboot the device, it will reboot to OpenWrt initramfs: reboot -f - After rebooting, SSH into the device and use sysupgrade to perform proper installation. Method 3: using built-in TFTP recovery (LAST RESORT): - With that method, ensure you have complete backup of system's NAND flash first. It involves deliberately erasing the kernel. - Download "-initramfs-kernel.bin" image for the device. - Prepare the recovery image by prepending 8MB of zeroes to the image, and name it root_uImage: dd if=/dev/zero of=padding.bin bs=8M count=1 cat padding.bin openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin > root_uImage - Set up a TFTP server at 192.0.0.1/8. Router will use random address from that range. - Put the previously generated "root_uImage" into TFTP server root directory. - Deliberately erase "kernel" partition" using stock firmware after taking backup. THIS IS POINT OF NO RETURN. - Restart the device. U-boot will attempt flashing the recovery initramfs image, which will let you perform actual installation using sysupgrade. This might take a considerable time, sometimes the router doesn't establish Ethernet link properly right after booting. Be patient. - After U-boot finishes flashing, the LEDs of switch ports will all light up. At this moment, perform power-on reset, and wait for OpenWrt initramfs to finish booting. Then proceed to actual installation. STEP 4: Actual installation: - Set your computer IP to 192.168.1.22/24 - scp the sysupgrade image to the device: scp openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin \ root@192.168.1.1:/tmp/ - ssh into the device and execute sysupgrade: sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin - Wait for router to reboot to full OpenWrt. STEP 5: WAN connection establishment Since the router is equipped with LTE modem as its main WAN interface, it might be useful to connect to the Internet right away after installation. To do so, please put the following entries in /etc/config/network, replacing the specific configuration entries with one needed for your ISP: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth '<auth>' # As required, usually 'none' option pincode '<pin>' # If required by SIM option apn '<apn>' # As required by ISP option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6' For example, the following works for most polish ISPs config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth 'none' option apn 'internet' option pdptype 'ipv4' The required minimum is: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' In this case, the modem will use last configured APN from stock firmware - this should work out of the box, unless your SIM requires PIN which can't be switched off. If you have build with LuCI, installing luci-proto-qmi helps with this task. Restoring the stock firmware: Preparation: If you took your backup using stock firmware, you will need to reassemble the partitions into images to be restored onto the flash. The layout might differ from ISP to ISP, this example is based on generic stock firmware The only partitions you really care about are "web", "kernel", and "rootfs". These are required to restore the stock firmware through factory TFTP recovery. Because kernel partition was enlarged, compared to stock firmware, the kernel and rootfs MTDs don't align anymore, and you need to carve out required data if you only have backup from stock FW: - Prepare kernel image cat mtd12_kernel.bin mtd13_rootfs.bin > owrt_kernel.bin truncate -s 4M owrt_kernel_restore.bin - Cut off first 1MB from rootfs dd if=mtd13_rootfs.bin of=owrt_rootfs.bin bs=1M skip=1 - Prepare image to write to "ubi" meta-partition: cat mtd6_reserved2.bi mtd7_cfg-param.bin mtd8_log.bin mtd9_oops.bin \ mtd10_reserved3.bin mtd11_web.bin owrt_rootfs.bin > \ owrt_ubi_ubi_restore.bin You can skip the "fota" partition altogether, it is used only for stock firmware update purposes and can be overwritten safely anyway. The same is true for "data" partition which on my device was found to be unused at all. Restoring mtd5_cfg-param.bin will restore the stock firmware configuration you had before. Method 1: Using initramfs: This method is recmmended if you took your backup from within OpenWrt initramfs, as the reassembly is not needed. - Boot to initramfs as in step 3: - Completely detach ubi0 partition using ubidetach /dev/ubi0_0 - Look up the kernel and ubi partitions in /proc/mtd - Copy over the stock kernel image using scp to /tmp - Erase kernel and restore stock kernel: (scp mtd4_kernel.bin root@192.168.1.1:/tmp/) mtd write <kernel_mtd> mtd4_kernel.bin rm mtd4_kernel.bin - Copy over the stock partition backups one-by-one using scp to /tmp, and restore them individually. Otherwise you might run out of space in tmpfs: (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin rm mtd3_ubiconcat0.bin (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin rm mtd5_ubiconcat1.bin - If the write was correct, force a device reboot with reboot -f Method 2: Using live OpenWrt system (NOT RECOMMENDED): - Prepare a USB flash drive contatining MTD backup files - Ensure you have kmod-usb-storage and filesystem driver installed for your drive - Mount your flash drive mkdir /tmp/usb mount /dev/sda1 /tmp/usb - Remount your UBI volume at /overlay to R/O mount -o remount,ro /overlay - Write back the kernel and ubi partitions from USB drive cd /tmp/usb mtd write mtd4_kernel.bin /dev/<kernel_mtd> mtd write mtd9_ubi.bin /dev/<kernel_ubi> - If everything went well, force a device reboot with reboot -f Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota" MTD partition which may be safely erased after reboot anyway. Method 3: using built-in TFTP recovery: This method is recommended if you took backups using stock firmware. - Assemble a recovery rootfs image from backup of stock partitions by concatenating "web", "kernel", "rootfs" images dumped from the device, as "root_uImage" - Use it in place of "root_uImage" recovery initramfs image as in the TFTP pre-installation method. Quirks and known issuesa - It was observed, that CH340-based USB-UART converters output garbage during U-boot phase of system boot. At least CP2102 is known to work properly. - Kernel partition size is increased to 4MB compared to stock 3MB, to accomodate future kernel updates - at this moment OpenWrt 5.10 kernel image is at 2.5MB which is dangerously close to the limit. This has no effect on booting the system - but keep that in mind when reassembling an image to restore stock firmware. - uqmi seems to be unable to change APN manually, so please use the one you used before in stock firmware first. If you need to change it, please use protocok '3g' to establish connection once, or use the following command to change APN (and optionally IP type) manually: echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0 - The only usable LED as a "system LED" is the blue debug LED hidden inside the case. All other LEDs are controlled by modem, on which the router part has some influence only on Wi-Fi LED. - Wi-Fi LED currently doesn't work while under OpenWrt, despite having correct GPIO mapping. All other LEDs are controlled by modem, including this one in stock firmware. GPIO19, mapped there only acts as a gate, while the actual signal source seems to be 5GHz Wi-Fi radio, however it seems it is not the LED exposed by ath10k as ath10k-phy0. - GPIO5 used for modem reset is a suicide switch, causing a hardware reset of whole board, not only the modem. It is attached to gpio-restart driver, to restart the modem on reboot as well, to ensure QMI connectivity after reboot, which tends to fail otherwise. - Modem, as in MF283+, exposes root shell over ADB - while not needed for OpenWrt operation at all - have fun lurking around. The same modem module is used as in older MF286. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* usbmode: update to version 2022-02-24Petr Štetiar2022-02-261-4/+4
| | | | | | * usbmode: add config #0 and delay before actual config Signed-off-by: Petr Štetiar <ynezz@true.cz>
* jsonfilter: update makefile urlVladislav Grigoryev2022-02-261-1/+1
| | | | | | Specify URL as PKG_SOURCE_URL in the jsonfilter Makefile. Signed-off-by: Vladislav Grigoryev <vg.aetera@gmail.com>
* mac80211: add #if guards against 5.4 compile failuresChristian Lamparter2022-02-253-8/+14
| | | | | | | | | | | | | | | | | Both struct net_device_path_ctx and struct net_device_path are not available in 5.4. This causes an build error on the bcm63xx target. |mac80211/driver-ops.h: In function 'drv_net_fill_forward_path': |driver-ops.h:1502:57: error: passing argument 4 of |'local->ops->net_fill_forward_path' from incompatible pointer type | [-Werror=incompatible-pointer-types] | 1502 | ctx, path); | | ^~~ | | | | | struct net_device_path_ctx * Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* kernel: package ramoops pstore-ram crash log storageHannu Nyman2022-02-242-0/+56
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Package the ability to log kernel crashes to 'ramoops' pstore files into RAM in /sys/fs/pstore Reference to the ramoops admin guide in upstream Linux: https://www.kernel.org/doc/html/v5.10/admin-guide/ramoops.html The files in RAM survive a warm reboot, but not a cold reboot. Note: kmod-ramoops selects kmod-pstore and kmod-reed-solomon. The feature can be used by selecting the kmod-ramoops and adding a ramoops reserved-memory definition to the device DTS. Example from R7800: reserved-memory { rsvd@5fe00000 { reg = <0x5fe00000 0x200000>; reusable; }; ramoops@42100000 { compatible = "ramoops"; reg = <0x42100000 0x40000>; record-size = <0x4000>; console-size = <0x4000>; ftrace-size = <0x4000>; pmsg-size = <0x4000>; }; }; If no definition has been made in DTS, no crash log is stored for the device. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (added CONFIG_EFI_VARS_PSTORE disable)
* x86: grub2: search for the "kernel" filesystem on all disksJax Jiang2022-02-241-4/+4
| | | | | | | | | | | | | | | | | | | Previously, grub2 was hardcoded to always look on "hd0" for the kernel. This works well when the system only had a single disk. But if there was a second disk/stick present, it may have look on the wrong drive because of enumeration races. This patch utilizes grub2 search function to look for a filesystem with the label "kernel". This works thanks to existing setup in scripts/gen_image_generic.sh. Which sets the "kernel" label on both the fat and ext4 filesystem variants. Signed-off-by: Jax Jiang <jax.jiang.007@gmail.com> Suggested-by: Alberto Bursi <bobafetthotmail@gmail.com> (MX100 WA) (word wrapped, slightly rewritten commit message, removed MX100 WA) Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* at91: add support for sama7g5-ek boardClaudiu Beznea2022-02-242-2/+16
| | | | | | | | | | | | | | | | | | | | | | Add support for SAMA7G5-EK board. Hardware: - SoC: SAMA7G5 - RAM: Aliance Memory AS4C256M16D3LC (4 Gbit DDR3L) - SD/MMC: 1 standard 4bit SD Card interface - USB: 1 Micro-AB host/device, 1 Type-A host, 1 Type-C host - CAN: 2 interfaces - Ethernet: 10/100 port, 1Gbps port - Wi-Fi/BT: 1 optional interface - Audio: 1 SPDIF RX port, 1 SPDIF TX port, 4 digital microphones - Camera: 1 RPi CSI camera interface - Debug: 1 J-Link-OB + CDC, 1 JTAG - LEDs: 1 RGB - Buttons: 4 push buttons - Expansions: 1 RPi Expansion connector, 2 mikroBUS connectors - Power management: 1 power management IC, 1 power consumption measurement device Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
* uboot-at91: update to linux4sam-2021.10Claudiu Beznea2022-02-243-63/+38
| | | | | | Update uboot-at91 to linux4sam-2021.10 version. Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
* at91bootstrap: update to v3.10.4, v4.0.1Claudiu Beznea2022-02-243-42/+22
| | | | | | | | | | AT91Bootstrap version 4 is available only for SAM9X60, SAMA5D2, SAMA5D3, SAMA5D4, SAMA7G5. Thus use v4.0.1 for the above targets and v3.10.4 for the rest of them. With the switch to v4 AT91Bootstrap binaries are now on build/binaries. Take also this into account. Also, patches directory is not needed anymore with the version update. Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
* base-file: remove password aging feature form /etc/shadowRucke Teg2022-02-241-1/+1
| | | | | | | | | | | | | | In the default shadow file, as visible in the failsafe mode, the user root has value of `0` set in the 3rd field, the date of last password change. This setting means that the password needs to be changed the next time the user will log in the system. `dropbear` server is ignoring this setting but `openssh-server` tries to enforce it and fails in the failsafe mode because the rootfs is R/O. Disable the password aging feature for user root by setting the 3rd filed empty. Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
* hostapd: SAE - Enable hunting-and-pecking and H2ENick Lowe2022-02-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | Enable both the hunting-and-pecking loop and hash-to-element mechanisms by default in OpenWRT with SAE. Commercial Wi-Fi solutions increasingly frequently now ship with both hunting-and-pecking and hash-to-element (H2E) enabled by default as this is more secure and more performant than offering hunting-and-pecking alone for H2E capable clients. The hunting and pecking loop mechanism is inherently fragile and prone to timing-based side channels in its design and is more computationally intensive to perform. Hash-to-element (H2E) is its long-term replacement to address these concerns. For clients that only support the hunting-and-pecking loop mechanism, this is still available to use by default. For clients that in addition support, or were to require, the hash-to-element (H2E) mechanism, this is then available for use. Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
* wolfssl: fix API breakage of SSL_get_verify_resultPetr Štetiar2022-02-221-0/+26
| | | | | | | | | | | | | | | | | | Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz>