Commit Graph

20888 Commits

Author SHA1 Message Date
Tianling Shen
294ae1013b kernel: netdevices: add QLogic FastLinQ Ethernet NIC device support
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-29 16:30:44 +08:00
Vieno Hakkerinen
f9e0e9d841 kernel: netdev: add qlcnic
Add driver for QLogic QLE8240 and QLE8242 Converged Ethernet devices.

Signed-off-by: Vieno Hakkerinen <vieno@hakkerinen.eu>
2023-05-29 16:27:08 +08:00
Tianling Shen
739fd7532f kernel: netdevices: add Intel Ethernet Network Adapter E810 support
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-29 16:25:23 +08:00
Paul Spooren
491b784141 build: generate index.json
The index.json file lies next to Packages index files and contains a
json dict with the package architecture and a dict of package names and
versions.

This can be used for downstream project to know what packages in which
versions are available.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 218ce40cd7)
2023-05-11 13:15:02 +02:00
Tianling Shen
32e60759e6
default-settings: add luci to dependency
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 650f5eacd4)
2023-05-10 23:34:06 +08:00
Paul Spooren
47a7e9ae6f
build: generate index.json
The index.json file lies next to Packages index files and contains a
json dict with the package architecture and a dict of package names and
versions.

This can be used for downstream project to know what packages in which
versions are available.

Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 218ce40cd7)
2023-05-10 10:32:14 +08:00
Nian Bohung
c694aa3326
linux-firmware: add firmware for intel ax200
Signed-off-by: Nian Bohung <n0404.n0404@gmail.com>
(cherry picked from commit 454ebdf1c9)
2023-05-04 13:40:41 +08:00
Tianling Shen
6114723dd1
ImmortalWrt v21.02.6: revert to branch defaults
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-01 14:42:56 +08:00
Tianling Shen
6fce758996
ImmortalWrt v21.02.6: adjust config defaults
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-01 14:42:53 +08:00
Tianling Shen
002f71defd
uboot-rockchip: add NanoPi R4SE support
Add support for the FriendlyARM NanoPi R4SE.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 133ee76af2)
2023-04-30 20:22:35 +08:00
Hauke Mehrtens
6a12ecbd6d OpenWrt v21.02.7: revert to branch defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-27 23:08:19 +02:00
Hauke Mehrtens
57a6d97ddf OpenWrt v21.02.7: adjust config defaults
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-27 23:08:10 +02:00
Tianling Shen
14f80a8449
default-settings-chn: add luci-i18n-base-zh-cn to dependencies
For firmware-selector.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-04-19 05:47:46 +08:00
Tianling Shen
738b1b7593
Merge Official Source
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-04-18 01:39:45 +08:00
Eneas U de Queiroz
f8282da11e
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-17 10:15:36 -03:00
Tianling Shen
1e8449591f
Merge Official Source
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-04-14 21:25:05 +08:00
Matthias Schiffer
e63b8443ab
uclient: update to Git version 2023-04-13
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 4f1c2e8dee)
2023-04-13 20:55:09 +02:00
Daniel Golle
f6a41570a5 OpenWrt v21.02.6: revert to branch defaults
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-09 23:38:42 +01:00
Daniel Golle
9f213a85e2 OpenWrt v21.02.6: adjust config defaults
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-09 23:38:36 +01:00
Tianling Shen
93e9ad63c9
ipq: build with automount by default
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-04-06 03:49:45 +08:00
Tianling Shen
6e74276e97
autocore: remove ethinfo for ipq boards
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-04-06 03:38:05 +08:00
Tianling Shen
116d3ccfd7
rockchip: fix supported device for firefly roc-rk3328-cc
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit bed2c6c773)
2023-04-04 20:06:16 +08:00
Tianling Shen
81b17ed8cc
uboot-rockchip: add ROC-RK3328-CC support
Add support for the Firefly ROC-RK3328-CC.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit d9a1c7a99a)
2023-04-04 18:51:59 +08:00
Szabolcs Hubai
9c081a938f
comgt: ncm: support Mikrotik R11e-LTE6 modem
The Mikrotik R11e-LTE6 modem is similar to ZTE MF286R modem, added
earlier: it has a Marvel chip, able to work in ACM+RNDIS mode, knows ZTE
specific commands, runs OpenWrt Barrier Breaker fork.
While the modem is able to offer IPv6 address, the RNDIS setup is unable
to complete if there is an IPv6 adress.

While it works in ACM+RNDIS mode, the user experience isn't as good as
with "proto 3g": the modem happily serves a local IP (192.168.1.xxx)
without internet access. Of course, if the modem has enough time
(for example at the second dialup), it will serve a public IP.

Modifing the DHCP Lease (to a short interval before connect and back to
default while finalizing) is a workaround to get a public IP at the
first try.

A safe workaround for this is to excercise an offline script of the
pingcheck program: simply restart (ifdown - ifup) the connection.

Another pitfall is that the modem writes a few messages at startup,
which confuses the manufacturer detection algorithm and got disabled.

    daemon.notice netifd: Interface 'mikrotik' is setting up now
    daemon.notice netifd: mikrotik (2366): Failed to parse message data
    daemon.notice netifd: mikrotik (2366): WARNING: Variable 'ok' does not exist or is not an array/object
    daemon.notice netifd: mikrotik (2366): Unsupported modem
    daemon.notice netifd: mikrotik (2426): Stopping network mikrotik
    daemon.notice netifd: mikrotik (2426): Failed to parse message data
    daemon.notice netifd: mikrotik (2426): WARNING: Variable '*simdetec:1,sim' does not exist or is not an array/object
    daemon.notice netifd: mikrotik (2426): Unsupported modem
    daemon.notice netifd: Interface 'mikrotik' is now down

A workaround for this is to use the "delay" option in the interface
configuration.

I want to thank Forum members dchard (in topic Adding support for
MikroTik hAP ac3 LTE6 kit (D53GR_5HacD2HnD)) [1]
and mrhaav (in topic OpenWrt X86_64 + Mikrotik R11e-LTE6) [2]
for sharing their experiments and works.
Another information page was found at eko.one.pl [3].

[1]: https://forum.openwrt.org/t/137555
[2]: https://forum.openwrt.org/t/151743
[3]: https://eko.one.pl/?p=modem-r11elte

Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
(cherry picked from commit dbd6ebd6d8)
2023-04-02 18:58:10 +08:00
Szabolcs Hubai
efd2313a5b
comgt: add quirk for Mikrotik modems based on Mikrotik R11e-LTE6
The MikroTik R11e-LTE6 modem goes into flight mode (CFUN=4) at startup
and the radio is off (*RADIOPOWER: 0):

    AT+RESET
    OK

    OK

    *SIMDETEC:2,NOS

    *SIMDETEC:1,SIM

    *ICCID: 8936500119010596302

    *EUICC: 1

    +MSTK: 11, D025....74F3

    *ADMINDATA: 0, 2, 0

    +CPIN: READY

    *EUICC: 1

    *ECCLIST: 5, 0, 112, 0, 000, 0, 08, 0, 118, 0, 911

    +CREG: 0

    $CREG: 0

    +CESQ: 99,99,255,255,255,255

    *CESQ: 99,99,255,255,255,255,0

    +CGREG: 0

    +CEREG: 0

    +CESQ: 99,99,255,255,255,255

    *CESQ: 99,99,255,255,255,255,0

    *RADIOPOWER: 0

    +MMSG: 0, 0

    +MMSG: 0, 0

    +MMSG: 1, 0

    +MPBK: 1

While the chat script is able to establish the PPP connection,
it's closed instantly by the modem: LCP terminated by peer.

    local2.info chat[7000]: send (ATD*99***1#^M)
    local2.info chat[7000]: expect (CONNECT)
    local2.info chat[7000]: ^M
    local2.info chat[7000]: ATD*99***1#^M^M
    local2.info chat[7000]: CONNECT
    local2.info chat[7000]:  -- got it
    local2.info chat[7000]: send ( ^M)
    daemon.info pppd[6997]: Serial connection established.
    kern.info kernel: [  453.659146] 3g-mikrotik: renamed from ppp0
    daemon.info pppd[6997]: Renamed interface ppp0 to 3g-mikrotik
    daemon.info pppd[6997]: Using interface 3g-mikrotik
    daemon.notice pppd[6997]: Connect: 3g-mikrotik <--> /dev/ttyACM0
    daemon.info pppd[6997]: LCP terminated by peer
    daemon.notice pppd[6997]: Connection terminated.
    daemon.notice pppd[6997]: Modem hangup
    daemon.info pppd[6997]: Exit.
    daemon.notice netifd: Interface 'mikrotik' is now down

Sending "AT+CFUN=1" to modem deactivates the flight mode and
solves the issue:

    daemon.notice netifd: Interface 'mikrotik' is setting up now
    daemon.notice netifd: mikrotik (7051): sending -> AT+CFUN=1
    daemon.notice pppd[7137]: pppd 2.4.9 started by root, uid 0
    local2.info chat[7140]: abort on (BUSY)
    local2.info chat[7140]: abort on (NO CARRIER)
    local2.info chat[7140]: abort on (ERROR)
    local2.info chat[7140]: report (CONNECT)
    local2.info chat[7140]: timeout set to 10 seconds
    local2.info chat[7140]: send (AT&F^M)
    local2.info chat[7140]: expect (OK)
    local2.info chat[7140]: ^M
    local2.info chat[7140]: +CESQ: 99,99,255,255,255,255^M
    local2.info chat[7140]: ^M
    local2.info chat[7140]: *CESQ: 99,99,255,255,255,255,0^M
    local2.info chat[7140]: AT&F^MAT&F^M^M
    local2.info chat[7140]: OK
    local2.info chat[7140]:  -- got it
    ...
    local2.info chat[7140]: send (ATD*99***1#^M)
    local2.info chat[7140]: expect (CONNECT)
    local2.info chat[7140]: ^M
    local2.info chat[7140]: ATD*99***1#^M^M
    local2.info chat[7140]: CONNECT
    local2.info chat[7140]:  -- got it
    local2.info chat[7140]: send ( ^M)
    daemon.info pppd[7137]: Serial connection established.
    kern.info kernel: [  463.094254] 3g-mikrotik: renamed from ppp0
    daemon.info pppd[7137]: Renamed interface ppp0 to 3g-mikrotik
    daemon.info pppd[7137]: Using interface 3g-mikrotik
    daemon.notice pppd[7137]: Connect: 3g-mikrotik <--> /dev/ttyACM0
    daemon.warn pppd[7137]: Could not determine remote IP address: defaulting to 10.64.64.64
    daemon.notice pppd[7137]: local  IP address 100.112.63.62
    daemon.notice pppd[7137]: remote IP address 10.64.64.64
    daemon.notice pppd[7137]: primary   DNS address 185.29.83.64
    daemon.notice pppd[7137]: secondary DNS address 185.62.131.64
    daemon.notice netifd: Network device '3g-mikrotik' link is up
    daemon.notice netifd: Interface 'mikrotik' is now up

To send this AT command to the modem the "runcommand.gcom" script
dependency is moved from comgt-ncm to comgt.
As the comgt-ncm package depends on comgt already, this change
is a NOOP from that point of view.
But from the modem's point it is a low hanging fruit as the modem
is usable with installing comgt and kmod-usb-ncm packages.

Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
(cherry picked from commit 91eca7b04f)
2023-04-02 18:58:05 +08:00
Mike Wilson
3efa783aa9
ncm: add error check and retry mechanism for gcom call
This patch solves the problem of receiving "error" responses when
initially calling gcom. This avoids unnecessary NO_DEVICE failures.

A retry loop retries the call after an "error" response within the
specified delay. A successful response will continue with the connection
immediately without waiting for max specified delay, bringing the
interface up sooner.

Signed-off-by: Mike Wilson <mikewse@hotmail.com>
(cherry picked from commit 8f27093ce7)
2023-04-02 18:58:01 +08:00
Jan-Niklas Burfeind
83b9155a3e
comgt-ncm: add support for quectel modem EC200T-EU
context_type is an integer mapping of pdptype:
1: IPV4
2: IPV6
3: IPV4V6

Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
(cherry picked from commit 13f82ce264)
2023-04-02 18:57:55 +08:00
Cezary Jackiewicz
77536f5c7d
comgt: support ZTE MF286R modem
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.

Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit e02fb42c53)
2023-04-02 18:57:52 +08:00
Tianling Shen
9773b2a49e
Revert "base-files: do not generate ULA prefix"
This reverts commit ee76f4feb2.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-04-02 15:56:15 +08:00
Felix Fietkau
509363ba58
mac80211, mt76: add fixes for recently discovered security issues
Fixes CVE-2022-47522

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d54c91bd9a)
(cherry picked from commit 4ae854d05568bc36a4df2cb6dd8fb023b5ef9944)
2023-04-02 02:07:16 +08:00
Felix Fietkau
32621086c3 mac80211, mt76: add fixes for recently discovered security issues
Fixes CVE-2022-47522

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit d54c91bd9a)
2023-03-30 12:24:52 +02:00
Tianling Shen
0e967b37fe
Merge Official Source
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-30 03:10:42 +08:00
Mathias Kresin
8e12360fcf lantiq: ltq-tapi: add kernel 5.10 compatiblity
Due to SCHED_FIFO being a broken scheduler model, all users of
sched_setscheduler() are converted to sched_set_fifo_low() upstream and
sched_setscheduler() is no longer exported.

The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 31f3f79700)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-03-29 16:31:21 +02:00
Mathias Kresin
3d93d2cea5 ltq-atm/ltq-ptm: add kernel 5.10 compatiblity
The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

The stuck queue is now passed to ndo_tx_timeout callback but not used so
far.

Signed-off-by: Mathias Kresin <dev@kresin.me>
(cherry picked from commit 804c541446)
[Add DECLARE_TASKLET handling for kernel 5.4.235 too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-03-27 18:42:28 +02:00
John Audia
a4f065a646 kernel: tcindex classifier has been retired
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sched?h=v5.4.235&id=7a6fb69bbcb21e9ce13bdf18c008c268874f0480

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit fbfec3286e)
2023-03-27 18:42:28 +02:00
Tianling Shen
d1e165884e
ImmortalWrt v21.02.5: revert to branch defaults
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-25 14:40:33 +08:00
Tianling Shen
7853a2498f
ImmortalWrt v21.02.5: adjust config defaults
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-25 14:40:33 +08:00
Mathias Kresin
da9ffd2add
lantiq: ltq-tapi: add kernel 5.10 compatiblity
Due to SCHED_FIFO being a broken scheduler model, all users of
sched_setscheduler() are converted to sched_set_fifo_low() upstream and
sched_setscheduler() is no longer exported.

The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

Signed-off-by: Mathias Kresin <dev@kresin.me>

ltq tapi

(cherry picked from commit 31f3f79700)
2023-03-16 15:58:57 +08:00
Tianling Shen
f167cd2979
ixgbe: fix missing Kconfig
Fixes: #907

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-16 14:47:08 +08:00
John Audia
25d01b26a1
kernel: tcindex classifier has been retired
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sched?h=linux-5.4.y&id=7a6fb69bbcb21e9ce13bdf18c008c268874f0480

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-16 14:35:04 +08:00
Tianling Shen
714401cbed
ltq-ptm: fix build with kernel 5.4
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-16 13:06:35 +08:00
Mathias Kresin
17daee647c
ltq-atm/ltq-ptm: add kernel 5.10 compatiblity
The callback handling of the tasklet API was redesigned and the macros
using the old syntax renamed to _OLD.

The stuck queue is now passed to ndo_tx_timeout callback but not used so
far.

Signed-off-by: Mathias Kresin <dev@kresin.me>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-15 21:13:52 +08:00
Tianling Shen
0982198339
igb: build for x86 only
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-15 21:02:57 +08:00
Tianling Shen
5c237602f0
iavf: add intel vendor driver
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-15 15:40:27 +08:00
Tianling Shen
34b2606570
ixgbe(vf): add intel vendor driver
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-15 15:14:56 +08:00
Tianling Shen
181f885645
i40e: download from sourceforge
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-15 14:49:19 +08:00
Tianling Shen
86d3a78e29
igb: Update to 5.13.16
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-15 14:37:03 +08:00
Tianling Shen
cd7ba71c76
mac80211: refresh vht patch
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit a589031152)
2023-03-11 15:39:00 +08:00
Felix Fietkau
84451d680c
hostapd: add missing return code for the bss_mgmt_enable ubus method
Fixes bogus errors on ubus calls

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit cf992ca862)
2023-03-09 11:00:47 +08:00
Tianling Shen
c35f7f23db
i40e: fix generate compat headers
Fixes: #896

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-06 13:10:39 +08:00
Leon M. Busch-George
ae4a8f858e
hostapd: always use sae_password for mesh/SAE auth
This patch fixes a corner case when using passwords that are exactly 64
characters in length with mesh mode or passwords longer than 63 characters
with SAE because 'psk' is used instead of 'sae_password'.
SAE is obligatory for 802.11s (mesh point).

The 'psk' option for hostapd is suited for WPA2 and enforces length
restrictions on passwords. Values of 64 characters are treated as PMKs.
With SAE, PMKs are always generated during the handshake and there are no
length restrictions.
The 'sae_password' option is more suited for SAE and should be used
instead.

Before this patch, the 'sae_password' option is only used with mesh mode
passwords that are not 64 characters long.
As a consequence:
- mesh passwords can't be 64 characters in length
- SAE only works with passwords with lengths >8 and <=63 (due to psk
  limitation).

Fix this by always using 'sae_password' with SAE/mesh and applying the PMK
differentiation only when PSK is used.

Fixes: #11324
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
[ improve commit description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit ae751535de)
2023-03-05 10:49:41 +08:00
Leon M. Busch-George
a0314a2020
hostapd: add quotes in assignments
It's generally advised to use quotes for variable assignments in bash.

Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
(cherry picked from commit 3c10c42ddd)
2023-03-05 10:49:00 +08:00
Christian Lamparter
23c86d44bc ca-certificates: fix python3-cryptography woes in certdata2pem.py
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.

|Traceback (most recent call last):
|  File "certdata2pem.py", line 125, in <module>
|    cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1

...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
|  File "/certdata2pem.py", line 31, in <module>
|    from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'

More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."

Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 25bc66eb40)
2023-03-04 13:09:12 +01:00
Christian Lamparter
f67f60b809 ca-certicficates: Update to version 20211016
Update the ca-certificates and ca-bundle package from version 20210119 to
version 20211016.

Debian change-log entry [1]:
|[...]
|[ Julien Cristau ]
|* mozilla/{certdata.txt,nssckbi.h}: Update Mozilla certificate authority
|    bundle to version 2.50
|    The following certificate authorities were added (+):
|    + "AC RAIZ FNMT-RCM SERVIDORES SEGUROS"
|    + "GlobalSign Root R46"
|    + "GlobalSign Root E46"
|    + "GLOBALTRUST 2020"
|    + "ANF Secure Server Root CA"
|    + "Certum EC-384 CA"
|    + "Certum Trusted Root CA"
|    The following certificate authorities were removed (-):
|    - "QuoVadis Root CA"
|    - "Sonera Class 2 Root CA"
|    - "GeoTrust Primary Certification Authority - G2"
|    - "VeriSign Universal Root Certification Authority"
|    - "Chambers of Commerce Root - 2008"
|    - "Global Chambersign Root - 2008"
|    - "Trustis FPS Root CA"
|    - "Staat der Nederlanden Root CA - G3"
|  * Blacklist expired root certificate "DST Root CA X3" (closes: #995432)
|[...]

[1] <https://metadata.ftp-master.debian.org/changelogs//main/c/ca-certificates/ca-certificates_20211016_changelog>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 7c99085bd6)
2023-03-04 13:09:12 +01:00
Tianling Shen
08281831be
i40e: bump to 2.22.18
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-01 12:59:11 +08:00
Tianling Shen
cc9a7cea38
ramips: jcg q20: add lzma-loader and pb-boot variants
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-03-01 08:28:22 +08:00
Tianling Shen
0d4c9bde61
mt76: backport fixes from coolsnowwolf
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-25 15:08:45 +08:00
Felix Fietkau
365c259b1d
mt76: update to the latest version
a03ef0aab93e wifi: mt76: mt7921: fix deadlock in mt7921_abort_roc
5b509e80384a wifi: mt76: dma: fix a regression in adding rx buffers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 274dfcb19e)
2023-02-25 15:08:45 +08:00
Felix Fietkau
a17a86ff20
mt76: update to the latest version
ec46d7486ab9 sync with upstream
2575de3aea33 wifi: mt76: mt7921: introduce chanctx support
473cebb3c3e1 wifi: mt76: fix bandwidth 80MHz link fail in 6GHz band
de3e77227f62 wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices
f0c191a9f6cd wifi: mt76: mt7996: add missing argument in mt7996_queue_rx_skb()
d3838a52df62 wifi: mt76: mt7996: enable use_cts_prot support
98492dff3bec wifi: mt76: mt7996: enable ack signal support
2a41e7a82f86 wifi: mt76: mt7996: add support to configure spatial reuse parameter set
194cb3392829 mt76: mt7915: add missing of_node_put()
f91d6f3b73ac wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
1ce4970d799f wifi: mt76: mt7915: fix mt7915_rate_txpower_get() resource leaks
379f3fc0fc43 wifi: mt76: mt7996: fix insecure data handling of mt7996_mcu_ie_countdown()
233c272f0f86 wifi: mt76: mt7996: fix insecure data handling of mt7996_mcu_rx_radar_detected()
5616c4cc1d5d wifi: mt76: mt7996: fix integer handling issue of mt7996_rf_regval_set()
f9598e6d4c2c wifi: mt76: mt7915: split mcu chan_mib array up
b252d94bd763 wifi: mt76: mt7915: check return value before accessing free_block_num
f1cc3696d725 wifi: mt76: mt7996: check return value before accessing free_block_num
b94ba58fa698 wifi: mt76: mt7915: check the correctness of event data
35843a1670c0 wifi: mt76: mt7915: drop always true condition of __mt7915_reg_addr()
01a256c1dc41 wifi: mt76: mt7996: drop always true condition of __mt7996_reg_addr()
5185bbab8953 wifi: mt76: mt7996: fix endianness warning in mt7996_mcu_sta_he_tlv
eeb6949c4d06 wifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power
063823aba978 wifi: mt76: mt7921: add support to update fw capability with MTFG table
a44109267e4e wifi: mt76: mt7996: fix unintended sign extension of mt7996_hw_queue_read()
be5dbb781068 wifi: mt76: mt7915: fix unintended sign extension of mt7915_hw_queue_read()
adf9042b6f63 wifi: mt76: fix coverity uninit_use_in_call in mt76_connac2_reverse_frag0_hdr_trans()
551201379efe wifi: mt76: move leds field in leds struct
14fbb6d6e85e wifi: mt76: move leds struct in mt76_phy
81edc468fc62 wifi: mt76: mt7915: enable per-phy led support
bbad827e447f wifi: mt76: mt7615: enable per-phy led support
8e7e7e52fc09 wifi: mt76: dma: do not increment queue head if mt76_dma_add_buf fails
95c66d651133 wifi: mt76: handle possible mt76_rx_token_consume failures
52d04463a66e wifi: mt76: dma: rely on queue page_frag_cache for wed rx queues
7fae1de12ae7 wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a75a798162)
2023-02-25 15:08:45 +08:00
Felix Fietkau
908e869689
mt76: update to version 2022-12-01
3deafbad7061 wifi: mt76: mt7915: fix uninitialized irq_mask
6ca31dc64da4 wifi: mt76: mt7921: introduce remain_on_channel support
7962005b0734 wifi: mt76: connac: rework macros for unified command
3b2882ca704e wifi: mt76: connac: update struct sta_rec_phy
c4d46cb1dd45 wifi: mt76: connac: rework fields for larger bandwidth support in sta_rec_bf
532c322fd72f wifi: mt76: connac: add more unified command IDs
4c43e060726b wifi: mt76: connac: introduce unified event table
4c423058920d wifi: mt76: connac: add more bss info command tags
143d7ab8ef92 wifi: mt76: connac: add more starec command tags
733ef9887b2c wifi: mt76: connac: introduce helper for mt7996 chipset
8e309b5560e1 wifi: mt76: mt7921: fix wrong power after multiple SAR set
d791ed1f5877 wifi: mt76: mt7915: add missing MODULE_PARM_DESC
3b8eed9c3866 wifi: mt76: mt7915: add support to configure spatial reuse parameter set
417cca39bab2 wifi: mt76: introduce rxwi and rx token utility routines
629f8631f54f wifi: mt76: add WED RX support to mt76_dma_{add,get}_buf
13c2dc8993b6 wifi: mt76: add WED RX support to mt76_dma_rx_fill
86e94f4162b7 wifi: mt76: add WED RX support to dma queue alloc
1361519851f3 wifi: mt76: add info parameter to rx_skb signature
a2e5e0667553 wifi: mt76: connac: introduce mt76_connac_mcu_sta_wed_update utility routine
f38faf294310 wifi: mt76: mt7915: enable WED RX support
a887a5feb3d1 wifi: mt76: mt7915: enable WED RX stats
4c23061ebcfc wifi: mt76: mt7915: add basedband Txpower info into debugfs
a9c88ded5cac wifi: mt76: mt7915: enable .sta_set_txpwr support
2c172bb6cd9f wifi: mt76: mt7915: fix band_idx usage
1b88dd07f153 linux-firmware: update firmware for MT7915
6196f6080506 linux-firmware: update firmware for MT7916
daae6ca5d81f linux-firmware: update firmware for MT7986
e7a9f7a0440c wifi: mt76: mt7915: fix unused-but-set warning
340f3be65397 wifi: mt76: fix coverity overrun-call in mt76_get_txpower()
aa7132da0326 wifi: mt76: mt7915: fix endianness of mt7915_mcu_set_obss_spr_pd()
a36017d09324 wifi: mt76: mt7921: Add missing __packed annotation of struct mt7921_clc
66dc48bea883 wifi: mt76: do not send firmware FW_FEATURE_NON_DL region
fa79eeeadc2d mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()
ff94604b2edd wifi: mt76: mt7915: introduce mt7915_get_power_bound()
5082a58f8082 wifi: mt76: mt7915: enable per bandwidth power limit support
a7b915302147 wifi: mt76: mt7915: fix scene detection flow of spatial reuse
525592c28d6b wifi: mt76: mt7915: rely on band_idx of mt76_phy
cdd7229e769b wifi: mt76: mt7915: mmio: fix naming convention

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b1b29ba987)
2023-02-25 15:08:45 +08:00
Shiji Yang
1f530a6e85
mt76: remove unnecessary dependency from mt7915e
The kmod-mt7615-common package does not contain any code that
related to mt7915e Wi-Fi6 driver, so remove it.

Tested on ramips/mt7621: SIM SIMAX1800T

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit 3410f010a2)
2023-02-25 15:08:45 +08:00
Andre Heider
2c5685d3eb
mt76: move the mt7921 firmware to its own package
It's not just required for the PCI version, but for USB and presumably
SDIO as well.

Tested with 0e8d:7961 Comfast CF-953AX (MT7921AU).

Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit 6f729163b1)
2023-02-25 15:08:41 +08:00
Lauro Moreno
3c4de29ee3
ipq806x: add support for Askey RT4230W REV6
This adds support for the Askey RT4230W REV6
(Branded by Spectrum/Charter as RAC2V1K)

At this time, there's no way to reinstall the stock firmware so don't install
this on a router that's being rented.

Specifications:

    Qualcomm IPQ8065
    1 GB of RAM (DDR3)
    512 MB Flash (NAND)
    2x Wave 2 WiFi cards (QCA9984)
    5x 10/100/1000 Mbps Ethernet (Switch: QCA8337)
    1x LED (Controlled by a microcontroller that switches it between red and
        blue with different patterns)
    1x USB 3.0 Type-A
    12V DC Power Input
    UART header on PCB - pinout from top to bottom is RX, TX, GND, 5V
    Port settings are 115200n8

More information: https://forum.openwrt.org/t/askey-rac2v1k-support/15830
https://deviwiki.com/wiki/Askey_RAC2V1K

To check what revision your router is, restore one of these config backups
through the stock firmware to get ssh access then run
"cat /proc/device-tree/model".
https://forum.openwrt.org/t/askey-rac2v1k-support/15830/17
The revision number on the board doesn't seem to be very consistent so that's
why this is needed. You can also run printenv in the uboot console and if
machid is set to 177d, that means your router is rev6.

Note: Don't install this if the router is being rented from an ISP. The defined
partition layout is different from the OEM one and even if you changed the
layout to match, backing up and restoring the OEM firmware breaks /overlay so
nothing will save and the router will likely enter a bootloop.

How to install:

Method 1: Install without opening the case using SSH and tftp

    You'll need:
    RAC2V1K-SSH.zip:
https://github.com/lmore377/openwrt-rt4230w/blob/master/RAC2V1K-SSH.zip
    initramfs and sysupgrade images

    Connect to one of the router's LAN ports

    Download the RAC2V1K-SSH.zip file and restore the config file that
corresponds to your router's firmware (If you're firmware is newer than what's
in the zip file, just restore the 1.1.16 file)

    After a reboot, you should be able to ssh into the router with username:
"4230w" and password: "linuxbox" or "admin". Run the following commannds
     fw_setenv ipaddr 10.42.0.10 #IP of router, can be anything as long as
it's in the same subnet as the server
     fw_setenv serverip 10.42.0.1# #IP of tftp server that's set up in next
steps
     fw_setenv bootdelay 8
     fw_setenv bootcmd "tftpboot initramfs.bin; bootm; bootipq"

    Don't reboot the router yet.

    Install and set up a tftp server on your computer

    Set a static ip on the ethernet interface of your computer (use this for
serverip in the above commands)

    Rename the initramfs image to initramfs.bin, and host it with the tftp
server

    Reboot the router. If you set up everything right, the router led should
switch over to a slow blue glow which means openwrt is booted. If for some
reason the file doesn't get loaded into ram properly, it should still boot to
the OEM firmware.
    After openwrt boots, ssh into it and run these commands:
    fw_setenv bootcmd "setenv mtdids nand0=nand0 && setenv mtdparts
 mtdparts=nand0:0x1A000000@0x2400000(firmware) && ubi part firmware && ubi
read 0x44000000 kernel 0x6e0000 && bootm"
    fw_setenv bootdelay 2

    After openwrt boots up, figure out a way to get the sysupgrade file onto it
(scp, custom build with usb kernel module included, wget, etc.) then flash it
with sysupgrade. After it finishes flashing, it should reboot, the light should
start flashing blue, then when the light starts "breathing" blue that means
openwrt is booted.

Method 2: Install with serial access (Do this if something fails and you can't
boot after using method 1)

    You'll need:
    initramfs and sysupgrade images
    Serial access:
https://openwrt.org/inbox/toh/askey/askey_rt4230w_rev6#opening_the_case

    Install and set up a tftp server

    Set a static ip on the ethernet interface of your computer

    Download the initramfs image, rename it to initramfs.bin, and host it with
the tftp server

    Connect the wan port of the router to your computer

    Interrupt U-Boot and run these commands:
    setenv serverip 10.42.0.1 (You can use whatever ip you set for the computer)
    setenv ipaddr 10.42.0.10 (Can be any ip as long as it's in the same subnet)
    setenv bootcmd "setenv mtdids nand0=nand0 &&
set mtdparts mtdparts=nand0:0x1A000000@0x2400000(firmware) && ubi part firmware
&& ubi read 0x44000000 kernel 0x6e0000 && bootm"

    saveenv
    tftpboot initramfs.bin
    bootm

    After openwrt boots up, figure out a way to get the sysupgrade file onto it
(scp, custom build with usb kernel module included, wget, etc.) then flash it
with sysupgrade. After it finishes flashing, it should reboot, the light should
start flashing blue, then when the light starts "breathing" blue that means
openwrt is booted.

Signed-off-by: Lauro Moreno <lmore377@gmail.com>
[add entry in 5.10 patch, fix whitespace issues]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit da8428d277)
2023-02-25 14:05:31 +08:00
Tianling Shen
891bf5b61d
netifd: fix auto-negotiate for out-of-tree ethernet drivers
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-24 14:45:03 +08:00
Tianling Shen
e252dd0177
Revert "r8125: bump to 9.011.00-1"
Fix 2.5 Gbps auto-negotiate.

This reverts commit 5657d4ffb0.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-24 14:03:38 +08:00
Tianling Shen
b4f56cda2b
default-settings: drop outdated banner hack
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-23 11:55:55 +08:00
Tianling Shen
14895598fb
mt76: refresh patches
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-19 11:52:13 +08:00
Hauke Mehrtens
8d995b3bd7 mac80211: Update to version 5.10.168-1
This update mac80211 to version 5.10.168-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-02-18 19:22:17 +01:00
John Audia
dbbf5c2a1d openssl: bump to 1.1.1t
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358)

The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 21.02, so it doesn't have to be removed.

Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
2023-02-18 16:16:44 +01:00
Tianling Shen
1da9099f0f
ImmortalWrt v21.02.4: revert to branch defaults
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-14 05:59:11 +08:00
Tianling Shen
b00741e92a
ImmortalWrt v21.02.4: adjust config defaults
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-14 05:59:07 +08:00
Hauke Mehrtens
058b685a70
mac80211: Update to version 5.15.92-1
This update mac80211 to version 5.15.92-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 863288b49d3d1466f22bcf6098e4635a5be98626)
2023-02-12 04:57:59 +08:00
John Audia
f8f56aa8c2
openssl: bump to 1.1.1t
Removed upstreamed patch: 010-padlock.patch

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-02-12 04:55:07 +08:00
David Bauer
44715a1df0
mac80211: use 802.11ax iw modes
This adds missing HE modes to mac80211_prepare_ht_modes.

Previously mesh without wpa_supplicant would be initialized with 802.11g
/NO-HT only, as this method did not parse channel bandwidth for HE
operation.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a63430eac3)
2023-01-28 22:29:54 +08:00
LGA1150
ee76f4feb2
base-files: do not generate ULA prefix
(cherry picked from commit 9f853eb850)
2023-01-28 22:19:04 +08:00
Tianling Shen
85a15a1093
default-settings: remove unused banner
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 17ec9eae8d)
2023-01-28 04:45:13 +08:00
Tianling Shen
751ef82118
mbedtls: make library shared again
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit f295e348cb)
2023-01-26 19:03:25 +08:00
Tianling Shen
5657d4ffb0
r8125: bump to 9.011.00-1
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit ad344210d9)
2023-01-18 17:30:08 +08:00
AmadeusGhost
c98e772ab7
r8125: update to version 9.010.01-2
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 731846cf82)
2023-01-18 17:29:57 +08:00
Nick Hainke
1bc1dab5e1
wolfssl: update to 5.5.4-stable
Remove upstreamed:
- 001-Fix-enable-devcrypto-build-error.patch

Refresh patch:
- 100-disable-hardening-check.patch

Release notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 04634b2d82)
(cherry picked from commit 77e2a24e6240778c7a0af848e3b8d852161da41f)
2023-01-09 15:03:20 +08:00
Shiji Yang
836b03aa23
ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.

Specifications:
 SOC:      MT7621 + MT7915
 ROM:      128 MiB
 RAM:      256 MiB
 LED:      status *2
 Button:   reset *1 + wps/mesh *1
 Ethernet:        lan *3 + wan *1 (10/100/1000Mbps)
 TTL Baudrate:    115200
 TFTP server IP:  192.168.124.99

MAC Address:
 use        address(sample 1)   address(sample 2)    source
 label      88:xx:xx:98:xx:12   88:xx:xx:a2:xx:a5   u-boot-env@ethaddr
 lan        88:xx:xx:98:xx:13   88:xx:xx:a2:xx:a6   $label +1
 wan        88:xx:xx:98:xx:12   88:xx:xx:a2:xx:a5   $label
 WiFi4_2G   8a:xx:xx:58:xx:14   8a:xx:xx:52:xx:a7   (Compatibility mode)
 WiFi5_5G   8a:xx:xx:b8:xx:14   8a:xx:xx:b2:xx:a7   (Compatibility mode)
 WiFi6_2G   8a:xx:xx:18:xx:14   8a:xx:xx:12:xx:a7
 WiFi6_5G   8a:xx:xx:78:xx:14   8a:xx:xx:72:xx:a7

Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.

TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
    |GND|TX|RX|VCC|

1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
   server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
   and open a TTL session, enter "reboot", then enter "Y" to confirm.
   Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
   # tftp 0x80010000 192.168.124.99:initramfs.bin
   # bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
   partitions if we want to back to stock firmwre due to official
   website does not provide download link.
   # dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
   # dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
   # fw_setenv bootargs
   # fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
   partitions that we backed up in step 4.
   # mtd write /tmp/u-boot-env.bin u-boot-env
   # mtd write /tmp/firmware.bin firmware

Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit 1330816178)
2023-01-09 14:43:31 +08:00
Tianling Shen
619e883cb0
Merge Official Source
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-01-07 16:35:05 +08:00
Josef Schlehofer
1b6e9b3f64 opkg: add patch to avoid remove package repeatly with force
This patch was taken from the OpenWrt-devel mailing list:
https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg59794.html

It is included already in OpenWrt master branch and OpenWrt 22.03
release as it was included in opkg-lede repository:
https://git.openwrt.org/?p=project/opkg-lede.git;a=commit;h=9c44557a776da993c2ab80cfac4dbd8d59807d01

However, it is not included in OpenWrt 21.02, where the same issue is
happening.

Fixes: CI for https://github.com/openwrt/packages/pull/20074

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2023-01-06 17:34:46 +01:00
Daniel Golle
cdd9bee370 kernel: add kmod-nvme package
Add driver for NVM Express block devices, ie. PCIe connected SSDs.

Targets which allow booting from NVMe (x86, maybe some mvebu boards come
to mind) should have it built-in, so rootfs can be mounted from there.
For targets without NVMe support in bootloader or BIOS/firmware it's
sufficient to provide the kernel module package.

On targets having the NVMe driver built-in the resulting kmod package
is an empty dummy. In any case, depending on or installing kmod-nvme
results in driver support being available (either because it was already
built-in or because the relevant kernel modules are added and loaded).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbe53352e3)
2023-01-06 17:30:51 +01:00
Hauke Mehrtens
0f423804f6 kernel: kmod-isdn4linux: Remove package
The isdn4linux drivers and subsystem was removed in kernel 5.3, remove
the kernel package also from OpenWrt.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db55dea5fc)
2023-01-06 17:26:45 +01:00
Hauke Mehrtens
66fa45ecef kernel: kmod-ipt-ulog: Remove package
The ulog iptables target was removed with kernel 3.17, remove the kernel
and also the iptables package in OpenWrt too.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2a0284fb03)
2023-01-06 17:23:25 +01:00
Hauke Mehrtens
e6b1094b8d kernel: kmod-w1-slave-ds2760: Remove package
The w1_ds2760.ko driver was merged into the ds2760_battery.ko driver.
The driver was removed and this package was never build any more.
This happened with kernel 4.19.

Remove this unused package.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5808973d14)
2023-01-06 17:23:25 +01:00
Hauke Mehrtens
ab9025769b kenrel: kmod-rtc-pt7c4338: Remove package
The rtc-pt7c4338.ko was never upstream under this name, the driver was
removed from OpenWrt some years ago, remove the kmod-rtc-pt7c4338
package too.

Fixes: 74d00a8c38 ("kernel: split patches folder up into backport, pending and hack folders")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5ccf4dcf88)
2023-01-06 17:23:25 +01:00
Josef Schlehofer
3e0faf2866 kernel: build crypto md5/sha1/sha256 modules for powerpc
This builds and enables kernel optimized modules for mpc85xx target:
- CONFIG_CRYPTO_MD5_PPC [1]
- CONFIG_CRYPTO_SHA1_PPC_SPE [2]
- CONFIG_CRYPTO_SHA256_PPC_SPE [3]

Where it was possible, then use Signal Processing Engine, because
CONFIG_SPE is already enabled in mpc85xx config.

[1] https://cateee.net/lkddb/web-lkddb/CRYPTO_MD5_PPC.html
[2] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA1_PPC.html
[3] https://cateee.net/lkddb/web-lkddb/CRYPTO_SHA256_PPC_SPE.html

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 3a702f8733)
2023-01-06 17:17:07 +01:00
Josef Schlehofer
8e548ac9bd kernel: fix typo for tegra crypto-sha1 module
Fixes: e889489bed ("kernel: build
arm/neon-optimized sha1/512 modules")

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit f8f9d6901c)
2023-01-06 17:14:40 +01:00
Tianling Shen
1bb9e55434
i40e: build for x86 only
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2022-12-30 11:03:29 +08:00
Felix Fietkau
b1833122ea
hostapd: allow sharing the incoming DAS port across multiple interfaces
Use the NAS identifier to find the right receiver context on incoming messages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 090ad03343)
2022-12-28 14:36:37 +08:00
Tianling Shen
87266b3f7e
rtl_wifi: add missing kernel nostdinc flags
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit d6d00ec070)
2022-12-28 14:29:06 +08:00
Tianling Shen
0bada4eed0
mt7601u-ap: bump to latest git HEAD
Removed outdated patches.

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 07f7c90b93)
2022-12-28 14:23:47 +08:00
Tianling Shen
2c3c7f1b8e
rtl8812au-ac: remove unused patches
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 7958f1f0c1)
2022-12-28 14:23:22 +08:00
Tianling Shen
50cae2e938
rtl8812au-ac: bump to latest git HEAD
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 3ad16a8b69)
2022-12-28 14:22:46 +08:00
Tianling Shen
d2494642aa
rtl8192eu: bump to latest git HEAD
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 90a7dced2a)
2022-12-28 14:16:42 +08:00
Tianling Shen
3fdd47d733
rtl8189es: bump to latest git HEAD
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 5a12ff85ff)
2022-12-28 14:13:09 +08:00
Tianling Shen
579be6b930
rtl8188eu: bump to latest git HEAD
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 57af11342b)
2022-12-28 14:11:09 +08:00
Tianling Shen
7b5adca44d
rtl88x2bu: bump to latest git HEAD
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit 9ecd98c35f)
2022-12-28 14:08:26 +08:00