"Alternate certification chains, as oppossed to requiring full chain
validataion. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."
This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].
This is the recommended solution from upstream [1].
The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793
Signed-off-by: Andre Heider <a.heider@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
1. Add support for Marvell CN9130 SoC
2. Add support for CP115,and create an armada-cp11x.dtsi file which will be used to instantiate both CP110 and CP115
3. Add support for AP807/AP807-quad,AP807 is a major component of CN9130 SoC series
4. Drop PCIe I/O ranges from CP11x file and externalize PCIe macros from CP11x file
Signed-off-by: Ian Chang <ianchang@ieiworld.com>
(cherry picked from commit c98ddf0f019986bbb4c868bfcaf97e0d1f4ee2dc)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
While the binary `python3.10` is correctly detected by the build system
the default `python3` binary is currently not detected if pointing to a
Python 3.10 installation.
Fix this by extending the grep regex.
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 56ea2bf2eec431ccd3c566190a444ad63db39b65)
Modifying PHY capabilities in the probe function broke with upstream
commit 92ed2eb7f4b7 ("net: phy: probe the PHY before determining the
supported features").
AR8316 switches only support 10/100 Mbit/s link modes because of this
change.
Provide a get_features method for the PHY driver, so Gigabit link mode
will be advertised to link partners again.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 766e0f584a325b0b80a97bbc86ca515d97c63001)
Fedora 35 contains Python 3.10 as default version. Make use of it.
Signed-off-by: Marcin Juszkiewicz <marcin@juszkiewicz.com.pl>
[fix commit subject]
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit e1c03ca18519f9683f6bfce1795e58d99575d895)
Fix Fedora 34/35 issue where 'which' detection of 'which' wasn't working
because Fedora use alias and proc
Fixup of fca5ad55d2 prereq-build: fix `which` detection on Fedora
Reported-by: Jani Partanen <rtfm@iki.fi>
Suggest-by: Etienne Champetier <champetier.etienne@gmail.com>
Tested-by: Georgi Valkov <gvalkov@abv.bg>
Signed-off-by: Paul Spooren <mail@aparcar.org>
(cherry picked from commit 0d1ebf0d6d20f0439ab45b293f9daa7662c44ba6)
Make the organization (O=) of the cert configurable via uci. If not
configured, use a combination of "OpenWrt" and an unique id like it was
done before.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 2c6c1501af664490ec9b701b46a201e21c670b96)
The official Plasma Cloud firmware adjusted the BDFs to contain new
conformance test limits and target power values. These should be imported
to avoid emissions outside the allowed limits.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit e0721608f9620b570c7f18d94681e86b01c0b9a0)
In hostapd_ubus_add_bss(), ubus objects are not registered for mesh
interfaces. This provokes a segfault when accessing the ubus object in
mesh deinit.
This commit adds the same condition to hostapd_ubus_free_bss() for
discarding those mesh interfaces.
Signed-off-by: Jesus Fernandez Manzano <jesus.manzano@galgus.net>
(cherry picked from commit 5269c47e8db549695ceaf6a19afdd0cb90074622)
The rockchip platform supports squashfs SD card images. However, the
resulting image is not padded to completely fill the rootfs partition.
Because of that, the f2fs overlay might not be erased, resulting in
uci-defaults not bing executed or the configuration not being erased,
even though drop config was selected.
Modify the image generation process so the image is padded to cover the
entire root filesystem partition.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit b56f7407d999d29c200c8c5880655926ef9874b7)
Takimata reported on the OpenWrt forum in thread [0], that his
MyBook Live Duo wasn't booting OpenWrt 21.02 after upgrading
from the previous OpenWrt 19.07.
The last logged entries on his console
|[ 0.531599] sata1-regulator GPIO handle specifies active low - ignored
|[ 0.538391] sata0-regulator GPIO handle specifies active low - ignored
|[ 0.759791] ata2: SATA link down (SStatus 0 SControl 300)
|[ 0.765251] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300)
|[ 5.909555] ata1.00: qc timeout (cmd 0xec)
|[ 5.913656] ata1.00: failed to IDENTIFY (I/O error, err_mask=0x4)
|[ 6.231757] ata1: SATA link down (SStatus 0 SControl 300)
This extract clearly showed that the HDD on which OpenWrt is installed,
simply disappeared after the SATA power regulators had been initialized.
Since the device-tree regulators haven't changed since the OpenWrt 19.07
days this will require further investigation on the snapshot/master/trunk
branch.
For the time being, it was requested to just delete the nodes so,
the device will boot again. Which unfortunately, will have to wait
until 21.02.1 is released.
He also confirmed that the My Book Live Single wasn't affected.
It works with or without this change.
[0] <https://forum.openwrt.org/t/21-02-0-and-snapshot-fail-to-boot-on-my-book-live-duo/106585>
Reported-by: Takimata (forum.openwrt.org/u/takimata)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The minew g1-c is a smart home gateway / BLE gateway.
A Nordic nRF52832 is available via USB UART (cp210x) to support BLE.
The LED ring is a ring of 24x ws2812b connect to a generic GPIO (unsupported).
There is a small LED which is only visible when the device is open which
will be used as LED until the ws2812b is supported.
The board has also a micro sdcard/tfcard slot (untested).
The Nordic nRF52832 exposes SWD over a 5pin header (GND, VCC, SWD, SWC, RST).
The vendor uses an older OpenWrt version, sysupgrade can be used via
serial or ssh.
CPU: MT7628AN / 580MHz
RAM: DDR2 128 MiB RAM
Flash: SPI NOR 16 MiB W25Q128
Ethernet: 1x 100 mbit (Port 0) (PoE in)
USB: USB hub, 2x external, 1x internal to USB UART
Power: via micro usb or PoE 802.11af
UART: 3.3V, 115200 8n1
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
The board data file for the Plasma Cloud PA2200 is not part of the default
board-2.bin which is shipped by ath10k-board-qca4019. A typo in the device
package name resulted in a not correctly selected package for the device
specific board-2.bin. The wifi driver has therefore loaded the wrong
calibration information into the wifi chip.
Fixes: 4871fd2616ac ("ipq40xx: add support for Plasma Cloud PA2200")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit c7e9335e4c23f3bd074cb2b215a289b8b75f319c)
The board data file for the Plasma Cloud PA1200 is not part of the default
board-2.bin which is shipped by ath10k-board-qca4019. A typo in the device
package name resulted in a not correctly selected package for the device
specific board-2.bin. The wifi driver has therefore loaded the wrong
calibration information into the wifi chip.
Fixes: ea5bb6bbfee0 ("ipq40xx: add support for Plasma Cloud PA1200")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit d0ffc175350f2be6174932dc0afd4d2737afe52d)
The board data file for the EnGenius EMR3500 is not part of the default
board-2.bin which is shipped by ath10k-board-qca4019. As result, the wrong
calibration information will be loaded into the wifi chip.
Fixes: 3f61e5e1b97e ("ipq40xx: add support for EnGenius EMR3500")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit 14bd392a1cd0b8e267e4402ae27b3c5a8f66b933)
The board data file for the EnGenius EMD1 is not part of the default
board-2.bin which is shipped by ath10k-board-qca4019. As result, the wrong
calibration information will be loaded into the wifi chip.
Fixes: 51f303597839 ("ipq40xx: add support for EnGenius EMD1")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
(cherry picked from commit d9f4a4280e674ddb4ec75ae2d73b0f86e0c282cc)
This patch fixes the forwarding behavior of bridge in bridge
configurations with DSA.
Without it, the configuration of the upper bridge might overwrite
settings of the lower bridge. For example, a vlan-aware bridge
with DSA interfaces in it might be offloaded to the DSA hardware. If the
bridge interface itself gets slave of a different bridge without vlan
filtering, the vlan filtering setting of the lower bridge is overwritten
by the upper bridge, which results in an incorrect hardware
configuration.
This was backported from kernel 5.7.
Ref: https://lore.kernel.org/netdev/20191222192235.GK25745@shell.armlinux.org.uk/
Fixes: FS#3996
Signed-off-by: Fabian Bläse <fabian@blaese.de>
(cherry picked from commit c50ece58c41647880cc74c927d98b465cdfbdad8)
These options are selectable when some of the kernel debug options like
KERNEL_SOFTLOCKUP_DETECTOR are selected.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 1a3b3dc7974c98843baeb22251dc4c580dc771d6)
The LOCKUP_DETECTOR configuration option split into the
SOFTLOCKUP_DETECTOR and HARDLOCKUP_DETECTOR configuration option some
time ago. The HARDLOCKUP_DETECTOR option is only working on some
architectures, but SOFTLOCKUP_DETECTOR should work everywhere. Replace
KERNEL_LOCKUP_DETECTOR with KERNEL_SOFTLOCKUP_DETECTOR.
LOCKUP_DETECTOR will be selected by SOFTLOCKUP_DETECTOR automatically.
Fixes: b951f53fbae3 ("build: Add additional kernel debug options")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d27f6e2c5d2a2315cc8fe684d117c80aa9984ca8)
At this moment kernel partition in Linksyses EA3500/E4200/EA4500 is
ended before start of rootfs partition. It was introduced in 9808b9ae02
and it broke easy revert to stock. Sysupgrade, when OFW is used, write
whole stock image to kernel partition. Most likeley image will be bigger
than small kernel partition and it make stock system invalid.
This patch change size of kernel partitions and now it overlaps rootfs.
Revert to stock will be possible again.
Fixes: 9808b9ae02 ("kirkwood: switch to kernel 4.9")
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
This patch has been carried since introduction throughout every kernel
major bump and no one has tested if the later kernels improved the
situation. The Armada 3720 SoC can only process GbE interrupts on Core 0
and this is already limited in all stable kernels, so ditch this
workaround for 64 bit SoCs.
Ref: https://git.kernel.org/torvalds/c/cf9bf871280d
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit cbdd2b62e4d5e0572204c37d874d32dc8610840e)
The Onion Omega is a hardware development platform with built-in WiFi.
https://onioniot.github.io/wiki/
Specifications:
- QCA9331 @ 400 MHz (MIPS 24Kc Big-Endian Processor)
- 64MB of DDR2 RAM running at 400 MHz
- 16MB of on-board flash storage
- Support for USB 2.0
- Support for Ethernet at 100 Mbps
- 802.11b/g/n WiFi at 150 Mbps
- 18 digital GPIOs
- A single Serial UART
- Support for SPI
- Support for I2S
Flash instructions:
The device is running OpenWrt upon release using the ar71xx target.
Both a sysupgrade
and uploading the factory image using u-boots web-UI do work fine.
Depending on the ssh client, it might be necessary to enable outdated
KeyExchange methods e.g. in the clients ssh-config:
Host 192.168.1.1
KexAlgorithms +diffie-hellman-group1-sha1
The stock credentials are: root onioneer
For u-boots web-UI manually configure `192.168.1.2/24` on your computer,
connect to `192.168.1.1`.
MAC addresses as verified by OEM firmware:
2G phy0 label
LAN eth0 label - 1
LAN is only available in combination with an optional expansion dock.
Based on vendor acked commit:
commit 5cd49bb067ca ("ar71xx: add support for Onion Omega")
Partly reverts:
commit fc553c7e4c8e ("ath79: drop unused/incomplete dts")
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
(cherry picked from commit d98738b5c118fc45068b45f07b8b6938e91f35d2)
This version fixes two vulnerabilities:
- SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High
- Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 7119fd32d397567931e63dbbf72014e95624018f)
Backport a patch from upstream U-Boot to fix the compile with host GCC 10.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8d143784cb8fafccdbcdc0bd5d1aa47d3d676f70)
Backport a patch from upstream U-Boot to fix the compile with host GCC 10.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit a1034afba8ea8bec48e2528fdae0fb74a6757e53)
The bootloader will look for a configuration section named ap.dk01.1-c2
in the FIT image. If this doesn't exist, the device won't boot.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit a43da1be43ae251f0edaa6419612e600fc6ec972)
A missing quote in target/linux/ath79/patches-5.x/920-mikrotik-rb4xx.patch
produces:
...
scripts/kconfig/conf --syncconfig Kconfig
drivers/mfd/Kconfig:2016:warning: multi-line strings not supported
...
This patch adds missing closing quote, fixing the above warning.
Signed-off-by: Paul Blazejowski <paulb@blazebox.homeip.net>
(cherry picked from commit f7374bce00a97fda78ace3acaef48369e8246814)
Installing headers and static libraries to the target system seems
to be not required for most use cases, so let's factor them
out into a dedicated -dev package.
This cuts down to disk usage to around 50% of the original
package to ~ 2MB - not that disk space is an issue normally,
but when using inside an initramfs only project, it counts.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
NR_CPUS limits the number of CPUs supported to 8. This makes total sense
on hardware-restircted platforms, but not on x86_64, where CPUs with
more than 8 cores can be easily acquired and with less physical limitaions.
see also: https://forum.openwrt.org/t/x86-64-8-cpu-limitation-on-vanilla-release/100946
Signed-off-by: Edgar Su <sjs333@outlook.com>
(cherry picked from commit df554e6fcab171ec499d8fb2ed10a0da328323f3)
When having two keys that start with the same characters and the second
key just has one character more nand_tffs_read and tffs_read return the
wrong value for the longer key. This is due to the usage of strncmp in
combination with the length of the shorter key which is usually first in
the list before the longer key and when strncmp matches, the search is
stopped. The problem only occurs when the length of the two keys is
different, not if just the last character is different. The fix is to
use strcmp and as such it will only return the value if the key (name)
and the key to look for (namefilter) have the same value and length. A
sample case returning wrong values is when keys macwlan and macwlan2 are
defined and querying macwlan2 returns the value for macwlan.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
(cherry picked from commit 12564c5b860f9849c9a2fb7026c2c11150b9a4fc)
This patch is backported from linux-arm-kernel [1] to improve situation, when
it was reported that 1.2 GHz variant is unstable with DFS.
It waits to be accepted upstream, however, it waits for Marvell people to respond.
[1] https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210630225601.6372-1-kabel@kernel.org/
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit d3794768177293f584cc74f90c921276793da1e7)
Based on the discussion on the mailing list [1], the patch which was
reverted, it reverts only one patch without the subsequent ones.
This leads to the SoC scaling issue not using a CPU parent clock, but
it uses DDR clock. This is done for all variants, and it's wrong because
commits (hacks) that were using the DDR clock are no longer in the mainline kernel.
If someone has stability issues on 1.2 GHz, it should not affect all
routers (1 GHz, 800 MHz) and it should be rather consulted with guys, who are trying to
improve the situation in the kernel and not making the situation worse.
There are two solutions in cases of instability:
a) disable cpufreq
b) underclock it up to 1 GHz
This reverts commit 080a0b74e39d159eecf69c468debec42f28bf4d8.
[1] https://lists.openwrt.org/pipermail/openwrt-devel/2021-June/035702.html
CC: Pali Rohár <pali@kernel.org>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 7b868fe04a8961048feec1143e72fe47bde52a12)
EXTRA_MOUNT variable should be reset in dnsmasq_start() rather than
just once at the beginning of the script.
Fixes: ac4e8aa2f8 ("dnsmasq: fix more dnsmasq jail issues")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ddc8d085f39dea998f59680fb556ca72d779a3b1)
* remove superflus mounts of /dev/null and /dev/urandom
* reset EXTRA_MOUNTS at the beginning of the script
* add mount according to ignore_hosts_dir
* don't add mount for file which is inside a directory already in the
EXTRA_MOUNTS list
Fixes: 59c63224e1 ("dnsmasq: rework jail mounts")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ac4e8aa2f8d98158ea7b749f877269f1f5fa9c5a)
* split into multiple lines to improve readability
* use EXTRA_MOUNT for addnhosts instead of blindly adding /tmp/hosts
* remove no longer needed mount for /sbin/hotplug-call
* add dhcp-script.sh dependencies (jshn, ubus)
Fixes: 3a94c2ca5c ("dnsmasq: add /tmp/hosts/ to jail_mount")
Fixes: aed95c4cb8 ("dnsmasq: switch to ubus-based hotplug call")
Reported-by: Stijn Tintel <stijn@linux-ipv6.be>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 59c63224e11d6c4eca27131a73bf16218e47a271)
'--local' is a synonym for '--server' so let's use '--local' in the
resultant config file for uci's 'local' instead of uci's local
parameter being turned into '--server'. Slightly less confusion all
round.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit e4cfefa9fc3d22da5705b554785ba9c533c373d0)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
