Jo-Philipp Wich [Sat, 11 Jun 2016 01:18:07 +0000 (03:18 +0200)]
polarssl: enable AES-GCM and CAMELLIA-GCM ciphersuites
Recent versions of Chrome require these ciphers to successfully handshake with
a TLS enabled uhttpd server using the ustream-polarssl backend.
If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL`
when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()`
to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`.
Jo-Philipp Wich [Fri, 10 Jun 2016 22:53:16 +0000 (00:53 +0200)]
kernel: deny swconfig set requests for unprivileged users
The swconfig kernel infrastructure fails to do any permissions checks when
changing settings. As such an ordinary user account on a device with a
switch can change switch settings without any special permissions.
Routers generally have few non-admin users so this isn't a big hole, but it
is a security hole. Likely the greatest danger is for multifunction devices
which have a lot of extra daemons; compromising a low-security daemon would
allow one to modify switch settings and cause the router/switch to appear to
lock up (or cause other sorts of troublesome network behavior).
Implement a check for CAP_NET_ADMIN in swconfig_set_attr() and deny any
requests originating from user contexts lacking this capability.
Scott Shambarger [Fri, 10 Jun 2016 12:50:35 +0000 (14:50 +0200)]
mac80211: fix calculation of VHT capability values
- Fix calculation of `$vht_cap` bit field
- Replace wrong reference to `$tx_stbc` variable with proper `$tx_stbc_2by1` one
- Emit proper `RX-STBC-{1,12,123,1234}` tokens for the VHT capability list
See https://dev.openwrt.org/ticket/22535 for reference.
Signed-off-by: Scott Shambarger <devel@shambarger.net>
Hans Dedecker [Wed, 8 Jun 2016 14:39:04 +0000 (16:39 +0200)]
busybox: Call ntpd hotplug script for every action
Daemons that are waiting for a timesync are only triggered when the action is stratum.
As step is the first sync action, pass all actions to the ntpd hotplug scripts; it's up
to the ntpd hotplug script to filter out the actions it is interested in.
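The filtering this commit leaves to the hotplug script, shown as an added example (this is not busybox or OpenWrt code). It assumes the OpenWrt convention that scripts under /etc/hotplug.d/ntp/ receive the ntpd action name in the ACTION environment variable, and that busybox ntpd reports the actions step, stratum, periodic and unsync; only the first two are treated as a usable time sync here, everything else is ignored.

```sh
#!/bin/sh
# Added example: a hotplug script that receives every ntpd action and acts
# only on the ones that mean the clock is usable. Assumes $ACTION is set by
# the OpenWrt ntpd hotplug wrapper (convention, not verified against this tree).

# Return 0 (true) when the given ntpd action indicates a valid time:
#   step    - first sync, clock was stepped to the server time
#   stratum - server stratum learned, clock is considered synchronised
# "periodic" and "unsync" are deliberately ignored.
ntp_action_is_sync() {
    case "$1" in
        step|stratum) return 0 ;;
        *) return 1 ;;
    esac
}

# Handle one hotplug invocation. Prints what a real script would do and
# returns 0 if the action was acted upon, 1 if it was filtered out.
ntp_hotplug_handle() {
    action="$1"
    if ntp_action_is_sync "$action"; then
        # Here a real script would start the daemons waiting for a timesync.
        echo "timesync via $action: releasing services waiting for a valid clock"
        return 0
    fi
    echo "ignoring ntpd action: $action"
    return 1
}

# When invoked by the hotplug system, dispatch on the action it passed in.
if [ -n "$ACTION" ]; then
    ntp_hotplug_handle "$ACTION"
fi
```

Scripts that previously relied on only ever seeing the stratum action keep working with the case above, since stratum is still accepted; the difference is that the step action now releases waiting daemons at the first successful sync instead of waiting for the stratum report.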
Hans Dedecker [Wed, 8 Jun 2016 14:35:18 +0000 (16:35 +0200)]
dnsmasq: Add option --max-port
By default dnsmasq uses random ports for outbound dns queries;
when the maxport UCI option is specified the ports used will
always be smaller than the specified value.
This is useful for systems behind firewalls.
Hannu Nyman [Wed, 8 Jun 2016 13:12:55 +0000 (16:12 +0300)]
ubox: increase default size of system log buffer to 64 kB
Increase the default system log buffer size
from 16 kB (default both in logd source and in the startup script)
to 64 kB by adjusting the default value in startup script.
brcm2708: update linux 4.4 patches to latest version
As usual these patches were extracted from the raspberry pi repo:
https://github.com/raspberrypi/linux/tree/rpi-4.4.y
Also alphabetically order sound-soc kernel packages.
Jo-Philipp Wich [Wed, 8 Jun 2016 08:14:27 +0000 (10:14 +0200)]
base-files: maintain LED config state
Record the state of any hardware LED configured through UCI and use that
information to revert the state when applying updated settings while
maintaining default behaviour of system LEDs.
Jo-Philipp Wich [Tue, 31 May 2016 12:47:30 +0000 (14:47 +0200)]
base-files: rework config generation logic
Now that config_generate is able to generate the entire /etc/config/system
from scratch we can apply the same logic as used for /etc/config/network;
when the configuration file exists already then do not do anything, else
generate it from the values provided by /etc/board.json .
In order to facilitate that, move the file existence checking inside
/bin/config_generate and call it unconditionally from /bin/board_detect.
Jo-Philipp Wich [Tue, 31 May 2016 11:33:05 +0000 (13:33 +0200)]
ath25: drop target specific button hotplug
The ath25 target has its own unique button action config support, which is not
used anywhere except for two example logger statements in UCI.
Since there is a generic /etc/rc.button facility since some time already there
is no reason at all to keep this target specific mechanism anymore, so simply
drop it.
Matteo Panella [Sat, 4 Jun 2016 13:15:03 +0000 (15:15 +0200)]
openvpn: add support for tls-version-min
Currently, the uci data model does not provide support for specifying
the minimum TLS version supported in an OpenVPN instance (be it server
or client).
This patch adds support for writing the relevant option to the openvpn
configuration file at service startup.
Jo-Philipp Wich [Tue, 7 Jun 2016 20:58:22 +0000 (22:58 +0200)]
base-files: reset LED state
Attempt to reset all LED states before applying the UCI configuration to
avoid leaving disabled LEDs behind in lingering glowing state, e.g. when
changing the sysfs entry in the config from one hardware LED to another.
This patch adds the target profile SOM9331 and configures hardware
functionality for the 3x Eth Ports & corresponding LEDs, the USB Host,
the USART to USB bridge and the System LED.
Signed-off-by: Allan Nick Pedrana <nik9993@gmail.com>
Jo-Philipp Wich [Tue, 7 Jun 2016 09:13:03 +0000 (11:13 +0200)]
ixp4xx: fix Avila SoC audio driver compilation
Upstream dropped the `dapm` member of `struct snd_soc_component`, requiring
users to access it using `snd_soc_codec_get_dapm()` instead so change the
driver code to do just that.
Fixes the following build error spotted by the buildbots:
CC [M] sound/soc/gw-avila/gw-avila.o
sound/soc/gw-avila/gw-avila.c: In function 'avila_aic3x_init':
sound/soc/gw-avila/gw-avila.c:104:44: error: 'struct snd_soc_codec' has no member named 'dapm'
Karl Palsson [Mon, 6 Jun 2016 15:49:21 +0000 (15:49 +0000)]
wolfssl: enable openssl 1.0.1 compatibility
From wolfssl/openssl/opensslv.h, and from skimming the contents of what
"--enable-stunnel" actually does, it seems that --enable-opensslextra
doesn't give you the "full" openssl compatibility that you may wish for
these days. Unfortunately, while wolfssl writes the build time options
into wolfssl/options.h, it doesn't include that file itself. User
applications must include that directly.
Latest Xcode doesn't include openssl anymore. To compile
mkimage from u-boot source you need SSL headers on your host.
This patch provides libressl host package for any Darwin
compilation. Unfortunately openssl from MacPorts can not be
used, as the installed headers in /opt/local are breaking
GDB compilation. Tested with a RB532 image build and resulting
kernel booted on a device via TFTP.
Signed-off-by: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fixes, dependencies]
Hannu Nyman [Tue, 31 May 2016 18:01:09 +0000 (21:01 +0300)]
kmod-sched-cake: Add support for cake qdisc
Add 'cake' qdisc kernel module package.
V2 - KDB Small update to base on latest cake tc changes (wash option
deprecated)
V3 - KDB Move kmod-sched-cake package to kernel as is kernel related
V4 - KDB Split into individual patches, kmod & tc
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Acked-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Hannu Nyman [Tue, 31 May 2016 18:01:09 +0000 (21:01 +0300)]
iproute2: Add support for cake qdisc
Add cake support to 'tc' in iproute2
- Use a patch to modify tc instead of adding a new tc-adv package.
Patch creates q_cake.c that matches commit https://github.com/dtaht/tc-adv/commit/3314230bc47328bc9b44faacaad8210065ef98b7
- Do not include the other things from tc-adv (cake0, cake2, pie etc.).
V2 - KDB Small update to base on latest cake tc changes (wash option
deprecated)
V3 - KDB Move kmod-sched-cake package to kernel as is kernel related
v4 - KDB Split into individual patches, tc & kmod
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Acked-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
util-linux: fix scanf fallback detection for uClibc-ng
uClibc-ng pretends to be GNU libc 2.2 and then a fallback
scanf check is tried, so that libmount is disabled
afterwards. Add a fix already suggested upstream.
Add librt dependency required for other apps, too.
Alexey Brodkin [Tue, 31 May 2016 17:12:21 +0000 (20:12 +0300)]
arc: Build uImage as well as vmlinux output files
Initially for ARC we were building vmlinux images because it
was both simpler and more convenient to debug Linux kernel
in run-time via JTAG. Now when base system works quite nicely
we may finally use U-Boot for loading the system image as
well. Still we keep building vmlinux images as some of our
boards are development boards and loading images with JTAG
could be at some points very beneficial.
Note for U-Boot header it's required to specify 2 values:
* loading address
* entry point (if it doesn't match loading address)
and in case of ARC entry point (EP) not only differs from
loading address but also changes from build to build due to
initramfs being placed between loading address and text section.
To accommodate that feature we have to calculate EP after
vmlinux gets built and before call to mkimage.
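The step described above, reading the entry point from the freshly built vmlinux and handing it to mkimage, as an added shell example; this is not the OpenWrt arc target makefile. It assumes binutils `readelf` is available for the real-file case, that mkimage accepts `-A arc` (it does in current U-Boot), and it uses a constructed load address (0x80000000) and a constructed `readelf -h` excerpt purely for demonstration.

```sh
#!/bin/sh
# Added example: derive the U-Boot entry point from the built vmlinux and
# compose the mkimage invocation. Load address and sample ELF header below
# are constructed placeholders, not values from a real ARC build.

# Extract the ELF entry point from `readelf -h` output read on stdin.
elf_entry_point() {
    sed -n 's/^[[:space:]]*Entry point address:[[:space:]]*\(0x[0-9a-fA-F]*\).*/\1/p'
}

# Entry point of a vmlinux ELF file (needs binutils readelf on the host).
vmlinux_entry_point() {
    readelf -h "$1" | elf_entry_point
}

# Compose the mkimage command for an ARC kernel image.
#   $1 = raw kernel binary, $2 = output uImage, $3 = load address, $4 = entry point
arc_mkimage_cmd() {
    printf 'mkimage -A arc -O linux -T kernel -C none -a %s -e %s -n "ARC Linux" -d %s %s\n' \
        "$3" "$4" "$1" "$2"
}

# Constructed `readelf -h` excerpt standing in for the real vmlinux header.
SAMPLE_READELF='ELF Header:
  Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
  Class:                             ELF32
  Entry point address:               0x80e0cbc4
  Start of program headers:          52 (bytes into file)'

# Constructed load address; the real one comes from the target's kernel config.
LOAD_ADDR=0x80000000

# Entry point is computed only after vmlinux exists, then passed to mkimage.
EP=$(printf '%s\n' "$SAMPLE_READELF" | elf_entry_point)
arc_mkimage_cmd vmlinux.bin uImage "$LOAD_ADDR" "$EP"
```

In a real build `vmlinux_entry_point vmlinux` replaces the constructed header, and the printed command is executed rather than echoed; the point is that `-e` is filled in from the just-built ELF, so a change in initramfs size between builds cannot leave a stale entry point in the uImage header.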