Re: [PATCH 19.07 0/3] openvpn: update to 2.4.11

2021-04-21 Thread Magnus Kroken

On 21.04.2021 22:10, Magnus Kroken wrote:

This series backports two prior version updates for consistency, and
updates to 2.4.11, which fixes two security vulnerabilities affecting
OpenVPN peers running as servers.


Sorry, forgot to include testing details.

Compile-tested openvpn-openssl and openvpn-mbedtls for x86_64.

Run-tested openvpn-openssl and openvpn-mbedtls on x86_64 as clients.

Regards,
Magnus Kroken



[PATCH 19.07 2/3] openvpn: update to 2.4.9

2021-04-21 Thread Magnus Kroken
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9

Signed-off-by: Magnus Kroken 
(cherry-picked from commit d7e98bd7c5316f95cc11635371a39c6c0e18b9a7)
---
 package/network/services/openvpn/Makefile | 4 ++--
 .../patches/100-mbedtls-disable-runtime-version-check.patch   | 2 +-
 .../110-openssl-dont-use-deprecated-ssleay-symbols.patch  | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/network/services/openvpn/Makefile 
b/package/network/services/openvpn/Makefile
index baa8c1d07e..5f102d967d 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.8
+PKG_VERSION:=2.4.9
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
+PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
 
 PKG_MAINTAINER:=Felix Fietkau 
 
diff --git 
a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
 
b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index 7fc0089000..cb16a906fe 100644
--- 
a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ 
b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1406,7 +1406,7 @@ const char *
+@@ -1415,7 +1415,7 @@ const char *
  get_ssl_library_version(void)
  {
  static char mbedtls_version[30];
diff --git 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
index 7e9931f0f3..c7faf7c0c0 100644
--- 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
+++ 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -47,7 +47,7 @@ Signed-off-by: Gert Doering 
  #endif
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char *
+@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
  const char *
  get_ssl_library_version(void)
  {
-- 
2.20.1




[PATCH 19.07 1/3] openvpn: update to 2.4.8

2021-04-21 Thread Magnus Kroken
Backport two upstream commits that allow building
openvpn-openssl without OpenSSL's deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken 
(cherry-picked from commit bf43e5bbf91ca1a90df8dae3e2cce6bbb61d5cd9)
---
 package/network/services/openvpn/Makefile |  8 +--
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 +
 ...enssl-add-missing-include-statements.patch | 65 +++
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch |  2 +-
 5 files changed, 129 insertions(+), 6 deletions(-)
 create mode 100644 
package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 create mode 100644 
package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Makefile 
b/package/network/services/openvpn/Makefile
index aed9f43f80..baa8c1d07e 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.7
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.8
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648
+PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
 
 PKG_MAINTAINER:=Felix Fietkau 
 
@@ -44,7 +44,7 @@ else
 endif
 endef
 
-Package/openvpn-openssl=$(call 
Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl 
+@OPENSSL_WITH_DEPRECATED)
+Package/openvpn-openssl=$(call 
Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call 
Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
diff --git 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
new file mode 100644
index 00..7e9931f0f3
--- /dev/null
+++ 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -0,0 +1,58 @@
+From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
+From: Steffan Karger 
+Date: Sun, 26 Nov 2017 16:04:00 +0100
+Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x1010L screams bloody murder.  This patch fixes
+the errors about the deprecated SSLEAY/SSLeay symbols and defines.
+
+Signed-off-by: Steffan Karger 
+Acked-by: Gert Doering 
+Message-Id: <20171126150401.28565-1-stef...@karger.me>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
+Signed-off-by: Gert Doering 
+---
+ configure.ac | 1 +
+ src/openvpn/openssl_compat.h | 8 
+ src/openvpn/ssl_openssl.c| 2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/configure.ac
 b/configure.ac
+@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
+   EVP_MD_CTX_free \
+   EVP_MD_CTX_reset \
+   EVP_CIPHER_CTX_reset \
++  OpenSSL_version \
+   SSL_CTX_get_default_passwd_cb \
+   SSL_CTX_get_default_passwd_cb_userdata \
+   SSL_CTX_set_security_level \
+--- a/src/openvpn/openssl_compat.h
 b/src/openvpn/openssl_compat.h
+@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
+ #endif
+ 
+ /* SSLeay symbols have been renamed in OpenSSL 1.1 */
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#endif
++
++#ifndef HAVE_OPENSSL_VERSION
++#define OpenSSL_version SSLeay_version
++#endif
++
+ #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT   RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+--- a/src/openvpn/ssl_openssl.c
 b/src/openvpn/ssl_openssl.c
+@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char *
+ const char *
+ get_ssl_library_version(void)
+ {
+-return SSLeay_version(SSLEAY_VERSION);
++return OpenSSL_version(OPENSSL_VERSION);
+ }
+ 
+ #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
diff --git 
a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
 
b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
new file mode 100644
index 00..6a62b16500
--- /dev/null
+++ 
b/package/network/services/openvpn/patches/111-openssl-add-missing-include-

[PATCH 19.07 3/3] openvpn: update to 2.4.11

2021-04-21 Thread Magnus Kroken
Fixes two related security vulnerabilities (CVE-2020-15078) which under
very specific circumstances allow tricking a server using delayed
authentication (plugin or management) into returning a PUSH_REPLY before
the AUTH_FAILED message, which can possibly be used to gather
information about a VPN setup.

This release also includes other bug fixes and improvements.

Signed-off-by: Magnus Kroken 
---
 package/network/services/openvpn/Makefile | 4 ++--
 .../110-openssl-dont-use-deprecated-ssleay-symbols.patch  | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/network/services/openvpn/Makefile 
b/package/network/services/openvpn/Makefile
index 5f102d967d..33da5688c7 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.9
+PKG_VERSION:=2.4.11
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
+PKG_HASH:=e579eff218ab1d765965e64a917927504d8324717afdfcd56850f6b83ba8441b
 
 PKG_MAINTAINER:=Felix Fietkau 
 
diff --git 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
index c7faf7c0c0..a8ad6868c4 100644
--- 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
+++ 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -47,7 +47,7 @@ Signed-off-by: Gert Doering 
  #endif
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
+@@ -2018,7 +2018,7 @@ get_highest_preference_tls_cipher(char *
  const char *
  get_ssl_library_version(void)
  {
-- 
2.20.1




[PATCH 19.07 0/3] openvpn: update to 2.4.11

2021-04-21 Thread Magnus Kroken
This series backports two prior version updates for consistency, and
updates to 2.4.11, which fixes two security vulnerabilities affecting
OpenVPN peers running as servers.





[PATCH] mbedtls: update to 2.16.10

2021-03-14 Thread Magnus Kroken
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an erroneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access to them use constant-flow code

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10

Signed-off-by: Magnus Kroken 
---
Compile and run-tested on arm/mvebu.
Tested uclient-fetch with libustream-mbedtls backend against HTTPS URL,
tested openvpn-mbedtls as client.

package/libs/mbedtls/Makefile |  4 ++--
 package/libs/mbedtls/patches/200-config.patch | 22 +--
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 43cc8b05b7..7f6bf4e4c0 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.9
+PKG_VERSION:=2.16.10
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=fc17ff7d8c11d08f23ae2800a18269408ad2c24ea6bb8b9363e41a01c2425697
+PKG_HASH:=96257bb03b30300b2f35f861ffe204ed957e9fd0329d80646fe57fc49f589b29
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
diff --git a/package/libs/mbedtls/patches/200-config.patch 
b/package/libs/mbedtls/patches/200-config.patch
index 4cdeed921d..1e3d41f0eb 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1779,7 +1779,7 @@
+@@ -1796,7 +1796,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2109,7 +2109,7 @@
+@@ -2126,7 +2126,7 @@
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2175,7 +2175,7 @@
+@@ -2192,7 +2192,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2187,7 +2187,7 @@
+@@ -2204,7 +2204,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2295,7 +2295,7 @@
+@@ -2312,7 +2312,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *security risk. We recommend considering stronger ciphers 
instead.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2458,7 +2458,7 @@
+@@ -2475,7 +2475,7 @@
   * This module adds support for the Hashed Message Authentication Code
   * (HMAC)-based key derivation function (HKDF).
   */
@@ -198,7 +198,7 @@
  
  /**
   * \def MBEDTLS_HMAC_DRBG_C
-@@ -2768,7 +2768,7 @@
+@@ -2785,7 +2785,7 @@
   *
   * This module enables abstraction of common (libc) functions.
   */
@@ -207,7 +207,7 @@
  
  /**
   * \def MBEDTLS_POLY1305_C
-@@ -2789,7 +2789,7 @@
+@@ -2806,7 +2806,7 @@
   * Caller:  library/md.c
   *
   */
@@ -216,7 +216,7 @@
  
  /**
   * \def MBEDTLS_RSA_C
-@@ -2896,7 +2896,7 @@
+@@ -2913,7 +2913,7 @@
   *
   * Requires: MBEDTLS_CIPHER_C
   */
@@ -225,7 +225,7 @@
  
  /**
   * \def MBEDTLS_SSL_CLI_C
-@@ -2996,7 +2996,7 @@
+@@ -3013,7 +3013,7 @@
   *
   * This module provides run-time version information.
   */
@@ -234,7 +234,7 @@
  
  /**
   * \def MBEDTLS_X509_USE_C
-@@ -3106,7 +3106,7 @@
+@@ -3123,7 +3123,7 @@
   * Module:  library/xtea.c
   * Caller:
   */
-- 
2.20.1




Turris Omnia boot failure after "mvebu: fix initramfs/kernel image for CZNIC Turris Omnia"

2020-12-17 Thread Magnus Kroken
Commit e401a2a42e6d7c892e1cf7d765fa5ec9b2db3fb3 causes my Turris Omnia 
CZ11NIC13 to no longer boot. Compiling with EARLY_PRINTK does not show 
anything of interest:


## Executing script at 0180
Setting bus to 0
reading armada-385-turris-omnia.dtb
18748 bytes read in 20 ms (915 KiB/s)
reading zImage
3151292 bytes read in 134 ms (22.4 MiB/s)
Kernel image @ 0x100 [ 0x00 - 0x2fcc80 ]
## Flattened Device Tree blob at 0200
   Booting using the fdt blob at 0x200
   Loading Device Tree to 0fff8000, end 093b ... OK

Starting kernel ...

<--- device reboots --->
U-Boot SPL 2015.10-rc2 (Aug 18 2016 - 20:43:35)

Reverting the mentioned commit solves the issue. Any ideas about what 
the problem is? Is there any additional data that would be useful?


Regards
Magnus Kroken



[PATCH] openvpn: disable LZO support by default

2020-12-01 Thread Magnus Kroken
OpenVPN recommends disabling compression, as it may weaken the security
of the connection. For users who need compression, we build with LZ4
support by default. LZO in OpenVPN pulls in liblzo at approx. 32 kB.

OpenWrt users will no longer be able to connect to OpenVPN peers that
require LZO compression, unless they build the OpenVPN package themselves.

Signed-off-by: Magnus Kroken 
---
 package/network/services/openvpn/Config-mbedtls.in| 2 +-
 package/network/services/openvpn/Config-openssl.in| 2 +-
 package/network/services/openvpn/files/openvpn.config | 6 +-
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/package/network/services/openvpn/Config-mbedtls.in 
b/package/network/services/openvpn/Config-mbedtls.in
index 2a2f303c48..3cf233b8f7 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -2,7 +2,7 @@ if PACKAGE_openvpn-mbedtls
 
 config OPENVPN_mbedtls_ENABLE_LZO
bool "Enable LZO compression support"
-   default y
+   default n
 
 config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
diff --git a/package/network/services/openvpn/Config-openssl.in 
b/package/network/services/openvpn/Config-openssl.in
index 7a7be74db9..335bbaa2c4 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -2,7 +2,7 @@ if PACKAGE_openvpn-openssl
 
 config OPENVPN_openssl_ENABLE_LZO
bool "Enable LZO compression support"
-   default y
+   default n
 
 config OPENVPN_openssl_ENABLE_LZ4
bool "Enable LZ4 compression support"
diff --git a/package/network/services/openvpn/files/openvpn.config 
b/package/network/services/openvpn/files/openvpn.config
index f6278836e7..09d504da28 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -293,9 +293,7 @@ config openvpn sample_server
#
# LZ4 requires OpenVPN 2.4+ client and server
 #  option compress lz4
-   # LZO is compatible with most OpenVPN versions
-   # (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older 
clients)
-#  option compress lzo
+   
# Control how OpenVPN handles peers using compression
#
# Do not allow any connections using compression
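Review bot: The line that replaces the removed LZO comments (the `+` line directly before `# Control how OpenVPN handles peers using compression`) is whitespace-only: it keeps the indentation but carries no text, which leaves trailing whitespace in the shipped sample config and is what `git apply --whitespace` will warn about. Either make it a genuinely empty line or drop it so the `# Control how…` comment follows `#  option compress lz4` directly. The sibling hunk at `@@ -487,8 +485,6 @@` in the same file removes its LZO lines with no leftover, so the two hunks should match.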
@@ -487,8 +485,6 @@ config openvpn sample_client
#
# LZ4 requires OpenVPN 2.4+ on server and client
 #  option compress lz4
-   # LZO is compatible with most OpenVPN versions
-#  option compress lzo
 
# Set log file verbosity.
option verb 3
-- 
2.20.1




[PATCH v2] openvpn: update to 2.5.0

2020-12-01 Thread Magnus Kroken
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken 
---
v2: Fix missed -/_ conversion in openvpn.options, thanks Jo for pointing
this out. Restored LZO as enabled by default to ease the version update,
proposal to disable LZO will be sent as a separate patch.

.../services/openvpn/Config-mbedtls.in|  4 --
 .../network/services/openvpn/Config-nossl.in  | 50 --
 .../services/openvpn/Config-openssl.in|  4 --
 package/network/services/openvpn/Makefile | 20 +-
 .../services/openvpn/files/openvpn.config | 61 +++--
 .../services/openvpn/files/openvpn.options| 14 +++-
 .../001-reproducible-remove_DATE.patch|  6 +-
 ...bedtls-disable-runtime-version-check.patch |  2 +-
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 -
 ...enssl-add-missing-include-statements.patch | 65 ---
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch | 21 ++
 12 files changed, 69 insertions(+), 238 deletions(-)
 delete mode 100644 package/network/services/openvpn/Config-nossl.in
 delete mode 100644 
package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 delete mode 100644 
package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in 
b/package/network/services/openvpn/Config-mbedtls.in
index beac492022..2a2f303c48 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -8,10 +8,6 @@ config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
 
-config OPENVPN_mbedtls_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
 #config OPENVPN_mbedtls_ENABLE_EUREPHIA
 #  bool "Enable support for the eurephia plug-in"
 #  default n
diff --git a/package/network/services/openvpn/Config-nossl.in 
b/package/network/services/openvpn/Config-nossl.in
deleted file mode 100644
index 79140ad5d1..00
--- a/package/network/services/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
-   bool "Enable LZO compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_LZ4
-   bool "Enable LZ4 compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
-   bool "Enable management server support"
-   default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
-   bool "Enable internal fragmentation support (--fragment)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
-   bool "Enable multi-homed UDP server support (--multihome)"
-   default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
-   bool "Enable TCP server port-share support (--port-share)"
-   default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
-   bool "Enable deferred authentication"
-   default y
-
-config OPENVPN_nossl_ENABLE_PF
-   bool "Enable internal packet filter"
-   default y
-
-config OPENVPN_nossl_ENABLE_IPROUTE2
-   bool "Enable support for iproute2"
-   default n
-
-config OPENVPN_nossl_ENABLE_SMALL
-   bool "Enable size optimization"
-   default y
-   help
- enable smaller executable size (disable OCC, usage
- message, and verb 4 parm list)
-
-endif
diff --git a/package/network/services/openvpn/Config-openssl.in 
b/package/network/services/openvpn/Config-openssl.in
index f2b618eff1..7a7be74db9 100644
--- a/package/network/services/openvpn/Config-openssl.in
+++ b/package/network/services/openvpn/Config-openssl.in
@@ -12,10 +12,6 @@ config OPENVPN_openssl_ENABLE_X509_ALT_USERNAME
bool "Enable the --x509-username-field feature"
default n
 
-config OPENVPN_openssl_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
 #config OPENVPN_openssl_ENABLE_EUREPHIA
 # 

[PATCH] openvpn: update to 2.5.0

2020-10-31 Thread Magnus Kroken
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken 
---
Compile-tested openssl variant on mips_24kc, powerpc_8540 and
arm_cortex-a9. Runtime-tested openssl variant as server on arm_cortex-a9.

I have tested the earlier 2.5 beta and RC releases more extensively with
both openssl and mbedtls in various configurations.

I propose disabling LZO compression support by default, due to:
* Compression is not recommended, as it may weaken the security of the
  connection
* For users who need compression, we build with LZ4 support by default
* LZO in OpenVPN pulls in liblzo at approx. 32 kB. LZO support also
  adds about 1 kB to the OpenVPN package itself. LZ4 support (using
  OpenVPN bundled LZ4) adds about 6 kB to the OpenVPN package in total.

This means OpenWrt users will not be able to connect to OpenVPN
peers that require LZO compression, unless they build the package
themselves.

I left the PROVIDES line as "openvpn openvpn-crypto". As the nossl
variant will no longer exist and all OpenVPN packages will cover both
cases I am not entirely sure how this should be handled.

.../services/openvpn/Config-mbedtls.in|  6 +-
 .../network/services/openvpn/Config-nossl.in  | 50 --
 .../services/openvpn/Config-openssl.in|  6 +-
 package/network/services/openvpn/Makefile | 20 +-
 .../services/openvpn/files/openvpn.config | 67 ---
 .../services/openvpn/files/openvpn.options| 14 +++-
 .../001-reproducible-remove_DATE.patch|  6 +-
 ...bedtls-disable-runtime-version-check.patch |  2 +-
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 
 ...enssl-add-missing-include-statements.patch | 65 --
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch | 21 ++
 12 files changed, 72 insertions(+), 245 deletions(-)
 delete mode 100644 package/network/services/openvpn/Config-nossl.in
 delete mode 100644 
package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 delete mode 100644 
package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in 
b/package/network/services/openvpn/Config-mbedtls.in
index beac492022..3cf233b8f7 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls
 
 config OPENVPN_mbedtls_ENABLE_LZO
bool "Enable LZO compression support"
-   default y
+   default n
 
 config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
 
-config OPENVPN_mbedtls_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
 #config OPENVPN_mbedtls_ENABLE_EUREPHIA
 #  bool "Enable support for the eurephia plug-in"
 #  default n
diff --git a/package/network/services/openvpn/Config-nossl.in 
b/package/network/services/openvpn/Config-nossl.in
deleted file mode 100644
index 79140ad5d1..00
--- a/package/network/services/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
-   bool "Enable LZO compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_LZ4
-   bool "Enable LZ4 compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
-   bool "Enable management server support"
-   default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
-   bool "Enable internal fragmentation support (--fragment)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
-   bool "Enable multi-homed UDP server support (--multihome)"
-   default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
-   bool "Enable TCP server port-share support (--port-share)"
-   default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
-   bool "Enable deferred authentication"
-   default y
-
-config OPENVPN_nossl_ENABLE_PF
-   bool "Enable inter

[PATCH] mbedtls: update to 2.16.8

2020-09-01 Thread Magnus Kroken
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.

* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Magnus Kroken 
---
 package/libs/mbedtls/Makefile |  4 +-
 package/libs/mbedtls/patches/200-config.patch | 46 +--
 2 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 0fa95ee6b5..27f50f8dde 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.7
+PKG_VERSION:=2.16.8
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 
PKG_SOURCE_URL:=https://codeload.github.com/ARMmbed/mbedtls/tar.gz/v$(PKG_VERSION)?
-PKG_HASH:=c95b11557ee97d2bdfd48cd57cf9b648a6cddd2ca879e3c35c4e7525f2871992
+PKG_HASH:=fe9e3b15c3375943bdfe20dd6b4f1147b3b5d926248bd835d73247407430
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
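Review bot: The new `+PKG_HASH:=fe9e3b15…7430` value is 60 hex characters as shown, whereas a SHA-256 digest is 64, so the value as rendered cannot match any tarball and the download step's checksum verification would reject the 2.16.8 archive. This may be an artifact of the archive rendering, which elsewhere on this page collapses zero runs (the `index 00..` new-file headers), but the committed value should be re-derived from the upstream tarball named by `PKG_SOURCE`, `sha256sum mbedtls-2.16.8.tar.gz`, and compared character for character before merge. The 2.16.10 bump in the same thread carries a full 64-character hash, so only this hunk needs the check.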
diff --git a/package/libs/mbedtls/patches/200-config.patch 
b/package/libs/mbedtls/patches/200-config.patch
index 70d178feb8..4cdeed921d 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -658,14 +658,14 @@
+@@ -692,14 +692,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -782,19 +782,19 @@
+@@ -816,19 +816,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -918,7 +918,7 @@
+@@ -952,7 +952,7 @@
   * See dhm.h for more details.
   *
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -938,7 +938,7 @@
+@@ -972,7 +972,7 @@
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -963,7 +963,7 @@
+@@ -997,7 +997,7 @@
   *  MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1097,7 +1097,7 @@
+@@ -1131,7 +1131,7 @@
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1121,7 +1121,7 @@
+@@ -1155,7 +1155,7 @@
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1225,7 +1225,7 @@
+@@ -1259,7 +1259,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1320,14 +1320,14 @@
+@@ -1354,14 +1354,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1481,7 +1481,7 @@
+@@ -1515,7 +1515,7 @@
   *  configuration of this extension).
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1656,7 +1656,7 @@
+@@ -1690,7 +1690,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1686,7 +1686,7 @@
+@@ -1720,7 +1720,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1745,7 +1745,7 @@
+@@ -1779,7 +1779,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2075,7 +2075,7 @@
+@@ -2109,7 +2109,7 @@
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2141,7 +2141,7 @@
+@@ -2175,7 +2175,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2153,7 +2153,7 @@
+@@ -2187,7 +2187,7 @@
   *
   * This module is used for testing (ssl_client/server

[RFC PATCH] openvpn: update to 2.5 beta2

2020-08-31 Thread Magnus Kroken
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken 
---
Compile-tested mbedtls and openssl variants on mips_24kc and
arm_cortex-a9. Runtime-tested mbedtls variant as server and openssl as
client.

I propose disabling LZO compression support by default, due to:
* Compression is not recommended, as it may weaken the security of the
  connection
* For users who need compression, we build with LZ4 support by default
* LZO in OpenVPN pulls in liblzo at approx. 32 kB. LZO support also
adds about 1 kB to the OpenVPN package itself. LZ4 support (using
OpenVPN bundled LZ4) adds about 6 kB to the OpenVPN package in total.

This means OpenWrt users will not be able to connect to OpenVPN
peers that require LZO compression, unless they build the package
themselves.

I left the PROVIDES line as "openvpn openvpn-crypto". As the nossl
variant will no longer exist and all OpenVPN packages will cover both
cases I am not entirely sure how this should be handled.

.../services/openvpn/Config-mbedtls.in|  6 +-
 .../network/services/openvpn/Config-nossl.in  | 50 --
 .../services/openvpn/Config-openssl.in|  6 +-
 package/network/services/openvpn/Makefile | 20 +-
 .../services/openvpn/files/openvpn.config | 67 ---
 .../services/openvpn/files/openvpn.options| 14 +++-
 .../001-reproducible-remove_DATE.patch|  6 +-
 ...bedtls-disable-runtime-version-check.patch |  2 +-
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 
 ...enssl-add-missing-include-statements.patch | 65 --
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch | 21 ++
 12 files changed, 72 insertions(+), 245 deletions(-)
 delete mode 100644 package/network/services/openvpn/Config-nossl.in
 delete mode 100644 
package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 delete mode 100644 
package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in 
b/package/network/services/openvpn/Config-mbedtls.in
index beac492022..3cf233b8f7 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls
 
 config OPENVPN_mbedtls_ENABLE_LZO
bool "Enable LZO compression support"
-   default y
+   default n
 
 config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
 
-config OPENVPN_mbedtls_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
 #config OPENVPN_mbedtls_ENABLE_EUREPHIA
 #  bool "Enable support for the eurephia plug-in"
 #  default n
diff --git a/package/network/services/openvpn/Config-nossl.in 
b/package/network/services/openvpn/Config-nossl.in
deleted file mode 100644
index 79140ad5d1..00
--- a/package/network/services/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
-   bool "Enable LZO compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_LZ4
-   bool "Enable LZ4 compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
-   bool "Enable management server support"
-   default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
-   bool "Enable internal fragmentation support (--fragment)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
-   bool "Enable multi-homed UDP server support (--multihome)"
-   default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
-   bool "Enable TCP server port-share support (--port-share)"
-   default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
-   bool "Enable deferred authentication"
-   default y
-
-config OPENVPN_nossl_ENABLE_PF
-   bool "Enable internal packet filter"
-   default y
-
-config OPENVPN_nossl_ENABLE_IPROUTE2
-   bool "Enable su

Re: [PATCH] mbedtls: Update to version 2.16.7

2020-08-15 Thread Magnus Kroken

Hi

On 15.08.2020 20:19, Paul Spooren wrote:

Duplicate of this one?

https://patchwork.ozlabs.org/project/openwrt/patch/20200725121928.10850-1-mkro...@gmail.com/
They likely result in the same code, but there is a small difference. 
There was an issue with the tarball file name, which was why my patch 
added a PKG_BUILD_DIR workaround. This has been fixed and release URLs 
changed [1]. It wasn't sent to the mbed-tls-announce list, so I wasn't 
aware. Hauke's patch is the correct one with regard to what upstream 
officially points to.


1: 
https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-August/000160.html


Regards,
Magnus Kroken



[RFC PATCH] openvpn: update to 2.5 beta1

2020-08-14 Thread Magnus Kroken
New features:
* Per client tls-crypt keys
* ChaCha20-Poly1305 can be used to encrypt the data channel
* Routes are added/removed via Netlink instead of ifconfig/route
  (unless iproute2 support is enabled).
* VLAN support when using a TAP device

Significant changes:
* Server support can no longer be disabled.
* Crypto support can no longer be disabled, remove nossl variant.
* Blowfish (BF-CBC) is no longer implicitly the default cipher.
  OpenVPN peers prior to 2.4, or peers with data cipher negotiation
  disabled, will not be able to connect to a 2.5 peer unless
  option data_fallback_ciphers is set on the 2.5 peer and it contains a
  cipher supported by the client.

Signed-off-by: Magnus Kroken 
---
Compile-tested mbedtls and openssl variants on mips_24kc and
arm_cortex-a9. Runtime-tested mbedtls variant as server and openssl as
client.

Hopefully more people will test this and give feedback, I'd suggest
merging this later in the release cycle or at 2.5.0 release.

I propose disabling LZO compression support by default, due to:
* Compression is not recommended, as it may weaken the security of the
  connection
* For users who need compression, we build with LZ4 support by default
* LZO in OpenVPN pulls in liblzo at approx. 32 kB. LZO support also
  adds about 1 kB to the OpenVPN package itself. LZ4 support (using OpenVPN
  bundled LZ4) adds about 6 kB to the OpenVPN package in total.

This means OpenWrt users will not be able to connect to OpenVPN peers 
that require LZO compression, unless they build the package themselves.

I left the PROVIDES line as "openvpn openvpn-crypto". As the nossl variant 
will no longer exist and all OpenVPN packages will cover both cases 
I am not entirely sure how this should be handled.

 .../services/openvpn/Config-mbedtls.in|  6 +-
 .../network/services/openvpn/Config-nossl.in  | 50 --
 .../services/openvpn/Config-openssl.in|  6 +-
 package/network/services/openvpn/Makefile | 20 +-
 .../services/openvpn/files/openvpn.config | 67 ---
 .../services/openvpn/files/openvpn.options| 14 +++-
 .../001-reproducible-remove_DATE.patch|  6 +-
 ...bedtls-disable-runtime-version-check.patch |  2 +-
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 
 ...enssl-add-missing-include-statements.patch | 65 --
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch | 21 ++
 12 files changed, 72 insertions(+), 245 deletions(-)
 delete mode 100644 package/network/services/openvpn/Config-nossl.in
 delete mode 100644 
package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 delete mode 100644 
package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Config-mbedtls.in 
b/package/network/services/openvpn/Config-mbedtls.in
index beac492022..3cf233b8f7 100644
--- a/package/network/services/openvpn/Config-mbedtls.in
+++ b/package/network/services/openvpn/Config-mbedtls.in
@@ -2,16 +2,12 @@ if PACKAGE_openvpn-mbedtls
 
 config OPENVPN_mbedtls_ENABLE_LZO
bool "Enable LZO compression support"
-   default y
+   default n
 
 config OPENVPN_mbedtls_ENABLE_LZ4
bool "Enable LZ4 compression support"
default y
 
-config OPENVPN_mbedtls_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
 #config OPENVPN_mbedtls_ENABLE_EUREPHIA
 #  bool "Enable support for the eurephia plug-in"
 #  default n
diff --git a/package/network/services/openvpn/Config-nossl.in 
b/package/network/services/openvpn/Config-nossl.in
deleted file mode 100644
index 79140ad5d1..00
--- a/package/network/services/openvpn/Config-nossl.in
+++ /dev/null
@@ -1,50 +0,0 @@
-if PACKAGE_openvpn-nossl
-
-config OPENVPN_nossl_ENABLE_LZO
-   bool "Enable LZO compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_LZ4
-   bool "Enable LZ4 compression support"
-   default y
-
-config OPENVPN_nossl_ENABLE_SERVER
-   bool "Enable server support (otherwise only client mode is support)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MANAGEMENT
-   bool "Enable management server support"
-   default n
-
-config OPENVPN_nossl_ENABLE_FRAGMENT
-   bool "Enable internal fragmentation support (--fragment)"
-   default y
-
-config OPENVPN_nossl_ENABLE_MULTIHOME
-   bool "Enable multi-homed UDP server support (--multihome)"
-   default y
-
-config OPENVPN_nossl_ENABLE_PORT_SHARE
-   bool "Enable TCP server port-share support (--port-share)"
-   default y
-
-config OPENVPN_nossl_ENABLE_DEF_AUTH
-   bool "Enable deferred authentication"
-   default y
-
-config OPENVPN_nossl_ENABLE_PF
-   bool &

[PATCH] openvpn: revise sample configuration

2020-07-27 Thread Magnus Kroken
Update the openvpn sample configurations to use modern options in favor
of deprecated ones, suggest more sane default settings and add some
warnings.

* Add tls_crypt and ncp_disable to the sample configuration
* Replace nsCertType with remote_cert_tls in client sample configuration
* Comment out "option compress", compression should not be preferred
* Advise 2048-bit Diffie-Hellman parameters by default
* Add warnings about compression and use of Blowfish (BF-CBC)

Signed-off-by: Magnus Kroken 
---
 .../services/openvpn/files/openvpn.config | 83 +--
 1 file changed, 75 insertions(+), 8 deletions(-)

diff --git a/package/network/services/openvpn/files/openvpn.config 
b/package/network/services/openvpn/files/openvpn.config
index 1fd846f558..3de1881e35 100644
--- a/package/network/services/openvpn/files/openvpn.config
+++ b/package/network/services/openvpn/files/openvpn.config
@@ -77,10 +77,10 @@ config openvpn sample_server
 
# Diffie hellman parameters.
# Generate your own with:
-   #   openssl dhparam -out dh1024.pem 1024
+   #   openssl dhparam -out dh2048.pem 2048
# Substitute 2048 for 1024 if you are using
-   # 2048 bit keys.
-   option dh /etc/openvpn/dh1024.pem
+   # 1024 bit keys.
+   option dh /etc/openvpn/dh2048.pem
 
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
@@ -228,10 +228,52 @@ config openvpn sample_server
# This file is secret:
 #  option tls_auth "/etc/openvpn/ta.key 0"
 
+   # For additional privacy, a shared secret key
+   # can be used for both authentication (as in tls_auth)
+   # and encryption of the TLS control channel.
+   #
+   # Generate a shared secret with:
+   # openvpn --genkey --secret ta.key
+   #
+   # The server and each client must have
+   # a copy of this key.
+   #
+   # tls_auth and tls_crypt should NOT
+   # be combined, as tls_crypt implies tls_auth.
+   # Use EITHER tls_crypt, tls_auth, or neither option.
+#  option tls_crypt "/etc/openvpn/ta.key"
+
+   # Set the minimum required TLS protocol version
+   # for all connections.
+   #
+   # Require at least TLS 1.1
+#  option tls_version_min "1.1"
+   # Require at least TLS 1.2
+#  option tls_version_min "1.2"
+   # Require TLS 1.2, or the highest version supported
+   # on the system
+#  option tls_version_min "1.2 'or-highest'"
+
+   # OpenVPN versions 2.4 and later will attempt to
+   # automatically negotiate the most secure cipher
+   # between the client and server, regardless of a
+   # configured "option cipher" (see below).
+   # Automatic negotiation is recommended.
+   #
+   # Uncomment this option to disable this behavior,
+   # and force all OpenVPN peers to use the configured
+   # cipher option instead (not recommended).
+#  option ncp_disable
+
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
-   # Blowfish (default):
+   #
+   # To see all supported ciphers, run:
+   # openvpn --show-ciphers
+   #
+   # Blowfish (default for backwards compatibility,
+   # but not recommended due to weaknesses):
 #  option cipher BF-CBC
# AES:
 #  option cipher AES-128-CBC
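Review bot: The new tls_crypt block closes with `# Use EITHER tls_crypt, tls_auth, or neither option.` while both `option tls_auth` and `option tls_crypt` remain commented out, so the sample still ships with no control-channel protection and presents "neither" as an equal choice. Since the rest of this patch is about nudging users toward safer defaults, I would phrase it as `# Use EITHER tls_crypt or tls_auth (tls_crypt is recommended); running without either leaves the TLS control channel open to unauthenticated packets.` The NCP comment's "most secure cipher" is also a little generous — as far as I recall the 2.4 manual, negotiation picks from the peer's ncp-ciphers list rather than ranking by strength — so `# automatically negotiate a cipher from the ncp_ciphers list (AES-GCM by default)` would be more accurate, with the exact default to be confirmed against the manual. The cipher examples visible here only list CBC modes; that paragraph continues past the end of the hunk.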
@@ -241,11 +283,16 @@ config openvpn sample_server
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
+   #
+   # Compression is not recommended, as compression and
+   # encryption in combination can weaken the security
+   # of the connection.
+   #
# LZ4 requires OpenVPN 2.4+ client and server
 #  option compress lz4
# LZO is compatible with most OpenVPN versions
# (set "compress lzo" on 2.4+ clients, and "comp-lzo yes" on older 
clients)
-   option compress lzo
+#  option compress lzo
 
# The maximum number of concurrently connected
# clients we want to allow.
@@ -371,7 +418,7 @@ config openvpn sample_client
option key /etc/openvpn/client.key
 
# Verify server certificate by checking
-   # that the certicate has the nsCertType
+   # that the certicate has the key usage
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
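Review bot: The changed line `# that the certicate has the key usage` is imprecise about what the replacement option checks: to my reading of the OpenVPN manual, `remote_cert_tls server` verifies the certificate's extended key usage (TLS Web Server Authentication) together with the key usage bits, not a generic "key usage field set to server", so `# that the certificate's extended key usage is set to "TLS Web Server Authentication"` (also fixing the "certicate" typo) describes the check better. The paragraph continues beyond this hunk and, from the following visible lines, still instructs users to issue certificates with the nsCertType field via build_key_server; that text no longer matches remote_cert_tls and should be updated in the same patch, presumably to refer to the extended key usage that the easy-rsa server script sets.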
@@ -381,12 +428,27 @@ config openvpn sample_client
# your server certificates with the nsCertType
# field set to "server".  The build_key_server
# script in the easy_rsa folder will do this.
-#  option ns_cert_type server
+#  option remote_cert_tls server
 
# If a tls_auth key is used on the server
# then e

[PATCH] mbedtls: update to 2.16.7

2020-07-25 Thread Magnus Kroken
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07

* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).

Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.

Signed-off-by: Magnus Kroken 
---
Tested on arm/cortexa9. Tested with openvpn-mbedtls as server, uhttpd
serving HTTPS and uclient-fetch HTTPS download.

 package/libs/mbedtls/Makefile | 10 ++--
 package/libs/mbedtls/patches/200-config.patch | 46 +--
 2 files changed, 29 insertions(+), 27 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 04f80f4715..abc8789e01 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,19 +8,21 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.6
+PKG_VERSION:=2.16.7
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
-PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=80a484df42f32dbe95665cd4b18ce0dd14b6c67dfd561d36d1475802e41eb3ed
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=https://github.com/ARMmbed/mbedtls/archive/
+PKG_HASH:=4786b7d1676f5e4d248f3a7f2d28446876d64962634f060ff21b92c690cfbe86
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
 PKG_LICENSE_FILES:=gpl-2.0.txt
 PKG_CPE_ID:=cpe:/a:arm:mbed_tls
 
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION)
+
 PKG_CONFIG_DEPENDS:=CONFIG_LIBMBEDTLS_DEBUG_C
 
 include $(INCLUDE_DIR)/package.mk
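Review bot: The new `PKG_SOURCE_URL:=https://github.com/ARMmbed/mbedtls/archive/` fetches a GitHub auto-generated archive, and those tarballs are produced on the fly and are not guaranteed to stay byte-identical, so the pinned PKG_HASH can start failing without any upstream change and there is no release signature to check against. The later reply in this thread indicates upstream has since fixed its release URLs, so the official release tarball (with its published hash) is the safer source for a library on the TLS path. If the archive URL is kept, the `PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_NAME)-$(PKG_VERSION)` line deserves a one-line comment explaining that it only exists to match the archive's `mbedtls-mbedtls-<version>` top-level directory, so it is removed together with the URL.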
diff --git a/package/libs/mbedtls/patches/200-config.patch 
b/package/libs/mbedtls/patches/200-config.patch
index 298fa4aa79..70d178feb8 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -633,14 +633,14 @@
+@@ -658,14 +658,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -757,19 +757,19 @@
+@@ -782,19 +782,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -871,7 +871,7 @@
+@@ -918,7 +918,7 @@
   * See dhm.h for more details.
   *
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -891,7 +891,7 @@
+@@ -938,7 +938,7 @@
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -916,7 +916,7 @@
+@@ -963,7 +963,7 @@
   *  MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1050,7 +1050,7 @@
+@@ -1097,7 +1097,7 @@
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1074,7 +1074,7 @@
+@@ -1121,7 +1121,7 @@
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1178,7 +1178,7 @@
+@@ -1225,7 +1225,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1273,14 +1273,14 @@
+@@ -1320,14 +1320,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1434,7 +1434,7 @@
+@@ -1481,7 +1481,7 @@
   *  configuration of this extension).
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def

[PATCH] busybox: delete redundant patch

2020-07-24 Thread Magnus Kroken
This problem has been fixed in upstream commit
6b6a3d9339f1c08efaa18a7fb7357e20b48bdc95. This patch now (harmlessly)
adds the same definition a second time.

Signed-off-by: Magnus Kroken 
---
 .../patches/130-mconf_missing_sigwinch.patch| 13 -
 1 file changed, 13 deletions(-)
 delete mode 100644 
package/utils/busybox/patches/130-mconf_missing_sigwinch.patch

diff --git a/package/utils/busybox/patches/130-mconf_missing_sigwinch.patch 
b/package/utils/busybox/patches/130-mconf_missing_sigwinch.patch
deleted file mode 100644
index b8ca2122b8..00
--- a/package/utils/busybox/patches/130-mconf_missing_sigwinch.patch
+++ /dev/null
@@ -1,13 +0,0 @@
 a/scripts/kconfig/mconf.c
-+++ b/scripts/kconfig/mconf.c
-@@ -31,6 +31,10 @@
- #define SIGWINCH 28
- #endif
- 
-+#ifndef SIGWINCH
-+#define SIGWINCH 28
-+#endif
-+
- #define LKC_DIRECT_LINK
- #include "lkc.h"
- 
-- 
2.20.1




[PATCH] busybox: tr: enable options required by POSIX

2020-07-13 Thread Magnus Kroken
Support for character classes (e.g. [:upper:] and [:lower:]) and
equivalence classes (e.g. [=a=]) in the tr utility is required by POSIX.
This change increases package size by approx. 500 bytes.

Size before:
208372 busybox_1.31.1-1_mips_24kc.ipk

Size after:
208895 busybox_1.31.1-1_mips_24kc.ipk

Signed-off-by: Magnus Kroken 
Reported-by: Jordan Geoghegan 
---
This was discussed a few days ago [1], but the patch wasn't caught by
Patchwork. Resending.

Jordan: I was not able to apply your patch, but it was easy enough to
fix. Please consider using git-send-email for future patches, as it
ensures it is formatted so Patchwork [2] will keep track of it, and
solves most formatting issues that may occur between author and committer.

1: https://lists.openwrt.org/pipermail/openwrt-devel/2020-July/030021.html
2: https://patchwork.ozlabs.org/project/openwrt/list/
 package/utils/busybox/Config-defaults.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/utils/busybox/Config-defaults.in 
b/package/utils/busybox/Config-defaults.in
index 29724041f4..76c51cf7e9 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -837,10 +837,10 @@ config BUSYBOX_DEFAULT_TR
default y
 config BUSYBOX_DEFAULT_FEATURE_TR_CLASSES
bool
-   default n
+   default y
 config BUSYBOX_DEFAULT_FEATURE_TR_EQUIV
bool
-   default n
+   default y
 config BUSYBOX_DEFAULT_TRUE
bool
default y
-- 
2.20.1




Re: 'tr' character class support?

2020-07-10 Thread Magnus Kroken

Hi Jordan

On 10.07.2020 22:45, Jordan Geoghegan wrote:

Hey folks,

Does the 'tr' utility support character classes in OpenWRT? I was 
playing around with an OpenWRT x86_64 VM and I noticed that 'tr' doesn't 
seem to support character classes.
The command " echo HELLO | tr '[:upper:]' '[:lower:]' "  does not 
convert the text to lowercase as it should (and as required by 
POSIX).
This would be expected behavior. OpenWrt disables tr character classes 
in BusyBox by default, see [1]:


config BUSYBOX_DEFAULT_FEATURE_TR_CLASSES
bool
default n
config BUSYBOX_DEFAULT_FEATURE_TR_EQUIV
bool
default n

I don't know what the size cost in the BusyBox binary is, but that will 
likely be the deciding factor for such a change.


1: 
https://git.openwrt.org/?p=openwrt/openwrt.git;a=blob;f=package/utils/busybox/Config-defaults.in


Regards,
Magnus Kroken



Re: [OpenWrt-Devel] How am I supposed to change settings in /etc/config/network of default root file system of OpenWRT?

2020-05-20 Thread Magnus Kroken

Hi

On 20.05.2020 02:01, Jeonghum Joh wrote:

Hello Magnus Kroken,

Thank you so much!
Your script works like a charm!

I'd like to use this script in our board. This board would be our 
customer's new product - 5G router.

We are Telesquare Inc. (www.telesquare.co.kr <http://www.telesquare.co.kr>)

I'd like to write copyright to your name.
And I'd like you to clarify the license of this script.

Please let me know your opinion.

Thank you very much!
Jeonghum


Appreciate the consideration, although I'm not sure this snippet is 
substantial enough to be copyrightable. No matter I suppose - if it is 
copyrightable I can license it, if it is too simple to be copyrightable 
any claim of copyright is invalid and it can safely be used by anyone.


I have put a slightly clarified version as a Gist: 
https://gist.github.com/mkrkn/4ba4bef3f0d541aa1180bef4156b340c


Regards
Magnus Kroken



Re: [OpenWrt-Devel] How am I supposed to change settings in /etc/config/network of default root file system of OpenWRT?

2020-05-19 Thread Magnus Kroken

Sorry, forgot reply-to list.

On 19.05.2020 13:23, Jeonghum Joh wrote:

Thank you!

But I have another question :

   config zone
           option name       wan
           list   network          'wan'
           list   network          'wan6'
+        list   network          'wwan'
           option input            REJECT
           option output           ACCEPT
           option forward          REJECT

Above is part of /etc/config/firewall.
And as you see, I'd like to add new interface wwan into zone wan.
How can I write uci command script for this?

Thank you very much!
Jeonghum


Here is an untested snippet I found in an old uci-defaults script of mine.

8<
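#!/bin/sh
# uci-defaults snippet: find the firewall zones named "lan" and "wan" and
# add the "wwan" interface to the wan zone's network list.
# config_load, config_foreach and config_get come from /lib/functions.sh.
# Deliberately no 'uci commit' here; the caller decides when to commit.
. /lib/functions.sh

lanzone_var=""
wanzone_var=""

# config_foreach callback; $1 is the section id of one firewall zone.
# Remembers the section ids of the zones whose "name" option is lan / wan.
find_firewall_zones () {
	local config="$1"
	local zone_name

	config_get zone_name "$config" name

	# A case statement avoids the '==' operator, which is a bash/busybox
	# extension to test(1) and fails under a strict POSIX sh such as dash.
	case "$zone_name" in
	lan) lanzone_var="$config" ;;
	wan) wanzone_var="$config" ;;
	esac

	return 0
}

config_load firewall
config_foreach find_firewall_zones zone

# With no matching zone the path would expand to "firewall..network",
# creating a malformed entry, so only touch the config when a zone was found.
if [ -n "$wanzone_var" ]; then
	uci -q add_list firewall.${wanzone_var}.network='wwan'
fi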
>8

I don't think I actually used this, I wrote it because I thought I might 
need it and it followed the same pattern as manipulating network.vlan 
sections. I do know it doesn't work in my current device script, 
although I attempted to fix that error in the code above. Consider it a 
hint.


In addition, I've not mentioned 'uci commit' or commands to reload 
configuration/services, which you probably also want to add in these 
scripts.


Regards,
Magnus Kroken



Re: [OpenWrt-Devel] How am I supposed to change settings in /etc/config/network of default root file system of OpenWRT?

2020-05-19 Thread Magnus Kroken

Hi

On 19.05.2020 08:30, Jeonghum Joh wrote:
> config interface 'wwan'

         option ifname 'usb0'
         option proto 'dhcp'

So I added something like below to 
package/base-files/files/etc/board.d/99-default_network :


   ucidef_set_interface_lan 'eth0'
   [ -d /sys/class/net/eth1 ] && ucidef_set_interface_wan 'eth1'
+[ -d /sys/class/net/usb0 ] && ucidef_set_interface_wan 'usb0'

But this didn't resolve my problem.

I think I can just make some commands into startup script.
Isn't there more grace approach for me to automatically add usb0 
interface into /etc/config/network?


As already suggested, use the files/ directory to include files.

$ cd openwrt # change to the root of your OpenWrt build environment
$ mkdir -p files/etc/uci-defaults
$ mkdir -p files/etc/config

Now you have two options.

1. Put your complete working /etc/config/network file in the files/ 
tree, so it resides at files/etc/config/network.


2. Write a script with the UCI commands needed to change your config, 
and put it in files/etc/uci-defaults. I name mine e.g. 
zzz_33_device_config, so that they are executed as late as possible.


The commands you would need for option 2 are probably:

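# uci-defaults snippet: define a DHCP-configured "wwan" interface on usb0.
# Guarded on the device node so the script is harmless on boards without
# the USB NIC; uci-defaults removes the script after a successful run.
if [ -d /sys/class/net/usb0 ]; then
	uci -q set network.wwan=interface
	uci -q set network.wwan.proto='dhcp'
	uci -q set network.wwan.ifname='usb0'
fi
exit 0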

This is very simple; you may want to script checks to ensure the script 
is running on the correct device (e.g. by checking for a MAC address), and 
that the usb0 device exists.


Regards
Magnus Kroken


Thank you in advance.
Jeonghum





[OpenWrt-Devel] [PATCH] openvpn: update to 2.4.9

2020-04-17 Thread Magnus Kroken
This is primarily a maintenance release with bugfixes and improvements.
This release also fixes a security issue (CVE-2020-11810) which allows
disrupting service of a freshly connected client that has not yet
negotiated session keys. The vulnerability cannot be used to
inject or steal VPN traffic.

Release announcement:
https://openvpn.net/community-downloads/#heading-13812
Full list of changes:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.9

Signed-off-by: Magnus Kroken 
---
Compile- and run-tested on arm.

Tests run: openvpn-mbedtls as server.

 package/network/services/openvpn/Makefile | 4 ++--
 .../patches/100-mbedtls-disable-runtime-version-check.patch   | 2 +-
 .../110-openssl-dont-use-deprecated-ssleay-symbols.patch  | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/network/services/openvpn/Makefile 
b/package/network/services/openvpn/Makefile
index baa8c1d07e..5f102d967d 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.8
+PKG_VERSION:=2.4.9
 PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
+PKG_HASH:=641f3add8694b2ccc39fd4fd92554e4f089ad16a8db6d2b473ec284839a5ebe2
 
 PKG_MAINTAINER:=Felix Fietkau 
 
diff --git 
a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
 
b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index 7fc0089000..cb16a906fe 100644
--- 
a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ 
b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1406,7 +1406,7 @@ const char *
+@@ -1415,7 +1415,7 @@ const char *
  get_ssl_library_version(void)
  {
  static char mbedtls_version[30];
diff --git 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
index 7e9931f0f3..c7faf7c0c0 100644
--- 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
+++ 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -47,7 +47,7 @@ Signed-off-by: Gert Doering 
  #endif
 --- a/src/openvpn/ssl_openssl.c
 +++ b/src/openvpn/ssl_openssl.c
-@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char *
+@@ -2008,7 +2008,7 @@ get_highest_preference_tls_cipher(char *
  const char *
  get_ssl_library_version(void)
  {
-- 
2.20.1




[OpenWrt-Devel] [PATCH] mbedtls: update to 2.16.6

2020-04-16 Thread Magnus Kroken
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters

Full release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released

Signed-off-by: Magnus Kroken 
---
Compile- and run-tested on arm/mvebu.

Tests run:
openvpn-mbedtls (as server)
uhttpd and uclient-fetch using libustream-mbedtls

 package/libs/mbedtls/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 7ceb0dc4af..04f80f4715 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.5
+PKG_VERSION:=2.16.6
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=6ebdea6565c714f1315b9af6a802afb4b4e89976f7d5d2b15aa8028eb52e7d09
+PKG_HASH:=80a484df42f32dbe95665cd4b18ce0dd14b6c67dfd561d36d1475802e41eb3ed
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0-or-later
-- 
2.20.1




Re: [OpenWrt-Devel] [PATCH] ath79: switch to kernel 5.4

2020-04-03 Thread Magnus Kroken

Hi all

On 03.04.2020 11:21, Bjørn Mork wrote:

David Bauer  writes:


As the reported major bugs are ironed out, switch to the new kernel to
begin testing with a broader audience.



Hmm... I wonder if you might want to hold back on that for a while.

I have no useful info yet since I don't have console access on this
device, but I just lost network access to a UniFi AP AC PRO after trying
out current master (fcd14017007d).


I held back and planned to report when I have a log from serial, but I'm 
sending this now since this sounds similar to my experience.


I've tested 5.4 on my tl-wdr4300v1, and it got stuck in a reboot loop 
recently. I plan to get a serial connection on it this weekend to see 
exactly what happens, but with the easy TFTP recovery I've bisected it 
to the GCC 8.4 update. Doing a dirclean between each test, 
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=db70077668e757a27f41d9cb3c84f28ea7d4c22e 
is the first bad commit. This is the simple config I've used for testing:


CONFIG_TARGET_ath79=y
CONFIG_TARGET_ath79_generic=y
CONFIG_TARGET_ath79_generic_DEVICE_tplink_tl-wdr4300-v1=y
CONFIG_LINUX_5_4=y
CONFIG_TESTING_KERNEL=y

Testing is on hold as the device is in service right now, but I'd 
appreciate any ideas for further testing.


/Magnus



[OpenWrt-Devel] [PATCH] mpc85xx: set kernel 4.19 as default, 5.4 as testing kernel

2020-03-01 Thread Magnus Kroken
Signed-off-by: Magnus Kroken 
---
According to the e-mail about pushing kernel 5.4 support to master, 5.4 was
added as the testing kernel for supported targets. For mpc85xx, however, 5.4
was set as the default kernel. (This technically also applies to ipq807x, but
master has no support for that target on any prior kernel.)

I send this patch purely based on the content of the mentioned message.
I have tested 5.4 briefly on tl-wdr4900-v1, it boots and ethernet works. 
There may be reasons to prefer 5.4 over 4.19 on mpc85xx that I am
unaware of, and I'd appreciate any input.

 target/linux/mpc85xx/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/target/linux/mpc85xx/Makefile b/target/linux/mpc85xx/Makefile
index b0f92ccf26..9c686a1b01 100644
--- a/target/linux/mpc85xx/Makefile
+++ b/target/linux/mpc85xx/Makefile
@@ -14,7 +14,8 @@ FEATURES:=squashfs ramdisk
 MAINTAINER:=Imre Kaloz 
 SUBTARGETS:=generic p1020 p2020
 
-KERNEL_PATCHVER:=5.4
+KERNEL_PATCHVER:=4.19
+KERNEL_TESTING_PATCHVER:=5.4
 
 KERNELNAME:=zImage
 
-- 
2.20.1




Re: [OpenWrt-Devel] [PATCH] mbedtls: update to 2.16.4

2020-01-25 Thread Magnus Kroken

On 25.01.2020 18:33, Magnus Kroken wrote:

Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.

Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

Signed-off-by: Magnus Kroken 
---


Please note: upstream did not update include/mbedtls/version.h when 
releasing 2.16.4, so it still carries 2.16.3. The .so filenames, as well as 
any software relying on e.g. MBEDTLS_VERSION_NUMBER or the reported version 
string (including version-based vulnerability checks), will therefore report 
2.16.3 even though the fixed code is installed. This has been reported 
upstream[1].


I have not modified version.h in this patch, as upstream has not yet 
committed any updates or confirmed a fixed release.


1: https://github.com/ARMmbed/mbedtls/issues/3004

Regards,
Magnus Kroken



[OpenWrt-Devel] [PATCH] mbedtls: update to 2.16.4

2020-01-25 Thread Magnus Kroken
Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.

Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

Signed-off-by: Magnus Kroken 
---
Runtime-tested on mips/ath79. Tested with uhttpd and uclient-fetch using
libustream-mbedtls.

 package/libs/mbedtls/Makefile |  4 +-
 package/libs/mbedtls/patches/200-config.patch | 44 +--
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 307d03432e..618a74703a 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.3
+PKG_VERSION:=2.16.4
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=fd01fe4b289116df7781d05e1ef712b6c98823c5334f4a27404f13a8d066ef6a
+PKG_HASH:=5fdb9c43ab43fd9bcc3631508170b089ede7b86dd655253a93cb0ffeb42309f3
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
diff --git a/package/libs/mbedtls/patches/200-config.patch 
b/package/libs/mbedtls/patches/200-config.patch
index a09cf1f49b..298fa4aa79 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -750,19 +750,19 @@
+@@ -757,19 +757,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -864,7 +864,7 @@
+@@ -871,7 +871,7 @@
   * See dhm.h for more details.
   *
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -884,7 +884,7 @@
+@@ -891,7 +891,7 @@
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -909,7 +909,7 @@
+@@ -916,7 +916,7 @@
   *  MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1043,7 +1043,7 @@
+@@ -1050,7 +1050,7 @@
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1067,7 +1067,7 @@
+@@ -1074,7 +1074,7 @@
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1171,7 +1171,7 @@
+@@ -1178,7 +1178,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1266,14 +1266,14 @@
+@@ -1273,14 +1273,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1427,7 +1427,7 @@
+@@ -1434,7 +1434,7 @@
   *  configuration of this extension).
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1602,7 +1602,7 @@
+@@ -1609,7 +1609,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1632,7 +1632,7 @@
+@@ -1639,7 +1639,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1691,7 +1691,7 @@
+@@ -1698,7 +1698,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -2021,7 +2021,7 @@
+@@ -2028,7 +2028,7 @@
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2087,7 +2087,7 @@
+@@ -2094,7 +2094,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2099,7 +2099,7 @@
+@@ -2106,7 +2106,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2203,7 +2203,7 @@
+@@ -2214,7 +2214,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *security risk. We recommend considering stronger ciphers 
instead.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2366,7 +2366,7 @@
+@@ -2377,7 +2377,7 @@
   * This module adds support for the Hashed Message

[OpenWrt-Devel] [PATCH] openvpn: update to 2.4.8

2019-11-01 Thread Magnus Kroken
Backport two upstream commits that allow building
openvpn-openssl without OpenSSL's deprecated APIs.

Full changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24#OpenVPN2.4.8

Signed-off-by: Magnus Kroken 
---
Runtime-tested openvpn-mbedtls and openvpn-openssl on x86_64. 
openvpn-openssl was tested against libopenssl built with and without
deprecated APIs.

This patch can be cherry-picked to openwrt-19.07.

 package/network/services/openvpn/Makefile |  8 +--
 ...l-dont-use-deprecated-ssleay-symbols.patch | 58 +
 ...enssl-add-missing-include-statements.patch | 65 +++
 .../210-build_always_use_internal_lz4.patch   |  2 +-
 .../openvpn/patches/220-disable_des.patch |  2 +-
 5 files changed, 129 insertions(+), 6 deletions(-)
 create mode 100644 
package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 create mode 100644 
package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch

diff --git a/package/network/services/openvpn/Makefile 
b/package/network/services/openvpn/Makefile
index aed9f43f80..baa8c1d07e 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.7
-PKG_RELEASE:=2
+PKG_VERSION:=2.4.8
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648
+PKG_HASH:=fb8ca66bb7807fff595fbdf2a0afd085c02a6aa47715c9aa3171002f9f1a3f91
 
 PKG_MAINTAINER:=Felix Fietkau 
 
@@ -44,7 +44,7 @@ else
 endif
 endef
 
-Package/openvpn-openssl=$(call 
Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl 
+@OPENSSL_WITH_DEPRECATED)
+Package/openvpn-openssl=$(call 
Package/openvpn/Default,openssl,OpenSSL,+PACKAGE_openvpn-openssl:libopenssl)
 Package/openvpn-mbedtls=$(call 
Package/openvpn/Default,mbedtls,mbedTLS,+PACKAGE_openvpn-mbedtls:libmbedtls)
 Package/openvpn-nossl=$(call Package/openvpn/Default,nossl,plaintext (no SSL))
 
diff --git 
a/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
new file mode 100644
index 00..7e9931f0f3
--- /dev/null
+++ 
b/package/network/services/openvpn/patches/110-openssl-dont-use-deprecated-ssleay-symbols.patch
@@ -0,0 +1,58 @@
+From 17a476fd5c8cc49f1d103a50199e87ede76b1b67 Mon Sep 17 00:00:00 2001
+From: Steffan Karger 
+Date: Sun, 26 Nov 2017 16:04:00 +0100
+Subject: [PATCH] openssl: don't use deprecated SSLEAY/SSLeay symbols
+
+Compiling our current master against OpenSSL 1.1 with
+-DOPENSSL_API_COMPAT=0x1010L screams bloody murder.  This patch fixes
+the errors about the deprecated SSLEAY/SSLeay symbols and defines.
+
+Signed-off-by: Steffan Karger 
+Acked-by: Gert Doering 
+Message-Id: <20171126150401.28565-1-stef...@karger.me>
+URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15934.html
+Signed-off-by: Gert Doering 
+---
+ configure.ac | 1 +
+ src/openvpn/openssl_compat.h | 8 
+ src/openvpn/ssl_openssl.c| 2 +-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/configure.ac
 b/configure.ac
+@@ -904,6 +904,7 @@ if test "${enable_crypto}" = "yes" -a "$
+   EVP_MD_CTX_free \
+   EVP_MD_CTX_reset \
+   EVP_CIPHER_CTX_reset \
++  OpenSSL_version \
+   SSL_CTX_get_default_passwd_cb \
+   SSL_CTX_get_default_passwd_cb_userdata \
+   SSL_CTX_set_security_level \
+--- a/src/openvpn/openssl_compat.h
 b/src/openvpn/openssl_compat.h
+@@ -689,6 +689,14 @@ EC_GROUP_order_bits(const EC_GROUP *grou
+ #endif
+ 
+ /* SSLeay symbols have been renamed in OpenSSL 1.1 */
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION SSLEAY_VERSION
++#endif
++
++#ifndef HAVE_OPENSSL_VERSION
++#define OpenSSL_version SSLeay_version
++#endif
++
+ #if !defined(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT)
+ #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT   RSA_F_RSA_EAY_PRIVATE_ENCRYPT
+ #endif
+--- a/src/openvpn/ssl_openssl.c
 b/src/openvpn/ssl_openssl.c
+@@ -1977,7 +1977,7 @@ get_highest_preference_tls_cipher(char *
+ const char *
+ get_ssl_library_version(void)
+ {
+-return SSLeay_version(SSLEAY_VERSION);
++return OpenSSL_version(OPENSSL_VERSION);
+ }
+ 
+ #endif /* defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL) */
diff --git 
a/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
 
b/package/network/services/openvpn/patches/111-openssl-add-missing-include-statements.patch
new file mode 100644
ind

[OpenWrt-Devel] [PATCH 19.07] mbedtls: update to 2.16.3

2019-09-18 Thread Magnus Kroken
Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.

Signed-off-by: Magnus Kroken 
---
 package/libs/mbedtls/Makefile |  4 +-
 package/libs/mbedtls/patches/200-config.patch | 46 +--
 ...optimized-MULADDC-code-only-on-ARM-6.patch | 27 ---
 3 files changed, 25 insertions(+), 52 deletions(-)
 delete mode 100644 
package/libs/mbedtls/patches/300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 03f291ebc3..307d03432e 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.2
+PKG_VERSION:=2.16.3
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=40d18965dd36ce0158a2b037c8c54401bad54f683f4311502518ee1a1a0b622c
+PKG_HASH:=fd01fe4b289116df7781d05e1ef712b6c98823c5334f4a27404f13a8d066ef6a
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
diff --git a/package/libs/mbedtls/patches/200-config.patch 
b/package/libs/mbedtls/patches/200-config.patch
index da482eb027..a09cf1f49b 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -599,14 +599,14 @@
+@@ -633,14 +633,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -716,19 +716,19 @@
+@@ -750,19 +750,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -830,7 +830,7 @@
+@@ -864,7 +864,7 @@
   * See dhm.h for more details.
   *
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -850,7 +850,7 @@
+@@ -884,7 +884,7 @@
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -875,7 +875,7 @@
+@@ -909,7 +909,7 @@
   *  MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1009,7 +1009,7 @@
+@@ -1043,7 +1043,7 @@
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1033,7 +1033,7 @@
+@@ -1067,7 +1067,7 @@
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1137,7 +1137,7 @@
+@@ -1171,7 +1171,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1232,14 +1232,14 @@
+@@ -1266,14 +1266,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1393,7 +1393,7 @@
+@@ -1427,7 +1427,7 @@
   *  configuration of this extension).
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1568,7 +1568,7 @@
+@@ -1602,7 +1602,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1598,7 +1598,7 @@
+@@ -1632,7 +1632,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1657,7 +1657,7 @@
+@@ -1691,7 +1691,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1987,7 +1987,7 @@
+@@ -2021,7 +2021,7 @@
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2053,7 +2053,7 @@
+@@ -2087,7 +2087,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2065,7 +2065,7 @@
+@@ -2099,7 +2099,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2169,7 +2169,7 @@
+@@ -2203,7 +2203,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *security risk. We recommend considering stronger ciphers 
instead.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def MBEDTLS_DHM_C
-@@ -2332,7

[OpenWrt-Devel] [PATCH] mbedtls: update to 2.16.3

2019-09-18 Thread Magnus Kroken
Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.

Signed-off-by: Magnus Kroken 
---
Runtime-tested on: ath79

 package/libs/mbedtls/Makefile |  4 +-
 package/libs/mbedtls/patches/200-config.patch | 46 +--
 ...optimized-MULADDC-code-only-on-ARM-6.patch | 27 ---
 3 files changed, 25 insertions(+), 52 deletions(-)
 delete mode 100644 
package/libs/mbedtls/patches/300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 03f291ebc3..307d03432e 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.16.2
+PKG_VERSION:=2.16.3
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=40d18965dd36ce0158a2b037c8c54401bad54f683f4311502518ee1a1a0b622c
+PKG_HASH:=fd01fe4b289116df7781d05e1ef712b6c98823c5334f4a27404f13a8d066ef6a
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
diff --git a/package/libs/mbedtls/patches/200-config.patch 
b/package/libs/mbedtls/patches/200-config.patch
index da482eb027..a09cf1f49b 100644
--- a/package/libs/mbedtls/patches/200-config.patch
+++ b/package/libs/mbedtls/patches/200-config.patch
@@ -1,6 +1,6 @@
 --- a/include/mbedtls/config.h
 +++ b/include/mbedtls/config.h
-@@ -599,14 +599,14 @@
+@@ -633,14 +633,14 @@
   *
   * Enable Output Feedback mode (OFB) for symmetric ciphers.
   */
@@ -17,7 +17,7 @@
  
  /**
   * \def MBEDTLS_CIPHER_NULL_CIPHER
-@@ -716,19 +716,19 @@
+@@ -750,19 +750,19 @@
   *
   * Comment macros to disable the curve and functions for it
   */
@@ -46,7 +46,7 @@
  
  /**
   * \def MBEDTLS_ECP_NIST_OPTIM
-@@ -830,7 +830,7 @@
+@@ -864,7 +864,7 @@
   * See dhm.h for more details.
   *
   */
@@ -55,7 +55,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
-@@ -850,7 +850,7 @@
+@@ -884,7 +884,7 @@
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
   */
@@ -64,7 +64,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
-@@ -875,7 +875,7 @@
+@@ -909,7 +909,7 @@
   *  MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
   *  MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
   */
@@ -73,7 +73,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-@@ -1009,7 +1009,7 @@
+@@ -1043,7 +1043,7 @@
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -82,7 +82,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
-@@ -1033,7 +1033,7 @@
+@@ -1067,7 +1067,7 @@
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
   */
@@ -91,7 +91,7 @@
  
  /**
   * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
-@@ -1137,7 +1137,7 @@
+@@ -1171,7 +1171,7 @@
   * This option is only useful if both MBEDTLS_SHA256_C and
   * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
   */
@@ -100,7 +100,7 @@
  
  /**
   * \def MBEDTLS_ENTROPY_NV_SEED
-@@ -1232,14 +1232,14 @@
+@@ -1266,14 +1266,14 @@
   * Uncomment this macro to disable the use of CRT in RSA.
   *
   */
@@ -117,7 +117,7 @@
  
  /**
   * \def MBEDTLS_SHA256_SMALLER
-@@ -1393,7 +1393,7 @@
+@@ -1427,7 +1427,7 @@
   *  configuration of this extension).
   *
   */
@@ -126,7 +126,7 @@
  
  /**
   * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
-@@ -1568,7 +1568,7 @@
+@@ -1602,7 +1602,7 @@
   *
   * Comment this macro to disable support for SSL session tickets
   */
@@ -135,7 +135,7 @@
  
  /**
   * \def MBEDTLS_SSL_EXPORT_KEYS
-@@ -1598,7 +1598,7 @@
+@@ -1632,7 +1632,7 @@
   *
   * Comment this macro to disable support for truncated HMAC in SSL
   */
@@ -144,7 +144,7 @@
  
  /**
   * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
-@@ -1657,7 +1657,7 @@
+@@ -1691,7 +1691,7 @@
   *
   * Comment this to disable run-time checking and save ROM space
   */
@@ -153,7 +153,7 @@
  
  /**
   * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
-@@ -1987,7 +1987,7 @@
+@@ -2021,7 +2021,7 @@
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
   *  MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
   */
@@ -162,7 +162,7 @@
  
  /**
   * \def MBEDTLS_ARIA_C
-@@ -2053,7 +2053,7 @@
+@@ -2087,7 +2087,7 @@
   * This module enables the AES-CCM ciphersuites, if other requisites are
   * enabled as well.
   */
@@ -171,7 +171,7 @@
  
  /**
   * \def MBEDTLS_CERTS_C
-@@ -2065,7 +2065,7 @@
+@@ -2099,7 +2099,7 @@
   *
   * This module is used for testing (ssl_client/server).
   */
@@ -180,7 +180,7 @@
  
  /**
   * \def MBEDTLS_CHACHA20_C
-@@ -2169,7 +2169,7 @@
+@@ -2203,7 +2203,7 @@
   * \warning   DES is considered a weak cipher and its use constitutes a
   *security risk. We recommend considering stronger ciphers 
instead.
   */
@@ -189,7 +189,7 @@
  
  /**
   * \def

Re: [OpenWrt-Devel] kernel: bump 4.19 to 4.19.72 broke ath79

2019-09-14 Thread Magnus Kroken

Hi Andre

On 14.09.2019 10:49, Andre Valentin wrote:

It seems the kernel bump broke ath79 compilation. The problem lies in
target/linux/ath79/patches-4.19/0028-MIPS-ath79-drop-machfiles.patch

It cannot be applied anymore. I tried a quick fix, but there seems to be a 
bigger change.


The culprit isn't the kernel update, but this commit:
00d48bcac0 ar71xx: Fix potentially missed IRQ handling during dispatch

Koen (or anyone else), can you shed some light on this one? I mostly 
poke at kernel patches until something happens, I don't really 
understand hardware/kernel well. Some things jump out:


1. The commit message is labeled ar71xx, but the patch is applied to the 
generic target. It patches kernel files that IIUC are used by both ath79 
and ar71xx targets.
2. It modifies arch/mips/ath79/irq.c. The patch that fails on ath79, 
0027-MIPS-ath79-drop-legacy-IRQ-code, deletes this file completely 
(which now fails, as the file content is changed by 
343-MIPS-ath79-Fix-potentially-missed-IRQ-handling-durin.patch).



Kind regards,

André


Regards,
Magnus Kroken



[OpenWrt-Devel] [PATCH] openvpn: update to 2.4.7

2019-03-27 Thread Magnus Kroken
Signed-off-by: Magnus Kroken 
---
 package/network/services/openvpn/Makefile   | 6 +++---
 .../openvpn/patches/100-mbedtls-disable-runtime-version-check.patch | 2 +-
 .../openvpn/patches/210-build_always_use_internal_lz4.patch | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/network/services/openvpn/Makefile 
b/package/network/services/openvpn/Makefile
index 9eef7f4cdc..e5bd80649a 100644
--- a/package/network/services/openvpn/Makefile
+++ b/package/network/services/openvpn/Makefile
@@ -9,14 +9,14 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openvpn
 
-PKG_VERSION:=2.4.6
-PKG_RELEASE:=3
+PKG_VERSION:=2.4.7
+PKG_RELEASE:=1
 
 PKG_SOURCE_URL:=\
https://build.openvpn.net/downloads/releases/ \
https://swupdate.openvpn.net/community/releases/
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_HASH:=4f6434fa541cc9e363434ea71a16a62cf2615fb2f16af5b38f43ab5939998c26
+PKG_HASH:=a42f53570f669eaf10af68e98d65b531015ff9e12be7a62d9269ea684652f648
 
 
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
 PKG_MAINTAINER:=Felix Fietkau 
diff --git 
a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
 
b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
index 5608fa4430..7fc0089000 100644
--- 
a/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
+++ 
b/package/network/services/openvpn/patches/100-mbedtls-disable-runtime-version-check.patch
@@ -1,6 +1,6 @@
 --- a/src/openvpn/ssl_mbedtls.c
 +++ b/src/openvpn/ssl_mbedtls.c
-@@ -1394,7 +1394,7 @@ const char *
+@@ -1406,7 +1406,7 @@ const char *
  get_ssl_library_version(void)
  {
  static char mbedtls_version[30];
diff --git 
a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
 
b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
index a99f923644..dc4039c3e6 100644
--- 
a/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
+++ 
b/package/network/services/openvpn/patches/210-build_always_use_internal_lz4.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -1077,68 +1077,15 @@ dnl
+@@ -1078,68 +1078,15 @@ dnl
  AC_ARG_VAR([LZ4_CFLAGS], [C compiler flags for lz4])
  AC_ARG_VAR([LZ4_LIBS], [linker flags for lz4])
  if test "$enable_lz4" = "yes" && test "$enable_comp_stub" = "no"; then
-- 
2.11.0




Re: [OpenWrt-Devel] [PATCH] patch: apply upstream cve fixes

2018-10-14 Thread Magnus Kroken

Hi Russell, Kevin

On 14.10.2018 11:34, Russell Senior wrote:


Apply two upstream patches to address two CVEs:

  * CVE-2018-1000156
  * CVE-2018-6952

Add PKG_CPE_ID to Makefile.

Build tested on apm821xx and ar71xx.

Signed-off-by: Russell Senior 
---
  tools/patch/Makefile  |   2 +
  .../patch/patches/010-CVE-2018-1000156.patch  | 209 ++
  tools/patch/patches/020-CVE-2018-6952.patch   |  30 +++
  3 files changed, 240 insertions(+)
  create mode 100644 tools/patch/patches/010-CVE-2018-1000156.patch
  create mode 100644 tools/patch/patches/020-CVE-2018-6952.patch


This change causes tools/patch/compile to fail, with:

make[5]: Leaving directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/src'

Making all in tests
make[5]: Entering directory 
'/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/tests'
 cd .. && /usr/bin/env bash 
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing 
automake-1.15 --gnu tests/Makefile
/var/lib/buildbot/slaves/slashdirt-02/MAIN/build/build_dir/host/patch-2.7.6/build-aux/missing: 
line 81: automake-1.15: command not found

WARNING: 'automake-1.15' is missing on your system.
 You should only need it if you modified 'Makefile.am' or
 'configure.ac' or m4 files included by 'configure.ac'.
 The 'automake' program is part of the GNU Automake package:
 
 It also requires GNU Autoconf, GNU m4 and Perl in order to run:
 
 
 
Makefile:1361: recipe for target 'Makefile.in' failed

Making patch depend on automake allows patch to build successfully, but 
I'm not sure that's the correct fix. Looking casually at the changes in 
the tests/ directory that these CVE patches do, I don't immediately see 
why this pulls in automake.


I worked around this by:
diff --git a/tools/Makefile b/tools/Makefile
index 9a354f6c70..7a9abddad7 100644
--- a/tools/Makefile
+++ b/tools/Makefile
@@ -76,7 +76,7 @@ $(curdir)/zlib/compile := $(curdir)/cmake/compile
 $(curdir)/wrt350nv2-builder/compile := $(curdir)/zlib/compile
 $(curdir)/lzma-old/compile := $(curdir)/zlib/compile
 $(curdir)/make-ext4fs/compile := $(curdir)/zlib/compile
-
+$(curdir)/patch/compile := $(curdir)/automake/compile
 ifneq ($(HOST_OS),Linux)
   tools-y += coreutils
 endif
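Review bot: The new dependency line replaces the blank line that separated the per-tool dependency list from the `ifneq ($(HOST_OS),Linux)` block, so the list now runs straight into the conditional; add `$(curdir)/patch/compile := $(curdir)/automake/compile` above the separator and keep the empty line in place. On the substance, the quoted error is raised while regenerating `tests/Makefile`, which suggests the CVE patches touch `tests/Makefile.am` and trip the autotools rebuild rule; if that is the cause, depending on the host automake does make the build succeed but regenerates the build files with whatever automake version the host tree carries. An alternative that avoids adding a host tool dependency would be to have the patch also update the generated `tests/Makefile.in`, or to drop the tests/ hunks, which should not affect the installed patch binary; this is inferred from the log excerpt and worth confirming against the patch contents.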


Regards
/Magnus



[OpenWrt-Devel] [PATCH 3/3] mpc85xx: remove kernel 4.9 support

2018-10-05 Thread Magnus Kroken
Signed-off-by: Magnus Kroken 
---
 target/linux/mpc85xx/config-4.9| 361 -
 ...erpc-85xx-add-gpio-keys-to-of-match-table.patch |  10 -
 .../100-powerpc-85xx-tl-wdr4900-v1-support.patch   |  78 -
 .../101-powerpc-85xx-hiveap-330-support.patch  |  30 --
 .../102-powerpc-add-cmdline-override.patch |  37 ---
 5 files changed, 516 deletions(-)
 delete mode 100644 target/linux/mpc85xx/config-4.9
 delete mode 100644 
target/linux/mpc85xx/patches-4.9/001-powerpc-85xx-add-gpio-keys-to-of-match-table.patch
 delete mode 100644 
target/linux/mpc85xx/patches-4.9/100-powerpc-85xx-tl-wdr4900-v1-support.patch
 delete mode 100644 
target/linux/mpc85xx/patches-4.9/101-powerpc-85xx-hiveap-330-support.patch
 delete mode 100644 
target/linux/mpc85xx/patches-4.9/102-powerpc-add-cmdline-override.patch

diff --git a/target/linux/mpc85xx/config-4.9 b/target/linux/mpc85xx/config-4.9
deleted file mode 100644
index 68568c4a62..00
--- a/target/linux/mpc85xx/config-4.9
+++ /dev/null
@@ -1,361 +0,0 @@
-# CONFIG_40x is not set
-# CONFIG_44x is not set
-# CONFIG_ADVANCED_OPTIONS is not set
-CONFIG_AR8216_PHY=y
-CONFIG_AR8216_PHY_LEDS=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
-CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
-CONFIG_ARCH_HAS_DMA_SET_COHERENT_MASK=y
-CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
-CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
-CONFIG_ARCH_HAS_ILOG2_U32=y
-CONFIG_ARCH_HAS_SG_CHAIN=y
-CONFIG_ARCH_HAS_WALK_MEMORY=y
-CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
-CONFIG_ARCH_HIBERNATION_POSSIBLE=y
-CONFIG_ARCH_MAY_HAVE_PC_FDC=y
-CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
-CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
-# CONFIG_ARCH_RANDOM is not set
-CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
-CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
-CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
-CONFIG_ARCH_SUPPORTS_UPROBES=y
-CONFIG_ARCH_SUSPEND_POSSIBLE=y
-CONFIG_ARCH_USE_BUILTIN_BSWAP=y
-CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
-CONFIG_ASN1=y
-CONFIG_AUDIT_ARCH=y
-CONFIG_BLK_MQ_PCI=y
-CONFIG_BOOKE=y
-CONFIG_BOOKE_WDT=y
-CONFIG_BOUNCE=y
-# CONFIG_BSC9131_RDB is not set
-# CONFIG_BSC9132_QDS is not set
-# CONFIG_C293_PCIE is not set
-CONFIG_CLONE_BACKWARDS=y
-CONFIG_CLZ_TAB=y
-CONFIG_CMDLINE="console=ttyS0,115200"
-CONFIG_CMDLINE_BOOL=y
-# CONFIG_CMDLINE_OVERRIDE is not set
-# CONFIG_CORENET_GENERIC is not set
-# CONFIG_CPM2 is not set
-CONFIG_CPU_BIG_ENDIAN=y
-CONFIG_CRYPTO_AEAD=y
-CONFIG_CRYPTO_AEAD2=y
-# CONFIG_CRYPTO_AES_PPC_SPE is not set
-CONFIG_CRYPTO_AKCIPHER=y
-CONFIG_CRYPTO_AKCIPHER2=y
-CONFIG_CRYPTO_AUTHENC=y
-CONFIG_CRYPTO_DEV_FSL_CAAM=y
-CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
-CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
-# CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG is not set
-# CONFIG_CRYPTO_DEV_FSL_CAAM_IMX is not set
-# CONFIG_CRYPTO_DEV_FSL_CAAM_INTC is not set
-CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
-CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
-CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
-CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
-CONFIG_CRYPTO_HASH=y
-CONFIG_CRYPTO_HASH2=y
-CONFIG_CRYPTO_HW=y
-CONFIG_CRYPTO_MANAGER=y
-CONFIG_CRYPTO_MANAGER2=y
-# CONFIG_CRYPTO_MD5_PPC is not set
-CONFIG_CRYPTO_NULL=y
-CONFIG_CRYPTO_NULL2=y
-CONFIG_CRYPTO_RNG=y
-CONFIG_CRYPTO_RNG2=y
-CONFIG_CRYPTO_RSA=y
-# CONFIG_CRYPTO_SHA1_PPC is not set
-# CONFIG_CRYPTO_SHA1_PPC_SPE is not set
-# CONFIG_CRYPTO_SHA256_PPC_SPE is not set
-CONFIG_CRYPTO_WORKQUEUE=y
-CONFIG_DEBUG_BUGVERBOSE=y
-# CONFIG_DEFAULT_UIMAGE is not set
-CONFIG_DNOTIFY=y
-CONFIG_DTC=y
-# CONFIG_E200 is not set
-CONFIG_E500=y
-CONFIG_EARLY_PRINTK=y
-CONFIG_EDAC_ATOMIC_SCRUB=y
-CONFIG_EDAC_SUPPORT=y
-CONFIG_ENABLE_MUST_CHECK=y
-# CONFIG_EPAPR_BOOT is not set
-CONFIG_ETHERNET_PACKET_MANGLE=y
-# CONFIG_FHCI_DEBUG is not set
-CONFIG_FIXED_PHY=y
-CONFIG_FSL_BOOKE=y
-# CONFIG_FSL_DPAA is not set
-CONFIG_FSL_EMB_PERFMON=y
-# CONFIG_FSL_FMAN is not set
-CONFIG_FSL_GTM=y
-CONFIG_FSL_LBC=y
-CONFIG_FSL_PCI=y
-CONFIG_FSL_PQ_MDIO=y
-CONFIG_FSL_SOC=y
-CONFIG_FSL_SOC_BOOKE=y
-# CONFIG_FSL_ULI1575 is not set
-CONFIG_GENERIC_ALLOCATOR=y
-CONFIG_GENERIC_ATOMIC64=y
-CONFIG_GENERIC_BUG=y
-CONFIG_GENERIC_CLOCKEVENTS=y
-CONFIG_GENERIC_CMOS_UPDATE=y
-CONFIG_GENERIC_CPU_AUTOPROBE=y
-# CONFIG_GENERIC_CSUM is not set
-CONFIG_GENERIC_IO=y
-CONFIG_GENERIC_IRQ_SHOW=y
-CONFIG_GENERIC_IRQ_SHOW_LEVEL=y
-CONFIG_GENERIC_ISA_DMA=y
-CONFIG_GENERIC_NVRAM=y
-CONFIG_GENERIC_PCI_IOMAP=y
-CONFIG_GENERIC_SMP_IDLE_THREAD=y
-CONFIG_GENERIC_STRNCPY_FROM_USER=y
-CONFIG_GENERIC_STRNLEN_USER=y
-# CONFIG_GENERIC_TBSYNC is not set
-CONFIG_GENERIC_TIME_VSYSCALL_OLD=y
-CONFIG_GEN_RTC=y
-# CONFIG_GE_FPGA is not set
-# CONFIG_GE_IMP3A is not set
-CONFIG_GIANFAR=y
-CONFIG_GPIOLIB=y
-CONFIG_GPIO_GENERIC=y
-CONFIG_GPIO_MPC8XXX=y
-CONFIG_GPIO_SYSFS=y
-CONFIG_HAS_DMA=y
-CONFIG_HAS_IOMEM=y
-CONFIG_HAS_IOPORT_MAP=y
-# CONFIG_HAS_RAPIDIO is not set
-# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
-CONFIG_HAVE_ARCH_AUDITSYSCALL=y
-# CONFIG_HAVE_ARCH_BITREVERSE is not set
-CONFIG_HAVE_ARCH_JUMP_LABEL=y
-CONFIG_HAVE_ARCH_KGDB=y
-CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
-CONFIG_HAVE_ARCH

[OpenWrt-Devel] [PATCH 1/3] mpc85xx: add kernel 4.14 support

2018-10-05 Thread Magnus Kroken
Based on patches previously submitted by Achim Gottinger:
http://lists.infradead.org/pipermail/openwrt-devel/2018-June/012719.html

Tested on TP-Link TL-WDR4900 v1.

Signed-off-by: Magnus Kroken 
---
 target/linux/mpc85xx/config-4.14   | 365 +
 ...erpc-85xx-add-gpio-keys-to-of-match-table.patch |  10 +
 .../100-powerpc-85xx-tl-wdr4900-v1-support.patch   |  79 +
 .../101-powerpc-85xx-hiveap-330-support.patch  |  30 ++
 .../102-powerpc-add-cmdline-override.patch |  37 +++
 5 files changed, 521 insertions(+)
 create mode 100644 target/linux/mpc85xx/config-4.14
 create mode 100644 
target/linux/mpc85xx/patches-4.14/001-powerpc-85xx-add-gpio-keys-to-of-match-table.patch
 create mode 100644 
target/linux/mpc85xx/patches-4.14/100-powerpc-85xx-tl-wdr4900-v1-support.patch
 create mode 100644 
target/linux/mpc85xx/patches-4.14/101-powerpc-85xx-hiveap-330-support.patch
 create mode 100644 
target/linux/mpc85xx/patches-4.14/102-powerpc-add-cmdline-override.patch

diff --git a/target/linux/mpc85xx/config-4.14 b/target/linux/mpc85xx/config-4.14
new file mode 100644
index 00..0bdf7aa25d
--- /dev/null
+++ b/target/linux/mpc85xx/config-4.14
@@ -0,0 +1,365 @@
+# CONFIG_40x is not set
+# CONFIG_44x is not set
+# CONFIG_ADVANCED_OPTIONS is not set
+CONFIG_AR8216_PHY=y
+CONFIG_AR8216_PHY_LEDS=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+CONFIG_ARCH_HAS_DMA_SET_COHERENT_MASK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+CONFIG_ARCH_HAS_ILOG2_U32=y
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_WALK_MEMORY=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_ARCH_MMAP_RND_BITS=11
+# CONFIG_ARCH_RANDOM is not set
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_ARCH_WANT_IPC_PARSE_VERSION=y
+CONFIG_ASN1=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_BLK_MQ_PCI=y
+CONFIG_BOOKE=y
+CONFIG_BOOKE_WDT=y
+CONFIG_BOUNCE=y
+# CONFIG_BSC9131_RDB is not set
+# CONFIG_BSC9132_QDS is not set
+# CONFIG_C293_PCIE is not set
+CONFIG_CLONE_BACKWARDS=y
+CONFIG_CLZ_TAB=y
+CONFIG_CMDLINE="console=ttyS0,115200"
+CONFIG_CMDLINE_BOOL=y
+# CONFIG_CMDLINE_OVERRIDE is not set
+# CONFIG_CORENET_GENERIC is not set
+# CONFIG_CPM2 is not set
+CONFIG_CPU_BIG_ENDIAN=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+# CONFIG_CRYPTO_AES_PPC_SPE is not set
+CONFIG_CRYPTO_AKCIPHER=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_AUTHENC=y
+#CONFIG_CRYPTO_DEV_FSL_CAAM=y
+#CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API=y
+#CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API=y
+# CONFIG_CRYPTO_DEV_FSL_CAAM_DEBUG is not set
+# CONFIG_CRYPTO_DEV_FSL_CAAM_IMX is not set
+# CONFIG_CRYPTO_DEV_FSL_CAAM_INTC is not set
+#CONFIG_CRYPTO_DEV_FSL_CAAM_JR=y
+#CONFIG_CRYPTO_DEV_FSL_CAAM_PKC_API=y
+#CONFIG_CRYPTO_DEV_FSL_CAAM_RINGSIZE=9
+#CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_API=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_HW=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+# CONFIG_CRYPTO_MD5_PPC is not set
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RSA=y
+# CONFIG_CRYPTO_SHA1_PPC is not set
+# CONFIG_CRYPTO_SHA1_PPC_SPE is not set
+# CONFIG_CRYPTO_SHA256_PPC_SPE is not set
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEFAULT_UIMAGE is not set
+CONFIG_DNOTIFY=y
+CONFIG_DTC=y
+# CONFIG_E200 is not set
+CONFIG_E500=y
+CONFIG_EARLY_PRINTK=y
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+CONFIG_ENABLE_MUST_CHECK=y
+# CONFIG_EPAPR_BOOT is not set
+CONFIG_ETHERNET_PACKET_MANGLE=y
+# CONFIG_FHCI_DEBUG is not set
+CONFIG_FIXED_PHY=y
+CONFIG_FSL_BOOKE=y
+# CONFIG_FSL_DPAA is not set
+CONFIG_FSL_EMB_PERFMON=y
+# CONFIG_FSL_FMAN is not set
+CONFIG_FSL_GTM=y
+CONFIG_FSL_LBC=y
+CONFIG_FSL_PCI=y
+CONFIG_FSL_PQ_MDIO=y
+CONFIG_FSL_SOC=y
+CONFIG_FSL_SOC_BOOKE=y
+# CONFIG_FSL_ULI1575 is not set
+CONFIG_GENERIC_ALLOCATOR=y
+CONFIG_GENERIC_ATOMIC64=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_GENERIC_CSUM is not set
+CONFIG_GENERIC_IO=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_GENERIC_IRQ_SHOW_LEVEL=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_NVRAM=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+# CONFIG_GENERIC_TBSYNC is not set
+CONFIG_GENERIC_TIME_VSYSCALL_OLD=y
+CONFIG_GEN_RTC=y
+# CONFIG_GE_FPGA is not set
+# CONFIG_GE_IMP3A is not set
+CONFIG_GIANFAR=y
+CONFIG_GPIOLIB=y
+CONFIG_GPIO_GENERIC=y
+CONFIG_GPIO_MPC8XXX=y
+CONFIG_GPIO_SYSFS=y
+CONFIG_HAS_DMA=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+# CONFIG_HAS_RAPIDIO 

[OpenWrt-Devel] [PATCH 2/3] mpc85xx: switch to kernel 4.14

2018-10-05 Thread Magnus Kroken
Signed-off-by: Magnus Kroken 
---
 target/linux/mpc85xx/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/linux/mpc85xx/Makefile b/target/linux/mpc85xx/Makefile
index b181e67c0e..1eac544344 100644
--- a/target/linux/mpc85xx/Makefile
+++ b/target/linux/mpc85xx/Makefile
@@ -14,7 +14,7 @@ FEATURES:=squashfs
 MAINTAINER:=Imre Kaloz 
 SUBTARGETS:=generic p1020
 
-KERNEL_PATCHVER:=4.9
+KERNEL_PATCHVER:=4.14
 
 KERNELNAME:=zImage
 
-- 
2.11.0




Re: [OpenWrt-Devel] [PATCH 2/3] mpc85xx: kernel 4.14

2018-09-30 Thread Magnus Kroken

Hi Achim

On 06.06.2018 23:42, Achim Gottinger wrote:

Am 05.06.2018 um 00:09 schrieb Magnus Kroken:

Tested-by: Magnus Kroken 

Works well on my WDR4900v1. I don't use the crypto driver, so can't 
respond to those changes, but the Wi-Fi radios, ethernet and the basic 
hardware works fine.


Most of your patches haven't shown up in Patchwork though [1]. Not 
sure if there was an issue with Patchwork when you sent your series, 
it could also be caused by your mail client malforming the e-mails. 
You may want to resubmit the series to ensure they are kept track of, 
with git-send-email if possible.


1: 
http://patchwork.ozlabs.org/project/openwrt/list/?series==74207=*==both= 


Regards
/Magnus

Thank you for the tests and the tips about Patchwork. Maybe I used the wrong 
numbering for the series because I did not start with 0/3. But I 
plan to modify the patches in a way that the CAAM modules are built in 
for the generic/p1020 targets and are disabled only on the wdr4900v1, which has 
no hardware crypto enabled. This way the additional CAAM module package 
is not required and the change does not interfere with other subtargets.


achim~



Do you have any plans to move forward with your mpc85xx 4.14 patch 
series? I am still using your patches on top of current master, 
presently running kernel 4.14.73 on my WDR4900v1, and they work perfectly.


Keep in mind that most of your patches did not end up in Patchwork for 
some reason, so they are not kept track of by anyone. If you find it 
easier to submit a pull request on Github you can do so here: 
https://github.com/openwrt/openwrt/pulls


/Magnus



[OpenWrt-Devel] [PATCH] mbedtls: update to 2.13.0

2018-09-15 Thread Magnus Kroken
* Fixed a security issue in the X.509 module which could lead to a buffer 
overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency 
networks with high packet loss.

Signed-off-by: Magnus Kroken 
---
Compile-tested on mips and powerpc. 

Runtime-tested on powerpc by connecting to an openvpn-mbedtls server and to 
uhttpd via HTTPS.

 package/libs/mbedtls/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/mbedtls/Makefile b/package/libs/mbedtls/Makefile
index 659bf59d88..b775c72a5c 100644
--- a/package/libs/mbedtls/Makefile
+++ b/package/libs/mbedtls/Makefile
@@ -8,13 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=mbedtls
-PKG_VERSION:=2.12.0
+PKG_VERSION:=2.13.0
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION)-gpl.tgz
 PKG_SOURCE_URL:=https://tls.mbed.org/download/
-PKG_HASH:=8661d19a896a5a7a232ed01ac7f05cf0ec3514798f18076c2c9ef965fbeb5a28
+PKG_HASH:=a08ddf08aae55fc4f48fbc6281fcb08bc5c53ed53ffd15355ee0d75ec32b53ae
 
 PKG_BUILD_PARALLEL:=1
 PKG_LICENSE:=GPL-2.0+
-- 
2.11.0




[OpenWrt-Devel] [PATCH] busybox: update to 1.28.4

2018-06-17 Thread Magnus Kroken
Signed-off-by: Magnus Kroken 
---
Runtime tested on mips/ath79, mips/ar71xx and powerpc/mpc85xx.

General bump to the latest stable version. This version fixes issues
with the nsenter and dpkg utilities in BusyBox, which OpenWrt does
not build by default.

 package/utils/busybox/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 77e76af7cd..e73b1d41a8 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
-PKG_VERSION:=1.28.3
-PKG_RELEASE:=3
+PKG_VERSION:=1.28.4
+PKG_RELEASE:=1
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://www.busybox.net/downloads \
http://sources.buildroot.net
-PKG_HASH:=ad0d22033f23e696f9a71a4c2f9210194dda39b024a79151f4ac278995332a6e
+PKG_HASH:=e3c14a3699dc7e82fed397392957afc78e37bdf25398ac38ead6e84621b2ae6a
 
 PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc BUSYBOX_CONFIG_PAM:libpam
 PKG_BUILD_PARALLEL:=1
-- 
2.11.0




[OpenWrt-Devel] [PATCH] kernel: update 4.14 to 4.14.50

2018-06-17 Thread Magnus Kroken
Signed-off-by: Magnus Kroken 
---
Runtime-tested on 
* powerpc/mpc85xx (with 4.14 support patches by Achim Gottinger)
* mips/ath79

 include/kernel-version.mk  |  4 ++--
 .../patches-4.14/0035-MIPS-ath79-fix-QCA956x-boot.patch|  6 +++---
 .../324-v4.16-netfilter-flow-table-support-for-IPv6.patch  |  2 +-
 .../350-v4.18-ipv6-make-ip6_dst_mtu_forward-inline.patch   |  2 +-
 .../666-Add-support-for-MAP-E-FMRs-mesh-mode.patch | 14 +++---
 .../950-tty-serial-exar-generalize-rs485-setup.patch   |  9 ++---
 .../ramips/patches-4.14/302-spi-nor-add-gd25q512.patch |  2 +-
 .../303-spi-nor-enable-4B-opcodes-for-mx66l51235l.patch|  2 +-
 8 files changed, 18 insertions(+), 23 deletions(-)

diff --git a/include/kernel-version.mk b/include/kernel-version.mk
index f43344ab84..5021a2f0be 100644
--- a/include/kernel-version.mk
+++ b/include/kernel-version.mk
@@ -5,12 +5,12 @@ LINUX_RELEASE?=1
 LINUX_VERSION-3.18 = .71
 LINUX_VERSION-4.4 = .121
 LINUX_VERSION-4.9 = .107
-LINUX_VERSION-4.14 = .48
+LINUX_VERSION-4.14 = .50
 
 LINUX_KERNEL_HASH-3.18.71 = 
5abc9778ad44ce02ed6c8ab52ece8a21c6d20d21f6ed8a19287b4a38a50c1240
 LINUX_KERNEL_HASH-4.4.121 = 
44a88268b5088dc326b30c9b9133ac35a9a200b636b7268d08f32abeae6ca729
 LINUX_KERNEL_HASH-4.9.107 = 
3ce7f40ecee096cda1d51eb2cada105a39abe8da7b968ef85f52be961f22cad3
-LINUX_KERNEL_HASH-4.14.48 = 
80a0608f611fe7a5c54556402cdc2880a21301e1c4e1b19d4c1db82ad2bf22b9
+LINUX_KERNEL_HASH-4.14.50 = 
703a8d013b25dc428d936f72858fa0c702c22cb3114a040fb9bb47562e4ea2ac
 
 remove_uri_prefix=$(subst git://,,$(subst http://,,$(subst https://,,$(1
 sanitize_uri=$(call qstrip,$(subst @,_,$(subst :,_,$(subst .,_,$(subst 
-,_,$(subst /,_,$(1)))
diff --git 
a/target/linux/ath79/patches-4.14/0035-MIPS-ath79-fix-QCA956x-boot.patch 
b/target/linux/ath79/patches-4.14/0035-MIPS-ath79-fix-QCA956x-boot.patch
index e5b714c442..c3dd676d4d 100644
--- a/target/linux/ath79/patches-4.14/0035-MIPS-ath79-fix-QCA956x-boot.patch
+++ b/target/linux/ath79/patches-4.14/0035-MIPS-ath79-fix-QCA956x-boot.patch
@@ -1,6 +1,6 @@
 a/arch/mips/ath79/clock.c  2018-06-01 13:56:30.376729328 +0300
-+++ b/arch/mips/ath79/clock.c  2018-06-04 02:06:57.039616840 +0300
-@@ -525,6 +525,14 @@
+--- a/arch/mips/ath79/clock.c
 b/arch/mips/ath79/clock.c
+@@ -525,6 +525,14 @@ static void __init qca956x_clocks_init(v
u32 cpu_pll, ddr_pll;
u32 bootstrap;
  
diff --git 
a/target/linux/generic/backport-4.14/324-v4.16-netfilter-flow-table-support-for-IPv6.patch
 
b/target/linux/generic/backport-4.14/324-v4.16-netfilter-flow-table-support-for-IPv6.patch
index abe7ef0092..a561f2669d 100644
--- 
a/target/linux/generic/backport-4.14/324-v4.16-netfilter-flow-table-support-for-IPv6.patch
+++ 
b/target/linux/generic/backport-4.14/324-v4.16-netfilter-flow-table-support-for-IPv6.patch
@@ -15,7 +15,7 @@ Signed-off-by: Pablo Neira Ayuso 
 
 --- a/include/net/ipv6.h
 +++ b/include/net/ipv6.h
-@@ -913,6 +913,8 @@ static inline struct sk_buff *ip6_finish
+@@ -918,6 +918,8 @@ static inline struct sk_buff *ip6_finish
  _sk(sk)->cork);
  }
  
diff --git 
a/target/linux/generic/backport-4.14/350-v4.18-ipv6-make-ip6_dst_mtu_forward-inline.patch
 
b/target/linux/generic/backport-4.14/350-v4.18-ipv6-make-ip6_dst_mtu_forward-inline.patch
index e16f13ac45..9ed9ca558d 100644
--- 
a/target/linux/generic/backport-4.14/350-v4.18-ipv6-make-ip6_dst_mtu_forward-inline.patch
+++ 
b/target/linux/generic/backport-4.14/350-v4.18-ipv6-make-ip6_dst_mtu_forward-inline.patch
@@ -38,7 +38,7 @@ Signed-off-by: Felix Fietkau 
  #endif
 --- a/include/net/ipv6.h
 +++ b/include/net/ipv6.h
-@@ -913,8 +913,6 @@ static inline struct sk_buff *ip6_finish
+@@ -918,8 +918,6 @@ static inline struct sk_buff *ip6_finish
  _sk(sk)->cork);
  }
  
diff --git 
a/target/linux/generic/pending-4.14/666-Add-support-for-MAP-E-FMRs-mesh-mode.patch
 
b/target/linux/generic/pending-4.14/666-Add-support-for-MAP-E-FMRs-mesh-mode.patch
index 09dfd1b906..1de8543353 100644
--- 
a/target/linux/generic/pending-4.14/666-Add-support-for-MAP-E-FMRs-mesh-mode.patch
+++ 
b/target/linux/generic/pending-4.14/666-Add-support-for-MAP-E-FMRs-mesh-mode.patch
@@ -350,7 +350,7 @@ Signed-off-by: Steven Barth 
memcpy(p->name, u->name, sizeof(u->name));
  }
  
-@@ -1912,6 +2074,15 @@ static int ip6_tnl_validate(struct nlatt
+@@ -1917,6 +2079,15 @@ static int ip6_tnl_validate(struct nlatt
return 0;
  }
  
@@ -366,7 +366,7 @@ Signed-off-by: Steven Barth 
  static void ip6_tnl_netlink_parms(struct nlattr *data[],
  struct __ip6_tnl_parm *parms)
  {
-@@ -1949,6 +2120,46 @@ static void ip6_tnl_netlink_parms(struct
+@@ -1954,6 +2125,46 @@ static void ip6_tnl_netlink_parms(struct
  
if (data[IFLA_IPTUN_FWMARK])
parms->fwmark = nla_get_u32(data[IFLA_IPTUN_FWMARK]);
@@ -413,7 +413,7 @@ Signed-off-by: Steven Bart

Re: [OpenWrt-Devel] [PATCH 2/3] mpc85xx: kernel 4.14

2018-06-04 Thread Magnus Kroken

Hi Achim

On 02.06.2018 12:37, Achim Gottinger wrote:

Added kernel version 4.14 to mpc85xx.
Rebased all patches
Added new kernel options with default values.
Caam support is not enabled in the kernel.

Fixed typo in Makefile KERNEL_PATCHVER is now 4.14 instead of 4.4. Thank 
you Martin Strobel.

Fixed typo in subject: should be patch 2/3 and not 1/3.

Signed-off-by: Achim Gottinger 
---


Tested-by: Magnus Kroken 

Works well on my WDR4900v1. I don't use the crypto driver, so can't 
respond to those changes, but the Wi-Fi radios, ethernet and the basic 
hardware works fine.


Most of your patches haven't shown up in Patchwork though [1]. Not sure 
if there was an issue with Patchwork when you sent your series, it could 
also be caused by your mail client malforming the e-mails. You may want 
to resubmit the series to ensure they are kept track of, with 
git-send-email if possible.


1: 
http://patchwork.ozlabs.org/project/openwrt/list/?series==74207=*==both=


Regards
/Magnus



Re: [OpenWrt-Devel] How to pre-define the LAN IP

2018-02-28 Thread Magnus Kroken

Hi Bill

On 28.02.2018 15:18, Bill Yuan wrote:

Hi,

I noticed the default LAN IP is still 192.168.1.1 even after I 
configured the "preinit network interface" in "preinit configuration 
options". Can someone please share with me where is the proper way to 
pre-define the LAN IP?


The build system does not include a way to do this. You can do this by 
including additional files in your image. To do this, create a directory 
"files" in the root of the build directory (same directory you run make 
menuconfig from).


You can either include a full network configuration file in the image, 
or you can include a script that will execute after the device has 
booted, which configures the IP address.


For a full configuration, configure the network as you want it to be, 
then copy /etc/config/network from your OpenWrt device to your files/ 
folder, so it ends up as: files/etc/config/network.


For a script, here is a snippet of how I do this on my devices. You can 
omit the if check, I do this so I can use the same script on several 
devices.


--8<--
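#!/bin/sh
# uci-defaults hook: give one specific device a non-default LAN address.
#
# The device is identified by the MAC address of eth0, so the same script can
# be shipped in an image flashed onto several devices and only the matching
# one is changed. The address is rewritten only while it is still the stock
# 192.168.1.1, so a later manual change is never clobbered.
#
# No `uci commit` here on purpose: uci-defaults scripts are committed by the
# boot-time runner once they have all completed (NOTE(review): confirm this
# for the release in use).

lan_mac="$(ip link show eth0 | awk '/ether/ {print $2}')"
lan_ip="$(uci -q get network.lan.ipaddr)"

# POSIX test(1): '=' (not the bash-only '==') for string equality, and two
# tests joined with '&&' instead of the obsolescent '-a' primary.
if [ "$lan_mac" = "11:22:33:44:55:66" ] && [ "$lan_ip" = "192.168.1.1" ]; then
	uci -q set network.lan.ipaddr='10.123.234.1'
fi

/etc/init.d/network restart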
-->8--

Put this in files/etc/uci-defaults/zz_changeip4.sh. The zz prefix 
ensures the file is executed last in the uci-defaults folder, if it 
executes too early the base network config may not be in place yet.



Regards,
bycn82


Regards
/Magnus


Re: [OpenWrt-Devel] [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-15 Thread Magnus Kroken

On 15.02.2018 16.52, Philip Prindeville wrote:

Well, right!  That was my first approach with a “config" option to do exactly 
that, but it was shot down:

https://github.com/openwrt/packages/pull/5520

I even defaulted the option to continue to allow passwords so that only people 
who (a) selected OpenSSH and (b) turned this option off would be affected… 
which has to be a small portion of the population.


Sorry, I must have missed this. I'm in favor of the current state of 
that pull request (my concern is the direct consequences of the patch, 
not the way it is implemented, more below).



Consider a scenario where a user builds an image with OpenSSH, without Dropbear 
(because they have OpenSSH), and without a web interface (because they want to 
save space). This is easily done by selecting and deselecting packages in 
menuconfig/imagebuilder, no custom files needed today. With this change, if the 
image is missing authorized_keys, the only way to log in is serial console 
(failsafe will be locked out too), which requires soldering - or using 
bootloader recovery features, which may also require soldering and aren't 
consistently documented.



Actually, most of the boxes that *I* work on (Geos, Alix 2D, net5501, Xeon 1U 
servers, etc.) all have serial ports and most of them have VGA as well (or 
could if you install the optional header).


True, I was thinking of typical 5-port wireless routers. Still, the 
lockout problem is real on those devices, and OpenWrt targets and 
supports a lot of them.



This is just about the default configuration, it's not a choice between 
conflicting compile time options with varying security implications. While key 
authentication may be best practice, allowing SSH password logins isn't on the 
level of reimplementing LuCI in PHP 4. The change is *literally* a handful of 
sed commands, why can't advanced users take care of that themselves? Why do we 
want to make it easier to build a soft-bricking image than it is today?



Conversely, why can’t advanced users have a clear, standardized way of doing 
this?  That they’re “advanced” doesn’t mean they don’t also appreciate 
convenience, an easy way to save and export/import configurations, etc.


I'm not against general development, improvement or standardization of 
config handling. I'm against the default state of the patch that started 
this mail thread. The convenience of this patch opens up a new way to 
break the convenience of failsafe on a lot of devices, and I don't think 
many people would expect the particular package selection to cause such 
a behavior. I consider failsafe to be more important. You've already 
addressed that in your pull request, and I'm in favor of "this should be 
configurable at build time, but the default behavior should not change". 
How that is implemented is a different matter, which so far I haven't 
thought much about.



In a perfect world, no one should ever have to build with patches, anything in 
files/, cherry-picked commits, etc.  Everything would be expressed in the 
.config (or kernel-config).


I have a bunch of uci-defaults scripts (currently loaded via files) that 
configure my devices after flashing (if any interface has MAC address X, 
run a bunch of commands (uci stuff, sed, cat, service reloads, 
whatever)). I keep adding to them without structuring things, and they 
become unmanageable. One of many things I've thought of and never gotten 
around to is creating a package feed of config script packages. A 
package would e.g. be set_lan_ip4_addr, it would have configuration 
option(s) to set the desired IP address in menuconfig, and then install 
a generic uci-defaults script with the desired IP address inserted via 
sed. Maybe there are better ways to do this (install a 
/etc/config/deployment file that all the scripts read from?), anyway it 
would be an improvement of what I do now. In theory, that could be used 
to get any number of possibilities into menuconfig or .config as well.



-Philip


/Magnus


Re: [OpenWrt-Devel] [LEDE-DEV] [PATCH v1 1/1] openssh: disable passwords for openssh server

2018-02-14 Thread Magnus Kroken

On 14.02.2018 22.13, Michelle Sullivan wrote:

FWIW, I had misunderstood the intent of the original comments... OpenSSH
server vs Dropbear - if someone is using OpenSSH server they already
went in with advanced config as Dropbear is the default - I'd err on the
side of security as they should already know what they are doing  it
should be recoverable by webinterface though (rather than worrying about
people 'fixing' by using something not secure.)


The opposite argument applies equally well IMO: they already know what 
they are doing, they should know how to allow key authentication only if 
they want that.


Consider a scenario where a user builds an image with OpenSSH, without 
Dropbear (because they have OpenSSH), and without a web interface 
(because they want to save space). This is easily done by selecting and 
deselecting packages in menuconfig/imagebuilder, no custom files needed 
today. With this change, if the image is missing authorized_keys, the 
only way to log in is serial console (failsafe will be locked out too), 
which requires soldering - or using bootloader recovery features, which 
may also require soldering and aren't consistently documented.


This is just about the default configuration, it's not a choice between 
conflicting compile time options with varying security implications. 
While key authentication may be best practice, allowing SSH password 
logins isn't on the level of reimplementing LuCI in PHP 4. The change is 
*literally* a handful of sed commands, why can't advanced users take 
care of that themselves? Why do we want to make it easier to build a 
soft-bricking image than it is today?


How about adding a configuration flag to menuconfig for OpenSSH, which 
runs said sed commands if the flag is set (disabled by default, for the 
reasons above). It makes it easier to set for those who want it, and it 
will also be saved in a diffconfig output if they set that.


Regards
/Magnus


Re: [OpenWrt-Devel] [PATCH] busybox: update to 1.24.2

2016-04-17 Thread Magnus Kroken

On 17.04.2016 14.18, Hauke Mehrtens wrote:

Why are you changing these default values? I do not see any commit
between 1.24.1 and 1.24.2 that changes anything to Kconfig.

Hauke


Sorry, you are right. I ran the config update scripts; I had interpreted 
r47775 [1] as meaning that this should always be done when doing a version update.


[1]: https://dev.openwrt.org/changeset/47775

/Magnus


[OpenWrt-Devel] [PATCH] busybox: update to 1.24.2

2016-03-19 Thread Magnus Kroken
Signed-off-by: Magnus Kroken <mkro...@gmail.com>
---
Runtime tested on mips/ar71xx and mipsel/brcm47xx

Fixes since 1.24.1:
* scripts/trylink: fix static build with glibc again
* truncate: always set mode when opening file to avoid fortify errors
* [g]unzip: fix recent breakage.
* unzip: test for bad archive SEGVing

 package/utils/busybox/Config-defaults.in | 6 +++---
 package/utils/busybox/Makefile   | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/utils/busybox/Config-defaults.in 
b/package/utils/busybox/Config-defaults.in
index ee42fa1..6c13a5d 100644
--- a/package/utils/busybox/Config-defaults.in
+++ b/package/utils/busybox/Config-defaults.in
@@ -1971,13 +1971,13 @@ config BUSYBOX_DEFAULT_WGET
default n
 config BUSYBOX_DEFAULT_FEATURE_WGET_STATUSBAR
bool
-   default y
+   default n
 config BUSYBOX_DEFAULT_FEATURE_WGET_AUTHENTICATION
bool
-   default y
+   default n
 config BUSYBOX_DEFAULT_FEATURE_WGET_LONG_OPTIONS
bool
-   default y
+   default n
 config BUSYBOX_DEFAULT_FEATURE_WGET_TIMEOUT
bool
default n
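Review bot: The three `default y` → `default n` flips for BUSYBOX_DEFAULT_FEATURE_WGET_STATUSBAR, BUSYBOX_DEFAULT_FEATURE_WGET_AUTHENTICATION and BUSYBOX_DEFAULT_FEATURE_WGET_LONG_OPTIONS are not covered by the commit message, which lists only the four upstream fixes. Turning off FEATURE_WGET_AUTHENTICATION in particular drops HTTP basic-auth support from busybox wget for anyone who enables BUSYBOX_CONFIG_WGET, a user-visible regression that presumably comes from re-running the config refresh scripts rather than from anything in 1.24.2 itself. Unless the flips are intended, keep the three lines at `default y` and limit this patch to the Makefile hunk; if they are intended, say why in the commit message.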
diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index 6a55d56..24c064c 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
-PKG_VERSION:=1.24.1
-PKG_RELEASE:=2
+PKG_VERSION:=1.24.2
+PKG_RELEASE:=1
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.busybox.net/downloads \
http://distfiles.gentoo.org/distfiles/
-PKG_MD5SUM:=be98a40cadf84ce2d6b05fa41a275c6a
+PKG_MD5SUM:=2eaae519cac1143bcf583636a745381f
 
 PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc BUSYBOX_CONFIG_PAM:libpam
 PKG_BUILD_PARALLEL:=1
-- 
2.1.4


[OpenWrt-Devel] [PATCH v2] busybox: update to version 1.24.1

2015-10-26 Thread Magnus Kroken
Patches applied upstream and dropped:
280-fix_find_regression.patch
300-ip-addr-improvements.patch

Fixed upstream:
290-ash-fix-a-regression-in-handling-local-variables.patch (see thread: 
http://lists.busybox.net/pipermail/busybox/2015-April/082783.html)

Signed-off-by: Magnus Kroken <mkro...@gmail.com>
---
v2: Drop 290-ash-fix-a-regression-in-handling-local-variables.patch as well. 
Thanks, Bastian.

 package/utils/busybox/Makefile |  6 +-
 .../patches/120-remove_uclibc_rpc_check.patch  |  2 +-
 .../busybox/patches/200-udhcpc_reduce_msgs.patch   |  4 +-
 .../patches/201-udhcpc_changed_ifindex.patch   |  2 +-
 .../patches/203-udhcpc_renew_no_deconfig.patch |  2 +-
 .../busybox/patches/204-udhcpc_src_ip_rebind.patch | 10 +--
 .../busybox/patches/210-add_netmsg_util.patch  |  2 +-
 .../busybox/patches/230-ntpd_delayed_resolve.patch |  6 +-
 .../patches/270-libbb_make_unicode_printable.patch |  4 +-
 .../busybox/patches/280-fix_find_regression.patch  | 31 -
 ...-a-regression-in-handling-local-variables.patch | 75 --
 .../busybox/patches/300-ip-addr-improvements.patch | 73 -
 12 files changed, 19 insertions(+), 198 deletions(-)
 delete mode 100644 package/utils/busybox/patches/280-fix_find_regression.patch
 delete mode 100644 
package/utils/busybox/patches/290-ash-fix-a-regression-in-handling-local-variables.patch
 delete mode 100644 package/utils/busybox/patches/300-ip-addr-improvements.patch

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index fb24703..5ca4363 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
-PKG_VERSION:=1.23.2
-PKG_RELEASE:=3
+PKG_VERSION:=1.24.1
+PKG_RELEASE:=1
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.busybox.net/downloads \
http://distfiles.gentoo.org/distfiles/
-PKG_MD5SUM:=7925683d7dd105aabe9b6b618d48cc73
+PKG_MD5SUM:=be98a40cadf84ce2d6b05fa41a275c6a
 
 PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc BUSYBOX_CONFIG_PAM:libpam
 PKG_BUILD_PARALLEL:=1
diff --git a/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch 
b/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch
index a18b7dc..5499efd 100644
--- a/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch
+++ b/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch
@@ -1,6 +1,6 @@
 --- a/util-linux/mount.c
 +++ b/util-linux/mount.c
-@@ -138,9 +138,6 @@
+@@ -236,9 +236,6 @@
  #if ENABLE_FEATURE_MOUNT_NFS
  /* This is just a warning of a common mistake.  Possibly this should be a
   * uclibc faq entry rather than in busybox... */
diff --git a/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch 
b/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch
index c3de978..1083675 100644
--- a/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch
+++ b/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch
@@ -1,6 +1,6 @@
 --- a/networking/udhcp/dhcpc.c
 +++ b/networking/udhcp/dhcpc.c
-@@ -685,6 +685,7 @@ static int bcast_or_ucast(struct dhcp_pa
+@@ -695,6 +695,7 @@ static int bcast_or_ucast(struct dhcp_pa
  static NOINLINE int send_discover(uint32_t xid, uint32_t requested)
  {
struct dhcp_packet packet;
@@ -8,7 +8,7 @@
  
/* Fill in: op, htype, hlen, cookie, chaddr fields,
 * random xid field (we override it below),
-@@ -702,6 +703,7 @@ static NOINLINE int send_discover(uint32
+@@ -712,6 +713,7 @@ static NOINLINE int send_discover(uint32
 */
add_client_options();
  
diff --git a/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch 
b/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch
index e7e2fce..f32cea2 100644
--- a/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch
+++ b/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch
@@ -1,6 +1,6 @@
 --- a/networking/udhcp/dhcpc.c
 +++ b/networking/udhcp/dhcpc.c
-@@ -1410,6 +1410,12 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+@@ -1418,6 +1418,12 @@ int udhcpc_main(int argc UNUSED_PARAM, c
/* silence "uninitialized!" warning */
unsigned timestamp_before_wait = timestamp_before_wait;
  
diff --git a/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch 
b/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch
index 471f12f..f38b128 100644
--- a/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch
+++ b/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch
@@ -1,6 +1,6 @@
 --- a/networking/udhcp/dhcpc.c
 +++ b/networking/udhcp/dhcpc.c
-@@ -1093,7 +1093,6 @@ static void perform_renew(void)
+@@ -1101,7 +1101,6 @@ static void perform_renew(void)
state = RENEW_REQUESTED;
break;
case RENEW_REQUESTED: /* impatient are we? fine, square 1 */
diff --git

[OpenWrt-Devel] [PATCH] busybox: update to version 1.24.1

2015-10-24 Thread Magnus Kroken
Patches applied upstream and dropped:
280-fix_find_regression.patch
300-ip-addr-improvements.patch

Signed-off-by: Magnus Kroken <mkro...@gmail.com>
---
Run-time tested on ar71xx (TL-WDR4300). Compile-tested on mpc85xx and mvebu.

Size comparison:
210569 busybox_1.23.2-3_ar71xx.ipk
209573 busybox_1.24.1-1_ar71xx.ipk

247588 busybox_1.23.2-3_mpc85xx.ipk
246458 busybox_1.24.1-1_mpc85xx.ipk

224013 busybox_1.23.2-3_mvebu.ipk
222554 busybox_1.24.1-1_mvebu.ipk

 package/utils/busybox/Makefile |  6 +-
 .../patches/120-remove_uclibc_rpc_check.patch  |  2 +-
 .../busybox/patches/200-udhcpc_reduce_msgs.patch   |  4 +-
 .../patches/201-udhcpc_changed_ifindex.patch   |  2 +-
 .../patches/203-udhcpc_renew_no_deconfig.patch |  2 +-
 .../busybox/patches/204-udhcpc_src_ip_rebind.patch | 10 +--
 .../busybox/patches/210-add_netmsg_util.patch  |  2 +-
 .../busybox/patches/230-ntpd_delayed_resolve.patch |  6 +-
 .../patches/270-libbb_make_unicode_printable.patch |  4 +-
 .../busybox/patches/280-fix_find_regression.patch  | 31 -
 ...-a-regression-in-handling-local-variables.patch |  6 +-
 .../busybox/patches/300-ip-addr-improvements.patch | 73 --
 12 files changed, 22 insertions(+), 126 deletions(-)
 delete mode 100644 package/utils/busybox/patches/280-fix_find_regression.patch
 delete mode 100644 package/utils/busybox/patches/300-ip-addr-improvements.patch

diff --git a/package/utils/busybox/Makefile b/package/utils/busybox/Makefile
index fb24703..5ca4363 100644
--- a/package/utils/busybox/Makefile
+++ b/package/utils/busybox/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=busybox
-PKG_VERSION:=1.23.2
-PKG_RELEASE:=3
+PKG_VERSION:=1.24.1
+PKG_RELEASE:=1
 PKG_FLAGS:=essential
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=http://www.busybox.net/downloads \
http://distfiles.gentoo.org/distfiles/
-PKG_MD5SUM:=7925683d7dd105aabe9b6b618d48cc73
+PKG_MD5SUM:=be98a40cadf84ce2d6b05fa41a275c6a
 
 PKG_BUILD_DEPENDS:=BUSYBOX_USE_LIBRPC:librpc BUSYBOX_CONFIG_PAM:libpam
 PKG_BUILD_PARALLEL:=1
diff --git a/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch 
b/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch
index a18b7dc..5499efd 100644
--- a/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch
+++ b/package/utils/busybox/patches/120-remove_uclibc_rpc_check.patch
@@ -1,6 +1,6 @@
 --- a/util-linux/mount.c
 +++ b/util-linux/mount.c
-@@ -138,9 +138,6 @@
+@@ -236,9 +236,6 @@
  #if ENABLE_FEATURE_MOUNT_NFS
  /* This is just a warning of a common mistake.  Possibly this should be a
   * uclibc faq entry rather than in busybox... */
diff --git a/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch 
b/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch
index c3de978..1083675 100644
--- a/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch
+++ b/package/utils/busybox/patches/200-udhcpc_reduce_msgs.patch
@@ -1,6 +1,6 @@
 --- a/networking/udhcp/dhcpc.c
 +++ b/networking/udhcp/dhcpc.c
-@@ -685,6 +685,7 @@ static int bcast_or_ucast(struct dhcp_pa
+@@ -695,6 +695,7 @@ static int bcast_or_ucast(struct dhcp_pa
  static NOINLINE int send_discover(uint32_t xid, uint32_t requested)
  {
struct dhcp_packet packet;
@@ -8,7 +8,7 @@
  
/* Fill in: op, htype, hlen, cookie, chaddr fields,
 * random xid field (we override it below),
-@@ -702,6 +703,7 @@ static NOINLINE int send_discover(uint32
+@@ -712,6 +713,7 @@ static NOINLINE int send_discover(uint32
 */
add_client_options();
  
diff --git a/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch 
b/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch
index e7e2fce..f32cea2 100644
--- a/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch
+++ b/package/utils/busybox/patches/201-udhcpc_changed_ifindex.patch
@@ -1,6 +1,6 @@
 --- a/networking/udhcp/dhcpc.c
 +++ b/networking/udhcp/dhcpc.c
-@@ -1410,6 +1410,12 @@ int udhcpc_main(int argc UNUSED_PARAM, c
+@@ -1418,6 +1418,12 @@ int udhcpc_main(int argc UNUSED_PARAM, c
/* silence "uninitialized!" warning */
unsigned timestamp_before_wait = timestamp_before_wait;
  
diff --git a/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch 
b/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch
index 471f12f..f38b128 100644
--- a/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch
+++ b/package/utils/busybox/patches/203-udhcpc_renew_no_deconfig.patch
@@ -1,6 +1,6 @@
 --- a/networking/udhcp/dhcpc.c
 +++ b/networking/udhcp/dhcpc.c
-@@ -1093,7 +1093,6 @@ static void perform_renew(void)
+@@ -1101,7 +1101,6 @@ static void perform_renew(void)
state = RENEW_REQUESTED;
break;
case RENEW_REQUESTED: /* impatient are we? fine, square 1 */
diff --git a/package/utils/busybox/patches/204-udhcpc_src_ip_rebind.patch 
b/packa

[OpenWrt-Devel] [PATCH] openssl: bump to 1.0.2c

2015-06-12 Thread Magnus Kroken
Fix HMAC ABI incompatibility. OpenSSL 1.0.2b introduced an ABI
incompatibility in the handling of HMAC; 1.0.2c restores the previous
ABI.

Signed-off-by: Magnus Kroken mkro...@gmail.com
---
 package/libs/openssl/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/libs/openssl/Makefile b/package/libs/openssl/Makefile
index de71033..2d69417 100644
--- a/package/libs/openssl/Makefile
+++ b/package/libs/openssl/Makefile
@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=openssl
-PKG_VERSION:=1.0.2b
+PKG_VERSION:=1.0.2c
 PKG_RELEASE:=1
 PKG_USE_MIPS16:=0
 
@@ -18,7 +18,7 @@ PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.openssl.org/source/ \
ftp://ftp.funet.fi/pub/crypt/mirrors/ftp.openssl.org/source \
ftp://ftp.sunet.se/pub/security/tools/net/openssl/source/
-PKG_MD5SUM:=7729b259e2dea7d60b32fc3934d6984b
+PKG_MD5SUM:=8c8d81a9ae7005276e486702edbcd4b6
 
 PKG_LICENSE:=OpenSSL
 PKG_LICENSE_FILES:=LICENSE
-- 
2.1.0