Jo-Philipp Wich [Thu, 25 Jan 2018 16:12:29 +0000 (17:12 +0100)]
build: bundle-libraries.sh: patch bundled ld.so
Remove references to /etc/, /lib/ and /usr/ from the bundled ld.so
interpreter using simple binary patching.
This is needed to prevent loading host system libraries such as
libnss_compat.so.2 on foreign systems, which may result in ld.so
inconsistency assertions.
Hans Dedecker [Thu, 1 Feb 2018 14:12:58 +0000 (15:12 +0100)]
netifd: add defaultreqopts config option
By default udhcpc asks for a default list of options; the config option
defaultreqopts allows to tweak this behavior.
When set to 0 udhcpc will not ask for any options except for the options
specified in the reqopts config option.
Hans Dedecker [Wed, 31 Jan 2018 11:58:53 +0000 (12:58 +0100)]
odhcp6c: add defaultreqopts config option
By default odhcp6c asks for a default list of options; the config option
defaultreqopts allows to tweak this behavior.
When set to 0 odhcp6c will not ask for any options except for the options
specified in the reqopts config option.
Matthias Schiffer [Thu, 25 Jan 2018 17:11:37 +0000 (18:11 +0100)]
nftables: remove dependency on kmod-nf-nat
For minimal firewall setups, NAT support may be unnecessary.
It would be possible to further reduce the minimum number of installed
modules, e.g. by separating IPv4 and IPv6 support or moving conntrack
support into a separate kmod package. We go with a more complete
kmod-nft-core for now, until a concrete usecase for smaller packages
arises.
Matthias Schiffer [Thu, 25 Jan 2018 17:05:12 +0000 (18:05 +0100)]
netfilter: clean up dependencies of kernel modules
The nf_reject_ipv4 and nf_reject_ipv6 modules are moved into separate
packages, as they are a common dependency of ip(6)tables and nftables. This
avoids a dependency of nftables on kmod-nf-ipt(6). Also, fewer iptables
modules depend on nf-conntrack(6) now.
Hans Dedecker [Fri, 26 Jan 2018 20:17:46 +0000 (21:17 +0100)]
curl: bump to 7.58.0
a0b5e8944 progress-bar: get screen width on windows 65ceb20df test1454: --connect-to with IPv6 address w/o IPv6 support! eb6e3c4f6 CONNECT_TO: fail attempt to set an IPv6 numerical without IPv6 support 96186de1f docs: fix man page syntax to make test 1140 OK again af32cd385 http: prevent custom Authorization headers in redirects 993dd5651 curl: progress bar refresh, get width using ioctl() 9d82cde7b RELEASE-NOTES: synced with bb0ffcc36 bb0ffcc36 libcurl-env.3: first take ec122c4c8 TODO: two possible name resolver improvements a5e6d6ebc http2: don't close connection when single transfer is stopped 87ddeee59 test558: fix for multissl builds da07dbb86 examples/url2file.c: add missing curl_global_cleanup() call ddafd45af SSH: Fix state machine for ssh-agent authentication 9e4ad1e2a openssl: fix potential memory leak in SSLKEYLOGFILE logic ca9c93e3e openssl: fix the libressl build again 2c0c4dff0 unit1307: test many wildcards too 2a1b2b4ef curl_fnmatch: only allow 5 '*' sections in a single pattern cb5accab9 ftp-wildcard: fix matching an empty string with "*[^a]" 25c40c9af SMB: fix numeric constant suffix and variable types 945df7410 CURLOPT_TCP_NODELAY.3: fix typo 8dd4edeb9 smtp/pop3/imap_get_message: decrease the data length too... 84fcaa2e7 openssl: enable SSLKEYLOGFILE support by default e44ddfd47 mime: clone mime tree upon easy handle duplication. 2c821bba8 docs: comment about CURLE_READ_ERROR returned by curl_mime_filedata a06311be2 test395: HTTP with overflow Content-Length value 67595e7d2 test394: verify abort of rubbish in Content-Length: value ac17d7947 test393: verify --max-filesize with excessive Content-Length f68e67271 HTTP: bail out on negative Content-Length: values 0616dfa1e configure.ac: append extra linker flags instead of prepending them. 650b9c1d6 RELEASE-NOTES: synced with 6fa10c8fa 6fa10c8fa setopt: fix SSLVERSION to allow CURL_SSLVERSION_MAX_ values 3b548ffde setopt: reintroduce non-static Curl_vsetopt() for OS400 support fa3dbb9a1 http2: fix incorrect trailer buffer size 2a6dbb815 easy: fix connection ownership in curl_easy_pause 89f680473 system.h: Additionally check __LONG_MAX__ for defining curl_off_t 14d07be37 COPYING: it's 2018! a8ce5efba progress: calculate transfer speed on milliseconds if possible d4e40f069 scripts: allow all perl scripts to be run directly e4f86025d mail-rcpt.d: fix short-text description 908a9a674 build: remove HAVE_LIMITS_H check 129390a51 openssl: fix memory leak of SSLKEYLOGFILE filename 272613df0 Revert "curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX" 481539e90 test1554: improve the error handling 593dcc553 test1554: add global initialization and cleanup dc831260b curl_version_info.3: call the argument 'age' 58d7cd28a brotli: data at the end of content can be lost a0f3eaf25 examples/cacertinmem: ignore cert-already-exists error 859ac3602 tool_getparam: Support size modifiers for --max-filesize b399b0490 build: Fixed incorrect script termination from commit ad1dc10e61 a9b774a77 Makefile.vc: Added our standard copyright header 22fddb85a winbuild: Added support for VC15 ad1dc10e6 build: Added Visual Studio 2017 project files d409640d6 build-wolfssl.bat: Added support for VC15 a4e88317d build-openssl.bat: Added support for VC15 c97648b55 curl/system.h: fix compilation with gcc on AIX PPC and IA64 HP-UX b43755789 examples/rtsp: fix error handling macros f009bbe1f curl_easy_reset: release mime-related data. 4acc9d3d1 content_encoding: rework zlib_inflate e639d4ca4 brotli: allow compiling with version 0.6.0. 9c6a6be88 CURLOPT_READFUNCTION.3: refer to argument with correct name 02f207a76 rand: add a clang-analyzer work-around 13ce373a5 krb5: fix a potential access of uninitialized memory 41982b6ac conncache: fix a return code [regression] 5d0ba70e1 curl: support >256 bytes warning messsages 188a43a8f libssh: fix a syntax error in configure.ac 7ef0c2d86 examples/smtp-mail.c: use separate defines for options and mail 621b24505 THANKS: added missing names cc0cca1ba mailmap: added/clarified several names 9d7a59c8f setopt: less *or equal* than INT_MAX/1000 should be fine 2437dbbf1 vtls: replaced getenv() with curl_getenv() ef5633d4b RELEASE-NOTES: synced with 3b9ea70ee 3b9ea70ee TODO: Expose tried IP addresses that failed 48c184a60 curl.1: mention http:// and https:// as valid proxy prefixes 76db03dd9 curl.1: documented two missing valid exit codes 63e58b8b4 CURLOPT_DNS_LOCAL_IP4.3: fixed the seel also to not self-reference 671f0b506 Revert "curl: don't set CURLOPT_INTERLEAVEDATA" 4b6f3cff7 tests: mark data files as non-executable in git 98c572ed3 tests: update .gitignore for libtests e959f16c5 multi_done: prune DNS cache 06a0a26fb mailmap: fixup two old git Author "aliases" 7ab4e7adb openssl: Disable file buffering for Win32 SSLKEYLOGFILE b1b94305d RESOLVE: output verbose text when trying to set a duplicate name bbea75ad6 CURLOPT_DNS_CACHE_TIMEOUT.3: see also CURLOPT_RESOLVE a4a56ec93 sftp: allow quoted commands to use relative paths 9fb5a943f CURLOPT_PRIVATE.3: fix grammar 179ee78e8 curl: remove __EMX__ #ifdefs 9dfb19483 openssl: improve data-pending check for https proxy 9ffad8eb1 curl: don't set CURLOPT_INTERLEAVEDATA 912324024 curl.h: remove incorrect comment about ERRORBUFFER ebaab4d17 configure: add AX_CODE_COVERAGE only if using gcc b5881d1fb curl: limit -# update frequency for unknown total size 546e7db78 BINDINGS: another PostgreSQL client 55e609890 CONNECT: keep close connection flag in http_connect_state struct c103cac3c include: get netinet/in.h before linux/tcp.h 00cda0f9b openldap: fix checksrc nits ff07f07cc openldap: add commented out debug possibilities bb0ca2d44 examples: move threaded-shared-conn.c to the "complicated" ones 4fb85b87b RELEASE-NOTES: synced with b261c44e8 b261c44e8 URL: tolerate backslash after drive letter for FILE: 24dcd7466 tests: added netinet/in6.h includes in test servers 76ebd5417 configure: check for netinet/in6.h 0c65678e7 curl-config: add --ssl-backends ea3a5d07d conncache: only allow multiplexing within same multi handle 415b8dff8 threaded-shared-conn.c: fixed typo in commenta 5254d8bf2 threaded-shared-conn.c: new example 07cb27c98 conncache: fix several lock issues 85f0133ea libssh: remove dead code in sftp_qoute 615edc1f7 sasl_getmesssage: make sure we have a long enough string to pass 440140946 libssh2: remove dead code from SSH_SFTP_QUOTE 6401ddad4 ssh-libssh.c: please checksrc 918530752 libssh: fixed dereference in statvfs access 8dad32bcf RESOURCES: update spec names a08f5a77c libssh: corrected use of sftp_statvfs() in SSH_SFTP_QUOTE_STATVFS 8843c0939 libssh: no need to call sftp_get_error as ssh_get_error is sufficient 3cef6f22e libssh: fix minor static code analyzer nits 10bb0b471 openssl: pkcs12 is supported by boringssl 8eff32f0b travis: use pip2 instead of pip b7f534597 lib582: do not verify host for SFTP a2f396680 libssh: added SFTP support c75c9d4fb symbols-in-versions: added new symbols with 7.56.3 version 05675ab5a .travis.yml: added build --with-libssh 38aef6dc4 libssh2: return CURLE_UPLOAD_FAILED on failure to upload 75427291e libssh2: send the correct CURLE error code on scp file not found c92d2e14c Added support for libssh SSH SCP back-end 3973ee6a6 RELEASE-NOTES: synced with af8cc7a69 af8cc7a69 curlver: towards 7.57.1 4b4142491 lib: don't export all symbols, just everything curl_* 9194a9959 SSL: Avoid magic allocation of SSL backend specific data 744ee5838 examples/xmlstream.c: don't switch off CURL_GLOBAL_SSL 270494e1a travis: add boringssl build
Yousong Zhou [Sun, 28 Jan 2018 01:43:30 +0000 (09:43 +0800)]
procd: fix procd_lock() when prepare_roofs
This fixes the following errors when doing "make package/install"
/home/yousong/git-repo/lede-project/lede/build_dir/target-mips_24kc_musl/root-malta/lib/functions/procd.sh: line 47: /home/yousong/git-repo/l
ede-project/lede/build_dir/target-mips_24kc_musl/root-malta/var/lock/procd_urandom_seed.lock: No such file or directory
flock: 1000: Bad file descriptor
Hauke Mehrtens [Sat, 27 Jan 2018 21:51:59 +0000 (22:51 +0100)]
binutils: assertion failure bfd/elfxx-mips.c:3860
With forced PIE and SSP support I ran into this assertion failure.
backport two patches to fix this problem from the binutils 2.28 branch.
This fix is already included in binutils 2.28.1 and 2.29.
Julien Dusser [Sun, 7 Jan 2018 17:47:21 +0000 (18:47 +0100)]
build: cleanup SSP_SUPPORT configure option
Configure variable SSP_SUPPORT is ambiguous for packages (tor, openssh,
avahi, freeswitch). It means 'toolchain supporting SSP', but for toolchain
and depends it means 'build gcc with libssp'.
Musl no longer uses libssp (1877bc9d8f), it has internal support, so
SSP_SUPPORT was disabled leading some package to not use SSP.
No information why Glibc and uClibc use libssp, but they may also provide
their own SSP support. uClibc used it own with commit 933b588e25 but it was
reverted in f3cacb9e84 without details.
Create an new configure GCC_LIBSSP and automatically enable SSP_SUPPORT
if either USE_MUSL or GCC_LIBSSP.
Julien Dusser [Mon, 8 Jan 2018 22:47:06 +0000 (23:47 +0100)]
build: add hardened builds with PIE (ASLR) support
Introduce a configuration option to build a "hardened" OpenWrt with
ASLR PIE support.
Add new option PKG_ASLR_PIE to enable Address Space Layout Randomization (ASLR)
by building Position Independent Executables (PIE). This new option protects
against "return-to-text" attacks.
Busybox need a special care, link is done with ld, not gcc, leading to
unknown flags. Set BUSYBOX_DEFAULT_PIE instead and disable PKG_ASLR_PIE.
If other failing packages were found, PKG_ASLR_PIE:=0 should be added to
their Makefiles.
Original Work by: Yongkui Han <yonhan@cisco.com> Signed-off-by: Julien Dusser <julien.dusser@free.fr>
Alexandru Ardelean [Wed, 17 Jan 2018 10:55:15 +0000 (12:55 +0200)]
kernel-headers: adjust PKG_ variables when using git clone method
When using an external git clone for the kernel repo,
the build would fail because the build won't download
[via git] the kernel tarball.
This is because the `toolchain/kernel-headers` assumes
that the kernel would get downloaded via normal HTTP.
The reason for this is the `HostBuild` rule, which
calls the `Download/default` rule.
To use the `Download/default` we just need to conditionally
adjust some PKG_ vars.
We can safely use `LINUX_VERSION` as it was already adjusted
in the `kernel-version.mk` to avoid collisions with other tarballs.
Alexandru Ardelean [Mon, 15 Jan 2018 14:50:38 +0000 (16:50 +0200)]
kernel.mk: update LINUX_VERSION filename for cloned repo
In case there is an external git repo specified,
it could overwrite the kernel tarball that was
downloaded from kernel.org.
The only identifier for such a file is the
KERNEL_GIT_CLONE_URI & KERNEL_GIT_REF symbols,
so if we have to download it we'll use that
information [after some sanitization]
to create a different filename for the kernel tarball.
If KERNEL_GIT_REF symbol is empty, HEAD will be used
as mentioned in the description of KERNEL_GIT_REF.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Stephan Brunner [Fri, 19 Jan 2018 13:03:46 +0000 (14:03 +0100)]
hostapd: add support for hostapd's radius_client_addr
Add support for hostapd's radius_client_addr in order to
force hostapd to send RADIUS packets from the correct source
interface rather than letting linux select the most appropriate.
Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
Evgeniy Didin [Wed, 24 Jan 2018 17:26:03 +0000 (20:26 +0300)]
toolchain/arc: update to the most recent release arc-2017.09
This commit finally bumps ARC tools to the most recent arc-2017.09 release version.
ARC GNU tools of version arc-2017.09 bring some quite significant changes like:
* Binutils v2.29 with additional ARC patches
* GCC 7.1.1 with additional ARC patches
More information on this release could be found here:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/releases/tag/arc-2017.09-release
Signed-off-by: Evgeniy Didin <Evgeniy.Didin@synopsys.com> CC: Alexey Brodkin <abrodkin@synopsys.com> CC: John Crispin <john@phrozen.org>
Matthias Schiffer [Fri, 26 Jan 2018 22:24:59 +0000 (23:24 +0100)]
mac80211: revert "wireless: set correct mandatory rate flags"
Revert upstream commit 1bd773c077de "wireless: set correct mandatory rate
flags", as it breaks 11s interoperability: nodes can only associate when
neither or both have this patch. As this is a regression from released
versions, revert to the old code for now.
Alexandru Ardelean [Wed, 24 Jan 2018 10:56:39 +0000 (12:56 +0200)]
rules.mk: drop `include_mk` build rule
The only users of this were the python packages
from the `packages` feed.
The 2 python interpreters would export some mk
files (e.g. python-package.mk) and then other
python packages would include it via this rule.
But there's a few things wrong with this approach,
most of them drawing from the fact that python host
needs to be built first, to export these mk files.
By now all uses of include_mk have been corrected
in the feeds and this can be removed.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Yousong Zhou [Thu, 25 Jan 2018 01:40:33 +0000 (09:40 +0800)]
build: disable BUILD_PATENTED by default
This is mainly for legal considerations and not promoting the usage of
and no redistribution of binaries of patented technologies seems to be
also the established practice in other linux distros.
9a93a3d version: bump snapshot 7bc0579 contrib: keygen-html: update curve25519 implementation ffc13a3 tools: import new curve25519 implementations 0ae7356 curve25519: wire up new impls and remove donna f90e36b curve25519: resolve symbol clash between fe types 505bc05 curve25519: import 64-bit hacl-star implementation 8c02050 curve25519: import 32-bit fiat-crypto implementation 96157fd curve25519: modularize implementation 4830fc7 poly1305: remove indirect calls bfd1a5e tools: plug memleak in config error path 09bf49b external-tests: add python implementation b4d5801 wg-quick: ifnames have max len of 15 6fcd86c socket: check for null socket before fishing out sport ddb8270 global: year bump 399d766 receive: treat packet checking as irrelevant for timers
Felix Fietkau [Thu, 25 Jan 2018 15:49:14 +0000 (16:49 +0100)]
mt76: update to the latest version
2b7fae4 mt76: fix returnvar.cocci warnings 939e3e0 mt76x2: dfs: avoid tasklet scheduling during mt76x2_dfs_init_params() cf59170 mt76x2: dfs: add set_domain handler 5e4d60e mt76x2: dfs: take into account dfs region in mt76x2_dfs_init_params() f76e25f mt76x2: fix WMM parameter configuration 34d612d mt76: retry rx polling as long as there is budget left 0f8327a mt76x2: fix TSF value in probe responses ad3f8e9 mt76: add an intermediate struct for rx status information 58a41f1 mt76: get station pointer by wcid and pass it to mac80211 b0508d3 mt76: implement A-MPDU rx reordering in the driver code cf3cfc4 mt76: split mt76_rx_complete 461cdf9 mt76: pass the per-vif wcid to the core for multicast rx 9b2c778 mt76: validate rx CCMP PN 302af90 mt76x2: init: disable all pending tasklets during device removal 9f685fe mt7603: init: disable tbtt tasklet during device removal c6f8cac mt76: let mac80211 validate CCMP PN for fragmented frames 3968dae mt7603: fix 40 mhz channel bandwidth reporting 9c2e03d mt7603: fix rx LDPC reporting
Catrinel Catrinescu [Mon, 15 Jan 2018 15:45:16 +0000 (16:45 +0100)]
ar71xx: add ew-balin platform from Embedded Wireless
Add the Embedded Wireless "Balin" platform
SoC: QCA AR9344 or AR9350
RAM: DDR2-RAM 64MBytes
Flash: SPI-NOR 16MBytes
WLAN: 2 x 2 MIMO 2.4 & 5 GHz IEEE802.11 a/b/g/n
Ethernet: 3 x 10/100 Mb/s
USB: 1 x USB2.0 Host/Device bootstrap-pin at power-up
PCI-Express: 1 x lane PCIe 1.2
UART: 1 x Normal, 1 x High-Speed
JTAG: 1 x EJTAG
GPIO: 10 x Input/Output multiplexed
The module comes already with the current vanilla OpenWrt firmware.
To update, use "sysupgrade" image directly in vendor firmware.
Felix Fietkau [Wed, 24 Jan 2018 15:43:28 +0000 (16:43 +0100)]
musl: allow autorebuild
Autorebuild is disabled for the toolchain to avoid build-order issues.
However, rebuilding musl is safe, so exclude it from that restriction.
Avoids the need for manual cleaning on kernel header <-> libc API
changes like the ones introduced recently
Mathias Kresin [Wed, 17 Jan 2018 07:14:41 +0000 (08:14 +0100)]
ramips: add flash size postfix to Widora neo
Rename the Widora neo by adding a flash size prefix. Move the common parts
into a dtsi to be prepare everything for upcomming support of the 32MB
version.
Migrate the Widora neo to the generic board detection as well.
Daniel Golle [Wed, 24 Jan 2018 00:20:41 +0000 (01:20 +0100)]
ar71xx: fix MikroTik rb-nor-flash-16M-ac image
commit e15c63a375
ar71xx: add support for MikroTik RouterBOARD wAP G-5HacT2HnD (wAP AC)
changed the existing rb-nor-flash-16M-ac image in a way that it would
now only support the rb-wapg-5hact2hnd.
The board show however rather be added to the existing boards in the
rb-nor-flash-16M image template.
Reported-by: Mathias Kresin <dev@kresin.me> Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Hauke Mehrtens [Sun, 10 Dec 2017 19:56:31 +0000 (20:56 +0100)]
sunxi: backport stmmac network patches
Ethernet support was initial added in kernel 4.13, but deactivated
before the final release. This is backports the changes which are
activating it again from kernel 4.15.
Notes:
* Older versions of these boards might be equipped with a NAND
flash chip instead of the SPI NOR device. Those boards are not
supported (yet).
* The MikroTik RB911-5HnD (911 Lite5 Dual) board also uses the
same hardware. Support for that can be added later with little
effort probably.
Installation:
1. Setup a DHCP/BOOTP Server with the following parameters:
* DHCP-Option 66 (TFTP server name): pointing to a local TFTP
server within the same subnet of the DHCP range
* DHCP-Option 67 (Bootfile-Name): matching the initramfs filename
of the to be booted image. The usable intramfs files are:
- openwrt-ar71xx-mikrotik-vmlinux-initramfs.elf
- openwrt-ar71xx-mikrotik-vmlinux-initramfs-lzma.elf
- openwrt-ar71xx-mikrotik-rb-nor-flash-16M-initramfs-kernel.bin
2. Press the reset button on the board and keep that pressed.
3. Connect the board to your local network via its ethernet port.
4. Release the button after the LEDs on the board are turned off.
Now the board should load and start the initramfs image from
the TFTP server.
5. Upload the sysupgrade image to the board with scp:
$ scp openwrt-ar71xx-mikrotik-rb-nor-flash-16M-squashfs-sysupgrade.bin root@192.168.1.1:/tmp/fw.bin
5. Log in to the running system listening on 192.168.1.1 via ssh
as root (without password):
$ ssh root@192.168.1.1
7. Flash the uploaded firmware file from the ssh session via the
sysupgrade command:
root@OpenWrt:~# sysupgrade /tmp/fw.bin
Gabor Juhos [Thu, 18 Jan 2018 12:50:30 +0000 (13:50 +0100)]
ar71xx: mach-rbspi: return rb_info from rbspi_platform_setup
Modify the rbspi_platform_setup() function to return the pointer of the
rb_info structure. This allows board specific setup routines to access
the various fields of the information. It is useful for investigating
the hardware option bits for example.
Also update the board setup codes, to ensure that those handle the new
return value correctly.
Gabor Juhos [Thu, 18 Jan 2018 12:50:29 +0000 (13:50 +0100)]
ar71xx: add definitions for RouterBOARD hardware option bits
Add bit definitions for the 'hardware options' tag which is used in
the MikroTik devices' hardware configurations. These values can be
used in board setup codes, to do different initialization sequences.
The values were obtained from the RouterOS 6.41-rc38 patches.
Additionally, introduce two helper functions what make the processing
of the hardware options easy.
Daniel Gimpelevich [Thu, 18 Jan 2018 11:52:12 +0000 (03:52 -0800)]
kernel: add IEEE-1284 parallel port support
The kmod-lp package included both lp.ko and ppdev.ko, but ECP device
drivers may or may not require lp NOT to be loaded, needing only ppdev.
Additionally, There were no packages for any parport interface modules,
such as uss720 or parport_pc, provided here. It has not been otherwise
possible to use PC-style parport hardware for kmod-lp.
Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Hauke Mehrtens [Sat, 3 Jun 2017 10:59:55 +0000 (12:59 +0200)]
kernel: use upstream patches for musl
This replaces the current patches used to make the kernel headers
compatible with musl with the version which was accepted upstream. This
is included in upstream kernel 4.15.
This was compile tested with iproute2 build on all supported kernel
versions with musl and one one with glibc.
Kevin Darbyshire-Bryant [Fri, 19 Jan 2018 17:16:08 +0000 (17:16 +0000)]
dnsmasq: backport dnssec security fix
CVE-2017-15107
An interesting problem has turned up in DNSSEC validation. It turns out
that NSEC records expanded from wildcards are allowed, so a domain can
include an NSEC record for *.example.org and an actual query reply could
expand that to anything in example.org and still have it signed by the
signature for the wildcard. So, for example
!.example.org NSEC zz.example.org
is fine.
The problem is that most implementers (your author included, but also
the Google public DNS people, powerdns and Unbound) then took that
record to prove the nothing exists between !.example.org and
zz.example.org, whereas in fact it only provides that proof between
*.example.org and zz.example.org.
This gives an attacker a way to prove that anything between
!.example.org and *.example.org doesn't exists, when it may well do so.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This patch aligns the device-tree file with the latest
guidelines.
- No longer include qcom-ipq4019-ap.dk01.1.dtsi. This
file is only partially upstream and therefore subjected
to changes that might not be compatible with the board.
As a result, the definitions from the file have been
copied into this dts.
- exclusively use decimal GPIO addresses.
- reorganize the reserved-memory layout to waste less
memory. There's no point in keeping the u-boot loader
around. This should also make it possible to create
an image that will boot with the original EVA/ADAM2 loader
without needing to install the modified u-boot loader.
And finally mark the "tz-apps" as reusable.
There isn't a way to upload apps to the trust-zone in OpenWrt
yet. But it might see some use in the future as a "secure"
key-store/TPM.
- sort the first-level nodes alphabetically.
- sort nodes with an address by the address.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Hans Dedecker [Tue, 16 Jan 2018 14:59:03 +0000 (15:59 +0100)]
odhcp6c: add sendopts config support and update to latest git HEAD
Add sendopts config support allowing to add options in sent DHCPv6 packets.
Options can be configured as follows :
uci set network.wan6.sendopts="sntpservers:3001:3001::1,3001:3001::2 11:00000000000000000000006674692F 0x3e8:ABCDEF"
Based on a patch by Frank Andrieu <fandrieu@gmail.com>
Serg Studzinskii [Sun, 24 Dec 2017 16:00:13 +0000 (18:00 +0200)]
ramips: tl-wr840n-v5: increase firmware partition for 4Mmtk layot
According to console log during TP-Link TL-WR840N v5 OEM firmware update
procedure 0x3e0000-0x3f0000 64kB "config" partition, which is used to store
router's configuration settings, is erased and recreated again during every
OEM firmware update procedure, thus does not contain any valuable factory data.
So it is conviniant to use this extra 64kB erase block for jffs overlay due
limited flash size on this device like it used on TP-Link's ar71xx boards.
projects / users / dwmw2 / openwrt.git / log