Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.
Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ca7c2b846)
Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.
Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 39e5f11631)
Forward the OpenWrt CPPFLAGS to the compile process. This fixes fortify
sources support.
Link: https://github.com/openwrt/openwrt/pull/22056
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 35939e4db9)
Changelog: https://github.com/autotools-mirror/m4/blob/branch-1.4/NEWS
This update fixes a build error on my system:
./string.h:777:20: error: expected identifier or '(' before '_Generic'
777 | _GL_EXTERN_C void *memchr (const void *__s, int __c, size_t __n)
| ^~~~~~
Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/21987
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit ce9a0ff3fb)
The target name of meraki_mx64-a0 in
target/linux/bcm53xx/image/Makefile used not to be consistent with the
one defined in target/linux/bcm53xx/base-files/lib/upgrade/platform.sh
and generates warning for "Image check failed" during sysupgrade.
This commit would also make the target name for meraki_mx64-a0 to
conform to the openwrt standard.
Signed-off-by: Edward Chow <equu@openmail.cc>
Link: https://github.com/openwrt/openwrt/pull/22034
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 625f01cd80)
The Linux kernel assumes that the u-boot environment covers the full
partition, but it only covers 0x1000 bytes. Linux checks the CRC and
does this over the full partition. This fails like this:
```
u-boot-env-layout 1f000000.spi:flash@0:partitions:partition@30000:nvmem-layout: Invalid calculated CRC32: 0xfcac8c41 (expected: 0x14e6335a)
u-boot-env-layout 1f000000.spi:flash@0:partitions:partition@30000:nvmem-layout: probe with driver u-boot-env-layout failed with error -22
```
Define the u-boot environment with a length of 0x1000 bytes to calculate
the CRC only over this area.
When replicating the u-boot environment with these parameters it
generates the same CRC:
```
mkenvimage -p 0 -b -s 0x1000 -o output.bin input.txt
```
Fixes: https://github.com/openwrt/openwrt/issues/21696
Fixes: 5e3a602def ("ath79: sitecom,wlrx100: use nvmem")
Link: https://github.com/openwrt/openwrt/pull/22030
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 68a466b698)
The TARGET_CPPFLAGS contain the include paths used by OpenWrt. This also
contains the including of the fortify sources headers. If they are not
provided, the applications will not use fortify sources headers when
compiled against musl. Add them to cmake builds too. cmake does not
support a special CPPFLGS option [0], just add them to CFLAGS and
CXXFLAGS like we also do it for meson and normal make.
This should fix fortify sources support for cmake builds.
I found this explanation for the flags:
* CFLAGS: C flags, passed during compile AND link
* CXXFLAGS: C++ flags, passed during compile AND link
* CPPFLAGS: pre-processor flags, passed ONLY during compile
* LDFLAGS: linker flags, passed ONLY during link
[0]: https://gitlab.kitware.com/cmake/cmake/-/issues/12928
Link: https://github.com/openwrt/openwrt/pull/22042
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7bf8d568f6)
Some applications might activate -Werror=format-nonliteral when building
their application. This breaks fortify headers build. Tell GCC to ignore
such warnings for this code.
This fixes the libubox and ucode build:
```
/include/fortify/stdio.h: In function 'snprintf':
/include/fortify/stdio.h:101:9: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
101 | return __orig_snprintf(__s, __n, __f, __builtin_va_arg_pack());
| ^~~~~~
/include/fortify/stdio.h: In function 'sprintf':
/include/fortify/stdio.h:110:17: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
110 | __r = __orig_snprintf(__s, __b, __f, __builtin_va_arg_pack());
| ^~~
/include/fortify/stdio.h:114:17: error: format not a string literal, argument types not checked [-Werror=format-nonliteral]
114 | __r = __orig_sprintf(__s, __f, __builtin_va_arg_pack());
| ^~~
cc1: all warnings being treated as errors
ninja: build stopped: subcommand failed.
```
Link: https://github.com/openwrt/openwrt/pull/22042
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit b237266640)
If nvmem is used for ethernet mac address, we need to defer loading to
get the proper mac.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21955
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit fb71774232)
RIPE Atlas Probe v5 is a network measurement device based on Turris MOX.
u-boot bootscript supports booting both from the original Turris BTRFS
layout and default OpenWrt ext4 boot + root partition layout.
Specifications:
* SoC: Marvell ARMADA 3720
* RAM: 512 MiB, DDR3
* eMMC: 4G
* Ethernet: 1x 1GbE
MAC:
LAN MAC: label on board
Flash instructions:
* For using the default ext4 layout, boot into a live system using
tftpboot in u-boot and flash an OpenWrt SD image onto /dev/mmcblk0.
* For the Turris layout, put the new rootfs into subvolume '@', not
forgetting to add Image, device tree, and boot.scr to /boot.
Misc:
* USB connection is only for power. For UART access use the pin header:
1: GND
2: +1.8V
5: TX
6: RX
* Flashing the image onto Turris Shield won't work. Use Turris MOX image
instead.
Signed-off-by: Tomáš Macholda <tomas.macholda@nic.cz>
Link: https://github.com/openwrt/openwrt/pull/20031
(cherry picked from commit 0271f2ee36)
Signed-off-by: Trix Taiclet <git@trix.moe>
Link: https://github.com/openwrt/openwrt/pull/22048
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes a simple logic error in the macaddr existence check in mac80211.uc.
Signed-off-by: Harin Lee <me@harin.net>
Link: https://github.com/openwrt/openwrt/pull/21277
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 2ebcda1ea6)
This allows services to dynamically configure MLO interfaces without
using UCI.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 0a8bccf85d)
This helps for setups where the wifi interfaces are added dynamically
via procd data by avoiding automatically bringing up interfaces with
the default config. Internally, they are treated pretty much the same
by netifd.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 79a0aebd81)
Add optional chaining when accessing device config in the wifi-iface
loop to handle cases where a referenced device doesn't exist.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 8b994ed397)
When storing device-level data, wdev_set_data() spread the entire wdev
object into handler_data. Since handler_config.data is set from the
previous handler_data[wdev.name] before each setup, this created
exponentially growing nesting with each reload, eventually causing
"nesting too deep" JSON parse errors.
Fix by initializing cur to a simple object containing only the device
name instead of the entire wdev object.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 68c2ab8f5f)
Extract survey fetching into get_survey() and store results in iface.survey,
allowing access to full survey info (not just noise) for later use.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit e855f32bdd)
Moved interface discovery and data population into an exported update()
function that can be called on-demand to refresh wireless interface
information. This allows using iwinfo.uc as a library inside daemons.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 26eab84f81)
63413daa8760 uclient-http: fix HTTP authentication after deferred header processing
4fa6fae02f74 uclient-fetch: Extract opt_post variable
8df3120639a4 uclient-fetch: Use HEAD for --spider
0392dfc8e8c4 uclient-fetch: Support of --method, --body-data and --body-file
115c92824b6d uclient-fetch: add OPTIONS request type
a1531e89f6c2 uclient-fetch: support for WebDAV methods
Fixes: https://github.com/openwrt/uclient/issues/14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 88f3c0eeb0)
b3ee1209a3d0 uclient-http: reset fd to -1 after close in disconnect
9c2ad269c42b uclient-http: fix seq field check to use correct field
80c9bd29c233 uclient-http: fix hang on HTTP to HTTPS redirect
931bbfeb2c92 ucode: fix memory leak when using ssl context
Fixes: https://github.com/openwrt/uclient/issues/11
Fixes: https://github.com/openwrt/uclient/issues/13
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 9d496dfb98)
d324c0503040 libubox: send warnings to stderr
5a65cb5a79b7 libubox: document positional arguments
8c7b489daa02 libubox: add anonymous strings, ints, et al in arrays
5ec7ff2effb3 uloop: use volatile sig_atomic_t for do_sigchld flag
0efa2cd3b74c usock: check SO_ERROR after poll in usock_inet_timeout()
1a73ded9f738 usock: fix timeout handling in usock_inet_timeout()
1aa36ee774c8 usock: implement RFC 8305 Happy Eyeballs for usock_inet_timeout()
Fixes: https://github.com/openwrt/uclient/issues/8
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 7bc8aa492f)
Check /var/run/uci/ before /etc/config/ so that overlay configs
also trigger service reload events.
The overlay directory takes precedence, and uci show already handles
merging overlay + base configuration correctly.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit aaa2d9f1e5)
When a remote peer's connection drops (device powered off, unetmsgd
crash, network failure), network_rx_cleanup_state silently removed
the remote publish/subscribe handles without notifying local
subscribers. This meant local clients had no way to detect that a
remote peer had disappeared.
Call handle_publish for each channel where a remote publish handle
is removed during connection cleanup, so local subscribers receive
the publisher change notification and can react accordingly.
Signed-off-by: John Crispin <john@phrozen.org>
(cherry picked from commit 7fd71f2c74)
handle_publish() notifies local subscribers about publisher state
changes. The publish/subscribe handler in network_socket_handle_request()
was calling it for both remote publish and subscribe changes, but
subscriber changes are not relevant to local subscribers.
Guard the handle_publish() calls with a msgtype == "publish" check,
matching the local client paths in unetmsgd-client.uc which already
have this guard.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit e0722d0ac4)
When both peers connect simultaneously, the RX side can authenticate
before the TX handshake completes. network_check_auth() was sending a
ping on the unauthenticated TX channel, which gets rejected by the
remote's pre-auth handler as "Auth failed", killing the connection and
triggering an endless reconnect cycle.
Check chan.auth before interacting with the TX channel. If TX auth
hasn't completed yet, just schedule a reconnect timer - auth_data_cb
already handles state sync when TX auth completes.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 212040b5ca)
network_close() only closed the listening socket without shutting down
established RX/TX connections. This left remote state in
core.remote_publish/core.remote_subscribe for hosts on the removed
network, causing stale entries in channel listings and failed routing
attempts.
Close all RX and TX channels before removing the network, which also
triggers remote state cleanup via network_rx_socket_close().
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 389a79d972)
The cleanup condition checked != instead of ==, inverting the logic.
This caused two problems:
When an authenticated RX connection disconnected, remote state for that
host was never cleaned up since the stored entry matched the one being
closed.
When a stale unauthenticated connection from a peer closed, any existing
authenticated connection from the same peer was incorrectly deleted and
its remote state wiped.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f09596f84f)
When a remote peer's publish registrations arrive via RX before the
local TX connection is authenticated, handle_publish fires but the
subscriber can't reach the remote publisher yet since the TX channel
isn't ready.
Suppress publish notifications on the RX side when no authenticated TX
channel exists for the remote host. After TX authentication completes,
re-trigger handle_publish only for topics that the specific peer
publishes and that have local subscribers.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 3efcf444a1)
The condition checked !data.networks instead of !data.networks[name],
making it always false since data.networks was already validated earlier
in the function. Networks removed from unetd were never closed.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit a2368e0f69)
channel.disconnect() already closes the fd via ubus_shutdown(),
so calling socket.close() afterwards is redundant and causes EBADF.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit bdc3c1a820)
Add a 10-second timeout for outgoing auth requests to prevent
connections from getting stuck when the remote peer goes silent
after the hello handshake but before responding to auth.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 8a304d051f)
The network may be deleted before the disconnect callback fires.
Check for null to avoid crash when accessing net.tx_channels.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit f631d1576d)
This should not be defaulted to anything in the schema.
What seemed like a minor cleanup actually broke this
as the schema defines a default value already. I did
not notice as I had this explictly set in my config.
Fixes: 70ba7512 ("wifi-scripts: ucode: allow sae_pwe to be modified for AP mode")
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22043
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit f012e8d50a)
Some Android devices have issues with H2E causing downgrades to PSK
when using WPA2/3. With WPA3 it doesn't work reliably whatsoever.
My Samsung A55/6 for example has the following behavior:
daemon.info hostapd: lan5g: STA <redacted> IEEE 802.11: authenticated
daemon.notice hostapd: SAE: <redacted> indicates support for SAE H2E, but did not use it
daemon.info hostapd: lan2g: STA <redacted> IEEE 802.11: authenticated
daemon.info hostapd: lan2g: STA <redacted> IEEE 802.11: associated (aid 1)
daemon.notice hostapd: lan5g: Prune association for <redacted>
daemon.notice hostapd: lan2g: AP-STA-CONNECTED <redacted> auth_alg=open
daemon.info hostapd: lan2g: STA <redacted> RADIUS: starting accounting session 8234C696AAC1AE7D
daemon.info hostapd: lan2g: STA <redacted> WPA: pairwise key handshake completed (RSN)
daemon.notice hostapd: lan2g: EAPOL-4WAY-HS-COMPLETED <redacted>
This is also brought up in the issue: https://github.com/openwrt/openwrt/issues/9963
Ultimately this allows users to have the option to at the very least
disable H2E.
Unrelated: a minor cleanup was done so that ieee80211w uses set_default instead.
There is no functional change on that front.
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22021
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 70ba7512e7)
- uclient-fetch timeout bumped from 5s to 15s. If we do not do this
we get flagged by HE as the update request is expensive and takes
more than 5s to execute. Currently 5s timeout causes uclient-fetch
to be killed prematurely as can be seen by the following log:
10:34:57 user.notice 6in4-henet: update 1/3: timeout
10:35:07 user.notice 6in4-henet: update 2/3: timeout
10:35:17 user.notice 6in4-henet: update 3/3: timeout
10:35:22 user.notice 6in4-henet: update failed
The above is the worst case, what usually happens is:
10:53:59 user.notice 6in4-henet: update 1/3: timeout
10:54:06 user.notice 6in4-henet: update 2/3: abuse
10:54:06 user.notice 6in4-henet: updated
- We now use an exponential backoff starting from 5 seconds.
- Detect ca-bundle so we don't use --no-check-certificates
unnecessarily.
- The while loop was changed so we don't retry unnecessarily
after the final failure.
- Worst-case total time the update operation might take before
bailing out is:
(sum(15 + (5 × (2^(x − 1))), 1, 2) + 15) seconds = 1 min
Signed-off-by: Rany Hany <rany_hany@riseup.net>
Link: https://github.com/openwrt/openwrt/pull/22016
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 862b46dd8f)
Mark T4240RDB u-boot variants as device-built and avoid installing them into rootfs.
Without this buildbot crashes during package install with:
ERROR: unable to select packages:
u-boot-fsl_T4240RDB-nor (no such package):
required by: world[u-boot-fsl_T4240RDB-nor]
u-boot-fsl_T4240RDB-sdboot (no such package):
required by: world[u-boot-fsl_T4240RDB-sdboot]
Fixes: c5d3d5fe28 ("package: u-boot: initial support for qoriq arch")
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21514
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 20727f89d5)
Link: https://github.com/openwrt/openwrt/pull/21477
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This package adds initial u-boot support for qoriq target.
U-boot for qoriq devices must be compiled with 32-bit compiler and
linked with 32-bit linker. It's part of mpc 85xx target. But qoriq
target is 64-bit. As workaround, mpc85xx binary toolchain is downloaded
only for this u-boot.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/10941
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit c5d3d5fe28)
Link: https://github.com/openwrt/openwrt/pull/21477
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The build would continue even if the some of the intermediate commands
failed, as long as the last command in the final iteration of the loop
was successful.
Add 'set -e' to the subshell so that we immediately exit. Previously,
only the exit status of the final make-index-json.py mattered.
Fixes: https://github.com/openwrt/openwrt/issues/21981
Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/21993
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit fcb07b00ec)
This fixes a previous commit for Sophos XG 210r3 which was missing
board_name mapping and adds support for the SG related version and the
XG/SG 230r2 which is the same hardware with a faster processor.
Sophos board_name mapping was modified to support all Sophos
SG/XG devices.
Sophos SG/XG 210r3 and SG/XG 230r2 are rackmounted x86 based firewall
with 6 RJ-45 gigabit ethernet ports (eth0-5) and 2 SFP gigabit ethernet
ports (eth6, eth7) all running Intel NICs supported by igb driver. The 210r3
and 230r2 only differ in the processor used. This board update maps
eth1 (marked as WAN) as wan and eth0 and eth2-5 as lan. Leaving the
two SFP ports unmapped.
Fixes: 4880e8e338 ("x86: add board mapping for Sophos XG 210r3")
Signed-off-by: Raylynn Knight <rayknight@me.com>
Link: https://github.com/openwrt/openwrt/pull/21959
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d0c82dbb17)
