Re: [PATCH 2/2] uboot-envtools: support alternate default config

2020-12-10 Thread Bjørn Mork
Luis Araneda  writes:

> I think this could be archived without patching the upstream
> fw_printenv tool, depending on what solution you find acceptable.
>
> My motivation is to reduce the amount of patches that I think are not
> going to be accepted upstream.

Thanks a lot for your valuable feedback. I was not sure which way to
prefer.  This helps a lot.

> Please let me know if I'm missing some details that make the patches
> required, so we can brainstorm alternative solutions.
>
> One solution could be to add an alias using the "-c" option of
> fw_printenv. This is its help text:
>>  -c, --config configuration file, default:/etc/fw_env.config
>
> So, you could add the following alias:
> # alias fw_printsys='fw_printenv -c /etc/fw_env2.config'

Did not think of that.  Too obvious, probably.  Thanks.  But is there any
standard way of configuring system aliases from a package?  I believe
that's a prerequisite.  I'd like these commands to Just Work, preferably
also in a sysupgrade context although that could be solved by the
scripts having knowledge about the underlying config file.

(there are two system partitions.  If OpenWrt ever is to support the
second one, then sysupgrade will have to know about the way U-Boot
selects the next boot.  This is a variable in the "sys" environment)

> A second solution (assuming an alias is not acceptable), would be to
> add a wrapper script, again using the "-c" option.
> The wrapper script could contain:
>> #!/bin/sh
>> fw_printenv -c /etc/fw_env2.config "$@"

Yes, this was actually my first implementation.  It is pretty simple. I
just made it a bit too magic for myself by dealing with an arbitrary
number of configurations.  And then I wanted to "fix" the misleading
help text.  None of that is required.  So two very simple wrappers will
do.

Will send a v2 with this solution unless there is other contradicting
feedback.  And I will try to update the package revision this time...

> Finally, another thing that I noticed from the first patch is that the
> MTD partitions seems to be named u-boot-env2:
>> find_mtd_index u-boot-env2
>
> If that is the case, IMHO it would be more consistent to call the
> command "fw_printenv2" instead of "fw_printsys".
> Sure, it would not be consistent with Realtek's u-boot shell, but the
> naming is more generic and could be used by other devices as well in
> the future where the second env partition has something different than
> system information.
> In this case, variables like "cfgtype" could be renamed to "cfgnum" or
> something else.

Sorry, I really want to be consistent with U-Boot shell here.  We must
expect users with console access, and naming this environment differently
from the stock U-Boot will be unnecessarily confusing.

If the mismatch with the Linux/OpenWrt partition names is going to be a
problem, then I'd rather we change those to match stock.  Both realtek
devices I have (a Netgear GS108Tv3 and a ZyXEL GS1900-10HP) use these
partition names:

RTL838x# flshow
=== FLASH Partition Layout ===
Index  Name       Size   Address
--
 0     LOADER     0xe    0xb400-0xb40d
 1     BDINFO     0x1    0xb40e-0xb40e
 2     SYSINFO    0x1    0xb40f-0xb40f
 3     JFFS2_CFG  0x10   0xb410-0xb41f
 4     JFFS2_LOG  0x10   0xb420-0xb42f
 5     RUNTIME1   0xe8   0xb430-0xb517
 6     RUNTIME2   0xe8   0xb518-0xb5ff
==

So "u-boot-env" is "BDINFO" and "u-boot-env2" is "SYSINFO".  The stock
U-Boot shell refers to the variable sets as "environment" for "BDINFO",
and "system information" for "SYSINFO":

 RTL838x# help printenv
 printenv - print environment variables
 
 Usage:
 printenv 
 - print values of all environment variables
 printenv name ...
- print value of environment variable 'name'

 RTL838x# help printsys
 printsys - printsys - print system information variables

 Usage:
 printsys 
 - print values of all system information variables
 printenv name ...
 - print value of system information variable 'name'



Huh?  Did not notice that before, but that command name typo is
real. Yes, this is vendor patched and it sucks as expected ;-)

Anyway, the printsys/setsys/savesys along with SYSINFO is consistently
pointing to this as "system information" and not "environment 2".



Bjørn


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[PATCH] hostapd: pass respawn settings when registering the service

2020-12-10 Thread John Crispin
When hostapd gets restarted too often/quickly, procd will not restart it
anymore. It will think that hapd is in a crash loop.

Signed-off-by: John Crispin 
---
 package/network/services/hostapd/files/wpad.init | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/network/services/hostapd/files/wpad.init 
b/package/network/services/hostapd/files/wpad.init
index 3198e9801f..e2cd380cb5 100644
--- a/package/network/services/hostapd/files/wpad.init
+++ b/package/network/services/hostapd/files/wpad.init
@@ -11,7 +11,7 @@ start_service() {
mkdir -p /var/run/hostapd
procd_open_instance hostapd
procd_set_param command /usr/sbin/hostapd -s -g 
/var/run/hostapd/global
-   procd_set_param respawn
+   procd_set_param respawn 3600 5 0
procd_close_instance
fi
 
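Review bot: the three values in `procd_set_param respawn 3600 5 0` are unexplained magic numbers (procd reads them as threshold, timeout and retry, with retry 0 meaning unlimited restarts); a short comment or named variables would make clear that this is what lifts the crash-loop limit described in the commit message, and would avoid repeating the same tuple for the supplicant instance below.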
@@ -19,7 +19,7 @@ start_service() {
mkdir -p /var/run/wpa_supplicant
procd_open_instance supplicant
procd_set_param command /usr/sbin/wpa_supplicant -n -s -g 
/var/run/wpa_supplicant/global
-   procd_set_param respawn
+   procd_set_param respawn 3600 5 0
procd_close_instance
fi
 }
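Review bot: the same tuple is applied to the wpa_supplicant instance, but the commit message only talks about hostapd; either state that the supplicant is meant to get the same unlimited-respawn policy or leave this instance unchanged if that was not intended.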
-- 
2.25.1




[PATCH 2/2] lldpd: fix init.d script

2020-12-10 Thread John Crispin
The script was missing the reload trigger. Additionally running lldpd on a
bridge is not correct. Rather than running lldpd on the L3 bridge, it needs
to be run on all the L2 members.

Signed-off-by: John Crispin 
---
 package/network/services/lldpd/files/lldpd.init | 8 
 1 file changed, 8 insertions(+)

diff --git a/package/network/services/lldpd/files/lldpd.init 
b/package/network/services/lldpd/files/lldpd.init
index 7a5b25e016..8200556786 100644
--- a/package/network/services/lldpd/files/lldpd.init
+++ b/package/network/services/lldpd/files/lldpd.init
@@ -10,6 +10,10 @@ LLDPSOCKET=/var/run/lldpd.socket
 LLDPD_CONF=/tmp/lldpd.conf
 LLDPD_CONFS_DIR=/tmp/lldpd.d
 
+service_triggers() {
+   procd_add_reload_trigger lldpd
+}
+
 find_release_info()
 {
[ -s /etc/os-release ] && . /etc/os-release
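Review bot: `procd_add_reload_trigger lldpd` only reacts to edits of the lldpd config, yet the interface list is resolved through `network_get_device` and `/etc/board.json` further down in this script, so consider also registering a `network` trigger so that a changed bridge membership regenerates lldpd.conf.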
@@ -38,6 +42,10 @@ write_lldpd_conf()
for iface in $ifaces; do
local ifname=""
if network_get_device ifname "$iface" || [ -e 
"/sys/class/net/$iface" ]; then
+   if [ -e "/sys/class/net/$ifname/bridge" -o -e 
"/sys/class/net/$ifname/lower_bridge" ] ; then
+   local ports=$(jsonfilter -i /etc/board.json -e 
"@.network.$iface.ifname")
+   [ "${ports// /,}" ] && ifname="${ports// /,}"
+   fi
append ifnames "${ifname:-$iface}" ","
fi
done
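Review bot: when the `if` was entered through the `[ -e "/sys/class/net/$iface" ]` fallback, `$ifname` is still empty at the new bridge test, so it looks at `/sys/class/net//bridge` and the port expansion is silently skipped; either test `${ifname:-$iface}` as the `append` line does, or document that only logical interfaces are expanded. Minor: `[ a -o b ]` is obsolescent in POSIX test and `${ports// /,}` is an ash/bash extension, fine for busybox but worth a comment for anyone running the script elsewhere.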
-- 
2.25.1




[PATCH 1/2] lldpd: do not start lldpd on the loopback device

2020-12-10 Thread John Crispin
Starting lldpd on 'lo' makes no sense. We know that we are the only one on
that device.

Signed-off-by: John Crispin 
---
 package/network/services/lldpd/files/lldpd.config | 1 -
 1 file changed, 1 deletion(-)

diff --git a/package/network/services/lldpd/files/lldpd.config 
b/package/network/services/lldpd/files/lldpd.config
index 5e7c51ba7e..6a4b3e3dfa 100644
--- a/package/network/services/lldpd/files/lldpd.config
+++ b/package/network/services/lldpd/files/lldpd.config
@@ -16,5 +16,4 @@ config lldpd config
#option lldp_mgmt_ip "!192.168.1.1"
 
# interfaces to listen on
-   list interface "loopback"
list interface "lan"
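Review bot: dropping `list interface "loopback"` only changes the shipped default; devices upgraded with a preserved /etc/config/lldpd keep the old entry, so a sentence in the commit message (or a uci-defaults migration) would make the intended behaviour consistent across fresh and upgraded installs.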
-- 
2.25.1




[PATCH 2/2] uboot-envtools: support alternate default config

2020-12-10 Thread Luis Araneda
Hi Bjørn,

On Thu, Dec 10, 2020 at 9:42 AM Bjørn Mork  wrote:
>
> Now that we can create an alternate configuration file, add support
> for selecting it by using the alternate application names
> `fw_printsys' or `fw_setsys'.
>
> Signed-off-by: Bjørn Mork 
> ---
>  package/boot/uboot-envtools/Makefile  |   2 +
>  .../002-support-alternate-config.patch|  91 ++
>  .../patches/003-fix-usage-text.patch  | 167 ++
>  3 files changed, 260 insertions(+)
>  create mode 100644 
> package/boot/uboot-envtools/patches/002-support-alternate-config.patch
>  create mode 100644 
> package/boot/uboot-envtools/patches/003-fix-usage-text.patch

I think this could be achieved without patching the upstream
fw_printenv tool, depending on what solution you find acceptable.

My motivation is to reduce the amount of patches that I think are not
going to be accepted upstream.
Please let me know if I'm missing some details that make the patches
required, so we can brainstorm alternative solutions.

One solution could be to add an alias using the "-c" option of
fw_printenv. This is its help text:
>  -c, --config configuration file, default:/etc/fw_env.config

So, you could add the following alias:
# alias fw_printsys='fw_printenv -c /etc/fw_env2.config'

A second solution (assuming an alias is not acceptable), would be to
add a wrapper script, again using the "-c" option.
The wrapper script could contain:
> #!/bin/sh
> fw_printenv -c /etc/fw_env2.config "$@"

If you still want to modify the fw_printenv, I would suggest patching
it so it accepts a new argument with the function requested (print,
set) so that it can be used to override the automatic detection based on
the cmd name.
I see you already have something similar to this on the second patch.
To me, this sounds like a modification that could be upstreamed.


Finally, another thing that I noticed from the first patch is that the
MTD partitions seem to be named u-boot-env2:
> find_mtd_index u-boot-env2

If that is the case, IMHO it would be more consistent to call the
command "fw_printenv2" instead of "fw_printsys".
Sure, it would not be consistent with Realtek's u-boot shell, but the
naming is more generic and could be used by other devices as well in
the future where the second env partition has something different than
system information.
In this case, variables like "cfgtype" could be renamed to "cfgnum" or
something else.

Regards,
Luis Araneda.



Re: [PATCH ustream-ssl 07/12] cmake: enable extra compiler checks

2020-12-10 Thread Rosen Penev
On Thu, Dec 10, 2020 at 7:44 AM Petr Štetiar  wrote:
>
> Let's enforce additional automatic checks enforced by the compiler in
> order to catch possible errors during compilation.
>
> Signed-off-by: Petr Štetiar 
> ---
>  CMakeLists.txt | 8 +++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/CMakeLists.txt b/CMakeLists.txt
> index bb2abe5af596..b883751f6e3e 100644
> --- a/CMakeLists.txt
> +++ b/CMakeLists.txt
> @@ -3,7 +3,13 @@ cmake_minimum_required(VERSION 2.6)
>  INCLUDE(CheckSymbolExists)
>
>  PROJECT(ustream-ssl C)
> -ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
> +
> +ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3)
> +IF(CMAKE_C_COMPILER_VERSION VERSION_GREATER 6)
> +ADD_DEFINITIONS(-Wextra -Werror=implicit-function-declaration)
> +ADD_DEFINITIONS(-Wformat -Werror=format-security 
> -Werror=format-nonliteral)
> +ENDIF()
> +ADD_DEFINITIONS(-Wno-unused-parameter -Wmissing-declarations)
I recommend adding a clang section that includes
-Wgnu-empty-initializer . You mentioned before that it doesn't work
properly on GCC4.

>
>  SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
>
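Review bot: `CMAKE_C_COMPILER_VERSION` was introduced in CMake 2.8.8, while the hunk header shows the file still declaring `cmake_minimum_required(VERSION 2.6)`; on an older CMake the variable is empty, the `IF` is silently false and none of the extra `-Werror=...` checks apply, so either bump the minimum version or make the version check fail loudly. The version test also does not distinguish GCC from Clang, which matters for the Clang-only warning suggested in the reply above.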
>



Security Advisory 2020-12-09-1 - Linux kernel - ICMP rate limiting can be used to facilitate DNS poisoning attack (CVE-2020-25705)

2020-12-10 Thread Baptiste Jonglez
https://openwrt.org/advisory/2020-12-09-1


DESCRIPTION

A flaw has been found in the ICMP rate limiting algorithm of the Linux
kernel.

This flaw allows an off-path attacker to quickly determine open ephemeral
ports that are used by applications making outbound connections.

This can be exploited by an off-path attacker to more easily perform a DNS
cache poisoning attack. Such an attack normally involves trying all
possible values of the UDP source port and the DNS transaction ID, which
is considered difficult to do. With this flaw, the attacker can quickly
guess the UDP source port, and then it only has to try all possible values
of the DNS transaction ID, which is easier to do: the transaction ID only
has 16 bits. It should be noted that the attacker also needs to know the
actual query sent by the resolver.


IMPACT ON OPENWRT

OpenWrt is affected in its default configuration. By default, dnsmasq is
used to perform DNS resolution and the firewall allows the kernel to reply
with ICMP errors when hosts on the Internet send packets to closed UDP
ports.

An off-path attacker may use this flaw to more easily perform a DNS cache
poisoning attack on dnsmasq.


AFFECTED VERSIONS

OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to 19.07.4 are
affected.

The issue has been fixed in the following versions of OpenWrt:

OpenWrt 18.06.9 (fixed by updating the Linux kernel to 4.9.243 and 4.14.206)
OpenWrt 19.07.5 (fixed by updating the Linux kernel to 4.14.206)
OpenWrt master as of 2020-11-01 (fixed by updating the Linux kernel to 5.4.73)

Older versions of OpenWrt (e.g. OpenWrt 15.05 and LEDE 17.01) are end of
life and not supported any more.


MITIGATION

It is recommended to upgrade to the latest 18.06 or 19.07 release of
OpenWrt.

If upgrading is not possible, the flaw can be mitigated on older versions
of OpenWrt by disabling ICMP errors on the WAN firewall zone.

This can be achieved by changing the input policy from REJECT to DROP in
the WAN firewall zone and reloading the firewall configuration.

Users that have upgraded to 18.06.9 or 19.07.5 do not need to apply this
mitigation.
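The mitigation above, as an added example that is not part of the advisory: the shipped WAN zone with `input REJECT` beside the same zone rewritten to `DROP`, plus the uci commands that make the change on a device. The firewall text is a constructed excerpt modelled on the default /etc/config/firewall; the helper names are my own.

```sh
#!/bin/sh
# Added example, not part of the advisory. The zone text below is a
# constructed excerpt modelled on OpenWrt's default /etc/config/firewall.

# Shipped default: the wan zone REJECTs, so closed UDP ports are answered
# with ICMP errors, which is what the port probing in this advisory needs.
WEAK_WAN_ZONE='config zone
	option name		wan
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	list network		wan
	list network		wan6'

# Print the input policy of zone "$2" found in the UCI text "$1".
# Assumes "option name" precedes "option input" inside the zone, as in
# the default config. Prints nothing when the zone is not present.
zone_input_policy() {
	printf '%s\n' "$1" | awk -v zone="$2" '
		/^config /                      { name = ""; input = "" }
		$1 == "option" && $2 == "name"  { name = $3 }
		$1 == "option" && $2 == "input" { input = $3 }
		name == zone && input != ""     { print input; exit }'
}

# Rewrite the input policy of zone "$2" in UCI text "$1" to "$3" and
# print the whole text; every other line is passed through unchanged.
set_zone_input_policy() {
	printf '%s\n' "$1" | awk -v zone="$2" -v policy="$3" '
		/^config /                                   { in_zone = 0 }
		$1 == "option" && $2 == "name" && $3 == zone { in_zone = 1 }
		in_zone && $1 == "option" && $2 == "input"   { $0 = "\t" $1 "\t" $2 "\t\t" policy }
		{ print }'
}

# True when zone "$2" in UCI text "$1" no longer emits ICMP errors,
# i.e. its input policy is DROP.
is_mitigated() {
	[ "$(zone_input_policy "$1" "$2")" = "DROP" ]
}

# On an OpenWrt device the same change is made through uci (real uci
# commands; the sed pattern picks every zone section named "wan"), and
# the firewall is reloaded so the new policy takes effect immediately.
apply_mitigation_with_uci() {
	for zone in $(uci show firewall | sed -n "s/^firewall\.\(@zone\[[0-9]*\]\)\.name='\{0,1\}wan'\{0,1\}$/\1/p"); do
		uci set "firewall.$zone.input=DROP"
	done
	uci commit firewall
	/etc/init.d/firewall reload
}

HARDENED_WAN_ZONE=$(set_zone_input_policy "$WEAK_WAN_ZONE" wan DROP)

printf 'before: wan input=%s\n' "$(zone_input_policy "$WEAK_WAN_ZONE" wan)"
printf 'after:  wan input=%s\n' "$(zone_input_policy "$HARDENED_WAN_ZONE" wan)"

# Only touch a live device when explicitly asked and uci is present.
if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
	apply_mitigation_with_uci
fi
```

Run it with `--apply` on a device to perform the change; without arguments it only shows the before/after policy on the constructed zone.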


CREDITS AND REFERENCES

The issue was disclosed by Keyu Man et al. from the University of
California as the “SAD DNS” attack.

https://www.saddns.net/
Fix in Linux kernel: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b38e7819cae946e2edf869e604af1e65a5d241c5
CVE description at NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-25705
CVE description at Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25705





Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-10 Thread Eneas U de Queiroz
Hi Petr

On Thu, Dec 10, 2020 at 12:57 PM Petr Štetiar  wrote:
> > After tackling BIO_free, my suggestion would be to determine where the
> > method table variable should go, and where to call BIO_meth_new and
> > BIO_meth_free.  I would add it to a defined struct
> > ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and
>
> IIRC I've tried that approach already(this WIP solution is like 3rd
> iteration), but that struct is opaque.

I meant the ustream_ssl_ctx structure, which is a ustream internal
structure.  For openssl, we're just using a straight cast to
openssl's SSL_CTX struct, so that's why it is opaque, while for
mbedtls, it is a defined struct.  What I meant was to actually define
a ustream_ssl_ctx structure for openssl, just as ustream-mbedtls does,
with the BIO_methods and the SSL_CTX as members.

> > would create and free the object in __ustream_ssl_context_new and
> > __ustream_ssl_context_free, which would give it a possibly larger
> > lifetime than the ssl_session or the BIO object.
>
> AFAIK that's exactly what I'm doing in my current solution.

You're doing it at the SSL struct.  You can have multiple SSL structs
under the same SSL_CTX struct. In a server, for example, you will
have one SSL_CTX object, which accepts connections, creating a new SSL
structure for each connection.  You know I'm just madly fighting for
every CPU cycle of performance optimization I can get. ;-)

If you look at it from an organization and tidiness POV, you can argue
that the BIO methods structure should be placed along with the BIO,
which is with the SSL structure.  I'll let you pick your side.

> > We should coordinate efforts.  You're the boss, so tell me what you want me
> > to do, if anything.
>
> I didn't want to sound like the boss and I apologize if that was the case,
> sorry.

I apologize for the bad choice of words.  Someone has to take the
lead, and that was a rather ill-fated attempt to make it clear that I
would follow your lead, and had nothing to do with your tone or
anything you had done.

> I've just sent out some patches for uclient/ustream-ssl, so I would be
> grateful if you could review and test those changes on your device(s), ideally
> on all three SSL libs and client/server setup. Thanks!

I'll do that over the weekend.  I'm updating openssl to 1.1.1i, which
fixes high severity CVE-2020-1971.  I haven't sent it yet because I
want to test it first, and I'm low on testing resources right now.
I'll probably test openssl tonight, then tackle ustream-ssl.

Cheers,

Eneas



Re: [PATCH] Revert "build: switch VERSION_REPO to HTTPS"

2020-12-10 Thread Petr Štetiar
Paul Spooren  [2020-11-25 08:52:30]:

Hi,

> Until somebody jumps on ustream-ssl and fixes the WolfSSL
> implementation, we should consider to disable it.

FYI I've just posted what are hopefully fixes for those issue(s):

 uclient https://patchwork.ozlabs.org/project/openwrt/list/?series=219813
 ustream-ssl https://patchwork.ozlabs.org/project/openwrt/list/?series=219811

The updated packages are available in my staging tree[1]. Please let me know
if there is anything else preventing marking this patch as 'Not applicable'.
Thanks!

1. https://git.openwrt.org/?p=openwrt/staging/ynezz.git;a=shortlog;h=refs/heads/staging

Cheers,

Petr



Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-10 Thread Petr Štetiar
Eneas U de Queiroz  [2020-12-10 11:29:36]:

Hi,

> access that memory after we free it.  This would be after we call
> BIO_free.  The thing is, we aren't making that call. so we are leaking
> that resource as well. 

IIRC this is solved by OpenSSL internal reference counting and executed in
SSL_free() or SSL_shutdown().

> After tackling BIO_free, my suggestion would be to determine where the
> method table variable should go, and where to call BIO_meth_new and
> BIO_meth_free.  I would add it to a defined struct
> ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and

IIRC I've tried that approach already(this WIP solution is like 3rd
iteration), but that struct is opaque.

> would create and free the object in __ustream_ssl_context_new and
> __ustream_ssl_context_free, which would give it a possibly larger
> lifetime than the ssl_session or the BIO object.

AFAIK that's exactly what I'm doing in my current solution.

> We should coordinate efforts.  You're the boss, so tell me what you want me
> to do, if anything.

I didn't want to sound like the boss and I apologize if that was the case,
sorry.

I've just sent out some patches for uclient/ustream-ssl, so I would be
grateful if you could review and test those changes on your device(s), ideally
on all three SSL libs and client/server setup. Thanks!

Cheers,

Petr



[PATCH uclient 12/12] Add initial GitLab CI support

2020-12-10 Thread Petr Štetiar
Uses the currently proof-of-concept openwrt-ci[1] in order to:

 * improve the quality of the codebase in various areas
 * decrease code review time and help merging contributions faster
 * get automagic feedback loop on various platforms and tools
   - out of tree build with OpenWrt SDK on following targets:
 * ath79-generic
 * imx6-generic
 * malta-be
 * mvebu-cortexa53
   - out of tree native build on x86/64 with GCC (versions 8, 9, 10) and Clang 10
   - out of tree native x86/64 static code analysis with cppcheck and
     scan-build from Clang 10

1. https://gitlab.com/ynezz/openwrt-ci/

Signed-off-by: Petr Štetiar 
---
 .gitlab-ci.yml | 7 +++
 1 file changed, 7 insertions(+)
 create mode 100644 .gitlab-ci.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index ..94befcee491e
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,7 @@
+variables:
+  CI_ENABLE_UNIT_TESTING: 1
+  CI_TARGET_BUILD_DEPENDS: uclient
+
+include:
+  - remote: 
https://gitlab.com/ynezz/openwrt-ci/raw/master/openwrt-ci/gitlab/main.yml
+  - remote: 
https://gitlab.com/ynezz/openwrt-ci/raw/master/openwrt-ci/gitlab/pipeline.yml
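Review bot: both `include: remote:` entries pull the pipeline definition from `raw/master` of an external repository, so whoever can push to that branch controls what this project's CI runs, and changes there alter builds here without any commit in this tree; pinning the include to a tag or commit hash, or vendoring the two files, keeps the CI definition reviewable.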



[PATCH uclient 11/12] uclient-fetch: wolfSSL: fix certificate validation

2020-12-10 Thread Petr Štetiar
Currently wolfSSL doesn't validate any certificates, quoting from
README:

 wolfSSL takes a different approach to certificate verification than
 OpenSSL does. The default policy for the client is to verify the server,
 this means that if you don't load CAs to verify the server you'll get a
 connect error, no signer error to confirm failure (-188).

 If you want to mimic OpenSSL behavior of having SSL_connect succeed even if
 verifying the server fails and reducing security you can do this by calling:

 wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

 before calling wolfSSL_new();. Though it's not recommended.

wolfSSL simply behaves differently than OpenSSL, so once you set
SSL_VERIFY_NONE wolfSSL doesn't care about the certificates anymore, so
every call to SSL_get_verify_result() is going to succeed (returns
X509_V_OK) even for invalid certificates, and the current OpenSSL-based post
connection verification logic thus doesn't work.

So in order to get the validation working we need to use SSL_VERIFY_PEER
for wolfSSL by default and allow disabling it explicitly by new
`context_set_require_validation()` call.

Fixes: FS#3465
Signed-off-by: Petr Štetiar 
---
 uclient-fetch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index bbf5eec58d71..958f75618194 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -591,6 +591,8 @@ int main(int argc, char **argv)
switch (longopt_idx) {
case L_NO_CHECK_CERTIFICATE:
verify = false;
+   if (ssl_ctx)
+   
ssl_ops->context_set_require_validation(ssl_ctx, verify);
break;
case L_CA_CERTIFICATE:
has_cert = true;
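Review bot: `ssl_ops->context_set_require_validation(ssl_ctx, verify)` is only reached when `ssl_ctx` already exists while the options are being parsed; make sure the same `verify` value is also applied wherever the context is created later, otherwise the effect of `--no-check-certificate` silently depends on argument order. If `ssl_ops` is resolved from the ustream-ssl shared library at runtime, a check that the new operation is present would avoid calling a NULL pointer with an older libustream-ssl.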



[PATCH uclient 02/12] Add basic cram based unit tests

2020-12-10 Thread Petr Štetiar
For the start just basic uclient-fetch functionality coverage.

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt  | 24 -
 tests/CMakeLists.txt|  1 +
 tests/cram/CMakeLists.txt   | 38 ++
 tests/cram/server/lorem | 64 +++
 tests/cram/test-san_uclient-fetch.t | 78 +
 tests/cram/test_uclient-fetch.t | 77 
 6 files changed, 280 insertions(+), 2 deletions(-)
 create mode 100644 tests/CMakeLists.txt
 create mode 100644 tests/cram/CMakeLists.txt
 create mode 100644 tests/cram/server/lorem
 create mode 100644 tests/cram/test-san_uclient-fetch.t
 create mode 100644 tests/cram/test_uclient-fetch.t

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 841bc0f8f17c..c2f1fdb2f662 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,12 +16,32 @@ ELSE(BUILD_STATIC)
   FIND_LIBRARY(ubox_library NAMES ubox)
 ENDIF(BUILD_STATIC)
 
-ADD_LIBRARY(uclient SHARED uclient.c uclient-http.c uclient-utils.c)
+SET(LIB_SOURCES uclient.c uclient-http.c uclient-utils.c)
+ADD_LIBRARY(uclient SHARED ${LIB_SOURCES})
 TARGET_LINK_LIBRARIES(uclient ${ubox_library} dl)
 
-ADD_EXECUTABLE(uclient-fetch uclient-fetch.c progress.c)
+SET(CLI_SOURCES uclient-fetch.c progress.c)
+ADD_EXECUTABLE(uclient-fetch ${CLI_SOURCES})
 TARGET_LINK_LIBRARIES(uclient-fetch uclient)
 
+IF(UNIT_TESTING)
+  ADD_DEFINITIONS(-DUNIT_TESTING)
+  ENABLE_TESTING()
+  ADD_SUBDIRECTORY(tests)
+
+  IF(CMAKE_C_COMPILER_ID STREQUAL "Clang")
+ADD_LIBRARY(uclient-san SHARED ${LIB_SOURCES})
+TARGET_COMPILE_OPTIONS(uclient-san PRIVATE -g -fno-omit-frame-pointer 
-fsanitize=undefined,address,leak -fno-sanitize-recover=all)
+TARGET_LINK_OPTIONS(uclient-san PRIVATE -fsanitize=undefined,address,leak)
+TARGET_LINK_LIBRARIES(uclient-san ${ubox_library} dl)
+
+   ADD_EXECUTABLE(uclient-fetch-san ${CLI_SOURCES})
+TARGET_COMPILE_OPTIONS(uclient-fetch-san PRIVATE -g 
-fno-omit-frame-pointer -fsanitize=undefined,address,leak 
-fno-sanitize-recover=all)
+TARGET_LINK_OPTIONS(uclient-fetch-san PRIVATE 
-fsanitize=undefined,address,leak)
+TARGET_LINK_LIBRARIES(uclient-fetch-san uclient-san ${ubox_library} dl)
+  ENDIF()
+ENDIF()
+
 INSTALL(FILES uclient.h uclient-utils.h
DESTINATION include/libubox
 )
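Review bot: `TARGET_LINK_OPTIONS` requires CMake 3.13 or newer, so check that `cmake_minimum_required` in this file allows it; the `-fsanitize=undefined,address,leak -fno-sanitize-recover=all` list is repeated for both sanitizer targets and would be easier to keep in sync as one variable. Style: the `ADD_EXECUTABLE(uclient-fetch-san ...)` line is indented with a tab while the surrounding lines use spaces.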
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
new file mode 100644
index ..3d339b1ebc53
--- /dev/null
+++ b/tests/CMakeLists.txt
@@ -0,0 +1 @@
+ADD_SUBDIRECTORY(cram)
diff --git a/tests/cram/CMakeLists.txt b/tests/cram/CMakeLists.txt
new file mode 100644
index ..ba75802ae21c
--- /dev/null
+++ b/tests/cram/CMakeLists.txt
@@ -0,0 +1,38 @@
+FIND_PACKAGE(PythonInterp 3 REQUIRED)
+FILE(GLOB test_cases "test_*.t")
+
+IF(CMAKE_C_COMPILER_ID STREQUAL "Clang")
+  FILE(GLOB test_cases_san "test-san_*.t")
+ENDIF()
+
+SET(PYTHON_VENV_DIR "${CMAKE_CURRENT_BINARY_DIR}/.venv")
+SET(PYTHON_VENV_PIP "${PYTHON_VENV_DIR}/bin/pip")
+SET(PYTHON_VENV_CRAM "${PYTHON_VENV_DIR}/bin/cram")
+
+ADD_CUSTOM_COMMAND(
+   OUTPUT ${PYTHON_VENV_CRAM}
+   COMMAND ${PYTHON_EXECUTABLE} -m venv ${PYTHON_VENV_DIR}
+   COMMAND ${PYTHON_VENV_PIP} install cram
+)
+ADD_CUSTOM_TARGET(prepare-cram-venv ALL DEPENDS ${PYTHON_VENV_CRAM})
+
+ADD_CUSTOM_TARGET(
+   http-server-kill ALL
+   COMMAND pkill --full -9 "${PYTHON_VENV_DIR}/bin/python3 -m http.server 
1922 --bind 127.0.0.1" > /dev/null 2>&1 || true
+   DEPENDS ${PYTHON_VENV_CRAM}
+)
+
+ADD_CUSTOM_TARGET(
+   http-server ALL
+   COMMAND ${PYTHON_VENV_DIR}/bin/python3 -m http.server 1922 --bind 
127.0.0.1 > /dev/null 2>&1 &
+   WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/server
+   DEPENDS http-server-kill
+)
+
+ADD_TEST(
+   NAME cram
+   COMMAND ${PYTHON_VENV_CRAM} ${test_cases} ${test_cases_san}
+   WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+)
+
+SET_PROPERTY(TEST cram APPEND PROPERTY ENVIRONMENT 
"BUILD_BIN_DIR=$")
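Review bot: `${PYTHON_VENV_PIP} install cram` fetches an unpinned package from PyPI during every fresh build, which makes the test run depend on network access and on whatever PyPI serves at that moment; pin the version (ideally with a hash) or skip the venv step when `cram` is already installed. The `http-server` and `http-server-kill` targets are `ALL`, so a plain build starts a background server on fixed port 1922 and `pkill`s by command line even when no tests are requested; tying them to the `cram` test as a fixture would avoid that.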
diff --git a/tests/cram/server/lorem b/tests/cram/server/lorem
new file mode 100644
index ..133af11d18f8
--- /dev/null
+++ b/tests/cram/server/lorem
@@ -0,0 +1,64 @@
+Lorem ipsum dolor sit amet, consectetur adipiscing elit. Maecenas accumsan dui
+diam, sit amet vehicula nisl tincidunt non. Duis orci urna, luctus porttitor
+viverra non, interdum id erat. Vivamus in tortor eu augue dignissim imperdiet
+vitae ut ligula. Nunc luctus arcu viverra dolor commodo, et pellentesque
+lectus convallis. Donec molestie gravida venenatis. Curabitur vitae nulla at
+nisi ullamcorper sagittis vitae eget arcu. Sed elementum neque metus, in
+sollicitudin lorem vestibulum sed. Etiam non leo id eros ultrices hendrerit.
+
+Etiam sed luctus lacus. Fusce congue quam varius, cursus enim id, varius
+tellus. Suspendisse at mauris blandit, tempor urna non, pharetra tortor. In
+laoreet turpis a sollicitudin auctor. Duis semper diam mi, at mollis dolor
+tristique a. Sed sed mauris diam. Curabitur vel eleifend 

[PATCH uclient 10/12] uclient-fetch: init_ca_cert: fix memory leak

2020-12-10 Thread Petr Štetiar
Fixes following memory leak:

 $ valgrind --quiet --leak-check=full uclient-fetch -q 
http://127.0.0.1:1922/does-not-exist

  51 (16 direct, 35 indirect) bytes in 1 blocks are definitely lost in loss 
record 4 of 9
   at 0x4C31A3F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x4C33D84: realloc (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
   by 0x553C7DF: glob_in_dir (glob.c:1410)
   by 0x553D5E8: glob@@GLIBC_2.27 (glob.c:1097)
   by 0x401D62: init_ca_cert (uclient-fetch.c:503)
   by 0x401D62: main (uclient-fetch.c:741)

Signed-off-by: Petr Štetiar 
---
 uclient-fetch.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index 1c66ac6d33ae..bbf5eec58d71 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -503,6 +503,7 @@ static void init_ca_cert(void)
glob("/etc/ssl/certs/*.crt", 0, NULL, );
for (i = 0; i < gl.gl_pathc; i++)
ssl_ops->context_add_ca_crt_file(ssl_ctx, gl.gl_pathv[i]);
+   globfree();
 }
 
 static void init_ustream_ssl(void)
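Review bot: the leak fix is right, but the return value of `glob()` in the context line above is still ignored, so an empty or missing /etc/ssl/certs silently yields an SSL context with no CA certificates; checking the result (GLOB_NOMATCH versus a real error) and logging it would make a later certificate validation failure easier to diagnose.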



[PATCH uclient 03/12] Fix extra compiler warnings

2020-12-10 Thread Petr Štetiar
Fixes following -Wextra compiler warnings:

 uclient.c:195:16: error: comparison of integers of different signs: 'int' and 
'unsigned long' [-Werror,-Wsign-compare]
 for (i = 0; i < ARRAY_SIZE(backends); i++) {
 ~ ^ 

 uclient-http.c:619:2: error: comparison of integers of different signs: 
'size_t' (aka 'unsigned long') and 'int' [-Werror,-Wsign-compare]
 blobmsg_for_each_attr(cur, uh->headers.head, rem)
 ^

 uclient-http.c:619:2: error: comparison of integers of different signs: 'int' 
and 'unsigned long' [-Werror,-Wsign-compare]
 blobmsg_for_each_attr(cur, uh->headers.head, rem)
 ^

 uclient-http.c:993:16: error: comparison of integers of different signs: 'int' 
and 'unsigned long' [-Werror,-Wsign-compare]
 for (i = 0; i < ARRAY_SIZE(request_types); i++) {
 ~ ^ ~

 uclient.c:195:16: error: comparison of integers of different signs: 'int' and 
'unsigned long' [-Werror,-Wsign-compare]
 for (i = 0; i < ARRAY_SIZE(backends); i++) {
 ~ ^ 

 uclient-http.c:619:2: error: comparison of integers of different signs: 
'size_t' (aka 'unsigned long') and 'int' [-Werror,-Wsign-compare]
 blobmsg_for_each_attr(cur, uh->headers.head, rem)
 ^

 uclient-http.c:619:2: error: comparison of integers of different signs: 'int' 
and 'unsigned long' [-Werror,-Wsign-compare]
 blobmsg_for_each_attr(cur, uh->headers.head, rem)
 ^

 uclient-http.c:993:16: error: comparison of integers of different signs: 'int' 
and 'unsigned long' [-Werror,-Wsign-compare]
 for (i = 0; i < ARRAY_SIZE(request_types); i++) {
 ~ ^ ~

 uclient-fetch.c:551:67: error: missing field 'flag' initializer 
[-Werror,-Wmissing-field-initializers]
 [L_NO_CHECK_CERTIFICATE] = { "no-check-certificate", no_argument },

Signed-off-by: Petr Štetiar 
---
 uclient-fetch.c | 30 +++---
 uclient-http.c  |  5 +++--
 uclient.c   |  2 +-
 3 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index 061f0fd4f808..5f7ac6200bb8 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -497,7 +497,7 @@ static int usage(const char *progname)
 static void init_ca_cert(void)
 {
glob_t gl;
-   int i;
+   unsigned int i;
 
glob("/etc/ssl/certs/*.crt", 0, NULL, );
for (i = 0; i < gl.gl_pathc; i++)
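Review bot: `gl.gl_pathc` is a `size_t`, so declaring `i` as `size_t` rather than `unsigned int` matches the type exactly and avoids a truncated loop index on platforms where `size_t` is wider than `unsigned int`.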
@@ -548,20 +548,20 @@ enum {
 };
 
 static const struct option longopts[] = {
-   [L_NO_CHECK_CERTIFICATE] = { "no-check-certificate", no_argument },
-   [L_CA_CERTIFICATE] = { "ca-certificate", required_argument },
-   [L_CIPHERS] = { "ciphers", required_argument },
-   [L_USER] = { "user", required_argument },
-   [L_PASSWORD] = { "password", required_argument },
-   [L_USER_AGENT] = { "user-agent", required_argument },
-   [L_POST_DATA] = { "post-data", required_argument },
-   [L_POST_FILE] = { "post-file", required_argument },
-   [L_SPIDER] = { "spider", no_argument },
-   [L_TIMEOUT] = { "timeout", required_argument },
-   [L_CONTINUE] = { "continue", no_argument },
-   [L_PROXY] = { "proxy", required_argument },
-   [L_NO_PROXY] = { "no-proxy", no_argument },
-   [L_QUIET] = { "quiet", no_argument },
+   [L_NO_CHECK_CERTIFICATE] = { "no-check-certificate", no_argument, NULL, 
0 },
+   [L_CA_CERTIFICATE] = { "ca-certificate", required_argument, NULL, 0 },
+   [L_CIPHERS] = { "ciphers", required_argument, NULL, 0 },
+   [L_USER] = { "user", required_argument, NULL, 0 },
+   [L_PASSWORD] = { "password", required_argument, NULL, 0 },
+   [L_USER_AGENT] = { "user-agent", required_argument, NULL, 0 },
+   [L_POST_DATA] = { "post-data", required_argument, NULL, 0 },
+   [L_POST_FILE] = { "post-file", required_argument, NULL, 0 },
+   [L_SPIDER] = { "spider", no_argument, NULL, 0 },
+   [L_TIMEOUT] = { "timeout", required_argument, NULL, 0 },
+   [L_CONTINUE] = { "continue", no_argument, NULL, 0 },
+   [L_PROXY] = { "proxy", required_argument, NULL, 0 },
+   [L_NO_PROXY] = { "no-proxy", no_argument, NULL, 0 },
+   [L_QUIET] = { "quiet", no_argument, NULL, 0 },
{}
 };
 
diff --git a/uclient-http.c b/uclient-http.c
index c1f722878df7..279669620ebe 100644
--- a/uclient-http.c
+++ b/uclient-http.c
@@ -596,7 +596,8 @@ uclient_http_send_headers(struct uclient_http *uh)
struct blob_attr *cur;
enum request_type req_type = uh->req_type;
bool literal_ipv6;
-   int err, rem;
+   int err;
+   size_t rem;
 
if (uh->state >= HTTP_STATE_HEADERS_SENT)
return 0;
@@ -982,7 +983,7 

[PATCH uclient 09/12] cmake: enable extra compiler checks

2020-12-10 Thread Petr Štetiar
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index c2f1fdb2f662..74031bb8ef57 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,7 +3,12 @@ cmake_minimum_required(VERSION 2.6)
 INCLUDE(CheckIncludeFiles)
 
 PROJECT(uclient C)
-ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
+ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3)
+IF(CMAKE_C_COMPILER_VERSION VERSION_GREATER 6)
+ADD_DEFINITIONS(-Wextra -Werror=implicit-function-declaration)
+ADD_DEFINITIONS(-Wformat -Werror=format-security 
-Werror=format-nonliteral)
+ENDIF()
+ADD_DEFINITIONS(-Wno-unused-parameter -Wmissing-declarations)
 
 SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
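Review bot: `IF(CMAKE_C_COMPILER_VERSION VERSION_GREATER 6)` gates on whichever compiler is active, and clang and GCC version numbers are unrelated, so `-Werror=implicit-function-declaration`, `-Werror=format-security` and `-Werror=format-nonliteral` are silently dropped on an older clang even though all three flags predate GCC 7 by years. Probe each flag instead of using a version cut-off, e.g. `INCLUDE(CheckCCompilerFlag)` and `CHECK_C_COMPILER_FLAG(-Werror=format-security HAVE_WERROR_FORMAT_SECURITY)`, and keep `-Wno-unused-parameter` after `-Wextra` as done here so it overrides the warning -Wextra enables.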
 

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[PATCH uclient 08/12] uclient-http: fix extra compiler warnings on mips_24kc and cortex-a9+neon

2020-12-10 Thread Petr Štetiar
Fixes following warnings as reported on 32-bit platforms
toolchain-mips_24kc_gcc-8.4.0_musl and 
toolchain-arm_cortex-a9+neon_gcc-8.4.0_musl_eabi:

 uclient-http.c::10: error: comparison of integer expressions of different 
signedness: 'unsigned int' and 'int' [-Werror=sign-compare]
   if (len > data_end - data)
   ^
 uclient-http.c:1115:11: error: comparison of integer expressions of different 
signedness: 'unsigned int' and 'long int' [-Werror=sign-compare]
if (len > uh->read_chunked)
^
 uclient-http.c:1120:11: error: comparison of integer expressions of different 
signedness: 'unsigned int' and 'long int' [-Werror=sign-compare]
if (len > uh->content_length)
^

References: https://gitlab.com/ynezz/openwrt-uclient/-/pipelines/226912126
Signed-off-by: Petr Štetiar 
---
 uclient-http.c | 9 +
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/uclient-http.c b/uclient-http.c
index 7eb469221d7f..349e69cdd4ae 100644
--- a/uclient-http.c
+++ b/uclient-http.c
@@ -1108,16 +1108,17 @@ uclient_http_read(struct uclient *cl, char *buf, 
unsigned int len)
}
}
 
-   if (len > data_end - data)
-   len = data_end - data;
+   unsigned int diff = data_end - data;
+   if (len > diff)
+   len = diff;
 
if (uh->read_chunked >= 0) {
-   if (len > uh->read_chunked)
+   if (len > (unsigned long) uh->read_chunked)
len = uh->read_chunked;
 
uh->read_chunked -= len;
} else if (uh->content_length >= 0) {
-   if (len > uh->content_length)
+   if (len > (unsigned long) uh->content_length)
len = uh->content_length;
 
uh->content_length -= len;
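Review bot: `unsigned int diff = data_end - data;` only moves the signedness problem: if `data` ever sits past `data_end`, the negative ptrdiff_t wraps to a value near UINT_MAX, `if (len > diff)` is false and `len` is not clamped at all, which is exactly the case a clamp exists for. Keep the difference signed and reject the inverted window explicitly, e.g. `ptrdiff_t avail = data_end - data; if (avail <= 0) return 0;` before the comparison. The `(unsigned long) uh->read_chunked` and `(unsigned long) uh->content_length` casts are safe only because of the `>= 0` guards directly above them; a comment tying each cast to its guard would stop someone reordering them later. Declaring `diff` after statements mid-block is legal under gnu99 but is not the style of the surrounding code.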

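The sign-compare warnings above come from clamping an unsigned read length against signed quantities. The C program below is an added example, not uclient code: it mirrors the two clamp shapes the patch ends up with (an `unsigned int` pointer difference, and a signed `long` counter guarded by `>= 0`) using a constructed 16-byte window, and shows that the unsigned-difference form silently skips the clamp when the window is inverted, while a `ptrdiff_t` check rejects it. Function names and the window are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 16-byte receive window standing in for the HTTP parse buffer. */
static char sample_window[16];

/* Shape used by the patched uclient_http_read(): the bytes left in the window
 * are computed as a pointer difference and stored in an unsigned int before
 * the comparison. This silences -Wsign-compare, but an inverted window (data
 * past data_end) wraps to a value near UINT_MAX and the clamp is skipped. */
static unsigned int clamp_unsigned_diff(unsigned int len, const char *data,
                                        const char *data_end)
{
	unsigned int diff = data_end - data;

	if (len > diff)
		len = diff;

	return len;
}

/* Guarded variant: keep the difference signed, treat an empty or inverted
 * window as "nothing readable", and only then compare in a common width. */
static unsigned int clamp_checked(unsigned int len, const char *data,
                                  const char *data_end)
{
	ptrdiff_t avail = data_end - data;

	if (avail <= 0)
		return 0;
	if ((uintmax_t)len > (uintmax_t)avail)
		len = (unsigned int)avail;

	return len;
}

/* Shape used for read_chunked / content_length in the same hunk: the counter
 * is a signed long where a negative value means "unknown", so the >= 0 guard
 * must stay in front of the cast to unsigned. */
static unsigned int clamp_to_counter(unsigned int len, long remaining)
{
	if (remaining >= 0 && len > (unsigned long)remaining)
		len = (unsigned int)remaining;

	return len;
}

int main(void)
{
	const char *start = sample_window;
	const char *end = sample_window + 4;

	printf("window ok:       %u\n", clamp_unsigned_diff(100, start, end));
	printf("window inverted: %u (unsigned diff, clamp skipped)\n",
	       clamp_unsigned_diff(100, end, start));
	printf("window inverted: %u (checked)\n", clamp_checked(100, end, start));
	printf("chunk left 5:    %u\n", clamp_to_counter(100, 5));
	printf("chunk unknown:   %u\n", clamp_to_counter(100, -1));
	return 0;
}
```

The second line of output is the one the warning is really about: with the unsigned difference, an inverted window returns the caller's full length instead of zero, and nothing downstream would notice.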


[PATCH uclient 05/12] uclient-fetch: fix statement may fall through

2020-12-10 Thread Petr Štetiar
Fixes following issue reported by clang-12 static analyzer:

 uclient-fetch.c:228:6: error: this statement may fall through 
[-Werror=implicit-fallthrough=]
if (sscanf(blobmsg_get_string(tb[H_RANGE]),
   ^
 uclient-fetch.c:236:2: note: here
   case 204:
   ^~~~

Signed-off-by: Petr Štetiar 
---
 uclient-fetch.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index 5f7ac6200bb8..0c7a1232f256 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -233,6 +233,7 @@ static void header_done_cb(struct uclient *cl)
error_ret = 8;
break;
}
+   /* fall through */
case 204:
case 200:
if (no_output)
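Review bot: `/* fall through */` is recognised by GCC's -Wimplicit-fallthrough (the `-Werror=implicit-fallthrough=` spelling quoted in the message is GCC's), but clang ignores comments and only accepts `__attribute__((fallthrough));`, so once the clang-based CI added at the end of this series enables the same warning this site will be flagged again. Using the attribute, guarded by `__has_attribute(fallthrough)` for older compilers, covers both.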



[PATCH uclient 07/12] uclient-fetch: fix potential memory leaks

2020-12-10 Thread Petr Štetiar
Fixes following issue reported by clang-12 static analyzer:

 uclient-fetch.c:612:25: warning: Potential leak of memory pointed to by 
'username' [unix.Malloc]
 memset(optarg, '*', strlen(optarg));
 ^~
 uclient-fetch.c:618:25: warning: Potential leak of memory pointed to by 
'password' [unix.Malloc]
 memset(optarg, '*', strlen(optarg));
 ^~

Signed-off-by: Petr Štetiar 
---
 uclient-fetch.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/uclient-fetch.c b/uclient-fetch.c
index 0c7a1232f256..1c66ac6d33ae 100644
--- a/uclient-fetch.c
+++ b/uclient-fetch.c
@@ -608,13 +608,13 @@ int main(int argc, char **argv)
case L_USER:
if (!strlen(optarg))
break;
-   username = strdup(optarg);
+   username = strdupa(optarg);
memset(optarg, '*', strlen(optarg));
break;
case L_PASSWORD:
if (!strlen(optarg))
break;
-   password = strdup(optarg);
+   password = strdupa(optarg);
memset(optarg, '*', strlen(optarg));
break;
case L_USER_AGENT:
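Review bot: `strdupa()` is a GNU extension (a macro around alloca in glibc and musl, visible only with _GNU_SOURCE), and because it allocates in main()'s frame inside the option loop, every repeated `--user`/`--password` on the command line leaves another copy on the stack; the `strdup()` it replaces was only "leaked" at process exit. If the goal is a clean analyzer run, `free(username); free(password);` at the end of main() is the portable fix. Separately, the `memset(optarg, '*', strlen(optarg))` scrub narrows but does not close the window in which the password is readable from /proc/<pid>/cmdline, so passing secrets on the command line should still be documented as unsafe on shared hosts.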



[PATCH uclient 06/12] uclient: fix initialized but never read variable

2020-12-10 Thread Petr Štetiar
Fixes following issue reported by clang-12 static analyzer:

 uclient.c:290:22: warning: Value stored to 'url' during its initialization is 
never read [deadcode.DeadStores]
 struct uclient_url *url = cl->url;
 ^~~   ~~~

Signed-off-by: Petr Štetiar 
---
 uclient.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uclient.c b/uclient.c
index 95e4585a61cf..a372d4a9dcbf 100644
--- a/uclient.c
+++ b/uclient.c
@@ -287,7 +287,7 @@ int uclient_set_proxy_url(struct uclient *cl, const char 
*url_str, const char *a
 int uclient_set_url(struct uclient *cl, const char *url_str, const char 
*auth_str)
 {
const struct uclient_backend *backend = cl->backend;
-   struct uclient_url *url = cl->url;
+   struct uclient_url *url;
 
url = uclient_get_url(url_str, auth_str);
if (!url)



[PATCH uclient 00/12] fixes, improvements and CI

2020-12-10 Thread Petr Štetiar
Hi,

this series should fix certificate verification in mbedTLS and wolfSSL, like
for example FS#3465, a few issues spotted by Valgrind and the clang-12 static code
analyzer, and adds basic cram based unit tests which should be executed on
GitLab CI.

You can find the packages ready for testing in my staging tree:

 
https://git.openwrt.org/?p=openwrt/staging/ynezz.git;a=shortlog;h=refs/heads/staging

Please note that you also need the ustream-ssl update I've sent in the previous
series, and you might also need other wolfSSL updates by Eneas found in
that staging tree.

Cheers,

Petr


Petr Štetiar (12):
  cmake: fix building out of the tree
  Add basic cram based unit tests
  Fix extra compiler warnings
  uclient-http: fix freeing of stack allocated memory
  uclient-fetch: fix statement may fall through
  uclient: fix initialized but never read variable
  uclient-fetch: fix potential memory leaks
  uclient-http: fix extra compiler warnings on mips_24kc and
cortex-a9+neon
  cmake: enable extra compiler checks
  uclient-fetch: init_ca_cert: fix memory leak
  uclient-fetch: wolfSSL: fix certificate validation
  Add initial GitLab CI support

 .gitlab-ci.yml  |  7 +++
 CMakeLists.txt  | 39 +--
 tests/CMakeLists.txt|  1 +
 tests/cram/CMakeLists.txt   | 38 ++
 tests/cram/server/lorem | 64 +++
 tests/cram/test-san_uclient-fetch.t | 78 +
 tests/cram/test_uclient-fetch.t | 77 
 uclient-fetch.c | 38 +++---
 uclient-http.c  | 26 +-
 uclient.c   |  4 +-
 10 files changed, 336 insertions(+), 36 deletions(-)
 create mode 100644 .gitlab-ci.yml
 create mode 100644 tests/CMakeLists.txt
 create mode 100644 tests/cram/CMakeLists.txt
 create mode 100644 tests/cram/server/lorem
 create mode 100644 tests/cram/test-san_uclient-fetch.t
 create mode 100644 tests/cram/test_uclient-fetch.t




[PATCH uclient 01/12] cmake: fix building out of the tree

2020-12-10 Thread Petr Štetiar
When building out of the tree, the linker is unable to find the ubox library,
so fix it by using the find_library CMake command.

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 072afef92479..841bc0f8f17c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,8 +10,14 @@ SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
 FIND_PATH(ubox_include_dir libubox/ustream-ssl.h)
 INCLUDE_DIRECTORIES(${ubox_include_dir})
 
+IF(BUILD_STATIC)
+  FIND_LIBRARY(ubox_library NAMES ubox.a)
+ELSE(BUILD_STATIC)
+  FIND_LIBRARY(ubox_library NAMES ubox)
+ENDIF(BUILD_STATIC)
+
 ADD_LIBRARY(uclient SHARED uclient.c uclient-http.c uclient-utils.c)
-TARGET_LINK_LIBRARIES(uclient ubox dl)
+TARGET_LINK_LIBRARIES(uclient ${ubox_library} dl)
 
 ADD_EXECUTABLE(uclient-fetch uclient-fetch.c progress.c)
 TARGET_LINK_LIBRARIES(uclient-fetch uclient)
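Review bot: `ubox_library` is never checked after `FIND_LIBRARY`; a NOTFOUND result only surfaces as a generate-time error on `TARGET_LINK_LIBRARIES(uclient ${ubox_library} dl)` rather than a clear message. Add `IF(NOT ubox_library) MESSAGE(FATAL_ERROR "libubox not found") ENDIF()` after the IF/ELSE block (FIND_LIBRARY's REQUIRED keyword needs CMake 3.18, well above the 2.6 minimum declared in this file). Also worth a quick check on the target toolchain that `NAMES ubox.a` actually resolves `libubox.a`, since CMake tries raw and lib-prefixed names in a defined order and the static branch is the one that would fail quietly.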



[PATCH uclient 04/12] uclient-http: fix freeing of stack allocated memory

2020-12-10 Thread Petr Štetiar
Fixes following issue reported by clang-12 static analyzer:

 uclient-http.c:568:2: warning: Memory allocated by alloca() should not be 
deallocated [unix.Malloc]
 free(buf_orig);
 ^~

Signed-off-by: Petr Štetiar 
---
 uclient-http.c | 12 +---
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/uclient-http.c b/uclient-http.c
index 279669620ebe..7eb469221d7f 100644
--- a/uclient-http.c
+++ b/uclient-http.c
@@ -441,7 +441,7 @@ uclient_http_add_auth_digest(struct uclient_http *uh)
struct uclient_url *url = uh->uc.url;
const char *realm = NULL, *opaque = NULL;
const char *user, *password;
-   char *buf, *next, *buf_orig;
+   char *buf, *next;
int len, ofs;
int err = 0;
 
@@ -471,7 +471,7 @@ uclient_http_add_auth_digest(struct uclient_http *uh)
strcpy(buf, uh->auth_str);
 
/* skip auth type */
-   buf_orig = strsep(, " ");
+   strsep(, " ");
 
next = buf;
while (*next) {
@@ -507,7 +507,7 @@ uclient_http_add_auth_digest(struct uclient_http *uh)
 
if (!realm || !data.qop || !data.nonce) {
err = -EINVAL;
-   goto fail_buf;
+   goto fail;
}
 
sprintf(nc_str, "%08x", uh->nc++);
@@ -524,13 +524,13 @@ uclient_http_add_auth_digest(struct uclient_http *uh)
len = password - url->auth;
if (len > 256) {
err = -EINVAL;
-   goto fail_buf;
+   goto fail;
}
 
user_buf = alloca(len + 1);
if (!user_buf) {
err = -ENOMEM;
-   goto fail_buf;
+   goto fail;
}
 
strncpy(user_buf, url->auth, len);
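Review bot: with `fail_buf` gone, the `if (!user_buf) { err = -ENOMEM; goto fail; }` check right above is dead code: alloca() never returns NULL (it faults on stack exhaustion instead), and the real bound is the `len > 256` test before it. Drop the NULL check, or replace alloca with a fixed `char user_buf[257]` now that the size is already capped.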
@@ -564,8 +564,6 @@ uclient_http_add_auth_digest(struct uclient_http *uh)
 
return 0;
 
-fail_buf:
-   free(buf_orig);
 fail:
return err;
 }



[PATCH ustream-ssl 08/12] ustream-openssl: wolfSSL: fix certificate validation

2020-12-10 Thread Petr Štetiar
Currently wolfSSL doesn't validate any certificates, quoting from
README:

 wolfSSL takes a different approach to certificate verification than
 OpenSSL does. The default policy for the client is to verify the server,
 this means that if you don't load CAs to verify the server you'll get a
 connect error, no signer error to confirm failure (-188).

 If you want to mimic OpenSSL behavior of having SSL_connect succeed even if
 verifying the server fails and reducing security you can do this by calling:

  wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);

 before calling wolfSSL_new();. Though it's not recommended.

wolfSSL simply behaves differently than OpenSSL so once you set
SSL_VERIFY_NONE wolfSSL doesn't care about the certificates anymore so
every call to SSL_get_verify_result() is going to succeed (returns
X509_V_OK) even for invalid certificates and current OpenSSL based post
connection verification logic thus doesn't work.

So in order to get the validation working we need to use SSL_VERIFY_PEER
for wolfSSL by default and allow disabling it explicitly by new
`context_set_require_validation()` call. In order to keep the same error
handling/messages via `notify_verify_error()` callback we as well need
to handle certificate errors manually.

Fixes: FS#3465
Signed-off-by: Petr Štetiar 
---
 ustream-internal.h |  1 +
 ustream-openssl.c  | 73 ++
 ustream-ssl.c  |  1 +
 ustream-ssl.h  | 19 +++-
 4 files changed, 86 insertions(+), 8 deletions(-)

diff --git a/ustream-internal.h b/ustream-internal.h
index 147141ab5f05..e80abf827515 100644
--- a/ustream-internal.h
+++ b/ustream-internal.h
@@ -39,6 +39,7 @@ int __ustream_ssl_add_ca_crt_file(struct ustream_ssl_ctx 
*ctx, const char *file)
 int __ustream_ssl_set_crt_file(struct ustream_ssl_ctx *ctx, const char *file);
 int __ustream_ssl_set_key_file(struct ustream_ssl_ctx *ctx, const char *file);
 int __ustream_ssl_set_ciphers(struct ustream_ssl_ctx *ctx, const char 
*ciphers);
+int __ustream_ssl_set_require_validation(struct ustream_ssl_ctx *ctx, bool 
require);
 void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx);
 enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us);
 int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len);
diff --git a/ustream-openssl.c b/ustream-openssl.c
index ad77e721534c..9b4ac6c80894 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -130,7 +130,15 @@ __ustream_ssl_context_new(bool server)
if (!c)
return NULL;
 
+#if defined(HAVE_WOLFSSL)
+   if (server)
+   SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+   else
+   SSL_CTX_set_verify(c, SSL_VERIFY_PEER, NULL);
+#else
SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
+#endif
+
SSL_CTX_set_options(c, SSL_OP_NO_COMPRESSION | SSL_OP_SINGLE_ECDH_USE |
   SSL_OP_CIPHER_SERVER_PREFERENCE);
 #if defined(SSL_CTX_set_ecdh_auto) && OPENSSL_VERSION_NUMBER < 0x1010L
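Review bot: the wolfSSL client context now starts in SSL_VERIFY_PEER, which per the README quoted in the message makes the handshake itself fail when no CA is loaded; a consumer that has not installed ca-certificates and does not call set_require_validation(false) will get a connect error where it previously got a silent success. That is the intended fix, but it is a behaviour change for every ustream-ssl user and deserves a line in the commit message. The `#else` branch keeps SSL_VERIFY_NONE for OpenSSL, so the two backends now detect a bad certificate at different points (during the handshake vs. in the post-connect check), which the verify-error reporting code has to stay consistent with.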
@@ -203,6 +211,18 @@ __hidden int __ustream_ssl_set_ciphers(struct 
ustream_ssl_ctx *ctx, const char *
return 0;
 }
 
+__hidden int __ustream_ssl_set_require_validation(struct ustream_ssl_ctx *ctx, 
bool require)
+{
+   int mode = SSL_VERIFY_PEER;
+
+   if (!require)
+   mode = SSL_VERIFY_NONE;
+
+   SSL_CTX_set_verify((void *) ctx, mode, NULL);
+
+   return 0;
+}
+
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
SSL_CTX_free((void *) ctx);
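Review bot: `__ustream_ssl_set_require_validation()` applies SSL_VERIFY_PEER regardless of the role the context was created with; on a server context that makes the library request a client certificate, which __ustream_ssl_context_new() deliberately avoids. Either refuse `require` on server contexts or record the role in the ctx and keep servers at SSL_VERIFY_NONE. Also, SSL_CTX_set_verify only affects SSL objects created afterwards, so callers must be told the call has to precede ustream_ssl_init().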
@@ -270,6 +290,54 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
X509_free(cert);
 }
 
+#ifdef WOLFSSL_SSL_H
+static bool handle_wolfssl_asn_error(struct ustream_ssl *us, int r)
+{
+   switch (r) {
+   case ASN_PARSE_E:
+   case ASN_VERSION_E:
+   case ASN_GETINT_E:
+   case ASN_RSA_KEY_E:
+   case ASN_OBJECT_ID_E:
+   case ASN_TAG_NULL_E:
+   case ASN_EXPECT_0_E:
+   case ASN_BITSTR_E:
+   case ASN_UNKNOWN_OID_E:
+   case ASN_DATE_SZ_E:
+   case ASN_BEFORE_DATE_E:
+   case ASN_AFTER_DATE_E:
+   case ASN_SIG_OID_E:
+   case ASN_TIME_E:
+   case ASN_INPUT_E:
+   case ASN_SIG_CONFIRM_E:
+   case ASN_SIG_HASH_E:
+   case ASN_SIG_KEY_E:
+   case ASN_DH_KEY_E:
+   case ASN_NTRU_KEY_E:
+   case ASN_CRIT_EXT_E:
+   case ASN_ALT_NAME_E:
+   case ASN_NO_PEM_HEADER:
+   case ASN_ECC_KEY_E:
+   case ASN_NO_SIGNER_E:
+   case ASN_CRL_CONFIRM_E:
+   case ASN_CRL_NO_SIGNER_E:
+   case ASN_OCSP_CONFIRM_E:
+   case ASN_NAME_INVALID_E:
+   case ASN_NO_SKID:
+   case ASN_NO_AKID:
+   case ASN_NO_KEYUSAGE:
+   case ASN_COUNTRY_SIZE_E:
+   case ASN_PATHLEN_SIZE_E:
+   case ASN_PATHLEN_INV_E:
+   case ASN_SELF_SIGNED_E:
+   if (us->notify_verify_error)
+   us->notify_verify_error(us, r, wc_GetErrorString(r));
+   return true;
+   }
+
+
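Review bot: enumerating ASN_* codes by hand means any certificate-related error code wolfSSL adds later, or one missing from this list today, is not reported through notify_verify_error() and falls through to whatever follows the switch. A default that treats every negative code from a failed verification as a verify error (wc_GetErrorString() still supplies the text) is safer than a whitelist; at minimum, add a comment naming the wolfSSL error header the list was copied from so it can be re-synced on library updates.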

[PATCH ustream-ssl 11/12] wolfssl: remove now deprecated compatibility code

2020-12-10 Thread Petr Štetiar
Mainly that NO_X509_CHECK_HOST is causing certificate validation issues
in some setups:

 root@OpenWrt:/# wget https://www.google.com
 Downloading 'https://www.google.com'
 Connecting to 172.217.23.196:443
 Connection error: Server hostname does not match SSL certificate

but instead of spending time on fixing it, I've simply decided to remove
it, as we're now on wolfSSL 4.5.0 and those symbols should be available,
so no symbol detection and handling should be needed anymore.

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt   | 13 -
 ustream-io-wolfssl.c |  7 ---
 ustream-ssl.c|  3 ---
 3 files changed, 23 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index b883751f6e3e..c98b12ac8d99 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,7 +1,5 @@
 cmake_minimum_required(VERSION 2.6)
 
-INCLUDE(CheckSymbolExists)
-
 PROJECT(ustream-ssl C)
 
 ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3)
@@ -26,17 +24,6 @@ ELSEIF(WOLFSSL)
   SET(SSL_SRC ustream-io-wolfssl.c ustream-openssl.c)
   SET(SSL_LIB ${wolfssl_library} m)
   SET(CMAKE_REQUIRED_LIBRARIES "${wolfssl_library} -lm")
-  CHECK_SYMBOL_EXISTS (wolfSSL_SSLSetIORecv "wolfssl/ssl.h"
-  HAVE_WOLFSSL_SSLSETIORECV)
-  IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
-ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
-  ENDIF()
-  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
-  "wolfssl/options.h;wolfssl/ssl.h"
-  HAVE_WOLFSSL_X509_CHECK_HOST)
-  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
-ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
-  ENDIF()
 ELSE()
   SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
   SET(SSL_LIB crypto ssl)
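Review bot: `SET(CMAKE_REQUIRED_LIBRARIES "${wolfssl_library} -lm")` on the context line kept above only existed to feed the two CHECK_SYMBOL_EXISTS probes being removed; with the probes gone it is dead configuration and should go in the same commit.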
diff --git a/ustream-io-wolfssl.c b/ustream-io-wolfssl.c
index db69499a8e4b..4ff85d34e333 100644
--- a/ustream-io-wolfssl.c
+++ b/ustream-io-wolfssl.c
@@ -67,15 +67,8 @@ static int io_send_cb(SSL* ssl, char *buf, int sz, void *ctx)
 
 __hidden void ustream_set_io(struct ustream_ssl_ctx *ctx, void *ssl, struct 
ustream *conn)
 {
-#ifndef NO_WOLFSSL_SSLSETIO_SEND_RECV
wolfSSL_SSLSetIORecv(ssl, io_recv_cb);
wolfSSL_SSLSetIOSend(ssl, io_send_cb);
-#else
-   wolfSSL_SetIORecv((void *) ctx, io_recv_cb);
-   wolfSSL_SetIOSend((void *) ctx, io_send_cb);
-   if (ssl == NULL)
-   return;
-#endif
wolfSSL_SetIOReadCtx(ssl, conn);
wolfSSL_SetIOWriteCtx(ssl, conn);
 }
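Review bot: after dropping the `#else` branch, the `ctx` parameter of ustream_set_io() is no longer used in this function; -Wno-unused-parameter hides that, but either simplify the signature now that the compatibility path is gone or mark the parameter unused so the intent is visible to the next reader.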
diff --git a/ustream-ssl.c b/ustream-ssl.c
index 46ac5523d999..cd69f9e97449 100644
--- a/ustream-ssl.c
+++ b/ustream-ssl.c
@@ -199,9 +199,6 @@ static int _ustream_ssl_init(struct ustream_ssl *us, struct 
ustream *conn, struc
us->conn = conn;
us->ctx = ctx;
 
-#if defined(HAVE_WOLFSSL) && defined(NO_WOLFSSL_SSLSETIO_SEND_RECV)
-   ustream_set_io(ctx, NULL, conn);
-#endif
us->ssl = __ustream_ssl_session_new(us->ctx);
if (!us->ssl)
return -ENOMEM;



[PATCH ustream-ssl 05/12] ustream-openssl: fix BIO_method memory leak

2020-12-10 Thread Petr Štetiar
Fixes following issues as reported by clang-12 LeakSanitizer:

 $ uclient-fetch-san -q -O /dev/null 'https://expired.badssl.com/'
  Direct leak of 96 byte(s) in 1 object(s) allocated from:
  #0 0x49716d in malloc (uclient-fetch-san+0x49716d)
  #1 0x7f551cbabe58 in CRYPTO_zalloc 
(/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1+0x17ae58)

  Indirect leak of 8 byte(s) in 1 object(s) allocated from:
  #0 0x49716d in malloc (uclient-fetch-san+0x49716d)
  #1 0x7f551cbb51c5 in CRYPTO_strdup 
(/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1+0x1841c5)

  SUMMARY: AddressSanitizer: 104 byte(s) leaked in 2 allocation(s).

and Valgrind:

  $ valgrind --quiet --leak-check=full uclient-fetch -q -O /dev/null 
'https://expired.badssl.com/'
  ==1966== 104 (96 direct, 8 indirect) bytes in 1 blocks are definitely lost in 
loss record 4 of 9
  ==1966==at 0x4C31B0F: malloc (in 
/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1966==by 0x5FC4E58: CRYPTO_zalloc (in 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
  ==1966==by 0x5EF712F: BIO_meth_new (in 
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.1)
  ==1966==by 0x5C48039: ustream_bio_new (ustream-io-openssl.c:125)
  ==1966==by 0x5C48039: ustream_set_io (ustream-io-openssl.c:141)
  ==1966==by 0x5C47CB0: _ustream_ssl_init (ustream-ssl.c:210)
  ==1966==by 0x4E4117A: uclient_setup_https (uclient-http.c:914)
  ==1966==by 0x4E4117A: uclient_http_connect (uclient-http.c:936)
  ==1966==by 0x401FD9: init_request (uclient-fetch.c:333)
  ==1966==by 0x401E08: main (uclient-fetch.c:745)

Suggested-by: Pan Chen 
Signed-off-by: Petr Štetiar 
---
 ustream-io-openssl.c | 47 ++--
 ustream-openssl.c|  7 +++
 ustream-openssl.h|  5 +
 3 files changed, 36 insertions(+), 23 deletions(-)

diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c
index 606ed4a36f40..7045bb660a36 100644
--- a/ustream-io-openssl.c
+++ b/ustream-io-openssl.c
@@ -48,18 +48,18 @@ s_ustream_free(BIO *b)
 static int
 s_ustream_read(BIO *b, char *buf, int len)
 {
-   struct ustream *s;
+   struct bio_ctx *ctx;
char *sbuf;
int slen;
 
if (!buf || len <= 0)
return 0;
 
-   s = (struct ustream *)BIO_get_data(b);
-   if (!s)
+   ctx = (struct bio_ctx *)BIO_get_data(b);
+   if (!ctx || !ctx->stream)
return 0;
 
-   sbuf = ustream_get_read_buf(s, );
+   sbuf = ustream_get_read_buf(ctx->stream, );
 
BIO_clear_retry_flags(b);
if (!slen) {
@@ -71,7 +71,7 @@ s_ustream_read(BIO *b, char *buf, int len)
slen = len;
 
memcpy(buf, sbuf, slen);
-   ustream_consume(s, slen);
+   ustream_consume(ctx->stream, slen);
 
return slen;
 }
@@ -79,19 +79,19 @@ s_ustream_read(BIO *b, char *buf, int len)
 static int
 s_ustream_write(BIO *b, const char *buf, int len)
 {
-   struct ustream *s;
+   struct bio_ctx *ctx;
 
if (!buf || len <= 0)
return 0;
 
-   s = (struct ustream *)BIO_get_data(b);
-   if (!s)
+   ctx = (struct bio_ctx *)BIO_get_data(b);
+   if (!ctx || !ctx->stream)
return 0;
 
-   if (s->write_error)
+   if (ctx->stream->write_error)
return len;
 
-   return ustream_write(s, buf, len, false);
+   return ustream_write(ctx->stream, buf, len, false);
 }
 
 static int
@@ -119,19 +119,20 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, 
void *ptr)
 static BIO *ustream_bio_new(struct ustream *s)
 {
BIO *bio;
-
-   BIO_METHOD *methods_ustream;
-
-   methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
-   BIO_meth_set_write(methods_ustream, s_ustream_write);
-   BIO_meth_set_read(methods_ustream, s_ustream_read);
-   BIO_meth_set_puts(methods_ustream, s_ustream_puts);
-   BIO_meth_set_gets(methods_ustream, s_ustream_gets);
-   BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
-   BIO_meth_set_create(methods_ustream, s_ustream_new);
-   BIO_meth_set_destroy(methods_ustream, s_ustream_free);
-   bio = BIO_new(methods_ustream);
-   BIO_set_data(bio, s);
+   struct bio_ctx *ctx = calloc(1, sizeof(struct bio_ctx));
+
+   ctx->stream = s;
+   ctx->meth = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
+
+   BIO_meth_set_write(ctx->meth, s_ustream_write);
+   BIO_meth_set_read(ctx->meth, s_ustream_read);
+   BIO_meth_set_puts(ctx->meth, s_ustream_puts);
+   BIO_meth_set_gets(ctx->meth, s_ustream_gets);
+   BIO_meth_set_ctrl(ctx->meth, s_ustream_ctrl);
+   BIO_meth_set_create(ctx->meth, s_ustream_new);
+   BIO_meth_set_destroy(ctx->meth, s_ustream_free);
+   bio = BIO_new(ctx->meth);
+   BIO_set_data(bio, ctx);
 
return bio;
 }
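Review bot: `calloc(1, sizeof(struct bio_ctx))` is dereferenced on the next line without a NULL check, and `BIO_meth_new()` and `BIO_new()` can also return NULL; a failed allocation here becomes a crash inside TLS setup rather than an -ENOMEM. Check all three and unwind (BIO_meth_free(), free(ctx)) on failure. Since the BIO_METHOD is now allocated per connection, the release of `ctx->meth` and `ctx` belongs in s_ustream_free() or the session-free path; it is not in the visible part of this patch, so please confirm it is there, otherwise the leak has just moved.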
diff --git a/ustream-openssl.c b/ustream-openssl.c
index dec2b9f7816d..ad77e721534c 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -210,8 

[PATCH ustream-ssl 10/12] ustream-mbedtls: fix certificate verification

2020-12-10 Thread Petr Štetiar
Fixes certificate verification if no CA certificates are available; it's
visible when you run:

 $ uclient-fetch https://www.openwrt.org

(so no explicit certificate is given) and have *not* installed the
`ca-certificates` or `ca-bundle` package, mbed TLS obviously can't do
verification since no root certificates are available.  But then it
simply ignores the issue and continues the SSL handshake without warning.

Further, if you run it like:

 $ uclient-fetch --ca-certificate=/dev/null https://www.openwrt.org

ustream-mbedtls also does not do verification at all (gives no warning
either).

References: 
https://lists.infradead.org/pipermail/openwrt-devel/2018-August/019183.html
Suggested-by: Paul Wassi 
Signed-off-by: Petr Štetiar 
---
 ustream-mbedtls.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 1bea9832617f..e79e37ba5051 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -159,15 +159,17 @@ __ustream_ssl_context_new(bool server)
 
mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
-   mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
if (server) {
+   mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_ciphersuites(conf, 
default_ciphersuites_server);
mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
 MBEDTLS_SSL_MINOR_VERSION_3);
-   } else
+   } else {
+   mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ciphersuites(conf, 
default_ciphersuites_client);
+   }
 
 #if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_conf_session_cache(conf, >cache,
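Review bot: MBEDTLS_SSL_VERIFY_OPTIONAL does not fail the handshake on a bad or unverifiable certificate, it only records the flags; the fix is therefore complete only if the connect path calls mbedtls_ssl_get_verify_result() after mbedtls_ssl_handshake() and aborts (or reports via notify_verify_error) on a non-zero result. That check is not in this hunk, so either confirm it exists in the connect code or use MBEDTLS_SSL_VERIFY_REQUIRED for the default client mode. Without a loaded CA chain, VERIFY_OPTIONAL still lets the handshake complete, which is the exact symptom the message describes.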



[PATCH ustream-ssl 12/12] Add initial GitLab CI support

2020-12-10 Thread Petr Štetiar
Uses the currently proof-of-concept openwrt-ci[1] in order to:

 * improve the quality of the codebase in various areas
 * decrease code review time and help merging contributions faster
 * get automagic feedback loop on various platforms and tools
   - out of tree build with OpenWrt SDK on following targets:
 * ath79-generic
 * imx6-generic
 * malta-be
 * mvebu-cortexa53
   - out of tree native build on x86/64 with GCC (versions 8, 9, 10) and Clang 
10
   - out of tree native x86/64 static code analysis with cppcheck and
 scan-build from Clang 10

1. https://gitlab.com/ynezz/openwrt-ci/

Signed-off-by: Petr Štetiar 
---
 .gitlab-ci.yml | 6 ++
 1 file changed, 6 insertions(+)
 create mode 100644 .gitlab-ci.yml

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index ..aae5e9297edf
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,6 @@
+variables:
+  CI_TARGET_BUILD_DEPENDS: libubox openssl
+
+include:
+  - remote: 
https://gitlab.com/ynezz/openwrt-ci/raw/master/openwrt-ci/gitlab/main.yml
+  - remote: 
https://gitlab.com/ynezz/openwrt-ci/raw/master/openwrt-ci/gitlab/pipeline.yml
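Review bot: both `include: remote:` entries pull pipeline definitions from `raw/master` of a personal GitLab project; whoever can push to that branch can change what runs in this project's CI with its credentials, and builds are not reproducible because the definition can change underneath them. Pin the includes to a commit SHA or tag (or use a `project:`/`ref:` include once the CI moves under the OpenWrt group). Also, `CI_TARGET_BUILD_DEPENDS: libubox openssl` means CI only exercises the OpenSSL backend, while most of this series touches mbed TLS and wolfSSL; add both so the verification fixes are actually built and tested.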



[PATCH ustream-ssl 06/12] ustream-mbedtls: fix comparison of integers of different signs

2020-12-10 Thread Petr Štetiar
Fixes following compiler extra warning:

 ustream-mbedtls.c:40:11: error: comparison of integers of different signs: 
'int' and 'size_t' (aka 'unsigned long') [-Werror,-Wsign-compare]
if (slen > len)
 ^ ~~~

Signed-off-by: Petr Štetiar 
---
 ustream-mbedtls.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 9f73c5836034..3424743c6452 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -37,7 +37,7 @@ static int s_ustream_read(void *ctx, unsigned char *buf, 
size_t len)
return 0;
 
sbuf = ustream_get_read_buf(s, );
-   if (slen > len)
+   if ((size_t) slen > len)
slen = len;
 
if (!slen)
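Review bot: `(size_t) slen > len` silences the warning correctly only because `slen` from ustream_get_read_buf() is never negative; should that ever change, a negative `slen` becomes a huge size_t, is clamped to `len` and then copied. An `if (slen <= 0) return 0;` before the comparison (subsuming the `if (!slen)` below) makes the invariant explicit and keeps the cast harmless.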



[PATCH ustream-ssl 09/12] ustream-mbedtls: implement set_require_validation

2020-12-10 Thread Petr Štetiar
In commit "ustream-openssl: wolfSSL: fix certificate validation" we've
added new set_require_validation() function so implement it for mbed TLS
as well.

Signed-off-by: Petr Štetiar 
---
 ustream-mbedtls.c | 12 
 1 file changed, 12 insertions(+)

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 3424743c6452..1bea9832617f 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -290,6 +290,18 @@ __hidden int __ustream_ssl_set_ciphers(struct 
ustream_ssl_ctx *ctx, const char *
return 0;
 }
 
+__hidden int __ustream_ssl_set_require_validation(struct ustream_ssl_ctx *ctx, 
bool require)
+{
+   int mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+
+   if (!require)
+   mode = MBEDTLS_SSL_VERIFY_NONE;
+
+   mbedtls_ssl_conf_authmode(>conf, mode);
+
+   return 0;
+}
+
 __hidden void __ustream_ssl_context_free(struct ustream_ssl_ctx *ctx)
 {
 #if defined(MBEDTLS_SSL_CACHE_C)
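Review bot: the name suggests `require = true` makes validation mandatory, but MBEDTLS_SSL_VERIFY_OPTIONAL lets the handshake succeed and only records the failure for mbedtls_ssl_get_verify_result(); MBEDTLS_SSL_VERIFY_REQUIRED is the mode that actually refuses the connection. If OPTIONAL is deliberate (to keep notify_verify_error reporting), say so in a comment here and make sure the caller of mbedtls_ssl_handshake() checks the verify result; otherwise `require` has no effect on the mbed TLS backend.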



[PATCH ustream-ssl 04/12] ustream-openssl: fix wolfSSL includes

2020-12-10 Thread Petr Štetiar
Fixes following compilation errors:

 ustream-io-wolfssl.c:74:2: error: implicit declaration of function 
'wolfSSL_SetIORecv' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
 ustream-io-wolfssl.c:75:2: error: implicit declaration of function 
'wolfSSL_SetIOSend' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
 ustream-io-wolfssl.c:79:2: error: implicit declaration of function 
'wolfSSL_SetIOReadCtx' is invalid in C99 
[-Werror,-Wimplicit-function-declaration]
 ustream-io-wolfssl.c:80:2: error: implicit declaration of function 
'wolfSSL_SetIOWriteCtx' is invalid in C99 
[-Werror,-Wimplicit-function-declaration]

Signed-off-by: Petr Štetiar 
---
 ustream-openssl.c | 3 +++
 ustream-openssl.h | 6 --
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/ustream-openssl.c b/ustream-openssl.c
index f8e848d69fb3..dec2b9f7816d 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -20,7 +20,10 @@
 #include 
 #include "ustream-ssl.h"
 #include "ustream-internal.h"
+
+#if !defined(HAVE_WOLFSSL)
 #include 
+#endif
 
 /* Ciphersuite preference:
  * - for server, no weak ciphers are used if you use an ECDSA key.
diff --git a/ustream-openssl.h b/ustream-openssl.h
index 0a6ca91023d0..9663d21ffd70 100644
--- a/ustream-openssl.h
+++ b/ustream-openssl.h
@@ -21,10 +21,12 @@
 
 #if defined(HAVE_WOLFSSL)
 #include 
-#endif
-
+#include 
+#else
 #include 
 #include 
+#endif
+
 #include 
 
 void __ustream_ssl_session_free(void *ssl);



[PATCH ustream-ssl 00/12] fixes, improvements and CI

2020-12-10 Thread Petr Štetiar
Hi,

this series should fix several issues related to certificate verification in
mbedTLS and wolfSSL like for example FS#3465.

You can find the packages ready for testing in my staging tree:

 
https://git.openwrt.org/?p=openwrt/staging/ynezz.git;a=shortlog;h=refs/heads/staging

Cheers,

Petr

Petr Štetiar (12):
  cmake: fix building out of the tree
  cmake: fix linking when wolfSSL not in default paths
  cmake: fix linking when mbed TLS not in default paths
  ustream-openssl: fix wolfSSL includes
  ustream-openssl: fix BIO_method memory leak
  ustream-mbedtls: fix comparison of integers of different signs
  cmake: enable extra compiler checks
  ustream-openssl: wolfSSL: fix certificate validation
  ustream-mbedtls: implement set_require_validation
  ustream-mbedtls: fix certificate verification
  wolfssl: remove now deprecated compatibility code
  Add initial GitLab CI support

 .gitlab-ci.yml   |  6 
 CMakeLists.txt   | 34 +-
 ustream-internal.h   |  1 +
 ustream-io-openssl.c | 47 +
 ustream-io-wolfssl.c |  7 
 ustream-mbedtls.c| 20 +--
 ustream-openssl.c| 83 
 ustream-openssl.h| 11 --
 ustream-ssl.c|  4 +--
 ustream-ssl.h| 19 +-
 10 files changed, 168 insertions(+), 64 deletions(-)
 create mode 100644 .gitlab-ci.yml



[PATCH ustream-ssl 03/12] cmake: fix linking when mbed TLS not in default paths

2020-12-10 Thread Petr Štetiar
Fixes the following issue when the mbed TLS libs are installed in different
paths:

 /usr/bin/ld: cannot find -lmbedtls
 /usr/bin/ld: cannot find -lmbedcrypto
 /usr/bin/ld: cannot find -lmbedx509

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 42c7f1fb00de..bb2abe5af596 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -10,7 +10,10 @@ SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
 IF(MBEDTLS)
   ADD_DEFINITIONS(-DHAVE_MBEDTLS)
   SET(SSL_SRC ustream-mbedtls.c)
-  SET(SSL_LIB mbedtls mbedcrypto mbedx509 m)
+  FIND_LIBRARY(mbedtls_library mbedtls)
+  FIND_LIBRARY(mbedx509_library mbedx509)
+  FIND_LIBRARY(mbedcrypto_library mbedcrypto)
+  SET(SSL_LIB ${mbedtls_library} ${mbedx509_library} ${mbedcrypto_library} m)
 ELSEIF(WOLFSSL)
   ADD_DEFINITIONS(-DHAVE_WOLFSSL)
   FIND_LIBRARY(wolfssl_library wolfssl)
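Review bot: the three FIND_LIBRARY results are used unchecked; when a library is missing the variable expands to `mbedtls_library-NOTFOUND` and the failure only surfaces at link time with an unhelpful message. An `IF(NOT mbedtls_library) MESSAGE(FATAL_ERROR ...)` after each lookup reports the missing library at configure time. The link order also changes from mbedtls mbedcrypto mbedx509 to mbedtls mbedx509 mbedcrypto, which is the correct dependency order for static linking; that is worth a sentence in the commit message.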


[PATCH ustream-ssl 07/12] cmake: enable extra compiler checks

2020-12-10 Thread Petr Štetiar
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index bb2abe5af596..b883751f6e3e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -3,7 +3,13 @@ cmake_minimum_required(VERSION 2.6)
 INCLUDE(CheckSymbolExists)
 
 PROJECT(ustream-ssl C)
-ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3 -Wmissing-declarations)
+
+ADD_DEFINITIONS(-Os -Wall -Werror --std=gnu99 -g3)
+IF(CMAKE_C_COMPILER_VERSION VERSION_GREATER 6)
+ADD_DEFINITIONS(-Wextra -Werror=implicit-function-declaration)
+ADD_DEFINITIONS(-Wformat -Werror=format-security 
-Werror=format-nonliteral)
+ENDIF()
+ADD_DEFINITIONS(-Wno-unused-parameter -Wmissing-declarations)
 
 SET(CMAKE_SHARED_LIBRARY_LINK_C_FLAGS "")
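Review bot: the `IF(CMAKE_C_COMPILER_VERSION VERSION_GREATER 6)` guard silently disables the new checks in two cases: CMAKE_C_COMPILER_VERSION is not provided by the CMake 2.6 declared in cmake_minimum_required, so on an old CMake the condition is simply false, and the threshold follows GCC numbering, so clang releases below 6 that accept all of these flags are excluded as well. Since -Werror=implicit-function-declaration is the check that catches the wolfSSL include bug fixed earlier in this series, consider making at least that flag unconditional and probing the rest with CheckCCompilerFlag instead of a version number.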
 


[PATCH ustream-ssl 02/12] cmake: fix linking when wolfSSL not in default paths

2020-12-10 Thread Petr Štetiar
Fixes the following issue when the wolfSSL libs are installed in different
paths:

 /usr/bin/ld: cannot find -lwolfssl

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 315aeb87c80b..42c7f1fb00de 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -13,9 +13,10 @@ IF(MBEDTLS)
   SET(SSL_LIB mbedtls mbedcrypto mbedx509 m)
 ELSEIF(WOLFSSL)
   ADD_DEFINITIONS(-DHAVE_WOLFSSL)
+  FIND_LIBRARY(wolfssl_library wolfssl)
   SET(SSL_SRC ustream-io-wolfssl.c ustream-openssl.c)
-  SET(SSL_LIB wolfssl m)
-  SET(CMAKE_REQUIRED_LIBRARIES "-lwolfssl -lm")
+  SET(SSL_LIB ${wolfssl_library} m)
+  SET(CMAKE_REQUIRED_LIBRARIES "${wolfssl_library} -lm")
   CHECK_SYMBOL_EXISTS (wolfSSL_SSLSetIORecv "wolfssl/ssl.h"
   HAVE_WOLFSSL_SSLSETIORECV)
   IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
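Review bot: `wolfssl_library` is used without a check for `-NOTFOUND`, so a missing wolfSSL fails at link time instead of at configure time; add `IF(NOT wolfssl_library) MESSAGE(FATAL_ERROR ...)` after the FIND_LIBRARY. The CHECK_SYMBOL_EXISTS probe for wolfSSL_SSLSetIORecv also sets only CMAKE_REQUIRED_LIBRARIES; if the headers live in a non-default path like the libraries, the probe cannot find wolfssl/ssl.h and HAVE_WOLFSSL_SSLSETIORECV is wrongly false, so a matching FIND_PATH plus CMAKE_REQUIRED_INCLUDES is needed to complete the fix.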


[PATCH ustream-ssl 01/12] cmake: fix building out of the tree

2020-12-10 Thread Petr Štetiar
When building out of the tree, the linker is unable to find the ubox library,
so fix it by using the find_library CMake command.

Signed-off-by: Petr Štetiar 
---
 CMakeLists.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 86e1b0788613..315aeb87c80b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,9 +34,10 @@ ENDIF()
 
 FIND_PATH(ubox_include_dir libubox/ustream.h)
 INCLUDE_DIRECTORIES(${ubox_include_dir})
+FIND_LIBRARY(ubox_library NAMES ubox)
 
 ADD_LIBRARY(ustream-ssl SHARED ustream-ssl.c ${SSL_SRC})
-TARGET_LINK_LIBRARIES(ustream-ssl ubox ${SSL_LIB})
+TARGET_LINK_LIBRARIES(ustream-ssl ${ubox_library} ${SSL_LIB})
 
 ADD_EXECUTABLE(ustream-example-server ustream-example-server.c)
 TARGET_LINK_LIBRARIES(ustream-example-server ustream-ssl)
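Review bot: neither the existing FIND_PATH(ubox_include_dir ...) nor the new FIND_LIBRARY(ubox_library ...) result is validated; if libubox is absent the link line receives a literal `ubox_library-NOTFOUND`. An `IF(NOT ubox_library) MESSAGE(FATAL_ERROR "libubox not found")` makes the out-of-tree case this patch targets fail with a clear message. Minor: the later patches in the series write `FIND_LIBRARY(name lib)` without the `NAMES` keyword; one style across the file would be nicer.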


[PATCH] wolfssl: fix broken wolfSSL_X509_check_host

2020-12-10 Thread Petr Štetiar
Backport upstream post 4.5.0 fix for broken wolfSSL_X509_check_host().

References: https://github.com/wolfSSL/wolfssl/issues/3329
Signed-off-by: Petr Štetiar 
---
 package/libs/wolfssl/Makefile |   2 +-
 .../200-fix-checkhostname-matching.patch  | 123 ++
 2 files changed, 124 insertions(+), 1 deletion(-)
 create mode 100644 package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index aeea1b7b7b91..6758f7dd08d6 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch 
b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
new file mode 100644
index ..aaf14e46d9c8
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
@@ -0,0 +1,123 @@
+From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001
+From: Eric Blankenhorn 
+Date: Fri, 17 Jul 2020 08:37:02 -0500
+Subject: [PATCH] Fix CheckHostName matching
+
+---
+ src/internal.c | 18 --
+ src/ssl.c  |  5 +
+ tests/api.c| 30 ++
+ 3 files changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index dc57df0242..cda815d875 100644
+--- a/src/internal.c
 b/src/internal.c
+@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* 
domain, int* checkCN)
+ altName = dCert->altNames;
+ 
+ if (checkCN != NULL) {
+-*checkCN = altName == NULL;
++*checkCN = (altName == NULL) ? 1 : 0;
+ }
+ 
+ while (altName) {
+@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* 
domain, int* checkCN)
+ int CheckHostName(DecodedCert* dCert, const char *domainName, size_t 
domainNameLen)
+ {
+ int checkCN;
++int ret = DOMAIN_NAME_MISMATCH;
+ 
+ /* Assume name is NUL terminated. */
+ (void)domainNameLen;
+ 
+ if (CheckForAltNames(dCert, domainName, ) != 1) {
+-WOLFSSL_MSG("DomainName match on alt names failed too");
+-return DOMAIN_NAME_MISMATCH;
++WOLFSSL_MSG("DomainName match on alt names failed");
+ }
++else {
++ret = 0;
++}
++
+ if (checkCN == 1) {
+ if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
+-domainName) == 0) {
++domainName) == 1) {
++ret = 0;
++}
++else {
+ WOLFSSL_MSG("DomainName match on common name failed");
+-return DOMAIN_NAME_MISMATCH;
+ }
+ }
+ 
+-return 0;
++return ret;
+ }
+ 
+ int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
+diff --git a/src/ssl.c b/src/ssl.c
+index 11bc08a3cb..59ad9bae60 100644
+--- a/src/ssl.c
 b/src/ssl.c
+@@ -43661,6 +43661,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const 
char *chk, size_t chklen,
+ (void)flags;
+ (void)peername;
+ 
++if ((x == NULL) || (chk == NULL)) {
++WOLFSSL_MSG("Invalid parameter");
++return WOLFSSL_FAILURE;
++}
++
+ if (flags == WOLFSSL_NO_WILDCARDS) {
+ WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented");
+ return WOLFSSL_FAILURE;
+diff --git a/tests/api.c b/tests/api.c
+index 774a332968..db888952d4 100644
+--- a/tests/api.c
 b/tests/api.c
+@@ -23875,6 +23875,35 @@ static void test_wolfSSL_X509_issuer_name_hash(void)
+ #endif
+ }
+ 
++static void test_wolfSSL_X509_check_host(void)
++{
++#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
++&& !defined(NO_SHA) && !defined(NO_RSA)
++
++X509* x509;
++const char altName[] = "example.com";
++
++printf(testingFmt, "wolfSSL_X509_check_host()");
++
++AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
++SSL_FILETYPE_PEM));
++
++AssertIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL),
++WOLFSSL_SUCCESS);
++
++AssertIntEQ(X509_check_host(x509, NULL, 0, 0, NULL),
++WOLFSSL_FAILURE);
++
++X509_free(x509);
++
++AssertIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL),
++WOLFSSL_FAILURE);
++
++printf(resultFmt, passed);
++
++#endif
++}
++
+ static void test_wolfSSL_DES(void)
+ {
+ #if defined(OPENSSL_EXTRA) && !defined(NO_DES3)
+@@ -36407,6 +36436,7 @@ void ApiTest(void)
+ test_wolfSSL_X509_INFO();
+ test_wolfSSL_X509_subject_name_hash();
+ test_wolfSSL_X509_issuer_name_hash();
++test_wolfSSL_X509_check_host();
+ test_wolfSSL_DES();
+ test_wolfSSL_certs();
+ test_wolfSSL_ASN1_TIME_print();
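Review bot: the OpenWrt-side commit message should state what the backport changes in certificate validation, since this is a hostname-verification fix: in the old CheckHostName, any CheckForAltNames() result other than 1 returned DOMAIN_NAME_MISMATCH before the CN fallback could run, and the fallback itself treated `MatchDomainName(...) == 0` as success, the inverse of the corrected `== 1`. The added test_wolfSSL_X509_check_host only asserts the matching name and the NULL-argument cases; a negative assertion with a name that does not match cliCertFile would guard against regressing to the inverted CN comparison and is cheap to add here.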


Re: [PATCH ustream] ustream-openssl: fix bio memory leak

2020-12-10 Thread Eneas U de Queiroz
Hi Petr

On Wed, Dec 9, 2020 at 6:59 PM Petr Štetiar  wrote:
>
> Eneas U de Queiroz  [2020-12-09 14:39:06]:
>
> Hi,
>
> > So the answer to your question is because you only allocate the table if
> > methods_ustream is NULL, and it will point to the created table then.
>
> I was referencing the missing freeing of allocated resources.
>
> > We could free it in s_ustream_free, but only to have to create it again
> > with the same data the next time ustream_bio_new is called. I wouldn't do
> > it, but if you'd rather, I can add it in a v2.
>
> Is this micro optimization worth it? You're adding global variable in the
> library, you're breaking API layer etc. I'm not supposed to study how is it
> implemented _now_, because it will likely change with the next release (either
> OpenSSL or wolfSSL) and it might be source of regressions. The API boundary is
> given so I'm just trying to use it as designed and as seen in the
> docs/examples/tests etc. And there is always new/free combo.
>
The purpose of BIO_METHOD struct is to hold a table of methods for a
BIO object to use.   In our case, it remains constant for the lifetime
of the process.
So, the maximum usable lifetime of methods_ustream is up to the
lifetime of the program--it does not mean that we can't set a shorter
lifetime.

In an ideal world, we would free the resource when the library is
cleaned up/deinitialized, but we don't have a function for that.
So a possible lifetime we can use is the lifetime of the BIO object
using it. One thing we need to be aware of is use after free.  We pass
the pointer to the BIO_new, and we must be sure that openssl will not
access that memory after we free it.  This would be after we call
BIO_free.  The thing is, we aren't making that call, so we are leaking
that resource as well.  That one can't have the lifetime of the
program, its lifetime is no larger than the underlying SSL connection,
apparently.  So we need to take care of that first.

After tackling BIO_free, my suggestion would be to determine where the
method table variable should go, and where to call BIO_meth_new and
BIO_meth_free.  I would add it to a defined struct
ustream_ssl_ctx--which is now just used with a cast to SSL_CTX--and
would create and free the object in __ustream_ssl_context_new and
__ustream_ssl_context_free, which would give it a possibly larger
lifetime than the ssl_session or the BIO object.

> > As for the WIP, you're perhaps doing too much work.

I was corrected by my own previous point.

> I'm spending time on this mainly because of FS#3465, perhaps mbedTLS has
> similar issues[1]. In the end I would like to have uclient/ustream-ssl CI
> tested (all 3 SSL libs combinations), with static analyzers, various
> sanitizers and Valgrind. So I have to fix all the issues those tools expose.
>
> Maybe it's too much work, but given the constraints (no globals, follow API),
> it's currently simplest working solution, but not fully tested yet.
>
> BTW I'm not discouraging you from v2, I've rejected the v1 patch, because it
> doesn't fix the memory leak as advertised in the subject :-) Thanks!

We should coordinate efforts.  You're the boss, so tell me what you
want me to do, if anything.

Cheers,

Eneas


[PATCH 0/3] [netifd] support external device handlers

2020-12-10 Thread arne . kappen
From: Arne Kappen 

This extension is based on an idea by Felix Fietkau which I implemented as part
of a student project at TU Berlin in 2015 and during Google Summer of Code 2016
for Freifunk. I've since been using this prototype to allow for native UCI
configuration of Open vSwitch devices through /etc/config/network - to add wifi
interfaces to it, configure OpenFlow controllers etc. The project recently got
some attention and I was asked to publish it. The concept is as follows:
Add an interface to netifd which allows other programs to fulfill the device
handler function (struct device_type) for a certain device class (ovs in my
case). The communication happens over ubus and thus device handling logic for a
specific type of devices can evolve independently from netifd. To realize this
netifd generates device handler stubs from JSON descriptions which simply relay
calls against the device handler API to the external device configuration
daemon over ubus. The JSON file also contains the UCI config options for the
device class. That way, netifd can create a blobmsg_policy to parse config
options that are unknown at compile time. As a convention I had to add the UCI
option 'depends_on' for expressing dependencies between devices.
There are 2 general external device types: regular devices and bridge devices.
Since my use case with Open vSwitch only involved bridge devices the regular
device part is untested. It is a lot less complex than the bridge part, though.
For the bridge part I followed the structure in bridge.c as much as possible
and it works with Open vSwitch but I don't know if it is generic enough for
other bridge device classes. I was hoping to get some feedback on that.

I've broken down my work into 3 patches. Unfortunately almost the entire thing
comes as a huge block in patch 3. Patch 1 just cleans up an irrelevant comment
on a line which I contributed in 2016 in preparation for publication of this
extension which eventually didn't happen. Patch 2 prepares the device handler
stub generation using a mechanism similar to how proto handlers are
constructed. Patch 3 adds extdev.c which is the meat of the extension.

If you want to test it with Open vSwitch these are the repositories for
my external device handler 'ovsd' and its package feed:
 - https://github.com/arkap/package-ovsd.git
 - https://github.com/arkap/ovsd.git


Arne Kappen (3):
  device: remove left-over comment
  handler: add mechanism to generate external device handler stubs
  extdev: add support for external device handlers

 CMakeLists.txt |3 +-
 device.c   |3 -
 extdev.c   | 1383 
 extdev.h   |   20 +
 handler.c  |  114 
 handler.h  |5 +
 main.c |2 +
 ubus.c |7 +
 ubus.h |3 +
 9 files changed, 1536 insertions(+), 4 deletions(-)
 create mode 100644 extdev.c
 create mode 100644 extdev.h

-- 
2.29.2



[PATCH 3/3] [netifd] extdev: add support for external device handlers

2020-12-10 Thread arne . kappen
From: Arne Kappen 

This allows integrating external daemons that configure network devices with
netifd. At startup, netifd generates device handler stubs from descriptions in
/lib/netifd/extdev-config via the mechanism in handler.c. These are then added
to the list of device handlers. Device handler stubs act as relays forwarding
calls against the device handler interface to the external daemon.

Signed-off-by: Arne Kappen 
---
 CMakeLists.txt |3 +-
 extdev.c   | 1383 
 extdev.h   |   20 +
 main.c |2 +
 ubus.c |7 +
 ubus.h |3 +
 6 files changed, 1417 insertions(+), 1 deletion(-)
 create mode 100644 extdev.c
 create mode 100644 extdev.h

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9d19817..ca5d944 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,8 @@ SET(SOURCES
interface.c interface-ip.c interface-event.c
iprule.c proto.c proto-static.c proto-shell.c
config.c device.c bridge.c veth.c vlan.c alias.c
-   macvlan.c ubus.c vlandev.c wireless.c)
+   macvlan.c ubus.c vlandev.c wireless.c
+   extdev.c)
 
 
 SET(LIBS
diff --git a/extdev.c b/extdev.c
new file mode 100644
index 000..9eea0c0
--- /dev/null
+++ b/extdev.c
@@ -0,0 +1,1383 @@
+/*
+ * netifd - network interface daemon
+ * Copyright (C) 2015 Arne Kappen 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2
+ * as published by the Free Software Foundation
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ *
+ * extdev - external device handler interface
+ *
+ * This allows to integrate external daemons that configure network devices
+ * with netifd. At startup, netifd generates device handler stubs from
+ * descriptions in /lib/netifd/extdev-config and adds them to the list of
+ * device handlers. A device handler is an instance of struct device_type
+ * The descriptions are in JSON format and specify
+ *   - names of the device type and of the external device handler on ubus,
+ *   - whether the device is bridge-like,
+ *   - a prefix for device names,
+ *   - the UCI config options for devices of this type, and
+ *   - the format of calls to dump() and info()
+ * These device handlers stubs act as relays forwarding calls against the
+ * device handler interface to the external daemon.
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include "netifd.h"
+#include "handler.h"
+#include "device.h"
+#include "ubus.h"
+#include "extdev.h"
+#include "interface.h"
+#include "system.h"
+
+
+static struct blob_buf b;
+static int confdir_fd = -1;
+
+struct extdev_type {
+   struct device_type handler;
+
+   const char *name;
+   uint32_t peer_id;
+   struct ubus_subscriber ubus_sub;
+   bool subscribed;
+   struct ubus_event_handler obj_wait;
+
+   struct uci_blob_param_list *config_params;
+   char *config_strbuf;
+
+   struct uci_blob_param_list *info_params;
+   char *info_strbuf;
+
+   struct uci_blob_param_list *stats_params;
+   char *stats_strbuf;
+};
+
+struct extdev_device {
+   struct device dev;
+   struct extdev_type *etype;
+   const char *dep_name;
+   struct uloop_timeout retry;
+};
+
+struct extdev_bridge {
+   struct extdev_device edev;
+   device_state_cb set_state;
+
+   struct blob_attr *config;
+   bool empty;
+   struct blob_attr *ifnames;
+   bool active;
+   bool force_active;
+
+   struct uloop_timeout retry;
+   struct vlist_tree members;
+   int n_present;
+   int n_failed;
+};
+
+struct extdev_bridge_member {
+   struct vlist_node node;
+   struct extdev_bridge *parent_br;
+   struct device_user dev_usr;
+   bool present;
+   char *name;
+};
+
+static void __bridge_config_init(struct extdev_bridge *ebr);
+static enum dev_change_type __bridge_reload(struct extdev_bridge *ebr, struct 
blob_attr *config);
+
+enum {
+   METHOD_CREATE,
+   METHOD_CONFIG_INIT,
+   METHOD_RELOAD,
+   METHOD_DUMP_INFO,
+   METHOD_DUMP_STATS,
+   METHOD_CHECK_STATE,
+   METHOD_FREE,
+   METHOD_HOTPLUG_PREPARE,
+   METHOD_HOTPLUG_ADD,
+   METHOD_HOTPLUG_REMOVE,
+   __METHODS_MAX
+};
+
+static const char *__extdev_methods[__METHODS_MAX] = {
+   [METHOD_CREATE] = "create",
+   [METHOD_CONFIG_INIT] = "config_init",
+   [METHOD_RELOAD] = "reload",
+   [METHOD_DUMP_INFO] = "dump_info",
+   [METHOD_DUMP_STATS] = "dump_stats",
+   [METHOD_CHECK_STATE] = "check_state",
+   [METHOD_FREE] = "free",
+   [METHOD_HOTPLUG_PREPARE] = "prepare",
+   [METHOD_HOTPLUG_ADD] = "add",
+   [METHOD_HOTPLUG_REMOVE] = 
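Review bot: `struct extdev_bridge` declares its own `struct uloop_timeout retry` although the embedded `struct extdev_device edev` already carries one; if the two serve different purposes a comment should say so, otherwise drop one so it is clear which timeout the bridge code arms. Also the header comment sentence `A device handler is an instance of struct device_type` is missing its full stop.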

[PATCH 2/3] [netifd] handler: add mechanism to generate external device handler stubs

2020-12-10 Thread arne . kappen
From: Arne Kappen 

Parse JSON files in a given directory and pass the information on to a callback
function for creation of an external device handler stub.
The description contains:
 - 'name': the name of the device type,
 - 'ubus_name': the name of the external device handler daemon on ubus,
 - 'bridge': a flag indicating whether the devices are bridge-like,
 - optionally 'br_prefix': a prefix for created devices
   (only for bridge-like, defaults to type name),
 - 'config': the UCI config options for devices of this type, and
 - optionally 'info' and 'stats': the format of calls to info() and dump().

Signed-off-by: Arne Kappen 
---
 handler.c | 114 ++
 handler.h |   5 +++
 2 files changed, 119 insertions(+)

diff --git a/handler.c b/handler.c
index 8608a97..04bdbee 100644
--- a/handler.c
+++ b/handler.c
@@ -78,6 +78,65 @@ netifd_init_script_handler(const char *script, json_object 
*obj, script_dump_cb
cb(script, name, obj);
 }
 
+static void
+netifd_init_extdev_handler(const char *config_file, json_object *obj,
+  create_extdev_handler_cb cb)
+{
+   json_object *tmp, *cfg, *info, *stats;
+   const char *name, *ubus_name, *br_prefix = NULL;
+   bool bridge_support = true;
+   char *err_missing;
+
+   if (!json_check_type(obj, json_type_object))
+   return;
+
+   tmp = json_get_field(obj, "name", json_type_string);
+   if (!tmp) {
+   err_missing = "name";
+   goto field_missing;
+   }
+
+   name = json_object_get_string(tmp);
+
+   tmp = json_get_field(obj, "ubus_name", json_type_string);
+   if (!tmp) {
+   err_missing = "ubus_name";
+   goto field_missing;
+   }
+
+   ubus_name = json_object_get_string(tmp);
+
+   tmp = json_get_field(obj, "bridge", json_type_string);
+   if (!tmp || !strcmp(json_object_get_string(tmp), "0"))
+   bridge_support = false;
+
+   if (bridge_support) {
+   tmp = json_get_field(obj, "br-prefix", json_type_string);
+   if (!tmp)
+   br_prefix = name;
+   else
+   br_prefix = json_object_get_string(tmp);
+   }
+
+   tmp = json_get_field(obj, "config", json_type_array);
+   if (!tmp) {
+   err_missing = "config";
+   goto field_missing;
+   }
+
+   cfg = tmp;
+
+   info = json_get_field(obj, "info", json_type_array);
+   stats = json_get_field(obj, "stats", json_type_array);
+
+   cb(config_file, name, ubus_name, bridge_support, br_prefix, cfg, info, 
stats);
+   return;
+
+field_missing:
+   netifd_log_message(L_WARNING, "external device handler description '%s' 
is"
+  "missing field '%s'\n", config_file, 
err_missing);
+}
+
 static void
 netifd_parse_script_handler(const char *name, script_dump_cb cb)
 {
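Review bot: the warning in the field_missing path concatenates `"... '%s' is"` and `"missing field '%s'\n"` without a space, so it prints `ismissing field`. The field names also disagree with the commit message: the code reads `br-prefix` while the message says `br_prefix`, and `bridge` is fetched as json_type_string and compared to "0", so a JSON boolean `true` is rejected by json_get_field and silently disables bridge support; accept json_type_boolean as well, or document that the flag must be the string "1" or "0".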
@@ -125,6 +184,48 @@ netifd_parse_script_handler(const char *name, 
script_dump_cb cb)
pclose(f);
 }
 
+static void
+netifd_parse_extdev_handler(const char *path_to_file, create_extdev_handler_cb 
cb)
+{
+   struct json_tokener *tok = NULL;
+   json_object *obj;
+   FILE *file;
+   int len;
+   char buf[512], *start;
+
+   file = fopen(path_to_file, "r");
+   if (!file)
+   return;
+
+   do {
+   start = fgets(buf, sizeof(buf), file);
+   if (!start)
+   continue;
+
+   len = strlen(start);
+
+   if (!tok)
+   tok = json_tokener_new();
+
+   obj = json_tokener_parse_ex(tok, start, len);
+
+   if (obj) {
+   netifd_init_extdev_handler(path_to_file, obj, cb);
+   json_object_put(obj);
+   json_tokener_free(tok);
+   tok = NULL;
+   } else if (start[len - 1] == '\n') {
+   json_tokener_free(tok);
+   tok = NULL;
+   }
+   } while (!feof(file) && !ferror(file));
+
+   if (tok)
+   json_tokener_free(tok);
+
+   fclose(file);
+}
+
 void netifd_init_script_handlers(int dir_fd, script_dump_cb cb)
 {
glob_t g;
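Review bot: the reader frees the tokener whenever a line ends in '\n' without producing an object, which is exactly the json-c `json_tokener_continue` state for a description that spans several lines; in effect every description must fit on one line, unlike a typical hand-written config file. Either document that constraint, or reset only when `json_tokener_get_error(tok) != json_tokener_continue` and log the tokener error in that case, since a malformed description is currently dropped without any message.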
@@ -143,6 +244,19 @@ void netifd_init_script_handlers(int dir_fd, 
script_dump_cb cb)
globfree();
 }
 
+void
+netifd_init_extdev_handlers(int dir_fd, create_extdev_handler_cb cb)
+{
+   glob_t g;
+   int prev_fd;
+
+   prev_fd = netifd_dir_push(dir_fd);
+   glob("*.json", 0, NULL, );
+   for (int i = 0; i < g.gl_pathc; i++)
+   netifd_parse_extdev_handler(g.gl_pathv[i], cb);
+   netifd_dir_pop(prev_fd);
+}
+
 char *
 netifd_handler_parse_config(struct uci_blob_param_list *config, json_object 
*obj)
 {
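Review bot: netifd_init_extdev_handlers calls glob() but never globfree(), unlike netifd_init_script_handlers just above it, so the path list leaks on every call. Comparing `int i` against `g.gl_pathc` (a size_t) also draws -Wsign-compare; declare the index as size_t.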
diff --git a/handler.h b/handler.h
index e3e2af5..7064409 100644
--- a/handler.h
+++ b/handler.h
@@ -19,6 +19,10 @@
 

[PATCH 1/3] [netifd] device: remove left-over comment

2020-12-10 Thread arne . kappen
From: Arne Kappen 

Signed-off-by: Arne Kappen 
---

This is an irrelevant left-over from an earlier shot at publishing
this extension. It is obviously no longer needed. 

 device.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/device.c b/device.c
index 73cc4bf..32e4549 100644
--- a/device.c
+++ b/device.c
@@ -77,9 +77,6 @@ int device_type_add(struct device_type *devtype)
return 0;
 }
 
-/* Retrieve the device type for the given name. If 'bridge' is true, the type
- * must have bridge capabilities
- */
 struct device_type *
 device_type_get(const char *tname)
 {
-- 
2.29.2



[PATCH] kernel/kmod-lib-lzo: include the lzo-rle kmod in the package

2020-12-10 Thread Rui Salvaterra
Albeit a separate crypto module, lzo-rle uses the same kernel library as lzo.
Crypto API users (zram, for example) expect both lzo and lzo-rle to be
available, so let's include lzo-rle (about 5.5 kiB) in the lib-lzo package.

Based on e9hack's original patch: 
https://patchwork.ozlabs.org/project/openwrt/patch/541cbfbd-76f2-59b3-a867-47b6f0fc7...@gmail.com/

Signed-off-by: Rui Salvaterra 
---

Sven, I read your original reply [1], but I don't think a less than 6 kiB
difference is worth the violation of the principle of least surprise. Besides,
at least for the zram use case, we'll soon be able to rely on a single
compression algorithm, without a hard dependency on lzo [2] (zstd being the
obvious candidate). Thoughts?

[1] https://lists.openwrt.org/pipermail/openwrt-devel/2020-September/031434.html
[2] 
https://lore.kernel.org/linux-block/20201207121245.50529-1-rsalvate...@gmail.com/

 package/kernel/linux/modules/lib.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/kernel/linux/modules/lib.mk 
b/package/kernel/linux/modules/lib.mk
index 9a341932bd..8dba905f50 100644
--- a/package/kernel/linux/modules/lib.mk
+++ b/package/kernel/linux/modules/lib.mk
@@ -109,9 +109,10 @@ define KernelPackage/lib-lzo
   HIDDEN:=1
   FILES:= \
$(LINUX_DIR)/crypto/lzo.ko \
+   $(LINUX_DIR)/crypto/lzo-rle.ko \
$(LINUX_DIR)/lib/lzo/lzo_compress.ko \
$(LINUX_DIR)/lib/lzo/lzo_decompress.ko
-  AUTOLOAD:=$(call AutoProbe,lzo lzo_compress lzo_decompress)
+  AUTOLOAD:=$(call AutoProbe,lzo lzo-rle lzo_compress lzo_decompress)
 endef
 
 define KernelPackage/lib-lzo/description
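Review bot: the FILES entry for crypto/lzo-rle.ko is unconditional, so the package build fails on any kernel in the tree that does not ship a separate lzo-rle module; confirm that every supported kernel version provides it, or guard the entry the way other version-dependent modules in lib.mk are guarded.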
-- 
2.29.2



RE: [PATCH 1/2] uboot-envtools: add support for multiple config partitions

2020-12-10 Thread Adrian Schmutzler
Please bump PKG_RELEASE 

> -Original Message-
> From: openwrt-devel [mailto:openwrt-devel-boun...@lists.openwrt.org]
> On Behalf Of Bjørn Mork
> Sent: Donnerstag, 10. Dezember 2020 13:40
> To: openwrt-devel@lists.openwrt.org
> Cc: Bjørn Mork 
> Subject: [PATCH 1/2] uboot-envtools: add support for multiple config
> partitions
> 
> Most (all?) of the realtek devices have two u-boot config partitions with a
> different set of variables in each. The U-Boot shell provides two sets of apps
> to manipulate these:
> 
>  printenv- print environment variables
>  printsys- printsys - print system information variables
>  saveenv - save environment variables to persistent storage
>  savesys - savesys - save system information variables to persistent storage
>  setenv  - set environment variables
>  setsys  - setsys  - set system information variables
> 
> Add support for multiple ubootenv configuration types, allowing more than
> one configuration file.
> 
> Section names are not suitable for naming the different configurations since
> each file can be the result of multiple sections in case of backup partitions.
> 
> Signed-off-by: Bjørn Mork 
> ---
>  package/boot/uboot-envtools/Makefile  |  1 +
>  package/boot/uboot-envtools/files/realtek |  8 +++-
>  .../uboot-envtools/files/uboot-envtools.sh| 38 ---
>  3 files changed, 32 insertions(+), 15 deletions(-)
> 
> diff --git a/package/boot/uboot-envtools/Makefile b/package/boot/uboot-
> envtools/Makefile
> index 590e38d8831a..601627011d56 100644
> --- a/package/boot/uboot-envtools/Makefile
> +++ b/package/boot/uboot-envtools/Makefile
> @@ -61,6 +61,7 @@ MAKE_FLAGS += \
>  define Package/uboot-envtools/conffiles  /etc/config/ubootenv
> /etc/fw_env.config
> +/etc/fw_sys.config
>  endef
> 
>  define Package/uboot-envtools/install
> diff --git a/package/boot/uboot-envtools/files/realtek
> b/package/boot/uboot-envtools/files/realtek
> index cce0628ffcbb..b64bb23b0747 100644
> --- a/package/boot/uboot-envtools/files/realtek
> +++ b/package/boot/uboot-envtools/files/realtek
> @@ -15,15 +15,21 @@ zyxel,gs1900-10hp)
>   idx="$(find_mtd_index u-boot-env)"
>   [ -n "$idx" ] && \
>   ubootenv_add_uci_config "/dev/mtd$idx" "0x0" "0x400"
> "0x1"
> + idx="$(find_mtd_index u-boot-env2)"
> + [ -n "$idx" ] && \
> + ubootenv_add_uci_sys_config "/dev/mtd$idx" "0x0"
> "0x1000" "0x1"
>   ;;
>  *)
>   idx="$(find_mtd_index u-boot-env)"
>   [ -n "$idx" ] && \
>   ubootenv_add_uci_config "/dev/mtd$idx" "0x0" "0x1"
> "0x1"
> + idx="$(find_mtd_index u-boot-env2)"
> + [ -n "$idx" ] && \
> + ubootenv_add_uci_sys_config "/dev/mtd$idx" "0x0"
> "0x1000" "0x1"
>   ;;
>  esac
> 
>  config_load ubootenv
> -config_foreach ubootenv_add_app_config ubootenv
> +config_foreach ubootenv_add_app_config
> 
>  exit 0
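Review bot: the u-boot-env2 lookup and the ubootenv_add_uci_sys_config call are repeated verbatim in both case branches while only the u-boot-env parameters differ per board; hoisting the sys block below the esac keeps the per-board sections to what actually varies. Dropping the section type from `config_foreach ubootenv_add_app_config` means every section in /etc/config/ubootenv is now visited and dispatched on its TYPE, which is intentional but deserves a line in the commit message.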
> diff --git a/package/boot/uboot-envtools/files/uboot-envtools.sh
> b/package/boot/uboot-envtools/files/uboot-envtools.sh
> index 9218bc4e3912..980c9962b17c 100644
> --- a/package/boot/uboot-envtools/files/uboot-envtools.sh
> +++ b/package/boot/uboot-envtools/files/uboot-envtools.sh
> @@ -3,34 +3,44 @@
>  # Copyright (C) 2011-2012 OpenWrt.org
>  #
> 
> -ubootenv_add_uci_config() {
> - local dev=$1
> - local offset=$2
> - local envsize=$3
> - local secsize=$4
> - local numsec=$5
> +_ubootenv_add_uci_config() {
> + local cfgtype=$1
> + local dev=$2
> + local offset=$3
> + local envsize=$4
> + local secsize=$5
> + local numsec=$6
>   uci batch < -add ubootenv ubootenv
> -set ubootenv.@ubootenv[-1].dev='$dev'
> -set ubootenv.@ubootenv[-1].offset='$offset'
> -set ubootenv.@ubootenv[-1].envsize='$envsize'
> -set ubootenv.@ubootenv[-1].secsize='$secsize'
> -set ubootenv.@ubootenv[-1].numsec='$numsec'
> +add ubootenv $cfgtype
> +set ubootenv.@$cfgtype[-1].dev='$dev'
> +set ubootenv.@$cfgtype[-1].offset='$offset'
> +set ubootenv.@$cfgtype[-1].envsize='$envsize'
> +set ubootenv.@$cfgtype[-1].secsize='$secsize'
> +set ubootenv.@$cfgtype[-1].numsec='$numsec'
>  EOF
>   uci commit ubootenv
>  }
> 
> +ubootenv_add_uci_config() {
> + _ubootenv_add_uci_config "ubootenv" "$@"
> +}
> +
> +ubootenv_add_uci_sys_config() {
> + _ubootenv_add_uci_config "ubootsys" "$@"
> +}
> +
>  ubootenv_add_app_config() {
> + local cfgtype
>   local dev
>   local offset
>   local envsize
>   local secsize
>   local numsec
> + config_get cfgtype "$1" TYPE
>   config_get dev "$1" dev
>   config_get offset "$1" offset
>   config_get envsize "$1" envsize
>   config_get secsize "$1" secsize
>   config_get numsec "$1" numsec
> - grep -q "^[[:space:]]*${dev}[[:space:]]*${offset}"
> /etc/fw_env.config || echo "$dev $offset $envsize $secsize $numsec"
> >>/etc/fw_env.config
> + grep -q "^[[:space:]]*${dev}[[:space:]]*${offset}"
> "/etc/fw_${cfgtype#uboot}.config" || echo "$dev 
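Review bot: `_ubootenv_add_uci_config` takes the section type as its first argument and `ubootenv_add_app_config` later turns that type into a file name via `${cfgtype#uboot}`, but nothing in the hunk documents that only `ubootenv` and `ubootsys` are meaningful values; a comment above the helper (or above the two wrappers) stating that the type must be `uboot<name>` and that `<name>` becomes `/etc/fw_<name>.config` would make the contract clear to the next board-script author.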

[PATCH 1/2] uboot-envtools: add support for multiple config partitions

2020-12-10 Thread Bjørn Mork
Most (all?) of the realtek devices have two u-boot config partitions
with a different set of variables in each. The U-Boot shell provides
two sets of apps to manipulate these:

 printenv- print environment variables
 printsys- printsys - print system information variables
 saveenv - save environment variables to persistent storage
 savesys - savesys - save system information variables to persistent storage
 setenv  - set environment variables
 setsys  - setsys  - set system information variables

Add support for multiple ubootenv configuration types, allowing
more than one configuration file.

Section names are not suitable for naming the different
configurations since each file can be the result of multiple sections
in case of backup partitions.

Signed-off-by: Bjørn Mork 
---
 package/boot/uboot-envtools/Makefile  |  1 +
 package/boot/uboot-envtools/files/realtek |  8 +++-
 .../uboot-envtools/files/uboot-envtools.sh| 38 ---
 3 files changed, 32 insertions(+), 15 deletions(-)

diff --git a/package/boot/uboot-envtools/Makefile 
b/package/boot/uboot-envtools/Makefile
index 590e38d8831a..601627011d56 100644
--- a/package/boot/uboot-envtools/Makefile
+++ b/package/boot/uboot-envtools/Makefile
@@ -61,6 +61,7 @@ MAKE_FLAGS += \
 define Package/uboot-envtools/conffiles
 /etc/config/ubootenv
 /etc/fw_env.config
+/etc/fw_sys.config
 endef
 
 define Package/uboot-envtools/install
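Review bot: the conffiles list grows by `/etc/fw_sys.config` and the install-time script changes in the other hunks, yet no hunk of this patch bumps PKG_RELEASE; increment the package revision so that the new conffiles list actually ships as a new package version.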
diff --git a/package/boot/uboot-envtools/files/realtek 
b/package/boot/uboot-envtools/files/realtek
index cce0628ffcbb..b64bb23b0747 100644
--- a/package/boot/uboot-envtools/files/realtek
+++ b/package/boot/uboot-envtools/files/realtek
@@ -15,15 +15,21 @@ zyxel,gs1900-10hp)
idx="$(find_mtd_index u-boot-env)"
[ -n "$idx" ] && \
ubootenv_add_uci_config "/dev/mtd$idx" "0x0" "0x400" "0x1"
+   idx="$(find_mtd_index u-boot-env2)"
+   [ -n "$idx" ] && \
+   ubootenv_add_uci_sys_config "/dev/mtd$idx" "0x0" "0x1000" 
"0x1"
;;
 *)
idx="$(find_mtd_index u-boot-env)"
[ -n "$idx" ] && \
ubootenv_add_uci_config "/dev/mtd$idx" "0x0" "0x1" "0x1"
+   idx="$(find_mtd_index u-boot-env2)"
+   [ -n "$idx" ] && \
+   ubootenv_add_uci_sys_config "/dev/mtd$idx" "0x0" "0x1000" 
"0x1"
;;
 esac
 
 config_load ubootenv
-config_foreach ubootenv_add_app_config ubootenv
+config_foreach ubootenv_add_app_config
 
 exit 0
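Review bot: dropping the section type from `config_foreach ubootenv_add_app_config` makes the callback run for every section in /etc/config/ubootenv regardless of its type, and the callback then builds the output path from that type, so a section of any other type (a typo or a user-added one) silently creates `/etc/fw_<type>.config`; either keep the explicit calls `config_foreach ubootenv_add_app_config ubootenv` and `config_foreach ubootenv_add_app_config ubootsys`, or have the callback return early for unknown types.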
diff --git a/package/boot/uboot-envtools/files/uboot-envtools.sh 
b/package/boot/uboot-envtools/files/uboot-envtools.sh
index 9218bc4e3912..980c9962b17c 100644
--- a/package/boot/uboot-envtools/files/uboot-envtools.sh
+++ b/package/boot/uboot-envtools/files/uboot-envtools.sh
@@ -3,34 +3,44 @@
 # Copyright (C) 2011-2012 OpenWrt.org
 #
 
-ubootenv_add_uci_config() {
-   local dev=$1
-   local offset=$2
-   local envsize=$3
-   local secsize=$4
-   local numsec=$5
+_ubootenv_add_uci_config() {
+   local cfgtype=$1
+   local dev=$2
+   local offset=$3
+   local envsize=$4
+   local secsize=$5
+   local numsec=$6
uci batch <>/etc/fw_env.config
+   grep -q "^[[:space:]]*${dev}[[:space:]]*${offset}" 
"/etc/fw_${cfgtype#uboot}.config" || echo "$dev $offset $envsize $secsize 
$numsec" >>"/etc/fw_${cfgtype#uboot}.config"
 }
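Review bot: `"/etc/fw_${cfgtype#uboot}.config"` is derived from the section TYPE without validation, so which file gets written depends entirely on the section types present in the UCI config; a guard such as `case "$cfgtype" in ubootenv|ubootsys) ;; *) return ;; esac` right after `config_get cfgtype "$1" TYPE` limits the output to the two intended files. Also, `grep -q` on a config file that does not exist yet prints an error to stderr before the first line is appended (pre-existing behaviour, now hit for two files); a `[ -f ... ]` test or `2>/dev/null` on the grep keeps the uci-defaults run quiet.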
-
-- 
2.20.1


___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
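The mechanism of this patch, one fw_printenv config file per ubootenv section type with the file name obtained by stripping the `uboot` prefix from the type, as an added stand-alone example written for this page (it is not the package's own uboot-envtools.sh): it writes into a directory passed as an argument instead of /etc, restricts the type to the two values the patch introduces, creates a missing file before checking it, and de-duplicates on whole dev/offset fields rather than a prefix regex. The section list and the mtd numbers in it are constructed.

```shell
#!/bin/sh
# Added example, not code from OpenWrt's uboot-envtools package.
# Mirrors the idea of the patch (section type -> /etc/fw_<name>.config)
# with a validated type and an exact-field duplicate check.

# ubootenv_config_file TYPE [DIR]
# Print the config file for a ubootenv section type ("ubootenv" ->
# DIR/fw_env.config, "ubootsys" -> DIR/fw_sys.config); DIR defaults to /etc.
# Any other type fails with a non-zero status, so a stray section can never
# choose the output file name.
ubootenv_config_file() {
	_type=$1
	_dir=${2:-/etc}
	case "$_type" in
		ubootenv|ubootsys) printf '%s/fw_%s.config\n' "$_dir" "${_type#uboot}" ;;
		*) return 1 ;;
	esac
}

# ubootenv_append_line FILE DEV OFFSET ENVSIZE SECSIZE [NUMSEC]
# Append "dev offset envsize secsize [numsec]" to FILE unless a line with the
# same dev and offset fields already exists. The file is created when missing,
# so the check never complains about a non-existent file.
ubootenv_append_line() {
	_file=$1
	_dev=$2
	_off=$3
	[ -f "$_file" ] || : > "$_file"
	if ! awk -v d="$_dev" -v o="$_off" '$1 == d && $2 == o { found = 1 } END { exit !found }' "$_file"; then
		echo "$_dev $_off $4 $5${6:+ $6}" >> "$_file"
	fi
}

# ubootenv_render_configs DIR
# Constructed stand-in for iterating /etc/config/ubootenv: each line below is
# "type dev offset envsize secsize [numsec]" as a board script would register
# it (the mtd numbers are made up). Unknown types are reported on stderr and
# skipped; the number of skipped sections is printed on stdout.
ubootenv_render_configs() {
	_outdir=$1
	_skipped=0
	while read -r _t _d _o _e _s _n; do
		[ -n "$_t" ] || continue
		if _cfg=$(ubootenv_config_file "$_t" "$_outdir"); then
			ubootenv_append_line "$_cfg" "$_d" "$_o" "$_e" "$_s" "$_n"
		else
			echo "skipping section of unexpected type '$_t'" >&2
			_skipped=$((_skipped + 1))
		fi
	done <<EOF
ubootenv /dev/mtd3 0x0 0x400 0x1
ubootsys /dev/mtd4 0x0 0x1000 0x1
ubootenv /dev/mtd3 0x0 0x400 0x1
bogus /dev/mtd5 0x0 0x1000 0x1
EOF
	echo "$_skipped"
}

# Stand-alone demo: render the constructed sections into a temporary directory
# and show the resulting fw_env.config / fw_sys.config contents.
_demo=$(mktemp -d)
ubootenv_render_configs "$_demo" >/dev/null 2>&1
cat "$_demo"/fw_*.config
rm -rf "$_demo"
```

The duplicate `ubootenv /dev/mtd3` line is dropped and the `bogus` section is skipped without creating a file, which is the behaviour the patch's `${cfgtype#uboot}` derivation lacks.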


[PATCH 2/2] uboot-envtools: support alternate default config

2020-12-10 Thread Bjørn Mork
Now that we can create an alternate configuration file, add support
for selecting it by using the alternate application names
`fw_printsys' or `fw_setsys'.

Signed-off-by: Bjørn Mork 
---
 package/boot/uboot-envtools/Makefile  |   2 +
 .../002-support-alternate-config.patch|  91 ++
 .../patches/003-fix-usage-text.patch  | 167 ++
 3 files changed, 260 insertions(+)
 create mode 100644 
package/boot/uboot-envtools/patches/002-support-alternate-config.patch
 create mode 100644 package/boot/uboot-envtools/patches/003-fix-usage-text.patch

diff --git a/package/boot/uboot-envtools/Makefile 
b/package/boot/uboot-envtools/Makefile
index 601627011d56..e7ecfefec73a 100644
--- a/package/boot/uboot-envtools/Makefile
+++ b/package/boot/uboot-envtools/Makefile
@@ -68,6 +68,8 @@ define Package/uboot-envtools/install
$(INSTALL_DIR) $(1)/usr/sbin
$(INSTALL_BIN) $(PKG_BUILD_DIR)/tools/env/fw_printenv $(1)/usr/sbin
$(LN) fw_printenv $(1)/usr/sbin/fw_setenv
+   $(LN) fw_printenv $(1)/usr/sbin/fw_printsys
+   $(LN) fw_printenv $(1)/usr/sbin/fw_setsys
$(INSTALL_DIR) $(1)/lib
$(INSTALL_DATA) ./files/uboot-envtools.sh $(1)/lib
$(INSTALL_DIR) $(1)/etc/uci-defaults
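Review bot: the two new `$(LN) fw_printenv $(1)/usr/sbin/fw_printsys` / `fw_setsys` links only select the alternate file when the argv[0] handling added by 002-support-alternate-config.patch is compiled in; since the upstream tool already accepts `-c <file>` (see `{"config", required_argument, NULL, 'c'}` in that patch's context lines), a two-line wrapper script installed under the same names, `exec fw_printenv -c /etc/fw_sys.config "$@"`, gives the same commands without carrying a local patch against the upstream tool.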
diff --git 
a/package/boot/uboot-envtools/patches/002-support-alternate-config.patch 
b/package/boot/uboot-envtools/patches/002-support-alternate-config.patch
new file mode 100644
index ..aa341545a03c
--- /dev/null
+++ b/package/boot/uboot-envtools/patches/002-support-alternate-config.patch
@@ -0,0 +1,91 @@
+From e5255e1ca3af000adb5ff686ea5c5b5b60fb7d9d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= 
+Date: Thu, 10 Dec 2020 12:32:21 +0100
+Subject: [PATCH 1/2] tools: env: add support for alternate config file
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Some devices use two distinct environment partitions for
+different variable sets.  Add basic support for choosing
+between two configuration files based on application name.
+
+Signed-off-by: Bjørn Mork 
+---
+ tools/env/fw_env_main.c| 28 +---
+ tools/env/fw_env_private.h |  4 +++-
+ 2 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/tools/env/fw_env_main.c b/tools/env/fw_env_main.c
+index 1d193bd437d8..d67c2ed407e3 100644
+--- a/tools/env/fw_env_main.c
 b/tools/env/fw_env_main.c
+@@ -42,6 +42,12 @@
+ #define CMD_SETENV"fw_setenv"
+ static int do_printenv;
+ 
++#ifdef CONFIG_SYSFILE
++#define CMD_PRINTSYS  "fw_printsys"
++#define CMD_SETSYS"fw_setsys"
++static int do_sys;
++#endif
++
+ static struct option long_options[] = {
+   {"config", required_argument, NULL, 'c'},
+   {"help", no_argument, NULL, 'h'},
+@@ -117,7 +123,7 @@ static void parse_common_args(int argc, char *argv[])
+   int c;
+ 
+ #ifdef CONFIG_FILE
+-  env_opts.config_file = CONFIG_FILE;
++  env_opts.config_file = do_sys ? CONFIG_SYSFILE : CONFIG_FILE;
+ #endif
+ 
+   while ((c = getopt_long(argc, argv, ":a:c:l:h:v", long_options, NULL)) 
!=
+@@ -219,10 +225,26 @@ int main(int argc, char *argv[])
+   do_printenv = 1;
+   } else if (strcmp(_cmdname, CMD_SETENV) == 0) {
+   do_printenv = 0;
++#ifdef CONFIG_SYSFILE
++  } else if (strcmp(_cmdname, CMD_PRINTSYS) == 0) {
++  do_printenv = 1;
++  do_sys = 1;
++  } else if (strcmp(_cmdname, CMD_SETSYS) == 0) {
++  do_printenv = 0;
++  do_sys = 1;
++#endif
+   } else {
+   fprintf(stderr,
+-  "Identity crisis - may be called as `%s' or as `%s' but 
not as `%s'\n",
+-  CMD_PRINTENV, CMD_SETENV, _cmdname);
++  "Identity crisis - may be called as `%s',"
++#ifdef CONFIG_SYSFILE
++  "`%s', `%s',"
++#endif
++  " or as `%s' but not as `%s'\n",
++  CMD_PRINTENV, CMD_SETENV,
++#ifdef CONFIG_SYSFILE
++  CMD_PRINTSYS, CMD_SETSYS,
++#endif
++  _cmdname);
+   exit(EXIT_FAILURE);
+   }
+ 
+diff --git a/tools/env/fw_env_private.h b/tools/env/fw_env_private.h
+index 86be16dabc62..35b9bfc70aee 100644
+--- a/tools/env/fw_env_private.h
 b/tools/env/fw_env_private.h
+@@ -23,7 +23,9 @@
+  */
+ #define CONFIG_FILE "/etc/fw_env.config"
+ 
+-#ifndef CONFIG_FILE
++#ifdef CONFIG_FILE
++#define CONFIG_SYSFILE  "/etc/fw_sys.config"
++#else
+ #define HAVE_REDUND /* For systems with 2 env sectors */
+ #define DEVICE1_NAME  "/dev/mtd1"
+ #define DEVICE2_NAME  "/dev/mtd2"
+-- 
+2.29.2
+
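Review bot: `do_sys` is declared only under `#ifdef CONFIG_SYSFILE` in fw_env_main.c, but `parse_common_args` reads it under `#ifdef CONFIG_FILE` (`env_opts.config_file = do_sys ? CONFIG_SYSFILE : CONFIG_FILE;`); this compiles only because fw_env_private.h now defines CONFIG_SYSFILE exactly when CONFIG_FILE is defined, so either guard that ternary with `CONFIG_SYSFILE` as well, or add a comment next to the new `#define CONFIG_SYSFILE` stating the coupling, so the two guards cannot drift apart in a later rebase.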
diff --git a/package/boot/uboot-envtools/patches/003-fix-usage-text.patch 
b/package/boot/uboot-envtools/patches/003-fix-usage-text.patch
new file mode 100644
index ..220239ac2150
--- /dev/null
+++ b/package/boot/uboot-envtools/patches/003-fix-usage-text.patch
@@ -0,0 +1,167 @@
+From 

[PATCH] ath79: Add support for Ubiquiti Bullet AC

2020-12-10 Thread Russell Senior


CPU: Atheros AR9342 rev 3 SoC
RAM: 64 MB DDR2
Flash:   16 MB NOR SPI
WLAN 2.4GHz: Atheros AR9342 v3 (ath9k)
WLAN 5.0GHz: QCA988X
Ports:   1x GbE

The flashing procedure is identical to other ubnt devices.
https://openwrt.org/toh/ubiquiti/common

Flashing through factory firmware
1. Ensure firmware version v8.7.0 is installed.
   Up/downgrade to this exact version.
2. Patch the fwupdate.real binary using
   `hexdump -Cv /bin/ubntbox | sed 's/14 40 fe 27/00 00 00 00/g' | \
hexdump -R > /tmp/fwupdate.real`
3. Make the patched fwupdate.real binary executable using
   `chmod +x /tmp/fwupdate.real`
4. Copy the squashfs factory image to /tmp on the device
5. Flash OpenWrt using `/tmp/fwupdate.real -m `
6. Wait for the device to reboot
(copied from Ubiquiti NanoBeam AC and modified)

Flashing from serial console
1. Connect serial console (115200 baud)
2. Connect ethernet to a network with a TFTP server, through a
   passive PoE injector.
3. Press a key to obtain a u-boot prompt
4. Set your TFTP server's ip address, with:
   setenv serverip 
5. Set the Bullet AC's ip address, with:
   setenv ipaddr 
6. Set the boot file, with:
   setenv bootfile 
7. Fetch the binary with tftp:
   tftpboot
8. Boot the initramfs binary:
   bootm
9. From the initramfs, fetch the sysupgrade binary, and flash it with
   sysupgrade.

Phy0 is QCA988X which can tune either band (2.4 or 5GHz). Phy1 is AR9342,
on which 5GHz is disabled.  It isn't currently known whether phy1 is
routed to the N connector at all.

Signed-off-by: Russell Senior 
---
 .../linux/ath79/dts/ar9342_ubnt_bullet-ac.dts | 38 +++
 .../generic/base-files/etc/board.d/01_leds|  1 +
 .../generic/base-files/etc/board.d/02_network |  1 +
 .../etc/hotplug.d/firmware/11-ath10k-caldata  |  1 +
 target/linux/ath79/image/generic-ubnt.mk  |  7 
 5 files changed, 48 insertions(+)
 create mode 100644 target/linux/ath79/dts/ar9342_ubnt_bullet-ac.dts

diff --git a/target/linux/ath79/dts/ar9342_ubnt_bullet-ac.dts 
b/target/linux/ath79/dts/ar9342_ubnt_bullet-ac.dts
new file mode 100644
index 00..be0b0792bb
--- /dev/null
+++ b/target/linux/ath79/dts/ar9342_ubnt_bullet-ac.dts
@@ -0,0 +1,38 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include "ar9342_ubnt_wa_1port.dtsi"
+
+/ {
+   compatible = "ubnt,bullet-ac", "ubnt,wa", "qca,ar9342";
+   model = "Ubiquiti Bullet AC (2WA)";
+
+   aliases {
+   led-boot = _rssi3;
+   led-failsafe = _rssi3;
+   led-upgrade = _rssi3;
+   };
+
+   leds {
+   compatible = "gpio-leds";
+
+   rssi0 {
+   label = "blue:rssi0";
+   gpios = < 11 GPIO_ACTIVE_LOW>;
+   };
+
+   rssi1 {
+   label = "blue:rssi1";
+   gpios = < 16 GPIO_ACTIVE_LOW>;
+   };
+
+   rssi2 {
+   label = "blue:rssi2";
+   gpios = < 13 GPIO_ACTIVE_LOW>;
+   };
+
+   led_rssi3: rssi3 {
+   label = "blue:rssi3";
+   gpios = < 14 GPIO_ACTIVE_LOW>;
+   };
+   };
+};
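Review bot: as rendered here the LED entries read `gpios = < 11 GPIO_ACTIVE_LOW>;` and the aliases `led-boot = _rssi3;`, i.e. the `&` phandle references are missing; the label `led_rssi3` is defined a few lines below, so the three aliases must read `&led_rssi3`, and each `gpios` cell needs the GPIO controller phandle in front of the pin number. Please double-check the submitted file, since a dts without those phandles does not compile.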
diff --git a/target/linux/ath79/generic/base-files/etc/board.d/01_leds 
b/target/linux/ath79/generic/base-files/etc/board.d/01_leds
index a0ed21e318..46d4650eac 100755
--- a/target/linux/ath79/generic/base-files/etc/board.d/01_leds
+++ b/target/linux/ath79/generic/base-files/etc/board.d/01_leds
@@ -366,6 +366,7 @@ ubnt,rocket-m)
ucidef_set_led_rssi "rssimediumhigh" "RSSIMEDIUMHIGH" "green:link3" 
"wlan0" "51" "100"
ucidef_set_led_rssi "rssihigh" "RSSIHIGH" "green:link4" "wlan0" "76" 
"100"
;;
+ubnt,bullet-ac|\
 ubnt,nanobeam-ac|\
 ubnt,nanobeam-ac-gen2|\
 ubnt,nanostation-ac|\
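Review bot: `ubnt,bullet-ac` joins the case branch shared with `ubnt,nanobeam-ac`, whose body lies outside the hunk; confirm that the LED names that branch passes to `ucidef_set_led_rssi` are the `blue:rssi0` to `blue:rssi3` labels defined in the new dts, otherwise the RSSI LEDs get configured against names that do not exist on this board.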
diff --git a/target/linux/ath79/generic/base-files/etc/board.d/02_network 
b/target/linux/ath79/generic/base-files/etc/board.d/02_network
index 149f7b1141..44430d375a 100755
--- a/target/linux/ath79/generic/base-files/etc/board.d/02_network
+++ b/target/linux/ath79/generic/base-files/etc/board.d/02_network
@@ -58,6 +58,7 @@ ath79_setup_interfaces()
tplink,re450-v2|\
tplink,re450-v3|\
tplink,tl-wr902ac-v1|\
+   ubnt,bullet-ac|\
ubnt,bullet-m-ar7240|\
ubnt,bullet-m-ar7241|\
ubnt,bullet-m-xw|\
diff --git 
a/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
 
b/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
index 0d09cd3140..be62e52480 100644
--- 
a/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
+++ 
b/target/linux/ath79/generic/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
@@ -26,6 +26,7 @@ case "$FIRMWARE" in
qxwlan,e1700ac-v2-16m|\
qxwlan,e600gac-v2-8m|\
qxwlan,e600gac-v2-16m|\
+   ubnt,bullet-ac|\
ubnt,unifiac-lite|\
ubnt,unifiac-lr|\
ubnt,unifiac-mesh|\
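Review bot: here the board is grouped with `ubnt,unifiac-lite`/`unifiac-lr`/`unifiac-mesh`, whereas 01_leds groups it with `ubnt,nanobeam-ac`; the branch body with the caldata offset and MAC handling is not shown, so state in the commit message (or a comment) why the unifiac caldata layout is the right one for the Bullet AC's QCA988X, given that the LED handling follows the nanobeam family instead.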
diff 

[PATCH] pcre: fix paths in config file

2020-12-10 Thread Rosen Penev
The paths are pointing to OS paths, not OpenWrt ones. Use SED line from
libpng to fix and adjust accordingly.

This may allow certain packages that use the config file to pick up pcre.

Signed-off-by: Rosen Penev 
---
 package/libs/pcre/Makefile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/libs/pcre/Makefile b/package/libs/pcre/Makefile
index bf3f733a5c..37d939da7f 100644
--- a/package/libs/pcre/Makefile
+++ b/package/libs/pcre/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=pcre
 PKG_VERSION:=8.44
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/$(PKG_NAME)
@@ -87,6 +87,7 @@ MAKE_FLAGS += \
 define Build/InstallDev
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/pcre-config $(1)/usr/bin/
+   $(SED) 's,^\(prefix\|exec_prefix\)=.*,\1=$(STAGING_DIR)/usr,g' 
$(1)/usr/bin/pcre-config
 
$(INSTALL_DIR) $(2)/bin
$(LN) $(STAGING_DIR)/usr/bin/pcre-config $(2)/bin
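Review bot: the `\|` alternation inside `\(prefix\|exec_prefix\)` is a GNU sed extension, which is fine with OpenWrt's host `$(SED)`; rewriting only those two assignments is enough provided pcre-config derives `libdir` and `includedir` from `${exec_prefix}`/`${prefix}`, as autoconf-generated *-config scripts normally do, but a one-line comment saying so would help, since the commit message only says the line was copied from libpng.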
-- 
2.29.2




[PATCH] bcm63xx: DGND3700v1: use the real board name

2020-12-10 Thread Daniel González Cabanelas
The Netgear DGND3700v1/DGND3800B shows redundant kernel info in the board
message, already provided by the machine info message.

Use the real board name which is silkscreened on the PCB and used in the
stock firmware header.

Signed-off-by: Daniel González Cabanelas 
---
 target/linux/bcm63xx/patches-5.4/518-board_bcm6368.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/linux/bcm63xx/patches-5.4/518-board_bcm6368.patch 
b/target/linux/bcm63xx/patches-5.4/518-board_bcm6368.patch
index 4b85e0bbab..e200535217 100644
--- a/target/linux/bcm63xx/patches-5.4/518-board_bcm6368.patch
+++ b/target/linux/bcm63xx/patches-5.4/518-board_bcm6368.patch
@@ -136,7 +136,7 @@
 +};
 +
 +static struct board_info __initdata board_DGND3700v1_3800B = {
-+  .name = "DGND3700v1_3800B",
++  .name = "U12L144T01",
 +  .expected_cpu_id = 0x6368,
 +
 +  .has_pci = 1,
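Review bot: `.name` is the string the bcm63xx board code matches against the board id reported by the bootloader, so changing it from `"DGND3700v1_3800B"` to `"U12L144T01"` only works if every other place that carries this board's name (the image recipe's board-id field that ends up in the stock-style firmware header the commit message mentions, and any base-files case entries keyed on the board name) is updated in the same patch; the diffstat shows only this one file, so please confirm no other reference remains.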
-- 
2.29.2







Security Advisory 2020-11-XX-2 - libuci import heap use after free (CVE-2020-XXXX)

2020-12-10 Thread Petr Štetiar
Security Advisory 2020-12-09-2 - libuci import heap use after free 
(CVE-2020-28951)


DESCRIPTION

A possibly exploitable vulnerability was found in the Unified Config Interface (UCI)
library named libuci, specifically in the uci_import() C API function.

CVE-2020-28951[1] has been assigned to this issue; you can find the latest
version of this advisory on our wiki[2].


REQUIREMENTS

In order to exploit this vulnerability a malicious attacker would need to
provide a specially crafted config file to the uci_import() C API function. For
example, this is possible with the UCI CLI using the following shell command:

uci import -f malicious.config


MITIGATIONS

To fix this issue, update the affected libuci package using the command below.

   opkg update; opkg upgrade libuci

The fix is contained in the following and later versions:

  - OpenWrt 19.07:  19.07.5
(https://git.openwrt.org/78c4c04dd7979a7f6d3cadeb1783b6c38d63b575)
  - OpenWrt 18.06:  18.06.9
(https://git.openwrt.org/5625f5bc36954d644cb80adf8de47854c65d91c3)
  - OpenWrt master: 2020-10-27 
(https://git.openwrt.org/095cc2b7454addeaf25b05aff194f287783219ed)


AFFECTED VERSIONS

To our knowledge, OpenWrt versions 18.06.0 to 18.06.8 and versions 19.07.0 to
19.07.4 are affected.  The fixed packages will be integrated in the upcoming
OpenWrt 18.06.9 and OpenWrt 19.07.5 releases.  Older versions of OpenWrt (e.g.
OpenWrt 15.05 and LEDE 17.01) are end of life and not supported any more.


CREDITS

This issue was identified by Jeremy Galindo and fixed by Petr Štetiar and Hauke
Mehrtens.


REFERENCES

1. https://nvd.nist.gov/vuln/detail/CVE-2020-28951
2. https://openwrt.org/advisory/2020-12-09-2
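An added example for the AFFECTED VERSIONS section, not part of the advisory: a POSIX sh classifier that takes an OpenWrt DISTRIB_RELEASE value and reports whether, according to the ranges stated above, the installed libuci is affected, fixed, end of life, or of unknown status (release candidates and SNAPSHOT builds, whose status depends on the build date rather than the release number). It also reads the value out of an /etc/openwrt_release-style file; the sample file content is constructed, including the placeholder revision string.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt advisory. Classifies a release
# against the ranges the advisory states for CVE-2020-28951:
#   affected: 18.06.0 .. 18.06.8 and 19.07.0 .. 19.07.4
#   fixed:    18.06.9+ and 19.07.5+
#   eol:      15.05 and 17.01 (unsupported, never fixed)
#   unknown:  anything else (e.g. SNAPSHOT or a release candidate)

# libuci_cve_2020_28951_status RELEASE
# RELEASE is a DISTRIB_RELEASE value such as 19.07.4.
libuci_cve_2020_28951_status() {
	case "$1" in
		18.06.*|19.07.*)
			_series=${1%.*}   # 18.06 or 19.07
			_point=${1##*.}   # the point-release number
			# Non-numeric point releases (e.g. 19.07.0-rc1) are not covered by
			# the advisory's ranges, so do not guess.
			case "$_point" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
			if [ "$_series" = 19.07 ]; then _fixed_point=5; else _fixed_point=9; fi
			if [ "$_point" -ge "$_fixed_point" ]; then echo fixed; else echo affected; fi
			;;
		15.05*|17.01*) echo eol ;;
		*) echo unknown ;;   # SNAPSHOT: compare DISTRIB_REVISION with the master fix commit
	esac
}

# openwrt_release_status FILE
# Extract DISTRIB_RELEASE from an /etc/openwrt_release-style file and classify it.
openwrt_release_status() {
	_rel=$(sed -n "s/^DISTRIB_RELEASE='\(.*\)'$/\1/p" "$1")
	libuci_cve_2020_28951_status "$_rel"
}

# sample_release_file FILE
# Write a constructed /etc/openwrt_release look-alike (the revision is a
# placeholder, not a real OpenWrt revision) for the stand-alone demo.
sample_release_file() {
	cat > "$1" <<'EOF'
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='19.07.4'
DISTRIB_REVISION='r00000-0000000000'
DISTRIB_TARGET='ath79/generic'
DISTRIB_DESCRIPTION='OpenWrt 19.07.4 r00000-0000000000'
EOF
}

# Stand-alone demo on the constructed sample file.
_f=$(mktemp)
sample_release_file "$_f"
echo "sample release file: $(openwrt_release_status "$_f")"
rm -f "$_f"
```

On a real device, `openwrt_release_status /etc/openwrt_release` gives the verdict; a `fixed` result still assumes the libuci package was actually upgraded, which `opkg list-installed libuci` confirms.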

