On some devices the chip has RTC but no battery save time.
This leads back to getting the wrong time
and skipping the check of the last file modification date.
This commit ensures that the file time is checked even
if the RTC exists.
which would ordinarily return an approbiate
system time used for e.g. certificate generation.
Tested-on: NanoPi R2S
Signed-off-by: Yuan Tao <ty@wevs.org>
Specifications:
* SoC: MediaTek MT7622BV
* RAM: DDR3 512 MiB (Nanya NT5CC256M16ER-EK)
* Flash: SPI-NAND 256 MiB (Toshiba TC58CVG1S3HRAIJ)
* Wi-Fi 2.4/5 GHz 4T4R:
* 2.4 GHz: MediaTek MT7622BV
* 5 GHz: MediaTek MT7915AN/MT7975AN
* Ethernet: 4x 10/100/1000 Mbps LAN,
1x 10/100/1000/2500 Mbps WAN (Realtek RTL8221B PHY)
* Switch: MediaTek MT7531AE
* LEDs/Keys: 8/1 (Power, Internet, LAN1, LAN2, LAN3, LAN4,
Wifin and Wifia dual-colour LEDs + Reset pin)
* UART: Marked J19 on board VCC GND TX RX, beginning from "1". 3.3v,
115200n8
* Power: 12 VDC, 2.5 A
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
* U-Boot allows booting an initramfs image via TFTP as follows:
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.100
tftpboot openwrt-mediatek-mt7622-netgear_wax206-initramfs-recovery.itb
bootm
Known Limitations:
* The 2.5G WAN port labeled 'wan' only works for speeds up to 1G at the
moment. If connected to a multi-gig port the speed has to be manually
set to 1G/full either for the switch port or in OpenWrt. For example
add the following to /etc/rc.local to set it on boot:
/usr/sbin/ethtool -s wan speed 1000 duplex full
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
References to WAX206 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX206_V1.0.4.0_Source.rar
* openwrt/target/linux/mediatek/dts/mt7622-netgear-wax206.dts
DTS file for this device.
* openwrt/target/linux/mediatek/image/mt7622.mk
Image creation code for this device
Signed-off-by: Marcel Ziswiler <marcel@ziswiler.com>
[fix WAN port, adjust partition layout and image creation]
Signed-off-by: Thomas Kupper <thomas.kupper@gmail.com>
Import some accepted and pending upstream patches for mtk_eth_soc,
replacing some semantically equivalent local patches and fixing issues
when operating the PCS in 1G SGMII mode.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Removed upstreamed patch: 010-padlock.patch
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
This reverts commit 52167feff8ae3fbd02be22dfe6021e7e9c79c599.
Fakeroot 1.30.1 broke building on certain hosts (32-bit archs).
As of 2023-01-10, this was apparently fixed in source code,
however, the version is still 1.30.1 (patch release),
so the old binaries are removed from the repository and replaced,
but the source provided by the repository remains the same.
Furthermore, there are some complicated issues blocking
the "testing" release from being bumped to a 1.30.x version.
Considering all of this, it would likely be better for this package
to follow the "testing" release instead of the "unstable" release,
which is still 1.29-1, so revert to that.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
By specifying the flag "denx,fit" for partition "kernel", the kernel
try to find rootfs in the same partition during boot. Reality is that
the placement of rootfs is precisely determined by the name of another
partition -"ubi".
It was also found that on some device (for example devices with NAND
chips), the "Denx search engine" manages to find roots at the end of
partition "kernel", but such partition doesn't exist and is empty
there.
Fix this by removing the "denx,fit" flag from partition "kernel". With
this change the original behavior of searchif rootfs in partition "ubi"
is restored.
Signed-off-by: Oleg S <remittor@gmail.com>
Inline the preinst.arm-ce script. Support for including was added in
make 4.2 and is not working with older make versions.
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
In Action "DescribeSubDomainRecords", define argument “Line” to the specific "defalut". This is for someone who have two or more same domain names but in different dns request source(ISP), but return more than 1 record will goto print "地址需要修改". For document of aliyun API, set a Line parament can solve this issue because most of users just have one ISP for each domain and its value was set as "default".
