From cd23dc1d21c2ab784e3a4014bbdcda532b2e12e2 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 25 Mar 2020 19:16:19 +0100 Subject: [PATCH 1/6] ustream-ssl: bump to latest Git HEAD 5e1bc34 ustream-openssl: clear error stack before SSL_read/SSL_write f7f93ad add support for specifying usable ciphers Also bump the ABI version since the layout of `struct ustream_ssl_ops` changed. Signed-off-by: Jo-Philipp Wich --- package/libs/ustream-ssl/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/package/libs/ustream-ssl/Makefile b/package/libs/ustream-ssl/Makefile index f117f063fe..6368ca9619 100644 --- a/package/libs/ustream-ssl/Makefile +++ b/package/libs/ustream-ssl/Makefile @@ -5,9 +5,9 @@ PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/ustream-ssl.git -PKG_SOURCE_DATE:=2020-01-05 -PKG_SOURCE_VERSION:=30cebb4fc78e49e0432a404f7c9dd8c9a93b3cc3 -PKG_MIRROR_HASH:=b37b730b8fcd5186d7b194a6e90b79efad845ec89e2b9d2d49b4d347c7c4cbcb +PKG_SOURCE_DATE:=2020-03-13 +PKG_SOURCE_VERSION:=5e1bc3429cbf9c3be4db65ef5dbf21ea99cf5b95 +PKG_MIRROR_HASH:=c59dea9b98d3ce88d886f7c7b3b252c55312ad281b731ab9172ae78570f1b643 CMAKE_INSTALL:=1 PKG_LICENSE:=ISC @@ -23,7 +23,7 @@ define Package/libustream/default CATEGORY:=Libraries TITLE:=ustream SSL Library DEPENDS:=+libubox - ABI_VERSION:=20150806 + ABI_VERSION:=20200215 endef define Package/libustream-openssl From 052aaa7c965157ef058d168319d5e0874fabb0c8 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 25 Mar 2020 19:22:10 +0100 Subject: [PATCH 2/6] uhttpd: bump to latest Git HEAD 5e9c23c client: allow keep-alive for POST requests 5fc551d tls: support specifying accepted TLS ciphers Signed-off-by: Jo-Philipp Wich --- package/network/services/uhttpd/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package/network/services/uhttpd/Makefile b/package/network/services/uhttpd/Makefile index fe4d0aaaed..07baf478ad 100644 
--- a/package/network/services/uhttpd/Makefile +++ b/package/network/services/uhttpd/Makefile @@ -12,9 +12,9 @@ PKG_RELEASE:=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/uhttpd.git -PKG_SOURCE_DATE:=2020-02-12 -PKG_SOURCE_VERSION:=2ee323c01079248baa9465969df9e25b5fb68cdf -PKG_MIRROR_HASH:=ebec09286cf5f977cac893931a5a4f27ba891db88d5e44a9b0de9446ae431527 +PKG_SOURCE_DATE:=2020-03-13 +PKG_SOURCE_VERSION:=5e9c23c6f40ff26209ef22cfeeda4904a5918f3d +PKG_MIRROR_HASH:=3ede9616c5a9fbbf9db68eeb083efc605246ec53b7f4404b8dc63b5190646949 PKG_MAINTAINER:=Felix Fietkau PKG_LICENSE:=ISC From 98017228ddd5ce41a63da20b78f5d2e30c87c494 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 25 Mar 2020 19:32:18 +0100 Subject: [PATCH 3/6] uclient: bump to latest Git HEAD af585db uclient-fetch: support specifying advertised TLS ciphers Signed-off-by: Jo-Philipp Wich --- package/libs/uclient/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package/libs/uclient/Makefile b/package/libs/uclient/Makefile index 5865ba0140..e073783578 100644 --- a/package/libs/uclient/Makefile +++ b/package/libs/uclient/Makefile @@ -6,8 +6,8 @@ PKG_RELEASE=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/uclient.git PKG_MIRROR_HASH:=8c95a3c84b4b44308de264a90460fb01b1e7ed27b22d3c76ef16aedb9774ac7c -PKG_SOURCE_DATE:=2020-01-05 -PKG_SOURCE_VERSION:=fef6d3d311ac45c662c01e0ebd9cb0f6c8d7145c +PKG_SOURCE_DATE:=2020-02-15 +PKG_SOURCE_VERSION:=af585dbd1d444faafa370a73c1db43aece731f85 CMAKE_INSTALL:=1 PKG_BUILD_DEPENDS:=ustream-ssl From dd166960f48580bf6d4a8dde071b96832bfd9e1f Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 25 Mar 2020 19:34:34 +0100 Subject: [PATCH 4/6] uclient: update mirror hash Fixes: 98017228dd ("uclient: bump to latest Git HEAD") Signed-off-by: Jo-Philipp Wich --- package/libs/uclient/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/package/libs/uclient/Makefile b/package/libs/uclient/Makefile index e073783578..92c1e1d1e0 100644 --- a/package/libs/uclient/Makefile +++ b/package/libs/uclient/Makefile @@ -5,7 +5,7 @@ PKG_RELEASE=1 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL=$(PROJECT_GIT)/project/uclient.git -PKG_MIRROR_HASH:=8c95a3c84b4b44308de264a90460fb01b1e7ed27b22d3c76ef16aedb9774ac7c +PKG_MIRROR_HASH:=8b71b02feb721ec0ed9cd7fe6761aa6a40216563a294d04243779ebe98891355 PKG_SOURCE_DATE:=2020-02-15 PKG_SOURCE_VERSION:=af585dbd1d444faafa370a73c1db43aece731f85 CMAKE_INSTALL:=1 From f81403c43354ad646bff647a5f5e58c1588b599d Mon Sep 17 00:00:00 2001 From: Henrique de Moraes Holschuh Date: Sat, 29 Feb 2020 23:31:45 -0300 Subject: [PATCH 5/6] dnsmasq: init: get rid of test -a and test -o Refer to shellcheck SC2166. There are just too many caveats that are shell-dependent on test -a and test -o to use them. Signed-off-by: Henrique de Moraes Holschuh --- .../services/dnsmasq/files/dnsmasq.init | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index f3afb825ea..1be60de860 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -207,7 +207,7 @@ filter_dnsmasq() { # use entry when no instance entry set, or if it matches config_get found_cfg "$cfg" "instance" - if [ -z "$found_cfg" -o "$found_cfg" = "$match_cfg" ]; then + if [ -z "$found_cfg" ] || [ "$found_cfg" = "$match_cfg" ]; then $func $cfg fi } 
@@ -326,10 +326,10 @@ dhcp_host_add() { config_get ip "$cfg" ip config_get hostid "$cfg" hostid - [ -n "$ip" -o -n "$name" -o -n "$hostid" ] || return 0 + [ -z "$ip" ] && [ -z "$name" ] && [ -z "$hostid" ] && return 0 config_get_bool dns "$cfg" dns 0 - [ "$dns" = "1" -a -n "$ip" -a -n "$name" ] && { + [ "$dns" = "1" ] && [ -n "$ip" ] && [ -n "$name" ] && { echo "$ip $name${DOMAIN:+.$DOMAIN}" >> $HOSTFILE_TMP } @@ -343,13 +343,13 @@ dhcp_host_add() { for m in $mac; do append macs "$m" ","; done fi - if [ $DNSMASQ_DHCP_VER -eq 6 -a -n "$duid" ]; then + if [ $DNSMASQ_DHCP_VER -eq 6 ] && [ -n "$duid" ]; then # --dhcp-host=id:00:03:00:01:12:00:00:01:02:03,[::beef],lap # one (virtual) machine gets one DUID per RFC3315 duids="id:${duid// */}" fi - if [ -z "$macs" -a -z "$duids" ]; then + if [ -z "$macs" ] && [ -z "$duids" ]; then # --dhcp-host=lap,192.168.0.199,[::beef] [ -n "$name" ] || return 0 macs="$name" @@ -416,7 +416,7 @@ dhcp_this_host_add() { dhcp_domain_add "" "$routername" "$lanaddr" fi - if [ -n "$ulaprefix" -a -n "$lanaddrs6" ] ; then + if [ -n "$ulaprefix" ] && [ -n "$lanaddrs6" ] ; then for lanaddr6 in $lanaddrs6 ; do case "$lanaddr6" in "${ulaprefix%%:/*}"*) @@ -472,7 +472,7 @@ dhcp_boot_add() { config_get servername "$cfg" servername config_get serveraddress "$cfg" serveraddress - [ -n "$serveraddress" -a ! -n "$servername" ] && return 0 + [ -n "$serveraddress" ] && [ ! -n "$servername" ] && return 0 xappend "--dhcp-boot=${networkid:+net:$networkid,}${filename}${servername:+,$servername}${serveraddress:+,$serveraddress}" @@ -566,7 +566,7 @@ dhcp_add() { fi - if [ $DNSMASQ_DHCP_VER -eq 6 -a "$ra" = "server" ] ; then + if [ $DNSMASQ_DHCP_VER -eq 6 ] && [ "$ra" = "server" ] ; then # Note: dnsmasq cannot just be a DHCPv6 server (all-in-1) # and let some other machine(s) send RA pointing to it. 
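Review bot: `$DNSMASQ_DHCP_VER` is still expanded unquoted in the rewritten test of the `@@ -343` hunk (`[ $DNSMASQ_DHCP_VER -eq 6 ] && [ -n "$duid" ]`); the same holds in the `@@ -566` hunk and for `$ignore` in `add_interface_trigger` (`@@ -1101`). If the variable is ever empty, the test collapses to `[ -eq 6 ]`, which prints an error and evaluates false, so the DHCPv6 branch is skipped with no obvious cause. Since this commit is already a shellcheck clean-up, I would quote them the way `dnsmasq_start` does: `[ "$DNSMASQ_DHCP_VER" -eq 6 ]` and `[ "$ignore" -eq 0 ]`. The bodies of dhcp_host_add and dhcp_add continue outside their hunks.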
@@ -805,13 +805,13 @@ dnsmasq_start() $PROG --version | grep -osqE "^Compile time options:.* DHCPv6( |$)" && DHCPv6CAPABLE=1 || DHCPv6CAPABLE=0 - if [ -x /usr/sbin/odhcpd -a -x /etc/init.d/odhcpd ] ; then + if [ -x /usr/sbin/odhcpd ] && [ -x /etc/init.d/odhcpd ] ; then local odhcpd_is_main odhcpd_is_enabled config_get odhcpd_is_main odhcpd maindhcp 0 /etc/init.d/odhcpd enabled && odhcpd_is_enabled=1 || odhcpd_is_enabled=0 - if [ "$odhcpd_is_enabled" -eq 0 -a "$DHCPv6CAPABLE" -eq 1 ] ; then + if [ "$odhcpd_is_enabled" -eq 0 ] && [ "$DHCPv6CAPABLE" -eq 1 ] ; then # DHCP V4 and V6 in DNSMASQ DNSMASQ_DHCP_VER=6 elif [ "$odhcpd_is_main" -gt 0 ] ; then @@ -834,7 +834,7 @@ dnsmasq_start() if [ -x /etc/init.d/dhcpd ] ; then /etc/init.d/dhcpd enabled && DNSMASQ_DHCP_VER=0 fi - if [ -x /etc/init.d/dhcpd6 -a "$DNSMASQ_DHCP_VER" -gt 0 ] ; then + if [ -x /etc/init.d/dhcpd6 ] && [ "$DNSMASQ_DHCP_VER" -gt 0 ] ; then /etc/init.d/dhcpd6 enabled && DNSMASQ_DHCP_VER=4 fi fi @@ -920,13 +920,13 @@ dnsmasq_start() fi config_get leasefile $cfg leasefile "/tmp/dhcp.leases" - [ -n "$leasefile" -a \! -e "$leasefile" ] && touch "$leasefile" + [ -n "$leasefile" ] && [ ! -e "$leasefile" ] && touch "$leasefile" config_get_bool cachelocal "$cfg" cachelocal 1 config_get_bool noresolv "$cfg" noresolv 0 if [ "$noresolv" != "1" ]; then config_get resolvfile "$cfg" resolvfile /tmp/resolv.conf.d/resolv.conf.auto - [ -n "$resolvfile" -a ! -e "$resolvfile" ] && touch "$resolvfile" + [ -n "$resolvfile" ] && [ ! -e "$resolvfile" ] && touch "$resolvfile" xappend "--resolv-file=$resolvfile" [ "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1 resolvdir="$(dirname "$resolvfile")" 
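Review bot: In the `@@ -920` hunk, `[ ! -e "$leasefile" ] && touch "$leasefile"` (and the same pattern for `$resolvfile`) treats a dangling symlink as missing, because `-e` follows links; `touch` then creates the link target with the init script's privileges. Both defaults live under `/tmp`, so this matters if any non-root account can create entries there, which the hunk does not show. I would add an explicit link check, `[ -n "$leasefile" ] && [ ! -e "$leasefile" ] && [ ! -L "$leasefile" ] && touch "$leasefile"`, or add a comment stating that these paths must sit in a root-owned directory. dnsmasq_start continues outside the hunk.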
@@ -1087,7 +1087,7 @@ dnsmasq_stop() config_get_bool noresolv "$cfg" noresolv 0 config_get resolvfile "$cfg" "resolvfile" - [ "$noresolv" = 0 -a "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1 + [ "$noresolv" = 0 ] && [ "$resolvfile" = "/tmp/resolv.conf.d/resolv.conf.auto" ] && localuse=1 config_get_bool localuse "$cfg" localuse "$localuse" [ "$localuse" -gt 0 ] && ln -sf "/tmp/resolv.conf.d/resolv.conf.auto" /tmp/resolv.conf @@ -1101,7 +1101,7 @@ add_interface_trigger() config_get interface "$1" interface config_get_bool ignore "$1" ignore 0 - [ -n "$interface" -a $ignore -eq 0 ] && procd_add_interface_trigger "interface.*" "$interface" /etc/init.d/dnsmasq reload + [ -n "$interface" ] && [ $ignore -eq 0 ] && procd_add_interface_trigger "interface.*" "$interface" /etc/init.d/dnsmasq reload } service_triggers() @@ -1129,7 +1129,7 @@ start_service() { local type="$1" local name="$2" if [ "$type" = "dnsmasq" ]; then - if [ -n "$instance" -a "$instance" = "$name" ]; then + if [ -n "$instance" ] && [ "$instance" = "$name" ]; then instance_found=1 fi fi @@ -1158,7 +1158,7 @@ stop_service() { local type="$1" local name="$2" if [ "$type" = "dnsmasq" ]; then - if [ -n "$instance" -a "$instance" = "$name" ]; then + if [ -n "$instance" ] && [ "$instance" = "$name" ]; then instance_found=1 fi fi From 556b8581a15c855b2de0efbea6b625ab16cc9daf Mon Sep 17 00:00:00 2001 
From: Henrique de Moraes Holschuh Date: Sun, 1 Mar 2020 00:08:43 -0300 Subject: [PATCH 6/6] dnsmasq: fix dnssec+ntp chicken-and-egg workaround (FS#2574) Fix the test for an enabled sysntp initscript in dnsmasq.init, and get rid of "test -o" while at it. Issue reproduced on openwrt-19.07 with the help of pool.ntp.br and an RTC-less ath79 router. dnssec-no-timecheck would be clearly missing from /var/etc/dnsmasq.conf.* while the router was still a few days in the past due to non-working DNSSEC + DNS-based NTP server config. The fix was tested with the router in the "DNSSEC broken state": it properly started dnsmasq in dnssec-no-timecheck mode, and eventually ntp was able to resolve the server name to an IP address, and set the system time. DNSSEC was then enabled by SIGINT through the ntp hotplug hook, as expected. A missing system.ntp.enabled UCI node is required for the bug to show up. The reasons for why it would be missing in the first place were not investigated. Signed-off-by: Henrique de Moraes Holschuh Signed-off-by: Hans Dedecker [PKG_RELEASE increase] --- package/network/services/dnsmasq/Makefile | 2 +- package/network/services/dnsmasq/files/dnsmasq.init | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 0bee31c0e6..3961770ca8 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq PKG_UPSTREAM_VERSION:=2.81rc3 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/release-candidates diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 1be60de860..1051087e05 100644 
--- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -964,10 +964,9 @@ dnsmasq_start() xappend "--conf-file=$TRUSTANCHORSFILE" xappend "--dnssec" [ -x /etc/init.d/sysntpd ] && { - /etc/init.d/sysntpd enabled - [ "$?" -ne 0 -o "$(uci_get system.ntp.enabled)" = "1" ] && { + if /etc/init.d/sysntpd enabled || [ "$(uci_get system.ntp.enabled)" = "1" ] ; then [ -f "$TIMEVALIDFILE" ] || xappend "--dnssec-no-timecheck" - } + fi } config_get_bool dnsseccheckunsigned "$cfg" dnsseccheckunsigned 1 [ "$dnsseccheckunsigned" -eq 0 ] && xappend "--dnssec-check-unsigned=no"
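Review bot: The `|| [ "$(uci_get system.ntp.enabled)" = "1" ]` branch adds `--dnssec-no-timecheck` even when the sysntpd init script is disabled, and nothing in this hunk shows what would then fire the ntp hotplug hook that turns time checking back on. While the option is in effect, signature validity periods are not enforced, so dnsmasq would presumably keep accepting expired signatures for the life of the process in that case. If the UCI fallback is intentional, say so in a comment above the `if`, for example `# no-timecheck is lifted by the ntp hotplug hook once the clock is set; without a running NTP client it stays in effect`, and consider logging when the option is appended so the degraded state is visible. dnsmasq_start continues outside the hunk.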