Merge with GPL 7378 (RT-N66U and RT-AC68U binary blobs)

The new protect_srv service has been disabled as it causes a crash
at boot time on the RT-AC88U (and possibly other models).

Our editable Virtual Server webui page was reverted to the stock version,
as our editing code is incompatible with the new version of that page.

release/src-rt/Makefile

@@ -298,11 +298,7 @@ ifeq ($(IPQ40XX),y)
 	@rm -rf $(PLATFORMDIR)/zImage.lzma ; \
 		$(CROSS_COMPILE)objcopy -O binary $(LINUXDIR)/vmlinux $(PLATFORMDIR)/vmlinus ; \
 		asustools/lzma -9 -f -c $(PLATFORMDIR)/vmlinus > $(PLATFORMDIR)/zImage.lzma ;
-ifeq ($(RTAC82U),y)
-	asustools/mkits.sh -D qcom-ipq40xx-ap.dkxx -o image/fit-qcom-ipq40xx-ap.dkxx.its -k $(PLATFORMDIR)/zImage.lzma -r $(PLATFORMDIR)/target.image -d $(LINUXDIR)/arch/arm/boot/dts/qcom-ipq40xx-rtac82u.dtb -C lzma -a 0x$(LOADADDR) -e 0x$(ENTRYADDR) -A $(ARCH) -v $(KERNEL_VER)
-else # RTAC58U
-	asustools/mkits.sh -D qcom-ipq40xx-ap.dkxx -o image/fit-qcom-ipq40xx-ap.dkxx.its -k $(PLATFORMDIR)/zImage.lzma -r $(PLATFORMDIR)/target.image -d $(LINUXDIR)/arch/arm/boot/dts/qcom-ipq40xx-ap.dk01.1-c2.dtb -C lzma -a 0x$(LOADADDR) -e 0x$(ENTRYADDR) -A $(ARCH) -v $(KERNEL_VER)
-endif
+	asustools/mkits.sh -D qcom-ipq40xx-ap.dkxx -o image/fit-qcom-ipq40xx-ap.dkxx.its -k $(PLATFORMDIR)/zImage.lzma -r $(PLATFORMDIR)/target.image -d $(LINUXDIR)/arch/arm/boot/dts/qcom-ipq40xx-$(lowercase_B).dtb -C lzma -a 0x$(LOADADDR) -e 0x$(ENTRYADDR) -A $(ARCH) -v $(KERNEL_VER)
 	asustools/mkimage -f image/fit-qcom-ipq40xx-ap.dkxx.its image/$(IMGNAME).img
 	asustools/mkimage -A $(ARCH) -O linux -T kernel -C lzma -a $(LOADADDR) -e $(ENTRYADDR) \
 			-n $(BUILD_NAME) -V "$(KERNEL_VER)" "$(FS_VER)" "0" "0" "0" "0" "0" "0" "0" "0" \
@@ -898,33 +894,48 @@ define RouterOptions
 			sed -i "/RTCONFIG_MEDIA_SERVER/d" $(1); \
 			echo "RTCONFIG_MEDIA_SERVER=y" >>$(1); \
 		fi; \
-		if [ "$(SWEBDAVCLIENT)" = "y" ]; then \
-			sed -i "/RTCONFIG_SWEBDAVCLIENT/d" $(1); \
-			echo "RTCONFIG_SWEBDAVCLIENT=y" >>$(1); \
-		fi; \
-		if [ "$(DROPBOXCLIENT)" = "y" ]; then \
-			sed -i "/RTCONFIG_DROPBOXCLIENT/d" $(1); \
-			echo "RTCONFIG_DROPBOXCLIENT=y" >>$(1); \
-		fi; \
-		if [ "$(FTPCLIENT)" = "y" ]; then \
-			sed -i "/RTCONFIG_FTPCLIENT/d" $(1); \
-			echo "RTCONFIG_FTPCLIENT=y" >>$(1); \
-		fi; \
-		if [ "$(SAMBACLIENT)" = "y" ]; then \
-			sed -i "/RTCONFIG_SAMBACLIENT/d" $(1); \
-			echo "RTCONFIG_SAMBACLIENT=y" >>$(1); \
-		fi; \
-		if [ "$(USBCLIENT)" = "y" ]; then \
-			sed -i "/RTCONFIG_USBCLIENT/d" $(1); \
-			echo "RTCONFIG_USBCLIENT=y" >>$(1); \
-		fi; \
-		if [ "$(FLICKRCLIENT)" = "y" ]; then \
-			sed -i "/RTCONFIG_FLICKRCLIENT/d" $(1); \
-			echo "RTCONFIG_FLICKRCLIENT=y" >>$(1); \
-		fi; \
-		if [ "$(CLOUDSYNC)" = "y" ]; then \
-			sed -i "/RTCONFIG_CLOUDSYNC/d" $(1); \
-			echo "RTCONFIG_CLOUDSYNC=y" >>$(1); \
+		if [ "$(SMARTSYNCBASE)" = "y" ]; then \
+				sed -i "/RTCONFIG_SWEBDAVCLIENT/d" $(1); \
+				echo "RTCONFIG_SWEBDAVCLIENT=y" >>$(1); \
+				sed -i "/RTCONFIG_DROPBOXCLIENT/d" $(1); \
+				echo "RTCONFIG_DROPBOXCLIENT=y" >>$(1); \
+				sed -i "/RTCONFIG_FTPCLIENT/d" $(1); \
+				echo "RTCONFIG_FTPCLIENT=y" >>$(1); \
+				sed -i "/RTCONFIG_SAMBACLIENT/d" $(1); \
+				echo "RTCONFIG_SAMBACLIENT=y" >>$(1); \
+				sed -i "/RTCONFIG_USBCLIENT/d" $(1); \
+				echo "RTCONFIG_USBCLIENT=y" >>$(1); \
+				sed -i "/RTCONFIG_CLOUDSYNC/d" $(1); \
+				echo "RTCONFIG_CLOUDSYNC=y" >>$(1); \
+		else \
+			if [ "$(SWEBDAVCLIENT)" = "y" ]; then \
+				sed -i "/RTCONFIG_SWEBDAVCLIENT/d" $(1); \
+				echo "RTCONFIG_SWEBDAVCLIENT=y" >>$(1); \
+			fi; \
+			if [ "$(DROPBOXCLIENT)" = "y" ]; then \
+				sed -i "/RTCONFIG_DROPBOXCLIENT/d" $(1); \
+				echo "RTCONFIG_DROPBOXCLIENT=y" >>$(1); \
+			fi; \
+			if [ "$(FTPCLIENT)" = "y" ]; then \
+				sed -i "/RTCONFIG_FTPCLIENT/d" $(1); \
+				echo "RTCONFIG_FTPCLIENT=y" >>$(1); \
+			fi; \
+			if [ "$(SAMBACLIENT)" = "y" ]; then \
+				sed -i "/RTCONFIG_SAMBACLIENT/d" $(1); \
+				echo "RTCONFIG_SAMBACLIENT=y" >>$(1); \
+			fi; \
+			if [ "$(USBCLIENT)" = "y" ]; then \
+				sed -i "/RTCONFIG_USBCLIENT/d" $(1); \
+				echo "RTCONFIG_USBCLIENT=y" >>$(1); \
+			fi; \
+			if [ "$(FLICKRCLIENT)" = "y" ]; then \
+				sed -i "/RTCONFIG_FLICKRCLIENT/d" $(1); \
+				echo "RTCONFIG_FLICKRCLIENT=y" >>$(1); \
+			fi; \
+			if [ "$(CLOUDSYNC)" = "y" ]; then \
+				sed -i "/RTCONFIG_CLOUDSYNC/d" $(1); \
+				echo "RTCONFIG_CLOUDSYNC=y" >>$(1); \
+			fi; \
 		fi; \
 		if [ "$(MODEM)" = "y" ]; then \
 			sed -i "/RTCONFIG_USB_MODEM/d" $(1); \
@@ -1385,6 +1396,10 @@ define RouterOptions
 		sed -i "/RTCONFIG_NOTIFICATION_CENTER/d" $(1); \
 		echo "RTCONFIG_NOTIFICATION_CENTER=y" >>$(1); \
 	fi; \
+	if [ "$(PROTECTION_SERVER)" = "y" ]; then \
+		sed -i "/RTCONFIG_PROTECTION_SERVER/d" $(1); \
+		echo "RTCONFIG_PROTECTION_SERVER=y" >>$(1); \
+	fi; \
 	if [ "$(ADBLOCK)" = "y" ]; then \
 		sed -i "/RTCONFIG_ADBLOCK/d" $(1); \
 		echo "RTCONFIG_ADBLOCK=y" >>$(1); \

release/src-rt/target.mak

@@ -6,7 +6,7 @@ export RT-N66U := IPV6SUPP=y HTTPS=y MIPS32=r2 BCM57=y BBEXTRAS=y USBEXTRAS=y EB
                   USER_LOW_RSSI=y  TIMEMACHINE=n MDNS=n VPNC=y JFFS2LOG=n DROPBOXCLIENT=y FTPCLIENT=y SAMBACLIENT=y \
                   PROXYSTA=y AUTODICT=y CFE_NVRAM_CHK=y DUMP_OOPS_MSG=y DEBUGFS=n SWEBDAVCLIENT=y SNMPD=y ROG=y \
                   TFAT=n HFS="none" NTFS="paragon" IPSECMOD=y REPEATER=y DUALWAN=y YANDEXDNS=n DNSFILTER=y SAMBA36=y \
-                  CLOUDCHECK=y NATNL=y JFFS2USERICON=y REBOOT_SCHEDULE=y MULTICASTIPTV=y QUAGGA=y LAN50=y ATCOVER=y GETREALIP=y \
+                  CLOUDCHECK=y NATNL=y REBOOT_SCHEDULE=y MULTICASTIPTV=y QUAGGA=y LAN50=y ATCOVER=y GETREALIP=y \
                   TOR=y UPNPIGD2=n DNSSEC=y NANO=y
 
 export RT-AC66U := IPV6SUPP=y HTTPS=y MIPS32=r2 BCM57=y BBEXTRAS=y USBEXTRAS=y EBTABLES=y SAMBA3=y STAINFO=y \
@@ -30,7 +30,7 @@ export RT-AC68U_BASE := IPV6SUPP=y HTTPS=y ARM=y BCM57=y AUTODICT=y BBEXTRAS=y U
                         TIMEMACHINE=y MDNS=y VPNC=y BRCM_NAND_JFFS2=y JFFS2LOG=y BCMFA=y BWDPI=y HSPOT=y \
                         DUMP_OOPS_MSG=y LINUX_MTD="64" BCM7=n TEMPROOTFS=y DEBUGFS=y SWEBDAVCLIENT=y SNMPD=y TOR=y \
                         MULTICASTIPTV=y QUAGGA=y BCM_RECVFILE=y LAN50=y ATCOVER=y GETREALIP=y \
-                        BCM5301X_TRAFFIC_MONITOR=n CLOUDCHECK=y NATNL=y JFFS2USERICON=y REBOOT_SCHEDULE=y \
+                        BCM5301X_TRAFFIC_MONITOR=n CLOUDCHECK=y NATNL=y REBOOT_SCHEDULE=y \
                         TFAT=y HFS="tuxera" NTFS="tuxera" IPSECMOD=n REPEATER=y DUALWAN=y DNSFILTER=y SAMBA36=y UPNPIGD2=n \
                         DNSSEC=y NANO=y
 
@@ -70,7 +70,7 @@ export RT-AC3200 := IPV6SUPP=y HTTPS=y ARM=y BCM57=y AUTODICT=y BBEXTRAS=y USBEX
                     TIMEMACHINE=y MDNS=y TFAT=y NTFS="tuxera" HFS="tuxera" VPNC=y BRCM_NAND_JFFS2=y JFFS2LOG=y BCMFA=y \
                     XHCI=y BWDPI=y DUMP_OOPS_MSG=y DHDAP=y GMAC3=y HSPOT=n LINUX_MTD="64" DEBUGFS=y NVSIZE="64" \
                     TEMPROOTFS=y SSH=y DROPBOXCLIENT=y FTPCLIENT=y SAMBACLIENT=y NOWL=y EMAIL=y BCM_RECVFILE=y REBOOT_SCHEDULE=y \
-                    BCM5301X_TRAFFIC_MONITOR=n DPSTA=y CLOUDCHECK=y NATNL=y JFFS2USERICON=y DISABLE_REPEATER_UI=y \
+                    BCM5301X_TRAFFIC_MONITOR=n CLOUDCHECK=y NATNL=y DISABLE_REPEATER_UI=y \
                     MULTICASTIPTV=y QUAGGA=y LAN50=y ATCOVER=y GETREALIP=y NANO=y \
                     NFS=y IPSECMOD=n DNSFILTER=y SAMBA36=y SNMPD=y TOR=y UPNPIGD2=n DNSSEC=y
 

release/src/router/Makefile

@@ -241,6 +241,9 @@ SEP=echo "\033[41;1m   $@   \033[0m"
 #
 obj-$(RTCONFIG_NOTIFICATION_CENTER) += sqlite
 obj-$(RTCONFIG_NOTIFICATION_CENTER) += nt_center
+
+obj-$(RTCONFIG_PROTECTION_SERVER) += protect_srv
+
 obj-$(RTCONFIG_QTN) += libqcsapi_client
 obj-$(RTCONFIG_QTN) += qtnimage
 obj-$(RTCONFIG_DMALLOC) += dmalloc
@@ -822,7 +825,7 @@ endif
 obj-clean := $(foreach obj, $(obj-y) $(obj-n) $(obj-), $(obj)-clean)
 obj-install := $(foreach obj,$(obj-y),$(obj)-install)
 
-MKSQUASHFS_TARGET = $(if $(KPATH_2636X_OR_3X),mksquashfs,mksquashfs-lzma)
+MKSQUASHFS_TARGET = mksquashfs
 MKSQUASHFS = $(MKSQUASHFS_TARGET)
 
 LINUX_ARCH_ASM_INCL_DIR = $(if ($KPATH_3X),$(LINUXDIR)/arch/mips/include/asm,$(LINUXDIR)/include/asm-mips)
@@ -2684,6 +2687,25 @@ nt_center-clean:
 	-$(MAKE) -C nt_center clean
 	@rm -f nt_center/stamp-h1
 
+protect_srv/stamp-h1:
+	touch $@
+
+protect_srv: protect_srv/stamp-h1
+	$(MAKE) -C protect_srv
+
+protect_srv-install: protect_srv
+	install -d $(INSTALLDIR)/protect_srv/usr/lib/
+	install -d $(INSTALLDIR)/protect_srv/usr/sbin/
+	install -D protect_srv/lib/libptcsrv.so $(INSTALLDIR)/protect_srv/usr/lib/libptcsrv.so
+	install -D protect_srv/protect_srv $(INSTALLDIR)/protect_srv/usr/sbin/protect_srv
+	install -D protect_srv/Send_Event2ptcsrv $(INSTALLDIR)/protect_srv/usr/sbin/Send_Event2ptcsrv
+	$(STRIP) $(INSTALLDIR)/protect_srv/usr/lib/libptcsrv.so
+	$(STRIP) $(INSTALLDIR)/protect_srv/usr/sbin/protect_srv
+
+protect_srv-clean:
+	-$(MAKE) -C protect_srv clean
+	@rm -f protect_srv/stamp-h1
+
 #	$(STRIP) $(INSTALLDIR)/tr/sbin/*
 
 #	libnet:
@@ -2862,7 +2884,10 @@ dropbear/config.h: dropbear/config.h.in
 		--disable-utmp --disable-utmpx \
 		--disable-wtmp --disable-wtmpx \
 		--disable-loginfunc \
-		--disable-pututline --disable-pututxline
+		--disable-pututline --disable-pututxline \
+		LDFLAGS="$(if $(RTCONFIG_PROTECTION_SERVER),-L$(TOP)/protect_srv/lib)" \
+		CFLAGS="$(if $(RTCONFIG_PROTECTION_SERVER),-I$(TOP)/protect_srv/include -DRTCONFIG_PROTECTION_SERVER)" \
+		LIBS="$(if $(RTCONFIG_PROTECTION_SERVER),-lptcsrv)" 
 
 
 dropbear: dropbear/config.h

release/src/router/bled/driver/Makefile

@@ -12,7 +12,7 @@ QCA8337_MODEL_LIST = "RT-AC55U RT-AC55UHP 4G-AC55U PL-AC56 PL-AC66U"
 QCA9531ESW_MODEL_LIST = "PL-N12"
 MT7620ESW_MODEL_LIST = "RT-N11P RT-N300 RT-N14U RT-AC51U RT-AC52U RT-AC1200HP"
 MT7621ESW_MODEL_LIST = "RT-N56UB1 RT-N56UB2"
-RTL8370M_MODEL_LIST = "RT-AC88Q BRT-AC828M2 RT-AC88S"
+RTL8370M_MODEL_LIST = "RT-AC88Q BRT-AC828 RT-AC88S"
 DAKOTA_MODEL_LIST = "RT-AC58U RT-AC82U"
 DUMMY_SWITCH_MODEL_LIST = "RT-AC88N"
 

release/src/router/config/config.in

@@ -1277,6 +1277,10 @@ config RTCONFIG_NOTIFICATION_CENTER
 	bool "Notification Center"
 	default y
 
+config RTCONFIG_PROTECTION_SERVER
+	bool "Security Protection Mechanism"
+	default n
+
 config RTCONFIG_6RELAYD
 	bool "IPv6 Relay support"
 	depends on RTCONFIG_IPV6

release/src/router/config_base

@@ -298,6 +298,7 @@ RTCONFIG_BONJOUR=y
 # RTCONFIG_MULTICAST_IPTV is not set
 # RTCONFIG_DYN_MODEM is not set
 # RTCONFIG_NOTIFICATION_CENTER is not set
+# RTCONFIG_PROTECTION_SERVER is not set
 RTCONFIG_6RELAYD=y
 # RTCONFIG_BCMASPMD is not set
 # RTCONFIG_WLCLMLOAD is not set

release/src/router/dropbear/svr-authpasswd.c

@@ -30,7 +30,9 @@
 #include "dbutil.h"
 #include "auth.h"
 #include "runopts.h"
-
+#ifdef RTCONFIG_PROTECTION_SERVER
+#include <libptcsrv.h>
+#endif
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
 /* not constant time when strings are differing lengths. 
@@ -103,6 +105,15 @@ void svr_auth_password() {
 				svr_ses.addrstring);
 		send_msg_userauth_success();
 	} else {
+
+#ifdef RTCONFIG_PROTECTION_SERVER
+		char ip[64];
+		char *addr;
+		strncpy(ip, svr_ses.addrstring, sizeof(ip));
+		addr = strrchr(ip, ':');
+		*addr = '\0';
+		SEND_PTCSRV_EVENT(PROTECTION_SERVICE_SSH, ip, "From dropbear , LOGIN FAIL");
+#endif
 		dropbear_log(LOG_WARNING,
 				"Bad password attempt for '%s' from %s",
 				ses.authstate.pw_name,

release/src/router/dropbear/svr-session.c

@@ -40,6 +40,9 @@
 #include "auth.h"
 #include "runopts.h"
 #include "crypto_desc.h"
+#ifdef RTCONFIG_PROTECTION_SERVER
+#include <libptcsrv.h>
+#endif
 
 static void svr_remoteclosed(void);
 
@@ -170,6 +173,15 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
 		snprintf(fullmsg, sizeof(fullmsg), "Exit before auth: %s", exitmsg);
 	}
 
+#ifdef RTCONFIG_PROTECTION_SERVER
+		char ip[64];
+		char *addr;
+		strncpy(ip, svr_ses.addrstring, sizeof(ip));
+		addr = strrchr(ip, ':');
+		*addr = '\0';
+		SEND_PTCSRV_EVENT(PROTECTION_SERVICE_SSH, ip, "From dropbear , LOGIN FAIL");
+#endif
+
 	dropbear_log(LOG_INFO, "%s", fullmsg);
 
 #ifdef USE_VFORK