Commit Graph

549 Commits

Author SHA1 Message Date
Peter Wagner
50b478956a openssl: update to 1.0.2n
add no-ssl3-method again as 1.0.2n compiles without the ssl3-method(s)

Fixes CVEs: CVE-2017-3737, CVE-2017-3738

Signed-off-by: Peter Wagner <tripolar@gmx.at>
(backported from commit 55e70c8b72)
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-12-13 13:17:12 +01:00
Jo-Philipp Wich
207bcea1de cyassl: update to wolfssl 3.12.2 (1 CVE)
Update wolfssl to the latest release v3.12.2 and backport an upstream
pending fix for CVE-2017-13099 ("ROBOT vulnerability").

Ref: https://github.com/wolfSSL/wolfssl/pull/1229
Ref: https://robotattack.org/

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 902961c148)
2017-12-13 13:08:38 +01:00
Peter Wagner
cda8ec7dd8
openssl: update to 1.0.2m
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:

../libssl.so: undefined reference to `SSLv3_client_method'

Fixes CVE: CVE-2017-3735, CVE-2017-3736

Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-11-13 00:53:35 +01:00
Felix Fietkau
63f6408ccc uclient: update to the latest version, fixes fetch of multiple files
4b87d83 uclient-fetch: fix overloading of output_file variable

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-03 10:56:47 +01:00
Kevin Darbyshire-Bryant
e232c6754d mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
2017-09-30 15:24:52 +02:00
Matthias Schiffer
bb6a8b2cbf
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-06 15:48:05 +02:00
Baptiste Jonglez
3e35eb13ad mbedtls: Re-allow SHA1-signed certificates
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-08-11 20:45:28 +02:00
Magnus Kroken
73e81a8318 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:57:11 +02:00
Florian Fainelli
72fcdb6286 openssl: Use mkhash for STAMP_CONFIGURED
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.

Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,

Fixes #572

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-04-22 12:43:51 +02:00
Felix Fietkau
5866ff8be8 libubox: fix host build on macOS
Use the defaults instead of a custom non-portable Host/Install section

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-04-08 14:49:05 +02:00
Jo-Philipp Wich
293c54c567 libubox: add host build
Our opkg fork requires libubox to build, so add a host build for it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-04-08 14:48:55 +02:00
Hauke Mehrtens
c4ed92ae7d mbedtls: update to version 2.4.2
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 22:35:48 +01:00
Martin Schiller
87e021e6e3 libpcap: add optional netfilter support
This is needed to use the nflog interface with tcpdump

Signed-off-by: Martin Schiller <mschiller@tdt.de>
2017-03-01 20:37:37 +01:00
Felix Fietkau
2e8545333a mbedtls: add --function-sections and --data-sections to CFLAGS
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:37 +01:00
Felix Fietkau
db7f80c587 libpcap: remove feature dependencies on kmod-* packages
USB support could be built into the kernel as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-03-01 20:37:36 +01:00
Ben Kelly
e1e9d27655 uclibc++: patch bugfix erase() on derived __base_associative
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.

Example code to reproduce:

	typedef std::multimap<int, int> testmap;
	testmap t;
	t.insert(std::pair<int, int>(1, 1));
	t.insert(std::pair<int, int>(2, 1));
	t.insert(std::pair<int, int>(3, 1));
	t.erase(t.begin(), t.end());

Signed-off-by: Ben Kelly <ben@benjii.net>
2017-03-01 20:37:36 +01:00
Ted Hess
4c9b45966e libubox: Update to latest version
9d6305a utils: Change calloc_a() to return size_t aligned pointers

Signed-off-by: Ted Hess <thess@kitschensync.net>
2017-02-25 11:10:41 +01:00
Felix Fietkau
67c2a176ce libubox: update to the latest version
Adds the following changes:

de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-25 11:10:35 +01:00
Jo-Philipp Wich
d1d970e235 libtool: don't clobber host libtool infrastructure
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.

By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:

    libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`

Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-02-01 16:05:52 +01:00
Hauke Mehrtens
f5ab082243 openssl: update to version 1.0.2k
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-28 13:33:22 +01:00
Daniel Engberg
12392e5600 zlib: Update to 1.2.11
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback

Note: SF doesn't carry the 1.2.11 update yet.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-21 14:27:23 +01:00
Domagoj Pintaric
b5b83706be mbedtls: add static files in staging_dir
Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
2017-01-16 11:41:54 +01:00
Matthias Schiffer
0d8381aea3
ncurses: revert $(STAGING_DIR_HOSTPKG) to $(STAGING_DIR)/host where appropriate
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-14 18:58:44 +01:00
Felix Fietkau
bd68ddbda4 polarssl: remove package
The mbedTLS 1.3 branch has been EOL since end of 2016 and now all
remaining users have been converted.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-13 12:08:08 +01:00
Jo-Philipp Wich
b95494baed gettext-full: avoid using iconv for host builds
The gettext-full host build might pick up iconv-stub host build  headers
during the build, leading to stray linker errors with unresolved references
to libiconv_open(), libiconv() and libiconv_close().

Since we're not needing iconv support on the host, pass the appropriate
cache variables to configure to prevent detection and linking of iconv.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-11 03:48:30 +01:00
Matthias Schiffer
77beaf2ec9
package: replace $(STAGING_DIR)/host with $(STAGING_DIR_HOSTPKG)
Cleanup to prepare for changing STAGING_DIR_HOSTPKG. The actual change of
STAGING_DIR_HOSTPKG (i.e., moving the host packages back into a common, not
target-specific directory) will be done after the first LEDE release, but
the cleanup will also be useful for projects like Gluon.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-10 22:15:37 +01:00
Daniel Engberg
dfe93c20ec libnl: Update to 3.2.29
Update libnl to 3.2.29

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-10 08:26:42 +01:00
Hauke Mehrtens
e9f0b75976 cyassl: update to wolfssl version 3.10.0
This fixes a low level security vulnerability.
Deactivate MIPS16 support, crypto code gets much slower with MIPS16.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-10 00:10:15 +01:00
Felix Fietkau
3e7b894ac0 ustream-ssl: remove legacy polarssl support
The old polarssl 1.3 branch is EOL since end of 2016, and the package
for it will be removed soon.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 14:35:09 +01:00
Felix Fietkau
f0353c5e8c mbedtls: re-enable CFB support
It is safe and required by some software, e.g. shadowsocks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 10:59:30 +01:00
Felix Fietkau
355e150065 mbedtls: re-enable RC4 support (needed by transmission and others)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-08 18:22:23 +01:00
Magnus Kroken
186cd4533d zlib: update to 1.2.10
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-01-07 19:35:22 +01:00
Luiz Angelo Daros de Luca
0bb474652e elfutils: bump to 0.168
Other changes:
- Project moved to sourceware.org
- musl patch where cleaned up and submitted upstream
- TEMP_FAILURE_RETRY macro fixed and submitted upstream

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[Jo-Philipp Wich: add missing .patch extension to 007-fix_TEMP_FAILURE_RETRY]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-03 14:32:35 +01:00
Daniel Engberg
0050b39fd4 gmp: Update to 6.1.2
Update GMP to 6.1.2

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-03 14:24:33 +01:00
Daniel Engberg
6099f22097 zlib: Update to 1.2.9
Update zlib to 1.2.9 and switch to XZ tarballs for download.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-03 14:24:33 +01:00
Daniel Engberg
bb4afdc8bc libusb: Update to 1.0.21
Update libusb to 1.0.21

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-03 14:24:33 +01:00
Florian Fainelli
55209a9df9 uclient: Update to 2016-12-09
Brings in the following changes:

52d955fd802a remove obsolete mac os x /opt/local include/library search path
a4e49b4163b2 Fix unused results warnings
48cfff3fbec9 uclient-http: send correct "Host:" header if port is set

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-01-02 21:06:13 +01:00
Hannu Nyman
b7677f05d6 ustream-ssl: remove extra DEFAULT_VARIANT from libustream-polarssl
Currently both libustream-polarssl and libustream-mbedtls
variants define themselves as the DEFAULT_VARIANT

Remove extra DEFAULT_VARIANT from libustream-polarssl.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-12-30 17:38:39 +01:00
Magnus Kroken
8ed11ebf7d mbedtls: enable DHE-RSA key exchange
Later OpenVPN 2.3-openssl versions only enable
TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE
cipher suites. ECDHE key exchange is not supported by
OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE
OpenVPN 2.4-mbedtls clients to connect to such servers.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reported-by: Lucian Cristian <luci@createc.ro>
2016-12-30 13:06:43 +01:00
Magnus Kroken
ca963bbf5f mbedtls: enable secp384r1 elliptic curve support
Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to
make OpenVPN-mbedtls clients able to perform ECDHE key exchange
with remote OpenVPN 2.4-openssl servers that use the default
OpenVPN curve.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-12-30 13:06:25 +01:00
Felix Fietkau
ae37f2310b mbedtls: enable support for external private RSA keys to fix openvpn build issue
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-28 22:56:36 +01:00
Zefir Kurtisi
16725e2db0 libpcap: Fix build when PACKAGECONFIG ipv6 is not enabled
Add patches provided upstream [1] by Fabio Berton to fix error:

> ./gencode.c: In function 'pcap_compile':
> ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai'
>   cstate.ai = NULL;
>         ^
> ./gencode.c: In function 'gen_gateway':
> ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function)
>    bpf_error(cstate, "direction applied to 'gateway'");
>              ^

[1] https://github.com/the-tcpdump-group/libpcap/pull/541

Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2016-12-24 11:59:42 +01:00
Felix Fietkau
43855793ca ncurses: rename libncursesw to libncurses (more common name)
provide libncursesw via PROVIDES instead

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 21:10:43 +01:00
Felix Fietkau
c7c1cf5618 treewide: clean up and unify PKG_VERSION for git based downloads
Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 16:42:21 +01:00
Alexandru Ardelean
acfb067835 gettext-full: enforce only static lib on the host build
Sometimes I'm getting error on the host-side build:
```
/usr/lib64/gcc/x86_64-suse-linux/4.8/../../../../x86_64-suse-linux/bin/ld: /home/sandu/work/lede/staging_dir/host/lib/liblzma.a(liblzma_la-common.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/home/sandu/work/lede/staging_dir/host/lib/liblzma.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:2847: recipe for target 'libgettextlib.la' failed
make[9]: *** [libgettextlib.la] Error 1
make[9]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl-1.1.15/host/gettext-0.19.8.1/gettext-tools/gnulib-lib'
Makefile:2597: recipe for target 'all' failed
```

Disabling the shared-lib build, seems to fix this.

This is when building glib2 on the host-side.
glib2 is required by newer QEMU package [which is in the feeds].

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-12-22 16:42:20 +01:00
Felix Fietkau
e5e98d58f7 ncurses: set ABI_VERSION to avoid running into rebuild issues
When the version changes, this will force rebuild of packages depending
on it.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-20 17:07:58 +01:00
Felix Fietkau
cbca3ae92e libs/cyassl: re-enable the stunnel flag
This partially reverts commit 15734b023b.
--enable-stunnel was actually important and properly described in
commit 9b118cde89. Removing it broke ustream-cyassl

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-20 10:42:23 +01:00
Alexandru Ardelean
3c1f20d0bb libnl-tiny: define _GNU_SOURCE if not defined
If _GNU_SOURCE was added as part of a package's TARGET_CFLAGS,
then compilation would fail for that module (especially if
warnings get treated as errors).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2016-12-20 09:35:36 +01:00
Daniel Engberg
15734b023b libs/cyassl: Enable multithreading, drop stunnel
More and more platforms are multicore SoCs, don't enforce singlethreading.
Drop stunnel option as stunnel code isn't available for download from upstream website.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-12-20 09:35:36 +01:00
p-wassi
6a902108a8 libs/ncurses: update to 6.0
Update libncurses to upstream release 6.0

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2016-12-20 09:35:36 +01:00