Commit Graph

1268 Commits

Author SHA1 Message Date
Hauke Mehrtens
58d838d81d mbedtls: Update to version 2.28.4
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d773fe5411)
2023-08-11 12:53:34 +02:00
Ivan Pavlov
11b0c43671 openssl: update to 3.0.10
Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
 * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
 * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
 * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 92602f823a)
2023-08-09 22:20:58 +02:00
Christophe Sokol
e0d5621d28 openssl: opt-out of lto usage
This fixes building with USE_LTO enabled:

aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -DPIC -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fPIC -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -fPIC -fstack-protector-strong -fPIC -fuse-ld=bfd -flto=auto -fuse-linker-plugin -fPIC -specs=/include/hardened-ld-pie.specs -znow -zrelro -L. -Wl,-z,defs -Wl,-znodelete -shared -Wl,-Bsymbolic  -Wl,-z,now -Wl,-z,relro -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/usr/lib -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/lib -Wl,--gc-sections \
	-o providers/legacy.so -Wl,--version-script=providers/legacy.ld \
	providers/legacy-dso-legacyprov.o \
	providers/liblegacy.a providers/libcommon.a -lcrypto -ldl -pthread
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_get_params':
<artificial>:(.text.legacy_get_params+0xd4): undefined reference to `ossl_prov_is_running'
ld.bfd: <artificial>:(.text.legacy_get_params+0xd8): undefined reference to `ossl_prov_is_running'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_teardown':
<artificial>:(.text.legacy_teardown+0x4): undefined reference to `ossl_prov_ctx_get0_libctx'
ld.bfd: <artificial>:(.text.legacy_teardown+0x8): undefined reference to `ossl_prov_ctx_get0_libctx'
ld.bfd: <artificial>:(.text.legacy_teardown+0x34): undefined reference to `ossl_prov_ctx_free'
ld.bfd: <artificial>:(.text.legacy_teardown+0x38): undefined reference to `ossl_prov_ctx_free'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `OSSL_provider_init':
<artificial>:(.text.OSSL_provider_init+0x14): undefined reference to `ossl_prov_ctx_new'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x18): undefined reference to `ossl_prov_ctx_new'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x84): undefined reference to `ossl_prov_ctx_set0_libctx'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x88): undefined reference to `ossl_prov_ctx_set0_libctx'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x98): undefined reference to `ossl_prov_ctx_set0_handle'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x9c): undefined reference to `ossl_prov_ctx_set0_handle'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_kdfs+0x10): undefined reference to `ossl_kdf_pbkdf1_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x10): undefined reference to `ossl_cast5128ecb_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x30): undefined reference to `ossl_cast5128cbc_functions'
[...]
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x10): undefined reference to `ossl_md4_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x30): undefined reference to `ossl_ripemd160_functions'
collect2: error: ld returned 1 exit status

Signed-off-by: Christophe Sokol <christophe@wk3.org>
(cherry picked from commit 906616d201)
2023-08-09 22:20:52 +02:00
Jo-Philipp Wich
77b8ce64fa libnl-tiny: update to latest Git HEAD
8667347 build: allow passing SOVERSION value for dynamic library

Also adjust packaging of the library to only ship the SOVERSION
suffixed library object, to allow for concurrent installation of
ABI-incompible versions in the future.

Fixes: #13082
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 4af0a72a65)
2023-07-27 12:06:02 +02:00
Tony Ambardar
b607cd30c7 libbpf: Update to v1.2.2
Update to the latest upstream release to include recent bugfixes:

Link: https://github.com/libbpf/libbpf/compare/v1.2.0...v1.2.2
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 1d5e7b85cc)
2023-07-20 08:04:11 +02:00
Nick Hainke
2f71a7ecd8 libnftnl: update to 1.2.6
Release Notes:
https://lists.netfilter.org/pipermail/netfilter-announce/2023/000250.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit e57a752217)
2023-07-20 08:04:11 +02:00
Nick Hainke
f2a98977c4 wolfssl: update to 5.6.3
Release Notes:
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.0-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.2-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.3-stable

Refresh patch:
- 100-disable-hardening-check.patch

Backport patch:
- 001-fix-detection-of-cut-tool-in-configure.ac.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 0e83b5e6cc)
2023-07-08 15:43:59 +02:00
Hauke Mehrtens
f9fadb8de2 libnl-tiny: update to latest git HEAD
d433990 Make struct nla_policy and struct nlattr const

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 513bcfdf78)
2023-07-02 15:31:03 +02:00
Jitao Lu
e9d2ff8045 openssl: passing cflags to configure
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.

Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
(cherry picked from commit 51f57e7c2d)
2023-06-17 12:55:29 +02:00
Zoltan HERPAI
cd650f1e91 openssl: add linux-riscv64 into the targets list
Add "linux-riscv64-openwrt" into openssl configurations to enable building
on riscv64.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
(cherry picked from commit a0840ecd53)
2023-06-14 09:22:08 +02:00
Mathew McBride
e9ea571657
wolfssl: change armvirt reference to armsr
armvirt target has been renamed to armsr (Arm SystemReady).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
(cherry picked from commit 203deef82c)
2023-06-13 14:14:33 +02:00
Felix Fietkau
c6531042da
libubox: update to the latest version
b09b316aeaf6 blobmsg: add blobmsg_parse_attr function
eac92a4d5d82 blobmsg: add blobmsg_parse_array_attr
ef5e8e38bd38 usock: fix poll return code check
6fc29d1c4292 jshn.sh: Add pretty-printing to json_dump
5893cf78da40 blobmsg: Don't do at run-time what can be done at compile-time
362951a2d96e uloop: fix uloop_run_timeout
75a3b870cace uloop: add support for integrating with a different event loop

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b6e0a24c49)
2023-06-12 22:10:18 +02:00
Ivan Pavlov
e1d59497e9 openssl: update to 3.0.9
CVE-2023-2650 fix
Remove upstreamed patches

Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
 * Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
 * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
 * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
 * Limited the number of nodes created in a policy tree (CVE-2023-0464)

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit 6348850f10)
2023-06-09 13:36:21 +02:00
Tianling Shen
a48d0bdb77 openssl: fix uci config for built-in engines
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:

> uci: Parse error (invalid command) at line 3, byte 0

```
config engine 'devcrypto'
        option enabled '1'
engine 'devcrypto'
        option enabled '1'
        option builtin '1'
```

Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.

Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit a0d7193425)
2023-06-08 15:33:14 +02:00
Linhui Liu
65b5b72cb7 selinux-policy: update to 1.2.5
30d503a uci jsonfilter: pipe and leak
e13cb64 rpcd leds
144781f jsonfilter, luci, ubus
1210762 rpcd and all agents get fd's leaked
ab9227c rpcd
2f99e0e luci rpcd
b43aaf3 rpcd (enable/disable services) luci peeraddr
f20f03e rpcd
7bc74f6 rpcd reads all subj state and luci-bwc leaks
9634b17 adds inotify perms to anon_inode
3d3c17c adds bare anon_inode (linux 5.15)
7104b20 dnsmasq and luci
0de2c66 luci,rpcd, ucode, wpad
14f5cf9 luci and ucode
e3ce84c rpcd, ucode and cgiio loose ends
96a2401 misc updates
9fe0490 initscript: remove redundant rules
71bd77e allow all init scripts to log to logd
f697331 sandbox: make ttydev handling more robust
a471877 simplify pty tty console access
f738984 sandbox: also remove TIOSCTI from all ttydevs

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
(cherry picked from commit 4c5a9da869)
2023-05-31 23:10:06 +02:00
Petr Štetiar
20295c071a pcre2: fix host compilation of libselinux by enabling PIC
libselinux-3.5 fails to compile in Fedora 38 container due to the
following:

 cc -O2 -I/openwrt/staging_dir/host/include -I/openwrt/staging_dir/hostpkg/include -I/openwrt/staging_dir/target-x86_64_musl/host/include -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/openwrt/staging_dir/hostpkg/include -L/openwrt/staging_dir/host/lib -L/openwrt/staging_dir/hostpkg/lib -L/openwrt/staging_dir/target-x86_64_musl/host/lib -Wl,-rpath=/openwrt/staging_dir/hostpkg/lib -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo callbacks.lo canonicalize_context.lo checkAccess.lo check_context.lo checkreqprot.lo compute_av.lo compute_create.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo deny_unknown.lo disable.lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context_list.lo get_default_type.lo get_initial_context.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo is_customizable_type.lo label.lo label_db.lo label_file.lo label_media.lo label_support.lo label_x.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo mapping.lo matchmediacon.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo regex.lo reject_unknown.lo selinux_check_securetty_context.lo selinux_config.lo selinux_internal.lo selinux_restorecon.lo sestatus.lo setenforce.lo setexecfilecon.lo setfilecon.lo setrans_client.lo seusers.lo sha1.lo stringrep.lo validatetrans.lo -L/openwrt/staging_dir/hostpkg/lib -lpcre2-8 -lfts -ldl -Wl,-soname,libselinux.so.1,--version-script=libselinux.map,-z,defs,-z,relro
 /usr/bin/ld: /openwrt/staging_dir/hostpkg/lib/libpcre2-8.a(pcre2_compile.c.o): relocation R_X86_64_32S against symbol `_pcre2_ucd_stage1_8' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: failed to set dynamic section sizes: bad value

So lets fix it by enabling build of host static library with the
position independent code option enabled.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 12494f5b8a)
2023-05-31 23:10:06 +02:00
Tony Ambardar
f54bea12b6 bpftools: update, split off bpftool and libbpf packages
My original bpftools package made "variant" builds of bpftool and libbpf
as a convenience, since both used the same local kernel sources with the
same versioning. This is no longer the case, since the commit below
switched to using an out-of-tree build mirror hosting repos for each.

Replace bpftools with separate bpftool and libbpf packages, each simplified
and correctly versioned. Also fix the broken libbpf ABI introduced in the
same commit. Existing build .config files are not impacted.

Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit afe1bf11f2)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-05-25 09:33:59 +01:00
Nick Hainke
ea9a7f1250 libxml2: update to 2.11.4
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4

Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit c520d682f0)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-05-24 19:26:28 +01:00
Nick Hainke
f1fbf61fcf libcap: update to 2.69
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe

Fixes: CVE-2023-2602 CVE-2023-2603
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 78c45c1e59)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-05-24 19:26:24 +01:00
Nick Hainke
aa28e91404 nettle: update to 3.9
Changelog:
26cd0222fd/NEWS

Refresh patch:
- 100-portability.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-20 21:02:18 +02:00
Linhui Liu
c0ef48814e pcre2: switch to Github Releases and bump to 10.42
The mirror at SourceForge is an unofficial mirror and no longer maintained.

ChangeLogs:
https://github.com/PCRE2Project/pcre2/blob/pcre2-10.42/ChangeLog

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-20 13:20:53 +08:00
Nick Hainke
f73d011810 libjson-c: import patch to fix compilation on macos
Fixes errors in the form of:
  /Users/user/src/openwrt/openwrt/build_dir/hostpkg/json-c-0.16/json_util.c:63:35: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
  const char *json_util_get_last_err()
                                    ^
                                     void
  1 error generated.
  ninja: build stopped: subcommand failed.

Reported-by: Paul Spooren <mail@aparcar.org>
Suggested-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-19 13:43:18 +02:00
Nick Hainke
4b950bc5f4 libxml2: update to 2.11.3
Changelog:
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.0
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.1
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.2
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.3

Fixes: CVE-2023-28484 CVE-2023-29469
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 16:16:20 +02:00
Tianling Shen
48ed07bc0b treewide: replace AUTORELEASE with real PKG_RELEASE
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```

then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
	make package/$i/clean
done
```

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-18 11:35:29 +02:00
Linhui Liu
91c75c3124 libselinux: update to 3.5
Switch from libpcre to libpcre2. While working on it remove the double
defined HOST_BUILD_DEPENDS section.

Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
[depend on libpcre2]
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Linhui Liu
d641963f1b libsemanage: update to 3.5
Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-18 10:14:13 +02:00
Linhui Liu
bd0dce62b1 libsepol: update to 3.5
Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-18 10:14:13 +02:00
Nick Hainke
e3e6652a55 pcre: move package to packages feed
With the update of selinux no package depends anymore on pcre in the
base repository. Move it to packages feed.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Nick Hainke
c39b0646f3 pcre2: import pcre2 from packages feed
pcre2 is needed by newer selinux versions, so it needs to be in the base
repository.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Robert Marko
6b17e19ad8
libbsd: fix compilation with musl 1.2.4
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.

_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.

Fixes: fff878c5bc ("toolchain/musl: update to 1.2.4")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-05-16 14:31:14 +02:00
Robert Marko
6ff12094cd
libselinux: fix compilation with musl 1.2.4
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.

_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-05-15 20:39:21 +02:00
Michael Pratt
0779c47be6
gettext-full: link to local libunistring
Configure gettext to require and link
to our local libunistring explicitly.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:44 +02:00
Michael Pratt
0288415877
gettext-full: add missing link to libunistring
Running autoreconf or autogen.sh is causing
the gettext-runtime subdirectory to have a configure script
that looks for and attempts to link to an external libunistring.
However, the macros and symbols for supporting that configuration
are not present in this subdirectory yet.

This results in some host machines to not build the
included libunistring objects for libgrt,
but at the same time, also not input the proper flag to the linker
for linking to an external library when it is found or even when
explicitly setting configuration to use a prefix for libunistring,
resulting in the common linking failure "undefined reference".

Some similar (and old...) upstream commits do the same thing,
but only for gettext-tools and libgettextpo.

Ref: ae943bcc1 ("Link with libunistring, if it exists.") # gettext.git
Ref: 61e21a72f ("Avoid link error in programs that use libgettextpo.") # gettext.git
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:44 +02:00
Michael Pratt
d3c3b79c1e
libunistring: add from packages feed
Add libunistring in order to link to gettext
and other packages directly
instead of the built-in substitute for it.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:41 +02:00
Michael Pratt
d167adbc44
gettext-full: bootstrap to local gnulib source
Using the local gnulib source during autogen.sh
allows for fine-grained control over the macros
and source files for use with gettext
but part of gnulib instead of gettext,
without having to wait for a release
or deal with gnulib as a git submodule.

This is an alternative to running autoreconf.

It also removes the need to patch macros
in the case where there is a conflict
between the source and our aclocal directory.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:31 +02:00
Michael Pratt
d95d5d2a3a
gettext-full: link to local libxml2
Some users have reported that gettext builds
are attempting to link to libxml2
while it was supposed to be configured
to use it's own built-in substitute.

Configure gettext to require and link
to our local libxml2 explicitly.

Add a patch to revert upstream commit 87927a4e2
which forces libtextstyle to use the built-in libxml,
no matter what the configuration is,
making that option configurable again
after the configure script is regenerated.

Reported-by: Tianling Shen <cnsztl@immortalwrt.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:30 +02:00
Michael Pratt
f7fbe77115
gettext-full: set gperf as build prerequisite
Require gperf to be built before gettext.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Michael Pratt
9b0b46985c
libxml2: add from packages feed
Add libxml2 which can be used to build gettext
instead of the old built-in substitute for it.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Michael Pratt
ca8577f930
gettext-full: override SUBDIRS variable with Makefile
Instead of editing the SUBDIRS variable with a patch,
it can be overriden at the end of the command line when invoking Make.

This tool has a series of recursive Makefiles in each subdirectory,
therefore SUBDIRS is set to a pattern of Make functions
so that the result is variable depending on the current subdirectory
that Make is being invoked in.

Some of the subdirectories don't have a Makefile and are just storing files
for another subdirectory Makefile target,
therefore we have to place a fake Makefile that does nothing.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Eneas U de Queiroz
1c5cafa3eb openssl: fix low-severity CVE-2023-1255
This applies commit 02ac9c94 to fix this OpenSSL Security Advisory
issued on 20th April 2023[1]:

Input buffer over-read in AES-XTS implementation on 64 bit ARM
(CVE-2023-1255)
==============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit
ARM platform contains a bug that could cause it to read past the input
buffer, leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64
bit ARM platform can crash in rare circumstances. The AES-XTS algorithm
is usually used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform
will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the
memory after the ciphertext buffer is unmapped, this will trigger a
crash which results in a denial of service.

If an attacker can control the size and location of the ciphertext
buffer being decrypted by an application using AES-XTS on 64 bit ARM,
the application is affected. This is fairly unlikely making this issue a
Low severity one.

1. https://www.openssl.org/news/secadv/20230420.txt

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-29 12:33:44 +02:00
Nick Hainke
b64c471b8e libpcap: update to 1.10.4
Changes:
https://git.tcpdump.org/libpcap/blob/104271ba4a14de6743e43bcf87536786d8fddea4:/CHANGES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-22 02:35:19 +02:00
Matthias Schiffer
4f1c2e8dee
uclient: update to Git version 2023-04-13
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2023-04-13 20:51:05 +02:00
Hauke Mehrtens
d679b15d31 mbedtls: Update to version 2.28.3
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3

The 100-fix-compile.patch patch was merged upstream, see:
https://github.com/Mbed-TLS/mbedtls/issues/6243
https://github.com/Mbed-TLS/mbedtls/pull/7013

The code style of all files in mbedtls 2.28.3 was changed. I took a new
version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this
pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-10 13:36:26 +02:00
Nick Hainke
0c53801968 libcap: update to 2.68
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-08 15:52:56 +02:00
Eneas U de Queiroz
c3cb2d48da
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-07 11:26:26 +02:00
Eneas U de Queiroz
0dc5fc8fa5
openssl: add legacy provider
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
0b70d55a64
openssl: make UCI config aware of built-in engines
Engines that are built into the main libcrypto OpenSSL library can't be
disabled through UCI.  Add a 'builtin' setting to signal that the engine
can't be disabled through UCI, and show a message explaining this in
case buitin=1 and enabled=0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
975036f6f9
openssl: avoid OPENSSL_SMALL_FOOTPRINT, no-asm
Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3%
decrease in size, dropping performance from 2% to 91%, depending on the
target and algorithm.

For example, using AES256-GCM with 1456-bytes operations, X86_64 appears
to be the least affected with 2% performance penalty and 1% reduction in
size; mips drops performance by 13%, size by 3%;  Arm drops 29% in
performance, 2% in size.

On aarch64, it slows down ghash so much that I consider it broken
(-91%).  SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and
size by only 1%.  It makes an AES-capable CPU run AES128-GCM at 35% of
the speed of Chacha20-Poly1305:

Block-size=1456 bytes   AES256-GCM   AES128-GCM  ChaCha20-Poly1305
SMALL_FOOTPRINT           62014.44     65063.23          177090.50
regular                  504220.08    565630.28          182706.16

OpenSSL 1.1.1 numbers are about the same, so this should have been
noticed a long time ago.

This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned
off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used.

Compiling with -O3 instead of -Os, for comparison, will increase size by
about 14-15%, with no measureable effect on AES256-GCM performance, and
about 2% increase in Chacha20-Poly1305 performance on Aarch64.

There are no Arm devices with the small flash feature, so drop the
conditional default.  The package is built on phase2, so even if we
include an Arm device with small flash later, a no-asm library would
have to be built from source anyway.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Hauke Mehrtens
18d516a649 libnl-tiny: update to the latest version
f5d9b7e libnl-tiny: fix duplicated branch in family.h
11b7c5f attr: add NLA_S* definitions

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-02 02:25:16 +02:00
Nick Hainke
fca03b4bad libtraceevent: update to 1.7.2
Changes:
1c6f0f3 libtraceevent: version 1.7.2
73f6a8a libtraceevent: Fix some missing commas in big endian blocks
da2ea6b libtraceevent: Rename "ok" to "token_has_paren" in process_sizeof()
e6f7cfa libtraceevent: No need for testing ok in else if (!ok) in process_sizeof()
a4b1ba5 libtraceevent: Fix double free in parsing sizeof()

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-01 22:02:24 +02:00