Commit Graph

1021 Commits

Author SHA1 Message Date
Dominick Grift
2a1bdde0d0 libsepol: update to version 3.2
a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails
6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr
b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf
0861c659 libsepol: Validate policydb values when reading binary policy
8f5409cf libsepol: Create function ebitmap_highest_set_bit()
0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete
32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast
4662bdc1 libsepol/cil: be more robust when encountering <src_info>
6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument
0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks
1b36ace2 libsepol: include header files in source files when matching declarations
1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check
72a88d75 libsepol: remove unused files
eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit
1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block
b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep
f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values()
5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums
34bd9a9d libsepol: destroy filename_trans list properly
bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer
b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
a25d9104 libsepol/cil: constify some strings
e2d01842 libsepol/cil: propagate failure of cil_fill_list()
6c8fca10 libsepol/cil: do not add a stack variable to a list
38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias
3c357285 libsepol/cil: remove useless print statement
90809674 libsepol/cil: always destroy the lexer state
d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible
2aac859a libsepol/cil: Use the macro NODE() whenever possible
d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve
e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node()
ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
89dab467 libsepol: free memory when realloc() fails
2d353bd5 libsepol/cil: Give error for more than one true or false block
4a142ac4 libsepol: Bump libsepol.so version
506c7b95 libsepol: Drop deprecated functions
ae58e84b libsepol: Get rid of the old and duplicated symbols
c97d63c6 libsepol: silence potential NULL pointer dereference warning
64387cb3 libsepol: drop confusing BUG_ON macro
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
a152653b libsepol/cil: Fix neverallow checking involving classmaps
734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy
685f577a libsepol/cil: Validate constraint expressions before adding to binary policy
8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS
42ae834a libsepol,checkpolicy: optimize storage of filename transitions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Daniel Golle
c82cc4407a
libubox: update to git HEAD
2e52c7e libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:04 +00:00
Donald Hoskins
ea6d4bdde2 libunwind: Add MIPS64 dep check
libunwind dependency check does not allow for MIPS64 arch.  Add MIPS64 awareness.

libunwind seems to support MIPS64 without issues, it was limited by the dep arch
check in the Makefile.

Used to compile Suricata6/Rust locally without issue.

Signed-off-by: Donald Hoskins <grommish@gmail.com>
2021-03-01 00:34:23 +01:00
Rosen Penev
b77f21c98a libpcap: update to 1.10.0
Simplify cmake option handling by putting everything in blocks.

Add openssl patch as there's no easy way to disable.

Rebase the skip manpages patch.

Remove the monitor mode patch as it no longer applies.

Remove flex patch as normal Makefile is no longer used.

Remove USB path patch. While it is deprecated, the codepath is never
taken. /sys/bus/usb/devices is checked before hand. If it exists, the
function does stuff and returns. Additionally, this path is used
elsewhere in the code.

Refresh other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-01 00:34:23 +01:00
Adrian Schmutzler
221eefaf6b zlib: properly split patches
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.

Separate these patches into two files, as the original intent seems
to be having them separate.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 14:08:29 +01:00
Rosen Penev
fb83efb626 pcre: disable C++ bindings
Nothing uses them. Allows to simplify the Makefile.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-24 00:30:40 +01:00
Eneas U de Queiroz
12a80e44b9 openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package increases by a net 1-byte, so it is not really really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Eneas U de Queiroz
d1dfb577f1 wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Georgi Valkov
4b37e3bc2b libusb: Fix parsing of descriptors for multi-configuration devices
Prerequisite patch:
Correct a typo in the Changelog and clean up a stray file

Fix changes in libusb which introduced a regression:
Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device
initialization") introduced a regression for devices with multiple
configurations. The logic that verifies the reported length of the
configuration descriptors failed to count the length of the
configuration descriptor itself and would truncate the actual length by
9 bytes, leading to a parsing error for subsequent descriptors.

Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
2021-02-21 10:12:10 -10:00
Christian Lamparter
09e66112f1 wolfssl: fix Ed25519 typo in config prompt
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-02-20 11:11:13 +01:00
David Bauer
10e84bde36 openssl: update package sources
OpenSSL downloads itself are distributed using Akamai CDN, so use these
sources as the highest priority.

Remove a stale mirror which seems to be offline for a longer time
already.

Add fallbacks to the old release path also for the mirrors.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-20 01:26:40 +01:00
Eneas U de Queiroz
482c9ff289 openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissable
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 09:24:47 +01:00
Rosen Penev
b59905f045 gettext-full: update to 0.21
Add m4 patch to avoid conflict with tools/autoconf-archive.

Add build parallel as it seems to work now.

Remove a bunch of uClibc-ng hacks as it is not in the tree anymore.

Format security patch was fixed upstream.

Refreshed other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-16 19:27:55 -10:00
Felix Fietkau
d02088762a build: reorder more BuildPackages lines to deal with ABI_VERSION
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 11:29:38 +01:00
Felix Fietkau
26a899e3e8 wolfssl: use libtool patch for PKG_ABI_VERSION
Makes it unnecessary to patch .so files after build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
0a497c4640 libubox: use build system variable to specify ABI version
This removes the need to patch it afterwards

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
f378d81da6 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:47 +01:00
Felix Fietkau
a933c26852 libubox: use PKG_ABI_VERSION
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:45 +01:00
Hauke Mehrtens
304df2836a Revert "wolfssl: use dynamic ABI_VERSION depending on the configuration and package version"
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libwolfssl:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so when searching for -lwolfssl
mips-openwrt-linux-musl/bin/ld: cannot find -lwolfssl
collect2: error: ld returned 1 exit status

This reverts commit 2591c83b34.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 01:15:49 +01:00
Hauke Mehrtens
505a808302 Revert "libubox: use PKG_ABI_VERSION"
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libubox:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so when searching for -lubox

This reverts commit f421fefa8a.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 01:15:49 +01:00
Felix Fietkau
2591c83b34 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-14 19:41:52 +01:00
Felix Fietkau
f421fefa8a libubox: use PKG_ABI_VERSION
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-14 19:41:52 +01:00
Rosen Penev
6d103beb15 libnftnl: update to 1.1.8
Fix license information.

Fix wrong ABI version. The library is versioned as libnftnl.so.11.4.0

Add PKG_BUILD_PARALLEL for faster compilation.

Remove autoreconf as nothing is being patched.

Minor cleanups for consistency between packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Rosen Penev
1c264de177 libevent2: update to 2.1.12
Remove upstream backports.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Rosen Penev
8cb7d13aa7 readline: update to 8.1
Fix license.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Rosen Penev
26e152e1dd gmp: update to 6.2.1
Fix license information.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Hauke Mehrtens
1f559cafe5 wolfssl: Backport fix for CVE-2021-3336
This should fix CVE-2021-3336:
DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not
cease processing for certain anomalous peer behavior (sending an
ED22519, ED448, ECC, or RSA signature without the corresponding
certificate).

The patch is backported from the upstream wolfssl development branch.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-09 23:12:49 +01:00
Rosen Penev
f13b623f5e mbedtls: update to 2.16.9
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-18 00:49:14 +01:00
Rosen Penev
43539a6aab libusb: make InstallDev explicit
Helps to see what actually gets installed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-16 23:37:08 -10:00
Rosen Penev
3d2dab5660 libusb: cleanup PKG_ variables
Reordered for consistency between packages.

Fixed license information.

Change PKG_BUILD_PARALLEL to 1. This is no longer a problem.1

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-16 23:26:52 -10:00
Rosen Penev
0798b13d7d libusb: update to 1.0.24
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-16 23:25:27 -10:00
Etan Kissling
02abd99f89 mbedtls: add config option to compile with hkdf
This adds a config option to allow compiling with HKDF algorithm support
to support applications that require this feature.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
2021-01-14 00:52:49 +00:00
Felix Fietkau
55e23f2c02 wolfssl: enable HAVE_SECRET_CALLBACK
Fixes wpad-wolfssl build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-01-02 14:36:25 +01:00
Hauke Mehrtens
e7d0d2e9dc wolfssl: Fix hostapd build with wolfssl 4.6.0
This fixes the following build problem in hostapd:
mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_add':
<artificial>:(.text.crypto_ec_point_add+0x170): undefined reference to `ecc_projective_add_point'
mipsel-openwrt-linux-musl/bin/ld: <artificial>:(.text.crypto_ec_point_add+0x18c): undefined reference to `ecc_map'
mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_to_bin':
<artificial>:(.text.crypto_ec_point_to_bin+0x40): undefined reference to `ecc_map'

Fixes: ba40da9045 ("wolfssl: Update to v4.6.0-stable")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-01 22:10:20 +01:00
Alexandru Ardelean
5eaf6d8bea libevent2: trigger rebuild on libevent2-pthreads
The symbol determines if the libevent2-pthreads libraries get built or not.
If we want to select libevent2-pthreads, and these haven't been built, an
error will occur mentioning that there are no 'libevent_pthreads-2.1.so'
files.

Adding CONFIG_PACKAGE_libevent2-pthreads to PKG_CONFIG_DEPEND will make
sure that the libraries get re-built in case libevent2-pthreads is
selected.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2021-01-01 10:26:20 -10:00
Eneas U de Queiroz
ba40da9045 wolfssl: Update to v4.6.0-stable
This version fixes a large number of bugs, although no security
vulnerabilities are listed.

Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md

Due a number of API additions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16.  The ABI does not change from previous version.

Backported patches were removed; remaining patch was refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-01-01 19:55:59 +01:00
Rosen Penev
57fe7d5401 toolchain: remove uClibc install stuff
This is preparation for removing uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 19:11:50 +01:00
Rosen Penev
2a92754ce9 libpcap: fix pcap-config
pcap-config as installed is using OS paths instead of OpenWrt ones.

Take fix from libpng and adjust as needed.

This problem seems to occur on Arch Linux and not on Debian/Fedora
based distros. No idea why.

Remove CMAKE_INSTALL as there is now an InstallDev section.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Rosen Penev
6e5759f6b4 pcre: fix paths in config file
The paths are pointing to OS paths, not OpenWrt ones. Use SED line from
libpng to fix and adjust accordingly.

This may allow certain packages that use the config file to pick up pcre.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Rosen Penev
36540aa973 nettle: update to 3.6
Updated ABI_VERSION.

Switched PKG_BUILD_PARALLEL on as there seems to be no issue anymore.
I can't find any information about why it was turned off.

Fixed license information.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Rosen Penev
0d502293e6 elfutils: update to 0.180
Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Hauke Mehrtens
aa08f43cab toolchain: Deactivate sanitizer on MIPS and ARC
MIPS 32 bit support for sanitizer was added with GCC 9, MIPS 64 bit and
ARC are still not supported in GCC 10.

Deactivate them for now and change this when we change the default
compiler to GCC 9 or later.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-12-19 23:18:38 +01:00
Rosen Penev
e030a19a57 libunwind: update to 1.5.0
Cleanup Makefile for consistency with other ones.

Remove PKG_SSP. It can be fixed with -lssp_nonshared.

Add PKG_BUILD_PARALLEL for faster compilation.

Add zlib dependency. 1.5.0 requires it now.

Refresh patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-16 22:11:19 +01:00
Rosen Penev
3040791608 libnetfilter-conntrack: update to 1.0.8
Previous git version was 1.0.7.

Switched to using tarballs for simplicity.

Fixed license information.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-15 00:18:12 +01:00
Petr Štetiar
ce1163dfa7 uclient: update to Git version 2020-12-10
2c843b2bc04c Add initial GitLab CI support
073f89f567c0 uclient-fetch: wolfSSL: fix certificate validation
086c292160ac uclient-fetch: init_ca_cert: fix memory leak
a3c1a88b031a cmake: enable extra compiler checks
32ff717ed316 uclient-http: fix extra compiler warnings on mips_24kc and cortex-a9+neon
86a2ac6ac46f uclient-fetch: fix potential memory leaks
158dd9dd289c uclient: fix initialized but never read variable
66b4420856a7 uclient-fetch: fix statement may fallt hrough
436f9b3af2ad uclient-http: fix freeing of stack allocated memory
e6b5b8a98ce2 Fix extra compiler warnings
12df67e45bb0 Add basic cram based unit tests
b6e34845124f cmake: fix building out of the tree

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-14 09:41:39 +01:00
Petr Štetiar
23bbaa02a9 ustream-ssl: update to Git version 2020-12-10
68d09243b6fd Add initial GitLab CI support
8280140db9d1 wolfssl: remove now deprecated compatibility code
cee6791b362a ustream-mbedtls: fix certificate verification
55c3fd89d508 ustream-mbedtls: implement set_require_validation
c6b4c48689a3 ustream-openssl: wolfSSL: fix certificate validation
3bc05402bfab cmake: enable extra compiler checks
cd2c3d12db43 ustream-mbedtls: fix comparison of integers of different signs
5896991e46a3 ustream-openssl: fix BIO_method memory leak
2c342ae57c5b ustream-openssl: fix wolfSSL includes
fa8ecd6ed140 cmake: fix linking when mbed TLS not in default paths
63656f81045f cmake: fix linking when wolfSSL not in default paths
c26f71e844df cmake: fix building out of the tree

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-14 09:41:39 +01:00
Daniel Golle
ee0ff7343e libubox: utils: introduce mkdir_p
Add new utility function mkdir_p(char *path, mode_t mode) to replace
the partially buggy implementations found accross fstools and procd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 23:34:10 +00:00
Eneas U de Queiroz
882ca13d92 openssl: update to 1.1.1i
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-12-11 13:57:04 +01:00
Petr Štetiar
064d65c2f7 wolfssl: fix broken wolfSSL_X509_check_host
Backport upstream post 4.5.0 fix for broken wolfSSL_X509_check_host().

References: https://github.com/wolfSSL/wolfssl/issues/3329
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-11 13:48:24 +01:00
Eneas U de Queiroz
f31c9cd383 wolfssl: compile with --enable-opensslall
This enables all OpenSSL API available.  It is required to avoid some
silent failures, such as when performing client certificate validation.

Package size increases from 356.6K to 374.7K for
arm_cortex-a9_vfpv3-d16.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-12-11 13:48:24 +01:00
Eneas U de Queiroz
4e8a0014aa wolfssl: add lighty support, skip crypttests
Tnis adds the --enable-lighty option to configure, enabling the minimum
API needed to run lighttpd, in the packages feed.  Size increase is
about 120 bytes for arm_cortex-a9_vfpv3-d16.

While at it, speed up build by disabling crypt bench/test.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-12-11 13:48:24 +01:00
Rosen Penev
f7d7a3a18b libcxx[abi]: remove
This is a neat project, but offers no benefit to OpenWrt. The initial
reason for it was to be a replacement for libstdcpp as it is smaller
and lacks compatibility for C++98. Unfortunately, compiling several
packages with it results in larger ipk sizes.

While not a member of the packages feed, this will be moved to
packages-abandoned to keep it somewhere.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-07 10:46:43 -10:00
Rosen Penev
588933ae9a lzo: remove
This is not used by any package in base. It will be moved to packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-06 11:21:44 -10:00
Eneas U de Queiroz
2f75348923 openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so
that that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
2020-12-06 18:32:14 +01:00
Rosen Penev
c7778acf10 libnetfilter-cthelper: remove
conntrack was moved to packages where this is used. This will be moved
there as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
6d242414e4 libnetfilter-cttimeout: remove
conntrack was moved to packages where this is used. This will be moved
there as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
f06aface3c libnetfilter-log: remove
ulogd in the packages feed is the only user of this. It will be moved
there.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
530965dfb4 libnetfilter-queue: remove
Nothing in base uses this. This will be moved to packages where it is
used.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
9762cf107b libroxml: remove
This will be moved to the packages feed as nothing here uses it.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-27 00:58:48 -10:00
Rosen Penev
8a87ab43d1 libiconv-full: Makefile polishing
Added PKG_INSTALL to avoid using an explicit define Build/Compile

Added PKG_BUILD_PARALLEL for faster compilation.

Removed TARGET_CLAFGS. They are no longer necessary.
fPIC is default now. So is gnu99. -DUSE_DOS is a hack to include old
and mostly unused conversions.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-26 13:09:32 -10:00
Josef Schlehofer
75063b941b libiconv-full: update to version 1.16
- Removed following patches:
100-strip_charsets.patch - makes the full variant slim.
101-autotools.patch - this one fails to apply because it was backported
from newer versions for 1.11.1.
103-configure_ac_fix.patch - backported from newer versions
200-work-with-libtool2.patch - is not needed anymore, it is done
differently in upstream
300-fortify-source-compat.patch - these files are not there anymore

- TVHeadend requires working iconv library e.g. transliteration to ASCII
and this does not work with libiconv-full currently.

There is a simple test, which requires to install iconv package.

Before applying this update:
root@turris:/# echo ŽluťoučkýKůň | iconv -t ASCII//TRANSLIT//IGNORE
luoukK

After applying this update:
root@turris:~# echo ŽluťoučkýKůň | iconv -t ASCII//TRANSLIT//IGNORE
Zlutouck'yKun

- Makefile changes:
Use HTTPS for their website
Fixed deprecated SPDX License Identifier
Move PKG_MAINTAINER above PKG_LICENSE

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com> [malta]
2020-11-26 13:09:24 -10:00
Kevin Darbyshire-Bryant
6429307a3d nettle: fix build on macos xcode 12
compiler warns that exit() isn't defined so checks for build system
compiler fail.

include <stdlib.h> to define exit()

Tested under macos Catalina & Big Sur

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-11-26 17:37:42 +00:00
Rosen Penev
a058349ff9 libusb-compat: remove
No package in base relies on this library. This library will be moved
to packages where it is needed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-25 13:23:06 +01:00
Felix Fietkau
5752ccb60f libjson-c: enable rpath for host builds to fix errors on recent macOS
Same approach as on libubox

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-14 14:48:30 +01:00
Brett Mastbergen
e800ecfa3d libnetfilter-log: Backport kernel header syncs
Backport upstream commits that sync the local kernel header
copies in this library, with up to date copies.  These updated
headers ensure that libnetfilter-log users can use current
kernel functionality such as requesting that conntrack
information be appended to nflog events sent to userspace via
the NFULNL_CFG_F_CONNTRACK flag.  This functionality has been
available since kernel version 4.4

Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
2020-11-12 18:21:55 +01:00
Felix Fietkau
128ef379ae libnl-tiny: update to the latest version
2584ebc642b2 libnl-tiny: install pkgconfig file
c291088f631d unl: add support for connecting to rtnl

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-12 11:26:03 +01:00
Daniel Golle
237f708b3c libselinux: remove dependency on musl-fts for non-musl builds
Suggested-by: Curtis Deptuck <curtdept@users.noreply.github.com>
Tested-by: Curtis Deptuck <curtdept@users.noreply.github.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-31 00:49:43 +00:00
Eneas U de Queiroz
475838de1a openssl: bump to 1.1.1h
This is a bug-fix release.  Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-09-28 08:49:39 +02:00
Daniel Golle
d96d324280 libsepol: break out chkcon utility
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-27 17:22:01 +01:00
Daniel Golle
81d895d1f1 libselinux: split utility packages and add PKG_LICENSE
Split utility packages similar to coreutils in packages feed, adding
ALTERNATIVES for those which are also provided by busybox-selinux.
Also add missing license information.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-21 18:40:38 +01:00
David Bauer
c2e75017a2 libjson-c: update to 0.15
Drop patches as they've been upstreamed:
 * 001-Fix-CVE-2020-12762.patch

Refresh patches:
 * 000-libm.patch

Add patch to avoid build failure due to missing docs in tarball.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-17 18:08:54 +02:00
Hauke Mehrtens
787de4331f wolfssl: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk	391.545

new:
libwolfssl24_4.5.0-stable-2_mips_24kc.ipk	387.439

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:51 +02:00
Hauke Mehrtens
56c2e9fe37 libnftnl: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
libnftnl12_1.1.7-1_mips_24kc.ipk	47.459

new:
libnftnl12_1.1.7-2_mips_24kc.ipk	45.742

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Hauke Mehrtens
a617861d4c jansson: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
jansson4_2.13.1-1_mips_24kc.ipk	19.171

new:
jansson4_2.13.1-2_mips_24kc.ipk	18.936

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Hauke Mehrtens
082354e4bb libnftnl: Update to version 1.1.7
The ipk sizes for mips_24Kc change like this:
old:
libnftnl12_1.1.5-1_mips_24kc.ipk	46.252

new:
libnftnl12_1.1.7-1_mips_24kc.ipk	47.459

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Hauke Mehrtens
cd2aad3812 jansson: Update to version 2.13.1
This also sets the ABI_VERSION as this is a versioned shared library.

The ipk sizes for mips_24Kc change like this:
old:
jansson_2.12-1_mips_24kc.ipk	18.692

new:
jansson4_2.13.1-1_mips_24kc.ipk	19.171

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Daniel Golle
c2c701e058 libselinux: package executables into -utils
Add new package libselinux-utils containing the executable
utilities included with libselinux.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-04 02:50:20 +01:00
Magnus Kroken
66893063ab mbedtls: update to 2.16.8
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.

* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-09-02 15:12:12 +02:00
Daniel Golle
d136848b8b libaudit: add host-build required by policycoreutils/host
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 14:24:07 +01:00
Daniel Golle
3ce21b8797 libsemanage: host-build depends on renamed libaudit package
Fixes: efdf619f21 ("audit: build only libaudit")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 12:32:52 +01:00
Daniel Golle
93ed51e5b6 libaudit: drop unused file
Drop init script from libaudit package. It will be added to the
'audit' package in the packages feed.

Fixes: efdf619f21 ("audit: build only libaudit")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 00:32:54 +01:00
Daniel Golle
2e2425ce7f libsemanage: add missing package metadata
License and CPE-ID were missing, add them.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-31 22:02:12 +01:00
Daniel Golle
efdf619f21 audit: build only libaudit
Turns out auditd depends on libev. Lets have that in packages.git.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-31 21:51:45 +01:00
Rosen Penev
879e68eafd libcxx: update to 10.0.0
Switched to upstream tarballs.

Switched to libcxxabi as using libsupc++ is quite wonky.

Fixed description.

Removed patches. The fixes are cosmetic.

Added ssp patch. This one is needed for i386 and powerpc under musl.

Compile tested every C++ package in the tree with the exception of
several boost packages. There's something broken with boost.

Ran tested with gerbera.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-08-31 22:11:23 +02:00
Rosen Penev
3f9bd9e8ee libcxxabi: add
This will be used for libcxx.

libcxxabi is needed as libsupc++ is not good enough for libcxx. It uses
GCC specific stuff which causes failed compilation for some packages.
There are also runtime issues, most notably with cxxopts where the
program just crashes.

Reference: https://github.com/gerbera/gerbera/issues/795

Added patch to fix ARM compilation.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-08-31 22:11:23 +02:00
Daniel Golle
e868809861 libsemanage: new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[removed python part for inclusion in core]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-31 13:52:05 +01:00
Paul Spooren
367c23740f wolfssl: add certgen config option
The option allows to generate certificates.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-08-31 10:19:31 +01:00
Hans Dedecker
9ee27c232e nghttp2: move to packages.git
As the package curl has been moved to packages.git and only libcurl
depends on libnghttps move it as well to packages.git.
This is based on the Hamburg  2019 decision that non essential packages
should move outside base.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-31 08:01:27 +02:00
Hauke Mehrtens
00722a720c wolfssl: Update to version 4.5.0
This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
  middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
  ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
  are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
  channel attacks are present.
* Leak of private key in the case that PEM format private keys are
  bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
  processed and returned to the application.

Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/

Fix a build error on big endian systems by backporting a pull request:
https://github.com/wolfSSL/wolfssl/pull/3255

The size of the ipk increases on mips BE by 1.4%
old:
libwolfssl24_4.4.0-stable-2_mips_24kc.ipk:	386246
new:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk:	391528

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-26 23:29:30 +02:00
Magnus Kroken
201d6776a0 mbedtls: update to 2.16.7
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07

* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).

Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[Use https://codeload.github.com and new tar.gz file]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-24 18:54:00 +02:00
Daniel Golle
bda1c127cc libselinux: fix Makefile style
Also fix line order in libselinux Makefile.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-14 02:43:31 +01:00
Daniel Golle
0133160177 libsepol: fix Makefile style
Fix line ordering (cosmetic).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-14 02:42:25 +01:00
Daniel Golle
4469e45f60 pcre: clean up Makefile line order
The most recent patch added add lines in one block instead of in the
appropriate places to keep Makefiles in consistent style. Fix that.

Fixes: ff02e1561f ("pcre: add host variant of libpcre")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-14 02:42:25 +01:00
Thomas Petazzoni
ff02e1561f pcre: add host variant of libpcre
This is needed to build the host variant of libselinux.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-14 02:29:03 +01:00
Felix Fietkau
072c5876c5 libselinux: fix build on non-Linux systems
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-08-13 20:08:29 +02:00
Felix Fietkau
2a9fb827aa libsepol: fix build on non-Linux systems
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-08-13 20:08:29 +02:00
Daniel Golle
ff6b815691 libselinux: don't depend on kernel config symbols
Dependencies are meant to express actual run-time dependencies and
strictly speaking, libselinux can be build and used on kernels without
SELinux (not in a very meaningful way, but never mind).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 14:07:18 +01:00
Daniel Golle
ab4c6f1632 musl-fts: import from packages feed
libselinux requires musl-fts to build with musl. Import it from
packages feed as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 11:44:05 +01:00
Daniel Golle
e16b84df15 pcre: import from packages feeds
libselinux require pcre, import to to core so it can build without
packages feeds.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 11:28:28 +01:00
Thomas Petazzoni
a0df664531 libselinux: add new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-08-13 09:31:34 +01:00