957abacf Bump up version number to 1.39.2, LT revision to 32:0:18
83d362c6 Don't read too greedily
a76d0723 Add nghttp2_option_set_max_outbound_ack
db2f612a nghttpx: Fix request stall
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.
Using upstream fix which now uses the same logic for relocation time
and dlsym.
Fixesopenwrt/packages#9297
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Always build AES-GCM support.
Unnecessary patches were removed.
This includes two vulnerability fixes:
CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK
extension parsing.
CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.
This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
Mark options turned on when wpad support is selected.
Add building options for TLS 1.0, and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack. Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
'38b22b1e: deduplicate files in libnghttp2' missed duplicates in
staging_dir by Build/InstallDev.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
7ffc239b Bump up version number to 1.39.1
bc886a0e Fix FPE with default backend
a3a14a9c Fix log-level is not set with cmd-line or configuration file
acfb3607 Update manual pages
bdfd14c2 Bump up version number to 1.39.0, LT revision to 31:4:17
cddc09fe Update AUTHORS
3c3b6ae8 Add missing colon
2f83aa9e Fix multi-line text travis issue
fc591d0c Run nghttpx integration test with cmake build
9a17c3ef travis: use multi-line text
b7220f07 cmake: Remove SPDY related files
a1556fd1 Merge pull request #1356 from nghttp2/fix-log-level-on-reload
77f1c872 nghttpx: Fix unchanged log level on configuration reload
49ce44e1 Merge pull request #1352 from nghttp2/travis-osx
f54b3ffc Fix libxml2 CFLAGS output
b0f5e5cc Implement daemon() using fork() for OSX
8d6ecd66 Enable osx build on travis
f82fb521 Update doc
2e1975dd clang-format-8
97ce392b Merge pull request #1347 from nghttp2/nghttpx-ignore-cl-te-on-upgrade
afefbda5 Ignore content-length in 200 response to CONNECT request
4fca2502 nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT
6975c336 Update llhttp to 1.1.3
0288093c Fix llhttp_get_error_pos usage
a3a03481 Merge pull request #1340 from nghttp2/nghttpx-llhttp
c64d2573 Replace http-parser with llhttp
f028cc43 clang-format
302e3746 Merge pull request #1337 from nghttp2/upgrade-mruby
3cdbc5f5 Merge pull request #1335 from adamgolebiowski/boost-1.70
a6925186 Fix mruby build error
45d63d20 Upgrade mruby to 2.0.1
cbba1ebf asio: support boost-1.70
e86d1378 Bump up version number to 1.39.0-DEV
4a9d2005 Update manual pages
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
9dd2dcf libubox: add format string checking to ulog()
ecf5617 ustream: Add format string checks to ustream_(v)printf()
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Highlights of this version:
- Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
- Fix OPENSSL_config bug (patch removed)
- Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
- Enable SHA3 pre-hashing for ECDSA and DSA
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
This version bump contains the following commit to fix FS#2222
3b3e368 uclient-http: set data_eof when content-length is 0
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The 8 year old file does not have any ARC definitions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The buildroot pkg-config (in staging_dir/host/bin) overrides the prefix
and exec_prefix variables in *.pc files, to supply the correct
(buildroot) paths for callers. If other variables are not defined
relative to prefix and exec_prefix, then the returned values will be
incorrect.
The default zlib.pc file generated by cmake contains absolute paths.
This patches the file to use relative paths (relative to ${prefix} and
${exec_prefix}).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Switched to xz archives for smaller size.
Removed upstreamed patches.
Reorganized Makefile a little bit for clarity. Build/Prepare is not useful
anymore. Upstream converted the file to LF.
Refreshed config.
Removed -ansi option from the original CFLAGS as this was causing long
long support to be missing.
Removed fPIC. We have the macro $(FPIC) already used. No point in setting
fpic and fPIC together.
Removed pedantic -Wlong-long warnings as they are not useful.
Removed -std=gnu++98. Not only is it unnecessary (it compiles against all
standards), it actually results in a size increase. 75843 vs. 75222 (gcc
in OpenWrt defaults to g++14).
Added --gc-sections to linker flags to reduce size: 72653 vs 75222.
Removed warn linker options. They have been upstreamed.
Tested on Archer C7v2 and GnuBee PC1.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Probably glibc too. argp_help takes a char *. not const char *.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
No target is using kernel 3.18 anymore, remove all the generic
support for kernel 3.18.
The removed packages are depending on kernel 3.18 only and are not used on
any recent kernel.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Some of changes:
* Support for local-name()
* General refactoring
* Better parsing performance
* Fix possible buffer overflow & memleak
* Validation checks
* More commit functions (file, buffer, fd)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Add a conditional to the individual package's for the kmods in DEPENDS.
This avoids the need to compile the kernel modules when the crypto
engine packages are not selected. The final binares are not affected by
this.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
This applies an upstream patch that fixes a OPENSSL_config() bug that
causes SSL initialization to fail when the openssl.cnf file is not
found. The config file is not installed by default.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
4a9d2005 Update manual pages
acf6a922 Bump up version number to 1.38.0, LT revision to 31:3:17
4ff45821 Update AUTHORS
42dce01e Merge branch 'nghttpx-fix-backend-selection-on-retry'
a35059e3 nghttpx: Fix bug that altered authority and path affect backend selection
5a30fafd Merge branch 'nghttpx-fix-chunked-request-stall'
dce91ad3 Merge branch 'nghttpx-dont-log-authorization'
2cff8b43 nghttpx: Fix bug that chunked request stalls
be96654d nghttpx: Don't log authorization request header field value with -LINFO
ce962c3f Merge branch 'update-http-parser'
f931504e Update http-parser to v2.9.1
d978f351 Fix bug that on_header callback is still called after stream is closed
ec519f22 Merge pull request #1270 from baitisj/master
e8b213e3 Bump up version number to 1.38.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enable engine support by default. Right now, some packages require
this, so it is always enabled by the bots. Many packages will compile
differently when engine support is detected, needing engine symbols from
the libraries.
However, being off by default, a user compiling its own image will fail
to run some popular packages from the official repo.
Note that disabling engines did not work in 1.0.2, so this problem never
showed up before.
NPN support has been removed in major browsers & servers, and has become
a small bloat, so it does not make sense to leave it on by default.
Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Openssl 1.1.0 made wholesale changes to its building system.
Apparently, parallel builds are working now.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Openssh uses digest contexts across forks, which is not supported by the
/dev/crypto engine. The speed of digests is usually not worth enabling
them anyway. This changes the default of the DIGESTS option to NONE, so
the user still has the option to enable them.
Added another patch related to the use of encryption contexts across
forks, that ignores a failure to close a previous open session when
reinitializing a context, instead of failing the reinitialization.
Added a link to the Cryptographic Hardware Accelerators document to the
engine pacakges description, to provide more detailed instructions to
configure the engines.
Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used
by openssh. There is an open PR to update openssh; when merged, this
symbol can be safely removed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
cfb47d30 Take into account larger frame size for prioritization
dbbe4e01 Remove unused field
371bc3a8 clang-format
5e7889c5 Update manual pages
b1b2ad50 Bump up version number to 1.37.0, LT revision to 31:2:17
e043ca83 Update AUTHORS
c2434dfb Simplify stream_less
816ad210 Reuse name when indexing header by referencing dynamic table
f5feb16e Merge pull request #1295 from bratkartoffel/fix-compile-boringssl
adf09f21 Merge pull request #1303 from donny-dont/fix-shared-install
2591960e Explicitly set install location when building shared libs
d93842db nghttpx: Fix backend stall if header and request body are sent in 2 packets
8dc2b263 nghttpx: Use std::priority_queue
8d842701 Update manual pages
de85b0fd Update README
5d6beed5 Merge branch 'nghttpx-backend-weight'
1ff9de4c nghttpx: Backend address selection with weight
34482ed4 Fix compilation with boringssl
9b6ced66 Bump up version number to 1.37.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The configure script broke when used in alpine-3.9 based docker containers. Fixed in wolfSSL >3.15.7.
Signed-off-by: Moritz Warning <moritzwarning@web.de>
The patches to the /dev/crypto engine were commited to openssl master,
and will be in the next major version (3.0).
Changes:
- Optimization in computing a digest in one operation, saving an ioctl
- Runtime configuration options for the choice of algorithms to use
- Command to dump useful information about the algorithms supported by
the engine and the system.
- Build the devcrypto engine as a dynamic module, like other engines.
The devcrypto engine is built as a separate package by default, but
options were added to allow building the engines into the main library.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[refresh patches]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Contains the following change
eeef7b5 blobmsg_json: blobmsg_format_string: do not escape '/'
Resolves FS#2147
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
ar has a deterministic (-D) and non-deterministic (-U) mode.
OpenWrt is already using the deterministic mode by default,
but ncurses' configure script force this to be non-deterministic.
Since autoreconf fails to generate a new configure, the configure script
is directly modified.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This is bugfix release that incorporated all of the devcrypto engine
patches currently in the tree.
The cleaning procedure in Package/Configure was not removing the
dependency files, causing linking errors during a rebuild with
different options. It was replaced by a simple make clean.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Applies a patch from https://github.com/openssl/openssl/pull/8213
that fixes an error where open /dev/crypto sessions were not closed.
Thanks to Ansuel Smith for reporting it.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
- Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking
the transitional mechanism, allowing libopenssl_1.0* and
libopenssl_1.1* to coexist.
- Remove the (selecting) dependency on @KERNEL_AIO
- Use global SOURCE_DATE_EPOCH
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM. This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl. Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.
Disable error messages by default except for devices with small flash or
RAM, to aid debugging.
Disable ASM by default on arm platform with small flash. Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold). All of
the affected platforms are source-only anyway.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
This version adds the following functionality:
* TLS 1.3
* AFALG engine support for hardware accelleration
* x25519 ECC curve support
* CRIME protection: disable use of compression by default
* Support for ChaCha20 and Poly1305
Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585
This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine
Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.
Fixes DTLS option that was innefective before.
Disables insecure SSL3 protocol and SHA0.
Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.
Strips building dirs from CFLAGS shown in binary.
Skips the fuzz directory during build.
Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.
This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Host "gd.tuwien.ac.at" does not exists anymore, so we replace it by "ftp.pca.dfn.de" from the official list of mirrors.
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
This fixes the following security problems:
* CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication
* CVE-2018-0734: Timing vulnerability in DSA signature generation
* Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module
Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
This introduces a new Kconfig option to switch on/off mbedtls' support
for debug functions.
The idea behind is to inspect TLS traffic with Wireshark for debug
purposes. At the moment, there is no native or 'nice' support for
this, but at
68aea15833
an example implementation can be found which uses the debug functions
of the library. However, this requires to have this debug stuff enabled
in the library, but at the moment it is staticly patched out.
So this patch removes the static part from the configuration patch
and introduces a dynamic config file editing during build.
When enabled, this heavily increases the library size, so I added
a warning in the Kconfig help section.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
The library has an usual shared object file name, which caused the
install glob pattern to miss the actual so.
Fixes: #2082
Fixes; 0e70f69a35 ("treewide: revise library packaging")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The ABI_VERSION:=1 tag will take care of transforming the binary
library package basename.
Add a virtual PROVIDES:=libelf1 for packages still having libelf1
in their DEPENDS:=... lists.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Last incompatible change appeared to be 4924411
("http: add proper error handling to uclient_http_redirect()") which
changed the return value of uclient_http_redirect() from bool to int.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Since readline/host links ncurses/host now, we need to ensure that the
libncursesw.so host library is built with -fPIC.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Also fix the libxxxw.so* -> libxxx.so* linking to actually work, the
prevsious code failed to properly symlink the versioned .so files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update (lib)readline to 8.0
Remove autoreconf
Remove blankspace at the end of the lines in description
Remove --enable-shared and --enable-static as they're enabled by default
Remove TARGET_CPPFLAGS
Simplify install sections
Install readline.pc (pkgconfig)
Add patch for linking (lib)ncurses
Source:
https://git.buildroot.net/buildroot/plain/package/readline/0000-curses-link.patch
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
e7e8ee5f Update bash_completion
b3b4e335 Update manual pages
bd93d90a Don't treat text as option if it matches -[0-9]
ea69c84b Bump up version number to 1.36.0
783b649b Update AUTHORS
eb21e6f8 Merge branch 'update-http-parser'
ab2aa567 Fix test failure
ff87a542 Use http-parser 0d0a24e19eb5ba232d2ea8859aba2a7cc6c42bc4
439dbce6 Merge branch 'nghttpx-h1-connection-pool-per-addr'
e9c9838c nghttpx: Pool h1 backend connection per address
803d4ba9 Merge branch 'nghttpx-randomize-roundrobin-order'
732245e5 make clang-format
9e8d5433 Use clang-format-7
fdcdb21c nghttpx: Randomize backend address round robin order per thread
11d0533c nghttpx: Ensure that cert serial does not exceed 20 bytes
dbb5f00d Merge pull request #1287 from rckclmbr/fix_serial_size
9cc412e2 Merge pull request #1285 from staticinvocation/master
5b2efc0a Fix getting long serial numbers for openssl < 1.1
7e4c48a4 Disable shared library if ENABLE_SHARED_LIB is OFF
082e162f Merge pull request #1282 from alagoutte/travis
7cc7c06c .travis(.yml): no longer need llvm-toolchain-trusty-7
12ebeb30 .travis(.yml): Update to Xenial
c78abbe1 Update mruby to 2.0.0
124c7848 nghttpx: Add missing return
ce9667c4 Merge branch 'nghttpx-fix-trailing-slash-handling'
f3f40840 nghttpx: Fix broken trailing slash handling
302abf1b h2load: Fix compile error with gcc
089a03be h2load: Write log file with write(2)
de4fe728 Merge branch 'pyos-master'
d1b3a83f h2load: add an option to write per-request logs
eb679253 Merge branch 'puscas-port_in_use'
6800d317 added access to the number of the current server port
c98362ea Bump up version number to 1.36.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.
For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.
The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.
In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
4ea9a2db164c Update upload-release.sh script and po files.
a01938d584b9 libelf: Mark both fsize and msize with const attribute.
c338a0541663 libebl: Don't update w, t and len unnecessarily in ebl_object_note_type_name.
422b549007f6 Prepare for 0.175
22ec8efc1dd8 elflint: Allow PT_GNU_EH_FRAME segment to match SHT_X86_64_UNWIND section.
cf10453f8252 libelf: Correctly setup alignment of SHF_COMPRESSED section data.
d3e6266754b9 strip: Also handle gnu compressed debug sections with --reloc-debug-sections
72e30c2e0cb4 Handle GNU Build Attribute ELF Notes.
7a3f6fe60b85 Recognize NT_VERSION notes.
cff53f1784c9 libcpu: Recognize bpf jump variants BPF_JLT, BPF_JLE, BPF_JSLT and BPF_JSLE
ecbe3120cddb libdwelf: New function dwelf_elf_begin.
4b0342b85b5b backends: Add x86_64 section_type_name for SHT_X86_64_UNWIND.
825e48c4e942 Also find CFI in sections of type SHT_X86_64_UNWIND
4789e0fb92b0 libelf: Explicitly update section data after (de)compression.
1628254ba215 strip: Add --reloc-debug-sections-only option.
f2d59180b90b strip: Extract code to update shdrstrndx into new common function.
f6ae0ab9350e strip: Split out debug section relocation into separate helper functions.
b15ee95bcee4 strip: Always copy over any phdrs if there are any.
e574889d92b1 unstrip: Add ELF_CHECK to make sure gelf_getehdr () doesn't return NULL.
5199e15870e0 Recognize and parse GNU Property notes.
b75ff1bbd060 addr2line: Use elf_getshdrstrndx not Ehdr field to print section name.
35197ea4c43e readelf: Use shstrndx to lookup section names.
9a74c190a2b3 backends: ppc use define instead of const for size of dwarf_regs array.
72d023b35f36 readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
dce0b3b63ba0 readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
1e7c230b277b Check sh_entsize is not zero.
22d2d082d57a size: Handle recursive ELF ar files.
2b16a9be6993 arlib: Check that sh_entsize isn't zero.
4cdb0fd0d3b4 ar: Assume epoch if ar_date is bogus.
577511f66842 findtextrel: Check that sh_entsize isn't zero.
20f9de9b5f70 libdwfl: Sanity check partial core file data reads.
2f4a040fab52 readelf: Handle multiple .debug_macro sections and decode header flag.
eee4269e5315 unstrip: Renumber the group section indexes.
c06ab0bbb476 strip, unstrip: Handle SHT_GROUP correctly.
2876b3b648f6 Handle ADD/SUB relocations
69d6e67eee30 tests: backtrace-dwarf.c improve error handling in test framework.
Originally-produced--by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Don't symlink uclient-fetch anymore to /bin/wget but rather use
the ALTERNATIVES support for wget to install it as /usr/bin/wget.
Let uclient-fetch provide wget
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
GCC 8.0+ <https://gcc.gnu.org/gcc-8/changes.html> introduces a new
warning about unsafe macros expanding to multiple statements used
as a body of a statement such as if, else, while, switch, or for.
In combination with -Werror this can cause the compilation to fail:
|In file included from xmalloc.c:37:
|xmalloc.c: In function 'xmalloc':
|system.h:39:2: error: macro expands to multiple statements [-Werror=multistatement-macros]
| fflush(stdout); \
| ^~~~~~
|xmalloc.c:52:5: note: in expansion of macro 'error'
| error (EXIT_FAILURE, 0, _("memory exhausted"));
| ^~~~~
|xmalloc.c:51:3: note: some parts of macro expansion are not guarded by this 'if' clause
| if (p == NULL)
| ^~
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
When building with full lagnuage support, libelf.so will depend on and
link with libintl.so so we need to change the pkg-config template to
reflect this library dependency.
Also change the Makefile to only pass --disable-nls to configure when
the full nls support is actually disabled in the buildroot config.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Support other packages using pkg-config to query existence and details of
libelf and libdw libraries at build time.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
This reverts commit 216397b812.
Due to:
Package ip-tiny is missing dependencies for the following libraries:
libelf.so.1
Makefile:187: recipe for target '/var/lib/buildbot/slaves/slave-lede-builds4/mips_24kc/build/sdk/bin/packages/mips_24kc/base/ip-tiny_4.19.0-6_mips_24kc.ipk' failed
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
mbedtls uses some instructions introduced in ARMv6 which are not
available in older architectures.
Fixes: 3f7dd06fd8 ("mbedtls: Update to 2.14.1")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Update mbedtls to 2.14.1
This fixes:
* CVE-2018-19608: Local timing attack on RSA decryption
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
[Update to 2.14.1]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
63843750 Update manual pages
27801e98 Bump up version number to 1.35.1
60e020a8 nghttpx: Fix broken trailing slash handling
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Support other packages using pkg-config to query existence and details of
libelf and libdw libraries at build time.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
e520469b Update manual pages
54067256 Bump up version number to 1.35.0
c4d2eeee Update AUTHORS
f51e696e asio: Add stop() to listen_and_serve doc
a433b132 Merge pull request #1260 from nghttp2/h2load-non-final-response
cf48a56d Merge pull request #1238 from jktjkt/cmake-fix-libevent-detection
6cad1b24 nghttpx: Write mruby send_info early
3c393dca nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend
17292445 h2load: Handle HTTP/1 non-final response
f6644a92 make clang-format
48998f72 Merge pull request #1222 from donny-dont/fix/declspec
15ff52f9 Update README
6c03bb14 Upgrade travis toolchain
524b4392 Fix travis build failure
859bf2bc Update manual pages
b5619fb1 h2load: Clarify that time for connect includes TLS handshake
dcbe0c69 nghttpx: Simplify move ctor and operator
2996c284 nghttpx: Cleanup
42e8ceb6 nghttpx: Convert API status code to enum class
1daf9ce8 nghttpx: Convert WorkerEventType to enum class
d68edf56 nghttpx: Convert MemcachedStatusCode to enum class
0c4e9fef nghttpx: Convert memcached op to enum class
571404c6 nghttpx: Convert MemcachedParseState to enum class
4d562b77 nghttpx: Convert LogFragmentType to enum class
e6225871 nghttpx: Convert connection check status to enum class
4bd075de nghttpx: Convert Http2Session state to enum class
b46a3249 nghttpx: Convert FreelistZone to enum class
4bd44b9c nghttpx: Convert dispatch state to enum class
1b42110d nghttpx: Make Downstream state enum class
0735ec55 nghttpx: Convert shrpx_connect_proto to enum class
00554779 nghttpx: Convert DNSResolverStatus to enum class
0963f389 nghttpx: Convert SerialEventType to enum class
1abfa3ca nghttpx: Make TLS handshake state enum class
f2159bc2 nghttpx: Convert UpstreamAltMode to enum class
b0eb68ee nghttpx: Convert shrpx_forwarded_node_type to enum class
e7b7b037 nghttpx: Convert shrpx_cookie_secure to enum class
5e4f434f nghttpx: Convert shrpx_session_affinity to enum class
20ea964f nghttpx: Convert shrpx_proto to enum class
d105619b src: Remove extra braces if possible
ec5729b1 Use std::make_unique
6c919695 Use C++14
46576178 Don't send Transfer-Encoding to pre-HTTP/1.1 clients
5e925f87 Update doc
153531d4 nghttpx: Use the same type as standard stream operator<<
f7287df0 Bump up version number to 1.35.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Some package (e.g. libunbound) depend on OPENSSL_WITH_DEPRECATED. In some
situations it may happen that libunbound and openssl are only pulled in as
build dependencies, but are not enabled in .config.
In such cases, the defaults of symbols like OPENSSL_WITH_DEPRECATED are
ignored (as the whole symbol depends on PACKAGE_libopenssl), and config
symbol dependencies of libunbound aren't effective either (as libunbound
is not actually enabled).
This commit works around the issue by introducing a hidden negated symbol
OPENSSL_NO_DEPRECATED, which is always disabled when PACKAGE_libopenssl is
disabled, and ensures that OpenSSL is built with deprecated APIs in this
case. A user can still manage to break the build by explicitly enabling
libopenssl and disabling OPENSSL_WITH_DEPRECATED; the interaction between
build dependencies and config symbols will require further discussion.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2b085815 (tag: v1.34.0) Update manual pages
986fa302 Bump up version number to 1.34.0, LT revision to 31:1:17
7c8cb3a0 nghttpx: Improve CONNECT response status handling
334c439c Fix bug that regular CONNECT does not work
6700626c Rule out content-length in the successful response to CONNECT
15162add Update manual pages
93270777 Merge pull request #1235 from nghttp2/backend-conn-timeout
aeb92bbb nghttpx: Add read/write-timeout parameters to backend option
fc7489e0 nghttpx: Fix mruby parameter validation
87ac872f nghttpx: Update doc
c278adde nghttpx: Log error when mruby file cannot be opened
f94d7209 Merge pull request #1234 from nghttp2/nghttpx-rfc8441
9b9baa6b Update doc
02566ee3 nghttpx: Update doc
3002f31b src: Add debug output for SETTINGS_ENABLE_CONNECT_PROTOCOL
d2a594a7 nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2
651e1477 Allow client sending :protocol optimistically
a42faf1c nghttpx: Write TLS alert during handshake
4aac05e1 Merge pull request #1231 from nghttp2/ws-lib-only
b80dfaa8 Adjustment for RFC 8441
a19d8f5d Deal with :protocol pseudo header
33f6e90a Add NGHTTP2_TOKEN__PROTOCOL
ed7fabcb Add SETTINGS_ENABLE_CONNECT_PROTOCOL
8753b6da Update doc
f2de733b Update neverbleed to fix OpenSSL 1.1.1 issues
88ff8c69 Update mruby 1.4.1
a63558a1 nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful
3575a132 nghttpx: Fix crash with plain text HTTP
e2de2fee Update bash_completion
9f415979 Update manual pages
4bfc0cd1 Merge pull request #1230 from nghttp2/nghttpx-faster-logging
9c824b87 nghttpx: Get rid of std::stringstream from Log
a1ea1696 Make VALID_HD_NAME_CHARS and VALID_HD_VALUE_CHARS const qualified
dfc0f248 Make static_table const qualified
ed7c9db2 nghttpx: Add mruby env.tls_handshake_finished
5b42815a nghttpx: Strip incoming Early-Data header field by default
cfe7fa9a nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
cb8a9d58 src: Remove TLSv1.3 ciphers from DEFAULT_CIPHER_LIST
023b9448 Merge branch 'tls13-early-data'
9b03c64f nghttpx: Should postpone early data by default
b8eccec6 nghttpx: Disable OpenSSL anti-replay
9f212587 Specify SSL_CTX_set_max_early_data and add an option to change max value
47f60124 nghttpx: Add an option to postpone early data processing
770e44de Implement draft-ietf-httpbis-replay-02
2ab319c1 Don't hide error code from openssl
39923024 Remove SSL_ERROR_WANT_WRITE handling
b30f312a Honor SSL_read semantics
c5cdb78a nghttpx: Add TLSv1.3 0-RTT early data support
f79a5812 Bump up version number to 1.34.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* Fixed a security issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency networks with high packet loss.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
This is an upstream-applied patch that fixes 'PATH_MAX' and 'NAME_MAX'
undeclared when compiling on musl with CONFIG_PCAP_HAS_USB.
[aafa351] pcap-usb-linux.c: add missing limits.h for musl systems.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
9d843334 Update bash_completion
23cb3f38 Update manual pages
1d682dcd Bump up version number to 1.33.0, LT revision to 31:0:17
601fbbb4 Update doc
f44aa246 Update AUTHORS
dd74a6dd Update manual pages
e959e733 src: Refactor utos
fb9a204d nghttpx: Fix compile error without mruby
cd096802 Update doc
7417fd71 nghttpx: Per-pattern not per-backend
2d1a981c Merge branch 'akonskarm-master'
45acc922 clang-format
214d0899 Merge branch 'master' of https://github.com/akonskarm/nghttp2 into akonskarm-master
31fd707d nghttpx: Fix broken healthmon frontend
9a2e38e0 fix code for reuse addr on asio client
d24527e7 Bump up LT revision due to v1.32.1 release
6195d747 nghttpx: Share mruby context if it is compiled from same file
fb97f596 nghttpx: Allocate mruby file because fopen requires NULL terminated string
0ccc7a77 nghttpx: Move blocked request data to request buffer for API request
32826466 nghttpx: Fix crash with API request
0422f8a8 nghttpx: Fix worker process crash with neverbleed write error
e329479a Merge pull request #1215 from nghttp2/mruby-per-backend
f80a7873 Merge branch 'akonskarm-reuse_addr'
866ac6ab add option reuse addr in local endpoint configuration of asio client
b574ae6a nghttpx: Support per-backend mruby script
de4fd7cd doc: Update doc
32d7883c nghttpx: Downstream::request_buf_full: take into account blocked_request_buf_
9b24e197 nghttpx: Choose h1 protocol if headers have been sent to backend on retry
13ffece1 Merge pull request #1214 from nghttp2/fix-rst-without-dconn
9d5b781d Fix stream reset if data from client is arrived before dconn is attached
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
4c76aaee Update manual pages
2b51ad67 Bump up version number to 1.32.1, LT revision to 30:3:16
708379dc Tweak nghttp2_session_set_stream_user_data
73106b0d Compile with clang-6.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Update libbsd to 0.8.7
Remove glibc dependency
Clean up InstallDev and install entries
Use /usr path for consistency
Cherry pick patches from upstream to fix musl compilation
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Starting with version 2.1.8, a release tarball is available.
Simplifies the Makefile slightly.
Updated the project URL. HTTPS is broken. Issue has been reported upstream
Adjusted patches. CMake support is not present in the tarball. It's made
for Windows anyway.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The AX_AM_JOBSERVER macro shipped with m4/ax_am_jobserver.m4 is broken on
plain POSIX shells due to the use of `let`.
Shells lacking `let` will fail to run the generated m4sh code and end up
invoking "make" with "-jyes" as argument, fialing the build.
Since there is no reason in the first place for some random package to
muck with the make job server settings and since we do not want it to
randomly override "-j" either, simply remove references to this defunct
macro to let the build succeed on platforms which not happen to use bash
as default shell.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This fixes the following security problems:
* CVE-2018-0732: Client DoS due to large DH parameter
* CVE-2018-0737: Cache timing vulnerability in RSA Key Generation
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The referenced Git commit was made on the 25th of July, not June.
Fixes 432eaa940f ("libubox: fix mirror hash")
Fixes 5dc32620c4 ("libubox: update to latest git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Correct the mirror hash to reflect whats on the download server.
A locally produced libubox SCM tarball was also verified to yield an identical
checksum compared to the one currently on the download server.
Fixes FS#1707.
Fixes 5dc32620c4 ("libubox: update to latest git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
23a3f28 openssl, wolfssl: match mbedTLS ciphersuite list
450ada0 ustream-ssl: Revised security on mbedtls
34b0b80 ustream-ssl: add openssl-1.1.0 compatibility
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
I no longer have the time, nor the desire to maintain this package.
Remove myself as maintainer.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
This reduces build time significantly.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Update mbedtls to 2.12.0
Multiple security fixes
Add support for Chacha20 and Poly1305 cryptographic primitives and their
associated ciphersuites
Difference in size on mips_24kc (ipk):
164kbytes (167882 bytes)
170kbytes (173563 bytes)
https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch dropped due to upstream
002-Add-missing-compiler_state_t-parameter.patch dropped due to upstream
202-protocol_api.patch dropped due to implemented upstream by another way
upstream commit: 55c690f6f8
and renamed via: 697b1f7e9b
ead is the only user who use the protocol api, we have to use the new api since libpcap 1.9.0
Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
We can safely assume by now that rpm5.org is dead and isn't coming back
so just add another mirror instead.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
With deterministic ECDSA the value k needed for the ECDSA signature is
not randomly generated any more, but generated from a hash over the
private key and the message to sign. If the value k used in a ECDSA
signature or the relationship between the two values k used in two
different ECDSA signatures over the same content is know to an attacker
he can derive the private key pretty easily. Using deterministic ECDSA
as defined in the RFC6979 removes this problem by deriving the value k
deterministically from the private key and the content which gets
signed.
The resulting signature is still compatible to signatures generated not
deterministic.
This increases the size of the ipk on mips 24Kc by about 2 KByte.
old:
166.240 libmbedtls_2.11.0-1_mips_24kc.ipk
new:
167.811 libmbedtls_2.11.0-1_mips_24kc.ipk
This does not change the ECDSA performance in a measurable way.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Disable MBEDTLS_SHA256_SMALLER implementation, not enabled by default in
upstream and reduces performance by quite a bit.
Source: include/mbedtls/config.h
Enable an implementation of SHA-256 that has lower ROM footprint but also
lower performance.
The default implementation is meant to be a reasonnable compromise between
performance and size. This version optimizes more aggressively for size at
the expense of performance. Eg on Cortex-M4 it reduces the size of
mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of
about 30%.
The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
164.382 Bytes
ipkg for mips_24kc after:
166.240 Bytes
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Update mbed TLS to 2.11.0
Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS
This is to avoid having a mismatch between packages when upgrading.
The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.846 Bytes
ipkg for mips_24kc after:
164.382 Bytes
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
- Removed hacks to use standalone argp as upstream now detects it nicely.
- As we are already installing files, use files from PKG_INSTALL_DIR and
not PKG_BUILD_DIR
- Only changes Makefile.am as PKG_FIXUP:=autoreconf is in use
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
3.4 is mainly a bug fix/maintenance release.
3KB increase in ipk lib size on mips.
Compile tested for: ar71xx, ramips
Run tested on: ar71xx Archer C7 v2, ramips mir3g
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Implicetely selecting the required options via Kconfig snippet from
hostapd worked fine in local builds when using menuconfig but confused
the buildbots which (in phase1) may build wpad-mini and hence already
come with CONFIG_WPA_WOLFSSL being defined as unset which then won't
trigger changing the defaults of wolfssl.
Work around by explicitely reflecting wpa_supplicant's needs in
wolfssl's default settings to make buildbots happy.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This change will trigger rebuild on buildbots in case of changed config
symbols, like in the case of hostapd selecting some wolfssl symbols
lately.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Use download from github archive corresponding to v3.14.4 tag because
the project's website apparently only offers 3.14.0-stable release
downloads.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
commit 39a6ce205d (ustream-ssl: Enable ECDHE with OpenSSL.) broke
build against wolfSSL because wolfSSL doesn't (yet) support
SSL_CTX_set_ecdh_auto() of the OpenSSL API.
Fix this in ustream-ssl:
189cd38b41 don't use SSL_CTX_set_ecdh_auto with wolfSSL
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This makes mbedtls use the POSIX API directly and not use the own
abstraction layer.
The size of the ipkg decreased by about 100 bytes.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This make sit possible to store informations about a session and reuse
it later. When used by a server it increases the time to create a new
TLS session from about 1 second to less than 0.1 seconds.
The size of the ipkg file increased by about 800 Bytes.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The soversion was changed in this version again and is now aligned with
the 2.7.2 version.
The size of the ipkg file stayed mostly the same.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
572735e4 Update manual pages
e8d693c3 Bump up version number to 1.32.0, LT revision to 30:2:16
f44dfcd9 Update AUTHORS
1f1b0d93 Update manual pages
ce8c749b Merge pull request #1173 from nghttp2/asio-client-sni
3e4f257b asio: Support client side SNI
86fab997 Upgrade neverbleed to the latest master
c3ecd445 Merge pull request #1171 from nghttp2/h2load-rate-and-duration
c65ca20a h2load: -r and --duration are mutually exclusive
a5c408c5 Ignore all input after calling session_terminate_session
06379b28 Fix treatment of padding
e04de48e Merge pull request #1162 from nghttp2/libressl
00964642 Use LIBRESSL_IN_USE instead of defined(LIBRESSL_VERSION_NUMBER)
8d0b4544 libressl 2.7 has X509_VERIFY_PARAM_*
d8a34131 libressl 2.7 has SSL_CTX_get0_certificate
5db17d0a Compile with libressl 2.7.2
1bf69b56 Define LIBRESSL_LEGACY_API and LIBRESSL_2_7_API
3febaef1 Bump up LT revision to 30:1:16 due to v1.31.1 release
b1bd6035 Fix frame handling
b48bcb21 examples: Use C style comment in .c files
6f3ce2c7 examples: Remove unused lambda capture
2f9121cf Merge branch 'Sp1l-Sp1l/allow-no-npn'
e65e7711 Add comment on #endif
636ef51b Fix compile error with -Wunused-function
400934e5 [PATCH] Allow building without NPN
4c3a3acf Merge pull request #1146 from vszakats/cmakestaticlib
9aa6002c Merge pull request #1144 from hellojaewon/master
f342260b cmake: add ENABLE_STATIC_LIB option to build static lib
a6dd4970 Fix typo
842509da Don't allow 101 HTTP status code because HTTP/2 removes HTTP Upgrade
4add618a Bump up version number to 1.32.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Some options' default values have been changed upstream, others were
accidentally inverted (CONFIG_WOLFSSL_HAS_DES3). Also add options
needed to build hostapd/wpa_supplicant against wolfssl.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
527e700 ustream-ssl: Remove RC4 from ciphersuite in server mode.
39a6ce2 ustream-ssl: Enable ECDHE with OpenSSL.
45ac930 remove polarssl support
Signed-off-by: John Crispin <john@phrozen.org>
Switched download from SourceForge to GitHub. It seems the author migrated to that.
Also fixed the website URL as the SourceForge link is dead.
Compile tested on ar71xx and mvebu. Small size decrease on ar71xx: 30444 vs. 30099 bytes.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This allows us to link the other tools against our libz and we do not
need the system zlib any more.
Only the static linked library is copied to the staging directory so we
have a statically linked library on all systems and not only on Linux.
This also adds the new dependencies of the packages which are depending
on zlib.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
mbedtls changed in version 2.7.0 the soversion of the libmbedcrypto.so
library, all applications using this shared library have to be
recompiled to be able to load the new library.
Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.
Fixes: 75c5ab4ca ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
42a8ecd jshn: fix format string for int64 type
92009b7 utils: ensure that byte-order conversion functions evaluate the argument only once
ace6489 switch from typeof to the more portable __typeof__
Signed-off-by: Felix Fietkau <nbd@nbd.name>
42a8ecd jshn: fix format string for int64 type
92009b7 utils: ensure that byte-order conversion functions evaluate the argument only once
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit 4fb684a755.
The compile fixes are still required for host systems using GCC 5.x,
such as Ubuntu 16.04 LTS.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It seems both issues (GCC5 and Musl) were fixed at some point. Thus, they can be dropped.
Did not bump version as there is no change in functionality or size.
Compile-tested on ar71xx and mvebu, both with musl.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This fixes some minor security problems.
Old size:
162262 bin/packages/mips_24kc/base/libmbedtls_2.7.0-1_mips_24kc.ipk
New size:
163162 bin/packages/mips_24kc/base/libmbedtls_2.8.0-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
6e744662 Update bash_completion
478eac09 Update manual pages
88e2029e Bump up version number to 1.31.0, LT revision to 30:0:16
45d76cf5 nghttpx: Close listening socket on graceful shutdown
54573f28 Merge pull request #1137 from nghttp2/session-set-user-data
17793e99 Add nghttp2_session_set_user_data() public API function
5eac3c90 Update manual pages
e70195ae nghttpx: Update doc
fe51e7fa Merge pull request #1130 from nghttp2/avoid-inet_pton-macro
eb951c2c src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro
39f0ce7c Merge pull request #1126 from nghttp2/nghttpx-expired-client-cert
65157811 Merge pull request #1123 from nghttp2/mruby-client-cert-not-before-after
e8af7afc nghttpx: Add an option to accept expired client certificate
38abfd18 nghttpx: Add mruby tls_client_not_before, and tls_client_not_after
ff3edc09 nghttpx: Fix potential memory leak
0bb15406 Bump up version number to 1.31.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Works around two incompatiblities between glibc and (POSIX-compliant) musl:
- missing register definitions from asm/ptrace.h
- non-POSIX-compliant ucontext_t on PPC32 with glibc
Compile tested on mpc85xx.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Some functions used by a lot of other software was renamed and is only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.
Fixes: 75c5ab4caf ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
f0836c7e Update manual pages
25db178b Bump up version number to 1.30.0, LT revision to 29:2:15
1b6713e6 Update AUTHORS
c1a496cf nghttpx: Fix bug that h1 backend idle timeout expires sooner
e098a211 mruby: Fix bug that response header is unexpectedly overwritten
0ba4bf51 Merge pull request #1120 from dylanplecki/issue-1119-mruby-header-overwrite
6deee203 Fix#1119: Stop overwrite of first header on mruby call to env.req.set_header(..)
6761a933 Merge pull request #1105 from nghttp2/nghttpx-upgrade-scheme
5cc3d159 nghttpx: Add upgrade-scheme parameter to backend option
652f57e7 Merge pull request #1104 from nghttp2/allow-ping-after-goaway
acd6b40e Allow PING frame to be sent after GOAWAY
0fbb46ed Merge pull request #1101 from nghttp2/remember-pushed-links
6ad629de Merge pull request #1102 from nghttp2/fix-missing-alpn-validation
74754982 nghttpx: Fix missing ALPN validation (--npn-list)
a31a2e3b nghttpx: Remember which resource is pushed
a776b0db Merge pull request #1092 from nghttp2/define-103
cfd926f0 src: Define 103 status code
72f52716 Bump up version number to 1.30.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
It's not needed now since commit a621b8c ("include: clean package
staging dir files before configure")
Fixes FS#1309
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Configure variable SSP_SUPPORT is ambiguous for packages (tor, openssh,
avahi, freeswitch). It means 'toolchain supporting SSP', but for toolchain
and depends it means 'build gcc with libssp'.
Musl no longer uses libssp (1877bc9d8f), it has internal support, so
SSP_SUPPORT was disabled leading some package to not use SSP.
No information why Glibc and uClibc use libssp, but they may also provide
their own SSP support. uClibc used it own with commit 933b588e25 but it was
reverted in f3cacb9e84 without details.
Create an new configure GCC_LIBSSP and automatically enable SSP_SUPPORT
if either USE_MUSL or GCC_LIBSSP.
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
So that it will not try to run c_rehash with the just built binaries on
certs/demo.
Fixesopenwrt/packages#5432
Reported-by: Val Kulkov <val.kulkov@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Also, drop unsupported configure options.
Don't use git retrieve but released tarball instead.
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
The previous commit was incorrectly rebased and referred to a not
yet existing PROJECT_GIT variable.
Fixes: d86a269c1f libubox: update to latest git HEAD
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Instead of inferring the availability of NEON support from the target
optimization flags, use a preprocessor test to decide whether to enable
ARMv8 NEON optimizations.
Fixes the following build error spotted by the mediatek/32 buildbot:
[ 26%] Building C object CMakeFiles/zlib.dir/contrib/arm/inflate.o
In file included from .../zlib-1.2.11/contrib/arm/chunkcopy.h:10:0,
from .../zlib-1.2.11/contrib/arm/inflate.c:87:
.../arm_neon.h:31:2: error: #error You must enable NEON instructions (e.g. -mfloat-abi=softfp -mfpu=neon) to use arm_neon.h
#error You must enable NEON instructions (e.g. -mfloat-abi=softfp -mfpu=neon) to use arm_neon.h
^
In file included from .../zlib-1.2.11/contrib/arm/inflate.c:87:0:
.../zlib-1.2.11/contrib/arm/chunkcopy.h:18:9: error: unknown type name 'uint8x16_t'
typedef uint8x16_t chunkcopy_chunk_t;
^
[...]
CMakeFiles/zlib.dir/build.make:302: recipe for target 'CMakeFiles/zlib.dir/contrib/arm/inflate.o' failed
Fixes: 3acecba520 "package/libs/zlib: Add ARM and NEON optimizations"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some packages such as Python/Python3 (host pip/pip3) needs this
to compile.
More detailed explanation provided by Alexandru:
"i need the zlib/host for Python/Python3 ; because, it seems the
host pip/pip3 needs this to work ; i suspect in older versions
this worked, because some of the host's build env would be used
in the build, and then the zlib-dev from the host distro would
be used ; now, the host-build does not seem to have any
-I/usr/include stuff, which is good
and it also seems that Python/Python3 does not like it if the
zlib-dev package is too old, so using this zlib/host would be
good for this as well"
Source:
https://github.com/lede-project/source/pull/1329#issuecomment-351055861
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Add option to use O3 optimization as not all devices have
space constraints. This option is default using GCC in upstream
but isn't in the CMake makefile for some reason.
Source: https://github.com/madler/zlib/blob/master/configure#L170
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
439b9b6c (tag: v1.29.0) Update manual pages
48498452 Bump up version number to v1.29.0, LT revision to 29:1:15
d30f3816 Update manual pages
4d1139f6 Remove SPDY
48f57407 nghttpx: Update doc
c1f14d73 Update manual pages
216f4dad nghttpx: Remove redundant check
a4e27d76 Revert "nghttpx: Use an existing h2 backend connection as much as possible"
2365f12e Fix CMAKE_MODULE_PATH
03f7ec0f nghttpx: Write API request body in temporary file
2056e812 nghttpx: Increase api-max-request-body
1ebb6810 nghttpx: Faster configuration loading with lots of backends
a3ebeeaf nghttpx: Fix crash with --backend-http-proxy-uri option
422ad1be Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY
97f1735c Bump up version number to 1.29.0
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
LEDE Flyspray Task 1091:
Fix libiconv-full 'undefined reference' compile linker error using GCC7 Musl
Tested with targets x86 (i386 and x86_64)
Addition of CFLAGS "std=gnu89" fixes the linker issues, credit to harrylwc
Issue found with 'minidlna' package, which depends on 'libiconv-full'
Error in compile log:
../lib/.libs/libiconv.so: undefined reference to `aliases_lookup'
../lib/.libs/libiconv.so: undefined reference to `aliases2_lookup'
collect2: error: ld returned 1 exit status
Makefile:64: recipe for target 'iconv_no_i18n' failed
Signed-off-by: Jake Staehle <jacob@staehle.us>
add no-ssl3-method again as 1.0.2n compiles without the ssl3-method(s)
Fixes CVEs: CVE-2017-3737, CVE-2017-3738
Signed-off-by: Peter Wagner <tripolar@gmx.at>
939ad5dd Update manual pages
24d92b97 Add deprecation warning when spdylay support is enabled
4c92ff18 Bump up version number to 1.28.0, LT revision to 29:0:15
280db5c6 Update neverbleed
7fbcb2d0 Merge pull request #1074 from nghttp2/fix-doc
53aeb2c3 Fix doc
ff200bfc clang-format-5.0
fee3151f Switch to clang-format-5.0
99a85159 Update manual pages
2a981a3f Merge pull request #1066 from nghttp2/nghttpx-add-affinity-cookie-secure
0028275d nghttpx: Add affinity-cookie-secure parameter to backend option
ee8bfddf Merge pull request #1063 from nghttp2/error_callback2
194acb1f src: Use nghttp2_error_callback2
43a2a70a Add nghttp2_error_callback2
73344ae9 nghttpx: Use plain hex string format for client serial
c479f612 Merge pull request #1060 from nghttp2/nghttpx-add-client-serial
eca0a302 nghttpx: Add $tls_client_serial log variable
4720c5cb nghttpx: Make client serial available in mruby script
cd55ab28 nghttpx: Add function to get serial number from certificate
d402cfdf Merge pull request #1057 from nghttp2/nghttpx-add-tls-client-issuer-name
22502182 Add tls_client_issuer_name log variable and expose it to mruby
05e1fd5e Update manual pages
943d7923 Add Session Affinity section to nghttpx howto
568ecbfb doc: Add missing port
f5ddd7f4 nghttpx: Make initial_addr_idx_ unsigned
88abbce7 nghttpx: Fix compile error with gcc
16e90365 nghttpx: Fix affinity retry
fa7945c6 nghttpx: Refactor
daca43f0 nghttpx: Fix stalled backend connection on retry
16bc11e6 nghttpx: Remove duplicated util::make_socket_nodelay
6f7e94cd Merge pull request #1047 from PiotrSikora/go_vet
61efa15a integration: Fix issues reported by the `go vet` tool.
8c0ea56b Merge pull request #1036 from nghttp2/nghttpx-affinity-cookie
54905371 nghttpx: Refactor
6010d393 integration: Add tests
be5c39a1 src: Add tests
b8fda680 nghttpx: Cookie based session affinity
e29b9c12 Merge pull request #1045 from nghttp2/nghttpx-sha1-fingerprint
539e2781 nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
7008afd4 nghttpx: Refactor get_x509_fingerprint to accept hash function
77a41756 Merge pull request #1041 from nghttp2/fix-examples-client-server
b15045d6 Merge pull request #1040 from nghttp2/nghttpx-mruby-add-more-tls-vars
03084f75 examples: Make client and server work with libevent-2.1.8
60baca27 nghttpx: Add more TLS related attributes to mruby Env object
86990db2 Merge pull request #1038 from nghttp2/nghttpx-add-more-logging-vars
cb376bcd nghttpx: Add client fingerprint and subject name to accesslog
f2b8edd1 nghttpx: Fix memory leak
c4f8afcf nghttpx: Get TLS info only when it is necessary when writing accesslog
1a1a216d Merge pull request #1037 from nghttp2/nghttpx-mruby-tls-client-vars
9f80a82c nghttpx: Add client fingerprint and subject name to mruby env
c573c80b nghttpx: Pass a pointer to SSL instead of TLSSessionInfo to LogSpec
3cd6817e Fix typos
d4a69658 Add another warning about mruby
8e06fe49 Fix typo
aaeeec8f Fix typos
66d5e246 Bump up version number to 1.28.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
When a library is using fortify-packages GCC will complain about
"error: format not a string literal, argument types not checked".
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:
../libssl.so: undefined reference to `SSLv3_client_method'
Fixes CVE: CVE-2017-3735, CVE-2017-3736
Signed-off-by: Peter Wagner <tripolar@gmx.at>
If we enable -fstack-protector while building libunwind, function
__stack_chk_fail_local will be referred to for i386 and powerpc32
arches. This will cause link failure because the default gcc build
specs says no link_ssp if -nostdlib is given.
The error message:
OpenWrt-libtool: link: ccache_cc -shared -fPIC -DPIC .libs/os-linux.o mi/.libs/init.o mi/.libs/flush_cache.o mi/.libs/mempool.o mi/.libs/strerror.o x86/.libs/is_fpreg.o x86/.libs/regname.o x86/.libs/Los-linux.o mi/.libs/backtrace.o mi/.libs/dyn-cancel.o mi/.libs/dyn-info-list.o mi/.libs/dyn-register.o mi/.libs/Ldyn-extract.o mi/.libs/Lfind_dynamic_proc_info.o mi/.libs/Lget_accessors.o mi/.libs/Lget_proc_info_by_ip.o mi/.libs/Lget_proc_name.o mi/.libs/Lput_dynamic_unwind_info.o mi/.libs/Ldestroy_addr_space.o mi/.libs/Lget_reg.o mi/.libs/Lset_reg.o mi/.libs/Lget_fpreg.o mi/.libs/Lset_fpreg.o mi/.libs/Lset_caching_policy.o x86/.libs/Lcreate_addr_space.o x86/.libs/Lget_save_loc.o x86/.libs/Lglobal.o x86/.libs/Linit.o x86/.libs/Linit_local.o x86/.libs/Linit_remote.o x86/.libs/Lget_proc_info.o x86/.libs/Lregs.o x86/.libs/Lresume.o x86/.libs/Lstep.o x86/.libs/getcontext-linux.o -Wl,--whole-archive ./.libs/libunwind-dwarf-local.a ./.libs/libunwind-elf32.a -Wl,--no-whole-archive -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/target-i386_i486_musl-1.1.16/usr/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/target-i386_i486_musl-1.1.16/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/toolchain-i386_i486_gcc-5.4.0_musl-1.1.16/usr/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/toolchain-i386_i486_gcc-5.4.0_musl-1.1.16/lib -lc -lgcc -Os -march=i486 -fstack-protector -Wl,-z -Wl,now -Wl,-z -Wl,relro -nostartfiles -nostdlib -Wl,-soname -Wl,libunwind.so.8 -o .libs/libunwind.so.8.0.1
.libs/os-linux.o: In function `_Ux86_get_elf_image':
os-linux.c:(.text+0x588): undefined reference to `__stack_chk_fail_local'
x86/.libs/Lregs.o: In function `_ULx86_access_fpreg':
Lregs.c:(.text+0x25b): undefined reference to `__stack_chk_fail_local'
x86/.libs/Lresume.o: In function `_ULx86_resume':
Lresume.c:(.text+0xdc): undefined reference to `__stack_chk_fail_local'
collect2: error: ld returned 1 exit status
Makefile:2249: recipe for target 'libunwind.la' failed
The snippet from gcc -dumpspecs
%{!nostdlib:%{!nodefaultlibs:%(link_ssp) %(link_gcc_c_sequence)}}
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Switch from git to xz release tarball as there's no good reason to keep
using git when release tarballs are provided.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
OpenSSL is built with the generic linux settings for most targets,
including aarch64. These generic settings are designed for 32-bit CPU and
provide no assembler optmization: this is widely suboptimal for aarch64.
This patch simply switches to the aarch64 settings that are already
available in OpenSSL.
Here is the output of "openssl speed" before the optimization, with
"(...)" representing build flags that didn't change:
OpenSSL 1.0.2l 25 May 2017
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-musl-gcc (...)
And after this patch, OpenSSL uses 64 bit mode and assembler optimizations:
OpenSSL 1.0.2l 25 May 2017
options:bn(64,64) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-musl-gcc (...) -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
Here are some benchmarks on a pine64+ running latest LEDE master r5142-20d363aed3:
before# openssl speed sha aes blowfish
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 3918.89k 9982.43k 19148.03k 24933.03k 27325.78k
sha256 4604.51k 10240.64k 17472.51k 21355.18k 22801.07k
sha512 3662.19k 14539.41k 21443.16k 29544.11k 33177.60k
blowfish cbc 16266.63k 16940.86k 17176.92k 17237.33k 17252.35k
aes-128 cbc 19712.95k 21447.40k 22091.09k 22258.35k 22304.09k
aes-192 cbc 17680.12k 19064.47k 19572.14k 19703.13k 19737.26k
aes-256 cbc 15986.67k 17132.48k 17537.28k 17657.17k 17689.26k
after# openssl speed sha aes blowfish
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 6770.87k 26172.80k 86878.38k 205649.58k 345978.20k
sha256 20913.93k 74663.85k 184658.18k 290891.09k 351032.66k
sha512 7633.10k 30110.14k 50083.24k 71883.43k 82485.25k
blowfish cbc 16224.93k 16933.55k 17173.76k 17234.94k 17252.35k
aes-128 cbc 19425.74k 21193.31k 22065.74k 22304.77k 22380.54k
aes-192 cbc 17452.29k 18883.84k 19536.90k 19741.70k 19800.06k
aes-256 cbc 15815.89k 17003.01k 17530.03k 17695.40k 17746.60k
For some reason AES and blowfish do not benefit, but SHA performance
improves between 1.7x and 15x. SHA256 clearly benefits the most from the
optimization (4.5x on small blocks, 15x on large blocks!).
When using EVP (with "openssl speed -evp <algo>"):
# Before, EVP mode
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 3824.46k 10049.66k 19170.56k 24947.03k 27325.78k
sha256 3368.33k 8511.15k 16061.44k 20772.52k 22721.88k
sha512 2845.23k 11381.57k 19467.69k 28512.26k 33008.30k
bf-cbc 15146.74k 16623.83k 17092.01k 17211.39k 17249.62k
aes-128-cbc 17873.03k 20870.61k 21933.65k 22216.36k 22301.35k
aes-192-cbc 16184.18k 18607.15k 19447.13k 19670.02k 19737.26k
aes-256-cbc 14774.06k 16757.25k 17457.58k 17639.42k 17686.53k
# After, EVP mode
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 7056.97k 27142.10k 89515.86k 209155.41k 347419.99k
sha256 7745.70k 29750.06k 95341.48k 211001.69k 332376.75k
sha512 4550.47k 18086.06k 39997.10k 65880.75k 81431.21k
bf-cbc 15129.20k 16619.03k 17090.56k 17212.76k 17246.89k
aes-128-cbc 99619.74k 269032.34k 450214.23k 567353.00k 613933.06k
aes-192-cbc 93180.74k 231017.79k 361766.66k 433671.51k 461731.16k
aes-256-cbc 89343.23k 209858.58k 310160.04k 362234.88k 380878.85k
Blowfish does not seem to have assembler optimization at all, and SHA
still benefits (between 1.6x and 14.5x) but is generally slower than in
non-EVP mode.
However, AES performance is improved between 5.5x and 27.5x, which is
really impressive! For aes-128-cbc on large blocks, a core i7-6600U
@2.60GHz is only twice as fast...
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Changes in v1.27.0 :
build: Fixed accidental compiler flags concatenation for MSVC (Patch from LazyHamster) (GH-1029)
build: Reduce libxml2 version requirement to 2.6.26 (Patch from Mike Lothian) (GH-1020)
asio: Support for Windows / MinGW (Patch from Daniel Evers) (GH-1027)
h2load: Print out h2 header fields with --verbose option (GH-1015)
nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only (GH-1016)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Due a compiler bug on ARM targets
( https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64516 )
unaligned access was disabled on all targets other than i386 and
x86_64 with commit 061319ec3d .
A fix has been added to lzo-2.09 so it is not necessary to disable
unaligned access within the Makefile anymore.
Signed-off-by: Stefan Oberhumer <stefan@obssys.com>
In order to build conntrack-tools from git, a newer version of
libnetfilter_conntrack is required. As 1.0.6 is currently the latest
release, switch to git.
b0a7cf7 include: expose a copy of nf_conntrack_common.h
f68f7b3 conntrack: fix missing break in setobjopt_undo_dnat()
79dac5a conntrack: revert getobjopt_is_nat() condition
b266523 libnetfilter_conntrack: bump version to 1.0.7
e870432 labels: don't crash on NULL labelmap
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
b39cac7 src: Correct typo in the location of internal.h in #include
58cb066 src: Declare the define visibility attribute together
e84b559 Revert "src: Declare the define visibility attribute together"
003c2b1 examples: set dummy connmark value to show use of NFQA_CT nested attribute
63973da doc: extend the doxygen section about NFQA_CFG_F_GSO
d7f74c7 build: bump version to 1.0.3
3f9eb57 build: bump library release version too
601abd1 doc: Add information about retrieving UID/GID/SECCTX fields
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
As git.netfilter.org seems to support HTTPS, use that instead of HTTP
which is insecure, or GIT which is blocked on many corporate networks.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The nghttp2 library is an implementation of the Hypertext Transfer
Protocol version 2 in C; it supports RFC7540 and RFC7541.
The package enables only the reusable C library; binary size is 130K (X86)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
632688e utils: nuke bitfield functions and macros
f714be1 uloop: make SIGCHLD signal handling optional
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Some symbols have been renamed.
Some are default enabled/disabled, so we need
to adjust semantics against that.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This seems to cause a false-positive warning/error
while building `libwebsockets-cyassl`.
```
make[6]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1'
make[6]: Entering directory '/home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1'
[ 2%] Building C object CMakeFiles/websockets.dir/lib/base64-decode.c.o
In file included from /home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/wolfssl/ssl.h:31:0,
from /home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/cyassl/ssl.h:33,
from /home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/cyassl/openssl/ssl.h:30,
from /home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1/lib/private-libwebsockets.h:256,
from /home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1/lib/base64-decode.c:43:
/home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/wolfssl/wolfcrypt/settings.h:1642:14: error: #warning "For timing resistance / side-channel attack prevention consider using harden options" [-Werror=cpp]
#warning "For timing resistance / side-channel attack prevention consider using harden options"
```
Hardening is enabled by default in libwolfssl at build-time.
However, the `settings.h` header is exported (along with other headers)
for build (via Build/InstallDev).
This looks like a small bug/issue with wolfssl.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This is to eliminate any ambiguity about the cyassl/wolfssl lib.
The rename happened some time ago (~3+ years).
As time goes by, people will start to forget cyassl and
start to get confused about the wolfSSL vs cyassl thing.
It's a good idea to keep up with the times (moving forward).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Until other packages from feeds decide to rename the
dependency of `+libcyassl` to `+libwolfssl`, this allows
for a bit of backwards compatibility with those packages.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
elfutils turns on -Werror by default, and patch 100-musl-compat.patch
changes how strerror_r is used and we no longer use the function's
return value. This causes the following build error/warning to occur
with glibc-based toolchains:
dwfl_error.c: In function 'dwfl_errmsg':
dwfl_error.c:158:18: error: ignoring return value of 'strerror_r',
declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r (error & 0xffff, s, sizeof(s));
^
cc1: all warnings being treated as errors
Fixing this would be tricky as there are two possible signatures for
strerror_r (XSI and GNU), just turn off unused-result warnings instead.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Addresses CVE-2015-3239: Off-by-one error in the dwarf_to_unw_regnum
function in include/dwarf_i.h in libunwind 1.1 allows local users to
have unspecified impact via invalid dwarf opcodes.
Upstream stable-v1.2 fixed the missing unwind_i.h issue but no new
tarball is released yet
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Some external toolchains may be configured to enable OpenMP. Provide a
package for these libraries which can be used by other packages.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Add mirror and use main site as last resort.
Source: http://www.tcpdump.org/mirrors.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Refresh mirror list, some doesn't offer OpenSSL and add main site as last resort.
Source: https://www.openssl.org/source/mirror.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
uClibc doesn't implement strerror_l() and thus libnl starting from
3.2.29 couldn't be compiled with it any longer, see
6c2d111177
To work-around that problem we'll just do a check on strerror_l()
availability during configuration and if it's not there just fall back
to locale-less strerror().
Patch for libnl is alreadfy merged upstream, see
e15966ac7f
and once the next libnl release happens this one must be removed from
Lede/OpenWrt.
Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: John Crispin <john@phrozen.org>
Cc: Daniel Engberg <daniel.engberg.lists@pyret.net>
musl provides a /lib/libc.so file which should be integrated into the libc
package when the external toolchain with musl is used.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
We need to let external toolchains be able to specify the path and
specification file to the libthread-db POSIX thread debugging shared
libraries.
This fixes GDB not being able to be installed because it is depending on
libthread-db:
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies
* for gdb:
* libthread-db *
* opkg_install_cmd: Cannot install package gdb.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.
Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,
Fixes#572
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Important change was made in 1.0.18: all sub-libs were merged
in one and only libc similarly to musl.
See [1] for more details.
To support that we had to remove refences to those sub-libs like
libpthread, libcrypt, libdl, libm, libutil etc.
[1] http://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=29ff9055c80efe77a7130767a9fcb3ab8c67e8ce
Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.
Example code to reproduce:
typedef std::multimap<int, int> testmap;
testmap t;
t.insert(std::pair<int, int>(1, 1));
t.insert(std::pair<int, int>(2, 1));
t.insert(std::pair<int, int>(3, 1));
t.erase(t.begin(), t.end());
Signed-off-by: Ben Kelly <ben@benjii.net>
Adds the following changes:
de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Some toolchains will produce executables with an interpreter that is e.g:
ld.so.1 (typically a symbolic link). Due to our current LIBC_SPEC_FILE value,
we would not be able to copy this symbolic link/file over to the rootfs and
executables would fail to load. Extend the search pattern to include all
ld*.so* files that could be needed.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.
By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:
libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`
Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The gettext-full host build might pick up iconv-stub host build headers
during the build, leading to stray linker errors with unresolved references
to libiconv_open(), libiconv() and libiconv_close().
Since we're not needing iconv support on the host, pass the appropriate
cache variables to configure to prevent detection and linking of iconv.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Cleanup to prepare for changing STAGING_DIR_HOSTPKG. The actual change of
STAGING_DIR_HOSTPKG (i.e., moving the host packages back into a common, not
target-specific directory) will be done after the first LEDE release, but
the cleanup will also be useful for projects like Gluon.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Other changes:
- Project moved to sourceware.org
- musl patch where cleaned up and submitted upstream
- TEMP_FAILURE_RETRY macro fixed and submitted upstream
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[Jo-Philipp Wich: add missing .patch extension to 007-fix_TEMP_FAILURE_RETRY]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Brings in the following changes:
52d955fd802a remove obsolete mac os x /opt/local include/library search path
a4e49b4163b2 Fix unused results warnings
48cfff3fbec9 uclient-http: send correct "Host:" header if port is set
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Currently both libustream-polarssl and libustream-mbedtls
variants define themselves as the DEFAULT_VARIANT
Remove extra DEFAULT_VARIANT from libustream-polarssl.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Later OpenVPN 2.3-openssl versions only enable
TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE
cipher suites. ECDHE key exchange is not supported by
OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE
OpenVPN 2.4-mbedtls clients to connect to such servers.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reported-by: Lucian Cristian <luci@createc.ro>
Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to
make OpenVPN-mbedtls clients able to perform ECDHE key exchange
with remote OpenVPN 2.4-openssl servers that use the default
OpenVPN curve.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Add patches provided upstream [1] by Fabio Berton to fix error:
> ./gencode.c: In function 'pcap_compile':
> ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai'
> cstate.ai = NULL;
> ^
> ./gencode.c: In function 'gen_gateway':
> ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function)
> bpf_error(cstate, "direction applied to 'gateway'");
> ^
[1] https://github.com/the-tcpdump-group/libpcap/pull/541
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Sometimes I'm getting error on the host-side build:
```
/usr/lib64/gcc/x86_64-suse-linux/4.8/../../../../x86_64-suse-linux/bin/ld: /home/sandu/work/lede/staging_dir/host/lib/liblzma.a(liblzma_la-common.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/home/sandu/work/lede/staging_dir/host/lib/liblzma.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:2847: recipe for target 'libgettextlib.la' failed
make[9]: *** [libgettextlib.la] Error 1
make[9]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl-1.1.15/host/gettext-0.19.8.1/gettext-tools/gnulib-lib'
Makefile:2597: recipe for target 'all' failed
```
Disabling the shared-lib build, seems to fix this.
This is when building glib2 on the host-side.
glib2 is required by newer QEMU package [which is in the feeds].
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This partially reverts commit 15734b023b.
--enable-stunnel was actually important and properly described in
commit 9b118cde89. Removing it broke ustream-cyassl
Signed-off-by: Felix Fietkau <nbd@nbd.name>
If _GNU_SOURCE was added as part of a package's TARGET_CFLAGS,
then compilation would fail for that module (especially if
warnings get treated as errors).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
More and more platforms are multicore SoCs, don't enforce singlethreading.
Drop stunnel option as stunnel code isn't available for download from upstream website.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Update libpcap to upstream release 1.8.1
Change the name from libpcap.so.1.3 to libpcap.so.1
Remove parts of patch 201 which moved code among src files.
Import patch 204 from Debian to update the USB path.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix parallel build bug]
One of those changes is re-enabling blowfish support to make
openvpn-mbedtls compatible with common configurations
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x.
DHM_C is also already enabled in the PolarSSL 1.3.x config.h.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Last release of libnetfilter-queue was in 2012.
There don't seem to be any release tarballs since then.
This updates it to a more recent version, pointing to the git repo.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This fixes the following security problems:
CVE-2016-7440: Software AES table lookups do not properly consider cache-bank access times
CVE-2016-7439: Software RSA does not properly consider cache-bank monitoring
CVE-2016-7438: Software ECC does not properly consider cache-bank monitoring
SWEET32 Attack
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This constant was always defined to 0, and recently got removed in
upstream commit a07ea4d9941af5a0c6f0be2a71b51ac9c083c5e5 ("genetlink: no
longer support using static family IDs")
Fixes libnl-tiny builds with latest upstream kernels.
Fixes: d723f2573a ("libnl-tiny: remove include/linux overrides to fix various build issues")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This allows to include optimizations such as ARM neon which
are detected on run-time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
[Jo-Philipp Wich: picked from openwrt#191 and rebased onto LEDE master]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Switch to xz tarball, there's no point pulling two different tarballs of the same source code (tools/libtool uses xz).
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
luci using ustream-mbedtls is extremely slow vs ustream-polarssl.
polarssl alias mbedtls v1 is configured to use NIST prime speed
optimisation, so no longer disable the default optimisation for
mbedtls v2.
Compile & run tested: Archer C7v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[Jo-Philipp Wich: refresh patch to use common format]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
For 64-bit capable systems, a symbolic link is set up for /lib64 to point to
/lib, so make sure the installation goes into /lib, irrespective of where the C
library files come from in an external toolchain.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
Patches applied upstream:
* 301-fix_no_nextprotoneg_build.patch
* 302-Fix_typo_introduced_by_a03f81f4.patch
Security advisory: https://www.openssl.org/news/secadv/20160926.txt
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.
Signed-off-by: Andreas Schultz <aschultz@tpip.net>
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.
Signed-off-by: Andreas Schultz <aschultz@tpip.net>
When PKG_CONFIG_LIBDIR was unset in the environment, the configure
script was deducing the PKG_CONFIG_LIBDIR from the location of the
pkg-config binary, which doesn't make a lot of sense, and isn't done
by other autotools based packages.
Patch imported from the Buildroot project:
https://github.com/buildroot/buildroot/blob/master/package/ncurses/0001-fixup-pkg-config-handling.patch
Also refresh patches while we're at.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Change the error message about missing SSL support to be more explicit by
mentioning required package names.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The patch needed for this commit has been sent upstream:
https://github.com/openssl/openssl/pull/1155
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [add back bf and srp]
NPN has been superseded by ALPN so NPN is disabled by default
The patch has been sent to OpenSSL for inclusion, see
https://github.com/openssl/openssl/pull/1100
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
There seems to be a situation in which a rebuild of libpcap.so is triggered
in the install step of the libpcap Makefile. libpcap.so is the wrong
target, leading to the build failure reported in [1].
Fix the dependency of install-shared-so to $(SHAREDLIB) so the build can
succeed in this case.
[1] https://dev.openwrt.org/ticket/19894
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This reverts commit abf0768131.
The description is wrong, there is no recursive dependency here. The
conditions were added intentionally to avoid bogus build dependencies.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Two variants incorrectly include themselves in
conditional depends on ssl libraries, which results
in a recursive dependency.
Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
This adds this commit from normal libnl to libnl-tiny:
2dbc1ca76c
commit 2dbc1ca76c5b82c40749e609eb83877418abb006
Author: dima <dima.ky@gmail.com>
Date: Wed Oct 13 17:53:34 2010 +0300
Generic Netlink multicast groups support
I have a patch against commit d378220c96c3c8b6f27dca33e7d8ba03318f9c2d
extending libnl with a facility to receive generic netlink messages sent
to multicast groups.
Essentially it add one new function genl_ctrl_resolve_grp which
prototype looks like this
int genl_ctrl_resolve_grp(struct nl_sock *sk, const char *family_name,
const char *grp_name)
It resolves the family name and the group name to group id. Then
the returned id can be used in nl_socket_add_membership to subscribe
to multicast messages.
Besides that it adds two more functions
uint32_t nl_socket_get_peer_groups(struct nl_sock *sk)
void nl_socket_set_peer_groups(struct nl_sock *sk, uint32_t groups)
allowing to modify the socket peer groups field. So it's possible to
multicast messages from the user space using the legacy interface.
Looks like there is no way (or I was not able to find one?) to modify
the netlink socket destination group from the user space, when the
group id is greater then 32.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cosmetic style fix]
There are 2 issues fixed by this patch:
- UDP checksum is computed incorrectly, the used pseudo IP header
contains transport protocol 6 iso 17
- on big endian arches the UDP/TCP checksum is incorrectly
computed when payload length is odd
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh patch]
The package Makefile was based on work at link [1] with the following
changes
1. Disable minidebuginfo support thus no dependency on liblzma
2. Add 2 patches for building against musl-libc and building with
mips16 enabled
3. Add LICENSE and DEPENDS info, etc.
[1] https://github.com/rpi-openwrt/rpi-packages/tree/master/libs/libunwind
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Recent versions of Chrome require this ciphers to successfully handshake with
a TLS enabled uhttpd server using the ustream-polarssl backend.
If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL`
when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()`
to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
>From wolfssl/openssl/opensslv.h, and from skimming the contents of what
"--enable-stunnel" actually does, it seems that --enable-opensslextra
doesn't give you the "full" openssl compatibility that you may wish for
these days. Unfortuantely, while wolfssl writes the build time options
into wolfssl/options.h, it doesn't include that file itself. User
applications must include that directly.
Signed-off-by: Karl Palsson <karlp@etactica.com>
When the gettext-full host build phase finds an `emacs` exectuble during the
build it will launch an `emacs --batch` command to run some Lisp code.
On certain Debian systems the `/usr/bin/emacs` path might point, via
alternatives, to the `/usr/bin/jove` editor which will then launch an
interactive session when invoked by the gettext build.
In order to avoid this problem, explicitely disable emacs handling during
the build through a configure environment variable.
Also remove my now unreachable maintainer address.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
wolfssl has a fine grained feature and compatibility control
for compiling stunnel, lighthttp or (partly) openssl dropin
ustream-ssl uses features that require normally
HAVE_SNI, HAVE_STUNNEL and the openssl compatibility headers
ar71xx ipkg sizes of wolfssl 3.9.0:
- with stunnel: 144022
- this patch (w.o. stunnel): 131712
- without openssl(extra): 111104
- w.o openssl/sni:108515
- w.o openssl/sni/ecc: 93954
so patch 300 saves around 12k compressed ipkg size
v2: keep & rename patch 300 for clarity, fixes ustream-ssl/cyassl
that broke with v1
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
The libusb package is not parallel build save, a make -j16 reliably breaks it.
Forcibly disable parallel building.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
this patch fixes a bug when using uclibc on MIPS. The bug does not exist when
using musl, so drop the fix.
Signed-off-by: John Crispin <john@phrozen.org>
Bump to the latest version, fixes several security issues:
* CVE-2016-2107, CVE-2016-2105, CVE-2016-2106, CVE-2016-2109, CVE-2016-2176
More details at https://www.openssl.org/news/openssl-1.0.2-notes.html
Signed-off-by: Michal Hrusecky <Michal.Hrusecky@nic.cz>
This patch adds missing ASCII aliases to the libiconv stub in order to avoid conversion errors like https://github.com/openwrt/packages/issues/2373
Signed-off-by: Gergely Kiss <mail.gery@gmail.com>
One of the patched files, include/unwind-cxx.h, contains windows newlines
which lead to the following failure:
Applying ./patches/006-eabi_fix.patch using plaintext:
patching file include/typeinfo
patching file include/unwind-cxx.h
Hunk #1 FAILED at 173 (different line endings).
Hunk #2 FAILED at 181 (different line endings).
Add a fixup command to the prepare phase which normalizes the line endings
before applying source patches.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This has been added to the kernel uapi for a while, and makes
sense to have it here too.
At the moment we're using it for query-ing qdisc via netlink
using libnl-tiny.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 49188
CVE-2016-0704
s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites. This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.
CVE-2016-0703
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers.
If clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if
an eavesdropper has intercepted an SSLv2 handshake, they can use the server as
an oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation. More importantly, this leads to a more
efficient version of DROWN that is effective against non-export ciphersuites,
and requires no significant computation.
CVE-2016-0702
A side-channel attack was found which makes use of cache-bank conflicts on
the Intel Sandy-Bridge microarchitecture which could lead to the recovery of
RSA keys. The ability to exploit this issue is limited as it relies on an
attacker who has control of code in a thread running on the same hyper-
threaded core as the victim thread which is performing decryptions.
CVE-2016-0799
The internal |fmtstr| function used in processing a "%s" format string in
the BIO_*printf functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings. Additionally
the internal |doapr_outch| function can attempt to write to an OOB memory
location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size
of a buffer to be allocated is greater than INT_MAX. E.g. this could be in
processing a very long "%s" format string. Memory leaks can also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data is
passed to the BIO_*printf functions. If applications use these functions in
this way then they could be vulnerable. OpenSSL itself uses these functions
when printing out human-readable dumps of ASN.1 data. Therefore applications
that print this data could be vulnerable if the data is from untrusted sources.
OpenSSL command line applications could also be vulnerable where they print out
ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is
not considered directly vulnerable. Additionally certificates etc received via
remote connections via libssl are also unlikely to be able to trigger these
issues because of message size limits enforced within libssl.
CVE-2016-0797
In the BN_hex2bn function the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large
values of |i| this can result in |bn_expand| not allocating any memory because
|i * 4| is negative. This can leave the internal BIGNUM data field as NULL
leading to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this case
memory is allocated to the internal BIGNUM data field, but it is insufficiently
sized leading to heap corruption. A similar issue exists in BN_dec2bn. This
could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user
applications with very large untrusted hex/dec data. This is anticipated to be
a rare occurrence. All OpenSSL internal usage of these functions use data that
is not expected to be untrusted, e.g. config file data or application command
line arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be rare.
CVE-2016-0798
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory
management semantics; the returned pointer was sometimes newly allocated, and
sometimes owned by the callee. The calling code has no way of distinguishing
these two cases. Specifically, SRP servers that configure a secret seed to hide
valid login information are vulnerable to a memory leak: an attacker connecting
with an invalid username can cause a memory leak of around 300 bytes per
connection. Servers that do not configure SRP, or configure SRP but do not
configure a seed are not vulnerable. In Apache, the seed directive is known as
SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured a seed.
Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note
that OpenSSL makes no strong guarantees about the indistinguishability of valid
and invalid logins. In particular, computations are currently not carried out
in constant time.
CVE-2016-0705
A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare.
CVE-2016-0800
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and non-
vulnerable servers can be decrypted provided another server supporting SSLv2
and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP)
shares the RSA keys of the non-vulnerable server. This vulnerability is known
as DROWN (CVE-2016-0800). Recovering one session key requires the attacker to
perform approximately 2^50 computation, as well as thousands of connections to
the affected server. A more efficient variant of the DROWN attack exists
against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m,
1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below). Users can
avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers,
if they've not done so already. Disabling all SSLv2 ciphers is also sufficient,
provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f)
have been deployed. Servers that have not disabled the SSLv2 protocol, and are
not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers. OpenSSL 1.0.2g and 1.0.1s deploy the following
mitigation against DROWN: SSLv2 is now by default disabled at build-time.
Builds that are not configured with "enable-ssl2" will not support SSLv2.
Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl,
SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the
application explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery
have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2
56-bit DES are no longer available. In addition, weak ciphers in SSLv3 and up
are now disabled in default builds of OpenSSL. Builds that are not configured
with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength
ciphers.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48868
Update also the library version of gmp to 6.1.0.
Switch download to use the GNU alias.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
SVN-Revision: 48712
This will make adding future glibc versions easier because the
conditionals won't have to be modified again.
Signed-off-by: Michael Marley <michael@michaelmarley.com>
SVN-Revision: 48399
Currently libiconv-stub and libiconv-full use different names
for functions iconv, iconv_open, and iconv_close.
This may lead to failures when building modules, e.g. with
apr-util when NLS is not activated.
The two modules libiconv-stub and libiconv-full should be
interchangeable, so we need the same function names.
cf.
http://git.savannah.gnu.org/cgit/libiconv.git/tree/include/iconv.h.in
After applying this patch execute
make distclean
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48301
The autopoint and gettextize host utilities contain hardcoded staging dir
paths which need to be overridden for the SDK environment.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48208
The patch adds a new package zlib-dev. It contains all files needed for
compiling a program using the zlib library:
/usr/include/zconf.h
/usr/include/zlib.h
/usr/lib/libz.a
/usr/lib/pkgconfig/zlib.pc
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48151
Source package libtool is used to package libltdl.
Unfortunately binary libtoolize is missing.
Packaging libtoolize would depend on package file which is in the
packages feed.
Felix Fietkau suggested to rename source libtool to libltdl
and to create a new package libtool in packages.
This patch contains the renaming.
CC: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
SVN-Revision: 48149
Warning is:
#warning redirecting incorrect #include <sys/poll.h> to <poll.
Not a big issue.
But it can be annoying when building with -Werror set.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
SVN-Revision: 48004
OpenSSL moves old versions of the library from
http://www.openssl.org/source/ to
http://www.openssl.org/source/old/$version/ breaking the old links.
That behavior breaks the OpenWRT-build every time OpenSSL releases
a new version.
This patch adds http://www.openssl.org/source/old/$version/ to the
PKG_SOURCE_URL of OpenSSL to avoid breaking the build whenever
OpenSSL releases a new version.
Signed-off-by: Kevin Kirsch <ranlvor@starletp9.de>
Reviewed-by: Alexander Dahl <post@lespocky.de>
SVN-Revision: 47860
Packages using libncursesw can fail to build if both libncurses and libncursesw
are not installed. Currently the ncurses.h file is installed in "usr/include/ncursesw"
directory and includes other .h files in the "usr/include" directory incorrectly.
For example: Including <ncursesw/ncurses.h> fails due to these references. These build
changes will set the correct include paths within the developer includes.
Packages that expect ncurses.h (or curses.h) in the default "usr/include" path fail
even when expecting to build with libncursesw and will need to be fixed as well. However,
they cannot be fixed until this patch is applied.
Signed-off-by: Ted Hess <thess@kitschensync.net>
SVN-Revision: 47853
This version and version 3.6.8 are fixing the following security problems:
* CVE-2015-7744
* CVE-2015-6925
The activation of SSLv3 support is needed for curl.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 47791
This is a minor version update which fixes some small bugs. None of
these bugs were exploitable according to the release notes.
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
SVN-Revision: 47724
Currently some libnl headers require application code to include
dependencies on its own. E.g. a simple include of <linux/netlink.h>
will trigger an error:
/usr/include/libnl-tiny/linux/netlink.h:32:2: error: unknown type name 'sa_family_t'
Similarly including <netlink/handlers.h> causes:
/usr/include/libnl-tiny/netlink/handlers.h:133:19: warning: 'struct ucred' declared inside parameter list [enabled by default]
Fix it by including <sys/socket.h> where needed in libnl headers.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
SVN-Revision: 47456