Commit Graph

1043 Commits

Author SHA1 Message Date
Eneas U de Queiroz
def9565be6 openssl: bump to 1.1.1m
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-01-01 18:02:49 +01:00
Sergey V. Lobanov
dfd695f4b9 libs/wolfssl: add SAN (Subject Alternative Name) support
x509v3 SAN extension is required to generate a certificate compatible with
chromium-based web browsers (version >58)

It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2021-12-29 22:55:16 +01:00
Hauke Mehrtens
18bdfc803b tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-27 00:49:08 +01:00
Stijn Tintel
052e31ed47 libunwind: add ppc64 support
Backport an upstream patch to make libunwind build on ppc64, and add
powerpc64 to the dependencies.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:37:05 +02:00
Stijn Tintel
38c3ead820 nettle: disable assembler on ppc64
As of version 3.7, Nettle added PowerPC64 assembly for several
algorithms. Unfortunately, they cause build to fail due to ABI mismatch:

gcm-hash.o: ABI version 1 is not compatible with ABI version 2 output

Disable assembler when ppc64 and musl are used for now.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:36:55 +02:00
Stijn Tintel
ac8673ff85 openssl: add ppc64 support
Backport an upstream patch that adds support for ELFv2 ABI on big endian
ppc64. As musl only supports ELFv2 ABI on ppc64 regardless of
endianness, this is required to be able to build OpenSSL for ppc64be.

Modify our targets patch to add linux-powerpc64-openwrt, which will use
the linux64v2 perlasm scheme. This will probably break the combination
ppc64 with glibc, but as we really only want to support musl, this
shouldn't be a problem.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:36:38 +02:00
Hauke Mehrtens
954e1278a9 libnl-tiny: update to the latest version
8e0555f attr.h: Add NLA_PUT_S32

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-14 22:59:10 +01:00
Stijn Tintel
7f7034d79f libnftnl: bump to 1.2.1
This version is required by nftables 1.0.1.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-12-01 00:39:26 +02:00
Rosen Penev
e6f569406f gettext: remove package
This package was necessary when uClibc was in the tree. Now that uClibc
is gone, this can go too.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:25 +01:00
Rosen Penev
a3cd6c0b89 pcre: bring back C++ bindings
It seems some people use them privately.

Reported-by: Jan Kardell <jan.kardell@telliq.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Rosen Penev
a24de89539 readline: disable shared library for host
Allows to avoid rpath hacks with at least softethervpn.

--with-pic is needed as it's not default with static libraries, only
shared ones.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Rosen Penev
3d6e25dd32 libjson-c: don't build shared host libraries
Avoids having to deal with various rpath hacks.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Daniel Golle
6fcb4f4e04
libubox: update to git HEAD
cce5e35 vlist: define vlist_for_each_element_safe

This is change affects only a macro in headers and hence it is not
required to bump ABI_VERSION.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-20 17:48:49 +00:00
Stijn Tintel
36a621b1e7 libubox: bump to git HEAD
123e976 uloop: restore return type of uloop_timeout_remaining
 3344157 uloop: add uloop_timeout_remaining64
 c87d3e1 lua/uloop: use uloop_timeout_remaining64
 c86a894 uloop: deprecate uloop_timeout_remaining

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 13:18:13 +02:00
Stijn Tintel
8802b21dff libubox: bump to git HEAD
be3dc72 uloop: avoid integer overflow in tv_diff

Fixes: FS#3943
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 01:56:53 +02:00
Hauke Mehrtens
db3acbac11 toolchain: Allow sanitizer on mips and mipsel
Support for libsanitizer on MIPS 32 and MIPSEL 32 was added with GCC 9.
MIPS 64 and ARC are still not supported.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-03 23:52:08 +01:00
Lucian Cristian
8550086c24 elfutils: enable host build
frr 8.0 needs host libelf dev
add option for host build
tested on x86, ramips, kirkwood

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
[changed commit author's email]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-01 00:56:51 +01:00
Dominick Grift
25e15f5951 libsepol: update to version 3.3
Update VERSIONs to 3.3 for release.
libsepol/cil: Fix potential undefined shifts
libsepol: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
libsepol/cil: Do not skip macros when resolving until later passes
libsepol/cil: Limit the amount of reporting for bounds failures
libsepol/cil: silence clang void-pointer-to-enum-cast warning
libsepol: resolve GCC warning about null-dereference
libsepol: use correct cast
libsepol: ebitmap: mark nodes of const ebitmaps const
Update VERSIONs to 3.3-rc2 for release.
libsepol/cil: Handle operations in a class mapping when verifying
libsepol/cil: Do not use original type and typeattribute datums
libsepol: free memory after policy validation
libsepol: avoid implicit conversions
libsepol: fix typo
libsepol/cil: Free duplicate datums in original calling function
libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsepol/cil: Limit the number of active line marks
libsepol/cil: Add function to get number of items in a stack
libsepol: Fix detected RESOURCE_LEAKs
libsepol/cil: Fix syntax checking in __cil_verify_syntax()
libsepol/cil: Use size_t for len in __cil_verify_syntax()
libsepol/cil: Remove redundant syntax checking
libsepol/cil: Improve in-statement to allow use after inheritance
libsepol/cil: Simplify cil_tree_children_destroy()
libsepol/cil: Refactor the function __cil_build_ast_node_helper()
libsepol/cil: Don't destroy optionals whose parent will be destroyed
libsepol/cil: Properly check for parameter when inserting name
libsepol/cil: Reset expandtypeattribute rules when resetting AST
libsepol/cil: Properly check parse tree when printing error messages
libsepol/cil: Allow some duplicate macro and block declarations
libsepol/cil: When writing AST use line marks for src_info nodes
libsepol/cil: Report correct high-level language line numbers
libsepol/cil: Add line mark kind and line number to src info
libsepol/cil: Create common string-to-unsigned-integer functions
libsepol/cil: Push line mark state first when processing a line mark
libsepol/cil: Check for valid line mark type immediately
libsepol/cil: Check the token type after getting the next token
libsepol/cil: Check syntax of src_info statement
libsepol/cil: move the fuzz target and build script to the selinux repository
libsepol: replace strerror by %m
libsepol/cil: remove obsolete comment
libsepol/cil: do not allow \0 in quoted strings
libsepol/cil: Fix handling category sets in an expression
libsepol: assure string NUL-termination of ibdev_name
libsepol: avoid implicit conversions
libsepol: ignore UBSAN false-positives
libsepol: avoid unsigned integer overflow
libsepol/cil: Improve checking for bad inheritance patterns
libsepol: silence -Wextra-semi-stmt warning
libsepol/cil: do not override previous results of __cil_verify_classperms
libsepol/cil: Provide option to allow qualified names in declarations
libsepol/cil: make array cil_sym_sizes const
libsepol/cil: Only reset AST if optional has a declaration
libsepol/cil: Add function to determine if a subtree has a declaration
libsepol/cil: Improve degenerate inheritance check
libsepol/cil: Reduce the initial symtab sizes for blocks
libsepol/cil: Check for empty list when marking neverallow attributes
libsepol/cil: Fix syntax checking of defaultrange rule
libsepol/cil: Properly check for loops in sets
libsepol/cil: Allow duplicate optional blocks in most cases
libsepol: declare read-only arrays const
libsepol: declare file local variable static
libsepol: drop unnecessary casts
libsepol: drop repeated semicolons
libsepol/cil: avoid using maybe uninitialized variables
libsepol/cil: drop unnecessary casts
libsepol/cil: drop dead store
libsepol/cil: drop extra semicolon
libsepol/cil: silence cast warning
libsepol: remove dead stores
libsepol: do not allocate memory of size 0
libsepol: mark read-only parameters of type_set_ interfaces const
libsepol: mark read-only parameters of ebitmap interfaces const
libsepol: remove dead stores
libsepol/cil: follow declaration-after-statement
libsepol: follow declaration-after-statement
libsepol: avoid unsigned integer overflow
libsepol: remove unused functions
libsepol: resolve missing prototypes
libsepol: fix typos
libsepol: Quote paths when generating policy.conf from binary policy
libsepol/cil: Account for anonymous category sets in an expression
libsepol/cil: Fix anonymous IP address call arguments
libsepol: quote paths in CIL conversion
libsepol/cil: Resolve anonymous levels only once
libsepol/cil: Pointers to datums should be set to NULL when resetting
libsepol/cil: Resolve anonymous class permission sets only once
libsepol/cil: Limit the number of open parenthesis allowed
libsepol/cil: Destroy the permission nodes when exiting with an error
libsepol/cil: Handle disabled optional blocks in earlier passes
libsepol/cil: Do not resolve arguments to declarations in the call
libsepo/cil: Refactor macro call resolution
libsepol/cil: Do not add NULL node when inserting key into symtab
libsepol/cil: Make name resolution in macros work as documented
libsepol/cil: Fix name resolution involving inherited blocks
libsepol/cil: Check for self-referential loops in sets
libsepol/cil: Return an error if a call argument fails to resolve
libsepol/cil: Check datum in ordered list for expected flavor
libsepol/cil: Detect degenerate inheritance and exit with an error
libsepol/cil: Fix instances where an error returns SEPOL_OK
libsepol/cil: Properly reset an anonymous classperm set
libsepol: use checked arithmetic builtin to perform safe addition
libsepol/cil: Add functions to make use of cil_write_ast()
libsepol/cil: Create functions to write the CIL AST
libsepol/cil: Use CIL_ERR for error messages in cil_compile()
libsepol/cil: Make invalid statement error messages consistent
libsepol/cil: Do not allow tunable declarations in in-statements
libsepol/cil: Sync checks for invalid rules in macros
libsepol/cil: Check for statements not allowed in optional blocks
libsepol/cil: Sync checks for invalid rules in booleanifs
libsepol/cil: Reorder checks for invalid rules when resolving AST
libsepol/cil: Use AST to track blocks and optionals when resolving
libsepol/cil: Create new first child helper function for building AST
libsepol/cil: Cleanup build AST helper functions
libsepol/cil: Reorder checks for invalid rules when building AST
libsepol/cil: Move check for the shadowing of macro parameters
libsepol/cil: Create function cil_add_decl_to_symtab() and refactor
libsepol/cil: Refactor helper function for cil_gen_node()
libsepol/cil: Allow permission expressions when using map classes
libsepol/cil: Exit with an error if declaration name is a reserved word
libsepol/cil: More strict verification of constraint leaf expressions
libsepol/cil: Set class field to NULL when resetting struct cil_classperms
libsepol/cil: cil_reset_classperms_set() should not reset classpermission
libsepol/cil: Destroy classperm list when resetting map perms
libsepol/cil: Destroy classperms list when resetting classpermission
libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
libsepol/cil: Check for duplicate blocks, optionals, and macros
libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression
libsepol: Enclose identifier lists in CIL constraint expressions
libsepol/cil: Allow lists in constraint expressions
libsepol: Enclose identifier lists in constraint expressions
libsepol: Write "NO_IDENTIFIER" for empty constraint expression
libsepol: make num_* unsigned int in module_to_cil
libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs
libsepol/cil: fix NULL pointer dereference in __cil_insert_name
libsepol/cil: replace printf with proper cil_tree_log
libsepol/cil: remove stray printf
libsepol/cil: make cil_post_fc_fill_data static
libsepol: Check kernel to CIL and Conf functions for supported versions
libsepol: Remove unnecessary copying of declarations from link.c
libsepol: Properly handle types associated to role attributes
libsepol: Expand role attributes in constraint expressions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[re-apply now that buildbot phase1 has caught up]
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-31 13:01:24 +00:00
Daniel Golle
ae4069c577
Revert "libsepol: update to version 3.3"
This reverts commit de8a800ca9.
Host build uses host includes instead of staging/hostpkg.
This breaks the build in case of selinux host libs being older than
version 3.3. Revert for now until better fix is found.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-29 14:16:30 +01:00
Dominick Grift
c8d1f8fda7 libsemanage: update to version 3.3
Update VERSIONs to 3.3 for release.
Update VERSIONs to 3.3-rc3 for release.
Update VERSIONs to 3.3-rc2 for release.
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsemanage: Fix USE_AFTER_FREE (CWE-672) in semanage_direct_write_langext()
libsemanage: silence -Wextra-semi-stmt warning
libsemanage: fix use-after-free in parse_module_store()

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Dominick Grift
6925c7580d libselinux: update to version 3.3
Update VERSIONs to 3.3 for release.
libselinux: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
Update VERSIONs to 3.3-rc2 for release.
libselinux/utils: drop requirement to combine compiling and linking
Update VERSIONs and Python bindings version to 3.3-rc1 for release
Improve error message for label file validation
libselinux: replace strerror by %m
libselinux: silence -Wextra-semi-stmt warning
libselinux/utils/getseuser.c: fix build with gcc 4.8
selinux.8: document how mount flag nosuid affects SELinux
libselinux: fix typo
libselinux: improve getcon(3) man page
libselinux: selinux_status_open: return 1 in fallback mode
libselinux: do not use status page fallback mode internally
libselinux: make selinux_status_open(3) reentrant
libselinux: avc_destroy(3) closes status page
libselinux: label_file.c: fix indent
libselinux: regex: unify parameter names
libselinux: sidtab_sid_stats(): unify parameter name
libselinux: drop redundant casts to the same type
libselinux: label_db::db_init(): open file with CLOEXEC mode
libselinux: matchpathcon: free memory on realloc failure
libselinux: label_file::init(): do not pass NULL to strdup
libselinux: init_selinux_config(): free resources on error
libselinux: matchmediacon(): close file on error
libselinux: store_stem(): do not free possible non-heap object
libselinux: getdefaultcon: free memory on multiple same arguments
libselinux: setexecfilecon(): drop dead assignment
libselinux: label_media::init(): drop dead assignment
libselinux: label_x::init(): drop dead assignment
libselinux: context_new(): drop dead assignment
libselinux: exclude_non_seclabel_mounts(): drop unused variable
libselinux: getconlist: free memory on multiple level arguments
libselinux: selabel_get_digests_all_partial_matches: free memory after FTS_D block
libselinux: selinux_restorecon: mark local variable static
libselinux: avcstat: use standard length modifier for unsigned long long
libselinux: sefcontext_compile: mark local variable static
libselinux: Sha1Finalise(): do not discard const qualifier
libselinux: label_common(): do not discard const qualifier
libselinux: selinux_file_context_cmp(): do not discard const qualifier
libselinux: sidtab_hash(): do not discard const qualifier
libselinux: silence -Wstringop-overflow warning from gcc 10.3.1
libselinux: selinux_check_passwd_access_internal(): respect deny_unknown
libselinux: do not duplicate make target when going into subdirectory

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Dominick Grift
de8a800ca9 libsepol: update to version 3.3
Update VERSIONs to 3.3 for release.
libsepol/cil: Fix potential undefined shifts
libsepol: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
libsepol/cil: Do not skip macros when resolving until later passes
libsepol/cil: Limit the amount of reporting for bounds failures
libsepol/cil: silence clang void-pointer-to-enum-cast warning
libsepol: resolve GCC warning about null-dereference
libsepol: use correct cast
libsepol: ebitmap: mark nodes of const ebitmaps const
Update VERSIONs to 3.3-rc2 for release.
libsepol/cil: Handle operations in a class mapping when verifying
libsepol/cil: Do not use original type and typeattribute datums
libsepol: free memory after policy validation
libsepol: avoid implicit conversions
libsepol: fix typo
libsepol/cil: Free duplicate datums in original calling function
libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsepol/cil: Limit the number of active line marks
libsepol/cil: Add function to get number of items in a stack
libsepol: Fix detected RESOURCE_LEAKs
libsepol/cil: Fix syntax checking in __cil_verify_syntax()
libsepol/cil: Use size_t for len in __cil_verify_syntax()
libsepol/cil: Remove redundant syntax checking
libsepol/cil: Improve in-statement to allow use after inheritance
libsepol/cil: Simplify cil_tree_children_destroy()
libsepol/cil: Refactor the function __cil_build_ast_node_helper()
libsepol/cil: Don't destroy optionals whose parent will be destroyed
libsepol/cil: Properly check for parameter when inserting name
libsepol/cil: Reset expandtypeattribute rules when resetting AST
libsepol/cil: Properly check parse tree when printing error messages
libsepol/cil: Allow some duplicate macro and block declarations
libsepol/cil: When writing AST use line marks for src_info nodes
libsepol/cil: Report correct high-level language line numbers
libsepol/cil: Add line mark kind and line number to src info
libsepol/cil: Create common string-to-unsigned-integer functions
libsepol/cil: Push line mark state first when processing a line mark
libsepol/cil: Check for valid line mark type immediately
libsepol/cil: Check the token type after getting the next token
libsepol/cil: Check syntax of src_info statement
libsepol/cil: move the fuzz target and build script to the selinux repository
libsepol: replace strerror by %m
libsepol/cil: remove obsolete comment
libsepol/cil: do not allow \0 in quoted strings
libsepol/cil: Fix handling category sets in an expression
libsepol: assure string NUL-termination of ibdev_name
libsepol: avoid implicit conversions
libsepol: ignore UBSAN false-positives
libsepol: avoid unsigned integer overflow
libsepol/cil: Improve checking for bad inheritance patterns
libsepol: silence -Wextra-semi-stmt warning
libsepol/cil: do not override previous results of __cil_verify_classperms
libsepol/cil: Provide option to allow qualified names in declarations
libsepol/cil: make array cil_sym_sizes const
libsepol/cil: Only reset AST if optional has a declaration
libsepol/cil: Add function to determine if a subtree has a declaration
libsepol/cil: Improve degenerate inheritance check
libsepol/cil: Reduce the initial symtab sizes for blocks
libsepol/cil: Check for empty list when marking neverallow attributes
libsepol/cil: Fix syntax checking of defaultrange rule
libsepol/cil: Properly check for loops in sets
libsepol/cil: Allow duplicate optional blocks in most cases
libsepol: declare read-only arrays const
libsepol: declare file local variable static
libsepol: drop unnecessary casts
libsepol: drop repeated semicolons
libsepol/cil: avoid using maybe uninitialized variables
libsepol/cil: drop unnecessary casts
libsepol/cil: drop dead store
libsepol/cil: drop extra semicolon
libsepol/cil: silence cast warning
libsepol: remove dead stores
libsepol: do not allocate memory of size 0
libsepol: mark read-only parameters of type_set_ interfaces const
libsepol: mark read-only parameters of ebitmap interfaces const
libsepol: remove dead stores
libsepol/cil: follow declaration-after-statement
libsepol: follow declaration-after-statement
libsepol: avoid unsigned integer overflow
libsepol: remove unused functions
libsepol: resolve missing prototypes
libsepol: fix typos
libsepol: Quote paths when generating policy.conf from binary policy
libsepol/cil: Account for anonymous category sets in an expression
libsepol/cil: Fix anonymous IP address call arguments
libsepol: quote paths in CIL conversion
libsepol/cil: Resolve anonymous levels only once
libsepol/cil: Pointers to datums should be set to NULL when resetting
libsepol/cil: Resolve anonymous class permission sets only once
libsepol/cil: Limit the number of open parenthesis allowed
libsepol/cil: Destroy the permission nodes when exiting with an error
libsepol/cil: Handle disabled optional blocks in earlier passes
libsepol/cil: Do not resolve arguments to declarations in the call
libsepo/cil: Refactor macro call resolution
libsepol/cil: Do not add NULL node when inserting key into symtab
libsepol/cil: Make name resolution in macros work as documented
libsepol/cil: Fix name resolution involving inherited blocks
libsepol/cil: Check for self-referential loops in sets
libsepol/cil: Return an error if a call argument fails to resolve
libsepol/cil: Check datum in ordered list for expected flavor
libsepol/cil: Detect degenerate inheritance and exit with an error
libsepol/cil: Fix instances where an error returns SEPOL_OK
libsepol/cil: Properly reset an anonymous classperm set
libsepol: use checked arithmetic builtin to perform safe addition
libsepol/cil: Add functions to make use of cil_write_ast()
libsepol/cil: Create functions to write the CIL AST
libsepol/cil: Use CIL_ERR for error messages in cil_compile()
libsepol/cil: Make invalid statement error messages consistent
libsepol/cil: Do not allow tunable declarations in in-statements
libsepol/cil: Sync checks for invalid rules in macros
libsepol/cil: Check for statements not allowed in optional blocks
libsepol/cil: Sync checks for invalid rules in booleanifs
libsepol/cil: Reorder checks for invalid rules when resolving AST
libsepol/cil: Use AST to track blocks and optionals when resolving
libsepol/cil: Create new first child helper function for building AST
libsepol/cil: Cleanup build AST helper functions
libsepol/cil: Reorder checks for invalid rules when building AST
libsepol/cil: Move check for the shadowing of macro parameters
libsepol/cil: Create function cil_add_decl_to_symtab() and refactor
libsepol/cil: Refactor helper function for cil_gen_node()
libsepol/cil: Allow permission expressions when using map classes
libsepol/cil: Exit with an error if declaration name is a reserved word
libsepol/cil: More strict verification of constraint leaf expressions
libsepol/cil: Set class field to NULL when resetting struct cil_classperms
libsepol/cil: cil_reset_classperms_set() should not reset classpermission
libsepol/cil: Destroy classperm list when resetting map perms
libsepol/cil: Destroy classperms list when resetting classpermission
libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
libsepol/cil: Check for duplicate blocks, optionals, and macros
libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression
libsepol: Enclose identifier lists in CIL constraint expressions
libsepol/cil: Allow lists in constraint expressions
libsepol: Enclose identifier lists in constraint expressions
libsepol: Write "NO_IDENTIFIER" for empty constraint expression
libsepol: make num_* unsigned int in module_to_cil
libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs
libsepol/cil: fix NULL pointer dereference in __cil_insert_name
libsepol/cil: replace printf with proper cil_tree_log
libsepol/cil: remove stray printf
libsepol/cil: make cil_post_fc_fill_data static
libsepol: Check kernel to CIL and Conf functions for supported versions
libsepol: Remove unnecessary copying of declarations from link.c
libsepol: Properly handle types associated to role attributes
libsepol: Expand role attributes in constraint expressions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Stan Grishin
05a7af9ca0 wolfssl: enable ECC Curve 25519 by default
* fixes https://github.com/openwrt/packages/issues/16652
 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898

Signed-off-by: Stan Grishin <stangri@melmac.net>
2021-10-24 18:46:24 +02:00
Rosen Penev
6b2ed6101e uclibc++: remove
No package here depends on it. Furthermore, uClibc++ is a fairly buggy
C++ library and seems to be relatively inactive upstream.

It also lacks proper support for modern C++11 features.

The main benefit of it is size: 66.6 KB	vs 287.3 KB on mips24kc. Static
linking and LTO can help bring the size down of packages that need it.

Added warning message to uclibc++.mk

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-24 18:20:50 +02:00
Ivan Pavlov
be3e260f92 wolfssl: fix compile when enable-devcrypto is set
fixing linking error when --enable-devcrypto=yes
fixes: 7d92bb0509 wolfssl: update to 4.8.1-stable

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-10-21 00:17:36 +02:00
Jitao Lu
917126ff4c ncurses: add tmux terminfo
They're preferred terminal descriptions for tmux, with additional support to
some special characters and italic fonts. More info can be found at:
https://github.com/tmux/tmux/wiki/FAQ

Fixes: FS#3404

Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
2021-10-19 08:11:38 -10:00
Andre Heider
7cb5af30f4 wolfssl: remove --enable-sha512 configure switch
It's the default anyway and this just looks confusing, as if it wasn't.

Switch to AUTORELEASE while at it.

The binary size is unchanged.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-17 16:30:12 +02:00
Andre Heider
c76300707e wolfssl: always build with --enable-reproducible-build
This gates out anything that might introduce semantically frivolous jitter,
maximizing chance of identical object files.

The binary size shrinks by 8kb:
1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-17 16:29:00 +02:00
Andre Heider
28d8e6a871 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
"Alternate certification chains, as oppossed to requiring full chain
validataion. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."

This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].

This is the recommended solution from upstream [1].

The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793

Signed-off-by: Andre Heider <a.heider@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-17 16:25:10 +02:00
Ivan Pavlov
7d92bb0509 wolfssl: update to 4.8.1-stable
Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-09-13 18:36:15 +02:00
Rosen Penev
a235b41792 libjson-c: remove old math patch
Remove old math patch meant for old GCC versions. It's not needed
for GCC and causes issues with clang.

Add CMake patch to identify clang properly and apply the proper
flags. Fixes the following warnings/errors:

json_pointer.c:230:7: warning: implicit declaration of function
'vasprintf' is invalid in C99 [-Wimplicit-function-declaration]
        rc = vasprintf(&path_copy, path_fmt, args);
             ^
json_pointer.c:317:7: warning: implicit declaration of function
'vasprintf' is invalid in C99 [-Wimplicit-function-declaration]
        rc = vasprintf(&path_copy, path_fmt, args);
             ^
/usr/include/bits/mathcalls.h:177:23: error: cannot redeclare builtin
function '__builtin_isinf'
__MATHDECL_ALIAS (int,isinf,, (_Mdouble_ __value), isinf)
                      ^
/usr/include/bits/mathcalls.h:177:23: note: '__builtin_isinf' is a
builtin with type 'int ()'
/usr/include/bits/mathcalls.h:213:23: error: cannot redeclare builtin
function '__builtin_isnan'
__MATHDECL_ALIAS (int,isnan,, (_Mdouble_ __value), isnan)

The clang patch is an upstream backport.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-30 19:16:49 -10:00
Eneas U de Queiroz
7119fd32d3 openssl: bump to 1.1.1l
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
    Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
    Severity: Medium

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-08-26 21:37:20 +02:00
Felix Fietkau
ca77ffcef2 libubox: update to the latest version
d716ac4bc423 list.h: add a few missing iterator macros

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-24 17:35:45 +02:00
Stijn Tintel
718a4f4780 wolfssl: fix build with GCC 10 on 32 x86 targets
Backport upstream patch to fix build with GCC 10 on 32 x86 targets.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-08-20 23:45:20 +03:00
Rosen Penev
9982a51ed3 pcre: update to 8.45
Switch to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
381f0e3e8d nettle: update to 3.7.3
Switch to AUTORELEASE to avoid manual increments.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
fcfd741eb8 mbedtls: update to 2.16.11
Switched to AUTORELEASE to avoid manual increments.

Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
065d4300c0 libpcap: update to 1.10.1
Switch to AUTORELEASE to avoid manual increments.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
7aff590ace libnftnl: update to 1.2.0
Switch to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
094fb3f6f9 libcap: update to 2.51
Switched to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
1795bd2f1b elfutils: update to 0.182
Add --disable-libdebuginfod with remove libcurl dependency.

Remove totally unused host elfutils.

Refreshed and rebased patches.

Also happens to fix compilation with GCC11.

Newer versions of elfutils seem to have some kind of dependency on
obstack.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
30fb675847 gettext-full: disable parallel compilation
Fails fairly reliably with make -j 12 on a Ryzen 3600.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Stephan Schmidtmer
891c8676a1 libpcap: add rpcapd as package
This enables building of rpcapd and adds it as a package.

It is a daemon that allows remote packet capturing from another machine.
E.g. Wireshark can talk to it using the Remote Capture Protocol (RPCAP).
https://www.tcpdump.org/manpages/rpcapd.8.html

Compile and run tested: OpenWrt SNAPSHOT r17190-2801fe6132 on x86/64

Signed-off-by: Stephan Schmidtmer <hurz@gmx.org>
2021-08-08 19:50:46 +02:00
Rui Salvaterra
2434a57dd7 elfutils: fix building with GCC 11
Add a patch to fix building with GCC 11, which triggers new warnings by
enabling -Warray-parameter by default.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-07-25 13:52:38 +02:00
Petr Štetiar
8307da3dbd treewide: unmark selected packages nonshared
This partially reverts changes done in commit 72cc44958e ("treewide:
mark selected packages nonshared") as it removes the nonshared flag, but
keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared
flag was incorrect.

Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared
packages as this fix attempt didn't worked out. Currently the
imagebuilder is broken again:

 openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl
 ...
 Collected errors:
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status
  * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo
  * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured
  * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl:
  * 	libiwinfo20210430
  * opkg_install_cmd: Cannot install package luci-ssl-openssl.

Everything because iwinfo's ABI was changed two times since rc3 release:

 +IWINFO_ABI_VERSION:=20210430
 +IWINFO_ABI_VERSION:=20210420

Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but
luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by
phase2 builders:

 d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease
 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis

So now luci-mod-status depends on libiwinfo20210430 but only
libiwinfo20210106 can be downloaded. This is first part of the fix, in
the upcoming commit Jo is going to remove nonshared flag from iwinfo
package as well.

References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html
Acked-by: Jo-Philipp Wich <jo@mein.io>
Reported-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-02 18:12:15 +02:00
Karel Kočí
219e17a350 ustream-ssl: variants conflict with each other
This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2021-06-21 18:48:03 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Rosen Penev
2e745e9be6 treewide: remove BUILD_PARALLEL from CMake packages
It's already default. The only exception is mt76 which has Ninja
disabled.

Found with:

git grep BUILD_PARALLEL | cut -d ':' -f 1 | sort -u > par
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 par cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hannu Nyman
72cc44958e treewide: mark selected packages nonshared
Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.

Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.

After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2021-06-13 23:58:15 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00