Commit Graph

1387 Commits

Author SHA1 Message Date
Hauke Mehrtens
3c17cdbc36 mbedtls: Activate secp521r1 curve by default
Activate the secp521r1 ecliptic curve by default. This curve is allowed
by the CA/Browser forum, see
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1-redlined.pdf#page=110

This increases the size of libmbedtls12_2.28.5-1_aarch64_generic.ipk by
about 400 bytes:
Without:
252,696 libmbedtls12_2.28.5-1_aarch64_generic.ipk
With:
253,088 libmbedtls12_2.28.5-2_aarch64_generic.ipk

Fixes: #13774
Acked-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-11-06 23:04:00 +01:00
Anari Jalakas
1925a183a3 libsepol: opt-out of lto usage
This fixes building with USE_LTO enabled.

<artificial>:(.text+0x4194): relocation R_MIPS16_26 against `cil_printf.lto_priv.0' cannot be used when making a shared object; recompile with -fPIC
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: non-dynamic relocations refer to dynamic symbol memcmp
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status

Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
2023-10-29 19:42:32 +01:00
Anari Jalakas
2a33d26d21 libselinux: opt-out of lto usage
This fixes building with USE_LTO enabled:

<artificial>:(.text.exit+0x6e): relocation R_MIPS16_26 against `pthread_key_delete' cannot be used when making a shared object; recompile with -fPIC
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: non-dynamic relocations refer to dynamic symbol stpcpy
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status

Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
2023-10-29 19:42:32 +01:00
Hauke Mehrtens
e4ebc7b566 openssl: update to 3.0.12
Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
 * Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-10-26 00:00:18 +02:00
Koen Vandeputte
4bdd1c1a13 libnl: add support for cli
Some packages (like wavemon >= 0.9.4) depend on libnl-cli. Add support
for this part of the lib. libnl-cli itself depends on libnl-genl and
libnl-nf. On MIPS, this component adds 81kB.

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
(punctuation correction and reorganisation of commit message)
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-10-22 12:08:09 +02:00
Arien Judge
c46ae366cf
toolchain: link ldd when using external toolchain
When using an external toolchain, ldd is not linked into the rootfs.
This causes subsequent upgrades to fail with 'Failed to exec upgraded'.
This patch adds the symlink when using an external toolchain and musl.

Signed-off-by: Arien Judge <arienjudge@outlook.com>
2023-10-20 18:55:55 +02:00
Christian Marangi
c0e30b17eb
treewide: disable QUILT refresh for unsupported packages
Some packages won't ever have something to patch as they normally
install files or are meta-packages.

For these special packages, disable QUILT refresh.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-10-20 16:13:13 +02:00
Nick Hainke
c9e6831a89 gmp: update to 6.3
Release Notes:
https://gmplib.org/gmp6.3

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-10-17 11:05:16 +02:00
Nick Hainke
79e9bdda68 zlib: update to 1.3
Changes in 1.3 (18 Aug 2023)
- Remove K&R function definitions and zlib2ansi
- Fix bug in deflateBound() for level 0 and memLevel 9
- Fix bug when gzungetc() is used immediately after gzopen()
- Fix bug when using gzflush() with a very small buffer
- Fix crash when gzsetparams() attempted for transparent write
- Fix test/example.c to work with FORCE_STORED
- Rewrite of zran in examples (see zran.c version history)
- Fix minizip to allow it to open an empty zip file
- Fix reading disk number start on zip64 files in minizip
- Fix logic error in minizip argument processing
- Add minizip testing to Makefile
- Read multiple bytes instead of byte-by-byte in minizip unzip.c
- Add memory sanitizer to configure (--memory)
- Various portability improvements
- Various documentation improvements
- Various spelling and typo corrections

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-10-17 11:05:08 +02:00
Hauke Mehrtens
9e1c5ad4b0 mbedtls: Update to version 2.28.5
This fixes some minor security problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-2.28.5

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-10-14 15:48:31 +02:00
Nick Hainke
4e5d45f1e6 libnl: update to 3.8.0
Changes:
6b2533c0 libnl-3.8.0 release
1558bd62 build: replace old "NOTE" in configure output and add summary
f66383a4 build: avoid aclocal warning about missing "m4" directory
e4402a4c build: run `autoupdate` for AM_PROG_LIBTOOL
5761b6af build: add "-Wno-portability" to AC_INIT_AUTOMAKE()
661f10a1 license: fix/adjust license for "src/nl-cls-add.c"
c8fcb412 license: fix/adjust license for "src/nl-addr-{add,delete,list}.c"
e3e6fd6d tests: use thread-safe localtime_r() instead of localtime()
f520471c lib/xfrm: use thread-safe gmtime_r() instead of gmtime()
be5add72 tests: avoid srandom()/random() in favor of _nltst_rand_u32()
40578a62 lib: use getprotobyname_r(), getprotobynumber_r() if available
8ee8b05f lib: fix error handling in nl_str2ip_proto()
09f03f29 tests: check nl_str2ip_proto()
74bffbf6 route: fix documentation comment for nl_nh_group_info
59f8db0d clang-format: add "-l" alias for option in "tools/clang-format.sh"
935cc90a clang-format: ignore reformatting commit in ".git-blame-ignore-revs"
53da4712 clang-format: reformat files with new format
65c43bfe clang-format: update ".clang-format" from linux kernel
4c39a2ce include: use <linux/$file> instead of <linux-private/linux/$file>
a1e9fb3d include/linux: add all linux headers that we use
d37ffe15 include/linux: update all linux headers
1af767a8 include: add missing "extern "C"" specifier to public headers
e0a5d12b all: drop "extern "C"" from internal code
d9a1e0ce build: add "check-local-build-headers" test target to build public headers
02b87012 build: add a "check-local" build target
f9413915 include: fix headers "include/netlink/route/{netconf.h,route/qdisc/red.h}" to be self-contained
680df173 idiag: "fix" license for "idiag-socket-details" tool
2f210d9a github: test build on alpine:latest for musl
dcc4c0a5 Revert "gitignore: ignore patch files"
39106309 github: add test for linking with mold and fail on unknown versions
f475c3b2 route/nh: drop not implemented "nh" API from headers
4c681e77 build: fix exporting symbol rtnl_link_info_ops_get
260c9575 include: don't explicitly include headers from "nl-default.h"
98c1e696 tests: cleanup include of netlink headers
42bec462 build: cleanup default include list in Makefile.am
4c1a119a include: include private linux headers with explicit path
ca063725 python: add make target for python build
25c90193 python: drop unused "python/netlink/fixes.h"
3f3da7fd gitignore: ignore python build artifacts
61ef5609 gitignore: ignore generated doc files
298c5dc6 include: drop "netlink-private/netlink.h" and move declarations
862eed54 all: cleanup includes and use "nm-default.h"
2b3cd741 include: add "nl-default.h" header
8952ce6f build: move "lib/defs.h" to "include/config.h"
1010776d include: split and drop "netlink-private/types.h"
d1d57846 include: rename "nl-shared-core" to "nl-priv-dynamic-core"
fc91c4f8 include: rename "nl-hidden-route" to "nl-priv-dynamic-route"
9bb6f770 include: rename "nl-intern-route" to "nl-priv-static-route"
b5195db9 genl: rename private header "nl-priv-genl.h" to "nl-genl.h"
0eacf658 include: make "netlink/route/link/{inet,inet6}.h" self-contained
ad014ad1 route/tc: avoid unalinged access in rtnl_tc_msg_parse()
05bd6366 add support for TC action statistics
776fc5a6 lib: move "include/netlink-private/object-api" to include/nl-shared-core
fad34560 lib: move "include/netlink-private/cache-api" to include/nl-shared-core
ed2be537 route: move "include/netlink-private/route/link/sriov.h" to lib/route/link-sriov.h
97f61eda lib: move "include/netlink-private/socket.h" to lib/nl-core.h
96e1cc5b route: move "include/netlink-private/route/nexthop-encap.h" to lib/route
391e03d3 route: merge "include/netlink-private/tc.h" to lib/route/tc-api.h
7fc4f5b3 route: move rtnl_tc_build_rate_table() to "tc-api.h"
cf41e14d route: move "include/netlink-private/route/tc-api.h" to lib/route
db810cfb route: move hidden symbols from "include/netlink-private/route/tc-api.h"
ff08e618 build: don't add lib/route to include directory for all libs
eb8da16d include: move "include/netlink-private/route/link/api.h" to lib/route
8b2074aa include: move "include/netlink-private/route/utils.h" to nl-intern-route
fd470c06 include: move "include/netlink-private/route/mpls.h" to "lib/mpls.h"
78056ad2 genl: add comment about wrongly exported symbol genl_resolve_id()
befc4ab4 include: move "include/netlink-private/genl.h" to "lib/genl/nl-priv-genl.h"
f6c26127 nl-aux: add "include/nl-aux-{core,route}" headers
2da8481b base: move "netlink-private/utils.h" to "base/nl-base-utils.h"
d3e9b513 include/utils: move nl-auto base defines to "utils.h"
543b9f8f clang-format: reformat "include/netlink-private/nl-auto.h"
aa565460 route: cleanup ATTR_DIFF() macros
beba5a18 cli: add nl-nh-list utility
780d06ae route: add nh type
1b6433d9 neigh: add support of NHID attribute
e0140c5f include: import kernel headers "linux/{neighbour,nexthop,rtnetlink}.h"
eef06744 utils: add static-assert for signedness of arguments of _NL_CMP_DIRECT() macro
679c4c51 cli: use <netlink-private/utils.h> in cli and _nl_{init,exit}
a9c5de52 lib: use _nl_{init,exit} instead of __{init,exit}
102f9bd2 include/private: add _nl_init/_nl_exit macros
6782678e include/private: drop unused __deprecated macro
a0535a58 all: use "_nl_packed" macro instead of "__attribute__((packed))"
8c9f98cf all: rework ATTR_DIFF() macros to not generate attribute names
ca34ad52 lib: handle negative and zero size in nla_memcpy()
859b89dc include: drop now unused min()/max()/min_t()/max_t() macros
2e0ae977 all: use _NL_{MIN,MAX}() macros
57c451fa utils: add various helpers to "include/netlink-private/utils.h"
a9a9dcea style: format "include/netlink-private/utils.h" with clang-format
590e8a61 tools: improve failure message with "tools/clang-format.sh -n"
06dc5ae0 github: fix format checking with clang-format
7738f239 route/trivial: sort entries in "libnl-route-3.sym" asciibetically
fc805c56 route/bond: Add support for link_info for bond
6af26981 lib: accept NULL argument in nla_nest_cancel() for robustness
e9662091 macsec: Drop offload capability validation check
35a68109 github: update flake8 linter to not explicitly select checks
9a266405 python: add ".flake8" file for configuring "flake8"
e6b934a5 python: fix flake8 warnings E712
2cea738b python: fix flake8 warnings E711
d561096c python: fix flake8 warnings E302
29b06d0f python: fix flake8 warnings E741
4dc1f498 python: fix flake8 warnings F841
f4875c69 python: fix flake8 warnings W605
9a3d91df python: fix flake8 warnings F401
6baf2339 clang-format: add "tools/clang-format-container.sh" script
ee2876e3 github: add test for checking clang-format style
45c7aae3 clang-format: add "tools/clang-format.sh" script
02e0fd3f github: check python-black code formatting in github actions
2dd53895 build: add ".git-blame-ignore-revs" file for "blame.ignoreRevsFile" git config
3c753e3c python: reformat all Python files with python-black
298ee58e python add "pyproject.toml" for configuring black
a0e4b7f9 github: skip Python flake8 test with clang build
c4240c0b github: run "Build Release" test also with clang
143cee1d bridge: fix bridge info parsing
96bbe55c test-cache-mngr: Flush output after object dumps
cf5dcbcd test-cache-mngr: Add option to print timestamps
bd570952 test-cache-mngr: Add an option to iterate over all supported address families
bf80da90 test-cache-mngr: Add dump interval options
80febeea test-cache-mngr: Add an option to control which oo_dump function is used
6519a917 route/link: prevent segfault in af_request_type()
a68260f8 github: fix installing python dependencies via pip
39c04bc7 build: drop redundant "autogen.sh" call from "tools/build_release.sh"
d411b88d build: change proper working directory in "doc/autogen.sh"
2fa73ce0 build: ensure "autogen.sh" scripts fail on error
fc786296 gitignore: ignore "*~" files
4c4e614b docs: rtnl_link_put() 'releases' instead of 'returns'
336b15dc include/linux: update copy of kernel header "linux/ipv6.h"
e2cacc26 route/link: improve handling of IFLA_INET6_CONF
ec8c493c route/link: remove rtnl_link_inet6_set_conf() API
e790f8ad route/link: various fixes for rtnl_link_inet6_get_conf() API
d83c6d54 route/link: add accessor API for IPv6 DEVCONF
9167504d bridge: drop unnecessary goto in bridge_info_parse()
984d6e93 bridge: don't normalize the u8 argument in rtnl_link_bridge_set_vlan_filtering() to boolean
3662a5da bridge: expose rtnl_link_bridge_get_vlan_protocol() in host byte order
5a1ef219 bridge: fix parsing vlan-protocol in bridge_info_parse()
ad1c2927 bridge: minor cleanups in "bridge_info.c"
1c74725a bridge: use SPDX license identifiers in bridge_info files
26ca549d bridge: reformat bridge_info file with clang-format
08dc5d9c bridge: extend libnl with options needed for VLAN aware forwarding
7391a38e bridge: Add support for link_info of a bridge
1f1e8385 route/vlan: drop unnecessary "else" in vlan_put_attrs()
2bc30e57 route/vlan: fix error handling in 'lib/route/link/vlan.c'
8273d6ce build: add comments to linker version scripts about the version tags
6ac7a812 doc: fix typo
07d274ab doc: fix typo
0461a425 attr: reject zero length addresses
8d40d9eb route: construct all-zero addresses for default route destination
25d42a4f addr: allow constructing all-zero addresses
0c0aee82 addr: create an all-zero addresses when parsing "any" or "default"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-10-12 09:50:38 +02:00
Nick Hainke
22174e7c2a libmd: update to 1.1.0
Changes:
16d68ab Release libmd 1.1.0
054bca1 build: Terminate lists in variables with «# EOL»
84d269e test: Add cases for SHA224 and SHA512-256
a677e68 test: Add a new test_eq() helper function
4c5931f Sync SHA2 changes from OpenBSD
9934d94 Sync SHA1 changes from OpenBSD
457e30a Sync RMD160 changes from OpenBSD
b2e54bc Sync MD5 changes from OpenBSD
ee56a52 Sync MD4 changes from OpenBSD
b9496ac Sync MD2 changes from NetBSD
09d5824 Remove unused <assert.h>
08b2c5d build: Rename libmd_alias() to libmd_strong_alias()
ed69599 On Darwin use assembler to support symbol aliases
b74b777 build: Do not use strong aliases on macOS
94838ec build: Require automake 1.11
39cbc7b build: Fix configure.ac indentation
4620a04 build: Switch to debian:latest Docker image
e408786 build: Fix version script linker support detection
0ef1e4d doc: Move mailing list reference to the end
a3f1671 man: Add new libmd(7) man page

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-10-12 09:50:25 +02:00
Nick Hainke
bf4092cf61 libjson-c: update to 0.17
Release Notes:
ad8b8afa7d/ChangeLog (L2)

Refresh patch:
- 001-dont-build-docs.patch

Delete upstreamed patch:
- 010-fix-build-with-clang-15.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-10-12 09:50:06 +02:00
Hauke Mehrtens
d2b5f4b2cd treewide: Add extra CPE identifier
This adds some Common Platform Enumerations (CPE) identifiers which I
found.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-09-25 23:06:33 +02:00
Ivan Pavlov
bfd54529fa openssl: update to 3.0.11
Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
 * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. ([CVE-2023-4807])

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2023-09-24 12:41:54 +02:00
Alexander Couzens
8572007f90 packages: assign PKG_CPE_ID for all missing packages
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining package which have a CPE ID.
Not every package has CPE id.

Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2023-09-19 20:21:13 +02:00
Hauke Mehrtens
d773fe5411 mbedtls: Update to version 2.28.4
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.4

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-08-11 11:03:08 +02:00
Ivan Pavlov
92602f823a openssl: update to 3.0.10
Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
 * Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
 * Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
 * Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2023-08-09 21:03:59 +03:00
Nick Hainke
a8c84b550b libtracefs: update to 1.7.0
ChangeLog:
aebab37 libtracefs: version 1.7
a3237c3 libtracefs: Add initial support for meson
b25019f libtarcefs doc: Add tracefs_kprobe_destroy() to index man page
4c2194f libtracefs doc: State that tracefs_dynevent_create() is needed for tracefs_kprobe_alloc()
df53d43 libtracefs Documentation: Add missing prototypes in top level man page
9a2df4a libtracefs: Update version to 1.7.dev
18ede68 libtracefs: Add tracefs_kprobe_destory() API
309b1ba libtracefs tests: Add helper function to destroy dynamic events
53dce80 tracefs: Add tracefs_time_conversion() API
5ea4128 libtracefs: Add tracefs_find_cid_pid() API
857dd3e libtracefs/utest: Fix crashing of synth test when synths exist
6332309 libtracefs/utest: Do not use synth for test_synth element
25cd206 libtracefs: Clarify the tracefs_synth_create() man page
6b6d43f libtracefs: Do not allow tracefs_synth_set_instance() on created synth
c860f93 libtracefs: Documentation for tracefs_synth_set_instance
0039173 libtracefs: New API to set synthetic event instance
e97c311 libtracefs: Do not segfault in tests if synthetic events are not configured
185019c libtracefs: Add tracefs_instance_tracers() API
6775d23 libtracefs: Do not use hwlat tracer and fdb_delete event for tests
5a1a01e libtracefs: Add stacktrace to tracefs_sql()
b1b234e libtracefs: Unit test for tracefs_instance_reset()
dd620f4 libtracefs: Documentation for tracefs_instance_reset()
789e82d libtracefs: New API to reset ftrace instance

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-08-01 13:29:40 +02:00
Nick Hainke
85efbbcf06 libtraceevent: update to 1.7.3
ChangeLog:
dd14818 libtraceevent: version 1.7.3
0b9a34e libtraceevent: Handle printf '%+d" case
eba4a41 libtraceevent: Add initial support for meson
1d8ddb9 libtraceevent: Handle %c

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-08-01 13:29:40 +02:00
Jo-Philipp Wich
4af0a72a65 libnl-tiny: update to latest Git HEAD
8667347 build: allow passing SOVERSION value for dynamic library

Also adjust packaging of the library to only ship the SOVERSION
suffixed library object, to allow for concurrent installation of
ABI-incompible versions in the future.

Fixes: #13082
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2023-07-27 12:03:12 +02:00
Christophe Sokol
906616d201 openssl: opt-out of lto usage
This fixes building with USE_LTO enabled:

aarch64-openwrt-linux-musl-gcc -fPIC -pthread -Wa,--noexecstack -Wall -O3 -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -DPIC -fPIC -fstack-protector-strong -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -DPIC -fPIC -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/build_dir/target-aarch64_cortex-a53_musl/openssl-3.0.9=openssl-3.0.9 -ffunction-sections -fdata-sections -flto=auto -fno-fat-lto-objects -Wformat -Werror=format-security -fPIC -fstack-protector-strong -fPIC -fuse-ld=bfd -flto=auto -fuse-linker-plugin -fPIC -specs=/include/hardened-ld-pie.specs -znow -zrelro -L. -Wl,-z,defs -Wl,-znodelete -shared -Wl,-Bsymbolic  -Wl,-z,now -Wl,-z,relro -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/usr/lib -L/staging_dir/toolchain-aarch64_cortex-a53_gcc-13.1.0_musl/lib -Wl,--gc-sections \
	-o providers/legacy.so -Wl,--version-script=providers/legacy.ld \
	providers/legacy-dso-legacyprov.o \
	providers/liblegacy.a providers/libcommon.a -lcrypto -ldl -pthread
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_get_params':
<artificial>:(.text.legacy_get_params+0xd4): undefined reference to `ossl_prov_is_running'
ld.bfd: <artificial>:(.text.legacy_get_params+0xd8): undefined reference to `ossl_prov_is_running'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `legacy_teardown':
<artificial>:(.text.legacy_teardown+0x4): undefined reference to `ossl_prov_ctx_get0_libctx'
ld.bfd: <artificial>:(.text.legacy_teardown+0x8): undefined reference to `ossl_prov_ctx_get0_libctx'
ld.bfd: <artificial>:(.text.legacy_teardown+0x34): undefined reference to `ossl_prov_ctx_free'
ld.bfd: <artificial>:(.text.legacy_teardown+0x38): undefined reference to `ossl_prov_ctx_free'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o: in function `OSSL_provider_init':
<artificial>:(.text.OSSL_provider_init+0x14): undefined reference to `ossl_prov_ctx_new'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x18): undefined reference to `ossl_prov_ctx_new'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x84): undefined reference to `ossl_prov_ctx_set0_libctx'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x88): undefined reference to `ossl_prov_ctx_set0_libctx'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x98): undefined reference to `ossl_prov_ctx_set0_handle'
ld.bfd: <artificial>:(.text.OSSL_provider_init+0x9c): undefined reference to `ossl_prov_ctx_set0_handle'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_kdfs+0x10): undefined reference to `ossl_kdf_pbkdf1_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x10): undefined reference to `ossl_cast5128ecb_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_ciphers+0x30): undefined reference to `ossl_cast5128cbc_functions'
[...]
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x10): undefined reference to `ossl_md4_functions'
ld.bfd: /tmp/ccdWw6Lo.ltrans0.ltrans.o:(.data.rel.ro.legacy_digests+0x30): undefined reference to `ossl_ripemd160_functions'
collect2: error: ld returned 1 exit status

Signed-off-by: Christophe Sokol <christophe@wk3.org>
2023-07-26 10:34:07 +02:00
Nick Hainke
fabd891569 nettle: update to 3.9.1
Announcement:
https://lists.gnu.org/archive/html/info-gnu/2023-06/msg00000.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-07-19 15:25:35 +02:00
Tony Ambardar
1d5e7b85cc libbpf: Update to v1.2.2
Update to the latest upstream release to include recent bugfixes:

Link: https://github.com/libbpf/libbpf/compare/v1.2.0...v1.2.2
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2023-07-18 23:02:47 +02:00
Nick Hainke
e57a752217 libnftnl: update to 1.2.6
Release Notes:
https://lists.netfilter.org/pipermail/netfilter-announce/2023/000250.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-07-18 14:37:19 +02:00
Nick Hainke
0e83b5e6cc wolfssl: update to 5.6.3
Release Notes:
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.0-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.2-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.3-stable

Refresh patch:
- 100-disable-hardening-check.patch

Backport patch:
- 001-fix-detection-of-cut-tool-in-configure.ac.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-07-07 17:38:38 +02:00
Hauke Mehrtens
513bcfdf78 libnl-tiny: update to latest git HEAD
d433990 Make struct nla_policy and struct nlattr const

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-07-01 12:07:05 +02:00
Jitao Lu
51f57e7c2d openssl: passing cflags to configure
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.

Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
2023-06-14 21:16:15 +08:00
Mathew McBride
203deef82c
wolfssl: change armvirt reference to armsr
armvirt target has been renamed to armsr (Arm SystemReady).

Signed-off-by: Mathew McBride <matt@traverse.com.au>
2023-06-10 21:30:23 +02:00
Ivan Pavlov
6348850f10 openssl: update to 3.0.9
CVE-2023-2650 fix
Remove upstreamed patches

Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
 * Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
 * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
 * Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
 * Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
 * Limited the number of nodes created in a policy tree (CVE-2023-0464)

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2023-06-09 13:33:27 +02:00
Felix Fietkau
b6e0a24c49 libubox: update to the latest version
b09b316aeaf6 blobmsg: add blobmsg_parse_attr function
eac92a4d5d82 blobmsg: add blobmsg_parse_array_attr
ef5e8e38bd38 usock: fix poll return code check
6fc29d1c4292 jshn.sh: Add pretty-printing to json_dump
5893cf78da40 blobmsg: Don't do at run-time what can be done at compile-time
362951a2d96e uloop: fix uloop_run_timeout
75a3b870cace uloop: add support for integrating with a different event loop

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-06-04 18:38:03 +02:00
Tianling Shen
a0d7193425 openssl: fix uci config for built-in engines
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:

> uci: Parse error (invalid command) at line 3, byte 0

```
config engine 'devcrypto'
        option enabled '1'
engine 'devcrypto'
        option enabled '1'
        option builtin '1'
```

Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.

Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-06-03 21:15:11 +02:00
Linhui Liu
4c5a9da869 selinux-policy: update to 1.2.5
30d503a uci jsonfilter: pipe and leak
e13cb64 rpcd leds
144781f jsonfilter, luci, ubus
1210762 rpcd and all agents get fd's leaked
ab9227c rpcd
2f99e0e luci rpcd
b43aaf3 rpcd (enable/disable services) luci peeraddr
f20f03e rpcd
7bc74f6 rpcd reads all subj state and luci-bwc leaks
9634b17 adds inotify perms to anon_inode
3d3c17c adds bare anon_inode (linux 5.15)
7104b20 dnsmasq and luci
0de2c66 luci,rpcd, ucode, wpad
14f5cf9 luci and ucode
e3ce84c rpcd, ucode and cgiio loose ends
96a2401 misc updates
9fe0490 initscript: remove redundant rules
71bd77e allow all init scripts to log to logd
f697331 sandbox: make ttydev handling more robust
a471877 simplify pty tty console access
f738984 sandbox: also remove TIOSCTI from all ttydevs

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-31 22:00:48 +02:00
Petr Štetiar
12494f5b8a
pcre2: fix host compilation of libselinux by enabling PIC
libselinux-3.5 fails to compile in Fedora 38 container due to the
following:

 cc -O2 -I/openwrt/staging_dir/host/include -I/openwrt/staging_dir/hostpkg/include -I/openwrt/staging_dir/target-x86_64_musl/host/include -I../include -D_GNU_SOURCE -DNO_ANDROID_BACKEND -DUSE_PCRE2 -DPCRE2_CODE_UNIT_WIDTH=8 -I/openwrt/staging_dir/hostpkg/include -L/openwrt/staging_dir/host/lib -L/openwrt/staging_dir/hostpkg/lib -L/openwrt/staging_dir/target-x86_64_musl/host/lib -Wl,-rpath=/openwrt/staging_dir/hostpkg/lib -shared -o libselinux.so.1 avc.lo avc_internal.lo avc_sidtab.lo booleans.lo callbacks.lo canonicalize_context.lo checkAccess.lo check_context.lo checkreqprot.lo compute_av.lo compute_create.lo compute_member.lo compute_relabel.lo compute_user.lo context.lo deny_unknown.lo disable.lo enabled.lo fgetfilecon.lo freecon.lo freeconary.lo fsetfilecon.lo get_context_list.lo get_default_type.lo get_initial_context.lo getenforce.lo getfilecon.lo getpeercon.lo init.lo is_customizable_type.lo label.lo label_db.lo label_file.lo label_media.lo label_support.lo label_x.lo lgetfilecon.lo load_policy.lo lsetfilecon.lo mapping.lo matchmediacon.lo matchpathcon.lo policyvers.lo procattr.lo query_user_context.lo regex.lo reject_unknown.lo selinux_check_securetty_context.lo selinux_config.lo selinux_internal.lo selinux_restorecon.lo sestatus.lo setenforce.lo setexecfilecon.lo setfilecon.lo setrans_client.lo seusers.lo sha1.lo stringrep.lo validatetrans.lo -L/openwrt/staging_dir/hostpkg/lib -lpcre2-8 -lfts -ldl -Wl,-soname,libselinux.so.1,--version-script=libselinux.map,-z,defs,-z,relro
 /usr/bin/ld: /openwrt/staging_dir/hostpkg/lib/libpcre2-8.a(pcre2_compile.c.o): relocation R_X86_64_32S against symbol `_pcre2_ucd_stage1_8' can not be used when making a shared object; recompile with -fPIC
 /usr/bin/ld: failed to set dynamic section sizes: bad value

So lets fix it by enabling build of host static library with the
position independent code option enabled.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-05-28 08:58:07 +02:00
Zoltan HERPAI
a0840ecd53 openssl: add linux-riscv64 into the targets list
Add "linux-riscv64-openwrt" into openssl configurations to enable building
on riscv64.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2023-05-28 13:19:11 +02:00
Tony Ambardar
afe1bf11f2 bpftools: update, split off bpftool and libbpf packages
My original bpftools package made "variant" builds of bpftool and libbpf
as a convenience, since both used the same local kernel sources with the
same versioning. This is no longer the case, since the commit below
switched to using an out-of-tree build mirror hosting repos for each.

Replace bpftools with separate bpftool and libbpf packages, each simplified
and correctly versioned. Also fix the broken libbpf ABI introduced in the
same commit. Existing build .config files are not impacted.

Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2023-05-24 21:17:20 +02:00
Nick Hainke
c520d682f0 libxml2: update to 2.11.4
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.4

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-22 18:52:59 +02:00
Nick Hainke
78c45c1e59 libcap: update to 2.69
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe

Fixes: CVE-2023-2602 CVE-2023-2603
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-22 18:51:31 +02:00
Nick Hainke
aa28e91404 nettle: update to 3.9
Changelog:
26cd0222fd/NEWS

Refresh patch:
- 100-portability.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-20 21:02:18 +02:00
Linhui Liu
c0ef48814e pcre2: switch to Github Releases and bump to 10.42
The mirror at SourceForge is an unofficial mirror and no longer maintained.

ChangeLogs:
https://github.com/PCRE2Project/pcre2/blob/pcre2-10.42/ChangeLog

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-20 13:20:53 +08:00
Nick Hainke
f73d011810 libjson-c: import patch to fix compilation on macos
Fixes errors in the form of:
  /Users/user/src/openwrt/openwrt/build_dir/hostpkg/json-c-0.16/json_util.c:63:35: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
  const char *json_util_get_last_err()
                                    ^
                                     void
  1 error generated.
  ninja: build stopped: subcommand failed.

Reported-by: Paul Spooren <mail@aparcar.org>
Suggested-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-19 13:43:18 +02:00
Nick Hainke
4b950bc5f4 libxml2: update to 2.11.3
Changelog:
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.0
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.1
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.2
- https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.3

Fixes: CVE-2023-28484 CVE-2023-29469
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 16:16:20 +02:00
Tianling Shen
48ed07bc0b treewide: replace AUTORELEASE with real PKG_RELEASE
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```

then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
	make package/$i/clean
done
```

Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
2023-05-18 11:35:29 +02:00
Linhui Liu
91c75c3124 libselinux: update to 3.5
Switch from libpcre to libpcre2. While working on it remove the double
defined HOST_BUILD_DEPENDS section.

Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
[depend on libpcre2]
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Linhui Liu
d641963f1b libsemanage: update to 3.5
Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-18 10:14:13 +02:00
Linhui Liu
bd0dce62b1 libsepol: update to 3.5
Release Notes:
https://github.com/SELinuxProject/selinux/releases/download/3.4/RELEASE-3.4.txt
https://github.com/SELinuxProject/selinux/releases/download/3.5/RELEASE-3.5.txt

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-05-18 10:14:13 +02:00
Nick Hainke
e3e6652a55 pcre: move package to packages feed
With the update of selinux no package depends anymore on pcre in the
base repository. Move it to packages feed.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Nick Hainke
c39b0646f3 pcre2: import pcre2 from packages feed
pcre2 is needed by newer selinux versions, so it needs to be in the base
repository.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-05-18 10:14:13 +02:00
Robert Marko
6b17e19ad8
libbsd: fix compilation with musl 1.2.4
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.

_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.

Fixes: fff878c5bc ("toolchain/musl: update to 1.2.4")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-05-16 14:31:14 +02:00
Robert Marko
6ff12094cd
libselinux: fix compilation with musl 1.2.4
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.

_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-05-15 20:39:21 +02:00
Michael Pratt
0779c47be6
gettext-full: link to local libunistring
Configure gettext to require and link
to our local libunistring explicitly.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:44 +02:00
Michael Pratt
0288415877
gettext-full: add missing link to libunistring
Running autoreconf or autogen.sh is causing
the gettext-runtime subdirectory to have a configure script
that looks for and attempts to link to an external libunistring.
However, the macros and symbols for supporting that configuration
are not present in this subdirectory yet.

This results in some host machines to not build the
included libunistring objects for libgrt,
but at the same time, also not input the proper flag to the linker
for linking to an external library when it is found or even when
explicitly setting configuration to use a prefix for libunistring,
resulting in the common linking failure "undefined reference".

Some similar (and old...) upstream commits do the same thing,
but only for gettext-tools and libgettextpo.

Ref: ae943bcc1 ("Link with libunistring, if it exists.") # gettext.git
Ref: 61e21a72f ("Avoid link error in programs that use libgettextpo.") # gettext.git
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:44 +02:00
Michael Pratt
d3c3b79c1e
libunistring: add from packages feed
Add libunistring in order to link to gettext
and other packages directly
instead of the built-in substitute for it.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-15 16:14:41 +02:00
Michael Pratt
d167adbc44
gettext-full: bootstrap to local gnulib source
Using the local gnulib source during autogen.sh
allows for fine-grained control over the macros
and source files for use with gettext
but part of gnulib instead of gettext,
without having to wait for a release
or deal with gnulib as a git submodule.

This is an alternative to running autoreconf.

It also removes the need to patch macros
in the case where there is a conflict
between the source and our aclocal directory.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:31 +02:00
Michael Pratt
d95d5d2a3a
gettext-full: link to local libxml2
Some users have reported that gettext builds
are attempting to link to libxml2
while it was supposed to be configured
to use it's own built-in substitute.

Configure gettext to require and link
to our local libxml2 explicitly.

Add a patch to revert upstream commit 87927a4e2
which forces libtextstyle to use the built-in libxml,
no matter what the configuration is,
making that option configurable again
after the configure script is regenerated.

Reported-by: Tianling Shen <cnsztl@immortalwrt.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:30 +02:00
Michael Pratt
f7fbe77115
gettext-full: set gperf as build prerequisite
Require gperf to be built before gettext.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Michael Pratt
9b0b46985c
libxml2: add from packages feed
Add libxml2 which can be used to build gettext
instead of the old built-in substitute for it.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Michael Pratt
ca8577f930
gettext-full: override SUBDIRS variable with Makefile
Instead of editing the SUBDIRS variable with a patch,
it can be overriden at the end of the command line when invoking Make.

This tool has a series of recursive Makefiles in each subdirectory,
therefore SUBDIRS is set to a pattern of Make functions
so that the result is variable depending on the current subdirectory
that Make is being invoked in.

Some of the subdirectories don't have a Makefile and are just storing files
for another subdirectory Makefile target,
therefore we have to place a fake Makefile that does nothing.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-05-04 06:07:29 +02:00
Eneas U de Queiroz
1c5cafa3eb openssl: fix low-severity CVE-2023-1255
This applies commit 02ac9c94 to fix this OpenSSL Security Advisory
issued on 20th April 2023[1]:

Input buffer over-read in AES-XTS implementation on 64 bit ARM
(CVE-2023-1255)
==============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit
ARM platform contains a bug that could cause it to read past the input
buffer, leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64
bit ARM platform can crash in rare circumstances. The AES-XTS algorithm
is usually used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform
will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the
memory after the ciphertext buffer is unmapped, this will trigger a
crash which results in a denial of service.

If an attacker can control the size and location of the ciphertext
buffer being decrypted by an application using AES-XTS on 64 bit ARM,
the application is affected. This is fairly unlikely making this issue a
Low severity one.

1. https://www.openssl.org/news/secadv/20230420.txt

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-29 12:33:44 +02:00
Nick Hainke
b64c471b8e libpcap: update to 1.10.4
Changes:
https://git.tcpdump.org/libpcap/blob/104271ba4a14de6743e43bcf87536786d8fddea4:/CHANGES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-22 02:35:19 +02:00
Matthias Schiffer
4f1c2e8dee
uclient: update to Git version 2023-04-13
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2023-04-13 20:51:05 +02:00
Hauke Mehrtens
d679b15d31 mbedtls: Update to version 2.28.3
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3

The 100-fix-compile.patch patch was merged upstream, see:
https://github.com/Mbed-TLS/mbedtls/issues/6243
https://github.com/Mbed-TLS/mbedtls/pull/7013

The code style of all files in mbedtls 2.28.3 was changed. I took a new
version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this
pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-10 13:36:26 +02:00
Nick Hainke
0c53801968 libcap: update to 2.68
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-08 15:52:56 +02:00
Eneas U de Queiroz
c3cb2d48da
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-07 11:26:26 +02:00
Eneas U de Queiroz
0dc5fc8fa5
openssl: add legacy provider
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
0b70d55a64
openssl: make UCI config aware of built-in engines
Engines that are built into the main libcrypto OpenSSL library can't be
disabled through UCI.  Add a 'builtin' setting to signal that the engine
can't be disabled through UCI, and show a message explaining this in
case buitin=1 and enabled=0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
975036f6f9
openssl: avoid OPENSSL_SMALL_FOOTPRINT, no-asm
Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3%
decrease in size, dropping performance from 2% to 91%, depending on the
target and algorithm.

For example, using AES256-GCM with 1456-bytes operations, X86_64 appears
to be the least affected with 2% performance penalty and 1% reduction in
size; mips drops performance by 13%, size by 3%;  Arm drops 29% in
performance, 2% in size.

On aarch64, it slows down ghash so much that I consider it broken
(-91%).  SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and
size by only 1%.  It makes an AES-capable CPU run AES128-GCM at 35% of
the speed of Chacha20-Poly1305:

Block-size=1456 bytes   AES256-GCM   AES128-GCM  ChaCha20-Poly1305
SMALL_FOOTPRINT           62014.44     65063.23          177090.50
regular                  504220.08    565630.28          182706.16

OpenSSL 1.1.1 numbers are about the same, so this should have been
noticed a long time ago.

This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned
off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used.

Compiling with -O3 instead of -Os, for comparison, will increase size by
about 14-15%, with no measureable effect on AES256-GCM performance, and
about 2% increase in Chacha20-Poly1305 performance on Aarch64.

There are no Arm devices with the small flash feature, so drop the
conditional default.  The package is built on phase2, so even if we
include an Arm device with small flash later, a no-asm library would
have to be built from source anyway.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Hauke Mehrtens
18d516a649 libnl-tiny: update to the latest version
f5d9b7e libnl-tiny: fix duplicated branch in family.h
11b7c5f attr: add NLA_S* definitions

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-02 02:25:16 +02:00
Nick Hainke
fca03b4bad libtraceevent: update to 1.7.2
Changes:
1c6f0f3 libtraceevent: version 1.7.2
73f6a8a libtraceevent: Fix some missing commas in big endian blocks
da2ea6b libtraceevent: Rename "ok" to "token_has_paren" in process_sizeof()
e6f7cfa libtraceevent: No need for testing ok in else if (!ok) in process_sizeof()
a4b1ba5 libtraceevent: Fix double free in parsing sizeof()

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-01 22:02:24 +02:00
Andre Heider
9fe7cc62a6
treewide: opt-out of tree-wide LTO usage
These fail to build with LTO enabled or packages depending on them do.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:23 +01:00
Andre Heider
07730ff346
treewide: add support for "lto" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".

Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."

Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
da3700988d
treewide: add support for "gc-sections" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".

Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.

Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
5c545bdb36
treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16
Keep backwards compatibility via PKG_USE_MIPS16 for now, as this is
used in all package feeds.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Nick Hainke
8d975708fc libnftnl: update to 1.2.5
Upstream switched to "tar.xz".

Release Notes:
https://www.spinics.net/lists/netfilter/msg61016.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-19 17:00:45 +01:00
Nick Hainke
56f4d5ec6b elfutils: update to 1.89
Release Notes:
https://sourceware.org/pipermail/elfutils-devel/2023q1/006023.html

Refresh patch:
- 003-libintl-compatibility.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-12 13:54:50 +01:00
Eneas U de Queiroz
c75cd5f602
openssl: fix variable reference in conffiles
Fix the trivial abscence of $() when assigning engine config files to
the main libopenssl-config package even if the corresponding engines
were not built into the main library.

This is mostly cosmetic, since scripts/ipkg-build tests the file's
presence before it is actually included in the package's conffiles.

Fixes: 30b0351039 "openssl: configure engine packages during install"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-03-06 18:11:36 -03:00
Eneas U de Queiroz
387c2df15c
openssl: fix sysupgrade failure with devcrypto
The bump to 3.0.8 inadvertently removed patches that are needed here,
but were not adopted upstream.  The most important one changes the
default value of the DIGESTS setting from ALL to NONE.  The absence of
this patch causes a sysupgrade failure while the engine is in use with
digests enabled.  When this happens, the system fails to boot with a
kernel panic.

Also, explicitly set DIGESTS to NONE in the provided config file, and
change the default ciphers setting to disable ECB, which has been
recommended for a long time and may cause trouble with some apps.

The config file change by itself is not enough because the config file
may be preserved during sysupgrade.

For people affected by this bug:

You can either:
1. remove, the libopenssl-devcrypto package
2. disable the engine in /etc/config/openssl;
3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE;
4. update libopenssl-devcrypto to >=3.0.8-3

However, after doing any of the above, **you must reboot the device
before running sysupgrade** to ensure no running application is using
the engine.  Running `/etc/init.d/openssl restart` is not enough.

Fixes: 7e7e76afca "openssl: bump to 3.0.8"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-03-06 18:09:13 -03:00
Tobias Hilbig
888b207f1a ncurses: add alacritty terminfo
Add terminfo file for the terminal emulator alacritty.

https://github.com/alacritty/alacritty

Signed-off-by: Tobias Hilbig <web.tobias@hilbig-ffb.de>
2023-02-26 01:12:02 +01:00
Hauke Mehrtens
32a9fdfc02 ustream-ssl: update to Git version 2023-02-25
498f6e2 ustream-mbedtls: Use getrandom() instead of /dev/urandom

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-02-25 18:37:26 +01:00
Nick Hainke
530f5c2fda libcap: update to 2.67
Release notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.o8papfkfh1x9

While working on it, remove $(AUTORELEASE).

Tested-by: Linhui Liu liulinhui36@gmail.com # Xiaomi AX3600
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-02-25 00:14:38 +01:00
Eneas U de Queiroz
595509cc78
openssl: fix powerpc & arc libatomic dependencies
PowerPC CONFIG_ARCH is defined as powerpc, not ppc.  Fix that in the
DEPENDS condition.

Arc needs to be built with libatomic.  Change the OpenSSL configuration
file, and add it to the libatomic DEPENDS condition.

Fixes: 7e7e76afca "openssl: bump to 3.0.8"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-02-22 11:05:06 -03:00
Eneas U de Queiroz
7e7e76afca
openssl: bump to 3.0.8
This is a major update to the current LTS version, supported until
2026-09-07.

Changelog:
https://github.com/openssl/openssl/blob/openssl-3.0.8/CHANGES.md

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-02-20 11:24:17 +01:00
Andre Heider
0859c7129f elfutils: fix build with GCC 11
GCC 11 doesn't know about -Wno-error=use-after-free and aborts
compilation.

Fixes: 2748c45d "elfutils: Ignore wrong use-after-free error"
Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-02-18 19:55:37 +01:00
John Audia
4ae86b3358 openssl: bump to 1.1.1t
Removed upstreamed patch: 010-padlock.patch

Changes between 1.1.1s and 1.1.1t [7 Feb 2023]

  *) Fixed X.400 address type confusion in X.509 GeneralName.

     There is a type confusion vulnerability relating to X.400 address processing
     inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
     but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
     vulnerability may allow an attacker who can provide a certificate chain and
     CRL (neither of which need have a valid signature) to pass arbitrary
     pointers to a memcmp call, creating a possible read primitive, subject to
     some constraints. Refer to the advisory for more information. Thanks to
     David Benjamin for discovering this issue. (CVE-2023-0286)

     This issue has been fixed by changing the public header file definition of
     GENERAL_NAME so that x400Address reflects the implementation. It was not
     possible for any existing application to successfully use the existing
     definition; however, if any application references the x400Address field
     (e.g. in dead code), note that the type of this field has changed. There is
     no ABI change.
     [Hugo Landau]

  *) Fixed Use-after-free following BIO_new_NDEF.

     The public API function BIO_new_NDEF is a helper function used for
     streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
     to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
     be called directly by end user applications.

     The function receives a BIO from the caller, prepends a new BIO_f_asn1
     filter BIO onto the front of it to form a BIO chain, and then returns
     the new head of the BIO chain to the caller. Under certain conditions,
     for example if a CMS recipient public key is invalid, the new filter BIO
     is freed and the function returns a NULL result indicating a failure.
     However, in this case, the BIO chain is not properly cleaned up and the
     BIO passed by the caller still retains internal pointers to the previously
     freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
     then a use-after-free will occur. This will most likely result in a crash.
     (CVE-2023-0215)
     [Viktor Dukhovni, Matt Caswell]

  *) Fixed Double free after calling PEM_read_bio_ex.

     The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
     decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
     data. If the function succeeds then the "name_out", "header" and "data"
     arguments are populated with pointers to buffers containing the relevant
     decoded data. The caller is responsible for freeing those buffers. It is
     possible to construct a PEM file that results in 0 bytes of payload data.
     In this case PEM_read_bio_ex() will return a failure code but will populate
     the header argument with a pointer to a buffer that has already been freed.
     If the caller also frees this buffer then a double free will occur. This
     will most likely lead to a crash.

     The functions PEM_read_bio() and PEM_read() are simple wrappers around
     PEM_read_bio_ex() and therefore these functions are also directly affected.

     These functions are also called indirectly by a number of other OpenSSL
     functions including PEM_X509_INFO_read_bio_ex() and
     SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
     internal uses of these functions are not vulnerable because the caller does
     not free the header argument if PEM_read_bio_ex() returns a failure code.
     (CVE-2022-4450)
     [Kurt Roeckx, Matt Caswell]

  *) Fixed Timing Oracle in RSA Decryption.

     A timing based side channel exists in the OpenSSL RSA Decryption
     implementation which could be sufficient to recover a plaintext across
     a network in a Bleichenbacher style attack. To achieve a successful
     decryption an attacker would have to be able to send a very large number
     of trial messages for decryption. The vulnerability affects all RSA padding
     modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
     (CVE-2022-4304)
     [Dmitry Belyavsky, Hubert Kario]

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-02-12 00:08:29 +01:00
Chen Minqiang
fcde517d35 wolfssl: fix build with make < 4.2
Inline the preinst.arm-ce script. Support for including was added in
make 4.2 and is not working with older make versions.

Fixes: https://github.com/openwrt/openwrt/issues/11866
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2023-02-03 12:18:19 +01:00
Glenn Strauss
2a691fc7f2 mbedtls: x509 crt verify SAN iPAddress
backport from
X509 crt verify SAN iPAddress
https://github.com/Mbed-TLS/mbedtls/pull/6475

addresses
curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName)
https://github.com/Mbed-TLS/mbedtls/issues/6473

filed for
mbedTLS: BADCERT_CN_MISMATCH on https://1.1.1.1 with curl+mbedtls
https://github.com/openwrt/packages/issues/19677

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2023-02-03 11:27:58 +01:00
ValdikSS ValdikSS
2fc170cc21 openssl: fix VIA Padlock AES-192 and 256 encryption
Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.

This commit correctly sets the number of swapping loops to be done.

Upstream: 2bcf8e69bd

Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: ValdikSS ValdikSS <iam@valdikss.org.ru>
2023-01-22 01:33:33 +01:00
David Bauer
00f1463df7 mbedtls: move source modification to patch
Patch the mbedtls source instead of modifying the compile-targets
in the prepare buildstep within OpenWrt.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-01-18 23:36:22 +01:00
Nick Hainke
e846606900 libpcap: update to 1.10.3
Changelog:
https://git.tcpdump.org/libpcap/blob/95691ebe7564afa3faa5c6ba0dbd17e351be455a:/CHANGES

Refresh patch:
- 300-Add-support-for-B.A.T.M.A.N.-Advanced.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-17 23:16:02 +01:00
Nick Hainke
d649c32989 libtracefs: update to 1.6.4
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-13 22:02:20 +01:00
Nick Hainke
d1bdf5a9d9 libtraceevent: update to 1.7.1
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-13 22:02:20 +01:00
Hauke Mehrtens
2748c45d46 elfutils: Ignore wrong use-after-free error
GCC 12.2.0 shows this false positive error message:
````
In function 'bigger_buffer',
    inlined from '__libdw_gunzip' at gzip.c:374:12:
gzip.c:96:9: error: pointer may be used after 'realloc' [-Werror=use-after-free]
   96 |     b = realloc (state->buffer, more -= 1024);
      |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gzip.c:94:13: note: call to 'realloc' here
   94 |   char *b = realloc (state->buffer, more);
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
````

GCC bug report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-09 00:10:52 +01:00
Nick Hainke
acbae4f234 libpcap: update to 1.20.2
A huge rewrite in libpcap was introduced by dc14a7babca1 ("rpcap: have
the server tell the client its byte order.") [0]. The patch
"201-space_optimization.patch" does not apply at all anymore. So remove
it.

Refresh:
- 100-no-openssl.patch
- 102-skip-manpages.patch

Update the "300-Add-support-for-B.A.T.M.A.N.-Advanced.patch" with latest
PR [1].

old ipkg size:
90964 bin/packages/mips_24kc/base/libpcap1_1.10.1-5_mips_24kc.ipk

new ipkg size:
93340 bin/packages/mips_24kc/base/libpcap1_1.10.2-1_mips_24kc.ipk

[0] - dc14a7babc
[1] - https://github.com/the-tcpdump-group/libpcap/pull/980

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-06 16:20:06 +01:00
Linhui Liu
87b9825521 ncurses: update to 6.4
Update to the latest released version.

Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
2023-01-05 00:11:53 +01:00
Hauke Mehrtens
ee47a28cec treewide: Trigger reinstall of all wolfssl dependencies
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-01-01 21:06:54 +01:00
Nick Hainke
04634b2d82 wolfssl: update to 5.5.4-stable
Remove upstreamed:
- 001-Fix-enable-devcrypto-build-error.patch

Refresh patch:
- 100-disable-hardening-check.patch

Release notes:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-01 21:05:31 +01:00
Hauke Mehrtens
af3c9b74e1 mbedtls: update to version 2.28.2
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Fixes the following CVEs:
* CVE-2022-46393: Fix potential heap buffer overread and overwrite in
DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.

* CVE-2022-46392: An adversary with access to precise enough information
about memory accesses (typically, an untrusted operating system
attacking a secure enclave) could recover an RSA private key after
observing the victim performing a single private-key operation if the
window size used for the exponentiation was 3 or smaller.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-31 03:19:58 +01:00
Xuefer H
ab31547df0 libbsd: fix libpath to not use host path
libpath.so uses host path in ld script causing other packages fail to
cross compile, e.g. perl:
"ld: cannot find /usr/lib/libbsd.so.0.11.6: No such file or directory"

Fixes: openwrt/packages#19390

Signed-off-by: Xuefer H <xuefer@gmail.com>
2022-12-26 13:36:41 +01:00
Nick Hainke
b5d317f47e libtracefs: update to 1.6.3
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-12-17 20:24:46 +01:00
Nick Hainke
b01f2d9f38 libtraceevent: update to 1.7.0
Update to latest release.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-12-17 20:24:46 +01:00
Linus Lüssing
26d10bad7c libpcap: add support for B.A.T.M.A.N. Advanced
This adds support for the layer 2 mesh routing protocol
B.A.T.M.A.N. Advanced. "batadv" can be used to filter on batman-adv
packets. It also allows later filters to look at frames inside the
tunnel when both "version" and "type" are specified.

Documentation for the batman-adv protocol can be found at the following
locations:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/batman-adv.rst
https://www.open-mesh.org/

--

This is a backport of the following upstream pull request:

https://github.com/the-tcpdump-group/libpcap/pull/980
-> "Add support for B.A.T.M.A.N. Advanced #980"

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
2022-12-14 01:06:26 +01:00
Chukun Pan
171691500e wolfssl: fix build with /dev/crypto
Backport upstream patch to fix build error when
/dev/crypto enabled.

dc9f46a3be

Fixes: #10944
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-12-11 03:30:14 +01:00
Nick Hainke
b76bcdb210 libtracefs: update to 1.6.2
378a9dd libtracefs: version 1.6.2
e6daa60 libtracefs: Add unit test to test mounting of tracefs_{tracing,debug}_dir()
32acbbf libtracefs: Have tracefs_{tracing,debug}_dir() mount {tracefs,debugfs} if not mounted

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-12-11 02:45:28 +01:00
Hauke Mehrtens
69f0c29b8b ustream-ssl: update to Git version 2022-12-07
9217ab4 ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
2ce1d48 ci: fix building with i.MX6 SDK
584f1f6 ustream-openssl: wolfSSL: provide detailed information in debug builds
aa8c48e cmake: add a possibility to set library version

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-12-08 01:17:26 +01:00
Tony Butler
3d205eb216 wolfssl: fix Config.in typo
Fix simple typo `/crytpo/crypto/` in a description string

Signed-off-by: Tony Butler <spudz76@gmail.com>
2022-11-27 12:58:33 +01:00
Nick Hainke
745f1ca976 wolfssl: update to v5.5.3
Remove "200-ecc-rng.patch" because it was upstramed by:
e2566bab21
Refreshed "100-disable-hardening-check.patch".

Fixes CVE 2022-42905.

Release Notes:
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable
- https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.3-stable

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-27 12:58:33 +01:00
Nick Hainke
8db2db9890 libtracefs: update to 1.6.1
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-18 20:27:52 +01:00
Glenn Strauss
0d43c22d47 libmbedtls: use defaults if no build opts selected
use defaults if no build opts selected
(allows build with defaults when mbedtls not selected and configured)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-16 12:27:18 +02:00
Glenn Strauss
1064252259 libmbedtls: disable older RSA ciphers
disable older RSA ciphers

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-13 21:51:22 +01:00
Glenn Strauss
aeeb12eb83 libmbedtls: enable crypto algorithms for hostap
enable additional crypto algorithms for hostap

hostap uses local implementations if not provided by crypto library,
so might as well enable in the crypto library for shared use by others.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-13 21:51:22 +01:00
Glenn Strauss
602a76ed65 libmbedtls: build option submenu
menuconfig libmbedtls build option submenu

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-11-13 21:51:22 +01:00
Nick Hainke
de79a0a9e0 zlib: update to 1.2.13
Remove "001-neon-implementation-of-adler32.patch" because upstreamed
deleted assembler code optimizations:
d0704a8201

Remove upstreamed patches:
- 006-fix-CVE-2022-37434.patch
- 007-fix-null-dereference-in-fix-CVE-2022-37434.patch

Refresh patches:
- 002-arm-specific-optimisations-for-inflate.patch
- 003-arm-specific-optimisations-for-inflate.patch
- 004-attach-sourcefiles-in-patch-002-to-buildsystem.patch

Switch to "https github.com" for downloading source files.

Release Announcements:
https://github.com/madler/zlib/releases/tag/v1.2.13

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-13 20:47:57 +01:00
Nick Hainke
6830fb37cb libnftnl: update to 1.2.4
Release Announcement:
https://lore.kernel.org/netfilter-devel/Y20W+LT%2F+sq%2Fi2rz@salvia/T/#u

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-12 13:15:16 +01:00
John Audia
a0814f04ed openssl: bump to 1.1.1s
Changes between 1.1.1r and 1.1.1s [1 Nov 2022]

  *) Fixed a regression introduced in 1.1.1r version not refreshing the
     certificate data to be signed before signing the certificate.
     [Gibeom Gwon]

 Changes between 1.1.1q and 1.1.1r [11 Oct 2022]

  *) Fixed the linux-mips64 Configure target which was missing the
     SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
     platform.
     [Adam Joseph]

  *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
     causing incorrect results in some cases as a result.
     [Paul Dale]

  *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
     report correct results in some cases
     [Matt Caswell]

  *) Fixed a regression introduced in 1.1.1o for re-signing certificates with
     different key sizes
     [Todd Short]

  *) Added the loongarch64 target
     [Shi Pujin]

  *) Fixed a DRBG seed propagation thread safety issue
     [Bernd Edlinger]

  *) Fixed a memory leak in tls13_generate_secret
     [Bernd Edlinger]

  *) Fixed reported performance degradation on aarch64. Restored the
     implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
     32-bit lane assignment in CTR mode") for 64bit targets only, since it is
     reportedly 2-17% slower and the silicon errata only affects 32bit targets.
     The new algorithm is still used for 32 bit targets.
     [Bernd Edlinger]

  *) Added a missing header for memcmp that caused compilation failure on some
     platforms
     [Gregor Jasny]

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

Signed-off-by: John Audia <therealgraysky@proton.me>
2022-11-05 14:07:46 +00:00
Nick Hainke
bef3699ad5 elfutils: update to 1.88
Release Notes:
https://sourceware.org/pipermail/elfutils-devel/2022q4/005561.html

Refresh patches:
- 003-libintl-compatibility.patch
- 100-musl-compat.patch
- 101-no-fts.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-11-05 14:07:46 +00:00
Hauke Mehrtens
5b7c99bc4c libnl-tiny: update to the latest version
db3b2cd libnl-tiny: set SOCK_CLOEXEC if available

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-11-01 18:04:39 +01:00
Nick Hainke
96aa052c40 readline: update to 8.2
Release Announcement:
https://lists.gnu.org/archive/html/info-gnu/2022-09/msg00013.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-23 18:16:22 +02:00
Nick Hainke
b6d850317b gettext-full: update to 0.21.1
Release Announcement:
https://lists.gnu.org/archive/html/info-gnu/2020-07/msg00009.html

Further, refresh 001-autotools.patch and manually refresh 010-m4.patch.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 21:10:34 +02:00
Nick Hainke
8ad82d31a0 libbsd: update to 0.11.7
Changes:
084911c Release libbsd 0.11.7
3538d38 man: Discourage using the library in non-overlay mode
03fccd1 include: Adjust reallocarray() per glibc adoption
6b6e686 include: Adjust arc4random() per glibc adoption
da1f45a include: explicit_bzero() requires _DEFAULT_SOURCE
2f9eddc include: Simplify glibc version dependent macro handling
28298ac doc: Switch references from pkg-config to pkgconf
ef981f9 doc: Add missing empty line to separate README sections
6928d78 doc: Refer to the main git repository as primary
d586575 test: Fix explicit_bzero() test on the Hurd
be327c6 fgetwln: Add comment about lack of getwline(3) for recommendation
a14612d setmode: Dot not use saveset after free
f4baceb man: Rewrite gerprogname(3bsd) from scratch
f35c545 man: Lowercase man page title
b466b14 man: Document that some arc4random(3) functions are now in glibc 2.36
1f6a48b Sync arc4random(3) implementation from OpenBSD
873639e Fix ELF support for big endian SH
c9c78fd man: Use -compact also for alternative functions in libbsd(7)
5f21307 getentropy: Fix function cast for getauxval()

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 21:10:34 +02:00
Petr Štetiar
3826e72b8e ncurses: add package CPE ID
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-19 21:40:23 +02:00
Petr Štetiar
efb4324c36 libnftnl: add package CPE ID
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.

Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-19 21:40:23 +02:00
Felix Fietkau
0a4a0c7193 libubox: update to the latest version
ea56013409d5 jshn.sh: add json_add_fields function for adding multiple fields at once

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-10-14 13:12:23 +02:00
Chukun Pan
ffd29a55c3 libnl-tiny: update to the latest version
c42d890 build static library
28c44ca genl_family: explicitly null terminate
                     strncpy destination buffer

This fixes the compilation with gcc 12.

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-09 22:52:48 +02:00
Daniel Cousens
3bd04767ba
build: prefer HTTPS if available (for packages)
Changes PKG_SOURCE_URL's for arptables, bsdiff, dnsmasq,
fortify-headers, ipset, ipset-dns, libaudit, libpcap, libressl,
lua, lua5.3, tcpdump and valgrind, to HTTPS

Signed-off-by: Daniel Cousens <github@dcousens.com>
2022-10-05 17:37:07 +02:00
Petr Štetiar
f1b7e1434f treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-03 17:52:06 +02:00
Nick Hainke
4f70380ff1 libtracefs: update to 1.5.0
Changes:
93f4d52 libtracefs: version 1.5
bc857db libtracefs: Add tracefs_u{ret}probe_alloc to generic man page
db55441 libtracefs: Add tracefs_debug_dir() to generic libtracefs man page
d2d5924 libtracefs: Add test instructions for openSUSE
4a7b475 libtracefs: Fix test suite typo
ee8c644 libtracefs: Add tracefs_tracer_available() helper
799d88e libtracefs: Add API to set custom tracing directory
1bb00d1 libtracefs: allow pthread inclusion overrideable in Makefile
04651d0 libtracefs sqlhist: Allow pointers to match longs
9de59a0 libtracefs: Remove double free attempt of new_event in tracefs_synth_echo_cmd()
0aaa86a libtracefs: Fix use after free in tracefs_synth_alloc()
d2d5340 libtracefs: Add missed_events to record
9aaa8b0 libtracefs: Set the number of CPUs in tracefs_local_events_system()
56a0ba0 libtracefs: Return negative number when tracefs_filter_string_append() fails
c5f849f libtracefs: Set the long size of the tep handle in tracefs_local_events_system()
5c8103e revert: 0de961e74f96 ("libtracefs: Set visibility of parser symbols as 'internal'")

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
cef2ec62ab libtraceevent: update to 1.6.3
Changes:
fda4ad9 libtraceevent: version 1.6.3
d02a61e libtraceevent: Add man pages for tep_plugin_kvm_get/put_func()
6643bf9 libtraceevent: Have kvm_exit/enter be able to show guest function
a596299 libtraceevent: Add tep_print_field() to check-manpages.sh deprecated
065c9cd libtraceevent: Add man page documentation of tep_get_sub_buffer_size()
6e18ecc libtraceevent: Add man page for tep_plugin_add_option()
6738713 libtraceevent: Add some missing functions to generic libtraceevent man page
deefe29 libtraceevent: Include meta data functions in libtraceevent man pages
cf6dd2d libtraceevent: Add tep_get_function_count() to libtraceevent man page
5bfc11e libtraceevent: Add printk documentation to libtraceevent man page
65c767b libtraceevent: Update man page to reflect tep_is_pid_registered() rename
7cd173f libtraceevent: Add check-manpages.sh
fd6efc9 libtraceevent: Documentation: Correct typo in example
5c375b0 libtraceevent: Fixing linking to C++ code
7839fc2 libtraceevent: Makefile - set LIBS as conditional assignment
c5493e7 libtraceevent: Remove double assignment of val in eval_num_arg()
efd3289 libtraceevent: Add warnings if fields are outside the event

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
d327466149 popt: update to 1.19
Add patch to fix compilation:
- 100-configure.ac-remove-require-gettext-version.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Nick Hainke
04119d7cce libcap: update to 2.66
4f96e67 Up the release version to 2.66
60ff008 Fix typos in the cap_from_text.3 man page.
281b6e4 Add captrace to .gitignore file
09a2c1d Add an example of using BPF kprobing to trace capability use.
26e3a09 Clean up getpcaps code.
fc804ac getpcaps: catch PID parsing errors.
fc437fd Fix an issue with bash displaying an error.
7db9589 Some more simplifications for building
27e801b Fix for "make clean ; make -j48 test"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-02 20:22:54 +02:00
Petr Štetiar
ec8fb542ec wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:56 +02:00
Petr Štetiar
a0cd133fde Revert "wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release"
This reverts commit a596a8396b as I've
just discovered private email, that the issue has CVE-2022-39173
assigned so I'm going to reword the commit and push it again.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:53:12 +02:00
Petr Štetiar
8ad9a72cbe wolfssl: refresh patches
So they're tidy and apply cleanly.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Petr Štetiar
a596a8396b wolfssl: fix TLSv1.3 RCE in uhttpd by using latest 5.5.1-stable release
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.

This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.

Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.

Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable

Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-09-29 07:36:19 +02:00
Kevin Darbyshire-Bryant
dafa663012 sysfsutils: Define START early in file
The luci ucode rewrite exposed the definition of START as being over 1K
from start of file.  Initial versions limited the search for START &
STOP to within the 1st 1K of a file.  Whilst the search has been
expanded, it doesn't do any harm to define START early in the file like
all other init scripts seen so far.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2022-09-26 17:58:32 +01:00
Eneas U de Queiroz
d08c9da43c
wolfssl: prefer regular libwolfssl over cpu-crypto
Rename libwolfssl-cpu-crypto to libwolfsslcpu-crypto so that the
regular libwolfssl version comes first when running:
opkg install libwolfssl

Normally, if the package name matches the opkg parameter, that package
is preferred.  However, for libraries, the ABI version string is
appended to the package official name, and the short name won't match.
Failing a name match, the candidate packages are sorted in alphabetical
order, and a dash will come before any number.  So in order to prefer
the original library, the dash should be removed from the alternative
library.

Fixes: c3e7d86d2b (wolfssl: add libwolfssl-cpu-crypto package)
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-09-25 15:19:10 +02:00
Eneas U de Queiroz
50d0b41b38
wolfssl: ABI version shouldn't depend on benchmark
Move CONFIG_PACKAGE_libwolfssl-benchmark from the top of
PKG_CONFIG_DEPENDS to after PKG_ABI_VERSION is set.

This avoids changing the ABI version hash whether the bnechmark package
package is selected or not.

Fixes: 05df135cac (wolfssl: Rebuild when libwolfssl-benchmark gets changes)
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-09-25 15:19:07 +02:00
Daniel Golle
1c785d2567 packages: libusb: add package 'fxload' (from libusb examples)
The 'fxload' tool contained in the examples provided with libusb is
actually useful and turns out to be the only way to load firmware into
some rather ancient EZ-USB microcontrollers made by Cypress (formerly
Anchor Chips).
The original 'fxload' tool from hotplug-linux has been abandonned long
ago and requires usbfs to be mounted in /proc/bus/usb/ (like it was in
Linux 2.4...).
Hence the best option is to package the modern 'fxload' from the libusb
examples which (unsurprisingly) uses libusb and works on modern
systems.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-09-17 00:44:08 +01:00
Eneas U de Queiroz
c3e7d86d2b
wolfssl: add libwolfssl-cpu-crypto package
libwolfssl-cpu-crypto is a variant of libwolfssl with support for
cryptographic CPU instructions on x86_64 and aarch64.

On aarch64, wolfSSL does not perform run-time detection, so the library
will crash when the AES functions are called.  A preinst script attempts
to check for support by querying /proc/cpuinfo, if installed in a
running system.  When building an image, the script will check the
DISTRIB_TARGET value in /etc/openwrt_release, and will abort
installation if target is bcm27xx.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-09-16 08:30:26 +02:00
Ilya Katsnelson
e8135247c1
libcap: use more compatible shebang
Patch a script to use a shebang that works on systems that don't have
a /bin/bash, e.g. NixOS or GuixSD.

Signed-off-by: Ilya Katsnelson <me@0upti.me>
2022-09-14 00:06:18 +02:00
Nick Hainke
f42e24f19d libbsd: update to 0.11.6
Update to latest version. Needs libmd.

Old size:
37615	libbsd0_0.10.0-1_aarch64_cortex-a53.ipk
new size (libmd linked static):
38514	libbsd0_0.11.6-1_aarch64_cortex-a53.ipk

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-11 01:30:11 +02:00
Nick Hainke
89a3987607 libmd: add library providing message digest functions
This library is needed by >= libbsd-0.11.3.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-11 01:30:11 +02:00
Nick Hainke
7cae914939 libunwind: update to 1.6.2
Remove upstreamed:
- 001-Don-t-force-exec_prefix-lib64-libdir-on-ppc64.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-07 04:22:40 +01:00
Nick Hainke
d40948b35d libsepol: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:48 +01:00
Nick Hainke
17dd8c7305 libselinux: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:48 +01:00
Nick Hainke
79f3e6e2c1 libnfnetlink: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:45 +01:00
Nick Hainke
7ea924d74f libmnl: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:44 +01:00
Nick Hainke
5bc8e5a5a9 libnl: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:41 +01:00
Nick Hainke
f93795cd90 jansson: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:40 +01:00
Nick Hainke
2091a76d34 libusb: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:38 +01:00
Nick Hainke
f9a502c721 libcap: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:34:52 +01:00