Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.
Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.
After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4, so we can use wolfSSL
directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN
in systems based on wolfSSL library
Compiled && tested on ramips/mt7620, ramips/mt7621
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.
wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.
Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.
Signed-off-by: David Bauer <mail@david-bauer.net>
6a6011d uclient-http: set eof mark when content-length is 0
19571e4 tests: fix help usage test for uclient built with sanitizer
c5fc04b tests: fix help usage test
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Having libcap in OpenWrt base allows us to enable libcap support in
other packages in base.
In lldpd, this would allow the monitor process to drop its privileges
instead of running as root, improving security. It will also allow us to
drop our patch to disable libcap.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
The terminfo is required by the popular terminal multiplexer screen and
tmux, offer it by default as the size impact is minimal with 885 Bytes.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The terminfo files were all in one row which is terrible to read.
Split them over multiple lines to improve readability.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Building with MIPS16 was disabled in 2013 due to an issue with GCC TLS:
https://dev.archive.openwrt.org/ticket/13572. But after the problematic
GCC version was retired, this change wasn't revisited.
Re-enable MIPS16 builds to reduce average elfutils library sizes ~10%.
This was compile-tested on malta/mips32be and malta/mips32le, and linked
with iproute2 for run-testing. Package sizes follow:
Library MIPS16:=0 MIPS16:=1
------- --------- ---------
libelf1 43217 37492
libasm1 12481 11658
libdw1 229723 205793
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
When $(FPIC) gets expanded on the command line (for instance
when setting environment variables for libtool, configure, or
make) we can't count on it not needing quoting (i.e. it could
contain multiple flags separated with spaces).
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Commit f4da28c301 ("elfutils: Add host build") supplied a libelf host
library to fix a glib2 host build error, but this need was later removed
by b6212c8769 ("glib2: don't use libelf during host build").
More importantly, there are already two sources for libelf host libraries:
OpenWRT build prerequisites [1] and tools/libelf. A third is not needed.
Ref [1]: https://openwrt.org/docs/guide-developer/build-system/install-buildsystem#prerequisites
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
142826a3 libselinux: fix segfault in add_xattr_entry()
398d2cee libselinux: rename gettid() to something which never conflicts with the libc
8f0f0a28 selinux(8,5): Describe fcontext regular expressions
9cc6b5cf libselinux/getconlist: report failures
156dd0de libselinux: update getseuser
e2dca5df libselinux: accept const fromcon in get_context API
da4829d0 libselinux: Always close status page fd
45b15c22 selinux(8): explain that runtime disable is deprecated
3c16aaef selinux(8): mark up SELINUX values
c2a58cc5 libselinux: LABEL_BACKEND_ANDROID add option to enable
db0f2f38 libselinux: Add build option to disable X11 backend
4a142ac4 libsepol: Bump libsepol.so version
d23342a9 libselinux: convert matchpathcon to selabel_lookup()
7ef5b185 libselinux: Change userspace AVC setenforce and policy load messages to audit format.
f5d644c7 libselinux: Add additional log callback details in man page for auditing.
075f9cfe libselinux: Fix selabel_lookup() for the root dir.
a4149e0e libselinux: Add new log callback levels for enforcing and policy load notices.
a63f93d8 libselinux: initialize last_policyload in selinux_status_open()
ef902db9 libselinux: safely access shared memory in selinux_status_updated()
9e4480b9 libselinux: Remove trailing slash on selabel_file lookups.
21fb5f20 libselinux: use full argument specifiers for security_check_context in man page
e7abd802 libselinux: fix build order
05bdc031 libselinux: use kernel status page by default
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails
6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr
b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf
0861c659 libsepol: Validate policydb values when reading binary policy
8f5409cf libsepol: Create function ebitmap_highest_set_bit()
0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete
32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast
4662bdc1 libsepol/cil: be more robust when encountering <src_info>
6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument
0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks
1b36ace2 libsepol: include header files in source files when matching declarations
1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check
72a88d75 libsepol: remove unused files
eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit
1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block
b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep
f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values()
5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums
34bd9a9d libsepol: destroy filename_trans list properly
bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer
b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
a25d9104 libsepol/cil: constify some strings
e2d01842 libsepol/cil: propagate failure of cil_fill_list()
6c8fca10 libsepol/cil: do not add a stack variable to a list
38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias
3c357285 libsepol/cil: remove useless print statement
90809674 libsepol/cil: always destroy the lexer state
d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible
2aac859a libsepol/cil: Use the macro NODE() whenever possible
d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve
e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node()
ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
89dab467 libsepol: free memory when realloc() fails
2d353bd5 libsepol/cil: Give error for more than one true or false block
4a142ac4 libsepol: Bump libsepol.so version
506c7b95 libsepol: Drop deprecated functions
ae58e84b libsepol: Get rid of the old and duplicated symbols
c97d63c6 libsepol: silence potential NULL pointer dereference warning
64387cb3 libsepol: drop confusing BUG_ON macro
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
a152653b libsepol/cil: Fix neverallow checking involving classmaps
734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy
685f577a libsepol/cil: Validate constraint expressions before adding to binary policy
8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS
42ae834a libsepol,checkpolicy: optimize storage of filename transitions
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
libunwind dependency check does not allow for MIPS64 arch. Add MIPS64 awareness.
libunwind seems to support MIPS64 without issues, it was limited by the dep arch
check in the Makefile.
Used to compile Suricata6/Rust locally without issue.
Signed-off-by: Donald Hoskins <grommish@gmail.com>
Simplify cmake option handling by putting everything in blocks.
Add openssl patch as there's no easy way to disable.
Rebase the skip manpages patch.
Remove the monitor mode patch as it no longer applies.
Remove flex patch as normal Makefile is no longer used.
Remove USB path patch. While it is deprecated, the codepath is never
taken. /sys/bus/usb/devices is checked before hand. If it exists, the
function does stuff and returns. Additionally, this path is used
elsewhere in the code.
Refresh other patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.
Separate these patches into two files, as the original intent seems
to be having them separate.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library. It is a default option in
OpenSSL. All that needs to be done here is to not disable it.
Package increases by a net 1-byte, so it is not really really worth
keeping this optional.
This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Biggest fix for this version is CVE-2021-3336, which has already been
applied here. There are a couple of low severity security bug fixes as
well.
Three patches are no longer needed, and were removed; the one remaining
was refreshed.
This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Prerequisite patch:
Correct a typo in the Changelog and clean up a stray file
Fix changes in libusb which introduced a regression:
Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device
initialization") introduced a regression for devices with multiple
configurations. The logic that verifies the reported length of the
configuration descriptors failed to count the length of the
configuration descriptor itself and would truncate the actual length by
9 bytes, leading to a parsing error for subsequent descriptors.
Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
OpenSSL downloads itself are distributed using Akamai CDN, so use these
sources as the highest priority.
Remove a stale mirror which seems to be offline for a longer time
already.
Add fallbacks to the old release path also for the mirrors.
Signed-off-by: David Bauer <mail@david-bauer.net>
This fixes 4 security vulnerabilities/bugs:
- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
SSLv2, but the affected functions still exist. Considered just a bug.
- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate may overflow the output length argument in some
cases where the input length is close to the maximum permissable
length for an integer on the platform. In such cases the return value
from the function call will be 1 (indicating success), but the output
length value will be negative.
- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it was failing to
correctly handle any errors that may occur while parsing the issuer
field (which might occur if the issuer field is maliciously
constructed). This may subsequently result in a NULL pointer deref and
a crash leading to a potential denial of service attack.
- Fixed SRP_Calc_client_key so that it runs in constant time. This could
be exploited in a side channel attack to recover the password.
The 3 CVEs above are currently awaiting analysis.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Add m4 patch to avoid conflict with tools/autoconf-archive.
Add build parallel as it seems to work now.
Remove a bunch of uClibc-ng hacks as it is not in the tree anymore.
Format security patch was fixed upstream.
Refreshed other patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libwolfssl:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so when searching for -lwolfssl
mips-openwrt-linux-musl/bin/ld: cannot find -lwolfssl
collect2: error: ld returned 1 exit status
This reverts commit 2591c83b34.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libubox:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so when searching for -lubox
This reverts commit f421fefa8a.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fix license information.
Fix wrong ABI version. The library is versioned as libnftnl.so.11.4.0
Add PKG_BUILD_PARALLEL for faster compilation.
Remove autoreconf as nothing is being patched.
Minor cleanups for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This should fix CVE-2021-3336:
DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not
cease processing for certain anomalous peer behavior (sending an
ED22519, ED448, ECC, or RSA signature without the corresponding
certificate).
The patch is backported from the upstream wolfssl development branch.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Reordered for consistency between packages.
Fixed license information.
Change PKG_BUILD_PARALLEL to 1. This is no longer a problem.1
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This adds a config option to allow compiling with HKDF algorithm support
to support applications that require this feature.
Signed-off-by: Etan Kissling <etan_kissling@apple.com>
This fixes the following build problem in hostapd:
mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_add':
<artificial>:(.text.crypto_ec_point_add+0x170): undefined reference to `ecc_projective_add_point'
mipsel-openwrt-linux-musl/bin/ld: <artificial>:(.text.crypto_ec_point_add+0x18c): undefined reference to `ecc_map'
mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_to_bin':
<artificial>:(.text.crypto_ec_point_to_bin+0x40): undefined reference to `ecc_map'
Fixes: ba40da9045 ("wolfssl: Update to v4.6.0-stable")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The symbol determines if the libevent2-pthreads libraries get built or not.
If we want to select libevent2-pthreads, and these haven't been built, an
error will occur mentioning that there are no 'libevent_pthreads-2.1.so'
files.
Adding CONFIG_PACKAGE_libevent2-pthreads to PKG_CONFIG_DEPEND will make
sure that the libraries get re-built in case libevent2-pthreads is
selected.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This version fixes a large number of bugs, although no security
vulnerabilities are listed.
Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md
Due a number of API additions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version.
Backported patches were removed; remaining patch was refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
pcap-config as installed is using OS paths instead of OpenWrt ones.
Take fix from libpng and adjust as needed.
This problem seems to occur on Arch Linux and not on Debian/Fedora
based distros. No idea why.
Remove CMAKE_INSTALL as there is now an InstallDev section.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The paths are pointing to OS paths, not OpenWrt ones. Use SED line from
libpng to fix and adjust accordingly.
This may allow certain packages that use the config file to pick up pcre.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Updated ABI_VERSION.
Switched PKG_BUILD_PARALLEL on as there seems to be no issue anymore.
I can't find any information about why it was turned off.
Fixed license information.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
MIPS 32 bit support for sanitizer was added with GCC 9, MIPS 64 bit and
ARC are still not supported in GCC 10.
Deactivate them for now and change this when we change the default
compiler to GCC 9 or later.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Cleanup Makefile for consistency with other ones.
Remove PKG_SSP. It can be fixed with -lssp_nonshared.
Add PKG_BUILD_PARALLEL for faster compilation.
Add zlib dependency. 1.5.0 requires it now.
Refresh patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2c843b2bc04c Add initial GitLab CI support
073f89f567c0 uclient-fetch: wolfSSL: fix certificate validation
086c292160ac uclient-fetch: init_ca_cert: fix memory leak
a3c1a88b031a cmake: enable extra compiler checks
32ff717ed316 uclient-http: fix extra compiler warnings on mips_24kc and cortex-a9+neon
86a2ac6ac46f uclient-fetch: fix potential memory leaks
158dd9dd289c uclient: fix initialized but never read variable
66b4420856a7 uclient-fetch: fix statement may fallt hrough
436f9b3af2ad uclient-http: fix freeing of stack allocated memory
e6b5b8a98ce2 Fix extra compiler warnings
12df67e45bb0 Add basic cram based unit tests
b6e34845124f cmake: fix building out of the tree
Signed-off-by: Petr Štetiar <ynezz@true.cz>
68d09243b6fd Add initial GitLab CI support
8280140db9d1 wolfssl: remove now deprecated compatibility code
cee6791b362a ustream-mbedtls: fix certificate verification
55c3fd89d508 ustream-mbedtls: implement set_require_validation
c6b4c48689a3 ustream-openssl: wolfSSL: fix certificate validation
3bc05402bfab cmake: enable extra compiler checks
cd2c3d12db43 ustream-mbedtls: fix comparison of integers of different signs
5896991e46a3 ustream-openssl: fix BIO_method memory leak
2c342ae57c5b ustream-openssl: fix wolfSSL includes
fa8ecd6ed140 cmake: fix linking when mbed TLS not in default paths
63656f81045f cmake: fix linking when wolfSSL not in default paths
c26f71e844df cmake: fix building out of the tree
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Add new utility function mkdir_p(char *path, mode_t mode) to replace
the partially buggy implementations found accross fstools and procd.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This enables all OpenSSL API available. It is required to avoid some
silent failures, such as when performing client certificate validation.
Package size increases from 356.6K to 374.7K for
arm_cortex-a9_vfpv3-d16.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tnis adds the --enable-lighty option to configure, enabling the minimum
API needed to run lighttpd, in the packages feed. Size increase is
about 120 bytes for arm_cortex-a9_vfpv3-d16.
While at it, speed up build by disabling crypt bench/test.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This is a neat project, but offers no benefit to OpenWrt. The initial
reason for it was to be a replacement for libstdcpp as it is smaller
and lacks compatibility for C++98. Unfortunately, compiling several
packages with it results in larger ipk sizes.
While not a member of the packages feed, this will be moved to
packages-abandoned to keep it somewhere.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This sets the --cross-compile-prefix option when running Configure, so
that that it will not use the host gcc to figure out, among other
things, compiler defines. It avoids errors, if the host 'gcc' is
handled by clang:
mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
Added PKG_INSTALL to avoid using an explicit define Build/Compile
Added PKG_BUILD_PARALLEL for faster compilation.
Removed TARGET_CLAFGS. They are no longer necessary.
fPIC is default now. So is gnu99. -DUSE_DOS is a hack to include old
and mostly unused conversions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
- Removed following patches:
100-strip_charsets.patch - makes the full variant slim.
101-autotools.patch - this one fails to apply because it was backported
from newer versions for 1.11.1.
103-configure_ac_fix.patch - backported from newer versions
200-work-with-libtool2.patch - is not needed anymore, it is done
differently in upstream
300-fortify-source-compat.patch - these files are not there anymore
- TVHeadend requires working iconv library e.g. transliteration to ASCII
and this does not work with libiconv-full currently.
There is a simple test, which requires to install iconv package.
Before applying this update:
root@turris:/# echo ŽluťoučkýKůň | iconv -t ASCII//TRANSLIT//IGNORE
luoukK
After applying this update:
root@turris:~# echo ŽluťoučkýKůň | iconv -t ASCII//TRANSLIT//IGNORE
Zlutouck'yKun
- Makefile changes:
Use HTTPS for their website
Fixed deprecated SPDX License Identifier
Move PKG_MAINTAINER above PKG_LICENSE
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com> [malta]
compiler warns that exit() isn't defined so checks for build system
compiler fail.
include <stdlib.h> to define exit()
Tested under macos Catalina & Big Sur
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Backport upstream commits that sync the local kernel header
copies in this library, with up to date copies. These updated
headers ensure that libnetfilter-log users can use current
kernel functionality such as requesting that conntrack
information be appended to nflog events sent to userspace via
the NFULNL_CFG_F_CONNTRACK flag. This functionality has been
available since kernel version 4.4
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
Split utility packages similar to coreutils in packages feed, adding
ALTERNATIVES for those which are also provided by busybox-selinux.
Also add missing license information.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Drop patches as they've been upstreamed:
* 001-Fix-CVE-2020-12762.patch
Refresh patches:
* 000-libm.patch
Add patch to avoid build failure due to missing docs in tarball.
Signed-off-by: David Bauer <mail@david-bauer.net>
This also sets the ABI_VERSION as this is a versioned shared library.
The ipk sizes for mips_24Kc change like this:
old:
jansson_2.12-1_mips_24kc.ipk 18.692
new:
jansson4_2.13.1-1_mips_24kc.ipk 19.171
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.
* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Drop init script from libaudit package. It will be added to the
'audit' package in the packages feed.
Fixes: efdf619f21 ("audit: build only libaudit")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Switched to upstream tarballs.
Switched to libcxxabi as using libsupc++ is quite wonky.
Fixed description.
Removed patches. The fixes are cosmetic.
Added ssp patch. This one is needed for i386 and powerpc under musl.
Compile tested every C++ package in the tree with the exception of
several boost packages. There's something broken with boost.
Ran tested with gerbera.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This will be used for libcxx.
libcxxabi is needed as libsupc++ is not good enough for libcxx. It uses
GCC specific stuff which causes failed compilation for some packages.
There are also runtime issues, most notably with cxxopts where the
program just crashes.
Reference: https://github.com/gerbera/gerbera/issues/795
Added patch to fix ARM compilation.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[removed python part for inclusion in core]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
As the package curl has been moved to packages.git and only libcurl
depends on libnghttps move it as well to packages.git.
This is based on the Hamburg 2019 decision that non essential packages
should move outside base.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
channel attacks are present.
* Leak of private key in the case that PEM format private keys are
bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
processed and returned to the application.
Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/
Fix a build error on big endian systems by backporting a pull request:
https://github.com/wolfSSL/wolfssl/pull/3255
The size of the ipk increases on mips BE by 1.4%
old:
libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246
new:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07
* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).
Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[Use https://codeload.github.com and new tar.gz file]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The most recent patch added add lines in one block instead of in the
appropriate places to keep Makefiles in consistent style. Fix that.
Fixes: ff02e1561f ("pcre: add host variant of libpcre")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Dependencies are meant to express actual run-time dependencies and
strictly speaking, libselinux can be build and used on kernels without
SELinux (not in a very meaningful way, but never mind).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The pkgconfig file references the host directories, not the openwrt
ones. Used SED to fix as is done elsewhere. Removed CMAKE_INSTALL as a
result.
Removed now pointless CFLAGS.
Added PKG_BUILD_PARALLEL for faster compilation.
Various rearrangements for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The last commit to this package that added the pkgconfig file did not
fix the paths to point to the prefix.
This allows packages to find lzo properly.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
CMake is less error prone that autotools and also compiles faster.
Fixed license information.
Added pkgconfig file to InstallDev so that packages that use it can
find lzo.
Before:
time make package/lzo/compile -j 12
________________________________________________________
Executed in 20.87 secs fish external
usr time 26.95 secs 0.00 micros 26.95 secs
sys time 5.49 secs 305.00 micros 5.49 secs
After:
time make package/lzo/compile -j 12
________________________________________________________
Executed in 13.22 secs fish external
usr time 19.59 secs 328.00 micros 19.59 secs
sys time 4.03 secs 10.00 micros 4.03 secs
Time output is with fish shell. make clean was ran before both attempts.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
f4e9bf73ac5c examples/lua: attempt to highlight some traps
53b9a2123fc6 lua/uloop: fd_add: use absolute indices for arguments
c0941d3289fc lua/uloop: make get_sock_fd capable of absolute addresses
161c25960ba2 lua/uloop: fd_add() better args checking
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Before this change, setting the verbosity to anything with V=blah would
cause uclibc++ build to print errors to the screen. Now, it the
clibc++ build verbosity will be altered in the following manners:
* V=s will set V=1 in the uclibc++ build
* V=sc will set V=2 in the uclibc++ build
Signed-off-by: Wren Turkal <wt@penguintechs.org>
The original text was copy/pasted from some other package.
Adjust the package title and description to match the description
on the publishers page.
Signed-off-by: Catalin Patulea <catalinp@google.com>
[slightly adjust content and commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This replace the shell script header of ldd
when it install to `/usr/bin/ldd` where
`#! /..../staging_dir/host/bin/bash`
should be
`#!/bin/sh`
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Removes the standalone implementation of stack smashing protection
in gcc's libssp in favour of the native implementation available
in glibc and uclibc. Musl libc already uses its native ssp, so this
patch does not affect musl-based toolchains.
Stack smashing protection configuration options are now uniform
across all supported libc variants.
This also makes kernel-level stack smashing protection available
for x86_64 and i386 builds using non-musl libc.
Signed-off-by: Ian Cooper <iancooper@hotmail.com>
32-bit x86 fail to compile fast-math feature when compiled with frame
pointer, which uses a register used in a couple of inline asm functions.
Previous versions of wolfssl had this by default. Keeping an extra
register available may increase performance, so it's being restored for
all architectures.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
No package in base uses libconfig. Everything is in the packages feed.
Ref: https://github.com/openwrt/packages/pull/12255
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[subject facelift, PR ref]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This version adds many bugfixes, including a couple of security
vulnerabilities:
- For fast math (enabled by wpa_supplicant option), use a constant time
modular inverse when mapping to affine when operation involves a
private key - keygen, calc shared secret, sign.
- Change constant time and cache resistant ECC mulmod. Ensure points
being operated on change to make constant time.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592
Addresses CVE-2020-12762
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fixes following build error on mpc85xx/generic:
ppc_initreg.c: In function 'ppc_set_initial_registers_tid':
ppc_initreg.c:79:22: error: field 'r' has incomplete type
struct pt_regs r;
Ref: FS#2924
Fixes: d27623b542 ("elfutils: update to 0.179")
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[commit description facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.
Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters
Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Removed sys/cdefs usage. The header is deprecated.
Removed canonicalize_file_name define. It's already fixed upstream.
Added --disable-debuginfod. Seems to be needed.
Modified patch 005 to build more stuff. It was failing before. It still
only builds libraries.
Modified patch 100 to use strerror under non-glibc. It is used under
glibc as strerror is not thread safe. It is under musl and uClibc-ng.
strerror_l is not available under uClibc-ng.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
newly generated RSA modules
- the patch reversing EOF detection we had already applied.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
5e1bc34 ustream-openssl: clear error stack before SSL_read/SSL_write
f7f93ad add support for specifying usable ciphers
Also bump the ABI version since the layout of `struct ustream_ssl_ops`
changed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This adds commented configuration help for the alternate, afalg-sync
engine to /etc/ssl/openssl.cnf.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Solve missing references to nftnl_set_list_lookup_byname when building
iptables with Nftables support enabled (CONFIG_IPTABLES_NFTABLES)
Bump the ABI version to force everything to match.
/Users/kevin/wrt/staging_dir/toolchain-x86_64_gcc-9.2.0_musl/lib/gcc/x86_64-openwrt-linux-musl/9.2.0/../../../../x86_64-openwrt-linux-musl/bin/ld: xtables_nft_multi-nft-bridge.o: in function `nft_bridge_parse_lookup':
nft-bridge.c:(.text.nft_bridge_parse_lookup+0xcd): undefined reference to `nftnl_set_list_lookup_byname'
/Users/kevin/wrt/staging_dir/toolchain-x86_64_gcc-9.2.0_musl/lib/gcc/x86_64-openwrt-linux-musl/9.2.0/../../../../x86_64-openwrt-linux-musl/bin/ld: xtables_nft_multi-nft-cache.o: in function `nftnl_set_list_cb':
nft-cache.c:(.text.nftnl_set_list_cb+0x80): undefined reference to `nftnl_set_list_lookup_byname'
/Users/kevin/wrt/staging_dir/toolchain-x86_64_gcc-9.2.0_musl/lib/gcc/x86_64-openwrt-linux-musl/9.2.0/../../../../x86_64-openwrt-linux-musl/bin/ld: xtables_nft_multi-nft-cache.o: in function `fetch_set_cache':
nft-cache.c:(.text.fetch_set_cache+0x10a): undefined reference to `nftnl_set_list_lookup_byname'
collect2: error: ld returned 1 exit status
make[6]: *** [xtables-nft-multi] Error 1
make[5]: *** [all] Error 2
make[4]: *** [all-recursive] Error 1
make[3]: *** [all] Error 2
make[2]: *** [/Users/kevin/wrt/build_dir/target-x86_64_musl/linux-x86_64/iptables-1.8.4/.built] Error 2
make[2]: Leaving directory `/Users/kevin/wrt/package/network/utils/iptables'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
This activates PIE ASLR support by default when the regular option is
selected. This is required to enable PIE ASLR support by default in ppp,
as it fails to build without it, on x86/64.
The .so file size stays identical.
Suggested-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
License "GPL-2.0+" is deprecated License Identifier according to
SPDX License list [1]. The correct one is GPL-2.0-or-later.
While at it, also add the License file.
[1] https://spdx.org/licenses/
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Removed all upstream patches.
Added PKG_BUILD_PARALLEL for faster compilation.
Small Makefile rearrangements for consistency between packages.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
When building libcxx for x86/64, the library is installed in /usr/lib64.
As the install section tries to copy the library from /usr/lib, this
breaks build on x86/64. Override the lib dir suffix to fix this.
Fixes: 856ea2bad3 ("libcxx: Add package")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rosen Penev <rosenp@gmail.com>
It seems the buildbots can't handle it.
Added a cmake option to find the cxxabi files as they are part of the
toolchain and not in the normal path. It doesn't seem to make a
difference, just gets rid of cmake warnings.
Added another small GCC warning fix. It's fairly minor.
This has no change in compiled size, and most likely no change in
behavior. Bumped the PKG_RELEASE anyway.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Changed standard to 2a. 2a (as well as 17) contain more constexpr
functions, which are evaluated at compile time. This saves space.
Added --gc-sections. With the CXXABI change, this now makes the package
smaller.
With these, size went down to 210845 on mipsel_24kc.
Also fixed two small compiler warnings. No real change in behavior.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Allows proper exception handling. This includes removing unimplemented
warnings.
File size increased as a result:
Before:
182874
After:
211006
On mipsel_24kc.
Note that this requires libsupc++ anyway. It's specified in g++-libcxx.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Contains following changes:
eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning
86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data
586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods
b0e21553ae8c blobmsg: add _len variants for all attribute checking methods
cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len
143303149c8b Ensure blob_attr length check does not perform out of bounds reads
f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse
4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
2df6d35e3299 tests: add test cases for blobmsg parsing
8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes
478597b9f9ae blob: fix OOB access in blob_check_type
325418a7a3c0 tests: use blob_parse_untrusted variant
0b24e24b93e1 blob: introduce blob_parse_untrusted
6d27336e4a8b blob: refactor attr parsing into separate function
833d25797b16 test: fuzz: add blob_parse crashes
09ee90f8d6ed tests: add test cases for blob parsing
436d6363a10b tests: add libFuzzer based tests
bf680707acfd tests: add unit tests covered with Clang sanitizers
f804578847de cmake: add more hardening compiler flags
46f8268b4b5b blobmsg/ulog: fix format string compiler warnings
eb216a952407 cmake: use extra compiler warnings only on gcc6+
and bumps ABI_VERSION to 20191226.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Don't build with uClibc-ng. It's totally unsupported as several functions
are missing.
Make the musl libc support conditional.
Fix hash with make check FIXUP=1. Apparently I based the Makefile off of
libedit and forgot to fix the hash.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixes: 856ea2bad3 ("libcxx: Add package")
Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The
former is huge and the latter supports only C++98 with some basic support
for C++11. Those C++ versions seem to be specific to the compiler version
libcxx supports C++11 and above while being much smaller than libstdcpp.
On mt7621, these are the sizes of the ipks that I get:
libstdcpp: 460786
libcxx: 182881
uClibc++:67720
libcxx is faster than uClibc++ and is under active development as part of
the LLVM project while uClibc++ is effectively dead.
This PR modifies uclibc++.mk to expose the make menuconfig option. Further
cleanup is beyond the scope of this PR. What that means is, this is not
used by default.
A g++-libcxx wrapper based on the uClibc++ one was added. Works the same
way.
Compile tested with all packages that use uclibc++.mk in their Makefiles
under mipsel_24kc. kismet fails compilation but that package needs to be
cleaned up and updated.
Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng
on a TP-Link Archer C7v2.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
07413cce72e1 tests: jshn: add more test cases
26586dae43a8 jshn: fix missing usage for -p and -o arguments
8e832a771d3a jshn: fix off by one in jshn_parse_file
cb698e35409b jshn: jshn_parse: fix leaks of memory pointed to by 'obj'
c42f11cc7c0f jshn: main: fix leak of memory pointed to by 'vars'
93848ec96dc5 jshn: refactor main into smaller pieces
9b6ede0e5312 avl: guard against theoretical null pointer dereference
c008294a8323 blobmsg_json: fix possible uninitialized struct member
0003ea9c45cc base64: fix possible null pointer dereference
8baeeea1f52d add assert.h component
b0a5cd8a28bf add cram based unit tests
1fefb7c4d7f9 add initial GitLab CI support
c955464d7a9b enable extra compiler checks
6228df9de91d iron out all extra compiler warnings
Signed-off-by: Petr Štetiar <ynezz@true.cz>
41060943 Bump up version number to 1.40.0, LT revision to 33:0:19
5ae9bb89 Fail fast if huffman decoding context is in failure state
bb519154 Merge pull request #1413 from nghttp2/check-authority
77f5487a Add nghttp2_check_authority as public API
db9a8f6e Merge pull request #1409 from nghttp2/fix-wrong-stream-close-error-code
6f28a69b Merge pull request #1411 from richard78917/fix_warning
6ce4835e Fix the bug that stream is closed with wrong error code
29042f1c priority_spec::valid(): remove const qualifier from return value
d08c4395 Merge pull request #1405 from nghttp2/huffman
5d6964cf Faster huffman decoding
0d855bfc Faster huffman encoding
6f967c6e Fix errors reported by coverity scan
b8a43db8 Merge pull request #1394 from wrowe/fix-static-libname
70b62c1a Merge pull request #1393 from wrowe/fix-static-msvcrt
28b1f0b9 Avoid filename collision of static and dynamic lib
1dd966f1 Merge branch 'fix-nghttpx-mruby'
fe8946dd nghttpx: Fix bug that mruby is incorrectly shared between backends
72b71a6b Add new flag ENABLE_STATIC_CRT for Windows
f8933fe5 nghttpx: Reconnect h1 backend if it lost connection before sending headers
89c33d69 Update neverbleed
7079dc5e Update neverbleed to fix memory leak
5080db84 Revert "nghttpx: Reconnect h1 backend if it lost connection before sending headers"
053c7ac5 nghttpx: Returns 408 if backend timed out before sending headers
8a59ce6d nghttpx: Reconnect h1 backend if it lost connection before sending headers
f2fde180 Remove redundant null check before delete
95efb3e1 Don't read too greedily
0a6ce87c Add nghttp2_option_set_max_outbound_ack
2aa79fa9 Bump up LT revision to 32:0:18
3980678d Merge branch 'nghttpx-fix-request-stall'
319d5ab1 nghttpx: Fix request stall
448bbbc3 integration-tests: gofmt
e575a2aa Merge pull request #1377 from Aldrog/cmake_systemd
4f7aedc9 cmake: Support building nghttpx with systemd
7a590893 Fix clang-8 warning
ee443134 Fix FPE with default backend
abef9b90 Fix log-level is not set with cmd-line or configuration file
12a999f0 Bump up version number to 1.40.0-DEV
acfb3607 Update manual pages
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
0219008cc876 remove never used err variable assignment disliked by scan-build
7ce813fcd667 silence use after the free clang analyzer warning
1f73b6a8e678 use offsetof macro to make scan-build happy
Signed-off-by: Petr Štetiar <ynezz@true.cz>
lib and includedir point to the host, not staging_dir.
Note that prefix and exec_prefix is overriden to point to staging_dir.
As CMAKE_INSTTALL is passed, switched InstallDev to use cmake.mk's rule.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
includedir and libdir are set to /usr/include and /usr/lib . This breaks
compilation with packages such as tmux that use pkgconfig to find libevent
Also added PKG_LICENSE_FILES.
Simplified the InstallDev section by using cmake.mk's default rule.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Many bugs were fixed--2 patches removed here.
This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:
- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Includes following changes:
0230d0698e59 add initial GitLab CI support
5e13b797a988 iron out all extra compiler warnings
802fbd4d6f39 cmake: enable extra compiler checks
050bb5c4431b convert into CMake project
5b350e42d1fd refactor into separate Git project
and converts the package build to utilize CMake.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
c9b6668 ustream-ssl: skip writing pending data if .eof is true after connect
Fixes: CVE-2019-5101, CVE-2019-5102
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
It contains a single change to vlist.h header file: "vlist: add more
macros for loop iteration". This is needed for newer version of fstools
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The main motivation is to drop and stop maintaining
"100-debian_shared_lib.patch". It lacks the logic to include custom
implementation of several functions like pcap_strlcpy() which can cause
build failures when glibc is used [2]
CAN and CAN-USB support related symbols are now handled by general linux
support, see [1]
"-ffunction-sections -fdata-sections" were removed as they should help
much for shared libraries
Size comparison before and after the change
-rw-r--r-- 1 yunion yunion 238042 Oct 18 11:42 ipkg-x86_64/libpcap/usr/lib/libpcap.so.1
lrwxrwxrwx 1 yunion yunion 16 Oct 18 13:03 ipkg-x86_64/libpcap/usr/lib/libpcap.so.1 -> libpcap.so.1.9.1
-rwxr-xr-x 1 yunion yunion 229867 Oct 18 13:03 ipkg-x86_64/libpcap/usr/lib/libpcap.so.1.9.1
[1] On Linux, handle all CAN captures with pcap-linux.c, in cooked mode,
93ca5ff703
[2] https://github.com/openwrt/packages/issues/10270
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
This adds engine configuration sections to openssl.cnf, with a commented
list of engines. To enable an engine, all you have to do is uncomment
the engine line.
It also adds some useful comments to the devcrypto engine configuration
section. Other engines currently don't have configuration commands.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Update libevent to 2.1.11
Use CMake instead GNU Autotools
Backport following commits:
f05ba67193
..and partially
7201062f3e
to fix compilation
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
The first allows usage of several functions in the std namespace, which
broke compilation of gddrescue specifically with uClibc-ng and uClibc++.
The second allows usage of long long with normal C++11, which is part of
the standard. Before, std=gnu++11 needed to be passsed to work around it.
As a result of the second patch, the pedantic patch can safely be removed.
Both patches are upstream backports.
Added -std=c++11 to CFLAGS to guarentee proper inclusion of long long.
Added another patch that fixes a typo with the long long support. Sent to
upstream.
Fixed up license information according to SPDX.
Small cleanups for consistency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>