Many bugs were fixed--2 patches removed here.
This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:
- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit f4853f7cca)
Hardware acceleration was disabled when AES-CCM was selected as a
workaround for a build failure. This applies a couple of upstream
patches fixing this.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit ab19627ecc)
c9b6668 ustream-ssl: skip writing pending data if .eof is true after connect
Fixes: CVE-2019-5101, CVE-2019-5102
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 6f9157e6bd)
Update libevent to 2.1.11
Use CMake instead GNU Autotools
Backport following commits:
f05ba67193
..and partially
7201062f3e
to fix compilation
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
(cherry picked from commit f351beedfd)
(resolves FS#2435)
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
This adds engine configuration sections to openssl.cnf, with a commented
list of engines. To enable an engine, all you have to do is uncomment
the engine line.
It also adds some useful comments to the devcrypto engine configuration
section. Other engines currently don't have configuration commands.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit cebf024c4d)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The first allows usage of several functions in the std namespace, which
broke compilation of gddrescue specifically with uClibc-ng and uClibc++.
The second allows usage of long long with normal C++11, which is part of
the standard. Before, std=gnu++11 needed to be passsed to work around it.
As a result of the second patch, the pedantic patch can safely be removed.
Both patches are upstream backports.
Added -std=c++11 to CFLAGS to guarentee proper inclusion of long long.
Added another patch that fixes a typo with the long long support. Sent to
upstream.
Fixed up license information according to SPDX.
Small cleanups for consistency.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 6ab386c9bc)
This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit d868d0a5d7)
This patch was originally added to fix compilation with v4l2rtspserver.
Turns out it was v4l2rtspserver that was broken, not uClibc++. This now
causes issues with a different package where the arguments are being
split.
Note that with this patch, shellcheck throws an error:
SC2068: Double quote array expansions to avoid re-splitting elements.
More: https://github.com/openwrt/packages/pull/9972#discussion_r324878373
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 977a8fc5fc)
Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
(cherry picked from commit 49d96ffc5c)
ABI version is same.
The ipkg size increase by about 2.2%:
old:
47.909 libnftnl11_1.1.3-1_arm_cortex-a7_neon-vfpv4.ipk
new:
48.985 libnftnl11_1.1.4-1_arm_cortex-a7_neon-vfpv4.ipk
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit 699955a684)
Instead, instruct the configure script to use $(FPIC) only.
Mixing -fPIC and -fpic can cause issues on some platforms like PPC.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 926157c2cc)
The configure scripts matches Linux with -fPIC, which is not exactly what
is desired. Since we are already passing $(FPIC), added a CONFIGURE_VAR to
avoid passing -fPIC.
Removed PKG_BUILD_DIR as it is already the default value.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit e2ecf39e8e)
957abacf Bump up version number to 1.39.2, LT revision to 32:0:18
83d362c6 Don't read too greedily
a76d0723 Add nghttp2_option_set_max_outbound_ack
db2f612a nghttpx: Fix request stall
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 58f929077f)
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.
This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
(cherry picked from commit e545fac8d9)
This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit c47eff0df3)
bump ABI version accordingly (thanks to Jo-Philipp Wich).
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
(cherry picked from commit ce8027ed29)
This adds chacha20-poly1305 support to the mbedtls variant.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 82a8ddd603)
'38b22b1e: deduplicate files in libnghttp2' missed duplicates in
staging_dir by Build/InstallDev.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
(cherry picked from commit ee1a783314)
7ffc239b Bump up version number to 1.39.1
bc886a0e Fix FPE with default backend
a3a14a9c Fix log-level is not set with cmd-line or configuration file
acfb3607 Update manual pages
bdfd14c2 Bump up version number to 1.39.0, LT revision to 31:4:17
cddc09fe Update AUTHORS
3c3b6ae8 Add missing colon
2f83aa9e Fix multi-line text travis issue
fc591d0c Run nghttpx integration test with cmake build
9a17c3ef travis: use multi-line text
b7220f07 cmake: Remove SPDY related files
a1556fd1 Merge pull request #1356 from nghttp2/fix-log-level-on-reload
77f1c872 nghttpx: Fix unchanged log level on configuration reload
49ce44e1 Merge pull request #1352 from nghttp2/travis-osx
f54b3ffc Fix libxml2 CFLAGS output
b0f5e5cc Implement daemon() using fork() for OSX
8d6ecd66 Enable osx build on travis
f82fb521 Update doc
2e1975dd clang-format-8
97ce392b Merge pull request #1347 from nghttp2/nghttpx-ignore-cl-te-on-upgrade
afefbda5 Ignore content-length in 200 response to CONNECT request
4fca2502 nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT
6975c336 Update llhttp to 1.1.3
0288093c Fix llhttp_get_error_pos usage
a3a03481 Merge pull request #1340 from nghttp2/nghttpx-llhttp
c64d2573 Replace http-parser with llhttp
f028cc43 clang-format
302e3746 Merge pull request #1337 from nghttp2/upgrade-mruby
3cdbc5f5 Merge pull request #1335 from adamgolebiowski/boost-1.70
a6925186 Fix mruby build error
45d63d20 Upgrade mruby to 2.0.1
cbba1ebf asio: support boost-1.70
e86d1378 Bump up version number to 1.39.0-DEV
4a9d2005 Update manual pages
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 865e25e049)
9dd2dcf libubox: add format string checking to ulog()
ecf5617 ustream: Add format string checks to ustream_(v)printf()
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit fc454ca153)
This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.
Using upstream fix which now uses the same logic for relocation time
and dlsym.
Fixesopenwrt/packages#9297
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
(cherry picked from commit 0d0617ff14)
Always build AES-GCM support.
Unnecessary patches were removed.
This includes two vulnerability fixes:
CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK
extension parsing.
CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.
This brings the package up-to-date with master, so it incorporates
changes from 4.0.0 in master:
* Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
* Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
* Mark options turned on when wpad support is selected.
* Add building options for TLS 1.0, and TLS 1.3.
* Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
* Reorganized option conditionals in Makefile.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack. Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit 2792daab5a)
Highlights of this version:
- Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
- Fix OPENSSL_config bug (patch removed)
- Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
- Enable SHA3 pre-hashing for ECDSA and DSA
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
This version bump contains the following commit to fix FS#2222
3b3e368 uclient-http: set data_eof when content-length is 0
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
The 8 year old file does not have any ARC definitions.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The buildroot pkg-config (in staging_dir/host/bin) overrides the prefix
and exec_prefix variables in *.pc files, to supply the correct
(buildroot) paths for callers. If other variables are not defined
relative to prefix and exec_prefix, then the returned values will be
incorrect.
The default zlib.pc file generated by cmake contains absolute paths.
This patches the file to use relative paths (relative to ${prefix} and
${exec_prefix}).
Signed-off-by: Jeffery To <jeffery.to@gmail.com>
Switched to xz archives for smaller size.
Removed upstreamed patches.
Reorganized Makefile a little bit for clarity. Build/Prepare is not useful
anymore. Upstream converted the file to LF.
Refreshed config.
Removed -ansi option from the original CFLAGS as this was causing long
long support to be missing.
Removed fPIC. We have the macro $(FPIC) already used. No point in setting
fpic and fPIC together.
Removed pedantic -Wlong-long warnings as they are not useful.
Removed -std=gnu++98. Not only is it unnecessary (it compiles against all
standards), it actually results in a size increase. 75843 vs. 75222 (gcc
in OpenWrt defaults to g++14).
Added --gc-sections to linker flags to reduce size: 72653 vs 75222.
Removed warn linker options. They have been upstreamed.
Tested on Archer C7v2 and GnuBee PC1.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Probably glibc too. argp_help takes a char *. not const char *.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
No target is using kernel 3.18 anymore, remove all the generic
support for kernel 3.18.
The removed packages are depending on kernel 3.18 only and are not used on
any recent kernel.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Some of changes:
* Support for local-name()
* General refactoring
* Better parsing performance
* Fix possible buffer overflow & memleak
* Validation checks
* More commit functions (file, buffer, fd)
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Add a conditional to the individual package's for the kmods in DEPENDS.
This avoids the need to compile the kernel modules when the crypto
engine packages are not selected. The final binares are not affected by
this.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
This applies an upstream patch that fixes a OPENSSL_config() bug that
causes SSL initialization to fail when the openssl.cnf file is not
found. The config file is not installed by default.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
4a9d2005 Update manual pages
acf6a922 Bump up version number to 1.38.0, LT revision to 31:3:17
4ff45821 Update AUTHORS
42dce01e Merge branch 'nghttpx-fix-backend-selection-on-retry'
a35059e3 nghttpx: Fix bug that altered authority and path affect backend selection
5a30fafd Merge branch 'nghttpx-fix-chunked-request-stall'
dce91ad3 Merge branch 'nghttpx-dont-log-authorization'
2cff8b43 nghttpx: Fix bug that chunked request stalls
be96654d nghttpx: Don't log authorization request header field value with -LINFO
ce962c3f Merge branch 'update-http-parser'
f931504e Update http-parser to v2.9.1
d978f351 Fix bug that on_header callback is still called after stream is closed
ec519f22 Merge pull request #1270 from baitisj/master
e8b213e3 Bump up version number to 1.38.0-DEV
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>