Commit Graph

1369 Commits

Author SHA1 Message Date
Rosen Penev
f8571749a7 pcre: disable shared libraries for host builds
Getting rid of shared libraries for hostpkg avoids having to use rpath
hacks to find the library. It also fixes compilation with host glib2
binaries.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-27 14:38:13 +02:00
Rosen Penev
8a75ed4ba0 musl-fts: remove shared libraries from host
Avoids having to add rpath to the various packages using it. Also add
PIC to fix compilation as static libraries do not use PIC by default.

Fixes: 1fb099341e ("musl-fts: add host build")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-27 14:38:13 +02:00
Rosen Penev
abb2683de3 libselinux: use musl-fts for host builds
Fixes compilation under musl based distros like Alpine Linux.

Also add pcre/host as a build dependency as it's needed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-25 18:14:13 +01:00
Rosen Penev
1fb099341e musl-fts: add host build
This will be used for libselinux.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-25 18:14:13 +01:00
Stijn Tintel
636cb00ecc gettext-full: add gmsgfmt symlink in host install
Some configure scripts look for msgfmt and gmsgfmt. As we don't install
the latter, configure might pick up one from staging_dir/hostpkg, and
the other from the host:

checking for msgfmt... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/msgfmt
checking for gmsgfmt... /usr/bin/gmsgfmt

This could potentially lead to hard to debug undefined behaviour.
Install a symlink in the host install phase to avoid this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-03-25 17:48:49 +02:00
Petr Štetiar
b3aa2909a7 zlib: backport security fix for a reproducible crash in compressor
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.

Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-24 08:15:24 +01:00
Eneas U de Queiroz
1bf94b6797 openssl: move engine.mk to INCLUDE_DIR
engine.mk is supposed to be included by engine packages, but it will not
be present in the SDK in the same place as in the main repository.

Move it to include/openssl-engine.mk to avoid this.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-03-23 23:13:51 +00:00
Huangbin Zhan
3bf10bac11 ncurses: update to 6.3
release notes: https://invisible-island.net/ncurses/announce-6.3.html

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
2022-03-19 17:42:29 +01:00
Rosen Penev
80b88b083a argp-standalone: fix compilation with Alpine Linux
This package is a C89 one. Add the proper CFLAG to fix compilation.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-16 17:58:24 +01:00
Martin Schiller
e17c6ee627 openssl: bump to 1.1.1n
This is a bugfix release. Changelog:

  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
     forever for non-prime moduli. (CVE-2022-0778)

  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
     (RFC 5489) to the list of ciphersuites providing Perfect Forward
     Secrecy as required by SECLEVEL >= 3.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2022-03-16 16:28:16 +01:00
Ansuel Smith
4393d8c090 libnetfilter-conntrack: backport patch fixing compilation with 5.15
Backport patch fixing compilation with 5.15 and musl provided by Robert Marko

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2022-03-05 21:05:45 +01:00
Sergey V. Lobanov
64d159cdad argp-standalone: add host-compile ability
This patch adds host-compile ability to argp-standalone for build
hosts without glibc and argp lib, e.g. MacOS.

iucode-tool/host can not be built on MacOS due to lack of argp.

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-26 19:52:41 +01:00
Lucian Cristian
fbf485e6c6 mbedtls: update to 2.28.0 LTS branch
<https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0>
"Mbed TLS 2.28 is a long-time support branch.
It will be supported with bug-fixes and security
fixes until end of 2024."

<https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md>
"Currently, the only supported LTS branch is: mbedtls-2.28.
For a short time we also have the previous LTS, which has
recently ended its support period, mbedtls-2.16.
This branch will move into the archive namespace around the
time of the next release."

this will also add support for uacme ualpn support.

size changes
221586 libmbedtls12_2.28.0-1_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(remark about 2.16's EOS, slightly reworded)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-26 19:52:41 +01:00
Petr Štetiar
b9251e3b40 wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable.  In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:

 $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
 Downloading 'https://letsencrypt.org'
 Connecting to 18.159.128.50:443
 Connection error: Invalid SSL certificate

Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-22 20:27:15 +01:00
Eneas U de Queiroz
0134f845da openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

    config engine 'devcrypto'
            option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
30b0351039 openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
17a6ca12d3 openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Stijn Tintel
add7884cd0 libnetfilter-conntrack: bump to 1.0.9
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2022-02-17 13:59:44 +02:00
Sergey V. Lobanov
93d91197b9 wolfssl: update to 5.1.1-stable
Bump from 4.8.1-stable to 5.1.1-stable

Detailed release notes: https://github.com/wolfSSL/wolfssl/releases

Upstreamed patches:
001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch -
 fa8f23284d
002-Update-macro-guard-on-SHA256-transform-call.patch -
 f447e4c1fa

Refreshed patches:
100-disable-hardening-check.patch
200-ecc-rng.patch

CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains
configure option

The size of the ipk changed on aarch64 like this:
491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk
520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk

Tested-by: Alozxy <alozxy@users.noreply.github.com>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-01 23:18:01 +01:00
Hauke Mehrtens
392609543d libcap: Update to version 2.63
The sizes of the ipk changed on MIPS 24Kc like this:
11248 libcap_2.51-1_mips_24kc.ipk
14461 libcap_2.63-1_mips_24kc.ipk

18864 libcap-bin_2.51-1_mips_24kc.ipk
20576 libcap-bin_2.63-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
57f38e2c82 mbedtls: Update to version 2.16.12
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice. CVE-2021-44732

The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
e74529552c ustream-ssl: update to Git version 2022-01-16
868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-16 21:51:21 +01:00
Florian Fainelli
a372946e60 elfutils: Add missing musl-fts dependency
libdw depends on libfts.so when building with the musl-libc library, add
this missing dependency.

Fixes: 6835ea13f0 ("elfutils: update to 0.186")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2022-01-07 20:50:50 -08:00
Glenn Strauss
a8513e2461 mbedtls: enable session tickets
session tickets are a feature of TLSv1.2 and require less memory
and overhead on the server than does managing a session cache

Building mbedtls with support for session tickets will allow the
feature to be used with lighttpd-1.4.56 and later.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-08 00:49:59 +01:00
Sergey V. Lobanov
6835ea13f0 elfutils: update to 0.186
Upstreamed patches (deleted):
0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=8382833a257b57b0d288be07d2d5e7af6c102869
110-no-cdefs.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=d390548df1942e98a1d836269a5e41ba52e121f1

Auto-refreshed:
006-Fix-build-on-aarch64-musl.patch
101-no-fts.patch

Manually updated and refreshed:
005-build_only_libs.patch
003-libintl-compatibility.patch
100-musl-compat.patch

Disabled _obstack_free check (via configure vars)

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-01-08 00:49:59 +01:00
Hauke Mehrtens
e708bf76d5 toolchain: glibc: Update to version 2.34
glibc version 2.34 does not provide versioned shared libraries any more,
it only provides shared libraries using the ABI version. Do not try to
copy them any more.

The functions from libpthread and librt were integrated into the main
binary, the libpthread.so and librt.so are only used for backwards
compatibility any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-07 22:30:40 +01:00
Eneas U de Queiroz
def9565be6 openssl: bump to 1.1.1m
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-01-01 18:02:49 +01:00
Sergey V. Lobanov
dfd695f4b9 libs/wolfssl: add SAN (Subject Alternative Name) support
x509v3 SAN extension is required to generate a certificate compatible with
chromium-based web browsers (version >58)

It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2021-12-29 22:55:16 +01:00
Hauke Mehrtens
18bdfc803b tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-27 00:49:08 +01:00
Stijn Tintel
052e31ed47 libunwind: add ppc64 support
Backport an upstream patch to make libunwind build on ppc64, and add
powerpc64 to the dependencies.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:37:05 +02:00
Stijn Tintel
38c3ead820 nettle: disable assembler on ppc64
As of version 3.7, Nettle added PowerPC64 assembly for several
algorithms. Unfortunately, they cause build to fail due to ABI mismatch:

gcm-hash.o: ABI version 1 is not compatible with ABI version 2 output

Disable assembler when ppc64 and musl are used for now.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:36:55 +02:00
Stijn Tintel
ac8673ff85 openssl: add ppc64 support
Backport an upstream patch that adds support for ELFv2 ABI on big endian
ppc64. As musl only supports ELFv2 ABI on ppc64 regardless of
endianness, this is required to be able to build OpenSSL for ppc64be.

Modify our targets patch to add linux-powerpc64-openwrt, which will use
the linux64v2 perlasm scheme. This will probably break the combination
ppc64 with glibc, but as we really only want to support musl, this
shouldn't be a problem.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:36:38 +02:00
Hauke Mehrtens
954e1278a9 libnl-tiny: update to the latest version
8e0555f attr.h: Add NLA_PUT_S32

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-14 22:59:10 +01:00
Stijn Tintel
7f7034d79f libnftnl: bump to 1.2.1
This version is required by nftables 1.0.1.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-12-01 00:39:26 +02:00
Rosen Penev
e6f569406f gettext: remove package
This package was necessary when uClibc was in the tree. Now that uClibc
is gone, this can go too.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:25 +01:00
Rosen Penev
a3cd6c0b89 pcre: bring back C++ bindings
It seems some people use them privately.

Reported-by: Jan Kardell <jan.kardell@telliq.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Rosen Penev
a24de89539 readline: disable shared library for host
Allows to avoid rpath hacks with at least softethervpn.

--with-pic is needed as it's not default with static libraries, only
shared ones.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Rosen Penev
3d6e25dd32 libjson-c: don't build shared host libraries
Avoids having to deal with various rpath hacks.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Daniel Golle
6fcb4f4e04
libubox: update to git HEAD
cce5e35 vlist: define vlist_for_each_element_safe

This is change affects only a macro in headers and hence it is not
required to bump ABI_VERSION.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-20 17:48:49 +00:00
Stijn Tintel
36a621b1e7 libubox: bump to git HEAD
123e976 uloop: restore return type of uloop_timeout_remaining
 3344157 uloop: add uloop_timeout_remaining64
 c87d3e1 lua/uloop: use uloop_timeout_remaining64
 c86a894 uloop: deprecate uloop_timeout_remaining

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 13:18:13 +02:00
Stijn Tintel
8802b21dff libubox: bump to git HEAD
be3dc72 uloop: avoid integer overflow in tv_diff

Fixes: FS#3943
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 01:56:53 +02:00
Hauke Mehrtens
db3acbac11 toolchain: Allow sanitizer on mips and mipsel
Support for libsanitizer on MIPS 32 and MIPSEL 32 was added with GCC 9.
MIPS 64 and ARC are still not supported.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-03 23:52:08 +01:00
Lucian Cristian
8550086c24 elfutils: enable host build
frr 8.0 needs host libelf dev
add option for host build
tested on x86, ramips, kirkwood

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
[changed commit author's email]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-01 00:56:51 +01:00
Dominick Grift
25e15f5951 libsepol: update to version 3.3
Update VERSIONs to 3.3 for release.
libsepol/cil: Fix potential undefined shifts
libsepol: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
libsepol/cil: Do not skip macros when resolving until later passes
libsepol/cil: Limit the amount of reporting for bounds failures
libsepol/cil: silence clang void-pointer-to-enum-cast warning
libsepol: resolve GCC warning about null-dereference
libsepol: use correct cast
libsepol: ebitmap: mark nodes of const ebitmaps const
Update VERSIONs to 3.3-rc2 for release.
libsepol/cil: Handle operations in a class mapping when verifying
libsepol/cil: Do not use original type and typeattribute datums
libsepol: free memory after policy validation
libsepol: avoid implicit conversions
libsepol: fix typo
libsepol/cil: Free duplicate datums in original calling function
libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsepol/cil: Limit the number of active line marks
libsepol/cil: Add function to get number of items in a stack
libsepol: Fix detected RESOURCE_LEAKs
libsepol/cil: Fix syntax checking in __cil_verify_syntax()
libsepol/cil: Use size_t for len in __cil_verify_syntax()
libsepol/cil: Remove redundant syntax checking
libsepol/cil: Improve in-statement to allow use after inheritance
libsepol/cil: Simplify cil_tree_children_destroy()
libsepol/cil: Refactor the function __cil_build_ast_node_helper()
libsepol/cil: Don't destroy optionals whose parent will be destroyed
libsepol/cil: Properly check for parameter when inserting name
libsepol/cil: Reset expandtypeattribute rules when resetting AST
libsepol/cil: Properly check parse tree when printing error messages
libsepol/cil: Allow some duplicate macro and block declarations
libsepol/cil: When writing AST use line marks for src_info nodes
libsepol/cil: Report correct high-level language line numbers
libsepol/cil: Add line mark kind and line number to src info
libsepol/cil: Create common string-to-unsigned-integer functions
libsepol/cil: Push line mark state first when processing a line mark
libsepol/cil: Check for valid line mark type immediately
libsepol/cil: Check the token type after getting the next token
libsepol/cil: Check syntax of src_info statement
libsepol/cil: move the fuzz target and build script to the selinux repository
libsepol: replace strerror by %m
libsepol/cil: remove obsolete comment
libsepol/cil: do not allow \0 in quoted strings
libsepol/cil: Fix handling category sets in an expression
libsepol: assure string NUL-termination of ibdev_name
libsepol: avoid implicit conversions
libsepol: ignore UBSAN false-positives
libsepol: avoid unsigned integer overflow
libsepol/cil: Improve checking for bad inheritance patterns
libsepol: silence -Wextra-semi-stmt warning
libsepol/cil: do not override previous results of __cil_verify_classperms
libsepol/cil: Provide option to allow qualified names in declarations
libsepol/cil: make array cil_sym_sizes const
libsepol/cil: Only reset AST if optional has a declaration
libsepol/cil: Add function to determine if a subtree has a declaration
libsepol/cil: Improve degenerate inheritance check
libsepol/cil: Reduce the initial symtab sizes for blocks
libsepol/cil: Check for empty list when marking neverallow attributes
libsepol/cil: Fix syntax checking of defaultrange rule
libsepol/cil: Properly check for loops in sets
libsepol/cil: Allow duplicate optional blocks in most cases
libsepol: declare read-only arrays const
libsepol: declare file local variable static
libsepol: drop unnecessary casts
libsepol: drop repeated semicolons
libsepol/cil: avoid using maybe uninitialized variables
libsepol/cil: drop unnecessary casts
libsepol/cil: drop dead store
libsepol/cil: drop extra semicolon
libsepol/cil: silence cast warning
libsepol: remove dead stores
libsepol: do not allocate memory of size 0
libsepol: mark read-only parameters of type_set_ interfaces const
libsepol: mark read-only parameters of ebitmap interfaces const
libsepol: remove dead stores
libsepol/cil: follow declaration-after-statement
libsepol: follow declaration-after-statement
libsepol: avoid unsigned integer overflow
libsepol: remove unused functions
libsepol: resolve missing prototypes
libsepol: fix typos
libsepol: Quote paths when generating policy.conf from binary policy
libsepol/cil: Account for anonymous category sets in an expression
libsepol/cil: Fix anonymous IP address call arguments
libsepol: quote paths in CIL conversion
libsepol/cil: Resolve anonymous levels only once
libsepol/cil: Pointers to datums should be set to NULL when resetting
libsepol/cil: Resolve anonymous class permission sets only once
libsepol/cil: Limit the number of open parenthesis allowed
libsepol/cil: Destroy the permission nodes when exiting with an error
libsepol/cil: Handle disabled optional blocks in earlier passes
libsepol/cil: Do not resolve arguments to declarations in the call
libsepo/cil: Refactor macro call resolution
libsepol/cil: Do not add NULL node when inserting key into symtab
libsepol/cil: Make name resolution in macros work as documented
libsepol/cil: Fix name resolution involving inherited blocks
libsepol/cil: Check for self-referential loops in sets
libsepol/cil: Return an error if a call argument fails to resolve
libsepol/cil: Check datum in ordered list for expected flavor
libsepol/cil: Detect degenerate inheritance and exit with an error
libsepol/cil: Fix instances where an error returns SEPOL_OK
libsepol/cil: Properly reset an anonymous classperm set
libsepol: use checked arithmetic builtin to perform safe addition
libsepol/cil: Add functions to make use of cil_write_ast()
libsepol/cil: Create functions to write the CIL AST
libsepol/cil: Use CIL_ERR for error messages in cil_compile()
libsepol/cil: Make invalid statement error messages consistent
libsepol/cil: Do not allow tunable declarations in in-statements
libsepol/cil: Sync checks for invalid rules in macros
libsepol/cil: Check for statements not allowed in optional blocks
libsepol/cil: Sync checks for invalid rules in booleanifs
libsepol/cil: Reorder checks for invalid rules when resolving AST
libsepol/cil: Use AST to track blocks and optionals when resolving
libsepol/cil: Create new first child helper function for building AST
libsepol/cil: Cleanup build AST helper functions
libsepol/cil: Reorder checks for invalid rules when building AST
libsepol/cil: Move check for the shadowing of macro parameters
libsepol/cil: Create function cil_add_decl_to_symtab() and refactor
libsepol/cil: Refactor helper function for cil_gen_node()
libsepol/cil: Allow permission expressions when using map classes
libsepol/cil: Exit with an error if declaration name is a reserved word
libsepol/cil: More strict verification of constraint leaf expressions
libsepol/cil: Set class field to NULL when resetting struct cil_classperms
libsepol/cil: cil_reset_classperms_set() should not reset classpermission
libsepol/cil: Destroy classperm list when resetting map perms
libsepol/cil: Destroy classperms list when resetting classpermission
libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
libsepol/cil: Check for duplicate blocks, optionals, and macros
libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression
libsepol: Enclose identifier lists in CIL constraint expressions
libsepol/cil: Allow lists in constraint expressions
libsepol: Enclose identifier lists in constraint expressions
libsepol: Write "NO_IDENTIFIER" for empty constraint expression
libsepol: make num_* unsigned int in module_to_cil
libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs
libsepol/cil: fix NULL pointer dereference in __cil_insert_name
libsepol/cil: replace printf with proper cil_tree_log
libsepol/cil: remove stray printf
libsepol/cil: make cil_post_fc_fill_data static
libsepol: Check kernel to CIL and Conf functions for supported versions
libsepol: Remove unnecessary copying of declarations from link.c
libsepol: Properly handle types associated to role attributes
libsepol: Expand role attributes in constraint expressions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[re-apply now that buildbot phase1 has caught up]
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-31 13:01:24 +00:00
Daniel Golle
ae4069c577
Revert "libsepol: update to version 3.3"
This reverts commit de8a800ca9.
Host build uses host includes instead of staging/hostpkg.
This breaks the build in case of selinux host libs being older than
version 3.3. Revert for now until better fix is found.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-29 14:16:30 +01:00
Dominick Grift
c8d1f8fda7 libsemanage: update to version 3.3
Update VERSIONs to 3.3 for release.
Update VERSIONs to 3.3-rc3 for release.
Update VERSIONs to 3.3-rc2 for release.
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsemanage: Fix USE_AFTER_FREE (CWE-672) in semanage_direct_write_langext()
libsemanage: silence -Wextra-semi-stmt warning
libsemanage: fix use-after-free in parse_module_store()

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Dominick Grift
6925c7580d libselinux: update to version 3.3
Update VERSIONs to 3.3 for release.
libselinux: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
Update VERSIONs to 3.3-rc2 for release.
libselinux/utils: drop requirement to combine compiling and linking
Update VERSIONs and Python bindings version to 3.3-rc1 for release
Improve error message for label file validation
libselinux: replace strerror by %m
libselinux: silence -Wextra-semi-stmt warning
libselinux/utils/getseuser.c: fix build with gcc 4.8
selinux.8: document how mount flag nosuid affects SELinux
libselinux: fix typo
libselinux: improve getcon(3) man page
libselinux: selinux_status_open: return 1 in fallback mode
libselinux: do not use status page fallback mode internally
libselinux: make selinux_status_open(3) reentrant
libselinux: avc_destroy(3) closes status page
libselinux: label_file.c: fix indent
libselinux: regex: unify parameter names
libselinux: sidtab_sid_stats(): unify parameter name
libselinux: drop redundant casts to the same type
libselinux: label_db::db_init(): open file with CLOEXEC mode
libselinux: matchpathcon: free memory on realloc failure
libselinux: label_file::init(): do not pass NULL to strdup
libselinux: init_selinux_config(): free resources on error
libselinux: matchmediacon(): close file on error
libselinux: store_stem(): do not free possible non-heap object
libselinux: getdefaultcon: free memory on multiple same arguments
libselinux: setexecfilecon(): drop dead assignment
libselinux: label_media::init(): drop dead assignment
libselinux: label_x::init(): drop dead assignment
libselinux: context_new(): drop dead assignment
libselinux: exclude_non_seclabel_mounts(): drop unused variable
libselinux: getconlist: free memory on multiple level arguments
libselinux: selabel_get_digests_all_partial_matches: free memory after FTS_D block
libselinux: selinux_restorecon: mark local variable static
libselinux: avcstat: use standard length modifier for unsigned long long
libselinux: sefcontext_compile: mark local variable static
libselinux: Sha1Finalise(): do not discard const qualifier
libselinux: label_common(): do not discard const qualifier
libselinux: selinux_file_context_cmp(): do not discard const qualifier
libselinux: sidtab_hash(): do not discard const qualifier
libselinux: silence -Wstringop-overflow warning from gcc 10.3.1
libselinux: selinux_check_passwd_access_internal(): respect deny_unknown
libselinux: do not duplicate make target when going into subdirectory

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Dominick Grift
de8a800ca9 libsepol: update to version 3.3
Update VERSIONs to 3.3 for release.
libsepol/cil: Fix potential undefined shifts
libsepol: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
libsepol/cil: Do not skip macros when resolving until later passes
libsepol/cil: Limit the amount of reporting for bounds failures
libsepol/cil: silence clang void-pointer-to-enum-cast warning
libsepol: resolve GCC warning about null-dereference
libsepol: use correct cast
libsepol: ebitmap: mark nodes of const ebitmaps const
Update VERSIONs to 3.3-rc2 for release.
libsepol/cil: Handle operations in a class mapping when verifying
libsepol/cil: Do not use original type and typeattribute datums
libsepol: free memory after policy validation
libsepol: avoid implicit conversions
libsepol: fix typo
libsepol/cil: Free duplicate datums in original calling function
libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsepol/cil: Limit the number of active line marks
libsepol/cil: Add function to get number of items in a stack
libsepol: Fix detected RESOURCE_LEAKs
libsepol/cil: Fix syntax checking in __cil_verify_syntax()
libsepol/cil: Use size_t for len in __cil_verify_syntax()
libsepol/cil: Remove redundant syntax checking
libsepol/cil: Improve in-statement to allow use after inheritance
libsepol/cil: Simplify cil_tree_children_destroy()
libsepol/cil: Refactor the function __cil_build_ast_node_helper()
libsepol/cil: Don't destroy optionals whose parent will be destroyed
libsepol/cil: Properly check for parameter when inserting name
libsepol/cil: Reset expandtypeattribute rules when resetting AST
libsepol/cil: Properly check parse tree when printing error messages
libsepol/cil: Allow some duplicate macro and block declarations
libsepol/cil: When writing AST use line marks for src_info nodes
libsepol/cil: Report correct high-level language line numbers
libsepol/cil: Add line mark kind and line number to src info
libsepol/cil: Create common string-to-unsigned-integer functions
libsepol/cil: Push line mark state first when processing a line mark
libsepol/cil: Check for valid line mark type immediately
libsepol/cil: Check the token type after getting the next token
libsepol/cil: Check syntax of src_info statement
libsepol/cil: move the fuzz target and build script to the selinux repository
libsepol: replace strerror by %m
libsepol/cil: remove obsolete comment
libsepol/cil: do not allow \0 in quoted strings
libsepol/cil: Fix handling category sets in an expression
libsepol: assure string NUL-termination of ibdev_name
libsepol: avoid implicit conversions
libsepol: ignore UBSAN false-positives
libsepol: avoid unsigned integer overflow
libsepol/cil: Improve checking for bad inheritance patterns
libsepol: silence -Wextra-semi-stmt warning
libsepol/cil: do not override previous results of __cil_verify_classperms
libsepol/cil: Provide option to allow qualified names in declarations
libsepol/cil: make array cil_sym_sizes const
libsepol/cil: Only reset AST if optional has a declaration
libsepol/cil: Add function to determine if a subtree has a declaration
libsepol/cil: Improve degenerate inheritance check
libsepol/cil: Reduce the initial symtab sizes for blocks
libsepol/cil: Check for empty list when marking neverallow attributes
libsepol/cil: Fix syntax checking of defaultrange rule
libsepol/cil: Properly check for loops in sets
libsepol/cil: Allow duplicate optional blocks in most cases
libsepol: declare read-only arrays const
libsepol: declare file local variable static
libsepol: drop unnecessary casts
libsepol: drop repeated semicolons
libsepol/cil: avoid using maybe uninitialized variables
libsepol/cil: drop unnecessary casts
libsepol/cil: drop dead store
libsepol/cil: drop extra semicolon
libsepol/cil: silence cast warning
libsepol: remove dead stores
libsepol: do not allocate memory of size 0
libsepol: mark read-only parameters of type_set_ interfaces const
libsepol: mark read-only parameters of ebitmap interfaces const
libsepol: remove dead stores
libsepol/cil: follow declaration-after-statement
libsepol: follow declaration-after-statement
libsepol: avoid unsigned integer overflow
libsepol: remove unused functions
libsepol: resolve missing prototypes
libsepol: fix typos
libsepol: Quote paths when generating policy.conf from binary policy
libsepol/cil: Account for anonymous category sets in an expression
libsepol/cil: Fix anonymous IP address call arguments
libsepol: quote paths in CIL conversion
libsepol/cil: Resolve anonymous levels only once
libsepol/cil: Pointers to datums should be set to NULL when resetting
libsepol/cil: Resolve anonymous class permission sets only once
libsepol/cil: Limit the number of open parenthesis allowed
libsepol/cil: Destroy the permission nodes when exiting with an error
libsepol/cil: Handle disabled optional blocks in earlier passes
libsepol/cil: Do not resolve arguments to declarations in the call
libsepo/cil: Refactor macro call resolution
libsepol/cil: Do not add NULL node when inserting key into symtab
libsepol/cil: Make name resolution in macros work as documented
libsepol/cil: Fix name resolution involving inherited blocks
libsepol/cil: Check for self-referential loops in sets
libsepol/cil: Return an error if a call argument fails to resolve
libsepol/cil: Check datum in ordered list for expected flavor
libsepol/cil: Detect degenerate inheritance and exit with an error
libsepol/cil: Fix instances where an error returns SEPOL_OK
libsepol/cil: Properly reset an anonymous classperm set
libsepol: use checked arithmetic builtin to perform safe addition
libsepol/cil: Add functions to make use of cil_write_ast()
libsepol/cil: Create functions to write the CIL AST
libsepol/cil: Use CIL_ERR for error messages in cil_compile()
libsepol/cil: Make invalid statement error messages consistent
libsepol/cil: Do not allow tunable declarations in in-statements
libsepol/cil: Sync checks for invalid rules in macros
libsepol/cil: Check for statements not allowed in optional blocks
libsepol/cil: Sync checks for invalid rules in booleanifs
libsepol/cil: Reorder checks for invalid rules when resolving AST
libsepol/cil: Use AST to track blocks and optionals when resolving
libsepol/cil: Create new first child helper function for building AST
libsepol/cil: Cleanup build AST helper functions
libsepol/cil: Reorder checks for invalid rules when building AST
libsepol/cil: Move check for the shadowing of macro parameters
libsepol/cil: Create function cil_add_decl_to_symtab() and refactor
libsepol/cil: Refactor helper function for cil_gen_node()
libsepol/cil: Allow permission expressions when using map classes
libsepol/cil: Exit with an error if declaration name is a reserved word
libsepol/cil: More strict verification of constraint leaf expressions
libsepol/cil: Set class field to NULL when resetting struct cil_classperms
libsepol/cil: cil_reset_classperms_set() should not reset classpermission
libsepol/cil: Destroy classperm list when resetting map perms
libsepol/cil: Destroy classperms list when resetting classpermission
libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
libsepol/cil: Check for duplicate blocks, optionals, and macros
libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression
libsepol: Enclose identifier lists in CIL constraint expressions
libsepol/cil: Allow lists in constraint expressions
libsepol: Enclose identifier lists in constraint expressions
libsepol: Write "NO_IDENTIFIER" for empty constraint expression
libsepol: make num_* unsigned int in module_to_cil
libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs
libsepol/cil: fix NULL pointer dereference in __cil_insert_name
libsepol/cil: replace printf with proper cil_tree_log
libsepol/cil: remove stray printf
libsepol/cil: make cil_post_fc_fill_data static
libsepol: Check kernel to CIL and Conf functions for supported versions
libsepol: Remove unnecessary copying of declarations from link.c
libsepol: Properly handle types associated to role attributes
libsepol: Expand role attributes in constraint expressions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Stan Grishin
05a7af9ca0 wolfssl: enable ECC Curve 25519 by default
* fixes https://github.com/openwrt/packages/issues/16652
 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898

Signed-off-by: Stan Grishin <stangri@melmac.net>
2021-10-24 18:46:24 +02:00
Rosen Penev
6b2ed6101e uclibc++: remove
No package here depends on it. Furthermore, uClibc++ is a fairly buggy
C++ library and seems to be relatively inactive upstream.

It also lacks proper support for modern C++11 features.

The main benefit of it is size: 66.6 KB	vs 287.3 KB on mips24kc. Static
linking and LTO can help bring the size down of packages that need it.

Added warning message to uclibc++.mk

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-24 18:20:50 +02:00
Ivan Pavlov
be3e260f92 wolfssl: fix compile when enable-devcrypto is set
fixing linking error when --enable-devcrypto=yes
fixes: 7d92bb0509 wolfssl: update to 4.8.1-stable

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-10-21 00:17:36 +02:00
Jitao Lu
917126ff4c ncurses: add tmux terminfo
They're preferred terminal descriptions for tmux, with additional support to
some special characters and italic fonts. More info can be found at:
https://github.com/tmux/tmux/wiki/FAQ

Fixes: FS#3404

Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
2021-10-19 08:11:38 -10:00
Andre Heider
7cb5af30f4 wolfssl: remove --enable-sha512 configure switch
It's the default anyway and this just looks confusing, as if it wasn't.

Switch to AUTORELEASE while at it.

The binary size is unchanged.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-17 16:30:12 +02:00
Andre Heider
c76300707e wolfssl: always build with --enable-reproducible-build
This gates out anything that might introduce semantically frivolous jitter,
maximizing chance of identical object files.

The binary size shrinks by 8kb:
1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-17 16:29:00 +02:00
Andre Heider
28d8e6a871 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
"Alternate certification chains, as oppossed to requiring full chain
validataion. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."

This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].

This is the recommended solution from upstream [1].

The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793

Signed-off-by: Andre Heider <a.heider@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-17 16:25:10 +02:00
Ivan Pavlov
7d92bb0509 wolfssl: update to 4.8.1-stable
Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-09-13 18:36:15 +02:00
Rosen Penev
a235b41792 libjson-c: remove old math patch
Remove old math patch meant for old GCC versions. It's not needed
for GCC and causes issues with clang.

Add CMake patch to identify clang properly and apply the proper
flags. Fixes the following warnings/errors:

json_pointer.c:230:7: warning: implicit declaration of function
'vasprintf' is invalid in C99 [-Wimplicit-function-declaration]
        rc = vasprintf(&path_copy, path_fmt, args);
             ^
json_pointer.c:317:7: warning: implicit declaration of function
'vasprintf' is invalid in C99 [-Wimplicit-function-declaration]
        rc = vasprintf(&path_copy, path_fmt, args);
             ^
/usr/include/bits/mathcalls.h:177:23: error: cannot redeclare builtin
function '__builtin_isinf'
__MATHDECL_ALIAS (int,isinf,, (_Mdouble_ __value), isinf)
                      ^
/usr/include/bits/mathcalls.h:177:23: note: '__builtin_isinf' is a
builtin with type 'int ()'
/usr/include/bits/mathcalls.h:213:23: error: cannot redeclare builtin
function '__builtin_isnan'
__MATHDECL_ALIAS (int,isnan,, (_Mdouble_ __value), isnan)

The clang patch is an upstream backport.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-30 19:16:49 -10:00
Eneas U de Queiroz
7119fd32d3 openssl: bump to 1.1.1l
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
    Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
    Severity: Medium

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-08-26 21:37:20 +02:00
Felix Fietkau
ca77ffcef2 libubox: update to the latest version
d716ac4bc423 list.h: add a few missing iterator macros

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-24 17:35:45 +02:00
Stijn Tintel
718a4f4780 wolfssl: fix build with GCC 10 on 32 x86 targets
Backport upstream patch to fix build with GCC 10 on 32 x86 targets.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-08-20 23:45:20 +03:00
Rosen Penev
9982a51ed3 pcre: update to 8.45
Switch to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
381f0e3e8d nettle: update to 3.7.3
Switch to AUTORELEASE to avoid manual increments.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
fcfd741eb8 mbedtls: update to 2.16.11
Switched to AUTORELEASE to avoid manual increments.

Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
065d4300c0 libpcap: update to 1.10.1
Switch to AUTORELEASE to avoid manual increments.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
7aff590ace libnftnl: update to 1.2.0
Switch to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
094fb3f6f9 libcap: update to 2.51
Switched to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
1795bd2f1b elfutils: update to 0.182
Add --disable-libdebuginfod with remove libcurl dependency.

Remove totally unused host elfutils.

Refreshed and rebased patches.

Also happens to fix compilation with GCC11.

Newer versions of elfutils seem to have some kind of dependency on
obstack.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
30fb675847 gettext-full: disable parallel compilation
Fails fairly reliably with make -j 12 on a Ryzen 3600.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Stephan Schmidtmer
891c8676a1 libpcap: add rpcapd as package
This enables building of rpcapd and adds it as a package.

It is a daemon that allows remote packet capturing from another machine.
E.g. Wireshark can talk to it using the Remote Capture Protocol (RPCAP).
https://www.tcpdump.org/manpages/rpcapd.8.html

Compile and run tested: OpenWrt SNAPSHOT r17190-2801fe6132 on x86/64

Signed-off-by: Stephan Schmidtmer <hurz@gmx.org>
2021-08-08 19:50:46 +02:00
Rui Salvaterra
2434a57dd7 elfutils: fix building with GCC 11
Add a patch to fix building with GCC 11, which triggers new warnings by
enabling -Warray-parameter by default.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-07-25 13:52:38 +02:00
Petr Štetiar
8307da3dbd treewide: unmark selected packages nonshared
This partially reverts changes done in commit 72cc44958e ("treewide:
mark selected packages nonshared") as it removes the nonshared flag, but
keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared
flag was incorrect.

Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared
packages as this fix attempt didn't worked out. Currently the
imagebuilder is broken again:

 openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl
 ...
 Collected errors:
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status
  * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo
  * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured
  * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl:
  * 	libiwinfo20210430
  * opkg_install_cmd: Cannot install package luci-ssl-openssl.

Everything because iwinfo's ABI was changed two times since rc3 release:

 +IWINFO_ABI_VERSION:=20210430
 +IWINFO_ABI_VERSION:=20210420

Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but
luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by
phase2 builders:

 d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease
 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis

So now luci-mod-status depends on libiwinfo20210430 but only
libiwinfo20210106 can be downloaded. This is first part of the fix, in
the upcoming commit Jo is going to remove nonshared flag from iwinfo
package as well.

References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html
Acked-by: Jo-Philipp Wich <jo@mein.io>
Reported-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-02 18:12:15 +02:00
Karel Kočí
219e17a350 ustream-ssl: variants conflict with each other
This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2021-06-21 18:48:03 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Rosen Penev
2e745e9be6 treewide: remove BUILD_PARALLEL from CMake packages
It's already default. The only exception is mt76 which has Ninja
disabled.

Found with:

git grep BUILD_PARALLEL | cut -d ':' -f 1 | sort -u > par
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 par cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hannu Nyman
72cc44958e treewide: mark selected packages nonshared
Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.

Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.

After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2021-06-13 23:58:15 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00
Ivan Pavlov
b1baa01f14 wolfssl: add support for OpenVPN
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4, so we can use wolfSSL
directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN
in systems based on wolfSSL library
Compiled && tested on ramips/mt7620, ramips/mt7621

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-05-23 15:11:38 +02:00
David Bauer
ef9b103107 wolfssl: always export wc_ecc_set_rng
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.

wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.

Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-21 15:43:57 +02:00
Felix Fietkau
04d21604fd libubox: update to the latest version
870acee325fe tests: cram: test_base64: fix failing tests
4d8995e91d56 tests: cram: test_base64: really fix failing tests
551d75b5662c libubox: tests: add more blobmsg/json test cases
a0dbcf8b8f96 tests: add blob-buffer overflow test
b36a3a90098d blob: fix exceeding maximum buffer length
b8abed749423 utils.h: add fallthrough macro
b14c4688612c json_script: fix unannotated fall-through warning

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Baptiste Jonglez
1ec6fc4dcb uclient: update to Git version 2021-05-14
6a6011d uclient-http: set eof mark when content-length is 0
19571e4 tests: fix help usage test for uclient built with sanitizer
c5fc04b tests: fix help usage test

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2021-05-14 23:40:42 +02:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Rosen Penev
0ec8c793f5 libsemanage: fix pkgconfig paths
The pkgconfig file currently points to host paths.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-04-15 11:54:14 +01:00
Stijn Tintel
0f7f4de6ba libcap: bump to 2.48
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:45 +03:00
Stijn Tintel
dd91ba0d62 libcap: drop invalid copyright header
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:40 +03:00
Stijn Tintel
427acb71fc libcap: import from packages feed
Having libcap in OpenWrt base allows us to enable libcap support in
other packages in base.

In lldpd, this would allow the monitor process to drop its privileges
instead of running as root, improving security. It will also allow us to
drop our patch to disable libcap.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:29 +03:00
Hauke Mehrtens
1371910b76 uclient: update to Git version 2021-04-03
83efca2 tests: fix possibly longer start of HTTP server
64e00d6 uclient-fetch: document missing options

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-03 19:06:09 +02:00
Paul Spooren
6a6b5a677e ncurses: add screen-256color terminfo
The terminfo is required by the popular terminal multiplexer screen and
tmux, offer it by default as the size impact is minimal with 885 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-03-29 13:47:55 -10:00
Paul Spooren
75ea474b90 ncurses: split long line of supported terminfo
The terminfo files were all in one row which is terrible to read.
Split them over multiple lines to improve readability.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-03-29 13:47:19 -10:00
Eneas U de Queiroz
0bd0de7d43 openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:

 - CVE-2021-3450: problem with verifying a certificate chain when using
   the X509_V_FLAG_X509_STRICT flag.

 - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-03-26 19:57:20 +01:00
Kevin Darbyshire-Bryant
bbb9c1c2be Revert "openssl: refresh patches"
This reverts commit e27ef2da0d.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-03-26 09:12:12 +00:00
Kevin Darbyshire-Bryant
e27ef2da0d openssl: refresh patches
Tidy up some patch fuzz.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-03-26 09:03:32 +00:00
Tony Ambardar
9390e20dba elfutils: enable building with MIPS16
Building with MIPS16 was disabled in 2013 due to an issue with GCC TLS:
https://dev.archive.openwrt.org/ticket/13572. But after the problematic
GCC version was retired, this change wasn't revisited.

Re-enable MIPS16 builds to reduce average elfutils library sizes ~10%.
This was compile-tested on malta/mips32be and malta/mips32le, and linked
with iproute2 for run-testing. Package sizes follow:

Library  MIPS16:=0  MIPS16:=1
-------  ---------  ---------
libelf1    43217      37492
libasm1    12481      11658
libdw1    229723     205793

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-03-25 22:48:10 -10:00
Philip Prindeville
7fae64cc06 libnfnetlink: quote $(FPIC) on command line
When $(FPIC) gets expanded on the command line (for instance
when setting environment variables for libtool, configure, or
make) we can't count on it not needing quoting (i.e. it could
contain multiple flags separated with spaces).

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2021-03-19 13:37:51 -10:00
Magnus Kroken
dbde2bcf60 mbedtls: update to 2.16.10
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2021-03-16 21:17:02 +01:00
Rosen Penev
6cd13be014 gettext-full: disable nameless locale define
It seems some packages like transmission and json-glib fail with it
enabled.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-14 19:25:32 -10:00
Tony Ambardar
29e2be69c4 elfutils: remove host build from target package
Commit f4da28c301 ("elfutils: Add host build") supplied a libelf host
library to fix a glib2 host build error, but this need was later removed
by b6212c8769 ("glib2: don't use libelf during host build").

More importantly, there are already two sources for libelf host libraries:
OpenWRT build prerequisites [1] and tools/libelf. A third is not needed.

Ref [1]: https://openwrt.org/docs/guide-developer/build-system/install-buildsystem#prerequisites

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-03-13 21:33:22 +00:00
Dominick Grift
4670492ad7 libsemanage: update to version 3.2
c35919a7 libsemanage: sync filesystem with sandbox
5b05e829 Revert "libsemanage/genhomedircon: check usepasswd"
edae9275 libsemanage: Free contents of modkey in semanage_direct_remove
ce46daab libsemanage/genhomedircon: check usepasswd
6ebb35d2 libsemanage: Bump libsemanage.so version
c08b73d7 libsemanage: Drop deprecated functions
b46406de libsemanage: Remove legacy and duplicate symbols

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Dominick Grift
b1fc2b5b0b libselinux: update to version 3.2
142826a3 libselinux: fix segfault in add_xattr_entry()
398d2cee libselinux: rename gettid() to something which never conflicts with the libc
8f0f0a28 selinux(8,5): Describe fcontext regular expressions
9cc6b5cf libselinux/getconlist: report failures
156dd0de libselinux: update getseuser
e2dca5df libselinux: accept const fromcon in get_context API
da4829d0 libselinux: Always close status page fd
45b15c22 selinux(8): explain that runtime disable is deprecated
3c16aaef selinux(8): mark up SELINUX values
c2a58cc5 libselinux: LABEL_BACKEND_ANDROID add option to enable
db0f2f38 libselinux: Add build option to disable X11 backend
4a142ac4 libsepol: Bump libsepol.so version
d23342a9 libselinux: convert matchpathcon to selabel_lookup()
7ef5b185 libselinux: Change userspace AVC setenforce and policy load messages to audit format.
f5d644c7 libselinux: Add additional log callback details in man page for auditing.
075f9cfe libselinux: Fix selabel_lookup() for the root dir.
a4149e0e libselinux: Add new log callback levels for enforcing and policy load notices.
a63f93d8 libselinux: initialize last_policyload in selinux_status_open()
ef902db9 libselinux: safely access shared memory in selinux_status_updated()
9e4480b9 libselinux: Remove trailing slash on selabel_file lookups.
21fb5f20 libselinux: use full argument specifiers for security_check_context in man page
e7abd802 libselinux: fix build order
05bdc031 libselinux: use kernel status page by default

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Dominick Grift
2a1bdde0d0 libsepol: update to version 3.2
a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails
6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr
b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf
0861c659 libsepol: Validate policydb values when reading binary policy
8f5409cf libsepol: Create function ebitmap_highest_set_bit()
0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete
32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast
4662bdc1 libsepol/cil: be more robust when encountering <src_info>
6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument
0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks
1b36ace2 libsepol: include header files in source files when matching declarations
1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check
72a88d75 libsepol: remove unused files
eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit
1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block
b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep
f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values()
5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums
34bd9a9d libsepol: destroy filename_trans list properly
bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer
b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
a25d9104 libsepol/cil: constify some strings
e2d01842 libsepol/cil: propagate failure of cil_fill_list()
6c8fca10 libsepol/cil: do not add a stack variable to a list
38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias
3c357285 libsepol/cil: remove useless print statement
90809674 libsepol/cil: always destroy the lexer state
d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible
2aac859a libsepol/cil: Use the macro NODE() whenever possible
d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve
e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node()
ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
89dab467 libsepol: free memory when realloc() fails
2d353bd5 libsepol/cil: Give error for more than one true or false block
4a142ac4 libsepol: Bump libsepol.so version
506c7b95 libsepol: Drop deprecated functions
ae58e84b libsepol: Get rid of the old and duplicated symbols
c97d63c6 libsepol: silence potential NULL pointer dereference warning
64387cb3 libsepol: drop confusing BUG_ON macro
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
a152653b libsepol/cil: Fix neverallow checking involving classmaps
734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy
685f577a libsepol/cil: Validate constraint expressions before adding to binary policy
8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS
42ae834a libsepol,checkpolicy: optimize storage of filename transitions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Daniel Golle
c82cc4407a
libubox: update to git HEAD
2e52c7e libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:04 +00:00
Donald Hoskins
ea6d4bdde2 libunwind: Add MIPS64 dep check
libunwind dependency check does not allow for MIPS64 arch.  Add MIPS64 awareness.

libunwind seems to support MIPS64 without issues, it was limited by the dep arch
check in the Makefile.

Used to compile Suricata6/Rust locally without issue.

Signed-off-by: Donald Hoskins <grommish@gmail.com>
2021-03-01 00:34:23 +01:00
Rosen Penev
b77f21c98a libpcap: update to 1.10.0
Simplify cmake option handling by putting everything in blocks.

Add openssl patch as there's no easy way to disable.

Rebase the skip manpages patch.

Remove the monitor mode patch as it no longer applies.

Remove flex patch as normal Makefile is no longer used.

Remove USB path patch. While it is deprecated, the codepath is never
taken. /sys/bus/usb/devices is checked before hand. If it exists, the
function does stuff and returns. Additionally, this path is used
elsewhere in the code.

Refresh other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-01 00:34:23 +01:00
Adrian Schmutzler
221eefaf6b zlib: properly split patches
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.

Separate these patches into two files, as the original intent seems
to be having them separate.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 14:08:29 +01:00
Rosen Penev
fb83efb626 pcre: disable C++ bindings
Nothing uses them. Allows to simplify the Makefile.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-24 00:30:40 +01:00
Eneas U de Queiroz
12a80e44b9 openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package increases by a net 1-byte, so it is not really really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Eneas U de Queiroz
d1dfb577f1 wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Georgi Valkov
4b37e3bc2b libusb: Fix parsing of descriptors for multi-configuration devices
Prerequisite patch:
Correct a typo in the Changelog and clean up a stray file

Fix changes in libusb which introduced a regression:
Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device
initialization") introduced a regression for devices with multiple
configurations. The logic that verifies the reported length of the
configuration descriptors failed to count the length of the
configuration descriptor itself and would truncate the actual length by
9 bytes, leading to a parsing error for subsequent descriptors.

Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
2021-02-21 10:12:10 -10:00
Christian Lamparter
09e66112f1 wolfssl: fix Ed25519 typo in config prompt
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-02-20 11:11:13 +01:00
David Bauer
10e84bde36 openssl: update package sources
OpenSSL downloads itself are distributed using Akamai CDN, so use these
sources as the highest priority.

Remove a stale mirror which seems to be offline for a longer time
already.

Add fallbacks to the old release path also for the mirrors.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-20 01:26:40 +01:00
Eneas U de Queiroz
482c9ff289 openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissable
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 09:24:47 +01:00
Rosen Penev
b59905f045 gettext-full: update to 0.21
Add m4 patch to avoid conflict with tools/autoconf-archive.

Add build parallel as it seems to work now.

Remove a bunch of uClibc-ng hacks as it is not in the tree anymore.

Format security patch was fixed upstream.

Refreshed other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-16 19:27:55 -10:00
Felix Fietkau
d02088762a build: reorder more BuildPackages lines to deal with ABI_VERSION
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 11:29:38 +01:00
Felix Fietkau
26a899e3e8 wolfssl: use libtool patch for PKG_ABI_VERSION
Makes it unnecessary to patch .so files after build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
0a497c4640 libubox: use build system variable to specify ABI version
This removes the need to patch it afterwards

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
f378d81da6 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:47 +01:00
Felix Fietkau
a933c26852 libubox: use PKG_ABI_VERSION
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:45 +01:00
Hauke Mehrtens
304df2836a Revert "wolfssl: use dynamic ABI_VERSION depending on the configuration and package version"
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libwolfssl:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so when searching for -lwolfssl
mips-openwrt-linux-musl/bin/ld: cannot find -lwolfssl
collect2: error: ld returned 1 exit status

This reverts commit 2591c83b34.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 01:15:49 +01:00
Hauke Mehrtens
505a808302 Revert "libubox: use PKG_ABI_VERSION"
This fixes the build on MIPS BE like ath25 and ath79 target.
We get this error message when linking libubox:
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so: unknown type [0x7000002a] section `.MIPS.abiflags'
mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libubox.so when searching for -lubox

This reverts commit f421fefa8a.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-15 01:15:49 +01:00
Felix Fietkau
2591c83b34 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-14 19:41:52 +01:00
Felix Fietkau
f421fefa8a libubox: use PKG_ABI_VERSION
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-14 19:41:52 +01:00
Rosen Penev
6d103beb15 libnftnl: update to 1.1.8
Fix license information.

Fix wrong ABI version. The library is versioned as libnftnl.so.11.4.0

Add PKG_BUILD_PARALLEL for faster compilation.

Remove autoreconf as nothing is being patched.

Minor cleanups for consistency between packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Rosen Penev
1c264de177 libevent2: update to 2.1.12
Remove upstream backports.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Rosen Penev
8cb7d13aa7 readline: update to 8.1
Fix license.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Rosen Penev
26e152e1dd gmp: update to 6.2.1
Fix license information.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-14 19:38:15 +01:00
Hauke Mehrtens
1f559cafe5 wolfssl: Backport fix for CVE-2021-3336
This should fix CVE-2021-3336:
DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not
cease processing for certain anomalous peer behavior (sending an
ED22519, ED448, ECC, or RSA signature without the corresponding
certificate).

The patch is backported from the upstream wolfssl development branch.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-02-09 23:12:49 +01:00
Rosen Penev
f13b623f5e mbedtls: update to 2.16.9
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-18 00:49:14 +01:00
Rosen Penev
43539a6aab libusb: make InstallDev explicit
Helps to see what actually gets installed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-16 23:37:08 -10:00
Rosen Penev
3d2dab5660 libusb: cleanup PKG_ variables
Reordered for consistency between packages.

Fixed license information.

Change PKG_BUILD_PARALLEL to 1. This is no longer a problem.1

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-16 23:26:52 -10:00
Rosen Penev
0798b13d7d libusb: update to 1.0.24
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-01-16 23:25:27 -10:00
Etan Kissling
02abd99f89 mbedtls: add config option to compile with hkdf
This adds a config option to allow compiling with HKDF algorithm support
to support applications that require this feature.

Signed-off-by: Etan Kissling <etan_kissling@apple.com>
2021-01-14 00:52:49 +00:00
Felix Fietkau
55e23f2c02 wolfssl: enable HAVE_SECRET_CALLBACK
Fixes wpad-wolfssl build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-01-02 14:36:25 +01:00
Hauke Mehrtens
e7d0d2e9dc wolfssl: Fix hostapd build with wolfssl 4.6.0
This fixes the following build problem in hostapd:
mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_add':
<artificial>:(.text.crypto_ec_point_add+0x170): undefined reference to `ecc_projective_add_point'
mipsel-openwrt-linux-musl/bin/ld: <artificial>:(.text.crypto_ec_point_add+0x18c): undefined reference to `ecc_map'
mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_to_bin':
<artificial>:(.text.crypto_ec_point_to_bin+0x40): undefined reference to `ecc_map'

Fixes: ba40da9045 ("wolfssl: Update to v4.6.0-stable")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-01-01 22:10:20 +01:00
Alexandru Ardelean
5eaf6d8bea libevent2: trigger rebuild on libevent2-pthreads
The symbol determines if the libevent2-pthreads libraries get built or not.
If we want to select libevent2-pthreads, and these haven't been built, an
error will occur mentioning that there are no 'libevent_pthreads-2.1.so'
files.

Adding CONFIG_PACKAGE_libevent2-pthreads to PKG_CONFIG_DEPEND will make
sure that the libraries get re-built in case libevent2-pthreads is
selected.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2021-01-01 10:26:20 -10:00
Eneas U de Queiroz
ba40da9045 wolfssl: Update to v4.6.0-stable
This version fixes a large number of bugs, although no security
vulnerabilities are listed.

Full changelog at:
https://www.wolfssl.com/docs/wolfssl-changelog/
or, as part of the version's README.md:
https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md

Due a number of API additions, size increases from 374.7K to 408.8K for
arm_cortex_a9_vfpv3-d16.  The ABI does not change from previous version.

Backported patches were removed; remaining patch was refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-01-01 19:55:59 +01:00
Rosen Penev
57fe7d5401 toolchain: remove uClibc install stuff
This is preparation for removing uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 19:11:50 +01:00
Rosen Penev
2a92754ce9 libpcap: fix pcap-config
pcap-config as installed is using OS paths instead of OpenWrt ones.

Take fix from libpng and adjust as needed.

This problem seems to occur on Arch Linux and not on Debian/Fedora
based distros. No idea why.

Remove CMAKE_INSTALL as there is now an InstallDev section.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Rosen Penev
6e5759f6b4 pcre: fix paths in config file
The paths are pointing to OS paths, not OpenWrt ones. Use SED line from
libpng to fix and adjust accordingly.

This may allow certain packages that use the config file to pick up pcre.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Rosen Penev
36540aa973 nettle: update to 3.6
Updated ABI_VERSION.

Switched PKG_BUILD_PARALLEL on as there seems to be no issue anymore.
I can't find any information about why it was turned off.

Fixed license information.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Rosen Penev
0d502293e6 elfutils: update to 0.180
Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-22 18:59:10 +01:00
Hauke Mehrtens
aa08f43cab toolchain: Deactivate sanitizer on MIPS and ARC
MIPS 32 bit support for sanitizer was added with GCC 9, MIPS 64 bit and
ARC are still not supported in GCC 10.

Deactivate them for now and change this when we change the default
compiler to GCC 9 or later.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-12-19 23:18:38 +01:00
Rosen Penev
e030a19a57 libunwind: update to 1.5.0
Cleanup Makefile for consistency with other ones.

Remove PKG_SSP. It can be fixed with -lssp_nonshared.

Add PKG_BUILD_PARALLEL for faster compilation.

Add zlib dependency. 1.5.0 requires it now.

Refresh patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-16 22:11:19 +01:00
Rosen Penev
3040791608 libnetfilter-conntrack: update to 1.0.8
Previous git version was 1.0.7.

Switched to using tarballs for simplicity.

Fixed license information.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-15 00:18:12 +01:00
Petr Štetiar
ce1163dfa7 uclient: update to Git version 2020-12-10
2c843b2bc04c Add initial GitLab CI support
073f89f567c0 uclient-fetch: wolfSSL: fix certificate validation
086c292160ac uclient-fetch: init_ca_cert: fix memory leak
a3c1a88b031a cmake: enable extra compiler checks
32ff717ed316 uclient-http: fix extra compiler warnings on mips_24kc and cortex-a9+neon
86a2ac6ac46f uclient-fetch: fix potential memory leaks
158dd9dd289c uclient: fix initialized but never read variable
66b4420856a7 uclient-fetch: fix statement may fallt hrough
436f9b3af2ad uclient-http: fix freeing of stack allocated memory
e6b5b8a98ce2 Fix extra compiler warnings
12df67e45bb0 Add basic cram based unit tests
b6e34845124f cmake: fix building out of the tree

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-14 09:41:39 +01:00
Petr Štetiar
23bbaa02a9 ustream-ssl: update to Git version 2020-12-10
68d09243b6fd Add initial GitLab CI support
8280140db9d1 wolfssl: remove now deprecated compatibility code
cee6791b362a ustream-mbedtls: fix certificate verification
55c3fd89d508 ustream-mbedtls: implement set_require_validation
c6b4c48689a3 ustream-openssl: wolfSSL: fix certificate validation
3bc05402bfab cmake: enable extra compiler checks
cd2c3d12db43 ustream-mbedtls: fix comparison of integers of different signs
5896991e46a3 ustream-openssl: fix BIO_method memory leak
2c342ae57c5b ustream-openssl: fix wolfSSL includes
fa8ecd6ed140 cmake: fix linking when mbed TLS not in default paths
63656f81045f cmake: fix linking when wolfSSL not in default paths
c26f71e844df cmake: fix building out of the tree

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-14 09:41:39 +01:00
Daniel Golle
ee0ff7343e libubox: utils: introduce mkdir_p
Add new utility function mkdir_p(char *path, mode_t mode) to replace
the partially buggy implementations found accross fstools and procd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 23:34:10 +00:00
Eneas U de Queiroz
882ca13d92 openssl: update to 1.1.1i
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-12-11 13:57:04 +01:00
Petr Štetiar
064d65c2f7 wolfssl: fix broken wolfSSL_X509_check_host
Backport upstream post 4.5.0 fix for broken wolfSSL_X509_check_host().

References: https://github.com/wolfSSL/wolfssl/issues/3329
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-11 13:48:24 +01:00
Eneas U de Queiroz
f31c9cd383 wolfssl: compile with --enable-opensslall
This enables all OpenSSL API available.  It is required to avoid some
silent failures, such as when performing client certificate validation.

Package size increases from 356.6K to 374.7K for
arm_cortex-a9_vfpv3-d16.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-12-11 13:48:24 +01:00
Eneas U de Queiroz
4e8a0014aa wolfssl: add lighty support, skip crypttests
Tnis adds the --enable-lighty option to configure, enabling the minimum
API needed to run lighttpd, in the packages feed.  Size increase is
about 120 bytes for arm_cortex-a9_vfpv3-d16.

While at it, speed up build by disabling crypt bench/test.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-12-11 13:48:24 +01:00
Rosen Penev
f7d7a3a18b libcxx[abi]: remove
This is a neat project, but offers no benefit to OpenWrt. The initial
reason for it was to be a replacement for libstdcpp as it is smaller
and lacks compatibility for C++98. Unfortunately, compiling several
packages with it results in larger ipk sizes.

While not a member of the packages feed, this will be moved to
packages-abandoned to keep it somewhere.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-07 10:46:43 -10:00
Rosen Penev
588933ae9a lzo: remove
This is not used by any package in base. It will be moved to packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-12-06 11:21:44 -10:00
Eneas U de Queiroz
2f75348923 openssl: use --cross-compile-prefix in Configure
This sets the --cross-compile-prefix option when running Configure, so
that that it will not use the host gcc to figure out, among other
things, compiler defines.  It avoids errors, if the host 'gcc' is
handled by clang:

mips-openwrt-linux-musl-gcc: error: unrecognized command-line option
'-Qunused-arguments'

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
2020-12-06 18:32:14 +01:00
Rosen Penev
c7778acf10 libnetfilter-cthelper: remove
conntrack was moved to packages where this is used. This will be moved
there as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
6d242414e4 libnetfilter-cttimeout: remove
conntrack was moved to packages where this is used. This will be moved
there as well.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
f06aface3c libnetfilter-log: remove
ulogd in the packages feed is the only user of this. It will be moved
there.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
530965dfb4 libnetfilter-queue: remove
Nothing in base uses this. This will be moved to packages where it is
used.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-28 14:24:25 +01:00
Rosen Penev
9762cf107b libroxml: remove
This will be moved to the packages feed as nothing here uses it.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-27 00:58:48 -10:00
Rosen Penev
8a87ab43d1 libiconv-full: Makefile polishing
Added PKG_INSTALL to avoid using an explicit define Build/Compile

Added PKG_BUILD_PARALLEL for faster compilation.

Removed TARGET_CLAFGS. They are no longer necessary.
fPIC is default now. So is gnu99. -DUSE_DOS is a hack to include old
and mostly unused conversions.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-26 13:09:32 -10:00
Josef Schlehofer
75063b941b libiconv-full: update to version 1.16
- Removed following patches:
100-strip_charsets.patch - makes the full variant slim.
101-autotools.patch - this one fails to apply because it was backported
from newer versions for 1.11.1.
103-configure_ac_fix.patch - backported from newer versions
200-work-with-libtool2.patch - is not needed anymore, it is done
differently in upstream
300-fortify-source-compat.patch - these files are not there anymore

- TVHeadend requires working iconv library e.g. transliteration to ASCII
and this does not work with libiconv-full currently.

There is a simple test, which requires to install iconv package.

Before applying this update:
root@turris:/# echo ŽluťoučkýKůň | iconv -t ASCII//TRANSLIT//IGNORE
luoukK

After applying this update:
root@turris:~# echo ŽluťoučkýKůň | iconv -t ASCII//TRANSLIT//IGNORE
Zlutouck'yKun

- Makefile changes:
Use HTTPS for their website
Fixed deprecated SPDX License Identifier
Move PKG_MAINTAINER above PKG_LICENSE

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com> [malta]
2020-11-26 13:09:24 -10:00
Kevin Darbyshire-Bryant
6429307a3d nettle: fix build on macos xcode 12
compiler warns that exit() isn't defined so checks for build system
compiler fail.

include <stdlib.h> to define exit()

Tested under macos Catalina & Big Sur

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-11-26 17:37:42 +00:00
Rosen Penev
a058349ff9 libusb-compat: remove
No package in base relies on this library. This library will be moved
to packages where it is needed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-11-25 13:23:06 +01:00
Felix Fietkau
5752ccb60f libjson-c: enable rpath for host builds to fix errors on recent macOS
Same approach as on libubox

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-14 14:48:30 +01:00
Brett Mastbergen
e800ecfa3d libnetfilter-log: Backport kernel header syncs
Backport upstream commits that sync the local kernel header
copies in this library, with up to date copies.  These updated
headers ensure that libnetfilter-log users can use current
kernel functionality such as requesting that conntrack
information be appended to nflog events sent to userspace via
the NFULNL_CFG_F_CONNTRACK flag.  This functionality has been
available since kernel version 4.4

Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
2020-11-12 18:21:55 +01:00
Felix Fietkau
128ef379ae libnl-tiny: update to the latest version
2584ebc642b2 libnl-tiny: install pkgconfig file
c291088f631d unl: add support for connecting to rtnl

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-11-12 11:26:03 +01:00
Daniel Golle
237f708b3c libselinux: remove dependency on musl-fts for non-musl builds
Suggested-by: Curtis Deptuck <curtdept@users.noreply.github.com>
Tested-by: Curtis Deptuck <curtdept@users.noreply.github.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-10-31 00:49:43 +00:00
Eneas U de Queiroz
475838de1a openssl: bump to 1.1.1h
This is a bug-fix release.  Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-09-28 08:49:39 +02:00
Daniel Golle
d96d324280 libsepol: break out chkcon utility
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-27 17:22:01 +01:00
Daniel Golle
81d895d1f1 libselinux: split utility packages and add PKG_LICENSE
Split utility packages similar to coreutils in packages feed, adding
ALTERNATIVES for those which are also provided by busybox-selinux.
Also add missing license information.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-21 18:40:38 +01:00
David Bauer
c2e75017a2 libjson-c: update to 0.15
Drop patches as they've been upstreamed:
 * 001-Fix-CVE-2020-12762.patch

Refresh patches:
 * 000-libm.patch

Add patch to avoid build failure due to missing docs in tarball.

Signed-off-by: David Bauer <mail@david-bauer.net>
2020-09-17 18:08:54 +02:00
Hauke Mehrtens
787de4331f wolfssl: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk	391.545

new:
libwolfssl24_4.5.0-stable-2_mips_24kc.ipk	387.439

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:51 +02:00
Hauke Mehrtens
56c2e9fe37 libnftnl: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
libnftnl12_1.1.7-1_mips_24kc.ipk	47.459

new:
libnftnl12_1.1.7-2_mips_24kc.ipk	45.742

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Hauke Mehrtens
a617861d4c jansson: Activate link time optimization (LTO)
The ipk sizes for mips_24Kc change like this:
old:
jansson4_2.13.1-1_mips_24kc.ipk	19.171

new:
jansson4_2.13.1-2_mips_24kc.ipk	18.936

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Hauke Mehrtens
082354e4bb libnftnl: Update to version 1.1.7
The ipk sizes for mips_24Kc change like this:
old:
libnftnl12_1.1.5-1_mips_24kc.ipk	46.252

new:
libnftnl12_1.1.7-1_mips_24kc.ipk	47.459

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Hauke Mehrtens
cd2aad3812 jansson: Update to version 2.13.1
This also sets the ABI_VERSION as this is a versioned shared library.

The ipk sizes for mips_24Kc change like this:
old:
jansson_2.12-1_mips_24kc.ipk	18.692

new:
jansson4_2.13.1-1_mips_24kc.ipk	19.171

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-09-06 20:30:18 +02:00
Daniel Golle
c2c701e058 libselinux: package executables into -utils
Add new package libselinux-utils containing the executable
utilities included with libselinux.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-04 02:50:20 +01:00
Magnus Kroken
66893063ab mbedtls: update to 2.16.8
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues and the most notable of them
are described in more detail in the security advisories.

* Local side channel attack on RSA and static Diffie-Hellman
* Local side channel attack on classical CBC decryption in (D)TLS
* When checking X.509 CRLs, a certificate was only considered as revoked
if its revocationDate was in the past according to the local clock if
available.

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-09-02 15:12:12 +02:00
Daniel Golle
d136848b8b libaudit: add host-build required by policycoreutils/host
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 14:24:07 +01:00
Daniel Golle
3ce21b8797 libsemanage: host-build depends on renamed libaudit package
Fixes: efdf619f21 ("audit: build only libaudit")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 12:32:52 +01:00
Daniel Golle
93ed51e5b6 libaudit: drop unused file
Drop init script from libaudit package. It will be added to the
'audit' package in the packages feed.

Fixes: efdf619f21 ("audit: build only libaudit")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-09-01 00:32:54 +01:00
Daniel Golle
2e2425ce7f libsemanage: add missing package metadata
License and CPE-ID were missing, add them.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-31 22:02:12 +01:00
Daniel Golle
efdf619f21 audit: build only libaudit
Turns out auditd depends on libev. Lets have that in packages.git.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-31 21:51:45 +01:00
Rosen Penev
879e68eafd libcxx: update to 10.0.0
Switched to upstream tarballs.

Switched to libcxxabi as using libsupc++ is quite wonky.

Fixed description.

Removed patches. The fixes are cosmetic.

Added ssp patch. This one is needed for i386 and powerpc under musl.

Compile tested every C++ package in the tree with the exception of
several boost packages. There's something broken with boost.

Ran tested with gerbera.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-08-31 22:11:23 +02:00
Rosen Penev
3f9bd9e8ee libcxxabi: add
This will be used for libcxx.

libcxxabi is needed as libsupc++ is not good enough for libcxx. It uses
GCC specific stuff which causes failed compilation for some packages.
There are also runtime issues, most notably with cxxopts where the
program just crashes.

Reference: https://github.com/gerbera/gerbera/issues/795

Added patch to fix ARM compilation.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-08-31 22:11:23 +02:00
Daniel Golle
e868809861 libsemanage: new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
[removed python part for inclusion in core]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-31 13:52:05 +01:00
Paul Spooren
367c23740f wolfssl: add certgen config option
The option allows to generate certificates.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2020-08-31 10:19:31 +01:00
Hans Dedecker
9ee27c232e nghttp2: move to packages.git
As the package curl has been moved to packages.git and only libcurl
depends on libnghttps move it as well to packages.git.
This is based on the Hamburg  2019 decision that non essential packages
should move outside base.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-08-31 08:01:27 +02:00
Hauke Mehrtens
00722a720c wolfssl: Update to version 4.5.0
This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
  middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
  ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
  are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
  channel attacks are present.
* Leak of private key in the case that PEM format private keys are
  bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
  processed and returned to the application.

Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/

Fix a build error on big endian systems by backporting a pull request:
https://github.com/wolfSSL/wolfssl/pull/3255

The size of the ipk increases on mips BE by 1.4%
old:
libwolfssl24_4.4.0-stable-2_mips_24kc.ipk:	386246
new:
libwolfssl24_4.5.0-stable-1_mips_24kc.ipk:	391528

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-26 23:29:30 +02:00
Magnus Kroken
201d6776a0 mbedtls: update to 2.16.7
Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch,
and provides bug fixes and minor enhancements. This release includes
fixes for security issues and the most severe one is described in more
detail in a security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07

* Fix a side channel vulnerability in modular exponentiation that could
reveal an RSA private key used in a secure enclave.
* Fix side channel in mbedtls_ecp_check_pub_priv() and
mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private
key that didn't include the uncompressed public key), as well as
mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL
f_rng argument. An attacker with access to precise enough timing and
memory access information (typically an untrusted operating system
attacking a secure enclave) could fully recover the ECC private key.
* Fix issue in Lucky 13 counter-measure that could make it ineffective when
hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT
macros).

Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some
changes to the download URLs are required. For the time being, the
ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
[Use https://codeload.github.com and new tar.gz file]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-24 18:54:00 +02:00
Daniel Golle
bda1c127cc libselinux: fix Makefile style
Also fix line order in libselinux Makefile.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-14 02:43:31 +01:00
Daniel Golle
0133160177 libsepol: fix Makefile style
Fix line ordering (cosmetic).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-14 02:42:25 +01:00
Daniel Golle
4469e45f60 pcre: clean up Makefile line order
The most recent patch added add lines in one block instead of in the
appropriate places to keep Makefiles in consistent style. Fix that.

Fixes: ff02e1561f ("pcre: add host variant of libpcre")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-14 02:42:25 +01:00
Thomas Petazzoni
ff02e1561f pcre: add host variant of libpcre
This is needed to build the host variant of libselinux.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-08-14 02:29:03 +01:00
Felix Fietkau
072c5876c5 libselinux: fix build on non-Linux systems
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-08-13 20:08:29 +02:00
Felix Fietkau
2a9fb827aa libsepol: fix build on non-Linux systems
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-08-13 20:08:29 +02:00
Daniel Golle
ff6b815691 libselinux: don't depend on kernel config symbols
Dependencies are meant to express actual run-time dependencies and
strictly speaking, libselinux can be build and used on kernels without
SELinux (not in a very meaningful way, but never mind).

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 14:07:18 +01:00
Daniel Golle
ab4c6f1632 musl-fts: import from packages feed
libselinux requires musl-fts to build with musl. Import it from
packages feed as well.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 11:44:05 +01:00
Daniel Golle
e16b84df15 pcre: import from packages feeds
libselinux require pcre, import to to core so it can build without
packages feeds.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-13 11:28:28 +01:00
Thomas Petazzoni
a0df664531 libselinux: add new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-08-13 09:31:34 +01:00
Thomas Petazzoni
6531eee347 libsepol: add new package
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
[rebase, update to 3.1]
Signed-off-by: W. Michael Petullo <mike@flyn.org>
2020-08-13 09:31:34 +01:00
Rosen Penev
b59a98b009 libjson-c: fix pkgconfig file
The pkgconfig file references the host directories, not the openwrt
ones. Used SED to fix as is done elsewhere. Removed CMAKE_INSTALL as a
result.

Removed now pointless CFLAGS.

Added PKG_BUILD_PARALLEL for faster compilation.

Various rearrangements for consistency between packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-08-11 21:29:44 +02:00
Daniel Golle
2d9b653a2f libubox: update to git HEAD
9e52171 blobmsg: introduce BLOBMSG_CAST_INT64

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-06 15:27:51 +01:00
Rosen Penev
cc66580293 lzo: fix pkgconfig paths
The last commit to this package that added the pkgconfig file did not
fix the paths to point to the prefix.

This allows packages to find lzo properly.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-07-17 11:00:33 +02:00
Rosen Penev
f61110e8f2 lzo: switch to building with CMake
CMake is less error prone that autotools and also compiles faster.

Fixed license information.

Added pkgconfig file to InstallDev so that packages that use it can
find lzo.

Before:

time make package/lzo/compile -j 12
________________________________________________________
Executed in   20.87 secs   fish           external
   usr time   26.95 secs    0.00 micros   26.95 secs
   sys time    5.49 secs  305.00 micros    5.49 secs

After:

time make package/lzo/compile -j 12
________________________________________________________
Executed in   13.22 secs   fish           external
   usr time   19.59 secs  328.00 micros   19.59 secs
   sys time    4.03 secs   10.00 micros    4.03 secs

Time output is with fish shell. make clean was ran before both attempts.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-07-11 13:33:28 +02:00
Petr Štetiar
0b76410231 libubox: update to version 2020-07-11
f4e9bf73ac5c examples/lua: attempt to highlight some traps
 53b9a2123fc6 lua/uloop: fd_add: use absolute indices for arguments
 c0941d3289fc lua/uloop: make get_sock_fd capable of absolute addresses
 161c25960ba2 lua/uloop: fd_add() better args checking

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-11 13:33:28 +02:00
Wren Turkal
9f02026933 uclibc++: make verbosity affect uClibc++ build
Before this change, setting the verbosity to anything with V=blah would
cause uclibc++ build to print errors to the screen. Now, it the
clibc++ build verbosity will be altered in the following manners:
* V=s will set V=1 in the uclibc++ build
* V=sc will set V=2 in the uclibc++ build

Signed-off-by: Wren Turkal <wt@penguintechs.org>
2020-07-08 16:07:05 +02:00
DENG Qingfang
78b632134f libjson-c: update to 0.14
Update libjson-c to 0.14
Changelog: https://github.com/json-c/json-c/wiki/Notes-for-v0.14-release

Switch to CMake because the upstream build system was changed

ipk size increased by 2KB

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-07-04 21:00:11 +02:00
Catalin Patulea
492a6594b9 libnetfilter-queue: fix package title and description
The original text was copy/pasted from some other package.
Adjust the package title and description to match the description
on the publishers page.

Signed-off-by: Catalin Patulea <catalinp@google.com>
[slightly adjust content and commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-23 19:25:20 +02:00
Chen Minqiang
a57fb86d6a toolchain: glibc ldd env path fixup
This replace the shell script header of ldd
when it install to `/usr/bin/ldd` where
`#! /..../staging_dir/host/bin/bash`
should be
`#!/bin/sh`

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
2020-06-18 20:08:18 +02:00
Ian Cooper
b933f9cf0c toolchain: remove gcc libssp and use libc variant
Removes the standalone implementation of stack smashing protection
in gcc's libssp in favour of the native implementation available
in glibc and uclibc. Musl libc already uses its native ssp, so this
patch does not affect musl-based toolchains.

Stack smashing protection configuration options are now uniform
across all supported libc variants.

This also makes kernel-level stack smashing protection available
for x86_64 and i386 builds using non-musl libc.

Signed-off-by: Ian Cooper <iancooper@hotmail.com>
2020-06-17 23:57:07 +02:00
Daniel Golle
8e98613f4d uclient: uclient-fetch: add option to read POST data from file
c660986 uclient-fetch: add option to read POST data from file

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-06-17 16:38:35 +01:00
Hans Dedecker
4e65838871 nghttp2: bump to 1.41.0
8f7b008b Update bash_completion
83086ba9 Update manual pages
c3b46625 Merge pull request from GHSA-q5wr-xfw9-q7xr
3eecc2ca Bump version number to v1.41.0, LT revision to 34:0:20
881c060d Update AUTHORS
f8da73bd Earlier check for settings flood
336a98fe Implement max settings option
ef415836 Revert "Add missing connection error handling"
979e6c53 Merge pull request #1459 from nghttp2/proxyprotov2
b7d16101 Add missing connection error handling
cd53bd81 Merge pull request #1460 from gportay/patch-1
e5625b8c Fix doc
c663349f integration: Add PROXY protocol v2 tests
854e9fe3 nghttpx: Always call init_forwarded_for
c60ea227 Update doc
49cd8e6e nghttpx: Add PROXY-protocol v2 support
3b17a659 Merge pull request #1453 from Leo-Neat/master
600fcdf5 Merge pull request #1455 from xjtian/long_serials
4922bb41 static_cast size parameter in StringRef constructor to size_t
aad86975 Fix get_x509_serial for long serial numbers
dc7a7df6 Adding CIFuzz
b3f85e2d Merge pull request #1444 from nghttp2/fix-recv-window-flow-control-issue
ffb49c6c Merge pull request #1435 from geoffhill/master
2ec58551 Fix receiving stream data stall
459df42b Merge pull request #1442 from nghttp2/upgrade-llhttp
a4c1fed5 Bump llhttp to 2.0.4
866eadb5 Enable session_create_idle_stream test, fix errors
5e13274b Fix typo
e0d7f7de h2load: Allow port in --connect-to
df575f96 h2load: add --connect-to option
1fff7379 clang-format-9
b40c6c86 Merge pull request #1418 from vszakats/patch-1
9bc2c75e lib/CMakeLists.txt: Make hard-coded static lib suffix optional
2d5f7659 Bump up version number to 1.41.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2020-06-06 14:11:41 +02:00
Eneas U de Queiroz
750d52f6c9 wolfssl: use -fomit-frame-pointer to fix asm error
32-bit x86 fail to compile fast-math feature when compiled with frame
pointer, which uses a register used in a couple of inline asm functions.

Previous versions of wolfssl had this by default.  Keeping an extra
register available may increase performance, so it's being restored for
all architectures.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-06-03 16:49:28 +02:00
Rosen Penev
173d2843c7 libconfig: move into packages feed
No package in base uses libconfig. Everything is in the packages feed.

Ref: https://github.com/openwrt/packages/pull/12255
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[subject facelift, PR ref]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-03 16:49:28 +02:00
Felix Fietkau
b371182d24 libubox: update to the latest version
86818eaa976b blob: make blob_parse_untrusted more permissive
cf2e8eb485ab tests: add fuzzer seed file for crash in blob_len
c2fc622b771f blobmsg: fix length in blobmsg_check_array
639c29d19717 blobmsg: simplify and fix name length checks in blobmsg_check_name
66195aee5042 blobmsg: fix missing length checks

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-05-26 10:45:44 +02:00
Rafał Miłecki
a765b063ee libubox: update to the latest master
5e75160 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
eeddf22 tests: runqueue: try to fix race on GitLab CI
89fb613 libubox: runqueue: fix use-after-free bug
1db3e7d libubox: runqueue fix comment in header
7c4ef0d tests: list: add test case for list_empty iterator

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-05-24 17:06:09 +02:00
Eneas U de Queiroz
3481f6ffc7 wolfssl: update to 4.4.0-stable
This version adds many bugfixes, including a couple of security
vulnerabilities:
 - For fast math (enabled by wpa_supplicant option), use a constant time
   modular inverse when mapping to affine when operation involves a
   private key - keygen, calc shared secret, sign.
 - Change constant time and cache resistant ECC mulmod. Ensure points
   being operated on change to make constant time.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-05-20 17:03:45 +02:00
Robert Marko
bc0288b768 libjson-c: backport security fixes
This backports upstream fixes for the out of bounds write vulnerability in json-c.
It was reported and patches in this upstream PR: https://github.com/json-c/json-c/pull/592

Addresses CVE-2020-12762

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
[bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-05-13 11:16:43 +02:00
Stijn Tintel
3a79e3b185 argp-standalone: fix segfault in canon_doc_option
Backported from glibc.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-05-03 20:31:30 +03:00
Luiz Angelo Daros de Luca
a3079fb7ba elfutils: powerpc build fix
Fixes following build error on mpc85xx/generic:

 ppc_initreg.c: In function 'ppc_set_initial_registers_tid':
 ppc_initreg.c:79:22: error: field 'r' has incomplete type
        struct pt_regs r;

Ref: FS#2924
Fixes: d27623b542 ("elfutils: update to 0.179")
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[commit description facelift]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-04-28 07:45:00 +02:00
Petr Štetiar
3773ae127a openssl: bump to 1.1.1g
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.

Ref: https://www.openssl.org/news/secadv/20200421.txt
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-04-21 22:59:56 +02:00
Magnus Kroken
02fcbe2f3d mbedtls: update to 2.16.6
Security fixes for:
* CVE-2020-10932
* a potentially remotely exploitable buffer overread in a DTLS client
* bug in DTLS handling of new associations with the same parameters

Full release announement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-04-17 23:43:01 +02:00
Lucian Cristian
16ad4de2c0 elfutils: aarch64 fix build on musl
aarch64_initreg.c: In function 'aarch64_set_initial_registers_tid':
aarch64_initreg.c:85:37: error: invalid operands to binary & (have 'long double' and 'unsigned int')
     dwarf_fregs[r] = fregs.vregs[r] & 0xFFFFFFFF;
                      ~~~~~~~~~~~~~~ ^

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2020-04-17 13:43:34 +02:00
Rosen Penev
d27623b542 elfutils: update to 0.179
Removed sys/cdefs usage. The header is deprecated.

Removed canonicalize_file_name define. It's already fixed upstream.

Added --disable-debuginfod. Seems to be needed.

Modified patch 005 to build more stuff. It was failing before. It still
only builds libraries.

Modified patch 100 to use strerror under non-glibc. It is used under
glibc as strerror is not thread safe. It is under musl and uClibc-ng.
strerror_l is not available under uClibc-ng.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-04-13 22:40:19 +02:00
Kevin Darbyshire-Bryant
51edc4eb89 jansson: convert to cmake
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-04-01 16:36:04 +01:00
Eneas U de Queiroz
af5ccfbac7 openssl: bump to 1.1.1f
There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
  newly generated RSA modules
- the patch reversing EOF detection we had already applied.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-04-01 08:12:20 +02:00
Kevin Darbyshire-Bryant
9e835377ad jansson: import jansson from packages
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-29 17:27:54 +01:00
Eneas U de Queiroz
2e8a4db9b6 openssl: revert EOF detection change in 1.1.1
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e.  It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443

Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read().  Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0.  The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct.  Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.

The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-03-28 13:03:02 +01:00
Jo-Philipp Wich
dd166960f4 uclient: update mirror hash
Fixes: 98017228dd ("uclient: bump to latest Git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-03-25 19:34:34 +01:00
Jo-Philipp Wich
98017228dd uclient: bump to latest Git HEAD
af585db uclient-fetch: support specifying advertised TLS ciphers

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-03-25 19:32:18 +01:00
Jo-Philipp Wich
cd23dc1d21 ustream-ssl: bump to latest Git HEAD
5e1bc34 ustream-openssl: clear error stack before SSL_read/SSL_write
f7f93ad add support for specifying usable ciphers

Also bump the ABI version since the layout of `struct ustream_ssl_ops`
changed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-03-25 19:16:19 +01:00
Kevin Darbyshire-Bryant
a0027f8dbf libnftnl: drop unsupported configure option
--without-json-parsing is not a supported configure option.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-23 21:31:05 +00:00
Eneas U de Queiroz
dcef8d6093 openssl: update to 1.1.1e
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-03-21 17:48:34 +01:00
Eneas U de Queiroz
d9d689589b openssl: add configuration example for afalg-sync
This adds commented configuration help for the alternate, afalg-sync
engine to /etc/ssl/openssl.cnf.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2020-03-21 17:48:34 +01:00
Jan Kardell
ecef29b294 readline: needs host depend on ncurses to build
We must ensure that host ncurses is build before host readline.

Signed-off-by: Jan Kardell <jan.kardell@telliq.com>
2020-03-20 17:08:58 +00:00
Kevin Darbyshire-Bryant
77b4cb0b39 libnftnl: bump to 1.1.5
Solve missing references to nftnl_set_list_lookup_byname when building
iptables with Nftables support enabled (CONFIG_IPTABLES_NFTABLES)

Bump the ABI version to force everything to match.

/Users/kevin/wrt/staging_dir/toolchain-x86_64_gcc-9.2.0_musl/lib/gcc/x86_64-openwrt-linux-musl/9.2.0/../../../../x86_64-openwrt-linux-musl/bin/ld: xtables_nft_multi-nft-bridge.o: in function `nft_bridge_parse_lookup':
nft-bridge.c:(.text.nft_bridge_parse_lookup+0xcd): undefined reference to `nftnl_set_list_lookup_byname'
/Users/kevin/wrt/staging_dir/toolchain-x86_64_gcc-9.2.0_musl/lib/gcc/x86_64-openwrt-linux-musl/9.2.0/../../../../x86_64-openwrt-linux-musl/bin/ld: xtables_nft_multi-nft-cache.o: in function `nftnl_set_list_cb':
nft-cache.c:(.text.nftnl_set_list_cb+0x80): undefined reference to `nftnl_set_list_lookup_byname'
/Users/kevin/wrt/staging_dir/toolchain-x86_64_gcc-9.2.0_musl/lib/gcc/x86_64-openwrt-linux-musl/9.2.0/../../../../x86_64-openwrt-linux-musl/bin/ld: xtables_nft_multi-nft-cache.o: in function `fetch_set_cache':
nft-cache.c:(.text.fetch_set_cache+0x10a): undefined reference to `nftnl_set_list_lookup_byname'
collect2: error: ld returned 1 exit status
make[6]: *** [xtables-nft-multi] Error 1
make[5]: *** [all] Error 2
make[4]: *** [all-recursive] Error 1
make[3]: *** [all] Error 2
make[2]: *** [/Users/kevin/wrt/build_dir/target-x86_64_musl/linux-x86_64/iptables-1.8.4/.built] Error 2
make[2]: Leaving directory `/Users/kevin/wrt/package/network/utils/iptables'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2020-03-16 15:49:13 +00:00
DENG Qingfang
a017773a92 ncurses: update to 6.2
Update ncurses to 6.2

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-03-05 20:48:58 +01:00
Stijn Tintel
8ce359d6bb libpcap: activate PIE ASLR by default
This activates PIE ASLR support by default when the regular option is
selected. This is required to enable PIE ASLR support by default in ppp,
as it fails to build without it, on x86/64.

The .so file size stays identical.

Suggested-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2020-03-01 21:35:59 +01:00
Jo-Philipp Wich
955634b473 libubox: update to latest Git HEAD
7da6643 tests: blobmsg: add test case
75e300a blobmsg: fix wrong payload len passed from blobmsg_check_array

Fixes: FS#2833
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-02-27 22:03:18 +01:00
Josef Schlehofer
8fe9daf775 mbedtls: use correct SPDX License Identifier and add License file
License "GPL-2.0+" is deprecated License Identifier according to
SPDX License list [1]. The correct one is GPL-2.0-or-later.
While at it, also add the License file.

[1] https://spdx.org/licenses/

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-02-24 23:25:28 +01:00
Josef Schlehofer
36af1967f5 mbedtls: update to version 2.16.5
Changelog:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02

Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
2020-02-24 23:25:28 +01:00
Rosen Penev
499ebb791f libbsd: update to 0.10.0
Removed all upstream patches.

Added PKG_BUILD_PARALLEL for faster compilation.

Small Makefile rearrangements for consistency between packages.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-02-22 16:34:57 +01:00
Magnus Kroken
6e96fd9047 mbedtls: update to 2.16.4
Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA.

Release announcement:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released

Security advisory:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12

Fixes:
 * CVE-2019-18222: Side channel attack on ECDSA

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2020-01-26 15:07:59 +01:00
Petr Štetiar
5c73bb12c8 libubox: update to version 2020-01-20
43a103ff17ee blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes
 5c0faaf4f5e2 tests: prefer dynamically allocated buffers
 1ffa41535369 blobmsg_json: prefer snprintf usage
 132ecb563da7 blobmsg: blobmsg_vprintf: prefer vsnprintf
 a2aab30fc918 jshn: prefer snprintf usage
 b0886a37f39a cmake: add a possibility to set library version
 a36ee96618a9 blobmsg: blobmsg_add_json_element() 64-bit values
 f0da3a4283b7 blobmsg_json: fix int16 serialization
 20a070f08139 tests: blobmsg/json: add more test cases
 379cd33d1992 tests: include json script shunit2 based testing

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-01-20 20:57:21 +01:00
Stijn Tintel
1322190fd3 libcxx: fix build for x86/64
When building libcxx for x86/64, the library is installed in /usr/lib64.
As the install section tries to copy the library from /usr/lib, this
breaks build on x86/64. Override the lib dir suffix to fix this.

Fixes: 856ea2bad3 ("libcxx: Add package")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rosen Penev <rosenp@gmail.com>
2020-01-17 00:42:49 +02:00
Hauke Mehrtens
05145ffbef uclient: Update to version 2020-01-05
fef6d3d uclient: Add string error function

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-05 20:04:37 +01:00
Hauke Mehrtens
ccd7e2dfb2 ustream-ssl: Update to version 2020-01-05
30cebb4 ustream-ssl: mbedtls: fix ssl client verification
77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-05 20:04:37 +01:00
Rosen Penev
c2ef6c2148 nettle: Disable ARMEB assembly
It's broken for ARMv5, which is the only armeb target in OpenWrt.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-05 19:36:45 +01:00
Rosen Penev
c84a3458aa libcxx: Remove -flto from LDFLAGS
It seems the buildbots can't handle it.

Added a cmake option to find the cxxabi files as they are part of the
toolchain and not in the normal path. It doesn't seem to make a
difference, just gets rid of cmake warnings.

Added another small GCC warning fix. It's fairly minor.

This has no change in compiled size, and most likely no change in
behavior. Bumped the PKG_RELEASE anyway.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-05 19:36:45 +01:00
Rosen Penev
9f7d36d1a9 libcxx: Add size optimizations
Changed standard to 2a. 2a (as well as 17) contain more constexpr
functions, which are evaluated at compile time. This saves space.

Added --gc-sections. With the CXXABI change, this now makes the package
smaller.

With these, size went down to 210845 on mipsel_24kc.

Also fixed two small compiler warnings. No real change in behavior.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-01 16:59:32 +01:00
Rosen Penev
1f8ab1c640 libcxx: Build with the libsupc++ ABI
Allows proper exception handling. This includes removing unimplemented
warnings.

File size increased as a result:

Before:

182874

After:

211006

On mipsel_24kc.

Note that this requires libsupc++ anyway. It's specified in g++-libcxx.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2020-01-01 16:59:13 +01:00
Petr Štetiar
e3e939d8e6 libubox: update to version 2019-12-28
Fixes startup issues of some services in procd and bumps ABI_VERSION to 20191228.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-December/020840.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-28 21:28:09 +01:00
Eneas U de Queiroz
d5ede68f8b wolfssl: bump to 4.3.0-stable
This update fixes many bugs, and six security vulnerabilities, including
CVE-2019-18840.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-12-26 23:30:57 +01:00
Petr Štetiar
b9f3af7c89 libubox: update to version 2019-12-26
Contains following changes:

 eb7eb6393d47 blobmsg: fix array out of bounds GCC 10 warning
 86f6a5b8d1f1 blobmsg: reuse blobmsg_namelen in blobmsg_data
 586ce031eaa0 tests: fuzz: fuzz _len variants of checking methods
 b0e21553ae8c blobmsg: add _len variants for all attribute checking methods
 cd3059796a57 Replace use of blobmsg_check_attr by blobmsg_check_attr_len
 143303149c8b Ensure blob_attr length check does not perform out of bounds reads
 f2b2ee441adb blobmsg: fix heap buffer overflow in blobmsg_parse
 4dfd24ed88c4 blobmsg: make blobmsg_len and blobmsg_data_len return unsigned value
 2df6d35e3299 tests: add test cases for blobmsg parsing
 8a34788b46c4 test: fuzz: add blobmsg_check_attr crashes
 478597b9f9ae blob: fix OOB access in blob_check_type
 325418a7a3c0 tests: use blob_parse_untrusted variant
 0b24e24b93e1 blob: introduce blob_parse_untrusted
 6d27336e4a8b blob: refactor attr parsing into separate function
 833d25797b16 test: fuzz: add blob_parse crashes
 09ee90f8d6ed tests: add test cases for blob parsing
 436d6363a10b tests: add libFuzzer based tests
 bf680707acfd tests: add unit tests covered with Clang sanitizers
 f804578847de cmake: add more hardening compiler flags
 46f8268b4b5b blobmsg/ulog: fix format string compiler warnings
 eb216a952407 cmake: use extra compiler warnings only on gcc6+

and bumps ABI_VERSION to 20191226.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-12-26 08:41:37 +01:00
Rosen Penev
fb19fb868c libcxx: Depenency fixes
Don't build with uClibc-ng. It's totally unsupported as several functions
are missing.

Make the musl libc support conditional.

Fix hash with make check FIXUP=1. Apparently I based the Makefile off of
libedit and forgot to fix the hash.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Fixes: 856ea2bad3 ("libcxx: Add package")
2019-12-23 12:08:23 +01:00
Rosen Penev
856ea2bad3 libcxx: Add package
Currently in OpenWrt, there are two libc++: libstdcpp and uClibc++. The
former is huge and the latter supports only C++98 with some basic support
for C++11. Those C++ versions seem to be specific to the compiler version

libcxx supports C++11 and above while being much smaller than libstdcpp.
On mt7621, these are the sizes of the ipks that I get:

libstdcpp: 460786
libcxx: 182881
uClibc++:67720

libcxx is faster than uClibc++ and is under active development as part of
the LLVM project while uClibc++ is effectively dead.

This PR modifies uclibc++.mk to expose the make menuconfig option. Further
cleanup is beyond the scope of this PR. What that means is, this is not
used by default.

A g++-libcxx wrapper based on the uClibc++ one was added. Works the same
way.

Compile tested with all packages that use uclibc++.mk in their Makefiles
under mipsel_24kc. kismet fails compilation but that package needs to be
cleaned up and updated.

Runtime tested with gddrescue, gdisk, dcwapd, bonnie++, and aircrack-ng
on a TP-Link Archer C7v2.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-12-23 00:22:07 +01:00
Petr Štetiar
441c7944e6 libubox: update to latest Git HEAD
07413cce72e1 tests: jshn: add more test cases
26586dae43a8 jshn: fix missing usage for -p and -o arguments
8e832a771d3a jshn: fix off by one in jshn_parse_file
cb698e35409b jshn: jshn_parse: fix leaks of memory pointed to by 'obj'
c42f11cc7c0f jshn: main: fix leak of memory pointed to by 'vars'
93848ec96dc5 jshn: refactor main into smaller pieces
9b6ede0e5312 avl: guard against theoretical null pointer dereference
c008294a8323 blobmsg_json: fix possible uninitialized struct member
0003ea9c45cc base64: fix possible null pointer dereference
8baeeea1f52d add assert.h component
b0a5cd8a28bf add cram based unit tests
1fefb7c4d7f9 add initial GitLab CI support
c955464d7a9b enable extra compiler checks
6228df9de91d iron out all extra compiler warnings

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-11-24 14:19:43 +01:00
Hans Dedecker
68fb38548b nghttp2: bump to 1.40.0
41060943 Bump up version number to 1.40.0, LT revision to 33:0:19
5ae9bb89 Fail fast if huffman decoding context is in failure state
bb519154 Merge pull request #1413 from nghttp2/check-authority
77f5487a Add nghttp2_check_authority as public API
db9a8f6e Merge pull request #1409 from nghttp2/fix-wrong-stream-close-error-code
6f28a69b Merge pull request #1411 from richard78917/fix_warning
6ce4835e Fix the bug that stream is closed with wrong error code
29042f1c priority_spec::valid(): remove const qualifier from return value
d08c4395 Merge pull request #1405 from nghttp2/huffman
5d6964cf Faster huffman decoding
0d855bfc Faster huffman encoding
6f967c6e Fix errors reported by coverity scan
b8a43db8 Merge pull request #1394 from wrowe/fix-static-libname
70b62c1a Merge pull request #1393 from wrowe/fix-static-msvcrt
28b1f0b9 Avoid filename collision of static and dynamic lib
1dd966f1 Merge branch 'fix-nghttpx-mruby'
fe8946dd nghttpx: Fix bug that mruby is incorrectly shared between backends
72b71a6b Add new flag ENABLE_STATIC_CRT for Windows
f8933fe5 nghttpx: Reconnect h1 backend if it lost connection before sending headers
89c33d69 Update neverbleed
7079dc5e Update neverbleed to fix memory leak
5080db84 Revert "nghttpx: Reconnect h1 backend if it lost connection before sending headers"
053c7ac5 nghttpx: Returns 408 if backend timed out before sending headers
8a59ce6d nghttpx: Reconnect h1 backend if it lost connection before sending headers
f2fde180 Remove redundant null check before delete
95efb3e1 Don't read too greedily
0a6ce87c Add nghttp2_option_set_max_outbound_ack
2aa79fa9 Bump up LT revision to 32:0:18
3980678d Merge branch 'nghttpx-fix-request-stall'
319d5ab1 nghttpx: Fix request stall
448bbbc3 integration-tests: gofmt
e575a2aa Merge pull request #1377 from Aldrog/cmake_systemd
4f7aedc9 cmake: Support building nghttpx with systemd
7a590893 Fix clang-8 warning
ee443134 Fix FPE with default backend
abef9b90 Fix log-level is not set with cmd-line or configuration file
12a999f0 Bump up version number to 1.40.0-DEV
acfb3607 Update manual pages

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-11-23 21:32:04 +01:00
Petr Štetiar
5d7fcd07a2 libnl-tiny: update to latest Git head
0219008cc876 remove never used err variable assignment disliked by scan-build
 7ce813fcd667 silence use after the free clang analyzer warning
 1f73b6a8e678 use offsetof macro to make scan-build happy

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-11-14 22:53:31 +01:00
Rosen Penev
cabaaf06fe nghttp2: Fix pkgconfig file
lib and includedir point to the host, not staging_dir.

Note that prefix and exec_prefix is overriden to point to staging_dir.

As CMAKE_INSTTALL is passed, switched InstallDev to use cmake.mk's rule.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-11-09 14:33:42 +01:00
Rosen Penev
7f4cef67c2 libevent2: Fix pkgconfig directories
includedir and libdir are set to /usr/include and /usr/lib . This breaks
compilation with packages such as tmux that use pkgconfig to find libevent

Also added PKG_LICENSE_FILES.

Simplified the InstallDev section by using cmake.mk's default rule.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-11-09 14:33:42 +01:00
Eneas U de Queiroz
f4853f7cca wolfssl: update to v4.2.0-stable
Many bugs were fixed--2 patches removed here.

This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:

- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-11-06 23:23:53 +01:00
Petr Štetiar
80a799125b libnl-tiny: update to latest Git head
Includes following changes:

 0230d0698e59 add initial GitLab CI support
 5e13b797a988 iron out all extra compiler warnings
 802fbd4d6f39 cmake: enable extra compiler checks
 050bb5c4431b convert into CMake project
 5b350e42d1fd refactor into separate Git project

and converts the package build to utilize CMake.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-11-06 16:31:42 +01:00
Jo-Philipp Wich
6f9157e6bd ustream-ssl: update to latest Git HEAD
c9b6668 ustream-ssl: skip writing pending data if .eof is true after connect

Fixes: CVE-2019-5101, CVE-2019-5102
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-05 14:43:20 +01:00
Yousong Zhou
51e7624776 libubox: bump to version 2019-10-29
It contains a single change to vlist.h header file: "vlist: add more
macros for loop iteration".  This is needed for newer version of fstools

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-11-03 04:24:54 +00:00
DENG Qingfang
2d00cf7515 libnl: update to 3.5.0
Update libnl to 3.5.0

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-11-01 21:19:40 +01:00
Hauke Mehrtens
57ff06405e ustream-ssl: Update to latest git HEAD
465f8dc wolfssl: adjust to new API in v4.2.0
3b06c65 Update example certificate & key, fix typo
1c38fd8 wolfssl: enable CN validation
33308ee ustream-io-cyassl.c: fix client-mode connections
79d91aa Remove CyaSSL, WolfSSL < 3.10.4 support

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-01 21:19:40 +01:00
Yousong Zhou
69b9f0161e toolchain: gcc: enable sanitizers for glibc toolchain
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-10-24 11:40:00 +00:00
Roman Yeryomin
c0e7ec91a0 libubox: update to latest git HEAD
eb30a03 libubox, jshn: add option to write output to a file

Signed-off-by: Roman Yeryomin <roman@advem.lv>
2019-10-22 11:38:40 +02:00
Yousong Zhou
e8f79474c9 libpcap: build with cmake
The main motivation is to drop and stop maintaining
"100-debian_shared_lib.patch".  It lacks the logic to include custom
implementation of several functions like pcap_strlcpy() which can cause
build failures when glibc is used [2]

CAN and CAN-USB support related symbols are now handled by general linux
support, see [1]

"-ffunction-sections -fdata-sections" were removed as they should help
much for shared libraries

Size comparison before and after the change

  -rw-r--r-- 1 yunion yunion 238042 Oct 18 11:42 ipkg-x86_64/libpcap/usr/lib/libpcap.so.1

  lrwxrwxrwx 1 yunion yunion     16 Oct 18 13:03 ipkg-x86_64/libpcap/usr/lib/libpcap.so.1 -> libpcap.so.1.9.1
  -rwxr-xr-x 1 yunion yunion 229867 Oct 18 13:03 ipkg-x86_64/libpcap/usr/lib/libpcap.so.1.9.1

[1] On Linux, handle all CAN captures with pcap-linux.c, in cooked mode,
    93ca5ff703
[2] https://github.com/openwrt/packages/issues/10270

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-10-21 01:37:43 +00:00
Eneas U de Queiroz
cebf024c4d openssl: Add engine configuration to openssl.cnf
This adds engine configuration sections to openssl.cnf, with a commented
list of engines.  To enable an engine, all you have to do is uncomment
the engine line.

It also adds some useful comments to the devcrypto engine configuration
section.  Other engines currently don't have configuration commands.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-10-20 13:01:43 +02:00
Daniel Engberg
f351beedfd libevent2: Update to 2.1.11
Update libevent to 2.1.11
Use CMake instead GNU Autotools
Backport following commits:
f05ba67193
..and partially
7201062f3e
to fix compilation

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-10-15 22:35:14 +02:00
Rosen Penev
6ab386c9bc uClibc++: Fix three bugs
The first allows usage of several functions in the std namespace, which
broke compilation of gddrescue specifically with uClibc-ng and uClibc++.

The second allows usage of long long with normal C++11, which is part of
the standard. Before, std=gnu++11 needed to be passsed to work around it.

As a result of the second patch, the pedantic patch can safely be removed.

Both patches are upstream backports.

Added -std=c++11 to CFLAGS to guarentee proper inclusion of long long.

Added another patch that fixes a typo with the long long support. Sent to
upstream.

Fixed up license information according to SPDX.

Small cleanups for consistency.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-10-12 23:43:08 +02:00
DENG Qingfang
44f11353de libpcap: update to 1.9.1
Fixed CVEs:
	CVE-2018-16301
	CVE-2019-15161
	CVE-2019-15162
	CVE-2019-15163
	CVE-2019-15164
	CVE-2019-15165

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-10-12 23:37:00 +02:00
Petr Štetiar
36c6f4a011 libnl-tiny: fix package mirror hash
Current hash doesn't match with the content of the source tarball.

Fixes: a92f74ba8d ("libnl-tiny: move source code into separate Git repository")
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-10-11 22:48:06 +02:00
Paul Spooren
a9e4e595e1 openssl: add gcc-8 -ffile-prefix-map filter
gcc-8 switch -ffile-prefix-map helps a lot with reproducible build paths
in the resulting binaries.

Ref: https://reproducible-builds.org/docs/build-path/
Signed-off-by: Paul Spooren <mail@aparcar.org>
[refactored into separate commit]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-10-09 09:13:44 +02:00
Petr Štetiar
a92f74ba8d libnl-tiny: move source code into separate Git repository
In order to make the source code usable and testable separately out of
buildroot.

Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: Hans Dedecker <dedeckeh@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-10-09 09:13:44 +02:00
Rosen Penev
f4da28c301 elfutils: Add host build
Needed for glib2 host build:

gresource-tool.c:32:20: fatal error: libelf.h: No such file or directory
 #include <libelf.h>

Changed PKG_LICENSE to the SPDX version.

Switched build dependency for argp-standalone to !USE_GLIBC. argp is a
glibc extension. Treat it as such.

Adjusted patch to use strerror_l, which works properly with both glibc
and musl. The patch errors under glibc with:

dwfl_error.c:158:7: error: ignoring return value of 'strerror_r', declared
with attribute warn_unused_result [-Werror=unused-result]
       strerror_r (error & 0xffff, s, sizeof(s));

void casting does not fix the error.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-09-21 01:09:30 +02:00
Eneas U de Queiroz
ab19627ecc wolfssl: allow building with hw-crytpo and AES-CCM
Hardware acceleration was disabled when AES-CCM was selected as a
workaround for a build failure.  This applies a couple of upstream
patches fixing this.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-20 20:54:10 +02:00
Magnus Kroken
49d96ffc5c mbedtls: update to 2.16.3
Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch,
the issue has been fixed upstream.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2019-09-20 19:32:04 +02:00
Rosen Penev
977a8fc5fc uClibc++: Remove faulty patch
This patch was originally added to fix compilation with v4l2rtspserver.
Turns out it was v4l2rtspserver that was broken, not uClibc++. This now
causes issues with a different package where the arguments are being
split.

Note that with this patch, shellcheck throws an error:

SC2068: Double quote array expansions to avoid re-splitting elements.

More: https://github.com/openwrt/packages/pull/9972#discussion_r324878373

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-09-20 19:30:51 +02:00
Eneas U de Queiroz
d868d0a5d7 openssl: bump to 1.1.1d
This version fixes 3 low-severity vulnerabilities:

- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
		 CMS_decrypt_set1_pkey

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-19 21:28:53 +02:00
Konstantin Demin
699955a684 libnftnl: bump to version 1.1.4
ABI version is same.

The ipkg size increase by about 2.2%:
old:
47.909 libnftnl11_1.1.3-1_arm_cortex-a7_neon-vfpv4.ipk
new:
48.985 libnftnl11_1.1.4-1_arm_cortex-a7_neon-vfpv4.ipk

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-09-01 18:38:04 +02:00
Eneas U de Queiroz
f40262697f openssl: always build with EC support
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-09-01 00:16:08 +02:00
Rosen Penev
926157c2cc libnfnetlink: Avoid passing both -fPIC and -fpic
Instead, instruct the configure script to use $(FPIC) only.

Mixing -fPIC and -fpic can cause issues on some platforms like PPC.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-08-31 12:08:23 +02:00
Rosen Penev
e2ecf39e8e ncurses: Do not pass both -fPIC and -fpic
The configure scripts matches Linux with -fPIC, which is not exactly what
is desired. Since we are already passing $(FPIC), added a CONFIGURE_VAR to
avoid passing -fPIC.

Removed PKG_BUILD_DIR as it is already the default value.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-08-31 12:08:23 +02:00
Christian Lamparter
5ef3fe614c openssl: refresh patches
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-08-24 23:23:31 +02:00
Luiz Angelo Daros de Luca
0851ce4ff9 elfutils: bump to 0.177
200-uclibc-ng-compat.patch is upstream now.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2019-08-19 22:10:35 +02:00
Hans Dedecker
58f929077f nghttp2: bump to 1.39.2
957abacf Bump up version number to 1.39.2, LT revision to 32:0:18
83d362c6 Don't read too greedily
a76d0723 Add nghttp2_option_set_max_outbound_ack
db2f612a nghttpx: Fix request stall

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-08-18 18:58:16 +02:00
Hauke Mehrtens
ced2b7bb98 ustream-ssl: update to latest git HEAD
e8f9c22 Revise supported ciphersuites
7e9e269 wolfssl, openssl: use TLS 1.3, set ciphersuites

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 17:09:42 +02:00
Luiz Angelo Daros de Luca
0d0617ff14 musl: ldso/dlsym: fix mips returning undef dlsym
This happens only the second time a library is loaded by dlopen().
After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef
symbol from lib1 dependencies. After the second library is loaded,
dlsym(lib2,"undef1") was returning the address of "undef1" in lib2
instead of searching lib2 dependencies.

Using upstream fix which now uses the same logic for relocation time
and dlsym.

Fixes openwrt/packages#9297

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2019-08-17 16:57:32 +02:00
Eneas U de Queiroz
77e0e99d31 wolfssl: bump to 4.1.0-stable
Always build AES-GCM support.
Unnecessary patches were removed.

This includes two vulnerability fixes:

CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK
extension parsing.

CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes
when performing ECDSA signing operations. The leak is considered to be
difficult to exploit but it could potentially be used maliciously to
perform a lattice based timing attack.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-08-17 16:43:23 +02:00
Daniel Engberg
9e489b41b5 nettle: Update to 3.5.1
Update (lib)nettle to 3.5.1
Bump ABI_VERSION

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-08-09 21:40:13 +02:00
Jeffery To
e545fac8d9 build: include BUILD_VARIANT in PKG_BUILD_DIR
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.

This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-08-05 23:22:26 +02:00
Rafał Miłecki
430d65c544 libroxml: bump to the 3.0.2 version
* Fix for memory leak regression
* Support for (un)escaping

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-07-15 21:35:56 +02:00
Eneas U de Queiroz
c47eff0df3 libs/toolchain: remove eglibc remnant file
This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-15 19:29:07 +02:00
Konstantin Demin
ce8027ed29 libnftnl: bump to version 1.1.3
bump ABI version accordingly (thanks to Jo-Philipp Wich).

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-07-07 13:02:06 +02:00
Eneas U de Queiroz
ff69364ad8 wolfssl: update to 4.0.0-stable
Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
Mark options turned on when wpad support is selected.
Add building options for TLS 1.0, and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-07 13:02:05 +02:00
Eneas U de Queiroz
2792daab5a wolfssl: update to 3.15.7, fix Makefile
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack.  Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-07 13:02:05 +02:00
Eneas U de Queiroz
82a8ddd603 ustream-ssl: update to 2019-06-24
This adds chacha20-poly1305 support to the mbedtls variant.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-06-24 22:01:17 +02:00
Josef Schlehofer
a2f54f6d5d mbedtls: Update to version 2.16.2
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
2019-06-24 20:22:23 +02:00
Eneas U de Queiroz
ee1a783314 nghttp2: deduplicate files in staging_dir
'38b22b1e: deduplicate files in libnghttp2' missed duplicates in
staging_dir by Build/InstallDev.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-06-22 10:23:56 +02:00
Deng Qingfang
080ba31eec
libjson-c: update to 0.13.1
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-06-19 22:44:28 +02:00
Hans Dedecker
865e25e049 nghttp2: bump to 1.39.1
7ffc239b Bump up version number to 1.39.1
bc886a0e Fix FPE with default backend
a3a14a9c Fix log-level is not set with cmd-line or configuration file
acfb3607 Update manual pages
bdfd14c2 Bump up version number to 1.39.0, LT revision to 31:4:17
cddc09fe Update AUTHORS
3c3b6ae8 Add missing colon
2f83aa9e Fix multi-line text travis issue
fc591d0c Run nghttpx integration test with cmake build
9a17c3ef travis: use multi-line text
b7220f07 cmake: Remove SPDY related files
a1556fd1 Merge pull request #1356 from nghttp2/fix-log-level-on-reload
77f1c872 nghttpx: Fix unchanged log level on configuration reload
49ce44e1 Merge pull request #1352 from nghttp2/travis-osx
f54b3ffc Fix libxml2 CFLAGS output
b0f5e5cc Implement daemon() using fork() for OSX
8d6ecd66 Enable osx build on travis
f82fb521 Update doc
2e1975dd clang-format-8
97ce392b Merge pull request #1347 from nghttp2/nghttpx-ignore-cl-te-on-upgrade
afefbda5 Ignore content-length in 200 response to CONNECT request
4fca2502 nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT
6975c336 Update llhttp to 1.1.3
0288093c Fix llhttp_get_error_pos usage
a3a03481 Merge pull request #1340 from nghttp2/nghttpx-llhttp
c64d2573 Replace http-parser with llhttp
f028cc43 clang-format
302e3746 Merge pull request #1337 from nghttp2/upgrade-mruby
3cdbc5f5 Merge pull request #1335 from adamgolebiowski/boost-1.70
a6925186 Fix mruby build error
45d63d20 Upgrade mruby to 2.0.1
cbba1ebf asio: support boost-1.70
e86d1378 Bump up version number to 1.39.0-DEV
4a9d2005 Update manual pages

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-16 21:34:56 +02:00
Hauke Mehrtens
fc454ca153 libubox: update to latest git HEAD
9dd2dcf libubox: add format string checking to ulog()
ecf5617 ustream: Add format string checks to ustream_(v)printf()

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-06-16 16:40:08 +02:00
Konstantin Demin
38b22b1e70 nghttp2: deduplicate files in libnghttp2
libnghttp2 accidentally ships library twice:

$ tar -Oxzf libnghttp2-14_1.38.0-1_mips_24kc.ipk ./data.tar.gz | tar -tzvf -
drwxr-xr-x root/root         0 2019-06-07 23:14 ./
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/lib/
-rw-r--r-- root/root    144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14
-rw-r--r-- root/root    144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14.17.3

after fix, there's library and symlink (as designed):

$ tar -Oxzf libnghttp2-14_1.38.0-2_mips_24kc.ipk ./data.tar.gz | tar -tzvf -
drwxr-xr-x root/root         0 2019-06-07 23:14 ./
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/lib/
lrwxrwxrwx root/root         0 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14 -> libnghttp2.so.14.17.3
-rw-r--r-- root/root    144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14.17.3

Binary package size reduced accordingly: 134621 -> 66593.

Compile/run-tested: ar71xx/generic.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-06-12 23:00:58 +02:00
Yousong Zhou
ef7aa03bdb libunwind: bump to version 1.3.1
Libunwind provides a sigreturn stub for x86 in version 1.2 [1].  However
the arch still depends on setcontext() which is unavailable in musl-libc
and which is supposed to be "deprecated everywhere" [2]

 [1] x86 sigreturn unimplemented for some libcs,
     https://github.com/libunwind/libunwind/issues/13
 [2] setcontext deprecated on x86,
     https://github.com/libunwind/libunwind/issues/69

Refs: https://github.com/openwrt/packages/issues/8548#issuecomment-497791552
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-06-05 01:13:07 +00:00
Eneas U de Queiroz
f22ef1f1de openssl: update to version 1.1.1c
Highlights of this version:
 - Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
 - Fix OPENSSL_config bug (patch removed)
 - Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
 - Enable SHA3 pre-hashing for ECDSA and DSA

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
2019-05-31 11:21:22 +02:00
Yousong Zhou
cf463159df uclient: bump to version 2019-05-30
This version bump contains the following commit to fix FS#2222

	3b3e368 uclient-http: set data_eof when content-length is 0

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-05-30 12:13:31 +00:00
Yousong Zhou
1e5f4dcd66 libunwind: requires glibc if arch in powerpc
libunwind for powerpc depends on getcontext() from libc which musl-libc
does not provide because this API and its friends are supposed to be
"obsolescent" [1,2]

 [1] Subject: Re: setcontext/getcontext/makecontext missing?
     https://www.openwall.com/lists/musl/2016/02/04/5
 [2] http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html

Refs: https://github.com/openwrt/packages/issues/8548#issuecomment-497200058
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-05-30 10:30:45 +00:00
Rosen Penev
395bef4bba libbsd: Fix compilation under ARC
The 8 year old file does not have any ARC definitions.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-05-17 21:41:43 +02:00
Jeffery To
782eda9750 zlib: Use relative paths in pkg-config metadata file
The buildroot pkg-config (in staging_dir/host/bin) overrides the prefix
and exec_prefix variables in *.pc files, to supply the correct
(buildroot) paths for callers. If other variables are not defined
relative to prefix and exec_prefix, then the returned values will be
incorrect.

The default zlib.pc file generated by cmake contains absolute paths.
This patches the file to use relative paths (relative to ${prefix} and
${exec_prefix}).

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-17 21:41:43 +02:00
Rosen Penev
0b26382533 uClibc++: Update to 0.2.5
Switched to xz archives for smaller size.

Removed upstreamed patches.

Reorganized Makefile a little bit for clarity. Build/Prepare is not useful
anymore. Upstream converted the file to LF.

Refreshed config.

Removed -ansi option from the original CFLAGS as this was causing long
long support to be missing.

Removed fPIC. We have the macro $(FPIC) already used. No point in setting
fpic and fPIC together.

Removed pedantic -Wlong-long warnings as they are not useful.

Removed -std=gnu++98. Not only is it unnecessary (it compiles against all
standards), it actually results in a size increase. 75843 vs. 75222 (gcc
in OpenWrt defaults to g++14).

Added --gc-sections to linker flags to reduce size: 72653 vs 75222.

Removed warn linker options. They have been upstreamed.

Tested on Archer C7v2 and GnuBee PC1.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-05-11 23:10:10 +02:00
Rosen Penev
4760541027 elfutils: Fix compile with uClibc-ng
Probably glibc too. argp_help takes a char *. not const char *.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
2019-05-05 21:11:01 +02:00
Hauke Mehrtens
1325e74e0c kernel: Remove support for kernel 3.18
No target is using kernel 3.18 anymore, remove all the generic
support for kernel 3.18.

The removed packages are depending on kernel 3.18 only and are not used on
any recent kernel.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-05-03 22:41:38 +02:00
Rafał Miłecki
d6643aca34 libroxml: bump to the 3.0.1 version
Some of changes:
* Support for local-name()
* General refactoring
* Better parsing performance
* Fix possible buffer overflow & memleak
* Validation checks
* More commit functions (file, buffer, fd)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-05-01 07:25:55 +02:00
Eneas U de Queiroz
17cb490ac4 openssl: build kmods only if engines are selected
Add a conditional to the individual package's for the kmods in DEPENDS.
This avoids the need to compile the kernel modules when the crypto
engine packages are not selected.  The final binares are not affected by
this.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
2019-04-26 15:31:34 +02:00
Jose Olivera
40de4c038a elfutils: bump to 0.176
*Fixes:
  -CVE-2019-7150
  -CVE-2019-7149
  -CVE-2019-7146
  -CVE-2019-7665
  -CVE-2019-7664
  -CVE-2019-7148

*Refresh 003-libintl-compatibility.patch

*Also reset PKG_RELEASE.

Signed-off-by: Jose Olivera <oliverajeo@gmail.com>
2019-04-26 10:04:47 +02:00
Eneas U de Queiroz
8abb505048 openssl: add Eneas U de Queiroz as maintainer
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-04-22 21:37:31 +02:00
Eneas U de Queiroz
ff9ac986ce openssl: fix OPENSSL_config bug affecting wget
This applies an upstream patch that fixes a OPENSSL_config() bug that
causes SSL initialization to fail when the openssl.cnf file is not
found.  The config file is not installed by default.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-04-22 20:30:02 +02:00
Hans Dedecker
47dc4f96cb nghttp2: bump to 1.38.0
4a9d2005 Update manual pages
acf6a922 Bump up version number to 1.38.0, LT revision to 31:3:17
4ff45821 Update AUTHORS
42dce01e Merge branch 'nghttpx-fix-backend-selection-on-retry'
a35059e3 nghttpx: Fix bug that altered authority and path affect backend selection
5a30fafd Merge branch 'nghttpx-fix-chunked-request-stall'
dce91ad3 Merge branch 'nghttpx-dont-log-authorization'
2cff8b43 nghttpx: Fix bug that chunked request stalls
be96654d nghttpx: Don't log authorization request header field value with -LINFO
ce962c3f Merge branch 'update-http-parser'
f931504e Update http-parser to v2.9.1
d978f351 Fix bug that on_header callback is still called after stream is closed
ec519f22 Merge pull request #1270 from baitisj/master
e8b213e3 Bump up version number to 1.38.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-22 13:42:24 +02:00
Eneas U de Queiroz
450d44a8ea openssl: change defaults: ENGINE:on, NPN:off, misc
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enable engine support by default.  Right now, some packages require
this, so it is always enabled by the bots.  Many packages will compile
differently when engine support is detected, needing engine symbols from
the libraries.

However, being off by default, a user compiling its own image will fail
to run some popular packages from the official repo.
Note that disabling engines did not work in 1.0.2, so this problem never
showed up before.

NPN support has been removed in major browsers & servers, and has become
a small bloat, so it does not make sense to leave it on by default.

Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-04-17 11:26:55 +02:00
Josef Schlehofer
4ebd66d7a9 mbedtls: update to version 2.16.1
Refreshed patches

Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-04-06 16:30:43 +02:00
Rosy Song
488e7ccfbc libnftnl: bump to latest version
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-03-21 17:05:44 +01:00
Eneas U de Queiroz
fc1386ccf8 openssl: revert disallowing parallel build
Openssl 1.1.0 made wholesale changes to its building system.
Apparently, parallel builds are working now.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-03-21 17:05:34 +01:00
Eneas U de Queiroz
2407b1edcc openssl: disable digests by default, misc fixes
Openssh uses digest contexts across forks, which is not supported by the
/dev/crypto engine.  The speed of digests is usually not worth enabling
them anyway.  This changes the default of the DIGESTS option to NONE, so
the user still has the option to enable them.

Added another patch related to the use of encryption contexts across
forks, that ignores a failure to close a previous open session when
reinitializing a context, instead of failing the reinitialization.

Added a link to the Cryptographic Hardware Accelerators document to the
engine pacakges description, to provide more detailed instructions to
configure the engines.

Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used
by openssh.  There is an open PR to update openssh; when merged, this
symbol can be safely removed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
2019-03-12 18:26:59 +01:00
Hans Dedecker
b04c9a1ffc nghttp2: bump to 1.37.0
cfb47d30 Take into account larger frame size for prioritization
dbbe4e01 Remove unused field
371bc3a8 clang-format
5e7889c5 Update manual pages
b1b2ad50 Bump up version number to 1.37.0, LT revision to 31:2:17
e043ca83 Update AUTHORS
c2434dfb Simplify stream_less
816ad210 Reuse name when indexing header by referencing dynamic table
f5feb16e Merge pull request #1295 from bratkartoffel/fix-compile-boringssl
adf09f21 Merge pull request #1303 from donny-dont/fix-shared-install
2591960e Explicitly set install location when building shared libs
d93842db nghttpx: Fix backend stall if header and request body are sent in 2 packets
8dc2b263 nghttpx: Use std::priority_queue
8d842701 Update manual pages
de85b0fd Update README
5d6beed5 Merge branch 'nghttpx-backend-weight'
1ff9de4c nghttpx: Backend address selection with weight
34482ed4 Fix compilation with boringssl
9b6ced66 Bump up version number to 1.37.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-03-10 19:34:33 +01:00
Moritz Warning
3d3e04d8c8 wolfssl: fix build in busybox environments
The configure script broke when used in alpine-3.9 based docker containers. Fixed in wolfSSL >3.15.7.

Signed-off-by: Moritz Warning <moritzwarning@web.de>
2019-03-10 17:48:23 +01:00
Eneas U de Queiroz
d971ae51a5 openssl: backport devcrypto changes from master
The patches to the /dev/crypto engine were commited to openssl master,
and will be in the next major version (3.0).

Changes:
- Optimization in computing a digest in one operation, saving an ioctl
- Runtime configuration options for the choice of algorithms to use
- Command to dump useful information about the algorithms supported by
  the engine and the system.
- Build the devcrypto engine as a dynamic module, like other engines.

The devcrypto engine is built as a separate package by default, but
options were added to allow building the engines into the main library.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[refresh patches]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-03-09 18:55:07 +01:00
Yousong Zhou
0e8ddc953f libubox: bump to version 2019-02-27
Contains the following change

	eeef7b5 blobmsg_json: blobmsg_format_string: do not escape '/'

Resolves FS#2147

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-03-01 08:09:41 +00:00
Alexander Couzens
b2bf3745ff
package/ncurses: change AR options to fix reproducible builds
ar has a deterministic (-D) and non-deterministic (-U) mode.
OpenWrt is already using the deterministic mode by default,
but ncurses' configure script force this to be non-deterministic.
Since autoreconf fails to generate a new configure, the configure script
is directly modified.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2019-02-28 19:09:35 +01:00
Eneas U de Queiroz
9e8cbecb7f openssl: bump to release 1.1.1b
This is bugfix release that incorporated all of the devcrypto engine
patches currently in the tree.

The cleaning procedure in Package/Configure was not removing the
dependency files, causing linking errors during a rebuild with
different options.  It was replaced by a simple make clean.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-27 22:43:30 +01:00
Daniel Engberg
38867b7eba popt: Use modern toolchain logic
Replace define Build/Configure with CONFIGURE_ARGS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-26 23:20:04 +01:00
Matt Merhar
0d1d5880c0 elfutils: fix install .so glob
Only libelf was being packaged correctly - libdw and libasm included
just the symlinks.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2019-02-26 23:20:04 +01:00
Peter Wagner
0297610554 elfutils: fix DEPENDS for libelf
Signed-off-by: Peter Wagner <tripolar@gmx.at>
2019-02-17 19:22:39 +01:00
Eneas U de Queiroz
ddee1825de openssl: patch to fix devcrypto sessions leak
Applies a patch from https://github.com/openssl/openssl/pull/8213
that fixes an error where open /dev/crypto sessions were not closed.
Thanks to Ansuel Smith for reporting it.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-17 19:22:35 +01:00
Eneas U de Queiroz
29b69e840a openssl: add package for openssl.cnf, misc changes
- Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking
  the transitional mechanism, allowing libopenssl_1.0* and
  libopenssl_1.1* to coexist.

- Remove the (selecting) dependency on @KERNEL_AIO

- Use global SOURCE_DATE_EPOCH

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz
2eeb2853ed openssl: optimizations based on ARCH/small flash
Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM.  This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl.  Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.

Disable error messages by default except for devices with small flash or
RAM, to aid debugging.

Disable ASM by default on arm platform with small flash.  Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold).  All of
the affected platforms are source-only anyway.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz
d872d00b2f openssl: update to version 1.1.1a
This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware accelleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:23:26 +01:00
Eneas U de Queiroz
be3892284c openssl: add configuration options, disable ssl3
Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was innefective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 21:14:46 +01:00
Sven Roederer
6e575fa9d6 openssl: update list of mirrors
Host "gd.tuwien.ac.at" does not exists anymore, so we replace it by "ftp.pca.dfn.de" from the official list of mirrors.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2019-01-31 21:21:49 +01:00
Sven Roederer
989060478a openssl: bump to 1.0.2q
This fixes the following security problems:
 * CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication
 * CVE-2018-0734: Timing vulnerability in DSA signature generation
 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module

Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
2019-01-30 11:59:46 +01:00
Michael Heimpold
268b5bec80 mbedtls: Kconfig option to enable/disable debug functions
This introduces a new Kconfig option to switch on/off mbedtls' support
for debug functions.

The idea behind is to inspect TLS traffic with Wireshark for debug
purposes. At the moment, there is no native or 'nice' support for
this, but at
68aea15833
an example implementation can be found which uses the debug functions
of the library. However, this requires to have this debug stuff enabled
in the library, but at the moment it is staticly patched out.

So this patch removes the static part from the configuration patch
and introduces a dynamic config file editing during build.

When enabled, this heavily increases the library size, so I added
a warning in the Kconfig help section.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2019-01-27 01:04:53 +01:00
Deng Qingfang
e8f2302516 mbedtls: update to 2.16.0
Refresh patch

https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.0-2.7.9-and-2.1.18-released

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-01-27 01:04:53 +01:00
Jo-Philipp Wich
f4d6e8f98f libelf: fix library packaging
The library has an usual shared object file name, which caused the
install glob pattern to miss the actual so.

Fixes: #2082
Fixes; 0e70f69a35 ("treewide: revise library packaging")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-25 18:59:46 +01:00
Jo-Philipp Wich
d7bf0898a8 elfutils: rename libelf1 to libelf
The ABI_VERSION:=1 tag will take care of transforming the binary
library package basename.

Add a virtual PROVIDES:=libelf1 for packages still having libelf1
in their DEPENDS:=... lists.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 12:52:23 +01:00
Jo-Philipp Wich
0e70f69a35 treewide: revise library packaging
- Annotate versionless libraries (such as libubox, libuci etc.) with a fixed
  ABI_VERSION resembling the source date of the last incompatible change
- Annotate packages shipping versioned library objects with ABI_VERSION
- Stop shipping unversioned library symlinks for packages with ABI_VERSION

Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries
Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:30 +01:00
Jo-Philipp Wich
68b29a7a95 uclient: set fixed ABI_VERSION on libuclient
Last incompatible change appeared to be 4924411
("http: add proper error handling to uclient_http_redirect()") which
changed the return value of uclient_http_redirect() from bool to int.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:29 +01:00
Andy Walsh
94f6030170 librpc: remove package
* replaced with packages/libtirpc
* remove busybox options rarely used/deprecated
BUSYBOX_CONFIG_FEATURE_MOUNT_NFS
BUSYBOX_CONFIG_FEATURE_INETD_RPC

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2019-01-22 13:29:46 +01:00
Jo-Philipp Wich
5d1399788a ncurses: build host libraries with -fPIC
Since readline/host links ncurses/host now, we need to ensure that the
libncursesw.so host library is built with -fPIC.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 11:29:05 +01:00
Jo-Philipp Wich
5a89eea8e4 ncurses: package only versioned shared objects
Also fix the libxxxw.so* -> libxxx.so* linking to actually work, the
prevsious code failed to properly symlink the versioned .so files.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 08:49:36 +01:00