Commit Graph

1104 Commits

Author SHA1 Message Date
Eneas U de Queiroz
30b0351039 openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
17a6ca12d3 openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Stijn Tintel
add7884cd0 libnetfilter-conntrack: bump to 1.0.9
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2022-02-17 13:59:44 +02:00
Sergey V. Lobanov
93d91197b9 wolfssl: update to 5.1.1-stable
Bump from 4.8.1-stable to 5.1.1-stable

Detailed release notes: https://github.com/wolfSSL/wolfssl/releases

Upstreamed patches:
001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch -
 fa8f23284d
002-Update-macro-guard-on-SHA256-transform-call.patch -
 f447e4c1fa

Refreshed patches:
100-disable-hardening-check.patch
200-ecc-rng.patch

CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains
configure option

The size of the ipk changed on aarch64 like this:
491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk
520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk

Tested-by: Alozxy <alozxy@users.noreply.github.com>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-01 23:18:01 +01:00
Hauke Mehrtens
392609543d libcap: Update to version 2.63
The sizes of the ipk changed on MIPS 24Kc like this:
11248 libcap_2.51-1_mips_24kc.ipk
14461 libcap_2.63-1_mips_24kc.ipk

18864 libcap-bin_2.51-1_mips_24kc.ipk
20576 libcap-bin_2.63-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
57f38e2c82 mbedtls: Update to version 2.16.12
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice. CVE-2021-44732

The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
e74529552c ustream-ssl: update to Git version 2022-01-16
868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-16 21:51:21 +01:00
Florian Fainelli
a372946e60 elfutils: Add missing musl-fts dependency
libdw depends on libfts.so when building with the musl-libc library, add
this missing dependency.

Fixes: 6835ea13f0 ("elfutils: update to 0.186")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2022-01-07 20:50:50 -08:00
Glenn Strauss
a8513e2461 mbedtls: enable session tickets
session tickets are a feature of TLSv1.2 and require less memory
and overhead on the server than does managing a session cache

Building mbedtls with support for session tickets will allow the
feature to be used with lighttpd-1.4.56 and later.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-08 00:49:59 +01:00
Sergey V. Lobanov
6835ea13f0 elfutils: update to 0.186
Upstreamed patches (deleted):
0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=8382833a257b57b0d288be07d2d5e7af6c102869
110-no-cdefs.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=d390548df1942e98a1d836269a5e41ba52e121f1

Auto-refreshed:
006-Fix-build-on-aarch64-musl.patch
101-no-fts.patch

Manually updated and refreshed:
005-build_only_libs.patch
003-libintl-compatibility.patch
100-musl-compat.patch

Disabled _obstack_free check (via configure vars)

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-01-08 00:49:59 +01:00
Hauke Mehrtens
e708bf76d5 toolchain: glibc: Update to version 2.34
glibc version 2.34 does not provide versioned shared libraries any more,
it only provides shared libraries using the ABI version. Do not try to
copy them any more.

The functions from libpthread and librt were integrated into the main
binary, the libpthread.so and librt.so are only used for backwards
compatibility any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-07 22:30:40 +01:00
Eneas U de Queiroz
def9565be6 openssl: bump to 1.1.1m
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-01-01 18:02:49 +01:00
Sergey V. Lobanov
dfd695f4b9 libs/wolfssl: add SAN (Subject Alternative Name) support
x509v3 SAN extension is required to generate a certificate compatible with
chromium-based web browsers (version >58)

It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2021-12-29 22:55:16 +01:00
Hauke Mehrtens
18bdfc803b tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-27 00:49:08 +01:00
Stijn Tintel
052e31ed47 libunwind: add ppc64 support
Backport an upstream patch to make libunwind build on ppc64, and add
powerpc64 to the dependencies.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:37:05 +02:00
Stijn Tintel
38c3ead820 nettle: disable assembler on ppc64
As of version 3.7, Nettle added PowerPC64 assembly for several
algorithms. Unfortunately, they cause build to fail due to ABI mismatch:

gcm-hash.o: ABI version 1 is not compatible with ABI version 2 output

Disable assembler when ppc64 and musl are used for now.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:36:55 +02:00
Stijn Tintel
ac8673ff85 openssl: add ppc64 support
Backport an upstream patch that adds support for ELFv2 ABI on big endian
ppc64. As musl only supports ELFv2 ABI on ppc64 regardless of
endianness, this is required to be able to build OpenSSL for ppc64be.

Modify our targets patch to add linux-powerpc64-openwrt, which will use
the linux64v2 perlasm scheme. This will probably break the combination
ppc64 with glibc, but as we really only want to support musl, this
shouldn't be a problem.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:36:38 +02:00
Hauke Mehrtens
954e1278a9 libnl-tiny: update to the latest version
8e0555f attr.h: Add NLA_PUT_S32

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-14 22:59:10 +01:00
Stijn Tintel
7f7034d79f libnftnl: bump to 1.2.1
This version is required by nftables 1.0.1.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-12-01 00:39:26 +02:00
Rosen Penev
e6f569406f gettext: remove package
This package was necessary when uClibc was in the tree. Now that uClibc
is gone, this can go too.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:25 +01:00
Rosen Penev
a3cd6c0b89 pcre: bring back C++ bindings
It seems some people use them privately.

Reported-by: Jan Kardell <jan.kardell@telliq.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Rosen Penev
a24de89539 readline: disable shared library for host
Allows to avoid rpath hacks with at least softethervpn.

--with-pic is needed as it's not default with static libraries, only
shared ones.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Rosen Penev
3d6e25dd32 libjson-c: don't build shared host libraries
Avoids having to deal with various rpath hacks.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-11-20 21:08:24 +01:00
Daniel Golle
6fcb4f4e04
libubox: update to git HEAD
cce5e35 vlist: define vlist_for_each_element_safe

This is change affects only a macro in headers and hence it is not
required to bump ABI_VERSION.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-20 17:48:49 +00:00
Stijn Tintel
36a621b1e7 libubox: bump to git HEAD
123e976 uloop: restore return type of uloop_timeout_remaining
 3344157 uloop: add uloop_timeout_remaining64
 c87d3e1 lua/uloop: use uloop_timeout_remaining64
 c86a894 uloop: deprecate uloop_timeout_remaining

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 13:18:13 +02:00
Stijn Tintel
8802b21dff libubox: bump to git HEAD
be3dc72 uloop: avoid integer overflow in tv_diff

Fixes: FS#3943
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 01:56:53 +02:00
Hauke Mehrtens
db3acbac11 toolchain: Allow sanitizer on mips and mipsel
Support for libsanitizer on MIPS 32 and MIPSEL 32 was added with GCC 9.
MIPS 64 and ARC are still not supported.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-11-03 23:52:08 +01:00
Lucian Cristian
8550086c24 elfutils: enable host build
frr 8.0 needs host libelf dev
add option for host build
tested on x86, ramips, kirkwood

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
[changed commit author's email]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-01 00:56:51 +01:00
Dominick Grift
25e15f5951 libsepol: update to version 3.3
Update VERSIONs to 3.3 for release.
libsepol/cil: Fix potential undefined shifts
libsepol: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
libsepol/cil: Do not skip macros when resolving until later passes
libsepol/cil: Limit the amount of reporting for bounds failures
libsepol/cil: silence clang void-pointer-to-enum-cast warning
libsepol: resolve GCC warning about null-dereference
libsepol: use correct cast
libsepol: ebitmap: mark nodes of const ebitmaps const
Update VERSIONs to 3.3-rc2 for release.
libsepol/cil: Handle operations in a class mapping when verifying
libsepol/cil: Do not use original type and typeattribute datums
libsepol: free memory after policy validation
libsepol: avoid implicit conversions
libsepol: fix typo
libsepol/cil: Free duplicate datums in original calling function
libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsepol/cil: Limit the number of active line marks
libsepol/cil: Add function to get number of items in a stack
libsepol: Fix detected RESOURCE_LEAKs
libsepol/cil: Fix syntax checking in __cil_verify_syntax()
libsepol/cil: Use size_t for len in __cil_verify_syntax()
libsepol/cil: Remove redundant syntax checking
libsepol/cil: Improve in-statement to allow use after inheritance
libsepol/cil: Simplify cil_tree_children_destroy()
libsepol/cil: Refactor the function __cil_build_ast_node_helper()
libsepol/cil: Don't destroy optionals whose parent will be destroyed
libsepol/cil: Properly check for parameter when inserting name
libsepol/cil: Reset expandtypeattribute rules when resetting AST
libsepol/cil: Properly check parse tree when printing error messages
libsepol/cil: Allow some duplicate macro and block declarations
libsepol/cil: When writing AST use line marks for src_info nodes
libsepol/cil: Report correct high-level language line numbers
libsepol/cil: Add line mark kind and line number to src info
libsepol/cil: Create common string-to-unsigned-integer functions
libsepol/cil: Push line mark state first when processing a line mark
libsepol/cil: Check for valid line mark type immediately
libsepol/cil: Check the token type after getting the next token
libsepol/cil: Check syntax of src_info statement
libsepol/cil: move the fuzz target and build script to the selinux repository
libsepol: replace strerror by %m
libsepol/cil: remove obsolete comment
libsepol/cil: do not allow \0 in quoted strings
libsepol/cil: Fix handling category sets in an expression
libsepol: assure string NUL-termination of ibdev_name
libsepol: avoid implicit conversions
libsepol: ignore UBSAN false-positives
libsepol: avoid unsigned integer overflow
libsepol/cil: Improve checking for bad inheritance patterns
libsepol: silence -Wextra-semi-stmt warning
libsepol/cil: do not override previous results of __cil_verify_classperms
libsepol/cil: Provide option to allow qualified names in declarations
libsepol/cil: make array cil_sym_sizes const
libsepol/cil: Only reset AST if optional has a declaration
libsepol/cil: Add function to determine if a subtree has a declaration
libsepol/cil: Improve degenerate inheritance check
libsepol/cil: Reduce the initial symtab sizes for blocks
libsepol/cil: Check for empty list when marking neverallow attributes
libsepol/cil: Fix syntax checking of defaultrange rule
libsepol/cil: Properly check for loops in sets
libsepol/cil: Allow duplicate optional blocks in most cases
libsepol: declare read-only arrays const
libsepol: declare file local variable static
libsepol: drop unnecessary casts
libsepol: drop repeated semicolons
libsepol/cil: avoid using maybe uninitialized variables
libsepol/cil: drop unnecessary casts
libsepol/cil: drop dead store
libsepol/cil: drop extra semicolon
libsepol/cil: silence cast warning
libsepol: remove dead stores
libsepol: do not allocate memory of size 0
libsepol: mark read-only parameters of type_set_ interfaces const
libsepol: mark read-only parameters of ebitmap interfaces const
libsepol: remove dead stores
libsepol/cil: follow declaration-after-statement
libsepol: follow declaration-after-statement
libsepol: avoid unsigned integer overflow
libsepol: remove unused functions
libsepol: resolve missing prototypes
libsepol: fix typos
libsepol: Quote paths when generating policy.conf from binary policy
libsepol/cil: Account for anonymous category sets in an expression
libsepol/cil: Fix anonymous IP address call arguments
libsepol: quote paths in CIL conversion
libsepol/cil: Resolve anonymous levels only once
libsepol/cil: Pointers to datums should be set to NULL when resetting
libsepol/cil: Resolve anonymous class permission sets only once
libsepol/cil: Limit the number of open parenthesis allowed
libsepol/cil: Destroy the permission nodes when exiting with an error
libsepol/cil: Handle disabled optional blocks in earlier passes
libsepol/cil: Do not resolve arguments to declarations in the call
libsepo/cil: Refactor macro call resolution
libsepol/cil: Do not add NULL node when inserting key into symtab
libsepol/cil: Make name resolution in macros work as documented
libsepol/cil: Fix name resolution involving inherited blocks
libsepol/cil: Check for self-referential loops in sets
libsepol/cil: Return an error if a call argument fails to resolve
libsepol/cil: Check datum in ordered list for expected flavor
libsepol/cil: Detect degenerate inheritance and exit with an error
libsepol/cil: Fix instances where an error returns SEPOL_OK
libsepol/cil: Properly reset an anonymous classperm set
libsepol: use checked arithmetic builtin to perform safe addition
libsepol/cil: Add functions to make use of cil_write_ast()
libsepol/cil: Create functions to write the CIL AST
libsepol/cil: Use CIL_ERR for error messages in cil_compile()
libsepol/cil: Make invalid statement error messages consistent
libsepol/cil: Do not allow tunable declarations in in-statements
libsepol/cil: Sync checks for invalid rules in macros
libsepol/cil: Check for statements not allowed in optional blocks
libsepol/cil: Sync checks for invalid rules in booleanifs
libsepol/cil: Reorder checks for invalid rules when resolving AST
libsepol/cil: Use AST to track blocks and optionals when resolving
libsepol/cil: Create new first child helper function for building AST
libsepol/cil: Cleanup build AST helper functions
libsepol/cil: Reorder checks for invalid rules when building AST
libsepol/cil: Move check for the shadowing of macro parameters
libsepol/cil: Create function cil_add_decl_to_symtab() and refactor
libsepol/cil: Refactor helper function for cil_gen_node()
libsepol/cil: Allow permission expressions when using map classes
libsepol/cil: Exit with an error if declaration name is a reserved word
libsepol/cil: More strict verification of constraint leaf expressions
libsepol/cil: Set class field to NULL when resetting struct cil_classperms
libsepol/cil: cil_reset_classperms_set() should not reset classpermission
libsepol/cil: Destroy classperm list when resetting map perms
libsepol/cil: Destroy classperms list when resetting classpermission
libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
libsepol/cil: Check for duplicate blocks, optionals, and macros
libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression
libsepol: Enclose identifier lists in CIL constraint expressions
libsepol/cil: Allow lists in constraint expressions
libsepol: Enclose identifier lists in constraint expressions
libsepol: Write "NO_IDENTIFIER" for empty constraint expression
libsepol: make num_* unsigned int in module_to_cil
libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs
libsepol/cil: fix NULL pointer dereference in __cil_insert_name
libsepol/cil: replace printf with proper cil_tree_log
libsepol/cil: remove stray printf
libsepol/cil: make cil_post_fc_fill_data static
libsepol: Check kernel to CIL and Conf functions for supported versions
libsepol: Remove unnecessary copying of declarations from link.c
libsepol: Properly handle types associated to role attributes
libsepol: Expand role attributes in constraint expressions

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[re-apply now that buildbot phase1 has caught up]
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-31 13:01:24 +00:00
Daniel Golle
ae4069c577
Revert "libsepol: update to version 3.3"
This reverts commit de8a800ca9.
Host build uses host includes instead of staging/hostpkg.
This breaks the build in case of selinux host libs being older than
version 3.3. Revert for now until better fix is found.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-10-29 14:16:30 +01:00
Dominick Grift
c8d1f8fda7 libsemanage: update to version 3.3
Update VERSIONs to 3.3 for release.
Update VERSIONs to 3.3-rc3 for release.
Update VERSIONs to 3.3-rc2 for release.
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsemanage: Fix USE_AFTER_FREE (CWE-672) in semanage_direct_write_langext()
libsemanage: silence -Wextra-semi-stmt warning
libsemanage: fix use-after-free in parse_module_store()

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Dominick Grift
6925c7580d libselinux: update to version 3.3
Update VERSIONs to 3.3 for release.
libselinux: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
Update VERSIONs to 3.3-rc2 for release.
libselinux/utils: drop requirement to combine compiling and linking
Update VERSIONs and Python bindings version to 3.3-rc1 for release
Improve error message for label file validation
libselinux: replace strerror by %m
libselinux: silence -Wextra-semi-stmt warning
libselinux/utils/getseuser.c: fix build with gcc 4.8
selinux.8: document how mount flag nosuid affects SELinux
libselinux: fix typo
libselinux: improve getcon(3) man page
libselinux: selinux_status_open: return 1 in fallback mode
libselinux: do not use status page fallback mode internally
libselinux: make selinux_status_open(3) reentrant
libselinux: avc_destroy(3) closes status page
libselinux: label_file.c: fix indent
libselinux: regex: unify parameter names
libselinux: sidtab_sid_stats(): unify parameter name
libselinux: drop redundant casts to the same type
libselinux: label_db::db_init(): open file with CLOEXEC mode
libselinux: matchpathcon: free memory on realloc failure
libselinux: label_file::init(): do not pass NULL to strdup
libselinux: init_selinux_config(): free resources on error
libselinux: matchmediacon(): close file on error
libselinux: store_stem(): do not free possible non-heap object
libselinux: getdefaultcon: free memory on multiple same arguments
libselinux: setexecfilecon(): drop dead assignment
libselinux: label_media::init(): drop dead assignment
libselinux: label_x::init(): drop dead assignment
libselinux: context_new(): drop dead assignment
libselinux: exclude_non_seclabel_mounts(): drop unused variable
libselinux: getconlist: free memory on multiple level arguments
libselinux: selabel_get_digests_all_partial_matches: free memory after FTS_D block
libselinux: selinux_restorecon: mark local variable static
libselinux: avcstat: use standard length modifier for unsigned long long
libselinux: sefcontext_compile: mark local variable static
libselinux: Sha1Finalise(): do not discard const qualifier
libselinux: label_common(): do not discard const qualifier
libselinux: selinux_file_context_cmp(): do not discard const qualifier
libselinux: sidtab_hash(): do not discard const qualifier
libselinux: silence -Wstringop-overflow warning from gcc 10.3.1
libselinux: selinux_check_passwd_access_internal(): respect deny_unknown
libselinux: do not duplicate make target when going into subdirectory

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Dominick Grift
de8a800ca9 libsepol: update to version 3.3
Update VERSIONs to 3.3 for release.
libsepol/cil: Fix potential undefined shifts
libsepol: Fix potential undefined shifts
Update VERSIONs to 3.3-rc3 for release.
libsepol/cil: Do not skip macros when resolving until later passes
libsepol/cil: Limit the amount of reporting for bounds failures
libsepol/cil: silence clang void-pointer-to-enum-cast warning
libsepol: resolve GCC warning about null-dereference
libsepol: use correct cast
libsepol: ebitmap: mark nodes of const ebitmaps const
Update VERSIONs to 3.3-rc2 for release.
libsepol/cil: Handle operations in a class mapping when verifying
libsepol/cil: Do not use original type and typeattribute datums
libsepol: free memory after policy validation
libsepol: avoid implicit conversions
libsepol: fix typo
libsepol/cil: Free duplicate datums in original calling function
libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772)
Update VERSIONs and Python bindings version to 3.3-rc1 for release
libsepol/cil: Limit the number of active line marks
libsepol/cil: Add function to get number of items in a stack
libsepol: Fix detected RESOURCE_LEAKs
libsepol/cil: Fix syntax checking in __cil_verify_syntax()
libsepol/cil: Use size_t for len in __cil_verify_syntax()
libsepol/cil: Remove redundant syntax checking
libsepol/cil: Improve in-statement to allow use after inheritance
libsepol/cil: Simplify cil_tree_children_destroy()
libsepol/cil: Refactor the function __cil_build_ast_node_helper()
libsepol/cil: Don't destroy optionals whose parent will be destroyed
libsepol/cil: Properly check for parameter when inserting name
libsepol/cil: Reset expandtypeattribute rules when resetting AST
libsepol/cil: Properly check parse tree when printing error messages
libsepol/cil: Allow some duplicate macro and block declarations
libsepol/cil: When writing AST use line marks for src_info nodes
libsepol/cil: Report correct high-level language line numbers
libsepol/cil: Add line mark kind and line number to src info
libsepol/cil: Create common string-to-unsigned-integer functions
libsepol/cil: Push line mark state first when processing a line mark
libsepol/cil: Check for valid line mark type immediately
libsepol/cil: Check the token type after getting the next token
libsepol/cil: Check syntax of src_info statement
libsepol/cil: move the fuzz target and build script to the selinux repository
libsepol: replace strerror by %m
libsepol/cil: remove obsolete comment
libsepol/cil: do not allow \0 in quoted strings
libsepol/cil: Fix handling category sets in an expression
libsepol: assure string NUL-termination of ibdev_name
libsepol: avoid implicit conversions
libsepol: ignore UBSAN false-positives
libsepol: avoid unsigned integer overflow
libsepol/cil: Improve checking for bad inheritance patterns
libsepol: silence -Wextra-semi-stmt warning
libsepol/cil: do not override previous results of __cil_verify_classperms
libsepol/cil: Provide option to allow qualified names in declarations
libsepol/cil: make array cil_sym_sizes const
libsepol/cil: Only reset AST if optional has a declaration
libsepol/cil: Add function to determine if a subtree has a declaration
libsepol/cil: Improve degenerate inheritance check
libsepol/cil: Reduce the initial symtab sizes for blocks
libsepol/cil: Check for empty list when marking neverallow attributes
libsepol/cil: Fix syntax checking of defaultrange rule
libsepol/cil: Properly check for loops in sets
libsepol/cil: Allow duplicate optional blocks in most cases
libsepol: declare read-only arrays const
libsepol: declare file local variable static
libsepol: drop unnecessary casts
libsepol: drop repeated semicolons
libsepol/cil: avoid using maybe uninitialized variables
libsepol/cil: drop unnecessary casts
libsepol/cil: drop dead store
libsepol/cil: drop extra semicolon
libsepol/cil: silence cast warning
libsepol: remove dead stores
libsepol: do not allocate memory of size 0
libsepol: mark read-only parameters of type_set_ interfaces const
libsepol: mark read-only parameters of ebitmap interfaces const
libsepol: remove dead stores
libsepol/cil: follow declaration-after-statement
libsepol: follow declaration-after-statement
libsepol: avoid unsigned integer overflow
libsepol: remove unused functions
libsepol: resolve missing prototypes
libsepol: fix typos
libsepol: Quote paths when generating policy.conf from binary policy
libsepol/cil: Account for anonymous category sets in an expression
libsepol/cil: Fix anonymous IP address call arguments
libsepol: quote paths in CIL conversion
libsepol/cil: Resolve anonymous levels only once
libsepol/cil: Pointers to datums should be set to NULL when resetting
libsepol/cil: Resolve anonymous class permission sets only once
libsepol/cil: Limit the number of open parenthesis allowed
libsepol/cil: Destroy the permission nodes when exiting with an error
libsepol/cil: Handle disabled optional blocks in earlier passes
libsepol/cil: Do not resolve arguments to declarations in the call
libsepo/cil: Refactor macro call resolution
libsepol/cil: Do not add NULL node when inserting key into symtab
libsepol/cil: Make name resolution in macros work as documented
libsepol/cil: Fix name resolution involving inherited blocks
libsepol/cil: Check for self-referential loops in sets
libsepol/cil: Return an error if a call argument fails to resolve
libsepol/cil: Check datum in ordered list for expected flavor
libsepol/cil: Detect degenerate inheritance and exit with an error
libsepol/cil: Fix instances where an error returns SEPOL_OK
libsepol/cil: Properly reset an anonymous classperm set
libsepol: use checked arithmetic builtin to perform safe addition
libsepol/cil: Add functions to make use of cil_write_ast()
libsepol/cil: Create functions to write the CIL AST
libsepol/cil: Use CIL_ERR for error messages in cil_compile()
libsepol/cil: Make invalid statement error messages consistent
libsepol/cil: Do not allow tunable declarations in in-statements
libsepol/cil: Sync checks for invalid rules in macros
libsepol/cil: Check for statements not allowed in optional blocks
libsepol/cil: Sync checks for invalid rules in booleanifs
libsepol/cil: Reorder checks for invalid rules when resolving AST
libsepol/cil: Use AST to track blocks and optionals when resolving
libsepol/cil: Create new first child helper function for building AST
libsepol/cil: Cleanup build AST helper functions
libsepol/cil: Reorder checks for invalid rules when building AST
libsepol/cil: Move check for the shadowing of macro parameters
libsepol/cil: Create function cil_add_decl_to_symtab() and refactor
libsepol/cil: Refactor helper function for cil_gen_node()
libsepol/cil: Allow permission expressions when using map classes
libsepol/cil: Exit with an error if declaration name is a reserved word
libsepol/cil: More strict verification of constraint leaf expressions
libsepol/cil: Set class field to NULL when resetting struct cil_classperms
libsepol/cil: cil_reset_classperms_set() should not reset classpermission
libsepol/cil: Destroy classperm list when resetting map perms
libsepol/cil: Destroy classperms list when resetting classpermission
libsepol/cil: Fix out-of-bound read of file context pattern ending with "\"
libsepol/cil: Check for duplicate blocks, optionals, and macros
libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression
libsepol: Enclose identifier lists in CIL constraint expressions
libsepol/cil: Allow lists in constraint expressions
libsepol: Enclose identifier lists in constraint expressions
libsepol: Write "NO_IDENTIFIER" for empty constraint expression
libsepol: make num_* unsigned int in module_to_cil
libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs
libsepol/cil: fix NULL pointer dereference in __cil_insert_name
libsepol/cil: replace printf with proper cil_tree_log
libsepol/cil: remove stray printf
libsepol/cil: make cil_post_fc_fill_data static
libsepol: Check kernel to CIL and Conf functions for supported versions
libsepol: Remove unnecessary copying of declarations from link.c
libsepol: Properly handle types associated to role attributes
libsepol: Expand role attributes in constraint expressions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-10-28 22:15:02 +01:00
Stan Grishin
05a7af9ca0 wolfssl: enable ECC Curve 25519 by default
* fixes https://github.com/openwrt/packages/issues/16652
 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898

Signed-off-by: Stan Grishin <stangri@melmac.net>
2021-10-24 18:46:24 +02:00
Rosen Penev
6b2ed6101e uclibc++: remove
No package here depends on it. Furthermore, uClibc++ is a fairly buggy
C++ library and seems to be relatively inactive upstream.

It also lacks proper support for modern C++11 features.

The main benefit of it is size: 66.6 KB	vs 287.3 KB on mips24kc. Static
linking and LTO can help bring the size down of packages that need it.

Added warning message to uclibc++.mk

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-10-24 18:20:50 +02:00
Ivan Pavlov
be3e260f92 wolfssl: fix compile when enable-devcrypto is set
fixing linking error when --enable-devcrypto=yes
fixes: 7d92bb0509 wolfssl: update to 4.8.1-stable

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-10-21 00:17:36 +02:00
Jitao Lu
917126ff4c ncurses: add tmux terminfo
They're preferred terminal descriptions for tmux, with additional support to
some special characters and italic fonts. More info can be found at:
https://github.com/tmux/tmux/wiki/FAQ

Fixes: FS#3404

Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
2021-10-19 08:11:38 -10:00
Andre Heider
7cb5af30f4 wolfssl: remove --enable-sha512 configure switch
It's the default anyway and this just looks confusing, as if it wasn't.

Switch to AUTORELEASE while at it.

The binary size is unchanged.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-17 16:30:12 +02:00
Andre Heider
c76300707e wolfssl: always build with --enable-reproducible-build
This gates out anything that might introduce semantically frivolous jitter,
maximizing chance of identical object files.

The binary size shrinks by 8kb:
1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

Signed-off-by: Andre Heider <a.heider@gmail.com>
2021-10-17 16:29:00 +02:00
Andre Heider
28d8e6a871 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
"Alternate certification chains, as oppossed to requiring full chain
validataion. Certificate validation behavior is relaxed, similar to
openssl and browsers. Only the peer certificate must validate to a trusted
certificate. Without this, all certificates sent by a peer must be
used in the trust chain or the connection will be rejected."

This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
Encrypt certificate which are cross-signed by the now expired
DST Root CA X3, see [0].

This is the recommended solution from upstream [1].

The binary size increases by ~12.3kb:
1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f

[0] https://github.com/openwrt/packages/issues/16674
[1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793

Signed-off-by: Andre Heider <a.heider@gmail.com>
[bump PKG_RELEASE]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-10-17 16:25:10 +02:00
Ivan Pavlov
7d92bb0509 wolfssl: update to 4.8.1-stable
Changes from 4.7.0:
  Fix one high (OCSP verification issue) and two low vulnerabilities
  Improve compatibility layer
  Other improvements and fixes

For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-09-13 18:36:15 +02:00
Rosen Penev
a235b41792 libjson-c: remove old math patch
Remove old math patch meant for old GCC versions. It's not needed
for GCC and causes issues with clang.

Add CMake patch to identify clang properly and apply the proper
flags. Fixes the following warnings/errors:

json_pointer.c:230:7: warning: implicit declaration of function
'vasprintf' is invalid in C99 [-Wimplicit-function-declaration]
        rc = vasprintf(&path_copy, path_fmt, args);
             ^
json_pointer.c:317:7: warning: implicit declaration of function
'vasprintf' is invalid in C99 [-Wimplicit-function-declaration]
        rc = vasprintf(&path_copy, path_fmt, args);
             ^
/usr/include/bits/mathcalls.h:177:23: error: cannot redeclare builtin
function '__builtin_isinf'
__MATHDECL_ALIAS (int,isinf,, (_Mdouble_ __value), isinf)
                      ^
/usr/include/bits/mathcalls.h:177:23: note: '__builtin_isinf' is a
builtin with type 'int ()'
/usr/include/bits/mathcalls.h:213:23: error: cannot redeclare builtin
function '__builtin_isnan'
__MATHDECL_ALIAS (int,isnan,, (_Mdouble_ __value), isnan)

The clang patch is an upstream backport.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-30 19:16:49 -10:00
Eneas U de Queiroz
7119fd32d3 openssl: bump to 1.1.1l
This version fixes two vulnerabilities:
  - SM2 Decryption Buffer Overflow (CVE-2021-3711)
    Severity: High

  - Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
    Severity: Medium

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-08-26 21:37:20 +02:00
Felix Fietkau
ca77ffcef2 libubox: update to the latest version
d716ac4bc423 list.h: add a few missing iterator macros

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-24 17:35:45 +02:00
Stijn Tintel
718a4f4780 wolfssl: fix build with GCC 10 on 32 x86 targets
Backport upstream patch to fix build with GCC 10 on 32 x86 targets.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-08-20 23:45:20 +03:00
Rosen Penev
9982a51ed3 pcre: update to 8.45
Switch to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
381f0e3e8d nettle: update to 3.7.3
Switch to AUTORELEASE to avoid manual increments.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
fcfd741eb8 mbedtls: update to 2.16.11
Switched to AUTORELEASE to avoid manual increments.

Release notes:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
065d4300c0 libpcap: update to 1.10.1
Switch to AUTORELEASE to avoid manual increments.

Refreshed patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
7aff590ace libnftnl: update to 1.2.0
Switch to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
094fb3f6f9 libcap: update to 2.51
Switched to AUTORELEASE to avoid manual increments.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
1795bd2f1b elfutils: update to 0.182
Add --disable-libdebuginfod with remove libcurl dependency.

Remove totally unused host elfutils.

Refreshed and rebased patches.

Also happens to fix compilation with GCC11.

Newer versions of elfutils seem to have some kind of dependency on
obstack.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Rosen Penev
30fb675847 gettext-full: disable parallel compilation
Fails fairly reliably with make -j 12 on a Ryzen 3600.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-08-08 19:50:46 +02:00
Stephan Schmidtmer
891c8676a1 libpcap: add rpcapd as package
This enables building of rpcapd and adds it as a package.

It is a daemon that allows remote packet capturing from another machine.
E.g. Wireshark can talk to it using the Remote Capture Protocol (RPCAP).
https://www.tcpdump.org/manpages/rpcapd.8.html

Compile and run tested: OpenWrt SNAPSHOT r17190-2801fe6132 on x86/64

Signed-off-by: Stephan Schmidtmer <hurz@gmx.org>
2021-08-08 19:50:46 +02:00
Rui Salvaterra
2434a57dd7 elfutils: fix building with GCC 11
Add a patch to fix building with GCC 11, which triggers new warnings by
enabling -Warray-parameter by default.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-07-25 13:52:38 +02:00
Petr Štetiar
8307da3dbd treewide: unmark selected packages nonshared
This partially reverts changes done in commit 72cc44958e ("treewide:
mark selected packages nonshared") as it removes the nonshared flag, but
keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared
flag was incorrect.

Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared
packages as this fix attempt didn't worked out. Currently the
imagebuilder is broken again:

 openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl
 ...
 Collected errors:
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status
  * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured
  * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo
  * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured
  * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl:
  * 	libiwinfo20210430
  * opkg_install_cmd: Cannot install package luci-ssl-openssl.

Everything because iwinfo's ABI was changed two times since rc3 release:

 +IWINFO_ABI_VERSION:=20210430
 +IWINFO_ABI_VERSION:=20210420

Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but
luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by
phase2 builders:

 d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease
 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis

So now luci-mod-status depends on libiwinfo20210430 but only
libiwinfo20210106 can be downloaded. This is first part of the fix, in
the upcoming commit Jo is going to remove nonshared flag from iwinfo
package as well.

References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html
References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html
Acked-by: Jo-Philipp Wich <jo@mein.io>
Reported-by: Nick Hainke <vincent@systemli.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-02 18:12:15 +02:00
Karel Kočí
219e17a350 ustream-ssl: variants conflict with each other
This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2021-06-21 18:48:03 -10:00
Rosen Penev
3dabb62581 treewide: remove PKG_INSTALL from CMake packages
It's already default with cmake.mk

Found with:

git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 ins cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Rosen Penev
2e745e9be6 treewide: remove BUILD_PARALLEL from CMake packages
It's already default. The only exception is mt76 which has Ninja
disabled.

Found with:

git grep BUILD_PARALLEL | cut -d ':' -f 1 | sort -u > par
git grep cmake.mk | cut -d ':' -f 1 > cmake
comm -1 -2 par cmake

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-19 20:44:59 -10:00
Hannu Nyman
72cc44958e treewide: mark selected packages nonshared
Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.

Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.

After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2021-06-13 23:58:15 +02:00
Rosen Penev
09de28090c package: fix cmake packages build with ninja
+= is needed for CMAKE_OPTIONS.

mt76 needs Ninja disabled as the kernel stuff uses normal make.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-06-12 10:46:39 +02:00
Ivan Pavlov
b1baa01f14 wolfssl: add support for OpenVPN
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4, so we can use wolfSSL
directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN
in systems based on wolfSSL library
Compiled && tested on ramips/mt7620, ramips/mt7621

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2021-05-23 15:11:38 +02:00
David Bauer
ef9b103107 wolfssl: always export wc_ecc_set_rng
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.

wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.

Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-21 15:43:57 +02:00
Felix Fietkau
04d21604fd libubox: update to the latest version
870acee325fe tests: cram: test_base64: fix failing tests
4d8995e91d56 tests: cram: test_base64: really fix failing tests
551d75b5662c libubox: tests: add more blobmsg/json test cases
a0dbcf8b8f96 tests: add blob-buffer overflow test
b36a3a90098d blob: fix exceeding maximum buffer length
b8abed749423 utils.h: add fallthrough macro
b14c4688612c json_script: fix unannotated fall-through warning

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-18 12:52:52 +02:00
Baptiste Jonglez
1ec6fc4dcb uclient: update to Git version 2021-05-14
6a6011d uclient-http: set eof mark when content-length is 0
19571e4 tests: fix help usage test for uclient built with sanitizer
c5fc04b tests: fix help usage test

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2021-05-14 23:40:42 +02:00
Leonardo Mörlein
b993b68b6c build: introduce $(MKHASH)
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if

    make TOPDIR="$(pwd)" -C "$pkgdir" compile

was called manually. In most of the cases, I just saw warnings like this:

    make: Entering directory '/home/.../package/gluon-status-page'
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    bash: line 1: mkhash: command not found
    [...]

While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.

After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.

Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
2021-05-13 15:13:15 +02:00
Rosen Penev
0ec8c793f5 libsemanage: fix pkgconfig paths
The pkgconfig file currently points to host paths.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-04-15 11:54:14 +01:00
Stijn Tintel
0f7f4de6ba libcap: bump to 2.48
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:45 +03:00
Stijn Tintel
dd91ba0d62 libcap: drop invalid copyright header
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:40 +03:00
Stijn Tintel
427acb71fc libcap: import from packages feed
Having libcap in OpenWrt base allows us to enable libcap support in
other packages in base.

In lldpd, this would allow the monitor process to drop its privileges
instead of running as root, improving security. It will also allow us to
drop our patch to disable libcap.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-05 18:20:29 +03:00
Hauke Mehrtens
1371910b76 uclient: update to Git version 2021-04-03
83efca2 tests: fix possibly longer start of HTTP server
64e00d6 uclient-fetch: document missing options

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-04-03 19:06:09 +02:00
Paul Spooren
6a6b5a677e ncurses: add screen-256color terminfo
The terminfo is required by the popular terminal multiplexer screen and
tmux, offer it by default as the size impact is minimal with 885 Bytes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-03-29 13:47:55 -10:00
Paul Spooren
75ea474b90 ncurses: split long line of supported terminfo
The terminfo files were all in one row which is terrible to read.
Split them over multiple lines to improve readability.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2021-03-29 13:47:19 -10:00
Eneas U de Queiroz
0bd0de7d43 openssl: bump to 1.1.1k
This version fixes 2 security vulnerabilities, among other changes:

 - CVE-2021-3450: problem with verifying a certificate chain when using
   the X509_V_FLAG_X509_STRICT flag.

 - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
   crafted renegotiation ClientHello message from a client.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-03-26 19:57:20 +01:00
Kevin Darbyshire-Bryant
bbb9c1c2be Revert "openssl: refresh patches"
This reverts commit e27ef2da0d.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-03-26 09:12:12 +00:00
Kevin Darbyshire-Bryant
e27ef2da0d openssl: refresh patches
Tidy up some patch fuzz.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-03-26 09:03:32 +00:00
Tony Ambardar
9390e20dba elfutils: enable building with MIPS16
Building with MIPS16 was disabled in 2013 due to an issue with GCC TLS:
https://dev.archive.openwrt.org/ticket/13572. But after the problematic
GCC version was retired, this change wasn't revisited.

Re-enable MIPS16 builds to reduce average elfutils library sizes ~10%.
This was compile-tested on malta/mips32be and malta/mips32le, and linked
with iproute2 for run-testing. Package sizes follow:

Library  MIPS16:=0  MIPS16:=1
-------  ---------  ---------
libelf1    43217      37492
libasm1    12481      11658
libdw1    229723     205793

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-03-25 22:48:10 -10:00
Philip Prindeville
7fae64cc06 libnfnetlink: quote $(FPIC) on command line
When $(FPIC) gets expanded on the command line (for instance
when setting environment variables for libtool, configure, or
make) we can't count on it not needing quoting (i.e. it could
contain multiple flags separated with spaces).

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2021-03-19 13:37:51 -10:00
Magnus Kroken
dbde2bcf60 mbedtls: update to 2.16.10
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code

Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2021-03-16 21:17:02 +01:00
Rosen Penev
6cd13be014 gettext-full: disable nameless locale define
It seems some packages like transmission and json-glib fail with it
enabled.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-14 19:25:32 -10:00
Tony Ambardar
29e2be69c4 elfutils: remove host build from target package
Commit f4da28c301 ("elfutils: Add host build") supplied a libelf host
library to fix a glib2 host build error, but this need was later removed
by b6212c8769 ("glib2: don't use libelf during host build").

More importantly, there are already two sources for libelf host libraries:
OpenWRT build prerequisites [1] and tools/libelf. A third is not needed.

Ref [1]: https://openwrt.org/docs/guide-developer/build-system/install-buildsystem#prerequisites

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2021-03-13 21:33:22 +00:00
Dominick Grift
4670492ad7 libsemanage: update to version 3.2
c35919a7 libsemanage: sync filesystem with sandbox
5b05e829 Revert "libsemanage/genhomedircon: check usepasswd"
edae9275 libsemanage: Free contents of modkey in semanage_direct_remove
ce46daab libsemanage/genhomedircon: check usepasswd
6ebb35d2 libsemanage: Bump libsemanage.so version
c08b73d7 libsemanage: Drop deprecated functions
b46406de libsemanage: Remove legacy and duplicate symbols

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Dominick Grift
b1fc2b5b0b libselinux: update to version 3.2
142826a3 libselinux: fix segfault in add_xattr_entry()
398d2cee libselinux: rename gettid() to something which never conflicts with the libc
8f0f0a28 selinux(8,5): Describe fcontext regular expressions
9cc6b5cf libselinux/getconlist: report failures
156dd0de libselinux: update getseuser
e2dca5df libselinux: accept const fromcon in get_context API
da4829d0 libselinux: Always close status page fd
45b15c22 selinux(8): explain that runtime disable is deprecated
3c16aaef selinux(8): mark up SELINUX values
c2a58cc5 libselinux: LABEL_BACKEND_ANDROID add option to enable
db0f2f38 libselinux: Add build option to disable X11 backend
4a142ac4 libsepol: Bump libsepol.so version
d23342a9 libselinux: convert matchpathcon to selabel_lookup()
7ef5b185 libselinux: Change userspace AVC setenforce and policy load messages to audit format.
f5d644c7 libselinux: Add additional log callback details in man page for auditing.
075f9cfe libselinux: Fix selabel_lookup() for the root dir.
a4149e0e libselinux: Add new log callback levels for enforcing and policy load notices.
a63f93d8 libselinux: initialize last_policyload in selinux_status_open()
ef902db9 libselinux: safely access shared memory in selinux_status_updated()
9e4480b9 libselinux: Remove trailing slash on selabel_file lookups.
21fb5f20 libselinux: use full argument specifiers for security_check_context in man page
e7abd802 libselinux: fix build order
05bdc031 libselinux: use kernel status page by default

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Dominick Grift
2a1bdde0d0 libsepol: update to version 3.2
a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails
6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr
b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf
0861c659 libsepol: Validate policydb values when reading binary policy
8f5409cf libsepol: Create function ebitmap_highest_set_bit()
0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete
32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast
4662bdc1 libsepol/cil: be more robust when encountering <src_info>
6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument
0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks
1b36ace2 libsepol: include header files in source files when matching declarations
1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check
72a88d75 libsepol: remove unused files
eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit
1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block
b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep
f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values()
5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums
34bd9a9d libsepol: destroy filename_trans list properly
bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer
b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails
228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit
a25d9104 libsepol/cil: constify some strings
e2d01842 libsepol/cil: propagate failure of cil_fill_list()
6c8fca10 libsepol/cil: do not add a stack variable to a list
38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias
3c357285 libsepol/cil: remove useless print statement
90809674 libsepol/cil: always destroy the lexer state
d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible
2aac859a libsepol/cil: Use the macro NODE() whenever possible
d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases()
9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve
e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node()
ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_*
89dab467 libsepol: free memory when realloc() fails
2d353bd5 libsepol/cil: Give error for more than one true or false block
4a142ac4 libsepol: Bump libsepol.so version
506c7b95 libsepol: Drop deprecated functions
ae58e84b libsepol: Get rid of the old and duplicated symbols
c97d63c6 libsepol: silence potential NULL pointer dereference warning
64387cb3 libsepol: drop confusing BUG_ON macro
521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1
a152653b libsepol/cil: Fix neverallow checking involving classmaps
734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy
685f577a libsepol/cil: Validate constraint expressions before adding to binary policy
8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS
42ae834a libsepol,checkpolicy: optimize storage of filename transitions

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
2021-03-08 21:27:35 +00:00
Daniel Golle
c82cc4407a
libubox: update to git HEAD
2e52c7e libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-02 19:16:04 +00:00
Donald Hoskins
ea6d4bdde2 libunwind: Add MIPS64 dep check
libunwind dependency check does not allow for MIPS64 arch.  Add MIPS64 awareness.

libunwind seems to support MIPS64 without issues, it was limited by the dep arch
check in the Makefile.

Used to compile Suricata6/Rust locally without issue.

Signed-off-by: Donald Hoskins <grommish@gmail.com>
2021-03-01 00:34:23 +01:00
Rosen Penev
b77f21c98a libpcap: update to 1.10.0
Simplify cmake option handling by putting everything in blocks.

Add openssl patch as there's no easy way to disable.

Rebase the skip manpages patch.

Remove the monitor mode patch as it no longer applies.

Remove flex patch as normal Makefile is no longer used.

Remove USB path patch. While it is deprecated, the codepath is never
taken. /sys/bus/usb/devices is checked before hand. If it exists, the
function does stuff and returns. Additionally, this path is used
elsewhere in the code.

Refresh other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-03-01 00:34:23 +01:00
Adrian Schmutzler
221eefaf6b zlib: properly split patches
This package had two patches (with two headers etc.) in one file,
which would have quilt merging them during a refresh.

Separate these patches into two files, as the original intent seems
to be having them separate.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-24 14:08:29 +01:00
Rosen Penev
fb83efb626 pcre: disable C++ bindings
Nothing uses them. Allows to simplify the Makefile.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-24 00:30:40 +01:00
Eneas U de Queiroz
12a80e44b9 openssl: always build with GOST engine support
The packages feed has a proposed package for a GOST engine, which needs
support from the main openssl library.  It is a default option in
OpenSSL.  All that needs to be done here is to not disable it.

Package increases by a net 1-byte, so it is not really really worth
keeping this optional.

This commit also includes a commented-out example engine configuration
in openssl.cnf, as it is done for other available engines.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Eneas U de Queiroz
d1dfb577f1 wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been
applied here.  There are a couple of low severity security bug fixes as
well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-23 21:10:56 +01:00
Georgi Valkov
4b37e3bc2b libusb: Fix parsing of descriptors for multi-configuration devices
Prerequisite patch:
Correct a typo in the Changelog and clean up a stray file

Fix changes in libusb which introduced a regression:
Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device
initialization") introduced a regression for devices with multiple
configurations. The logic that verifies the reported length of the
configuration descriptors failed to count the length of the
configuration descriptor itself and would truncate the actual length by
9 bytes, leading to a parsing error for subsequent descriptors.

Signed-off-by: Georgi Valkov <gvalkov@abv.bg>
2021-02-21 10:12:10 -10:00
Christian Lamparter
09e66112f1 wolfssl: fix Ed25519 typo in config prompt
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-02-20 11:11:13 +01:00
David Bauer
10e84bde36 openssl: update package sources
OpenSSL downloads itself are distributed using Akamai CDN, so use these
sources as the highest priority.

Remove a stale mirror which seems to be offline for a longer time
already.

Add fallbacks to the old release path also for the mirrors.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-20 01:26:40 +01:00
Eneas U de Queiroz
482c9ff289 openssl: bump to 1.1.1j
This fixes 4 security vulnerabilities/bugs:

- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
  SSLv2, but the affected functions still exist. Considered just a bug.

- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
  EVP_DecryptUpdate may overflow the output length argument in some
  cases where the input length is close to the maximum permissable
  length for an integer on the platform. In such cases the return value
  from the function call will be 1 (indicating success), but the output
  length value will be negative.

- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
  create a unique hash value based on the issuer and serial number data
  contained within an X509 certificate. However it was failing to
  correctly handle any errors that may occur while parsing the issuer
  field (which might occur if the issuer field is maliciously
  constructed). This may subsequently result in a NULL pointer deref and
  a crash leading to a potential denial of service attack.

- Fixed SRP_Calc_client_key so that it runs in constant time. This could
  be exploited in a side channel attack to recover the password.

The 3 CVEs above are currently awaiting analysis.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2021-02-17 09:24:47 +01:00
Rosen Penev
b59905f045 gettext-full: update to 0.21
Add m4 patch to avoid conflict with tools/autoconf-archive.

Add build parallel as it seems to work now.

Remove a bunch of uClibc-ng hacks as it is not in the tree anymore.

Format security patch was fixed upstream.

Refreshed other patches.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2021-02-16 19:27:55 -10:00
Felix Fietkau
d02088762a build: reorder more BuildPackages lines to deal with ABI_VERSION
After the ABI version rework, packages need to be declared in the order of
their dependencies, so that dependent packages will use the right ABI version

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-16 11:29:38 +01:00
Felix Fietkau
26a899e3e8 wolfssl: use libtool patch for PKG_ABI_VERSION
Makes it unnecessary to patch .so files after build

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
0a497c4640 libubox: use build system variable to specify ABI version
This removes the need to patch it afterwards

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 18:47:19 +01:00
Felix Fietkau
f378d81da6 wolfssl: use dynamic ABI_VERSION depending on the configuration and package version
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-02-15 07:40:47 +01:00