Commit Graph

975 Commits

Author SHA1 Message Date
Eneas U de Queiroz
c47eff0df3 libs/toolchain: remove eglibc remnant file
This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-15 19:29:07 +02:00
Konstantin Demin
ce8027ed29 libnftnl: bump to version 1.1.3
bump ABI version accordingly (thanks to Jo-Philipp Wich).

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-07-07 13:02:06 +02:00
Eneas U de Queiroz
ff69364ad8 wolfssl: update to 4.0.0-stable
Removed options that can't be turned off because we're building with
--enable-stunnel, some of which affect hostapd's Config.in.
Adjusted the title of OCSP option, as OCSP itself can't be turned off,
only the stapling part is selectable.
Mark options turned on when wpad support is selected.
Add building options for TLS 1.0, and TLS 1.3.
Add hardware crypto support, which due to a bug, only works when CCM
support is turned off.
Reorganized option conditionals in Makefile.
Add Eneas U de Queiroz as maintainer.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-07 13:02:05 +02:00
Eneas U de Queiroz
2792daab5a wolfssl: update to 3.15.7, fix Makefile
This includes a fix for a medium-level potential cache attack with a
variant of Bleichenbacher’s attack.  Patches were refreshed.
Increased FP_MAX_BITS to allow 4096-bit RSA keys.
Fixed poly1305 build option, and some Makefile updates.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-07-07 13:02:05 +02:00
Eneas U de Queiroz
82a8ddd603 ustream-ssl: update to 2019-06-24
This adds chacha20-poly1305 support to the mbedtls variant.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-06-24 22:01:17 +02:00
Josef Schlehofer
a2f54f6d5d mbedtls: Update to version 2.16.2
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
2019-06-24 20:22:23 +02:00
Eneas U de Queiroz
ee1a783314 nghttp2: deduplicate files in staging_dir
'38b22b1e: deduplicate files in libnghttp2' missed duplicates in
staging_dir by Build/InstallDev.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-06-22 10:23:56 +02:00
Deng Qingfang
080ba31eec
libjson-c: update to 0.13.1
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-06-19 22:44:28 +02:00
Hans Dedecker
865e25e049 nghttp2: bump to 1.39.1
7ffc239b Bump up version number to 1.39.1
bc886a0e Fix FPE with default backend
a3a14a9c Fix log-level is not set with cmd-line or configuration file
acfb3607 Update manual pages
bdfd14c2 Bump up version number to 1.39.0, LT revision to 31:4:17
cddc09fe Update AUTHORS
3c3b6ae8 Add missing colon
2f83aa9e Fix multi-line text travis issue
fc591d0c Run nghttpx integration test with cmake build
9a17c3ef travis: use multi-line text
b7220f07 cmake: Remove SPDY related files
a1556fd1 Merge pull request #1356 from nghttp2/fix-log-level-on-reload
77f1c872 nghttpx: Fix unchanged log level on configuration reload
49ce44e1 Merge pull request #1352 from nghttp2/travis-osx
f54b3ffc Fix libxml2 CFLAGS output
b0f5e5cc Implement daemon() using fork() for OSX
8d6ecd66 Enable osx build on travis
f82fb521 Update doc
2e1975dd clang-format-8
97ce392b Merge pull request #1347 from nghttp2/nghttpx-ignore-cl-te-on-upgrade
afefbda5 Ignore content-length in 200 response to CONNECT request
4fca2502 nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT
6975c336 Update llhttp to 1.1.3
0288093c Fix llhttp_get_error_pos usage
a3a03481 Merge pull request #1340 from nghttp2/nghttpx-llhttp
c64d2573 Replace http-parser with llhttp
f028cc43 clang-format
302e3746 Merge pull request #1337 from nghttp2/upgrade-mruby
3cdbc5f5 Merge pull request #1335 from adamgolebiowski/boost-1.70
a6925186 Fix mruby build error
45d63d20 Upgrade mruby to 2.0.1
cbba1ebf asio: support boost-1.70
e86d1378 Bump up version number to 1.39.0-DEV
4a9d2005 Update manual pages

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-06-16 21:34:56 +02:00
Hauke Mehrtens
fc454ca153 libubox: update to latest git HEAD
9dd2dcf libubox: add format string checking to ulog()
ecf5617 ustream: Add format string checks to ustream_(v)printf()

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-06-16 16:40:08 +02:00
Konstantin Demin
38b22b1e70 nghttp2: deduplicate files in libnghttp2
libnghttp2 accidentally ships library twice:

$ tar -Oxzf libnghttp2-14_1.38.0-1_mips_24kc.ipk ./data.tar.gz | tar -tzvf -
drwxr-xr-x root/root         0 2019-06-07 23:14 ./
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/lib/
-rw-r--r-- root/root    144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14
-rw-r--r-- root/root    144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14.17.3

after fix, there's library and symlink (as designed):

$ tar -Oxzf libnghttp2-14_1.38.0-2_mips_24kc.ipk ./data.tar.gz | tar -tzvf -
drwxr-xr-x root/root         0 2019-06-07 23:14 ./
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/
drwxr-xr-x root/root         0 2019-06-07 23:14 ./usr/lib/
lrwxrwxrwx root/root         0 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14 -> libnghttp2.so.14.17.3
-rw-r--r-- root/root    144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14.17.3

Binary package size reduced accordingly: 134621 -> 66593.

Compile/run-tested: ar71xx/generic.

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2019-06-12 23:00:58 +02:00
Yousong Zhou
ef7aa03bdb libunwind: bump to version 1.3.1
Libunwind provides a sigreturn stub for x86 in version 1.2 [1].  However
the arch still depends on setcontext() which is unavailable in musl-libc
and which is supposed to be "deprecated everywhere" [2]

 [1] x86 sigreturn unimplemented for some libcs,
     https://github.com/libunwind/libunwind/issues/13
 [2] setcontext deprecated on x86,
     https://github.com/libunwind/libunwind/issues/69

Refs: https://github.com/openwrt/packages/issues/8548#issuecomment-497791552
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-06-05 01:13:07 +00:00
Eneas U de Queiroz
f22ef1f1de openssl: update to version 1.1.1c
Highlights of this version:
 - Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
 - Fix OPENSSL_config bug (patch removed)
 - Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
 - Enable SHA3 pre-hashing for ECDSA and DSA

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
2019-05-31 11:21:22 +02:00
Yousong Zhou
cf463159df uclient: bump to version 2019-05-30
This version bump contains the following commit to fix FS#2222

	3b3e368 uclient-http: set data_eof when content-length is 0

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-05-30 12:13:31 +00:00
Yousong Zhou
1e5f4dcd66 libunwind: requires glibc if arch in powerpc
libunwind for powerpc depends on getcontext() from libc which musl-libc
does not provide because this API and its friends are supposed to be
"obsolescent" [1,2]

 [1] Subject: Re: setcontext/getcontext/makecontext missing?
     https://www.openwall.com/lists/musl/2016/02/04/5
 [2] http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html

Refs: https://github.com/openwrt/packages/issues/8548#issuecomment-497200058
Reported-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-05-30 10:30:45 +00:00
Rosen Penev
395bef4bba libbsd: Fix compilation under ARC
The 8 year old file does not have any ARC definitions.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
[updated content of the patch with version sent to upstream]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-05-17 21:41:43 +02:00
Jeffery To
782eda9750 zlib: Use relative paths in pkg-config metadata file
The buildroot pkg-config (in staging_dir/host/bin) overrides the prefix
and exec_prefix variables in *.pc files, to supply the correct
(buildroot) paths for callers. If other variables are not defined
relative to prefix and exec_prefix, then the returned values will be
incorrect.

The default zlib.pc file generated by cmake contains absolute paths.
This patches the file to use relative paths (relative to ${prefix} and
${exec_prefix}).

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-05-17 21:41:43 +02:00
Rosen Penev
0b26382533 uClibc++: Update to 0.2.5
Switched to xz archives for smaller size.

Removed upstreamed patches.

Reorganized Makefile a little bit for clarity. Build/Prepare is not useful
anymore. Upstream converted the file to LF.

Refreshed config.

Removed -ansi option from the original CFLAGS as this was causing long
long support to be missing.

Removed fPIC. We have the macro $(FPIC) already used. No point in setting
fpic and fPIC together.

Removed pedantic -Wlong-long warnings as they are not useful.

Removed -std=gnu++98. Not only is it unnecessary (it compiles against all
standards), it actually results in a size increase. 75843 vs. 75222 (gcc
in OpenWrt defaults to g++14).

Added --gc-sections to linker flags to reduce size: 72653 vs 75222.

Removed warn linker options. They have been upstreamed.

Tested on Archer C7v2 and GnuBee PC1.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2019-05-11 23:10:10 +02:00
Rosen Penev
4760541027 elfutils: Fix compile with uClibc-ng
Probably glibc too. argp_help takes a char *. not const char *.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
[updated with upstream version of the patch]
2019-05-05 21:11:01 +02:00
Hauke Mehrtens
1325e74e0c kernel: Remove support for kernel 3.18
No target is using kernel 3.18 anymore, remove all the generic
support for kernel 3.18.

The removed packages are depending on kernel 3.18 only and are not used on
any recent kernel.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-05-03 22:41:38 +02:00
Rafał Miłecki
d6643aca34 libroxml: bump to the 3.0.1 version
Some of changes:
* Support for local-name()
* General refactoring
* Better parsing performance
* Fix possible buffer overflow & memleak
* Validation checks
* More commit functions (file, buffer, fd)

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2019-05-01 07:25:55 +02:00
Eneas U de Queiroz
17cb490ac4 openssl: build kmods only if engines are selected
Add a conditional to the individual package's for the kmods in DEPENDS.
This avoids the need to compile the kernel modules when the crypto
engine packages are not selected.  The final binares are not affected by
this.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
2019-04-26 15:31:34 +02:00
Jose Olivera
40de4c038a elfutils: bump to 0.176
*Fixes:
  -CVE-2019-7150
  -CVE-2019-7149
  -CVE-2019-7146
  -CVE-2019-7665
  -CVE-2019-7664
  -CVE-2019-7148

*Refresh 003-libintl-compatibility.patch

*Also reset PKG_RELEASE.

Signed-off-by: Jose Olivera <oliverajeo@gmail.com>
2019-04-26 10:04:47 +02:00
Eneas U de Queiroz
8abb505048 openssl: add Eneas U de Queiroz as maintainer
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-04-22 21:37:31 +02:00
Eneas U de Queiroz
ff9ac986ce openssl: fix OPENSSL_config bug affecting wget
This applies an upstream patch that fixes a OPENSSL_config() bug that
causes SSL initialization to fail when the openssl.cnf file is not
found.  The config file is not installed by default.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-04-22 20:30:02 +02:00
Hans Dedecker
47dc4f96cb nghttp2: bump to 1.38.0
4a9d2005 Update manual pages
acf6a922 Bump up version number to 1.38.0, LT revision to 31:3:17
4ff45821 Update AUTHORS
42dce01e Merge branch 'nghttpx-fix-backend-selection-on-retry'
a35059e3 nghttpx: Fix bug that altered authority and path affect backend selection
5a30fafd Merge branch 'nghttpx-fix-chunked-request-stall'
dce91ad3 Merge branch 'nghttpx-dont-log-authorization'
2cff8b43 nghttpx: Fix bug that chunked request stalls
be96654d nghttpx: Don't log authorization request header field value with -LINFO
ce962c3f Merge branch 'update-http-parser'
f931504e Update http-parser to v2.9.1
d978f351 Fix bug that on_header callback is still called after stream is closed
ec519f22 Merge pull request #1270 from baitisj/master
e8b213e3 Bump up version number to 1.38.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-04-22 13:42:24 +02:00
Eneas U de Queiroz
450d44a8ea openssl: change defaults: ENGINE:on, NPN:off, misc
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Enable engine support by default.  Right now, some packages require
this, so it is always enabled by the bots.  Many packages will compile
differently when engine support is detected, needing engine symbols from
the libraries.

However, being off by default, a user compiling its own image will fail
to run some popular packages from the official repo.
Note that disabling engines did not work in 1.0.2, so this problem never
showed up before.

NPN support has been removed in major browsers & servers, and has become
a small bloat, so it does not make sense to leave it on by default.

Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-04-17 11:26:55 +02:00
Josef Schlehofer
4ebd66d7a9 mbedtls: update to version 2.16.1
Refreshed patches

Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-04-06 16:30:43 +02:00
Rosy Song
488e7ccfbc libnftnl: bump to latest version
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2019-03-21 17:05:44 +01:00
Eneas U de Queiroz
fc1386ccf8 openssl: revert disallowing parallel build
Openssl 1.1.0 made wholesale changes to its building system.
Apparently, parallel builds are working now.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-03-21 17:05:34 +01:00
Eneas U de Queiroz
2407b1edcc openssl: disable digests by default, misc fixes
Openssh uses digest contexts across forks, which is not supported by the
/dev/crypto engine.  The speed of digests is usually not worth enabling
them anyway.  This changes the default of the DIGESTS option to NONE, so
the user still has the option to enable them.

Added another patch related to the use of encryption contexts across
forks, that ignores a failure to close a previous open session when
reinitializing a context, instead of failing the reinitialization.

Added a link to the Cryptographic Hardware Accelerators document to the
engine pacakges description, to provide more detailed instructions to
configure the engines.

Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used
by openssh.  There is an open PR to update openssh; when merged, this
symbol can be safely removed.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
2019-03-12 18:26:59 +01:00
Hans Dedecker
b04c9a1ffc nghttp2: bump to 1.37.0
cfb47d30 Take into account larger frame size for prioritization
dbbe4e01 Remove unused field
371bc3a8 clang-format
5e7889c5 Update manual pages
b1b2ad50 Bump up version number to 1.37.0, LT revision to 31:2:17
e043ca83 Update AUTHORS
c2434dfb Simplify stream_less
816ad210 Reuse name when indexing header by referencing dynamic table
f5feb16e Merge pull request #1295 from bratkartoffel/fix-compile-boringssl
adf09f21 Merge pull request #1303 from donny-dont/fix-shared-install
2591960e Explicitly set install location when building shared libs
d93842db nghttpx: Fix backend stall if header and request body are sent in 2 packets
8dc2b263 nghttpx: Use std::priority_queue
8d842701 Update manual pages
de85b0fd Update README
5d6beed5 Merge branch 'nghttpx-backend-weight'
1ff9de4c nghttpx: Backend address selection with weight
34482ed4 Fix compilation with boringssl
9b6ced66 Bump up version number to 1.37.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-03-10 19:34:33 +01:00
Moritz Warning
3d3e04d8c8 wolfssl: fix build in busybox environments
The configure script broke when used in alpine-3.9 based docker containers. Fixed in wolfSSL >3.15.7.

Signed-off-by: Moritz Warning <moritzwarning@web.de>
2019-03-10 17:48:23 +01:00
Eneas U de Queiroz
d971ae51a5 openssl: backport devcrypto changes from master
The patches to the /dev/crypto engine were commited to openssl master,
and will be in the next major version (3.0).

Changes:
- Optimization in computing a digest in one operation, saving an ioctl
- Runtime configuration options for the choice of algorithms to use
- Command to dump useful information about the algorithms supported by
  the engine and the system.
- Build the devcrypto engine as a dynamic module, like other engines.

The devcrypto engine is built as a separate package by default, but
options were added to allow building the engines into the main library.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[refresh patches]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-03-09 18:55:07 +01:00
Yousong Zhou
0e8ddc953f libubox: bump to version 2019-02-27
Contains the following change

	eeef7b5 blobmsg_json: blobmsg_format_string: do not escape '/'

Resolves FS#2147

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2019-03-01 08:09:41 +00:00
Alexander Couzens
b2bf3745ff
package/ncurses: change AR options to fix reproducible builds
ar has a deterministic (-D) and non-deterministic (-U) mode.
OpenWrt is already using the deterministic mode by default,
but ncurses' configure script force this to be non-deterministic.
Since autoreconf fails to generate a new configure, the configure script
is directly modified.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2019-02-28 19:09:35 +01:00
Eneas U de Queiroz
9e8cbecb7f openssl: bump to release 1.1.1b
This is bugfix release that incorporated all of the devcrypto engine
patches currently in the tree.

The cleaning procedure in Package/Configure was not removing the
dependency files, causing linking errors during a rebuild with
different options.  It was replaced by a simple make clean.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-27 22:43:30 +01:00
Daniel Engberg
38867b7eba popt: Use modern toolchain logic
Replace define Build/Configure with CONFIGURE_ARGS

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-02-26 23:20:04 +01:00
Matt Merhar
0d1d5880c0 elfutils: fix install .so glob
Only libelf was being packaged correctly - libdw and libasm included
just the symlinks.

Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
2019-02-26 23:20:04 +01:00
Peter Wagner
0297610554 elfutils: fix DEPENDS for libelf
Signed-off-by: Peter Wagner <tripolar@gmx.at>
2019-02-17 19:22:39 +01:00
Eneas U de Queiroz
ddee1825de openssl: patch to fix devcrypto sessions leak
Applies a patch from https://github.com/openssl/openssl/pull/8213
that fixes an error where open /dev/crypto sessions were not closed.
Thanks to Ansuel Smith for reporting it.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-17 19:22:35 +01:00
Eneas U de Queiroz
29b69e840a openssl: add package for openssl.cnf, misc changes
- Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking
  the transitional mechanism, allowing libopenssl_1.0* and
  libopenssl_1.1* to coexist.

- Remove the (selecting) dependency on @KERNEL_AIO

- Use global SOURCE_DATE_EPOCH

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz
2eeb2853ed openssl: optimizations based on ARCH/small flash
Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM.  This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl.  Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.

Disable error messages by default except for devices with small flash or
RAM, to aid debugging.

Disable ASM by default on arm platform with small flash.  Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold).  All of
the affected platforms are source-only anyway.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:24:09 +01:00
Eneas U de Queiroz
d872d00b2f openssl: update to version 1.1.1a
This version adds the following functionality:
  * TLS 1.3
  * AFALG engine support for hardware accelleration
  * x25519 ECC curve support
  * CRIME protection: disable use of compression by default
  * Support for ChaCha20 and Poly1305

Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585

This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 22:23:26 +01:00
Eneas U de Queiroz
be3892284c openssl: add configuration options, disable ssl3
Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine

Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.

Fixes DTLS option that was innefective before.

Disables insecure SSL3 protocol and SHA0.

Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.

Strips building dirs from CFLAGS shown in binary.

Skips the fuzz directory during build.

Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.

This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2019-02-12 21:14:46 +01:00
Sven Roederer
6e575fa9d6 openssl: update list of mirrors
Host "gd.tuwien.ac.at" does not exists anymore, so we replace it by "ftp.pca.dfn.de" from the official list of mirrors.

Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
2019-01-31 21:21:49 +01:00
Sven Roederer
989060478a openssl: bump to 1.0.2q
This fixes the following security problems:
 * CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication
 * CVE-2018-0734: Timing vulnerability in DSA signature generation
 * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module

Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>
2019-01-30 11:59:46 +01:00
Michael Heimpold
268b5bec80 mbedtls: Kconfig option to enable/disable debug functions
This introduces a new Kconfig option to switch on/off mbedtls' support
for debug functions.

The idea behind is to inspect TLS traffic with Wireshark for debug
purposes. At the moment, there is no native or 'nice' support for
this, but at
68aea15833
an example implementation can be found which uses the debug functions
of the library. However, this requires to have this debug stuff enabled
in the library, but at the moment it is staticly patched out.

So this patch removes the static part from the configuration patch
and introduces a dynamic config file editing during build.

When enabled, this heavily increases the library size, so I added
a warning in the Kconfig help section.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2019-01-27 01:04:53 +01:00
Deng Qingfang
e8f2302516 mbedtls: update to 2.16.0
Refresh patch

https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.0-2.7.9-and-2.1.18-released

Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
2019-01-27 01:04:53 +01:00
Jo-Philipp Wich
f4d6e8f98f libelf: fix library packaging
The library has an usual shared object file name, which caused the
install glob pattern to miss the actual so.

Fixes: #2082
Fixes; 0e70f69a35 ("treewide: revise library packaging")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-25 18:59:46 +01:00
Jo-Philipp Wich
d7bf0898a8 elfutils: rename libelf1 to libelf
The ABI_VERSION:=1 tag will take care of transforming the binary
library package basename.

Add a virtual PROVIDES:=libelf1 for packages still having libelf1
in their DEPENDS:=... lists.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 12:52:23 +01:00
Jo-Philipp Wich
0e70f69a35 treewide: revise library packaging
- Annotate versionless libraries (such as libubox, libuci etc.) with a fixed
  ABI_VERSION resembling the source date of the last incompatible change
- Annotate packages shipping versioned library objects with ABI_VERSION
- Stop shipping unversioned library symlinks for packages with ABI_VERSION

Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries
Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:30 +01:00
Jo-Philipp Wich
68b29a7a95 uclient: set fixed ABI_VERSION on libuclient
Last incompatible change appeared to be 4924411
("http: add proper error handling to uclient_http_redirect()") which
changed the return value of uclient_http_redirect() from bool to int.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-24 10:39:29 +01:00
Andy Walsh
94f6030170 librpc: remove package
* replaced with packages/libtirpc
* remove busybox options rarely used/deprecated
BUSYBOX_CONFIG_FEATURE_MOUNT_NFS
BUSYBOX_CONFIG_FEATURE_INETD_RPC

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2019-01-22 13:29:46 +01:00
Jo-Philipp Wich
5d1399788a ncurses: build host libraries with -fPIC
Since readline/host links ncurses/host now, we need to ensure that the
libncursesw.so host library is built with -fPIC.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 11:29:05 +01:00
Jo-Philipp Wich
5a89eea8e4 ncurses: package only versioned shared objects
Also fix the libxxxw.so* -> libxxx.so* linking to actually work, the
prevsious code failed to properly symlink the versioned .so files.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 08:49:36 +01:00
Daniel Engberg
166b335e6e readline: Update to 8.0 and various fixes
Update (lib)readline to 8.0
Remove autoreconf
Remove blankspace at the end of the lines in description
Remove --enable-shared and --enable-static as they're enabled by default
Remove TARGET_CPPFLAGS
Simplify install sections
Install readline.pc (pkgconfig)
Add patch for linking (lib)ncurses

Source:
https://git.buildroot.net/buildroot/plain/package/readline/0000-curses-link.patch

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2019-01-22 08:49:36 +01:00
Peter Wagner
4da73af112 libnetfilter-conntrack: update to 1.0.7
Signed-off-by: Peter Wagner <tripolar@gmx.at>
[split from https://github.com/openwrt/openwrt/pull/1274]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-22 08:15:41 +01:00
Hans Dedecker
351e5516eb nghttp2: bump to 1.36.0
e7e8ee5f Update bash_completion
b3b4e335 Update manual pages
bd93d90a Don't treat text as option if it matches -[0-9]
ea69c84b Bump up version number to 1.36.0
783b649b Update AUTHORS
eb21e6f8 Merge branch 'update-http-parser'
ab2aa567 Fix test failure
ff87a542 Use http-parser 0d0a24e19eb5ba232d2ea8859aba2a7cc6c42bc4
439dbce6 Merge branch 'nghttpx-h1-connection-pool-per-addr'
e9c9838c nghttpx: Pool h1 backend connection per address
803d4ba9 Merge branch 'nghttpx-randomize-roundrobin-order'
732245e5 make clang-format
9e8d5433 Use clang-format-7
fdcdb21c nghttpx: Randomize backend address round robin order per thread
11d0533c nghttpx: Ensure that cert serial does not exceed 20 bytes
dbb5f00d Merge pull request #1287 from rckclmbr/fix_serial_size
9cc412e2 Merge pull request #1285 from staticinvocation/master
5b2efc0a Fix getting long serial numbers for openssl < 1.1
7e4c48a4 Disable shared library if ENABLE_SHARED_LIB is OFF
082e162f Merge pull request #1282 from alagoutte/travis
7cc7c06c .travis(.yml): no longer need llvm-toolchain-trusty-7
12ebeb30 .travis(.yml): Update to Xenial
c78abbe1 Update mruby to 2.0.0
124c7848 nghttpx: Add missing return
ce9667c4 Merge branch 'nghttpx-fix-trailing-slash-handling'
f3f40840 nghttpx: Fix broken trailing slash handling
302abf1b h2load: Fix compile error with gcc
089a03be h2load: Write log file with write(2)
de4fe728 Merge branch 'pyos-master'
d1b3a83f h2load: add an option to write per-request logs
eb679253 Merge branch 'puscas-port_in_use'
6800d317 added access to the number of the current server port
c98362ea Bump up version number to 1.36.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-20 18:16:29 +01:00
Jo-Philipp Wich
797e5c1c48 packages: set more explicit ABI_VERSION values
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.

For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.

The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.

In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:31:51 +01:00
Kevin Darbyshire-Bryant
ba4fe412c4 elfutils: bump to 0.175
4ea9a2db164c Update upload-release.sh script and po files.
a01938d584b9 libelf: Mark both fsize and msize with const attribute.
c338a0541663 libebl: Don't update w, t and len unnecessarily in ebl_object_note_type_name.
422b549007f6 Prepare for 0.175
22ec8efc1dd8 elflint: Allow PT_GNU_EH_FRAME segment to match SHT_X86_64_UNWIND section.
cf10453f8252 libelf: Correctly setup alignment of SHF_COMPRESSED section data.
d3e6266754b9 strip: Also handle gnu compressed debug sections with --reloc-debug-sections
72e30c2e0cb4 Handle GNU Build Attribute ELF Notes.
7a3f6fe60b85 Recognize NT_VERSION notes.
cff53f1784c9 libcpu: Recognize bpf jump variants BPF_JLT, BPF_JLE, BPF_JSLT and BPF_JSLE
ecbe3120cddb libdwelf: New function dwelf_elf_begin.
4b0342b85b5b backends: Add x86_64 section_type_name for SHT_X86_64_UNWIND.
825e48c4e942 Also find CFI in sections of type SHT_X86_64_UNWIND
4789e0fb92b0 libelf: Explicitly update section data after (de)compression.
1628254ba215 strip: Add --reloc-debug-sections-only option.
f2d59180b90b strip: Extract code to update shdrstrndx into new common function.
f6ae0ab9350e strip: Split out debug section relocation into separate helper functions.
b15ee95bcee4 strip: Always copy over any phdrs if there are any.
e574889d92b1 unstrip: Add ELF_CHECK to make sure gelf_getehdr () doesn't return NULL.
5199e15870e0 Recognize and parse GNU Property notes.
b75ff1bbd060 addr2line: Use elf_getshdrstrndx not Ehdr field to print section name.
35197ea4c43e readelf: Use shstrndx to lookup section names.
9a74c190a2b3 backends: ppc use define instead of const for size of dwarf_regs array.
72d023b35f36 readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
dce0b3b63ba0 readelf: Make sure readp is smaller than cieend in print_debug_frame_section.
1e7c230b277b Check sh_entsize is not zero.
22d2d082d57a size: Handle recursive ELF ar files.
2b16a9be6993 arlib: Check that sh_entsize isn't zero.
4cdb0fd0d3b4 ar: Assume epoch if ar_date is bogus.
577511f66842 findtextrel: Check that sh_entsize isn't zero.
20f9de9b5f70 libdwfl: Sanity check partial core file data reads.
2f4a040fab52 readelf: Handle multiple .debug_macro sections and decode header flag.
eee4269e5315 unstrip: Renumber the group section indexes.
c06ab0bbb476 strip, unstrip: Handle SHT_GROUP correctly.
2876b3b648f6 Handle ADD/SUB relocations
69d6e67eee30 tests: backtrace-dwarf.c improve error handling in test framework.

Originally-produced--by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-01-14 13:32:38 +00:00
Hans Dedecker
055cdab2bb uclient: add ALTERNATIVES for wget
Don't symlink uclient-fetch anymore to /bin/wget but rather use
the ALTERNATIVES support for wget to install it as /usr/bin/wget.
Let uclient-fetch provide wget

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2019-01-13 18:27:28 +01:00
Christian Lamparter
a8bae35914 elfutils: fix gcc 8.0+ multistatement macros warning/error
GCC 8.0+ <https://gcc.gnu.org/gcc-8/changes.html> introduces a new
warning about unsafe macros expanding to multiple statements used
as a body of a statement such as if, else, while, switch, or for.

In combination with -Werror this can cause the compilation to fail:

|In file included from xmalloc.c:37:
|xmalloc.c: In function 'xmalloc':
|system.h:39:2: error: macro expands to multiple statements [-Werror=multistatement-macros]
|  fflush(stdout); \
|  ^~~~~~
|xmalloc.c:52:5: note: in expansion of macro 'error'
|     error (EXIT_FAILURE, 0, _("memory exhausted"));
|     ^~~~~
|xmalloc.c:51:3: note: some parts of macro expansion are not guarded by this 'if' clause
|   if (p == NULL)
|   ^~

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2018-12-20 19:21:42 +01:00
Jo-Philipp Wich
f2c6e2c385 elfutils: produce correct libelf.pc file when building with full nls
When building with full lagnuage support, libelf.so will depend on and
link with libintl.so so we need to change the pkg-config template to
reflect this library dependency.

Also change the Makefile to only pass --disable-nls to configure when
the full nls support is actually disabled in the buildroot config.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-12-20 08:13:24 +01:00
Tony Ambardar
4b4e6a04ac elfutils: install library files for pkg-config
Support other packages using pkg-config to query existence and details of
libelf and libdw libraries at build time.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2018-12-19 10:49:57 +01:00
Kevin Darbyshire-Bryant
d6c6d1c7a7 Revert "elfutils: install library files for pkg-config"
This reverts commit 216397b812.

Due to:

Package ip-tiny is missing dependencies for the following libraries:
libelf.so.1
Makefile:187: recipe for target '/var/lib/buildbot/slaves/slave-lede-builds4/mips_24kc/build/sdk/bin/packages/mips_24kc/base/ip-tiny_4.19.0-6_mips_24kc.ipk' failed

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-12-16 17:20:16 +00:00
Hauke Mehrtens
9e7c4702a1 mbedtls: fix compilation on ARM < 6
mbedtls uses some instructions introduced in ARMv6 which are not
available in older architectures.

Fixes: 3f7dd06fd8 ("mbedtls: Update to 2.14.1")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-16 14:03:06 +01:00
Daniel Engberg
3f7dd06fd8 mbedtls: Update to 2.14.1
Update mbedtls to 2.14.1

This fixes:
* CVE-2018-19608: Local timing attack on RSA decryption

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
[Update to 2.14.1]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-12-16 00:57:20 +01:00
Hans Dedecker
a6f9e3b608 nghttp2: bump to 1.35.1
63843750 Update manual pages
27801e98 Bump up version number to 1.35.1
60e020a8 nghttpx: Fix broken trailing slash handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-12-15 12:30:02 +01:00
Tony Ambardar
216397b812 elfutils: install library files for pkg-config
Support other packages using pkg-config to query existence and details of
libelf and libdw libraries at build time.

Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2018-12-12 09:44:32 +00:00
Nikos Mavrogiannopoulos
99dbbe7eb7 nettle: bump to 3.4.1
This is a security fix adding safer APIs for RSA use.

Compile tested for: ar71xx

Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
2018-12-09 20:39:35 +01:00
Hans Dedecker
a0d5acfbe2 nghttp2: bump to 1.35.0
e520469b Update manual pages
54067256 Bump up version number to 1.35.0
c4d2eeee Update AUTHORS
f51e696e asio: Add stop() to listen_and_serve doc
a433b132 Merge pull request #1260 from nghttp2/h2load-non-final-response
cf48a56d Merge pull request #1238 from jktjkt/cmake-fix-libevent-detection
6cad1b24 nghttpx: Write mruby send_info early
3c393dca nghttpx: Fix assertion failure on mruby send_info with HTTP/1 frontend
17292445 h2load: Handle HTTP/1 non-final response
f6644a92 make clang-format
48998f72 Merge pull request #1222 from donny-dont/fix/declspec
15ff52f9 Update README
6c03bb14 Upgrade travis toolchain
524b4392 Fix travis build failure
859bf2bc Update manual pages
b5619fb1 h2load: Clarify that time for connect includes TLS handshake
dcbe0c69 nghttpx: Simplify move ctor and operator
2996c284 nghttpx: Cleanup
42e8ceb6 nghttpx: Convert API status code to enum class
1daf9ce8 nghttpx: Convert WorkerEventType to enum class
d68edf56 nghttpx: Convert MemcachedStatusCode to enum class
0c4e9fef nghttpx: Convert memcached op to enum class
571404c6 nghttpx: Convert MemcachedParseState to enum class
4d562b77 nghttpx: Convert LogFragmentType to enum class
e6225871 nghttpx: Convert connection check status to enum class
4bd075de nghttpx: Convert Http2Session state to enum class
b46a3249 nghttpx: Convert FreelistZone to enum class
4bd44b9c nghttpx: Convert dispatch state to enum class
1b42110d nghttpx: Make Downstream state enum class
0735ec55 nghttpx: Convert shrpx_connect_proto to enum class
00554779 nghttpx: Convert DNSResolverStatus to enum class
0963f389 nghttpx: Convert SerialEventType to enum class
1abfa3ca nghttpx: Make TLS handshake state enum class
f2159bc2 nghttpx: Convert UpstreamAltMode to enum class
b0eb68ee nghttpx: Convert shrpx_forwarded_node_type to enum class
e7b7b037 nghttpx: Convert shrpx_cookie_secure to enum class
5e4f434f nghttpx: Convert shrpx_session_affinity to enum class
20ea964f nghttpx: Convert shrpx_proto to enum class
d105619b src: Remove extra braces if possible
ec5729b1 Use std::make_unique
6c919695 Use C++14
46576178 Don't send Transfer-Encoding to pre-HTTP/1.1 clients
5e925f87 Update doc
153531d4 nghttpx: Use the same type as standard stream operator<<
f7287df0 Bump up version number to 1.35.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-11-25 20:22:15 +01:00
Jo-Philipp Wich
0bd99db511 uclient: update to latest Git head
3ba74eb uclient-http: properly handle HTTP redirects via proxy connections

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-11-24 20:15:04 +01:00
Daniel Engberg
dbba87aa6a popt: Add main site back to PKG_SOURCE_URL
Main site is back up after weeks of downtime.
Add it back as last resort

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-11-09 08:50:18 +01:00
Daniel Engberg
f9a408b75e libconfig: Fix tarball filename (and URL)
v$(PKG_VERSION).tar.gz is a bad idea and will clash for obvious reasons.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-11-01 17:16:52 +01:00
Matthias Schiffer
dd9da51462
openssl: enable OPENSSL_WITH_DEPRECATED when OpenSSL is built as a build dep
Some package (e.g. libunbound) depend on OPENSSL_WITH_DEPRECATED. In some
situations it may happen that libunbound and openssl are only pulled in as
build dependencies, but are not enabled in .config.

In such cases, the defaults of symbols like OPENSSL_WITH_DEPRECATED are
ignored (as the whole symbol depends on PACKAGE_libopenssl), and config
symbol dependencies of libunbound aren't effective either (as libunbound
is not actually enabled).

This commit works around the issue by introducing a hidden negated symbol
OPENSSL_NO_DEPRECATED, which is always disabled when PACKAGE_libopenssl is
disabled, and ensures that OpenSSL is built with deprecated APIs in this
case. A user can still manage to break the build by explicitly enabling
libopenssl and disabling OPENSSL_WITH_DEPRECATED; the interaction between
build dependencies and config symbols will require further discussion.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-10-30 20:38:34 +01:00
Daniel Golle
ed0d5a1e60 wolfssl: update to version 3.15.3-stable
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-10-15 08:41:02 +02:00
Hans Dedecker
329f2d5457 nghttp2: bump to 1.34.0
2b085815 (tag: v1.34.0) Update manual pages
986fa302 Bump up version number to 1.34.0, LT revision to 31:1:17
7c8cb3a0 nghttpx: Improve CONNECT response status handling
334c439c Fix bug that regular CONNECT does not work
6700626c Rule out content-length in the successful response to CONNECT
15162add Update manual pages
93270777 Merge pull request #1235 from nghttp2/backend-conn-timeout
aeb92bbb nghttpx: Add read/write-timeout parameters to backend option
fc7489e0 nghttpx: Fix mruby parameter validation
87ac872f nghttpx: Update doc
c278adde nghttpx: Log error when mruby file cannot be opened
f94d7209 Merge pull request #1234 from nghttp2/nghttpx-rfc8441
9b9baa6b Update doc
02566ee3 nghttpx: Update doc
3002f31b src: Add debug output for SETTINGS_ENABLE_CONNECT_PROTOCOL
d2a594a7 nghttpx: Implement RFC 8441 Bootstrapping WebSocket with HTTP/2
651e1477 Allow client sending :protocol optimistically
a42faf1c nghttpx: Write TLS alert during handshake
4aac05e1 Merge pull request #1231 from nghttp2/ws-lib-only
b80dfaa8 Adjustment for RFC 8441
a19d8f5d Deal with :protocol pseudo header
33f6e90a Add NGHTTP2_TOKEN__PROTOCOL
ed7fabcb Add SETTINGS_ENABLE_CONNECT_PROTOCOL
8753b6da Update doc
f2de733b Update neverbleed to fix OpenSSL 1.1.1 issues
88ff8c69 Update mruby 1.4.1
a63558a1 nghttpx: Call OCSP_response_get1_basic only when OCSP status is successful
3575a132 nghttpx: Fix crash with plain text HTTP
e2de2fee Update bash_completion
9f415979 Update manual pages
4bfc0cd1 Merge pull request #1230 from nghttp2/nghttpx-faster-logging
9c824b87 nghttpx: Get rid of std::stringstream from Log
a1ea1696 Make VALID_HD_NAME_CHARS and VALID_HD_VALUE_CHARS const qualified
dfc0f248 Make static_table const qualified
ed7c9db2 nghttpx: Add mruby env.tls_handshake_finished
5b42815a nghttpx: Strip incoming Early-Data header field by default
cfe7fa9a nghttpx: Add --tls13-ciphers and --tls-client-ciphers options
cb8a9d58 src: Remove TLSv1.3 ciphers from DEFAULT_CIPHER_LIST
023b9448 Merge branch 'tls13-early-data'
9b03c64f nghttpx: Should postpone early data by default
b8eccec6 nghttpx: Disable OpenSSL anti-replay
9f212587 Specify SSL_CTX_set_max_early_data and add an option to change max value
47f60124 nghttpx: Add an option to postpone early data processing
770e44de Implement draft-ietf-httpbis-replay-02
2ab319c1 Don't hide error code from openssl
39923024 Remove SSL_ERROR_WANT_WRITE handling
b30f312a Honor SSL_read semantics
c5cdb78a nghttpx: Add TLSv1.3 0-RTT early data support
f79a5812 Bump up version number to 1.34.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-10-07 17:39:05 +02:00
Andy Walsh
e0196152eb ncurses: use default host install
* just use default host/install, so libs/headers get properly generated/installed

Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2018-09-24 19:22:53 +02:00
Andy Walsh
2bbc9376c6 gettext-full: host compile with -fpic
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2018-09-24 19:18:52 +02:00
Magnus Kroken
7849f74117 mbedtls: update to 2.13.0
* Fixed a security issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency networks with high packet loss.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2018-09-22 19:26:25 +02:00
Luiz Angelo Daros de Luca
38a88ade14 elfutils: bump to 0.174
- Simplified musl patch with error.h concentrated into system.h

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2018-09-21 21:32:12 +02:00
Eneas U de Queiroz
0317fc3658 libpcap: patch to add limits.h to pcap-usb-linux.c
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
This is an upstream-applied patch that fixes 'PATH_MAX' and 'NAME_MAX'
undeclared when compiling on musl with CONFIG_PCAP_HAS_USB.

[aafa351] pcap-usb-linux.c: add missing limits.h for musl systems.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-09-10 09:15:26 +02:00
Hans Dedecker
17c9b72046 nghttp2: bump to 1.33.0
9d843334 Update bash_completion
23cb3f38 Update manual pages
1d682dcd Bump up version number to 1.33.0, LT revision to 31:0:17
601fbbb4 Update doc
f44aa246 Update AUTHORS
dd74a6dd Update manual pages
e959e733 src: Refactor utos
fb9a204d nghttpx: Fix compile error without mruby
cd096802 Update doc
7417fd71 nghttpx: Per-pattern not per-backend
2d1a981c Merge branch 'akonskarm-master'
45acc922 clang-format
214d0899 Merge branch 'master' of https://github.com/akonskarm/nghttp2 into akonskarm-master
31fd707d nghttpx: Fix broken healthmon frontend
9a2e38e0 fix code for reuse addr on asio client
d24527e7 Bump up LT revision due to v1.32.1 release
6195d747 nghttpx: Share mruby context if it is compiled from same file
fb97f596 nghttpx: Allocate mruby file because fopen requires NULL terminated string
0ccc7a77 nghttpx: Move blocked request data to request buffer for API request
32826466 nghttpx: Fix crash with API request
0422f8a8 nghttpx: Fix worker process crash with neverbleed write error
e329479a Merge pull request #1215 from nghttp2/mruby-per-backend
f80a7873 Merge branch 'akonskarm-reuse_addr'
866ac6ab add option reuse addr in local endpoint configuration of asio client
b574ae6a nghttpx: Support per-backend mruby script
de4fd7cd doc: Update doc
32d7883c nghttpx: Downstream::request_buf_full: take into account blocked_request_buf_
9b24e197 nghttpx: Choose h1 protocol if headers have been sent to backend on retry
13ffece1 Merge pull request #1214 from nghttp2/fix-rst-without-dconn
9d5b781d Fix stream reset if data from client is arrived before dconn is attached

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-09-03 10:46:20 +02:00
Hans Dedecker
6caa8e09aa nghttp2: bump to 1.32.1
4c76aaee Update manual pages
2b51ad67 Bump up version number to 1.32.1, LT revision to 30:3:16
708379dc Tweak nghttp2_session_set_stream_user_data
73106b0d Compile with clang-6.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-08-27 10:11:10 +02:00
Daniel Engberg
e341f45913 libbsd: Update to 0.8.7
Update libbsd to 0.8.7
Remove glibc dependency
Clean up InstallDev and install entries
Use /usr path for consistency
Cherry pick patches from upstream to fix musl compilation

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-08-25 15:40:23 +02:00
Rosen Penev
3ccc2ebe01 libevent2: Switch to using release tarball
Starting with version 2.1.8, a release tarball is available.

Simplifies the Makefile slightly.

Updated the project URL. HTTPS is broken. Issue has been reported upstream

Adjusted patches. CMake support is not present in the tarball. It's made
for Windows anyway.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-08-25 13:18:35 +02:00
Jo-Philipp Wich
a27de701b0 wolfssl: disable broken shipped Job server macro
The AX_AM_JOBSERVER macro shipped with m4/ax_am_jobserver.m4 is broken on
plain POSIX shells due to the use of `let`.

Shells lacking `let` will fail to run the generated m4sh code and end up
invoking "make" with "-jyes" as argument, fialing the build.

Since there is no reason in the first place for some random package to
muck with the make job server settings and since we do not want it to
randomly override "-j" either, simply remove references to this defunct
macro to let the build succeed on platforms which not happen to use bash
as default shell.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-23 20:14:00 +02:00
Hauke Mehrtens
d74d6c4522 openssl: update to version 1.0.2p
This fixes the following security problems:
 * CVE-2018-0732: Client DoS due to large DH parameter
 * CVE-2018-0737: Cache timing vulnerability in RSA Key Generation

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-08-15 22:32:07 +02:00
Jo-Philipp Wich
5762efd8b2 libubox: set RPATH for host build
This is required for programs that indirectly link libjson-c through the
libubox blobmsg_json library.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-14 23:54:59 +02:00
Daniel Golle
73100024d3 libubox: set HOST_BUILD_PREFIX
Install into STAGING_DIR_HOST rather than STAGING_DIR_HOSTPKG to make
bundle-libraries.sh happy.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-08-07 22:31:48 +02:00
Daniel Golle
a5368dc30c libjson-c: set HOST_BUILD_PREFIX
Install into STAGING_DIR_HOST rather than STAGING_DIR_HOSTPKG to make
bundle-libraries.sh happy.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-08-07 22:31:48 +02:00
Jo-Philipp Wich
1c4a255aa1 libubox: fix source version date
The referenced Git commit was made on the 25th of July, not June.

Fixes 432eaa940f ("libubox: fix mirror hash")
Fixes 5dc32620c4 ("libubox: update to latest git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-07 17:27:05 +02:00
Jo-Philipp Wich
432eaa940f libubox: fix mirror hash
Correct the mirror hash to reflect whats on the download server.

A locally produced libubox SCM tarball was also verified to yield an identical
checksum compared to the one currently on the download server.

Fixes FS#1707.
Fixes 5dc32620c4 ("libubox: update to latest git HEAD")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-07 16:32:30 +02:00
Eneas U de Queiroz
33fd1d0d91 ustream-ssl: update to latest git HEAD
23a3f28 openssl, wolfssl: match mbedTLS ciphersuite list
450ada0 ustream-ssl: Revised security on mbedtls
34b0b80 ustream-ssl: add openssl-1.1.0 compatibility

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-08-07 14:28:16 +02:00
Jo-Philipp Wich
e44162ffca uclient: update to latest git HEAD
f2573da uclient-fetch: use package name pattern in message for missing SSL library
9fd8070 uclient-fetch: Check for nullpointer returned by uclient_get_url_filename
f41ff60 uclient-http: basic auth: Handle memory allocation failure
a73b23b uclient-http: auth digest: Handle multiple possible memory allocation failures
66fb58d uclient-http: Handle memory allocation failure
2ac991b uclient: Handle memory allocation failure for url
63beea4 uclient-http: Implement error handling for header-sending
eb850df uclient-utils: Handle memory allocation failure for url file name
ae1c656 uclient-http: Close ustream file handle only if allocated

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-08-03 23:50:29 +02:00
Alexandru Ardelean
20346a63f6 wolfssl: remove myself as maintainer
I no longer have the time, nor the desire to maintain this package.
Remove myself as maintainer.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2018-07-30 19:34:43 +02:00
Eneas U de Queiroz
26dbf79f49 libevent2: Don't build tests and samples
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
This reduces build time significantly.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-07-30 15:19:16 +02:00
Leon M. George
025688794d libevent: update to 2.1.8
Signed-off-by: Leon M. George <leon@georgemail.eu>
2018-07-30 10:43:37 +02:00
Andy Walsh
1639ebcb06 ncurses: install lib on host build
Signed-off-by: Andy Walsh <andy.walsh44+github@gmail.com>
2018-07-30 10:43:37 +02:00
Daniel Engberg
5647cc7bd4 treewide: Bump PKG_RELEASE due to mbedtls update
Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library
mismatch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-30 10:35:12 +02:00
Daniel Engberg
5b614e3347 mbedtls: Update to 2.12.0
Update mbedtls to 2.12.0
Multiple security fixes
Add support for Chacha20 and Poly1305 cryptographic primitives and their
associated ciphersuites

Difference in size on mips_24kc (ipk):
164kbytes (167882 bytes)
170kbytes (173563 bytes)

https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-30 10:35:12 +02:00
Rosen Penev
31f87ebcb2 libjson-c: Update package URL
Found through UScan.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-07-29 12:05:53 +02:00
Syrone Wong
4d57c696b1 libpcap: update to 1.9.0
001-Fix-compiler_state_t.ai-usage-when-INET6-is-not-defi.patch dropped due to upstream
002-Add-missing-compiler_state_t-parameter.patch dropped due to upstream

202-protocol_api.patch dropped due to implemented upstream by another way
upstream commit: 55c690f6f8
and renamed via: 697b1f7e9b

ead is the only user who use the protocol api, we have to use the new api since libpcap 1.9.0

Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
2018-07-27 11:17:20 +02:00
John Crispin
5dc32620c4 libubox: update to latest git HEAD
c83a84a fix segfault when passed blobmsg attr is NULL

Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 12:13:19 +02:00
Ted Hess
354de22bad elfutils: Copy missing libraries to staging and packages
Newer shared libraries seem to have the package version as part of their name.
E.g.: libelf-0.173.so

Signed-off-by: Ted Hess <thess@kitschensync.net>
2018-07-24 14:32:27 -04:00
Peter Wagner
d8d2133c35 librpc: add host build to install h files needed for nfs-kernel-server to get compiled
Signed-off-by: Peter Wagner <tripolar@gmx.at>
2018-07-16 15:12:19 +02:00
Daniel Engberg
09d794ab92 popt: Replace dead upstream site with mirror
We can safely assume by now that rpm5.org is dead and isn't coming back
so just add another mirror instead.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-16 15:12:18 +02:00
Konstantin Demin
f715d816b7 libnl: bump to 3.4.0
refresh patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2018-07-07 18:33:58 +02:00
Hauke Mehrtens
b19622044d mbedtls: Activate deterministic ECDSA
With deterministic ECDSA the value k needed for the ECDSA signature is
not randomly generated any more, but generated from a hash over the
private key and the message to sign. If the value k used in a ECDSA
signature or the relationship between the two values k used in two
different ECDSA signatures over the same content is know to an attacker
he can derive the private key pretty easily. Using deterministic ECDSA
as defined in the RFC6979 removes this problem by deriving the value k
deterministically from the private key and the content which gets
signed.

The resulting signature is still compatible to signatures generated not
deterministic.

This increases the size of the ipk on mips 24Kc by about 2 KByte.
old:
166.240 libmbedtls_2.11.0-1_mips_24kc.ipk
new:
167.811 libmbedtls_2.11.0-1_mips_24kc.ipk

This does not change the ECDSA performance in a measurable way.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-07-07 18:33:53 +02:00
Daniel Engberg
5a078180d0 mbedtls: Disable MBEDTLS_SHA256_SMALLER implementation
Disable MBEDTLS_SHA256_SMALLER implementation, not enabled by default in
upstream and reduces performance by quite a bit.

Source: include/mbedtls/config.h

Enable an implementation of SHA-256 that has lower ROM footprint but also
lower performance.

The default implementation is meant to be a reasonnable compromise between
performance and size. This version optimizes more aggressively for size at
the expense of performance. Eg on Cortex-M4 it reduces the size of
mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of
about 30%.

The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
164.382 Bytes
ipkg for mips_24kc after:
166.240 Bytes

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-07 18:31:13 +02:00
Daniel Engberg
10554cfcc1 mbedtls: Update to 2.11.0
Update mbed TLS to 2.11.0

Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS
This is to avoid having a mismatch between packages when upgrading.

The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.846 Bytes
ipkg for mips_24kc after:
164.382 Bytes

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-07 18:29:14 +02:00
Daniel Engberg
f15f3286e3 mbedtls: cleanup config patch
Clean up patch, use "//" consistently.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-07-07 18:19:39 +02:00
Enrico Mioso
231b0177fb libconfig: update to version 1.7.2
The previous link did not work here.

Compile-tested on: bcm47xx
Runtime-tested on: bcm47xx

Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
2018-07-07 18:19:39 +02:00
Felix Fietkau
1e6c30690c libubox: update to the latest version
3c1b33b utils: add const_* byteswapping functions

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-07-07 14:53:26 +02:00
Luiz Angelo Daros de Luca
b724443f9f elfutils: bump to 0.173
- Removed hacks to use standalone argp as upstream now detects it nicely.
- As we are already installing files, use files from PKG_INSTALL_DIR and
  not PKG_BUILD_DIR
- Only changes Makefile.am as PKG_FIXUP:=autoreconf is in use

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2018-07-04 16:18:08 +02:00
Daniel Engberg
5297a759ae mbedtls: Cosmetic cleanups
This is more of a cosmetic change and a reminder that the CMake script hardcodes -O2.
Source:
https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.7/CMakeLists.txt#L73
https://github.com/ARMmbed/mbedtls/blob/master/CMakeLists.txt#L97

Remove the release type option as it's already provided by the toolchain.
Source:
https://github.com/openwrt/openwrt/blob/master/include/cmake.mk#L50

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-06-18 20:28:20 +02:00
Rosy Song
9d6a0352e7 libnftnl: bump to version 1.1.1
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-06-18 18:21:20 +02:00
Daniel Golle
5e9470a93b libjson-c: fix host-build
Add -Wno-implicit-fallthrough to HOST_CFLAGS.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-06-14 22:53:58 +02:00
Daniel Engberg
8428156f48 package/libs/libnfnetlink: Remove dead mirror
Remove mirrors.evolva.ro as it's no longer available

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-06-14 21:48:38 +02:00
Daniel Golle
56e3a19ad6 libubox: make sure blobmsg-json is included in host-build
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-06-14 20:30:47 +02:00
Daniel Golle
6fc8e06078 libjson-c: add host build (for libblobmsg-json)
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-06-14 20:09:29 +02:00
Daniel Engberg
79bab45772 popt: Add backup site
Add Gentoo's distfiles repo as backup site.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-06-13 12:15:38 +02:00
Kevin Darbyshire-Bryant
1ee5051f20 nettle: bump to 3.4
3.4 is mainly a bug fix/maintenance release.

3KB increase in ipk lib size on mips.

Compile tested for: ar71xx, ramips
Run tested on: ar71xx Archer C7 v2, ramips mir3g

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-06-01 08:39:59 +02:00
Daniel Golle
dad39249fb wolfssl: change defaults to cover wpa_supplicant needs
Implicetely selecting the required options via Kconfig snippet from
hostapd worked fine in local builds when using menuconfig but confused
the buildbots which (in phase1) may build wpad-mini and hence already
come with CONFIG_WPA_WOLFSSL being defined as unset which then won't
trigger changing the defaults of wolfssl.

Work around by explicitely reflecting wpa_supplicant's needs in
wolfssl's default settings to make buildbots happy.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-31 00:38:16 +02:00
Daniel Golle
5857088c5e wolfssl: add PKG_CONFIG_DEPENDS symbols
This change will trigger rebuild on buildbots in case of changed config
symbols, like in the case of hostapd selecting some wolfssl symbols
lately.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-25 20:36:46 +02:00
Daniel Golle
4f67c1522d wolfssl: update to version 3.14.4
Use download from github archive corresponding to v3.14.4 tag because
the project's website apparently only offers 3.14.0-stable release
downloads.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-24 21:46:35 +02:00
Daniel Golle
4f442f5f38 ustream-ssl: fix build against wolfSSL
commit 39a6ce205d (ustream-ssl: Enable ECDHE with OpenSSL.) broke
build against wolfSSL because wolfSSL doesn't (yet) support
SSL_CTX_set_ecdh_auto() of the OpenSSL API.

Fix this in ustream-ssl:

 189cd38b41 don't use SSL_CTX_set_ecdh_auto with wolfSSL

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-24 18:55:34 +02:00
John Crispin
346d4c75ea ustream-ssl: update to latest git HEAD
5322f9d mbedtls: Fix setting allowed cipher suites
e8a1469 mbedtls: Add support for a session cache

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-22 20:47:21 +02:00
Hauke Mehrtens
2ea8f9c244 mbedtls: Deactivate platform abstraction
This makes mbedtls use the POSIX API directly and not use the own
abstraction layer.
The size of the ipkg decreased by about 100 bytes.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-05-22 20:47:21 +02:00
Hauke Mehrtens
f2c8f6dc32 mbedtls: Activate the session cache
This make sit possible to store informations about a session and reuse
it later. When used by a server it increases the time to create a new
TLS session from about 1 second to less than 0.1 seconds.

The size of the ipkg file increased by about 800 Bytes.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-05-22 20:47:20 +02:00
Hauke Mehrtens
cb11b23d60 mbedtls: update to version 2.9.0
The soversion was changed in this version again and is now aligned with
the 2.7.2 version.
The size of the ipkg file stayed mostly the same.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-05-22 20:47:20 +02:00
Rodolfo Giometti
2437e0f670 package sysfsutils: add support for sysfs settings at boot
This patch is based on sysfsutils package's behaviour on Debian OS.

Signed-off-by: Rodolfo Giometti <giometti@linux.it>
2018-05-22 20:47:20 +02:00
Rosy Song
c7e9d72f05 libnftnl: bump to 1.1.0
Signed-off-by: Rosy Song <rosysong@rosinson.com>
2018-05-21 18:07:47 +02:00
Hans Dedecker
419238fdb3 nghttp2: bump to 1.32.0
572735e4 Update manual pages
e8d693c3 Bump up version number to 1.32.0, LT revision to 30:2:16
f44dfcd9 Update AUTHORS
1f1b0d93 Update manual pages
ce8c749b Merge pull request #1173 from nghttp2/asio-client-sni
3e4f257b asio: Support client side SNI
86fab997 Upgrade neverbleed to the latest master
c3ecd445 Merge pull request #1171 from nghttp2/h2load-rate-and-duration
c65ca20a h2load: -r and --duration are mutually exclusive
a5c408c5 Ignore all input after calling session_terminate_session
06379b28 Fix treatment of padding
e04de48e Merge pull request #1162 from nghttp2/libressl
00964642 Use LIBRESSL_IN_USE instead of defined(LIBRESSL_VERSION_NUMBER)
8d0b4544 libressl 2.7 has X509_VERIFY_PARAM_*
d8a34131 libressl 2.7 has SSL_CTX_get0_certificate
5db17d0a Compile with libressl 2.7.2
1bf69b56 Define LIBRESSL_LEGACY_API and LIBRESSL_2_7_API
3febaef1 Bump up LT revision to 30:1:16 due to v1.31.1 release
b1bd6035 Fix frame handling
b48bcb21 examples: Use C style comment in .c files
6f3ce2c7 examples: Remove unused lambda capture
2f9121cf Merge branch 'Sp1l-Sp1l/allow-no-npn'
e65e7711 Add comment on #endif
636ef51b Fix compile error with -Wunused-function
400934e5 [PATCH] Allow building without NPN
4c3a3acf Merge pull request #1146 from vszakats/cmakestaticlib
9aa6002c Merge pull request #1144 from hellojaewon/master
f342260b cmake: add ENABLE_STATIC_LIB option to build static lib
a6dd4970 Fix typo
842509da Don't allow 101 HTTP status code because HTTP/2 removes HTTP Upgrade
4add618a Bump up version number to 1.32.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-05-09 11:26:45 +02:00
Rosen Penev
2c4294f786 libusb: Add SourceForge mirror.
SourceForge is still getting updated so might as well have it here.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-05-02 09:18:26 +02:00
Daniel Golle
c67a9bed20 wolfssl: fix options and add support for wpa_supplicant features
Some options' default values have been changed upstream, others were
accidentally inverted (CONFIG_WOLFSSL_HAS_DES3). Also add options
needed to build hostapd/wpa_supplicant against wolfssl.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-02 09:18:26 +02:00
John Crispin
52ba5760b7 ustream-ssl: update to latest git HEAD
527e700 ustream-ssl: Remove RC4 from ciphersuite in server mode.
39a6ce2 ustream-ssl: Enable ECDHE with OpenSSL.
45ac930 remove polarssl support

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-01 11:12:15 +02:00
Hauke Mehrtens
3088c2a63d libnl: Disable debug support
This dereses the size of the libnl pakcage a little bit
old:
   857 bin/packages/mips_24kc/base/libnl_3.4.0-1_mips_24kc.ipk
 41195 bin/packages/mips_24kc/base/libnl-core_3.4.0-1_mips_24kc.ipk
  7818 bin/packages/mips_24kc/base/libnl-genl_3.4.0-1_mips_24kc.ipk
 24322 bin/packages/mips_24kc/base/libnl-nf_3.4.0-1_mips_24kc.ipk
136075 bin/packages/mips_24kc/base/libnl-route_3.4.0-1_mips_24kc.ipk

new:
   852 bin/packages/mips_24kc/base/libnl_3.4.0-1_mips_24kc.ipk
 35020 bin/packages/mips_24kc/base/libnl-core_3.4.0-1_mips_24kc.ipk
  7615 bin/packages/mips_24kc/base/libnl-genl_3.4.0-1_mips_24kc.ipk
 24114 bin/packages/mips_24kc/base/libnl-nf_3.4.0-1_mips_24kc.ipk
131134 bin/packages/mips_24kc/base/libnl-route_3.4.0-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-30 09:01:28 +02:00
Rosen Penev
c0574d08da libusb: Update to 1.0.22
Switched download from SourceForge to GitHub. It seems the author migrated to that.

Also fixed the website URL as the SourceForge link is dead.

Compile tested on ar71xx and mvebu. Small size decrease on ar71xx: 30444 vs. 30099 bytes.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-04-30 09:01:12 +02:00
Hauke Mehrtens
8dcd941d8b tools/zlib: move zlib build to tools
This allows us to link the other tools against our libz and we do not
need the system zlib any more.

Only the static linked library is copied to the staging directory so we
have a statically linked library on all systems and not only on Linux.
This also adds the new dependencies of the packages which are depending
on zlib.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-04-28 15:28:59 +02:00
Hauke Mehrtens
7b758f7f4f ustream-ssl: px5g: Rebuild package
mbedtls changed in version 2.7.0 the soversion of the libmbedcrypto.so
library, all applications using this shared library have to be
recompiled to be able to load the new library.

Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.

Fixes: 75c5ab4ca ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-18 23:57:25 +02:00
Hans Dedecker
d78dd1f306 nghttp2: bump to 1.31.1
1e22b36c Update manual pages
0f818baf Bump up version number to 1.31.1
c411d169 Fix frame handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-15 20:24:44 +02:00
Hans Dedecker
b28e995fc7 libubox: update to latest git HEAD
6eff829 utils: fix build error with g++

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-04-12 14:02:07 +02:00
Felix Fietkau
08ccfdea78 libubox: update to the latest version
42a8ecd jshn: fix format string for int64 type
92009b7 utils: ensure that byte-order conversion functions evaluate the argument only once
ace6489 switch from typeof to the more portable __typeof__

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-07 15:26:11 +02:00
Felix Fietkau
1566dbd57d Revert "libubox: update to the latest version"
This reverts commit def82714d9.
Needs further fixes

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-07 15:06:14 +02:00
Felix Fietkau
def82714d9 libubox: update to the latest version
42a8ecd jshn: fix format string for int64 type
92009b7 utils: ensure that byte-order conversion functions evaluate the argument only once

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-04-07 14:47:56 +02:00
Jo-Philipp Wich
1ef0be3e5b Revert "ncurses: Remove obsolete compile fixes"
This reverts commit 4fb684a755.

The compile fixes are still required for host systems using GCC 5.x,
such as Ubuntu 16.04 LTS.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-04-04 17:08:10 +02:00
Rosen Penev
4fb684a755 ncurses: Remove obsolete compile fixes
It seems both issues (GCC5 and Musl) were fixed at some point. Thus, they can be dropped.

Did not bump version as there is no change in functionality or size.

Compile-tested on ar71xx and mvebu, both with musl.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-04-03 23:26:45 +02:00
Paul Wassi
ef6939b0af package/libs/mbedtls: add package with some mbedtls binaries.
Add some basic binaries required for private key and CSR generation.

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2018-03-31 16:31:26 +02:00
Hauke Mehrtens
2e75914bee mbedtls: update to version 2.8.0
This fixes some minor security problems.

Old size:
162262 bin/packages/mips_24kc/base/libmbedtls_2.7.0-1_mips_24kc.ipk

New size:
163162 bin/packages/mips_24kc/base/libmbedtls_2.8.0-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-03-31 16:30:30 +02:00
Rosen Penev
af35ce1065 ncurses: Update to 6.1.
Compile tested on ar71xx.

Old size:
  6527 bin/packages/mips_24kc/base/terminfo_6.0-1_mips_24kc.ipk
141465 bin/packages/mips_24kc/base/libncurses_6.0-1_mips_24kc.ipk

New size:
  6873 bin/packages/mips_24kc/base/terminfo_6.1-1_mips_24kc.ipk
146950 bin/packages/mips_24kc/base/libncurses_6.1-1_mips_24kc.ipk

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-03-31 16:28:36 +02:00
Rosen Penev
2a82db7ed5 libtool: Update to 2.4.6
Compile tested on mvebu.

old size:
12947 bin/packages/mips_24kc/base/libltdl_2.4-2_mips_24kc.ipk

new size:
13002 bin/packages/mips_24kc/base/libltdl_2.4.6-1_mips_24kc.ipk

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2018-03-31 16:27:24 +02:00
Paul Wassi
db893ec7f0 openssl: update to 1.0.2o
Fixes CVE-2018-0739

Signed-off-by: Paul Wassi <p.wassi@gmx.at>
2018-03-31 10:20:20 +02:00
Felix Fietkau
5f7d134454 libubox: update to the latest version
3aad294 libubox: Plug a small memory leak.
eebe3fc utils: use constant byte-order conversion

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-03-23 20:56:34 +01:00
Hans Dedecker
5cbd22bb0f nghttp2: bump to 1.31.0
6e744662 Update bash_completion
478eac09 Update manual pages
88e2029e Bump up version number to 1.31.0, LT revision to 30:0:16
45d76cf5 nghttpx: Close listening socket on graceful shutdown
54573f28 Merge pull request #1137 from nghttp2/session-set-user-data
17793e99 Add nghttp2_session_set_user_data() public API function
5eac3c90 Update manual pages
e70195ae nghttpx: Update doc
fe51e7fa Merge pull request #1130 from nghttp2/avoid-inet_pton-macro
eb951c2c src: Define nghttp2_inet_pton wrapper to avoid inet_pton macro
39f0ce7c Merge pull request #1126 from nghttp2/nghttpx-expired-client-cert
65157811 Merge pull request #1123 from nghttp2/mruby-client-cert-not-before-after
e8af7afc nghttpx: Add an option to accept expired client certificate
38abfd18 nghttpx: Add mruby tls_client_not_before, and tls_client_not_after
ff3edc09 nghttpx: Fix potential memory leak
0bb15406 Bump up version number to 1.31.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-03-05 10:44:20 +01:00
Matthias Schiffer
05dba65569
libunwind: fix build with musl on PPC
Works around two incompatiblities between glibc and (POSIX-compliant) musl:

- missing register definitions from asm/ptrace.h
- non-POSIX-compliant ucontext_t on PPC32 with glibc

Compile tested on mpc85xx.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2018-02-25 16:58:10 +01:00
Felix Fietkau
8cdc71fc92 libnftnl: backport flowtable support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-02-21 20:12:41 +01:00
Hauke Mehrtens
9f5a4f8a42 mbedtls: activate deprecated functions
Some functions used by a lot of other software was renamed and is only
active when deprecated functions are allowed, deactivate the removal of
deprecated functions for now.

Fixes: 75c5ab4caf ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-16 20:09:34 +01:00
Hauke Mehrtens
75c5ab4caf mbedtls: update to version 2.7.0
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-15 21:58:47 +01:00
Hauke Mehrtens
b6d6e3fdf1 bunwind: build for ARM64
ARM64 is supported by libunwind since some versions, allow building it
for aarch64.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-02-10 20:17:21 +01:00
Hans Dedecker
30d34358a9 libubox: bump to git HEAD version
b0c830 sh/jshn.sh: add json_for_each_item()

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-08 13:14:36 +01:00
Hans Dedecker
ecc347dd6e nghttp2: bump to 1.30.0
f0836c7e Update manual pages
25db178b Bump up version number to 1.30.0, LT revision to 29:2:15
1b6713e6 Update AUTHORS
c1a496cf nghttpx: Fix bug that h1 backend idle timeout expires sooner
e098a211 mruby: Fix bug that response header is unexpectedly overwritten
0ba4bf51 Merge pull request #1120 from dylanplecki/issue-1119-mruby-header-overwrite
6deee203 Fix #1119: Stop overwrite of first header on mruby call to env.req.set_header(..)
6761a933 Merge pull request #1105 from nghttp2/nghttpx-upgrade-scheme
5cc3d159 nghttpx: Add upgrade-scheme parameter to backend option
652f57e7 Merge pull request #1104 from nghttp2/allow-ping-after-goaway
acd6b40e Allow PING frame to be sent after GOAWAY
0fbb46ed Merge pull request #1101 from nghttp2/remember-pushed-links
6ad629de Merge pull request #1102 from nghttp2/fix-missing-alpn-validation
74754982 nghttpx: Fix missing ALPN validation (--npn-list)
a31a2e3b nghttpx: Remember which resource is pushed
a776b0db Merge pull request #1092 from nghttp2/define-103
cfd926f0 src: Define 103 status code
72f52716 Bump up version number to 1.30.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2018-02-04 21:19:51 +01:00
Yousong Zhou
c9c2e4d78d openssl: remove call to now absent clean-staging make target
It's not needed now since commit a621b8c ("include: clean package
staging dir files before configure")

Fixes FS#1309

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-30 14:36:44 +08:00
Julien Dusser
241e6dd3e9 build: cleanup SSP_SUPPORT configure option
Configure variable SSP_SUPPORT is ambiguous for packages (tor, openssh,
avahi, freeswitch). It means 'toolchain supporting SSP', but for toolchain
and depends it means 'build gcc with libssp'.

Musl no longer uses libssp (1877bc9d8f), it has internal support, so
SSP_SUPPORT was disabled leading some package to not use SSP.

No information why Glibc and uClibc use libssp, but they may also provide
their own SSP support. uClibc used it own with commit 933b588e25 but it was
reverted in f3cacb9e84 without details.

Create an new configure GCC_LIBSSP and automatically enable SSP_SUPPORT
if either USE_MUSL or GCC_LIBSSP.

Signed-off-by: Julien Dusser <julien.dusser@free.fr>
2018-01-27 19:02:48 +01:00
Maxim Gorbachyov
8590a5c06d libunwind: enable build for arm
Tested with perf on mvebu.

Signed-off-by: Maxim Gorbachyov <maxim.gorbachyov@gmail.com>
2018-01-27 16:46:45 +01:00
Yousong Zhou
2c50af0cea openssl: tell the build system that we are doing CROSS_COMPILE
So that it will not try to run c_rehash with the just built binaries on
certs/demo.

Fixes openwrt/packages#5432

Reported-by: Val Kulkov <val.kulkov@gmail.com>
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2018-01-26 18:19:00 +08:00
Philip Prindeville
3d8040e04f libnftnl: update to 1.0.9
Also, drop unsupported configure options.

Don't use git retrieve but released tarball instead.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2018-01-20 20:22:01 +01:00
Jo-Philipp Wich
fe920d01bb treewide: replace LEDE_GIT with PROJECT_GIT
Remove LEDE_GIT references in favor to the new name-agnostic
PROJECT_GIT variable.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-10 21:27:32 +01:00
Jo-Philipp Wich
f089b1fda2 libubox: fix package bump
The previous commit was incorrectly rebased and referred to a not
yet existing PROJECT_GIT variable.

Fixes: d86a269c1f libubox: update to latest git HEAD
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-07 16:34:29 +01:00
Jo-Philipp Wich
d86a269c1f libubox: update to latest git HEAD
1c08e80 jshn: properly support JSON "null" type

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-07 16:28:22 +01:00
Jo-Philipp Wich
3f5e39e960 zlib: only enable NEON optimizations on eligible targets
Instead of inferring the availability of NEON support from the target
optimization flags, use a preprocessor test to decide whether to enable
ARMv8 NEON optimizations.

Fixes the following build error spotted by the mediatek/32 buildbot:

    [ 26%] Building C object CMakeFiles/zlib.dir/contrib/arm/inflate.o
    In file included from .../zlib-1.2.11/contrib/arm/chunkcopy.h:10:0,
                     from .../zlib-1.2.11/contrib/arm/inflate.c:87:
    .../arm_neon.h:31:2: error: #error You must enable NEON instructions (e.g. -mfloat-abi=softfp -mfpu=neon) to use arm_neon.h
     #error You must enable NEON instructions (e.g. -mfloat-abi=softfp -mfpu=neon) to use arm_neon.h
      ^
    In file included from .../zlib-1.2.11/contrib/arm/inflate.c:87:0:
    .../zlib-1.2.11/contrib/arm/chunkcopy.h:18:9: error: unknown type name 'uint8x16_t'
     typedef uint8x16_t chunkcopy_chunk_t;
             ^
    [...]
    CMakeFiles/zlib.dir/build.make:302: recipe for target 'CMakeFiles/zlib.dir/contrib/arm/inflate.o' failed

Fixes: 3acecba520 "package/libs/zlib: Add ARM and NEON optimizations"
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-07 12:33:47 +01:00
Kevin Darbyshire-Bryant
b153dbf046 argp-standalone: clean up patch fuzz
Refresh patches to tidy up fuzz.  No functional changes

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2018-01-05 11:59:59 +01:00
Daniel Engberg
cbe71649bc package/libs/zlib: Add host build
Some packages such as Python/Python3 (host pip/pip3) needs this
to compile.

More detailed explanation provided by Alexandru:

"i need the zlib/host for Python/Python3 ; because, it seems the
host pip/pip3 needs this to work ; i suspect in older versions
this worked, because some of the host's build env would be used
in the build, and then the zlib-dev from the host distro would
be used ; now, the host-build does not seem to have any
-I/usr/include stuff, which is good

and it also seems that Python/Python3 does not like it if the
zlib-dev package is too old, so using this zlib/host would be
good for this as well"

Source:
https://github.com/lede-project/source/pull/1329#issuecomment-351055861

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Daniel Engberg
0dd439141d package/libs/zlib: Add option for O3 optimization
Add option to use O3 optimization as not all devices have
space constraints. This option is default using GCC in upstream
but isn't in the CMake makefile for some reason.

Source: https://github.com/madler/zlib/blob/master/configure#L170

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Daniel Engberg
3acecba520 package/libs/zlib: Add ARM and NEON optimizations
This adds two optimizations for ARM:
NEON optimized Adler(-)32 checksum algorithm (ARMv7 and newer NEON CPUs)
ARM(v7+) specific optimization for inflate
I've also connected inflate optimization to the build using the following
source as template.
0397489124 (diff-a62ad2db6c83dbc205d34bb9a8884f16)

Additional info:
https://codereview.chromium.org/2676493007/
https://codereview.chromium.org/2722063002/

Sources:
https://github.com/madler/zlib/pull/251 (only the first commit)
https://github.com/madler/zlib/pull/256

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Daniel Engberg
383e8aeec7 package/libs/zlib: Use toolchain build logic
Use build logic provided by toolchain instead of doing it manually.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-01-02 17:11:12 +01:00
Hans Dedecker
67c1c145f0 nghttp2: bump to 1.29.0
439b9b6c (tag: v1.29.0) Update manual pages
48498452 Bump up version number to v1.29.0, LT revision to 29:1:15
d30f3816 Update manual pages
4d1139f6 Remove SPDY
48f57407 nghttpx: Update doc
c1f14d73 Update manual pages
216f4dad nghttpx: Remove redundant check
a4e27d76 Revert "nghttpx: Use an existing h2 backend connection as much as possible"
2365f12e Fix CMAKE_MODULE_PATH
03f7ec0f nghttpx: Write API request body in temporary file
2056e812 nghttpx: Increase api-max-request-body
1ebb6810 nghttpx: Faster configuration loading with lots of backends
a3ebeeaf nghttpx: Fix crash with --backend-http-proxy-uri option
422ad1be Use NGHTTP2_REFUSED_STREAM for streams which are closed by GOAWAY
97f1735c Bump up version number to 1.29.0

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-12-24 17:06:16 +01:00
Jake Staehle
e80ab48777 libiconv-full: fix compile-time linking error GCC7
LEDE Flyspray Task 1091:
Fix libiconv-full 'undefined reference' compile linker error using GCC7 Musl
Tested with targets x86 (i386 and x86_64)
Addition of CFLAGS "std=gnu89" fixes the linker issues, credit to harrylwc
Issue found with 'minidlna' package, which depends on 'libiconv-full'
Error in compile log:
../lib/.libs/libiconv.so: undefined reference to `aliases_lookup'
../lib/.libs/libiconv.so: undefined reference to `aliases2_lookup'
collect2: error: ld returned 1 exit status
Makefile:64: recipe for target 'iconv_no_i18n' failed

Signed-off-by: Jake Staehle <jacob@staehle.us>
2017-12-19 22:23:42 +01:00
Jo-Philipp Wich
902961c148 wolfssl: update to 3.12.2 (1 CVE)
Update wolfssl to the latest release v3.12.2 and backport an upstream
pending fix for CVE-2017-13099 ("ROBOT vulnerability").

Ref: https://github.com/wolfSSL/wolfssl/pull/1229
Ref: https://robotattack.org/

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-12-12 17:39:52 +01:00
Peter Wagner
55e70c8b72 openssl: update to 1.0.2n
add no-ssl3-method again as 1.0.2n compiles without the ssl3-method(s)

Fixes CVEs: CVE-2017-3737, CVE-2017-3738

Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-12-08 10:47:51 +01:00
Hans Dedecker
0b3087eebf nghttp2: bump to 1.28.0
939ad5dd Update manual pages
24d92b97 Add deprecation warning when spdylay support is enabled
4c92ff18 Bump up version number to 1.28.0, LT revision to 29:0:15
280db5c6 Update neverbleed
7fbcb2d0 Merge pull request #1074 from nghttp2/fix-doc
53aeb2c3 Fix doc
ff200bfc clang-format-5.0
fee3151f Switch to clang-format-5.0
99a85159 Update manual pages
2a981a3f Merge pull request #1066 from nghttp2/nghttpx-add-affinity-cookie-secure
0028275d nghttpx: Add affinity-cookie-secure parameter to backend option
ee8bfddf Merge pull request #1063 from nghttp2/error_callback2
194acb1f src: Use nghttp2_error_callback2
43a2a70a Add nghttp2_error_callback2
73344ae9 nghttpx: Use plain hex string format for client serial
c479f612 Merge pull request #1060 from nghttp2/nghttpx-add-client-serial
eca0a302 nghttpx: Add $tls_client_serial log variable
4720c5cb nghttpx: Make client serial available in mruby script
cd55ab28 nghttpx: Add function to get serial number from certificate
d402cfdf Merge pull request #1057 from nghttp2/nghttpx-add-tls-client-issuer-name
22502182 Add tls_client_issuer_name log variable and expose it to mruby
05e1fd5e Update manual pages
943d7923 Add Session Affinity section to nghttpx howto
568ecbfb doc: Add missing port
f5ddd7f4 nghttpx: Make initial_addr_idx_ unsigned
88abbce7 nghttpx: Fix compile error with gcc
16e90365 nghttpx: Fix affinity retry
fa7945c6 nghttpx: Refactor
daca43f0 nghttpx: Fix stalled backend connection on retry
16bc11e6 nghttpx: Remove duplicated util::make_socket_nodelay
6f7e94cd Merge pull request #1047 from PiotrSikora/go_vet
61efa15a integration: Fix issues reported by the `go vet` tool.
8c0ea56b Merge pull request #1036 from nghttp2/nghttpx-affinity-cookie
54905371 nghttpx: Refactor
6010d393 integration: Add tests
be5c39a1 src: Add tests
b8fda680 nghttpx: Cookie based session affinity
e29b9c12 Merge pull request #1045 from nghttp2/nghttpx-sha1-fingerprint
539e2781 nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
7008afd4 nghttpx: Refactor get_x509_fingerprint to accept hash function
77a41756 Merge pull request #1041 from nghttp2/fix-examples-client-server
b15045d6 Merge pull request #1040 from nghttp2/nghttpx-mruby-add-more-tls-vars
03084f75 examples: Make client and server work with libevent-2.1.8
60baca27 nghttpx: Add more TLS related attributes to mruby Env object
86990db2 Merge pull request #1038 from nghttp2/nghttpx-add-more-logging-vars
cb376bcd nghttpx: Add client fingerprint and subject name to accesslog
f2b8edd1 nghttpx: Fix memory leak
c4f8afcf nghttpx: Get TLS info only when it is necessary when writing accesslog
1a1a216d Merge pull request #1037 from nghttp2/nghttpx-mruby-tls-client-vars
9f80a82c nghttpx: Add client fingerprint and subject name to mruby env
c573c80b nghttpx: Pass a pointer to SSL instead of TLSSessionInfo to LogSpec
3cd6817e Fix typos
d4a69658 Add another warning about mruby
8e06fe49 Fix typo
aaeeec8f Fix typos
66d5e246 Bump up version number to 1.28.0-DEV

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-27 10:12:03 +01:00
Rosen Penev
9052dd6534 libusb-compat: Upgrade to 0.1.15
Compile tested on ramips (mt7621)

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2017-11-22 20:45:28 +01:00
Alexander Couzens
bd1ee909d0 wolfssl: add PKG_CPE_ID ids to package and tools
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-19 02:29:08 +01:00
Daniel Engberg
dca96b7546 openssl: Add optimization option
Add option to optimize for speed instead of size

cmd: openssl speed md5 sha1 sha256 sha512 des des-ede3 aes-128-cbc \
aes-192-cbc aes-256-cbc rsa2048 dsa2048

=== Linksys WRT3200ACM ===

Default optimization:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              14111.49k    47147.75k   123375.02k   206937.09k   258828.97k
sha1             14495.71k    46763.99k   116679.94k   188115.29k   228294.66k
des cbc          22315.63k    23118.98k    23323.14k    23348.22k    23363.58k
des ede3          8085.97k     8217.26k     8255.74k     8266.41k     8273.92k
aes-128 cbc      48740.10k    52606.12k    54224.98k    56263.68k    54774.44k
aes-192 cbc      43410.83k    47325.31k    48994.05k    49377.96k    48532.14k
aes-256 cbc      39132.46k    42512.60k    43692.63k    43997.18k    44070.23k
sha256           19987.80k    47314.69k    86119.08k   109352.28k   119466.67k
sha512            8034.63k    32321.92k    47495.94k    65777.32k    74080.26k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.020387s 0.000528s     49.1   1892.2
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.005920s 0.006396s    168.9    156.3

Optimize for speed (-O3 instead of -Os and disable -DOPENSSL_SMALL_FOOTPRINT):
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5              14655.49k    48561.79k   126953.56k   210741.93k   262430.72k
sha1             14607.90k    47032.15k   117725.87k   188226.22k   228499.46k
des cbc          28041.11k    29586.84k    29939.80k    30047.91k    30067.37k
des ede3         10697.93k    10899.75k    10956.97k    10972.84k    10980.01k
aes-128 cbc      58852.70k    65956.07k    68675.67k    69388.29k    69607.42k
aes-192 cbc      50299.73k    56501.23k    58491.65k    59008.00k    59159.89k
aes-256 cbc      44684.38k    47944.36k    49098.67k    49573.89k    49463.30k
sha256           19673.53k    47248.58k    86775.04k   110053.72k   119382.02k
sha512            8029.67k    32033.02k    47440.04k    65740.12k    74072.06k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.019666s 0.000529s     50.8   1892.0
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.005882s 0.006450s    170.0    155.0

=== D-Link DIR-860L (B1) ===
Default optimization:
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               3376.97k    11654.74k    32966.76k    60016.27k    80729.43k
sha1              2310.95k     6024.87k    11680.32k    15273.93k    16784.07k
des cbc           6787.21k     7014.36k     7072.49k     7088.73k     7092.48k
des ede3          2462.47k     2499.87k     2509.48k     2511.35k     2514.75k
aes-128 cbc      10014.28k    11018.87k    11308.99k    11381.03k    11406.20k
aes-192 cbc       8930.35k     9675.27k     9895.97k     9954.57k     9971.92k
aes-256 cbc       8022.81k     8624.03k     8799.60k     8843.14k     8856.07k
sha256            2546.33k     5542.19k     9326.99k    11249.03k    11969.57k
sha512             877.22k     3503.44k     4856.01k     6554.96k     7299.32k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.109348s 0.003132s      9.1    319.3
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.032745s 0.037212s     30.5     26.9

Optimize for speed (-O3 instead of -Os and disable -DOPENSSL_SMALL_FOOTPRINT):
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
md5               3660.39k    12401.37k    34501.23k    62438.83k    81786.64k
sha1              3500.20k    10730.70k    25056.19k    37715.86k    44253.13k
des cbc           7189.75k     7545.88k     7641.90k     7665.71k     7672.18k
des ede3          2690.64k     2734.33k     2745.24k     2748.13k     2748.81k
aes-128 cbc      11325.29k    12731.75k    13151.34k    13259.95k    13289.55k
aes-192 cbc       9932.36k    10997.65k    11309.84k    11389.53k    11408.92k
aes-256 cbc       8845.13k     9677.01k     9920.30k     9980.77k     9996.42k
sha256            3200.50k     7107.76k    12230.85k    14933.73k    15962.15k
sha512             879.12k     3510.79k     4956.45k     6711.45k     7484.39k
                  sign    verify    sign/s verify/s
rsa 2048 bits 0.085641s 0.002365s     11.7    422.9
                  sign    verify    sign/s verify/s
dsa 2048 bits 0.023881s 0.026120s     41.9     38.3

-O3 is considered safe for OpenSSL
Ref: https://wiki.openssl.org/index.php/Compilation_and_Installation
Tested hardware: Linksys WRT3200ACM / D-Link DIR-860L (B1)

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-11-18 21:01:26 +01:00
Alexander Couzens
c61a239514
add PKG_CPE_ID ids to package and tools
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/

Thanks to swalker for CPE to package mapping and
keep tracking CVEs.

Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-17 02:24:35 +01:00
Felix Fietkau
d5bcd0240a libnl-tiny: use fixed message size instead of using the page size
Simplifies the code and reduces size

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-16 12:54:15 +01:00
Alexander Couzens
6ab4521464
package/elfutils: add CFLAG -Wno-format-nonliteral
When a library is using fortify-packages GCC will complain about
"error: format not a string literal, argument types not checked".

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2017-11-13 01:11:12 +01:00
Peter Wagner
164fe697f7
openssl: update to 1.0.2m
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:

../libssl.so: undefined reference to `SSLv3_client_method'

Fixes CVE: CVE-2017-3735, CVE-2017-3736

Signed-off-by: Peter Wagner <tripolar@gmx.at>
2017-11-12 23:47:11 +01:00
Ralph Sennhauser
f5468d2486 openssl: fix cryptodev config dependency
Signed-off-by: Ralph Sennhauser <ralph.sennhauser@gmail.com>
2017-11-06 16:39:41 +01:00
John Crispin
bd60c9063d bubox: update to latest git HEAD
729f47f jshn: read and write 64-bit integers

Signed-off-by: John Crispin <john@phrozen.org>
2017-11-06 10:06:35 +01:00
Yousong Zhou
f0c37f6ceb libunwind: disable building with ssp
If we enable -fstack-protector while building libunwind, function
__stack_chk_fail_local will be referred to for i386 and powerpc32
arches.  This will cause link failure because the default gcc build
specs says no link_ssp if -nostdlib is given.

The error message:

    OpenWrt-libtool: link: ccache_cc -shared  -fPIC -DPIC  .libs/os-linux.o mi/.libs/init.o mi/.libs/flush_cache.o mi/.libs/mempool.o mi/.libs/strerror.o x86/.libs/is_fpreg.o x86/.libs/regname.o x86/.libs/Los-linux.o mi/.libs/backtrace.o mi/.libs/dyn-cancel.o mi/.libs/dyn-info-list.o mi/.libs/dyn-register.o mi/.libs/Ldyn-extract.o mi/.libs/Lfind_dynamic_proc_info.o mi/.libs/Lget_accessors.o mi/.libs/Lget_proc_info_by_ip.o mi/.libs/Lget_proc_name.o mi/.libs/Lput_dynamic_unwind_info.o mi/.libs/Ldestroy_addr_space.o mi/.libs/Lget_reg.o mi/.libs/Lset_reg.o mi/.libs/Lget_fpreg.o mi/.libs/Lset_fpreg.o mi/.libs/Lset_caching_policy.o x86/.libs/Lcreate_addr_space.o x86/.libs/Lget_save_loc.o x86/.libs/Lglobal.o x86/.libs/Linit.o x86/.libs/Linit_local.o x86/.libs/Linit_remote.o x86/.libs/Lget_proc_info.o x86/.libs/Lregs.o x86/.libs/Lresume.o x86/.libs/Lstep.o x86/.libs/getcontext-linux.o  -Wl,--whole-archive ./.libs/libunwind-dwarf-local.a ./.libs/libunwind-elf32.a -Wl,--no-whole-archive  -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/target-i386_i486_musl-1.1.16/usr/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/target-i386_i486_musl-1.1.16/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/toolchain-i386_i486_gcc-5.4.0_musl-1.1.16/usr/lib -L/var/lib/bbmnt/buildbot/slaves/dave-builder/i386_i486/build/sdk/staging_dir/toolchain-i386_i486_gcc-5.4.0_musl-1.1.16/lib -lc -lgcc  -Os -march=i486 -fstack-protector -Wl,-z -Wl,now -Wl,-z -Wl,relro -nostartfiles -nostdlib   -Wl,-soname -Wl,libunwind.so.8 -o .libs/libunwind.so.8.0.1
    .libs/os-linux.o: In function `_Ux86_get_elf_image':
    os-linux.c:(.text+0x588): undefined reference to `__stack_chk_fail_local'
    x86/.libs/Lregs.o: In function `_ULx86_access_fpreg':
    Lregs.c:(.text+0x25b): undefined reference to `__stack_chk_fail_local'
    x86/.libs/Lresume.o: In function `_ULx86_resume':
    Lresume.c:(.text+0xdc): undefined reference to `__stack_chk_fail_local'
    collect2: error: ld returned 1 exit status
    Makefile:2249: recipe for target 'libunwind.la' failed

The snippet from gcc -dumpspecs

    %{!nostdlib:%{!nodefaultlibs:%(link_ssp) %(link_gcc_c_sequence)}}

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-11-06 10:49:58 +08:00
Felix Fietkau
eb58eba08b uclient: update to the latest version, fixes fetch of multiple files
4b87d83 uclient-fetch: fix overloading of output_file variable

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-11-02 22:54:09 +01:00
Hans Dedecker
f90f94d2c1 nghttp2: switch to release tarball
Switch from git to xz release tarball as there's no good reason to keep
using git when release tarballs are provided.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-11-01 22:08:14 +01:00
Baptiste Jonglez
098afa1e1b openssl: Enable assembler optimizations for aarch64
OpenSSL is built with the generic linux settings for most targets,
including aarch64.  These generic settings are designed for 32-bit CPU and
provide no assembler optmization: this is widely suboptimal for aarch64.

This patch simply switches to the aarch64 settings that are already
available in OpenSSL.

Here is the output of "openssl speed" before the optimization, with
"(...)" representing build flags that didn't change:

    OpenSSL 1.0.2l  25 May 2017
    options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
    compiler: aarch64-openwrt-linux-musl-gcc  (...)

And after this patch, OpenSSL uses 64 bit mode and assembler optimizations:

    OpenSSL 1.0.2l  25 May 2017
    options:bn(64,64) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
    compiler: aarch64-openwrt-linux-musl-gcc  (...)  -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM

Here are some benchmarks on a pine64+ running latest LEDE master r5142-20d363aed3:

    before# openssl speed sha aes blowfish
    The 'numbers' are in 1000s of bytes per second processed.
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1              3918.89k     9982.43k    19148.03k    24933.03k    27325.78k
    sha256            4604.51k    10240.64k    17472.51k    21355.18k    22801.07k
    sha512            3662.19k    14539.41k    21443.16k    29544.11k    33177.60k
    blowfish cbc     16266.63k    16940.86k    17176.92k    17237.33k    17252.35k
    aes-128 cbc      19712.95k    21447.40k    22091.09k    22258.35k    22304.09k
    aes-192 cbc      17680.12k    19064.47k    19572.14k    19703.13k    19737.26k
    aes-256 cbc      15986.67k    17132.48k    17537.28k    17657.17k    17689.26k

    after# openssl speed sha aes blowfish
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1              6770.87k    26172.80k    86878.38k   205649.58k   345978.20k
    sha256           20913.93k    74663.85k   184658.18k   290891.09k   351032.66k
    sha512            7633.10k    30110.14k    50083.24k    71883.43k    82485.25k
    blowfish cbc     16224.93k    16933.55k    17173.76k    17234.94k    17252.35k
    aes-128 cbc      19425.74k    21193.31k    22065.74k    22304.77k    22380.54k
    aes-192 cbc      17452.29k    18883.84k    19536.90k    19741.70k    19800.06k
    aes-256 cbc      15815.89k    17003.01k    17530.03k    17695.40k    17746.60k

For some reason AES and blowfish do not benefit, but SHA performance
improves between 1.7x and 15x.  SHA256 clearly benefits the most from the
optimization (4.5x on small blocks, 15x on large blocks!).

When using EVP (with "openssl speed -evp <algo>"):

    # Before, EVP mode
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1              3824.46k    10049.66k    19170.56k    24947.03k    27325.78k
    sha256            3368.33k     8511.15k    16061.44k    20772.52k    22721.88k
    sha512            2845.23k    11381.57k    19467.69k    28512.26k    33008.30k
    bf-cbc           15146.74k    16623.83k    17092.01k    17211.39k    17249.62k
    aes-128-cbc      17873.03k    20870.61k    21933.65k    22216.36k    22301.35k
    aes-192-cbc      16184.18k    18607.15k    19447.13k    19670.02k    19737.26k
    aes-256-cbc      14774.06k    16757.25k    17457.58k    17639.42k    17686.53k

    # After, EVP mode
    type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
    sha1              7056.97k    27142.10k    89515.86k   209155.41k   347419.99k
    sha256            7745.70k    29750.06k    95341.48k   211001.69k   332376.75k
    sha512            4550.47k    18086.06k    39997.10k    65880.75k    81431.21k
    bf-cbc           15129.20k    16619.03k    17090.56k    17212.76k    17246.89k
    aes-128-cbc      99619.74k   269032.34k   450214.23k   567353.00k   613933.06k
    aes-192-cbc      93180.74k   231017.79k   361766.66k   433671.51k   461731.16k
    aes-256-cbc      89343.23k   209858.58k   310160.04k   362234.88k   380878.85k

Blowfish does not seem to have assembler optimization at all, and SHA
still benefits (between 1.6x and 14.5x) but is generally slower than in
non-EVP mode.

However, AES performance is improved between 5.5x and 27.5x, which is
really impressive!  For aes-128-cbc on large blocks, a core i7-6600U
@2.60GHz is only twice as fast...

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
2017-10-31 10:43:10 +08:00
Hans Dedecker
f6c01306cb nghttp2: bump to 1.27.0
Changes in v1.27.0 :

build: Fixed accidental compiler flags concatenation for MSVC (Patch from LazyHamster) (GH-1029)
build: Reduce libxml2 version requirement to 2.6.26 (Patch from Mike Lothian) (GH-1020)
asio: Support for Windows / MinGW (Patch from Daniel Evers) (GH-1027)
h2load: Print out h2 header fields with --verbose option (GH-1015)
nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only (GH-1016)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-29 23:05:33 +01:00
Stefan Oberhumer
06e41056aa libs/lzo: Reenable unaligned access on ARM, PPC, ...
Due a compiler bug on ARM targets
 ( https://gcc.gnu.org/bugzilla/show_bug.cgi?id=64516 )
unaligned access was disabled on all targets other than i386 and
x86_64 with commit 061319ec3d .

A fix has been added to lzo-2.09 so it is not necessary to disable
unaligned access within the Makefile anymore.

Signed-off-by: Stefan Oberhumer <stefan@obssys.com>
2017-10-24 13:24:04 +02:00
Daniel Engberg
e4b6900fd6 libs/libnl: Update to 3.3.0
Update libnl to 3.3.0
Import patches to fix compilation
Source: https://git.busybox.net/buildroot/tree/package/libnl
Source: https://gitweb.gentoo.org/proj/musl.git/diff/dev-libs/libnl/files/libnl-3.3.0_rc1-musl.patch?id=48d2a287
Use more automatic toolchain logic

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-10-15 00:24:22 +02:00
Stijn Tintel
7695f144eb libnetfilter_conntrack: switch to git
In order to build conntrack-tools from git, a newer version of
libnetfilter_conntrack is required. As 1.0.6 is currently the latest
release, switch to git.

b0a7cf7 include: expose a copy of nf_conntrack_common.h
f68f7b3 conntrack: fix missing break in setobjopt_undo_dnat()
79dac5a conntrack: revert getobjopt_is_nat() condition
b266523 libnetfilter_conntrack: bump version to 1.0.7
e870432 labels: don't crash on NULL labelmap

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-09 16:12:00 +03:00
Stijn Tintel
bcfc39b763 libnetfilter_queue: bump to git HEAD
b39cac7 src: Correct typo in the location of internal.h in #include
58cb066 src: Declare the define visibility attribute together
e84b559 Revert "src: Declare the define visibility attribute together"
003c2b1 examples: set dummy connmark value to show use of NFQA_CT nested attribute
63973da doc: extend the doxygen section about NFQA_CFG_F_GSO
d7f74c7 build: bump version to 1.0.3
3f9eb57 build: bump library release version too
601abd1 doc: Add information about retrieving UID/GID/SECCTX fields

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-09 16:06:06 +03:00
Stijn Tintel
9e9696afc8 treewide: switch git.netfilter.org to HTTPS
As git.netfilter.org seems to support HTTPS, use that instead of HTTP
which is insecure, or GIT which is blocked on many corporate networks.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-10-08 21:10:36 +03:00
Hans Dedecker
0e265dc0c7 nghttp2: add libnghttp2 package
The nghttp2 library is an implementation of the Hypertext Transfer
Protocol version 2 in C; it supports RFC7540 and RFC7541.
The package enables only the reusable C library; binary size is 130K (X86)

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-07 19:17:44 +02:00
Hans Dedecker
470b13975d libubox: bump to git HEAD version
632688e utils: nuke bitfield functions and macros
f714be1 uloop: make SIGCHLD signal handling optional

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-10-04 21:29:00 +02:00
Hans Dedecker
47f3645930 libubox: fix uloop race condition
7a10576 uloop: Fix race condition in SIGCHLD handling

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-09-21 23:03:36 +02:00
Alexandru Ardelean
7bc80364b7 libs/wolfssl: bump to version 3.12.0 ; add myself as maintainer
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Alexandru Ardelean
41706d05b9 libs/wolfssl: adjust symbol defaults against libwolfssl defaults
Some symbols have been renamed.
Some are default enabled/disabled, so we need
to adjust semantics against that.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Alexandru Ardelean
8334a23679 libs/wolfssl: disable hardening check in settings.h
This seems to cause a false-positive warning/error
while building `libwebsockets-cyassl`.

```
make[6]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1'
make[6]: Entering directory '/home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1'
[  2%] Building C object CMakeFiles/websockets.dir/lib/base64-decode.c.o
In file included from /home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/wolfssl/ssl.h:31:0,
                 from /home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/cyassl/ssl.h:33,
                 from /home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/cyassl/openssl/ssl.h:30,
                 from /home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1/lib/private-libwebsockets.h:256,
                 from /home/sandu/work/lede/build_dir/target-x86_64_musl/libwebsockets-cyassl/libwebsockets-2.2.1/lib/base64-decode.c:43:
/home/sandu/work/lede/staging_dir/target-x86_64_musl/usr/include/wolfssl/wolfcrypt/settings.h:1642:14: error: #warning "For timing resistance / side-channel attack prevention consider using harden options" [-Werror=cpp]
             #warning "For timing resistance / side-channel attack prevention consider using harden options"

```

Hardening is enabled by default in libwolfssl at build-time.

However, the `settings.h` header is exported (along with other headers)
for build (via Build/InstallDev).

This looks like a small bug/issue with wolfssl.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Alexandru Ardelean
d03c23c8d4 cyassl,curl,libustream-ssl: rename every cyassl to wolfssl
This is to eliminate any ambiguity about the cyassl/wolfssl lib.

The rename happened some time ago (~3+ years).
As time goes by, people will start to forget cyassl and
start to get confused about the wolfSSL vs cyassl thing.

It's a good idea to keep up with the times (moving forward).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Alexandru Ardelean
560b7334ec libs/wolfssl: add libcysassl to PROVIDES field (for backwards compat)
Until other packages from feeds decide to rename the
dependency of `+libcyassl` to `+libwolfssl`, this allows
for a bit of backwards compatibility with those packages.

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Kevin Darbyshire-Bryant
69ac637fbb mbedtls: update to 2.6.0 CVE-2017-14032
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
2017-09-11 01:56:14 +02:00
Matthias Schiffer
f12a5b8f6d
uclient: update to 2017-09-06
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-09-06 15:46:03 +02:00
Lucian Cristian
b90fb5ffe1 openssl: update to version 1.0.2l
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
2017-07-28 23:07:17 +02:00
Stijn Tintel
462ca4e059 zlib: use default Build/Configure rule
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-07-14 08:45:55 +02:00
Stijn Tintel
b3cba687a4 lzo: use default Build/Configure rule
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-07-14 08:45:40 +02:00
Daniel Golle
2be603783b ncurses: add libnucrses-dev package
It's needed to use the SDK and IB on an OpenWrt/LEDE host.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-07-08 23:19:31 +02:00
Magnus Kroken
329f6a96b7 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:56:07 +02:00
Daniel Golle
04063820e8 libreadline: add host-build
Also make sure that the PKG_NAME and folder name are equal.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2017-06-24 14:38:14 +02:00
Yousong Zhou
77dc6a2ae7 libunwind: update to version 1.2.1
Changes since 1.2

    a77b0cd Bump version to v1.2.1
    5f354cb mips/tilegx: Add missing unwind_i.h header file
    620d1c3 Add aarch64 getcontext functionality.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-06-19 14:43:09 +08:00
Felix Fietkau
98634205fd libubox: update to the latest version, fixes a runqueue use-after-free bug
7237302 md5: add "const" qualifier to the "file" argument
fa9937c json_script: enable custom expr handler callback
368fd26 uloop: allow specifying a timeout for uloop_run()
6a7fb7d runqueue: fix use-after-free bug
4bc3dec uloop: fix a regression in timeout handling
fd57eea uloop: allow passing 0 as timeout to uloop_run

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-06-17 11:51:41 +02:00
Florian Fainelli
484f768dfa elfutils: Pass -Wno-unused-result to silence warnings as errors
elfutils turns on -Werror by default, and patch 100-musl-compat.patch
changes how strerror_r is used and we no longer use the function's
return value. This causes the following build error/warning to occur
with glibc-based toolchains:

dwfl_error.c: In function 'dwfl_errmsg':
dwfl_error.c:158:18: error: ignoring return value of 'strerror_r',
declared with attribute warn_unused_result [-Werror=unused-result]
       strerror_r (error & 0xffff, s, sizeof(s));
                  ^
cc1: all warnings being treated as errors

Fixing this would be tricky as there are two possible signatures for
strerror_r (XSI and GNU), just turn off unused-result warnings instead.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-26 15:42:03 -07:00
Felix Fietkau
e6d4235ae5 json-c: disable implicit fallthrough warning (gcc 7)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-05-25 19:01:07 +02:00
Yousong Zhou
5d48dc1146 libunwind: update to 1.2
Addresses CVE-2015-3239: Off-by-one error in the dwarf_to_unw_regnum
function in include/dwarf_i.h in libunwind 1.1 allows local users to
have unspecified impact via invalid dwarf opcodes.

Upstream stable-v1.2 fixed the missing unwind_i.h issue but no new
tarball is released yet

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2017-05-22 11:07:40 +08:00
Luiz Angelo Daros de Luca
ccc54b2935 elfutils: bump to 0.169
Removed patches (now upstream):
- 004-maybe-uninitialized.patch
- 007-fix_TEMP_FAILURE_RETRY.patch

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2017-05-18 07:59:56 +02:00
Daniel Engberg
74395d97a9 libs/libnftnl: Update to 1.0.7
Update libnftnl to 1.0.7

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-05-16 17:22:58 +02:00
Florian Fainelli
c258bc781f toolchain: Package libgomp
Some external toolchains may be configured to enable OpenMP. Provide a
package for these libraries which can be used by other packages.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-05-11 13:42:55 -07:00
Daniel Engberg
7dc2a581b9 libs/libpcap: Rework URLs
Add mirror and use main site as last resort.
Source: http://www.tcpdump.org/mirrors.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-22 09:16:23 +01:00
Daniel Engberg
480a6aec98 libs/openssl: Refresh mirror list
Refresh mirror list, some doesn't offer OpenSSL and add main site as last resort.
Source: https://www.openssl.org/source/mirror.html

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-22 09:16:23 +01:00
Daniel Engberg
cc5721c3b8 lzo: Update to 2.10
Update lzo to 2.10

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-20 08:25:49 +01:00
Alexey Brodkin
51d9ac61c7 libnl: Fix building with uClibc
uClibc doesn't implement strerror_l() and thus libnl starting from
3.2.29 couldn't be compiled with it any longer, see
6c2d111177

To work-around that problem we'll just do a check on strerror_l()
availability during configuration and if it's not there just fall back
to locale-less strerror().

Patch for libnl is alreadfy merged upstream, see
e15966ac7f
and once the next libnl release happens this one must be removed from
Lede/OpenWrt.

Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: John Crispin <john@phrozen.org>
Cc: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-03-16 11:28:28 +01:00
Hauke Mehrtens
b6a8b43dd2 toolchain: add musl libc.so to external toolchain
musl provides a /lib/libc.so file which should be integrated into the libc
package when the external toolchain with musl is used.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2017-03-15 22:31:11 +01:00
Hauke Mehrtens
7b52278154 mbedtls: update to version 2.4.2
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-03-13 20:04:32 +01:00
Florian Fainelli
7f0c95a7df toolchain: Allow external toolchains to specify libthread-db
We need to let external toolchains be able to specify the path and
specification file to the libthread-db POSIX thread debugging shared
libraries.

This fixes GDB not being able to be installed because it is depending on
libthread-db:

Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies
 * for gdb:
 *      libthread-db *
 * opkg_install_cmd: Cannot install package gdb.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-03-04 11:19:56 -08:00
Florian Fainelli
9e740fa5a5 openssl: Use mkhash for STAMP_CONFIGURED
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.

Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,

Fixes #572

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-03-01 17:19:52 -08:00
Ted Hess
23dff07148 libubox: Update to latest version
9d6305a utils: Change calloc_a() to return size_t aligned pointers

Signed-off-by: Ted Hess <thess@kitschensync.net>
2017-02-24 15:32:47 -05:00
Martin Schiller
fdfde3eb21 libpcap: add optional netfilter support
This is needed to use the nflog interface with tcpdump

Signed-off-by: Martin Schiller <mschiller@tdt.de>
2017-02-22 22:52:30 +01:00
Felix Fietkau
7df0069bb5 mbedtls: add --function-sections and --data-sections to CFLAGS
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-21 16:05:03 +01:00
Felix Fietkau
315498c163 libubox: fix host build on macOS
Use the defaults instead of a custom non-portable Host/Install section

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-20 14:57:20 +01:00
Jo-Philipp Wich
84ceca5148 libubox: add host build
Our opkg fork requires libubox to build, so add a host build for it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-02-19 19:08:46 +01:00
Felix Fietkau
6c44ac286b libpcap: remove feature dependencies on kmod-* packages
USB support could be built into the kernel as well

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-17 14:09:21 +01:00
Alexey Brodkin
a3408a5271 toolchain/uclibc: Bump version to 1.0.22
Important change was made in 1.0.18: all sub-libs were merged
in one and only libc similarly to musl.

See [1] for more details.

To support that we had to remove refences to those sub-libs like
libpthread, libcrypt, libdl, libm, libutil etc.

[1] http://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=29ff9055c80efe77a7130767a9fcb3ab8c67e8ce

Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
2017-02-11 15:38:39 +01:00
Ben Kelly
da0b9110fc uclibc++: patch bugfix erase() on derived __base_associative
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.

Example code to reproduce:

	typedef std::multimap<int, int> testmap;
	testmap t;
	t.insert(std::pair<int, int>(1, 1));
	t.insert(std::pair<int, int>(2, 1));
	t.insert(std::pair<int, int>(3, 1));
	t.erase(t.begin(), t.end());

Signed-off-by: Ben Kelly <ben@benjii.net>
2017-02-09 12:26:55 +01:00
Felix Fietkau
da93c15fd2 libubox: update to the latest version
Adds the following changes:

de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-04 10:19:15 +01:00
Florian Fainelli
200d932322 toolchain: Broaden the executable loader pattern
Some toolchains will produce executables with an interpreter that is e.g:
ld.so.1 (typically a symbolic link). Due to our current LIBC_SPEC_FILE value,
we would not be able to copy this symbolic link/file over to the rootfs and
executables would fail to load. Extend the search pattern to include all
ld*.so* files that could be needed.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-01-29 11:51:02 -08:00
Hauke Mehrtens
12db207e9b openssl: update to version 1.0.2k
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-27 23:38:17 +01:00
Jo-Philipp Wich
f798776188 libtool: don't clobber host libtool infrastructure
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.

By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:

    libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`

Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-01-22 00:40:38 +01:00
Matthias Schiffer
421a6d314a
gettext-full: fix to use $STAGING_DIR_HOSTPKG instead of $STAGING_DIR/host
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-19 00:05:10 +01:00
Daniel Engberg
da5d060ac9 zlib: Update to 1.2.11
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback

Note: SF doesn't carry the 1.2.11 update yet.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2017-01-16 19:52:07 +01:00
Domagoj Pintaric
b5b83706be mbedtls: add static files in staging_dir
Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
2017-01-16 11:41:54 +01:00
Matthias Schiffer
0d8381aea3
ncurses: revert $(STAGING_DIR_HOSTPKG) to $(STAGING_DIR)/host where appropriate
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2017-01-14 18:58:44 +01:00
Felix Fietkau
bd68ddbda4 polarssl: remove package
The mbedTLS 1.3 branch has been EOL since end of 2016 and now all
remaining users have been converted.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-13 12:08:08 +01:00