Commit Graph

1189 Commits

Author SHA1 Message Date
Nick Hainke
2091a76d34 libusb: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:36:38 +01:00
Nick Hainke
f9a502c721 libcap: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:34:52 +01:00
Nick Hainke
e7661c64c3 nettle: add PKG_CPE_ID
Add CPE ID for tracking CVEs.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 16:34:26 +01:00
Ivan Pavlov
3d88f26d74 wolfssl: bump to 5.5.0
Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch

Some low severity vulnerabilities fixed
OpenVPN compatibility fixed (broken in 5.4.0)
Other fixes && improvements

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2022-09-02 21:56:25 +02:00
Nick Hainke
bae87942bc nettle: update to 3.8.1
Release Notes:
https://lists.gnu.org/archive/html/info-gnu/2022-07/msg00010.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-31 23:25:39 +02:00
Nick Hainke
f15137c455 readline: update to 8.1.2
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-31 23:25:39 +02:00
Hauke Mehrtens
05df135cac wolfssl: Rebuild when libwolfssl-benchmark gets changes
This forces a rebuild of the wolfssl package when the
libwolfssl-benchmark OpenWrt package gets activated or deactivated.
Without this change the wolfssl build will fail when it compiled without
libwolfssl-benchmark before and it gets activated for the next build.

Fixes: 18fd12edb8 ("wolfssl: add benchmark utility")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-28 21:42:26 +02:00
Nick Hainke
85c0cef461 popt: update to 1.18
Changes from popt 1.16:
- fix an ugly and ancient security issue with popt failing to drop privileges on alias exec from a SUID/SGID program
- perform rudimentary sanity checks when reading in popt config files
- collect accumulated misc fixes (memleaks etc) from distros
- convert translations to utf-8 encoding
- convert old postscript documentation to pdf
- dust off ten years worth of autotools sediment
- reorganize and clean up the source tree for clarity
- remove the obnoxious splint annotations from the sources

Switch to new mirror:
http://ftp.rpm.org/popt/releases/

Switch URL to:
https://github.com/rpm-software-management/popt

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Nick Hainke
ce28f303e8 libnftnl: update to 1.2.3
Changes:
817c8b6 build: libnftnl 1.2.3 release
84d12cf build: fix clang+glibc snprintf substitution error

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-28 18:29:10 +02:00
Hauke Mehrtens
f3870546a5 mbedtls: update to version 2.28.1
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.

The build problem was reported upstream:
https://github.com/Mbed-TLS/mbedtls/issues/6243

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-08-28 12:37:54 +02:00
Petr Štetiar
f443e9de70 zlib: backport null dereference fix
The curl developers found test case that crashed in their testing when
using zlib patched against CVE-2022-37434, same patch we've backported
in commit 7df6795d4c ("zlib: backport fix for heap-based buffer
over-read (CVE-2022-37434)"). So we need to backport following patch in
order to fix issue introduced in that previous CVE-2022-37434 fix.

References: https://github.com/curl/curl/issues/9271
Fixes: 7df6795d4c ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-08-09 08:08:08 +02:00
Jo-Philipp Wich
737671bcce jansson: revert ABI version bump
The soversion of the shipped libjansson.so library didn't change, so the
ABI version change is unwarranted and leads to opkg file clashes.

Also stop shipping an unversioned library symlink while we're at it as
it only needed at compile/link time and leading to file level clashes
between packages on future ABI bumps.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-08-09 00:20:09 +02:00
Nick Hainke
6d84e78cd9 libtracefs: add Linux kernel trace file system library
Needed by trace-cmd.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-06 19:58:46 +02:00
Nick Hainke
b108810601 libtraceevent: add Linux kernel trace event library
Needed by trace-cmd.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-06 19:58:46 +02:00
Nick Hainke
0cb1ce9748 elfutils: update to 0.187
Changes:
debuginfod: Support -C option for connection thread pooling.

debuginfod-client: Negative cache file are now zero sized instead of
                   no-permission files.

addr2line: The -A, --absolute option, which shows file names including
           the full compilation directory is now the default.  To get the
           old behavior use the new option --relative.

readelf, elflint: Recognize FDO Packaging Metadata ELF notes

libdw, debuginfo-client: Load libcurl lazily only when files need to
                         be fetched remotely. libcurl is now never
                         loaded when DEBUGINFOD_URLS is unset. And when
                         DEBUGINFOD_URLS is set, libcurl is only loaded
                         when the debuginfod_begin function is called.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-08-06 19:58:46 +02:00
Petr Štetiar
7df6795d4c zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
in inflate in inflate.c via a large gzip header extra field. NOTE: only
applications that call inflateGetHeader are affected. Some common
applications bundle the affected zlib source code but may be unable to
call inflateGetHeader.

Fixes: CVE-2022-37434
References: https://github.com/ivd38/zlib_overflow
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-08-06 15:00:08 +02:00
Mark Mentovai
beeb49740b libmnl: fix build when bash is not located at /bin/bash
This fixes the libmnl build on macOS, which ships with an outdated bash
at /bin/bash. During the OpenWrt build, a modern host bash is built and
made available at staging_dir/host/bin/bash, which is present before
/bin/bash in the build's PATH.

This is similar to 8f7ce3aa6d, presently appearing at
package/kernel/mac80211/patches/build/001-fix_build.patch.

Signed-off-by: Mark Mentovai <mark@mentovai.com>
2022-07-31 20:30:20 +02:00
Boris Krasnovskiy
d94c94d795 ustream-ssl: prevent unused crypto lib dependencies from being compiled
Prevented unused crypto lib dependencies from being compiled

Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
2022-07-31 00:11:21 +02:00
John Audia
c2aa816f28 wolfssl: fix math library build
Apply upstream patch[1] to fix breakage around math libraries.
This can likely be removed when 5.5.0-stable is tagged and released.

Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B

1. https://github.com/wolfSSL/wolfssl/pull/5390

Signed-off-by: John Audia <therealgraysky@proton.me>
2022-07-31 00:11:21 +02:00
Nick Hainke
7455457893 libcap: update to 2.65
Changes:
a47d86d Up the release version to 2.65
fc99e56 Include more signatures in pgp.keys.asc.
52288cc Close out this comment in the go/Makefile
eb0f1df Prevent 'capsh --user=xxx --' from generating a bash error.
9a95791 Improve documentation for cap_get_pid and cap_reset_ambient.
21d08b0 Fix syntax error in DEBUG protected setcap.c code.
9425048 More useful captree usage string and man page.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-30 23:50:44 +02:00
Nick Hainke
97daddffd0 libcap: update to 2.64
Changes:
38cfa2e Up the release version to 2.64
7617af6 Avoid a deadlock in forked psx thread exit.
fc029cb Include LIBCAP_{MAJOR,MINOR} #define's in sys/capability.h
ceaa591 Clarify how the cap_get_pid() argument is interpreted.
15cacf2 Fix prctl return code/errno handling in libcap.
aae9374 Be explicit about CGO_ENABLED=1 for compare-cap build.
66a8a14 psx: free allocated memory at exit.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-30 23:50:44 +02:00
Jo-Philipp Wich
0063e3421d wolfssl: make shared again
Disable the usage of target specific CPU crypto instructions by default
to allow the package being shared again. Since WolfSSL does not offer
a stable ABI or a long term support version suitable for OpenWrt release
timeframes, we're forced to frequently update it which is greatly
complicated by the package being nonshared.

People who want or need CPU crypto instruction support can enable it in
menuconfig while building custom images for the few platforms that support
them.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-07-30 12:21:54 +02:00
Hauke Mehrtens
d1b5d17d03 wolfssl: Do not activate HW acceleration on armvirt by default
The armvirt target is also used to run OpenWrt in lxc on other targets
like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the
wolfssl binray is only working when the CPU supports the hardware crypto
extension.

Some targets like the Raspberry Pi do not support the ARM CPU crypto
extension, compile wolfssl without it by default. It is still possible
to activate it in custom builds.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-07-20 17:02:45 +02:00
Rosen Penev
5ad67cc513 libiconv-full: add host build
Now that libiconv-stub is gone, a replacement for its host build is
needed.

Fixes: c0ba4201f8 ("libiconv-stub: remove")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-07-17 14:21:03 +02:00
Rosen Penev
5dca7d7015 mbedtls: build with PIC
Fixes compilation with GCC12 and dependent packages for some reason.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-07-17 13:43:48 +02:00
Eneas U de Queiroz
9710fe70a6
wolfssl: bump to 5.4.0
This version fixes two vulnerabilities:
-CVE-2022-34293[high]: Potential for DTLS DoS attack
-[medium]: Ciphertext side channel attack on ECC and DH operations.

The patch fixing x86 aesni build has been merged upstream.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-07-16 22:22:40 +02:00
Rosen Penev
c0ba4201f8 libiconv-stub: remove
No longer used.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-07-15 15:21:44 +02:00
Nick Hainke
ad0733a7f0 libtool: update to 2.4.7
Changes:
6d7ce133 version 2.4.7
b4a37606 NEWS: roll-back manually filled NEWS versioning
33615a45 NEWS: fill entries for past commits
f5eb6f11 libltdl: bump libltdl.la version-info.
28fbcb6a libtool: correct linter syntax complaints in M4
7e69e441 gnulib: update submodule to new repository.
2dc7dad7 maint: update copyrights across project.
b55b1cc8 libtool: Do not pass '-pthread' to Solaris linker.
960a33e4 docs: manually recording dependencies in Automake
78652682 tests: remove deprecated old-ltdl-iface.at test.
f51eddf0 * libtool: Bump M4 serial versions and add missing AC_PROG_SED to ltdl.m4
ccc878dd libtool: replace raw invocations of sed with $SED
5df7dd49 libtool: add support for MidnightBSD
8f4bdbda libtool: powerpc 10.5 detection without a deployment target
9e8c8825 libtool: support macOS 11
0904164d libtool: correct m4 quoting in sed expression
da2e3527 libtool: replace some references to /usr/bin/file and /bin/sh
1b74d784 libtool: Add -Wa,* link-mode flag for assembler pass-thru
86d71e86 libtool: Pass -Xassembler flag and arguments to compiler
fc7779d7 maint: update Bootstrap git module
0c1bc69d maint: update copyrights across project.
28fb394f maint: update AUTHORS, copyright date.
b9b44533 bootstrap: use $gnulib_clone_since
544fc0e2 maint: update bootstrap, gnulib, copyright dates
b88cebd5 maint: update bootstrap, gnulib, copyright dates
99bd0948 libtool: add icl.exe support
6ca5e224 docs: typo in 'win32-dll' description
1bfb11a4 libtool: quote 'cd' command in shipped relink_command
722b6af0 doc: fix typos in --mode=install invocations
350082b6 libtool: exit verbosely for fatal configure problems
792b6807 maint: update copyright years
f003a1f9 libltdl: handle ENOMEM in lt_dlloader_remove()
08c5524f bootstrap: use the upstream repo as git module
a938703c libtool: set file_list_spec to '@' on OS/2
f10e22c2 tests: fix $objdir hardcoding check with CFLAGS=-g3
f9970d99 libtool: pass through -fuse-ld flags
d7c8d3b4 m4/libtool.m4: FreeBSD elftoolchain strip support
807cbd63 libtoolize: exec automake and autoconf only with --help
40bc0628 edit-readme-alpha: generate the "stable" README properly
b89a47ea maint: fix for 'make sc_immutable_NEWS' hints
bb8e7b4a maint: update copyright years
b5d44b84 libltdl: handle ENOMEM sooner
5944fdcc gl: minor typo fixes
49856679 gl-tests: dash && option-parser test fix
a5c64665 libtool: fix GCC/clang linking with -fsanitize=*
ae816ace gl-tests: make the failure more readable
d15b3214 m4/libtool.m4: export AIX TLS symbols
aabc46ac gl/tests: new tests for options-parser
dc8bd92d gl/funclib.sh: func_quotefast_eval & tilde fix
a3c6e99c syntax-check: fix sed syntax errors
f323f10d gl/tests: new tests for func_quote* family
ed4f739f check: enable gnulib's testsuite
9187e9a2 funclib: refactor quoting methods a bit
16dbc070 libtool: optimizing options-parser hooks
32f0df98 libtool: mitigate the $sed_quote_subst slowdown
b7b6ec33 gnulib: sync with upstream
5859cc50 maint: relax 'sc_prohibit_test_dollar' check
418129bc ARFLAGS: use 'cr' instead of 'cru' by default
4335de1d libool.m4: add ARFLAGS variable
0f842177 maint: put newline after 'Subject' in ChangeLog
03ec5f49 gnulib: sync with upstream
351a88fe libtoolize: fix infinite recursion in m4
de7b2cb2 bootstrap: fix race in temporary Makefile
702a97fb libtool: fix GCC linking with -specs=*
4ff16210 maint: demote myself from maintainer to former maintainer.
c12d38e4 maint: post-release administrivia

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
ccfb736c23 libusb: update to 1.0.26
Add libatomic as dependency.

Changelog:
2022-04-10: v1.0.26
* Fix regression with transfer free's after closing device
* Fix regression with destroyed context if API is misused
* Workaround for applications using missing default context
* Fix hotplog enumeration regression
* Fix Windows isochronous transfer regression since 1.0.24
* Fix macOS exit crash in some multi-context cases
* Build fixes for various platforms and configurations
* Fix Windows HID multi-interface product string retrieval
* Update isochronous OUT packet actual lengths on Windows
* Add interface bound checking for broken devices
* Add umockdev tests on Linux

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
d858511723 libusb: update to 1.0.25
Remove upstreamed patche:
- 001-Correct-a-typo-in-the-Changelog-and-clean-up-a-stray.patch
- 002-linux_usbfs-Fix-parsing-of-descriptors-for-multi-con.patch

Changelog:
2022-01-31: v1.0.25
* Linux: Fix regression with some particular devices
* Linux: Fix regression with libusb_handle_events_timeout_completed()
* Linux: Fix regression with cpu usage in libusb_bulk_transfer
* Darwin (macOS): Add support for detaching kernel drivers with authorization.
* Darwin (macOS): Do not drop partial data on timeout.
* Darwin (macOS): Silence pipe error in set_interface_alt_setting().
* Windows: Fix HID backend missing byte
* Windows: Fix segfault with libusbk driver
* Windows: Fix regression when using libusb0 driver
* Windows: Support LIBUSB_TRANSFER_ADD_ZERO_PACKET on winusb
* New NO_DEVICE_DISCOVERY option replaces WEAK_AUTHORITY option
* Various other bug fixes and improvements

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
5ab22c8b99 jansson: update to 2.14
Changes (2021-09-09):
* New Features:
  - Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
    corresponding `nocheck` functions.
* Fixes:
  - Handle `sprintf` corner cases
* Build:
  - Symbol versioning for all exported symbols
  - Fix compiler warnings
* Documentation:
  - Small fixes
  - Sphinx 3 compatibility

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Nick Hainke
59610c214b jansson: cleanup and switch to codeload.github.com
- Rearrange Makefile.
- Switch to codeload.github.com because it looks like new version are
  not longer deployed at www.digip.org

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 19:07:47 +02:00
Jianhui Zhao
6902af4f30 libpcap: fix PKG_CONFIG_DEPENDS for rpcapd
This fix allows trigger a rerun of Build/Configure when
rpcapd was selected.

Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
2022-07-10 18:11:36 +02:00
Nick Hainke
0af4a26918 libnl: update to 3.7.0
Changes:
1bb4162 libnl-3.7.0 release
897ec9c route: act: Allow full set of actions on gact,skbedit,mirred
00e46f1 Use print() function in both Python 2 and Python 3
083c1b6 sriov: fix setting ce_mask when parsing VF stat counter
2e9a4f7 Fix typos and errors
cc87ad2 changelog: update URL to git history
bde0b4c changelog: fix typos in ChangeLog
44988e6 route: format recently added code with clang-format
df6e38b route/act: add NAT action
7304c42 route: format recently added code with clang-format
f8eb218 cls: flower: extend flower API
e5dc111 flower: use correct attribute when filling out flags
df6058c tests: merge branch 'th/test-link'
9772c1d tests: add unit tests for creating links
4713b76 github: run unit tests several times and directly
8025547 github: export NLTST_SEED_RAND= to randomize unit tests
7efeca2 tests: add test utils
f6f4d36 tests: reformat unit test files with clang-format
135a706 utils: add _NL_AUTO_DEFINE_FCN_STRUCT() macro
0ea11be utils: add _nl_thread_local macro
9b04936 route: fix crash caused by parse_multipath() by wrong free()
2effffe route/link: Set the cache ops when cloning a link
5ecd56c route/link: add lock around rtnl_link_af_ops_put()
e1a077a route/link: avoid accessing af_ops after af_free() in rtnl_link_set_family()
3f4f1dd xfrm/sa: fix reference counters of sa selector addresses
d3c783f all: merge branch 'th/coverity-fixes'
23a75c5 xfrm: fix uninitalized variables in build_xfrm_ae_message()
d52dbcb route: fix check for NULL in nh_encap_dump()
1f61096 route/qdisc/mqprio: fix bufferoverflow and argument checking in rtnl_qdisc_mqprio_set_*()
f918c3a route/sriov: fix buffer overflow in rtnl_link_sriov_parse_vflist()
d4c7972 all: fix "-Wformat" warnings for nl_dump*()
6b2f238 netlink/utils.h: mark nl_dump() with __attribute__((format(printf,a,b)))
d3bd278 netlink/utils.h: add internal _nl_attribute_printf macro for public headers
a30b26d socket: workaround undefined behavior coverity warning in generate_local_port()
8acf6d5 nl-pktloc-lookup: fix buffer overflow when printing alignment
bf3585f route/link/sriov: fix initializing vlans in rtnl_link_sriov_clone()
dd06d22 route/qdisc/netem: fix bogus "%" in format string netem_dump_details()
f50a802 route/u32: fix u32_dump_details() to print data
fa79ee3 link/vrf: avoid coverity warning in rtnl_link_vrf_set_tableid() about CONSTANT_EXPRESSION_RESULT
31380f8 utils: suppress coverity warning in nl_cli_load_module() about leaked handle
aa398b5 route/ip6vti,ip6gre: fix printing invalid data in ip6{vti,gre}_dump_details()
40683cc netlink/private: add internal helper utils
6615dc0 route/link: workaround coverity warning about leak in rtnl_link_set_type()
ff5ef61 all: avoid coverity warnings about assigning variable but not using it
f58a3c0 route/mdb: check parser error in mdb_msg_parser() for nested MDBA_MDB attribute
46506d3 route/mdb: add and use rtnl_mdb_entry_free() internal helper method
46e85d2 route/mdb: fix leak in mdb_msg_parser()
b0641dd route/mdb: add _nl_auto_rtnl_mdb cleanup macro
d544105 route/mdb: fix buffer overflow in mdb_msg_parser()
4d12b63 tests: silently ignore EACCES for setting uid_map for test namespace
ec712a4 tests: cleanup unshare_user() and use _nltst_fclose()
85e3c5d tests: add _assert_nltst_netns() helper
39e4d8d github: test out-of-tree build and "--disable-static"
d63e473 github: build documentation in CI test
fa7f97f build: avoid building check-direct with --disable-static
8c741a7 tools: fix aborting on failure in "tools/build_release.sh" script
e2aa409 doc: fix markup error in "doc/route.txt"
4f3b4f9 doc: fix python2-ism in "doc/resolve-asciidoc-refs.py"

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-10 17:55:50 +02:00
Eneas U de Queiroz
639419ec4f
wolfssl: re-enable AES-NI by default for x86_64
Apply an upstream patch that removes unnecessary CFLAGs, avoiding
generation of incompatible code.

Commit 0bd5367233 is reverted so the
accelerated version builds by default on x86_64.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-07-08 01:39:34 +02:00
Dustin Lundquist
3899f68b54 openssl: bump to 1.1.1q
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]

  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
     implementation would not encrypt the entirety of the data under some
     circumstances.  This could reveal sixteen bytes of data that was
     preexisting in the memory that wasn't written.  In the special case of
     "in place" encryption, sixteen bytes of the plaintext would be revealed.

     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
     they are both unaffected.
     (CVE-2022-2097)
     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]

Signed-off-by: Dustin Lundquist <dustin@null-ptr.net>
2022-07-07 21:22:36 +02:00
Pascal Ernster
21825af2da
wolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DH
Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is
enabled, resulting in an "Anonymous suite requires DH" error when trying
to compile wolfssl.

Signed-off-by: Pascal Ernster <git@hardfalcon.net>
Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-07-06 15:04:26 +02:00
Andre Heider
eb7d2abbf0 openssl: bump to 1.1.1p
Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

  *) In addition to the c_rehash shell command injection identified in
     CVE-2022-1292, further bugs where the c_rehash script does not
     properly sanitise shell metacharacters to prevent command injection have been
     fixed.

     When the CVE-2022-1292 was fixed it was not discovered that there
     are other places in the script where the file names of certificates
     being hashed were possibly passed to a command executed through the shell.

     This script is distributed by some operating systems in a manner where
     it is automatically executed.  On such operating systems, an attacker
     could execute arbitrary commands with the privileges of the script.

     Use of the c_rehash script is considered obsolete and should be replaced
     by the OpenSSL rehash command line tool.
     (CVE-2022-2068)
     [Daniel Fiala, Tomáš Mráz]

  *) When OpenSSL TLS client is connecting without any supported elliptic
     curves and TLS-1.3 protocol is disabled the connection will no longer fail
     if a ciphersuite that does not use a key exchange based on elliptic
     curves can be negotiated.
     [Tomáš Mráz]

Signed-off-by: Andre Heider <a.heider@gmail.com>
2022-07-04 23:03:09 +02:00
Rosen Penev
341121edd4 libjson-c: disable libbsd
libjson-c is happy to pick up libbsd both on the host and target.
Reproducible with

make package/libbsd/compile;make package/libjson-c/compile

Also fixes host compilation on Arch Linux for a similar reason.
Undefined reference to arc4random.

Fixes: f3a198697f ("libjson-c: update to 0.16")
Acked-by: Thomas Huehn thomas.huehn@hs-nordhausen.de
Acked-by: Nick Hainke vincent@systemli.org
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-07-04 20:37:41 +02:00
Nick Hainke
f3a198697f libjson-c: update to 0.16
Fix:
- 001-dont-build-docs.patch

Remove upstreamed patch:
- 010-clang.patch

Changelog:

Deprecated and removed features:
--------------------------------
* JSON_C_OBJECT_KEY_IS_CONSTANT is deprecated in favor of
  JSON_C_OBJECT_ADD_CONSTANT_KEY
* Direct access to lh_table and lh_entry structure members is deprecated.
  Use access functions instead, lh_table_head(), lh_entry_next(), etc...
* Drop REFCOUNT_DEBUG code.

New features
------------
* The 0.16 release introduces no new features

Build changes
-------------
* Add a DISABLE_EXTRA_LIBS option to skip using libbsd
* Add a DISABLE_JSON_POINTER option to skip compiling in json_pointer support.

Significant changes and bug fixes
---------------------------------
* Cap string length at INT_MAX to avoid various issues with very long strings.
* json_object_deep_copy: fix deep copy of strings containing '\0'
* Fix read past end of buffer in the "json_parse" command
* Avoid out of memory accesses in the locally provided vasprintf() function
  (for those platforms that use it)
* Handle allocation failure in json_tokener_new_ex
* Fix use-after-free in json_tokener_new_ex() in the event of printbuf_new() returning NULL
* printbuf_memset(): set gaps to zero - areas within the print buffer which
  have not been initialized by using printbuf_memset
* printbuf: return -1 on invalid arguments (len < 0 or total buffer > INT_MAX)
* sprintbuf(): propagate printbuf_memappend errors back to the caller

Optimizations
--------------
* Speed up parsing by replacing ctype functions with simplified, faster
  non-locale-sensitive ones in json_tokener and json_object_to_json_string.
* Neither vertical tab nor formfeed are considered whitespace per the JSON spec
* json_object: speed up creation of objects, calloc() -> malloc() + set fields
* Avoid needless extra strlen() call in json_c_shallow_copy_default() and
  json_object_equal() when the object is known to be a json_type_string.

Other changes
-------------
* Validate size arguments in arraylist functions.
* Use getrandom() if available; with GRND_NONBLOCK to allow use of json-c
  very early during boot, such as part of cryptsetup.
* Use arc4random() if it's available.
* random_seed: on error, continue to next method instead of exiting the process
* Close file when unable to read from /dev/urandom in get_dev_random_seed()

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Nick Hainke
b32f165048 nettle: update to 3.8
Refresh:
- 100-portability.patch

Changelog:

ea4ea5e6 Document MacOS test workaround.
b14fc902 Add missing file fat-arm64.c to tar file.
6720f433 Update config.guess and config.sub to latest versions.
a2be57f0 NEWS entries for Nettle-3.8.
bff9a605 Update version numbers, for nettle-3.8.
36386678 Fix comment typo
e05fd5a9 Add ChangeLog entry for SM3 contribution.
8739faa8 Document cbc_aes128_encrypt, cbc_aes192_encrypt and cbc_aes256_encrypt.
efb2ec7f Deleted the manual's incomplete and out of date list of authors.
af38c91f New more accurate AUTHORS file.
ba084efa Fix ChangeLog typo.
0fff3097 ChangeLog entries for s390x ghash update.
75b687a8 Fix comment typo.
5d0089ed Refactor s390x-specific code for new ghash organization
2aabd5e2 ppc: Update fat setup for new ghash organization.
8f5fddfb ppc: Update vpmsumd ghash to new organization.
1227381e Comment fix.
9939f866 arm64: Update fat setup for new ghash organization.
ab62f731 Fix comment error
b1645555 arm64: Update pclmul ghash to new organization.
6b80b889 Update fat setup for new ghash organization.
d382fcc0 Delete _ghash_digest.
d11c4cd9 x86_64: Update pclmul ghash to new organization.
f79cc0c1 x86_64: Update table-based ghash to new organization.
bdc2fc31 Move _ghash_digest.
1d438ad4 Refactor GCM C implementation.
bdf820df New function block16_zero.
d966ea0d Delete code for GCM_TABLE_BITS != 8.
60edc290 x86_64: Fat setup for GCM.
be245313 Fix comment typo.
f8fa4f1f x86_64: Initial implementation of gcm using the pclmulqdq instructions.
23f75f58 Rearrange gcm configuration defines, and add tests for internal functions.
483ccbc9 Add tests for edge cases in poly1305 digest folding.
f3656a44 x86_64: Rewrite of poly1305 assembly.
b7268727 ChangeLog entry for arm64 implementation of chacha.
1d4a985c ChangeLog entries for new ppc64 ecc files.
99be366f ecc: Add powerpc64 assembly for ecc_448_modp
53f7ae66 Move a comment.
e643dcf1 ecc: Add powerpc64 assembly for ecc_25519_modp
741191d1 ecc: Add powerpc64 assembly for ecc_224_modp
4adcb4af Simplify poly1305-test, more use of tstring length.
b48217c8 Add randomized tests of poly1305.
dbf178c0 Arrange so that GMP or mini-gmp is always available for tests.
7d83510e ChangeLog entries for new ppc64 ecc files.
02bbf7d1 ecc: Add powerpc64 assembly for ecc_521_modp
2bc7dfad ecc: Add powerpc64 assembly for ecc_384_modp
9b6c0639 ecc: Add powerpc64 assembly for ecc_192_modp
39af7b2e [Arm64] Optimize Chacha20
c82876a5 [S390x] Alerting assembler of machine type
044d24b0 [S390x] Optimize Chacha20
94228f87 tests: Use inline function for dummy definition of test_randomize.
7926debe Share ecc point validation function in testutils.c.
25f73004 Whitespace cleanup
0ec184d8 ppc: Reduce number of registers used for ecc_secp256r1_redc.
c7cf1939 ppc: New configure test for ELFV2_ABI
f57640ea x86_64: Improved ecc_secp256r1_redc
dd65a63e ChangeLog for previous change.
ecd4eacf ppc: Add powerpc64 assembly for ecc_256_redc
b2758f7c doc: documentation for SM3 hash
0ea74c02 Comment improvements for x86_64 ecc_secp256r1_redc
78aabc69 nettle-benchmark: bench SM3 hashes
7f77ccb4 hmac: add support for SM3 hash function
e2edd9be testsuite: add test for SM3 hash function
b72886e5 Add OSCCA SM3 hash algorithm
d2e4e531 Delete function mpz_limbs_read_n.
dd566239 Delete function mpz_limbs_cmp.
07d5e755 gitlab-ci: Enable randomized tests
64ce8c77 Randomize more tests
a6f9bdeb Reduce allocation in modinv test
957482d9 Fix sqrt_ratio test for v = 0 case.
7f730943 Reduce allocation in sqrt tests
2c9a600d Move NETTLE_TEST_SEED logic to testutils.c.
48d61c28 Delete obsolete comment.
ac95be13 Fix and test for sqrt(0) special case.
ffe0f587 eccdata: Output ecc_sqrt_z and ECC_SQRT_E only when computed.
65c95c79 Fix comment typo.
8db66280 Let secp384r1 inverse and sqrt share most of the powering.
5b2758a3 eccdata: Delete generation of unused values ecc_sqrt_t and ECC_SQRT_T_BITS.
b3abfac5 eccdata: Generate both redc and non-redc versions of ecc_sqrt_z.
2dbe065d Implement secp224r1 square root, based on patch by Wim Lewis.
c8daa71c New function ecc_mod_equal_p, based on patch by Wim Lewis.
4be1725f New function ecc_mod_pow_127m1, used for ecc_secp224r1_inv.
4e987de3 Implement secp521r1 square root, based on patch by Wim Lewis.
2adc4268 Implement secp384r1 square root, based on patch by Wim Lewis.
bc07754f Implement secp256r1 square root, based on patch by Wim Lewis.
35f12552 Implement secp192r1 square root, based on patch by Wim Lewis.
c2726388 Renamed sqrt_itch --> sqrt_ratio_itch, and curve25519 and curve448 sqrt functions.
03421be1 Rename ecc sqrt --> sqrt_ratio.
652bdc79 New function ecc_mod_zero_p.
571d2cc2 [S390x] Improvements on documentation and instruction set usage for SHA3 permute
26b0f47b New function sec_zero_p.
259ec19a [S390x] Remove lgr instructions by using xgrk instead of xgr instruction
73722fb0 Rewrite of secp256r1 mod functions.
45028ff2 Extend ecc-mod-test, with improved coverage of corner cases.
806d6f6a [S390x] Optimize SHA3 permute using vector facility
78f44318 Change "signature on digest" --> "of digest".
0f90c076 Doc fixes.
52c86f94 Delete a few old FIXME comments
2b68ee47 Use @url and https consistently for references. Fix overlong lines.
ea4b2e86 Use texi2pdf to generate the pdf manual
54bbc09b ChangeLog entries for doc structure improvements.
cc92638c Divide Cipher section into menu and nodes, and some other minor fixes.
5e6af10b Delete explicit node pointers in nettle.texinfo
55584f4e Change CBC-AES interface
7a966ac3 Test AEAD encrypt/decrypt with message split into pieces.
686fd559 More checks for null pointers in test_aead, to silent static analyzer.
41a72c24 Fix checks of HAVE_NATIVE_cbc_aes*_encrypt
d5b0b9cb Fix fat builds for x86_64 windows
419d7af5 x86_64: Fat setup for assembly CBC AES.
121290e0 x86_64: Assembly CBC AES aesni functions.
1f58b09c Add specialized functions for cbc-aes.
99dffa9c ChangeLog entries for recent contributions.
38092fde gitlab-ci: Use mini-gmp for big-endian powerpc64 cross build
4147279b gitlab-ci: Explicitly install cross libgmp-dev packages
8c2321d2 gitlab-ci: No-assembly cross-build for s390x, to test big-endian
d4cd2965 gitlab-ci: Delete mips build
9765f8b9 [S390x] Optimize SHA256 and SHA512 compress functions
463553ae x86_64: New 2-way aesni loop also for aes256
c7391e5c x86_64: Refactor aesni assembly, with specific functions for each key size.
4ea2a1f8 [S390x] Optimize SHA1 compress
a47813c2 [AArch64] Utilize AES 1-block macros in 4-block macros
5f7740a3 [AArch64] Load AES keys at function prologue
76c7418c ChangeLog entries for previous change.
f7bc3e1b [AArch64] Move AES round macros to machine.m4
39d1e2a3 [AArch64] Optimize AES with fat build support
b8054a1d [S390x] Optimize memxor3 using vector facility with fat support
422219fe [S390x] Optimize memxor
3900fe65 Add fat-s390x.c to OPT_SOURCES.
c2f16582 Fix name of s390x/fat directory in make dist target.
4fc00c4d [S390x] add FAT_TEST_LIST variable to enable fat build testing
856c62ef [S390x] Replace inline assembly and fix fat filenames
3be3ff3e [S390x] Fat build support for AES and GHASH
9f9d4c4b arm64: Add sha2 to aarch64 fat tests.
774917ec ChangeLog entry for arm64 sha256..
7b446327 [AArch64] Fat build support for SHA-256 compress
6c84092d [S390x] wipe parameter block content and leftover bytes of data from stack
7d301d93 [S390x] wipe hash subkey from stack once GHASH operation completed
d1c8417f [AArch64] Optimize SHA-256 compress
33bfc509 [S390x] Use uppercase for macro names in machine.m4 and enhance the documentation for GHASH implementation
94be863c Add sha1 to aarch64 fat tests.
6c89ed3c ChangeLog entry for previous change.
e5a9dbf4 arm64: Fat build support for SHA1 compress
530e4c8d [S390x] Update configure.ac and Makefile.in
b0525367 [S390x] Implement alloc_stack and free_stack macros in machine.m4
72448928 [S390x] Optimize GHASH
20fedc01 Update Nettle-3.7.3 NEWS.
c80961c6 Add input check to rsa_decrypt family of functions.
cd6059ae Change _rsa_sec_compute_root_tr to take a fix input size.
401e0bdd Fix comment typos.
fd6d9ba7 Add check that message length to _pkcs1_sec_decrypt is valid.
e60d8367 ChangeLog entry for arm64 sha1.
47cafcf2 aarch64: Optimize SHA1 Compress
a46a17e9 Fix C++-style comments
022e51a2 ChangeLog entries for aes keywrap.
0145efbc Implement aes key wrap and key unwrap (RFC 3394)
61bcbbf8 gitlab-ci: Explicitly pass --enable-s390x-msa to s390x build.
3b1bb7cb Fix comment typo.
c23701f3 Reorder and indent asm_replace_list.
c2a14fa3 ChangeLog entry for new s390x AES implementation.
1f38723e Append s390x-specific asm file names to asm_replace_list in configure.ac
71dafe91 [S390x] Basic AES-192 and AES-256 optimizations
8247fa21 ppc: Fix macro name SWAP_MASK to use all uppercase.
b9f0ede2 Update config.guess and config.sub.
46515038 [S390x] Basic AES-128 optimization
f4dc5f20 Split aes-encrypt.c and aes-decrypt.c into one file per key size.
0bff7a2b Initial config for s390x, contributed by Mamone Tarsha.
06d6ef33 nettle-benchmark: avoid -Wmaybe-uninitialized warnings
dda3f4fd gitlab-ci: Fix only: variables: check, and quote variables.
c2b56cd7 gitlab-ci: Use pipeline variable S390X_ACCOUNT
c25774e2 gitlab-ci: Add remote tests for s390x.
d5972ced Add forward declaration of struct aes_table.
085317d6 ChangeLog entries for arm64 fat build.
944881d7 ChangeLog entry for nettle-3.7.2 release
f9e0e1f4 NEWS entries for 3.7.2.
1585f6ac [AArch64] Support fat build for GCM optimization
03b8ba39 [AArch64] Use m4 macros in gcm-hash.asm and add documentation comments
3f43c143 [AArch64] Update README to be on par with other architectures
b30e0ca6 Fix canonical reduction in gostdsa_vko.
d9b564e4 Similar fix for eddsa.
fbaefb64 Analogous fix to ecc_gostdsa_verify.
c24b3616 Ensure ecdsa_sign output is canonically reduced.
2397757b Fix bug in ecc_ecdsa_verify.
5b7608fd Use ecc_mod_mul_canonical for point comparison.
2bf497ba New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical.
a471ae85 aarch64: Rename arm64/v8/ --> arm64/crypto/
0489825e aarch64: Use .arch armv8-a+crypto directive.
d32152f4 aarch64: Move m4 definitions after .file directive
f3dda9f4 ChangeLog entries for arm64 gcm_hash.
b098f19b arch64: Fix clang build
fd9dd9d7 arch64: Fix copyright line and typos
a3f91c0e aarch64: Adjust gcm-hash assembly for big-endian systems
09d77a10 aarch64: Implement GHASH using the crypto extension pmul instructions.
0c5429d3 aarch64: Add README
dbd16501 Add an empty machine.m64 to make configure happy
ebf9ae83 Recognize arm64 in configure

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Nick Hainke
353d3eafb6 libiconv-full: update to 1.17
Release Notes:
- The libiconv library is now licensed under the LGPL version 2.1,
  instead of the LGPL version 2.0. The iconv program continues to
  be licensed under GPL version 3.
- Added converters for many single-byte EBCDIC encodings: IBM-{037,
  273,277,278,280,282,284,285,297,423,424,425,500,838,870,871,875},
  IBM-{880,905,924,1025,1026,1047,1097,1112,1122,1123,1130,1132,1137,
  1140}, IBM-{1141,1142,1143,1144,1145,1146,1147,1148,1149,1153,1154,
  1155,1156,1157}, IBM-{1158,1160,1164,1165,1166,4971,12712,16804}.
  They are available through the configure option
  '--enable-extra-encodings'.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Joel Low
925c73aab3 wolfssl: add config flag for Curve448
This enables building WolfSSL with Curve448, which can be used by
Strongswan. This has been tested on a Linksys E8450, running OpenWrt
22.03-rc4.

This allows parity with OpenSSL, which already supports Curve448 in
OpenWrt 21.02.

Fixes openwrt/packages#18812.

Signed-off-by: Joel Low <joel@joelsplace.sg>
2022-07-03 20:25:38 +02:00
Nick Hainke
3dbdfed2c4 libnl: update to 3.6.0
Remove upstreamed patch:
- 100-build-add-Libs.private-field-in-libnl-pkg-config-file.patch

cacaa5f libnl-3.6.0 release
855c02f route/mdb: merge branch 'troglobit:mdb-dump-fixes'
930fc11 route/mdb: add support for MAC multicast entries
2d68caf route/mdb: add missing detils and stats dump callbacks
d9ed99b nl-monitor: support for setting libnl debug level
4c41e0d nl-monitor: add missing --help to long_opts[]
7e96356 Check validation type against end of enum
4e153bc route/link: add VLAN bridge binding flag
b7256d3 github: build unit tests also with "clang"
8111933 route: assert that "rtnl_link_info_ops" refcount does not drop below zero
4f5c846 lib: merge branch 'th/object-clone-fixes'
d23fb81 lib: make nl_object_clone() out-of-memory safe
7f7452c route: fix ref counting for l_info_ops and io_clone()
620d024 route: drop unnecessary oo_clone() implementation from netconf
93a02eb netfilter: make log-msg,queue-msg setters robust against ENOMEM
23902d0 xfrm/sa: clone user_offload in xfrm_sa_clone()
29e5092 xfrm/sa: style cleanup xfrm_sa_clone()
14a9ebc utils: add internal _nl_memdup() helper
2e0d7f8 lib: add rtnl_link_info_ops_get() and take lock for rtnl_link_info_ops's io_refcnt
e884286 lib: include <netlink-private/utils.h> in <netlink-private/netlink.h>
7d43191 tests: merge branch 'th/tests-netns'
a7bbdab tests: add unit test for nl_object_clone() and nl_object_diff()
fdb0121 tests: add new "netns" test suite
9102872 tests: add fixture/teardown for tests to run in separate netns
9a42798 tests: cleanup creating test suites
1fc3e07 tests: refactor tests and add n-test-util helper library
7a3d6e2 netlink: add _NL_N_ELEMENTS() macro
3da4f7d netlink: add _nl_streq()/_nl_streq0() helper
1ad8555 netlink: add _nl_auto_nl_socket cleanup macro
c8a5729 lib: add _nl_close() helper
80868e6 clang-format: add ".clang-format" from linux kernel
2782ed3 github: build tests with "-std=gnu11"
af59b9a github: split tests in separate steps
c8f7902 build: add "check-progs" make target to build unit tests
23b4d33 route/cls: add TCA_FLOWER_KEY_VLAN_ETH_TYPE to "flower_policy" policy
1f8dc89 route/cls: return -NLE_INVAL in case rtnl_tc_data_peek() fails
ef5f3eb route/cls: merge branch 'westermo:cls-flower'
c385c84 route/cls: no need to copy simple fields in flower_clone()
79217d8 route/cls: make output pointers in rtnl_flower_get_{src,dst}_mac() optional
64e0836 route/cls: adjust whitspace/indentation
5ac9ce3 route/cls: use SPDX-License-Identifier
1a1c4e5 route/cls: reorder fields in "struct rtnl_flower" and adjust indentation
ef46de1 route/cls: add flower classifier
f0aad20 route: merge branch 'pugo:master'
d0cfecc route: make argument of rtnl_link_can_set_{bittiming,data_bittiming}() const
6a92268 route: add rtnl_link_can_set_data_bittiming_const()
841553b route: drop bitrate,sample-point getters/setters from can link
37998f7 route: rename rtnl_link_can_get_data_bt_const() to rtnl_link_can_get_data_bittiming_const()
96d3a6b route: fix adding rtnl_link_can_* symbols to symbol file
881e329 route: fix indentation
37c10ef route/link: add CAN FD support
d56bf73 route/mdb: merge branch 'rubensfig:mdb'
e0b2406 route/mdb: drop setting ifindex in mdb_clone()
d78a6eb route/mdb: minor cleanup in "mdb.c"
57a6d51 route/mdb: drop extra MDB attributes and rework mdb_compare()
0b44562 route/mdb: hide rtnl_mdb_entry_alloc() from public API
1c65ff7 route/mdb: reorder fields in "rtnl_mdb_entry" for tighther packing
1ac5403 route/mdb: use nl_list_for_each_entry_safe() for destroying list in mdb_free_data()
92035e2 route/mdb: cleanup mdb.h header
6237621 build: sort file names in Makefile.am
0ec6c6c mdb: support bridge multicast database notification
c980034 route/cls: merge branch 'westermo:classifier-api-extension'
a694c33 route/cls: rename rtnl_cls_get{,_by_prio}() API to rtnl_cls_find_by{handle,prio}()
88a5138 route/cls: allow fetching of classifiers from cache
90577b5 route: merge branch 'TummyFish:master'
299f61a license: use SPDX license identifiers and drop license comments
05a540d ip6vti: Add fwmark API
41e4365 ip6gre: Add fwmark API
ebc7df3 sit: Add fwmark API
8e1da8e ipip: Add fwmark API
bda19be ip6_tnl: Add fwmark API
cdc6c0f ipvti: Add fwmark API
2995710 ipgre: Add fwmark API
d9dc6c2 ip6vti: Add IPv6 VTI support
be86170 license: use SPDX license identifiers and drop license comments
919d9c6 route: merge branch 'westermo:fib-lookup'
1ff9b38 route/route: don't report failure when we receive a route in rtnl_route_lookup()
53bc27e route/route: support FIB lookups using rtnl
ed76b9a build: sort files in Makefile.am
46b22c1 route/link: merge branch 'westermo:team-support'
586a6b6 build: fix new symbols in "libnl-route-3.sym"
831f125 route/link: add support for team device
6c59580 route/link: Move LINK_ATTR_IFNAME to a proper location
f77cd25 route/netconf: full API export
f59f443 build: add Libs.private field in libnl pkg-config file
b3333e0 route/qdisc: allow fetching qdiscs by their kind
9a39188 netlink: merge branch 'michael-dev:feature/nflog-vlan-v3'
a93fc5f nflog: add recent missing symbols to "libnl-nf-3.sym"
7b4df53 nflog: add missing symbols to "libnl-nf-3.sym"
8266436 nflog:add conntrack flag and enable flags for nflog
246904d nflog: add CT support
59fc1d7 nflog: add mac_header support
c268c48 nflog: add vlan attribute
2548468 refresh linux/netfilter/nfnetlink_log.h with linux 5.4
4edffbd route/link: Add IPv6 GRE support
5d69587 route: add global sectin in "libnl-route-3.sym"
d0cf3a9 neigh: support to add fdb entry
3bf0a9c cls:u32: fix u32_clone() function
3147d86 route:tc: fix rtnl_tc_clone() calling to_clone() and add comment
c027e54 route:cls: fix dangling pointers in to_clone() implementations
47c04fb route:act: drop unnecessary implementations for to_clone()
79f7c9d tests: add test for cloning cls:u32 object
b1caff8 github: run unit tests under valgrind
38b3be3 tests: cleanup tests and avoid leaks
c2b94b9 lib: add more _nl_auto* cleanup macros
1f05e5a tests: replace libcheck's fail_if() macro by ck_assert*()
6341d89 log: fix typo in dumping msg
bfee88b route: fix memory leak of l_info_ops in link_msg_parser()
431ba83 route: merge branch 'qbdwlr:mplsPR'
cc680d4 route: add accessors for setting/getting ENCAP_MPLS attributes
efe8aad route: remove incorrect nl_addr_valid() from rtnl_route_nh_set_newdst(), etc.
0688bc6 netfilter/ct: fix use of reply/orig for conntrack requests
5d92516 route: don't use internal bit mask constants in NLA_PUT in can_put_attrs()
6fe9418 lib: fix descriptions for nl_cache_pickup()/nl_cache_pickup_checkdup()
d0d91c7 route: merge branch 't0mmmy90:check-if-nh-exists-while-updating-ipv6-multipath-route'
28a652b route: fix duplicate check for next hop for IPv6 multipath routes
03bfd2f route: check if nh exists while updating route
92c9237 ci: add github-actions
3d1fb00 tests/check-addr: replace deprecated fail_if() macro from libcheck with ck_assert_msg()
d9cad53 xfrm: fix naming consistency in xfrmnl_sp_get_curlifetime()
c0e82db cli: Add C++ linkage support
000a3bd yyerror: update to POSIX standard
f865a99 xfrm: merge branch 'spellingmistake:master'
0306ae2 xfrm: fix libnl-xfrm-3.sym linker versioning
8950194 xfrm: ensure minlen in policy for XFRMA_OFFLOAD_DEV
c8f33a4 xfrm: Add support for xfrm user offloading
b6cc13d Supporting Hardware offload capability for MACsec
39944c6 route/link: check calloc() return value
12cc0aa zero stack allocated memory in xfrmnl_build_sa_delete_request
5f39502 merge branch 'bengal/coverity'
26f342d route/qdisc: handle error of calloc()
d1a151e route/qdisc: fix memory leak in netem.c
aa092d1 route/link: fix copy-paste error in geneve.c
30552e8 route/cls: fix cgroup's clone() function
764c30a route: let route/link join RTNLGRP_IPV6_IFINFO mcast group
b24e833 doc: update link to mscgen-filter
0b5d17d addr: merge branch 'lcrestez-dn:dadfailed'
30924e7 tests: Add test for rtnl_addr_flags2str
5c05c75 addr: Add address flag `dadfailed`
2abeec8 xfrm: remove superfluous xfrm_userpolicy_id from dump request
5611487 lib/trivial: whitespace
ab015e1 lib: merge branch 'th/object-identical-fix'
36b0894 lib: allow to compare incomplete objects in nl_object_identical()
5020077 lib: let nl_object_identical() declare the same object as identical
406ebc8 lib: fix using right compare mask in nl_object_diff64()
8637c70 lib/trivial fix indentation
4be6062 route/link: avoid cloning link policy in link_msg_parser()
ba3c51c route/link: fix link_msg_parser() for using the af_ops of the link family
f9d0181 lib: use proper int type for id attributes in nl_object_identical()
68b3431 lib: fix documentation of nl_cache_dump_filter to have @params optional
2375cde lib: fix spelling errors in "netlink/handlers.h"
3faf26c gitignore: fix ignoring check-direct build artifacts
47fb1c0 xfrm: remove superfluous xfrm_usersa_id from dump request
846d288 travis: install "check" in travis
d64a0ec route: convert non-leading tabs to spaces in "include/netlink/route/link.h"
aaefd92 route: add test for valid content of map_stat_id_from_IPSTATS_MIB_v2 array
bab9e77 route/link: add RTNL_LINK_REASM_OVERLAPS stat
bae11ec tests: add "check-direct" test
2d50b04 route: add "netlink-private/route/utils.h" header
9a52b3d gitignore: merge all gitignore files in top level directory
4c5f2d6 merge branch 'th/license-comment-cleanup'
2d3e690 license: update "doc/COPYING" license text
1389188 license: add SPDX license identifer to "configure.ac" files
503aa5e license: fix and add SPDX license identifiers and drop license comments
4333aef license: cleanup copyright comments
956635b license: fix SPDX license identifier for nl-auto.h
5614b4c lib: merge branch 'th/cleanup-errout'
17e09aa rtnl/route: use cleanup attribute in "lib/route/link.c"
b50be8f rtnl/route: use cleanup attribute in "lib/route/route_obj.c"
fca338b rtnl/route: fix NLE_NOMEM handling in parse_multipath()
2957d8f rtnl/link: fix leaking rtnl_link_af_ops in link_msg_parser()
77b4f68 rtnl/route: only consider negative error codes as error
6870ece lib: cleanup nla_parse() to return early on error
a858a0b lib: use _nl_strncpy*() instead of plain strncpy()
018c694 lib: cleanup _nl_strncpy_assert()
e97b990 lib: rename _nl_strncpy() to _nl_strncpy_assert()
5ffbc6f lib: add _NL_RETURN_*() helper macros
abb7391 lib: add "include/netlink-private/nl-auto.h" header
ecd15bc lib: add _nl_assert_not_reached()
9cc38dc lib/route: adjust coding style
01ea9a6 route/link: Check for null pointer in macvlan

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Nick Hainke
77d71163b2 libnl: cleanup makefile
- Add PKG_LICENSE_FILES.
- Use SPDX.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-07-03 20:25:38 +02:00
Eneas U de Queiroz
0bd5367233 wolfssl: disable AES-NI by default for x86_64
WolfSSL is crashing with an illegal opcode in some x86_64 CPUs that have
AES instructions but lack other extensions that are used by WolfSSL
when AES-NI is enabled.

Disable the option by default for now until the issue is properly fixed.
People can enable them in a custom build if they are sure it will work
for them.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-06-27 00:57:15 +02:00
Nick Hainke
bde367255c libnftnl: update to 1.2.2
build: libnftnl 1.2.2 release
accee9a set_elem: missing export symbol
e2514c0 exthdr: tcp option reset support

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-24 17:10:24 +02:00
Leo Soares
dc59a22f1d libusb: fix missing link
adds `libusb-1.0.so` link on the target root again.

Fixes: 43539a6aab ("libusb: make InstallDev explicit")
Signed-off-by: Leo Soares <leo@hyper.ag>
(added fixed tag, reworded commit)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-19 12:40:30 +02:00
Eneas U de Queiroz
d55f12cc79 wolfssl: make WOLFSSL_HAS_OPENVPN default to y
Openvpn forces CONFIG_WOLFSSL_HAS_OPENVPN=y.  When the phase1 bots build
the now non-shared package, openvpn will not be selected, and WolfSSL
will be built without it.  Then phase2 bots have CONFIG_ALL=y, which
will select openvpn and force CONFIG_WOLFSSL_HAS_OPENVPN=y.  This
changes the version hash, causing dependency failures, as shared
packages expect the phase2 hash.

Fixes: #9738

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-06-09 02:11:37 +02:00
Christian 'Ansuel' Marangi
eac1b8ab69 Revert "wolfssl: set nonshared flag global"
This reverts commit e0cc5b9b3a.
A better and correct solution was found.

Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
2022-06-09 01:35:45 +02:00
Christian 'Ansuel' Marangi
e0cc5b9b3a wolfssl: set nonshared flag global
libwolfssl-benchmark should NOT be compiled as nonshared but
currently there is a bug where, on buildbot stage2, the package
is recompiled to build libwolfssl-benchmark and the dependency
change to the new libwolfssl version.
Each dependant package will now depend on the new wolfssl package
instead of the one previously on stage1 that has a different package
HASH.

Set the nonshared PKGFLAGS global while this gets investigated
and eventually fixed.

Fixes: 0a2edc2714 ("wolfssl: enable CPU crypto instructions")
Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
2022-06-09 00:47:13 +02:00
Eneas U de Queiroz
0a2edc2714 wolfssl: enable CPU crypto instructions
This enables AES & SHA CPU instructions for compatible armv8, and x86_64
architectures.  Add this to the hardware acceleration choice, since they
can't be enabled at the same time.

The package was marked non-shared, since the arm CPUs may or may not
have crypto extensions enabled based on licensing; bcm27xx does not
enable them.  There is no run-time detection of this for arm.

NOTE:
Should this be backported to a release branch, it must be done shortly
before a new minor release, because the change to nonshared will remove
libwolfssl from the shared packages, but the nonshared are only built in
a subsequent release!

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-06-07 10:56:49 +02:00
Eneas U de Queiroz
18fd12edb8 wolfssl: add benchmark utility
This packages the wolfssl benchmark utility.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-06-07 10:56:49 +02:00
Eneas U de Queiroz
677774d445 wolfssl: don't change ABI because of hw crypto
Enabling different hardware crypto acceleration should not change the
library ABI.  Add them to PKG_CONFIG_DEPENDS after the ABI version hash
has been computed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-06-07 10:56:49 +02:00
Felix Fietkau
242b347204 libnl-tiny: update to the latest version
b5b2ba09c4f1 netlink: add NLA_F_NESTED to all nested attributes

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-05-23 14:12:44 +02:00
Stijn Tintel
ad79b92719 elfutils: move host build to tools
The upcoming dwarves host package requires elfutils. As dependencies for
tools must exist in tools, we need to move elfutils host build there.

As there is at least one package that depends on this, and there is no
proper way to create such dependency in the build system, build it
unconditionally when not building on macOS.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-05-18 13:32:06 +03:00
Eneas U de Queiroz
73c1fe2890 wolfssl: bump to v5.3.0-stable
This is mostly a bug fix release, including two that were already
patched here:
- 300-fix-SSL_get_verify_result-regression.patch
- 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-05-15 20:52:46 +02:00
Eneas U de Queiroz
7a5ddc0d06 openssl: bump to 1.1.1o
This release comes with a security fix related to c_rehash.  OpenWrt
does not ship or use it, so it was not affected by the bug.

There is a fix for a possible crash in ERR_load_strings() when
configured with no-err, which OpenWrt does by default.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-05-15 16:32:40 +02:00
Felix Fietkau
3e300e724b libubox: update to the latest version
f2d6752901f2 blob: clear buf->head when freeing a buffer
45210ce14136 list.h: add container_of_safe macro
cfa372ff8aed blobmsg: implicitly reserve space for 0-terminator in string buf alloc
d2223ef9da71 blobmsg: work around false positive gcc -Warray-bounds warnings

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-05-15 15:20:34 +02:00
Eneas U de Queiroz
c18c6e53b9 wolfssl: fix compilation with /dev/crypto
This is trivial fix of a duplicate definition of 'int ret'.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-04-20 12:36:38 +02:00
Rosen Penev
b363f74886 readline: add host PIC
Python seems to fail to link to libreadline properly because of this.
Not a fatal error but an error nontheless.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-04-16 14:02:11 +02:00
Rosen Penev
fc60b97a77 pcre: pass -fPIC under host as well
static libraries need them as they are not PIC by default.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-04-16 14:02:11 +02:00
Eneas U de Queiroz
e89f3e85eb wolfssl: bump to 5.2.0
Fixes two high-severity vulnerabilities:

- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
  can be bypassed.  If a malicious client does not send the
  certificate_verify message a client can connect without presenting a
  certificate even if the server requires one.

- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
  v1.3 server can have its certificate heck bypassed. If the sig_algo in
  the certificate_verify message is different than the certificate
  message checking may be bypassed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-04-11 21:41:03 +02:00
Nick Hainke
c3b7389339 libmnl: update to 1.0.5
Changes:

Duncan Roe (5):
      nlmsg: Fix a missing doxygen section trailer
      build: doc: "make" builds & installs a full set of man pages
      build: doc: get rid of the need for manual updating of Makefile
      build: If doxygen is not available, be sure to report "doxygen: no" to ./configure
      src: doc: Fix messed-up Netlink message batch diagram

Fernando Fernandez Mancera (1):
      src: fix doxygen function documentation

Florian Westphal (1):
      libmnl: zero attribute padding

Guillaume Nault (1):
      callback: mark cb_ctl_array 'const' in mnl_cb_run2()

Kylie McClain (1):
      examples: nfct-daemon: Fix test building on musl libc

Laura Garcia Liebana (4):
      examples: add arp cache dump example
      examples: fix neigh max attributes
      examples: fix print line format
      examples: reduce LOCs during neigh attributes validation

Pablo Neira Ayuso (3):
      doxygen: remove EXPORT_SYMBOL from the output
      include: add MNL_SOCKET_DUMP_SIZE definition
      build: libmnl 1.0.5 release

Petr Vorel (1):
      examples: Add rtnl-addr-add.c

Stephen Hemminger (1):
      examples: rtnl-addr-dump: fix typo

igo95862 (1):
      doxygen: Fixed link to the git source tree on the website.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-04-09 18:34:04 +02:00
Nick Hainke
aecf088b37 libnfnetlink: update to 1.0.2
Changes:

c63f193 bump version to 1.0.2
3cffa84 libnfnetlink: Check getsockname() return code
90ba679 include: Silence gcc warning in linux_list.h
bb4f6c8 Make it clear that this library is deprecated
e46569c Minimally resurrect doxygen documentation
5087de4 libnfnetlink: hide private symbols
62ca426 autogen: don't convert __u16 to u_int16_t
efa1d8e src: Use stdint types everywhere
7a1a07c include: Sync with kernel headers
7633f0c libnfnetlink: initialize attribute padding to resolve valgrind warnings
94b68f3 configure: uclinux is also linux
617fe82 src: get source code license header in sync with current licensing terms
97a3960 build: resolve automake-1.12 warnings

Removed the patch 100-missing_include.patch, libnfnetlink compiles fine
with musl without this patch.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-04-09 18:33:24 +02:00
Daniel Golle
0d3850dc5a
libselinux: add missing host-build dependency on libsepol/host
The host-build of libselinux requires libsepol/host.
Add the libsepol/host to HOST_BUILD_DEPENDS to allow build on hosts
which don't have libsepol installed.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-04-06 21:54:50 +01:00
Paul Spooren
950bd40a27 toolchain: reproducible libstdcpp
A Python script containing an unreproducible path is copied by default.
Remove it before generating the package.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2022-04-01 12:54:58 +01:00
Petr Štetiar
3eb777e180 libs/zlib: fix implicit function declaration warning
Fixes following warning:

 adler32.c:141:12: warning: implicit declaration of function 'NEON_adler32' [-Wimplicit-function-declaration]
   141 |     return NEON_adler32(adler, buf, len);

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-28 09:27:56 +02:00
Petr Štetiar
8839a939ee libs/zlib: bump to latest stable release 1.2.12 (CVE-2018-25032)
List of changes since previous release from 2018 is quite long:

 * Fix crc32.c to compile local functions only if used.
 * Check for cc masquerading as gcc or clang in configure.
 * Remove destructive aspects of make distclean.
 * Separate out address sanitizing from warnings in configure.
 * Eliminate use of ULL constants.
 * Add fallthrough comments for gcc.
 * Clean up minizip to reduce warnings for testing.
 * Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
 * minizip warning fix if MAXU32 already defined. (gvollant)
 * Replace black/white with allow/block. (theresa-m)
 * Fix indentation in minizip's zip.c.
 * Improve portability of contrib/minizip.
 * Correct typo in blast.c.
 * Change macro name in inflate.c to avoid collision in VxWorks.
 * Clarify gz* function interfaces, referring to parameter names.
 * Fix error in comment on the polynomial representation of a byte.
 * Fix memory leak on error in gzlog.c.
 * Avoid adding empty gzip member after gzflush with Z_FINISH.
 * Explicitly note that the 32-bit check values are 32 bits.
 * Use ARM crc32 instructions if the ARM architecture has them.
 * Add use of the ARMv8 crc32 instructions when requested.
 * Correct comment in crc32.c.
 * Don't bother computing check value after successful inflateSync().
 * Use atomic test and set, if available, for dynamic CRC tables.
 * Speed up software CRC-32 computation by a factor of 1.5 to 3.
 * Add crc32_combine_gen() and crc32_combine_op() for fast combines.
 * Add tables for crc32_combine(), to speed it up by a factor of 200.
 * Fix the zran.c example to work on a multiple-member gzip file.
 * Add gznorm.c example, which normalizes gzip files.
 * Show all the codes for the maximum tables size in enough.c.
 * Clarify that prefix codes are counted in enough.c.
 * Use inline function instead of macro for index in enough.c.
 * Clean up code style in enough.c, update version.
 * Use a macro for the printf format of big_t in enough.c.
 * Use a structure to make globals in enough.c evident.
 * Assure that the number of bits for deflatePrime() is valid.
 * Fix a bug that can crash deflate on some input when using Z_FIXED.
 * Correct the initialization requirements for deflateInit2().
 * Emphasize the need to continue decompressing gzip members.
 * Add legal disclaimer to README.
 * Fix deflateEnd() to not report an error at start of raw deflate.
 * Remove old assembler code in which bugs have manifested.
 * Make the names in functions declarations identical to definitions.
 * Avoid an undefined behavior of memcpy() in _tr_stored_block().
 * Avoid undefined behaviors of memcpy() in gz*printf().
 * Avoid an undefined behavior of memcpy() in gzappend().
 * Avoid the use of ptrdiff_t.
 * Handle case where inflateSync used when header never processed.
 * Don't compute check value for raw inflate if asked to validate.
 * Add address checking in clang to -w option of configure.
 * Return an error if the gzputs string length can't fit in an int.
 * Small speedup to inflate [psumbera].
 * Update use of errno for newer Windows CE versions.
 * Avoid some conversion warnings in gzread.c and gzwrite.c.
 * Have Makefile return non-zero error code on test failure.
 * Avoid a conversion error in gzseek when off_t type too small.
 * Fix CLEAR_HASH macro to be usable as a single statement.
 * Fix bug when window full in deflate_stored().
 * Limit hash table inserts after switch from stored deflate.
 * Permit a deflateParams() parameter change as soon as possible.
 * Cygwin does not have _wopen(), so do not create gzopen_w() there.

Removed 006-fix-compressor-crash-on-certain-inputs.patch which was
hotfix for CVE-2018-25032 and is now included in this release.

This release is not available on @SF (yet?) so the sources are now
pulled from GitHub.

Fixes: CVE-2018-25032
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-28 09:27:56 +02:00
Rosen Penev
8a5d095969 elfutils: fix host compilation with Alpine Linux
intl is not included in libc, disable it as is done with the target
package.

argp is also not included. Add build depends for argp-standalone.

fts is also not included. Add build depends for musl-fts.

Disable shared libraries to avoid having to manually add rpath.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-27 14:38:13 +02:00
Rosen Penev
f8571749a7 pcre: disable shared libraries for host builds
Getting rid of shared libraries for hostpkg avoids having to use rpath
hacks to find the library. It also fixes compilation with host glib2
binaries.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-27 14:38:13 +02:00
Rosen Penev
8a75ed4ba0 musl-fts: remove shared libraries from host
Avoids having to add rpath to the various packages using it. Also add
PIC to fix compilation as static libraries do not use PIC by default.

Fixes: 1fb099341e ("musl-fts: add host build")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-27 14:38:13 +02:00
Rosen Penev
abb2683de3 libselinux: use musl-fts for host builds
Fixes compilation under musl based distros like Alpine Linux.

Also add pcre/host as a build dependency as it's needed.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-25 18:14:13 +01:00
Rosen Penev
1fb099341e musl-fts: add host build
This will be used for libselinux.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-25 18:14:13 +01:00
Stijn Tintel
636cb00ecc gettext-full: add gmsgfmt symlink in host install
Some configure scripts look for msgfmt and gmsgfmt. As we don't install
the latter, configure might pick up one from staging_dir/hostpkg, and
the other from the host:

checking for msgfmt... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/msgfmt
checking for gmsgfmt... /usr/bin/gmsgfmt

This could potentially lead to hard to debug undefined behaviour.
Install a symlink in the host install phase to avoid this.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-03-25 17:48:49 +02:00
Petr Štetiar
b3aa2909a7 zlib: backport security fix for a reproducible crash in compressor
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.

Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.

Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-03-24 08:15:24 +01:00
Eneas U de Queiroz
1bf94b6797 openssl: move engine.mk to INCLUDE_DIR
engine.mk is supposed to be included by engine packages, but it will not
be present in the SDK in the same place as in the main repository.

Move it to include/openssl-engine.mk to avoid this.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-03-23 23:13:51 +00:00
Huangbin Zhan
3bf10bac11 ncurses: update to 6.3
release notes: https://invisible-island.net/ncurses/announce-6.3.html

Signed-off-by: Huangbin Zhan <zhanhb88@gmail.com>
2022-03-19 17:42:29 +01:00
Rosen Penev
80b88b083a argp-standalone: fix compilation with Alpine Linux
This package is a C89 one. Add the proper CFLAG to fix compilation.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-03-16 17:58:24 +01:00
Martin Schiller
e17c6ee627 openssl: bump to 1.1.1n
This is a bugfix release. Changelog:

  *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
     forever for non-prime moduli. (CVE-2022-0778)

  *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
     (RFC 5489) to the list of ciphersuites providing Perfect Forward
     Secrecy as required by SECLEVEL >= 3.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
2022-03-16 16:28:16 +01:00
Ansuel Smith
4393d8c090 libnetfilter-conntrack: backport patch fixing compilation with 5.15
Backport patch fixing compilation with 5.15 and musl provided by Robert Marko

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2022-03-05 21:05:45 +01:00
Sergey V. Lobanov
64d159cdad argp-standalone: add host-compile ability
This patch adds host-compile ability to argp-standalone for build
hosts without glibc and argp lib, e.g. MacOS.

iucode-tool/host can not be built on MacOS due to lack of argp.

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-26 19:52:41 +01:00
Lucian Cristian
fbf485e6c6 mbedtls: update to 2.28.0 LTS branch
<https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0>
"Mbed TLS 2.28 is a long-time support branch.
It will be supported with bug-fixes and security
fixes until end of 2024."

<https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md>
"Currently, the only supported LTS branch is: mbedtls-2.28.
For a short time we also have the previous LTS, which has
recently ended its support period, mbedtls-2.16.
This branch will move into the archive namespace around the
time of the next release."

this will also add support for uacme ualpn support.

size changes
221586 libmbedtls12_2.28.0-1_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(remark about 2.16's EOS, slightly reworded)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-02-26 19:52:41 +01:00
Petr Štetiar
b9251e3b40 wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable.  In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:

 $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
 Downloading 'https://letsencrypt.org'
 Connecting to 18.159.128.50:443
 Connection error: Invalid SSL certificate

Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-02-22 20:27:15 +01:00
Eneas U de Queiroz
0134f845da openssl: configure engines with uci
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:

    config engine 'devcrypto'
            option enabled '1'

Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.

The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.

The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped.  It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
30b0351039 openssl: configure engine packages during install
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.

The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Eneas U de Queiroz
17a6ca12d3 openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory.  The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.

Patches were refreshed with --zero-commit.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-02-22 16:37:23 +01:00
Stijn Tintel
add7884cd0 libnetfilter-conntrack: bump to 1.0.9
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
2022-02-17 13:59:44 +02:00
Sergey V. Lobanov
93d91197b9 wolfssl: update to 5.1.1-stable
Bump from 4.8.1-stable to 5.1.1-stable

Detailed release notes: https://github.com/wolfSSL/wolfssl/releases

Upstreamed patches:
001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch -
 fa8f23284d
002-Update-macro-guard-on-SHA256-transform-call.patch -
 f447e4c1fa

Refreshed patches:
100-disable-hardening-check.patch
200-ecc-rng.patch

CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains
configure option

The size of the ipk changed on aarch64 like this:
491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk
520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk

Tested-by: Alozxy <alozxy@users.noreply.github.com>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-02-01 23:18:01 +01:00
Hauke Mehrtens
392609543d libcap: Update to version 2.63
The sizes of the ipk changed on MIPS 24Kc like this:
11248 libcap_2.51-1_mips_24kc.ipk
14461 libcap_2.63-1_mips_24kc.ipk

18864 libcap-bin_2.51-1_mips_24kc.ipk
20576 libcap-bin_2.63-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
57f38e2c82 mbedtls: Update to version 2.16.12
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
  value when verifying a MAC or AEAD tag. This hardens the library in
  case the value leaks through a memory disclosure vulnerability. For
  example, a memory disclosure vulnerability could have allowed a
  man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
  mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
  (out of memory). After that, calling mbedtls_ssl_session_free()
  and mbedtls_ssl_free() would cause an internal session buffer to
  be free()'d twice. CVE-2021-44732

The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-02-01 21:25:02 +01:00
Hauke Mehrtens
e74529552c ustream-ssl: update to Git version 2022-01-16
868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-16 21:51:21 +01:00
Florian Fainelli
a372946e60 elfutils: Add missing musl-fts dependency
libdw depends on libfts.so when building with the musl-libc library, add
this missing dependency.

Fixes: 6835ea13f0 ("elfutils: update to 0.186")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2022-01-07 20:50:50 -08:00
Glenn Strauss
a8513e2461 mbedtls: enable session tickets
session tickets are a feature of TLSv1.2 and require less memory
and overhead on the server than does managing a session cache

Building mbedtls with support for session tickets will allow the
feature to be used with lighttpd-1.4.56 and later.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-08 00:49:59 +01:00
Sergey V. Lobanov
6835ea13f0 elfutils: update to 0.186
Upstreamed patches (deleted):
0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=8382833a257b57b0d288be07d2d5e7af6c102869
110-no-cdefs.patch -
 https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=d390548df1942e98a1d836269a5e41ba52e121f1

Auto-refreshed:
006-Fix-build-on-aarch64-musl.patch
101-no-fts.patch

Manually updated and refreshed:
005-build_only_libs.patch
003-libintl-compatibility.patch
100-musl-compat.patch

Disabled _obstack_free check (via configure vars)

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2022-01-08 00:49:59 +01:00
Hauke Mehrtens
e708bf76d5 toolchain: glibc: Update to version 2.34
glibc version 2.34 does not provide versioned shared libraries any more,
it only provides shared libraries using the ABI version. Do not try to
copy them any more.

The functions from libpthread and librt were integrated into the main
binary, the libpthread.so and librt.so are only used for backwards
compatibility any more.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-07 22:30:40 +01:00
Eneas U de Queiroz
def9565be6 openssl: bump to 1.1.1m
This is a bugfix release.  Changelog:

  *) Avoid loading of a dynamic engine twice.
  *) Fixed building on Debian with kfreebsd kernels
  *) Prioritise DANE TLSA issuer certs over peer certs
  *) Fixed random API for MacOS prior to 10.12

Patches were refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-01-01 18:02:49 +01:00
Sergey V. Lobanov
dfd695f4b9 libs/wolfssl: add SAN (Subject Alternative Name) support
x509v3 SAN extension is required to generate a certificate compatible with
chromium-based web browsers (version >58)

It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES

Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
2021-12-29 22:55:16 +01:00
Hauke Mehrtens
18bdfc803b tcpdump: libpcap: Remove http://www.us.tcpdump.org mirror
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.

Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-12-27 00:49:08 +01:00
Stijn Tintel
052e31ed47 libunwind: add ppc64 support
Backport an upstream patch to make libunwind build on ppc64, and add
powerpc64 to the dependencies.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
2021-12-21 21:37:05 +02:00