aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* build: include BUILD_VARIANT in PKG_BUILD_DIRJeffery To2019-09-041-2/+0
| | | | | | | | | | | | This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into account (if set), so that packages do not need to manually override PKG_BUILD_DIR just to handle variants. This also updates most base packages with variants to use the updated default PKG_BUILD_DIR. Signed-off-by: Jeffery To <jeffery.to@gmail.com> (cherry picked from commit e545fac8d968864a965edb9e50c6f90940b0a6c9)
* libs/toolchain: remove eglibc remnant fileEneas U de Queiroz2019-09-041-13/+0
| | | | | | | This removes package/libs/toolchain/eglibc-files/etc/nsswitch.conf. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit c47eff0df3270199a69552587355834e57d6b782)
* libnftnl: bump to version 1.1.3Konstantin Demin2019-09-041-3/+3
| | | | | | | bump ABI version accordingly (thanks to Jo-Philipp Wich). Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> (cherry picked from commit ce8027ed296f812099be813182f8b2f65ce16abf)
* ustream-ssl: update to 2019-06-24Eneas U de Queiroz2019-09-041-3/+3
| | | | | | | This adds chacha20-poly1305 support to the mbedtls variant. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 82a8ddd603707a130acf5ec1f54d9093d46acad4)
* mbedtls: Update to version 2.16.2Josef Schlehofer2019-09-041-2/+2
| | | | | Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz> (cherry picked from commit a2f54f6d5d98211e9c58420eed8c67f4fca83665)
* nghttp2: deduplicate files in staging_dirEneas U de Queiroz2019-09-041-1/+1
| | | | | | | | '38b22b1e: deduplicate files in libnghttp2' missed duplicates in staging_dir by Build/InstallDev. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> (cherry picked from commit ee1a78331462d0c2394c0e6805e4d12fbfa4882d)
* nghttp2: bump to 1.39.1Hans Dedecker2019-09-041-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 7ffc239b Bump up version number to 1.39.1 bc886a0e Fix FPE with default backend a3a14a9c Fix log-level is not set with cmd-line or configuration file acfb3607 Update manual pages bdfd14c2 Bump up version number to 1.39.0, LT revision to 31:4:17 cddc09fe Update AUTHORS 3c3b6ae8 Add missing colon 2f83aa9e Fix multi-line text travis issue fc591d0c Run nghttpx integration test with cmake build 9a17c3ef travis: use multi-line text b7220f07 cmake: Remove SPDY related files a1556fd1 Merge pull request #1356 from nghttp2/fix-log-level-on-reload 77f1c872 nghttpx: Fix unchanged log level on configuration reload 49ce44e1 Merge pull request #1352 from nghttp2/travis-osx f54b3ffc Fix libxml2 CFLAGS output b0f5e5cc Implement daemon() using fork() for OSX 8d6ecd66 Enable osx build on travis f82fb521 Update doc 2e1975dd clang-format-8 97ce392b Merge pull request #1347 from nghttp2/nghttpx-ignore-cl-te-on-upgrade afefbda5 Ignore content-length in 200 response to CONNECT request 4fca2502 nghttpx: Ignore Content-Length and Transfer-Encoding in 1xx or 200 to CONNECT 6975c336 Update llhttp to 1.1.3 0288093c Fix llhttp_get_error_pos usage a3a03481 Merge pull request #1340 from nghttp2/nghttpx-llhttp c64d2573 Replace http-parser with llhttp f028cc43 clang-format 302e3746 Merge pull request #1337 from nghttp2/upgrade-mruby 3cdbc5f5 Merge pull request #1335 from adamgolebiowski/boost-1.70 a6925186 Fix mruby build error 45d63d20 Upgrade mruby to 2.0.1 cbba1ebf asio: support boost-1.70 e86d1378 Bump up version number to 1.39.0-DEV 4a9d2005 Update manual pages Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> (cherry picked from commit 865e25e049f6d5a6488c5e83a7d89d0dc896c876)
* libubox: update to latest git HEADHauke Mehrtens2019-09-041-3/+3
| | | | | | | | 9dd2dcf libubox: add format string checking to ulog() ecf5617 ustream: Add format string checks to ustream_(v)printf() Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit fc454ca15305e332a35c9bc1e60dde18f69ac210)
* nghttp2: deduplicate files in libnghttp2Konstantin Demin2019-09-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | libnghttp2 accidentally ships library twice: $ tar -Oxzf libnghttp2-14_1.38.0-1_mips_24kc.ipk ./data.tar.gz | tar -tzvf - drwxr-xr-x root/root 0 2019-06-07 23:14 ./ drwxr-xr-x root/root 0 2019-06-07 23:14 ./usr/ drwxr-xr-x root/root 0 2019-06-07 23:14 ./usr/lib/ -rw-r--r-- root/root 144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14 -rw-r--r-- root/root 144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14.17.3 after fix, there's library and symlink (as designed): $ tar -Oxzf libnghttp2-14_1.38.0-2_mips_24kc.ipk ./data.tar.gz | tar -tzvf - drwxr-xr-x root/root 0 2019-06-07 23:14 ./ drwxr-xr-x root/root 0 2019-06-07 23:14 ./usr/ drwxr-xr-x root/root 0 2019-06-07 23:14 ./usr/lib/ lrwxrwxrwx root/root 0 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14 -> libnghttp2.so.14.17.3 -rw-r--r-- root/root 144412 2019-06-07 23:14 ./usr/lib/libnghttp2.so.14.17.3 Binary package size reduced accordingly: 134621 -> 66593. Compile/run-tested: ar71xx/generic. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> (cherry picked from commit 38b22b1e7022d6b386ce25f39d05cc33fc659240)
* musl: ldso/dlsym: fix mips returning undef dlsymLuiz Angelo Daros de Luca2019-08-171-1/+1
| | | | | | | | | | | | | | | | This happens only the second time a library is loaded by dlopen(). After lib1 is loaded, dlsym(lib1,"undef1") correctly resolves the undef symbol from lib1 dependencies. After the second library is loaded, dlsym(lib2,"undef1") was returning the address of "undef1" in lib2 instead of searching lib2 dependencies. Using upstream fix which now uses the same logic for relocation time and dlsym. Fixes openwrt/packages#9297 Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> (cherry picked from commit 0d0617ff14b8b020896680de1f1a49c7ba8a5e0d)
* wolfssl: bump to 4.1.0-stableEneas U de Queiroz2019-08-176-166/+62
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Always build AES-GCM support. Unnecessary patches were removed. This includes two vulnerability fixes: CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK extension parsing. CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack. This brings the package up-to-date with master, so it incorporates changes from 4.0.0 in master: * Removed options that can't be turned off because we're building with --enable-stunnel, some of which affect hostapd's Config.in. * Adjusted the title of OCSP option, as OCSP itself can't be turned off, only the stapling part is selectable. * Mark options turned on when wpad support is selected. * Add building options for TLS 1.0, and TLS 1.3. * Add hardware crypto support, which due to a bug, only works when CCM support is turned off. * Reorganized option conditionals in Makefile. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libroxml: bump to the 3.0.2 versionRafał Miłecki2019-07-161-3/+3
| | | | | | | | * Fix for memory leak regression * Support for (un)escaping Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 430d65c544551f9af88cdc6f0b9c6c12364b28f9)
* wolfssl: Fix package hashHauke Mehrtens2019-07-081-1/+1
| | | | | Fixes: 3167a57f7262 ("wolfssl: update to 3.15.7, fix Makefile") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: update to 3.15.7, fix MakefileEneas U de Queiroz2019-07-084-13/+13
| | | | | | | | | | This includes a fix for a medium-level potential cache attack with a variant of Bleichenbacher’s attack. Patches were refreshed. Increased FP_MAX_BITS to allow 4096-bit RSA keys. Fixed poly1305 build option, and some Makefile updates. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 2792daab5ad26e916619052fc7f581cddc1ea53c)
* libunwind: bump to version 1.3.1Yousong Zhou2019-06-052-16/+6
| | | | | | | | | | | | | | | Libunwind provides a sigreturn stub for x86 in version 1.2 [1]. However the arch still depends on setcontext() which is unavailable in musl-libc and which is supposed to be "deprecated everywhere" [2] [1] x86 sigreturn unimplemented for some libcs, https://github.com/libunwind/libunwind/issues/13 [2] setcontext deprecated on x86, https://github.com/libunwind/libunwind/issues/69 Refs: https://github.com/openwrt/packages/issues/8548#issuecomment-497791552 Reported-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* openssl: update to version 1.1.1cEneas U de Queiroz2019-05-312-34/+3
| | | | | | | | | | | Highlights of this version: - Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543) - Fix OPENSSL_config bug (patch removed) - Change the default RSA, DSA and DH size to 2048 bit instead of 1024. - Enable SHA3 pre-hashing for ECDSA and DSA Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
* uclient: bump to version 2019-05-30Yousong Zhou2019-05-301-3/+3
| | | | | | | | This version bump contains the following commit to fix FS#2222 3b3e368 uclient-http: set data_eof when content-length is 0 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* libunwind: requires glibc if arch in powerpcYousong Zhou2019-05-301-1/+1
| | | | | | | | | | | | | | libunwind for powerpc depends on getcontext() from libc which musl-libc does not provide because this API and its friends are supposed to be "obsolescent" [1,2] [1] Subject: Re: setcontext/getcontext/makecontext missing? https://www.openwall.com/lists/musl/2016/02/04/5 [2] http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html Refs: https://github.com/openwrt/packages/issues/8548#issuecomment-497200058 Reported-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* libbsd: Fix compilation under ARCRosen Penev2019-05-172-1/+31
| | | | | | | | The 8 year old file does not have any ARC definitions. Signed-off-by: Rosen Penev <rosenp@gmail.com> [updated content of the patch with version sent to upstream] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* zlib: Use relative paths in pkg-config metadata fileJeffery To2019-05-172-1/+15
| | | | | | | | | | | | | | The buildroot pkg-config (in staging_dir/host/bin) overrides the prefix and exec_prefix variables in *.pc files, to supply the correct (buildroot) paths for callers. If other variables are not defined relative to prefix and exec_prefix, then the returned values will be incorrect. The default zlib.pc file generated by cmake contains absolute paths. This patches the file to use relative paths (relative to ${prefix} and ${exec_prefix}). Signed-off-by: Jeffery To <jeffery.to@gmail.com>
* uClibc++: Update to 0.2.5Rosen Penev2019-05-1113-291/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Switched to xz archives for smaller size. Removed upstreamed patches. Reorganized Makefile a little bit for clarity. Build/Prepare is not useful anymore. Upstream converted the file to LF. Refreshed config. Removed -ansi option from the original CFLAGS as this was causing long long support to be missing. Removed fPIC. We have the macro $(FPIC) already used. No point in setting fpic and fPIC together. Removed pedantic -Wlong-long warnings as they are not useful. Removed -std=gnu++98. Not only is it unnecessary (it compiles against all standards), it actually results in a size increase. 75843 vs. 75222 (gcc in OpenWrt defaults to g++14). Added --gc-sections to linker flags to reduce size: 72653 vs 75222. Removed warn linker options. They have been upstreamed. Tested on Archer C7v2 and GnuBee PC1. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* elfutils: Fix compile with uClibc-ngRosen Penev2019-05-052-1/+39
| | | | | | | | Probably glibc too. argp_help takes a char *. not const char *. Signed-off-by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> [updated with upstream version of the patch]
* kernel: Remove support for kernel 3.18Hauke Mehrtens2019-05-032-2/+2
| | | | | | | | | | No target is using kernel 3.18 anymore, remove all the generic support for kernel 3.18. The removed packages are depending on kernel 3.18 only and are not used on any recent kernel. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libroxml: bump to the 3.0.1 versionRafał Miłecki2019-05-011-5/+5
| | | | | | | | | | | | Some of changes: * Support for local-name() * General refactoring * Better parsing performance * Fix possible buffer overflow & memleak * Validation checks * More commit functions (file, buffer, fd) Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* openssl: build kmods only if engines are selectedEneas U de Queiroz2019-04-261-4/+4
| | | | | | | | | | Add a conditional to the individual package's for the kmods in DEPENDS. This avoids the need to compile the kernel modules when the crypto engine packages are not selected. The final binares are not affected by this. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Tested-by: Rosen Penev <rosenp@gmail.com>
* elfutils: bump to 0.176Jose Olivera2019-04-262-4/+4
| | | | | | | | | | | | | | | | *Fixes: -CVE-2019-7150 -CVE-2019-7149 -CVE-2019-7146 -CVE-2019-7665 -CVE-2019-7664 -CVE-2019-7148 *Refresh 003-libintl-compatibility.patch *Also reset PKG_RELEASE. Signed-off-by: Jose Olivera <oliverajeo@gmail.com>
* openssl: add Eneas U de Queiroz as maintainerEneas U de Queiroz2019-04-221-0/+1
| | | | Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: fix OPENSSL_config bug affecting wgetEneas U de Queiroz2019-04-222-1/+32
| | | | | | | | This applies an upstream patch that fixes a OPENSSL_config() bug that causes SSL initialization to fail when the openssl.cnf file is not found. The config file is not installed by default. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* nghttp2: bump to 1.38.0Hans Dedecker2019-04-221-3/+3
| | | | | | | | | | | | | | | | | | | 4a9d2005 Update manual pages acf6a922 Bump up version number to 1.38.0, LT revision to 31:3:17 4ff45821 Update AUTHORS 42dce01e Merge branch 'nghttpx-fix-backend-selection-on-retry' a35059e3 nghttpx: Fix bug that altered authority and path affect backend selection 5a30fafd Merge branch 'nghttpx-fix-chunked-request-stall' dce91ad3 Merge branch 'nghttpx-dont-log-authorization' 2cff8b43 nghttpx: Fix bug that chunked request stalls be96654d nghttpx: Don't log authorization request header field value with -LINFO ce962c3f Merge branch 'update-http-parser' f931504e Update http-parser to v2.9.1 d978f351 Fix bug that on_header callback is still called after stream is closed ec519f22 Merge pull request #1270 from baitisj/master e8b213e3 Bump up version number to 1.38.0-DEV Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* openssl: change defaults: ENGINE:on, NPN:off, miscEneas U de Queiroz2019-04-172-8/+6
| | | | | | | | | | | | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Enable engine support by default. Right now, some packages require this, so it is always enabled by the bots. Many packages will compile differently when engine support is detected, needing engine symbols from the libraries. However, being off by default, a user compiling its own image will fail to run some popular packages from the official repo. Note that disabling engines did not work in 1.0.2, so this problem never showed up before. NPN support has been removed in major browsers & servers, and has become a small bloat, so it does not make sense to leave it on by default. Remove deprecated CONFIG_ENGINE_CRYPTO symbol that is no longer needed. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* mbedtls: update to version 2.16.1Josef Schlehofer2019-04-063-28/+28
| | | | | | | Refreshed patches Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz> Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* libnftnl: bump to latest versionRosy Song2019-03-211-3/+3
| | | | Signed-off-by: Rosy Song <rosysong@rosinson.com>
* openssl: revert disallowing parallel buildEneas U de Queiroz2019-03-211-1/+1
| | | | | | | Openssl 1.1.0 made wholesale changes to its building system. Apparently, parallel builds are working now. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: disable digests by default, misc fixesEneas U de Queiroz2019-03-124-2/+79
| | | | | | | | | | | | | | | | | | | | | | Openssh uses digest contexts across forks, which is not supported by the /dev/crypto engine. The speed of digests is usually not worth enabling them anyway. This changes the default of the DIGESTS option to NONE, so the user still has the option to enable them. Added another patch related to the use of encryption contexts across forks, that ignores a failure to close a previous open session when reinitializing a context, instead of failing the reinitialization. Added a link to the Cryptographic Hardware Accelerators document to the engine pacakges description, to provide more detailed instructions to configure the engines. Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used by openssh. There is an open PR to update openssh; when merged, this symbol can be safely removed. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
* nghttp2: bump to 1.37.0Hans Dedecker2019-03-101-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | cfb47d30 Take into account larger frame size for prioritization dbbe4e01 Remove unused field 371bc3a8 clang-format 5e7889c5 Update manual pages b1b2ad50 Bump up version number to 1.37.0, LT revision to 31:2:17 e043ca83 Update AUTHORS c2434dfb Simplify stream_less 816ad210 Reuse name when indexing header by referencing dynamic table f5feb16e Merge pull request #1295 from bratkartoffel/fix-compile-boringssl adf09f21 Merge pull request #1303 from donny-dont/fix-shared-install 2591960e Explicitly set install location when building shared libs d93842db nghttpx: Fix backend stall if header and request body are sent in 2 packets 8dc2b263 nghttpx: Use std::priority_queue 8d842701 Update manual pages de85b0fd Update README 5d6beed5 Merge branch 'nghttpx-backend-weight' 1ff9de4c nghttpx: Backend address selection with weight 34482ed4 Fix compilation with boringssl 9b6ced66 Bump up version number to 1.37.0-DEV Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* wolfssl: fix build in busybox environmentsMoritz Warning2019-03-102-2/+25
| | | | | | The configure script broke when used in alpine-3.9 based docker containers. Fixed in wolfSSL >3.15.7. Signed-off-by: Moritz Warning <moritzwarning@web.de>
* openssl: backport devcrypto changes from masterEneas U de Queiroz2019-03-099-25/+3678
| | | | | | | | | | | | | | | | | | | The patches to the /dev/crypto engine were commited to openssl master, and will be in the next major version (3.0). Changes: - Optimization in computing a digest in one operation, saving an ioctl - Runtime configuration options for the choice of algorithms to use - Command to dump useful information about the algorithms supported by the engine and the system. - Build the devcrypto engine as a dynamic module, like other engines. The devcrypto engine is built as a separate package by default, but options were added to allow building the engines into the main library. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> [refresh patches] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libubox: bump to version 2019-02-27Yousong Zhou2019-03-011-4/+4
| | | | | | | | | | Contains the following change eeef7b5 blobmsg_json: blobmsg_format_string: do not escape '/' Resolves FS#2147 Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
* package/ncurses: change AR options to fix reproducible buildsAlexander Couzens2019-02-282-1/+23
| | | | | | | | | | ar has a deterministic (-D) and non-deterministic (-U) mode. OpenWrt is already using the deterministic mode by default, but ncurses' configure script force this to be non-deterministic. Since autoreconf fails to generate a new configure, the configure script is directly modified. Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* openssl: bump to release 1.1.1bEneas U de Queiroz2019-02-279-643/+5
| | | | | | | | | | | This is bugfix release that incorporated all of the devcrypto engine patches currently in the tree. The cleaning procedure in Package/Configure was not removing the dependency files, causing linking errors during a rebuild with different options. It was replaced by a simple make clean. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* popt: Use modern toolchain logicDaniel Engberg2019-02-261-6/+1
| | | | | | Replace define Build/Configure with CONFIGURE_ARGS Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* elfutils: fix install .so globMatt Merhar2019-02-261-3/+3
| | | | | | | Only libelf was being packaged correctly - libdw and libasm included just the symlinks. Signed-off-by: Matt Merhar <mattmerhar@protonmail.com>
* elfutils: fix DEPENDS for libelfPeter Wagner2019-02-171-2/+2
| | | | Signed-off-by: Peter Wagner <tripolar@gmx.at>
* openssl: patch to fix devcrypto sessions leakEneas U de Queiroz2019-02-171-0/+115
| | | | | | | | Applies a patch from https://github.com/openssl/openssl/pull/8213 that fixes an error where open /dev/crypto sessions were not closed. Thanks to Ansuel Smith for reporting it. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: add package for openssl.cnf, misc changesEneas U de Queiroz2019-02-122-8/+28
| | | | | | | | | | | | - Add the /etc/ssl/openssl.cnf as a separate package, to avoid breaking the transitional mechanism, allowing libopenssl_1.0* and libopenssl_1.1* to coexist. - Remove the (selecting) dependency on @KERNEL_AIO - Use global SOURCE_DATE_EPOCH Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: optimizations based on ARCH/small flashEneas U de Queiroz2019-02-123-1/+98
| | | | | | | | | | | | | | | | | | | Add a patch to enable the option to change the default ciphersuite list ordering to prefer ChaCha20 over AES-GCM. This is used by default for all platforms, except for x86_64 and aarch64. The assumption is that only the latter have AES-specific CPU instructions and asm code that uses them in openssl. Chacha20Poly1305 is 3x faster than AES-256 in systems without AES instructions, with an equivalent strength. Disable error messages by default except for devices with small flash or RAM, to aid debugging. Disable ASM by default on arm platform with small flash. Size difference on mips and powerpc, the other platforms with small flash devices, are not really relevant (using 100K as a threshold). All of the affected platforms are source-only anyway. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: update to version 1.1.1aEneas U de Queiroz2019-02-1222-492/+774
| | | | | | | | | | | | | | | | | | | | | | | This version adds the following functionality: * TLS 1.3 * AFALG engine support for hardware accelleration * x25519 ECC curve support * CRIME protection: disable use of compression by default * Support for ChaCha20 and Poly1305 Patches fixing bugs in the /dev/crypto engine were applied, from https://github.com/openssl/openssl/pull/7585 This increses the size of the ipk binray on MIPS32 by about 32%: old: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk 239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: add configuration options, disable ssl3Eneas U de Queiroz2019-02-1214-476/+376
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Adds the following configuration options: * using optimized assembler code (was always on before) * use of x86 SSE2 instructions * dyanic engine support * include error messages * Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms * RFC3779, CMS protocols * VIA padlock hardware acceleration engine Installs openssl.cnf with the library as it is used by engines independent of the openssl util. Fixes DTLS option that was innefective before. Disables insecure SSL3 protocol and SHA0. Adds openwrt-specific targets to Configure script, including asm support for i386, ppc and mips64. Strips building dirs from CFLAGS shown in binary. Skips the fuzz directory during build. Removed include/crypto/devcrypto.h that was included here, to use the cryptodev-linux package, now that it was been moved from the packages feed to the main openwrt repository. This decreses the size of the ipk binray on MIPS32 by about 3.3%: old: 706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk new: 693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk 193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
* openssl: update list of mirrorsSven Roederer2019-01-311-2/+2
| | | | | | Host "gd.tuwien.ac.at" does not exists anymore, so we replace it by "ftp.pca.dfn.de" from the official list of mirrors. Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
* openssl: bump to 1.0.2qSven Roederer2019-01-301-2/+2
| | | | | | | | | This fixes the following security problems: * CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication * CVE-2018-0734: Timing vulnerability in DSA signature generation * Resolve a compatibility issue in EC_GROUP handling with the FIPS Object Module Signed-off-by: Sven Roederer <freifunk@it-solutions.geroedel.de>