aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* mbedtls: update to 2.6.0 CVE-2017-14032Kevin Darbyshire-Bryant2017-09-302-30/+30
| | | | | | | | | | | | | | | Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com>
* uclient: update to 2017-09-06Matthias Schiffer2017-09-061-3/+3
| | | | | | | 24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses 83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* mbedtls: Re-allow SHA1-signed certificatesBaptiste Jonglez2017-08-112-1/+10
| | | | | | | | | | | | Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. This breaks openvpn clients that try to connect to servers that present a TLS certificate signed with SHA1, which is fairly common. Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. Fixes: FS#942 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* mbedtls: update to 2.5.1Magnus Kroken2017-06-262-27/+27
| | | | | | | | | | | | | | | Fixes some security issues (no remote exploits), and introduces some changes. See release notes for details: https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read() * Adds exponent blinding to RSA private operations * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()) * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* openssl: Use mkhash for STAMP_CONFIGUREDFlorian Fainelli2017-04-221-1/+1
| | | | | | | | | | | | | The current way of creating a STAMP_CONFIGURED filename for OpenSSL can lead to an extremely long filename that makes touch unable to create it, and fail the build. Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a shortert stamp file, Fixes #572 Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* libubox: fix host build on macOSFelix Fietkau2017-04-081-7/+0
| | | | | | Use the defaults instead of a custom non-portable Host/Install section Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libubox: add host buildJo-Philipp Wich2017-04-081-0/+14
| | | | | | Our opkg fork requires libubox to build, so add a host build for it. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mbedtls: update to version 2.4.2Hauke Mehrtens2017-03-132-4/+4
| | | | | | | | | This fixes the following security problems: * CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve * SLOTH vulnerability * Denial of Service through Certificate Revocation List Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libpcap: add optional netfilter supportMartin Schiller2017-03-012-2/+9
| | | | | | This is needed to use the nflog interface with tcpdump Signed-off-by: Martin Schiller <mschiller@tdt.de>
* mbedtls: add --function-sections and --data-sections to CFLAGSFelix Fietkau2017-03-011-0/+2
| | | | | | | This allows binaries that links these libraries statically to be reduced by using --gc-sections on link Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libpcap: remove feature dependencies on kmod-* packagesFelix Fietkau2017-03-011-2/+0
| | | | | | USB support could be built into the kernel as well Signed-off-by: Felix Fietkau <nbd@nbd.name>
* uclibc++: patch bugfix erase() on derived __base_associativeBen Kelly2017-03-011-0/+40
| | | | | | | | | | | | | | | | | When calling erase() on a containers derived from __base_associative (e.g. multimap) and providing a pair of iterators a segfault will occur. Example code to reproduce: typedef std::multimap<int, int> testmap; testmap t; t.insert(std::pair<int, int>(1, 1)); t.insert(std::pair<int, int>(2, 1)); t.insert(std::pair<int, int>(3, 1)); t.erase(t.begin(), t.end()); Signed-off-by: Ben Kelly <ben@benjii.net>
* libubox: Update to latest versionTed Hess2017-02-251-3/+3
| | | | | | 9d6305a utils: Change calloc_a() to return size_t aligned pointers Signed-off-by: Ted Hess <thess@kitschensync.net>
* libubox: update to the latest versionFelix Fietkau2017-02-251-3/+3
| | | | | | | | | | | | | | | Adds the following changes: de3f14b uloop: add uloop_cancelling function 3b6181b utils: fix build on Mac OS X 10.12 7f671b1 blobmsg: add support for double 0fe1374 utils: add helper functions useful for allocating a ring buffer 8fc1c30 libubox: replace strtok with _r version. 4a9f74f libubox: allow reading out the pid of uloop process in lua 372e1e6 uloop: remove useless epoll data assignment f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libtool: don't clobber host libtool infrastructureJo-Philipp Wich2017-02-011-7/+7
| | | | | | | | | | | | | | | | The libtool target package stages its files into the host staging directory and moves the libltdl library parts from there into the target staging directory afterwards. By doing so, the package essentially renders the host libtool infrastructure unusable, leading to the below error in subsequent package builds: libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool` Prevent this problem by using a dedicated libltdl install prefix in order to avoid overwriting and moving away preexisting files belonging to tools/libtool. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* openssl: update to version 1.0.2kHauke Mehrtens2017-01-286-13/+13
| | | | | | | | | This fixes the following security problems: CVE-2017-3731: Truncated packet could crash via OOB read CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64 CVE-2016-7055: Montgomery multiplication may produce incorrect results Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* zlib: Update to 1.2.11Daniel Engberg2017-01-211-3/+3
| | | | | | | | Update to 1.2.11 as suggested by upstream Also add SF as primary source and main site as fallback Note: SF doesn't carry the 1.2.11 update yet. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: add static files in staging_dirDomagoj Pintaric2017-01-161-0/+1
| | | | | Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
* ncurses: revert $(STAGING_DIR_HOSTPKG) to $(STAGING_DIR)/host where appropriateMatthias Schiffer2017-01-141-1/+1
| | | | | | | Host files installed in Build/InstallDev are target-specific and will stay in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* polarssl: remove packageFelix Fietkau2017-01-132-316/+0
| | | | | | | The mbedTLS 1.3 branch has been EOL since end of 2016 and now all remaining users have been converted. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* gettext-full: avoid using iconv for host buildsJo-Philipp Wich2017-01-111-1/+4
| | | | | | | | | | | The gettext-full host build might pick up iconv-stub host build headers during the build, leading to stray linker errors with unresolved references to libiconv_open(), libiconv() and libiconv_close(). Since we're not needing iconv support on the host, pass the appropriate cache variables to configure to prevent detection and linking of iconv. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* package: replace $(STAGING_DIR)/host with $(STAGING_DIR_HOSTPKG)Matthias Schiffer2017-01-105-14/+14
| | | | | | | | | Cleanup to prepare for changing STAGING_DIR_HOSTPKG. The actual change of STAGING_DIR_HOSTPKG (i.e., moving the host packages back into a common, not target-specific directory) will be done after the first LEDE release, but the cleanup will also be useful for projects like Gluon. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* libnl: Update to 3.2.29Daniel Engberg2017-01-101-3/+3
| | | | | | Update libnl to 3.2.29 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* cyassl: update to wolfssl version 3.10.0Hauke Mehrtens2017-01-101-3/+4
| | | | | | | This fixes a low level security vulnerability. Deactivate MIPS16 support, crypto code gets much slower with MIPS16. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ustream-ssl: remove legacy polarssl supportFelix Fietkau2017-01-091-12/+0
| | | | | | | The old polarssl 1.3 branch is EOL since end of 2016, and the package for it will be removed soon. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: re-enable CFB supportFelix Fietkau2017-01-091-9/+0
| | | | | | It is safe and required by some software, e.g. shadowsocks Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: re-enable RC4 support (needed by transmission and others)Felix Fietkau2017-01-081-9/+0
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* zlib: update to 1.2.10Magnus Kroken2017-01-071-2/+2
| | | | | | | * Fix bug in deflate_stored() for zero-length input * Fix bug in gzwrite.c that produced corrupt gzip files Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* elfutils: bump to 0.168Luiz Angelo Daros de Luca2017-01-036-218/+183
| | | | | | | | | | | Other changes: - Project moved to sourceware.org - musl patch where cleaned up and submitted upstream - TEMP_FAILURE_RETRY macro fixed and submitted upstream Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> [Jo-Philipp Wich: add missing .patch extension to 007-fix_TEMP_FAILURE_RETRY] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* gmp: Update to 6.1.2Daniel Engberg2017-01-031-2/+2
| | | | | | Update GMP to 6.1.2 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* zlib: Update to 1.2.9Daniel Engberg2017-01-031-3/+3
| | | | | | Update zlib to 1.2.9 and switch to XZ tarballs for download. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* libusb: Update to 1.0.21Daniel Engberg2017-01-031-2/+2
| | | | | | Update libusb to 1.0.21 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* uclient: Update to 2016-12-09Florian Fainelli2017-01-021-3/+3
| | | | | | | | | | Brings in the following changes: 52d955fd802a remove obsolete mac os x /opt/local include/library search path a4e49b4163b2 Fix unused results warnings 48cfff3fbec9 uclient-http: send correct "Host:" header if port is set Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* ustream-ssl: remove extra DEFAULT_VARIANT from libustream-polarsslHannu Nyman2016-12-301-2/+1
| | | | | | | | | Currently both libustream-polarssl and libustream-mbedtls variants define themselves as the DEFAULT_VARIANT Remove extra DEFAULT_VARIANT from libustream-polarssl. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
* mbedtls: enable DHE-RSA key exchangeMagnus Kroken2016-12-301-9/+0
| | | | | | | | | | | | Later OpenVPN 2.3-openssl versions only enable TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE cipher suites. ECDHE key exchange is not supported by OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE OpenVPN 2.4-mbedtls clients to connect to such servers. Signed-off-by: Magnus Kroken <mkroken@gmail.com> Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Reported-by: Lucian Cristian <luci@createc.ro>
* mbedtls: enable secp384r1 elliptic curve supportMagnus Kroken2016-12-301-2/+1
| | | | | | | | | Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to make OpenVPN-mbedtls clients able to perform ECDHE key exchange with remote OpenVPN 2.4-openssl servers that use the default OpenVPN curve. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: enable support for external private RSA keys to fix openvpn build issueFelix Fietkau2016-12-281-9/+0
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libpcap: Fix build when PACKAGECONFIG ipv6 is not enabledZefir Kurtisi2016-12-242-0/+108
| | | | | | | | | | | | | | | | | | Add patches provided upstream [1] by Fabio Berton to fix error: > ./gencode.c: In function 'pcap_compile': > ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai' > cstate.ai = NULL; > ^ > ./gencode.c: In function 'gen_gateway': > ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function) > bpf_error(cstate, "direction applied to 'gateway'"); > ^ [1] https://github.com/the-tcpdump-group/libpcap/pull/541 Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br> Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
* ncurses: rename libncursesw to libncurses (more common name)Felix Fietkau2016-12-221-4/+4
| | | | | | provide libncursesw via PROVIDES instead Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up and unify PKG_VERSION for git based downloadsFelix Fietkau2016-12-226-27/+15
| | | | | | Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE Signed-off-by: Felix Fietkau <nbd@nbd.name>
* gettext-full: enforce only static lib on the host buildAlexandru Ardelean2016-12-221-0/+2
| | | | | | | | | | | | | | | | | | | | Sometimes I'm getting error on the host-side build: ``` /usr/lib64/gcc/x86_64-suse-linux/4.8/../../../../x86_64-suse-linux/bin/ld: /home/sandu/work/lede/staging_dir/host/lib/liblzma.a(liblzma_la-common.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC /home/sandu/work/lede/staging_dir/host/lib/liblzma.a: error adding symbols: Bad value collect2: error: ld returned 1 exit status Makefile:2847: recipe for target 'libgettextlib.la' failed make[9]: *** [libgettextlib.la] Error 1 make[9]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl-1.1.15/host/gettext-0.19.8.1/gettext-tools/gnulib-lib' Makefile:2597: recipe for target 'all' failed ``` Disabling the shared-lib build, seems to fix this. This is when building glib2 on the host-side. glib2 is required by newer QEMU package [which is in the feeds]. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* ncurses: set ABI_VERSION to avoid running into rebuild issuesFelix Fietkau2016-12-201-0/+1
| | | | | | | When the version changes, this will force rebuild of packages depending on it. Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libs/cyassl: re-enable the stunnel flagFelix Fietkau2016-12-201-1/+3
| | | | | | | | This partially reverts commit 15734b023b7e04d12d258ea28bfb5e6e735f10b7. --enable-stunnel was actually important and properly described in commit 9b118cde898e. Removing it broke ustream-cyassl Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libnl-tiny: define _GNU_SOURCE if not definedAlexandru Ardelean2016-12-201-0/+2
| | | | | | | | If _GNU_SOURCE was added as part of a package's TARGET_CFLAGS, then compilation would fail for that module (especially if warnings get treated as errors). Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* libs/cyassl: Enable multithreading, drop stunnelDaniel Engberg2016-12-201-3/+1
| | | | | | | More and more platforms are multicore SoCs, don't enforce singlethreading. Drop stunnel option as stunnel code isn't available for download from upstream website. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* libs/ncurses: update to 6.0p-wassi2016-12-207-116/+32
| | | | | | Update libncurses to upstream release 6.0 Signed-off-by: Paul Wassi <p.wassi@gmx.at>
* treewide: clean up download hashesFelix Fietkau2016-12-1640-39/+40
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* libs/libpcap: update to 1.8.1p-wassi2016-12-148-202/+81
| | | | | | | | | | Update libpcap to upstream release 1.8.1 Change the name from libpcap.so.1.3 to libpcap.so.1 Remove parts of patch 201 which moved code among src files. Import patch 204 from Debian to update the USB path. Signed-off-by: Paul Wassi <p.wassi@gmx.at> Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix parallel build bug]
* mbedtls: tune config to reduce size and improve performanceFelix Fietkau2016-12-121-5/+43
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: sync with polarssl configFelix Fietkau2016-12-121-9/+80
| | | | | | | One of those changes is re-enabling blowfish support to make openvpn-mbedtls compatible with common configurations Signed-off-by: Felix Fietkau <nbd@nbd.name>