aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* wolfssl: fix API breakage of SSL_get_verify_resultPetr Štetiar2022-02-221-0/+26
| | | | | | | | | | | | | | | | | | Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* openssl: configure engines with uciEneas U de Queiroz2022-02-225-62/+54
| | | | | | | | | | | | | | | | | | | | | | | | This uses uci to configure engines, by generating a list of enabled engines in /var/etc/ssl/engines.cnf from engines configured in /etc/config/openssl: config engine 'devcrypto' option enabled '1' Currently the only options implemented are 'enabled', which defaults to true and enables the named engine, and the 'force' option, that enables the engine even if the init script thinks the engine does not exist. The existence test is to check for either a configuration file /etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file /usr/lib/engines-1.1/%ENGINE%.so. The engine list is generated by an init script which is set to run after 'log' because it informs the engines being enabled or skipped. It should run before any service using OpenSSL as the crypto library, otherwise the service will not use any engine. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: configure engine packages during installEneas U de Queiroz2022-02-224-43/+111
| | | | | | | | | | | This enables an engine during its package's installation, by adding it to the engines list in /etc/ssl/engines.cnf.d/engines.cnf. The engine build system was reworked, with the addition of an engine.mk file that groups some of the engine packages' definitions, and could be used by out of tree engines as well. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: config engines in /etc/ssl/engines.cnf.dEneas U de Queiroz2022-02-2216-119/+82
| | | | | | | | | | | This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libnetfilter-conntrack: bump to 1.0.9Stijn Tintel2022-02-171-2/+2
| | | | | Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Jo-Philipp Wich <jo@mein.io>
* wolfssl: update to 5.1.1-stableSergey V. Lobanov2022-02-015-144/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bump from 4.8.1-stable to 5.1.1-stable Detailed release notes: https://github.com/wolfSSL/wolfssl/releases Upstreamed patches: 001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch - https://github.com/wolfSSL/wolfssl/commit/fa8f23284d4689c2a737204b337b58d966dcbd8c 002-Update-macro-guard-on-SHA256-transform-call.patch - https://github.com/wolfSSL/wolfssl/commit/f447e4c1fa4c932c0286fa0331966756e243db81 Refreshed patches: 100-disable-hardening-check.patch 200-ecc-rng.patch CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains configure option The size of the ipk changed on aarch64 like this: 491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk 520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk Tested-by: Alozxy <alozxy@users.noreply.github.com> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* libcap: Update to version 2.63Hauke Mehrtens2022-02-012-3/+5
| | | | | | | | | | | The sizes of the ipk changed on MIPS 24Kc like this: 11248 libcap_2.51-1_mips_24kc.ipk 14461 libcap_2.63-1_mips_24kc.ipk 18864 libcap-bin_2.51-1_mips_24kc.ipk 20576 libcap-bin_2.63-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Update to version 2.16.12Hauke Mehrtens2022-02-011-2/+2
| | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* ustream-ssl: update to Git version 2022-01-16Hauke Mehrtens2022-01-161-4/+4
| | | | | | 868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* elfutils: Add missing musl-fts dependencyFlorian Fainelli2022-01-071-1/+1
| | | | | | | | libdw depends on libfts.so when building with the musl-libc library, add this missing dependency. Fixes: 6835ea13f0fa ("elfutils: update to 0.186") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
* mbedtls: enable session ticketsGlenn Strauss2022-01-081-18/+0
| | | | | | | | | | session tickets are a feature of TLSv1.2 and require less memory and overhead on the server than does managing a session cache Building mbedtls with support for session tickets will allow the feature to be used with lighttpd-1.4.56 and later. Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* elfutils: update to 0.186Sergey V. Lobanov2022-01-087-145/+30
| | | | | | | | | | | | | | | | | | | | | Upstreamed patches (deleted): 0001-ppc_initreg.c-Incliude-asm-ptrace.h-for-pt_regs-defi.patch - https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=8382833a257b57b0d288be07d2d5e7af6c102869 110-no-cdefs.patch - https://sourceware.org/git/?p=elfutils.git;a=commitdiff;h=d390548df1942e98a1d836269a5e41ba52e121f1 Auto-refreshed: 006-Fix-build-on-aarch64-musl.patch 101-no-fts.patch Manually updated and refreshed: 005-build_only_libs.patch 003-libintl-compatibility.patch 100-musl-compat.patch Disabled _obstack_free check (via configure vars) Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* toolchain: glibc: Update to version 2.34Hauke Mehrtens2022-01-071-4/+1
| | | | | | | | | | | | glibc version 2.34 does not provide versioned shared libraries any more, it only provides shared libraries using the ABI version. Do not try to copy them any more. The functions from libpthread and librt were integrated into the main binary, the libpthread.so and librt.so are only used for backwards compatibility any more. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* openssl: bump to 1.1.1mEneas U de Queiroz2022-01-013-14/+7
| | | | | | | | | | | | | This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libs/wolfssl: add SAN (Subject Alternative Name) supportSergey V. Lobanov2021-12-292-2/+7
| | | | | | | | | x509v3 SAN extension is required to generate a certificate compatible with chromium-based web browsers (version >58) It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* tcpdump: libpcap: Remove http://www.us.tcpdump.org mirrorHauke Mehrtens2021-12-271-2/+1
| | | | | | | | The http://www.us.tcpdump.org mirror will go offline soon, only use the normal download URL. Reported-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libunwind: add ppc64 supportStijn Tintel2021-12-212-2/+31
| | | | | | | | Backport an upstream patch to make libunwind build on ppc64, and add powerpc64 to the dependencies. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
* nettle: disable assembler on ppc64Stijn Tintel2021-12-211-1/+2
| | | | | | | | | | | | As of version 3.7, Nettle added PowerPC64 assembly for several algorithms. Unfortunately, they cause build to fail due to ABI mismatch: gcm-hash.o: ABI version 1 is not compatible with ABI version 2 output Disable assembler when ppc64 and musl are used for now. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
* openssl: add ppc64 supportStijn Tintel2021-12-213-2/+69
| | | | | | | | | | | | | | Backport an upstream patch that adds support for ELFv2 ABI on big endian ppc64. As musl only supports ELFv2 ABI on ppc64 regardless of endianness, this is required to be able to build OpenSSL for ppc64be. Modify our targets patch to add linux-powerpc64-openwrt, which will use the linux64v2 perlasm scheme. This will probably break the combination ppc64 with glibc, but as we really only want to support musl, this shouldn't be a problem. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
* libnl-tiny: update to the latest versionHauke Mehrtens2021-12-141-4/+4
| | | | | | 8e0555f attr.h: Add NLA_PUT_S32 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libnftnl: bump to 1.2.1Stijn Tintel2021-12-011-2/+2
| | | | | | This version is required by nftables 1.0.1. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* gettext: remove packageRosen Penev2021-11-2011-1403/+0
| | | | | | | This package was necessary when uClibc was in the tree. Now that uClibc is gone, this can go too. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* pcre: bring back C++ bindingsRosen Penev2021-11-201-2/+15
| | | | | | | It seems some people use them privately. Reported-by: Jan Kardell <jan.kardell@telliq.com> Signed-off-by: Rosen Penev <rosenp@gmail.com>
* readline: disable shared library for hostRosen Penev2021-11-201-0/+1
| | | | | | | | | Allows to avoid rpath hacks with at least softethervpn. --with-pic is needed as it's not default with static libraries, only shared ones. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* libjson-c: don't build shared host librariesRosen Penev2021-11-201-3/+1
| | | | | | Avoids having to deal with various rpath hacks. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* libubox: update to git HEADDaniel Golle2021-11-201-4/+4
| | | | | | | | | cce5e35 vlist: define vlist_for_each_element_safe This is change affects only a macro in headers and hence it is not required to bump ABI_VERSION. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libubox: bump to git HEADStijn Tintel2021-11-041-3/+3
| | | | | | | | | 123e976 uloop: restore return type of uloop_timeout_remaining 3344157 uloop: add uloop_timeout_remaining64 c87d3e1 lua/uloop: use uloop_timeout_remaining64 c86a894 uloop: deprecate uloop_timeout_remaining Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* libubox: bump to git HEADStijn Tintel2021-11-041-4/+4
| | | | | | | be3dc72 uloop: avoid integer overflow in tv_diff Fixes: FS#3943 Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* toolchain: Allow sanitizer on mips and mipselHauke Mehrtens2021-11-031-2/+2
| | | | | | | Support for libsanitizer on MIPS 32 and MIPSEL 32 was added with GCC 9. MIPS 64 and ARC are still not supported. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* elfutils: enable host buildLucian Cristian2021-11-011-0/+8
| | | | | | | | | | frr 8.0 needs host libelf dev add option for host build tested on x86, ramips, kirkwood Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com> [changed commit author's email] Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* libsepol: update to version 3.3Dominick Grift2021-10-311-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update VERSIONs to 3.3 for release. libsepol/cil: Fix potential undefined shifts libsepol: Fix potential undefined shifts Update VERSIONs to 3.3-rc3 for release. libsepol/cil: Do not skip macros when resolving until later passes libsepol/cil: Limit the amount of reporting for bounds failures libsepol/cil: silence clang void-pointer-to-enum-cast warning libsepol: resolve GCC warning about null-dereference libsepol: use correct cast libsepol: ebitmap: mark nodes of const ebitmaps const Update VERSIONs to 3.3-rc2 for release. libsepol/cil: Handle operations in a class mapping when verifying libsepol/cil: Do not use original type and typeattribute datums libsepol: free memory after policy validation libsepol: avoid implicit conversions libsepol: fix typo libsepol/cil: Free duplicate datums in original calling function libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772) Update VERSIONs and Python bindings version to 3.3-rc1 for release libsepol/cil: Limit the number of active line marks libsepol/cil: Add function to get number of items in a stack libsepol: Fix detected RESOURCE_LEAKs libsepol/cil: Fix syntax checking in __cil_verify_syntax() libsepol/cil: Use size_t for len in __cil_verify_syntax() libsepol/cil: Remove redundant syntax checking libsepol/cil: Improve in-statement to allow use after inheritance libsepol/cil: Simplify cil_tree_children_destroy() libsepol/cil: Refactor the function __cil_build_ast_node_helper() libsepol/cil: Don't destroy optionals whose parent will be destroyed libsepol/cil: Properly check for parameter when inserting name libsepol/cil: Reset expandtypeattribute rules when resetting AST libsepol/cil: Properly check parse tree when printing error messages libsepol/cil: Allow some duplicate macro and block declarations libsepol/cil: When writing AST use line marks for src_info nodes libsepol/cil: Report correct high-level language line numbers libsepol/cil: Add line mark kind and line number to src info libsepol/cil: Create common string-to-unsigned-integer functions libsepol/cil: Push line mark state first when processing a line mark libsepol/cil: Check for valid line mark type immediately libsepol/cil: Check the token type after getting the next token libsepol/cil: Check syntax of src_info statement libsepol/cil: move the fuzz target and build script to the selinux repository libsepol: replace strerror by %m libsepol/cil: remove obsolete comment libsepol/cil: do not allow \0 in quoted strings libsepol/cil: Fix handling category sets in an expression libsepol: assure string NUL-termination of ibdev_name libsepol: avoid implicit conversions libsepol: ignore UBSAN false-positives libsepol: avoid unsigned integer overflow libsepol/cil: Improve checking for bad inheritance patterns libsepol: silence -Wextra-semi-stmt warning libsepol/cil: do not override previous results of __cil_verify_classperms libsepol/cil: Provide option to allow qualified names in declarations libsepol/cil: make array cil_sym_sizes const libsepol/cil: Only reset AST if optional has a declaration libsepol/cil: Add function to determine if a subtree has a declaration libsepol/cil: Improve degenerate inheritance check libsepol/cil: Reduce the initial symtab sizes for blocks libsepol/cil: Check for empty list when marking neverallow attributes libsepol/cil: Fix syntax checking of defaultrange rule libsepol/cil: Properly check for loops in sets libsepol/cil: Allow duplicate optional blocks in most cases libsepol: declare read-only arrays const libsepol: declare file local variable static libsepol: drop unnecessary casts libsepol: drop repeated semicolons libsepol/cil: avoid using maybe uninitialized variables libsepol/cil: drop unnecessary casts libsepol/cil: drop dead store libsepol/cil: drop extra semicolon libsepol/cil: silence cast warning libsepol: remove dead stores libsepol: do not allocate memory of size 0 libsepol: mark read-only parameters of type_set_ interfaces const libsepol: mark read-only parameters of ebitmap interfaces const libsepol: remove dead stores libsepol/cil: follow declaration-after-statement libsepol: follow declaration-after-statement libsepol: avoid unsigned integer overflow libsepol: remove unused functions libsepol: resolve missing prototypes libsepol: fix typos libsepol: Quote paths when generating policy.conf from binary policy libsepol/cil: Account for anonymous category sets in an expression libsepol/cil: Fix anonymous IP address call arguments libsepol: quote paths in CIL conversion libsepol/cil: Resolve anonymous levels only once libsepol/cil: Pointers to datums should be set to NULL when resetting libsepol/cil: Resolve anonymous class permission sets only once libsepol/cil: Limit the number of open parenthesis allowed libsepol/cil: Destroy the permission nodes when exiting with an error libsepol/cil: Handle disabled optional blocks in earlier passes libsepol/cil: Do not resolve arguments to declarations in the call libsepo/cil: Refactor macro call resolution libsepol/cil: Do not add NULL node when inserting key into symtab libsepol/cil: Make name resolution in macros work as documented libsepol/cil: Fix name resolution involving inherited blocks libsepol/cil: Check for self-referential loops in sets libsepol/cil: Return an error if a call argument fails to resolve libsepol/cil: Check datum in ordered list for expected flavor libsepol/cil: Detect degenerate inheritance and exit with an error libsepol/cil: Fix instances where an error returns SEPOL_OK libsepol/cil: Properly reset an anonymous classperm set libsepol: use checked arithmetic builtin to perform safe addition libsepol/cil: Add functions to make use of cil_write_ast() libsepol/cil: Create functions to write the CIL AST libsepol/cil: Use CIL_ERR for error messages in cil_compile() libsepol/cil: Make invalid statement error messages consistent libsepol/cil: Do not allow tunable declarations in in-statements libsepol/cil: Sync checks for invalid rules in macros libsepol/cil: Check for statements not allowed in optional blocks libsepol/cil: Sync checks for invalid rules in booleanifs libsepol/cil: Reorder checks for invalid rules when resolving AST libsepol/cil: Use AST to track blocks and optionals when resolving libsepol/cil: Create new first child helper function for building AST libsepol/cil: Cleanup build AST helper functions libsepol/cil: Reorder checks for invalid rules when building AST libsepol/cil: Move check for the shadowing of macro parameters libsepol/cil: Create function cil_add_decl_to_symtab() and refactor libsepol/cil: Refactor helper function for cil_gen_node() libsepol/cil: Allow permission expressions when using map classes libsepol/cil: Exit with an error if declaration name is a reserved word libsepol/cil: More strict verification of constraint leaf expressions libsepol/cil: Set class field to NULL when resetting struct cil_classperms libsepol/cil: cil_reset_classperms_set() should not reset classpermission libsepol/cil: Destroy classperm list when resetting map perms libsepol/cil: Destroy classperms list when resetting classpermission libsepol/cil: Fix out-of-bound read of file context pattern ending with "\" libsepol/cil: Check for duplicate blocks, optionals, and macros libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression libsepol: Enclose identifier lists in CIL constraint expressions libsepol/cil: Allow lists in constraint expressions libsepol: Enclose identifier lists in constraint expressions libsepol: Write "NO_IDENTIFIER" for empty constraint expression libsepol: make num_* unsigned int in module_to_cil libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs libsepol/cil: fix NULL pointer dereference in __cil_insert_name libsepol/cil: replace printf with proper cil_tree_log libsepol/cil: remove stray printf libsepol/cil: make cil_post_fc_fill_data static libsepol: Check kernel to CIL and Conf functions for supported versions libsepol: Remove unnecessary copying of declarations from link.c libsepol: Properly handle types associated to role attributes libsepol: Expand role attributes in constraint expressions Signed-off-by: Daniel Golle <daniel@makrotopia.org> [re-apply now that buildbot phase1 has caught up] Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* Revert "libsepol: update to version 3.3"Daniel Golle2021-10-291-3/+3
| | | | | | | | | This reverts commit de8a800ca9bda1171bfe17ee7653532465a8b596. Host build uses host includes instead of staging/hostpkg. This breaks the build in case of selinux host libs being older than version 3.3. Revert for now until better fix is found. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libsemanage: update to version 3.3Dominick Grift2021-10-281-4/+4
| | | | | | | | | | | | Update VERSIONs to 3.3 for release. Update VERSIONs to 3.3-rc3 for release. Update VERSIONs to 3.3-rc2 for release. Update VERSIONs and Python bindings version to 3.3-rc1 for release libsemanage: Fix USE_AFTER_FREE (CWE-672) in semanage_direct_write_langext() libsemanage: silence -Wextra-semi-stmt warning libsemanage: fix use-after-free in parse_module_store() Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* libselinux: update to version 3.3Dominick Grift2021-10-281-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update VERSIONs to 3.3 for release. libselinux: Fix potential undefined shifts Update VERSIONs to 3.3-rc3 for release. Update VERSIONs to 3.3-rc2 for release. libselinux/utils: drop requirement to combine compiling and linking Update VERSIONs and Python bindings version to 3.3-rc1 for release Improve error message for label file validation libselinux: replace strerror by %m libselinux: silence -Wextra-semi-stmt warning libselinux/utils/getseuser.c: fix build with gcc 4.8 selinux.8: document how mount flag nosuid affects SELinux libselinux: fix typo libselinux: improve getcon(3) man page libselinux: selinux_status_open: return 1 in fallback mode libselinux: do not use status page fallback mode internally libselinux: make selinux_status_open(3) reentrant libselinux: avc_destroy(3) closes status page libselinux: label_file.c: fix indent libselinux: regex: unify parameter names libselinux: sidtab_sid_stats(): unify parameter name libselinux: drop redundant casts to the same type libselinux: label_db::db_init(): open file with CLOEXEC mode libselinux: matchpathcon: free memory on realloc failure libselinux: label_file::init(): do not pass NULL to strdup libselinux: init_selinux_config(): free resources on error libselinux: matchmediacon(): close file on error libselinux: store_stem(): do not free possible non-heap object libselinux: getdefaultcon: free memory on multiple same arguments libselinux: setexecfilecon(): drop dead assignment libselinux: label_media::init(): drop dead assignment libselinux: label_x::init(): drop dead assignment libselinux: context_new(): drop dead assignment libselinux: exclude_non_seclabel_mounts(): drop unused variable libselinux: getconlist: free memory on multiple level arguments libselinux: selabel_get_digests_all_partial_matches: free memory after FTS_D block libselinux: selinux_restorecon: mark local variable static libselinux: avcstat: use standard length modifier for unsigned long long libselinux: sefcontext_compile: mark local variable static libselinux: Sha1Finalise(): do not discard const qualifier libselinux: label_common(): do not discard const qualifier libselinux: selinux_file_context_cmp(): do not discard const qualifier libselinux: sidtab_hash(): do not discard const qualifier libselinux: silence -Wstringop-overflow warning from gcc 10.3.1 libselinux: selinux_check_passwd_access_internal(): respect deny_unknown libselinux: do not duplicate make target when going into subdirectory Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* libsepol: update to version 3.3Dominick Grift2021-10-281-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Update VERSIONs to 3.3 for release. libsepol/cil: Fix potential undefined shifts libsepol: Fix potential undefined shifts Update VERSIONs to 3.3-rc3 for release. libsepol/cil: Do not skip macros when resolving until later passes libsepol/cil: Limit the amount of reporting for bounds failures libsepol/cil: silence clang void-pointer-to-enum-cast warning libsepol: resolve GCC warning about null-dereference libsepol: use correct cast libsepol: ebitmap: mark nodes of const ebitmaps const Update VERSIONs to 3.3-rc2 for release. libsepol/cil: Handle operations in a class mapping when verifying libsepol/cil: Do not use original type and typeattribute datums libsepol: free memory after policy validation libsepol: avoid implicit conversions libsepol: fix typo libsepol/cil: Free duplicate datums in original calling function libsepol/cil: Fix detected RESOURCE_LEAK (CWE-772) Update VERSIONs and Python bindings version to 3.3-rc1 for release libsepol/cil: Limit the number of active line marks libsepol/cil: Add function to get number of items in a stack libsepol: Fix detected RESOURCE_LEAKs libsepol/cil: Fix syntax checking in __cil_verify_syntax() libsepol/cil: Use size_t for len in __cil_verify_syntax() libsepol/cil: Remove redundant syntax checking libsepol/cil: Improve in-statement to allow use after inheritance libsepol/cil: Simplify cil_tree_children_destroy() libsepol/cil: Refactor the function __cil_build_ast_node_helper() libsepol/cil: Don't destroy optionals whose parent will be destroyed libsepol/cil: Properly check for parameter when inserting name libsepol/cil: Reset expandtypeattribute rules when resetting AST libsepol/cil: Properly check parse tree when printing error messages libsepol/cil: Allow some duplicate macro and block declarations libsepol/cil: When writing AST use line marks for src_info nodes libsepol/cil: Report correct high-level language line numbers libsepol/cil: Add line mark kind and line number to src info libsepol/cil: Create common string-to-unsigned-integer functions libsepol/cil: Push line mark state first when processing a line mark libsepol/cil: Check for valid line mark type immediately libsepol/cil: Check the token type after getting the next token libsepol/cil: Check syntax of src_info statement libsepol/cil: move the fuzz target and build script to the selinux repository libsepol: replace strerror by %m libsepol/cil: remove obsolete comment libsepol/cil: do not allow \0 in quoted strings libsepol/cil: Fix handling category sets in an expression libsepol: assure string NUL-termination of ibdev_name libsepol: avoid implicit conversions libsepol: ignore UBSAN false-positives libsepol: avoid unsigned integer overflow libsepol/cil: Improve checking for bad inheritance patterns libsepol: silence -Wextra-semi-stmt warning libsepol/cil: do not override previous results of __cil_verify_classperms libsepol/cil: Provide option to allow qualified names in declarations libsepol/cil: make array cil_sym_sizes const libsepol/cil: Only reset AST if optional has a declaration libsepol/cil: Add function to determine if a subtree has a declaration libsepol/cil: Improve degenerate inheritance check libsepol/cil: Reduce the initial symtab sizes for blocks libsepol/cil: Check for empty list when marking neverallow attributes libsepol/cil: Fix syntax checking of defaultrange rule libsepol/cil: Properly check for loops in sets libsepol/cil: Allow duplicate optional blocks in most cases libsepol: declare read-only arrays const libsepol: declare file local variable static libsepol: drop unnecessary casts libsepol: drop repeated semicolons libsepol/cil: avoid using maybe uninitialized variables libsepol/cil: drop unnecessary casts libsepol/cil: drop dead store libsepol/cil: drop extra semicolon libsepol/cil: silence cast warning libsepol: remove dead stores libsepol: do not allocate memory of size 0 libsepol: mark read-only parameters of type_set_ interfaces const libsepol: mark read-only parameters of ebitmap interfaces const libsepol: remove dead stores libsepol/cil: follow declaration-after-statement libsepol: follow declaration-after-statement libsepol: avoid unsigned integer overflow libsepol: remove unused functions libsepol: resolve missing prototypes libsepol: fix typos libsepol: Quote paths when generating policy.conf from binary policy libsepol/cil: Account for anonymous category sets in an expression libsepol/cil: Fix anonymous IP address call arguments libsepol: quote paths in CIL conversion libsepol/cil: Resolve anonymous levels only once libsepol/cil: Pointers to datums should be set to NULL when resetting libsepol/cil: Resolve anonymous class permission sets only once libsepol/cil: Limit the number of open parenthesis allowed libsepol/cil: Destroy the permission nodes when exiting with an error libsepol/cil: Handle disabled optional blocks in earlier passes libsepol/cil: Do not resolve arguments to declarations in the call libsepo/cil: Refactor macro call resolution libsepol/cil: Do not add NULL node when inserting key into symtab libsepol/cil: Make name resolution in macros work as documented libsepol/cil: Fix name resolution involving inherited blocks libsepol/cil: Check for self-referential loops in sets libsepol/cil: Return an error if a call argument fails to resolve libsepol/cil: Check datum in ordered list for expected flavor libsepol/cil: Detect degenerate inheritance and exit with an error libsepol/cil: Fix instances where an error returns SEPOL_OK libsepol/cil: Properly reset an anonymous classperm set libsepol: use checked arithmetic builtin to perform safe addition libsepol/cil: Add functions to make use of cil_write_ast() libsepol/cil: Create functions to write the CIL AST libsepol/cil: Use CIL_ERR for error messages in cil_compile() libsepol/cil: Make invalid statement error messages consistent libsepol/cil: Do not allow tunable declarations in in-statements libsepol/cil: Sync checks for invalid rules in macros libsepol/cil: Check for statements not allowed in optional blocks libsepol/cil: Sync checks for invalid rules in booleanifs libsepol/cil: Reorder checks for invalid rules when resolving AST libsepol/cil: Use AST to track blocks and optionals when resolving libsepol/cil: Create new first child helper function for building AST libsepol/cil: Cleanup build AST helper functions libsepol/cil: Reorder checks for invalid rules when building AST libsepol/cil: Move check for the shadowing of macro parameters libsepol/cil: Create function cil_add_decl_to_symtab() and refactor libsepol/cil: Refactor helper function for cil_gen_node() libsepol/cil: Allow permission expressions when using map classes libsepol/cil: Exit with an error if declaration name is a reserved word libsepol/cil: More strict verification of constraint leaf expressions libsepol/cil: Set class field to NULL when resetting struct cil_classperms libsepol/cil: cil_reset_classperms_set() should not reset classpermission libsepol/cil: Destroy classperm list when resetting map perms libsepol/cil: Destroy classperms list when resetting classpermission libsepol/cil: Fix out-of-bound read of file context pattern ending with "\" libsepol/cil: Check for duplicate blocks, optionals, and macros libsepol: Write "NO_IDENTIFIER" for empty CIL constraint expression libsepol: Enclose identifier lists in CIL constraint expressions libsepol/cil: Allow lists in constraint expressions libsepol: Enclose identifier lists in constraint expressions libsepol: Write "NO_IDENTIFIER" for empty constraint expression libsepol: make num_* unsigned int in module_to_cil libsepol/cil: do not leak avrulex_ioctl_table memory when an error occurs libsepol/cil: fix NULL pointer dereference in __cil_insert_name libsepol/cil: replace printf with proper cil_tree_log libsepol/cil: remove stray printf libsepol/cil: make cil_post_fc_fill_data static libsepol: Check kernel to CIL and Conf functions for supported versions libsepol: Remove unnecessary copying of declarations from link.c libsepol: Properly handle types associated to role attributes libsepol: Expand role attributes in constraint expressions Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
* wolfssl: enable ECC Curve 25519 by defaultStan Grishin2021-10-241-1/+1
| | | | | | | * fixes https://github.com/openwrt/packages/issues/16652 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898 Signed-off-by: Stan Grishin <stangri@melmac.net>
* uclibc++: removeRosen Penev2021-10-247-398/+0
| | | | | | | | | | | | | | | No package here depends on it. Furthermore, uClibc++ is a fairly buggy C++ library and seems to be relatively inactive upstream. It also lacks proper support for modern C++11 features. The main benefit of it is size: 66.6 KB vs 287.3 KB on mips24kc. Static linking and LTO can help bring the size down of packages that need it. Added warning message to uclibc++.mk Signed-off-by: Rosen Penev <rosenp@gmail.com> Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: fix compile when enable-devcrypto is setIvan Pavlov2021-10-211-0/+22
| | | | | | | fixing linking error when --enable-devcrypto=yes fixes: 7d92bb050961 wolfssl: update to 4.8.1-stable Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
* ncurses: add tmux terminfoJitao Lu2021-10-191-1/+3
| | | | | | | | | | They're preferred terminal descriptions for tmux, with additional support to some special characters and italic fonts. More info can be found at: https://github.com/tmux/tmux/wiki/FAQ Fixes: FS#3404 Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
* wolfssl: remove --enable-sha512 configure switchAndre Heider2021-10-171-2/+2
| | | | | | | | | | It's the default anyway and this just looks confusing, as if it wasn't. Switch to AUTORELEASE while at it. The binary size is unchanged. Signed-off-by: Andre Heider <a.heider@gmail.com>
* wolfssl: always build with --enable-reproducible-buildAndre Heider2021-10-171-0/+1
| | | | | | | | | | | This gates out anything that might introduce semantically frivolous jitter, maximizing chance of identical object files. The binary size shrinks by 8kb: 1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f Signed-off-by: Andre Heider <a.heider@gmail.com>
* wolfssl: build with WOLFSSL_ALT_CERT_CHAINSAndre Heider2021-10-171-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | "Alternate certification chains, as oppossed to requiring full chain validataion. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected." This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1]. The binary size increases by ~12.3kb: 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f [0] https://github.com/openwrt/packages/issues/16674 [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793 Signed-off-by: Andre Heider <a.heider@gmail.com> [bump PKG_RELEASE] Signed-off-by: David Bauer <mail@david-bauer.net>
* wolfssl: update to 4.8.1-stableIvan Pavlov2021-09-134-18/+11
| | | | | | | | | | | Changes from 4.7.0: Fix one high (OCSP verification issue) and two low vulnerabilities Improve compatibility layer Other improvements and fixes For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
* libjson-c: remove old math patchRosen Penev2021-08-302-45/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove old math patch meant for old GCC versions. It's not needed for GCC and causes issues with clang. Add CMake patch to identify clang properly and apply the proper flags. Fixes the following warnings/errors: json_pointer.c:230:7: warning: implicit declaration of function 'vasprintf' is invalid in C99 [-Wimplicit-function-declaration] rc = vasprintf(&path_copy, path_fmt, args); ^ json_pointer.c:317:7: warning: implicit declaration of function 'vasprintf' is invalid in C99 [-Wimplicit-function-declaration] rc = vasprintf(&path_copy, path_fmt, args); ^ /usr/include/bits/mathcalls.h:177:23: error: cannot redeclare builtin function '__builtin_isinf' __MATHDECL_ALIAS (int,isinf,, (_Mdouble_ __value), isinf) ^ /usr/include/bits/mathcalls.h:177:23: note: '__builtin_isinf' is a builtin with type 'int ()' /usr/include/bits/mathcalls.h:213:23: error: cannot redeclare builtin function '__builtin_isnan' __MATHDECL_ALIAS (int,isnan,, (_Mdouble_ __value), isnan) The clang patch is an upstream backport. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* openssl: bump to 1.1.1lEneas U de Queiroz2021-08-262-5/+4
| | | | | | | | | | | This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libubox: update to the latest versionFelix Fietkau2021-08-241-3/+3
| | | | | | d716ac4bc423 list.h: add a few missing iterator macros Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wolfssl: fix build with GCC 10 on 32 x86 targetsStijn Tintel2021-08-201-0/+123
| | | | | | Backport upstream patch to fix build with GCC 10 on 32 x86 targets. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* pcre: update to 8.45Rosen Penev2021-08-081-3/+3
| | | | | | Switch to AUTORELEASE to avoid manual increments. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* nettle: update to 3.7.3Rosen Penev2021-08-082-7/+7
| | | | | | | | Switch to AUTORELEASE to avoid manual increments. Refreshed patches. Signed-off-by: Rosen Penev <rosenp@gmail.com>
* mbedtls: update to 2.16.11Rosen Penev2021-08-081-3/+3
| | | | | | | | | Switched to AUTORELEASE to avoid manual increments. Release notes: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11 Signed-off-by: Rosen Penev <rosenp@gmail.com>