aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* openssl: fix CVE-2023-464 and CVE-2023-465Eneas U de Queiroz2023-04-173-1/+263
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply two patches fixing low-severity vulnerabilities related to certificate policies validation: - Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. - Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Note: OpenSSL also released a fix for low-severity security advisory CVE-2023-466. It is not included here because the fix only changes the documentation, which is not built nor included in any OpenWrt package. Due to the low-severity of these issues, there will be not be an immediate new release of OpenSSL. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* uclient: update to Git version 2023-04-13Matthias Schiffer2023-04-131-3/+3
| | | | | | | | | 007d94546749 uclient: cancel state change timeout in uclient_disconnect() 644d3c7e13c6 ci: improve wolfSSL test coverage dc54d2b544a1 tests: add certificate check against letsencrypt.org Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit 4f1c2e8deef10e9ca34ceff5a096e62aaa668e90)
* openssl: fix variable reference in conffilesEneas U de Queiroz2023-04-021-3/+3
| | | | | | | | | | | | | Fix the trivial abscence of $() when assigning engine config files to the main libopenssl-config package even if the corresponding engines were not built into the main library. This is mostly cosmetic, since scripts/ipkg-build tests the file's presence before it is actually included in the package's conffiles. Fixes: 30b0351039 "openssl: configure engine packages during install" Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit c75cd5f6028da6ceb1fb3438da93e2305cd720b1)
* openssl: bump to 1.1.1tJohn Audia2023-02-141-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes between 1.1.1s and 1.1.1t [7 Feb 2023] *) Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286) This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. [Hugo Landau] *) Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215) [Viktor Dukhovni, Matt Caswell] *) Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450) [Kurt Roeckx, Matt Caswell] *) Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304) [Dmitry Belyavsky, Hubert Kario] Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit 4ae86b3358a149a17411657b12103ccebfbdb11b) The original commit removed the upstreamed patch 010-padlock.patch, but it's not on OpenWrt 22.03, so it doesn't have to be removed. Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
* mbedtls: move source modification to patchDavid Bauer2023-01-182-3/+15
| | | | | | | | Patch the mbedtls source instead of modifying the compile-targets in the prepare buildstep within OpenWrt. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 00f1463df7e690862403208082f71fb4741baf02)
* treewide: Trigger reinstall of all wolfssl dependenciesHauke Mehrtens2023-01-011-1/+1
| | | | | | | | | The ABI of the wolfssl library changed a bit between version 5.5.3 and 5.5.4. This release update will trigger a rebuild of all packages which are using wolfssl to make sure they are adapted to the new ABI. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit ee47a28cec01c7943238bae45f65a98e4fc9abbe)
* wolfssl: update to 5.5.4-stableNick Hainke2023-01-013-36/+3
| | | | | | | | | | | | | | Remove upstreamed: - 001-Fix-enable-devcrypto-build-error.patch Refresh patch: - 100-disable-hardening-check.patch Release notes: https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 04634b2d8253972a3e7b663231474eb564e69077)
* mbedtls: update to version 2.28.2Hauke Mehrtens2022-12-312-6/+6
| | | | | | | | | | | | | | | | | | | | Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Fixes the following CVEs: * CVE-2022-46393: Fix potential heap buffer overread and overwrite in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. * CVE-2022-46392: An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) could recover an RSA private key after observing the victim performing a single private-key operation if the window size used for the exponentiation was 3 or smaller. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit af3c9b74e177019b18055c263099a42c1c6c3453)
* wolfssl: fix build with /dev/cryptoChukun Pan2022-12-221-0/+33
| | | | | | | | | | | Backport upstream patch to fix build error when /dev/crypto enabled. https://github.com/wolfSSL/wolfssl/commit/dc9f46a3be00b5e82684a158605189d1278e324c Fixes: #10944 Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> (cherry picked from commit 171691500eca0737c59d4fff50578b74a90583be)
* Revert "mbedtls: import patch to fix illegal instruction on mpc85xx"Nick Hainke2022-12-201-30/+0
| | | | | | | | | The commit was pushed into the branch to early. It does not help fixing illegal instruction bug on mpc85xx. That's why it should be reverted. This reverts commit de6c3cca4d2b523937403ae2959597a1e48c7351. Signed-off-by: Nick Hainke <vincent@systemli.org>
* ustream-ssl: update to Git version 2022-12-07Hauke Mehrtens2022-12-081-4/+4
| | | | | | | | | | 9217ab4 ustream-openssl: Disable renegotiation in TLSv1.2 and earlier 2ce1d48 ci: fix building with i.MX6 SDK 584f1f6 ustream-openssl: wolfSSL: provide detailed information in debug builds aa8c48e cmake: add a possibility to set library version Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 69f0c29b8b3339ef93c04f6c7f92481e8e223e2f)
* wolfssl: update to v5.5.3Nick Hainke2022-11-273-53/+3
| | | | | | | | | | | | | | | Remove "200-ecc-rng.patch" because it was upstramed by: https://github.com/wolfSSL/wolfssl/commit/e2566bab2122949a6a0bb2276d0a52598794d7d0 Refreshed "100-disable-hardening-check.patch". Fixes CVE 2022-42905. Release Notes: - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.3-stable Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 745f1ca9767716c43864a2b7a43ed60b16c25560)
* mbedtls: import patch to fix illegal instruction on mpc85xxNick Hainke2022-11-271-0/+30
| | | | | | Import patch as workaround for gcc-11.2.0. Signed-off-by: Nick Hainke <vincent@systemli.org>
* openssl: bump to 1.1.1sJohn Audia2022-11-0514-168/+2527
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes between 1.1.1r and 1.1.1s [1 Nov 2022] *) Fixed a regression introduced in 1.1.1r version not refreshing the certificate data to be signed before signing the certificate. [Gibeom Gwon] Changes between 1.1.1q and 1.1.1r [11 Oct 2022] *) Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. [Adam Joseph] *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was causing incorrect results in some cases as a result. [Paul Dale] *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases [Matt Caswell] *) Fixed a regression introduced in 1.1.1o for re-signing certificates with different key sizes [Todd Short] *) Added the loongarch64 target [Shi Pujin] *) Fixed a DRBG seed propagation thread safety issue [Bernd Edlinger] *) Fixed a memory leak in tls13_generate_secret [Bernd Edlinger] *) Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. [Bernd Edlinger] *) Added a missing header for memcmp that caused compilation failure on some platforms [Gregor Jasny] Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit a0814f04ed955eb10b25df0ce6666ed91f11ca1b)
* ncurses: add package CPE IDPetr Štetiar2022-10-231-0/+1
| | | | | | | | | Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 3826e72b8e100f1f1df742cce6e5567b98c080e4)
* libnftnl: add package CPE IDPetr Štetiar2022-10-231-0/+1
| | | | | | | | | Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit efb4324c36a024ae6340d85352fb6c766a27a821)
* treewide: fix security issues by bumping all packages using libwolfsslPetr Štetiar2022-10-041-1/+1
| | | | | | | | | | | | | | | | | | As wolfSSL is having hard time maintaining ABI compatibility between releases, we need to manually force rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise due to the ABI handling we would endup with possibly two libwolfssl libraries in the system, including the patched libwolfssl-5.5.1, but still have vulnerable services running using the vulnerable libwolfssl-5.4.0. So in order to propagate update of libwolfssl to latest stable release done in commit ec8fb542ec3e4 ("wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely exploitable vulnerabilities, we need to bump PKG_RELEASE of all packages using wolfSSL library. Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit f1b7e1434f66a3cb09cb9e70b40add354a22e458)
* wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)Petr Štetiar2022-10-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Fixes denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption. When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility of a malicious client to craft a malformed second ClientHello packet that causes the server to crash. This issue is limited to when using both --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3 servers, and having --enable-session-ticket, should update to the latest version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin. Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable Fixes: CVE-2022-39173 Fixes: https://github.com/openwrt/luci/issues/5962 References: https://github.com/wolfSSL/wolfssl/issues/5629 Tested-by: Kien Truong <duckientruong@gmail.com> Reported-by: Kien Truong <duckientruong@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit ec8fb542ec3e4f584444a97de5ac05dbc2a9cde5)
* wolfssl: refresh patchesPetr Štetiar2022-10-042-3/+3
| | | | | | | So they're tidy and apply cleanly. Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 8ad9a72cbed07643c7a8e4febbea71c7122b29a4)
* wolfssl: bump to 5.5.0Ivan Pavlov2022-10-044-28/+5
| | | | | | | | | | | Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch Some low severity vulnerabilities fixed OpenVPN compatibility fixed (broken in 5.4.0) Other fixes && improvements Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit 3d88f26d74f7771b808082cef541ed8286c40491)
* mbedtls: update to version 2.28.1Hauke Mehrtens2022-08-283-24/+46
| | | | | | | | | | | | Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1 This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. The build problem was reported upstream: https://github.com/Mbed-TLS/mbedtls/issues/6243 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit f3870546a544c39c6fde2e7e014394aa085d8057)
* zlib: backport null dereference fixPetr Štetiar2022-08-092-1/+30
| | | | | | | | | | | | | The curl developers found test case that crashed in their testing when using zlib patched against CVE-2022-37434, same patch we've backported in commit 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)"). So we need to backport following patch in order to fix issue introduced in that previous CVE-2022-37434 fix. References: https://github.com/curl/curl/issues/9271 Fixes: 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit f443e9de7003c00a935b9ea12f168e09e83b48cd)
* zlib: bump PKG_RELEASE after CVE fixPetr Štetiar2022-08-081-1/+1
| | | | | | | | | Fixing missed bump of PKG_RELEASE while backporting commit 7561eab8e86e ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") as package in master is using AUTORELEASE. Fixes: 7561eab8e86e ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)Petr Štetiar2022-08-081-0/+32
| | | | | | | | | | | | | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader. Fixes: CVE-2022-37434 References: https://github.com/ivd38/zlib_overflow Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 7df6795d4c25447683fd4b4a4813bebcddaea547)
* libmnl: fix build when bash is not located at /bin/bashMark Mentovai2022-08-051-0/+11
| | | | | | | | | | | | | This fixes the libmnl build on macOS, which ships with an outdated bash at /bin/bash. During the OpenWrt build, a modern host bash is built and made available at staging_dir/host/bin/bash, which is present before /bin/bash in the build's PATH. This is similar to 8f7ce3aa6dda, presently appearing at package/kernel/mac80211/patches/build/001-fix_build.patch. Signed-off-by: Mark Mentovai <mark@mentovai.com> (cherry picked from commit beeb49740bb4f68aadf92095984a2d1f9a488956)
* wolfssl: fix math library buildJohn Audia2022-07-311-0/+23
| | | | | | | | | | | | | | Apply upstream patch[1] to fix breakage around math libraries. This can likely be removed when 5.5.0-stable is tagged and released. Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B 1. https://github.com/wolfSSL/wolfssl/pull/5390 Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit c2aa816f28e0fe2f6f77d0c6da4eba19ea8db4ea)
* wolfssl: make shared againJo-Philipp Wich2022-07-302-2/+0
| | | | | | | | | | | | | | | Disable the usage of target specific CPU crypto instructions by default to allow the package being shared again. Since WolfSSL does not offer a stable ABI or a long term support version suitable for OpenWrt release timeframes, we're forced to frequently update it which is greatly complicated by the package being nonshared. People who want or need CPU crypto instruction support can enable it in menuconfig while building custom images for the few platforms that support them. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 0063e3421de4575e088bb428e758751931bbe6fd)
* wolfssl: Do not activate HW acceleration on armvirt by defaultHauke Mehrtens2022-07-201-1/+1
| | | | | | | | | | | | | | The armvirt target is also used to run OpenWrt in lxc on other targets like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the wolfssl binray is only working when the CPU supports the hardware crypto extension. Some targets like the Raspberry Pi do not support the ARM CPU crypto extension, compile wolfssl without it by default. It is still possible to activate it in custom builds. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d1b5d17d03c844ad578bb53b90ea17377bdc5eee)
* libpcap: fix PKG_CONFIG_DEPENDS for rpcapdJianhui Zhao2022-07-201-0/+2
| | | | | | | | This fix allows trigger a rerun of Build/Configure when rpcapd was selected. Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com> (cherry picked from commit 6902af4f3075154b5d1de207452a8a5668f95203)
* wolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DHPascal Ernster2022-07-201-0/+1
| | | | | | | | | | Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is enabled, resulting in an "Anonymous suite requires DH" error when trying to compile wolfssl. Signed-off-by: Pascal Ernster <git@hardfalcon.net> Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 21825af2dad0070affc2444ff56dc84a976945a2)
* openssl: bump to 1.1.1qDustin Lundquist2022-07-171-2/+2
| | | | | | | | | | | | | | | | | | Changes between 1.1.1p and 1.1.1q [5 Jul 2022] *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. (CVE-2022-2097) [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] Signed-off-by: Dustin Lundquist <dustin@null-ptr.net> (cherry picked from commit 3899f68b54b31de4b4fef4f575f7ea56dc93d965)
* wolfssl: bump to 5.4.0Eneas U de Queiroz2022-07-164-48/+4
| | | | | | | | | | | | This version fixes two vulnerabilities: -CVE-2022-34293[high]: Potential for DTLS DoS attack -[medium]: Ciphertext side channel attack on ECC and DH operations. The patch fixing x86 aesni build has been merged upstream. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 9710fe70a68e0a004b1906db192d7a6c8f810ac5) Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* wolfssl: re-enable AES-NI by default for x86_64Eneas U de Queiroz2022-07-152-6/+45
| | | | | | | | | | | Apply an upstream patch that removes unnecessary CFLAGs, avoiding generation of incompatible code. Commit 0bd536723303ccd178e289690d073740c928bb34 is reverted so the accelerated version builds by default on x86_64. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 639419ec4fd1501a9b9857cea96474271ef737b1)
* openssl: bump to 1.1.1pAndre Heider2022-07-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes between 1.1.1o and 1.1.1p [21 Jun 2022] *) In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068) [Daniel Fiala, Tomáš Mráz] *) When OpenSSL TLS client is connecting without any supported elliptic curves and TLS-1.3 protocol is disabled the connection will no longer fail if a ciphersuite that does not use a key exchange based on elliptic curves can be negotiated. [Tomáš Mráz] Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit eb7d2abbf06f0a3fe700df5dc6b57ee90016f1f1)
* wolfssl: disable AES-NI by default for x86_64Eneas U de Queiroz2022-06-271-1/+6
| | | | | | | | | | | | | WolfSSL is crashing with an illegal opcode in some x86_64 CPUs that have AES instructions but lack other extensions that are used by WolfSSL when AES-NI is enabled. Disable the option by default for now until the issue is properly fixed. People can enable them in a custom build if they are sure it will work for them. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0bd536723303ccd178e289690d073740c928bb34)
* libusb: fix missing linkLeo Soares2022-06-251-1/+1
| | | | | | | | | | adds `libusb-1.0.so` link on the target root again. Fixes: 43539a6aabbe ("libusb: make InstallDev explicit") Signed-off-by: Leo Soares <leo@hyper.ag> (added fixed tag, reworded commit) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit dc59a22f1d0f3a98eee9fa2043f03a764fbefe10)
* wolfssl: make WOLFSSL_HAS_OPENVPN default to yEneas U de Queiroz2022-06-091-1/+1
| | | | | | | | | | | | | Openvpn forces CONFIG_WOLFSSL_HAS_OPENVPN=y. When the phase1 bots build the now non-shared package, openvpn will not be selected, and WolfSSL will be built without it. Then phase2 bots have CONFIG_ALL=y, which will select openvpn and force CONFIG_WOLFSSL_HAS_OPENVPN=y. This changes the version hash, causing dependency failures, as shared packages expect the phase2 hash. Fixes: #9738 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: enable CPU crypto instructionsEneas U de Queiroz2022-06-092-0/+23
| | | | | | | | | | | | | | | | | | | This enables AES & SHA CPU instructions for compatible armv8, and x86_64 architectures. Add this to the hardware acceleration choice, since they can't be enabled at the same time. The package was marked non-shared, since the arm CPUs may or may not have crypto extensions enabled based on licensing; bcm27xx does not enable them. There is no run-time detection of this for arm. NOTE: Should this be backported to a release branch, it must be done shortly before a new minor release, because the change to nonshared will remove libwolfssl from the shared packages, but the nonshared are only built in a subsequent release! Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0a2edc2714dcda10be902c32525723ce2cbcb138)
* wolfssl: add benchmark utilityEneas U de Queiroz2022-06-091-3/+23
| | | | | | | This packages the wolfssl benchmark utility. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 18fd12edb810f9dfbf8410bb81f639df052134cb)
* wolfssl: don't change ABI because of hw cryptoEneas U de Queiroz2022-06-091-10/+21
| | | | | | | | | Enabling different hardware crypto acceleration should not change the library ABI. Add them to PKG_CONFIG_DEPENDS after the ABI version hash has been computed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 677774d445ced1a56e73fe62df47b4eb66441721)
* libubox: update to the latest versionFelix Fietkau2022-06-071-3/+3
| | | | | | | | | | f2d6752901f2 blob: clear buf->head when freeing a buffer 45210ce14136 list.h: add container_of_safe macro cfa372ff8aed blobmsg: implicitly reserve space for 0-terminator in string buf alloc d2223ef9da71 blobmsg: work around false positive gcc -Warray-bounds warnings Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 3e300e724b674b299d055d172a268c8cfa8489d2)
* openssl: bump to 1.1.1oEneas U de Queiroz2022-05-172-6/+6
| | | | | | | | | | | This release comes with a security fix related to c_rehash. OpenWrt does not ship or use it, so it was not affected by the bug. There is a fix for a possible crash in ERR_load_strings() when configured with no-err, which OpenWrt does by default. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 7a5ddc0d06895bde7538d78c8dad2c863d70f946)
* wolfssl: bump to v5.3.0-stableEneas U de Queiroz2022-05-173-45/+2
| | | | | | | | | | This is mostly a bug fix release, including two that were already patched here: - 300-fix-SSL_get_verify_result-regression.patch - 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 73c1fe2890baa5c0bfa46f53c5387f5e47de1acb)
* wolfssl: fix compilation with /dev/cryptoEneas U de Queiroz2022-04-201-0/+19
| | | | | | This is trivial fix of a duplicate definition of 'int ret'. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* readline: add host PICRosen Penev2022-04-171-0/+1
| | | | | | | | Python seems to fail to link to libreadline properly because of this. Not a fatal error but an error nontheless. Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit b363f7488643882b9c53a1e2c6db2a110703cc1d)
* musl-fts: add host buildRosen Penev2022-04-111-0/+2
| | | | | | | This will be used for libselinux. Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit 1fb099341e5879a8c5247020e5056676ba2f0745)
* wolfssl: bump to 5.2.0Eneas U de Queiroz2022-04-114-9/+7
| | | | | | | | | | | | | | | | | Fixes two high-severity vulnerabilities: - CVE-2022-25640: A TLS v1.3 server who requires mutual authentication can be bypassed. If a malicious client does not send the certificate_verify message a client can connect without presenting a certificate even if the server requires one. - CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS v1.3 server can have its certificate heck bypassed. If the sig_algo in the certificate_verify message is different than the certificate message checking may be bypassed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit e89f3e85eb1c1d81294e5d430a91b0ba625e2ec0)
* libmnl: update to 1.0.5Nick Hainke2022-04-101-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes: Duncan Roe (5): nlmsg: Fix a missing doxygen section trailer build: doc: "make" builds & installs a full set of man pages build: doc: get rid of the need for manual updating of Makefile build: If doxygen is not available, be sure to report "doxygen: no" to ./configure src: doc: Fix messed-up Netlink message batch diagram Fernando Fernandez Mancera (1): src: fix doxygen function documentation Florian Westphal (1): libmnl: zero attribute padding Guillaume Nault (1): callback: mark cb_ctl_array 'const' in mnl_cb_run2() Kylie McClain (1): examples: nfct-daemon: Fix test building on musl libc Laura Garcia Liebana (4): examples: add arp cache dump example examples: fix neigh max attributes examples: fix print line format examples: reduce LOCs during neigh attributes validation Pablo Neira Ayuso (3): doxygen: remove EXPORT_SYMBOL from the output include: add MNL_SOCKET_DUMP_SIZE definition build: libmnl 1.0.5 release Petr Vorel (1): examples: Add rtnl-addr-add.c Stephen Hemminger (1): examples: rtnl-addr-dump: fix typo igo95862 (1): doxygen: Fixed link to the git source tree on the website. Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit c3b738933981de601389794152534628b04555dc)
* libnfnetlink: update to 1.0.2Nick Hainke2022-04-102-23/+3
| | | | | | | | | | | | | | | | | | | | | | | | Changes: c63f193 bump version to 1.0.2 3cffa84 libnfnetlink: Check getsockname() return code 90ba679 include: Silence gcc warning in linux_list.h bb4f6c8 Make it clear that this library is deprecated e46569c Minimally resurrect doxygen documentation 5087de4 libnfnetlink: hide private symbols 62ca426 autogen: don't convert __u16 to u_int16_t efa1d8e src: Use stdint types everywhere 7a1a07c include: Sync with kernel headers 7633f0c libnfnetlink: initialize attribute padding to resolve valgrind warnings 94b68f3 configure: uclinux is also linux 617fe82 src: get source code license header in sync with current licensing terms 97a3960 build: resolve automake-1.12 warnings Removed the patch 100-missing_include.patch, libnfnetlink compiles fine with musl without this patch. Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit aecf088b3792d556c717510304729fa542ceb770)
* libselinux: add missing host-build dependency on libsepol/hostDaniel Golle2022-04-101-1/+1
| | | | | | | | | The host-build of libselinux requires libsepol/host. Add the libsepol/host to HOST_BUILD_DEPENDS to allow build on hosts which don't have libsepol installed. Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit 0d3850dc5af4896ab3679dc4d8ef9a664e5e705f)