path: root/package/libs
Commit message | Author | Age | Files | Lines
* libunwind: update to 1.6.2 | Nick Hainke | 2022-09-07 | 2 | -32/+3
  Remove upstreamed:
  - 001-Don-t-force-exec_prefix-lib64-libdir-on-ppc64.patch

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libsepol: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libselinux: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libnfnetlink: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libmnl: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libnl: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* jansson: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libusb: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libcap: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nettle: add PKG_CPE_ID | Nick Hainke | 2022-09-06 | 1 | -0/+1
  Add CPE ID for tracking CVEs.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* wolfssl: bump to 5.5.0 | Ivan Pavlov | 2022-09-02 | 4 | -28/+5
  Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch

  Some low severity vulnerabilities fixed
  OpenVPN compatibility fixed (broken in 5.4.0)
  Other fixes && improvements

  Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
* nettle: update to 3.8.1 | Nick Hainke | 2022-08-31 | 1 | -2/+2
  Release Notes:
  https://lists.gnu.org/archive/html/info-gnu/2022-07/msg00010.html

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* readline: update to 8.1.2 | Nick Hainke | 2022-08-31 | 1 | -2/+2
  Update to latest version.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* wolfssl: Rebuild when libwolfssl-benchmark gets changes | Hauke Mehrtens | 2022-08-28 | 1 | -0/+1
  This forces a rebuild of the wolfssl package when the
  libwolfssl-benchmark OpenWrt package gets activated or deactivated.
  Without this change the wolfssl build will fail when it was compiled
  without libwolfssl-benchmark before and it gets activated for the next
  build.

  Fixes: 18fd12edb810 ("wolfssl: add benchmark utility")
  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* popt: update to 1.18 | Nick Hainke | 2022-08-28 | 1 | -8/+5
  Changes from popt 1.16:
  - fix an ugly and ancient security issue with popt failing to drop
    privileges on alias exec from a SUID/SGID program
  - perform rudimentary sanity checks when reading in popt config files
  - collect accumulated misc fixes (memleaks etc) from distros
  - convert translations to utf-8 encoding
  - convert old postscript documentation to pdf
  - dust off ten years worth of autotools sediment
  - reorganize and clean up the source tree for clarity
  - remove the obnoxious splint annotations from the sources

  Switch to new mirror:
  http://ftp.rpm.org/popt/releases/

  Switch URL to:
  https://github.com/rpm-software-management/popt

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libnftnl: update to 1.2.3 | Nick Hainke | 2022-08-28 | 1 | -2/+2
  Changes:
  817c8b6 build: libnftnl 1.2.3 release
  84d12cf build: fix clang+glibc snprintf substitution error

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* mbedtls: update to version 2.28.1 | Hauke Mehrtens | 2022-08-28 | 3 | -24/+46
  Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.1
  This release of Mbed TLS provides bug fixes and minor enhancements. This
  release includes fixes for security issues.

  The build problem was reported upstream:
  https://github.com/Mbed-TLS/mbedtls/issues/6243

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* zlib: backport null dereference fix | Petr Štetiar | 2022-08-09 | 1 | -0/+29
  The curl developers found a test case that crashed in their testing when
  using zlib patched against CVE-2022-37434, the same patch we've backported
  in commit 7df6795d4c25 ("zlib: backport fix for heap-based buffer
  over-read (CVE-2022-37434)"). So we need to backport the following patch
  in order to fix the issue introduced in that previous CVE-2022-37434 fix.

  References: https://github.com/curl/curl/issues/9271
  Fixes: 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* jansson: revert ABI version bump | Jo-Philipp Wich | 2022-08-09 | 1 | -3/+3
  The soversion of the shipped libjansson.so library didn't change, so the
  ABI version change is unwarranted and leads to opkg file clashes.

  Also stop shipping an unversioned library symlink while we're at it as
  it is only needed at compile/link time and leads to file level clashes
  between packages on future ABI bumps.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* libtracefs: add Linux kernel trace file system library | Nick Hainke | 2022-08-06 | 1 | -0/+49
  Needed by trace-cmd.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libtraceevent: add Linux kernel trace event library | Nick Hainke | 2022-08-06 | 1 | -0/+74
  Needed by trace-cmd.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* elfutils: update to 0.187 | Nick Hainke | 2022-08-06 | 1 | -2/+2
  Changes:
  debuginfod: Support -C option for connection thread pooling.

  debuginfod-client: Negative cache file are now zero sized instead of
  no-permission files.

  addr2line: The -A, --absolute option, which shows file names including
  the full compilation directory is now the default. To get the
  old behavior use the new option --relative.

  readelf, elflint: Recognize FDO Packaging Metadata ELF notes

  libdw, debuginfo-client: Load libcurl lazily only when files need to
  be fetched remotely. libcurl is now never
  loaded when DEBUGINFOD_URLS is unset. And when
  DEBUGINFOD_URLS is set, libcurl is only loaded
  when the debuginfod_begin function is called.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* zlib: backport fix for heap-based buffer over-read (CVE-2022-37434) | Petr Štetiar | 2022-08-06 | 1 | -0/+32
  zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow
  in inflate in inflate.c via a large gzip header extra field. NOTE: only
  applications that call inflateGetHeader are affected. Some common
  applications bundle the affected zlib source code but may be unable to
  call inflateGetHeader.

  Fixes: CVE-2022-37434
  References: https://github.com/ivd38/zlib_overflow
  Signed-off-by: Petr Štetiar <ynezz@true.cz>
* libmnl: fix build when bash is not located at /bin/bash | Mark Mentovai | 2022-07-31 | 1 | -0/+11
  This fixes the libmnl build on macOS, which ships with an outdated bash
  at /bin/bash. During the OpenWrt build, a modern host bash is built and
  made available at staging_dir/host/bin/bash, which is present before
  /bin/bash in the build's PATH.

  This is similar to 8f7ce3aa6dda, presently appearing at
  package/kernel/mac80211/patches/build/001-fix_build.patch.

  Signed-off-by: Mark Mentovai <mark@mentovai.com>
* ustream-ssl: prevent unused crypto lib dependencies from being compiled | Boris Krasnovskiy | 2022-07-31 | 1 | -1/+1
  Prevented unused crypto lib dependencies from being compiled

  Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
* wolfssl: fix math library build | John Audia | 2022-07-31 | 1 | -0/+23
  Apply upstream patch[1] to fix breakage around math libraries.
  This can likely be removed when 5.5.0-stable is tagged and released.

  Build system: x86_64
  Build-tested: bcm2711/RPi4B
  Run-tested: bcm2711/RPi4B

  1. https://github.com/wolfSSL/wolfssl/pull/5390

  Signed-off-by: John Audia <therealgraysky@proton.me>
* libcap: update to 2.65 | Nick Hainke | 2022-07-30 | 1 | -2/+2
  Changes:
  a47d86d Up the release version to 2.65
  fc99e56 Include more signatures in pgp.keys.asc.
  52288cc Close out this comment in the go/Makefile
  eb0f1df Prevent 'capsh --user=xxx --' from generating a bash error.
  9a95791 Improve documentation for cap_get_pid and cap_reset_ambient.
  21d08b0 Fix syntax error in DEBUG protected setcap.c code.
  9425048 More useful captree usage string and man page.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libcap: update to 2.64 | Nick Hainke | 2022-07-30 | 1 | -2/+2
  Changes:
  38cfa2e Up the release version to 2.64
  7617af6 Avoid a deadlock in forked psx thread exit.
  fc029cb Include LIBCAP_{MAJOR,MINOR} #define's in sys/capability.h
  ceaa591 Clarify how the cap_get_pid() argument is interpreted.
  15cacf2 Fix prctl return code/errno handling in libcap.
  aae9374 Be explicit about CGO_ENABLED=1 for compare-cap build.
  66a8a14 psx: free allocated memory at exit.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* wolfssl: make shared again | Jo-Philipp Wich | 2022-07-30 | 2 | -2/+0
  Disable the usage of target specific CPU crypto instructions by default
  to allow the package being shared again. Since WolfSSL does not offer
  a stable ABI or a long term support version suitable for OpenWrt release
  timeframes, we're forced to frequently update it which is greatly
  complicated by the package being nonshared.

  People who want or need CPU crypto instruction support can enable it in
  menuconfig while building custom images for the few platforms that support
  them.

  Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wolfssl: Do not activate HW acceleration on armvirt by default | Hauke Mehrtens | 2022-07-20 | 1 | -1/+1
  The armvirt target is also used to run OpenWrt in lxc on other targets
  like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the
  wolfssl binary is only working when the CPU supports the hardware crypto
  extension.

  Some targets like the Raspberry Pi do not support the ARM CPU crypto
  extension, compile wolfssl without it by default. It is still possible
  to activate it in custom builds.

  Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libiconv-full: add host build | Rosen Penev | 2022-07-17 | 1 | -0/+7
  Now that libiconv-stub is gone, a replacement for its host build is
  needed.

  Fixes: c0ba4201f837 ("libiconv-stub: remove")
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
  Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* mbedtls: build with PIC | Rosen Penev | 2022-07-17 | 1 | -0/+1
  Fixes compilation with GCC12 and dependent packages for some reason.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* wolfssl: bump to 5.4.0 | Eneas U de Queiroz | 2022-07-16 | 4 | -48/+4
  This version fixes two vulnerabilities:
  -CVE-2022-34293[high]: Potential for DTLS DoS attack
  -[medium]: Ciphertext side channel attack on ECC and DH operations.

  The patch fixing x86 aesni build has been merged upstream.

  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libiconv-stub: remove | Rosen Penev | 2022-07-15 | 31 | -1942/+0
  No longer used.

  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* libtool: update to 2.4.7 | Nick Hainke | 2022-07-10 | 1 | -3/+3
  Changes:
  6d7ce133 version 2.4.7
  b4a37606 NEWS: roll-back manually filled NEWS versioning
  33615a45 NEWS: fill entries for past commits
  f5eb6f11 libltdl: bump libltdl.la version-info.
  28fbcb6a libtool: correct linter syntax complaints in M4
  7e69e441 gnulib: update submodule to new repository.
  2dc7dad7 maint: update copyrights across project.
  b55b1cc8 libtool: Do not pass '-pthread' to Solaris linker.
  960a33e4 docs: manually recording dependencies in Automake
  78652682 tests: remove deprecated old-ltdl-iface.at test.
  f51eddf0 * libtool: Bump M4 serial versions and add missing AC_PROG_SED to ltdl.m4
  ccc878dd libtool: replace raw invocations of sed with $SED
  5df7dd49 libtool: add support for MidnightBSD
  8f4bdbda libtool: powerpc 10.5 detection without a deployment target
  9e8c8825 libtool: support macOS 11
  0904164d libtool: correct m4 quoting in sed expression
  da2e3527 libtool: replace some references to /usr/bin/file and /bin/sh
  1b74d784 libtool: Add -Wa,* link-mode flag for assembler pass-thru
  86d71e86 libtool: Pass -Xassembler flag and arguments to compiler
  fc7779d7 maint: update Bootstrap git module
  0c1bc69d maint: update copyrights across project.
  28fb394f maint: update AUTHORS, copyright date.
  b9b44533 bootstrap: use $gnulib_clone_since
  544fc0e2 maint: update bootstrap, gnulib, copyright dates
  b88cebd5 maint: update bootstrap, gnulib, copyright dates
  99bd0948 libtool: add icl.exe support
  6ca5e224 docs: typo in 'win32-dll' description
  1bfb11a4 libtool: quote 'cd' command in shipped relink_command
  722b6af0 doc: fix typos in --mode=install invocations
  350082b6 libtool: exit verbosely for fatal configure problems
  792b6807 maint: update copyright years
  f003a1f9 libltdl: handle ENOMEM in lt_dlloader_remove()
  08c5524f bootstrap: use the upstream repo as git module
  a938703c libtool: set file_list_spec to '@' on OS/2
  f10e22c2 tests: fix $objdir hardcoding check with CFLAGS=-g3
  f9970d99 libtool: pass through -fuse-ld flags
  d7c8d3b4 m4/libtool.m4: FreeBSD elftoolchain strip support
  807cbd63 libtoolize: exec automake and autoconf only with --help
  40bc0628 edit-readme-alpha: generate the "stable" README properly
  b89a47ea maint: fix for 'make sc_immutable_NEWS' hints
  bb8e7b4a maint: update copyright years
  b5d44b84 libltdl: handle ENOMEM sooner
  5944fdcc gl: minor typo fixes
  49856679 gl-tests: dash && option-parser test fix
  a5c64665 libtool: fix GCC/clang linking with -fsanitize=*
  ae816ace gl-tests: make the failure more readable
  d15b3214 m4/libtool.m4: export AIX TLS symbols
  aabc46ac gl/tests: new tests for options-parser
  dc8bd92d gl/funclib.sh: func_quotefast_eval & tilde fix
  a3c6e99c syntax-check: fix sed syntax errors
  f323f10d gl/tests: new tests for func_quote* family
  ed4f739f check: enable gnulib's testsuite
  9187e9a2 funclib: refactor quoting methods a bit
  16dbc070 libtool: optimizing options-parser hooks
  32f0df98 libtool: mitigate the $sed_quote_subst slowdown
  b7b6ec33 gnulib: sync with upstream
  5859cc50 maint: relax 'sc_prohibit_test_dollar' check
  418129bc ARFLAGS: use 'cr' instead of 'cru' by default
  4335de1d libool.m4: add ARFLAGS variable
  0f842177 maint: put newline after 'Subject' in ChangeLog
  03ec5f49 gnulib: sync with upstream
  351a88fe libtoolize: fix infinite recursion in m4
  de7b2cb2 bootstrap: fix race in temporary Makefile
  702a97fb libtool: fix GCC linking with -specs=*
  4ff16210 maint: demote myself from maintainer to former maintainer.
  c12d38e4 maint: post-release administrivia

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libusb: update to 1.0.26 | Nick Hainke | 2022-07-10 | 1 | -3/+3
  Add libatomic as dependency.

  Changelog:
  2022-04-10: v1.0.26
  * Fix regression with transfer free's after closing device
  * Fix regression with destroyed context if API is misused
  * Workaround for applications using missing default context
  * Fix hotplog enumeration regression
  * Fix Windows isochronous transfer regression since 1.0.24
  * Fix macOS exit crash in some multi-context cases
  * Build fixes for various platforms and configurations
  * Fix Windows HID multi-interface product string retrieval
  * Update isochronous OUT packet actual lengths on Windows
  * Add interface bound checking for broken devices
  * Add umockdev tests on Linux

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libusb: update to 1.0.25 | Nick Hainke | 2022-07-10 | 3 | -92/+2
  Remove upstreamed patches:
  - 001-Correct-a-typo-in-the-Changelog-and-clean-up-a-stray.patch
  - 002-linux_usbfs-Fix-parsing-of-descriptors-for-multi-con.patch

  Changelog:
  2022-01-31: v1.0.25
  * Linux: Fix regression with some particular devices
  * Linux: Fix regression with libusb_handle_events_timeout_completed()
  * Linux: Fix regression with cpu usage in libusb_bulk_transfer
  * Darwin (macOS): Add support for detaching kernel drivers with authorization.
  * Darwin (macOS): Do not drop partial data on timeout.
  * Darwin (macOS): Silence pipe error in set_interface_alt_setting().
  * Windows: Fix HID backend missing byte
  * Windows: Fix segfault with libusbk driver
  * Windows: Fix regression when using libusb0 driver
  * Windows: Support LIBUSB_TRANSFER_ADD_ZERO_PACKET on winusb
  * New NO_DEVICE_DISCOVERY option replaces WEAK_AUTHORITY option
  * Various other bug fixes and improvements

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* jansson: update to 2.14 | Nick Hainke | 2022-07-10 | 1 | -3/+3
  Changes (2021-09-09):
  * New Features:
    - Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and
      the corresponding `nocheck` functions.
  * Fixes:
    - Handle `sprintf` corner cases
  * Build:
    - Symbol versioning for all exported symbols
    - Fix compiler warnings
  * Documentation:
    - Small fixes
    - Sphinx 3 compatibility

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* jansson: cleanup and switch to codeload.github.com | Nick Hainke | 2022-07-10 | 1 | -4/+5
  - Rearrange Makefile.
  - Switch to codeload.github.com because it looks like new versions are
    no longer deployed at www.digip.org

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* libpcap: fix PKG_CONFIG_DEPENDS for rpcapd | Jianhui Zhao | 2022-07-10 | 1 | -0/+2
  This fix allows triggering a rerun of Build/Configure when
  rpcapd was selected.

  Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
* libnl: update to 3.7.0 | Nick Hainke | 2022-07-10 | 1 | -2/+2
  Changes:
  1bb4162 libnl-3.7.0 release
  897ec9c route: act: Allow full set of actions on gact,skbedit,mirred
  00e46f1 Use print() function in both Python 2 and Python 3
  083c1b6 sriov: fix setting ce_mask when parsing VF stat counter
  2e9a4f7 Fix typos and errors
  cc87ad2 changelog: update URL to git history
  bde0b4c changelog: fix typos in ChangeLog
  44988e6 route: format recently added code with clang-format
  df6e38b route/act: add NAT action
  7304c42 route: format recently added code with clang-format
  f8eb218 cls: flower: extend flower API
  e5dc111 flower: use correct attribute when filling out flags
  df6058c tests: merge branch 'th/test-link'
  9772c1d tests: add unit tests for creating links
  4713b76 github: run unit tests several times and directly
  8025547 github: export NLTST_SEED_RAND= to randomize unit tests
  7efeca2 tests: add test utils
  f6f4d36 tests: reformat unit test files with clang-format
  135a706 utils: add _NL_AUTO_DEFINE_FCN_STRUCT() macro
  0ea11be utils: add _nl_thread_local macro
  9b04936 route: fix crash caused by parse_multipath() by wrong free()
  2effffe route/link: Set the cache ops when cloning a link
  5ecd56c route/link: add lock around rtnl_link_af_ops_put()
  e1a077a route/link: avoid accessing af_ops after af_free() in rtnl_link_set_family()
  3f4f1dd xfrm/sa: fix reference counters of sa selector addresses
  d3c783f all: merge branch 'th/coverity-fixes'
  23a75c5 xfrm: fix uninitalized variables in build_xfrm_ae_message()
  d52dbcb route: fix check for NULL in nh_encap_dump()
  1f61096 route/qdisc/mqprio: fix bufferoverflow and argument checking in rtnl_qdisc_mqprio_set_*()
  f918c3a route/sriov: fix buffer overflow in rtnl_link_sriov_parse_vflist()
  d4c7972 all: fix "-Wformat" warnings for nl_dump*()
  6b2f238 netlink/utils.h: mark nl_dump() with __attribute__((format(printf,a,b)))
  d3bd278 netlink/utils.h: add internal _nl_attribute_printf macro for public headers
  a30b26d socket: workaround undefined behavior coverity warning in generate_local_port()
  8acf6d5 nl-pktloc-lookup: fix buffer overflow when printing alignment
  bf3585f route/link/sriov: fix initializing vlans in rtnl_link_sriov_clone()
  dd06d22 route/qdisc/netem: fix bogus "%" in format string netem_dump_details()
  f50a802 route/u32: fix u32_dump_details() to print data
  fa79ee3 link/vrf: avoid coverity warning in rtnl_link_vrf_set_tableid() about CONSTANT_EXPRESSION_RESULT
  31380f8 utils: suppress coverity warning in nl_cli_load_module() about leaked handle
  aa398b5 route/ip6vti,ip6gre: fix printing invalid data in ip6{vti,gre}_dump_details()
  40683cc netlink/private: add internal helper utils
  6615dc0 route/link: workaround coverity warning about leak in rtnl_link_set_type()
  ff5ef61 all: avoid coverity warnings about assigning variable but not using it
  f58a3c0 route/mdb: check parser error in mdb_msg_parser() for nested MDBA_MDB attribute
  46506d3 route/mdb: add and use rtnl_mdb_entry_free() internal helper method
  46e85d2 route/mdb: fix leak in mdb_msg_parser()
  b0641dd route/mdb: add _nl_auto_rtnl_mdb cleanup macro
  d544105 route/mdb: fix buffer overflow in mdb_msg_parser()
  4d12b63 tests: silently ignore EACCES for setting uid_map for test namespace
  ec712a4 tests: cleanup unshare_user() and use _nltst_fclose()
  85e3c5d tests: add _assert_nltst_netns() helper
  39e4d8d github: test out-of-tree build and "--disable-static"
  d63e473 github: build documentation in CI test
  fa7f97f build: avoid building check-direct with --disable-static
  8c741a7 tools: fix aborting on failure in "tools/build_release.sh" script
  e2aa409 doc: fix markup error in "doc/route.txt"
  4f3b4f9 doc: fix python2-ism in "doc/resolve-asciidoc-refs.py"

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* wolfssl: re-enable AES-NI by default for x86_64 | Eneas U de Queiroz | 2022-07-08 | 2 | -6/+45
  Apply an upstream patch that removes unnecessary CFLAGs, avoiding
  generation of incompatible code.

  Commit 0bd536723303ccd178e289690d073740c928bb34 is reverted so the
  accelerated version builds by default on x86_64.

  Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: bump to 1.1.1q | Dustin Lundquist | 2022-07-07 | 1 | -2/+2
  Changes between 1.1.1p and 1.1.1q [5 Jul 2022]

  *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
     implementation would not encrypt the entirety of the data under some
     circumstances. This could reveal sixteen bytes of data that was
     preexisting in the memory that wasn't written. In the special case of
     "in place" encryption, sixteen bytes of the plaintext would be revealed.

     Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
     they are both unaffected.
     (CVE-2022-2097)
     [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]

  Signed-off-by: Dustin Lundquist <dustin@null-ptr.net>
* wolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DH | Pascal Ernster | 2022-07-06 | 1 | -0/+1
  Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is
  enabled, resulting in an "Anonymous suite requires DH" error when trying
  to compile wolfssl.

  Signed-off-by: Pascal Ernster <git@hardfalcon.net>
  Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: bump to 1.1.1p | Andre Heider | 2022-07-04 | 1 | -2/+2
  Changes between 1.1.1o and 1.1.1p [21 Jun 2022]

  *) In addition to the c_rehash shell command injection identified in
     CVE-2022-1292, further bugs where the c_rehash script does not
     properly sanitise shell metacharacters to prevent command injection have
     been fixed.

     When the CVE-2022-1292 was fixed it was not discovered that there
     are other places in the script where the file names of certificates
     being hashed were possibly passed to a command executed through the shell.

     This script is distributed by some operating systems in a manner where
     it is automatically executed. On such operating systems, an attacker
     could execute arbitrary commands with the privileges of the script.

     Use of the c_rehash script is considered obsolete and should be
     replaced by the OpenSSL rehash command line tool.
     (CVE-2022-2068)
     [Daniel Fiala, Tomáš Mráz]

  *) When OpenSSL TLS client is connecting without any supported elliptic
     curves and TLS-1.3 protocol is disabled the connection will no longer fail
     if a ciphersuite that does not use a key exchange based on elliptic
     curves can be negotiated.
     [Tomáš Mráz]

  Signed-off-by: Andre Heider <a.heider@gmail.com>
* libjson-c: disable libbsd | Rosen Penev | 2022-07-04 | 1 | -1/+5
  libjson-c is happy to pick up libbsd both on the host and target.

  Reproducible with
  make package/libbsd/compile;make package/libjson-c/compile

  Also fixes host compilation on Arch Linux for a similar reason. Undefined
  reference to arc4random.

  Fixes: f3a198697f60 ("libjson-c: update to 0.16")
  Acked-by: Thomas Huehn thomas.huehn@hs-nordhausen.de
  Acked-by: Nick Hainke vincent@systemli.org
  Signed-off-by: Rosen Penev <rosenp@gmail.com>
* libjson-c: update to 0.16 | Nick Hainke | 2022-07-03 | 3 | -18/+7
  Fix:
  - 001-dont-build-docs.patch

  Remove upstreamed patch:
  - 010-clang.patch

  Changelog:

  Deprecated and removed features:
  --------------------------------
  * JSON_C_OBJECT_KEY_IS_CONSTANT is deprecated in favor of
    JSON_C_OBJECT_ADD_CONSTANT_KEY
  * Direct access to lh_table and lh_entry structure members is deprecated.
    Use access functions instead, lh_table_head(), lh_entry_next(), etc...
  * Drop REFCOUNT_DEBUG code.

  New features
  ------------
  * The 0.16 release introduces no new features

  Build changes
  -------------
  * Add a DISABLE_EXTRA_LIBS option to skip using libbsd
  * Add a DISABLE_JSON_POINTER option to skip compiling in json_pointer support.

  Significant changes and bug fixes
  ---------------------------------
  * Cap string length at INT_MAX to avoid various issues with very long strings.
  * json_object_deep_copy: fix deep copy of strings containing '\0'
  * Fix read past end of buffer in the "json_parse" command
  * Avoid out of memory accesses in the locally provided vasprintf() function
    (for those platforms that use it)
  * Handle allocation failure in json_tokener_new_ex
  * Fix use-after-free in json_tokener_new_ex() in the event of printbuf_new() returning NULL
  * printbuf_memset(): set gaps to zero - areas within the print buffer which
    have not been initialized by using printbuf_memset
  * printbuf: return -1 on invalid arguments (len < 0 or total buffer > INT_MAX)
  * sprintbuf(): propagate printbuf_memappend errors back to the caller

  Optimizations
  --------------
  * Speed up parsing by replacing ctype functions with simplified, faster
    non-locale-sensitive ones in json_tokener and json_object_to_json_string.
  * Neither vertical tab nor formfeed are considered whitespace per the JSON spec
  * json_object: speed up creation of objects, calloc() -> malloc() + set fields
  * Avoid needless extra strlen() call in json_c_shallow_copy_default() and
    json_object_equal() when the object is known to be a json_type_string.

  Other changes
  -------------
  * Validate size arguments in arraylist functions.
  * Use getrandom() if available; with GRND_NONBLOCK to allow use of json-c
    very early during boot, such as part of cryptsetup.
  * Use arc4random() if it's available.
  * random_seed: on error, continue to next method instead of exiting the process
  * Close file when unable to read from /dev/urandom in get_dev_random_seed()

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* nettle: update to 3.8 | Nick Hainke | 2022-07-03 | 2 | -6/+6
  Refresh:
  - 100-portability.patch

  Changelog:
  ea4ea5e6 Document MacOS test workaround.
  b14fc902 Add missing file fat-arm64.c to tar file.
  6720f433 Update config.guess and config.sub to latest versions.
  a2be57f0 NEWS entries for Nettle-3.8.
  bff9a605 Update version numbers, for nettle-3.8.
  36386678 Fix comment typo
  e05fd5a9 Add ChangeLog entry for SM3 contribution.
  8739faa8 Document cbc_aes128_encrypt, cbc_aes192_encrypt and cbc_aes256_encrypt.
  efb2ec7f Deleted the manual's incomplete and out of date list of authors.
  af38c91f New more accurate AUTHORS file.
  ba084efa Fix ChangeLog typo.
  0fff3097 ChangeLog entries for s390x ghash update.
  75b687a8 Fix comment typo.
  5d0089ed Refactor s390x-specific code for new ghash organization
  2aabd5e2 ppc: Update fat setup for new ghash organization.
  8f5fddfb ppc: Update vpmsumd ghash to new organization.
  1227381e Comment fix.
  9939f866 arm64: Update fat setup for new ghash organization.
  ab62f731 Fix comment error
  b1645555 arm64: Update pclmul ghash to new organization.
  6b80b889 Update fat setup for new ghash organization.
  d382fcc0 Delete _ghash_digest.
  d11c4cd9 x86_64: Update pclmul ghash to new organization.
  f79cc0c1 x86_64: Update table-based ghash to new organization.
  bdc2fc31 Move _ghash_digest.
  1d438ad4 Refactor GCM C implementation.
  bdf820df New function block16_zero.
  d966ea0d Delete code for GCM_TABLE_BITS != 8.
  60edc290 x86_64: Fat setup for GCM.
  be245313 Fix comment typo.
  f8fa4f1f x86_64: Initial implementation of gcm using the pclmulqdq instructions.
  23f75f58 Rearrange gcm configuration defines, and add tests for internal functions.
  483ccbc9 Add tests for edge cases in poly1305 digest folding.
  f3656a44 x86_64: Rewrite of poly1305 assembly.
  b7268727 ChangeLog entry for arm64 implementation of chacha.
  1d4a985c ChangeLog entries for new ppc64 ecc files.
  99be366f ecc: Add powerpc64 assembly for ecc_448_modp
  53f7ae66 Move a comment.
  e643dcf1 ecc: Add powerpc64 assembly for ecc_25519_modp
  741191d1 ecc: Add powerpc64 assembly for ecc_224_modp
  4adcb4af Simplify poly1305-test, more use of tstring length.
  b48217c8 Add randomized tests of poly1305.
  dbf178c0 Arrange so that GMP or mini-gmp is always available for tests.
  7d83510e ChangeLog entries for new ppc64 ecc files.
  02bbf7d1 ecc: Add powerpc64 assembly for ecc_521_modp
  2bc7dfad ecc: Add powerpc64 assembly for ecc_384_modp
  9b6c0639 ecc: Add powerpc64 assembly for ecc_192_modp
  39af7b2e [Arm64] Optimize Chacha20
  c82876a5 [S390x] Alerting assembler of machine type
  044d24b0 [S390x] Optimize Chacha20
  94228f87 tests: Use inline function for dummy definition of test_randomize.
  7926debe Share ecc point validation function in testutils.c.
  25f73004 Whitespace cleanup
  0ec184d8 ppc: Reduce number of registers used for ecc_secp256r1_redc.
  c7cf1939 ppc: New configure test for ELFV2_ABI
  f57640ea x86_64: Improved ecc_secp256r1_redc
  dd65a63e ChangeLog for previous change.
  ecd4eacf ppc: Add powerpc64 assembly for ecc_256_redc
  b2758f7c doc: documentation for SM3 hash
  0ea74c02 Comment improvements for x86_64 ecc_secp256r1_redc
  78aabc69 nettle-benchmark: bench SM3 hashes
  7f77ccb4 hmac: add support for SM3 hash function
  e2edd9be testsuite: add test for SM3 hash function
  b72886e5 Add OSCCA SM3 hash algorithm
  d2e4e531 Delete function mpz_limbs_read_n.
  dd566239 Delete function mpz_limbs_cmp.
  07d5e755 gitlab-ci: Enable randomized tests
  64ce8c77 Randomize more tests
  a6f9bdeb Reduce allocation in modinv test
  957482d9 Fix sqrt_ratio test for v = 0 case.
  7f730943 Reduce allocation in sqrt tests
  2c9a600d Move NETTLE_TEST_SEED logic to testutils.c.
  48d61c28 Delete obsolete comment.
  ac95be13 Fix and test for sqrt(0) special case.
  ffe0f587 eccdata: Output ecc_sqrt_z and ECC_SQRT_E only when computed.
  65c95c79 Fix comment typo.
  8db66280 Let secp384r1 inverse and sqrt share most of the powering.
  5b2758a3 eccdata: Delete generation of unused values ecc_sqrt_t and ECC_SQRT_T_BITS.
  b3abfac5 eccdata: Generate both redc and non-redc versions of ecc_sqrt_z.
  2dbe065d Implement secp224r1 square root, based on patch by Wim Lewis.
  c8daa71c New function ecc_mod_equal_p, based on patch by Wim Lewis.
  4be1725f New function ecc_mod_pow_127m1, used for ecc_secp224r1_inv.
  4e987de3 Implement secp521r1 square root, based on patch by Wim Lewis.
  2adc4268 Implement secp384r1 square root, based on patch by Wim Lewis.
  bc07754f Implement secp256r1 square root, based on patch by Wim Lewis.
  35f12552 Implement secp192r1 square root, based on patch by Wim Lewis.
  c2726388 Renamed sqrt_itch --> sqrt_ratio_itch, and curve25519 and curve448 sqrt functions.
  03421be1 Rename ecc sqrt --> sqrt_ratio.
  652bdc79 New function ecc_mod_zero_p.
  571d2cc2 [S390x] Improvements on documentation and instruction set usage for SHA3 permute
  26b0f47b New function sec_zero_p.
  259ec19a [S390x] Remove lgr instructions by using xgrk instead of xgr instruction
  73722fb0 Rewrite of secp256r1 mod functions.
  45028ff2 Extend ecc-mod-test, with improved coverage of corner cases.
  806d6f6a [S390x] Optimize SHA3 permute using vector facility
  78f44318 Change "signature on digest" --> "of digest".
  0f90c076 Doc fixes.
  52c86f94 Delete a few old FIXME comments
  2b68ee47 Use @url and https consistently for references. Fix overlong lines.
  ea4b2e86 Use texi2pdf to generate the pdf manual
  54bbc09b ChangeLog entries for doc structure improvements.
  cc92638c Divide Cipher section into menu and nodes, and some other minor fixes.
  5e6af10b Delete explicit node pointers in nettle.texinfo
  55584f4e Change CBC-AES interface
  7a966ac3 Test AEAD encrypt/decrypt with message split into pieces.
  686fd559 More checks for null pointers in test_aead, to silent static analyzer.
  41a72c24 Fix checks of HAVE_NATIVE_cbc_aes*_encrypt
  d5b0b9cb Fix fat builds for x86_64 windows
  419d7af5 x86_64: Fat setup for assembly CBC AES.
  121290e0 x86_64: Assembly CBC AES aesni functions.
  1f58b09c Add specialized functions for cbc-aes.
  99dffa9c ChangeLog entries for recent contributions.
  38092fde gitlab-ci: Use mini-gmp for big-endian powerpc64 cross build
  4147279b gitlab-ci: Explicitly install cross libgmp-dev packages
  8c2321d2 gitlab-ci: No-assembly cross-build for s390x, to test big-endian
  d4cd2965 gitlab-ci: Delete mips build
  9765f8b9 [S390x] Optimize SHA256 and SHA512 compress functions
  463553ae x86_64: New 2-way aesni loop also for aes256
  c7391e5c x86_64: Refactor aesni assembly, with specific functions for each key size.
  4ea2a1f8 [S390x] Optimize SHA1 compress
  a47813c2 [AArch64] Utilize AES 1-block macros in 4-block macros
  5f7740a3 [AArch64] Load AES keys at function prologue
  76c7418c ChangeLog entries for previous change.
  f7bc3e1b [AArch64] Move AES round macros to machine.m4
  39d1e2a3 [AArch64] Optimize AES with fat build support
  b8054a1d [S390x] Optimize memxor3 using vector facility with fat support
  422219fe [S390x] Optimize memxor
  3900fe65 Add fat-s390x.c to OPT_SOURCES.
  c2f16582 Fix name of s390x/fat directory in make dist target.
  4fc00c4d [S390x] add FAT_TEST_LIST variable to enable fat build testing
  856c62ef [S390x] Replace inline assembly and fix fat filenames
  3be3ff3e [S390x] Fat build support for AES and GHASH
  9f9d4c4b arm64: Add sha2 to aarch64 fat tests.
  774917ec ChangeLog entry for arm64 sha256..
  7b446327 [AArch64] Fat build support for SHA-256 compress
  6c84092d [S390x] wipe parameter block content and leftover bytes of data from stack
  7d301d93 [S390x] wipe hash subkey from stack once GHASH operation completed
  d1c8417f [AArch64] Optimize SHA-256 compress
  33bfc509 [S390x] Use uppercase for macro names in machine.m4 and enhance the documentation for GHASH implementation
  94be863c Add sha1 to aarch64 fat tests.
  6c89ed3c ChangeLog entry for previous change.
  e5a9dbf4 arm64: Fat build support for SHA1 compress
  530e4c8d [S390x] Update configure.ac and Makefile.in
  b0525367 [S390x] Implement alloc_stack and free_stack macros in machine.m4
  72448928 [S390x] Optimize GHASH
  20fedc01 Update Nettle-3.7.3 NEWS.
  c80961c6 Add input check to rsa_decrypt family of functions.
  cd6059ae Change _rsa_sec_compute_root_tr to take a fix input size.
  401e0bdd Fix comment typos.
  fd6d9ba7 Add check that message length to _pkcs1_sec_decrypt is valid.
  e60d8367 ChangeLog entry for arm64 sha1.
  47cafcf2 aarch64: Optimize SHA1 Compress
  a46a17e9 Fix C++-style comments
  022e51a2 ChangeLog entries for aes keywrap.
  0145efbc Implement aes key wrap and key unwrap (RFC 3394)
  61bcbbf8 gitlab-ci: Explicitly pass --enable-s390x-msa to s390x build.
  3b1bb7cb Fix comment typo.
  c23701f3 Reorder and indent asm_replace_list.
  c2a14fa3 ChangeLog entry for new s390x AES implementation.
  1f38723e Append s390x-specific asm file names to asm_replace_list in configure.ac
  71dafe91 [S390x] Basic AES-192 and AES-256 optimizations
  8247fa21 ppc: Fix macro name SWAP_MASK to use all uppercase.
  b9f0ede2 Update config.guess and config.sub.
  46515038 [S390x] Basic AES-128 optimization
  f4dc5f20 Split aes-encrypt.c and aes-decrypt.c into one file per key size.
  0bff7a2b Initial config for s390x, contributed by Mamone Tarsha.
  06d6ef33 nettle-benchmark: avoid -Wmaybe-uninitialized warnings
  dda3f4fd gitlab-ci: Fix only: variables: check, and quote variables.
c2b56cd7 gitlab-ci: Use pipeline variable S390X_ACCOUNT c25774e2 gitlab-ci: Add remote tests for s390x. d5972ced Add forward declaration of struct aes_table. 085317d6 ChangeLog entries for arm64 fat build. 944881d7 ChangeLog entry for nettle-3.7.2 release f9e0e1f4 NEWS entries for 3.7.2. 1585f6ac [AArch64] Support fat build for GCM optimization 03b8ba39 [AArch64] Use m4 macros in gcm-hash.asm and add documentation comments 3f43c143 [AArch64] Update README to be on par with other architectures b30e0ca6 Fix canonical reduction in gostdsa_vko. d9b564e4 Similar fix for eddsa. fbaefb64 Analogous fix to ecc_gostdsa_verify. c24b3616 Ensure ecdsa_sign output is canonically reduced. 2397757b Fix bug in ecc_ecdsa_verify. 5b7608fd Use ecc_mod_mul_canonical for point comparison. 2bf497ba New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical. a471ae85 aarch64: Rename arm64/v8/ --> arm64/crypto/ 0489825e aarch64: Use .arch armv8-a+crypto directive. d32152f4 aarch64: Move m4 definitions after .file directive f3dda9f4 ChangeLog entries for arm64 gcm_hash. b098f19b arch64: Fix clang build fd9dd9d7 arch64: Fix copyright line and typos a3f91c0e aarch64: Adjust gcm-hash assembly for big-endian systems 09d77a10 aarch64: Implement GHASH using the crypto extension pmul instructions. 0c5429d3 aarch64: Add README dbd16501 Add an empty machine.m64 to make configure happy ebf9ae83 Recognize arm64 in configure Signed-off-by: Nick Hainke <vincent@systemli.org>
* libiconv-full: update to 1.17 Nick Hainke 2022-07-03 1 -2/+2
  Release Notes:
  - The libiconv library is now licensed under the LGPL version 2.1, instead of the LGPL version 2.0. The iconv program continues to be licensed under GPL version 3.
  - Added converters for many single-byte EBCDIC encodings: IBM-{037,273,277,278,280,282,284,285,297,423,424,425,500,838,870,871,875}, IBM-{880,905,924,1025,1026,1047,1097,1112,1122,1123,1130,1132,1137,1140}, IBM-{1141,1142,1143,1144,1145,1146,1147,1148,1149,1153,1154,1155,1156,1157}, IBM-{1158,1160,1164,1165,1166,4971,12712,16804}. They are available through the configure option '--enable-extra-encodings'.

  Signed-off-by: Nick Hainke <vincent@systemli.org>
* wolfssl: add config flag for Curve448 Joel Low 2022-07-03 2 -0/+5
  This enables building WolfSSL with Curve448, which can be used by Strongswan. This has been tested on a Linksys E8450, running OpenWrt 22.03-rc4. This allows parity with OpenSSL, which already supports Curve448 in OpenWrt 21.02.

  Fixes openwrt/packages#18812.

  Signed-off-by: Joel Low <joel@joelsplace.sg>