aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* uclient: update to Git version 2023-04-13Matthias Schiffer2023-04-131-3/+3
| | | | | | | | 007d94546749 uclient: cancel state change timeout in uclient_disconnect() 644d3c7e13c6 ci: improve wolfSSL test coverage dc54d2b544a1 tests: add certificate check against letsencrypt.org Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* mbedtls: Update to version 2.28.3Hauke Mehrtens2023-04-103-96/+90
| | | | | | | | | | | | | | | This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: https://github.com/Mbed-TLS/mbedtls/issues/6243 https://github.com/Mbed-TLS/mbedtls/pull/7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libcap: update to 2.68Nick Hainke2023-04-081-2/+2
| | | | | | | Release Notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle Signed-off-by: Nick Hainke <vincent@systemli.org>
* openssl: fix CVE-2023-464 and CVE-2023-465Eneas U de Queiroz2023-04-073-1/+252
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply two patches fixing low-severity vulnerabilities related to certificate policies validation: - Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. - Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Note: OpenSSL also released a fix for low-severity security advisory CVE-2023-466. It is not included here because the fix only changes the documentation, which is not built nor included in any OpenWrt package. Due to the low-severity of these issues, there will be not be an immediate new release of OpenSSL. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: add legacy providerEneas U de Queiroz2023-04-058-45/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adapts the engine build infrastructure to allow building providers, and packages the legacy provider. Providers are the successors of engines, which have been deprecated. The legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool. Even though these algorithms are implemented in a separate package, their removal makes the regular library smaller by 3%, so the build options will remain to allow lean custom builds. Their defaults will change to 'y' if not bulding for a small flash, so that the regular legacy package will contain a complete set of algorithms. The engine build and configuration structure was changed to accomodate providers, and adapt to the new style of openssl.cnf in version 3.0. There is not a clean upgrade path for the /etc/ssl/openssl.cnf file, installed by the openssl-conf package. It is recommended to rename or remove the old config file when flashing an image with the updated openssl-conf package, then apply the changes manually. An old openssl.cnf file will silently work, but new engine or provider packages will not be enabled. Any remaining engine config files under /etc/ssl/engines.cnf.d can be removed. On the build side, the include file used by engine packages was renamed to openssl-module.mk, so the engine packages in other feeds need to adapt. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: make UCI config aware of built-in enginesEneas U de Queiroz2023-04-052-8/+43
| | | | | | | | | Engines that are built into the main libcrypto OpenSSL library can't be disabled through UCI. Add a 'builtin' setting to signal that the engine can't be disabled through UCI, and show a message explaining this in case buitin=1 and enabled=0. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: avoid OPENSSL_SMALL_FOOTPRINT, no-asmEneas U de Queiroz2023-04-052-4/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3% decrease in size, dropping performance from 2% to 91%, depending on the target and algorithm. For example, using AES256-GCM with 1456-bytes operations, X86_64 appears to be the least affected with 2% performance penalty and 1% reduction in size; mips drops performance by 13%, size by 3%; Arm drops 29% in performance, 2% in size. On aarch64, it slows down ghash so much that I consider it broken (-91%). SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and size by only 1%. It makes an AES-capable CPU run AES128-GCM at 35% of the speed of Chacha20-Poly1305: Block-size=1456 bytes AES256-GCM AES128-GCM ChaCha20-Poly1305 SMALL_FOOTPRINT 62014.44 65063.23 177090.50 regular 504220.08 565630.28 182706.16 OpenSSL 1.1.1 numbers are about the same, so this should have been noticed a long time ago. This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used. Compiling with -O3 instead of -Os, for comparison, will increase size by about 14-15%, with no measureable effect on AES256-GCM performance, and about 2% increase in Chacha20-Poly1305 performance on Aarch64. There are no Arm devices with the small flash feature, so drop the conditional default. The package is built on phase2, so even if we include an Arm device with small flash later, a no-asm library would have to be built from source anyway. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* libnl-tiny: update to the latest versionHauke Mehrtens2023-04-021-3/+3
| | | | | | | f5d9b7e libnl-tiny: fix duplicated branch in family.h 11b7c5f attr: add NLA_S* definitions Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libtraceevent: update to 1.7.2Nick Hainke2023-04-011-2/+2
| | | | | | | | | | | Changes: 1c6f0f3 libtraceevent: version 1.7.2 73f6a8a libtraceevent: Fix some missing commas in big endian blocks da2ea6b libtraceevent: Rename "ok" to "token_has_paren" in process_sizeof() e6f7cfa libtraceevent: No need for testing ok in else if (!ok) in process_sizeof() a4b1ba5 libtraceevent: Fix double free in parsing sizeof() Signed-off-by: Nick Hainke <vincent@systemli.org>
* treewide: opt-out of tree-wide LTO usageAndre Heider2023-03-212-1/+3
| | | | | | These fail to build with LTO enabled or packages depending on them do. Signed-off-by: Andre Heider <a.heider@gmail.com>
* treewide: add support for "lto" in PKG_BUILD_FLAGSAndre Heider2023-03-214-12/+8
| | | | | | | | | | | | | | | | This reduces open coding and allows to easily add a knob to enable it treewide, where chosen packages can still opt-out via "no-lto". Some packages used LTO, but not the linker plugin. This unifies 'em all to attempt to produce better code. Quoting man gcc(1): "This improves the quality of optimization by exposing more code to the link-time optimizer." Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed that every buildsystem uses +$(MAKE) correctly. Signed-off-by: Andre Heider <a.heider@gmail.com>
* treewide: add support for "gc-sections" in PKG_BUILD_FLAGSAndre Heider2023-03-214-8/+10
| | | | | | | | | | | | | | | This reduces open coding and allows to easily add a knob to enable it treewide, where chosen packages can still opt-out via "no-gc-sections". Note: libnl, mbedtls and opkg only used the CFLAGS part without the LDFLAGS counterpart. That doesn't help at all if the goal is to produce smaller binaries. I consider that an accident, and this fixes it. Note: there are also packages using only the LDFLAGS part. I didn't touch those, as gc might have been disabled via CFLAGS intentionally. Signed-off-by: Andre Heider <a.heider@gmail.com>
* treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16Andre Heider2023-03-217-7/+6
| | | | | | | Keep backwards compatibility via PKG_USE_MIPS16 for now, as this is used in all package feeds. Signed-off-by: Andre Heider <a.heider@gmail.com>
* libnftnl: update to 1.2.5Nick Hainke2023-03-191-3/+3
| | | | | | | | | Upstream switched to "tar.xz". Release Notes: https://www.spinics.net/lists/netfilter/msg61016.html Signed-off-by: Nick Hainke <vincent@systemli.org>
* elfutils: update to 1.89Nick Hainke2023-03-122-4/+6
| | | | | | | | | | Release Notes: https://sourceware.org/pipermail/elfutils-devel/2023q1/006023.html Refresh patch: - 003-libintl-compatibility.patch Signed-off-by: Nick Hainke <vincent@systemli.org>
* openssl: fix variable reference in conffilesEneas U de Queiroz2023-03-061-3/+3
| | | | | | | | | | | | Fix the trivial abscence of $() when assigning engine config files to the main libopenssl-config package even if the corresponding engines were not built into the main library. This is mostly cosmetic, since scripts/ipkg-build tests the file's presence before it is actually included in the package's conffiles. Fixes: 30b0351039 "openssl: configure engine packages during install" Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: fix sysupgrade failure with devcryptoEneas U de Queiroz2023-03-064-5/+73
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The bump to 3.0.8 inadvertently removed patches that are needed here, but were not adopted upstream. The most important one changes the default value of the DIGESTS setting from ALL to NONE. The absence of this patch causes a sysupgrade failure while the engine is in use with digests enabled. When this happens, the system fails to boot with a kernel panic. Also, explicitly set DIGESTS to NONE in the provided config file, and change the default ciphers setting to disable ECB, which has been recommended for a long time and may cause trouble with some apps. The config file change by itself is not enough because the config file may be preserved during sysupgrade. For people affected by this bug: You can either: 1. remove, the libopenssl-devcrypto package 2. disable the engine in /etc/config/openssl; 3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE; 4. update libopenssl-devcrypto to >=3.0.8-3 However, after doing any of the above, **you must reboot the device before running sysupgrade** to ensure no running application is using the engine. Running `/etc/init.d/openssl restart` is not enough. Fixes: 7e7e76afca "openssl: bump to 3.0.8" Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* ncurses: add alacritty terminfoTobias Hilbig2023-02-261-1/+2
| | | | | | | | Add terminfo file for the terminal emulator alacritty. https://github.com/alacritty/alacritty Signed-off-by: Tobias Hilbig <web.tobias@hilbig-ffb.de>
* ustream-ssl: update to Git version 2023-02-25Hauke Mehrtens2023-02-251-4/+4
| | | | | | 498f6e2 ustream-mbedtls: Use getrandom() instead of /dev/urandom Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libcap: update to 2.67Nick Hainke2023-02-251-3/+3
| | | | | | | | | | Release notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.o8papfkfh1x9 While working on it, remove $(AUTORELEASE). Tested-by: Linhui Liu liulinhui36@gmail.com # Xiaomi AX3600 Signed-off-by: Nick Hainke <vincent@systemli.org>
* openssl: fix powerpc & arc libatomic dependenciesEneas U de Queiroz2023-02-222-3/+3
| | | | | | | | | | | PowerPC CONFIG_ARCH is defined as powerpc, not ppc. Fix that in the DEPENDS condition. Arc needs to be built with libatomic. Change the OpenSSL configuration file, and add it to the libatomic DEPENDS condition. Fixes: 7e7e76afca "openssl: bump to 3.0.8" Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: bump to 3.0.8Eneas U de Queiroz2023-02-2015-3833/+85
| | | | | | | | | | This is a major update to the current LTS version, supported until 2026-09-07. Changelog: https://github.com/openssl/openssl/blob/openssl-3.0.8/CHANGES.md Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* elfutils: fix build with GCC 11Andre Heider2023-02-181-1/+9
| | | | | | | | GCC 11 doesn't know about -Wno-error=use-after-free and aborts compilation. Fixes: 2748c45d "elfutils: Ignore wrong use-after-free error" Signed-off-by: Andre Heider <a.heider@gmail.com>
* openssl: bump to 1.1.1tJohn Audia2023-02-122-55/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removed upstreamed patch: 010-padlock.patch Changes between 1.1.1s and 1.1.1t [7 Feb 2023] *) Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This vulnerability may allow an attacker who can provide a certificate chain and CRL (neither of which need have a valid signature) to pass arbitrary pointers to a memcmp call, creating a possible read primitive, subject to some constraints. Refer to the advisory for more information. Thanks to David Benjamin for discovering this issue. (CVE-2023-0286) This issue has been fixed by changing the public header file definition of GENERAL_NAME so that x400Address reflects the implementation. It was not possible for any existing application to successfully use the existing definition; however, if any application references the x400Address field (e.g. in dead code), note that the type of this field has changed. There is no ABI change. [Hugo Landau] *) Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. (CVE-2023-0215) [Viktor Dukhovni, Matt Caswell] *) Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. (CVE-2022-4450) [Kurt Roeckx, Matt Caswell] *) Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. (CVE-2022-4304) [Dmitry Belyavsky, Hubert Kario] Signed-off-by: John Audia <therealgraysky@proton.me>
* wolfssl: fix build with make < 4.2Chen Minqiang2023-02-032-28/+28
| | | | | | | | Inline the preinst.arm-ce script. Support for including was added in make 4.2 and is not working with older make versions. Fixes: https://github.com/openwrt/openwrt/issues/11866 Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
* mbedtls: x509 crt verify SAN iPAddressGlenn Strauss2023-02-032-1/+182
| | | | | | | | | | | | | | | | backport from X509 crt verify SAN iPAddress https://github.com/Mbed-TLS/mbedtls/pull/6475 addresses curl built with mbedtls fails on https://1.1.1.1/ (IP address in SubjectAltName) https://github.com/Mbed-TLS/mbedtls/issues/6473 filed for mbedTLS: BADCERT_CN_MISMATCH on https://1.1.1.1 with curl+mbedtls https://github.com/openwrt/packages/issues/19677 Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* openssl: fix VIA Padlock AES-192 and 256 encryptionValdikSS ValdikSS2023-01-221-0/+52
| | | | | | | | | | | | | | Byte swapping code incorrectly uses the number of AES rounds to swap expanded AES key, while swapping only a single dword in a loop, resulting in swapped key and partially swapped expanded keys, breaking AES encryption and decryption on VIA Padlock hardware. This commit correctly sets the number of swapping loops to be done. Upstream: https://github.com/openssl/openssl/commit/2bcf8e69bd92e33d84c48e7d108d3d46b22f8a6d Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: ValdikSS ValdikSS <iam@valdikss.org.ru>
* mbedtls: move source modification to patchDavid Bauer2023-01-182-7/+15
| | | | | | | Patch the mbedtls source instead of modifying the compile-targets in the prepare buildstep within OpenWrt. Signed-off-by: David Bauer <mail@david-bauer.net>
* libpcap: update to 1.10.3Nick Hainke2023-01-172-3/+3
| | | | | | | | | | Changelog: https://git.tcpdump.org/libpcap/blob/95691ebe7564afa3faa5c6ba0dbd17e351be455a:/CHANGES Refresh patch: - 300-Add-support-for-B.A.T.M.A.N.-Advanced.patch Signed-off-by: Nick Hainke <vincent@systemli.org>
* libtracefs: update to 1.6.4Nick Hainke2023-01-131-2/+2
| | | | | | Update to latest release. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libtraceevent: update to 1.7.1Nick Hainke2023-01-131-2/+2
| | | | | | Update to latest release. Signed-off-by: Nick Hainke <vincent@systemli.org>
* elfutils: Ignore wrong use-after-free errorHauke Mehrtens2023-01-091-1/+1
| | | | | | | | | | | | | | | | | | | GCC 12.2.0 shows this false positive error message: ```` In function 'bigger_buffer', inlined from '__libdw_gunzip' at gzip.c:374:12: gzip.c:96:9: error: pointer may be used after 'realloc' [-Werror=use-after-free] 96 | b = realloc (state->buffer, more -= 1024); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gzip.c:94:13: note: call to 'realloc' here 94 | char *b = realloc (state->buffer, more); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors ```` GCC bug report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libpcap: update to 1.20.2Nick Hainke2023-01-065-46/+20
| | | | | | | | | | | | | | | | | | | | | | | | | A huge rewrite in libpcap was introduced by dc14a7babca1 ("rpcap: have the server tell the client its byte order.") [0]. The patch "201-space_optimization.patch" does not apply at all anymore. So remove it. Refresh: - 100-no-openssl.patch - 102-skip-manpages.patch Update the "300-Add-support-for-B.A.T.M.A.N.-Advanced.patch" with latest PR [1]. old ipkg size: 90964 bin/packages/mips_24kc/base/libpcap1_1.10.1-5_mips_24kc.ipk new ipkg size: 93340 bin/packages/mips_24kc/base/libpcap1_1.10.2-1_mips_24kc.ipk [0] - https://github.com/the-tcpdump-group/libpcap/commit/dc14a7babca1471809bee6872539ff836937840e [1] - https://github.com/the-tcpdump-group/libpcap/pull/980 Signed-off-by: Nick Hainke <vincent@systemli.org>
* ncurses: update to 6.4Linhui Liu2023-01-056-21/+21
| | | | | | Update to the latest released version. Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* treewide: Trigger reinstall of all wolfssl dependenciesHauke Mehrtens2023-01-011-1/+1
| | | | | | | | The ABI of the wolfssl library changed a bit between version 5.5.3 and 5.5.4. This release update will trigger a rebuild of all packages which are using wolfssl to make sure they are adapted to the new ABI. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: update to 5.5.4-stableNick Hainke2023-01-013-36/+3
| | | | | | | | | | | | | Remove upstreamed: - 001-Fix-enable-devcrypto-build-error.patch Refresh patch: - 100-disable-hardening-check.patch Release notes: https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable Signed-off-by: Nick Hainke <vincent@systemli.org>
* mbedtls: update to version 2.28.2Hauke Mehrtens2022-12-312-6/+6
| | | | | | | | | | | | | | | | | | | Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2 This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Fixes the following CVEs: * CVE-2022-46393: Fix potential heap buffer overread and overwrite in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. * CVE-2022-46392: An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) could recover an RSA private key after observing the victim performing a single private-key operation if the window size used for the exponentiation was 3 or smaller. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* libbsd: fix libpath to not use host pathXuefer H2022-12-262-0/+14
| | | | | | | | | | libpath.so uses host path in ld script causing other packages fail to cross compile, e.g. perl: "ld: cannot find /usr/lib/libbsd.so.0.11.6: No such file or directory" Fixes: openwrt/packages#19390 Signed-off-by: Xuefer H <xuefer@gmail.com>
* libtracefs: update to 1.6.3Nick Hainke2022-12-171-2/+2
| | | | | | Update to latest release. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libtraceevent: update to 1.7.0Nick Hainke2022-12-171-2/+2
| | | | | | Update to latest release. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libpcap: add support for B.A.T.M.A.N. AdvancedLinus Lüssing2022-12-141-0/+642
| | | | | | | | | | | | | | | | | | | | | | This adds support for the layer 2 mesh routing protocol B.A.T.M.A.N. Advanced. "batadv" can be used to filter on batman-adv packets. It also allows later filters to look at frames inside the tunnel when both "version" and "type" are specified. Documentation for the batman-adv protocol can be found at the following locations: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/networking/batman-adv.rst https://www.open-mesh.org/ -- This is a backport of the following upstream pull request: https://github.com/the-tcpdump-group/libpcap/pull/980 -> "Add support for B.A.T.M.A.N. Advanced #980" Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
* wolfssl: fix build with /dev/cryptoChukun Pan2022-12-111-0/+33
| | | | | | | | | | Backport upstream patch to fix build error when /dev/crypto enabled. https://github.com/wolfSSL/wolfssl/commit/dc9f46a3be00b5e82684a158605189d1278e324c Fixes: #10944 Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
* libtracefs: update to 1.6.2Nick Hainke2022-12-111-2/+2
| | | | | | | | 378a9dd libtracefs: version 1.6.2 e6daa60 libtracefs: Add unit test to test mounting of tracefs_{tracing,debug}_dir() 32acbbf libtracefs: Have tracefs_{tracing,debug}_dir() mount {tracefs,debugfs} if not mounted Signed-off-by: Nick Hainke <vincent@systemli.org>
* ustream-ssl: update to Git version 2022-12-07Hauke Mehrtens2022-12-081-4/+4
| | | | | | | | | 9217ab4 ustream-openssl: Disable renegotiation in TLSv1.2 and earlier 2ce1d48 ci: fix building with i.MX6 SDK 584f1f6 ustream-openssl: wolfSSL: provide detailed information in debug builds aa8c48e cmake: add a possibility to set library version Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: fix Config.in typoTony Butler2022-11-271-1/+1
| | | | | | Fix simple typo `/crytpo/crypto/` in a description string Signed-off-by: Tony Butler <spudz76@gmail.com>
* wolfssl: update to v5.5.3Nick Hainke2022-11-273-53/+3
| | | | | | | | | | | | | | Remove "200-ecc-rng.patch" because it was upstramed by: https://github.com/wolfSSL/wolfssl/commit/e2566bab2122949a6a0bb2276d0a52598794d7d0 Refreshed "100-disable-hardening-check.patch". Fixes CVE 2022-42905. Release Notes: - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.3-stable Signed-off-by: Nick Hainke <vincent@systemli.org>
* libtracefs: update to 1.6.1Nick Hainke2022-11-181-2/+2
| | | | | | Update to latest version. Signed-off-by: Nick Hainke <vincent@systemli.org>
* libmbedtls: use defaults if no build opts selectedGlenn Strauss2022-11-161-2/+3
| | | | | | | use defaults if no build opts selected (allows build with defaults when mbedtls not selected and configured) Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* libmbedtls: disable older RSA ciphersGlenn Strauss2022-11-131-2/+2
| | | | | | disable older RSA ciphers Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
* libmbedtls: enable crypto algorithms for hostapGlenn Strauss2022-11-131-6/+6
| | | | | | | | | enable additional crypto algorithms for hostap hostap uses local implementations if not provided by crypto library, so might as well enable in the crypto library for shared use by others. Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>