aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs
Commit message (Collapse)AuthorAgeFilesLines
* uclibc++: fix compilation with long file pathsAlois Klink2022-08-281-0/+86
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, uClic++ 0.2.5 fails to compile when using a long filepath. For example, if the openwrt directory is in the path: /tmp/this_directory_name_is_very_long/more_long_paths/.../openwrt, then uclibc++ will cause a very obtuse error. Although the uclibc++ makefiles do print a "File name too long" error, it's not the final error that's printed, so it's a bit confusing: > /bin/sh: 1: > cannot create src/abi/libsupc/<SNIP>_libsupc++.a.dep: File name too long > <SNIP: some other makefile output here> > array_type_info.o: No such file or directory Although OpenWRT 22.03 and current master branch have removed uClib++, I thought I'd make a PR for OpenWRT 21.02, since I encountered it and there seems to be quite a few other people experiencing the same issue. It especially happens when using the SDK, (or when using an encrypted fs) since the pre-packaged SDKs have very long filenames. This patch is already in upstream [1], but has not yet been released. [1]: https://git.busybox.net/uClibc++/commit/?id=6687fc9276fa52defaf8592f2001c19b826aec93 Signed-off-by: Alois Klink <alois@aloisklink.com>
* zlib: backport null dereference fixPetr Štetiar2022-08-092-1/+30
| | | | | | | | | | | | | | The curl developers found test case that crashed in their testing when using zlib patched against CVE-2022-37434, same patch we've backported in commit 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)"). So we need to backport following patch in order to fix issue introduced in that previous CVE-2022-37434 fix. References: https://github.com/curl/curl/issues/9271 Fixes: 7df6795d4c25 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)") Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit f443e9de7003c00a935b9ea12f168e09e83b48cd) (cherry picked from commit 707ec48ab3db6d08bd022df1bc720aee68b3b99d)
* zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)Petr Štetiar2022-08-082-1/+33
| | | | | | | | | | | | | zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader. Fixes: CVE-2022-37434 References: https://github.com/ivd38/zlib_overflow Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 7df6795d4c25447683fd4b4a4813bebcddaea547)
* openssl: bump to 1.1.1qDustin Lundquist2022-07-171-2/+2
| | | | | | | | | | | | | | | | | | Changes between 1.1.1p and 1.1.1q [5 Jul 2022] *) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. (CVE-2022-2097) [Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño] Signed-off-by: Dustin Lundquist <dustin@null-ptr.net> (cherry picked from commit 3899f68b54b31de4b4fef4f575f7ea56dc93d965)
* openssl: bump to 1.1.1pAndre Heider2022-07-151-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes between 1.1.1o and 1.1.1p [21 Jun 2022] *) In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. (CVE-2022-2068) [Daniel Fiala, Tomáš Mráz] *) When OpenSSL TLS client is connecting without any supported elliptic curves and TLS-1.3 protocol is disabled the connection will no longer fail if a ciphersuite that does not use a key exchange based on elliptic curves can be negotiated. [Tomáš Mráz] Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit eb7d2abbf06f0a3fe700df5dc6b57ee90016f1f1)
* openssl: bump to 1.1.1oEneas U de Queiroz2022-07-032-6/+6
| | | | | | | | | | | This release comes with a security fix related to c_rehash. OpenWrt does not ship or use it, so it was not affected by the bug. There is a fix for a possible crash in ERR_load_strings() when configured with no-err, which OpenWrt does by default. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 7a5ddc0d06895bde7538d78c8dad2c863d70f946)
* wolfssl: fix compilation with /dev/cryptoEneas U de Queiroz2022-04-201-0/+19
| | | | | | | This is trivial fix of a duplicate definition of 'int ret'. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit df622768da10f36ceeb20346b4c4ee4eb9a8a9ad)
* wolfssl: bump to 5.2.0Eneas U de Queiroz2022-04-114-9/+7
| | | | | | | | | | | | | | | | | Fixes two high-severity vulnerabilities: - CVE-2022-25640: A TLS v1.3 server who requires mutual authentication can be bypassed. If a malicious client does not send the certificate_verify message a client can connect without presenting a certificate even if the server requires one. - CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS v1.3 server can have its certificate heck bypassed. If the sig_algo in the certificate_verify message is different than the certificate message checking may be bypassed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit e89f3e85eb1c1d81294e5d430a91b0ba625e2ec0)
* zlib: backport security fix for a reproducible crash in compressorPetr Štetiar2022-03-242-1/+344
| | | | | | | | | | | | | | | | Tavis has just reported, that he was recently trying to track down a reproducible crash in a compressor. Believe it or not, it really was a bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs. Tavis has reported it upstream, but it turns out the issue has been public since 2018, but the patch never made it into a release. As far as he knows, nobody ever assigned it a CVE. Suggested-by: Tavis Ormandy <taviso@gmail.com> References: https://www.openwall.com/lists/oss-security/2022/03/24/1 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit b3aa2909a79aeff20d594160b207a89dc807c033) (cherry picked from commit 3965dda0fa70dc9408f1a2e55a3ddefde78bd50e)
* openssl: bump to 1.1.1nMartin Schiller2022-03-161-2/+2
| | | | | | | | | | | | | | This is a bugfix release. Changelog: *) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop forever for non-prime moduli. (CVE-2022-0778) *) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. Signed-off-by: Martin Schiller <ms@dev.tdt.de> (cherry picked from commit e17c6ee62770005e398364ee5d955c9a8ab6f016)
* wolfssl: fix API breakage of SSL_get_verify_resultPetr Štetiar2022-02-221-0/+26
| | | | | | | | | | | | | | | | | | | Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c)
* wolfssl: update to 5.1.1-stableSergey V. Lobanov2022-02-135-144/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Bump from 4.8.1-stable to 5.1.1-stable Detailed release notes: https://github.com/wolfSSL/wolfssl/releases Upstreamed patches: 001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch - https://github.com/wolfSSL/wolfssl/commit/fa8f23284d4689c2a737204b337b58d966dcbd8c 002-Update-macro-guard-on-SHA256-transform-call.patch - https://github.com/wolfSSL/wolfssl/commit/f447e4c1fa4c932c0286fa0331966756e243db81 Refreshed patches: 100-disable-hardening-check.patch 200-ecc-rng.patch CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains configure option The size of the ipk changed on aarch64 like this: 491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk 520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk Tested-by: Alozxy <alozxy@users.noreply.github.com> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in> (cherry picked from commit 93d91197b98463277b601ec2653351666a4ca4bd)
* libs/wolfssl: add SAN (Subject Alternative Name) supportSergey V. Lobanov2022-02-122-2/+8
| | | | | | | | | | x509v3 SAN extension is required to generate a certificate compatible with chromium-based web browsers (version >58) It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in> (cherry picked from commit dfd695f4b9f364a7c7db646d2cada10fdf304f02)
* wolfssl: enable ECC Curve 25519 by defaultStan Grishin2022-02-121-1/+1
| | | | | | | | * fixes https://github.com/openwrt/packages/issues/16652 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898 Signed-off-by: Stan Grishin <stangri@melmac.net> (cherry picked from commit 05a7af9ca0dd9c42eafbca5aa988b141e0e06053)
* ustream-ssl: update to Git version 2022-01-16Hauke Mehrtens2022-02-121-4/+4
| | | | | | | 868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit e74529552cf8fa16bd40b3db9d5cc82a913a49b4)
* mbedtls: Update to version 2.16.12Hauke Mehrtens2022-02-121-2/+2
| | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 57f38e2c827e3be71d8b1709073e366afe011985)
* ustream-ssl: variants conflict with each otherKarel Kočí2022-01-161-1/+3
| | | | | | | | | This adds conflicts between variants of libustream pacakge. They provide the same file and thus it should not be possible to install them side by side. Signed-off-by: Karel Kočí <karel.koci@nic.cz> (cherry picked from commit 219e17a35088a90eea664fbb4c66549d701a3cb4)
* openssl: bump to 1.1.1mEneas U de Queiroz2022-01-032-3/+3
| | | | | | | | | | | | | | This is a bugfix release. Changelog: *) Avoid loading of a dynamic engine twice. *) Fixed building on Debian with kfreebsd kernels *) Prioritise DANE TLSA issuer certs over peer certs *) Fixed random API for MacOS prior to 10.12 Patches were refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit def9565be632b316c82ffc5a7b28c789e9df75b4)
* tcpdump: libpcap: Remove http://www.us.tcpdump.org mirrorHauke Mehrtens2021-12-291-2/+1
| | | | | | | | | | | The http://www.us.tcpdump.org mirror will go offline soon, only use the normal download URL. Reported-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 18bdfc803bef00fad03f90b73b6e65c3c79cb397) Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com> [rebased for OpenWrt 21.02 branch]
* libpcap: add rpcapd as packageStephan Schmidtmer2021-11-051-1/+20
| | | | | | | | | | | | | | This enables building of rpcapd and adds it as a package. It is a daemon that allows remote packet capturing from another machine. E.g. Wireshark can talk to it using the Remote Capture Protocol (RPCAP). https://www.tcpdump.org/manpages/rpcapd.8.html Compile and run tested: OpenWrt 21.02.0-rc4 r16256-2d5ee43dc6 on x86/64 and mvebu/cortexa9 Signed-off-by: Stephan Schmidtmer <hurz@gmx.org> (cherry picked from commit 891c8676a1602d31adf3ab9f913664ae0d3b4029)
* wolfssl: fix compile when enable-devcrypto is setIvan Pavlov2021-10-231-0/+22
| | | | | | | | fixing linking error when --enable-devcrypto=yes fixes: 7d92bb050961 wolfssl: update to 4.8.1-stable Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit be3e260f92643a841f4f83b03cbb07b9a26cff66)
* wolfssl: remove --enable-sha512 configure switchAndre Heider2021-10-231-2/+2
| | | | | | | | | | | It's the default anyway and this just looks confusing, as if it wasn't. Switch to AUTORELEASE while at it. The binary size is unchanged. Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit 7cb5af30f48d6788cd471138820a772610a7f8e0)
* wolfssl: always build with --enable-reproducible-buildAndre Heider2021-10-231-0/+1
| | | | | | | | | | | | This gates out anything that might introduce semantically frivolous jitter, maximizing chance of identical object files. The binary size shrinks by 8kb: 1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f Signed-off-by: Andre Heider <a.heider@gmail.com> (cherry picked from commit c76300707e8d705d9efc7ed4bb1b7449d0a5fe00)
* wolfssl: update to 4.8.1-stableIvan Pavlov2021-10-225-18/+24
| | | | | | | | | | | | | | Changes from 4.7.0: Fix one high (OCSP verification issue) and two low vulnerabilities Improve compatibility layer Other improvements and fixes For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit 7d92bb0509615550b98e2dc71091073c8258d564) [Added patch to allow compilation with libtool 2.4] Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: fix build with GCC 10 on 32 x86 targetsStijn Tintel2021-10-221-0/+123
| | | | | | | Backport upstream patch to fix build with GCC 10 on 32 x86 targets. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> (cherry picked from commit 718a4f47806da8f68cb8f1fe2ebecf403e14ae96)
* ncurses: add tmux terminfoJitao Lu2021-10-211-1/+3
| | | | | | | | | | | They're preferred terminal descriptions for tmux, with additional support to some special characters and italic fonts. More info can be found at: https://github.com/tmux/tmux/wiki/FAQ Fixes: FS#3404 Signed-off-by: Jitao Lu <dianlujitao@gmail.com> (cherry picked from commit 917126ff4cfb1ea4795cfc93820ed5d304b084c3)
* ncurses: add screen-256color terminfoPaul Spooren2021-10-211-1/+2
| | | | | | | | The terminfo is required by the popular terminal multiplexer screen and tmux, offer it by default as the size impact is minimal with 885 Bytes. Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 6a6b5a677e8c245f6c82ad40cc718e614aa9f7a1)
* ncurses: split long line of supported terminfoPaul Spooren2021-10-211-1/+12
| | | | | | | | The terminfo files were all in one row which is terrible to read. Split them over multiple lines to improve readability. Signed-off-by: Paul Spooren <mail@aparcar.org> (cherry picked from commit 75ea474b9002c758e9a23023f7636258a467704c)
* wolfssl: bump PKG_RELEASEDavid Bauer2021-10-191-1/+1
| | | | | | Fixes commit 4b212b1306a9 ("wolfssl: build with WOLFSSL_ALT_CERT_CHAINS") Signed-off-by: David Bauer <mail@david-bauer.net>
* wolfssl: build with WOLFSSL_ALT_CERT_CHAINSAndre Heider2021-10-171-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | "Alternate certification chains, as oppossed to requiring full chain validataion. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected." This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1]. The binary size increases by ~12.3kb: 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f [0] https://github.com/openwrt/packages/issues/16674 [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793 Signed-off-by: Andre Heider <a.heider@gmail.com> [bump PKG_RELEASE] Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
* openssl: bump to 1.1.1lEneas U de Queiroz2021-08-282-5/+4
| | | | | | | | | | | | This version fixes two vulnerabilities: - SM2 Decryption Buffer Overflow (CVE-2021-3711) Severity: High - Read buffer overruns processing ASN.1 strings (CVE-2021-3712) Severity: Medium Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 7119fd32d397567931e63dbbf72014e95624018f)
* mbedtls: update to 2.16.11Rosen Penev2021-08-081-3/+3
| | | | | | | | | | Switched to AUTORELEASE to avoid manual increments. Release notes: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11 Signed-off-by: Rosen Penev <rosenp@gmail.com> (cherry picked from commit fcfd741eb83520e496eb09de5f8b2f2b62792a80)
* treewide: unmark selected packages nonsharedPetr Štetiar2021-07-023-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This partially reverts changes done in commit 72cc44958ef4 ("treewide: mark selected packages nonshared") as it removes the nonshared flag, but keeps the PKG_RELEASE as the PKG_RELEASE bump while adding nonshared flag was incorrect. Unmark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared packages as this fix attempt didn't worked out. Currently the imagebuilder is broken again: openwrt-imagebuilder-21.02.0-rc3-ipq40xx-generic.Linux-x86_64$ make image PROFILE=avm_fritzbox-7530 PACKAGES=luci-ssl-openssl ... Collected errors: * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for luci-mod-status * pkg_hash_fetch_best_installation_candidate: Packages for luci-mod-status found, but incompatible with the architectures configured * pkg_hash_check_unresolved: cannot find dependency libiwinfo20210430 for rpcd-mod-iwinfo * pkg_hash_fetch_best_installation_candidate: Packages for rpcd-mod-iwinfo found, but incompatible with the architectures configured * satisfy_dependencies_for: Cannot satisfy the following dependencies for luci-ssl-openssl: * libiwinfo20210430 * opkg_install_cmd: Cannot install package luci-ssl-openssl. Everything because iwinfo's ABI was changed two times since rc3 release: +IWINFO_ABI_VERSION:=20210430 +IWINFO_ABI_VERSION:=20210420 Since iwinfo is marked as nonshared, it wasn't built by phase2 builders, but luci-mod-status was already updated 2 times since rc3 and was thus rebuilt by phase2 builders: d1d452ed2fb3 luci-mod-status: don't set '-' hostname when creating static lease 95b3633055c1 luci-mod-status: switch to html table for wlan channel analysis So now luci-mod-status depends on libiwinfo20210430 but only libiwinfo20210106 can be downloaded. This is first part of the fix, in the upcoming commit Jo is going to remove nonshared flag from iwinfo package as well. References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035736.html References: https://lists.infradead.org/pipermail/openwrt-devel/2021-July/035741.html Acked-by: Jo-Philipp Wich <jo@mein.io> Reported-by: Nick Hainke <vincent@systemli.org> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 8307da3dbdaff13d5ce99f8aefa32f5b7a2e18e6)
* libusb: Fix parsing of descriptors for multi-configuration devicesGeorgi Valkov2021-06-263-1/+91
| | | | | | | | | | | | | | | | Prerequisite patch: Correct a typo in the Changelog and clean up a stray file Fix changes in libusb which introduced a regression: Commit e2be556bd2 ("linux_usbfs: Parse config descriptors during device initialization") introduced a regression for devices with multiple configurations. The logic that verifies the reported length of the configuration descriptors failed to count the length of the configuration descriptor itself and would truncate the actual length by 9 bytes, leading to a parsing error for subsequent descriptors. Signed-off-by: Georgi Valkov <gvalkov@abv.bg> (cherry picked from commit 4b37e3bc2b2a079c996b6d97b8d3dbbd4ba6eb62)
* wolfssl: always export wc_ecc_set_rngDavid Bauer2021-06-212-1/+51
| | | | | | | | | | | | | | | | Since commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant") wolfssl requires a RNG for an EC key when the hardened built option is selected. wc_ecc_set_rng is only available when built hardened, so there is no safe way to install the RNG to the key regardless whether or not wolfssl is compiled hardened. Always export wc_ecc_set_rng so tools such as hostapd can install RNG regardless of the built settings for wolfssl. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit ef9b103107aebd1a54f4360af3d9cf28d0544f13)
* treewide: mark selected packages nonsharedHannu Nyman2021-06-143-3/+8
| | | | | | | | | | | | | | | | | | | | | Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c as nonshared packages. This helps to keep coherent dependencies if these ABI versioned packages are later updated. Before this commit it is possible to get missing dependencies in target-specific nonshared packages (like iwinfo) that depend on these shared ABI versioned packages. If these are later updated and rebuilt, only the new ABI version will be available for download, while the target-specific packages in releases continue to depend on the old ABI version. After this commit the packages are built along the other nonshared packages by the phase1 images buildbot and will be available at the target/ download directories instead of packages/base dir. That will help to keep a coherent set available. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> (cherry picked from commit 72cc44958ef4e0df1a152178514c92899d6a957a)
* libubox: update to the latest versionFelix Fietkau2021-05-261-3/+3
| | | | | | | | | | | | | 870acee325fe tests: cram: test_base64: fix failing tests 4d8995e91d56 tests: cram: test_base64: really fix failing tests 551d75b5662c libubox: tests: add more blobmsg/json test cases a0dbcf8b8f96 tests: add blob-buffer overflow test b36a3a90098d blob: fix exceeding maximum buffer length b8abed749423 utils.h: add fallthrough macro b14c4688612c json_script: fix unannotated fall-through warning Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry picked from commit 04d21604fd72f337c8a0410d13b3d878914b7e7e)
* libubox: update to git HEADDaniel Golle2021-05-261-3/+3
| | | | | | | 2e52c7e libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE) Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit c82cc4407adebd683593d8f0b71d10e694ff8804)
* uclient: update to Git version 2021-05-14Baptiste Jonglez2021-05-171-3/+3
| | | | | | | | | 6a6011d uclient-http: set eof mark when content-length is 0 19571e4 tests: fix help usage test for uclient built with sanitizer c5fc04b tests: fix help usage test Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> (cherry picked from commit 1ec6fc4dcba16045a6bfcc493bdbe892de1265a9)
* uclient: update to Git version 2021-04-03Hauke Mehrtens2021-05-171-3/+3
| | | | | | | | 83efca2 tests: fix possibly longer start of HTTP server 64e00d6 uclient-fetch: document missing options Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 1371910b76f021486810b18f371b3dc528d952ea)
* libnfnetlink: quote $(FPIC) on command linePhilip Prindeville2021-04-121-2/+2
| | | | | | | | | | | When $(FPIC) gets expanded on the command line (for instance when setting environment variables for libtool, configure, or make) we can't count on it not needing quoting (i.e. it could contain multiple flags separated with spaces). Fixes: dc31191ec3e5 ("build: make sure asm gets built with -DPIC") Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com> (cherry picked from commit 7fae64cc065738b73a1dddc2fc28adde36c1ae3d)
* libunwind: Add MIPS64 dep checkDonald Hoskins2021-03-291-1/+1
| | | | | | | | | | | | libunwind dependency check does not allow for MIPS64 arch. Add MIPS64 awareness. libunwind seems to support MIPS64 without issues, it was limited by the dep arch check in the Makefile. Used to compile Suricata6/Rust locally without issue. Signed-off-by: Donald Hoskins <grommish@gmail.com> (cherry picked from commit ea6d4bdde20a3fecbfc44b99f53373e1d0666e34)
* openssl: bump to 1.1.1kEneas U de Queiroz2021-03-272-24/+23
| | | | | | | | | | | | | This version fixes 2 security vulnerabilities, among other changes: - CVE-2021-3450: problem with verifying a certificate chain when using the X509_V_FLAG_X509_STRICT flag. - CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0bd0de7d43b3846ad0d7006294e1daaadfa7b532)
* mbedtls: update to 2.16.10Magnus Kroken2021-03-212-13/+13
| | | | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Security fixes: * Fix a buffer overflow in mbedtls_mpi_sub_abs() * Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem() * Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() * Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10 Signed-off-by: Magnus Kroken <mkroken@gmail.com> (cherry picked from commit dbde2bcf60b5d5f54501a4b440f25fe7d02fbe5d)
* libsemanage: update to version 3.2Dominick Grift2021-03-151-3/+3
| | | | | | | | | | | | | | c35919a7 libsemanage: sync filesystem with sandbox 5b05e829 Revert "libsemanage/genhomedircon: check usepasswd" edae9275 libsemanage: Free contents of modkey in semanage_direct_remove ce46daab libsemanage/genhomedircon: check usepasswd 6ebb35d2 libsemanage: Bump libsemanage.so version c08b73d7 libsemanage: Drop deprecated functions b46406de libsemanage: Remove legacy and duplicate symbols Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit 4670492ad72e54e0608ef5f92d7066c1c7fa8f45) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libselinux: update to version 3.2Dominick Grift2021-03-151-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 142826a3 libselinux: fix segfault in add_xattr_entry() 398d2cee libselinux: rename gettid() to something which never conflicts with the libc 8f0f0a28 selinux(8,5): Describe fcontext regular expressions 9cc6b5cf libselinux/getconlist: report failures 156dd0de libselinux: update getseuser e2dca5df libselinux: accept const fromcon in get_context API da4829d0 libselinux: Always close status page fd 45b15c22 selinux(8): explain that runtime disable is deprecated 3c16aaef selinux(8): mark up SELINUX values c2a58cc5 libselinux: LABEL_BACKEND_ANDROID add option to enable db0f2f38 libselinux: Add build option to disable X11 backend 4a142ac4 libsepol: Bump libsepol.so version d23342a9 libselinux: convert matchpathcon to selabel_lookup() 7ef5b185 libselinux: Change userspace AVC setenforce and policy load messages to audit format. f5d644c7 libselinux: Add additional log callback details in man page for auditing. 075f9cfe libselinux: Fix selabel_lookup() for the root dir. a4149e0e libselinux: Add new log callback levels for enforcing and policy load notices. a63f93d8 libselinux: initialize last_policyload in selinux_status_open() ef902db9 libselinux: safely access shared memory in selinux_status_updated() 9e4480b9 libselinux: Remove trailing slash on selabel_file lookups. 21fb5f20 libselinux: use full argument specifiers for security_check_context in man page e7abd802 libselinux: fix build order 05bdc031 libselinux: use kernel status page by default Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit b1fc2b5b0be61d994d6a0429fd78331c0c57639a) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* libsepol: update to version 3.2Dominick Grift2021-03-151-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | a9e0004f libsepol: invalidate the pointer to the policydb if policydb_init fails 6238e025 libsepol/cil: fix NULL pointer dereference in cil_fill_ipaddr b69d77bc libsepol/cil: handle SID without assigned context when writing policy.conf 0861c659 libsepol: Validate policydb values when reading binary policy 8f5409cf libsepol: Create function ebitmap_highest_set_bit() 0451adeb libsepol/cil: Destroy disabled optional blocks after pass is complete 32f8ed3d libsepol/cil: introduce intermediate cast to silence -Wvoid-pointer-to-enum-cast 4662bdc1 libsepol/cil: be more robust when encountering <src_info> 6b561058 libsepol/cil: fix NULL pointer dereference with empty macro argument 0d0e47c7 libsepol/cil: Fix integer overflow in the handling of hll line marks 1b36ace2 libsepol: include header files in source files when matching declarations 1f1fa9d4 libsepol: uniformize prototypes of sepol_mls_contains and sepol_mls_check 72a88d75 libsepol: remove unused files eba0ffee libsepol/cil: Fix heap-use-after-free when using optional blockinherit 1048f8d3 libsepol/cil: unlink blockinherit->block link when destroying a block b3202918 libsepol/cil: fix memory leak when a constraint expression is too deep f0d98f83 libsepol/cil: Fix heap-use-after-free in __class_reset_perm_values() 5d021d66 libsepol/cil: Update symtab nprim field when adding or removing datums 34bd9a9d libsepol: destroy filename_trans list properly bdf4e332 libsepol/cil: fix NULL pointer dereference when parsing an improper integer b7ea65f5 libsepol/cil: destroy perm_datums when __cil_resolve_perms fails 228c06d9 libsepol/cil: fix out-of-bound read in cil_print_recursive_blockinherit a25d9104 libsepol/cil: constify some strings e2d01842 libsepol/cil: propagate failure of cil_fill_list() 6c8fca10 libsepol/cil: do not add a stack variable to a list 38a09b74 libsepol/cil: fix NULL pointer dereference when using an unused alias 3c357285 libsepol/cil: remove useless print statement 90809674 libsepol/cil: always destroy the lexer state d16a1e46 libsepol/cil: Use the macro FLAVOR() whenever possible 2aac859a libsepol/cil: Use the macro NODE() whenever possible d317b470 libsepol/cil: Remove unnecessary assignment in cil_resolve_name_keep_aliases() 9b9761cf libsepol/cil: Remove unused field from struct cil_args_resolve e257d4c7 libsepol/cil: Get rid of unnecessary check in cil_gen_node() ebba2b00 libsepol/cil: cil_tree_walk() helpers should use CIL_TREE_SKIP_* 89dab467 libsepol: free memory when realloc() fails 2d353bd5 libsepol/cil: Give error for more than one true or false block 4a142ac4 libsepol: Bump libsepol.so version 506c7b95 libsepol: Drop deprecated functions ae58e84b libsepol: Get rid of the old and duplicated symbols c97d63c6 libsepol: silence potential NULL pointer dereference warning 64387cb3 libsepol: drop confusing BUG_ON macro 521e6a2f libsepol/cil: fix signed overflow caused by using (1 << 31) - 1 a152653b libsepol/cil: Fix neverallow checking involving classmaps 734e4beb libsepol/cil: Validate conditional expressions before adding to binary policy 685f577a libsepol/cil: Validate constraint expressions before adding to binary policy 8206b8cb libsepol: implement POLICYDB_VERSION_COMP_FTRANS 42ae834a libsepol,checkpolicy: optimize storage of filename transitions Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> (cherry picked from commit 2a1bdde0d05dd97aa58da546d15197409d481bb3) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* zlib: properly split patchesAdrian Schmutzler2021-02-254-502/+501
| | | | | | | | | | | This package had two patches (with two headers etc.) in one file, which would have quilt merging them during a refresh. Separate these patches into two files, as the original intent seems to be having them separate. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> (cherry picked from commit 221eefaf6b301043c491aab8815fcfa24e8a5583)
* openssl: update package sourcesDavid Bauer2021-02-241-3/+5
| | | | | | | | | | | | | OpenSSL downloads itself are distributed using Akamai CDN, so use these sources as the highest priority. Remove a stale mirror which seems to be offline for a longer time already. Add fallbacks to the old release path also for the mirrors. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 10e84bde369d7cfb60d6ac6ee5c7211474bd4179)
* wolfssl: fix Ed25519 typo in config promptChristian Lamparter2021-02-241-1/+1
| | | | | Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit 09e66112f1ea9f5838ce80533f3850523dc30230)