Until other packages from feeds decide to rename the
dependency of `+libcyassl` to `+libwolfssl`, this allows
for a bit of backwards compatibility with those packages.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
elfutils turns on -Werror by default, and patch 100-musl-compat.patch
changes how strerror_r is used and we no longer use the function's
return value. This causes the following build error/warning to occur
with glibc-based toolchains:
dwfl_error.c: In function 'dwfl_errmsg':
dwfl_error.c:158:18: error: ignoring return value of 'strerror_r',
declared with attribute warn_unused_result [-Werror=unused-result]
strerror_r (error & 0xffff, s, sizeof(s));
^
cc1: all warnings being treated as errors
Fixing this would be tricky as there are two possible signatures for
strerror_r (XSI and GNU), just turn off unused-result warnings instead.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Addresses CVE-2015-3239: Off-by-one error in the dwarf_to_unw_regnum
function in include/dwarf_i.h in libunwind 1.1 allows local users to
have unspecified impact via invalid dwarf opcodes.
Upstream stable-v1.2 fixed the missing unwind_i.h issue but no new
tarball is released yet
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Some external toolchains may be configured to enable OpenMP. Provide a
package for these libraries which can be used by other packages.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Add mirror and use main site as last resort.
Source: http://www.tcpdump.org/mirrors.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Refresh mirror list, some doesn't offer OpenSSL and add main site as last resort.
Source: https://www.openssl.org/source/mirror.html
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
uClibc doesn't implement strerror_l() and thus libnl starting from
3.2.29 couldn't be compiled with it any longer, see
6c2d111177
To work-around that problem we'll just do a check on strerror_l()
availability during configuration and if it's not there just fall back
to locale-less strerror().
Patch for libnl is alreadfy merged upstream, see
e15966ac7f
and once the next libnl release happens this one must be removed from
Lede/OpenWrt.
Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: John Crispin <john@phrozen.org>
Cc: Daniel Engberg <daniel.engberg.lists@pyret.net>
musl provides a /lib/libc.so file which should be integrated into the libc
package when the external toolchain with musl is used.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Jo-Philipp Wich <jo@mein.io>
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
We need to let external toolchains be able to specify the path and
specification file to the libthread-db POSIX thread debugging shared
libraries.
This fixes GDB not being able to be installed because it is depending on
libthread-db:
Collected errors:
* satisfy_dependencies_for: Cannot satisfy the following dependencies
* for gdb:
* libthread-db *
* opkg_install_cmd: Cannot install package gdb.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.
Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,
Fixes#572
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Important change was made in 1.0.18: all sub-libs were merged
in one and only libc similarly to musl.
See [1] for more details.
To support that we had to remove refences to those sub-libs like
libpthread, libcrypt, libdl, libm, libutil etc.
[1] http://cgit.uclibc-ng.org/cgi/cgit/uclibc-ng.git/commit/?id=29ff9055c80efe77a7130767a9fcb3ab8c67e8ce
Signed-off-by: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.
Example code to reproduce:
typedef std::multimap<int, int> testmap;
testmap t;
t.insert(std::pair<int, int>(1, 1));
t.insert(std::pair<int, int>(2, 1));
t.insert(std::pair<int, int>(3, 1));
t.erase(t.begin(), t.end());
Signed-off-by: Ben Kelly <ben@benjii.net>
Adds the following changes:
de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Some toolchains will produce executables with an interpreter that is e.g:
ld.so.1 (typically a symbolic link). Due to our current LIBC_SPEC_FILE value,
we would not be able to copy this symbolic link/file over to the rootfs and
executables would fail to load. Extend the search pattern to include all
ld*.so* files that could be needed.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.
By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:
libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`
Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The gettext-full host build might pick up iconv-stub host build headers
during the build, leading to stray linker errors with unresolved references
to libiconv_open(), libiconv() and libiconv_close().
Since we're not needing iconv support on the host, pass the appropriate
cache variables to configure to prevent detection and linking of iconv.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Cleanup to prepare for changing STAGING_DIR_HOSTPKG. The actual change of
STAGING_DIR_HOSTPKG (i.e., moving the host packages back into a common, not
target-specific directory) will be done after the first LEDE release, but
the cleanup will also be useful for projects like Gluon.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Other changes:
- Project moved to sourceware.org
- musl patch where cleaned up and submitted upstream
- TEMP_FAILURE_RETRY macro fixed and submitted upstream
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[Jo-Philipp Wich: add missing .patch extension to 007-fix_TEMP_FAILURE_RETRY]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Brings in the following changes:
52d955fd802a remove obsolete mac os x /opt/local include/library search path
a4e49b4163b2 Fix unused results warnings
48cfff3fbec9 uclient-http: send correct "Host:" header if port is set
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Currently both libustream-polarssl and libustream-mbedtls
variants define themselves as the DEFAULT_VARIANT
Remove extra DEFAULT_VARIANT from libustream-polarssl.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Later OpenVPN 2.3-openssl versions only enable
TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE
cipher suites. ECDHE key exchange is not supported by
OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE
OpenVPN 2.4-mbedtls clients to connect to such servers.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reported-by: Lucian Cristian <luci@createc.ro>
Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to
make OpenVPN-mbedtls clients able to perform ECDHE key exchange
with remote OpenVPN 2.4-openssl servers that use the default
OpenVPN curve.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Add patches provided upstream [1] by Fabio Berton to fix error:
> ./gencode.c: In function 'pcap_compile':
> ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai'
> cstate.ai = NULL;
> ^
> ./gencode.c: In function 'gen_gateway':
> ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function)
> bpf_error(cstate, "direction applied to 'gateway'");
> ^
[1] https://github.com/the-tcpdump-group/libpcap/pull/541
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Sometimes I'm getting error on the host-side build:
```
/usr/lib64/gcc/x86_64-suse-linux/4.8/../../../../x86_64-suse-linux/bin/ld: /home/sandu/work/lede/staging_dir/host/lib/liblzma.a(liblzma_la-common.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/home/sandu/work/lede/staging_dir/host/lib/liblzma.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:2847: recipe for target 'libgettextlib.la' failed
make[9]: *** [libgettextlib.la] Error 1
make[9]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl-1.1.15/host/gettext-0.19.8.1/gettext-tools/gnulib-lib'
Makefile:2597: recipe for target 'all' failed
```
Disabling the shared-lib build, seems to fix this.
This is when building glib2 on the host-side.
glib2 is required by newer QEMU package [which is in the feeds].
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This partially reverts commit 15734b023b.
--enable-stunnel was actually important and properly described in
commit 9b118cde89. Removing it broke ustream-cyassl
Signed-off-by: Felix Fietkau <nbd@nbd.name>
If _GNU_SOURCE was added as part of a package's TARGET_CFLAGS,
then compilation would fail for that module (especially if
warnings get treated as errors).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
More and more platforms are multicore SoCs, don't enforce singlethreading.
Drop stunnel option as stunnel code isn't available for download from upstream website.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Update libpcap to upstream release 1.8.1
Change the name from libpcap.so.1.3 to libpcap.so.1
Remove parts of patch 201 which moved code among src files.
Import patch 204 from Debian to update the USB path.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix parallel build bug]
One of those changes is re-enabling blowfish support to make
openvpn-mbedtls compatible with common configurations
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x.
DHM_C is also already enabled in the PolarSSL 1.3.x config.h.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Last release of libnetfilter-queue was in 2012.
There don't seem to be any release tarballs since then.
This updates it to a more recent version, pointing to the git repo.
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This fixes the following security problems:
CVE-2016-7440: Software AES table lookups do not properly consider cache-bank access times
CVE-2016-7439: Software RSA does not properly consider cache-bank monitoring
CVE-2016-7438: Software ECC does not properly consider cache-bank monitoring
SWEET32 Attack
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This constant was always defined to 0, and recently got removed in
upstream commit a07ea4d9941af5a0c6f0be2a71b51ac9c083c5e5 ("genetlink: no
longer support using static family IDs")
Fixes libnl-tiny builds with latest upstream kernels.
Fixes: d723f2573a ("libnl-tiny: remove include/linux overrides to fix various build issues")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This allows to include optimizations such as ARM neon which
are detected on run-time.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
[Jo-Philipp Wich: picked from openwrt#191 and rebased onto LEDE master]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Switch to xz tarball, there's no point pulling two different tarballs of the same source code (tools/libtool uses xz).
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
luci using ustream-mbedtls is extremely slow vs ustream-polarssl.
polarssl alias mbedtls v1 is configured to use NIST prime speed
optimisation, so no longer disable the default optimisation for
mbedtls v2.
Compile & run tested: Archer C7v2
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[Jo-Philipp Wich: refresh patch to use common format]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
For 64-bit capable systems, a symbolic link is set up for /lib64 to point to
/lib, so make sure the installation goes into /lib, irrespective of where the C
library files come from in an external toolchain.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
Patches applied upstream:
* 301-fix_no_nextprotoneg_build.patch
* 302-Fix_typo_introduced_by_a03f81f4.patch
Security advisory: https://www.openssl.org/news/secadv/20160926.txt
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.
Signed-off-by: Andreas Schultz <aschultz@tpip.net>
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.
Signed-off-by: Andreas Schultz <aschultz@tpip.net>
When PKG_CONFIG_LIBDIR was unset in the environment, the configure
script was deducing the PKG_CONFIG_LIBDIR from the location of the
pkg-config binary, which doesn't make a lot of sense, and isn't done
by other autotools based packages.
Patch imported from the Buildroot project:
https://github.com/buildroot/buildroot/blob/master/package/ncurses/0001-fixup-pkg-config-handling.patch
Also refresh patches while we're at.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Change the error message about missing SSL support to be more explicit by
mentioning required package names.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The patch needed for this commit has been sent upstream:
https://github.com/openssl/openssl/pull/1155
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [add back bf and srp]
NPN has been superseded by ALPN so NPN is disabled by default
The patch has been sent to OpenSSL for inclusion, see
https://github.com/openssl/openssl/pull/1100
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
There seems to be a situation in which a rebuild of libpcap.so is triggered
in the install step of the libpcap Makefile. libpcap.so is the wrong
target, leading to the build failure reported in [1].
Fix the dependency of install-shared-so to $(SHAREDLIB) so the build can
succeed in this case.
[1] https://dev.openwrt.org/ticket/19894
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
This reverts commit abf0768131.
The description is wrong, there is no recursive dependency here. The
conditions were added intentionally to avoid bogus build dependencies.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Two variants incorrectly include themselves in
conditional depends on ssl libraries, which results
in a recursive dependency.
Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
This adds this commit from normal libnl to libnl-tiny:
2dbc1ca76c
commit 2dbc1ca76c5b82c40749e609eb83877418abb006
Author: dima <dima.ky@gmail.com>
Date: Wed Oct 13 17:53:34 2010 +0300
Generic Netlink multicast groups support
I have a patch against commit d378220c96c3c8b6f27dca33e7d8ba03318f9c2d
extending libnl with a facility to receive generic netlink messages sent
to multicast groups.
Essentially it add one new function genl_ctrl_resolve_grp which
prototype looks like this
int genl_ctrl_resolve_grp(struct nl_sock *sk, const char *family_name,
const char *grp_name)
It resolves the family name and the group name to group id. Then
the returned id can be used in nl_socket_add_membership to subscribe
to multicast messages.
Besides that it adds two more functions
uint32_t nl_socket_get_peer_groups(struct nl_sock *sk)
void nl_socket_set_peer_groups(struct nl_sock *sk, uint32_t groups)
allowing to modify the socket peer groups field. So it's possible to
multicast messages from the user space using the legacy interface.
Looks like there is no way (or I was not able to find one?) to modify
the netlink socket destination group from the user space, when the
group id is greater then 32.
Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cosmetic style fix]
There are 2 issues fixed by this patch:
- UDP checksum is computed incorrectly, the used pseudo IP header
contains transport protocol 6 iso 17
- on big endian arches the UDP/TCP checksum is incorrectly
computed when payload length is odd
Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh patch]
The package Makefile was based on work at link [1] with the following
changes
1. Disable minidebuginfo support thus no dependency on liblzma
2. Add 2 patches for building against musl-libc and building with
mips16 enabled
3. Add LICENSE and DEPENDS info, etc.
[1] https://github.com/rpi-openwrt/rpi-packages/tree/master/libs/libunwind
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Recent versions of Chrome require this ciphers to successfully handshake with
a TLS enabled uhttpd server using the ustream-polarssl backend.
If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL`
when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()`
to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
>From wolfssl/openssl/opensslv.h, and from skimming the contents of what
"--enable-stunnel" actually does, it seems that --enable-opensslextra
doesn't give you the "full" openssl compatibility that you may wish for
these days. Unfortuantely, while wolfssl writes the build time options
into wolfssl/options.h, it doesn't include that file itself. User
applications must include that directly.
Signed-off-by: Karl Palsson <karlp@etactica.com>
