Commit graph

468 commits

Author SHA1 Message Date
Magnus Kroken
b1f39d3d7e openssl: update to 1.0.2j
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.

Patches applied upstream:
* 301-fix_no_nextprotoneg_build.patch
* 302-Fix_typo_introduced_by_a03f81f4.patch

Security advisory: https://www.openssl.org/news/secadv/20160926.txt

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2016-09-27 17:50:22 +02:00
Rosen Penev
c0b15b3072 openssl: Make DTLS configurable.
Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-09-27 17:50:22 +02:00
Rosen Penev
aaa067ab0b openssl: Remove J-PAKE. Nothing uses it.
Signed-off by: Rosen Penev <rosenp@gmail.com>
2016-09-27 17:50:22 +02:00
Daniel Engberg
edbc8fec8a libjson-c: Update to 0.12.1
Updates libjson-c and removes backport patch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-09-27 17:50:21 +02:00
diizzyy
509708889c libunwind: use url alias
Use alias instead of hardcoded URL

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-09-27 17:50:21 +02:00
Hauke Mehrtens
ea288126db openssl: backport build fix when hardware support is used
This fix added to the openssl 1.0.2 branch.
In addition add the header for the existing backport.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 19:53:00 +02:00
Magnus Kroken
6926325829 openssl: update to 1.0.2i
Drop 302-fix_no_cmac_build.patch, it has been applied upstream.

Security fixes:
* (Severity: High) OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
* (Severity: Moderate) SSL_peek() hang on empty record (CVE-2016-6305)
* 10 Low severity issues

Security advisory: https://www.openssl.org/news/secadv/20160922.txt
Changelog: https://www.openssl.org/news/cl102.txt

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-09-24 13:28:59 +02:00
John Crispin
edf5b2955e cyassl: remove duplicate submenu level
Signed-off-by: John Crispin <john@phrozen.org>
2016-09-19 16:07:58 +02:00
Andreas Schultz
b9e3e38e79 cyassl: make CyaSSL/WolfSSL more configurable
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.

Signed-off-by: Andreas Schultz <aschultz@tpip.net>
2016-09-19 15:30:32 +02:00
Felix Fietkau
00a1056c3f openssl: re-enable ARM assembly
The original reason for disabling it seems to have been fixed
Related discussion: https://github.com/lede-project/source/pull/307

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-31 13:57:05 +02:00
Andreas Schultz
277f85c21a cyassl: make CyaSSL/WolfSSL more configurable
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.

Signed-off-by: Andreas Schultz <aschultz@tpip.net>
2016-08-22 17:30:35 +02:00
Hannu Nyman
a77ce8ba96 libs/gmp: update to 6.1.1
Update libgmp to 6.1.1

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-08-15 15:32:38 +02:00
Jo-Philipp Wich
d36c5152ef ncurses: change handling of PKG_CONFIG_LIBDIR
When PKG_CONFIG_LIBDIR was unset in the environment, the configure
script was deducing the PKG_CONFIG_LIBDIR from the location of the
pkg-config binary, which doesn't make a lot of sense, and isn't done
by other autotools based packages.

Patch imported from the Buildroot project:
https://github.com/buildroot/buildroot/blob/master/package/ncurses/0001-fixup-pkg-config-handling.patch

Also refresh patches while we're at.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-15 13:34:17 +02:00
Felix Fietkau
7ee9222770 openssl: re-enable CMAC support
Needed by a few packages

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-08-09 07:18:03 +02:00
Jo-Philipp Wich
27dffa0b0c uclient: change SSL support error message
Change the error message about missing SSL support to be more explicit by
mentioning required package names.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-08-08 12:20:15 +02:00
Felix Fietkau
11d47e615b libubox: update to the latest version, adds a few utility functions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-29 16:41:08 +02:00
Hauke Mehrtens
bdf9243c1b cyassl: update to wolfssl version 3.9.6
Changelog: https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html

old size:
libcyassl_3.9.0-1_mips_34kc_dsp.ipk     147552

new size:
libcyassl_3.9.6-1_mips_34kc_dsp.ipk     150087

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-24 15:05:03 +02:00
Felix Fietkau
cd91f384ac openssl: re-enable NPN by default
Several packages rely on it

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-24 14:43:44 +02:00
Felix Fietkau
cb8f322d93 openssl: add back the CAST cipher by default
At least netatalk and some ipsec packages use it

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-24 14:42:18 +02:00
Felix Fietkau
600fd467d8 openssl: revert the no-ripemd change, openssh needs that cipher
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-23 19:03:47 +02:00
Dirk Feytons
3ad8bc4366 openssl: add option to disable SRP support
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
2016-07-23 12:10:41 +02:00
Dirk Feytons
057b116e09 openssl: add --gc-sections
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
2016-07-23 12:10:08 +02:00
Dirk Feytons
41da31ac2c openssl: remove some unneeded functionality and algorithms
The patch needed for this commit has been sent upstream:
https://github.com/openssl/openssl/pull/1155

Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [add back bf and srp]
2016-07-23 12:09:51 +02:00
Dirk Feytons
f16fc21675 openssl: add option to disable PSK support
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
2016-07-23 11:59:31 +02:00
Dirk Feytons
0099748fd6 openssl: add option for NPN support
NPN has been superseded by ALPN so NPN is disabled by default
The patch has been sent to OpenSSL for inclusion, see
https://github.com/openssl/openssl/pull/1100

Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
2016-07-23 11:59:31 +02:00
Dirk Feytons
eb4fc91a81 openssl: add option to disable compression support
By default it's disabled. After the CRIME attack it seems the use of
compression is discouraged.

Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
2016-07-23 11:59:31 +02:00
Dirk Feytons
db11695aa6 openssl: add option to omit deprecated APIs
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
2016-07-23 11:59:30 +02:00
Matthias Schiffer
b82c8ddf8c
libpcap: fix dependency of install-shared-so make target
There seems to be a situation in which a rebuild of libpcap.so is triggered
in the install step of the libpcap Makefile. libpcap.so is the wrong
target, leading to the build failure reported in [1].

Fix the dependency of install-shared-so to $(SHAREDLIB) so the build can
succeed in this case.

[1] https://dev.openwrt.org/ticket/19894

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2016-07-21 17:57:17 +02:00
Felix Fietkau
b948c9371b uclibc++: fix build with gcc 6.1.0, which defaults to using C++14 ABI
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-15 14:18:01 +02:00
Hauke Mehrtens
d43075710b mbedtls: fix missing mbedtls_time_t bug in mbedtls 2.3.0
This backports a commit from mbedtls current git which adds missing
include for platform.h.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-14 09:19:56 +02:00
Hauke Mehrtens
05cc72944c mbedtls: update to version 2.3.0
This fixes 3 minor security problems.
SSLv3 is deactivated by default now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-13 23:03:03 +02:00
Hauke Mehrtens
bd20cb272e polarssl: update to version 1.3.17
This fixes 3 minor security problems.
SSLv3 is deactivated by default now.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-13 23:03:02 +02:00
John Crispin
1a06dc6dc2 libubox: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-07-05 22:59:13 +02:00
Felix Fietkau
bd7289af38 uclient: update to the latest version, fixes HTTP redirect support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-05 12:40:30 +02:00
Felix Fietkau
71753a8286 Revert "ustream-ssl: Fix recursive dependency"
This reverts commit abf0768131.
The description is wrong, there is no recursive dependency here. The
conditions were added intentionally to avoid bogus build dependencies.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-04 16:47:56 +02:00
Daniel Dickinson
abf0768131 ustream-ssl: Fix recursive dependency
Two variants incorrectly include themselves in
conditional depends on ssl libraries, which results
in a recursive dependency.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-07-04 10:51:41 +02:00
John Crispin
1e9c066595 ustream-ssl: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-07-02 10:16:17 +02:00
Hauke Mehrtens
f28502a485 libnl-tiny: Generic Netlink multicast groups support
This adds this commit from normal libnl to libnl-tiny:
2dbc1ca76c

commit 2dbc1ca76c5b82c40749e609eb83877418abb006
Author: dima <dima.ky@gmail.com>
Date:   Wed Oct 13 17:53:34 2010 +0300

    Generic Netlink multicast groups support

    I have a patch against commit d378220c96c3c8b6f27dca33e7d8ba03318f9c2d
    extending libnl with a facility to receive generic netlink messages sent
    to multicast groups.

    Essentially it add one new function genl_ctrl_resolve_grp which
    prototype looks like this
    int genl_ctrl_resolve_grp(struct nl_sock *sk, const char *family_name,
            const char *grp_name)
    It resolves  the family name and the group name to group id. Then
    the returned id can be used in nl_socket_add_membership to subscribe
    to multicast messages.

    Besides that it adds two more functions

    uint32_t nl_socket_get_peer_groups(struct nl_sock *sk)
    void nl_socket_set_peer_groups(struct nl_sock *sk, uint32_t groups)

    allowing to modify the socket peer groups field. So it's possible to
    multicast messages from the user space using the legacy interface.
    Looks like there is no way (or I was not able to find one?) to modify
    the netlink socket destination group from the user space, when the
    group id is greater then 32.

Signed-off-by: Hauke Mehrtens <hauke.mehrtens@intel.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [cosmetic style fix]
2016-07-02 10:12:04 +02:00
Alin Năstac
86a2702a00 libnetfilter_queue: fix checksum computation
There are 2 issues fixed by this patch:
  - UDP checksum is computed incorrectly, the used pseudo IP header
    contains transport protocol 6 iso 17
  - on big endian arches the UDP/TCP checksum is incorrectly
    computed when payload length is odd

Signed-off-by: Alin Nastac <alin.nastac@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [refresh patch]
2016-06-26 16:09:48 +02:00
Rafał Miłecki
952beca4aa uclient: update to the latest version with better help and DELETE
This slightly improves output of help messages and supports sending
message body for DELETE.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
2016-06-16 14:54:25 +02:00
Felix Fietkau
a3cde627f8 libubox: update to the latest version, fixes an uloop signal handling race condition
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-15 17:01:15 +02:00
Yousong Zhou
987f14ab23 libunwind: initial version 1.1
The package Makefile was based on work at link [1] with the following
changes

 1. Disable minidebuginfo support thus no dependency on liblzma
 2. Add 2 patches for building against musl-libc and building with
    mips16 enabled
 3. Add LICENSE and DEPENDS info, etc.

[1] https://github.com/rpi-openwrt/rpi-packages/tree/master/libs/libunwind

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2016-06-13 22:51:43 +02:00
John Crispin
62dc9831d3 package/*: update git urls for project repos
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:41 +02:00
Jo-Philipp Wich
9e45f9d63c polarssl: enable AES-GCM and CAMELLIA-GCM ciphersuites
Recent versions of Chrome require this ciphers to successfully handshake with
a TLS enabled uhttpd server using the ustream-polarssl backend.

If `CONFIG_GCM` is disabled, `ssl_ciphersuite_from_id()` will return `NULL`
when cipher `0x9d` is looked up, causing the calling `ssl_ciphersuite_match()`
to fail with `POLARSSL_ERR_SSL_INTERNAL_ERROR`.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-11 03:24:57 +02:00
Jo-Philipp Wich
24a7ccb056 treewide: replace jow@openwrt.org with jo@mein.io
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 11:42:52 +02:00
Karl Palsson
9b118cde89 wolfssl: enable openssl 1.0.1 compatibility
>From wolfssl/openssl/opensslv.h, and from skimming the contents of what
"--enable-stunnel" actually does, it seems that --enable-opensslextra
doesn't give you the "full" openssl compatibility that you may wish for
these days.  Unfortuantely, while wolfssl writes the build time options
into wolfssl/options.h, it doesn't include that file itself.  User
applications must include that directly.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-06-07 09:22:16 +02:00
Felix Fietkau
d84bf324ba ustream-ssl: update to the latest version, adds cyassl/wolfssl fixes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 09:22:11 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Dirk Neukirchen
872075c761 elfutils: remove unrecognized config option
fixes:
configure: WARNING: unrecognized options: --disable-werror

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-06-01 15:18:42 +02:00
Dirk Neukirchen
75dc12dac1 libpcap: remove unrecognized configure options
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-06-01 15:18:42 +02:00