f9a28a9ce864 ustream-ssl: poll connection on incomplete reads
3c49e70c4622 ustream-ssl: increase number of read buffers
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This reverts commit a9e22ffa50.
After doing a clean rebuild, it turns out that this change is not necessary
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Update to the latest upstream release to include recent improvements and
bugfixes, and update copyright. Remove MAKE_VARS usage in Makefile and drop
001-cflags.patch which are no longer needed. Also add flags to disable LTO,
mistakenly dropped earlier.
Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.0
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
e209a4ced1d8 add strdupa macro for compatibility
af1962b9a609 uclient: add helper function for getting ustream-ssl context/ops
488f1d52cfd2 http: add helper function for checking redirect status
b6e5548a3ecc uclient: defer read notifications to uloop timer
352fb3eeb408 http: call ustream_poll if not enough read data is available
e611e6d0ff0b add ucode binding
ddb18d265757 uclient: add function for getting the amount of pending read/write data
980220ad1762 ucode: fix a few ucode binding issues
6c16331e4bf5 ucode: add support for using a prototype for cb, pass it to callbacks
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When using zst instead of xz, the hash changes. This commit fixes the
hash for packages and tools in core.
Signed-off-by: Paul Spooren <mail@aparcar.org>
On Fedora 40 system, some compile error happens when
building iconv-ostream.c. Linking to libiconv-full
fixes this.
Signed-off-by: Yanase Yuki <dev@zpc.st>
The PKG_MIRROR_HASH was wrong (again), likely due to an old set of tools
which did not contain the downgrade of xz.
Ref 2070049 unetd: fix PKG_MIRROR_HASH
Fix 89c594e libubox: update to Git HEAD (2024-03-29)"
Signed-off-by: Paul Spooren <mail@aparcar.org>
a2fce001819e CI: add build test run
12bda4bdb197 CI: add CodeQL workflow tests
eb9bcb64185a ustream: prevent recursive calls to the read callback
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Different from OPKG, APK uses a deterministic version schema which chips
the version into chunks and compares them individually. This enforces a
certain schema which was previously entirely flexible.
- Releases are added at the very and end prefixed with an `r` like
`1.2.3-r3`.
- Hashes are prefixed with a `~` like `1.2.3~abc123`.
- Dates become semantic versions, like `2024.04.01`
- Extra tags are possible like `_git`, `_alpha` and more.
For full details see the APK test list:
https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/master/test/version.data
Signed-off-by: Paul Spooren <mail@aparcar.org>
libevent2's cmake use absolute path, then cmake cannot find it when cross compiling:
```
-- Found libevent include directory: /builder/staging_dir/target-mips_24kc_musl/usr/include
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_core.so
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_extra.so
-- Found libevent component: /builder/staging_dir/target-mips_24kc_musl/usr/lib/libevent_openssl.so
-- Found libevent 2.1.12 in /builder/staging_dir/target-mips_24kc_musl/usr
CMake Error at /builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventTargets-shared.cmake:102 (message):
The imported target "libevent::core" references the file
"/usr/lib/libevent_core-2.1.so.7.0.1"
but this file does not exist. Possible reasons include:
* The file was deleted, renamed, or moved to another location.
* An install or uninstall procedure did not complete successfully.
* The installation package was faulty and contained
"/builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventTargets-shared.cmake"
but not all the files it references.
Call Stack (most recent call first):
/builder/staging_dir/target-mips_24kc_musl/usr/lib/cmake/libevent/LibeventConfig.cmake:168 (include)
CMakeLists.txt:34 (find_package)
```
This patch make cmake use relative imported path, so it can find libevent.
Signed-off-by: Liu Dongmiao <liudongmiao@gmail.com>
Fixes libssh, which requires it. Bump ABI_VERSION, since enabling this
option affects data structures in mbedtls include files.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Major changes between OpenSSL 3.0.12 and OpenSSL 3.0.13 [30 Jan 2024]
* Fixed PKCS12 Decoding crashes
([CVE-2024-0727])
* Fixed Excessive time spent checking invalid RSA public keys
([CVE-2023-6237])
* Fixed POLY1305 MAC implementation corrupting vector registers on PowerPC
CPUs which support PowerISA 2.07
([CVE-2023-6129])
* Fix excessive time spent in DH check / generation with large Q parameter
value ([CVE-2023-5678])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Changelog:
edddd80 Release libbsd 0.11.8
dd0bdb5 test: Close all descriptors before initializing them for closefrom()
0813f37 build: Check out-of-tree builds in CI
df116b5 Adjust strlcpy() and strlcat() per glibc adoption
ecb44e1 Do not add a pointer to the NULL constant
459b7f7 Do not confuse code analyzers with out-of-bounds array access look alike
a44f885 test: Fix short-lived memory leak
3f5ca0a build: Add a coverage regex to the CI job
9d3e59a man: Use VARIANTS instead of ALTERNATIVES in libbsd(7)
f02562d man: Markup function references with Xr instead of Fn
b7367c9 build: Add missing dash to macro title bar
6777eb6 pwcache: Do not declare uidtb and gidtb when not used
d4e0cdc fgetln: Include <stdio.h> after <sys/*>
f41d6c1 build: Refactor GNU .init_array support check into a new m4 function
30b48ed build: Refactor linker script detection into a new m4 function
d0d8d01 build: Do not provide prototypes for arc4random() on Solaris
cf61ebb build: Do not build the progname module if it is not needed
73b25a8 build: Sort entries alphabetically
5434ba1 build: Conditionalize wcslcpy() and wcslcat() functions on macOS
dc1bd1a build: Conditionalize only id-from-name functions not the entire pwcache
edc746e build: Conditionalize getprogname()/setprogname on macOS
8f998d1 progname: Include <procinfo.h> if available
d08163b build: Check whether we need libperfstat on AIX
1186cf8 build: Annotate droppable functions for musl on next SOVERSION bump
6385ccc build: Conditionalize bsd_getopt() on macOS
c120681 Move the version script comments before the symbols
9fa0676 Port getprogname() to AIX
92337b1 Make getprogname() porting mandatory
90b7f3a test: Do not use /dev/null as compiler output file
426bf45 build: Add generated *.sym files to .gitignore
21d12b0 build: On macOS do not build functions provided by the system
bc65806 build: Select whether to include funopen() in the build system
8b7a4d9 build: Move Windows OS detection to the OS features section
ccbfd1c build: Remove __MUSL__ definition from configure
e0976d7 build: Add a new libbsd_strong_alias() macro and switch users to it
49c7dd1 build: Only emit link warnings for ELF objects
8622767 build: Use an export symbols file if there is no version script support
8f61036 build: Add -no-undefined libtool flag
ae7942b build: Do not override the default DEPENDENCIES for libbsd
a5faf17 Only use <stdio_ext.h> if present
06e8a1b Define _NSIG if it is not defined by the system
44824ac Declare environ if the system does not do so
1fb6c3f Use lockf() when flock() is not available
fe16f38 test: Use open_memstream() only if available
7c652a9 test: Do not hardcode root:root user and group names
ed2eb31 test: Fix closefrom() test on macOS
0f8bcdf test: Fix closefrom() test to handle open file descriptor limits
07192b3 test: Disable blank_stack_side_effects() on non-Hurd systems
ca3db5e build: Do not enable ASAN for musl CI pipelines
ff46386 man: Add HISTORY section to arc4random(3bsd)
4c6da57 man: Switch arc4random(3bsd) man page from OpenBSD to NetBSD
830dd88 doc: Remove written-by attribution
257800a build: Add support for sanitizer compiler flags
536a7d4 test: Exempt blank_stack_side_effects() from sanitizer checks
7ed5de0 test: Import explicit_bzero() sanitizer support changes from OpenBSD
05a802a test: Fix memory leaks in fpurge test
5962e03 man: Fix BSD and glibc versions
59a21c7 man: Update STANDARDS and HISTORY sections
7b4ebd6 include: Adjust closefrom() per glibc adoption
0dfbe76 build: Switch to debian:latest Docker image
dec783d build: Fix version script linker support detection
fe21244 include: Use __has_builtin to detect __builtin_offsetof support
ec88b7b funopen: Replace off64_t with off_t in funopen_seek()
2337719 man: Prune unneeded <sys/types.h> include in setproctitle(3)
5dea9da build: Improve C99 compatibility of __progname configure check
b9bf42d build: Enable -Wall for automake
e57c078 build: Add missing AM_PROG_AR macro call to configure.ac
80f1927 build: Fix configure.ac indentation
b7a8bc2 build: Require automake 1.11
e508962 build: Do not require funopen() to be ported
00b538f build: Terminate lists in variables with «# EOL»
5cfa39e build: Use «yes» instead of «true» for AC_CHECK_FUNCS cache value
Signed-off-by: Nick Hainke <vincent@systemli.org>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for following security issues:
* Timing side channel in private key RSA operations (CVE-2024-23170)
Mbed TLS is vulnerable to a timing side channel in private key RSA
operations. This side channel could be sufficient for an attacker to
recover the plaintext. A local attacker or a remote attacker who is
close to the victim on the network might have precise enough timing
measurements to exploit this. It requires the attacker to send a large
number of messages for decryption.
* Buffer overflow in mbedtls_x509_set_extension() (CVE-2024-23775)
When writing x509 extensions we failed to validate inputs passed in to
mbedtls_x509_set_extension(), which could result in an integer overflow,
causing a zero-length buffer to be allocated to hold the extension. The
extension would then be copied into the buffer, causing a heap buffer
overflow.
Fixes: CVE-2024-23170, CVE-2024-23775
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/
References: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-2/
Signed-off-by: orangepizza <tjtncks@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [formal fixes]
6339204c212b CMakeLists.txt: bump minimum cmake version
c1be505732e6 udebug: fix crash in udebug_entry_vprintf with longer strings
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Changes:
67f3b2a libtracefs: version 1.8
8a1322f libtracefs utest: Add tests to use mapping if supported
0a65b79 libtracefs: Add tracefs_mapped_is_supported() API
805f650 libtracefs: Call mmap ioctl if a refresh happens
cf7e2a5 libtracefs: Fix tracefs_mmap() kbuf usage
3a26b26 libtracefs: Have nonblock tracefs_cpu reads set errno EAGAIN
2b5bb09 libtracefs: Have tracefs_mmap_read() include subbuf meta data
dee0448 libtracefs: Have mapping work with the other tracefs_cpu* functions
28eebc1 libtracefs: Have tracefs_cpu_flush(_buf)() use mapping
065d914 libtracefs: Use mmapping for iterating raw events
1124e0e libtracefs: Use tracefs_cpu_*_buf() calls for iterator
f43b293 libtracefs: Unmap mmap mapping on tracefs_cpu close
0d24516 libtracefs Documentation: Fix tracefs_cpu_snapshot_open() man pages
5ff31c0 libtracefs Documentation: Add tracefs_follow_events_clear() to main man page
0c7d9f7 libtracefs: Add man pages for tracefs_snapshot_*() functions
b2dc3e0 libtracefs sql: Rename TIMESTAMP_USECS_DELTA to TIMESTAMP_DELTA_USECS
585ec77 libtracefs: Force off trace mmapping
2ed14b5 libtracefs: Add ring buffer memory mapping APIs
173ffc0 libtracefs meson: Add option to disable samples
a55e2e8 libtracefs meson: Add option to disable documentation
93e20af libtracefs: Fix tracefs_instance_reset to clear synthetic events
a1ecbff libtracefs utest: Add more tests to test tracefs_sql()
975c37c libtracefs utest: Add matches to trace_sql() tests
0567e2d libtracefs synthetic: Handle hashed name variables
fcb3a83 libtracefs synthetic: Remove multiple adding of action in tracefs_synth_save()
a9dae65 libtracefs: Fix sqlhist used uninitialized error
fe7a467 libtracefs: Add updating and reading snapshot buffers
1ad57ab libtracefs: Add PID filtering API
d8726bf libtracefs: Also clear max_graph_depth on reset
eb4dd60 libtracefs: Add TIMESTAMP_USECS_DELTA to simplify SQL timestamp compares
8c57eb4 libtracefs: Add tracefs_instance_set/get_subbuf_size()
9bafb21 libtracefs: Add API to extract ring buffer statistics
141d25e libtracefs: Add tracefs_load_headers() API
ef3fae7 libtracefs: Add kerneldoc comments to tracefs_instance_set_buffer_size()
31acfe1 libtracefs utest: Add test to test tracefs_instance_set/get_buffer_percent()
3e6d975 libtracefs: Add tracefs_instance_clear() API
c4efaaf libtracefs: Add tracefs_instance_get/set_buffer_percent()
1e1cc54 libtracefs: Add API to read tracefs_cpu and return a kbuffer
7d395b1 libtracefs: Add tracefs_instance_file_write_number()
e34cbd8 libtracefs: Increase splice to use pipe max size
1f50965 libtracefs: Add API to remove followers from an instance or toplevel
576ee0b libtracefs: Reset tracing before and after unit tests
118b694 libtracefs: Free dynamic event list in utest
5159973 libtracefs: Free tracing_dir in case of remount
df563eb libtracefs: Free buf in clear_func_filter()
3cbac37 libtracefs: Free "missed_followers" of instance
0cbe56e libtracefs testing: Use one tep handle for most tests
adac30f libtracefs Documentation: Fix tracefs_event_file_exists() issues
07ab199 libtracefs: Pass enum value where expected instead of int
bb299b4 libtracefs: fix cscope makefile rule
420d677 libtracefs: Free "followers" when freeing instance
3f436fc libtracefs: Fix documentation of tracefs_trace_pipe_stream() flags
1fde9df libtracefs: Add explicit pthread dependency to meson
d1989ae tracefs-perf: Add missing headers for syscall() and SYS_* defines
Signed-off-by: Nick Hainke <vincent@systemli.org>
To prevent use of host's library path on Void Linux:
/usr/lib/libacl.so: file not recognized: file format not recognized
collect2: error: ld returned 1 exit status
libtool: error: error: relink 'libgettextlib.la' with the above command before installing it
Signed-off-by: Alexander Egorenkov <egorenar-dev@posteo.net>
rpath handling seems to be more restrictive now. To deal with this,
link the libubox library from STAGING_DIR_HOST to STAGING_DIR_HOSTPKG, so that
packages installed to STAGING_DIR_HOSTPKG can pick it up. This mainly affects
ucode, but possibly other host builds as well
Signed-off-by: Felix Fietkau <nbd@nbd.name>
af57bb123f93 socket: add debug callbacks for rx/tx
785e11aee7dd socket: call rx debug callback once per packet instead of per batch
965c4bf49658 socket: change debug callbacks to pass struct nl_msg
Signed-off-by: Felix Fietkau <nbd@nbd.name>
d27acfe416d6 udebug: add more checks for uninitialized buffers
df5b7147f47a udebug: add mips specific quirk
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Update to the latest upstream release to include recent improvements and
bugfixes. Also refresh local patches.
Link: https://github.com/libbpf/libbpf/releases/tag/v1.3.0
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
325fea5c57cf udebug: add functions for manipulating entry length
e84c000c4756 udebug: add inline helper function to test if a buffer is allocated
40acbe34632b udebug: wait for response after buffer add/remove
Signed-off-by: Felix Fietkau <nbd@nbd.name>
d49aadabb7a1 lib: fix dealing with udebugd restarts
9ec5fbb6aaad ubus: report ring size and data size via ubus api
86b4396baa44 ring: add debug messages for ring alloc errors
e02306af7c50 lib: add helper function for applying ring config
b613879cb049 client: send confirmation messages for ring add/remove
Signed-off-by: Felix Fietkau <nbd@nbd.name>
b77f2a4ce903 uloop: fix build using C++ compilers
260ad5bd1566 udebug: add ulog support
e80dc00ee90c link librt if needed for shm_open
Signed-off-by: Felix Fietkau <nbd@nbd.name>
82fa6480de7a uloop: add support for interval timers
13d9b04fb09d uloop: add support for user defined signal handlers
f7d156911311 uloop: properly initialize signal handler mask
8a5a4319a85c uloop: fix typo in signal handling rework
b3fa3d92e3eb uloop: reset flags after __uloop_fd_delete call
d4c3066e7c5e udebug: add udebug library code
Signed-off-by: Felix Fietkau <nbd@nbd.name>
91666a3 ustream-mbedtls: Add compatibility with Mbed TLS 3.0.0
263b9a9 cmake: Fail if undefined symbols are used
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Activate the secp521r1 ecliptic curve by default. This curve is allowed
by the CA/Browser forum, see
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.1-redlined.pdf#page=110
This increases the size of libmbedtls12_2.28.5-1_aarch64_generic.ipk by
about 400 bytes:
Without:
252,696 libmbedtls12_2.28.5-1_aarch64_generic.ipk
With:
253,088 libmbedtls12_2.28.5-2_aarch64_generic.ipk
Fixes: #13774
Acked-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes building with USE_LTO enabled.
<artificial>:(.text+0x4194): relocation R_MIPS16_26 against `cil_printf.lto_priv.0' cannot be used when making a shared object; recompile with -fPIC
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: non-dynamic relocations refer to dynamic symbol memcmp
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status
Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
This fixes building with USE_LTO enabled:
<artificial>:(.text.exit+0x6e): relocation R_MIPS16_26 against `pthread_key_delete' cannot be used when making a shared object; recompile with -fPIC
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: non-dynamic relocations refer to dynamic symbol stpcpy
./openwrt/staging_dir/toolchain-mips_24kc_gcc-12.3.0_musl/lib/gcc/mips-openwrt-linux-musl/12.3.0/../../../../mips-openwrt-linux-musl/bin/ld.bfd: failed to set dynamic section sizes: bad value
collect2: error: ld returned 1 exit status
Signed-off-by: Anari Jalakas <anari.jalakas@gmail.com>
Major changes between OpenSSL 3.0.11 and OpenSSL 3.0.12 [24 Oct 2023]
* Mitigate incorrect resize handling for symmetric cipher keys and IVs. (CVE-2023-5363)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Some packages (like wavemon >= 0.9.4) depend on libnl-cli. Add support
for this part of the lib. libnl-cli itself depends on libnl-genl and
libnl-nf. On MIPS, this component adds 81kB.
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
(punctuation correction and reorganisation of commit message)
Signed-off-by: Nick Hainke <vincent@systemli.org>
When using an external toolchain, ldd is not linked into the rootfs.
This causes subsequent upgrades to fail with 'Failed to exec upgraded'.
This patch adds the symlink when using an external toolchain and musl.
Signed-off-by: Arien Judge <arienjudge@outlook.com>
Some packages won't ever have something to patch as they normally
install files or are meta-packages.
For these special packages, disable QUILT refresh.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Changes in 1.3 (18 Aug 2023)
- Remove K&R function definitions and zlib2ansi
- Fix bug in deflateBound() for level 0 and memLevel 9
- Fix bug when gzungetc() is used immediately after gzopen()
- Fix bug when using gzflush() with a very small buffer
- Fix crash when gzsetparams() attempted for transparent write
- Fix test/example.c to work with FORCE_STORED
- Rewrite of zran in examples (see zran.c version history)
- Fix minizip to allow it to open an empty zip file
- Fix reading disk number start on zip64 files in minizip
- Fix logic error in minizip argument processing
- Add minizip testing to Makefile
- Read multiple bytes instead of byte-by-byte in minizip unzip.c
- Add memory sanitizer to configure (--memory)
- Various portability improvements
- Various documentation improvements
- Various spelling and typo corrections
Signed-off-by: Nick Hainke <vincent@systemli.org>
Changes:
6b2533c0 libnl-3.8.0 release
1558bd62 build: replace old "NOTE" in configure output and add summary
f66383a4 build: avoid aclocal warning about missing "m4" directory
e4402a4c build: run `autoupdate` for AM_PROG_LIBTOOL
5761b6af build: add "-Wno-portability" to AC_INIT_AUTOMAKE()
661f10a1 license: fix/adjust license for "src/nl-cls-add.c"
c8fcb412 license: fix/adjust license for "src/nl-addr-{add,delete,list}.c"
e3e6fd6d tests: use thread-safe localtime_r() instead of localtime()
f520471c lib/xfrm: use thread-safe gmtime_r() instead of gmtime()
be5add72 tests: avoid srandom()/random() in favor of _nltst_rand_u32()
40578a62 lib: use getprotobyname_r(), getprotobynumber_r() if available
8ee8b05f lib: fix error handling in nl_str2ip_proto()
09f03f29 tests: check nl_str2ip_proto()
74bffbf6 route: fix documentation comment for nl_nh_group_info
59f8db0d clang-format: add "-l" alias for option in "tools/clang-format.sh"
935cc90a clang-format: ignore reformatting commit in ".git-blame-ignore-revs"
53da4712 clang-format: reformat files with new format
65c43bfe clang-format: update ".clang-format" from linux kernel
4c39a2ce include: use <linux/$file> instead of <linux-private/linux/$file>
a1e9fb3d include/linux: add all linux headers that we use
d37ffe15 include/linux: update all linux headers
1af767a8 include: add missing "extern "C"" specifier to public headers
e0a5d12b all: drop "extern "C"" from internal code
d9a1e0ce build: add "check-local-build-headers" test target to build public headers
02b87012 build: add a "check-local" build target
f9413915 include: fix headers "include/netlink/route/{netconf.h,route/qdisc/red.h}" to be self-contained
680df173 idiag: "fix" license for "idiag-socket-details" tool
2f210d9a github: test build on alpine:latest for musl
dcc4c0a5 Revert "gitignore: ignore patch files"
39106309 github: add test for linking with mold and fail on unknown versions
f475c3b2 route/nh: drop not implemented "nh" API from headers
4c681e77 build: fix exporting symbol rtnl_link_info_ops_get
260c9575 include: don't explicitly include headers from "nl-default.h"
98c1e696 tests: cleanup include of netlink headers
42bec462 build: cleanup default include list in Makefile.am
4c1a119a include: include private linux headers with explicit path
ca063725 python: add make target for python build
25c90193 python: drop unused "python/netlink/fixes.h"
3f3da7fd gitignore: ignore python build artifacts
61ef5609 gitignore: ignore generated doc files
298c5dc6 include: drop "netlink-private/netlink.h" and move declarations
862eed54 all: cleanup includes and use "nm-default.h"
2b3cd741 include: add "nl-default.h" header
8952ce6f build: move "lib/defs.h" to "include/config.h"
1010776d include: split and drop "netlink-private/types.h"
d1d57846 include: rename "nl-shared-core" to "nl-priv-dynamic-core"
fc91c4f8 include: rename "nl-hidden-route" to "nl-priv-dynamic-route"
9bb6f770 include: rename "nl-intern-route" to "nl-priv-static-route"
b5195db9 genl: rename private header "nl-priv-genl.h" to "nl-genl.h"
0eacf658 include: make "netlink/route/link/{inet,inet6}.h" self-contained
ad014ad1 route/tc: avoid unalinged access in rtnl_tc_msg_parse()
05bd6366 add support for TC action statistics
776fc5a6 lib: move "include/netlink-private/object-api" to include/nl-shared-core
fad34560 lib: move "include/netlink-private/cache-api" to include/nl-shared-core
ed2be537 route: move "include/netlink-private/route/link/sriov.h" to lib/route/link-sriov.h
97f61eda lib: move "include/netlink-private/socket.h" to lib/nl-core.h
96e1cc5b route: move "include/netlink-private/route/nexthop-encap.h" to lib/route
391e03d3 route: merge "include/netlink-private/tc.h" to lib/route/tc-api.h
7fc4f5b3 route: move rtnl_tc_build_rate_table() to "tc-api.h"
cf41e14d route: move "include/netlink-private/route/tc-api.h" to lib/route
db810cfb route: move hidden symbols from "include/netlink-private/route/tc-api.h"
ff08e618 build: don't add lib/route to include directory for all libs
eb8da16d include: move "include/netlink-private/route/link/api.h" to lib/route
8b2074aa include: move "include/netlink-private/route/utils.h" to nl-intern-route
fd470c06 include: move "include/netlink-private/route/mpls.h" to "lib/mpls.h"
78056ad2 genl: add comment about wrongly exported symbol genl_resolve_id()
befc4ab4 include: move "include/netlink-private/genl.h" to "lib/genl/nl-priv-genl.h"
f6c26127 nl-aux: add "include/nl-aux-{core,route}" headers
2da8481b base: move "netlink-private/utils.h" to "base/nl-base-utils.h"
d3e9b513 include/utils: move nl-auto base defines to "utils.h"
543b9f8f clang-format: reformat "include/netlink-private/nl-auto.h"
aa565460 route: cleanup ATTR_DIFF() macros
beba5a18 cli: add nl-nh-list utility
780d06ae route: add nh type
1b6433d9 neigh: add support of NHID attribute
e0140c5f include: import kernel headers "linux/{neighbour,nexthop,rtnetlink}.h"
eef06744 utils: add static-assert for signedness of arguments of _NL_CMP_DIRECT() macro
679c4c51 cli: use <netlink-private/utils.h> in cli and _nl_{init,exit}
a9c5de52 lib: use _nl_{init,exit} instead of __{init,exit}
102f9bd2 include/private: add _nl_init/_nl_exit macros
6782678e include/private: drop unused __deprecated macro
a0535a58 all: use "_nl_packed" macro instead of "__attribute__((packed))"
8c9f98cf all: rework ATTR_DIFF() macros to not generate attribute names
ca34ad52 lib: handle negative and zero size in nla_memcpy()
859b89dc include: drop now unused min()/max()/min_t()/max_t() macros
2e0ae977 all: use _NL_{MIN,MAX}() macros
57c451fa utils: add various helpers to "include/netlink-private/utils.h"
a9a9dcea style: format "include/netlink-private/utils.h" with clang-format
590e8a61 tools: improve failure message with "tools/clang-format.sh -n"
06dc5ae0 github: fix format checking with clang-format
7738f239 route/trivial: sort entries in "libnl-route-3.sym" asciibetically
fc805c56 route/bond: Add support for link_info for bond
6af26981 lib: accept NULL argument in nla_nest_cancel() for robustness
e9662091 macsec: Drop offload capability validation check
35a68109 github: update flake8 linter to not explicitly select checks
9a266405 python: add ".flake8" file for configuring "flake8"
e6b934a5 python: fix flake8 warnings E712
2cea738b python: fix flake8 warnings E711
d561096c python: fix flake8 warnings E302
29b06d0f python: fix flake8 warnings E741
4dc1f498 python: fix flake8 warnings F841
f4875c69 python: fix flake8 warnings W605
9a3d91df python: fix flake8 warnings F401
6baf2339 clang-format: add "tools/clang-format-container.sh" script
ee2876e3 github: add test for checking clang-format style
45c7aae3 clang-format: add "tools/clang-format.sh" script
02e0fd3f github: check python-black code formatting in github actions
2dd53895 build: add ".git-blame-ignore-revs" file for "blame.ignoreRevsFile" git config
3c753e3c python: reformat all Python files with python-black
298ee58e python add "pyproject.toml" for configuring black
a0e4b7f9 github: skip Python flake8 test with clang build
c4240c0b github: run "Build Release" test also with clang
143cee1d bridge: fix bridge info parsing
96bbe55c test-cache-mngr: Flush output after object dumps
cf5dcbcd test-cache-mngr: Add option to print timestamps
bd570952 test-cache-mngr: Add an option to iterate over all supported address families
bf80da90 test-cache-mngr: Add dump interval options
80febeea test-cache-mngr: Add an option to control which oo_dump function is used
6519a917 route/link: prevent segfault in af_request_type()
a68260f8 github: fix installing python dependencies via pip
39c04bc7 build: drop redundant "autogen.sh" call from "tools/build_release.sh"
d411b88d build: change proper working directory in "doc/autogen.sh"
2fa73ce0 build: ensure "autogen.sh" scripts fail on error
fc786296 gitignore: ignore "*~" files
4c4e614b docs: rtnl_link_put() 'releases' instead of 'returns'
336b15dc include/linux: update copy of kernel header "linux/ipv6.h"
e2cacc26 route/link: improve handling of IFLA_INET6_CONF
ec8c493c route/link: remove rtnl_link_inet6_set_conf() API
e790f8ad route/link: various fixes for rtnl_link_inet6_get_conf() API
d83c6d54 route/link: add accessor API for IPv6 DEVCONF
9167504d bridge: drop unnecessary goto in bridge_info_parse()
984d6e93 bridge: don't normalize the u8 argument in rtnl_link_bridge_set_vlan_filtering() to boolean
3662a5da bridge: expose rtnl_link_bridge_get_vlan_protocol() in host byte order
5a1ef219 bridge: fix parsing vlan-protocol in bridge_info_parse()
ad1c2927 bridge: minor cleanups in "bridge_info.c"
1c74725a bridge: use SPDX license identifiers in bridge_info files
26ca549d bridge: reformat bridge_info file with clang-format
08dc5d9c bridge: extend libnl with options needed for VLAN aware forwarding
7391a38e bridge: Add support for link_info of a bridge
1f1e8385 route/vlan: drop unnecessary "else" in vlan_put_attrs()
2bc30e57 route/vlan: fix error handling in 'lib/route/link/vlan.c'
8273d6ce build: add comments to linker version scripts about the version tags
6ac7a812 doc: fix typo
07d274ab doc: fix typo
0461a425 attr: reject zero length addresses
8d40d9eb route: construct all-zero addresses for default route destination
25d42a4f addr: allow constructing all-zero addresses
0c0aee82 addr: create an all-zero addresses when parsing "any" or "default"
Signed-off-by: Nick Hainke <vincent@systemli.org>
Changes:
16d68ab Release libmd 1.1.0
054bca1 build: Terminate lists in variables with «# EOL»
84d269e test: Add cases for SHA224 and SHA512-256
a677e68 test: Add a new test_eq() helper function
4c5931f Sync SHA2 changes from OpenBSD
9934d94 Sync SHA1 changes from OpenBSD
457e30a Sync RMD160 changes from OpenBSD
b2e54bc Sync MD5 changes from OpenBSD
ee56a52 Sync MD4 changes from OpenBSD
b9496ac Sync MD2 changes from NetBSD
09d5824 Remove unused <assert.h>
08b2c5d build: Rename libmd_alias() to libmd_strong_alias()
ed69599 On Darwin use assembler to support symbol aliases
b74b777 build: Do not use strong aliases on macOS
94838ec build: Require automake 1.11
39cbc7b build: Fix configure.ac indentation
4620a04 build: Switch to debian:latest Docker image
e408786 build: Fix version script linker support detection
0ef1e4d doc: Move mailing list reference to the end
a3f1671 man: Add new libmd(7) man page
Signed-off-by: Nick Hainke <vincent@systemli.org>
Changes between 3.0.10 and 3.0.11 [19 Sep 2023]
* Fix POLY1305 MAC implementation corrupting XMM registers on Windows. ([CVE-2023-4807])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
The PKG_CPE_ID links to NIST CPE version 2.2.
Assign PKG_CPE_ID to all remaining package which have a CPE ID.
Not every package has CPE id.
Related: https://github.com/openwrt/packages/issues/8534
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
Changes between 3.0.9 and 3.0.10 [1 Aug 2023]
* Fix excessive time spent checking DH q parameter value ([CVE-2023-3817])
* Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446])
* Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975])
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
ChangeLog:
aebab37 libtracefs: version 1.7
a3237c3 libtracefs: Add initial support for meson
b25019f libtarcefs doc: Add tracefs_kprobe_destroy() to index man page
4c2194f libtracefs doc: State that tracefs_dynevent_create() is needed for tracefs_kprobe_alloc()
df53d43 libtracefs Documentation: Add missing prototypes in top level man page
9a2df4a libtracefs: Update version to 1.7.dev
18ede68 libtracefs: Add tracefs_kprobe_destory() API
309b1ba libtracefs tests: Add helper function to destroy dynamic events
53dce80 tracefs: Add tracefs_time_conversion() API
5ea4128 libtracefs: Add tracefs_find_cid_pid() API
857dd3e libtracefs/utest: Fix crashing of synth test when synths exist
6332309 libtracefs/utest: Do not use synth for test_synth element
25cd206 libtracefs: Clarify the tracefs_synth_create() man page
6b6d43f libtracefs: Do not allow tracefs_synth_set_instance() on created synth
c860f93 libtracefs: Documentation for tracefs_synth_set_instance
0039173 libtracefs: New API to set synthetic event instance
e97c311 libtracefs: Do not segfault in tests if synthetic events are not configured
185019c libtracefs: Add tracefs_instance_tracers() API
6775d23 libtracefs: Do not use hwlat tracer and fdb_delete event for tests
5a1a01e libtracefs: Add stacktrace to tracefs_sql()
b1b234e libtracefs: Unit test for tracefs_instance_reset()
dd620f4 libtracefs: Documentation for tracefs_instance_reset()
789e82d libtracefs: New API to reset ftrace instance
Signed-off-by: Nick Hainke <vincent@systemli.org>
8667347 build: allow passing SOVERSION value for dynamic library
Also adjust packaging of the library to only ship the SOVERSION
suffixed library object, to allow for concurrent installation of
ABI-incompible versions in the future.
Fixes: #13082
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
openssl sets additional cflags in its configuration script. We need to
make it aware of our custom cflags to avoid adding conflicting cflags.
Fixes: #12866
Signed-off-by: Jitao Lu <dianlujitao@gmail.com>
CVE-2023-2650 fix
Remove upstreamed patches
Major changes between OpenSSL 3.0.8 and OpenSSL 3.0.9 [30 May 2023]
* Mitigate for very slow OBJ_obj2txt() performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms (CVE-2023-1255)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
b09b316aeaf6 blobmsg: add blobmsg_parse_attr function
eac92a4d5d82 blobmsg: add blobmsg_parse_array_attr
ef5e8e38bd38 usock: fix poll return code check
6fc29d1c4292 jshn.sh: Add pretty-printing to json_dump
5893cf78da40 blobmsg: Don't do at run-time what can be done at compile-time
362951a2d96e uloop: fix uloop_run_timeout
75a3b870cace uloop: add support for integrating with a different event loop
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Built-in engine configs are added in libopenssl-conf/install stage
already, postinst/add_engine_config is just duplicating them, and
due to the lack of `config` header it results a broken uci config:
> uci: Parse error (invalid command) at line 3, byte 0
```
config engine 'devcrypto'
option enabled '1'
engine 'devcrypto'
option enabled '1'
option builtin '1'
```
Add `builtin` option in libopenssl-conf/install stage and remove
duplicate engine configuration in postinst/add_engine_config to
fix this issue.
Fixes: 0b70d55a64 ("openssl: make UCI config aware of built-in engines")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
My original bpftools package made "variant" builds of bpftool and libbpf
as a convenience, since both used the same local kernel sources with the
same versioning. This is no longer the case, since the commit below
switched to using an out-of-tree build mirror hosting repos for each.
Replace bpftools with separate bpftool and libbpf packages, each simplified
and correctly versioned. Also fix the broken libbpf ABI introduced in the
same commit. Existing build .config files are not impacted.
Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Fixes errors in the form of:
/Users/user/src/openwrt/openwrt/build_dir/hostpkg/json-c-0.16/json_util.c:63:35: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
const char *json_util_get_last_err()
^
void
1 error generated.
ninja: build stopped: subcommand failed.
Reported-by: Paul Spooren <mail@aparcar.org>
Suggested-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Nick Hainke <vincent@systemli.org>
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```
then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/clean
done
```
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
With the update of selinux no package depends anymore on pcre in the
base repository. Move it to packages feed.
Signed-off-by: Nick Hainke <vincent@systemli.org>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Fixes: fff878c5bc ("toolchain/musl: update to 1.2.4")
Signed-off-by: Robert Marko <robimarko@gmail.com>
musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so
just having _GNU_SOURCE defined is not enough anymore.
_LARGEFILE64_SOURCE has to be defined in the source, or CFLAGS can be used
to pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Running autoreconf or autogen.sh is causing
the gettext-runtime subdirectory to have a configure script
that looks for and attempts to link to an external libunistring.
However, the macros and symbols for supporting that configuration
are not present in this subdirectory yet.
This results in some host machines to not build the
included libunistring objects for libgrt,
but at the same time, also not input the proper flag to the linker
for linking to an external library when it is found or even when
explicitly setting configuration to use a prefix for libunistring,
resulting in the common linking failure "undefined reference".
Some similar (and old...) upstream commits do the same thing,
but only for gettext-tools and libgettextpo.
Ref: ae943bcc1 ("Link with libunistring, if it exists.") # gettext.git
Ref: 61e21a72f ("Avoid link error in programs that use libgettextpo.") # gettext.git
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Add libunistring in order to link to gettext
and other packages directly
instead of the built-in substitute for it.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Using the local gnulib source during autogen.sh
allows for fine-grained control over the macros
and source files for use with gettext
but part of gnulib instead of gettext,
without having to wait for a release
or deal with gnulib as a git submodule.
This is an alternative to running autoreconf.
It also removes the need to patch macros
in the case where there is a conflict
between the source and our aclocal directory.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some users have reported that gettext builds
are attempting to link to libxml2
while it was supposed to be configured
to use it's own built-in substitute.
Configure gettext to require and link
to our local libxml2 explicitly.
Add a patch to revert upstream commit 87927a4e2
which forces libtextstyle to use the built-in libxml,
no matter what the configuration is,
making that option configurable again
after the configure script is regenerated.
Reported-by: Tianling Shen <cnsztl@immortalwrt.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Instead of editing the SUBDIRS variable with a patch,
it can be overriden at the end of the command line when invoking Make.
This tool has a series of recursive Makefiles in each subdirectory,
therefore SUBDIRS is set to a pattern of Make functions
so that the result is variable depending on the current subdirectory
that Make is being invoked in.
Some of the subdirectories don't have a Makefile and are just storing files
for another subdirectory Makefile target,
therefore we have to place a fake Makefile that does nothing.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
This applies commit 02ac9c94 to fix this OpenSSL Security Advisory
issued on 20th April 2023[1]:
Input buffer over-read in AES-XTS implementation on 64 bit ARM
(CVE-2023-1255)
==============================================================
Severity: Low
Issue summary: The AES-XTS cipher decryption implementation for 64 bit
ARM platform contains a bug that could cause it to read past the input
buffer, leading to a crash.
Impact summary: Applications that use the AES-XTS algorithm on the 64
bit ARM platform can crash in rare circumstances. The AES-XTS algorithm
is usually used for disk encryption.
The AES-XTS cipher decryption implementation for 64 bit ARM platform
will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the
memory after the ciphertext buffer is unmapped, this will trigger a
crash which results in a denial of service.
If an attacker can control the size and location of the ciphertext
buffer being decrypted by an application using AES-XTS on 64 bit ARM,
the application is affected. This is fairly unlikely making this issue a
Low severity one.
1. https://www.openssl.org/news/secadv/20230420.txt
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:
- Excessive Resource Usage Verifying X.509 Policy Constraints
(CVE-2023-0464)
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. Attackers may be able to exploit
this vulnerability by creating a malicious certificate chain that
triggers exponential use of computational resources, leading to a
denial-of-service (DoS) attack on affected systems.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
- Invalid certificate policies in leaf certificates are silently ignored
(CVE-2023-0465)
Severity: Low
Applications that use a non-default option when verifying certificates
may be vulnerable to an attack from a malicious CA to circumvent
certain checks.
Invalid certificate policies in leaf certificates are silently ignored
by OpenSSL and other certificate policy checks are skipped for that
certificate. A malicious CA could use this to deliberately assert
invalid certificate policies in order to circumvent policy checking on
the certificate altogether.
Policy processing is disabled by default but can be enabled by passing
the `-policy' argument to the command line utilities or by calling the
`X509_VERIFY_PARAM_set1_policies()' function.
Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466. It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.
Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider. Providers are the successors of
engines, which have been deprecated.
The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.
Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds. Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.
The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.
There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package. It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.
An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled. Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.
On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Engines that are built into the main libcrypto OpenSSL library can't be
disabled through UCI. Add a 'builtin' setting to signal that the engine
can't be disabled through UCI, and show a message explaining this in
case buitin=1 and enabled=0.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3%
decrease in size, dropping performance from 2% to 91%, depending on the
target and algorithm.
For example, using AES256-GCM with 1456-bytes operations, X86_64 appears
to be the least affected with 2% performance penalty and 1% reduction in
size; mips drops performance by 13%, size by 3%; Arm drops 29% in
performance, 2% in size.
On aarch64, it slows down ghash so much that I consider it broken
(-91%). SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and
size by only 1%. It makes an AES-capable CPU run AES128-GCM at 35% of
the speed of Chacha20-Poly1305:
Block-size=1456 bytes AES256-GCM AES128-GCM ChaCha20-Poly1305
SMALL_FOOTPRINT 62014.44 65063.23 177090.50
regular 504220.08 565630.28 182706.16
OpenSSL 1.1.1 numbers are about the same, so this should have been
noticed a long time ago.
This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned
off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used.
Compiling with -O3 instead of -Os, for comparison, will increase size by
about 14-15%, with no measureable effect on AES256-GCM performance, and
about 2% increase in Chacha20-Poly1305 performance on Aarch64.
There are no Arm devices with the small flash feature, so drop the
conditional default. The package is built on phase2, so even if we
include an Arm device with small flash later, a no-asm library would
have to be built from source anyway.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Changes:
1c6f0f3 libtraceevent: version 1.7.2
73f6a8a libtraceevent: Fix some missing commas in big endian blocks
da2ea6b libtraceevent: Rename "ok" to "token_has_paren" in process_sizeof()
e6f7cfa libtraceevent: No need for testing ok in else if (!ok) in process_sizeof()
a4b1ba5 libtraceevent: Fix double free in parsing sizeof()
Signed-off-by: Nick Hainke <vincent@systemli.org>
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".
Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."
Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.
Signed-off-by: Andre Heider <a.heider@gmail.com>
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".
Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.
Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Fix the trivial abscence of $() when assigning engine config files to
the main libopenssl-config package even if the corresponding engines
were not built into the main library.
This is mostly cosmetic, since scripts/ipkg-build tests the file's
presence before it is actually included in the package's conffiles.
Fixes: 30b0351039 "openssl: configure engine packages during install"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The bump to 3.0.8 inadvertently removed patches that are needed here,
but were not adopted upstream. The most important one changes the
default value of the DIGESTS setting from ALL to NONE. The absence of
this patch causes a sysupgrade failure while the engine is in use with
digests enabled. When this happens, the system fails to boot with a
kernel panic.
Also, explicitly set DIGESTS to NONE in the provided config file, and
change the default ciphers setting to disable ECB, which has been
recommended for a long time and may cause trouble with some apps.
The config file change by itself is not enough because the config file
may be preserved during sysupgrade.
For people affected by this bug:
You can either:
1. remove, the libopenssl-devcrypto package
2. disable the engine in /etc/config/openssl;
3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE;
4. update libopenssl-devcrypto to >=3.0.8-3
However, after doing any of the above, **you must reboot the device
before running sysupgrade** to ensure no running application is using
the engine. Running `/etc/init.d/openssl restart` is not enough.
Fixes: 7e7e76afca "openssl: bump to 3.0.8"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
PowerPC CONFIG_ARCH is defined as powerpc, not ppc. Fix that in the
DEPENDS condition.
Arc needs to be built with libatomic. Change the OpenSSL configuration
file, and add it to the libatomic DEPENDS condition.
Fixes: 7e7e76afca "openssl: bump to 3.0.8"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Removed upstreamed patch: 010-padlock.patch
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
Inline the preinst.arm-ce script. Support for including was added in
make 4.2 and is not working with older make versions.
Fixes: https://github.com/openwrt/openwrt/issues/11866
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Byte swapping code incorrectly uses the number of AES rounds to swap expanded
AES key, while swapping only a single dword in a loop, resulting in swapped
key and partially swapped expanded keys, breaking AES encryption and
decryption on VIA Padlock hardware.
This commit correctly sets the number of swapping loops to be done.
Upstream: 2bcf8e69bd
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: ValdikSS ValdikSS <iam@valdikss.org.ru>
Patch the mbedtls source instead of modifying the compile-targets
in the prepare buildstep within OpenWrt.
Signed-off-by: David Bauer <mail@david-bauer.net>
GCC 12.2.0 shows this false positive error message:
````
In function 'bigger_buffer',
inlined from '__libdw_gunzip' at gzip.c:374:12:
gzip.c:96:9: error: pointer may be used after 'realloc' [-Werror=use-after-free]
96 | b = realloc (state->buffer, more -= 1024);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gzip.c:94:13: note: call to 'realloc' here
94 | char *b = realloc (state->buffer, more);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
````
GCC bug report: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104069
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
A huge rewrite in libpcap was introduced by dc14a7babca1 ("rpcap: have
the server tell the client its byte order.") [0]. The patch
"201-space_optimization.patch" does not apply at all anymore. So remove
it.
Refresh:
- 100-no-openssl.patch
- 102-skip-manpages.patch
Update the "300-Add-support-for-B.A.T.M.A.N.-Advanced.patch" with latest
PR [1].
old ipkg size:
90964 bin/packages/mips_24kc/base/libpcap1_1.10.1-5_mips_24kc.ipk
new ipkg size:
93340 bin/packages/mips_24kc/base/libpcap1_1.10.2-1_mips_24kc.ipk
[0] - dc14a7babc
[1] - https://github.com/the-tcpdump-group/libpcap/pull/980
Signed-off-by: Nick Hainke <vincent@systemli.org>
