* build: fix incomplete initramfs compression options
Requires: tools/lz4, tools/lzop
complete the wiring so that these options work:
* `CONFIG_KERNEL_INITRAMFS_COMPRESSION_LZO`
* `CONFIG_KERNEL_INITRAMFS_COMPRESSION_LZ4`
Signed-off-by: Tony Butler <spudz76@gmail.com>
[remove blocking dependencies for separate ramdisk, fix lzop options]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* include: sync with upstream
* toolchain/binutils: add support for version 2.40
Release notes:
https://sourceware.org/pipermail/binutils/2023-January/125671.html
Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* toolchain/gcc: switch to version 12 by default
Also fix build error with gcc 12.
* toolchain/nasm: update to 2.16.01
ChangeLog:
Version 2.16.01
_This is a documentation update release only._
(*) Fix the creation of the table of contents in the HTML version of
the documentation.
Version 2.16
(*) Support for the `rdf' format has been discontinued and all the
RDOFF utilities has been removed.
(*) The `--reproducible' option now leaves the filename field in the
COFF object format blank. This was always rather useless since
it is only 18 characters long; as such debug formats have to
carry their own filename information anyway.
(*) Fix handling of MASM-syntax reserved memory (e.g. `dw ?') when
used in structure definitions.
(*) The preprocessor now supports functions, which can be less
verbose and more convenient than the equivalent code implemented
using directives. See section 4.4.
(*) Fix the handling of `%00' in the preprocessor.
(*) Fix incorrect handling of path names affecting error messages,
dependency generation, and debug format output.
(*) Support for the RDOFF output format and the RDOFF tools have
been removed. The RDOFF tools had already been broken since at
least NASM 2.14. For flat code the ELF output format
recommended; for segmented code the `obj' (OMF) output format.
(*) New facility: preprocessor functions. Preprocessor functions,
which are expanded similarly to single-line macros, can greatly
simplify code that in the past would have required a lengthy
list of directives and intermediate macros. See section 4.4.
(*) Single-line macros can now declare parameters (using a `&&'
prefix) that creates a quoted string, but does _not_ requote an
already quoted string. See section 4.2.1.
(*) Instruction table updated per public information available as of
November 2022.
(*) All warnings in the preprocessor have now been assigned warning
classes. See appendix A.
(*) Fix the invalid use of `RELA'-type relocations instead of `REL'-
type relocations when generating DWARF debug information for the
`elf32' output format.
(*) Fix the handling `at' in `istruc' when the structure contains
local labels. See section 5.9.2.
(*) When assembling with `--reproducible', don't encode the filename
in the COFF header for the `coff', `win32' or `win64' output
formats. The COFF header only has space for an 18-character
filename, which makes this field rather useless in the first
place. Debug output data, if enabled, is not affected.
(*) Fix incorrect size calculation when using MASM syntax for non-
byte reservations (e.g. `dw ?'.)
(*) Allow forcing an instruction in 64-bit mode to have a (possibly
redundant) REX prefix, using the syntax `{rex}' as a prefix.
(*) Add a `{vex}' prefix to enforce VEX (AVX) encoding of an
instruction, either using the 2- or 3-byte VEX prefixes.
(*) The `CPU' directive has been augmented to allow control of
generation of VEX (AVX) versus EVEX (AVX-512) instruction
formats, see section 7.11.
(*) Some recent instructions that previously have been only
available using EVEX encodings are now also encodable using VEX
(AVX) encodings. For backwards compatibility these encodings are
not enabled by default, but can be generated either via an
explicit `{vex}' prefix or by specifying either `CPU LATEVEX' or
`CPU NOEVEX'; see section 7.11.
(*) Document the already existing `%unimacro' directive. See section
4.5.12.
(*) Fix a code range generation bug in the DWARF debug format
(incorrect information in the `DW_AT_high_pc' field) for the ELF
output formats. This bug happened to cancel out with a bug in
older versions of the GNU binutils linker, but breaks with other
linkers and updated or other linkers that expect the spec to be
followed.
(*) Fix segment symbols with addends, e.g. `jmp _TEXT+10h:0' in
output formats that support segment relocations, e.g. the `obj'
format.
(*) Fix various crashes and hangs on invalid input.
Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
* toolchain: musl: Fix symbol loading in gdb
Fix DT_DEBUG handling on MIPS in musl libc.
With this change gdb will load the symbol files for shared libraries on MIPS too.
This patch was taken from this thread: https://www.openwall.com/lists/musl/2022/01/09/4
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
* tools: sync with upstream
* build: fix issues with targets installed via feeds
- fix including modules.mk when a target is being replaced
- fix calling make targets from target/linux
Signed-off-by: Felix Fietkau <nbd@nbd.name>
* package: sync with upstream
Signed-off-by: Tony Butler <spudz76@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Linhui Liu <liulinhui36@gmail.com>
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Co-authored-by: Tony Butler <spudz76@gmail.com>
Co-authored-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
Co-authored-by: Felix Fietkau <nbd@nbd.name>
Changes between 1.1.1r and 1.1.1s [1 Nov 2022]
*) Fixed a regression introduced in 1.1.1r version not refreshing the
certificate data to be signed before signing the certificate.
[Gibeom Gwon]
Changes between 1.1.1q and 1.1.1r [11 Oct 2022]
*) Fixed the linux-mips64 Configure target which was missing the
SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
platform.
[Adam Joseph]
*) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
causing incorrect results in some cases as a result.
[Paul Dale]
*) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
report correct results in some cases
[Matt Caswell]
*) Fixed a regression introduced in 1.1.1o for re-signing certificates with
different key sizes
[Todd Short]
*) Added the loongarch64 target
[Shi Pujin]
*) Fixed a DRBG seed propagation thread safety issue
[Bernd Edlinger]
*) Fixed a memory leak in tls13_generate_secret
[Bernd Edlinger]
*) Fixed reported performance degradation on aarch64. Restored the
implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
32-bit lane assignment in CTR mode") for 64bit targets only, since it is
reportedly 2-17% slower and the silicon errata only affects 32bit targets.
The new algorithm is still used for 32 bit targets.
[Bernd Edlinger]
*) Added a missing header for memcmp that caused compilation failure on some
platforms
[Gregor Jasny]
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
*) AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation would not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
(CVE-2022-2097)
[Alex Chernyakhovsky, David Benjamin, Alejandro Sedeño]
Signed-off-by: Dustin Lundquist <dustin@null-ptr.net>
This release comes with a security fix related to c_rehash. OpenWrt
does not ship or use it, so it was not affected by the bug.
There is a fix for a possible crash in ERR_load_strings() when
configured with no-err, which OpenWrt does by default.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
engine.mk is supposed to be included by engine packages, but it will not
be present in the SDK in the same place as in the main repository.
Move it to include/openssl-engine.mk to avoid this.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This is a bugfix release. Changelog:
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli. (CVE-2022-0778)
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.
The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.
Patches were refreshed with --zero-commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This is a bugfix release. Changelog:
*) Avoid loading of a dynamic engine twice.
*) Fixed building on Debian with kfreebsd kernels
*) Prioritise DANE TLSA issuer certs over peer certs
*) Fixed random API for MacOS prior to 10.12
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Backport an upstream patch that adds support for ELFv2 ABI on big endian
ppc64. As musl only supports ELFv2 ABI on ppc64 regardless of
endianness, this is required to be able to build OpenSSL for ppc64be.
Modify our targets patch to add linux-powerpc64-openwrt, which will use
the linux64v2 perlasm scheme. This will probably break the combination
ppc64 with glibc, but as we really only want to support musl, this
shouldn't be a problem.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
Co-authored-by: Stijn Tintel <stijn@linux-ipv6.be>
This version fixes two vulnerabilities:
- SM2 Decryption Buffer Overflow (CVE-2021-3711)
Severity: High
- Read buffer overruns processing ASN.1 strings (CVE-2021-3712)
Severity: Medium
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This fixes 4 security vulnerabilities/bugs:
- CVE-2021-2839 - SSLv2 vulnerability. Openssl 1.1.1 does not support
SSLv2, but the affected functions still exist. Considered just a bug.
- CVE-2021-2840 - calls EVP_CipherUpdate, EVP_EncryptUpdate and
EVP_DecryptUpdate may overflow the output length argument in some
cases where the input length is close to the maximum permissable
length for an integer on the platform. In such cases the return value
from the function call will be 1 (indicating success), but the output
length value will be negative.
- CVE-2021-2841 - The X509_issuer_and_serial_hash() function attempts to
create a unique hash value based on the issuer and serial number data
contained within an X509 certificate. However it was failing to
correctly handle any errors that may occur while parsing the issuer
field (which might occur if the issuer field is maliciously
constructed). This may subsequently result in a NULL pointer deref and
a crash leading to a potential denial of service attack.
- Fixed SRP_Calc_client_key so that it runs in constant time. This could
be exploited in a side channel attack to recover the password.
The 3 CVEs above are currently awaiting analysis.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Fixes: CVE-2020-1971, defined as high severity, summarized as:
NULL pointer deref in GENERAL_NAME_cmp function can lead to a DOS
attack.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This is a bug-fix release. Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Fixes NULL dereference in SSL_check_chain() for TLS 1.3, marked with
high severity, assigned CVE-2020-1967.
Ref: https://www.openssl.org/news/secadv/20200421.txt
Cherry-pick from openwrt/openwrt@3773ae1.
Also add mirror for mainland China user in this commit.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
Co-authored-by: Petr Štetiar <ynezz@true.cz>
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Co-authored-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.
Ref: openwrt/openwrt@dcef8d6
Signed-off-by: CN_SZTL <cnsztl@project-openwrt.eu.org>
