Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:
$ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
Downloading 'https://letsencrypt.org'
Connecting to 18.159.128.50:443
Connection error: Invalid SSL certificate
Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.
The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.
Patches were refreshed with --zero-commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
ksmbd is an upstream linux alternative to Samba which is lighterweight
and more performant, especially on underpowered devices.
Moving it here from the packages feed as it is now an upstream kernel
module. Also easier to update as version updates can be coordinated better
The next LTS kernel (5.15) has this included. A depend on kernel < 5.15
will need to be added later.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
* Rockchip:Fix dtsi of doornet2
phy:
Modify phy timing;The manufacturer's board requires two timing modes: 125m and 25m ---stmmac_mdio.c stmmac_main.c
Among them, stmmac_main.c is added with 1.5 reset, and the compilation of other devices is not affected
emmc:
In emmc hs400 mode, the performance test effect is the same as hs200, so it is safer to reduce hs200
* Rockchip:Add doornet2 to overclock to 2.2GHz/1.8GHz
* Create 105-rockchip-rk3399-Add-support-for-EmbedFire-DoorNet2.patch
Modify the startup method: SD starts first, which is convenient for saving bricks. If there is no system in SD, it will automatically jump to the next emmc boot
* Update with kernel 5.4
* Update 992-rockchip-rk3399-overclock-to-2.2-1.8-GHz-for-NanoPi4.patch
fdt* utils are needed by targets that use U-Boot FIT images for
sysupgrade. It includes all recent BCM4908 SoC routers as Broadcom
switched from CFE to U-Boot.
fdtget is required for extracting images (bootfs & rootfs) from
Broadcom's ITB. Extracted images can be then flashed to UBI volumes.
sysupgrade is core functionality so it needs dtc as part of base code
base.
Cc: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
a29bad9 compiler: fix patchlist corruption on switch statement syntax errors
86f0662 lib: change `ord()` to always return single byte value
116a8ce vallist: fix storing/retrieving short strings with 8bit byte value
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* glibc: update to latest 2.33 HEAD (bug 28011)
b5711025bc x86_64: Remove unneeded static PIE check for undefined weak diagnostic
edfd11197e wordexp: handle overflow in positional parameter number (bug 28011)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* glibc: update to latest 2.33 HEAD (bug 28213)
9b01145592 MIPS: Setup errno for {f,l,}xstat
9c676ef514 RISC-V: Update rv64 ULPs
c6cadbf83a linux: Remove shmmax check from tst-sysvshm-linux
22d37364ae librt: add test (bug 28213)
27a78fd712 librt: fix NULL pointer dereference (bug 28213)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* toolchain: glibc: Update to version 2.34
glibc version 2.34 does not provide versioned shared libraries any more,
it only provides shared libraries using the ABI version. Do not try to
copy them any more.
The functions from libpthread and librt were integrated into the main
binary, the libpthread.so and librt.so are only used for backwards
compatibility any more.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* toolchain: glibc: Increase minimum kernel version to 5.4
Increase the minimum kernel version needed by the glibc compiled for
OpenWrt to version 5.4. With this setting the glibc build will remove
all code needed to support older kernel versions.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* toolchain: glibc: Enable --enable-bind-now
Enable --enable-bind-now when CONFIG_PKG_RELRO_FULL is set. This option
is activated by default. This will enable full RELRO protection.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* glibc: update to 2.34 HEAD
72123e1b56 NEWS: Add a bug entry for BZ #28755
08beb3a3f4 x86: Fix __wcsncmp_evex in strcmp-evex.S [BZ# 28755]
b50d5b746c x86: Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ# 28755]
1b9cd6a721 NEWS: add bug entry for BZ #28769 and BZ #28770
3438bbca90 Linux: Detect user namespace support in io/tst-getcwd-smallbuff
d084965adc realpath: Avoid overwriting preexisting error (CVE-2021-3998)
472e799a5f getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
8c8a71c85f tst-realpath-toolong: Fix hurd build
f7a79879c0 realpath: Set errno to ENAMETOOLONG for result larger than PATH_MAX [BZ #28770]
73c362840c stdlib: Fix formatting of tests list in Makefile
269eb9d930 stdlib: Sort tests in Makefile
062ff490c1 support: Add helpers to create paths longer than PATH_MAX
82b1acd9de powerpc: Fix unrecognized instruction errors with recent binutils
1d401d1fcc x86: use default cache size if it cannot be determined [BZ #28784]
6890b8a3ae CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
1081f1d3dd sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
7b5d433fd0 CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
5575daae50 socket: Add the __sockaddr_un_set function
03e6e02e6a Disable debuginfod in printer tests [BZ #28757]
705f1e4606 Update syscall lists for Linux 5.16
2fe2af88ab i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bug 28771)
73558ffe84 Update syscall lists for Linux 5.15
e64235ff42 powerpc: Fix unrecognized instruction errors with recent GCC
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* toolchain: glibc: Remove patch for ARC700
The ARC700 target was renoved, this patch is not needed any more.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Co-authored-by: Hans Dedecker <dedeckeh@gmail.com>
Co-authored-by: Hauke Mehrtens <hauke@hauke-m.de>