This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.
Signed-off-by: Karel Kočí <karel.koci@nic.cz>
(cherry picked from commit 219e17a350)
Mark uci, ubus, libubox, lua, libnl-tiny and libjson-c
as nonshared packages. This helps to keep coherent dependencies
if these ABI versioned packages are later updated.
Before this commit it is possible to get missing dependencies
in target-specific nonshared packages (like iwinfo) that depend
on these shared ABI versioned packages. If these are later updated
and rebuilt, only the new ABI version will be available for download,
while the target-specific packages in releases continue to depend on
the old ABI version.
After this commit the packages are built along the other nonshared
packages by the phase1 images buildbot and will be available at the
target/ download directories instead of packages/base dir. That will
help to keep a coherent set available.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Support for wolfSSL has been upstreamed to the master OpenVPN branch
in f6dca235ae560597a0763f0c98fcc9130b80ccf4, so we can use wolfSSL
directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN
in systems based on wolfSSL library
Compiled && tested on ramips/mt7620, ramips/mt7621
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.
wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.
Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.
Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.
wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.
Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.
Signed-off-by: David Bauer <mail@david-bauer.net>
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Having libcap in OpenWrt base allows us to enable libcap support in
other packages in base.
In lldpd, this would allow the monitor process to drop its privileges
instead of running as root, improving security. It will also allow us to
drop our patch to disable libcap.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
The terminfo is required by the popular terminal multiplexer screen and
tmux, offer it by default as the size impact is minimal with 885 Bytes.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The terminfo files were all in one row which is terrible to read.
Split them over multiple lines to improve readability.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This version fixes 2 security vulnerabilities, among other changes:
- CVE-2021-3450: problem with verifying a certificate chain when using
the X509_V_FLAG_X509_STRICT flag.
- CVE-2021-3449: OpenSSL TLS server may crash if sent a maliciously
crafted renegotiation ClientHello message from a client.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Building with MIPS16 was disabled in 2013 due to an issue with GCC TLS:
https://dev.archive.openwrt.org/ticket/13572. But after the problematic
GCC version was retired, this change wasn't revisited.
Re-enable MIPS16 builds to reduce average elfutils library sizes ~10%.
This was compile-tested on malta/mips32be and malta/mips32le, and linked
with iproute2 for run-testing. Package sizes follow:
Library MIPS16:=0 MIPS16:=1
------- --------- ---------
libelf1 43217 37492
libasm1 12481 11658
libdw1 229723 205793
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
When $(FPIC) gets expanded on the command line (for instance
when setting environment variables for libtool, configure, or
make) we can't count on it not needing quoting (i.e. it could
contain multiple flags separated with spaces).
Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
Security fixes:
* Fix a buffer overflow in mbedtls_mpi_sub_abs()
* Fix an errorneous estimation for an internal buffer in
mbedtls_pk_write_key_pem()
* Fix a stack buffer overflow with mbedtls_net_poll() and
mbedtls_net_recv_timeout()
* Guard against strong local side channel attack against base64 tables
by making access aceess to them use constant flow code
Full release announcement:
https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Commit f4da28c301 ("elfutils: Add host build") supplied a libelf host
library to fix a glib2 host build error, but this need was later removed
by b6212c8769 ("glib2: don't use libelf during host build").
More importantly, there are already two sources for libelf host libraries:
OpenWRT build prerequisites [1] and tools/libelf. A third is not needed.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
A compact patch that provides AES and GCM implementations that utilize the
ARMv8 Crypto Extensions. The config flag is MBEDTLS_ARMV8CE_AES_C, which
is disabled by default as we don't do runtime checking for the feature.
The new implementation lives in armv8ce_aes.c.
Provides similar functionality to https://github.com/ARMmbed/mbedtls/pull/432
Thanks to Barry O'Rourke and others for that contribtion.
Tested on a Cortex A53 device and QEMU. On a midrange phone the real AES-GCM
throughput increases about 4x, while raw AES speed is up to 10x faster.
[updated Makefile to enable this function, adjusted commit message]
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
libunwind dependency check does not allow for MIPS64 arch. Add MIPS64 awareness.
libunwind seems to support MIPS64 without issues, it was limited by the dep arch
check in the Makefile.
Used to compile Suricata6/Rust locally without issue.
Signed-off-by: Donald Hoskins <grommish@gmail.com>
Simplify cmake option handling by putting everything in blocks.
Add openssl patch as there's no easy way to disable.
Rebase the skip manpages patch.
Remove the monitor mode patch as it no longer applies.
Remove flex patch as normal Makefile is no longer used.
Remove USB path patch. While it is deprecated, the codepath is never
taken. /sys/bus/usb/devices is checked before hand. If it exists, the
function does stuff and returns. Additionally, this path is used
elsewhere in the code.
Refresh other patches.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
