Commit graph

1415 commits

Author SHA1 Message Date
Felix Fietkau
3e0bcf3af7 udebug: update to Git HEAD (2025-08-17)
892647b81d30 ucode: add ferror() call to check for closed write file descriptor

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 899deae535)
2025-08-26 19:22:13 +02:00
Felix Fietkau
c1a8e48f3b udebug: update to Git HEAD (2025-08-15)
3d953628bf17 udebugd: add support for setting an override config
93f6df0240e5 udebug-cli: add support for overriding config on the command line

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit c4e7b9b9b7)
2025-08-26 19:22:13 +02:00
Karsten Sperling
2cffcdc7ae mbedtls: Expose MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED config option
This enables software that requires this cipher suite (e.g. OpenThread Border
Router) to be compiled against the shared library rather than a separate copy.

Signed-off-by: Karsten Sperling <ksperling@apple.com>
Link: https://github.com/openwrt/openwrt/pull/19489
(cherry picked from commit 97dc9f8dbf)
Link: https://github.com/openwrt/openwrt/pull/19839
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-08-24 15:30:57 +02:00
John Audia
01bee440ad libxml2: update to 2.14.5
Release Notes:
    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.7
    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8
    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.3
    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.4
    https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.14.5

Fixes:
CVE-2025-32415 CVE-2025-32414 CVE-2025-6170 CVE-2025-49794 CVE-2025-49795 CVE-2025-49796

Build system: x86/64
Build-tested: x86/64-glibc
Run-tested: x86/64-glibc

Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/19383
(cherry picked from commit c08c2d6eb3)
Link: https://github.com/openwrt/openwrt/pull/19486
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-07-26 23:43:53 +02:00
Felix Fietkau
628bc50eb1 udebug: update to Git HEAD (2025-07-23)
5d10084ea885 lib-ucode.c: add #define _GNU_SOURCE
a95364b41d52 udebug-cli: fix terminating uloop
c00eb9b685a8 ucode: use FILE handle for pcap output
4265167cb6e8 ucode: add error reporting to pcap_write
4a908ee731a6 udebug-cli: stop event loop on write failure
6e04f4187231 ucode: use ucv_resource_create_ex for remote rings
c297f04e1852 ucode: drop use ucv_resource_create
f207d37a1055 ucode: add support for specifying ring format
98683a94bcdd ucode: support appending array data, similar to socket.send()
a7ecd483ed38 ucode: allow calling udebug.init() multiple times
d4a4c788c416 ucode: fix allocation size of local ring meta
184706abaf50 ucode: add timestamp argument to foreach()
8442c948c193 ucode: add function for getting ring information
f4958a4c591a ucode: add const entries for enum udebug_format
14d4fec36993 udebug-cli: add logstream command
6ed8536142bb ucode: fix entries/size confusion

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 7b0ce213e9)
2025-07-23 12:06:02 +02:00
Felix Fietkau
a8fb4f6f0c libubox: update to Git HEAD (2025-07-23)
b7acc8e6fd5e remove compatibility code for older json-c versions
a1acd99f2eb7 udebug: remove obsolete debug message
49056d178f42 udebug: fix issue with snapshot of remote ring

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 19a327dde5)
2025-07-23 12:04:47 +02:00
Antony Kolitsos
49fdb75c7b mbedtls: update to 3.6.4
This release includes fixes for security issues.

Mbed TLS 3.6 is a long-term support (LTS) branch. It will be supported with bug-fixes and security fixes until at least March 2027.

Security Advisories

For full details, please see the following links:

    Race condition in AESNI support detection [1]
    Heap buffer under-read when parsing PEM-encrypted material [2]
    Unchecked return value in LMS verification allows signature bypass [3]
    Out-of-bounds read in mbedtls_lms_import_public_key() [4]
    Timing side-channel in block cipher decryption with PKCS#7 padding [5]
    NULL pointer dereference after using mbedtls_asn1_store_named_data() [6]
    Misleading memory management in mbedtls_x509_string_to_names() [7]

[1] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-1/
[2] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-2/
[3] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-3/
[4] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-4/
[5] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-5/
[6] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-6/
[7] https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-06-7/

Signed-off-by: Antony Kolitsos <zeusomighty@hotmail.com>
Link: https://github.com/openwrt/openwrt/pull/19291
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 2c8a433cd2)
Link: https://github.com/openwrt/openwrt/pull/19324
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-07-10 20:49:17 +02:00
Hauke Mehrtens
f68c3e5057 openssl: Update to version 3.0.17
This release incorporates the following bug fixes and mitigations:

    Miscellaneous minor bug fixes.

Link: https://github.com/openwrt/openwrt/pull/19325
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-07-10 20:47:58 +02:00
Nick Hainke
26c2ff9e5d libxml2: update to 2.13.6
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.5
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6

Fixes: CVE-2025-24928 CVE-2024-56171

Link: https://github.com/openwrt/openwrt/pull/18194
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit fe47089878)
Link: https://github.com/openwrt/openwrt/pull/19122
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2025-06-15 14:48:49 +02:00
Felix Fietkau
0b265f4562 libubox: update to Git HEAD (2024-12-19)
3868f47c8f6c blob: constify attr argument to blob_memdup

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 6f8f404113)
2025-06-12 14:33:54 +02:00
Tomasz Maciej Nowak
2f289e3b74 libiconv: fix compilation on hosts GCC=15
Backport upstream commit dropping external definition of mbrtowc. The
said definition conflicts with one provided by GCC 15. Issue found on
24.10 SDK.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2025-05-30 13:10:11 +02:00
Felix Fietkau
274418b028 udebug: add missing dependencies
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit b0710e964d)
2025-04-24 14:24:20 +02:00
Magnus Kroken
53ab5629c3 mbedtls: update to 3.6.3
This release of Mbed TLS provides the fix for a tls compatibility issue of handling fragmented handshake messages.
This release includes fixes for security issues.

* Potential authentication bypass in TLS handshake (CVE-2025-27810) [1]
* TLS clients may unwittingly skip server authentication (CVE-2025-27809) [2]

[1]: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-2/
[2]: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-03-1/

Full release announcement:
https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.3

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/18353
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 1732d81d80)
2025-04-01 00:31:41 +02:00
Felix Fietkau
9e63e2410d libnl-tiny: update to Git HEAD (2025-03-19)
c0df580adbd4 attr.c: fix nla_reserve size check

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit ddc2ae02b3495ffcc6bb5194c777952621c46c25)
2025-03-19 13:20:21 +01:00
Daniel Golle
3da9786da3 libpcap: backport support for various DSA tags
Trying to tcpdump DSA conduits results in errors such as
"unsupported DSA tag: mtk".
Backport two commits adding support for various DSA tags to libpcap.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit fad94e8cda)
2025-03-13 23:07:35 +00:00
Robert Marko
ff5b9059b4 libpcap: add missing PKG_CONFIG_DEPENDS entries
Currently, enabling USB, BT or Netfilter support after initial compilation
will not trigger a rebuild, so add the missing PKG_CONFIG_DEPENDS so
that rebuild gets triggered.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
(cherry picked from commit fe37574be6)
2025-03-13 23:07:35 +00:00
John Audia
3abbc15454 openssl: update to 3.0.16
Changes between 3.0.15 and 3.0.16 [11 Feb 2025]

CVE-2024-13176[1] - Fixed timing side-channel in ECDSA signature
computation.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In
particular the NIST P-521 curve is affected. To be able to measure this
leak, the attacker process must either be located in the same physical
computer or must have a very fast network connection with low latency.

CVE-2024-9143[2] - Fixed possible OOB memory access with invalid
low-level GF(2^m) elliptic curve parameters.

Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit
values for the field polynomial can lead to out-of-bounds memory reads
or writes. Applications working with "exotic" explicit binary (GF(2^m))
curve parameters, that make it possible to represent invalid field
polynomials with a zero constant term, via the above or similar APIs,
may terminate abruptly as a result of reading or writing outside of
array bounds. Remote code execution cannot easily be ruled out.

1. https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176
2. https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143

Build system: x86/64
Build-tested: bcm27xx/bcm2712
Run-tested: bcm27xx/bcm2712

Signed-off-by: John Audia <therealgraysky@proton.me>
Link: https://github.com/openwrt/openwrt/pull/17947
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit b4e6fd7b76)
2025-02-25 23:30:54 +01:00
Hauke Mehrtens
6f7bbd0395 wolfssl: Update to version 5.7.6
This fixes multiple bugs and also minor security problems.

Changelog:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.4-stable
https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.6-stable

The package size increases:
525814 bin/packages/mips_24kc/base/libwolfssl5.7.2.e624513f-5.7.2-r1.apk
549408 bin/packages/mips_24kc/base/libwolfssl5.7.6.e624513f-5.7.6-r1.apk

Link: https://github.com/openwrt/openwrt/pull/17742
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 0a7e92c244)
2025-01-27 23:53:29 +01:00
Hannu Nyman
4e70887d43 wolfssl: Adjust version for apk
Adjust wolfssl version for apk by removing the "-stable"
from the OpenWrt version, although it is still needed for
upstream download archive name.

Define PKG_BUILD_DIR accordingly.

Utilize new short version to simplify ABI_VERSION calculation.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/16906
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit be952e98bc)
2025-01-27 23:53:29 +01:00
Hauke Mehrtens
cf887640a3 mbedtls: Deactivate ARIA block cipher by default
The ARIA block cipher is pretty uncommon in TLS, deactivate it for now.
This saves some space and reduces the possible variations and attack
vectors of mbedtls.

ARIA support was deactivated in OpenWrt 23.05 by default.

Link: https://github.com/openwrt/openwrt/pull/17342
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3c0ef48bc8)
2025-01-03 21:55:41 +01:00
Tony Ambardar
b66773aac3 libbpf: Update to v1.5.0
Update to the latest upstream release to include recent improvements and
bugfixes, including support for handling BPF objects of either endianness.

Link: https://github.com/libbpf/libbpf/releases/tag/v1.5.0
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Link: https://github.com/openwrt/openwrt/pull/17404
(cherry picked from commit 6a6ae41d4b)
Link: https://github.com/openwrt/openwrt/pull/17418
Signed-off-by: Nick Hainke <vincent@systemli.org>
2025-01-01 21:19:05 +01:00
Ryan Keane
9591c1631d
elfutils: Backport some patches to fix errors
On aarch64 musl gcc 14.x compiler, trying to compile elfutils 0.192 with
the lto option enabled will cause a null-dereference error.
Example error message:

...
elf_compress.c: In function 'elf_compress':
elf_compress.c:675:26: error: potential null pointer dereference [-Werror=null-dereference]
  675 |           shdr->sh_flags |= SHF_COMPRESSED;
      |                          ^
elf_compress_gnu.c: In function 'elf_compress_gnu':
elf_compress_gnu.c:127:25: error: potential null pointer dereference [-Werror=null-dereference]
  127 |           shdr->sh_size = new_size;
      |                         ^                      ^
...

This is a false positive warning but will abort compilation if gcc has the
`-Werror` flag. This commit adds a patch for this, see the bugzilla
report below.

This commit backports a series of patches to fix some errors.

Add patch:
- 007-add-libeu-symbols-to-libelf.patch
- 008-fix-autoconf-ENABLE_IMA_VERIFICATION.patch
- 009-fix-null-dereference-with-lto.patch

Link: https://sourceware.org/bugzilla/show_bug.cgi?id=32311
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16886
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit afffcd09e5)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:47:36 +00:00
Ryan Keane
d5e45df9c2
elfutils: Add mirrors.kernel.org as mirror
Add mirrors.kernel.org as mirror, listed on sourceware mirror sites
page.

Link: https://sourceware.org/mirrors.html
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16886
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit 63caa2b168)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:47:35 +00:00
Ryan Keane
4166aaf98a
elfutils: Update to 0.192
Add a patch still under review to fix some errors.

Refresh patch:
- 003-libintl-compatibility.patch
- 005-build_only_libs.patch
- 006-Fix-build-on-aarch64-musl.patch

Add patch:
- 102-fix-potential-deref-of-null-error.patch

Release notes are in the link below.

Link: https://inbox.sourceware.org/elfutils-devel/CAJDtP-T3+gXqHWp3T0mejWWbPr0_1tHetEXwfB67-o+zz7ShiA@mail.gmail.com/T/#u
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16886
Signed-off-by: Robert Marko <robimarko@gmail.com>
(cherry picked from commit f5132df69d)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:47:33 +00:00
Jeronimo Pellegrini
994a95584a
libreadline: create symlinks for .so
Currently, libreadline only installs

```
 /usr/lib/libhistory.so.8 -> libhistory.so.8.2
 /usr/lib/libhistory.so.8.2
 /usr/lib/libreadline.so.8 -> libreadline.so.8.2
 /usr/lib/libreadline.so.8.2
```

But there is no `libreadline.so` or `libhistory.so` available.

So this happens:

```
root@OpenWRT:~# cat a.c
int main() {
}
root@OpenWRT:~# gcc a.c -lreadline
/usr/bin/ld: cannot find -lreadline: No such file or directory
collect2: error: ld returned 1 exit status
```

Unless, of course, one uses `-l:libreadline.so.8`... But that
doesn't help with binaries that try to dynamically open
`libreadline.so`. I have one of those here (the STklos Scheme
compiler -- I didn't make a PR for it because it's far from
being ready, but one issue is that it does use dlopen to use
readline...)

With the symlink, it works:

```
root@OpenWRT:~# ln -s /usr/lib/libreadline.so.8 /usr/lib/libreadline.so
root@OpenWRT:~#
root@OpenWRT:~# gcc a.c -lreadline
root@OpenWRT:~#
```

Another example: when trying to package rlwrap, the build failed
complaining it could not find readline (using `-lreadline`).
It would then be necessary to change rlwrap's `configure.ac`
(and also in all packages that use readline), but it seems
simpler to add the symlinks...

This PR changes the Makefile so it will include the links.

Signed-off-by: Jeronimo Pellegrini <j_p@aleph0.info>
Link: https://github.com/openwrt/openwrt/pull/16445
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 0000ba6ab8)
Link: https://github.com/openwrt/openwrt/pull/17097
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2024-11-28 18:47:29 +00:00
Hauke Mehrtens
3e094777e7 libnftnl: update to 1.2.8
Release Announcement:
https://www.spinics.net/lists/netfilter-devel/msg87287.html
https://www.spinics.net/lists/netfilter-devel/msg88520.html

Link: https://github.com/openwrt/openwrt/pull/16769
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit d9ed0d438b)
2024-11-16 00:11:27 +01:00
Hauke Mehrtens
27657050d0 mbedtls: update to 3.6.2
Fixes the following security problem:
* CVE-2024-49195: Fix a buffer underrun in mbedtls_pk_write_key_der()
  when called on an opaque key, MBEDTLS_USE_PSA_CRYPTO is enabled, and
  the output buffer is smaller than the actual output. Fix a related
  buffer underrun in mbedtls_pk_write_key_pem() when called on an opaque
  RSA key, MBEDTLS_USE_PSA_CRYPTO is enabled and MBEDTLS_MPI_MAX_SIZE is
  smaller than needed for a 4096-bit RSA key.

Link: https://github.com/openwrt/openwrt/pull/16768
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-24 20:17:27 +02:00
Felix Fietkau
2923935093 uclient: update to Git HEAD (2024-10-22)
88ae8f208dd3 uclient-http: fix a typo

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2024-10-22 13:15:54 +02:00
Hauke Mehrtens
573367038c uclient: update to Git HEAD (2024-06-27)
e035d57 uclient-fetch: improve error handling
a220818 uclient-fetch: add support for --header cmdline argument

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-20 23:59:51 +02:00
Stijn Tintel
36e67f7b62 libbpf: bump to 1.4.6
Release notes:
https://github.com/libbpf/libbpf/releases/tag/v1.4.6

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2024-10-13 22:29:11 +03:00
Hauke Mehrtens
08dc2691e0 libnl: update to 3.10.0
Changes:
fa05d58e (tag: libnl3_10_0) libnl-3.10.0 release
490ffa07 python: fix flake8 warnings
6fc66dd8 doc: workaround LINK_DOC with empty libnl.dict
914812a9 lib: avoid overflow in computation of s_seq_next
5248e1a4 all: fix and enable "-Wsign-compare" warning
9451842e build: use AC_USE_SYSTEM_EXTENSIONS instead of defining _GNU_SOURCE
20664e1e build: move "-DPGKLIBDIR" and rename
81cab7da build: cleanup defining SYSCONFDIR on command line
cf47571c build: drop unnecessary "-Wno-missing-field-initializers" from default CFLAGS
131008f7 build: add "-Wvla" and "-Wdeclaration-after-statement" to default CFLAGS
7e05b622 lib: add internal _nla_len() helper
32688201 route: treat routes with via nexthops as universe scoped as well
c36c7faa format: reformat "include/base/nl-base-utils.h"
49f78229 tests: add a very basic test for route cache
2ebbc034 tests: add NLTstSelectRoute test helper
d784f2cb tests: set NLTST_IN_CI for not skipping tests accidentally
dcb9e2ef route: add missing priority to route_keygen() debug print
d44505ed tests: add helper to detect availablility of iproute2
774863b4 tests: add helper functions for tests
45a10f96 route: move "struct rtnl_nexthop" to "nl-priv-dynamic-route"
153f213b build: fix "check-progs" target in "Makefile.am"
a1e0b8b2 github: print test-suite.log in case of test failure
3e080631 route: expose nexthop id attribute
401c2488 tests: fix _nltst_object_to_string() to print one line only
529c2ab8 route: drop unused fields from "struct rtnl_route"
71e59e14 build: separate build tests from unit tests
8539b7d3 format: reformat "tests/nl-test-util.h" file
6db85366 route: merge branch 'bisdn:jogo_route_nh_cmp'
861fb809 route: use the new helper function for comparing nexthops
8cf29d7b nexthop: add a identical helper function
7cc72d19 utils: reserve the nl_has_capabiliy numbers for releases 3.10 - 3.12
30da5107 github,clang-format: update fedora version for clang-format
2301992b route: fix IPv6 ecmp route deleted nexthop matching
72e4d73f cache: merge branch 'ievenbach:aurora/cache-mgr-cb'
3381acef cache: use cleanup attribute in nl_cache_mngr_alloc_ex()
32cb9f39 cache: cleanup nl_cache_mngr_alloc_ex()
1dbdc30a cache: allow to allocate cache manager with custom refill socket
18b74e08 tests: test compiling all public headers with C++ compiler
691202bf tests: don't use $COMPILE for building header tests
15d90cbf include: add _NL_NO_WARN_DEPRECATED_HEADER for suppressing warning about deprecated headers
8a5f671a tests: avoid "-Wunused-parameter" warning in build headers test
db1a9d7d route: avoid compiler warning about calloc() arguments in rtnl_netem_set_delay_distribution()
3a43faa1 cache: fix new object in callback v2 on updated objects
46cae1bf socket: fix ubsan complaint about incorrect left-shift in generate_local_port()
96ddcd99 all: merge branch 'th/nl-debug'
13ab0122 github: test with --enable-debug=no configure option
264b244e utils: always define nl_debug_dp
dbe21b8d core: always define statements for NL_DBG()
e592dd89 build: always define NL_DEBUG
58734974 all: use defines for attributes
0c16c9cb route/bison: include "nl-default.h" in lex/yacc files
19d48b0f route: add support for layer 3 filtering on bridges
3646398d route: merge branch 'Cordell-O:main'
e21278ed tests: add test for bridge vlan attributes.
4f324f73 route: add support for vlan filtering on bridge ports.
bf071f2b route: Add support to set ageing time for dynamic bridge table entries
b76c3a5d tests: add unit test for `nl_addr_parse("default", AF_INET6, &addr6)`
8693347f lib/xfrm: add missing #include <time.h>

Small size increase:
   955 bin/packages/mips_24kc-old/base/libnl200_3.9.0-r1_mips_24kc.ipk
 11157 bin/packages/mips_24kc-old/base/libnl-cli200_3.9.0-r1_mips_24kc.ipk
 34896 bin/packages/mips_24kc-old/base/libnl-core200_3.9.0-r1_mips_24kc.ipk
  7698 bin/packages/mips_24kc-old/base/libnl-genl200_3.9.0-r1_mips_24kc.ipk
 25400 bin/packages/mips_24kc-old/base/libnl-nf200_3.9.0-r1_mips_24kc.ipk
148366 bin/packages/mips_24kc-old/base/libnl-route200_3.9.0-r1_mips_24kc.ipk
   956 bin/packages/mips_24kc-new/base/libnl200_3.10.0-r1_mips_24kc.ipk
 11154 bin/packages/mips_24kc-new/base/libnl-cli200_3.10.0-r1_mips_24kc.ipk
 34965 bin/packages/mips_24kc-new/base/libnl-core200_3.10.0-r1_mips_24kc.ipk
  7699 bin/packages/mips_24kc-new/base/libnl-genl200_3.10.0-r1_mips_24kc.ipk
 25385 bin/packages/mips_24kc-new/base/libnl-nf200_3.10.0-r1_mips_24kc.ipk
149852 bin/packages/mips_24kc-new/base/libnl-route200_3.10.0-r1_mips_24kc.ipk

Link: https://github.com/openwrt/openwrt/pull/16592
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-05 12:33:38 +02:00
Hauke Mehrtens
6c00a462d1 libxml2: update to 2.13.4
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.0
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.1
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.2
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.3
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.4

Small size reduction:
415095 bin/packages/mips_24kc-old/base/libxml2_2.12.6-r1_mips_24kc.ipk
 87175 bin/packages/mips_24kc-old/base/libxml2-dev_2.12.6-r1_mips_24kc.ipk
 20190 bin/packages/mips_24kc-old/base/libxml2-utils_2.12.6-r1_mips_24kc.ipk
398070 bin/packages/mips_24kc-new/base/libxml2_2.13.4-r1_mips_24kc.ipk
 86760 bin/packages/mips_24kc-new/base/libxml2-dev_2.13.4-r1_mips_24kc.ipk
 19479 bin/packages/mips_24kc-new/base/libxml2-utils_2.13.4-r1_mips_24kc.ipk

Link: https://github.com/openwrt/openwrt/pull/16593
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-05 12:31:43 +02:00
Hauke Mehrtens
271097101f libxml2: update to 2.12.9
Release Notes:
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.8
https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.9

This fixes:
CVE-2024-34459: Fix buffer overread with xmllint --htmlout
CVE-2024-40896: Fix XXE protection in downstream code

Link: https://github.com/openwrt/openwrt/pull/16593
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-05 12:31:33 +02:00
Hauke Mehrtens
12f067a5f3 libjson-c: update to 0.18
Release Notes:
https://github.com/json-c/json-c/blob/json-c-0.18-20240915/ChangeLog

This restores ABI compatibility with version 0.16 used in OpenWrt 23.05.

Small size increase:
24263 bin/packages/mips_24kc-old/base/libjson-c5_0.17-r1_mips_24kc.ipk
24403 bin/packages/mips_24kc-new/base/libjson-c5_0.18-r1_mips_24kc.ipk

Link: https://github.com/openwrt/openwrt/pull/16591
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-05 12:29:20 +02:00
Chukun Pan
38bb47c36c openssl: update download mirrors
New releases of openssl are only published on GitHub, and official
downloads are also redirected to GitHub. So remove the old download
mirrors (file 404), and replace the current address with https.

Link: https://openssl-library.org/source/
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Link: https://github.com/openwrt/openwrt/pull/16470
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-25 23:30:22 +02:00
Yanase Yuki
0b6f38c60a libusb: update to 1.0.27
- Remove unnecessary SourceForge mirror
- Use HTTPS url

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/16372
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 18:20:44 +02:00
Yanase Yuki
c19da4be9a mbedtls: update to 3.6.1
- This release fixes CVE-2024-45157, CVE-2024-45158, CVE-2024-45159
- Use official release archive instead of git mirror
- Update website url

Signed-off-by: Yanase Yuki <dev@zpc.st>
Link: https://github.com/openwrt/openwrt/pull/16371
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 17:57:15 +02:00
Ivan Pavlov
c7671a22dc libpcap: update to 1.10.5
Changes: https://git.tcpdump.org/libpcap/blob/bbcbc9174df3298a854daee2b3e666a4b6e5383a:/CHANGES

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16401
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 17:41:32 +02:00
Ivan Pavlov
62d3773bf1 openssl: update to 3.0.15
OpenSSL 3.0.15 is a security patch release. The most severe CVE fixed in this release is Moderate.

This release incorporates the following bug fixes and mitigations:

  * Fixed possible denial of service in X.509 name checks (CVE-2024-6119)

  * Fixed possible buffer overread in SSL_select_next_proto() (CVE-2024-5535)

Added github releases url as source mirror

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16332
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-06 23:44:56 +02:00
Petr Štetiar
0e8b701794 ustream-ssl: update to Git HEAD (2024-07-28)
99bd3d2b167c ustream-openssl: fix compilation with OPENSSL_NO_DEPRECATED

Signed-off-by: Petr Štetiar <ynezz@true.cz>
Link: https://github.com/openwrt/openwrt/pull/16020
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-08-25 17:27:32 +02:00
Aleksey Vasilenko
f8ed29932f libunistring: update to 1.2
Release notes:
  https://git.savannah.gnu.org/gitweb/?p=libunistring.git;a=blob_plain;f=NEWS

Signed-off-by: Aleksey Vasilenko <aleksey.vasilenko@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16065
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-08-07 18:05:32 +02:00
Hauke Mehrtens
91573ac145 ncurses: Fix path in ncursesw.pc
The file contains the /usr/lib path from the toolchain directory and
not from the target directory. The /usr/lib directory for the toolchain
is empty and the shared library is not in the specified paths. On RISCV
the linker of util-linux was finding the libncursesw.so in my host
system, tried to link against it and failed. Fix the .pc file.

Fixes: #15942
Co-authored-by: Thomas Weißschuh <thomas@t-8ch.de>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Link: https://github.com/openwrt/openwrt/pull/16018
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-28 19:30:35 +02:00
Tony Ambardar
2bebf13357 libbpf: Update to v1.4.5
Update to the latest upstream release to include recent improvements and
bugfixes.

Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.5
Link: https://github.com/libbpf/libbpf/releases/tag/v1.4.4
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2024-07-19 12:14:47 -07:00
Hauke Mehrtens
3a0232ffd3 wolfssl: Update to version 5.7.2
This fixes multiple security problems:
 * [Medium] CVE-2024-1544
   Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.

 * [Medium] CVE-2024-5288
   A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.

 * [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.

 * [Low] CVE-2024-5991
   In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.

 * [Medium] CVE-2024-5814
   A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.

 * [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.

 * [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.

Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.

Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-15 23:57:44 +02:00
novenary enneagon
d92c42f469 ncurses: add foot terminfo
Add terminfo file for the terminal emulator foot.

https://codeberg.org/dnkl/foot

Signed-off-by: novenary enneagon <novenary@kwak.zip>
Link: https://github.com/openwrt/openwrt/pull/15915
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-10 12:53:27 +02:00
Rosen Penev
2beadefaa0 readline: override termlib for host
For some reason, it's not working right locally. Override as is done
with the target build.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15916
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-10 09:39:32 +02:00
Rosen Penev
d7a76fc351 readline: fix pkgconfig usage
ncurses is built with wide support enabled, which enables libncursesw.
The problem is, the ncurses build system only supplies ncursesw or
ncurses.pc but not both. The other problem is, the readline build tests
for libncurses before the w variant, making its pc file unusable as
there is no ncurses.pc file to satisfy the Required: ncurses section.

Just override the library.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15864
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-08 09:44:21 +02:00
Rosen Penev
1b141cb3d1 ncurses: enable pc files in the host build
Needed for things such as readline that depend on ncurses.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15864
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-08 09:44:21 +02:00
Sean Khan
31ec4515c3 openssl: conditionally disable engine section
Currently, the build option to enable/disable engine support isn't
reflected in the final '/etc/ssl/openssl.cnf' config. It assumes `engines`
is always enabled, producing an error whenever running any
commands in openssl util or programs that explicitly use settings
from '/etc/ssl/openssl.cnf'.

```
➤ openssl version
FATAL: Startup failure (dev note: apps_startup()) for openssl
307D1EA97F000000:error:12800067:lib(37):dlfcn_load:reason(103):crypto/dso/dso_dlfcn.c:118:filename(libengines.so):
Error loading shared library libengines.so: No such file or directory
307D1EA97F000000:error:12800067:lib(37):DSO_load:reason(103):crypto/dso/dso_lib.c:152:
307D1EA97F000000:error:0700006E:lib(14):module_load_dso:reason(110):crypto/conf/conf_mod.c:321:module=engines, path=engines
307D1EA97F000000:error:07000071:lib(14):module_run:reason(113):crypto/conf/conf_mod.c:266:module=engines
```

Build should check for the `CONFIG_OPENSSL_ENGINE` option, and comment out `engines`
if not explicitly enabled.

Example:
```
[openssl_init]
providers = provider_sect
```

After this change, openssl util works correctly.

```
➤ openssl version
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
```

Signed-off-by: Sean Khan <datapronix@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/15661
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-06-22 16:31:23 +02:00
Carlos Miguel Ferreira
76c863fe60
libquadmath: Add libquadmath to the toolchain
This commit makes the libquadmath library available to the GCC
toolchain. This library is important for libraries such as
Boost.charconv

Signed-off-by: Carlos Miguel Ferreira <carlosmf.pt@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15637
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2024-06-17 13:12:29 +02:00