Commit Graph

14959 Commits

Author SHA1 Message Date
Stephan Feddersen
48aae162c6 WIO: code cleanup
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-17 10:08:14 +00:00
Peter Müller
159cab272a OpenSSL: remove ciphers without Forward Secrecy from default ciphersuite
Ciphers not supplying (Perfect) Forward Secrecy are considered dangerous
since they allow content decryption in retrospect, if an attacker is
able to gain access to the server's private key used for the
corresponding TLS session.

Since IPFire machines establish very few TLS connections by themselves, and
destinations (IPFire.org infrastructure, mirrors, IPS rule sources, etc.)
provide support for Forward Secrecy ciphers (some are even enforcing
them), it is safe to drop support for anything else.

This patch reduces the OpenSSL default cipher list to:
TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(256) Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(256) Mac=SHA384
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=Camellia(128) Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=Camellia(128) Mac=SHA256
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-RSA-CAMELLIA256-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-CAMELLIA128-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA256
ECDHE-ECDSA-AES256-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  TLSv1 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES256-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-SHA    TLSv1 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(256) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH       Au=RSA  Enc=Camellia(128) Mac=SHA1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-17 10:07:56 +00:00
Michael Tremer
44bfc40640 glibc: aarch64: Ignore uninitialised variables in the stage2 build, too
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-17 10:05:40 +00:00
Michael Tremer
815ca15dc4 make.sh: Increase maximum size of ramdisk to 8GB
The previous 4GB were not enough for a full GCC bootstrap
in the toolchain stage.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
6d6f306179 perl: Fix build in toolchain stage
perl searches for headers and libraries in the wrong paths
and detects GCC 10 as GCC 1.x.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
c9e4607e88 make: Run autoreconf after applying patches
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
de57b780be glibc: Pass -Wno-error=maybe-uninitialized
This is required to build glibc in the toolchain stage on
aarch64 due to messy headers on the host system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
a7f6809c7f glibc: Drop any custom CFLAGS
glibc is nothing special and can and should be built with
the same flags as the rest of the system.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
d9d28c2c35 make.sh: Bump toolchain version
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
5eec0f21a6 make.sh: Add -fcf-protection for x86_64/i586
Instrument binaries to guard against ROP/JOP attacks.

This flag is only available on x86_64 and i586.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
87f3b1e568 make.sh: Enable -fstack-clash-protection for x86_64/aarch64
This patch turns on instrumentation to avoid skipping the guard page
in large stack frames.

Without this flag, vulnerabilities can result where the stack
overlaps with the heap, or thread stacks spill into other regions
of memory.

This flag is only available on x86_64 and aarch64.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
854df4df81 gcc: Bundle against OS versions of gmp/mpfr
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
465e54a37b mpfr: Update to 4.1.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
50f77459a7 cmake: Do not limit compile processes to only two
We can launch more when we have the memory for it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
14d0106c9b nfs: Update to 2.5.1 and remove bundled libnfsidmap
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
8af744bcf7 libnfsidmap: Split into a separate package
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:43 +00:00
Michael Tremer
757de9a175 xinetd: Fix build against glibc 2.32 (without RPC)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
f33eca42c3 conntrack-tools: Fix build against libtirpc
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
1ce519cabc squid: Remove basic_nis_auth
This depends on SunRPC in glibc which was removed in 2.32.

We do not use this file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
704199d23d python(2/3): Remove nis module
This requires SunRPC and we do not use it.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
29370584a0 Build libtirpc earlier because RPC does not come with glibc any more
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
8cc0ef4b40 rpcsvc-proto: New package
This is required since it is no longer included in glibc.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
6843949dac Update glibc to 2.32
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
b24d630bc1 make.sh: Remove -mindirect-branch=thunk and -mfunction-return=thunk as default
I cannot find any evidence that this is helpful and no other
distribution has this as default. Packages that are vulnerable to these
attacks (i.e. the kernel) add these flags as appropriate automatically.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
0c30619a95 Update GCC to 10.2.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
e39437b25e bacula: Fix build with GCC 10
GCC 10 aborts compilation when numbers are (potentially) out of range
when cast from one type to another:

fstype.c: In function 'bool fstype(FF_PKT*, char*, int)':
fstype.c:207:12: error: narrowing conversion of '4283649346' from 'unsigned int' to 'int' [-Wnarrowing]
  207 |       case 0xFF534D42:     fstype = "cifs"; break;          /* CIFS_MAGIC_NUMBER */
      |            ^~~~~~~~~~
fstype.c:216:12: error: narrowing conversion of '4187351113' from 'unsigned int' to 'int' [-Wnarrowing]
  216 |       case 0xf995e849:     fstype = "hpfs"; break;          /* HPFS_SUPER_MAGIC */
      |            ^~~~~~~~~~
fstype.c:217:12: error: narrowing conversion of '2508478710' from 'unsigned int' to 'int' [-Wnarrowing]
  217 |       case 0x958458f6:     fstype = "hugetlbfs"; break;     /* HUGETLBFS_MAGIC */
      |            ^~~~~~~~~~
fstype.c:234:12: error: narrowing conversion of '2768370933' from 'unsigned int' to 'int' [-Wnarrowing]
  234 |       case 0xa501FCF5:     fstype = "vxfs"; break;
      |            ^~~~~~~~~~
fstype.c:237:12: error: narrowing conversion of '2435016766' from 'unsigned int' to 'int' [-Wnarrowing]
  237 |       case 0x9123683e:     fstype = "btrfs"; break;
      |            ^~~~~~~~~~

Does nobody build this for 32 bit any more?

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
30ddc2e27a kbd: Update to 2.2.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
a644f18bec u-boot: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
8ba15ff89a syslinux: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
ac2d807d1c ipfire-netboot: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
806ded02f9 lcdproc: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
b061abae1e iftop: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
f0bd381fad frr: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
dbbd72a3b1 bird: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
44e04f34ff sarg: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
0f385cea48 minidlna: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
db5ea90869 w_scan: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
7c60608232 tftpd: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
4074660fa6 motion: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
103e2dfa5c openvmtools: Update to 11.1.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
cb30084fac icinga: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
42823878bb collectd: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
fed525f280 7zip: Fix build against GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
64b4d15738 netatalk: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
01876bda94 squidguard: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
aa499d7fb4 htop: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
9739875e05 foomatic: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
2d6548b277 cups-filters: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
dd1f9c0fc1 sysfsutils: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00
Michael Tremer
40ccdee86c libtirpc: Fix build with GCC 10
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2020-08-16 10:29:42 +00:00