| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
| |
Refreshed patches
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This introduces a new Kconfig option to switch on/off mbedtls' support
for debug functions.
The idea behind is to inspect TLS traffic with Wireshark for debug
purposes. At the moment, there is no native or 'nice' support for
this, but at
https://github.com/Lekensteyn/mbedtls/commit/68aea15833e1ac9290b8f52a4223fb4585fb3986
an example implementation can be found which uses the debug functions
of the library. However, this requires to have this debug stuff enabled
in the library, but at the moment it is staticly patched out.
So this patch removes the static part from the configuration patch
and introduces a dynamic config file editing during build.
When enabled, this heavily increases the library size, so I added
a warning in the Kconfig help section.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
|
| |
|
|
|
|
|
|
| |
Refresh patch
https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.0-2.7.9-and-2.1.18-released
Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
|
| |
|
|
|
|
|
|
|
|
|
| |
- Annotate versionless libraries (such as libubox, libuci etc.) with a fixed
ABI_VERSION resembling the source date of the last incompatible change
- Annotate packages shipping versioned library objects with ABI_VERSION
- Stop shipping unversioned library symlinks for packages with ABI_VERSION
Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries
Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.
For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.
The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.
In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
|
| |
|
|
|
|
|
|
|
|
|
| |
Update mbedtls to 2.14.1
This fixes:
* CVE-2018-19608: Local timing attack on RSA decryption
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
[Update to 2.14.1]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
| |
* Fixed a security issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing.
* Several bugfixes.
* Improvements for better support for DTLS on low-bandwidth, high latency networks with high packet loss.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update mbedtls to 2.12.0
Multiple security fixes
Add support for Chacha20 and Poly1305 cryptographic primitives and their
associated ciphersuites
Difference in size on mips_24kc (ipk):
164kbytes (167882 bytes)
170kbytes (173563 bytes)
https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update mbed TLS to 2.11.0
Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS
This is to avoid having a mismatch between packages when upgrading.
The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.846 Bytes
ipkg for mips_24kc after:
164.382 Bytes
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is more of a cosmetic change and a reminder that the CMake script hardcodes -O2.
Source:
https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.7/CMakeLists.txt#L73
https://github.com/ARMmbed/mbedtls/blob/master/CMakeLists.txt#L97
Remove the release type option as it's already provided by the toolchain.
Source:
https://github.com/openwrt/openwrt/blob/master/include/cmake.mk#L50
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
|
| |
|
|
|
|
|
|
| |
The soversion was changed in this version again and is now aligned with
the 2.7.2 version.
The size of the ipkg file stayed mostly the same.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
| |
Add some basic binaries required for private key and CSR generation.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This fixes some minor security problems.
Old size:
162262 bin/packages/mips_24kc/base/libmbedtls_2.7.0-1_mips_24kc.ipk
New size:
163162 bin/packages/mips_24kc/base/libmbedtls_2.8.0-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled
* CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
|
|
|
|
| |
CPE ids helps to tracks CVE in packages.
https://cpe.mitre.org/specification/
Thanks to swalker for CPE to package mapping and
keep tracking CVEs.
Acked-by: Jo-Philipp Wich <jo@mein.io>
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
| |
Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr>
Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
|
| |
|
|
|
|
| |
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| |
|
|
|
|
|
| |
This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x.
DHM_C is also already enabled in the PolarSSL 1.3.x config.h.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
|
| |
|
|
|
|
| |
This fixes two minor security problems.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
This backports a commit from mbedtls current git which adds missing
include for platform.h.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
|
| |
This fixes 3 minor security problems.
SSLv3 is deactivated by default now.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
| |
|
|
|
|
| |
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 48254
|
| |
|
|
|
|
|
|
| |
This fixes some non critical bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 47725
|
| |
|
|
|
|
|
|
| |
This fixes CVE-2015-5291 and some other smaller security issues.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 47200
|
| |
|
|
|
|
| |
Signed-off-by: Luka Perkov <luka@openwrt.org>
SVN-Revision: 47197
|
|
|
Signed-off-by: Steven Barth <steven@midlink.org>
SVN-Revision: 46484
|
