aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/mbedtls/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* mbedtls: Update to version 2.16.12Hauke Mehrtens2022-02-011-2/+2
| | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection. * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice. CVE-2021-44732 The sizes of the ipk changed on MIPS 24Kc like this: 182454 libmbedtls12_2.16.11-2_mips_24kc.ipk 182742 libmbedtls12_2.16.12-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to 2.16.11Rosen Penev2021-08-081-3/+3
| | | | | | | | | Switched to AUTORELEASE to avoid manual increments. Release notes: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.11 Signed-off-by: Rosen Penev <rosenp@gmail.com>
* treewide: remove PKG_INSTALL from CMake packagesRosen Penev2021-06-191-2/+0
| | | | | | | | | | | | It's already default with cmake.mk Found with: git grep PKG_INSTALL\: | cut -d ':' -f 1 | sort -u > ins git grep cmake.mk | cut -d ':' -f 1 > cmake comm -1 -2 ins cmake Signed-off-by: Rosen Penev <rosenp@gmail.com>
* treewide: remove BUILD_PARALLEL from CMake packagesRosen Penev2021-06-191-1/+0
| | | | | | | | | | | | | It's already default. The only exception is mt76 which has Ninja disabled. Found with: git grep BUILD_PARALLEL | cut -d ':' -f 1 | sort -u > par git grep cmake.mk | cut -d ':' -f 1 > cmake comm -1 -2 par cmake Signed-off-by: Rosen Penev <rosenp@gmail.com>
* mbedtls: update to 2.16.10Magnus Kroken2021-03-161-2/+2
| | | | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues. Security fixes: * Fix a buffer overflow in mbedtls_mpi_sub_abs() * Fix an errorneous estimation for an internal buffer in mbedtls_pk_write_key_pem() * Fix a stack buffer overflow with mbedtls_net_poll() and mbedtls_net_recv_timeout() * Guard against strong local side channel attack against base64 tables by making access aceess to them use constant flow code Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.10 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to 2.16.9Rosen Penev2021-01-181-2/+2
| | | | Signed-off-by: Rosen Penev <rosenp@gmail.com>
* mbedtls: add config option to compile with hkdfEtan Kissling2021-01-141-1/+18
| | | | | | | This adds a config option to allow compiling with HKDF algorithm support to support applications that require this feature. Signed-off-by: Etan Kissling <etan_kissling@apple.com>
* mbedtls: update to 2.16.8Magnus Kroken2020-09-021-2/+2
| | | | | | | | | | | | | | | | | This release of Mbed TLS provides bug fixes and minor enhancements. This release includes fixes for security issues and the most notable of them are described in more detail in the security advisories. * Local side channel attack on RSA and static Diffie-Hellman * Local side channel attack on classical CBC decryption in (D)TLS * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. Full release announcement: https://github.com/ARMmbed/mbedtls/releases/tag/v2.16.8 Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to 2.16.7Magnus Kroken2020-08-241-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Mbed TLS 2.16.7 is a maintenance release of the Mbed TLS 2.16 branch, and provides bug fixes and minor enhancements. This release includes fixes for security issues and the most severe one is described in more detail in a security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-07 * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave. * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). Due to Mbed TLS moving from ARMmbed to the Trusted Firmware project, some changes to the download URLs are required. For the time being, the ARMmbed/mbedtls Github repository is the canonical source for Mbed TLS. Signed-off-by: Magnus Kroken <mkroken@gmail.com> [Use https://codeload.github.com and new tar.gz file] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to 2.16.6Magnus Kroken2020-04-171-2/+2
| | | | | | | | | | | | Security fixes for: * CVE-2020-10932 * a potentially remotely exploitable buffer overread in a DTLS client * bug in DTLS handling of new associations with the same parameters Full release announement: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.6-and-2.7.15-released Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: use correct SPDX License Identifier and add License fileJosef Schlehofer2020-02-241-1/+2
| | | | | | | | | | License "GPL-2.0+" is deprecated License Identifier according to SPDX License list [1]. The correct one is GPL-2.0-or-later. While at it, also add the License file. [1] https://spdx.org/licenses/ Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* mbedtls: update to version 2.16.5Josef Schlehofer2020-02-241-2/+2
| | | | | | | | | | Changelog: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.5-and-2.7.14-released Security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2020-02 Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
* mbedtls: update to 2.16.4Magnus Kroken2020-01-261-2/+2
| | | | | | | | | | | | | | | Fixes side channel vulnerabilities in mbed TLS' implementation of ECDSA. Release announcement: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.4-and-2.7.13-released Security advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-12 Fixes: * CVE-2019-18222: Side channel attack on ECDSA Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to 2.16.3Magnus Kroken2019-09-201-2/+2
| | | | | | | Remove 300-bn_mul.h-Use-optimized-MULADDC-code-only-on-ARM-6.patch, the issue has been fixed upstream. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: Update to version 2.16.2Josef Schlehofer2019-06-241-2/+2
| | | | Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
* mbedtls: update to version 2.16.1Josef Schlehofer2019-04-061-5/+5
| | | | | | | Refreshed patches Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz> Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: Kconfig option to enable/disable debug functionsMichael Heimpold2019-01-271-1/+28
| | | | | | | | | | | | | | | | | | | | | This introduces a new Kconfig option to switch on/off mbedtls' support for debug functions. The idea behind is to inspect TLS traffic with Wireshark for debug purposes. At the moment, there is no native or 'nice' support for this, but at https://github.com/Lekensteyn/mbedtls/commit/68aea15833e1ac9290b8f52a4223fb4585fb3986 an example implementation can be found which uses the debug functions of the library. However, this requires to have this debug stuff enabled in the library, but at the moment it is staticly patched out. So this patch removes the static part from the configuration patch and introduces a dynamic config file editing during build. When enabled, this heavily increases the library size, so I added a warning in the Kconfig help section. Signed-off-by: Michael Heimpold <mhei@heimpold.de>
* mbedtls: update to 2.16.0Deng Qingfang2019-01-271-3/+3
| | | | | | | | Refresh patch https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.0-2.7.9-and-2.1.18-released Signed-off-by: Deng Qingfang <dengqf6@mail2.sysu.edu.cn>
* treewide: revise library packagingJo-Philipp Wich2019-01-241-2/+2
| | | | | | | | | | | - Annotate versionless libraries (such as libubox, libuci etc.) with a fixed ABI_VERSION resembling the source date of the last incompatible change - Annotate packages shipping versioned library objects with ABI_VERSION - Stop shipping unversioned library symlinks for packages with ABI_VERSION Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* packages: set more explicit ABI_VERSION valuesJo-Philipp Wich2019-01-191-1/+1
| | | | | | | | | | | | | | | | | | | | | | In the case of upstream libraries, set the ABI_VERSION variable to the soname value of the first version version after the last backwards incompatible change. For custom OpenWrt libraries, set the ABI_VERSION to the date of the last Git commit doing backwards incompatible changes to the source, such as changing function singatures or dropping exported symbols. The soname values have been determined by either checking https://abi-laboratory.pro/index.php?view=tracker or - in the case of OpenWrt libraries - by carefully reviewing the changes made to header files thorough the corresponding Git history. In the future, the ABI_VERSION values must be bumped whenever the library is updated to an incpompatible version but not with every package update, in order to reduce the dependency churn in the binary package repository. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mbedtls: Update to 2.14.1Daniel Engberg2018-12-161-2/+2
| | | | | | | | | | | Update mbedtls to 2.14.1 This fixes: * CVE-2018-19608: Local timing attack on RSA decryption Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net> [Update to 2.14.1] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to 2.13.0Magnus Kroken2018-09-221-2/+2
| | | | | | | | * Fixed a security issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. * Several bugfixes. * Improvements for better support for DTLS on low-bandwidth, high latency networks with high packet loss. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: Update to 2.12.0Daniel Engberg2018-07-301-2/+2
| | | | | | | | | | | | | | | Update mbedtls to 2.12.0 Multiple security fixes Add support for Chacha20 and Poly1305 cryptographic primitives and their associated ciphersuites Difference in size on mips_24kc (ipk): 164kbytes (167882 bytes) 170kbytes (173563 bytes) https://tls.mbed.org/tech-updates/releases/mbedtls-2.12.0-2.7.5-and-2.1.14-released Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: Update to 2.11.0Daniel Engberg2018-07-071-2/+2
| | | | | | | | | | | | | | | | Update mbed TLS to 2.11.0 Disable OFB block mode and XTS block cipher mode, added in 2.11.0. The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS This is to avoid having a mismatch between packages when upgrading. The size of mbedtls increased a little bit: ipkg for mips_24kc before: 163.846 Bytes ipkg for mips_24kc after: 164.382 Bytes Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: Cosmetic cleanupsDaniel Engberg2018-06-181-1/+1
| | | | | | | | | | | | | This is more of a cosmetic change and a reminder that the CMake script hardcodes -O2. Source: https://github.com/ARMmbed/mbedtls/blob/mbedtls-2.7/CMakeLists.txt#L73 https://github.com/ARMmbed/mbedtls/blob/master/CMakeLists.txt#L97 Remove the release type option as it's already provided by the toolchain. Source: https://github.com/openwrt/openwrt/blob/master/include/cmake.mk#L50 Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
* mbedtls: update to version 2.9.0Hauke Mehrtens2018-05-221-2/+2
| | | | | | | | The soversion was changed in this version again and is now aligned with the 2.7.2 version. The size of the ipkg file stayed mostly the same. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* package/libs/mbedtls: add package with some mbedtls binaries.Paul Wassi2018-03-311-2/+23
| | | | | | Add some basic binaries required for private key and CSR generation. Signed-off-by: Paul Wassi <p.wassi@gmx.at>
* mbedtls: update to version 2.8.0Hauke Mehrtens2018-03-311-2/+2
| | | | | | | | | | | | This fixes some minor security problems. Old size: 162262 bin/packages/mips_24kc/base/libmbedtls_2.7.0-1_mips_24kc.ipk New size: 163162 bin/packages/mips_24kc/base/libmbedtls_2.8.0-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.7.0Hauke Mehrtens2018-02-151-2/+2
| | | | | | | | This fixes the following security problems: * CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled * CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-171-0/+1
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* mbedtls: update to 2.6.0 CVE-2017-14032Kevin Darbyshire-Bryant2017-09-111-2/+2
| | | | | | | | | | | | | | | Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to 2.5.1Magnus Kroken2017-06-261-2/+2
| | | | | | | | | | | | | | | Fixes some security issues (no remote exploits), and introduces some changes. See release notes for details: https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read() * Adds exponent blinding to RSA private operations * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()) * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to version 2.4.2Hauke Mehrtens2017-03-131-3/+3
| | | | | | | | | This fixes the following security problems: * CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve * SLOTH vulnerability * Denial of Service through Certificate Revocation List Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: add --function-sections and --data-sections to CFLAGSFelix Fietkau2017-02-211-0/+2
| | | | | | | This allows binaries that links these libraries statically to be reduced by using --gc-sections on link Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: add static files in staging_dirDomagoj Pintaric2017-01-161-0/+1
| | | | | Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: enable MBEDTLS_DHM_CMagnus Kroken2016-12-121-1/+1
| | | | | | | This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x. DHM_C is also already enabled in the PolarSSL 1.3.x config.h. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to version 2.4.0Hauke Mehrtens2016-12-031-3/+3
| | | | | | This fixes two minor security problems. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: fix missing mbedtls_time_t bug in mbedtls 2.3.0Hauke Mehrtens2016-07-141-1/+1
| | | | | | | This backports a commit from mbedtls current git which adds missing include for platform.h. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.3.0Hauke Mehrtens2016-07-131-2/+2
| | | | | | | This fixes 3 minor security problems. SSLv3 is deactivated by default now. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.2.1Felix Fietkau2016-01-161-2/+2
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48254
* mbedtls: update to version 2.1.3Hauke Mehrtens2015-12-031-2/+2
| | | | | | | | This fixes some non critical bugs. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 47725
* mbedtls: update to version 2.1.2Hauke Mehrtens2015-10-181-2/+2
| | | | | | | | This fixes CVE-2015-5291 and some other smaller security issues. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 47200
* cosmetic: remove trailing whitespacesLuka Perkov2015-10-151-1/+1
| | | | | | Signed-off-by: Luka Perkov <luka@openwrt.org> SVN-Revision: 47197
* mbedtls: package version 2.0, make polarssl compatibleSteven Barth2015-07-241-0/+69
Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46484