aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/mbedtls/patches
Commit message (Collapse)AuthorAgeFilesLines
* mbedtls: update to version 2.7.10Hauke Mehrtens2019-06-182-28/+28
| | | | | | | This fixes multiple bugs and this security problem: * CVE-2018-19608 Local timing attack on RSA decryption Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.7.5Hauke Mehrtens2018-08-101-2/+2
| | | | | | | | This fixes the following security problems: * CVE-2018-0497: Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel * CVE-2018-0498: Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Activate the session cacheHauke Mehrtens2018-06-051-10/+0
| | | | | | | | | | | | Upstream commit: f2c8f6dc3249b506b915741d12905402dfffe162 This make sit possible to store informations about a session and reuse it later. When used by a server it increases the time to create a new TLS session from about 1 second to less than 0.1 seconds. The size of the ipkg file increased by about 800 Bytes. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update mbedtls to version 2.7.3Hauke Mehrtens2018-06-051-4/+4
| | | | | | This fixes some minor security problems and other bugs. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: change libmbedcrypto.so soversion back to 0Hauke Mehrtens2018-04-141-0/+26
| | | | | | | | | | | | | | | | | | mbedtls changed in version 2.7.0 and 2.7.2 the soversion of the libmbedcrypto.so library, use the old version again to be able to use the new library with binaries compiled against the old mbedtls library. Some binaries got rebuild to for the 2.7.0 release and are now using libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0. Go back to libmbedcrypto.so.0 and make the system rebuild the binaries which were rebuild for 2.7.0 again. This should make the libmbedcrypto.so library be compatible with the old version shipped with 17.01. Fixes: 3ca1438ae0 ("mbedtls: update to version 2.7.2") Fixes: f609913b5c ("mbedtls: update to version 2.7.0") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.7.2Hauke Mehrtens2018-04-011-21/+21
| | | | | | This fixes some minor security problems. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.7.0Hauke Mehrtens2018-03-101-47/+36
| | | | | | | | | | | | | | | | | | | This fixes the following security problems: * CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled * CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures This release is also ABI incompatible with the previous one, but it is API compatible. Some functions used by a lot of other software was renamed and the old function names are provided as a static inline now, but they are only active when deprecated functions are allowed, deactivate the removal of deprecated functions for now. Also increase the PKG_RELEASE version to force a rebuild and update of packages depending on mbedtls to handle the changed ABI. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to 2.6.0 CVE-2017-14032Kevin Darbyshire-Bryant2017-09-301-27/+27
| | | | | | | | | | | | | | | Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: Re-allow SHA1-signed certificatesBaptiste Jonglez2017-08-111-0/+9
| | | | | | | | | | | | Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. This breaks openvpn clients that try to connect to servers that present a TLS certificate signed with SHA1, which is fairly common. Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. Fixes: FS#942 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
* mbedtls: update to 2.5.1Magnus Kroken2017-06-261-25/+25
| | | | | | | | | | | | | | | Fixes some security issues (no remote exploits), and introduces some changes. See release notes for details: https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read() * Adds exponent blinding to RSA private operations * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()) * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to version 2.4.2Hauke Mehrtens2017-03-131-1/+1
| | | | | | | | | This fixes the following security problems: * CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve * SLOTH vulnerability * Denial of Service through Certificate Revocation List Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: re-enable CFB supportFelix Fietkau2017-01-091-9/+0
| | | | | | It is safe and required by some software, e.g. shadowsocks Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: re-enable RC4 support (needed by transmission and others)Felix Fietkau2017-01-081-9/+0
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: enable DHE-RSA key exchangeMagnus Kroken2016-12-301-9/+0
| | | | | | | | | | | | Later OpenVPN 2.3-openssl versions only enable TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE cipher suites. ECDHE key exchange is not supported by OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE OpenVPN 2.4-mbedtls clients to connect to such servers. Signed-off-by: Magnus Kroken <mkroken@gmail.com> Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Reported-by: Lucian Cristian <luci@createc.ro>
* mbedtls: enable secp384r1 elliptic curve supportMagnus Kroken2016-12-301-2/+1
| | | | | | | | | Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to make OpenVPN-mbedtls clients able to perform ECDHE key exchange with remote OpenVPN 2.4-openssl servers that use the default OpenVPN curve. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: enable support for external private RSA keys to fix openvpn build issueFelix Fietkau2016-12-281-9/+0
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: tune config to reduce size and improve performanceFelix Fietkau2016-12-121-5/+43
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: sync with polarssl configFelix Fietkau2016-12-121-9/+80
| | | | | | | One of those changes is re-enabling blowfish support to make openvpn-mbedtls compatible with common configurations Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: enable MBEDTLS_DHM_CMagnus Kroken2016-12-121-9/+0
| | | | | | | This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x. DHM_C is also already enabled in the PolarSSL 1.3.x config.h. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to version 2.4.0Hauke Mehrtens2016-12-032-43/+22
| | | | | | This fixes two minor security problems. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: enable NIST curves optimisation.Kevin Darbyshire-Bryant2016-10-131-9/+0
| | | | | | | | | | | | | luci using ustream-mbedtls is extremely slow vs ustream-polarssl. polarssl alias mbedtls v1 is configured to use NIST prime speed optimisation, so no longer disable the default optimisation for mbedtls v2. Compile & run tested: Archer C7v2 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> [Jo-Philipp Wich: refresh patch to use common format] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mbedtls: fix missing mbedtls_time_t bug in mbedtls 2.3.0Hauke Mehrtens2016-07-141-0/+21
| | | | | | | This backports a commit from mbedtls current git which adds missing include for platform.h. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.3.0Hauke Mehrtens2016-07-131-31/+22
| | | | | | | This fixes 3 minor security problems. SSLv3 is deactivated by default now. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.2.1Felix Fietkau2016-01-161-17/+17
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48254
* mbedtls: update to version 2.1.2Hauke Mehrtens2015-10-181-32/+23
| | | | | | | | This fixes CVE-2015-5291 and some other smaller security issues. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 47200
* mbedtls: package version 2.0, make polarssl compatibleSteven Barth2015-07-241-0/+235
Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46484