aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/mbedtls
Commit message (Collapse)AuthorAgeFilesLines
* mbedtls: Update to 2.12.0Hauke Mehrtens2018-08-083-29/+119
| | | | | | | | | | | | | | | | | | | Multiple security fixes * CVE-2018-0497 Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel * CVE-2018-0498 Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel Disable OFB block mode and XTS block cipher mode, added in 2.11.0. Disable Chacha20 and Poly1305 cryptographic primitives, added in 2.12.0 Patch the so version back to the original one, the API changes are looking no so invasive. The size of mbedtls increased a little bit: ipkg for mips_24kc before: 163.967 Bytes ipkg for mips_24kc after: 164.753 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Activate the session cacheHauke Mehrtens2018-08-081-9/+0
| | | | | | | | | | | | | | This make sit possible to store informations about a session and reuse it later. When used by a server it increases the time to create a new TLS session from about 1 second to less than 0.1 seconds. The size of the ipkg file increased by about 800 Bytes. ipkg for mips_24kc before: 163.140 Bytes ipkg for mips_24kc after: 163.967 Bytes Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: cleanup config patchDaniel Engberg2018-08-081-40/+32
| | | | | | | Clean up patch, use "//" consistently. Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: Deactivate platform abstractionHauke Mehrtens2018-08-081-0/+9
| | | | | | | | This makes mbedtls use the POSIX API directly and not use the own abstraction layer. The size of the ipkg decreased by about 100 bytes. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* package/libs/mbedtls: add package with some mbedtls binaries.Paul Wassi2018-03-311-2/+23
| | | | | | Add some basic binaries required for private key and CSR generation. Signed-off-by: Paul Wassi <p.wassi@gmx.at>
* mbedtls: update to version 2.8.0Hauke Mehrtens2018-03-312-20/+20
| | | | | | | | | | | | This fixes some minor security problems. Old size: 162262 bin/packages/mips_24kc/base/libmbedtls_2.7.0-1_mips_24kc.ipk New size: 163162 bin/packages/mips_24kc/base/libmbedtls_2.8.0-1_mips_24kc.ipk Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: activate deprecated functionsHauke Mehrtens2018-02-161-9/+0
| | | | | | | | | Some functions used by a lot of other software was renamed and is only active when deprecated functions are allowed, deactivate the removal of deprecated functions for now. Fixes: 75c5ab4caf9 ("mbedtls: update to version 2.7.0") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.7.0Hauke Mehrtens2018-02-152-41/+39
| | | | | | | | This fixes the following security problems: * CVE-2018-0488: Risk of remote code execution when truncated HMAC is enabled * CVE-2018-0487: Risk of remote code execution when verifying RSASSA-PSS signatures Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-171-0/+1
| | | | | | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Thanks to swalker for CPE to package mapping and keep tracking CVEs. Acked-by: Jo-Philipp Wich <jo@mein.io> Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* mbedtls: update to 2.6.0 CVE-2017-14032Kevin Darbyshire-Bryant2017-09-112-28/+28
| | | | | | | | | | | | | | | Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to 2.5.1Magnus Kroken2017-06-262-27/+27
| | | | | | | | | | | | | | | Fixes some security issues (no remote exploits), and introduces some changes. See release notes for details: https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read() * Adds exponent blinding to RSA private operations * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()) * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to version 2.4.2Hauke Mehrtens2017-03-132-4/+4
| | | | | | | | | This fixes the following security problems: * CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve * SLOTH vulnerability * Denial of Service through Certificate Revocation List Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: add --function-sections and --data-sections to CFLAGSFelix Fietkau2017-02-211-0/+2
| | | | | | | This allows binaries that links these libraries statically to be reduced by using --gc-sections on link Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: add static files in staging_dirDomagoj Pintaric2017-01-161-0/+1
| | | | | Signed-off-by: Domagoj Pintaric <domagoj.pintaric@sartura.hr> Signed-off-by: Luka Perkov <luka.perkov@sartura.hr>
* mbedtls: re-enable CFB supportFelix Fietkau2017-01-091-9/+0
| | | | | | It is safe and required by some software, e.g. shadowsocks Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: re-enable RC4 support (needed by transmission and others)Felix Fietkau2017-01-081-9/+0
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: enable DHE-RSA key exchangeMagnus Kroken2016-12-301-9/+0
| | | | | | | | | | | | Later OpenVPN 2.3-openssl versions only enable TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE cipher suites. ECDHE key exchange is not supported by OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE OpenVPN 2.4-mbedtls clients to connect to such servers. Signed-off-by: Magnus Kroken <mkroken@gmail.com> Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Reported-by: Lucian Cristian <luci@createc.ro>
* mbedtls: enable secp384r1 elliptic curve supportMagnus Kroken2016-12-301-2/+1
| | | | | | | | | Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to make OpenVPN-mbedtls clients able to perform ECDHE key exchange with remote OpenVPN 2.4-openssl servers that use the default OpenVPN curve. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: enable support for external private RSA keys to fix openvpn build issueFelix Fietkau2016-12-281-9/+0
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* treewide: clean up download hashesFelix Fietkau2016-12-161-1/+1
| | | | | | Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: tune config to reduce size and improve performanceFelix Fietkau2016-12-121-5/+43
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: sync with polarssl configFelix Fietkau2016-12-121-9/+80
| | | | | | | One of those changes is re-enabling blowfish support to make openvpn-mbedtls compatible with common configurations Signed-off-by: Felix Fietkau <nbd@nbd.name>
* mbedtls: enable MBEDTLS_DHM_CMagnus Kroken2016-12-122-10/+1
| | | | | | | This option is required by OpenVPN, and OpenVPN 2.4 uses mbedTLS 2.x. DHM_C is also already enabled in the PolarSSL 1.3.x config.h. Signed-off-by: Magnus Kroken <mkroken@gmail.com>
* mbedtls: update to version 2.4.0Hauke Mehrtens2016-12-033-46/+25
| | | | | | This fixes two minor security problems. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: enable NIST curves optimisation.Kevin Darbyshire-Bryant2016-10-131-9/+0
| | | | | | | | | | | | | luci using ustream-mbedtls is extremely slow vs ustream-polarssl. polarssl alias mbedtls v1 is configured to use NIST prime speed optimisation, so no longer disable the default optimisation for mbedtls v2. Compile & run tested: Archer C7v2 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> [Jo-Philipp Wich: refresh patch to use common format] Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* mbedtls: fix missing mbedtls_time_t bug in mbedtls 2.3.0Hauke Mehrtens2016-07-142-1/+22
| | | | | | | This backports a commit from mbedtls current git which adds missing include for platform.h. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.3.0Hauke Mehrtens2016-07-132-33/+24
| | | | | | | This fixes 3 minor security problems. SSLv3 is deactivated by default now. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* mbedtls: update to version 2.2.1Felix Fietkau2016-01-162-19/+19
| | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> SVN-Revision: 48254
* mbedtls: update to version 2.1.3Hauke Mehrtens2015-12-031-2/+2
| | | | | | | | This fixes some non critical bugs. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 47725
* mbedtls: update to version 2.1.2Hauke Mehrtens2015-10-182-34/+25
| | | | | | | | This fixes CVE-2015-5291 and some other smaller security issues. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> SVN-Revision: 47200
* cosmetic: remove trailing whitespacesLuka Perkov2015-10-151-1/+1
| | | | | | Signed-off-by: Luka Perkov <luka@openwrt.org> SVN-Revision: 47197
* mbedtls: package version 2.0, make polarssl compatibleSteven Barth2015-07-242-0/+304
Signed-off-by: Steven Barth <steven@midlink.org> SVN-Revision: 46484