aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/wolfssl/Makefile
Commit message (Collapse)AuthorAgeFilesLines
* wolfssl: bump to v4.7.0-stableEneas U de Queiroz2021-03-061-3/+3
| | | | | | | | | | | | | | | Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. This tool shows no ABI changes: https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)
* wolfssl: Backport fix for CVE-2021-3336Hauke Mehrtens2021-02-101-1/+1
| | | | | | | | | | | | | This should fix CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The patch is backported from the upstream wolfssl development branch. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 1f559cafe5cc1193a5962d40a2d938c66c783171)
* wolfssl: Update to v4.6.0-stableEneas U de Queiroz2021-02-021-2/+2
| | | | | | | | | | | | | | | | | | | This version fixes a large number of bugs and fixes CVE-2020-36177. Full changelog at: https://www.wolfssl.com/docs/wolfssl-changelog/ or, as part of the version's README.md: https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md Due a number of API additions, size increases from 374.7K to 408.8K for arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version. Backported patches were removed; remaining patch was refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [added reference to CVE] Signed-off-by: Petr Å tetiar <ynezz@true.cz> (cherry picked from commit ba40da9045f77feb04abe63eb8a92f13f9efe471)
* wolfssl: Update to version 4.5.0Hauke Mehrtens2020-09-021-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 00722a720c778e623d6f37af3a3b4e43b29c3fe8)
* wolfssl: use -fomit-frame-pointer to fix asm errorEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | 32-bit x86 fail to compile fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 750d52f6c90e2a144c250779741607f0cb306a94)
* wolfssl: update to 4.4.0-stableEneas U de Queiroz2020-09-021-2/+2
| | | | | | | | | | | | | This version adds many bugfixes, including a couple of security vulnerabilities: - For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. - Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 3481f6ffc79f46fc7ba86a4cc15ad958e99b5a82)
* wolfssl: bump to 4.3.0-stableEneas U de Queiroz2020-01-041-3/+3
| | | | | | | | This update fixes many bugs, and six security vulnerabilities, including CVE-2019-18840. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d5ede68f8b67f8fa2b4102b90e5dd3722172299a)
* wolfssl: update to v4.2.0-stableEneas U de Queiroz2019-11-101-4/+4
| | | | | | | | | | | | | | | | Many bugs were fixed--2 patches removed here. This release of wolfSSL includes fixes for 5 security vulnerabilities, including two CVEs with high/critical base scores: - potential invalid read with TLS 1.3 PSK, including session tickets - potential hang with ocspstaping2 (always enabled in openwrt) - CVE-2019-15651: 1-byte overread when decoding certificate extensions - CVE-2019-16748: 1-byte overread when checking certificate signatures - DSA attack to recover DSA private keys Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit f4853f7cca816214cd6e64cffe2b73d0b8c16def)
* wolfssl: allow building with hw-crytpo and AES-CCMEneas U de Queiroz2019-11-101-2/+4
| | | | | | | | | Hardware acceleration was disabled when AES-CCM was selected as a workaround for a build failure. This applies a couple of upstream patches fixing this. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit ab19627ecc3923687fd339f4f23dc45572d00ce0)
* wolfssl: bump to 4.1.0-stableEneas U de Queiroz2019-08-171-90/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Always build AES-GCM support. Unnecessary patches were removed. This includes two vulnerability fixes: CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK extension parsing. CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack. This brings the package up-to-date with master, so it incorporates changes from 4.0.0 in master: * Removed options that can't be turned off because we're building with --enable-stunnel, some of which affect hostapd's Config.in. * Adjusted the title of OCSP option, as OCSP itself can't be turned off, only the stapling part is selectable. * Mark options turned on when wpad support is selected. * Add building options for TLS 1.0, and TLS 1.3. * Add hardware crypto support, which due to a bug, only works when CCM support is turned off. * Reorganized option conditionals in Makefile. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: Fix package hashHauke Mehrtens2019-07-081-1/+1
| | | | | Fixes: 3167a57f7262 ("wolfssl: update to 3.15.7, fix Makefile") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: update to 3.15.7, fix MakefileEneas U de Queiroz2019-07-081-9/+9
| | | | | | | | | | This includes a fix for a medium-level potential cache attack with a variant of Bleichenbacher’s attack. Patches were refreshed. Increased FP_MAX_BITS to allow 4096-bit RSA keys. Fixed poly1305 build option, and some Makefile updates. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 2792daab5ad26e916619052fc7f581cddc1ea53c)
* treewide: revise library packagingJo-Philipp Wich2019-01-241-3/+3
| | | | | | | | | | | - Annotate versionless libraries (such as libubox, libuci etc.) with a fixed ABI_VERSION resembling the source date of the last incompatible change - Annotate packages shipping versioned library objects with ABI_VERSION - Stop shipping unversioned library symlinks for packages with ABI_VERSION Ref: https://openwrt.org/docs/guide-developer/package-policies#shared_libraries Ref: https://github.com/KanjiMonster/maintainer-tools/blob/master/check-abi-versions.pl Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wolfssl: update to version 3.15.3-stableDaniel Golle2018-10-151-3/+3
| | | | Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wolfssl: remove myself as maintainerAlexandru Ardelean2018-07-301-1/+0
| | | | | | | I no longer have the time, nor the desire to maintain this package. Remove myself as maintainer. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* wolfssl: change defaults to cover wpa_supplicant needsDaniel Golle2018-05-311-1/+1
| | | | | | | | | | | | | Implicetely selecting the required options via Kconfig snippet from hostapd worked fine in local builds when using menuconfig but confused the buildbots which (in phase1) may build wpad-mini and hence already come with CONFIG_WPA_WOLFSSL being defined as unset which then won't trigger changing the defaults of wolfssl. Work around by explicitely reflecting wpa_supplicant's needs in wolfssl's default settings to make buildbots happy. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wolfssl: add PKG_CONFIG_DEPENDS symbolsDaniel Golle2018-05-251-1/+10
| | | | | | | | This change will trigger rebuild on buildbots in case of changed config symbols, like in the case of hostapd selecting some wolfssl symbols lately. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wolfssl: update to version 3.14.4Daniel Golle2018-05-241-4/+5
| | | | | | | | Use download from github archive corresponding to v3.14.4 tag because the project's website apparently only offers 3.14.0-stable release downloads. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wolfssl: fix options and add support for wpa_supplicant featuresDaniel Golle2018-05-021-5/+28
| | | | | | | | Some options' default values have been changed upstream, others were accidentally inverted (CONFIG_WOLFSSL_HAS_DES3). Also add options needed to build hostapd/wpa_supplicant against wolfssl. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* wolfssl: update to 3.12.2 (1 CVE)Jo-Philipp Wich2017-12-121-2/+2
| | | | | | | | | | Update wolfssl to the latest release v3.12.2 and backport an upstream pending fix for CVE-2017-13099 ("ROBOT vulnerability"). Ref: https://github.com/wolfSSL/wolfssl/pull/1229 Ref: https://robotattack.org/ Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wolfssl: add PKG_CPE_ID ids to package and toolsAlexander Couzens2017-11-191-0/+1
| | | | | | | CPE ids helps to tracks CVE in packages. https://cpe.mitre.org/specification/ Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* libs/wolfssl: bump to version 3.12.0 ; add myself as maintainerAlexandru Ardelean2017-09-171-3/+4
| | | | Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* libs/wolfssl: adjust symbol defaults against libwolfssl defaultsAlexandru Ardelean2017-09-171-7/+7
| | | | | | | | Some symbols have been renamed. Some are default enabled/disabled, so we need to adjust semantics against that. Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
* cyassl,curl,libustream-ssl: rename every `cyassl` to `wolfssl`Alexandru Ardelean2017-09-171-0/+140
This is to eliminate any ambiguity about the cyassl/wolfssl lib. The rename happened some time ago (~3+ years). As time goes by, people will start to forget cyassl and start to get confused about the wolfSSL vs cyassl thing. It's a good idea to keep up with the times (moving forward). Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>