aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/wolfssl
Commit message (Collapse)AuthorAgeFilesLines
* wolfssl: update to 5.5.4-stableNick Hainke2023-01-013-36/+3
| | | | | | | | | | | | | | Remove upstreamed: - 001-Fix-enable-devcrypto-build-error.patch Refresh patch: - 100-disable-hardening-check.patch Release notes: https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.4-stable Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 04634b2d8253972a3e7b663231474eb564e69077)
* wolfssl: fix build with /dev/cryptoChukun Pan2022-12-221-0/+33
| | | | | | | | | | | Backport upstream patch to fix build error when /dev/crypto enabled. https://github.com/wolfSSL/wolfssl/commit/dc9f46a3be00b5e82684a158605189d1278e324c Fixes: #10944 Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> (cherry picked from commit 171691500eca0737c59d4fff50578b74a90583be)
* wolfssl: update to v5.5.3Nick Hainke2022-11-273-53/+3
| | | | | | | | | | | | | | | Remove "200-ecc-rng.patch" because it was upstramed by: https://github.com/wolfSSL/wolfssl/commit/e2566bab2122949a6a0bb2276d0a52598794d7d0 Refreshed "100-disable-hardening-check.patch". Fixes CVE 2022-42905. Release Notes: - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.2-stable - https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.3-stable Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit 745f1ca9767716c43864a2b7a43ed60b16c25560)
* wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)Petr Štetiar2022-10-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | Fixes denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption. When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility of a malicious client to craft a malformed second ClientHello packet that causes the server to crash. This issue is limited to when using both --enable-session-ticket and TLS 1.3 on the server side. Users with TLS 1.3 servers, and having --enable-session-ticket, should update to the latest version of wolfSSL. Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France" for research on tlspuffin. Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable Fixes: CVE-2022-39173 Fixes: https://github.com/openwrt/luci/issues/5962 References: https://github.com/wolfSSL/wolfssl/issues/5629 Tested-by: Kien Truong <duckientruong@gmail.com> Reported-by: Kien Truong <duckientruong@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit ec8fb542ec3e4f584444a97de5ac05dbc2a9cde5)
* wolfssl: refresh patchesPetr Štetiar2022-10-042-3/+3
| | | | | | | So they're tidy and apply cleanly. Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 8ad9a72cbed07643c7a8e4febbea71c7122b29a4)
* wolfssl: bump to 5.5.0Ivan Pavlov2022-10-044-28/+5
| | | | | | | | | | | Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch Some low severity vulnerabilities fixed OpenVPN compatibility fixed (broken in 5.4.0) Other fixes && improvements Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com> (cherry picked from commit 3d88f26d74f7771b808082cef541ed8286c40491)
* wolfssl: fix math library buildJohn Audia2022-07-311-0/+23
| | | | | | | | | | | | | | Apply upstream patch[1] to fix breakage around math libraries. This can likely be removed when 5.5.0-stable is tagged and released. Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B 1. https://github.com/wolfSSL/wolfssl/pull/5390 Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit c2aa816f28e0fe2f6f77d0c6da4eba19ea8db4ea)
* wolfssl: make shared againJo-Philipp Wich2022-07-302-2/+0
| | | | | | | | | | | | | | | Disable the usage of target specific CPU crypto instructions by default to allow the package being shared again. Since WolfSSL does not offer a stable ABI or a long term support version suitable for OpenWrt release timeframes, we're forced to frequently update it which is greatly complicated by the package being nonshared. People who want or need CPU crypto instruction support can enable it in menuconfig while building custom images for the few platforms that support them. Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 0063e3421de4575e088bb428e758751931bbe6fd)
* wolfssl: Do not activate HW acceleration on armvirt by defaultHauke Mehrtens2022-07-201-1/+1
| | | | | | | | | | | | | | The armvirt target is also used to run OpenWrt in lxc on other targets like a Raspberry Pi. If we set WOLFSSL_HAS_CPU_CRYPTO by default the wolfssl binray is only working when the CPU supports the hardware crypto extension. Some targets like the Raspberry Pi do not support the ARM CPU crypto extension, compile wolfssl without it by default. It is still possible to activate it in custom builds. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit d1b5d17d03c844ad578bb53b90ea17377bdc5eee)
* wolfssl: WOLFSSL_HAS_WPAS requires WOLFSSL_HAS_DHPascal Ernster2022-07-201-0/+1
| | | | | | | | | | Without this, WOLFSSL_HAS_DH can be disabled even if WOLFSSL_HAS_WPAS is enabled, resulting in an "Anonymous suite requires DH" error when trying to compile wolfssl. Signed-off-by: Pascal Ernster <git@hardfalcon.net> Reviewed-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 21825af2dad0070affc2444ff56dc84a976945a2)
* wolfssl: bump to 5.4.0Eneas U de Queiroz2022-07-164-48/+4
| | | | | | | | | | | | This version fixes two vulnerabilities: -CVE-2022-34293[high]: Potential for DTLS DoS attack -[medium]: Ciphertext side channel attack on ECC and DH operations. The patch fixing x86 aesni build has been merged upstream. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 9710fe70a68e0a004b1906db192d7a6c8f810ac5) Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* wolfssl: re-enable AES-NI by default for x86_64Eneas U de Queiroz2022-07-152-6/+45
| | | | | | | | | | | Apply an upstream patch that removes unnecessary CFLAGs, avoiding generation of incompatible code. Commit 0bd536723303ccd178e289690d073740c928bb34 is reverted so the accelerated version builds by default on x86_64. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 639419ec4fd1501a9b9857cea96474271ef737b1)
* wolfssl: disable AES-NI by default for x86_64Eneas U de Queiroz2022-06-271-1/+6
| | | | | | | | | | | | | WolfSSL is crashing with an illegal opcode in some x86_64 CPUs that have AES instructions but lack other extensions that are used by WolfSSL when AES-NI is enabled. Disable the option by default for now until the issue is properly fixed. People can enable them in a custom build if they are sure it will work for them. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0bd536723303ccd178e289690d073740c928bb34)
* wolfssl: make WOLFSSL_HAS_OPENVPN default to yEneas U de Queiroz2022-06-091-1/+1
| | | | | | | | | | | | | Openvpn forces CONFIG_WOLFSSL_HAS_OPENVPN=y. When the phase1 bots build the now non-shared package, openvpn will not be selected, and WolfSSL will be built without it. Then phase2 bots have CONFIG_ALL=y, which will select openvpn and force CONFIG_WOLFSSL_HAS_OPENVPN=y. This changes the version hash, causing dependency failures, as shared packages expect the phase2 hash. Fixes: #9738 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: enable CPU crypto instructionsEneas U de Queiroz2022-06-092-0/+23
| | | | | | | | | | | | | | | | | | | This enables AES & SHA CPU instructions for compatible armv8, and x86_64 architectures. Add this to the hardware acceleration choice, since they can't be enabled at the same time. The package was marked non-shared, since the arm CPUs may or may not have crypto extensions enabled based on licensing; bcm27xx does not enable them. There is no run-time detection of this for arm. NOTE: Should this be backported to a release branch, it must be done shortly before a new minor release, because the change to nonshared will remove libwolfssl from the shared packages, but the nonshared are only built in a subsequent release! Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 0a2edc2714dcda10be902c32525723ce2cbcb138)
* wolfssl: add benchmark utilityEneas U de Queiroz2022-06-091-3/+23
| | | | | | | This packages the wolfssl benchmark utility. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 18fd12edb810f9dfbf8410bb81f639df052134cb)
* wolfssl: don't change ABI because of hw cryptoEneas U de Queiroz2022-06-091-10/+21
| | | | | | | | | Enabling different hardware crypto acceleration should not change the library ABI. Add them to PKG_CONFIG_DEPENDS after the ABI version hash has been computed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 677774d445ced1a56e73fe62df47b4eb66441721)
* wolfssl: bump to v5.3.0-stableEneas U de Queiroz2022-05-173-45/+2
| | | | | | | | | | This is mostly a bug fix release, including two that were already patched here: - 300-fix-SSL_get_verify_result-regression.patch - 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit 73c1fe2890baa5c0bfa46f53c5387f5e47de1acb)
* wolfssl: fix compilation with /dev/cryptoEneas U de Queiroz2022-04-201-0/+19
| | | | | | This is trivial fix of a duplicate definition of 'int ret'. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: bump to 5.2.0Eneas U de Queiroz2022-04-114-9/+7
| | | | | | | | | | | | | | | | | Fixes two high-severity vulnerabilities: - CVE-2022-25640: A TLS v1.3 server who requires mutual authentication can be bypassed. If a malicious client does not send the certificate_verify message a client can connect without presenting a certificate even if the server requires one. - CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS v1.3 server can have its certificate heck bypassed. If the sig_algo in the certificate_verify message is different than the certificate message checking may be bypassed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit e89f3e85eb1c1d81294e5d430a91b0ba625e2ec0)
* wolfssl: fix API breakage of SSL_get_verify_resultPetr Štetiar2022-02-221-0/+26
| | | | | | | | | | | | | | | | | | Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* wolfssl: update to 5.1.1-stableSergey V. Lobanov2022-02-015-144/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | Bump from 4.8.1-stable to 5.1.1-stable Detailed release notes: https://github.com/wolfSSL/wolfssl/releases Upstreamed patches: 001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch - https://github.com/wolfSSL/wolfssl/commit/fa8f23284d4689c2a737204b337b58d966dcbd8c 002-Update-macro-guard-on-SHA256-transform-call.patch - https://github.com/wolfSSL/wolfssl/commit/f447e4c1fa4c932c0286fa0331966756e243db81 Refreshed patches: 100-disable-hardening-check.patch 200-ecc-rng.patch CFLAG -DWOLFSSL_ALT_CERT_CHAINS replaced to --enable-altcertchains configure option The size of the ipk changed on aarch64 like this: 491341 libwolfssl4.8.1.31258522_4.8.1-stable-7_aarch64_cortex-a53.ipk 520322 libwolfssl5.1.1.31258522_5.1.1-stable-1_aarch64_cortex-a53.ipk Tested-by: Alozxy <alozxy@users.noreply.github.com> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* libs/wolfssl: add SAN (Subject Alternative Name) supportSergey V. Lobanov2021-12-292-2/+7
| | | | | | | | | x509v3 SAN extension is required to generate a certificate compatible with chromium-based web browsers (version >58) It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
* wolfssl: enable ECC Curve 25519 by defaultStan Grishin2021-10-241-1/+1
| | | | | | | * fixes https://github.com/openwrt/packages/issues/16652 see https://github.com/openwrt/packages/issues/16674#issuecomment-934983898 Signed-off-by: Stan Grishin <stangri@melmac.net>
* wolfssl: fix compile when enable-devcrypto is setIvan Pavlov2021-10-211-0/+22
| | | | | | | fixing linking error when --enable-devcrypto=yes fixes: 7d92bb050961 wolfssl: update to 4.8.1-stable Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
* wolfssl: remove --enable-sha512 configure switchAndre Heider2021-10-171-2/+2
| | | | | | | | | | It's the default anyway and this just looks confusing, as if it wasn't. Switch to AUTORELEASE while at it. The binary size is unchanged. Signed-off-by: Andre Heider <a.heider@gmail.com>
* wolfssl: always build with --enable-reproducible-buildAndre Heider2021-10-171-0/+1
| | | | | | | | | | | This gates out anything that might introduce semantically frivolous jitter, maximizing chance of identical object files. The binary size shrinks by 8kb: 1244352 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f Signed-off-by: Andre Heider <a.heider@gmail.com>
* wolfssl: build with WOLFSSL_ALT_CERT_CHAINSAndre Heider2021-10-171-2/+8
| | | | | | | | | | | | | | | | | | | | | | | | | "Alternate certification chains, as oppossed to requiring full chain validataion. Certificate validation behavior is relaxed, similar to openssl and browsers. Only the peer certificate must validate to a trusted certificate. Without this, all certificates sent by a peer must be used in the trust chain or the connection will be rejected." This fixes e.g. uclient-fetch and curl connecting to servers using a Let's Encrypt certificate which are cross-signed by the now expired DST Root CA X3, see [0]. This is the recommended solution from upstream [1]. The binary size increases by ~12.3kb: 1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f 1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f [0] https://github.com/openwrt/packages/issues/16674 [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793 Signed-off-by: Andre Heider <a.heider@gmail.com> [bump PKG_RELEASE] Signed-off-by: David Bauer <mail@david-bauer.net>
* wolfssl: update to 4.8.1-stableIvan Pavlov2021-09-134-18/+11
| | | | | | | | | | | Changes from 4.7.0: Fix one high (OCSP verification issue) and two low vulnerabilities Improve compatibility layer Other improvements and fixes For detailed changes refer to https://github.com/wolfSSL/wolfssl/releases Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
* wolfssl: fix build with GCC 10 on 32 x86 targetsStijn Tintel2021-08-201-0/+123
| | | | | | Backport upstream patch to fix build with GCC 10 on 32 x86 targets. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* wolfssl: add support for OpenVPNIvan Pavlov2021-05-232-1/+7
| | | | | | | | | | Support for wolfSSL has been upstreamed to the master OpenVPN branch in f6dca235ae560597a0763f0c98fcc9130b80ccf4, so we can use wolfSSL directly in OpenVPN. So no more needed differnt SSL engine for OpenVPN in systems based on wolfSSL library Compiled && tested on ramips/mt7620, ramips/mt7621 Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
* wolfssl: always export wc_ecc_set_rngDavid Bauer2021-05-212-1/+51
| | | | | | | | | | | | | | | Since commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant") wolfssl requires a RNG for an EC key when the hardened built option is selected. wc_ecc_set_rng is only available when built hardened, so there is no safe way to install the RNG to the key regardless whether or not wolfssl is compiled hardened. Always export wc_ecc_set_rng so tools such as hostapd can install RNG regardless of the built settings for wolfssl. Signed-off-by: David Bauer <mail@david-bauer.net>
* wolfssl: bump to v4.7.0-stableEneas U de Queiroz2021-02-235-92/+4
| | | | | | | | | | | | | | Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. This tool shows no ABI changes: https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: fix Ed25519 typo in config promptChristian Lamparter2021-02-201-1/+1
| | | | Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
* wolfssl: use libtool patch for PKG_ABI_VERSIONFelix Fietkau2021-02-151-1/+1
| | | | | | Makes it unnecessary to patch .so files after build Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wolfssl: use dynamic ABI_VERSION depending on the configuration and package ↵Felix Fietkau2021-02-151-1/+3
| | | | | | version Signed-off-by: Felix Fietkau <nbd@nbd.name>
* Revert "wolfssl: use dynamic ABI_VERSION depending on the configuration and ↵Hauke Mehrtens2021-02-151-3/+1
| | | | | | | | | | | | | | | | package version" This fixes the build on MIPS BE like ath25 and ath79 target. We get this error message when linking libwolfssl: mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags' mips-openwrt-linux-musl/bin/ld: /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so: unknown type [0x7000002a] section `.MIPS.abiflags' mips-openwrt-linux-musl/bin/ld: skipping incompatible /home/hauke/openwrt/openwrt/staging_dir/target-mips_mips32_musl/usr/lib/libwolfssl.so when searching for -lwolfssl mips-openwrt-linux-musl/bin/ld: cannot find -lwolfssl collect2: error: ld returned 1 exit status This reverts commit 2591c83b3406c16d3c1cd2dc7fa59c3c1b901d3c. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: use dynamic ABI_VERSION depending on the configuration and package ↵Felix Fietkau2021-02-141-1/+3
| | | | | | version Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wolfssl: Backport fix for CVE-2021-3336Hauke Mehrtens2021-02-092-1/+54
| | | | | | | | | | | | This should fix CVE-2021-3336: DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not cease processing for certain anomalous peer behavior (sending an ED22519, ED448, ECC, or RSA signature without the corresponding certificate). The patch is backported from the upstream wolfssl development branch. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: enable HAVE_SECRET_CALLBACKFelix Fietkau2021-01-021-0/+10
| | | | | | Fixes wpad-wolfssl build Signed-off-by: Felix Fietkau <nbd@nbd.name>
* wolfssl: Fix hostapd build with wolfssl 4.6.0Hauke Mehrtens2021-01-011-0/+25
| | | | | | | | | | | | This fixes the following build problem in hostapd: mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_add': <artificial>:(.text.crypto_ec_point_add+0x170): undefined reference to `ecc_projective_add_point' mipsel-openwrt-linux-musl/bin/ld: <artificial>:(.text.crypto_ec_point_add+0x18c): undefined reference to `ecc_map' mipsel-openwrt-linux-musl/bin/ld: /builder/shared-workdir/build/tmp/ccN4Wwer.ltrans7.ltrans.o: in function `crypto_ec_point_to_bin': <artificial>:(.text.crypto_ec_point_to_bin+0x40): undefined reference to `ecc_map' Fixes: ba40da9045f7 ("wolfssl: Update to v4.6.0-stable") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: Update to v4.6.0-stableEneas U de Queiroz2021-01-014-154/+4
| | | | | | | | | | | | | | | | | This version fixes a large number of bugs, although no security vulnerabilities are listed. Full changelog at: https://www.wolfssl.com/docs/wolfssl-changelog/ or, as part of the version's README.md: https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md Due a number of API additions, size increases from 374.7K to 408.8K for arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version. Backported patches were removed; remaining patch was refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: fix broken wolfSSL_X509_check_hostPetr Štetiar2020-12-112-1/+124
| | | | | | | Backport upstream post 4.5.0 fix for broken wolfSSL_X509_check_host(). References: https://github.com/wolfSSL/wolfssl/issues/3329 Signed-off-by: Petr Štetiar <ynezz@true.cz>
* wolfssl: compile with --enable-opensslallEneas U de Queiroz2020-12-111-1/+2
| | | | | | | | | | This enables all OpenSSL API available. It is required to avoid some silent failures, such as when performing client certificate validation. Package size increases from 356.6K to 374.7K for arm_cortex-a9_vfpv3-d16. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: add lighty support, skip crypttestsEneas U de Queiroz2020-12-111-1/+3
| | | | | | | | | | Tnis adds the --enable-lighty option to configure, enabling the minimum API needed to run lighttpd, in the packages feed. Size increase is about 120 bytes for arm_cortex-a9_vfpv3-d16. While at it, speed up build by disabling crypt bench/test. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: Activate link time optimization (LTO)Hauke Mehrtens2020-09-061-2/+3
| | | | | | | | | | | The ipk sizes for mips_24Kc change like this: old: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk 391.545 new: libwolfssl24_4.5.0-stable-2_mips_24kc.ipk 387.439 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: add certgen config optionPaul Spooren2020-08-312-1/+6
| | | | | | The option allows to generate certificates. Signed-off-by: Paul Spooren <mail@aparcar.org>
* wolfssl: Update to version 4.5.0Hauke Mehrtens2020-08-263-4/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* wolfssl: use -fomit-frame-pointer to fix asm errorEneas U de Queiroz2020-06-031-2/+2
| | | | | | | | | | | 32-bit x86 fail to compile fast-math feature when compiled with frame pointer, which uses a register used in a couple of inline asm functions. Previous versions of wolfssl had this by default. Keeping an extra register available may increase performance, so it's being restored for all architectures. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* wolfssl: update to 4.4.0-stableEneas U de Queiroz2020-05-201-2/+2
| | | | | | | | | | | | This version adds many bugfixes, including a couple of security vulnerabilities: - For fast math (enabled by wpa_supplicant option), use a constant time modular inverse when mapping to affine when operation involves a private key - keygen, calc shared secret, sign. - Change constant time and cache resistant ECC mulmod. Ensure points being operated on change to make constant time. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-07 02:46:14 +0000