Commit Graph

19 Commits

Author SHA1 Message Date
Hauke Mehrtens
ea22e3df3e mbedtls: Update to 2.12.0
Multiple security fixes
* CVE-2018-0497 Remote plaintext recovery on use of CBC based ciphersuites through a timing side-channel
* CVE-2018-0498 Plaintext recovery on use of CBC based ciphersuites through a cache based side-channel

Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
Disable Chacha20 and Poly1305 cryptographic primitives, added in 2.12.0
Patch the so version back to the original one, the API changes are
looking no so invasive.

The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.967 Bytes
ipkg for mips_24kc after:
164.753 Bytes

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-08-08 22:49:59 +02:00
Hauke Mehrtens
7b758f7f4f ustream-ssl: px5g: Rebuild package
mbedtls changed in version 2.7.0 the soversion of the libmbedcrypto.so
library, all applications using this shared library have to be
recompiled to be able to load the new library.

Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.

Fixes: 75c5ab4ca ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-18 23:57:25 +02:00
Florian Fainelli
306ee64361 px5g: Fix TARGET_LDFLAGS and add TARGET_CPPFLAGS
Make sure we pass down TARGET_CPPFLAGS to let toolchains with no default
search paths to find the mbdetls headers, and override TARGET_LDFLAGS to
include libraries we are linking against.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
2017-03-01 17:19:51 -08:00
Felix Fietkau
709d10e220 px5g: replace px5g-standalone with a statically linked variant of px5g-mbedtls
px5g-standalone only supports SHA1 for certificates, which is strongly
deprecated. The new px5g-standalone is about 27k bigger (compressed),
and has identical behavior to px5g-mbedtls (it uses SHA256).

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-02-21 16:05:42 +01:00
Felix Fietkau
589a16fdb6 px5g: remove obsolete reference to $(BUILD_VARIANT)
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 16:37:33 +01:00
Felix Fietkau
1cf64e210f px5g: remove legacy polarssl support
The old polarssl 1.3 branch is EOL since end of 2016, and the package
for it will be removed soon.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 14:35:08 +01:00
Alberto Bursi
7fa89d7f3c px5g: move to Encryption submenu
moved px5g to Encryption submenu of Utilities, in an effort to tidy up a bit the Utilities section of make menuconfig.

Signed-off-by: Alberto Bursi <alberto.bursi@outlook.it>
2016-10-26 14:06:48 +02:00
Daniel Dickinson
a7f6dc9f8b px5g: Create mbedtls variant
px5g has been listed as a blocker for switching to new mbedtls
as the default, therefore make and mbedtls variant of px5g so
that an new mbedtls-only image can be created.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-07-05 22:59:12 +02:00
Jo-Philipp Wich
24a7ccb056 treewide: replace jow@openwrt.org with jo@mein.io
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2016-06-07 11:42:52 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Florian Eckert
5ac43d6ec2 px5g: add license tag
show the license for this package in opkg

Signed-off-by: Florian Eckert <Eckert.Florian@googlemail.com>
2016-05-31 14:54:19 -04:00
Felix Fietkau
4205078a78 px5g: Use SHA-256 when generating self-signed certificates
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>

SVN-Revision: 47391
2015-11-06 10:52:52 +00:00
Jo-Philipp Wich
542b6c30e5 fix subject in generated certificates
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 44149
2015-01-25 23:33:49 +00:00
Jo-Philipp Wich
0ceece4c82 px5g: generate unique serial numbers
Generate a random serial from /dev/urandom when creating selfsigned certs.
Fixes "sec_error_reused_issuer_and_serial" with Firefox.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 43168
2014-11-03 18:12:42 +00:00
John Crispin
74a3a77bcd license info - revert r43155
turns out that r43155 adds duplicate info.

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 43167
2014-11-03 09:56:44 +00:00
John Crispin
c10d97484a Add more license tags with SPDX identifiers
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.

I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.

However, I can not garantee that I always picked the correct information
and/or did not miss license information.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

SVN-Revision: 43155
2014-11-03 08:01:08 +00:00
Felix Fietkau
eb225996ee px5g: rename the old package to px5g-standalone, add a new one that links against polarssl
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 40000
2014-03-21 15:55:23 +00:00
John Crispin
62cd76ab2c px5g: creates certificates that expire in the past
the attached patch fixes a bug of px5g when instructed to build
certificates that expire after 2038-01-19, caused a multiplication that
may overflow the "to" variable of type time_t

Attached patch checks if "to" precedes "from": if so sets "to" to its
maximum value. Pretty rude, but works well even if certificate is set to
expire in a century

Signed-off-by: Federico Fissore <federico@fissore.org>
Patchork: http://patchwork.openwrt.org/patch/3749/

SVN-Revision: 37165
2013-07-04 13:31:32 +00:00
John Crispin
4ebf19b48f packages: clean up the package folder
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 37007
2013-06-21 16:54:37 +00:00