Commit Graph

32 Commits

Author SHA1 Message Date
Jo-Philipp Wich
207bcea1de cyassl: update to wolfssl 3.12.2 (1 CVE)
Update wolfssl to the latest release v3.12.2 and backport an upstream
pending fix for CVE-2017-13099 ("ROBOT vulnerability").

Ref: https://github.com/wolfSSL/wolfssl/pull/1229
Ref: https://robotattack.org/

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 902961c148)
2017-12-13 13:08:38 +01:00
Hauke Mehrtens
e9f0b75976 cyassl: update to wolfssl version 3.10.0
This fixes a low level security vulnerability.
Deactivate MIPS16 support, crypto code gets much slower with MIPS16.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-01-10 00:10:15 +01:00
Felix Fietkau
cbca3ae92e libs/cyassl: re-enable the stunnel flag
This partially reverts commit 15734b023b.
--enable-stunnel was actually important and properly described in
commit 9b118cde89. Removing it broke ustream-cyassl

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-20 10:42:23 +01:00
Daniel Engberg
15734b023b libs/cyassl: Enable multithreading, drop stunnel
More and more platforms are multicore SoCs, don't enforce singlethreading.
Drop stunnel option as stunnel code isn't available for download from upstream website.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-12-20 09:35:36 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Hauke Mehrtens
abedd718aa cyassl: update to wolfssl version 3.9.10
This fixes the following security problems:
CVE-2016-7440: Software AES table lookups do not properly consider cache-bank access times
CVE-2016-7439: Software RSA does not properly consider cache-bank monitoring
CVE-2016-7438: Software ECC does not properly consider cache-bank monitoring
SWEET32 Attack

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-12-03 21:35:35 +01:00
Andreas Schultz
b9e3e38e79 cyassl: make CyaSSL/WolfSSL more configurable
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.

Signed-off-by: Andreas Schultz <aschultz@tpip.net>
2016-09-19 15:30:32 +02:00
Andreas Schultz
277f85c21a cyassl: make CyaSSL/WolfSSL more configurable
The default configuration might not be suitable for
every use case. Add options to enable/disable additional
options.

Signed-off-by: Andreas Schultz <aschultz@tpip.net>
2016-08-22 17:30:35 +02:00
Hauke Mehrtens
bdf9243c1b cyassl: update to wolfssl version 3.9.6
Changelog: https://www.wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html

old size:
libcyassl_3.9.0-1_mips_34kc_dsp.ipk     147552

new size:
libcyassl_3.9.6-1_mips_34kc_dsp.ipk     150087

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2016-07-24 15:05:03 +02:00
Karl Palsson
9b118cde89 wolfssl: enable openssl 1.0.1 compatibility
>From wolfssl/openssl/opensslv.h, and from skimming the contents of what
"--enable-stunnel" actually does, it seems that --enable-opensslextra
doesn't give you the "full" openssl compatibility that you may wish for
these days.  Unfortuantely, while wolfssl writes the build time options
into wolfssl/options.h, it doesn't include that file itself.  User
applications must include that directly.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2016-06-07 09:22:16 +02:00
Dirk Neukirchen
de27a1adae cyassl/wolfssl: update to 3.9.0
wolfssl has a fine grained feature and compatibility control
for compiling stunnel, lighthttp or (partly) openssl dropin
ustream-ssl uses features that require normally
HAVE_SNI, HAVE_STUNNEL and the openssl compatibility headers

ar71xx ipkg sizes of wolfssl 3.9.0:
- with stunnel: 144022
- this patch (w.o. stunnel): 131712
- without openssl(extra): 111104
- w.o openssl/sni:108515
- w.o openssl/sni/ecc: 93954

so patch 300 saves around 12k compressed ipkg size

v2: keep & rename patch 300 for clarity, fixes ustream-ssl/cyassl
that broke with v1

Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
2016-05-21 09:57:12 +02:00
Jo-Philipp Wich
c042adcf74 cyassl: disable Intel ASM for now
With ASM support enabled, CyaSSL fails to build on all x86 subtargets.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 48876
2016-03-02 10:01:27 +00:00
Hauke Mehrtens
6329349cd0 cyassl: update to wolfssl version 3.8.0
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 48616
2016-02-01 22:38:28 +00:00
Hauke Mehrtens
52df3181c1 cyassl: update to wolfSSL version 3.7.0
This version and version 3.6.8 are fixing the following security problems:
* CVE-2015-7744
* CVE-2015-6925

The activation of SSLv3 support is needed for curl.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 47791
2015-12-05 15:45:31 +00:00
Hauke Mehrtens
252bcd379a cyassl: the upstream package in version 4.6.0 changed
Update the md5sum to the new version.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46551
2015-08-03 20:34:28 +00:00
Hauke Mehrtens
69a2459c66 cyassl: update to wolfssl 3.6.0
Upstream wolfssl already has better checks to detect broken ssl v2
ClientHellos, we can remove our hack.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46168
2015-07-03 23:20:36 +00:00
Hauke Mehrtens
9177e16098 cyassl: version bump to 3.4.6
This patch introduces a new build error into coova-chilli, but
coova-chilli already fails to build even without it anyway. CyaSSL is
now called wolfSSL, and all the API's have been renamed, and
backward-compatibility headers added.

Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 46167
2015-07-03 23:20:01 +00:00
John Crispin
426d3abe8f cyassl: add --enable-ecc as its needed when using the CA certificates
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45217
2015-04-01 13:00:45 +00:00
John Crispin
b233fdcfa2 cyassl: add support for SSL_set_tlsext_host_name
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45215
2015-04-01 10:42:28 +00:00
Steven Barth
21bf45edd2 cyassl: bump to 3.3.0
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43728
2014-12-16 09:16:00 +00:00
John Crispin
74a3a77bcd license info - revert r43155
turns out that r43155 adds duplicate info.

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 43167
2014-11-03 09:56:44 +00:00
John Crispin
c10d97484a Add more license tags with SPDX identifiers
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.

I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.

However, I can not garantee that I always picked the correct information
and/or did not miss license information.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>

SVN-Revision: 43155
2014-11-03 08:01:08 +00:00
Steven Barth
bec9d38fa4 Add a few SPDX tags
Signed-off-by: Steven Barth <steven@midlink.org>

SVN-Revision: 43151
2014-11-02 12:20:54 +00:00
Hauke Mehrtens
c8bc803189 cyassl: update to version 3.2.0
This fixes a security problem:
Security fix for RSA Padding check vulnerability

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 42526
2014-09-13 20:56:55 +00:00
Steven Barth
415284ca1c cyassl: update to 3.1.0
SVN-Revision: 42063
2014-08-08 05:25:52 +00:00
Hauke Mehrtens
9be00fc256 cyassl: update to version 3.0.0
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

SVN-Revision: 40621
2014-05-01 14:04:15 +00:00
Imre Kaloz
72f00c8de4 change fixup method and fix CFLAGS handling
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 39151
2013-12-20 20:25:44 +00:00
Jo-Philipp Wich
5e8abac86f cyassl: upgrade to v2.8.0
Un-reverts the previous update commit and forward-ports the patch
to improve legacy SSLv2 handshake handling.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 38609
2013-10-30 13:19:48 +00:00
Jo-Philipp Wich
8e2106488a Revert "[cyassl]: upgrade to 2.8.0"
Reverts the CyaSSL version bump for now since the update completely broke
trunk building due to incompatible changes in the IO callback API which in
turn breaks the core ustream-ssl package.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 38576
2013-10-29 09:53:48 +00:00
Imre Kaloz
688ac024ac upgrade to 2.8.0
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>

SVN-Revision: 38558
2013-10-28 14:34:59 +00:00
Jo-Philipp Wich
6945d722e6 cyassl: add a patch to better check legacy SSLv2 client hello records
If junk data is received during SSL_accept(), cyassl will treat it as legacy SSLv2
record without performing further plausibility checks. Change the legacy code path
to return UNKNOWN_HANDSHAKE_TYPE if the value of the third byte isn't 0x01 the
hello message type.

SVN-Revision: 33675
2012-10-09 16:41:36 +00:00
Felix Fietkau
48db59fab7 move library packages to package/libs/
SVN-Revision: 33657
2012-10-08 11:24:12 +00:00