Commit Graph

39417 Commits

Author SHA1 Message Date
Mirko Parthey
1dace8cbe0 brcm47xx: resolve GPIO conflict for WRT54GSv1
On the Linksys WRT54GSv1, the adm6996 switch driver and the
gpio_button_hotplug module both claim GPIO 6, which is connected to the
Reset button.  When the switch driver's request wins, the Reset button
cannot work. This makes it impossible to enter failsafe mode without a
serial console.

Stop requesting the "adm_rc" GPIO in the switch driver, since it is not
used anywhere.

Fixes FS#792.

Signed-off-by: Mirko Parthey <mirko.parthey@web.de>
2017-07-02 22:44:06 +02:00
Rafał Miłecki
896246b8c5 firmware-utils: mktplinkfw2: fix support for -w option
This fixes copy & paste typo when reading -w argument.

Fixes: 4b35e174ca ("firmware-utils: mktplinkfw2: support additional hardware version")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-07-02 22:31:13 +02:00
Jonas Gorski
eaaba94bf6 kernel: add missing symbol to generic
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-06-30 12:14:10 +02:00
Jonas Gorski
beaaf214f7 brcm63xx: refresh smp config
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-06-30 12:13:08 +02:00
Jonas Gorski
d131e36e41 brcm63xx: enable KEXEC for SMP again
It seems it compiles again, so there is no reason to keep it disabled.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-06-30 12:12:38 +02:00
Jonas Gorski
2983576bae brcm63xx: disable commandline parts parser
We don't use it, so no need to have it enabled.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-06-30 12:12:32 +02:00
Anthony Sepa
f9b67b89d3 brcm63xx: add support for the Actiontec R1000H gateway
SOC: Broadcom BCM6368 (2 * Broadcom BMIPS4350 V3.1 / 400 MHz)
Flash size: 32MB (split 16/16 dual boot)
RAM size: 64MB
Wireless: BCM432x 802.11a/b/g/n(pci)
Ethernet: Broadcom BCM53115
USB: 1 x USB 2.0

Known issues:
 - Unable to detect 53115 switch attached to MDIO. Not supported
 - No support for the cable port

More info on the device and the research can be found at:
http://www.actiontec.com/212.html

Same FCC ID as:
https://wikidevi.com/wiki/Actiontec_V1000H_(Telus)

Signed-off-by: Anthony Sepa <anthonysepa@yahoo.ca>
[jonas.gorski: fix commit subject/message]
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-06-30 12:12:17 +02:00
Jonas Gorski
1dc7a0cfd5 brcm63xx: fix bcm6328 pinmux other register
The pinmux register is at relative offset 0x8, not 0xc. Fixes hang
when trying to modify pins >= 32.

Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
2017-06-30 12:12:06 +02:00
Jo-Philipp Wich
28cb6ed949 ar71xx: fix typo in network defaults
Commit 9fec39a (ar71xx: add support for TP-Link TL-WA855RE v1) introduced a
typo in 02_network, fix it by removing the stray paren.

Reported-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-29 18:04:29 +02:00
Piotr Dymacz
a73471dea7 ar71xx: image: specify TPLINK_HWID for TP-Link RE450
TPLINK_HWID hasn't been specified for TP-Link RE450 since the beginning.
As we don't want to break sysupgrade (all existing LEDE release images
for this board have TPLINK_HWID set to 0x0), set it explicitly to 0x0.

Fixes FS#852

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:46:08 +02:00
Piotr Dymacz
24043a0d2e ramips: add support for TP-Link TL-WR840N v4 and TL-WR841N v13
TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with
5-port FE switch and non-detachable antennas. Both are very similar
and are based on MediaTek MT7628NN (aka MT7628N) WiSoC.

The difference between these two models is in number of available
LEDs, buttons and power input switch.

This work is partially based on GitHub PR#974.

Specification:

- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- TL-WR840N v4: 5x LED (GPIO-controlled), 1x button
- TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input
  switch

* WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't
  (fully) supported by gpio-leds driver. This type of LED requires both
  GPIOs state change at the same time to select color or turn it off.
  For now, we support/use only the green part of the LED.

Factory image notes:

These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lies in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device ("0x4"/"0x13" for these devices) but it seems
that anything other than "0" is correct.

We are able to prepare factory firmware file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash.

Tests showed that the GUI upgrade routine copies value of "Additional
Hardware Version" from existing firmware into offset "0x2023c" in
provided file, _before_ storing it in flash. In case of vendor firmware
upgrade files (which all include U-Boot image and two headers), this
offset points to the matching field in kernel+rootfs firmware part
header. Unfortunately, in case of LEDE factory image file which contains
only one header, it points to the offset "0x2023c" in kernel image. This
leads to a corrupted kernel and ends up with a "soft-bricked" device.

The good news is that U-Boot in these devices contains well known tftp
recovery mode, which can be triggered with "reset" button. What's more,
in comparison to some of older MediaTek based TP-Link devices, this
recovery mode doesn't write whole file at offset "0x0" in flash, without
verifying provided file in advance. In case of recovery mode in these
devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes
from rest of the file are stored in flash at offset "0x20000".

Flash instruction:

Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot:

1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin"
   to "tp_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
   the router and keep button pressed for around 6-7 seconds, until
   device starts downloading the file.
4. Router will download file from server, write it to flash and reboot.

To access U-Boot CLI, keep pressed "4" key during boot.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Piotr Dymacz
c55fadcacb ramips: image: simplify TP-Link Archer devices definitions
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Piotr Dymacz
5b7f592251 build: move mktplinkfw2 related commands to image-commands.mk
There are already two targets (lantiq, ramips) which use mktplinkfw2
tool for creating images. This de-duplicates code, introduces two new
build commands: tplink-v2-header, tplink-v2-image and makes use of
them in place of old, (sub)target specific ones.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Piotr Dymacz
7d6c63d875 build: rename TPLINK_BOARD_NAME to TPLINK_BOARD_ID
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Piotr Dymacz
4b35e174ca firmware-utils: mktplinkfw2: support additional hardware version
As it turned out, some of new MediaTek based TP-Link devices use value
from field at 0x3c offset in version 3 of TP-Link header to specify
"Additional Hardware Version".

Value from this field is validated during regular (GUI) firmware upgrade
on devices like TL-WR840N v4 or TL-WR841N v13. If it's zero (based on
some tests, it seems that firmware will accept anything != 0), errors
like below are printed on console and upgrade fails:

[ rsl_sys_updateFirmware ] 2137:  Firmware Additional HardwareVersion
check failed

[ rdp_updateFirmware ] 345:  perror:4506

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Piotr Dymacz
ad8c315812 ar71xx: fix switch port mapping for TP-Link TL-WR74xN/D series
Fixes FS#843

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Henryk Heisig
b05c7193fd ar71xx: add support for TP-Link Archer C58 v1
TP-Link Archer C58 v1 is a dual-band AC1350 router, based on Qualcomm
QCA9561 + QCA9886. It looks like Archer C59 v1 without USB port.

Specification:

- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 6x LED, 3x button
- UART header on PCB, RX, TX at TP4+5 (backside)

QCA9886 wlan needs pre_cal_data file and enable ieee80211 phy hotplug to
patch macaddress.

Flash instruction:

Use "factory" image directly in vendor GUI.

Recovery method:

1. Set PC to fixed ip address 192.168.0.66/24.
2. Download "lede-ar71xx-generic-archer-c58-v1-squashfs-factory.bin" and
   rename it to "tp_recovery.bin".
3. Start a tftp server with the file "tp_recovery.bin" in its root
   directory.
4. Turn off the router.
5. Press and hold Reset button.
6. Turn on router with the reset button pressed and wait ~15 seconds.
7. Release the reset button and after a short time the firmware should
   be transferred from the tftp server.
8. Wait ~30 seconds to complete recovery.

Flash instruction under U-Boot, using UART:

tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
erase 0x9f020000 +$filesize
cp.b $fileaddr 0x9f020000 $filesize
reset

This commit is based on GitHub PR#1112

Signed-off-by: Henryk Heisig <hyniu@o2.pl>
2017-06-29 10:37:36 +02:00
Jean-Pierre St-Yves
01280bc8dc firmware-utils: tplink-safeloader: add support for Archer C5 v2 JP/US
Add support for Japan and US versions of TP-Link Archer C5 v2

Signed-off-by: Jean-Pierre St-Yves <jpstyves@gmail.com>
2017-06-29 10:37:36 +02:00
Henryk Heisig
7d21b4eed0 firmware-utils: tplink-safeloader: add support for Archer C59/C60 RU
Add support for Russian version of TP-Link Archer C59/C60 v1

Signed-off-by: Henryk Heisig <hyniu@o2.pl>
2017-06-29 10:37:36 +02:00
Federico Cappon
9fec39a033 ar71xx: add support for TP-Link TL-WA855RE v1
TP-Link TL-WA855RE v1 is a wall-plug N300 Wi-Fi range extender,
based on Qualcomm/Atheros QCA9533 v2.

Short specification:

- 550/397/198 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 32 MB of RAM (DDR1)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 2x external antennas
- 2x LED (green and orange in the same package), 2x button
- UART: TP5(TX) and TP4(RX) test points on PCB

Flash instruction: use "factory" image directly in vendor GUI.

Warning: this device does not include any kind of recovery mechanism
in the bootloader and disassembling process is not trivial.

You can access vendor firmware over serial line using:
- login: root
- password: sohoadmin

Image was tested only in EU version of the device, but should work
also with the same device version sold in other countries.

Signed-off-by: Federico Cappon <dududede371@gmail.com>
2017-06-29 10:37:36 +02:00
Piotr Dymacz
656ed7544f ar71xx: fix EnGenius ENS202EXT mtd definition
Use statically defined sizes for kernel and rootfs mtd partitions.
Vendor upgrade script writes both firmware parts independently which
ends up in a gap between kernel and rootfs images. This results in
incorrectly calculated rootfs_data start offset.

Also, fix IMAGE_SIZE, DEVICE_PACKAGES and drop redundant KERNEL
definition.

Fixes FS#835

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2017-06-29 10:37:36 +02:00
Camille Bilodeau
bdd3c94872 uboot-envtools: add Arduino Yun support
Signed-off-by: Camille Bilodeau <camille.bilodeau@protonmail.com>
2017-06-29 10:37:36 +02:00
Camille Bilodeau
bb46b635df ar71xx: move Arduino Yun to generic building code
Migrate Arduino Yun from legacy to generic building code.

Note: the mtd partitioning is changed to adopt the LEDE default
partitioning. It allows to have a kernel bigger than 1280k. It is
necessary as kernel > 4.4 with default LEDE configuration grows
bigger.

To use the new partitioning, you need to update your U-Boot env in
advance:

setenv mtdparts "spi0.0:256k(u-boot)ro,64k(u-boot-env),15936k(firmware),64k(nvram),64k(art)ro"
setenv bootcmd "run addboard; run addtty; run addparts; run addrootfs; bootm 0x9f050000 || bootm 0x9fea0000"
saveenv

Signed-off-by: Camille Bilodeau <camille.bilodeau@protonmail.com>
2017-06-29 10:37:36 +02:00
Camille Bilodeau
2fa58a8d7c ar71xx: remove Arduino Yun 8 MiB prototype
The Arduino Yun has 16 MiB flash. Early prototype boards with 8 MiB were
not available for sale:

https://blog.arduino.cc/2013/08/21/updating-about-arduino-yun-and-arduino-robot/

Signed-off-by: Camille Bilodeau <camille.bilodeau@protonmail.com>
2017-06-29 10:37:36 +02:00
Leon M. George
3e12ca2355 ar71xx: wpj344: set MAC on wan
Signed-off-by: Leon M. George <leon@georgemail.eu>
2017-06-29 10:37:36 +02:00
Leon M. George
98c5a71dfd ar71xx: wpj344: remove unused eth1 device
Signed-off-by: Leon M. George <leon@georgemail.eu>
2017-06-29 10:37:36 +02:00
Leon M. George
c777fd8a7e ar71xx: wpj344: read MAC addresses from u-boot mtd
This way, the assigned addresses match those on the barcode labels.
Otherwise, the addresses appear to vary on boot.

Signed-off-by: Leon M. George <leon@georgemail.eu>
2017-06-29 10:37:36 +02:00
Hans Dedecker
1d45ec2784 dhcpv6: add missing dollar sign in dhcpv6 script (FS#874)
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-29 09:56:19 +02:00
Stijn Tintel
880f73c327 kernel: cleanup CONFIG_SCHED_HRTICK
Remove CONFIG_SCHED_HRTICK from target configs, as it was added to the
generic config in b47fd76563.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-29 04:46:59 +02:00
Stijn Tintel
1e91855af2 armvirt: rename config-default to config-4.9
The kernel configs for all targets should have the version in the
filename, for clearness and consistency across all targets.
It is also expected by the update_kernel.sh script.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-29 03:36:19 +02:00
Hans Dedecker
7d31fe6068 dnsmasq: backport patch fixing DNS failover (FS#841)
Backport upstream dnsmasq patch fixing DNS failover when first servers
returns REFUSED in strict mode; fixes issue FS#841.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-28 11:33:42 +02:00
Rafał Miłecki
76c460b584 kernel: backport usbport LED trigger driver support for DT
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2017-06-28 11:31:38 +02:00
Stijn Tintel
6371159b4a dropbear: add option to set max auth tries
Add a uci option to set the new max auth tries parameter in dropbear.
Set the default to 3, as 10 seems excessive.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Kevin Darbyshire-Bryant
9aaf3d3501 dropbear: server support option '-T' max auth tries
Add support for '-T n' for a run-time specification for maximum number
of authentication attempts where 'n' is between 1 and compile time
option MAX_AUTH_TRIES.

A default number of tries can be specified at compile time using
'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
backwards compatibility.

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
2017-06-28 02:18:20 +02:00
Yury Shvedov
37c1513b1f hostapd: configure NAS ID regardless of encryption
RADIUS protocol could be used not only for authentication but for
accounting too. Accounting could be configured for any type of networks.
However there is no way to configure NAS Identifier for non-WPA
networks without this patch.

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
[cleanup commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Yury Shvedov
0e7bbcd43b hostapd: add acct_interval option
Make an ability to configure Accounting-Interim-Interval via UCI

Signed-off-by: Yury Shvedov <yshvedov@wimarksystems.com>
[add hostapd prefix, cleanup commit message]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-28 02:18:20 +02:00
Michael Heimpold
f788fd0fd3 mxs: drop 4.4 support
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2017-06-27 23:22:25 +02:00
Michael Heimpold
9eb68f020b mxs: add support for 4.9 and switch over
I did not port the regulator and power patches from Stefan Wahren
because I talked to him and he told me that work on this is currently
stalled. And since AFAIK nothing depends on these patches, leaving them
out seems reasonable.

I build minimum default configurations and run-tested them on both
I2SE Duckbill devices and Olimex Olinuxino Maxi boards successfully [1].

[1] Tested:
- debug uart is working
- boot without any obvious kernel problem
- network is coming up and data transfer is possible
- Olinuxino: USB detects a plugged-in pen drive

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
[refreshed config and patches]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2017-06-27 23:22:25 +02:00
Michael Heimpold
8794954d10 kernel: disable various symbols for v4.9
In preparation for bumping mxs target to 4.9, disable a bunch of configuration
symbols that provoked config prompts.

Signed-off-by: Michael Heimpold <mhei@heimpold.de>
2017-06-27 23:22:25 +02:00
John Crispin
6da4f03f02 ath10k-firmware: add qca9888 firmware
ath10k-firmware: add qca9888 firmware

the firmware files for qca9888 were previously not packaged. add the meta
information for doing so.

Signed-off-by: John Crispin <john@phrozen.org>
2017-06-27 11:47:07 +02:00
Stijn Tintel
f80963d4d1 kernel: update kernel 4.4 to 4.4.74
Refresh patches.
Compile-tested on ar71xx.
Runtime-tested on ar71xx.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-27 07:42:50 +02:00
Koen Vandeputte
69649a1b45 kernel: update kernel 4.9 to 4.9.34
- Refreshed all patches
- Adapted 1 (0031-mtd-add-SMEM-parser-for-QCOM-platforms.patch)

Compile tested on: brcm2708, cns3xxx, imx6
Run tested on: brcm2708, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
[Compile and run tested on brcm2708]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-27 07:21:03 +02:00
Stijn Tintel
d18f76f762 kernel: use .patch extension for all patches
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-06-27 06:37:46 +02:00
Mathias Kresin
06741411e0 firmware-utils: fix dgn3500sum compiler warnings
The sum variable needs to be initialised, otherwise it will point to
random stack memory and a bogus image checksum might be calculated.

While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.

Signed-off-by: Mathias Kresin <dev@kresin.me>
2017-06-26 20:08:36 +02:00
Hans Dedecker
f33de80232 dnsmasq: backport tweak ICMP ping logic for DHCPv4
Don't start ping-check of address in DHCP discover if there already
exists a lease for the address. It has been reported under some
circumstances Android and netbooted Windows devices can reply to
ICMP pings if they have a lease and thus block the allocation of
the IP address the device already has during boot.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
2017-06-26 10:49:13 +02:00
Jo-Philipp Wich
2c5f16ecac procd: support term_timeout parameter
Expose "term_timeout" parameter in procd.sh to allow init scripts to
request a longer termination timeout.

This is required to fix FS#859 in a later commit.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-26 10:02:20 +02:00
Jo-Philipp Wich
124ab1dc0a procd: assign /dev/tty* nodes to "tty" group
Adjust default permissions and ownership of /dev/tty* nodes from
0600/root:root to 0660/root:tty in order to support granting
unprivileged user access when needed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-26 10:02:20 +02:00
Jo-Philipp Wich
5523ee3459 base-files: add "tty" user group
This is needed for an upcoming change to the hotplug default rules which
will cause /dev/tty* nodes to get assigned to the "tty" group in order
to support unprivileged user access when needed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2017-06-26 10:02:20 +02:00
Magnus Kroken
45f4f6649a openvpn: update to 2.4.3
Fixes for security and other issues. See security announcement for more details:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

* Remotely-triggerable ASSERT() on malformed IPv6 packet (CVE-2017-7508)
* Pre-authentication remote crash/information disclosure for clients (CVE-2017-7520)
* Potential double-free in --x509-alt-username (CVE-2017-7521)
* Remote-triggerable memory leaks (CVE-2017-7512)
* Post-authentication remote DoS when using the --x509-track option (CVE-2017-7522)
* Null-pointer dereference in establish_http_proxy_passthru()
* Restrict --x509-alt-username extension types
* Fix potential 1-byte overread in TCP option parsing
* Fix mbedtls fingerprint calculation
* openssl: fix overflow check for long --tls-cipher option
* Ensure option array p[] is always NULL-terminated
* Pass correct buffer size to GetModuleFileNameW() (Quarkslabs finding 5.6)

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:56:07 +02:00
Magnus Kroken
329f6a96b7 mbedtls: update to 2.5.1
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
2017-06-26 09:56:07 +02:00