Commit Graph

58 Commits

Author SHA1 Message Date
Petr Štetiar
f1b7e1434f treewide: fix security issues by bumping all packages using libwolfssl
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.

So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2022-10-03 17:52:06 +02:00
Boris Krasnovskiy
d94c94d795 ustream-ssl: prevent unused crypto lib dependencies from being compiled
Prevented unused crypto lib dependencies from being compiled

Signed-off-by: Boris Krasnovskiy <borkra@gmail.com>
2022-07-31 00:11:21 +02:00
Hauke Mehrtens
e74529552c ustream-ssl: update to Git version 2022-01-16
868fd88 ustream-openssl: wolfSSL: Add compatibility for wolfssl >= 5.0

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2022-01-16 21:51:21 +01:00
Karel Kočí
219e17a350 ustream-ssl: variants conflict with each other
This adds conflicts between variants of libustream pacakge.
They provide the same file and thus it should not be possible to install
them side by side.

Signed-off-by: Karel Kočí <karel.koci@nic.cz>
2021-06-21 18:48:03 -10:00
Petr Štetiar
23bbaa02a9 ustream-ssl: update to Git version 2020-12-10
68d09243b6fd Add initial GitLab CI support
8280140db9d1 wolfssl: remove now deprecated compatibility code
cee6791b362a ustream-mbedtls: fix certificate verification
55c3fd89d508 ustream-mbedtls: implement set_require_validation
c6b4c48689a3 ustream-openssl: wolfSSL: fix certificate validation
3bc05402bfab cmake: enable extra compiler checks
cd2c3d12db43 ustream-mbedtls: fix comparison of integers of different signs
5896991e46a3 ustream-openssl: fix BIO_method memory leak
2c342ae57c5b ustream-openssl: fix wolfSSL includes
fa8ecd6ed140 cmake: fix linking when mbed TLS not in default paths
63656f81045f cmake: fix linking when wolfSSL not in default paths
c26f71e844df cmake: fix building out of the tree

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-14 09:41:39 +01:00
Jo-Philipp Wich
cd23dc1d21 ustream-ssl: bump to latest Git HEAD
5e1bc34 ustream-openssl: clear error stack before SSL_read/SSL_write
f7f93ad add support for specifying usable ciphers

Also bump the ABI version since the layout of `struct ustream_ssl_ops`
changed.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2020-03-25 19:16:19 +01:00
Hauke Mehrtens
ccd7e2dfb2 ustream-ssl: Update to version 2020-01-05
30cebb4 ustream-ssl: mbedtls: fix ssl client verification
77de09f ustream-ssl: mbedtls: fix net_sockets.h include warning

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-01-05 20:04:37 +01:00
Jo-Philipp Wich
6f9157e6bd ustream-ssl: update to latest Git HEAD
c9b6668 ustream-ssl: skip writing pending data if .eof is true after connect

Fixes: CVE-2019-5101, CVE-2019-5102
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-11-05 14:43:20 +01:00
Hauke Mehrtens
57ff06405e ustream-ssl: Update to latest git HEAD
465f8dc wolfssl: adjust to new API in v4.2.0
3b06c65 Update example certificate & key, fix typo
1c38fd8 wolfssl: enable CN validation
33308ee ustream-io-cyassl.c: fix client-mode connections
79d91aa Remove CyaSSL, WolfSSL < 3.10.4 support

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-11-01 21:19:40 +01:00
Hauke Mehrtens
ced2b7bb98 ustream-ssl: update to latest git HEAD
e8f9c22 Revise supported ciphersuites
7e9e269 wolfssl, openssl: use TLS 1.3, set ciphersuites

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2019-08-17 17:09:42 +02:00
Jeffery To
e545fac8d9 build: include BUILD_VARIANT in PKG_BUILD_DIR
This changes the default PKG_BUILD_DIR to take BUILD_VARIANT into
account (if set), so that packages do not need to manually override
PKG_BUILD_DIR just to handle variants.

This also updates most base packages with variants to use the updated
default PKG_BUILD_DIR.

Signed-off-by: Jeffery To <jeffery.to@gmail.com>
2019-08-05 23:22:26 +02:00
Eneas U de Queiroz
82a8ddd603 ustream-ssl: update to 2019-06-24
This adds chacha20-poly1305 support to the mbedtls variant.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2019-06-24 22:01:17 +02:00
Jo-Philipp Wich
797e5c1c48 packages: set more explicit ABI_VERSION values
In the case of upstream libraries, set the ABI_VERSION variable to the
soname value of the first version version after the last backwards
incompatible change.

For custom OpenWrt libraries, set the ABI_VERSION to the date of the
last Git commit doing backwards incompatible changes to the source,
such as changing function singatures or dropping exported symbols.

The soname values have been determined by either checking
https://abi-laboratory.pro/index.php?view=tracker or - in the case
of OpenWrt libraries - by carefully reviewing the changes made to
header files thorough the corresponding Git history.

In the future, the ABI_VERSION values must be bumped whenever the
library is updated to an incpompatible version but not with every
package update, in order to reduce the dependency churn in the
binary package repository.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2019-01-19 14:31:51 +01:00
Eneas U de Queiroz
33fd1d0d91 ustream-ssl: update to latest git HEAD
23a3f28 openssl, wolfssl: match mbedTLS ciphersuite list
450ada0 ustream-ssl: Revised security on mbedtls
34b0b80 ustream-ssl: add openssl-1.1.0 compatibility

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2018-08-07 14:28:16 +02:00
Daniel Engberg
5647cc7bd4 treewide: Bump PKG_RELEASE due to mbedtls update
Bump PKG_RELEASE on packages that depends on (lib)mbedtls to avoid library
mismatch.

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-30 10:35:12 +02:00
Daniel Engberg
10554cfcc1 mbedtls: Update to 2.11.0
Update mbed TLS to 2.11.0

Disable OFB block mode and XTS block cipher mode, added in 2.11.0.
The soVersion of mbedtls changed, bump PKG_RELEASE for packages that use mbedTLS
This is to avoid having a mismatch between packages when upgrading.

The size of mbedtls increased a little bit:
ipkg for mips_24kc before:
163.846 Bytes
ipkg for mips_24kc after:
164.382 Bytes

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2018-07-07 18:29:14 +02:00
Daniel Golle
4f442f5f38 ustream-ssl: fix build against wolfSSL
commit 39a6ce205d (ustream-ssl: Enable ECDHE with OpenSSL.) broke
build against wolfSSL because wolfSSL doesn't (yet) support
SSL_CTX_set_ecdh_auto() of the OpenSSL API.

Fix this in ustream-ssl:

 189cd38b41 don't use SSL_CTX_set_ecdh_auto with wolfSSL

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2018-05-24 18:55:34 +02:00
John Crispin
346d4c75ea ustream-ssl: update to latest git HEAD
5322f9d mbedtls: Fix setting allowed cipher suites
e8a1469 mbedtls: Add support for a session cache

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-22 20:47:21 +02:00
Hauke Mehrtens
cb11b23d60 mbedtls: update to version 2.9.0
The soversion was changed in this version again and is now aligned with
the 2.7.2 version.
The size of the ipkg file stayed mostly the same.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-05-22 20:47:20 +02:00
John Crispin
52ba5760b7 ustream-ssl: update to latest git HEAD
527e700 ustream-ssl: Remove RC4 from ciphersuite in server mode.
39a6ce2 ustream-ssl: Enable ECDHE with OpenSSL.
45ac930 remove polarssl support

Signed-off-by: John Crispin <john@phrozen.org>
2018-05-01 11:12:15 +02:00
Hauke Mehrtens
7b758f7f4f ustream-ssl: px5g: Rebuild package
mbedtls changed in version 2.7.0 the soversion of the libmbedcrypto.so
library, all applications using this shared library have to be
recompiled to be able to load the new library.

Some binaries got rebuild to for the 2.7.0 release and are now using
libmbedcrypto.so.1, the older ones are still using libmbedcrypto.so.0.

Fixes: 75c5ab4ca ("mbedtls: update to version 2.7.0")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-04-18 23:57:25 +02:00
Jo-Philipp Wich
fe920d01bb treewide: replace LEDE_GIT with PROJECT_GIT
Remove LEDE_GIT references in favor to the new name-agnostic
PROJECT_GIT variable.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2018-01-10 21:27:32 +01:00
Alexandru Ardelean
d03c23c8d4 cyassl,curl,libustream-ssl: rename every cyassl to wolfssl
This is to eliminate any ambiguity about the cyassl/wolfssl lib.

The rename happened some time ago (~3+ years).
As time goes by, people will start to forget cyassl and
start to get confused about the wolfSSL vs cyassl thing.

It's a good idea to keep up with the times (moving forward).

Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
2017-09-17 00:00:12 +02:00
Felix Fietkau
3e7b894ac0 ustream-ssl: remove legacy polarssl support
The old polarssl 1.3 branch is EOL since end of 2016, and the package
for it will be removed soon.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2017-01-09 14:35:09 +01:00
Hannu Nyman
b7677f05d6 ustream-ssl: remove extra DEFAULT_VARIANT from libustream-polarssl
Currently both libustream-polarssl and libustream-mbedtls
variants define themselves as the DEFAULT_VARIANT

Remove extra DEFAULT_VARIANT from libustream-polarssl.

Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
2016-12-30 17:38:39 +01:00
Felix Fietkau
c7c1cf5618 treewide: clean up and unify PKG_VERSION for git based downloads
Also use default defintions for PKG_SOURCE_SUBDIR, PKG_SOURCE

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-22 16:42:21 +01:00
Felix Fietkau
720b99215d treewide: clean up download hashes
Replace *MD5SUM with *HASH, replace MD5 hashes with SHA256

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-16 22:39:22 +01:00
Daniel Engberg
9edfe7dd13 source: Switch to xz for packages and tools where possible
* Change git packages to xz
* Update mirror checksums in packages where they are used
* Change a few source tarballs to xz if available upstream
* Remove unused lines in packages we're touching, requested by jow- and blogic
* We're relying more on xz-utils so add official mirror as primary source, master site as secondary.
* Add SHA256 checksums to multiple git tarball packages

Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
2016-10-06 12:16:56 +02:00
Felix Fietkau
71753a8286 Revert "ustream-ssl: Fix recursive dependency"
This reverts commit abf0768131.
The description is wrong, there is no recursive dependency here. The
conditions were added intentionally to avoid bogus build dependencies.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-07-04 16:47:56 +02:00
Daniel Dickinson
abf0768131 ustream-ssl: Fix recursive dependency
Two variants incorrectly include themselves in
conditional depends on ssl libraries, which results
in a recursive dependency.

Signed-off-by: Daniel Dickinson <lede@daniel.thecshore.com>
2016-07-04 10:51:41 +02:00
John Crispin
1e9c066595 ustream-ssl: update to latest git HEAD
Signed-off-by: John Crispin <john@phrozen.org>
2016-07-02 10:16:17 +02:00
John Crispin
62dc9831d3 package/*: update git urls for project repos
Signed-off-by: John Crispin <john@phrozen.org>
2016-06-13 22:51:41 +02:00
Felix Fietkau
d84bf324ba ustream-ssl: update to the latest version, adds cyassl/wolfssl fixes
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 09:22:11 +02:00
Felix Fietkau
7eeb254cc4 treewide: replace nbd@openwrt.org with nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-06-07 08:58:42 +02:00
Felix Fietkau
b77a72ce0c ustream-ssl: update to the latest version, fixes openssl TLS version selection
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48752
2016-02-22 08:54:46 +00:00
Felix Fietkau
487efe2508 ustream-ssl: update to the latest version, fixes hostname validation with openssl
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48503
2016-01-26 00:10:19 +00:00
Felix Fietkau
87456ff286 ustream-ssl: update to the latest version, fixes handling SSL connection close notification
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48462
2016-01-23 18:53:12 +00:00
Felix Fietkau
54baefc480 ustream-ssl: update to the latest version, fixes connection with servers requiring DHE
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48380
2016-01-19 22:41:36 +00:00
Felix Fietkau
b075688953 ustream-ssl: fix copy&paste mistake in mbedtls variant title
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48258
2016-01-16 09:14:03 +00:00
Felix Fietkau
d9494cdf6d ustream-ssl: update to the latest version, adds mbedtls variant
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48256
2016-01-16 00:20:01 +00:00
Felix Fietkau
04d7cf87e3 ustream-ssl: move to git.openwrt.org
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 48126
2016-01-04 15:12:53 +00:00
Jo-Philipp Wich
645635801d ustream-ssl: fix compilation against current PolarSSL/mbedTLS version
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>

SVN-Revision: 45934
2015-06-09 16:52:12 +00:00
Felix Fietkau
af9672cfde ustream-ssl: correct year in PKG_VERSION string
ustream-ssl: correct the year in the PKG_VERSION string, as both r45157 and
r45441 left the old year 2014 there. For a casual user it may seem that the
current code is from April 2014, although
a4ca61527236e89eb9efb782fd9bfd04796144e3 is from April 2015.

http://nbd.name/gitweb.cgi?p=ustream-ssl.git;a=commit;h=a4ca61527236e89eb9efb782fd9bfd04796144e3
https://dev.openwrt.org/changeset/45441/
https://dev.openwrt.org/changeset/45157/

signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>

SVN-Revision: 45623
2015-05-08 10:43:48 +00:00
John Crispin
da2742db3b ustream-ssl: update to latest git HEAD
fixes long writes when using polarssl

Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45441
2015-04-14 19:01:24 +00:00
Nicolas Thill
b8dccba8f2 ustream-ssl: fix SNI when building against cyassl
Signed-off-by: Nicolas Thill <nico@openwrt.org>

SVN-Revision: 45224
2015-04-01 15:11:38 +00:00
John Crispin
97b3237307 ustream-ssl: enable SNI when building for cyassl
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45216
2015-04-01 10:42:33 +00:00
John Crispin
67bf89324d ustream-ssl: properly handle return codes
Signed-off-by: John Crispin <blogic@openwrt.org>

SVN-Revision: 45157
2015-03-30 13:17:27 +00:00
Felix Fietkau
0b148a331b ustream-ssl: select polarssl as default variant, skip openssl/cyassl dependencies if unused
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 42655
2014-09-23 10:41:24 +00:00
Felix Fietkau
e7de56916a ustream-ssl: update to latest version, adds certificate validation support
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 40017
2014-03-25 15:06:24 +00:00
Felix Fietkau
8a17353e75 ustream-ssl: update to the latest version, fixes cyassl build
Signed-off-by: Felix Fietkau <nbd@openwrt.org>

SVN-Revision: 40004
2014-03-21 23:39:47 +00:00