mtk-20170518/package/libs, branch v17.01.4 MTK 20170518 : Mediatek SDK based on OpenWRT Barrier Breaker mbedtls: update to 2.6.0 CVE-2017-14032 2017-09-30T13:24:52+00:00 Kevin Darbyshire-Bryant kevin@darbyshire-bryant.me.uk 2017-09-01T18:04:29+00:00 e232c6754d6e0cbde3892aa1fa243f4707d7ad5e Fixed an authentication bypass issue in SSL/TLS. When the TLS authentication mode was set to 'optional', mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when it was not trusted. This could be triggered remotely on both the client and server side. (Note, with the authentication mode set by mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake was correctly aborted). Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk> Tested-by: Magnus Kroken <mkroken@gmail.com> 
Fixed an authentication bypass issue in SSL/TLS. When the TLS
authentication mode was set to 'optional',
mbedtls_ssl_get_verify_result() would incorrectly return 0 when the
peer's X.509 certificate chain had more than
MBEDTLS_X509_MAX_INTERMEDIATE_CA intermediates (default: 8), even when
it was not trusted. This could be triggered remotely on both the client
and server side. (Note, with the authentication mode set by
mbedtls_ssl_conf_authmode()to be 'required' (the default), the handshake
was correctly aborted).

Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Tested-by: Magnus Kroken <mkroken@gmail.com>
uclient: update to 2017-09-06 2017-09-06T13:48:05+00:00 Matthias Schiffer mschiffer@universe-factory.net 2017-09-06T13:44:14+00:00 bb6a8b2cbf55759ef383e52216aa96dfef377f76 24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses 83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> 
24d6eded73de uclient-http: fix Host: header for literal IPv6 addresses
83ce236dab86 uclient-fetch: read_data_cb: fix a potential buffer overflow

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
mbedtls: Re-allow SHA1-signed certificates 2017-08-11T18:45:28+00:00 Baptiste Jonglez git@bitsofnetworks.org 2017-07-30T15:57:37+00:00 3e35eb13ada3b87e87cd108f9d459b9484446e9c Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates. This breaks openvpn clients that try to connect to servers that present a TLS certificate signed with SHA1, which is fairly common. Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx. Fixes: FS#942 Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org> 
Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.

Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.

Fixes: FS#942

Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
mbedtls: update to 2.5.1 2017-06-26T07:57:11+00:00 Magnus Kroken mkroken@gmail.com 2017-06-21T19:05:09+00:00 73e81a8318d1038cbcb2ad788bf8d956f338f587 Fixes some security issues (no remote exploits), and introduces some changes. See release notes for details: https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read() * Adds exponent blinding to RSA private operations * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()) * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack. Signed-off-by: Magnus Kroken <mkroken@gmail.com> 
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released

* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

Signed-off-by: Magnus Kroken <mkroken@gmail.com>
openssl: Use mkhash for STAMP_CONFIGURED 2017-04-22T10:43:51+00:00 Florian Fainelli f.fainelli@gmail.com 2017-03-01T18:48:32+00:00 72fcdb6286ad7be24296acbd36043ee3e96e5ec4 The current way of creating a STAMP_CONFIGURED filename for OpenSSL can lead to an extremely long filename that makes touch unable to create it, and fail the build. Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a shortert stamp file, Fixes #572 Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> 
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.

Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,

Fixes #572

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
libubox: fix host build on macOS 2017-04-08T12:49:05+00:00 Felix Fietkau nbd@nbd.name 2017-02-20T11:32:45+00:00 5866ff8be8ef961cf17c4469f5afb54f91570b95 Use the defaults instead of a custom non-portable Host/Install section Signed-off-by: Felix Fietkau <nbd@nbd.name> 
Use the defaults instead of a custom non-portable Host/Install section

Signed-off-by: Felix Fietkau <nbd@nbd.name>
libubox: add host build 2017-04-08T12:48:55+00:00 Jo-Philipp Wich jo@mein.io 2017-02-17T09:49:14+00:00 293c54c5677cb7db21a53df7fae0a1fd2f663b04 Our opkg fork requires libubox to build, so add a host build for it. Signed-off-by: Jo-Philipp Wich <jo@mein.io> 
Our opkg fork requires libubox to build, so add a host build for it.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
mbedtls: update to version 2.4.2 2017-03-13T21:35:48+00:00 Hauke Mehrtens hauke@hauke-m.de 2017-03-13T19:04:32+00:00 c4ed92ae7d9568b42490eeba540e68684c6ed981 This fixes the following security problems: * CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve * SLOTH vulnerability * Denial of Service through Certificate Revocation List Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> 
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
libpcap: add optional netfilter support 2017-03-01T19:37:37+00:00 Martin Schiller mschiller@tdt.de 2017-02-20T05:27:41+00:00 87e021e6e3eecb8dcaf1e38d5f63264629696743 This is needed to use the nflog interface with tcpdump Signed-off-by: Martin Schiller <mschiller@tdt.de> 
This is needed to use the nflog interface with tcpdump

Signed-off-by: Martin Schiller <mschiller@tdt.de>
mbedtls: add --function-sections and --data-sections to CFLAGS 2017-03-01T19:37:37+00:00 Felix Fietkau nbd@nbd.name 2017-02-21T13:33:14+00:00 2e8545333a356a413c44fd8c673039807b780c42 This allows binaries that links these libraries statically to be reduced by using --gc-sections on link Signed-off-by: Felix Fietkau <nbd@nbd.name> 
This allows binaries that links these libraries statically to be reduced
by using --gc-sections on link

Signed-off-by: Felix Fietkau <nbd@nbd.name>