Since mbedtls 2.5.1, SHA1 has been disallowed in TLS certificates.
This breaks openvpn clients that try to connect to servers that
present a TLS certificate signed with SHA1, which is fairly common.
Run-tested with openvpn-mbedtls 2.4.3, LEDE 17.01.2, on ar71xx.
Fixes: FS#942
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
Fixes some security issues (no remote exploits), and introduces
some changes. See release notes for details:
https://tls.mbed.org/tech-updates/releases/mbedtls-2.5.1-2.1.8-and-1.3.20-released
* Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read()
* Adds exponent blinding to RSA private operations
* Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt())
* Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification.
* Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes.
* Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The current way of creating a STAMP_CONFIGURED filename for OpenSSL can
lead to an extremely long filename that makes touch unable to create it,
and fail the build.
Use mkhash to produce a hash against OPENSSL_OPTIONS which creates a
shortert stamp file,
Fixes#572
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This fixes the following security problems:
* CVE-2017-2784: Freeing of memory allocated on stack when validating a public key with a secp224k1 curve
* SLOTH vulnerability
* Denial of Service through Certificate Revocation List
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
When calling erase() on a containers derived from __base_associative
(e.g. multimap) and providing a pair of iterators a segfault will
occur.
Example code to reproduce:
typedef std::multimap<int, int> testmap;
testmap t;
t.insert(std::pair<int, int>(1, 1));
t.insert(std::pair<int, int>(2, 1));
t.insert(std::pair<int, int>(3, 1));
t.erase(t.begin(), t.end());
Signed-off-by: Ben Kelly <ben@benjii.net>
Adds the following changes:
de3f14b uloop: add uloop_cancelling function
3b6181b utils: fix build on Mac OS X 10.12
7f671b1 blobmsg: add support for double
0fe1374 utils: add helper functions useful for allocating a ring buffer
8fc1c30 libubox: replace strtok with _r version.
4a9f74f libubox: allow reading out the pid of uloop process in lua
372e1e6 uloop: remove useless epoll data assignment
f9db1cb libubox: allow reading out the remaining time of a uloop timer in Lua
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The libtool target package stages its files into the host staging directory
and moves the libltdl library parts from there into the target staging
directory afterwards.
By doing so, the package essentially renders the host libtool infrastructure
unusable, leading to the below error in subsequent package builds:
libtoolize: $pkgltdldir is not a directory: `.../hostpkg/share/libtool`
Prevent this problem by using a dedicated libltdl install prefix in order to
avoid overwriting and moving away preexisting files belonging to tools/libtool.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Update to 1.2.11 as suggested by upstream
Also add SF as primary source and main site as fallback
Note: SF doesn't carry the 1.2.11 update yet.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Host files installed in Build/InstallDev are target-specific and will stay
in $(STAGING_DIR)/host after the STAGING_DIR_HOSTPKG unification.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
The gettext-full host build might pick up iconv-stub host build headers
during the build, leading to stray linker errors with unresolved references
to libiconv_open(), libiconv() and libiconv_close().
Since we're not needing iconv support on the host, pass the appropriate
cache variables to configure to prevent detection and linking of iconv.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Cleanup to prepare for changing STAGING_DIR_HOSTPKG. The actual change of
STAGING_DIR_HOSTPKG (i.e., moving the host packages back into a common, not
target-specific directory) will be done after the first LEDE release, but
the cleanup will also be useful for projects like Gluon.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* Fix bug in deflate_stored() for zero-length input
* Fix bug in gzwrite.c that produced corrupt gzip files
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Other changes:
- Project moved to sourceware.org
- musl patch where cleaned up and submitted upstream
- TEMP_FAILURE_RETRY macro fixed and submitted upstream
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
[Jo-Philipp Wich: add missing .patch extension to 007-fix_TEMP_FAILURE_RETRY]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Brings in the following changes:
52d955fd802a remove obsolete mac os x /opt/local include/library search path
a4e49b4163b2 Fix unused results warnings
48cfff3fbec9 uclient-http: send correct "Host:" header if port is set
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Currently both libustream-polarssl and libustream-mbedtls
variants define themselves as the DEFAULT_VARIANT
Remove extra DEFAULT_VARIANT from libustream-polarssl.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Later OpenVPN 2.3-openssl versions only enable
TLS cipher suites with perfect forward secrecy, i.e. DHE and ECDHE
cipher suites. ECDHE key exchange is not supported by
OpenVPN 2.3-openssl, enable DHE key exchange to allow LEDE
OpenVPN 2.4-mbedtls clients to connect to such servers.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Reported-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Reported-by: Lucian Cristian <luci@createc.ro>
Secp384r1 is the default curve for OpenVPN 2.4+. Enable this to
make OpenVPN-mbedtls clients able to perform ECDHE key exchange
with remote OpenVPN 2.4-openssl servers that use the default
OpenVPN curve.
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
Add patches provided upstream [1] by Fabio Berton to fix error:
> ./gencode.c: In function 'pcap_compile':
> ./gencode.c:693:8: error: 'compiler_state_t {aka struct _compiler_state}' has no member named 'ai'
> cstate.ai = NULL;
> ^
> ./gencode.c: In function 'gen_gateway':
> ./gencode.c:4914:13: error: 'cstate' undeclared (first use in this function)
> bpf_error(cstate, "direction applied to 'gateway'");
> ^
[1] https://github.com/the-tcpdump-group/libpcap/pull/541
Signed-off-by: Fabio Berton <fabio.berton@ossystems.com.br>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Sometimes I'm getting error on the host-side build:
```
/usr/lib64/gcc/x86_64-suse-linux/4.8/../../../../x86_64-suse-linux/bin/ld: /home/sandu/work/lede/staging_dir/host/lib/liblzma.a(liblzma_la-common.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/home/sandu/work/lede/staging_dir/host/lib/liblzma.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status
Makefile:2847: recipe for target 'libgettextlib.la' failed
make[9]: *** [libgettextlib.la] Error 1
make[9]: Leaving directory '/home/sandu/work/lede/build_dir/target-x86_64_musl-1.1.15/host/gettext-0.19.8.1/gettext-tools/gnulib-lib'
Makefile:2597: recipe for target 'all' failed
```
Disabling the shared-lib build, seems to fix this.
This is when building glib2 on the host-side.
glib2 is required by newer QEMU package [which is in the feeds].
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
This partially reverts commit 15734b023b.
--enable-stunnel was actually important and properly described in
commit 9b118cde89. Removing it broke ustream-cyassl
Signed-off-by: Felix Fietkau <nbd@nbd.name>
If _GNU_SOURCE was added as part of a package's TARGET_CFLAGS,
then compilation would fail for that module (especially if
warnings get treated as errors).
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
More and more platforms are multicore SoCs, don't enforce singlethreading.
Drop stunnel option as stunnel code isn't available for download from upstream website.
Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Update libpcap to upstream release 1.8.1
Change the name from libpcap.so.1.3 to libpcap.so.1
Remove parts of patch 201 which moved code among src files.
Import patch 204 from Debian to update the USB path.
Signed-off-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [fix parallel build bug]
