During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
Backport of r46285
git-svn-id: svn://svn.openwrt.org/openwrt/branches/chaos_calmer@46286 3c298f89-4303-0410-b956-a3cf2f4a3e73
Tested myself on ixp4xx and mvebu, and (originally)
by Daniel on i.MX6. Also tested on a MIPS target,
to make sure the change to ASFLAGS does not break things.
Based on a patch submitted by Daniel Drown:
https://lists.openwrt.org/pipermail/openwrt-devel/2014-July/026639.html
Signed-off-by: Claudio Leite <leitec@staticky.com>
Signed-off-by: Daniel Drown <dan-openwrt@drown.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@44618 3c298f89-4303-0410-b956-a3cf2f4a3e73
turns out that r43155 adds duplicate info.
Signed-off-by: John Crispin <blogic@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43167 3c298f89-4303-0410-b956-a3cf2f4a3e73
Note, that licensing stuff is a nightmare: many packages does not clearly
state their licenses, and often multiple source files are simply copied
together - each with different licensing information in the file headers.
I tried hard to ensure, that the license information extracted into the OpenWRT's
makefiles fit the "spirit" of the packages, e.g. such small packages which
come without a dedicated source archive "inherites" the OpenWRT's own license
in my opinion.
However, I can not garantee that I always picked the correct information
and/or did not miss license information.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43155 3c298f89-4303-0410-b956-a3cf2f4a3e73
Based on a patchset by Etienne CHAMPETIER <champetier.etienne@gmail.com>
Signed-off-by: Steven Barth <steven@midlink.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@43123 3c298f89-4303-0410-b956-a3cf2f4a3e73
Only support Linux at the moment.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42988 3c298f89-4303-0410-b956-a3cf2f4a3e73
Also refresh patches and bump copyright year in Makefile.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@42929 3c298f89-4303-0410-b956-a3cf2f4a3e73
today appeared another serious vulnerability in openssl. More info is
here http://ccsinjection.lepidum.co.jp. Users are advised to update to
openssl 1.0.1h.
Signed-off-by: Martin Strbacka <martin.strbacka@nic.cz>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@41026 3c298f89-4303-0410-b956-a3cf2f4a3e73
On some build hosts openssl fails to install since openssl installs itself into
lib64 while the openwrt Makefile expects the libs to end up in lib.
install -m0644 .../openwrt/build_dir/target-x86_64_uClibc-0.9.33.2/openssl-1.0.1e/ipkg-install/usr/lib/libcrypto.so.* .../openwrt/build_dir/target-x86_64_uClibc-0.9.33.2/openssl-1.0.1e/ipkg-x86_64/libopenssl/usr/lib/
install: cannot stat '.../openwrt/build_dir/target-x86_64_uClibc-0.9.33.2/openssl-1.0.1e/ipkg-install/usr/lib/libcrypto.so.*': No such file or directory
make[2]: *** [/openwrt/bin/x86_64/packages/libopenssl_1.0.1e-2_x86_64.ipk] Error 1
make[2]: Leaving directory `/openwrt/package/libs/openssl'
make[1]: *** [package/libs/openssl/compile] Error 2
make[1]: Leaving directory `/openwrt'
Set LIBDIR accordingly to fix this.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39885 3c298f89-4303-0410-b956-a3cf2f4a3e73
This version includes this changes:
Don't include gmt_unix_time in TLS server and client random values
Fix for TLS record tampering bug CVE-2013-4353
Fix for TLS version checking bug CVE-2013-6449
Fix for DTLS retransmission bug CVE-2013-6450
Signed-off-by: Peter Wagner <tripolar@gmx.at>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39853 3c298f89-4303-0410-b956-a3cf2f4a3e73
Allow multi-threaded applications to work properly by
removing the "no-threads" flag that is enabled by default.
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@39048 3c298f89-4303-0410-b956-a3cf2f4a3e73
RIPEMD is needed to update erlang and i'd like to enable RIPEMD160 support in openssh.
Size compared:
openssl without RIPEMD/160 support:
647K 29. Okt 20:00 bin/ar71xx/packages/libopenssl_1.0.1e-2_ar71xx.ipk
openssl with RIPEMD/160 support:
652K 8. Nov 15:11 bin/ar71xx/packages/libopenssl_1.0.1e-2_ar71xx.ipk
So the file size just grows ~5kb, which shouldn't be a problem.
Signed-off-by: Peter Wagner <tripolar@gmx.at>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@38809 3c298f89-4303-0410-b956-a3cf2f4a3e73
This patch adds EC compilation options to openssl
OPENSSL_WITH_EC is needed for authsae (OPENSSL_WITH_EC2M isn't)
Activating ec (but not ec2m) in openssl take 35Ko more on ar71xx (ipk size)
Activating both take 52Ko.
Signed-off-by: Etienne CHAMPETIER <etienne.champetier@free.fr>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@37523 3c298f89-4303-0410-b956-a3cf2f4a3e73
make the syntax more compatible with kernel menuconfig
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36351 3c298f89-4303-0410-b956-a3cf2f4a3e73
Packages not picking up the regular TARGET_AS need their openwrt
Makefiles tweaked. For a basic build, that's just openssl.
This depends on patch 1/5.
Signed-off-by: Jay Carlson <nop@nop.com>
Signed-off-by: Florian Fainelli <florian@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@36201 3c298f89-4303-0410-b956-a3cf2f4a3e73
The etrax target has been removed in r34768.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@35684 3c298f89-4303-0410-b956-a3cf2f4a3e73
1.0.1d had a rushed fix for CVE-2013-0169 which broke in certain
circumstances. 1.0.1e has the fix for TLS.
Also include a further patch from the 1.0.1 branch which fixes the
breakage this introduced for Cisco's outdated pre-standard version of
DTLS, as used by OpenConnect.
Update mirror URLs to reflect current reality.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Florian Fainelli <florian@openwrt.org>
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@35600 3c298f89-4303-0410-b956-a3cf2f4a3e73
Two new variables are introduces to many packages, namely PKG_LICENSE and
PKG_LICENSE_FILES - there may be more than one license applied to packages,
and these are listed in the PKG_LICENSE variable and separated by spaces.
All relevant license files are also added to the PKG_LICENSE_FILES variable,
also space separated.
The licensing metadata is put into the bin/<platform>/packages/Packages file
for later parsing. A script for that is on it's way!
git-svn-id: svn://svn.openwrt.org/openwrt/trunk@33861 3c298f89-4303-0410-b956-a3cf2f4a3e73
