Fix bug in certificate validation that caused valid chains to be
rejected when the first intermediate certificate has
pathLenConstraint=0.
Removed potential leak in rsa_rsassa_pkcs1_v15_sign().
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
http://autobuild.buildroot.net/results/c34/c343c68d3e0dae4a7ecd59693298a9622bc56662/
Is not yet supported and the compilation will fail like this:
[ 4%] Building C object library/CMakeFiles/polarssl.dir/bignum.c.o
/tmp/ccLDxl9G.s: Assembler messages:
/tmp/ccLDxl9G.s:92: Error: opcode not supported on this processor:
mips32r6 (mips32r6) `multu $13,$14'
/tmp/ccLDxl9G.s:93: Error: opcode not supported on this processor:
mips32r6 (mips32r6) `addi $10,$10,4'
/tmp/ccLDxl9G.s:94: Error: opcode not supported on this processor:
mips32r6 (mips32r6) `mflo $14'
/tmp/ccLDxl9G.s:95: Error: opcode not supported on this processor:
mips32r6 (mips32r6) `mfhi $9'
[...]
Signed-off-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes a potential heap corruption on Windows when
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. This
cannot be triggered remotely. Found by Guido Vranken, Intelworks.
Fixes a potential buffer overflow in some asn1_write_xxx() functions.
This cannot be triggered remotely unless you create X.509 certificates
based on untrusted input or write keys of untrusted origin. Found by
Guido Vranken, Intelworks.
The X509 max_pathlen constraint was not enforced on intermediate
certificates. Found by Nicholas Wilson, and fix and tests provided by
Janos Follath.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2015-5291 - Remote attack on clients using session tickets or SNI
Also includes countermeasures against Lenstra's RSA-CRT attack for
PKCS#1 v1.5 signatures (1.2.16) and the Logjam attack (1.2.15).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Reviewed-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Tested-by: Vicente Olivert Riera <Vincent.Riera@imgtec.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes one remotely-triggerable issue that was found by the Codenomicon
Defensics tool, one potential remote crash and countermeasures against
the "Lucky 13 strikes back" cache-based attack.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Old wget versions aren't very happy with https moves/alt names hence
complain when trying to download from said sites.
Since polarssl is now mbed tls and everything got renamed, switch to the
new URL to avoid this.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Includes the previous CVE-2015-1182 fix (patch dropped) and other fixes
(security and non) from the 1.3 branch (no CVEs yet), see release notes:
https://polarssl.org/tech-updates/releases/polarssl-1.2.13-released
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Disable assembly optimizations for:
- Microblaze in general (previously a patch).
- ARM with debugging in Thumb1/2 mode. This one fixes:
  http://autobuild.buildroot.net/results/31e/31e8c4e29d51039cd5d213c2fe176a9cc39879da/
Do so in a nicer way with a one-liner sed and drop the patch.
And rename patches around, numbering was off.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes several memory leaks.
No assigned CVE or Polar-SA yet.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Test build is already disabled by the cmake-package infrastructure.
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
To be consistent with the recent change of FOO_MAKE_OPT into FOO_MAKE_OPTS,
make the same change for FOO_CONF_OPT.
Sed command used:
find * -type f | xargs sed -i 's#_CONF_OPT\>#&S#g'
Signed-off-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- disable shared object build when BR2_PREFER_STATIC_LIB is set
- patch the CMake code for handling static/shared object build using
  standard CMake flags, instead of the custom ones.
Fixes:
http://autobuild.buildroot.net/results/754/754947d2a77a4dbe91057d8ce64fc4996e716ece/
Signed-off-by: Samuel Martin <s.martin49@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2014-4911 and a few other issues that don't have a CVE assigned
(backports from 1.3.x branch).
The no programs & shared/static patches are now upstream albeit in a
slightly different form.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
* Correctly handle empty SSL/TLS packets (Found by James Yonan)
* Fixed potential heap corruption in x509_name allocation
* Fixed single RSA test that failed on Big Endian systems
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>