[PATCH 21.02 4/5] wolfssl: fix TLSv1.3 RCE in uhttpd by using 5.5.1-stable (CVE-2022-39173)

2022-10-05 Thread Petr Štetiar
Fixes a denial of service attack and buffer overflow against TLS 1.3 servers using session ticket resumption. When built with --enable-session-ticket and making use of TLS 1.3 server code in wolfSSL, there is the possibility for a malicious client to craft a malformed second ClientHello packet that ca

[PATCH 21.02 1/5] wolfssl: bump to v5.3.0-stable

2022-10-05 Thread Petr Štetiar
From: Eneas U de Queiroz This is mostly a bug fix release, including two that were already patched here: - 300-fix-SSL_get_verify_result-regression.patch - 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch Signed-off-by: Eneas U de Queiroz (cherry picked from commit 73c1fe2890baa5c

[PATCH 21.02 0/5] backport fix for TLSv1.3 RCE in uhttpd by using 5.5.1-stable

2022-10-05 Thread Petr Štetiar
Hi, we need to upgrade wolfSSL to version 5.5.1 as it fixes several remotely exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest doing so by backporting the following commits from the 22.03 release. I've tested this change in x86/64 QEMU, using openwrt-21.02.3-x86-64-generic-squashfs

[PATCH 21.02 3/5] wolfssl: bump to 5.5.0

2022-10-05 Thread Petr Štetiar
From: Ivan Pavlov Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch Some low severity vulnerabilities fixed. OpenVPN compatibility fixed (broken in 5.4.0). Other fixes && improvements Signed-off-by: Ivan Pavlov (cherry picked from commit 3d88f26d74f7771b808082cef54

[PATCH 21.02 2/5] wolfssl: bump to 5.4.0

2022-10-05 Thread Petr Štetiar
From: Eneas U de Queiroz This version fixes two vulnerabilities: - CVE-2022-34293 [high]: Potential for DTLS DoS attack - [medium]: Ciphertext side channel attack on ECC and DH operations. The patch fixing x86 aesni build has been merged upstream. Signed-off-by: Eneas U de Queiroz (cherry picked

[PATCH 21.02 5/5] treewide: fix security issues by bumping all packages using libwolfssl

2022-10-05 Thread Petr Štetiar
As wolfSSL is having a hard time maintaining ABI compatibility between releases, we need to manually force a rebuild of packages depending on libwolfssl and thus force their upgrade. Otherwise, due to the ABI handling, we would end up with possibly two libwolfssl libraries in the system, including the pat

qoriq: Problem with u-boot compilation (dual arch issue)

2022-10-05 Thread Paweł Dembicki
Hi everybody, I am preparing support for the T4240RDB board. But I'm stuck with one problem: the Qoriq target is powerpc64, but T4240RDB in u-boot is supported as part of the mpc85xx family and requires a 32-bit compiler. I tried setting OpenWrt config: EXTRA_TARGET_ARCH to y and EXTRA_TARGET_ARCH_NAME to pow

[RFC] Refactoring OpenWrt's build infra

2022-10-05 Thread Thibaut
Hi, Following an earlier conversation on IRC with Petr, I’m willing to work on refactoring our buildbot setup as follows: - single master for each stage (images and packages) - latent workers attached to either master, thus able to build opportunistically from either master or release branches

Re: [PATCH] ipq40xx: luma_wrtq-329acn: convert to DSA

2022-10-05 Thread Robert Marko
On Mon, 3 Oct 2022 at 15:00, Tomasz Maciej Nowak wrote: > > From: Tomasz Maciej Nowak > > And enable the device. > > Signed-off-by: Tomasz Maciej Nowak LGTM, so: Reviewed-by: Robert Marko > --- > .../ipq40xx/base-files/etc/board.d/02_network | 1 + > .../arm/boot/dts/qcom-ipq4018-wrtq-329acn

Re: [PATCH] ipq40xx: pakedge_wr-1: convert to DSA

2022-10-05 Thread Robert Marko
On Mon, 3 Oct 2022 at 15:00, Tomasz Maciej Nowak wrote: > > From: Tomasz Maciej Nowak > > And enable the device. > > Signed-off-by: Tomasz Maciej Nowak LGTM, so: Reviewed-by: Robert Marko > --- > .../ipq40xx/base-files/etc/board.d/02_network | 1 + > .../arch/arm/boot/dts/qcom-ipq4018-wr-1.d

Re: [PATCH] ipq40xx: luma_wrtq-329acn: convert to DSA

2022-10-05 Thread Christian Marangi
On Mon, Oct 03, 2022 at 02:58:53PM +0200, Tomasz Maciej Nowak wrote: > From: Tomasz Maciej Nowak > > And enable the device. > > Signed-off-by: Tomasz Maciej Nowak Hi, merged with 70d9193b511f957054245195857cfbc5d5632c42 with minor changes to the commit description. Thanks! > --- > .../ipq40

Re: [PATCH] ipq40xx: pakedge_wr-1: convert to DSA

2022-10-05 Thread Christian Marangi
On Mon, Oct 03, 2022 at 02:59:15PM +0200, Tomasz Maciej Nowak wrote: > From: Tomasz Maciej Nowak > > And enable the device. > > Signed-off-by: Tomasz Maciej Nowak Hi, merged with ee38573093563a11569afd98495f7a7a85e9a02f with minor changes to the commit description. Thanks! > --- > .../ipq40

Re: [PATCH 21.02 0/5] backport fix for TLSv1.3 RCE in uhttpd by using 5.5.1-stable

2022-10-05 Thread Hauke Mehrtens
On 10/5/22 11:46, Petr Štetiar wrote: Hi, we need to upgrade wolfSSL to version 5.5.1 as it fixes several remotely exploitable vulnerabilities in TLS v1.3 protocol handling, so I suggest doing so by backporting the following commits from the 22.03 release. I've tested this change in x86/64 QEMU, using

OpenWrt 21.02.4 and OpenWrt 22.03.1 release planning

2022-10-05 Thread Hauke Mehrtens
Hi, I would like to do an OpenWrt 21.02.4 and OpenWrt 22.03.1 release on the next weekend or some days later. Are there still some commits missing which should get backported? I will wait for the wolfssl update from Petr. I do not see much on github: https://github.com/openwrt/openwrt/pulls?

Re: [RFC] Refactoring OpenWrt's build infra

2022-10-05 Thread Hauke Mehrtens
On 10/5/22 17:56, Thibaut wrote: Hi, Following an earlier conversation on IRC with Petr, I’m willing to work on refactoring our buildbot setup as follows: - single master for each stage (images and packages) - latent workers attached to either master, thus able to build opportunistically from