wolfssl: bump to 5.1.1-stable
authorPetr Štetiar <ynezz@true.cz>
Thu, 17 Feb 2022 14:51:26 +0000 (15:51 +0100)
committerPetr Štetiar <ynezz@true.cz>
Mon, 21 Feb 2022 06:37:57 +0000 (07:37 +0100)
This is amalgamation of backported changes since 4.7.0-stable release:

 Sergey V. Lobanov (2):

  5b13b0b02c70 wolfssl: update to 5.1.1-stable
  7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support

 Andre Heider (3):

  3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
  249478ec4850 wolfssl: always build with --enable-reproducible-build
  4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

 Ivan Pavlov (1):

  16414718f9ae wolfssl: update to 4.8.1-stable

 David Bauer (1):

  f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng

 Christian Lamparter (1):

  86801bd3d806 wolfssl: fix Ed25519 typo in config prompt

The diff of security related changes we would need to backport would be
so huge, that there would be a high probability of introducing new
vulnerabilities, so it was decided, that bumping to latest stable
release is the prefered way for fixing following security issues:

 * OCSP request/response verification issue. (fixed in 4.8.0)
 * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
 * Issue with incorrectly validating a certificate (fixed in 5.0.0)
 * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
 * Client side session resumption issue (fixed in 5.1.0)
 * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
 * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)

Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
package/libs/wolfssl/Config.in
package/libs/wolfssl/Makefile
package/libs/wolfssl/patches/100-disable-hardening-check.patch
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch [new file with mode: 0644]
package/libs/wolfssl/patches/200-ecc-rng.patch [new file with mode: 0644]

index 4ac69f821a3dc9e173aa72ecd91dfb2ca80f60da..99ceb6c4630edd426a6b6e4c01040cfb0f0abe3e 100644 (file)
@@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS
        default y
 
 config WOLFSSL_HAS_ECC25519
-       bool "Include ECC Curve 22519 support"
+       bool "Include ECC Curve 25519 support"
        default n
 
+config WOLFSSL_ALT_NAMES
+       bool "Include SAN (Subject Alternative Name) support"
+       default y
+
 config WOLFSSL_HAS_DEVCRYPTO
        bool
 
index 57fcaa03b2e21d0160c2d0bdac54728d885e8a3b..de6b707b952d61aeb282e36f09c2ece8df7c9657 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=5.1.1-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
@@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\
        CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
        CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
        CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
-       CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
+       CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES
 
 include $(INCLUDE_DIR)/package.mk
 
@@ -44,7 +44,7 @@ define Package/libwolfssl
   MENU:=1
   PROVIDES:=libcyassl
   DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
-  ABI_VERSION:=24
+  ABI_VERSION:=30
 endef
 
 define Package/libwolfssl/description
@@ -56,13 +56,24 @@ define Package/libwolfssl/config
        source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+       $(FPIC) \
+       -fomit-frame-pointer \
+       -flto \
+       -DFP_MAX_BITS=8192 \
+       $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
+
+TARGET_LDFLAGS += -flto
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
+       --enable-reproducible-build \
+       --enable-opensslall \
        --enable-opensslextra \
        --enable-sni \
        --enable-stunnel \
+       --enable-altcertchains \
+       --disable-crypttests \
        --disable-examples \
        --disable-jobserver \
        --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
@@ -88,7 +99,7 @@ endif
 
 ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
 CONFIGURE_ARGS += \
-       --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+       --enable-wpas --enable-fortress --enable-fastmath
 endif
 
 define Build/InstallDev
index c89ff1be9df9e3e1dec8b507d4668aed1bab6970..79d0d6f759fbf509d6a65899c31a6e89f9fd94a1 100644 (file)
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2346,7 +2346,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
new file mode 100644 (file)
index 0000000..206c6da
--- /dev/null
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index 144c857e4..de7f6b45a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -32,7 +32,7 @@ AC_ARG_PROGRAM
+ AC_CONFIG_HEADERS([config.h:config.in])
+-LT_PREREQ([2.4.2])
++LT_PREREQ([2.4])
+ LT_INIT([disable-static win32-dll])
+ #shared library versioning
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
new file mode 100644 (file)
index 0000000..78ff4b1
--- /dev/null
@@ -0,0 +1,50 @@
+Since commit 6467de5a8840 ("Randomize z ordinates in scalar
+mult when timing resistant") wolfssl requires a RNG for an EC
+key when the hardened built option is selected.
+
+wc_ecc_set_rng is only available when built hardened, so there
+is no safe way to install the RNG to the key regardless whether
+or not wolfssl is compiled hardened.
+
+Always export wc_ecc_set_rng so tools such as hostapd can install
+RNG regardless of the built settings for wolfssl.
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -11647,21 +11647,21 @@ void wc_ecc_fp_free(void)
+ #endif /* FP_ECC */
+-#ifdef ECC_TIMING_RESISTANT
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
+ {
+     int err = 0;
++#ifdef ECC_TIMING_RESISTANT
+     if (key == NULL) {
+         err = BAD_FUNC_ARG;
+     }
+     else {
+         key->rng = rng;
+     }
++#endif
+     return err;
+ }
+-#endif
+ #ifdef HAVE_ECC_ENCRYPT
+--- a/wolfssl/wolfcrypt/ecc.h
++++ b/wolfssl/wolfcrypt/ecc.h
+@@ -647,10 +647,8 @@ WOLFSSL_API
+ void wc_ecc_fp_free(void);
+ WOLFSSL_LOCAL
+ void wc_ecc_fp_init(void);
+-#ifdef ECC_TIMING_RESISTANT
+ WOLFSSL_API
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+-#endif
+ WOLFSSL_API
+ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);