From: Eneas U de Queiroz
Date: Mon, 5 Aug 2019 14:47:58 +0000 (-0300)
Subject: wolfssl: bump to 4.1.0-stable
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=77e0e99d3104debc7ce31d6c15ff1e10e19ceb7c;p=openwrt%2Fstaging%2Fjow.git
wolfssl: bump to 4.1.0-stable
Always build AES-GCM support. Unnecessary patches were removed. This includes two vulnerability fixes: CVE-2019-11873: a potential buffer overflow case with the TLSv1.3 PSK extension parsing. CVE-2019-13628 (currently assigned-only): potential leak of nonce sizes when performing ECDSA signing operations. The leak is considered to be difficult to exploit but it could potentially be used maliciously to perform a lattice based timing attack.
Signed-off-by: Eneas U de Queiroz
---
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 875ff5e6a3..a729f73a1d 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -4,10 +4,6 @@ config WOLFSSL_HAS_AES_CCM
 bool "Include AES-CCM support"
 default y
-config WOLFSSL_HAS_AES_GCM
- bool "Include AES-GCM support"
- default y
-
 config WOLFSSL_HAS_CHACHA_POLY
 bool "Include ChaCha20-Poly1305 cipher suite support"
 default y
@@ -24,13 +20,8 @@ config WOLFSSL_HAS_TLSV10
 bool "Include TLS 1.0 support"
 default y
-if !(WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY)
- comment "! TLS 1.3 support needs one of: AES-CCM, AES-GCM, ChaCha20-Poly1305"
-endif
-
 config WOLFSSL_HAS_TLSV13
 bool "Include TLS 1.3 support"
- depends on WOLFSSL_HAS_AES_CCM||WOLFSSL_HAS_AES_GCM||WOLFSSL_HAS_CHACHA_POLY
 default y
 config WOLFSSL_HAS_SESSION_TICKET
@@ -56,6 +47,9 @@ config WOLFSSL_HAS_ECC25519
 bool "Include ECC Curve 22519 support"
 default n
+config WOLFSSL_HAS_DEVCRYPTO
+ bool
+
 if WOLFSSL_HAS_AES_CCM
 comment "! Hardware Acceleration does not build with AES-CCM enabled"
 endif
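Review bot: The new `config WOLFSSL_HAS_DEVCRYPTO` at the end of the third hunk is a promptless bool with no comment saying what it stands for, and nothing in these Config.in hunks reads it; the only writers are the two `select WOLFSSL_HAS_DEVCRYPTO` lines in the following hunk. A one-line comment above it, `# Hidden: set when either /dev/crypto option below is chosen`, would tell the next reader why the symbol exists. Deleting `WOLFSSL_HAS_AES_GCM` in the first hunk also turns any `depends on` or `select` of that symbol elsewhere in the tree into a silently false condition, which is worth a grep before merging, since this diff only shows this package's Config.in.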
@@ -72,9 +66,11 @@ if !WOLFSSL_HAS_AES_CCM
 config WOLFSSL_HAS_DEVCRYPTO_AES
 bool "/dev/crypto - AES-only"
+ select WOLFSSL_HAS_DEVCRYPTO
 config WOLFSSL_HAS_DEVCRYPTO_FULL
 bool "/dev/crypto - full"
+ select WOLFSSL_HAS_DEVCRYPTO
 endchoice
 endif
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 678eb4936b..2ad03a5aca 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.0.0-stable
+PKG_VERSION:=4.1.0-stable
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=6cf678c72b485d1904047c40c20f85104c96b5f39778822783a2c407ccb23657
+PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
@@ -25,14 +25,13 @@ PKG_MAINTAINER:=Eneas U de Queiroz
 PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
 PKG_CONFIG_DEPENDS:=\
- CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AES_GCM \
- CONFIG_WOLFSSL_HAS_AFALG CONFIG_WOLFSSL_HAS_ARC4 \
- CONFIG_WOLFSSL_HAS_CHACHA_POLY CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES \
- CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL, CONFIG_WOLFSSL_HAS_DH \
- CONFIG_WOLFSSL_HAS_DTLS CONFIG_WOLFSSL_HAS_ECC25519 \
- CONFIG_WOLFSSL_HAS_OCSP CONFIG_WOLFSSL_HAS_SESSION_TICKET \
- CONFIG_WOLFSSL_HAS_TLSV10 CONFIG_WOLFSSL_HAS_TLSV13 \
- CONFIG_WOLFSSL_HAS_WPAS
+ CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \
+ CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA_POLY \
+ CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL \
+ CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
+ CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
+ CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
+ CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
 include $(INCLUDE_DIR)/package.mk
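Review bot: The new `PKG_HASH:=f0d630c3…` line in the first Makefile hunk pins an archive fetched from the `PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)` line above it, and GitHub generates those `/archive/` tarballs on request rather than serving a stored file, so their bytes are not guaranteed to stay stable over time; a later mismatch would then be indistinguishable from tampering at fetch time. If upstream attaches a release tarball with its own checksum to the tag, pinning that asset (and cross-checking the new hash against upstream's published value in the commit message) is the more durable choice. Otherwise a short comment next to PKG_SOURCE_URL noting that the source is a generated archive would save the next bumper a confused verification failure.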
@@ -65,11 +64,9 @@ CONFIGURE_ARGS += \
 --enable-sni \
 --enable-stunnel \
 --disable-examples \
- --disable-leanpsk \
- --disable-leantls \
+ --disable-jobserver \
 --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
 --$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \
- --$(if $(CONFIG_WOLFSSL_HAS_AES_GCM),enable,disable)-aesgcm \
 --$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-chacha \
 --$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-poly1305 \
 --$(if $(CONFIG_WOLFSSL_HAS_DH),enable,disable)-dh \
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 6cecb6b7d6..5d83eca770 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -1880,7 +1880,7 @@ extern void uITRON4_free(void *p) ;
+@@ -1930,7 +1930,7 @@ extern void uITRON4_free(void *p) ;
 #endif
 /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/400-additional_compatibility.patch b/package/libs/wolfssl/patches/400-additional_compatibility.patch
deleted file mode 100644
index 1464e9d2a8..0000000000
--- a/package/libs/wolfssl/patches/400-additional_compatibility.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- a/cyassl/openssl/ssl.h
-+++ b/cyassl/openssl/ssl.h
-@@ -28,6 +28,9 @@
- #define CYASSL_OPENSSL_H_
- 
- #include
-+#ifndef HAVE_SNI
-+#undef CYASSL_SNI_HOST_NAME
-+#endif
- #include
- 
- #endif
diff --git a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch b/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
deleted file mode 100644
index 34d3e62361..0000000000
--- a/package/libs/wolfssl/patches/900-remove-broken-autoconf-macros.patch
+++ /dev/null
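Review bot: Removing the `--$(if $(CONFIG_WOLFSSL_HAS_AES_GCM),enable,disable)-aesgcm \` line leaves AES-GCM to whatever upstream's configure defaults to, while the commit message says it is now always built; adding an explicit `--enable-aesgcm \` beside `--enable-sni \` would state that guarantee in the recipe and survive an upstream default change. That matters here because the Config.in change drops the TLS 1.3 `depends on` AEAD constraint on the strength of GCM being unconditional, so an explicit flag is the safer way to hold that invariant. The description also does not say why `--disable-leanpsk \` and `--disable-leantls \` go away; if upstream dropped those switches, one sentence saying so would spare the next bumper the question. The CONFIGURE_ARGS assignment begins before and continues after this hunk.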
@@ -1,21 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -4740,7 +4740,6 @@ AC_CONFIG_FILES([stamp-h], [echo timesta
- AC_CONFIG_FILES([Makefile wolfssl/version.h wolfssl/options.h cyassl/options.h support/wolfssl.pc rpm/spec])
- 
- AX_CREATE_GENERIC_CONFIG
---AX_AM_JOBSERVER([yes])
- 
- AC_OUTPUT
-
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -20,8 +20,6 @@ dist_noinst_SCRIPTS =
- noinst_SCRIPTS =
- check_SCRIPTS =
- 
---#includes additional rules from aminclude.am
---@INC_AMINCLUDE@
- DISTCLEANFILES+= aminclude.am
- 
- CLEANFILES+= cert.der \