From: Eneas U de Queiroz Date: Wed, 6 Nov 2019 21:22:52 +0000 (-0300) Subject: wolfssl: update to v4.2.0-stable X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=f4853f7cca816214cd6e64cffe2b73d0b8c16def;p=openwrt%2Fstaging%2Fstintel.git wolfssl: update to v4.2.0-stable Many bugs were fixed--2 patches removed here. This release of wolfSSL includes fixes for 5 security vulnerabilities, including two CVEs with high/critical base scores: - potential invalid read with TLS 1.3 PSK, including session tickets - potential hang with ocspstaping2 (always enabled in openwrt) - CVE-2019-15651: 1-byte overread when decoding certificate extensions - CVE-2019-16748: 1-byte overread when checking certificate signatures - DSA attack to recover DSA private keys Signed-off-by: Eneas U de Queiroz --- diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 778754ffdc..3d2a56a97f 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.1.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.2.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8 +PKG_HASH:=3562af485c26cd7abe94d9404fbfc0c5c9bceb4aab29b81ebf5e6c2467507e12 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -44,7 +44,7 @@ define Package/libwolfssl MENU:=1 PROVIDES:=libcyassl DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user - ABI_VERSION:=19 + ABI_VERSION:=23 endef define Package/libwolfssl/description diff --git a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch b/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch deleted file mode 100644 index a9b8aee918..0000000000 --- a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch +++ /dev/null @@ -1,74 +0,0 @@ -From e8e1d35744c68b165e172a687e870a549438bdf0 Mon Sep 17 00:00:00 2001 -From: Jacob Barthelmeh -Date: Tue, 13 Aug 2019 14:12:45 -0600 -Subject: [PATCH] build with devcrypto and aesccm - - -diff --git a/configure.ac b/configure.ac -index f943cc6ef..cf03e7f52 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1096,6 +1096,10 @@ then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES" -+ if test "$ENABLED_AESCCM" = "yes" -+ then -+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT" -+ fi - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW" - ENABLED_DEVCRYPTO=yes -@@ -1106,6 +1110,10 @@ then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC" -+ if test "$ENABLED_AESCCM" = "yes" -+ then -+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT" -+ fi - ENABLED_DEVCRYPTO=yes - fi - if test "$ENABLED_DEVCRYPTO" = "cbc" -diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c -index beeae72a6..b583d03e9 100644 ---- a/wolfcrypt/src/aes.c -+++ b/wolfcrypt/src/aes.c -@@ -760,6 +760,14 @@ - #elif defined(WOLFSSL_DEVCRYPTO_AES) - /* if all AES is enabled with devcrypto then tables are not needed */ - -+ #if defined(HAVE_AESCCM) -+ static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) -+ { -+ wc_AesEncryptDirect(aes, outBlock, inBlock); -+ return 0; -+ } -+ #endif -+ - #else - - /* using wolfCrypt software implementation */ -@@ -1314,7 +1322,8 @@ static const word32 Td[4][256] = { - }; - - --#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT) -+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \ -+ || defined(WOLFSSL_AES_DIRECT) - static const byte Td4[256] = - { - 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U, -diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c -index 5c63421e2..d5061f364 100644 ---- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c -+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c -@@ -168,7 +168,7 @@ static int wc_DevCrypto_AesDirect(Aes* aes, byte* out, const byte* in, - #endif - - --#if defined(WOLFSSL_AES_DIRECT) -+#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM) - void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in) - { - wc_DevCrypto_AesDirect(aes, out, in, AES_BLOCK_SIZE, COP_ENCRYPT); diff --git a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch b/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch deleted file mode 100644 index bb4c6fd04b..0000000000 --- a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 9fd38dc340c38dee6e5935da174f90270a63bfbf Mon Sep 17 00:00:00 2001 -From: Jacob Barthelmeh -Date: Fri, 30 Aug 2019 16:15:48 -0600 -Subject: [PATCH] build fix for aesccm + devcrypto=cbc + wpas and afalg - - -diff --git a/configure.ac b/configure.ac -index 61fad39dd..30731eb52 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -1045,6 +1045,10 @@ AC_ARG_ENABLE([afalg], - - if test "$ENABLED_AFALG" = "yes" - then -+ if test "$ENABLED_AESCCM" = "yes" -+ then -+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT" -+ fi - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_HASH" - fi -diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c -index fef2f9c74..d294f6236 100644 ---- a/wolfcrypt/src/aes.c -+++ b/wolfcrypt/src/aes.c -@@ -759,7 +759,9 @@ - } - #endif /* HAVE_AES_DECRYPT */ - --#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES) -+#elif (defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)) || \ -+ ((defined(WOLFSSL_AFALG) || defined(WOLFSSL_DEVCRYPTO_AES)) && \ -+ defined(HAVE_AESCCM)) - static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) - { - wc_AesEncryptDirect(aes, outBlock, inBlock); -@@ -768,16 +770,6 @@ - - #elif defined(WOLFSSL_AFALG) - #elif defined(WOLFSSL_DEVCRYPTO_AES) -- /* if all AES is enabled with devcrypto then tables are not needed */ -- -- #if defined(HAVE_AESCCM) -- static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) -- { -- wc_AesEncryptDirect(aes, outBlock, inBlock); -- return 0; -- } -- #endif -- - #else - - /* using wolfCrypt software implementation */ -@@ -1593,8 +1585,8 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) - #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT || HAVE_AESGCM */ - - #if defined(HAVE_AES_DECRYPT) --#if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \ -- !defined(WOLFSSL_DEVCRYPTO_CBC) -+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) || \ -+ defined(WOLFSSL_AES_DIRECT) - - /* load 4 Td Tables into cache by cache line stride */ - static WC_INLINE word32 PreFetchTd(void)