From 0e8d67023bb7d21f9c4b3db86e9d983b15530ae0 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz
Date: Sun, 21 Feb 2021 18:33:30 -0300
Subject: [PATCH] wolfssl: bump to v4.7.0-stable

Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well.

Three patches are no longer needed, and were removed; the one remaining was refreshed.

This tool shows no ABI changes:
https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0

Signed-off-by: Eneas U de Queiroz
(cherry picked from commit d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)
---
 package/libs/wolfssl/Makefile | 6 +--
 .../wolfssl/patches/010-CVE-2021-3336.patch | 53 -------------------
 .../patches/100-disable-hardening-check.patch | 2 +-
 ...Fix-linking-against-hostapd-with-LTO.patch | 25 ---------
 .../patches/120-enable-secret-callback.patch | 10 ----
 5 files changed, 4 insertions(+), 92 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch
 delete mode 100644 package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
 delete mode 100644 package/libs/wolfssl/patches/120-enable-secret-callback.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 846351f06d..53cd932d1f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.7.0-stable
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
+PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
deleted file mode 100644
index abb9bfdd9b..0000000000
--- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
-From: Sean Parkinson
-Date: Thu, 21 Jan 2021 08:24:38 +1000
-Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
----
- src/tls13.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
- --- a/src/tls13.c
-+++ b/src/tls13.c
-@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
- #ifdef HAVE_ED25519
- if (args->sigAlgo == ed25519_sa_algo &&
- !ssl->peerEd25519KeyPresent) {
-- WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
-+ WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ED448
- if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
-- WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
-+ WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ECC
- if (args->sigAlgo == ecc_dsa_sa_algo &&
- !ssl->peerEccDsaKeyPresent) {
-- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
-+ WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
-- WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
-+ WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
- ERROR_OUT(INVALID_PARAMETER, exit_dcv);
- }
- if (args->sigAlgo == rsa_pss_sa_algo &&
- (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
-- WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
-+ WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- 
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c2793285e7..c89ff1be9d 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch b/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
deleted file mode 100644
index c24a15116f..0000000000
--- a/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 391ecbd647c121300dc7dcf209e412ccb7b8d432 Mon Sep 17 00:00:00 2001
-From: Hauke Mehrtens
-Date: Fri, 1 Jan 2021 21:57:56 +0100
-Subject: [PATCH] Fix linking against hostapd with LTO
-
-When running LTO on wolfssl the ecc_map() function is removed from the
-binary by GCC 8.4.0. This function is used by multiple functions from
-the crypto_wolfssl.c implementation of hostapd master.
-
-Fixes: 780e8a4619b6 ("Fixes for building `--enable-wpas=small` with WPA Supplicant v2.7.")
-Signed-off-by: Hauke Mehrtens
----
- configure.ac | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -947,6 +947,7 @@ then
- AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
- 
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
-+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD"
- AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
diff --git a/package/libs/wolfssl/patches/120-enable-secret-callback.patch b/package/libs/wolfssl/patches/120-enable-secret-callback.patch
deleted file mode 100644
index 9c9b361d01..0000000000
--- a/package/libs/wolfssl/patches/120-enable-secret-callback.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -943,6 +943,7 @@ then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
- AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
- AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
-+ AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE"
- AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
-- 
2.30.2