From 31bb27f35b952097ed949f59f3a6fe0dfd2d58c5 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Petr=20=C5=A0tetiar?= Date: Thu, 17 Feb 2022 15:51:26 +0100 Subject: [PATCH] wolfssl: bump to 5.1.1-stable MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This is amalgamation of backported changes since 4.7.0-stable release: Sergey V. Lobanov (2): 5b13b0b02c70 wolfssl: update to 5.1.1-stable 7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support Andre Heider (3): 3f8adcb215ed wolfssl: remove --enable-sha512 configure switch 249478ec4850 wolfssl: always build with --enable-reproducible-build 4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS Ivan Pavlov (1): 16414718f9ae wolfssl: update to 4.8.1-stable David Bauer (1): f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng Christian Lamparter (1): 86801bd3d806 wolfssl: fix Ed25519 typo in config prompt The diff of security related changes we would need to backport would be so huge, that there would be a high probability of introducing new vulnerabilities, so it was decided, that bumping to latest stable release is the prefered way for fixing following security issues: * OCSP request/response verification issue. (fixed in 4.8.0) * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1) * Issue with incorrectly validating a certificate (fixed in 5.0.0) * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0) * Client side session resumption issue (fixed in 5.1.0) * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0) * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1) Cc: Hauke Mehrtens Cc: Eneas U de Queiroz Signed-off-by: Petr Å tetiar Acked-by: Hauke Mehrtens Acked-by: Eneas U de Queiroz --- package/libs/wolfssl/Config.in | 6 ++- package/libs/wolfssl/Makefile | 23 ++++++--- .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-build-with-libtool-2.4.patch | 13 +++++ .../libs/wolfssl/patches/200-ecc-rng.patch | 50 +++++++++++++++++++ 5 files changed, 86 insertions(+), 8 deletions(-) create mode 100644 package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch create mode 100644 package/libs/wolfssl/patches/200-ecc-rng.patch diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 4ac69f821a..99ceb6c463 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS default y config WOLFSSL_HAS_ECC25519 - bool "Include ECC Curve 22519 support" + bool "Include ECC Curve 25519 support" default n +config WOLFSSL_ALT_NAMES + bool "Include SAN (Subject Alternative Name) support" + default y + config WOLFSSL_HAS_DEVCRYPTO bool diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 57fcaa03b2..de6b707b95 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable +PKG_VERSION:=5.1.1-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \ CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \ - CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS + CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES include $(INCLUDE_DIR)/package.mk @@ -44,7 +44,7 @@ define Package/libwolfssl MENU:=1 PROVIDES:=libcyassl DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user - ABI_VERSION:=24 + ABI_VERSION:=30 endef define Package/libwolfssl/description @@ -56,13 +56,24 @@ define Package/libwolfssl/config source "$(SOURCE)/Config.in" endef -TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer +TARGET_CFLAGS += \ + $(FPIC) \ + -fomit-frame-pointer \ + -flto \ + -DFP_MAX_BITS=8192 \ + $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES) + +TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ + --enable-reproducible-build \ + --enable-opensslall \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ + --enable-altcertchains \ + --disable-crypttests \ --disable-examples \ --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \ @@ -88,7 +99,7 @@ endif ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y) CONFIGURE_ARGS += \ - --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath + --enable-wpas --enable-fortress --enable-fastmath endif define Build/InstallDev diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c89ff1be9d..79d0d6f759 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; +@@ -2346,7 +2346,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch new file mode 100644 index 0000000000..206c6dac6a --- /dev/null +++ b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch @@ -0,0 +1,13 @@ +diff --git a/configure.ac b/configure.ac +index 144c857e4..de7f6b45a 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -32,7 +32,7 @@ AC_ARG_PROGRAM + + AC_CONFIG_HEADERS([config.h:config.in]) + +-LT_PREREQ([2.4.2]) ++LT_PREREQ([2.4]) + LT_INIT([disable-static win32-dll]) + + #shared library versioning diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch new file mode 100644 index 0000000000..78ff4b1f4a --- /dev/null +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -0,0 +1,50 @@ +Since commit 6467de5a8840 ("Randomize z ordinates in scalar +mult when timing resistant") wolfssl requires a RNG for an EC +key when the hardened built option is selected. + +wc_ecc_set_rng is only available when built hardened, so there +is no safe way to install the RNG to the key regardless whether +or not wolfssl is compiled hardened. + +Always export wc_ecc_set_rng so tools such as hostapd can install +RNG regardless of the built settings for wolfssl. + +--- a/wolfcrypt/src/ecc.c ++++ b/wolfcrypt/src/ecc.c +@@ -11647,21 +11647,21 @@ void wc_ecc_fp_free(void) + + #endif /* FP_ECC */ + +-#ifdef ECC_TIMING_RESISTANT + int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng) + { + int err = 0; + ++#ifdef ECC_TIMING_RESISTANT + if (key == NULL) { + err = BAD_FUNC_ARG; + } + else { + key->rng = rng; + } ++#endif + + return err; + } +-#endif + + #ifdef HAVE_ECC_ENCRYPT + +--- a/wolfssl/wolfcrypt/ecc.h ++++ b/wolfssl/wolfcrypt/ecc.h +@@ -647,10 +647,8 @@ WOLFSSL_API + void wc_ecc_fp_free(void); + WOLFSSL_LOCAL + void wc_ecc_fp_init(void); +-#ifdef ECC_TIMING_RESISTANT + WOLFSSL_API + int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng); +-#endif + + WOLFSSL_API + int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id); -- 2.30.2