[OpenWrt-Devel] [PATCH] wolfssl: update to v4.2.0-stable
Eneas U de Queiroz
cotequeiroz at gmail.com
Wed Nov 6 16:22:52 EST 2019
Many bugs were fixed--2 patches removed here.
This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:
- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys
Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
This was run-tested on WRT3200ACM, using uhttpdi, uclient-fetch, curl &
wpad-wolfssl.
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 778754ffdc..3d2a56a97f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=4.1.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.2.0-stable
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
+PKG_HASH:=3562af485c26cd7abe94d9404fbfc0c5c9bceb4aab29b81ebf5e6c2467507e12
PKG_FIXUP:=libtool
PKG_INSTALL:=1
@@ -44,7 +44,7 @@ define Package/libwolfssl
MENU:=1
PROVIDES:=libcyassl
DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
- ABI_VERSION:=19
+ ABI_VERSION:=23
endef
define Package/libwolfssl/description
diff --git a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch b/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
deleted file mode 100644
index a9b8aee918..0000000000
--- a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From e8e1d35744c68b165e172a687e870a549438bdf0 Mon Sep 17 00:00:00 2001
-From: Jacob Barthelmeh <jacob at wolfssl.com>
-Date: Tue, 13 Aug 2019 14:12:45 -0600
-Subject: [PATCH] build with devcrypto and aesccm
-
-
-diff --git a/configure.ac b/configure.ac
-index f943cc6ef..cf03e7f52 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1096,6 +1096,10 @@ then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
-+ if test "$ENABLED_AESCCM" = "yes"
-+ then
-+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+ fi
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
- ENABLED_DEVCRYPTO=yes
-@@ -1106,6 +1110,10 @@ then
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
-+ if test "$ENABLED_AESCCM" = "yes"
-+ then
-+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+ fi
- ENABLED_DEVCRYPTO=yes
- fi
- if test "$ENABLED_DEVCRYPTO" = "cbc"
-diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
-index beeae72a6..b583d03e9 100644
---- a/wolfcrypt/src/aes.c
-+++ b/wolfcrypt/src/aes.c
-@@ -760,6 +760,14 @@
- #elif defined(WOLFSSL_DEVCRYPTO_AES)
- /* if all AES is enabled with devcrypto then tables are not needed */
-
-+ #if defined(HAVE_AESCCM)
-+ static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
-+ {
-+ wc_AesEncryptDirect(aes, outBlock, inBlock);
-+ return 0;
-+ }
-+ #endif
-+
- #else
-
- /* using wolfCrypt software implementation */
-@@ -1314,7 +1322,8 @@ static const word32 Td[4][256] = {
- };
-
-
--#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)
-+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \
-+ || defined(WOLFSSL_AES_DIRECT)
- static const byte Td4[256] =
- {
- 0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
-diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-index 5c63421e2..d5061f364 100644
---- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-@@ -168,7 +168,7 @@ static int wc_DevCrypto_AesDirect(Aes* aes, byte* out, const byte* in,
- #endif
-
-
--#if defined(WOLFSSL_AES_DIRECT)
-+#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM)
- void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
- {
- wc_DevCrypto_AesDirect(aes, out, in, AES_BLOCK_SIZE, COP_ENCRYPT);
diff --git a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch b/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
deleted file mode 100644
index bb4c6fd04b..0000000000
--- a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9fd38dc340c38dee6e5935da174f90270a63bfbf Mon Sep 17 00:00:00 2001
-From: Jacob Barthelmeh <jacob at wolfssl.com>
-Date: Fri, 30 Aug 2019 16:15:48 -0600
-Subject: [PATCH] build fix for aesccm + devcrypto=cbc + wpas and afalg
-
-
-diff --git a/configure.ac b/configure.ac
-index 61fad39dd..30731eb52 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1045,6 +1045,10 @@ AC_ARG_ENABLE([afalg],
-
- if test "$ENABLED_AFALG" = "yes"
- then
-+ if test "$ENABLED_AESCCM" = "yes"
-+ then
-+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+ fi
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG"
- AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_HASH"
- fi
-diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
-index fef2f9c74..d294f6236 100644
---- a/wolfcrypt/src/aes.c
-+++ b/wolfcrypt/src/aes.c
-@@ -759,7 +759,9 @@
- }
- #endif /* HAVE_AES_DECRYPT */
-
--#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
-+#elif (defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)) || \
-+ ((defined(WOLFSSL_AFALG) || defined(WOLFSSL_DEVCRYPTO_AES)) && \
-+ defined(HAVE_AESCCM))
- static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
- {
- wc_AesEncryptDirect(aes, outBlock, inBlock);
-@@ -768,16 +770,6 @@
-
- #elif defined(WOLFSSL_AFALG)
- #elif defined(WOLFSSL_DEVCRYPTO_AES)
-- /* if all AES is enabled with devcrypto then tables are not needed */
--
-- #if defined(HAVE_AESCCM)
-- static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
-- {
-- wc_AesEncryptDirect(aes, outBlock, inBlock);
-- return 0;
-- }
-- #endif
--
- #else
-
- /* using wolfCrypt software implementation */
-@@ -1593,8 +1585,8 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
- #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT || HAVE_AESGCM */
-
- #if defined(HAVE_AES_DECRYPT)
--#if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \
-- !defined(WOLFSSL_DEVCRYPTO_CBC)
-+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) || \
-+ defined(WOLFSSL_AES_DIRECT)
-
- /* load 4 Td Tables into cache by cache line stride */
- static WC_INLINE word32 PreFetchTd(void)
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list