[PATCH v2] wolfssl: Update to version 4.5.0

Andre Heider a.heider at gmail.com
Thu Aug 27 03:25:16 EDT 2020


Hi,

On 26/08/2020 00:19, Hauke Mehrtens wrote:
> This fixes the following security problems:
> * In earlier versions of wolfSSL there exists a potential man in the
>    middle attack on TLS 1.3 clients.
> * Denial of service attack on TLS 1.3 servers from repetitively sending
>    ChangeCipherSpecs messages. (CVE-2020-12457)
> * Potential cache timing attacks on public key operations in builds that
>    are not using SP (single precision). (CVE-2020-15309)
> * When using SGX with EC scalar multiplication the possibility of side-
>    channel attacks are present.
> * Leak of private key in the case that PEM format private keys are
>    bundled in with PEM certificates into a single file.
> * During the handshake, clear application_data messages in epoch 0 are
>    processed and returned to the application.
> 
> Full changelog:
> https://www.wolfssl.com/docs/wolfssl-changelog/
> 
> Add a patch which fixes a build problem on big endian systems, see
> https://github.com/wolfSSL/wolfssl/issues/3240 for details.
> 
> Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>

I think due to this hostapd (CONFIG_PACKAGE_wpad-wolfssl=y) now fails to 
compile:
../src/crypto/tls_wolfssl.c: In function 'tls_match_alt_subject':
../src/crypto/tls_wolfssl.c:610:11: error: 'GEN_EMAIL' undeclared (first 
use in this function); did you mean 'ENAVAIL'?
     type = GEN_EMAIL;
            ^~~~~~~~~
            ENAVAIL
../src/crypto/tls_wolfssl.c:610:11: note: each undeclared identifier is 
reported only once for each function it appears in
../src/crypto/tls_wolfssl.c:613:11: error: 'GEN_DNS' undeclared (first 
use in this function)
     type = GEN_DNS;
            ^~~~~~~
../src/crypto/tls_wolfssl.c:616:11: error: 'GEN_URI' undeclared (first 
use in this function)
     type = GEN_URI;
            ^~~~~~~
../src/crypto/tls_wolfssl.c: In function 'wolfssl_tls_cert_event':
../src/crypto/tls_wolfssl.c:902:20: error: 'GEN_EMAIL' undeclared (first 
use in this function); did you mean 'ENAVAIL'?
    if (gen->type != GEN_EMAIL &&
                     ^~~~~~~~~
                     ENAVAIL
../src/crypto/tls_wolfssl.c:903:20: error: 'GEN_DNS' undeclared (first 
use in this function)
        gen->type != GEN_DNS &&
                     ^~~~~~~
../src/crypto/tls_wolfssl.c:904:20: error: 'GEN_URI' undeclared (first 
use in this function)
        gen->type != GEN_URI)
                     ^~~~~~~
make[3]: *** [Makefile:1302: ../src/crypto/tls_wolfssl.o] Error 1

The attached patch fixes it for me.

> ---
>   package/libs/wolfssl/Makefile                 |  6 +++---
>   .../patches/100-disable-hardening-check.patch |  2 +-
>   .../patches/110-fix-build-on-big-endian.patch | 20 +++++++++++++++++++
>   3 files changed, 24 insertions(+), 4 deletions(-)
>   create mode 100644 package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
> 
> diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
> index 159cfbc53f74..eb77caee3392 100644
> --- a/package/libs/wolfssl/Makefile
> +++ b/package/libs/wolfssl/Makefile
> @@ -8,12 +8,12 @@
>   include $(TOPDIR)/rules.mk
>   
>   PKG_NAME:=wolfssl
> -PKG_VERSION:=4.4.0-stable
> -PKG_RELEASE:=2
> +PKG_VERSION:=4.5.0-stable
> +PKG_RELEASE:=1
>   
>   PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
>   PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
> -PKG_HASH:=7f854804c8ae0ca49cc77809e38e9a3b5a8c91ba7855ea928e6d6651b0d35f18
> +PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
>   
>   PKG_FIXUP:=libtool
>   PKG_INSTALL:=1
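Review bot: the PKG_HASH line is the only integrity check on the new 4.5.0-stable tarball, so the commit message should say how the hash was verified (for example against wolfSSL's published release checksum or signature); a hash copied from the freshly downloaded archive confirms nothing. Resetting PKG_RELEASE to 1 alongside the PKG_VERSION bump is correct.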
> diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
> index 5d83eca770ea..43337ba97024 100644
> --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
> +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
> @@ -1,6 +1,6 @@
>   --- a/wolfssl/wolfcrypt/settings.h
>   +++ b/wolfssl/wolfcrypt/settings.h
> -@@ -1930,7 +1930,7 @@ extern void uITRON4_free(void *p) ;
> +@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
>    #endif
>    
>    /* warning for not using harden build options (default with ./configure) */
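Review bot: only the hunk offset inside the embedded patch is refreshed here (@@ -1930 becomes @@ -2128); because this patch silences the "harden build options" warning rather than enabling those options, it would help to state in the commit message that the configure flags still turn on the timing-resistance options, especially since this update is also meant to address the cache-timing issue (CVE-2020-15309) listed above.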
> diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
> new file mode 100644
> index 000000000000..820501d2bb5d
> --- /dev/null
> +++ b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
> @@ -0,0 +1,20 @@
> +See https://github.com/wolfSSL/wolfssl/issues/3240 for details
> +
> +--- a/wolfcrypt/src/misc.c
> ++++ b/wolfcrypt/src/misc.c
> +@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo
> +     return rotlFixed(value, 16U);
> + #endif
> + }
> +-#if defined(LITTLE_ENDIAN_ORDER)
> + /* This routine performs a byte swap of words array of a given count. */
> + WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
> +                                     word32 byteCount)
> +@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord
> +         out[i] = ByteReverseWord32(in[i]);
> +
> + }
> +-#endif /* LITTLE_ENDIAN_ORDER */
> +
> + #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
> +
> 
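Review bot: the new 110-fix-build-on-big-endian.patch carries only the issue URL as its description; please add one sentence on what it does (ByteReverseWords is now defined unconditionally instead of only under LITTLE_ENDIAN_ORDER, so big-endian builds that call it link again) and note whether it was submitted upstream, so the patch can be dropped once a release contains the fix. The two inner hunk headers (-120,7 +120,6 and -131,7 +130,6) are consistent with removing exactly the #if and #endif lines.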

-------------- next part --------------
A non-text attachment was scrubbed...
Name: wolfssl.patch
Type: text/x-patch
Size: 563 bytes
Desc: not available
URL: <http://lists.openwrt.org/pipermail/openwrt-devel/attachments/20200827/aebfea30/attachment.bin>