[PATCH] wolfssl: bump to v4.7.0-stable

Eneas U de Queiroz cotequeiroz at gmail.com
Sun Feb 21 16:33:30 EST 2021


The biggest fix in this version is for CVE-2021-3336, which had already
been applied here.  There are a couple of low-severity security bug fixes
as well.

Three patches are no longer needed, and were removed; the one remaining
was refreshed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
This was run-tested with master on mvebu using uhttpd and hostapd, and
should be cherry-picked to 21.02, and 19.07.  It was compile-tested with
21.02 and 19.07.

---
 package/libs/wolfssl/Makefile                 |  6 +--
 .../wolfssl/patches/010-CVE-2021-3336.patch   | 53 -------------------
 .../patches/100-disable-hardening-check.patch |  2 +-
 ...Fix-linking-against-hostapd-with-LTO.patch | 25 ---------
 .../patches/120-enable-secret-callback.patch  | 10 ----
 5 files changed, 4 insertions(+), 92 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch
 delete mode 100644 package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
 delete mode 100644 package/libs/wolfssl/patches/120-enable-secret-callback.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 846351f06d..53cd932d1f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.7.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
+PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
deleted file mode 100644
index abb9bfdd9b..0000000000
--- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
-From: Sean Parkinson <sean at wolfssl.com>
-Date: Thu, 21 Jan 2021 08:24:38 +1000
-Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
-
----
- src/tls13.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
---- a/src/tls13.c
-+++ b/src/tls13.c
-@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
-         #ifdef HAVE_ED25519
-             if (args->sigAlgo == ed25519_sa_algo &&
-                                                   !ssl->peerEd25519KeyPresent) {
--                WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
-+                WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
-+                ret = SIG_VERIFY_E;
-+                goto exit_dcv;
-             }
-         #endif
-         #ifdef HAVE_ED448
-             if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
--                WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
-+                WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
-+                ret = SIG_VERIFY_E;
-+                goto exit_dcv;
-             }
-         #endif
-         #ifdef HAVE_ECC
-             if (args->sigAlgo == ecc_dsa_sa_algo &&
-                                                    !ssl->peerEccDsaKeyPresent) {
--                WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
-+                WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
-+                ret = SIG_VERIFY_E;
-+                goto exit_dcv;
-             }
-         #endif
-         #ifndef NO_RSA
-             if (args->sigAlgo == rsa_sa_algo) {
--                WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
-+                WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
-                 ERROR_OUT(INVALID_PARAMETER, exit_dcv);
-             }
-             if (args->sigAlgo == rsa_pss_sa_algo &&
-                          (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
--                WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
-+                WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
-+                ret = SIG_VERIFY_E;
-+                goto exit_dcv;
-             }
-         #endif
- 
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c2793285e7..c89ff1be9d 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
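Review bot: The refreshed 100-disable-hardening-check.patch still carries no header explaining why wolfSSL's warning about missing harden build options is silenced, and the context line `/* warning for not using harden build options (default with ./configure) */` shows that this patch removes exactly that check. Whether the OpenWrt build actually enables the hardening options the warning refers to is not visible in this hunk, so a reader cannot tell whether the patch hides a real weakening of the library or only a cosmetic build-time warning. I would add a short header to the patch file stating the reason, e.g. `Silence the harden-options warning; the hardening defines are set explicitly by the OpenWrt Makefile, so the check is redundant here` — with the actual rationale confirmed by the author rather than assumed. Only the @@ offset (2248 -> 2255) changes in this refresh, so the patch's effect is presumably unchanged from the previous package release.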
diff --git a/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch b/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
deleted file mode 100644
index c24a15116f..0000000000
--- a/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 391ecbd647c121300dc7dcf209e412ccb7b8d432 Mon Sep 17 00:00:00 2001
-From: Hauke Mehrtens <hauke at hauke-m.de>
-Date: Fri, 1 Jan 2021 21:57:56 +0100
-Subject: [PATCH] Fix linking against hostapd with LTO
-
-When running LTO on wolfssl the ecc_map() function is removed from the
-binary by GCC 8.4.0. This function is used by multiple functions from
-the crypto_wolfssl.c implementation of hostapd master.
-
-Fixes: 780e8a4619b6 ("Fixes for building `--enable-wpas=small` with WPA Supplicant v2.7.")
-Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
----
- configure.ac | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -947,6 +947,7 @@ then
-     AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
- 
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP"
-+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_ECC_ADD_DBL"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD"
-     AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN"
diff --git a/package/libs/wolfssl/patches/120-enable-secret-callback.patch b/package/libs/wolfssl/patches/120-enable-secret-callback.patch
deleted file mode 100644
index 9c9b361d01..0000000000
--- a/package/libs/wolfssl/patches/120-enable-secret-callback.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- a/configure.ac
-+++ b/configure.ac
-@@ -943,6 +943,7 @@ then
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI"
-     AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA"
-     AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE"
-+    AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE"
-     AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL"
- 


