[PATCH 19.07 v2 0/3] wolfssl security updates
Eneas U de Queiroz
cotequeiroz at gmail.com
Thu Feb 17 14:49:34 PST 2022
On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca
<luizluca at gmail.com> wrote:
> Sure. And I do have interest in getting it fixed.
I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport
However, I got stuck with this issue, about a MitM attack when the
client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/
The patch for it is over 1,500 lines, and I would not be so confident
that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a
libcurl and hostapd use client-side session resumption, so OpenWrt is
possibly impacted. I don't know if the session cache can get filled
by hostapd or not, but with libcurl, anything is possible. They both
use the wolfSSL_get_session call, not the wolfSSL_get1_session call that
would avoid/work around the problem.
wolfSSL should get bumped to 5.1.1 despite the API/ABI/soname change.
Cheers
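The message above contrasts wolfSSL_get_session (a handle that refers to the library's own session storage) with wolfSSL_get1_session (a handle the caller owns and frees). The following is an added illustration, not code from the email, from wolfSSL or from OpenWrt: a deliberately simplified model of a fixed-size client session cache in which a borrowed handle keeps pointing at a slot that is reused once the cache fills up, while an owned copy keeps describing the session it was taken for. The names (session_cache_t, get_session, get1_session, session_matches_peer) and the two-slot cache size are assumptions made for the example; the real library's cache layout and eviction policy are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model only: a tiny client-side session cache with two slots
 * and round-robin reuse once it is full. Not wolfSSL's data structures. */
#define CACHE_SLOTS 2
#define SESSION_ID_LEN 8

typedef struct {
    char peer[32];                       /* host the session was negotiated with */
    unsigned char id[SESSION_ID_LEN];    /* session identifier */
} session_t;

typedef struct {
    session_t slots[CACHE_SLOTS];
    int next;                            /* next slot to (re)use */
} session_cache_t;

/* Store a freshly negotiated session. When every slot is taken, the slot
 * that is next in line is silently overwritten with the new peer's data. */
static session_t *cache_put(session_cache_t *c, const char *peer,
                            const unsigned char *id) {
    session_t *s = &c->slots[c->next];
    c->next = (c->next + 1) % CACHE_SLOTS;
    memset(s, 0, sizeof *s);
    snprintf(s->peer, sizeof s->peer, "%s", peer);
    memcpy(s->id, id, SESSION_ID_LEN);
    return s;
}

/* "get_session" style: a borrowed pointer straight into the cache slot.
 * Whatever later lands in that slot is what the caller will see. */
static session_t *get_session(session_t *cached) {
    return cached;
}

/* "get1_session" style: a private copy the caller owns and must free. */
static session_t *get1_session(const session_t *cached) {
    session_t *copy = malloc(sizeof *copy);
    if (copy == NULL)
        return NULL;
    *copy = *cached;
    return copy;
}

/* Defensive check before resuming: the saved session must still belong to
 * the peer we are about to reconnect to. */
static int session_matches_peer(const session_t *s, const char *peer) {
    return s != NULL && strcmp(s->peer, peer) == 0;
}

/* Scenario 1: take a borrowed handle for a.example, then talk to two more
 * hosts so the cache wraps around. Returns 1 when the handle no longer
 * describes a.example's session (the stale-handle failure mode). */
int borrowed_handle_goes_stale(void) {
    session_cache_t cache;
    const unsigned char id_a[SESSION_ID_LEN] = {1, 1, 1, 1, 1, 1, 1, 1};
    const unsigned char id_b[SESSION_ID_LEN] = {2, 2, 2, 2, 2, 2, 2, 2};
    const unsigned char id_c[SESSION_ID_LEN] = {3, 3, 3, 3, 3, 3, 3, 3};
    memset(&cache, 0, sizeof cache);

    session_t *borrowed = get_session(cache_put(&cache, "a.example", id_a));
    cache_put(&cache, "b.example", id_b);
    cache_put(&cache, "c.example", id_c);   /* cache full: a.example's slot reused */

    return !session_matches_peer(borrowed, "a.example");
}

/* Scenario 2: same sequence, but with an owned copy. Returns 1 when the
 * copy still matches a.example and still carries a.example's session id. */
int owned_handle_stays_valid(void) {
    session_cache_t cache;
    const unsigned char id_a[SESSION_ID_LEN] = {1, 1, 1, 1, 1, 1, 1, 1};
    const unsigned char id_b[SESSION_ID_LEN] = {2, 2, 2, 2, 2, 2, 2, 2};
    const unsigned char id_c[SESSION_ID_LEN] = {3, 3, 3, 3, 3, 3, 3, 3};
    memset(&cache, 0, sizeof cache);

    session_t *owned = get1_session(cache_put(&cache, "a.example", id_a));
    cache_put(&cache, "b.example", id_b);
    cache_put(&cache, "c.example", id_c);

    int ok = session_matches_peer(owned, "a.example") &&
             memcmp(owned->id, id_a, SESSION_ID_LEN) == 0;
    free(owned);
    return ok;
}

int main(void) {
    printf("borrowed handle stale after cache wrap: %s\n",
           borrowed_handle_goes_stale() ? "yes" : "no");
    printf("owned copy still valid after cache wrap: %s\n",
           owned_handle_stays_valid() ? "yes" : "no");
    return 0;
}
```

The point of the model is the one the message makes: a borrowed handle is only as good as the cache slot behind it, so a client that keeps such a handle across further connections can end up offering a session that was negotiated with a different peer. An owned copy, or a peer-name check like session_matches_peer before resumption, keeps the client's view of "which session belongs to which host" consistent regardless of what the cache does.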