[PATCH 19.07 v2 0/3] wolfssl security updates

Eneas U de Queiroz cotequeiroz at gmail.com
Thu Feb 17 14:49:34 PST 2022


On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca
<luizluca at gmail.com> wrote:

> Sure. And I do have interest in getting it fixed.

I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport

However, I got stuck with this issue, about a MitM attack when the
client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/

The patch for it is over 1,500 lines, and I would not be so confident
that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a

libcurl and hostapd use client-side session resumption, so OpenWrt is
possibly impacted.  I don't know if the session cache can get filled
by hostapd or not, but with libcurl, anything is possible.  They both
use the wolfSSL_get_session call, not the wolfSSL_get1_session that
would avoid/work around the problem.

wolfSSL should get bumped to 5.1.1 despite the API/ABI/soname change.

Cheers
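
A triage sketch for the point in the message above that libcurl and hostapd call wolfSSL_get_session rather than wolfSSL_get1_session: this added example (not part of the original message, nor OpenWrt or wolfSSL tooling) counts call sites of each function per package directory in a source tree. The helper names and the sample tree are constructed for illustration, and the match is textual, so it is a starting point for review rather than proof of impact.

```shell
#!/bin/sh
# Added example: list which package sources still call
# wolfSSL_get_session() instead of wolfSSL_get1_session().
# Heuristic text match: a call mentioned in a comment is counted too.

# callers_of FUNC DIR: print file:line:text for each call to FUNC.
# The leading character class keeps look-alike names from matching.
callers_of() {
    find "$2" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -nHE "(^|[^A-Za-z0-9_])$1[[:space:]]*\\(" {} + \
        2>/dev/null || true   # "no match" is a valid result, not an error
}

# audit_tree DIR: one summary line per first-level package directory.
audit_tree() {
    for pkg in "$1"/*/; do
        [ -d "$pkg" ] || continue
        old=$(callers_of wolfSSL_get_session "$pkg" | wc -l | tr -d ' ')
        new=$(callers_of wolfSSL_get1_session "$pkg" | wc -l | tr -d ' ')
        if [ "$old" -gt 0 ]; then verdict=REVIEW; else verdict=ok; fi
        printf '%s get_session=%s get1_session=%s %s\n' \
            "$(basename "$pkg")" "$old" "$new" "$verdict"
    done
}

# make_sample_tree DIR: constructed sources, not real libcurl/hostapd code.
make_sample_tree() {
    mkdir -p "$1/pkg-a" "$1/pkg-b"
    cat > "$1/pkg-a/tls.c" <<'EOF'
WOLFSSL_SESSION *s = wolfSSL_get_session(ssl);
wolfSSL_get_session_stats(&a, &b, &c, &d);
EOF
    cat > "$1/pkg-b/tls.c" <<'EOF'
WOLFSSL_SESSION *s = wolfSSL_get1_session (ssl);
wolfSSL_SESSION_free(s);
EOF
}

# Demo run on the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
audit_tree "$demo"
rm -rf "$demo"
```

Point `audit_tree` at a directory of unpacked package sources to get the same per-package summary; every `REVIEW` line needs a manual look at how the returned session is used.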


