[OpenWrt-Devel] [PATCH v2 0/3] wolfssl update

Eneas U de Queiroz cotequeiroz at gmail.com
Mon Jul 1 12:39:58 EDT 2019 

This series starts with an update to version 3.15.7, which includes a
security fix, and should be cherry-picked to 19.07.  I'm not
cherry-picking it to 18.06 because it changes ABI, and it would cause
package breakage because 18.06 is not ABI version-aware.

I've increased the FP_MAX_BITS parameter to 8192, to allow usage of
4096-bit RSA keys.  Otherwise it would fail to verify many CA
certificates that use 4096-bit keys, including Microsoft's.

Update master to 4.0.0.  This version adds support to TLS 1.3, hardware
acceleration using /dev/crypto and AF_ALG.  The features were added in
3.15.7, but only enabled here in 4.0.0.

Many of the current build options were not effective, they were always
built into the library because of an unconditional --enable-stunnel
parameter to configure, so they can be removed.  Since hostapd selected
some of these options, they are being removed there as well.  The
hostapd change includes the removal of the selection of the library
itself, allowing libwolfssl to be built as a module when hostapd depends
on it, and is built as a module.

I've ensured dependent packages are successfully built with this
version, opening a couple of PRs in the packages feed.  They had been
broken for a while now, which makes me wonder how many people are
actually using wolfssl today.  Nonetheless, a TLS library supporting hw
crypto acceleration and TLS 1.3 under 300KB seems interesting.

The library was run-tested on WRT-3200ACM using uhttpd, uclient-fetch,
and curl with different build options, turning them on one by one
cumulatively.  The size varied from 227K with all options off, to 312K
with all options on, and defaults to 297K.

Enabling hardware acelleration and AES-CCM at the same time results in a
build failure, which dents my confidence.  Nonetheless, uhttpd connects
without a problem, and I can confirm /dev/crypto or AF_ALG sockets open.

The package currently lacks a maintainer, so I've added myself.

--
Changelog:
v1->v2:

* Increased FP_MAX_BITS to allow 4096-bit RSA keys.
* Update master to 4.0.0

Eneas U de Queiroz (3):
  wolfssl: update to 3.15.7, fix Makefile
  wolfssl: update to 4.0.0-stable
  hostapd: adjust removed wolfssl options

 package/libs/wolfssl/Config.in                |  51 ++++---
 package/libs/wolfssl/Makefile                 | 124 +++++-------------
 .../patches/100-disable-hardening-check.patch |   4 +-
 .../101-AR-flags-configure-update.patch       |  23 ----
 .../900-remove-broken-autoconf-macros.patch   |   2 +-
 package/network/services/hostapd/Config.in    |   4 -
 6 files changed, 70 insertions(+), 138 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/101-AR-flags-configure-update.patch


_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list