[openwrt/openwrt] wolfssl: Update to version 4.5.0

LEDE Commits lede-commits at lists.infradead.org
Thu Sep 3 18:43:12 EDT 2020


hauke pushed a commit to openwrt/openwrt.git, branch openwrt-19.07:
https://git.openwrt.org/403039c562e16f4242e3485d8f076ea726dd8744

commit 403039c562e16f4242e3485d8f076ea726dd8744
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Mon Aug 24 12:11:29 2020 +0200

    wolfssl: Update to version 4.5.0
    
    This fixes the following security problems:
    * In earlier versions of wolfSSL there exists a potential man in the
      middle attack on TLS 1.3 clients.
    * Denial of service attack on TLS 1.3 servers from repetitively sending
      ChangeCipherSpecs messages. (CVE-2020-12457)
    * Potential cache timing attacks on public key operations in builds that
      are not using SP (single precision). (CVE-2020-15309)
    * When using SGX with EC scalar multiplication the possibility of side-
      channel attacks are present.
    * Leak of private key in the case that PEM format private keys are
      bundled in with PEM certificates into a single file.
    * During the handshake, clear application_data messages in epoch 0 are
      processed and returned to the application.
    
    Full changelog:
    https://www.wolfssl.com/docs/wolfssl-changelog/
    
    Fix a build error on big endian systems by backporting a pull request:
    https://github.com/wolfSSL/wolfssl/pull/3255
    
    The size of the ipk increases on mips BE by 1.4%
    old:
    libwolfssl24_4.4.0-stable-2_mips_24kc.ipk:      386246
    new:
    libwolfssl24_4.5.0-stable-1_mips_24kc.ipk:      391528
    
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
    (cherry picked from commit 00722a720c778e623d6f37af3a3b4e43b29c3fe8)
---
 package/libs/wolfssl/Makefile                      |  6 ++---
 .../patches/100-disable-hardening-check.patch      |  2 +-
 .../patches/110-fix-build-on-big-endian.patch      | 27 ++++++++++++++++++++++
 3 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 159cfbc53f..eb77caee33 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.4.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.5.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=7f854804c8ae0ca49cc77809e38e9a3b5a8c91ba7855ea928e6d6651b0d35f18
+PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 5d83eca770..43337ba970 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -1930,7 +1930,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
new file mode 100644
index 0000000000..3838865559
--- /dev/null
+++ b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
@@ -0,0 +1,27 @@
+From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001
+From: Tesfa Mael <tesfa at wolfssl.com>
+Date: Wed, 26 Aug 2020 10:13:06 -0700
+Subject: [PATCH] Make ByteReverseWords available for big and little endian
+
+---
+ wolfcrypt/src/misc.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/wolfcrypt/src/misc.c
++++ b/wolfcrypt/src/misc.c
+@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo
+     return rotlFixed(value, 16U);
+ #endif
+ }
+-#if defined(LITTLE_ENDIAN_ORDER)
+ /* This routine performs a byte swap of words array of a given count. */
+ WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
+                                     word32 byteCount)
+@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord
+         out[i] = ByteReverseWord32(in[i]);
+ 
+ }
+-#endif /* LITTLE_ENDIAN_ORDER */
+ 
+ #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
+ 



More information about the lede-commits mailing list