[openwrt/openwrt] wolfssl: always export wc_ecc_set_rng
LEDE Commits
lede-commits at lists.infradead.org
Fri May 21 06:44:31 PDT 2021
blocktrron pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/ef9b103107aebd1a54f4360af3d9cf28d0544f13
commit ef9b103107aebd1a54f4360af3d9cf28d0544f13
Author: David Bauer <mail at david-bauer.net>
AuthorDate: Thu May 6 01:48:04 2021 +0200
wolfssl: always export wc_ecc_set_rng
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.
wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.
Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.
Signed-off-by: David Bauer <mail at david-bauer.net>
---
package/libs/wolfssl/Makefile | 2 +-
package/libs/wolfssl/patches/200-ecc-rng.patch | 50 ++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 53cd932d1f..030a0224f5 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
new file mode 100644
index 0000000000..2d33c06209
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -0,0 +1,50 @@
+Since commit 6467de5a8840 ("Randomize z ordinates in scalar
+mult when timing resistant") wolfssl requires a RNG for an EC
+key when the hardened built option is selected.
+
+wc_ecc_set_rng is only available when built hardened, so there
+is no safe way to install the RNG to the key regardless whether
+or not wolfssl is compiled hardened.
+
+Always export wc_ecc_set_rng so tools such as hostapd can install
+RNG regardless of the built settings for wolfssl.
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
+
+ #endif /* FP_ECC */
+
+-#ifdef ECC_TIMING_RESISTANT
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
+ {
+ int err = 0;
+
++#ifdef ECC_TIMING_RESISTANT
+ if (key == NULL) {
+ err = BAD_FUNC_ARG;
+ }
+ else {
+ key->rng = rng;
+ }
++#endif
+
+ return err;
+ }
+-#endif
+
+ #ifdef HAVE_ECC_ENCRYPT
+
+--- a/wolfssl/wolfcrypt/ecc.h
++++ b/wolfssl/wolfcrypt/ecc.h
+@@ -584,10 +584,8 @@ WOLFSSL_API
+ void wc_ecc_fp_free(void);
+ WOLFSSL_LOCAL
+ void wc_ecc_fp_init(void);
+-#ifdef ECC_TIMING_RESISTANT
+ WOLFSSL_API
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+-#endif
+
+ WOLFSSL_API
+ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);
More information about the lede-commits
mailing list