[openwrt/openwrt] wolfssl: always export wc_ecc_set_rng

LEDE Commits lede-commits at lists.infradead.org
Fri May 21 06:44:31 PDT 2021


blocktrron pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/ef9b103107aebd1a54f4360af3d9cf28d0544f13

commit ef9b103107aebd1a54f4360af3d9cf28d0544f13
Author: David Bauer <mail at david-bauer.net>
AuthorDate: Thu May 6 01:48:04 2021 +0200

    wolfssl: always export wc_ecc_set_rng
    
    Since commit 6467de5a8840 ("Randomize z ordinates in scalar
    mult when timing resistant") wolfssl requires an RNG for an EC
    key when the hardened build option is selected.
    
    wc_ecc_set_rng is only available when built hardened, so there
    is no safe way to install the RNG to the key regardless of whether
    or not wolfssl is compiled hardened.
    
    Always export wc_ecc_set_rng so tools such as hostapd can install
    the RNG regardless of the build settings for wolfssl.
    
    Signed-off-by: David Bauer <mail at david-bauer.net>
---
 package/libs/wolfssl/Makefile                  |  2 +-
 package/libs/wolfssl/patches/200-ecc-rng.patch | 50 ++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 53cd932d1f..030a0224f5 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
new file mode 100644
index 0000000000..2d33c06209
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -0,0 +1,50 @@
+Since commit 6467de5a8840 ("Randomize z ordinates in scalar
+mult when timing resistant") wolfssl requires a RNG for an EC
+key when the hardened built option is selected.
+
+wc_ecc_set_rng is only available when built hardened, so there
+is no safe way to install the RNG to the key regardless whether
+or not wolfssl is compiled hardened.
+
+Always export wc_ecc_set_rng so tools such as hostapd can install
+RNG regardless of the built settings for wolfssl.
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
+ 
+ #endif /* FP_ECC */
+ 
+-#ifdef ECC_TIMING_RESISTANT
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
+ {
+     int err = 0;
+ 
++#ifdef ECC_TIMING_RESISTANT
+     if (key == NULL) {
+         err = BAD_FUNC_ARG;
+     }
+     else {
+         key->rng = rng;
+     }
++#endif
+ 
+     return err;
+ }
+-#endif
+ 
+ #ifdef HAVE_ECC_ENCRYPT
+ 
+--- a/wolfssl/wolfcrypt/ecc.h
++++ b/wolfssl/wolfcrypt/ecc.h
+@@ -584,10 +584,8 @@ WOLFSSL_API
+ void wc_ecc_fp_free(void);
+ WOLFSSL_LOCAL
+ void wc_ecc_fp_init(void);
+-#ifdef ECC_TIMING_RESISTANT
+ WOLFSSL_API
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+-#endif
+ 
+ WOLFSSL_API
+ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);
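Review bot: the declaration is now exported unconditionally, but nothing in the header tells consumers that the function still returns 0 and attaches nothing when wolfSSL is built without ECC_TIMING_RESISTANT; a one-line comment above `int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);` noting that the RNG is only consumed in timing-resistant builds keeps callers such as hostapd from treating success as proof the RNG was installed. Since this widens the public API, it is also worth offering the change upstream so the package does not have to carry 200-ecc-rng.patch across future version bumps.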
