[OpenWrt-Devel] [PATCH] wolfssl: update to v4.2.0-stable

Eneas U de Queiroz cotequeiroz at gmail.com
Wed Nov 6 16:22:52 EST 2019 

Many bugs were fixed--2 patches removed here.

This release of wolfSSL includes fixes for 5 security vulnerabilities,
including two CVEs with high/critical base scores:

- potential invalid read with TLS 1.3 PSK, including session tickets
- potential hang with ocspstaping2 (always enabled in openwrt)
- CVE-2019-15651: 1-byte overread when decoding certificate extensions
- CVE-2019-16748: 1-byte overread when checking certificate signatures
- DSA attack to recover DSA private keys

Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
This was run-tested on WRT3200ACM, using uhttpdi, uclient-fetch, curl &
wpad-wolfssl.

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 778754ffdc..3d2a56a97f 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.1.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.2.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=f0d630c3ddfeb692b8ae38cc739f47d5e9f0fb708662aa241ede0c42a5eb3dd8
+PKG_HASH:=3562af485c26cd7abe94d9404fbfc0c5c9bceb4aab29b81ebf5e6c2467507e12
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
@@ -44,7 +44,7 @@ define Package/libwolfssl
   MENU:=1
   PROVIDES:=libcyassl
   DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
-  ABI_VERSION:=19
+  ABI_VERSION:=23
 endef
 
 define Package/libwolfssl/description
diff --git a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch b/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
deleted file mode 100644
index a9b8aee918..0000000000
--- a/package/libs/wolfssl/patches/010-build-with-devcrypto-and-aesccm.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From e8e1d35744c68b165e172a687e870a549438bdf0 Mon Sep 17 00:00:00 2001
-From: Jacob Barthelmeh <jacob at wolfssl.com>
-Date: Tue, 13 Aug 2019 14:12:45 -0600
-Subject: [PATCH] build with devcrypto and aesccm
-
-
-diff --git a/configure.ac b/configure.ac
-index f943cc6ef..cf03e7f52 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1096,6 +1096,10 @@ then
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
-+    if test "$ENABLED_AESCCM" = "yes"
-+    then
-+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+    fi
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_HASH"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_NO_HASH_RAW"
-     ENABLED_DEVCRYPTO=yes
-@@ -1106,6 +1110,10 @@ then
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_AES"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DEVCRYPTO_CBC"
-+    if test "$ENABLED_AESCCM" = "yes"
-+    then
-+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+    fi
-     ENABLED_DEVCRYPTO=yes
- fi
- if test "$ENABLED_DEVCRYPTO" = "cbc"
-diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
-index beeae72a6..b583d03e9 100644
---- a/wolfcrypt/src/aes.c
-+++ b/wolfcrypt/src/aes.c
-@@ -760,6 +760,14 @@
- #elif defined(WOLFSSL_DEVCRYPTO_AES)
-     /* if all AES is enabled with devcrypto then tables are not needed */
- 
-+    #if defined(HAVE_AESCCM)
-+    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
-+    {
-+        wc_AesEncryptDirect(aes, outBlock, inBlock);
-+        return 0;
-+    }
-+    #endif
-+
- #else
- 
-     /* using wolfCrypt software implementation */
-@@ -1314,7 +1322,8 @@ static const word32 Td[4][256] = {
- };
- 
- 
--#if defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)
-+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) \
-+			|| defined(WOLFSSL_AES_DIRECT)
- static const byte Td4[256] =
- {
-     0x52U, 0x09U, 0x6aU, 0xd5U, 0x30U, 0x36U, 0xa5U, 0x38U,
-diff --git a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-index 5c63421e2..d5061f364 100644
---- a/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-+++ b/wolfcrypt/src/port/devcrypto/devcrypto_aes.c
-@@ -168,7 +168,7 @@ static int wc_DevCrypto_AesDirect(Aes* aes, byte* out, const byte* in,
- #endif
- 
- 
--#if defined(WOLFSSL_AES_DIRECT)
-+#if defined(WOLFSSL_AES_DIRECT) || defined(HAVE_AESCCM)
- void wc_AesEncryptDirect(Aes* aes, byte* out, const byte* in)
- {
-     wc_DevCrypto_AesDirect(aes, out, in, AES_BLOCK_SIZE, COP_ENCRYPT);
diff --git a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch b/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
deleted file mode 100644
index bb4c6fd04b..0000000000
--- a/package/libs/wolfssl/patches/020-build-fix-for-aesccm-devcrypto-cbc-wpas-and-afalg.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 9fd38dc340c38dee6e5935da174f90270a63bfbf Mon Sep 17 00:00:00 2001
-From: Jacob Barthelmeh <jacob at wolfssl.com>
-Date: Fri, 30 Aug 2019 16:15:48 -0600
-Subject: [PATCH] build fix for aesccm + devcrypto=cbc + wpas and afalg
-
-
-diff --git a/configure.ac b/configure.ac
-index 61fad39dd..30731eb52 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -1045,6 +1045,10 @@ AC_ARG_ENABLE([afalg],
- 
- if test "$ENABLED_AFALG" = "yes"
- then
-+    if test "$ENABLED_AESCCM" = "yes"
-+    then
-+        AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
-+    fi
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG"
-     AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AFALG_HASH"
- fi
-diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
-index fef2f9c74..d294f6236 100644
---- a/wolfcrypt/src/aes.c
-+++ b/wolfcrypt/src/aes.c
-@@ -759,7 +759,9 @@
-         }
-     #endif /* HAVE_AES_DECRYPT */
- 
--#elif defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)
-+#elif (defined(WOLFSSL_IMX6_CAAM) && !defined(NO_IMX6_CAAM_AES)) || \
-+      ((defined(WOLFSSL_AFALG) || defined(WOLFSSL_DEVCRYPTO_AES)) && \
-+        defined(HAVE_AESCCM))
-         static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
-         {
-             wc_AesEncryptDirect(aes, outBlock, inBlock);
-@@ -768,16 +770,6 @@
- 
- #elif defined(WOLFSSL_AFALG)
- #elif defined(WOLFSSL_DEVCRYPTO_AES)
--    /* if all AES is enabled with devcrypto then tables are not needed */
--
--    #if defined(HAVE_AESCCM)
--    static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
--    {
--        wc_AesEncryptDirect(aes, outBlock, inBlock);
--        return 0;
--    }
--    #endif
--
- #else
- 
-     /* using wolfCrypt software implementation */
-@@ -1593,8 +1585,8 @@ static void wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
- #endif /* HAVE_AES_CBC || WOLFSSL_AES_DIRECT || HAVE_AESGCM */
- 
- #if defined(HAVE_AES_DECRYPT)
--#if (defined(HAVE_AES_CBC) || defined(WOLFSSL_AES_DIRECT)) && \
--    !defined(WOLFSSL_DEVCRYPTO_CBC)
-+#if (defined(HAVE_AES_CBC) && !defined(WOLFSSL_DEVCRYPTO_CBC)) || \
-+     defined(WOLFSSL_AES_DIRECT)
- 
- /* load 4 Td Tables into cache by cache line stride */
- static WC_INLINE word32 PreFetchTd(void)

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list