| Message ID | 1432158126.4416.19.camel@chimera |
|---|---|
| State | Accepted |
On 05/20/2015 11:42 PM, Daniel Gimpelevich wrote:
> This patch introduces a new build error into coova-chilli, but
> coova-chilli already fails to build even without it anyway. CyaSSL is
> now called wolfSSL, and all the APIs have been renamed, and
> backward-compatibility headers added.

Does this fix any security issues? Otherwise I would wait till the
branch to update this library.

Hauke
On Thu, 2015-05-21 at 00:19 +0200, Hauke Mehrtens wrote:
> On 05/20/2015 11:42 PM, Daniel Gimpelevich wrote:
> > This patch introduces a new build error into coova-chilli, but
> > coova-chilli already fails to build even without it anyway. CyaSSL is
> > now called wolfSSL, and all the APIs have been renamed, and
> > backward-compatibility headers added.
>
> Does this fix any security issues? Otherwise I would wait till the
> branch to update this library.
>
> Hauke

It's mostly new features and many bug fixes, though there are a few
minor security-related changes relating to obsolete algorithms and
protocols. The changelog contains the following note:

- No high level security fixes that requires an update though we always
  recommend updating to the latest (except note 6 use case of ecc/normal math)

It should be noted that since version 3.3.0, there have been versions
3.3.2, 3.4.0, and 3.4.6 now.

It might be worth fixing the coova-chilli package to build before the
branch so that it isn't stuck with a broken package, but if anyone does
that without this patch, applying this patch will re-break it, so it
might pay to do this a priori. If you disagree, I believe the branch is
scheduled for this week, so the wait wouldn't be long.
On Wed, 2015-05-20 at 15:34 -0700, Daniel Gimpelevich wrote:
> On Thu, 2015-05-21 at 00:19 +0200, Hauke Mehrtens wrote:
> > On 05/20/2015 11:42 PM, Daniel Gimpelevich wrote:
> > > This patch introduces a new build error into coova-chilli, but
> > > coova-chilli already fails to build even without it anyway. CyaSSL is
> > > now called wolfSSL, and all the APIs have been renamed, and
> > > backward-compatibility headers added.
> >
> > Does this fix any security issues? Otherwise I would wait till the
> > branch to update this library.
> >
> > Hauke
>
> It's mostly new features and many bug fixes, though there are a few
> minor security-related changes relating to obsolete algorithms and
> protocols. The changelog contains the following note:
>
> - No high level security fixes that requires an update though we always
>   recommend updating to the latest (except note 6 use case of ecc/normal math)
>
> It should be noted that since version 3.3.0, there have been versions
> 3.3.2, 3.4.0, and 3.4.6 now.
>
> It might be worth fixing the coova-chilli package to build before the
> branch so that it isn't stuck with a broken package, but if anyone does
> that without this patch, applying this patch will re-break it, so it
> might pay to do this a priori. If you disagree, I believe the branch is
> scheduled for this week, so the wait wouldn't be long.

Chaos Calmer has been branched. Time to apply the patch?
--- a/package/libs/cyassl/Makefile (revision 45705) +++ b/package/libs/cyassl/Makefile (working copy) @@ -7,13 +7,13 @@ include $(TOPDIR)/rules.mk -PKG_NAME:=cyassl -PKG_VERSION:=3.3.0 -PKG_RELEASE:=2 +PKG_NAME:=wolfssl +PKG_VERSION:=3.4.6 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip PKG_SOURCE_URL:=http://www.yassl.com/ -PKG_MD5SUM:=0303eb0f2f9065a1207d9104ab0eba7c +PKG_MD5SUM:=0410b3841588d635e9ecacb2d42c38f5 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -45,17 +45,27 @@ --enable-ecc \ --disable-examples +ifneq ($(CONFIG_TARGET_x86),) + CONFIGURE_ARGS += --enable-intelasm +endif +ifneq ($(CONFIG_TARGET_x86_64),) + CONFIGURE_ARGS += --enable-intelasm +endif + define Build/InstallDev $(INSTALL_DIR) $(1)/usr/include $(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libcyassl.{so*,la} $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.{so*,la} $(1)/usr/lib/ + ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so + ln -s libwolfssl.la $(1)/usr/lib/libcyassl.la endef define Package/libcyassl/install $(INSTALL_DIR) $(1)/usr/lib - $(CP) $(PKG_INSTALL_DIR)/usr/lib/libcyassl.so* $(1)/usr/lib/ + $(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.so* $(1)/usr/lib/ + ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so endef $(eval $(call BuildPackage,libcyassl)) --- a/package/libs/cyassl/patches/200-SSL_accept-handle-hello-garbage.patch (revision 45705) +++ b/package/libs/cyassl/patches/200-SSL_accept-handle-hello-garbage.patch (working copy) @@ -1,6 +1,6 @@ --- a/src/internal.c +++ b/src/internal.c -@@ -6037,6 +6037,10 @@ int ProcessReply(CYASSL* ssl) +@@ -6353,6 +6353,10 @@ int ProcessReply(CYASSL* ssl) b1 = ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1); --- a/package/libs/cyassl/patches/300-SSL_set_tlsext_host_name.patch (revision 45705) +++ b/package/libs/cyassl/patches/300-SSL_set_tlsext_host_name.patch (working copy) 
@@ -1,10 +1,10 @@ ---- a/cyassl/openssl/ssl.h -+++ b/cyassl/openssl/ssl.h -@@ -372,6 +373,7 @@ - #define SSL_CTX_get_ex_new_index CyaSSL_CTX_get_ex_new_index +--- a/wolfssl/openssl/ssl.h ++++ b/wolfssl/openssl/ssl.h +@@ -398,6 +398,7 @@ + #define SSL_get_default_timeout(ctx) 500 -+#define SSL_set_tlsext_host_name(x, y) CyaSSL_UseSNI(x, CYASSL_SNI_HOST_NAME, y, strlen(y)) ++#define SSL_set_tlsext_host_name(x, y) wolfSSL_UseSNI(x, WOLFSSL_SNI_HOST_NAME, y, strlen(y)) #ifdef __cplusplus } /* extern "C" */ --- /dev/null (revision 0) +++ b/package/libs/cyassl/patches/400-additional_compatibility.patch (working copy) @@ -0,0 +1,15 @@ +--- a/cyassl/openssl/ssl.h 2015-02-25 13:04:52.000000000 -0800 ++++ b/cyassl/openssl/ssl.h 2015-05-20 11:13:44.476628943 -0700 +@@ -25,3 +25,12 @@ + */ + ++#ifndef CYASSL_OPENSSL_H_ ++#define CYASSL_OPENSSL_H_ ++ ++#include <cyassl/ssl.h> ++#ifndef HAVE_SNI ++#undef CYASSL_SNI_HOST_NAME ++#endif + #include <wolfssl/openssl/ssl.h> ++ ++#endif
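Review bot: in the first Makefile hunk (`@@ -7,13 +7,13 @@`), PKG_MD5SUM is the only integrity check on the new source archive, because PKG_SOURCE_URL stays `http://www.yassl.com/` (plain HTTP, unchanged by this patch). Please confirm that the new value `0410b3841588d635e9ecacb2d42c38f5` was computed from a wolfssl-3.4.6.zip fetched independently of this patch and state that in the commit message, so a reviewer can reproduce it; a checksum copied from an already-downloaded buildroot verifies nothing. Resetting PKG_RELEASE to 1 together with the version bump is correct.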
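Review bot: in the second Makefile hunk (`@@ -45,17 +45,27 @@`), the three new `ln -s` calls in Build/InstallDev and Package/libcyassl/install lack `-f`, so re-running the install step against a staging or install directory that already holds `libcyassl.so` or `libcyassl.la` fails with "File exists"; use `ln -sf` (the adjacent `$(CP)` lines already overwrite). The two `ifneq` blocks add the identical `--enable-intelasm` flag; if CONFIG_TARGET_x86 is also set on x86_64 subtargets, the second block is redundant and the flag is passed twice, so one condition would do. Since the flag enables CPU-specific assembly, the commit message should also say which x86 subtargets the resulting library was tested on.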
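Review bot: the hunk for `200-SSL_accept-handle-hello-garbage.patch` only moves the offset from `-6037,6 +6037,10` to `-6353,6 +6353,10` while the function-context text after the second `@@` still reads `int ProcessReply(CYASSL* ssl)`. That text is informational and ignored by patch/quilt when applying, so it does not break the build, but it shows the patch was edited by hand rather than refreshed; please run `quilt refresh` against the 3.4.6 sources so the offsets, function context and surrounding lines are regenerated from the actual file and the patch is known to apply without fuzz.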
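Review bot: in the `300-SSL_set_tlsext_host_name.patch` hunk, the replacement `#define SSL_set_tlsext_host_name(x, y) wolfSSL_UseSNI(x, WOLFSSL_SNI_HOST_NAME, y, strlen(y))` evaluates `y` twice and relies on `strlen` from `<string.h>`, which this header is not shown to include; a caller passing an expression with side effects gets it evaluated twice, and one that has not included `<string.h>` gets an implicit-declaration warning or error. A static inline wrapper (or a comment stating that `y` must be a plain lvalue) avoids both. The macro also only resolves when the library is built with SNI support (HAVE_SNI); that configure flag is not visible in the CONFIGURE_ARGS context of this diff, so please confirm it is set, otherwise the macro expands to a call to an undeclared function.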
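Review bot: the new `400-additional_compatibility.patch` carries no description header explaining why `cyassl/openssl/ssl.h` needs an include guard, why `<cyassl/ssl.h>` must be included before `<wolfssl/openssl/ssl.h>`, and in particular why `CYASSL_SNI_HOST_NAME` is `#undef`'d when HAVE_SNI is unset; please add a short comment at the top of the patch (or in the commit message) so the next person bumping this package can tell whether the patch is still needed. Its `---`/`+++` lines also carry timestamps and local paths, unlike the clean `a/`/`b/` headers used by `300-SSL_set_tlsext_host_name.patch`; strip them for consistency with the other patches in the directory.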
This patch introduces a new build error into coova-chilli, but
coova-chilli already fails to build even without it anyway. CyaSSL is
now called wolfSSL, and all the APIs have been renamed, and
backward-compatibility headers added.

Signed-off-by: Daniel Gimpelevich <daniel@gimpelevich.san-francisco.ca.us>