From patchwork Mon Aug 24 18:12:11 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Hauke Mehrtens <hauke@hauke-m.de>
X-Patchwork-Id: 1350594
X-Patchwork-Delegate: hauke@hauke-m.de
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org
 (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org;
 envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
 receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
 dmarc=none (p=none dis=none) header.from=hauke-m.de
Received: from merlin.infradead.org (merlin.infradead.org
 [IPv6:2001:8b0:10b:1231::1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4Bb0dJ6rvlz9sR4
	for <incoming@patchwork.ozlabs.org>; Tue, 25 Aug 2020 04:14:28 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding:
	Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive:
	List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From:
	Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender
	:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner;
	bh=irOw5/f5Ptdcrn0JaaJQvI3kb+/qdVuEMOMqENWTBww=; b=PH1QUKwLKverYJkNhbu2SVnvnj
	p2x8tVtQws4KdfRdlYNAg/IxAiU5AxsH/sKnF/KC7wkBJ7AtDFt0dpR9MxBz6tNm7ys4a10JbXo2Z
	8+ZGY7H/MQ68Ox5TtPh8M6zyO8jSIr5WcIoGqFqF6Q98izLcH3g8Us51KkwY/wxzUIh3+LiYXr/xr
	QeQKmrOdAaomd06AXVjj/MUDyQhmRylaD+wWe6FcHs0KzZCzTORbs8aHyTNKAzA4l/LszCD9+3GSc
	esB5l5cc55qW/HkFxfewCZuQ8i+Ga4cc9JTmdnRUDFjO7x8j/jZIUvZhvpEx6a8cmPhQoXFrqotf1
	rJzQGO3A==;
Received: from localhost ([::1] helo=merlin.infradead.org)
	by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux))
	id 1kAGxV-0007Lf-A3; Mon, 24 Aug 2020 18:12:41 +0000
Received: from mout-p-202.mailbox.org ([80.241.56.172])
 by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux))
 id 1kAGxR-0007Kg-Co
 for openwrt-devel@lists.openwrt.org; Mon, 24 Aug 2020 18:12:39 +0000
Received: from smtp1.mailbox.org (smtp1.mailbox.org [80.241.60.240])
 (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits))
 (No client certificate requested)
 by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4Bb0b51W2NzQlGw;
 Mon, 24 Aug 2020 20:12:33 +0200 (CEST)
X-Virus-Scanned: amavisd-new at heinlein-support.de
Received: from smtp1.mailbox.org ([80.241.60.240])
 by hefe.heinlein-support.de (hefe.heinlein-support.de [91.198.250.172])
 (amavisd-new, port 10030)
 with ESMTP id hWZs_b7o0TdT; Mon, 24 Aug 2020 20:12:29 +0200 (CEST)
From: Hauke Mehrtens <hauke@hauke-m.de>
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH] wolfssl: Update to version 4.5.0
Date: Mon, 24 Aug 2020 20:12:11 +0200
Message-Id: <20200824181211.3790-1-hauke@hauke-m.de>
MIME-Version: 1.0
X-MBO-SPAM-Probability: 
X-Rspamd-Score: -7.71 / 15.00 / 15.00
X-Rspamd-Queue-Id: 13CDF68E
X-Rspamd-UID: b3d80e
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20200824_141237_571496_3C7FAD67 
X-CRM114-Status: GOOD (  15.48  )
X-Spam-Score: -0.7 (/)
X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary:
 Content analysis details:   (-0.7 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 RCVD_IN_MSPIKE_H4      RBL: Very Good reputation (+4)
 [80.241.56.172 listed in wl.mailspike.net]
 -0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/,
 low trust [80.241.56.172 listed in list.dnswl.org]
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OpenWrt Development List <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <https://lists.openwrt.org/mailman/options/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.openwrt.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <https://lists.openwrt.org/mailman/listinfo/openwrt-devel>,
 <mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

This fixes the following security problems:
* In earlier versions of wolfSSL there exists a potential man in the
  middle attack on TLS 1.3 clients.
* Denial of service attack on TLS 1.3 servers from repetitively sending
  ChangeCipherSpecs messages. (CVE-2020-12457)
* Potential cache timing attacks on public key operations in builds that
  are not using SP (single precision). (CVE-2020-15309)
* When using SGX with EC scalar multiplication the possibility of side-
  channel attacks are present.
* Leak of private key in the case that PEM format private keys are
  bundled in with PEM certificates into a single file.
* During the handshake, clear application_data messages in epoch 0 are
  processed and returned to the application.

Full changelog:
https://www.wolfssl.com/docs/wolfssl-changelog/

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
---
 package/libs/wolfssl/Makefile                               | 6 +++---
 .../libs/wolfssl/patches/100-disable-hardening-check.patch  | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 159cfbc53f74..eb77caee3392 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.4.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.5.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=7f854804c8ae0ca49cc77809e38e9a3b5a8c91ba7855ea928e6d6651b0d35f18
+PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 5d83eca770ea..43337ba97024 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -1930,7 +1930,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */