Message ID | 20201229174920.29215-1-cotequeiroz@gmail.com |
---|---|
State | Accepted |
Delegated to: | Hauke Mehrtens |
Series | wolfssl: Update to v4.6.0-stable | expand |
On Tue, Dec 29, 2020 at 9:53 AM Eneas U de Queiroz <cotequeiroz@gmail.com> wrote: > > This version fixes a large number of bugs, although no security > vulnerabilities are listed. > > Full changelog at: > https://www.wolfssl.com/docs/wolfssl-changelog/ > or, as part of the version's README.md: > https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md > > Due a number of API additions, size increases from 374.7K to 408.8K for > arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version. > > Backported patches were removed; remaining patch was refreshed. > > Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> https://github.com/transmission/transmission/issues/1537 is still an issue. I was hoping an update would fix it but it did not. I tried fixing it here: https://github.com/openwrt/packages/pull/14342 but no dice. > --- > > Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and > wpad-wolfssl. > > diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile > index 6758f7dd08..dcc6aca40c 100644 > --- a/package/libs/wolfssl/Makefile > +++ b/package/libs/wolfssl/Makefile > @@ -8,12 +8,12 @@ > include $(TOPDIR)/rules.mk > > PKG_NAME:=wolfssl > -PKG_VERSION:=4.5.0-stable > -PKG_RELEASE:=5 > +PKG_VERSION:=4.6.0-stable > +PKG_RELEASE:=1 > > PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz > PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) > -PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c > +PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848 > > PKG_FIXUP:=libtool > PKG_INSTALL:=1 > diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch > index 43337ba970..c2793285e7 100644 > --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch > +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch > @@ -1,6 +1,6 @@ 
> --- a/wolfssl/wolfcrypt/settings.h > +++ b/wolfssl/wolfcrypt/settings.h > -@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ; > +@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ; > #endif > > /* warning for not using harden build options (default with ./configure) */ > diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch > deleted file mode 100644 > index 3838865559..0000000000 > --- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch > +++ /dev/null > @@ -1,27 +0,0 @@ > -From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001 > -From: Tesfa Mael <tesfa@wolfssl.com> > -Date: Wed, 26 Aug 2020 10:13:06 -0700 > -Subject: [PATCH] Make ByteReverseWords available for big and little endian > - > ---- > - wolfcrypt/src/misc.c | 2 -- > - 1 file changed, 2 deletions(-) > - > ---- a/wolfcrypt/src/misc.c > -+++ b/wolfcrypt/src/misc.c > -@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo > - return rotlFixed(value, 16U); > - #endif > - } > --#if defined(LITTLE_ENDIAN_ORDER) > - /* This routine performs a byte swap of words array of a given count. */ > - WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, > - word32 byteCount) > -@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord > - out[i] = ByteReverseWord32(in[i]); > - > - } > --#endif /* LITTLE_ENDIAN_ORDER */ > - > - #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS) > - > diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch > deleted file mode 100644 > index aaf14e46d9..0000000000 > --- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch > +++ /dev/null 
> @@ -1,123 +0,0 @@ > -From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001 > -From: Eric Blankenhorn <eric@wolfssl.com> > -Date: Fri, 17 Jul 2020 08:37:02 -0500 > -Subject: [PATCH] Fix CheckHostName matching > - > ---- > - src/internal.c | 18 ++++++++++++------ > - src/ssl.c | 5 +++++ > - tests/api.c | 30 ++++++++++++++++++++++++++++++ > - 3 files changed, 47 insertions(+), 6 deletions(-) > - > -diff --git a/src/internal.c b/src/internal.c > -index dc57df0242..cda815d875 100644 > ---- a/src/internal.c > -+++ b/src/internal.c > -@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) > - altName = dCert->altNames; > - > - if (checkCN != NULL) { > -- *checkCN = altName == NULL; > -+ *checkCN = (altName == NULL) ? 1 : 0; > - } > - > - while (altName) { > -@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) > - int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen) > - { > - int checkCN; > -+ int ret = DOMAIN_NAME_MISMATCH; > - > - /* Assume name is NUL terminated. 
*/ > - (void)domainNameLen; > - > - if (CheckForAltNames(dCert, domainName, &checkCN) != 1) { > -- WOLFSSL_MSG("DomainName match on alt names failed too"); > -- return DOMAIN_NAME_MISMATCH; > -+ WOLFSSL_MSG("DomainName match on alt names failed"); > - } > -+ else { > -+ ret = 0; > -+ } > -+ > - if (checkCN == 1) { > - if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, > -- domainName) == 0) { > -+ domainName) == 1) { > -+ ret = 0; > -+ } > -+ else { > - WOLFSSL_MSG("DomainName match on common name failed"); > -- return DOMAIN_NAME_MISMATCH; > - } > - } > - > -- return 0; > -+ return ret; > - } > - > - int CheckIPAddr(DecodedCert* dCert, const char* ipasc) > -diff --git a/src/ssl.c b/src/ssl.c > -index 11bc08a3cb..59ad9bae60 100644 > ---- a/src/ssl.c > -+++ b/src/ssl.c > -@@ -43661,6 +43661,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, > - (void)flags; > - (void)peername; > - > -+ if ((x == NULL) || (chk == NULL)) { > -+ WOLFSSL_MSG("Invalid parameter"); > -+ return WOLFSSL_FAILURE; > -+ } > -+ > - if (flags == WOLFSSL_NO_WILDCARDS) { > - WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); > - return WOLFSSL_FAILURE; > -diff --git a/tests/api.c b/tests/api.c > -index 774a332968..db888952d4 100644 > ---- a/tests/api.c > -+++ b/tests/api.c > -@@ -23875,6 +23875,35 @@ static void test_wolfSSL_X509_issuer_name_hash(void) > - #endif > - } > - > -+static void test_wolfSSL_X509_check_host(void) > -+{ > -+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ > -+ && !defined(NO_SHA) && !defined(NO_RSA) > -+ > -+ X509* x509; > -+ const char altName[] = "example.com"; > -+ > -+ printf(testingFmt, "wolfSSL_X509_check_host()"); > -+ > -+ AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, > -+ SSL_FILETYPE_PEM)); > -+ > -+ AssertIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL), > -+ WOLFSSL_SUCCESS); > -+ > -+ AssertIntEQ(X509_check_host(x509, NULL, 0, 0, NULL), > 
-+ WOLFSSL_FAILURE); > -+ > -+ X509_free(x509); > -+ > -+ AssertIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL), > -+ WOLFSSL_FAILURE); > -+ > -+ printf(resultFmt, passed); > -+ > -+#endif > -+} > -+ > - static void test_wolfSSL_DES(void) > - { > - #if defined(OPENSSL_EXTRA) && !defined(NO_DES3) > -@@ -36407,6 +36436,7 @@ void ApiTest(void) > - test_wolfSSL_X509_INFO(); > - test_wolfSSL_X509_subject_name_hash(); > - test_wolfSSL_X509_issuer_name_hash(); > -+ test_wolfSSL_X509_check_host(); > - test_wolfSSL_DES(); > - test_wolfSSL_certs(); > - test_wolfSSL_ASN1_TIME_print(); > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 6758f7dd08..dcc6aca40c 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.5.0-stable
-PKG_RELEASE:=5
+PKG_VERSION:=4.6.0-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c
+PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 43337ba970..c2793285e7 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
deleted file mode 100644
index 3838865559..0000000000
--- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch
+++ /dev/null
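Review bot: The new `+PKG_HASH:=053aefbb…` line is the only integrity control on the fetched source, and PKG_SOURCE_URL still points at GitHub's on-the-fly archive of the `v$(PKG_VERSION)` tag rather than a published release artifact, yet the commit message does not say how the hash was obtained. A sentence in the message stating whether 053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848 was compared against an upstream-published checksum or signature (if wolfSSL provides one for this release) or simply taken from a fresh download would let the next bump be verified the same way. Because the dropped 110 and 200 patches are now carried only by this version bump, it would also help to state that their upstream commits, b90acc91 and ea5c290d as named in the removed files, are part of v4.6.0-stable, so the big-endian build fix and the CheckHostName matching fix are known not to regress.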
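Review bot: The refreshed 100-disable-hardening-check.patch records only a line-number move (`-@@ -2128,7` to `+@@ -2248,7`) and still carries no header explaining why the settings.h warning about missing harden build options is silenced; the patch body that does the silencing lies outside this hunk. Whether the OpenWrt build actually enables those hardening options through its configure arguments (not visible here) and the warning is merely redundant, or whether hardening is intentionally off, is exactly what a future refresh needs to know before carrying the patch forward. Suggest a short header at the top of the patch stating which of the two it is and pointing at the Makefile's configure flags, so the decision is rediscoverable rather than re-derived at each version bump.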
@@ -1,27 +0,0 @@
-From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001
-From: Tesfa Mael <tesfa@wolfssl.com>
-Date: Wed, 26 Aug 2020 10:13:06 -0700
-Subject: [PATCH] Make ByteReverseWords available for big and little endian
-
----
- wolfcrypt/src/misc.c | 2 --
- 1 file changed, 2 deletions(-)
-
---- a/wolfcrypt/src/misc.c
-+++ b/wolfcrypt/src/misc.c
-@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo
-     return rotlFixed(value, 16U);
- #endif
- }
--#if defined(LITTLE_ENDIAN_ORDER)
- /* This routine performs a byte swap of words array of a given count. */
- WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in,
-                                           word32 byteCount)
-@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord
-         out[i] = ByteReverseWord32(in[i]);
- 
- }
--#endif /* LITTLE_ENDIAN_ORDER */
- 
- #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS)
- 
diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
deleted file mode 100644
index aaf14e46d9..0000000000
--- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001
-From: Eric Blankenhorn <eric@wolfssl.com>
-Date: Fri, 17 Jul 2020 08:37:02 -0500
-Subject: [PATCH] Fix CheckHostName matching
-
----
- src/internal.c | 18 ++++++++++++------
- src/ssl.c      |  5 +++++
- tests/api.c    | 30 ++++++++++++++++++++++++++++++
- 3 files changed, 47 insertions(+), 6 deletions(-)
-
-diff --git a/src/internal.c b/src/internal.c
-index dc57df0242..cda815d875 100644
---- a/src/internal.c
-+++ b/src/internal.c
-@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
-     altName = dCert->altNames;
- 
-     if (checkCN != NULL) {
--        *checkCN = altName == NULL;
-+        *checkCN = (altName == NULL) ? 1 : 0;
-     }
- 
-     while (altName) {
-@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN)
- int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen)
- {
-     int checkCN;
-+    int ret = DOMAIN_NAME_MISMATCH;
- 
-     /* Assume name is NUL terminated. */
-     (void)domainNameLen;
- 
-     if (CheckForAltNames(dCert, domainName, &checkCN) != 1) {
--        WOLFSSL_MSG("DomainName match on alt names failed too");
--        return DOMAIN_NAME_MISMATCH;
-+        WOLFSSL_MSG("DomainName match on alt names failed");
-     }
-+    else {
-+        ret = 0;
-+    }
-+
-     if (checkCN == 1) {
-         if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen,
--                            domainName) == 0) {
-+                            domainName) == 1) {
-+            ret = 0;
-+        }
-+        else {
-             WOLFSSL_MSG("DomainName match on common name failed");
--            return DOMAIN_NAME_MISMATCH;
-         }
-     }
- 
--    return 0;
-+    return ret;
- }
- 
- int CheckIPAddr(DecodedCert* dCert, const char* ipasc)
-diff --git a/src/ssl.c b/src/ssl.c
-index 11bc08a3cb..59ad9bae60 100644
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -43661,6 +43661,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen,
-     (void)flags;
-     (void)peername;
- 
-+    if ((x == NULL) || (chk == NULL)) {
-+        WOLFSSL_MSG("Invalid parameter");
-+        return WOLFSSL_FAILURE;
-+    }
-+
-     if (flags == WOLFSSL_NO_WILDCARDS) {
-         WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented");
-         return WOLFSSL_FAILURE;
-diff --git a/tests/api.c b/tests/api.c
-index 774a332968..db888952d4 100644
---- a/tests/api.c
-+++ b/tests/api.c
-@@ -23875,6 +23875,35 @@ static void test_wolfSSL_X509_issuer_name_hash(void)
- #endif
- }
- 
-+static void test_wolfSSL_X509_check_host(void)
-+{
-+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \
-+    && !defined(NO_SHA) && !defined(NO_RSA)
-+
-+    X509* x509;
-+    const char altName[] = "example.com";
-+
-+    printf(testingFmt, "wolfSSL_X509_check_host()");
-+
-+    AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile,
-+                SSL_FILETYPE_PEM));
-+
-+    AssertIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL),
-+            WOLFSSL_SUCCESS);
-+
-+    AssertIntEQ(X509_check_host(x509, NULL, 0, 0, NULL),
-+            WOLFSSL_FAILURE);
-+
-+    X509_free(x509);
-+
-+    AssertIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL),
-+            WOLFSSL_FAILURE);
-+
-+    printf(resultFmt, passed);
-+
-+#endif
-+}
-+
- static void test_wolfSSL_DES(void)
- {
- #if defined(OPENSSL_EXTRA) && !defined(NO_DES3)
-@@ -36407,6 +36436,7 @@ void ApiTest(void)
-     test_wolfSSL_X509_INFO();
-     test_wolfSSL_X509_subject_name_hash();
-     test_wolfSSL_X509_issuer_name_hash();
-+    test_wolfSSL_X509_check_host();
-     test_wolfSSL_DES();
-     test_wolfSSL_certs();
-     test_wolfSSL_ASN1_TIME_print();
This version fixes a large number of bugs, although no security vulnerabilities are listed. Full changelog at: https://www.wolfssl.com/docs/wolfssl-changelog/ or, as part of the version's README.md: https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md Due to a number of API additions, size increases from 374.7K to 408.8K for arm_cortex_a9_vfpv3-d16. The ABI does not change from the previous version. Backported patches were removed; the remaining patch was refreshed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> --- Run-tested on a Linksys WRT3200ACM (arm) with uhttpd, uclient-fetch, and wpad-wolfssl.