From patchwork Sun Feb 21 21:33:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eneas U de Queiroz X-Patchwork-Id: 1442887 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=wGOS9nbP; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20161025 header.b=FpH+TRfi; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4DkJYG2Wrfz9sBJ for ; Mon, 22 Feb 2021 08:36:50 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=iMSUNfKobEU8fgnuWr87xSOvZpE50Zs+GFS14UEZhMI=; b=wGOS9nbPCGnBkjcdLRNI2UMxE5 7g6WAW/lufivV6dwrggSZP9+LCeCUD0ySsvqYsOU9AsVc97+5/ShE9x+FTrhOH9t3Mu5asfSgij7Q DDVYp2yQisYH8B52SH0uJFSHgAg1Y0yzFb9HfeV5o0aU8qc4WLz/sqqgkf7KsiBdvodConkmGngzl arCSmcm7tRby7jC/dkmA2xlOUSiZojSUa9jsi1H/4btNmddzRZ//7tDjl7s6a4o1wf+KB377AZ9eV 1OPIXu9lusyMGVJmeiwaoazP5e0Gxz7ceHiEHCWdJ6MWasnnxNOdfJVI6433QJNZLKFV98o8he8pw tYnbndvA==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1lDwN6-0002wK-TN; Sun, 21 Feb 2021 21:34:32 +0000 Received: from mail-qk1-x72f.google.com ([2607:f8b0:4864:20::72f]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1lDwN1-0002vv-IM for openwrt-devel@lists.openwrt.org; Sun, 21 Feb 2021 21:34:30 +0000 Received: by mail-qk1-x72f.google.com with SMTP id x14so10922136qkm.2 for ; Sun, 21 Feb 2021 13:34:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Yu27Fw8BPdcyseEnSvhS3WyESYM4TjZyY4OYaIpZovM=; b=FpH+TRfiWKqzXG65kboUulEGnEcg113pvHSqmZTTuLmHj63cy/WPyoMexkcN3sJcHC fzJwTSPN5c4GweHmzI8EJth9GUHveDmmh/ubvHcZSILkV+HtBoc0lIwuG/bYb7BPQDHH CfZWUP1BVya7kgRUywOQ21FRhReXBPgc6bBAPvzb0zluCfTKrO0C22N2VaL1Gr+ab/0r uHTr3Y3xTsgU0YNVamHapHeZzwfyZ5ZNyEehSGJ5LK/90+nj17CqRJUKREsseLYor+PY qMjyTlWYcDX0J0LErpWRdV8ARKfRO5PINY/0UhyVFfdPdyKx88pTF7rwqS00pZd3Sfxp xsiw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=Yu27Fw8BPdcyseEnSvhS3WyESYM4TjZyY4OYaIpZovM=; b=HzmLzmZZgl09rd5+kX0xnAFLo4NFk/vvSNMoXG/A5SLBwfDiprSm3ko3kvpTaRXUbg U0Kt/nnxAJuiuhv7J6zvw6eDVH7seTws4IRtno71vR2Bdn4ABEnLHPEZqSepYM3sYAPS ++5tNiGunbQH9kL59BwQB1jxg9DesalVX+cV9VaBxEuA5f/ijqnZuTWc9TlqNxMTvu4u ZGtw2pdBMBTMrjLhDiwmXOzrfyottEg2TtHs7vpbRnHfi/me8LKjb5O9op/z9F3KF+xz K4kQn4Gd0PFR2I/l2M+9r2yBmB3oTVHu9TWSOxqtqAC3ZASWFYPzXzd2h2WJMpzM2Fdf SZzA== X-Gm-Message-State: AOAM531x04CZLBQyQYv9d+m03xwGJeME7dZIXEa6r4XmZg+08KXhlWBn B0AgUuugFzoO3+kPG0RowYthyMAN7UU= X-Google-Smtp-Source: ABdhPJwjGhnQJE22E9N+nMN8T3AR92fPzIHH7QreI75JW1Wz+vb017TgwSJ9oZlZBzHzCpb4gwmnIg== X-Received: by 2002:a05:620a:403:: with SMTP id 3mr11481071qkp.96.1613943262892; Sun, 21 Feb 2021 13:34:22 -0800 (PST) Received: from gateway.troianet.com.br (ipv6.troianet.com.br. [2804:688:21:4::2]) by smtp.gmail.com with ESMTPSA id t19sm10915197qke.109.2021.02.21.13.34.21 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 21 Feb 2021 13:34:22 -0800 (PST) From: Eneas U de Queiroz To: openwrt-devel@lists.openwrt.org Subject: [PATCH] wolfssl: bump to v4.7.0-stable Date: Sun, 21 Feb 2021 18:33:30 -0300 Message-Id: <20210221213330.7599-1-cotequeiroz@gmail.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20210221_163427_671590_C500FFBA X-CRM114-Status: GOOD ( 17.21 ) X-Spam-Score: -0.2 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (-0.2 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2607:f8b0:4864:20:0:0:0:72f listed in] [list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [cotequeiroz[at]gmail.com] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Eneas U de Queiroz Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. Signed-off-by: Eneas U de Queiroz --- This was run-tested with master on mvebu using uhttpd and hostapd, and should be cherry-picked to 21.02, and 19.07. It was compile-tested with 21.02 and 19.07. --- package/libs/wolfssl/Makefile | 6 +-- .../wolfssl/patches/010-CVE-2021-3336.patch | 53 ------------------- .../patches/100-disable-hardening-check.patch | 2 +- ...Fix-linking-against-hostapd-with-LTO.patch | 25 --------- .../patches/120-enable-secret-callback.patch | 10 ---- 5 files changed, 4 insertions(+), 92 deletions(-) delete mode 100644 package/libs/wolfssl/patches/010-CVE-2021-3336.patch delete mode 100644 package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch delete mode 100644 package/libs/wolfssl/patches/120-enable-secret-callback.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 846351f06d..53cd932d1f 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.6.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.7.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848 +PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch deleted file mode 100644 index abb9bfdd9b..0000000000 --- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch +++ /dev/null @@ -1,53 +0,0 @@ -From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001 -From: Sean Parkinson -Date: Thu, 21 Jan 2021 08:24:38 +1000 -Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify - ---- - src/tls13.c | 18 +++++++++++++----- - 1 file changed, 13 insertions(+), 5 deletions(-) - ---- a/src/tls13.c -+++ b/src/tls13.c -@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF - #ifdef HAVE_ED25519 - if (args->sigAlgo == ed25519_sa_algo && - !ssl->peerEd25519KeyPresent) { -- WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify"); -+ WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert"); -+ ret = SIG_VERIFY_E; -+ goto exit_dcv; - } - #endif - #ifdef HAVE_ED448 - if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) { -- WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify"); -+ WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert"); -+ ret = SIG_VERIFY_E; -+ goto exit_dcv; - } - #endif - #ifdef HAVE_ECC - if (args->sigAlgo == ecc_dsa_sa_algo && - !ssl->peerEccDsaKeyPresent) { -- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify"); -+ WOLFSSL_MSG("Peer sent ECC sig but not ECC cert"); -+ ret = SIG_VERIFY_E; -+ goto exit_dcv; - } - #endif - #ifndef NO_RSA - if (args->sigAlgo == rsa_sa_algo) { -- WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature"); -+ WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate"); - ERROR_OUT(INVALID_PARAMETER, exit_dcv); - } - if (args->sigAlgo == rsa_pss_sa_algo && - (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) { -- WOLFSSL_MSG("Oops, peer sent RSA key but not in verify"); -+ WOLFSSL_MSG("Peer sent RSA sig but not RSA cert"); -+ ret = SIG_VERIFY_E; -+ goto exit_dcv; - } - #endif - diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c2793285e7..c89ff1be9d 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ; +@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch b/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch deleted file mode 100644 index c24a15116f..0000000000 --- a/package/libs/wolfssl/patches/110-Fix-linking-against-hostapd-with-LTO.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 391ecbd647c121300dc7dcf209e412ccb7b8d432 Mon Sep 17 00:00:00 2001 -From: Hauke Mehrtens -Date: Fri, 1 Jan 2021 21:57:56 +0100 -Subject: [PATCH] Fix linking against hostapd with LTO - -When running LTO on wolfssl the ecc_map() function is removed from the -binary by GCC 8.4.0. This function is used by multiple functions from -the crypto_wolfssl.c implementation of hostapd master. - -Fixes: 780e8a4619b6 ("Fixes for building `--enable-wpas=small` with WPA Supplicant v2.7.") -Signed-off-by: Hauke Mehrtens ---- - configure.ac | 1 + - 1 file changed, 1 insertion(+) - ---- a/configure.ac -+++ b/configure.ac -@@ -947,6 +947,7 @@ then - AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL" - - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_MP" -+ AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_PUBLIC_ECC_ADD_DBL" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_DER_LOAD" - AM_CFLAGS="$AM_CFLAGS -DATOMIC_USER" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_KEY_GEN" diff --git a/package/libs/wolfssl/patches/120-enable-secret-callback.patch b/package/libs/wolfssl/patches/120-enable-secret-callback.patch deleted file mode 100644 index 9c9b361d01..0000000000 --- a/package/libs/wolfssl/patches/120-enable-secret-callback.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/configure.ac -+++ b/configure.ac -@@ -943,6 +943,7 @@ then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALWAYS_KEEP_SNI" - AM_CFLAGS="$AM_CFLAGS -DHAVE_EX_DATA" - AM_CFLAGS="$AM_CFLAGS -DHAVE_EXT_CACHE" -+ AM_CFLAGS="$AM_CFLAGS -DHAVE_SECRET_CALLBACK" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_EITHER_SIDE" - AM_CFLAGS="$AM_CFLAGS -DOPENSSL_EXTRA_X509_SMALL" -