From patchwork Tue Aug 25 22:19:59 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hauke Mehrtens X-Patchwork-Id: 1351554 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.openwrt.org (client-ip=2001:8b0:10b:1231::1; helo=merlin.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=hauke-m.de Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=merlin.20170209 header.b=zrvzKv4L; dkim-atps=neutral Received: from merlin.infradead.org (merlin.infradead.org [IPv6:2001:8b0:10b:1231::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Bbk3h3Hw8z9sSJ for ; Wed, 26 Aug 2020 08:21:20 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=merlin.20170209; h=Sender:Content-Transfer-Encoding: Content-Type:Cc:List-Subscribe:List-Help:List-Post:List-Archive: List-Unsubscribe:List-Id:MIME-Version:Message-Id:Date:Subject:To:From: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Owner; bh=NtMKzdtGW2kQ8R9+CL6QzCTemWQCWwxjYXyz50HYe8I=; b=zrvzKv4LaunIgWsQN9/bp34yLP mnYuEdJ+m2D+6QUO6nmd46LB2DSexIeBCCyiNM1LBJjPAHL/V9ARfcLsjvWxh90U+i6FWnkYJRES2 QxK5SyMyT4q3eSDGZG7kKRQFpHkgdG0imMHt6Jn+SHkYrksVc1PzARFkop2fcq1GpSDXlO4mNYNpJ hZK/2er+SIfcSVT0o6/tYXvgijuNc3C3j1Uh/51vlzOBHB4oWM1DdOnxZooRrWJMU9ZNwmWoaedQF H/5cjc/WRHxWoSiIzaYFAEKKxzj6FtkoM62O9fr4ovRoBKB4dV1VJxRPk4hsSnW420WeLb211/8Mc DMGdFAww==; Received: from localhost ([::1] helo=merlin.infradead.org) by merlin.infradead.org with esmtp (Exim 4.92.3 #3 (Red Hat Linux)) id 1kAhIg-0002s1-DK; Tue, 25 Aug 2020 22:20:18 +0000 Received: from mout-p-102.mailbox.org ([2001:67c:2050::465:102]) by merlin.infradead.org with esmtps (Exim 4.92.3 #3 (Red Hat Linux)) id 1kAhId-0002qp-OB for openwrt-devel@lists.openwrt.org; Tue, 25 Aug 2020 22:20:17 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [80.241.60.241]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by mout-p-102.mailbox.org (Postfix) with ESMTPS id 4Bbk2P0XcCzKmZ0; Wed, 26 Aug 2020 00:20:13 +0200 (CEST) X-Virus-Scanned: amavisd-new at heinlein-support.de Received: from smtp2.mailbox.org ([80.241.60.241]) by spamfilter05.heinlein-hosting.de (spamfilter05.heinlein-hosting.de [80.241.56.123]) (amavisd-new, port 10030) with ESMTP id 9e6D6XYZAE4F; Wed, 26 Aug 2020 00:20:08 +0200 (CEST) From: Hauke Mehrtens To: openwrt-devel@lists.openwrt.org Subject: [PATCH v2] wolfssl: Update to version 4.5.0 Date: Wed, 26 Aug 2020 00:19:59 +0200 Message-Id: <20200825221959.11790-1-hauke@hauke-m.de> MIME-Version: 1.0 X-MBO-SPAM-Probability: X-Rspamd-Score: -6.83 / 15.00 / 15.00 X-Rspamd-Queue-Id: 22F881796 X-Rspamd-UID: 2eaa93 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20200825_182015_912820_AA02C705 X-CRM114-Status: GOOD ( 17.78 ) X-Spam-Score: 0.0 (/) X-Spam-Report: SpamAssassin version 3.4.4 on merlin.infradead.org summary: Content analysis details: (0.0 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [2001:67c:2050:0:0:0:465:102 listed in] [list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Hauke Mehrtens Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Add a patch which fixes a build problem on big endian systems, see https://github.com/wolfSSL/wolfssl/issues/3240 for details. Signed-off-by: Hauke Mehrtens --- package/libs/wolfssl/Makefile | 6 +++--- .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-fix-build-on-big-endian.patch | 20 +++++++++++++++++++ 3 files changed, 24 insertions(+), 4 deletions(-) create mode 100644 package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 159cfbc53f74..eb77caee3392 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.4.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.5.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=7f854804c8ae0ca49cc77809e38e9a3b5a8c91ba7855ea928e6d6651b0d35f18 +PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c PKG_FIXUP:=libtool PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 5d83eca770ea..43337ba97024 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -1930,7 +1930,7 @@ extern void uITRON4_free(void *p) ; +@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch new file mode 100644 index 000000000000..820501d2bb5d --- /dev/null +++ b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch @@ -0,0 +1,20 @@ +See https://github.com/wolfSSL/wolfssl/issues/3240 for details + +--- a/wolfcrypt/src/misc.c ++++ b/wolfcrypt/src/misc.c +@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo + return rotlFixed(value, 16U); + #endif + } +-#if defined(LITTLE_ENDIAN_ORDER) + /* This routine performs a byte swap of words array of a given count. */ + WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, + word32 byteCount) +@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord + out[i] = ByteReverseWord32(in[i]); + + } +-#endif /* LITTLE_ENDIAN_ORDER */ + + #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS) +