From patchwork Wed Jul 28 21:22:24 2021
From: Eneas U de Queiroz
To: openwrt-devel@lists.openwrt.org
Cc: Eneas U de Queiroz
Subject: [PATCH v2 2/2] wolfssl: bump to v4.8.1-stable
Date: Wed, 28 Jul 2021 18:22:24 -0300
Message-Id: <20210728212224.12242-3-cotequeiroz@gmail.com>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210722194420.7413-1-cotequeiroz@gmail.com>
References: <20210722194420.7413-1-cotequeiroz@gmail.com>

Release 4.8.1 of wolfSSL embedded TLS has bug fixes and new features including this vulnerability:

* [high] OCSP verification issue when response is for a certificate with no relation to the chain in question BUT that response contains the NoCheck extension which effectively disables ALL verification of that one cert.
* [Low] OCSP request/response verification issue. In the case that the serial number in the OCSP request differs from the serial number in the OCSP response, the error from the comparison was not resulting in a failed verification. (fixed in 4.8.0)

Signed-off-by: Eneas U de Queiroz
---
 package/libs/wolfssl/Makefile                                  | 6 +++---
 .../libs/wolfssl/patches/100-disable-hardening-check.patch     | 2 +-
 package/libs/wolfssl/patches/200-ecc-rng.patch                 | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 0c95288a2a..6ef80e88a9 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=2 +PKG_VERSION:=4.8.1-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444 PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index c89ff1be9d..4141e28750 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ; +@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index 2d33c06209..d8581be7eb 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c -@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void) +@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */ @@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfssl/wolfcrypt/ecc.h 
+++ b/wolfssl/wolfcrypt/ecc.h -@@ -584,10 +584,8 @@ WOLFSSL_API +@@ -616,10 +616,8 @@ WOLFSSL_API void wc_ecc_fp_free(void); WOLFSSL_LOCAL void wc_ecc_fp_init(void);
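Review bot: in the Makefile hunk, the new PKG_HASH is the only integrity control over the build input, so a second reviewer should reproduce it independently (download the v4.8.1-stable tarball from PKG_SOURCE_URL and compare its sha256sum) rather than trusting the value carried in the patch; because PKG_SOURCE_URL points at a GitHub-generated archive and not at a release asset with a published checksum, a later mismatch also has to be told apart from an upstream re-generation of the archive before it is treated as tampering. Resetting PKG_RELEASE to 1 alongside the version bump is correct.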
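Review bot: the 100-disable-hardening-check.patch hunk changes only the settings.h hunk header offset (2255 to 2274) with its context unchanged, which is consistent with a quilt refresh; please confirm it was produced with `make package/libs/wolfssl/refresh` against the 4.8.1 tree so the hunk still applies without fuzz, because this patch silences wolfSSL's own "harden build options" warning and a hunk that landed on the wrong spot would not announce itself at build time.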
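Review bot: both hunks of 200-ecc-rng.patch are likewise offset-only refreshes (ecc.c 10293 to 10938, ecc.h 584 to 616); the ecc.c anchor moved by roughly 645 lines between 4.7.0 and 4.8.1, so it is worth checking that the refreshed hunk still lands right after wc_ecc_fp_free as the context line shows, and that the patch's stated intent (using the RNG regardless of the wolfSSL build settings) still holds on 4.8.1 by reading the patched ecc.c rather than relying on a clean apply alone.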
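The two OCSP issues named in the commit message, modelled as an added example (this is illustrative Python written for this review, not wolfSSL code and not part of the patch). It works on plain dataclasses standing in for the RFC 6960 CertID, SingleResponse and responder certificate instead of real DER, and it assumes the responder signature has already been verified elsewhere. `lenient_binding` is a model of the behaviour the advisory text describes (a nocheck responder certificate short-circuiting verification, and a request/response serial mismatch that is computed but never acted on); `strict_binding` shows the binding a client must enforce, including the stapled case where there is no request to compare against. All certificate data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CertID:
    """RFC 6960 CertID: the fields that say which certificate a SingleResponse is about."""
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    serial: int


@dataclass(frozen=True)
class Cert:
    """Only the fields the binding check needs; a real client parses these from DER."""
    subject: str
    serial: int
    issuer_name_hash: bytes
    issuer_key_hash: bytes
    ocsp_nocheck: bool = False  # id-pkix-ocsp-nocheck present (RFC 6960 4.2.2.2.1)

    def cert_id(self) -> CertID:
        return CertID(self.issuer_name_hash, self.issuer_key_hash, self.serial)


@dataclass(frozen=True)
class OCSPResponse:
    cert_id: CertID    # CertID of the SingleResponse under evaluation
    cert_status: str   # "good", "revoked" or "unknown"
    responder: Cert    # signer certificate; its signature is assumed already verified


Verdict = Tuple[bool, str]


def lenient_binding(request_id: Optional[CertID], resp: OCSPResponse, chain: List[Cert]) -> Verdict:
    """Model of the two reported behaviours (a model for illustration, not wolfSSL's code):
    a nocheck responder cert short-circuits the SingleResponse checks, and a serial
    mismatch is computed but never turned into a failure."""
    if resp.responder.ocsp_nocheck:
        return True, "accepted: nocheck short-circuited verification"
    if request_id is not None:
        _mismatch = resp.cert_id.serial != request_id.serial  # computed, then ignored
    if resp.cert_status != "good":
        return False, "status " + resp.cert_status
    return True, "accepted"


def strict_binding(request_id: Optional[CertID], resp: OCSPResponse, chain: List[Cert]) -> Verdict:
    """The binding a client must enforce before it trusts cert_status."""
    # 1. With a live request, the answer must be about exactly what was asked.
    if request_id is not None and resp.cert_id != request_id:
        if resp.cert_id.serial != request_id.serial:
            return False, "serial mismatch between request and response"
        return False, "issuer hash mismatch between request and response"
    # 2. Always, also for stapled responses where no request exists: the CertID must
    #    name a certificate in the chain being validated. nocheck on the responder
    #    cert only exempts that responder cert from its own revocation lookup; it
    #    never relaxes this binding.
    if not any(c.cert_id() == resp.cert_id for c in chain):
        return False, "response does not refer to any certificate in the chain"
    if resp.cert_status != "good":
        return False, "status " + resp.cert_status
    return True, "accepted"


# Constructed sample data; hashes and serials are placeholders, not real values.
NAME_HASH, KEY_HASH = b"\x11" * 20, b"\x22" * 20
LEAF = Cert("CN=router.example", 0x1001, NAME_HASH, KEY_HASH)
CHAIN = [LEAF]
NOCHECK_RESPONDER = Cert("CN=ocsp.example", 0x2002, NAME_HASH, KEY_HASH, ocsp_nocheck=True)
PLAIN_RESPONDER = Cert("CN=ocsp.example", 0x2002, NAME_HASH, KEY_HASH)
UNRELATED = CertID(NAME_HASH, KEY_HASH, 0x9999)  # some certificate that is not in CHAIN


def scenarios() -> Dict[str, Tuple[Verdict, Verdict]]:
    """(lenient, strict) verdicts for the situations the advisory text describes."""
    cases = {
        "matching_good": (LEAF.cert_id(), OCSPResponse(LEAF.cert_id(), "good", NOCHECK_RESPONDER)),
        "serial_mismatch": (LEAF.cert_id(), OCSPResponse(UNRELATED, "good", PLAIN_RESPONDER)),
        "stapled_unrelated_nocheck": (None, OCSPResponse(UNRELATED, "good", NOCHECK_RESPONDER)),
        "matching_revoked": (LEAF.cert_id(), OCSPResponse(LEAF.cert_id(), "revoked", PLAIN_RESPONDER)),
    }
    return {name: (lenient_binding(rid, r, CHAIN), strict_binding(rid, r, CHAIN))
            for name, (rid, r) in cases.items()}


if __name__ == "__main__":
    for name, (lenient, strict) in scenarios().items():
        print(f"{name:28s} lenient={lenient} strict={strict}")
```

Running it shows the lenient model accepting both the serial-mismatch response and the stapled response for an unrelated certificate, while the strict binding rejects each with a distinct reason and only passes the response that matches the request and names a chain certificate.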