From patchwork Thu May 24 16:34:46 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Daniel Golle <daniel@makrotopia.org>
X-Patchwork-Id: 919982
X-Patchwork-Delegate: blogic@openwrt.org
Return-Path: 
 <openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=lists.openwrt.org
	(client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org;
	envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none)
	header.from=makrotopia.org
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=lists.infradead.org
	header.i=@lists.infradead.org header.b="jN8eEgtI";
	dkim-atps=neutral
Received: from bombadil.infradead.org (bombadil.infradead.org
	[IPv6:2607:7c80:54:e::133])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 40sFPR5XZ6z9s0q
	for <incoming@patchwork.ozlabs.org>;
	Fri, 25 May 2018 02:35:55 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:Cc:List-Subscribe:List-Help:List-Post:
	List-Archive:List-Unsubscribe:List-Id:Subject:MIME-Version:Message-ID:To:From
	:Date:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:
	Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:
	List-Owner; bh=4A6+c/ST9ZbjO5PNN1RtTkWFUk/HgBXEOY8qNXzvKyM=;
	b=jN8eEgtIBp/k9+
	QZWksR9btPhnbWMAPzR9SVXp6saxy/kjjdXFTfn84cRn9jVTp8K7f6q4MOReEcZcFL5O/8GbhGiMH
	4nfSQN3K+HxmonVR7b+pepClUOWrnOtJpbS6i1F1HpYKP9qxLXvXz2cbJZSJLbClJwB/LQjhU1COF
	axbCk4IVNR0CyuCfR90Es4vvJznd9KmRTxDvdWEwfZBsoxYmok+v+h0lyQ6Rgg66rjk9mA4tg68UO
	hOpeYkABgyIoA4mfcNeorgJrapHvvrvf61owZpZ4xNKmixJCx3R7lZHQtDRiZT/EORxHZ1s5e4vlo
	mhXxYH4IV7k90VaKxfkA==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.90_1 #2 (Red Hat Linux))
	id 1fLtDH-0008Tb-Ma; Thu, 24 May 2018 16:35:39 +0000
Received: from fudo.makrotopia.org ([2a07:2ec0:3002::71])
	by bombadil.infradead.org with esmtps (Exim 4.90_1 #2 (Red Hat
	Linux)) id 1fLtCn-00075M-3x
	for openwrt-devel@lists.openwrt.org; Thu, 24 May 2018 16:35:18 +0000
Received: from local by fudo.makrotopia.org with esmtpsa
	(TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
	(Exim 4.90_1) (envelope-from <daniel@makrotopia.org>)
	id 1fLtCX-0008Cp-57; Thu, 24 May 2018 18:34:53 +0200
Date: Thu, 24 May 2018 18:34:46 +0200
From: Daniel Golle <daniel@makrotopia.org>
To: openwrt-devel@lists.openwrt.org, openwrt-devel@lists.openwrt.org
Message-ID: <20180524163437.GA16880@makrotopia.org>
MIME-Version: 1.0
Content-Disposition: inline
User-Agent: Mutt/1.10.0 (2018-05-17)
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 
X-CRM114-CacheID: sfid-20180524_093509_379318_4BE9BB92 
X-CRM114-Status: GOOD (  13.99  )
X-Spam-Score: -0.0 (/)
X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary:
	Content analysis details:   (-0.0 points)
	pts rule name              description
	---- ----------------------
	--------------------------------------------------
	-0.0 SPF_PASS               SPF: sender matches SPF record
Subject: [OpenWrt-Devel] [PATCH] wolfssl: update to version 3.14.4
X-BeenThere: openwrt-devel@lists.openwrt.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openwrt-devel.lists.openwrt.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/openwrt-devel/>
List-Post: <mailto:openwrt-devel@lists.openwrt.org>
List-Help: <mailto:openwrt-devel-request@lists.openwrt.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/openwrt-devel>,
	<mailto:openwrt-devel-request@lists.openwrt.org?subject=subscribe>
Cc: Alexandru Ardelean <ardeleanalex@gmail.com>
Sender: "openwrt-devel" <openwrt-devel-bounces@lists.openwrt.org>
Errors-To: 
 openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org

Use download from github archive corresponding to v3.14.4 tag because
the project's website apparently only offers 3.14.0-stable release
downloads.
Drop local patch for CVE-2017-13099 as it was merged upstream.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
 package/libs/wolfssl/Makefile                 |   9 +-
 .../wolfssl/patches/001-CVE-2017-13099.patch  | 144 ------------------
 .../patches/100-disable-hardening-check.patch |   2 +-
 3 files changed, 6 insertions(+), 149 deletions(-)
 delete mode 100644 package/libs/wolfssl/patches/001-CVE-2017-13099.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index d0bd3b5a35..41296dd0f2 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.12.2
-PKG_RELEASE:=2
+PKG_VERSION:=3.14.4
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
-PKG_SOURCE_URL:=https://www.wolfssl.com/
-PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49
+# PKG_SOURCE_URL:=https://www.wolfssl.com/
+PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
+PKG_HASH:=1da1b45dec4a455716c8547074ad883c737865225f69443bb173c0dc21683fd1
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/001-CVE-2017-13099.patch b/package/libs/wolfssl/patches/001-CVE-2017-13099.patch
deleted file mode 100644
index e7b63cb8d4..0000000000
--- a/package/libs/wolfssl/patches/001-CVE-2017-13099.patch
+++ /dev/null
@@ -1,144 +0,0 @@
-From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
-From: David Garske <david@wolfssl.com>
-Date: Tue, 14 Nov 2017 14:05:50 -0800
-Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
- they are indistinguishable from from correctly formatted RSA blocks (per
- RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
- creation for consistency in client case. Removed obsolete
- `PMS_VERSION_ERROR`.
-
----
- src/internal.c      | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
- wolfssl/error-ssl.h |  2 +-
- 2 files changed, 61 insertions(+), 11 deletions(-)
-
---- a/src/internal.c
-+++ b/src/internal.c
-@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
-     case NOT_READY_ERROR :
-         return "handshake layer not ready yet, complete first";
- 
--    case PMS_VERSION_ERROR :
--        return "premaster secret version mismatch error";
--
-     case VERSION_ERROR :
-         return "record layer version error";
- 
-@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
-             #ifndef NO_RSA
-                 case rsa_kea:
-                 {
-+                    /* build PreMasterSecret with RNG data */
-                     ret = wc_RNG_GenerateBlock(ssl->rng,
--                        ssl->arrays->preMasterSecret, SECRET_LEN);
-+                        &ssl->arrays->preMasterSecret[VERSION_SZ],
-+                        SECRET_LEN - VERSION_SZ);
-                     if (ret != 0) {
-                         goto exit_scke;
-                     }
-@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
-         word32 idx;
-         word32 begin;
-         word32 sigSz;
-+    #ifndef NO_RSA
-+        int    lastErr;
-+    #endif
-     } DckeArgs;
- 
-     static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
-@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
-                             ERROR_OUT(BUFFER_ERROR, exit_dcke);
-                         }
- 
-+                        /* pre-load PreMasterSecret with RNG data */
-+                        ret = wc_RNG_GenerateBlock(ssl->rng,
-+                            &ssl->arrays->preMasterSecret[VERSION_SZ],
-+                            SECRET_LEN - VERSION_SZ);
-+                        if (ret != 0) {
-+                            goto exit_dcke;
-+                        }
-+
-                         args->output = NULL;
-                         break;
-                     } /* rsa_kea */
-@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
-                             NULL, 0, NULL
-                         #endif
-                         );
-+
-+                        /*  Errors that can occur here that should be
-+                         *  indistinguishable:
-+                         *       RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
-+                         */
-+                        if (ret < 0 && ret != BAD_FUNC_ARG) {
-+                        #ifdef WOLFSSL_ASYNC_CRYPT
-+                            if (ret == WC_PENDING_E)
-+                                goto exit_dcke;
-+                        #endif
-+                            /* store error code for handling below */
-+                            args->lastErr = ret;
-+                            ret = 0;
-+                        }
-                         break;
-                     } /* rsa_kea */
-                 #endif /* !NO_RSA */
-@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
-                         /* Add the signature length to idx */
-                         args->idx += args->length;
- 
--                        if (args->sigSz == SECRET_LEN && args->output != NULL) {
--                            XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
--                            if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
--                                ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
--                                ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
-+                    #ifdef DEBUG_WOLFSSL
-+                        /* check version (debug warning message only) */
-+                        if (args->output != NULL) {
-+                            if (args->output[0] != ssl->chVersion.major ||
-+                                args->output[1] != ssl->chVersion.minor) {
-+                                WOLFSSL_MSG("preMasterSecret version mismatch");
-                             }
-                         }
-+                    #endif
-+
-+                        /* RFC5246 7.4.7.1:
-+                         * Treat incorrectly formatted message blocks and/or
-+                         * mismatched version numbers in a manner
-+                         * indistinguishable from correctly formatted RSA blocks
-+                         */
-+
-+                        ret = args->lastErr;
-+                        args->lastErr = 0; /* reset */
-+
-+                        /* build PreMasterSecret */
-+                        ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
-+                        ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
-+                        if (ret == 0 && args->sigSz == SECRET_LEN &&
-+                                                         args->output != NULL) {
-+                            XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
-+                                &args->output[VERSION_SZ],
-+                                SECRET_LEN - VERSION_SZ);
-+                        }
-                         else {
--                            ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
-+                            /* preMasterSecret has RNG and version set */
-+                            /* return proper length and ignore error */
-+                            /* error will be caught as decryption error */
-+                            args->sigSz = SECRET_LEN;
-+                            ret = 0;
-                         }
-+
-                         break;
-                     } /* rsa_kea */
-                 #endif /* !NO_RSA */
---- a/wolfssl/error-ssl.h
-+++ b/wolfssl/error-ssl.h
-@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
-     DOMAIN_NAME_MISMATCH         = -322,   /* peer subject name mismatch */
-     WANT_READ                    = -323,   /* want read, call again    */
-     NOT_READY_ERROR              = -324,   /* handshake layer not ready */
--    PMS_VERSION_ERROR            = -325,   /* pre m secret version error */
-+
-     VERSION_ERROR                = -326,   /* record layer version error */
-     WANT_WRITE                   = -327,   /* want write, call again   */
-     BUFFER_ERROR                 = -328,   /* malformed buffer input   */
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 83d51b1d5c..d913b5fdea 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -1553,7 +1553,7 @@ extern void uITRON4_free(void *p) ;
+@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */