[OpenWrt-Devel] [PATCH] wolfssl: update to version 3.14.4
Alexandru Ardelean
ardeleanalex at gmail.com
Thu May 24 15:38:45 EDT 2018
On Thu, May 24, 2018 at 7:34 PM, Daniel Golle <daniel at makrotopia.org> wrote:
> Use download from github archive corresponding to v3.14.4 tag because
> the project's website apparently only offers 3.14.0-stable release
> downloads.
> Drop local patch for CVE-2017-13099 as it was merged upstream.
>
Looks good.
On a related note, would you like to take over the package?
I don't seem to find time for it at the moment.
> Signed-off-by: Daniel Golle <daniel at makrotopia.org>
> ---
> package/libs/wolfssl/Makefile | 9 +-
> .../wolfssl/patches/001-CVE-2017-13099.patch | 144 ------------------
> .../patches/100-disable-hardening-check.patch | 2 +-
> 3 files changed, 6 insertions(+), 149 deletions(-)
> delete mode 100644 package/libs/wolfssl/patches/001-CVE-2017-13099.patch
>
> diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
> index d0bd3b5a35..41296dd0f2 100644
> --- a/package/libs/wolfssl/Makefile
> +++ b/package/libs/wolfssl/Makefile
> @@ -8,12 +8,13 @@
> include $(TOPDIR)/rules.mk
>
> PKG_NAME:=wolfssl
> -PKG_VERSION:=3.12.2
> -PKG_RELEASE:=2
> +PKG_VERSION:=3.14.4
> +PKG_RELEASE:=1
>
> PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
> -PKG_SOURCE_URL:=https://www.wolfssl.com/
> -PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49
> +# PKG_SOURCE_URL:=https://www.wolfssl.com/
> +PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
> +PKG_HASH:=1da1b45dec4a455716c8547074ad883c737865225f69443bb173c0dc21683fd1
>
> PKG_FIXUP:=libtool
> PKG_INSTALL:=1
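Review bot: The new side keeps a commented-out `# PKG_SOURCE_URL:=https://www.wolfssl.com/` line right above the GitHub URL; that is dead configuration and should be dropped rather than left as a second, disabled source. Moving the download from the vendor's release page to a GitHub `archive/v$(PKG_VERSION)` URL also changes what `PKG_HASH` pins: such archives are packed from the tag on request rather than published as a fixed release artifact, so the bytes can change if GitHub alters its packing, which would surface as a hash mismatch at build time, and the hash no longer attests to a file the project itself published. It would help reviewers if the commit message stated how the new `PKG_HASH` was obtained (e.g. a fresh download verified against the tag) so it can be reproduced independently, and whether a project-uploaded release asset exists for this tag that could be used instead.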
> diff --git a/package/libs/wolfssl/patches/001-CVE-2017-13099.patch b/package/libs/wolfssl/patches/001-CVE-2017-13099.patch
> deleted file mode 100644
> index e7b63cb8d4..0000000000
> --- a/package/libs/wolfssl/patches/001-CVE-2017-13099.patch
> +++ /dev/null
> @@ -1,144 +0,0 @@
> -From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
> -From: David Garske <david at wolfssl.com>
> -Date: Tue, 14 Nov 2017 14:05:50 -0800
> -Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
> - they are indistinguishable from from correctly formatted RSA blocks (per
> - RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
> - creation for consistency in client case. Removed obsolete
> - `PMS_VERSION_ERROR`.
> -
> ----
> - src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
> - wolfssl/error-ssl.h | 2 +-
> - 2 files changed, 61 insertions(+), 11 deletions(-)
> -
> ---- a/src/internal.c
> -+++ b/src/internal.c
> -@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
> - case NOT_READY_ERROR :
> - return "handshake layer not ready yet, complete first";
> -
> -- case PMS_VERSION_ERROR :
> -- return "premaster secret version mismatch error";
> --
> - case VERSION_ERROR :
> - return "record layer version error";
> -
> -@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
> - #ifndef NO_RSA
> - case rsa_kea:
> - {
> -+ /* build PreMasterSecret with RNG data */
> - ret = wc_RNG_GenerateBlock(ssl->rng,
> -- ssl->arrays->preMasterSecret, SECRET_LEN);
> -+ &ssl->arrays->preMasterSecret[VERSION_SZ],
> -+ SECRET_LEN - VERSION_SZ);
> - if (ret != 0) {
> - goto exit_scke;
> - }
> -@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
> - word32 idx;
> - word32 begin;
> - word32 sigSz;
> -+ #ifndef NO_RSA
> -+ int lastErr;
> -+ #endif
> - } DckeArgs;
> -
> - static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
> -@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
> - ERROR_OUT(BUFFER_ERROR, exit_dcke);
> - }
> -
> -+ /* pre-load PreMasterSecret with RNG data */
> -+ ret = wc_RNG_GenerateBlock(ssl->rng,
> -+ &ssl->arrays->preMasterSecret[VERSION_SZ],
> -+ SECRET_LEN - VERSION_SZ);
> -+ if (ret != 0) {
> -+ goto exit_dcke;
> -+ }
> -+
> - args->output = NULL;
> - break;
> - } /* rsa_kea */
> -@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
> - NULL, 0, NULL
> - #endif
> - );
> -+
> -+ /* Errors that can occur here that should be
> -+ * indistinguishable:
> -+ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
> -+ */
> -+ if (ret < 0 && ret != BAD_FUNC_ARG) {
> -+ #ifdef WOLFSSL_ASYNC_CRYPT
> -+ if (ret == WC_PENDING_E)
> -+ goto exit_dcke;
> -+ #endif
> -+ /* store error code for handling below */
> -+ args->lastErr = ret;
> -+ ret = 0;
> -+ }
> - break;
> - } /* rsa_kea */
> - #endif /* !NO_RSA */
> -@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
> - /* Add the signature length to idx */
> - args->idx += args->length;
> -
> -- if (args->sigSz == SECRET_LEN && args->output != NULL) {
> -- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
> -- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
> -- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
> -- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
> -+ #ifdef DEBUG_WOLFSSL
> -+ /* check version (debug warning message only) */
> -+ if (args->output != NULL) {
> -+ if (args->output[0] != ssl->chVersion.major ||
> -+ args->output[1] != ssl->chVersion.minor) {
> -+ WOLFSSL_MSG("preMasterSecret version mismatch");
> - }
> - }
> -+ #endif
> -+
> -+ /* RFC5246 7.4.7.1:
> -+ * Treat incorrectly formatted message blocks and/or
> -+ * mismatched version numbers in a manner
> -+ * indistinguishable from correctly formatted RSA blocks
> -+ */
> -+
> -+ ret = args->lastErr;
> -+ args->lastErr = 0; /* reset */
> -+
> -+ /* build PreMasterSecret */
> -+ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
> -+ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
> -+ if (ret == 0 && args->sigSz == SECRET_LEN &&
> -+ args->output != NULL) {
> -+ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
> -+ &args->output[VERSION_SZ],
> -+ SECRET_LEN - VERSION_SZ);
> -+ }
> - else {
> -- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
> -+ /* preMasterSecret has RNG and version set */
> -+ /* return proper length and ignore error */
> -+ /* error will be caught as decryption error */
> -+ args->sigSz = SECRET_LEN;
> -+ ret = 0;
> - }
> -+
> - break;
> - } /* rsa_kea */
> - #endif /* !NO_RSA */
> ---- a/wolfssl/error-ssl.h
> -+++ b/wolfssl/error-ssl.h
> -@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
> - DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
> - WANT_READ = -323, /* want read, call again */
> - NOT_READY_ERROR = -324, /* handshake layer not ready */
> -- PMS_VERSION_ERROR = -325, /* pre m secret version error */
> -+
> - VERSION_ERROR = -326, /* record layer version error */
> - WANT_WRITE = -327, /* want write, call again */
> - BUFFER_ERROR = -328, /* malformed buffer input */
> diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
> index 83d51b1d5c..d913b5fdea 100644
> --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
> +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
> @@ -1,6 +1,6 @@
> --- a/wolfssl/wolfcrypt/settings.h
> +++ b/wolfssl/wolfcrypt/settings.h
> -@@ -1553,7 +1553,7 @@ extern void uITRON4_free(void *p) ;
> +@@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ;
> #endif
>
> /* warning for not using harden build options (default with ./configure) */
> --
> 2.17.0
>