[PATCH v2 2/2] wolfssl: bump to v4.8.1-stable

Eneas U de Queiroz cotequeiroz at gmail.com
Wed Jul 28 14:22:24 PDT 2021 

Release 4.8.1 of wolfSSL embedded TLS has bug fixes and new features
including this vulnerability:

* [high] OCSP verification issue when response is for a certificate with
  no relation to the chain in question BUT that response contains the
  NoCheck extension which effectively disables ALL verification of that
  one cert.

* [Low] OCSP request/response verification issue. In the case that the
  serial number in the OCSP request differs from the serial number in
  the OCSP response the error from the comparison was not resulting in a
  failed verification. (fixed in 4.8.0)

Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
 package/libs/wolfssl/Makefile                               | 6 +++---
 .../libs/wolfssl/patches/100-disable-hardening-check.patch  | 2 +-
 package/libs/wolfssl/patches/200-ecc-rng.patch              | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 0c95288a2a..6ef80e88a9 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_VERSION:=4.8.1-stable
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444
 
 PKG_FIXUP:=libtool libtool-abiver
 PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9d..4141e28750 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ;
  #endif
  
  /* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
index 2d33c06209..d8581be7eb 100644
--- a/package/libs/wolfssl/patches/200-ecc-rng.patch
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl.
 
 --- a/wolfcrypt/src/ecc.c
 +++ b/wolfcrypt/src/ecc.c
-@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
+@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void)
  
  #endif /* FP_ECC */
  
@@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl.
  
 --- a/wolfssl/wolfcrypt/ecc.h
 +++ b/wolfssl/wolfcrypt/ecc.h
-@@ -584,10 +584,8 @@ WOLFSSL_API
+@@ -616,10 +616,8 @@ WOLFSSL_API
  void wc_ecc_fp_free(void);
  WOLFSSL_LOCAL
  void wc_ecc_fp_init(void);

More information about the openwrt-devel mailing list