wolfssl: bump to 5.1.1-stable
This is an amalgamation of backported changes since the 4.7.0-stable release:
Sergey V. Lobanov (2):
5b13b0b wolfssl: update to 5.1.1-stable
7d376e6 libs/wolfssl: add SAN (Subject Alternative Name) support
Andre Heider (3):
3f8adcb wolfssl: remove --enable-sha512 configure switch
249478e wolfssl: always build with --enable-reproducible-build
4b212b1 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
Ivan Pavlov (1):
1641471 wolfssl: update to 4.8.1-stable
David Bauer (1):
f6d8c0c wolfssl: always export wc_ecc_set_rng
Christian Lamparter (1):
86801bd wolfssl: fix Ed25519 typo in config prompt
The diff of security-related changes we would need to backport would be
so huge that there would be a high probability of introducing new
vulnerabilities, so it was decided that bumping to the latest stable
release is the preferred way of fixing the following security issues:
* OCSP request/response verification issue. (fixed in 4.8.0)
* Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
* Issue with incorrectly validating a certificate (fixed in 5.0.0)
* Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
* Client side session resumption issue (fixed in 5.1.0)
* Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
* Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Cc: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Includes upstream commit: f49eec6335ea9c0d652e8525a04c166f1fe3eedd
wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE-powered sites or other sites utilizing the
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API call started returning the X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts impossible:
$ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
Downloading 'https://letsencrypt.org'
Connecting to 18.159.128.50:443
Connection error: Invalid SSL certificate
Fixes: #9283
References: wolfSSL/wolfssl#4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit b9251e3)
(cherry picked from commit b99d7ae)