From 8b346e0aacedd42626d6ee28f3497c37225bd3fc Mon Sep 17 00:00:00 2001 From: RISCi_ATOM Date: Mon, 28 Mar 2022 13:09:17 -0400 Subject: [PATCH] wolfssl: bump to 5.1.1-stable MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This is amalgamation of backported changes since 4.7.0-stable release: Sergey V. Lobanov (2): 5b13b0b wolfssl: update to 5.1.1-stable 7d376e6 libs/wolfssl: add SAN (Subject Alternative Name) support Andre Heider (3): 3f8adcb wolfssl: remove --enable-sha512 configure switch 249478e wolfssl: always build with --enable-reproducible-build 4b212b1 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS Ivan Pavlov (1): 1641471 wolfssl: update to 4.8.1-stable David Bauer (1): f6d8c0c wolfssl: always export wc_ecc_set_rng Christian Lamparter (1): 86801bd wolfssl: fix Ed25519 typo in config prompt The diff of security related changes we would need to backport would be so huge, that there would be a high probability of introducing new vulnerabilities, so it was decided, that bumping to latest stable release is the prefered way for fixing following security issues: * OCSP request/response verification issue. (fixed in 4.8.0) * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1) * Issue with incorrectly validating a certificate (fixed in 5.0.0) * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0) * Client side session resumption issue (fixed in 5.1.0) * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0) * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1) Cc: Hauke Mehrtens Cc: Eneas U de Queiroz Signed-off-by: Petr Å tetiar Acked-by: Hauke Mehrtens Acked-by: Eneas U de Queiroz Includes upstream commit : f49eec6335ea9c0d652e8525a04c166f1fe3eedd wolfssl: fix API breakage of SSL_get_verify_result Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: wolfSSL/wolfssl#4879 Signed-off-by: Petr Å tetiar (cherry picked from commit b9251e3) (cherry picked from commit b99d7ae) --- package/libs/wolfssl/Config.in | 8 +- package/libs/wolfssl/Makefile | 25 ++-- ...change-asm-snippets-to-get-compiling.patch | 116 ------------------ ...macro-guard-on-SHA256-transform-call.patch | 22 ---- .../patches/100-disable-hardening-check.patch | 2 +- .../libs/wolfssl/patches/200-ecc-rng.patch | 4 +- ...fix-SSL_get_verify_result-regression.patch | 26 ++++ 7 files changed, 50 insertions(+), 153 deletions(-) delete mode 100644 package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch delete mode 100644 package/libs/wolfssl/patches/002-Update-macro-guard-on-SHA256-transform-call.patch create mode 100644 package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 5d1f119ac4..99ceb6c463 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -16,10 +16,6 @@ config WOLFSSL_HAS_ARC4 bool "Include ARC4 support" default y -config WOLFSSL_HAS_CERTGEN - bool "Include certificate generation support" - default y - config WOLFSSL_HAS_TLSV10 bool "Include TLS 1.0 support" default y @@ -51,6 +47,10 @@ config WOLFSSL_HAS_ECC25519 bool "Include ECC Curve 25519 support" default n +config WOLFSSL_ALT_NAMES + bool "Include SAN (Subject Alternative Name) support" + default y + config WOLFSSL_HAS_DEVCRYPTO bool diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index f11ee39d5c..5c3ea8d76c 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.8.1-stable -PKG_RELEASE:=1 +PKG_VERSION:=5.1.1-stable +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=50db45f348f47e00c93dd244c24108220120cb3cc9d01434789229c32937c444 +PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \ CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \ - CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_HAS_CERTGEN + CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES include $(INCLUDE_DIR)/package.mk @@ -44,7 +44,7 @@ define Package/libwolfssl MENU:=1 PROVIDES:=libcyassl DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user - ABI_VERSION:=24 + ABI_VERSION:=30 endef define Package/libwolfssl/description @@ -56,19 +56,28 @@ define Package/libwolfssl/config source "$(SOURCE)/Config.in" endef -TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto +TARGET_CFLAGS += \ + $(FPIC) \ + -fomit-frame-pointer \ + -flto \ + -DFP_MAX_BITS=8192 \ + $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES) + TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ + --enable-reproducible-build \ + --enable-opensslall \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ + --enable-altcertchains \ + --disable-crypttests \ --disable-examples \ --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \ --$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \ - --$(if $(CONFIG_WOLFSSL_HAS_CERTGEN),enable,disable)-certgen \ --$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-chacha \ --$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-poly1305 \ --$(if $(CONFIG_WOLFSSL_HAS_DH),enable,disable)-dh \ @@ -90,7 +99,7 @@ endif ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y) CONFIGURE_ARGS += \ - --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath + --enable-wpas --enable-fortress --enable-fastmath endif define Build/InstallDev diff --git a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch b/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch deleted file mode 100644 index 763f9e8d06..0000000000 --- a/package/libs/wolfssl/patches/001-Maths-x86-asm-change-asm-snippets-to-get-compiling.patch +++ /dev/null @@ -1,116 +0,0 @@ -From fa8f23284d4689c2a737204b337b58d966dcbd8c Mon Sep 17 00:00:00 2001 -From: Sean Parkinson -Date: Fri, 20 Aug 2021 10:23:38 +1000 -Subject: [PATCH] Maths x86 asm: change asm snippets to get compiling - -TFM: - Use register or memory for c0, c1, c2 in SQRADD and SQRADD2. -SP: - Use register or memory for vl, vh, vo in SP_ASM_MUL_ADD, -SP_ASM_MUL_ADD2 and SP_ASM_SQR_ADD. ---- - wolfcrypt/src/asm.c | 29 ++++++++++++++++++++--------- - wolfcrypt/src/sp_int.c | 6 +++--- - 2 files changed, 23 insertions(+), 12 deletions(-) - ---- a/wolfcrypt/src/asm.c -+++ b/wolfcrypt/src/asm.c -@@ -698,33 +698,39 @@ __asm__( \ - - #define SQRADD(i, j) \ - __asm__( \ -- "movl %6,%%eax \n\t" \ -+ "movl %3,%%eax \n\t" \ - "mull %%eax \n\t" \ - "addl %%eax,%0 \n\t" \ - "adcl %%edx,%1 \n\t" \ - "adcl $0,%2 \n\t" \ -- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i) :"%eax","%edx","cc"); -+ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \ -+ : "m"(i) \ -+ :"%eax","%edx","cc"); - - #define SQRADD2(i, j) \ - __asm__( \ -- "movl %6,%%eax \n\t" \ -- "mull %7 \n\t" \ -+ "movl %3,%%eax \n\t" \ -+ "mull %4 \n\t" \ - "addl %%eax,%0 \n\t" \ - "adcl %%edx,%1 \n\t" \ - "adcl $0,%2 \n\t" \ - "addl %%eax,%0 \n\t" \ - "adcl %%edx,%1 \n\t" \ - "adcl $0,%2 \n\t" \ -- :"=r"(c0), "=r"(c1), "=r"(c2): "0"(c0), "1"(c1), "2"(c2), "m"(i), "m"(j) :"%eax","%edx", "cc"); -+ :"+rm"(c0), "+rm"(c1), "+rm"(c2) \ -+ : "m"(i), "m"(j) \ -+ :"%eax","%edx", "cc"); - - #define SQRADDSC(i, j) \ --__asm__( \ -+__asm__( \ - "movl %3,%%eax \n\t" \ - "mull %4 \n\t" \ - "movl %%eax,%0 \n\t" \ - "movl %%edx,%1 \n\t" \ - "xorl %2,%2 \n\t" \ -- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "g"(i), "g"(j) :"%eax","%edx","cc"); -+ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \ -+ : "g"(i), "g"(j) \ -+ :"%eax","%edx","cc"); - - #define SQRADDAC(i, j) \ - __asm__( \ -@@ -733,7 +739,9 @@ __asm__( - "addl %%eax,%0 \n\t" \ - "adcl %%edx,%1 \n\t" \ - "adcl $0,%2 \n\t" \ -- :"=r"(sc0), "=r"(sc1), "=r"(sc2): "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) :"%eax","%edx","cc"); -+ :"=r"(sc0), "=r"(sc1), "=r"(sc2) \ -+ : "0"(sc0), "1"(sc1), "2"(sc2), "g"(i), "g"(j) \ -+ :"%eax","%edx","cc"); - - #define SQRADDDB \ - __asm__( \ -@@ -743,7 +751,10 @@ __asm__( - "addl %6,%0 \n\t" \ - "adcl %7,%1 \n\t" \ - "adcl %8,%2 \n\t" \ -- :"=r"(c0), "=r"(c1), "=r"(c2) : "0"(c0), "1"(c1), "2"(c2), "r"(sc0), "r"(sc1), "r"(sc2) : "cc"); -+ :"=r"(c0), "=r"(c1), "=r"(c2) \ -+ : "0"(c0), "1"(c1), "2"(c2), "r"(sc0), "r"(sc1), \ -+ "r"(sc2) \ -+ : "cc"); - - #elif defined(TFM_X86_64) - /* x86-64 optimized */ ---- a/wolfcrypt/src/sp_int.c -+++ b/wolfcrypt/src/sp_int.c -@@ -476,7 +476,7 @@ static WC_INLINE sp_int_digit sp_div_wor - "addl %%eax, %[l] \n\t" \ - "adcl %%edx, %[h] \n\t" \ - "adcl $0 , %[o] \n\t" \ -- : [l] "+r" (vl), [h] "+r" (vh), [o] "+r" (vo) \ -+ : [l] "+rm" (vl), [h] "+rm" (vh), [o] "+rm" (vo) \ - : [a] "r" (va), [b] "r" (vb) \ - : "eax", "edx", "cc" \ - ) -@@ -502,7 +502,7 @@ static WC_INLINE sp_int_digit sp_div_wor - "addl %%eax, %[l] \n\t" \ - "adcl %%edx, %[h] \n\t" \ - "adcl $0 , %[o] \n\t" \ -- : [l] "+r" (vl), [h] "+r" (vh), [o] "+r" (vo) \ -+ : [l] "+rm" (vl), [h] "+rm" (vh), [o] "+rm" (vo) \ - : [a] "r" (va), [b] "r" (vb) \ - : "eax", "edx", "cc" \ - ) -@@ -541,7 +541,7 @@ static WC_INLINE sp_int_digit sp_div_wor - "addl %%eax, %[l] \n\t" \ - "adcl %%edx, %[h] \n\t" \ - "adcl $0 , %[o] \n\t" \ -- : [l] "+r" (vl), [h] "+r" (vh), [o] "+r" (vo) \ -+ : [l] "+rm" (vl), [h] "+rm" (vh), [o] "+rm" (vo) \ - : [a] "m" (va) \ - : "eax", "edx", "cc" \ - ) diff --git a/package/libs/wolfssl/patches/002-Update-macro-guard-on-SHA256-transform-call.patch b/package/libs/wolfssl/patches/002-Update-macro-guard-on-SHA256-transform-call.patch deleted file mode 100644 index f986b72798..0000000000 --- a/package/libs/wolfssl/patches/002-Update-macro-guard-on-SHA256-transform-call.patch +++ /dev/null @@ -1,22 +0,0 @@ -From f447e4c1fa4c932c0286fa0331966756e243db81 Mon Sep 17 00:00:00 2001 -From: JacobBarthelmeh -Date: Fri, 17 Sep 2021 15:06:13 -0700 -Subject: [PATCH] update macro guard on SHA256 transform call - ---- - src/ssl.c | 3 ++- - tests/api.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - ---- a/src/ssl.c -+++ b/src/ssl.c -@@ -17639,7 +17639,8 @@ size_t wolfSSL_get_client_random(const W - - #if defined(OPENSSL_EXTRA) - #if !defined(HAVE_SELFTEST) && (!defined(HAVE_FIPS) || \ -- (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) -+ (defined(HAVE_FIPS_VERSION) && (HAVE_FIPS_VERSION > 2))) && \ -+ !defined(WOLFSSL_DEVCRYPTO_HASH) && !defined(WOLFSSL_AFALG_HASH) - /* Apply SHA256 transformation to the data */ - int wolfSSL_SHA256_Transform(WOLFSSL_SHA256_CTX* sha256, - const unsigned char* data) diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 4141e28750..79d0d6f759 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2274,7 +2274,7 @@ extern void uITRON4_free(void *p) ; +@@ -2346,7 +2346,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index d8581be7eb..78ff4b1f4a 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c -@@ -10938,21 +10938,21 @@ void wc_ecc_fp_free(void) +@@ -11647,21 +11647,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */ @@ -37,7 +37,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h -@@ -616,10 +616,8 @@ WOLFSSL_API +@@ -647,10 +647,8 @@ WOLFSSL_API void wc_ecc_fp_free(void); WOLFSSL_LOCAL void wc_ecc_fp_init(void); diff --git a/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch new file mode 100644 index 0000000000..9651c03af6 --- /dev/null +++ b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch @@ -0,0 +1,26 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Juliusz Sosinowicz +Date: Sat, 12 Feb 2022 00:34:24 +0100 +Subject: [PATCH] Reported in ZD13631 + +`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain + +References: https://github.com/wolfSSL/wolfssl/issues/4879 +--- + src/internal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/internal.c b/src/internal.c +index 0dded42a76c4..f5814d30607c 100644 +--- a/src/internal.c ++++ b/src/internal.c +@@ -12372,6 +12372,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, + } + + ret = 0; /* clear errors and continue */ ++ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) ++ ssl->peerVerifyRet = 0; ++ #endif + args->verifyErr = 0; + } + -- 2.25.1