domenico/openwrt_NSS_ACW
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wolfssl: update to version 3.14.4

Browse Source 
Use download from github archive corresponding to v3.14.4 tag because
the project's website apparently only offers 3.14.0-stable release
downloads.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This commit is contained in:
Daniel Golle
2018-05-23 23:26:41 +02:00
parent 4f442f5f38
commit 4f67c1522d
3 changed files with 6 additions and 149 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
package/libs/wolfssl/Makefile
View File

@@ -8,12 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl PKG_NAME:=wolfssl
PKG_VERSION:=3.12.2 PKG_VERSION:=3.14.4
PKG_RELEASE:=2 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
PKG_SOURCE_URL:=https://www.wolfssl.com/ # PKG_SOURCE_URL:=https://www.wolfssl.com/
PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
PKG_HASH:=1da1b45dec4a455716c8547074ad883c737865225f69443bb173c0dc21683fd1
PKG_FIXUP:=libtool PKG_FIXUP:=libtool
PKG_INSTALL:=1 PKG_INSTALL:=1

144
package/libs/wolfssl/patches/001-CVE-2017-13099.patch
View File

@@ -1,144 +0,0 @@
From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Tue, 14 Nov 2017 14:05:50 -0800
Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
they are indistinguishable from from correctly formatted RSA blocks (per
RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
creation for consistency in client case. Removed obsolete
`PMS_VERSION_ERROR`.
---
src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
wolfssl/error-ssl.h | 2 +-
2 files changed, 61 insertions(+), 11 deletions(-)
--- a/src/internal.c
+++ b/src/internal.c
@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
case NOT_READY_ERROR :
return "handshake layer not ready yet, complete first";
- case PMS_VERSION_ERROR :
- return "premaster secret version mismatch error";
-
case VERSION_ERROR :
return "record layer version error";
@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
#ifndef NO_RSA
case rsa_kea:
{
+ /* build PreMasterSecret with RNG data */
ret = wc_RNG_GenerateBlock(ssl->rng,
- ssl->arrays->preMasterSecret, SECRET_LEN);
+ &ssl->arrays->preMasterSecret[VERSION_SZ],
+ SECRET_LEN - VERSION_SZ);
if (ret != 0) {
goto exit_scke;
}
@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
word32 idx;
word32 begin;
word32 sigSz;
+ #ifndef NO_RSA
+ int lastErr;
+ #endif
} DckeArgs;
static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
ERROR_OUT(BUFFER_ERROR, exit_dcke);
}
+ /* pre-load PreMasterSecret with RNG data */
+ ret = wc_RNG_GenerateBlock(ssl->rng,
+ &ssl->arrays->preMasterSecret[VERSION_SZ],
+ SECRET_LEN - VERSION_SZ);
+ if (ret != 0) {
+ goto exit_dcke;
+ }
+
args->output = NULL;
break;
} /* rsa_kea */
@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
NULL, 0, NULL
#endif
);
+
+ /* Errors that can occur here that should be
+ * indistinguishable:
+ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
+ */
+ if (ret < 0 && ret != BAD_FUNC_ARG) {
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E)
+ goto exit_dcke;
+ #endif
+ /* store error code for handling below */
+ args->lastErr = ret;
+ ret = 0;
+ }
break;
} /* rsa_kea */
#endif /* !NO_RSA */
@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
/* Add the signature length to idx */
args->idx += args->length;
- if (args->sigSz == SECRET_LEN && args->output != NULL) {
- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
+ #ifdef DEBUG_WOLFSSL
+ /* check version (debug warning message only) */
+ if (args->output != NULL) {
+ if (args->output[0] != ssl->chVersion.major ||
+ args->output[1] != ssl->chVersion.minor) {
+ WOLFSSL_MSG("preMasterSecret version mismatch");
}
}
+ #endif
+
+ /* RFC5246 7.4.7.1:
+ * Treat incorrectly formatted message blocks and/or
+ * mismatched version numbers in a manner
+ * indistinguishable from correctly formatted RSA blocks
+ */
+
+ ret = args->lastErr;
+ args->lastErr = 0; /* reset */
+
+ /* build PreMasterSecret */
+ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
+ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
+ if (ret == 0 && args->sigSz == SECRET_LEN &&
+ args->output != NULL) {
+ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
+ &args->output[VERSION_SZ],
+ SECRET_LEN - VERSION_SZ);
+ }
else {
- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
+ /* preMasterSecret has RNG and version set */
+ /* return proper length and ignore error */
+ /* error will be caught as decryption error */
+ args->sigSz = SECRET_LEN;
+ ret = 0;
}
+
break;
} /* rsa_kea */
#endif /* !NO_RSA */
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
WANT_READ = -323, /* want read, call again */
NOT_READY_ERROR = -324, /* handshake layer not ready */
- PMS_VERSION_ERROR = -325, /* pre m secret version error */
+
VERSION_ERROR = -326, /* record layer version error */
WANT_WRITE = -327, /* want write, call again */
BUFFER_ERROR = -328, /* malformed buffer input */

2
package/libs/wolfssl/patches/100-disable-hardening-check.patch
View File

@@ -1,6 +1,6 @@
--- a/wolfssl/wolfcrypt/settings.h --- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h
@@ -1553,7 +1553,7 @@ extern void uITRON4_free(void *p) ; @@ -1624,7 +1624,7 @@ extern void uITRON4_free(void *p) ;
#endif #endif
/* warning for not using harden build options (default with ./configure) */ /* warning for not using harden build options (default with ./configure) */