aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/wolfssl
diff options
context:
space:
mode:
authorDavid Bauer <mail@david-bauer.net>2021-05-06 01:48:04 +0200
committerDavid Bauer <mail@david-bauer.net>2021-05-21 15:43:57 +0200
commitef9b103107aebd1a54f4360af3d9cf28d0544f13 (patch)
tree7c001897b830f1ec00a3fc862323349c193fe6cd /package/libs/wolfssl
parenta9ebd3a0ea968c7f28f9c0763089b67610ce1c1b (diff)
downloadupstream-ef9b103107aebd1a54f4360af3d9cf28d0544f13.tar.gz
upstream-ef9b103107aebd1a54f4360af3d9cf28d0544f13.tar.bz2
upstream-ef9b103107aebd1a54f4360af3d9cf28d0544f13.zip
wolfssl: always export wc_ecc_set_rng
Since commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant") wolfssl requires a RNG for an EC key when the hardened built option is selected. wc_ecc_set_rng is only available when built hardened, so there is no safe way to install the RNG to the key regardless whether or not wolfssl is compiled hardened. Always export wc_ecc_set_rng so tools such as hostapd can install RNG regardless of the built settings for wolfssl. Signed-off-by: David Bauer <mail@david-bauer.net>
Diffstat (limited to 'package/libs/wolfssl')
-rw-r--r--package/libs/wolfssl/Makefile2
-rw-r--r--package/libs/wolfssl/patches/200-ecc-rng.patch50
2 files changed, 51 insertions, 1 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 53cd932d1f..030a0224f5 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
new file mode 100644
index 0000000000..2d33c06209
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -0,0 +1,50 @@
+Since commit 6467de5a8840 ("Randomize z ordinates in scalar
+mult when timing resistant") wolfssl requires a RNG for an EC
+key when the hardened built option is selected.
+
+wc_ecc_set_rng is only available when built hardened, so there
+is no safe way to install the RNG to the key regardless whether
+or not wolfssl is compiled hardened.
+
+Always export wc_ecc_set_rng so tools such as hostapd can install
+RNG regardless of the built settings for wolfssl.
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void)
+
+ #endif /* FP_ECC */
+
+-#ifdef ECC_TIMING_RESISTANT
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
+ {
+ int err = 0;
+
++#ifdef ECC_TIMING_RESISTANT
+ if (key == NULL) {
+ err = BAD_FUNC_ARG;
+ }
+ else {
+ key->rng = rng;
+ }
++#endif
+
+ return err;
+ }
+-#endif
+
+ #ifdef HAVE_ECC_ENCRYPT
+
+--- a/wolfssl/wolfcrypt/ecc.h
++++ b/wolfssl/wolfcrypt/ecc.h
+@@ -584,10 +584,8 @@ WOLFSSL_API
+ void wc_ecc_fp_free(void);
+ WOLFSSL_LOCAL
+ void wc_ecc_fp_init(void);
+-#ifdef ECC_TIMING_RESISTANT
+ WOLFSSL_API
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+-#endif
+
+ WOLFSSL_API
+ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);