aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/wolfssl
diff options
context:
space:
mode:
Diffstat (limited to 'package/libs/wolfssl')
-rw-r--r--package/libs/wolfssl/Config.in6
-rw-r--r--package/libs/wolfssl/Makefile23
-rw-r--r--package/libs/wolfssl/patches/100-disable-hardening-check.patch2
-rw-r--r--package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch13
-rw-r--r--package/libs/wolfssl/patches/200-ecc-rng.patch50
5 files changed, 86 insertions, 8 deletions
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4ac69f821a..99ceb6c463 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS
default y
config WOLFSSL_HAS_ECC25519
- bool "Include ECC Curve 22519 support"
+ bool "Include ECC Curve 25519 support"
default n
+config WOLFSSL_ALT_NAMES
+ bool "Include SAN (Subject Alternative Name) support"
+ default y
+
config WOLFSSL_HAS_DEVCRYPTO
bool
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2..de6b707b95 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=5.1.1-stable
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92
PKG_FIXUP:=libtool
PKG_INSTALL:=1
@@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
- CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
+ CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES
include $(INCLUDE_DIR)/package.mk
@@ -44,7 +44,7 @@ define Package/libwolfssl
MENU:=1
PROVIDES:=libcyassl
DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
- ABI_VERSION:=24
+ ABI_VERSION:=30
endef
define Package/libwolfssl/description
@@ -56,13 +56,24 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
endef
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+ $(FPIC) \
+ -fomit-frame-pointer \
+ -flto \
+ -DFP_MAX_BITS=8192 \
+ $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
+
+TARGET_LDFLAGS += -flto
# --enable-stunnel needed for OpenSSL API compatibility bits
CONFIGURE_ARGS += \
+ --enable-reproducible-build \
+ --enable-opensslall \
--enable-opensslextra \
--enable-sni \
--enable-stunnel \
+ --enable-altcertchains \
+ --disable-crypttests \
--disable-examples \
--disable-jobserver \
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
@@ -88,7 +99,7 @@ endif
ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
CONFIGURE_ARGS += \
- --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+ --enable-wpas --enable-fortress --enable-fastmath
endif
define Build/InstallDev
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index c89ff1be9d..79d0d6f759 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,6 +1,6 @@
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
-@@ -2255,7 +2255,7 @@ extern void uITRON4_free(void *p) ;
+@@ -2346,7 +2346,7 @@ extern void uITRON4_free(void *p) ;
#endif
/* warning for not using harden build options (default with ./configure) */
diff --git a/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
new file mode 100644
index 0000000000..206c6dac6a
--- /dev/null
+++ b/package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index 144c857e4..de7f6b45a 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -32,7 +32,7 @@ AC_ARG_PROGRAM
+
+ AC_CONFIG_HEADERS([config.h:config.in])
+
+-LT_PREREQ([2.4.2])
++LT_PREREQ([2.4])
+ LT_INIT([disable-static win32-dll])
+
+ #shared library versioning
diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch
new file mode 100644
index 0000000000..78ff4b1f4a
--- /dev/null
+++ b/package/libs/wolfssl/patches/200-ecc-rng.patch
@@ -0,0 +1,50 @@
+Since commit 6467de5a8840 ("Randomize z ordinates in scalar
+mult when timing resistant") wolfssl requires a RNG for an EC
+key when the hardened built option is selected.
+
+wc_ecc_set_rng is only available when built hardened, so there
+is no safe way to install the RNG to the key regardless whether
+or not wolfssl is compiled hardened.
+
+Always export wc_ecc_set_rng so tools such as hostapd can install
+RNG regardless of the built settings for wolfssl.
+
+--- a/wolfcrypt/src/ecc.c
++++ b/wolfcrypt/src/ecc.c
+@@ -11647,21 +11647,21 @@ void wc_ecc_fp_free(void)
+
+ #endif /* FP_ECC */
+
+-#ifdef ECC_TIMING_RESISTANT
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
+ {
+ int err = 0;
+
++#ifdef ECC_TIMING_RESISTANT
+ if (key == NULL) {
+ err = BAD_FUNC_ARG;
+ }
+ else {
+ key->rng = rng;
+ }
++#endif
+
+ return err;
+ }
+-#endif
+
+ #ifdef HAVE_ECC_ENCRYPT
+
+--- a/wolfssl/wolfcrypt/ecc.h
++++ b/wolfssl/wolfcrypt/ecc.h
+@@ -647,10 +647,8 @@ WOLFSSL_API
+ void wc_ecc_fp_free(void);
+ WOLFSSL_LOCAL
+ void wc_ecc_fp_init(void);
+-#ifdef ECC_TIMING_RESISTANT
+ WOLFSSL_API
+ int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
+-#endif
+
+ WOLFSSL_API
+ int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);