From ade7c6db1e6c2c0c8d2338948c37cfa7429ebccc Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Fri, 15 Jul 2022 16:09:58 -0300 Subject: wolfssl: bump to 5.4.0 This version fixes two vulnerabilities: -CVE-2022-34293[high]: Potential for DTLS DoS attack -[medium]: Ciphertext side channel attack on ECC and DH operations. The patch fixing x86 aesni build has been merged upstream. Signed-off-by: Eneas U de Queiroz (cherry picked from commit 9710fe70a68e0a004b1906db192d7a6c8f810ac5) Signed-off-by: Christian Marangi --- package/libs/wolfssl/Makefile | 4 +- .../patches/100-disable-hardening-check.patch | 2 +- package/libs/wolfssl/patches/200-ecc-rng.patch | 2 +- ...x-configure-to-use-minimal-compiler-flags.patch | 44 ---------------------- 4 files changed, 4 insertions(+), 48 deletions(-) delete mode 100644 package/libs/wolfssl/patches/300-AESNI-fix-configure-to-use-minimal-compiler-flags.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 3edd526364..486eaf70ae 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=5.3.0-stable +PKG_VERSION:=5.4.0-stable PKG_RELEASE:=$(AUTORELEASE) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=1a3bb310dc01d3e73d9ad91b6ea8249d081016f8eef4ae8f21d3421f91ef1de9 +PKG_HASH:=dc36cc19dad197253e5c2ecaa490c7eef579ad448706e55d73d79396e814098b PKG_FIXUP:=libtool libtool-abiver PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 7e473b390b..d3ad2e27bc 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2338,7 +2338,7 @@ extern void uITRON4_free(void *p) ; +@@ -2442,7 +2442,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch index f1f156a8ae..2e09e6d273 100644 --- a/package/libs/wolfssl/patches/200-ecc-rng.patch +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -11,7 +11,7 @@ RNG regardless of the built settings for wolfssl. --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c -@@ -11655,21 +11655,21 @@ void wc_ecc_fp_free(void) +@@ -12288,21 +12288,21 @@ void wc_ecc_fp_free(void) #endif /* FP_ECC */ diff --git a/package/libs/wolfssl/patches/300-AESNI-fix-configure-to-use-minimal-compiler-flags.patch b/package/libs/wolfssl/patches/300-AESNI-fix-configure-to-use-minimal-compiler-flags.patch deleted file mode 100644 index d65a117d1e..0000000000 --- a/package/libs/wolfssl/patches/300-AESNI-fix-configure-to-use-minimal-compiler-flags.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 9ba77300f9f5dea9f53aed00bf6c33d10b7b2fce Mon Sep 17 00:00:00 2001 -From: Sean Parkinson -Date: Thu, 7 Jul 2022 09:30:48 +1000 -Subject: [PATCH] AESNI: fix configure to use minimal compiler flags - - -diff --git a/configure.ac b/configure.ac -index df97ac75c..6abb0c744 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2142,21 +2142,19 @@ then - if test "$ENABLED_AESNI" = "yes" || test "$ENABLED_INTELASM" = "yes" - then - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AESNI" -- if test "$GCC" = "yes" -+ if test "$CC" != "icc" - then -- # clang needs these flags -- if test "$CC" = "clang" -- then -- AM_CFLAGS="$AM_CFLAGS -maes -mpclmul" -- else -- # GCC needs these flags, icc doesn't -- # opt levels greater than 2 may cause problems on systems w/o -- # aesni -- if test "$CC" != "icc" -- then -- AM_CFLAGS="$AM_CFLAGS -maes -msse4 -mpclmul" -- fi -- fi -+ case $host_os in -+ mingw*) -+ # Windows uses intrinsics for GCM which uses SSE4 instructions. -+ # MSVC has own build files. -+ AM_CFLAGS="$AM_CFLAGS -maes -msse4 -mpclmul" -+ ;; -+ *) -+ # Intrinsics used in AES_set_decrypt_key (TODO: rework) -+ AM_CFLAGS="$AM_CFLAGS -maes" -+ ;; -+ esac - fi - AS_IF([test "x$ENABLED_AESGCM" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"]) - fi -- cgit v1.2.3