diff options
author | David Bauer <mail@david-bauer.net> | 2021-05-06 01:48:04 +0200 |
---|---|---|
committer | David Bauer <mail@david-bauer.net> | 2021-06-21 22:43:15 +0200 |
commit | f6d8c0cf2b47b55474f6f2604ac57bc8aedfeb08 (patch) | |
tree | 8418e7aca3592c0cf49a7704d0d311a62a45e7d1 | |
parent | 56228e939365d543933a87cac11109a7d5ccc619 (diff) | |
download | upstream-f6d8c0cf2b47b55474f6f2604ac57bc8aedfeb08.tar.gz upstream-f6d8c0cf2b47b55474f6f2604ac57bc8aedfeb08.tar.bz2 upstream-f6d8c0cf2b47b55474f6f2604ac57bc8aedfeb08.zip |
wolfssl: always export wc_ecc_set_rng
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.
wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.
Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit ef9b103107aebd1a54f4360af3d9cf28d0544f13)
-rw-r--r-- | package/libs/wolfssl/Makefile | 2 | ||||
-rw-r--r-- | package/libs/wolfssl/patches/200-ecc-rng.patch | 50 |
2 files changed, 51 insertions, 1 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 53cd932d1f..030a0224f5 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl PKG_VERSION:=4.7.0-stable -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) diff --git a/package/libs/wolfssl/patches/200-ecc-rng.patch b/package/libs/wolfssl/patches/200-ecc-rng.patch new file mode 100644 index 0000000000..2d33c06209 --- /dev/null +++ b/package/libs/wolfssl/patches/200-ecc-rng.patch @@ -0,0 +1,50 @@ +Since commit 6467de5a8840 ("Randomize z ordinates in scalar +mult when timing resistant") wolfssl requires a RNG for an EC +key when the hardened built option is selected. + +wc_ecc_set_rng is only available when built hardened, so there +is no safe way to install the RNG to the key regardless whether +or not wolfssl is compiled hardened. + +Always export wc_ecc_set_rng so tools such as hostapd can install +RNG regardless of the built settings for wolfssl. + +--- a/wolfcrypt/src/ecc.c ++++ b/wolfcrypt/src/ecc.c +@@ -10293,21 +10293,21 @@ void wc_ecc_fp_free(void) + + #endif /* FP_ECC */ + +-#ifdef ECC_TIMING_RESISTANT + int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng) + { + int err = 0; + ++#ifdef ECC_TIMING_RESISTANT + if (key == NULL) { + err = BAD_FUNC_ARG; + } + else { + key->rng = rng; + } ++#endif + + return err; + } +-#endif + + #ifdef HAVE_ECC_ENCRYPT + +--- a/wolfssl/wolfcrypt/ecc.h ++++ b/wolfssl/wolfcrypt/ecc.h +@@ -584,10 +584,8 @@ WOLFSSL_API + void wc_ecc_fp_free(void); + WOLFSSL_LOCAL + void wc_ecc_fp_init(void); +-#ifdef ECC_TIMING_RESISTANT + WOLFSSL_API + int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng); +-#endif + + WOLFSSL_API + int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id); |