From 00722a720c778e623d6f37af3a3b4e43b29c3fe8 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Mon, 24 Aug 2020 12:11:29 +0200 Subject: wolfssl: Update to version 4.5.0 This fixes the following security problems: * In earlier versions of wolfSSL there exists a potential man in the middle attack on TLS 1.3 clients. * Denial of service attack on TLS 1.3 servers from repetitively sending ChangeCipherSpecs messages. (CVE-2020-12457) * Potential cache timing attacks on public key operations in builds that are not using SP (single precision). (CVE-2020-15309) * When using SGX with EC scalar multiplication the possibility of side- channel attacks are present. * Leak of private key in the case that PEM format private keys are bundled in with PEM certificates into a single file. * During the handshake, clear application_data messages in epoch 0 are processed and returned to the application. Full changelog: https://www.wolfssl.com/docs/wolfssl-changelog/ Fix a build error on big endian systems by backporting a pull request: https://github.com/wolfSSL/wolfssl/pull/3255 The size of the ipk increases on mips BE by 1.4% old: libwolfssl24_4.4.0-stable-2_mips_24kc.ipk: 386246 new: libwolfssl24_4.5.0-stable-1_mips_24kc.ipk: 391528 Signed-off-by: Hauke Mehrtens --- .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-fix-build-on-big-endian.patch | 27 ++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch (limited to 'package/libs/wolfssl/patches') diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 5d83eca770..43337ba970 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -1930,7 +1930,7 @@ extern void uITRON4_free(void *p) ; +@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch new file mode 100644 index 0000000000..3838865559 --- /dev/null +++ b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch @@ -0,0 +1,27 @@ +From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001 +From: Tesfa Mael +Date: Wed, 26 Aug 2020 10:13:06 -0700 +Subject: [PATCH] Make ByteReverseWords available for big and little endian + +--- + wolfcrypt/src/misc.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/wolfcrypt/src/misc.c ++++ b/wolfcrypt/src/misc.c +@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo + return rotlFixed(value, 16U); + #endif + } +-#if defined(LITTLE_ENDIAN_ORDER) + /* This routine performs a byte swap of words array of a given count. */ + WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, + word32 byteCount) +@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord + out[i] = ByteReverseWord32(in[i]); + + } +-#endif /* LITTLE_ENDIAN_ORDER */ + + #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS) + -- cgit v1.2.3