From ba40da9045f77feb04abe63eb8a92f13f9efe471 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Tue, 29 Dec 2020 14:49:20 -0300 Subject: wolfssl: Update to v4.6.0-stable This version fixes a large number of bugs, although no security vulnerabilities are listed. Full changelog at: https://www.wolfssl.com/docs/wolfssl-changelog/ or, as part of the version's README.md: https://github.com/wolfSSL/wolfssl/blob/v4.6.0-stable/README.md Due a number of API additions, size increases from 374.7K to 408.8K for arm_cortex_a9_vfpv3-d16. The ABI does not change from previous version. Backported patches were removed; remaining patch was refreshed. Signed-off-by: Eneas U de Queiroz --- package/libs/wolfssl/Makefile | 6 +- .../patches/100-disable-hardening-check.patch | 2 +- .../patches/110-fix-build-on-big-endian.patch | 27 ----- .../patches/200-fix-checkhostname-matching.patch | 123 --------------------- 4 files changed, 4 insertions(+), 154 deletions(-) delete mode 100644 package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch delete mode 100644 package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch (limited to 'package') diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 6758f7dd08..dcc6aca40c 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.5.0-stable -PKG_RELEASE:=5 +PKG_VERSION:=4.6.0-stable +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=7de62300ce14daa0051bfefc7c4d6302f96cabc768b6ae49eda77523b118250c +PKG_HASH:=053aefbb02d0b06b27c5e2df6875b4b587318755b7db9d6aa8d72206b310a848 PKG_FIXUP:=libtool PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 43337ba970..c2793285e7 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,6 +1,6 @@ --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -2128,7 +2128,7 @@ extern void uITRON4_free(void *p) ; +@@ -2248,7 +2248,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ diff --git a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch b/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch deleted file mode 100644 index 3838865559..0000000000 --- a/package/libs/wolfssl/patches/110-fix-build-on-big-endian.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b90acc91d0cd276befe7f08f87ba2dc5ee7122ff Mon Sep 17 00:00:00 2001 -From: Tesfa Mael -Date: Wed, 26 Aug 2020 10:13:06 -0700 -Subject: [PATCH] Make ByteReverseWords available for big and little endian - ---- - wolfcrypt/src/misc.c | 2 -- - 1 file changed, 2 deletions(-) - ---- a/wolfcrypt/src/misc.c -+++ b/wolfcrypt/src/misc.c -@@ -120,7 +120,6 @@ WC_STATIC WC_INLINE word32 ByteReverseWo - return rotlFixed(value, 16U); - #endif - } --#if defined(LITTLE_ENDIAN_ORDER) - /* This routine performs a byte swap of words array of a given count. */ - WC_STATIC WC_INLINE void ByteReverseWords(word32* out, const word32* in, - word32 byteCount) -@@ -131,7 +130,6 @@ WC_STATIC WC_INLINE void ByteReverseWord - out[i] = ByteReverseWord32(in[i]); - - } --#endif /* LITTLE_ENDIAN_ORDER */ - - #if defined(WORD64_AVAILABLE) && !defined(WOLFSSL_NO_WORD64_OPS) - diff --git a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch b/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch deleted file mode 100644 index aaf14e46d9..0000000000 --- a/package/libs/wolfssl/patches/200-fix-checkhostname-matching.patch +++ /dev/null @@ -1,123 +0,0 @@ -From ea5c290d605b2af7b10d6e5ce69aa3534f52385f Mon Sep 17 00:00:00 2001 -From: Eric Blankenhorn -Date: Fri, 17 Jul 2020 08:37:02 -0500 -Subject: [PATCH] Fix CheckHostName matching - ---- - src/internal.c | 18 ++++++++++++------ - src/ssl.c | 5 +++++ - tests/api.c | 30 ++++++++++++++++++++++++++++++ - 3 files changed, 47 insertions(+), 6 deletions(-) - -diff --git a/src/internal.c b/src/internal.c -index dc57df0242..cda815d875 100644 ---- a/src/internal.c -+++ b/src/internal.c -@@ -9346,7 +9346,7 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) - altName = dCert->altNames; - - if (checkCN != NULL) { -- *checkCN = altName == NULL; -+ *checkCN = (altName == NULL) ? 1 : 0; - } - - while (altName) { -@@ -9415,23 +9415,29 @@ int CheckForAltNames(DecodedCert* dCert, const char* domain, int* checkCN) - int CheckHostName(DecodedCert* dCert, const char *domainName, size_t domainNameLen) - { - int checkCN; -+ int ret = DOMAIN_NAME_MISMATCH; - - /* Assume name is NUL terminated. */ - (void)domainNameLen; - - if (CheckForAltNames(dCert, domainName, &checkCN) != 1) { -- WOLFSSL_MSG("DomainName match on alt names failed too"); -- return DOMAIN_NAME_MISMATCH; -+ WOLFSSL_MSG("DomainName match on alt names failed"); - } -+ else { -+ ret = 0; -+ } -+ - if (checkCN == 1) { - if (MatchDomainName(dCert->subjectCN, dCert->subjectCNLen, -- domainName) == 0) { -+ domainName) == 1) { -+ ret = 0; -+ } -+ else { - WOLFSSL_MSG("DomainName match on common name failed"); -- return DOMAIN_NAME_MISMATCH; - } - } - -- return 0; -+ return ret; - } - - int CheckIPAddr(DecodedCert* dCert, const char* ipasc) -diff --git a/src/ssl.c b/src/ssl.c -index 11bc08a3cb..59ad9bae60 100644 ---- a/src/ssl.c -+++ b/src/ssl.c -@@ -43661,6 +43661,11 @@ int wolfSSL_X509_check_host(WOLFSSL_X509 *x, const char *chk, size_t chklen, - (void)flags; - (void)peername; - -+ if ((x == NULL) || (chk == NULL)) { -+ WOLFSSL_MSG("Invalid parameter"); -+ return WOLFSSL_FAILURE; -+ } -+ - if (flags == WOLFSSL_NO_WILDCARDS) { - WOLFSSL_MSG("X509_CHECK_FLAG_NO_WILDCARDS not yet implemented"); - return WOLFSSL_FAILURE; -diff --git a/tests/api.c b/tests/api.c -index 774a332968..db888952d4 100644 ---- a/tests/api.c -+++ b/tests/api.c -@@ -23875,6 +23875,35 @@ static void test_wolfSSL_X509_issuer_name_hash(void) - #endif - } - -+static void test_wolfSSL_X509_check_host(void) -+{ -+#if defined(OPENSSL_EXTRA) && !defined(NO_CERTS) && !defined(NO_FILESYSTEM) \ -+ && !defined(NO_SHA) && !defined(NO_RSA) -+ -+ X509* x509; -+ const char altName[] = "example.com"; -+ -+ printf(testingFmt, "wolfSSL_X509_check_host()"); -+ -+ AssertNotNull(x509 = wolfSSL_X509_load_certificate_file(cliCertFile, -+ SSL_FILETYPE_PEM)); -+ -+ AssertIntEQ(X509_check_host(x509, altName, XSTRLEN(altName), 0, NULL), -+ WOLFSSL_SUCCESS); -+ -+ AssertIntEQ(X509_check_host(x509, NULL, 0, 0, NULL), -+ WOLFSSL_FAILURE); -+ -+ X509_free(x509); -+ -+ AssertIntEQ(X509_check_host(NULL, altName, XSTRLEN(altName), 0, NULL), -+ WOLFSSL_FAILURE); -+ -+ printf(resultFmt, passed); -+ -+#endif -+} -+ - static void test_wolfSSL_DES(void) - { - #if defined(OPENSSL_EXTRA) && !defined(NO_DES3) -@@ -36407,6 +36436,7 @@ void ApiTest(void) - test_wolfSSL_X509_INFO(); - test_wolfSSL_X509_subject_name_hash(); - test_wolfSSL_X509_issuer_name_hash(); -+ test_wolfSSL_X509_check_host(); - test_wolfSSL_DES(); - test_wolfSSL_certs(); - test_wolfSSL_ASN1_TIME_print(); -- cgit v1.2.3