This is amalgamation of backported changes since 4.7.0-stable release:
Sergey V. Lobanov (2):
5b13b0b02c70 wolfssl: update to 5.1.1-stable
7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support
Andre Heider (3):
3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
249478ec4850 wolfssl: always build with --enable-reproducible-build
4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
Ivan Pavlov (1):
16414718f9ae wolfssl: update to 4.8.1-stable
David Bauer (1):
f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng
Christian Lamparter (1):
86801bd3d806 wolfssl: fix Ed25519 typo in config prompt
The diff of security-related changes we would need to backport would be
so huge that there would be a high probability of introducing new
vulnerabilities, so it was decided that bumping to the latest stable
release is the preferred way of fixing the following security issues:
* OCSP request/response verification issue. (fixed in 4.8.0)
* Incorrectly skips OCSP verification in certain situations CVE-2021-38597
(fixed in 4.8.1)
* Issue with incorrectly validating a certificate (fixed in 5.0.0)
* Hang with DSA signature creation when a specific q value is used (fixed in
5.0.0)
* Client side session resumption issue (fixed in 5.1.0)
* Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
* Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)
Cc: Hauke Mehrtens
Cc: Eneas U de Queiroz
Signed-off-by: Petr Štetiar
---
package/libs/wolfssl/Config.in| 6 ++-
package/libs/wolfssl/Makefile | 23 ++---
.../patches/100-disable-hardening-check.patch | 2 +-
.../patches/110-build-with-libtool-2.4.patch | 13 +
.../libs/wolfssl/patches/200-ecc-rng.patch| 50 +++
5 files changed, 86 insertions(+), 8 deletions(-)
create mode 100644
package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
create mode 100644 package/libs/wolfssl/patches/200-ecc-rng.patch
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4ac69f821a3d..99ceb6c4630e 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS
default y
config WOLFSSL_HAS_ECC25519
- bool "Include ECC Curve 22519 support"
+ bool "Include ECC Curve 25519 support"
default n
+config WOLFSSL_ALT_NAMES
+ bool "Include SAN (Subject Alternative Name) support"
+ default y
+
config WOLFSSL_HAS_DEVCRYPTO
bool
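Review bot: The new symbol `WOLFSSL_ALT_NAMES` departs from the `WOLFSSL_HAS_*` naming used by the neighbouring options (`WOLFSSL_HAS_ECC25519`, `WOLFSSL_HAS_DEVCRYPTO`), so it reads as a different kind of knob than a feature toggle. If the name is kept so that it matches the Makefile's `CONFIG_WOLFSSL_ALT_NAMES` references, a `help` entry saying that it enables Subject Alternative Name handling in certificate verification (the Makefile passes `-DWOLFSSL_ALT_NAMES`) would explain why the default is y; otherwise `WOLFSSL_HAS_ALT_NAMES` would be the consistent choice.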
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2e2..de6b707b952d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=5.1.1-stable
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92
PKG_FIXUP:=libtool
PKG_INSTALL:=1
@@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
- CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
+ CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
CONFIG_WOLFSSL_ALT_NAMES
include $(INCLUDE_DIR)/package.mk
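Review bot: As rendered here, the line `CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS` has no trailing backslash before the added `CONFIG_WOLFSSL_ALT_NAMES`, which would leave that symbol outside the `PKG_CONFIG_DEPENDS` assignment as a bare word line. This is most likely the diff's whitespace being stripped in transit rather than the patch itself, but it is worth confirming that the applied file reads `CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS \`. If the symbol did drop out, toggling WOLFSSL_ALT_NAMES would not trigger a reconfigure even though the CFLAGS hunk below keys `-DWOLFSSL_ALT_NAMES` on it.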
@@ -44,7 +44,7 @@ define Package/libwolfssl
MENU:=1
PROVIDES:=libcyassl
DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev
+WOLFSSL_HAS_AFALG:kmod-crypto-user
- ABI_VERSION:=24
+ ABI_VERSION:=30
endef
define Package/libwolfssl/description
@@ -56,13 +56,24 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
endef
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+ $(FPIC) \
+ -fomit-frame-pointer \
+ -flto \
+ -DFP_MAX_BITS=8192 \
+ $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
+
+TARGET_LDFLAGS += -flto
# --enable-stunnel needed for OpenSSL API compatibility bits
CONFIGURE_ARGS += \
+ --enable-reproducible-build \
+ --enable-opensslall \
--enable-opensslextra \
--enable-sni \
--enable-stunnel \
+ --enable-altcertchains \
+ --disable-crypttests \
--disable-examples \
--disable-jobserver \
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
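Review bot: The security-relevant configure switches added here, `--enable-altcertchains` and `--disable-crypttests`, carry no explanatory comment, while the neighbouring `--enable-stunnel` line does. As I understand the wolfSSL option, `--enable-altcertchains` (WOLFSSL_ALT_CERT_CHAINS) lets a peer chain validate when it terminates at a trusted intermediate CA rather than requiring it to reach a root in the store, which is a deliberate relaxation of chain verification worth recording, e.g. `# --enable-altcertchains: accept chains ending at a trusted intermediate (WOLFSSL_ALT_CERT_CHAINS)`. `--disable-crypttests` drops the build of wolfSSL's crypto test program, so a line such as `# --disable-crypttests: test binaries are not shipped in the package` keeps the reason visible. The `-flto` addition also deserves a one-line why, since it is applied to both `TARGET_CFLAGS` and `TARGET_LDFLAGS` and the two must stay paired.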
@@ -88,7 +99,7 @@ endif
ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
CONFIGURE_ARGS += \
- --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+ --enable-wpas --enable-fortress --enable-fastmath
endif
define Build/InstallDev
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch