mirror of
https://github.com/openwrt/openwrt.git
synced 2025-02-15 15:12:17 +00:00
31bb27f35b
This is amalgamation of backported changes since 4.7.0-stable release: Sergey V. Lobanov (2): 5b13b0b02c70 wolfssl: update to 5.1.1-stable 7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support Andre Heider (3): 3f8adcb215ed wolfssl: remove --enable-sha512 configure switch 249478ec4850 wolfssl: always build with --enable-reproducible-build 4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS Ivan Pavlov (1): 16414718f9ae wolfssl: update to 4.8.1-stable David Bauer (1): f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng Christian Lamparter (1): 86801bd3d806 wolfssl: fix Ed25519 typo in config prompt The diff of security related changes we would need to backport would be so huge, that there would be a high probability of introducing new vulnerabilities, so it was decided, that bumping to latest stable release is the prefered way for fixing following security issues: * OCSP request/response verification issue. (fixed in 4.8.0) * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1) * Issue with incorrectly validating a certificate (fixed in 5.0.0) * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0) * Client side session resumption issue (fixed in 5.1.0) * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0) * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1) Cc: Hauke Mehrtens <hauke@hauke-m.de> Cc: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> Acked-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
51 lines
1.2 KiB
Diff
51 lines
1.2 KiB
Diff
Since commit 6467de5a8840 ("Randomize z ordinates in scalar
|
|
mult when timing resistant") wolfssl requires a RNG for an EC
|
|
key when the hardened built option is selected.
|
|
|
|
wc_ecc_set_rng is only available when built hardened, so there
|
|
is no safe way to install the RNG to the key regardless whether
|
|
or not wolfssl is compiled hardened.
|
|
|
|
Always export wc_ecc_set_rng so tools such as hostapd can install
|
|
RNG regardless of the built settings for wolfssl.
|
|
|
|
--- a/wolfcrypt/src/ecc.c
|
|
+++ b/wolfcrypt/src/ecc.c
|
|
@@ -11647,21 +11647,21 @@ void wc_ecc_fp_free(void)
|
|
|
|
#endif /* FP_ECC */
|
|
|
|
-#ifdef ECC_TIMING_RESISTANT
|
|
int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
|
|
{
|
|
int err = 0;
|
|
|
|
+#ifdef ECC_TIMING_RESISTANT
|
|
if (key == NULL) {
|
|
err = BAD_FUNC_ARG;
|
|
}
|
|
else {
|
|
key->rng = rng;
|
|
}
|
|
+#endif
|
|
|
|
return err;
|
|
}
|
|
-#endif
|
|
|
|
#ifdef HAVE_ECC_ENCRYPT
|
|
|
|
--- a/wolfssl/wolfcrypt/ecc.h
|
|
+++ b/wolfssl/wolfcrypt/ecc.h
|
|
@@ -647,10 +647,8 @@ WOLFSSL_API
|
|
void wc_ecc_fp_free(void);
|
|
WOLFSSL_LOCAL
|
|
void wc_ecc_fp_init(void);
|
|
-#ifdef ECC_TIMING_RESISTANT
|
|
WOLFSSL_API
|
|
int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
|
|
-#endif
|
|
|
|
WOLFSSL_API
|
|
int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);
|