mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-07 14:28:50 +00:00
31bb27f35b
This is amalgamation of backported changes since 4.7.0-stable release: Sergey V. Lobanov (2):5b13b0b02cwolfssl: update to 5.1.1-stable7d376e6e52libs/wolfssl: add SAN (Subject Alternative Name) support Andre Heider (3):3f8adcb215wolfssl: remove --enable-sha512 configure switch249478ec48wolfssl: always build with --enable-reproducible-build4b212b1306wolfssl: build with WOLFSSL_ALT_CERT_CHAINS Ivan Pavlov (1):16414718f9wolfssl: update to 4.8.1-stable David Bauer (1):f6d8c0cf2bwolfssl: always export wc_ecc_set_rng Christian Lamparter (1):86801bd3d8wolfssl: fix Ed25519 typo in config prompt The diff of security related changes we would need to backport would be so huge, that there would be a high probability of introducing new vulnerabilities, so it was decided, that bumping to latest stable release is the prefered way for fixing following security issues: * OCSP request/response verification issue. (fixed in 4.8.0) * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1) * Issue with incorrectly validating a certificate (fixed in 5.0.0) * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0) * Client side session resumption issue (fixed in 5.1.0) * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0) * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1) Cc: Hauke Mehrtens <hauke@hauke-m.de> Cc: Eneas U de Queiroz <cotequeiroz@gmail.com> Signed-off-by: Petr Štetiar <ynezz@true.cz> Acked-by: Hauke Mehrtens <hauke@hauke-m.de> Acked-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
123 lines
3.8 KiB
Makefile
123 lines
3.8 KiB
Makefile
#
|
|
# Copyright (C) 2006-2017 OpenWrt.org
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v2.
|
|
# See /LICENSE for more information.
|
|
#
|
|
|
|
include $(TOPDIR)/rules.mk
|
|
|
|
PKG_NAME:=wolfssl
|
|
PKG_VERSION:=5.1.1-stable
|
|
PKG_RELEASE:=1
|
|
|
|
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
|
|
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
|
|
PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92
|
|
|
|
PKG_FIXUP:=libtool
|
|
PKG_INSTALL:=1
|
|
PKG_USE_MIPS16:=0
|
|
PKG_BUILD_PARALLEL:=1
|
|
PKG_LICENSE:=GPL-2.0-or-later
|
|
PKG_LICENSE_FILES:=LICENSING COPYING
|
|
PKG_MAINTAINER:=Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
PKG_CPE_ID:=cpe:/a:wolfssl:wolfssl
|
|
|
|
PKG_CONFIG_DEPENDS:=\
|
|
CONFIG_WOLFSSL_HAS_AES_CCM CONFIG_WOLFSSL_HAS_AFALG \
|
|
CONFIG_WOLFSSL_HAS_ARC4 CONFIG_WOLFSSL_HAS_CHACHA_POLY \
|
|
CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL \
|
|
CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
|
|
CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
|
|
CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
|
|
CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES
|
|
|
|
include $(INCLUDE_DIR)/package.mk
|
|
|
|
define Package/libwolfssl
|
|
SECTION:=libs
|
|
SUBMENU:=SSL
|
|
CATEGORY:=Libraries
|
|
TITLE:=wolfSSL library
|
|
URL:=http://www.wolfssl.com/
|
|
MENU:=1
|
|
PROVIDES:=libcyassl
|
|
DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user
|
|
ABI_VERSION:=30
|
|
endef
|
|
|
|
define Package/libwolfssl/description
|
|
wolfSSL (formerly CyaSSL) is an SSL library optimized for small
|
|
footprint, both on disk and for memory use.
|
|
endef
|
|
|
|
define Package/libwolfssl/config
|
|
source "$(SOURCE)/Config.in"
|
|
endef
|
|
|
|
TARGET_CFLAGS += \
|
|
$(FPIC) \
|
|
-fomit-frame-pointer \
|
|
-flto \
|
|
-DFP_MAX_BITS=8192 \
|
|
$(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
|
|
|
|
TARGET_LDFLAGS += -flto
|
|
|
|
# --enable-stunnel needed for OpenSSL API compatibility bits
|
|
CONFIGURE_ARGS += \
|
|
--enable-reproducible-build \
|
|
--enable-opensslall \
|
|
--enable-opensslextra \
|
|
--enable-sni \
|
|
--enable-stunnel \
|
|
--enable-altcertchains \
|
|
--disable-crypttests \
|
|
--disable-examples \
|
|
--disable-jobserver \
|
|
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-chacha \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_CHACHA_POLY),enable,disable)-poly1305 \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_DH),enable,disable)-dh \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_ARC4),enable,disable)-arc4 \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_TLSV10),enable,disable)-tlsv10 \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_TLSV13),enable,disable)-tls13 \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_SESSION_TICKET),enable,disable)-session-ticket \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_DTLS),enable,disable)-dtls \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_ECC25519),enable,disable)-curve25519 \
|
|
--$(if $(CONFIG_WOLFSSL_HAS_AFALG),enable,disable)-afalg \
|
|
--enable-devcrypto=$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC),cbc\
|
|
,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES),aes\
|
|
,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL),yes,no)))
|
|
|
|
ifeq ($(CONFIG_WOLFSSL_HAS_OCSP),y)
|
|
CONFIGURE_ARGS += \
|
|
--enable-ocsp --enable-ocspstapling --enable-ocspstapling2
|
|
endif
|
|
|
|
ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
|
|
CONFIGURE_ARGS += \
|
|
--enable-wpas --enable-fortress --enable-fastmath
|
|
endif
|
|
|
|
define Build/InstallDev
|
|
$(INSTALL_DIR) $(1)/usr/include $(1)/usr/lib/pkgconfig
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
|
|
|
|
$(INSTALL_DIR) $(1)/usr/lib
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.{so*,la} $(1)/usr/lib/
|
|
ln -s libwolfssl.so $(1)/usr/lib/libcyassl.so
|
|
ln -s libwolfssl.la $(1)/usr/lib/libcyassl.la
|
|
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/pkgconfig/*.pc $(1)/usr/lib/pkgconfig
|
|
endef
|
|
|
|
define Package/libwolfssl/install
|
|
$(INSTALL_DIR) $(1)/usr/lib
|
|
$(CP) $(PKG_INSTALL_DIR)/usr/lib/libwolfssl.so.* $(1)/usr/lib/
|
|
endef
|
|
|
|
$(eval $(call BuildPackage,libwolfssl))
|