openwrt/package/libs/wolfssl/patches/200-ecc-rng.patch
Ivan Pavlov 3d88f26d74 wolfssl: bump to 5.5.0
Remove upstreamed: 101-update-sp_rand_prime-s-preprocessor-gating-to-match.patch

Some low severity vulnerabilities fixed
OpenVPN compatibility fixed (broken in 5.4.0)
Other fixes && improvements

Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
2022-09-02 21:56:25 +02:00

51 lines
1.2 KiB
Diff

Since commit 6467de5a8840 ("Randomize z ordinates in scalar
mult when timing resistant") wolfssl requires a RNG for an EC
key when the hardened built option is selected.
wc_ecc_set_rng is only available when built hardened, so there
is no safe way to install the RNG to the key regardless whether
or not wolfssl is compiled hardened.
Always export wc_ecc_set_rng so tools such as hostapd can install
RNG regardless of the built settings for wolfssl.
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -12348,21 +12348,21 @@ void wc_ecc_fp_free(void)
#endif /* FP_ECC */
-#ifdef ECC_TIMING_RESISTANT
int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng)
{
int err = 0;
+#ifdef ECC_TIMING_RESISTANT
if (key == NULL) {
err = BAD_FUNC_ARG;
}
else {
key->rng = rng;
}
+#endif
return err;
}
-#endif
#ifdef HAVE_ECC_ENCRYPT
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@@ -650,10 +650,8 @@ WOLFSSL_ABI WOLFSSL_API
void wc_ecc_fp_free(void);
WOLFSSL_LOCAL
void wc_ecc_fp_init(void);
-#ifdef ECC_TIMING_RESISTANT
WOLFSSL_API
int wc_ecc_set_rng(ecc_key* key, WC_RNG* rng);
-#endif
WOLFSSL_API
int wc_ecc_set_curve(ecc_key* key, int keysize, int curve_id);