ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-14 17:00:18 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity
7e42fdcafe
openwrt/package/libs/wolfssl/patches/100-disable-hardening-check.patch
Hauke Mehrtens 84b000e5d0 wolfssl: Update to version 5.7.2 
This fixes multiple security problems:
 * [Medium] CVE-2024-1544
   Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls.

 * [Medium] CVE-2024-5288
   A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations.

 * [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS.

 * [Low] CVE-2024-5991
   In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked.

 * [Medium] CVE-2024-5814
   A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection.

 * [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received.

 * [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt.

Unset DISABLE_NLS to prevent setting the unsupported configuration
option --disable-nls which breaks the build now.

Link: https://github.com/openwrt/openwrt/pull/15948
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 3a0232ffd3)
2024-07-16 00:05:18 +02:00

12 lines
545 B
Diff
Raw Blame History

--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -3046,7 +3046,7 @@ extern void uITRON4_free(void *p) ;
/* warning for not using harden build options (default with ./configure) */
/* do not warn if big integer support is disabled */
-#if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)
+#if 0
#if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
(defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
(!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) && \
Reference in New Issue View Git Blame Copy Permalink