mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-30 18:47:06 +00:00
3a0232ffd3
This fixes multiple security problems: * [Medium] CVE-2024-1544 Potential ECDSA nonce side channel attack in versions of wolfSSL before 5.6.6 with wc_ecc_sign_hash calls. * [Medium] CVE-2024-5288 A private key blinding operation, enabled by defining the macro WOLFSSL_BLIND_PRIVATE_KEY, was added to mitigate a potential row hammer attack on ECC operations. * [Low] When parsing a provided maliciously crafted certificate directly using wolfSSL API, outside of a TLS connection, a certificate with an excessively large number of extensions could lead to a potential DoS. * [Low] CVE-2024-5991 In the function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. * [Medium] CVE-2024-5814 A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. * [Medium] OCSP stapling version 2 response verification bypass issue when a crafted response of length 0 is received. * [Medium] OCSP stapling version 2 revocation bypass with a retry of a TLS connection attempt. Unset DISABLE_NLS to prevent setting the unsupported configuration option --disable-nls which breaks the build now. Link: https://github.com/openwrt/openwrt/pull/15948 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
12 lines
545 B
Diff
12 lines
545 B
Diff
--- a/wolfssl/wolfcrypt/settings.h
|
|
+++ b/wolfssl/wolfcrypt/settings.h
|
|
@@ -3046,7 +3046,7 @@ extern void uITRON4_free(void *p) ;
|
|
|
|
/* warning for not using harden build options (default with ./configure) */
|
|
/* do not warn if big integer support is disabled */
|
|
-#if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)
|
|
+#if 0
|
|
#if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
|
|
(defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
|
|
(!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) && \
|