1891419db3
Fix the following security vulnerabilities: - [Low] Fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users doing operations with private ECC keys such as server side TLS connections and creating ECC signatures, who also have hardware that could be targeted with a sophisticated Rowhammer attack should update the version of wolfSSL and compile using the macro WOLFSSL_CHECK_SIG_FAULTS. - [Low] In wolfSSL version 5.3.0 if compiled with --enable-session-ticket and the client has non-empty session cache, with TLS 1.2 there is the possibility oàf a man in the middle passing a large session ticket to the client and causing a crash due to an invalid free. There is also the potential for a malicious TLS 1.3 server to crash a client in a similar manner except in TLS 1.3 it is not susceptible to a man in the middle attack. Users on the client side with –enable-session-ticket compiled in and using wolfSSL version 5.3.0 should update their version of wolfSSL. - [Low] If using wolfSSL_clear to reset a WOLFSSL object (vs the normal wolfSSL_free/wolfSSL_new) it can result in runtime issues. This exists with builds using the wolfSSL compatibility layer (--enable-opnesslextra) and only when the application is making use of wolfSSL_clear instead of SSL_free/SSL_new. In the case of a TLS 1.3 resumption, after continuing to use the WOLFSSH object after having called wolfSSL_clear, an application could crash. It is suggested that users calling wolfSSL_clear update the version of wolfSSL used. - Potential DoS attack on DTLS 1.2. In the case of receiving a malicious plaintext handshake message at epoch 0 the connection will enter an error state reporting a duplicate message. This affects both server and client side. Users that have DTLS enabled and in use should update their version of wolfSSL to mitigate the potential for a DoS attack. https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
49 lines
1.3 KiB
Makefile
49 lines
1.3 KiB
Makefile
################################################################################
|
|
#
|
|
# wolfssl
|
|
#
|
|
################################################################################
|
|
|
|
WOLFSSL_VERSION = 5.5.0
|
|
WOLFSSL_SITE = $(call github,wolfSSL,wolfssl,v$(WOLFSSL_VERSION)-stable)
|
|
WOLFSSL_INSTALL_STAGING = YES
|
|
|
|
WOLFSSL_LICENSE = GPL-2.0+
|
|
WOLFSSL_LICENSE_FILES = COPYING LICENSING
|
|
WOLFSSL_CPE_ID_VENDOR = wolfssl
|
|
WOLFSSL_CONFIG_SCRIPTS = wolfssl-config
|
|
WOLFSSL_DEPENDENCIES = host-pkgconf
|
|
|
|
# wolfssl's source code is released without a configure
|
|
# script, so we need autoreconf
|
|
WOLFSSL_AUTORECONF = YES
|
|
|
|
WOLFSSL_CONF_OPTS = --disable-examples --disable-crypttests
|
|
|
|
ifeq ($(BR2_PACKAGE_WOLFSSL_ALL),y)
|
|
WOLFSSL_CONF_OPTS += --enable-all
|
|
else
|
|
WOLFSSL_CONF_OPTS += --disable-all
|
|
endif
|
|
|
|
ifeq ($(BR2_PACKAGE_WOLFSSL_SSLV3),y)
|
|
WOLFSSL_CONF_OPTS += --enable-sslv3
|
|
else
|
|
WOLFSSL_CONF_OPTS += --disable-sslv3
|
|
endif
|
|
|
|
# enable ARMv8 hardware acceleration
|
|
ifeq ($(BR2_ARM_CPU_ARMV8A),y)
|
|
WOLFSSL_CONF_OPTS += --enable-armasm
|
|
# the flag -mstrict-align is needed to prevent build errors caused by
|
|
# some inline assembly in parts of the AES structure using the "m"
|
|
# constraint
|
|
ifeq ($(BR2_aarch64),y)
|
|
WOLFSSL_CONF_ENV += CPPFLAGS="$(TARGET_CPPFLAGS) -mstrict-align"
|
|
endif
|
|
else
|
|
WOLFSSL_CONF_OPTS += --disable-armasm
|
|
endif
|
|
|
|
$(eval $(autotools-package))
|