Re: [PATCH 19.07 v2 0/3] wolfssl security updates

2022-02-17 Thread Eneas U de Queiroz
On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca
 wrote:

> Sure. And I do have interest in getting it fixed.

I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport

However, I got stuck with this issue, about a MitM attack when the
client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/

The patch for it is over 1,500 lines, and I would not be so confident
that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a

libcurl and hostapd use client-side session resumption, so openwrt is
possibly impacted.  I don't know if the session cache can get filled
by hostapd or not, but with libcurl, anything is possible.  They both
use the wolfSSL_get_session call, not the wolfSSL_get1_session that
would avoid/work around the problem.

Wolfssl should get bumped to 5.1.1 despite the API/ABI/soname change.

Cheers

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel


[openwrt] Patch notification: 1 patch updated

2022-02-17 Thread Patchwork
Hello,

The following patch (submitted by you) has been updated in Patchwork:

 * openwrt: arc770: update kernel version to 5.10
 - 
http://patchwork.ozlabs.org/project/openwrt/patch/mailman.11570.1635883327.1923571.openwrt-de...@lists.openwrt.org/
 - for: OpenWrt development
was: New
now: Not Applicable

This email is a notification only - you do not need to respond.

Happy patchworking.

--

This is an automated mail sent by the Patchwork system at
patchwork.ozlabs.org. To stop receiving these notifications, edit
your mail settings at:
  http://patchwork.ozlabs.org/mail/



[PATCH 19.07] wolfssl: bump to 5.1.1-stable

2022-02-17 Thread Petr Štetiar
This is an amalgamation of backported changes since the 4.7.0-stable release:

 Sergey V. Lobanov (2):

  5b13b0b02c70 wolfssl: update to 5.1.1-stable
  7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support

 Andre Heider (3):

  3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
  249478ec4850 wolfssl: always build with --enable-reproducible-build
  4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

 Ivan Pavlov (1):

  16414718f9ae wolfssl: update to 4.8.1-stable

 David Bauer (1):

  f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng

 Christian Lamparter (1):

  86801bd3d806 wolfssl: fix Ed25519 typo in config prompt

The diff of security-related changes we would need to backport would be
so huge that there would be a high probability of introducing new
vulnerabilities, so it was decided that bumping to the latest stable
release is the preferred way of fixing the following security issues:

 * OCSP request/response verification issue. (fixed in 4.8.0)
 * Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
 * Issue with incorrectly validating a certificate (fixed in 5.0.0)
 * Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
 * Client side session resumption issue (fixed in 5.1.0)
 * Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
 * Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)

Cc: Hauke Mehrtens 
Cc: Eneas U de Queiroz 
Signed-off-by: Petr Štetiar 
---
 package/libs/wolfssl/Config.in|  6 ++-
 package/libs/wolfssl/Makefile | 23 ++---
 .../patches/100-disable-hardening-check.patch |  2 +-
 .../patches/110-build-with-libtool-2.4.patch  | 13 +
 .../libs/wolfssl/patches/200-ecc-rng.patch| 50 +++
 5 files changed, 86 insertions(+), 8 deletions(-)
 create mode 100644 package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
 create mode 100644 package/libs/wolfssl/patches/200-ecc-rng.patch

diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in
index 4ac69f821a3d..99ceb6c4630e 100644
--- a/package/libs/wolfssl/Config.in
+++ b/package/libs/wolfssl/Config.in
@@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS
default y
 
 config WOLFSSL_HAS_ECC25519
-   bool "Include ECC Curve 22519 support"
+   bool "Include ECC Curve 25519 support"
default n
 
+config WOLFSSL_ALT_NAMES
+   bool "Include SAN (Subject Alternative Name) support"
+   default y
+
 config WOLFSSL_HAS_DEVCRYPTO
bool
 
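Review bot: the new WOLFSSL_ALT_NAMES symbol breaks the naming convention of the surrounding options (WOLFSSL_HAS_ECC25519, WOLFSSL_HAS_DEVCRYPTO, WOLFSSL_HAS_WPAS all carry the WOLFSSL_HAS_ prefix); consider `config WOLFSSL_HAS_ALT_NAMES` and rename the Makefile references to match. The "22519" -> "25519" prompt fix bundled into the same hunk is an unrelated typo correction that would be easier to audit as its own commit in a security backport.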
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 57fcaa03b2e2..de6b707b952d 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=4.7.0-stable
+PKG_VERSION:=5.1.1-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31
+PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
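Review bot: the PKG_HASH change cannot be verified from the hunk itself; before merging, confirm that d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92 is the SHA-256 of the v5.1.1-stable archive actually fetched from PKG_SOURCE_URL, since a version bump that also replaces the hash is exactly where a wrong or tampered tarball would go unnoticed. Keeping PKG_RELEASE:=1 alongside the PKG_VERSION bump is correct.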
@@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\
CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \
CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \
CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \
-   CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS
+   CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS 
CONFIG_WOLFSSL_ALT_NAMES
 
 include $(INCLUDE_DIR)/package.mk
 
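Review bot: the + line adding CONFIG_WOLFSSL_ALT_NAMES looks mail-wrapped (trailing space after CONFIG_WOLFSSL_HAS_WPAS, with the new symbol on a line of its own), so the patch as posted may not apply with `git am`; make sure the committed line reads `CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES` as a single line. Keeping the new symbol in PKG_CONFIG_DEPENDS is right, otherwise toggling it would not trigger a rebuild.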
@@ -44,7 +44,7 @@ define Package/libwolfssl
   MENU:=1
   PROVIDES:=libcyassl
   DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev 
+WOLFSSL_HAS_AFALG:kmod-crypto-user
-  ABI_VERSION:=24
+  ABI_VERSION:=30
 endef
 
 define Package/libwolfssl/description
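Review bot: ABI_VERSION jumping from 24 to 30 means every 19.07 package linked against libwolfssl (the thread names hostapd and libcurl as consumers) has to be rebuilt against the new soname; the commit message should state the ABI bump explicitly so release builders expect the dependency rebuild instead of discovering it as a missing-library failure at runtime.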
@@ -56,13 +56,24 @@ define Package/libwolfssl/config
source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer
+TARGET_CFLAGS += \
+   $(FPIC) \
+   -fomit-frame-pointer \
+   -flto \
+   -DFP_MAX_BITS=8192 \
+   $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES)
+
+TARGET_LDFLAGS += -flto
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
+   --enable-reproducible-build \
+   --enable-opensslall \
--enable-opensslextra \
--enable-sni \
--enable-stunnel \
+   --enable-altcertchains \
+   --disable-crypttests \
--disable-examples \
--disable-jobserver \
--$(if $(CONFIG_IPV6),enable,disable)-ipv6 \
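Review bot: adding -flto to both TARGET_CFLAGS and TARGET_LDFLAGS is a build-system change unrelated to the security fixes this backport is about, and it enlarges the risk of the change on the 19.07 toolchain; either justify it in the commit message or split it into its own commit. Likewise --enable-opensslall enables the full OpenSSL compatibility layer on top of the existing --enable-opensslextra, which is a noticeably larger exposed API surface; say which consumer needs it. The new --enable-reproducible-build and --disable-crypttests flags are fine, but they too deserve a line each in the message.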
@@ -88,7 +99,7 @@ endif
 
 ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y)
 CONFIGURE_ARGS += \
-   --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath
+   --enable-wpas --enable-fortress --enable-fastmath
 endif
 
 define Build/InstallDev
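Review bot: dropping --enable-sha512 from the WPAS configure line relies on SHA-512 being built by default in 5.1.1-stable, and the hunk gives no evidence of that; hostapd/wpa_supplicant built with CONFIG_WOLFSSL_HAS_WPAS may depend on it. A note in the commit message citing the upstream default, or a check of the generated options.h after configure, would make the removal reviewable.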
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch 

Re: [PATCH] firewall3: remove unnecessary fw3_has_table

2022-02-17 Thread Ansuel Smith
>
> Hi, guys,
>
> On Fri, 11 Feb 2022 at 19:12, Wenli Looi  wrote:
> >
> > Sorry, forgot to reply all
> >
> > On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi  wrote:
> > >
> > > Hi Rui,
> > >
> > > Yes, I believe it still works. Every place where fw3_has_table is
> > > called, we check immediately after if fw3_ipt_open succeeds, which
> > > makes fw3_has_table superfluous?
> > >
> > > I added a few print statements to fw3_ipt_open to check the case you 
> > > mentioned:
> > >
> > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open FAILED for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open FAILED for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
> > > root@OpenWrt:~# opkg install kmod-ipt-raw
> > > Installing kmod-ipt-raw (5.10.96-1) to root...
> > > Downloading 
> > > https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > > Configuring kmod-ipt-raw.
> > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open SUCCESS for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
> > > fw3_ipt_open SUCCESS for v4 filter
> > > fw3_ipt_open SUCCESS for v4 nat
> > > fw3_ipt_open SUCCESS for v4 mangle
> > > fw3_ipt_open SUCCESS for v4 raw
> > > fw3_ipt_open FAILED for v6 filter
> > > fw3_ipt_open FAILED for v6 nat
> > > fw3_ipt_open FAILED for v6 mangle
> > > fw3_ipt_open FAILED for v6 raw
>
> Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
> I've reverted your fix [2], tested it on 5.10 and had no regressions.
> If it also works fine on 5.15, it's definitely a more elegant
> solution.

Sure I will test this today and give a response ASAP.

>
> [1] 
> https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wl...@ucalgary.ca/
> [2] 
> https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9
>
> Thanks in advance,
> Rui



Re: [PATCH] firewall3: remove unnecessary fw3_has_table

2022-02-17 Thread Rui Salvaterra
Hi, guys,

On Fri, 11 Feb 2022 at 19:12, Wenli Looi  wrote:
>
> Sorry, forgot to reply all
>
> On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi  wrote:
> >
> > Hi Rui,
> >
> > Yes, I believe it still works. Every place where fw3_has_table is
> > called, we check immediately after if fw3_ipt_open succeeds, which
> > makes fw3_has_table superfluous?
> >
> > I added a few print statements to fw3_ipt_open to check the case you 
> > mentioned:
> >
> > root@OpenWrt:~# fw3 restart 2>/dev/null
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open FAILED for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open FAILED for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > root@OpenWrt:~# opkg install kmod-ipt-raw
> > Installing kmod-ipt-raw (5.10.96-1) to root...
> > Downloading 
> > https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > Configuring kmod-ipt-raw.
> > root@OpenWrt:~# fw3 restart 2>/dev/null
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open SUCCESS for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open SUCCESS for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw

Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
I've reverted your fix [2], tested it on 5.10 and had no regressions.
If it also works fine on 5.15, it's definitely a more elegant
solution.

[1] 
https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wl...@ucalgary.ca/
[2] 
https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9

Thanks in advance,
Rui



Re: OpenWrt 21.02 and 19.07 minor release

2022-02-17 Thread Josef Schlehofer

Hello guys,

On 14. 02. 22 21:00, Hauke Mehrtens wrote:

> Is there anything else missing?

I am not sure whether I am late to this discussion, but would it be
possible to get 802.11ax support for rpcd [1] backported there? This is
required to detect ax modes and more HT modes for the mini PCIe Wi-Fi card
MT7915E 802.11ax PCI Express Wireless Network Adapter. It can be
reproduced before and after applying the PR by using the following commands:

a) iwinfo device htmodelist

b) ubus call iwinfo info '{"device":"radio2"}'

Tested on Turris Omnia/mvebu.

[1] https://github.com/openwrt/openwrt/pull/5043

Regards,

Josef
