Re: [PATCH 19.07 v2 0/3] wolfssl security updates
On Mon, Feb 14, 2022 at 10:16 PM Luiz Angelo Daros de Luca wrote:
> Sure. And I do have interest in getting it fixed.

I've done most of the work here:
https://github.com/cotequeiroz/openwrt/tree/wolfssl-4.7.0-backport

However, I got stuck with this issue, about MitM attack when the client-side resumption cache is full:
https://www.cybersecurity-help.cz/vulnerabilities/59103/

The patch for it is over 1,500 lines, and I would not be so confident that backporting changes in many places will not create a new problem.
https://github.com/wolfSSL/wolfssl/commit/569c066fabbddd59e407ff5cf6be8156149df69a

libcurl and hostapd use client-side session resumption, so openwrt is possibly impacted. I don't know if the session cache can get filled by hostapd or not, but with libcurl, anything is possible. They both use the wolfSSL_get_session call, not the wolfSSL_get1_session that would avoid/work around the problem.

Wolfssl should get bumped to 5.1.1 despite the API/ABI/soname change.

Cheers

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
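The distinction the reply above draws between wolfSSL_get_session (a pointer into the library's own resumption cache) and wolfSSL_get1_session (a copy the caller owns) is easiest to see on a toy model. The C below is an added example and is not wolfSSL or OpenWrt code: the toy_session type, the two-slot cache, the toy_get_session/toy_get1_session accessors and the peer names are constructed stand-ins for the two API styles, and nothing here reproduces wolfSSL's actual cache logic. It shows the defender's point: a handle borrowed from a bounded cache stops describing the session it was taken from once the cache fills and the slot is recycled, while an owned copy keeps describing it, so the pre-resumption check passes for the copy and fails for the borrowed pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CACHE_SLOTS 2   /* tiny on purpose so the cache fills after two peers */
#define ID_LEN 8

/* Hypothetical session record; stands in for a library's cached session. */
typedef struct {
    char peer[32];            /* host the session was negotiated with */
    unsigned char id[ID_LEN]; /* session ID, constructed sample bytes */
    int in_use;
} toy_session;

/* The library-owned cache: fixed size, oldest slot recycled when full. */
static toy_session cache[CACHE_SLOTS];
static unsigned next_slot;

static void cache_reset(void)
{
    memset(cache, 0, sizeof cache);
    next_slot = 0;
}

/* Record a freshly negotiated session. When every slot is taken, the oldest
 * one is silently overwritten; that is what turns a borrowed pointer stale. */
static toy_session *cache_store(const char *peer, const unsigned char *id)
{
    toy_session *s = &cache[next_slot % CACHE_SLOTS];
    next_slot++;
    memset(s, 0, sizeof *s);
    snprintf(s->peer, sizeof s->peer, "%s", peer);
    memcpy(s->id, id, ID_LEN);
    s->in_use = 1;
    return s;
}

/* get()-style accessor: hands back the cache slot itself (borrowed). */
static toy_session *toy_get_session(toy_session *negotiated)
{
    return negotiated;
}

/* get1()-style accessor: hands back a heap copy the caller owns and frees. */
static toy_session *toy_get1_session(const toy_session *negotiated)
{
    toy_session *copy = malloc(sizeof *copy);
    if (copy != NULL)
        *copy = *negotiated;
    return copy;
}

/* Before resuming, check that the handle still describes the peer we think
 * it does; resuming with another peer's session data must not proceed. */
static int handle_matches(const toy_session *h, const char *peer,
                          const unsigned char *id)
{
    return h != NULL && h->in_use && strcmp(h->peer, peer) == 0 &&
           memcmp(h->id, id, ID_LEN) == 0;
}

static const unsigned char ID_BANK[ID_LEN]  = {1, 1, 1, 1, 1, 1, 1, 1}; /* constructed */
static const unsigned char ID_OTHER[ID_LEN] = {2, 2, 2, 2, 2, 2, 2, 2}; /* constructed */

/* Scenario: keep a handle for bank.example, talk to enough other peers to fill
 * the cache, then check whether the kept handle still belongs to bank.example.
 * Returns 1 when the handle has gone stale. */
int borrowed_handle_is_stale(void)
{
    toy_session *h;
    cache_reset();
    h = toy_get_session(cache_store("bank.example", ID_BANK));
    cache_store("cdn.example", ID_OTHER);
    cache_store("ads.example", ID_OTHER); /* cache full: bank's slot is reused */
    return !handle_matches(h, "bank.example", ID_BANK);
}

int owned_handle_is_stale(void)
{
    toy_session *h;
    int stale;
    cache_reset();
    h = toy_get1_session(cache_store("bank.example", ID_BANK));
    cache_store("cdn.example", ID_OTHER);
    cache_store("ads.example", ID_OTHER); /* cache churn does not touch the copy */
    stale = !handle_matches(h, "bank.example", ID_BANK);
    free(h);
    return stale;
}

int main(void)
{
    printf("borrowed handle stale after cache fill: %d\n", borrowed_handle_is_stale());
    printf("owned handle stale after cache fill:    %d\n", owned_handle_is_stale());
    return 0;
}
```

The peer-and-ID check in handle_matches is the part worth carrying into real code: whatever the library's accessor returns, a client should verify the session it is about to resume still belongs to the host it is connecting to, and should prefer the owning accessor (wolfSSL_get1_session, freed with the library's session free routine) when the handle outlives a single connection.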
[openwrt] Patch notification: 1 patch updated
Hello,

The following patch (submitted by you) has been updated in Patchwork:

* openwrt: arc770: update kernel version to 5.10
  - http://patchwork.ozlabs.org/project/openwrt/patch/mailman.11570.1635883327.1923571.openwrt-de...@lists.openwrt.org/
  - for: OpenWrt development
    was: New
    now: Not Applicable

This email is a notification only - you do not need to respond.

Happy patchworking.

--
This is an automated mail sent by the Patchwork system at patchwork.ozlabs.org. To stop receiving these notifications, edit your mail settings at: http://patchwork.ozlabs.org/mail/
[PATCH 19.07] wolfssl: bump to 5.1.1-stable
This is an amalgamation of backported changes since 4.7.0-stable release:

Sergey V. Lobanov (2):
  5b13b0b02c70 wolfssl: update to 5.1.1-stable
  7d376e6e528f libs/wolfssl: add SAN (Subject Alternative Name) support

Andre Heider (3):
  3f8adcb215ed wolfssl: remove --enable-sha512 configure switch
  249478ec4850 wolfssl: always build with --enable-reproducible-build
  4b212b1306a9 wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

Ivan Pavlov (1):
  16414718f9ae wolfssl: update to 4.8.1-stable

David Bauer (1):
  f6d8c0cf2b47 wolfssl: always export wc_ecc_set_rng

Christian Lamparter (1):
  86801bd3d806 wolfssl: fix Ed25519 typo in config prompt

The diff of security related changes we would need to backport would be so huge that there would be a high probability of introducing new vulnerabilities, so it was decided that bumping to the latest stable release is the preferred way for fixing the following security issues:

* OCSP request/response verification issue. (fixed in 4.8.0)
* Incorrectly skips OCSP verification in certain situations CVE-2021-38597 (fixed in 4.8.1)
* Issue with incorrectly validating a certificate (fixed in 5.0.0)
* Hang with DSA signature creation when a specific q value is used (fixed in 5.0.0)
* Client side session resumption issue (fixed in 5.1.0)
* Potential for DoS attack on a wolfSSL client CVE-2021-44718 (fixed in 5.1.0)
* Non-random IV values in certain situations CVE-2022-23408 (fixed in 5.1.1)

Cc: Hauke Mehrtens
Cc: Eneas U de Queiroz
Signed-off-by: Petr Štetiar
---
 package/libs/wolfssl/Config.in                  |  6 ++-
 package/libs/wolfssl/Makefile                   | 23 ++---
 .../patches/100-disable-hardening-check.patch   |  2 +-
 .../patches/110-build-with-libtool-2.4.patch    | 13 +
 .../libs/wolfssl/patches/200-ecc-rng.patch      | 50 +++
 5 files changed, 86 insertions(+), 8 deletions(-)
 create mode 100644 package/libs/wolfssl/patches/110-build-with-libtool-2.4.patch
 create mode 100644 package/libs/wolfssl/patches/200-ecc-rng.patch
diff --git a/package/libs/wolfssl/Config.in b/package/libs/wolfssl/Config.in index 4ac69f821a3d..99ceb6c4630e 100644 --- a/package/libs/wolfssl/Config.in +++ b/package/libs/wolfssl/Config.in @@ -44,9 +44,13 @@ config WOLFSSL_HAS_WPAS default y config WOLFSSL_HAS_ECC25519 - bool "Include ECC Curve 22519 support" + bool "Include ECC Curve 25519 support" default n +config WOLFSSL_ALT_NAMES + bool "Include SAN (Subject Alternative Name) support" + default y + config WOLFSSL_HAS_DEVCRYPTO bool diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 57fcaa03b2e2..de6b707b952d 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=4.7.0-stable +PKG_VERSION:=5.1.1-stable PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION) -PKG_HASH:=b0e740b31d4d877d540ad50cc539a8873fc41af02bd3091c4357b403f7106e31 +PKG_HASH:=d3e0544dbe7e9587c0f6538cdc671b6492663bb7a4281819538abe6c99cdbd92 PKG_FIXUP:=libtool PKG_INSTALL:=1 @@ -31,7 +31,7 @@ PKG_CONFIG_DEPENDS:=\ CONFIG_WOLFSSL_HAS_DH CONFIG_WOLFSSL_HAS_DTLS \ CONFIG_WOLFSSL_HAS_ECC25519 CONFIG_WOLFSSL_HAS_OCSP \ CONFIG_WOLFSSL_HAS_SESSION_TICKET CONFIG_WOLFSSL_HAS_TLSV10 \ - CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS + CONFIG_WOLFSSL_HAS_TLSV13 CONFIG_WOLFSSL_HAS_WPAS CONFIG_WOLFSSL_ALT_NAMES include $(INCLUDE_DIR)/package.mk @@ -44,7 +44,7 @@ define Package/libwolfssl MENU:=1 PROVIDES:=libcyassl DEPENDS:=+WOLFSSL_HAS_DEVCRYPTO:kmod-cryptodev +WOLFSSL_HAS_AFALG:kmod-crypto-user - ABI_VERSION:=24 + ABI_VERSION:=30 endef define Package/libwolfssl/description 
@@ -56,13 +56,24 @@ define Package/libwolfssl/config source "$(SOURCE)/Config.in" endef -TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer +TARGET_CFLAGS += \ + $(FPIC) \ + -fomit-frame-pointer \ + -flto \ + -DFP_MAX_BITS=8192 \ + $(if $(CONFIG_WOLFSSL_ALT_NAMES),-DWOLFSSL_ALT_NAMES) + +TARGET_LDFLAGS += -flto # --enable-stunnel needed for OpenSSL API compatibility bits CONFIGURE_ARGS += \ + --enable-reproducible-build \ + --enable-opensslall \ --enable-opensslextra \ --enable-sni \ --enable-stunnel \ + --enable-altcertchains \ + --disable-crypttests \ --disable-examples \ --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \ @@ -88,7 +99,7 @@ endif ifeq ($(CONFIG_WOLFSSL_HAS_WPAS),y) CONFIGURE_ARGS += \ - --enable-wpas --enable-sha512 --enable-fortress --enable-fastmath + --enable-wpas --enable-fortress --enable-fastmath endif define Build/InstallDev diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
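Review bot: in the Config.in hunk the new symbol `WOLFSSL_ALT_NAMES` breaks the naming pattern of its neighbours (`WOLFSSL_HAS_WPAS`, `WOLFSSL_HAS_ECC25519`, `WOLFSSL_HAS_DEVCRYPTO`); unless the name must match the 21.02/master option for backport consistency, `WOLFSSL_HAS_ALT_NAMES` would keep the menu and `PKG_CONFIG_DEPENDS` consistent, and whichever name is chosen should be used in both the `PKG_CONFIG_DEPENDS` and `TARGET_CFLAGS` hunks of the Makefile.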
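Review bot: the `ABI_VERSION:=24` to `ABI_VERSION:=30` change in the `define Package/libwolfssl` hunk renames the binary package and the installed library, so every 19.07 package linked against libwolfssl (hostapd and libcurl are named on this thread) needs a rebuild and a `PKG_RELEASE` bump to pick up the new ABI; the commit message should state this and list the dependents that were rebuilt and tested, since a stale dependent on an upgraded system is exactly the failure mode a stable-branch security bump must avoid.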
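Review bot: the `TARGET_CFLAGS`/`CONFIGURE_ARGS` hunk adds `-flto` (to both `TARGET_CFLAGS` and `TARGET_LDFLAGS`), `--enable-opensslall` and `--disable-crypttests`, none of which is covered by the six backported commits listed in the message (only `--enable-reproducible-build`, the SAN define and `--enable-altcertchains` are). For a security backport to a stable branch, enabling LTO is a toolchain-wide behaviour change and disabling the crypto self-tests removes a check worth keeping on a version bump; either drop these three from the 19.07 version or name the upstream commit each one comes from in the message so reviewers can see they were tested together.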
Re: [PATCH] firewall3: remove unnecessary fw3_has_table
> > Hi, guys,
> >
> > On Fri, 11 Feb 2022 at 19:12, Wenli Looi wrote:
> > >
> > > Sorry, forgot to reply all
> > >
> > > On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi wrote:
> > > >
> > > > Hi Rui,
> > > >
> > > > Yes, I believe it still works. Every place where fw3_has_table is
> > > > called, we check immediately after if fw3_ipt_open succeeds, which
> > > > makes fw3_has_table superfluous?
> > > >
> > > > I added a few print statements to fw3_ipt_open to check the case you
> > > > mentioned:
> > > >
> > > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open FAILED for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open FAILED for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> > > > root@OpenWrt:~# opkg install kmod-ipt-raw
> > > > Installing kmod-ipt-raw (5.10.96-1) to root...
> > > > Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > > > Configuring kmod-ipt-raw.
> > > > root@OpenWrt:~# fw3 restart 2>/dev/null
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open SUCCESS for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> > > > fw3_ipt_open SUCCESS for v4 filter
> > > > fw3_ipt_open SUCCESS for v4 nat
> > > > fw3_ipt_open SUCCESS for v4 mangle
> > > > fw3_ipt_open SUCCESS for v4 raw
> > > > fw3_ipt_open FAILED for v6 filter
> > > > fw3_ipt_open FAILED for v6 nat
> > > > fw3_ipt_open FAILED for v6 mangle
> > > > fw3_ipt_open FAILED for v6 raw
> >
> > Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
> > I've reverted your fix [2], tested it on 5.10 and had no regressions.
> > If it also works fine on 5.15, it's definitely a more elegant
> > solution.

Sure I will test this today and give a response ASAP.

> > [1] https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wl...@ucalgary.ca/
> > [2] https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9
> >
> > Thanks in advance,
> > Rui
Re: [PATCH] firewall3: remove unnecessary fw3_has_table
Hi, guys,

On Fri, 11 Feb 2022 at 19:12, Wenli Looi wrote:
>
> Sorry, forgot to reply all
>
> On Fri, Feb 11, 2022 at 11:09 AM Wenli Looi wrote:
> >
> > Hi Rui,
> >
> > Yes, I believe it still works. Every place where fw3_has_table is
> > called, we check immediately after if fw3_ipt_open succeeds, which
> > makes fw3_has_table superfluous?
> >
> > I added a few print statements to fw3_ipt_open to check the case you
> > mentioned:
> >
> > root@OpenWrt:~# fw3 restart 2>/dev/null
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open FAILED for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open FAILED for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > root@OpenWrt:~# opkg install kmod-ipt-raw
> > Installing kmod-ipt-raw (5.10.96-1) to root...
> > Downloading https://downloads.openwrt.org/snapshots/targets/x86/64/kmods/5.10.96-1-d70ff298d8114a0df4de3fc8fa861191/kmod-ipt-raw_5.10.96-1_x86_64.ipk
> > Configuring kmod-ipt-raw.
> > root@OpenWrt:~# fw3 restart 2>/dev/null
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open SUCCESS for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw
> > fw3_ipt_open SUCCESS for v4 filter
> > fw3_ipt_open SUCCESS for v4 nat
> > fw3_ipt_open SUCCESS for v4 mangle
> > fw3_ipt_open SUCCESS for v4 raw
> > fw3_ipt_open FAILED for v6 filter
> > fw3_ipt_open FAILED for v6 nat
> > fw3_ipt_open FAILED for v6 mangle
> > fw3_ipt_open FAILED for v6 raw

Ansuel, mind giving Wenli's fw3 patch [1] a spin on your 5.15 setup?
I've reverted your fix [2], tested it on 5.10 and had no regressions.
If it also works fine on 5.15, it's definitely a more elegant solution.

[1] https://patchwork.ozlabs.org/project/openwrt/patch/20210610045106.285820-1-wl...@ucalgary.ca/
[2] https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=3624c3786601699b6e7f9d18209fad0d7c6fe4e9

Thanks in advance,
Rui
Re: OpenWrt 21.02 and 19.07 minor release
Hello guys,

On 14. 02. 22 21:00, Hauke Mehrtens wrote:
> Is there anything else missing?

I am not sure if I am not late to this discussion, but would it be possible to get 802.11ax support [1] for rpcd backported there? This is required to detect ax modes and more HT modes for the mini PCIe Wi-Fi card: MT7915E 802.11ax PCI Express Wireless Network Adapter.

It can be reproduced before and after applying the PR by using the following commands:

a) iwinfo device htmodelist
b) ubus call iwinfo info '{"device":"radio2"}'

Tested on Turris Omnia/mvebu.

[1] https://github.com/openwrt/openwrt/pull/5043

Regards,
Josef