From: David Bauer
Date: Mon, 3 May 2021 22:53:18 +0000 (+0200)
Subject: wolfssl: disable hardening
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=9c900fd03f7a58e09c5a88001a4278077fe956fc;p=openwrt%2Fstaging%2Fblocktrron.git

wolfssl: disable hardening

OWE with hostapd versions compiled using wolfssl are currently broken. Clients receive Association Rejects when attempting to connect to the AP.

This is due to WolfSSL returning MISSING_RNG_E in wc_ecc_shared_secret_gen_sync when hardened builds are enabled, as hostapd does not provide an initialized rng with the ecc key.

Other approaches would be to patch out enabling ECC_TIMING_RESISTANT on a hardened build or patching hostapd to store the rng with the ECC key.

However, it looks like there is no interface in WolfSSL to store the rng regardless of whether or not hardened builds are enabled. So the latter solution would probably also end up being a downstream patch unless someone implements such an interface in WolfSSL.

FWIW it looks like this is broken since at least commit 6467de5a8840 ("Randomize z ordinates in scalar mult when timing resistant")

Run-tested: ath9k / OCEDO Raccoon

Signed-off-by: David Bauer
---
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 53cd932d1f..de30fe0065 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -70,6 +70,7 @@ CONFIGURE_ARGS += \ --enable-stunnel \ --disable-crypttests \ --disable-examples \ + --disable-harden \ --disable-jobserver \ --$(if $(CONFIG_IPV6),enable,disable)-ipv6 \ --$(if $(CONFIG_WOLFSSL_HAS_AES_CCM),enable,disable)-aesccm \
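
Review bot: the added `--disable-harden` in CONFIGURE_ARGS is unconditional, unlike the `$(if $(CONFIG_...),enable,disable)` entries that follow it, so every consumer of this wolfSSL package loses the hardened build, including the ECC_TIMING_RESISTANT behaviour the commit message names, and not only hostapd's OWE path. The commit message already lists a narrower option (patching out ECC_TIMING_RESISTANT alone); if the broad switch stays, the Makefile should say why, since nothing in the hunk records that this is a workaround for hostapd not supplying an rng with the ECC key or when it can be reverted. A short comment above the CONFIGURE_ARGS block naming the hostapd/OWE breakage would keep the flag from outliving the problem. The visible hunk also carries no package release bump, so it is worth checking that installed builds will actually pick up the changed configuration.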