Package: wolfssl / 4.6.0+p1-0+deb11u2

Metadata

Package Version Patches format
wolfssl 4.6.0+p1-0+deb11u2 3.0 (quilt)

Patch series

view the series file
Patch File delta Description
wolfssl callbacks sanity check.patch | (download)

examples/client/client.c | 4 4 + 0 - 0 !
examples/server/server.c | 4 4 + 0 - 0 !
src/internal.c | 87 51 + 36 - 0 !
src/tls13.c | 23 12 + 11 - 0 !
wolfssl/internal.h | 3 2 + 1 - 0 !
wolfssl/test.h | 20 20 + 0 - 0 !
6 files changed, 93 insertions(+), 48 deletions(-)

 
 pr 5682: cve-2022-42905
 additional sanity checks on debug callback
tls13 cipher suites.patch | (download)

src/internal.c | 13 13 + 0 - 0 !
src/ssl.c | 3 3 + 0 - 0 !
src/tls13.c | 36 29 + 7 - 0 !
3 files changed, 45 insertions(+), 7 deletions(-)

 
 pr 5588: cve-2022-39173
 TLSv1.3 cipher suites
 .
 Handle multiple instances of the same cipher suite being in the server's
 list.
 Fix client order negotiation of cipher suite when doing pre-shared keys.
 .
 wolfSSL_clear: check return from InitSSL_Suites() call.
 TLS13: check ClientHello cipher suite length is even.
 Silently remove duplicate cipher suites from user input.
 Add tests of duplicate cipher suite removal.
add WOLFSSL_CHECK_SIG_FAULTS macro.patch | (download)

src/internal.c | 70 62 + 8 - 0 !
src/tls13.c | 19 18 + 1 - 0 !
2 files changed, 80 insertions(+), 9 deletions(-)

 
 pr 5498: cve-2022-42961
 Check ECC signature in TLS
 .
 Verifying gnerated ECC signature in TLS handshake code to mitigate when
 an attacker can gain knowledge of the private key through fault
 injection in the signing process.
 Requires WOLFSSL_CHECK_SIG_FAULTS to be defined.
no build path in library.patch | (download)

wolfcrypt/src/logging.c | 10 0 + 10 - 0 !
1 file changed, 10 deletions(-)

 
 do not store build path in library
 Storing the build path as part of the '-ffile-prefix-map' option [1]
 in the library breaks reproducible builds. This patch drops the two
 strings so that the two involved functions now return NULL.
 .
 The consequence of the build option here is somewhat ironic because
 it was originally intended to improve reproducible builds. [2]
 .
 A better solution might be to replace the path with a fixed string
 like the literal "BUILD_PATH". That would allow a debugging party to
 recognize that the option was used without rendering the library
 non-reproducible.
 .
 Since Lintian spotted the issue [3], Debian's downstream tooling
 could likely replace the path with ease, but that would not address
 related problems in other distributions, such as in NixOS. [4]
 .
 Libtool's '.la' file and the 'wolfssl-config' script may also
 include the build path, but neither ships in Debian. It is
 furthermore not clear that those files are needed in any distribution
 that offers dynamic symbol resolution via 'ldd' and automatic build
 options via 'pkg-config'. It may therefore not be necessary to remove
 the build path from those files.
 .
 [1] https://gcc.gnu.org/onlinedocs/gcc/Debugging-Options.html
 [2] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70268#c7
 [3] https://github.com/NixOS/nixpkgs/pull/111687#issuecomment-772694125
 [4] https://github.com/NixOS/nixpkgs/pull/111687#issuecomment-773881191
utf8.patch | (download)

cyassl/ctaocrypt/tfm.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 convert a source file to utf-8 encoding.
multi arch.patch | (download)

configure.ac | 6 6 + 0 - 0 !
1 file changed, 6 insertions(+)

 
 make header files multi-arch compatible
 Exclude architecture dependent option HAVE___UINT128 from config.h
reproducible build.patch | (download)

configure.ac | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 
 make the build reproducible
 Acceptance of this patch was declined by John Safranek after the conversation
 documented in the Zendesk support request. The upshot was that, in balance,
 it is easier to maintain the Debian patch.
improve clean target.patch | (download)

cyassl/include.am | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 
 fix clean target for repeated builds
dfsg.patch | (download)

Makefile.am | 19 0 + 19 - 0 !
1 file changed, 19 deletions(-)

 
 strike references to removed non-dfsg sources from build files
fix hurd i386 flags.patch | (download)

wolfssl/test.h | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 fix type definition for socklen_t on hurd-i386
 Based on http://bugs.mysql.com/bug.php?id=22326
turn off fastmath for amd64.patch | (download)

configure.ac | 4 0 + 4 - 0 !
1 file changed, 4 deletions(-)

 
 turn off fastmath for amd64, where it is default
 Enabling fastmath just for amd64 causes the shared library symbols to
 become architecture-dependent.
disable crl monitor.patch | (download)

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 disable crl monitor on all architectures
 CRL monitor is unavailable on Debian architecture kFreeBSD, causes FTBFS
disable jobserver.patch | (download)

configure.ac | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 
 disable job server for autopkgtest.
 The Debian CI system kept showing regressions for using multiple make jobs:
 .
     FAIL stderr: make[2]: warning: -j3 forced in submake: resetting jobserver mode.
 .
 Perhaps this will disable the jobserver.
cve 2023 3724.patch | (download)

src/tls.c | 3 3 + 0 - 0 !
src/tls13.c | 16 14 + 2 - 0 !
wolfssl/internal.h | 3 3 + 0 - 0 !
3 files changed, 20 insertions(+), 2 deletions(-)

 
---