Merge pull request #148 from expressvpn/wolfssl-patches

wolfssl: add wolfssl patches
expressvpn · Nov 22, 2023 · 1bb55f8 · 1bb55f8
2 parents e508dfe + 50c6079
commit 1bb55f8
Show file tree

Hide file tree

Showing 15 changed files with 796 additions and 1 deletion.
diff --git a/android.yml b/android.yml
@@ -36,6 +36,7 @@
         - C_EXTRA_FLAGS= -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DFP_MAX_BITS=8192 -fomit-frame-pointer -DWOLFSSL_NO_SPHINCS
         - LIBS=-llog -landroid
       :build:
+        - git apply ../../wolfssl/*.patch
         - autoreconf -i
         - ./configure $CROSS_OPTS C_EXTRA_FLAGS="$C_EXTRA_FLAGS" --prefix=$(pwd)/../builds/wolfssl_build $HE_WOLFSSL_CONF_FLAGS --with-liboqs=$(pwd)/../liboqs/build --disable-crypttests
         - make

diff --git a/ios.yml b/ios.yml
@@ -34,6 +34,7 @@
         :tag: $HE_WOLFSSL_TAG
       :build:
         # For some reason this attempts to run twice as a result the git apply will fail the second time
+        - git apply ../../wolfssl/*.patch || true
         - autoreconf -i
         - "cp ../../ios/autotools-ios-helper.sh ./autotools-ios-helper.sh"
         - "./autotools-ios-helper.sh -iphoneuniversal"

diff --git a/ios/autotools-ios-helper.sh b/ios/autotools-ios-helper.sh
@@ -24,7 +24,7 @@ OQS_BUILD=${OQS_BUILD:-"$(pwd)/../liboqs/build_universal"}
 
 build() {
     # Compiler options
-    export OPT_FLAGS="-O3 -fno-inline"
+    export OPT_FLAGS="-O3"
     export MAKE_JOBS="$(/usr/sbin/sysctl -n hw.ncpu)"
 
     # WolfSSL + Helium

diff --git a/linux.yml b/linux.yml
@@ -35,6 +35,7 @@
       :environment:
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DUSE_CERT_BUFFERS_4096 -DUSE_CERT_BUFFERS_256 -DWOLFSSL_NO_SPHINCS -Wno-error=stringop-overflow
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build --with-liboqs=$(pwd)/../liboqs/build --enable-aesni --enable-sp-asm --enable-intelasm"
         - "make"

diff --git a/linux_386.yml b/linux_386.yml
@@ -36,6 +36,7 @@
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -m32 -DUSE_CERT_BUFFERS_4096 -DUSE_CERT_BUFFERS_256 -DWOLFSSL_NO_SPHINCS
         - LDFLAGS= -m32
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build --with-liboqs=$(pwd)/../liboqs/build --disable-asm --disable-sp-asm --disable-intelasm"
         - "make"

diff --git a/linux_arm.yml b/linux_arm.yml
@@ -35,6 +35,7 @@
       :environment:
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DUSE_CERT_BUFFERS_4096 -DUSE_CERT_BUFFERS_256 -DWOLFSSL_NO_ATOMICS -DWOLFSSL_NO_SPHINCS
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure --host=$CROSS_COMPILE $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build --with-liboqs=$(pwd)/../liboqs/build"
         - "make"

diff --git a/linux_arm64.yml b/linux_arm64.yml
@@ -35,6 +35,7 @@
       :environment:
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DUSE_CERT_BUFFERS_4096 -DUSE_CERT_BUFFERS_256 -DWOLFSSL_NO_ATOMICS -DWOLFSSL_NO_SPHINCS
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure --host=$CROSS_COMPILE $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build --with-liboqs=$(pwd)/../liboqs/build --enable-sp-asm --enable-armasm"
         - "make"

diff --git a/linux_arm_no_pqc.yml b/linux_arm_no_pqc.yml
@@ -26,6 +26,7 @@
       :environment:
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DUSE_CERT_BUFFERS_4096 -DUSE_CERT_BUFFERS_256 -DWOLFSSL_NO_ATOMICS -DWOLFSSL_NO_SPHINCS
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure --host=$CROSS_COMPILE $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build"
         - "make"

diff --git a/macos.yml b/macos.yml
@@ -38,6 +38,7 @@
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -target x86_64-apple-darwin -DWOLFSSL_NO_SPHINCS
         - CC=clang
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure --host=x86_64-apple-darwin $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build --with-liboqs=$(pwd)/../liboqs/build --enable-aesni --enable-sp-asm --enable-intelasm"
         - "make"

diff --git a/macos_arm64.yml b/macos_arm64.yml
@@ -38,6 +38,7 @@
         - CFLAGS=-O3 -fPIC -D_FORTIFY_SOURCE=2 -DWOLFSSL_MIN_RSA_BITS=2048 -DWOLFSSL_MIN_ECC_BITS=256 -DFP_MAX_BITS=8192 -target arm64-apple-darwin -DWOLFSSL_NO_SPHINCS
         - CC=clang
       :build:
+        - git apply ../../wolfssl/*.patch
         - "autoreconf -i"
         - "./configure --host=aarch64-apple-darwin $HE_WOLFSSL_CONF_FLAGS --prefix=$(pwd)/../builds/wolfssl_build --with-liboqs=$(pwd)/../liboqs/build --enable-sp-asm --enable-armasm"
         - "make"

diff --git a/tvos.yml b/tvos.yml
@@ -33,6 +33,7 @@
         :source: $HE_WOLFSSL_SOURCE
         :tag: $HE_WOLFSSL_TAG
       :build:
+        - git apply ../../wolfssl/*.patch
         - autoreconf -i
         - cp ../../ios/autotools-ios-helper.sh ./autotools-ios-helper.sh
         - PREFIX=$(pwd)/../builds/wolfssl_tvos ./autotools-ios-helper.sh -appletvuniversal

diff --git a/windows_32.yml b/windows_32.yml
@@ -27,6 +27,8 @@
         :source: "%HE_WOLFSSL_SOURCE%"
         :tag: "%HE_WOLFSSL_TAG%"
       :build:
+        - git apply ../../wolfssl/0001-tls-return-immediately-if-kyber_id2type-fails.patch
+        - git apply ../../wolfssl/0002-SP-ARM64-P-256-mark-functions-as-SP_NOINLINE.patch
         - "cp ../../windows/wolfssl-user_settings-32.h wolfssl/user_settings.h"
         - "cp -f ../../windows/wolfssl-user_settings-32.h IDE/WIN/user_settings.h"
         - "cp -f ../../windows/wolfssl.vcxproj ./wolfssl.vcxproj"

diff --git a/windows_64.yml b/windows_64.yml
@@ -27,6 +27,8 @@
         :source: "%HE_WOLFSSL_SOURCE%"
         :tag: "%HE_WOLFSSL_TAG%"
       :build:
+        - git apply ../../wolfssl/0001-tls-return-immediately-if-kyber_id2type-fails.patch
+        - git apply ../../wolfssl/0002-SP-ARM64-P-256-mark-functions-as-SP_NOINLINE.patch
         - "cp ../../windows/wolfssl-user_settings-64.h wolfssl/user_settings.h"
         - "cp -f ../../windows/wolfssl-user_settings-64.h IDE/WIN/user_settings.h"
         - "cp -f ../../windows/wolfssl.vcxproj ./wolfssl.vcxproj"

diff --git a/wolfssl/0001-tls-return-immediately-if-kyber_id2type-fails.patch b/wolfssl/0001-tls-return-immediately-if-kyber_id2type-fails.patch
@@ -0,0 +1,38 @@
+From b55443bb5f12c5ef99fe0307bcd0702b3817debe Mon Sep 17 00:00:00 2001
+From: res0nance <[email protected]>
+Date: Sat, 18 Nov 2023 15:41:47 +0800
+Subject: [PATCH 1/2] tls: return immediately if kyber_id2type() fails
+
+This prevents a crash as ecc_key is not initialized but the
+free function is still called.
+
+(cherry picked from commit 98789dc000eed2e4128c4f3e44929cef4bf711ca)
+---
+ src/tls.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tls.c b/src/tls.c
+index 9a42a3912..eaa06a18b 100644
+--- a/src/tls.c
++++ b/src/tls.c
+@@ -8396,7 +8396,7 @@ static int TLSX_KeyShare_ProcessPqc(WOLFSSL* ssl, KeyShareEntry* keyShareEntry)
+     ret = kyber_id2type(oqs_group, &type);
+     if (ret != 0) {
+         WOLFSSL_MSG("Invalid OQS algorithm specified.");
+-        ret = BAD_FUNC_ARG;
++        return BAD_FUNC_ARG;
+     }
+     if (ret == 0) {
+         ret = wc_KyberKey_Init(type, kem, ssl->heap, INVALID_DEVID);
+@@ -8887,7 +8887,7 @@ static int server_generate_pqc_ciphertext(WOLFSSL* ssl,
+     ret = kyber_id2type(oqs_group, &type);
+     if (ret != 0) {
+         WOLFSSL_MSG("Invalid Kyber algorithm specified.");
+-        ret = BAD_FUNC_ARG;
++        return BAD_FUNC_ARG;
+     }
+
+     if (ret == 0) {
+-- 
+2.43.0
+