
wolfssl : Bump to 5.6.3

Wolfssl is now the default in luci
RISCi_ATOM 7 months ago
parent
commit
bde078477c

+ 1 - 1
package/libs/wolfssl/Config.in

@@ -85,7 +85,7 @@ choice
 		bool "AF_ALG"
 
 	config WOLFSSL_HAS_DEVCRYPTO_CBC
-		bool "/dev/crytpo - AES-CBC-only"
+		bool "/dev/crypto - AES-CBC-only"
 		select WOLFSSL_HAS_DEVCRYPTO
 
 	config WOLFSSL_HAS_DEVCRYPTO_AES

+ 4 - 2
package/libs/wolfssl/Makefile

@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=5.5.4-stable
+PKG_VERSION:=5.6.3-stable
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
-PKG_HASH:=b7ee150e49def77c765bc02aac92ddeb0bebefd4cb12aa263d8f95e405221fb8
+PKG_HASH:=2e74a397fa797c2902d7467d500de904907666afb4ff80f6464f6efd5afb114a
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
@@ -79,6 +79,7 @@ TARGET_LDFLAGS += -flto
 # --enable-stunnel needed for OpenSSL API compatibility bits
 CONFIGURE_ARGS += \
 	--enable-reproducible-build \
+	--enable-lighty \
 	--enable-opensslall \
 	--enable-opensslextra \
 	--enable-sni \
@@ -99,6 +100,7 @@ CONFIGURE_ARGS += \
 	--$(if $(CONFIG_WOLFSSL_HAS_DTLS),enable,disable)-dtls \
 	--$(if $(CONFIG_WOLFSSL_HAS_ECC25519),enable,disable)-curve25519 \
 	--$(if $(CONFIG_WOLFSSL_HAS_AFALG),enable,disable)-afalg \
+	--$(if $(CONFIG_WOLFSSL_HAS_OPENVPN),enable,disable)-openvpn \
 	--enable-devcrypto=$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_CBC),cbc\
 			  ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_AES),aes\
 			  ,$(if $(CONFIG_WOLFSSL_HAS_DEVCRYPTO_FULL),yes,no)))
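Review bot: `CONFIG_WOLFSSL_HAS_OPENVPN` on the new `--$(if $(CONFIG_WOLFSSL_HAS_OPENVPN),enable,disable)-openvpn` line has no matching `config WOLFSSL_HAS_OPENVPN` entry in this commit's Config.in change, which only fixes a typo; unless the symbol already exists outside that hunk, the conditional always resolves to `--disable-openvpn` and the option is unreachable from menuconfig. The new `--enable-lighty` line also carries no rationale, while the neighbouring `--enable-stunnel` line is explained by the comment above the block; a one-line comment in the same style naming the consumer that needs it would keep the list reviewable. The CONFIGURE_ARGS definition continues outside both hunks.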

+ 25 - 0
package/libs/wolfssl/patches/001-fix-detection-of-cut-tool-in-configure.ac.patch

@@ -0,0 +1,25 @@
+From 41d248461bd9ad44193a4806ecb5361513e8944e Mon Sep 17 00:00:00 2001
+From: jordan <jordan@wolfssl.com>
+Date: Tue, 27 Jun 2023 13:18:25 -0500
+Subject: [PATCH] fix detection of cut tool in configure.ac
+
+---
+ configure.ac | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -8723,10 +8723,11 @@ echo "extern \"C\" {" >> $OPTION_FILE
+ echo "#endif" >> $OPTION_FILE
+ echo "" >> $OPTION_FILE
+ 
+-# check for supported command to trim option with
++# Check for supported command to trim option with.
++# note: cut requires an argument to exit with success.
+ if colrm >/dev/null 2>&1 </dev/null; then
+     TRIM="colrm 3"
+-elif cut >/dev/null 2>&1 </dev/null; then
++elif cut --version >/dev/null 2>&1 </dev/null; then
+     TRIM="cut -c1-2"
+ else
+     AC_MSG_ERROR([Could not find colrm or cut to make options file])

+ 3 - 3
package/libs/wolfssl/patches/100-disable-hardening-check.patch

@@ -1,10 +1,10 @@
 --- a/wolfssl/wolfcrypt/settings.h
 +++ b/wolfssl/wolfcrypt/settings.h
-@@ -2445,7 +2445,7 @@ extern void uITRON4_free(void *p) ;
- #endif
+@@ -2630,7 +2630,7 @@ extern void uITRON4_free(void *p) ;
  
  /* warning for not using harden build options (default with ./configure) */
--#ifndef WC_NO_HARDEN
+ /* do not warn if big integer support is disabled */
+-#if !defined(WC_NO_HARDEN) && !defined(NO_BIG_INT)
 +#if 0
      #if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
          (defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \

+ 0 - 19
package/luci/collections/luci-ssl-wolfssl/Makefile

@@ -1,19 +0,0 @@
-#
-# Copyright (C) 2008-2020 The LuCI Team
-#
-# This is free software, licensed under the Apache License, Version 2.0 .
-#
-
-include $(TOPDIR)/rules.mk
-
-LUCI_TYPE:=col
-LUCI_BASENAME:=ssl-wolfssl
-
-LUCI_TITLE:=LuCI with HTTPS support (WolfSSL as SSL backend)
-LUCI_DEPENDS:=+luci +libustream-wolfssl +px5g-wolfssl
-
-PKG_LICENSE:=Apache-2.0
-
-include ../../luci.mk
-
-# call BuildPackage - OpenWrt buildroot signature

+ 2 - 2
package/luci/collections/luci-ssl/Makefile

@@ -9,8 +9,8 @@ include $(TOPDIR)/rules.mk
 LUCI_TYPE:=col
 LUCI_BASENAME:=ssl
 
-LUCI_TITLE:=LuCI with HTTPS support (mbedTLS as SSL backend)
-LUCI_DEPENDS:=+luci +libustream-mbedtls +px5g
+LUCI_TITLE:=LuCI with HTTPS support (WolfSSL as SSL backend)
+LUCI_DEPENDS:=+luci +libustream-wolfssl +px5g-wolfssl
 
 PKG_LICENSE:=Apache-2.0
 

+ 21 - 3
package/utils/px5g-wolfssl/px5g-wolfssl.c

@@ -203,8 +203,23 @@ int selfsigned(WC_RNG *rng, char **arg) {
             strncpy(newCert.subject.org, val, CTC_NAME_SIZE);
           else if (!strcmp(key, "OU"))
             strncpy(newCert.subject.unit, val, CTC_NAME_SIZE);
-          else if (!strcmp(key, "CN"))
+          else if (!strcmp(key, "CN")) {
             strncpy(newCert.subject.commonName, val, CTC_NAME_SIZE);
+
+#ifdef WOLFSSL_ALT_NAMES
+            if(strlen(val) + 2 > 256) {
+              fprintf(stderr, "error: CN is too long: %s\n", val);
+              return 1;
+            }
+
+            newCert.altNames[0] = 0x30; //Sequence with one element
+            newCert.altNames[1] = strlen(val) + 2; // Length of entire sequence
+            newCert.altNames[2] = 0x82; //8 - String, 2 - DNS Name
+            newCert.altNames[3] = strlen(val); //DNS Name length
+            memcpy(newCert.altNames + 4, val, strlen(val)); //DNS Name
+            newCert.altNamesSz = strlen(val) + 4;
+#endif
+          }
           else if (!strcmp(key, "EMAIL"))
             strncpy(newCert.subject.email, val, CTC_NAME_SIZE);
           else
@@ -216,6 +231,9 @@ int selfsigned(WC_RNG *rng, char **arg) {
   }
   newCert.daysValid = days;
 
+  newCert.keyUsage = KEYUSE_DIGITAL_SIG | KEYUSE_CONTENT_COMMIT | KEYUSE_KEY_ENCIPHER;
+  newCert.extKeyUsage = EXTKEYUSE_SERVER_AUTH;
+
   gen_key(rng, &ecKey, &rsaKey, type, keySz, exp, curve);
   write_key(&ecKey, &rsaKey, type, keySz, keypath, pem);
 
@@ -232,8 +250,10 @@ int selfsigned(WC_RNG *rng, char **arg) {
           subject, fstr, tstr);
 
   if (type == EC_KEY_TYPE) {
+    newCert.sigType = CTC_SHA256wECDSA;
     ret = wc_MakeCert(&newCert, derBuf, sizeof(derBuf), NULL, &ecKey, rng);
   } else {
+    newCert.sigType = CTC_SHA256wRSA;
     ret = wc_MakeCert(&newCert, derBuf, sizeof(derBuf), &rsaKey, NULL, rng);
   }
   if (ret <= 0) {
@@ -242,11 +262,9 @@ int selfsigned(WC_RNG *rng, char **arg) {
   }
 
   if (type == EC_KEY_TYPE) {
-    newCert.sigType = CTC_SHA256wECDSA;
     ret = wc_SignCert(newCert.bodySz, newCert.sigType, derBuf, sizeof(derBuf),
                       NULL, &ecKey, rng);
   } else {
-    newCert.sigType = CTC_SHA256wRSA;
     ret = wc_SignCert(newCert.bodySz, newCert.sigType, derBuf, sizeof(derBuf),
                       &rsaKey, NULL, rng);
   }