oss-sec mailing list archives

wolfSSL 5.4.0 fixes CVE-2022-34293 and other issues


From: Fabian Keil <freebsd-listen () fabiankeil de>
Date: Mon, 8 Aug 2022 16:28:41 +0200

Looks like wolfSSL 5.4.0 was released weeks ago but I only
became aware of it today thanks to the FreeBSD ports commit mail [0].

According to the package status on the GitHub page [1] other projects
haven't imported the update yet either.

Quoting the project page:
| The wolfSSL embedded SSL library (formerly CyaSSL) is a lightweight
| SSL/TLS library written in ANSI C and targeted for embedded, RTOS,
| and resource-constrained environments - primarily because of its
| small size, speed, and feature set. It is commonly used in standard
| operating environments as well because of its royalty-free pricing
| and excellent cross platform support.

Quoting the commit message:
| Release 5.4.0 of wolfSSL embedded TLS has bug fixes and new features including:
|
| Vulnerabilities
|
| * [High] Potential for DTLS DoS attack. In wolfSSL versions before 5.4.0 the
|   return-routability check is wrongly skipped in a specific edge case. The check
|   on the return-routability is there for stopping attacks that either consume
|   excessive resources on the server, or try to use the server as an amplifier
|   sending an excessive amount of messages to a victim IP. If using DTLS 1.0/1.2
|   on the server side users should update to avoid the potential DoS
|   attack. CVE-2022-34293
| * [Medium] Ciphertext side channel attack on ECC and DH operations. Users on
|   systems where rogue agents can monitor memory use should update the version of
|   wolfSSL and change private ECC keys. Thanks to Sen Deng from Southern
|   University of Science and Technology (SUSTech) for the report.
| * [Medium] Public disclosure of a side channel vulnerability that has been fixed
|   since wolfSSL version 5.1.0. When running on AMD there is the potential to
|   leak private key information with ECDSA operations due to a ciphertext side
|   channel attack. Users on AMD doing ECDSA operations with wolfSSL versions less
|   than 5.1.0 should update their wolfSSL version used. Thanks to professor
|   Yinqian Zhang from Southern University of Science and Technology (SUSTech),
|   his Ph.D. student Mengyuan Li from The Ohio State University, and his M.S
|   students Sen Deng and Yining Tang from SUStech along with other collaborators;
|   Luca Wilke, Jan Wichelmann and Professor Thomas Eisenbarth from the University
|   of Lubeck, Professor Shuai Wang from Hong Kong University of Science and
|   Technology, Professor Radu Teodorescu from The Ohio State University, Huibo
|   Wang, Kang Li and Yueqiang Cheng from Baidu Security and Shoumeng Yang from
|   Ant Financial Services Group.
| CVE-2020-12966
| https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1013
| CVE-2021-46744
| https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1033

In somewhat related news I started collecting Privoxy TLS benchmarks using
various TLS libraries a while ago ([2]). WolfSSL appears to be competitive.

Fabian

[0] <https://cgit.freebsd.org/ports/commit/?id=4850ea1e3ca82f63f94654cf1b9790ec476bbb18>
[1] <https://github.com/wolfSSL/wolfssl/>
[2] <https://www.fabiankeil.de/gehacktes/privoxy-tls-benchmarks/>
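
The return-routability check named in the release notes is, in DTLS 1.0/1.2, the HelloVerifyRequest cookie exchange (RFC 6347, section 4.2.1). The following is an added example, not wolfSSL code and not part of the original message: a Python model of that check with hypothetical names (`Server`, `make_cookie`) and constructed addresses, showing why an unverified peer gets only a small reply and no server state. It does not reproduce the edge case fixed in 5.4.0.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)  # server-wide cookie key (assumption: rotated periodically)


def make_cookie(addr, client_random, secret=SECRET):
    """Stateless cookie bound to the peer's source address and ClientHello random."""
    ip, port = addr
    msg = ip.encode() + b"|" + str(port).encode() + b"|" + client_random
    return hmac.new(secret, msg, hashlib.sha256).digest()


class Server:
    def __init__(self):
        # Per-peer handshake state; allocated only after the cookie is verified.
        self.handshakes = {}

    def on_client_hello(self, addr, client_random, cookie=b""):
        expected = make_cookie(addr, client_random)
        if not cookie or not hmac.compare_digest(cookie, expected):
            # Unverified source: answer with one small message and keep no state.
            # A spoofed source address never sees this cookie, so it cannot
            # make the server send the large certificate flight to a victim.
            return ("HelloVerifyRequest", expected)
        # The peer proved it receives traffic at addr: start the real handshake.
        self.handshakes[addr] = client_random
        return ("ServerHello", None)


if __name__ == "__main__":
    srv = Server()
    peer = ("203.0.113.7", 4444)          # constructed documentation address
    rnd = os.urandom(32)
    kind, cookie = srv.on_client_hello(peer, rnd)
    print(kind, len(srv.handshakes))      # first hello: no state allocated
    kind, _ = srv.on_client_hello(peer, rnd, cookie)
    print(kind, len(srv.handshakes))      # cookie echoed: handshake proceeds
```

Skipping the verification branch for any ClientHello is what turns the server into a resource sink or traffic amplifier, which is the failure class the advisory describes.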
