[source] cyassl: update to wolfssl 3.12.2 (1 CVE)
LEDE Commits
lede-commits at lists.infradead.org
Thu Dec 14 09:42:58 PST 2017
jow pushed a commit to source.git, branch lede-17.01:
https://git.lede-project.org/207bcea1de02799b744ddca22d022456123e7566
commit 207bcea1de02799b744ddca22d022456123e7566
Author: Jo-Philipp Wich <jo at mein.io>
AuthorDate: Tue Dec 12 17:30:34 2017 +0100
cyassl: update to wolfssl 3.12.2 (1 CVE)
Update wolfssl to the latest release v3.12.2 and backport an upstream
pending fix for CVE-2017-13099 ("ROBOT vulnerability").
Ref: https://github.com/wolfSSL/wolfssl/pull/1229
Ref: https://robotattack.org/
Signed-off-by: Jo-Philipp Wich <jo at mein.io>
(backported from commit 902961c148b1f6d06a6159090366250281d801d7)
---
package/libs/cyassl/Makefile | 4 +-
.../libs/cyassl/patches/001-CVE-2017-13099.patch | 144 +++++++++++++++++++++
2 files changed, 146 insertions(+), 2 deletions(-)
diff --git a/package/libs/cyassl/Makefile b/package/libs/cyassl/Makefile
index 68646d9..0212ff7 100644
--- a/package/libs/cyassl/Makefile
+++ b/package/libs/cyassl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=3.10.0
+PKG_VERSION:=3.12.2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
PKG_SOURCE_URL:=https://www.wolfssl.com/
-PKG_HASH:=66f7f2a8b8ee37d6b4beab3cb0dcb6a6980fd4674373bfd3bf1214b9d0d2c02e
+PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49
PKG_FIXUP:=libtool
PKG_INSTALL:=1
diff --git a/package/libs/cyassl/patches/001-CVE-2017-13099.patch b/package/libs/cyassl/patches/001-CVE-2017-13099.patch
new file mode 100644
index 0000000..e7b63cb
--- /dev/null
+++ b/package/libs/cyassl/patches/001-CVE-2017-13099.patch
@@ -0,0 +1,144 @@
+From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
+From: David Garske <david at wolfssl.com>
+Date: Tue, 14 Nov 2017 14:05:50 -0800
+Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
+ they are indistinguishable from from correctly formatted RSA blocks (per
+ RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
+ creation for consistency in client case. Removed obsolete
+ `PMS_VERSION_ERROR`.
+
+---
+ src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
+ wolfssl/error-ssl.h | 2 +-
+ 2 files changed, 61 insertions(+), 11 deletions(-)
+
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
+ case NOT_READY_ERROR :
+ return "handshake layer not ready yet, complete first";
+
+- case PMS_VERSION_ERROR :
+- return "premaster secret version mismatch error";
+-
+ case VERSION_ERROR :
+ return "record layer version error";
+
+@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
+ #ifndef NO_RSA
+ case rsa_kea:
+ {
++ /* build PreMasterSecret with RNG data */
+ ret = wc_RNG_GenerateBlock(ssl->rng,
+- ssl->arrays->preMasterSecret, SECRET_LEN);
++ &ssl->arrays->preMasterSecret[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
+ if (ret != 0) {
+ goto exit_scke;
+ }
+@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ word32 idx;
+ word32 begin;
+ word32 sigSz;
++ #ifndef NO_RSA
++ int lastErr;
++ #endif
+ } DckeArgs;
+
+ static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
+@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ ERROR_OUT(BUFFER_ERROR, exit_dcke);
+ }
+
++ /* pre-load PreMasterSecret with RNG data */
++ ret = wc_RNG_GenerateBlock(ssl->rng,
++ &ssl->arrays->preMasterSecret[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
++ if (ret != 0) {
++ goto exit_dcke;
++ }
++
+ args->output = NULL;
+ break;
+ } /* rsa_kea */
+@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ NULL, 0, NULL
+ #endif
+ );
++
++ /* Errors that can occur here that should be
++ * indistinguishable:
++ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
++ */
++ if (ret < 0 && ret != BAD_FUNC_ARG) {
++ #ifdef WOLFSSL_ASYNC_CRYPT
++ if (ret == WC_PENDING_E)
++ goto exit_dcke;
++ #endif
++ /* store error code for handling below */
++ args->lastErr = ret;
++ ret = 0;
++ }
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ /* Add the signature length to idx */
+ args->idx += args->length;
+
+- if (args->sigSz == SECRET_LEN && args->output != NULL) {
+- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
+- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
+- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
+- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
++ #ifdef DEBUG_WOLFSSL
++ /* check version (debug warning message only) */
++ if (args->output != NULL) {
++ if (args->output[0] != ssl->chVersion.major ||
++ args->output[1] != ssl->chVersion.minor) {
++ WOLFSSL_MSG("preMasterSecret version mismatch");
+ }
+ }
++ #endif
++
++ /* RFC5246 7.4.7.1:
++ * Treat incorrectly formatted message blocks and/or
++ * mismatched version numbers in a manner
++ * indistinguishable from correctly formatted RSA blocks
++ */
++
++ ret = args->lastErr;
++ args->lastErr = 0; /* reset */
++
++ /* build PreMasterSecret */
++ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
++ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
++ if (ret == 0 && args->sigSz == SECRET_LEN &&
++ args->output != NULL) {
++ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
++ &args->output[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
++ }
+ else {
+- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
++ /* preMasterSecret has RNG and version set */
++ /* return proper length and ignore error */
++ /* error will be caught as decryption error */
++ args->sigSz = SECRET_LEN;
++ ret = 0;
+ }
++
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+--- a/wolfssl/error-ssl.h
++++ b/wolfssl/error-ssl.h
+@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
+ DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
+ WANT_READ = -323, /* want read, call again */
+ NOT_READY_ERROR = -324, /* handshake layer not ready */
+- PMS_VERSION_ERROR = -325, /* pre m secret version error */
++
+ VERSION_ERROR = -326, /* record layer version error */
+ WANT_WRITE = -327, /* want write, call again */
+ BUFFER_ERROR = -328, /* malformed buffer input */
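Review bot: The PreMasterSecret selection added in the last `src/internal.c` hunk still branches on the decryption outcome: `if (ret == 0 && args->sigSz == SECRET_LEN && args->output != NULL)` runs the `XMEMCPY` only for a well-formed block, so the valid and invalid paths do different work and the handling is not constant-time. The error code is hidden, but a small timing difference on exactly the condition RFC 5246 7.4.7.1 wants concealed may remain; I would at least record that above the branch, e.g. `/* NOTE: copy depends on padding validity, not constant-time; replace with a masked select when upstream provides one */`. The `DEBUG_WOLFSSL` block also logs `preMasterSecret version mismatch`, which is a distinguishing signal in debug builds, so it deserves a comment that such builds must not face untrusted peers. The enclosing functions start and end outside these hunks, so whether `args->lastErr` is zeroed before the first pass (the reset to 0 only happens after use) cannot be confirmed from here and should be checked against the full `DckeArgs` setup.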