aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJo-Philipp Wich <jo@mein.io>2017-12-12 17:30:34 +0100
committerJo-Philipp Wich <jo@mein.io>2017-12-12 17:39:52 +0100
commit902961c148b1f6d06a6159090366250281d801d7 (patch)
treed4d9f9292266cc7f1e8194adaaf499efe21b0b45
parent905bbc96efdef696c33d8a8bc202a7a35fe7fe35 (diff)
downloadupstream-902961c148b1f6d06a6159090366250281d801d7.tar.gz
upstream-902961c148b1f6d06a6159090366250281d801d7.tar.bz2
upstream-902961c148b1f6d06a6159090366250281d801d7.zip
wolfssl: update to 3.12.2 (1 CVE)
Update wolfssl to the latest release v3.12.2 and backport an upstream pending fix for CVE-2017-13099 ("ROBOT vulnerability"). Ref: https://github.com/wolfSSL/wolfssl/pull/1229 Ref: https://robotattack.org/ Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--package/libs/wolfssl/Makefile4
-rw-r--r--package/libs/wolfssl/patches/001-CVE-2017-13099.patch144
-rw-r--r--package/libs/wolfssl/patches/100-disable-hardening-check.patch4
3 files changed, 147 insertions, 5 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 9f5c5f66d6..1d4b7f5579 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
-PKG_VERSION:=3.12.0
+PKG_VERSION:=3.12.2
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
PKG_SOURCE_URL:=https://www.wolfssl.com/
-PKG_HASH:=5bb196056ac0086efbf07ecea7d3e73b1c31722eb52a88b85879f920428a9a0f
+PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49
PKG_FIXUP:=libtool
PKG_INSTALL:=1
diff --git a/package/libs/wolfssl/patches/001-CVE-2017-13099.patch b/package/libs/wolfssl/patches/001-CVE-2017-13099.patch
new file mode 100644
index 0000000000..e7b63cb8d4
--- /dev/null
+++ b/package/libs/wolfssl/patches/001-CVE-2017-13099.patch
@@ -0,0 +1,144 @@
+From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
+From: David Garske <david@wolfssl.com>
+Date: Tue, 14 Nov 2017 14:05:50 -0800
+Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
+ they are indistinguishable from from correctly formatted RSA blocks (per
+ RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
+ creation for consistency in client case. Removed obsolete
+ `PMS_VERSION_ERROR`.
+
+---
+ src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
+ wolfssl/error-ssl.h | 2 +-
+ 2 files changed, 61 insertions(+), 11 deletions(-)
+
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
+ case NOT_READY_ERROR :
+ return "handshake layer not ready yet, complete first";
+
+- case PMS_VERSION_ERROR :
+- return "premaster secret version mismatch error";
+-
+ case VERSION_ERROR :
+ return "record layer version error";
+
+@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
+ #ifndef NO_RSA
+ case rsa_kea:
+ {
++ /* build PreMasterSecret with RNG data */
+ ret = wc_RNG_GenerateBlock(ssl->rng,
+- ssl->arrays->preMasterSecret, SECRET_LEN);
++ &ssl->arrays->preMasterSecret[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
+ if (ret != 0) {
+ goto exit_scke;
+ }
+@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ word32 idx;
+ word32 begin;
+ word32 sigSz;
++ #ifndef NO_RSA
++ int lastErr;
++ #endif
+ } DckeArgs;
+
+ static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
+@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ ERROR_OUT(BUFFER_ERROR, exit_dcke);
+ }
+
++ /* pre-load PreMasterSecret with RNG data */
++ ret = wc_RNG_GenerateBlock(ssl->rng,
++ &ssl->arrays->preMasterSecret[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
++ if (ret != 0) {
++ goto exit_dcke;
++ }
++
+ args->output = NULL;
+ break;
+ } /* rsa_kea */
+@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ NULL, 0, NULL
+ #endif
+ );
++
++ /* Errors that can occur here that should be
++ * indistinguishable:
++ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
++ */
++ if (ret < 0 && ret != BAD_FUNC_ARG) {
++ #ifdef WOLFSSL_ASYNC_CRYPT
++ if (ret == WC_PENDING_E)
++ goto exit_dcke;
++ #endif
++ /* store error code for handling below */
++ args->lastErr = ret;
++ ret = 0;
++ }
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
+ /* Add the signature length to idx */
+ args->idx += args->length;
+
+- if (args->sigSz == SECRET_LEN && args->output != NULL) {
+- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
+- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
+- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
+- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
++ #ifdef DEBUG_WOLFSSL
++ /* check version (debug warning message only) */
++ if (args->output != NULL) {
++ if (args->output[0] != ssl->chVersion.major ||
++ args->output[1] != ssl->chVersion.minor) {
++ WOLFSSL_MSG("preMasterSecret version mismatch");
+ }
+ }
++ #endif
++
++ /* RFC5246 7.4.7.1:
++ * Treat incorrectly formatted message blocks and/or
++ * mismatched version numbers in a manner
++ * indistinguishable from correctly formatted RSA blocks
++ */
++
++ ret = args->lastErr;
++ args->lastErr = 0; /* reset */
++
++ /* build PreMasterSecret */
++ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
++ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
++ if (ret == 0 && args->sigSz == SECRET_LEN &&
++ args->output != NULL) {
++ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
++ &args->output[VERSION_SZ],
++ SECRET_LEN - VERSION_SZ);
++ }
+ else {
+- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
++ /* preMasterSecret has RNG and version set */
++ /* return proper length and ignore error */
++ /* error will be caught as decryption error */
++ args->sigSz = SECRET_LEN;
++ ret = 0;
+ }
++
+ break;
+ } /* rsa_kea */
+ #endif /* !NO_RSA */
+--- a/wolfssl/error-ssl.h
++++ b/wolfssl/error-ssl.h
+@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
+ DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
+ WANT_READ = -323, /* want read, call again */
+ NOT_READY_ERROR = -324, /* handshake layer not ready */
+- PMS_VERSION_ERROR = -325, /* pre m secret version error */
++
+ VERSION_ERROR = -326, /* record layer version error */
+ WANT_WRITE = -327, /* want write, call again */
+ BUFFER_ERROR = -328, /* malformed buffer input */
diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
index 4acce8a399..83d51b1d5c 100644
--- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch
+++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch
@@ -1,8 +1,6 @@
-diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
-index 039c238..73537e0 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
-@@ -1633,7 +1633,7 @@ extern void uITRON4_free(void *p) ;
+@@ -1553,7 +1553,7 @@ extern void uITRON4_free(void *p) ;
#endif
/* warning for not using harden build options (default with ./configure) */