From 902961c148b1f6d06a6159090366250281d801d7 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 12 Dec 2017 17:30:34 +0100 Subject: [PATCH] wolfssl: update to 3.12.2 (1 CVE) Update wolfssl to the latest release v3.12.2 and backport an upstream pending fix for CVE-2017-13099 ("ROBOT vulnerability"). Ref: https://github.com/wolfSSL/wolfssl/pull/1229 Ref: https://robotattack.org/ Signed-off-by: Jo-Philipp Wich --- package/libs/wolfssl/Makefile | 4 +- .../wolfssl/patches/001-CVE-2017-13099.patch | 144 ++++++++++++++++++ .../patches/100-disable-hardening-check.patch | 4 +- 3 files changed, 147 insertions(+), 5 deletions(-) create mode 100644 package/libs/wolfssl/patches/001-CVE-2017-13099.patch diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile index 9f5c5f66d6d..1d4b7f5579b 100644 --- a/package/libs/wolfssl/Makefile +++ b/package/libs/wolfssl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.12.0 +PKG_VERSION:=3.12.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip PKG_SOURCE_URL:=https://www.wolfssl.com/ -PKG_HASH:=5bb196056ac0086efbf07ecea7d3e73b1c31722eb52a88b85879f920428a9a0f +PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49 PKG_FIXUP:=libtool PKG_INSTALL:=1 diff --git a/package/libs/wolfssl/patches/001-CVE-2017-13099.patch b/package/libs/wolfssl/patches/001-CVE-2017-13099.patch new file mode 100644 index 00000000000..e7b63cb8d4f --- /dev/null +++ b/package/libs/wolfssl/patches/001-CVE-2017-13099.patch @@ -0,0 +1,144 @@ +From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001 +From: David Garske +Date: Tue, 14 Nov 2017 14:05:50 -0800 +Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so + they are indistinguishable from from correctly formatted RSA blocks (per + RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG + creation for consistency in client case. Removed obsolete + `PMS_VERSION_ERROR`. + +--- + src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-------- + wolfssl/error-ssl.h | 2 +- + 2 files changed, 61 insertions(+), 11 deletions(-) + +--- a/src/internal.c ++++ b/src/internal.c +@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str + case NOT_READY_ERROR : + return "handshake layer not ready yet, complete first"; + +- case PMS_VERSION_ERROR : +- return "premaster secret version mismatch error"; +- + case VERSION_ERROR : + return "record layer version error"; + +@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl) + #ifndef NO_RSA + case rsa_kea: + { ++ /* build PreMasterSecret with RNG data */ + ret = wc_RNG_GenerateBlock(ssl->rng, +- ssl->arrays->preMasterSecret, SECRET_LEN); ++ &ssl->arrays->preMasterSecret[VERSION_SZ], ++ SECRET_LEN - VERSION_SZ); + if (ret != 0) { + goto exit_scke; + } +@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl, + word32 idx; + word32 begin; + word32 sigSz; ++ #ifndef NO_RSA ++ int lastErr; ++ #endif + } DckeArgs; + + static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs) +@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl, + ERROR_OUT(BUFFER_ERROR, exit_dcke); + } + ++ /* pre-load PreMasterSecret with RNG data */ ++ ret = wc_RNG_GenerateBlock(ssl->rng, ++ &ssl->arrays->preMasterSecret[VERSION_SZ], ++ SECRET_LEN - VERSION_SZ); ++ if (ret != 0) { ++ goto exit_dcke; ++ } ++ + args->output = NULL; + break; + } /* rsa_kea */ +@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl, + NULL, 0, NULL + #endif + ); ++ ++ /* Errors that can occur here that should be ++ * indistinguishable: ++ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR ++ */ ++ if (ret < 0 && ret != BAD_FUNC_ARG) { ++ #ifdef WOLFSSL_ASYNC_CRYPT ++ if (ret == WC_PENDING_E) ++ goto exit_dcke; ++ #endif ++ /* store error code for handling below */ ++ args->lastErr = ret; ++ ret = 0; ++ } + break; + } /* rsa_kea */ + #endif /* !NO_RSA */ +@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl, + /* Add the signature length to idx */ + args->idx += args->length; + +- if (args->sigSz == SECRET_LEN && args->output != NULL) { +- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN); +- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || +- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) { +- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke); ++ #ifdef DEBUG_WOLFSSL ++ /* check version (debug warning message only) */ ++ if (args->output != NULL) { ++ if (args->output[0] != ssl->chVersion.major || ++ args->output[1] != ssl->chVersion.minor) { ++ WOLFSSL_MSG("preMasterSecret version mismatch"); + } + } ++ #endif ++ ++ /* RFC5246 7.4.7.1: ++ * Treat incorrectly formatted message blocks and/or ++ * mismatched version numbers in a manner ++ * indistinguishable from correctly formatted RSA blocks ++ */ ++ ++ ret = args->lastErr; ++ args->lastErr = 0; /* reset */ ++ ++ /* build PreMasterSecret */ ++ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; ++ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; ++ if (ret == 0 && args->sigSz == SECRET_LEN && ++ args->output != NULL) { ++ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ], ++ &args->output[VERSION_SZ], ++ SECRET_LEN - VERSION_SZ); ++ } + else { +- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); ++ /* preMasterSecret has RNG and version set */ ++ /* return proper length and ignore error */ ++ /* error will be caught as decryption error */ ++ args->sigSz = SECRET_LEN; ++ ret = 0; + } ++ + break; + } /* rsa_kea */ + #endif /* !NO_RSA */ +--- a/wolfssl/error-ssl.h ++++ b/wolfssl/error-ssl.h +@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes { + DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ + WANT_READ = -323, /* want read, call again */ + NOT_READY_ERROR = -324, /* handshake layer not ready */ +- PMS_VERSION_ERROR = -325, /* pre m secret version error */ ++ + VERSION_ERROR = -326, /* record layer version error */ + WANT_WRITE = -327, /* want write, call again */ + BUFFER_ERROR = -328, /* malformed buffer input */ diff --git a/package/libs/wolfssl/patches/100-disable-hardening-check.patch b/package/libs/wolfssl/patches/100-disable-hardening-check.patch index 4acce8a3995..83d51b1d5cb 100644 --- a/package/libs/wolfssl/patches/100-disable-hardening-check.patch +++ b/package/libs/wolfssl/patches/100-disable-hardening-check.patch @@ -1,8 +1,6 @@ -diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h -index 039c238..73537e0 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h -@@ -1633,7 +1633,7 @@ extern void uITRON4_free(void *p) ; +@@ -1553,7 +1553,7 @@ extern void uITRON4_free(void *p) ; #endif /* warning for not using harden build options (default with ./configure) */ -- 2.30.2