From 207bcea1de02799b744ddca22d022456123e7566 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 12 Dec 2017 17:30:34 +0100 Subject: [PATCH] cyassl: update to wolfssl 3.12.2 (1 CVE) Update wolfssl to the latest release v3.12.2 and backport an upstream pending fix for CVE-2017-13099 ("ROBOT vulnerability"). Ref: https://github.com/wolfSSL/wolfssl/pull/1229 Ref: https://robotattack.org/ Signed-off-by: Jo-Philipp Wich (backported from commit 902961c148b1f6d06a6159090366250281d801d7) --- package/libs/cyassl/Makefile | 4 +- .../cyassl/patches/001-CVE-2017-13099.patch | 144 ++++++++++++++++++ 2 files changed, 146 insertions(+), 2 deletions(-) create mode 100644 package/libs/cyassl/patches/001-CVE-2017-13099.patch diff --git a/package/libs/cyassl/Makefile b/package/libs/cyassl/Makefile index 68646d9b00..0212ff73d4 100644 --- a/package/libs/cyassl/Makefile +++ b/package/libs/cyassl/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=wolfssl -PKG_VERSION:=3.10.0 +PKG_VERSION:=3.12.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip PKG_SOURCE_URL:=https://www.wolfssl.com/ -PKG_HASH:=66f7f2a8b8ee37d6b4beab3cb0dcb6a6980fd4674373bfd3bf1214b9d0d2c02e +PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49 PKG_FIXUP:=libtool PKG_INSTALL:=1 diff --git a/package/libs/cyassl/patches/001-CVE-2017-13099.patch b/package/libs/cyassl/patches/001-CVE-2017-13099.patch new file mode 100644 index 0000000000..e7b63cb8d4 --- /dev/null +++ b/package/libs/cyassl/patches/001-CVE-2017-13099.patch @@ -0,0 +1,144 @@ +From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001 +From: David Garske +Date: Tue, 14 Nov 2017 14:05:50 -0800 +Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so + they are indistinguishable from from correctly formatted RSA blocks (per + RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG + creation for consistency in client case. Removed obsolete + `PMS_VERSION_ERROR`. + +--- + src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-------- + wolfssl/error-ssl.h | 2 +- + 2 files changed, 61 insertions(+), 11 deletions(-) + +--- a/src/internal.c ++++ b/src/internal.c +@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str + case NOT_READY_ERROR : + return "handshake layer not ready yet, complete first"; + +- case PMS_VERSION_ERROR : +- return "premaster secret version mismatch error"; +- + case VERSION_ERROR : + return "record layer version error"; + +@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl) + #ifndef NO_RSA + case rsa_kea: + { ++ /* build PreMasterSecret with RNG data */ + ret = wc_RNG_GenerateBlock(ssl->rng, +- ssl->arrays->preMasterSecret, SECRET_LEN); ++ &ssl->arrays->preMasterSecret[VERSION_SZ], ++ SECRET_LEN - VERSION_SZ); + if (ret != 0) { + goto exit_scke; + } +@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl, + word32 idx; + word32 begin; + word32 sigSz; ++ #ifndef NO_RSA ++ int lastErr; ++ #endif + } DckeArgs; + + static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs) +@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl, + ERROR_OUT(BUFFER_ERROR, exit_dcke); + } + ++ /* pre-load PreMasterSecret with RNG data */ ++ ret = wc_RNG_GenerateBlock(ssl->rng, ++ &ssl->arrays->preMasterSecret[VERSION_SZ], ++ SECRET_LEN - VERSION_SZ); ++ if (ret != 0) { ++ goto exit_dcke; ++ } ++ + args->output = NULL; + break; + } /* rsa_kea */ +@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl, + NULL, 0, NULL + #endif + ); ++ ++ /* Errors that can occur here that should be ++ * indistinguishable: ++ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR ++ */ ++ if (ret < 0 && ret != BAD_FUNC_ARG) { ++ #ifdef WOLFSSL_ASYNC_CRYPT ++ if (ret == WC_PENDING_E) ++ goto exit_dcke; ++ #endif ++ /* store error code for handling below */ ++ args->lastErr = ret; ++ ret = 0; ++ } + break; + } /* rsa_kea */ + #endif /* !NO_RSA */ +@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl, + /* Add the signature length to idx */ + args->idx += args->length; + +- if (args->sigSz == SECRET_LEN && args->output != NULL) { +- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN); +- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || +- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) { +- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke); ++ #ifdef DEBUG_WOLFSSL ++ /* check version (debug warning message only) */ ++ if (args->output != NULL) { ++ if (args->output[0] != ssl->chVersion.major || ++ args->output[1] != ssl->chVersion.minor) { ++ WOLFSSL_MSG("preMasterSecret version mismatch"); + } + } ++ #endif ++ ++ /* RFC5246 7.4.7.1: ++ * Treat incorrectly formatted message blocks and/or ++ * mismatched version numbers in a manner ++ * indistinguishable from correctly formatted RSA blocks ++ */ ++ ++ ret = args->lastErr; ++ args->lastErr = 0; /* reset */ ++ ++ /* build PreMasterSecret */ ++ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; ++ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; ++ if (ret == 0 && args->sigSz == SECRET_LEN && ++ args->output != NULL) { ++ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ], ++ &args->output[VERSION_SZ], ++ SECRET_LEN - VERSION_SZ); ++ } + else { +- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); ++ /* preMasterSecret has RNG and version set */ ++ /* return proper length and ignore error */ ++ /* error will be caught as decryption error */ ++ args->sigSz = SECRET_LEN; ++ ret = 0; + } ++ + break; + } /* rsa_kea */ + #endif /* !NO_RSA */ +--- a/wolfssl/error-ssl.h ++++ b/wolfssl/error-ssl.h +@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes { + DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ + WANT_READ = -323, /* want read, call again */ + NOT_READY_ERROR = -324, /* handshake layer not ready */ +- PMS_VERSION_ERROR = -325, /* pre m secret version error */ ++ + VERSION_ERROR = -326, /* record layer version error */ + WANT_WRITE = -327, /* want write, call again */ + BUFFER_ERROR = -328, /* malformed buffer input */