cyassl: update to wolfssl 3.12.2 (1 CVE)
authorJo-Philipp Wich <jo@mein.io>
Tue, 12 Dec 2017 16:30:34 +0000 (17:30 +0100)
committerJo-Philipp Wich <jo@mein.io>
Wed, 13 Dec 2017 12:08:38 +0000 (13:08 +0100)
Update wolfssl to the latest release v3.12.2 and backport an upstream
pending fix for CVE-2017-13099 ("ROBOT vulnerability").

Ref: https://github.com/wolfSSL/wolfssl/pull/1229
Ref: https://robotattack.org/

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commit 902961c148b1f6d06a6159090366250281d801d7)

package/libs/cyassl/Makefile
package/libs/cyassl/patches/001-CVE-2017-13099.patch [new file with mode: 0644]

index 68646d9b00299e9c9974da1cbde08bb04de80f41..0212ff73d43f173b66707b5d57a0643894915bd1 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
-PKG_VERSION:=3.10.0
+PKG_VERSION:=3.12.2
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).zip
 PKG_SOURCE_URL:=https://www.wolfssl.com/
-PKG_HASH:=66f7f2a8b8ee37d6b4beab3cb0dcb6a6980fd4674373bfd3bf1214b9d0d2c02e
+PKG_HASH:=4993844c4b7919007c4511ec3f987fb06543536c3fc933cb53491bffe9150e49
 
 PKG_FIXUP:=libtool
 PKG_INSTALL:=1
diff --git a/package/libs/cyassl/patches/001-CVE-2017-13099.patch b/package/libs/cyassl/patches/001-CVE-2017-13099.patch
new file mode 100644 (file)
index 0000000..e7b63cb
--- /dev/null
@@ -0,0 +1,144 @@
+From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
+From: David Garske <david@wolfssl.com>
+Date: Tue, 14 Nov 2017 14:05:50 -0800
+Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
+ they are indistinguishable from from correctly formatted RSA blocks (per
+ RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
+ creation for consistency in client case. Removed obsolete
+ `PMS_VERSION_ERROR`.
+
+---
+ src/internal.c      | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
+ wolfssl/error-ssl.h |  2 +-
+ 2 files changed, 61 insertions(+), 11 deletions(-)
+
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
+     case NOT_READY_ERROR :
+         return "handshake layer not ready yet, complete first";
+-    case PMS_VERSION_ERROR :
+-        return "premaster secret version mismatch error";
+-
+     case VERSION_ERROR :
+         return "record layer version error";
+@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
+             #ifndef NO_RSA
+                 case rsa_kea:
+                 {
++                    /* build PreMasterSecret with RNG data */
+                     ret = wc_RNG_GenerateBlock(ssl->rng,
+-                        ssl->arrays->preMasterSecret, SECRET_LEN);
++                        &ssl->arrays->preMasterSecret[VERSION_SZ],
++                        SECRET_LEN - VERSION_SZ);
+                     if (ret != 0) {
+                         goto exit_scke;
+                     }
+@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
+         word32 idx;
+         word32 begin;
+         word32 sigSz;
++    #ifndef NO_RSA
++        int    lastErr;
++    #endif
+     } DckeArgs;
+     static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
+@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
+                             ERROR_OUT(BUFFER_ERROR, exit_dcke);
+                         }
++                        /* pre-load PreMasterSecret with RNG data */
++                        ret = wc_RNG_GenerateBlock(ssl->rng,
++                            &ssl->arrays->preMasterSecret[VERSION_SZ],
++                            SECRET_LEN - VERSION_SZ);
++                        if (ret != 0) {
++                            goto exit_dcke;
++                        }
++
+                         args->output = NULL;
+                         break;
+                     } /* rsa_kea */
+@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
+                             NULL, 0, NULL
+                         #endif
+                         );
++
++                        /*  Errors that can occur here that should be
++                         *  indistinguishable:
++                         *       RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
++                         */
++                        if (ret < 0 && ret != BAD_FUNC_ARG) {
++                        #ifdef WOLFSSL_ASYNC_CRYPT
++                            if (ret == WC_PENDING_E)
++                                goto exit_dcke;
++                        #endif
++                            /* store error code for handling below */
++                            args->lastErr = ret;
++                            ret = 0;
++                        }
+                         break;
+                     } /* rsa_kea */
+                 #endif /* !NO_RSA */
+@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
+                         /* Add the signature length to idx */
+                         args->idx += args->length;
+-                        if (args->sigSz == SECRET_LEN && args->output != NULL) {
+-                            XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
+-                            if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
+-                                ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
+-                                ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
++                    #ifdef DEBUG_WOLFSSL
++                        /* check version (debug warning message only) */
++                        if (args->output != NULL) {
++                            if (args->output[0] != ssl->chVersion.major ||
++                                args->output[1] != ssl->chVersion.minor) {
++                                WOLFSSL_MSG("preMasterSecret version mismatch");
+                             }
+                         }
++                    #endif
++
++                        /* RFC5246 7.4.7.1:
++                         * Treat incorrectly formatted message blocks and/or
++                         * mismatched version numbers in a manner
++                         * indistinguishable from correctly formatted RSA blocks
++                         */
++
++                        ret = args->lastErr;
++                        args->lastErr = 0; /* reset */
++
++                        /* build PreMasterSecret */
++                        ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
++                        ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
++                        if (ret == 0 && args->sigSz == SECRET_LEN &&
++                                                         args->output != NULL) {
++                            XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
++                                &args->output[VERSION_SZ],
++                                SECRET_LEN - VERSION_SZ);
++                        }
+                         else {
+-                            ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
++                            /* preMasterSecret has RNG and version set */
++                            /* return proper length and ignore error */
++                            /* error will be caught as decryption error */
++                            args->sigSz = SECRET_LEN;
++                            ret = 0;
+                         }
++
+                         break;
+                     } /* rsa_kea */
+                 #endif /* !NO_RSA */
+--- a/wolfssl/error-ssl.h
++++ b/wolfssl/error-ssl.h
+@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
+     DOMAIN_NAME_MISMATCH         = -322,   /* peer subject name mismatch */
+     WANT_READ                    = -323,   /* want read, call again    */
+     NOT_READY_ERROR              = -324,   /* handshake layer not ready */
+-    PMS_VERSION_ERROR            = -325,   /* pre m secret version error */
++
+     VERSION_ERROR                = -326,   /* record layer version error */
+     WANT_WRITE                   = -327,   /* want write, call again   */
+     BUFFER_ERROR                 = -328,   /* malformed buffer input   */