This repository has been archived by the owner on Feb 16, 2024. It is now read-only.
forked from openwrt/openwrt
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cyassl: update to wolfssl 3.12.2 (1 CVE)
Update wolfssl to the latest release v3.12.2 and backport an upstream pending fix for CVE-2017-13099 ("ROBOT vulnerability"). Ref: wolfSSL/wolfssl#1229 Ref: https://robotattack.org/ Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commit aa091cd)
- Loading branch information
Showing
2 changed files
with
146 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,144 @@ | ||
From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001 | ||
From: David Garske <david@wolfssl.com> | ||
Date: Tue, 14 Nov 2017 14:05:50 -0800 | ||
Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so | ||
they are indistinguishable from from correctly formatted RSA blocks (per | ||
RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG | ||
creation for consistency in client case. Removed obsolete | ||
`PMS_VERSION_ERROR`. | ||
|
||
--- | ||
src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++-------- | ||
wolfssl/error-ssl.h | 2 +- | ||
2 files changed, 61 insertions(+), 11 deletions(-) | ||
|
||
--- a/src/internal.c | ||
+++ b/src/internal.c | ||
@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str | ||
case NOT_READY_ERROR : | ||
return "handshake layer not ready yet, complete first"; | ||
|
||
- case PMS_VERSION_ERROR : | ||
- return "premaster secret version mismatch error"; | ||
- | ||
case VERSION_ERROR : | ||
return "record layer version error"; | ||
|
||
@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl) | ||
#ifndef NO_RSA | ||
case rsa_kea: | ||
{ | ||
+ /* build PreMasterSecret with RNG data */ | ||
ret = wc_RNG_GenerateBlock(ssl->rng, | ||
- ssl->arrays->preMasterSecret, SECRET_LEN); | ||
+ &ssl->arrays->preMasterSecret[VERSION_SZ], | ||
+ SECRET_LEN - VERSION_SZ); | ||
if (ret != 0) { | ||
goto exit_scke; | ||
} | ||
@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl, | ||
word32 idx; | ||
word32 begin; | ||
word32 sigSz; | ||
+ #ifndef NO_RSA | ||
+ int lastErr; | ||
+ #endif | ||
} DckeArgs; | ||
|
||
static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs) | ||
@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl, | ||
ERROR_OUT(BUFFER_ERROR, exit_dcke); | ||
} | ||
|
||
+ /* pre-load PreMasterSecret with RNG data */ | ||
+ ret = wc_RNG_GenerateBlock(ssl->rng, | ||
+ &ssl->arrays->preMasterSecret[VERSION_SZ], | ||
+ SECRET_LEN - VERSION_SZ); | ||
+ if (ret != 0) { | ||
+ goto exit_dcke; | ||
+ } | ||
+ | ||
args->output = NULL; | ||
break; | ||
} /* rsa_kea */ | ||
@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl, | ||
NULL, 0, NULL | ||
#endif | ||
); | ||
+ | ||
+ /* Errors that can occur here that should be | ||
+ * indistinguishable: | ||
+ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR | ||
+ */ | ||
+ if (ret < 0 && ret != BAD_FUNC_ARG) { | ||
+ #ifdef WOLFSSL_ASYNC_CRYPT | ||
+ if (ret == WC_PENDING_E) | ||
+ goto exit_dcke; | ||
+ #endif | ||
+ /* store error code for handling below */ | ||
+ args->lastErr = ret; | ||
+ ret = 0; | ||
+ } | ||
break; | ||
} /* rsa_kea */ | ||
#endif /* !NO_RSA */ | ||
@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl, | ||
/* Add the signature length to idx */ | ||
args->idx += args->length; | ||
|
||
- if (args->sigSz == SECRET_LEN && args->output != NULL) { | ||
- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN); | ||
- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || | ||
- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) { | ||
- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke); | ||
+ #ifdef DEBUG_WOLFSSL | ||
+ /* check version (debug warning message only) */ | ||
+ if (args->output != NULL) { | ||
+ if (args->output[0] != ssl->chVersion.major || | ||
+ args->output[1] != ssl->chVersion.minor) { | ||
+ WOLFSSL_MSG("preMasterSecret version mismatch"); | ||
} | ||
} | ||
+ #endif | ||
+ | ||
+ /* RFC5246 7.4.7.1: | ||
+ * Treat incorrectly formatted message blocks and/or | ||
+ * mismatched version numbers in a manner | ||
+ * indistinguishable from correctly formatted RSA blocks | ||
+ */ | ||
+ | ||
+ ret = args->lastErr; | ||
+ args->lastErr = 0; /* reset */ | ||
+ | ||
+ /* build PreMasterSecret */ | ||
+ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major; | ||
+ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor; | ||
+ if (ret == 0 && args->sigSz == SECRET_LEN && | ||
+ args->output != NULL) { | ||
+ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ], | ||
+ &args->output[VERSION_SZ], | ||
+ SECRET_LEN - VERSION_SZ); | ||
+ } | ||
else { | ||
- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke); | ||
+ /* preMasterSecret has RNG and version set */ | ||
+ /* return proper length and ignore error */ | ||
+ /* error will be caught as decryption error */ | ||
+ args->sigSz = SECRET_LEN; | ||
+ ret = 0; | ||
} | ||
+ | ||
break; | ||
} /* rsa_kea */ | ||
#endif /* !NO_RSA */ | ||
--- a/wolfssl/error-ssl.h | ||
+++ b/wolfssl/error-ssl.h | ||
@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes { | ||
DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ | ||
WANT_READ = -323, /* want read, call again */ | ||
NOT_READY_ERROR = -324, /* handshake layer not ready */ | ||
- PMS_VERSION_ERROR = -325, /* pre m secret version error */ | ||
+ | ||
VERSION_ERROR = -326, /* record layer version error */ | ||
WANT_WRITE = -327, /* want write, call again */ | ||
BUFFER_ERROR = -328, /* malformed buffer input */ |