mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
nginx: Fix CVE-2025-23419 for 1.25.5
Updates nginx.inc to apply CVE-2025-23419.patch to both 1.24.0 and 1.25.5. However, a unique patch is provided for 1.25.5 since the upstream patch for CVE-2025-23419 can be cleanly applied to 1.25.5. Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com> Change-Id: Ia7b8e16067781776cf0a39fac757f8d25ac118fa Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
63e2e60787
commit
1477114ae4
@@ -0,0 +1,119 @@
|
|||||||
|
From 2de0d3fd114e9d3d6a56bd7298aff8c637063509 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sergey Kandaurov <pluknet@nginx.com>
|
||||||
|
Date: Wed, 22 Jan 2025 18:55:44 +0400
|
||||||
|
Subject: [PATCH] SNI: added restriction for TLSv1.3 cross-SNI session
|
||||||
|
resumption.
|
||||||
|
|
||||||
|
In OpenSSL, session resumption always happens in the default SSL context,
|
||||||
|
prior to invoking the SNI callback. Further, unlike in TLSv1.2 and older
|
||||||
|
protocols, SSL_get_servername() returns values received in the resumption
|
||||||
|
handshake, which may be different from the value in the initial handshake.
|
||||||
|
Notably, this makes the restriction added in b720f650b insufficient for
|
||||||
|
sessions resumed with different SNI server name.
|
||||||
|
|
||||||
|
Considering the example from b720f650b, previously, a client was able to
|
||||||
|
request example.org by presenting a certificate for example.org, then to
|
||||||
|
resume and request example.com.
|
||||||
|
|
||||||
|
The fix is to reject handshakes resumed with a different server name, if
|
||||||
|
verification of client certificates is enabled in a corresponding server
|
||||||
|
configuration.
|
||||||
|
|
||||||
|
CVE: CVE-2025-23419
|
||||||
|
Upstream-Status: Backport [https://github.com/nginx/nginx/commit/13935cf9fdc3c8d8278c70716417d3b71c36140e]
|
||||||
|
Signed-off-by: Colin Pinnell McAllister <colin.mcallister@garmin.com>
|
||||||
|
---
|
||||||
|
src/http/ngx_http_request.c | 27 +++++++++++++++++++++++++--
|
||||||
|
src/stream/ngx_stream_ssl_module.c | 27 +++++++++++++++++++++++++--
|
||||||
|
2 files changed, 50 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
|
||||||
|
index 3cca57cf5..9593b7fb5 100644
|
||||||
|
--- a/src/http/ngx_http_request.c
|
||||||
|
+++ b/src/http/ngx_http_request.c
|
||||||
|
@@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
|
||||||
|
+
|
||||||
|
+#if (defined TLS1_3_VERSION \
|
||||||
|
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
||||||
|
+ * but servername being negotiated in every TLSv1.3 handshake
|
||||||
|
+ * is only returned in OpenSSL 1.1.1+ as well
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (sscf->verify) {
|
||||||
|
+ const char *hostname;
|
||||||
|
+
|
||||||
|
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
||||||
|
+
|
||||||
|
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
||||||
|
+ c->ssl->handshake_rejected = 1;
|
||||||
|
+ *ad = SSL_AD_ACCESS_DENIED;
|
||||||
|
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
|
||||||
|
if (hc->ssl_servername == NULL) {
|
||||||
|
goto error;
|
||||||
|
@@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||||
|
|
||||||
|
ngx_set_connection_log(c, clcf->error_log);
|
||||||
|
|
||||||
|
- sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
|
||||||
|
-
|
||||||
|
c->ssl->buffer_size = sscf->buffer_size;
|
||||||
|
|
||||||
|
if (sscf->ssl.ctx) {
|
||||||
|
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
|
||||||
|
index ba444776a..6dee106de 100644
|
||||||
|
--- a/src/stream/ngx_stream_ssl_module.c
|
||||||
|
+++ b/src/stream/ngx_stream_ssl_module.c
|
||||||
|
@@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
|
||||||
|
+
|
||||||
|
+#if (defined TLS1_3_VERSION \
|
||||||
|
+ && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
||||||
|
+ * but servername being negotiated in every TLSv1.3 handshake
|
||||||
|
+ * is only returned in OpenSSL 1.1.1+ as well
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ if (sscf->verify) {
|
||||||
|
+ const char *hostname;
|
||||||
|
+
|
||||||
|
+ hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
||||||
|
+
|
||||||
|
+ if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
||||||
|
+ c->ssl->handshake_rejected = 1;
|
||||||
|
+ *ad = SSL_AD_ACCESS_DENIED;
|
||||||
|
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
s->srv_conf = cscf->ctx->srv_conf;
|
||||||
|
|
||||||
|
ngx_set_connection_log(c, cscf->error_log);
|
||||||
|
|
||||||
|
- sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
|
||||||
|
-
|
||||||
|
if (sscf->ssl.ctx) {
|
||||||
|
if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
|
||||||
|
goto error;
|
||||||
|
--
|
||||||
|
2.52.0
|
||||||
|
|
||||||
@@ -26,6 +26,7 @@ SRC_URI = " \
|
|||||||
file://CVE-2024-7347-1.patch \
|
file://CVE-2024-7347-1.patch \
|
||||||
file://CVE-2024-7347-2.patch \
|
file://CVE-2024-7347-2.patch \
|
||||||
file://CVE-2025-53859.patch \
|
file://CVE-2025-53859.patch \
|
||||||
|
file://CVE-2025-23419.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
inherit siteinfo update-rc.d useradd systemd
|
inherit siteinfo update-rc.d useradd systemd
|
||||||
|
|||||||
@@ -2,8 +2,7 @@ require nginx.inc
|
|||||||
|
|
||||||
LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
|
LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632"
|
||||||
|
|
||||||
SRC_URI:append = " file://CVE-2023-44487.patch \
|
SRC_URI:append = " file://CVE-2023-44487.patch"
|
||||||
file://CVE-2025-23419.patch"
|
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user