mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
wolfssl: patch CVE-2025-7395
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 Backport patches from the PR[1] mentioned in the changelog[2] [1] github.com/wolfSSL/wolfssl/pull/8833 [2] https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
@@ -0,0 +1,85 @@
|
|||||||
|
From 420f3390c4922febaf54d02a81da1fdab0ad5f04 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Ruby Martin <ruby@wolfssl.com>
|
||||||
|
Date: Mon, 2 Jun 2025 16:38:32 -0600
|
||||||
|
Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
|
||||||
|
domain name checking
|
||||||
|
|
||||||
|
CVE: CVE-2025-7395
|
||||||
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
|
||||||
|
(cherry picked from commit 9864959e41bd9259f258c09171ae2ec1c43fbc7f)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/internal.c | 25 ++++++++++++++++++++-----
|
||||||
|
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/internal.c b/src/internal.c
|
||||||
|
index 6b3a227bc..1b9a469ee 100644
|
||||||
|
--- a/src/internal.c
|
||||||
|
+++ b/src/internal.c
|
||||||
|
@@ -211,7 +211,7 @@ int writeAeadAuthData(WOLFSSL* ssl, word16 sz, byte type, byte* additional,
|
||||||
|
#include <Security/SecCertificate.h>
|
||||||
|
#include <Security/SecTrust.h>
|
||||||
|
#include <Security/SecPolicy.h>
|
||||||
|
-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
|
||||||
|
+static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
|
||||||
|
int totalCerts);
|
||||||
|
#endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
|
||||||
|
|
||||||
|
@@ -16775,7 +16775,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||||
|
* into wolfSSL, try to validate against the system certificates
|
||||||
|
* using Apple's native trust APIs */
|
||||||
|
if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
|
||||||
|
- if (DoAppleNativeCertValidation(args->certs,
|
||||||
|
+ if (DoAppleNativeCertValidation(ssl, args->certs,
|
||||||
|
args->totalCerts)) {
|
||||||
|
WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
|
||||||
|
ret = 0;
|
||||||
|
@@ -42665,7 +42665,8 @@ cleanup:
|
||||||
|
* wolfSSL's built-in certificate validation mechanisms anymore. We instead
|
||||||
|
* must call into the Security Framework APIs to authenticate peer certificates
|
||||||
|
*/
|
||||||
|
-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
|
||||||
|
+static int DoAppleNativeCertValidation(WOLFSSL* ssl,
|
||||||
|
+ const WOLFSSL_BUFFER_INFO* certs,
|
||||||
|
int totalCerts)
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
@@ -42674,7 +42675,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
|
||||||
|
CFMutableArrayRef certArray = NULL;
|
||||||
|
SecCertificateRef secCert = NULL;
|
||||||
|
SecTrustRef trust = NULL;
|
||||||
|
- SecPolicyRef policy = NULL ;
|
||||||
|
+ SecPolicyRef policy = NULL;
|
||||||
|
+ CFStringRef hostname = NULL;
|
||||||
|
|
||||||
|
WOLFSSL_ENTER("DoAppleNativeCertValidation");
|
||||||
|
|
||||||
|
@@ -42703,7 +42705,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Create trust object for SecCertifiate Ref */
|
||||||
|
- policy = SecPolicyCreateSSL(true, NULL);
|
||||||
|
+ if (ssl->buffers.domainName.buffer &&
|
||||||
|
+ ssl->buffers.domainName.length > 0) {
|
||||||
|
+ /* Create policy with specified value to require host name match */
|
||||||
|
+ hostname = CFStringCreateWithCString(kCFAllocatorDefault,
|
||||||
|
+ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
|
||||||
|
+ }
|
||||||
|
+ if (hostname != NULL) {
|
||||||
|
+ policy = SecPolicyCreateSSL(true, hostname);
|
||||||
|
+ } else {
|
||||||
|
+ policy = SecPolicyCreateSSL(true, NULL);
|
||||||
|
+ }
|
||||||
|
status = SecTrustCreateWithCertificates(certArray, policy, &trust);
|
||||||
|
if (status != errSecSuccess) {
|
||||||
|
WOLFSSL_MSG_EX("Error creating trust object, "
|
||||||
|
@@ -42734,6 +42746,9 @@ cleanup:
|
||||||
|
if (policy) {
|
||||||
|
CFRelease(policy);
|
||||||
|
}
|
||||||
|
+ if (hostname) {
|
||||||
|
+ CFRelease(hostname);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
|
||||||
|
|
||||||
@@ -0,0 +1,28 @@
|
|||||||
|
From 7867076975aa84ebaed4001fae1ebffd013322d5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brett <bigbrett@users.noreply.github.com>
|
||||||
|
Date: Wed, 4 Jun 2025 15:48:15 -0600
|
||||||
|
Subject: [PATCH] prevent apple native cert validation from overriding error
|
||||||
|
codes other than ASN_NO_SIGNER_E
|
||||||
|
|
||||||
|
CVE: CVE-2025-7395
|
||||||
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
|
||||||
|
(cherry picked from commit bc8eeea703253bd65d472a9541b54fef326e8050)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/internal.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/internal.c b/src/internal.c
|
||||||
|
index 1b9a469ee..6a76eb130 100644
|
||||||
|
--- a/src/internal.c
|
||||||
|
+++ b/src/internal.c
|
||||||
|
@@ -16774,7 +16774,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||||
|
/* If we can't validate the peer cert chain against the CAs loaded
|
||||||
|
* into wolfSSL, try to validate against the system certificates
|
||||||
|
* using Apple's native trust APIs */
|
||||||
|
- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
|
||||||
|
+ if ((ret == ASN_NO_SIGNER_E) &&
|
||||||
|
+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
|
||||||
|
if (DoAppleNativeCertValidation(ssl, args->certs,
|
||||||
|
args->totalCerts)) {
|
||||||
|
WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
|
||||||
@@ -0,0 +1,26 @@
|
|||||||
|
From 70302af2c21a121845e1e721ed27b3b106f186f6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brett <bigbrett@users.noreply.github.com>
|
||||||
|
Date: Wed, 4 Jun 2025 16:56:16 -0600
|
||||||
|
Subject: [PATCH] add missing error trace macro
|
||||||
|
|
||||||
|
CVE: CVE-2025-7395
|
||||||
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
|
||||||
|
(cherry picked from commit 0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/internal.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/internal.c b/src/internal.c
|
||||||
|
index 6a76eb130..1d01ee095 100644
|
||||||
|
--- a/src/internal.c
|
||||||
|
+++ b/src/internal.c
|
||||||
|
@@ -16774,7 +16774,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
||||||
|
/* If we can't validate the peer cert chain against the CAs loaded
|
||||||
|
* into wolfSSL, try to validate against the system certificates
|
||||||
|
* using Apple's native trust APIs */
|
||||||
|
- if ((ret == ASN_NO_SIGNER_E) &&
|
||||||
|
+ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
|
||||||
|
(ssl->ctx->doAppleNativeCertValidationFlag)) {
|
||||||
|
if (DoAppleNativeCertValidation(ssl, args->certs,
|
||||||
|
args->totalCerts)) {
|
||||||
@@ -0,0 +1,27 @@
|
|||||||
|
From 71d4cb57ceada7830457938787583c2aa6ba3555 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Brett <bigbrett@users.noreply.github.com>
|
||||||
|
Date: Wed, 4 Jun 2025 18:29:05 -0600
|
||||||
|
Subject: [PATCH] formatting
|
||||||
|
|
||||||
|
CVE: CVE-2025-7395
|
||||||
|
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/89be92f1a8b255d85c0d8bfb8849571d259c199c]
|
||||||
|
(cherry picked from commit 89be92f1a8b255d85c0d8bfb8849571d259c199c)
|
||||||
|
Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
|
||||||
|
---
|
||||||
|
src/internal.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/internal.c b/src/internal.c
|
||||||
|
index 1d01ee095..992c10d2c 100644
|
||||||
|
--- a/src/internal.c
|
||||||
|
+++ b/src/internal.c
|
||||||
|
@@ -42710,7 +42710,8 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
|
||||||
|
ssl->buffers.domainName.length > 0) {
|
||||||
|
/* Create policy with specified value to require host name match */
|
||||||
|
hostname = CFStringCreateWithCString(kCFAllocatorDefault,
|
||||||
|
- (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
|
||||||
|
+ (const char*)ssl->buffers.domainName.buffer,
|
||||||
|
+ kCFStringEncodingUTF8);
|
||||||
|
}
|
||||||
|
if (hostname != NULL) {
|
||||||
|
policy = SecPolicyCreateSSL(true, hostname);
|
||||||
@@ -17,6 +17,10 @@ SRC_URI = " \
|
|||||||
file://0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch \
|
file://0001-wolfssl-wolfcrypt-logging.h-and-wolfcrypt-src-loggin.patch \
|
||||||
file://run-ptest \
|
file://run-ptest \
|
||||||
file://CVE-2025-13912.patch \
|
file://CVE-2025-13912.patch \
|
||||||
|
file://CVE-2025-7395-1.patch \
|
||||||
|
file://CVE-2025-7395-2.patch \
|
||||||
|
file://CVE-2025-7395-3.patch \
|
||||||
|
file://CVE-2025-7395-4.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
|
SRCREV = "b077c81eb635392e694ccedbab8b644297ec0285"
|
||||||
|
|||||||
Reference in New Issue
Block a user