Files
Gyorgy Sarvari b7180060eb wolfssl: patch CVE-2025-7395
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395

Backport the patches from the PR[1] that is referenced by the project's
changelog[2] to fix this issue.

[1]: https://github.com/wolfSSL/wolfssl/pull/8833
[2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2025-12-30 07:08:15 +05:30

28 lines
1.3 KiB
Diff

From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
From: Brett <bigbrett@users.noreply.github.com>
Date: Wed, 4 Jun 2025 15:48:15 -0600
Subject: [PATCH] prevent apple native cert validation from overriding error
codes other than ASN_NO_SIGNER_E
CVE: CVE-2025-7395
Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
src/internal.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/internal.c b/src/internal.c
index 2b090382f..79f584a0a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* If we can't validate the peer cert chain against the CAs loaded
* into wolfSSL, try to validate against the system certificates
* using Apple's native trust APIs */
- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+ if ((ret == ASN_NO_SIGNER_E) &&
+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
if (DoAppleNativeCertValidation(ssl, args->certs,
args->totalCerts)) {
WOLFSSL_MSG("Apple native cert chain validation SUCCESS");