Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
openwrt_lede
/
package
/
libs
/
cyassl
/
patches
/
001-CVE-2017-13099.patch

001-CVE-2017-13099.patch 6.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144 
  1. From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
    2. 

  2. From: David Garske <david@wolfssl.com>
    3. 

  3. Date: Tue, 14 Nov 2017 14:05:50 -0800
    4. 

  4. Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
    5. 

  5.  they are indistinguishable from from correctly formatted RSA blocks (per
    6. 

  6.  RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
    7. 

  7.  creation for consistency in client case. Removed obsolete
    8. 

  8.  `PMS_VERSION_ERROR`.
    9. 

  9. 

  10. ---
    11. 

  11.  src/internal.c      | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
    12. 

  12.  wolfssl/error-ssl.h |  2 +-
    13. 

  13.  2 files changed, 61 insertions(+), 11 deletions(-)
    14. 

  14. 

  15. --- a/src/internal.c
    16. 

  16. +++ b/src/internal.c
    17. 

  17. @@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
    18. 

  18.      case NOT_READY_ERROR :
    19. 

  19.          return "handshake layer not ready yet, complete first";
    20. 

  20.  
    21. 

  21. -    case PMS_VERSION_ERROR :
    22. 

  22. -        return "premaster secret version mismatch error";
    23. 

  23. -
    24. 

  24.      case VERSION_ERROR :
    25. 

  25.          return "record layer version error";
    26. 

  26.  
    27. 

  27. @@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
    28. 

  28.              #ifndef NO_RSA
    29. 

  29.                  case rsa_kea:
    30. 

  30.                  {
    31. 

  31. +                    /* build PreMasterSecret with RNG data */
    32. 

  32.                      ret = wc_RNG_GenerateBlock(ssl->rng,
    33. 

  33. -                        ssl->arrays->preMasterSecret, SECRET_LEN);
    34. 

  34. +                        &ssl->arrays->preMasterSecret[VERSION_SZ],
    35. 

  35. +                        SECRET_LEN - VERSION_SZ);
    36. 

  36.                      if (ret != 0) {
    37. 

  37.                          goto exit_scke;
    38. 

  38.                      }
    39. 

  39. @@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
    40. 

  40.          word32 idx;
    41. 

  41.          word32 begin;
    42. 

  42.          word32 sigSz;
    43. 

  43. +    #ifndef NO_RSA
    44. 

  44. +        int    lastErr;
    45. 

  45. +    #endif
    46. 

  46.      } DckeArgs;
    47. 

  47.  
    48. 

  48.      static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
    49. 

  49. @@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
    50. 

  50.                              ERROR_OUT(BUFFER_ERROR, exit_dcke);
    51. 

  51.                          }
    52. 

  52.  
    53. 

  53. +                        /* pre-load PreMasterSecret with RNG data */
    54. 

  54. +                        ret = wc_RNG_GenerateBlock(ssl->rng,
    55. 

  55. +                            &ssl->arrays->preMasterSecret[VERSION_SZ],
    56. 

  56. +                            SECRET_LEN - VERSION_SZ);
    57. 

  57. +                        if (ret != 0) {
    58. 

  58. +                            goto exit_dcke;
    59. 

  59. +                        }
    60. 

  60. +
    61. 

  61.                          args->output = NULL;
    62. 

  62.                          break;
    63. 

  63.                      } /* rsa_kea */
    64. 

  64. @@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
    65. 

  65.                              NULL, 0, NULL
    66. 

  66.                          #endif
    67. 

  67.                          );
    68. 

  68. +
    69. 

  69. +                        /*  Errors that can occur here that should be
    70. 

  70. +                         *  indistinguishable:
    71. 

  71. +                         *       RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
    72. 

  72. +                         */
    73. 

  73. +                        if (ret < 0 && ret != BAD_FUNC_ARG) {
    74. 

  74. +                        #ifdef WOLFSSL_ASYNC_CRYPT
    75. 

  75. +                            if (ret == WC_PENDING_E)
    76. 

  76. +                                goto exit_dcke;
    77. 

  77. +                        #endif
    78. 

  78. +                            /* store error code for handling below */
    79. 

  79. +                            args->lastErr = ret;
    80. 

  80. +                            ret = 0;
    81. 

  81. +                        }
    82. 

  82.                          break;
    83. 

  83.                      } /* rsa_kea */
    84. 

  84.                  #endif /* !NO_RSA */
    85. 

  85. @@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
    86. 

  86.                          /* Add the signature length to idx */
    87. 

  87.                          args->idx += args->length;
    88. 

  88.  
    89. 

  89. -                        if (args->sigSz == SECRET_LEN && args->output != NULL) {
    90. 

  90. -                            XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
    91. 

  91. -                            if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
    92. 

  92. -                                ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
    93. 

  93. -                                ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
    94. 

  94. +                    #ifdef DEBUG_WOLFSSL
    95. 

  95. +                        /* check version (debug warning message only) */
    96. 

  96. +                        if (args->output != NULL) {
    97. 

  97. +                            if (args->output[0] != ssl->chVersion.major ||
    98. 

  98. +                                args->output[1] != ssl->chVersion.minor) {
    99. 

  99. +                                WOLFSSL_MSG("preMasterSecret version mismatch");
    100. 

  100.                              }
    101. 

  101.                          }
    102. 

  102. +                    #endif
    103. 

  103. +
    104. 

  104. +                        /* RFC5246 7.4.7.1:
    105. 

  105. +                         * Treat incorrectly formatted message blocks and/or
    106. 

  106. +                         * mismatched version numbers in a manner
    107. 

  107. +                         * indistinguishable from correctly formatted RSA blocks
    108. 

  108. +                         */
    109. 

  109. +
    110. 

  110. +                        ret = args->lastErr;
    111. 

  111. +                        args->lastErr = 0; /* reset */
    112. 

  112. +
    113. 

  113. +                        /* build PreMasterSecret */
    114. 

  114. +                        ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
    115. 

  115. +                        ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
    116. 

  116. +                        if (ret == 0 && args->sigSz == SECRET_LEN &&
    117. 

  117. +                                                         args->output != NULL) {
    118. 

  118. +                            XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
    119. 

  119. +                                &args->output[VERSION_SZ],
    120. 

  120. +                                SECRET_LEN - VERSION_SZ);
    121. 

  121. +                        }
    122. 

  122.                          else {
    123. 

  123. -                            ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
    124. 

  124. +                            /* preMasterSecret has RNG and version set */
    125. 

  125. +                            /* return proper length and ignore error */
    126. 

  126. +                            /* error will be caught as decryption error */
    127. 

  127. +                            args->sigSz = SECRET_LEN;
    128. 

  128. +                            ret = 0;
    129. 

  129.                          }
    130. 

  130. +
    131. 

  131.                          break;
    132. 

  132.                      } /* rsa_kea */
    133. 

  133.                  #endif /* !NO_RSA */
    134. 

  134. --- a/wolfssl/error-ssl.h
    135. 

  135. +++ b/wolfssl/error-ssl.h
    136. 

  136. @@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
    137. 

  137.      DOMAIN_NAME_MISMATCH         = -322,   /* peer subject name mismatch */
    138. 

  138.      WANT_READ                    = -323,   /* want read, call again    */
    139. 

  139.      NOT_READY_ERROR              = -324,   /* handshake layer not ready */
    140. 

  140. -    PMS_VERSION_ERROR            = -325,   /* pre m secret version error */
    141. 

  141. +
    142. 

  142.      VERSION_ERROR                = -326,   /* record layer version error */
    143. 

  143.      WANT_WRITE                   = -327,   /* want write, call again   */
    144. 

  144.      BUFFER_ERROR                 = -328,   /* malformed buffer input   */
    145.