cyassl: update to wolfssl 3.12.2 (1 CVE)
[openwrt/openwrt.git] / package / libs / cyassl / patches / 001-CVE-2017-13099.patch
1 From fd455d5a5e9fef24c208e7ac7d3a4bc58834cbf1 Mon Sep 17 00:00:00 2001
2 From: David Garske <david@wolfssl.com>
3 Date: Tue, 14 Nov 2017 14:05:50 -0800
4 Subject: [PATCH] Fix for handling of static RSA PKCS formatting failures so
5 they are indistinguishable from correctly formatted RSA blocks (per
6 RFC5246 section 7.4.7.1). Adjusted the static RSA preMasterSecret RNG
7 creation for consistency in client case. Removed obsolete
8 `PMS_VERSION_ERROR`.
9
10 ---
11 src/internal.c | 70 +++++++++++++++++++++++++++++++++++++++++++++--------
12 wolfssl/error-ssl.h | 2 +-
13 2 files changed, 61 insertions(+), 11 deletions(-)
14
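--- a/src/internal.c
+++ b/src/internal.c
@@ -14190,9 +14190,6 @@ const char* wolfSSL_ERR_reason_error_str
  case NOT_READY_ERROR :
  return "handshake layer not ready yet, complete first";
 
- case PMS_VERSION_ERROR :
- return "premaster secret version mismatch error";
-
  case VERSION_ERROR :
  return "record layer version error";
 
@@ -18758,8 +18755,10 @@ int SendClientKeyExchange(WOLFSSL* ssl)
  #ifndef NO_RSA
  case rsa_kea:
  {
+ /* build PreMasterSecret with RNG data */
  ret = wc_RNG_GenerateBlock(ssl->rng,
- ssl->arrays->preMasterSecret, SECRET_LEN);
+ &ssl->arrays->preMasterSecret[VERSION_SZ],
+ SECRET_LEN - VERSION_SZ);
  if (ret != 0) {
  goto exit_scke;
  }
@@ -23545,6 +23544,9 @@ static int DoSessionTicket(WOLFSSL* ssl,
  word32 idx;
  word32 begin;
  word32 sigSz;
+ #ifndef NO_RSA
+ int lastErr;
+ #endif
  } DckeArgs;
 
  static void FreeDckeArgs(WOLFSSL* ssl, void* pArgs)
@@ -23770,6 +23772,14 @@ static int DoSessionTicket(WOLFSSL* ssl,
  ERROR_OUT(BUFFER_ERROR, exit_dcke);
  }
 
+ /* pre-load PreMasterSecret with RNG data */
+ ret = wc_RNG_GenerateBlock(ssl->rng,
+ &ssl->arrays->preMasterSecret[VERSION_SZ],
+ SECRET_LEN - VERSION_SZ);
+ if (ret != 0) {
+ goto exit_dcke;
+ }
+
  args->output = NULL;
  break;
  } /* rsa_kea */
@@ -24234,6 +24244,20 @@ static int DoSessionTicket(WOLFSSL* ssl,
  NULL, 0, NULL
  #endif
  );
+
+ /* Errors that can occur here that should be
+ * indistinguishable:
+ * RSA_BUFFER_E, RSA_PAD_E and RSA_PRIVATE_ERROR
+ */
+ if (ret < 0 && ret != BAD_FUNC_ARG) {
+ #ifdef WOLFSSL_ASYNC_CRYPT
+ if (ret == WC_PENDING_E)
+ goto exit_dcke;
+ #endif
+ /* store error code for handling below */
+ args->lastErr = ret;
+ ret = 0;
+ }
  break;
  } /* rsa_kea */
  #endif /* !NO_RSA */
@@ -24380,16 +24404,42 @@ static int DoSessionTicket(WOLFSSL* ssl,
  /* Add the signature length to idx */
  args->idx += args->length;
 
- if (args->sigSz == SECRET_LEN && args->output != NULL) {
- XMEMCPY(ssl->arrays->preMasterSecret, args->output, SECRET_LEN);
- if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major ||
- ssl->arrays->preMasterSecret[1] != ssl->chVersion.minor) {
- ERROR_OUT(PMS_VERSION_ERROR, exit_dcke);
+ #ifdef DEBUG_WOLFSSL
+ /* check version (debug warning message only) */
+ if (args->output != NULL) {
+ if (args->output[0] != ssl->chVersion.major ||
+ args->output[1] != ssl->chVersion.minor) {
+ WOLFSSL_MSG("preMasterSecret version mismatch");
  }
  }
+ #endif
+
+ /* RFC5246 7.4.7.1:
+ * Treat incorrectly formatted message blocks and/or
+ * mismatched version numbers in a manner
+ * indistinguishable from correctly formatted RSA blocks
+ */
+
+ ret = args->lastErr;
+ args->lastErr = 0; /* reset */
+
+ /* build PreMasterSecret */
+ ssl->arrays->preMasterSecret[0] = ssl->chVersion.major;
+ ssl->arrays->preMasterSecret[1] = ssl->chVersion.minor;
+ if (ret == 0 && args->sigSz == SECRET_LEN &&
+ args->output != NULL) {
+ XMEMCPY(&ssl->arrays->preMasterSecret[VERSION_SZ],
+ &args->output[VERSION_SZ],
+ SECRET_LEN - VERSION_SZ);
+ }
  else {
- ERROR_OUT(RSA_PRIVATE_ERROR, exit_dcke);
+ /* preMasterSecret has RNG and version set */
+ /* return proper length and ignore error */
+ /* error will be caught as decryption error */
+ args->sigSz = SECRET_LEN;
+ ret = 0;
  }
+
  break;
  } /* rsa_kea */
  #endif /* !NO_RSA */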
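Review bot: In the last hunk (the rsa_kea case that exits through `exit_dcke`), the `#ifdef DEBUG_WOLFSSL` block compares `args->output[0]` and `args->output[1]` with `ssl->chVersion` before `args->lastErr` or `args->sigSz` is consulted, so after a masked decrypt failure it reads bytes that are not a valid premaster secret, and `WOLFSSL_MSG("preMasterSecret version mismatch")` fires only on the mismatch path. Debug builds therefore behave observably differently for exactly the condition RFC 5246 7.4.7.1 asks to hide; I would drop the block or at least guard it as `if (args->lastErr == 0 && args->sigSz == SECRET_LEN && args->output != NULL) {`. Separately, the copy under `if (ret == 0 && args->sigSz == SECRET_LEN && args->output != NULL)` is still a branch on the decrypt result, so the valid and invalid paths differ by one `XMEMCPY`; whether that is measurable cannot be judged from the hunk, but a comment such as `/* NOTE: branch on decrypt result is not constant-time; consider a masked copy */` would record it for the next reader. The enclosing function starts and ends outside the hunk.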
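--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@@ -57,7 +57,7 @@ enum wolfSSL_ErrorCodes {
  DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
  WANT_READ = -323, /* want read, call again */
  NOT_READY_ERROR = -324, /* handshake layer not ready */
- PMS_VERSION_ERROR = -325, /* pre m secret version error */
+
  VERSION_ERROR = -326, /* record layer version error */
  WANT_WRITE = -327, /* want write, call again */
  BUFFER_ERROR = -328, /* malformed buffer input */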