authorGyorgy Sarvari <skandigraun@gmail.com>2025-12-24 13:53:26 +0100
committerAnuj Mittal <anuj.mittal@oss.qualcomm.com>2025-12-30 07:08:15 +0530
commitb7180060eb8a1da2731a74c9b66ea1a3050143cd (patch)
treefba547d635e6b739c4b9f49d1c0cf99663b6be81
parente7b55c84bb89aa5f61ec5738f4869b7366afd06e (diff)
downloadmeta-openembedded-b7180060eb8a1da2731a74c9b66ea1a3050143cd.tar.gz
wolfssl: patch CVE-2025-7395
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395 Backport the patches from the PR[1] that is referenced by the project's changelog[2] to fix this issue. [1]: https://github.com/wolfSSL/wolfssl/pull/8833 [2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch84
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch27
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch25
-rw-r--r--meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb10
4 files changed, 142 insertions, 4 deletions
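--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
@@ -0,0 +1,84 @@
+From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
+From: Ruby Martin <ruby@wolfssl.com>
+Date: Mon, 2 Jun 2025 16:38:32 -0600
+Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
+ domain name checking
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/internal.c | 25 ++++++++++++++++++++-----
+ 1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 6bbd38fa8..2b090382f 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
+ #include <Security/SecCertificate.h>
+ #include <Security/SecTrust.h>
+ #include <Security/SecPolicy.h>
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
+ int totalCerts);
+ #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
+ 
+@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ * into wolfSSL, try to validate against the system certificates
+ * using Apple's native trust APIs */
+ if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+- if (DoAppleNativeCertValidation(args->certs,
++ if (DoAppleNativeCertValidation(ssl, args->certs,
+ args->totalCerts)) {
+ WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
+ ret = 0;
+@@ -41246,7 +41246,8 @@ cleanup:
+ * wolfSSL's built-in certificate validation mechanisms anymore. We instead
+ * must call into the Security Framework APIs to authenticate peer certificates
+ */
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
++ const WOLFSSL_BUFFER_INFO* certs,
+ int totalCerts)
+ {
+ int i;
+@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+ CFMutableArrayRef certArray = NULL;
+ SecCertificateRef secCert = NULL;
+ SecTrustRef trust = NULL;
+- SecPolicyRef policy = NULL ;
++ SecPolicyRef policy = NULL;
++ CFStringRef hostname = NULL;
+ 
+ WOLFSSL_ENTER("DoAppleNativeCertValidation");
+ 
+@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+ }
+ 
+ /* Create trust object for SecCertifiate Ref */
+- policy = SecPolicyCreateSSL(true, NULL);
++ if (ssl->buffers.domainName.buffer &&
++ ssl->buffers.domainName.length > 0) {
++ /* Create policy with specified value to require host name match */
++ hostname = CFStringCreateWithCString(kCFAllocatorDefault,
++ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
++ }
++ if (hostname != NULL) {
++ policy = SecPolicyCreateSSL(true, hostname);
++ } else {
++ policy = SecPolicyCreateSSL(true, NULL);
++ }
+ status = SecTrustCreateWithCertificates(certArray, policy, &trust);
+ if (status != errSecSuccess) {
+ WOLFSSL_MSG_EX("Error creating trust object, "
+@@ -41314,6 +41326,9 @@ cleanup:
+ if (policy) {
+ CFRelease(policy);
+ }
++ if (hostname) {
++ CFRelease(hostname);
++ }
+ 
+ WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
+ 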
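Review bot: A failed CFStringCreateWithCString silently downgrades to a policy with no host name matching at the `} else { policy = SecPolicyCreateSSL(true, NULL); }` branch: when a domain name is configured but the conversion returns NULL (for example a name that is not valid UTF-8), the chain is still evaluated without any host name check, which is the very condition this backport is meant to close. The domain-name-set case should fail closed instead of falling through, leaving the NULL-host policy only for sessions where no domain name was configured. The call also relies on `ssl->buffers.domainName.buffer` being NUL-terminated, since CFStringCreateWithCString ignores `length`; where that buffer is filled is not in the hunk, so either confirm it or use the length-bounded CFStringCreateWithBytes. The remainder of DoAppleNativeCertValidation, including the value `ret` holds when control reaches `cleanup:`, is outside the shown hunks, so the early exit below assumes `ret` still reports failure at that point.
```c
    if (ssl->buffers.domainName.buffer &&
        ssl->buffers.domainName.length > 0) {
        /* Require the peer certificate to match the configured host name */
        hostname = CFStringCreateWithCString(kCFAllocatorDefault,
            (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
        if (hostname == NULL) {
            /* Fail closed: never evaluate trust without the host name the
             * caller configured */
            WOLFSSL_MSG("Failed to create CFString for domain name");
            goto cleanup;
        }
    }
    /* hostname is NULL only when no domain name was configured on this session */
    policy = SecPolicyCreateSSL(true, hostname);
    /* … unchanged: SecTrustCreateWithCertificates and its error handling … */
```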
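--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
@@ -0,0 +1,27 @@
+From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 15:48:15 -0600
+Subject: [PATCH] prevent apple native cert validation from overriding error
+ codes other than ASN_NO_SIGNER_E
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/internal.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 2b090382f..79f584a0a 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ /* If we can't validate the peer cert chain against the CAs loaded
+ * into wolfSSL, try to validate against the system certificates
+ * using Apple's native trust APIs */
+- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
++ if ((ret == ASN_NO_SIGNER_E) &&
++ (ssl->ctx->doAppleNativeCertValidationFlag)) {
+ if (DoAppleNativeCertValidation(ssl, args->certs,
+ args->totalCerts)) {
+ WOLFSSL_MSG("Apple native cert chain validation SUCCESS");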
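Review bot: The comment above the narrowed condition still describes the old behaviour ("If we can't validate the peer cert chain ... try to validate against the system certificates"), which now only holds for the unknown-issuer case, so a later reader will not see that every other verification failure is final. The comment should state the new contract, e.g. `/* Only an unknown-issuer failure (ASN_NO_SIGNER_E) may fall through to Apple's native trust APIs; any other verification error (expiry, signature, name mismatch, ...) is final and must not be overridden */`. The enclosing ProcessPeerCerts body starts and ends outside the hunk.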
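--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
@@ -0,0 +1,25 @@
+From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 16:56:16 -0600
+Subject: [PATCH] add missing error trace macro
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ src/internal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 79f584a0a..5557b5698 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ /* If we can't validate the peer cert chain against the CAs loaded
+ * into wolfSSL, try to validate against the system certificates
+ * using Apple's native trust APIs */
+- if ((ret == ASN_NO_SIGNER_E) &&
++ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+ (ssl->ctx->doAppleNativeCertValidationFlag)) {
+ if (DoAppleNativeCertValidation(ssl, args->certs,
+ args->totalCerts)) {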
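--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
@@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 PROVIDES += "cyassl"
 RPROVIDES:${PN} = "cyassl"
 
-SRC_URI = " \
-    git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
-    file://run-ptest \
-"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
+           file://run-ptest \
+           file://CVE-2025-7395-1.patch \
+           file://CVE-2025-7395-2.patch \
+           file://CVE-2025-7395-3.patch \
+           "
 SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
 
 S = "${WORKDIR}/git"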
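Review bot: The SRC_URI block is rewritten rather than extended: the git URL moves onto the assignment line and `file://run-ptest` is re-indented, so the recipe shows four deletions and six additions for what is functionally three new entries. For a CVE backport the reviewable change is the three `file://CVE-2025-7395-N.patch` lines, and appending them inside the existing quoted block keeps the diff to exactly that. If the reformatting is wanted, it reads better as a separate cosmetic commit so the security change stays minimal and easy to audit.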