| author | Gyorgy Sarvari <skandigraun@gmail.com> | 2025-12-24 13:53:26 +0100 |
|---|---|---|
| committer | Anuj Mittal <anuj.mittal@oss.qualcomm.com> | 2025-12-30 07:08:15 +0530 |
| commit | b7180060eb8a1da2731a74c9b66ea1a3050143cd (patch) | |
| tree | fba547d635e6b739c4b9f49d1c0cf99663b6be81 | |
| parent | e7b55c84bb89aa5f61ec5738f4869b7366afd06e (diff) | |
| download | meta-openembedded-b7180060eb8a1da2731a74c9b66ea1a3050143cd.tar.gz | |
wolfssl: patch CVE-2025-7395
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395
Backport the patches from the PR[1] that is referenced by the project's
changelog[2] to fix this issue.
[1]: https://github.com/wolfSSL/wolfssl/pull/8833
[2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
4 files changed, 142 insertions, 4 deletions
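--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
@@ -0,0 +1,84 @@
+From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
+From: Ruby Martin <ruby@wolfssl.com>
+Date: Mon, 2 Jun 2025 16:38:32 -0600
+Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
+domain name checking
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+src/internal.c | 25 ++++++++++++++++++++-----
+1 file changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 6bbd38fa8..2b090382f 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
+#include <Security/SecCertificate.h>
+#include <Security/SecTrust.h>
+#include <Security/SecPolicy.h>
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
+int totalCerts);
+#endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
+
+@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+* into wolfSSL, try to validate against the system certificates
+* using Apple's native trust APIs */
+if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
+- if (DoAppleNativeCertValidation(args->certs,
++ if (DoAppleNativeCertValidation(ssl, args->certs,
+args->totalCerts)) {
+WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
+ret = 0;
+@@ -41246,7 +41246,8 @@ cleanup:
+* wolfSSL's built-in certificate validation mechanisms anymore. We instead
+* must call into the Security Framework APIs to authenticate peer certificates
+*/
+-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
++ const WOLFSSL_BUFFER_INFO* certs,
+int totalCerts)
+{
+int i;
+@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+CFMutableArrayRef certArray = NULL;
+SecCertificateRef secCert = NULL;
+SecTrustRef trust = NULL;
+- SecPolicyRef policy = NULL ;
++ SecPolicyRef policy = NULL;
++ CFStringRef hostname = NULL;
+
+WOLFSSL_ENTER("DoAppleNativeCertValidation");
+
+@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
+}
+
+/* Create trust object for SecCertifiate Ref */
+- policy = SecPolicyCreateSSL(true, NULL);
++ if (ssl->buffers.domainName.buffer &&
++ ssl->buffers.domainName.length > 0) {
++ /* Create policy with specified value to require host name match */
++ hostname = CFStringCreateWithCString(kCFAllocatorDefault,
++ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
++ }
++ if (hostname != NULL) {
++ policy = SecPolicyCreateSSL(true, hostname);
++ } else {
++ policy = SecPolicyCreateSSL(true, NULL);
++ }
+status = SecTrustCreateWithCertificates(certArray, policy, &trust);
+if (status != errSecSuccess) {
+WOLFSSL_MSG_EX("Error creating trust object, "
+@@ -41314,6 +41326,9 @@ cleanup:
+if (policy) {
+CFRelease(policy);
+}
++ if (hostname) {
++ CFRelease(hostname);
++ }
+
+WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
+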
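Review bot: In the quoted hunk at @@ -41283, a configured domain name whose CFStringCreateWithCString call fails (hostname stays NULL) silently falls through to `policy = SecPolicyCreateSSL(true, NULL);`, so validation proceeds without the hostname match this fix is meant to enforce. Failing closed is safer: inside the domainName branch, right after the CFStringCreateWithCString call, add `if (hostname == NULL) { WOLFSSL_MSG("Failed to create hostname string"); goto cleanup; }` and keep the NULL-hostname policy only for the case where no domain name was configured; the cleanup label is visible in the @@ -41314 hunk, and ret presumably already holds the failure value at that point, which should be confirmed against its initialisation outside the quoted hunks. CFStringCreateWithCString also requires a NUL-terminated C string, and the call passes ssl->buffers.domainName.buffer without using .length, so it relies on the setter storing a terminator; once confirmed, a comment at the call such as `/* domainName.buffer is NUL-terminated by the setter */` would make that dependency explicit. The body of DoAppleNativeCertValidation starts and ends outside the quoted hunks.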
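--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
@@ -0,0 +1,27 @@
+From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 15:48:15 -0600
+Subject: [PATCH] prevent apple native cert validation from overriding error
+codes other than ASN_NO_SIGNER_E
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+src/internal.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 2b090382f..79f584a0a 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+/* If we can't validate the peer cert chain against the CAs loaded
+* into wolfSSL, try to validate against the system certificates
+* using Apple's native trust APIs */
+- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
++ if ((ret == ASN_NO_SIGNER_E) &&
++ (ssl->ctx->doAppleNativeCertValidationFlag)) {
+if (DoAppleNativeCertValidation(ssl, args->certs,
+args->totalCerts)) {
+WOLFSSL_MSG("Apple native cert chain validation SUCCESS");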
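--- /dev/null
+++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
@@ -0,0 +1,25 @@
+From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
+From: Brett <bigbrett@users.noreply.github.com>
+Date: Wed, 4 Jun 2025 16:56:16 -0600
+Subject: [PATCH] add missing error trace macro
+
+CVE: CVE-2025-7395
+Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+src/internal.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/internal.c b/src/internal.c
+index 79f584a0a..5557b5698 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+/* If we can't validate the peer cert chain against the CAs loaded
+* into wolfSSL, try to validate against the system certificates
+* using Apple's native trust APIs */
+- if ((ret == ASN_NO_SIGNER_E) &&
++ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
+(ssl->ctx->doAppleNativeCertValidationFlag)) {
+if (DoAppleNativeCertValidation(ssl, args->certs,
+args->totalCerts)) {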
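--- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
+++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
@@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
 PROVIDES += "cyassl"
 RPROVIDES:${PN} = "cyassl"
 
-SRC_URI = " \
-git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
-file://run-ptest \
-"
+SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
+file://run-ptest \
+file://CVE-2025-7395-1.patch \
+file://CVE-2025-7395-2.patch \
+file://CVE-2025-7395-3.patch \
+"
 SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
 
 S = "${WORKDIR}/git"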
