Re: [oe] [meta-networking][scarthgap][PATCH] wolfssl: patch CVE-2025-7395
From: Gyorgy Sarvari @ 2025-12-24 13:01 UTC (permalink / raw)
To: openembedded-devel
While testing this patch, I noticed that a ptest failed
(test_wolfSSL_CTX_load_verify_locations) - but it's not a regression
from this change, because upon looking a bit more, it fails without this
patch also. (I suspect this *may* be fixed by the patch from [1], but
it's long and it seems to come with some build flag changes, so... that
test fails for now)
[1]:
https://git.openembedded.org/meta-openembedded/commit/meta-networking/recipes-connectivity/wolfssl?id=5cf87bcb8704b7ed1fe4aa5953870a2e627dd50a
On 12/24/25 13:53, Gyorgy Sarvari via lists.openembedded.org wrote:
> Details: https://nvd.nist.gov/vuln/detail/CVE-2025-7395
>
> Backport the patches from the PR[1] that is referenced by the project's
> changelog[2] to fix this issue.
>
> [1]: https://github.com/wolfSSL/wolfssl/pull/8833
> [2]: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md
>
> Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> ---
> .../wolfssl/files/CVE-2025-7395-1.patch | 84 +++++++++++++++++++
> .../wolfssl/files/CVE-2025-7395-2.patch | 27 ++++++
> .../wolfssl/files/CVE-2025-7395-3.patch | 25 ++++++
> .../wolfssl/wolfssl_5.7.2.bb | 10 ++-
> 4 files changed, 142 insertions(+), 4 deletions(-)
> create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
> create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
> create mode 100644 meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
>
> diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
> new file mode 100644
> index 0000000000..9c661d6b57
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-1.patch
> @@ -0,0 +1,84 @@
> +From e6c0d1ac7b480c0b5e36f660dd3c0f2b45e4c3ab Mon Sep 17 00:00:00 2001
> +From: Ruby Martin <ruby@wolfssl.com>
> +Date: Mon, 2 Jun 2025 16:38:32 -0600
> +Subject: [PATCH] create policy for WOLFSSL_APPLE_NATIVE_CERT_VALIDATION,
> + domain name checking
> +
> +CVE: CVE-2025-7395
> +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/9864959e41bd9259f258c09171ae2ec1c43fbc7f]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/internal.c | 25 ++++++++++++++++++++-----
> + 1 file changed, 20 insertions(+), 5 deletions(-)
> +
> +diff --git a/src/internal.c b/src/internal.c
> +index 6bbd38fa8..2b090382f 100644
> +--- a/src/internal.c
> ++++ b/src/internal.c
> +@@ -221,7 +221,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
> + #include <Security/SecCertificate.h>
> + #include <Security/SecTrust.h>
> + #include <Security/SecPolicy.h>
> +-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> ++static int DoAppleNativeCertValidation(WOLFSSL* ssl, const WOLFSSL_BUFFER_INFO* certs,
> + int totalCerts);
> + #endif /* #if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
> +
> +@@ -15992,7 +15992,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
> + * into wolfSSL, try to validate against the system certificates
> + * using Apple's native trust APIs */
> + if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
> +- if (DoAppleNativeCertValidation(args->certs,
> ++ if (DoAppleNativeCertValidation(ssl, args->certs,
> + args->totalCerts)) {
> + WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
> + ret = 0;
> +@@ -41246,7 +41246,8 @@ cleanup:
> + * wolfSSL's built-in certificate validation mechanisms anymore. We instead
> + * must call into the Security Framework APIs to authenticate peer certificates
> + */
> +-static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> ++static int DoAppleNativeCertValidation(WOLFSSL* ssl,
> ++ const WOLFSSL_BUFFER_INFO* certs,
> + int totalCerts)
> + {
> + int i;
> +@@ -41255,7 +41256,8 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> + CFMutableArrayRef certArray = NULL;
> + SecCertificateRef secCert = NULL;
> + SecTrustRef trust = NULL;
> +- SecPolicyRef policy = NULL ;
> ++ SecPolicyRef policy = NULL;
> ++ CFStringRef hostname = NULL;
> +
> + WOLFSSL_ENTER("DoAppleNativeCertValidation");
> +
> +@@ -41283,7 +41285,17 @@ static int DoAppleNativeCertValidation(const WOLFSSL_BUFFER_INFO* certs,
> + }
> +
> + /* Create trust object for SecCertifiate Ref */
> +- policy = SecPolicyCreateSSL(true, NULL);
> ++ if (ssl->buffers.domainName.buffer &&
> ++ ssl->buffers.domainName.length > 0) {
> ++ /* Create policy with specified value to require host name match */
> ++ hostname = CFStringCreateWithCString(kCFAllocatorDefault,
> ++ (const char*)ssl->buffers.domainName.buffer, kCFStringEncodingUTF8);
> ++ }
> ++ if (hostname != NULL) {
> ++ policy = SecPolicyCreateSSL(true, hostname);
> ++ } else {
> ++ policy = SecPolicyCreateSSL(true, NULL);
> ++ }
> + status = SecTrustCreateWithCertificates(certArray, policy, &trust);
> + if (status != errSecSuccess) {
> + WOLFSSL_MSG_EX("Error creating trust object, "
> +@@ -41314,6 +41326,9 @@ cleanup:
> + if (policy) {
> + CFRelease(policy);
> + }
> ++ if (hostname) {
> ++ CFRelease(hostname);
> ++ }
> +
> + WOLFSSL_LEAVE("DoAppleNativeCertValidation", ret);
> +
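Review bot: the new `else` branch at `policy = SecPolicyCreateSSL(true, NULL);` still builds a policy without hostname checking whenever `CFStringCreateWithCString` returns NULL for a configured domain name (for example a name that is not valid UTF-8), so a failure to build the hostname string silently reintroduces the exact gap this patch closes; failing closed when `ssl->buffers.domainName.length > 0` but `hostname == NULL`, or at least logging the downgrade with `WOLFSSL_MSG`, would be the safer choice and is worth raising upstream. Separately, the `From` id (e6c0d1ac...) differs from the commit cited in `Upstream-Status` (9864959e...); if the patch was exported from the PR branch rather than the merged commit, say so in the header.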
> diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
> new file mode 100644
> index 0000000000..857f6bb367
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-2.patch
> @@ -0,0 +1,27 @@
> +From aad4e7c38f3784942923f4871d61a7e41d3de842 Mon Sep 17 00:00:00 2001
> +From: Brett <bigbrett@users.noreply.github.com>
> +Date: Wed, 4 Jun 2025 15:48:15 -0600
> +Subject: [PATCH] prevent apple native cert validation from overriding error
> + codes other than ASN_NO_SIGNER_E
> +
> +CVE: CVE-2025-7395
> +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/bc8eeea703253bd65d472a9541b54fef326e8050]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/internal.c | 3 ++-
> + 1 file changed, 2 insertions(+), 1 deletion(-)
> +
> +diff --git a/src/internal.c b/src/internal.c
> +index 2b090382f..79f584a0a 100644
> +--- a/src/internal.c
> ++++ b/src/internal.c
> +@@ -15991,7 +15991,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
> + /* If we can't validate the peer cert chain against the CAs loaded
> + * into wolfSSL, try to validate against the system certificates
> + * using Apple's native trust APIs */
> +- if ((ret != 0) && (ssl->ctx->doAppleNativeCertValidationFlag)) {
> ++ if ((ret == ASN_NO_SIGNER_E) &&
> ++ (ssl->ctx->doAppleNativeCertValidationFlag)) {
> + if (DoAppleNativeCertValidation(ssl, args->certs,
> + args->totalCerts)) {
> + WOLFSSL_MSG("Apple native cert chain validation SUCCESS");
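Review bot: the narrowed condition at `if ((ret == ASN_NO_SIGNER_E) &&` is the substantive fix (Apple native validation may now only rescue a missing-signer result, not an expired or otherwise rejected chain), but the same line is rewritten again by CVE-2025-7395-3.patch; since both come from the same upstream PR, consider squashing -2 and -3 into one patch file, listing both upstream commit ids in Upstream-Status, so the recipe does not carry a known-incomplete intermediate state.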
> diff --git a/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
> new file mode 100644
> index 0000000000..a7e1c336f3
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/wolfssl/files/CVE-2025-7395-3.patch
> @@ -0,0 +1,25 @@
> +From f2a85e37e552d8dfafa2cbf32507b2fa545ee593 Mon Sep 17 00:00:00 2001
> +From: Brett <bigbrett@users.noreply.github.com>
> +Date: Wed, 4 Jun 2025 16:56:16 -0600
> +Subject: [PATCH] add missing error trace macro
> +
> +CVE: CVE-2025-7395
> +Upstream-Status: Backport [https://github.com/wolfSSL/wolfssl/commit/0e2a3fd0b64bc6ba633aa9227e92ecacb42b5b1b]
> +Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
> +---
> + src/internal.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/src/internal.c b/src/internal.c
> +index 79f584a0a..5557b5698 100644
> +--- a/src/internal.c
> ++++ b/src/internal.c
> +@@ -15991,7 +15991,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
> + /* If we can't validate the peer cert chain against the CAs loaded
> + * into wolfSSL, try to validate against the system certificates
> + * using Apple's native trust APIs */
> +- if ((ret == ASN_NO_SIGNER_E) &&
> ++ if ((ret == WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)) &&
> + (ssl->ctx->doAppleNativeCertValidationFlag)) {
> + if (DoAppleNativeCertValidation(ssl, args->certs,
> + args->totalCerts)) {
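Review bot: `WC_NO_ERR_TRACE(ASN_NO_SIGNER_E)` assumes the error-trace macro exists in the 5.7.2 tree pinned by SRCREV; because this whole block sits under `#if defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS)` (visible in the first patch's context), a Linux bitbake build never compiles it and will not catch a missing definition, so please confirm the macro is defined at that revision before merging.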
> diff --git a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
> index 8f484d6098..5e66c8b186 100644
> --- a/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
> +++ b/meta-networking/recipes-connectivity/wolfssl/wolfssl_5.7.2.bb
> @@ -12,10 +12,12 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263"
> PROVIDES += "cyassl"
> RPROVIDES:${PN} = "cyassl"
>
> -SRC_URI = " \
> - git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
> - file://run-ptest \
> -"
> +SRC_URI = "git://github.com/wolfSSL/wolfssl.git;protocol=https;branch=master \
> + file://run-ptest \
> + file://CVE-2025-7395-1.patch \
> + file://CVE-2025-7395-2.patch \
> + file://CVE-2025-7395-3.patch \
> + "
> SRCREV = "00e42151ca061463ba6a95adb2290f678cbca472"
>
> S = "${WORKDIR}/git"
>
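Review bot: the SRC_URI rewrite replaces the existing multi-line layout (leading ` \` line, closing `"` on its own line) with a different style, which is unrelated churn in a CVE fix; appending the three `file://CVE-2025-7395-*.patch` lines to the existing block keeps the diff minimal. It would also help to state in the commit message that the patched code is only compiled under `__APPLE__` with `WOLFSSL_SYS_CA_CERTS`, so for Linux targets this silences the CVE scanner rather than changing behaviour; `CVE_STATUS[CVE-2025-7395] = "not-applicable-platform: ..."` is the alternative if maintainers prefer not to carry Apple-only patches.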