[PATCH 19.07 v2 2/3] wolfssl: Fix CVE-2021-38597

Eneas U de Queiroz cotequeiroz at gmail.com
Mon Feb 14 13:19:09 PST 2022


OCSP verification issue when the response is for a certificate with no
relation to the chain in question BUT that response contains the NoCheck
extension, which effectively disabled ALL verification of that one certificate.

Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
 package/libs/wolfssl/Makefile                 |  2 +-
 ...-handling-of-OCSP-no-check-extension.patch | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 631576a58e..d123e7a875 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
new file mode 100644
index 0000000000..6fb62b2033
--- /dev/null
+++ b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <sean at wolfssl.com>
+Date: Fri, 16 Jul 2021 12:19:39 +1000
+Subject: [PATCH] OCSP: improve handling of OCSP no check extension
+
+(cherry picked from commit f93083be72a3b3d956b52a7ec13f307a27b6e093)
+
+diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
+index bbf71e3c1..966035f5b 100644
+--- a/wolfcrypt/src/asn.c
++++ b/wolfcrypt/src/asn.c
+@@ -9751,9 +9751,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
+             }
+ 
+         #ifdef HAVE_OCSP
+-            /* trust for the lifetime of the responder's cert*/
+-            if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
+-                verify = NO_VERIFY;
++            if (verify == VERIFY_OCSP_CERT) {
++                /* trust for the lifetime of the responder's cert*/
++                if (cert->ocspNoCheckSet)
++                    verify = VERIFY;
++                else
++                    verify = VERIFY_OCSP;
++            }
+         #endif
+             /* advance past extensions */
+             cert->srcIdx = cert->sigIndex;
+@@ -17542,7 +17546,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
+ 
+         /* Don't verify if we don't have access to Cert Manager. */
+         ret = ParseCertRelative(&cert, CERT_TYPE,
+-                                noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
++                                noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
+         if (ret < 0) {
+             WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+             FreeDecodedCert(&cert);
+diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
+index e412c1d06..e3cddf5b4 100644
+--- a/wolfssl/wolfcrypt/asn.h
++++ b/wolfssl/wolfcrypt/asn.h
+@@ -589,6 +589,7 @@ enum VerifyType {
+     VERIFY_OCSP = 3,
+     VERIFY_NAME = 4,
+     VERIFY_SKIP_DATE = 5,
++    VERIFY_OCSP_CERT = 6,
+ };
+ 
+ #ifdef WOLFSSL_CERT_EXT
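Review bot: The responder certificate is still accepted whenever it verifies against the cert manager (`ParseCertRelative(&cert, CERT_TYPE, noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm)` in DecodeBasicOcspResponse), and nothing in this hunk ties that certificate to the issuer of the certificate whose status is being checked; RFC 6960 §4.2.2.2 requires the responder to be that issuer or to be delegated by it via id-kp-OCSPSigning, so unless that binding is enforced elsewhere in DecodeBasicOcspResponse, a response signed by an unrelated but otherwise trusted certificate would presumably still be accepted after this fix. In the ParseCertRelative hunk the id-pkix-ocsp-nocheck branch now downgrades to `VERIFY` rather than `NO_VERIFY`, so the retained comment `/* trust for the lifetime of the responder's cert*/` no longer describes what happens; suggest `/* id-pkix-ocsp-nocheck: skip revocation checking of the responder cert itself, but still verify its signature and chain */`. Because `VERIFY_OCSP_CERT` is a new enum member and is only mapped to `VERIFY`/`VERIFY_OCSP` at this point in ParseCertRelative, any earlier code in that function or its callees that tests `verify == VERIFY_OCSP` or `verify != NO_VERIFY` will see the new value instead and is worth a grep. Both ParseCertRelative and DecodeBasicOcspResponse start and end outside the hunk.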


