authorEneas U de Queiroz <cotequeiroz@gmail.com>2021-02-21 18:33:30 -0300
committerHauke Mehrtens <hauke@hauke-m.de>2021-02-24 20:24:04 +0100
commit0e8d67023bb7d21f9c4b3db86e9d983b15530ae0 (patch)
tree593855b95c4af3654a320c7ac5ec6d7da097c81e /package/libs/wolfssl/patches/010-CVE-2021-3336.patch
parentc53a86806d33a16fe8101719f44e13a53630d887 (diff)
wolfssl: bump to v4.7.0-stable
Biggest fix for this version is CVE-2021-3336, which has already been applied here. There are a couple of low severity security bug fixes as well. Three patches are no longer needed, and were removed; the one remaining was refreshed. This tool shows no ABI changes: https://abi-laboratory.pro/index.php?view=objects_report&l=wolfssl&v1=4.6.0&v2=4.7.0 Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> (cherry picked from commit d1dfb577f1c0d5b1f1fa35000c9ad7abdb7d10ed)
Diffstat (limited to 'package/libs/wolfssl/patches/010-CVE-2021-3336.patch')
-rw-r--r--package/libs/wolfssl/patches/010-CVE-2021-3336.patch53
1 files changed, 0 insertions, 53 deletions
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
deleted file mode 100644
index abb9bfdd9b..0000000000
--- a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
-From: Sean Parkinson <sean@wolfssl.com>
-Date: Thu, 21 Jan 2021 08:24:38 +1000
-Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
-
----
- src/tls13.c | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
---- a/src/tls13.c
-+++ b/src/tls13.c
-@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
- #ifdef HAVE_ED25519
- if (args->sigAlgo == ed25519_sa_algo &&
- !ssl->peerEd25519KeyPresent) {
-- WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
-+ WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ED448
- if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
-- WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
-+ WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- #ifdef HAVE_ECC
- if (args->sigAlgo == ecc_dsa_sa_algo &&
- !ssl->peerEccDsaKeyPresent) {
-- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
-+ WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
- #ifndef NO_RSA
- if (args->sigAlgo == rsa_sa_algo) {
-- WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
-+ WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
- ERROR_OUT(INVALID_PARAMETER, exit_dcv);
- }
- if (args->sigAlgo == rsa_pss_sa_algo &&
- (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
-- WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
-+ WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
-+ ret = SIG_VERIFY_E;
-+ goto exit_dcv;
- }
- #endif
-