-rw-r--r-- | package/libs/wolfssl/Makefile | 2 | ||||
-rw-r--r-- | package/libs/wolfssl/patches/010-CVE-2021-3336.patch | 53 |
2 files changed, 54 insertions, 1 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index dcc6aca40c..ff01fca663 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
new file mode 100644
index 0000000000..abb9bfdd9b
--- /dev/null
+++ b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
@@ -0,0 +1,53 @@
+From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <sean@wolfssl.com>
+Date: Thu, 21 Jan 2021 08:24:38 +1000
+Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
+
+---
+ src/tls13.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
+ #ifdef HAVE_ED25519
+ if (args->sigAlgo == ed25519_sa_algo &&
+ !ssl->peerEd25519KeyPresent) {
+- WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
++ WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ #ifdef HAVE_ED448
+ if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
+- WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
++ WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ #ifdef HAVE_ECC
+ if (args->sigAlgo == ecc_dsa_sa_algo &&
+ !ssl->peerEccDsaKeyPresent) {
+- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
++ WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ #ifndef NO_RSA
+ if (args->sigAlgo == rsa_sa_algo) {
+- WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
++ WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
+ ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+ }
+ if (args->sigAlgo == rsa_pss_sa_algo &&
+ (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
+- WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
++ WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ 
|