aboutsummaryrefslogtreecommitdiffstats
path: root/package/libs/wolfssl
diff options
context:
space:
mode:
Diffstat (limited to 'package/libs/wolfssl')
-rw-r--r--package/libs/wolfssl/Makefile2
-rw-r--r--package/libs/wolfssl/patches/010-CVE-2021-3336.patch53
2 files changed, 54 insertions, 1 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 8bd9189e5e..9bc7e671b2 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
PKG_VERSION:=4.6.0-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/010-CVE-2021-3336.patch b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
new file mode 100644
index 0000000000..abb9bfdd9b
--- /dev/null
+++ b/package/libs/wolfssl/patches/010-CVE-2021-3336.patch
@@ -0,0 +1,53 @@
+From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <sean@wolfssl.com>
+Date: Thu, 21 Jan 2021 08:24:38 +1000
+Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
+
+---
+ src/tls13.c | 18 +++++++++++++-----
+ 1 file changed, 13 insertions(+), 5 deletions(-)
+
+--- a/src/tls13.c
++++ b/src/tls13.c
+@@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
+ #ifdef HAVE_ED25519
+ if (args->sigAlgo == ed25519_sa_algo &&
+ !ssl->peerEd25519KeyPresent) {
+- WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
++ WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ #ifdef HAVE_ED448
+ if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
+- WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
++ WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ #ifdef HAVE_ECC
+ if (args->sigAlgo == ecc_dsa_sa_algo &&
+ !ssl->peerEccDsaKeyPresent) {
+- WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
++ WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+ #ifndef NO_RSA
+ if (args->sigAlgo == rsa_sa_algo) {
+- WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
++ WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
+ ERROR_OUT(INVALID_PARAMETER, exit_dcv);
+ }
+ if (args->sigAlgo == rsa_pss_sa_algo &&
+ (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
+- WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
++ WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
++ ret = SIG_VERIFY_E;
++ goto exit_dcv;
+ }
+ #endif
+