abb9bfdd9bcb43016296161371fecd25148ff3f3
[openwrt/openwrt.git] / package / libs / wolfssl / patches / 010-CVE-2021-3336.patch
1 From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
2 From: Sean Parkinson <sean@wolfssl.com>
3 Date: Thu, 21 Jan 2021 08:24:38 +1000
4 Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
5
6 ---
7 src/tls13.c | 18 +++++++++++++-----
8 1 file changed, 13 insertions(+), 5 deletions(-)
9
10 --- a/src/tls13.c
11 +++ b/src/tls13.c
12 @@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
13 #ifdef HAVE_ED25519
14 if (args->sigAlgo == ed25519_sa_algo &&
15 !ssl->peerEd25519KeyPresent) {
16 - WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
17 + WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
18 + ret = SIG_VERIFY_E;
19 + goto exit_dcv;
20 }
21 #endif
22 #ifdef HAVE_ED448
23 if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
24 - WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
25 + WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
26 + ret = SIG_VERIFY_E;
27 + goto exit_dcv;
28 }
29 #endif
30 #ifdef HAVE_ECC
31 if (args->sigAlgo == ecc_dsa_sa_algo &&
32 !ssl->peerEccDsaKeyPresent) {
33 - WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
34 + WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
35 + ret = SIG_VERIFY_E;
36 + goto exit_dcv;
37 }
38 #endif
39 #ifndef NO_RSA
40 if (args->sigAlgo == rsa_sa_algo) {
41 - WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
42 + WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
43 ERROR_OUT(INVALID_PARAMETER, exit_dcv);
44 }
45 if (args->sigAlgo == rsa_pss_sa_algo &&
46 (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
47 - WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
48 + WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
49 + ret = SIG_VERIFY_E;
50 + goto exit_dcv;
51 }
52 #endif
53