openwrt/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch
Eneas U de Queiroz e89f3e85eb wolfssl: bump to 5.2.0
Fixes two high-severity vulnerabilities:

- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
  can be bypassed.  If a malicious client does not send the
  certificate_verify message a client can connect without presenting a
  certificate even if the server requires one.

- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
  v1.3 server can have its certificate heck bypassed. If the sig_algo in
  the certificate_verify message is different than the certificate
  message checking may be bypassed.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2022-04-11 21:41:03 +02:00

25 lines
858 B
Diff

From 87e43dd63ba429297e439f2dfd1ee8b45981e18b Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Sat, 12 Feb 2022 00:34:24 +0100
Subject: [PATCH] Reported in ZD13631
`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain
References: https://github.com/wolfSSL/wolfssl/issues/4879
---
src/internal.c | 3 +++
1 file changed, 3 insertions(+)
--- a/src/internal.c
+++ b/src/internal.c
@@ -12342,6 +12342,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte*
}
ret = 0; /* clear errors and continue */
+ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+ ssl->peerVerifyRet = 0;
+ #endif
args->verifyErr = 0;
}