mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-25 00:11:13 +00:00
e89f3e85eb
Fixes two high-severity vulnerabilities: - CVE-2022-25640: A TLS v1.3 server who requires mutual authentication can be bypassed. If a malicious client does not send the certificate_verify message a client can connect without presenting a certificate even if the server requires one. - CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS v1.3 server can have its certificate heck bypassed. If the sig_algo in the certificate_verify message is different than the certificate message checking may be bypassed. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
25 lines
858 B
Diff
25 lines
858 B
Diff
From 87e43dd63ba429297e439f2dfd1ee8b45981e18b Mon Sep 17 00:00:00 2001
|
|
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
|
|
Date: Sat, 12 Feb 2022 00:34:24 +0100
|
|
Subject: [PATCH] Reported in ZD13631
|
|
|
|
`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain
|
|
|
|
References: https://github.com/wolfSSL/wolfssl/issues/4879
|
|
---
|
|
src/internal.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- a/src/internal.c
|
|
+++ b/src/internal.c
|
|
@@ -12342,6 +12342,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte*
|
|
}
|
|
|
|
ret = 0; /* clear errors and continue */
|
|
+ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
|
+ ssl->peerVerifyRet = 0;
|
|
+ #endif
|
|
args->verifyErr = 0;
|
|
}
|
|
|