package/libs/wolfssl/patches/010-CVE-2021-3336.patch

   1 From fad1e67677bf7797b6bd6e1f21a513c289d963a7 Mon Sep 17 00:00:00 2001
   2 From: Sean Parkinson <sean@wolfssl.com>
   3 Date: Thu, 21 Jan 2021 08:24:38 +1000
   4 Subject: [PATCH] TLS 1.3: ensure key for signature in CertificateVerify
   5
   6 ---
   7  src/tls13.c | 18 +++++++++++++-----
   8  1 file changed, 13 insertions(+), 5 deletions(-)
   9
  10 --- a/src/tls13.c
  11 +++ b/src/tls13.c
  12 @@ -5624,28 +5624,36 @@ static int DoTls13CertificateVerify(WOLF
  13          #ifdef HAVE_ED25519
  14              if (args->sigAlgo == ed25519_sa_algo &&
  15                                                    !ssl->peerEd25519KeyPresent) {
  16 -                WOLFSSL_MSG("Oops, peer sent ED25519 key but not in verify");
  17 +                WOLFSSL_MSG("Peer sent ED22519 sig but not ED22519 cert");
  18 +                ret = SIG_VERIFY_E;
  19 +                goto exit_dcv;
  20              }
  21          #endif
  22          #ifdef HAVE_ED448
  23              if (args->sigAlgo == ed448_sa_algo && !ssl->peerEd448KeyPresent) {
  24 -                WOLFSSL_MSG("Oops, peer sent ED448 key but not in verify");
  25 +                WOLFSSL_MSG("Peer sent ED448 sig but not ED448 cert");
  26 +                ret = SIG_VERIFY_E;
  27 +                goto exit_dcv;
  28              }
  29          #endif
  30          #ifdef HAVE_ECC
  31              if (args->sigAlgo == ecc_dsa_sa_algo &&
  32                                                     !ssl->peerEccDsaKeyPresent) {
  33 -                WOLFSSL_MSG("Oops, peer sent ECC key but not in verify");
  34 +                WOLFSSL_MSG("Peer sent ECC sig but not ECC cert");
  35 +                ret = SIG_VERIFY_E;
  36 +                goto exit_dcv;
  37              }
  38          #endif
  39          #ifndef NO_RSA
  40              if (args->sigAlgo == rsa_sa_algo) {
  41 -                WOLFSSL_MSG("Oops, peer sent PKCS#1.5 signature");
  42 +                WOLFSSL_MSG("Peer sent PKCS#1.5 algo but not in certificate");
  43                  ERROR_OUT(INVALID_PARAMETER, exit_dcv);
  44              }
  45              if (args->sigAlgo == rsa_pss_sa_algo &&
  46                           (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)) {
  47 -                WOLFSSL_MSG("Oops, peer sent RSA key but not in verify");
  48 +                WOLFSSL_MSG("Peer sent RSA sig but not RSA cert");
  49 +                ret = SIG_VERIFY_E;
  50 +                goto exit_dcv;
  51              }
  52          #endif
  53