2393b09b59
Fixes two high-severity vulnerabilities:
- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
can be bypassed. If a malicious client does not send the
certificate_verify message a client can connect without presenting a
certificate even if the server requires one.
- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
v1.3 server can have its certificate heck bypassed. If the sig_algo in
the certificate_verify message is different than the certificate
message checking may be bypassed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
(cherry picked from commit e89f3e85eb)
12 lines
469 B
Diff
12 lines
469 B
Diff
--- a/wolfssl/wolfcrypt/settings.h
|
|
+++ b/wolfssl/wolfcrypt/settings.h
|
|
@@ -2338,7 +2338,7 @@ extern void uITRON4_free(void *p) ;
|
|
#endif
|
|
|
|
/* warning for not using harden build options (default with ./configure) */
|
|
-#ifndef WC_NO_HARDEN
|
|
+#if 0
|
|
#if (defined(USE_FAST_MATH) && !defined(TFM_TIMING_RESISTANT)) || \
|
|
(defined(HAVE_ECC) && !defined(ECC_TIMING_RESISTANT)) || \
|
|
(!defined(NO_RSA) && !defined(WC_RSA_BLINDING) && !defined(HAVE_FIPS) && \
|