[PATCH 19.07 v2 0/3] wolfssl security updates

Luiz Angelo Daros de Luca luizluca at gmail.com
Mon Feb 14 17:16:36 PST 2022


> I've started to look at the first vulnerability, but it is not as
> straightforward as I was hoping.  Perhaps Luiz Angelo Daros de Luca,
> reporter and author of the fixes, can help me out with this.

Sure. And I do have interest in getting it fixed. It is both a
security fix (when it does not block what it should) and a bug fix
(when it blocks what it shouldn't). It affects special certificates
with multiple name constraints, used mostly to limit the power of an
internal CA. It is normally not used in public CAs.

The fix is a drop-in replacement for the validation function
ConfirmNameConstraints() and a small applicable change to
MatchBaseName(). There are some required commits to get that change
cleanly applied and I don't think it is worth it (a55e94cf6f touches
almost all the tree). I think you can use this standalone backport:

https://github.com/luizluca/wolfssl/commit/ede75f0f0618243147ad8315b8c059ce77c751e7

When applied to 4.7.0, it will have the same final result for
ConfirmNameConstraints() and MatchBaseName() as the upstream patch.

Regards,

Luiz
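Added example, not code from wolfSSL or from the linked backport: a small reference checker for the RFC 5280 dNSName name-constraint semantics the fix is about (a name must fall under at least one permitted subtree, if any are present, and under no excluded subtree), run against constructed constraints so both failure modes Luiz describes (blocking a name that is allowed, or passing one that is not) can be seen. The constraint values and host names are invented for the demonstration.

```python
# Added example (not wolfSSL code): RFC 5280 4.2.1.10 dNSName constraints with
# several permitted and excluded subtrees, as seen in internal sub-CA certs.

def dns_matches_subtree(name: str, base: str) -> bool:
    """A dNSName matches a base if it equals the base or is a subdomain of it,
    comparing on label boundaries. A base with a leading '.' (seen in the wild)
    is treated as 'subdomains only', as common implementations do."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base.startswith("."):
        return name.endswith(base) and len(name) > len(base)
    return name == base or name.endswith("." + base)


def check_dns_name(name: str, permitted: list, excluded: list) -> tuple:
    """Evaluate one dNSName. With several constraints present, the name must
    match NO excluded subtree and ANY one permitted subtree (if the CA lists
    any). Returns (ok, reason)."""
    for base in excluded:
        if dns_matches_subtree(name, base):
            return False, f"excluded by {base}"
    if permitted and not any(dns_matches_subtree(name, b) for b in permitted):
        return False, "not under any permitted subtree"
    return True, "ok"


def check_leaf_sans(sans: list, permitted: list, excluded: list) -> bool:
    """Every dNSName in the leaf's SAN must pass for the certificate to pass."""
    return all(check_dns_name(n, permitted, excluded)[0] for n in sans)


if __name__ == "__main__":
    # Constructed constraints of a hypothetical internal sub-CA.
    PERMITTED = ["corp.example", "lab.example"]
    EXCLUDED = ["guest.corp.example"]
    for host in ["vpn.corp.example", "box.lab.example", "corp.example",
                 "wifi.guest.corp.example", "notcorp.example", "evil.example"]:
        print(f"{host:28s} -> {check_dns_name(host, PERMITTED, EXCLUDED)}")
```

A checker that honoured only the first permitted entry would wrongly reject `box.lab.example`; one that matched on suffix without a label boundary would wrongly accept `notcorp.example`.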
