I am updating the debdiff because the first submission had trixie-security in the changelog. This has to be trixie obviously. The Security Team asked us to go the stable release route.
diff -Nru wolfssl-5.7.2/debian/changelog wolfssl-5.7.2/debian/changelog --- wolfssl-5.7.2/debian/changelog 2025-08-10 15:17:47.000000000 +0200 +++ wolfssl-5.7.2/debian/changelog 2026-07-05 23:43:31.000000000 +0200 @@ -1,3 +1,30 @@ +wolfssl (5.7.2-0.1+deb13u2) trixie; urgency=high + + * Backport upstream security fixes. (See #1140765, #1140815) + * CVE-2026-5194: require certificate signature OID to match issuer key + OID. + * CVE-2026-55960: validate negotiated certificate type for raw public + keys. + * CVE-2026-55961: reject degenerate certs-only PKCS#7 in PKCS7_verify. + * CVE-2026-55962: require client cert on outstanding TLS 1.3 post- + handshake auth. + * CVE-2026-55967: reject AES-GCM cumulative size overflow in streaming + update. + * CVE-2026-6092: enforce Encrypt-then-MAC on the TLS resumption path. + * CVE-2026-6094: bound encrypted content size in PKCS7 EnvelopedData. + * CVE-2026-6325: bound index in SetSuitesHashSigAlgo to prevent OOB + write. + * CVE-2026-6329: reject PKCS#12 MAC length mismatch. + * CVE-2026-6331: require exact HMAC tag length in + EVP_DigestVerifyFinal. + * CVE-2026-6450: reject CRLs with unrecognized critical extensions. + * CVE-2026-6678: fix integer underflow in wc_PKCS7_DecryptOri. + * CVE-2026-6681: respect caller output buffer size in PKCS7 decode. + * CVE-2026-6731: apply DNS name constraints to Subject CN when no SAN. + * CVE-2026-7511: report the verifying cert as the PKCS#7 signer. + + -- Jacob Barthelmeh <[email protected]> Sun, 05 Jul 2026 15:43:31 -0600 + wolfssl (5.7.2-0.1+deb13u1) trixie; urgency=medium * Fix CVE-2025-7394: weak/predictable random numbers. (Closes: #1109549) diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-5194-digest-sizes.patch 2026-07-05 23:43:31.000000000 +0200 @@ -0,0 +1,382 @@ +Description: CVE-2026-5194 - enforce minimum/maximum digest sizes in signature ops + Companion to CVE-2026-5194.patch (asn.c signature-OID match). Backports the + wolfcrypt-level digest-size enforcement half of upstream commit abce5be9: adds + WC_MIN_DIGEST_SIZE (hash.h) and rejects too-small/too-large hash inputs in the + ECC and DSA sign/verify primitives, the Ed25519ph/Ed448ph prehash length, + wc_SignatureVerifyHash and the PKCS7 ECDSA verify path. The upstream internal.c + EccVerify guard is omitted: it is redundant (EccVerify calls the now-guarded + wc_ecc_verify_hash) and its context mis-binds to Ed25519Sign on 5.7.2. The + enum->define header refactor, kernel module port, dilithium (not built) and + test-only hunks are likewise omitted. +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/abce5be989ccd0665e2b9445abb856886975dfd1 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-5194 +Author: wolfSSL +Forwarded: not-needed +Index: wolfssl-5.7.2/wolfcrypt/src/dsa.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/dsa.c ++++ wolfssl-5.7.2/wolfcrypt/src/dsa.c +@@ -34,6 +34,7 @@ + #include <wolfssl/wolfcrypt/logging.h> + #include <wolfssl/wolfcrypt/sha.h> + #include <wolfssl/wolfcrypt/dsa.h> ++#include <wolfssl/wolfcrypt/hash.h> + + #ifdef NO_INLINE + #include <wolfssl/wolfcrypt/misc.h> +@@ -680,6 +681,12 @@ int wc_DsaSign_ex(const byte* digest, wo + if (digest == NULL || out == NULL || key == NULL || rng == NULL) + return BAD_FUNC_ARG; + ++ if ((digestSz > WC_MAX_DIGEST_SIZE) || ++ (digestSz < WC_MIN_DIGEST_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } ++ + SAVE_VECTOR_REGISTERS(return _svr_ret;); + + do { +@@ -1013,6 +1020,16 @@ int wc_DsaVerify_ex(const byte* digest, + if (digest == NULL || sig == NULL || key == NULL || answer == NULL) + return BAD_FUNC_ARG; + ++ /* Note the min allowed digestSz here is WC_SHA_DIGEST_SIZE, not ++ * WC_MIN_DIGEST_SIZE, to allow verify-only legacy DSA operations, as ++ * expressly allowed under FIPS 186-5, FIPS 140-3, and SP 800-131A. ++ */ ++ if ((digestSz > WC_MAX_DIGEST_SIZE) || ++ (digestSz < WC_SHA_DIGEST_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } ++ + do { + #ifdef WOLFSSL_SMALL_STACK + w = (mp_int *)XMALLOC(sizeof *w, key->heap, DYNAMIC_TYPE_TMP_BUFFER); +Index: wolfssl-5.7.2/wolfcrypt/src/ecc.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/ecc.c ++++ wolfssl-5.7.2/wolfcrypt/src/ecc.c +@@ -6726,6 +6726,11 @@ int wc_ecc_sign_hash(const byte* in, wor + if (in == NULL || out == NULL || outlen == NULL || key == NULL) { + return ECC_BAD_ARG_E; + } ++ if ((inlen > WC_MAX_DIGEST_SIZE) || ++ (inlen < WC_MIN_DIGEST_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } + + #ifdef WOLF_CRYPTO_CB + #ifndef WOLF_CRYPTO_CB_FIND +@@ -7224,6 +7229,11 @@ int wc_ecc_sign_hash_ex(const byte* in, + if (in == NULL || r == NULL || s == NULL || key == NULL || rng == NULL) { + return ECC_BAD_ARG_E; + } ++ if ((inlen > WC_MAX_DIGEST_SIZE) || ++ (inlen < WC_MIN_DIGEST_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } + + /* is this a private key? */ + if (key->type != ECC_PRIVATEKEY && key->type != ECC_PRIVATEKEY_ONLY) { +@@ -8466,6 +8476,12 @@ int wc_ecc_verify_hash(const byte* sig, + return ECC_BAD_ARG_E; + } + ++ /* Check hash length */ ++ if ((hashlen > WC_MAX_DIGEST_SIZE) || ++ (hashlen < WC_MIN_DIGEST_SIZE)) { ++ return BAD_LENGTH_E; ++ } ++ + #ifdef WOLF_CRYPTO_CB + #ifndef WOLF_CRYPTO_CB_FIND + if (key->devId != INVALID_DEVID) +@@ -9073,6 +9089,12 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_ + if (r == NULL || s == NULL || hash == NULL || res == NULL || key == NULL) + return ECC_BAD_ARG_E; + ++ /* Check hash length */ ++ if ((hashlen > WC_MAX_DIGEST_SIZE) || ++ (hashlen < WC_MIN_DIGEST_SIZE)) { ++ return BAD_LENGTH_E; ++ } ++ + /* default to invalid signature */ + *res = 0; + +Index: wolfssl-5.7.2/wolfcrypt/src/ed25519.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/ed25519.c ++++ wolfssl-5.7.2/wolfcrypt/src/ed25519.c +@@ -396,6 +396,12 @@ int wc_ed25519_sign_msg_ex(const byte* i + return BAD_FUNC_ARG; + } + ++ if ((type == Ed25519ph) && ++ (inLen != WC_SHA512_DIGEST_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } ++ + #ifdef WOLF_CRYPTO_CB + if (key->devId != INVALID_DEVID) { + ret = wc_CryptoCb_Ed25519Sign(in, inLen, out, outLen, key, type, +@@ -854,6 +860,12 @@ int wc_ed25519_verify_msg_ex(const byte* + (context == NULL && contextLen != 0)) + return BAD_FUNC_ARG; + ++ if ((type == Ed25519ph) && ++ (msgLen != WC_SHA512_DIGEST_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } ++ + #ifdef WOLF_CRYPTO_CB + if (key->devId != INVALID_DEVID) { + ret = wc_CryptoCb_Ed25519Verify(sig, sigLen, msg, msgLen, res, key, +Index: wolfssl-5.7.2/wolfcrypt/src/ed448.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/ed448.c ++++ wolfssl-5.7.2/wolfcrypt/src/ed448.c +@@ -374,6 +374,11 @@ int wc_ed448_sign_msg_ex(const byte* in, + ret = BAD_FUNC_ARG; + } + ++ if ((ret == 0) && (type == Ed448ph) && (inLen != ED448_PREHASH_SIZE)) ++ { ++ ret = BAD_LENGTH_E; ++ } ++ + /* check and set up out length */ + if ((ret == 0) && (*outLen < ED448_SIG_SIZE)) { + *outLen = ED448_SIG_SIZE; +@@ -799,6 +804,12 @@ int wc_ed448_verify_msg_ex(const byte* s + if (key == NULL) + return BAD_FUNC_ARG; + ++ if ((type == Ed448ph) && ++ (msgLen != ED448_PREHASH_SIZE)) ++ { ++ return BAD_LENGTH_E; ++ } ++ + #ifdef WOLFSSL_ED448_PERSISTENT_SHA + sha = &key->sha; + #else +Index: wolfssl-5.7.2/wolfcrypt/src/hash.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/hash.c ++++ wolfssl-5.7.2/wolfcrypt/src/hash.c +@@ -405,6 +405,12 @@ int wc_HashGetDigestSize(enum wc_HashTyp + #endif + break; + case WC_HASH_TYPE_BLAKE2B: ++ #if defined(HAVE_BLAKE2B) ++ dig_size = BLAKE2B_OUTBYTES; ++ #else ++ dig_size = HASH_TYPE_E; ++ #endif ++ break; + case WC_HASH_TYPE_BLAKE2S: + #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S) + dig_size = BLAKE2S_OUTBYTES; +@@ -524,6 +530,12 @@ int wc_HashGetBlockSize(enum wc_HashType + #endif + break; + case WC_HASH_TYPE_BLAKE2B: ++ #if defined(HAVE_BLAKE2B) ++ block_size = BLAKE2B_BLOCKBYTES; ++ #else ++ block_size = HASH_TYPE_E; ++ #endif ++ break; + case WC_HASH_TYPE_BLAKE2S: + #if defined(HAVE_BLAKE2) || defined(HAVE_BLAKE2S) + block_size = BLAKE2S_BLOCKBYTES; +Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c ++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +@@ -4107,6 +4107,12 @@ static int wc_PKCS7_EcdsaVerify(PKCS7* p + if (pkcs7 == NULL || sig == NULL) + return BAD_FUNC_ARG; + ++ /* Check hash length */ ++ if ((hashSz > WC_MAX_DIGEST_SIZE) || ++ (hashSz < WC_MIN_DIGEST_SIZE)) { ++ return BAD_LENGTH_E; ++ } ++ + #ifdef WOLFSSL_SMALL_STACK + digest = (byte*)XMALLOC(MAX_PKCS7_DIGEST_SZ, pkcs7->heap, + DYNAMIC_TYPE_TMP_BUFFER); +Index: wolfssl-5.7.2/wolfcrypt/src/signature.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/signature.c ++++ wolfssl-5.7.2/wolfcrypt/src/signature.c +@@ -151,6 +151,35 @@ int wc_SignatureVerifyHash( + WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len"); + return ret; + } ++ ++#if !defined(NO_RSA) && !defined(WOLFSSL_RSA_PUBLIC_ONLY) ++ /* For WC_SIGNATURE_TYPE_RSA_W_ENC, we need to extract the actual size of ++ * the ASN.1-encoded hash. ++ */ ++ if (sig_type == WC_SIGNATURE_TYPE_RSA_W_ENC) { ++ int hash_dec_len; ++ word32 idx = 0; ++ if (GetSequence(hash_data, &idx, &hash_dec_len, hash_len) < 0) ++ return ASN_PARSE_E; ++ /* skip the AlgorithmIdentifier */ ++ if (GetSequence(hash_data, &idx, &hash_dec_len, hash_len) < 0) ++ return ASN_PARSE_E; ++ idx += (word32)hash_dec_len; ++ /* now sitting at the OCTET STRING containing the digest */ ++ if (GetOctetString(hash_data, &idx, &hash_dec_len, hash_len) < 0) ++ return ASN_PARSE_E; ++ if (hash_dec_len != ret) ++ return BAD_LENGTH_E; ++ } ++ else ++#endif ++ { ++ if (hash_len != (word32)ret) { ++ WOLFSSL_MSG("wc_SignatureVerify: Invalid hash size"); ++ return BAD_LENGTH_E; ++ } ++ } ++ + ret = 0; + + /* Verify signature using hash */ +Index: wolfssl-5.7.2/wolfssl/wolfcrypt/hash.h +=================================================================== +--- wolfssl-5.7.2.orig/wolfssl/wolfcrypt/hash.h ++++ wolfssl-5.7.2/wolfssl/wolfcrypt/hash.h +@@ -156,6 +156,87 @@ typedef union { + #define WC_MAX_BLOCK_SIZE 128 + #endif + ++#if defined(WC_HASH_CUSTOM_MAX_DIGEST_SIZE) && \ ++ defined(WC_HASH_CUSTOM_MIN_DIGEST_SIZE) ++ #if WC_HASH_CUSTOM_MAX_DIGEST_SIZE < \ ++ WC_HASH_CUSTOM_MIN_DIGEST_SIZE ++ #error HASH_CUSTOM_MAX_DIGEST_SIZE < WC_HASH_CUSTOM_MIN_DIGEST_SIZE ++ #endif ++#endif ++#ifdef WC_HASH_CUSTOM_MAX_DIGEST_SIZE ++ #undef WC_MAX_DIGEST_SIZE ++ #define WC_MAX_DIGEST_SIZE WC_HASH_CUSTOM_MAX_DIGEST_SIZE ++#endif ++#ifdef WC_HASH_CUSTOM_MAX_BLOCK_SIZE ++ #undef WC_MAX_BLOCK_SIZE ++ #define WC_MAX_BLOCK_SIZE WC_HASH_CUSTOM_MAX_BLOCK_SIZE ++#endif ++ ++/* wolfssl 5.7.2 md2.h/md4.h predate the WC_-prefixed digest-size names used by ++ * the cascade below (they define only MD2_DIGEST_SIZE/MD4_DIGEST_SIZE). Provide ++ * the WC_-prefixed aliases so the upstream enforcement compiles unchanged. */ ++#if defined(WOLFSSL_MD2) && !defined(WC_MD2_DIGEST_SIZE) ++ #define WC_MD2_DIGEST_SIZE 16 ++#endif ++#if !defined(NO_MD4) && !defined(WC_MD4_DIGEST_SIZE) ++ #define WC_MD4_DIGEST_SIZE 16 ++#endif ++#if defined(WC_HASH_CUSTOM_MIN_DIGEST_SIZE) ++ #if defined(WC_FIPS_186_5_PLUS) && \ ++ (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 224 / 8) ++ #error FIPS 186-5 requires a minimum hash size >= SHA-224. ++ #elif defined(WC_FIPS_186_4) && \ ++ (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 160 / 8) ++ #error FIPS 186-4 requires a minimum hash size >= SHA-1. ++ #elif (WC_HASH_CUSTOM_MIN_DIGEST_SIZE < 128 / 8) ++ #error WC_HASH_CUSTOM_MIN_DIGEST_SIZE is too small. ++ #endif ++ /* Let the user override the minimum digest size */ ++ #define WC_MIN_DIGEST_SIZE WC_HASH_CUSTOM_MIN_DIGEST_SIZE ++#elif defined(WOLFSSL_MD2) && !defined(WC_FIPS_186_4_PLUS) ++ #define WC_MIN_DIGEST_SIZE WC_MD2_DIGEST_SIZE /* 16 */ ++#elif !defined(NO_MD4) && !defined(WC_FIPS_186_4_PLUS) ++ #define WC_MIN_DIGEST_SIZE WC_MD4_DIGEST_SIZE /* 16 */ ++#elif !defined(NO_MD5) && !defined(WC_FIPS_186_4_PLUS) ++ #define WC_MIN_DIGEST_SIZE WC_MD5_DIGEST_SIZE /* 16 */ ++#elif !defined(NO_SHA) && !defined(WC_FIPS_186_5_PLUS) ++ #define WC_MIN_DIGEST_SIZE WC_SHA_DIGEST_SIZE /* 20 */ ++#elif defined(WOLFSSL_SHA224) ++ #define WC_MIN_DIGEST_SIZE WC_SHA224_DIGEST_SIZE ++#elif !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ ++ defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_224) ++ #define WC_MIN_DIGEST_SIZE WC_SHA512_224_DIGEST_SIZE ++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_224) ++ #define WC_MIN_DIGEST_SIZE WC_SHA3_224_DIGEST_SIZE ++#elif !defined(NO_SHA256) ++ #define WC_MIN_DIGEST_SIZE WC_SHA256_DIGEST_SIZE ++#elif !defined(HAVE_FIPS) && !defined(HAVE_SELFTEST) && \ ++ defined(WOLFSSL_SHA512) && !defined(WOLFSSL_NOSHA512_256) ++ #define WC_MIN_DIGEST_SIZE WC_SHA512_256_DIGEST_SIZE ++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_256) ++ #define WC_MIN_DIGEST_SIZE WC_SHA3_256_DIGEST_SIZE ++#elif defined(HAVE_BLAKE2S) ++ #define WC_MIN_DIGEST_SIZE BLAKE2S_OUTBYTES /* 32 */ ++#elif defined(WOLFSSL_SM3) ++ #define WC_MIN_DIGEST_SIZE WC_SM3_DIGEST_SIZE /* 32 */ ++#elif defined(WOLFSSL_SHA384) ++ #define WC_MIN_DIGEST_SIZE WC_SHA384_DIGEST_SIZE ++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_384) ++ #define WC_MIN_DIGEST_SIZE WC_SHA3_384_DIGEST_SIZE ++#elif defined(WOLFSSL_SHA512) ++ #define WC_MIN_DIGEST_SIZE WC_SHA512_DIGEST_SIZE ++#elif defined(WOLFSSL_SHA3) && !defined(WOLFSSL_NOSHA3_512) ++ #define WC_MIN_DIGEST_SIZE WC_SHA3_512_DIGEST_SIZE ++#elif defined(HAVE_BLAKE2B) ++ #define WC_MIN_DIGEST_SIZE BLAKE2B_OUTBYTES /* 64 */ ++#elif defined(WOLFSSL_SHAKE128) || defined(WOLFSSL_SHAKE256) ++ #error SHAKE enabled without SHA-3. ++ #define WC_MIN_DIGEST_SIZE 64 ++#else ++ #error No builtin hashes enabled and no WC_HASH_CUSTOM_MIN_DIGEST_SIZE. ++ #define WC_MIN_DIGEST_SIZE 64 ++#endif ++ + #if !defined(NO_ASN) || !defined(NO_DH) || defined(HAVE_ECC) + WOLFSSL_API int wc_HashGetOID(enum wc_HashType hash_type); + WOLFSSL_API enum wc_HashType wc_OidGetHash(int oid); +Index: wolfssl-5.7.2/wolfssl/wolfcrypt/settings.h +=================================================================== +--- wolfssl-5.7.2.orig/wolfssl/wolfcrypt/settings.h ++++ wolfssl-5.7.2/wolfssl/wolfcrypt/settings.h +@@ -460,6 +460,29 @@ + #define SIZEOF_LONG_LONG 8 + #endif + ++#if defined(HAVE_FIPS) && !defined(WC_FIPS_186_5) && !defined(WC_FIPS_186_4) ++ #if FIPS_VERSION3_GE(7,0,0) ++ #ifndef WC_FIPS_186_5 ++ #define WC_FIPS_186_5 ++ #endif ++ #else ++ #ifndef WC_FIPS_186_4 ++ #define WC_FIPS_186_4 ++ #endif ++ #endif ++#endif ++#if defined(WC_FIPS_186_4) && defined(WC_FIPS_186_5) ++ #error Conflicting FIPS 186 settings. ++#endif ++#if (defined(WC_FIPS_186_4) || defined(WC_FIPS_186_5)) && \ ++ !defined(WC_FIPS_186_4_PLUS) ++ #define WC_FIPS_186_4_PLUS ++#endif ++#if defined(WC_FIPS_186_5) && !defined(WC_FIPS_186_5_PLUS) ++ #define WC_FIPS_186_5_PLUS ++#endif ++ ++ + #ifdef HAVE_NETX + #ifdef NEED_THREADX_TYPES + #include <types.h> diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-5194.patch 2026-07-05 23:33:37.000000000 +0200 @@ -0,0 +1,142 @@ +Description: CVE-2026-5194 - require certificate signature OID to match issuer key OID +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/abce5be989ccd0665e2b9445abb856886975dfd1 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-5194 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/asn.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/asn.c ++++ wolfssl-5.7.2/wolfcrypt/src/asn.c +@@ -16545,6 +16545,118 @@ static int HashForSignature(const byte* + } + #endif /* !NO_ASN_CRYPT && !NO_HASH_WRAPPER */ + ++/* The certificate's signatureAlgorithm (sigOID) must match the issuer's ++ * key type (keyOID). sigOID picks the pre-hash; keyOID picks the ++ * verifier. They need to agree or the verifier gets the wrong input. */ ++static int SigOidMatchesKeyOid(word32 sigOID, word32 keyOID) ++{ ++ switch (keyOID) { ++ #ifndef NO_RSA ++ case RSAk: ++ switch (sigOID) { ++ case CTC_MD2wRSA: ++ case CTC_MD5wRSA: ++ case CTC_SHAwRSA: ++ case CTC_SHA224wRSA: ++ case CTC_SHA256wRSA: ++ case CTC_SHA384wRSA: ++ case CTC_SHA512wRSA: ++ case CTC_SHA3_224wRSA: ++ case CTC_SHA3_256wRSA: ++ case CTC_SHA3_384wRSA: ++ case CTC_SHA3_512wRSA: ++ case CTC_RSASSAPSS: ++ return 1; ++ } ++ return 0; ++ #ifdef WC_RSA_PSS ++ case RSAPSSk: ++ return (sigOID == CTC_RSASSAPSS); ++ #endif ++ #endif ++ #if !defined(NO_DSA) && !defined(HAVE_SELFTEST) ++ case DSAk: ++ switch (sigOID) { ++ case CTC_SHAwDSA: ++ case CTC_SHA256wDSA: ++ return 1; ++ } ++ return 0; ++ #endif ++ #if defined(HAVE_ECC) && defined(HAVE_ECC_VERIFY) ++ case ECDSAk: ++ #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) ++ case SM2k: ++ #endif ++ switch (sigOID) { ++ case CTC_SHAwECDSA: ++ case CTC_SHA224wECDSA: ++ case CTC_SHA256wECDSA: ++ case CTC_SHA384wECDSA: ++ case CTC_SHA512wECDSA: ++ case CTC_SHA3_224wECDSA: ++ case CTC_SHA3_256wECDSA: ++ case CTC_SHA3_384wECDSA: ++ case CTC_SHA3_512wECDSA: ++ #if defined(WOLFSSL_SM2) && defined(WOLFSSL_SM3) ++ case CTC_SM3wSM2: ++ #endif ++ return 1; ++ } ++ return 0; ++ #endif ++ #if defined(HAVE_ED25519) && defined(HAVE_ED25519_KEY_IMPORT) ++ case ED25519k: ++ return (sigOID == CTC_ED25519); ++ #endif ++ #if defined(HAVE_ED448) && defined(HAVE_ED448_KEY_IMPORT) ++ case ED448k: ++ return (sigOID == CTC_ED448); ++ #endif ++ #if defined(HAVE_FALCON) ++ case FALCON_LEVEL1k: ++ return (sigOID == CTC_FALCON_LEVEL1); ++ case FALCON_LEVEL5k: ++ return (sigOID == CTC_FALCON_LEVEL5); ++ #endif ++ #if defined(HAVE_DILITHIUM) && !defined(WOLFSSL_DILITHIUM_NO_VERIFY) && \ ++ !defined(WOLFSSL_DILITHIUM_NO_ASN1) ++ #ifdef WOLFSSL_DILITHIUM_FIPS204_DRAFT ++ case DILITHIUM_LEVEL2k: ++ return (sigOID == CTC_DILITHIUM_LEVEL2); ++ case DILITHIUM_LEVEL3k: ++ return (sigOID == CTC_DILITHIUM_LEVEL3); ++ case DILITHIUM_LEVEL5k: ++ return (sigOID == CTC_DILITHIUM_LEVEL5); ++ #endif ++ case ML_DSA_LEVEL2k: ++ return (sigOID == CTC_ML_DSA_LEVEL2); ++ case ML_DSA_LEVEL3k: ++ return (sigOID == CTC_ML_DSA_LEVEL3); ++ case ML_DSA_LEVEL5k: ++ return (sigOID == CTC_ML_DSA_LEVEL5); ++ #endif ++ #if defined(HAVE_SPHINCS) ++ case SPHINCS_FAST_LEVEL1k: ++ return (sigOID == CTC_SPHINCS_FAST_LEVEL1); ++ case SPHINCS_FAST_LEVEL3k: ++ return (sigOID == CTC_SPHINCS_FAST_LEVEL3); ++ case SPHINCS_FAST_LEVEL5k: ++ return (sigOID == CTC_SPHINCS_FAST_LEVEL5); ++ case SPHINCS_SMALL_LEVEL1k: ++ return (sigOID == CTC_SPHINCS_SMALL_LEVEL1); ++ case SPHINCS_SMALL_LEVEL3k: ++ return (sigOID == CTC_SPHINCS_SMALL_LEVEL3); ++ case SPHINCS_SMALL_LEVEL5k: ++ return (sigOID == CTC_SPHINCS_SMALL_LEVEL5); ++ #endif ++ } ++ ++ /* Default to reject unknown key types */ ++ (void)sigOID; ++ return 0; ++} ++ + /* Return codes: 0=Success, Negative (see error-crypt.h), ASN_SIG_CONFIRM_E */ + static int ConfirmSignature(SignatureCtx* sigCtx, + const byte* buf, word32 bufSz, +@@ -16610,6 +16722,11 @@ static int ConfirmSignature(SignatureCtx + + case SIG_STATE_HASH: + { ++ if (!SigOidMatchesKeyOid(sigOID, keyOID)) { ++ WOLFSSL_MSG("sigOID incompatible with issuer keyOID"); ++ ERROR_OUT(ASN_SIG_OID_E, exit_cs); ++ } ++ + #if !defined(NO_RSA) && defined(WC_RSA_PSS) + if (sigOID == RSAPSSk) { + word32 fakeSigOID = 0; diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-55960.patch 2026-07-05 23:40:41.000000000 +0200 @@ -0,0 +1,61 @@ +Description: CVE-2026-55960 - validate negotiated certificate type for raw public keys +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/c929798460656431bdeeffbf701a74521f403f36 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55960 +Author: wolfSSL +Forwarded: not-needed +--- +Index: wolfssl-5.7.2/src/internal.c +=================================================================== +--- wolfssl-5.7.2.orig/src/internal.c ++++ wolfssl-5.7.2/src/internal.c +@@ -14146,31 +14146,29 @@ PRAGMA_GCC_DIAG_POP + ret = ParseCertRelative(args->dCert, certType, verify, SSL_CM(ssl), extraSigners); + + #if defined(HAVE_RPK) +- /* if cert type has negotiated with peer, confirm the cert received has +- * the same type. +- */ +- if (ret == 0 ) { +- if (ssl->options.side == WOLFSSL_CLIENT_END) { +- if (ssl->options.rpkState.received_ServerCertTypeCnt == 1) { ++ /* Confirm the received certificate's form (X.509 vs raw public key) matches ++ * the type negotiated with the peer. A raw public key (RFC 7250) has no ++ * chain, so ParseCertRelative() accepts it without any trust verification; ++ * it must only be accepted when RPK was negotiated for this peer. When no ++ * type was negotiated the default is X.509 (RFC 7250/8446), so an ++ * un-negotiated bare key is rejected. The negotiated type is the received ++ * server cert type (client) or the selected client cert type (server). */ ++ if (ret == 0) { ++ cType = WOLFSSL_CERT_TYPE_X509; ++ if (ssl->options.side == WOLFSSL_CLIENT_END) { ++ if (ssl->options.rpkState.received_ServerCertTypeCnt == 1) + cType = ssl->options.rpkState.received_ServerCertTypes[0]; +- if ((cType == WOLFSSL_CERT_TYPE_RPK && !args->dCert->isRPK) || +- (cType == WOLFSSL_CERT_TYPE_X509 && args->dCert->isRPK)) { +- /* cert type mismatch */ +- WOLFSSL_MSG("unsupported certificate type received"); +- ret = UNSUPPORTED_CERTIFICATE; +- } +- } + } + else if (ssl->options.side == WOLFSSL_SERVER_END) { +- if (ssl->options.rpkState.received_ClientCertTypeCnt == 1) { ++ if (ssl->options.rpkState.sending_ClientCertTypeCnt == 1) + cType = ssl->options.rpkState.sending_ClientCertTypes[0]; +- if ((cType == WOLFSSL_CERT_TYPE_RPK && !args->dCert->isRPK) || +- (cType == WOLFSSL_CERT_TYPE_X509 && args->dCert->isRPK)) { +- /* cert type mismatch */ +- WOLFSSL_MSG("unsupported certificate type received"); +- ret = UNSUPPORTED_CERTIFICATE; +- } +- } ++ } ++ ++ if ((cType == WOLFSSL_CERT_TYPE_RPK && !args->dCert->isRPK) || ++ (cType != WOLFSSL_CERT_TYPE_RPK && args->dCert->isRPK)) { ++ /* cert type mismatch - includes an un-negotiated raw public key */ ++ WOLFSSL_MSG("unsupported certificate type received"); ++ ret = UNSUPPORTED_CERTIFICATE; + } + } + #endif /* HAVE_RPK */ diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-55961.patch 2026-07-05 23:37:14.000000000 +0200 @@ -0,0 +1,31 @@ +Description: CVE-2026-55961 - reject degenerate certs-only PKCS#7 in wolfSSL_PKCS7_verify +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/d382439c7c63c07294cf4fcece0aa56a35399d15 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55961 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/src/ssl_p7p12.c +=================================================================== +--- wolfssl-5.7.2.orig/src/ssl_p7p12.c ++++ wolfssl-5.7.2/src/ssl_p7p12.c +@@ -806,6 +806,19 @@ int wolfSSL_PKCS7_verify(PKCS7* pkcs7, W + if (ret != 0) + return WOLFSSL_FAILURE; + ++ /* Reject a degenerate (certs-only) PKCS#7 with no verified signer. Such an ++ * object has empty signerInfos, so wc_PKCS7_VerifySignedData() succeeds ++ * without authenticating the content. pkcs7.verifyCert is only set once a ++ * signer's signature has actually been verified, so a NULL value here means ++ * the content carries no valid signature and must not be reported as ++ * verified - regardless of PKCS7_NOVERIFY, which only suppresses signer ++ * certificate chain validation, not the requirement that a signature exist. ++ */ ++ if (p7->pkcs7.verifyCert == NULL) { ++ WOLFSSL_MSG("PKCS7 has no verified signer (degenerate/certs-only)"); ++ return WOLFSSL_FAILURE; ++ } ++ + if ((flags & PKCS7_NOVERIFY) != PKCS7_NOVERIFY) { + /* Verify signer certificates */ + if (store == NULL || store->cm == NULL) { diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-55962.patch 2026-07-05 23:33:37.000000000 +0200 @@ -0,0 +1,44 @@ +Description: CVE-2026-55962 - require client cert on outstanding TLS1.3 post-handshake auth +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/f23544f09476d420becdfabd781eec0dd1a9c597 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55962 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/src/tls13.c +=================================================================== +--- wolfssl-5.7.2.orig/src/tls13.c ++++ wolfssl-5.7.2/src/tls13.c +@@ -10649,7 +10649,10 @@ int DoTls13Finished(WOLFSSL* ssl, const + #endif + if ( + #ifdef WOLFSSL_POST_HANDSHAKE_AUTH +- !ssl->options.verifyPostHandshake && ++ /* Exempt only the initial handshake; a pending post-handshake ++ * CertificateRequest (certReqCtx != NULL) still requires a peer ++ * certificate and a valid CertificateVerify. */ ++ (!ssl->options.verifyPostHandshake || ssl->certReqCtx != NULL) && + #endif + (!ssl->options.havePeerCert || !ssl->options.havePeerVerify)) { + ret = NO_PEER_CERT; /* NO_PEER_VERIFY */ +@@ -12228,7 +12231,19 @@ static int SanityCheckTls13MsgReceived(W + */ + if (ssl->options.verifyPeer && + #ifdef WOLFSSL_POST_HANDSHAKE_AUTH +- !ssl->options.verifyPostHandshake && ++ /* The post-handshake-auth exemption is only valid during ++ * the initial handshake. On the server, once a ++ * post-handshake CertificateRequest is outstanding ++ * (certReqCtx != NULL), a Certificate is required again. ++ * Scoped to the server: certReqCtx means something ++ * different on the client (a received request) and the ++ * client does not process an inbound Finished in that ++ * state. Whether an empty Certificate is then accepted ++ * follows the verify mode (FAIL_IF_NO_PEER_CERT), exactly ++ * as for first-handshake client authentication. */ ++ (!ssl->options.verifyPostHandshake || ++ (ssl->options.side == WOLFSSL_SERVER_END && ++ ssl->certReqCtx != NULL)) && + #endif + !ssl->msgsReceived.got_certificate) { + WOLFSSL_MSG("Finished received out of order - " diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-55967.patch 2026-07-05 23:33:37.000000000 +0200 @@ -0,0 +1,49 @@ +Description: CVE-2026-55967 - reject AES-GCM cumulative size overflow in streaming update +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/5def276e07e23b7b3b5842afbe526b4d3703ce13 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-55967 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/aes.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/aes.c ++++ wolfssl-5.7.2/wolfcrypt/src/aes.c +@@ -10001,6 +10001,18 @@ int wc_AesGcmEncryptUpdate(Aes* aes, byt + ret = MISSING_IV; + } + ++ /* Prevent overflow of aes->cSz and ->aSz. Per NIST SP 800-38D section ++ * 5.2.1.1, the maximum allowed ciphertext limit is 2^32 - 2 blocks, but we ++ * currently pass around the cunulative sizes in bytes as word32s, so we ++ * can't currently support the maximum allowed. ++ */ ++ if ((ret == 0) && ++ (((aes->cSz > 0xffffffff - sz)) || ++ ((aes->aSz > 0xffffffff - authInSz)))) ++ { ++ ret = AES_GCM_OVERFLOW_E; ++ } ++ + if ((ret == 0) && aes->ctrSet && (aes->aSz == 0) && (aes->cSz == 0)) { + aes->invokeCtr[0]++; + if (aes->invokeCtr[0] == 0) { +@@ -10147,6 +10159,18 @@ int wc_AesGcmDecryptUpdate(Aes* aes, byt + ret = MISSING_IV; + } + ++ /* Prevent overflow of aes->cSz and ->aSz. Per NIST SP 800-38D section ++ * 5.2.1.1, the maximum allowed ciphertext limit is 2^32 - 2 blocks, but we ++ * currently pass around the cunulative sizes in bytes as word32s, so we ++ * can't currently support the maximum allowed. ++ */ ++ if ((ret == 0) && ++ (((aes->cSz > 0xffffffff - sz)) || ++ ((aes->aSz > 0xffffffff - authInSz)))) ++ { ++ ret = AES_GCM_OVERFLOW_E; ++ } ++ + if (ret == 0) { + /* Decrypt with AAD and/or cipher text. */ + #ifdef WOLFSSL_AESNI diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6092.patch 2026-07-05 23:33:37.000000000 +0200 @@ -0,0 +1,39 @@ +Description: CVE-2026-6092 - enforce Encrypt-then-MAC on TLS resumption path +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/af5369636a938faf4a79d1f550d3b206c51fafec +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6092 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/src/internal.c +=================================================================== +--- wolfssl-5.7.2.orig/src/internal.c ++++ wolfssl-5.7.2/src/internal.c +@@ -37052,13 +37052,21 @@ static int DoSessionTicket(WOLFSSL* ssl, + + #if defined(HAVE_TLS_EXTENSIONS) && defined(HAVE_ENCRYPT_THEN_MAC) && \ + !defined(WOLFSSL_AEAD_ONLY) +- if (ssl->options.encThenMac && ssl->specs.cipher_type == block) { +- ret = TLSX_EncryptThenMac_Respond(ssl); +- if (ret != 0) +- goto out; ++ /* Only respond to ETM here when resumption actually succeeded; ++ * HandleTlsResumption populates ssl->specs via SetCipherSpecs only ++ * on the success path. If resumption failed, resuming has been ++ * cleared and ssl->specs.cipher_type is still zero-initialized, ++ * so we must defer the ETM decision until after MatchSuite. */ ++ if (ssl->options.resuming) { ++ if (ssl->options.encThenMac && ++ ssl->specs.cipher_type == block) { ++ ret = TLSX_EncryptThenMac_Respond(ssl); ++ if (ret != 0) ++ goto out; ++ } ++ else ++ ssl->options.encThenMac = 0; + } +- else +- ssl->options.encThenMac = 0; + #endif + if (ssl->options.clientState == CLIENT_KEYEXCHANGE_COMPLETE) { + WOLFSSL_LEAVE("DoClientHello", ret); diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6094.patch 2026-07-05 23:33:37.000000000 +0200 @@ -0,0 +1,23 @@ +Description: CVE-2026-6094 - bound encrypted content size in PKCS7 EnvelopedData +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/1397268aa12e2cf3f80c3acfa9b6036b809c08ef +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6094 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c ++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +@@ -12393,6 +12393,11 @@ WOLFSSL_API int wc_PKCS7_DecodeEnveloped + } + + } else { ++ if ((idx + (word32)encryptedContentTotalSz) > pkiMsgSz) { ++ ret = BUFFER_E; ++ break; ++ } ++ + /* cache encrypted content, no OCTET STRING */ + ret = PKCS7_CacheEncryptedContent(pkcs7, &pkiMsg[idx], + (word32)encryptedContentTotalSz); diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6325.patch 2026-07-05 23:34:07.000000000 +0200 @@ -0,0 +1,28 @@ +Description: CVE-2026-6325 - bound index in SetSuitesHashSigAlgo to prevent OOB write +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/f540bb3ddfef89db637809392522247ce3e8200c +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6325 +Author: wolfSSL +Forwarded: not-needed +--- +Index: wolfssl-5.7.2/src/internal.c +=================================================================== +--- wolfssl-5.7.2.orig/src/internal.c ++++ wolfssl-5.7.2/src/internal.c +@@ -27378,6 +27378,17 @@ int SetSuitesHashSigAlgo(Suites* suites, + break; + } + } ++ { ++ word32 needed = 2; ++#if defined(WC_RSA_PSS) && defined(WOLFSSL_TLS13) ++ if (sig_alg == rsa_pss_sa_algo) ++ needed = 4; ++#endif ++ if ((word32)idx + needed > WOLFSSL_MAX_SIGALGO) { ++ ret = 0; ++ break; ++ } ++ } + AddSuiteHashSigAlgo(suites->hashSigAlgo, mac_alg, sig_alg, 0, &idx); + sig_alg = 0; + mac_alg = no_mac; diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6329.patch 2026-07-05 23:33:37.000000000 +0200 @@ -0,0 +1,24 @@ +Description: CVE-2026-6329 - reject PKCS#12 MAC length mismatch +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/9c304bdc099140ad2fdc41ef2f2602af9768c8a1 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6329 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/pkcs12.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs12.c ++++ wolfssl-5.7.2/wolfcrypt/src/pkcs12.c +@@ -652,6 +652,12 @@ static int wc_PKCS12_verify(WC_PKCS12* p + return ret; + } + ++ if ((word32)ret != mac->digestSz) { ++ WOLFSSL_MSG("PKCS12 MAC digest size mismatch"); ++ ForceZero(digest, sizeof(digest)); ++ return MAC_CMP_FAILED_E; ++ } ++ + #ifdef WOLFSSL_DEBUG_PKCS12 + { + byte* p; diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6331.patch 2026-07-05 23:33:38.000000000 +0200 @@ -0,0 +1,26 @@ +Description: CVE-2026-6331 - require exact HMAC tag length in EVP_DigestVerifyFinal + A zero-length or truncated tag passed to wolfSSL_EVP_DigestVerifyFinal() was + accepted, because the length check only rejected oversized tags and an + XMEMCMP() of length zero returns a match. Require the supplied tag length to + equal the MAC length exactly. +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/0749f20c33516897d8c5e2ab083b855e2d17d665 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6331 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/evp.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/evp.c ++++ wolfssl-5.7.2/wolfcrypt/src/evp.c +@@ -4636,9 +4636,8 @@ int wolfSSL_EVP_DigestVerifyFinal(WOLFSS + + hashLen = wolfssl_mac_len(ctx->hash.hmac.macType); + +- if (siglen > hashLen) ++ if (hashLen == 0 || siglen != hashLen) + return WOLFSSL_FAILURE; +- /* May be a truncated signature. */ + } + + if (wolfssl_evp_digest_pk_final(ctx, digest, &hashLen) <= 0) diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6450.patch 2026-07-05 23:39:35.000000000 +0200 @@ -0,0 +1,29 @@ +Description: CVE-2026-6450 - reject CRLs with unrecognized critical extensions +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/857141da35b67a14a580fb26ec57af1efa68a1d9 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6450 +Author: wolfSSL +Forwarded: not-needed +Index: wolfssl-5.7.2/wolfcrypt/src/asn.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/asn.c ++++ wolfssl-5.7.2/wolfcrypt/src/asn.c +@@ -38426,14 +38426,17 @@ static int ParseCRL_Extensions(DecodedCR + } + #endif + } ++ else if (critical) { ++ WOLFSSL_MSG("Unknown critical CRL extension"); ++ ret = ASN_CRIT_EXT_E; ++ } + /* TODO: Parse CRL Number extension */ +- /* TODO: check criticality */ + /* Move index on to next extension. */ + idx += (word32)length; + } + } + +- if (ret < 0) { ++ if (ret < 0 && ret != ASN_CRIT_EXT_E) { + ret = ASN_PARSE_E; + } + diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6678.patch 2026-07-05 23:33:38.000000000 +0200 @@ -0,0 +1,34 @@ +Description: CVE-2026-6678 - fix integer underflow in wc_PKCS7_DecryptOri +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/84fb0f694cfaac4187c0beba4298a4a8a7995235 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6678 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c ++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +@@ -10861,9 +10861,21 @@ static int wc_PKCS7_DecryptOri(PKCS7* pk + XMEMCPY(oriOID, pkiMsg + *idx, oriOIDSz); + *idx += oriOIDSz; + ++ /* Validate OID did not consume more than the SEQUENCE declared */ ++ if ((*idx - tmpIdx) > (word32)seqSz) { ++ WOLFSSL_MSG("ORI oriType OID exceeds SEQUENCE boundary"); ++ return ASN_PARSE_E; ++ } ++ + /* get oriValue, increment idx */ + oriValue = pkiMsg + *idx; +- oriValueSz = seqSz - (*idx - tmpIdx); ++ oriValueSz = (word32)seqSz - (*idx - tmpIdx); ++ ++ /* Validate oriValue region is within input buffer */ ++ if (*idx > pkiMsgSz || oriValueSz > pkiMsgSz - *idx) { ++ WOLFSSL_MSG("ORI oriValue exceeds input buffer"); ++ return ASN_PARSE_E; ++ } + *idx += oriValueSz; + + /* pass oriOID and oriValue to user callback, expect back diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6681.patch 2026-07-05 23:33:38.000000000 +0200 @@ -0,0 +1,34 @@ +Description: CVE-2026-6681 - respect caller output buffer size in PKCS7 decode +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/1de4020fe4f3f911641ac0477227249d4dda2157 +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6681 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/pkcs7.c ++++ wolfssl-5.7.2/wolfcrypt/src/pkcs7.c +@@ -13632,6 +13632,10 @@ authenv_atrbend: + } + + /* copy plaintext to output */ ++ if ((word32)encryptedContentSz > outputSz) { ++ ret = BUFFER_E; ++ break; ++ } + XMEMCPY(output, encryptedContent, encryptedContentSz); + + /* free memory, zero out keys */ +@@ -14284,6 +14288,11 @@ int wc_PKCS7_DecodeEncryptedData(PKCS7* + } + + /* copy plaintext to output */ ++ if ((word32)(encryptedContentSz - padLen) > outputSz) { ++ XFREE(encryptedContent, pkcs7->heap, DYNAMIC_TYPE_PKCS7); ++ ret = BUFFER_E; ++ break; ++ } + XMEMCPY(output, encryptedContent, encryptedContentSz - padLen); + + /* get implicit[1] unprotected attributes, optional */ diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-6731.patch 2026-07-05 23:33:38.000000000 +0200 @@ -0,0 +1,30 @@ +Description: CVE-2026-6731 - apply DNS name constraints to Subject CN when no SAN +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/e7b7fddacb4cc794e5dfc7693586d87a539f5aad +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-6731 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/wolfcrypt/src/asn.c +=================================================================== +--- wolfssl-5.7.2.orig/wolfcrypt/src/asn.c ++++ wolfssl-5.7.2/wolfcrypt/src/asn.c +@@ -18017,9 +18017,16 @@ static int ConfirmNameConstraints(Signer + XMEMSET(&subjectDnsName, 0, sizeof(DNS_entry)); + switch (nameType) { + case ASN_DNS_TYPE: +- /* Should it also consider CN in subject? It could use +- * subjectDnsName too */ + name = cert->altNames; ++ ++ /* When no SAN is present, apply DNS name constraints to the ++ * Subject CN. */ ++ if (cert->subjectCN != NULL && cert->altNames == NULL) { ++ subjectDnsName.next = NULL; ++ subjectDnsName.type = ASN_DNS_TYPE; ++ subjectDnsName.len = cert->subjectCNLen; ++ subjectDnsName.name = cert->subjectCN; ++ } + break; + case ASN_RFC822_TYPE: + /* Shouldn't it validate E= in subject as well? */ diff -Nru wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch --- wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch 1970-01-01 01:00:00.000000000 +0100 +++ wolfssl-5.7.2/debian/patches/CVE-2026-7511.patch 2026-07-05 23:37:14.000000000 +0200 @@ -0,0 +1,59 @@ +Description: CVE-2026-7511 - report the verifying cert as the PKCS#7 signer +Origin: upstream, https://github.com/wolfSSL/wolfssl/commit/b7f6e77a95bfeda306b22dd34394e49c0a6c8a8c +Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-7511 +Forwarded: not-needed +Author: wolfSSL +Last-Update: 2026-06-29 + +Index: wolfssl-5.7.2/src/ssl_p7p12.c +=================================================================== +--- wolfssl-5.7.2.orig/src/ssl_p7p12.c ++++ wolfssl-5.7.2/src/ssl_p7p12.c +@@ -273,24 +273,42 @@ WOLFSSL_STACK* wolfSSL_PKCS7_get0_signer + WOLFSSL_X509* x509 = NULL; + WOLFSSL_STACK* signers = NULL; + WOLFSSL_PKCS7* p7 = (WOLFSSL_PKCS7*)pkcs7; ++ byte* signerCert; ++ word32 signerCertSz; + + if (p7 == NULL) + return NULL; + +- /* Only PKCS#7 messages with a single cert that is the verifying certificate +- * is supported. +- */ + if (flags & PKCS7_NOINTERN) { + WOLFSSL_MSG("PKCS7_NOINTERN flag not supported"); + return NULL; + } + ++ /* Prefer the certificate that actually verified the signature. Falling ++ * back to singleCert (cert[0]) would let an attacker that bundles a ++ * trusted cert ahead of their own attacker cert have the trusted cert ++ * reported as the signer even though it did not produce the signature. ++ * ++ * Copy the chosen pointer into a local before passing its address to ++ * wolfSSL_d2i_X509; d2i_X509 advances *in by the DER length, and if ++ * we handed it the address of the struct field directly it would ++ * permanently corrupt the field, producing a heap-OOB read on the ++ * next use (pointer advanced, singleCertSz unchanged). */ ++ if (p7->pkcs7.verifyCert != NULL && p7->pkcs7.verifyCertSz > 0) { ++ signerCert = p7->pkcs7.verifyCert; ++ signerCertSz = p7->pkcs7.verifyCertSz; ++ } ++ else { ++ signerCert = p7->pkcs7.singleCert; ++ signerCertSz = p7->pkcs7.singleCertSz; ++ } ++ + signers = wolfSSL_sk_X509_new_null(); + if (signers == NULL) + return NULL; + +- if (wolfSSL_d2i_X509(&x509, (const byte**)&p7->pkcs7.singleCert, +- p7->pkcs7.singleCertSz) == NULL) { ++ if (wolfSSL_d2i_X509(&x509, (const byte**)&signerCert, ++ signerCertSz) == NULL) { + wolfSSL_sk_X509_pop_free(signers, NULL); + return NULL; + } diff -Nru wolfssl-5.7.2/debian/patches/series wolfssl-5.7.2/debian/patches/series --- wolfssl-5.7.2/debian/patches/series 2025-08-10 15:17:47.000000000 +0200 +++ wolfssl-5.7.2/debian/patches/series 2026-07-05 23:43:31.000000000 +0200 @@ -5,3 +5,19 @@ disable-crl-monitor.patch disable-jobserver.patch handle-debian-files.diff +CVE-2026-5194.patch +CVE-2026-55962.patch +CVE-2026-55967.patch +CVE-2026-6092.patch +CVE-2026-6094.patch +CVE-2026-6329.patch +CVE-2026-6331.patch +CVE-2026-6678.patch +CVE-2026-6681.patch +CVE-2026-6731.patch +CVE-2026-6325.patch +CVE-2026-55961.patch +CVE-2026-7511.patch +CVE-2026-6450.patch +CVE-2026-55960.patch +CVE-2026-5194-digest-sizes.patch

