[OpenWrt-Devel] [PATCH ustream-ssl] wolfssl: adjust to new API in v4.2.0

Eneas U de Queiroz cotequeiroz at gmail.com
Tue Oct 29 17:24:16 EDT 2019

WolfSSL has recently added many openssl 1.1+ calls, including
TLS_server_method & TLS_client_method, which were being redefined,
causing compilation failure:
ustream-openssl.c:113:0: error: "TLS_server_method" redefined [-Werror]
ustream-openssl.c:114:0: error: "TLS_client_method" redefined [-Werror]

Only define the symbols if not previously defined.

Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
---
There are two CVEs with critical (CVSS 3.1)/high (CVSS 2.0) base scores
that have been fixed in wolfssl 4.2.0: CVE-2019-16748 & CVE-2019-15651.

Before we can update wolfssl, this needs to be applied, along with
https://patchwork.ozlabs.org/patch/1164316/.  It's also possible to come
up with a shorter patch than 1164316, doing just what's necessary for
compilation.  Let me know how I should go ahead with this.

Here's the error after this, but without 1164316 applied:
/ustream-openssl.h:47:2: error: implicit declaration of function
'SSL_set_tlsext_host_name'; did you mean 'SSL_set_tlsext_debug_arg'?
  SSL_set_tlsext_host_name(us->ssl, us->server_name);

It's been tested on WRT3200ACM with master, using current wolfssl 4.1.0,
and also with 4.2.0 + https://patchwork.ozlabs.org/patch/1164316/
running uhttpd.

diff --git a/ustream-openssl.c b/ustream-openssl.c
index b2df362..c09106f 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -110,8 +110,12 @@ __ustream_ssl_context_new(bool server)
 		_init = true;
-# define TLS_server_method SSLv23_server_method
-# define TLS_client_method SSLv23_client_method
+# ifndef TLS_server_method
+#  define TLS_server_method SSLv23_server_method
+# endif
+# ifndef TLS_client_method
+#  define TLS_client_method SSLv23_client_method
+# endif
 	if (server) {
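
Review bot: the `# ifndef TLS_server_method` and `# ifndef TLS_client_method` guards only detect preprocessor macros, so they depend on the wolfSSL compatibility header having been included before this point and on the library exposing these names as macros, as the "redefined" error in the commit message shows 4.2.0 does. If a library version declares them as plain functions instead, the guard will not fire and the `# define` will silently reroute the call to `SSLv23_server_method` / `SSLv23_client_method`. A one-line comment above the guards stating which library versions need the fallback would make that dependency explicit for the next person touching this block.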
