[OpenWrt-Devel] [PATCH ustream-ssl v2 3/3] wolfssl: enable CN validation

Hauke Mehrtens hauke at hauke-m.de
Fri Sep 20 16:43:42 EDT 2019


On 9/19/19 4:18 AM, Eneas U de Queiroz wrote:
> WolfSSL added a wolfSSL_X509_check_host function to perform CN
> validation in v3.10.4, depending on the build-time configure options:
> --enable-nginx enables it for all supported versions;
> --enable-opensslextra, since v3.14.2.
> 
> If the function is unavailable, then SSL_get_verify_result will be
> called, and 'valid_cert' will be true if that call succeeds and we
> have a peer certificate, just as it happens with openssl. Only
> 'valid_cn' will not be set.
> 
> Signed-off-by: Eneas U de Queiroz <cotequeiroz at gmail.com>
> 
> diff --git a/CMakeLists.txt b/CMakeLists.txt
> index 6b3fc8c..86e1b07 100644
> --- a/CMakeLists.txt
> +++ b/CMakeLists.txt
> @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
>    IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
>      ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
>    ENDIF()
> +  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
> +		       "wolfssl/options.h;wolfssl/ssl.h"
> +		       HAVE_WOLFSSL_X509_CHECK_HOST)
> +  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
> +    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
> +  ENDIF()
>  ELSE()
>    SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
>    SET(SSL_LIB crypto ssl)
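Review bot: When HAVE_WOLFSSL_X509_CHECK_HOST is false the added IF block defines NO_X509_CHECK_HOST silently, so a wolfSSL built without the configure options the commit message names produces a ustream-ssl that never checks the peer hostname, with nothing in the configure log to show it. Add `MESSAGE(WARNING "wolfSSL_X509_check_host not found: peer hostname (CN) validation disabled")` inside the `IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)` block so the downgrade is visible at build time. The enclosing ELSEIF(WOLFSSL) block starts before the hunk.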
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 21abf61..c830618 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
>  	uloop_timeout_set(&us->error_timer, 0);
>  }
>  
> -#ifndef WOLFSSL_OPENSSL_H_
> +#ifndef NO_X509_CHECK_HOST
>  
>  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
>  {
> @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
>  	if (!us->peer_cn)
>  		return false;
>  
> +# ifndef WOLFSSL_OPENSSL_H_
>  	ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
> +# else
> +	ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
> +# endif
>  	return ret == 1;
>  }
>  
> +#endif
>  
>  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
>  {
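Review bot: The new wolfSSL_X509_check_host call passes 0 for the flags argument while the OpenSSL branch directly above it passes X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, so the two backends accept different certificates: a SAN such as `f*.example.com` would match under wolfSSL but be rejected under OpenSSL. If wolfSSL's compatibility headers define that flag, pass it in the `# else` branch as well, `ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);`; if they do not, a comment on that line stating that partial wildcards are accepted on wolfSSL keeps the difference visible to the next maintainer. ustream_ssl_verify_cn's signature is in the preceding hunk, and ustream_ssl_verify_cert's body continues past this one.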
> @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
>  		return;
>  
>  	us->valid_cert = true;
> +#ifndef NO_X509_CHECK_HOST
>  	us->valid_cn = ustream_ssl_verify_cn(us, cert);
> +#endif
>  	X509_free(cert);
>  }
>  
> -#endif
>  
>  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
>  {
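Review bot: Under NO_X509_CHECK_HOST the new `#ifndef` leaves us->valid_cn untouched on the success path, so its value after a successful verification is whatever the field held beforehand rather than an explicit "not checked" result; the commit message's "valid_cn will not be set" describes the same gap. An `#else` branch with `us->valid_cn = false;` makes the outcome explicit and independent of how the struct was initialised or whether it is reused across connections. ustream_ssl_verify_cert starts before this hunk, and __ustream_ssl_connect's body continues past it.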
> @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
>  		r = SSL_connect(ssl);
>  
>  	if (r == 1) {
> -#ifndef WOLFSSL_OPENSSL_H_
>  		ustream_ssl_verify_cert(us);
> -#endif
>  		return U_SSL_OK;
>  	}

I am getting this error message with this patch:

[ 12%] Building C object CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o
In file included from
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-internal.h:27:0,
                 from
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-ssl.c:25:
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:
In function '__ustream_ssl_set_server_name':
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:48:2:
error: implicit declaration of function 'SSL_set_tlsext_host_name'; did
you mean 'SSL_set_tlsext_debug_arg'? [-Werror=implicit-function-declaration]
  SSL_set_tlsext_host_name(us->ssl, us->server_name);
  ^~~~~~~~~~~~~~~~~~~~~~~~
  SSL_set_tlsext_debug_arg
cc1: all warnings being treated as errors
make[6]: *** [CMakeFiles/ustream-ssl.dir/build.make:63:
CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o] Error 1


and this config:
CONFIG_WOLFSSL_HAS_AES_CCM=y
CONFIG_WOLFSSL_HAS_ARC4=y
CONFIG_WOLFSSL_HAS_CHACHA_POLY=y
CONFIG_WOLFSSL_HAS_DH=y
CONFIG_WOLFSSL_HAS_NO_HW=y
CONFIG_WOLFSSL_HAS_OCSP=y
CONFIG_WOLFSSL_HAS_SESSION_TICKET=y
CONFIG_WOLFSSL_HAS_TLSV10=y
CONFIG_WOLFSSL_HAS_TLSV13=y
CONFIG_WOLFSSL_HAS_WPAS=y


Hauke


