[PATCH 19.07] wolfssl: update to 4.8.1-stable

Eneas U de Queiroz cotequeiroz at gmail.com
Tue Dec 14 09:54:44 PST 2021


On Sun, Dec 12, 2021 at 12:11 PM Petr Štetiar <ynezz at true.cz> wrote:
>
> I'm wondering if we can do such an upgrade as the binary compatibility report for
> wolfSSL 4.7.0 vs 4.8.0 looks quite scary to me. Would it be possible to just
> backport those patches which fix those security-related issues?
>

Most wolfSSL releases have binary compatibility issues.  I would not
recommend that anyone update just the package, even if the
abi-laboratory report were less scary.  This illustrates well the
problem with binary package updates that jow wants to address.

I was not sure if it would be acceptable to do the version update, but
then we went from 4.3.0 in 19.07.0 to 4.5.0 in 19.07.4, then 4.6.0 in
19.07.5, and 4.7.0 in 19.07.8, so why not 4.8.1?

OpenWrt 19.07 support is officially limited to security maintenance,
so we can cherry-pick a couple of wolfssl commits instead:
73076940a Fix CompareOcspReqResp.
f93083be7 OCSP: improve handling of OCSP no check extension

(excluding tests):
 src/ssl.c               |  2 +-
 wolfcrypt/src/asn.c     | 19 ++++++++++++-------
 wolfssl/wolfcrypt/asn.h |  1 +
 3 files changed, 14 insertions(+), 8 deletions(-)

Just let me know what's the best approach here.

After this is done--whether update or patch--I intend to propose a
patch to build with WOLFSSL_ALT_CERT_CHAINS to avoid the problems with
letsencrypt certificates.  One can argue that it is a security fix,
considering that the alternative is to skip certificate validation.
If this is going to be NAKed, then I'll skip the trouble.

BTW, wolfssl 5.0.0 is out, but I've been unable to make it work with
the letsencrypt certificates even with the build option active--there
may be other problems that I don't recall now, I haven't looked at it
lately.  I'll return to it when able.  Meanwhile, I'll try to get
patches for the security problems that were fixed.

Cheers,

Eneas
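Added illustration (not part of this message, nor code from wolfSSL or OpenWrt) of why the WOLFSSL_ALT_CERT_CHAINS build option matters for the Let's Encrypt chains mentioned above. The assumption behind it is that the option lets verification succeed as soon as some certificate in the presented chain chains to a trusted root, even when the rest of what the peer sent (here the cross-signed ISRG Root X1, issued by the since-expired DST Root CA X3) cannot be verified, whereas the strict default requires every presented certificate to verify. The toy model below compares the two rules; the Cert type, verify() function, certificate names and dates are constructed for the example (dates mirror the public certificates), and signatures are not modelled, only issuer/subject links and validity ends.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # only the validity end is modelled


def verify(chain, trust_store, today, alt_cert_chains):
    """Toy path validation of a presented chain (leaf first).

    trust_store maps a trusted root's subject name to its Cert.  A cert
    is taken as "signed by" X when cert.issuer == X.subject; no real
    signature check (hypothetical simplification).

    Returns (ok, anchor_or_reason):
      strict          - every presented cert must be in date and must chain
                        to the next presented cert, and the top of the
                        chain must reach an in-date trust anchor.
      alt_cert_chains - walking up from the leaf, succeed as soon as a
                        cert's issuer is an in-date trust anchor; the rest
                        of the presented chain is ignored.
    """
    for i, cert in enumerate(chain):
        if cert.not_after < today:
            return False, f"{cert.subject} expired on {cert.not_after}"
        anchor = trust_store.get(cert.issuer)
        if anchor is not None and anchor.not_after >= today:
            if alt_cert_chains or i == len(chain) - 1:
                return True, anchor.subject
            # strict mode keeps validating what the peer sent above this cert
        elif anchor is not None and not alt_cert_chains:
            return False, f"trust anchor {anchor.subject} expired on {anchor.not_after}"
        # otherwise the issuer must be the next certificate the peer sent
        if i + 1 >= len(chain) or chain[i + 1].subject != cert.issuer:
            return False, f"no trusted issuer for {cert.subject}"
    return False, "empty chain"


TODAY = date(2021, 12, 14)  # date of the mail above

# Constructed sample chain, modelled on the Let's Encrypt chain of late 2021.
LEAF = Cert("example.org", "R3", date(2022, 3, 1))
R3 = Cert("R3", "ISRG Root X1", date(2025, 9, 15))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30))  # cross-signed copy
CHAIN = [LEAF, R3, X1_CROSS]

# Constructed client CA bundle: both roots present, DST Root CA X3 expired.
TRUST_STORE = {
    "ISRG Root X1": Cert("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4)),
    "DST Root CA X3": Cert("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30)),
}


def strict_result(today=TODAY):
    return verify(CHAIN, TRUST_STORE, today, alt_cert_chains=False)


def alt_result(today=TODAY):
    return verify(CHAIN, TRUST_STORE, today, alt_cert_chains=True)


if __name__ == "__main__":
    print("strict:                  ", strict_result())
    print("alt cert chains:         ", alt_result())
    print("strict before DST expiry:", strict_result(date(2021, 9, 1)))
    print("strict, root not sent:   ", verify(CHAIN[:2], TRUST_STORE, TODAY, False))
```

The strict walk fails only at the top of the presented chain, and only after 2021-09-30, which is the failure mode seen on clients with old trust stores; the alternate-chain walk stops at R3 because ISRG Root X1 is already trusted. The last call shows the other way out of the problem: a server that simply stops sending the cross-signed root passes the strict check too.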


