Home Explore Help
Register Sign In
OpenWrt
/
openwrt
mirror of https://github.com/openwrt/openwrt.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

wolfssl: fix API breakage of SSL_get_verify_result

Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable.  In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:

 $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
 Downloading 'https://letsencrypt.org'
 Connecting to 18.159.128.50:443
 Connection error: Invalid SSL certificate

Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <[email protected]>
(cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c)
(cherry picked from commit b99d7aecc83fd180f7a3c3efaae00845e7a73129)
Petr Štetiar 3 years ago
parent
cc344f1513
commit
f49eec6335
2 changed files with 27 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      package/libs/wolfssl/Makefile
  2. 26 0
      package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch

+ 1 - 1
package/libs/wolfssl/Makefile
View File 

@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 
 
 PKG_NAME:=wolfssl
 
 PKG_VERSION:=5.1.1-stable
 
-PKG_RELEASE:=1
 
+PKG_RELEASE:=2
 
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)

+ 26 - 0
package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch
View File 

@@ -0,0 +1,26 @@
 
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 
+From: Juliusz Sosinowicz <[email protected]>
 
+Date: Sat, 12 Feb 2022 00:34:24 +0100
 
+Subject: [PATCH] Reported in ZD13631
 
+
 
+`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain
 
+
 
+References: https://github.com/wolfSSL/wolfssl/issues/4879
 
+---
 
+ src/internal.c | 3 +++
 
+ 1 file changed, 3 insertions(+)
 
+
 
+diff --git a/src/internal.c b/src/internal.c
 
+index 0dded42a76c4..f5814d30607c 100644
 
+--- a/src/internal.c
 
++++ b/src/internal.c
 
+@@ -12372,6 +12372,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 
+                             }
 
+ 
+                             ret = 0; /* clear errors and continue */
 
++                    #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 
++                            ssl->peerVerifyRet = 0;
 
++                    #endif
 
+                             args->verifyErr = 0;
 
+                         }
 
+