aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPetr Štetiar <ynezz@true.cz>2022-02-22 20:00:28 +0100
committerPetr Štetiar <ynezz@true.cz>2022-02-22 20:32:11 +0100
commitf49eec6335ea9c0d652e8525a04c166f1fe3eedd (patch)
tree800bdc7c120df08feb47edc58e2fdc93aaa88926
parentcc344f1513eeefc555a0e5965ea50cac95fdfe7d (diff)
downloadupstream-f49eec6335ea9c0d652e8525a04c166f1fe3eedd.tar.gz
upstream-f49eec6335ea9c0d652e8525a04c166f1fe3eedd.tar.bz2
upstream-f49eec6335ea9c0d652e8525a04c166f1fe3eedd.zip
wolfssl: fix API breakage of SSL_get_verify_result
Backport fix for API breakage of SSL_get_verify_result() introduced in v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return X509_V_OK when used on LE powered sites or other sites utilizing relaxed/alternative cert chain validation feature. After an update to v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA error and thus rendered all such connection attempts imposible: $ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org" Downloading 'https://letsencrypt.org' Connecting to 18.159.128.50:443 Connection error: Invalid SSL certificate Fixes: #9283 References: https://github.com/wolfSSL/wolfssl/issues/4879 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit b9251e3b407592f3114e739231088c3d27663c4c) (cherry picked from commit b99d7aecc83fd180f7a3c3efaae00845e7a73129)
-rw-r--r--package/libs/wolfssl/Makefile2
-rw-r--r--package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch26
2 files changed, 27 insertions, 1 deletions
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index de6b707b95..5c3ea8d76c 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=wolfssl
PKG_VERSION:=5.1.1-stable
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch
new file mode 100644
index 0000000000..9651c03af6
--- /dev/null
+++ b/package/libs/wolfssl/patches/300-fix-SSL_get_verify_result-regression.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Juliusz Sosinowicz <juliusz@wolfssl.com>
+Date: Sat, 12 Feb 2022 00:34:24 +0100
+Subject: [PATCH] Reported in ZD13631
+
+`ssl->peerVerifyRet` wasn't being cleared when retrying with an alternative cert chain
+
+References: https://github.com/wolfSSL/wolfssl/issues/4879
+---
+ src/internal.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/internal.c b/src/internal.c
+index 0dded42a76c4..f5814d30607c 100644
+--- a/src/internal.c
++++ b/src/internal.c
+@@ -12372,6 +12372,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ }
+
+ ret = 0; /* clear errors and continue */
++ #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
++ ssl->peerVerifyRet = 0;
++ #endif
+ args->verifyErr = 0;
+ }
+