[OpenWrt-Devel,ustream-ssl,v2,3/3] wolfssl: enable CN validation
diff mbox series

Message ID 20190919021803.31271-4-cotequeiroz@gmail.com
State Accepted
Delegated to: Hauke Mehrtens
Headers show
Series
  • [OpenWrt-Devel,ustream-ssl,1/2] ustream-io-cyassl.c: fix client-mode connections
Related show

Commit Message

Eneas U de Queiroz Sept. 19, 2019, 2:18 a.m. UTC
WolfSSL added a wolfSSL_X509_check_host function to perform CN
validation in v3.10.4, depending on the build-time configure options:
--enable-nginx enables it for all supported versions;
--enable-opensslextra, since v3.14.2.

If the function is unavailable, then SSL_get_verify_result will be
called, and 'valid_cert' will be true if that call suceeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>

Comments

Hauke Mehrtens Sept. 20, 2019, 8:43 p.m. UTC | #1
On 9/19/19 4:18 AM, Eneas U de Queiroz wrote:
> WolfSSL added a wolfSSL_X509_check_host function to perform CN
> validation in v3.10.4, depending on the build-time configure options:
> --enable-nginx enables it for all supported versions;
> --enable-opensslextra, since v3.14.2.
> 
> If the function is unavailable, then SSL_get_verify_result will be
> called, and 'valid_cert' will be true if that call suceeds and we
> have a peer certificate, just as it happens with openssl. Only
> 'valid_cn' will not be set.
> 
> Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
> 
> diff --git a/CMakeLists.txt b/CMakeLists.txt
> index 6b3fc8c..86e1b07 100644
> --- a/CMakeLists.txt
> +++ b/CMakeLists.txt
> @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
>    IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
>      ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
>    ENDIF()
> +  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
> +		       "wolfssl/options.h;wolfssl/ssl.h"
> +		       HAVE_WOLFSSL_X509_CHECK_HOST)
> +  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
> +    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
> +  ENDIF()
>  ELSE()
>    SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
>    SET(SSL_LIB crypto ssl)
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 21abf61..c830618 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
>  	uloop_timeout_set(&us->error_timer, 0);
>  }
>  
> -#ifndef WOLFSSL_OPENSSL_H_
> +#ifndef NO_X509_CHECK_HOST
>  
>  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
>  {
> @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
>  	if (!us->peer_cn)
>  		return false;
>  
> +# ifndef WOLFSSL_OPENSSL_H_
>  	ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
> +# else
> +	ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
> +# endif
>  	return ret == 1;
>  }
>  
> +#endif
>  
>  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
>  {
> @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
>  		return;
>  
>  	us->valid_cert = true;
> +#ifndef NO_X509_CHECK_HOST
>  	us->valid_cn = ustream_ssl_verify_cn(us, cert);
> +#endif
>  	X509_free(cert);
>  }
>  
> -#endif
>  
>  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
>  {
> @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
>  		r = SSL_connect(ssl);
>  
>  	if (r == 1) {
> -#ifndef WOLFSSL_OPENSSL_H_
>  		ustream_ssl_verify_cert(us);
> -#endif
>  		return U_SSL_OK;
>  	}

I am getting this error message with this patch:

[ 12%] Building C object CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o
In file included from
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-internal.h:27:0,
                 from
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-ssl.c:25:
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:
In function '__ustream_ssl_set_server_name':
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:48:2:
error: implicit declaration of function 'SSL_set_tlsext_host_name'; did
you mean 'SSL_set_tlsext_debug_arg'? [-Werror=implicit-function-declaration]
  SSL_set_tlsext_host_name(us->ssl, us->server_name);
  ^~~~~~~~~~~~~~~~~~~~~~~~
  SSL_set_tlsext_debug_arg
cc1: all warnings being treated as errors
make[6]: *** [CMakeFiles/ustream-ssl.dir/build.make:63:
CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o] Error 1


and this config:
CONFIG_WOLFSSL_HAS_AES_CCM=y
CONFIG_WOLFSSL_HAS_ARC4=y
CONFIG_WOLFSSL_HAS_CHACHA_POLY=y
CONFIG_WOLFSSL_HAS_DH=y
CONFIG_WOLFSSL_HAS_NO_HW=y
CONFIG_WOLFSSL_HAS_OCSP=y
CONFIG_WOLFSSL_HAS_SESSION_TICKET=y
CONFIG_WOLFSSL_HAS_TLSV10=y
CONFIG_WOLFSSL_HAS_TLSV13=y
CONFIG_WOLFSSL_HAS_WPAS=y


Hauke
Eneas U de Queiroz Sept. 21, 2019, 3:08 a.m. UTC | #2
I just realized now that my reply went to Hauke only, so I'm sending
it again to the mailing list, as it may be useful for more people.

On Fri, Sep 20, 2019 at 5:43 PM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> On 9/19/19 4:18 AM, Eneas U de Queiroz wrote:
> > WolfSSL added a wolfSSL_X509_check_host function to perform CN
> > validation in v3.10.4, depending on the build-time configure options:
> > --enable-nginx enables it for all supported versions;
> > --enable-opensslextra, since v3.14.2.
> >
> > If the function is unavailable, then SSL_get_verify_result will be
> > called, and 'valid_cert' will be true if that call suceeds and we
> > have a peer certificate, just as it happens with openssl. Only
> > 'valid_cn' will not be set.
> >
> > Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
> >
> > diff --git a/CMakeLists.txt b/CMakeLists.txt
> > index 6b3fc8c..86e1b07 100644
> > --- a/CMakeLists.txt
> > +++ b/CMakeLists.txt
> > @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
> >    IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
> >      ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
> >    ENDIF()
> > +  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
> > +                    "wolfssl/options.h;wolfssl/ssl.h"
> > +                    HAVE_WOLFSSL_X509_CHECK_HOST)
> > +  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
> > +    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
> > +  ENDIF()
> >  ELSE()
> >    SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
> >    SET(SSL_LIB crypto ssl)
> > diff --git a/ustream-openssl.c b/ustream-openssl.c
> > index 21abf61..c830618 100644
> > --- a/ustream-openssl.c
> > +++ b/ustream-openssl.c
> > @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
> >       uloop_timeout_set(&us->error_timer, 0);
> >  }
> >
> > -#ifndef WOLFSSL_OPENSSL_H_
> > +#ifndef NO_X509_CHECK_HOST
> >
> >  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
> >  {
> > @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
> >       if (!us->peer_cn)
> >               return false;
> >
> > +# ifndef WOLFSSL_OPENSSL_H_
> >       ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
> > +# else
> > +     ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
> > +# endif
> >       return ret == 1;
> >  }
> >
> > +#endif
> >
> >  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
> >  {
> > @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
> >               return;
> >
> >       us->valid_cert = true;
> > +#ifndef NO_X509_CHECK_HOST
> >       us->valid_cn = ustream_ssl_verify_cn(us, cert);
> > +#endif
> >       X509_free(cert);
> >  }
> >
> > -#endif
> >
> >  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
> >  {
> > @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
> >               r = SSL_connect(ssl);
> >
> >       if (r == 1) {
> > -#ifndef WOLFSSL_OPENSSL_H_
> >               ustream_ssl_verify_cert(us);
> > -#endif
> >               return U_SSL_OK;
> >       }
>
> I am getting this error message with this patch:
>
> [ 12%] Building C object CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o
> In file included from
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-internal.h:27:0,
>                  from
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-ssl.c:25:
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:
> In function '__ustream_ssl_set_server_name':
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:48:2:
> error: implicit declaration of function 'SSL_set_tlsext_host_name'; did
> you mean 'SSL_set_tlsext_debug_arg'? [-Werror=implicit-function-declaration]
>   SSL_set_tlsext_host_name(us->ssl, us->server_name);
>   ^~~~~~~~~~~~~~~~~~~~~~~~
>   SSL_set_tlsext_debug_arg
> cc1: all warnings being treated as errors
> make[6]: *** [CMakeFiles/ustream-ssl.dir/build.make:63:
> CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o] Error 1
>
>
> and this config:
> CONFIG_WOLFSSL_HAS_AES_CCM=y
> CONFIG_WOLFSSL_HAS_ARC4=y
> CONFIG_WOLFSSL_HAS_CHACHA_POLY=y
> CONFIG_WOLFSSL_HAS_DH=y
> CONFIG_WOLFSSL_HAS_NO_HW=y
> CONFIG_WOLFSSL_HAS_OCSP=y
> CONFIG_WOLFSSL_HAS_SESSION_TICKET=y
> CONFIG_WOLFSSL_HAS_TLSV10=y
> CONFIG_WOLFSSL_HAS_TLSV13=y
> CONFIG_WOLFSSL_HAS_WPAS=y
>
>
> Hauke
>
>

I should have mentioned it before, but you need to update the
references from cyassl to wolfssl in openwrt to be able to compile it.
I will send the patch to openwrt once ustream-ssl is updated.
Meanwhile, this should do the trick:

--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
@@ -49,8 +49,8 @@ define Package/libustream-mbedtls
 endef

 ifeq ($(BUILD_VARIANT),wolfssl)
-  TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/cyassl -DHAVE_SNI
-  CMAKE_OPTIONS += -DCYASSL=on
+  TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/wolfssl
+  CMAKE_OPTIONS += -DWOLFSSL=on
 endif
 ifeq ($(BUILD_VARIANT),mbedtls)
   CMAKE_OPTIONS += -DMBEDTLS=on

Patch
diff mbox series

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6b3fc8c..86e1b07 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,6 +21,12 @@  ELSEIF(WOLFSSL)
   IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
     ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
   ENDIF()
+  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
+		       "wolfssl/options.h;wolfssl/ssl.h"
+		       HAVE_WOLFSSL_X509_CHECK_HOST)
+  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
+    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
+  ENDIF()
 ELSE()
   SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
   SET(SSL_LIB crypto ssl)
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 21abf61..c830618 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -203,7 +203,7 @@  static void ustream_ssl_error(struct ustream_ssl *us, int ret)
 	uloop_timeout_set(&us->error_timer, 0);
 }
 
-#ifndef WOLFSSL_OPENSSL_H_
+#ifndef NO_X509_CHECK_HOST
 
 static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
 {
@@ -212,10 +212,15 @@  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
 	if (!us->peer_cn)
 		return false;
 
+# ifndef WOLFSSL_OPENSSL_H_
 	ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+# else
+	ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
+# endif
 	return ret == 1;
 }
 
+#endif
 
 static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 {
@@ -235,11 +240,12 @@  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 		return;
 
 	us->valid_cert = true;
+#ifndef NO_X509_CHECK_HOST
 	us->valid_cn = ustream_ssl_verify_cn(us, cert);
+#endif
 	X509_free(cert);
 }
 
-#endif
 
 __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 {
@@ -252,9 +258,7 @@  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 		r = SSL_connect(ssl);
 
 	if (r == 1) {
-#ifndef WOLFSSL_OPENSSL_H_
 		ustream_ssl_verify_cert(us);
-#endif
 		return U_SSL_OK;
 	}