
[OpenWrt-Devel,ustream-ssl,v2,3/3] wolfssl: enable CN validation

Message ID 20190919021803.31271-4-cotequeiroz@gmail.com
State Accepted
Delegated to: Hauke Mehrtens
Series [OpenWrt-Devel,ustream-ssl,1/2] ustream-io-cyassl.c: fix client-mode connections | expand

Commit Message

Eneas U de Queiroz Sept. 19, 2019, 2:18 a.m. UTC
WolfSSL added a wolfSSL_X509_check_host function to perform CN
validation in v3.10.4, depending on the build-time configure options:
--enable-nginx enables it for all supported versions;
--enable-opensslextra, since v3.14.2.

If the function is unavailable, then SSL_get_verify_result will be
called, and 'valid_cert' will be true if that call succeeds and we
have a peer certificate, just as it happens with openssl. Only
'valid_cn' will not be set.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>

Comments

Hauke Mehrtens Sept. 20, 2019, 8:43 p.m. UTC | #1
On 9/19/19 4:18 AM, Eneas U de Queiroz wrote:
> WolfSSL added a wolfSSL_X509_check_host function to perform CN
> validation in v3.10.4, depending on the build-time configure options:
> --enable-nginx enables it for all supported versions;
> --enable-opensslextra, since v3.14.2.
> 
> If the function is unavailable, then SSL_get_verify_result will be
> called, and 'valid_cert' will be true if that call suceeds and we
> have a peer certificate, just as it happens with openssl. Only
> 'valid_cn' will not be set.
> 
> Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
> 
> diff --git a/CMakeLists.txt b/CMakeLists.txt
> index 6b3fc8c..86e1b07 100644
> --- a/CMakeLists.txt
> +++ b/CMakeLists.txt
> @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
>    IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
>      ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
>    ENDIF()
> +  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
> +		       "wolfssl/options.h;wolfssl/ssl.h"
> +		       HAVE_WOLFSSL_X509_CHECK_HOST)
> +  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
> +    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
> +  ENDIF()
>  ELSE()
>    SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
>    SET(SSL_LIB crypto ssl)
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 21abf61..c830618 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
>  	uloop_timeout_set(&us->error_timer, 0);
>  }
>  
> -#ifndef WOLFSSL_OPENSSL_H_
> +#ifndef NO_X509_CHECK_HOST
>  
>  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
>  {
> @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
>  	if (!us->peer_cn)
>  		return false;
>  
> +# ifndef WOLFSSL_OPENSSL_H_
>  	ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
> +# else
> +	ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
> +# endif
>  	return ret == 1;
>  }
>  
> +#endif
>  
>  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
>  {
> @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
>  		return;
>  
>  	us->valid_cert = true;
> +#ifndef NO_X509_CHECK_HOST
>  	us->valid_cn = ustream_ssl_verify_cn(us, cert);
> +#endif
>  	X509_free(cert);
>  }
>  
> -#endif
>  
>  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
>  {
> @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
>  		r = SSL_connect(ssl);
>  
>  	if (r == 1) {
> -#ifndef WOLFSSL_OPENSSL_H_
>  		ustream_ssl_verify_cert(us);
> -#endif
>  		return U_SSL_OK;
>  	}

I am getting this error message with this patch:

[ 12%] Building C object CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o
In file included from
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-internal.h:27:0,
                 from
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-ssl.c:25:
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:
In function '__ustream_ssl_set_server_name':
/home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:48:2:
error: implicit declaration of function 'SSL_set_tlsext_host_name'; did
you mean 'SSL_set_tlsext_debug_arg'? [-Werror=implicit-function-declaration]
  SSL_set_tlsext_host_name(us->ssl, us->server_name);
  ^~~~~~~~~~~~~~~~~~~~~~~~
  SSL_set_tlsext_debug_arg
cc1: all warnings being treated as errors
make[6]: *** [CMakeFiles/ustream-ssl.dir/build.make:63:
CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o] Error 1


and this config:
CONFIG_WOLFSSL_HAS_AES_CCM=y
CONFIG_WOLFSSL_HAS_ARC4=y
CONFIG_WOLFSSL_HAS_CHACHA_POLY=y
CONFIG_WOLFSSL_HAS_DH=y
CONFIG_WOLFSSL_HAS_NO_HW=y
CONFIG_WOLFSSL_HAS_OCSP=y
CONFIG_WOLFSSL_HAS_SESSION_TICKET=y
CONFIG_WOLFSSL_HAS_TLSV10=y
CONFIG_WOLFSSL_HAS_TLSV13=y
CONFIG_WOLFSSL_HAS_WPAS=y


Hauke
Eneas U de Queiroz Sept. 21, 2019, 3:08 a.m. UTC | #2
I just realized now that my reply went to Hauke only, so I'm sending
it again to the mailing list, as it may be useful for more people.

On Fri, Sep 20, 2019 at 5:43 PM Hauke Mehrtens <hauke@hauke-m.de> wrote:
>
> On 9/19/19 4:18 AM, Eneas U de Queiroz wrote:
> > WolfSSL added a wolfSSL_X509_check_host function to perform CN
> > validation in v3.10.4, depending on the build-time configure options:
> > --enable-nginx enables it for all supported versions;
> > --enable-opensslextra, since v3.14.2.
> >
> > If the function is unavailable, then SSL_get_verify_result will be
> > called, and 'valid_cert' will be true if that call suceeds and we
> > have a peer certificate, just as it happens with openssl. Only
> > 'valid_cn' will not be set.
> >
> > Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
> >
> > diff --git a/CMakeLists.txt b/CMakeLists.txt
> > index 6b3fc8c..86e1b07 100644
> > --- a/CMakeLists.txt
> > +++ b/CMakeLists.txt
> > @@ -21,6 +21,12 @@ ELSEIF(WOLFSSL)
> >    IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
> >      ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
> >    ENDIF()
> > +  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
> > +                    "wolfssl/options.h;wolfssl/ssl.h"
> > +                    HAVE_WOLFSSL_X509_CHECK_HOST)
> > +  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
> > +    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
> > +  ENDIF()
> >  ELSE()
> >    SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
> >    SET(SSL_LIB crypto ssl)
> > diff --git a/ustream-openssl.c b/ustream-openssl.c
> > index 21abf61..c830618 100644
> > --- a/ustream-openssl.c
> > +++ b/ustream-openssl.c
> > @@ -203,7 +203,7 @@ static void ustream_ssl_error(struct ustream_ssl *us, int ret)
> >       uloop_timeout_set(&us->error_timer, 0);
> >  }
> >
> > -#ifndef WOLFSSL_OPENSSL_H_
> > +#ifndef NO_X509_CHECK_HOST
> >
> >  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
> >  {
> > @@ -212,10 +212,15 @@ static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
> >       if (!us->peer_cn)
> >               return false;
> >
> > +# ifndef WOLFSSL_OPENSSL_H_
> >       ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
> > +# else
> > +     ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
> > +# endif
> >       return ret == 1;
> >  }
> >
> > +#endif
> >
> >  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
> >  {
> > @@ -235,11 +240,12 @@ static void ustream_ssl_verify_cert(struct ustream_ssl *us)
> >               return;
> >
> >       us->valid_cert = true;
> > +#ifndef NO_X509_CHECK_HOST
> >       us->valid_cn = ustream_ssl_verify_cn(us, cert);
> > +#endif
> >       X509_free(cert);
> >  }
> >
> > -#endif
> >
> >  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
> >  {
> > @@ -252,9 +258,7 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
> >               r = SSL_connect(ssl);
> >
> >       if (r == 1) {
> > -#ifndef WOLFSSL_OPENSSL_H_
> >               ustream_ssl_verify_cert(us);
> > -#endif
> >               return U_SSL_OK;
> >       }
>
> I am getting this error message with this patch:
>
> [ 12%] Building C object CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o
> In file included from
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-internal.h:27:0,
>                  from
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-ssl.c:25:
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:
> In function '__ustream_ssl_set_server_name':
> /home/hauke/openwrt/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-wolfssl/ustream-ssl-2019-08-17-e8f9c22d/ustream-openssl.h:48:2:
> error: implicit declaration of function 'SSL_set_tlsext_host_name'; did
> you mean 'SSL_set_tlsext_debug_arg'? [-Werror=implicit-function-declaration]
>   SSL_set_tlsext_host_name(us->ssl, us->server_name);
>   ^~~~~~~~~~~~~~~~~~~~~~~~
>   SSL_set_tlsext_debug_arg
> cc1: all warnings being treated as errors
> make[6]: *** [CMakeFiles/ustream-ssl.dir/build.make:63:
> CMakeFiles/ustream-ssl.dir/ustream-ssl.c.o] Error 1
>
>
> and this config:
> CONFIG_WOLFSSL_HAS_AES_CCM=y
> CONFIG_WOLFSSL_HAS_ARC4=y
> CONFIG_WOLFSSL_HAS_CHACHA_POLY=y
> CONFIG_WOLFSSL_HAS_DH=y
> CONFIG_WOLFSSL_HAS_NO_HW=y
> CONFIG_WOLFSSL_HAS_OCSP=y
> CONFIG_WOLFSSL_HAS_SESSION_TICKET=y
> CONFIG_WOLFSSL_HAS_TLSV10=y
> CONFIG_WOLFSSL_HAS_TLSV13=y
> CONFIG_WOLFSSL_HAS_WPAS=y
>
>
> Hauke
>
>

I should have mentioned it before, but you need to update the
references from cyassl to wolfssl in openwrt to be able to compile it.
I will send the patch to openwrt once ustream-ssl is updated.
Meanwhile, this should do the trick:

--- a/package/libs/ustream-ssl/Makefile
+++ b/package/libs/ustream-ssl/Makefile
@@ -49,8 +49,8 @@ define Package/libustream-mbedtls
 endef

 ifeq ($(BUILD_VARIANT),wolfssl)
-  TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/cyassl -DHAVE_SNI
-  CMAKE_OPTIONS += -DCYASSL=on
+  TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/wolfssl
+  CMAKE_OPTIONS += -DWOLFSSL=on
 endif
 ifeq ($(BUILD_VARIANT),mbedtls)
   CMAKE_OPTIONS += -DMBEDTLS=on

Patch

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6b3fc8c..86e1b07 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,6 +21,12 @@  ELSEIF(WOLFSSL)
   IF (NOT HAVE_WOLFSSL_SSLSETIORECV)
     ADD_DEFINITIONS(-DNO_WOLFSSL_SSLSETIO_SEND_RECV)
   ENDIF()
+  CHECK_SYMBOL_EXISTS (wolfSSL_X509_check_host
+		       "wolfssl/options.h;wolfssl/ssl.h"
+		       HAVE_WOLFSSL_X509_CHECK_HOST)
+  IF (NOT HAVE_WOLFSSL_X509_CHECK_HOST)
+    ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)
+  ENDIF()
 ELSE()
   SET(SSL_SRC ustream-io-openssl.c ustream-openssl.c)
   SET(SSL_LIB crypto ssl)
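Review bot: A failed CHECK_SYMBOL_EXISTS here silently disables peer hostname validation for the wolfSSL build, because the only consequence of the check failing is `ADD_DEFINITIONS(-DNO_X509_CHECK_HOST)`. The commit message says the symbol's presence depends on wolfSSL's configure options, and the check also depends on the include path it runs with, so a broken build environment is indistinguishable from a genuinely old library. Adding `MESSAGE(WARNING "wolfSSL_X509_check_host not found; peer hostname (CN) validation is disabled")` inside the IF block would make the degradation visible in the build log. Whether CMAKE_REQUIRED_INCLUDES is set for this check is not visible in the hunk.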
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 21abf61..c830618 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -203,7 +203,7 @@  static void ustream_ssl_error(struct ustream_ssl *us, int ret)
 	uloop_timeout_set(&us->error_timer, 0);
 }
 
-#ifndef WOLFSSL_OPENSSL_H_
+#ifndef NO_X509_CHECK_HOST
 
 static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
 {
@@ -212,10 +212,15 @@  static bool ustream_ssl_verify_cn(struct ustream_ssl *us, X509 *cert)
 	if (!us->peer_cn)
 		return false;
 
+# ifndef WOLFSSL_OPENSSL_H_
 	ret = X509_check_host(cert, us->peer_cn, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, NULL);
+# else
+	ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);
+# endif
 	return ret == 1;
 }
 
+#endif
 
 static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 {
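Review bot: The wolfSSL branch at `ret = wolfSSL_X509_check_host(cert, us->peer_cn, 0, 0, NULL);` passes flags 0, while the OpenSSL branch passes X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS, so the two builds may accept different wildcard forms and nothing in the code says the difference is intentional. If wolfSSL's implementation ignores the flags argument, a comment such as `/* wolfSSL's check_host ignores flags; wildcard handling is the library default */` would record that; if it honours the flag, passing the same one would keep the two backends aligned — which of the two applies should be confirmed against the wolfSSL version in use. ustream_ssl_verify_cn's signature and the declaration of ret are outside this hunk (the function opens in the preceding hunk).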
@@ -235,11 +240,12 @@  static void ustream_ssl_verify_cert(struct ustream_ssl *us)
 		return;
 
 	us->valid_cert = true;
+#ifndef NO_X509_CHECK_HOST
 	us->valid_cn = ustream_ssl_verify_cn(us, cert);
+#endif
 	X509_free(cert);
 }
 
-#endif
 
 __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 {
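Review bot: When NO_X509_CHECK_HOST is defined, `us->valid_cn` is left untouched after `us->valid_cert = true;`, so it keeps whatever value it held before the handshake; if the ustream_ssl struct is reused across connections or is not zero-initialised (not visible here), a stale true could survive. Making the fallback explicit with `#else` followed by `us->valid_cn = false;` pins the documented behaviour ("valid_cn will not be set") to a defined value and lets callers treat valid_cert && !valid_cn as "hostname not checked". The start of ustream_ssl_verify_cert, including how cert is obtained, is outside this hunk.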
@@ -252,9 +258,7 @@  __hidden enum ssl_conn_status __ustream_ssl_connect(struct ustream_ssl *us)
 		r = SSL_connect(ssl);
 
 	if (r == 1) {
-#ifndef WOLFSSL_OPENSSL_H_
 		ustream_ssl_verify_cert(us);
-#endif
 		return U_SSL_OK;
 	}