FS#4188 - libwolfssl can't authenticate ip address ssl certificates #9168

Open
openwrt-bot opened this issue Dec 16, 2021 · 3 comments
Labels
core packages pull request/issue for core (in-tree) packages flyspray release/21.02 pull request/issue targeted (also) for OpenWrt 21.02 release

Comments

@openwrt-bot

Alozxy:

Recently I found that libwolfssl could not authenticate some IP address SSL certificates. A strange thing is that some URLs (like https://1.1.1.1/) can be authenticated successfully, but others cannot (like https://223.5.5.5/), and it just happens on my mt7621 router Xiaomi Redmi AC2100 but cannot be reproduced on the ipq4019 router MobiPromo CM520-79F.

And then I dug deeper into the source code and found the bug.

https://raw.githubusercontent.com/wolfSSL/wolfssl/v4.8.1-stable/src/internal.c

In line 10097, the macro XSNPRINTF would expand to snprintf, and altName->name[i] has a char type.
On different platforms, char is not always unsigned; if altName->name[i] is a signed char and is larger than 127, it will then be converted into unsigned int incorrectly and print the wrong string.

The problem seems to be solved in wolfssl v5.0 because I saw some changes to the relevant code, but the wolfssl in OpenWrt 21.02 is still v4.8.1-stable. I think maybe we can either upgrade the package or add a patch to the existing code?
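
The sign-extension problem described in this report, shown as an added example that is not part of the original thread and is not wolfSSL's code. Here `signed char` stands in for a platform where plain `char` is signed; the function names and the SAN byte arrays are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: 4-byte iPAddress SAN values for the two hosts
 * named in the report. */
static const unsigned char SAN_LOW[4]  = { 1, 1, 1, 1 };      /* 1.1.1.1   */
static const unsigned char SAN_HIGH[4] = { 223, 5, 5, 5 };    /* 223.5.5.5 */

/* Behaviour on a platform where plain char is signed: an octet above 127
 * is negative, and widening it for %u yields a huge unsigned value. */
static int fmt_ip_signed(const unsigned char *san, char *out, size_t n)
{
    const signed char *p = (const signed char *)san;
    return snprintf(out, n, "%u.%u.%u.%u", (unsigned)p[0], (unsigned)p[1],
                    (unsigned)p[2], (unsigned)p[3]);
}

/* Portable form: read each octet as an unsigned byte before widening. */
static int fmt_ip_bytes(const unsigned char *san, char *out, size_t n)
{
    return snprintf(out, n, "%u.%u.%u.%u", (unsigned)san[0], (unsigned)san[1],
                    (unsigned)san[2], (unsigned)san[3]);
}

typedef int (*fmt_fn)(const unsigned char *, char *, size_t);

/* Returns 1 when the SAN, rendered by fmt, equals the host being verified. */
static int san_ip_matches(fmt_fn fmt, const unsigned char *san, const char *host)
{
    char buf[48];  /* room for four 10-digit fields, dots and NUL */
    int len = fmt(san, buf, sizeof buf);
    if (len < 0 || (size_t)len >= sizeof buf)
        return 0;  /* formatting failed or was truncated: no match */
    return strcmp(buf, host) == 0;
}

int main(void)
{
    char buf[48];
    fmt_ip_signed(SAN_HIGH, buf, sizeof buf);
    printf("signed char rendering: %s\n", buf);
    printf("signed:   1.1.1.1=%d 223.5.5.5=%d\n",
           san_ip_matches(fmt_ip_signed, SAN_LOW, "1.1.1.1"),
           san_ip_matches(fmt_ip_signed, SAN_HIGH, "223.5.5.5"));
    printf("unsigned: 1.1.1.1=%d 223.5.5.5=%d\n",
           san_ip_matches(fmt_ip_bytes, SAN_LOW, "1.1.1.1"),
           san_ip_matches(fmt_ip_bytes, SAN_HIGH, "223.5.5.5"));
    return 0;
}
```

Addresses whose octets are all below 128 render identically in both variants, which is why only some hosts fail verification on the affected platform.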

@openwrt-bot
Author

svlobanov:

Can you try to build firmware from trunk for your Xiaomi AC2100 with this patch #4910?
If you use ustream-ssl, then you will also need this patch
http://lists.openwrt.org/pipermail/openwrt-devel/2022-January/037485.html

@openwrt-bot
Author

Alozxy:

That works, thank you!

@openwrt-bot
Author

svlobanov:

@Alozxy could you please add a Tested-by: tag to the PR as a comment? It might speed up accepting the PR.

@aparcar aparcar added release/21.02 pull request/issue targeted (also) for OpenWrt 21.02 release core packages pull request/issue for core (in-tree) packages labels Feb 22, 2022