[openwrt/openwrt] wolfssl: build with WOLFSSL_ALT_CERT_CHAINS

LEDE Commits lede-commits at lists.infradead.org
Sun Oct 17 07:27:24 PDT 2021


blocktrron pushed a commit to openwrt/openwrt.git, branch openwrt-21.02:
https://git.openwrt.org/4b212b1306a93b6ebd450a4b1066ddf906035f4d

commit 4b212b1306a93b6ebd450a4b1066ddf906035f4d
Author: Andre Heider <a.heider at gmail.com>
AuthorDate: Wed Oct 6 10:54:48 2021 +0200

    wolfssl: build with WOLFSSL_ALT_CERT_CHAINS
    
    "Alternate certification chains, as opposed to requiring full chain
    validation. Certificate validation behavior is relaxed, similar to
    openssl and browsers. Only the peer certificate must validate to a trusted
    certificate. Without this, all certificates sent by a peer must be
    used in the trust chain or the connection will be rejected."
    
    This fixes e.g. uclient-fetch and curl connecting to servers using a Let's
    Encrypt certificate which is cross-signed by the now expired
    DST Root CA X3, see [0].
    
    This is the recommended solution from upstream [1].
    
    The binary size increases by ~12.3kb:
    1236160 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
    1248704 staging_dir/target-mipsel_24kc_musl/usr/lib/libwolfssl.so.4.8.1.39c36f2f
    
    [0] https://github.com/openwrt/packages/issues/16674
    [1] https://github.com/wolfSSL/wolfssl/issues/4443#issuecomment-934926793
    
    Signed-off-by: Andre Heider <a.heider at gmail.com>
    [bump PKG_RELEASE]
    Signed-off-by: David Bauer <mail at david-bauer.net>
    (cherry picked from commit 28d8e6a8711ba78f1684a205e11b0dbd4ff2b2f3)
---
 package/libs/wolfssl/Makefile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 030a0224f5..539f16d399 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -58,7 +58,13 @@ define Package/libwolfssl/config
 	source "$(SOURCE)/Config.in"
 endef
 
-TARGET_CFLAGS += $(FPIC) -DFP_MAX_BITS=8192 -fomit-frame-pointer -flto
+TARGET_CFLAGS += \
+	$(FPIC) \
+	-fomit-frame-pointer \
+	-flto \
+	-DFP_MAX_BITS=8192 \
+	-DWOLFSSL_ALT_CERT_CHAINS
+
 TARGET_LDFLAGS += -flto
 
 # --enable-stunnel needed for OpenSSL API compatibility bits
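Review bot: the trailer says "[bump PKG_RELEASE]" but the diffstat above accounts for the whole change with this single hunk (7 insertions, 1 deletion in the TARGET_CFLAGS block), so PKG_RELEASE is not actually bumped in this patch; either add the bump or drop the note. Since -DWOLFSSL_ALT_CERT_CHAINS deliberately relaxes chain verification (only the peer certificate needs to chain to a trusted root, intermediates sent by the peer no longer have to), a one-line comment above the define in the Makefile referencing the Let's Encrypt / DST Root CA X3 rationale would keep that security-relevant reasoning visible to the next person touching these flags instead of only in the commit message. Minor style point: the extra empty `+` line after `-DWOLFSSL_ALT_CERT_CHAINS` leaves two blank lines before `TARGET_LDFLAGS += -flto`; one is enough.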
