OCSP verification issue when the response is for a certificate with no relation to the chain in question, BUT that response contains the NoCheck extension, which effectively disables ALL verification of that one cert.
Signed-off-by: Eneas U de Queiroz <cotequei...@gmail.com>
---
 package/libs/wolfssl/Makefile | 2 +-
 ...-handling-of-OCSP-no-check-extension.patch | 49 +++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
diff --git a/package/libs/wolfssl/Makefile b/package/libs/wolfssl/Makefile
index 631576a58e..d123e7a875 100644
--- a/package/libs/wolfssl/Makefile
+++ b/package/libs/wolfssl/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=wolfssl
 PKG_VERSION:=4.7.0-stable
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://github.com/wolfSSL/wolfssl/archive/v$(PKG_VERSION)
diff --git a/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
new file mode 100644
index 0000000000..6fb62b2033
--- /dev/null
+++ b/package/libs/wolfssl/patches/210-OCSP-improve-handling-of-OCSP-no-check-extension.patch
@@ -0,0 +1,49 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Sean Parkinson <s...@wolfssl.com>
+Date: Fri, 16 Jul 2021 12:19:39 +1000
+Subject: [PATCH] OCSP: improve handling of OCSP no check extension
+
+(cherry picked from commit f93083be72a3b3d956b52a7ec13f307a27b6e093)
+
+diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
+index bbf71e3c1..966035f5b 100644
+--- a/wolfcrypt/src/asn.c
++++ b/wolfcrypt/src/asn.c
+@@ -9751,9 +9751,13 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
+ }
+
+ #ifdef HAVE_OCSP
+- /* trust for the lifetime of the responder's cert*/
+- if (cert->ocspNoCheckSet && verify == VERIFY_OCSP)
+- verify = NO_VERIFY;
++ if (verify == VERIFY_OCSP_CERT) {
++ /* trust for the lifetime of the responder's cert*/
++ if (cert->ocspNoCheckSet)
++ verify = VERIFY;
++ else
++ verify = VERIFY_OCSP;
++ }
+ #endif
+ /* advance past extensions */
+ cert->srcIdx = cert->sigIndex;
+@@ -17542,7 +17546,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
+
+ /* Don't verify if we don't have access to Cert Manager. */
+ ret = ParseCertRelative(&cert, CERT_TYPE,
+- noVerify ? NO_VERIFY : VERIFY_OCSP, cm);
++ noVerify ? NO_VERIFY : VERIFY_OCSP_CERT, cm);
+ if (ret < 0) {
+ WOLFSSL_MSG("\tOCSP Responder certificate parsing failed");
+ FreeDecodedCert(&cert);
+diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
+index e412c1d06..e3cddf5b4 100644
+--- a/wolfssl/wolfcrypt/asn.h
++++ b/wolfssl/wolfcrypt/asn.h
+@@ -589,6 +589,7 @@ enum VerifyType {
+ VERIFY_OCSP = 3,
+ VERIFY_NAME = 4,
+ VERIFY_SKIP_DATE = 5,
++ VERIFY_OCSP_CERT = 6,
+ };
+
+ #ifdef WOLFSSL_CERT_EXT
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
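Review bot: The comment carried over into the new branch in the ParseCertRelative hunk, `/* trust for the lifetime of the responder's cert*/`, no longer matches what the code does: the no-check case now maps VERIFY_OCSP_CERT to VERIFY instead of NO_VERIFY, so the responder certificate is still verified and only the OCSP-specific mode is dropped, which is exactly the fix the cover text describes. I would reword it to something like `/* id-pkix-ocsp-nocheck: do not check the responder cert's revocation status, but still verify its signature and validity */`, assuming that is the distinction between VERIFY and VERIFY_OCSP in asn.c, which is not on the page. Both ParseCertRelative and DecodeBasicOcspResponse start and end outside the embedded hunks, and the `noVerify ? NO_VERIFY : ...` path in DecodeBasicOcspResponse still skips all verification when no cert manager is present, so that caveat is unchanged by the backport. Since this is a security-relevant behaviour change, the OpenWrt patch body should also name the upstream release that contains the fix so the patch can be retired on the next version bump.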