feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Add crl error override callback

Browse Source
This commit is contained in:
Juliusz Sosinowicz
2024-09-18 11:22:04 +02:00
parent c3900470aa
commit ae6c872797
6 changed files with 93 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/crl.c
View File

@ -536,6 +536,13 @@ int CheckCertCRL_ex(WOLFSSL_CRL* crl, byte* issuerHash, byte* serial,
crl->cm->cbMissingCRL(url); crl->cm->cbMissingCRL(url);
} }
if (crl->cm != NULL && crl->cm->crlCb &&
crl->cm->crlCb(ret, crl, crl->cm, crl->cm->crlCbCtx)) {
if (ret != 0)
WOLFSSL_MSG("Overriding CRL error");
ret = 0;
}
} }
return ret; return ret;

20
src/ssl.c
View File

@ -6007,6 +6007,17 @@ int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
int wolfSSL_SetCRL_ErrorCb(WOLFSSL* ssl, crlErrorCb cb, void* ctx)
{
WOLFSSL_ENTER("wolfSSL_SetCRL_Cb");
if (ssl) {
SSL_CM_WARNING(ssl);
return wolfSSL_CertManagerSetCRL_ErrorCb(SSL_CM(ssl), cb, ctx);
}
else
return BAD_FUNC_ARG;
}
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb) int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb)
{ {
@ -6072,6 +6083,15 @@ int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX* ctx, CbMissingCRL cb)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
int wolfSSL_CTX_SetCRL_ErrorCb(WOLFSSL_CTX* ctx, crlErrorCb cb, void* cbCtx)
{
WOLFSSL_ENTER("wolfSSL_CTX_SetCRL_ErrorCb");
if (ctx)
return wolfSSL_CertManagerSetCRL_ErrorCb(ctx->cm, cb, cbCtx);
else
return BAD_FUNC_ARG;
}
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX* ctx, CbCrlIO cb) int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX* ctx, CbCrlIO cb)
{ {

20
src/ssl_certman.c
View File

@ -1858,6 +1858,26 @@ int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm, CbMissingCRL cb)
return ret; return ret;
} }
int wolfSSL_CertManagerSetCRL_ErrorCb(WOLFSSL_CERT_MANAGER* cm, crlErrorCb cb,
void* ctx)
{
int ret = WOLFSSL_SUCCESS;
WOLFSSL_ENTER("wolfSSL_CertManagerSetCRL_Cb");
/* Validate parameters. */
if (cm == NULL) {
ret = BAD_FUNC_ARG;
}
if (ret == WOLFSSL_SUCCESS) {
/* Store callback. */
cm->crlCb = cb;
cm->crlCbCtx = ctx;
}
return ret;
}
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
/* Set the CRL I/O callback. /* Set the CRL I/O callback.
* *

36
tests/api.c
View File

@ -93450,6 +93450,40 @@ static int test_revoked_loaded_int_cert_ctx_ready2(WOLFSSL_CTX* ctx)
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS); WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
return EXPECT_RESULT(); return EXPECT_RESULT();
} }
static int test_revoked_loaded_int_cert_ctx_ready3_crl_missing_cb(int ret,
WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm, void* ctx)
{
(void)crl;
(void)cm;
(void)ctx;
if (ret == WC_NO_ERR_TRACE(CRL_MISSING))
return 1;
return 0;
}
/* Here we are allowing missing CRL's but want to error out when its revoked */
static int test_revoked_loaded_int_cert_ctx_ready3(WOLFSSL_CTX* ctx)
{
EXPECT_DECLS;
wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, myVerify);
myVerifyAction = VERIFY_USE_PREVERFIY;
ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx,
"./certs/ca-cert.pem", NULL, 0), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx,
"./certs/intermediate/ca-int-cert.pem", NULL, 0), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx,
"./certs/intermediate/ca-int2-cert.pem", NULL, 0), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_EnableCRL(ctx, WOLFSSL_CRL_CHECKALL),
WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_LoadCRLFile(ctx,
"./certs/crl/extra-crls/ca-int-cert-revoked.pem",
WOLFSSL_FILETYPE_PEM), WOLFSSL_SUCCESS);
ExpectIntEQ(wolfSSL_CTX_SetCRL_ErrorCb(ctx,
test_revoked_loaded_int_cert_ctx_ready3_crl_missing_cb, NULL),
WOLFSSL_SUCCESS);
return EXPECT_RESULT();
}
#endif #endif
static int test_revoked_loaded_int_cert(void) static int test_revoked_loaded_int_cert(void)
@ -93471,6 +93505,8 @@ static int test_revoked_loaded_int_cert(void)
"./certs/server-key.pem", test_revoked_loaded_int_cert_ctx_ready2}, "./certs/server-key.pem", test_revoked_loaded_int_cert_ctx_ready2},
{"./certs/intermediate/server-chain-short.pem", {"./certs/intermediate/server-chain-short.pem",
"./certs/server-key.pem", test_revoked_loaded_int_cert_ctx_ready2}, "./certs/server-key.pem", test_revoked_loaded_int_cert_ctx_ready2},
{"./certs/intermediate/server-chain-short.pem",
"./certs/server-key.pem", test_revoked_loaded_int_cert_ctx_ready3},
}; };
size_t i; size_t i;

2
wolfssl/internal.h
View File

@ -2617,6 +2617,8 @@ struct WOLFSSL_CERT_MANAGER {
#endif #endif
CallbackCACache caCacheCallback; /* CA cache addition callback */ CallbackCACache caCacheCallback; /* CA cache addition callback */
CbMissingCRL cbMissingCRL; /* notify thru cb of missing crl */ CbMissingCRL cbMissingCRL; /* notify thru cb of missing crl */
crlErrorCb crlCb; /* Allow user to override error */
void* crlCbCtx;
CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
wolfSSL_Mutex caLock; /* CA list lock */ wolfSSL_Mutex caLock; /* CA list lock */

8
wolfssl/ssl.h
View File

@ -3314,6 +3314,8 @@ WOLFSSL_API int wolfSSL_SetVersion(WOLFSSL* ssl, int version);
typedef void (*CallbackCACache)(unsigned char* der, int sz, int type); typedef void (*CallbackCACache)(unsigned char* der, int sz, int type);
typedef void (*CbMissingCRL)(const char* url); typedef void (*CbMissingCRL)(const char* url);
typedef int (*crlErrorCb)(int ret, WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm,
void* ctx);
typedef int (*CbOCSPIO)(void*, const char*, int, typedef int (*CbOCSPIO)(void*, const char*, int,
unsigned char*, int, unsigned char**); unsigned char*, int, unsigned char**);
typedef void (*CbOCSPRespFree)(void*,unsigned char*); typedef void (*CbOCSPRespFree)(void*,unsigned char*);
@ -3762,6 +3764,8 @@ WOLFSSL_API void wolfSSL_CTX_SetPerformTlsRecordProcessingCb(WOLFSSL_CTX* ctx,
const unsigned char* buff, long sz, int type); const unsigned char* buff, long sz, int type);
WOLFSSL_API int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm, WOLFSSL_API int wolfSSL_CertManagerSetCRL_Cb(WOLFSSL_CERT_MANAGER* cm,
CbMissingCRL cb); CbMissingCRL cb);
WOLFSSL_API int wolfSSL_CertManagerSetCRL_ErrorCb(WOLFSSL_CERT_MANAGER* cm,
crlErrorCb cb, void* ctx);
WOLFSSL_API int wolfSSL_CertManagerFreeCRL(WOLFSSL_CERT_MANAGER* cm); WOLFSSL_API int wolfSSL_CertManagerFreeCRL(WOLFSSL_CERT_MANAGER* cm);
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
WOLFSSL_API int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER* cm, WOLFSSL_API int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER* cm,
@ -3805,6 +3809,8 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(
WOLFSSL_API int wolfSSL_LoadCRLBuffer(WOLFSSL* ssl, WOLFSSL_API int wolfSSL_LoadCRLBuffer(WOLFSSL* ssl,
const unsigned char* buff, long sz, int type); const unsigned char* buff, long sz, int type);
WOLFSSL_API int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb); WOLFSSL_API int wolfSSL_SetCRL_Cb(WOLFSSL* ssl, CbMissingCRL cb);
WOLFSSL_API int wolfSSL_SetCRL_ErrorCb(WOLFSSL* ssl, crlErrorCb cb,
void* ctx);
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
WOLFSSL_API int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb); WOLFSSL_API int wolfSSL_SetCRL_IOCb(WOLFSSL* ssl, CbCrlIO cb);
#endif #endif
@ -3822,6 +3828,8 @@ WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_X509_STORE_get1_certs(
WOLFSSL_API int wolfSSL_CTX_LoadCRLBuffer(WOLFSSL_CTX* ctx, WOLFSSL_API int wolfSSL_CTX_LoadCRLBuffer(WOLFSSL_CTX* ctx,
const unsigned char* buff, long sz, int type); const unsigned char* buff, long sz, int type);
WOLFSSL_API int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX* ctx, CbMissingCRL cb); WOLFSSL_API int wolfSSL_CTX_SetCRL_Cb(WOLFSSL_CTX* ctx, CbMissingCRL cb);
WOLFSSL_API int wolfSSL_CTX_SetCRL_ErrorCb(WOLFSSL_CTX* ctx, crlErrorCb cb,
void* cbCtx);
#ifdef HAVE_CRL_IO #ifdef HAVE_CRL_IO
WOLFSSL_API int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX* ctx, CbCrlIO cb); WOLFSSL_API int wolfSSL_CTX_SetCRL_IOCb(WOLFSSL_CTX* ctx, CbCrlIO cb);
#endif #endif