diff --git a/configure.ac b/configure.ac
index 281281cb9..16c2116fc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3578,21 +3578,25 @@ fi
# CRL
AC_ARG_ENABLE([crl],
- [AS_HELP_STRING([--enable-crl],[Enable CRL (default: disabled)])],
+ [AS_HELP_STRING([--enable-crl],[Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)])],
[ ENABLED_CRL=$enableval ],
[ ENABLED_CRL=no ],
)
-
-if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes"
+if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \
+ test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes"
then
ENABLED_CRL=yes
fi
-if test "$ENABLED_CRL" = "yes"
+if test "$ENABLED_CRL" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
+if test "$ENABLED_CRL" == "io"
+then
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO"
+fi
# CRL Monitor
@@ -6745,7 +6749,7 @@ AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
-AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
+AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
AM_CONDITIONAL([BUILD_USER_RSA],[test "x$ENABLED_USER_RSA" = "xyes"] )
AM_CONDITIONAL([BUILD_USER_CRYPTO],[test "x$ENABLED_USER_CRYPTO" = "xyes"])
diff --git a/src/crl.c b/src/crl.c
index 6d7ab338f..9b1fb74d0 100644
--- a/src/crl.c
+++ b/src/crl.c
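Review bot: `if test "$ENABLED_CRL" == "io"` uses the bash-only `==`; on a POSIX `/bin/sh` such as dash, `test` fails with "unexpected operator", the branch is skipped, and `--enable-crl=io` silently yields a build without `-DHAVE_CRL_IO`. The fix is the single `=` every neighbouring test already uses: `if test "$ENABLED_CRL" = "io"`. Because the preceding check now accepts anything other than `no`, a typo such as `--enable-crl=ios` also passes silently as a plain CRL build; a `case "$ENABLED_CRL" in yes|no|io) ;; *) AC_MSG_ERROR([unknown --enable-crl value]) ;; esac` would reject it. The help text describes `io` as an inline HTTP GET of the CRL, so a comment at the `HAVE_CRL_IO` line noting that this turns on a blocking, cleartext fetch during certificate verification would help packagers not enable it by accident.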
@@ -385,7 +385,9 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
#endif
if (foundEntry == 0) {
WOLFSSL_MSG("Couldn't find CRL for status check");
- ret = CRL_MISSING;
+ if (ret != CRL_CERT_DATE_ERR) {
+ ret = CRL_MISSING;
+ }
if (crl->cm->cbMissingCRL) {
char url[256];
diff --git a/src/internal.c b/src/internal.c
index c7c9c461c..2a85fb191 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -11965,7 +11965,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
- (ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) {
+ (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+ ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
@@ -12745,7 +12746,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
- (ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) {
+ (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+ ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
@@ -19805,9 +19807,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case NOT_CA_ERROR:
return "Not a CA by basic constraint error";
- case HTTP_TIMEOUT:
- return "HTTP timeout for OCSP or CRL req";
-
case BAD_CERT_MANAGER_ERROR:
return "Bad Cert Manager error";
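Review bot: `if (ret != CRL_CERT_DATE_ERR) { ret = CRL_MISSING; }` still overwrites every other non-zero `ret` the lookup above may have left, so if that walk can fail for reasons other than a stale nextUpdate (a CRL whose signature did not verify, say), the caller is told the CRL is merely missing; CheckCertCRL's body begins before this hunk, so what `ret` can hold here is not visible and this needs checking against it. If only the date case is meant to survive, the current form is fine but deserves a comment; if any earlier failure should survive, `if (ret == 0) { ret = CRL_MISSING; }` does that without enumerating codes and keeps the date behaviour. Suggested comment either way: `/* a CRL for this issuer was found but its nextUpdate has passed: report that instead of "missing" (cbMissingCRL still fires so the app can refresh it) */` — the parenthetical is inferred from the call just below and should be confirmed.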
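Review bot: The condition `ret == CRL_MISSING || ret == CRL_CERT_REVOKED || ret == CRL_CERT_DATE_ERR` is now duplicated verbatim here and in the second ProcessPeerCerts hunk, so the next CRL code will have to be added in two places; a small helper such as `static int IsIgnorableCrlError(int ret)` used at both sites keeps them in step. A comment at the condition should also say why a stale CRL is folded in with missing and revoked, e.g. `/* verifyNone: CRL outcome is informational, so a past-nextUpdate CRL is not fatal either */`. ProcessPeerCerts starts and ends outside the hunk.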
@@ -20060,6 +20059,23 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case SOCKET_FILTERED_E:
return "Session stopped by network filter";
+#ifdef HAVE_HTTP_CLIENT
+ case HTTP_TIMEOUT:
+ return "HTTP timeout for OCSP or CRL req";
+ case HTTP_RECV_ERR:
+ return "HTTP Receive error";
+ case HTTP_HEADER_ERR:
+ return "HTTP Header error";
+ case HTTP_PROTO_ERR:
+ return "HTTP Protocol error";
+ case HTTP_STATUS_ERR:
+ return "HTTP Status error";
+ case HTTP_VERSION_ERR:
+ return "HTTP Version error";
+ case HTTP_APPSTR_ERR:
+ return "HTTP Application string error";
+#endif
+
default :
return "unknown error number";
}
diff --git a/src/wolfio.c b/src/wolfio.c
index 6f544bb62..e7234075e 100644
--- a/src/wolfio.c
+++ b/src/wolfio.c
@@ -1138,7 +1138,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
}
WOLFSSL_MSG("wolfIO_HttpProcessResponse recv http from peer failed");
- return -1;
+ return HTTP_RECV_ERR;
}
}
end = XSTRSTR(start, "\r\n"); /* locate end */
@@ -1158,7 +1158,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
}
else {
WOLFSSL_MSG("wolfIO_HttpProcessResponse header ended early");
- return -1;
+ return HTTP_HEADER_ERR;
}
}
else {
@@ -1176,13 +1176,13 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
if (XSTRLEN(start) < 12) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse HTTP header "
"too short.");
- return -1;
+ return HTTP_HEADER_ERR;
}
if (XSTRNCASECMP(start, HTTP_PROTO, sizeof(HTTP_PROTO) - 1) != 0) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse HTTP header "
"doesn't start with HTTP/1.");
- return -1;
+ return HTTP_PROTO_ERR;
}
/* +2 for HTTP minor version and space between version and
* status code. */
@@ -1191,7 +1191,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
sizeof(HTTP_STATUS_200) - 1) != 0) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse HTTP header "
"doesn't have status code 200.");
- return -1;
+ return HTTP_STATUS_ERR;
}
state = phr_http_start;
break;
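Review bot: The strings for HTTP_TIMEOUT and the six new HTTP_* codes are compiled only under `#ifdef HAVE_HTTP_CLIENT`, while the error-ssl.h hunk adds the codes to enum wolfSSL_ErrorCodes unconditionally and the earlier hunk in this file dropped HTTP_TIMEOUT's unconditional case without any hunk removing its enumerator. In a build without HAVE_HTTP_CLIENT, wolfSSL_ERR_reason_error_string(HTTP_TIMEOUT) therefore regresses from a real message to "unknown error number", and any every-code-has-a-string check run in that configuration will report it. Either drop the guard (the strings cost a few bytes and the codes exist regardless) or put the enumerators under the same `#ifdef` so code and string stay together. wolfSSL_ERR_reason_error_string starts outside the hunk.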
@@ -1201,7 +1201,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
if (XSTRLEN(start) < 13) { /* 13 is the shortest of the following next lines we're checking for. */
WOLFSSL_MSG("wolfIO_HttpProcessResponse content type is too short.");
- return -1;
+ return HTTP_VERSION_ERR;
}
if (XSTRNCASECMP(start, "Content-Type:", 13) == 0) {
@@ -1221,7 +1221,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
}
if (appStrList[i] == NULL) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse appstr mismatch");
- return -1;
+ return HTTP_APPSTR_ERR;
}
state = (state == phr_http_start) ? phr_have_type : phr_wait_end;
}
@@ -1510,7 +1510,7 @@ int wolfIO_HttpBuildRequestCrl(const char* url, int urlSz,
int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf,
int httpBufSz)
{
- int result;
+ int ret;
byte *respBuf = NULL;
const char* appStrList[] = {
@@ -1519,14 +1519,15 @@ int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf,
NULL
};
- result = wolfIO_HttpProcessResponse(sfd, appStrList,
+
+ ret = wolfIO_HttpProcessResponse(sfd, appStrList,
&respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_CRL, crl->heap);
- if (result >= 0) {
- result = BufferLoadCRL(crl, respBuf, result, WOLFSSL_FILETYPE_ASN1, 0);
+ if (ret >= 0) {
+ ret = BufferLoadCRL(crl, respBuf, ret, WOLFSSL_FILETYPE_ASN1, 0);
}
XFREE(respBuf, crl->heap, DYNAMIC_TYPE_CRL);
- return result;
+ return ret;
}
int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, int urlSz)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index bfa112152..9ecbe0a87 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
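Review bot: `return HTTP_VERSION_ERR;` is attached to the "content type is too short" check, which tests the length of a header line and has nothing to do with the HTTP version; the earlier hunk's equivalent "HTTP header too short" check returns HTTP_HEADER_ERR and the "doesn't start with HTTP/1." check returns HTTP_PROTO_ERR. A caller mapping codes to causes would be misled here; `return HTTP_HEADER_ERR;` matches the sibling check. If this state is meant to have its own code, name it for what the check detects. wolfIO_HttpProcessResponse starts and ends outside the hunk.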
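Review bot: `ret = BufferLoadCRL(crl, respBuf, ret, WOLFSSL_FILETYPE_ASN1, 0);` hands a CRL that just arrived over cleartext HTTP to the store with a literal `0` as the last argument; if that parameter is the verify flag, the load-time signature check is skipped and the fetched CRL is only as trustworthy as the network path unless it is verified later in the lookup path, which is not visible here. Please confirm and record the answer at the call, e.g. `/* verify=0: signature is checked lazily against the issuer when the CRL is consulted; do not rely on transport integrity */`, or pass the verify value by name. Also, `ret >= 0` lets a zero-length body through to BufferLoadCRL with sz 0 (and possibly respBuf NULL); `ret > 0` rejects it before parsing, assuming the HTTP helper returns the body length on success as the argument order suggests.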
@@ -29554,13 +29554,13 @@ static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
}
#ifdef WOLFSSL_NO_CRL_NEXT_DATE
- if (doNextDate)x
+ if (doNextDate)
#endif
{
#ifndef NO_ASN_TIME
if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL after date is no longer valid");
- return ASN_AFTER_DATE_E;
+ return CRL_CERT_DATE_ERR;
}
#endif
}
@@ -29990,7 +29990,7 @@ end:
/* Next date was set, so validate it. */
if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL after date is no longer valid");
- ret = ASN_AFTER_DATE_E;
+ ret = CRL_CERT_DATE_ERR;
}
}
}
diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
index 7b1252bcf..000d4ca7f 100644
--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
@@ -260,6 +260,9 @@ const char* wc_GetErrorString(int error)
case ASN_CRL_NO_SIGNER_E :
return "ASN CRL no signer error to confirm failure";
+ case CRL_CERT_DATE_ERR:
+ return "CRL date error";
+
case ASN_OCSP_CONFIRM_E :
return "ASN OCSP sig error, confirm failure";
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index 6ed321220..a323d2909 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -1641,7 +1641,7 @@ WOLFSSL_TEST_SUBROUTINE int error_test(void)
/* Values that are not or no longer error codes. */
int missing[] = { -122, -123, -124, -127, -128, -129, -163, -164, -165, -166, -167, -168, -169,
- -179, -233,
+ -233,
0 };
/* Check that all errors have a string and it's the same through the two
diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h
index 0c3399d3e..019447493 100644
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
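Review bot: Returning CRL_CERT_DATE_ERR instead of ASN_AFTER_DATE_E from ParseCRL_CertList changes the value callers of the CRL-loading API see for a CRL whose nextUpdate has passed; anyone matching ASN_AFTER_DATE_E (to treat a stale CRL as reload-me rather than a parse failure, for instance) silently stops matching, so the switch deserves a release-note line and a comment here: `/* CRL_CERT_DATE_ERR rather than ASN_AFTER_DATE_E so callers can tell a stale CRL from a bad cert date */`. The stray `x` removed from `if (doNextDate)x` also shows the WOLFSSL_NO_CRL_NEXT_DATE branch did not compile before this change, i.e. that configuration has no build coverage; adding it to CI alongside this fix would catch the next such break. ParseCRL_CertList starts before the hunk.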
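Review bot: "CRL date error" is vaguer than the condition that raises it — both asn.c hunks in this diff set CRL_CERT_DATE_ERR only when the CRL's nextUpdate is in the past — so a log line carrying this string does not tell an operator whether the CRL is stale or its dates were malformed. `return "CRL nextUpdate date has passed";` says which, provided no other site raises the code for a different reason. The neighbouring cases are written `case ASN_CRL_NO_SIGNER_E :` with a space before the colon; `case CRL_CERT_DATE_ERR :` would match the file's style.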
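Review bot: Dropping -179 from `missing[]` revives a value the table documented as "not or no longer error codes", so CRL_CERT_DATE_ERR reuses a retired number; any consumer, log parser or documentation table that still maps -179 to its previous meaning will mislabel the new error. If retired values are meant to stay retired, allocate the next free code instead and leave -179 in the list. error_test starts and ends outside the hunk.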
@@ -52,7 +52,6 @@ enum wolfSSL_ErrorCodes {
RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */
NO_DH_PARAMS = -319, /* server missing DH params */
BUILD_MSG_ERROR = -320, /* build message failure */
-
BAD_HELLO = -321, /* client hello malformed */
DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
WANT_READ = -323, /* want read, call again */
@@ -113,6 +112,7 @@ enum wolfSSL_ErrorCodes {
UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */
UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */
KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */
+
KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */
EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */
SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */
@@ -171,8 +171,13 @@ enum wolfSSL_ErrorCodes {
NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */
APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */
TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */
-
SOCKET_FILTERED_E = -443, /* Session stopped by network filter */
+ HTTP_RECV_ERR = -444, /* HTTP Receive error */
+ HTTP_HEADER_ERR = -445, /* HTTP Header error */
+ HTTP_PROTO_ERR = -446, /* HTTP Protocol error */
+ HTTP_STATUS_ERR = -447, /* HTTP Status error */
+ HTTP_VERSION_ERR = -448, /* HTTP Version error */
+ HTTP_APPSTR_ERR = -449, /* HTTP Application string error */
/* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
index dd6ac1726..f03c6d473 100644
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@@ -117,6 +117,7 @@ enum {
NO_PASSWORD = -176, /* no password provided by user */
ALT_NAME_E = -177, /* alt name size problem, too big */
BAD_OCSP_RESPONDER = -178, /* missing key usage extensions */
+ CRL_CERT_DATE_ERR = -179, /* CRL date error */
AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */
AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */