feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #3673 from elms/ssl_api/get_verify_mode

Browse Source 
SSL: add support for `SSL_get_verify_mode`
This commit is contained in:
toddouska
2021-02-08 15:40:19 -08:00
committed by GitHub
parent 58f9b6ec01 234bf0c209
commit f14f1f37d2
4 changed files with 138 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
src/ssl.c
View File

@ -10655,23 +10655,24 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
if (ctx == NULL)
return;
if (mode & WOLFSSL_VERIFY_PEER) {
ctx->verifyPeer = 1;
ctx->verifyNone = 0; /* in case previously set */
}
ctx->verifyPeer = 0;
ctx->verifyNone = 0;
ctx->failNoCert = 0;
ctx->failNoCertxPSK = 0;
if (mode == WOLFSSL_VERIFY_NONE) {
ctx->verifyNone = 1;
ctx->verifyPeer = 0; /* in case previously set */
}
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
ctx->failNoCert = 1;
}
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
ctx->failNoCert = 0; /* fail on all is set to fail on PSK */
ctx->failNoCertxPSK = 1;
else {
if (mode & WOLFSSL_VERIFY_PEER) {
ctx->verifyPeer = 1;
}
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
ctx->failNoCertxPSK = 1;
}
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
ctx->failNoCert = 1;
}
}
ctx->verifyCallback = vc;
@ -10697,22 +10698,24 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
if (ssl == NULL)
return;
if (mode & WOLFSSL_VERIFY_PEER) {
ssl->options.verifyPeer = 1;
ssl->options.verifyNone = 0; /* in case previously set */
}
ssl->options.verifyPeer = 0;
ssl->options.verifyNone = 0;
ssl->options.failNoCert = 0;
ssl->options.failNoCertxPSK = 0;
if (mode == WOLFSSL_VERIFY_NONE) {
ssl->options.verifyNone = 1;
ssl->options.verifyPeer = 0; /* in case previously set */
}
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT)
ssl->options.failNoCert = 1;
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */
ssl->options.failNoCertxPSK = 1;
else {
if (mode & WOLFSSL_VERIFY_PEER) {
ssl->options.verifyPeer = 1;
}
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
ssl->options.failNoCertxPSK = 1;
}
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
ssl->options.failNoCert = 1;
}
}
ssl->verifyCallback = vc;
@ -45764,24 +45767,57 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \
|| defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
/* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */
int wolfSSL_get_verify_mode(const WOLFSSL* ssl) {
int mode = 0;
WOLFSSL_ENTER("wolfSSL_get_verify_mode");
if (!ssl) {
return WOLFSSL_FAILURE;
}
if (ssl->options.verifyNone) {
mode = WOLFSSL_VERIFY_NONE;
}
else {
if (ssl->options.verifyPeer) {
mode |= WOLFSSL_VERIFY_PEER;
}
if (ssl->options.failNoCert) {
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
if (ssl->options.failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
}
WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
return mode;
}
int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
{
int mode = 0;
WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
if(!ctx)
return WOLFSSL_FATAL_ERROR;
if (!ctx) {
return WOLFSSL_FAILURE;
}
if (ctx->verifyPeer)
mode |= WOLFSSL_VERIFY_PEER;
else if (ctx->verifyNone)
mode |= WOLFSSL_VERIFY_NONE;
if (ctx->failNoCert)
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
if (ctx->failNoCertxPSK)
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
if (ctx->verifyNone) {
mode = WOLFSSL_VERIFY_NONE;
}
else {
if (ctx->verifyPeer) {
mode |= WOLFSSL_VERIFY_PEER;
}
if (ctx->failNoCert) {
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
if (ctx->failNoCertxPSK) {
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
}
}
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
return mode;

61
tests/api.c
View File

@ -32095,6 +32095,66 @@ static void test_wolfSSL_RSA_meth(void)
#endif
}
static void test_wolfSSL_verify_mode(void)
{
#if defined(OPENSSL_ALL)
WOLFSSL* ssl;
WOLFSSL_CTX* ctx;
printf(testingFmt, "test_wolfSSL_verify()");
AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), SSL_SUCCESS);
AssertNotNull(ssl = SSL_new(ctx));
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
SSL_free(ssl);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
AssertNotNull(ssl = SSL_new(ctx));
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
AssertIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
SSL_free(ssl);
wolfSSL_CTX_set_verify(ctx,
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
AssertNotNull(ssl = SSL_new(ctx));
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
AssertIntEQ(SSL_get_verify_mode(ssl),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
SSL_free(ssl);
SSL_CTX_free(ctx);
printf(resultFmt, passed);
#endif
}
static void test_wolfSSL_verify_depth(void)
{
#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_WOLFSSL_CLIENT)
@ -40164,6 +40224,7 @@ void ApiTest(void)
test_wolfSSL_RSA_DER();
test_wolfSSL_RSA_get0_key();
test_wolfSSL_RSA_meth();
test_wolfSSL_verify_mode();
test_wolfSSL_verify_depth();
test_wolfSSL_HMAC_CTX();
test_wolfSSL_msg_callback();

2
wolfssl/openssl/ssl.h
View File

@ -173,7 +173,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
/* at the moment only returns ok */
#define SSL_get_verify_result wolfSSL_get_verify_result
#define SSL_get_verify_mode wolfSSL_SSL_get_mode
#define SSL_get_verify_mode wolfSSL_get_verify_mode
#define SSL_get_verify_depth wolfSSL_get_verify_depth
#define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode
#define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth

3
wolfssl/ssl.h
View File

@ -3837,7 +3837,8 @@ WOLFSSL_API int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names);
defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx);
WOLFSSL_API int wolfSSL_get_verify_mode(const WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx);
#endif