From af3d8426634f65e208c2f0e042e11f9524ef30a9 Mon Sep 17 00:00:00 2001
From: Elms
Date: Thu, 21 Jan 2021 13:37:17 -0800
Subject: [PATCH 1/6] SSL: add support for `SSL_get_verify_mode`
---
 src/ssl.c | 8 ++++++++
 wolfssl/openssl/ssl.h | 2 +-
 wolfssl/ssl.h | 1 +
 3 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 15d78c4f3..1ed7e1140 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -45677,6 +45677,14 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
 #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \
 || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
+int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
+ if(ssl == NULL) {
+ return BAD_FUNC_ARG;
+ }
+
+ return wolfSSL_CTX_get_verify_mode(ssl->ctx);
+}
+
 int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
 {
 int mode = 0;
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 95c0fdb57..ccfdc2f9d 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -173,7 +173,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 /* at the moment only returns ok */
 #define SSL_get_verify_result wolfSSL_get_verify_result
-#define SSL_get_verify_mode wolfSSL_SSL_get_mode
+#define SSL_get_verify_mode wolfSSL_SSL_get_verify_mode
 #define SSL_get_verify_depth wolfSSL_get_verify_depth
 #define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode
 #define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 16692d010..7d25cef62 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3834,6 +3834,7 @@ WOLFSSL_API int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names);
 defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
 defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+WOLFSSL_API int wolfSSL_get_verify_mode(WOLFSSL* ssl);
 WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx);
 #endif
From 7112a6dd7880951cda5b19453853a67c3387f320 Mon Sep 17 00:00:00 2001
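Review bot: The `#if` that guards wolfSSL_get_verify_mode in src/ssl.c and the one around its prototype in wolfssl/ssl.h do not list the same macros, as far as these hunks show: the header's visible lines include `defined(WOLFSSL_HAPROXY)`, the condition in src/ssl.c does not. If a build can define WOLFSSL_HAPROXY without any macro from the src/ssl.c condition, the new function is declared but never compiled, and a caller fails at link time. The first line of the header condition lies outside the hunk, so this needs checking against the full file; if it holds, add `|| defined(WOLFSSL_HAPROXY)` to the src/ssl.c condition. The new definition also puts its opening brace on the signature line, unlike wolfSSL_CTX_get_verify_mode directly below it.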
From: Elms
Date: Thu, 21 Jan 2021 14:20:27 -0800
Subject: [PATCH 2/6] SSL: add test and fix `SSL_get_verify_mode`
---
 tests/api.c | 38 ++++++++++++++++++++++++++++++++++++++
 wolfssl/openssl/ssl.h | 2 +-
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/tests/api.c b/tests/api.c
index acf6deb9b..e7fb058b5 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -32074,6 +32074,43 @@ static void test_wolfSSL_RSA_meth(void)
 #endif
 }
+static void test_wolfSSL_verify_mode(void)
+{
+#if defined(OPENSSL_ALL)
+ WOLFSSL* ssl;
+ WOLFSSL_CTX* ctx;
+
+ printf(testingFmt, "test_wolfSSL_verify()");
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+
+ AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
+ AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
+ AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), SSL_SUCCESS);
+
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
+ SSL_free(ssl);
+
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
+ SSL_free(ssl);
+
+ wolfSSL_CTX_set_verify(ctx,
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl),
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ SSL_free(ssl);
+
+ SSL_CTX_free(ctx);
+ printf(resultFmt, passed);
+#endif
+}
+
+
 static void test_wolfSSL_verify_depth(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_WOLFSSL_CLIENT)
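Review bot: In test_wolfSSL_verify_mode (tests/api.c) the two `AssertTrue(...)` lines around wolfSSL_CTX_use_certificate_file and wolfSSL_CTX_use_PrivateKey_file pass on any non-zero return, so a negative error code, if these functions can return one, would not fail the test. Compare against the success value as the next line already does: `AssertIntEQ(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM), SSL_SUCCESS);`. The body is guarded only by `OPENSSL_ALL` although it needs a client method and certificate files; test_wolfSSL_verify_depth just below also requires `!defined(NO_RSA) && !defined(NO_WOLFSSL_CLIENT)`, and the same condition looks appropriate here. The banner prints "test_wolfSSL_verify()" rather than the function's own name.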
@@ -40135,6 +40172,7 @@ void ApiTest(void)
 test_wolfSSL_RSA_DER();
 test_wolfSSL_RSA_get0_key();
 test_wolfSSL_RSA_meth();
+ test_wolfSSL_verify_mode();
 test_wolfSSL_verify_depth();
 test_wolfSSL_HMAC_CTX();
 test_wolfSSL_msg_callback();
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index ccfdc2f9d..1f009c11c 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -173,7 +173,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 /* at the moment only returns ok */
 #define SSL_get_verify_result wolfSSL_get_verify_result
-#define SSL_get_verify_mode wolfSSL_SSL_get_verify_mode
+#define SSL_get_verify_mode wolfSSL_get_verify_mode
 #define SSL_get_verify_depth wolfSSL_get_verify_depth
 #define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode
 #define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth
From 95d83c98565c32e14d58a1ba2ffb9f691a2c2663 Mon Sep 17 00:00:00 2001
From: Elms
Date: Thu, 21 Jan 2021 16:03:02 -0800
Subject: [PATCH 3/6] SSL: refactor to allow session override or mode
---
 src/ssl.c | 32 ++++++++++++++++++++++++++++----
 tests/api.c | 11 +++++++++++
 2 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 1ed7e1140..51256fde7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10632,6 +10632,11 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
 if (ctx == NULL)
 return;
+ ctx->verifyPeer = 0;
+ ctx->verifyNone = 0;
+ ctx->failNoCert = 0;
+ ctx->failNoCertxPSK = 0;
+
 if (mode & WOLFSSL_VERIFY_PEER) {
 ctx->verifyPeer = 1;
 ctx->verifyNone = 0; /* in case previously set */
@@ -10674,6 +10679,11 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
 if (ssl == NULL)
 return;
+ ssl->options.verifyPeer = 0;
+ ssl->options.verifyNone = 0;
+ ssl->options.failNoCert = 0;
+ ssl->options.failNoCertxPSK = 0;
+
 if (mode & WOLFSSL_VERIFY_PEER) {
 ssl->options.verifyPeer = 1;
 ssl->options.verifyNone = 0; /* in case previously set */
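Review bot: The four resets added at the top of wolfSSL_CTX_set_verify (and the same four in wolfSSL_set_verify, next hunk) change the setter from merging flags into replacing the whole mode, and nothing in the code says so. A caller that first enables `WOLFSSL_VERIFY_PEER` and later calls again with only `WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT` used to keep `verifyPeer` set and now ends with it cleared, which is a weaker configuration than before. Since this matters for peer authentication, state it above the resets, e.g. `/* mode replaces any earlier setting; flags from previous calls are not kept */`, and mention it in the commit description. Both function bodies start and end outside the hunks.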
@@ -45678,11 +45688,25 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
 || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
 int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
- if(ssl == NULL) {
- return BAD_FUNC_ARG;
- }
+ int mode = 0;
+ WOLFSSL_ENTER("wolfSSL_get_verify_mode");
- return wolfSSL_CTX_get_verify_mode(ssl->ctx);
+ if(!ssl)
+ return WOLFSSL_FATAL_ERROR;
+
+ if (ssl->options.verifyPeer)
+ mode |= WOLFSSL_VERIFY_PEER;
+ else if (ssl->options.verifyNone)
+ mode |= WOLFSSL_VERIFY_NONE;
+
+ if (ssl->options.failNoCert)
+ mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+
+ if (ssl->options.failNoCertxPSK)
+ mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+
+ WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
+ return mode;
 }
 int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
diff --git a/tests/api.c b/tests/api.c
index e7fb058b5..4172dbf67 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -32095,6 +32095,11 @@ static void test_wolfSSL_verify_mode(void)
 AssertNotNull(ssl = SSL_new(ctx));
 AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
 AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
+ AssertIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
+
 SSL_free(ssl);
 wolfSSL_CTX_set_verify(ctx,
@@ -32103,6 +32108,12 @@ static void test_wolfSSL_verify_mode(void)
 AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
 AssertIntEQ(SSL_get_verify_mode(ssl),
 WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
+ AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
+
 SSL_free(ssl);
 SSL_CTX_free(ctx);
From 21ac86adb3b23c9384895e3cfd29873023866b22 Mon Sep 17 00:00:00 2001
From: Elms
Date: Fri, 22 Jan 2021 12:12:59 -0800
Subject: [PATCH 4/6] SSL: refactor SSL verify mode to be more compatible This follows the bit flag pattern closer. Still doesn't support `SSL_VERIFY_CLIENT_ONCE` and maybe other flags.
---
 src/ssl.c | 90 ++++++++++++++++++++++++-----------------------------
 tests/api.c | 12 ++++++++++++
 2 files changed, 53 insertions(+), 49 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 51256fde7..dceac0a2e 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10637,23 +10637,18 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
 ctx->failNoCert = 0;
 ctx->failNoCertxPSK = 0;
- if (mode & WOLFSSL_VERIFY_PEER) {
- ctx->verifyPeer = 1;
- ctx->verifyNone = 0; /* in case previously set */
- }
-
 if (mode == WOLFSSL_VERIFY_NONE) {
 ctx->verifyNone = 1;
- ctx->verifyPeer = 0; /* in case previously set */
- }
-
- if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- ctx->failNoCert = 1;
- }
-
- if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
- ctx->failNoCert = 0; /* fail on all is set to fail on PSK */
- ctx->failNoCertxPSK = 1;
+ } else {
+ if (mode & WOLFSSL_VERIFY_PEER) {
+ ctx->verifyPeer = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
+ ctx->failNoCertxPSK = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+ ctx->failNoCert = 1;
+ }
 }
 ctx->verifyCallback = vc;
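Review bot: The rewritten `else` branch in wolfSSL_CTX_set_verify drops the precedence the removed code gave to `WOLFSSL_VERIFY_FAIL_EXCEPT_PSK`: the old branch cleared `failNoCert` ("fail on all is set to fail on PSK"), the new one sets both `failNoCert` and `failNoCertxPSK` when both bits are passed. How the handshake code treats that combination is not visible in this patch, so please confirm that a PSK connection is still exempt when both are set, or the change should be called out as a behaviour change in the description. The branch also accepts fail flags without `WOLFSSL_VERIFY_PEER`, which leaves `verifyPeer` and `verifyNone` both 0; a one-line comment saying what that state means would help, e.g. `/* fail flags without VERIFY_PEER: stored, but peer verification is not requested */` if that is the intent. The hunk for wolfSSL_set_verify that follows has the same two points; both function bodies extend beyond their hunks.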
@@ -10684,22 +10679,18 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
 ssl->options.failNoCert = 0;
 ssl->options.failNoCertxPSK = 0;
- if (mode & WOLFSSL_VERIFY_PEER) {
- ssl->options.verifyPeer = 1;
- ssl->options.verifyNone = 0; /* in case previously set */
- }
-
 if (mode == WOLFSSL_VERIFY_NONE) {
 ssl->options.verifyNone = 1;
- ssl->options.verifyPeer = 0; /* in case previously set */
- }
-
- if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- ssl->options.failNoCert = 1;
-
- if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
- ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */
- ssl->options.failNoCertxPSK = 1;
+ } else {
+ if (mode & WOLFSSL_VERIFY_PEER) {
+ ssl->options.verifyPeer = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
+ ssl->options.failNoCertxPSK = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+ ssl->options.failNoCert = 1;
+ }
 }
 ssl->verifyCallback = vc;
@@ -45687,6 +45678,7 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
 #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \
 || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
+/* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */
 int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
 int mode = 0;
 WOLFSSL_ENTER("wolfSSL_get_verify_mode");
@@ -45694,16 +45686,16 @@ int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
 if(!ssl)
 return WOLFSSL_FATAL_ERROR;
- if (ssl->options.verifyPeer)
- mode |= WOLFSSL_VERIFY_PEER;
- else if (ssl->options.verifyNone)
- mode |= WOLFSSL_VERIFY_NONE;
-
- if (ssl->options.failNoCert)
- mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
- if (ssl->options.failNoCertxPSK)
- mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ if (ssl->options.verifyNone) {
+ mode = WOLFSSL_VERIFY_NONE;
+ } else {
+ if (ssl->options.verifyPeer)
+ mode |= WOLFSSL_VERIFY_PEER;
+ if (ssl->options.failNoCert)
+ mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ if (ssl->options.failNoCertxPSK)
+ mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ }
 WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
 return mode;
@@ -45717,16 +45709,16 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
 if(!ctx)
 return WOLFSSL_FATAL_ERROR;
- if (ctx->verifyPeer)
- mode |= WOLFSSL_VERIFY_PEER;
- else if (ctx->verifyNone)
- mode |= WOLFSSL_VERIFY_NONE;
-
- if (ctx->failNoCert)
- mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
- if (ctx->failNoCertxPSK)
- mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ if (ctx->verifyNone) {
+ mode = WOLFSSL_VERIFY_NONE;
+ } else {
+ if (ctx->verifyPeer)
+ mode |= WOLFSSL_VERIFY_PEER;
+ if (ctx->failNoCert)
+ mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ if (ctx->failNoCertxPSK)
+ mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ }
 WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
 return mode;
diff --git a/tests/api.c b/tests/api.c
index 4172dbf67..9eb57a3c4 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -32114,6 +32114,18 @@ static void test_wolfSSL_verify_mode(void)
 WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
 AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
+ wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
+
+ AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
 SSL_free(ssl);
 SSL_CTX_free(ctx);
From a2917ae29c6900ae7ca3b63a6b2f0d608dc8db41 Mon Sep 17 00:00:00 2001
From: Elms
Date: Mon, 25 Jan 2021 10:19:45 -0800
Subject: [PATCH 5/6] SSL: cleanup verify_mode coding style
---
 src/ssl.c | 40 ++++++++++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 14 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index dceac0a2e..4118f2b21 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10639,7 +10639,8 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
 if (mode == WOLFSSL_VERIFY_NONE) {
 ctx->verifyNone = 1;
- } else {
+ }
+ else {
 if (mode & WOLFSSL_VERIFY_PEER) {
 ctx->verifyPeer = 1;
 }
@@ -10681,7 +10682,8 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
 if (mode == WOLFSSL_VERIFY_NONE) {
 ssl->options.verifyNone = 1;
- } else {
+ }
+ else {
 if (mode & WOLFSSL_VERIFY_PEER) {
 ssl->options.verifyPeer = 1;
 }
@@ -45683,18 +45685,23 @@ int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
 int mode = 0;
 WOLFSSL_ENTER("wolfSSL_get_verify_mode");
- if(!ssl)
- return WOLFSSL_FATAL_ERROR;
+ if (!ssl) {
+ return WOLFSSL_FAILURE;
+ }
 if (ssl->options.verifyNone) {
 mode = WOLFSSL_VERIFY_NONE;
- } else {
- if (ssl->options.verifyPeer)
+ }
+ else {
+ if (ssl->options.verifyPeer) {
 mode |= WOLFSSL_VERIFY_PEER;
- if (ssl->options.failNoCert)
+ }
+ if (ssl->options.failNoCert) {
 mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- if (ssl->options.failNoCertxPSK)
+ }
+ if (ssl->options.failNoCertxPSK) {
 mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ }
 }
 WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
@@ -45706,18 +45713,23 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
 int mode = 0;
 WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
- if(!ctx)
- return WOLFSSL_FATAL_ERROR;
+ if (!ctx) {
+ return WOLFSSL_FAILURE;
+ }
 if (ctx->verifyNone) {
 mode = WOLFSSL_VERIFY_NONE;
- } else {
- if (ctx->verifyPeer)
+ }
+ else {
+ if (ctx->verifyPeer) {
 mode |= WOLFSSL_VERIFY_PEER;
- if (ctx->failNoCert)
+ }
+ if (ctx->failNoCert) {
 mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
- if (ctx->failNoCertxPSK)
+ }
+ if (ctx->failNoCertxPSK) {
 mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ }
 }
 WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
From 234bf0c209e8fb00090ca02211a7d2e1dc30b754 Mon Sep 17 00:00:00 2001
From: Elms
Date: Mon, 25 Jan 2021 10:37:50 -0800
Subject: [PATCH 6/6] SSL: add `const` for `*get_verify_mode` to match openSSL
---
 src/ssl.c | 4 ++--
 wolfssl/ssl.h | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 4118f2b21..a347a6eef 100644
--- a/src/ssl.c
+++ b/src/ssl.c
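Review bot: The NULL guard in wolfSSL_get_verify_mode changes its return value from `WOLFSSL_FATAL_ERROR` to `WOLFSSL_FAILURE` inside a commit described as a coding-style cleanup; that is a behaviour change and deserves a line in the description. The new value is also returned through the same `int` that carries the mode bits, and if `WOLFSSL_FAILURE` and `WOLFSSL_VERIFY_NONE` have the same numeric value (I believe both are 0; neither definition is shown here), a caller cannot tell a NULL argument from "no verification". Document that above the function, e.g. `/* Returns the WOLFSSL_VERIFY_* bit mask; a NULL argument yields WOLFSSL_FAILURE, which is not distinguishable from WOLFSSL_VERIFY_NONE */`. The early return also skips the `WOLFSSL_LEAVE` that pairs with `WOLFSSL_ENTER`. The same three points apply to wolfSSL_CTX_get_verify_mode in the following hunk.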
@@ -45681,7 +45681,7 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
 || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
 /* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */
-int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
+int wolfSSL_get_verify_mode(const WOLFSSL* ssl) {
 int mode = 0;
 WOLFSSL_ENTER("wolfSSL_get_verify_mode");
@@ -45708,7 +45708,7 @@ int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
 return mode;
 }
-int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
+int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
 {
 int mode = 0;
 WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 7d25cef62..ae2626b61 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3834,8 +3834,8 @@ WOLFSSL_API int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names);
 defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
 defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
-WOLFSSL_API int wolfSSL_get_verify_mode(WOLFSSL* ssl);
-WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx);
+WOLFSSL_API int wolfSSL_get_verify_mode(const WOLFSSL* ssl);
+WOLFSSL_API int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx);
 #endif