From dd12e5a39ef1f713c8885d47ed78ff5c2599ab2e Mon Sep 17 00:00:00 2001 From: Brett Date: Thu, 19 Oct 2023 13:37:28 -0600 Subject: [PATCH 1/2] Fix WOLFSSL_SYS_CA_CERTS bug that accepted intermediate CA certs with invalid signatures. Also adds --sys-ca-certs to client in unit.test to detect regressions --- src/internal.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 6b4468fb0..d4a493a83 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14223,7 +14223,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* If we are using native Apple CA validation, it is okay * for a CA cert to fail validation here, as we will verify * the entire chain when we hit the peer (leaf) cert */ - if (ssl->ctx->doAppleNativeCertValidationFlag) { + if ((ssl->ctx->doAppleNativeCertValidationFlag) + && (ret == ASN_NO_SIGNER_E)) { + WOLFSSL_MSG("Bypassing errors to allow for Apple native" " CA validation"); ret = 0; /* clear errors and continue */ From 238757988015b3b60333296f001c86c605a4a15e Mon Sep 17 00:00:00 2001 From: Brett Date: Fri, 20 Oct 2023 11:48:50 -0600 Subject: [PATCH 2/2] added FIPS warning for Apple native cert validation --- src/ssl.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index 6d0ef95dd..26a58a321 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8576,6 +8576,12 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx) ctx->doAppleNativeCertValidationFlag = 1; ret = WOLFSSL_SUCCESS; loaded = 1; + +#if FIPS_VERSION_GE(2,0) /* Gate back to cert 3389 FIPS modules */ +#warning "Cryptographic operations may occur outside the FIPS module boundary" \ + "Please review FIPS claims for cryptography on this Apple device" +#endif /* FIPS_VERSION_GE(2,0) */ + #else /* HAVE_SECURITY_SECXXX_H macros are set by autotools or CMake when searching * system for the required SDK headers. If building with user_settings.h, you