SSL: refactor SSL verify mode to be more compatible
This follows the bit-flag pattern more closely. `SSL_VERIFY_CLIENT_ONCE`, and possibly other flags, are still not supported.
90
src/ssl.c
90
src/ssl.c
@ -10637,23 +10637,18 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
|
||||
ctx->failNoCert = 0;
|
||||
ctx->failNoCertxPSK = 0;
|
||||
|
||||
if (mode & WOLFSSL_VERIFY_PEER) {
|
||||
ctx->verifyPeer = 1;
|
||||
ctx->verifyNone = 0; /* in case previously set */
|
||||
}
|
||||
|
||||
if (mode == WOLFSSL_VERIFY_NONE) {
|
||||
ctx->verifyNone = 1;
|
||||
ctx->verifyPeer = 0; /* in case previously set */
|
||||
}
|
||||
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
|
||||
ctx->failNoCert = 1;
|
||||
}
|
||||
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
|
||||
ctx->failNoCert = 0; /* fail on all is set to fail on PSK */
|
||||
ctx->failNoCertxPSK = 1;
|
||||
} else {
|
||||
if (mode & WOLFSSL_VERIFY_PEER) {
|
||||
ctx->verifyPeer = 1;
|
||||
}
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
|
||||
ctx->failNoCertxPSK = 1;
|
||||
}
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
|
||||
ctx->failNoCert = 1;
|
||||
}
|
||||
}
|
||||
|
||||
ctx->verifyCallback = vc;
|
||||
@ -10684,22 +10679,18 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
|
||||
ssl->options.failNoCert = 0;
|
||||
ssl->options.failNoCertxPSK = 0;
|
||||
|
||||
if (mode & WOLFSSL_VERIFY_PEER) {
|
||||
ssl->options.verifyPeer = 1;
|
||||
ssl->options.verifyNone = 0; /* in case previously set */
|
||||
}
|
||||
|
||||
if (mode == WOLFSSL_VERIFY_NONE) {
|
||||
ssl->options.verifyNone = 1;
|
||||
ssl->options.verifyPeer = 0; /* in case previously set */
|
||||
}
|
||||
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
ssl->options.failNoCert = 1;
|
||||
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
|
||||
ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */
|
||||
ssl->options.failNoCertxPSK = 1;
|
||||
} else {
|
||||
if (mode & WOLFSSL_VERIFY_PEER) {
|
||||
ssl->options.verifyPeer = 1;
|
||||
}
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
|
||||
ssl->options.failNoCertxPSK = 1;
|
||||
}
|
||||
if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
|
||||
ssl->options.failNoCert = 1;
|
||||
}
|
||||
}
|
||||
|
||||
ssl->verifyCallback = vc;
|
||||
@ -45687,6 +45678,7 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
|
||||
#if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \
|
||||
|| defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
|
||||
|
||||
/* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */
|
||||
int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
|
||||
int mode = 0;
|
||||
WOLFSSL_ENTER("wolfSSL_get_verify_mode");
|
||||
@ -45694,16 +45686,16 @@ int wolfSSL_get_verify_mode(WOLFSSL* ssl) {
|
||||
if(!ssl)
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
|
||||
if (ssl->options.verifyPeer)
|
||||
mode |= WOLFSSL_VERIFY_PEER;
|
||||
else if (ssl->options.verifyNone)
|
||||
mode |= WOLFSSL_VERIFY_NONE;
|
||||
|
||||
if (ssl->options.failNoCert)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
|
||||
if (ssl->options.failNoCertxPSK)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
|
||||
if (ssl->options.verifyNone) {
|
||||
mode = WOLFSSL_VERIFY_NONE;
|
||||
} else {
|
||||
if (ssl->options.verifyPeer)
|
||||
mode |= WOLFSSL_VERIFY_PEER;
|
||||
if (ssl->options.failNoCert)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
if (ssl->options.failNoCertxPSK)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
|
||||
}
|
||||
|
||||
WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
|
||||
return mode;
|
||||
@ -45717,16 +45709,16 @@ int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
|
||||
if(!ctx)
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
|
||||
if (ctx->verifyPeer)
|
||||
mode |= WOLFSSL_VERIFY_PEER;
|
||||
else if (ctx->verifyNone)
|
||||
mode |= WOLFSSL_VERIFY_NONE;
|
||||
|
||||
if (ctx->failNoCert)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
|
||||
if (ctx->failNoCertxPSK)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
|
||||
if (ctx->verifyNone) {
|
||||
mode = WOLFSSL_VERIFY_NONE;
|
||||
} else {
|
||||
if (ctx->verifyPeer)
|
||||
mode |= WOLFSSL_VERIFY_PEER;
|
||||
if (ctx->failNoCert)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
if (ctx->failNoCertxPSK)
|
||||
mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
|
||||
}
|
||||
|
||||
WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
|
||||
return mode;
|
||||
|
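Review bot: The new `else` branch in wolfSSL_CTX_set_verify (first hunk) appears to drop the inline `ctx->verifyNone = 0;` / `ctx->verifyPeer = 0;` resets that the removed `/* in case previously set */` lines performed, so correctness now depends on both fields being cleared before the hunk begins; `failNoCert = 0` and `failNoCertxPSK = 0` are visible as context, but the lines above them are outside the hunk, so confirm `verifyPeer` and `verifyNone` are reset there as well. If they are not, a second call such as set_verify(PEER) after set_verify(NONE) leaves both flags raised, and the rewritten getters (third and fourth hunks) test `verifyNone` first and would report NONE while peer verification is still enabled. The same dependency exists in wolfSSL_set_verify in the second hunk. A comment above the `if (mode == WOLFSSL_VERIFY_NONE)` line, e.g. `/* all verify flags were cleared above; only the bits present in mode are set below */`, would make that contract explicit for the next maintainer. Both setter functions start outside their hunks.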
12
tests/api.c
12
tests/api.c
@ -32114,6 +32114,18 @@ static void test_wolfSSL_verify_mode(void)
|
||||
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
|
||||
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
|
||||
|
||||
wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
|
||||
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
|
||||
|
||||
wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
|
||||
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
|
||||
|
||||
wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
|
||||
AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
|
||||
|
||||
AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
|
||||
WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
|
||||
|
||||
SSL_free(ssl);
|
||||
|
||||
SSL_CTX_free(ctx);
|
||||
|
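Review bot: The added assertions exercise each verify flag in isolation but not `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` combined with `SSL_VERIFY_FAIL_EXCEPT_PSK`, which is the pairing whose setter handling the ssl.c change appears to alter (the removed code cleared failNoCert when the PSK flag was present; the new code keeps both). A round trip such as `wolfSSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_EXCEPT_PSK, NULL);` followed by `AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_FAIL_EXCEPT_PSK);` would pin the new behaviour. The new calls also pass `0` for the VerifyCallback argument; `NULL` reads as the intended null pointer and matches the pointer type. test_wolfSSL_verify_mode begins outside the hunk.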