Implement wolfSSL_set_client_CA_list and add 'HIGH' cipher suite

src/internal.c

@@ -7075,6 +7075,14 @@ void SSL_ResourceFree(WOLFSSL* ssl)
     wolfSSL_sk_X509_free(ssl->peerCertChain);
     wolfSSL_sk_X509_free(ssl->ourCertChain);
 #endif
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+    while (ssl->ca_names != NULL) {
+        WOLFSSL_STACK *next = ssl->ca_names->next;
+        wolfSSL_X509_NAME_free(ssl->ca_names->data.name);
+        XFREE(ssl->ca_names, NULL, DYNAMIC_TYPE_OPENSSL);
+        ssl->ca_names = next;
+    }
+#endif
 }
 
 /* Free any handshake resources no longer needed */
@@ -18688,7 +18696,7 @@ int SendCertificateRequest(WOLFSSL* ssl)
 
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
     /* Certificate Authorities */
-    names = ssl->ctx->ca_names;
+    names = SSL_CA_NAMES(ssl);
     while (names != NULL) {
         byte seq[MAX_SEQ_SZ];
         WOLFSSL_X509_NAME* name = names->data.name;
@@ -18759,7 +18767,7 @@ int SendCertificateRequest(WOLFSSL* ssl)
     c16toa((word16)dnLen, &output[i]);  /* auth's */
     i += REQ_HEADER_SZ;
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(HAVE_LIGHTY)
-    names = ssl->ctx->ca_names;
+    names = SSL_CA_NAMES(ssl);
     while (names != NULL) {
         byte seq[MAX_SEQ_SZ];
         WOLFSSL_X509_NAME* name = names->data.name;
@@ -21105,7 +21113,7 @@ int SetCipherList(WOLFSSL_CTX* ctx, Suites* suites, const char* list)
     }
 
     if (next[0] == 0 || XSTRNCMP(next, "ALL", 3) == 0 ||
-                        XSTRNCMP(next, "DEFAULT", 7) == 0)
+        XSTRNCMP(next, "DEFAULT", 7) == 0 || XSTRNCMP(next, "HIGH", 4) == 0)
         return 1; /* wolfSSL default */
 
     do {

src/ssl.c

@@ -16045,6 +16045,19 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
     #endif
     }
 
+    void wolfSSL_set_client_CA_list(WOLFSSL* ssl,
+                                       WOLF_STACK_OF(WOLFSSL_X509_NAME)* names)
+    {
+        WOLFSSL_ENTER("wolfSSL_set_client_CA_list");
+    #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+        if (ssl != NULL)
+            ssl->ca_names = names;
+    #else
+        (void)ssl;
+        (void)names;
+    #endif
+    }
+
 
     /* returns the CA's set on server side or the CA's sent from server when
      * on client side */
@@ -16089,8 +16102,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
             return NULL;
         }
         else {
-            /* currently only can be set in the CTX */
-            return ssl->ctx->ca_names;
+            return SSL_CA_NAMES(ssl);
         }
     }
 #endif /* SESSION_CERTS */
@@ -16154,14 +16166,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 
 #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
     WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
-            const WOLFSSL_CTX *s)
+            const WOLFSSL_CTX *ctx)
     {
         WOLFSSL_ENTER("wolfSSL_CTX_get_client_CA_list");
 
-        if (s == NULL)
+        if (ctx == NULL)
             return NULL;
 
-        return s->ca_names;
+        return ctx->ca_names;
     }
 #endif
 

tests/api.c

@@ -30772,16 +30772,17 @@ static void test_wolfSSL_CTX_set_client_CA_list(void)
 #if defined(OPENSSL_ALL) && !defined(NO_RSA) && !defined(NO_CERTS) && \
     !defined(NO_WOLFSSL_CLIENT) && !defined(NO_BIO)
     WOLFSSL_CTX* ctx;
+    WOLFSSL* ssl;
     X509_NAME* name = NULL;
     STACK_OF(X509_NAME)* names = NULL;
     STACK_OF(X509_NAME)* ca_list = NULL;
     int i, names_len;
 
     printf(testingFmt, "wolfSSL_CTX_set_client_CA_list()");
-    AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+    AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
     names = SSL_load_client_CA_file(cliCertFile);
     AssertNotNull(names);
-    SSL_CTX_set_client_CA_list(ctx,names);
+    SSL_CTX_set_client_CA_list(ctx, names);
     AssertNotNull(ca_list = SSL_CTX_get_client_CA_list(ctx));
 
     AssertIntGT((names_len = sk_X509_NAME_num(names)), 0);
@@ -30790,6 +30791,23 @@ static void test_wolfSSL_CTX_set_client_CA_list(void)
         AssertIntEQ(sk_X509_NAME_find(names, name), i);
     }
 
+    /* Needed to be able to create ssl object */
+    AssertTrue(SSL_CTX_use_certificate_file(ctx, svrCertFile, SSL_FILETYPE_PEM));
+    AssertTrue(SSL_CTX_use_PrivateKey_file(ctx, svrKeyFile, SSL_FILETYPE_PEM));
+    AssertNotNull(ssl = wolfSSL_new(ctx));
+    /* laod again as old names are responsibility of ctx to free */
+    names = SSL_load_client_CA_file(cliCertFile);
+    AssertNotNull(names);
+    SSL_set_client_CA_list(ssl, names);
+    AssertNotNull(ca_list = SSL_get_client_CA_list(ssl));
+
+    AssertIntGT((names_len = sk_X509_NAME_num(names)), 0);
+    for (i=0; i<names_len; i++) {
+        AssertNotNull(name = sk_X509_NAME_value(names, i));
+        AssertIntEQ(sk_X509_NAME_find(names, name), i);
+    }
+
+    wolfSSL_free(ssl);
     wolfSSL_CTX_free(ctx);
     printf(resultFmt, passed);
 #endif /* OPENSSL_EXTRA && !NO_RSA && !NO_CERTS && !NO_WOLFSSL_CLIENT && !NO_BIO */

wolfssl/internal.h

@@ -4508,6 +4508,9 @@ struct WOLFSSL {
     byte clientFinished[TLS_FINISHED_SZ];
     byte serverFinished[TLS_FINISHED_SZ];
 #endif
+#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+    WOLF_STACK_OF(WOLFSSL_X509_NAME)* ca_names;
+#endif
 };
 
 /*
@@ -4524,6 +4527,9 @@ struct WOLFSSL {
 #define SSL_CM(ssl) ssl->ctx->cm
 #endif
 
+#define SSL_CA_NAMES(ssl) (ssl->ca_names != NULL ? ssl->ca_names : \
+        ssl->ctx->ca_names)
+
 WOLFSSL_LOCAL int  SSL_CTX_RefCount(WOLFSSL_CTX* ctx, int incr);
 WOLFSSL_LOCAL int  SetSSL_CTX(WOLFSSL*, WOLFSSL_CTX*, int);
 WOLFSSL_LOCAL int  InitSSL(WOLFSSL*, WOLFSSL_CTX*, int);

wolfssl/openssl/ssl.h

@@ -835,6 +835,7 @@ wolfSSL_X509_STORE_set_verify_cb((WOLFSSL_X509_STORE *)(s), (WOLFSSL_X509_STORE_
 #define SSL_set1_verify_cert_store      wolfSSL_set1_verify_cert_store
 #define SSL_CTX_get_cert_store(x)       wolfSSL_CTX_get_cert_store ((WOLFSSL_CTX*) (x))
 #define SSL_get_client_CA_list          wolfSSL_get_client_CA_list
+#define SSL_set_client_CA_list          wolfSSL_set_client_CA_list
 #define SSL_get_ex_data_X509_STORE_CTX_idx wolfSSL_get_ex_data_X509_STORE_CTX_idx
 #define SSL_get_ex_data                 wolfSSL_get_ex_data
 

wolfssl/ssl.h

@@ -1807,11 +1807,13 @@ WOLFSSL_API void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t);
 
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char*);
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
-        const WOLFSSL_CTX *s);
+        const WOLFSSL_CTX *ctx);
 /* deprecated function name */
 #define wolfSSL_SSL_CTX_get_client_CA_list wolfSSL_CTX_get_client_CA_list
 
-WOLFSSL_API void  wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX*,
+WOLFSSL_API void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX*,
+                                               WOLF_STACK_OF(WOLFSSL_X509_NAME)*);
+WOLFSSL_API void wolfSSL_set_client_CA_list(WOLFSSL*,
                                                WOLF_STACK_OF(WOLFSSL_X509_NAME)*);
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_get_client_CA_list(
             const WOLFSSL* ssl);