additional debugging

This commit is contained in:
Brett
2025-06-11 13:30:53 -06:00
committed by Ruby Martin
parent 7232b3a6bb
commit 877bade216
3 changed files with 45 additions and 28 deletions


@@ -42849,7 +42849,7 @@ static int DisplaySecTrustError(CFErrorRef error, SecTrustRef trust)
info = CFErrorCopyUserInfo(error); info = CFErrorCopyUserInfo(error);
if (info) { if (info) {
printf("Trust error info dump:\n"); WOLFSSL_MSG("Trust error info dump:\n");
CFShow(info); CFShow(info);
CFRelease(info); CFRelease(info);
} }
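Review bot: Moving only the header line to WOLFSSL_MSG while `CFShow(info);` stays unconditional means that in builds without wolfSSL debug logging the user-info dictionary is still written to stderr, but without the "Trust error info dump:" line that identifies it. If the dump is meant to be debug-only, put the CFShow call under the same gate as the message, e.g. `#ifdef DEBUG_WOLFSSL` / `CFShow(info);` / `#endif`; if it is meant to be always-on, the header should stay a direct print so the two do not drift apart. The dumped dictionary can carry details of the evaluated chain, so debug-only is the safer default. DisplaySecTrustError begins before and continues after this hunk.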
@@ -42935,6 +42935,7 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
#if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION) #if defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
/* TEST ONLY CODE: /* TEST ONLY CODE:
* Set accumulated list of trusted CA certificates as trust anchors */ * Set accumulated list of trusted CA certificates as trust anchors */
WOLFSSL_MSG("Setting anchor certificates");
if (ssl->ctx->testTrustedCAs != NULL) { if (ssl->ctx->testTrustedCAs != NULL) {
status = SecTrustSetAnchorCertificates(trust, ssl->ctx->testTrustedCAs); status = SecTrustSetAnchorCertificates(trust, ssl->ctx->testTrustedCAs);
if (status != errSecSuccess) { if (status != errSecSuccess) {
@@ -42967,6 +42968,7 @@ static int DoAppleNativeCertValidation(WOLFSSL* ssl,
if (code == errSecCertificateValidityPeriodTooLong) { if (code == errSecCertificateValidityPeriodTooLong) {
WOLFSSL_MSG("Skipping certificate validity period error"); WOLFSSL_MSG("Skipping certificate validity period error");
ret = 1; ret = 1;
/* TODO: ensure other errors aren't masked by this error */
} }
#endif #endif


@@ -2159,9 +2159,14 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
/* CA certificate to verify with. */ /* CA certificate to verify with. */
if (type == CA_TYPE) { if (type == CA_TYPE) {
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE:
* Store the DER encoding of the CA certificate so we can append it to
* the list of trusted CA certificates if the subsequent call to AddCA
* is successful */
word32 derLen; word32 derLen;
byte* derBuf; byte* derBuf;
if (ctx->doAppleNativeCertValidationFlag == 1) { if (ctx->doAppleNativeCertValidationFlag == 1) {
WOLFSSL_MSG("ANCV Test: copy DER CA cert");
derLen = der->length; derLen = der->length;
derBuf = (byte*)XMALLOC(derLen, NULL, DYNAMIC_TYPE_TMP_BUFFER); derBuf = (byte*)XMALLOC(derLen, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (derBuf == NULL) { if (derBuf == NULL) {
@@ -2176,12 +2181,16 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
#endif #endif
/* verify CA unless user set to no verify */ /* verify CA unless user set to no verify */
ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify); ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION #ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE:
* Append the DER encoded CA certificate to the list of trusted CA
* certificates so we can inject them at verification time */
if (ret == 1 && ctx->doAppleNativeCertValidationFlag == 1) { if (ret == 1 && ctx->doAppleNativeCertValidationFlag == 1) {
WOLFSSL_MSG("Appending CA to cert list for native cert validation test"); WOLFSSL_MSG("ANCV Test: Appending CA to cert list");
ret = wolfSSL_TestAppleNativeCertValidation_AppendCA(ctx, derBuf, (int)derLen); ret = wolfSSL_TestAppleNativeCertValidation_AppendCA(ctx, derBuf, (int)derLen);
if (ret == WOLFSSL_SUCCESS) { if (ret == WOLFSSL_SUCCESS) {
WOLFSSL_MSG("Clearing CA table for native cert validation test"); WOLFSSL_MSG("ANCV Test: Clearing CA table");
/* Clear the CA table so we can ensure they won't be used for /* Clear the CA table so we can ensure they won't be used for
* verification */ * verification */
ret = wolfSSL_CertManagerUnloadCAs(ctx->cm); ret = wolfSSL_CertManagerUnloadCAs(ctx->cm);
@@ -2192,6 +2201,7 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(derBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
} }
#endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */ #endif /* !WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION */
if (ret == 1) { if (ret == 1) {
ret = 0; ret = 0;
} }
@@ -2978,6 +2988,14 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
ret = 0; ret = 0;
} }
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
if (ret == 1) {
/* TEST ONLY CODE: force native cert validation on */
WOLFSSL_MSG("ANCV Test: Loading system CA certs");
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
if (ret == 1) { if (ret == 1) {
/* Get setting on how to verify certificates. */ /* Get setting on how to verify certificates. */
verify = GET_VERIFY_SETTING_CTX(ctx); verify = GET_VERIFY_SETTING_CTX(ctx);
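Review bot: The return value of `wolfSSL_CTX_load_system_CA_certs(ctx)` on the added line is discarded, so a failure to load the system trust store goes unnoticed and the test proceeds as if native validation had been forced on; the same pattern appears in the inserts in wolfSSL_CTX_der_load_verify_locations and wolfSSL_CTX_load_verify_buffer_ex further down. Since the call reports success as WOLFSSL_SUCCESS, at least log the failure: `if (wolfSSL_CTX_load_system_CA_certs(ctx) != WOLFSSL_SUCCESS) {` / `WOLFSSL_MSG("ANCV Test: load_system_CA_certs failed");` / `}`. The three debug strings also differ in case ("Loading" here, "loading" in the other two), which makes filtering the log for this path harder. wolfSSL_CTX_load_verify_locations_ex begins before and continues after this hunk.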
@@ -2990,19 +3008,19 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
/* Load the PEM formatted CA file */ /* Load the PEM formatted CA file */
ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0, ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CA_TYPE, NULL, 0,
NULL, verify); NULL, verify);
#ifndef NO_WOLFSSL_DIR #ifndef NO_WOLFSSL_DIR
if (ret == 1) { if (ret == 1) {
/* Include success in overall count. */ /* Include success in overall count. */
successCount++; successCount++;
} }
#endif #endif
#if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS) #if defined(WOLFSSL_TRUST_PEER_CERT) && defined(OPENSSL_COMPATIBLE_DEFAULTS)
/* Load CA as a trusted peer certificate. */ /* Load CA as a trusted peer certificate. */
ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM); ret = wolfSSL_CTX_trust_peer_cert(ctx, file, WOLFSSL_FILETYPE_PEM);
if (ret != 1) { if (ret != 1) {
WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error"); WOLFSSL_MSG("wolfSSL_CTX_trust_peer_cert error");
} }
#endif #endif
} }
} }
@@ -3015,12 +3033,6 @@ int wolfSSL_CTX_load_verify_locations_ex(WOLFSSL_CTX* ctx, const char* file,
ret = NOT_COMPILED_IN; ret = NOT_COMPILED_IN;
(void)flags; (void)flags;
#endif #endif
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
if (ret == 1) {
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
} }
return ret; return ret;
@@ -3461,16 +3473,15 @@ int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file,
ret = 0; ret = 0;
} }
else { else {
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE: force native cert validation on */
WOLFSSL_MSG("ANCV Test: loading system CA certs");
wolfSSL_CTX_load_system_CA_certs(ctx);
#endif
ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL, ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL,
GET_VERIFY_SETTING_CTX(ctx)); GET_VERIFY_SETTING_CTX(ctx));
} }
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
if (ret == 1) {
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
/* Return 1 on success or 0 on failure. */ /* Return 1 on success or 0 on failure. */
return WS_RC(ret); return WS_RC(ret);
} }
@@ -3975,6 +3986,14 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex"); WOLFSSL_ENTER("wolfSSL_CTX_load_verify_buffer_ex");
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
/* TEST ONLY CODE: force native cert validation on */
if (ctx != NULL) {
WOLFSSL_MSG("ANCV Test: loading system CA certs");
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
/* Get setting on how to verify certificates. */ /* Get setting on how to verify certificates. */
verify = GET_VERIFY_SETTING_CTX(ctx); verify = GET_VERIFY_SETTING_CTX(ctx);
/* Overwrite setting when flag set. */ /* Overwrite setting when flag set. */
@@ -3999,12 +4018,6 @@ int wolfSSL_CTX_load_verify_buffer_ex(WOLFSSL_CTX* ctx, const unsigned char* in,
} }
#endif #endif
#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION
if (ret == 1) {
wolfSSL_CTX_load_system_CA_certs(ctx);
}
#endif
WOLFSSL_LEAVE("wolfSSL_CTX_load_verify_buffer_ex", ret); WOLFSSL_LEAVE("wolfSSL_CTX_load_verify_buffer_ex", ret);
return ret; return ret;
} }


@@ -68151,7 +68151,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_CertManagerCRL), TEST_DECL(test_wolfSSL_CertManagerCRL),
TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse), TEST_DECL(test_wolfSSL_CertManagerCheckOCSPResponse),
TEST_DECL(test_wolfSSL_CheckOCSPResponse), TEST_DECL(test_wolfSSL_CheckOCSPResponse),
#ifdef HAVE_CERT_CHAIN_VALIDATION #if defined(HAVE_CERT_CHAIN_VALIDATION) && !defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
TEST_DECL(test_various_pathlen_chains), TEST_DECL(test_various_pathlen_chains),
#endif #endif
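Review bot: The new exclusion of test_various_pathlen_chains under WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION carries no comment saying why, and the same applies to the test_EccSigFailure_cm group and test_wolfSSL_CertRsaPss in the two hunks below; a reader of testCases[] cannot tell whether these are intentionally not applicable or are known failures being hidden. A one-line comment beside each guard, such as `/* Not applicable under ANCV test: CA table is cleared and verification is delegated to the platform */`, would record the reason; if any of them is instead a known failure, the comment should say so, so the coverage gap stays visible. testCases[] begins and ends outside the hunk.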
@@ -68201,7 +68201,8 @@ TEST_CASE testCases[] = {
TEST_DECL(test_CONF_CTX_CMDLINE), TEST_DECL(test_CONF_CTX_CMDLINE),
#if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \ #if !defined(NO_CERTS) && (!defined(NO_WOLFSSL_CLIENT) || \
!defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM) !defined(WOLFSSL_NO_CLIENT_AUTH)) && !defined(NO_FILESYSTEM) && \
!defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
/* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */ /* Use the Cert Manager(CM) API to generate the error ASN_SIG_CONFIRM_E */
/* Bad certificate signature tests */ /* Bad certificate signature tests */
TEST_DECL(test_EccSigFailure_cm), TEST_DECL(test_EccSigFailure_cm),
@@ -68246,7 +68247,8 @@ TEST_CASE testCases[] = {
/* Large number of memory allocations. */ /* Large number of memory allocations. */
TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs), TEST_DECL(test_wolfSSL_CTX_load_system_CA_certs),
#ifdef HAVE_CERT_CHAIN_VALIDATION #if defined(HAVE_CERT_CHAIN_VALIDATION) && \
!defined(WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION)
TEST_DECL(test_wolfSSL_CertRsaPss), TEST_DECL(test_wolfSSL_CertRsaPss),
#endif #endif
TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex), TEST_DECL(test_wolfSSL_CTX_load_verify_locations_ex),