Move X509_V errors from enums to defines for HAProxy CLI (#5901)

* Move X509_V errors to openssl/ssl.h

* Have X509_V define errors in wolfssl/ssl.h

* Refactor X509_V errors

* Add wolfSSL_SESSION_set1_id_*

* Fix overlong line
tmael
2023-01-20 17:50:26 -08:00
committed by GitHub
parent b9a544920d
commit 9d73c197e6
7 changed files with 222 additions and 123 deletions


@@ -13352,7 +13352,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (args->totalCerts >= MAX_CHAIN_DEPTH) {
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ssl->peerVerifyRet =
WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
WOLFSSL_ERROR_VERBOSE(ret);
WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH");
@@ -13581,7 +13582,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Failed to verify CA from chain");
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_INVALID_CA;
#endif
}
@@ -13656,7 +13657,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
* an ultimately trusted issuer.*/
args->count > (ssl->verifyDepth + 1)) {
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ssl->peerVerifyRet =
WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
WOLFSSL_ERROR_VERBOSE(ret);
}
@@ -13800,7 +13802,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Verified Peer's cert");
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_OK;
ssl->peerVerifyRet = WOLFSSL_X509_V_OK;
#endif
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
/* if using alternate chain, store the cert used */
@@ -13844,7 +13846,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_REJECTED;
#endif
args->fatal = 1;
}
@@ -13854,16 +13856,16 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ssl->peerVerifyRet == 0) { /* Return first cert error here */
if (ret == ASN_BEFORE_DATE_E) {
ssl->peerVerifyRet =
(unsigned long)X509_V_ERR_CERT_NOT_YET_VALID;
(unsigned long)WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID;
}
else if (ret == ASN_AFTER_DATE_E) {
ssl->peerVerifyRet =
(unsigned long)X509_V_ERR_CERT_HAS_EXPIRED;
(unsigned long)WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
}
else {
ssl->peerVerifyRet =
(unsigned long)
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
}
}
#endif
@@ -13994,8 +13996,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Return first cert error here */
ssl->peerVerifyRet =
ret == OCSP_CERT_REVOKED
? X509_V_ERR_CERT_REVOKED
: X509_V_ERR_CERT_REJECTED;
? WOLFSSL_X509_V_ERR_CERT_REVOKED
: WOLFSSL_X509_V_ERR_CERT_REJECTED;
}
#endif
}
@@ -14023,8 +14025,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Return first cert error here */
ssl->peerVerifyRet =
ret == CRL_CERT_REVOKED
? X509_V_ERR_CERT_REVOKED
: X509_V_ERR_CERT_REJECTED;;
? WOLFSSL_X509_V_ERR_CERT_REVOKED
: WOLFSSL_X509_V_ERR_CERT_REJECTED;;
}
#endif
}
@@ -14129,7 +14131,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
SendAlert(ssl, alert_fatal, bad_certificate);
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED;
ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_REJECTED;
#endif
goto exit_ppc;
}
@@ -14605,11 +14607,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* limit compliant with OpenSSL verify Depth + 1
* OpenSSL tries to expand the chain one longer than limit until
* reaching an ultimately trusted issuer. Becoming failure if
* we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG
* we hit the limit, with WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG
*/
if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
if (ssl->peerVerifyRet == 0) /* Return first cert error here */
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
WOLFSSL_ERROR_VERBOSE(ret);
}
@@ -23427,7 +23429,7 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
return "HTTP Application string error";
#endif
#ifdef OPENSSL_EXTRA
case -X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
return "unable to get local issuer certificate";
#endif
case UNSUPPORTED_PROTO_VERSION:
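Review bot: The rewritten CRL branch keeps the stray double semicolon from the old line, `: WOLFSSL_X509_V_ERR_CERT_REJECTED;;`; since the line is being touched anyway it should read `: WOLFSSL_X509_V_ERR_CERT_REJECTED;`, matching the OCSP branch a few hunks earlier. The empty statement is harmless but trips -Wextra-semi-stmt style checks and looks like a leftover edit. ProcessPeerCerts begins and ends outside the hunks shown here.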


@@ -24160,11 +24160,44 @@ long wolfSSL_set_tlsext_debug_arg(WOLFSSL* ssl, void *arg)
#endif /* HAVE_PK_CALLBACKS */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY)
const unsigned char *SSL_SESSION_get0_id_context(const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length)
const unsigned char *wolfSSL_SESSION_get0_id_context(
const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length)
{
sess = ClientSessionToSession(sess);
return wolfSSL_SESSION_get_id((WOLFSSL_SESSION *)sess, sid_ctx_length);
}
int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s,
const unsigned char *sid, unsigned int sid_len)
{
if (s == NULL) {
return WOLFSSL_FAILURE;
}
if (sid_len > ID_LEN) {
return WOLFSSL_FAILURE;
}
s->sessionIDSz = sid_len;
if (sid != s->sessionID) {
XMEMCPY(s->sessionID, sid, sid_len);
}
return WOLFSSL_SUCCESS;
}
int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s,
const unsigned char *sid_ctx, unsigned int sid_ctx_len)
{
if (s == NULL) {
return WOLFSSL_FAILURE;
}
if (sid_ctx_len > ID_LEN) {
return WOLFSSL_FAILURE;
}
s->sessionCtxSz = sid_ctx_len;
if (sid_ctx != s->sessionCtx) {
XMEMCPY(s->sessionCtx, sid_ctx, sid_ctx_len);
}
return WOLFSSL_SUCCESS;
}
#endif
/*** TBD ***/
@@ -24253,32 +24286,6 @@ long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg)
}
#endif
/*** TBD ***/
#ifndef NO_WOLFSSL_STUB
int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid,
unsigned int sid_len)
{
(void)s;
(void)sid;
(void)sid_len;
WOLFSSL_STUB("SSL_SESSION_set1_id");
return WOLFSSL_FAILURE;
}
#endif
#ifndef NO_WOLFSSL_STUB
/*** TBD ***/
int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s,
const unsigned char *sid_ctx, unsigned int sid_ctx_len)
{
(void)s;
(void)sid_ctx;
(void)sid_ctx_len;
WOLFSSL_STUB("SSL_SESSION_set1_id_context");
return WOLFSSL_FAILURE;
}
#endif
#if defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD) \
|| defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS)
/**
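Review bot: wolfSSL_SESSION_set1_id and wolfSSL_SESSION_set1_id_context write directly into `s`, whereas the adjacent wolfSSL_SESSION_get0_id_context first does `sess = ClientSessionToSession(sess);` before touching the object; if the handles an application obtains (and HAProxy feeds back into these setters) can be the client-session wrapper, the setters presumably need the same conversion, or the ID_LEN check and the XMEMCPY operate on the wrong struct — worth confirming against how wolfSSL_get1_session hands out sessions. The setters also pass `sid`/`sid_ctx` to XMEMCPY without a NULL check; OpenSSL does the same, but a guard such as `if (sid == NULL && sid_len > 0) return WOLFSSL_FAILURE;` is cheap and keeps a bad caller from reaching memcpy with a null source. A short header comment on each function should state that at most ID_LEN bytes are accepted, that the data is copied rather than retained, and that a length over the limit returns WOLFSSL_FAILURE without modifying the session.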


@@ -12757,23 +12757,23 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject)
WOLFSSL_X509_NAME *subjectName = wolfSSL_X509_get_subject_name(issuer);
if (issuerName == NULL || subjectName == NULL)
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
return WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
/* Literal matching of encoded names and key ids. */
if (issuerName->sz != subjectName->sz ||
XMEMCMP(issuerName->name, subjectName->name, subjectName->sz) != 0) {
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
return WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
}
if (subject->authKeyId != NULL && issuer->subjKeyId != NULL) {
if (subject->authKeyIdSz != issuer->subjKeyIdSz ||
XMEMCMP(subject->authKeyId, issuer->subjKeyId,
issuer->subjKeyIdSz) != 0) {
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
return WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
}
}
return X509_V_OK;
return WOLFSSL_X509_V_OK;
}
#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */


@@ -165,21 +165,21 @@ int GetX509Error(int e)
{
switch (e) {
case ASN_BEFORE_DATE_E:
return X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
case ASN_AFTER_DATE_E:
return X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
case ASN_NO_SIGNER_E: /* get issuer error if no CA found locally */
return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
case ASN_SELF_SIGNED_E:
return X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
return WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
case ASN_PATHLEN_INV_E:
case ASN_PATHLEN_SIZE_E:
return X509_V_ERR_PATH_LENGTH_EXCEEDED;
return WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED;
case ASN_SIG_OID_E:
case ASN_SIG_CONFIRM_E:
case ASN_SIG_HASH_E:
case ASN_SIG_KEY_E:
return X509_V_ERR_CERT_SIGNATURE_FAILURE;
return WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE;
default:
#ifdef HAVE_WOLFSSL_MSG_EX
WOLFSSL_MSG_EX("Error not configured or implemented yet: %d", e);
@@ -238,11 +238,11 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
if (XVALIDATE_DATE(afterDate, (byte)ctx->current_cert->notAfter.type,
AFTER) < 1) {
error = X509_V_ERR_CERT_HAS_EXPIRED;
error = WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
}
else if (XVALIDATE_DATE(beforeDate,
(byte)ctx->current_cert->notBefore.type, BEFORE) < 1) {
error = X509_V_ERR_CERT_NOT_YET_VALID;
error = WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID;
}
if (error != 0 ) {
@@ -687,7 +687,8 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer,
if (ctx->chain != NULL) {
for (node = ctx->chain; node != NULL; node = node->next) {
if (wolfSSL_X509_check_issued(node->data.x509, x) == X509_V_OK) {
if (wolfSSL_X509_check_issued(node->data.x509, x) ==
WOLFSSL_X509_V_OK) {
*issuer = x;
return WOLFSSL_SUCCESS;
}


@@ -1360,6 +1360,9 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE;
#define SSL_SESSION_set_ex_data wolfSSL_SESSION_set_ex_data
#define SSL_SESSION_get_ex_new_index wolfSSL_SESSION_get_ex_new_index
#define SSL_SESSION_get_id wolfSSL_SESSION_get_id
#define SSL_SESSION_get0_id_context wolfSSL_SESSION_get0_id_context
#define SSL_SESSION_set1_id wolfSSL_SESSION_set1_id
#define SSL_SESSION_set1_id_context wolfSSL_SESSION_set1_id_context
#define SSL_SESSION_print wolfSSL_SESSION_print
#define sk_GENERAL_NAME_pop_free wolfSSL_sk_GENERAL_NAME_pop_free
#define sk_GENERAL_NAME_free wolfSSL_sk_GENERAL_NAME_free
@@ -1506,7 +1509,6 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE;
#define SSL_R_CERT_CB_ERROR CLIENT_CERT_CB_ERROR
#define SSL_R_NULL_SSL_METHOD_PASSED BAD_FUNC_ARG
#ifdef HAVE_SESSION_TICKET
#define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72
#endif


@@ -69,6 +69,133 @@
#define XN_FLAG_MULTILINE 0xFFFF
/*
* All of these aren't actually used in wolfSSL. Some are included to
* satisfy OpenSSL compatibility consumers to prevent compilation errors.
* The list was taken from
* https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
*/
#define X509_V_OK WOLFSSL_X509_V_OK
#define X509_V_ERR_UNSPECIFIED 1
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
#define X509_V_ERR_UNABLE_TO_GET_CRL 3
#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4
#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5
#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6
#define X509_V_ERR_CERT_SIGNATURE_FAILURE \
WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE
#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8
#define X509_V_ERR_CERT_NOT_YET_VALID WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID
#define X509_V_ERR_CERT_HAS_EXPIRED WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED
#define X509_V_ERR_CRL_NOT_YET_VALID 11
#define X509_V_ERR_CRL_HAS_EXPIRED 12
#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD \
WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD \
WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15
#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16
#define X509_V_ERR_OUT_OF_MEM 17
#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \
WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19
#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \
WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE \
WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
#define X509_V_ERR_CERT_CHAIN_TOO_LONG WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG
#define X509_V_ERR_CERT_REVOKED WOLFSSL_X509_V_ERR_CERT_REVOKED
#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY WOLFSSL_X509_V_ERR_INVALID_CA
#define X509_V_ERR_PATH_LENGTH_EXCEEDED WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED
#define X509_V_ERR_INVALID_PURPOSE 26
#define X509_V_ERR_CERT_UNTRUSTED 27
#define X509_V_ERR_CERT_REJECTED WOLFSSL_X509_V_ERR_CERT_REJECTED
/* These are 'informational' when looking for issuer cert */
#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH \
WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH
#define X509_V_ERR_AKID_SKID_MISMATCH 30
#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31
#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32
#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33
#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34
#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35
#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36
#define X509_V_ERR_INVALID_NON_CA 37
#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38
#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39
#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40
#define X509_V_ERR_INVALID_EXTENSION 41
#define X509_V_ERR_INVALID_POLICY_EXTENSION 42
#define X509_V_ERR_NO_EXPLICIT_POLICY 43
#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44
#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45
#define X509_V_ERR_UNNESTED_RESOURCE 46
#define X509_V_ERR_PERMITTED_VIOLATION 47
#define X509_V_ERR_EXCLUDED_VIOLATION 48
#define X509_V_ERR_SUBTREE_MINMAX 49
/* The application is not happy */
#define X509_V_ERR_APPLICATION_VERIFICATION 50
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51
#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52
#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53
#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54
/* Another issuer check debug option */
#define X509_V_ERR_PATH_LOOP 55
/* Suite B mode algorithm violation */
#define X509_V_ERR_SUITE_B_INVALID_VERSION 56
#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57
#define X509_V_ERR_SUITE_B_INVALID_CURVE 58
#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59
#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60
#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61
/* Host, email and IP check errors */
#define X509_V_ERR_HOSTNAME_MISMATCH 62
#define X509_V_ERR_EMAIL_MISMATCH 63
#define X509_V_ERR_IP_ADDRESS_MISMATCH 64
/* DANE TLSA errors */
#define X509_V_ERR_DANE_NO_MATCH 65
/* security level errors */
#define X509_V_ERR_EE_KEY_TOO_SMALL 66
#define X509_V_ERR_CA_KEY_TOO_SMALL 67
#define X509_V_ERR_CA_MD_TOO_WEAK 68
/* Caller error */
#define X509_V_ERR_INVALID_CALL 69
/* Issuer lookup error */
#define X509_V_ERR_STORE_LOOKUP 70
/* Certificate transparency */
#define X509_V_ERR_NO_VALID_SCTS 71
#define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72
/* OCSP status errors */
#define X509_V_ERR_OCSP_VERIFY_NEEDED 73
#define X509_V_ERR_OCSP_VERIFY_FAILED 74
#define X509_V_ERR_OCSP_CERT_UNKNOWN 75
#define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 76
#define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 77
/* Errors in case a check in X509_V_FLAG_X509_STRICT mode fails */
#define X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY 78
#define X509_V_ERR_INVALID_CA 79
#define X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA 80
#define X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN 81
#define X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA 82
#define X509_V_ERR_ISSUER_NAME_EMPTY 83
#define X509_V_ERR_SUBJECT_NAME_EMPTY 84
#define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85
#define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86
#define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87
#define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL 88
#define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89
#define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90
#define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91
#define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92
#define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93
#define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 94
#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101
#define X509_EXTENSION_set_critical wolfSSL_X509_EXTENSION_set_critical
#define X509_EXTENSION_set_object wolfSSL_X509_EXTENSION_set_object
#define X509_EXTENSION_set_data wolfSSL_X509_EXTENSION_set_data
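Review bot: `#define X509_V_ERR_INVALID_CA 79` no longer names the value wolfSSL actually reports: ProcessPeerCerts stores `WOLFSSL_X509_V_ERR_INVALID_CA` (24 in the wolfssl/ssl.h enum) in peerVerifyRet when CA verification fails, while this header hands 24 to `X509_V_ERR_NO_ISSUER_PUBLIC_KEY`. Before this commit X509_V_ERR_INVALID_CA was 24, so an application checking `SSL_get_verify_result(ssl) == X509_V_ERR_INVALID_CA` matched that failure; after it the comparison never matches and the code it does receive is reported under the NO_ISSUER_PUBLIC_KEY name, which can silently change a caller's accept/reject decision. Either keep `#define X509_V_ERR_INVALID_CA WOLFSSL_X509_V_ERR_INVALID_CA` and give NO_ISSUER_PUBLIC_KEY its own literal, or move the internal value, and in either case add a comment stating which OpenSSL numbering wolfSSL follows, since the header comment cites the upstream master list where 24 and 79 mean different things.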


@@ -2339,6 +2339,7 @@ enum {
#define SSL_NOTHING 1
#define SSL_WRITING 2
#define SSL_READING 3
#define SSL_MAX_SSL_SESSION_ID_LENGTH 32 /* = ID_LEN */
enum {
#ifdef HAVE_OCSP
@@ -2363,8 +2364,6 @@ enum {
OCSP_BASICRESP = 16,
#endif
SSL_MAX_SSL_SESSION_ID_LENGTH = 32,
SSL_ST_CONNECT = 0x1000,
SSL_ST_ACCEPT = 0x2000,
SSL_ST_MASK = 0x0FFF,
@@ -2393,65 +2392,24 @@ enum {
* limit the possibility of an infinite retry loop
*/
SSL_MODE_RELEASE_BUFFERS = -1, /* For libwebsockets build. No current use. */
/* Not all of these are actually used in wolfSSL. Some are included to
* satisfy OpenSSL compatibility consumers to prevent compilation errors. */
X509_V_OK = 0,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2,
X509_V_ERR_UNABLE_TO_GET_CRL = 3,
X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = 4,
X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = 5,
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = 6,
X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,
X509_V_ERR_CRL_SIGNATURE_FAILURE = 8,
X509_V_ERR_CERT_NOT_YET_VALID = 9,
X509_V_ERR_CERT_HAS_EXPIRED = 10,
X509_V_ERR_CRL_NOT_YET_VALID = 11,
X509_V_ERR_CRL_HAS_EXPIRED = 12,
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 13,
X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 14,
X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = 15,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 16,
X509_V_ERR_OUT_OF_MEM = 17,
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18,
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21,
X509_V_ERR_CERT_CHAIN_TOO_LONG = 22,
X509_V_ERR_CERT_REVOKED = 23,
X509_V_ERR_INVALID_CA = 24,
X509_V_ERR_PATH_LENGTH_EXCEEDED = 25,
X509_V_ERR_INVALID_PURPOSE = 26,
X509_V_ERR_CERT_UNTRUSTED = 27,
X509_V_ERR_CERT_REJECTED = 28,
X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29,
X509_V_ERR_AKID_SKID_MISMATCH = 30,
X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31,
X509_V_ERR_KEYUSAGE_NO_CERTSIGN = 32,
X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = 33,
X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = 34,
X509_V_ERR_KEYUSAGE_NO_CRL_SIGN = 35,
X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = 36,
X509_V_ERR_INVALID_NON_CA = 37,
X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED = 38,
X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = 39,
X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED = 40,
X509_V_ERR_INVALID_EXTENSION = 41,
X509_V_ERR_INVALID_POLICY_EXTENSION = 42,
X509_V_ERR_NO_EXPLICIT_POLICY = 43,
X509_V_ERR_DIFFERENT_CRL_SCOPE = 44,
X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 45,
X509_V_ERR_UNNESTED_RESOURCE = 46,
X509_V_ERR_PERMITTED_VIOLATION = 47,
X509_V_ERR_EXCLUDED_VIOLATION = 48,
X509_V_ERR_SUBTREE_MINMAX = 49,
X509_V_ERR_APPLICATION_VERIFICATION = 50,
X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = 51,
X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = 52,
X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 53,
X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 54,
X509_R_CERT_ALREADY_IN_HASH_TABLE = 101,
/* Errors used in wolfSSL.
* Should map the defines in wolfssl/openssl/x509.h
*/
WOLFSSL_X509_V_OK = 0,
WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,
WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID = 9,
WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED = 10,
WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 13,
WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 14,
WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18,
WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20,
WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21,
WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG = 22,
WOLFSSL_X509_V_ERR_CERT_REVOKED = 23,
WOLFSSL_X509_V_ERR_INVALID_CA = 24,
WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED = 25,
WOLFSSL_X509_V_ERR_CERT_REJECTED = 28,
WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29,
CRYPTO_LOCK = 1,
CRYPTO_NUM_LOCKS = 10,
@@ -5023,14 +4981,16 @@ WOLFSSL_API int wolfSSL_X509_check_email(WOLFSSL_X509 *x, const char *chk,
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS)
WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context(
const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length);
WOLFSSL_API const unsigned char *wolfSSL_SESSION_get0_id_context(
const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length);
#endif
#endif
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
WOLFSSL_API int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len);
WOLFSSL_API int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len);
WOLFSSL_API int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s,
const unsigned char *sid, unsigned int sid_len);
WOLFSSL_API int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s,
const unsigned char *sid_ctx, unsigned int sid_ctx_len);
WOLFSSL_API WOLFSSL_X509_ALGOR* wolfSSL_X509_ALGOR_new(void);
WOLFSSL_API void wolfSSL_X509_ALGOR_free(WOLFSSL_X509_ALGOR *alg);
WOLFSSL_API const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x);