From 9d73c197e6cdf8ae8569f68760351be0855f6421 Mon Sep 17 00:00:00 2001 From: tmael Date: Fri, 20 Jan 2023 17:50:26 -0800 Subject: [PATCH] Move X509_V errors from enums to defines for HAProxy CLI (#5901) * Move X509_V errors to openssl/ssl.h * Have X509_V define errors in wolfssl/ssl.h * Refactor X509_V errors * Add wolfSSL_SESSION_set1_id_* * Fix overlong line --- src/internal.c | 34 +++++------ src/ssl.c | 63 +++++++++++--------- src/x509.c | 8 +-- src/x509_str.c | 19 +++--- wolfssl/openssl/ssl.h | 4 +- wolfssl/openssl/x509.h | 127 +++++++++++++++++++++++++++++++++++++++++ wolfssl/ssl.h | 90 ++++++++--------------------- 7 files changed, 222 insertions(+), 123 deletions(-) diff --git a/src/internal.c b/src/internal.c index 67fc80128..737bc34d9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -13352,7 +13352,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (args->totalCerts >= MAX_CHAIN_DEPTH) { if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; + ssl->peerVerifyRet = + WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG; ret = MAX_CHAIN_ERROR; WOLFSSL_ERROR_VERBOSE(ret); WOLFSSL_MSG("Too many certs for MAX_CHAIN_DEPTH"); @@ -13581,7 +13582,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("Failed to verify CA from chain"); #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_ERR_INVALID_CA; + ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_INVALID_CA; #endif } 
@@ -13656,7 +13657,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, * an ultimately trusted issuer.*/ args->count > (ssl->verifyDepth + 1)) { if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; + ssl->peerVerifyRet = + WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG; ret = MAX_CHAIN_ERROR; WOLFSSL_ERROR_VERBOSE(ret); } @@ -13800,7 +13802,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("Verified Peer's cert"); #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_OK; + ssl->peerVerifyRet = WOLFSSL_X509_V_OK; #endif #if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS) /* if using alternate chain, store the cert used */ @@ -13844,7 +13846,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; + ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_REJECTED; #endif args->fatal = 1; } @@ -13854,16 +13856,16 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ssl->peerVerifyRet == 0) { /* Return first cert error here */ if (ret == ASN_BEFORE_DATE_E) { ssl->peerVerifyRet = - (unsigned long)X509_V_ERR_CERT_NOT_YET_VALID; + (unsigned long)WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID; } else if (ret == ASN_AFTER_DATE_E) { ssl->peerVerifyRet = - (unsigned long)X509_V_ERR_CERT_HAS_EXPIRED; + (unsigned long)WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED; } else { ssl->peerVerifyRet = (unsigned long) - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; + WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; } } #endif 
@@ -13994,8 +13996,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* Return first cert error here */ ssl->peerVerifyRet = ret == OCSP_CERT_REVOKED - ? X509_V_ERR_CERT_REVOKED - : X509_V_ERR_CERT_REJECTED; + ? WOLFSSL_X509_V_ERR_CERT_REVOKED + : WOLFSSL_X509_V_ERR_CERT_REJECTED; } #endif } @@ -14023,8 +14025,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* Return first cert error here */ ssl->peerVerifyRet = ret == CRL_CERT_REVOKED - ? X509_V_ERR_CERT_REVOKED - : X509_V_ERR_CERT_REJECTED;; + ? WOLFSSL_X509_V_ERR_CERT_REVOKED + : WOLFSSL_X509_V_ERR_CERT_REJECTED;; } #endif } @@ -14129,7 +14131,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) SendAlert(ssl, alert_fatal, bad_certificate); if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; + ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_REJECTED; #endif goto exit_ppc; } @@ -14605,11 +14607,11 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* limit compliant with OpenSSL verify Depth + 1 * OpenSSL tries to expand the chain one longer than limit until * reaching an ultimately trusted issuer. Becoming failure if - * we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG + * we hit the limit, with WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG */ if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) { if (ssl->peerVerifyRet == 0) /* Return first cert error here */ - ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; + ssl->peerVerifyRet = WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG; ret = MAX_CHAIN_ERROR; WOLFSSL_ERROR_VERBOSE(ret); } 
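Review bot: The rewritten CRL branch keeps the stray double semicolon from the old line: `: WOLFSSL_X509_V_ERR_CERT_REJECTED;;` should be `: WOLFSSL_X509_V_ERR_CERT_REJECTED;`. It is harmless to the compiler but can trip extra-semicolon style checks and reads as a typo, and since the line is being touched for the rename this is the moment to drop it. The OCSP branch in the hunk just above has the same conditional without the extra semicolon, so the two would then match. ProcessPeerCerts starts and ends outside this hunk.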
@@ -23427,7 +23429,7 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) return "HTTP Application string error"; #endif #ifdef OPENSSL_EXTRA - case -X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: + case -WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: return "unable to get local issuer certificate"; #endif case UNSUPPORTED_PROTO_VERSION: diff --git a/src/ssl.c b/src/ssl.c index 7956801bb..ae6ba8459 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -24160,11 +24160,44 @@ long wolfSSL_set_tlsext_debug_arg(WOLFSSL* ssl, void *arg) #endif /* HAVE_PK_CALLBACKS */ #if defined(OPENSSL_ALL) || defined(WOLFSSL_HAPROXY) -const unsigned char *SSL_SESSION_get0_id_context(const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length) +const unsigned char *wolfSSL_SESSION_get0_id_context( + const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length) { - sess = ClientSessionToSession(sess); return wolfSSL_SESSION_get_id((WOLFSSL_SESSION *)sess, sid_ctx_length); } +int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, + const unsigned char *sid, unsigned int sid_len) +{ + if (s == NULL) { + return WOLFSSL_FAILURE; + } + if (sid_len > ID_LEN) { + return WOLFSSL_FAILURE; + } + s->sessionIDSz = sid_len; + if (sid != s->sessionID) { + XMEMCPY(s->sessionID, sid, sid_len); + } + return WOLFSSL_SUCCESS; +} + +int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, + const unsigned char *sid_ctx, unsigned int sid_ctx_len) +{ + if (s == NULL) { + return WOLFSSL_FAILURE; + } + if (sid_ctx_len > ID_LEN) { + return WOLFSSL_FAILURE; + } + s->sessionCtxSz = sid_ctx_len; + if (sid_ctx != s->sessionCtx) { + XMEMCPY(s->sessionCtx, sid_ctx, sid_ctx_len); + } + + return WOLFSSL_SUCCESS; +} + #endif /*** TBD ***/ 
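Review bot: `wolfSSL_SESSION_get0_id_context` still returns the session ID via `wolfSSL_SESSION_get_id`, while the new `wolfSSL_SESSION_set1_id_context` writes `s->sessionCtx` and `s->sessionCtxSz`, so a context stored through the new setter is not what the getter hands back. Because the sid_ctx is what keeps a session created under one SSL_CTX from being resumed under another, the getter should read the same field: `if (sess == NULL) return NULL; if (sid_ctx_length != NULL) *sid_ctx_length = sess->sessionCtxSz; return sess->sessionCtx;`. The removed `ClientSessionToSession(sess)` call suggests callers may pass a client-session handle; both new setters write into `s` without that conversion, which I would confirm is safe before merging. These definitions also sit under `OPENSSL_ALL || WOLFSSL_HAPROXY`, whereas the declarations in wolfssl/ssl.h are under `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL` and the old unconditional stubs are deleted in the next hunk, so an OPENSSL_EXTRA-only build now declares these functions but never defines them.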
@@ -24253,32 +24286,6 @@ long wolfSSL_set_tlsext_status_ids(WOLFSSL *s, void *arg) } #endif -/*** TBD ***/ -#ifndef NO_WOLFSSL_STUB -int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, - unsigned int sid_len) -{ - (void)s; - (void)sid; - (void)sid_len; - WOLFSSL_STUB("SSL_SESSION_set1_id"); - return WOLFSSL_FAILURE; -} -#endif - -#ifndef NO_WOLFSSL_STUB -/*** TBD ***/ -int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, - const unsigned char *sid_ctx, unsigned int sid_ctx_len) -{ - (void)s; - (void)sid_ctx; - (void)sid_ctx_len; - WOLFSSL_STUB("SSL_SESSION_set1_id_context"); - return WOLFSSL_FAILURE; -} -#endif - #if defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD) \ || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) /** diff --git a/src/x509.c b/src/x509.c index b4673a9a1..11a03c32c 100644 --- a/src/x509.c +++ b/src/x509.c @@ -12757,23 +12757,23 @@ int wolfSSL_X509_check_issued(WOLFSSL_X509 *issuer, WOLFSSL_X509 *subject) WOLFSSL_X509_NAME *subjectName = wolfSSL_X509_get_subject_name(issuer); if (issuerName == NULL || subjectName == NULL) - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + return WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH; /* Literal matching of encoded names and key ids. */ if (issuerName->sz != subjectName->sz || XMEMCMP(issuerName->name, subjectName->name, subjectName->sz) != 0) { - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + return WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH; } if (subject->authKeyId != NULL && issuer->subjKeyId != NULL) { if (subject->authKeyIdSz != issuer->subjKeyIdSz || XMEMCMP(subject->authKeyId, issuer->subjKeyId, issuer->subjKeyIdSz) != 0) { - return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; + return WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH; } } - return X509_V_OK; + return WOLFSSL_X509_V_OK; } #endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */ diff --git a/src/x509_str.c b/src/x509_str.c index 5c52d9f9c..e9703bb44 100644 --- a/src/x509_str.c +++ b/src/x509_str.c 
@@ -165,21 +165,21 @@ int GetX509Error(int e) { switch (e) { case ASN_BEFORE_DATE_E: - return X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; case ASN_AFTER_DATE_E: - return X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; case ASN_NO_SIGNER_E: /* get issuer error if no CA found locally */ - return X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; case ASN_SELF_SIGNED_E: - return X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; + return WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; case ASN_PATHLEN_INV_E: case ASN_PATHLEN_SIZE_E: - return X509_V_ERR_PATH_LENGTH_EXCEEDED; + return WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED; case ASN_SIG_OID_E: case ASN_SIG_CONFIRM_E: case ASN_SIG_HASH_E: case ASN_SIG_KEY_E: - return X509_V_ERR_CERT_SIGNATURE_FAILURE; + return WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE; default: #ifdef HAVE_WOLFSSL_MSG_EX WOLFSSL_MSG_EX("Error not configured or implemented yet: %d", e); @@ -238,11 +238,11 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) if (XVALIDATE_DATE(afterDate, (byte)ctx->current_cert->notAfter.type, AFTER) < 1) { - error = X509_V_ERR_CERT_HAS_EXPIRED; + error = WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED; } else if (XVALIDATE_DATE(beforeDate, (byte)ctx->current_cert->notBefore.type, BEFORE) < 1) { - error = X509_V_ERR_CERT_NOT_YET_VALID; + error = WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID; } if (error != 0 ) { @@ -687,7 +687,8 @@ int wolfSSL_X509_STORE_CTX_get1_issuer(WOLFSSL_X509 **issuer, if (ctx->chain != NULL) { for (node = ctx->chain; node != NULL; node = node->next) { - if (wolfSSL_X509_check_issued(node->data.x509, x) == X509_V_OK) { + if (wolfSSL_X509_check_issued(node->data.x509, x) == + WOLFSSL_X509_V_OK) { *issuer = x; return WOLFSSL_SUCCESS; } diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 93e54c4a4..92745973b 100644 --- a/wolfssl/openssl/ssl.h 
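Review bot: GetX509Error maps `ASN_BEFORE_DATE_E`/`ASN_AFTER_DATE_E` to `WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD`/`..._NOT_AFTER_FIELD`, but the internal.c hunk at 13854 maps the same two codes to `WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID`/`WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED`, and `wolfSSL_X509_verify_cert` below uses that latter pair for its own date check. In OpenSSL the ERROR_IN_CERT_* codes mean the date field could not be decoded while NOT_YET_VALID/HAS_EXPIRED mean it decoded and the clock is outside it, so an application that branches on "expired" would see different codes depending on which path validated the certificate. Since this hunk only renames, I would either switch the two cases to `WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID` and `WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED` after checking nothing depends on the current values, or add a comment on them explaining why this path reports a different code than ProcessPeerCerts.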
+++ b/wolfssl/openssl/ssl.h @@ -1360,6 +1360,9 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; #define SSL_SESSION_set_ex_data wolfSSL_SESSION_set_ex_data #define SSL_SESSION_get_ex_new_index wolfSSL_SESSION_get_ex_new_index #define SSL_SESSION_get_id wolfSSL_SESSION_get_id +#define SSL_SESSION_get0_id_context wolfSSL_SESSION_get0_id_context +#define SSL_SESSION_set1_id wolfSSL_SESSION_set1_id +#define SSL_SESSION_set1_id_context wolfSSL_SESSION_set1_id_context #define SSL_SESSION_print wolfSSL_SESSION_print #define sk_GENERAL_NAME_pop_free wolfSSL_sk_GENERAL_NAME_pop_free #define sk_GENERAL_NAME_free wolfSSL_sk_GENERAL_NAME_free @@ -1506,7 +1509,6 @@ typedef WOLFSSL_SRTP_PROTECTION_PROFILE SRTP_PROTECTION_PROFILE; #define SSL_R_CERT_CB_ERROR CLIENT_CERT_CB_ERROR #define SSL_R_NULL_SSL_METHOD_PASSED BAD_FUNC_ARG - #ifdef HAVE_SESSION_TICKET #define SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB 72 #endif diff --git a/wolfssl/openssl/x509.h b/wolfssl/openssl/x509.h index c303fd608..f794a3274 100644 --- a/wolfssl/openssl/x509.h +++ b/wolfssl/openssl/x509.h 
@@ -69,6 +69,133 @@ #define XN_FLAG_MULTILINE 0xFFFF +/* + * All of these aren't actually used in wolfSSL. Some are included to + * satisfy OpenSSL compatibility consumers to prevent compilation errors. + * The list was taken from + * https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in + */ + +#define X509_V_OK WOLFSSL_X509_V_OK +#define X509_V_ERR_UNSPECIFIED 1 +#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 +#define X509_V_ERR_UNABLE_TO_GET_CRL 3 +#define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 +#define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 +#define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 +#define X509_V_ERR_CERT_SIGNATURE_FAILURE \ + WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE +#define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 +#define X509_V_ERR_CERT_NOT_YET_VALID WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID +#define X509_V_ERR_CERT_HAS_EXPIRED WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED +#define X509_V_ERR_CRL_NOT_YET_VALID 11 +#define X509_V_ERR_CRL_HAS_EXPIRED 12 +#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD \ + WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD +#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD \ + WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD +#define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 +#define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 +#define X509_V_ERR_OUT_OF_MEM 17 +#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ + WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT +#define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 +#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ + WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY +#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE \ + WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE +#define X509_V_ERR_CERT_CHAIN_TOO_LONG WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG +#define X509_V_ERR_CERT_REVOKED WOLFSSL_X509_V_ERR_CERT_REVOKED +#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY WOLFSSL_X509_V_ERR_INVALID_CA +#define X509_V_ERR_PATH_LENGTH_EXCEEDED 
WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED +#define X509_V_ERR_INVALID_PURPOSE 26 +#define X509_V_ERR_CERT_UNTRUSTED 27 +#define X509_V_ERR_CERT_REJECTED WOLFSSL_X509_V_ERR_CERT_REJECTED + +/* These are 'informational' when looking for issuer cert */ +#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH \ + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH +#define X509_V_ERR_AKID_SKID_MISMATCH 30 +#define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 +#define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 +#define X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER 33 +#define X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION 34 +#define X509_V_ERR_KEYUSAGE_NO_CRL_SIGN 35 +#define X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION 36 +#define X509_V_ERR_INVALID_NON_CA 37 +#define X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED 38 +#define X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE 39 +#define X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED 40 +#define X509_V_ERR_INVALID_EXTENSION 41 +#define X509_V_ERR_INVALID_POLICY_EXTENSION 42 +#define X509_V_ERR_NO_EXPLICIT_POLICY 43 +#define X509_V_ERR_DIFFERENT_CRL_SCOPE 44 +#define X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE 45 +#define X509_V_ERR_UNNESTED_RESOURCE 46 +#define X509_V_ERR_PERMITTED_VIOLATION 47 +#define X509_V_ERR_EXCLUDED_VIOLATION 48 +#define X509_V_ERR_SUBTREE_MINMAX 49 +/* The application is not happy */ +#define X509_V_ERR_APPLICATION_VERIFICATION 50 +#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE 51 +#define X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX 52 +#define X509_V_ERR_UNSUPPORTED_NAME_SYNTAX 53 +#define X509_V_ERR_CRL_PATH_VALIDATION_ERROR 54 +/* Another issuer check debug option */ +#define X509_V_ERR_PATH_LOOP 55 +/* Suite B mode algorithm violation */ +#define X509_V_ERR_SUITE_B_INVALID_VERSION 56 +#define X509_V_ERR_SUITE_B_INVALID_ALGORITHM 57 +#define X509_V_ERR_SUITE_B_INVALID_CURVE 58 +#define X509_V_ERR_SUITE_B_INVALID_SIGNATURE_ALGORITHM 59 +#define X509_V_ERR_SUITE_B_LOS_NOT_ALLOWED 60 +#define X509_V_ERR_SUITE_B_CANNOT_SIGN_P_384_WITH_P_256 61 +/* Host, email and IP check 
errors */ +#define X509_V_ERR_HOSTNAME_MISMATCH 62 +#define X509_V_ERR_EMAIL_MISMATCH 63 +#define X509_V_ERR_IP_ADDRESS_MISMATCH 64 +/* DANE TLSA errors */ +#define X509_V_ERR_DANE_NO_MATCH 65 +/* security level errors */ +#define X509_V_ERR_EE_KEY_TOO_SMALL 66 +#define X509_V_ERR_CA_KEY_TOO_SMALL 67 +#define X509_V_ERR_CA_MD_TOO_WEAK 68 +/* Caller error */ +#define X509_V_ERR_INVALID_CALL 69 +/* Issuer lookup error */ +#define X509_V_ERR_STORE_LOOKUP 70 +/* Certificate transparency */ +#define X509_V_ERR_NO_VALID_SCTS 71 + +#define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72 +/* OCSP status errors */ +#define X509_V_ERR_OCSP_VERIFY_NEEDED 73 +#define X509_V_ERR_OCSP_VERIFY_FAILED 74 +#define X509_V_ERR_OCSP_CERT_UNKNOWN 75 + +#define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 76 +#define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 77 + +/* Errors in case a check in X509_V_FLAG_X509_STRICT mode fails */ +#define X509_V_ERR_SIGNATURE_ALGORITHM_INCONSISTENCY 78 +#define X509_V_ERR_INVALID_CA 79 +#define X509_V_ERR_PATHLEN_INVALID_FOR_NON_CA 80 +#define X509_V_ERR_PATHLEN_WITHOUT_KU_KEY_CERT_SIGN 81 +#define X509_V_ERR_KU_KEY_CERT_SIGN_INVALID_FOR_NON_CA 82 +#define X509_V_ERR_ISSUER_NAME_EMPTY 83 +#define X509_V_ERR_SUBJECT_NAME_EMPTY 84 +#define X509_V_ERR_MISSING_AUTHORITY_KEY_IDENTIFIER 85 +#define X509_V_ERR_MISSING_SUBJECT_KEY_IDENTIFIER 86 +#define X509_V_ERR_EMPTY_SUBJECT_ALT_NAME 87 +#define X509_V_ERR_EMPTY_SUBJECT_SAN_NOT_CRITICAL 88 +#define X509_V_ERR_CA_BCONS_NOT_CRITICAL 89 +#define X509_V_ERR_AUTHORITY_KEY_IDENTIFIER_CRITICAL 90 +#define X509_V_ERR_SUBJECT_KEY_IDENTIFIER_CRITICAL 91 +#define X509_V_ERR_CA_CERT_MISSING_KEY_USAGE 92 +#define X509_V_ERR_EXTENSIONS_REQUIRE_VERSION_3 93 +#define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 94 +#define X509_R_CERT_ALREADY_IN_HASH_TABLE 101 + #define X509_EXTENSION_set_critical wolfSSL_X509_EXTENSION_set_critical #define X509_EXTENSION_set_object wolfSSL_X509_EXTENSION_set_object #define X509_EXTENSION_set_data 
wolfSSL_X509_EXTENSION_set_data diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 99aa78bac..5747c0906 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2339,6 +2339,7 @@ enum { #define SSL_NOTHING 1 #define SSL_WRITING 2 #define SSL_READING 3 +#define SSL_MAX_SSL_SESSION_ID_LENGTH 32 /* = ID_LEN */ enum { #ifdef HAVE_OCSP @@ -2363,8 +2364,6 @@ enum { OCSP_BASICRESP = 16, #endif - SSL_MAX_SSL_SESSION_ID_LENGTH = 32, - SSL_ST_CONNECT = 0x1000, SSL_ST_ACCEPT = 0x2000, SSL_ST_MASK = 0x0FFF, 
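Review bot: `X509_V_ERR_INVALID_CA` is now defined as OpenSSL's value 79 while `X509_V_ERR_NO_ISSUER_PUBLIC_KEY` is aliased to `WOLFSSL_X509_V_ERR_INVALID_CA` (24), yet the internal.c hunk at 13581 still stores `WOLFSSL_X509_V_ERR_INVALID_CA` in `peerVerifyRet` when a chain CA fails to verify. An application comparing the verify result against `X509_V_ERR_INVALID_CA` therefore no longer matches that case, although it did before because the removed enum had `X509_V_ERR_INVALID_CA = 24`, and the value it does get now reads as NO_ISSUER_PUBLIC_KEY. Either keep the compat name bound to what wolfSSL actually reports, `#define X509_V_ERR_INVALID_CA WOLFSSL_X509_V_ERR_INVALID_CA`, or change the internal code to report a value OpenSSL uses for that condition, and state the choice in the header comment. The block comment's first sentence ("All of these aren't actually used in wolfSSL") is also no longer accurate for the entries aliased to WOLFSSL_ values; `Only the entries aliased to WOLFSSL_X509_V_* are ever reported by wolfSSL; the rest exist so OpenSSL-compat consumers compile.` would say what is meant.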
@@ -2393,65 +2392,24 @@ enum { * limit the possibility of an infinite retry loop */ SSL_MODE_RELEASE_BUFFERS = -1, /* For libwebsockets build. No current use. */ - - /* Not all of these are actually used in wolfSSL. Some are included to - * satisfy OpenSSL compatibility consumers to prevent compilation errors. */ - X509_V_OK = 0, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT = 2, - X509_V_ERR_UNABLE_TO_GET_CRL = 3, - X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE = 4, - X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE = 5, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY = 6, - X509_V_ERR_CERT_SIGNATURE_FAILURE = 7, - X509_V_ERR_CRL_SIGNATURE_FAILURE = 8, - X509_V_ERR_CERT_NOT_YET_VALID = 9, - X509_V_ERR_CERT_HAS_EXPIRED = 10, - X509_V_ERR_CRL_NOT_YET_VALID = 11, - X509_V_ERR_CRL_HAS_EXPIRED = 12, - X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 13, - X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 14, - X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD = 15, - X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 16, - X509_V_ERR_OUT_OF_MEM = 17, - X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18, - X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19, - X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20, - X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21, - X509_V_ERR_CERT_CHAIN_TOO_LONG = 22, - X509_V_ERR_CERT_REVOKED = 23, - X509_V_ERR_INVALID_CA = 24, - X509_V_ERR_PATH_LENGTH_EXCEEDED = 25, - X509_V_ERR_INVALID_PURPOSE = 26, - X509_V_ERR_CERT_UNTRUSTED = 27, - X509_V_ERR_CERT_REJECTED = 28, - X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29, - X509_V_ERR_AKID_SKID_MISMATCH = 30, - X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH = 31, - X509_V_ERR_KEYUSAGE_NO_CERTSIGN = 32, - X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER = 33, - X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION = 34, - X509_V_ERR_KEYUSAGE_NO_CRL_SIGN = 35, - X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION = 36, - X509_V_ERR_INVALID_NON_CA = 37, - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED = 38, - X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE = 39, - X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED = 40, - 
X509_V_ERR_INVALID_EXTENSION = 41, - X509_V_ERR_INVALID_POLICY_EXTENSION = 42, - X509_V_ERR_NO_EXPLICIT_POLICY = 43, - X509_V_ERR_DIFFERENT_CRL_SCOPE = 44, - X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE = 45, - X509_V_ERR_UNNESTED_RESOURCE = 46, - X509_V_ERR_PERMITTED_VIOLATION = 47, - X509_V_ERR_EXCLUDED_VIOLATION = 48, - X509_V_ERR_SUBTREE_MINMAX = 49, - X509_V_ERR_APPLICATION_VERIFICATION = 50, - X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE = 51, - X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX = 52, - X509_V_ERR_UNSUPPORTED_NAME_SYNTAX = 53, - X509_V_ERR_CRL_PATH_VALIDATION_ERROR = 54, - - X509_R_CERT_ALREADY_IN_HASH_TABLE = 101, + /* Errors used in wolfSSL. + * Should map the defines in wolfssl/openssl/x509.h + */ + WOLFSSL_X509_V_OK = 0, + WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE = 7, + WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID = 9, + WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED = 10, + WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD = 13, + WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD = 14, + WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18, + WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20, + WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21, + WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG = 22, + WOLFSSL_X509_V_ERR_CERT_REVOKED = 23, + WOLFSSL_X509_V_ERR_INVALID_CA = 24, + WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED = 25, + WOLFSSL_X509_V_ERR_CERT_REJECTED = 28, + WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH = 29, CRYPTO_LOCK = 1, CRYPTO_NUM_LOCKS = 10, 
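Review bot: Dropping the `X509_V_*` members from the public enum in wolfssl/ssl.h means any consumer that included only wolfssl/ssl.h and compared a verify result against `X509_V_OK` or `X509_V_ERR_CERT_HAS_EXPIRED` now needs wolfssl/openssl/x509.h as well, which I would call out in the release notes if that header is not pulled in by default. The new comment `Should map the defines in wolfssl/openssl/x509.h` states the dependency backwards and nothing enforces it; the x509.h macros expand to these enumerators, so I would word it as `/* X509 verify results wolfSSL actually reports (peerVerifyRet, GetX509Error). wolfssl/openssl/x509.h aliases the OpenSSL X509_V_* names to these; keep the two lists in step. */`. The enclosing enum starts outside this hunk.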
@@ -5023,14 +4981,16 @@ WOLFSSL_API int wolfSSL_X509_check_email(WOLFSSL_X509 *x, const char *chk, #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(WOLFSSL_WPAS) -WOLFSSL_API const unsigned char *SSL_SESSION_get0_id_context( - const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length); +WOLFSSL_API const unsigned char *wolfSSL_SESSION_get0_id_context( + const WOLFSSL_SESSION *sess, unsigned int *sid_ctx_length); #endif #endif #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) -WOLFSSL_API int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, const unsigned char *sid, unsigned int sid_len); -WOLFSSL_API int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len); +WOLFSSL_API int wolfSSL_SESSION_set1_id(WOLFSSL_SESSION *s, + const unsigned char *sid, unsigned int sid_len); +WOLFSSL_API int wolfSSL_SESSION_set1_id_context(WOLFSSL_SESSION *s, + const unsigned char *sid_ctx, unsigned int sid_ctx_len); WOLFSSL_API WOLFSSL_X509_ALGOR* wolfSSL_X509_ALGOR_new(void); WOLFSSL_API void wolfSSL_X509_ALGOR_free(WOLFSSL_X509_ALGOR *alg); WOLFSSL_API const WOLFSSL_X509_ALGOR* wolfSSL_X509_get0_tbs_sigalg(const WOLFSSL_X509 *x);