Merge pull request #8903 from dgarske/cadate_calist
Expose API to access "store" error code and depth for cert failure callback
9
.github/workflows/os-check.yml
vendored
9
.github/workflows/os-check.yml
vendored
@ -41,16 +41,21 @@ jobs:
|
||||
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
|
||||
--enable-dtls-mtu',
|
||||
'--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
|
||||
--enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
|
||||
--enable-psk --enable-aesccm --enable-nullcipher
|
||||
CPPFLAGS=-DWOLFSSL_STATIC_RSA',
|
||||
'--enable-ascon --enable-experimental',
|
||||
'--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
|
||||
'--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
|
||||
'--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS=-DWOLFSSL_DH_EXTRA',
|
||||
'--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
|
||||
CPPFLAGS=-DWOLFSSL_DH_EXTRA',
|
||||
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
|
||||
--enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
|
||||
'--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
|
||||
'--enable-opensslall --enable-opensslextra
|
||||
CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
|
||||
'--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
|
||||
'--enable-opensslextra=x509small',
|
||||
'CPPFLAGS=''-DWOLFSSL_EXTRA'' '
|
||||
]
|
||||
name: make check
|
||||
if: github.repository_owner == 'wolfssl'
|
||||
|
@ -2905,7 +2905,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
|
||||
defined(WOLFSSL_WPAS_SMALL)
|
||||
wolfSSL_X509_STORE_free(ctx->x509_store_pt);
|
||||
#endif
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
|
||||
#ifndef WOLFSSL_NO_CA_NAMES
|
||||
wolfSSL_sk_X509_NAME_pop_free(ctx->client_ca_names, NULL);
|
||||
ctx->client_ca_names = NULL;
|
||||
#endif
|
||||
@ -8784,7 +8784,7 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
|
||||
wolfSSL_sk_X509_pop_free(ssl->ourCertChain, NULL);
|
||||
#endif
|
||||
#endif
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
|
||||
#ifndef WOLFSSL_NO_CA_NAMES
|
||||
wolfSSL_sk_X509_NAME_pop_free(ssl->client_ca_names, NULL);
|
||||
ssl->client_ca_names = NULL;
|
||||
#endif
|
||||
|
@ -12163,7 +12163,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
#endif /* !NO_BIO */
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
|
||||
#ifndef WOLFSSL_NO_CA_NAMES
|
||||
void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX* ctx,
|
||||
WOLF_STACK_OF(WOLFSSL_X509_NAME)* names)
|
||||
{
|
||||
@ -12184,8 +12184,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
ssl->client_ca_names = names;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
#ifdef OPENSSL_EXTRA
|
||||
/* registers client cert callback, called during handshake if server
|
||||
requests client auth but user has not loaded client cert/key */
|
||||
void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb cb)
|
||||
@ -12397,9 +12398,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
|
||||
#endif /* OPENSSL_EXTRA || WOLFSSL_EXTRA || HAVE_WEBSERVER */
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
|
||||
#ifndef WOLFSSL_NO_CA_NAMES
|
||||
WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
|
||||
|
@ -577,33 +577,15 @@ exit:
|
||||
|
||||
#endif /* OPENSSL_EXTRA */
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
|
||||
WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
|
||||
WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
|
||||
if (ctx)
|
||||
return ctx->current_cert;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
|
||||
if (ctx != NULL)
|
||||
return ctx->error;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
|
||||
if(ctx)
|
||||
return ctx->error_depth;
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
|
||||
WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
|
||||
if (ctx)
|
||||
return ctx->current_cert;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/* get X509_STORE_CTX ex_data, max idx is MAX_EX_DATA */
|
||||
void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
|
||||
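Review bot: The relocated `wolfSSL_X509_STORE_CTX_get_current_cert` is now guarded by `OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL`, whereas the block it replaces was guarded by `OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL`. Unless `WOLFSSL_WPAS_SMALL` implies `OPENSSL_EXTRA_X509_SMALL` in the settings headers (not visible here), a WPAS-small build without OPENSSL_EXTRA loses this accessor and a verify callback that calls it will fail to link. Either confirm that implication or restore it explicitly with `#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || defined(WOLFSSL_WPAS_SMALL)`. The hunk opens after an `exit:` label whose function is outside the view.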
@ -619,7 +601,27 @@ void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
|
||||
#endif
|
||||
return NULL;
|
||||
}
|
||||
#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
|
||||
#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
|
||||
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
|
||||
defined(WOLFSSL_EXTRA)
|
||||
int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
|
||||
if (ctx != NULL)
|
||||
return ctx->error;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
|
||||
if (ctx)
|
||||
return ctx->error_depth;
|
||||
return WOLFSSL_FATAL_ERROR;
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
|
||||
|
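Review bot: `wolfSSL_X509_STORE_CTX_get_error` returns 0 for a NULL ctx while `wolfSSL_X509_STORE_CTX_get_error_depth` directly below returns `WOLFSSL_FATAL_ERROR` for the same condition; 0 is the "no error" value a verify callback tests before deciding to override a failure, so a NULL store reads as a clean verification. The code is moved rather than new, but the commit makes it reachable from WOLFSSL_EXTRA-only builds and new callers (the C# wrapper), so the two accessors should agree or the NULL case should be spelled out, e.g. `/* NOTE: returns 0 (no error) when ctx is NULL; callers must check ctx before trusting the result */`. `wolfSSL_X509_STORE_CTX_set_verify_cb` at the end of the hunk continues outside the view.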
@ -28110,7 +28110,8 @@ static int test_wolfSSL_CTX_set_client_CA_list(void)
|
||||
static int test_wolfSSL_CTX_add_client_CA(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
|
||||
#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) && \
|
||||
!defined(NO_RSA) && !defined(NO_CERTS) && \
|
||||
!defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
|
||||
WOLFSSL_CTX* ctx = NULL;
|
||||
WOLFSSL_X509* x509 = NULL;
|
||||
@ -38569,7 +38570,7 @@ static int test_wolfSSL_cert_cb_dyn_ciphers(void)
|
||||
static int test_wolfSSL_ciphersuite_auth(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
|
||||
#if defined(OPENSSL_EXTRA)
|
||||
WOLFSSL_CIPHERSUITE_INFO info;
|
||||
|
||||
(void)info;
|
||||
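Review bot: The guard on `test_wolfSSL_ciphersuite_auth` narrows from `OPENSSL_EXTRA || WOLFSSL_EXTRA` to `OPENSSL_EXTRA`, so this test no longer runs in the `CPPFLAGS=-DWOLFSSL_EXTRA` configuration the same commit adds to CI. If the functions it exercises are still compiled under WOLFSSL_EXTRA alone (their production guard is not in view) this is a coverage regression rather than a fix; if they were re-gated, a one-line comment such as `/* ciphersuite info API is OPENSSL_EXTRA only */` would keep the next reader from widening it again. The function body continues past the hunk.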
@ -38659,7 +38660,7 @@ static int test_wolfSSL_ciphersuite_auth(void)
|
||||
static int test_wolfSSL_sigalg_info(void)
|
||||
{
|
||||
EXPECT_DECLS;
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
|
||||
#if defined(OPENSSL_EXTRA)
|
||||
byte hashSigAlgo[WOLFSSL_MAX_SIGALGO];
|
||||
word16 len = 0;
|
||||
word16 idx = 0;
|
||||
|
@ -1086,13 +1086,17 @@
|
||||
|
||||
#undef WSSL_HARDEN_TLS
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
|
||||
#define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? (ssl)->client_ca_names : \
|
||||
/* Client CA Names feature */
|
||||
#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA)
|
||||
#define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? \
|
||||
(ssl)->client_ca_names : \
|
||||
(ssl)->ctx->client_ca_names)
|
||||
#else
|
||||
#define WOLFSSL_NO_CA_NAMES
|
||||
#undef WOLFSSL_NO_CA_NAMES
|
||||
#define WOLFSSL_NO_CA_NAMES
|
||||
#endif
|
||||
|
||||
|
||||
/* actual cipher values, 2nd byte */
|
||||
enum {
|
||||
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
|
||||
|
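Review bot: `WOLFSSL_NO_CA_NAMES` is now derived in internal.h and forced on unless `OPENSSL_EXTRA` is defined, yet the public header ssl.h gates the `wolfSSL_*_client_CA_list` prototypes on the same macro; an application that includes only ssl.h without OPENSSL_EXTRA would see prototypes for functions compiled out of the library, unless those declarations already sit inside an OPENSSL_EXTRA block (the enclosing `#if` is not visible in the ssl.h hunks). Deriving the macro in a header both sides include (settings.h) avoids the split, or at minimum note the coupling here: `/* Derived here; ssl.h relies on the same macro for the client_CA_list prototypes */`. Note also that the old guard admitted `WOLFSSL_EXTRA` and `HAVE_LIGHTY`, so builds with either but not OPENSSL_EXTRA now silently lose client CA names; if that is intended, the commit message should say so.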
@ -1841,6 +1841,12 @@ WOLFSSL_API const char* wolfSSL_ERR_func_error_string(unsigned long e);
|
||||
WOLFSSL_API const char* wolfSSL_ERR_lib_error_string(unsigned long e);
|
||||
|
||||
/* -------- EXTRAS BEGIN -------- */
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
|
||||
defined(WOLFSSL_EXTRA)
|
||||
WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
|
||||
WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
|
||||
|
||||
@ -2144,9 +2150,6 @@ WOLFSSL_API int wolfSSL_num_locks(void);
|
||||
|
||||
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
|
||||
WOLFSSL_X509_STORE_CTX* ctx);
|
||||
WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
|
||||
WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
|
||||
|
||||
WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
|
||||
WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
|
||||
WOLFSSL_API void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st,
|
||||
@ -2407,6 +2410,8 @@ WOLFSSL_API void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t);
|
||||
#endif
|
||||
|
||||
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname);
|
||||
|
||||
#ifndef WOLFSSL_NO_CA_NAMES
|
||||
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
|
||||
const WOLFSSL_CTX *ctx);
|
||||
/* deprecated function name */
|
||||
@ -2418,6 +2423,7 @@ WOLFSSL_API void wolfSSL_set_client_CA_list(WOLFSSL* ssl,
|
||||
WOLF_STACK_OF(WOLFSSL_X509_NAME)*);
|
||||
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_get_client_CA_list(
|
||||
const WOLFSSL* ssl);
|
||||
#endif /* !WOLFSSL_NO_CA_NAMES */
|
||||
|
||||
typedef int (*client_cert_cb)(WOLFSSL *ssl, WOLFSSL_X509 **x509,
|
||||
WOLFSSL_EVP_PKEY **pkey);
|
||||
|
@ -2467,14 +2467,14 @@ static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
|
||||
static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
|
||||
{
|
||||
char err_buffer[WOLFSSL_MAX_ERROR_SZ];
|
||||
int err;
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
WOLFSSL_X509* peer;
|
||||
#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
|
||||
!defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
#endif
|
||||
#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
|
||||
WOLFSSL_BIO* bio = NULL;
|
||||
WOLFSSL_STACK* sk = NULL;
|
||||
X509* x509 = NULL;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/* Verify Callback Arguments:
|
||||
@ -2492,10 +2492,17 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
|
||||
will be discarded (only with SESSION_CERTS)
|
||||
*/
|
||||
|
||||
fprintf(stderr, "In verification callback, error = %d, %s\n", store->error,
|
||||
wolfSSL_ERR_error_string((unsigned long) store->error, err_buffer));
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
|
||||
defined(WOLFSSL_EXTRA)
|
||||
err = wolfSSL_X509_STORE_CTX_get_error(store);
|
||||
#else
|
||||
err = store->error;
|
||||
#endif
|
||||
|
||||
fprintf(stderr, "In verification callback, error = %d, %s\n", err,
|
||||
wolfSSL_ERR_error_string((unsigned long) err, err_buffer));
|
||||
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
peer = store->current_cert;
|
||||
peer = wolfSSL_X509_STORE_CTX_get_current_cert(store);
|
||||
if (peer) {
|
||||
char* issuer = wolfSSL_X509_NAME_oneline(
|
||||
wolfSSL_X509_get_issuer_name(peer), 0, 0);
|
||||
@ -2515,8 +2522,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
|
||||
|
||||
XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
|
||||
XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
|
||||
#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
|
||||
!defined(OPENSSL_EXTRA_X509_SMALL)
|
||||
#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
|
||||
/* avoid printing duplicate certs */
|
||||
if (store->depth == 1) {
|
||||
int i;
|
||||
|
@ -54,9 +54,18 @@ public class wolfSSL_TLS_Client
|
||||
/// <param name="x509_ctx">Certificate in WOLFSSL_X509_STORE_CTX format</param>
|
||||
private static int myVerify(int preverify, IntPtr x509_ctx)
|
||||
{
|
||||
/* Use the provided verification */
|
||||
int verify = preverify;
|
||||
|
||||
/* example for overriding an error code */
|
||||
/* X509_STORE_CTX_get_error API can be enabled with
|
||||
* OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA */
|
||||
int error = wolfssl.X509_STORE_CTX_get_error(x509_ctx);
|
||||
if (error == wolfcrypt.ASN_BEFORE_DATE_E) {
|
||||
verify = 1; /* override error */
|
||||
}
|
||||
|
||||
/* Can optionally override failures by returning non-zero value */
|
||||
return preverify;
|
||||
return verify;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
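Review bot: The example verify callback now turns `ASN_BEFORE_DATE_E` into success (`verify = 1`), i.e. it accepts a certificate that is not yet valid, and sample code like this is routinely copied into production unchanged. If the override stays, label it unmistakably, `/* WARNING: demo only - accepting a not-yet-valid certificate disables a validity check; never ship this */`, and log the overridden error rather than returning 1 silently. The comparison is also against the raw wolfcrypt value -150; if the native library was built with OPENSSL_EXTRA and translates `store->error` to X509_V_ERR_* codes before invoking the callback (check DoVerifyCallback, not visible here), this branch never matches, so the example should state which build configuration it was exercised against. The enclosing class continues outside the hunk.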
@ -90,7 +99,7 @@ public class wolfSSL_TLS_Client
|
||||
|
||||
if (caCert == "" || dhparam.Length == 0) {
|
||||
Console.WriteLine("Platform not supported.");
|
||||
return;
|
||||
return;
|
||||
}
|
||||
|
||||
StringBuilder buff = new StringBuilder(1024);
|
||||
@ -133,14 +142,14 @@ public class wolfSSL_TLS_Client
|
||||
}
|
||||
|
||||
int sniArg = haveSNI(args);
|
||||
if (sniArg >= 0)
|
||||
if (sniArg >= 0)
|
||||
{
|
||||
string sniHostNameString = args[sniArg].Trim();
|
||||
sniHostName = Marshal.StringToHGlobalAnsi(sniHostNameString);
|
||||
|
||||
ushort size = (ushort)sniHostNameString.Length;
|
||||
|
||||
if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
|
||||
if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
|
||||
{
|
||||
Console.WriteLine("UseSNI failed");
|
||||
wolfssl.CTX_free(ctx);
|
||||
|
@ -566,11 +566,29 @@ namespace wolfSSL.CSharp
|
||||
public static readonly int AES_BLOCK_SIZE = 16;
|
||||
|
||||
/* Error codes */
|
||||
public static readonly int SUCCESS = 0;
|
||||
public static readonly int SIG_VERIFY_E = -229; /* wolfcrypt signature verify error */
|
||||
public static readonly int MEMORY_E = -125; /* Out of memory error */
|
||||
public static readonly int EXCEPTION_E = -1;
|
||||
public static readonly int BUFFER_E = -131; /* RSA buffer error, output too small/large */
|
||||
public static readonly int SUCCESS = 0;
|
||||
public static readonly int EXCEPTION_E = -1;
|
||||
public static readonly int MEMORY_E = -125; /* Out of memory error */
|
||||
public static readonly int BUFFER_E = -131; /* RSA buffer error, output too small/large */
|
||||
public static readonly int ASN_PARSE_E = -140; /* ASN parsing error, invalid input */
|
||||
public static readonly int ASN_VERSION_E = -141; /* ASN version error, invalid number */
|
||||
public static readonly int ASN_GETINT_E = -142; /* ASN get big int error, invalid data */
|
||||
public static readonly int ASN_RSA_KEY_E = -143; /* ASN key init error, invalid input */
|
||||
public static readonly int ASN_OBJECT_ID_E = -144; /* ASN object id error, invalid id */
|
||||
public static readonly int ASN_TAG_NULL_E = -145; /* ASN tag error, not null */
|
||||
public static readonly int ASN_EXPECT_0_E = -146; /* ASN expect error, not zero */
|
||||
public static readonly int ASN_BITSTR_E = -147; /* ASN bit string error, wrong id */
|
||||
public static readonly int ASN_UNKNOWN_OID_E = -148; /* ASN oid error, unknown sum id */
|
||||
public static readonly int ASN_DATE_SZ_E = -149; /* ASN date error, bad size */
|
||||
public static readonly int ASN_BEFORE_DATE_E = -150; /* ASN date error, current date before */
|
||||
public static readonly int ASN_AFTER_DATE_E = -151; /* ASN date error, current date after */
|
||||
public static readonly int ASN_SIG_OID_E = -152; /* ASN signature error, mismatched oid */
|
||||
public static readonly int ASN_TIME_E = -153; /* ASN time error, unknown time type */
|
||||
public static readonly int ASN_INPUT_E = -154; /* ASN input error, not enough data */
|
||||
public static readonly int ASN_SIG_CONFIRM_E = -155; /* ASN sig error, confirm failure */
|
||||
public static readonly int ASN_SIG_HASH_E = -156; /* ASN sig error, unsupported hash type */
|
||||
public static readonly int ASN_SIG_KEY_E = -157; /* ASN sig error, unsupported key type */
|
||||
public static readonly int SIG_VERIFY_E = -229; /* wolfcrypt signature verify error */
|
||||
|
||||
|
||||
/***********************************************************************
|
||||
|
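Review bot: The ASN_* values added here are hand-copied from wolfcrypt's error-crypt.h and nothing in the wrapper checks them against the native library, so an upstream renumbering would silently make comparisons such as `error == wolfcrypt.ASN_BEFORE_DATE_E` stop matching and a verify override would stop firing (or fire for the wrong error). Add `/* Must stay in sync with wolfssl/wolfcrypt/error-crypt.h */` above the list, and consider asserting one known value through the library's error-string function at startup or in a unit test so drift is caught. The enclosing class starts and ends outside the hunk.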