From dcf61bd10e6d0daf2d058f6f9e8edaa995c1e0bf Mon Sep 17 00:00:00 2001
From: David Garske
Date: Tue, 3 Oct 2017 08:46:15 -0700
Subject: [PATCH 1/2] Added new API `wolfSSL_CTX_GetCertManager` for getting the WOLFSSL_CTX certificate manager.
---
src/ssl.c | 7 +++++++
wolfssl/ssl.h | 4 +++-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/ssl.c b/src/ssl.c
index 7578ccc4b..d892eb794 100755
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -2957,6 +2957,13 @@ void FreeDer(DerBuffer** pDer)
 }
 }
+WOLFSSL_CERT_MANAGER* wolfSSL_CTX_GetCertManager(WOLFSSL_CTX* ctx)
+{
+ WOLFSSL_CERT_MANAGER* cm = NULL;
+ if (ctx)
+ cm = ctx->cm;
+ return cm;
+}
 WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew_ex(void* heap)
 {
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 5f5bf56ce..81998f094 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1410,7 +1410,7 @@ WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL*);
 WOLFSSL_API int wolfSSL_CTX_SetMinVersion(WOLFSSL_CTX* ctx, int version);
 WOLFSSL_API int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version);
 WOLFSSL_API int wolfSSL_GetObjectSize(void); /* object size based on build */
-WOLFSSL_API int wolfSSL_CTX_GetObjectSize(void);
+WOLFSSL_API int wolfSSL_CTX_GetObjectSize(void);
 WOLFSSL_API int wolfSSL_METHOD_GetObjectSize(void);
 WOLFSSL_API int wolfSSL_GetOutputSize(WOLFSSL*, int);
 WOLFSSL_API int wolfSSL_GetMaxOutputSize(WOLFSSL*);
@@ -1641,6 +1641,8 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
 #ifndef NO_CERTS
 WOLFSSL_API void wolfSSL_CTX_SetCACb(WOLFSSL_CTX*, CallbackCACache);
+ WOLFSSL_API WOLFSSL_CERT_MANAGER* wolfSSL_CTX_GetCertManager(WOLFSSL_CTX*);
+
 WOLFSSL_API WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew_ex(void* heap);
 WOLFSSL_API WOLFSSL_CERT_MANAGER* wolfSSL_CertManagerNew(void);
 WOLFSSL_API void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER*);
From 19ea4716f372c306c69099b2f0afeb04b35264bc Mon Sep 17 00:00:00 2001
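Review bot: wolfSSL_CTX_GetCertManager hands out the WOLFSSL_CERT_MANAGER stored in ctx->cm without any comment on ownership, and the declaration added in the second wolfssl/ssl.h hunk of this patch is equally bare; since wolfSSL_CertManagerFree is declared three lines below it in that header, a caller could reasonably assume the returned pointer is theirs to free. Suggest a comment on the definition or the declaration along the lines of `/* Returns the certificate manager owned by ctx, or NULL if ctx is NULL. The pointer is borrowed: do not pass it to wolfSSL_CertManagerFree. */`. The header declaration sits under `#ifndef NO_CERTS`, while the ssl.c hunk does not show whether the definition at this point is under the same guard — worth confirming so a NO_CERTS build does not compile a definition that has no prototype.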
From: David Garske
Date: Tue, 3 Oct 2017 10:00:20 -0700
Subject: [PATCH 2/2] Add unit tests for `wolfSSL_CTX_GetCertManager`, `wolfSSL_CTX_UnloadCAs`, `wolfSSL_CertManagerUnloadCAs` and `wolfSSL_CTX_get_cert_cache_memsize`. Fixed comment typo `PERSISTE_CERT_CACHE`.
---
src/ssl.c | 2 +-
tests/api.c | 32 +++++++++++++++++++++++++++++++-
2 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index d892eb794..965a3f48f 100755
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -7557,7 +7557,7 @@ int wolfSSL_CTX_get_cert_cache_memsize(WOLFSSL_CTX* ctx)
 return CM_GetCertCacheMemSize(ctx->cm);
 }
-#endif /* PERSISTE_CERT_CACHE */
+#endif /* PERSIST_CERT_CACHE */
 #endif /* !NO_CERTS */
diff --git a/tests/api.c b/tests/api.c
index f21098d6b..c1641185a 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -451,6 +451,10 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
 {
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_WOLFSSL_CLIENT)
 WOLFSSL_CTX *ctx;
+ WOLFSSL_CERT_MANAGER* cm;
+#ifdef PERSIST_CERT_CACHE
+ int cacheSz;
+#endif
 AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
@@ -468,9 +472,35 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
 /* AssertFalse(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, bogusFile)); */
 #endif
- /* success */
+ /* load ca cert */
 AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0));
+#ifdef PERSIST_CERT_CACHE
+ /* Get cert cache size */
+ cacheSz = wolfSSL_CTX_get_cert_cache_memsize(ctx);
+#endif
+ /* Test unloading CA's */
+ AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UnloadCAs(ctx));
+
+#ifdef PERSIST_CERT_CACHE
+ /* Verify no certs (result is less than cacheSz) */
+ AssertIntGT(cacheSz, wolfSSL_CTX_get_cert_cache_memsize(ctx));
+#endif
+
+ /* load ca cert again */
+ AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0));
+
+ /* Test getting CERT_MANAGER */
+ AssertNotNull(cm = wolfSSL_CTX_GetCertManager(ctx));
+
+ /* Test unloading CA's using CM */
+ AssertIntEQ(SSL_SUCCESS, wolfSSL_CertManagerUnloadCAs(cm));
+
+#ifdef PERSIST_CERT_CACHE
+ /* Verify no certs (result is less than cacheSz) */
+ AssertIntGT(cacheSz, wolfSSL_CTX_get_cert_cache_memsize(ctx));
+#endif
+
 wolfSSL_CTX_free(ctx);
 #endif
 }
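Review bot: The two `AssertIntGT(cacheSz, wolfSSL_CTX_get_cert_cache_memsize(ctx))` checks only establish that the cache shrank after the unload, while their comment claims "Verify no certs"; a cache that still held some entries would pass just as well. Reading the cache size right after wolfSSL_CTX_new, before the first load, gives an empty-context baseline that the post-unload size can be compared to with AssertIntEQ, and comparing cacheSz against that baseline after the load also proves the load populated the cache, which the hunk never checks. cacheSz is also taken as a baseline without any check that the call succeeded, so a negative error return would surface later as a puzzling GT failure instead of at the call site. The enclosing test function starts in the previous hunk, where `int cacheSz;` is declared under the same guard and a sibling `int emptySz;` would go.
```c
#ifdef PERSIST_CERT_CACHE
    /* baseline: cache size of a context with no CAs loaded (not assumed to be 0) */
    emptySz = wolfSSL_CTX_get_cert_cache_memsize(ctx);
    AssertTrue(emptySz >= 0);
#endif
    /* load ca cert */
    AssertTrue(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0));
#ifdef PERSIST_CERT_CACHE
    /* loading must have grown the cache beyond the empty baseline */
    cacheSz = wolfSSL_CTX_get_cert_cache_memsize(ctx);
    AssertIntGT(cacheSz, emptySz);
#endif
    /* Test unloading CA's */
    AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_UnloadCAs(ctx));
#ifdef PERSIST_CERT_CACHE
    /* unload must return the cache to the empty baseline */
    AssertIntEQ(emptySz, wolfSSL_CTX_get_cert_cache_memsize(ctx));
#endif
    /* … unchanged: reload, wolfSSL_CTX_GetCertManager, wolfSSL_CertManagerUnloadCAs … */
#ifdef PERSIST_CERT_CACHE
    AssertIntEQ(emptySz, wolfSSL_CTX_get_cert_cache_memsize(ctx));
#endif
```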