wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 02:37:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2471 from dgarske/test_date_override

Browse Source 
Fix for verify callback override not adding to trusted CA list
This commit is contained in:
toddouska
2019-09-19 13:54:24 -07:00
committed by GitHub
parent 33a83cdba0 0e5de0c076
commit c16b02a265
4 changed files with 65 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
examples/client/client.c
View File

@ -2350,7 +2350,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
if (!usePsk && !useAnon && !useVerifyCb && !myVerifyFail) {
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_CTX_load_verify_locations(ctx, verifyCert, 0)
unsigned int verify_flags = 0;
#ifdef TEST_BEFORE_DATE
verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
#endif
if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0, verify_flags)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("can't load ca file, Please run from wolfSSL home dir");
@ -2362,7 +2366,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifdef HAVE_ECC
/* load ecc verify too, echoserver uses it by default w/ ecc */
#ifndef TEST_LOAD_BUFFER
if (wolfSSL_CTX_load_verify_locations(ctx, eccCertFile, 0)
if (wolfSSL_CTX_load_verify_locations_ex(ctx, eccCertFile, 0, verify_flags)
!= WOLFSSL_SUCCESS) {
wolfSSL_CTX_free(ctx); ctx = NULL;
err_sys("can't load ecc ca file, Please run from wolfSSL home dir");

25
examples/server/server.c
View File

@ -924,6 +924,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
unsigned char alpn_opt = 0;
char* cipherList = NULL;
int useDefCipherList = 0;
int overrideDateErrors = 0;
const char* verifyCert = cliCertFile;
const char* ourCert = svrCertFile;
const char* ourKey = svrKeyFile;
@ -1036,6 +1037,7 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
(void)postHandAuth;
(void)mcastID;
(void)loadCertKeyIntoSSLObj;
(void)overrideDateErrors;
#ifdef WOLFSSL_TIRTOS
fdOpenSession(Task_self());
@ -1186,6 +1188,9 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
disallowETM = 1;
#endif
}
else if (XSTRNCMP(myoptarg, "overrideDateErr", 15) == 0) {
overrideDateErrors = 1;
}
else {
Usage();
XEXIT_T(MY_EX_USAGE);
@ -1717,10 +1722,17 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
/* if not using PSK, verify peer with certs
if using PSK Plus then verify peer certs except PSK suites */
if (doCliCertCheck && (usePsk == 0 || usePskPlus) && useAnon == 0) {
unsigned int verify_flags = 0;
SSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER |
(usePskPlus ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0) != WOLFSSL_SUCCESS)
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT),
overrideDateErrors == 1 ? myDateCb : NULL);
#ifdef TEST_BEFORE_DATE
verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
#endif
if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0, verify_flags) != WOLFSSL_SUCCESS)
err_sys_ex(runWithErrors, "can't load ca file, Please run from wolfSSL home dir");
#ifdef WOLFSSL_TRUST_PEER_CERT
if (trustCert) {
@ -2211,10 +2223,17 @@ THREAD_RETURN WOLFSSL_THREAD server_test(void* args)
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_POST_HANDSHAKE_AUTH)
if (postHandAuth) {
unsigned int verify_flags = 0;
SSL_set_verify(ssl, WOLFSSL_VERIFY_PEER |
((usePskPlus) ? WOLFSSL_VERIFY_FAIL_EXCEPT_PSK :
WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT), 0);
if (SSL_CTX_load_verify_locations(ctx, verifyCert, 0)
#ifdef TEST_BEFORE_DATE
verify_flags |= WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY;
#endif
if (wolfSSL_CTX_load_verify_locations_ex(ctx, verifyCert, 0, verify_flags)
!= WOLFSSL_SUCCESS) {
err_sys_ex(runWithErrors, "can't load ca file, Please run from "
"wolfSSL home dir");

61
src/internal.c
View File

@ -9585,7 +9585,8 @@ static int ProcessPeerCertParse(WOLFSSL* ssl, ProcPeerCertArgs* args,
/* Parse Certificate */
ret = ParseCertRelative(args->dCert, certType, verify, ssl->ctx->cm);
if (ret == 0) {
/* perform below checks for date failure cases */
if (ret == 0 || ret == ASN_BEFORE_DATE_E || ret == ASN_AFTER_DATE_E) {
/* get subject and determine if already loaded */
#ifndef NO_SKID
if (args->dCert->extAuthKeyIdSet)
@ -10001,39 +10002,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
"not adding as CA");
}
else if (ret == 0) {
buffer* cert = &args->certs[args->certIdx];
/* Is valid CA */
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
/* if using alternate chain, store the cert used */
if (ssl->options.usingAltCertChain) {
AddSessionCertToChain(&ssl->session.altChain,
cert->buffer, cert->length);
}
#endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
#ifdef OPENSSL_EXTRA
if (args->certIdx > args->untrustedDepth) {
args->untrustedDepth = (char)args->certIdx + 1;
}
#endif
if (!alreadySigner) {
DerBuffer* add = NULL;
ret = AllocDer(&add, cert->length, CA_TYPE, ssl->heap);
if (ret < 0)
goto exit_ppc;
XMEMCPY(add->buffer, cert->buffer, cert->length);
/* CA already verified above in ParseCertRelative */
WOLFSSL_MSG("Adding CA from chain");
ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA,
NO_VERIFY);
if (ret == WOLFSSL_SUCCESS) {
ret = 0;
}
}
else {
if (alreadySigner) {
WOLFSSL_MSG("Verified CA from chain and already had it");
}
}
@ -10115,6 +10090,36 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Do verify callback */
ret = DoVerifyCallback(ssl, ret, args);
/* If valid CA then add to Certificate Manager */
if (ret == 0 && args->dCert->isCA && !ssl->options.verifyNone) {
buffer* cert = &args->certs[args->certIdx];
/* Is valid CA */
#if defined(SESSION_CERTS) && defined(WOLFSSL_ALT_CERT_CHAINS)
/* if using alternate chain, store the cert used */
if (ssl->options.usingAltCertChain) {
AddSessionCertToChain(&ssl->session.altChain,
cert->buffer, cert->length);
}
#endif /* SESSION_CERTS && WOLFSSL_ALT_CERT_CHAINS */
if (!alreadySigner) {
DerBuffer* add = NULL;
ret = AllocDer(&add, cert->length, CA_TYPE, ssl->heap);
if (ret < 0)
goto exit_ppc;
XMEMCPY(add->buffer, cert->buffer, cert->length);
/* CA already verified above in ParseCertRelative */
WOLFSSL_MSG("Adding CA from chain");
ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA,
NO_VERIFY);
if (ret == WOLFSSL_SUCCESS) {
ret = 0;
}
}
}
/* Handle error codes */
if (ret != 0 && args->lastErr == 0) {
args->lastErr = ret; /* save error from last time */

4
wolfssl/wolfcrypt/wc_port.h
View File

@ -642,7 +642,11 @@ WOLFSSL_API int wolfCrypt_Cleanup(void);
/* Map default time functions */
#if !defined(XTIME) && !defined(TIME_OVERRIDES) && !defined(USER_TIME)
#ifdef TEST_BEFORE_DATE
#define XTIME(tl) (946681200UL) /* Jan 1, 2000 */
#else
#define XTIME(tl) time((tl))
#endif
#endif
#if !defined(XGMTIME) && !defined(TIME_OVERRIDES)
#if defined(WOLFSSL_GMTIME) || !defined(HAVE_GMTIME_R) || defined(WOLF_C99)