diff --git a/src/ssl.c b/src/ssl.c
index 284dad50b..9033db194 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -10655,23 +10655,24 @@ void wolfSSL_CTX_set_verify(WOLFSSL_CTX* ctx, int mode, VerifyCallback vc)
 if (ctx == NULL)
 return;
- if (mode & WOLFSSL_VERIFY_PEER) {
- ctx->verifyPeer = 1;
- ctx->verifyNone = 0; /* in case previously set */
- }
+ ctx->verifyPeer = 0;
+ ctx->verifyNone = 0;
+ ctx->failNoCert = 0;
+ ctx->failNoCertxPSK = 0;
 if (mode == WOLFSSL_VERIFY_NONE) {
 ctx->verifyNone = 1;
- ctx->verifyPeer = 0; /* in case previously set */
 }
-
- if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
- ctx->failNoCert = 1;
- }
-
- if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
- ctx->failNoCert = 0; /* fail on all is set to fail on PSK */
- ctx->failNoCertxPSK = 1;
+ else {
+ if (mode & WOLFSSL_VERIFY_PEER) {
+ ctx->verifyPeer = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
+ ctx->failNoCertxPSK = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+ ctx->failNoCert = 1;
+ }
 }
 ctx->verifyCallback = vc;
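Review bot: The new else-branch drops the old rule that WOLFSSL_VERIFY_FAIL_EXCEPT_PSK overrides WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT (the removed `ctx->failNoCert = 0; /* fail on all is set to fail on PSK */`), so a caller passing both bits now leaves `failNoCert` and `failNoCertxPSK` set at the same time. Which flag wins when both are set is decided by the handshake code outside this hunk, so PSK sessions may silently stop being exempt for such callers; either restore the override or state the precedence in a comment above the three `if` blocks, e.g. `/* both fail flags may be set together; see the handshake for which takes precedence */`, after confirming it against that code. Also, any non-zero mode that lacks WOLFSSL_VERIFY_PEER now forces `verifyPeer = 0`, whereas the old code left a previously set value alone; that is OpenSSL's replace-not-merge semantics, but it is a behaviour change for existing callers that is not called out anywhere. wolfSSL_CTX_set_verify ends outside the hunk.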
@@ -10697,22 +10698,24 @@ void wolfSSL_set_verify(WOLFSSL* ssl, int mode, VerifyCallback vc)
 if (ssl == NULL)
 return;
- if (mode & WOLFSSL_VERIFY_PEER) {
- ssl->options.verifyPeer = 1;
- ssl->options.verifyNone = 0; /* in case previously set */
- }
+ ssl->options.verifyPeer = 0;
+ ssl->options.verifyNone = 0;
+ ssl->options.failNoCert = 0;
+ ssl->options.failNoCertxPSK = 0;
 if (mode == WOLFSSL_VERIFY_NONE) {
 ssl->options.verifyNone = 1;
- ssl->options.verifyPeer = 0; /* in case previously set */
 }
-
- if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- ssl->options.failNoCert = 1;
-
- if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
- ssl->options.failNoCert = 0; /* fail on all is set to fail on PSK */
- ssl->options.failNoCertxPSK = 1;
+ else {
+ if (mode & WOLFSSL_VERIFY_PEER) {
+ ssl->options.verifyPeer = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_EXCEPT_PSK) {
+ ssl->options.failNoCertxPSK = 1;
+ }
+ if (mode & WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
+ ssl->options.failNoCert = 1;
+ }
 }
 ssl->verifyCallback = vc;
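Review bot: wolfSSL_set_verify now zeroes all four option flags before applying `mode`, so a call replaces rather than accumulates the verify configuration inherited from the CTX or from an earlier call; for example `wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, cb)` after `SSL_VERIFY_PEER` now ends with `verifyPeer = 0`, which the old code would have kept. That matches OpenSSL's SSL_set_verify, but it is a silent change for existing callers and nothing in the hunk says so; a one-line comment above the reset block, `/* mode fully replaces any previously configured verify flags (OpenSSL semantics) */`, would make the contract explicit. Whether `verifyPeer == 0 && verifyNone == 0` with a fail flag set is treated as "do not request a certificate" is decided in the handshake code outside this hunk, so that combination deserves either a test or a comment as well. wolfSSL_set_verify ends outside the hunk.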
@@ -45764,24 +45767,57 @@ int wolfSSL_SESSION_print(WOLFSSL_BIO *bp, const WOLFSSL_SESSION *x)
 #if defined(OPENSSL_ALL) || (defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)) \
 || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX)
-int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
+/* TODO: Doesn't currently track SSL_VERIFY_CLIENT_ONCE */
+int wolfSSL_get_verify_mode(const WOLFSSL* ssl)
 {
+ int mode = 0;
+ WOLFSSL_ENTER("wolfSSL_get_verify_mode");
+
+ if (!ssl) {
+ return WOLFSSL_FAILURE;
+ }
+
+ if (ssl->options.verifyNone) {
+ mode = WOLFSSL_VERIFY_NONE;
+ }
+ else {
+ if (ssl->options.verifyPeer) {
+ mode |= WOLFSSL_VERIFY_PEER;
+ }
+ if (ssl->options.failNoCert) {
+ mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ }
+ if (ssl->options.failNoCertxPSK) {
+ mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ }
+ }
+
+ WOLFSSL_LEAVE("wolfSSL_get_verify_mode", mode);
+ return mode;
+}
+
+int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx)
 {
 int mode = 0;
 WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
- if(!ctx)
- return WOLFSSL_FATAL_ERROR;
+ if (!ctx) {
+ return WOLFSSL_FAILURE;
+ }
- if (ctx->verifyPeer)
- mode |= WOLFSSL_VERIFY_PEER;
- else if (ctx->verifyNone)
- mode |= WOLFSSL_VERIFY_NONE;
-
- if (ctx->failNoCert)
- mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
-
- if (ctx->failNoCertxPSK)
- mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ if (ctx->verifyNone) {
+ mode = WOLFSSL_VERIFY_NONE;
+ }
+ else {
+ if (ctx->verifyPeer) {
+ mode |= WOLFSSL_VERIFY_PEER;
+ }
+ if (ctx->failNoCert) {
+ mode |= WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+ }
+ if (ctx->failNoCertxPSK) {
+ mode |= WOLFSSL_VERIFY_FAIL_EXCEPT_PSK;
+ }
+ }
 WOLFSSL_LEAVE("wolfSSL_CTX_get_verify_mode", mode);
 return mode;
diff --git a/tests/api.c b/tests/api.c
index e51b7434d..8b0b3f575 100644
--- a/tests/api.c
+++ b/tests/api.c
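Review bot: Both getters now answer a NULL handle with `return WOLFSSL_FAILURE;`, replacing the `WOLFSSL_FATAL_ERROR` the old wolfSSL_CTX_get_verify_mode returned; if WOLFSSL_FAILURE is 0, as it is in wolfSSL's public result enum (not visible in this hunk), that is the same value as WOLFSSL_VERIFY_NONE, so a caller that passes a NULL pointer reads back "verification disabled" and cannot tell misuse from a genuine mode. Keeping `return WOLFSSL_FATAL_ERROR;` in both `if (!ssl)` and `if (!ctx)` branches leaves the error distinguishable from every valid mode, since all the verify bits are non-negative. The TODO on SSL_VERIFY_CLIENT_ONCE is also worth turning into a proper function comment stating that the returned value is rebuilt from the tracked flags and may be a subset of what was passed to the setter, because OpenSSL-compat callers that compare the getter against the value they set will otherwise see spurious mismatches.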
@@ -32095,6 +32095,66 @@ static void test_wolfSSL_RSA_meth(void)
 #endif
 }
+static void test_wolfSSL_verify_mode(void)
+{
+#if defined(OPENSSL_ALL)
+ WOLFSSL* ssl;
+ WOLFSSL_CTX* ctx;
+
+ printf(testingFmt, "test_wolfSSL_verify()");
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+
+ AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
+ AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
+ AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), SSL_SUCCESS);
+
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
+ SSL_free(ssl);
+
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, 0);
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
+ AssertIntEQ(SSL_CTX_get_verify_mode(ctx), SSL_VERIFY_PEER);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
+
+ SSL_free(ssl);
+
+ wolfSSL_CTX_set_verify(ctx,
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_CTX_get_verify_mode(ctx));
+ AssertIntEQ(SSL_get_verify_mode(ssl),
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, 0);
+ AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_PEER);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_NONE, 0);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_NONE);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+ wolfSSL_set_verify(ssl, SSL_VERIFY_FAIL_EXCEPT_PSK, 0);
+ AssertIntEQ(SSL_get_verify_mode(ssl), SSL_VERIFY_FAIL_EXCEPT_PSK);
+
AssertIntEQ(SSL_CTX_get_verify_mode(ctx),
+ WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+
+ SSL_free(ssl);
+
+ SSL_CTX_free(ctx);
+ printf(resultFmt, passed);
+#endif
+}
+
+
 static void test_wolfSSL_verify_depth(void)
 {
 #if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_WOLFSSL_CLIENT)
@@ -40164,6 +40224,7 @@ void ApiTest(void)
 test_wolfSSL_RSA_DER();
 test_wolfSSL_RSA_get0_key();
 test_wolfSSL_RSA_meth();
+ test_wolfSSL_verify_mode();
 test_wolfSSL_verify_depth();
 test_wolfSSL_HMAC_CTX();
 test_wolfSSL_msg_callback();
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 95c0fdb57..1f009c11c 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -173,7 +173,7 @@ typedef STACK_OF(ACCESS_DESCRIPTION) AUTHORITY_INFO_ACCESS;
 /* at the moment only returns ok */
 #define SSL_get_verify_result wolfSSL_get_verify_result
-#define SSL_get_verify_mode wolfSSL_SSL_get_mode
+#define SSL_get_verify_mode wolfSSL_get_verify_mode
 #define SSL_get_verify_depth wolfSSL_get_verify_depth
 #define SSL_CTX_get_verify_mode wolfSSL_CTX_get_verify_mode
 #define SSL_CTX_get_verify_depth wolfSSL_CTX_get_verify_depth
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index b32aaf7d9..5babc0048 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -3837,7 +3837,8 @@ WOLFSSL_API int wolfSSL_set1_curves_list(WOLFSSL* ssl, const char* names);
 defined(HAVE_STUNNEL) || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
 defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
-WOLFSSL_API int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx);
+WOLFSSL_API int wolfSSL_get_verify_mode(const WOLFSSL* ssl);
+WOLFSSL_API int wolfSSL_CTX_get_verify_mode(const WOLFSSL_CTX* ctx);
 #endif
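Review bot: test_wolfSSL_verify_mode prints `"test_wolfSSL_verify()"` instead of its own name, and it never exercises the one combination the setter change actually alters: passing `WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT | WOLFSSL_VERIFY_FAIL_EXCEPT_PSK` together, where the old setter cleared failNoCert and the new one keeps both flags. Adding `wolfSSL_set_verify(ssl, WOLFSSL_VERIFY_PEER | WOLFSSL_VERIFY_FAIL_IF_NO_PEER_CERT | WOLFSSL_VERIFY_FAIL_EXCEPT_PSK, 0);` followed by an `AssertIntEQ` on the round-tripped mode would pin the intended precedence in the same style as the existing cases. The certificate, key and CA loads at the top are never used by a handshake in this test, so it covers flag bookkeeping only; either drop those three calls or add a comment such as `/* no handshake here: only the set/get round-trip of the mode bits is checked */` so a reader does not assume the verify behaviour itself is exercised. The two `AssertTrue` loads are also inconsistent with the `AssertIntEQ(..., SSL_SUCCESS)` on the third load.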