rebase to master
revert WOLFSSL_X509_STRICT addition
miyazakh committed Oct 31, 2024
1 parent b265259 commit 58eb339
Showing 4 changed files with 44 additions and 109 deletions.
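--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -202,13 +202,7 @@ static int ProcessUserCert(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer,
 
 if (type == CA_TYPE) {
 /* Add CA to certificate manager */
-ret = AddCA(cm, pDer,
-#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
-WOLFSSL_MUST_BE_CA,
-#else
-WOLFSSL_USER_CA,
-#endif
-verify);
+ret = AddCA(cm, pDer, WOLFSSL_USER_CA, verify);
 if (ret == 1) {
 ret = 0;
 }
@@ -2060,13 +2054,7 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
 /* CA certificate to verify with. */
 if (type == CA_TYPE) {
 /* verify CA unless user set to no verify */
-ret = AddCA(ctx->cm, &der,
-#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
-WOLFSSL_MUST_BE_CA,
-#else
-WOLFSSL_USER_CA,
-#endif
-verify);
+ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify);
 if (ret == 1) {
 ret = 0;
 }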
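Review bot: Both `AddCA` call sites now pass `WOLFSSL_USER_CA` unconditionally, so a certificate loaded as CA_TYPE goes into the certificate manager without the basicConstraints check that the (now removed) `WOLFSSL_MUST_BE_CA` variant presumably carried, and nothing at either site says where that check lives instead. Suggest a comment above each call, e.g. `/* CA:TRUE is not enforced at load time; per x509_str.c, a non-CA issuer is reported as X509_V_ERR_INVALID_CA during verification under OPENSSL_ALL/WOLFSSL_QT */`, so a reader does not assume load-time enforcement. The same `AddCA` plus `ret == 1 -> 0` normalisation is duplicated in ProcessUserCert and ProcessBufferCertHandleDer; both enclosing functions start before and continue after their hunks.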
47 changes: 33 additions & 14 deletions src/x509_str.c
Expand Up @@ -207,11 +207,7 @@ int GetX509Error(int e)
return WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
case WC_NO_ERR_TRACE(ASN_NO_SIGNER_E):
/* get issuer error if no CA found locally */
#if defined(WOLFSSL_QT)
return X509_V_ERR_INVALID_CA;
#else
return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
#endif
case WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E):
return WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT;
case WC_NO_ERR_TRACE(ASN_PATHLEN_INV_E):
Expand Down Expand Up @@ -243,17 +239,24 @@ int GetX509Error(int e)
}
}

static void SetupStoreCtxError_ex(WOLFSSL_X509_STORE_CTX* ctx, int ret,
int depth)
{
int error = GetX509Error(ret);

wolfSSL_X509_STORE_CTX_set_error(ctx, error);
wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth);
}

static void SetupStoreCtxError(WOLFSSL_X509_STORE_CTX* ctx, int ret)
{
int depth = 0;
int error = GetX509Error(ret);

/* Set error depth */
if (ctx->chain)
depth = (int)ctx->chain->num;

wolfSSL_X509_STORE_CTX_set_error(ctx, error);
wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth);
SetupStoreCtxError_ex(ctx, ret, depth);
}

static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
Expand All @@ -269,7 +272,8 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
SetupStoreCtxError(ctx, ret);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
if (ctx->store->verify_cb)
ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? 0 : ret;
ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ?
WOLFSSL_SUCCESS : ret;
#endif

#ifndef NO_ASN_TIME
Expand All @@ -294,7 +298,7 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
if (ctx->store->verify_cb)
ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0,
ctx) == 1 ? 0 : -1;
ctx) == 1 ? WOLFSSL_SUCCESS : -1;
#endif
}
#endif
Expand Down Expand Up @@ -397,21 +401,37 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)

/* We found our issuer in the non-trusted cert list, add it
* to the CM and verify the current cert against it */
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
/* OpenSSL doesn't allow the cert as CA if it is not CA:TRUE for
* intermediate certs.
*/
if (!issuer->isCa) {
/* error depth is curren depth + 1 */
SetupStoreCtxError_ex(ctx, X509_V_ERR_INVALID_CA,
(ctx->chain) ? (ctx->chain->num + 1) : 1);
if (ctx->store->verify_cb) {
ret = ctx->store->verify_cb(0, ctx);
if (ret != WOLFSSL_SUCCESS) {
goto exit;
}
}
} else {
#endif
ret = X509StoreAddCa(ctx->store, issuer,
WOLFSSL_TEMP_CA);
if (ret != WOLFSSL_SUCCESS) {
goto exit;
}

added = 1;

ret = X509StoreVerifyCert(ctx);
if (ret != WOLFSSL_SUCCESS) {
goto exit;
}

/* Add it to the current chain and look at the issuer cert next */
wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert);
#if defined(OPENSSL_ALL) || defined(WOLFSSL_QT)
}
#endif
ctx->current_cert = issuer;
}
else if (ret == WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) {
Expand All @@ -430,6 +450,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)

/* Cert verified, finish building the chain */
wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert);

issuer = NULL;
#ifdef WOLFSSL_SIGNER_DER_CERT
x509GetIssuerFromCM(&issuer, ctx->store->cm, ctx->current_cert);
Expand Down Expand Up @@ -1342,11 +1363,9 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
}

WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_cert", result);
#if !defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
if (result != WOLFSSL_SUCCESS) {
result = WOLFSSL_FATAL_ERROR;
}
#endif
return result;
}

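Review bot: In the new `if (!issuer->isCa)` branch of wolfSSL_X509_verify_cert, when `ctx->store->verify_cb` is NULL the X509_V_ERR_INVALID_CA error is stored via `SetupStoreCtxError_ex` but `ret` is left untouched, so control falls through to `ctx->current_cert = issuer;` with a non-CA issuer and, as far as the hunk shows, nothing signals the failure to the caller on that path (the function body continues outside the hunk). Consider making the outcome explicit, e.g. `} else { ret = WOLFSSL_FAILURE; goto exit; }` after the callback block, or whatever the rest of the function uses to report a failed chain. The depth argument `(ctx->chain) ? (ctx->chain->num + 1) : 1` is passed to an `int` parameter without the `(int)` cast that SetupStoreCtxError applies in `depth = (int)ctx->chain->num;`, which is inconsistent and will warn under -Wconversion if `num` is unsigned; the comment `/* error depth is curren depth + 1 */` also has a typo. When the callback overrides the error, the current cert is not pushed onto `ctx->chain` before `current_cert` advances to the issuer — a one-line comment stating whether that gap in the reported chain is intended would help the next reader.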
74 changes: 9 additions & 65 deletions tests/api.c
Expand Up @@ -2565,17 +2565,10 @@ static int test_wolfSSL_CTX_load_verify_locations(void)
WC_NO_ERR_TRACE(WOLFSSL_FAILURE));

/* Test loading expired CA certificates */
#if defined(NO_RSA) || defined(WOLFSSL_X509_STRICT)
ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL,
load_expired_path,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY),
WOLFSSL_SUCCESS);
#else
ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL,
load_expired_path,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY),
WOLFSSL_SUCCESS);
#endif

/* Test loading CA certificates and ignoring all errors */
#ifdef NO_RSA
Expand Down Expand Up @@ -2998,11 +2991,7 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void)
!defined(NO_ASN_TIME)
ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
#else
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(ret, NOT_CA_ERROR);
#else
ExpectIntEQ(ret, WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(ret, WOLFSSL_SUCCESS);
#endif
#endif
return EXPECT_RESULT();
Expand Down Expand Up @@ -3035,17 +3024,9 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void)
#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \
!defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \
defined(OPENSSL_COMPATIBLE_DEFAULTS)
#if defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(ret, WC_NO_ERR_TRACE(NOT_CA_ERROR));
#else
ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
#endif
ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E));
#else
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(ret, NOT_CA_ERROR);
#else
ExpectIntEQ(ret, WOLFSSL_SUCCESS);
#endif
ExpectIntEQ(ret, WOLFSSL_SUCCESS);
#endif

#endif
Expand Down Expand Up @@ -4905,27 +4886,14 @@ static int test_wolfSSL_CTX_load_verify_buffer_ex(void)
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
#else
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_NONE), NOT_CA_ERROR);
#else
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS);
#endif
#endif
/* test expired CA success */
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), NOT_CA_ERROR);
#else
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS);
#endif

/* Fail when ctx is NULL. */
ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(NULL, ca_expired_cert,
sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0,
Expand Down Expand Up @@ -60365,7 +60333,7 @@ static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename,
return EXPECT_RESULT();
}

#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
#if defined(OPENSSL_ALL)

static int last_errcode;
static int last_errdepth;
Expand Down Expand Up @@ -60421,11 +60389,7 @@ static int test_X509_STORE_InvalidCa(void)

ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1);
ExpectIntEQ(X509_verify_cert(ctx), 1);
#if defined(WOLFSSL_QT)
ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA);
#else
ExpectIntEQ(last_errcode, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY);
#endif

X509_free(cert);
X509_STORE_free(str);
Expand Down Expand Up @@ -60515,13 +60479,8 @@ static int test_X509_STORE_untrusted(void)

/* Only immediate issuer in untrusted chain. Fails since can't build chain
* to loaded CA. */
#if defined(WOLFSSL_QT)
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0,
X509_V_ERR_INVALID_CA, 1), TEST_SUCCESS);
#else
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1), TEST_SUCCESS);
#endif
/* Succeeds because path to loaded CA is available. */
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted2, 1, 0, 1),
TEST_SUCCESS);
Expand All @@ -60531,10 +60490,6 @@ static int test_X509_STORE_untrusted(void)
TEST_SUCCESS);
/* Still needs properly loaded CA, while including it in untrusted
* list is not an error, it also doesnt count for verify */
#if defined(WOLFSSL_QT)
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0,
X509_V_ERR_INVALID_CA, 0), TEST_SUCCESS);
#else
ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0,
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0), TEST_SUCCESS);
/* Succeeds because path to loaded CA is available. */
Expand Down Expand Up @@ -72696,22 +72651,12 @@ static int test_wolfSSL_X509_CA_num(void)
int ca_num = 0;

ExpectNotNull(store = wolfSSL_X509_STORE_new());
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(caCertFile,
WOLFSSL_FILETYPE_PEM));
#else
ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(svrCertFile,
WOLFSSL_FILETYPE_PEM));
#endif
ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_1), 1);
ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 1);
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(caEccCertFile,
WOLFSSL_FILETYPE_PEM));
#else
ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(eccCertFile,
WOLFSSL_FILETYPE_PEM));
#endif
ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_2), 1);
ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 2);

Expand Down Expand Up @@ -76286,7 +76231,7 @@ static int test_wolfSSL_OCSP_parse_url(void)

#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \
defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \
!defined(NO_ASN_TIME) && !defined(WOLFSSL_X509_STRICT)
!defined(NO_ASN_TIME)
static time_t test_wolfSSL_OCSP_REQ_CTX_time_cb(time_t* t)
{
if (t != NULL) {
Expand All @@ -76301,8 +76246,7 @@ static int test_wolfSSL_OCSP_REQ_CTX(void)
{
EXPECT_DECLS;
#if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \
defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \
!defined(WOLFSSL_X509_STRICT)
defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM)
/* This buffer was taken from the ocsp-stapling.test test case 1. The ocsp
* response was captured in wireshark. It contains both the http and binary
* parts. The time test_wolfSSL_OCSP_REQ_CTX_time_cb is set exactly so that
Expand Down Expand Up @@ -98117,7 +98061,7 @@ TEST_CASE testCases[] = {
TEST_DECL(test_wolfSSL_X509_STORE_CTX),
TEST_DECL(test_wolfSSL_X509_STORE_CTX_ex),
TEST_DECL(test_X509_STORE_untrusted),
#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
#if defined(OPENSSL_ALL)
TEST_DECL(test_X509_STORE_InvalidCa),
#endif
TEST_DECL(test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup),
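Review bot: test_X509_STORE_InvalidCa now asserts only that `X509_verify_cert(ctx)` returns 1 and that `last_errcode` equals X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY (the line that appears to survive the hunk), so the X509_V_ERR_INVALID_CA report that this commit adds to x509_str.c for a non-CA issuer is never asserted and the test would still pass if that branch were removed. If the callback behind `last_errcode`/`last_errdepth` (declared just after the `#if defined(OPENSSL_ALL)` guard, body outside the hunk) overwrites on every call, consider having it also record the INVALID_CA observation, e.g. a `static int seen_invalid_ca;` set in the callback and `ExpectIntEQ(seen_invalid_ca, 1);` next to the existing check, ideally with the expected `last_errdepth` as well. The test and its entry in `testCases[]` are now compiled under `#if defined(OPENSSL_ALL)` only, while the code path it exercises is guarded by `OPENSSL_ALL || WOLFSSL_QT`, so a WOLFSSL_QT-only build leaves that branch untested.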
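--- a/tests/suites.c
+++ b/tests/suites.c
@@ -263,11 +263,7 @@ static int IsValidCA(const char* line)
 {
 int ret = 1;
 #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
-#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
-X509_STORE* str = NULL;
-#else
 WOLFSSL_CTX* ctx;
-#endif
 size_t i;
 const char* begin;
 char cert[80];
@@ -281,23 +277,11 @@ static int IsValidCA(const char* line)
 cert[i] = *(begin++);
 cert[i] = '\0';
 
-#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
-str = X509_STORE_new();
-if (str == NULL)
-return 0;
-#else
 ctx = wolfSSL_CTX_new(wolfSSLv23_server_method_ex(NULL));
 if (ctx == NULL)
 return 0;
-#endif
-#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT)
-/* skip if CA: at basic constraints sets to FALSE */
-ret = wolfSSL_X509_STORE_load_locations(str, cert, NULL) == WOLFSSL_SUCCESS;
-X509_STORE_free(str);
-#else
 ret = wolfSSL_CTX_use_certificate_chain_file(ctx, cert) == WOLFSSL_SUCCESS;
 wolfSSL_CTX_free(ctx);
-#endif
 #endif /* !NO_FILESYSTEM && !NO_CERTS */
 
 (void)line;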
