diff --git a/src/ssl_load.c b/src/ssl_load.c index f1952765ec..0361edbdf5 100644 --- a/src/ssl_load.c +++ b/src/ssl_load.c @@ -202,13 +202,7 @@ static int ProcessUserCert(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, if (type == CA_TYPE) { /* Add CA to certificate manager */ - ret = AddCA(cm, pDer, - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - WOLFSSL_MUST_BE_CA, - #else - WOLFSSL_USER_CA, - #endif - verify); + ret = AddCA(cm, pDer, WOLFSSL_USER_CA, verify); if (ret == 1) { ret = 0; } @@ -2060,13 +2054,7 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl, /* CA certificate to verify with. */ if (type == CA_TYPE) { /* verify CA unless user set to no verify */ - ret = AddCA(ctx->cm, &der, - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - WOLFSSL_MUST_BE_CA, - #else - WOLFSSL_USER_CA, - #endif - verify); + ret = AddCA(ctx->cm, &der, WOLFSSL_USER_CA, verify); if (ret == 1) { ret = 0; } diff --git a/src/x509_str.c b/src/x509_str.c index 3a1a198dfa..2660d4f8a4 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -207,11 +207,7 @@ int GetX509Error(int e) return WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED; case WC_NO_ERR_TRACE(ASN_NO_SIGNER_E): /* get issuer error if no CA found locally */ - #if defined(WOLFSSL_QT) - return X509_V_ERR_INVALID_CA; - #else return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; - #endif case WC_NO_ERR_TRACE(ASN_SELF_SIGNED_E): return WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; case WC_NO_ERR_TRACE(ASN_PATHLEN_INV_E): 
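Review bot: Dropping the WOLFSSL_MUST_BE_CA argument here means AddCA() no longer rejects a certificate without CA:TRUE when it is loaded into the trust store, in every build configuration; the same change is made in the ProcessBufferCertHandleDer hunk below. If that loosening is intended (CA:TRUE enforcement for intermediates moves to wolfSSL_X509_verify_cert), it should be stated at the call so the next reader does not re-add the check, e.g. `/* Trust anchors are accepted regardless of CA:TRUE; CA-ness of untrusted intermediates is enforced in wolfSSL_X509_verify_cert. */`. The new argument list also leaves the `verify` parameter as the only per-call variation, so the remaining WOLFSSL_USER_CA literal is worth a one-line note that it is deliberately not WOLFSSL_MUST_BE_CA. ProcessUserCert's body continues outside the hunk.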
@@ -243,17 +239,24 @@ int GetX509Error(int e) } } +static void SetupStoreCtxError_ex(WOLFSSL_X509_STORE_CTX* ctx, int ret, + int depth) +{ + int error = GetX509Error(ret); + + wolfSSL_X509_STORE_CTX_set_error(ctx, error); + wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); +} + static void SetupStoreCtxError(WOLFSSL_X509_STORE_CTX* ctx, int ret) { int depth = 0; - int error = GetX509Error(ret); /* Set error depth */ if (ctx->chain) depth = (int)ctx->chain->num; - wolfSSL_X509_STORE_CTX_set_error(ctx, error); - wolfSSL_X509_STORE_CTX_set_error_depth(ctx, depth); + SetupStoreCtxError_ex(ctx, ret, depth); } static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) @@ -269,7 +272,8 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) SetupStoreCtxError(ctx, ret); #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) if (ctx->store->verify_cb) - ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? 0 : ret; + ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, ctx) == 1 ? + WOLFSSL_SUCCESS : ret; #endif #ifndef NO_ASN_TIME @@ -294,7 +298,7 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx) #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) if (ctx->store->verify_cb) ret = ctx->store->verify_cb(ret >= 0 ? 1 : 0, - ctx) == 1 ? 0 : -1; + ctx) == 1 ? WOLFSSL_SUCCESS : -1; #endif } #endif 
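Review bot: SetupStoreCtxError_ex has no header comment, and its contract matters because a later hunk passes it an already-mapped X509_V_ERR_INVALID_CA value while the helper always runs its argument through GetX509Error(); the comment should say which kind of code `ret` is expected to be. Something like `/* Record ret (a wolfSSL error code, mapped through GetX509Error()) as the store ctx error, reported at the given chain depth. */` above the definition would do. The `depth` parameter is an int and the existing caller casts `(int)ctx->chain->num` before passing it; noting that callers are responsible for that cast keeps the new callers consistent.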
@@ -397,21 +401,37 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) /* We found our issuer in the non-trusted cert list, add it * to the CM and verify the current cert against it */ + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + /* OpenSSL doesn't allow the cert as CA if it is not CA:TRUE for + * intermediate certs. + */ + if (!issuer->isCa) { + /* error depth is curren depth + 1 */ + SetupStoreCtxError_ex(ctx, X509_V_ERR_INVALID_CA, + (ctx->chain) ? (ctx->chain->num + 1) : 1); + if (ctx->store->verify_cb) { + ret = ctx->store->verify_cb(0, ctx); + if (ret != WOLFSSL_SUCCESS) { + goto exit; + } + } + } else { + #endif ret = X509StoreAddCa(ctx->store, issuer, WOLFSSL_TEMP_CA); if (ret != WOLFSSL_SUCCESS) { goto exit; } - added = 1; - ret = X509StoreVerifyCert(ctx); if (ret != WOLFSSL_SUCCESS) { goto exit; } - /* Add it to the current chain and look at the issuer cert next */ wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert); + #if defined(OPENSSL_ALL) || defined(WOLFSSL_QT) + } + #endif ctx->current_cert = issuer; } else if (ret == WC_NO_ERR_TRACE(WOLFSSL_FAILURE)) { @@ -430,6 +450,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx) /* Cert verified, finish building the chain */ wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert); + issuer = NULL; #ifdef WOLFSSL_SIGNER_DER_CERT x509GetIssuerFromCM(&issuer, ctx->store->cm, ctx->current_cert); @@ -1342,11 +1363,9 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509) } WOLFSSL_LEAVE("wolfSSL_X509_STORE_add_cert", result); -#if !defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) if (result != WOLFSSL_SUCCESS) { result = WOLFSSL_FATAL_ERROR; } -#endif return result; } diff --git a/tests/api.c b/tests/api.c index af30dbeee7..663fdf6fe7 100644 --- a/tests/api.c +++ b/tests/api.c 
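Review bot: In the new `!issuer->isCa` branch, when verify_cb accepts the error (or when no verify_cb is set at all, since `ret` is then left untouched), execution falls through to `ctx->current_cert = issuer;` without X509StoreAddCa/X509StoreVerifyCert and without pushing ctx->current_cert onto ctx->chain, so the current cert's signature against that issuer is never checked and the built chain is missing a link; the override path should still run the add-and-verify sequence and only skip the CA-flag failure, unless `exit` (outside this hunk) re-checks the stored ctx error. SetupStoreCtxError_ex runs its argument through GetX509Error(), so passing X509_V_ERR_INVALID_CA relies on that function's default case returning `e` unchanged, which is not visible in this diff and should be confirmed. The depth expression should cast like the existing SetupStoreCtxError does, `(ctx->chain) ? (int)ctx->chain->num + 1 : 1`, and the comment has a typo: `/* error depth is current depth + 1 */`. wolfSSL_X509_verify_cert starts and ends outside the hunk.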
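Review bot: Removing the `#if` around the WOLFSSL_FATAL_ERROR mapping in wolfSSL_X509_STORE_add_cert changes the return contract for every build: callers in non-strict configurations previously received the underlying code (e.g. a date error) and now always get WOLFSSL_FATAL_ERROR, so the function's documentation should state `Returns WOLFSSL_SUCCESS, or WOLFSSL_FATAL_ERROR on any failure`. The WOLFSSL_LEAVE call still logs the original `result` before it is overwritten, which is worth a short comment such as `/* Log the underlying code before collapsing it to the public return value. */` since the ordering is not accidental. The function's opening lines are outside the hunk.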
@@ -2565,17 +2565,10 @@ static int test_wolfSSL_CTX_load_verify_locations(void) WC_NO_ERR_TRACE(WOLFSSL_FAILURE)); /* Test loading expired CA certificates */ - #if defined(NO_RSA) || defined(WOLFSSL_X509_STRICT) - ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, - load_expired_path, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), - WOLFSSL_SUCCESS); - #else ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL, load_expired_path, WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY), WOLFSSL_SUCCESS); - #endif /* Test loading CA certificates and ignoring all errors */ #ifdef NO_RSA @@ -2998,11 +2991,7 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void) !defined(NO_ASN_TIME) ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); #else - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - ExpectIntEQ(ret, NOT_CA_ERROR); - #else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - #endif + ExpectIntEQ(ret, WOLFSSL_SUCCESS); #endif #endif return EXPECT_RESULT(); @@ -3035,17 +3024,9 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void) #elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ !defined(NO_ASN_TIME) && defined(WOLFSSL_TRUST_PEER_CERT) && \ defined(OPENSSL_COMPATIBLE_DEFAULTS) - #if defined(WOLFSSL_X509_STRICT) - ExpectIntEQ(ret, WC_NO_ERR_TRACE(NOT_CA_ERROR)); - #else - ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); - #endif + ExpectIntEQ(ret, WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)); #else - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - ExpectIntEQ(ret, NOT_CA_ERROR); - #else - ExpectIntEQ(ret, WOLFSSL_SUCCESS); - #endif + ExpectIntEQ(ret, WOLFSSL_SUCCESS); #endif #endif 
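Review bot: The removed guard in test_wolfSSL_CTX_load_verify_locations was `defined(NO_RSA) || defined(WOLFSSL_X509_STRICT)`, and the rewrite drops the NO_RSA half along with the strict one, so NO_RSA builds now unconditionally expect WOLFSSL_SUCCESS when loading load_expired_path; the `#ifdef NO_RSA` that still follows suggests that file is RSA-based, in which case this assertion will fail there. Keeping the NO_RSA branch restores the previous expectation without reintroducing the strict one.
```c
    /* Test loading expired CA certificates */
    #if defined(NO_RSA)
    ExpectIntNE(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL,
        load_expired_path,
        WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY),
        WOLFSSL_SUCCESS);
    #else
    ExpectIntEQ(wolfSSL_CTX_load_verify_locations_ex(ctx, NULL,
        load_expired_path,
        WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY | WOLFSSL_LOAD_FLAG_PEM_CA_ONLY),
        WOLFSSL_SUCCESS);
    #endif
    /* … unchanged: remaining load_verify_locations checks … */
```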
@@ -4905,27 +4886,14 @@ static int test_wolfSSL_CTX_load_verify_buffer_ex(void) sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); #else - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_NONE), NOT_CA_ERROR); - #else - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, + ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, WOLFSSL_LOAD_FLAG_NONE), WOLFSSL_SUCCESS); - #endif #endif /* test expired CA success */ - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, - sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, - WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), NOT_CA_ERROR); - #else - ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, + ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(ctx, ca_expired_cert, sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY), WOLFSSL_SUCCESS); - #endif - /* Fail when ctx is NULL. */ ExpectIntEQ(wolfSSL_CTX_load_verify_buffer_ex(NULL, ca_expired_cert, sizeof_ca_expired_cert, WOLFSSL_FILETYPE_ASN1, 0, @@ -60365,7 +60333,7 @@ static int test_X509_STORE_untrusted_load_cert_to_stack(const char* filename, return EXPECT_RESULT(); } -#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) +#if defined(OPENSSL_ALL) static int last_errcode; static int last_errdepth; @@ -60421,11 +60389,7 @@ static int test_X509_STORE_InvalidCa(void) ExpectIntEQ(X509_STORE_CTX_init(ctx, str, cert, untrusted), 1); ExpectIntEQ(X509_verify_cert(ctx), 1); -#if defined(WOLFSSL_QT) ExpectIntEQ(last_errcode, X509_V_ERR_INVALID_CA); -#else - ExpectIntEQ(last_errcode, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY); -#endif X509_free(cert); X509_STORE_free(str); 
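Review bot: test_X509_STORE_InvalidCa now only asserts `last_errcode == X509_V_ERR_INVALID_CA` although `last_errdepth` is still captured; since the new verify path computes that depth as `chain->num + 1`, adding `ExpectIntEQ(last_errdepth, 1);` (or whatever the fixture's expected depth is) would pin the depth calculation that this commit introduces. It would also be worth asserting the resulting chain length after X509_verify_cert returns 1, because the override path in wolfSSL_X509_verify_cert does not push the current cert onto ctx->chain, and a test expectation would make that outcome explicit. The function's setup lines are outside the hunk.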
@@ -60515,13 +60479,8 @@ static int test_X509_STORE_untrusted(void) /* Only immediate issuer in untrusted chain. Fails since can't build chain * to loaded CA. */ -#if defined(WOLFSSL_QT) - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0, - X509_V_ERR_INVALID_CA, 1), TEST_SUCCESS); -#else ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted1, 0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 1), TEST_SUCCESS); -#endif /* Succeeds because path to loaded CA is available. */ ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted2, 1, 0, 1), TEST_SUCCESS); @@ -60531,10 +60490,6 @@ static int test_X509_STORE_untrusted(void) TEST_SUCCESS); /* Still needs properly loaded CA, while including it in untrusted * list is not an error, it also doesnt count for verify */ -#if defined(WOLFSSL_QT) - ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0, - X509_V_ERR_INVALID_CA, 0), TEST_SUCCESS); -#else ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 0, X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, 0), TEST_SUCCESS); /* Succeeds because path to loaded CA is available. */ @@ -72696,22 +72651,12 @@ static int test_wolfSSL_X509_CA_num(void) int ca_num = 0; ExpectNotNull(store = wolfSSL_X509_STORE_new()); -#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(caCertFile, - WOLFSSL_FILETYPE_PEM)); -#else ExpectNotNull(x509_1 = wolfSSL_X509_load_certificate_file(svrCertFile, WOLFSSL_FILETYPE_PEM)); -#endif ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_1), 1); ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 1); -#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(caEccCertFile, - WOLFSSL_FILETYPE_PEM)); -#else ExpectNotNull(x509_2 = wolfSSL_X509_load_certificate_file(eccCertFile, WOLFSSL_FILETYPE_PEM)); -#endif ExpectIntEQ(wolfSSL_X509_STORE_add_cert(store, x509_2), 1); ExpectIntEQ(ca_num = wolfSSL_X509_CA_num(store), 2); 
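Review bot: test_wolfSSL_X509_CA_num now loads svrCertFile and eccCertFile, which are end-entity certificates, into an X509_STORE via wolfSSL_X509_STORE_add_cert and expects them to count as CAs in all builds; a comment above the first ExpectNotNull such as `/* Leaf certs are accepted into the store: CA:TRUE is not enforced on trust anchors. */` would record that this is the intended behaviour rather than an oversight. The function's remaining body is outside the hunk.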
@@ -76286,7 +76231,7 @@ static int test_wolfSSL_OCSP_parse_url(void) #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \ defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \ - !defined(NO_ASN_TIME) && !defined(WOLFSSL_X509_STRICT) + !defined(NO_ASN_TIME) static time_t test_wolfSSL_OCSP_REQ_CTX_time_cb(time_t* t) { if (t != NULL) { @@ -76301,8 +76246,7 @@ static int test_wolfSSL_OCSP_REQ_CTX(void) { EXPECT_DECLS; #if defined(OPENSSL_ALL) && defined(HAVE_OCSP) && \ - defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) && \ - !defined(WOLFSSL_X509_STRICT) + defined(WOLFSSL_SIGNER_DER_CERT) && !defined(NO_FILESYSTEM) /* This buffer was taken from the ocsp-stapling.test test case 1. The ocsp * response was captured in wireshark. It contains both the http and binary * parts. The time test_wolfSSL_OCSP_REQ_CTX_time_cb is set exactly so that @@ -98117,7 +98061,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_X509_STORE_CTX), TEST_DECL(test_wolfSSL_X509_STORE_CTX_ex), TEST_DECL(test_X509_STORE_untrusted), -#if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) +#if defined(OPENSSL_ALL) TEST_DECL(test_X509_STORE_InvalidCa), #endif TEST_DECL(test_wolfSSL_X509_STORE_CTX_trusted_stack_cleanup), diff --git a/tests/suites.c b/tests/suites.c index 20a1dfaed0..7328789f46 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -263,11 +263,7 @@ static int IsValidCA(const char* line) { int ret = 1; #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - X509_STORE* str = NULL; - #else WOLFSSL_CTX* ctx; - #endif size_t i; const char* begin; char cert[80]; 
@@ -281,23 +277,11 @@ static int IsValidCA(const char* line) cert[i] = *(begin++); cert[i] = '\0'; - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - str = X509_STORE_new(); - if (str == NULL) - return 0; - #else ctx = wolfSSL_CTX_new(wolfSSLv23_server_method_ex(NULL)); if (ctx == NULL) return 0; - #endif - #if defined(OPENSSL_ALL) && defined(WOLFSSL_X509_STRICT) - /* skip if CA: at basic constraints sets to FALSE */ - ret = wolfSSL_X509_STORE_load_locations(str, cert, NULL) == WOLFSSL_SUCCESS; - X509_STORE_free(str); - #else ret = wolfSSL_CTX_use_certificate_chain_file(ctx, cert) == WOLFSSL_SUCCESS; wolfSSL_CTX_free(ctx); - #endif #endif /* !NO_FILESYSTEM && !NO_CERTS */ (void)line;
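Review bot: With the X509_STORE branch and its "skip if CA: at basic constraints sets to FALSE" comment removed, IsValidCA only checks that `cert` loads via wolfSSL_CTX_use_certificate_chain_file, so the name now overstates what is verified; a comment at the top of the function, `/* Checks only that the named file loads as a certificate chain; CA:TRUE is not examined. */`, would keep the remaining callers from relying on a CA-flag check that no longer exists. The function's opening lines are outside the hunk.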