From 770590a3be6125e4a0a4f521c64fac2b7757f141 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 7 Jul 2023 11:45:43 -0700 Subject: [PATCH] Rebase fix to add back set_verify call in CertManagerLoadCA. Fix API tests for bad date check. Various spelling fixes. --- src/ssl_certman.c | 32 ++++++++++++++++++++------------ tests/api.c | 13 ++++++++----- 2 files changed, 28 insertions(+), 17 deletions(-) diff --git a/src/ssl_certman.c b/src/ssl_certman.c index 03322cc782..ac3a26ff24 100644 --- a/src/ssl_certman.c +++ b/src/ssl_certman.c @@ -518,6 +518,10 @@ int wolfSSL_CertManagerLoadCABuffer_ex(WOLFSSL_CERT_MANAGER* cm, ret = WOLFSSL_FATAL_ERROR; } if (ret == WOLFSSL_SUCCESS) { + /* Some configurations like OPENSSL_COMPATIBLE_DEFAULTS may turn off + * verification by default. Let's restore our desired defaults. */ + wolfSSL_CTX_set_verify(tmp, WOLFSSL_VERIFY_DEFAULT, NULL); + /* Replace certificate manager with one to load certificate/s into. */ wolfSSL_CertManagerFree(tmp->cm); tmp->cm = cm; @@ -663,7 +667,7 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff, buffer certBuf; #ifdef WOLFSSL_SMALL_STACK - /* Allocate memory for object to hold arguements for callback. */ + /* Allocate memory for object to hold arguments for callback. */ args = (ProcPeerCertArgs*)XMALLOC(sizeof(ProcPeerCertArgs), cm->heap, DYNAMIC_TYPE_TMP_BUFFER); if (args == NULL) { @@ -721,7 +725,7 @@ int CM_VerifyBuffer_ex(WOLFSSL_CERT_MANAGER* cm, const unsigned char* buff, * WOLFSSL_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM. * @param [in] prev_err Previous error. Passed to callback. * @return WOLFSSL_SUCCESS on success. - * @return BAD_FUNC_ARG when cm or buff is NULL ot sz is negativei or zero. + * @return BAD_FUNC_ARG when cm or buff is NULL ot sz is negative or zero. * @return WOLFSSL_BAD_FILETYPE when format is invalid. * @return MEMORY_E when dynamic memory allocation fails. * @return NOT_COMPILED_IN when converting from PEM to DER is not a feature of 
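Review bot: The verify reset added in wolfSSL_CertManagerLoadCABuffer_ex is repeated verbatim in wolfSSL_CertManagerLoadCA (hunk at -867), and the commit subject says one copy was already lost in a rebase, so the two copies can drift apart again. Judging by the comment and the test changes, this call is what keeps certificate verification, including the validity-date check the tests now expect, active while CAs are loaded under OPENSSL_COMPATIBLE_DEFAULTS. I would create the temporary context in one static helper that both loaders call. The creation of tmp in wolfSSL_CertManagerLoadCABuffer_ex lies outside this hunk, so the sketch assumes it matches the wolfSSL_CTX_new(cm_pick_method()) call visible in wolfSSL_CertManagerLoadCA; the helper name is only a proposal.

```c
/* Create the temporary WOLFSSL_CTX used to load CAs into a certificate
 * manager. Verification is forced back to WOLFSSL_VERIFY_DEFAULT because
 * configurations like OPENSSL_COMPATIBLE_DEFAULTS may turn it off. */
static WOLFSSL_CTX* cm_new_tmp_ctx(void) /* proposed name */
{
    WOLFSSL_CTX* tmp = wolfSSL_CTX_new(cm_pick_method());

    if (tmp != NULL) {
        wolfSSL_CTX_set_verify(tmp, WOLFSSL_VERIFY_DEFAULT, NULL);
    }
    return tmp;
}

/* ... unchanged: both loaders keep their NULL check on tmp and the
 * tmp->cm swap, and drop their own wolfSSL_CTX_set_verify() call ... */
```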
@@ -848,7 +852,7 @@ int wolfSSL_CertManagerVerify(WOLFSSL_CERT_MANAGER* cm, const char* fname, * @param [in] file Name of CA file. * @param [in] path Path to a directory containing certificates. * @return WOLFSSL_SUCCESS on success. - * @return WOLFSSL_FATAL_ERROR when cm is NULL or unalbe to create WOLFSSL_CTX. + * @return WOLFSSL_FATAL_ERROR when cm is NULL or unable to create WOLFSSL_CTX. * @return Otherwise failure. */ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, @@ -867,16 +871,20 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, } /* Create temporary WOLFSSL_CTX. */ if ((ret == WOLFSSL_SUCCESS) && ((tmp = wolfSSL_CTX_new(cm_pick_method())) - == NULL)) { + == NULL)) { WOLFSSL_MSG("CTX new failed"); ret = WOLFSSL_FATAL_ERROR; } - if (ret == WOLFSSL_SUCCESS) { + /* Some configurations like OPENSSL_COMPATIBLE_DEFAULTS may turn off + * verification by default. Let's restore our desired defaults. */ + wolfSSL_CTX_set_verify(tmp, WOLFSSL_VERIFY_DEFAULT, NULL); + /* Replace certificate manager with one to load certificate/s into. */ wolfSSL_CertManagerFree(tmp->cm); tmp->cm = cm; + /* Load certificate from file and path. */ ret = wolfSSL_CTX_load_verify_locations(tmp, file, path); /* Clear certificate manager in WOLFSSL_CTX so it won't be freed. */ @@ -897,11 +905,11 @@ int wolfSSL_CertManagerLoadCA(WOLFSSL_CERT_MANAGER* cm, const char* file, /* CA certificates cache information. */ typedef struct { - /* Cache certficate layout version id. */ + /* Cache certificate layout version id. */ int version; /* Number of hash table rows. Maximum of CA_TABLE_SIZE. */ int rows; - /* Number of colums per row. */ + /* Number of columns per row. */ int columns[CA_TABLE_SIZE]; /* Size of Signer object. */ int signerSz; @@ -987,7 +995,7 @@ static WC_INLINE int cm_get_cert_cache_mem_size(WOLFSSL_CERT_MANAGER* cm) } -/* Get count of colums for each row. +/* Get count of columns for each row. * * Assumes we have locked CA table. * 
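Review bot: The file-based path fixed in the hunk at -867, wolfSSL_CertManagerLoadCA, has no matching test change in this patch: the tests/api.c hunks only touch test_wolfSSL_CertManagerLoadCABuffer and test_wolfSSL_CertManagerLoadCABuffer_ex. The commit subject names this function as the one that lost the call, so a regression test that loads an expired CA file through wolfSSL_CertManagerLoadCA and expects `ASN_AFTER_DATE_E` under the same `#elif` condition would pin the behaviour. Such a test may already exist outside the visible hunks. Separately, the new comment could state the effect instead of "restore our desired defaults", e.g. `/* OPENSSL_COMPATIBLE_DEFAULTS may disable verification on a new CTX; re-enable it so invalid CAs are rejected on load. */`.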
@@ -1827,7 +1835,7 @@ int wolfSSL_CertManagerSetCRL_IOCb(WOLFSSL_CERT_MANAGER* cm, CbCrlIO cb) * WOLFSSL_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM. * @param [in] monitor Whether to monitor path for changes to files. * @return WOLFSSL_SUCCESS on success. - * @return BAD_FNUC_ARG when cm or path is NULL. + * @return BAD_FUNC_ARG when cm or path is NULL. * @return WOLFSSL_FATAL_ERROR when enabling CRLs fails. */ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, @@ -1851,7 +1859,7 @@ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, } if (ret == WOLFSSL_SUCCESS) { - /* Load CRLs from path into CRL object of ceritifcate manager. */ + /* Load CRLs from path into CRL object of certificate manager. */ ret = LoadCRL(cm->crl, path, type, monitor); } @@ -1865,7 +1873,7 @@ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, * @param [in] type Format of encoding. Valid values: * WOLFSSL_FILETYPE_ASN1, WOLFSSL_FILETYPE_PEM. * @return WOLFSSL_SUCCESS on success. - * @return BAD_FNUC_ARG when cm or file is NULL. + * @return BAD_FUNC_ARG when cm or file is NULL. * @return WOLFSSL_FATAL_ERROR when enabling CRLs fails. */ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file, @@ -1889,7 +1897,7 @@ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file, } if (ret == WOLFSSL_SUCCESS) { - /* Load CRL file into CRL object of ceritifcate manager. */ + /* Load CRL file into CRL object of certificate manager. */ ret = ProcessFile(NULL, file, type, CRL_TYPE, NULL, 0, cm->crl, VERIFY); } diff --git a/tests/api.c b/tests/api.c index 3f2b78900f..527cfc3c58 100644 --- a/tests/api.c +++ b/tests/api.c 
@@ -1505,7 +1505,7 @@ static int test_wolfSSL_CTX_load_verify_locations(void) ExpectIntEQ(wolfSSL_CTX_memrestore_cert_cache(ctx, cache, cacheSz), CACHE_MATCH_ERROR); p[0] = t; p++; - /* colums[0] */ + /* columns[0] */ t = p[0]; p[0] = -1; ExpectIntEQ(wolfSSL_CTX_memrestore_cert_cache(ctx, cache, cacheSz), PARSE_ERROR); @@ -2003,7 +2003,7 @@ static int test_wolfSSL_CertManagerLoadCABuffer(void) #elif defined(NO_RSA) ExpectIntEQ(ret, ASN_UNKNOWN_OID_E); #elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ - !defined(OPENSSL_COMPATIBLE_DEFAULTS) && !defined(NO_ASN_TIME) + !defined(NO_ASN_TIME) ExpectIntEQ(ret, ASN_AFTER_DATE_E); #else ExpectIntEQ(ret, WOLFSSL_SUCCESS); @@ -2036,6 +2036,9 @@ static int test_wolfSSL_CertManagerLoadCABuffer_ex(void) ExpectIntEQ(ret, WOLFSSL_FATAL_ERROR); #elif defined(NO_RSA) ExpectIntEQ(ret, ASN_UNKNOWN_OID_E); +#elif !(WOLFSSL_LOAD_VERIFY_DEFAULT_FLAGS & WOLFSSL_LOAD_FLAG_DATE_ERR_OKAY) && \ + !defined(NO_ASN_TIME) + ExpectIntEQ(ret, ASN_AFTER_DATE_E); #else ExpectIntEQ(ret, WOLFSSL_SUCCESS); #endif @@ -58273,7 +58276,7 @@ static int verify_cert_with_cm(WOLFSSL_CERT_MANAGER* cm, char* certA) #define VERIFY_ONE_CERT(a, b, c, d) \ do { \ - (a) = verify_cert_with_cm(c, d); \ + (a) = verify_cert_with_cm(c, d);\ if ((a) != 0) \ return (b); \ else \ @@ -58312,8 +58315,8 @@ static int test_chainG(WOLFSSL_CERT_MANAGER* cm) VERIFY_ONE_CERT(ret, i, cm, chainGArr[7]); /* if failure, i = -15 here */ VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -16 here */ -/* test validating the entity twice, should have no effect on pathLen since - * entity/leaf cert */ + /* test validating the entity twice, should have no effect on pathLen since + * entity/leaf cert */ VERIFY_ONE_CERT(ret, i, cm, chainGArr[8]); /* if failure, i = -17 here */ return ret;
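Review bot: The `#elif` branch that expects `ASN_AFTER_DATE_E` in test_wolfSSL_CertManagerLoadCABuffer (hunk at -2003) has no comment saying why the OPENSSL_COMPATIBLE_DEFAULTS exclusion was dropped, and the same condition is added again in test_wolfSSL_CertManagerLoadCABuffer_ex (hunk at -2036). A short comment above each expectation would discourage re-adding the carve-out when the test fails on some configuration, for example `/* Date errors must be reported even with OPENSSL_COMPATIBLE_DEFAULTS: the cert manager resets verify to WOLFSSL_VERIFY_DEFAULT. */`. Both test bodies start outside the hunks, so the certificate buffer being loaded is not visible here; presumably it is an expired CA.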