diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test index 2f48b11e6d..da245d485f 100755 --- a/scripts/crl-revoked.test +++ b/scripts/crl-revoked.test @@ -22,6 +22,7 @@ cp -rp . $RUNNING_DIR/. cd $RUNNING_DIR revocation_code="-361" +revocation_code_openssl="23" exit_code=1 counter=0 # need a unique resume port since may run the same time as testsuite @@ -112,7 +113,7 @@ run_test() { server_result=$? case "$capture_out" in - *$revocation_code*) + *"$revocation_code"*|*"$revocation_code_openssl"*) # only exit with zero on detection of the expected error code echo "" echo "Successful Revocation!!!!" @@ -178,7 +179,7 @@ run_hashdir_test() { server_result=$? case "$capture_out" in - *$revocation_code*) + *"$revocation_code"*|*"$revocation_code_openssl"*) # only exit with zero on detection of the expected error code echo "" echo "Successful Revocation!!!! with hash dir" diff --git a/src/internal.c b/src/internal.c index 9d8a23a3b2..7792d68de5 100644 --- a/src/internal.c +++ b/src/internal.c @@ -185,8 +185,13 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS #endif /* !WOLFSSL_NO_TLS12 */ -#ifndef NO_WOLFSSL_SERVER - #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) +#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET) + #if defined(WOLFSSL_HAPROXY) + #define SSL_TICKET_CTX(ssl) ssl->initial_ctx->ticketEncCtx + #else + #define SSL_TICKET_CTX(ssl) ssl->ctx->ticketEncCtx + #endif + #if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB) static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx, TicketEncCbCtx* keyCtx); static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx); @@ -6213,6 +6218,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) if (!newSSL) { WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx."); wolfSSL_CTX_free(ssl->ctx); +#if defined(WOLFSSL_HAPROXY) + wolfSSL_CTX_free(ssl->initial_ctx); +#endif } /* increment CTX reference count */ @@ -6229,6 +6237,20 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup) ssl->ctx = ctx; /* only for passing to calls, options could change */ /* Don't change version on a SSL object that has already started a * handshake */ +#if defined(WOLFSSL_HAPROXY) + ret = wolfSSL_CTX_up_ref(ctx); + if (ret == WOLFSSL_SUCCESS) { + ssl->initial_ctx = ctx; /* Save access to session key materials */ + } + else { + #ifdef WOLFSSL_REFCNT_ERROR_RETURN + return ret; + #else + (void)ret; + #endif + } + +#endif if (!ssl->msgsReceived.got_client_hello && !ssl->msgsReceived.got_server_hello) ssl->version = ctx->method->version; @@ -23135,6 +23157,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) #ifdef OPENSSL_EXTRA case 0 : return "ok"; + case -WOLFSSL_X509_V_ERR_CERT_REVOKED : + return "certificate revoked"; #endif case UNSUPPORTED_SUITE : @@ -34650,7 +34674,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (error == 0) { ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac, 1, et->enc_ticket, sizeof(InternalTicket), &encLen, - ssl->ctx->ticketEncCtx); + SSL_TICKET_CTX(ssl)); } else { ret = WOLFSSL_TICKET_RET_FATAL; @@ -34775,7 +34799,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx, ret = ssl->ctx->ticketEncCb((WOLFSSL*)ssl, et->key_name, et->iv, et->enc_ticket + inLen, 0, et->enc_ticket, inLen, &outLen, - ssl->ctx->ticketEncCtx); + SSL_TICKET_CTX(ssl)); } if (ret != WOLFSSL_TICKET_RET_OK) { #ifdef WOLFSSL_ASYNC_CRYPT diff --git a/src/ssl.c b/src/ssl.c index b933f7394b..bf2bd820f8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4509,7 +4509,11 @@ int wolfSSL_get_error(WOLFSSL* ssl, int ret) return WOLFSSL_ERROR_WANT_WRITE; /* convert to OpenSSL type */ else if (ssl->error == ZERO_RETURN || ssl->options.shutdownDone) return WOLFSSL_ERROR_ZERO_RETURN; /* convert to OpenSSL type */ - return ssl->error; +#if defined(WOLFSSL_HAPROXY) + return GetX509Error(ssl->error); +#else + return (ssl->error); +#endif } @@ -8152,7 +8156,8 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm, return BAD_FUNC_ARG; if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { + if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) != + WOLFSSL_SUCCESS) { WOLFSSL_MSG("Enable CRL failed"); return WOLFSSL_FATAL_ERROR; } @@ -8204,11 +8209,21 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options) { int ret = WOLFSSL_SUCCESS; - (void)options; - WOLFSSL_ENTER("wolfSSL_CertManagerEnableCRL"); if (cm == NULL) return BAD_FUNC_ARG; +#if defined(OPENSSL_COMPATIBLE_DEFAULTS) + if (options == 0) { + + /* Turn off doing Leaf CRL check */ + cm->crlEnabled = 0; + /* Turn off all checks */ + cm->crlCheckAll = 0; + return ret; + } +#else + (void)options; +#endif #ifdef HAVE_CRL if (cm->crl == NULL) { @@ -8228,10 +8243,15 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options) cm->crl->crlIOCb = EmbedCrlLookup; #endif } - - cm->crlEnabled = 1; - if (options & WOLFSSL_CRL_CHECKALL) - cm->crlCheckAll = 1; +#if defined(OPENSSL_COMPATIBLE_DEFAULTS) + if ((options & WOLFSSL_CRL_CHECKALL) || + (options & WOLFSSL_CRL_CHECK)) +#endif + { + cm->crlEnabled = 1; + if (options & WOLFSSL_CRL_CHECKALL) + cm->crlCheckAll = 1; + } #else ret = NOT_COMPILED_IN; #endif @@ -9431,7 +9451,8 @@ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path, return BAD_FUNC_ARG; if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { + if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) + != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Enable CRL failed"); return WOLFSSL_FATAL_ERROR; } @@ -9448,7 +9469,8 @@ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file, return BAD_FUNC_ARG; if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { + if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) + != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Enable CRL failed"); return WOLFSSL_FATAL_ERROR; } @@ -14494,12 +14516,17 @@ void SetupSession(WOLFSSL* ssl) WOLFSSL_ENTER("SetupSession"); - if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL && - !session->haveAltSessionID) { + if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) { /* Make sure the session ID is available when the user calls any * get_session API */ - XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN); - session->sessionIDSz = ssl->arrays->sessionIDSz; + if (!session->haveAltSessionID) { + XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN); + session->sessionIDSz = ssl->arrays->sessionIDSz; + } + else { + XMEMCPY(session->sessionID, session->altSessionID, ID_LEN); + session->sessionIDSz = ID_LEN; + } } session->side = (byte)ssl->options.side; if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) @@ -14904,7 +14931,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output) if (SslSessionCacheOff(ssl, ssl->session)) return WOLFSSL_FAILURE; - if (ssl->options.haveSessionId == 0) + if (ssl->options.haveSessionId == 0 && !ssl->session->haveAltSessionID) return WOLFSSL_FAILURE; #ifdef HAVE_SESSION_TICKET @@ -14913,7 +14940,8 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output) #endif XMEMSET(bogusID, 0, sizeof(bogusID)); - if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) + if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL + && !ssl->session->haveAltSessionID) id = ssl->arrays->sessionID; else if (ssl->session->haveAltSessionID) { id = ssl->session->altSessionID; @@ -23116,8 +23144,9 @@ int wolfSSL_ERR_GET_REASON(unsigned long err) #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) /* Nginx looks for this error to know to stop parsing certificates. * Same for HAProxy. */ - if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE) - || (err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER) + if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE) || + ((err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER) || + ((err & 0xFFFL) == PEM_R_NO_START_LINE )) return PEM_R_NO_START_LINE; if (err == ((ERR_LIB_SSL << 24) | -SSL_R_HTTP_REQUEST)) return SSL_R_HTTP_REQUEST; @@ -31248,6 +31277,9 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) #endif if (ssl->ctx) { wolfSSL_CTX_free(ssl->ctx); +#if defined(WOLFSSL_HAPROXY) + wolfSSL_CTX_free(ssl->initial_ctx); +#endif } ssl->ctx = ctx; @@ -31450,6 +31482,12 @@ const byte* wolfSSL_SESSION_get_id(const WOLFSSL_SESSION* sess, WOLFSSL_MSG("Bad func args. Please provide idLen"); return NULL; } +#ifdef HAVE_SESSION_TICKET + if (sess->haveAltSessionID) { + *idLen = ID_LEN; + return sess->altSessionID; + } +#endif *idLen = sess->sessionIDSz; return sess->sessionID; } diff --git a/src/x509.c b/src/x509.c index 860eea185c..c8fea53a3f 100644 --- a/src/x509.c +++ b/src/x509.c @@ -7028,7 +7028,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup, WOLFSSL_CERT_MANAGER* cm = lookup->store->cm; if (cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) { + if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) + != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Enable CRL failed"); goto end; } @@ -12440,7 +12441,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( for (i = 0; i < num; i++) { name = wolfSSL_X509_NAME_dup(wolfSSL_sk_X509_NAME_value(sk, i)); - if (name == NULL || 0 != wolfSSL_sk_X509_NAME_push(copy, name)) { + if (name == NULL || WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) { WOLFSSL_MSG("Memory error"); wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free); return NULL; diff --git a/src/x509_str.c b/src/x509_str.c index 4ba0ce692d..0071d06acc 100644 --- a/src/x509_str.c +++ b/src/x509_str.c @@ -170,7 +170,7 @@ int GetX509Error(int e) case ASN_BEFORE_DATE_E: return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; case ASN_AFTER_DATE_E: - return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD; + return WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED; case ASN_NO_SIGNER_E: /* get issuer error if no CA found locally */ return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; case ASN_SELF_SIGNED_E: @@ -183,6 +183,8 @@ int GetX509Error(int e) case ASN_SIG_HASH_E: case ASN_SIG_KEY_E: return WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE; + case CRL_CERT_REVOKED: + return WOLFSSL_X509_V_ERR_CERT_REVOKED; default: #ifdef HAVE_WOLFSSL_MSG_EX WOLFSSL_MSG_EX("Error not configured or implemented yet: %d", e); @@ -980,7 +982,11 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag) if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) { ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag); } - +#if defined(OPENSSL_COMPATIBLE_DEFAULTS) + else if (flag == 0) { + ret = wolfSSL_CertManagerDisableCRL(store->cm); + } +#endif return ret; } @@ -1023,7 +1029,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str, #ifdef HAVE_CRL if (str->cm->crl == NULL) { - if (wolfSSL_CertManagerEnableCRL(str->cm, 0) != WOLFSSL_SUCCESS) { + if (wolfSSL_CertManagerEnableCRL(str->cm, WOLFSSL_CRL_CHECK) + != WOLFSSL_SUCCESS) { WOLFSSL_MSG("Enable CRL failed"); wolfSSL_CTX_free(ctx); return WOLFSSL_FAILURE; diff --git a/tests/api.c b/tests/api.c index 2642f276c8..06f7f625a6 100644 --- a/tests/api.c +++ b/tests/api.c @@ -7820,7 +7820,9 @@ static hashTable server_sessionCache; static int twcase_new_sessionCb(WOLFSSL *ssl, WOLFSSL_SESSION *sess) { int i; + unsigned int len; (void)ssl; + /* * This example uses a hash table. * Steps you should take for a non-demo code: @@ -7842,11 +7844,7 @@ static int twcase_new_sessionCb(WOLFSSL *ssl, WOLFSSL_SESSION *sess) } for (i = 0; i < SESSION_CACHE_SIZE; i++) { if (server_sessionCache.entries[i].value == NULL) { - if (sess->haveAltSessionID == 1) - server_sessionCache.entries[i].key = sess->altSessionID; - else - server_sessionCache.entries[i].key = sess->sessionID; - + server_sessionCache.entries[i].key = SSL_SESSION_get_id(sess, &len); server_sessionCache.entries[i].value = sess; server_sessionCache.length++; break; @@ -33083,7 +33081,8 @@ static int test_wolfSSL_X509_STORE(void) SSL_FILETYPE_PEM))); ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS); ExpectIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS); - ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx), CRL_CERT_REVOKED); + ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx), + WOLFSSL_X509_V_ERR_CERT_REVOKED); X509_CRL_free(crl); crl = NULL; X509_STORE_free(store); @@ -50278,7 +50277,43 @@ static int test_wolfSSL_X509_STORE_get1_certs(void) #endif /* OPENSSL_EXTRA && WOLFSSL_SIGNER_DER_CERT && !NO_FILESYSTEM */ return EXPECT_RESULT(); } +static int test_wolfSSL_dup_CA_list(void) +{ + int res = TEST_SKIPPED; +#if defined(OPENSSL_ALL) + EXPECT_DECLS; + STACK_OF(X509_NAME) *originalStack = NULL; + STACK_OF(X509_NAME) *copyStack = NULL; + int originalCount = 0; + int copyCount = 0; + X509_NAME *name = NULL; + int i; + originalStack = sk_X509_NAME_new_null(); + ExpectNotNull(originalStack); + + for (i = 0; i < 3; i++) { + name = X509_NAME_new(); + ExpectNotNull(name); + AssertIntEQ(sk_X509_NAME_push(originalStack, name), WOLFSSL_SUCCESS); + } + + copyStack = SSL_dup_CA_list(originalStack); + ExpectNotNull(copyStack); + originalCount = sk_X509_NAME_num(originalStack); + copyCount = sk_X509_NAME_num(copyStack); + + AssertIntEQ(originalCount, copyCount); + sk_X509_NAME_pop_free(originalStack, X509_NAME_free); + sk_X509_NAME_pop_free(copyStack, X509_NAME_free); + + originalStack = NULL; + copyStack = NULL; + + res = EXPECT_RESULT(); +#endif /* OPENSSL_ALL */ + return res; +} /* include misc.c here regardless of NO_INLINE, because misc.c implementations * have default (hidden) visibility, and in the absence of visibility, it's * benign to mask out the library implementation. @@ -60386,7 +60421,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_GENERAL_NAME_set0_othername), TEST_DECL(test_othername_and_SID_ext), - + TEST_DECL(test_wolfSSL_dup_CA_list), /* OpenSSL sk_X509 API test */ TEST_DECL(test_sk_X509), /* OpenSSL sk_X509_CRL API test */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c01913341e..f5c17641a1 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -5156,6 +5156,9 @@ typedef struct CIDInfo CIDInfo; /* wolfSSL ssl type */ struct WOLFSSL { WOLFSSL_CTX* ctx; +#if defined(WOLFSSL_HAPROXY) + WOLFSSL_CTX* initial_ctx; /* preserve session key materials */ +#endif Suites* suites; /* Only need during handshake. Can be NULL when * re-using the context's object. When WOLFSSL * object needs separate instance of suites use diff --git a/wolfssl/openssl/x509.h b/wolfssl/openssl/x509.h index f794a32749..a603ce681f 100644 --- a/wolfssl/openssl/x509.h +++ b/wolfssl/openssl/x509.h @@ -74,47 +74,41 @@ * satisfy OpenSSL compatibility consumers to prevent compilation errors. * The list was taken from * https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in + * One requirement for HAProxy is that the values should be literal constants. */ -#define X509_V_OK WOLFSSL_X509_V_OK +#define X509_V_OK 0 #define X509_V_ERR_UNSPECIFIED 1 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2 #define X509_V_ERR_UNABLE_TO_GET_CRL 3 #define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE 4 #define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE 5 #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY 6 -#define X509_V_ERR_CERT_SIGNATURE_FAILURE \ - WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE +#define X509_V_ERR_CERT_SIGNATURE_FAILURE 7 #define X509_V_ERR_CRL_SIGNATURE_FAILURE 8 -#define X509_V_ERR_CERT_NOT_YET_VALID WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID -#define X509_V_ERR_CERT_HAS_EXPIRED WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED +#define X509_V_ERR_CERT_NOT_YET_VALID 9 +#define X509_V_ERR_CERT_HAS_EXPIRED 10 #define X509_V_ERR_CRL_NOT_YET_VALID 11 #define X509_V_ERR_CRL_HAS_EXPIRED 12 -#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD \ - WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD -#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD \ - WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD +#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD 13 +#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD 14 #define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD 15 #define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD 16 #define X509_V_ERR_OUT_OF_MEM 17 -#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT \ - WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT +#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT 18 #define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN 19 -#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY \ - WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY -#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE \ - WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE -#define X509_V_ERR_CERT_CHAIN_TOO_LONG WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG -#define X509_V_ERR_CERT_REVOKED WOLFSSL_X509_V_ERR_CERT_REVOKED -#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY WOLFSSL_X509_V_ERR_INVALID_CA -#define X509_V_ERR_PATH_LENGTH_EXCEEDED WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED +#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY 20 +#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE 21 +#define X509_V_ERR_CERT_CHAIN_TOO_LONG 22 +#define X509_V_ERR_CERT_REVOKED 23 +#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 24 +#define X509_V_ERR_PATH_LENGTH_EXCEEDED 25 #define X509_V_ERR_INVALID_PURPOSE 26 #define X509_V_ERR_CERT_UNTRUSTED 27 -#define X509_V_ERR_CERT_REJECTED WOLFSSL_X509_V_ERR_CERT_REJECTED +#define X509_V_ERR_CERT_REJECTED 28 /* These are 'informational' when looking for issuer cert */ -#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH \ - WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH +#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH 29 #define X509_V_ERR_AKID_SKID_MISMATCH 30 #define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH 31 #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN 32 diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 648cdbceef..cbaad0b003 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -2386,8 +2386,8 @@ enum { * limit the possibility of an infinite retry loop */ SSL_MODE_RELEASE_BUFFERS = -1, /* For libwebsockets build. No current use. */ - /* Errors used in wolfSSL. - * Should map the defines in wolfssl/openssl/x509.h + /* Errors used in wolfSSL. utilize the values from the defines in + * wolfssl/openssl/x509.h, but without the WOLFSSL_ prefix. */ WOLFSSL_X509_V_OK = 0, WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE = 7,