diff --git a/.github/workflows/os-check.yml b/.github/workflows/os-check.yml
index 9cb948101..30556d02a 100644
--- a/.github/workflows/os-check.yml
+++ b/.github/workflows/os-check.yml
@@ -41,16 +41,21 @@ jobs:
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
--enable-dtls-mtu',
'--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
- --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
+ --enable-psk --enable-aesccm --enable-nullcipher
+ CPPFLAGS=-DWOLFSSL_STATIC_RSA',
'--enable-ascon --enable-experimental',
'--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
'--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
- '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS=-DWOLFSSL_DH_EXTRA',
+ '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
+ CPPFLAGS=-DWOLFSSL_DH_EXTRA',
'--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
--enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
'--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
'--enable-opensslall --enable-opensslextra
CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
+ '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
+ '--enable-opensslextra=x509small',
+ 'CPPFLAGS=''-DWOLFSSL_EXTRA'' '
]
name: make check
if: github.repository_owner == 'wolfssl'
diff --git a/src/internal.c b/src/internal.c
index befbd0a40..0a48149a7 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -2905,7 +2905,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
defined(WOLFSSL_WPAS_SMALL)
wolfSSL_X509_STORE_free(ctx->x509_store_pt);
#endif
- #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+ #ifndef WOLFSSL_NO_CA_NAMES
wolfSSL_sk_X509_NAME_pop_free(ctx->client_ca_names, NULL);
ctx->client_ca_names = NULL;
#endif
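Review bot: The free of ctx->client_ca_names is now gated on WOLFSSL_NO_CA_NAMES, which the internal.h hunk in this commit force-defines for every build that is not OPENSSL_EXTRA, so a HAVE_LIGHTY-only or WOLFSSL_EXTRA-only build that used to release this stack here no longer does. That is only safe if the client_ca_names member of WOLFSSL_CTX (declared outside this diff) is guarded by the same macro; if the struct still declares and populates it under the old `OPENSSL_EXTRA || WOLFSSL_EXTRA || HAVE_LIGHTY` condition, those builds leak the X509_NAME stack on every SSL_CtxResourceFree. Please confirm the member's guard reads `#ifndef WOLFSSL_NO_CA_NAMES` as well, and the same applies to the WOLFSSL member freed in the next hunk. SSL_CtxResourceFree starts and ends outside the hunk.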
@@ -8784,7 +8784,7 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
wolfSSL_sk_X509_pop_free(ssl->ourCertChain, NULL);
#endif
#endif
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+#ifndef WOLFSSL_NO_CA_NAMES
wolfSSL_sk_X509_NAME_pop_free(ssl->client_ca_names, NULL);
ssl->client_ca_names = NULL;
#endif
diff --git a/src/ssl.c b/src/ssl.c
index 16acfda1c..c18a5407a 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -12163,7 +12163,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif /* !NO_BIO */
#endif /* OPENSSL_EXTRA */
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#ifndef WOLFSSL_NO_CA_NAMES
void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX* ctx,
WOLF_STACK_OF(WOLFSSL_X509_NAME)* names)
{
@@ -12184,8 +12184,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ssl->client_ca_names = names;
}
}
+#endif
- #ifdef OPENSSL_EXTRA
+#ifdef OPENSSL_EXTRA
/* registers client cert callback, called during handshake if server
requests client auth but user has not loaded client cert/key */
void wolfSSL_CTX_set_client_cert_cb(WOLFSSL_CTX *ctx, client_cert_cb cb)
@@ -12397,9 +12398,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
}
return ret;
}
- #endif /* OPENSSL_EXTRA */
-
-#endif /* OPENSSL_EXTRA || WOLFSSL_EXTRA || HAVE_WEBSERVER */
+#endif /* OPENSSL_EXTRA */
#ifndef WOLFSSL_NO_CA_NAMES
WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
diff --git a/src/x509_str.c b/src/x509_str.c
index 9fec690b3..2c054c114 100644
--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -577,33 +577,15 @@ exit:
#endif /* OPENSSL_EXTRA */
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
- WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
- WOLFSSL_X509_STORE_CTX* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
- if (ctx)
- return ctx->current_cert;
- return NULL;
- }
-
-
- int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
- if (ctx != NULL)
- return ctx->error;
- return 0;
- }
-
-
- int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
- {
- WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
- if(ctx)
- return ctx->error_depth;
- return WOLFSSL_FATAL_ERROR;
- }
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
+ WOLFSSL_X509_STORE_CTX* ctx)
+{
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
+ if (ctx)
+ return ctx->current_cert;
+ return NULL;
+}
/* get X509_STORE_CTX ex_data, max idx is MAX_EX_DATA */
void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
@@ -619,7 +601,27 @@ void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
#endif
return NULL;
}
-#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
+
+
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(WOLFSSL_EXTRA)
+ int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
+ {
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
+ if (ctx != NULL)
+ return ctx->error;
+ return 0;
+ }
+
+ int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
+ {
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
+ if (ctx)
+ return ctx->error_depth;
+ return WOLFSSL_FATAL_ERROR;
+ }
+#endif
#ifdef OPENSSL_EXTRA
void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
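Review bot: wolfSSL_X509_STORE_CTX_get_error returns 0 for a NULL ctx, which is the same value a caller reads as "verification succeeded", while wolfSSL_X509_STORE_CTX_get_error_depth directly below returns WOLFSSL_FATAL_ERROR for the same case. Now that both are exported to OPENSSL_EXTRA_X509_SMALL and WOLFSSL_EXTRA callers, and the C# example in this commit decides whether to override a verification failure based on this value, the ambiguity deserves at least a comment on the function: `/* Returns 0 both for "no error" and for a NULL ctx; callers that may receive a NULL store must check it themselves rather than treat 0 as success. */`. Returning WOLFSSL_FATAL_ERROR for NULL would be the more defensive choice and would match get_error_depth, but it may differ from OpenSSL's X509_STORE_CTX_get_error behaviour that compat-layer users expect, so I would document rather than change it unless that layer is audited.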
diff --git a/tests/api.c b/tests/api.c
index 8cadb6af8..5e2e94791 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -28110,7 +28110,8 @@ static int test_wolfSSL_CTX_set_client_CA_list(void)
static int test_wolfSSL_CTX_add_client_CA(void)
{
EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
+#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) && \
+ !defined(NO_RSA) && !defined(NO_CERTS) && \
!defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
WOLFSSL_CTX* ctx = NULL;
WOLFSSL_X509* x509 = NULL;
@@ -38569,7 +38570,7 @@ static int test_wolfSSL_cert_cb_dyn_ciphers(void)
static int test_wolfSSL_ciphersuite_auth(void)
{
EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#if defined(OPENSSL_EXTRA)
WOLFSSL_CIPHERSUITE_INFO info;
(void)info;
@@ -38659,7 +38660,7 @@ static int test_wolfSSL_ciphersuite_auth(void)
static int test_wolfSSL_sigalg_info(void)
{
EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#if defined(OPENSSL_EXTRA)
byte hashSigAlgo[WOLFSSL_MAX_SIGALGO];
word16 len = 0;
word16 idx = 0;
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index b834f12df..ca9d4620b 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1086,13 +1086,17 @@
#undef WSSL_HARDEN_TLS
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
-#define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? (ssl)->client_ca_names : \
+/* Client CA Names feature */
+#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA)
+ #define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? \
+ (ssl)->client_ca_names : \
(ssl)->ctx->client_ca_names)
#else
-#define WOLFSSL_NO_CA_NAMES
+ #undef WOLFSSL_NO_CA_NAMES
+ #define WOLFSSL_NO_CA_NAMES
#endif
+
/* actual cipher values, 2nd byte */
enum {
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,
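Review bot: The enabling condition silently drops WOLFSSL_EXTRA and HAVE_LIGHTY, so those builds now get WOLFSSL_NO_CA_NAMES force-defined and lose the client CA names feature they had before, and the new `/* Client CA Names feature */` comment does not say so. Suggest expanding it to `/* Client CA names (certificate_authorities) are only tracked with OPENSSL_EXTRA; every other build gets WOLFSSL_NO_CA_NAMES force-defined, and a user-supplied -DWOLFSSL_NO_CA_NAMES disables the feature even with OPENSSL_EXTRA. */`. If a HAVE_LIGHTY build can be configured without OPENSSL_EXTRA this is a functional regression for lighttpd's client-auth CA list, so please confirm configure always pairs the two. Note also that the macro is derived here in internal.h, so anything that includes only the public header sees a different value of WOLFSSL_NO_CA_NAMES than the library was built with.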
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 820651151..4c13411c1 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -1841,6 +1841,12 @@ WOLFSSL_API const char* wolfSSL_ERR_func_error_string(unsigned long e);
WOLFSSL_API const char* wolfSSL_ERR_lib_error_string(unsigned long e);
/* -------- EXTRAS BEGIN -------- */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(WOLFSSL_EXTRA)
+WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
+WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
+#endif
+
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
@@ -2144,9 +2150,6 @@ WOLFSSL_API int wolfSSL_num_locks(void);
WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
WOLFSSL_X509_STORE_CTX* ctx);
-WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
-WOLFSSL_API int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
-
WOLFSSL_API void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
WOLFSSL_API void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st,
@@ -2407,6 +2410,8 @@ WOLFSSL_API void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t);
#endif
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname);
+
+#ifndef WOLFSSL_NO_CA_NAMES
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
const WOLFSSL_CTX *ctx);
/* deprecated function name */
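Review bot: These prototypes are now gated on WOLFSSL_NO_CA_NAMES, but per the internal.h hunk that macro is derived in internal.h, not in a header an application includes. An application that includes only ssl.h against a non-OPENSSL_EXTRA library therefore still sees wolfSSL_CTX_get_client_CA_list and friends declared and only finds out at link time that they were compiled out, which is the failure mode this guard was presumably meant to prevent. Unless settings.h or options.h also derives WOLFSSL_NO_CA_NAMES, I would gate the declarations on the same compound condition, `#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_NO_CA_NAMES)`, or move the derivation into settings.h so both sides agree. The same applies to the matching `#endif` hunk that follows.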
@@ -2418,6 +2423,7 @@ WOLFSSL_API void wolfSSL_set_client_CA_list(WOLFSSL* ssl,
WOLF_STACK_OF(WOLFSSL_X509_NAME)*);
WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_get_client_CA_list(
const WOLFSSL* ssl);
+#endif /* !WOLFSSL_NO_CA_NAMES */
typedef int (*client_cert_cb)(WOLFSSL *ssl, WOLFSSL_X509 **x509,
WOLFSSL_EVP_PKEY **pkey);
diff --git a/wolfssl/test.h b/wolfssl/test.h
index 70765c4db..7dd83fef0 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -2467,14 +2467,14 @@ static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
{
char err_buffer[WOLFSSL_MAX_ERROR_SZ];
+ int err;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
WOLFSSL_X509* peer;
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
- !defined(OPENSSL_EXTRA_X509_SMALL)
+#endif
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
WOLFSSL_BIO* bio = NULL;
WOLFSSL_STACK* sk = NULL;
X509* x509 = NULL;
-#endif
#endif
/* Verify Callback Arguments:
@@ -2492,10 +2492,17 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
will be discarded (only with SESSION_CERTS)
*/
- fprintf(stderr, "In verification callback, error = %d, %s\n", store->error,
- wolfSSL_ERR_error_string((unsigned long) store->error, err_buffer));
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+ defined(WOLFSSL_EXTRA)
+ err = wolfSSL_X509_STORE_CTX_get_error(store);
+#else
+ err = store->error;
+#endif
+
+ fprintf(stderr, "In verification callback, error = %d, %s\n", err,
+ wolfSSL_ERR_error_string((unsigned long) err, err_buffer));
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
- peer = store->current_cert;
+ peer = wolfSSL_X509_STORE_CTX_get_current_cert(store);
if (peer) {
char* issuer = wolfSSL_X509_NAME_oneline(
wolfSSL_X509_get_issuer_name(peer), 0, 0);
@@ -2515,8 +2522,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL);
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
- !defined(OPENSSL_EXTRA_X509_SMALL)
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
/* avoid printing duplicate certs */
if (store->depth == 1) {
int i;
diff --git a/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs b/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
index d327b6534..496ce0c12 100644
--- a/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
+++ b/wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs
@@ -54,9 +54,18 @@ public class wolfSSL_TLS_Client
/// Certificate in WOLFSSL_X509_STORE_CTX format
private static int myVerify(int preverify, IntPtr x509_ctx)
{
- /* Use the provided verification */
+ int verify = preverify;
+
+ /* example for overriding an error code */
+ /* X509_STORE_CTX_get_error API can be enabled with
+ * OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA */
+ int error = wolfssl.X509_STORE_CTX_get_error(x509_ctx);
+ if (error == wolfcrypt.ASN_BEFORE_DATE_E) {
+ verify = 1; /* override error */
+ }
+
/* Can optionally override failures by returning non-zero value */
- return preverify;
+ return verify;
}
///
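Review bot: The example now calls wolfssl.X509_STORE_CTX_get_error unconditionally, while its own comment says the native entry point only exists when the library was built with OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA; against any other build the P/Invoke will throw EntryPointNotFoundException from inside a callback invoked by native code, which depending on the runtime aborts the process rather than failing the handshake. The override itself is also a risky thing to ship in a template client: accepting ASN_BEFORE_DATE_E means trusting a certificate before its notBefore date, and sample code like this tends to be copied verbatim. I would keep the call but make the intent unmistakable, e.g. `/* WARNING: demo only. Overriding ASN_BEFORE_DATE_E accepts a not-yet-valid certificate; a real client must return preverify unchanged. */`, and wrap the get_error call in a try/catch that falls back to returning preverify when the symbol is missing.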
@@ -90,7 +99,7 @@ public class wolfSSL_TLS_Client
if (caCert == "" || dhparam.Length == 0) {
Console.WriteLine("Platform not supported.");
- return;
+ return;
}
StringBuilder buff = new StringBuilder(1024);
@@ -133,14 +142,14 @@ public class wolfSSL_TLS_Client
}
int sniArg = haveSNI(args);
- if (sniArg >= 0)
+ if (sniArg >= 0)
{
string sniHostNameString = args[sniArg].Trim();
sniHostName = Marshal.StringToHGlobalAnsi(sniHostNameString);
ushort size = (ushort)sniHostNameString.Length;
- if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
+ if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
{
Console.WriteLine("UseSNI failed");
wolfssl.CTX_free(ctx);
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
index 8951fcb73..168b1e969 100644
--- a/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
+++ b/wrapper/CSharp/wolfSSL_CSharp/wolfCrypt.cs
@@ -566,11 +566,29 @@ namespace wolfSSL.CSharp
public static readonly int AES_BLOCK_SIZE = 16;
/* Error codes */
- public static readonly int SUCCESS = 0;
- public static readonly int SIG_VERIFY_E = -229; /* wolfcrypt signature verify error */
- public static readonly int MEMORY_E = -125; /* Out of memory error */
- public static readonly int EXCEPTION_E = -1;
- public static readonly int BUFFER_E = -131; /* RSA buffer error, output too small/large */
+ public static readonly int SUCCESS = 0;
+ public static readonly int EXCEPTION_E = -1;
+ public static readonly int MEMORY_E = -125; /* Out of memory error */
+ public static readonly int BUFFER_E = -131; /* RSA buffer error, output too small/large */
+ public static readonly int ASN_PARSE_E = -140; /* ASN parsing error, invalid input */
+ public static readonly int ASN_VERSION_E = -141; /* ASN version error, invalid number */
+ public static readonly int ASN_GETINT_E = -142; /* ASN get big int error, invalid data */
+ public static readonly int ASN_RSA_KEY_E = -143; /* ASN key init error, invalid input */
+ public static readonly int ASN_OBJECT_ID_E = -144; /* ASN object id error, invalid id */
+ public static readonly int ASN_TAG_NULL_E = -145; /* ASN tag error, not null */
+ public static readonly int ASN_EXPECT_0_E = -146; /* ASN expect error, not zero */
+ public static readonly int ASN_BITSTR_E = -147; /* ASN bit string error, wrong id */
+ public static readonly int ASN_UNKNOWN_OID_E = -148; /* ASN oid error, unknown sum id */
+ public static readonly int ASN_DATE_SZ_E = -149; /* ASN date error, bad size */
+ public static readonly int ASN_BEFORE_DATE_E = -150; /* ASN date error, current date before */
+ public static readonly int ASN_AFTER_DATE_E = -151; /* ASN date error, current date after */
+ public static readonly int ASN_SIG_OID_E = -152; /* ASN signature error, mismatched oid */
+ public static readonly int ASN_TIME_E = -153; /* ASN time error, unknown time type */
+ public static readonly int ASN_INPUT_E = -154; /* ASN input error, not enough data */
+ public static readonly int ASN_SIG_CONFIRM_E = -155; /* ASN sig error, confirm failure */
+ public static readonly int ASN_SIG_HASH_E = -156; /* ASN sig error, unsupported hash type */
+ public static readonly int ASN_SIG_KEY_E = -157; /* ASN sig error, unsupported key type */
+ public static readonly int SIG_VERIFY_E = -229; /* wolfcrypt signature verify error */
/***********************************************************************
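Review bot: The newly added ASN_* values are hand-copied from the native error table and nothing here says where they come from, so the next time the C side renumbers or adds a code this wrapper will silently disagree with it, and a mismatch on ASN_BEFORE_DATE_E in particular changes what the example client's verify callback overrides. Suggest a comment above the block naming the source of truth, e.g. `/* Must match wolfssl/wolfcrypt/error-crypt.h; keep values in sync when updating the native library. */`. The enclosing class continues outside the hunk.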