WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #4332 from dgarske/zd12791 

Improve CRL error codes
pull/4337/head
John Safranek 2021-08-25 13:57:46 -07:00 committed by GitHub
parent 3f2abef212 700b1c56c1
commit cb3f42482b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 61 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
configure.ac
View File

@ -3578,21 +3578,25 @@ fi
# CRL
AC_ARG_ENABLE([crl],
[AS_HELP_STRING([--enable-crl],[Enable CRL (default: disabled)])],
[AS_HELP_STRING([--enable-crl],[Enable CRL (Use =io for inline CRL HTTP GET) (default: disabled)])],
[ ENABLED_CRL=$enableval ],
[ ENABLED_CRL=no ],
)
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes"
if test "x$ENABLED_NGINX" = "xyes" || test "x$ENABLED_HAPROXY" = "xyes" || test "x$ENABLED_OPENVPN" = "xyes" || \
test "x$ENABLED_WPAS" != "xno" || test "x$ENABLED_LIGHTY" = "xyes" || test "x$ENABLED_NETSNMP" = "xyes"
then
ENABLED_CRL=yes
fi
if test "$ENABLED_CRL" = "yes"
if test "$ENABLED_CRL" != "no"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL"
fi
if test "$ENABLED_CRL" == "io"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_CRL_IO"
fi
# CRL Monitor
@ -6745,7 +6749,7 @@ AM_CONDITIONAL([BUILD_INLINE],[test "x$ENABLED_INLINE" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP],[test "x$ENABLED_OCSP" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2],[test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" = "xyes" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CRL],[test "x$ENABLED_CRL" != "xno" || test "x$ENABLED_USERSETTINGS" = "xyes"])
AM_CONDITIONAL([BUILD_CRL_MONITOR],[test "x$ENABLED_CRL_MONITOR" = "xyes"])
AM_CONDITIONAL([BUILD_USER_RSA],[test "x$ENABLED_USER_RSA" = "xyes"] )
AM_CONDITIONAL([BUILD_USER_CRYPTO],[test "x$ENABLED_USER_CRYPTO" = "xyes"])

4
src/crl.c
View File

@ -385,7 +385,9 @@ int CheckCertCRL(WOLFSSL_CRL* crl, DecodedCert* cert)
#endif
if (foundEntry == 0) {
WOLFSSL_MSG("Couldn't find CRL for status check");
ret = CRL_MISSING;
if (ret != CRL_CERT_DATE_ERR) {
ret = CRL_MISSING;
}
if (crl->cm->cbMissingCRL) {
char url[256];

26
src/internal.c
View File

@ -11965,7 +11965,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) {
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
@ -12745,7 +12746,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED)) {
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
@ -19805,9 +19807,6 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case NOT_CA_ERROR:
return "Not a CA by basic constraint error";
case HTTP_TIMEOUT:
return "HTTP timeout for OCSP or CRL req";
case BAD_CERT_MANAGER_ERROR:
return "Bad Cert Manager error";
@ -20060,6 +20059,23 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case SOCKET_FILTERED_E:
return "Session stopped by network filter";
#ifdef HAVE_HTTP_CLIENT
case HTTP_TIMEOUT:
return "HTTP timeout for OCSP or CRL req";
case HTTP_RECV_ERR:
return "HTTP Receive error";
case HTTP_HEADER_ERR:
return "HTTP Header error";
case HTTP_PROTO_ERR:
return "HTTP Protocol error";
case HTTP_STATUS_ERR:
return "HTTP Status error";
case HTTP_VERSION_ERR:
return "HTTP Version error";
case HTTP_APPSTR_ERR:
return "HTTP Application string error";
#endif
default :
return "unknown error number";
}

25
src/wolfio.c
View File

@ -1138,7 +1138,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
}
WOLFSSL_MSG("wolfIO_HttpProcessResponse recv http from peer failed");
return -1;
return HTTP_RECV_ERR;
}
}
end = XSTRSTR(start, "\r\n"); /* locate end */
@ -1158,7 +1158,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
}
else {
WOLFSSL_MSG("wolfIO_HttpProcessResponse header ended early");
return -1;
return HTTP_HEADER_ERR;
}
}
else {
@ -1176,13 +1176,13 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
if (XSTRLEN(start) < 12) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse HTTP header "
"too short.");
return -1;
return HTTP_HEADER_ERR;
}
if (XSTRNCASECMP(start, HTTP_PROTO,
sizeof(HTTP_PROTO) - 1) != 0) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse HTTP header "
"doesn't start with HTTP/1.");
return -1;
return HTTP_PROTO_ERR;
}
/* +2 for HTTP minor version and space between version and
* status code. */
@ -1191,7 +1191,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
sizeof(HTTP_STATUS_200) - 1) != 0) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse HTTP header "
"doesn't have status code 200.");
return -1;
return HTTP_STATUS_ERR;
}
state = phr_http_start;
break;
@ -1201,7 +1201,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
if (XSTRLEN(start) < 13) { /* 13 is the shortest of the following
next lines we're checking for. */
WOLFSSL_MSG("wolfIO_HttpProcessResponse content type is too short.");
return -1;
return HTTP_VERSION_ERR;
}
if (XSTRNCASECMP(start, "Content-Type:", 13) == 0) {
@ -1221,7 +1221,7 @@ int wolfIO_HttpProcessResponse(int sfd, const char** appStrList,
}
if (appStrList[i] == NULL) {
WOLFSSL_MSG("wolfIO_HttpProcessResponse appstr mismatch");
return -1;
return HTTP_APPSTR_ERR;
}
state = (state == phr_http_start) ? phr_have_type : phr_wait_end;
}
@ -1510,7 +1510,7 @@ int wolfIO_HttpBuildRequestCrl(const char* url, int urlSz,
int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf,
int httpBufSz)
{
int result;
int ret;
byte *respBuf = NULL;
const char* appStrList[] = {
@ -1519,14 +1519,15 @@ int wolfIO_HttpProcessResponseCrl(WOLFSSL_CRL* crl, int sfd, byte* httpBuf,
NULL
};
result = wolfIO_HttpProcessResponse(sfd, appStrList,
ret = wolfIO_HttpProcessResponse(sfd, appStrList,
&respBuf, httpBuf, httpBufSz, DYNAMIC_TYPE_CRL, crl->heap);
if (result >= 0) {
result = BufferLoadCRL(crl, respBuf, result, WOLFSSL_FILETYPE_ASN1, 0);
if (ret >= 0) {
ret = BufferLoadCRL(crl, respBuf, ret, WOLFSSL_FILETYPE_ASN1, 0);
}
XFREE(respBuf, crl->heap, DYNAMIC_TYPE_CRL);
return result;
return ret;
}
int EmbedCrlLookup(WOLFSSL_CRL* crl, const char* url, int urlSz)

6
wolfcrypt/src/asn.c
View File

@ -29554,13 +29554,13 @@ static int ParseCRL_CertList(DecodedCRL* dcrl, const byte* buf,
}
#ifdef WOLFSSL_NO_CRL_NEXT_DATE
if (doNextDate)x
if (doNextDate)
#endif
{
#ifndef NO_ASN_TIME
if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL after date is no longer valid");
return ASN_AFTER_DATE_E;
return CRL_CERT_DATE_ERR;
}
#endif
}
@ -29990,7 +29990,7 @@ end:
/* Next date was set, so validate it. */
if (!XVALIDATE_DATE(dcrl->nextDate, dcrl->nextDateFormat, AFTER)) {
WOLFSSL_MSG("CRL after date is no longer valid");
ret = ASN_AFTER_DATE_E;
ret = CRL_CERT_DATE_ERR;
}
}
}

3
wolfcrypt/src/error.c
View File

@ -260,6 +260,9 @@ const char* wc_GetErrorString(int error)
case ASN_CRL_NO_SIGNER_E :
return "ASN CRL no signer error to confirm failure";
case CRL_CERT_DATE_ERR:
return "CRL date error";
case ASN_OCSP_CONFIRM_E :
return "ASN OCSP sig error, confirm failure";

2
wolfcrypt/test/test.c
View File

@ -1641,7 +1641,7 @@ WOLFSSL_TEST_SUBROUTINE int error_test(void)
/* Values that are not or no longer error codes. */
int missing[] = { -122, -123, -124, -127, -128, -129,
-163, -164, -165, -166, -167, -168, -169,
-179, -233,
-233,
0 };
/* Check that all errors have a string and it's the same through the two

9
wolfssl/error-ssl.h
View File

@ -52,7 +52,6 @@ enum wolfSSL_ErrorCodes {
RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */
NO_DH_PARAMS = -319, /* server missing DH params */
BUILD_MSG_ERROR = -320, /* build message failure */
BAD_HELLO = -321, /* client hello malformed */
DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
WANT_READ = -323, /* want read, call again */
@ -113,6 +112,7 @@ enum wolfSSL_ErrorCodes {
UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */
UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */
KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */
KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */
EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */
SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */
@ -171,8 +171,13 @@ enum wolfSSL_ErrorCodes {
NO_CERT_ERROR = -440, /* TLS1.3 - no cert set error */
APP_DATA_READY = -441, /* DTLS1.2 application data ready for read */
TOO_MUCH_EARLY_DATA = -442, /* Too much Early data */
SOCKET_FILTERED_E = -443, /* Session stopped by network filter */
HTTP_RECV_ERR = -444, /* HTTP Receive error */
HTTP_HEADER_ERR = -445, /* HTTP Header error */
HTTP_PROTO_ERR = -446, /* HTTP Protocol error */
HTTP_STATUS_ERR = -447, /* HTTP Status error */
HTTP_VERSION_ERR = -448, /* HTTP Version error */
HTTP_APPSTR_ERR = -449, /* HTTP Application string error */
/* add strings to wolfSSL_ERR_reason_error_string in internal.c !!!!! */

1
wolfssl/wolfcrypt/error-crypt.h
View File

@ -117,6 +117,7 @@ enum {
NO_PASSWORD = -176, /* no password provided by user */
ALT_NAME_E = -177, /* alt name size problem, too big */
BAD_OCSP_RESPONDER = -178, /* missing key usage extensions */
CRL_CERT_DATE_ERR = -179, /* CRL date error */
AES_GCM_AUTH_E = -180, /* AES-GCM Authentication check failure */
AES_CCM_AUTH_E = -181, /* AES-CCM Authentication check failure */