Fix to expose API to access "store" error code and error depth for cert failure callback (from set_verify). Useful for C# wrapper or clients that cannot directly dereference X509_STORE. Fixes for building with WOLFSSL_EXTRA and WOLFSSL_NO_CA_NAMES (and added new tests). Added example in CSharp TLS client for overriding a begin date error (useful if date is not set).

Author: dgarske

.github/workflows/os-check.yml

@@ -41,16 +41,21 @@ jobs:
           '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
            --enable-dtls-mtu',
           '--enable-dtls --enable-dtlscid --enable-dtls13 --enable-secure-renegotiation
-            --enable-psk --enable-aesccm --enable-nullcipher CPPFLAGS=-DWOLFSSL_STATIC_RSA',
+            --enable-psk --enable-aesccm --enable-nullcipher
+            CPPFLAGS=-DWOLFSSL_STATIC_RSA',
           '--enable-ascon --enable-experimental',
           '--enable-ascon CPPFLAGS=-DWOLFSSL_ASCON_UNROLL --enable-experimental',
           '--enable-all CPPFLAGS=''-DNO_AES_192 -DNO_AES_256'' ',
-          '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys CFLAGS=-DWOLFSSL_DH_EXTRA',
+          '--enable-sniffer --enable-curve25519 --enable-curve448 --enable-enckeys
+            CPPFLAGS=-DWOLFSSL_DH_EXTRA',
           '--enable-dtls --enable-dtls13 --enable-dtls-frag-ch
             --enable-dtls-mtu CPPFLAGS=-DWOLFSSL_DTLS_RECORDS_CAN_SPAN_DATAGRAMS',
           '--enable-opensslall --enable-opensslextra CPPFLAGS=-DWC_RNG_SEED_CB',
           '--enable-opensslall --enable-opensslextra
             CPPFLAGS=''-DWC_RNG_SEED_CB -DWOLFSSL_NO_GETPID'' ',
+          '--enable-opensslextra CPPFLAGS=''-DWOLFSSL_NO_CA_NAMES'' ',
+          '--enable-opensslextra=x509small',
+          'CPPFLAGS=''-DWOLFSSL_EXTRA'' '
         ]
     name: make check
     if: github.repository_owner == 'wolfssl'

src/internal.c

@@ -2905,7 +2905,7 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
         defined(WOLFSSL_WPAS_SMALL)
         wolfSSL_X509_STORE_free(ctx->x509_store_pt);
     #endif
-    #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+    #ifndef WOLFSSL_NO_CA_NAMES
         wolfSSL_sk_X509_NAME_pop_free(ctx->client_ca_names, NULL);
         ctx->client_ca_names = NULL;
     #endif
@@ -8784,7 +8784,7 @@ void wolfSSL_ResourceFree(WOLFSSL* ssl)
     wolfSSL_sk_X509_pop_free(ssl->ourCertChain, NULL);
     #endif
 #endif
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
+#ifndef WOLFSSL_NO_CA_NAMES
     wolfSSL_sk_X509_NAME_pop_free(ssl->client_ca_names, NULL);
     ssl->client_ca_names = NULL;
 #endif

src/ssl.c

@@ -12163,7 +12163,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
 #endif /* !NO_BIO */
 #endif /* OPENSSL_EXTRA */
 
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#ifndef WOLFSSL_NO_CA_NAMES
     void wolfSSL_CTX_set_client_CA_list(WOLFSSL_CTX* ctx,
                                        WOLF_STACK_OF(WOLFSSL_X509_NAME)* names)
     {
@@ -12184,7 +12184,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
             ssl->client_ca_names = names;
         }
     }
+#endif
 
+#if defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY)
     #ifdef OPENSSL_EXTRA
     /* registers client cert callback, called during handshake if server
        requests client auth but user has not loaded client cert/key */
@@ -12399,7 +12401,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
     }
     #endif /* OPENSSL_EXTRA */
 
-#endif /* OPENSSL_EXTRA || WOLFSSL_EXTRA || HAVE_WEBSERVER */
+#endif /* OPENSSL_EXTRA || HAVE_LIGHTY */
 
 #ifndef WOLFSSL_NO_CA_NAMES
     WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(

src/x509_str.c

@@ -577,17 +577,35 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
 
 #endif /* OPENSSL_EXTRA */
 
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_WPAS_SMALL)
-    WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
-                                                WOLFSSL_X509_STORE_CTX* ctx)
-    {
-        WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
-        if (ctx)
-            return ctx->current_cert;
-        return NULL;
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
+WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
+                                            WOLFSSL_X509_STORE_CTX* ctx)
+{
+    WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_current_cert");
+    if (ctx)
+        return ctx->current_cert;
+    return NULL;
+}
+
+/* get X509_STORE_CTX ex_data, max idx is MAX_EX_DATA */
+void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
+{
+    WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_ex_data");
+#ifdef HAVE_EX_DATA
+    if (ctx != NULL) {
+        return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx);
     }
+#else
+    (void)ctx;
+    (void)idx;
+#endif
+    return NULL;
+}
+#endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */
 
 
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(WOLFSSL_EXTRA)
     int wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx)
     {
         WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error");
@@ -596,30 +614,14 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
         return 0;
     }
 
-
     int wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx)
     {
         WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_error_depth");
-        if(ctx)
+        if (ctx)
             return ctx->error_depth;
         return WOLFSSL_FATAL_ERROR;
     }
-
-/* get X509_STORE_CTX ex_data, max idx is MAX_EX_DATA */
-void* wolfSSL_X509_STORE_CTX_get_ex_data(WOLFSSL_X509_STORE_CTX* ctx, int idx)
-{
-    WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_ex_data");
-#ifdef HAVE_EX_DATA
-    if (ctx != NULL) {
-        return wolfSSL_CRYPTO_get_ex_data(&ctx->ex_data, idx);
-    }
-#else
-    (void)ctx;
-    (void)idx;
 #endif
-    return NULL;
-}
-#endif /* OPENSSL_EXTRA || WOLFSSL_WPAS_SMALL */
 
 #ifdef OPENSSL_EXTRA
     void wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,

tests/api.c

@@ -28110,7 +28110,8 @@ static int test_wolfSSL_CTX_set_client_CA_list(void)
 static int test_wolfSSL_CTX_add_client_CA(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) && !defined(NO_RSA) && !defined(NO_CERTS) && \
+#if !defined(WOLFSSL_NO_CA_NAMES) && defined(OPENSSL_EXTRA) && \
+    !defined(NO_RSA) && !defined(NO_CERTS) && \
     !defined(NO_TLS) && !defined(NO_WOLFSSL_CLIENT)
     WOLFSSL_CTX* ctx = NULL;
     WOLFSSL_X509* x509 = NULL;
@@ -38569,7 +38570,7 @@ static int test_wolfSSL_cert_cb_dyn_ciphers(void)
 static int test_wolfSSL_ciphersuite_auth(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#if defined(OPENSSL_EXTRA)
     WOLFSSL_CIPHERSUITE_INFO info;
 
     (void)info;
@@ -38659,7 +38660,7 @@ static int test_wolfSSL_ciphersuite_auth(void)
 static int test_wolfSSL_sigalg_info(void)
 {
     EXPECT_DECLS;
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA)
+#if defined(OPENSSL_EXTRA)
     byte hashSigAlgo[WOLFSSL_MAX_SIGALGO];
     word16 len = 0;
     word16 idx = 0;

wolfssl/internal.h

@@ -1086,13 +1086,17 @@
 
 #undef WSSL_HARDEN_TLS
 
-#if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EXTRA) || defined(HAVE_LIGHTY)
-#define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? (ssl)->client_ca_names : \
+#if !defined(WOLFSSL_NO_CA_NAMES) && \
+    (defined(OPENSSL_EXTRA) || defined(HAVE_LIGHTY))
+    #define SSL_CA_NAMES(ssl) ((ssl)->client_ca_names != NULL ? \
+        (ssl)->client_ca_names : \
         (ssl)->ctx->client_ca_names)
 #else
-#define WOLFSSL_NO_CA_NAMES
+    #undef  WOLFSSL_NO_CA_NAMES
+    #define WOLFSSL_NO_CA_NAMES
 #endif
 
+
 /* actual cipher values, 2nd byte */
 enum {
     TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA = 0x16,

wolfssl/ssl.h

@@ -1841,6 +1841,12 @@ WOLFSSL_API const char* wolfSSL_ERR_func_error_string(unsigned long e);
 WOLFSSL_API const char* wolfSSL_ERR_lib_error_string(unsigned long e);
 
 /* -------- EXTRAS BEGIN -------- */
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(WOLFSSL_EXTRA)
+WOLFSSL_API int   wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
+WOLFSSL_API int   wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
+#endif
+
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
 WOLFSSL_API void wolfSSL_ERR_print_errors(WOLFSSL_BIO *bio);
 
@@ -2144,9 +2150,6 @@ WOLFSSL_API int  wolfSSL_num_locks(void);
 
 WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_CTX_get_current_cert(
                                                         WOLFSSL_X509_STORE_CTX* ctx);
-WOLFSSL_API int   wolfSSL_X509_STORE_CTX_get_error(WOLFSSL_X509_STORE_CTX* ctx);
-WOLFSSL_API int   wolfSSL_X509_STORE_CTX_get_error_depth(WOLFSSL_X509_STORE_CTX* ctx);
-
 WOLFSSL_API void  wolfSSL_X509_STORE_CTX_set_verify_cb(WOLFSSL_X509_STORE_CTX *ctx,
                                   WOLFSSL_X509_STORE_CTX_verify_cb verify_cb);
 WOLFSSL_API void wolfSSL_X509_STORE_set_verify_cb(WOLFSSL_X509_STORE *st,
@@ -2407,6 +2410,8 @@ WOLFSSL_API void wolfSSL_ASN1_TIME_free(WOLFSSL_ASN1_TIME* t);
 #endif
 
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_load_client_CA_file(const char* fname);
+
+#ifndef WOLFSSL_NO_CA_NAMES
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_CTX_get_client_CA_list(
         const WOLFSSL_CTX *ctx);
 /* deprecated function name */
@@ -2418,6 +2423,7 @@ WOLFSSL_API void wolfSSL_set_client_CA_list(WOLFSSL* ssl,
                                                WOLF_STACK_OF(WOLFSSL_X509_NAME)*);
 WOLFSSL_API WOLF_STACK_OF(WOLFSSL_X509_NAME)* wolfSSL_get_client_CA_list(
             const WOLFSSL* ssl);
+#endif /* !WOLFSSL_NO_CA_NAMES */
 
 typedef int (*client_cert_cb)(WOLFSSL *ssl, WOLFSSL_X509 **x509,
                               WOLFSSL_EVP_PKEY **pkey);

wolfssl/test.h

@@ -2467,14 +2467,14 @@ static THREAD_LS_T int myVerifyAction = VERIFY_OVERRIDE_ERROR;
 static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 {
     char err_buffer[WOLFSSL_MAX_ERROR_SZ];
+    int err;
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
     WOLFSSL_X509* peer;
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
-    !defined(OPENSSL_EXTRA_X509_SMALL)
+#endif
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
     WOLFSSL_BIO* bio = NULL;
     WOLFSSL_STACK* sk = NULL;
     X509* x509 = NULL;
-#endif
 #endif
 
     /* Verify Callback Arguments:
@@ -2492,10 +2492,17 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
         will be discarded (only with SESSION_CERTS)
      */
 
-    fprintf(stderr, "In verification callback, error = %d, %s\n", store->error,
-            wolfSSL_ERR_error_string((unsigned long) store->error, err_buffer));
+#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) || \
+    defined(WOLFSSL_EXTRA)
+    err = wolfSSL_X509_STORE_CTX_get_error(store);
+#else
+    err = store->error;
+#endif
+
+    fprintf(stderr, "In verification callback, error = %d, %s\n", err,
+            wolfSSL_ERR_error_string((unsigned long) err, err_buffer));
 #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
-    peer = store->current_cert;
+    peer = wolfSSL_X509_STORE_CTX_get_current_cert(store);
     if (peer) {
         char* issuer  = wolfSSL_X509_NAME_oneline(
                                        wolfSSL_X509_get_issuer_name(peer), 0, 0);
@@ -2515,8 +2522,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 
         XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
         XFREE(issuer,  0, DYNAMIC_TYPE_OPENSSL);
-#if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM) && \
-    !defined(OPENSSL_EXTRA_X509_SMALL)
+#if defined(OPENSSL_EXTRA) && defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
         /* avoid printing duplicate certs */
         if (store->depth == 1) {
             int i;

wrapper/CSharp/wolfSSL-TLS-Client/wolfSSL-TLS-Client.cs

@@ -54,9 +54,20 @@ private static void clean(IntPtr ssl, IntPtr ctx)
     /// <param name="x509_ctx">Certificate in WOLFSSL_X509_STORE_CTX format</param>
     private static int myVerify(int preverify, IntPtr x509_ctx)
     {
-        /* Use the provided verification */
+        int verify = preverify;
+
+        /* example for overriding an error code */
+        /* X509_STORE_CTX_get_error API can be enabled with
+         * OPENSSL_EXTRA_X509_SMALL or WOLFSSL_EXTRA */
+        int error = wolfssl.X509_STORE_CTX_get_error(x509_ctx);
+        const int ASN_BEFORE_DATE_E = -150;  /* ASN date error, current date before */
+
+        if (error == ASN_BEFORE_DATE_E) {
+            verify = 1; /* override error */
+        }
+
         /* Can optionally override failures by returning non-zero value */
-        return preverify;
+        return verify;
     }
 
     /// <summary>
@@ -90,7 +101,7 @@ public static void Main(string[] args)
 
         if (caCert == "" || dhparam.Length == 0) {
             Console.WriteLine("Platform not supported.");
-            return; 
+            return;
         }
 
         StringBuilder buff = new StringBuilder(1024);
@@ -133,14 +144,14 @@ public static void Main(string[] args)
         }
 
         int sniArg = haveSNI(args);
-        if (sniArg >= 0) 
+        if (sniArg >= 0)
         {
             string sniHostNameString = args[sniArg].Trim();
             sniHostName = Marshal.StringToHGlobalAnsi(sniHostNameString);
 
             ushort size = (ushort)sniHostNameString.Length;
 
-           if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS) 
+           if (wolfssl.CTX_UseSNI(ctx, (byte)wolfssl.WOLFSSL_SNI_HOST_NAME, sniHostName, size) != wolfssl.SUCCESS)
            {
                Console.WriteLine("UseSNI failed");
                wolfssl.CTX_free(ctx);