Home Explore Help
Register Sign In
OWEALs
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
2
0
Fork 0
Files Issues 8 Wiki
Browse Source

Implement the option to disable CRL check
Do leaf CRL check by default
Correct wolfSSL_sk_X509_NAME_push return check
Update OpenSSL compatibility errors for HAProxy
Change X509_V to literal constant values
Fix the compat layer with TLS session ticket reuse
Fix for tls1_2 session resume and cache miss
Save intitial wolfSSL ctx
Check for OpenSSL CRL error code 23

Tesfa Mael 1 year ago
parent
23c60b7b9c
commit
fd17fa3e9c
9 changed files with 107 additions and 60 deletions
Split View Show Diff Stats
  1. 3 2
      scripts/crl-revoked.test
  2. 18 4
      src/internal.c
  3. 51 17
      src/ssl.c
  4. 3 2
      src/x509.c
  5. 6 5
      src/x509_str.c
  6. 5 6
      tests/api.c
  7. 3 0
      wolfssl/internal.h
  8. 16 22
      wolfssl/openssl/x509.h
  9. 2 2
      wolfssl/ssl.h

+ 3 - 2
scripts/crl-revoked.test
View File 

@@ -22,6 +22,7 @@ cp -rp . $RUNNING_DIR/.
 
 cd $RUNNING_DIR
 
 
 revocation_code="-361"
 
+revocation_code_openssl="23"
 
 exit_code=1
 
 counter=0
 
 # need a unique resume port since may run the same time as testsuite
 
@@ -112,7 +113,7 @@ run_test() {
 
     server_result=$?
 
 
     case  "$capture_out" in
 
-    *$revocation_code*)
 
+    *"$revocation_code"*|*"$revocation_code_openssl"*)
 
         # only exit with zero on detection of the expected error code
 
         echo ""
 
         echo "Successful Revocation!!!!"
 
@@ -178,7 +179,7 @@ run_hashdir_test() {
 
   server_result=$?
 
 
   case  "$capture_out" in
 
-    *$revocation_code*)
 
+    *"$revocation_code"*|*"$revocation_code_openssl"*)
 
         # only exit with zero on detection of the expected error code
 
         echo ""
 
         echo "Successful Revocation!!!! with hash dir"

+ 18 - 4
src/internal.c
View File 

@@ -185,8 +185,13 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
 
 
 #endif /* !WOLFSSL_NO_TLS12 */
 
 
-#ifndef NO_WOLFSSL_SERVER
 
-    #if defined(HAVE_SESSION_TICKET) && !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
 
+#if !defined(NO_WOLFSSL_SERVER) && defined(HAVE_SESSION_TICKET)
 
+    #if defined(WOLFSSL_HAPROXY)
 
+        #define SSL_TICKET_CTX(ssl) ssl->initial_ctx->ticketEncCtx
 
+    #else
 
+        #define SSL_TICKET_CTX(ssl) ssl->ctx->ticketEncCtx
 
+    #endif
 
+    #if !defined(WOLFSSL_NO_DEF_TICKET_ENC_CB)
 
         static int TicketEncCbCtx_Init(WOLFSSL_CTX* ctx,
 
                                        TicketEncCbCtx* keyCtx);
 
         static void TicketEncCbCtx_Free(TicketEncCbCtx* keyCtx);
 
@@ -6213,6 +6218,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 
     if (!newSSL) {
 
         WOLFSSL_MSG("freeing old ctx to decrement reference count. Switching ctx.");
 
         wolfSSL_CTX_free(ssl->ctx);
 
+#if defined(WOLFSSL_HAPROXY)
 
+        wolfSSL_CTX_free(ssl->initial_ctx);
 
+#endif
 
     }
 
 
     /* increment CTX reference count */
 
@@ -6229,6 +6237,10 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 
     ssl->ctx     = ctx; /* only for passing to calls, options could change */
 
     /* Don't change version on a SSL object that has already started a
 
      * handshake */
 
+#if defined(WOLFSSL_HAPROXY)
 
+    ssl->initial_ctx     = ctx; /* Save access to session key materials */
 
+    wolfSSL_CTX_up_ref(ctx);
 
+#endif
 
     if (!ssl->msgsReceived.got_client_hello &&
 
             !ssl->msgsReceived.got_server_hello)
 
         ssl->version = ctx->method->version;
 
@@ -23135,6 +23147,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
 
 #ifdef OPENSSL_EXTRA
 
     case 0 :
 
         return "ok";
 
+    case -WOLFSSL_X509_V_ERR_CERT_REVOKED :
 
+        return "certificate revoked";
 
 #endif
 
 
     case UNSUPPORTED_SUITE :
 
@@ -34650,7 +34664,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
             if (error == 0) {
 
                 ret = ssl->ctx->ticketEncCb(ssl, et->key_name, et->iv, et->mac,
 
                         1, et->enc_ticket, sizeof(InternalTicket), &encLen,
 
-                        ssl->ctx->ticketEncCtx);
 
+                        SSL_TICKET_CTX(ssl));
 
             }
 
             else {
 
                 ret = WOLFSSL_TICKET_RET_FATAL;
 
@@ -34775,7 +34789,7 @@ static int DoSessionTicket(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
 
             ret = ssl->ctx->ticketEncCb((WOLFSSL*)ssl, et->key_name, et->iv,
 
                                     et->enc_ticket + inLen, 0,
 
                                     et->enc_ticket, inLen, &outLen,
 
-                                    ssl->ctx->ticketEncCtx);
 
+                                    SSL_TICKET_CTX(ssl));
 
         }
 
         if (ret != WOLFSSL_TICKET_RET_OK) {
 
         #ifdef WOLFSSL_ASYNC_CRYPT

+ 51 - 17
src/ssl.c
View File 

@@ -4509,7 +4509,10 @@ int wolfSSL_get_error(WOLFSSL* ssl, int ret)
 
         return WOLFSSL_ERROR_WANT_WRITE;        /* convert to OpenSSL type */
 
     else if (ssl->error == ZERO_RETURN || ssl->options.shutdownDone)
 
         return WOLFSSL_ERROR_ZERO_RETURN;       /* convert to OpenSSL type */
 
-    return ssl->error;
 
+#if defined(WOLFSSL_HAPROXY)
 
+    return GetX509Error(ssl->error);
 
+#endif
 
+    return (ssl->error);
 
 }
 
 
 
@@ -8152,7 +8155,8 @@ int wolfSSL_CertManagerLoadCRLBuffer(WOLFSSL_CERT_MANAGER* cm,
 
         return BAD_FUNC_ARG;
 
 
     if (cm->crl == NULL) {
 
-        if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
 
+        if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK) !=
 
+                                         WOLFSSL_SUCCESS) {
 
             WOLFSSL_MSG("Enable CRL failed");
 
             return WOLFSSL_FATAL_ERROR;
 
         }
 
@@ -8209,7 +8213,14 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options)
 
     WOLFSSL_ENTER("wolfSSL_CertManagerEnableCRL");
 
     if (cm == NULL)
 
         return BAD_FUNC_ARG;
 
-
 
+#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
 
+    if (options == 0) {
 
+        /* Turn off doing Leaf CRL check */
 
+        cm->crlEnabled = 0;
 
+        /* Turn off all checks */
 
+        cm->crlCheckAll = 0;
 
+    }
 
+#endif
 
     #ifdef HAVE_CRL
 
         if (cm->crl == NULL) {
 
             cm->crl = (WOLFSSL_CRL*)XMALLOC(sizeof(WOLFSSL_CRL), cm->heap,
 
@@ -8228,10 +8239,15 @@ int wolfSSL_CertManagerEnableCRL(WOLFSSL_CERT_MANAGER* cm, int options)
 
             cm->crl->crlIOCb = EmbedCrlLookup;
 
         #endif
 
         }
 
-
 
-        cm->crlEnabled = 1;
 
-        if (options & WOLFSSL_CRL_CHECKALL)
 
-            cm->crlCheckAll = 1;
 
+#if defined(OPENSSL_COMPATIBLE_DEFAULTS)
 
+        if ((options & WOLFSSL_CRL_CHECKALL) ||
 
+            (options & WOLFSSL_CRL_CHECK))
 
+#endif
 
+        {
 
+            cm->crlEnabled = 1;
 
+            if (options & WOLFSSL_CRL_CHECKALL)
 
+                cm->crlCheckAll = 1;
 
+        }
 
     #else
 
         ret = NOT_COMPILED_IN;
 
     #endif
 
@@ -9431,7 +9447,8 @@ int wolfSSL_CertManagerLoadCRL(WOLFSSL_CERT_MANAGER* cm, const char* path,
 
         return BAD_FUNC_ARG;
 
 
     if (cm->crl == NULL) {
 
-        if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
 
+        if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
 
+            != WOLFSSL_SUCCESS) {
 
             WOLFSSL_MSG("Enable CRL failed");
 
             return WOLFSSL_FATAL_ERROR;
 
         }
 
@@ -9448,7 +9465,8 @@ int wolfSSL_CertManagerLoadCRLFile(WOLFSSL_CERT_MANAGER* cm, const char* file,
 
         return BAD_FUNC_ARG;
 
 
     if (cm->crl == NULL) {
 
-        if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
 
+        if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
 
+            != WOLFSSL_SUCCESS) {
 
             WOLFSSL_MSG("Enable CRL failed");
 
             return WOLFSSL_FATAL_ERROR;
 
         }
 
@@ -14494,12 +14512,17 @@ void SetupSession(WOLFSSL* ssl)
 
 
     WOLFSSL_ENTER("SetupSession");
 
 
-    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL &&
 
-            !session->haveAltSessionID) {
 
+    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL) {
 
         /* Make sure the session ID is available when the user calls any
 
          * get_session API */
 
-        XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
 
-        session->sessionIDSz = ssl->arrays->sessionIDSz;
 
+        if (!session->haveAltSessionID) {
 
+            XMEMCPY(session->sessionID, ssl->arrays->sessionID, ID_LEN);
 
+            session->sessionIDSz = ssl->arrays->sessionIDSz;
 
+        }
 
+        else {
 
+            XMEMCPY(session->sessionID, session->altSessionID, ID_LEN);
 
+            session->sessionIDSz = ID_LEN;
 
+        }
 
     }
 
     session->side = (byte)ssl->options.side;
 
     if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
 
@@ -14904,7 +14927,7 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
 
     if (SslSessionCacheOff(ssl, ssl->session))
 
         return WOLFSSL_FAILURE;
 
 
-    if (ssl->options.haveSessionId == 0)
 
+    if (ssl->options.haveSessionId == 0 && !ssl->session->haveAltSessionID)
 
         return WOLFSSL_FAILURE;
 
 
 #ifdef HAVE_SESSION_TICKET
 
@@ -14913,7 +14936,8 @@ int wolfSSL_GetSessionFromCache(WOLFSSL* ssl, WOLFSSL_SESSION* output)
 
 #endif
 
 
     XMEMSET(bogusID, 0, sizeof(bogusID));
 
-    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL)
 
+    if (!IsAtLeastTLSv1_3(ssl->version) && ssl->arrays != NULL
 
+            && !ssl->session->haveAltSessionID)
 
         id = ssl->arrays->sessionID;
 
     else if (ssl->session->haveAltSessionID) {
 
         id = ssl->session->altSessionID;
 
@@ -23116,8 +23140,9 @@ int wolfSSL_ERR_GET_REASON(unsigned long err)
 
 #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 
     /* Nginx looks for this error to know to stop parsing certificates.
 
      * Same for HAProxy. */
 
-    if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE)
 
-        || (err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER)
 
+    if (err == ((ERR_LIB_PEM << 24) | PEM_R_NO_START_LINE) ||
 
+       ((err & 0xFFFFFFL) == -ASN_NO_PEM_HEADER) ||
 
+       ((err & 0xFFFL) == PEM_R_NO_START_LINE ))
 
         return PEM_R_NO_START_LINE;
 
     if (err == ((ERR_LIB_SSL << 24) | -SSL_R_HTTP_REQUEST))
 
         return SSL_R_HTTP_REQUEST;
 
@@ -31248,6 +31273,9 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 
 #endif
 
     if (ssl->ctx) {
 
         wolfSSL_CTX_free(ssl->ctx);
 
+#if defined(WOLFSSL_HAPROXY)
 
+        wolfSSL_CTX_free(ssl->initial_ctx);
 
+#endif
 
     }
 
     ssl->ctx = ctx;
 
 
@@ -31450,6 +31478,12 @@ const byte* wolfSSL_SESSION_get_id(const WOLFSSL_SESSION* sess,
 
         WOLFSSL_MSG("Bad func args. Please provide idLen");
 
         return NULL;
 
     }
 
+#ifdef HAVE_SESSION_TICKET
 
+    if (sess->haveAltSessionID) {
 
+        *idLen = ID_LEN;
 
+        return sess->altSessionID;
 
+    }
 
+#endif
 
     *idLen = sess->sessionIDSz;
 
     return sess->sessionID;
 
 }

+ 3 - 2
src/x509.c
View File 

@@ -7028,7 +7028,8 @@ int wolfSSL_X509_LOOKUP_load_file(WOLFSSL_X509_LOOKUP* lookup,
 
             WOLFSSL_CERT_MANAGER* cm = lookup->store->cm;
 
 
             if (cm->crl == NULL) {
 
-                if (wolfSSL_CertManagerEnableCRL(cm, 0) != WOLFSSL_SUCCESS) {
 
+                if (wolfSSL_CertManagerEnableCRL(cm, WOLFSSL_CRL_CHECK)
 
+                    != WOLFSSL_SUCCESS) {
 
                     WOLFSSL_MSG("Enable CRL failed");
 
                     goto end;
 
                 }
 
@@ -12440,7 +12441,7 @@ WOLF_STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list(
 
 
     for (i = 0; i < num; i++) {
 
         name = wolfSSL_X509_NAME_dup(wolfSSL_sk_X509_NAME_value(sk, i));
 
-        if (name == NULL || 0 != wolfSSL_sk_X509_NAME_push(copy, name)) {
 
+        if (name == NULL || WOLFSSL_SUCCESS != wolfSSL_sk_X509_NAME_push(copy, name)) {
 
             WOLFSSL_MSG("Memory error");
 
             wolfSSL_sk_X509_NAME_pop_free(copy, wolfSSL_X509_NAME_free);
 
             return NULL;

+ 6 - 5
src/x509_str.c
View File 

@@ -170,7 +170,7 @@ int GetX509Error(int e)
 
         case ASN_BEFORE_DATE_E:
 
             return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD;
 
         case ASN_AFTER_DATE_E:
 
-            return WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD;
 
+            return WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED;
 
         case ASN_NO_SIGNER_E: /* get issuer error if no CA found locally */
 
             return WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
 
         case ASN_SELF_SIGNED_E:
 
@@ -183,6 +183,8 @@ int GetX509Error(int e)
 
         case ASN_SIG_HASH_E:
 
         case ASN_SIG_KEY_E:
 
             return WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE;
 
+        case CRL_CERT_REVOKED:
 
+            return WOLFSSL_X509_V_ERR_CERT_REVOKED;
 
         default:
 
 #ifdef HAVE_WOLFSSL_MSG_EX
 
             WOLFSSL_MSG_EX("Error not configured or implemented yet: %d", e);
 
@@ -977,9 +979,7 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag)
 
     if (store == NULL)
 
         return WOLFSSL_FAILURE;
 
 
-    if ((flag & WOLFSSL_CRL_CHECKALL) || (flag & WOLFSSL_CRL_CHECK)) {
 
-        ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag);
 
-    }
 
+    ret = wolfSSL_CertManagerEnableCRL(store->cm, (int)flag);
 
 
     return ret;
 
 }
 
@@ -1023,7 +1023,8 @@ WOLFSSL_API int wolfSSL_X509_STORE_load_locations(WOLFSSL_X509_STORE *str,
 
 
 #ifdef HAVE_CRL
 
     if (str->cm->crl == NULL) {
 
-        if (wolfSSL_CertManagerEnableCRL(str->cm, 0) != WOLFSSL_SUCCESS) {
 
+        if (wolfSSL_CertManagerEnableCRL(str->cm, WOLFSSL_CRL_CHECK)
 
+            != WOLFSSL_SUCCESS) {
 
             WOLFSSL_MSG("Enable CRL failed");
 
             wolfSSL_CTX_free(ctx);
 
             return WOLFSSL_FAILURE;

+ 5 - 6
tests/api.c
View File 

@@ -7820,7 +7820,9 @@ static hashTable server_sessionCache;
 
 static int twcase_new_sessionCb(WOLFSSL *ssl, WOLFSSL_SESSION *sess)
 
 {
 
     int i;
 
+    unsigned int len;
 
     (void)ssl;
 
+
 
     /*
 
      * This example uses a hash table.
 
      * Steps you should take for a non-demo code:
 
@@ -7842,11 +7844,7 @@ static int twcase_new_sessionCb(WOLFSSL *ssl, WOLFSSL_SESSION *sess)
 
     }
 
     for (i = 0; i < SESSION_CACHE_SIZE; i++) {
 
         if (server_sessionCache.entries[i].value == NULL) {
 
-            if (sess->haveAltSessionID == 1)
 
-                server_sessionCache.entries[i].key = sess->altSessionID;
 
-            else
 
-                server_sessionCache.entries[i].key = sess->sessionID;
 
-
 
+            server_sessionCache.entries[i].key = SSL_SESSION_get_id(sess, &len);
 
             server_sessionCache.entries[i].value = sess;
 
             server_sessionCache.length++;
 
             break;
 
@@ -33083,7 +33081,8 @@ static int test_wolfSSL_X509_STORE(void)
 
                     SSL_FILETYPE_PEM)));
 
     ExpectIntEQ(X509_STORE_CTX_init(storeCtx, store, cert, NULL), SSL_SUCCESS);
 
     ExpectIntNE(X509_verify_cert(storeCtx), SSL_SUCCESS);
 
-    ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx), CRL_CERT_REVOKED);
 
+    ExpectIntEQ(X509_STORE_CTX_get_error(storeCtx),
 
+                WOLFSSL_X509_V_ERR_CERT_REVOKED);
 
     X509_CRL_free(crl);
 
     crl = NULL;
 
     X509_STORE_free(store);

+ 3 - 0
wolfssl/internal.h
View File 

@@ -5156,6 +5156,9 @@ typedef struct CIDInfo CIDInfo;
 
 /* wolfSSL ssl type */
 
 struct WOLFSSL {
 
     WOLFSSL_CTX*    ctx;
 
+#if defined(WOLFSSL_HAPROXY)
 
+    WOLFSSL_CTX*    initial_ctx; /* preserve session key materials */
 
+#endif
 
     Suites*         suites; /* Only need during handshake. Can be NULL when
 
                              * re-using the context's object. When WOLFSSL
 
                              * object needs separate instance of suites use

+ 16 - 22
wolfssl/openssl/x509.h
View File 

@@ -74,47 +74,41 @@
 
  * satisfy OpenSSL compatibility consumers to prevent compilation errors.
 
  * The list was taken from
 
  * https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
 
+ * One requirement for HAProxy is that the values should be literal constants.
 
  */
 
 
-#define X509_V_OK                       WOLFSSL_X509_V_OK
 
+#define X509_V_OK                                       0
 
 #define X509_V_ERR_UNSPECIFIED                          1
 
 #define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT            2
 
 #define X509_V_ERR_UNABLE_TO_GET_CRL                    3
 
 #define X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE     4
 
 #define X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE      5
 
 #define X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY   6
 
-#define X509_V_ERR_CERT_SIGNATURE_FAILURE               \
 
-                            WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE
 
+#define X509_V_ERR_CERT_SIGNATURE_FAILURE               7
 
 #define X509_V_ERR_CRL_SIGNATURE_FAILURE                8
 
-#define X509_V_ERR_CERT_NOT_YET_VALID   WOLFSSL_X509_V_ERR_CERT_NOT_YET_VALID
 
-#define X509_V_ERR_CERT_HAS_EXPIRED     WOLFSSL_X509_V_ERR_CERT_HAS_EXPIRED
 
+#define X509_V_ERR_CERT_NOT_YET_VALID                   9
 
+#define X509_V_ERR_CERT_HAS_EXPIRED                     10
 
 #define X509_V_ERR_CRL_NOT_YET_VALID                    11
 
 #define X509_V_ERR_CRL_HAS_EXPIRED                      12
 
-#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD       \
 
-                            WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
 
-#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD        \
 
-                            WOLFSSL_X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
 
+#define X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD       13
 
+#define X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD        14
 
 #define X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD       15
 
 #define X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD       16
 
 #define X509_V_ERR_OUT_OF_MEM                           17
 
-#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT          \
 
-                            WOLFSSL_X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
 
+#define X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT          18
 
 #define X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN            19
 
-#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY    \
 
-                            WOLFSSL_X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
 
-#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE      \
 
-                            WOLFSSL_X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
 
-#define X509_V_ERR_CERT_CHAIN_TOO_LONG  WOLFSSL_X509_V_ERR_CERT_CHAIN_TOO_LONG
 
-#define X509_V_ERR_CERT_REVOKED         WOLFSSL_X509_V_ERR_CERT_REVOKED
 
-#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY WOLFSSL_X509_V_ERR_INVALID_CA
 
-#define X509_V_ERR_PATH_LENGTH_EXCEEDED WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED
 
+#define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY    20
 
+#define X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE      21
 
+#define X509_V_ERR_CERT_CHAIN_TOO_LONG                  22
 
+#define X509_V_ERR_CERT_REVOKED                         23
 
+#define X509_V_ERR_NO_ISSUER_PUBLIC_KEY                 24
 
+#define X509_V_ERR_PATH_LENGTH_EXCEEDED                 25
 
 #define X509_V_ERR_INVALID_PURPOSE                      26
 
 #define X509_V_ERR_CERT_UNTRUSTED                       27
 
-#define X509_V_ERR_CERT_REJECTED        WOLFSSL_X509_V_ERR_CERT_REJECTED
 
+#define X509_V_ERR_CERT_REJECTED                        28
 
 
 /* These are 'informational' when looking for issuer cert */
 
-#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH              \
 
-                             WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH
 
+#define X509_V_ERR_SUBJECT_ISSUER_MISMATCH              29
 
 #define X509_V_ERR_AKID_SKID_MISMATCH                   30
 
 #define X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH          31
 
 #define X509_V_ERR_KEYUSAGE_NO_CERTSIGN                 32

+ 2 - 2
wolfssl/ssl.h
View File 

@@ -2386,8 +2386,8 @@ enum {
 
                               * limit the possibility of an infinite retry loop
 
                               */
 
     SSL_MODE_RELEASE_BUFFERS = -1, /* For libwebsockets build. No current use. */
 
-    /* Errors used in wolfSSL.
 
-     * Should map the defines in wolfssl/openssl/x509.h
 
+    /* Errors used in wolfSSL. utilize the values from the defines in
 
+     * wolfssl/openssl/x509.h, but without the WOLFSSL_ prefix.
 
      */
 
     WOLFSSL_X509_V_OK                                    = 0,
 
     WOLFSSL_X509_V_ERR_CERT_SIGNATURE_FAILURE            = 7,