diff --git a/configure.ac b/configure.ac
index d6c44305d6..a2e98dd352 100644
--- a/configure.ac
+++ b/configure.ac
@@ -10111,10 +10111,7 @@ fi
 if test "x$ENABLED_SYS_CA_CERTS" = "xyes"
 then
- if test "x$ENABLED_FILESYSTEM" = "xno"
- then
- ENABLED_SYS_CA_CERTS="no"
- elif test "x$ENABLED_CERTS" = "xno"
+ if test "x$ENABLED_CERTS" = "xno"
 then
 ENABLED_SYS_CA_CERTS="no"
 fi
@@ -10146,6 +10143,16 @@ then
 AC_MSG_ERROR([Unable to find Apple Security.framework headers])
 ])
 ;;
+ mingw*)
+ ;;
+ *)
+ # Only disable on no filesystem non Mac/Windows, as Mac and Windows
+ # depend on APIs which don't need filesystem support enabled in wolfSSL.
+ if test "x$ENABLED_FILESYSTEM" = "xno"
+ then
+ ENABLED_SYS_CA_CERTS="no"
+ fi
+ ;;
 esac
 fi
diff --git a/src/ssl_load.c b/src/ssl_load.c
index 34f328d131..aedc629cd5 100644
--- a/src/ssl_load.c
+++ b/src/ssl_load.c
@@ -28,7 +28,8 @@
 */
 #ifdef WOLFSSL_SYS_CA_CERTS
-/* Will be turned off automatically when NO_FILESYSTEM is defined */
+/* Will be turned off automatically when NO_FILESYSTEM is defined
+ * for non Mac/Windows systems */
 #ifdef _WIN32
 #define _WINSOCKAPI_ /* block inclusion of winsock.h header file */
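Review bot: The new `*)` branch is now the only place where `ENABLED_FILESYSTEM=no` turns system CA certificates off, and it does so silently, so a non-Mac/Windows build configured with both system CA certs and no filesystem ends up never consulting the system trust store without any notice at configure time. An `AC_MSG_WARN([System CA certs disabled: filesystem support is required on this platform])` inside that `if` would make the downgrade visible where the user can act on it. The comment could also read `# Only disable when there is no filesystem on non-Mac/Windows hosts; Mac and Windows use native APIs that do not need wolfSSL filesystem support.` The `case` statement this branch is added to starts outside the hunk.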
@@ -3041,6 +3042,231 @@ int wolfSSL_CTX_load_verify_locations_compat(WOLFSSL_CTX* ctx, const char* file, return WS_RETURN_CODE(ret, 0); } +#ifdef WOLFSSL_TRUST_PEER_CERT +/* Load a trusted peer certificate into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of peer certificate file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 when ctx or file is NULL. + */ +int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_cert"); + + /* Validate parameters. */ + if ((ctx == NULL) || (file == NULL)) { + ret = 0; + } + else { + ret = ProcessFile(ctx, file, format, TRUSTED_PEER_TYPE, NULL, 0, NULL, + GET_VERIFY_SETTING_CTX(ctx)); + } + + return ret; +} + +/* Load a trusted peer certificate into SSL. + * + * @param [in, out] ssl SSL object. + * @param [in] file Name of peer certificate file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 when ssl or file is NULL. + */ +int wolfSSL_trust_peer_cert(WOLFSSL* ssl, const char* file, int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_trust_peer_cert"); + + /* Validate parameters. */ + if ((ssl == NULL) || (file == NULL)) { + ret = 0; + } + else { + ret = ProcessFile(NULL, file, format, TRUSTED_PEER_TYPE, ssl, 0, NULL, + GET_VERIFY_SETTING_SSL(ssl)); + } + + return ret; +} +#endif /* WOLFSSL_TRUST_PEER_CERT */ + + +#ifdef WOLFSSL_DER_LOAD + +/* Load a CA certificate into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of peer certificate file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 on failure. 
+ */ +int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, + int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_der_load_verify_locations"); + + /* Validate parameters. */ + if ((ctx == NULL) || (file == NULL)) { + ret = 0; + } + else { +#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION + /* TEST ONLY CODE: force native cert validation on */ + WOLFSSL_MSG("ANCV Test: loading system CA certs"); + wolfSSL_CTX_load_system_CA_certs(ctx); +#endif + ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL, + GET_VERIFY_SETTING_CTX(ctx)); + } + + /* Return 1 on success or 0 on failure. */ + return WS_RC(ret); +} + +#endif /* WOLFSSL_DER_LOAD */ + + +/* Load a user certificate into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of user certificate file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 on failure. + */ +WOLFSSL_ABI +int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX* ctx, const char* file, + int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_file"); + + ret = ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0, NULL, + GET_VERIFY_SETTING_CTX(ctx)); + + /* Return 1 on success or 0 on failure. */ + return WS_RC(ret); +} + + +/* Load a private key into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of private key file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 on failure. + */ +WOLFSSL_ABI +int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file, + int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_file"); + + ret = ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0, NULL, + GET_VERIFY_SETTING_CTX(ctx)); + + /* Return 1 on success or 0 on failure. 
*/ + return WS_RC(ret); +} + +#ifdef WOLFSSL_DUAL_ALG_CERTS +/* Load an alternative private key into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of private key file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 on failure. + */ +int wolfSSL_CTX_use_AltPrivateKey_file(WOLFSSL_CTX* ctx, const char* file, + int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_file"); + + ret = ProcessFile(ctx, file, format, ALT_PRIVATEKEY_TYPE, NULL, 0, NULL, + GET_VERIFY_SETTING_CTX(ctx)); + + /* Return 1 on success or 0 on failure. */ + return WS_RC(ret); +} +#endif /* WOLFSSL_DUAL_ALG_CERTS */ + + +/* Load a PEM certificate chain into SSL context. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of PEM certificate chain file. + * @return 1 on success. + * @return 0 on failure. + */ +WOLFSSL_ABI +int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX* ctx, const char* file) +{ + int ret; + + /* process up to MAX_CHAIN_DEPTH plus subject cert */ + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file"); + +#ifdef WOLFSSL_PEM_TO_DER + ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CERT_TYPE, NULL, 1, NULL, + GET_VERIFY_SETTING_CTX(ctx)); +#else + ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, NULL, 1, NULL, + GET_VERIFY_SETTING_CTX(ctx)); +#endif + + /* Return 1 on success or 0 on failure. */ + return WS_RC(ret); +} + +/* Load certificate chain into SSL context. + * + * Processes up to MAX_CHAIN_DEPTH plus subject cert. + * + * @param [in, out] ctx SSL context object. + * @param [in] file Name of private key file. + * @param [in] format Format of data: + * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. + * @return 1 on success. + * @return 0 on failure. 
+ */ +int wolfSSL_CTX_use_certificate_chain_file_format(WOLFSSL_CTX* ctx, + const char* file, int format) +{ + int ret; + + WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file_format"); + + ret = ProcessFile(ctx, file, format, CERT_TYPE, NULL, 1, NULL, + GET_VERIFY_SETTING_CTX(ctx)); + + /* Return 1 on success or 0 on failure. */ + return WS_RC(ret); +} + +#endif /* NO_FILESYSTEM */ + #ifdef WOLFSSL_SYS_CA_CERTS #ifdef USE_WINDOWS_API @@ -3184,7 +3410,7 @@ static int LoadSystemCaCertsMac(WOLFSSL_CTX* ctx, byte* loaded) } #endif /* defined(HAVE_SECURITY_SECTRUSTSETTINGS_H) */ -#else +#elif !defined(NO_FILESYSTEM) /* Potential system CA certs directories on Linux/Unix distros. */ static const char* systemCaDirs[] = { 
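Review bot: Two of the relocated doc comments carry copy-paste errors that this move is a good moment to fix: `wolfSSL_CTX_der_load_verify_locations` documents `@param [in] file Name of peer certificate file.` for a file the code loads as `CA_TYPE`, and `wolfSSL_CTX_use_certificate_chain_file_format` documents `@param [in] file Name of private key file.` for a certificate chain; they should read `Name of CA certificate file.` and `Name of certificate chain file.` respectively. In `wolfSSL_CTX_trust_peer_cert` and `wolfSSL_trust_peer_cert` the `@return` list stops at the NULL-argument case, yet `ProcessFile`'s result is returned unwrapped rather than through `WS_RC()` as the neighbouring loaders do, so callers presumably also see its other failure values; either the comment should say so or the return should be normalised like its siblings. The `#endif /* NO_FILESYSTEM */` added at the end closes a conditional whose opening is outside the hunk, so the new position of these functions relative to `#ifndef NO_FILESYSTEM` cannot be confirmed from here.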
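Review bot: The new `#elif !defined(NO_FILESYSTEM)` leaves the Unix system-CA branch without a terminating `#else`, so a hand-maintained settings build that defines both `WOLFSSL_SYS_CA_CERTS` and `NO_FILESYSTEM` on a non-Windows/non-Apple host silently compiles `systemCaDirs` and the directory-based loader away; the configure.ac change only protects autotools builds. Whether `wolfSSL_CTX_load_system_CA_certs` further down still references that loader in such a configuration is outside the hunk, but either outcome is undesirable: an opaque compile error or a trust-store loader that quietly has nothing to load. Adding `#else` followed by `#error "WOLFSSL_SYS_CA_CERTS requires filesystem support on this platform"` after the new branch would diagnose the combination at compile time.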
@@ -3338,231 +3564,6 @@ int wolfSSL_CTX_load_system_CA_certs(WOLFSSL_CTX* ctx) #endif /* WOLFSSL_SYS_CA_CERTS */ -#ifdef WOLFSSL_TRUST_PEER_CERT -/* Load a trusted peer certificate into SSL context. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of peer certificate file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 when ctx or file is NULL. - */ -int wolfSSL_CTX_trust_peer_cert(WOLFSSL_CTX* ctx, const char* file, int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_cert"); - - /* Validate parameters. */ - if ((ctx == NULL) || (file == NULL)) { - ret = 0; - } - else { - ret = ProcessFile(ctx, file, format, TRUSTED_PEER_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)); - } - - return ret; -} - -/* Load a trusted peer certificate into SSL. - * - * @param [in, out] ssl SSL object. - * @param [in] file Name of peer certificate file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 when ssl or file is NULL. - */ -int wolfSSL_trust_peer_cert(WOLFSSL* ssl, const char* file, int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_trust_peer_cert"); - - /* Validate parameters. */ - if ((ssl == NULL) || (file == NULL)) { - ret = 0; - } - else { - ret = ProcessFile(NULL, file, format, TRUSTED_PEER_TYPE, ssl, 0, NULL, - GET_VERIFY_SETTING_SSL(ssl)); - } - - return ret; -} -#endif /* WOLFSSL_TRUST_PEER_CERT */ - - -#ifdef WOLFSSL_DER_LOAD - -/* Load a CA certificate into SSL context. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of peer certificate file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 on failure. 
- */ -int wolfSSL_CTX_der_load_verify_locations(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_der_load_verify_locations"); - - /* Validate parameters. */ - if ((ctx == NULL) || (file == NULL)) { - ret = 0; - } - else { -#ifdef WOLFSSL_TEST_APPLE_NATIVE_CERT_VALIDATION - /* TEST ONLY CODE: force native cert validation on */ - WOLFSSL_MSG("ANCV Test: loading system CA certs"); - wolfSSL_CTX_load_system_CA_certs(ctx); -#endif - ret = ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)); - } - - /* Return 1 on success or 0 on failure. */ - return WS_RC(ret); -} - -#endif /* WOLFSSL_DER_LOAD */ - - -/* Load a user certificate into SSL context. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of user certificate file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 on failure. - */ -WOLFSSL_ABI -int wolfSSL_CTX_use_certificate_file(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_file"); - - ret = ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)); - - /* Return 1 on success or 0 on failure. */ - return WS_RC(ret); -} - - -/* Load a private key into SSL context. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of private key file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 on failure. - */ -WOLFSSL_ABI -int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_use_PrivateKey_file"); - - ret = ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)); - - /* Return 1 on success or 0 on failure. 
*/ - return WS_RC(ret); -} - -#ifdef WOLFSSL_DUAL_ALG_CERTS -/* Load an alternative private key into SSL context. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of private key file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 on failure. - */ -int wolfSSL_CTX_use_AltPrivateKey_file(WOLFSSL_CTX* ctx, const char* file, - int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_use_AltPrivateKey_file"); - - ret = ProcessFile(ctx, file, format, ALT_PRIVATEKEY_TYPE, NULL, 0, NULL, - GET_VERIFY_SETTING_CTX(ctx)); - - /* Return 1 on success or 0 on failure. */ - return WS_RC(ret); -} -#endif /* WOLFSSL_DUAL_ALG_CERTS */ - - -/* Load a PEM certificate chain into SSL context. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of PEM certificate chain file. - * @return 1 on success. - * @return 0 on failure. - */ -WOLFSSL_ABI -int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX* ctx, const char* file) -{ - int ret; - - /* process up to MAX_CHAIN_DEPTH plus subject cert */ - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file"); - -#ifdef WOLFSSL_PEM_TO_DER - ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_PEM, CERT_TYPE, NULL, 1, NULL, - GET_VERIFY_SETTING_CTX(ctx)); -#else - ret = ProcessFile(ctx, file, WOLFSSL_FILETYPE_ASN1, CERT_TYPE, NULL, 1, NULL, - GET_VERIFY_SETTING_CTX(ctx)); -#endif - - /* Return 1 on success or 0 on failure. */ - return WS_RC(ret); -} - -/* Load certificate chain into SSL context. - * - * Processes up to MAX_CHAIN_DEPTH plus subject cert. - * - * @param [in, out] ctx SSL context object. - * @param [in] file Name of private key file. - * @param [in] format Format of data: - * WOLFSSL_FILETYPE_PEM or WOLFSSL_FILETYPE_ASN1. - * @return 1 on success. - * @return 0 on failure. 
- */ -int wolfSSL_CTX_use_certificate_chain_file_format(WOLFSSL_CTX* ctx, - const char* file, int format) -{ - int ret; - - WOLFSSL_ENTER("wolfSSL_CTX_use_certificate_chain_file_format"); - - ret = ProcessFile(ctx, file, format, CERT_TYPE, NULL, 1, NULL, - GET_VERIFY_SETTING_CTX(ctx)); - - /* Return 1 on success or 0 on failure. */ - return WS_RC(ret); -} - -#endif /* NO_FILESYSTEM */ - #ifdef OPENSSL_EXTRA /* Load a private key into SSL.