diff --git a/.github/workflows/libvncserver.yml b/.github/workflows/libvncserver.yml
new file mode 100644
index 0000000000..348eb56eb6
--- /dev/null
+++ b/.github/workflows/libvncserver.yml
@@ -0,0 +1,79 @@
+name: libvncserver Tests
+
+# START OF COMMON SECTION
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+ build_wolfssl:
+ name: Build wolfSSL
+ # Just to keep it the same as the testing target
+ runs-on: ubuntu-latest
+ # This should be a safe limit for the tests to run.
+ timeout-minutes: 4
+ steps:
+ - name: Build wolfSSL
+ uses: wolfSSL/actions-build-autotools-project@v1
+ with:
+ path: wolfssl
+ configure: --enable-all
+ install: true
+ # Don't run tests as this config is tested in many other places
+ check: false
+
+ - name: Upload built lib
+ uses: actions/upload-artifact@v4
+ with:
+ name: wolf-install-libvncserver
+ path: build-dir
+ retention-days: 5
+
+ build_libvncserver:
+ strategy:
+ fail-fast: false
+ matrix:
+ ref: [ 0.9.13 ]
+ name: ${{ matrix.ref }}
+ runs-on: ubuntu-latest
+ needs: build_wolfssl
+ steps:
+ - name: Download lib
+ uses: actions/download-artifact@v4
+ with:
+ name: wolf-install-libvncserver
+ path: build-dir
+
+ - name: Checkout OSP
+ uses: actions/checkout@v4
+ with:
+ repository: wolfssl/osp
+ path: osp
+
+ - name: Checkout libvncserver
+ uses: actions/checkout@v4
+ with:
+ repository: LibVNC/libvncserver
+ path: libvncserver
+ ref: LibVNCServer-${{ matrix.ref }}
+
+ - name: Build libvncserver
+ working-directory: libvncserver
+ run: |
+ patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
+ PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
+ cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+ make -j -C build VERBOSE=1
+ ldd build/libvncclient.so | grep wolfssl
+ ldd build/libvncserver.so | grep wolfssl
+
+ - name: Run libvncserver tests
+ working-directory: libvncserver
+ run: make -C build test
diff --git a/src/internal.c b/src/internal.c
index f5e1d89ef4..0589fa9ade 100644
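Review bot: `build_libvncserver` has no `timeout-minutes`, so a hung `make -C build test` keeps the runner busy until the platform's default job limit, while `build_wolfssl` is capped at 4 minutes; add `timeout-minutes: 10` (or whatever the suite actually needs) next to its `runs-on: ubuntu-latest`. `wolfSSL/actions-build-autotools-project@v1` and the `actions/*@v4` steps are pinned by movable tags, so the build inputs can change without any diff in this repository; pinning them to a commit SHA (`uses: owner/repo@<sha> # v1`, SHA to be filled in) keeps the CI supply chain reviewable. The `ldd ... | grep wolfssl` lines are a good guard that the wolfSSL backend really was linked rather than silently falling back.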
--- a/src/internal.c
+++ b/src/internal.c
@@ -14345,6 +14345,17 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
 ca->serialHash, NULL, 0, NULL);
 if (ret != 0)
 DoCrlCallback(cm, ssl, args, &ret);
+ if (ret != 0 && !args->verifyCbCalled) {
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (ssl->options.verifyNone &&
+ (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+ ret == CRL_CERT_DATE_ERR)) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
+ }
 if (ret != 0){
 WOLFSSL_ERROR_VERBOSE(ret);
 WOLFSSL_MSG("\tCRL check not ok");
@@ -14927,13 +14938,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
+ if (!args->verifyCbCalled) {
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (ssl->options.verifyNone &&
+ (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 #ifdef WOLFSSL_ALT_CERT_CHAINS
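Review bot: The new block in ProcessPeerCertsChainCRLCheck compares `ret` against bare `CRL_MISSING`, `CRL_CERT_REVOKED` and `CRL_CERT_DATE_ERR`, whereas the two equivalent blocks in ProcessPeerCerts wrap them in `WC_NO_ERR_TRACE(...)`; in builds where error-code names carry a trace wrapper the bare comparison may log a spurious error, so use `(ret == WC_NO_ERR_TRACE(CRL_MISSING) || ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||` / `ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {` here as well. Note that `args->verifyCbCalled` is set only when the callback leaves a non-zero `ret`, so a callback that accepts the CA despite the CRL failure will be asked again at the end of ProcessPeerCerts; that looks intended but deserves a comment such as `/* callback already refused this chain; do not ask it again */` on the `args->verifyCbCalled = 1;` line. It is also not visible here whether `args` at this point describes `ca` or the leaf certificate, which decides what the user callback is told it is judging — worth confirming. ProcessPeerCertsChainCRLCheck starts and ends outside the hunk.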
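Review bot: The guarded callback-plus-CRL-downgrade sequence is now written out three times (this hunk, the second ProcessPeerCerts hunk at 15947, and ProcessPeerCertsChainCRLCheck), and the copies already differ in detail (placement of the `/* Do verify callback */` comment, use of `WC_NO_ERR_TRACE`), which is how they will drift apart under the next fix. Moving the sequence into one static helper in internal.c and reducing each site to `ret = DoVerifyCallbackOnce(ssl, ret, args);` keeps the once-per-chain rule in a single place. ProcessPeerCerts starts and ends outside the hunk.
```c
/* Run the user verify callback at most once per peer-cert chain.
 * Once the callback has left ret non-zero, later call sites skip it
 * (args->verifyCbCalled); under verifyNone, CRL-only failures are
 * downgraded to success exactly as the inline copies do today. */
static int DoVerifyCallbackOnce(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
{
    if (args->verifyCbCalled)
        return ret;

    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
    if (ssl->options.verifyNone &&
        (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
         ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
         ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
        WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
        ret = ssl->error = 0;
    }
    if (ret != 0)
        args->verifyCbCalled = 1;
    return ret;
}

/* … unchanged: ProcessPeerCerts up to the verify step … */
        /* Do verify callback */
        ret = DoVerifyCallbackOnce(ssl, ret, args);
```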
@@ -15932,15 +15947,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 }
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
- /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (!args->verifyCbCalled) {
+ /* Do verify callback */
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
+ if (ssl->options.verifyNone &&
+ (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 if (ret != 0) {
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 0ae722d50f..5c67670ac0 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2686,6 +2686,7 @@ typedef struct ProcPeerCertArgs {
 #ifdef WOLFSSL_TRUST_PEER_CERT
 word16 haveTrustPeer:1; /* was cert verified by loaded trusted peer cert */
 #endif
+ word16 verifyCbCalled:1;
 } ProcPeerCertArgs;
 WOLFSSL_LOCAL int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret, ProcPeerCertArgs* args);
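Review bot: The new bit-field `word16 verifyCbCalled:1;` has no trailing comment, unlike the neighbouring `haveTrustPeer`, and its meaning is narrower than the name suggests: the internal.c sites set it only when the verify callback leaves a non-zero result, not on every call. Suggest `word16 verifyCbCalled:1; /* verify cb already rejected this chain; do not call it again */`. Whether the field starts at zero depends on how ProcPeerCertArgs is initialised, which is outside this hunk; if the struct is not zeroed on allocation the flag must be cleared explicitly before the first chain is processed.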