From 3c8b3332fce648d9f49aec3cac48da65270a4aae Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Fri, 7 Jun 2024 12:39:57 +0200
Subject: [PATCH 1/3] Add libvncserver action
Depends on https://github.com/wolfSSL/osp/pull/176
---
 .github/workflows/libvncserver.yml | 79 ++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 .github/workflows/libvncserver.yml
diff --git a/.github/workflows/libvncserver.yml b/.github/workflows/libvncserver.yml
new file mode 100644
index 0000000000..348eb56eb6
--- /dev/null
+++ b/.github/workflows/libvncserver.yml
@@ -0,0 +1,79 @@
+name: libvncserver Tests
+
+# START OF COMMON SECTION
+on:
+ push:
+ branches: [ 'master', 'main', 'release/**' ]
+ pull_request:
+ branches: [ '*' ]
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+ build_wolfssl:
+ name: Build wolfSSL
+ # Just to keep it the same as the testing target
+ runs-on: ubuntu-latest
+ # This should be a safe limit for the tests to run.
+ timeout-minutes: 4
+ steps:
+ - name: Build wolfSSL
+ uses: wolfSSL/actions-build-autotools-project@v1
+ with:
+ path: wolfssl
+ configure: --enable-all
+ install: true
+ # Don't run tests as this config is tested in many other places
+ check: false
+
+ - name: Upload built lib
+ uses: actions/upload-artifact@v4
+ with:
+ name: wolf-install-libvncserver
+ path: build-dir
+ retention-days: 5
+
+ build_libvncserver:
+ strategy:
+ fail-fast: false
+ matrix:
+ ref: [ 0.9.13 ]
+ name: ${{ matrix.ref }}
+ runs-on: ubuntu-latest
+ needs: build_wolfssl
+ steps:
+ - name: Download lib
+ uses: actions/download-artifact@v4
+ with:
+ name: wolf-install-libvncserver
+ path: build-dir
+
+ - name: Checkout OSP
+ uses: actions/checkout@v4
+ with:
+ repository: wolfssl/osp
+ path: osp
+
+ - name: Checkout libvncserver
+ uses: actions/checkout@v4
+ with:
+ repository: LibVNC/libvncserver
+ path: libvncserver
+ ref: LibVNCServer-${{ matrix.ref }}
+
+ - name: Build libvncserver
+ working-directory: libvncserver
+ run: |
+ patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
+ PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
+ cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+ make -j -C build VERBOSE=1
+ ldd build/libvncclient.so | grep wolfssl
+ ldd build/libvncserver.so | grep wolfssl
+
+ - name: Run libvncserver tests
+ working-directory: libvncserver
+ run: make -C build test
From bec00a46a9ea16d82ec5678792a29cd3a62d7292 Mon Sep 17 00:00:00 2001
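Review bot: The `Checkout OSP` step pulls `wolfssl/osp` at whatever its default branch currently holds, so the patch applied to libvncserver is unpinned and this job's result can change without any commit to this repository; the commit message says it depends on an unmerged osp PR, so presumably it fails until that lands. Consider giving that checkout a `ref:` (tag or commit SHA), and pinning `wolfSSL/actions-build-autotools-project@v1` to a full commit SHA rather than a mutable tag, since a third-party action runs with the job's token and workspace. `build_libvncserver` also has no `timeout-minutes` while `build_wolfssl` sets `4`, so an unbounded `make -j` or a hung `make test` runs until the runner's default limit; `timeout-minutes: 10` on the second job would keep the two consistent.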
From: Kareem
Date: Thu, 23 May 2024 10:42:25 -0700
Subject: [PATCH 2/3] Allow overriding CRL chain errors early so CRL chain processing will continue.
---
 src/internal.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index f5e1d89ef4..5a7022f69d 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -14345,6 +14345,15 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
 ca->serialHash, NULL, 0, NULL);
 if (ret != 0)
 DoCrlCallback(cm, ssl, args, &ret);
+ if (ret != 0) {
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (ssl->options.verifyNone &&
+ (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+ ret == CRL_CERT_DATE_ERR)) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ }
 if (ret != 0){
 WOLFSSL_ERROR_VERBOSE(ret);
 WOLFSSL_MSG("\tCRL check not ok");
From e3030b514cbbb843e04bc6065d7232f67de8de82 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Wed, 12 Jun 2024 16:53:12 -0700
Subject: [PATCH 3/3] Add a flag to prevent calling the verify callback twice if the error is not overriden.
---
 src/internal.c | 42 ++++++++++++++++++++++++++----------------
 wolfssl/internal.h | 1 +
 2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 5a7022f69d..0589fa9ade 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -14345,7 +14345,7 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
 ca->serialHash, NULL, 0, NULL);
 if (ret != 0)
 DoCrlCallback(cm, ssl, args, &ret);
- if (ret != 0) {
+ if (ret != 0 && !args->verifyCbCalled) {
 ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
 if (ssl->options.verifyNone &&
 (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
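Review bot: The three CRL error comparisons added here are written bare (`ret == CRL_MISSING`), while the identical test in ProcessPeerCerts later in this series wraps each code in `WC_NO_ERR_TRACE(...)`; presumably that wrapper exists to keep a comparison from going through the error-trace path, so the new block should match: `(ret == WC_NO_ERR_TRACE(CRL_MISSING) || ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) || ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))`. Because the override clears `ssl->error` and lets the chain walk continue past a CA whose CRL is missing, expired or which is revoked, the block deserves a comment stating the security decision, e.g. `/* Let the application override a CRL failure on this chain CA. verifyNone masks only the listed CRL codes; anything the verify callback does not clear still aborts the chain check. */`. ProcessPeerCertsChainCRLCheck starts and ends outside the hunk, so I cannot see how `args` reaches the callback here or which certificate index it reports for a CA failure; worth confirming the callback is told which chain element failed.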
@@ -14353,6 +14353,8 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
 WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
 ret = ssl->error = 0;
 }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 if (ret != 0){
 WOLFSSL_ERROR_VERBOSE(ret);
@@ -14936,13 +14938,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
+ if (!args->verifyCbCalled) {
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (ssl->options.verifyNone &&
+ (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 #ifdef WOLFSSL_ALT_CERT_CHAINS
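Review bot: The `!args->verifyCbCalled` guard at the top of the second hunk skips the callback for whatever `ret` holds at this point, not only for the error the callback already saw and declined to override in ProcessPeerCertsChainCRLCheck; if anything between that chain check and this site can replace `ret` with a different code (I cannot see that code from the hunk), the application never gets to see the new code. A cheap way to make the intent explicit is to record the reported code alongside the bit, `args->verifyCbErr = ret;` where the flag is set, and gate on `if (!args->verifyCbCalled || ret != args->verifyCbErr) {` here, so a changed error is still reported once. Either way the guard deserves a one-line comment, e.g. `/* Skip if the chain CRL check already ran the callback for this error and it was not overridden. */`. ProcessPeerCerts starts and ends outside the hunk.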
@@ -15941,15 +15947,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 }
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
- /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (!args->verifyCbCalled) {
+ /* Do verify callback */
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
 
- if (ssl->options.verifyNone &&
- (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
+ if (ssl->options.verifyNone &&
+ (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 if (ret != 0) {
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 0ae722d50f..5c67670ac0 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2686,6 +2686,7 @@ typedef struct ProcPeerCertArgs {
 #ifdef WOLFSSL_TRUST_PEER_CERT
 word16 haveTrustPeer:1; /* was cert verified by loaded trusted peer cert */
 #endif
+ word16 verifyCbCalled:1;
 } ProcPeerCertArgs;
 WOLFSSL_LOCAL int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret, ProcPeerCertArgs* args);
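Review bot: The new `verifyCbCalled` bit has no comment while the neighbouring `haveTrustPeer` does, and its name understates what it records: per the src/internal.c hunks it is set only when the callback ran and left a non-zero error in place, not merely when it was called, and it then suppresses later callback invocations in the same pass. Suggest `word16 verifyCbCalled:1; /* verify cb already reported an error and did not override it; later sites skip it */`. The bit is never explicitly cleared in this series, so its correctness rests on ProcPeerCertArgs being zeroed before each pass; I cannot see the initialiser from here, so worth confirming the whole struct is cleared rather than only selected fields.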