Allow overriding CRL chain errors early so CRL chain processing will continue.

.github/workflows/libvncserver.yml

@@ -0,0 +1,79 @@
+name: libvncserver Tests
+
+# START OF COMMON SECTION
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+# END OF COMMON SECTION
+
+jobs:
+  build_wolfssl:
+    name: Build wolfSSL
+    # Just to keep it the same as the testing target
+    runs-on: ubuntu-latest
+    # This should be a safe limit for the tests to run.
+    timeout-minutes: 4
+    steps:
+      - name: Build wolfSSL
+        uses: wolfSSL/actions-build-autotools-project@v1
+        with:
+          path: wolfssl
+          configure: --enable-all
+          install: true
+          # Don't run tests as this config is tested in many other places
+          check: false
+
+      - name: Upload built lib
+        uses: actions/upload-artifact@v4
+        with:
+          name: wolf-install-libvncserver
+          path: build-dir
+          retention-days: 5
+
+  build_libvncserver:
+    strategy:
+      fail-fast: false
+      matrix:
+        ref: [ 0.9.13 ]
+    name: ${{ matrix.ref }}
+    runs-on: ubuntu-latest
+    needs: build_wolfssl
+    steps:
+      - name: Download lib
+        uses: actions/download-artifact@v4
+        with:
+          name: wolf-install-libvncserver
+          path: build-dir
+
+      - name: Checkout OSP
+        uses: actions/checkout@v4
+        with:
+          repository: wolfssl/osp
+          path: osp
+
+      - name: Checkout libvncserver
+        uses: actions/checkout@v4
+        with:
+          repository: LibVNC/libvncserver
+          path: libvncserver
+          ref: LibVNCServer-${{ matrix.ref }}
+
+      - name: Build libvncserver
+        working-directory: libvncserver
+        run: |
+          patch -p1 < ../osp/libvncserver/${{ matrix.ref }}.patch
+          PKG_CONFIG_PATH=$GITHUB_WORKSPACE/build-dir/lib/pkgconfig \
+            cmake -B build -DWITH_GNUTLS=OFF -DWITH_OPENSSL=OFF -DWITH_GCRYPT=OFF -DWITH_WOLFSSL=ON .
+          make -j -C build VERBOSE=1
+          ldd build/libvncclient.so | grep wolfssl
+          ldd build/libvncserver.so | grep wolfssl
+
+      - name: Run libvncserver tests
+        working-directory: libvncserver
+        run: make -C build test

src/internal.c

@@ -14345,6 +14345,17 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
                 ca->serialHash, NULL, 0, NULL);
         if (ret != 0)
             DoCrlCallback(cm, ssl, args, &ret);
+        if (ret != 0 && !args->verifyCbCalled) {
+            ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+            if (ssl->options.verifyNone &&
+                    (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+                    ret == CRL_CERT_DATE_ERR)) {
+                WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+                ret = ssl->error = 0;
+            }
+            if (ret != 0)
+                args->verifyCbCalled = 1;
+        }
         if (ret != 0){
             WOLFSSL_ERROR_VERBOSE(ret);
             WOLFSSL_MSG("\tCRL check not ok");
@@ -14927,13 +14938,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 
                     /* Do verify callback */
-                    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
-                    if (ssl->options.verifyNone &&
-                              (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
-                               ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
-                               ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
-                        WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
-                        ret = ssl->error = 0;
+                    if (!args->verifyCbCalled) {
+                        ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+                        if (ssl->options.verifyNone &&
+                                (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+                                 ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+                                 ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+                            WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+                            ret = ssl->error = 0;
+                        }
+                        if (ret != 0)
+                            args->verifyCbCalled = 1;
                     }
 
                 #ifdef WOLFSSL_ALT_CERT_CHAINS
@@ -15932,15 +15947,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
             }
         #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 
-            /* Do verify callback */
-            ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+            if (!args->verifyCbCalled) {
+                /* Do verify callback */
+                ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
 
-            if (ssl->options.verifyNone &&
-                              (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
-                               ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
-                               ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
-                WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
-                ret = ssl->error = 0;
+                if (ssl->options.verifyNone &&
+                                (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+                                ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+                                ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+                    WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+                    ret = ssl->error = 0;
+                }
+                if (ret != 0)
+                    args->verifyCbCalled = 1;
             }
 
             if (ret != 0) {

wolfssl/internal.h

@@ -2686,6 +2686,7 @@ typedef struct ProcPeerCertArgs {
 #ifdef WOLFSSL_TRUST_PEER_CERT
     word16 haveTrustPeer:1; /* was cert verified by loaded trusted peer cert */
 #endif
+    word16 verifyCbCalled:1;
 } ProcPeerCertArgs;
 WOLFSSL_LOCAL int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl,
         int ret, ProcPeerCertArgs* args);