Implement code review feedback for hostname/IP verify

julek-wolfssl · julek-wolfssl · commit ea2ead8e3760 · 2026-03-18T13:27:15.000+01:00
- Use WOLFSSL_-prefixed error constants (always available) instead of
  OPENSSL_COEXIST-guarded macros, fixing error code mismatch in
  coexist builds
- Set ctx-&gt;current_cert = orig on hostname/IP mismatch so error
  reporting aligns with error_depth = 0 (leaf cert)
- Add IP address verification test cases (match + mismatch)
diff --git a/src/internal.c b/src/internal.c
@@ -26975,6 +26975,12 @@ static const char* wolfSSL_ERR_reason_error_string_OpenSSL(unsigned long e)
     case WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH:
         return "subject issuer mismatch";
 
+    case WOLFSSL_X509_V_ERR_HOSTNAME_MISMATCH:
+        return "hostname mismatch";
+
+    case WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH:
+        return "IP address mismatch";
+
     default:
         return NULL;
     }
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -749,25 +749,19 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
                     ctx->param->hostName,
                     XSTRLEN(ctx->param->hostName),
                     ctx->param->hostFlags, NULL) != WOLFSSL_SUCCESS) {
-#ifndef OPENSSL_COEXIST
-                ctx->error = X509_V_ERR_HOSTNAME_MISMATCH;
-#else
-                ctx->error = 1; /* Return generic error */
-#endif
+                ctx->error = WOLFSSL_X509_V_ERR_HOSTNAME_MISMATCH;
                 ctx->error_depth = 0;
+                ctx->current_cert = orig;
                 ret = WOLFSSL_FAILURE;
             }
         }
         else if (ctx->param->ipasc[0] != '\0') {
             if (wolfSSL_X509_check_ip_asc(orig,
                     ctx->param->ipasc,
                     ctx->param->hostFlags) != WOLFSSL_SUCCESS) {
-#ifndef OPENSSL_COEXIST
-                ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH;
-#else
-                ctx->error = 1; /* Return generic error */
-#endif
+                ctx->error = WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH;
                 ctx->error_depth = 0;
+                ctx->current_cert = orig;
                 ret = WOLFSSL_FAILURE;
             }
         }
diff --git a/tests/api.c b/tests/api.c
@@ -27057,6 +27057,8 @@ static int error_test(void)
         {17, 15},
         {19, 19},
         {27, 26 },
+        {61, 30},
+        {63, 63},
 #endif
         { -9, WC_SPAN1_FIRST_E + 1 },
         { -124, -124 },
diff --git a/tests/api/test_x509.c b/tests/api/test_x509.c
@@ -300,10 +300,35 @@ int test_x509_verify_cert_hostname_check(void)
     ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_host(param, "wrong.com",
                 XSTRLEN("wrong.com")), WOLFSSL_SUCCESS);
     ExpectIntNE(wolfSSL_X509_verify_cert(ctx), WOLFSSL_SUCCESS);
-    ExpectTrue(wolfSSL_X509_STORE_CTX_get_error(ctx) ==
-                X509_V_ERR_HOSTNAME_MISMATCH ||
-                /* This is the case for OPENSSL_COEXIST */
-                wolfSSL_X509_STORE_CTX_get_error(ctx) == 1);
+    ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error(ctx),
+                X509_V_ERR_HOSTNAME_MISMATCH);
+    ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error_depth(ctx), 0);
+    wolfSSL_X509_STORE_CTX_free(ctx);
+    ctx = NULL;
+
+    /* Case 4: IP matches a SAN IP entry - must succeed. */
+    ExpectNotNull(ctx = wolfSSL_X509_STORE_CTX_new());
+    ExpectIntEQ(wolfSSL_X509_STORE_CTX_init(ctx, store, leaf, NULL),
+                WOLFSSL_SUCCESS);
+    param = wolfSSL_X509_STORE_CTX_get0_param(ctx);
+    ExpectNotNull(param);
+    ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, "127.0.0.1"),
+                WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_verify_cert(ctx), WOLFSSL_SUCCESS);
+    wolfSSL_X509_STORE_CTX_free(ctx);
+    ctx = NULL;
+
+    /* Case 5: IP does not match - must FAIL with the right error code. */
+    ExpectNotNull(ctx = wolfSSL_X509_STORE_CTX_new());
+    ExpectIntEQ(wolfSSL_X509_STORE_CTX_init(ctx, store, leaf, NULL),
+                WOLFSSL_SUCCESS);
+    param = wolfSSL_X509_STORE_CTX_get0_param(ctx);
+    ExpectNotNull(param);
+    ExpectIntEQ(wolfSSL_X509_VERIFY_PARAM_set1_ip_asc(param, "192.168.1.1"),
+                WOLFSSL_SUCCESS);
+    ExpectIntNE(wolfSSL_X509_verify_cert(ctx), WOLFSSL_SUCCESS);
+    ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error(ctx),
+                X509_V_ERR_IP_ADDRESS_MISMATCH);
     ExpectIntEQ(wolfSSL_X509_STORE_CTX_get_error_depth(ctx), 0);
     wolfSSL_X509_STORE_CTX_free(ctx);
     ctx = NULL;
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -2685,7 +2685,9 @@ enum {
     WOLFSSL_X509_V_ERR_PATH_LENGTH_EXCEEDED              = 25,
     WOLFSSL_X509_V_ERR_CERT_REJECTED                     = 28,
     WOLFSSL_X509_V_ERR_SUBJECT_ISSUER_MISMATCH           = 29,
-    WC_OSSL_V509_V_ERR_MAX = 30,
+    WOLFSSL_X509_V_ERR_HOSTNAME_MISMATCH                = 62,
+    WOLFSSL_X509_V_ERR_IP_ADDRESS_MISMATCH              = 64,
+    WC_OSSL_V509_V_ERR_MAX = 65,
 
 #ifdef HAVE_OCSP
     /* OCSP Flags */
