feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #5067 from miyazakh/compat_altcertchain

Browse Source 
"veify ok" if alternate cert chain mode is used
This commit is contained in:
David Garske
2022-05-12 08:54:51 -07:00
committed by GitHub
parent 7a95be1a97 5d93a48ddf
commit 05ce8329c9
2 changed files with 12 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
configure.ac
View File

@ -6985,6 +6985,7 @@ then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT"
AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF" AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE"
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
ENABLED_TRUSTED_PEER_CERT=yes ENABLED_TRUSTED_PEER_CERT=yes
fi fi

20
src/internal.c
View File

@ -12348,15 +12348,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = MAX_CHAIN_ERROR; ret = MAX_CHAIN_ERROR;
} }
#endif #endif
/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
#ifdef WOLFSSL_ALT_CERT_CHAINS #ifdef WOLFSSL_ALT_CERT_CHAINS
/* For alternate cert chain, its okay for a CA cert to fail /* For alternate cert chain, its okay for a CA cert to fail
with ASN_NO_SIGNER_E here. The "alternate" certificate with ASN_NO_SIGNER_E here. The "alternate" certificate
@ -12380,6 +12371,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
skipAddCA = 1; skipAddCA = 1;
} }
#endif /* WOLFSSL_ALT_CERT_CHAINS */ #endif /* WOLFSSL_ALT_CERT_CHAINS */
/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
/* If valid CA then add to Certificate Manager */ /* If valid CA then add to Certificate Manager */
if (ret == 0 && args->dCert->isCA && if (ret == 0 && args->dCert->isCA &&