Merge pull request #5067 from miyazakh/compat_altcertchain

"veify ok" if alternate cert chain mode is used
2022-05-12 08:54:51 -07:00
parent 7a95be1a97 5d93a48ddf
commit 05ce8329c9
2 changed files with 12 additions and 9 deletions
--- a/configure.ac
+++ b/configure.ac
@ -6985,6 +6985,7 @@ then
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TRUST_PEER_CERT"
    AM_CFLAGS="$AM_CFLAGS -DNO_SESSION_CACHE_REF"
    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TLS13_NO_PEEK_HANDSHAKE_DONE"
+    AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_ALT_CERT_CHAINS"
    ENABLED_TRUSTED_PEER_CERT=yes
 fi

--- a/src/internal.c
+++ b/src/internal.c
@ -12348,15 +12348,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                        ret = MAX_CHAIN_ERROR;
                    }
            #endif
-                    /* Do verify callback */
-                    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
-                    if (ssl->options.verifyNone &&
-                              (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
-                               ret == CRL_CERT_DATE_ERR)) {
-                        WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
-                        ret = ssl->error = 0;
-                    }
-
                #ifdef WOLFSSL_ALT_CERT_CHAINS
                    /* For alternate cert chain, its okay for a CA cert to fail
                        with ASN_NO_SIGNER_E here. The "alternate" certificate
@ -12381,6 +12372,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                    }
                #endif /* WOLFSSL_ALT_CERT_CHAINS */
                
+                    /* Do verify callback */
+                    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+                    if (ssl->options.verifyNone &&
+                              (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
+                               ret == CRL_CERT_DATE_ERR)) {
+                        WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+                        ret = ssl->error = 0;
+                    }
+
+
+
                    /* If valid CA then add to Certificate Manager */
                    if (ret == 0 && args->dCert->isCA &&
                            !ssl->options.verifyNone && !skipAddCA) {