feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

some root CAs loaded by user won't have basic constraint, allow

Browse Source
This commit is contained in:
toddouska
2011-12-06 15:17:10 -08:00
parent 775ca66edd
commit 247d5b5609
6 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
ctaocrypt/src/asn.c
View File

@@ -2021,9 +2021,19 @@ static void IsCa(DecodedCert* cert)
return; return;
if (oid == BASIC_CA_OID) { if (oid == BASIC_CA_OID) {
CYASSL_MSG("Found Basic CA constraint");
b = cert->source[cert->srcIdx++]; b = cert->source[cert->srcIdx++];
if (b != ASN_OCTET_STRING)
if (b != ASN_OCTET_STRING) {
CYASSL_MSG("Found optional critical flag, moving past");
cert->srcIdx += ASN_BOOL_SIZE;
b = cert->source[cert->srcIdx++];
if (b != ASN_OCTET_STRING) {
CYASSL_MSG("Unkown Basic CA constraint format");
return; return;
}
}
if (GetLength(cert->source, &cert->srcIdx, &length, if (GetLength(cert->source, &cert->srcIdx, &length,
cert->maxIdx) < 0) cert->maxIdx) < 0)

1
cyassl/ctaocrypt/asn.h
View File

@@ -107,6 +107,7 @@ enum Misc_ASN {
PKCS5v2 = 6, /* PKCS #5 v2.0 */ PKCS5v2 = 6, /* PKCS #5 v2.0 */
PKCS12 = 12, /* PKCS #12 */ PKCS12 = 12, /* PKCS #12 */
MAX_UNICODE_SZ = 256, MAX_UNICODE_SZ = 256,
ASN_BOOL_SIZE = 2, /* including type */
SHA_SIZE = 20, SHA_SIZE = 20,
RSA_INTS = 8, /* RSA ints in private key */ RSA_INTS = 8, /* RSA ints in private key */
MIN_DATE_SIZE = 13, MIN_DATE_SIZE = 13,

1
cyassl/error.h
View File

@@ -89,6 +89,7 @@ enum CyaSSL_ErrorCodes {
ECC_EXPORT_ERROR = -254, /* Bad ECC Export Key */ ECC_EXPORT_ERROR = -254, /* Bad ECC Export Key */
ECC_SHARED_ERROR = -255, /* Bad ECC Shared Secret */ ECC_SHARED_ERROR = -255, /* Bad ECC Shared Secret */
BAD_MUTEX_ERROR = -256, /* Bad mutex */ BAD_MUTEX_ERROR = -256, /* Bad mutex */
NOT_CA_ERROR = -257, /* Not a CA cert error */
/* add strings to SetErrorString !!!!! */ /* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */ /* begin negotiation parameter errors */

2
cyassl/internal.h
View File

@@ -615,7 +615,7 @@ CYASSL_LOCAL
int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx,
word32 inSz, word16 sz); word32 inSz, word16 sz);
CYASSL_LOCAL CYASSL_LOCAL
int AddCA(CYASSL_CTX* ctx, buffer der); int AddCA(CYASSL_CTX* ctx, buffer der, int force);
CYASSL_LOCAL CYASSL_LOCAL
int AlreadySigner(CYASSL_CTX* ctx, byte* hash); int AlreadySigner(CYASSL_CTX* ctx, byte* hash);

6
src/internal.c
View File

@@ -1526,7 +1526,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
return MEMORY_E; return MEMORY_E;
XMEMCPY(add.buffer, myCert.buffer, myCert.length); XMEMCPY(add.buffer, myCert.buffer, myCert.length);
ret = AddCA(ssl->ctx, add); ret = AddCA(ssl->ctx, add, 0); /* never force chain add */
if (ret == 1) ret = 0; /* SSL_SUCCESS for external */ if (ret == 1) ret = 0; /* SSL_SUCCESS for external */
} }
else if (ret != 0) { else if (ret != 0) {
@@ -3257,6 +3257,10 @@ void SetErrorString(int error, char* str)
XSTRNCPY(str, "Bad mutex, operation failed", max); XSTRNCPY(str, "Bad mutex, operation failed", max);
break; break;
case NOT_CA_ERROR:
XSTRNCPY(str, "Not a CA by basic constraint error", max);
break;
default : default :
XSTRNCPY(str, "unknown error number", max); XSTRNCPY(str, "unknown error number", max);
} }

10
src/ssl.c
View File

@@ -410,7 +410,9 @@ Signer* GetCA(Signer* signers, byte* hash)
/* owns der, internal now uses too */ /* owns der, internal now uses too */
int AddCA(CYASSL_CTX* ctx, buffer der) /* force flag means override CA check, ok for root certs that user requested
if they're from a chain we don't want to force, ever */
int AddCA(CYASSL_CTX* ctx, buffer der, int force)
{ {
int ret; int ret;
DecodedCert cert; DecodedCert cert;
@@ -421,9 +423,9 @@ int AddCA(CYASSL_CTX* ctx, buffer der)
ret = ParseCert(&cert, CA_TYPE, ctx->verifyPeer, 0); ret = ParseCert(&cert, CA_TYPE, ctx->verifyPeer, 0);
CYASSL_MSG(" Parsed new CA"); CYASSL_MSG(" Parsed new CA");
if (ret == 0 && cert.isCA == 0) { if (ret == 0 && cert.isCA == 0 && !force) {
CYASSL_MSG(" Can't add as CA if not actually one"); CYASSL_MSG(" Can't add as CA if not actually one");
ret = -1; ret = NOT_CA_ERROR;
} }
else if (ret == 0 && AlreadySigner(ctx, cert.subjectHash)) { else if (ret == 0 && AlreadySigner(ctx, cert.subjectHash)) {
CYASSL_MSG(" Already have this CA, not adding again"); CYASSL_MSG(" Already have this CA, not adding again");
@@ -864,7 +866,7 @@ int AddCA(CYASSL_CTX* ctx, buffer der)
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */ #endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
if (type == CA_TYPE) if (type == CA_TYPE)
return AddCA(ctx, der); /* takes der over */ return AddCA(ctx, der, 1); /* takes der over, force user request */
else if (type == CERT_TYPE) { else if (type == CERT_TYPE) {
if (ssl) { if (ssl) {
if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer) if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer)