forked from wolfSSL/wolfssl
remove SSL caList pointer, only use SSL_CTX one as current
This commit is contained in:
Todd A Ouska
@@ -619,7 +619,7 @@ void SSL_CtxResourceFree(SSL_CTX*);
|
|||||||
int DeriveTlsKeys(SSL* ssl);
|
int DeriveTlsKeys(SSL* ssl);
|
||||||
int ProcessOldClientHello(SSL* ssl, const byte* input, word32* inOutIdx,
|
int ProcessOldClientHello(SSL* ssl, const byte* input, word32* inOutIdx,
|
||||||
word32 inSz, word16 sz);
|
word32 inSz, word16 sz);
|
||||||
int AddCA(SSL_CTX* ctx, buffer der, SSL*);
|
int AddCA(SSL_CTX* ctx, buffer der);
|
||||||
int IsCA(SSL_CTX* ctx, byte* hash);
|
int IsCA(SSL_CTX* ctx, byte* hash);
|
||||||
|
|
||||||
/* All cipher suite related info */
|
/* All cipher suite related info */
|
||||||
@@ -983,7 +983,6 @@ struct SSL {
|
|||||||
#endif
|
#endif
|
||||||
Hashes verifyHashes;
|
Hashes verifyHashes;
|
||||||
Hashes certHashes; /* for cert verify */
|
Hashes certHashes; /* for cert verify */
|
||||||
Signer* caList; /* SSL_CTX owns */
|
|
||||||
Buffers buffers;
|
Buffers buffers;
|
||||||
Options options;
|
Options options;
|
||||||
Arrays arrays;
|
Arrays arrays;
|
||||||
|
|||||||
@@ -705,7 +705,6 @@ int InitSSL(SSL* ssl, SSL_CTX* ctx)
|
|||||||
ssl->buffers.key = ctx->privateKey;
|
ssl->buffers.key = ctx->privateKey;
|
||||||
ssl->buffers.weOwnCert = 0;
|
ssl->buffers.weOwnCert = 0;
|
||||||
ssl->buffers.weOwnKey = 0;
|
ssl->buffers.weOwnKey = 0;
|
||||||
ssl->caList = ctx->caList;
|
|
||||||
|
|
||||||
#ifdef OPENSSL_EXTRA
|
#ifdef OPENSSL_EXTRA
|
||||||
ssl->peerCert.issuer.sz = 0;
|
ssl->peerCert.issuer.sz = 0;
|
||||||
@@ -1450,7 +1449,7 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
|
|||||||
|
|
||||||
InitDecodedCert(&dCert, myCert.buffer, ssl->heap);
|
InitDecodedCert(&dCert, myCert.buffer, ssl->heap);
|
||||||
ret = ParseCertRelative(&dCert, myCert.length, CERT_TYPE,
|
ret = ParseCertRelative(&dCert, myCert.length, CERT_TYPE,
|
||||||
!ssl->options.verifyNone, ssl->caList);
|
!ssl->options.verifyNone, ssl->ctx->caList);
|
||||||
if (ret == 0 && !IsCA(ssl->ctx, dCert.subjectHash)) {
|
if (ret == 0 && !IsCA(ssl->ctx, dCert.subjectHash)) {
|
||||||
buffer add;
|
buffer add;
|
||||||
add.length = myCert.length;
|
add.length = myCert.length;
|
||||||
@@ -1462,9 +1461,13 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
|
|||||||
return MEMORY_E;
|
return MEMORY_E;
|
||||||
XMEMCPY(add.buffer, myCert.buffer, myCert.length);
|
XMEMCPY(add.buffer, myCert.buffer, myCert.length);
|
||||||
|
|
||||||
ret = AddCA(ssl->ctx, add, ssl);
|
ret = AddCA(ssl->ctx, add);
|
||||||
if (ret == 1) ret = 0; /* SSL_SUCCESS for external */
|
if (ret == 1) ret = 0; /* SSL_SUCCESS for external */
|
||||||
}
|
}
|
||||||
|
else if (ret != 0)
|
||||||
|
CYASSL_MSG("Failed to verify CA from chain");
|
||||||
|
else
|
||||||
|
CYASSL_MSG("Verified CA from chain and already had it");
|
||||||
|
|
||||||
if (ret != 0 && anyError == 0)
|
if (ret != 0 && anyError == 0)
|
||||||
anyError = ret; /* save error from last time */
|
anyError = ret; /* save error from last time */
|
||||||
@@ -1482,7 +1485,9 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
|
|||||||
|
|
||||||
InitDecodedCert(&dCert, myCert.buffer, ssl->heap);
|
InitDecodedCert(&dCert, myCert.buffer, ssl->heap);
|
||||||
ret = ParseCertRelative(&dCert, myCert.length, CERT_TYPE,
|
ret = ParseCertRelative(&dCert, myCert.length, CERT_TYPE,
|
||||||
!ssl->options.verifyNone, ssl->caList);
|
!ssl->options.verifyNone, ssl->ctx->caList);
|
||||||
|
if (ret != 0)
|
||||||
|
CYASSL_MSG("Failed to verify Peer's cert");
|
||||||
ssl->options.havePeerCert = 1;
|
ssl->options.havePeerCert = 1;
|
||||||
/* set X509 format */
|
/* set X509 format */
|
||||||
#ifdef OPENSSL_EXTRA
|
#ifdef OPENSSL_EXTRA
|
||||||
|
|||||||
@@ -335,7 +335,7 @@ Signer* GetCA(Signer* signers, byte* hash)
|
|||||||
|
|
||||||
|
|
||||||
/* owns der, cyassl_int now uses too */
|
/* owns der, cyassl_int now uses too */
|
||||||
int AddCA(SSL_CTX* ctx, buffer der, SSL* ssl)
|
int AddCA(SSL_CTX* ctx, buffer der)
|
||||||
{
|
{
|
||||||
word32 ret;
|
word32 ret;
|
||||||
DecodedCert cert;
|
DecodedCert cert;
|
||||||
@@ -364,8 +364,6 @@ int AddCA(SSL_CTX* ctx, buffer der, SSL* ssl)
|
|||||||
if (LockMutex(&ca_mutex) == 0) {
|
if (LockMutex(&ca_mutex) == 0) {
|
||||||
signer->next = ctx->caList;
|
signer->next = ctx->caList;
|
||||||
ctx->caList = signer; /* takes ownership */
|
ctx->caList = signer; /* takes ownership */
|
||||||
if (ssl)
|
|
||||||
ssl->caList = ctx->caList;
|
|
||||||
UnLockMutex(&ca_mutex);
|
UnLockMutex(&ca_mutex);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
@@ -719,7 +717,7 @@ int AddCA(SSL_CTX* ctx, buffer der, SSL* ssl)
|
|||||||
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
|
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
|
||||||
|
|
||||||
if (type == CA_TYPE)
|
if (type == CA_TYPE)
|
||||||
return AddCA(ctx, der, ssl); /* takes der over */
|
return AddCA(ctx, der); /* takes der over */
|
||||||
else if (type == CERT_TYPE) {
|
else if (type == CERT_TYPE) {
|
||||||
if (ssl) {
|
if (ssl) {
|
||||||
if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer)
|
if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer)
|
||||||
|
|||||||
Reference in New Issue
Block a user