feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Merge pull request #4049 from miyazakh/set_verifyDepth_3

Browse Source 
Set verify depth limit
This commit is contained in:
Chris Conlon
2021-06-22 10:23:43 -06:00
committed by GitHub
parent b70e028200 23fc810b3c
commit 4b3bd3e384
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/internal.c
View File

@@ -12425,7 +12425,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL)
if (args->untrustedDepth > ssl->options.verifyDepth) { /* limit compliant with OpenSSL verify Depth + 1
* OpenSSL tries to expand the chain one longer than limit until
* reaching an ultimately trusted issuer. Becoming failure if
* we hit the limit, with X509_V_ERR_CERT_CHAIN_TOO_LONG
*/
if (args->untrustedDepth > (ssl->options.verifyDepth + 1)) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG; ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR; ret = MAX_CHAIN_ERROR;
} }

4
tests/api.c
View File

@@ -5101,8 +5101,8 @@ static void test_wolfSSL_CTX_verifyDepth_ServerClient(void)
client_args.argc = -1; client_args.argc = -1;
test_client_verifyDepth(&client_args); test_client_verifyDepth(&client_args);
join_thread(serverThread); join_thread(serverThread);
AssertIntEQ(client_args.return_code, TEST_FAIL); AssertIntEQ(client_args.return_code, TEST_SUCCESS);
AssertIntEQ(server_args.return_code, TEST_FAIL); AssertIntEQ(server_args.return_code, TEST_SUCCESS);
} }
FreeTcpReady(&ready); FreeTcpReady(&ready);