forked from wolfSSL/wolfssl
add crl checkall processing
This commit is contained in:
toddouska
@@ -208,7 +208,7 @@ void client_test(void* args)
|
|||||||
ssl = CyaSSL_new(ctx);
|
ssl = CyaSSL_new(ctx);
|
||||||
CyaSSL_set_fd(ssl, sockfd);
|
CyaSSL_set_fd(ssl, sockfd);
|
||||||
#ifdef HAVE_CRL
|
#ifdef HAVE_CRL
|
||||||
CyaSSL_EnableCRL(ssl, 0);
|
CyaSSL_EnableCRL(ssl, CYASSL_CRL_CHECKALL);
|
||||||
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
|
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0);
|
||||||
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
|
CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
|
||||||
#endif
|
#endif
|
||||||
|
|||||||
@@ -1628,11 +1628,9 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
|
|||||||
ssl->ctx->cm);
|
ssl->ctx->cm);
|
||||||
if (ret == 0 && dCert.isCA == 0) {
|
if (ret == 0 && dCert.isCA == 0) {
|
||||||
CYASSL_MSG("Chain cert is not a CA, not adding as one");
|
CYASSL_MSG("Chain cert is not a CA, not adding as one");
|
||||||
(void)ret;
|
|
||||||
}
|
}
|
||||||
else if (ret == 0 && ssl->options.verifyNone) {
|
else if (ret == 0 && ssl->options.verifyNone) {
|
||||||
CYASSL_MSG("Chain cert not verified by option, not adding as CA");
|
CYASSL_MSG("Chain cert not verified by option, not adding as CA");
|
||||||
(void)ret;
|
|
||||||
}
|
}
|
||||||
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) {
|
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, dCert.subjectHash)) {
|
||||||
buffer add;
|
buffer add;
|
||||||
@@ -1651,13 +1649,22 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
|
|||||||
}
|
}
|
||||||
else if (ret != 0) {
|
else if (ret != 0) {
|
||||||
CYASSL_MSG("Failed to verify CA from chain");
|
CYASSL_MSG("Failed to verify CA from chain");
|
||||||
(void)ret;
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
CYASSL_MSG("Verified CA from chain and already had it");
|
CYASSL_MSG("Verified CA from chain and already had it");
|
||||||
(void)ret;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef HAVE_CRL
|
||||||
|
if (ret == 0 && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) {
|
||||||
|
CYASSL_MSG("Doing Non Leaf CRL check");
|
||||||
|
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
|
||||||
|
|
||||||
|
if (ret != 0) {
|
||||||
|
CYASSL_MSG("\tCRL check not ok");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* HAVE_CRL */
|
||||||
|
|
||||||
if (ret != 0 && anyError == 0)
|
if (ret != 0 && anyError == 0)
|
||||||
anyError = ret; /* save error from last time */
|
anyError = ret; /* save error from last time */
|
||||||
|
|
||||||
@@ -1705,7 +1712,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef HAVE_CRL
|
#ifdef HAVE_CRL
|
||||||
if (ssl->ctx->cm->crlEnabled) {
|
if (fatal == 0 && ssl->ctx->cm->crlEnabled) {
|
||||||
|
CYASSL_MSG("Doing Leaf CRL check");
|
||||||
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
|
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
|
||||||
|
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
|
|||||||
Reference in New Issue
Block a user