wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

some root CAs loaded by user won't have basic constraint, allow

Browse Source
This commit is contained in:
toddouska
2011-12-06 15:17:10 -08:00
parent 775ca66edd
commit 247d5b5609
6 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
ctaocrypt/src/asn.c
View File

@@ -2021,9 +2021,19 @@ static void IsCa(DecodedCert* cert)
return;
if (oid == BASIC_CA_OID) {
CYASSL_MSG("Found Basic CA constraint");
b = cert->source[cert->srcIdx++];
if (b != ASN_OCTET_STRING)
return;
if (b != ASN_OCTET_STRING) {
CYASSL_MSG("Found optional critical flag, moving past");
cert->srcIdx += ASN_BOOL_SIZE;
b = cert->source[cert->srcIdx++];
if (b != ASN_OCTET_STRING) {
CYASSL_MSG("Unkown Basic CA constraint format");
return;
}
}
if (GetLength(cert->source, &cert->srcIdx, &length,
cert->maxIdx) < 0)

1
cyassl/ctaocrypt/asn.h
View File

@@ -107,6 +107,7 @@ enum Misc_ASN {
PKCS5v2 = 6, /* PKCS #5 v2.0 */
PKCS12 = 12, /* PKCS #12 */
MAX_UNICODE_SZ = 256,
ASN_BOOL_SIZE = 2, /* including type */
SHA_SIZE = 20,
RSA_INTS = 8, /* RSA ints in private key */
MIN_DATE_SIZE = 13,

1
cyassl/error.h
View File

@@ -89,6 +89,7 @@ enum CyaSSL_ErrorCodes {
ECC_EXPORT_ERROR = -254, /* Bad ECC Export Key */
ECC_SHARED_ERROR = -255, /* Bad ECC Shared Secret */
BAD_MUTEX_ERROR = -256, /* Bad mutex */
NOT_CA_ERROR = -257, /* Not a CA cert error */
/* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */

2
cyassl/internal.h
View File

@@ -615,7 +615,7 @@ CYASSL_LOCAL
int ProcessOldClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx,
word32 inSz, word16 sz);
CYASSL_LOCAL
int AddCA(CYASSL_CTX* ctx, buffer der);
int AddCA(CYASSL_CTX* ctx, buffer der, int force);
CYASSL_LOCAL
int AlreadySigner(CYASSL_CTX* ctx, byte* hash);

6
src/internal.c
View File

@@ -1526,7 +1526,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
return MEMORY_E;
XMEMCPY(add.buffer, myCert.buffer, myCert.length);
ret = AddCA(ssl->ctx, add);
ret = AddCA(ssl->ctx, add, 0); /* never force chain add */
if (ret == 1) ret = 0; /* SSL_SUCCESS for external */
}
else if (ret != 0) {
@@ -3257,6 +3257,10 @@ void SetErrorString(int error, char* str)
XSTRNCPY(str, "Bad mutex, operation failed", max);
break;
case NOT_CA_ERROR:
XSTRNCPY(str, "Not a CA by basic constraint error", max);
break;
default :
XSTRNCPY(str, "unknown error number", max);
}

10
src/ssl.c
View File

@@ -410,7 +410,9 @@ Signer* GetCA(Signer* signers, byte* hash)
/* owns der, internal now uses too */
int AddCA(CYASSL_CTX* ctx, buffer der)
/* force flag means override CA check, ok for root certs that user requested
if they're from a chain we don't want to force, ever */
int AddCA(CYASSL_CTX* ctx, buffer der, int force)
{
int ret;
DecodedCert cert;
@@ -421,9 +423,9 @@ int AddCA(CYASSL_CTX* ctx, buffer der)
ret = ParseCert(&cert, CA_TYPE, ctx->verifyPeer, 0);
CYASSL_MSG(" Parsed new CA");
if (ret == 0 && cert.isCA == 0) {
if (ret == 0 && cert.isCA == 0 && !force) {
CYASSL_MSG(" Can't add as CA if not actually one");
ret = -1;
ret = NOT_CA_ERROR;
}
else if (ret == 0 && AlreadySigner(ctx, cert.subjectHash)) {
CYASSL_MSG(" Already have this CA, not adding again");
@@ -864,7 +866,7 @@ int AddCA(CYASSL_CTX* ctx, buffer der)
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
if (type == CA_TYPE)
return AddCA(ctx, der); /* takes der over */
return AddCA(ctx, der, 1); /* takes der over, force user request */
else if (type == CERT_TYPE) {
if (ssl) {
if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer)