Fix for alternate chain logic where presented peer's CA could be marked as trusted.

When building with `WOLFSSL_ALT_CERT_CHAINS` a peer's presented CA could be incorrectly added to the certificate manager, marking it as trusted. Began in PR #1934 ZD 9626
2025-07-31 19:24:42 +02:00 · 2019-12-04 06:56:36 -08:00
parent 7e45ae2ec6
commit 3646051434
1 changed files with 5 additions and 4 deletions
--- a/src/internal.c
+++ b/src/internal.c
@@ -10250,12 +10250,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                    }
            #endif /* HAVE_OCSP || HAVE_CRL */

+                    /* Do verify callback */
+                    ret = DoVerifyCallback(ssl, ret, args);
+
                #ifdef WOLFSSL_ALT_CERT_CHAINS
                    /* For alternate cert chain, its okay for a CA cert to fail
                        with ASN_NO_SIGNER_E here. The "alternate" certificate
                        chain mode only requires that the peer certificate
                        validate to a trusted CA */
-                    if (ret != 0) {
+                    if (ret != 0 && args->dCert->isCA) {
                        if (ret == ASN_NO_SIGNER_E) {
                            if (!ssl->options.usingAltCertChain) {
                                WOLFSSL_MSG("Trying alternate cert chain");
@@ -10265,11 +10268,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
                            ret = 0; /* clear error and continue */
                        }
                    }
+                    else /* do not add to certificate manager */
                #endif /* WOLFSSL_ALT_CERT_CHAINS */

-                    /* Do verify callback */
-                    ret = DoVerifyCallback(ssl, ret, args);
-
                    /* If valid CA then add to Certificate Manager */
                    if (ret == 0 && args->dCert->isCA && !ssl->options.verifyNone) {
                        buffer* cert = &args->certs[args->certIdx];