From 3646051434dac02ecc9f59577868e417efd64c4e Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 4 Dec 2019 06:56:36 -0800 Subject: [PATCH] Fix for alternate chain logic where presented peer's CA could be marked as trusted. When building with `WOLFSSL_ALT_CERT_CHAINS` a peer's presented CA could be incorrectly added to the certificate manager, marking it as trusted. Began in PR #1934 ZD 9626 --- src/internal.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/internal.c b/src/internal.c index e230283c7..c3d212fe9 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10250,12 +10250,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif /* HAVE_OCSP || HAVE_CRL */ + /* Do verify callback */ + ret = DoVerifyCallback(ssl, ret, args); + #ifdef WOLFSSL_ALT_CERT_CHAINS /* For alternate cert chain, its okay for a CA cert to fail with ASN_NO_SIGNER_E here. The "alternate" certificate chain mode only requires that the peer certificate validate to a trusted CA */ - if (ret != 0) { + if (ret != 0 && args->dCert->isCA) { if (ret == ASN_NO_SIGNER_E) { if (!ssl->options.usingAltCertChain) { WOLFSSL_MSG("Trying alternate cert chain"); @@ -10265,11 +10268,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, ret = 0; /* clear error and continue */ } } + else /* do not add to certificate manager */ #endif /* WOLFSSL_ALT_CERT_CHAINS */ - /* Do verify callback */ - ret = DoVerifyCallback(ssl, ret, args); - /* If valid CA then add to Certificate Manager */ if (ret == 0 && args->dCert->isCA && !ssl->options.verifyNone) { buffer* cert = &args->certs[args->certIdx];