Small changes per review comments

2025-07-30 02:37:28 +02:00 · 2024-10-22 10:59:35 -07:00
parent 3fc3a84a6b
commit 4c63668295
3 changed files with 9 additions and 5 deletions
--- a/src/x509_str.c
+++ b/src/x509_str.c
@ -43,6 +43,7 @@ static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
                                          WOLFSSL_X509* x509, int type);
 #endif

+/* Based on OpenSSL default max depth */
 #ifndef WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH
 #define WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH 100
 #endif
@ -264,9 +265,9 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
        if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) &&
            ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) {
            /* wolfSSL_CertManagerVerifyBuffer only returns ASN_AFTER_DATE_E or
-            ASN_BEFORE_DATE_E if there are no additional errors found in the
-            cert. Therefore, check if the cert is expired or not yet valid
-            in order to return the correct expected error. */
+             * ASN_BEFORE_DATE_E if there are no additional errors found in the
+             * cert. Therefore, check if the cert is expired or not yet valid
+             * in order to return the correct expected error. */
            byte *afterDate = ctx->current_cert->notAfter.data;
            byte *beforeDate = ctx->current_cert->notBefore.data;

@ -333,7 +334,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
            ret = wolfSSL_sk_X509_push(certs,
                wolfSSL_sk_X509_value(ctx->ctxIntermediates, i));
            if (ret <= 0) {
-                return WOLFSSL_FAILURE;
+                goto exit;
            }

            numInterAdd++;
--- a/tests/api.c
+++ b/tests/api.c
@ -60424,6 +60424,8 @@ static int test_X509_STORE_untrusted(void)
    /* Root CA in untrusted chain is OK */
    ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1),
            TEST_SUCCESS);
+    ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 0),
+            TEST_SUCCESS);
    /* Succeeds because path to loaded CA is available. */
    ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1),
            TEST_SUCCESS);
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@ -3324,7 +3324,8 @@ enum {

    WOLFSSL_USER_CA  = 1,          /* user added as trusted */
    WOLFSSL_CHAIN_CA = 2,          /* added to cache from trusted chain */
-    WOLFSSL_INTER_CA = 3           /* Intermediate CA */
+    WOLFSSL_INTER_CA = 3           /* Intermediate CA, only for use by
+                                    * X509_STORE */
 };

 WOLFSSL_ABI WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl);