From 5b76a372349b68f43a582117d0270b88ecf0f2a4 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 22 Nov 2016 11:45:00 -0800 Subject: [PATCH] Add the peer cert buffer and count to the X509_STORE_CTX used for the verify callback. Fixes #627. --- src/internal.c | 5 +++++ wolfssl/ssl.h | 2 ++ wolfssl/test.h | 17 ++++++++++------- 3 files changed, 17 insertions(+), 7 deletions(-) diff --git a/src/internal.c b/src/internal.c index 913dc1335..46386c242 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6861,6 +6861,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, return MEMORY_E; } #endif + XMEMSET(store, 0, sizeof(WOLFSSL_X509_STORE_CTX)); if (anyError != 0 && ret == 0) ret = anyError; @@ -6879,6 +6880,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->discardSessionCerts = 0; store->domain = domain; store->userCtx = ssl->verifyCbCtx; + store->certs = certs; + store->totalCerts = totalCerts; #ifdef KEEP_PEER_CERT store->current_cert = &ssl->peerCert; #else @@ -6916,6 +6919,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, store->discardSessionCerts = 0; store->domain = domain; store->userCtx = ssl->verifyCbCtx; + store->certs = certs; + store->totalCerts = totalCerts; #ifdef KEEP_PEER_CERT store->current_cert = &ssl->peerCert; #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 30ff64912..0b7507fe7 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -175,6 +175,8 @@ typedef struct WOLFSSL_X509_STORE_CTX { int error; /* current error */ int error_depth; /* cert depth for this error */ int discardSessionCerts; /* so verify callback can flag for discard */ + int totalCerts; /* number of peer cert buffers */ + struct buffer* certs; /* peer certs */ } WOLFSSL_X509_STORE_CTX; diff --git a/wolfssl/test.h b/wolfssl/test.h index b6833009e..ec33cca71 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -371,7 +371,7 @@ static INLINE WC_NORETURN void err_sys(const char* msg) * msg pointer can be null even when hardcoded and then it won't exit, * making null pointer checks above the err_sys() call useless. * We could just always exit() but some compilers will complain about no - * possible return, with gcc we know the attribute to handle that with + * possible return, with gcc we know the attribute to handle that with * WC_NORETURN. */ if (msg) #endif @@ -1143,17 +1143,20 @@ static INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store) wolfSSL_X509_get_issuer_name(peer), 0, 0); char* subject = wolfSSL_X509_NAME_oneline( wolfSSL_X509_get_subject_name(peer), 0, 0); - printf("peer's cert info:\n issuer : %s\n subject: %s\n", issuer, + printf("\tPeer's cert info:\n issuer : %s\n subject: %s\n", issuer, subject); XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); } else - printf("peer has no cert!\n"); + printf("\tPeer has no cert!\n"); +#else + printf("\tPeer certs: %d\n", store->totalCerts); #endif - printf("Subject's domain name is %s\n", store->domain); - printf("Allowing to continue anyway (shouldn't do this, EVER!!!)\n"); + printf("\tSubject's domain name is %s\n", store->domain); + + printf("\tAllowing to continue anyway (shouldn't do this, EVER!!!)\n"); return 1; } @@ -1267,7 +1270,7 @@ static INLINE void CaCb(unsigned char* der, int sz, int type) static INLINE int ChangeToWolfRoot(void) { - #if !defined(NO_FILESYSTEM) + #if !defined(NO_FILESYSTEM) int depth, res; XFILE file; for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) { @@ -1286,7 +1289,7 @@ static INLINE void CaCb(unsigned char* der, int sz, int type) break; } } - + err_sys("wolf root not found"); return -1; #else