From c2c209fb890dca700f172f0ce492ecf51c0b85dd Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Wed, 27 Jun 2018 14:09:32 -0600
Subject: [PATCH 1/4] add ca when getting chain from x509 store
---
 src/internal.c | 34 ++++++++++++++++++++++++++++++++++
 src/ssl.c | 29 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
diff --git a/src/internal.c b/src/internal.c
index 6c52f9048..72339878a 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -8739,6 +8739,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 store->userCtx = ssl->verifyCbCtx;
 store->certs = args->certs;
 store->totalCerts = args->totalCerts;
+
+ #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+ if (ssl->ctx->x509_store_pt != NULL) {
+ store->store = ssl->ctx->x509_store_pt;
+ }
+ else {
+ store->store = &ssl->ctx->x509_store;
+ }
+ #endif
 #if !defined(NO_CERTS)
 InitX509(x509, 1, ssl->heap);
 #if defined(KEEP_PEER_CERT) || \
@@ -8822,6 +8831,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 store->userCtx = ssl->verifyCbCtx;
 store->certs = args->certs;
 store->totalCerts = args->totalCerts;
+
+ #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+ if (ssl->ctx->x509_store_pt != NULL) {
+ store->store = ssl->ctx->x509_store_pt;
+ }
+ else {
+ store->store = &ssl->ctx->x509_store;
+ }
+ #endif
 #if !defined(NO_CERTS)
 InitX509(x509, 1, ssl->heap);
 #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)
@@ -9411,6 +9429,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 store->userCtx = ssl->verifyCbCtx;
 store->certs = args->certs;
 store->totalCerts = args->totalCerts;
+
+ #if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+ if (ssl->ctx->x509_store_pt != NULL) {
+ store->store = ssl->ctx->x509_store_pt;
+ }
+ else {
+ store->store = &ssl->ctx->x509_store;
+ }
+ #endif
 #ifdef KEEP_PEER_CERT
 if (ssl->peerCert.subject.sz > 0)
 store->current_cert = &ssl->peerCert;
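Review bot: The nine-line block that picks `store->store` is pasted verbatim into four places in ProcessPeerCerts (this hunk and the hunks at -8822, -9411 and -9464), and the copies have already drifted: the fourth one omits the `#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)` guard the other three carry. A small static helper keeps the "application-installed store wins over the built-in one" rule in one place and turns each call site into a single line; the helper below assumes `store` is the `WOLFSSL_X509_STORE_CTX*` handed to the verify callback, which the surrounding `store->userCtx`/`store->certs` assignments suggest but the hunk does not show. ProcessPeerCerts itself starts and ends outside the hunk.
```c
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
/* Point the verify-callback context at the CTX's X509 store.  A store the
 * application installed (x509_store_pt) takes precedence over the built-in one. */
static void SetStoreCtxStore(WOLFSSL* ssl, WOLFSSL_X509_STORE_CTX* store)
{
    store->store = (ssl->ctx->x509_store_pt != NULL) ? ssl->ctx->x509_store_pt
                                                     : &ssl->ctx->x509_store;
}
#endif

/* … unchanged: store->userCtx / store->certs / store->totalCerts setup … */
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
            SetStoreCtxStore(ssl, store);
#endif
```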
@@ -9464,6 +9491,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 store->userCtx = ssl->verifyCbCtx;
 store->certs = args->certs;
 store->totalCerts = args->totalCerts;
+
+ if (ssl->ctx->x509_store_pt != NULL) {
+ store->store = ssl->ctx->x509_store_pt;
+ }
+ else {
+ store->store = &ssl->ctx->x509_store;
+ }
 #ifdef KEEP_PEER_CERT
 if (ssl->peerCert.subject.sz > 0)
 store->current_cert = &ssl->peerCert;
diff --git a/src/ssl.c b/src/ssl.c
index 22117db4f..4e27b7a4c 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -17830,6 +17830,8 @@ void wolfSSL_PKCS12_PBE_add(void)
 WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 {
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_CTX_get_chain");
+
 if (ctx == NULL) {
 return NULL;
 }
@@ -17848,6 +17850,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 XMEMSET(sk, 0, sizeof(WOLFSSL_STACK));
 ctx->chain = sk;
+
 for (i = 0; i < c->count && i < MAX_CHAIN_DEPTH; i++) {
 WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, i);
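Review bot: The `store->store` assignment added in the -9464 hunk carries no `#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)` guard, whereas the three identical insertions earlier in ProcessPeerCerts all do. Unless this part of the function is already inside such a guard (not visible in the hunk), a build without those defines will fail to compile if the `store` member of the verify context only exists under them. Wrap it the same way as the other copies: `#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)` before the `if` and `#endif` after the closing brace. ProcessPeerCerts starts and ends outside the hunk.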
@@ -17860,9 +17863,35 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 if (wolfSSL_sk_X509_push(sk, x509) != SSL_SUCCESS) {
 WOLFSSL_MSG("Unable to load x509 into stack");
 wolfSSL_sk_X509_free(sk);
+ wolfSSL_X509_free(x509);
 return NULL;
 }
 }
+
+ /* add CA used to verify top of chain to the list */
+ if (c->count > 0) {
+ WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);
+ if (x509 != NULL) {
+ WOLFSSL_X509* issuer = NULL;
+ wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509);
+
+ /* check that the certificate being looked up is not self signed
+ * and that a issuer was found */
+ if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer,
+ &x509->subject) != 0) {
+ if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) {
+ WOLFSSL_MSG("Unable to load CA x509 into stack");
+ wolfSSL_sk_X509_free(sk);
+ wolfSSL_X509_free(issuer);
+ return NULL;
+ }
+ }
+ else {
+ WOLFSSL_MSG("could not find CA for cert or is self signed");
+ }
+ }
+ }
 }
 #endif /* SESSION_CERTS */
From af75145602a613ab5925767f2158d27bfd8cf110 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Wed, 27 Jun 2018 16:13:46 -0600
Subject: [PATCH 2/4] adjust macro guards
---
 src/ssl.c | 11 ++++++++---
 wolfssl/internal.h | 3 ++-
 wolfssl/ssl.h | 3 ++-
 3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 4e27b7a4c..8418693e6 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -17868,6 +17868,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 }
 }
+#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
 /* add CA used to verify top of chain to the list */
 if (c->count > 0) {
 WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);
@@ -17891,6 +17892,7 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 }
 }
 }
+#endif
 }
 #endif /* SESSION_CERTS */
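Review bot: Both failure paths in the -17860 hunk call `wolfSSL_sk_X509_free(sk)` and return NULL, but `ctx->chain = sk` was assigned before the loop (visible in the preceding hunk), so the caller's context is left pointing at freed memory; if the context's own free routine later releases `chain` that becomes a double free, and any further call that reads `ctx->chain` touches a dangling pointer. Reset the field before bailing out: `ctx->chain = NULL;` immediately before each `wolfSSL_sk_X509_free(sk);`. The pre-existing push-failure path in the loop has the same gap and the new CA block copies it, so both sites need the line. wolfSSL_X509_STORE_CTX_get_chain starts outside the hunk.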
@@ -32230,9 +32232,11 @@ int wolfSSL_set_ocsp_url(WOLFSSL* ssl, char* url)
 ssl->url = url;
 return WOLFSSL_SUCCESS;
 }
-#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY */
+#endif /* OCSP */
+#endif /* OPENSSL_ALL / WOLFSSL_NGINX / WOLFSSL_HAPROXY */
-#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
+#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || \
+ defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)
 int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** chain)
 {
 word32 idx;
@@ -32451,8 +32455,9 @@ char* wolfSSL_sk_WOLFSSL_STRING_value(WOLF_STACK_OF(WOLFSSL_STRING)* strings,
 return NULL;
 return strings->data.string;
 }
-#endif /* HAVE_OCSP */
+#endif /* WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL */
+#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 #ifdef HAVE_ALPN
 void wolfSSL_get0_alpn_selected(const WOLFSSL *ssl, const unsigned char **data, unsigned int *len)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index f44356029..80d8fc0ec 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2371,7 +2371,8 @@ struct WOLFSSL_CTX {
 #ifdef OPENSSL_EXTRA
 WOLF_STACK_OF(WOLFSSL_X509_NAME)* ca_names;
 #endif
- #if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
+ #if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
+ defined(WOLFSSL_NGINX) || defined (WOLFSSL_HAPROXY)
 WOLF_STACK_OF(WOLFSSL_X509)* x509Chain;
 #endif
 #ifdef WOLFSSL_TLS13
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 93a5c3904..8e07a2574 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
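Review bot: The new `#endif /* OCSP */` comment in the -32230 hunk names no macro that appears in the surrounding guards; the conditional it closes is outside the hunk, but everything nearby spells the feature as `HAVE_OCSP`, so the closing comment should use the same token, `#endif /* HAVE_OCSP */`, so that `#if`/`#endif` pairs can be matched by searching for the macro. The same hunk's widened `#if ... defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)` around `wolfSSL_CTX_get_extra_chain_certs` is also the condition the header declaration should mirror, which the ssl.h hunk later in this series does not do. wolfSSL_set_ocsp_url and wolfSSL_CTX_get_extra_chain_certs start or end outside the hunk.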
@@ -2836,7 +2836,8 @@ WOLFSSL_API int wolfSSL_CTX_set_tlsext_ticket_key_cb(WOLFSSL_CTX *, int (*)(
 WOLFSSL_EVP_CIPHER_CTX *ectx, WOLFSSL_HMAC_CTX *hctx, int enc));
 #endif
-#ifdef HAVE_OCSP
+#if defined(HAVE_OCSP) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL) || \
+ defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 WOLFSSL_API int wolfSSL_CTX_get_extra_chain_certs(WOLFSSL_CTX* ctx, WOLF_STACK_OF(X509)** chain);
 WOLFSSL_API int wolfSSL_CTX_set_tlsext_status_cb(WOLFSSL_CTX* ctx,
From e204b19923de2a6ac87db99f866ed1d50cb206d4 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Thu, 28 Jun 2018 14:36:15 -0600
Subject: [PATCH 3/4] add statusCb variable to OPENSSL_EXTRA build
---
 wolfssl/internal.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 80d8fc0ec..40de92634 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -1707,7 +1707,8 @@ struct WOLFSSL_OCSP {
 WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
 OcspEntry* ocspList; /* OCSP response list */
 wolfSSL_Mutex ocspLock; /* OCSP list lock */
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
+#if defined(OPENSSL_ALL) || defined(OPENSSL_EXTRA) || \
+ defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
 int(*statusCb)(WOLFSSL*, void*);
 #endif
 };
From a9ff79e3210f362620c032371be42ca518ac46eb Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Mon, 2 Jul 2018 10:10:30 -0600
Subject: [PATCH 4/4] check return value
---
 src/ssl.c | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index 8418693e6..bbc8158a4 100644
--- a/src/ssl.c
+++ b/src/ssl.c
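Review bot: The ssl.h guard in the -2836 hunk now declares `wolfSSL_CTX_get_extra_chain_certs` whenever `HAVE_OCSP` is set on its own, but the definition in src/ssl.c (the -32230 hunk earlier in this series) is compiled only under `WOLFSSL_NGINX || WOLFSSL_HAPROXY || OPENSSL_EXTRA || OPENSSL_ALL`, so a HAVE_OCSP-only build exposes a prototype with no symbol behind it and any caller fails at link time. If `HAVE_OCSP` was kept for the `wolfSSL_CTX_set_tlsext_status_cb` declaration that follows, split the guard so that the chain-certs prototype sits under exactly its definition's condition, `#if defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA) || defined(OPENSSL_ALL)`, and keep the status-cb declaration under the wider one. Whether the status-cb definition in ssl.c is itself guarded by HAVE_OCSP is not visible in this series.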
@@ -17874,21 +17874,25 @@ WOLFSSL_STACK* wolfSSL_X509_STORE_CTX_get_chain(WOLFSSL_X509_STORE_CTX* ctx)
 WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);
 if (x509 != NULL) {
 WOLFSSL_X509* issuer = NULL;
- wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509);
-
- /* check that the certificate being looked up is not self signed
- * and that a issuer was found */
- if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer,
- &x509->subject) != 0) {
- if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) {
- WOLFSSL_MSG("Unable to load CA x509 into stack");
- wolfSSL_sk_X509_free(sk);
- wolfSSL_X509_free(issuer);
- return NULL;
+ if (wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509)
+ == WOLFSSL_SUCCESS) {
+ /* check that the certificate being looked up is not self
+ * signed and that a issuer was found */
+ if (issuer != NULL && wolfSSL_X509_NAME_cmp(&x509->issuer,
+ &x509->subject) != 0) {
+ if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) {
+ WOLFSSL_MSG("Unable to load CA x509 into stack");
+ wolfSSL_sk_X509_free(sk);
+ wolfSSL_X509_free(issuer);
+ return NULL;
+ }
+ }
+ else {
+ WOLFSSL_MSG("Certificate is self signed");
 }
 }
 else {
- WOLFSSL_MSG("could not find CA for cert or is self signed");
+ WOLFSSL_MSG("Could not find CA for certificate");
 }
 }
 }
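Review bot: `x509`, fetched at the top of this hunk with `wolfSSL_get_chain_X509(c, c->count - 1)`, is used only for the issuer lookup and is never released on any path, although the loop earlier in this function treats the object returned by the same call as caller-owned (patch 1 added `wolfSSL_X509_free(x509)` there when the push fails); every successful call of this function therefore leaks one X509 copy. The `get1` reference in `issuer` is leaked as well when the top certificate turns out to be self-signed, since that branch (non-NULL issuer, equal names) only logs "Certificate is self signed" and the same branch is also reached with a misleading message when `issuer` is NULL. Testing the self-signed case before the store lookup avoids obtaining the reference at all, and a single exit point frees `x509` on every path; the rewrite below additionally clears `ctx->chain` before the failure return because the field was set to `sk` earlier in the function. wolfSSL_X509_STORE_CTX_get_chain starts and ends outside the hunk.
```c
            WOLFSSL_X509* x509 = wolfSSL_get_chain_X509(c, c->count - 1);
            if (x509 != NULL) {
                WOLFSSL_X509* issuer = NULL;
                int pushFailed = 0;

                /* a self-signed top certificate has no separate CA to append,
                 * so decide that before consulting the store */
                if (wolfSSL_X509_NAME_cmp(&x509->issuer, &x509->subject) == 0) {
                    WOLFSSL_MSG("Certificate is self signed");
                }
                else if (wolfSSL_X509_STORE_CTX_get1_issuer(&issuer, ctx, x509)
                             != WOLFSSL_SUCCESS || issuer == NULL) {
                    WOLFSSL_MSG("Could not find CA for certificate");
                }
                else if (wolfSSL_sk_X509_push(sk, issuer) != SSL_SUCCESS) {
                    WOLFSSL_MSG("Unable to load CA x509 into stack");
                    wolfSSL_X509_free(issuer); /* sk did not take ownership */
                    pushFailed = 1;
                }

                wolfSSL_X509_free(x509); /* lookup copy, never part of sk */
                if (pushFailed) {
                    wolfSSL_sk_X509_free(sk);
                    ctx->chain = NULL; /* was pointed at sk before the loop */
                    return NULL;
                }
            }
```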