wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 10:47:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix CheckCertSignature return to be remembered past ParseCertRelative

Browse Source
This commit is contained in:
Sean Parkinson
2018-09-06 10:42:49 +10:00
parent 5ee09f77a1
commit a3cc2119d7
1 changed files with 47 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
src/internal.c
View File

@ -8687,7 +8687,7 @@ static void FreeProcPeerCertArgs(WOLFSSL* ssl, void* pArgs)
int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
word32 totalSz) word32 totalSz)
{ {
int ret = 0; int ret = 0, sigRet = 0;
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
ProcPeerCertArgs* args = (ProcPeerCertArgs*)ssl->async.args; ProcPeerCertArgs* args = (ProcPeerCertArgs*)ssl->async.args;
typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1]; typedef char args_test[sizeof(ssl->async.args) >= sizeof(*args) ? 1 : -1];
@ -9092,6 +9092,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
cert = &args->certs[args->certIdx]; cert = &args->certs[args->certIdx];
#ifdef WOLFSSL_SMALL_CERT_VERIFY #ifdef WOLFSSL_SMALL_CERT_VERIFY
sigRet = 0;
if (!ssl->options.verifyNone) { if (!ssl->options.verifyNone) {
if (args->dCert != NULL) { if (args->dCert != NULL) {
if (args->dCertInit) { if (args->dCertInit) {
@ -9101,10 +9103,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT); XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
args->dCert = NULL; args->dCert = NULL;
} }
ret = CheckCertSignature(cert->buffer, cert->length, sigRet = CheckCertSignature(cert->buffer, cert->length,
ssl->heap, ssl->ctx->cm); ssl->heap, ssl->ctx->cm);
if (ret != 0)
goto exit_ppc;
} }
#endif #endif
if (!args->dCertInit) { if (!args->dCertInit) {
@ -9140,15 +9140,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif #endif
#ifndef WOLFSSL_SMALL_CERT_VERIFY #ifndef WOLFSSL_SMALL_CERT_VERIFY
ret = ParseCertRelative(args->dCert, CERT_TYPE, sigRet = ParseCertRelative(args->dCert, CERT_TYPE,
!ssl->options.verifyNone, ssl->ctx->cm); !ssl->options.verifyNone, ssl->ctx->cm);
#else #else
ret = ParseCertRelative(args->dCert, CERT_TYPE, ret = ParseCertRelative(args->dCert, CERT_TYPE,
!ssl->options.verifyNone ? VERIFY_NAME : NO_VERIFY, !ssl->options.verifyNone ? VERIFY_NAME : NO_VERIFY,
ssl->ctx->cm); ssl->ctx->cm);
if (ret != 0) {
sigRet = ret;
ret = 0;
}
#endif #endif
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) { if (sigRet == WC_PENDING_E) {
ret = wolfSSL_AsyncPush(ssl, ret = wolfSSL_AsyncPush(ssl,
args->dCert->sigCtx.asyncDev); args->dCert->sigCtx.asyncDev);
goto exit_ppc; goto exit_ppc;
@ -9172,7 +9176,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
(word16)ssl->options.minRsaKeySz) { (word16)ssl->options.minRsaKeySz) {
WOLFSSL_MSG( WOLFSSL_MSG(
"RSA key size in cert chain error"); "RSA key size in cert chain error");
ret = RSA_KEY_SIZE_E; sigRet = RSA_KEY_SIZE_E;
} }
break; break;
#endif /* !NO_RSA */ #endif /* !NO_RSA */
@ -9183,7 +9187,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
(word16)ssl->options.minEccKeySz) { (word16)ssl->options.minEccKeySz) {
WOLFSSL_MSG( WOLFSSL_MSG(
"ECC key size in cert chain error"); "ECC key size in cert chain error");
ret = ECC_KEY_SIZE_E; sigRet = ECC_KEY_SIZE_E;
} }
break; break;
#endif /* HAVE_ECC */ #endif /* HAVE_ECC */
@ -9194,7 +9198,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
(word16)ssl->options.minEccKeySz) { (word16)ssl->options.minEccKeySz) {
WOLFSSL_MSG( WOLFSSL_MSG(
"ECC key size in cert chain error"); "ECC key size in cert chain error");
ret = ECC_KEY_SIZE_E; sigRet = ECC_KEY_SIZE_E;
} }
break; break;
#endif /* HAVE_ED25519 */ #endif /* HAVE_ED25519 */
@ -9206,13 +9210,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} /* switch (dCert->keyOID) */ } /* switch (dCert->keyOID) */
} /* if (!ssl->options.verifyNone) */ } /* if (!ssl->options.verifyNone) */
if (ret == 0 && args->dCert->isCA == 0) { if (sigRet == 0 && args->dCert->isCA == 0) {
WOLFSSL_MSG("Chain cert is not a CA, not adding as one"); WOLFSSL_MSG("Chain cert is not a CA, not adding as one");
} }
else if (ret == 0 && ssl->options.verifyNone) { else if (sigRet == 0 && ssl->options.verifyNone) {
WOLFSSL_MSG("Chain cert not verified by option, not adding as CA"); WOLFSSL_MSG("Chain cert not verified by option, not adding as CA");
} }
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) { else if (sigRet == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) {
DerBuffer* add = NULL; DerBuffer* add = NULL;
ret = AllocDer(&add, cert->length, CA_TYPE, ssl->heap); ret = AllocDer(&add, cert->length, CA_TYPE, ssl->heap);
if (ret < 0) if (ret < 0)
@ -9250,7 +9254,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
#endif #endif
} }
else if (ret != 0) { else if (sigRet != 0) {
WOLFSSL_MSG("Failed to verify CA from chain"); WOLFSSL_MSG("Failed to verify CA from chain");
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
ssl->peerVerifyRet = X509_V_ERR_INVALID_CA; ssl->peerVerifyRet = X509_V_ERR_INVALID_CA;
@ -9268,7 +9272,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif #endif
#if defined(HAVE_OCSP) || defined(HAVE_CRL) #if defined(HAVE_OCSP) || defined(HAVE_CRL)
if (ret == 0) { if (ret == 0 && sigRet == 0) {
int doCrlLookup = 1; int doCrlLookup = 1;
#ifdef HAVE_OCSP #ifdef HAVE_OCSP
#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
@ -9315,26 +9319,29 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
#endif /* HAVE_CRL */ #endif /* HAVE_CRL */
(void)doCrlLookup; (void)doCrlLookup;
if (ret != 0)
sigRet = ret;
} }
#endif /* HAVE_OCSP || HAVE_CRL */ #endif /* HAVE_OCSP || HAVE_CRL */
/* Do verify callback */ /* Do verify callback */
ret = DoVerifyCallback(ssl, ret, args); sigRet = DoVerifyCallback(ssl, sigRet, args);
/* Handle error codes */ /* Handle error codes */
#ifdef WOLFSSL_ALT_CERT_CHAINS #ifdef WOLFSSL_ALT_CERT_CHAINS
if (args->lastCaErr == 0) { if (args->lastCaErr == 0) {
/* capture CA error and proceed to next cert */ /* capture CA error and proceed to next cert */
args->lastCaErr = ret; args->lastCaErr = sigRet;
ret = 0; sigRet = 0;
} }
else { else {
args->lastErr = args->lastCaErr; args->lastErr = args->lastCaErr;
} }
#endif #endif
if (ret != 0 && args->lastErr == 0) { if (sigRet != 0 && args->lastErr == 0) {
args->lastErr = ret; /* save error from last time */ args->lastErr = sigRet; /* save error from last time */
ret = 0; /* reset error */ sigRet = 0; /* reset error */
} }
FreeDecodedCert(args->dCert); FreeDecodedCert(args->dCert);
@ -9343,6 +9350,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} /* while (count > 0 && !haveTrustPeer) */ } /* while (count > 0 && !haveTrustPeer) */
} /* if (count > 0) */ } /* if (count > 0) */
if (sigRet != 0)
ret = sigRet;
/* Check for error */ /* Check for error */
if (ret != 0) { if (ret != 0) {
goto exit_ppc; goto exit_ppc;
@ -9363,6 +9372,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
cert = &args->certs[args->certIdx]; cert = &args->certs[args->certIdx];
#ifdef WOLFSSL_SMALL_CERT_VERIFY #ifdef WOLFSSL_SMALL_CERT_VERIFY
sigRet = 0;
if (!ssl->options.verifyNone) { if (!ssl->options.verifyNone) {
if (args->dCert != NULL) { if (args->dCert != NULL) {
if (args->dCertInit) { if (args->dCertInit) {
@ -9372,10 +9383,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT); XFREE(args->dCert, ssl->heap, DYNAMIC_TYPE_DCERT);
args->dCert = NULL; args->dCert = NULL;
} }
ret = CheckCertSignature(cert->buffer, cert->length, sigRet = CheckCertSignature(cert->buffer, cert->length,
ssl->heap, ssl->ctx->cm); ssl->heap, ssl->ctx->cm);
if (ret != 0)
goto exit_ppc;
} }
#endif #endif
if (!args->dCertInit) { if (!args->dCertInit) {
@ -9407,15 +9416,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
{ {
/* only parse if not already present in dCert from above */ /* only parse if not already present in dCert from above */
#ifndef WOLFSSL_SMALL_CERT_VERIFY #ifndef WOLFSSL_SMALL_CERT_VERIFY
ret = ParseCertRelative(args->dCert, CERT_TYPE, sigRet = ParseCertRelative(args->dCert, CERT_TYPE,
!ssl->options.verifyNone, ssl->ctx->cm); !ssl->options.verifyNone, ssl->ctx->cm);
#else #else
ret = ParseCertRelative(args->dCert, CERT_TYPE, ret = ParseCertRelative(args->dCert, CERT_TYPE,
!ssl->options.verifyNone ? VERIFY_NAME : NO_VERIFY, !ssl->options.verifyNone ? VERIFY_NAME : NO_VERIFY,
ssl->ctx->cm); ssl->ctx->cm);
if (ret != 0) {
sigRet = ret;
ret = 0;
}
#endif #endif
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) { if (sigRet == WC_PENDING_E) {
ret = wolfSSL_AsyncPush(ssl, ret = wolfSSL_AsyncPush(ssl,
args->dCert->sigCtx.asyncDev); args->dCert->sigCtx.asyncDev);
goto exit_ppc; goto exit_ppc;
@ -9423,7 +9436,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif #endif
} }
if (ret == 0) { if (sigRet == 0) {
WOLFSSL_MSG("Verified Peer's cert"); WOLFSSL_MSG("Verified Peer's cert");
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
ssl->peerVerifyRet = X509_V_OK; ssl->peerVerifyRet = X509_V_OK;
@ -9438,12 +9451,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* check if fatal error */ /* check if fatal error */
if (args->verifyErr) { if (args->verifyErr) {
args->fatal = 1; args->fatal = 1;
if (ret == 0) { if (sigRet == 0) {
ret = args->lastErr; sigRet = args->lastErr;
} }
#ifdef WOLFSSL_ALT_CERT_CHAINS #ifdef WOLFSSL_ALT_CERT_CHAINS
if (ret == 0) { if (sigRet == 0) {
ret = args->lastCaErr; sigRet = args->lastCaErr;
} }
#endif #endif
} }
@ -9451,7 +9464,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
args->fatal = 0; args->fatal = 0;
} }
} }
else if (ret == ASN_PARSE_E || ret == BUFFER_E) { else if (sigRet == ASN_PARSE_E || sigRet == BUFFER_E) {
WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR"); WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR");
#ifdef OPENSSL_EXTRA #ifdef OPENSSL_EXTRA
SendAlert(ssl, alert_fatal, bad_certificate); SendAlert(ssl, alert_fatal, bad_certificate);
@ -9491,7 +9504,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG( WOLFSSL_MSG(
"Peer sent different cert during scr, fatal"); "Peer sent different cert during scr, fatal");
args->fatal = 1; args->fatal = 1;
ret = SCR_DIFFERENT_CERT_E; sigRet = SCR_DIFFERENT_CERT_E;
} }
} }
@ -9504,6 +9517,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* HAVE_SECURE_RENEGOTIATION */ #endif /* HAVE_SECURE_RENEGOTIATION */
} /* if (count > 0) */ } /* if (count > 0) */
if (sigRet != 0)
ret = sigRet;
/* Check for error */ /* Check for error */
if (args->fatal && ret != 0) { if (args->fatal && ret != 0) {
goto exit_ppc; goto exit_ppc;