wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-08-02 12:14:38 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix to not send alert until after the verify cert callback and alternate chain logic has been evaluated.

Browse Source
This commit is contained in:
David Garske
2019-12-04 12:41:23 -08:00
parent acd4bc3305
commit b01c558adb
1 changed files with 43 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
src/internal.c
View File

@@ -9368,6 +9368,29 @@ typedef struct ProcPeerCertArgs {
#endif #endif
} ProcPeerCertArgs; } ProcPeerCertArgs;
static void DoCertFatalAlert(WOLFSSL* ssl, int ret)
{
int alertWhy;
if (ssl == NULL || ret == 0) {
return;
}
/* Determine alert reason */
alertWhy = bad_certificate;
if (ret == ASN_AFTER_DATE_E || ret == ASN_BEFORE_DATE_E) {
alertWhy = certificate_expired;
}
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD))
else if (ret == CRL_CERT_REVOKED) {
alertWhy = certificate_revoked;
}
#endif
/* send fatal alert and mark connection closed */
SendAlert(ssl, alert_fatal, alertWhy); /* try to send */
ssl->options.isClosed = 1;
}
/* WOLFSSL_ALWAYS_VERIFY_CB: Use verify callback for success or failure cases */ /* WOLFSSL_ALWAYS_VERIFY_CB: Use verify callback for success or failure cases */
/* WOLFSSL_VERIFY_CB_ALL_CERTS: Issue callback for all intermediate certificates */ /* WOLFSSL_VERIFY_CB_ALL_CERTS: Issue callback for all intermediate certificates */
@@ -9378,21 +9401,10 @@ typedef struct ProcPeerCertArgs {
static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args) static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
{ {
int verify_ok = 0, alertWhy = 0, use_cb = 0; int verify_ok = 0, use_cb = 0;
/* Determine return code and alert reason */ /* Determine if verify was okay */
if (ret != 0) { if (ret == 0) {
alertWhy = bad_certificate;
if (ret == ASN_AFTER_DATE_E ||
ret == ASN_BEFORE_DATE_E) {
alertWhy = certificate_expired;
}
#if (defined(OPENSSL_ALL) || defined(WOLFSSL_APACHE_HTTPD))
else if (ret == CRL_CERT_REVOKED)
alertWhy = certificate_revoked;
#endif
}
else {
verify_ok = 1; verify_ok = 1;
} }
@@ -9618,17 +9630,6 @@ static int DoVerifyCallback(WOLFSSL* ssl, int ret, ProcPeerCertArgs* args)
#endif #endif
} }
if (ret != 0) {
if (!ssl->options.verifyNone) {
/* handle failure */
SendAlert(ssl, alert_fatal, alertWhy); /* try to send */
ssl->options.isClosed = 1;
}
/* Report SSL error */
ssl->error = ret;
}
return ret; return ret;
} }
@@ -10302,9 +10303,16 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
/* Handle error codes */ /* Handle error codes */
if (ret != 0 && args->lastErr == 0) { if (ret != 0) {
args->lastErr = ret; /* save error from last time */ if (!ssl->options.verifyNone) {
ret = 0; /* reset error */ DoCertFatalAlert(ssl, ret);
}
ssl->error = ret; /* Report SSL error */
if (args->lastErr == 0) {
args->lastErr = ret; /* save error from last time */
ret = 0; /* reset error */
}
} }
FreeDecodedCert(args->dCert); FreeDecodedCert(args->dCert);
@@ -10876,6 +10884,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = ssl->error = 0; ret = ssl->error = 0;
} }
if (ret != 0) {
if (!ssl->options.verifyNone) {
DoCertFatalAlert(ssl, ret);
}
ssl->error = ret; /* Report SSL error */
}
if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) { if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) {
ssl->options.serverState = SERVER_CERT_COMPLETE; ssl->options.serverState = SERVER_CERT_COMPLETE;
} }