From d0c2609ebb8a4f5f2b5107940a8cb828b94addeb Mon Sep 17 00:00:00 2001 From: John Bland Date: Mon, 11 Sep 2023 01:56:58 -0400 Subject: [PATCH 1/6] stop ProcessPeerCerts from reseting the cert chain count when an async error was returned --- src/internal.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/internal.c b/src/internal.c index 2324598c5..e724126d3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15237,11 +15237,18 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_ENTER("DoCertificate"); #ifdef SESSION_CERTS - /* Reset the session cert chain count in case the session resume failed. */ - ssl->session->chain.count = 0; - #ifdef WOLFSSL_ALT_CERT_CHAINS + /* Reset the session cert chain count in case the session resume failed, + do not reset if we are resuming after an async wait */ +#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) + if (((ProcPeerCertArgs*)(ssl->async->args))->lastErr != OCSP_WANT_READ && + ((ProcPeerCertArgs*)(ssl->async->args))->lastErr != WC_PENDING_E) +#endif + { + ssl->session->chain.count = 0; +#ifdef WOLFSSL_ALT_CERT_CHAINS ssl->session->altChain.count = 0; - #endif +#endif + } #endif /* SESSION_CERTS */ ret = ProcessPeerCerts(ssl, input, inOutIdx, size); From b99b1d4cfd5da9cfcfacd3b7480e159c094e21fd Mon Sep 17 00:00:00 2001 From: John Bland Date: Mon, 11 Sep 2023 17:52:07 -0400 Subject: [PATCH 2/6] fix bad error setting and instances where lastErr wasn't set as it should have been --- src/internal.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index e724126d3..92b9c6474 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14045,8 +14045,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) + if (ret == WC_PENDING_E) { + args->lastErr = ret; goto exit_ppc; + } #endif if (ret == 0) { ret = ProcessPeerCertCheckKey(ssl, args); @@ -14302,8 +14304,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) + if (ret == WC_PENDING_E) { + args->lastErr = ret; goto exit_ppc; + } #endif if (ret == 0) { WOLFSSL_MSG("Verified Peer's cert"); @@ -15124,7 +15128,12 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, case TLS_ASYNC_FINALIZE: { /* load last error */ - if (args->lastErr != 0 && ret == 0) { + if (args->lastErr != 0 && ret == 0 +#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) + && args->lastErr != WC_PENDING_E && + args->lastErr != OCSP_WANT_READ +#endif + ) { ret = args->lastErr; } @@ -15240,8 +15249,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* Reset the session cert chain count in case the session resume failed, do not reset if we are resuming after an async wait */ #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) - if (((ProcPeerCertArgs*)(ssl->async->args))->lastErr != OCSP_WANT_READ && - ((ProcPeerCertArgs*)(ssl->async->args))->lastErr != WC_PENDING_E) + if (ssl->async == NULL || ssl->async->args == NULL || + (((ProcPeerCertArgs*)(ssl->async->args))->lastErr != OCSP_WANT_READ && + ((ProcPeerCertArgs*)(ssl->async->args))->lastErr != WC_PENDING_E)) #endif { ssl->session->chain.count = 0; From 937aa3415fa18403a39fd1d050eba28dcc9a4bdc Mon Sep 17 00:00:00 2001 From: John Bland Date: Mon, 11 Sep 2023 18:24:37 -0400 Subject: [PATCH 3/6] set last missing lastErr section --- src/internal.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/internal.c b/src/internal.c index 92b9c6474..05a244c83 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14510,6 +14510,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, args->dCert, ssl); #ifdef WOLFSSL_NONBLOCK_OCSP if (ret == OCSP_WANT_READ) { + args->lastErr = ret; goto exit_ppc; } #endif From 14017bd67ef68babfb9980ef42a7d8e2956e7fc3 Mon Sep 17 00:00:00 2001 From: John Bland Date: Tue, 12 Sep 2023 13:41:23 -0400 Subject: [PATCH 4/6] remove NULL check on non-pointer array --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 05a244c83..1498b1625 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15250,7 +15250,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* Reset the session cert chain count in case the session resume failed, do not reset if we are resuming after an async wait */ #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) - if (ssl->async == NULL || ssl->async->args == NULL || + if (ssl->async == NULL || (((ProcPeerCertArgs*)(ssl->async->args))->lastErr != OCSP_WANT_READ && ((ProcPeerCertArgs*)(ssl->async->args))->lastErr != WC_PENDING_E)) #endif From 6e87fc7f90062e97c4afee0025ba18a9b33a66b8 Mon Sep 17 00:00:00 2001 From: John Bland Date: Tue, 12 Sep 2023 18:25:10 -0400 Subject: [PATCH 5/6] switch to using ssl->error to check for previous error --- src/internal.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1498b1625..6808fb34c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -15250,9 +15250,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* Reset the session cert chain count in case the session resume failed, do not reset if we are resuming after an async wait */ #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) - if (ssl->async == NULL || - (((ProcPeerCertArgs*)(ssl->async->args))->lastErr != OCSP_WANT_READ && - ((ProcPeerCertArgs*)(ssl->async->args))->lastErr != WC_PENDING_E)) + if ((ssl->error != OCSP_WANT_READ && ssl->error != WC_PENDING_E)) #endif { ssl->session->chain.count = 0; From 6c8eaf26f56ddcf152e2432020d9ac77b1a3ebae Mon Sep 17 00:00:00 2001 From: John Bland Date: Tue, 12 Sep 2023 19:43:28 -0400 Subject: [PATCH 6/6] update based on pr comments --- src/internal.c | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/src/internal.c b/src/internal.c index 6808fb34c..6efbfb823 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14045,10 +14045,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - args->lastErr = ret; + if (ret == WC_PENDING_E) goto exit_ppc; - } #endif if (ret == 0) { ret = ProcessPeerCertCheckKey(ssl, args); @@ -14304,10 +14302,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } #endif #ifdef WOLFSSL_ASYNC_CRYPT - if (ret == WC_PENDING_E) { - args->lastErr = ret; + if (ret == WC_PENDING_E) goto exit_ppc; - } #endif if (ret == 0) { WOLFSSL_MSG("Verified Peer's cert"); @@ -14510,7 +14506,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, args->dCert, ssl); #ifdef WOLFSSL_NONBLOCK_OCSP if (ret == OCSP_WANT_READ) { - args->lastErr = ret; goto exit_ppc; } #endif @@ -15129,12 +15124,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, case TLS_ASYNC_FINALIZE: { /* load last error */ - if (args->lastErr != 0 && ret == 0 -#if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) - && args->lastErr != WC_PENDING_E && - args->lastErr != OCSP_WANT_READ -#endif - ) { + if (args->lastErr != 0 && ret == 0) { ret = args->lastErr; } @@ -15248,9 +15238,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef SESSION_CERTS /* Reset the session cert chain count in case the session resume failed, - do not reset if we are resuming after an async wait */ + * do not reset if we are resuming after an async wait */ #if defined(WOLFSSL_ASYNC_CRYPT) || defined(WOLFSSL_NONBLOCK_OCSP) - if ((ssl->error != OCSP_WANT_READ && ssl->error != WC_PENDING_E)) + if (ssl->error != OCSP_WANT_READ && ssl->error != WC_PENDING_E) #endif { ssl->session->chain.count = 0;