diff --git a/src/internal.c b/src/internal.c
index db511a393..eaa750c8f 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -1459,6 +1459,7 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method, void* heap)
 #endif
 ctx->heap = heap; /* wolfSSL_CTX_load_static_memory sets */
+ ctx->verifyDepth = MAX_CHAIN_DEPTH;
 return ret;
 }
@@ -4080,6 +4081,7 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #ifdef OPENSSL_EXTRA
 ssl->readAhead = ctx->readAhead;
 #endif
+ ssl->verifyDepth = ctx->verifyDepth;
 return WOLFSSL_SUCCESS;
 }
@@ -7978,7 +7980,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 while (listSz) {
 word32 certSz;
- if (args->totalCerts >= MAX_CHAIN_DEPTH) {
+ if (args->totalCerts >= ssl->verifyDepth) {
 #ifdef OPENSSL_EXTRA
 ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
 #endif
diff --git a/src/ssl.c b/src/ssl.c
index 4d86de1ce..9e0f845d7 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -6770,6 +6770,24 @@ int wolfSSL_CTX_use_PrivateKey_file(WOLFSSL_CTX* ctx, const char* file,
 }
+/* Sets the max chain depth when verifying a certificate chain. Default depth
+ * is set to MAX_CHAIN_DEPTH.
+ *
+ * ctx WOLFSSL_CTX structure to set depth in
+ * depth max depth
+ */
+void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx, int depth) {
+ WOLFSSL_ENTER("wolfSSL_CTX_set_verify_depth");
+
+ if (ctx == NULL || depth < 0 || depth > MAX_CHAIN_DEPTH) {
+ WOLFSSL_MSG("Bad depth argument, too large or less than 0");
+ return;
+ }
+
+ ctx->verifyDepth = depth;
+}
+
+
 /* get cert chaining depth using ssl struct */
 long wolfSSL_get_verify_depth(WOLFSSL* ssl)
 {
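Review bot: The bound that used to protect the per-handshake certificate array is now a runtime field: `args->totalCerts >= ssl->verifyDepth` only stays within MAX_CHAIN_DEPTH because wolfSSL_CTX_set_verify_depth clamps its argument, and any other writer of verifyDepth (the still-stubbed wolfSSL_set_verify_depth, or a direct struct assignment) would let more certificates through than the old check did; the type of totalCerts is not visible here, and a negative verifyDepth in a mixed signed/unsigned comparison would disable the guard entirely. Keep the compile-time limit as a hard ceiling: `if (args->totalCerts >= ssl->verifyDepth || args->totalCerts >= MAX_CHAIN_DEPTH) {`. Separately, if totalCerts starts at 0 as the old check implies, a configured depth of 0 rejects every chain with X509_V_ERR_CERT_CHAIN_TOO_LONG, and the limit counts the leaf as well, which differs from the depth semantics OpenSSL callers of SSL_CTX_set_verify_depth expect. ProcessPeerCerts starts and ends outside the hunk.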
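Review bot: wolfSSL_CTX_set_verify_depth silently drops out-of-range values and, being void, gives the caller no way to notice; the header comment should state that contract, e.g. `Values outside 0..MAX_CHAIN_DEPTH (and a NULL ctx) are ignored and the previous depth is kept; no error is returned.` The comment should also say what depth 0 means, since it passes the `depth < 0` check but ProcessPeerCerts compares `totalCerts >= ssl->verifyDepth` and will then reject every peer chain. As a point of style, the opening brace sits on the signature line while the neighbouring wolfSSL_get_verify_depth puts it on its own line.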
@@ -28670,17 +28688,6 @@ void* wolfSSL_GetDhAgreeCtx(WOLFSSL* ssl)
 }
- void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx, int depth) {
- WOLFSSL_ENTER("wolfSSL_CTX_set_verify_depth");
-#ifndef OPENSSL_EXTRA
- (void)ctx;
- (void)depth;
- WOLFSSL_STUB("wolfSSL_CTX_set_verify_depth");
-#else
- ctx->verifyDepth = (byte)depth;
-#endif
- }
-
 #ifndef NO_WOLFSSL_STUB
 void wolfSSL_set_verify_depth(WOLFSSL *ssl, int depth) {
 WOLFSSL_ENTER("wolfSSL_set_verify_depth");
diff --git a/tests/api.c b/tests/api.c
index 6c760bcd5..138dc9bc5 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -15952,6 +15952,39 @@ static void test_wolfSSL_RSA(void)
 printf(resultFmt, passed);
 #endif
 }
+
+static void test_wolfSSL_verify_depth(void)
+{
+#if defined(OPENSSL_EXTRA) && !defined(NO_RSA)
+ WOLFSSL* ssl;
+ WOLFSSL_CTX* ctx;
+ long depth;
+
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+
+ AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, cliCertFile, SSL_FILETYPE_PEM));
+ AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, cliKeyFile, SSL_FILETYPE_PEM));
+ AssertIntEQ(wolfSSL_CTX_load_verify_locations(ctx, caCertFile, 0), SSL_SUCCESS);
+
+ AssertIntGT((depth = SSL_CTX_get_verify_depth(ctx)), 0);
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(SSL_get_verify_depth(ssl), SSL_CTX_get_verify_depth(ctx));
+ SSL_free(ssl);
+
+ SSL_CTX_set_verify_depth(ctx, -1);
+ AssertIntEQ(depth, SSL_CTX_get_verify_depth(ctx));
+
+ SSL_CTX_set_verify_depth(ctx, 2);
+ AssertIntEQ(2, SSL_CTX_get_verify_depth(ctx));
+ AssertNotNull(ssl = SSL_new(ctx));
+ AssertIntEQ(2, SSL_get_verify_depth(ssl));
+
+ SSL_free(ssl);
+ SSL_CTX_free(ctx);
+ printf(resultFmt, passed);
+#endif
+}
+
 static void test_no_op_functions(void)
 {
 #if defined(OPENSSL_EXTRA)
@@ -16775,6 +16808,7 @@ void ApiTest(void)
 test_wolfSSL_sk_GENERAL_NAME();
 test_wolfSSL_MD4();
 test_wolfSSL_RSA();
+ test_wolfSSL_verify_depth();
 /* test the no op functions for compatibility */
 test_no_op_functions();
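Review bot: test_wolfSSL_verify_depth covers the negative-argument rejection and one valid value but never the upper bound, so the `depth > MAX_CHAIN_DEPTH` branch of wolfSSL_CTX_set_verify_depth, which is the one that keeps ProcessPeerCerts inside its certificate array, is untested; after the `SSL_CTX_set_verify_depth(ctx, 2)` block add `SSL_CTX_set_verify_depth(ctx, MAX_CHAIN_DEPTH + 1);` followed by `AssertIntEQ(2, SSL_CTX_get_verify_depth(ctx));`. A case for depth 0 would also pin down whether that value is meant to be accepted, since the setter allows it while ProcessPeerCerts then rejects every chain. The initial `AssertIntGT(depth, 0)` could be tightened to `AssertIntEQ(depth, MAX_CHAIN_DEPTH)` to match the default InitSSL_Ctx now installs.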
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index e6f21d454..6a664adbb 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -2258,6 +2258,7 @@ struct WOLFSSL_CTX {
 #endif
 Suites* suites; /* make dynamic, user may not need/set */
 void* heap; /* for user memory overrides */
+ int verifyDepth;
 byte verifyPeer;
 byte verifyNone;
 byte failNoCert;
@@ -2310,7 +2311,6 @@ struct WOLFSSL_CTX {
 unsigned long mask; /* store SSL_OP_ flags */
 const unsigned char *alpn_cli_protos;/* ALPN client protocol list */
 unsigned int alpn_cli_protos_len;
- byte verifyDepth; /* maximum verification depth */
 byte sessionCtxSz;
 CallbackInfoState* CBIS; /* used to get info about SSL state */
 #endif
@@ -3310,6 +3310,7 @@ struct WOLFSSL {
 WOLFSSL_SESSION* extSession;
 #endif
 WOLFSSL_ALERT_HISTORY alert_history;
+ int verifyDepth;
 int error;
 int rfd; /* read file descriptor */
 int wfd; /* write file descriptor */
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index bf30c147a..42e164c66 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -484,6 +484,7 @@ WOLFSSL_API int wolfSSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX*, const char*, in
 WOLFSSL_API long wolfSSL_get_verify_depth(WOLFSSL* ssl);
 WOLFSSL_API long wolfSSL_CTX_get_verify_depth(WOLFSSL_CTX* ctx);
+WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth);
 WOLFSSL_API int wolfSSL_use_certificate_file(WOLFSSL*, const char*, int);
 WOLFSSL_API int wolfSSL_use_PrivateKey_file(WOLFSSL*, const char*, int);
 WOLFSSL_API int wolfSSL_use_certificate_chain_file(WOLFSSL*, const char *file);
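Review bot: The new `int verifyDepth;` in struct WOLFSSL_CTX drops the `/* maximum verification depth */` comment that the removed byte field carried in the second hunk, and the matching field added to struct WOLFSSL in the third hunk has no comment either. Since ProcessPeerCerts now uses this value as the loop bound for the peer certificate list, the comment should also record the invariant the setter enforces, e.g. `int verifyDepth; /* max verification depth, 0..MAX_CHAIN_DEPTH */` on both structs. Whether code other than wolfSSL_CTX_set_verify_depth and SetSSL_CTX writes these fields is not visible here.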
@@ -2539,7 +2540,6 @@ WOLFSSL_API void wolfSSL_X509_NAME_free(WOLFSSL_X509_NAME* name);
 WOLFSSL_API char wolfSSL_CTX_use_certificate(WOLFSSL_CTX *ctx, WOLFSSL_X509 *x);
 WOLFSSL_API int wolfSSL_BIO_read_filename(WOLFSSL_BIO *b, const char *name);
 /* These are to be merged shortly */
-WOLFSSL_API void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth);
 WOLFSSL_API void wolfSSL_set_verify_depth(WOLFSSL *ssl,int depth);
 WOLFSSL_API void* wolfSSL_get_app_data( const WOLFSSL *ssl);
 WOLFSSL_API int wolfSSL_set_app_data(WOLFSSL *ssl, void *arg);