wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-30 18:57:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

issue callback when exceeding depth limit rather than error out

Browse Source
This commit is contained in:
Hideki Miyazaki
2021-02-08 08:45:00 +09:00
parent 7eb71b1bb1
commit f13186827a
1 changed files with 10 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
src/internal.c
View File

@ -10834,12 +10834,7 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
while (listSz) { while (listSz) {
word32 certSz; word32 certSz;
#if defined(OPENSSL_EXTRA) || defined(OPENSSL_EXTRA_X509_SMALL) #if !defined(OPENSSL_EXTRA) && !defined(OPENSS_EXTRA_X509_SMALL)
if (args->totalCerts > ssl->verifyDepth) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
}
#else
if (args->totalCerts >= ssl->verifyDepth || if (args->totalCerts >= ssl->verifyDepth ||
args->totalCerts >= MAX_CHAIN_DEPTH) { args->totalCerts >= MAX_CHAIN_DEPTH) {
ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc); ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
@ -11078,7 +11073,15 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
(void)doCrlLookup; (void)doCrlLookup;
} }
#endif /* HAVE_OCSP || HAVE_CRL */ #endif /* HAVE_OCSP || HAVE_CRL */
#ifdef OPENSSL_EXTRA
if (ret == 0 &&
/* extend the limit "+1" until reaching
* an ultimately trusted issuer.*/
args->count > (ssl->verifyDepth + 1)) {
ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
ret = MAX_CHAIN_ERROR;
}
#endif
/* Do verify callback */ /* Do verify callback */
ret = DoVerifyCallback(ssl->ctx->cm, ssl, ret, args); ret = DoVerifyCallback(ssl->ctx->cm, ssl, ret, args);
if (ssl->options.verifyNone && if (ssl->options.verifyNone &&