fixes after testing: hash table, using NO_SKID, sanity check, and freeing dCert
This commit is contained in:
parent
d969e2ba11
commit
267dc48d95
|
@ -4631,27 +4631,29 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
|
|||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* if using trusted peer certs check before verify chain and CA test */
|
||||
if (count > 0) {
|
||||
TrustedPeerCert* tp = NULL;
|
||||
TrustedPeerCert* tp = NULL;
|
||||
|
||||
InitDecodedCert(dCert, certs[0].buffer, certs[0].length, ssl->heap);
|
||||
ret = ParseCertRelative(dCert, CERT_TYPE, 0, ssl->ctx->cm);
|
||||
#ifndef NO_SKID
|
||||
if (dCert->extAuthKeyIdSet)
|
||||
tp = GetTrustedPeer(ssl->ctx->cm, dCert->extSubjKeyId);
|
||||
#else /* NO_SKID */
|
||||
tp = GetTrustedPeer(ssl->ctx->cm, dCert->issuerHash);
|
||||
#endif /* NO SKID */
|
||||
WOLFSSL_MSG("Checking for trusted peer cert");
|
||||
InitDecodedCert(dCert, certs[0].buffer, certs[0].length, ssl->heap);
|
||||
ret = ParseCertRelative(dCert, CERT_TYPE, 0, ssl->ctx->cm);
|
||||
#ifndef NO_SKID
|
||||
if (dCert->extAuthKeyIdSet)
|
||||
tp = GetTrustedPeer(ssl->ctx->cm, dCert->extSubjKeyId);
|
||||
#else /* NO_SKID */
|
||||
tp = GetTrustedPeer(ssl->ctx->cm, dCert->subjectHash);
|
||||
#endif /* NO SKID */
|
||||
WOLFSSL_MSG("Checking for trusted peer cert");
|
||||
|
||||
if (tp == NULL) {
|
||||
/* no trusted peer cert */
|
||||
WOLFSSL_MSG("No matching trusted peer cert. Checking CAs");
|
||||
} else if (MatchTrustedPeer(tp, dCert)){
|
||||
WOLFSSL_MSG("Found matching trusted peer cert");
|
||||
haveTrustPeer = 1;
|
||||
} else {
|
||||
WOLFSSL_MSG("Trusted peer cert did not match!");
|
||||
}
|
||||
if (tp == NULL) {
|
||||
/* no trusted peer cert */
|
||||
WOLFSSL_MSG("No matching trusted peer cert. Checking CAs");
|
||||
FreeDecodedCert(dCert);
|
||||
} else if (MatchTrustedPeer(tp, dCert)){
|
||||
WOLFSSL_MSG("Found matching trusted peer cert");
|
||||
haveTrustPeer = 1;
|
||||
} else {
|
||||
WOLFSSL_MSG("Trusted peer cert did not match!");
|
||||
FreeDecodedCert(dCert);
|
||||
}
|
||||
}
|
||||
if (!haveTrustPeer) { /* do not verify chain if trusted peer cert found */
|
||||
#endif /* WOLFSSL_TRUST_PEER_CERT */
|
||||
|
|
20
src/ssl.c
20
src/ssl.c
|
@ -2215,12 +2215,18 @@ int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash)
|
|||
|
||||
|
||||
#ifdef WOLFSSL_TRUST_PEER_CERT
|
||||
/* hash is the SHA digest of name, just use first 32 bits as hash */
|
||||
static INLINE word32 TrustedPeerHashSigner(const byte* hash)
|
||||
{
|
||||
return MakeWordFromHash(hash) % TP_TABLE_SIZE;
|
||||
}
|
||||
|
||||
/* does trusted peer already exist on signer list */
|
||||
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash)
|
||||
{
|
||||
TrustedPeerCert* tp;
|
||||
int ret = 0;
|
||||
word32 row = HashSigner(hash);
|
||||
word32 row = TrustedPeerHashSigner(hash);
|
||||
|
||||
if (LockMutex(&cm->tpLock) != 0)
|
||||
return ret;
|
||||
|
@ -2255,7 +2261,7 @@ TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash)
|
|||
if (cm == NULL || hash == NULL)
|
||||
return NULL;
|
||||
|
||||
row = HashSigner(hash);
|
||||
row = TrustedPeerHashSigner(hash);
|
||||
|
||||
if (LockMutex(&cm->tpLock) != 0)
|
||||
return ret;
|
||||
|
@ -2454,9 +2460,9 @@ int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify)
|
|||
#endif
|
||||
|
||||
#ifndef NO_SKID
|
||||
row = HashSigner(peerCert->subjectKeyIdHash);
|
||||
row = TrustedPeerHashSigner(peerCert->subjectKeyIdHash);
|
||||
#else
|
||||
row = HashSigner(peerCert->subjectNameHash);
|
||||
row = TrustedPeerHashSigner(peerCert->subjectNameHash);
|
||||
#endif
|
||||
|
||||
if (LockMutex(&cm->tpLock) == 0) {
|
||||
|
@ -7643,6 +7649,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
|
|||
long sz, int format)
|
||||
{
|
||||
WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer");
|
||||
|
||||
/* sanity check on arguments */
|
||||
if (sz < 0 || in == NULL || ctx == NULL) {
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
if (format == SSL_FILETYPE_PEM)
|
||||
return ProcessChainBuffer(ctx, in, sz, format,
|
||||
TRUSTED_PEER_TYPE, NULL);
|
||||
|
|
|
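Review bot: `AlreadyTrustedPeer` computes `word32 row = TrustedPeerHashSigner(hash);` in its declarations, so `hash` is read through `MakeWordFromHash` and `cm->tpLock` is taken before either argument is validated, while `GetTrustedPeer` in the next hunk returns early on `cm == NULL || hash == NULL`. Mirroring that guard keeps the two lookups consistent: add `if (cm == NULL || hash == NULL) return ret;` ahead of the row computation and make the latter a plain assignment, `row = TrustedPeerHashSigner(hash);`. Separately, the new `TrustedPeerHashSigner` carries no note that the table only works if insert and lookup pass the same digest (`AddTrustedPeer` indexes on `subjectKeyIdHash`, or `subjectNameHash` under `NO_SKID`); a one-line comment such as `/* callers must pass the same digest that AddTrustedPeer indexed on (SKID hash, or subject-name hash under NO_SKID) */` would make that contract visible to the lookup sites. The bodies of `AlreadyTrustedPeer` and `AddTrustedPeer` continue outside these hunks, so I cannot confirm whether a later check already covers the NULL case.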
@ -239,7 +239,7 @@ static void test_wolfSSL_CTX_trust_peer_cert(void)
|
|||
|
||||
/* Test of loading certs from buffers */
|
||||
|
||||
/* invalid ca buffer */
|
||||
/* invalid buffer */
|
||||
assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1,
|
||||
SSL_FILETYPE_ASN1) != SSL_SUCCESS);
|
||||
|
||||
|
|