mirrors
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixs after testing : hash table, using NO_SKID, sanity check, and freeing dCert

This commit is contained in:
Jacob Barthelmeh 2016-03-02 15:23:50 -07:00
parent d969e2ba11
commit 267dc48d95
3 changed files with 38 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
src/internal.c
View File

@ -4631,27 +4631,29 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifdef WOLFSSL_TRUST_PEER_CERT
/* if using trusted peer certs check before verify chain and CA test */
if (count > 0) {
TrustedPeerCert* tp = NULL;
TrustedPeerCert* tp = NULL;
InitDecodedCert(dCert, certs[0].buffer, certs[0].length, ssl->heap);
ret = ParseCertRelative(dCert, CERT_TYPE, 0, ssl->ctx->cm);
#ifndef NO_SKID
if (dCert->extAuthKeyIdSet)
tp = GetTrustedPeer(ssl->ctx->cm, dCert->extSubjKeyId);
#else /* NO_SKID */
tp = GetTrustedPeer(ssl->ctx->cm, dCert->issuerHash);
#endif /* NO SKID */
WOLFSSL_MSG("Checking for trusted peer cert");
InitDecodedCert(dCert, certs[0].buffer, certs[0].length, ssl->heap);
ret = ParseCertRelative(dCert, CERT_TYPE, 0, ssl->ctx->cm);
#ifndef NO_SKID
if (dCert->extAuthKeyIdSet)
tp = GetTrustedPeer(ssl->ctx->cm, dCert->extSubjKeyId);
#else /* NO_SKID */
tp = GetTrustedPeer(ssl->ctx->cm, dCert->subjectHash);
#endif /* NO SKID */
WOLFSSL_MSG("Checking for trusted peer cert");
if (tp == NULL) {
/* no trusted peer cert */
WOLFSSL_MSG("No matching trusted peer cert. Checking CAs");
} else if (MatchTrustedPeer(tp, dCert)){
WOLFSSL_MSG("Found matching trusted peer cert");
haveTrustPeer = 1;
} else {
WOLFSSL_MSG("Trusted peer cert did not match!");
}
if (tp == NULL) {
/* no trusted peer cert */
WOLFSSL_MSG("No matching trusted peer cert. Checking CAs");
FreeDecodedCert(dCert);
} else if (MatchTrustedPeer(tp, dCert)){
WOLFSSL_MSG("Found matching trusted peer cert");
haveTrustPeer = 1;
} else {
WOLFSSL_MSG("Trusted peer cert did not match!");
FreeDecodedCert(dCert);
}
}
if (!haveTrustPeer) { /* do not verify chain if trusted peer cert found */
#endif /* WOLFSSL_TRUST_PEER_CERT */

20
src/ssl.c
View File

@ -2215,12 +2215,18 @@ int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash)
#ifdef WOLFSSL_TRUST_PEER_CERT
/* hash is the SHA digest of name, just use first 32 bits as hash */
static INLINE word32 TrustedPeerHashSigner(const byte* hash)
{
return MakeWordFromHash(hash) % TP_TABLE_SIZE;
}
/* does trusted peer already exist on signer list */
int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash)
{
TrustedPeerCert* tp;
int ret = 0;
word32 row = HashSigner(hash);
word32 row = TrustedPeerHashSigner(hash);
if (LockMutex(&cm->tpLock) != 0)
return ret;
@ -2255,7 +2261,7 @@ TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash)
if (cm == NULL || hash == NULL)
return NULL;
row = HashSigner(hash);
row = TrustedPeerHashSigner(hash);
if (LockMutex(&cm->tpLock) != 0)
return ret;
@ -2454,9 +2460,9 @@ int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify)
#endif
#ifndef NO_SKID
row = HashSigner(peerCert->subjectKeyIdHash);
row = TrustedPeerHashSigner(peerCert->subjectKeyIdHash);
#else
row = HashSigner(peerCert->subjectNameHash);
row = TrustedPeerHashSigner(peerCert->subjectNameHash);
#endif
if (LockMutex(&cm->tpLock) == 0) {
@ -7643,6 +7649,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
long sz, int format)
{
WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer");
/* sanity check on arguments */
if (sz < 0 || in == NULL || ctx == NULL) {
return BAD_FUNC_ARG;
}
if (format == SSL_FILETYPE_PEM)
return ProcessChainBuffer(ctx, in, sz, format,
TRUSTED_PEER_TYPE, NULL);

2
tests/api.c
View File

@ -239,7 +239,7 @@ static void test_wolfSSL_CTX_trust_peer_cert(void)
/* Test of loading certs from buffers */
/* invalid ca buffer */
/* invalid buffer */
assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1,
SSL_FILETYPE_ASN1) != SSL_SUCCESS);