diff --git a/src/internal.c b/src/internal.c index 523daf1e2..b5f24fcc7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4631,27 +4631,29 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef WOLFSSL_TRUST_PEER_CERT /* if using trusted peer certs check before verify chain and CA test */ if (count > 0) { - TrustedPeerCert* tp = NULL; + TrustedPeerCert* tp = NULL; - InitDecodedCert(dCert, certs[0].buffer, certs[0].length, ssl->heap); - ret = ParseCertRelative(dCert, CERT_TYPE, 0, ssl->ctx->cm); - #ifndef NO_SKID - if (dCert->extAuthKeyIdSet) - tp = GetTrustedPeer(ssl->ctx->cm, dCert->extSubjKeyId); - #else /* NO_SKID */ - tp = GetTrustedPeer(ssl->ctx->cm, dCert->issuerHash); - #endif /* NO SKID */ - WOLFSSL_MSG("Checking for trusted peer cert"); + InitDecodedCert(dCert, certs[0].buffer, certs[0].length, ssl->heap); + ret = ParseCertRelative(dCert, CERT_TYPE, 0, ssl->ctx->cm); + #ifndef NO_SKID + if (dCert->extAuthKeyIdSet) + tp = GetTrustedPeer(ssl->ctx->cm, dCert->extSubjKeyId); + #else /* NO_SKID */ + tp = GetTrustedPeer(ssl->ctx->cm, dCert->subjectHash); + #endif /* NO SKID */ + WOLFSSL_MSG("Checking for trusted peer cert"); - if (tp == NULL) { - /* no trusted peer cert */ - WOLFSSL_MSG("No matching trusted peer cert. Checking CAs"); - } else if (MatchTrustedPeer(tp, dCert)){ - WOLFSSL_MSG("Found matching trusted peer cert"); - haveTrustPeer = 1; - } else { - WOLFSSL_MSG("Trusted peer cert did not match!"); - } + if (tp == NULL) { + /* no trusted peer cert */ + WOLFSSL_MSG("No matching trusted peer cert. Checking CAs"); + FreeDecodedCert(dCert); + } else if (MatchTrustedPeer(tp, dCert)){ + WOLFSSL_MSG("Found matching trusted peer cert"); + haveTrustPeer = 1; + } else { + WOLFSSL_MSG("Trusted peer cert did not match!"); + FreeDecodedCert(dCert); + } } if (!haveTrustPeer) { /* do not verify chain if trusted peer cert found */ #endif /* WOLFSSL_TRUST_PEER_CERT */ diff --git a/src/ssl.c b/src/ssl.c index 22ed142fd..e896f0be8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2215,12 +2215,18 @@ int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash) #ifdef WOLFSSL_TRUST_PEER_CERT +/* hash is the SHA digest of name, just use first 32 bits as hash */ +static INLINE word32 TrustedPeerHashSigner(const byte* hash) +{ + return MakeWordFromHash(hash) % TP_TABLE_SIZE; +} + /* does trusted peer already exist on signer list */ int AlreadyTrustedPeer(WOLFSSL_CERT_MANAGER* cm, byte* hash) { TrustedPeerCert* tp; int ret = 0; - word32 row = HashSigner(hash); + word32 row = TrustedPeerHashSigner(hash); if (LockMutex(&cm->tpLock) != 0) return ret; @@ -2255,7 +2261,7 @@ TrustedPeerCert* GetTrustedPeer(void* vp, byte* hash) if (cm == NULL || hash == NULL) return NULL; - row = HashSigner(hash); + row = TrustedPeerHashSigner(hash); if (LockMutex(&cm->tpLock) != 0) return ret; @@ -2454,9 +2460,9 @@ int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify) #endif #ifndef NO_SKID - row = HashSigner(peerCert->subjectKeyIdHash); + row = TrustedPeerHashSigner(peerCert->subjectKeyIdHash); #else - row = HashSigner(peerCert->subjectNameHash); + row = TrustedPeerHashSigner(peerCert->subjectNameHash); #endif if (LockMutex(&cm->tpLock) == 0) { @@ -7643,6 +7649,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl) long sz, int format) { WOLFSSL_ENTER("wolfSSL_CTX_trust_peer_buffer"); + + /* sanity check on arguments */ + if (sz < 0 || in == NULL || ctx == NULL) { + return BAD_FUNC_ARG; + } + if (format == SSL_FILETYPE_PEM) return ProcessChainBuffer(ctx, in, sz, format, TRUSTED_PEER_TYPE, NULL); diff --git a/tests/api.c b/tests/api.c index 83b77ea3c..59fcb4d51 100644 --- a/tests/api.c +++ b/tests/api.c @@ -239,7 +239,7 @@ static void test_wolfSSL_CTX_trust_peer_cert(void) /* Test of loading certs from buffers */ - /* invalid ca buffer */ + /* invalid buffer */ assert(wolfSSL_CTX_trust_peer_buffer(ctx, NULL, -1, SSL_FILETYPE_ASN1) != SSL_SUCCESS);