Fixes to get Nginx working again.

Only use weOwnDH as Nginx can change from client to server. Allow TLS v1.3 with client method for Nginx.
2018-02-08 11:14:31 +10:00 · 2018-02-08 11:14:31 +10:00 · 297fb1a447
commit 297fb1a447
parent d179e442b4
2 changed files with 14 additions and 6 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -4764,7 +4764,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
    XFREE(ssl->buffers.serverDH_Priv.buffer, ssl->heap, DYNAMIC_TYPE_PRIVATE_KEY);
    XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    /* parameters (p,g) may be owned by ctx */
-    if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) {
+    if (ssl->buffers.weOwnDH) {
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    }
@ -5013,7 +5013,7 @@ void FreeHandshakeResources(WOLFSSL* ssl)
    XFREE(ssl->buffers.serverDH_Pub.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
    ssl->buffers.serverDH_Pub.buffer = NULL;
    /* parameters (p,g) may be owned by ctx */
-    if (ssl->buffers.weOwnDH || ssl->options.side == WOLFSSL_CLIENT_END) {
+    if (ssl->buffers.weOwnDH) {
        XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
        ssl->buffers.serverDH_G.buffer = NULL;
        XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_PUBLIC_KEY);
@ -7990,12 +7990,16 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
            while (listSz) {
                word32 certSz;

-                if (args->totalCerts >= ssl->verifyDepth) {
-                #ifdef OPENSSL_EXTRA
+            #ifdef OPENSSL_EXTRA
+                if (args->totalCerts > ssl->verifyDepth) {
                    ssl->peerVerifyRet = X509_V_ERR_CERT_CHAIN_TOO_LONG;
-                #endif
                    ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
                }
+            #else
+                if (args->totalCerts >= ssl->verifyDepth) {
+                    ERROR_OUT(MAX_CHAIN_ERROR, exit_ppc);
+                }
+            #endif

                if ((args->idx - args->begin) + OPAQUE24_LEN > totalSz) {
                    ERROR_OUT(BUFFER_ERROR, exit_ppc);
@ -17842,6 +17846,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                                                                        length);
                    args->idx += length;

+                    ssl->buffers.weOwnDH = 1;
+
                    /* pub */
                    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
@ -18033,6 +18039,8 @@ static int DoServerKeyExchange(WOLFSSL* ssl, const byte* input,
                                                                        length);
                    args->idx += length;

+                    ssl->buffers.weOwnDH = 1;
+
                    /* pub */
                    if ((args->idx - args->begin) + OPAQUE16_LEN > size) {
                        ERROR_OUT(BUFFER_ERROR, exit_dske);
--- a/src/tls.c
+++ b/src/tls.c
@ -8846,7 +8846,7 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte msgType,
        (void)heap;
        if (method) {
 #if !defined(NO_SHA256) || defined(WOLFSSL_SHA384) || defined(WOLFSSL_SHA512)
-#if defined(WOLFSSL_TLS13) && !defined(WOLFSSL_NGINX)
+#if defined(WOLFSSL_TLS13)
            InitSSL_Method(method, MakeTLSv1_3());
 #else
            InitSSL_Method(method, MakeTLSv1_2());