

Add a flag to prevent calling the verify callback twice if the error …
…is not overridden.
kareem-wolfssl committed Jun 12, 2024
1 parent bec00a4 commit e3030b5
Showing 2 changed files with 27 additions and 16 deletions.
42 changes: 26 additions & 16 deletions src/internal.c
Expand Up @@ -14345,14 +14345,16 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
ca->serialHash, NULL, 0, NULL);
if (ret != 0)
DoCrlCallback(cm, ssl, args, &ret);
if (ret != 0) {
if (ret != 0 && !args->verifyCbCalled) {
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
ret == CRL_CERT_DATE_ERR)) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
if (ret != 0)
args->verifyCbCalled = 1;
}
if (ret != 0){
WOLFSSL_ERROR_VERBOSE(ret);
Expand Down Expand Up @@ -14936,13 +14938,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */

/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
if (!args->verifyCbCalled) {
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (ssl->options.verifyNone &&
(ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
if (ret != 0)
args->verifyCbCalled = 1;
}

#ifdef WOLFSSL_ALT_CERT_CHAINS
Expand Down Expand Up @@ -15941,15 +15947,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
#endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */

/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
if (!args->verifyCbCalled) {
/* Do verify callback */
ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);

if (ssl->options.verifyNone &&
(ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
if (ssl->options.verifyNone &&
(ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
ret = ssl->error = 0;
}
if (ret != 0)
args->verifyCbCalled = 1;
}

if (ret != 0) {
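Review bot: The three sites that now guard the verify callback with `args->verifyCbCalled` (ProcessPeerCertsChainCRLCheck in the first hunk, the two ProcessPeerCerts sites in the second and third) each repeat the same sequence — call DoVerifyCallback, clear the CRL errors under verifyNone, set the flag when the error survives — so any later change to that one-shot policy has to be made three times; a single static helper would keep the rule in one place. The first site also compares against bare `CRL_MISSING`/`CRL_CERT_REVOKED`/`CRL_CERT_DATE_ERR` while the other two use `WC_NO_ERR_TRACE(...)`; those lines are context here, but a shared helper would remove that inconsistency too. The skip is keyed on the flag alone, so it is only correct if `ret` still carries the unoverridden error when a later site is reached; that path lies between the hunks and is worth confirming rather than assumed. All three enclosing functions start and end outside the hunks shown, and the helper below would have to be defined or declared before ProcessPeerCertsChainCRLCheck.
```c
/* Run the application verify callback at most once per ProcessPeerCerts pass.
 * Returns the possibly overridden error. args->verifyCbCalled is set only when
 * the callback left a non-zero error in place, so a later site does not
 * re-invoke it for the same error. */
static int DoVerifyCallbackOnce(WOLFSSL* ssl, ProcPeerCertArgs* args, int ret)
{
    if (args->verifyCbCalled)
        return ret;

    ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
    if (ssl->options.verifyNone &&
            (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
             ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
             ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
        WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
        ret = ssl->error = 0;
    }
    if (ret != 0)
        args->verifyCbCalled = 1;
    return ret;
}

/* … unchanged: ProcessPeerCertsChainCRLCheck up to the CRL callback … */
    if (ret != 0)
        ret = DoVerifyCallbackOnce(ssl, args, ret);

/* … unchanged: both ProcessPeerCerts sites, replacing the guarded block … */
    /* Do verify callback */
    ret = DoVerifyCallbackOnce(ssl, args, ret);
```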
1 change: 1 addition & 0 deletions wolfssl/internal.h
Expand Up @@ -2686,6 +2686,7 @@ typedef struct ProcPeerCertArgs {
#ifdef WOLFSSL_TRUST_PEER_CERT
word16 haveTrustPeer:1; /* was cert verified by loaded trusted peer cert */
#endif
word16 verifyCbCalled:1;
} ProcPeerCertArgs;
WOLFSSL_LOCAL int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl,
int ret, ProcPeerCertArgs* args);
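Review bot: The new `verifyCbCalled` bit has no comment, while its neighbour `haveTrustPeer` documents its meaning; since this flag decides whether the application's verify callback is invoked at all, it deserves one, e.g. `word16 verifyCbCalled:1; /* verify cb already ran and left its error in place */`. The one-shot behaviour also depends on the bit being zero at the start of each ProcessPeerCerts pass; the initialization of ProcPeerCertArgs is outside this diff and is worth confirming rather than assumed. The struct definition begins above the hunk.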
