From e3030b514cbbb843e04bc6065d7232f67de8de82 Mon Sep 17 00:00:00 2001
From: Kareem
Date: Wed, 12 Jun 2024 16:53:12 -0700
Subject: [PATCH] Add a flag to prevent calling the verify callback twice if the error is not overriden.
---
 src/internal.c | 42 ++++++++++++++++++++++++++----------------
 wolfssl/internal.h | 1 +
 2 files changed, 27 insertions(+), 16 deletions(-)
diff --git a/src/internal.c b/src/internal.c
index 5a7022f69d..0589fa9ade 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -14345,7 +14345,7 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
 ca->serialHash, NULL, 0, NULL);
 if (ret != 0) DoCrlCallback(cm, ssl, args, &ret);
- if (ret != 0) {
+ if (ret != 0 && !args->verifyCbCalled) {
 ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
 if (ssl->options.verifyNone && (ret == CRL_MISSING || ret == CRL_CERT_REVOKED ||
@@ -14353,6 +14353,8 @@ static int ProcessPeerCertsChainCRLCheck(WOLFSSL* ssl, ProcPeerCertArgs* args)
 WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
 ret = ssl->error = 0;
 }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 if (ret != 0){
 WOLFSSL_ERROR_VERBOSE(ret);
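Review bot: The callback-plus-CRL-downgrade sequence now exists in three hand-maintained copies (here in ProcessPeerCertsChainCRLCheck and twice in ProcessPeerCerts), and the copies already differ: this one compares `ret` against bare `CRL_MISSING` and `CRL_CERT_REVOKED`, while the other two wrap each code in `WC_NO_ERR_TRACE(...)`. Because this block decides whether a revocation error is ignored under `verifyNone`, I would move the flag guard, the `DoVerifyCallback` call, the downgrade and the `if (ret != 0) args->verifyCbCalled = 1;` step into one static helper and call it from all three sites, so a later change to the flag logic cannot land in only some of them. The function body starts and ends outside both hunks, so the rest of the control flow is not visible here.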
@@ -14936,13 +14938,17 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
 /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
+ if (!args->verifyCbCalled) {
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (ssl->options.verifyNone &&
+ (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 #ifdef WOLFSSL_ALT_CERT_CHAINS
@@ -15941,15 +15947,19 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
 }
 #endif /* defined(__APPLE__) && defined(WOLFSSL_SYS_CA_CERTS) */
- /* Do verify callback */
- ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
+ if (!args->verifyCbCalled) {
+ /* Do verify callback */
+ ret = DoVerifyCallback(SSL_CM(ssl), ssl, ret, args);
- if (ssl->options.verifyNone &&
- (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
- ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
- WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
- ret = ssl->error = 0;
+ if (ssl->options.verifyNone &&
+ (ret == WC_NO_ERR_TRACE(CRL_MISSING) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_REVOKED) ||
+ ret == WC_NO_ERR_TRACE(CRL_CERT_DATE_ERR))) {
+ WOLFSSL_MSG("Ignoring CRL problem based on verify setting");
+ ret = ssl->error = 0;
+ }
+ if (ret != 0)
+ args->verifyCbCalled = 1;
 }
 if (ret != 0) {
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index 0ae722d50f..5c67670ac0 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
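Review bot: `verifyCbCalled` is set here and never cleared anywhere in the visible code, so once one certificate leaves a non-zero `ret`, every later pass through this guard, and through the second ProcessPeerCerts hunk at -15941, skips `DoVerifyCallback` entirely. The context line right after this block is `#ifdef WOLFSSL_ALT_CERT_CHAINS`; if that code (outside the hunk) can reset `ret` and continue with the next certificate, an application callback that enforces its own checks, such as pinning, would not be consulted for the remaining certificates, including the peer certificate. I would either add `args->verifyCbCalled = 0;` wherever `ret` is reset after this point, or remember the error value the callback already saw and skip only while `ret` still equals it. A regression test with a chain whose first CA fails and is then tolerated would show which behaviour is intended.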
@@ -2686,6 +2686,7 @@ typedef struct ProcPeerCertArgs {
 #ifdef WOLFSSL_TRUST_PEER_CERT
 word16 haveTrustPeer:1; /* was cert verified by loaded trusted peer cert */
 #endif
+ word16 verifyCbCalled:1;
 } ProcPeerCertArgs;
 WOLFSSL_LOCAL int DoVerifyCallback(WOLFSSL_CERT_MANAGER* cm, WOLFSSL* ssl, int ret, ProcPeerCertArgs* args);
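Review bot: The new bit-field has no comment, unlike `haveTrustPeer` just above it, and its name says less than its meaning: the hunks in src/internal.c set it only when the callback has run and `ret` is still non-zero. I would write `word16 verifyCbCalled:1; /* verify callback already ran and left an error; do not call it again */`. The guards also assume the bit starts at 0 for every handshake; the code that initialises ProcPeerCertArgs is not part of this diff, so that is worth confirming.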