Commit 1ddb2ce

ColtonWilley authored and douzzer committed
Properly implement set flags for X509_V_FLAG_PARTIAL_CHAIN
1 parent 87ce965 commit 1ddb2ce

3 files changed

+60
-4
lines changed

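--- a/src/x509_str.c
+++ b/src/x509_str.c
@@ -384,7 +384,8 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
 * a trusted CA in the CM */
 ret = X509StoreVerifyCert(ctx);
 if (ret != WOLFSSL_SUCCESS) {
-if ((ctx->store->param->flags & X509_V_FLAG_PARTIAL_CHAIN) &&
+if (((ctx->flags & X509_V_FLAG_PARTIAL_CHAIN) ||
+(ctx->store->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) &&
 (added == 1)) {
 wolfSSL_sk_X509_push(ctx->chain, ctx->current_cert);
 ret = WOLFSSL_SUCCESS;
@@ -550,9 +551,9 @@ int wolfSSL_X509_STORE_CTX_set_purpose(WOLFSSL_X509_STORE_CTX *ctx,
 void wolfSSL_X509_STORE_CTX_set_flags(WOLFSSL_X509_STORE_CTX *ctx,
 unsigned long flags)
 {
-(void)ctx;
-(void)flags;
-WOLFSSL_STUB("wolfSSL_X509_STORE_CTX_set_flags (not implemented)");
+if ((ctx != NULL) && (flags & X509_V_FLAG_PARTIAL_CHAIN)){
+ctx->flags |= X509_V_FLAG_PARTIAL_CHAIN;
+}
 }
 #endif /* !NO_WOLFSSL_STUB */
 
@@ -1329,6 +1330,9 @@ int wolfSSL_X509_STORE_set_flags(WOLFSSL_X509_STORE* store, unsigned long flag)
 ret = wolfSSL_CertManagerDisableCRL(store->cm);
 }
 #endif
+if (flag & X509_V_FLAG_PARTIAL_CHAIN) {
+store->param->flags |= X509_V_FLAG_PARTIAL_CHAIN;
+}
 return ret;
 }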
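Review bot: The PARTIAL_CHAIN fallback in wolfSSL_X509_verify_cert still fires on any non-success return from X509StoreVerifyCert, so unless `added == 1` already restricts the failure to a missing trusted issuer (not visible in this hunk), a leaf that failed for some other reason — bad signature, expiry, revocation — would be promoted to WOLFSSL_SUCCESS once either flag is set; I would gate the fallback on the specific missing-issuer result rather than on `ret != WOLFSSL_SUCCESS`, or add a comment stating why `added` makes the broad condition safe. In wolfSSL_X509_STORE_CTX_set_flags the trailing `#endif /* !NO_WOLFSSL_STUB */` suggests the function is still inside the stub guard, so a build with NO_WOLFSSL_STUB defined would lose the now-real implementation; if that guard really encloses it, the function should move out. That function also discards every flag other than X509_V_FLAG_PARTIAL_CHAIN silently where the stub used to announce itself, so a comment such as `/* Only X509_V_FLAG_PARTIAL_CHAIN is honored on the ctx; other X509_V_FLAG_* bits are ignored */` would at least make the contract explicit to callers. All three functions start or end outside the hunks.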

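--- a/tests/api.c
+++ b/tests/api.c
@@ -225,6 +225,7 @@
 #include <wolfssl/openssl/modes.h>
 #include <wolfssl/openssl/fips_rand.h>
 #include <wolfssl/openssl/kdf.h>
+#include <wolfssl/openssl/x509_vfy.h>
 #ifdef OPENSSL_ALL
 #include <wolfssl/openssl/txt_db.h>
 #include <wolfssl/openssl/lhash.h>
@@ -60207,6 +60208,54 @@ static int test_wolfSSL_X509_STORE_CTX_ex9(X509_STORE_test_data *testData)
 sk_X509_free(trusted);
 return EXPECT_RESULT();
 }
+
+static int test_wolfSSL_X509_STORE_CTX_ex10(X509_STORE_test_data *testData)
+{
+EXPECT_DECLS;
+X509_STORE* store = NULL;
+X509_STORE_CTX* ctx = NULL;
+STACK_OF(X509)* chain = NULL;
+
+/* Test case 10, ensure partial chain flag works */
+ExpectNotNull(store = X509_STORE_new());
+ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1);
+ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1);
+ExpectNotNull(ctx = X509_STORE_CTX_new());
+ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1);
+/* Fails because chain is incomplete */
+ExpectIntNE(X509_verify_cert(ctx), 1);
+ExpectIntEQ(X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN), 1);
+/* Partial chain now OK */
+ExpectIntEQ(X509_verify_cert(ctx), 1);
+ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx));
+X509_STORE_CTX_free(ctx);
+X509_STORE_free(store);
+return EXPECT_RESULT();
+}
+
+static int test_wolfSSL_X509_STORE_CTX_ex11(X509_STORE_test_data *testData)
+{
+EXPECT_DECLS;
+X509_STORE* store = NULL;
+X509_STORE_CTX* ctx = NULL;
+STACK_OF(X509)* chain = NULL;
+
+/* Test case 11, test partial chain flag on ctx itself */
+ExpectNotNull(store = X509_STORE_new());
+ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt), 1);
+ExpectIntEQ(X509_STORE_add_cert(store, testData->x509CaInt2), 1);
+ExpectNotNull(ctx = X509_STORE_CTX_new());
+ExpectIntEQ(X509_STORE_CTX_init(ctx, store, testData->x509Leaf, NULL), 1);
+/* Fails because chain is incomplete */
+ExpectIntNE(X509_verify_cert(ctx), 1);
+X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_PARTIAL_CHAIN);
+/* Partial chain now OK */
+ExpectIntEQ(X509_verify_cert(ctx), 1);
+ExpectNotNull(chain = X509_STORE_CTX_get_chain(ctx));
+X509_STORE_CTX_free(ctx);
+X509_STORE_free(store);
+return EXPECT_RESULT();
+}
 #endif
 
 static int test_wolfSSL_X509_STORE_CTX_ex(void)
@@ -60244,6 +60293,8 @@ static int test_wolfSSL_X509_STORE_CTX_ex(void)
 ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex7(&testData), 1);
 ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex8(&testData), 1);
 ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex9(&testData), 1);
+ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex10(&testData), 1);
+ExpectIntEQ(test_wolfSSL_X509_STORE_CTX_ex11(&testData), 1);
 
 if(testData.x509Ca) {
 X509_free(testData.x509Ca);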
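Review bot: Neither ex10 nor ex11 has a negative case, so nothing checks that X509_V_FLAG_PARTIAL_CHAIN still leaves verification failing when the chain is genuinely broken (a leaf whose issuer is absent from the store, or one with a bad signature); since the fallback in x509_str.c is keyed on any X509StoreVerifyCert failure, that is the assertion most worth adding here. The `chain` returned by X509_STORE_CTX_get_chain is only checked for non-NULL; something like `ExpectIntGE(sk_X509_num(chain), 1);` would show the pushed leaf actually landed in it. Both tests also call X509_verify_cert twice on the same ctx without re-running X509_STORE_CTX_init, which relies on the ctx being re-verifiable after a failure — worth a one-line comment if that is intended rather than incidental. The enclosing #ifdef block and test_wolfSSL_X509_STORE_CTX_ex start or end outside the hunks.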

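--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -701,6 +701,7 @@ struct WOLFSSL_X509_STORE_CTX {
 WOLFSSL_BUFFER_INFO* certs; /* peer certs */
 WOLFSSL_X509_STORE_CTX_verify_cb verify_cb; /* verify callback */
 void* heap;
+int flags;
 WOLF_STACK_OF(WOLFSSL_X509)* ctxIntermediates; /* Intermediates specified
 * on store ctx init */
 WOLF_STACK_OF(WOLFSSL_X509)* setTrustedSk;/* A trusted stack override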
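Review bot: The new `int flags` member is only ever OR-ed into by wolfSSL_X509_STORE_CTX_set_flags, and this diff does not show it being zeroed in the STORE_CTX constructor or init path; if that memory is not cleared there, a stale bit would enable partial-chain acceptance without any caller asking for it, so please confirm it is initialized. The type should also match the `unsigned long flags` parameter it is filled from (and presumably the store's param flags it is tested alongside); `unsigned long flags;` avoids the signed/unsigned mix. A short comment such as `/* X509_V_FLAG_* bits set on this ctx via wolfSSL_X509_STORE_CTX_set_flags */` would match the neighbouring fields. struct WOLFSSL_X509_STORE_CTX starts and ends outside the hunk.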
