@@ -65,7 +65,12 @@ WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new_ex(void* heap)
6565 XMEMSET (ctx , 0 , sizeof (WOLFSSL_X509_STORE_CTX ));
6666 ctx -> heap = heap ;
6767#ifdef OPENSSL_EXTRA
68- if (wolfSSL_X509_STORE_CTX_init (ctx , NULL , NULL , NULL ) !=
68+ if ((ctx -> owned = wolfSSL_sk_X509_new_null ()) == NULL ) {
69+ XFREE (ctx , heap , DYNAMIC_TYPE_X509_CTX );
70+ ctx = NULL ;
71+ }
72+ if (ctx != NULL &&
73+ wolfSSL_X509_STORE_CTX_init (ctx , NULL , NULL , NULL ) !=
6974 WOLFSSL_SUCCESS ) {
7075 XFREE (ctx , heap , DYNAMIC_TYPE_X509_CTX );
7176 ctx = NULL ;
@@ -94,6 +99,9 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
9499 if (ctx -> chain != NULL ) {
95100 wolfSSL_sk_X509_free (ctx -> chain );
96101 }
102+ if (ctx -> owned != NULL ) {
103+ wolfSSL_sk_X509_pop_free (ctx -> owned , NULL );
104+ }
97105
98106 if (ctx -> current_issuer != NULL ) {
99107 wolfSSL_X509_free (ctx -> current_issuer );
@@ -292,6 +300,32 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
292300 return ret ;
293301}
294302
303+ static int addAllButSelfSigned (WOLF_STACK_OF (WOLFSSL_X509 )* to ,
304+ WOLF_STACK_OF (WOLFSSL_X509 )* from , int * numAdded )
305+ {
306+ int ret = WOLFSSL_SUCCESS ;
307+ int i = 0 ;
308+ int cnt = 0 ;
309+ WOLFSSL_X509 * x = NULL ;
310+
311+ for (i = 0 ; i < wolfSSL_sk_X509_num (from ); i ++ ) {
312+ x = wolfSSL_sk_X509_value (from , i );
313+ if (wolfSSL_X509_NAME_cmp (& x -> issuer , & x -> subject ) != 0 ) {
314+ if (wolfSSL_sk_X509_push (to , x ) <= 0 ) {
315+ ret = WOLFSSL_FAILURE ;
316+ goto exit ;
317+ }
318+ cnt ++ ;
319+ }
320+ }
321+
322+ exit :
323+ if (numAdded != NULL ) {
324+ * numAdded = cnt ;
325+ }
326+ return ret ;
327+ }
328+
295329/* Verifies certificate chain using WOLFSSL_X509_STORE_CTX
296330 * returns 0 on success or < 0 on failure.
297331 */
@@ -305,8 +339,8 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
305339 int depth = 0 ;
306340 WOLFSSL_X509 * issuer = NULL ;
307341 WOLFSSL_X509 * orig = NULL ;
308- WOLFSSL_X509 * tmp = NULL ;
309342 WOLF_STACK_OF (WOLFSSL_X509 )* certs = NULL ;
343+ WOLF_STACK_OF (WOLFSSL_X509 )* certsToUse = NULL ;
310344 WOLFSSL_ENTER ("wolfSSL_X509_verify_cert" );
311345
312346 if (ctx == NULL || ctx -> store == NULL || ctx -> store -> cm == NULL
@@ -315,32 +349,28 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
315349 }
316350
317351 certs = ctx -> store -> certs ;
318- if (ctx -> chain != NULL ) {
319- wolfSSL_sk_X509_free (ctx -> chain );
320- }
321- ctx -> chain = wolfSSL_sk_X509_new_null ();
322-
323352 if (ctx -> setTrustedSk != NULL ) {
324353 certs = ctx -> setTrustedSk ;
325354 }
326355
327356 if (certs == NULL &&
328357 wolfSSL_sk_X509_num (ctx -> ctxIntermediates ) > 0 ) {
329- certs = ctx -> ctxIntermediates ;
358+ certsToUse = wolfSSL_sk_X509_new_null ();
359+ ret = addAllButSelfSigned (certsToUse , ctx -> ctxIntermediates , NULL );
330360 }
331361 else {
332362 /* Add the intermediates provided on init to the list of untrusted
333363 * intermediates to be used */
334- for (i = 0 ; i < wolfSSL_sk_X509_num (ctx -> ctxIntermediates ); i ++ ) {
335- ret = wolfSSL_sk_X509_push (certs ,
336- wolfSSL_sk_X509_value (ctx -> ctxIntermediates , i ));
337- if (ret <= 0 ) {
338- goto exit ;
339- }
364+ ret = addAllButSelfSigned (certs , ctx -> ctxIntermediates , & numInterAdd );
365+ }
366+ if (ret != WOLFSSL_SUCCESS ) {
367+ goto exit ;
368+ }
340369
341- numInterAdd ++ ;
342- }
370+ if ( ctx -> chain != NULL ) {
371+ wolfSSL_sk_X509_free ( ctx -> chain );
343372 }
373+ ctx -> chain = wolfSSL_sk_X509_new_null ();
344374
345375 if (ctx -> depth > 0 ) {
346376 depth = ctx -> depth + 1 ;
@@ -356,26 +386,6 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
356386 /* Try to find an untrusted issuer first */
357387 ret = X509StoreGetIssuerEx (& issuer , certs ,
358388 ctx -> current_cert );
359- if (issuer != NULL &&
360- wolfSSL_X509_NAME_cmp (& issuer -> issuer , & issuer -> subject ) == 0 ) {
361- ret = WOLFSSL_FAILURE ;
362- /* Self signed allowed if in set trusted stack, otherwise
363- * ignore it and fall back to see if its in CM */
364- if ((certs == ctx -> setTrustedSk ) &&
365- (wolfSSL_sk_X509_num (certs ) > numInterAdd )) {
366- for (i = wolfSSL_sk_X509_num (certs ) - 1 ;
367- i > (numInterAdd > 0 ? numInterAdd - 1 : 0 );
368- i -- ) {
369- tmp = wolfSSL_sk_X509_value (certs , i );
370- if (tmp != NULL && wolfSSL_X509_NAME_cmp (
371- & issuer -> subject , & tmp -> subject ) == 0 ) {
372- ret = WOLFSSL_SUCCESS ;
373- break ;
374- }
375- tmp = NULL ;
376- }
377- }
378- }
379389 if (ret == WOLFSSL_SUCCESS ) {
380390 if (ctx -> current_cert == issuer ) {
381391 wolfSSL_sk_X509_push (ctx -> chain , ctx -> current_cert );
@@ -417,10 +427,11 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
417427
418428 /* Cert verified, finish building the chain */
419429 wolfSSL_sk_X509_push (ctx -> chain , ctx -> current_cert );
430+ issuer = NULL ;
420431 #ifdef WOLFSSL_SIGNER_DER_CERT
421432 x509GetIssuerFromCM (& issuer , ctx -> store -> cm , ctx -> current_cert );
422- if (issuer != NULL && ctx -> store -> owned != NULL ) {
423- wolfSSL_sk_X509_push (ctx -> store -> owned , issuer );
433+ if (issuer != NULL && ctx -> owned != NULL ) {
434+ wolfSSL_sk_X509_push (ctx -> owned , issuer );
424435 }
425436 #else
426437 if (ctx -> setTrustedSk == NULL ) {
@@ -463,6 +474,9 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
463474 ctx -> current_cert = orig ;
464475 }
465476 }
477+ if (certsToUse != NULL ) {
478+ wolfSSL_sk_X509_free (certsToUse );
479+ }
466480
467481 return ret == WOLFSSL_SUCCESS ? WOLFSSL_SUCCESS : WOLFSSL_FAILURE ;
468482}
0 commit comments