add discardSessionCerts flag for verify callback

2013-04-18 09:11:35 -07:00 · 2013-04-18 09:11:35 -07:00 · 729fc1e603
parent 71a1abebf5
commit 729fc1e603
2 changed files with 17 additions and 4 deletions
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
@ -134,14 +134,13 @@ typedef struct CYASSL_X509_OBJECT {
 } CYASSL_X509_OBJECT;


-/* in internal.h too, change there !! */
 typedef struct CYASSL_X509_STORE_CTX {
-    int   error;
-    int   error_depth;
    CYASSL_X509* current_cert;   /* stunnel dereference */
    char* domain;                /* subject CN domain name */
    void* ex_data;               /* external data, for fortress build */
-    /* in internal.h too, change there !! */
+    int   error;                 /* current error */
+    int   error_depth;           /* cert depth for this error */
+    int   discardSessionCerts;   /* so verify callback can flag for discard */ 
 } CYASSL_X509_STORE_CTX;


--- a/src/internal.c
+++ b/src/internal.c
@ -3107,6 +3107,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)

                store.error = ret;
                store.error_depth = totalCerts;
+                store.discardSessionCerts = 0;
                store.domain = domain;
 #ifdef KEEP_PEER_CERT
                store.current_cert = &ssl->peerCert;
@ -3121,6 +3122,12 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
                    CYASSL_MSG("Verify callback overriding error!"); 
                    ret = 0;
                }
+                #ifdef SESSION_CERTS
+                if (store.discardSessionCerts) {
+                    CYASSL_MSG("Verify callback requested discard sess certs");
+                    ssl->session.chain.count = 0;
+                }
+                #endif
            }
            if (ret != 0) {
                SendAlert(ssl, alert_fatal, why);   /* try to send */
@ -3137,6 +3144,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)

            store.error = ret;
            store.error_depth = totalCerts;
+            store.discardSessionCerts = 0;
            store.domain = domain;
            store.current_cert = &ssl->peerCert;
            store.ex_data = ssl;
@ -3148,6 +3156,12 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
                SendAlert(ssl, alert_fatal, bad_certificate);
                ssl->options.isClosed = 1;
            }
+            #ifdef SESSION_CERTS
+            if (store.discardSessionCerts) {
+                CYASSL_MSG("Verify callback requested discard sess certs");
+                ssl->session.chain.count = 0;
+            }
+            #endif
        }
    }
 #endif