From 729fc1e6039cad39786179afc31e7c8d1e037f2f Mon Sep 17 00:00:00 2001
From: toddouska
Date: Thu, 18 Apr 2013 09:11:35 -0700
Subject: [PATCH] add discardSessionCerts flag for verify callback
---
 cyassl/ssl.h | 7 +++----
 src/internal.c | 14 ++++++++++++++
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/cyassl/ssl.h b/cyassl/ssl.h
index 28ee12865..bea865344 100644
--- a/cyassl/ssl.h
+++ b/cyassl/ssl.h
@@ -134,14 +134,13 @@ typedef struct CYASSL_X509_OBJECT {
 } CYASSL_X509_OBJECT;
-/* in internal.h too, change there !! */
 typedef struct CYASSL_X509_STORE_CTX {
- int error;
- int error_depth;
 CYASSL_X509* current_cert; /* stunnel dereference */
 char* domain; /* subject CN domain name */
 void* ex_data; /* external data, for fortress build */
- /* in internal.h too, change there !! */
+ int error; /* current error */
+ int error_depth; /* cert depth for this error */
+ int discardSessionCerts; /* so verify callback can flag for discard */
 } CYASSL_X509_STORE_CTX;
diff --git a/src/internal.c b/src/internal.c
index 03139ac80..c087db328 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -3107,6 +3107,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 store.error = ret;
 store.error_depth = totalCerts;
+ store.discardSessionCerts = 0;
 store.domain = domain;
 #ifdef KEEP_PEER_CERT
 store.current_cert = &ssl->peerCert;
@@ -3121,6 +3122,12 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 CYASSL_MSG("Verify callback overriding error!");
 ret = 0;
 }
+ #ifdef SESSION_CERTS
+ if (store.discardSessionCerts) {
+ CYASSL_MSG("Verify callback requested discard sess certs");
+ ssl->session.chain.count = 0;
+ }
+ #endif
 }
 if (ret != 0) {
 SendAlert(ssl, alert_fatal, why); /* try to send */
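Review bot: Moving `error` and `error_depth` below `ex_data` in a public header changes the offsets of `current_cert`, `domain` and `ex_data`, so a verify callback compiled against the previous layout (the comment on `current_cert` says stunnel dereferences it) would read the wrong field until rebuilt; if that ABI matters, leave the two existing fields where they were and only append `int discardSessionCerts;` after `ex_data`. The deleted `/* in internal.h too, change there !! */` comments say this struct is duplicated in internal.h, yet the diffstat shows that file untouched; if the duplicate still exists, the two definitions now disagree, so confirm it was removed earlier. The new field's comment could also say what is discarded and in which builds, e.g. `int discardSessionCerts; /* set non-zero by the verify callback to drop the peer chain from the session (SESSION_CERTS builds) */`.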
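Review bot: The same `#ifdef SESSION_CERTS` discard block is added here and again in the `@@ -3148,6 +3156,12 @@` hunk, so the two verify paths will drift the first time one of them is touched; a small static helper called as `DiscardSessionCerts(ssl, &store);` at both sites removes the duplication and keeps the `#ifdef` in one place. Resetting only `ssl->session.chain.count` presumably leaves the already-copied certificate buffers in `ssl->session.chain` until they are overwritten, which is fine if every consumer iterates up to `count` but worth confirming if the intent is not to retain the data at all. The block that encloses this check (the `if` the closing `}` after `#endif` belongs to) starts outside the hunk.
```c
/* Honour a verify callback's request to drop the peer chain from the
 * session; a no-op when session certs are not compiled in. */
static void DiscardSessionCerts(CYASSL* ssl, const CYASSL_X509_STORE_CTX* store)
{
#ifdef SESSION_CERTS
    if (store->discardSessionCerts) {
        CYASSL_MSG("Verify callback requested discard sess certs");
        ssl->session.chain.count = 0;
    }
#else
    (void)ssl;
    (void)store;
#endif
}
/* … unchanged: DoCertificate up to the verify callback override … */
            DiscardSessionCerts(ssl, &store);
```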
@@ -3137,6 +3144,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 store.error = ret;
 store.error_depth = totalCerts;
+ store.discardSessionCerts = 0;
 store.domain = domain;
 store.current_cert = &ssl->peerCert;
 store.ex_data = ssl;
@@ -3148,6 +3156,12 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
 SendAlert(ssl, alert_fatal, bad_certificate);
 ssl->options.isClosed = 1;
 }
+ #ifdef SESSION_CERTS
+ if (store.discardSessionCerts) {
+ CYASSL_MSG("Verify callback requested discard sess certs");
+ ssl->session.chain.count = 0;
+ }
+ #endif
 }
 }
 #endif