modified client chain at server side

added unit test
2025-03-13 09:10:17 +09:00 · 2025-03-13 09:10:17 +09:00 · b39c2206d7
parent d6c0184fda
commit b39c2206d7
2 changed files with 76 additions and 13 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@ -14495,14 +14495,6 @@ static WOLF_STACK_OF(WOLFSSL_X509)* CreatePeerCertChain(const WOLFSSL* ssl,
    if (sk == NULL) {
        WOLFSSL_MSG("Null session chain");
    }
-#if defined(WOLFSSL_QT)
-    /* Qt handles a peer cert pushing to chain. */
-    else if (ssl->options.side == WOLFSSL_SERVER_END) {
-        /* to be compliant with openssl
-           first element is kept as peer cert on server side.*/
-        wolfSSL_sk_X509_pop(sk);
-    }
-#endif
    return sk;
 }

@ -14520,9 +14512,15 @@ WOLF_STACK_OF(WOLFSSL_X509)* wolfSSL_set_peer_cert_chain(WOLFSSL* ssl)
    sk = CreatePeerCertChain(ssl, 0);

    if (sk != NULL) {
+        if (ssl->options.side == WOLFSSL_SERVER_END) {
+            if (ssl->session->peer)
+                X509_free(ssl->session->peer);
+
+            ssl->session->peer = wolfSSL_sk_X509_pop(sk);
+            ssl->session->peerVerifyRet = ssl->peerVerifyRet;
+        }
        if (ssl->peerCertChain != NULL)
            wolfSSL_sk_X509_pop_free(ssl->peerCertChain, NULL);
-
        /* This is Free'd when ssl is Free'd */
        ssl->peerCertChain = sk;
    }
--- a/tests/api.c
+++ b/tests/api.c
@ -7574,8 +7574,9 @@ void test_ssl_memio_cleanup(test_ssl_memio_ctx* ctx)
    }
 }

-int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
-    test_ssl_cbf* server_cb, cbType client_on_handshake)
+static int test_wolfSSL_client_server_nofail_memio_ex(test_ssl_cbf* client_cb,
+    test_ssl_cbf* server_cb, cbType client_on_handshake,
+    cbType server_on_handshake)
 {
    /* We use EXPECT_DECLS_NO_MSGS() here because this helper routine is used
     * for numerous but varied expected-to-fail scenarios that should not emit
@ -7606,6 +7607,10 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
        ExpectIntEQ(client_on_handshake(test_ctx.c_ctx, test_ctx.c_ssl),
            TEST_SUCCESS);
    }
+    if (server_on_handshake != NULL) {
+        ExpectIntEQ(server_on_handshake(test_ctx.s_ctx, test_ctx.s_ssl),
+            TEST_SUCCESS);
+    }
    if (client_cb->on_handshake != NULL) {
        ExpectIntEQ(client_cb->on_handshake(&test_ctx.c_ctx, &test_ctx.c_ssl),
            TEST_SUCCESS);
@ -7636,6 +7641,13 @@ int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,

    return EXPECT_RESULT();
 }
+
+int test_wolfSSL_client_server_nofail_memio(test_ssl_cbf* client_cb,
+    test_ssl_cbf* server_cb, cbType client_on_handshake)
+{
+    return (test_wolfSSL_client_server_nofail_memio_ex(client_cb, server_cb,
+        client_on_handshake, NULL));
+}
 #endif

 #ifdef HAVE_IO_TESTS_DEPENDENCIES
@ -51870,6 +51882,57 @@ static void msg_cb(int write_p, int version, int content_type,
 #if defined(SESSION_CERTS)
 #include "wolfssl/internal.h"
 #endif
+static int msgSrvCb(SSL_CTX *ctx, SSL *ssl)
+{
+    EXPECT_DECLS;
+#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
+    STACK_OF(X509)* sk = NULL;
+    X509* x509 = NULL;
+    int i, num;
+    BIO* bio = NULL;
+#endif
+
+    ExpectNotNull(ctx);
+    ExpectNotNull(ssl);
+
+    fprintf(stderr, "\n===== msgSrvCb called ====\n");
+#if defined(SESSION_CERTS) && defined(TEST_PEER_CERT_CHAIN)
+    ExpectTrue(SSL_get_peer_cert_chain(ssl) != NULL);
+    chain = (WOLFSSL_X509_CHAIN *)SSL_get_peer_cert_chain(ssl);
+    ExpectIntEQ(chain->count, 2);
+    ExpectNotNull(SSL_get0_verified_chain(ssl));
+#endif
+
+#if defined(OPENSSL_ALL) && defined(SESSION_CERTS) && !defined(NO_BIO)
+    WOLFSSL_X509* peer = NULL;
+
+    ExpectNotNull(peer= wolfSSL_get_peer_certificate(ssl));
+    ExpectNotNull(bio = BIO_new_fp(stderr, BIO_NOCLOSE));
+
+    fprintf(stderr, "Peer Certificate = :\n");
+    X509_print(bio,peer);
+    X509_free(peer);
+
+    ExpectNotNull(sk = SSL_get_peer_cert_chain(ssl));
+    if (sk == NULL) {
+        BIO_free(bio);
+        return TEST_FAIL;
+    }
+    num = sk_X509_num(sk);
+    ExpectTrue(num > 0);
+    for (i = 0; i < num; i++) {
+        ExpectNotNull(x509 = sk_X509_value(sk,i));
+        if (x509 == NULL)
+            break;
+        fprintf(stderr, "Certificate at index [%d] = :\n",i);
+        X509_print(bio,x509);
+        fprintf(stderr, "\n\n");
+    }
+    BIO_free(bio);
+#endif
+    return EXPECT_RESULT();
+}
+
 static int msgCb(SSL_CTX *ctx, SSL *ssl)
 {
    EXPECT_DECLS;
@ -51930,9 +51993,11 @@ static int test_wolfSSL_msgCb(void)
    client_cb.method  = wolfTLSv1_3_client_method;
    server_cb.method  = wolfTLSv1_3_server_method;
 #endif
+    server_cb.caPemFile = caCertFile;
+    client_cb.certPemFile = "./certs/intermediate/client-chain.pem";

-    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio(&client_cb,
-        &server_cb, msgCb), TEST_SUCCESS);
+    ExpectIntEQ(test_wolfSSL_client_server_nofail_memio_ex(&client_cb,
+        &server_cb, msgCb, msgSrvCb), TEST_SUCCESS);
 #endif
    return EXPECT_RESULT();
 }