From be98e3e7f3e99f6ae2e5e9bee11179d0bee7d29f Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 19 Jan 2018 09:48:02 -0700 Subject: [PATCH] build condition for SendAlerts and fix free of x509 store --- src/internal.c | 25 ++++++++++++++----------- wolfssl/ssl.h | 2 +- 2 files changed, 15 insertions(+), 12 deletions(-) diff --git a/src/internal.c b/src/internal.c index e5cdd4c1f..e24dfce85 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8439,10 +8439,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, wolfSSL_sk_X509_free(store->chain); store->chain = NULL; #endif - #ifdef WOLFSSL_SMALL_STACK - XFREE(x509, ssl->heap, DYNAMIC_TYPE_X509); - XFREE(store, ssl->heap, DYNAMIC_TYPE_X509_STORE); - #endif #ifdef SESSION_CERTS if (store->discardSessionCerts) { WOLFSSL_MSG("Verify callback requested discard sess certs"); @@ -8452,6 +8448,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif } #endif /* SESSION_CERTS */ + #ifdef WOLFSSL_SMALL_STACK + XFREE(x509, ssl->heap, DYNAMIC_TYPE_X509); + XFREE(store, ssl->heap, DYNAMIC_TYPE_X509_STORE); + #endif } if (ret != 0) { SendAlert(ssl, alert_fatal, why); /* try to send */ @@ -8525,10 +8525,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, wolfSSL_sk_X509_free(store->chain); store->chain = NULL; #endif - #ifdef WOLFSSL_SMALL_STACK - XFREE(store, ssl->heap, DYNAMIC_TYPE_X509_STORE); - XFREE(x509, ssl->heap, DYNAMIC_TYPE_X509); - #endif #ifdef SESSION_CERTS if (store->discardSessionCerts) { WOLFSSL_MSG("Verify callback requested discard sess certs"); @@ -8538,6 +8534,10 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif } #endif /* SESSION_CERTS */ + #ifdef WOLFSSL_SMALL_STACK + XFREE(store, ssl->heap, DYNAMIC_TYPE_X509_STORE); + XFREE(x509, ssl->heap, DYNAMIC_TYPE_X509); + #endif } } #endif /* WOLFSSL_ALWAYS_VERIFY_CB */ @@ -8614,8 +8614,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else if (ret == ASN_PARSE_E || ret == BUFFER_E) { WOLFSSL_MSG("Got Peer cert ASN PARSE or BUFFER ERROR"); - SendAlert(ssl, alert_fatal, bad_certificate); #ifdef OPENSSL_EXTRA + SendAlert(ssl, alert_fatal, bad_certificate); ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; #endif args->fatal = 1; @@ -8632,10 +8632,13 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, } else { WOLFSSL_MSG("\tNo callback override available, fatal"); - SendAlert(ssl, alert_fatal, bad_certificate); args->fatal = 1; + #ifdef OPENSSL_EXTRA + SendAlert(ssl, alert_fatal, bad_certificate); + #endif } } + #ifdef HAVE_SECURE_RENEGOTIATION if (args->fatal == 0 && ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { @@ -8805,8 +8808,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (args->fatal) { ssl->error = ret; - SendAlert(ssl, alert_fatal, bad_certificate); #ifdef OPENSSL_EXTRA + SendAlert(ssl, alert_fatal, bad_certificate); ssl->peerVerifyRet = X509_V_ERR_CERT_REJECTED; #endif goto exit_ppc; diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 9b983d779..261e04aab 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -343,7 +343,7 @@ typedef struct WOLFSSL_X509_STORE_CTX { void* ex_data; /* external data, for fortress build */ void* userCtx; /* user ctx */ int error; /* current error */ - int error_depth; /* cert depth for this error */ + int error_depth; /* index of cert depth for this error */ int discardSessionCerts; /* so verify callback can flag for discard */ int totalCerts; /* number of peer cert buffers */ WOLFSSL_BUFFER_INFO* certs; /* peer certs */