Small changes per review comments

wolfSSL · Oct 22, 2024 · 9d69266 · 9d69266
1 parent 176bc6a
commit 9d69266
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 5 deletions.
diff --git a/src/x509_str.c b/src/x509_str.c
@@ -43,6 +43,7 @@ static int X509StoreAddCa(WOLFSSL_X509_STORE* store,
                                           WOLFSSL_X509* x509, int type);
 #endif
 
+/* Based on OpenSSL default max depth */
 #ifndef WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH
 #define WOLFSSL_X509_STORE_DEFAULT_MAX_DEPTH 100
 #endif
@@ -264,9 +265,9 @@ static int X509StoreVerifyCert(WOLFSSL_X509_STORE_CTX* ctx)
         if (ret != WC_NO_ERR_TRACE(ASN_BEFORE_DATE_E) &&
             ret != WC_NO_ERR_TRACE(ASN_AFTER_DATE_E)) {
             /* wolfSSL_CertManagerVerifyBuffer only returns ASN_AFTER_DATE_E or
-            ASN_BEFORE_DATE_E if there are no additional errors found in the
-            cert. Therefore, check if the cert is expired or not yet valid
-            in order to return the correct expected error. */
+             * ASN_BEFORE_DATE_E if there are no additional errors found in the
+             * cert. Therefore, check if the cert is expired or not yet valid
+             * in order to return the correct expected error. */
             byte *afterDate = ctx->current_cert->notAfter.data;
             byte *beforeDate = ctx->current_cert->notBefore.data;
 
@@ -333,7 +334,7 @@ int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
             ret = wolfSSL_sk_X509_push(certs,
                 wolfSSL_sk_X509_value(ctx->ctxIntermediates, i));
             if (ret <= 0) {
-                return WOLFSSL_FAILURE;
+                goto exit;
             }
 
             numInterAdd++;

diff --git a/tests/api.c b/tests/api.c
@@ -60410,6 +60410,8 @@ static int test_X509_STORE_untrusted(void)
     /* Root CA in untrusted chain is OK */
     ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 1),
             TEST_SUCCESS);
+    ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted3, 1, 0, 0),
+            TEST_SUCCESS);
     /* Succeeds because path to loaded CA is available. */
     ExpectIntEQ(test_X509_STORE_untrusted_certs(untrusted4, 1, 0, 1),
             TEST_SUCCESS);

diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -3315,7 +3315,8 @@ enum {
 
     WOLFSSL_USER_CA  = 1,          /* user added as trusted */
     WOLFSSL_CHAIN_CA = 2,          /* added to cache from trusted chain */
-    WOLFSSL_INTER_CA = 3           /* Intermediate CA */
+    WOLFSSL_INTER_CA = 3           /* Intermediate CA, only for use by
+                                    * X509_STORE */
 };
 
 WOLFSSL_ABI WOLFSSL_API WC_RNG* wolfSSL_GetRNG(WOLFSSL* ssl);