
Commit e562a1c

Merge pull request #7867 from ColtonWilley/cert_copy_option
Add new option to always copy cert buffer for each SSL object
2 parents b412e5f + d056b63 commit e562a1c

4 files changed

Lines changed: 81 additions & 0 deletions


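--- a/src/internal.c
+++ b/src/internal.c
@@ -6803,9 +6803,35 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #endif /* HAVE_RPK */
 
 #ifndef NO_CERTS
+#ifdef WOLFSSL_COPY_CERT
+/* If WOLFSSL_COPY_CERT is defined, always copy the cert */
+if (ctx->certificate != NULL) {
+ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
+ctx->certificate->length, ctx->certificate->type,
+ctx->certificate->heap);
+if (ret != 0) {
+return ret;
+}
+
+ssl->buffers.weOwnCert = 1;
+ret = WOLFSSL_SUCCESS;
+}
+if (ctx->certChain != NULL) {
+ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
+ctx->certChain->length, ctx->certChain->type,
+ctx->certChain->heap);
+if (ret != 0) {
+return ret;
+}
+
+ssl->buffers.weOwnCertChain = 1;
+ret = WOLFSSL_SUCCESS;
+}
+#else
 /* ctx still owns certificate, certChain, key, dh, and cm */
 ssl->buffers.certificate = ctx->certificate;
 ssl->buffers.certChain = ctx->certChain;
+#endif
 #ifdef WOLFSSL_TLS13
 ssl->buffers.certChainCnt = ctx->certChainCnt;
 #endif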
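Review bot: The copy branch at 6808–6818 stores into `ssl->buffers.certificate` without releasing whatever it already points to, whereas the counterpart added to src/ssl.c in this same commit frees an existing buffer before copying. If SetSSL_CTX can be entered for an SSL object that already owns a copied certificate (a second call that re-binds the context, say), the earlier allocation is leaked; if it cannot, a one-line comment stating that `ssl->buffers.certificate` is NULL on entry would make the asymmetry with ssl.c deliberate. Either way the release should be keyed on ownership rather than on non-NULL alone, e.g. `if (ssl->buffers.weOwnCert) FreeDer(&ssl->buffers.certificate);`, with the same treatment for certChain at 6819. SetSSL_CTX starts before and continues past this hunk.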

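--- a/src/ssl.c
+++ b/src/ssl.c
@@ -20151,9 +20151,41 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
 ssl->ctx = ctx;
 
 #ifndef NO_CERTS
+#ifdef WOLFSSL_COPY_CERT
+/* If WOLFSSL_COPY_CERT defined, always make new copy of cert from ctx */
+if (ctx->certificate != NULL) {
+if (ssl->buffers.certificate != NULL) {
+FreeDer(&ssl->buffers.certificate);
+}
+ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
+ctx->certificate->length, ctx->certificate->type,
+ctx->certificate->heap);
+if (ret != 0) {
+return NULL;
+}
+
+ssl->buffers.weOwnCert = 1;
+ret = WOLFSSL_SUCCESS;
+}
+if (ctx->certChain != NULL) {
+if (ssl->buffers.certChain != NULL) {
+FreeDer(&ssl->buffers.certChain);
+}
+ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
+ctx->certChain->length, ctx->certChain->type,
+ctx->certChain->heap);
+if (ret != 0) {
+return NULL;
+}
+
+ssl->buffers.weOwnCertChain = 1;
+ret = WOLFSSL_SUCCESS;
+}
+#else
 /* ctx owns certificate, certChain and key */
 ssl->buffers.certificate = ctx->certificate;
 ssl->buffers.certChain = ctx->certChain;
+#endif
 #ifdef WOLFSSL_TLS13
 ssl->buffers.certChainCnt = ctx->certChainCnt;
 #endif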
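Review bot: `FreeDer(&ssl->buffers.certificate)` at 20157–20159 is gated only on the pointer being non-NULL, not on `ssl->buffers.weOwnCert`, so if any path in a WOLFSSL_COPY_CERT build can leave `ssl->buffers.certificate` aliasing CTX-owned storage this frees memory the CTX still references. The #else assignment in this function is compiled out under the option, so that may be unreachable today, but checking the flag costs nothing and keeps the ownership invariant local: `if (ssl->buffers.certificate != NULL && ssl->buffers.weOwnCert) {`, and likewise for the certChain release at 20171. Separately, a failed AllocCopyDer returns NULL only after `ssl->ctx = ctx` has been assigned and the previous certificate freed, so the object is left half-switched and the caller cannot tell which state it is in; documenting that, or deferring the `ssl->ctx` assignment until both copies succeed, would be worth considering. wolfSSL_set_SSL_CTX starts before and continues past this hunk.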

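--- a/tests/api.c
+++ b/tests/api.c
@@ -77500,9 +77500,18 @@ static int test_wolfSSL_set_SSL_CTX(void)
 #ifdef WOLFSSL_SESSION_ID_CTX
 ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id2, 4), 0);
 #endif
+#ifdef WOLFSSL_COPY_CERT
+if (ctx2 != NULL && ctx2->certificate != NULL) {
+ExpectFalse(ssl->buffers.certificate == ctx2->certificate);
+}
+if (ctx2 != NULL && ctx2->certChain != NULL) {
+ExpectFalse(ssl->buffers.certChain == ctx2->certChain);
+}
+#else
 ExpectTrue(ssl->buffers.certificate == ctx2->certificate);
 ExpectTrue(ssl->buffers.certChain == ctx2->certChain);
 #endif
+#endif
 
 #ifdef HAVE_SESSION_TICKET
 ExpectIntNE((wolfSSL_get_options(ssl) & SSL_OP_NO_TICKET), 0);
@@ -77519,8 +77528,17 @@ static int test_wolfSSL_set_SSL_CTX(void)
 #endif
 /* MUST change */
 #ifdef WOLFSSL_INT_H
+#ifdef WOLFSSL_COPY_CERT
+if (ctx1 != NULL && ctx1->certificate != NULL) {
+ExpectFalse(ssl->buffers.certificate == ctx1->certificate);
+}
+if (ctx1 != NULL && ctx1->certChain != NULL) {
+ExpectFalse(ssl->buffers.certChain == ctx1->certChain);
+}
+#else
 ExpectTrue(ssl->buffers.certificate == ctx1->certificate);
 ExpectTrue(ssl->buffers.certChain == ctx1->certChain);
+#endif
 #ifdef WOLFSSL_SESSION_ID_CTX
 ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id1, 4), 0);
 #endif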
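Review bot: The new WOLFSSL_COPY_CERT assertions at 77503–77510 (and 77531–77538 in the second hunk) only prove that the SSL pointer differs from the CTX pointer; they would pass equally if the copy were empty or the ownership flag were never set, which is exactly what a leak or double-free regression in SetSSL_CTX would look like. Adding `ExpectIntEQ(ssl->buffers.weOwnCert, 1);` inside the first guard, plus an `ExpectIntEQ` of `ssl->buffers.certificate->length` against `ctx2->certificate->length` followed by an XMEMCMP of the two buffers, pins the copy semantics the option promises. The same additions apply to the certChain guard and to the ctx1 checks in the second hunk. test_wolfSSL_set_SSL_CTX starts before and continues past both hunks.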

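--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -3260,6 +3260,11 @@ extern void uITRON4_free(void *p) ;
 #define KEEP_PEER_CERT
 #endif
 
+#if defined(OPENSSL_ALL) && !defined(WOLFSSL_NO_COPY_CERT)
+#undef WOLFSSL_COPY_CERT
+#define WOLFSSL_COPY_CERT
+#endif
+
 /*
 * Keeps the "Finished" messages after a TLS handshake for use as the so-called
 * "tls-unique" channel binding. See comment in internal.h around clientFinished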
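Review bot: The block at 3263–3266 switches WOLFSSL_COPY_CERT on for every OPENSSL_ALL build with no comment on why, and the opt-out WOLFSSL_NO_COPY_CERT is introduced here without being named anywhere else in the commit. A short note above the `#if` would spare the next reader a trip to the PR, e.g. `/* OpenSSL compatibility builds give each SSL object its own copy of the CTX certificate and chain (see SetSSL_CTX / wolfSSL_set_SSL_CTX); define WOLFSSL_NO_COPY_CERT to keep the shared-pointer behaviour. */` — the motivation is inferred from the PR title, so confirm the wording. It is also worth stating that the option adds one heap copy of the certificate and chain per SSL object, since memory-constrained targets that enable OPENSSL_ALL will see that cost.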
