Skip to content

Commit

Permalink
Merge pull request #7867 from ColtonWilley/cert_copy_option
Browse files Browse the repository at this point in the history
Add new option to always copy cert buffer for each SSL object
  • Loading branch information
douzzer authored Aug 17, 2024
2 parents b412e5f + d056b63 commit e562a1c
Show file tree
Hide file tree
Showing 4 changed files with 81 additions and 0 deletions.
26 changes: 26 additions & 0 deletions src/internal.c
Original file line number Diff line number Diff line change
Expand Up @@ -6803,9 +6803,35 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#endif /* HAVE_RPK */

#ifndef NO_CERTS
#ifdef WOLFSSL_COPY_CERT
/* If WOLFSSL_COPY_CERT is defined, always copy the cert */
if (ctx->certificate != NULL) {
ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
ctx->certificate->length, ctx->certificate->type,
ctx->certificate->heap);
if (ret != 0) {
return ret;
}

ssl->buffers.weOwnCert = 1;
ret = WOLFSSL_SUCCESS;
}
if (ctx->certChain != NULL) {
ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
ctx->certChain->length, ctx->certChain->type,
ctx->certChain->heap);
if (ret != 0) {
return ret;
}

ssl->buffers.weOwnCertChain = 1;
ret = WOLFSSL_SUCCESS;
}
#else
/* ctx still owns certificate, certChain, key, dh, and cm */
ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain;
#endif
#ifdef WOLFSSL_TLS13
ssl->buffers.certChainCnt = ctx->certChainCnt;
#endif
Expand Down
32 changes: 32 additions & 0 deletions src/ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -20151,9 +20151,41 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->ctx = ctx;

#ifndef NO_CERTS
#ifdef WOLFSSL_COPY_CERT
/* If WOLFSSL_COPY_CERT defined, always make new copy of cert from ctx */
if (ctx->certificate != NULL) {
if (ssl->buffers.certificate != NULL) {
FreeDer(&ssl->buffers.certificate);
}
ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
ctx->certificate->length, ctx->certificate->type,
ctx->certificate->heap);
if (ret != 0) {
return NULL;
}

ssl->buffers.weOwnCert = 1;
ret = WOLFSSL_SUCCESS;
}
if (ctx->certChain != NULL) {
if (ssl->buffers.certChain != NULL) {
FreeDer(&ssl->buffers.certChain);
}
ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
ctx->certChain->length, ctx->certChain->type,
ctx->certChain->heap);
if (ret != 0) {
return NULL;
}

ssl->buffers.weOwnCertChain = 1;
ret = WOLFSSL_SUCCESS;
}
#else
/* ctx owns certificate, certChain and key */
ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain;
#endif
#ifdef WOLFSSL_TLS13
ssl->buffers.certChainCnt = ctx->certChainCnt;
#endif
Expand Down
18 changes: 18 additions & 0 deletions tests/api.c
Original file line number Diff line number Diff line change
Expand Up @@ -77500,9 +77500,18 @@ static int test_wolfSSL_set_SSL_CTX(void)
#ifdef WOLFSSL_SESSION_ID_CTX
ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id2, 4), 0);
#endif
#ifdef WOLFSSL_COPY_CERT
if (ctx2 != NULL && ctx2->certificate != NULL) {
ExpectFalse(ssl->buffers.certificate == ctx2->certificate);
}
if (ctx2 != NULL && ctx2->certChain != NULL) {
ExpectFalse(ssl->buffers.certChain == ctx2->certChain);
}
#else
ExpectTrue(ssl->buffers.certificate == ctx2->certificate);
ExpectTrue(ssl->buffers.certChain == ctx2->certChain);
#endif
#endif

#ifdef HAVE_SESSION_TICKET
ExpectIntNE((wolfSSL_get_options(ssl) & SSL_OP_NO_TICKET), 0);
Expand All @@ -77519,8 +77528,17 @@ static int test_wolfSSL_set_SSL_CTX(void)
#endif
/* MUST change */
#ifdef WOLFSSL_INT_H
#ifdef WOLFSSL_COPY_CERT
if (ctx1 != NULL && ctx1->certificate != NULL) {
ExpectFalse(ssl->buffers.certificate == ctx1->certificate);
}
if (ctx1 != NULL && ctx1->certChain != NULL) {
ExpectFalse(ssl->buffers.certChain == ctx1->certChain);
}
#else
ExpectTrue(ssl->buffers.certificate == ctx1->certificate);
ExpectTrue(ssl->buffers.certChain == ctx1->certChain);
#endif
#ifdef WOLFSSL_SESSION_ID_CTX
ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id1, 4), 0);
#endif
Expand Down
5 changes: 5 additions & 0 deletions wolfssl/wolfcrypt/settings.h
Original file line number Diff line number Diff line change
Expand Up @@ -3260,6 +3260,11 @@ extern void uITRON4_free(void *p) ;
#define KEEP_PEER_CERT
#endif

#if defined(OPENSSL_ALL) && !defined(WOLFSSL_NO_COPY_CERT)
#undef WOLFSSL_COPY_CERT
#define WOLFSSL_COPY_CERT
#endif

/*
* Keeps the "Finished" messages after a TLS handshake for use as the so-called
* "tls-unique" channel binding. See comment in internal.h around clientFinished
Expand Down

0 comments on commit e562a1c

Please sign in to comment.