From f796b4e58ef2311e11b51f15ef5e8807c84c5272 Mon Sep 17 00:00:00 2001
From: dongheng
Date: Thu, 22 Sep 2016 16:41:51 +0800
Subject: [PATCH] components/openssl: SSL load verify data from itself structure when "new"

---
 components/openssl/include/internal/ssl_types.h | 4 ++++
 components/openssl/library/ssl_lib.c | 3 +++
 components/openssl/library/ssl_pkey.c | 9 ++++++++-
 components/openssl/library/ssl_x509.c | 12 ++++++++++--
 components/openssl/platform/ssl_pm.c | 6 +++---
 5 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/components/openssl/include/internal/ssl_types.h b/components/openssl/include/internal/ssl_types.h
index d001befdb9..6f2fb5a2f2 100644
--- a/components/openssl/include/internal/ssl_types.h
+++ b/components/openssl/include/internal/ssl_types.h
@@ -99,6 +99,8 @@ struct stack_st {
 struct evp_pkey_st {
+ int ref;
+
 void *pkey_pm;
 const PKEY_METHOD *method;
@@ -106,6 +108,8 @@ struct evp_pkey_st {
 struct x509_st {
+ int ref;
+
 /* X509 certification platform private point */
 void *x509_pm;
diff --git a/components/openssl/library/ssl_lib.c b/components/openssl/library/ssl_lib.c
index 442920f119..7e3b4554d6 100644
--- a/components/openssl/library/ssl_lib.c
+++ b/components/openssl/library/ssl_lib.c
@@ -282,6 +282,9 @@ SSL *SSL_new(SSL_CTX *ctx)
 ssl->version = ctx->version;
 ssl->options = ctx->options;
+ ssl->cert = ctx->cert;
+ ssl->client_CA = ctx->client_CA;
+
 ret = SSL_METHOD_CALL(new, ssl);
 if (ret)
 SSL_RET(failed2, "ssl_new\n");
diff --git a/components/openssl/library/ssl_pkey.c b/components/openssl/library/ssl_pkey.c
index a86a257e98..15c4977b0f 100644
--- a/components/openssl/library/ssl_pkey.c
+++ b/components/openssl/library/ssl_pkey.c
@@ -177,6 +177,8 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
 if (!ret)
 SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n");
+ ctx->cert->pkey->ref++;
+
 return 1;
 failed2:
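Review bot: The new `int ref;` field added to `struct evp_pkey_st` here, and to `struct x509_st` in the second hunk of this file, has no comment, and the rest of the patch only increments it and tests it for non-zero, so it acts as a "loaded through the SSL_CTX_use_* / SSL_use_* API" flag rather than a reference count. Nothing in the patch decrements it, so if a true refcount shared between the SSL and its SSL_CTX is intended, the matching decrements in the free paths are still missing (those paths are outside this diff). State the contract where the field is declared, e.g. `/* set non-zero once loaded via SSL_CTX_use_* or SSL_use_*; never decremented, a later load is refused */`, so the next reader does not mistake it for an OpenSSL-style refcount.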
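Review bot: `ssl->cert = ctx->cert;` and `ssl->client_CA = ctx->client_CA;` make the SSL object alias the SSL_CTX's CERT and client-CA X509 objects rather than own copies, and nothing in this hunk records which side is responsible for freeing them. If SSL_free (outside the hunk) releases `ssl->cert`, a subsequent SSL_CTX_free would free the same object again; if it does not, the per-object `ref` this patch increments on load is never decremented, so the SSL side can never release a key or certificate it loaded itself. A one-line ownership comment above these assignments, e.g. `/* borrowed from ctx: owned and freed by the SSL_CTX, not by SSL_free */`, together with a check that SSL_free honours it, would settle the question. SSL_new continues outside the hunk.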
@@ -203,7 +205,10 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
 int ret;
 EVP_PKEY *pkey;
- pkey = d2i_PrivateKey(0, &ssl->cert->pkey, &d, len);
+ if (ssl->cert->pkey->ref)
+ SSL_RET(failed1);
+
+ pkey = d2i_PrivateKey(0, NULL, &d, len);
 if (!pkey)
 SSL_RET(failed1, "d2i_PrivateKey\n");
@@ -211,6 +216,8 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
 if (!ret)
 SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n");
+ ssl->cert->pkey->ref++;
+
 return 1;
 failed2:
diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c
index ba5c924e75..6e249eef58 100644
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
@@ -85,7 +85,7 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len)
 } else {
 x = X509_new();
 if (!x)
- SSL_RET(failed1, "sk_X509_NAME_new_null\n");
+ SSL_RET(failed1, "X509_new\n");
 m = 1;
 }
@@ -218,6 +218,7 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
 {
 int ret;
 X509 *cert;
+ const unsigned char *pbuf;
 cert = d2i_X509(&ctx->cert->x509, d, len);
 if (!cert)
@@ -227,6 +228,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
 if (!ret)
 SSL_RET(failed2, "SSL_CTX_use_certificate\n");
+ ctx->cert->x509->ref++;
+
 return 1;
 failed2:
@@ -252,7 +255,10 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len,
 int ret;
 X509 *cert;
- cert = d2i_X509(&ssl->cert->x509, d, len);
+ if (ssl->cert->x509->ref)
+ SSL_RET(failed1);
+
+ cert = d2i_X509(NULL, d, len);
 if (!cert)
 SSL_RET(failed1, "d2i_X509\n");
@@ -260,6 +266,8 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len,
 if (!ret)
 SSL_RET(failed2, "SSL_use_certificate\n");
+ ssl->cert->x509->ref++;
+
 return 1;
 failed2:
diff --git a/components/openssl/platform/ssl_pm.c b/components/openssl/platform/ssl_pm.c
index 17cc080bb6..d4ed2ececb 100644
--- a/components/openssl/platform/ssl_pm.c
+++ b/components/openssl/platform/ssl_pm.c
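Review bot: The guard `if (ssl->cert->pkey->ref) SSL_RET(failed1);` fails the call with no message, while every other SSL_RET in these files names what went wrong; the same silent guard is added to SSL_use_certificate_ASN1 in the ssl_x509.c hunk at `@@ -252,7 +255,10`. A caller that loaded a key on the SSL_CTX and then tries to set a per-connection key gets an unexplained failure, and because the next hunk bumps `ref` on success, a second SSL_use_PrivateKey_ASN1 on the same SSL fails the same way. Give the guard a message consistent with its neighbours, `SSL_RET(failed1, "private key already loaded\n");`, and put the policy in a comment above it. Note that `d2i_PrivateKey(0, NULL, &d, len)` now allocates a fresh EVP_PKEY instead of decoding into the object shared with the SSL_CTX; what happens to the previously aliased `ssl->cert->pkey` is decided in SSL_use_PrivateKey, outside this hunk, and should be checked for a leak. The function body continues outside the hunk.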
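Review bot: `const unsigned char *pbuf;` is declared in SSL_CTX_use_certificate_ASN1 but nothing in the hunk assigns or reads it, so unless a use exists beyond the hunk it is a dead local that will trip -Wunused-variable. Either drop the line or, if it was meant to take a copy of `d` so the caller's pointer is not advanced by `d2i_X509(&ctx->cert->x509, d, len)`, finish that change. The function continues outside the hunk.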
@@ -120,7 +120,7 @@ int ssl_pm_new(SSL *ssl)
 mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
- x509_pm = (struct x509_pm *)ctx->client_CA->x509_pm;
+ x509_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
 if (x509_pm->load) {
 mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
@@ -130,9 +130,9 @@ int ssl_pm_new(SSL *ssl)
 }
 mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
- pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
+ pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
 if (pkey_pm->load) {
- x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
+ x509_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
 ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
 if (ret)
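Review bot: With the three `ctx->...` reads replaced by `ssl->...` (this hunk and the next), the local `ctx` in ssl_pm_new, declared outside the hunk, may have no remaining use; if so it is dead and its declaration and initialisation should go with it, otherwise the build gains an unused-variable warning. The new lines also dereference `ssl->client_CA`, `ssl->cert`, `ssl->cert->pkey` and `ssl->cert->x509` without a NULL check, exactly as the old code did through ctx; that is only safe while SSL_new populates these before invoking the method's new() hook, which is worth stating here, e.g. `/* ssl->cert and ssl->client_CA are set by SSL_new before SSL_METHOD_CALL(new) */`. Both hunks are inside ssl_pm_new, whose body extends beyond them.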