option to keepCert for ssl lifetime, refactor of ourCert process

2016-05-02 17:19:25 -06:00
parent d1ab51e10f
commit b2325aad6d
4 changed files with 32 additions and 14 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -2592,6 +2592,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
    }
 #endif
 #ifndef NO_CERTS
+    ssl->keepCert = 0; /* make sure certificate is free'd */
    wolfSSL_UnloadCertsKeys(ssl);
 #endif
 #ifndef NO_RSA
--- a/src/ssl.c
+++ b/src/ssl.c
@ -81,7 +81,6 @@
    #include <wolfssl/wolfcrypt/idea.h>
    #include <wolfssl/wolfcrypt/curve25519.h>
    #include <wolfssl/wolfcrypt/ed25519.h>
-    #include <wolfssl/openssl/asn1.h>
    #ifdef HAVE_STUNNEL
        #include <wolfssl/openssl/ocsp.h>
    #endif /* WITH_STUNNEL */
@ -3473,14 +3472,13 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
                    FreeX509(ssl->ourCert);
                    if (ssl->ourCert) {
                        XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509);
+                        ssl->ourCert = NULL;
                    }
                #endif
            }
            XMEMCPY(&ssl->buffers.certificate, &der, sizeof(der));
            #ifdef OPENSSL_EXTRA
-                ssl->ourCert = wolfSSL_X509_d2i(NULL,
-                                              ssl->buffers.certificate->buffer,
-                                              ssl->buffers.certificate->length);
+                ssl->keepCert = 1; /* hold cert for ssl lifetime */
            #endif
            ssl->buffers.weOwnCert = 1;
        }
@ -3490,14 +3488,10 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
                FreeX509(ctx->ourCert);
                if (ctx->ourCert) {
                    XFREE(ctx->ourCert, ctx->heap, DYNAMIC_TYPE_X509);
+                    ctx->ourCert = NULL;
                }
            #endif
            XMEMCPY(&ctx->certificate, &der, sizeof(der));
-            #ifdef OPENSSL_EXTRA
-                ctx->ourCert = wolfSSL_X509_d2i(NULL,
-                                               ctx->certificate->buffer,
-                                               ctx->certificate->length);
-            #endif
        }
    }
    else if (type == PRIVATEKEY_TYPE) {
@ -8040,13 +8034,14 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
            return BAD_FUNC_ARG;
        }

-        if (ssl->buffers.weOwnCert) {
+        if (ssl->buffers.weOwnCert && !ssl->keepCert) {
            WOLFSSL_MSG("Unloading cert");
            FreeDer(&ssl->buffers.certificate);
            #ifdef OPENSSL_EXTRA
                FreeX509(ssl->ourCert);
                if (ssl->ourCert) {
                    XFREE(ssl->ourCert, ssl->heap, DYNAMIC_TYPE_X509);
+                    ssl->ourCert = NULL;
                }
            #endif
            ssl->buffers.weOwnCert = 0;
@ -10769,10 +10764,20 @@ WOLFSSL_X509* wolfSSL_get_certificate(WOLFSSL* ssl)
    }

    if (ssl->buffers.weOwnCert) {
+        if (ssl->ourCert == NULL) {
+            ssl->ourCert = wolfSSL_X509_d2i(NULL,
+                                              ssl->buffers.certificate->buffer,
+                                              ssl->buffers.certificate->length);
+        }
        return ssl->ourCert;
    }
    else { /* if cert not owned get parent ctx cert or return null */
        if (ssl->ctx) {
+            if (ssl->ctx->ourCert == NULL) {
+                ssl->ctx->ourCert = wolfSSL_X509_d2i(NULL,
+                                               ssl->ctx->certificate->buffer,
+                                               ssl->ctx->certificate->length);
+            }
            return ssl->ctx->ourCert;
        }
        else {
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@ -2731,6 +2731,7 @@ struct WOLFSSL {
                                            points to ctx if not owned (owned
                                            flag found in buffers.weOwnCert) */
 #endif
+    byte             keepCert;           /* keep certificate after handshake */
 #if defined(FORTRESS) || defined(HAVE_STUNNEL)
    void*           ex_data[MAX_EX_DATA]; /* external data, for Fortress */
 #endif
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@ -441,14 +441,22 @@ static INLINE int PasswordCallBack(char* passwd, int sz, int rw, void* userdata)
 static INLINE void ShowX509(WOLFSSL_X509* x509, const char* hdr)
 {
    char* altName;
-    char* issuer  = wolfSSL_X509_NAME_oneline(
-                                       wolfSSL_X509_get_issuer_name(x509), 0, 0);
-    char* subject = wolfSSL_X509_NAME_oneline(
-                                      wolfSSL_X509_get_subject_name(x509), 0, 0);
+    char* issuer;
+    char* subject;
    byte  serial[32];
    int   ret;
    int   sz = sizeof(serial);

+    if (x509 == NULL) {
+        printf("%s No Cert\n", hdr);
+        return;
+    }
+
+    issuer  = wolfSSL_X509_NAME_oneline(
+                                      wolfSSL_X509_get_issuer_name(x509), 0, 0);
+    subject = wolfSSL_X509_NAME_oneline(
+                                     wolfSSL_X509_get_subject_name(x509), 0, 0);
+
    printf("%s\n issuer : %s\n subject: %s\n", hdr, issuer, subject);

    while ( (altName = wolfSSL_X509_get_next_altname(x509)) != NULL)
@ -487,6 +495,9 @@ static INLINE void showPeer(WOLFSSL* ssl)
        printf("peer has no cert!\n");
    wolfSSL_FreeX509(peer);
 #endif
+#if defined(SHOW_CERTS) && defined(OPENSSL_EXTRA)
+    ShowX509(wolfSSL_get_certificate(ssl), "our cert info:");
+#endif /* SHOW_CERTS */
    printf("SSL version is %s\n", wolfSSL_get_version(ssl));

    cipher = wolfSSL_get_current_cipher(ssl);