Merge pull request #7867 from ColtonWilley/cert_copy_option

Add new option to always copy cert buffer for each SSL object
2025-07-29 18:27:29 +02:00 · 2024-08-17 00:07:00 -05:00
parent b412e5f24e d056b63742
commit e562a1c4d1
4 changed files with 81 additions and 0 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -6803,9 +6803,35 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
 #endif /* HAVE_RPK */

 #ifndef NO_CERTS
+#ifdef WOLFSSL_COPY_CERT
+    /* If WOLFSSL_COPY_CERT is defined, always copy the cert */
+    if (ctx->certificate != NULL) {
+        ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
+            ctx->certificate->length, ctx->certificate->type,
+            ctx->certificate->heap);
+        if (ret != 0) {
+            return ret;
+        }
+
+        ssl->buffers.weOwnCert = 1;
+        ret = WOLFSSL_SUCCESS;
+    }
+    if (ctx->certChain != NULL) {
+        ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
+            ctx->certChain->length, ctx->certChain->type,
+            ctx->certChain->heap);
+        if (ret != 0) {
+            return ret;
+        }
+
+        ssl->buffers.weOwnCertChain = 1;
+        ret = WOLFSSL_SUCCESS;
+    }
+#else
    /* ctx still owns certificate, certChain, key, dh, and cm */
    ssl->buffers.certificate = ctx->certificate;
    ssl->buffers.certChain = ctx->certChain;
+#endif
 #ifdef WOLFSSL_TLS13
    ssl->buffers.certChainCnt = ctx->certChainCnt;
 #endif
--- a/src/ssl.c
+++ b/src/ssl.c
@ -20151,9 +20151,41 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
    ssl->ctx = ctx;

 #ifndef NO_CERTS
+#ifdef WOLFSSL_COPY_CERT
+    /* If WOLFSSL_COPY_CERT defined, always make new copy of cert from ctx */
+    if (ctx->certificate != NULL) {
+        if (ssl->buffers.certificate != NULL) {
+            FreeDer(&ssl->buffers.certificate);
+        }
+        ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
+            ctx->certificate->length, ctx->certificate->type,
+            ctx->certificate->heap);
+        if (ret != 0) {
+            return NULL;
+        }
+
+        ssl->buffers.weOwnCert = 1;
+        ret = WOLFSSL_SUCCESS;
+    }
+    if (ctx->certChain != NULL) {
+        if (ssl->buffers.certChain != NULL) {
+            FreeDer(&ssl->buffers.certChain);
+        }
+        ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
+            ctx->certChain->length, ctx->certChain->type,
+            ctx->certChain->heap);
+        if (ret != 0) {
+            return NULL;
+        }
+
+        ssl->buffers.weOwnCertChain = 1;
+        ret = WOLFSSL_SUCCESS;
+    }
+#else
    /* ctx owns certificate, certChain and key */
    ssl->buffers.certificate = ctx->certificate;
    ssl->buffers.certChain = ctx->certChain;
+#endif
 #ifdef WOLFSSL_TLS13
    ssl->buffers.certChainCnt = ctx->certChainCnt;
 #endif
--- a/tests/api.c
+++ b/tests/api.c
@ -77500,9 +77500,18 @@ static int test_wolfSSL_set_SSL_CTX(void)
 #ifdef WOLFSSL_SESSION_ID_CTX
    ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id2, 4), 0);
 #endif
+#ifdef WOLFSSL_COPY_CERT
+    if (ctx2 != NULL && ctx2->certificate != NULL) {
+        ExpectFalse(ssl->buffers.certificate == ctx2->certificate);
+    }
+    if (ctx2 != NULL && ctx2->certChain != NULL) {
+        ExpectFalse(ssl->buffers.certChain == ctx2->certChain);
+    }
+#else
    ExpectTrue(ssl->buffers.certificate == ctx2->certificate);
    ExpectTrue(ssl->buffers.certChain == ctx2->certChain);
 #endif
+#endif

 #ifdef HAVE_SESSION_TICKET
    ExpectIntNE((wolfSSL_get_options(ssl) & SSL_OP_NO_TICKET), 0);
@ -77519,8 +77528,17 @@ static int test_wolfSSL_set_SSL_CTX(void)
 #endif
    /* MUST change */
 #ifdef WOLFSSL_INT_H
+#ifdef WOLFSSL_COPY_CERT
+    if (ctx1 != NULL && ctx1->certificate != NULL) {
+        ExpectFalse(ssl->buffers.certificate == ctx1->certificate);
+    }
+    if (ctx1 != NULL && ctx1->certChain != NULL) {
+        ExpectFalse(ssl->buffers.certChain == ctx1->certChain);
+    }
+#else
    ExpectTrue(ssl->buffers.certificate == ctx1->certificate);
    ExpectTrue(ssl->buffers.certChain == ctx1->certChain);
+#endif
 #ifdef WOLFSSL_SESSION_ID_CTX
    ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id1, 4), 0);
 #endif
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@ -3260,6 +3260,11 @@ extern void uITRON4_free(void *p) ;
    #define KEEP_PEER_CERT
 #endif

+#if defined(OPENSSL_ALL) && !defined(WOLFSSL_NO_COPY_CERT)
+    #undef WOLFSSL_COPY_CERT
+    #define WOLFSSL_COPY_CERT
+#endif
+
 /*
 * Keeps the "Finished" messages after a TLS handshake for use as the so-called
 * "tls-unique" channel binding. See comment in internal.h around clientFinished