wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-31 19:24:42 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add new option to always copy cert buffer for each SSL object

Browse Source
This commit is contained in:
Colton Willey
2024-08-13 13:32:25 -07:00
parent 9f9e89082f
commit ef500c2e62
4 changed files with 99 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/internal.c
View File

@@ -6803,9 +6803,39 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx, int writeDup)
#endif /* HAVE_RPK */ #endif /* HAVE_RPK */
#ifndef NO_CERTS #ifndef NO_CERTS
#ifdef WOLFSSL_COPY_CERT
/* If WOLFSSL_COPY_CERT is defined, always copy the cert */
if (ctx->certificate != NULL) {
if (ssl->buffers.certificate != NULL) {
FreeDer(&ssl->buffers.certificate);
}
ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
ctx->certificate->length, ctx->certificate->type,
ctx->certificate->heap);
if (ret != 0) {
return ret;
}
ret = WOLFSSL_SUCCESS;
}
if (ctx->certChain != NULL) {
if (ssl->buffers.certChain != NULL) {
FreeDer(&ssl->buffers.certChain);
}
ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
ctx->certChain->length, ctx->certChain->type,
ctx->certChain->heap);
if (ret != 0) {
return ret;
}
ret = WOLFSSL_SUCCESS;
}
#else
/* ctx still owns certificate, certChain, key, dh, and cm */ /* ctx still owns certificate, certChain, key, dh, and cm */
ssl->buffers.certificate = ctx->certificate; ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain; ssl->buffers.certChain = ctx->certChain;
#endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
ssl->buffers.certChainCnt = ctx->certChainCnt; ssl->buffers.certChainCnt = ctx->certChainCnt;
#endif #endif

40
src/ssl.c
View File

@@ -10806,6 +10806,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
#ifdef WOLFSSL_COPY_CERT
/* If WOLFSSL_COPY_CERT defined, always free cert buffers in SSL obj */
FreeDer(&ssl->buffers.certificate);
FreeDer(&ssl->buffers.certChain);
#endif
if (ssl->buffers.weOwnCert && !ssl->keepCert) { if (ssl->buffers.weOwnCert && !ssl->keepCert) {
WOLFSSL_MSG("Unloading cert"); WOLFSSL_MSG("Unloading cert");
FreeDer(&ssl->buffers.certificate); FreeDer(&ssl->buffers.certificate);
@@ -19549,6 +19554,11 @@ void wolfSSL_certs_clear(WOLFSSL* ssl)
/* ctx still owns certificate, certChain, key, dh, and cm */ /* ctx still owns certificate, certChain, key, dh, and cm */
if (ssl->buffers.weOwnCert) if (ssl->buffers.weOwnCert)
FreeDer(&ssl->buffers.certificate); FreeDer(&ssl->buffers.certificate);
#ifdef WOLFSSL_COPY_CERT
/* If WOLFSSL_COPY_CERT defined, always free cert buffers in SSL obj */
FreeDer(&ssl->buffers.certificate);
FreeDer(&ssl->buffers.certChain);
#endif
ssl->buffers.certificate = NULL; ssl->buffers.certificate = NULL;
if (ssl->buffers.weOwnCertChain) if (ssl->buffers.weOwnCertChain)
FreeDer(&ssl->buffers.certChain); FreeDer(&ssl->buffers.certChain);
@@ -20151,9 +20161,39 @@ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->ctx = ctx; ssl->ctx = ctx;
#ifndef NO_CERTS #ifndef NO_CERTS
#ifdef WOLFSSL_COPY_CERT
/* If WOLFSSL_COPY_CERT defined, always make new copy of cert */
if (ctx->certificate != NULL) {
if (ssl->buffers.certificate != NULL) {
FreeDer(&ssl->buffers.certificate);
}
ret = AllocCopyDer(&ssl->buffers.certificate, ctx->certificate->buffer,
ctx->certificate->length, ctx->certificate->type,
ctx->certificate->heap);
if (ret != 0) {
return NULL;
}
ret = WOLFSSL_SUCCESS;
}
if (ctx->certChain != NULL) {
if (ssl->buffers.certChain != NULL) {
FreeDer(&ssl->buffers.certChain);
}
ret = AllocCopyDer(&ssl->buffers.certChain, ctx->certChain->buffer,
ctx->certChain->length, ctx->certChain->type,
ctx->certChain->heap);
if (ret != 0) {
return NULL;
}
ret = WOLFSSL_SUCCESS;
}
#else
/* ctx owns certificate, certChain and key */ /* ctx owns certificate, certChain and key */
ssl->buffers.certificate = ctx->certificate; ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain; ssl->buffers.certChain = ctx->certChain;
#endif
#ifdef WOLFSSL_TLS13 #ifdef WOLFSSL_TLS13
ssl->buffers.certChainCnt = ctx->certChainCnt; ssl->buffers.certChainCnt = ctx->certChainCnt;
#endif #endif

11
src/ssl_load.c
View File

@@ -236,6 +236,9 @@ static int ProcessUserChainRetain(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
/* Store in SSL object if available. */ /* Store in SSL object if available. */
if (ssl != NULL) { if (ssl != NULL) {
/* Dispose of old chain if not reference to context's. */ /* Dispose of old chain if not reference to context's. */
#ifdef WOLFSSL_COPY_CERT
FreeDer(&ssl->buffers.certChain);
#endif
if (ssl->buffers.weOwnCertChain) { if (ssl->buffers.weOwnCertChain) {
FreeDer(&ssl->buffers.certChain); FreeDer(&ssl->buffers.certChain);
} }
@@ -2079,6 +2082,10 @@ static int ProcessBufferCertHandleDer(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
/* Leaf certificate - our certificate. */ /* Leaf certificate - our certificate. */
else if (type == CERT_TYPE) { else if (type == CERT_TYPE) {
if (ssl != NULL) { if (ssl != NULL) {
#ifdef WOLFSSL_COPY_CERT
/* Always Free previously set if WOLFSSL_COPY_CERT defined */
FreeDer(&ssl->buffers.certificate);
#endif
/* Free previous certificate if we own it. */ /* Free previous certificate if we own it. */
if (ssl->buffers.weOwnCert) { if (ssl->buffers.weOwnCert) {
FreeDer(&ssl->buffers.certificate); FreeDer(&ssl->buffers.certificate);
@@ -4560,6 +4567,10 @@ static int wolfssl_add_to_chain(DerBuffer** chain, int weOwn, const byte* cert,
c32to24(certSz, newChain->buffer + len); c32to24(certSz, newChain->buffer + len);
XMEMCPY(newChain->buffer + len + CERT_HEADER_SZ, cert, certSz); XMEMCPY(newChain->buffer + len + CERT_HEADER_SZ, cert, certSz);
#ifdef WOLFSSL_COPY_CERT
FreeDer(chain);
#endif
/* Dispose of old chain if we own it. */ /* Dispose of old chain if we own it. */
if (weOwn) { if (weOwn) {
FreeDer(chain); FreeDer(chain);

18
tests/api.c
View File

@@ -77291,9 +77291,18 @@ static int test_wolfSSL_set_SSL_CTX(void)
#ifdef WOLFSSL_SESSION_ID_CTX #ifdef WOLFSSL_SESSION_ID_CTX
ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id2, 4), 0); ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id2, 4), 0);
#endif #endif
#ifdef WOLFSSL_COPY_CERT
if (ctx2->certificate != NULL) {
ExpectFalse(ssl->buffers.certificate == ctx2->certificate);
}
if (ctx2->certChain != NULL) {
ExpectFalse(ssl->buffers.certChain == ctx2->certChain);
}
#else
ExpectTrue(ssl->buffers.certificate == ctx2->certificate); ExpectTrue(ssl->buffers.certificate == ctx2->certificate);
ExpectTrue(ssl->buffers.certChain == ctx2->certChain); ExpectTrue(ssl->buffers.certChain == ctx2->certChain);
#endif #endif
#endif
#ifdef HAVE_SESSION_TICKET #ifdef HAVE_SESSION_TICKET
ExpectIntNE((wolfSSL_get_options(ssl) & SSL_OP_NO_TICKET), 0); ExpectIntNE((wolfSSL_get_options(ssl) & SSL_OP_NO_TICKET), 0);
@@ -77310,8 +77319,17 @@ static int test_wolfSSL_set_SSL_CTX(void)
#endif #endif
/* MUST change */ /* MUST change */
#ifdef WOLFSSL_INT_H #ifdef WOLFSSL_INT_H
#ifdef WOLFSSL_COPY_CERT
if (ctx1->certificate != NULL) {
ExpectFalse(ssl->buffers.certificate == ctx1->certificate);
}
if (ctx1->certChain != NULL) {
ExpectFalse(ssl->buffers.certChain == ctx1->certChain);
}
#else
ExpectTrue(ssl->buffers.certificate == ctx1->certificate); ExpectTrue(ssl->buffers.certificate == ctx1->certificate);
ExpectTrue(ssl->buffers.certChain == ctx1->certChain); ExpectTrue(ssl->buffers.certChain == ctx1->certChain);
#endif
#ifdef WOLFSSL_SESSION_ID_CTX #ifdef WOLFSSL_SESSION_ID_CTX
ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id1, 4), 0); ExpectIntEQ(XMEMCMP(ssl->sessionCtx, session_id1, 4), 0);
#endif #endif