components/openssl: SSL low-level reload cert when user add new cert

components/openssl/include/internal/ssl_methods.h

@@ -22,6 +22,7 @@
                     set_fd, get_fd, \
                     set_bufflen, \
                     get_verify_result, \
+                    ssl_reload_crt, \
                     get_state) \
         static const SSL_METHOD_FUNC func_name LOCAL_ATRR = { \
                 new, \
@@ -36,6 +37,7 @@
                 get_fd, \
                 set_bufflen, \
                 get_verify_result, \
+                ssl_reload_crt, \
                 get_state \
         };
 

components/openssl/include/internal/ssl_types.h

@@ -259,6 +259,8 @@ struct ssl_method_func_st {
 
     long (*ssl_get_verify_result)(const SSL *ssl);
 
+    int (*ssl_reload_crt)(SSL *ssl);
+
     OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
 };
 

components/openssl/include/platform/ssl_pm.h

@@ -51,4 +51,6 @@ void pkey_pm_unload(EVP_PKEY *pkey);
 
 long ssl_pm_get_verify_result(const SSL *ssl);
 
+int ssl_pm_reload_crt(SSL *ssl);
+
 #endif

components/openssl/library/ssl_methods.c

@@ -26,6 +26,7 @@ IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
         ssl_pm_set_fd, ssl_pm_get_fd,
         ssl_pm_set_bufflen,
         ssl_pm_get_verify_result,
+        ssl_pm_reload_crt,
         ssl_pm_get_state);
 
 /*

components/openssl/library/ssl_pkey.c

@@ -127,6 +127,9 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
     SSL_ASSERT(ctx);
     SSL_ASSERT(pkey);
 
+    if (ctx->cert->pkey)
+        EVP_PKEY_free(ctx->cert->pkey);
+
     ctx->cert->pkey = pkey;
 
     return 1;
@@ -144,12 +147,26 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
  */
 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
 {
+    int ret;
+    int ssl_ret;
+
     SSL_ASSERT(ctx);
     SSL_ASSERT(pkey);
 
+    if (!ssl->ca_reload)
+        ssl->ca_reload = 1;
+    else
+        EVP_PKEY_free(ssl->cert->pkey);
+
     ssl->cert->pkey = pkey;
 
-    return 1;
+    ssl_ret = SSL_METHOD_CALL(reload_crt, ssl);
+    if (ssl_ret)
+        ret = 0;
+    else
+        ret = 1;
+
+    return ret;
 }
 
 /*

components/openssl/library/ssl_x509.c

@@ -138,6 +138,9 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
  */
 int SSL_add_client_CA(SSL *ssl, X509 *x)
 {
+    int ret;
+    int ssl_ret;
+
     SSL_ASSERT(ssl);
     SSL_ASSERT(x);
 
@@ -148,7 +151,13 @@ int SSL_add_client_CA(SSL *ssl, X509 *x)
 
     ssl->client_CA = x;
 
-    return 1;
+    ssl_ret = SSL_METHOD_CALL(reload_crt, ssl);
+    if (ssl_ret)
+        ret = 0;
+    else
+        ret = 1;
+
+    return ret;
 }
 
 /*

components/openssl/platform/ssl_pm.c

@@ -475,3 +475,33 @@ long ssl_pm_get_verify_result(const SSL *ssl)
 
     return verify_result;
 }
+
+int ssl_pm_reload_crt(SSL *ssl)
+{
+    int ret;
+    int mode;
+    struct ssl_pm *ssl_pm = ssl->ssl_pm;
+    struct x509_pm *x509_pm;
+    struct pkey_pm *pkey_pm;
+
+    x509_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
+    if (x509_pm->load) {
+        mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
+
+        mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    } else {
+        mode = MBEDTLS_SSL_VERIFY_NONE;
+    }
+    mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
+
+    pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
+    if (pkey_pm->load) {
+        x509_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
+
+        ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
+        if (ret)
+            return -1;
+    }
+
+    return 0;
+}