From 9fc054bb553c3df68eb3f956c4496ac178422c3f Mon Sep 17 00:00:00 2001 From: dongheng Date: Fri, 23 Sep 2016 10:33:31 +0800 Subject: [PATCH] components/openssl: SSL load cert with creating new cert object 1. when 'SSL_new' SSL's cert is pointed to SSL context cert If SSL load new cert, it will create a new cert object 2. change some debug informaion --- .../openssl/include/internal/ssl_types.h | 13 ++--- components/openssl/library/ssl_cert.c | 2 +- components/openssl/library/ssl_lib.c | 6 +++ components/openssl/library/ssl_pkey.c | 44 +++++++++++----- components/openssl/library/ssl_x509.c | 50 +++++++++++++------ components/openssl/platform/ssl_pm.c | 32 +++++++----- 6 files changed, 100 insertions(+), 47 deletions(-) diff --git a/components/openssl/include/internal/ssl_types.h b/components/openssl/include/internal/ssl_types.h index 7a0bd0d76f..c872c5191c 100644 --- a/components/openssl/include/internal/ssl_types.h +++ b/components/openssl/include/internal/ssl_types.h @@ -99,8 +99,6 @@ struct stack_st { struct evp_pkey_st { - int ref; - void *pkey_pm; const PKEY_METHOD *method; @@ -108,8 +106,6 @@ struct evp_pkey_st { struct x509_st { - int ref; - /* X509 certification platform private point */ void *x509_pm; @@ -127,6 +123,7 @@ struct cert_st { }; struct ossl_statem_st { + MSG_FLOW_STATE state; int hand_state; @@ -193,8 +190,14 @@ struct ssl_st /* shut things down(0x01 : sent, 0x02 : received) */ int shutdown; + int crt_reload; + CERT *cert; + int ca_reload; + + X509 *client_CA; + SSL_CTX *ctx; const SSL_METHOD *method; @@ -208,8 +211,6 @@ struct ssl_st int rwstate; - X509 *client_CA; - long verify_result; X509_VERIFY_PARAM param; diff --git a/components/openssl/library/ssl_cert.c b/components/openssl/library/ssl_cert.c index caa901b660..2d82e62aaa 100644 --- a/components/openssl/library/ssl_cert.c +++ b/components/openssl/library/ssl_cert.c 
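Review bot: The new `crt_reload` and `ca_reload` fields in `struct ssl_st` carry ownership semantics (SSL_free releases `cert` and `client_CA` only when they are set) but have no comment, and nothing in this patch shows them being zero-initialised when the SSL object is created. I would document them at the declaration, e.g. `/* non-zero: cert was allocated by this SSL (SSL_use_*) rather than borrowed from ctx; released in SSL_free */` and the matching `/* non-zero: client_CA was set by SSL_add_client_CA and is owned here */`. It is also worth confirming that SSL_new zero-fills the struct or sets both flags to 0 explicitly, since a stale non-zero value would make SSL_free release the context-owned CERT.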
@@ -39,7 +39,7 @@ CERT *ssl_cert_new(void) cert->x509 = X509_new(); if (!cert->x509) - SSL_RET(failed3, "sk_X509_NAME_new_null\n"); + SSL_RET(failed3, "X509_new\n"); return cert; diff --git a/components/openssl/library/ssl_lib.c b/components/openssl/library/ssl_lib.c index 20c8931457..cc218f9a26 100644 --- a/components/openssl/library/ssl_lib.c +++ b/components/openssl/library/ssl_lib.c @@ -312,6 +312,12 @@ void SSL_free(SSL *ssl) SSL_METHOD_CALL(free, ssl); + if (ssl->ca_reload) + X509_free(ssl->client_CA); + + if (ssl->crt_reload) + ssl_cert_free(ssl->cert); + ssl_free(ssl); } diff --git a/components/openssl/library/ssl_pkey.c b/components/openssl/library/ssl_pkey.c index 7278287a63..c77785f473 100644 --- a/components/openssl/library/ssl_pkey.c +++ b/components/openssl/library/ssl_pkey.c @@ -14,6 +14,7 @@ #include "ssl_lib.h" #include "ssl_pkey.h" +#include "ssl_cert.h" #include "ssl_methods.h" #include "ssl_dbg.h" #include "ssl_port.h" @@ -38,7 +39,7 @@ EVP_PKEY* EVP_PKEY_new(void) ret = EVP_PKEY_METHOD_CALL(new, pkey); if (ret) - SSL_RET(failed2, "pkey_new\n"); + SSL_RET(failed2, "EVP_PKEY_METHOD_CALL\n"); return pkey; @@ -91,13 +92,13 @@ EVP_PKEY *d2i_PrivateKey(int type, } else { pkey = EVP_PKEY_new();; if (!pkey) - SSL_RET(failed1, "ssl_malloc\n"); + SSL_RET(failed1, "EVP_PKEY_new\n"); m = 1; } ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length); if (ret) - SSL_RET(failed2, "pkey_pm_load_crt\n"); + SSL_RET(failed2, "EVP_PKEY_METHOD_CALL\n"); if (a) *a = pkey; @@ -177,8 +178,6 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, if (!ret) SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n"); - ctx->cert->pkey->ref = 1; - return 1; failed2: 
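Review bot: The two new conditional frees in `SSL_free` encode the ownership split this patch introduces but say nothing about it, so a later reader will wonder why `ssl->cert` is sometimes left alone. A comment above them would settle it: `/* cert and client_CA are borrowed from ctx unless SSL_use_* / SSL_add_client_CA replaced them (crt_reload / ca_reload); only the SSL-owned copies are released here, the ctx copies go with SSL_CTX_free */`. Running them after `SSL_METHOD_CALL(free, ssl)` looks right, because ssl_pm_new hands `&x509_pm->x509_crt` and `&pkey_pm->pkey` to mbedtls_ssl_conf_own_cert and the mbedtls config has to go first. SSL_free starts before this hunk.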
@@ -203,25 +202,44 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) { int ret; + int reload; EVP_PKEY *pkey; + CERT *cert; + CERT *old_cert; - if (ssl->cert->pkey->ref) - SSL_RET(failed1); + if (!ssl->crt_reload) { + cert = ssl_cert_new(); + if (!cert) + SSL_RET(failed1, "ssl_cert_new\n"); - pkey = d2i_PrivateKey(0, NULL, &d, len); + old_cert = ssl->cert ; + ssl->cert = cert; + + ssl->crt_reload = 1; + + reload = 1; + } else { + reload = 0; + } + + pkey = d2i_PrivateKey(0, &ssl->cert->pkey, &d, len); if (!pkey) - SSL_RET(failed1, "d2i_PrivateKey\n"); + SSL_RET(failed2, "d2i_PrivateKey\n"); ret = SSL_use_PrivateKey(ssl, pkey); if (!ret) - SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n"); - - ssl->cert->pkey->ref = 1; + SSL_RET(failed3, "SSL_use_PrivateKey\n"); return 1; -failed2: +failed3: EVP_PKEY_free(pkey); +failed2: + if (reload) { + ssl->cert = old_cert; + ssl_cert_free(cert); + ssl->crt_reload = 0; + } failed1: return 0; } diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c index 19c94c3eca..9ca60d8b31 100644 --- a/components/openssl/library/ssl_x509.c +++ b/components/openssl/library/ssl_x509.c @@ -13,6 +13,7 @@ // limitations under the License. #include "ssl_x509.h" +#include "ssl_cert.h" #include "ssl_methods.h" #include "ssl_dbg.h" #include "ssl_port.h" @@ -91,7 +92,7 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len) ret = X509_METHOD_CALL(load, x, buffer, len); if (ret) - SSL_RET(failed2, "x509_load\n"); + SSL_RET(failed2, "X509_METHOD_CALL\n"); return x; @@ -140,7 +141,9 @@ int SSL_add_client_CA(SSL *ssl, X509 *x) SSL_ASSERT(ssl); SSL_ASSERT(x); - if (ssl->client_CA) + if (!ssl->ca_reload) + ssl->ca_reload = 1; + else X509_free(ssl->client_CA); ssl->client_CA = x; @@ -227,8 +230,6 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, if (!ret) SSL_RET(failed2, "SSL_CTX_use_certificate\n"); - ctx->cert->x509->ref = 1; - return 1; failed2: 
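Review bot: `failed3: EVP_PKEY_free(pkey);` followed by `ssl_cert_free(cert)` looks like a double free: `d2i_PrivateKey(0, &ssl->cert->pkey, &d, len)` is handed the CERT's existing key object, and the visible `if (a) *a = pkey;` / `m` handling in d2i_PrivateKey suggests it loads into that object and returns it, so `pkey == ssl->cert->pkey` and ssl_cert_free releases it a second time. On the non-reload path (`crt_reload` already set) the same free leaves `ssl->cert->pkey` dangling for the next SSL_use_* call and for SSL_free. I would drop the free at failed3, since the key is owned by the CERT in both cases, and leave a comment in its place: `failed3: /* pkey is ssl->cert->pkey: released with the CERT (reload) or kept in place for a retry */`. `old_cert` is only assigned on the reload path, which the `if (reload)` guard in the cleanup respects, but initialising it to NULL would silence -Wmaybe-uninitialized.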
@@ -252,25 +253,44 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d) { int ret; - X509 *cert; + int reload; + X509 *x; + CERT *cert; + CERT *old_cert; - if (ssl->cert->x509->ref) - SSL_RET(failed1); + if (!ssl->crt_reload) { + cert = ssl_cert_new(); + if (!cert) + SSL_RET(failed1, "ssl_cert_new\n"); - cert = d2i_X509(NULL, d, len); - if (!cert) - SSL_RET(failed1, "d2i_X509\n"); + old_cert = ssl->cert ; + ssl->cert = cert; - ret = SSL_use_certificate(ssl, cert); + ssl->crt_reload = 1; + + reload = 1; + } else { + reload = 0; + } + + x = d2i_X509(&ssl->cert->x509, d, len); + if (!x) + SSL_RET(failed2, "d2i_X509\n"); + + ret = SSL_use_certificate(ssl, x); if (!ret) - SSL_RET(failed2, "SSL_use_certificate\n"); - - ssl->cert->x509->ref = 1; + SSL_RET(failed3, "SSL_use_certificate\n"); return 1; +failed3: + X509_free(x); failed2: - X509_free(cert); + if (reload) { + ssl->cert = old_cert; + ssl_cert_free(cert); + ssl->crt_reload = 0; + } failed1: return 0; } diff --git a/components/openssl/platform/ssl_pm.c b/components/openssl/platform/ssl_pm.c index 04e370f9fc..54e6cba25c 100644 --- a/components/openssl/platform/ssl_pm.c +++ b/components/openssl/platform/ssl_pm.c @@ -43,16 +43,16 @@ struct ssl_pm struct x509_pm { - int load; - mbedtls_x509_crt x509_crt; + + int load; }; struct pkey_pm { - int load; - mbedtls_pk_context pkey; + + int load; }; @@ -79,9 +79,13 @@ int ssl_pm_new(SSL *ssl) struct x509_pm *x509_pm; struct pkey_pm *pkey_pm; + ssl->session.peer = ssl_malloc(sizeof(X509)); + if (!ssl->session.peer) + SSL_ERR(ret, failed1, "ssl_malloc\n"); + ssl_pm = ssl_malloc(sizeof(struct ssl_pm)); if (!ssl_pm) - SSL_ERR(ret, failed1, "ssl_malloc\n"); + SSL_ERR(ret, failed2, "ssl_malloc\n"); mbedtls_net_init(&ssl_pm->fd); mbedtls_net_init(&ssl_pm->cl_fd); 
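Review bot: `failed3: X509_free(x);` has the same problem as the private-key path: `d2i_X509(&ssl->cert->x509, d, len)` receives the CERT's existing X509 and, if it follows the `*a` convention d2i_PrivateKey shows, returns that same object, so `x == ssl->cert->x509` and the following `ssl_cert_free(cert)` frees it again, while on the non-reload path the CERT is left pointing at freed memory. I would remove that free and mark the label: `failed3: /* x is ssl->cert->x509, owned by the CERT */`. Separately, the fresh CERT from `ssl_cert_new()` starts with an empty `pkey`, so a caller that loads only a certificate here silently loses the private key configured on the SSL_CTX; that differs from OpenSSL, where SSL_use_certificate keeps the existing key, and should at least be stated in the function's header comment.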
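Review bot: `ssl->session.peer = ssl_malloc(sizeof(X509))` produces an X509 whose `method` and `x509_pm` members are never set (zero if ssl_malloc clears memory, garbage otherwise), so any X509_METHOD_CALL applied to the peer certificate later dereferences a null or wild pointer. `X509_new()` is what ssl_cert_new uses for the same purpose and would initialise the object; the matching cleanup should then be `X509_free(ssl->session.peer);` instead of `ssl_free`. If X509_new is not callable from the platform layer, the object at least needs `memset(ssl->session.peer, 0, sizeof(X509));` plus a comment saying it is a placeholder that the handshake fills in. ssl_pm_new continues past this hunk.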
@@ -93,7 +97,7 @@ int ssl_pm_new(SSL *ssl) ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len); if (ret) - SSL_ERR(ret, failed1, "mbedtls_ctr_drbg_seed:[-0x%x]\n", -ret); + SSL_ERR(ret, failed3, "mbedtls_ctr_drbg_seed:[-0x%x]\n", -ret); if (method->endpoint) { endpoint = MBEDTLS_SSL_IS_SERVER; @@ -102,7 +106,7 @@ int ssl_pm_new(SSL *ssl) } ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); if (ret) - SSL_ERR(ret, failed2, "mbedtls_ssl_config_defaults:[-0x%x]\n", -ret); + SSL_ERR(ret, failed3, "mbedtls_ssl_config_defaults:[-0x%x]\n", -ret); if (TLS1_2_VERSION == ssl->version) version = MBEDTLS_SSL_MINOR_VERSION_3; @@ -135,12 +139,12 @@ int ssl_pm_new(SSL *ssl) ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey); if (ret) - SSL_ERR(ret, failed3, "mbedtls_ssl_conf_own_cert:[%d]\n", ret); + SSL_ERR(ret, failed4, "mbedtls_ssl_conf_own_cert:[%d]\n", ret); } ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf); if (ret) - SSL_ERR(ret, failed4, "mbedtls_ssl_setup:[-0x%x]\n", -ret); + SSL_ERR(ret, failed5, "mbedtls_ssl_setup:[-0x%x]\n", -ret); mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL); @@ -148,12 +152,14 @@ int ssl_pm_new(SSL *ssl) return 0; -failed4: +failed5: mbedtls_ssl_config_free(&ssl_pm->conf); -failed3: +failed4: mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg); -failed2: +failed3: mbedtls_entropy_free(&ssl_pm->entropy); +failed2: + ssl_free(ssl->session.peer); failed1: return -1; } @@ -186,6 +192,8 @@ int ssl_pm_handshake(SSL *ssl) if (!mbed_ret) { ret = 1; + + ssl->session.peer = (X509 *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl); } else { ret = 0; SSL_DEBUG(1, "mbedtls_ssl_handshake [-0x%x]\n", -mbed_ret);
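Review bot: `failed2: ssl_free(ssl->session.peer);` releases the peer object but leaves `ssl->session.peer` pointing at the freed block, and every later failure (`failed3` through `failed5`) falls through to it. If SSL_new's own failure path, ssl_pm_free or SSL_free ever inspects `session.peer`, that is a double free; `ssl_free(ssl->session.peer); ssl->session.peer = NULL;` closes it at no cost. The body of ssl_pm_new lies outside this hunk.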
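Review bot: `ssl->session.peer = (X509 *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);` stores an `mbedtls_x509_crt` where the rest of the layer expects a `struct x509_st` whose first member is `void *x509_pm`, so any X509 accessor applied to the peer later reinterprets mbedtls fields as a platform pointer; the cast also drops the `const` that mbedtls returns and overwrites the object ssl_pm_new allocated for `session.peer`, which is then never freed. The mbedtls certificate is owned by the mbedtls session and released with it, so handing its address out as an X509 is a lifetime problem as well as a type one. Since `struct x509_pm` embeds `mbedtls_x509_crt` by value, the least invasive fix is to parse the peer's DER into the existing X509 instead of aliasing it: `const mbedtls_x509_crt *peer = mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);` followed by `if (peer && !d2i_X509(&ssl->session.peer, peer->raw.p, peer->raw.len)) ret = 0;`, which presumes `session.peer` was created with X509_new so its method is set. ssl_pm_handshake starts and ends outside this hunk.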