components/openssl: SSL load cert with creating new cert object

1. when 'SSL_new' is called, the SSL's cert points to the SSL context's cert.
           If the SSL loads a new cert, it will create a new cert object.
        2. change some debug information
This commit is contained in:
dongheng 2016-09-23 10:33:31 +08:00
parent 1bfedf9816
commit 9fc054bb55
6 changed files with 100 additions and 47 deletions


@ -99,8 +99,6 @@ struct stack_st {
struct evp_pkey_st { struct evp_pkey_st {
int ref;
void *pkey_pm; void *pkey_pm;
const PKEY_METHOD *method; const PKEY_METHOD *method;
@ -108,8 +106,6 @@ struct evp_pkey_st {
struct x509_st { struct x509_st {
int ref;
/* X509 certification platform private point */ /* X509 certification platform private point */
void *x509_pm; void *x509_pm;
@ -127,6 +123,7 @@ struct cert_st {
}; };
struct ossl_statem_st { struct ossl_statem_st {
MSG_FLOW_STATE state; MSG_FLOW_STATE state;
int hand_state; int hand_state;
@ -193,8 +190,14 @@ struct ssl_st
/* shut things down(0x01 : sent, 0x02 : received) */ /* shut things down(0x01 : sent, 0x02 : received) */
int shutdown; int shutdown;
int crt_reload;
CERT *cert; CERT *cert;
int ca_reload;
X509 *client_CA;
SSL_CTX *ctx; SSL_CTX *ctx;
const SSL_METHOD *method; const SSL_METHOD *method;
@ -208,8 +211,6 @@ struct ssl_st
int rwstate; int rwstate;
X509 *client_CA;
long verify_result; long verify_result;
X509_VERIFY_PARAM param; X509_VERIFY_PARAM param;
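Review bot: The new `crt_reload` and `ca_reload` fields in struct ssl_st are ownership flags but carry no comment, and nothing in the hunk states what value SSL_new must give them; the SSL_free hunk in this commit frees `ssl->cert` and `ssl->client_CA` only when the flags are set, so a reader has to infer that 0 means "still aliases the SSL_CTX object, must not be freed". Suggest documenting that at the declaration: `int crt_reload; /* 1: ssl->cert is owned by this SSL (allocated on first SSL_use_*), 0: aliases ctx->cert, never freed here */` and a matching one-line comment on `ca_reload` for `client_CA`. Moving `client_CA` next to `ca_reload` helps, but only if the comment makes the pairing explicit. The removal of `ref` from evp_pkey_st and x509_st drops the old "already loaded" guard; if nothing replaces it, that should be noted on the struct as well.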


@ -39,7 +39,7 @@ CERT *ssl_cert_new(void)
cert->x509 = X509_new(); cert->x509 = X509_new();
if (!cert->x509) if (!cert->x509)
SSL_RET(failed3, "sk_X509_NAME_new_null\n"); SSL_RET(failed3, "X509_new\n");
return cert; return cert;


@ -312,6 +312,12 @@ void SSL_free(SSL *ssl)
SSL_METHOD_CALL(free, ssl); SSL_METHOD_CALL(free, ssl);
if (ssl->ca_reload)
X509_free(ssl->client_CA);
if (ssl->crt_reload)
ssl_cert_free(ssl->cert);
ssl_free(ssl); ssl_free(ssl);
} }
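Review bot: The two new conditional frees in SSL_free are order-sensitive and the constraint is not written down: they rely on `SSL_METHOD_CALL(free, ssl)` having already run, because the port layer appears to point its mbedtls config at the cert's `x509_pm`/`pkey_pm` storage via `mbedtls_ssl_conf_own_cert` (visible in the ssl_pm_new hunk of this commit), so freeing the cert first would leave the port teardown with dangling references. Suggest `/* port layer must be torn down first: its config still references ssl->cert's x509/pkey storage; crt_reload==0 means ssl->cert aliases ctx->cert and is not ours to free */` above the `if (ssl->crt_reload)` line. The same reasoning applies to `client_CA` under `ca_reload`, presumably aliasing the ctx's object when the flag is clear — confirm.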


@ -14,6 +14,7 @@
#include "ssl_lib.h" #include "ssl_lib.h"
#include "ssl_pkey.h" #include "ssl_pkey.h"
#include "ssl_cert.h"
#include "ssl_methods.h" #include "ssl_methods.h"
#include "ssl_dbg.h" #include "ssl_dbg.h"
#include "ssl_port.h" #include "ssl_port.h"
@ -38,7 +39,7 @@ EVP_PKEY* EVP_PKEY_new(void)
ret = EVP_PKEY_METHOD_CALL(new, pkey); ret = EVP_PKEY_METHOD_CALL(new, pkey);
if (ret) if (ret)
SSL_RET(failed2, "pkey_new\n"); SSL_RET(failed2, "EVP_PKEY_METHOD_CALL\n");
return pkey; return pkey;
@ -91,13 +92,13 @@ EVP_PKEY *d2i_PrivateKey(int type,
} else { } else {
pkey = EVP_PKEY_new();; pkey = EVP_PKEY_new();;
if (!pkey) if (!pkey)
SSL_RET(failed1, "ssl_malloc\n"); SSL_RET(failed1, "EVP_PKEY_new\n");
m = 1; m = 1;
} }
ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length); ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length);
if (ret) if (ret)
SSL_RET(failed2, "pkey_pm_load_crt\n"); SSL_RET(failed2, "EVP_PKEY_METHOD_CALL\n");
if (a) if (a)
*a = pkey; *a = pkey;
@ -177,8 +178,6 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx,
if (!ret) if (!ret)
SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n"); SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n");
ctx->cert->pkey->ref = 1;
return 1; return 1;
failed2: failed2:
@ -203,25 +202,44 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl,
const unsigned char *d, long len) const unsigned char *d, long len)
{ {
int ret; int ret;
int reload;
EVP_PKEY *pkey; EVP_PKEY *pkey;
CERT *cert;
CERT *old_cert;
if (ssl->cert->pkey->ref) if (!ssl->crt_reload) {
SSL_RET(failed1); cert = ssl_cert_new();
if (!cert)
SSL_RET(failed1, "ssl_cert_new\n");
pkey = d2i_PrivateKey(0, NULL, &d, len); old_cert = ssl->cert ;
ssl->cert = cert;
ssl->crt_reload = 1;
reload = 1;
} else {
reload = 0;
}
pkey = d2i_PrivateKey(0, &ssl->cert->pkey, &d, len);
if (!pkey) if (!pkey)
SSL_RET(failed1, "d2i_PrivateKey\n"); SSL_RET(failed2, "d2i_PrivateKey\n");
ret = SSL_use_PrivateKey(ssl, pkey); ret = SSL_use_PrivateKey(ssl, pkey);
if (!ret) if (!ret)
SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n"); SSL_RET(failed3, "SSL_use_PrivateKey\n");
ssl->cert->pkey->ref = 1;
return 1; return 1;
failed2: failed3:
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
failed2:
if (reload) {
ssl->cert = old_cert;
ssl_cert_free(cert);
ssl->crt_reload = 0;
}
failed1: failed1:
return 0; return 0;
} }
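Review bot: The `failed3` path in SSL_use_PrivateKey_ASN1 frees an object the cert still owns: `pkey` comes from `d2i_PrivateKey(0, &ssl->cert->pkey, &d, len)`, and when `*a` is non-NULL d2i_PrivateKey appears to load into the existing object rather than allocate (the `m = 1` branch in this file only runs for the NULL case), so `pkey == ssl->cert->pkey`. After `EVP_PKEY_free(pkey)`, the reload branch at `failed2` calls `ssl_cert_free(cert)`, which presumably releases `cert->pkey` again — a double free — and in the non-reload case `ssl->cert->pkey` is left dangling for SSL_free to hit later. Suggest letting the cert keep ownership on this path: change `SSL_RET(failed3, "SSL_use_PrivateKey\n");` to `SSL_RET(failed2, "SSL_use_PrivateKey\n");` and drop the `failed3:` / `EVP_PKEY_free(pkey);` lines. SSL_use_certificate_ASN1 in ssl_x509.c has the same shape (`X509_free(x)` at its `failed3` with `x == ssl->cert->x509` from `d2i_X509(&ssl->cert->x509, d, len)`) and needs the same change.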


@ -13,6 +13,7 @@
// limitations under the License. // limitations under the License.
#include "ssl_x509.h" #include "ssl_x509.h"
#include "ssl_cert.h"
#include "ssl_methods.h" #include "ssl_methods.h"
#include "ssl_dbg.h" #include "ssl_dbg.h"
#include "ssl_port.h" #include "ssl_port.h"
@ -91,7 +92,7 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len)
ret = X509_METHOD_CALL(load, x, buffer, len); ret = X509_METHOD_CALL(load, x, buffer, len);
if (ret) if (ret)
SSL_RET(failed2, "x509_load\n"); SSL_RET(failed2, "X509_METHOD_CALL\n");
return x; return x;
@ -140,7 +141,9 @@ int SSL_add_client_CA(SSL *ssl, X509 *x)
SSL_ASSERT(ssl); SSL_ASSERT(ssl);
SSL_ASSERT(x); SSL_ASSERT(x);
if (ssl->client_CA) if (!ssl->ca_reload)
ssl->ca_reload = 1;
else
X509_free(ssl->client_CA); X509_free(ssl->client_CA);
ssl->client_CA = x; ssl->client_CA = x;
@ -227,8 +230,6 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
if (!ret) if (!ret)
SSL_RET(failed2, "SSL_CTX_use_certificate\n"); SSL_RET(failed2, "SSL_CTX_use_certificate\n");
ctx->cert->x509->ref = 1;
return 1; return 1;
failed2: failed2:
@ -252,25 +253,44 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len,
const unsigned char *d) const unsigned char *d)
{ {
int ret; int ret;
X509 *cert; int reload;
X509 *x;
CERT *cert;
CERT *old_cert;
if (ssl->cert->x509->ref) if (!ssl->crt_reload) {
SSL_RET(failed1); cert = ssl_cert_new();
cert = d2i_X509(NULL, d, len);
if (!cert) if (!cert)
SSL_RET(failed1, "d2i_X509\n"); SSL_RET(failed1, "ssl_cert_new\n");
ret = SSL_use_certificate(ssl, cert); old_cert = ssl->cert ;
ssl->cert = cert;
ssl->crt_reload = 1;
reload = 1;
} else {
reload = 0;
}
x = d2i_X509(&ssl->cert->x509, d, len);
if (!x)
SSL_RET(failed2, "d2i_X509\n");
ret = SSL_use_certificate(ssl, x);
if (!ret) if (!ret)
SSL_RET(failed2, "SSL_use_certificate\n"); SSL_RET(failed3, "SSL_use_certificate\n");
ssl->cert->x509->ref = 1;
return 1; return 1;
failed3:
X509_free(x);
failed2: failed2:
X509_free(cert); if (reload) {
ssl->cert = old_cert;
ssl_cert_free(cert);
ssl->crt_reload = 0;
}
failed1: failed1:
return 0; return 0;
} }
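Review bot: With the old `ssl->cert->x509->ref` guard removed, a second SSL_use_certificate_ASN1 call on the same SSL takes the `crt_reload` branch and re-parses into the already loaded object through `d2i_X509(&ssl->cert->x509, d, len)`; whether `X509_METHOD_CALL(load)` releases the previously parsed mbedtls_x509_crt before parsing again is not visible here, and if it does not the first chain leaks (the `load` flag in struct x509_pm looks intended to track exactly this — confirm). The same question applies to `d2i_PrivateKey(0, &ssl->cert->pkey, ...)` in ssl_pkey.c. Suggest either a comment on the d2i_X509 call stating the contract, `/* cert is owned by this SSL: the X509 load must release any previously parsed chain */`, or rejecting a second load explicitly as the old code did. In SSL_add_client_CA the `ca_reload` branch is correct but would read better with `/* first call: client_CA still aliases the ctx's object, do not free it */` — assuming that is why the first call skips the free.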


@ -43,16 +43,16 @@ struct ssl_pm
struct x509_pm struct x509_pm
{ {
int load;
mbedtls_x509_crt x509_crt; mbedtls_x509_crt x509_crt;
int load;
}; };
struct pkey_pm struct pkey_pm
{ {
int load;
mbedtls_pk_context pkey; mbedtls_pk_context pkey;
int load;
}; };
@ -79,9 +79,13 @@ int ssl_pm_new(SSL *ssl)
struct x509_pm *x509_pm; struct x509_pm *x509_pm;
struct pkey_pm *pkey_pm; struct pkey_pm *pkey_pm;
ssl->session.peer = ssl_malloc(sizeof(X509));
if (!ssl->session.peer)
SSL_ERR(ret, failed1, "ssl_malloc\n");
ssl_pm = ssl_malloc(sizeof(struct ssl_pm)); ssl_pm = ssl_malloc(sizeof(struct ssl_pm));
if (!ssl_pm) if (!ssl_pm)
SSL_ERR(ret, failed1, "ssl_malloc\n"); SSL_ERR(ret, failed2, "ssl_malloc\n");
mbedtls_net_init(&ssl_pm->fd); mbedtls_net_init(&ssl_pm->fd);
mbedtls_net_init(&ssl_pm->cl_fd); mbedtls_net_init(&ssl_pm->cl_fd);
@ -93,7 +97,7 @@ int ssl_pm_new(SSL *ssl)
ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len); ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
if (ret) if (ret)
SSL_ERR(ret, failed1, "mbedtls_ctr_drbg_seed:[-0x%x]\n", -ret); SSL_ERR(ret, failed3, "mbedtls_ctr_drbg_seed:[-0x%x]\n", -ret);
if (method->endpoint) { if (method->endpoint) {
endpoint = MBEDTLS_SSL_IS_SERVER; endpoint = MBEDTLS_SSL_IS_SERVER;
@ -102,7 +106,7 @@ int ssl_pm_new(SSL *ssl)
} }
ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret) if (ret)
SSL_ERR(ret, failed2, "mbedtls_ssl_config_defaults:[-0x%x]\n", -ret); SSL_ERR(ret, failed3, "mbedtls_ssl_config_defaults:[-0x%x]\n", -ret);
if (TLS1_2_VERSION == ssl->version) if (TLS1_2_VERSION == ssl->version)
version = MBEDTLS_SSL_MINOR_VERSION_3; version = MBEDTLS_SSL_MINOR_VERSION_3;
@ -135,12 +139,12 @@ int ssl_pm_new(SSL *ssl)
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey); ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
if (ret) if (ret)
SSL_ERR(ret, failed3, "mbedtls_ssl_conf_own_cert:[%d]\n", ret); SSL_ERR(ret, failed4, "mbedtls_ssl_conf_own_cert:[%d]\n", ret);
} }
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf); ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
if (ret) if (ret)
SSL_ERR(ret, failed4, "mbedtls_ssl_setup:[-0x%x]\n", -ret); SSL_ERR(ret, failed5, "mbedtls_ssl_setup:[-0x%x]\n", -ret);
mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL); mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
@ -148,12 +152,14 @@ int ssl_pm_new(SSL *ssl)
return 0; return 0;
failed4: failed5:
mbedtls_ssl_config_free(&ssl_pm->conf); mbedtls_ssl_config_free(&ssl_pm->conf);
failed3: failed4:
mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg); mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
failed2: failed3:
mbedtls_entropy_free(&ssl_pm->entropy); mbedtls_entropy_free(&ssl_pm->entropy);
failed2:
ssl_free(ssl->session.peer);
failed1: failed1:
return -1; return -1;
} }
@ -186,6 +192,8 @@ int ssl_pm_handshake(SSL *ssl)
if (!mbed_ret) { if (!mbed_ret) {
ret = 1; ret = 1;
ssl->session.peer = (X509 *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);
} else { } else {
ret = 0; ret = 0;
SSL_DEBUG(1, "mbedtls_ssl_handshake [-0x%x]\n", -mbed_ret); SSL_DEBUG(1, "mbedtls_ssl_handshake [-0x%x]\n", -mbed_ret);