fix:Fix the failure to obtain the peer certificate during the handshake process &&

fix the issue of not ignoring duplicate certificates when loading them

- In the certificate verification phase, users need to obtain the peer certificate by
calling HITLS_GetPeerCertChain. Currently, the peer certificate is stored in the
finish phase, which needs to be modified.
- When a certificate is loaded more than once, no error should be reported. Instead, the duplicate should be ignored and success returned.

Cherry-picked from: https://gitcode.com/openHiTLS/openhitls/merge_requests/1307

Signed-off-by: Dongjianwei001 <dongjianwei1@huawei.com>
balabala-123
2026-04-25 18:47:44 +08:00
committed by Dongjianwei001
parent b8d4c91f15
commit 58eab462f0
15 changed files with 168 additions and 61 deletions
+3 -1
@@ -335,7 +335,9 @@ typedef enum {
/* clear flag */
HITLS_X509_STORECTX_CLR_PARAM_FLAGS,
HITLS_X509_STORECTX_DEEP_COPY_SET_CA,
HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA,
HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA,/**< After a successful shallow copy, the ownership of the certificate
pointer is transferred, and it is no longer held. The same certificate
pointer cannot be set twice. Otherwise, an error is reported. */
HITLS_X509_STORECTX_SET_CRL,
HITLS_X509_STORECTX_SET_VFY_SM2_USERID,
HITLS_X509_STORECTX_SET_VERIFY_CB,
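Review bot: The new comment on HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA leaves out the case this commit actually introduces: a different pointer to a certificate that HITLS_X509_CertCmp considers equal to one already in the store is not an error any more, the store frees the caller's pointer and the call succeeds, and only the same pointer passed twice is rejected (X509_SetCA's `findCert == val` check). Suggest appending to the comment: `A different pointer to an equal certificate is treated as a duplicate: it is freed by the store and success is returned.` The CERT_STORE_CTRL_ADD_CERT_LIST comment in the next section has the same gap and should say the same.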
+4 -1
@@ -84,7 +84,10 @@ typedef struct BslList HITLS_CERT_CRLList;
*/
typedef enum {
CERT_STORE_CTRL_SET_VERIFY_DEPTH = 0, /**< Set the certificate verification depth. */
CERT_STORE_CTRL_ADD_CERT_LIST, /**< Add ca and chain certificate to store */
CERT_STORE_CTRL_ADD_CERT_LIST, /**< Add ca and chain certificate to store. After a successful shallow copy,
the ownership of the certificate pointer is transferred, and it is no
longer held. The same certificate pointer cannot be set twice.
Otherwise, an error is reported. */
CERT_STORE_CTRL_GET_VERIFY_DEPTH, /**< Get the certificate verification depth. */
CERT_STORE_CTRL_ADD_CRL_LIST, /**< Add CRL list to verify store */
CERT_STORE_CTRL_CLEAR_CRL_LIST, /**< Clear all CRLs from verify store */
+14 -3
@@ -333,7 +333,7 @@ static int32_t X509_SetPurpose(HITLS_X509_StoreCtx *storeCtx, int32_t *val, uint
return HITLS_PKI_SUCCESS;
}
static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *cert)
static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *cert, HITLS_X509_Cert **findCert)
{
if (!HITLS_X509_CertIsCA(cert)) {
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_CA);
@@ -342,7 +342,7 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce
HITLS_X509_List *certStore = storeCtx->store;
HITLS_X509_Cert *tmp = BSL_LIST_SearchDataConst(certStore, cert, (BSL_LIST_PFUNC_CMP)HITLS_X509_CertCmp, NULL);
if (tmp != NULL) {
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_EXIST);
*findCert = tmp;
return HITLS_X509_ERR_CERT_EXIST;
}
@@ -351,7 +351,18 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce
static int32_t X509_SetCA(HITLS_X509_StoreCtx *storeCtx, void *val, bool isCopy)
{
int32_t ret = X509_CheckCert(storeCtx, val);
HITLS_X509_Cert *findCert = NULL;
int32_t ret = X509_CheckCert(storeCtx, val, &findCert);
if (ret == HITLS_X509_ERR_CERT_EXIST) {
if (findCert == val) {
BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_EXIST);
return HITLS_X509_ERR_CERT_EXIST;
}
if (!isCopy) {
HITLS_X509_CertFree(val);
}
return HITLS_PKI_SUCCESS;
}
if (ret != HITLS_PKI_SUCCESS) {
return ret;
}
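Review bot: The duplicate branch of X509_SetCA frees the caller's certificate on the shallow-copy path without a word on why that is safe; a comment above `HITLS_X509_CertFree(val)` should record it: `/* Shallow copy transfers ownership to the store; an equal certificate is already held, so the caller's copy is released here and success is returned. */`. The `findCert == val` guard is what prevents that free from leaving a dangling pointer inside the store when the exact pointer already stored is passed again, so it deserves a one-line comment as well. X509_CheckCert now returns HITLS_X509_ERR_CERT_EXIST without pushing it onto the error stack while its not-CA branch still pushes; that asymmetry looks intentional (the caller decides whether it is an error) but a comment at `*findCert = tmp;` would stop someone from "fixing" it. X509_SetCA continues beyond the end of the hunk.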
@@ -377,7 +377,7 @@ void SDV_X509_STORE_CTRL_CERT_FUNC_TC002(void)
ASSERT_EQ(cert->references.count, 2);
ASSERT_EQ(BSL_LIST_COUNT(store->store), 1);
ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_DEEP_COPY_SET_CA, cert, sizeof(HITLS_X509_Cert));
ASSERT_TRUE(ret != HITLS_PKI_SUCCESS);
ASSERT_EQ(ret, HITLS_X509_ERR_CERT_EXIST);
HITLS_X509_Crl *crl = NULL;
ret = HITLS_X509_CrlParseFile(BSL_FORMAT_ASN1, "../testdata/cert/asn1/ca-empty-rsa-sha256-v2.der", &crl);
ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_SET_CRL, crl, sizeof(HITLS_X509_Crl));
@@ -386,6 +386,7 @@ void SDV_X509_STORE_CTRL_CERT_FUNC_TC002(void)
ASSERT_EQ(BSL_LIST_COUNT(store->crl), 1);
ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_SET_CRL, crl, sizeof(HITLS_X509_Crl));
ASSERT_TRUE(ret != HITLS_PKI_SUCCESS);
ASSERT_TRUE(TestIsErrStackNotEmpty());
EXIT:
HITLS_X509_StoreCtxFree(store);
@@ -1523,7 +1523,7 @@ EXIT:
* 2. Transfer valid parameters with idx=-1 before handshake. Expected result 2.
* 3. Transfer valid parameters with idx=0 with NULL pointers before handshake. Expected result 3.
* @expect 1. Returns 0
* 2. Returns 0
* 2. Returns 0
* 3. Returns 0
@ */
/* BEGIN_CASE */
@@ -1707,7 +1707,7 @@ void UT_TLS_CM_GET_SHARED_SIGALGS_FUNC_TC002(int version)
ASSERT_EQ(ret, 0);
ASSERT_TRUE(TestIsErrStackEmpty());
EXIT:
HITLS_CFG_FreeConfig(config);
HITLS_Free(ctx);
@@ -2384,6 +2384,7 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
HITLS_CERT_X509 *server_PeerChainCert = NULL;
HITLS_CERT_X509 *server_ChainCert = NULL;
HITLS_CERT_X509 *client_PeerEECert = NULL;
HITLS_CERT_X509 *server_PeerEECert = NULL;
HITLS_CERT_X509 *client_PeerChainCert = NULL;
if (!isClientPeerCertNull) {
@@ -2393,7 +2394,8 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
}
if (!isServerPeerCertNull) {
client_ChainCert = (HITLS_CERT_X509*)client_Chain->first->data; // client chain cert
server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->first->data; // client chain cert
server_PeerEECert = (HITLS_CERT_X509*)server_PeerChain->first->data; // client ee cert
server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->last->data; // client chain cert
}
int client_result = 0;
@@ -2417,7 +2419,7 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
server_result = 1;
} else {
ASSERT_TRUE(server_PeerCert != NULL);
if (X509_CertCmp(server_PeerCert, client_Cert) == 0 &&
if (X509_CertCmp(server_PeerCert, client_Cert) == 0 && X509_CertCmp(server_PeerEECert, client_Cert) == 0 &&
X509_CertCmp(server_PeerChainCert, client_ChainCert) == 0) {
server_result = 1;
} else {
@@ -3000,7 +3002,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC006(void)
verifyStore = SAL_CERT_StoreNew(s_config->certMgrCtx);
ASSERT_TRUE(verifyStore != NULL);
SAL_CERT_StoreCtrl(s_config, verifyStore, CERT_STORE_CTRL_ADD_CERT_LIST, caCert, NULL);
ASSERT_EQ(HITLS_CFG_SetVerifyStore(&client->ssl->config.tlsConfig, verifyStore, false), HITLS_SUCCESS);
ASSERT_EQ(HITLS_CFG_SetVerifyStore(&server->ssl->config.tlsConfig, verifyStore, true), HITLS_SUCCESS);
@@ -3293,7 +3295,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC009(void)
ASSERT_EQ(Compare_Certificates(client, server, false, true), HITLS_SUCCESS);
ASSERT_TRUE(TestIsErrStackNotEmpty());
EXIT:
HITLS_CFG_FreeConfig(c_config);
HITLS_CFG_FreeConfig(s_config);
@@ -3932,7 +3934,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC014(void)
ASSERT_EQ(Compare_ResumeCertificates(client, server), HITLS_SUCCESS);
ASSERT_TRUE(TestIsErrStackNotEmpty());
EXIT:
HITLS_SESS_Free(Session);
HITLS_CFG_FreeConfig(c_config);
@@ -4291,4 +4293,55 @@ EXIT:
FRAME_FreeLink(client);
FRAME_FreeLink(server);
}
/* END_CASE */
/* @
* @test SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001
* @spec -
* @title The test obtains the peer certificate chain during the handshake process, and it is expected to succeed.
* @precon nan
* @brief
* 1. Initialize the TLS12 client and server.
* 2. Establish a link. Stop the handshake state at the TRY_RECV_SERVER_KEY_EXCHANGE state, the HITLS_GetPeerCertificate
* and HITLS_GetPeerCertChain interfaces are invoked to check the peer certificate cached at both ends.
* @expect
* 1. Initialization succeeded.
* 2. The link is successfully established. The certificate cached on the client is the same as the certificate sent by the
* server.The peer certificate cached on the server is NULL.
* @prior Level 1
* @auto TRUE
@ */
/* BEGIN_CASE */
void SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001(void)
{
FRAME_Init();
FRAME_LinkObj *client = NULL;
FRAME_LinkObj *server = NULL;
HITLS_CERT_X509 *client_PeerCert = NULL;
HITLS_Config *c_config = HITLS_CFG_NewTLS12Config();
ASSERT_TRUE(c_config != NULL);
HITLS_Config *s_config = HITLS_CFG_NewTLS12Config();
ASSERT_TRUE(s_config != NULL);
client = FRAME_CreateLink(c_config, BSL_UIO_TCP);
ASSERT_TRUE(client != NULL);
server = FRAME_CreateLink(s_config, BSL_UIO_TCP);
ASSERT_TRUE(server != NULL);
ASSERT_EQ(FRAME_CreateConnection(client, server, true, TRY_RECV_SERVER_KEY_EXCHANGE), HITLS_SUCCESS);
ASSERT_TRUE(client->ssl->hsCtx->peerCert != NULL);
client_PeerCert = HITLS_GetPeerCertificate(client->ssl);
ASSERT_TRUE(client->ssl->hsCtx->peerCert->cert == client_PeerCert);
ASSERT_TRUE(client->ssl->hsCtx->peerCert->chain == HITLS_GetPeerCertChain(client->ssl));
ASSERT_TRUE(TestIsErrStackEmpty());
EXIT:
HITLS_CFG_FreeCert(c_config, client_PeerCert);
HITLS_CFG_FreeConfig(c_config);
HITLS_CFG_FreeConfig(s_config);
FRAME_FreeLink(client);
FRAME_FreeLink(server);
}
/* END_CASE */
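Review bot: SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001 states in its @expect that the peer certificate cached on the server is NULL, but nothing asserts the server side; add `ASSERT_TRUE(server->ssl->hsCtx->peerCert == NULL);` after the client checks (assuming server->ssl->hsCtx is allocated at TRY_RECV_SERVER_KEY_EXCHANGE, as the client-side access already presumes). The test also frees client_PeerCert at EXIT while asserting it is pointer-equal to hsCtx->peerCert->cert, which is only correct if HITLS_GetPeerCertificate takes its own reference; a short comment at that ASSERT saying so would save the next reader the lookup. In Compare_Certificates, `server_PeerChain->last` is now compared against `client_Chain->first`, which presumably only holds because the fixtures configure a single-certificate client chain; comparing against `client_Chain->last` would make the check hold in general.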
@@ -242,4 +242,4 @@ UT_TLS_PARSE_RECORD_SIZE_LIMIT_LENGTH_TC001
UT_TLS_PARSE_RECORD_SIZE_LIMIT_LENGTH_TC001:
UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001
UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001:
UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001:
@@ -526,7 +526,7 @@ void UT_TLS_CFG_SET_CIPHERSUITES_FUNC_TC001(int tlsVersion)
ASSERT_TRUE(server != NULL);
ASSERT_EQ(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
ASSERT_TRUE(TestIsErrStackEmpty());
EXIT:
@@ -1992,7 +1992,7 @@ EXIT:
* 5. Call HITLS_CFG_BuildCertChain to verify the client certificate.
* @expect
* 1. The interface returns success.
* 2. The client certificate verification fails.
* 2. The client certificate verification success.
@ */
/* BEGIN_CASE */
void UT_TLS_CFG_USECERTCHAINFILE_TC003(void)
@@ -2005,7 +2005,7 @@ void UT_TLS_CFG_USECERTCHAINFILE_TC003(void)
int32_t ret = HITLS_CFG_UseCertificateChainFile(config, path);
ASSERT_EQ(ret, HITLS_SUCCESS);
ASSERT_EQ(HITLS_CFG_BuildCertChain(config, HITLS_BUILD_CHAIN_FLAG_CHECK), HITLS_X509_ERR_CERT_EXIST);
ASSERT_EQ(HITLS_CFG_BuildCertChain(config, HITLS_BUILD_CHAIN_FLAG_CHECK), HITLS_SUCCESS);
EXIT:
HITLS_CFG_FreeConfig(config);
}
@@ -3896,3 +3896,43 @@ void SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001(void)
#endif
}
/* END_CASE */
/* @
* @test SDV_CONFIG_SET_SAME_CERT_TC001
* @spec -
* @title When setting the same certificate in the test, verify whether the certificate can be successfully set.
* @precon nan
* @brief
* 1. Create one TLS1.2 config. Expected result 1.
* 2. Parse a certificate twice, and then set it to the store through deep copy and shallow copy respectively.
* Expected result 2.
* 3. Set the same certificate pointer twice. Expected result 2.
* @expect
* 1. Shared TLS1.2 config connections complete concurrent I/O successfully.
* 2. Setup successful.
* @prior Level 1
* @auto TRUE
@ */
/* BEGIN_CASE */
void SDV_CONFIG_SET_SAME_CERT_TC001(void)
{
HitlsInit();
HITLS_Config *tlsConfig = NULL;
tlsConfig = HITLS_CFG_NewTLS12Config();
ASSERT_TRUE(tlsConfig != NULL);
const char *path1 = "../testdata/tls/certificate/pem/rsa_sha256/ca.pem";
HITLS_CERT_X509 *caCert = HITLS_CFG_ParseCert(tlsConfig, (const uint8_t *)path1, strlen(path1) + 1,
TLS_PARSE_TYPE_FILE, TLS_PARSE_FORMAT_PEM);
ASSERT_TRUE(caCert != NULL);
HITLS_CERT_X509 *caCert2 = HITLS_CFG_ParseCert(tlsConfig, (const uint8_t *)path1, strlen(path1) + 1,
TLS_PARSE_TYPE_FILE, TLS_PARSE_FORMAT_PEM);
ASSERT_TRUE(caCert2 != NULL);
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_SUCCESS);
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, true), HITLS_X509_ERR_CERT_EXIST);
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_X509_ERR_CERT_EXIST);
ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert2, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_SUCCESS);
EXIT:
HITLS_CFG_FreeConfig(tlsConfig);
}
/* END_CASE */
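Review bot: The @expect of SDV_CONFIG_SET_SAME_CERT_TC001 is copied from the concurrent read/write cases ("Shared TLS1.2 config connections complete concurrent I/O successfully") and does not describe this test, and @brief step 3 points at "Expected result 2" although the two same-pointer calls are asserted to return HITLS_X509_ERR_CERT_EXIST. Suggest `1. The config is created successfully.`, `2. Adding a different pointer to an equal certificate succeeds.` and a new `3. Adding the same pointer again returns HITLS_X509_ERR_CERT_EXIST.`, with step 3 referring to it. The EXIT path frees only tlsConfig, so caCert leaks if the `caCert2 != NULL` assertion fails and caCert2 leaks if the first HITLS_CFG_AddCertToStore assertion fails; the usual hygiene gap in these cases, noted because ownership of both pointers is exactly what the test is about.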
@@ -266,3 +266,6 @@ SDV_CONFIG_CONCURRENT_READ_WRITE_TLCP_TC001:
SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001
SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001:
SDV_CONFIG_SET_SAME_CERT_TC001
SDV_CONFIG_SET_SAME_CERT_TC001:
@@ -760,7 +760,7 @@ void UT_TLS_CERT_GET_CALIST_FUNC_TC001(int version)
ret = BSL_LIST_AddElement((BslList *)certChain, cert3, BSL_LIST_POS_END);
ASSERT_TRUE(ret == 0);
ret = SESS_SetPeerCert(session, peerCert, false);
ret = SESS_SetPeerCert(session, peerCert);
ASSERT_TRUE(ret == HITLS_SUCCESS);
+18 -6
@@ -464,7 +464,8 @@ static bool TlcpCheckEncCertKeyUsage(HITLS_Ctx *ctx, HITLS_CERT_X509 *encCert)
}
#endif
int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HITLS_CERT_X509 **encCert)
int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HITLS_CERT_X509 **encCert,
HITLS_CERT_X509 *signCert)
{
if (ctx == NULL || chain == NULL) {
BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
@@ -476,6 +477,11 @@ int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HI
if (newChain == NULL) {
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID15049, "ChainNew fail");
}
HITLS_CERT_X509 *tempCert = SAL_CERT_X509Ref(config->certMgrCtx, signCert);
if (SAL_CERT_ChainAppend(newChain, tempCert) != HITLS_SUCCESS) {
DestoryParseChain(NULL, tempCert, newChain);
return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID15054, "Append signCert fail");
}
CERT_Item *listNode = item;
while (listNode != NULL) {
@@ -496,9 +502,7 @@ int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HI
#ifdef HITLS_TLS_PROTO_TLCP11
if ((encCert != NULL) && (TlcpCheckEncCertKeyUsage(ctx, cert) == true)) {
SAL_CERT_X509Free(encCertLocal);
encCertLocal = cert;
listNode = listNode->next;
continue;
encCertLocal = SAL_CERT_X509Ref(config->certMgrCtx, cert);
}
#endif
/* Add a certificate to the certificate chain. */
@@ -552,7 +556,7 @@ int32_t SAL_CERT_ParseCertChain(HITLS_Ctx *ctx, CERT_Item *item, CERT_Pair **cer
/* Parse other certificates in the certificate chain. */
HITLS_CERT_Chain *chain = NULL;
HITLS_CERT_X509 **inParseEnc = ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11 ? &encCert : NULL;
int32_t ret = ParseChain(ctx, item->next, &chain, inParseEnc);
int32_t ret = ParseChain(ctx, item->next, &chain, inParseEnc, cert);
if (ret != HITLS_SUCCESS) {
SAL_CERT_X509Free(cert);
return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16330, "ParseChain fail");
@@ -607,7 +611,15 @@ int32_t SAL_CERT_VerifyCertChain(HITLS_Ctx *ctx, CERT_Pair *certPair, bool isTlc
certPair->cert;
for (BslListNode *chainNode = BSL_LIST_FirstNode(chain); chainNode != NULL;
chainNode = BSL_LIST_GetNextNode(chain, chainNode)) {
certList[i++] = (HITLS_CERT_X509 *)BSL_LIST_GetData(chainNode);
HITLS_CERT_X509 *cert = (HITLS_CERT_X509 *)BSL_LIST_GetData(chainNode);
if (certPair->cert == cert
#ifdef HITLS_TLS_PROTO_TLCP11
|| certPair->encCert == cert
#endif
) {
continue;
}
certList[i++] = cert;
}
/* Verify the certificate chain. */
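Review bot: The result of `SAL_CERT_X509Ref(config->certMgrCtx, signCert)` at the top of ParseChain is appended without a NULL check, so a failed reference is only caught if SAL_CERT_ChainAppend rejects NULL; make it explicit with `if (tempCert == NULL || SAL_CERT_ChainAppend(newChain, tempCert) != HITLS_SUCCESS) {`. The new skip in SAL_CERT_VerifyCertChain relies on `certPair->cert == cert` pointer identity, which holds only if SAL_CERT_X509Ref returns the same object with a bumped reference count rather than a copy; state that at the `if`, e.g. `/* the chain holds a reference to the same object as certPair->cert/encCert (see ParseChain); skip it so the EE cert is not verified as an intermediate */`. Note also that the peer chain now carries the end-entity certificate at its head for both client and server, whereas the code removed from SESS_SetPeerCert did this only for the client, so callers of HITLS_GetPeerCertChain that assumed the chain held only intermediates will see a different layout on the server. ParseChain and SAL_CERT_VerifyCertChain both extend beyond the hunks shown.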
+5
@@ -38,6 +38,7 @@
#include "conn_init.h"
#include "crypt.h"
#include "cipher_suite.h"
#include "hs_ctx.h"
#ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
static int32_t PeerInfoInit(HITLS_Ctx *ctx)
@@ -743,6 +744,10 @@ HITLS_CERT_Chain *HITLS_GetPeerCertChain(const HITLS_Ctx *ctx)
return NULL;
}
if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
return SAL_CERT_PAIR_GET_CHAIN(ctx->hsCtx->peerCert);
}
int32_t ret = SESS_GetPeerCert(ctx->session, &certPair);
if (ret != HITLS_SUCCESS || certPair == NULL) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16478, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
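Review bot: HITLS_GetPeerCertChain now returns ctx->hsCtx->peerCert's chain while the handshake is still in progress, i.e. before SAL_CERT_VerifyCertChain has accepted it, and neither the new `if` nor the public API comment says the chain is unverified at that point. A caller reading it from a verification callback must treat it as untrusted input until verification completes; a comment above the new branch such as `/* during the handshake the peer chain is served from hsCtx before it has been verified */`, repeated in the header, would make that explicit. The returned pointer in this branch is presumably owned by hsCtx rather than the session, which callers that cache it should also be told.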
+10 -6
@@ -24,6 +24,7 @@
#endif
#include "cert_method.h"
#include "record.h"
#include "hs_ctx.h"
#ifdef HITLS_TLS_CONNECTION_INFO_NEGOTIATION
int32_t HITLS_GetNegotiatedVersion(const HITLS_Ctx *ctx, uint16_t *version)
@@ -181,12 +182,15 @@ HITLS_CERT_X509 *HITLS_GetPeerCertificate(const HITLS_Ctx *ctx)
}
CERT_Pair *peerCert = NULL;
int32_t ret = SESS_GetPeerCert(ctx->session, &peerCert);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"GetPeerCert fail", 0, 0, 0, 0);
return NULL;
if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
peerCert = ctx->hsCtx->peerCert;
} else {
int32_t ret = SESS_GetPeerCert(ctx->session, &peerCert);
if (ret != HITLS_SUCCESS) {
BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
"GetPeerCert fail", 0, 0, 0, 0);
return NULL;
}
}
HITLS_CERT_X509 *cert = SAL_CERT_PAIR_GET_X509_EX(peerCert);
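Review bot: The hsCtx-first selection of the CERT_Pair is now written twice, here in HITLS_GetPeerCertificate and in HITLS_GetPeerCertChain, in slightly different shapes (the chain variant also rejects a NULL pair from SESS_GetPeerCert, this one does not). A small static helper returning the active pair would keep the two in step when the rule changes again; a sketch is below, with the caller's NULL handling kept as in the chain variant, which is harmless here if SAL_CERT_PAIR_GET_X509_EX tolerates a NULL pair and otherwise closes a gap. The function continues beyond the hunk.
```c
static CERT_Pair *GetActivePeerCertPair(const HITLS_Ctx *ctx)
{
    /* While the handshake is in progress the (not yet verified) pair lives in hsCtx. */
    if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
        return ctx->hsCtx->peerCert;
    }
    CERT_Pair *peerCert = NULL;
    if (SESS_GetPeerCert(ctx->session, &peerCert) != HITLS_SUCCESS) {
        BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
            "GetPeerCert fail", 0, 0, 0, 0);
        return NULL;
    }
    return peerCert;
}

/* … in HITLS_GetPeerCertificate, replacing the hsCtx/session selection … */
CERT_Pair *peerCert = GetActivePeerCertPair(ctx);
if (peerCert == NULL) {
    return NULL;
}
HITLS_CERT_X509 *cert = SAL_CERT_PAIR_GET_X509_EX(peerCert);
```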
+1 -28
@@ -406,7 +406,7 @@ int32_t HITLS_SESS_GetProtocolVersion(const HITLS_Session *sess, uint16_t *versi
}
#ifdef HITLS_TLS_CONNECTION_INFO_NEGOTIATION
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient)
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert)
{
int32_t ret = HITLS_SUCCESS;
if (sess == NULL) {
@@ -417,34 +417,7 @@ int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient
BSL_SAL_ThreadWriteLock(sess->lock);
sess->peerCert = peerCert;
/* The peer_cert_chain of the client stores the device certificate of the server */
if (isClient && peerCert != NULL) {
/* Obtain the cert */
HITLS_CERT_X509 *tmpCert = SAL_CERT_PAIR_GET_X509(peerCert);
if (tmpCert == NULL) {
/* If cert in CERT_Pair is empty, the unlocking is returned */
goto EXIT;
}
/* Obtain the chain */
HITLS_CERT_Chain *tmpChain = SAL_CERT_PAIR_GET_CHAIN(peerCert);
if (tmpChain == NULL) {
/* If the chain in CERT_Pair is empty, the unlocking is returned */
goto EXIT;
}
/* Make a copy of the cert */
HITLS_CERT_X509 *newSubjectCert = SAL_CERT_X509Dup(sess->certMgrCtx, tmpCert);
if (newSubjectCert == NULL) {
ret = HITLS_CERT_ERR_X509_DUP;
goto EXIT;
}
ret = (int32_t)BSL_LIST_AddElement(tmpChain, newSubjectCert, BSL_LIST_POS_BEGIN);
if (ret != 0) {
SAL_CERT_X509Free(newSubjectCert);
}
}
EXIT:
BSL_SAL_ThreadUnlock(sess->lock);
return ret;
}
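Review bot: With the client-side chain manipulation removed, `ret` in SESS_SetPeerCert is set to HITLS_SUCCESS and never changed between the lock and the unlock, and the `EXIT:` label is reached only by fall-through unless a `goto EXIT` survives in the unchanged NULL check above (that part of the function is outside the hunk); an unused label warns under -Wall, so if none remains drop the label and `return HITLS_SUCCESS;` after the unlock. The behaviour that moved, the end-entity certificate at the head of the peer chain, is now done unconditionally in ParseChain where this code did it only for the client, so a comment at `sess->peerCert = peerCert;` such as `/* the pair arrives with its chain already starting at the EE certificate; see ParseChain */` would explain why the copy logic disappeared.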
+2 -2
@@ -147,7 +147,7 @@ static int32_t SessionConfig(TLS_Ctx *ctx)
}
#if defined(HITLS_TLS_CONNECTION_INFO_NEGOTIATION) && defined(HITLS_TLS_FEATURE_SESSION)
if (ctx->config.tlsConfig.isKeepPeerCert) {
ret = SESS_SetPeerCert(ctx->session, hsCtx->peerCert, ctx->isClient);
ret = SESS_SetPeerCert(ctx->session, hsCtx->peerCert);
if (ret != HITLS_SUCCESS) {
return ret;
}
@@ -169,7 +169,7 @@ int32_t HsSetSessionInfo(TLS_Ctx *ctx)
if ((mode & HITLS_SESS_DISABLE_AUTO_CLEANUP) == 0) {
SESSMGR_ClearTimeout(ctx->globalConfig, (uint64_t)BSL_SAL_CurrentSysTimeGet());
}
/* This parameter is not required for session multiplexing */
if (ctx->negotiatedInfo.isResume == true) {
return HITLS_SUCCESS;
+1 -1
@@ -39,7 +39,7 @@ HITLS_Session *SESS_Copy(HITLS_Session *src);
void SESS_Disable(HITLS_Session *sess);
/* set peerCert */
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient);
int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert);
/* get peerCert */
int32_t SESS_GetPeerCert(HITLS_Session *sess, CERT_Pair **peerCert);