diff --git a/include/pki/hitls_pki_types.h b/include/pki/hitls_pki_types.h
index 3514ae26..63fbcb0e 100644
--- a/include/pki/hitls_pki_types.h
+++ b/include/pki/hitls_pki_types.h
@@ -335,7 +335,9 @@ typedef enum {
 /* clear flag */
 HITLS_X509_STORECTX_CLR_PARAM_FLAGS,
 HITLS_X509_STORECTX_DEEP_COPY_SET_CA,
- HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA,
+ HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA,/**< After a successful shallow copy, the ownership of the certificate
+ pointer is transferred, and it is no longer held. The same certificate
+ pointer cannot be set twice. Otherwise, an error is reported. */
 HITLS_X509_STORECTX_SET_CRL,
 HITLS_X509_STORECTX_SET_VFY_SM2_USERID,
 HITLS_X509_STORECTX_SET_VERIFY_CB,
diff --git a/include/tls/hitls_cert_type.h b/include/tls/hitls_cert_type.h
index bbbd122d..b17ecbfc 100644
--- a/include/tls/hitls_cert_type.h
+++ b/include/tls/hitls_cert_type.h
@@ -84,7 +84,10 @@ typedef struct BslList HITLS_CERT_CRLList;
 */
 typedef enum {
 CERT_STORE_CTRL_SET_VERIFY_DEPTH = 0, /**< Set the certificate verification depth. */
- CERT_STORE_CTRL_ADD_CERT_LIST, /**< Add ca and chain certificate to store */
+ CERT_STORE_CTRL_ADD_CERT_LIST, /**< Add ca and chain certificate to store. After a successful shallow copy,
+ the ownership of the certificate pointer is transferred, and it is no
+ longer held. The same certificate pointer cannot be set twice.
+ Otherwise, an error is reported. */
 CERT_STORE_CTRL_GET_VERIFY_DEPTH, /**< Get the certificate verification depth. */
 CERT_STORE_CTRL_ADD_CRL_LIST, /**< Add CRL list to verify store */
 CERT_STORE_CTRL_CLEAR_CRL_LIST, /**< Clear all CRLs from verify store */
diff --git a/pki/x509_verify/src/hitls_x509_verify.c b/pki/x509_verify/src/hitls_x509_verify.c
index d787e16f..0de34622 100644
--- a/pki/x509_verify/src/hitls_x509_verify.c
+++ b/pki/x509_verify/src/hitls_x509_verify.c
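Review bot: The new comment on HITLS_X509_STORECTX_SHALLOW_COPY_SET_CA does not cover the duplicate-by-value case that X509_SetCA introduces in this same patch: when a certificate equal under HITLS_X509_CertCmp is already in the store, the passed pointer is freed and HITLS_PKI_SUCCESS is returned, so a caller that keeps using its pointer after a "successful" set has a use-after-free. I would make the owner explicit: `On success the store owns the pointer (it is released at once if an equal certificate is already present), so the caller must not use or free it afterwards; passing a pointer that is already in the store returns HITLS_X509_ERR_CERT_EXIST.` The phrase "it is no longer held" does not say by whom, and that is the detail a caller needs.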
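Review bot: The comment added to CERT_STORE_CTRL_ADD_CERT_LIST is the single-certificate wording from the PKI store control, but this control adds a list according to its name and its existing text, and the new sentences do not say whether ownership transfers per element or what happens to elements already added when a later pointer is rejected; the implementation behind this control is not in the diff, so I cannot tell. If it routes each element through X509_SetCA, say so: `Applies per element: a certificate already present by value is released and skipped, a pointer already in the store fails with HITLS_X509_ERR_CERT_EXIST` and state whether earlier elements stay in the store on that failure.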
@@ -333,7 +333,7 @@ static int32_t X509_SetPurpose(HITLS_X509_StoreCtx *storeCtx, int32_t *val, uint
 return HITLS_PKI_SUCCESS;
 }
 
-static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *cert)
+static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *cert, HITLS_X509_Cert **findCert)
 {
 if (!HITLS_X509_CertIsCA(cert)) {
 BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_NOT_CA);
@@ -342,7 +342,7 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce
 HITLS_X509_List *certStore = storeCtx->store;
 HITLS_X509_Cert *tmp = BSL_LIST_SearchDataConst(certStore, cert, (BSL_LIST_PFUNC_CMP)HITLS_X509_CertCmp, NULL);
 if (tmp != NULL) {
- BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_EXIST);
+ *findCert = tmp;
 return HITLS_X509_ERR_CERT_EXIST;
 }
 
@@ -351,7 +351,18 @@ static int32_t X509_CheckCert(HITLS_X509_StoreCtx *storeCtx, HITLS_X509_Cert *ce
 
 static int32_t X509_SetCA(HITLS_X509_StoreCtx *storeCtx, void *val, bool isCopy)
 {
- int32_t ret = X509_CheckCert(storeCtx, val);
+ HITLS_X509_Cert *findCert = NULL;
+ int32_t ret = X509_CheckCert(storeCtx, val, &findCert);
+ if (ret == HITLS_X509_ERR_CERT_EXIST) {
+ if (findCert == val) {
+ BSL_ERR_PUSH_ERROR(HITLS_X509_ERR_CERT_EXIST);
+ return HITLS_X509_ERR_CERT_EXIST;
+ }
+ if (!isCopy) {
+ HITLS_X509_CertFree(val);
+ }
+ return HITLS_PKI_SUCCESS;
+ }
 if (ret != HITLS_PKI_SUCCESS) {
 return ret;
 }
diff --git a/testcode/sdv/testcase/pki/verify/test_suite_sdv_x509_vfy.c b/testcode/sdv/testcase/pki/verify/test_suite_sdv_x509_vfy.c
index b7b3f75e..e003e377 100644
--- a/testcode/sdv/testcase/pki/verify/test_suite_sdv_x509_vfy.c
+++ b/testcode/sdv/testcase/pki/verify/test_suite_sdv_x509_vfy.c
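Review bot: X509_SetCA now frees `val` and reports HITLS_PKI_SUCCESS when a certificate equal by value is already in the store and `isCopy` is false, which silently discards the caller's object and keeps the older entry; that matches the header comment, but nothing in the function says so, and because the `BSL_ERR_PUSH_ERROR` was removed from X509_CheckCert, any other caller of that helper (none visible here) would get the error code with no error-stack entry. I would put above the new branch `/* Duplicate by value: the store keeps its existing entry. On a shallow set the caller's object is consumed here and must not be touched again; a pointer that is already in the store is an error and is never freed. */`. X509_CheckCert also writes `*findCert` unconditionally — fine for its single static caller today, but `if (findCert != NULL) { *findCert = tmp; }` costs nothing and keeps the helper safe to reuse. X509_SetCA continues past the end of the hunk.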
@@ -377,7 +377,7 @@ void SDV_X509_STORE_CTRL_CERT_FUNC_TC002(void)
 ASSERT_EQ(cert->references.count, 2);
 ASSERT_EQ(BSL_LIST_COUNT(store->store), 1);
 ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_DEEP_COPY_SET_CA, cert, sizeof(HITLS_X509_Cert));
- ASSERT_TRUE(ret != HITLS_PKI_SUCCESS);
+ ASSERT_EQ(ret, HITLS_X509_ERR_CERT_EXIST);
 HITLS_X509_Crl *crl = NULL;
 ret = HITLS_X509_CrlParseFile(BSL_FORMAT_ASN1, "../testdata/cert/asn1/ca-empty-rsa-sha256-v2.der", &crl);
 ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_SET_CRL, crl, sizeof(HITLS_X509_Crl));
@@ -386,6 +386,7 @@ void SDV_X509_STORE_CTRL_CERT_FUNC_TC002(void)
 ASSERT_EQ(BSL_LIST_COUNT(store->crl), 1);
 ret = HITLS_X509_StoreCtxCtrl(store, HITLS_X509_STORECTX_SET_CRL, crl, sizeof(HITLS_X509_Crl));
 ASSERT_TRUE(ret != HITLS_PKI_SUCCESS);
+ ASSERT_TRUE(TestIsErrStackNotEmpty());
 
 EXIT:
 HITLS_X509_StoreCtxFree(store);
diff --git a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.c b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.c
index b7f3415d..a08b52b2 100644
--- a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.c
+++ b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.c
@@ -1523,7 +1523,7 @@ EXIT:
 * 2. Transfer valid parameters with idx=-1 before handshake. Expected result 2.
 * 3. Transfer valid parameters with idx=0 with NULL pointers before handshake. Expected result 3.
 * @expect 1. Returns 0
-* 2. Returns 0
+* 2. Returns 0
 * 3. Returns 0
 @ */
 /* BEGIN_CASE */
@@ -1707,7 +1707,7 @@ void UT_TLS_CM_GET_SHARED_SIGALGS_FUNC_TC002(int version)
 ASSERT_EQ(ret, 0);
 ASSERT_TRUE(TestIsErrStackEmpty());
-
+
 EXIT:
 HITLS_CFG_FreeConfig(config);
 HITLS_Free(ctx);
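Review bot: The same-pointer deep-copy case now pins HITLS_X509_ERR_CERT_EXIST but, unlike the CRL duplicate a few lines below where this patch adds an error-stack check, it does not assert that an error was pushed; X509_SetCA pushes only on that same-pointer path, so this is the right place to lock it in with `ASSERT_TRUE(TestIsErrStackNotEmpty());` directly after the ASSERT_EQ. Asserting `BSL_LIST_COUNT(store->store)` is still 1 after the rejected set would additionally catch a regression that adds the duplicate.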
@@ -2384,6 +2384,7 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
 HITLS_CERT_X509 *server_PeerChainCert = NULL;
 HITLS_CERT_X509 *server_ChainCert = NULL;
 HITLS_CERT_X509 *client_PeerEECert = NULL;
+ HITLS_CERT_X509 *server_PeerEECert = NULL;
 HITLS_CERT_X509 *client_PeerChainCert = NULL;
 
 if (!isClientPeerCertNull) {
@@ -2393,7 +2394,8 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
 }
 if (!isServerPeerCertNull) {
 client_ChainCert = (HITLS_CERT_X509*)client_Chain->first->data; // client chain cert
- server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->first->data; // client chain cert
+ server_PeerEECert = (HITLS_CERT_X509*)server_PeerChain->first->data; // client ee cert
+ server_PeerChainCert = (HITLS_CERT_X509*)server_PeerChain->last->data; // client chain cert
 }
 
 int client_result = 0;
@@ -2417,7 +2419,7 @@ uint32_t Compare_Certificates(FRAME_LinkObj *client, FRAME_LinkObj *server, bool
 server_result = 1;
 } else {
 ASSERT_TRUE(server_PeerCert != NULL);
- if (X509_CertCmp(server_PeerCert, client_Cert) == 0 &&
+ if (X509_CertCmp(server_PeerCert, client_Cert) == 0 && X509_CertCmp(server_PeerEECert, client_Cert) == 0 &&
 X509_CertCmp(server_PeerChainCert, client_ChainCert) == 0) {
 server_result = 1;
 } else {
@@ -3000,7 +3002,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC006(void)
 verifyStore = SAL_CERT_StoreNew(s_config->certMgrCtx);
 ASSERT_TRUE(verifyStore != NULL);
 SAL_CERT_StoreCtrl(s_config, verifyStore, CERT_STORE_CTRL_ADD_CERT_LIST, caCert, NULL);
-
+
 ASSERT_EQ(HITLS_CFG_SetVerifyStore(&client->ssl->config.tlsConfig, verifyStore, false), HITLS_SUCCESS);
 ASSERT_EQ(HITLS_CFG_SetVerifyStore(&server->ssl->config.tlsConfig, verifyStore, true), HITLS_SUCCESS);
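Review bot: `server_PeerChain->last->data` is compared against `client_Chain->first->data`, so the check only holds when the received peer chain is exactly the end-entity certificate (now at the head, since ParseChain appends signCert first) followed by a single chain certificate; a longer client chain would make the test compare unrelated certificates and fail for the wrong reason. If client_Chain excludes the end-entity certificate, as the existing first/first comparison suggests, asserting the layout first — `ASSERT_EQ(BSL_LIST_COUNT(server_PeerChain), BSL_LIST_COUNT(client_Chain) + 1);` — makes the assumption explicit and gives a clearer failure. Compare_Certificates begins and ends outside this hunk.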
@@ -3293,7 +3295,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC009(void)
 ASSERT_EQ(Compare_Certificates(client, server, false, true), HITLS_SUCCESS);
 ASSERT_TRUE(TestIsErrStackNotEmpty());
-
+
 EXIT:
 HITLS_CFG_FreeConfig(c_config);
 HITLS_CFG_FreeConfig(s_config);
@@ -3932,7 +3934,7 @@ void SDV_HiTLS_KeepPeerCertificate_TC014(void)
 ASSERT_EQ(Compare_ResumeCertificates(client, server), HITLS_SUCCESS);
 ASSERT_TRUE(TestIsErrStackNotEmpty());
-
+
 EXIT:
 HITLS_SESS_Free(Session);
 HITLS_CFG_FreeConfig(c_config);
@@ -4291,4 +4293,55 @@ EXIT:
 FRAME_FreeLink(client);
 FRAME_FreeLink(server);
 }
+/* END_CASE */
+
+/* @
+* @test SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001
+* @spec -
+* @title The test obtains the peer certificate chain during the handshake process, and it is expected to succeed.
+* @precon nan
+* @brief
+* 1. Initialize the TLS12 client and server.
+* 2. Establish a link. Stop the handshake state at the TRY_RECV_SERVER_KEY_EXCHANGE state, the HITLS_GetPeerCertificate
+* and HITLS_GetPeerCertChain interfaces are invoked to check the peer certificate cached at both ends.
+* @expect
+* 1. Initialization succeeded.
+* 2. The link is successfully established. The certificate cached on the client is the same as the certificate sent by the
+* server.The peer certificate cached on the server is NULL.
+* @prior Level 1
+* @auto TRUE
+@ */
+/* BEGIN_CASE */
+void SDV_HiTLS_HsCtx_Get_PeerCertificate_TC001(void)
+{
+ FRAME_Init();
+ FRAME_LinkObj *client = NULL;
+ FRAME_LinkObj *server = NULL;
+ HITLS_CERT_X509 *client_PeerCert = NULL;
+
+ HITLS_Config *c_config = HITLS_CFG_NewTLS12Config();
+ ASSERT_TRUE(c_config != NULL);
+ HITLS_Config *s_config = HITLS_CFG_NewTLS12Config();
+ ASSERT_TRUE(s_config != NULL);
+
+ client = FRAME_CreateLink(c_config, BSL_UIO_TCP);
+ ASSERT_TRUE(client != NULL);
+ server = FRAME_CreateLink(s_config, BSL_UIO_TCP);
+ ASSERT_TRUE(server != NULL);
+ ASSERT_EQ(FRAME_CreateConnection(client, server, true, TRY_RECV_SERVER_KEY_EXCHANGE), HITLS_SUCCESS);
+
+ ASSERT_TRUE(client->ssl->hsCtx->peerCert != NULL);
+ client_PeerCert = HITLS_GetPeerCertificate(client->ssl);
+ ASSERT_TRUE(client->ssl->hsCtx->peerCert->cert == client_PeerCert);
+ ASSERT_TRUE(client->ssl->hsCtx->peerCert->chain == HITLS_GetPeerCertChain(client->ssl));
+
+ ASSERT_TRUE(TestIsErrStackEmpty());
+
+EXIT:
+ HITLS_CFG_FreeCert(c_config, client_PeerCert);
+ HITLS_CFG_FreeConfig(c_config);
+ HITLS_CFG_FreeConfig(s_config);
+ FRAME_FreeLink(client);
+ FRAME_FreeLink(server);
+}
 /* END_CASE */
\ No newline at end of file
diff --git a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.data b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.data
index 0344eb95..fdd51178 100644
--- a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.data
+++ b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_cm_1.data
@@ -242,4 +242,4 @@ UT_TLS_PARSE_RECORD_SIZE_LIMIT_LENGTH_TC001
 UT_TLS_PARSE_RECORD_SIZE_LIMIT_LENGTH_TC001:
 
 UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001
-UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001:
\ No newline at end of file
+UT_TLS_PROCESS_SERVER_KX_NAMED_CURVE_TC001:
diff --git a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.c b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.c
index 3377dc45..801e7fa5 100644
--- a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.c
+++ b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.c
@@ -526,7 +526,7 @@ void UT_TLS_CFG_SET_CIPHERSUITES_FUNC_TC001(int tlsVersion)
 ASSERT_TRUE(server != NULL);
 ASSERT_EQ(FRAME_CreateConnection(client, server, true, HS_STATE_BUTT), HITLS_SUCCESS);
-
+
 ASSERT_TRUE(TestIsErrStackEmpty());
 
 EXIT:
@@ -1992,7 +1992,7 @@ EXIT:
 * 5. Call HITLS_CFG_BuildCertChain to verify the client certificate.
 * @expect
 * 1. The interface returns success.
-* 2. The client certificate verification fails.
+* 2. The client certificate verification success.
 @ */
 /* BEGIN_CASE */
 void UT_TLS_CFG_USECERTCHAINFILE_TC003(void)
@@ -2005,7 +2005,7 @@ void UT_TLS_CFG_USECERTCHAINFILE_TC003(void)
 int32_t ret = HITLS_CFG_UseCertificateChainFile(config, path);
 ASSERT_EQ(ret, HITLS_SUCCESS);
 
- ASSERT_EQ(HITLS_CFG_BuildCertChain(config, HITLS_BUILD_CHAIN_FLAG_CHECK), HITLS_X509_ERR_CERT_EXIST);
+ ASSERT_EQ(HITLS_CFG_BuildCertChain(config, HITLS_BUILD_CHAIN_FLAG_CHECK), HITLS_SUCCESS);
 EXIT:
 HITLS_CFG_FreeConfig(config);
 }
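Review bot: The @expect text promises that the peer certificate cached on the server is NULL, but the test body never looks at the server side; at the point where the client is parked in TRY_RECV_SERVER_KEY_EXCHANGE the server has not received a client Certificate, so `ASSERT_TRUE(HITLS_GetPeerCertificate(server->ssl) == NULL);` (or a direct check of `server->ssl->hsCtx->peerCert`, if hsCtx is guaranteed to exist on the server at that state) would make the test match its own expectation. The chain from HITLS_GetPeerCertChain is compared but never released while client_PeerCert is released via HITLS_CFG_FreeCert; that asymmetry is the actual contract being tested (one getter hands out a reference, the other a borrowed pointer) and deserves a one-line comment on each call.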
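Review bot: Flipping the expected result from HITLS_X509_ERR_CERT_EXIST to HITLS_SUCCESS means a repeated certificate in the chain file is now accepted silently, and the test no longer distinguishes "duplicate collapsed" from "duplicate added twice"; the file contents are not visible here, but if it does contain a repeated certificate, an assertion on the built chain length after HITLS_CFG_BuildCertChain would keep the case meaningful. The @expect wording should also read `* 2. The client certificate verification succeeds.`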
@@ -3896,3 +3896,43 @@ void SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001(void)
 #endif
 }
 /* END_CASE */
+
+/* @
+* @test SDV_CONFIG_SET_SAME_CERT_TC001
+* @spec -
+* @title When setting the same certificate in the test, verify whether the certificate can be successfully set.
+* @precon nan
+* @brief
+* 1. Create one TLS1.2 config. Expected result 1.
+* 2. Parse a certificate twice, and then set it to the store through deep copy and shallow copy respectively.
+* Expected result 2.
+* 3. Set the same certificate pointer twice. Expected result 2.
+* @expect
+* 1. Shared TLS1.2 config connections complete concurrent I/O successfully.
+* 2. Setup successful.
+* @prior Level 1
+* @auto TRUE
+@ */
+/* BEGIN_CASE */
+void SDV_CONFIG_SET_SAME_CERT_TC001(void)
+{
+ HitlsInit();
+ HITLS_Config *tlsConfig = NULL;
+ tlsConfig = HITLS_CFG_NewTLS12Config();
+ ASSERT_TRUE(tlsConfig != NULL);
+ const char *path1 = "../testdata/tls/certificate/pem/rsa_sha256/ca.pem";
+ HITLS_CERT_X509 *caCert = HITLS_CFG_ParseCert(tlsConfig, (const uint8_t *)path1, strlen(path1) + 1,
+ TLS_PARSE_TYPE_FILE, TLS_PARSE_FORMAT_PEM);
+ ASSERT_TRUE(caCert != NULL);
+ HITLS_CERT_X509 *caCert2 = HITLS_CFG_ParseCert(tlsConfig, (const uint8_t *)path1, strlen(path1) + 1,
+ TLS_PARSE_TYPE_FILE, TLS_PARSE_FORMAT_PEM);
+ ASSERT_TRUE(caCert2 != NULL);
+
+ ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_SUCCESS);
+ ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, true), HITLS_X509_ERR_CERT_EXIST);
+ ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_X509_ERR_CERT_EXIST);
+ ASSERT_EQ(HITLS_CFG_AddCertToStore(tlsConfig, caCert2, TLS_CERT_STORE_TYPE_DEFAULT, false), HITLS_SUCCESS);
+EXIT:
+ HITLS_CFG_FreeConfig(tlsConfig);
+}
+/* END_CASE */
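Review bot: Expected result 1 ("Shared TLS1.2 config connections complete concurrent I/O successfully") is carried over from the concurrent-I/O case above and does not describe step 1 here; it should read `* 1. The config is created successfully.`. The last AddCertToStore succeeds only because X509_SetCA frees the value-equal caCert2 and keeps the entry already in the store (assuming the trailing bool maps to isCopy), so the test depends on never touching caCert2 again — a comment saying so, plus an assertion that the store still holds exactly one certificate, would pin the deduplication rather than just the return code. The remaining untested branch is a value-equal duplicate added with a deep copy, where the caller keeps ownership and has to free caCert2 itself.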
diff --git a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.data b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.data
index 0664c48c..0cdab941 100644
--- a/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.data
+++ b/testcode/sdv/testcase/tls/interface/test_suite_sdv_frame_tls_config_1.data
@@ -266,3 +266,6 @@ SDV_CONFIG_CONCURRENT_READ_WRITE_TLCP_TC001:
 
 SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001
 SDV_CONFIG_CONCURRENT_READ_WRITE_DTLCP_TC001:
+
+SDV_CONFIG_SET_SAME_CERT_TC001
+SDV_CONFIG_SET_SAME_CERT_TC001:
diff --git a/testcode/sdv/testcase/tls/interface_tlcp/test_suite_sdv_frame_cert_interface.c b/testcode/sdv/testcase/tls/interface_tlcp/test_suite_sdv_frame_cert_interface.c
index 21dcff10..2e23df38 100644
--- a/testcode/sdv/testcase/tls/interface_tlcp/test_suite_sdv_frame_cert_interface.c
+++ b/testcode/sdv/testcase/tls/interface_tlcp/test_suite_sdv_frame_cert_interface.c
@@ -760,7 +760,7 @@ void UT_TLS_CERT_GET_CALIST_FUNC_TC001(int version)
 ret = BSL_LIST_AddElement((BslList *)certChain, cert3, BSL_LIST_POS_END);
 ASSERT_TRUE(ret == 0);
 
- ret = SESS_SetPeerCert(session, peerCert, false);
+ ret = SESS_SetPeerCert(session, peerCert);
 ASSERT_TRUE(ret == HITLS_SUCCESS);
 
diff --git a/tls/cert/cert_adapt/cert.c b/tls/cert/cert_adapt/cert.c
index 06f828ec..b7d38690 100644
--- a/tls/cert/cert_adapt/cert.c
+++ b/tls/cert/cert_adapt/cert.c
@@ -464,7 +464,8 @@ static bool TlcpCheckEncCertKeyUsage(HITLS_Ctx *ctx, HITLS_CERT_X509 *encCert)
 }
 #endif
 
-int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HITLS_CERT_X509 **encCert)
+int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HITLS_CERT_X509 **encCert,
+ HITLS_CERT_X509 *signCert)
 {
 if (ctx == NULL || chain == NULL) {
 BSL_ERR_PUSH_ERROR(HITLS_NULL_INPUT);
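Review bot: ParseChain has external linkage and its new `signCert` parameter goes straight into SAL_CERT_X509Ref in the next hunk, yet the NULL-input guard right here still covers only `ctx` and `chain`; the one caller in this diff passes a certificate it has just parsed, but the guard is what protects every other caller, so `if (ctx == NULL || chain == NULL || signCert == NULL) {` is the cheap fix. If SAL_CERT_X509Ref is known to tolerate NULL that could instead be documented, but its behaviour is not visible here. ParseChain continues past the end of the hunk.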
@@ -476,6 +477,11 @@ int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HI
 if (newChain == NULL) {
 return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID15049, "ChainNew fail");
 }
+ HITLS_CERT_X509 *tempCert = SAL_CERT_X509Ref(config->certMgrCtx, signCert);
+ if (SAL_CERT_ChainAppend(newChain, tempCert) != HITLS_SUCCESS) {
+ DestoryParseChain(NULL, tempCert, newChain);
+ return RETURN_ERROR_NUMBER_PROCESS(HITLS_MEMALLOC_FAIL, BINLOG_ID15054, "Append signCert fail");
+ }
 
 CERT_Item *listNode = item;
 while (listNode != NULL) {
@@ -496,9 +502,7 @@ int32_t ParseChain(HITLS_Ctx *ctx, CERT_Item *item, HITLS_CERT_Chain **chain, HI
 #ifdef HITLS_TLS_PROTO_TLCP11
 if ((encCert != NULL) && (TlcpCheckEncCertKeyUsage(ctx, cert) == true)) {
 SAL_CERT_X509Free(encCertLocal);
- encCertLocal = cert;
- listNode = listNode->next;
- continue;
+ encCertLocal = SAL_CERT_X509Ref(config->certMgrCtx, cert);
 }
 #endif
 /* Add a certificate to the certificate chain. */
@@ -552,7 +556,7 @@ int32_t SAL_CERT_ParseCertChain(HITLS_Ctx *ctx, CERT_Item *item, CERT_Pair **cer
 /* Parse other certificates in the certificate chain. */
 HITLS_CERT_Chain *chain = NULL;
 HITLS_CERT_X509 **inParseEnc = ctx->negotiatedInfo.version == HITLS_VERSION_TLCP_DTLCP11 ? &encCert : NULL;
- int32_t ret = ParseChain(ctx, item->next, &chain, inParseEnc);
+ int32_t ret = ParseChain(ctx, item->next, &chain, inParseEnc, cert);
 if (ret != HITLS_SUCCESS) {
 SAL_CERT_X509Free(cert);
 return RETURN_ERROR_NUMBER_PROCESS(ret, BINLOG_ID16330, "ParseChain fail");
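Review bot: `tempCert` from SAL_CERT_X509Ref is handed to SAL_CERT_ChainAppend without a NULL check, and the new `encCertLocal = SAL_CERT_X509Ref(...)` in the TLCP branch is unchecked too; whether Ref can fail is not visible here, but if it can, the chain silently gains a NULL entry or the failure is reported as an allocation error of the append. `if (tempCert == NULL || SAL_CERT_ChainAppend(newChain, tempCert) != HITLS_SUCCESS) {` covers the first site, and the TLCP site should bail out on NULL before the append that follows it. With the `continue` removed, the TLCP encryption certificate is now also appended to `*chain`: SAL_CERT_VerifyCertChain is adjusted for that in the next hunk, but every other consumer of the peer chain (HITLS_GetPeerCertChain now exposes it during the handshake) will see the encryption certificate inside the chain, so a comment at the append is warranted: `/* The chain starts with signCert and, for TLCP, also contains the encryption certificate; verifiers must skip both. */`.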
@@ -607,7 +611,15 @@ int32_t SAL_CERT_VerifyCertChain(HITLS_Ctx *ctx, CERT_Pair *certPair, bool isTlc
 certPair->cert;
 for (BslListNode *chainNode = BSL_LIST_FirstNode(chain); chainNode != NULL;
 chainNode = BSL_LIST_GetNextNode(chain, chainNode)) {
- certList[i++] = (HITLS_CERT_X509 *)BSL_LIST_GetData(chainNode);
+ HITLS_CERT_X509 *cert = (HITLS_CERT_X509 *)BSL_LIST_GetData(chainNode);
+ if (certPair->cert == cert
+#ifdef HITLS_TLS_PROTO_TLCP11
+ || certPair->encCert == cert
+#endif
+ ) {
+ continue;
+ }
+ certList[i++] = cert;
 }
 
 /* Verify the certificate chain. */
diff --git a/tls/cm/src/conn_create.c b/tls/cm/src/conn_create.c
index f522464f..6372c771 100644
--- a/tls/cm/src/conn_create.c
+++ b/tls/cm/src/conn_create.c
@@ -38,6 +38,7 @@
 #include "conn_init.h"
 #include "crypt.h"
 #include "cipher_suite.h"
+#include "hs_ctx.h"
 
 #ifdef HITLS_TLS_FEATURE_CERTIFICATE_AUTHORITIES
 static int32_t PeerInfoInit(HITLS_Ctx *ctx)
@@ -743,6 +744,10 @@ HITLS_CERT_Chain *HITLS_GetPeerCertChain(const HITLS_Ctx *ctx)
 return NULL;
 }
 
+ if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
+ return SAL_CERT_PAIR_GET_CHAIN(ctx->hsCtx->peerCert);
+ }
+
 int32_t ret = SESS_GetPeerCert(ctx->session, &certPair);
 if (ret != HITLS_SUCCESS || certPair == NULL) {
 BSL_LOG_BINLOG_FIXLEN(BINLOG_ID16478, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
diff --git a/tls/cm/src/conn_ctrl.c b/tls/cm/src/conn_ctrl.c
index 87b42c3f..6906feef 100644
--- a/tls/cm/src/conn_ctrl.c
+++ b/tls/cm/src/conn_ctrl.c
@@ -24,6 +24,7 @@
 #endif
 #include "cert_method.h"
 #include "record.h"
+#include "hs_ctx.h"
 
 #ifdef HITLS_TLS_CONNECTION_INFO_NEGOTIATION
 int32_t HITLS_GetNegotiatedVersion(const HITLS_Ctx *ctx, uint16_t *version)
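Review bot: The skip relies on pointer identity between chain entries and `certPair->cert`/`encCert`, which holds for pairs built by ParseChain in this patch (the chain stores a reference to the very same object), but a CERT_Pair that went through a copy path would carry distinct pointers and the end-entity certificate would be handed to the verifier twice — not a verification weakness, but it shows the invariant is implicit, so state it: `/* The chain holds references to the same objects as certPair->cert / encCert (see ParseChain); pointer comparison is intended. */`. Because entries are now skipped, the element count passed to the verification call below this hunk has to be `i` rather than anything derived from the chain length, otherwise `certList` carries stale slots; that call is outside the hunk, please confirm. SAL_CERT_VerifyCertChain starts and ends outside the hunk.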
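Review bot: The new early return in HITLS_GetPeerCertChain hands out the chain owned by `ctx->hsCtx->peerCert` without taking a reference, and the handshake context is torn down once the handshake finishes, so a caller that holds the pointer past the handshake (for example from a verification callback) is left with a dangling chain unless the pair was moved into the session, which recv_finished.c does only when `isKeepPeerCert` is set. Whether the chain has already been verified when this path is taken depends on where SAL_CERT_VerifyCertChain runs, which is not visible here. The public declaration should say so: `Returns a borrowed chain. While a handshake is in progress this is the peer chain received so far; it is valid only until the handshake completes and may not have been verified yet.` The session path below still logs on failure while the hsCtx path returns silently on an empty chain — acceptable, just noting the asymmetry.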
@@ -181,12 +182,15 @@ HITLS_CERT_X509 *HITLS_GetPeerCertificate(const HITLS_Ctx *ctx)
 }
 
 CERT_Pair *peerCert = NULL;
-
- int32_t ret = SESS_GetPeerCert(ctx->session, &peerCert);
- if (ret != HITLS_SUCCESS) {
- BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
- "GetPeerCert fail", 0, 0, 0, 0);
- return NULL;
+ if (ctx->hsCtx != NULL && ctx->hsCtx->peerCert != NULL) {
+ peerCert = ctx->hsCtx->peerCert;
+ } else {
+ int32_t ret = SESS_GetPeerCert(ctx->session, &peerCert);
+ if (ret != HITLS_SUCCESS) {
+ BSL_LOG_BINLOG_FIXLEN(BINLOG_ID17157, BSL_LOG_LEVEL_ERR, BSL_LOG_BINLOG_TYPE_RUN,
+ "GetPeerCert fail", 0, 0, 0, 0);
+ return NULL;
+ }
 }
 
 HITLS_CERT_X509 *cert = SAL_CERT_PAIR_GET_X509_EX(peerCert);
diff --git a/tls/feature/session/src/session.c b/tls/feature/session/src/session.c
index d17f9caf..f2e3e46d 100644
--- a/tls/feature/session/src/session.c
+++ b/tls/feature/session/src/session.c
@@ -406,7 +406,7 @@ int32_t HITLS_SESS_GetProtocolVersion(const HITLS_Session *sess, uint16_t *versi
 }
 
 #ifdef HITLS_TLS_CONNECTION_INFO_NEGOTIATION
-int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient)
+int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert)
 {
 int32_t ret = HITLS_SUCCESS;
 if (sess == NULL) {
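Review bot: Preferring `ctx->hsCtx->peerCert` changes what HITLS_GetPeerCertificate means while a handshake is in flight: it now returns the certificate received so far, and whether SAL_CERT_VerifyCertChain has already run at that moment is not visible in this hunk, so application code calling the getter from a handshake callback and treating the result as authenticated could be misled; if hsCtx also exists during renegotiation, the verified certificate of the established session is shadowed by the in-flight one. The public documentation should state: `During a handshake the certificate received from the peer so far is returned, even if chain verification has not completed; treat it as authenticated only once the handshake has succeeded.` The hsCtx branch also runs outside whatever locking SESS_GetPeerCert applies, which is fine if hsCtx is only touched from the connection's own thread, but deserves a sentence. HITLS_GetPeerCertificate starts and ends outside the hunk.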
@@ -417,34 +417,7 @@ int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient
 BSL_SAL_ThreadWriteLock(sess->lock);
 sess->peerCert = peerCert;
 
- /* The peer_cert_chain of the client stores the device certificate of the server */
- if (isClient && peerCert != NULL) {
- /* Obtain the cert */
- HITLS_CERT_X509 *tmpCert = SAL_CERT_PAIR_GET_X509(peerCert);
- if (tmpCert == NULL) {
- /* If cert in CERT_Pair is empty, the unlocking is returned */
- goto EXIT;
- }
- /* Obtain the chain */
- HITLS_CERT_Chain *tmpChain = SAL_CERT_PAIR_GET_CHAIN(peerCert);
- if (tmpChain == NULL) {
- /* If the chain in CERT_Pair is empty, the unlocking is returned */
- goto EXIT;
- }
- /* Make a copy of the cert */
- HITLS_CERT_X509 *newSubjectCert = SAL_CERT_X509Dup(sess->certMgrCtx, tmpCert);
- if (newSubjectCert == NULL) {
- ret = HITLS_CERT_ERR_X509_DUP;
- goto EXIT;
- }
-
- ret = (int32_t)BSL_LIST_AddElement(tmpChain, newSubjectCert, BSL_LIST_POS_BEGIN);
- if (ret != 0) {
- SAL_CERT_X509Free(newSubjectCert);
- }
- }
-EXIT:
 BSL_SAL_ThreadUnlock(sess->lock);
 return ret;
 }
diff --git a/tls/handshake/recv/src/recv_finished.c b/tls/handshake/recv/src/recv_finished.c
index b4b0dcf0..120b91ef 100644
--- a/tls/handshake/recv/src/recv_finished.c
+++ b/tls/handshake/recv/src/recv_finished.c
@@ -147,7 +147,7 @@ static int32_t SessionConfig(TLS_Ctx *ctx)
 }
 #if defined(HITLS_TLS_CONNECTION_INFO_NEGOTIATION) && defined(HITLS_TLS_FEATURE_SESSION)
 if (ctx->config.tlsConfig.isKeepPeerCert) {
- ret = SESS_SetPeerCert(ctx->session, hsCtx->peerCert, ctx->isClient);
+ ret = SESS_SetPeerCert(ctx->session, hsCtx->peerCert);
 if (ret != HITLS_SUCCESS) {
 return ret;
 }
@@ -169,7 +169,7 @@ int32_t HsSetSessionInfo(TLS_Ctx *ctx)
 if ((mode & HITLS_SESS_DISABLE_AUTO_CLEANUP) == 0) {
 SESSMGR_ClearTimeout(ctx->globalConfig, (uint64_t)BSL_SAL_CurrentSysTimeGet());
 }
-
+
 /* This parameter is not required for session multiplexing */
 if (ctx->negotiatedInfo.isResume == true) {
 return HITLS_SUCCESS;
diff --git a/tls/include/session.h b/tls/include/session.h
index 89708dd6..5051dd99 100644
--- a/tls/include/session.h
+++ b/tls/include/session.h
@@ -39,7 +39,7 @@ HITLS_Session *SESS_Copy(HITLS_Session *src);
 void SESS_Disable(HITLS_Session *sess);
 
 /* set peerCert */
-int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert, bool isClient);
+int32_t SESS_SetPeerCert(HITLS_Session *sess, CERT_Pair *peerCert);
 
 /* get peerCert */
 int32_t SESS_GetPeerCert(HITLS_Session *sess, CERT_Pair **peerCert);
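Review bot: `/* set peerCert */` is now the only documentation of a function whose contract this patch changes: session.c stores the pair pointer as-is (it no longer copies or reorders anything), the same pointer remains reachable through `ctx->hsCtx->peerCert` for the two public getters, and the chain inside the pair now begins with the end-entity certificate because ParseChain appends signCert first. I would replace the comment with `/* Store peerCert in the session as-is (no copy); its chain holds the end-entity certificate at the head, and the session takes ownership of the pair — confirm where hsCtx->peerCert is released. */`, since whether hsCtx gives up the pointer after SESS_SetPeerCert is not visible in this diff.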