diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 86b061da4..695b23328 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -677,15 +677,9 @@ struct mbedtls_ssl_handshake_params
     size_t psk_len;                     /*!< Length of PSK from callback */
 #endif
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-    /**
-     * Current key/cert or key/cert list.
-     * On client: pointer to ssl->key_cert, only the first entry used.
-     * On server: starts as a pointer to ssl->key_cert, then becomes
-     * a pointer to the chosen key from this list or the SNI list.
-     */
-    mbedtls_ssl_key_cert *key_cert;
+    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server) */
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
+    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
 #endif
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
@@ -1579,8 +1573,9 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf,
  *
  * \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED
  */
-int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert,
-                      mbedtls_pk_context *pk_key );
+int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
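Review bot: The replacement comment `/*!< chosen key/cert pair (server) */` on handshake->key_cert drops what the removed six-line comment explained and does not say what NULL now means, which matters because ssl_handshake_init() no longer seeds the field from the config in this same commit. A reader of ssl_pick_cert() or mbedtls_ssl_own_cert() needs to know that the field stays NULL until a certificate has actually been selected, and that consumers must go through mbedtls_ssl_own_key()/mbedtls_ssl_own_cert(), which fall back to conf->key_cert, rather than read it directly. Suggested wording: `/*!< Key/cert chosen by the server during the handshake (from conf->key_cert or the SNI list); NULL until selected. Read via mbedtls_ssl_own_cert(), which falls back to the config, never directly. */`. The struct definition starts before this hunk.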
@@ -2355,14 +2350,26 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
 {
-    return( ssl->handshake->key_cert == NULL ? NULL
-            : ssl->handshake->key_cert->key );
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->key );
 }
 
 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
 {
-    return( ssl->handshake->key_cert == NULL ? NULL
-            : ssl->handshake->key_cert->cert );
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->cert );
 }
 
 /*
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8ca3e58f8..0ff3c18ca 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -875,7 +875,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
         list = ssl->handshake->sni_key_cert;
     else
 #endif
-        list = ssl->handshake->key_cert;
+        list = ssl->conf->key_cert;
 
     if( pk_alg == MBEDTLS_PK_NONE )
         return( 0 );
@@ -943,7 +943,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 
     cur = fallback;
 
-    /* Do not update ssl->handshake->key_cert unless the is a match */
+    /* Do not update ssl->handshake->key_cert unless there is a match */
     if( cur != NULL )
     {
         ssl->handshake->key_cert = cur;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d2593b78..1a75deffe 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
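Review bot: mbedtls_ssl_own_key() and mbedtls_ssl_own_cert() now carry an identical five-line selection sequence, so the two can silently drift the next time one of them gains a check the other lacks; the selection belongs in one helper that both call. Both functions also dereference `ssl->conf` unconditionally on the fallback path, so calling either on a context that has no config attached yet would dereference NULL — presumably unreachable since they are handshake-time helpers, but the precondition deserves a one-line comment. Note as well that with the fallback a caller can no longer use a NULL result to detect "no certificate selected yet" on the server, since conf->key_cert is returned instead; any code that relied on that distinction should be rechecked.
```c
/* Key/cert pair in use for this connection: the one picked during the
 * handshake when there is one, otherwise the first entry on the config.
 * Requires ssl->conf to be set. */
static inline mbedtls_ssl_key_cert *ssl_own_key_cert( mbedtls_ssl_context *ssl )
{
    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
        return( ssl->handshake->key_cert );

    return( ssl->conf->key_cert );
}

static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
{
    mbedtls_ssl_key_cert *key_cert = ssl_own_key_cert( ssl );
    return( key_cert == NULL ? NULL : key_cert->key );
}

static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
{
    mbedtls_ssl_key_cert *key_cert = ssl_own_key_cert( ssl );
    return( key_cert == NULL ? NULL : key_cert->cert );
}
```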
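Review bot: After this change a server whose ssl_pick_cert() finds no match in `list` leaves handshake->key_cert NULL, and mbedtls_ssl_own_cert() then falls back to ssl->conf->key_cert — the default list, even when the SNI callback installed a different one. That is only safe if the caller rejects the ciphersuite on a non-zero return from ssl_pick_cert(), which is outside this hunk; please confirm that no path reaches mbedtls_ssl_own_cert() after an SNI mismatch, since serving the default certificate for a name the callback meant to redirect would be a silent misbinding. A comment at the changed line would make the contract explicit: `/* Default list; if nothing below matches, handshake->key_cert stays NULL and mbedtls_ssl_own_cert() falls back to this same list */`. ssl_pick_cert() starts before and ends after this hunk.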
@@ -4901,10 +4901,6 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
     ssl_transform_init( ssl->transform_negotiate );
     ssl_handshake_params_init( ssl->handshake );
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-    ssl->handshake->key_cert = ssl->conf->key_cert;
-#endif
-
     /*
      * We may not know yet if we're using DTLS,
      * so always initiliase DTLS-specific fields.
@@ -5309,33 +5305,42 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf,
 }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-/* Add a new (empty) key_cert entry an return a pointer to it */
-static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl )
+/* Append a new keycert entry to a (possibly empty) list */
+static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
+                                mbedtls_x509_crt *cert,
+                                mbedtls_pk_context *key )
 {
-    mbedtls_ssl_key_cert *key_cert, *last;
+    mbedtls_ssl_key_cert *new;
 
-    key_cert = mbedtls_malloc( sizeof(mbedtls_ssl_key_cert) );
-    if( key_cert == NULL )
-        return( NULL );
+    new = mbedtls_malloc( sizeof( mbedtls_ssl_key_cert ) );
+    if( new == NULL )
+        return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
 
-    memset( key_cert, 0, sizeof( mbedtls_ssl_key_cert ) );
+    new->cert = cert;
+    new->key = key;
+    new->next = NULL;
 
-    /* Append the new key_cert to the (possibly empty) current list */
-    if( ssl->conf->key_cert == NULL )
+    /* Update head is the list was null, else add to the end */
+    if( *head == NULL )
     {
-        ssl->conf->key_cert = key_cert;
-        if( ssl->handshake != NULL )
-            ssl->handshake->key_cert = key_cert;
+        *head = new;
     }
     else
     {
-        last = ssl->conf->key_cert;
-        while( last->next != NULL )
-            last = last->next;
-        last->next = key_cert;
+        mbedtls_ssl_key_cert *cur = *head;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = new;
     }
 
-    return( key_cert );
+    return( 0 );
+}
+
+int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &ssl->conf->key_cert, own_cert, pk_key ) );
 }
 
 void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf,
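Review bot: ssl_append_key_cert() names its local `new`, a C++ keyword, which breaks the file for anyone compiling the library with a C++ compiler; the hunk already uses `cur` for the traversal, so `entry` for the allocation keeps the same shape without the hazard. The comment `/* Update head is the list was null, else add to the end */` should read `/* Update head if the list was empty, else add to the end */`. More important, mbedtls_ssl_set_own_cert() now appends to `ssl->conf->key_cert`, i.e. to the config shared by every context created from it, so adding a certificate through one context changes what all sibling contexts offer and races with any sibling walking that list in ssl_pick_cert() at the same moment; the public doc comment should state that this is only safe before the config is handed to live connections. The helper also allocates each entry with mbedtls_malloc() while nothing here says who frees the list — presumably the config's free routine, which is outside this hunk — so a note such as `/* Entries are heap-allocated; the list owner (the config) frees them */` on ssl_append_key_cert() would pin the ownership down.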
@@ -5345,20 +5350,6 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf,
     conf->ca_chain = ca_chain;
     conf->ca_crl = ca_crl;
 }
-
-int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert,
-                      mbedtls_pk_context *pk_key )
-{
-    mbedtls_ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
-
-    if( key_cert == NULL )
-        return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
-
-    key_cert->cert = own_cert;
-    key_cert->key = pk_key;
-
-    return( 0 );
-}
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)