components/openssl: add cert and pkey extra object point
authorDong Heng <dongheng@espressif.com>
Fri, 23 Sep 2016 10:47:09 +0000 (18:47 +0800)
committerDong Heng <dongheng@espressif.com>
Fri, 23 Sep 2016 10:47:09 +0000 (18:47 +0800)
The new pointer refers to the parent SSL_CTX's object and must not be freed by the SSL;
it is simply left NULL when the SSL does not use it.

components/openssl/library/ssl_lib.c
components/openssl/platform/ssl_pm.c

index ded30a33ace71395ab7feb08e8f72c0b5bf2ae89..06bbe270c5526c33be14ede1fd3669a6402bfa6a 100644 (file)
@@ -246,24 +246,34 @@ SSL *SSL_new(SSL_CTX *ctx)
     if (!ssl->session)
         SSL_RET(failed2, "ssl_zalloc\n");
 
+    ssl->cert = ssl_cert_new();
+    if (!ssl->cert)
+        SSL_RET(failed3, "ssl_cert_new\n");
+
+    ssl->client_CA = X509_new();
+    if (!ssl->client_CA)
+        SSL_RET(failed4, "ssl_cert_new\n");
+
     ssl->ctx = ctx;
     ssl->method = ctx->method;
 
     ssl->version = ctx->version;
     ssl->options = ctx->options;
 
-    ssl->cert = ctx->cert;
-    ssl->client_CA = ctx->client_CA;
     ssl->verify_mode = ctx->verify_mode;
 
     ret = SSL_METHOD_CALL(new, ssl);
     if (ret)
-        SSL_RET(failed3, "ssl_new\n");
+        SSL_RET(failed5, "ssl_new\n");
 
     ssl->rwstate = SSL_NOTHING;
 
     return ssl;
 
+failed5:
+    X509_free(ssl->client_CA);
+failed4:
+    ssl_cert_free(ssl->cert);
 failed3:
     SSL_SESSION_free(ssl->session);
 failed2:
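Review bot: The error message for the X509_new() failure at the second new check names the wrong allocator, which will send whoever reads the log looking at ssl_cert_new(); it should read `SSL_RET(failed4, "X509_new\n");`. The unwind order on the new failed5/failed4 labels matches the allocation order, which looks right. Note that ssl->cert and ssl->client_CA are now always owned by the SSL, so SSL_free must unconditionally release them, and the method `new` hook is expected to fill in the borrowed context pointers rather than these objects being shared with the ctx as before. SSL_new starts before this hunk.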
@@ -281,13 +291,11 @@ void SSL_free(SSL *ssl)
 
     SSL_METHOD_CALL(free, ssl);
 
-    SSL_SESSION_free(ssl->session);
+    X509_free(ssl->client_CA);
 
-    if (ssl->ca_reload)
-        X509_free(ssl->client_CA);
+    ssl_cert_free(ssl->cert);
 
-    if (ssl->crt_reload)
-        ssl_cert_free(ssl->cert);
+    SSL_SESSION_free(ssl->session);
 
     ssl_free(ssl);
 }
index 0cf8f6c0a9307e5869de8b63443db571357f2c5f..311c3a4b6fe2cc77f1e7bea0aae34e7d6ee10cd7 100644 (file)
@@ -78,6 +78,14 @@ int ssl_pm_new(SSL *ssl)
 
     const SSL_METHOD *method = ssl->method;
 
+    struct x509_pm *ctx_ca = (struct x509_pm *)ssl->ctx->client_CA->x509_pm;
+    struct x509_pm *ctx_crt = (struct x509_pm *)ssl->ctx->cert->x509->x509_pm;
+    struct pkey_pm *ctx_pkey = (struct pkey_pm *)ssl->ctx->cert->pkey->pkey_pm;
+
+    struct x509_pm *ssl_ca = (struct x509_pm *)ssl->client_CA->x509_pm;
+    struct x509_pm *ssl_crt = (struct x509_pm *)ssl->cert->x509->x509_pm;
+    struct pkey_pm *ssl_pkey = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
+
     ssl_pm = ssl_zalloc(sizeof(struct ssl_pm));
     if (!ssl_pm)
         SSL_ERR(ret, failed1, "ssl_zalloc\n");
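Review bot: The six new declarations dereference ssl->ctx->client_CA, ssl->ctx->cert, ssl->ctx->cert->x509 and ssl->ctx->cert->pkey unconditionally, before the ssl_pm allocation and its error path; if SSL_CTX_new can leave any of these NULL (I cannot see it from here), a context created without a certificate would crash in SSL_new rather than fail cleanly. Either guard them, e.g. `if (!ssl->ctx->client_CA || !ssl->ctx->cert || !ssl->ctx->cert->x509 || !ssl->ctx->cert->pkey) SSL_ERR(ret, failed1, "ctx object\n");`, or add a comment stating that SSL_CTX_new guarantees all four are allocated. ssl_pm_new begins before this hunk and continues after it.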
@@ -126,6 +134,10 @@ int ssl_pm_new(SSL *ssl)
 
     ssl->ssl_pm = ssl_pm;
 
+    ssl_ca->ex_crt = ctx_ca->x509_crt;
+    ssl_crt->ex_crt = ctx_crt->x509_crt;
+    ssl_pkey->ex_pkey = ctx_pkey->pkey;
+
     return 0;
 
 failed3:
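Review bot: The three ex_crt/ex_pkey assignments alias the parent context's mbedtls certificate and private key with no reference counting, so the lifetime rule is implicit; a comment is needed here, e.g. `/* Borrowed from the parent SSL_CTX: never freed through this SSL, and stale if the ctx reloads its cert/key or is freed before the SSL. */`. Pointing a per-connection object at the context's private key in particular deserves stating, because anything that later frees or replaces the ctx key leaves every live SSL with a dangling pkey. ssl_pm_new starts before this hunk.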
@@ -179,14 +191,21 @@ static int ssl_pm_reload_crt(SSL *ssl)
 
     if (ca_pm->x509_crt) {
         mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
+    } else if (ca_pm->ex_crt) {
+        mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
     }
 
     if (crt_pm->x509_crt && pkey_pm->pkey) {
         ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
-        if (ret)
-            return -1;
+    } else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
+        ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
+    } else {
+        ret = 0;
     }
 
+    if (ret)
+        return -1;
+
     return 0;
 }
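Review bot: The new `else if (ca_pm->ex_crt)` branch passes `ca_pm->x509_crt` to mbedtls_ssl_conf_ca_chain, but that branch is only reached when `ca_pm->x509_crt` is NULL, so an SSL that inherits its CA chain from the context ends up configured with no CA chain and peer verification cannot succeed; it should be `mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);`. The own-cert fallback below it correctly uses ex_crt/ex_pkey, which makes the copy-paste slip above it stand out. The start of ssl_pm_reload_crt, where ca_pm and ret are defined, is outside this hunk, and the hunk may be cut one context line short.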