Rework ssl_set_own_cert() internals
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 86b061d..695b233 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -677,15 +677,9 @@
     size_t psk_len;                     /*!<  Length of PSK from callback   */
 #endif
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-    /**
-     * Current key/cert or key/cert list.
-     * On client: pointer to ssl->key_cert, only the first entry used.
-     * On server: starts as a pointer to ssl->key_cert, then becomes
-     * a pointer to the chosen key from this list or the SNI list.
-     */
-    mbedtls_ssl_key_cert *key_cert;
+    mbedtls_ssl_key_cert *key_cert;     /*!< chosen key/cert pair (server)  */
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    mbedtls_ssl_key_cert *sni_key_cert;         /*!<  key/cert list from SNI  */
+    mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI         */
 #endif
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
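Review bot: The new one-line comment on `key_cert` drops the lifecycle description without saying what the field holds before a pair is chosen. After this commit the field is no longer seeded from `ssl->conf->key_cert`, and the accessors in this header treat NULL as "fall back to the configured list", so the comment should state that. Something like `/*!< chosen key/cert pair (server); NULL until selected, in which case conf->key_cert is used */` would carry it. Whether the field really starts as NULL depends on `ssl_handshake_params_init()`, which is not visible here.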
@@ -1579,8 +1573,9 @@
  *
  * \return         0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED
  */
-int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert,
-                       mbedtls_pk_context *pk_key );
+int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -2355,14 +2350,26 @@
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
 {
-    return( ssl->handshake->key_cert == NULL ? NULL
-            : ssl->handshake->key_cert->key );
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->key );
 }
 
 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
 {
-    return( ssl->handshake->key_cert == NULL ? NULL
-            : ssl->handshake->key_cert->cert );
+    mbedtls_ssl_key_cert *key_cert;
+
+    if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
+        key_cert = ssl->handshake->key_cert;
+    else
+        key_cert = ssl->conf->key_cert;
+
+    return( key_cert == NULL ? NULL : key_cert->cert );
 }
 
 /*
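Review bot: When `ssl->handshake` is NULL, the new fallback in `mbedtls_ssl_own_key()` and `mbedtls_ssl_own_cert()` returns the head of `ssl->conf->key_cert`. On a server that need not be the pair that was selected into `ssl->handshake->key_cert`, so a caller outside a handshake may get a key or certificate other than the one presented to the peer. A comment on both accessors such as `/* Outside a handshake this is the first configured pair, not necessarily the one negotiated */` would make that explicit. `ssl->conf` is dereferenced unchecked, which is only safe if a context can never exist without a config; this diff does not show that. The two bodies differ only in the final member, so a shared `static inline` helper returning the `mbedtls_ssl_key_cert *` would keep them from drifting.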
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8ca3e58..0ff3c18 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -875,7 +875,7 @@
         list = ssl->handshake->sni_key_cert;
     else
 #endif
-        list = ssl->handshake->key_cert;
+        list = ssl->conf->key_cert;
 
     if( pk_alg == MBEDTLS_PK_NONE )
         return( 0 );
@@ -943,7 +943,7 @@
         cur = fallback;
 
 
-    /* Do not update ssl->handshake->key_cert unless the is a match */
+    /* Do not update ssl->handshake->key_cert unless there is a match */
     if( cur != NULL )
     {
         ssl->handshake->key_cert = cur;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1d2593b..1a75def 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4901,10 +4901,6 @@
     ssl_transform_init( ssl->transform_negotiate );
     ssl_handshake_params_init( ssl->handshake );
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-    ssl->handshake->key_cert = ssl->conf->key_cert;
-#endif
-
     /*
      * We may not know yet if we're using DTLS,
      * so always initiliase DTLS-specific fields.
@@ -5309,33 +5305,42 @@
 }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
-/* Add a new (empty) key_cert entry an return a pointer to it */
-static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl )
+/* Append a new keycert entry to a (possibly empty) list */
+static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
+                                mbedtls_x509_crt *cert,
+                                mbedtls_pk_context *key )
 {
-    mbedtls_ssl_key_cert *key_cert, *last;
+    mbedtls_ssl_key_cert *new;
 
-    key_cert = mbedtls_malloc( sizeof(mbedtls_ssl_key_cert) );
-    if( key_cert == NULL )
-        return( NULL );
+    new = mbedtls_malloc( sizeof( mbedtls_ssl_key_cert ) );
+    if( new == NULL )
+        return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
 
-    memset( key_cert, 0, sizeof( mbedtls_ssl_key_cert ) );
+    new->cert = cert;
+    new->key  = key;
+    new->next = NULL;
 
-    /* Append the new key_cert to the (possibly empty) current list */
-    if( ssl->conf->key_cert == NULL )
+    /* Update head is the list was null, else add to the end */
+    if( *head == NULL )
     {
-        ssl->conf->key_cert = key_cert;
-        if( ssl->handshake != NULL )
-            ssl->handshake->key_cert = key_cert;
+        *head = new;
     }
     else
     {
-        last = ssl->conf->key_cert;
-        while( last->next != NULL )
-            last = last->next;
-        last->next = key_cert;
+        mbedtls_ssl_key_cert *cur = *head;
+        while( cur->next != NULL )
+            cur = cur->next;
+        cur->next = new;
     }
 
-    return( key_cert );
+    return( 0 );
+}
+
+int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl,
+                              mbedtls_x509_crt *own_cert,
+                              mbedtls_pk_context *pk_key )
+{
+    return( ssl_append_key_cert( &ssl->conf->key_cert, own_cert, pk_key ) );
 }
 
 void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf,
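Review bot: `ssl_append_key_cert()` no longer zeroes the freshly allocated node, so it is fully initialised only if `cert`, `key` and `next` are the only members of `mbedtls_ssl_key_cert`. The struct definition is not in this diff, and a field added later would be left indeterminate. Keeping `memset( new, 0, sizeof( *new ) );` ahead of the three assignments preserves the old guarantee at no real cost. The comment `/* Update head is the list was null, else add to the end */` has a typo and should read `/* Update head if the list was empty, else add to the end */`. The local name `new` is a C++ keyword; `node` or `key_cert` avoids trouble if this code is ever built or analysed as C++.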
@@ -5345,20 +5350,6 @@
     conf->ca_chain   = ca_chain;
     conf->ca_crl     = ca_crl;
 }
-
-int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert,
-                       mbedtls_pk_context *pk_key )
-{
-    mbedtls_ssl_key_cert *key_cert = ssl_add_key_cert( ssl );
-
-    if( key_cert == NULL )
-        return( MBEDTLS_ERR_SSL_MALLOC_FAILED );
-
-    key_cert->cert = own_cert;
-    key_cert->key  = pk_key;
-
-    return( 0 );
-}
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)