HPCC-27255 TLS cert/key as buffers 3a

Signed-off-by: Mark Kelly <[email protected]>
hpcc-systems · Sep 18, 2023 · 40fd720 · 40fd720
1 parent ebddb3c
commit 40fd720
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/system/security/cryptohelper/cryptocommon.hpp b/system/security/cryptohelper/cryptocommon.hpp
@@ -46,14 +46,20 @@ inline void voidSSLCTXfree(SSL_CTX *ctx)
     if (ctx)
         SSL_CTX_free(ctx);
 }
+inline void voidX509StoreFree(X509_STORE *store)
+{
+    if (store)
+        X509_STORE_free(store);
+}
 inline void voidX509StkPopFree(STACK_OF(X509_INFO) *infoStk)
 {
     if (infoStk)
         sk_X509_INFO_pop_free(infoStk, X509_INFO_free);
 }
 
-typedef OwnedPtrCustomFree<STACK_OF(X509_INFO), voidX509StkPopFree> OwnedX509Stkptr;
-typedef OwnedPtrCustomFree<SSL_CTX, voidSSLCTXfree> OwnedSSLCTXptr;
+typedef OwnedPtrCustomFree<X509_STORE, voidX509StoreFree> OwnedX509Store;
+typedef OwnedPtrCustomFree<STACK_OF(X509_INFO), voidX509StkPopFree> OwnedX509StkPtr;
+typedef OwnedPtrCustomFree<SSL_CTX, voidSSLCTXfree> OwnedSSLCTX;
 typedef OwnedPtrCustomFree<BIO, voidBIOfree> OwnedEVPBio;
 typedef OwnedPtrCustomFree<EVP_PKEY, EVP_PKEY_free> OwnedEVPPkey;
 typedef OwnedPtrCustomFree<EVP_PKEY_CTX, EVP_PKEY_CTX_free> OwnedEVPPkeyCtx;

diff --git a/system/security/securesocket/securesocket.cpp b/system/security/securesocket/securesocket.cpp
@@ -1188,7 +1188,7 @@ static bool useCertificateChainPEMBuffer(SSL_CTX *ctx, const char *certBuf, int
     if (!cbio)
         return false;
 
-    OwnedX509Stkptr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
+    OwnedX509StkPtr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
     if (!infoStk)
         return false;
 
@@ -1242,11 +1242,13 @@ static bool setVerifyCertsPEMBuffer(SSL_CTX *ctx, const char *caCertBuf, int caC
     if (!cbio)
         return false;
 
-    OwnedX509Stkptr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
-    if (!infoStk)
+    OwnedX509Store store(X509_STORE_new());
+    if (!store)
         return false;
 
-    X509_STORE *store = SSL_CTX_get_cert_store(ctx);
+    OwnedX509StkPtr infoStk(PEM_X509_INFO_read_bio(cbio, NULL, NULL, NULL));
+    if (!infoStk)
+        return false;
 
     X509_INFO *infoVal;
     for (int i = 0; i < sk_X509_INFO_num(infoStk); i++)
@@ -1261,13 +1263,15 @@ static bool setVerifyCertsPEMBuffer(SSL_CTX *ctx, const char *caCertBuf, int caC
         }
     }
 
+    SSL_CTX_set_cert_store(ctx, store.getClear());
+
     return true;
 }
 
 class CSecureSocketContext : public CInterfaceOf<ISecureSocketContext>
 {
 private:
-    OwnedSSLCTXptr m_ctx;
+    OwnedSSLCTX m_ctx;
 #if (OPENSSL_VERSION_NUMBER > 0x00909000L) 
     const SSL_METHOD* m_meth = nullptr;
 #else