Clean up TlsLib so that a new X509 store is created only if needed in TlsNew(),
and its flags are set when it is created, not every time a
certificate is added (in TlsSetCaCertificate)

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Samer El-Haj-Mahmoud <el...@hpe.com>
Signed-off-by: Thomas Palmer <thomas.pal...@hpe.com>
---
 CryptoPkg/Library/TlsLib/TlsLib.c | 41 ++++++++++++++++++++++++++-------------
 1 file changed, 28 insertions(+), 13 deletions(-)

diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c 
b/CryptoPkg/Library/TlsLib/TlsLib.c
index 0818653..b91fee7 100644
--- a/CryptoPkg/Library/TlsLib/TlsLib.c
+++ b/CryptoPkg/Library/TlsLib/TlsLib.c
@@ -130,7 +130,7 @@ TlsInitialize (
   // Loads error strings from both crypto and ssl library.
   //
   SSL_load_error_strings ();
-  
+
   /// OpenSSL_add_all_algorithms();
 
   //
@@ -274,6 +274,7 @@ TlsNew (
   )
 {
   TLS_CONNECTION  *TlsConn;
+  X509_STORE      *X509Store;
 
   TlsConn = NULL;
 
@@ -342,6 +343,28 @@ TlsNew (
   //
   SSL_set_bio (TlsConn->Ssl, TlsConn->InBio, TlsConn->OutBio);
 
+
+  //
+  // Create new X509 store if needed
+  //
+  X509Store = SSL_CTX_get_cert_store (TlsConn->Ssl->ctx);
+  if (X509Store == NULL) {
+    X509Store = X509_STORE_new ();
+    if (X509Store == NULL) {
+      TlsFree ((VOID *) TlsConn);
+      return NULL;
+    }
+    SSL_CTX_set1_verify_cert_store (TlsConn->Ssl->ctx, X509Store);
+    X509_STORE_free (X509Store);
+  }
+
+  //
+  // Set X509_STORE flags used in certificate validation
+  //
+  X509_STORE_set_flags (
+    X509Store,
+    X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
+    );
   return (VOID *) TlsConn;
 }
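Review bot: On the NULL path, `SSL_CTX_set1_verify_cert_store` installs the new store as the context's separate verify store (taking its own reference, which is what balances the following `X509_STORE_free`), but `SSL_CTX_get_cert_store` — used here and again at the `X509Store == NULL` check in the TlsSetCaCertificate hunk — reads the context's cert_store member, which stays NULL, so every later TlsSetCaCertificate call would fail with EFI_ABORTED and the flags would be set on a store that no CA certificate is ever added to. The removed code used `SSL_CTX_set_cert_store (TlsConn->Ssl->ctx, X509Store);`, which hands ownership to the context; restoring that call and dropping the `X509_STORE_free (X509Store);` keeps both lookups on the same store. In practice the branch is probably not reached, since an OpenSSL context normally allocates its cert store at creation, so this is a latent rather than a live failure. Separately, the "Set X509_STORE flags" comment should state the trust consequence, e.g. `// NO_CHECK_TIME: validity period is not checked (presumably no trusted clock in firmware); PARTIAL_CHAIN: any certificate in the store is accepted as a trust anchor`. TlsNew's body begins outside the hunk.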
 
@@ -1473,15 +1496,13 @@ TlsSetCaCertificate (
 
   X509Store = SSL_CTX_get_cert_store(TlsConn->Ssl->ctx);
   if (X509Store == NULL) {
-    X509Store = X509_STORE_new();
-    if (X509Store == NULL) {
       Status = EFI_ABORTED;
       goto ON_EXIT;
-    }
-    
-    SSL_CTX_set_cert_store(TlsConn->Ssl->ctx, X509Store);
   }
 
+  //
+  // Add certificate to X509 store
+  //
   Ret = X509_STORE_add_cert (X509Store, Cert);
   if (Ret != 1) {
     ErrorCode = ERR_peek_last_error ();
@@ -1493,14 +1514,8 @@ TlsSetCaCertificate (
       Status = EFI_ABORTED;
       goto ON_EXIT;
     }
-
   }
-  
-  X509_STORE_set_flags (
-    X509Store, 
-    X509_V_FLAG_PARTIAL_CHAIN | X509_V_FLAG_NO_CHECK_TIME
-    );
-  
+
 ON_EXIT:
   if (BioCert != NULL) {
     BIO_free (BioCert);
-- 
2.6.3.windows.1
