Fixed bug in mbedtls_conf.cpp & openssl_conf.cpp in client mode.

zhengshuxin · zhengshuxin · commit 76f02f0401da · 2023-06-03T15:09:42.000+08:00
diff --git a/lib_acl_cpp/src/stream/mbedtls_conf.cpp b/lib_acl_cpp/src/stream/mbedtls_conf.cpp
@@ -841,6 +841,7 @@ mbedtls_ssl_config* mbedtls_conf::create_ssl_config(void)
 		MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
 	__ssl_conf_ciphersuites(conf, ciphers_);
 
+	// conf_ will be set to the first one.
 	if (conf_ == NULL) {
 		conf_ = conf;
 	}
@@ -1020,11 +1021,14 @@ bool mbedtls_conf::load_ca(const char* ca_file, const char* ca_path)
 			ca_path, -ret);
 		free_ca();
 		return false;
-	} else {
-		// Setup ca cert
-		__ssl_conf_ca_chain(conf_, cacert_->next, NULL);
-		return true;
 	}
+
+	if (conf_ == NULL) {
+		conf_ = create_ssl_config();
+	}
+	// Setup ca cert
+	__ssl_conf_ca_chain(conf_, cacert_->next, NULL);
+	return true;
 #else
 	(void) ca_file;
 	(void) ca_path;
@@ -1065,7 +1069,16 @@ bool mbedtls_conf::add_cert(const char* crt_file, const char* key_file,
 	} \
 } while (0)
 
-	mbedtls_ssl_config* conf = create_ssl_config();
+	mbedtls_ssl_config* conf;
+	if (server_side_) {
+		conf = create_ssl_config();
+	}
+	// There's only one cert conf in client side mode.
+	else if (conf_) {
+		conf = conf_;
+	} else {
+		conf = conf_ = create_ssl_config();
+	}
 
 	X509_CRT *cert = NULL;
 	PKEY *pkey = NULL;
@@ -1181,12 +1194,17 @@ bool mbedtls_conf::setup_certs(void* ssl)
 		return false;
 	}
 
+	// If the default conf_ null, maybe the load_ca() and add_cert()
+	// didn't called before, so we just create a new one as the default.
+	if (conf_ == NULL) {
+		conf_ = create_ssl_config();
+	}
+
 	int ret = __ssl_setup((mbedtls_ssl_context*) ssl, conf_);
 	if (ret != 0) {
 		logger_error("ssl_setup error:-0x%04x", -ret);
 		return false;
 	}
-
 	return true;
 #else
 	(void) ssl;
diff --git a/lib_acl_cpp/src/stream/openssl_conf.cpp b/lib_acl_cpp/src/stream/openssl_conf.cpp
@@ -553,7 +553,6 @@ openssl_conf::openssl_conf(bool server_side /* false */, int timeout /* 30 */)
 	(void) timeout_;
 	logger_error("HAS_OPENSSL not defined!");
 #endif // HAS_OPENSSL
-
 }
 
 openssl_conf::~openssl_conf(void)
@@ -874,6 +873,9 @@ bool openssl_conf::load_ca(const char* ca_file, const char* /* ca_path */)
 	}
 
 #ifdef HAS_OPENSSL
+	if (ssl_ctx_ == NULL) {
+		create_ssl_ctx();  // ssl_ctx_ will be set in it.
+	}
 	__ssl_ctx_set_verify_depth(ssl_ctx_, 5);
 
 	STACK_OF(X509_NAME)* list = __ssl_load_client_ca(ca_file);
@@ -913,8 +915,14 @@ bool openssl_conf::add_cert(const char* crt_file, const char* key_file,
 	}
 
 #ifdef HAS_OPENSSL
-	SSL_CTX* ctx = create_ssl_ctx();
-
+	SSL_CTX* ctx;
+	if (server_side_) {
+		ctx = create_ssl_ctx();
+	} else if (ssl_ctx_) {
+		ctx = ssl_ctx_;
+	} else {
+		ctx = ssl_ctx_ = create_ssl_ctx();
+	}
 #if 0
 	if (__ssl_ctx_use_cert_chain(ctx, crt_file) != 1) {
 		logger_error("use crt chain file(%s) error", crt_file);
