Samer,

Note: This is not in the EDK2 yet, but in the staging... change [PATCH] to 
[Staging/HTTPS-TLS PATCH] (or something like that per the rules...)

2 questions inline also.

-Jaben

> -----Original Message-----
> From: edk2-devel [mailto:[email protected]] On Behalf Of
> Samer El-Haj-Mahmoud
> Sent: Monday, April 25, 2016 10:15 AM
> To: [email protected]
> Cc: Samer El-Haj-Mahmoud <[email protected]>; Wu, Jiaxin
> <[email protected]>
> Subject: [edk2] [PATCH] CryptoPkg: Fix TLS Lib issue when certificate is added
> to store multiple times
> 
> Removed unnecessary error condition in TLS Lib that would report an
> error if a certificate is being added to the X509_STORE more than once.
> This causes HTTPS to fail on second attempt with the same certificate.
> 
> Contributed-under: TianoCore Contribution Agreement 1.0
> Signed-off-by: Samer El-Haj-Mahmoud <[email protected]>
> Signed-off-by: Thomas Palmer <[email protected]>
> ---
>  CryptoPkg/Library/TlsLib/TlsLib.c | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/CryptoPkg/Library/TlsLib/TlsLib.c
> b/CryptoPkg/Library/TlsLib/TlsLib.c
> index e661375..0818653 100644
> --- a/CryptoPkg/Library/TlsLib/TlsLib.c
> +++ b/CryptoPkg/Library/TlsLib/TlsLib.c
> @@ -2,6 +2,7 @@
>    SSL/TLS Library Wrapper Implementation over OpenSSL.
> 
>  Copyright (c) 2016, Intel Corporation. All rights reserved.<BR>
> +(C) Copyright 2016 Hewlett Packard Enterprise Development LP<BR>
>  This program and the accompanying materials
>  are licensed and made available under the terms and conditions of the BSD
> License
>  which accompanies this distribution.  The full text of the license may be 
> found
> at
> @@ -16,6 +17,7 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY
> KIND, EITHER EXPRESS OR IMPLIED.
> 
>  #include <openssl/ssl.h>
>  #include <openssl/bio.h>
> +#include <openssl/err.h>
> 
>  #define MAX_BUFFER_SIZE   32768
> 
> @@ -1429,6 +1431,7 @@ TlsSetCaCertificate (
>    EFI_STATUS      Status;
>    TLS_CONNECTION  *TlsConn;
>    INTN            Ret;
> +  unsigned long   ErrorCode;
> 
>    BioCert   = NULL;
>    Cert      = NULL;
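Review bot: `unsigned long ErrorCode;` is the only native C type in this declaration list; the neighbouring locals use the EDK2 types `EFI_STATUS`, `TLS_CONNECTION *` and `INTN`. Since ERR_peek_last_error() returns unsigned long the choice is correct, but a short comment saying the type mirrors the OpenSSL error API would stop a later cleanup from "fixing" it to UINTN and changing the width on some targets.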
> @@ -1481,8 +1484,16 @@ TlsSetCaCertificate (
> 
>    Ret = X509_STORE_add_cert (X509Store, Cert);
>    if (Ret != 1) {

[Jaben] do we want to leave hardcoded things like this 1?

> -    Status = EFI_ABORTED;
> -    goto ON_EXIT;
> +    ErrorCode = ERR_peek_last_error ();
> +    //
> +    // Ignore "already in table" errors
> +    //
> +    if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT &&
> +        ERR_GET_REASON (ErrorCode) ==
> X509_R_CERT_ALREADY_IN_HASH_TABLE)) {
> +      Status = EFI_ABORTED;
> +      goto ON_EXIT;
> +    }
> +
>    }
> 
>    X509_STORE_set_flags (
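Review bot: the tolerated branch leaves the error on the OpenSSL error queue. ERR_peek_last_error() only peeks, so after `if (!(ERR_GET_FUNC (ErrorCode) == X509_F_X509_STORE_ADD_CERT && ... X509_R_CERT_ALREADY_IN_HASH_TABLE))` falls through, X509_R_CERT_ALREADY_IN_HASH_TABLE stays queued and any later code that inspects the queue (for example after a failed handshake) will report this stale, already-handled error instead of the real one; call ERR_clear_error () on the ignored path. Related: peeking the last error assumes the failing X509_STORE_add_cert pushed it, so clearing the queue before the call (or draining it with ERR_get_error) would make the check immune to errors left over from earlier operations. The inline comment could also say why duplicates are harmless (the store already holds the certificate). Minor: the empty `+` line before the closing `}` adds trailing whitespace.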

[Jaben] Is there a reason to still change the flags on the cert?

> --
> 2.6.3.windows.1
> 
> _______________________________________________
> edk2-devel mailing list
> [email protected]
> https://lists.01.org/mailman/listinfo/edk2-devel