commit 2e6d34761fde536def4420908dc1b9e9e0eceb5a
author Hanno Becker <hanno.becker@arm.com> Wed Feb 06 15:40:27 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Wed Jun 19 10:25:01 2019 +0100
tree 11c20485688a2216b62cedab90f1f9e04d517613
parent 4a2f8e584f38c268db5d469655062eef7733c69f

Remove peer CRT from mbedtls_ssl_session if !KEEP_PEER_CERT

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 5df5eb1..0e5c1fe 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -851,14 +851,15 @@
     unsigned char master[48];   /*!< the master secret  */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     mbedtls_x509_crt *peer_cert;       /*!< peer X.509 cert chain */
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     /*! The digest of the peer's end-CRT. This must be kept to detect CRT
      *  changes during renegotiation, mitigating the triple handshake attack. */
     unsigned char *peer_cert_digest;
     size_t peer_cert_digest_len;
     mbedtls_md_type_t peer_cert_digest_type;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
     uint32_t verify_result;          /*!<  verification result     */