commit 2e6d34761fde536def4420908dc1b9e9e0eceb5a
author Hanno Becker <hanno.becker@arm.com> Wed Feb 06 15:40:27 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Wed Jun 19 10:25:01 2019 +0100
tree 11c20485688a2216b62cedab90f1f9e04d517613
parent 4a2f8e584f38c268db5d469655062eef7733c69f

Remove peer CRT from mbedtls_ssl_session if !KEEP_PEER_CERT

library/ssl_cache.c

diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index f542594..62a0a29 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -100,7 +100,8 @@
             goto exit;
         }
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
         /*
          * Restore peer certificate (without rest of the original chain)
          */
@@ -127,7 +128,7 @@
                 goto exit;
             }
         }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
         ret = 0;
         goto exit;
@@ -247,7 +248,8 @@
 #endif
     }
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     /*
      * If we're reusing an entry, free its certificate first
      */
@@ -256,7 +258,7 @@
         mbedtls_free( cur->peer_cert.p );
         memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
     }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
     /* Copy the entire session; this temporarily makes a copy of the
      * X.509 CRT structure even though we only want to store the raw CRT.
@@ -270,7 +272,8 @@
         goto exit;
     }
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     /* If present, free the X.509 structure and only store the raw CRT data. */
     if( cur->session.peer_cert != NULL )
     {
@@ -291,7 +294,7 @@
         mbedtls_free( cur->session.peer_cert );
         cur->session.peer_cert = NULL;
     }
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
     ret = 0;
 
@@ -333,9 +336,10 @@
 
         mbedtls_ssl_session_free( &prv->session );
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
         mbedtls_free( prv->peer_cert.p );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
         mbedtls_free( prv );
     }

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 5e39579..63b79a6 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -9104,8 +9104,10 @@
     uint64_t start;
 #endif
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     size_t cert_len;
 #endif
+#endif
 
     /*
      * Add version identifier
@@ -9175,6 +9177,7 @@
      * Peer's end-entity certificate
      */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     if( session->peer_cert == NULL )
         cert_len = 0;
     else
@@ -9195,8 +9198,8 @@
         }
     }
 
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     /* Digest of peer certificate */
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     if( session->peer_cert_digest != NULL )
     {
         used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
@@ -9295,8 +9298,10 @@
     uint64_t start;
 #endif
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     size_t cert_len;
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif
+#endif
 
     /*
      * Check version identifier
@@ -9359,10 +9364,11 @@
     /* Immediately clear invalid pointer values that have been read, in case
      * we exit early before we replaced them with valid ones. */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     session->peer_cert = NULL;
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else
     session->peer_cert_digest = NULL;
-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
     session->ticket = NULL;
@@ -9372,6 +9378,7 @@
      * Peer certificate
      */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     if( 3 > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
@@ -9407,8 +9414,7 @@
 
         p += cert_len;
     }
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else /* defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     /* Deserialize CRT digest from the end of the ticket. */
     if( 2 > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );