Add configuration option to remove peer CRT after handshake
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 9fc512e..0ea17fb 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1405,6 +1405,28 @@
 #define MBEDTLS_SSL_FALLBACK_SCSV
 
 /**
+ * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ *
+ * This option controls the presence of the API mbedtls_ssl_get_peer_cert()
+ * giving access to the peer's certificate after completion of the handshake.
+ *
+ * Unless you need mbedtls_ssl_peer_cert() in your application, it is
+ * recommended to disable this option for reduced RAM usage.
+ *
+ * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
+ *       defined, but always returns \c NULL.
+ *
+ * \note This option has no influence on the protection against the
+ *       triple handshake attack. Even if it is disabled, Mbed TLS will
+ *       still ensure that certificates do not change during renegotiation,
+ *       for exaple by keeping a hash of the peer's certificate.
+ *
+ * Comment this macro to disable storing the peer's certificate
+ * after the handshake.
+ */
+#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+
+/**
  * \def MBEDTLS_SSL_HW_RECORD_ACCEL
  *
  * Enable hooking functions in SSL module for hardware acceleration of
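Review bot: The new doc block names the API inconsistently: `mbedtls_ssl_get_peer_cert()` on the first paragraph but `mbedtls_ssl_peer_cert()` in the "Unless you need" sentence, which does not match the function the option actually controls; the second occurrence should read `mbedtls_ssl_get_peer_cert()`. The opening sentence also says the option "controls the presence of the API" while the first \note says the function is still defined and merely returns NULL; suggest `This option controls whether the peer's certificate is kept in the SSL context after the handshake, as returned by mbedtls_ssl_get_peer_cert().` so readers do not expect a link-time failure when the macro is off. "exaple" in the second \note is a typo for "example". Since the option is on by default and the recommendation is to disable it, it would help to state explicitly that applications inspecting the peer certificate after the handshake (for example for pinning) must move that check into the X.509 verification callback before disabling it, rather than discovering a silent NULL at runtime.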
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 5915eae..9ae3ee1 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3240,8 +3240,12 @@
  * \param  ssl     The SSL context to use. This must be initialized and setup.
  *
  * \return         The current peer certificate, or \c NULL if
- *                 none is available. It is owned by the SSL context
- *                 and valid only until the next call to the SSL API.
+ *                 none is available, which might be because the chosen
+ *                 ciphersuite does not use peer certificates, or because
+ *                 #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled.
+ *                 If this functions does not return \c NULL, the returned
+ *                 certificate is owned by the SSL context and valid only
+ *                 until the next call to the SSL API.
  *
  * \note           For one-time inspection of the peer's certificate during
  *                 the handshake, consider registering an X.509 CRT verification
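Review bot: "If this functions does not return \c NULL" in the rewritten \return text has a grammatical slip; it should read `If this function does not return \c NULL, the returned`. The surrounding doc comment belongs to a declaration that starts and ends outside the hunk, so the function name itself is not visible here.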