author | Hanno Becker <hanno.becker@arm.com> | 2019-02-05 17:04:00 +0000 |
---|---|---|
committer | Hanno Becker <hanno.becker@arm.com> | 2019-02-26 14:38:09 +0000 |
commit | bb278f52ca2b32fd80966f4c81257c63010e8eee (patch) | |
tree | 4fb39d8f4439dc145794c79a84877d0f88d96e62 | |
parent | 4a82c1ccb416288579b32269ed60c13e53ba94dc (diff) | |
Add configuration option to remove peer CRT after handshake
-rw-r--r-- | include/mbedtls/config.h | 22 | ||||
-rw-r--r-- | include/mbedtls/ssl.h | 8 |
2 files changed, 28 insertions, 2 deletions
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index e6abf24..091ce01 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1355,6 +1355,28 @@
 #define MBEDTLS_SSL_FALLBACK_SCSV
 
 /**
+ * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ *
+ * This option controls the presence of the API mbedtls_ssl_get_peer_cert()
+ * giving access to the peer's certificate after completion of the handshake.
+ *
+ * Unless you need mbedtls_ssl_peer_cert() in your application, it is
+ * recommended to disable this option for reduced RAM usage.
+ *
+ * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
+ * defined, but always returns \c NULL.
+ *
+ * \note This option has no influence on the protection against the
+ * triple handshake attack. Even if it is disabled, Mbed TLS will
+ * still ensure that certificates do not change during renegotiation,
+ * for exaple by keeping a hash of the peer's certificate.
+ *
+ * Comment this macro to disable storing the peer's certificate
+ * after the handshake.
+ */
+#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+
+/**
  * \def MBEDTLS_SSL_HW_RECORD_ACCEL
  *
  * Enable hooking functions in SSL module for hardware acceleration of
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index c4d6605..d736c21 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
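Review bot: The new MBEDTLS_SSL_KEEP_PEER_CERTIFICATE comment in config.h names the accessor two different ways: the first paragraph and the first \note say `mbedtls_ssl_get_peer_cert()`, but the second paragraph says `mbedtls_ssl_peer_cert()`, which is not the function whose documentation this commit updates in ssl.h. That line should read `Unless you need mbedtls_ssl_get_peer_cert() in your application, it is`, and `for exaple` in the triple-handshake note should be `for example`. Because disabling the option makes the accessor always return NULL, the comment would also benefit from one sentence telling integrators that any post-handshake inspection or pinning of the peer certificate has to move into the X.509 verification callback before the macro is commented out.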
@@ -2982,8 +2982,12 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
  * \param ssl The SSL context to use. This must be initialized and setup.
  *
  * \return The current peer certificate, or \c NULL if
- * none is available. It is owned by the SSL context
- * and valid only until the next call to the SSL API.
+ * none is available, which might be because the chosen
+ * ciphersuite does not use peer certificates, or because
+ * #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled.
+ * If this functions does not return \c NULL, the returned
+ * certificate is owned by the SSL context and valid only
+ * until the next call to the SSL API.
  *
  * \note For one-time inspection of the peer's certificate during
  * the handshake, consider registering an X.509 CRT verification |
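Review bot: The rewritten \return text in ssl.h gives two unrelated reasons for a \c NULL result, so a caller can no longer tell "the ciphersuite used no peer certificate" from "the certificate was discarded by build configuration", and the comment does not warn against reading NULL as an authentication outcome. I would add a line such as `\note A \c NULL return says nothing about whether the peer was authenticated; use mbedtls_ssl_get_verify_result() for that.` next to the existing \note about the verification callback. Separately, `If this functions does not return` should be `If this function does not return`. The doc comment this hunk edits begins and ends outside the hunk, so the placement of the extra note needs checking against the full header.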