authorHanno Becker <hanno.becker@arm.com>2019-02-06 15:40:27 +0000
committerHanno Becker <hanno.becker@arm.com>2019-02-26 14:38:09 +0000
commitc966bd16beb036a2c73b685aed16e82c197ebab6 (patch)
treecd1bbf163ad18269e653af131aa5b4169dd59c9f
parentc5fcbb33c0a6ca1de75a5942a4b3d1d9296f67e7 (diff)
Remove peer CRT from tickets if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
-rw-r--r--library/ssl_ticket.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index ef9f7e1..e4054b4 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -187,11 +187,16 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
/*
* Serialize a session in the following format:
- * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
- * n . n+2 peer_cert length = m (0 if no certificate)
- * n+3 . n+2+m peer cert ASN.1
- * n+3+m . n+3+m length of peer certificate digest = k (0 if n digest)
- * n+4+m . n+4+k peer certificate digest (digest type encoded in session)
+ *
+ * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled:
+ * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
+ * n . n+2 peer_cert length = m (0 if no certificate)
+ * n+3 . n+2+m peer cert ASN.1
+ *
+ * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled:
+ * 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
+ * n . n length of peer certificate digest = k (0 if n digest)
+ * n+1 . n+k peer certificate digest (digest type encoded in session)
*/
static int ssl_save_session( const mbedtls_ssl_session *session,
unsigned char *buf, size_t buf_len,
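Review bot: The new format comment carries over the typo "0 if n digest" on the digest-length line of the !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE layout; since this block is now the only description of the on-ticket layout readers of ssl_load_session will consult, it should read ` * n . n length of peer certificate digest = k (0 if no digest)`. The ssl_save_session signature continues past the hunk.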
@@ -200,8 +205,9 @@ static int ssl_save_session( const mbedtls_ssl_session *session,
unsigned char *p = buf;
size_t left = buf_len;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
size_t cert_len;
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else
size_t cert_digest_len;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -217,6 +223,7 @@ static int ssl_save_session( const mbedtls_ssl_session *session,
left -= sizeof( mbedtls_ssl_session );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
if( session->peer_cert == NULL )
cert_len = 0;
else
@@ -235,8 +242,7 @@ static int ssl_save_session( const mbedtls_ssl_session *session,
p += cert_len;
left -= cert_len;
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( session->peer_cert_digest != NULL )
cert_digest_len = 0;
else
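Review bot: The condition that feeds cert_digest_len in the new #else branch looks inverted: `if( session->peer_cert_digest != NULL ) cert_digest_len = 0;` sets the serialised digest length to zero exactly when a digest is present, whereas the MBEDTLS_SSL_KEEP_PEER_CERTIFICATE branch a few lines up uses `if( session->peer_cert == NULL ) cert_len = 0;`. The else branch is outside the hunk, but if it reads the digest length and copies from peer_cert_digest, a session without a digest would be serialised with a non-zero length and a NULL source, and a session with a digest would be written as having none, so the ticket would not round-trip through ssl_load_session. The line should presumably be `if( session->peer_cert_digest == NULL )`; worth confirming against the lines that follow, and the builds that exercise this path are the ones with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled, so a ticket round-trip test in that configuration would catch it.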
@@ -270,8 +276,9 @@ static int ssl_load_session( mbedtls_ssl_session *session,
const unsigned char *p = buf;
const unsigned char * const end = buf + len;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
size_t cert_len;
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else
size_t cert_digest_len;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -295,6 +302,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* Deserialize CRT from the end of the ticket. */
if( 3 > (size_t)( end - p ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -327,7 +335,7 @@ static int ssl_load_session( mbedtls_ssl_session *session,
p += cert_len;
}
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/* Deserialize CRT digest from the end of the ticket. */
if( 1 > (size_t)( end - p ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );