Parse and verify peer CRT chain in local variable `mbedtls_ssl_parse_certificate()` parses the peer's certificate chain directly into the `peer_cert` field of the `mbedtls_ssl_session` structure being established. To allow to optionally remove this field from the session structure, this commit changes this to parse the peer's chain into a local variable instead first, which can then either be freed after CRT verification - in case the chain should not be stored - or mapped to the `peer_cert` if it should be kept. For now, only the latter is implemented.

commit: 3dad311ef02bd98e1a9b388082ec8c1f11bc53fe [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Tue Feb 05 17:19:52 2019 +0000
committer: Hanno Becker <hanno.becker@arm.com> Tue Feb 26 14:38:09 2019 +0000
tree: b50d4a99e893bd64ab73983eb00e0b2075a20611
parent: 177475a3aa5636bd846a9587761b3536c1f4c848 [diff] [blame]
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index e76f4f8..7cd0d1c 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h

@@ -331,6 +331,9 @@
         ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
         ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
     } ecrs_state;                       /*!< current (or last) operation    */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_crt *ecrs_peer_cert;        /*!< The peer's CRT chain.     */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
     size_t ecrs_n;                      /*!< place for saving a length      */
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
commit	3dad311ef02bd98e1a9b388082ec8c1f11bc53fe	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Tue Feb 05 17:19:52 2019 +0000
committer	Hanno Becker <hanno.becker@arm.com>	Tue Feb 26 14:38:09 2019 +0000
tree	b50d4a99e893bd64ab73983eb00e0b2075a20611
parent	177475a3aa5636bd846a9587761b3536c1f4c848 [diff] [blame]