commit c966bd16beb036a2c73b685aed16e82c197ebab6
author Hanno Becker <hanno.becker@arm.com> Wed Feb 06 15:40:27 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Tue Feb 26 14:38:09 2019 +0000
tree cd1bbf163ad18269e653af131aa5b4169dd59c9f
parent c5fcbb33c0a6ca1de75a5942a4b3d1d9296f67e7

Remove peer CRT from tickets if !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

library/ssl_ticket.c

diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index ef9f7e1..e4054b4 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -187,11 +187,16 @@
 
 /*
  * Serialize a session in the following format:
- *  0       .   n-1     session structure, n = sizeof(mbedtls_ssl_session)
- *  n       .   n+2     peer_cert length = m (0 if no certificate)
- *  n+3     .   n+2+m   peer cert ASN.1
- *  n+3+m   .   n+3+m   length of peer certificate digest = k (0 if n digest)
- *  n+4+m   .   n+4+k   peer certificate digest (digest type encoded in session)
+ *
+ * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled:
+ *    0       .   n-1   session structure, n = sizeof(mbedtls_ssl_session)
+ *    n       .   n+2   peer_cert length = m (0 if no certificate)
+ *    n+3     .   n+2+m peer cert ASN.1
+ *
+ * - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled:
+ *    0       .   n-1   session structure, n = sizeof(mbedtls_ssl_session)
+ *    n       .   n     length of peer certificate digest = k (0 if n digest)
+ *    n+1     .   n+k   peer certificate digest (digest type encoded in session)
  */
 static int ssl_save_session( const mbedtls_ssl_session *session,
                              unsigned char *buf, size_t buf_len,
@@ -200,8 +205,9 @@
     unsigned char *p = buf;
     size_t left = buf_len;
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     size_t cert_len;
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else
     size_t cert_digest_len;
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -217,6 +223,7 @@
     left -= sizeof( mbedtls_ssl_session );
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     if( session->peer_cert == NULL )
         cert_len = 0;
     else
@@ -235,8 +242,7 @@
 
     p += cert_len;
     left -= cert_len;
-
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     if( session->peer_cert_digest != NULL )
         cert_digest_len = 0;
     else
@@ -270,8 +276,9 @@
     const unsigned char *p = buf;
     const unsigned char * const end = buf + len;
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     size_t cert_len;
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else
     size_t cert_digest_len;
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -295,6 +302,7 @@
 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
     /* Deserialize CRT from the end of the ticket. */
     if( 3 > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@@ -327,7 +335,7 @@
 
         p += cert_len;
     }
-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     /* Deserialize CRT digest from the end of the ticket. */
     if( 1 > (size_t)( end - p ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );