mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-11 07:35:40 +00:00
Remove peer CRT from mbedtls_ssl_session if !KEEP_PEER_CERT
This commit is contained in:
parent
4a2f8e584f
commit
2e6d34761f
|
@ -851,14 +851,15 @@ struct mbedtls_ssl_session
|
||||||
unsigned char master[48]; /*!< the master secret */
|
unsigned char master[48]; /*!< the master secret */
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */
|
mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
/*! The digest of the peer's end-CRT. This must be kept to detect CRT
|
/*! The digest of the peer's end-CRT. This must be kept to detect CRT
|
||||||
* changes during renegotiation, mitigating the triple handshake attack. */
|
* changes during renegotiation, mitigating the triple handshake attack. */
|
||||||
unsigned char *peer_cert_digest;
|
unsigned char *peer_cert_digest;
|
||||||
size_t peer_cert_digest_len;
|
size_t peer_cert_digest_len;
|
||||||
mbedtls_md_type_t peer_cert_digest_type;
|
mbedtls_md_type_t peer_cert_digest_type;
|
||||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
uint32_t verify_result; /*!< verification result */
|
uint32_t verify_result; /*!< verification result */
|
||||||
|
|
||||||
|
|
|
@ -70,7 +70,8 @@ struct mbedtls_ssl_cache_entry
|
||||||
mbedtls_time_t timestamp; /*!< entry timestamp */
|
mbedtls_time_t timestamp; /*!< entry timestamp */
|
||||||
#endif
|
#endif
|
||||||
mbedtls_ssl_session session; /*!< entry session */
|
mbedtls_ssl_session session; /*!< entry session */
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
mbedtls_x509_buf peer_cert; /*!< entry peer_cert */
|
mbedtls_x509_buf peer_cert; /*!< entry peer_cert */
|
||||||
#endif
|
#endif
|
||||||
mbedtls_ssl_cache_entry *next; /*!< chain pointer */
|
mbedtls_ssl_cache_entry *next; /*!< chain pointer */
|
||||||
|
|
|
@ -100,7 +100,8 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
/*
|
/*
|
||||||
* Restore peer certificate (without rest of the original chain)
|
* Restore peer certificate (without rest of the original chain)
|
||||||
*/
|
*/
|
||||||
|
@ -127,7 +128,7 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
goto exit;
|
goto exit;
|
||||||
|
@ -247,7 +248,8 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
/*
|
/*
|
||||||
* If we're reusing an entry, free its certificate first
|
* If we're reusing an entry, free its certificate first
|
||||||
*/
|
*/
|
||||||
|
@ -256,7 +258,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
||||||
mbedtls_free( cur->peer_cert.p );
|
mbedtls_free( cur->peer_cert.p );
|
||||||
memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
|
memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
/* Copy the entire session; this temporarily makes a copy of the
|
/* Copy the entire session; this temporarily makes a copy of the
|
||||||
* X.509 CRT structure even though we only want to store the raw CRT.
|
* X.509 CRT structure even though we only want to store the raw CRT.
|
||||||
|
@ -270,7 +272,8 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
/* If present, free the X.509 structure and only store the raw CRT data. */
|
/* If present, free the X.509 structure and only store the raw CRT data. */
|
||||||
if( cur->session.peer_cert != NULL )
|
if( cur->session.peer_cert != NULL )
|
||||||
{
|
{
|
||||||
|
@ -291,7 +294,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
||||||
mbedtls_free( cur->session.peer_cert );
|
mbedtls_free( cur->session.peer_cert );
|
||||||
cur->session.peer_cert = NULL;
|
cur->session.peer_cert = NULL;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
ret = 0;
|
ret = 0;
|
||||||
|
|
||||||
|
@ -333,9 +336,10 @@ void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
|
||||||
|
|
||||||
mbedtls_ssl_session_free( &prv->session );
|
mbedtls_ssl_session_free( &prv->session );
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
mbedtls_free( prv->peer_cert.p );
|
mbedtls_free( prv->peer_cert.p );
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
mbedtls_free( prv );
|
mbedtls_free( prv );
|
||||||
}
|
}
|
||||||
|
|
|
@ -9104,7 +9104,9 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
||||||
uint64_t start;
|
uint64_t start;
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
size_t cert_len;
|
size_t cert_len;
|
||||||
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -9175,6 +9177,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
||||||
* Peer's end-entity certificate
|
* Peer's end-entity certificate
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
if( session->peer_cert == NULL )
|
if( session->peer_cert == NULL )
|
||||||
cert_len = 0;
|
cert_len = 0;
|
||||||
else
|
else
|
||||||
|
@ -9195,8 +9198,8 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
/* Digest of peer certificate */
|
/* Digest of peer certificate */
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
|
||||||
if( session->peer_cert_digest != NULL )
|
if( session->peer_cert_digest != NULL )
|
||||||
{
|
{
|
||||||
used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
|
used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
|
||||||
|
@ -9295,8 +9298,10 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||||
uint64_t start;
|
uint64_t start;
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
size_t cert_len;
|
size_t cert_len;
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check version identifier
|
* Check version identifier
|
||||||
|
@ -9359,10 +9364,11 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||||
/* Immediately clear invalid pointer values that have been read, in case
|
/* Immediately clear invalid pointer values that have been read, in case
|
||||||
* we exit early before we replaced them with valid ones. */
|
* we exit early before we replaced them with valid ones. */
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
session->peer_cert = NULL;
|
session->peer_cert = NULL;
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
#else
|
||||||
session->peer_cert_digest = NULL;
|
session->peer_cert_digest = NULL;
|
||||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||||
session->ticket = NULL;
|
session->ticket = NULL;
|
||||||
|
@ -9372,6 +9378,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||||
* Peer certificate
|
* Peer certificate
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
if( 3 > (size_t)( end - p ) )
|
if( 3 > (size_t)( end - p ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
@ -9407,8 +9414,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||||
|
|
||||||
p += cert_len;
|
p += cert_len;
|
||||||
}
|
}
|
||||||
|
#else /* defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
|
||||||
/* Deserialize CRT digest from the end of the ticket. */
|
/* Deserialize CRT digest from the end of the ticket. */
|
||||||
if( 2 > (size_t)( end - p ) )
|
if( 2 > (size_t)( end - p ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
|
@ -311,14 +311,14 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
|
||||||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
|
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
|
||||||
session->peer_cert_digest_len =
|
session->peer_cert_digest_len =
|
||||||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
|
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
|
||||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
/* Move temporary CRT. */
|
/* Move temporary CRT. */
|
||||||
session->peer_cert = mbedtls_calloc( 1, sizeof( *session->peer_cert ) );
|
session->peer_cert = mbedtls_calloc( 1, sizeof( *session->peer_cert ) );
|
||||||
if( session->peer_cert == NULL )
|
if( session->peer_cert == NULL )
|
||||||
return( -1 );
|
return( -1 );
|
||||||
*session->peer_cert = tmp_crt;
|
*session->peer_cert = tmp_crt;
|
||||||
memset( &tmp_crt, 0, sizeof( tmp_crt ) );
|
memset( &tmp_crt, 0, sizeof( tmp_crt ) );
|
||||||
|
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
mbedtls_x509_crt_free( &tmp_crt );
|
mbedtls_x509_crt_free( &tmp_crt );
|
||||||
}
|
}
|
||||||
|
@ -706,6 +706,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
||||||
restored.master, sizeof( original.master ) ) == 0 );
|
restored.master, sizeof( original.master ) ) == 0 );
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
TEST_ASSERT( ( original.peer_cert == NULL ) ==
|
TEST_ASSERT( ( original.peer_cert == NULL ) ==
|
||||||
( restored.peer_cert == NULL ) );
|
( restored.peer_cert == NULL ) );
|
||||||
if( original.peer_cert != NULL )
|
if( original.peer_cert != NULL )
|
||||||
|
@ -716,7 +717,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
||||||
restored.peer_cert->raw.p,
|
restored.peer_cert->raw.p,
|
||||||
original.peer_cert->raw.len ) == 0 );
|
original.peer_cert->raw.len ) == 0 );
|
||||||
}
|
}
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
TEST_ASSERT( original.peer_cert_digest_type ==
|
TEST_ASSERT( original.peer_cert_digest_type ==
|
||||||
restored.peer_cert_digest_type );
|
restored.peer_cert_digest_type );
|
||||||
TEST_ASSERT( original.peer_cert_digest_len ==
|
TEST_ASSERT( original.peer_cert_digest_len ==
|
||||||
|
|
Loading…
Reference in a new issue