mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 13:35:28 +00:00
Remove peer CRT from mbedtls_ssl_session if !KEEP_PEER_CERT
This commit is contained in:
parent
4a2f8e584f
commit
2e6d34761f
|
@ -851,14 +851,15 @@ struct mbedtls_ssl_session
|
|||
unsigned char master[48]; /*!< the master secret */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
/*! The digest of the peer's end-CRT. This must be kept to detect CRT
|
||||
* changes during renegotiation, mitigating the triple handshake attack. */
|
||||
unsigned char *peer_cert_digest;
|
||||
size_t peer_cert_digest_len;
|
||||
mbedtls_md_type_t peer_cert_digest_type;
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
uint32_t verify_result; /*!< verification result */
|
||||
|
||||
|
|
|
@ -70,7 +70,8 @@ struct mbedtls_ssl_cache_entry
|
|||
mbedtls_time_t timestamp; /*!< entry timestamp */
|
||||
#endif
|
||||
mbedtls_ssl_session session; /*!< entry session */
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
mbedtls_x509_buf peer_cert; /*!< entry peer_cert */
|
||||
#endif
|
||||
mbedtls_ssl_cache_entry *next; /*!< chain pointer */
|
||||
|
|
|
@ -100,7 +100,8 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/*
|
||||
* Restore peer certificate (without rest of the original chain)
|
||||
*/
|
||||
|
@ -127,7 +128,7 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
|||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
ret = 0;
|
||||
goto exit;
|
||||
|
@ -247,7 +248,8 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
|||
#endif
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/*
|
||||
* If we're reusing an entry, free its certificate first
|
||||
*/
|
||||
|
@ -256,7 +258,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
|||
mbedtls_free( cur->peer_cert.p );
|
||||
memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
/* Copy the entire session; this temporarily makes a copy of the
|
||||
* X.509 CRT structure even though we only want to store the raw CRT.
|
||||
|
@ -270,7 +272,8 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
|||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/* If present, free the X.509 structure and only store the raw CRT data. */
|
||||
if( cur->session.peer_cert != NULL )
|
||||
{
|
||||
|
@ -291,7 +294,7 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
|||
mbedtls_free( cur->session.peer_cert );
|
||||
cur->session.peer_cert = NULL;
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
ret = 0;
|
||||
|
||||
|
@ -333,9 +336,10 @@ void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
|
|||
|
||||
mbedtls_ssl_session_free( &prv->session );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
mbedtls_free( prv->peer_cert.p );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
mbedtls_free( prv );
|
||||
}
|
||||
|
|
|
@ -9104,7 +9104,9 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
|||
uint64_t start;
|
||||
#endif
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
size_t cert_len;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
|
@ -9175,6 +9177,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
|||
* Peer's end-entity certificate
|
||||
*/
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
if( session->peer_cert == NULL )
|
||||
cert_len = 0;
|
||||
else
|
||||
|
@ -9195,8 +9198,8 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
|||
}
|
||||
}
|
||||
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
/* Digest of peer certificate */
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
if( session->peer_cert_digest != NULL )
|
||||
{
|
||||
used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
|
||||
|
@ -9295,8 +9298,10 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||
uint64_t start;
|
||||
#endif
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
size_t cert_len;
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#endif
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Check version identifier
|
||||
|
@ -9359,10 +9364,11 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||
/* Immediately clear invalid pointer values that have been read, in case
|
||||
* we exit early before we replaced them with valid ones. */
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
session->peer_cert = NULL;
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
#else
|
||||
session->peer_cert_digest = NULL;
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
session->ticket = NULL;
|
||||
|
@ -9372,6 +9378,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||
* Peer certificate
|
||||
*/
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
if( 3 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
|
@ -9407,8 +9414,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||
|
||||
p += cert_len;
|
||||
}
|
||||
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
#else /* defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
/* Deserialize CRT digest from the end of the ticket. */
|
||||
if( 2 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
|
|
@ -311,14 +311,14 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
|
|||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
|
||||
session->peer_cert_digest_len =
|
||||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
/* Move temporary CRT. */
|
||||
session->peer_cert = mbedtls_calloc( 1, sizeof( *session->peer_cert ) );
|
||||
if( session->peer_cert == NULL )
|
||||
return( -1 );
|
||||
*session->peer_cert = tmp_crt;
|
||||
memset( &tmp_crt, 0, sizeof( tmp_crt ) );
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
mbedtls_x509_crt_free( &tmp_crt );
|
||||
}
|
||||
|
@ -706,6 +706,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
|||
restored.master, sizeof( original.master ) ) == 0 );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
TEST_ASSERT( ( original.peer_cert == NULL ) ==
|
||||
( restored.peer_cert == NULL ) );
|
||||
if( original.peer_cert != NULL )
|
||||
|
@ -716,7 +717,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
|||
restored.peer_cert->raw.p,
|
||||
original.peer_cert->raw.len ) == 0 );
|
||||
}
|
||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
TEST_ASSERT( original.peer_cert_digest_type ==
|
||||
restored.peer_cert_digest_type );
|
||||
TEST_ASSERT( original.peer_cert_digest_len ==
|
||||
|
|
Loading…
Reference in a new issue