Correct compile-time guards for ssl_clear_peer_cert()

It is used in `mbedtls_ssl_session_free()` under `MBEDTLS_X509_CRT_PARSE_C`, but defined only if `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED`. Issue #2422 tracks the use of `MBEDTLS_KEY_EXCHANGE__WITH_CERT_ENABLED` instead of `MBEDTLS_X509_CRT_PARSE_C` for code and fields related to CRT-based ciphersuites.
2024-10-19 02:21:27 +00:00 · 2019-02-08 07:19:04 +00:00 · 2019-02-08 07:19:04 +00:00 · b9d4479080
parent e31505d64e
commit b9d4479080
1 changed files with 23 additions and 21 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -5570,6 +5570,29 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
    return( 0 );
 }

+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
+{
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if( session->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( session->peer_cert );
+        mbedtls_free( session->peer_cert );
+        session->peer_cert = NULL;
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if( session->peer_cert_digest != NULL )
+    {
+        /* Zeroization is not necessary. */
+        mbedtls_free( session->peer_cert_digest );
+        session->peer_cert_digest      = NULL;
+        session->peer_cert_digest_type = MBEDTLS_MD_NONE;
+        session->peer_cert_digest_len  = 0;
+    }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
 /*
 * Handshake functions
 */
@ -5773,27 +5796,6 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */

-static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
-{
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-    if( session->peer_cert != NULL )
-    {
-        mbedtls_x509_crt_free( session->peer_cert );
-        mbedtls_free( session->peer_cert );
-        session->peer_cert = NULL;
-    }
-#else
-    if( session->peer_cert_digest != NULL )
-    {
-        /* Zeroization is not necessary. */
-        mbedtls_free( session->peer_cert_digest );
-        session->peer_cert_digest      = NULL;
-        session->peer_cert_digest_type = MBEDTLS_MD_NONE;
-        session->peer_cert_digest_len  = 0;
-    }
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-}
-
 /*
 * Once the certificate message is read, parse it into a cert chain and
 * perform basic checks, but leave actual verification to the caller