mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-25 15:25:27 +00:00
5882dd0856
If `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is not set, `mbedtls_ssl_session` contains the digest of the peer's certificate for the sole purpose of detecting a CRT change on renegotiation. Hence, it is not needed if renegotiation is disabled. This commit removes the `peer_cert_digest` fields (and friends) from `mbedtls_ssl_session` if `!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + !MBEDTLS_SSL_RENEGOTIATION`, which is a sensible configuration for constrained devices. Apart from straightforward replacements of `if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)` by `if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \ defined(MBEDTLS_SSL_RENEGOTIATION)`, there's one notable change: On the server-side, the CertificateVerify parsing function is a no-op if the client hasn't sent a certificate. So far, this was determined by either looking at the peer CRT or the peer CRT digest in the SSL session structure (depending on the setting of `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE`), which now no longer works if `MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` is unset. Instead, this function now checks whether the temporary copy of the peer's public key within the handshake structure is initialized or not (which is also a beneficial simplification in its own right, because the pubkey is all the function needs anyway). |
||
---|---|---|
.. | ||
mbedtls | ||
tinycrypt | ||
.gitignore | ||
CMakeLists.txt |