Clear peer's CRT chain outside before parsing new one
If an attempt for session resumption fails, the `session_negotiate` structure might be partially filled, and in particular already contain a peer certificate structure. This certificate structure needs to be freed before parsing the certificate sent in the `Certificate` message. This commit moves the code-path taking care of this from the helper function `ssl_parse_certificate_chain()`, whose purpose should be parsing only, to the top-level handler `mbedtls_ssl_parse_certificate()`. The fact that we don't know the state of `ssl->session_negotiate` after a failed attempt for session resumption is undesirable, and a separate issue #2414 has been opened to improve on this.
This commit is contained in:
parent
4a55f638e2
commit
7a955a043e
1 changed files with 3 additions and 3 deletions
|
@ -5798,9 +5798,6 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
|
||||||
/* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
|
/* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
|
||||||
i += 3;
|
i += 3;
|
||||||
|
|
||||||
/* In case we tried to reuse a session but it failed. */
|
|
||||||
ssl_clear_peer_cert( ssl->session_negotiate );
|
|
||||||
|
|
||||||
/* Iterate through and parse the CRTs in the provided chain. */
|
/* Iterate through and parse the CRTs in the provided chain. */
|
||||||
while( i < ssl->in_hslen )
|
while( i < ssl->in_hslen )
|
||||||
{
|
{
|
||||||
|
@ -6038,6 +6035,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_SRV_C */
|
#endif /* MBEDTLS_SSL_SRV_C */
|
||||||
|
|
||||||
|
/* In case we tried to reuse a session but it failed. */
|
||||||
|
ssl_clear_peer_cert( ssl->session_negotiate );
|
||||||
|
|
||||||
if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
|
if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
|
||||||
{
|
{
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
|
|
Loading…
Reference in a new issue