Correct compile-time guards for ssl_clear_peer_cert()
It is used in `mbedtls_ssl_session_free()` under `MBEDTLS_X509_CRT_PARSE_C`, but was defined only under `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED`. Issue #2422 tracks the use of `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED` instead of `MBEDTLS_X509_CRT_PARSE_C` for code and fields related to CRT-based ciphersuites.
This commit is contained in:
parent
e31505d64e
commit
b9d4479080
1 changed files with 23 additions and 21 deletions
|
@ -5570,6 +5570,29 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
if( session->peer_cert != NULL )
|
||||
{
|
||||
mbedtls_x509_crt_free( session->peer_cert );
|
||||
mbedtls_free( session->peer_cert );
|
||||
session->peer_cert = NULL;
|
||||
}
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
if( session->peer_cert_digest != NULL )
|
||||
{
|
||||
/* Zeroization is not necessary. */
|
||||
mbedtls_free( session->peer_cert_digest );
|
||||
session->peer_cert_digest = NULL;
|
||||
session->peer_cert_digest_type = MBEDTLS_MD_NONE;
|
||||
session->peer_cert_digest_len = 0;
|
||||
}
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
/*
|
||||
* Handshake functions
|
||||
*/
|
||||
|
@ -5773,27 +5796,6 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
|
|||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
|
||||
|
||||
static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
if( session->peer_cert != NULL )
|
||||
{
|
||||
mbedtls_x509_crt_free( session->peer_cert );
|
||||
mbedtls_free( session->peer_cert );
|
||||
session->peer_cert = NULL;
|
||||
}
|
||||
#else
|
||||
if( session->peer_cert_digest != NULL )
|
||||
{
|
||||
/* Zeroization is not necessary. */
|
||||
mbedtls_free( session->peer_cert_digest );
|
||||
session->peer_cert_digest = NULL;
|
||||
session->peer_cert_digest_type = MBEDTLS_MD_NONE;
|
||||
session->peer_cert_digest_len = 0;
|
||||
}
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
}
|
||||
|
||||
/*
|
||||
* Once the certificate message is read, parse it into a cert chain and
|
||||
* perform basic checks, but leave actual verification to the caller
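Review bot: The relocated `ssl_clear_peer_cert()` in the first hunk (the definition now under `#if defined(MBEDTLS_X509_CRT_PARSE_C)`) has no header comment, so a reader cannot tell from the hunk what state it leaves in the session or why the digest branch skips zeroization. I would add above the signature: `/* Release the peer certificate (or, without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, its digest) held in the session and reset the related fields; safe to call on a session whose peer data is already NULL. */` and extend the bare `/* Zeroization is not necessary. */` with the reason — presumably because the digest is computed over the peer's public certificate, which should be confirmed before writing it down. The new `MBEDTLS_X509_CRT_PARSE_C` guard is wider than the `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED` guard the old definition in the second hunk had, so a build with `MBEDTLS_X509_CRT_PARSE_C` set but no caller compiled in would make this `static` function trigger an unused-function warning; the commit message says `mbedtls_ssl_session_free()` calls it under the same guard, which lies outside this diff and is worth verifying.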
|
||||
|
|