From b9d447908089bce8434766c4ff41144aee7e0865 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Fri, 8 Feb 2019 07:19:04 +0000
Subject: [PATCH] Correct compile-time guards for ssl_clear_peer_cert()

It is used in `mbedtls_ssl_session_free()` under `MBEDTLS_X509_CRT_PARSE_C`, but defined only if `MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED`.

Issue #2422 tracks the use of `MBEDTLS_KEY_EXCHANGE__WITH_CERT_ENABLED` instead of `MBEDTLS_X509_CRT_PARSE_C` for code and fields related to CRT-based ciphersuites.
---
 library/ssl_tls.c | 44 +++++++++++++++++++++++---------------------
 1 file changed, 23 insertions(+), 21 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index df5e03649..b75101b25 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5570,6 +5570,29 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
     return( 0 );
 }
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
+{
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    if( session->peer_cert != NULL )
+    {
+        mbedtls_x509_crt_free( session->peer_cert );
+        mbedtls_free( session->peer_cert );
+        session->peer_cert = NULL;
+    }
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    if( session->peer_cert_digest != NULL )
+    {
+        /* Zeroization is not necessary. */
+        mbedtls_free( session->peer_cert_digest );
+        session->peer_cert_digest = NULL;
+        session->peer_cert_digest_type = MBEDTLS_MD_NONE;
+        session->peer_cert_digest_len = 0;
+    }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
 /*
  * Handshake functions
  */
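Review bot: The relocated ssl_clear_peer_cert() still has no comment stating its contract, and under the new `#if defined(MBEDTLS_X509_CRT_PARSE_C)` guard it is compiled into every certificate-parsing build rather than only certificate-based key-exchange builds, so a short header above the `static void` line would help: `/* Release the peer certificate (or, without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE, its digest) held in session and null the pointer, so a repeated call or a later free of the session is a no-op. */`. Nulling peer_cert / peer_cert_digest after freeing is what keeps session cleanup double-free-safe, and that is worth stating explicitly now that the function serves the generic session-free path named in the commit message. In the digest branch, peer_cert_digest_type and peer_cert_digest_len are reset only inside the `if`; moving those two assignments after the `if` would make the post-state independent of the input, though whether a NULL digest with stale type/len can actually occur is not visible in this hunk.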
@@ -5773,27 +5796,6 @@ static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
 
-static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
-{
-#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
-    if( session->peer_cert != NULL )
-    {
-        mbedtls_x509_crt_free( session->peer_cert );
-        mbedtls_free( session->peer_cert );
-        session->peer_cert = NULL;
-    }
-#else
-    if( session->peer_cert_digest != NULL )
-    {
-        /* Zeroization is not necessary. */
-        mbedtls_free( session->peer_cert_digest );
-        session->peer_cert_digest = NULL;
-        session->peer_cert_digest_type = MBEDTLS_MD_NONE;
-        session->peer_cert_digest_len = 0;
-    }
-#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
-}
-
 /*
  * Once the certificate message is read, parse it into a cert chain and
  * perform basic checks, but leave actual verification to the caller