Parse and verify peer CRT chain in local variable

`mbedtls_ssl_parse_certificate()` parses the peer's certificate chain directly into the `peer_cert` field of the `mbedtls_ssl_session` structure being established. To allow to optionally remove this field from the session structure, this commit changes this to parse the peer's chain into a local variable instead first, which can then either be freed after CRT verification - in case the chain should not be stored - or mapped to the `peer_cert` if it should be kept. For now, only the latter is implemented.
2019-02-05 17:19:52 +00:00 · 2019-02-05 17:19:52 +00:00 · 3dad311ef0
commit 3dad311ef0
parent 177475a3aa
2 changed files with 51 additions and 18 deletions
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -331,6 +331,9 @@ struct mbedtls_ssl_handshake_params
        ssl_ecrs_cke_ecdh_calc_secret,  /*!< ClientKeyExchange: ECDH step 2 */
        ssl_ecrs_crt_vrfy_sign,         /*!< CertificateVerify: pk_sign()   */
    } ecrs_state;                       /*!< current (or last) operation    */
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    mbedtls_x509_crt *ecrs_peer_cert;        /*!< The peer's CRT chain.     */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
    size_t ecrs_n;                      /*!< place for saving a length      */
 #endif
 #if defined(MBEDTLS_SSL_PROTO_DTLS)