Simplify session cache implementation via mbedtls_ssl_session_copy()

2025-11-04 04:32:24 -05:00 · 2019-02-06 14:53:19 +00:00 · 2019-02-06 14:53:19 +00:00 · aee8717877
commit aee8717877
parent 52055ae91f
1 changed files with 34 additions and 12 deletions
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@ -40,6 +40,7 @@
 #endif

 #include "mbedtls/ssl_cache.h"
+#include "mbedtls/ssl_internal.h"

 #include <string.h>

@ -92,9 +93,12 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
                    entry->session.id_len ) != 0 )
            continue;

-        memcpy( session->master, entry->session.master, 48 );
-
-        session->verify_result = entry->session.verify_result;
+        ret = mbedtls_ssl_session_copy( session, &entry->session );
+        if( ret != 0 )
+        {
+            ret = 1;
+            goto exit;
+        }

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
        /*
@ -102,6 +106,10 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
         */
        if( entry->peer_cert.p != NULL )
        {
+            /* `session->peer_cert` is NULL after the call to
+             * mbedtls_ssl_session_copy(), because cache entries
+             * have the `peer_cert` field set to NULL. */
+
            if( ( session->peer_cert = mbedtls_calloc( 1,
                                 sizeof(mbedtls_x509_crt) ) ) == NULL )
            {
@ -239,8 +247,6 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
 #endif
    }

-    memcpy( &cur->session, session, sizeof( mbedtls_ssl_session ) );
-
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
    /*
     * If we're reusing an entry, free its certificate first
@ -250,23 +256,39 @@ int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
        mbedtls_free( cur->peer_cert.p );
        memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
    }
+#endif /* MBEDTLS_X509_CRT_PARSE_C */

-    /*
-     * Store peer certificate
-     */
-    if( session->peer_cert != NULL )
+    /* Copy the entire session; this temporarily makes a copy of the
+     * X.509 CRT structure even though we only want to store the raw CRT.
+     * This inefficiency will go away as soon as we implement on-demand
+     * parsing of CRTs, in which case there's no need for the `peer_cert`
+     * field anymore in the first place, and we're done after this call. */
+    ret = mbedtls_ssl_session_copy( &cur->session, session );
+    if( ret != 0 )
    {
-        cur->peer_cert.p = mbedtls_calloc( 1, session->peer_cert->raw.len );
+        ret = 1;
+        goto exit;
+    }
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /* If present, free the X.509 structure and only store the raw CRT data. */
+    if( cur->session.peer_cert != NULL )
+    {
+        cur->peer_cert.p =
+            mbedtls_calloc( 1, cur->session.peer_cert->raw.len );
        if( cur->peer_cert.p == NULL )
        {
            ret = 1;
            goto exit;
        }

-        memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
-                session->peer_cert->raw.len );
+        memcpy( cur->peer_cert.p,
+                cur->session.peer_cert->raw.p,
+                cur->session.peer_cert->raw.len );
        cur->peer_cert.len = session->peer_cert->raw.len;

+        mbedtls_x509_crt_free( cur->session.peer_cert );
+        mbedtls_free( cur->session.peer_cert );
        cur->session.peer_cert = NULL;
    }
 #endif /* MBEDTLS_X509_CRT_PARSE_C */