cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-03 20:22:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

Add configuration option to remove peer CRT after handshake

Browse Source
This commit is contained in:
Hanno Becker 2019-02-05 17:04:00 +00:00
parent 4a82c1ccb4
commit bb278f52ca
2 changed files with 28 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
include/mbedtls/config.h
View File

@ -1354,6 +1354,28 @@
*/ */
#define MBEDTLS_SSL_FALLBACK_SCSV #define MBEDTLS_SSL_FALLBACK_SCSV
/**
* \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
*
* This option controls the presence of the API mbedtls_ssl_get_peer_cert()
* giving access to the peer's certificate after completion of the handshake.
*
* Unless you need mbedtls_ssl_peer_cert() in your application, it is
* recommended to disable this option for reduced RAM usage.
*
* \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
* defined, but always returns \c NULL.
*
* \note This option has no influence on the protection against the
* triple handshake attack. Even if it is disabled, Mbed TLS will
* still ensure that certificates do not change during renegotiation,
* for exaple by keeping a hash of the peer's certificate.
*
* Comment this macro to disable storing the peer's certificate
* after the handshake.
*/
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
/** /**
* \def MBEDTLS_SSL_HW_RECORD_ACCEL * \def MBEDTLS_SSL_HW_RECORD_ACCEL
* *

8
include/mbedtls/ssl.h
View File

@ -2982,8 +2982,12 @@ int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl );
* \param ssl The SSL context to use. This must be initialized and setup. * \param ssl The SSL context to use. This must be initialized and setup.
* *
* \return The current peer certificate, or \c NULL if * \return The current peer certificate, or \c NULL if
* none is available. It is owned by the SSL context * none is available, which might be because the chosen
* and valid only until the next call to the SSL API. * ciphersuite does not use peer certificates, or because
* #MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been disabled.
* If this functions does not return \c NULL, the returned
* certificate is owned by the SSL context and valid only
* until the next call to the SSL API.
* *
* \note For one-time inspection of the peer's certificate during * \note For one-time inspection of the peer's certificate during
* the handshake, consider registering an X.509 CRT verification * the handshake, consider registering an X.509 CRT verification