Merge pull request #583 from ARMmbed/remove_peer_crt_after_handshake-baremetal

[Baremetal] Allow removal of peer certificate to reduce RAM usage
2026-05-11 22:42:23 +02:00 · 2019-06-24 18:11:46 +02:00
parent 8dcd80ec5c 0528f82fa9
commit 79cf74a95f
19 changed files with 945 additions and 451 deletions
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -885,6 +885,22 @@ component_test_no_max_fragment_length () {
    if_build_succeeded tests/ssl-opt.sh -f "Max fragment length"
 }

+component_test_asan_remove_peer_certificate () {
+    msg "build: default config with MBEDTLS_SSL_KEEP_PEER_CERTIFICATE disabled (ASan build)"
+    scripts/config.pl unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+    CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
+    make
+
+    msg "test: !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
+    make test
+
+    msg "test: ssl-opt.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
+    if_build_succeeded tests/ssl-opt.sh
+
+    msg "test: compat.sh, !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE"
+    if_build_succeeded tests/compat.sh
+}
+
 component_test_no_max_fragment_length_small_ssl_out_content_len () {
    msg "build: no MFL extension, small SSL_OUT_CONTENT_LEN (ASan build)"
    scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1,6 +1,7 @@
 /* BEGIN_HEADER */
 #include <mbedtls/ssl.h>
 #include <mbedtls/ssl_internal.h>
+#include <mbedtls/md.h>

 /*
 * Helper function setting up inverse record transformations
@@ -287,15 +288,40 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_FS_IO)
    if( strlen( crt_file ) != 0 )
    {
+        mbedtls_x509_crt tmp_crt;
        int ret;

+        mbedtls_x509_crt_init( &tmp_crt );
+        ret = mbedtls_x509_crt_parse_file( &tmp_crt, crt_file );
+        if( ret != 0 )
+            return( ret );
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        /* Calculate digest of temporary CRT. */
+        session->peer_cert_digest =
+            mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
+        if( session->peer_cert_digest == NULL )
+            return( -1 );
+        ret = mbedtls_md( mbedtls_md_info_from_type(
+                              MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
+                          tmp_crt.raw.p, tmp_crt.raw.len,
+                          session->peer_cert_digest );
+        if( ret != 0 )
+            return( ret );
+        session->peer_cert_digest_type =
+            MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
+        session->peer_cert_digest_len =
+            MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+        /* Move temporary CRT. */
        session->peer_cert = mbedtls_calloc( 1, sizeof( *session->peer_cert ) );
        if( session->peer_cert == NULL )
            return( -1 );
+        *session->peer_cert = tmp_crt;
+        memset( &tmp_crt, 0, sizeof( tmp_crt ) );
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */

-        ret = mbedtls_x509_crt_parse_file( session->peer_cert, crt_file );
-        if( ret != 0 )
-            return( ret );
+        mbedtls_x509_crt_free( &tmp_crt );
    }
 #else
    (void) crt_file;
@@ -681,6 +707,7 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
                         restored.master, sizeof( original.master ) ) == 0 );

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
    TEST_ASSERT( ( original.peer_cert == NULL ) ==
                 ( restored.peer_cert == NULL ) );
    if( original.peer_cert != NULL )
@@ -691,7 +718,21 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
                             restored.peer_cert->raw.p,
                             original.peer_cert->raw.len ) == 0 );
    }
-#endif
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+    TEST_ASSERT( original.peer_cert_digest_type ==
+                 restored.peer_cert_digest_type );
+    TEST_ASSERT( original.peer_cert_digest_len ==
+                 restored.peer_cert_digest_len );
+    TEST_ASSERT( ( original.peer_cert_digest == NULL ) ==
+                 ( restored.peer_cert_digest == NULL ) );
+    if( original.peer_cert_digest != NULL )
+    {
+        TEST_ASSERT( memcmp( original.peer_cert_digest,
+                             restored.peer_cert_digest,
+                             original.peer_cert_digest_len ) == 0 );
+    }
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
    TEST_ASSERT( original.verify_result == restored.verify_result );

 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)