commit e81beda60f1e9931314b270b4cc82dd10eb91d2f
author Paul Bakker <p.j.bakker@polarssl.org> Wed Mar 06 17:40:46 2013 +0100
committer Paul Bakker <p.j.bakker@polarssl.org> Wed Mar 06 18:01:03 2013 +0100
tree 0256b407f388af1b4f608a5516ebd0a8626cfa6f
parent a35aa54967e3b1b9ba7630e9cf6ddd8560aa3db7

The SSL session cache module (ssl_cache) now also retains peer_cert information (not the entire chain)

The real peer certificate is copied into a x509_buf in the
ssl_cache_entry and reinstated upon cache retrieval. The information
about the rest of the certificate chain is lost in the process.

As the handshake (and certificate verification) has already been
performed, no issue is foreseen.

library/ssl_cache.c

diff --git a/library/ssl_cache.c b/library/ssl_cache.c
index ab948d6..f5686be 100644
--- a/library/ssl_cache.c
+++ b/library/ssl_cache.c
@@ -71,6 +71,26 @@
             continue;
 
         memcpy( session->master, entry->session.master, 48 );
+
+        /*
+         * Restore peer certificate (without rest of the original chain)
+         */
+        if( entry->peer_cert.p != NULL )
+        {
+            session->peer_cert = (x509_cert *) malloc( sizeof(x509_cert) );
+            if( session->peer_cert == NULL )
+                return( 1 );
+
+            memset( session->peer_cert, 0, sizeof(x509_cert) );
+            if( x509parse_crt( session->peer_cert, entry->peer_cert.p,
+                               entry->peer_cert.len ) != 0 )
+            {
+                free( session->peer_cert );
+                session->peer_cert = NULL;
+                return( 1 );
+            }
+        }
+
         return( 0 );
     }
 
@@ -119,15 +139,20 @@
         if( old != NULL && count >= cache->max_entries )
         {
             cur = old;
-            memset( &cur->session, 0, sizeof( ssl_session ) );
+            memset( &cur->session, 0, sizeof(ssl_session) );
+            if( cur->peer_cert.p != NULL )
+            {
+                free( cur->peer_cert.p );
+                memset( &cur->peer_cert, 0, sizeof(x509_buf) );
+            }
         }
         else
         {
-            cur = (ssl_cache_entry *) malloc( sizeof( ssl_cache_entry ) );
+            cur = (ssl_cache_entry *) malloc( sizeof(ssl_cache_entry) );
             if( cur == NULL )
                 return( 1 );
 
-            memset( cur, 0, sizeof( ssl_cache_entry ) );
+            memset( cur, 0, sizeof(ssl_cache_entry) );
 
             if( prv == NULL )
                 cache->chain = cur;
@@ -140,9 +165,21 @@
 
     memcpy( &cur->session, session, sizeof( ssl_session ) );
     
-    // Do not include peer_cert in cache entry
-    //
-    cur->session.peer_cert = NULL;
+    /*
+     * Store peer certificate
+     */
+    if( session->peer_cert != NULL )
+    {
+        cur->peer_cert.p = (unsigned char *) malloc( session->peer_cert->raw.len );
+        if( cur->peer_cert.p == NULL )
+            return( 1 );
+
+        memcpy( cur->peer_cert.p, session->peer_cert->raw.p,
+                session->peer_cert->raw.len );
+        cur->peer_cert.len = session->peer_cert->raw.len;
+
+        cur->session.peer_cert = NULL;
+    }
 
     return( 0 );
 }
@@ -173,6 +210,10 @@
         cur = cur->next;
 
         ssl_session_free( &prv->session );
+
+        if( prv->peer_cert.p != NULL )
+            free( prv->peer_cert.p );
+
         free( prv );
     }
 }