From 5ffc220f16bd1c30c9f7f48708b657629aebd128 Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 17 May 2017 18:59:53 +0300 Subject: [PATCH 1/3] Documentation error in `mbedtls_ssl_get_session` Fix Documentation error in `mbedtls_ssl_get_session`. This function supports deep copying of the session, and the peer certificate is not lost anymore, Resolves #926 --- ChangeLog | 3 +++ include/mbedtls/ssl.h | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 44533d2ae..10f07736d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,9 @@ Bugfix return value. Found by @davidwu2000. #839 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber, Philippe Antoine. Fixes #1623. + * Remove wrong documentation for `mbedtls_ssl_get_session`. + This API has deep copy of the session, and the peer + certificate is not lost. #926 Changes * Change the shebang line in Perl scripts to look up perl in the PATH. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 39b7f290a..ac9a3f3ce 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2737,7 +2737,6 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ss * \brief Save session in order to resume it later (client-side only) * Session data is copied to presented session structure. * - * \warning Currently, peer certificate is lost in the operation. * * \param ssl SSL context * \param session session context @@ -2747,6 +2746,11 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ss * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or * arguments are otherwise invalid * + * \note Only the server certificate is copied, and not the chain + * but this is not a problem because the result of the chain + * verification is stored in `verify_result` and can be checked + * with \c mbedtls_ssl_get_verify_result() + * * \sa mbedtls_ssl_set_session() */ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session ); From 382c1db6c0a5209416ec66a17e34bc8b3c15fc3c Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Wed, 4 Jul 2018 17:42:47 +0300 Subject: [PATCH 2/3] Minor fixes 1. Rephrase ChangeLog entry. 2. Add a full stop at the end of the fuinction documentation. --- ChangeLog | 4 ++-- include/mbedtls/ssl.h | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10f07736d..c0c4cd2a7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,9 +18,9 @@ Bugfix return value. Found by @davidwu2000. #839 * Fix a memory leak in mbedtls_x509_csr_parse(), found by catenacyber, Philippe Antoine. Fixes #1623. - * Remove wrong documentation for `mbedtls_ssl_get_session`. + * Correct the documentation for `mbedtls_ssl_get_session()`. This API has deep copy of the session, and the peer - certificate is not lost. #926 + certificate is not lost. Fixes #926. Changes * Change the shebang line in Perl scripts to look up perl in the PATH. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index ac9a3f3ce..4c9f9e839 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2744,12 +2744,12 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ss * \return 0 if successful, * MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed, * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or - * arguments are otherwise invalid + * arguments are otherwise invalid. * * \note Only the server certificate is copied, and not the chain * but this is not a problem because the result of the chain * verification is stored in `verify_result` and can be checked - * with \c mbedtls_ssl_get_verify_result() + * with \c mbedtls_ssl_get_verify_result(). * * \sa mbedtls_ssl_set_session() */ From 00115034ea00d8df8d3c009c4e76e98cb1dd893d Mon Sep 17 00:00:00 2001 From: Ron Eldor Date: Tue, 17 Jul 2018 11:21:50 +0300 Subject: [PATCH 3/3] Repharse comments Rephrase comments to clarify them. --- include/mbedtls/ssl.h | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 4c9f9e839..8b6e0491e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2746,10 +2746,16 @@ const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ss * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used server-side or * arguments are otherwise invalid. * - * \note Only the server certificate is copied, and not the chain - * but this is not a problem because the result of the chain - * verification is stored in `verify_result` and can be checked - * with \c mbedtls_ssl_get_verify_result(). + * \note Only the server certificate is copied, and not the full chain, + * so you should not attempt to validate the certificate again + * by calling \c mbedtls_x509_crt_verify() on it. + * Instead, you should use the results from the verification + * in the original handshake by calling \c mbedtls_ssl_get_verify_result() + * after loading the session again into a new SSL context + * using \c mbedtls_ssl_set_session(). + * + * \note Once the session object is not needed anymore, you should + * free it by calling \c mbedtls_ssl_session_free(). * * \sa mbedtls_ssl_set_session() */ @@ -3027,6 +3033,9 @@ void mbedtls_ssl_session_init( mbedtls_ssl_session *session ); * \brief Free referenced items in an SSL session including the * peer certificate and clear memory * + * \note A session object can be freed even if the SSL context + * that was used to retrieve the session is still in use. + * * \param session SSL session */ void mbedtls_ssl_session_free( mbedtls_ssl_session *session );