Allow config'n of incl of CertificateReq CA list Y/N at compile-time

Introduces MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST which allows to configure at compile-time whether a CA list should be included in the CertificateRequest message sent by the server. Impact on code-size: | | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 | | --- | --- | --- | --- | | `libmbedtls.a` before | 23131 | 23805 | 26673 | | `libmbedtls.a` after | 23099 | 23781 | 26639 | | gain in Bytes | 32 | 24 | 34 |
2025-01-11 06:05:39 +00:00 · 2019-06-13 12:33:03 +01:00 · 2019-06-13 12:33:03 +01:00 · c2cfdaa693
parent 2d9623f7d5
commit c2cfdaa693
8 changed files with 53 additions and 8 deletions
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@ -80,6 +80,7 @@
 #define MBEDTLS_SSL_DTLS_CONNECTION_ID

 /* Compile-time fixed parts of the SSL configuration */
+#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
 #define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
 #define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN 1000
 #define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX 16000
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -3458,7 +3458,9 @@
 //#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0

 /* Endpoint (Client/Server) */
-//#define MBEDTLS_SSL_CONF_ENDPOINT MBED
+//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT
+
+//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED

 /* DTLS-specific settings */
 //#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1106,8 +1106,10 @@ struct mbedtls_ssl_config
    unsigned int fallback : 1;      /*!< is this a fallback?                */
 #endif
 #if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
    unsigned int cert_req_ca_list : 1;  /*!< enable sending CA list in
                                          Certificate Request messages?     */
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 #if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
@ -2965,19 +2967,22 @@ void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
 #endif /* MBEDTLS_ARC4_C */

-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
 /**
 * \brief          Whether to send a list of acceptable CAs in
 *                 CertificateRequest messages.
 *                 (Default: do send)
 *
+ * \note           On constrained systems, this options can also be configured
+ *                 at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST.
+ *
 * \param conf     SSL configuration
 * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
 *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
 */
 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
                                          char cert_req_ca_list );
-#endif /* MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */

 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@ -1085,6 +1085,23 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
 * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
 */

+#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->cert_req_ca_list );
+}
+#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+}
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
+
 #if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
 static inline unsigned int mbedtls_ssl_conf_get_endpoint(
    mbedtls_ssl_config  const *conf )
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -2947,7 +2947,8 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )

    total_dn_size = 0;

-    if( ssl->conf->cert_req_ca_list ==  MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
+    if( mbedtls_ssl_conf_get_cert_req_ca_list( ssl->conf )
+        == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
    {
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
        if( ssl->handshake->sni_ca_chain != NULL )
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -8665,7 +8665,7 @@ void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
 }
 #endif

-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
                                          char cert_req_ca_list )
 {
@ -10829,8 +10829,10 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #endif

 #if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
    conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
-#endif
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 #if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@ -2610,6 +2610,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_SSL_CONF_ENDPOINT */

+#if defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+    if( strcmp( "MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+        return( 0 );
+    }
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+
 #if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
    if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 )
    {
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -422,6 +422,14 @@ int main( void )
 #define USAGE_READ_TIMEOUT ""
 #endif

+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+#define USAGE_CERT_REQ_CA_LIST                              \
+    "    cert_req_ca_list=%%d default: 1 (send ca list)\n"  \
+    "                        options: 1 (send ca list), 0 (don't send)\n"
+#else
+#define USAGE_CERT_REQ_CA_LIST ""
+#endif
+
 #define USAGE \
    "\n usage: ssl_server2 param=<>...\n"                   \
    "\n acceptable parameters:\n"                           \
@ -445,8 +453,7 @@ int main( void )
    USAGE_BADMAC_LIMIT                                      \
    "\n"                                                    \
    USAGE_AUTH_MODE                                         \
-    "    cert_req_ca_list=%%d default: 1 (send ca list)\n"  \
-    "                        options: 1 (send ca list), 0 (don't send)\n" \
+    USAGE_CERT_REQ_CA_LIST                                  \
    USAGE_IO                                                \
    USAGE_SSL_ASYNC                                         \
    USAGE_SNI                                               \
@ -2479,8 +2486,10 @@ int main( int argc, char *argv[] )
        mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
 #endif /* !MBEDTLS_SSL_CONF_AUTHMODE */

+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
    if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
        mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
+#endif

 #if defined(MBEDTLS_SSL_PROTO_DTLS)
    if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )