Allow config'n of incl of CertificateReq CA list Y/N at compile-time
Introduces MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST, which allows configuring
at compile-time whether a CA list should be included in the
CertificateRequest message sent by the server.
Impact on code-size:
| | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23131 | 23805 | 26673 |
| `libmbedtls.a` after | 23099 | 23781 | 26639 |
| gain in Bytes | 32 | 24 | 34 |
diff --git a/configs/baremetal.h b/configs/baremetal.h
index 37e2444..399b6e5 100644
--- a/configs/baremetal.h
+++ b/configs/baremetal.h
@@ -80,6 +80,7 @@
#define MBEDTLS_SSL_DTLS_CONNECTION_ID
/* Compile-time fixed parts of the SSL configuration */
+#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN 1000
#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MAX 16000
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index fcb92f2..3e70260 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3458,7 +3458,9 @@
//#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
/* Endpoint (Client/Server) */
-//#define MBEDTLS_SSL_CONF_ENDPOINT MBED
+//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT
+
+//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
/* DTLS-specific settings */
//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
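Review bot: The new `MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST` entry carries no explanatory comment, unlike the `/* Endpoint (Client/Server) */` line just above it, so a reader of config.h cannot tell which values are accepted or that the option is server-only. I would add, above the commented-out define, `/* Server only: whether CertificateRequest carries the list of acceptable CAs; MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED */`. The same hunk also replaces the truncated `MBED` on the ENDPOINT line with `MBEDTLS_SSL_IS_CLIENT`; that looks like an unrelated fix and would be clearer as its own commit or at least mentioned in the description.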
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 86759e5..7c5cadc 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1106,8 +1106,10 @@
unsigned int fallback : 1; /*!< is this a fallback? */
#endif
#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
@@ -2965,19 +2967,22 @@
void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
#endif /* MBEDTLS_ARC4_C */
-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
/**
* \brief Whether to send a list of acceptable CAs in
* CertificateRequest messages.
* (Default: do send)
*
+ * \note On constrained systems, this options can also be configured
+ * at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST.
+ *
* \param conf SSL configuration
* \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
* MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
*/
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list );
-#endif /* MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
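Review bot: The new `\note` in the `mbedtls_ssl_conf_cert_req_ca_list` doc comment has a typo, `this options` should be `this option`, and it does not say what the guard change in the same hunk means for callers: once `MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST` is defined the function is no longer declared at all. I would make the note read `\note On constrained systems this option can also be fixed at compile time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST; in that case this function is not available and the compile-time value is used instead.` That tells application authors why their call stops compiling under such a configuration.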
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index b08aae2..138b6fd 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1085,6 +1085,23 @@
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
*/
+#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->cert_req_ca_list );
+}
+#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+}
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
+
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
static inline unsigned int mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_config const *conf )
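Review bot: The compile-time variant of `mbedtls_ssl_conf_get_cert_req_ca_list` returns `MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST` unvalidated, and the only consumer in ssl_srv.c compares it with `== MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED`, so any other value (a typo, a bare `2`) silently behaves as DISABLED and the server stops sending its CA list without any diagnostic. The runtime path has the same weakness via the `char` setter, but the compile-time path can be checked for free. I would reject invalid values in the `#else` branch next to the getter (or wherever the other `MBEDTLS_SSL_CONF_XXX` options are validated), so a misconfiguration fails the build rather than changing handshake behaviour.
```c
#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#if MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST != MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED && \
    MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST != MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
#error "MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST must be MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED"
#endif
/* … unchanged: compile-time getter returning MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST … */
```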
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index b6b7750..f8d2ec4 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2947,7 +2947,8 @@
total_dn_size = 0;
- if( ssl->conf->cert_req_ca_list == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
+ if( mbedtls_ssl_conf_get_cert_req_ca_list( ssl->conf )
+ == MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED )
{
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index cfd6589..dc0eaf9 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8665,7 +8665,7 @@
}
#endif
-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list )
{
@@ -10829,8 +10829,10 @@
#endif
#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
-#endif
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#if !defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index 29b778c..bcdafb6 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -2610,6 +2610,14 @@
}
#endif /* MBEDTLS_SSL_CONF_ENDPOINT */
+#if defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+ if( strcmp( "MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+ return( 0 );
+ }
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+
#if defined(MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN)
if( strcmp( "MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN", config ) == 0 )
{
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 707660f..5fbbddd 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -422,6 +422,14 @@
#define USAGE_READ_TIMEOUT ""
#endif
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+#define USAGE_CERT_REQ_CA_LIST \
+ " cert_req_ca_list=%%d default: 1 (send ca list)\n" \
+ " options: 1 (send ca list), 0 (don't send)\n"
+#else
+#define USAGE_CERT_REQ_CA_LIST ""
+#endif
+
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@@ -445,8 +453,7 @@
USAGE_BADMAC_LIMIT \
"\n" \
USAGE_AUTH_MODE \
- " cert_req_ca_list=%%d default: 1 (send ca list)\n" \
- " options: 1 (send ca list), 0 (don't send)\n" \
+ USAGE_CERT_REQ_CA_LIST \
USAGE_IO \
USAGE_SSL_ASYNC \
USAGE_SNI \
@@ -2479,8 +2486,10 @@
mbedtls_ssl_conf_authmode( &conf, opt.auth_mode );
#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
+#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
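Review bot: Guarding only the `mbedtls_ssl_conf_cert_req_ca_list` call means that, in a build where `MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST` is defined, a `cert_req_ca_list=` argument is presumably still parsed into `opt.cert_req_ca_list` (the parsing is outside this hunk) and then silently ignored, so a test run that asks for a different setting than the compiled-in one proceeds as if it had been honoured. The usage text is already hidden by the first hunk, but an explicit value should be rejected rather than dropped. I would add an `#else` branch that reports the conflict and takes main's usual error exit; the enclosing function continues outside the hunk.
```c
#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
    if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
        mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list );
#else
    if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST )
    {
        mbedtls_printf( "cert_req_ca_list is fixed at compile time "
                        "(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST); "
                        "the command-line value cannot be applied\n" );
        goto exit;
    }
#endif
```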