Allow config'n of incl of CertificateReq CA list Y/N at compile-time
Introduces MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST which allows to configure
at compile-time whether a CA list should be included in the
CertificateRequest message sent by the server.
Impact on code-size:
| | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23131 | 23805 | 26673 |
| `libmbedtls.a` after | 23099 | 23781 | 26639 |
| gain in Bytes | 32 | 24 | 34 |
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index fcb92f2..3e70260 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3458,7 +3458,9 @@
//#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0
/* Endpoint (Client/Server) */
-//#define MBEDTLS_SSL_CONF_ENDPOINT MBED
+//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT
+
+//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
/* DTLS-specific settings */
//#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 86759e5..7c5cadc 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1106,8 +1106,10 @@
unsigned int fallback : 1; /*!< is this a fallback? */
#endif
#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
@@ -2965,19 +2967,22 @@
void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
#endif /* MBEDTLS_ARC4_C */
-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
/**
* \brief Whether to send a list of acceptable CAs in
* CertificateRequest messages.
* (Default: do send)
*
+ * \note On constrained systems, this options can also be configured
+ * at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST.
+ *
* \param conf SSL configuration
* \param cert_req_ca_list MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
* MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
*/
void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
char cert_req_ca_list );
-#endif /* MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
/**
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index b08aae2..138b6fd 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1085,6 +1085,23 @@
* be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
*/
+#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+ mbedtls_ssl_config const *conf )
+{
+ return( conf->cert_req_ca_list );
+}
+#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+ mbedtls_ssl_config const *conf )
+{
+ ((void) conf);
+ return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+}
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
+
#if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
static inline unsigned int mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_config const *conf )