Allow config'n of incl of CertificateReq CA list Y/N at compile-time

Introduces MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST which allows to configure at compile-time whether a CA list should be included in the CertificateRequest message sent by the server. Impact on code-size: | | GCC 8.2.1 | ARMC5 5.06 | ARMC6 6.12 | | --- | --- | --- | --- | | `libmbedtls.a` before | 23131 | 23805 | 26673 | | `libmbedtls.a` after | 23099 | 23781 | 26639 | | gain in Bytes | 32 | 24 | 34 |
2026-05-11 06:28:17 +02:00 · 2019-06-13 12:33:03 +01:00
parent 2d9623f7d5
commit c2cfdaa693
8 changed files with 53 additions and 8 deletions
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -3458,7 +3458,9 @@
 //#define MBEDTLS_SSL_CONF_READ_TIMEOUT 0

 /* Endpoint (Client/Server) */
-//#define MBEDTLS_SSL_CONF_ENDPOINT MBED
+//#define MBEDTLS_SSL_CONF_ENDPOINT MBEDTLS_SSL_IS_CLIENT
+
+//#define MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED

 /* DTLS-specific settings */
 //#define MBEDTLS_SSL_CONF_HS_TIMEOUT_MIN MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1106,8 +1106,10 @@ struct mbedtls_ssl_config
    unsigned int fallback : 1;      /*!< is this a fallback?                */
 #endif
 #if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
    unsigned int cert_req_ca_list : 1;  /*!< enable sending CA list in
                                          Certificate Request messages?     */
+#endif /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
 #endif
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
 #if !defined(MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID)
@@ -2965,19 +2967,22 @@ void mbedtls_ssl_conf_extended_master_secret_enforce( mbedtls_ssl_config *conf,
 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 );
 #endif /* MBEDTLS_ARC4_C */

-#if defined(MBEDTLS_SSL_SRV_C)
+#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
 /**
 * \brief          Whether to send a list of acceptable CAs in
 *                 CertificateRequest messages.
 *                 (Default: do send)
 *
+ * \note           On constrained systems, this options can also be configured
+ *                 at compile-time via MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST.
+ *
 * \param conf     SSL configuration
 * \param cert_req_ca_list   MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED or
 *                          MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED
 */
 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
                                          char cert_req_ca_list );
-#endif /* MBEDTLS_SSL_SRV_C */
+#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */

 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1085,6 +1085,23 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
 * be fixed at compile time via one of MBEDTLS_SSL_SSL_CONF_XXX.
 */

+#if defined(MBEDTLS_SSL_SRV_C)
+#if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST)
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+    mbedtls_ssl_config  const *conf )
+{
+    return( conf->cert_req_ca_list );
+}
+#else /* !MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+static inline unsigned int mbedtls_ssl_conf_get_cert_req_ca_list(
+    mbedtls_ssl_config  const *conf )
+{
+    ((void) conf);
+    return( MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST );
+}
+#endif /* MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST */
+#endif /* MBEDTLS_SSL_SRV_C */
+
 #if !defined(MBEDTLS_SSL_CONF_ENDPOINT)
 static inline unsigned int mbedtls_ssl_conf_get_endpoint(
    mbedtls_ssl_config  const *conf )