Reduce code size when mbedtls_x509_*_info() unused

Introduce MBEDTLS_X509_INFO to indicate the availability of the mbedtls_x509_*_info() function and closely related APIs. When this is not defined, also omit name and description from mbedtls_oid_descriptor_t, and omit OID arrays, macros, and types that are entirely unused. This saves several KB of code space. Signed-off-by: Hanno Becker <hanno.becker@arm.com> Signed-off-by: Chris Jones <christopher.jones@arm.com>
2025-07-29 11:41:15 +03:00 · 2018-12-11 13:55:56 -06:00
parent 12f93f4fc2
commit 9a969b66c1
28 changed files with 322 additions and 206 deletions
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@ -241,13 +241,17 @@ int main( int argc, char *argv[] )
     * MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
    {
+#if defined(MBEDTLS_X509_INFO)
        char vrfy_buf[512];
+#endif

        mbedtls_printf( " failed\n" );

+#if defined(MBEDTLS_X509_INFO)
        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );

        mbedtls_printf( "%s\n", vrfy_buf );
+#endif
    }
    else
        mbedtls_printf( " ok\n" );
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@ -216,13 +216,17 @@ int main( void )
    /* In real life, we probably want to bail out when ret != 0 */
    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
    {
+#if defined(MBEDTLS_X509_INFO)
        char vrfy_buf[512];
+#endif

        mbedtls_printf( " failed\n" );

+#if defined(MBEDTLS_X509_INFO)
        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );

        mbedtls_printf( "%s\n", vrfy_buf );
+#endif
    }
    else
        mbedtls_printf( " ok\n" );
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -529,9 +529,12 @@ static unsigned char peer_crt_info[1024];
 static int my_verify( void *data, mbedtls_x509_crt *crt,
                      int depth, uint32_t *flags )
 {
+#if defined(MBEDTLS_X509_INFO)
    char buf[1024];
+#endif
    ((void) data);

+#if defined(MBEDTLS_X509_INFO)
    mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
    if( depth == 0 )
        memcpy( peer_crt_info, buf, sizeof( buf ) );
@ -541,13 +544,19 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,

    mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth );
    mbedtls_printf( "%s", buf );
+#else
+    ((void) crt);
+    ((void) depth);
+#endif

    if ( ( *flags ) == 0 )
        mbedtls_printf( "  This certificate has no flags\n" );
    else
    {
+#if defined(MBEDTLS_X509_INFO)
        mbedtls_x509_crt_verify_info( buf, sizeof( buf ), "  ! ", *flags );
        mbedtls_printf( "%s\n", buf );
+#endif
    }

    return( 0 );
@ -2275,14 +2284,18 @@ int main( int argc, char *argv[] )

    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
    {
+#if defined(MBEDTLS_X509_INFO)
        char vrfy_buf[512];
+#endif

        mbedtls_printf( " failed\n" );

+#if defined(MBEDTLS_X509_INFO)
        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
                                      "  ! ", flags );

        mbedtls_printf( "%s\n", vrfy_buf );
+#endif
    }
    else
        mbedtls_printf( " ok\n" );
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -208,21 +208,27 @@ static int do_handshake( mbedtls_ssl_context *ssl )
    /* In real life, we probably want to bail out when ret != 0 */
    if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
    {
+#if defined(MBEDTLS_X509_INFO)
        char vrfy_buf[512];
+#endif

        mbedtls_printf( " failed\n" );

+#if defined(MBEDTLS_X509_INFO)
        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );

        mbedtls_printf( "%s\n", vrfy_buf );
+#endif
    }
    else
        mbedtls_printf( " ok\n" );

+#if defined(MBEDTLS_X509_INFO)
    mbedtls_printf( "  . Peer certificate information    ...\n" );
    mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, "      ",
                   mbedtls_ssl_get_peer_cert( ssl ) );
    mbedtls_printf( "%s\n", buf );
+#endif

    return( 0 );
 }
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -3134,7 +3134,7 @@ handshake:
    {
        mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_X509_INFO)
        if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
        {
            char vrfy_buf[512];
@ -3188,17 +3188,22 @@ handshake:

    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
    {
+#if defined(MBEDTLS_X509_INFO)
        char vrfy_buf[512];
+#endif

        mbedtls_printf( " failed\n" );

+#if defined(MBEDTLS_X509_INFO)
        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );

        mbedtls_printf( "%s\n", vrfy_buf );
+#endif
    }
    else
        mbedtls_printf( " ok\n" );

+#if defined(MBEDTLS_X509_INFO)
    if( mbedtls_ssl_get_peer_cert( &ssl ) != NULL )
    {
        char crt_buf[512];
@ -3208,6 +3213,7 @@ handshake:
                       mbedtls_ssl_get_peer_cert( &ssl ) );
        mbedtls_printf( "%s\n", crt_buf );
    }
+#endif /* MBEDTLS_X509_INFO */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@ -1643,6 +1643,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */

+#if defined(MBEDTLS_X509_INFO)
+    if( strcmp( "MBEDTLS_X509_INFO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_INFO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_INFO */
+
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
    if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
    {
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@ -41,14 +41,14 @@
    !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
    !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||         \
    !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) ||  \
-    !defined(MBEDTLS_CTR_DRBG_C)
+    !defined(MBEDTLS_X509_INFO) || !defined(MBEDTLS_CTR_DRBG_C)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
           "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
           "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
           "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_FS_IO and/or "
-           "MBEDTLS_CTR_DRBG_C not defined.\n");
+           "MBEDTLS_X509_INFO and/or MBEDTLS_CTR_DRBG_C not defined.\n");
    mbedtls_exit( 0 );
 }
 #else
--- a/programs/x509/crl_app.c
+++ b/programs/x509/crl_app.c
@ -35,11 +35,13 @@
 #endif /* MBEDTLS_PLATFORM_C */

 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) ||  \
-    !defined(MBEDTLS_X509_CRL_PARSE_C) || !defined(MBEDTLS_FS_IO)
+    !defined(MBEDTLS_X509_CRL_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
+    !defined(MBEDTLS_X509_INFO)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
-           "MBEDTLS_X509_CRL_PARSE_C and/or MBEDTLS_FS_IO not defined.\n");
+           "MBEDTLS_X509_CRL_PARSE_C and/or MBEDTLS_FS_IO and/or "
+           "MBEDTLS_X509_INFO not defined.\n");
    mbedtls_exit( 0 );
 }
 #else
--- a/programs/x509/req_app.c
+++ b/programs/x509/req_app.c
@ -35,11 +35,13 @@
 #endif /* MBEDTLS_PLATFORM_C */

 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) ||  \
-    !defined(MBEDTLS_X509_CSR_PARSE_C) || !defined(MBEDTLS_FS_IO)
+    !defined(MBEDTLS_X509_CSR_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
+    !defined(MBEDTLS_X509_INFO)
 int main( void )
 {
    mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
-           "MBEDTLS_X509_CSR_PARSE_C and/or MBEDTLS_FS_IO not defined.\n");
+           "MBEDTLS_X509_CSR_PARSE_C and/or MBEDTLS_FS_IO and/or "
+           "MBEDTLS_X509_INFO not defined.\n");
    mbedtls_exit( 0 );
 }
 #else