Merge pull request #3777 from hanno-arm/x509-info-optimization_rebased

Reduce ROM usage due to X.509 info

programs/fuzz/fuzz_x509crl.c

@@ -9,9 +9,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 
     mbedtls_x509_crl_init( &crl );
     ret = mbedtls_x509_crl_parse( &crl, Data, Size );
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     if (ret == 0) {
         ret = mbedtls_x509_crl_info( (char *) buf, sizeof( buf ) - 1, " ", &crl );
     }
+#else
+    ((void) ret);
+    ((void) buf);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
     mbedtls_x509_crl_free( &crl );
 #else
     (void) Data;

programs/fuzz/fuzz_x509crt.c

@@ -9,9 +9,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 
     mbedtls_x509_crt_init( &crt );
     ret = mbedtls_x509_crt_parse( &crt, Data, Size );
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     if (ret == 0) {
         ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", &crt );
     }
+#else
+    ((void) ret);
+    ((void) buf);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
     mbedtls_x509_crt_free( &crt );
 #else
     (void) Data;

programs/fuzz/fuzz_x509csr.c

@@ -9,9 +9,14 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 
     mbedtls_x509_csr_init( &csr );
     ret = mbedtls_x509_csr_parse( &csr, Data, Size );
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     if (ret == 0) {
         ret = mbedtls_x509_csr_info( (char *) buf, sizeof( buf ) - 1, " ", &csr );
     }
+#else
+    ((void) ret);
+    ((void) buf);
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
     mbedtls_x509_csr_free( &csr );
 #else
     (void) Data;

programs/ssl/dtls_client.c

@@ -241,13 +241,17 @@ int main( int argc, char *argv[] )
      * MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
     if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
         char vrfy_buf[512];
+#endif
 
         mbedtls_printf( " failed\n" );
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
         mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
+#endif
     }
     else
         mbedtls_printf( " ok\n" );

programs/ssl/ssl_client1.c

@@ -216,13 +216,17 @@ int main( void )
     /* In real life, we probably want to bail out when ret != 0 */
     if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
         char vrfy_buf[512];
+#endif
 
         mbedtls_printf( " failed\n" );
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
         mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
+#endif
     }
     else
         mbedtls_printf( " ok\n" );

programs/ssl/ssl_client2.c

@@ -532,6 +532,9 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
     char buf[1024];
     ((void) data);
 
+    mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth );
+
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
     if( depth == 0 )
         memcpy( peer_crt_info, buf, sizeof( buf ) );
@@ -539,14 +542,17 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
     if( opt.debug_level == 0 )
         return( 0 );
 
-    mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth );
     mbedtls_printf( "%s", buf );
+#else
+    ((void) crt);
+    ((void) depth);
+#endif
 
     if ( ( *flags ) == 0 )
         mbedtls_printf( "  This certificate has no flags\n" );
     else
     {
-        mbedtls_x509_crt_verify_info( buf, sizeof( buf ), "  ! ", *flags );
+        x509_crt_verify_info( buf, sizeof( buf ), "  ! ", *flags );
         mbedtls_printf( "%s\n", buf );
     }
 
@@ -2276,10 +2282,9 @@ int main( int argc, char *argv[] )
     if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
         char vrfy_buf[512];
-
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
+        x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
                                       "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
@@ -2287,8 +2292,10 @@ int main( int argc, char *argv[] )
     else
         mbedtls_printf( " ok\n" );
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     mbedtls_printf( "  . Peer certificate information    ...\n" );
     mbedtls_printf( "%s\n", peer_crt_info );
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)

programs/ssl/ssl_context_info.c

@@ -494,6 +494,7 @@ size_t read_next_b64_code( uint8_t **b64, size_t *max_len )
     return 0;
 }
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
 /*
  * This function deserializes and prints to the stdout all obtained information
  * about the certificates from provided data.
@@ -548,6 +549,7 @@ void print_deserialized_ssl_cert( const uint8_t *ssl, uint32_t len )
 
    mbedtls_x509_crt_free( &crt );
 }
+#endif /* !MBEDTLS_X509_REMOVE_INFO */
 
 /*
  * This function deserializes and prints to the stdout all obtained information
@@ -680,7 +682,9 @@ void print_deserialized_ssl_session( const uint8_t *ssl, uint32_t len,
             if( cert_len > 0 )
             {
                 CHECK_SSL_END( cert_len );
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
                 print_deserialized_ssl_cert( ssl, cert_len );
+#endif
                 ssl += cert_len;
             }
         }

programs/ssl/ssl_mail_client.c

@@ -208,21 +208,27 @@ static int do_handshake( mbedtls_ssl_context *ssl )
     /* In real life, we probably want to bail out when ret != 0 */
     if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
     {
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
         char vrfy_buf[512];
+#endif
 
         mbedtls_printf( " failed\n" );
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
         mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
+#endif
     }
     else
         mbedtls_printf( " ok\n" );
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     mbedtls_printf( "  . Peer certificate information    ...\n" );
     mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, "      ",
                    mbedtls_ssl_get_peer_cert( ssl ) );
     mbedtls_printf( "%s\n", buf );
+#endif
 
     return( 0 );
 }

programs/ssl/ssl_server2.c

@@ -3140,7 +3140,7 @@ handshake:
             char vrfy_buf[512];
             flags = mbedtls_ssl_get_verify_result( &ssl );
 
-            mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
+            x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
             mbedtls_printf( "%s\n", vrfy_buf );
         }
@@ -3192,13 +3192,13 @@ handshake:
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
-
+        x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
         mbedtls_printf( "%s\n", vrfy_buf );
     }
     else
         mbedtls_printf( " ok\n" );
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
     if( mbedtls_ssl_get_peer_cert( &ssl ) != NULL )
     {
         char crt_buf[512];
@@ -3208,6 +3208,7 @@ handshake:
                        mbedtls_ssl_get_peer_cert( &ssl ) );
         mbedtls_printf( "%s\n", crt_buf );
     }
+#endif /* MBEDTLS_X509_REMOVE_INFO */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_EXPORT_KEYS)

programs/ssl/ssl_test_common_source.c

@@ -303,3 +303,41 @@ int ssl_sig_hashes_for_test[] = {
     MBEDTLS_MD_NONE
 };
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function
+ *  for more info.
+ */
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags )
+{
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+    return( mbedtls_x509_crt_verify_info( buf, size, prefix, flags ) );
+
+#else /* !MBEDTLS_X509_REMOVE_INFO */
+    int ret;
+    char *p = buf;
+    size_t n = size;
+
+#define X509_CRT_ERROR_INFO( err, err_str, info )                      \
+    if( ( flags & err ) != 0 )                                         \
+    {                                                                  \
+        ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, info );        \
+        MBEDTLS_X509_SAFE_SNPRINTF;                                    \
+        flags ^= err;                                                  \
+    }
+
+    MBEDTLS_X509_CRT_ERROR_INFO_LIST
+#undef X509_CRT_ERROR_INFO
+
+    if( flags != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%sUnknown reason "
+                                       "(this should not happen)\n", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+}
+#endif /* MBEDTLS_X509_CRT_PARSE_C */

programs/test/query_config.c

@@ -1643,6 +1643,14 @@ int query_config( const char *config )
     }
 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
 
+#if defined(MBEDTLS_X509_REMOVE_INFO)
+    if( strcmp( "MBEDTLS_X509_REMOVE_INFO", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_INFO );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
     if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
     {

programs/x509/cert_app.c

@@ -41,14 +41,14 @@
     !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
     !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) ||         \
     !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) ||  \
-    !defined(MBEDTLS_CTR_DRBG_C)
+    !defined(MBEDTLS_CTR_DRBG_C) || defined(MBEDTLS_X509_REMOVE_INFO)
 int main( void )
 {
     mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
            "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
            "MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
            "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_FS_IO and/or "
-           "MBEDTLS_CTR_DRBG_C not defined.\n");
+           "MBEDTLS_CTR_DRBG_C not defined and/or MBEDTLS_X509_REMOVE_INFO defined.\n");
     mbedtls_exit( 0 );
 }
 #else

programs/x509/crl_app.c

@@ -35,11 +35,13 @@
 #endif /* MBEDTLS_PLATFORM_C */
 
 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) ||  \
-    !defined(MBEDTLS_X509_CRL_PARSE_C) || !defined(MBEDTLS_FS_IO)
+    !defined(MBEDTLS_X509_CRL_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
+    defined(MBEDTLS_X509_REMOVE_INFO)
 int main( void )
 {
     mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
-           "MBEDTLS_X509_CRL_PARSE_C and/or MBEDTLS_FS_IO not defined.\n");
+           "MBEDTLS_X509_CRL_PARSE_C and/or MBEDTLS_FS_IO not defined and/or "
+           "MBEDTLS_X509_REMOVE_INFO defined.\n");
     mbedtls_exit( 0 );
 }
 #else

programs/x509/req_app.c

@@ -35,11 +35,13 @@
 #endif /* MBEDTLS_PLATFORM_C */
 
 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) ||  \
-    !defined(MBEDTLS_X509_CSR_PARSE_C) || !defined(MBEDTLS_FS_IO)
+    !defined(MBEDTLS_X509_CSR_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
+    defined(MBEDTLS_X509_REMOVE_INFO)
 int main( void )
 {
     mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
-           "MBEDTLS_X509_CSR_PARSE_C and/or MBEDTLS_FS_IO not defined.\n");
+           "MBEDTLS_X509_CSR_PARSE_C and/or MBEDTLS_FS_IO not defined and/or "
+           "MBEDTLS_X509_REMOVE_INFO defined.\n");
     mbedtls_exit( 0 );
 }
 #else