diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e5d593312..4b8913ba7 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1757,6 +1757,38 @@ */ #define MBEDTLS_VERSION_FEATURES +/** + * \def MBEDTLS_X509_ON_DEMAND_PARSING + * + * Save RAM by reducing mbedtls_x509_crt to a pointer + * to the raw CRT data and parsing CRTs on demand only. + * + * \warning This option changes the API by removing most of + * the structure fields of mbedtls_x509_crt. + * + * \warning This option and its corresponding X.509 API are currently + * under development and may change at any time. + * + * Regardless of whether this option is enabled or not, direct access of + * structure fields of `mbedtls_x509_crt` should be replaced by calls to + * one of the following functions: + * - mbedtls_x509_crt_get_frame(), to obtain a CRT frame giving + * access to several basic CRT fields (such as the CRT version), + * as well as pointers to the raw ASN.1 data of more complex fields + * (such as the issuer). + * - mbedtls_x509_crt_get_pk(), to obtain a public key context + * for the public key contained in the certificate. + * - mbedtls_x509_crt_get_issuer(), to obtain the issuer name. + * - mbedtls_x509_crt_get_subject(), to obtain the subject name. + * - mbedtls_x509_crt_get_subject_alt_names(), to obtain the + * alternative names from the subject alternative names extension. + * - mbedtls_x509_crt_get_ext_key_usage(), to obtain the state of + * the extended key usage extension. + * + * Uncomment this to enable on-demand CRT parsing to save RAM. + */ +//#define MBEDTLS_X509_ON_DEMAND_PARSING + /** * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 * diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 3f8350a4a..db99aabba 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -122,8 +122,14 @@ typedef struct mbedtls_x509_crt_cache typedef struct mbedtls_x509_crt { int own_buffer; /**< Indicates if \c raw is owned - * by the structure or not. */ - mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ + * by the structure or not. */ + mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ + mbedtls_x509_crt_cache *cache; /**< Internal parsing cache. */ + + struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ + + /* Legacy fields */ +#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING) mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ @@ -166,10 +172,7 @@ typedef struct mbedtls_x509_crt mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ - - mbedtls_x509_crt_cache *cache; /**< Internal parsing cache. */ - - struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ +#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */ } mbedtls_x509_crt; @@ -746,7 +749,7 @@ static inline void mbedtls_x509_crt_frame_release( #endif } -static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt *crt, +static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt const *crt, mbedtls_pk_context **pk_ptr ) { #if defined(MBEDTLS_THREADING_C) @@ -772,7 +775,7 @@ static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt *crt, return( 0 ); } -static inline void mbedtls_x509_crt_pk_release( mbedtls_x509_crt *crt, +static inline void mbedtls_x509_crt_pk_release( mbedtls_x509_crt const *crt, mbedtls_pk_context *pk ) { ((void) pk); diff --git a/library/version_features.c b/library/version_features.c index 5e9d9239b..e19e31455 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -534,6 +534,9 @@ static const char *features[] = { #if defined(MBEDTLS_VERSION_FEATURES) "MBEDTLS_VERSION_FEATURES", #endif /* MBEDTLS_VERSION_FEATURES */ +#if defined(MBEDTLS_X509_ON_DEMAND_PARSING) + "MBEDTLS_X509_ON_DEMAND_PARSING", +#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */ #if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3) "MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3", #endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */ diff --git a/library/x509_crt.c b/library/x509_crt.c index 6c87959b6..20f0bb020 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -116,10 +116,19 @@ int mbedtls_x509_crt_cache_provide_pk( mbedtls_x509_crt const *crt ) pk = mbedtls_calloc( 1, sizeof( mbedtls_pk_context ) ); if( pk == NULL ) return( MBEDTLS_ERR_X509_ALLOC_FAILED ); - *pk = crt->pk; - cache->pk = pk; + +#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING) + *pk = crt->pk; return( 0 ); +#else + { + mbedtls_x509_buf_raw pk_raw = cache->pk_raw; + return( mbedtls_pk_parse_subpubkey( &pk_raw.p, + pk_raw.p + pk_raw.len, + pk ) ); + } +#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */ } static void x509_crt_cache_init( mbedtls_x509_crt_cache *cache ) @@ -133,9 +142,15 @@ static void x509_crt_cache_init( mbedtls_x509_crt_cache *cache ) static void x509_crt_cache_clear_pk( mbedtls_x509_crt_cache *cache ) { +#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING) /* The cache holds a shallow copy of the PK context * in the legacy struct, so don't free PK context. */ mbedtls_free( cache->pk ); +#else + mbedtls_pk_free( cache->pk ); + mbedtls_free( cache->pk ); +#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */ + cache->pk = NULL; } @@ -1182,6 +1197,7 @@ static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame *frame, return( 0 ); } +#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING) static int x509_crt_pk_from_frame( mbedtls_x509_crt_frame *frame, mbedtls_pk_context *pk ) { @@ -1189,6 +1205,7 @@ static int x509_crt_pk_from_frame( mbedtls_x509_crt_frame *frame, unsigned char *end = p + frame->pubkey_raw.len; return( mbedtls_pk_parse_subpubkey( &p, end, pk ) ); } +#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */ /* * Parse and fill a single X.509 certificate in DER format @@ -1248,6 +1265,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, cache->pk_raw = frame->pubkey_raw; +#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING) /* Copy frame to legacy CRT structure -- that's inefficient, but if * memory matters, the new CRT structure should be used anyway. */ crt->tbs.p = frame->tbs.p; @@ -1336,7 +1354,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, ret = x509_crt_ext_key_usage_from_frame( frame, &crt->ext_key_usage ); if( ret != 0 ) goto exit; - +#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */ /* The cache just references the PK structure from the legacy * implementation, so set up the latter first before setting up @@ -3330,6 +3348,8 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) { x509_crt_cache_free( cert_cur->cache ); mbedtls_free( cert_cur->cache ); + +#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING) mbedtls_pk_free( &cert_cur->pk ); #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) @@ -3340,6 +3360,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) x509_free_name( cert_cur->subject.next ); x509_free_sequence( cert_cur->ext_key_usage.next ); x509_free_sequence( cert_cur->subject_alt_names.next ); +#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */ if( cert_cur->raw.p != NULL && cert_cur->own_buffer ) {