Add compile-time option to remove legacy CRT fields

This commit is contained in:
Hanno Becker 2019-02-28 13:23:38 +00:00
parent b6c39fca5c
commit 180f7bf60b
4 changed files with 70 additions and 11 deletions

View File

@ -1757,6 +1757,38 @@
*/
#define MBEDTLS_VERSION_FEATURES
/**
* \def MBEDTLS_X509_ON_DEMAND_PARSING
*
* Save RAM by reducing mbedtls_x509_crt to a pointer
* to the raw CRT data and parsing CRTs on demand only.
*
* \warning This option changes the API by removing most of
* the structure fields of mbedtls_x509_crt.
*
* \warning This option and its corresponding X.509 API are currently
* under development and may change at any time.
*
* Regardless of whether this option is enabled or not, direct access of
* structure fields of `mbedtls_x509_crt` should be replaced by calls to
* one of the following functions:
* - mbedtls_x509_crt_get_frame(), to obtain a CRT frame giving
* access to several basic CRT fields (such as the CRT version),
* as well as pointers to the raw ASN.1 data of more complex fields
* (such as the issuer).
* - mbedtls_x509_crt_get_pk(), to obtain a public key context
* for the public key contained in the certificate.
* - mbedtls_x509_crt_get_issuer(), to obtain the issuer name.
* - mbedtls_x509_crt_get_subject(), to obtain the subject name.
* - mbedtls_x509_crt_get_subject_alt_names(), to obtain the
* alternative names from the subject alternative names extension.
* - mbedtls_x509_crt_get_ext_key_usage(), to obtain the state of
* the extended key usage extension.
*
* Uncomment this to enable on-demand CRT parsing to save RAM.
*/
//#define MBEDTLS_X509_ON_DEMAND_PARSING
/**
* \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
*

View File

@ -124,6 +124,12 @@ typedef struct mbedtls_x509_crt
int own_buffer; /**< Indicates if \c raw is owned
* by the structure or not. */
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
mbedtls_x509_crt_cache *cache; /**< Internal parsing cache. */
struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
/* Legacy fields */
#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
@ -166,10 +172,7 @@ typedef struct mbedtls_x509_crt
mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
mbedtls_x509_crt_cache *cache; /**< Internal parsing cache. */
struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
}
mbedtls_x509_crt;
@ -746,7 +749,7 @@ static inline void mbedtls_x509_crt_frame_release(
#endif
}
static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt *crt,
static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt const *crt,
mbedtls_pk_context **pk_ptr )
{
#if defined(MBEDTLS_THREADING_C)
@ -772,7 +775,7 @@ static inline int mbedtls_x509_crt_pk_acquire( mbedtls_x509_crt *crt,
return( 0 );
}
static inline void mbedtls_x509_crt_pk_release( mbedtls_x509_crt *crt,
static inline void mbedtls_x509_crt_pk_release( mbedtls_x509_crt const *crt,
mbedtls_pk_context *pk )
{
((void) pk);

View File

@ -534,6 +534,9 @@ static const char *features[] = {
#if defined(MBEDTLS_VERSION_FEATURES)
"MBEDTLS_VERSION_FEATURES",
#endif /* MBEDTLS_VERSION_FEATURES */
#if defined(MBEDTLS_X509_ON_DEMAND_PARSING)
"MBEDTLS_X509_ON_DEMAND_PARSING",
#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */
#if defined(MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3)
"MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3",
#endif /* MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 */

View File

@ -116,10 +116,19 @@ int mbedtls_x509_crt_cache_provide_pk( mbedtls_x509_crt const *crt )
pk = mbedtls_calloc( 1, sizeof( mbedtls_pk_context ) );
if( pk == NULL )
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
*pk = crt->pk;
cache->pk = pk;
#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
*pk = crt->pk;
return( 0 );
#else
{
mbedtls_x509_buf_raw pk_raw = cache->pk_raw;
return( mbedtls_pk_parse_subpubkey( &pk_raw.p,
pk_raw.p + pk_raw.len,
pk ) );
}
#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */
}
static void x509_crt_cache_init( mbedtls_x509_crt_cache *cache )
@ -133,9 +142,15 @@ static void x509_crt_cache_init( mbedtls_x509_crt_cache *cache )
static void x509_crt_cache_clear_pk( mbedtls_x509_crt_cache *cache )
{
#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
/* The cache holds a shallow copy of the PK context
* in the legacy struct, so don't free PK context. */
mbedtls_free( cache->pk );
#else
mbedtls_pk_free( cache->pk );
mbedtls_free( cache->pk );
#endif /* MBEDTLS_X509_ON_DEMAND_PARSING */
cache->pk = NULL;
}
@ -1182,6 +1197,7 @@ static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame *frame,
return( 0 );
}
#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
static int x509_crt_pk_from_frame( mbedtls_x509_crt_frame *frame,
mbedtls_pk_context *pk )
{
@ -1189,6 +1205,7 @@ static int x509_crt_pk_from_frame( mbedtls_x509_crt_frame *frame,
unsigned char *end = p + frame->pubkey_raw.len;
return( mbedtls_pk_parse_subpubkey( &p, end, pk ) );
}
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
/*
* Parse and fill a single X.509 certificate in DER format
@ -1248,6 +1265,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
cache->pk_raw = frame->pubkey_raw;
#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
/* Copy frame to legacy CRT structure -- that's inefficient, but if
* memory matters, the new CRT structure should be used anyway. */
crt->tbs.p = frame->tbs.p;
@ -1336,7 +1354,7 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
ret = x509_crt_ext_key_usage_from_frame( frame, &crt->ext_key_usage );
if( ret != 0 )
goto exit;
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
/* The cache just references the PK structure from the legacy
* implementation, so set up the latter first before setting up
@ -3330,6 +3348,8 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
{
x509_crt_cache_free( cert_cur->cache );
mbedtls_free( cert_cur->cache );
#if !defined(MBEDTLS_X509_ON_DEMAND_PARSING)
mbedtls_pk_free( &cert_cur->pk );
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
@ -3340,6 +3360,7 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
x509_free_name( cert_cur->subject.next );
x509_free_sequence( cert_cur->ext_key_usage.next );
x509_free_sequence( cert_cur->subject_alt_names.next );
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
if( cert_cur->raw.p != NULL && cert_cur->own_buffer )
{