Allow compile-time configuration of authentication mode
Introduces MBEDTLS_SSL_CONF_AUTHMODE to fix the authentication
mode (none, optional, mandatory) at compile-time.
Impact on code-size:
| | GCC | ARMC5 | ARMC6 |
| --- | --- | --- | --- |
| `libmbedtls.a` before | 23487 | 24025 | 27885 |
| `libmbedtls.a` after | 23379 | 23929 | 27727 |
| gain in Bytes | 108 | 96 | 157 |
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index ecde1b0..9cc8be7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2848,7 +2848,7 @@
authmode = ssl->handshake->sni_authmode;
else
#endif
- authmode = ssl->conf->authmode;
+ authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ||
authmode == MBEDTLS_SSL_VERIFY_NONE )
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index a79ce8d..0c05b50 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6664,9 +6664,9 @@
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
? ssl->handshake->sni_authmode
- : ssl->conf->authmode;
+ : mbedtls_ssl_conf_get_authmode( ssl->conf );
#else
- const int authmode = ssl->conf->authmode;
+ const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
#endif
void *rs_ctx = NULL;
mbedtls_x509_crt *chain = NULL;
@@ -8095,7 +8095,12 @@
void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
{
- conf->authmode = authmode;
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
+ conf->authmode = authmode;
+#else
+ ((void) conf);
+ ((void) authmode);
+#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -10713,7 +10718,9 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( endpoint == MBEDTLS_SSL_IS_CLIENT )
{
+#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
+#endif /* !MBEDTLS_SSL_CONF_AUTHMODE */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
#endif