net: sockets: tls: Support for DER cert chain and NOCOPY optimisation

Add the TLS socket option "TLS_CERT_NOCOPY" to avoid copying
certificates to the mbedTLS heap where possible.

Add support to provide a chain of DER certificates by registering
them with multiple tags.

Signed-off-by: Lucas Dietrich <ld.adecy@gmail.com>
Lucas Dietrich 2021-11-19 09:46:22 +01:00 committed by Anas Nashif
commit 4e103bcb20
2 changed files with 118 additions and 29 deletions


@ -139,6 +139,12 @@ struct zsock_pollfd {
#define TLS_DTLS_HANDSHAKE_TIMEOUT_MIN 8
#define TLS_DTLS_HANDSHAKE_TIMEOUT_MAX 9
/** Socket option for preventing certificates from being copied to the mbedTLS
* heap if possible. The option is only effective for DER certificates and is
* ignored for PEM certificates.
*/
#define TLS_CERT_NOCOPY 10
/** @} */
/* Valid values for TLS_PEER_VERIFY option */
@ -150,6 +156,10 @@ struct zsock_pollfd {
#define TLS_DTLS_ROLE_CLIENT 0 /**< Client role in a DTLS session. */
#define TLS_DTLS_ROLE_SERVER 1 /**< Server role in a DTLS session. */
/* Valid values for TLS_CERT_NOCOPY option */
#define TLS_CERT_NOCOPY_NONE 0 /**< Cert duplicated in heap */
#define TLS_CERT_NOCOPY_OPTIONAL 1 /**< Cert not copied in heap if DER */
struct zsock_addrinfo {
struct zsock_addrinfo *ai_next;
int ai_flags;
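Review bot: The doc comment for TLS_CERT_NOCOPY (first hunk, above `#define TLS_CERT_NOCOPY 10`) does not state the lifetime requirement the option imposes on the credential buffer, and that is the one thing a caller of a "no copy" option must know. If the option is implemented by having the TLS context reference the registered DER buffer directly (presumably via mbedtls_x509_crt_parse_der_nocopy, in the sockets_tls.c part of this commit that is outside this view), then freeing, reusing or modifying that buffer after the socket is created leaves the context reading stale or attacker-controlled memory during verification. I would add to the comment: ` * When the option takes effect, the TLS context references the registered credential buffer directly: that buffer must remain valid and unmodified for the lifetime of every socket using it.` The value comments for TLS_CERT_NOCOPY_OPTIONAL in the second hunk should carry the same caveat, e.g. `/**< Cert referenced in place if DER; buffer must outlive the socket */`.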