Move the new config optimization defines to be optional

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>

configs/baremetal.h

@@ -160,6 +160,10 @@
 /* Fault Injection Countermeasures */
 #define MBEDTLS_FI_COUNTERMEASURES
 #define MBEDTLS_CCM_SHUFFLING_MASKING
+/* Further optimizations */
+#define MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+#define MBEDTLS_IMMEDIATE_TRANSMISSION
+#define MBEDTLS_EARLY_KEY_COMPUTATION
 
 #if defined(MBEDTLS_USER_CONFIG_FILE)
 #include MBEDTLS_USER_CONFIG_FILE

include/mbedtls/config.h

@@ -43,8 +43,8 @@
 /**
  * \def MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION
  *
- * Enable the delayed verification of server 
+ * Enable the delayed verification of server
- * certificates on the client side. 
+ * certificates on the client side.
  *
  */
 #define MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION
@@ -1612,7 +1612,7 @@
  * but not afterwards.
  *
  */
-#define MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+//#define MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
 
 
 /**
@@ -1622,7 +1622,7 @@
  *
  * Requires: MBEDTLS_SSL_PROTO_DTLS
  */
-#define MBEDTLS_IMMEDIATE_TRANSMISSION
+//#define MBEDTLS_IMMEDIATE_TRANSMISSION
 
 /**
  * \def MBEDTLS_EARLY_KEY_COMPUTATION
@@ -1630,9 +1630,9 @@
  * Create ephemeral Diffie-Hellman key pair after
  * the ClientHello has been successfully transmitted.
  *
- * Requires: 
+ * Requires:
  */
-#define MBEDTLS_EARLY_KEY_COMPUTATION
+//#define MBEDTLS_EARLY_KEY_COMPUTATION
 
 /**
  * \def MBEDTLS_SSL_HW_RECORD_ACCEL

library/ssl_tls.c

@@ -7989,7 +7989,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) && defined(MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION)
 /* ssl_parse_delayed_certificate_verify() defines a wrapper around ssl_parse_certificate_verify
- * to call it in ssl_cli.c rather than purely internal to ssl_tls.c. 
+ * to call it in ssl_cli.c rather than purely internal to ssl_tls.c.
  */
 int ssl_parse_delayed_certificate_verify( mbedtls_ssl_context *ssl,
                                          int authmode,
@@ -8003,7 +8003,7 @@ int ssl_parse_delayed_certificate_verify( mbedtls_ssl_context *ssl,
                                           rs_ctx ) );
 
 }
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED && MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED && MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */
 
 
 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)

scripts/config.pl

@@ -61,6 +61,10 @@
 #   MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY
 #   MBEDTLS_OPTIMIZE_TINYCRYPT_ASM
 #   MBEDTLS_AES_128_BIT_MASKED
+#   MBEDTLS_PLATFORM_FAULT_CALLBACKS
+#   MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+#   MBEDTLS_IMMEDIATE_TRANSMISSION
+#   MBEDTLS_EARLY_KEY_COMPUTATION
 #   and any symbol beginning _ALT
 #
 # The baremetal configuration excludes options that require a library or
@@ -149,6 +153,9 @@ MBEDTLS_VALIDATE_SSL_KEYS_INTEGRITY
 MBEDTLS_OPTIMIZE_TINYCRYPT_ASM
 MBEDTLS_AES_128_BIT_MASKED
 MBEDTLS_PLATFORM_FAULT_CALLBACKS
+MBEDTLS_SSL_FREE_SERVER_CERTIFICATE
+MBEDTLS_IMMEDIATE_TRANSMISSION
+MBEDTLS_EARLY_KEY_COMPUTATION
 _ALT\s*$
 );