Change data structure of profiles to bitfields

- allows to express 'none' or 'all' more easily than lists - more compact and easier to declare statically - easier to check too Only drawback: if we ever have more than 32 curves, we'll need an ABI change to make that field a uint64_t.
2015-06-15 15:33:19 +02:00 · 2015-06-15 15:33:19 +02:00 · f8ea856296
commit f8ea856296
parent 88db5da117
2 changed files with 50 additions and 99 deletions
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@ -94,18 +94,23 @@ typedef struct mbedtls_x509_crt
 }
 mbedtls_x509_crt;

+/**
+ * Build flag from an algorithm/curve identifier (pk, md, ecp)
+ * Since 0 is always XXX_NONE, ignore it.
+ */
+#define MBEDTLS_X509_ID_FLAG( id )   ( 1 << ( id - 1 ) )
+
 /**
 * Security profile for certificate verification.
 *
- * All lists are terminated by the respective _NONE value.
+ * All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
 */
 typedef struct
 {
-    const mbedtls_md_type_t *allowed_mds;   /**< MDs for signatures         */
-    const mbedtls_pk_type_t *allowed_pks;   /**< PK algs for signatures     */
-    const mbedtls_ecp_group_id *allowed_curves; /**< Elliptic curves        */
-    size_t rsa_min_bitlen;                  /**< Minimum size for RSA keys
-                                                 (must be non-zero)         */
+    uint32_t allowed_mds;       /**< MDs for signatures         */
+    uint32_t allowed_pks;       /**< PK algs for signatures     */
+    uint32_t allowed_curves;    /**< Elliptic curves for ECDSA  */
+    uint32_t rsa_min_bitlen;    /**< Minimum size for RSA keys  */
 }
 mbedtls_x509_crt_profile;