feat(mbedtls): add kconfig option for MBEDTLS_ERROR_C

Disabling this config can reduce footprint for the cases where mbedtls_strerror() is used and hence the debug strings are getting pulled into the application image.
2024-10-05 20:47:46 -04:00 · 2024-04-03 18:49:19 +05:30 · 2024-04-03 18:49:19 +05:30 · 64fd14e787
commit 64fd14e787
parent 2bfef64fc6
2 changed files with 29 additions and 17 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -123,7 +123,7 @@ menu "mbedTLS"

            The option will decrease heap cost when handshake, but also lead to problem:

-            Becasue all certificate, private key and DHM data are freed so users should register
+            Because all certificate, private key and DHM data are freed so users should register
            certificate and private key to ssl config object again.

    config MBEDTLS_DYNAMIC_FREE_CA_CERT
@ -463,6 +463,17 @@ menu "mbedTLS"

            These operations are used by RSA.

+    config MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+        bool "Fallback to software implementation for larger MPI values"
+        depends on MBEDTLS_HARDWARE_MPI
+        default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits
+        default n
+        help
+            Fallback to software implementation for RSA key lengths
+            larger than SOC_RSA_MAX_BIT_LEN. If this is not active
+            then the ESP will be unable to process keys greater
+            than SOC_RSA_MAX_BIT_LEN.
+
    config MBEDTLS_MPI_USE_INTERRUPT
        bool "Use interrupt for MPI exp-mod operations"
        depends on !IDF_TARGET_ESP32 && MBEDTLS_HARDWARE_MPI
@ -903,13 +914,13 @@ menu "mbedTLS"
            bool "X.509 CRL parsing"
            default y
            help
-                Support for parsing X.509 Certifificate Revocation Lists.
+                Support for parsing X.509 Certificate Revocation Lists.

        config MBEDTLS_X509_CSR_PARSE_C
            bool "X.509 CSR parsing"
            default y
            help
-                Support for parsing X.509 Certifificate Signing Requests
+                Support for parsing X.509 Certificate Signing Requests

    endmenu # Certificates

@ -1100,16 +1111,13 @@ menu "mbedTLS"
        help
            Enable the pthread wrapper layer for the threading layer.

-    config MBEDTLS_LARGE_KEY_SOFTWARE_MPI
-        bool "Fallback to software implementation for larger MPI values"
-        depends on MBEDTLS_HARDWARE_MPI
-        default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits
-        default n
+    config MBEDTLS_ERROR_STRINGS
+        bool "Enable error code to error string conversion"
+        default y
        help
-            Fallback to software implementation for RSA key lengths
-            larger than SOC_RSA_MAX_BIT_LEN. If this is not active
-            then the ESP will be unable to process keys greater
-            than SOC_RSA_MAX_BIT_LEN.
+            Enables mbedtls_strerror() for converting error codes to error strings.
+            Disabling this config can save some code/rodata size as the error
+            string conversion implementation is replaced with an empty stub.

    config MBEDTLS_USE_CRYPTO_ROM_IMPL
        bool "Use ROM implementation of the crypto algorithm"
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -71,7 +71,7 @@
 * \def MBEDTLS_HAVE_TIME_DATE
 *
 * System has time.h and time(), gmtime() and the clock is correct.
- * The time needs to be correct (not necesarily very accurate, but at least
+ * The time needs to be correct (not necessarily very accurate, but at least
 * the date should be correct). This is used to verify the validity period of
 * X.509 certificates.
 *
@ -996,7 +996,7 @@
 * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
 *
 * This pair of functions allows one side of a connection to serialize the
- * context associated with the connection, then free or re-use that context
+ * context associated with the connection, then free or reuse that context
 * while the serialized state is persisted elsewhere, and finally deserialize
 * that state to a live context for resuming read/write operations on the
 * connection. From a protocol perspective, the state of the connection is
@ -1494,7 +1494,7 @@
 * \def MBEDTLS_SSL_SESSION_TICKETS
 *
 * Enable support for RFC 5077 session tickets in SSL.
- * Client-side, provides full support for session tickets (maintainance of a
+ * Client-side, provides full support for session tickets (maintenance of a
 * session store remains the responsibility of the application, though).
 * Server-side, you also need to provide callbacks for writing and parsing
 * tickets, including authenticated encryption and key management. Example
@ -2076,7 +2076,11 @@
 *
 * This module enables mbedtls_strerror().
 */
+#if CONFIG_MBEDTLS_ERROR_STRINGS
 #define MBEDTLS_ERROR_C
+#else
+#undef MBEDTLS_ERROR_C
+#endif

 /**
 * \def MBEDTLS_GCM_C
@ -2126,7 +2130,7 @@
 *
 * Requires: MBEDTLS_MD_C
 *
- * Uncomment to enable the HMAC_DRBG random number geerator.
+ * Uncomment to enable the HMAC_DRBG random number generator.
 */
 #define MBEDTLS_HMAC_DRBG_C

@ -2818,7 +2822,7 @@
 /* SSL options */
 #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN

-#define MBEDTLS_SSL_MAX_CONTENT_LEN             CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+#define MBEDTLS_SSL_MAX_CONTENT_LEN             CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */

 #else