From 7b6622b5b6665257193288c28191c7ad59f1a3eb Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Wed, 3 Apr 2024 18:49:19 +0530 Subject: [PATCH] feat(mbedtls): add kconfig option for MBEDTLS_ERROR_C Disabling this config can reduce footprint for the cases where mbedtls_strerror() is used and hence the debug strings are getting pulled into the application image. --- components/mbedtls/Kconfig | 32 ++++++++++++------- .../mbedtls/port/include/mbedtls/esp_config.h | 14 +++++--- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 4236afa867..a50c6a1441 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -123,7 +123,7 @@ menu "mbedTLS" The option will decrease heap cost when handshake, but also lead to problem: - Becasue all certificate, private key and DHM data are freed so users should register + Because all certificate, private key and DHM data are freed so users should register certificate and private key to ssl config object again. config MBEDTLS_DYNAMIC_FREE_CA_CERT @@ -437,6 +437,17 @@ menu "mbedTLS" These operations are used by RSA. + config MBEDTLS_LARGE_KEY_SOFTWARE_MPI + bool "Fallback to software implementation for larger MPI values" + depends on MBEDTLS_HARDWARE_MPI + default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits + default n + help + Fallback to software implementation for RSA key lengths + larger than SOC_RSA_MAX_BIT_LEN. If this is not active + then the ESP will be unable to process keys greater + than SOC_RSA_MAX_BIT_LEN. + config MBEDTLS_MPI_USE_INTERRUPT bool "Use interrupt for MPI exp-mod operations" depends on !IDF_TARGET_ESP32 && MBEDTLS_HARDWARE_MPI @@ -866,13 +877,13 @@ menu "mbedTLS" bool "X.509 CRL parsing" default y help - Support for parsing X.509 Certifificate Revocation Lists. + Support for parsing X.509 Certificate Revocation Lists. config MBEDTLS_X509_CSR_PARSE_C bool "X.509 CSR parsing" default y help - Support for parsing X.509 Certifificate Signing Requests + Support for parsing X.509 Certificate Signing Requests endmenu # Certificates @@ -1063,16 +1074,13 @@ menu "mbedTLS" help Enable the pthread wrapper layer for the threading layer. - config MBEDTLS_LARGE_KEY_SOFTWARE_MPI - bool "Fallback to software implementation for larger MPI values" - depends on MBEDTLS_HARDWARE_MPI - default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits - default n + config MBEDTLS_ERROR_STRINGS + bool "Enable error code to error string conversion" + default y help - Fallback to software implementation for RSA key lengths - larger than SOC_RSA_MAX_BIT_LEN. If this is not active - then the ESP will be unable to process keys greater - than SOC_RSA_MAX_BIT_LEN. + Enables mbedtls_strerror() for converting error codes to error strings. + Disabling this config can save some code/rodata size as the error + string conversion implementation is replaced with an empty stub. config MBEDTLS_USE_CRYPTO_ROM_IMPL bool "Use ROM implementation of the crypto algorithm" diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 1b7c7e7119..5e7717a3a5 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -71,7 +71,7 @@ * \def MBEDTLS_HAVE_TIME_DATE * * System has time.h and time(), gmtime() and the clock is correct. - * The time needs to be correct (not necesarily very accurate, but at least + * The time needs to be correct (not necessarily very accurate, but at least * the date should be correct). This is used to verify the validity period of * X.509 certificates. * @@ -992,7 +992,7 @@ * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). * * This pair of functions allows one side of a connection to serialize the - * context associated with the connection, then free or re-use that context + * context associated with the connection, then free or reuse that context * while the serialized state is persisted elsewhere, and finally deserialize * that state to a live context for resuming read/write operations on the * connection. From a protocol perspective, the state of the connection is @@ -1490,7 +1490,7 @@ * \def MBEDTLS_SSL_SESSION_TICKETS * * Enable support for RFC 5077 session tickets in SSL. - * Client-side, provides full support for session tickets (maintainance of a + * Client-side, provides full support for session tickets (maintenance of a * session store remains the responsibility of the application, though). * Server-side, you also need to provide callbacks for writing and parsing * tickets, including authenticated encryption and key management. Example @@ -2072,7 +2072,11 @@ * * This module enables mbedtls_strerror(). */ +#if CONFIG_MBEDTLS_ERROR_STRINGS #define MBEDTLS_ERROR_C +#else +#undef MBEDTLS_ERROR_C +#endif /** * \def MBEDTLS_GCM_C @@ -2122,7 +2126,7 @@ * * Requires: MBEDTLS_MD_C * - * Uncomment to enable the HMAC_DRBG random number geerator. + * Uncomment to enable the HMAC_DRBG random number generator. */ #define MBEDTLS_HMAC_DRBG_C @@ -2814,7 +2818,7 @@ /* SSL options */ #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN -#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */ #else