diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index d6ddca49cf..67cf8cc483 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -123,7 +123,7 @@ menu "mbedTLS" The option will decrease heap cost when handshake, but also lead to problem: - Becasue all certificate, private key and DHM data are freed so users should register + Because all certificate, private key and DHM data are freed so users should register certificate and private key to ssl config object again. config MBEDTLS_DYNAMIC_FREE_CA_CERT @@ -463,6 +463,17 @@ menu "mbedTLS" These operations are used by RSA. + config MBEDTLS_LARGE_KEY_SOFTWARE_MPI + bool "Fallback to software implementation for larger MPI values" + depends on MBEDTLS_HARDWARE_MPI + default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits + default n + help + Fallback to software implementation for RSA key lengths + larger than SOC_RSA_MAX_BIT_LEN. If this is not active + then the ESP will be unable to process keys greater + than SOC_RSA_MAX_BIT_LEN. + config MBEDTLS_MPI_USE_INTERRUPT bool "Use interrupt for MPI exp-mod operations" depends on !IDF_TARGET_ESP32 && MBEDTLS_HARDWARE_MPI @@ -903,13 +914,13 @@ menu "mbedTLS" bool "X.509 CRL parsing" default y help - Support for parsing X.509 Certifificate Revocation Lists. + Support for parsing X.509 Certificate Revocation Lists. config MBEDTLS_X509_CSR_PARSE_C bool "X.509 CSR parsing" default y help - Support for parsing X.509 Certifificate Signing Requests + Support for parsing X.509 Certificate Signing Requests endmenu # Certificates @@ -1100,16 +1111,13 @@ menu "mbedTLS" help Enable the pthread wrapper layer for the threading layer. - config MBEDTLS_LARGE_KEY_SOFTWARE_MPI - bool "Fallback to software implementation for larger MPI values" - depends on MBEDTLS_HARDWARE_MPI - default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits - default n + config MBEDTLS_ERROR_STRINGS + bool "Enable error code to error string conversion" + default y help - Fallback to software implementation for RSA key lengths - larger than SOC_RSA_MAX_BIT_LEN. If this is not active - then the ESP will be unable to process keys greater - than SOC_RSA_MAX_BIT_LEN. + Enables mbedtls_strerror() for converting error codes to error strings. + Disabling this config can save some code/rodata size as the error + string conversion implementation is replaced with an empty stub. config MBEDTLS_USE_CRYPTO_ROM_IMPL bool "Use ROM implementation of the crypto algorithm" diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 33a097b2b3..376b636d92 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -71,7 +71,7 @@ * \def MBEDTLS_HAVE_TIME_DATE * * System has time.h and time(), gmtime() and the clock is correct. - * The time needs to be correct (not necesarily very accurate, but at least + * The time needs to be correct (not necessarily very accurate, but at least * the date should be correct). This is used to verify the validity period of * X.509 certificates. * @@ -996,7 +996,7 @@ * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). * * This pair of functions allows one side of a connection to serialize the - * context associated with the connection, then free or re-use that context + * context associated with the connection, then free or reuse that context * while the serialized state is persisted elsewhere, and finally deserialize * that state to a live context for resuming read/write operations on the * connection. From a protocol perspective, the state of the connection is @@ -1494,7 +1494,7 @@ * \def MBEDTLS_SSL_SESSION_TICKETS * * Enable support for RFC 5077 session tickets in SSL. - * Client-side, provides full support for session tickets (maintainance of a + * Client-side, provides full support for session tickets (maintenance of a * session store remains the responsibility of the application, though). * Server-side, you also need to provide callbacks for writing and parsing * tickets, including authenticated encryption and key management. Example @@ -2076,7 +2076,11 @@ * * This module enables mbedtls_strerror(). */ +#if CONFIG_MBEDTLS_ERROR_STRINGS #define MBEDTLS_ERROR_C +#else +#undef MBEDTLS_ERROR_C +#endif /** * \def MBEDTLS_GCM_C @@ -2126,7 +2130,7 @@ * * Requires: MBEDTLS_MD_C * - * Uncomment to enable the HMAC_DRBG random number geerator. + * Uncomment to enable the HMAC_DRBG random number generator. */ #define MBEDTLS_HMAC_DRBG_C @@ -2818,7 +2822,7 @@ /* SSL options */ #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN -#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */ #else diff --git a/docs/en/api-guides/performance/size.rst b/docs/en/api-guides/performance/size.rst index c545eb5f50..c48eb3309f 100644 --- a/docs/en/api-guides/performance/size.rst +++ b/docs/en/api-guides/performance/size.rst @@ -507,6 +507,7 @@ These include: - :ref:`CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM` - Change :ref:`CONFIG_MBEDTLS_TLS_MODE` if both server & client functionalities are not needed - Consider disabling some cipher suites listed in the ``TLS Key Exchange Methods`` sub-menu (i.e., :ref:`CONFIG_MBEDTLS_KEY_EXCHANGE_RSA`) +- Consider disabling :ref:`CONFIG_MBEDTLS_ERROR_STRINGS` if the application is pulling in mbedTLS error strings because of :cpp:func:`mbedtls_strerror` usage The help text for each option has some more information for reference.