From b6f5573e0f2d6fc6f80eec895c9910d7ee63166e Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Wed, 3 Apr 2024 18:49:19 +0530 Subject: [PATCH 1/2] feat(mbedtls): add kconfig option for MBEDTLS_ERROR_C Disabling this config can reduce footprint for the cases where mbedtls_strerror() is used and hence the debug strings are getting pulled into the application image. --- components/mbedtls/Kconfig | 32 ++++++++++++------- .../mbedtls/port/include/mbedtls/esp_config.h | 14 +++++--- 2 files changed, 29 insertions(+), 17 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 3194415a78c..6ecd720e0ac 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -123,7 +123,7 @@ menu "mbedTLS" The option will decrease heap cost when handshake, but also lead to problem: - Becasue all certificate, private key and DHM data are freed so users should register + Because all certificate, private key and DHM data are freed so users should register certificate and private key to ssl config object again. config MBEDTLS_DYNAMIC_FREE_CA_CERT @@ -425,6 +425,17 @@ menu "mbedTLS" These operations are used by RSA. + config MBEDTLS_LARGE_KEY_SOFTWARE_MPI + bool "Fallback to software implementation for larger MPI values" + depends on MBEDTLS_HARDWARE_MPI + default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits + default n + help + Fallback to software implementation for RSA key lengths + larger than SOC_RSA_MAX_BIT_LEN. If this is not active + then the ESP will be unable to process keys greater + than SOC_RSA_MAX_BIT_LEN. + config MBEDTLS_MPI_USE_INTERRUPT bool "Use interrupt for MPI exp-mod operations" depends on !IDF_TARGET_ESP32 && MBEDTLS_HARDWARE_MPI @@ -865,13 +876,13 @@ menu "mbedTLS" bool "X.509 CRL parsing" default y help - Support for parsing X.509 Certifificate Revocation Lists. + Support for parsing X.509 Certificate Revocation Lists. config MBEDTLS_X509_CSR_PARSE_C bool "X.509 CSR parsing" default y help - Support for parsing X.509 Certifificate Signing Requests + Support for parsing X.509 Certificate Signing Requests endmenu # Certificates @@ -1062,16 +1073,13 @@ menu "mbedTLS" help Enable the pthread wrapper layer for the threading layer. - config MBEDTLS_LARGE_KEY_SOFTWARE_MPI - bool "Fallback to software implementation for larger MPI values" - depends on MBEDTLS_HARDWARE_MPI - default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits - default n + config MBEDTLS_ERROR_STRINGS + bool "Enable error code to error string conversion" + default y help - Fallback to software implementation for RSA key lengths - larger than SOC_RSA_MAX_BIT_LEN. If this is not active - then the ESP will be unable to process keys greater - than SOC_RSA_MAX_BIT_LEN. + Enables mbedtls_strerror() for converting error codes to error strings. + Disabling this config can save some code/rodata size as the error + string conversion implementation is replaced with an empty stub. config MBEDTLS_USE_CRYPTO_ROM_IMPL bool "Use ROM implementation of the crypto algorithm" diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 9aebf99e299..beb0feed07e 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -71,7 +71,7 @@ * \def MBEDTLS_HAVE_TIME_DATE * * System has time.h and time(), gmtime() and the clock is correct. - * The time needs to be correct (not necesarily very accurate, but at least + * The time needs to be correct (not necessarily very accurate, but at least * the date should be correct). This is used to verify the validity period of * X.509 certificates. * @@ -986,7 +986,7 @@ * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load(). * * This pair of functions allows one side of a connection to serialize the - * context associated with the connection, then free or re-use that context + * context associated with the connection, then free or reuse that context * while the serialized state is persisted elsewhere, and finally deserialize * that state to a live context for resuming read/write operations on the * connection. From a protocol perspective, the state of the connection is @@ -1484,7 +1484,7 @@ * \def MBEDTLS_SSL_SESSION_TICKETS * * Enable support for RFC 5077 session tickets in SSL. - * Client-side, provides full support for session tickets (maintainance of a + * Client-side, provides full support for session tickets (maintenance of a * session store remains the responsibility of the application, though). * Server-side, you also need to provide callbacks for writing and parsing * tickets, including authenticated encryption and key management. Example @@ -2066,7 +2066,11 @@ * * This module enables mbedtls_strerror(). */ +#if CONFIG_MBEDTLS_ERROR_STRINGS #define MBEDTLS_ERROR_C +#else +#undef MBEDTLS_ERROR_C +#endif /** * \def MBEDTLS_GCM_C @@ -2116,7 +2120,7 @@ * * Requires: MBEDTLS_MD_C * - * Uncomment to enable the HMAC_DRBG random number geerator. + * Uncomment to enable the HMAC_DRBG random number generator. */ #define MBEDTLS_HMAC_DRBG_C @@ -2808,7 +2812,7 @@ /* SSL options */ #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN -#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */ #else From 4893ae3c111f8cddb86369714ec87ff2fa33e1bd Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Thu, 4 Apr 2024 09:23:05 +0530 Subject: [PATCH 2/2] docs: add note about newly added mbedtls config to reduce app size footprint --- docs/en/api-guides/performance/size.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/en/api-guides/performance/size.rst b/docs/en/api-guides/performance/size.rst index d14ec93d1eb..da37705e0c7 100644 --- a/docs/en/api-guides/performance/size.rst +++ b/docs/en/api-guides/performance/size.rst @@ -507,6 +507,7 @@ These include: - :ref:`CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM` - Change :ref:`CONFIG_MBEDTLS_TLS_MODE` if both server & client functionalities are not needed - Consider disabling some cipher suites listed in the ``TLS Key Exchange Methods`` sub-menu (i.e., :ref:`CONFIG_MBEDTLS_KEY_EXCHANGE_RSA`) +- Consider disabling :ref:`CONFIG_MBEDTLS_ERROR_STRINGS` if the application is pulling in mbedTLS error strings because of :cpp:func:`mbedtls_strerror` usage The help text for each option has some more information for reference.