From d2549d425fecd17d9a1b8f82d5fa14036c5f5fcd Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Thu, 10 Oct 2024 12:34:32 +0530 Subject: [PATCH] feat(mbedtls/esp_crt_bundle): Move dummy cert to .rodata to save 408B from dram Co-authored-by: Hanno --- components/mbedtls/CMakeLists.txt | 8 +++++++- .../mbedtls/esp_crt_bundle/esp_crt_bundle.c | 13 ++++++++----- .../esp_crt_bundle/include/esp_crt_bundle.h | 15 ++++++++++++--- .../port/dynamic/esp_mbedtls_dynamic_impl.c | 18 +++++++++++++++++- .../port/dynamic/esp_mbedtls_dynamic_impl.h | 1 + 5 files changed, 45 insertions(+), 10 deletions(-) diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt index 65721344db..3187a50e95 100644 --- a/components/mbedtls/CMakeLists.txt +++ b/components/mbedtls/CMakeLists.txt @@ -88,7 +88,13 @@ idf_build_get_property(python PYTHON) set(Python3_EXECUTABLE ${python}) # Needed to for include_next includes to work from within mbedtls -include_directories("${COMPONENT_DIR}/port/include") +set(include_dirs "${COMPONENT_DIR}/port/include") + +if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE) + list(APPEND include_dirs "${COMPONENT_DIR}/esp_crt_bundle/include") +endif() + +include_directories(${include_dirs}) # Needed to for mbedtls_rom includes to work from within mbedtls if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) diff --git a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c index b0b144c294..cd08982402 100644 --- a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c +++ b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2018-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -15,8 +15,7 @@ static const char *TAG = "esp-x509-crt-bundle"; /* a dummy certificate so that * cacert_ptr passes non-NULL check during handshake */ -static mbedtls_x509_crt s_dummy_crt; - +static const mbedtls_x509_crt s_dummy_crt; extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start"); extern const uint8_t x509_crt_imported_bundle_bin_end[] asm("_binary_x509_crt_bundle_end"); @@ -218,8 +217,7 @@ esp_err_t esp_crt_bundle_attach(void *conf) * cacert_ptr passes non-NULL check during handshake */ mbedtls_ssl_config *ssl_conf = (mbedtls_ssl_config *)conf; - mbedtls_x509_crt_init(&s_dummy_crt); - mbedtls_ssl_conf_ca_chain(ssl_conf, &s_dummy_crt, NULL); + mbedtls_ssl_conf_ca_chain(ssl_conf, (mbedtls_x509_crt*)&s_dummy_crt, NULL); mbedtls_ssl_conf_verify(ssl_conf, esp_crt_verify_callback, NULL); } @@ -239,3 +237,8 @@ esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size) { return esp_crt_bundle_init(x509_bundle, bundle_size); } + +bool esp_crt_bundle_in_use(const mbedtls_x509_crt* ca_chain) +{ + return ((ca_chain == &s_dummy_crt) ? true : false); +} diff --git a/components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h b/components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h index 49069185b3..61c09f0bd0 100644 --- a/components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h +++ b/components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -27,7 +27,7 @@ extern "C" { * * @return * - ESP_OK if adding certificates was successful. - * - Other if an error occured or an action must be taken by the calling process. + * - Other if an error occurred or an action must be taken by the calling process. */ esp_err_t esp_crt_bundle_attach(void *conf); @@ -55,10 +55,19 @@ void esp_crt_bundle_detach(mbedtls_ssl_config *conf); * * @return * - ESP_OK if adding certificates was successful. - * - Other if an error occured or an action must be taken by the calling process. + * - Other if an error occurred or an action must be taken by the calling process. */ esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size); +/** + * @brief Check if the given CA certificate chain is the default "dummy" + * certificate chain attached by the esp_crt_bundle + * + * @param ca_chain A pointer to the CA chain. + * @return true if the ca_chain is the dummy CA chain attached by esp_crt_bundle + * @return false otherwise + */ +bool esp_crt_bundle_in_use(const mbedtls_x509_crt* ca_chain); #ifdef __cplusplus } diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c index a44723d33c..71b3db7b08 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c @@ -1,11 +1,16 @@ /* - * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ #include #include "esp_mbedtls_dynamic_impl.h" +#include "sdkconfig.h" + +#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE +#include "esp_crt_bundle.h" +#endif #define COUNTER_SIZE (8) #define CACHE_IV_SIZE (16) @@ -529,7 +534,18 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) { mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf); +#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE + /* In case of mbedtls certificate bundle, we attach a "static const" + * dummy cert, thus we need to avoid the write operations (memset()) + * performed by `mbedtls_x509_crt_free()` + */ + if (!esp_crt_bundle_in_use(conf->MBEDTLS_PRIVATE(ca_chain))) { + mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain)); + } +#else mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain)); +#endif + conf->MBEDTLS_PRIVATE(ca_chain) = NULL; } } diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h index 6adda7bb84..4b3a1300ac 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h @@ -20,6 +20,7 @@ which are undefined if the following flag is not defined */ #include "ssl_misc.h" // located at mbedtls/library/ssl_misc.h #include "mbedtls/platform.h" #include "esp_log.h" +#include "sdkconfig.h" #define TRACE_CHECK(_fn, _state) \ ({ \