blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-03-10 01:29:21 -04:00
Code Issues Projects Releases Wiki Activity

feat(mbedtls/esp_crt_bundle): Move dummy cert to .rodata to save 408B from dram

Browse Source 
Co-authored-by: Hanno <h.binder@web.de>
This commit is contained in:
harshal.patil 2024-10-10 12:34:32 +05:30
parent 4db9c8779f
commit 3957e59f1a
No known key found for this signature in database
GPG Key ID: 5B5EC97C35B9A2E5
5 changed files with 43 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
components/mbedtls/CMakeLists.txt
View File

@ -96,7 +96,13 @@ idf_build_get_property(python PYTHON)
set(Python3_EXECUTABLE ${python}) set(Python3_EXECUTABLE ${python})
# Needed to for include_next includes to work from within mbedtls # Needed to for include_next includes to work from within mbedtls
include_directories("${COMPONENT_DIR}/port/include") set(include_dirs "${COMPONENT_DIR}/port/include")
if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
list(APPEND include_dirs "${COMPONENT_DIR}/esp_crt_bundle/include")
endif()
include_directories(${include_dirs})
# Needed to for mbedtls_rom includes to work from within mbedtls # Needed to for mbedtls_rom includes to work from within mbedtls
if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)

7
components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
View File

@ -54,7 +54,7 @@ static const char *TAG = "esp-x509-crt-bundle";
/* a dummy certificate so that /* a dummy certificate so that
* cacert_ptr passes non-NULL check during handshake */ * cacert_ptr passes non-NULL check during handshake */
static mbedtls_x509_crt s_dummy_crt; static const mbedtls_x509_crt s_dummy_crt;
extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start"); extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start");
extern const uint8_t x509_crt_imported_bundle_bin_end[] asm("_binary_x509_crt_bundle_end"); extern const uint8_t x509_crt_imported_bundle_bin_end[] asm("_binary_x509_crt_bundle_end");
@ -368,3 +368,8 @@ esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size)
{ {
return esp_crt_bundle_init(x509_bundle, bundle_size); return esp_crt_bundle_init(x509_bundle, bundle_size);
} }
bool esp_crt_bundle_in_use(const mbedtls_x509_crt* ca_chain)
{
return ((ca_chain == &s_dummy_crt) ? true : false);
}

15
components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h
View File

@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@ -27,7 +27,7 @@ extern "C" {
* *
* @return * @return
* - ESP_OK if adding certificates was successful. * - ESP_OK if adding certificates was successful.
* - Other if an error occured or an action must be taken by the calling process. * - Other if an error occurred or an action must be taken by the calling process.
*/ */
esp_err_t esp_crt_bundle_attach(void *conf); esp_err_t esp_crt_bundle_attach(void *conf);
@ -55,10 +55,19 @@ void esp_crt_bundle_detach(mbedtls_ssl_config *conf);
* *
* @return * @return
* - ESP_OK if adding certificates was successful. * - ESP_OK if adding certificates was successful.
* - Other if an error occured or an action must be taken by the calling process. * - Other if an error occurred or an action must be taken by the calling process.
*/ */
esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size); esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size);
/**
* @brief Check if the given CA certificate chain is the default "dummy"
* certificate chain attached by the esp_crt_bundle
*
* @param ca_chain A pointer to the CA chain.
* @return true if the ca_chain is the dummy CA chain attached by esp_crt_bundle
* @return false otherwise
*/
bool esp_crt_bundle_in_use(const mbedtls_x509_crt* ca_chain);
#ifdef __cplusplus #ifdef __cplusplus
} }

18
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
View File

@ -1,11 +1,16 @@
/* /*
* SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
#include <string.h> #include <string.h>
#include "esp_mbedtls_dynamic_impl.h" #include "esp_mbedtls_dynamic_impl.h"
#include "sdkconfig.h"
#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
#include "esp_crt_bundle.h"
#endif
#define COUNTER_SIZE (8) #define COUNTER_SIZE (8)
#define CACHE_IV_SIZE (16) #define CACHE_IV_SIZE (16)
@ -532,7 +537,18 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) { if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl); mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
/* In case of mbedtls certificate bundle, we attach a "static const"
* dummy cert, thus we need to avoid the write operations (memset())
* performed by `mbedtls_x509_crt_free()`
*/
if (!esp_crt_bundle_in_use(conf->MBEDTLS_PRIVATE(ca_chain))) {
mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain)); mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
}
#else
mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
#endif
conf->MBEDTLS_PRIVATE(ca_chain) = NULL; conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
} }
} }

1
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
View File

@ -24,6 +24,7 @@
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
#include "esp_log.h" #include "esp_log.h"
#include "sdkconfig.h"
#define TRACE_CHECK(_fn, _state) \ #define TRACE_CHECK(_fn, _state) \
({ \ ({ \