feat(mbedtls/esp_crt_bundle): Move dummy cert to .rodata to save 408B from dram

Co-authored-by: Hanno <h.binder@web.de>
2025-03-09 17:19:09 -04:00 · 2024-10-10 12:34:32 +05:30 · 2024-10-10 12:34:32 +05:30 · d2549d425f
commit d2549d425f
parent e5617c26f7
5 changed files with 45 additions and 10 deletions
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@ -88,7 +88,13 @@ idf_build_get_property(python PYTHON)
 set(Python3_EXECUTABLE ${python})

 # Needed to for include_next includes to work from within mbedtls
-include_directories("${COMPONENT_DIR}/port/include")
+set(include_dirs "${COMPONENT_DIR}/port/include")
+
+if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
+    list(APPEND include_dirs "${COMPONENT_DIR}/esp_crt_bundle/include")
+endif()
+
+include_directories(${include_dirs})

 # Needed to for mbedtls_rom includes to work from within mbedtls
 if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
--- a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
+++ b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2018-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -15,8 +15,7 @@ static const char *TAG = "esp-x509-crt-bundle";

 /* a dummy certificate so that
 * cacert_ptr passes non-NULL check during handshake */
-static mbedtls_x509_crt s_dummy_crt;
-
+static const mbedtls_x509_crt s_dummy_crt;

 extern const uint8_t x509_crt_imported_bundle_bin_start[] asm("_binary_x509_crt_bundle_start");
 extern const uint8_t x509_crt_imported_bundle_bin_end[]   asm("_binary_x509_crt_bundle_end");
@ -218,8 +217,7 @@ esp_err_t esp_crt_bundle_attach(void *conf)
         * cacert_ptr passes non-NULL check during handshake
         */
        mbedtls_ssl_config *ssl_conf = (mbedtls_ssl_config *)conf;
-        mbedtls_x509_crt_init(&s_dummy_crt);
-        mbedtls_ssl_conf_ca_chain(ssl_conf, &s_dummy_crt, NULL);
+        mbedtls_ssl_conf_ca_chain(ssl_conf, (mbedtls_x509_crt*)&s_dummy_crt, NULL);
        mbedtls_ssl_conf_verify(ssl_conf, esp_crt_verify_callback, NULL);
    }

@ -239,3 +237,8 @@ esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size)
 {
    return esp_crt_bundle_init(x509_bundle, bundle_size);
 }
+
+bool esp_crt_bundle_in_use(const mbedtls_x509_crt* ca_chain)
+{
+    return ((ca_chain == &s_dummy_crt) ? true : false);
+}
--- a/components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h
+++ b/components/mbedtls/esp_crt_bundle/include/esp_crt_bundle.h
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -27,7 +27,7 @@ extern "C" {
 *
 * @return
 *             - ESP_OK  if adding certificates was successful.
- *             - Other   if an error occured or an action must be taken by the calling process.
+ *             - Other   if an error occurred or an action must be taken by the calling process.
 */
 esp_err_t esp_crt_bundle_attach(void *conf);

@ -55,10 +55,19 @@ void esp_crt_bundle_detach(mbedtls_ssl_config *conf);
 *
 * @return
 *             - ESP_OK  if adding certificates was successful.
- *             - Other   if an error occured or an action must be taken by the calling process.
+ *             - Other   if an error occurred or an action must be taken by the calling process.
 */
 esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size);

+/**
+ * @brief   Check if the given CA certificate chain is the default "dummy"
+ *          certificate chain attached by the esp_crt_bundle
+ *
+ * @param ca_chain  A pointer to the CA chain.
+ * @return true     if the ca_chain is the dummy CA chain attached by esp_crt_bundle
+ * @return false    otherwise
+ */
+bool esp_crt_bundle_in_use(const mbedtls_x509_crt* ca_chain);

 #ifdef __cplusplus
 }
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
@ -1,11 +1,16 @@
 /*
- * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */

 #include <string.h>
 #include "esp_mbedtls_dynamic_impl.h"
+#include "sdkconfig.h"
+
+#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+#include "esp_crt_bundle.h"
+#endif

 #define COUNTER_SIZE (8)
 #define CACHE_IV_SIZE (16)
@ -529,7 +534,18 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
    if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
        mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf);

+#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+        /* In case of mbedtls certificate bundle, we attach a "static const"
+         * dummy cert, thus we need to avoid the write operations (memset())
+         * performed by `mbedtls_x509_crt_free()`
+         */
+        if (!esp_crt_bundle_in_use(conf->MBEDTLS_PRIVATE(ca_chain))) {
+            mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
+        }
+#else
        mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
+#endif
+
        conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
    }
 }
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
@ -20,6 +20,7 @@ which are undefined if the following flag is not defined */
 #include "ssl_misc.h" // located at mbedtls/library/ssl_misc.h
 #include "mbedtls/platform.h"
 #include "esp_log.h"
+#include "sdkconfig.h"

 #define TRACE_CHECK(_fn, _state) \
 ({ \