Merge branch 'feature/mbedtls_error_str_config_v5.2' into 'release/v5.2'

feat(mbedtls): add kconfig option for MBEDTLS_ERROR_C (v5.2)

See merge request espressif/esp-idf!30104

components/mbedtls/Kconfig

@@ -123,7 +123,7 @@ menu "mbedTLS"
 
             The option will decrease heap cost when handshake, but also lead to problem:
 
-            Becasue all certificate, private key and DHM data are freed so users should register
+            Because all certificate, private key and DHM data are freed so users should register
             certificate and private key to ssl config object again.
 
     config MBEDTLS_DYNAMIC_FREE_CA_CERT
@@ -448,6 +448,17 @@ menu "mbedTLS"
 
             These operations are used by RSA.
 
+    config MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+        bool "Fallback to software implementation for larger MPI values"
+        depends on MBEDTLS_HARDWARE_MPI
+        default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits
+        default n
+        help
+            Fallback to software implementation for RSA key lengths
+            larger than SOC_RSA_MAX_BIT_LEN. If this is not active
+            then the ESP will be unable to process keys greater
+            than SOC_RSA_MAX_BIT_LEN.
+
     config MBEDTLS_MPI_USE_INTERRUPT
         bool "Use interrupt for MPI exp-mod operations"
         depends on !IDF_TARGET_ESP32 && MBEDTLS_HARDWARE_MPI
@@ -888,13 +899,13 @@ menu "mbedTLS"
             bool "X.509 CRL parsing"
             default y
             help
-                Support for parsing X.509 Certifificate Revocation Lists.
+                Support for parsing X.509 Certificate Revocation Lists.
 
         config MBEDTLS_X509_CSR_PARSE_C
             bool "X.509 CSR parsing"
             default y
             help
-                Support for parsing X.509 Certifificate Signing Requests
+                Support for parsing X.509 Certificate Signing Requests
 
     endmenu # Certificates
 
@@ -1085,16 +1096,13 @@ menu "mbedTLS"
         help
             Enable the pthread wrapper layer for the threading layer.
 
-    config MBEDTLS_LARGE_KEY_SOFTWARE_MPI
+    config MBEDTLS_ERROR_STRINGS
-        bool "Fallback to software implementation for larger MPI values"
+        bool "Enable error code to error string conversion"
-        depends on MBEDTLS_HARDWARE_MPI
+        default y
-        default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits
-        default n
         help
-            Fallback to software implementation for RSA key lengths
+            Enables mbedtls_strerror() for converting error codes to error strings.
-            larger than SOC_RSA_MAX_BIT_LEN. If this is not active
+            Disabling this config can save some code/rodata size as the error
-            then the ESP will be unable to process keys greater
+            string conversion implementation is replaced with an empty stub.
-            than SOC_RSA_MAX_BIT_LEN.
 
     config MBEDTLS_USE_CRYPTO_ROM_IMPL
         bool "Use ROM implementation of the crypto algorithm"

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -71,7 +71,7 @@
  * \def MBEDTLS_HAVE_TIME_DATE
  *
  * System has time.h and time(), gmtime() and the clock is correct.
- * The time needs to be correct (not necesarily very accurate, but at least
+ * The time needs to be correct (not necessarily very accurate, but at least
  * the date should be correct). This is used to verify the validity period of
  * X.509 certificates.
  *
@@ -992,7 +992,7 @@
  * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
  *
  * This pair of functions allows one side of a connection to serialize the
- * context associated with the connection, then free or re-use that context
+ * context associated with the connection, then free or reuse that context
  * while the serialized state is persisted elsewhere, and finally deserialize
  * that state to a live context for resuming read/write operations on the
  * connection. From a protocol perspective, the state of the connection is
@@ -1490,7 +1490,7 @@
  * \def MBEDTLS_SSL_SESSION_TICKETS
  *
  * Enable support for RFC 5077 session tickets in SSL.
- * Client-side, provides full support for session tickets (maintainance of a
+ * Client-side, provides full support for session tickets (maintenance of a
  * session store remains the responsibility of the application, though).
  * Server-side, you also need to provide callbacks for writing and parsing
  * tickets, including authenticated encryption and key management. Example
@@ -2072,7 +2072,11 @@
  *
  * This module enables mbedtls_strerror().
  */
+#if CONFIG_MBEDTLS_ERROR_STRINGS
 #define MBEDTLS_ERROR_C
+#else
+#undef MBEDTLS_ERROR_C
+#endif
 
 /**
  * \def MBEDTLS_GCM_C
@@ -2122,7 +2126,7 @@
  *
  * Requires: MBEDTLS_MD_C
  *
- * Uncomment to enable the HMAC_DRBG random number geerator.
+ * Uncomment to enable the HMAC_DRBG random number generator.
  */
 #define MBEDTLS_HMAC_DRBG_C
 
@@ -2814,7 +2818,7 @@
 /* SSL options */
 #ifndef CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN
 
-#define MBEDTLS_SSL_MAX_CONTENT_LEN             CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maxium fragment length in bytes, determines the size of each of the two internal I/O buffers */
+#define MBEDTLS_SSL_MAX_CONTENT_LEN             CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN /**< Maximum fragment length in bytes, determines the size of each of the two internal I/O buffers */
 
 #else
 

docs/en/api-guides/performance/size.rst

@@ -507,6 +507,7 @@ These include:
 - :ref:`CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM`
 - Change :ref:`CONFIG_MBEDTLS_TLS_MODE` if both server & client functionalities are not needed
 - Consider disabling some cipher suites listed in the ``TLS Key Exchange Methods`` sub-menu (i.e., :ref:`CONFIG_MBEDTLS_KEY_EXCHANGE_RSA`)
+- Consider disabling :ref:`CONFIG_MBEDTLS_ERROR_STRINGS` if the application is pulling in mbedTLS error strings because of :cpp:func:`mbedtls_strerror` usage
 
 The help text for each option has some more information for reference.