mbedtls: Add CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN

This value allows to set max payload length of a TLS protocol
message, and passed thru to mbedTLS as MBEDTLS_SSL_MAX_CONTENT_LEN
setting. The only safe value is 16384, which translates to 32KB
of RAM required just for mbedTLS input/output buffers. Any other
value can be configured *only* per a particular application
(e.g. knowing that it won't pass more than spefific amount of
data at once and/or won't connect to a server with a long cert
chain). Previosuly, we had quite an adhoc and inflexible config
with random values for that setting, based on protocol.

Note that while the safe value is 16384, "backward compatible"
default of 1500 is used (good for DTLS on the other hand).

Signed-off-by: Paul Sokolovsky <[email protected]>

Author: pfalcon

ext/lib/crypto/mbedtls/Kconfig

@@ -52,6 +52,21 @@ config MBEDTLS_CFG_FILE
 	  relatively many features enabled. To optimize resources for special
 	  TLS usage, an alternative config may be selected.
 
+config MBEDTLS_SSL_MAX_CONTENT_LEN
+	int "Max payload size for TLS protocol message"
+	default 1500
+	depends on MBEDTLS_BUILTIN
+	help
+	  The TLS standards mandate max payload size of 16384 bytes. So, for
+	  maximum operability and for general-purpose usage, that value must
+	  be used. For specific usages, that value can be largely decreased.
+	  E.g. for DTLS, payload size is limited by UDP datagram size, and
+	  even for HTTPS REST API, the payload can be limited to max size of
+	  (REST request, REST response, server certificate(s)).
+	  mbedTLS uses this value separate for input and output buffers, so
+	  twice this value will be allocated (on mbedTLS own heap, so the
+	  value of MBEDTLS_HEAP_SIZE should accommodate that).
+
 config MBEDTLS_DEBUG
 	bool "mbed TLS debug activation"
 	depends on MBEDTLS_BUILTIN
@@ -116,9 +131,10 @@ config MBEDTLS_HEAP_SIZE
 	  MBEDTLS_MEMORY_BUFFER_ALLOC_C option for details. That option is not
 	  enabled by default.
 	  Default value for the heap size is not set as it depends on the
-	  application. For server application 15000 bytes should be enough.
-	  For some dedicated and specific usage of mbedtls API, the 1000 bytes
-	  might be ok.
+	  application. For streaming communication with arbitrary (HTTPS)
+	  servers on the Internet, 32KB + overheads (up to another 20KB) may
+	  be needed. For some dedicated and specific usage of mbedtls API, the
+	  1000 bytes might be ok.
 
 config APP_LINK_WITH_MBEDTLS
 	bool "Link 'app' with MBEDTLS"

ext/lib/crypto/mbedtls/configs/config-mini-tls1_2.h

@@ -72,13 +72,7 @@
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 #endif
 
-#if defined(CONFIG_MQTT_LIB_TLS)
-#define MBEDTLS_SSL_MAX_CONTENT_LEN  2500
-#elif defined(CONFIG_HTTPS)
-#define MBEDTLS_SSL_MAX_CONTENT_LEN  2500
-#else
-#define MBEDTLS_SSL_MAX_CONTENT_LEN  1500
-#endif
+#define MBEDTLS_SSL_MAX_CONTENT_LEN  CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
 
 #include "mbedtls/check_config.h"
 

samples/net/http_client/prj_bt.conf

@@ -31,6 +31,7 @@ CONFIG_HTTPS=n
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2500
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=12000
 

samples/net/http_client/prj_tls.conf

@@ -37,6 +37,7 @@ CONFIG_HTTPS=y
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2500
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=30000
 

samples/net/http_server/prj_bt.conf

@@ -28,6 +28,7 @@ CONFIG_HTTPS=y
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2500
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=12000
 

samples/net/http_server/prj_tls.conf

@@ -35,6 +35,7 @@ CONFIG_HTTPS=y
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2500
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=30000
 

samples/net/mqtt_publisher/prj_frdm_k64f_tls.conf

@@ -39,6 +39,7 @@ CONFIG_NET_BUF_DATA_SIZE=256
 
 CONFIG_MBEDTLS=y
 CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2500
 CONFIG_MBEDTLS_ENABLE_HEAP=y
 CONFIG_MBEDTLS_HEAP_SIZE=30000
 CONFIG_MBEDTLS_CFG_FILE="config-mini-tls1_2.h"