Fails to compile with certificate bundles disabled

[thetek42]

When compiling a project with CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=n, esp-idf-svc fails to compile with the following error:

error[E0432]: unresolved imports `crate::sys::ESP_TLS_ERR_SSL_WANT_READ`, `crate::sys::ESP_TLS_ERR_SSL_WANT_WRITE`
   --> .cargo\git\checkouts\esp-idf-svc-a28457b0e32c6283\cdfc601\src\tls.rs:128:55
    |
128 |             self, EspError, ESP_ERR_NO_MEM, ESP_FAIL, ESP_TLS_ERR_SSL_WANT_READ,
    |                                                       ^^^^^^^^^^^^^^^^^^^^^^^^^ no `ESP_TLS_ERR_SSL_WANT_READ` in `sys`
129 |             ESP_TLS_ERR_SSL_WANT_WRITE, EWOULDBLOCK,
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^ no `ESP_TLS_ERR_SSL_WANT_WRITE` in `sys`
    |
help: a similar name exists in the module
    |
128 |             self, EspError, ESP_ERR_NO_MEM, ESP_FAIL, MBEDTLS_ERR_SSL_WANT_READ,
    |                                                       ~~~~~~~~~~~~~~~~~~~~~~~~~
help: a similar name exists in the module
    |
129 |             MBEDTLS_ERR_SSL_WANT_WRITE, EWOULDBLOCK,
    |             ~~~~~~~~~~~~~~~~~~~~~~~~~~

error[E0435]: attempt to use a non-constant value in a constant
   --> .cargo\git\checkouts\esp-idf-svc-a28457b0e32c6283\cdfc601\src\tls.rs:455:23
    |
454 |                 ESP_TLS_ERR_SSL_WANT_READ => Err(EspError::from_infallible::<
    |                 ------------------------- this would need to be a `const`
455 |                     { ESP_TLS_ERR_SSL_WANT_READ as i32 },
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^

error[E0435]: attempt to use a non-constant value in a constant
   --> .cargo\git\checkouts\esp-idf-svc-a28457b0e32c6283\cdfc601\src\tls.rs:458:23
    |
457 |                 ESP_TLS_ERR_SSL_WANT_WRITE => Err(EspError::from_infallible::<
    |                 -------------------------- this would need to be a `const`
458 |                     { ESP_TLS_ERR_SSL_WANT_WRITE as i32 },
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^

In esp-idf, these constants are defined here.

[Vollbrecht]

First of what are you trying to archive? And second what do you actually expected to happen here?

[thetek42]

I am trying to disable the Certificate Bundle API, since it might not be needed for my use case.

I expect esp-idf-svc to compile properly without errors.

[ivmarkov]

I am trying to disable the Certificate Bundle API, since it might not be needed for my use case.

I expect esp-idf-svc to compile properly without errors.

That's fair. I'll fix it shortly.

[Vollbrecht]

the question is, do you mean not using tls itself in your project or not using mbedtls specific ? Our tls module probably should be disabled if we set something like CONFIG_MBEDTLS_TLS_DISABLED=y in sdkconfig ( this currently does not work). Or do you just want to use anothere impl like wolfssl / or use your own certs?

[ivmarkov]

@Vollbrecht - there is (or there should be) nothing in the tls module which is mbedtls specific. Hence it should "just work" with wolfssl as well, or if both are disabled - just not be compiled at all.

Hence why I consider the current compilation issues a bug.

[ivmarkov]

Also the reporter is disabling just the certificate bundle, which should not disable (I think) neither mbedtls, nor wolfssl.

[thetek42]

Correct. The goal is not to disable TLS entirely; only certificate bundles should be disabled.

What I find peculiar is that the constants that cause this problem do not depend on CONFIG_MBEDTLS_CERTIFICATE_BUNDLE (see this).

[ivmarkov]

@thetek42 Just to mention that I can repro the problem, but I'm a bit at a loss how exactly that could even happen... I'm beginning to suspect some sort of bindgen issue/bug here...

[ivmarkov]

OK found the root cause - a bug in ESP IDF. Will follow up shortly with more details once I report it and implement a workaround...

[Vollbrecht]

even if it is not the core problem, i was not able to disable the embedtls support for anything via sdkconfigs in my short test, when i run with cargo rustc -- --print cfg it was always activated no matter what, so bindgen was generated for it and after that it got picked up by svc

[ivmarkov]

even if it is not the core problem, i was not able to disable the embedtls support for anything via sdkconfigs in my short test, when i run with cargo rustc -- --print cfg it was always activated no matter what, so bindgen was generated for it and after that it got picked up by svc

Unless you show exactly how you disable mbedtls support, I can't comment what is going on.

[ivmarkov]

And then again, the user is NOT disabling mbedtls - he is disabling the certificate bundle, which leads to compilation issues, while it should not.

[ivmarkov]

@thetek42:

• ESP IDF issue: Wrong order of includes in esp-tls.h (IDFGH-11403) espressif/esp-idf#12541
• Workaround (in esp-idf-sys, I'll release a patch shortly): esp-rs/esp-idf-sys@2067b8c

[ivmarkov]

New release of esp-idf-sys should be available shortly (Publish action ongoing).
Just do cargo update in the root of your binary crate.

[thetek42]

Thanks!