Merge branch 'bugfix/esp32c2_eap_auth_v5.1' into 'release/v5.1'

fix(wifi): Added low heap usage Kconfig option for eap enterprise (v5.1) See merge request espressif/esp-idf!28825
2024-10-05 20:47:46 -04:00 · 2024-02-27 19:59:52 +08:00 · 2024-02-27 19:59:52 +08:00 · 6481fdf05e
commit 6481fdf05e
parent f8a1cf930e 8a01702d65
2 changed files with 81 additions and 3 deletions
--- a/components/esp_wifi/Kconfig
+++ b/components/esp_wifi/Kconfig
@ -479,6 +479,7 @@ menu "Wi-Fi"
    if ESP_WIFI_MBEDTLS_CRYPTO
        config ESP_WIFI_MBEDTLS_TLS_CLIENT
            bool "Use MbedTLS TLS client for WiFi Enterprise connection"
+            depends on ESP_WIFI_ENTERPRISE_SUPPORT
            default y
            select MBEDTLS_TLS_ENABLED
            help
@ -623,4 +624,13 @@ menu "Wi-Fi"
            disabling this will reduce binary size.
            disabling this will disable the use of any esp_wifi_sta_wpa2_ent_* (as APIs will be meaningless)

+    config ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+        bool "Free dynamic buffers during WiFi enterprise connection"
+        depends on ESP_WIFI_ENTERPRISE_SUPPORT
+        default y if IDF_TARGET_ESP32C2
+        default n if !IDF_TARGET_ESP32C2
+        help
+            Select this configuration to free dynamic buffers during WiFi enterprise connection.
+            This will enable chip to reduce heap consumption during WiFi enterprise connection.
+
 endmenu # Wi-Fi
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -34,6 +34,7 @@
 #else
 #include "mbedtls/config.h"
 #endif
+#include "mbedtls/platform.h"
 #include "eap_peer/eap.h"


@ -676,6 +677,59 @@ int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
 	return -1;
 }

+#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+static void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
+{
+#ifdef CONFIG_MBEDTLS_DHM_C
+	const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+	mbedtls_mpi_free((mbedtls_mpi *)&conf->MBEDTLS_PRIVATE(dhm_P));
+	mbedtls_mpi_free((mbedtls_mpi *)&conf->MBEDTLS_PRIVATE(dhm_G));
+#endif /* CONFIG_MBEDTLS_DHM_C */
+}
+
+static void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
+{
+	mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
+	mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next;
+
+	while (keycert) {
+		next = keycert->next;
+
+		if (keycert) {
+			mbedtls_free(keycert);
+		}
+
+		keycert = next;
+	}
+
+	conf->MBEDTLS_PRIVATE(key_cert) = NULL;
+}
+
+static void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
+{
+	const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+	mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
+
+	while (keycert) {
+		if (keycert->key) {
+			mbedtls_pk_free(keycert->key);
+			keycert->key = NULL;
+		}
+		keycert = keycert->next;
+	}
+}
+
+static void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
+{
+	if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
+		mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
+
+		mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
+		conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
+	}
+}
+#endif
+
 struct wpabuf * tls_connection_handshake(void *tls_ctx,
 					 struct tls_connection *conn,
 					 const struct wpabuf *in_data,
@ -684,6 +738,7 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	tls_context_t *tls = conn->tls;
 	int ret = 0;
 	struct wpabuf *resp;
+	int cli_state;

 	/* data freed by sender */
 	conn->tls_io_data.out_data = NULL;
@ -693,7 +748,8 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,

 	/* Multiple reads */
 	while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
-		if (tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
+		cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
+		if (cli_state == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
 			/* Read random data before session completes, not present after handshake */
 			if (tls->ssl.MBEDTLS_PRIVATE(handshake)) {
 				os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes,
@ -703,9 +759,21 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 		}
 		ret = mbedtls_ssl_handshake_step(&tls->ssl);

-		if (ret < 0)
+		if (ret < 0) {
 			break;
 		}
+#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+		if (mbedtls_ssl_get_version_number(&tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_2) {
+			if (cli_state == MBEDTLS_SSL_SERVER_CERTIFICATE) {
+				esp_mbedtls_free_cacert(&tls->ssl);
+			} else if (cli_state == MBEDTLS_SSL_CERTIFICATE_VERIFY) {
+				esp_mbedtls_free_dhm(&tls->ssl);
+				esp_mbedtls_free_keycert_key(&tls->ssl);
+				esp_mbedtls_free_keycert(&tls->ssl);
+			}
+		}
+#endif
+	}
 	if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ) {
 		wpa_printf(MSG_INFO, "%s: ret is %d line:%d", __func__, ret, __LINE__);
 		goto end;