mirror of
https://github.com/espressif/esp-idf.git
synced 2024-09-20 10:46:02 -04:00
Merge branch 'bugfix/mbedtls_dynamic_memory_crash_on_rsa_ciphers' into 'master'
fix(mbedtls): fix ssl server crash when enable mbedtls dynamic buffer and... See merge request espressif/esp-idf!18017
This commit is contained in:
commit
911b310a90
@ -12,6 +12,24 @@ int __wrap_mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
|
|||||||
|
|
||||||
static const char *TAG = "SSL Server";
|
static const char *TAG = "SSL Server";
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||||
|
/**
|
||||||
|
* Check if ciphersuite uses rsa key exchange methods.
|
||||||
|
*/
|
||||||
|
static bool ssl_ciphersuite_uses_rsa_key_ex(mbedtls_ssl_context *ssl)
|
||||||
|
{
|
||||||
|
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||||
|
ssl->MBEDTLS_PRIVATE(handshake)->ciphersuite_info;
|
||||||
|
|
||||||
|
if (ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA ||
|
||||||
|
ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
||||||
|
return true;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
||||||
{
|
{
|
||||||
int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
|
int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
|
||||||
@ -65,7 +83,13 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
CHECK_OK(esp_mbedtls_add_tx_buffer(ssl, buffer_len));
|
CHECK_OK(esp_mbedtls_add_tx_buffer(ssl, buffer_len));
|
||||||
} else {
|
} else {
|
||||||
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||||
esp_mbedtls_free_keycert_cert(ssl);
|
/**
|
||||||
|
* Not free keycert->cert until MBEDTLS_SSL_CLIENT_KEY_EXCHANGE for rsa key exchange methods.
|
||||||
|
* For ssl server will use keycert->cert to parse client key exchange.
|
||||||
|
*/
|
||||||
|
if (!ssl_ciphersuite_uses_rsa_key_ex(ssl)) {
|
||||||
|
esp_mbedtls_free_keycert_cert(ssl);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -77,8 +101,14 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
} else {
|
} else {
|
||||||
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||||
esp_mbedtls_free_dhm(ssl);
|
esp_mbedtls_free_dhm(ssl);
|
||||||
esp_mbedtls_free_keycert_key(ssl);
|
/**
|
||||||
esp_mbedtls_free_keycert(ssl);
|
* Not free keycert->key and keycert until MBEDTLS_SSL_CLIENT_KEY_EXCHANGE for rsa key exchange methods.
|
||||||
|
* For ssl server will use keycert->key to parse client key exchange.
|
||||||
|
*/
|
||||||
|
if (!ssl_ciphersuite_uses_rsa_key_ex(ssl)) {
|
||||||
|
esp_mbedtls_free_keycert_key(ssl);
|
||||||
|
esp_mbedtls_free_keycert(ssl);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -114,6 +144,18 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
CHECK_OK(esp_mbedtls_add_rx_buffer(ssl));
|
CHECK_OK(esp_mbedtls_add_rx_buffer(ssl));
|
||||||
} else {
|
} else {
|
||||||
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
|
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||||
|
/**
|
||||||
|
* Free keycert after MBEDTLS_SSL_CLIENT_KEY_EXCHANGE for rsa key exchange methods.
|
||||||
|
* For ssl server will use keycert->cert and keycert->key to parse client key exchange.
|
||||||
|
*/
|
||||||
|
if (ssl_ciphersuite_uses_rsa_key_ex(ssl)) {
|
||||||
|
esp_mbedtls_free_keycert_cert(ssl);
|
||||||
|
esp_mbedtls_free_keycert_key(ssl);
|
||||||
|
esp_mbedtls_free_keycert(ssl);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
||||||
|
@ -132,6 +132,60 @@ def test_examples_protocol_https_server_simple(env, extra_data): # type: (tiny_
|
|||||||
|
|
||||||
ssl_context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)
|
ssl_context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)
|
||||||
|
|
||||||
|
conn = http.client.HTTPSConnection(got_ip, got_port, context=ssl_context)
|
||||||
|
Utility.console_log('Performing SSL handshake with the server')
|
||||||
|
conn.request('GET','/')
|
||||||
|
resp = conn.getresponse()
|
||||||
|
dut1.expect('performing session handshake')
|
||||||
|
got_resp = resp.read().decode('utf-8')
|
||||||
|
if got_resp != success_response:
|
||||||
|
Utility.console_log('Response obtained does not match with correct response')
|
||||||
|
raise RuntimeError('Failed to test SSL connection')
|
||||||
|
|
||||||
|
current_cipher = dut1.expect(re.compile(r'Current Ciphersuite(.*)'), timeout=5)[0]
|
||||||
|
Utility.console_log('Current Ciphersuite' + current_cipher)
|
||||||
|
|
||||||
|
# Close the connection
|
||||||
|
conn.close()
|
||||||
|
|
||||||
|
Utility.console_log('Checking user callback: Obtaining client certificate...')
|
||||||
|
|
||||||
|
serial_number = dut1.expect(re.compile(r'serial number(.*)'), timeout=5)[0]
|
||||||
|
issuer_name = dut1.expect(re.compile(r'issuer name(.*)'), timeout=5)[0]
|
||||||
|
expiry = dut1.expect(re.compile(r'expires on(.*)'), timeout=5)[0]
|
||||||
|
|
||||||
|
Utility.console_log('Serial No.' + serial_number)
|
||||||
|
Utility.console_log('Issuer Name' + issuer_name)
|
||||||
|
Utility.console_log('Expires on' + expiry)
|
||||||
|
|
||||||
|
Utility.console_log('Correct response obtained')
|
||||||
|
Utility.console_log('SSL connection test successful\nClosing the connection')
|
||||||
|
|
||||||
|
# Test with mbedTLS dynamic buffer feature
|
||||||
|
dut1 = env.get_dut('https_server_simple', 'examples/protocols/https_server/simple', dut_class=ttfw_idf.ESP32DUT, app_config_name='dynamic_buffer')
|
||||||
|
|
||||||
|
# start test
|
||||||
|
dut1.start_app()
|
||||||
|
# Parse IP address and port of the server
|
||||||
|
dut1.expect(re.compile(r'Starting server'))
|
||||||
|
got_port = dut1.expect(re.compile(r'Server listening on port (\d+)'), timeout=30)[0]
|
||||||
|
Utility.console_log('Waiting to connect with AP')
|
||||||
|
|
||||||
|
got_ip = dut1.expect(re.compile(r'IPv4 address: (\d+\.\d+\.\d+\.\d+)'), timeout=30)[0]
|
||||||
|
# Expected logs
|
||||||
|
|
||||||
|
Utility.console_log('Got IP : ' + got_ip)
|
||||||
|
Utility.console_log('Got Port : ' + got_port)
|
||||||
|
|
||||||
|
Utility.console_log('Performing GET request over an SSL connection with the server')
|
||||||
|
|
||||||
|
ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
|
||||||
|
ssl_context.verify_mode = ssl.CERT_REQUIRED
|
||||||
|
ssl_context.check_hostname = False
|
||||||
|
ssl_context.load_verify_locations(cadata=server_cert_pem)
|
||||||
|
|
||||||
|
ssl_context.load_cert_chain(certfile=CLIENT_CERT_FILE, keyfile=CLIENT_KEY_FILE)
|
||||||
|
|
||||||
os.remove(CLIENT_CERT_FILE)
|
os.remove(CLIENT_CERT_FILE)
|
||||||
os.remove(CLIENT_KEY_FILE)
|
os.remove(CLIENT_KEY_FILE)
|
||||||
|
|
||||||
@ -145,6 +199,9 @@ def test_examples_protocol_https_server_simple(env, extra_data): # type: (tiny_
|
|||||||
Utility.console_log('Response obtained does not match with correct response')
|
Utility.console_log('Response obtained does not match with correct response')
|
||||||
raise RuntimeError('Failed to test SSL connection')
|
raise RuntimeError('Failed to test SSL connection')
|
||||||
|
|
||||||
|
current_cipher = dut1.expect(re.compile(r'Current Ciphersuite(.*)'), timeout=5)[0]
|
||||||
|
Utility.console_log('Current Ciphersuite' + current_cipher)
|
||||||
|
|
||||||
# Close the connection
|
# Close the connection
|
||||||
conn.close()
|
conn.close()
|
||||||
|
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
CONFIG_ESP_HTTPS_SERVER_ENABLE=y
|
||||||
|
CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK=y
|
||||||
|
CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
|
||||||
|
CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA=y
|
||||||
|
CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT=y
|
Loading…
Reference in New Issue
Block a user