Fix esp_tls: Prevent freeing of global ca store after each connection
when dynamic ssl buffers are enabled
parent
a0eb455ec3
commit
bf513b6f31
@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
{
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
return ESP_FAIL;
#endif
if (cacert_pem_buf == NULL) {
ESP_LOGE(TAG, "cacert_pem_buf is null");
return ESP_ERR_INVALID_ARG;
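Review bot: The new guard at the top of esp_mbedtls_set_global_ca_store reports the incompatibility only at runtime and only as a generic ESP_FAIL, so nothing in the public API tells a caller that the global CA store is unavailable in this build configuration; the declaration (outside this section) should say so, e.g. `@return ESP_FAIL when CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT is enabled: the global CA store cannot be combined with per-connection freeing of the CA chain`. The `\n` embedded in the new ESP_LOGE string splits one diagnostic across two log lines, and the second half appears without the usual tag; `ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT) in order to use the global ca_store");` keeps it on one line. A more specific code such as ESP_ERR_NOT_SUPPORTED would let callers distinguish this build-time misconfiguration from other failures, unless ESP_FAIL is what the existing esp_tls contract requires here. The function body continues past the end of the hunk.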
@ -115,17 +115,27 @@ menu "mbedTLS"
Free peer certificate after its usage in handshake process.
config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
bool "Free certificate, key and DHM data after its usage"
bool "Free private key and DHM data after its usage"
default n
depends on MBEDTLS_DYNAMIC_BUFFER
help
Free certificate, private key and DHM data after its usage in handshake process.
Free private key and DHM data after its usage in handshake process.
The option will decrease heap cost when handshake, but also lead to problem:
Becasue all certificate, private key and DHM data are freed so users should register
certificate and private key to ssl config object again.
config MBEDTLS_DYNAMIC_FREE_CA_CERT
bool "Free SSL ca certificate after its usage"
default y
depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
help
Free ca certificate after its usage in the handshake process.
This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
If the respective ssl object needs to perform the TLS handshake again,
the ca certificate should once again be registered to the ssl object.
config MBEDTLS_DEBUG
bool "Enable mbedTLS debugging"
default n
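Review bot: The help text of the new MBEDTLS_DYNAMIC_FREE_CA_CERT option (end of the hunk) does not mention that enabling it makes the global CA store unusable, even though this same commit makes esp_mbedtls_set_global_ca_store return ESP_FAIL under that option. Because the option is `default y` as soon as MBEDTLS_DYNAMIC_FREE_CONFIG_DATA is selected, the help text is the only place a user will see the constraint before hitting the runtime failure. Add a sentence such as `This option cannot be combined with the global CA store: esp_mbedtls_set_global_ca_store fails while it is enabled, so disable it if the application relies on a shared CA store.`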
@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
keycert = keycert->next;
}
}
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
{
if (ssl->conf->ca_chain) {
@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
conf->ca_chain = NULL;
}
}
#endif
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
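Review bot: esp_mbedtls_free_cacert, whose definition starts in the first hunk and whose body runs into the second and past the hunk boundary, frees whatever `ssl->conf->ca_chain` points at and then clears `conf->ca_chain`, but nothing on the function states that the chain must be owned by this connection; the bug this commit fixes is exactly that assumption being violated by the shared global store. A contract comment on the definition would make the new CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT guard self-explanatory, e.g. `/* Frees the CA chain attached to this ssl context after the handshake. The chain must be owned by this connection: a shared (global) CA store must never reach here, which is why esp_mbedtls_set_global_ca_store refuses to run when CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT is enabled. */`. How `conf` is derived from `ssl->conf` is outside the hunk, so I have not checked that path.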
@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
#endif
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
#endif
@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
} else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
esp_mbedtls_free_cacert(ssl);
#endif
}
@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
} else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
esp_mbedtls_free_cacert(ssl);
#endif
}