Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request_v4.3' into 'release/v4.3'

fix(esp_tls): prevent freeing global CA store after each request (v4.3) See merge request espressif/esp-idf!12630
2024-10-05 20:47:46 -04:00 · 2021-03-08 04:59:19 +00:00 · 2021-03-08 04:59:19 +00:00 · c5f8fbea02
commit c5f8fbea02
parent cf7891cb93 962ea61d53
7 changed files with 25 additions and 8 deletions
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -449,7 +449,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t

    if (cfg->alpn_protos) {
 #ifdef CONFIG_MBEDTLS_SSL_ALPN
-        if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos) != 0)) {
+        if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos)) != 0) {
            ESP_LOGE(TAG, "mbedtls_ssl_conf_alpn_protocols returned -0x%x", -ret);
            ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
            return ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED;
@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)

 esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
 {
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
+    ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
+    return ESP_FAIL;
+#endif
    if (cacert_pem_buf == NULL) {
        ESP_LOGE(TAG, "cacert_pem_buf is null");
        return ESP_ERR_INVALID_ARG;
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -115,17 +115,27 @@ menu "mbedTLS"
            Free peer certificate after its usage in handshake process.

    config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
-        bool "Free certificate, key and DHM data after its usage"
+        bool "Free private key and DHM data after its usage"
        default n
        depends on MBEDTLS_DYNAMIC_BUFFER
        help
-            Free certificate, private key and DHM data after its usage in handshake process.
+            Free private key and DHM data after its usage in handshake process.

            The option will decrease heap cost when handshake, but also lead to problem:

            Becasue all certificate, private key and DHM data are freed so users should register
            certificate and private key to ssl config object again.

+    config MBEDTLS_DYNAMIC_FREE_CA_CERT
+        bool "Free SSL ca certificate after its usage"
+        default y
+        depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+        help
+            Free ca certificate after its usage in the handshake process.
+            This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
+            If the respective ssl object needs to perform the TLS handshake again,
+            the ca certificate should once again be registered to the ssl object.
+
    config MBEDTLS_DEBUG
        bool "Enable mbedTLS debugging"
        default n
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
        keycert = keycert->next;
    }
 }
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */

+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
 {
    if (ssl->conf->ca_chain) {
@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
        conf->ca_chain = NULL;
    }
 }
-
-#endif
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */

 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
 void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
 void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);

 void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
+#endif

+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
 #endif

--- a/components/mbedtls/port/dynamic/esp_ssl_cli.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c
@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
            } else {
                CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));

-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                esp_mbedtls_free_cacert(ssl);
 #endif
            }
--- a/components/mbedtls/port/dynamic/esp_ssl_srv.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c
@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
            } else {
                CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));

-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                esp_mbedtls_free_cacert(ssl);
 #endif
            }
--- a/components/protocomm/src/common/protocomm.c
+++ b/components/protocomm/src/common/protocomm.c
@ -378,7 +378,7 @@ static int protocomm_version_handler(uint32_t session_id,
    /* Output is a non null terminated string with length specified */
    *outlen = strlen(pc->ver);
    *outbuf = malloc(*outlen);
-    if (outbuf == NULL) {
+    if (*outbuf == NULL) {
        ESP_LOGE(TAG, "Failed to allocate memory for version response");
        return ESP_ERR_NO_MEM;
    }