mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request' into 'master'
fix(esp_tls): prevent freeing global CA store after each request Closes IDFGH-4647 See merge request espressif/esp-idf!12231
commit
daf429c67f
@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
|
|||||||
|
|
||||||
esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
|
esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
|
||||||
{
|
{
|
||||||
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
|
||||||
|
ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
|
||||||
|
return ESP_FAIL;
|
||||||
|
#endif
|
||||||
if (cacert_pem_buf == NULL) {
|
if (cacert_pem_buf == NULL) {
|
||||||
ESP_LOGE(TAG, "cacert_pem_buf is null");
|
ESP_LOGE(TAG, "cacert_pem_buf is null");
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
|
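Review bot: The new guard at the top of esp_mbedtls_set_global_ca_store returns the generic `ESP_FAIL`, so a caller cannot tell "disabled by configuration" apart from any other failure; `return ESP_ERR_NOT_SUPPORTED;` would say what happened. With CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT defined, everything after the `#endif` is unreachable, so putting the rest of the body under an `#else` branch would avoid dead code; the body continues outside this hunk, so the placement needs checking against the full function. The log string also carries an embedded `\n`, which splits one ESP_LOGE record across two lines. Callers should treat this failure as fatal for connection setup, because no trust anchors have been loaded into the global store at that point.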
@ -115,17 +115,27 @@ menu "mbedTLS"
|
|||||||
Free peer certificate after its usage in handshake process.
|
Free peer certificate after its usage in handshake process.
|
||||||
|
|
||||||
config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||||
bool "Free certificate, key and DHM data after its usage"
|
bool "Free private key and DHM data after its usage"
|
||||||
default n
|
default n
|
||||||
depends on MBEDTLS_DYNAMIC_BUFFER
|
depends on MBEDTLS_DYNAMIC_BUFFER
|
||||||
help
|
help
|
||||||
Free certificate, private key and DHM data after its usage in handshake process.
|
Free private key and DHM data after its usage in handshake process.
|
||||||
|
|
||||||
The option will decrease heap cost when handshake, but also lead to problem:
|
The option will decrease heap cost when handshake, but also lead to problem:
|
||||||
|
|
||||||
Becasue all certificate, private key and DHM data are freed so users should register
|
Becasue all certificate, private key and DHM data are freed so users should register
|
||||||
certificate and private key to ssl config object again.
|
certificate and private key to ssl config object again.
|
||||||
|
|
||||||
|
config MBEDTLS_DYNAMIC_FREE_CA_CERT
|
||||||
|
bool "Free SSL ca certificate after its usage"
|
||||||
|
default y
|
||||||
|
depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||||
|
help
|
||||||
|
Free ca certificate after its usage in the handshake process.
|
||||||
|
This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
|
||||||
|
If the respective ssl object needs to perform the TLS handshake again,
|
||||||
|
the ca certificate should once again be registered to the ssl object.
|
||||||
|
|
||||||
config MBEDTLS_DEBUG
|
config MBEDTLS_DEBUG
|
||||||
bool "Enable mbedTLS debugging"
|
bool "Enable mbedTLS debugging"
|
||||||
default n
|
default n
|
||||||
|
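Review bot: The help text of the new MBEDTLS_DYNAMIC_FREE_CA_CERT option does not mention that enabling it makes esp_mbedtls_set_global_ca_store() fail, which this same commit introduces. Because the option is `default y` once MBEDTLS_DYNAMIC_FREE_CONFIG_DATA is on, users of the global CA store will only find out from a runtime error. A closing sentence such as `This option is incompatible with the global CA store; disable it if the global CA store is used.` would fit at the end of the help. The unchanged help of MBEDTLS_DYNAMIC_FREE_CONFIG_DATA still reads "Becasue all certificate, private key and DHM data are freed", which appears stale next to the new title "Free private key and DHM data after its usage" and carries a typo.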
@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
|
|||||||
keycert = keycert->next;
|
keycert = keycert->next;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
|
||||||
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
if (ssl->conf->ca_chain) {
|
if (ssl->conf->ca_chain) {
|
||||||
@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
|
|||||||
conf->ca_chain = NULL;
|
conf->ca_chain = NULL;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
|
||||||
#endif
|
|
||||||
|
|
||||||
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
|
||||||
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
|
||||||
|
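Review bot: esp_mbedtls_free_cacert has no comment stating whose memory it releases, and that ownership question is what this commit is about. From the visible lines it acts on `ssl->conf->ca_chain` and sets the pointer to NULL, so it presumably frees a chain the caller registered with the config; the middle of the body lies between the two hunks and is not shown. A header comment like `/* Frees the CA chain attached to ssl->conf; the chain must not be shared with other configs or reused after the handshake. */` would make the contract explicit for callers that pass their own certificate chain.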
@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
|
|||||||
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
|
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
|
||||||
|
|
||||||
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
|
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
|
||||||
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
|
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
} else {
|
} else {
|
||||||
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
|
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
|
||||||
|
|
||||||
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
|
||||||
esp_mbedtls_free_cacert(ssl);
|
esp_mbedtls_free_cacert(ssl);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
} else {
|
} else {
|
||||||
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
|
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
|
||||||
|
|
||||||
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
|
||||||
esp_mbedtls_free_cacert(ssl);
|
esp_mbedtls_free_cacert(ssl);
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|