Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request' into 'master'

fix(esp_tls): prevent freeing global CA store after each request

Closes IDFGH-4647

See merge request espressif/esp-idf!12231
This commit is contained in:
Mahavir Jain 2021-02-25 01:15:14 +00:00
commit daf429c67f
6 changed files with 23 additions and 6 deletions

View File

@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
{
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
return ESP_FAIL;
#endif
if (cacert_pem_buf == NULL) {
ESP_LOGE(TAG, "cacert_pem_buf is null");
return ESP_ERR_INVALID_ARG;

View File

@ -115,17 +115,27 @@ menu "mbedTLS"
Free peer certificate after its usage in handshake process.
config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
bool "Free certificate, key and DHM data after its usage"
bool "Free private key and DHM data after its usage"
default n
depends on MBEDTLS_DYNAMIC_BUFFER
help
Free certificate, private key and DHM data after its usage in handshake process.
Free private key and DHM data after its usage in handshake process.
The option will decrease heap cost when handshake, but also lead to problem:
Becasue all certificate, private key and DHM data are freed so users should register
certificate and private key to ssl config object again.
config MBEDTLS_DYNAMIC_FREE_CA_CERT
bool "Free SSL ca certificate after its usage"
default y
depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
help
Free ca certificate after its usage in the handshake process.
This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
If the respective ssl object needs to perform the TLS handshake again,
the ca certificate should once again be registered to the ssl object.
config MBEDTLS_DEBUG
bool "Enable mbedTLS debugging"
default n

View File

@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
keycert = keycert->next;
}
}
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
{
if (ssl->conf->ca_chain) {
@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
conf->ca_chain = NULL;
}
}
#endif
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)

View File

@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
#endif
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
#endif

View File

@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
} else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
esp_mbedtls_free_cacert(ssl);
#endif
}

View File

@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
} else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
esp_mbedtls_free_cacert(ssl);
#endif
}