esp-idf/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c

540 lines
17 KiB
C

/*
* SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <string.h>
#include "esp_mbedtls_dynamic_impl.h"
#define COUNTER_SIZE (8)
#define CACHE_IV_SIZE (16)
#define CACHE_BUFFER_SIZE (CACHE_IV_SIZE + COUNTER_SIZE)
#define TX_IDLE_BUFFER_SIZE (MBEDTLS_SSL_HEADER_LEN + CACHE_BUFFER_SIZE)
static const char *TAG = "Dynamic Impl";
static void esp_mbedtls_set_buf_state(unsigned char *buf, esp_mbedtls_ssl_buf_states state)
{
struct esp_mbedtls_ssl_buf *temp = __containerof(buf, struct esp_mbedtls_ssl_buf, buf[0]);
temp->state = state;
}
static esp_mbedtls_ssl_buf_states esp_mbedtls_get_buf_state(unsigned char *buf)
{
struct esp_mbedtls_ssl_buf *temp = __containerof(buf, struct esp_mbedtls_ssl_buf, buf[0]);
return temp->state;
}
void esp_mbedtls_free_buf(unsigned char *buf)
{
struct esp_mbedtls_ssl_buf *temp = __containerof(buf, struct esp_mbedtls_ssl_buf, buf[0]);
ESP_LOGV(TAG, "free buffer @ %p", temp);
mbedtls_free(temp);
}
static void esp_mbedtls_init_ssl_buf(struct esp_mbedtls_ssl_buf *buf, unsigned int len)
{
if (buf) {
buf->state = ESP_MBEDTLS_SSL_BUF_CACHED;
buf->len = len;
}
}
static void esp_mbedtls_parse_record_header(mbedtls_ssl_context *ssl)
{
ssl->MBEDTLS_PRIVATE(in_msgtype) = ssl->MBEDTLS_PRIVATE(in_hdr)[0];
ssl->MBEDTLS_PRIVATE(in_msglen) = (ssl->MBEDTLS_PRIVATE(in_len)[0] << 8) | ssl->MBEDTLS_PRIVATE(in_len)[1];
}
static int tx_buffer_len(mbedtls_ssl_context *ssl, int len)
{
(void)ssl;
if (!len) {
return MBEDTLS_SSL_OUT_BUFFER_LEN;
} else {
return len + MBEDTLS_SSL_HEADER_LEN
+ MBEDTLS_MAX_IV_LENGTH
+ MBEDTLS_SSL_MAC_ADD
+ MBEDTLS_SSL_PADDING_ADD
+ MBEDTLS_SSL_MAX_CID_EXPANSION;
}
}
static void init_tx_buffer(mbedtls_ssl_context *ssl, unsigned char *buf)
{
/**
* In mbedtls, ssl->MBEDTLS_PRIVATE(out_msg) = ssl->MBEDTLS_PRIVATE(out_buf) + offset;
*/
if (!buf) {
int out_msg_off = (int)ssl->MBEDTLS_PRIVATE(out_msg) - (int)ssl->MBEDTLS_PRIVATE(out_buf);
if (!out_msg_off) {
out_msg_off = MBEDTLS_SSL_HEADER_LEN;
}
ssl->MBEDTLS_PRIVATE(out_buf) = NULL;
ssl->MBEDTLS_PRIVATE(out_ctr) = NULL;
ssl->MBEDTLS_PRIVATE(out_hdr) = NULL;
ssl->MBEDTLS_PRIVATE(out_len) = NULL;
ssl->MBEDTLS_PRIVATE(out_iv) = NULL;
ssl->MBEDTLS_PRIVATE(out_msg) = (unsigned char *)out_msg_off;
} else {
int out_msg_off = (int)ssl->MBEDTLS_PRIVATE(out_msg);
ssl->MBEDTLS_PRIVATE(out_buf) = buf;
ssl->MBEDTLS_PRIVATE(out_ctr) = ssl->MBEDTLS_PRIVATE(out_buf);
ssl->MBEDTLS_PRIVATE(out_hdr) = ssl->MBEDTLS_PRIVATE(out_buf) + 8;
ssl->MBEDTLS_PRIVATE(out_len) = ssl->MBEDTLS_PRIVATE(out_buf) + 11;
ssl->MBEDTLS_PRIVATE(out_iv) = ssl->MBEDTLS_PRIVATE(out_buf) + MBEDTLS_SSL_HEADER_LEN;
ssl->MBEDTLS_PRIVATE(out_msg) = ssl->MBEDTLS_PRIVATE(out_buf) + out_msg_off;
ESP_LOGV(TAG, "out msg offset is %d", out_msg_off);
}
ssl->MBEDTLS_PRIVATE(out_msgtype) = 0;
ssl->MBEDTLS_PRIVATE(out_msglen) = 0;
ssl->MBEDTLS_PRIVATE(out_left) = 0;
}
static void init_rx_buffer(mbedtls_ssl_context *ssl, unsigned char *buf)
{
/**
* In mbedtls, ssl->MBEDTLS_PRIVATE(in_msg) = ssl->MBEDTLS_PRIVATE(in_buf) + offset;
*/
if (!buf) {
int in_msg_off = (int)ssl->MBEDTLS_PRIVATE(in_msg) - (int)ssl->MBEDTLS_PRIVATE(in_buf);
if (!in_msg_off) {
in_msg_off = MBEDTLS_SSL_HEADER_LEN;
}
ssl->MBEDTLS_PRIVATE(in_buf) = NULL;
ssl->MBEDTLS_PRIVATE(in_ctr) = NULL;
ssl->MBEDTLS_PRIVATE(in_hdr) = NULL;
ssl->MBEDTLS_PRIVATE(in_len) = NULL;
ssl->MBEDTLS_PRIVATE(in_iv) = NULL;
ssl->MBEDTLS_PRIVATE(in_msg) = (unsigned char *)in_msg_off;
} else {
int in_msg_off = (int)ssl->MBEDTLS_PRIVATE(in_msg);
ssl->MBEDTLS_PRIVATE(in_buf) = buf;
ssl->MBEDTLS_PRIVATE(in_ctr) = ssl->MBEDTLS_PRIVATE(in_buf);
ssl->MBEDTLS_PRIVATE(in_hdr) = ssl->MBEDTLS_PRIVATE(in_buf) + 8;
ssl->MBEDTLS_PRIVATE(in_len) = ssl->MBEDTLS_PRIVATE(in_buf) + 11;
ssl->MBEDTLS_PRIVATE(in_iv) = ssl->MBEDTLS_PRIVATE(in_buf) + MBEDTLS_SSL_HEADER_LEN;
ssl->MBEDTLS_PRIVATE(in_msg) = ssl->MBEDTLS_PRIVATE(in_buf) + in_msg_off;
ESP_LOGV(TAG, "in msg offset is %d", in_msg_off);
}
ssl->MBEDTLS_PRIVATE(in_msgtype) = 0;
ssl->MBEDTLS_PRIVATE(in_msglen) = 0;
ssl->MBEDTLS_PRIVATE(in_left) = 0;
}
static int esp_mbedtls_alloc_tx_buf(mbedtls_ssl_context *ssl, int len)
{
struct esp_mbedtls_ssl_buf *esp_buf;
if (ssl->MBEDTLS_PRIVATE(out_buf)) {
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(out_buf));
ssl->MBEDTLS_PRIVATE(out_buf) = NULL;
}
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + len);
if (!esp_buf) {
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + len);
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
ESP_LOGV(TAG, "add out buffer %d bytes @ %p", len, esp_buf->buf);
esp_mbedtls_init_ssl_buf(esp_buf, len);
/**
* Mark the out_msg offset from ssl->MBEDTLS_PRIVATE(out_buf).
*
* In mbedtls, ssl->MBEDTLS_PRIVATE(out_msg) = ssl->MBEDTLS_PRIVATE(out_buf) + offset;
*/
ssl->MBEDTLS_PRIVATE(out_msg) = (unsigned char *)MBEDTLS_SSL_HEADER_LEN;
init_tx_buffer(ssl, esp_buf->buf);
return 0;
}
int esp_mbedtls_setup_tx_buffer(mbedtls_ssl_context *ssl)
{
CHECK_OK(esp_mbedtls_alloc_tx_buf(ssl, TX_IDLE_BUFFER_SIZE));
/* mark the out buffer has no data cached */
esp_mbedtls_set_buf_state(ssl->MBEDTLS_PRIVATE(out_buf), ESP_MBEDTLS_SSL_BUF_NO_CACHED);
return 0;
}
void esp_mbedtls_setup_rx_buffer(mbedtls_ssl_context *ssl)
{
ssl->MBEDTLS_PRIVATE(in_msg) = ssl->MBEDTLS_PRIVATE(in_buf) = NULL;
init_rx_buffer(ssl, NULL);
}
int esp_mbedtls_reset_add_tx_buffer(mbedtls_ssl_context *ssl)
{
return esp_mbedtls_alloc_tx_buf(ssl, MBEDTLS_SSL_OUT_BUFFER_LEN);
}
int esp_mbedtls_reset_free_tx_buffer(mbedtls_ssl_context *ssl)
{
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(out_buf));
init_tx_buffer(ssl, NULL);
CHECK_OK(esp_mbedtls_setup_tx_buffer(ssl));
return 0;
}
int esp_mbedtls_reset_add_rx_buffer(mbedtls_ssl_context *ssl)
{
struct esp_mbedtls_ssl_buf *esp_buf;
if (ssl->MBEDTLS_PRIVATE(in_buf)) {
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(in_buf));
ssl->MBEDTLS_PRIVATE(in_buf) = NULL;
}
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + MBEDTLS_SSL_IN_BUFFER_LEN);
if (!esp_buf) {
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + MBEDTLS_SSL_IN_BUFFER_LEN);
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
ESP_LOGV(TAG, "add in buffer %d bytes @ %p", MBEDTLS_SSL_IN_BUFFER_LEN, esp_buf->buf);
esp_mbedtls_init_ssl_buf(esp_buf, MBEDTLS_SSL_IN_BUFFER_LEN);
/**
* Mark the in_msg offset from ssl->MBEDTLS_PRIVATE(in_buf).
*
* In mbedtls, ssl->MBEDTLS_PRIVATE(in_msg) = ssl->MBEDTLS_PRIVATE(in_buf) + offset;
*/
ssl->MBEDTLS_PRIVATE(in_msg) = (unsigned char *)MBEDTLS_SSL_HEADER_LEN;
init_rx_buffer(ssl, esp_buf->buf);
return 0;
}
void esp_mbedtls_reset_free_rx_buffer(mbedtls_ssl_context *ssl)
{
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(in_buf));
init_rx_buffer(ssl, NULL);
}
int esp_mbedtls_add_tx_buffer(mbedtls_ssl_context *ssl, size_t buffer_len)
{
int ret = 0;
int cached = 0;
struct esp_mbedtls_ssl_buf *esp_buf;
unsigned char cache_buf[CACHE_BUFFER_SIZE];
ESP_LOGV(TAG, "--> add out");
if (ssl->MBEDTLS_PRIVATE(out_buf)) {
if (esp_mbedtls_get_buf_state(ssl->MBEDTLS_PRIVATE(out_buf)) == ESP_MBEDTLS_SSL_BUF_CACHED) {
ESP_LOGV(TAG, "out buffer is not empty");
ret = 0;
goto exit;
} else {
memcpy(cache_buf, ssl->MBEDTLS_PRIVATE(out_buf), CACHE_BUFFER_SIZE);
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(out_buf));
init_tx_buffer(ssl, NULL);
cached = 1;
}
}
buffer_len = tx_buffer_len(ssl, buffer_len);
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
if (!esp_buf) {
ESP_LOGE(TAG, "alloc(%zu bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
ESP_LOGV(TAG, "add out buffer %zu bytes @ %p", buffer_len, esp_buf->buf);
esp_mbedtls_init_ssl_buf(esp_buf, buffer_len);
init_tx_buffer(ssl, esp_buf->buf);
if (cached) {
memcpy(ssl->MBEDTLS_PRIVATE(out_ctr), cache_buf, COUNTER_SIZE);
memcpy(ssl->MBEDTLS_PRIVATE(out_iv), cache_buf + COUNTER_SIZE, CACHE_IV_SIZE);
}
ESP_LOGV(TAG, "ssl->MBEDTLS_PRIVATE(out_buf)=%p ssl->MBEDTLS_PRIVATE(out_msg)=%p", ssl->MBEDTLS_PRIVATE(out_buf), ssl->MBEDTLS_PRIVATE(out_msg));
exit:
ESP_LOGV(TAG, "<-- add out");
return ret;
}
int esp_mbedtls_free_tx_buffer(mbedtls_ssl_context *ssl)
{
int ret = 0;
unsigned char buf[CACHE_BUFFER_SIZE];
struct esp_mbedtls_ssl_buf *esp_buf;
ESP_LOGV(TAG, "--> free out");
if (!ssl->MBEDTLS_PRIVATE(out_buf) || (ssl->MBEDTLS_PRIVATE(out_buf) && (esp_mbedtls_get_buf_state(ssl->MBEDTLS_PRIVATE(out_buf)) == ESP_MBEDTLS_SSL_BUF_NO_CACHED))) {
ret = 0;
goto exit;
}
memcpy(buf, ssl->MBEDTLS_PRIVATE(out_ctr), COUNTER_SIZE);
memcpy(buf + COUNTER_SIZE, ssl->MBEDTLS_PRIVATE(out_iv), CACHE_IV_SIZE);
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(out_buf));
init_tx_buffer(ssl, NULL);
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + TX_IDLE_BUFFER_SIZE);
if (!esp_buf) {
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + TX_IDLE_BUFFER_SIZE);
return MBEDTLS_ERR_SSL_ALLOC_FAILED;
}
esp_mbedtls_init_ssl_buf(esp_buf, TX_IDLE_BUFFER_SIZE);
memcpy(esp_buf->buf, buf, CACHE_BUFFER_SIZE);
init_tx_buffer(ssl, esp_buf->buf);
esp_mbedtls_set_buf_state(ssl->MBEDTLS_PRIVATE(out_buf), ESP_MBEDTLS_SSL_BUF_NO_CACHED);
exit:
ESP_LOGV(TAG, "<-- free out");
return ret;
}
int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
{
int cached = 0;
int ret = 0;
int buffer_len;
struct esp_mbedtls_ssl_buf *esp_buf;
unsigned char cache_buf[16];
unsigned char msg_head[5];
size_t in_msglen, in_left;
ESP_LOGV(TAG, "--> add rx");
if (ssl->MBEDTLS_PRIVATE(in_buf)) {
if (esp_mbedtls_get_buf_state(ssl->MBEDTLS_PRIVATE(in_buf)) == ESP_MBEDTLS_SSL_BUF_CACHED) {
ESP_LOGV(TAG, "in buffer is not empty");
ret = 0;
goto exit;
} else {
cached = 1;
}
}
ssl->MBEDTLS_PRIVATE(in_hdr) = msg_head;
ssl->MBEDTLS_PRIVATE(in_len) = msg_head + 3;
if ((ret = mbedtls_ssl_fetch_input(ssl, mbedtls_ssl_in_hdr_len(ssl))) != 0) {
if (ret == MBEDTLS_ERR_SSL_TIMEOUT) {
ESP_LOGD(TAG, "mbedtls_ssl_fetch_input reads data times out");
} else if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
ESP_LOGD(TAG, "mbedtls_ssl_fetch_input wants to read more data");
} else {
ESP_LOGE(TAG, "mbedtls_ssl_fetch_input error=%d", -ret);
}
goto exit;
}
esp_mbedtls_parse_record_header(ssl);
in_left = ssl->MBEDTLS_PRIVATE(in_left);
in_msglen = ssl->MBEDTLS_PRIVATE(in_msglen);
buffer_len = tx_buffer_len(ssl, in_msglen);
ESP_LOGV(TAG, "message length is %d RX buffer length should be %d left is %d",
(int)in_msglen, (int)buffer_len, (int)ssl->MBEDTLS_PRIVATE(in_left));
if (cached) {
memcpy(cache_buf, ssl->MBEDTLS_PRIVATE(in_buf), 16);
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(in_buf));
init_rx_buffer(ssl, NULL);
}
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
if (!esp_buf) {
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + buffer_len);
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
ESP_LOGV(TAG, "add in buffer %d bytes @ %p", buffer_len, esp_buf->buf);
esp_mbedtls_init_ssl_buf(esp_buf, buffer_len);
init_rx_buffer(ssl, esp_buf->buf);
if (cached) {
memcpy(ssl->MBEDTLS_PRIVATE(in_ctr), cache_buf, 8);
memcpy(ssl->MBEDTLS_PRIVATE(in_iv), cache_buf + 8, 8);
}
memcpy(ssl->MBEDTLS_PRIVATE(in_hdr), msg_head, in_left);
ssl->MBEDTLS_PRIVATE(in_left) = in_left;
ssl->MBEDTLS_PRIVATE(in_msglen) = 0;
exit:
ESP_LOGV(TAG, "<-- add rx");
return ret;
}
int esp_mbedtls_free_rx_buffer(mbedtls_ssl_context *ssl)
{
int ret = 0;
unsigned char buf[16];
struct esp_mbedtls_ssl_buf *esp_buf;
ESP_LOGV(TAG, "--> free rx");
/**
* When have read multi messages once, can't free the input buffer directly.
*/
if (!ssl->MBEDTLS_PRIVATE(in_buf) || (ssl->MBEDTLS_PRIVATE(in_hslen) && (ssl->MBEDTLS_PRIVATE(in_hslen) < ssl->MBEDTLS_PRIVATE(in_msglen))) ||
(ssl->MBEDTLS_PRIVATE(in_buf) && (esp_mbedtls_get_buf_state(ssl->MBEDTLS_PRIVATE(in_buf)) == ESP_MBEDTLS_SSL_BUF_NO_CACHED))) {
ret = 0;
goto exit;
}
/**
* The previous processing is just skipped, so "ssl->MBEDTLS_PRIVATE(in_msglen) = 0"
*/
if (!ssl->MBEDTLS_PRIVATE(in_msgtype)
#if defined(MBEDTLS_SSL_SRV_C)
/**
* The ssl server read ClientHello manually without mbedtls_ssl_read_record(), so in_msgtype is not set and is zero.
* ClientHello has been processed and rx buffer should be freed.
* After processing ClientHello, the ssl state has been changed to MBEDTLS_SSL_SERVER_HELLO.
*/
&& !(ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(endpoint) == MBEDTLS_SSL_IS_SERVER && ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_SERVER_HELLO)
#endif
) {
goto exit;
}
memcpy(buf, ssl->MBEDTLS_PRIVATE(in_ctr), 8);
memcpy(buf + 8, ssl->MBEDTLS_PRIVATE(in_iv), 8);
esp_mbedtls_free_buf(ssl->MBEDTLS_PRIVATE(in_buf));
init_rx_buffer(ssl, NULL);
esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + 16);
if (!esp_buf) {
ESP_LOGE(TAG, "alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + 16);
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
esp_mbedtls_init_ssl_buf(esp_buf, 16);
memcpy(esp_buf->buf, buf, 16);
init_rx_buffer(ssl, esp_buf->buf);
esp_mbedtls_set_buf_state(ssl->MBEDTLS_PRIVATE(in_buf), ESP_MBEDTLS_SSL_BUF_NO_CACHED);
exit:
ESP_LOGV(TAG, "<-- free rx");
return ret;
}
size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
{
size_t n = 0;
size_t bytes = 0;
while (cert) {
bytes += cert->raw.len;
n++;
cert = cert->next;
}
*num = n;
return bytes;
}
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
{
#ifdef CONFIG_MBEDTLS_DHM_C
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_P));
mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_G));
#endif /* CONFIG_MBEDTLS_DHM_C */
}
void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
{
mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next;
while (keycert) {
next = keycert->next;
if (keycert) {
mbedtls_free(keycert);
}
keycert = next;
}
conf->MBEDTLS_PRIVATE(key_cert) = NULL;
}
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
{
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
while (keycert) {
if (keycert->key) {
mbedtls_pk_free(keycert->key);
keycert->key = NULL;
}
keycert = keycert->next;
}
}
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
{
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
while (keycert) {
if (keycert->cert) {
mbedtls_x509_crt_free(keycert->cert);
keycert->cert = NULL;
}
keycert = keycert->next;
}
}
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
{
if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
}
}
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */