espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-04 21:24:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/fix_ds_peripheral_rsa_ctx_stack_init' into 'release/v5.1'

Browse Source 
fix(esp_tls): Allocate DS peripheral RSA ALT context on heap for safe usage

See merge request espressif/esp-idf!40436
This commit is contained in:
Mahavir Jain
2025-07-14 15:09:16 +05:30
parent 114c7fc2a5 e609b6fb10
commit 211668cc65
1 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
components/esp-tls/esp_tls_mbedtls.c
View File

@@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@@ -39,6 +39,7 @@ static esp_err_t esp_set_atecc608a_pki_context(esp_tls_t *tls, const void *pki);
#endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */ #endif /* CONFIG_ESP_TLS_USE_SECURE_ELEMENT */
#if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL) #if defined(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
#include <pk_wrap.h>
#include "rsa_sign_alt.h" #include "rsa_sign_alt.h"
static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki); static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki);
#endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */ #endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */
@@ -359,6 +360,18 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
#endif #endif
mbedtls_x509_crt_free(&tls->cacert); mbedtls_x509_crt_free(&tls->cacert);
mbedtls_x509_crt_free(&tls->clientcert); mbedtls_x509_crt_free(&tls->clientcert);
#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
if (mbedtls_pk_get_type(&tls->clientkey) == MBEDTLS_PK_RSA_ALT) {
mbedtls_rsa_alt_context *rsa_alt = tls->clientkey.MBEDTLS_PRIVATE(pk_ctx);
if (rsa_alt && rsa_alt->key != NULL) {
mbedtls_rsa_free(rsa_alt->key);
mbedtls_free(rsa_alt->key);
rsa_alt->key = NULL;
}
}
#endif
mbedtls_pk_free(&tls->clientkey); mbedtls_pk_free(&tls->clientkey);
mbedtls_entropy_free(&tls->entropy); mbedtls_entropy_free(&tls->entropy);
mbedtls_ssl_config_free(&tls->conf); mbedtls_ssl_config_free(&tls->conf);
@@ -1097,12 +1110,18 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
{ {
int ret = -1; int ret = -1;
/* initialize the mbedtls pk context with rsa context */ /* initialize the mbedtls pk context with rsa context */
mbedtls_rsa_context rsakey; mbedtls_rsa_context *rsakey = calloc(1, sizeof(mbedtls_rsa_context));
mbedtls_rsa_init(&rsakey); if (rsakey == NULL) {
if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, &rsakey, NULL, esp_ds_rsa_sign, ESP_LOGE(TAG, "Failed to allocate memory for mbedtls_rsa_context");
return ESP_ERR_NO_MEM;
}
mbedtls_rsa_init(rsakey);
if ((ret = mbedtls_pk_setup_rsa_alt(((const esp_tls_pki_t*)pki)->pk_key, rsakey, NULL, esp_ds_rsa_sign,
esp_ds_get_keylen )) != 0) { esp_ds_get_keylen )) != 0) {
ESP_LOGE(TAG, "Error in mbedtls_pk_setup_rsa_alt, returned -0x%04X", -ret); ESP_LOGE(TAG, "Error in mbedtls_pk_setup_rsa_alt, returned -0x%04X", -ret);
mbedtls_print_error_msg(ret); mbedtls_print_error_msg(ret);
mbedtls_rsa_free(rsakey);
free(rsakey);
ret = ESP_FAIL; ret = ESP_FAIL;
goto exit; goto exit;
} }
@@ -1113,7 +1132,6 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki)
} }
ESP_LOGD(TAG, "DS peripheral params initialized."); ESP_LOGD(TAG, "DS peripheral params initialized.");
exit: exit:
mbedtls_rsa_free(&rsakey);
return ret; return ret;
} }
#endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */ #endif /* CONFIG_ESP_TLS_USE_DS_PERIPHERAL */