From 37dba2486922accd23ecc7f639e29f23c0e6106a Mon Sep 17 00:00:00 2001
From: "harshal.patil" <harshal.patil@espressif.com>
Date: Wed, 9 Apr 2025 14:42:44 +0530
Subject: [PATCH] fix(esp-tls): Fix build failure when CONFIG_MBEDTLS_SHA1_C is
 disabled

---
 .../esp-tls/esp-tls-crypto/esp_tls_crypto.c   | 31 +++++++++++--
 components/esp_http_server/src/httpd_ws.c     | 45 +++++++++++++++----
 .../src/crypto/crypto_mbedtls.c               |  1 +
 3 files changed, 66 insertions(+), 11 deletions(-)

diff --git a/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c b/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
index c3a9a1b4fb..64e8246288 100644
--- a/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
+++ b/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -7,10 +7,12 @@
 #include "esp_tls_crypto.h"
 #include "esp_log.h"
 #include "esp_err.h"
-static const char *TAG = "esp_crypto";
+#include "sdkconfig.h"
+__attribute__((unused)) static const char *TAG = "esp_crypto";
 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
 #include "mbedtls/sha1.h"
 #include "mbedtls/base64.h"
+#include "mbedtls/error.h"
 #define _esp_crypto_sha1 esp_crypto_sha1_mbedtls
 #define _esp_crypto_base64_encode esp_crypto_bas64_encode_mbedtls
 #elif  CONFIG_ESP_TLS_USING_WOLFSSL
@@ -25,11 +27,34 @@ static int esp_crypto_sha1_mbedtls( const unsigned char *input,
                                     size_t ilen,
                                     unsigned char output[20])
 {
-    int ret = mbedtls_sha1(input, ilen, output);
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_sha1_context ctx;
+
+    mbedtls_sha1_init(&ctx);
+
+    if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_update(&ctx, input, ilen)) != 0) {
+        goto exit;
+    }
+
+    if ((ret = mbedtls_sha1_finish(&ctx, output)) != 0) {
+        goto exit;
+    }
+
+exit:
+    mbedtls_sha1_free(&ctx);
     if (ret != 0) {
         ESP_LOGE(TAG, "Error in calculating sha1 sum , Returned 0x%02X", ret);
     }
     return ret;
+#else
+    ESP_LOGE(TAG, "Please enable CONFIG_MBEDTLS_SHA1_C or CONFIG_MBEDTLS_HARDWARE_SHA to support SHA1 operations");
+    return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+#endif /*  CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA*/
 }
 
 static int esp_crypto_bas64_encode_mbedtls( unsigned char *dst, size_t dlen,
diff --git a/components/esp_http_server/src/httpd_ws.c b/components/esp_http_server/src/httpd_ws.c
index 01e16b62b6..bcf32cf9e6 100644
--- a/components/esp_http_server/src/httpd_ws.c
+++ b/components/esp_http_server/src/httpd_ws.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -13,10 +13,12 @@
 #include <esp_err.h>
 #include <mbedtls/sha1.h>
 #include <mbedtls/base64.h>
+#include <mbedtls/error.h>
 
 #include <esp_http_server.h>
 #include "esp_httpd_priv.h"
 #include "freertos/event_groups.h"
+#include "sdkconfig.h"
 
 #ifdef CONFIG_HTTPD_WS_SUPPORT
 
@@ -51,23 +53,23 @@ static const char *TAG="httpd_ws";
  */
 static const char ws_magic_uuid[] = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
 
-/* Checks if any subprotocols from the comma seperated list matches the supported one
+/* Checks if any subprotocols from the comma separated list matches the supported one
  *
  * Returns true if the response should contain a protocol field
 */
 
 /**
- * @brief Checks if any subprotocols from the comma seperated list matches the supported one
+ * @brief Checks if any subprotocols from the comma separated list matches the supported one
  *
  * @param supported_subprotocol[in] The subprotocol supported by the URI
- * @param subprotocol[in],  [in]: A comma seperate list of subprotocols requested
+ * @param subprotocol[in],  [in]: A comma separate list of subprotocols requested
  * @param buf_len Length of the buffer
  * @return true: found a matching subprotocol
  * @return false
  */
 static bool httpd_ws_get_response_subprotocol(const char *supported_subprotocol, char *subprotocol, size_t buf_len)
 {
-    /* Request didnt contain any subprotocols */
+    /* Request didn't contain any subprotocols */
     if (strnlen(subprotocol, buf_len) == 0) {
         return false;
     }
@@ -77,7 +79,7 @@ static bool httpd_ws_get_response_subprotocol(const char *supported_subprotocol,
         return false;
     }
 
-    /* Get first subprotocol from comma seperated list */
+    /* Get first subprotocol from comma separated list */
     char *rest = NULL;
     char *s = strtok_r(subprotocol, ", ", &rest);
     do {
@@ -143,7 +145,34 @@ esp_err_t httpd_ws_respond_server_handshake(httpd_req_t *req, const char *suppor
 
     /* Generate SHA-1 first and then encode to Base64 */
     size_t key_len = strlen(server_raw_text);
-    mbedtls_sha1((uint8_t *)server_raw_text, key_len, server_key_hash);
+
+#if CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    mbedtls_sha1_context ctx;
+    mbedtls_sha1_init(&ctx);
+
+    if ((ret = mbedtls_sha1_starts(&ctx)) != 0) {
+        goto sha_end;
+    }
+
+    if ((ret = mbedtls_sha1_update(&ctx, (uint8_t *)server_raw_text, key_len)) != 0) {
+        goto sha_end;
+    }
+
+    if ((ret = mbedtls_sha1_finish(&ctx, server_key_hash)) != 0) {
+        goto sha_end;
+    }
+
+sha_end:
+    mbedtls_sha1_free(&ctx);
+    if (ret != 0) {
+        ESP_LOGE(TAG, "Error in calculating SHA1 sum , returned 0x%02X", ret);
+        return ESP_FAIL;
+    }
+#else
+    ESP_LOGE(TAG, "Please enable CONFIG_MBEDTLS_SHA1_C or CONFIG_MBEDTLS_HARDWARE_SHA to support SHA1 operations");
+    return ESP_FAIL;
+#endif /* CONFIG_MBEDTLS_SHA1_C || CONFIG_MBEDTLS_HARDWARE_SHA */
 
     size_t encoded_len = 0;
     mbedtls_base64_encode((uint8_t *)server_key_encoded, sizeof(server_key_encoded), &encoded_len,
@@ -153,7 +182,7 @@ esp_err_t httpd_ws_respond_server_handshake(httpd_req_t *req, const char *suppor
 
     char subprotocol[50] = { '\0' };
     if (httpd_req_get_hdr_value_str(req, "Sec-WebSocket-Protocol", subprotocol, sizeof(subprotocol) - 1) == ESP_ERR_HTTPD_RESULT_TRUNC) {
-        ESP_LOGW(TAG, "Sec-WebSocket-Protocol length exceeded buffer size of %"NEWLIB_NANO_COMPAT_FORMAT", was trunctated", NEWLIB_NANO_COMPAT_CAST(sizeof(subprotocol)));
+        ESP_LOGW(TAG, "Sec-WebSocket-Protocol length exceeded buffer size of %"NEWLIB_NANO_COMPAT_FORMAT", was truncated", NEWLIB_NANO_COMPAT_CAST(sizeof(subprotocol)));
     }
 
 
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
index 5fe89410fa..028efd7f58 100644
--- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
@@ -7,6 +7,7 @@
 #include "esp_system.h"
 #endif
 
+#include <errno.h>
 #include "utils/includes.h"
 #include "utils/common.h"
 #include "crypto.h"