From 636eb4b62f45c0173d2c987e0ea0d555c6e5d652 Mon Sep 17 00:00:00 2001 From: "hrushikesh.bhosale" Date: Mon, 23 Jun 2025 15:09:03 +0530 Subject: [PATCH] feat(mbedtls): Add configuration to control dynamic buffer strategy in mbedtls Problem: 1. In low-memory scenarios, the dynamic buffer feature can fail due to memory fragmentation. 2. It requires a contiguous 16KB heap chunk, but continuous allocation and deallocation of the RX buffer can lead to fragmentation. 3. If another component allocates memory between these operations, it can break up the available 16KB block, causing allocation failure. Solution: 1. Introduce configurable strategy for using dynamic buffers in TLS connections. 2. For example, convert RX buffers to static after the TLS handshake. 3. Allow users to select the strategy via a new field in the esp_http_client_cfg_t structure. 4. The strategy can be controlled independently for each TLS session. --- components/esp-tls/esp_tls.h | 27 +++++++--- components/esp-tls/esp_tls_mbedtls.c | 15 +++++- .../esp-tls/private_include/esp_tls_private.h | 4 ++ components/esp_http_client/esp_http_client.c | 10 ++++ .../esp_http_client/include/esp_http_client.h | 11 +++- .../port/dynamic/esp_mbedtls_dynamic_impl.c | 48 ++++++++++++++++- .../port/dynamic/esp_mbedtls_dynamic_impl.h | 7 ++- .../include/mbedtls/esp_mbedtls_dynamic.h | 28 ++++++++++ .../tcp_transport/include/esp_transport_ssl.h | 11 +++- components/tcp_transport/transport_ssl.c | 10 +++- .../simple_ota_example/main/Kconfig.projbuild | 9 ++++ .../main/simple_ota_example.c | 6 +++ .../simple_ota_example/pytest_simple_ota.py | 51 ++++++++++++++++++- .../sdkconfig.ci.tls1_2_dynamic | 15 ++++++ 14 files changed, 236 insertions(+), 16 deletions(-) create mode 100644 components/mbedtls/port/include/mbedtls/esp_mbedtls_dynamic.h create mode 100644 examples/system/ota/simple_ota_example/sdkconfig.ci.tls1_2_dynamic diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index b4a90b8f4c..a5ea2b354f 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -91,6 +91,12 @@ typedef enum { ESP_TLS_VER_TLS_MAX, /* to indicate max */ } esp_tls_proto_ver_t; +typedef enum { + ESP_TLS_DYN_BUF_RX_STATIC = 1, /*!< Strategy to disable dynamic RX buffer allocations and convert to static allocation post-handshake, reducing memory fragmentation */ + ESP_TLS_DYN_BUF_STRATEGY_MAX, /*!< to indicate max */ +} esp_tls_dyn_buf_strategy_t; + + /** * @brief ESP-TLS configuration parameters * @@ -211,6 +217,11 @@ typedef struct esp_tls_cfg { const int *ciphersuites_list; /*!< Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites. Please check the list validity by esp_tls_get_ciphersuites_list() API */ esp_tls_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */ + +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER + esp_tls_dyn_buf_strategy_t esp_tls_dyn_buf_strategy; /*!< ESP-TLS dynamic buffer strategy */ +#endif + } esp_tls_cfg_t; #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) @@ -464,7 +475,7 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t * - >=0 if write operation was successful, the return value is the number * of bytes actually written to the TLS/SSL connection. * - <0 if write operation was not successful, because either an - * error occured or an action must be taken by the calling process. + * error occurred or an action must be taken by the calling process. * - ESP_TLS_ERR_SSL_WANT_READ/ * ESP_TLS_ERR_SSL_WANT_WRITE. * if the handshake is incomplete and waiting for data to be available for reading. @@ -485,7 +496,7 @@ ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen); * - 0 if read operation was not successful. The underlying * connection was closed. * - <0 if read operation was not successful, because either an - * error occured or an action must be taken by the calling process. + * error occurred or an action must be taken by the calling process. */ ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen); @@ -537,7 +548,7 @@ esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd); * * @param[in] sockfd sockfd value to set. * - * @return - ESP_OK on success and value of sockfd for the tls connection shall updated withthe provided value + * @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value * - ESP_ERR_INVALID_ARG if (tls == NULL || sockfd < 0) */ esp_err_t esp_tls_set_conn_sockfd(esp_tls_t *tls, int sockfd); @@ -549,7 +560,7 @@ esp_err_t esp_tls_set_conn_sockfd(esp_tls_t *tls, int sockfd); * * @param[out] conn_state pointer to the connection state value. * - * @return - ESP_OK on success and value of sockfd for the tls connection shall updated withthe provided value + * @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value * - ESP_ERR_INVALID_ARG (Invalid arguments) */ esp_err_t esp_tls_get_conn_state(esp_tls_t *tls, esp_tls_conn_state_t *conn_state); @@ -561,7 +572,7 @@ esp_err_t esp_tls_get_conn_state(esp_tls_t *tls, esp_tls_conn_state_t *conn_stat * * @param[in] conn_state connection state value to set. * - * @return - ESP_OK on success and value of sockfd for the tls connection shall updated withthe provided value + * @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value * - ESP_ERR_INVALID_ARG (Invalid arguments) */ esp_err_t esp_tls_set_conn_state(esp_tls_t *tls, esp_tls_conn_state_t conn_state); @@ -586,7 +597,7 @@ void *esp_tls_get_ssl_context(esp_tls_t *tls); * * @return * - ESP_OK if creating global CA store was successful. - * - ESP_ERR_NO_MEM if an error occured when allocating the mbedTLS resources. + * - ESP_ERR_NO_MEM if an error occurred when allocating the mbedTLS resources. */ esp_err_t esp_tls_init_global_ca_store(void); @@ -605,7 +616,7 @@ esp_err_t esp_tls_init_global_ca_store(void); * * @return * - ESP_OK if adding certificates was successful. - * - Other if an error occured or an action must be taken by the calling process. + * - Other if an error occurred or an action must be taken by the calling process. */ esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes); diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index aab8c8d427..fd8cc5fe2a 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -19,7 +19,7 @@ #include #include "esp_log.h" #include "esp_check.h" - +#include "mbedtls/esp_mbedtls_dynamic.h" #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN #include "ecdsa/ecdsa_alt.h" #endif @@ -104,6 +104,10 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const mbedtls_ssl_conf_rng(&tls->conf, mbedtls_ctr_drbg_random, &tls->ctr_drbg); +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER + tls->esp_tls_dyn_buf_strategy = ((esp_tls_cfg_t *)cfg)->esp_tls_dyn_buf_strategy; +#endif + if (tls->role == ESP_TLS_CLIENT) { esp_ret = set_client_config(hostname, hostlen, (esp_tls_cfg_t *)cfg, tls); if (esp_ret != ESP_OK) { @@ -219,6 +223,15 @@ int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg) #endif ret = mbedtls_ssl_handshake(&tls->ssl); if (ret == 0) { +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER + if (tls->esp_tls_dyn_buf_strategy != 0) { + ret = esp_mbedtls_dynamic_set_rx_buf_static(&tls->ssl); + if (ret != 0) { + ESP_LOGE(TAG, "esp_mbedtls_dynamic_set_rx_buf_static returned -0x%04X", -ret); + return ret; + } + } +#endif tls->conn_state = ESP_TLS_DONE; #ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL diff --git a/components/esp-tls/private_include/esp_tls_private.h b/components/esp-tls/private_include/esp_tls_private.h index 4341557aaf..f42aa30f6e 100644 --- a/components/esp-tls/private_include/esp_tls_private.h +++ b/components/esp-tls/private_include/esp_tls_private.h @@ -94,6 +94,10 @@ struct esp_tls { esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */ +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER + esp_tls_dyn_buf_strategy_t esp_tls_dyn_buf_strategy; /*!< ESP-TLS dynamic buffer strategy */ +#endif + }; // Function pointer for the server configuration API diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c index 1b4652e222..077cabc3ce 100644 --- a/components/esp_http_client/esp_http_client.c +++ b/components/esp_http_client/esp_http_client.c @@ -34,6 +34,8 @@ static const char *TAG = "HTTP_CLIENT"; ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_ANY == (int)ESP_TLS_VER_ANY, "Enum mismatch in esp_http_client and esp-tls"); ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_MAX <= (int)ESP_TLS_VER_TLS_MAX, "HTTP client supported TLS is not supported in esp-tls"); +ESP_STATIC_ASSERT((int)HTTP_TLS_DYN_BUF_RX_STATIC == (int)ESP_TLS_DYN_BUF_RX_STATIC, "Enum mismatch in esp_http_client and esp-tls"); +ESP_STATIC_ASSERT((int)HTTP_TLS_DYN_BUF_STRATEGY_MAX <= (int)ESP_TLS_DYN_BUF_STRATEGY_MAX, "HTTP client supported TLS is not supported in esp-tls"); /** * HTTP Buffer @@ -767,6 +769,14 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co } esp_transport_ssl_set_tls_version(ssl, config->tls_version); +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER + /* When tls_dyn_buf_strategy is 0, mbedTLS dynamic buffer allocation uses default behavior. + * No need to call esp_transport_ssl_set_esp_tls_dyn_buf_strategy() in this case */ + if (config->tls_dyn_buf_strategy != 0 && config->tls_dyn_buf_strategy < HTTP_TLS_DYN_BUF_STRATEGY_MAX) { + esp_transport_ssl_set_esp_tls_dyn_buf_strategy(ssl, config->tls_dyn_buf_strategy); + } +#endif + #if CONFIG_ESP_TLS_USE_SECURE_ELEMENT if (config->use_secure_element) { esp_transport_ssl_use_secure_element(ssl); diff --git a/components/esp_http_client/include/esp_http_client.h b/components/esp_http_client/include/esp_http_client.h index 7defb04fe2..1ce8971f59 100644 --- a/components/esp_http_client/include/esp_http_client.h +++ b/components/esp_http_client/include/esp_http_client.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -137,6 +137,11 @@ typedef enum { HTTP_ADDR_TYPE_INET6 = AF_INET6, /**< IPv6 address family. */ } esp_http_client_addr_type_t; +typedef enum { + HTTP_TLS_DYN_BUF_RX_STATIC = 1, /*!< Strategy to disable dynamic RX buffer allocations and convert to static allocation post-handshake, reducing memory fragmentation */ + HTTP_TLS_DYN_BUF_STRATEGY_MAX, /*!< to indicate max */ +} esp_http_client_tls_dyn_buf_strategy_t; + /** * @brief HTTP configuration */ @@ -199,6 +204,10 @@ typedef struct { struct esp_transport_item_t *transport; #endif esp_http_client_addr_type_t addr_type; /*!< Address type used in http client configurations */ + +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER + esp_http_client_tls_dyn_buf_strategy_t tls_dyn_buf_strategy; /*!< TLS dynamic buffer strategy */ +#endif } esp_http_client_config_t; /** diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c index d76f6b5049..d3169d4758 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -18,6 +18,17 @@ #define TX_IDLE_BUFFER_SIZE (MBEDTLS_SSL_HEADER_LEN + CACHE_BUFFER_SIZE) +#define ESP_MBEDTLS_RETURN_IF_RX_BUF_STATIC(ssl) \ + do { \ + if (ssl->MBEDTLS_PRIVATE(in_buf)) { \ + esp_mbedtls_ssl_buf_states state = esp_mbedtls_get_buf_state(ssl->MBEDTLS_PRIVATE(in_buf)); \ + if (state == ESP_MBEDTLS_SSL_BUF_STATIC) { \ + return 0; \ + } \ + } \ + } while(0) + + static const char *TAG = "Dynamic Impl"; static void esp_mbedtls_set_buf_state(unsigned char *buf, esp_mbedtls_ssl_buf_states state) @@ -140,6 +151,29 @@ static void init_rx_buffer(mbedtls_ssl_context *ssl, unsigned char *buf) ssl->MBEDTLS_PRIVATE(in_left) = 0; } +esp_err_t esp_mbedtls_dynamic_set_rx_buf_static(mbedtls_ssl_context *ssl) +{ + unsigned char cache_buf[16]; + memcpy(cache_buf, ssl->MBEDTLS_PRIVATE(in_buf), 16); + esp_mbedtls_reset_free_rx_buffer(ssl); + + struct esp_mbedtls_ssl_buf *esp_buf; + int buffer_len = tx_buffer_len(ssl, MBEDTLS_SSL_IN_BUFFER_LEN); + esp_buf = mbedtls_calloc(1, SSL_BUF_HEAD_OFFSET_SIZE + buffer_len); + if (!esp_buf) { + ESP_LOGE(TAG, "rx buf alloc(%d bytes) failed", SSL_BUF_HEAD_OFFSET_SIZE + buffer_len); + return ESP_ERR_NO_MEM; + } + esp_mbedtls_init_ssl_buf(esp_buf, buffer_len); + init_rx_buffer(ssl, esp_buf->buf); + + memcpy(ssl->MBEDTLS_PRIVATE(in_ctr), cache_buf, 8); + memcpy(ssl->MBEDTLS_PRIVATE(in_iv), cache_buf + 8, 8); + esp_mbedtls_set_buf_state(ssl->MBEDTLS_PRIVATE(in_buf), ESP_MBEDTLS_SSL_BUF_STATIC); + return ESP_OK; + +} + static int esp_mbedtls_alloc_tx_buf(mbedtls_ssl_context *ssl, int len) { struct esp_mbedtls_ssl_buf *esp_buf; @@ -324,6 +358,12 @@ exit: int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl) { + /* + * If RX buffer is set to static mode, this macro will return early + * and skip dynamic buffer allocation logic below + */ + ESP_MBEDTLS_RETURN_IF_RX_BUF_STATIC(ssl); + int cached = 0; int ret = 0; int buffer_len; @@ -403,6 +443,12 @@ exit: int esp_mbedtls_free_rx_buffer(mbedtls_ssl_context *ssl) { + /* + * If RX buffer is set to static mode, this macro will return early + * and skip dynamic buffer free logic below + */ + ESP_MBEDTLS_RETURN_IF_RX_BUF_STATIC(ssl); + int ret = 0; unsigned char buf[16]; struct esp_mbedtls_ssl_buf *esp_buf; diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h index ad7a716be5..54409766f5 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -26,6 +26,8 @@ #include "esp_log.h" #include "sdkconfig.h" +#include "mbedtls/esp_mbedtls_dynamic.h" + #define TRACE_CHECK(_fn, _state) \ ({ \ ESP_LOGV(TAG, "%d " _state " to do \"%s\"", __LINE__, # _fn); \ @@ -48,8 +50,9 @@ }) typedef enum { - ESP_MBEDTLS_SSL_BUF_CACHED, + ESP_MBEDTLS_SSL_BUF_CACHED = 0, ESP_MBEDTLS_SSL_BUF_NO_CACHED, + ESP_MBEDTLS_SSL_BUF_STATIC, } esp_mbedtls_ssl_buf_states; struct esp_mbedtls_ssl_buf { diff --git a/components/mbedtls/port/include/mbedtls/esp_mbedtls_dynamic.h b/components/mbedtls/port/include/mbedtls/esp_mbedtls_dynamic.h new file mode 100644 index 0000000000..2c00be33c7 --- /dev/null +++ b/components/mbedtls/port/include/mbedtls/esp_mbedtls_dynamic.h @@ -0,0 +1,28 @@ +/* + * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +#include "mbedtls/ssl.h" +#include "esp_err.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @brief Set the dynamic buffer rx statically after the handshake. This is to avoid frequent allocation and deallocation of dynamic buffer. + * + * @param ssl mbedtls ssl context + * @return esp_err_t + * - ESP_OK: Successfully set the rx buffer to static + * - ESP_ERR_NO_MEM: Failed to allocate memory for the rx buffer + */ +esp_err_t esp_mbedtls_dynamic_set_rx_buf_static(mbedtls_ssl_context *ssl); + +#ifdef __cplusplus +} +#endif diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h index ad339396ff..32020d5ce2 100644 --- a/components/tcp_transport/include/esp_transport_ssl.h +++ b/components/tcp_transport/include/esp_transport_ssl.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -61,6 +61,15 @@ void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((* */ void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t); +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER +/** + * @brief Set ESP-TLS dynamic buffer strategy for ESP-TLS connection + * + * @param t ssl transport + * @param[in] strategy ESP-TLS dynamic buffer strategy + */ +void esp_transport_ssl_set_esp_tls_dyn_buf_strategy(esp_transport_handle_t t, esp_tls_dyn_buf_strategy_t strategy); +#endif /** * @brief Set TLS protocol version for ESP-TLS connection * diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c index b9e9b38878..b7af7a12b6 100644 --- a/components/tcp_transport/transport_ssl.c +++ b/components/tcp_transport/transport_ssl.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -350,6 +350,14 @@ void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t) ssl->cfg.use_global_ca_store = true; } +#if CONFIG_MBEDTLS_DYNAMIC_BUFFER +void esp_transport_ssl_set_esp_tls_dyn_buf_strategy(esp_transport_handle_t t, esp_tls_dyn_buf_strategy_t strategy) +{ + GET_SSL_FROM_TRANSPORT_OR_RETURN(ssl, t); + ssl->cfg.esp_tls_dyn_buf_strategy = strategy; +} +#endif + void esp_transport_ssl_set_tls_version(esp_transport_handle_t t, esp_tls_proto_ver_t tls_version) { GET_SSL_FROM_TRANSPORT_OR_RETURN(ssl, t); diff --git a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild index 491d78429c..4404a99f44 100644 --- a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild +++ b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild @@ -51,4 +51,13 @@ menu "Example Configuration" help Select ethernet interface to pass the OTA data. endchoice + + config EXAMPLE_TLS_DYN_BUF_RX_STATIC + bool "Use static rx buffer for dynamic buffer after TLS handshake" + depends on MBEDTLS_DYNAMIC_BUFFER + default n + help + This converts the dynamic RX buffer to static allocation after the TLS handshake + is complete. This reduces memory fragmentation by avoiding repeated dynamic + allocations during data transfer. endmenu diff --git a/examples/system/ota/simple_ota_example/main/simple_ota_example.c b/examples/system/ota/simple_ota_example/main/simple_ota_example.c index e3e8c732cb..52e1bac6bb 100644 --- a/examples/system/ota/simple_ota_example/main/simple_ota_example.c +++ b/examples/system/ota/simple_ota_example/main/simple_ota_example.c @@ -101,6 +101,12 @@ void simple_ota_example_task(void *pvParameter) #ifdef CONFIG_EXAMPLE_FIRMWARE_UPGRADE_BIND_IF .if_name = &ifr, #endif +#if CONFIG_EXAMPLE_TLS_DYN_BUF_RX_STATIC + /* This part applies static buffer strategy for rx dynamic buffer. + * This is to avoid frequent allocation and deallocation of dynamic buffer. + */ + .tls_dyn_buf_strategy = HTTP_TLS_DYN_BUF_RX_STATIC, +#endif /* CONFIG_EXAMPLE_TLS_DYN_BUF_RX_STATIC */ }; #ifdef CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN diff --git a/examples/system/ota/simple_ota_example/pytest_simple_ota.py b/examples/system/ota/simple_ota_example/pytest_simple_ota.py index f4b005939e..ad9959b449 100644 --- a/examples/system/ota/simple_ota_example/pytest_simple_ota.py +++ b/examples/system/ota/simple_ota_example/pytest_simple_ota.py @@ -1,4 +1,4 @@ -# SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD +# SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 import http.server import multiprocessing @@ -6,6 +6,7 @@ import os import ssl import subprocess import sys +from typing import Any from typing import Optional from typing import Tuple @@ -13,6 +14,7 @@ import pexpect import pytest from pytest_embedded import Dut + try: from common_test_methods import get_env_config_variable, get_host_ip4_by_dest_ip except ModuleNotFoundError: @@ -130,6 +132,20 @@ def calc_all_sha256(dut: Dut) -> Tuple[str, str]: return str(sha256_bootloader), str(sha256_app) +def setting_connection(dut: Dut, env_name: Optional[str] = None) -> Any: + if env_name is not None and dut.app.sdkconfig.get('EXAMPLE_WIFI_SSID_PWD_FROM_STDIN') is True: + dut.expect('Please input ssid password:') + ap_ssid = get_env_config_variable(env_name, 'ap_ssid') + ap_password = get_env_config_variable(env_name, 'ap_password') + dut.write(f'{ap_ssid} {ap_password}') + try: + ip_address = dut.expect(r'IPv4 address: (\d+\.\d+\.\d+\.\d+)[^\d]', timeout=30)[1].decode() + print(f'Connected to AP/Ethernet with IP: {ip_address}') + except pexpect.exceptions.TIMEOUT: + raise ValueError('ENV_TEST_FAILURE: Cannot connect to AP/Ethernet') + return get_host_ip4_by_dest_ip(ip_address) + + @pytest.mark.esp32 @pytest.mark.esp32c3 @pytest.mark.esp32s3 @@ -387,6 +403,39 @@ def test_examples_protocol_simple_ota_example_tls1_3(dut: Dut) -> None: tls1_3_server.kill() +@pytest.mark.esp32 +@pytest.mark.ethernet_ota +@pytest.mark.parametrize('config', ['tls1_2_dynamic',], indirect=True) +def test_examples_protocol_simple_ota_example_tls1_2_dynamic(dut: Dut) -> None: + """ + steps: | + 1. join AP/Ethernet + 2. Fetch OTA image over HTTPS + 3. Reboot with the new OTA image + """ + sha256_bootloader, sha256_app = calc_all_sha256(dut) + # Start server + thread1 = multiprocessing.Process(target=start_https_server, args=(dut.app.binary_path, '0.0.0.0', 8001)) + thread1.daemon = True + thread1.start() + try: + # start test + dut.expect(f'Loaded app from partition at offset 0x10000', timeout=30) + check_sha256(sha256_bootloader, str(dut.expect(r'SHA-256 for bootloader:\s+([a-f0-9]){64}')[0])) + check_sha256(sha256_app, str(dut.expect(r'SHA-256 for current firmware:\s+([a-f0-9]){64}')[0])) + + host_ip = setting_connection(dut) + + dut.expect('Starting OTA example task', timeout=30) + dut.write(f'https://{host_ip}:8001/simple_ota.bin') + dut.expect('OTA Succeed, Rebooting...', timeout=120) + # after reboot + dut.expect(f'Loaded app from partition at offset 0x110000', timeout=30) + dut.expect('OTA example app_main start', timeout=10) + finally: + thread1.terminate() + + if __name__ == '__main__': if sys.argv[2:]: # if two or more arguments provided: # Usage: pytest_simple_ota.py [cert_di>] diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci.tls1_2_dynamic b/examples/system/ota/simple_ota_example/sdkconfig.ci.tls1_2_dynamic new file mode 100644 index 0000000000..e8bc3efead --- /dev/null +++ b/examples/system/ota/simple_ota_example/sdkconfig.ci.tls1_2_dynamic @@ -0,0 +1,15 @@ +CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL="FROM_STDIN" +CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK=y +CONFIG_EXAMPLE_CONNECT_ETHERNET=y +CONFIG_EXAMPLE_CONNECT_WIFI=n +CONFIG_EXAMPLE_USE_INTERNAL_ETHERNET=y +CONFIG_EXAMPLE_ETH_PHY_IP101=y +CONFIG_EXAMPLE_ETH_MDC_GPIO=23 +CONFIG_EXAMPLE_ETH_MDIO_GPIO=18 +CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5 +CONFIG_EXAMPLE_ETH_PHY_ADDR=1 +CONFIG_EXAMPLE_CONNECT_IPV6=y +CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y +CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y +CONFIG_MBEDTLS_DYNAMIC_BUFFER=y +CONFIG_EXAMPLE_TLS_DYN_BUF_RX_STATIC=y