diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index 2be611876d..53f10d7de1 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -449,7 +449,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t if (cfg->alpn_protos) { #ifdef CONFIG_MBEDTLS_SSL_ALPN - if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos) != 0)) { + if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos)) != 0) { ESP_LOGE(TAG, "mbedtls_ssl_conf_alpn_protocols returned -0x%x", -ret); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret); return ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED; @@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void) esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes) { +#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT + ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store"); + return ESP_FAIL; +#endif if (cacert_pem_buf == NULL) { ESP_LOGE(TAG, "cacert_pem_buf is null"); return ESP_ERR_INVALID_ARG; diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 2dd4e6d82f..fa2e9abeeb 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig 
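Review bot: In esp_mbedtls_set_global_ca_store (second hunk of esp_tls_mbedtls.c) the new guard reports an unsupported build configuration only at runtime and with the generic `ESP_FAIL`, so a caller that ignores the return value will presumably only notice later, when a connection expecting the global CA store finds none. Returning `ESP_ERR_NOT_SUPPORTED` would let callers tell this apart from a certificate parse failure. The `\n` embedded in the log string should be dropped, since it splits one tagged log entry across two lines. Placing the remainder of the body under `#else` would avoid leaving unreachable code behind the early return. The function body continues outside the hunk.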
@@ -115,17 +115,27 @@ menu "mbedTLS" Free peer certificate after its usage in handshake process. config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA - bool "Free certificate, key and DHM data after its usage" + bool "Free private key and DHM data after its usage" default n depends on MBEDTLS_DYNAMIC_BUFFER help - Free certificate, private key and DHM data after its usage in handshake process. + Free private key and DHM data after its usage in handshake process. The option will decrease heap cost when handshake, but also lead to problem: Becasue all certificate, private key and DHM data are freed so users should register certificate and private key to ssl config object again. + config MBEDTLS_DYNAMIC_FREE_CA_CERT + bool "Free SSL ca certificate after its usage" + default y + depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA + help + Free ca certificate after its usage in the handshake process. + This option will decrease the heap footprint for the TLS handshake, but may lead to a problem: + If the respective ssl object needs to perform the TLS handshake again, + the ca certificate should once again be registered to the ssl object. + config MBEDTLS_DEBUG bool "Enable mbedTLS debugging" default n diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c index 36896d386e..09f06d2520 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c @@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl) keycert = keycert->next; } } +#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */ +#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) { if (ssl->conf->ca_chain) { 
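Review bot: The help text left unchanged under MBEDTLS_DYNAMIC_FREE_CONFIG_DATA still says "all certificate, private key and DHM data are freed" (including the "Becasue" typo), which no longer matches the new prompt now that CA-certificate freeing has its own option; that sentence should be updated in the same change. The help for MBEDTLS_DYNAMIC_FREE_CA_CERT should also say that `esp_mbedtls_set_global_ca_store()` fails while the option is enabled, because with `default y` anyone who turns on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA loses the global CA store with no hint in menuconfig. Suggested extra help line: `Note: the esp-tls global CA store cannot be used while this option is enabled.`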
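Review bot: esp_mbedtls_free_cacert() in esp_mbedtls_dynamic_impl.c has no comment saying that it clears the CA chain held by the config object (`ssl->conf->ca_chain`) rather than something owned by the single `ssl` context, and now that it sits behind its own option that contract deserves a header comment. If the `mbedtls_ssl_config` is shared by several contexts, or the same context handshakes again, the chain is gone and the outcome depends on the configured authmode, so callers should be told to re-register the CA certificate first and to keep verification required so that a missing chain fails the handshake. Proposed comment: `/* Frees conf->ca_chain after the handshake; the CA cert must be set on the config again before any further handshake. */`. The same applies to the call sites in manage_resource() in esp_ssl_cli.c and esp_ssl_srv.c. The function body runs past the end of this hunk.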
@@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) conf->ca_chain = NULL; } } - -#endif +#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */ #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl) diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h index 8f4bb144cc..3cc20efaa7 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h @@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl); void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl); void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl); +#endif +#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl); #endif diff --git a/components/mbedtls/port/dynamic/esp_ssl_cli.c b/components/mbedtls/port/dynamic/esp_ssl_cli.c index 0a0997adcc..94ed064d6d 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_cli.c +++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c @@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) } else { CHECK_OK(esp_mbedtls_free_rx_buffer(ssl)); -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA +#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT esp_mbedtls_free_cacert(ssl); #endif } diff --git a/components/mbedtls/port/dynamic/esp_ssl_srv.c b/components/mbedtls/port/dynamic/esp_ssl_srv.c index c681e070c0..bc96dcfab0 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_srv.c +++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c @@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) } else { CHECK_OK(esp_mbedtls_free_rx_buffer(ssl)); -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA +#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT esp_mbedtls_free_cacert(ssl); #endif } 
diff --git a/components/protocomm/src/common/protocomm.c b/components/protocomm/src/common/protocomm.c
index 683e360903..cdfd8d7965 100644
--- a/components/protocomm/src/common/protocomm.c
+++ b/components/protocomm/src/common/protocomm.c
@@ -378,7 +378,7 @@ static int protocomm_version_handler(uint32_t session_id,
 /* Output is a non null terminated string with length specified */
 *outlen = strlen(pc->ver);
 *outbuf = malloc(*outlen);
- if (outbuf == NULL) {
+ if (*outbuf == NULL) {
 ESP_LOGE(TAG, "Failed to allocate memory for version response");
 return ESP_ERR_NO_MEM;
 }
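Review bot: On the allocation-failure path `*outlen` has already been set to `strlen(pc->ver)` while `*outbuf` is NULL, so a caller that uses the length before checking the return code would read through a null pointer; adding `*outlen = 0;` before `return ESP_ERR_NO_MEM;` keeps the two outputs consistent. An empty version string also turns this into `malloc(0)`, which may legitimately return NULL and would then be reported as out-of-memory. The handler's body starts and ends outside the hunk, so whether `pc->ver` can be NULL or empty at this point cannot be confirmed from here.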