espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-31 19:24:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request_v4.3' into 'release/v4.3'

Browse Source 
fix(esp_tls): prevent freeing global CA store after each request (v4.3)

See merge request espressif/esp-idf!12630
This commit is contained in:
Mahavir Jain
2021-03-08 04:59:19 +00:00
parent cf7891cb93 962ea61d53
commit c5f8fbea02
7 changed files with 25 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
components/esp-tls/esp_tls_mbedtls.c
View File

@@ -449,7 +449,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
if (cfg->alpn_protos) { if (cfg->alpn_protos) {
#ifdef CONFIG_MBEDTLS_SSL_ALPN #ifdef CONFIG_MBEDTLS_SSL_ALPN
if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos) != 0)) { if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_conf_alpn_protocols returned -0x%x", -ret); ESP_LOGE(TAG, "mbedtls_ssl_conf_alpn_protocols returned -0x%x", -ret);
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
return ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED; return ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED;
@@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes) esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
{ {
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
return ESP_FAIL;
#endif
if (cacert_pem_buf == NULL) { if (cacert_pem_buf == NULL) {
ESP_LOGE(TAG, "cacert_pem_buf is null"); ESP_LOGE(TAG, "cacert_pem_buf is null");
return ESP_ERR_INVALID_ARG; return ESP_ERR_INVALID_ARG;

14
components/mbedtls/Kconfig
View File

@@ -115,17 +115,27 @@ menu "mbedTLS"
Free peer certificate after its usage in handshake process. Free peer certificate after its usage in handshake process.
config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
bool "Free certificate, key and DHM data after its usage" bool "Free private key and DHM data after its usage"
default n default n
depends on MBEDTLS_DYNAMIC_BUFFER depends on MBEDTLS_DYNAMIC_BUFFER
help help
Free certificate, private key and DHM data after its usage in handshake process. Free private key and DHM data after its usage in handshake process.
The option will decrease heap cost when handshake, but also lead to problem: The option will decrease heap cost when handshake, but also lead to problem:
Becasue all certificate, private key and DHM data are freed so users should register Becasue all certificate, private key and DHM data are freed so users should register
certificate and private key to ssl config object again. certificate and private key to ssl config object again.
config MBEDTLS_DYNAMIC_FREE_CA_CERT
bool "Free SSL ca certificate after its usage"
default y
depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
help
Free ca certificate after its usage in the handshake process.
This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
If the respective ssl object needs to perform the TLS handshake again,
the ca certificate should once again be registered to the ssl object.
config MBEDTLS_DEBUG config MBEDTLS_DEBUG
bool "Enable mbedTLS debugging" bool "Enable mbedTLS debugging"
default n default n

5
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
View File

@@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
keycert = keycert->next; keycert = keycert->next;
} }
} }
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
{ {
if (ssl->conf->ca_chain) { if (ssl->conf->ca_chain) {
@@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
conf->ca_chain = NULL; conf->ca_chain = NULL;
} }
} }
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
#endif
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl) void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)

2
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
View File

@@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl); void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl); void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
#endif
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl); void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
#endif #endif

2
components/mbedtls/port/dynamic/esp_ssl_cli.c
View File

@@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
} else { } else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl)); CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
esp_mbedtls_free_cacert(ssl); esp_mbedtls_free_cacert(ssl);
#endif #endif
} }

2
components/mbedtls/port/dynamic/esp_ssl_srv.c
View File

@@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
} else { } else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl)); CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
esp_mbedtls_free_cacert(ssl); esp_mbedtls_free_cacert(ssl);
#endif #endif
} }

2
components/protocomm/src/common/protocomm.c
View File

@@ -378,7 +378,7 @@ static int protocomm_version_handler(uint32_t session_id,
/* Output is a non null terminated string with length specified */ /* Output is a non null terminated string with length specified */
*outlen = strlen(pc->ver); *outlen = strlen(pc->ver);
*outbuf = malloc(*outlen); *outbuf = malloc(*outlen);
if (outbuf == NULL) { if (*outbuf == NULL) {
ESP_LOGE(TAG, "Failed to allocate memory for version response"); ESP_LOGE(TAG, "Failed to allocate memory for version response");
return ESP_ERR_NO_MEM; return ESP_ERR_NO_MEM;
} }