mbedtls: Added option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

- Removed code regarding MBEDTLS_DYNAMIC_FREE_PEER_CERT (config was kept for backward compatibility) - Combined mbedTLS v2.28.x related options under a separate Kconfig menu
2025-07-30 10:47:19 +02:00 · 2022-01-24 10:04:05 +05:30
parent 6957b4815a
commit df9f101792
5 changed files with 122 additions and 196 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -97,19 +97,12 @@ menu "mbedTLS"
            This defines maximum outgoing fragment length, overriding default
            maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN).
    config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
        bool "Variable SSL buffer length"
        default n
        help
            This enables the SSL buffer to be resized automatically
            based on the negotiated maximum fragment length in each direction.
    config MBEDTLS_DYNAMIC_BUFFER
        bool "Using dynamic TX/RX buffer"
        default n
        select MBEDTLS_ASYMMETRIC_CONTENT_LEN
        # Dynamic buffer feature is not supported with DTLS
-        depends on !MBEDTLS_SSL_PROTO_DTLS
+        depends on !MBEDTLS_SSL_PROTO_DTLS && !MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
        help
            Using dynamic TX/RX buffer. After enabling this option, mbedTLS will
            allocate TX buffer when need to send data and then free it if all data
@ -185,6 +178,111 @@ menu "mbedTLS"
        default 3 if MBEDTLS_DEBUG_LEVEL_DEBUG
        default 4 if MBEDTLS_DEBUG_LEVEL_VERBOSE
    menu "mbedTLS v2.28.x related"
        config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
            bool "Variable SSL buffer length"
            default n
            help
                This enables the SSL buffer to be resized automatically
                based on the negotiated maximum fragment length in each direction.
        config MBEDTLS_ECDH_LEGACY_CONTEXT
            bool "Use a backward compatible ECDH context (Experimental)"
            default y
            depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
            help
                Use the legacy ECDH context format.
                Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
                want to access ECDH context fields directly.
        config MBEDTLS_X509_TRUSTED_CERT_CALLBACK
            bool "Enable trusted certificate callbacks"
            default n
            help
                Enables users to configure the set of trusted certificates
                through a callback instead of a linked list.
                See mbedTLS documentation for required API and more details.
        config MBEDTLS_SSL_CONTEXT_SERIALIZATION
            bool "Enable serialization of the TLS context structures"
            default n
            help
                Enable serialization of the TLS context structures
                This is a local optimization in handling a single, potentially long-lived connection.
                See mbedTLS documentation for required API and more details.
                Disabling this option will save some code size.
        config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
            bool "Keep peer certificate after handshake completion"
            default y
            depends on !MBEDTLS_DYNAMIC_FREE_PEER_CERT
            help
                Keep the peer's certificate after completion of the handshake.
                Disabling this option will save about 4kB of heap and some code size.
                See mbedTLS documentation for required API and more details.
        menu "DTLS-based configurations"
            visible if MBEDTLS_SSL_PROTO_DTLS
            config MBEDTLS_SSL_DTLS_CONNECTION_ID
                bool "Support for the DTLS Connection ID extension"
                depends on MBEDTLS_SSL_PROTO_DTLS
                default n
                help
                    Enable support for the DTLS Connection ID extension which allows to
                    identify DTLS connections across changes in the underlying transport.
                    The Connection ID extension is still in draft state.
                    Refer: version draft-ietf-tls-dtls-connection-id-05
            config MBEDTLS_SSL_CID_IN_LEN_MAX
                int "Maximum length of CIDs used for incoming DTLS messages"
                default 32
                range 0 32
                depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
                help
                    Maximum length of CIDs used for incoming DTLS messages
            config MBEDTLS_SSL_CID_OUT_LEN_MAX
                int "Maximum length of CIDs used for outgoing DTLS messages"
                default 32
                range 0 32
                depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
                help
                    Maximum length of CIDs used for outgoing DTLS messages
            config MBEDTLS_SSL_CID_PADDING_GRANULARITY
                int "Record plaintext padding (for DTLS 1.2)"
                default 16
                range 0 32
                depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
                help
                    Controls the use of record plaintext padding when
                    using the Connection ID extension in DTLS 1.2.
                    The padding will always be chosen so that the length of the
                    padded plaintext is a multiple of the value of this option.
                    Notes:
                        A value of 1 means that no padding will be used for outgoing records.
                        On systems lacking division instructions, a power of two should be preferred.
            config MBEDTLS_SSL_DTLS_SRTP
                bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
                depends on MBEDTLS_SSL_PROTO_DTLS
                default n
                help
                    Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
                    See mbedTLS documentation for required API and more details.
                    Disabling this option will save some code size.
        endmenu
    endmenu
    menu "Certificate Bundle"
@ -233,15 +331,6 @@ menu "mbedTLS"
        help
            Enable "non-blocking" ECC operations that can return early and be resumed.
    config MBEDTLS_ECDH_LEGACY_CONTEXT
        bool "Use a backward compatible ECDH context (Experimental)"
        default y
        depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
        help
            Use the legacy ECDH context format.
            Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
            want to access ECDH context fields directly.
    config MBEDTLS_CMAC_C
        bool "Enable CMAC mode for block ciphers"
        default n
@ -719,94 +808,8 @@ menu "mbedTLS"
            help
                Support for parsing X.509 Certifificate Signing Requests
        config MBEDTLS_X509_TRUSTED_CERT_CALLBACK
            bool "Enable trusted certificate callbacks"
            default n
            help
                Enables users to configure the set of trusted certificates
                through a callback instead of a linked list.
                See mbedTLS documentation for required API and more details.
    endmenu # Certificates
    menu "DTLS-based configurations"
        visible if MBEDTLS_SSL_PROTO_DTLS
        config MBEDTLS_SSL_DTLS_CONNECTION_ID
            bool "Support for the DTLS Connection ID extension"
            depends on MBEDTLS_SSL_PROTO_DTLS
            default n
            help
                Enable support for the DTLS Connection ID extension which allows to
                identify DTLS connections across changes in the underlying transport.
                The Connection ID extension is still in draft state.
                Refer: version draft-ietf-tls-dtls-connection-id-05
        config MBEDTLS_SSL_CID_IN_LEN_MAX
            int "Maximum length of CIDs used for incoming DTLS messages"
            default 32
            range 0 32
            depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
            help
                Maximum length of CIDs used for incoming DTLS messages
        config MBEDTLS_SSL_CID_OUT_LEN_MAX
            int "Maximum length of CIDs used for outgoing DTLS messages"
            default 32
            range 0 32
            depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
            help
                Maximum length of CIDs used for outgoing DTLS messages
        config MBEDTLS_SSL_CID_PADDING_GRANULARITY
            int "Record plaintext padding (for DTLS 1.2)"
            default 16
            range 0 32
            depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
            help
                Controls the use of record plaintext padding when
                using the Connection ID extension in DTLS 1.2.
                The padding will always be chosen so that the length of the
                padded plaintext is a multiple of the value of this option.
                Notes:
                    A value of 1 means that no padding will be used for outgoing records.
                    On systems lacking division instructions, a power of two should be preferred.
        config MBEDTLS_SSL_DTLS_SRTP
            bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
            depends on MBEDTLS_SSL_PROTO_DTLS
            default n
            help
                Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
                See mbedTLS documentation for required API and more details.
                Disabling this option will save some code size.
    endmenu
    config MBEDTLS_SSL_CONTEXT_SERIALIZATION
        bool "Enable serialization of the TLS context structures"
        default n
        help
            Enable serialization of the TLS context structures
            This is a local optimization in handling a single, potentially long-lived connection.
            See mbedTLS documentation for required API and more details.
            Disabling this option will save some code size.
    config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
        bool "Keep peer certificate after handshake completion"
        default y
        help
            Keep the peer's certificate after completion of the handshake.
            Disabling this option will save about 4kB of heap and some code size.
            See mbedTLS documentation for required API and more details.
    menuconfig MBEDTLS_ECP_C
        bool  "Elliptic Curve Ciphers"
        default y
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
@ -1,16 +1,8 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+/*
-//
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
-// Licensed under the Apache License, Version 2.0 (the "License");
+ *
-// you may not use this file except in compliance with the License.
+ * SPDX-License-Identifier: Apache-2.0
-// You may obtain a copy of the License at
+ */
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 #include <string.h>
 #include "esp_mbedtls_dynamic_impl.h"
@ -531,27 +523,3 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
    }
 }
 #endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
 void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
 {
    if (ssl->session_negotiate->peer_cert) {
        mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
        mbedtls_free( ssl->session_negotiate->peer_cert );
        ssl->session_negotiate->peer_cert = NULL;
    }
 }
 bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl)
 {
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
        ssl->transform_negotiate->ciphersuite_info;
    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
        return true;
    } else {
        return false;
    }
 }
 #endif
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@ -86,10 +86,4 @@ void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
 #endif
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
 void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl);
 bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl);
 #endif
 #endif /* _DYNAMIC_IMPL_H_ */
--- a/components/mbedtls/port/dynamic/esp_ssl_cli.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c
@ -1,16 +1,8 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+/*
-//
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
-// Licensed under the Apache License, Version 2.0 (the "License");
+ *
-// you may not use this file except in compliance with the License.
+ * SPDX-License-Identifier: Apache-2.0
-// You may obtain a copy of the License at
+ */
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 #include <sys/param.h>
 #include <stdbool.h>
 #include "esp_mbedtls_dynamic_impl.h"
@ -72,19 +64,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
                if (!ssl->keep_current_message) {
                    CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
                }
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
                /**
                 * If current ciphersuite is RSA, we should free peer'
                 * certificate at step  MBEDTLS_SSL_CLIENT_KEY_EXCHANGE.
                 *
                 * And if it is other kinds of ciphersuite, we can free
                 * peer certificate here.
                 */
                if (esp_mbedtls_ssl_is_rsa(ssl) == false) {
                    esp_mbedtls_free_peer_cert(ssl);
                }
 #endif
            }
            break;
        case MBEDTLS_SSL_CERTIFICATE_REQUEST:
@ -133,12 +112,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
                size_t buffer_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
                CHECK_OK(esp_mbedtls_add_tx_buffer(ssl, buffer_len));
            } else {
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
                if (esp_mbedtls_ssl_is_rsa(ssl) == true) {
                    esp_mbedtls_free_peer_cert(ssl);
                }
 #endif
            }
            break;
        case MBEDTLS_SSL_CERTIFICATE_VERIFY:
--- a/components/mbedtls/port/dynamic/esp_ssl_srv.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c
@ -1,16 +1,8 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+/*
-//
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
-// Licensed under the Apache License, Version 2.0 (the "License");
+ *
-// you may not use this file except in compliance with the License.
+ * SPDX-License-Identifier: Apache-2.0
-// You may obtain a copy of the License at
+ */
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 #include <sys/param.h>
 #include "esp_mbedtls_dynamic_impl.h"
@ -136,10 +128,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
                CHECK_OK(esp_mbedtls_add_rx_buffer(ssl));
            } else {
                CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
                esp_mbedtls_free_peer_cert(ssl);
 #endif
            }
            break;
        case MBEDTLS_SSL_CLIENT_FINISHED: