Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request_v4.3' into 'release/v4.3'

fix(esp_tls): prevent freeing global CA store after each request (v4.3)

See merge request espressif/esp-idf!12630

components/esp-tls/esp_tls_mbedtls.c

@@ -449,7 +449,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 
     if (cfg->alpn_protos) {
 #ifdef CONFIG_MBEDTLS_SSL_ALPN
-        if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos) != 0)) {
+        if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos)) != 0) {
             ESP_LOGE(TAG, "mbedtls_ssl_conf_alpn_protocols returned -0x%x", -ret);
             ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
             return ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED;
@@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
 
 esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
 {
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
+    ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
+    return ESP_FAIL;
+#endif
     if (cacert_pem_buf == NULL) {
         ESP_LOGE(TAG, "cacert_pem_buf is null");
         return ESP_ERR_INVALID_ARG;

components/mbedtls/Kconfig

@@ -115,17 +115,27 @@ menu "mbedTLS"
             Free peer certificate after its usage in handshake process.
 
     config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
-        bool "Free certificate, key and DHM data after its usage"
+        bool "Free private key and DHM data after its usage"
         default n
         depends on MBEDTLS_DYNAMIC_BUFFER
         help
-            Free certificate, private key and DHM data after its usage in handshake process.
+            Free private key and DHM data after its usage in handshake process.
 
             The option will decrease heap cost when handshake, but also lead to problem:
 
             Becasue all certificate, private key and DHM data are freed so users should register
             certificate and private key to ssl config object again.
 
+    config MBEDTLS_DYNAMIC_FREE_CA_CERT
+        bool "Free SSL ca certificate after its usage"
+        default y
+        depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+        help
+            Free ca certificate after its usage in the handshake process.
+            This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
+            If the respective ssl object needs to perform the TLS handshake again,
+            the ca certificate should once again be registered to the ssl object.
+
     config MBEDTLS_DEBUG
         bool "Enable mbedTLS debugging"
         default n

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c

@@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
         keycert = keycert->next;
     }
 }
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
 
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
 {
     if (ssl->conf->ca_chain) {
@@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
         conf->ca_chain = NULL;
     }
 }
-
-#endif
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
 
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
 void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h

@@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
 void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
 
 void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
+#endif
 
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
 #endif
 

components/mbedtls/port/dynamic/esp_ssl_cli.c

@@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
             } else {
                 CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 
-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                 esp_mbedtls_free_cacert(ssl);
 #endif
             }

components/mbedtls/port/dynamic/esp_ssl_srv.c

@@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
             } else {
                 CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 
-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                 esp_mbedtls_free_cacert(ssl);
 #endif
             }

components/protocomm/src/common/protocomm.c

@@ -378,7 +378,7 @@ static int protocomm_version_handler(uint32_t session_id,
     /* Output is a non null terminated string with length specified */
     *outlen = strlen(pc->ver);
     *outbuf = malloc(*outlen);
-    if (outbuf == NULL) {
+    if (*outbuf == NULL) {
         ESP_LOGE(TAG, "Failed to allocate memory for version response");
         return ESP_ERR_NO_MEM;
     }