
Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request_v4.3' into 'release/v4.3'

fix(esp_tls): prevent freeing global CA store after each request (v4.3)

See merge request espressif/esp-idf!12630
Mahavir Jain vor 5 Jahren
Ursprung
Commit
c5f8fbea02

+ 5 - 1
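--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -449,7 +449,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 
     if (cfg->alpn_protos) {
 #ifdef CONFIG_MBEDTLS_SSL_ALPN
-        if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos) != 0)) {
+        if ((ret = mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos)) != 0) {
             ESP_LOGE(TAG, "mbedtls_ssl_conf_alpn_protocols returned -0x%x", -ret);
             ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
             return ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED;
@@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
 
 esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
 {
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
+    ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
+    return ESP_FAIL;
+#endif
     if (cacert_pem_buf == NULL) {
         ESP_LOGE(TAG, "cacert_pem_buf is null");
         return ESP_ERR_INVALID_ARG;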
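Review bot: The early `return ESP_FAIL;` inside `#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT` in esp_mbedtls_set_global_ca_store leaves the rest of the function compiled but unreachable when the option is set; putting the existing body under `#else` avoids the dead code and any unreachable-code warnings. A more specific code such as `ESP_ERR_NOT_SUPPORTED` would let callers tell a configuration conflict from a certificate parse failure, and the `\n ` embedded in the log string will split the message across two log lines. Since the new option defaults to y in Kconfig, a caller that ignores this return value would presumably carry on without a global CA store, so the failure should be hard to miss. The function body continues outside the hunk.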

+ 12 - 2
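--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -115,17 +115,27 @@ menu "mbedTLS"
             Free peer certificate after its usage in handshake process.
 
     config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
-        bool "Free certificate, key and DHM data after its usage"
+        bool "Free private key and DHM data after its usage"
         default n
         depends on MBEDTLS_DYNAMIC_BUFFER
         help
-            Free certificate, private key and DHM data after its usage in handshake process.
+            Free private key and DHM data after its usage in handshake process.
 
             The option will decrease heap cost when handshake, but also lead to problem:
 
             Becasue all certificate, private key and DHM data are freed so users should register
             certificate and private key to ssl config object again.
 
+    config MBEDTLS_DYNAMIC_FREE_CA_CERT
+        bool "Free SSL ca certificate after its usage"
+        default y
+        depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+        help
+            Free ca certificate after its usage in the handshake process.
+            This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
+            If the respective ssl object needs to perform the TLS handshake again,
+            the ca certificate should once again be registered to the ssl object.
+
     config MBEDTLS_DEBUG
         bool "Enable mbedTLS debugging"
         default n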
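Review bot: The help text of MBEDTLS_DYNAMIC_FREE_CA_CERT does not mention that enabling it makes `esp_mbedtls_set_global_ca_store()` return an error, which is the user-visible consequence of this commit; a line such as `Enabling this option makes the esp-tls global CA store unavailable.` belongs in the help. The retained help of MBEDTLS_DYNAMIC_FREE_CONFIG_DATA still reads `Becasue all certificate, private key and DHM data are freed`, which no longer matches the new prompt `Free private key and DHM data after its usage`. With `default y`, every project that already enables MBEDTLS_DYNAMIC_FREE_CONFIG_DATA gets the new option without opting in, so the help text is the only place where the interaction is explained.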

+ 3 - 2
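--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
@@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
         keycert = keycert->next;
     }
 }
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
 
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
 {
     if (ssl->conf->ca_chain) {
@@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
         conf->ca_chain = NULL;
     }
 }
-
-#endif
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
 
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
 void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)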
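Review bot: esp_mbedtls_free_cacert has no comment stating its ownership assumption: the visible lines test `ssl->conf->ca_chain` and then set `conf->ca_chain = NULL`, and the function name says the chain is released in between, so the chain has to belong to this configuration alone. I would add above the function `/* Frees the CA chain referenced by ssl->conf; the chain must not be shared with another config or a global store. */`. The middle of the body lies between the two hunks and is not visible, so how the chain is released is inferred rather than read.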

+ 2 - 0
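--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
@@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
 void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
 
 void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
+#endif
 
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
 #endif
 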

+ 1 - 1
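--- a/components/mbedtls/port/dynamic/esp_ssl_cli.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c
@@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
             } else {
                 CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 
-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                 esp_mbedtls_free_cacert(ssl);
 #endif
             }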
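Review bot: The call `esp_mbedtls_free_cacert(ssl);` in manage_resource carries no comment on what it costs: per the Kconfig help, once the CA chain is freed a second handshake on the same ssl object needs the CA certificate registered again. A comment such as `/* CA chain is released here; re-register it before any re-handshake on this ssl object */` would say so at the call site, and the same applies to the identical hunk in esp_ssl_srv.c. On the server side it is worth confirming that the mbedtls_ssl_config is not shared between sessions, since esp_mbedtls_free_cacert works through `ssl->conf`; that cannot be checked from these hunks. manage_resource starts and ends outside the hunk.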

+ 1 - 1
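--- a/components/mbedtls/port/dynamic/esp_ssl_srv.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c
@@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
             } else {
                 CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 
-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                 esp_mbedtls_free_cacert(ssl);
 #endif
             }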

+ 1 - 1
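--- a/components/protocomm/src/common/protocomm.c
+++ b/components/protocomm/src/common/protocomm.c
@@ -378,7 +378,7 @@ static int protocomm_version_handler(uint32_t session_id,
     /* Output is a non null terminated string with length specified */
     *outlen = strlen(pc->ver);
     *outbuf = malloc(*outlen);
-    if (outbuf == NULL) {
+    if (*outbuf == NULL) {
         ESP_LOGE(TAG, "Failed to allocate memory for version response");
         return ESP_ERR_NO_MEM;
     }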
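Review bot: On the allocation-failure path `*outlen` keeps the length written two lines earlier while `*outbuf` is NULL, so a caller that does not check the return code sees a non-zero length paired with a null buffer; adding `*outlen = 0;` before `return ESP_ERR_NO_MEM;` keeps the two outputs consistent. Separately, if `pc->ver` is an empty string, `malloc(0)` may return NULL and the corrected check would then report out-of-memory for a valid zero-length response; `if (*outlen > 0 && *outbuf == NULL)` avoids that. Whether `pc->ver` can be NULL or empty is decided outside the hunk, as is the rest of protocomm_version_handler.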