Merge branch 'fix/esp_tls_prevent_freeing_global_CA_store_after_each_request' into 'master'

fix(esp_tls): prevent freeing global CA store after each request

Closes IDFGH-4647

See merge request espressif/esp-idf!12231

components/esp-tls/esp_tls_mbedtls.c

@@ -625,6 +625,10 @@ esp_err_t esp_mbedtls_init_global_ca_store(void)
 
 esp_err_t esp_mbedtls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
 {
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
+    ESP_LOGE(TAG, "Please disable dynamic freeing of ca cert in mbedtls (CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT)\n in order to use the global ca_store");
+    return ESP_FAIL;
+#endif
     if (cacert_pem_buf == NULL) {
         ESP_LOGE(TAG, "cacert_pem_buf is null");
         return ESP_ERR_INVALID_ARG;

components/mbedtls/Kconfig

@@ -115,17 +115,27 @@ menu "mbedTLS"
             Free peer certificate after its usage in handshake process.
 
     config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
-        bool "Free certificate, key and DHM data after its usage"
+        bool "Free private key and DHM data after its usage"
         default n
         depends on MBEDTLS_DYNAMIC_BUFFER
         help
-            Free certificate, private key and DHM data after its usage in handshake process.
+            Free private key and DHM data after its usage in handshake process.
 
             The option will decrease heap cost when handshake, but also lead to problem:
 
             Becasue all certificate, private key and DHM data are freed so users should register
             certificate and private key to ssl config object again.
 
+    config MBEDTLS_DYNAMIC_FREE_CA_CERT
+        bool "Free SSL ca certificate after its usage"
+        default y
+        depends on MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+        help
+            Free ca certificate after its usage in the handshake process.
+            This option will decrease the heap footprint for the TLS handshake, but may lead to a problem:
+            If the respective ssl object needs to perform the TLS handshake again,
+            the ca certificate should once again be registered to the ssl object.
+
     config MBEDTLS_DEBUG
         bool "Enable mbedTLS debugging"
         default n

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c

@@ -499,7 +499,9 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
         keycert = keycert->next;
     }
 }
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA */
 
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
 {
     if (ssl->conf->ca_chain) {
@@ -509,8 +511,7 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
         conf->ca_chain = NULL;
     }
 }
-
-#endif
+#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
 
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
 void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h

@@ -71,7 +71,9 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl);
 void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl);
 
 void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
+#endif
 
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
 #endif
 

components/mbedtls/port/dynamic/esp_ssl_cli.c

@@ -60,7 +60,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
             } else {
                 CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 
-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                 esp_mbedtls_free_cacert(ssl);
 #endif
             }

components/mbedtls/port/dynamic/esp_ssl_srv.c

@@ -112,7 +112,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
             } else {
                 CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
 
-#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
+#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT
                 esp_mbedtls_free_cacert(ssl);
 #endif
             }