Merge branch 'bugfix/esp32c2_eap_auth_v5.1' into 'release/v5.1'

fix(wifi): Added low heap usage Kconfig option for eap enterprise (v5.1) See merge request espressif/esp-idf!28825
espressif · Feb 27, 2024 · 6481fdf · 6481fdf
2 parents f8a1cf9 + 8a01702
commit 6481fdf
Show file tree

Hide file tree

Showing 2 changed files with 81 additions and 3 deletions.
diff --git a/components/esp_wifi/Kconfig b/components/esp_wifi/Kconfig
@@ -479,6 +479,7 @@ menu "Wi-Fi"
     if ESP_WIFI_MBEDTLS_CRYPTO
         config ESP_WIFI_MBEDTLS_TLS_CLIENT
             bool "Use MbedTLS TLS client for WiFi Enterprise connection"
+            depends on ESP_WIFI_ENTERPRISE_SUPPORT
             default y
             select MBEDTLS_TLS_ENABLED
             help
@@ -623,4 +624,13 @@ menu "Wi-Fi"
             disabling this will reduce binary size.
             disabling this will disable the use of any esp_wifi_sta_wpa2_ent_* (as APIs will be meaningless)
 
+    config ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+        bool "Free dynamic buffers during WiFi enterprise connection"
+        depends on ESP_WIFI_ENTERPRISE_SUPPORT
+        default y if IDF_TARGET_ESP32C2
+        default n if !IDF_TARGET_ESP32C2
+        help
+            Select this configuration to free dynamic buffers during WiFi enterprise connection.
+            This will enable chip to reduce heap consumption during WiFi enterprise connection.
+
 endmenu # Wi-Fi
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -34,6 +34,7 @@
 #else
 #include "mbedtls/config.h"
 #endif
+#include "mbedtls/platform.h"
 #include "eap_peer/eap.h"
 
 
@@ -676,6 +677,59 @@ int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn,
 	return -1;
 }
 
+#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+static void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
+{
+#ifdef CONFIG_MBEDTLS_DHM_C
+	const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+	mbedtls_mpi_free((mbedtls_mpi *)&conf->MBEDTLS_PRIVATE(dhm_P));
+	mbedtls_mpi_free((mbedtls_mpi *)&conf->MBEDTLS_PRIVATE(dhm_G));
+#endif /* CONFIG_MBEDTLS_DHM_C */
+}
+
+static void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
+{
+	mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
+	mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next;
+
+	while (keycert) {
+		next = keycert->next;
+
+		if (keycert) {
+			mbedtls_free(keycert);
+		}
+
+		keycert = next;
+	}
+
+	conf->MBEDTLS_PRIVATE(key_cert) = NULL;
+}
+
+static void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
+{
+	const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+	mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
+
+	while (keycert) {
+		if (keycert->key) {
+			mbedtls_pk_free(keycert->key);
+			keycert->key = NULL;
+		}
+		keycert = keycert->next;
+	}
+}
+
+static void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
+{
+	if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
+		mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
+
+		mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
+		conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
+	}
+}
+#endif
+
 struct wpabuf * tls_connection_handshake(void *tls_ctx,
 					 struct tls_connection *conn,
 					 const struct wpabuf *in_data,
@@ -684,6 +738,7 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	tls_context_t *tls = conn->tls;
 	int ret = 0;
 	struct wpabuf *resp;
+	int cli_state;
 
 	/* data freed by sender */
 	conn->tls_io_data.out_data = NULL;
@@ -693,7 +748,8 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 
 	/* Multiple reads */
 	while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
-		if (tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
+		cli_state = tls->ssl.MBEDTLS_PRIVATE(state);
+		if (cli_state == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
 			/* Read random data before session completes, not present after handshake */
 			if (tls->ssl.MBEDTLS_PRIVATE(handshake)) {
 				os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes,
@@ -703,8 +759,20 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 		}
 		ret = mbedtls_ssl_handshake_step(&tls->ssl);
 
-		if (ret < 0)
+		if (ret < 0) {
 			break;
+		}
+#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER
+		if (mbedtls_ssl_get_version_number(&tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_2) {
+			if (cli_state == MBEDTLS_SSL_SERVER_CERTIFICATE) {
+				esp_mbedtls_free_cacert(&tls->ssl);
+			} else if (cli_state == MBEDTLS_SSL_CERTIFICATE_VERIFY) {
+				esp_mbedtls_free_dhm(&tls->ssl);
+				esp_mbedtls_free_keycert_key(&tls->ssl);
+				esp_mbedtls_free_keycert(&tls->ssl);
+			}
+		}
+#endif
 	}
 	if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ) {
 		wpa_printf(MSG_INFO, "%s: ret is %d line:%d", __func__, ret, __LINE__);