Merge branch 'feature/mbedtls_dynamic_memory' into 'master'

feat(mbedtls): modify __wrap_mbedtls_ssl_setup to decrease SSL peak heap cost

Closes IDF-4402

See merge request espressif/esp-idf!15323

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h

@@ -1,20 +1,14 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
+/*
+ * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 
 #ifndef _DYNAMIC_IMPL_H_
 #define _DYNAMIC_IMPL_H_
 
 #include <stddef.h>
+#include <string.h>
 #include "mbedtls/ssl.h"
 #include "mbedtls/ssl_internal.h"
 #include "mbedtls/platform.h"

components/mbedtls/port/dynamic/esp_ssl_tls.c

@@ -1,15 +1,8 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
+/*
+ * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 
 #include <sys/param.h>
 #include "esp_mbedtls_dynamic_impl.h"
@@ -51,15 +44,164 @@ static int rx_done(mbedtls_ssl_context *ssl)
     return 0;
 }
 
+static void ssl_transform_init( mbedtls_ssl_transform *transform )
+{
+    memset( transform, 0, sizeof(mbedtls_ssl_transform) );
+
+    mbedtls_cipher_init( &transform->cipher_ctx_enc );
+    mbedtls_cipher_init( &transform->cipher_ctx_dec );
+
+    mbedtls_md_init( &transform->md_ctx_enc );
+    mbedtls_md_init( &transform->md_ctx_dec );
+}
+
+static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
+                                       const unsigned char *buf, size_t len )
+{
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
+    mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+}
+
+static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
+{
+    memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
+
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
+    defined(MBEDTLS_SSL_PROTO_TLS1_1)
+    mbedtls_md5_init(   &handshake->fin_md5  );
+    mbedtls_sha1_init(   &handshake->fin_sha1 );
+    mbedtls_md5_starts_ret( &handshake->fin_md5  );
+    mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
+#endif
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_SHA256_C)
+    mbedtls_sha256_init(   &handshake->fin_sha256    );
+    mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
+#endif
+#if defined(MBEDTLS_SHA512_C)
+    mbedtls_sha512_init(   &handshake->fin_sha512    );
+    mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
+#endif
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    handshake->update_checksum = ssl_update_checksum_start;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
+    defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
+    mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
+#endif
+
+#if defined(MBEDTLS_DHM_C)
+    mbedtls_dhm_init( &handshake->dhm_ctx );
+#endif
+#if defined(MBEDTLS_ECDH_C)
+    mbedtls_ecdh_init( &handshake->ecdh_ctx );
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
+#if defined(MBEDTLS_SSL_CLI_C)
+    handshake->ecjpake_cache = NULL;
+    handshake->ecjpake_cache_len = 0;
+#endif
+#endif
+
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
+#endif
+
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+    handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
+#endif
+}
+
+static int ssl_handshake_init( mbedtls_ssl_context *ssl )
+{
+    /* Clear old handshake information if present */
+    if( ssl->transform_negotiate )
+        mbedtls_ssl_transform_free( ssl->transform_negotiate );
+    if( ssl->session_negotiate )
+        mbedtls_ssl_session_free( ssl->session_negotiate );
+    if( ssl->handshake )
+        mbedtls_ssl_handshake_free( ssl );
+
+    /*
+     * Either the pointers are now NULL or cleared properly and can be freed.
+     * Now allocate missing structures.
+     */
+    if( ssl->transform_negotiate == NULL )
+    {
+        ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
+    }
+
+    if( ssl->session_negotiate == NULL )
+    {
+        ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
+    }
+
+    if( ssl->handshake == NULL )
+    {
+        ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
+    }
+
+    /* All pointers should exist and can be directly freed without issue */
+    if( ssl->handshake == NULL ||
+        ssl->transform_negotiate == NULL ||
+        ssl->session_negotiate == NULL )
+    {
+        ESP_LOGD(TAG, "alloc() of ssl sub-contexts failed");
+
+        mbedtls_free( ssl->handshake );
+        mbedtls_free( ssl->transform_negotiate );
+        mbedtls_free( ssl->session_negotiate );
+
+        ssl->handshake = NULL;
+        ssl->transform_negotiate = NULL;
+        ssl->session_negotiate = NULL;
+
+        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+    }
+
+    /* Initialize structures */
+    mbedtls_ssl_session_init( ssl->session_negotiate );
+    ssl_transform_init( ssl->transform_negotiate );
+    ssl_handshake_params_init( ssl->handshake );
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
+    {
+        ssl->handshake->alt_transform_out = ssl->transform_out;
+
+        if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
+        else
+            ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
+
+        ssl_set_timer( ssl, 0 );
+    }
+#endif
+
+    return( 0 );
+}
+
 int __wrap_mbedtls_ssl_setup(mbedtls_ssl_context *ssl, const mbedtls_ssl_config *conf)
 {
-    CHECK_OK(__real_mbedtls_ssl_setup(ssl, conf));
+    ssl->conf = conf;
+    CHECK_OK(ssl_handshake_init(ssl));
 
-    mbedtls_free(ssl->out_buf);
     ssl->out_buf = NULL;
     CHECK_OK(esp_mbedtls_setup_tx_buffer(ssl));
 
-    mbedtls_free(ssl->in_buf);
     ssl->in_buf = NULL;
     esp_mbedtls_setup_rx_buffer(ssl);
 

tools/ci/check_copyright_ignore.txt

@@ -1442,10 +1442,8 @@ components/mbedtls/port/aes/esp_aes_common.c
 components/mbedtls/port/aes/esp_aes_gcm.c
 components/mbedtls/port/aes/esp_aes_xts.c
 components/mbedtls/port/crypto_shared_gdma/esp_crypto_shared_gdma.c
-components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
 components/mbedtls/port/dynamic/esp_ssl_cli.c
 components/mbedtls/port/dynamic/esp_ssl_srv.c
-components/mbedtls/port/dynamic/esp_ssl_tls.c
 components/mbedtls/port/esp32/bignum.c
 components/mbedtls/port/esp32c3/bignum.c
 components/mbedtls/port/esp32h2/bignum.c