fix(mbedtls): fix mbedtls dynamic resource memory leaks and RSA cert drop earlier

RX process caches the session information in "ssl->in_ctr" not in "ssl->in_buf". So when freeing the SSL, can't free the "ssl->in_ctr", because the "ssl->in_buf" is empty. Make the RX process like TX process, and cache the session information in "ssl->in_buf", so that the cache buffer can be freed when freeing the SSL. Closes https://github.com/espressif/esp-idf/issues/6104
2025-09-25 09:42:35 +00:00 · 2020-11-12 15:17:21 +08:00
parent 2558830339
commit 1c9592efc4
4 changed files with 59 additions and 16 deletions
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
@@ -317,9 +317,13 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
    ESP_LOGV(TAG, "--> add rx");

    if (ssl->in_buf) {
-        ESP_LOGV(TAG, "in buffer is not empty");
-        ret = 0;
-        goto exit;
+        if (ssl->in_iv) {
+            ESP_LOGV(TAG, "in buffer is not empty");
+            ret = 0;
+            goto exit;
+        } else {
+            cached = 1;
+        }
    }

    ssl->in_hdr = msg_head;
@@ -346,6 +350,12 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)
    ESP_LOGV(TAG, "message length is %d RX buffer length should be %d left is %d",
                (int)in_msglen, (int)buffer_len, (int)ssl->in_left);

+    if (cached) {
+        memcpy(cache_buf, ssl->in_buf, 16);
+        mbedtls_free(ssl->in_buf);
+        init_rx_buffer(ssl, NULL);
+    }
+
    buf = mbedtls_calloc(1, buffer_len);
    if (!buf) {
        ESP_LOGE(TAG, "alloc(%d bytes) failed", buffer_len);
@@ -355,12 +365,6 @@ int esp_mbedtls_add_rx_buffer(mbedtls_ssl_context *ssl)

    ESP_LOGV(TAG, "add in buffer %d bytes @ %p", buffer_len, buf);

-    if (ssl->in_ctr) {
-        memcpy(cache_buf, ssl->in_ctr, 16);
-        mbedtls_free(ssl->in_ctr);
-        cached = 1;
-    }
-
    init_rx_buffer(ssl, buf);

    if (cached) {
@@ -389,7 +393,8 @@ int esp_mbedtls_free_rx_buffer(mbedtls_ssl_context *ssl)
    /**
     * When have read multi messages once, can't free the input buffer directly.
     */
-    if (!ssl->in_buf || (ssl->in_hslen && (ssl->in_hslen < ssl->in_msglen))) {
+    if (!ssl->in_buf || (ssl->in_hslen && (ssl->in_hslen < ssl->in_msglen)) ||
+        (ssl->in_buf && !ssl->in_iv)) {
        ret = 0;
        goto exit;
    }
@@ -418,7 +423,8 @@ int esp_mbedtls_free_rx_buffer(mbedtls_ssl_context *ssl)
    }

    memcpy(pdata, buf, 16);
-    ssl->in_ctr = pdata;
+    init_rx_buffer(ssl, pdata);
+    ssl->in_iv = NULL;

 exit:
    ESP_LOGV(TAG, "<-- free rx");
@@ -515,4 +521,17 @@ void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
        ssl->session_negotiate->peer_cert = NULL;
    }
 }
+
+bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl)
+{
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+        ssl->transform_negotiate->ciphersuite_info;
+
+    if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
+        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
+        return true;
+    } else {
+        return false;
+    }
+}
 #endif