Merge branch 'bugfix/fix_tls1_3_dynamic_buffer_build_v5.5' into 'release/v5.5'

Jiang Jiang Jian · Jiang Jiang Jian · commit e44e7ce2f929 · 2025-06-17T15:39:50.000+08:00
fix(mbedtls): Fix failing build with TLS1.3 only and dynamic buffer enabled (v5.5)

See merge request espressif/esp-idf!39879
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
@@ -850,7 +850,9 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
     ESP_LOGD(TAG, "Enabling client-side tls session ticket support");
     mbedtls_ssl_conf_session_tickets(&tls->conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
+#ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION
     mbedtls_ssl_conf_renegotiation(&tls->conf, MBEDTLS_SSL_RENEGOTIATION_ENABLED);
+#endif /* CONFIG_MBEDTLS_SSL_RENEGOTIATION */
 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
 
 #if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
diff --git a/components/mbedtls/port/dynamic/esp_ssl_tls.c b/components/mbedtls/port/dynamic/esp_ssl_tls.c
@@ -92,7 +92,8 @@ static int ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
 #if defined(MBEDTLS_DHM_C)
     mbedtls_dhm_init( &handshake->dhm_ctx );
 #endif
-#if defined(MBEDTLS_ECDH_C)
+#if defined(MBEDTLS_ECDH_C) && \
+    defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
     mbedtls_ecdh_init( &handshake->ecdh_ctx );
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@@ -121,9 +122,11 @@ static int ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
 
 static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 {
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
     /* Clear old handshake information if present */
     if( ssl->transform_negotiate )
         mbedtls_ssl_transform_free( ssl->transform_negotiate );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
     if( ssl->session_negotiate )
         mbedtls_ssl_session_free( ssl->session_negotiate );
     if( ssl->handshake )
@@ -133,10 +136,12 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
      * Either the pointers are now NULL or cleared properly and can be freed.
      * Now allocate missing structures.
      */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
     if( ssl->transform_negotiate == NULL )
     {
         ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
     }
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 
     if( ssl->session_negotiate == NULL )
     {
@@ -156,25 +161,32 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
 
     /* All pointers should exist and can be directly freed without issue */
     if( ssl->handshake == NULL ||
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
         ssl->transform_negotiate == NULL ||
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
         ssl->session_negotiate == NULL )
     {
         ESP_LOGD(TAG, "alloc() of ssl sub-contexts failed");
 
         mbedtls_free( ssl->handshake );
-        mbedtls_free( ssl->transform_negotiate );
-        mbedtls_free( ssl->session_negotiate );
-
         ssl->handshake = NULL;
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+        mbedtls_free( ssl->transform_negotiate );
         ssl->transform_negotiate = NULL;
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+        mbedtls_free( ssl->session_negotiate );
         ssl->session_negotiate = NULL;
 
         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
     }
 
     /* Initialize structures */
     mbedtls_ssl_session_init( ssl->session_negotiate );
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
     mbedtls_ssl_transform_init( ssl->transform_negotiate );
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
     int ret = ssl_handshake_params_init( ssl->handshake );
     if (ret != 0) {
         return ret;
diff --git a/examples/protocols/https_request/pytest_https_request.py b/examples/protocols/https_request/pytest_https_request.py
@@ -130,6 +130,7 @@ def test_examples_protocol_https_request_cli_session_tickets(dut: Dut) -> None:
     'config',
     [
         'ssldyn_tls1_3',
+        'ssldyn_tls1_3_only',
     ],
     indirect=True,
 )
diff --git a/examples/protocols/https_request/sdkconfig.ci.ssldyn_tls1_3_only b/examples/protocols/https_request/sdkconfig.ci.ssldyn_tls1_3_only
@@ -0,0 +1,16 @@
+CONFIG_SPIRAM=y
+CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y
+CONFIG_EXAMPLE_CONNECT_ETHERNET=y
+CONFIG_EXAMPLE_CONNECT_WIFI=n
+CONFIG_EXAMPLE_USE_INTERNAL_ETHERNET=y
+CONFIG_EXAMPLE_ETH_PHY_IP101=y
+CONFIG_EXAMPLE_ETH_MDC_GPIO=23
+CONFIG_EXAMPLE_ETH_MDIO_GPIO=18
+CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
+CONFIG_EXAMPLE_ETH_PHY_ADDR=1
+CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
+CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT=y
+CONFIG_EXAMPLE_CLIENT_SESSION_TICKETS=y
+CONFIG_EXAMPLE_LOCAL_SERVER_URL="FROM_STDIN"
+CONFIG_EXAMPLE_LOCAL_SERVER_URL_FROM_STDIN=y
+CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n

Original file line number	Diff line number	Diff line change
`@@ -130,6 +130,7 @@ def test_examples_protocol_https_request_cli_session_tickets(dut: Dut) -> None:`
`130`	`130`	`'config',`
`131`	`131`	`[`
`132`	`132`	`'ssldyn_tls1_3',`
	`133`	`+ 'ssldyn_tls1_3_only',`
`133`	`134`	`],`
`134`	`135`	`indirect=True,`
`135`	`136`	`)`