From c62022b312fd2ae641e9b577df4b2dba3437d661 Mon Sep 17 00:00:00 2001 From: Kapil Gupta Date: Tue, 2 Jan 2024 21:08:10 +0530 Subject: [PATCH] fix(wifi): add low memory options for eap enterprise --- components/esp_wifi/Kconfig | 9 +++ .../esp_supplicant/src/crypto/tls_mbedtls.c | 76 ++++++++++++++++++- 2 files changed, 81 insertions(+), 4 deletions(-) diff --git a/components/esp_wifi/Kconfig b/components/esp_wifi/Kconfig index 74efa2fba4..6ca271eec4 100644 --- a/components/esp_wifi/Kconfig +++ b/components/esp_wifi/Kconfig @@ -454,4 +454,13 @@ menu "Wi-Fi" disabling this will reduce binary size. disabling this will disable the use of any esp_wifi_sta_wpa2_ent_* (as APIs will be meaningless) + config ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER + bool "Free dynamic buffers during WiFi enterprise connection" + depends on ESP_WIFI_ENTERPRISE_SUPPORT + default y if IDF_TARGET_ESP32C2 + default n if !IDF_TARGET_ESP32C2 + help + Select this configuration to free dynamic buffers during WiFi enterprise connection. + This will enable chip to reduce heap consumption during WiFi enterprise connection. + endmenu # Wi-Fi diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c index 3b3478a157..9d826a08f5 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -31,6 +31,7 @@ which are undefined if the following flag is not defined */ #else #include "mbedtls/config.h" #endif +#include "mbedtls/platform.h" #include "eap_peer/eap.h" 
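Review bot: The help text of `ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER` does not say which buffers are released or when, which matters because the tls_mbedtls.c part of this patch frees the CA chain, the client key/cert list and the DH parameters out of the mbedtls config in the middle of a TLS 1.2 handshake, so they are gone for the remainder of that connection. I would replace the two help sentences with `Free the CA chain, client key and DH parameters held by the TLS config as soon as the TLS 1.2 handshake no longer needs them, lowering peak heap use of a Wi-Fi enterprise connection. Has no effect on TLS 1.3 handshakes.` The current second sentence also reads oddly ("enable chip to reduce"); `This lets the chip reduce heap consumption` is the cleaner form if the longer text is not wanted.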
@@ -677,6 +678,59 @@ int tls_connection_set_verify(void *tls_ctx, struct tls_connection *conn, return -1; } +#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER +static void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl) +{ +#ifdef CONFIG_MBEDTLS_DHM_C + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_mpi_free((mbedtls_mpi *)&conf->MBEDTLS_PRIVATE(dhm_P)); + mbedtls_mpi_free((mbedtls_mpi *)&conf->MBEDTLS_PRIVATE(dhm_G)); +#endif /* CONFIG_MBEDTLS_DHM_C */ +} + +static void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl) +{ + mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl); + mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next; + + while (keycert) { + next = keycert->next; + + if (keycert) { + mbedtls_free(keycert); + } + + keycert = next; + } + + conf->MBEDTLS_PRIVATE(key_cert) = NULL; +} + +static void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl) +{ + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert); + + while (keycert) { + if (keycert->key) { + mbedtls_pk_free(keycert->key); + keycert->key = NULL; + } + keycert = keycert->next; + } +} + +static void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) +{ + if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) { + mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl); + + mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain)); + conf->MBEDTLS_PRIVATE(ca_chain) = NULL; + } +} +#endif + struct wpabuf * tls_connection_handshake(void *tls_ctx, struct tls_connection *conn, const struct wpabuf *in_data, @@ -685,6 +739,7 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, tls_context_t *tls = conn->tls; int ret = 0; struct wpabuf *resp; + int cli_state; /* data freed by sender */ conn->tls_io_data.out_data = NULL; 
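Review bot: In `esp_mbedtls_free_keycert` the inner `if (keycert)` is dead because the loop condition is `while (keycert)`; the body should simply be `next = keycert->next; mbedtls_free(keycert); keycert = next;`. The three helpers also disagree on how they shed the `const` returned by `mbedtls_ssl_context_get_config()` — `esp_mbedtls_free_dhm` casts each MPI field, the other two cast `conf` itself — and it would be better to cast `conf` once in every helper so the reliance on mbedtls' private config layout (all the `MBEDTLS_PRIVATE` accesses) is written the same way everywhere. None of the new helpers carries a comment; I would add a shared header such as `/* Release config buffers once the TLS 1.2 handshake has passed the state that last uses them. They are not re-created, so the config cannot complete another full handshake afterwards. */`. Note that `esp_mbedtls_free_keycert` frees only the list nodes and leaves `keycert->cert` alone, presumably because the certificate is owned by the tls context and freed with it; a one-line comment confirming that ownership would stop a later reader from "fixing" it into a double free.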
@@ -693,8 +748,9 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, } /* Multiple reads */ - while (tls->ssl.MBEDTLS_PRIVATE(state) != MBEDTLS_SSL_HANDSHAKE_OVER) { - if (tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_CLIENT_CERTIFICATE) { + while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) { + cli_state = tls->ssl.MBEDTLS_PRIVATE(state); + if (cli_state == MBEDTLS_SSL_CLIENT_CERTIFICATE) { /* Read random data before session completes, not present after handshake */ if (tls->ssl.MBEDTLS_PRIVATE(handshake)) { os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes, @@ -704,8 +760,20 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, } ret = mbedtls_ssl_handshake_step(&tls->ssl); - if (ret < 0) + if (ret < 0) { break; + } +#ifdef CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER + if (mbedtls_ssl_get_version_number(&tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_2) { + if (cli_state == MBEDTLS_SSL_SERVER_CERTIFICATE) { + esp_mbedtls_free_cacert(&tls->ssl); + } else if (cli_state == MBEDTLS_SSL_CERTIFICATE_VERIFY) { + esp_mbedtls_free_dhm(&tls->ssl); + esp_mbedtls_free_keycert_key(&tls->ssl); + esp_mbedtls_free_keycert(&tls->ssl); + } + } +#endif } if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ) { wpa_printf(MSG_INFO, "%s: ret is %d line:%d", __func__, ret, __LINE__);
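Review bot: Once the step that ran from `MBEDTLS_SSL_SERVER_CERTIFICATE` returns success, `esp_mbedtls_free_cacert` sets `conf->ca_chain` to NULL, so any later certificate verification on this connection (a server-initiated renegotiation, if that is enabled in this build) runs without a trust anchor; as far as I recall mbedtls rejects such a handshake under `MBEDTLS_SSL_VERIFY_REQUIRED`, but under an optional verify mode it would proceed silently, and if the same config is shared by another connection (not visible here) that connection would be affected too. I would state this at the free site with `/* TLS 1.2 only: the CA chain and client key are dropped after the state that last uses them and are not restored, so no further full handshake can be verified on this config. */` and, if renegotiation is compiled in, disable it for this context before the frees. The state/version checks themselves look right: `cli_state` is captured before `mbedtls_ssl_handshake_step` and the frees only run when the step did not fail, so a `WANT_READ` mid-state cannot trigger them early. `tls_connection_handshake` continues past the end of the hunk.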