From 1f14018c30347725397e8800caaede4b079746ae Mon Sep 17 00:00:00 2001 From: David Cermak Date: Fri, 24 May 2024 11:53:25 +0200 Subject: [PATCH 1/2] feat(lwip): Add support for PPP Auth using mbedTLS Closes https://github.com/espressif/esp-idf/issues/13597 --- components/lwip/CMakeLists.txt | 20 ++++++++++++++------ components/lwip/Kconfig | 11 +++++++++++ components/lwip/lwip | 2 +- components/lwip/port/include/lwipopts.h | 9 +++++++++ 4 files changed, 35 insertions(+), 7 deletions(-) diff --git a/components/lwip/CMakeLists.txt b/components/lwip/CMakeLists.txt index f45eeab2ed16..8c55884277d4 100644 --- a/components/lwip/CMakeLists.txt +++ b/components/lwip/CMakeLists.txt @@ -132,12 +132,7 @@ if(CONFIG_LWIP_ENABLE) "lwip/src/netif/ppp/pppos.c" "lwip/src/netif/ppp/upap.c" "lwip/src/netif/ppp/utils.c" - "lwip/src/netif/ppp/vj.c" - "lwip/src/netif/ppp/polarssl/arc4.c" - "lwip/src/netif/ppp/polarssl/des.c" - "lwip/src/netif/ppp/polarssl/md4.c" - "lwip/src/netif/ppp/polarssl/md5.c" - "lwip/src/netif/ppp/polarssl/sha1.c") + "lwip/src/netif/ppp/vj.c") endif() if(NOT ${target} STREQUAL "linux") @@ -160,6 +155,15 @@ if(CONFIG_LWIP_ENABLE) "apps/ping/ping_sock.c") endif() + if(NOT CONFIG_LWIP_USE_EXTERNAL_MBEDTLS) + list(APPEND srcs + "lwip/src/netif/ppp/polarssl/arc4.c" + "lwip/src/netif/ppp/polarssl/des.c" + "lwip/src/netif/ppp/polarssl/md4.c" + "lwip/src/netif/ppp/polarssl/md5.c" + "lwip/src/netif/ppp/polarssl/sha1.c") + endif() + if(CONFIG_LWIP_DHCPS) list(APPEND srcs "apps/dhcpserver/dhcpserver.c") endif() @@ -211,6 +215,10 @@ if(CONFIG_LWIP_ENABLE) idf_component_optional_requires(PRIVATE nvs_flash) endif() + if(CONFIG_LWIP_USE_EXTERNAL_MBEDTLS) + idf_component_optional_requires(PRIVATE mbedtls) + endif() + if(${target} STREQUAL "linux") set(THREADS_PREFER_PTHREAD_FLAG ON) find_package(Threads REQUIRED) diff --git a/components/lwip/Kconfig b/components/lwip/Kconfig index 2ab55e35c222..90ee12620135 100644 --- a/components/lwip/Kconfig +++ b/components/lwip/Kconfig 
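Review bot: The new `if(NOT CONFIG_LWIP_USE_EXTERNAL_MBEDTLS)` block (new line 158, after the ping sources) appends the PolarSSL files without any reference to PPP, whereas the removed entries were part of the list that ends with `ppp/vj.c`. The Kconfig option depends on `LWIP_PPP_SUPPORT`, so it is always off in a build without PPP, and as far as this hunk shows such a build would now list `arc4.c`, `des.c`, `md4.c`, `md5.c` and `sha1.c` as sources. Gating the block as `if(CONFIG_LWIP_PPP_SUPPORT AND NOT CONFIG_LWIP_USE_EXTERNAL_MBEDTLS)` would keep the legacy cipher and digest code tied to the feature that uses it. The enclosing conditionals open outside the hunk, so this should be checked against the full file.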
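Review bot: The `idf_component_optional_requires(PRIVATE mbedtls)` call added at new line 218 declares the dependency as optional although the PPP auth code presumably cannot build without it once `CONFIG_LWIP_USE_EXTERNAL_MBEDTLS` is set. If mbedtls is left out of the build, the failure would likely surface as a missing header inside the lwip submodule rather than at configure time. A comment would make the intent clear, for example `# mbedtls provides the PPP auth digests when the bundled PolarSSL sources are not compiled`, and a configure-time check for the component is worth considering.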
@@ -998,6 +998,17 @@ menu "LWIP" help Enable PPP debug log output + config LWIP_USE_EXTERNAL_MBEDTLS + bool "Use mbedTLS instead of internal polarSSL" + depends on LWIP_PPP_SUPPORT + depends on !LWIP_PPP_MPPE_SUPPORT && !LWIP_PPP_MSCHAP_SUPPORT + default n + help + This option uses mbedTLS crypto functions (instead of internal PolarSSL + implementation) for PPP authentication modes (PAP, CHAP, etc.). + You can use this option to address symbol duplication issues, since + the internal functions are not namespaced (e.g. md5_init()). + menuconfig LWIP_SLIP_SUPPORT bool "Enable SLIP support (new/experimental)" default n diff --git a/components/lwip/lwip b/components/lwip/lwip index 3a3d1fb3e3bc..e8d0513898ce 160000 --- a/components/lwip/lwip +++ b/components/lwip/lwip @@ -1 +1 @@ -Subproject commit 3a3d1fb3e3bc23cf86cf653ce5928eda47e2c15d +Subproject commit e8d0513898ce96d7851b41bc6acb7af3259a447b diff --git a/components/lwip/port/include/lwipopts.h b/components/lwip/port/include/lwipopts.h index b20b07479bdc..c9a6d5702293 100644 --- a/components/lwip/port/include/lwipopts.h +++ b/components/lwip/port/include/lwipopts.h @@ -1151,6 +1151,15 @@ static inline uint32_t timeout_from_offered(uint32_t lease, uint32_t min) #define PPP_SUPPORT 0 #endif /* CONFIG_LWIP_PPP_SUPPORT */ +/** + * LWIP_USE_EXTERNAL_MBEDTLS: Use external mbed TLS library for crypto implementation used in PPP AUTH + */ +#ifdef CONFIG_LWIP_USE_EXTERNAL_MBEDTLS +#define LWIP_USE_EXTERNAL_MBEDTLS 1 +#else +#define LWIP_USE_EXTERNAL_MBEDTLS 0 +#endif + /* -------------------------------------- ---------- Checksum options ---------- From 562abca17daaf8218d91ae8dad27b8c0da655364 Mon Sep 17 00:00:00 2001 From: David Cermak Date: Fri, 24 May 2024 14:37:57 +0200 Subject: [PATCH 2/2] fix(esp_netif): Remove unused leftover pppapi_set_auth() call --- components/esp_netif/lwip/esp_netif_lwip.c | 9 --------- 1 file changed, 9 deletions(-) 
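Review bot: The help text of `LWIP_USE_EXTERNAL_MBEDTLS` says nothing about the `depends on !LWIP_PPP_MPPE_SUPPORT && !LWIP_PPP_MSCHAP_SUPPORT` line, so a user who has MS-CHAP or MPPE enabled will not see the option and gets no hint why. I would add a sentence such as `This option is only available when MS-CHAP and MPPE support are disabled.` The mode list `(PAP, CHAP, etc.)` is also loose: PAP transmits the password without hashing, so the replaced digest functions matter for the challenge-based modes; which ones exactly is decided in the lwip submodule, outside this diff. `default n` is already the default for a `bool` entry and can be dropped.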
diff --git a/components/esp_netif/lwip/esp_netif_lwip.c b/components/esp_netif/lwip/esp_netif_lwip.c
index 5915a3a3cac5..20ce5f5d7f35 100644
--- a/components/esp_netif/lwip/esp_netif_lwip.c
+++ b/components/esp_netif/lwip/esp_netif_lwip.c
@@ -2632,15 +2632,6 @@ esp_err_t esp_netif_ppp_set_auth(esp_netif_t *esp_netif, esp_netif_auth_type_t a
 {
 set_auth_msg_t msg = { .authtype = authtype, .user = user, .passwd = passwd };
 return esp_netif_lwip_ipc_call(esp_netif_ppp_set_auth_api, esp_netif, &msg);
-#if PPP_AUTH_SUPPORT
- lwip_peer2peer_ctx_t *ppp_ctx = (lwip_peer2peer_ctx_t *)netif->related_data;
- assert(ppp_ctx->base.netif_type == PPP_LWIP_NETIF);
- pppapi_set_auth(ppp_ctx->ppp, authtype, user, passwd);
- return ESP_OK;
-#else
- ESP_LOGE(TAG, "%s failed: No authorisation enabled in menuconfig", __func__);
- return ESP_ERR_ESP_NETIF_IF_NOT_READY;
-#endif
 }
 esp_err_t esp_netif_napt_disable(esp_netif_t *esp_netif)