yuzu-mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-mirror/mbedtls.git synced 2026-04-04 14:08:39 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'origin/development' into development-restricted

Browse source 
* origin/development: (114 commits)
  Don't redefine calloc and free
  Add changelog entry to record checking
  Fix compiler warning
  Add debug messages
  Remove duplicate entries from ChangeLog
  Fix parameter name in doxygen
  Add missing guards for mac usage
  Improve reability and debugability of large if
  Fix a typo in a comment
  Fix MSVC warning
  Fix compile error in reduced configurations
  Avoid duplication of session format header
  Implement config-checking header to context s11n
  Provide serialisation API only if it's enabled
  Fix compiler warning: comparing signed to unsigned
  Actually reset the context on save as advertised
  Re-use buffer allocated by handshake_init()
  Enable serialisation tests in ssl-opt.sh
  Change requirements for setting timer callback
  Add setting of forced fields when deserializing
  ...
This commit is contained in:
Jaeden Amero 2019-08-27 10:09:10 +01:00
commit f1cdceae0d
18 changed files with 2907 additions and 513 deletions
Download patch file Download diff file Expand all files Collapse all files

8
programs/ssl/query_config.c
View file

@ -1266,6 +1266,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( strcmp( "MBEDTLS_SSL_CONTEXT_SERIALIZATION", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONTEXT_SERIALIZATION );
return( 0 );
}
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
#if defined(MBEDTLS_SSL_DEBUG_ALL)
if( strcmp( "MBEDTLS_SSL_DEBUG_ALL", config ) == 0 )
{

211
programs/ssl/ssl_client2.c
View file

@ -113,6 +113,7 @@ int main( void )
#define DFL_DHMLEN -1
#define DFL_RECONNECT 0
#define DFL_RECO_DELAY 0
#define DFL_RECO_MODE 1
#define DFL_CID_ENABLED 0
#define DFL_CID_VALUE ""
#define DFL_CID_ENABLED_RENEGO -1
@ -129,6 +130,8 @@ int main( void )
#define DFL_FALLBACK -1
#define DFL_EXTENDED_MS -1
#define DFL_ETM -1
#define DFL_SERIALIZE 0
#define DFL_EXTENDED_MS_ENFORCE -1
#define DFL_CA_CALLBACK 0
#define DFL_EAP_TLS 0
#define DFL_REPRODUCIBLE 0
@ -339,6 +342,15 @@ int main( void )
#define USAGE_ECRESTART ""
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
#define USAGE_SERIALIZATION \
" serialize=%%d default: 0 (do not serialize/deserialize)\n" \
" options: 1 (serialize)\n" \
" 2 (serialize with re-initialization)\n"
#else
#define USAGE_SERIALIZATION ""
#endif
#define USAGE \
"\n usage: ssl_client2 param=<>...\n" \
"\n acceptable parameters:\n" \
@ -376,8 +388,11 @@ int main( void )
" allow_legacy=%%d default: (library default: no)\n" \
USAGE_RENEGO \
" exchanges=%%d default: 1\n" \
" reconnect=%%d default: 0 (disabled)\n" \
" reconnect=%%d number of reconnections using session resumption\n" \
" default: 0 (disabled)\n" \
" reco_delay=%%d default: 0 seconds\n" \
" reco_mode=%%d 0: copy session, 1: serialize session\n" \
" default: 1\n" \
" reconnect_hard=%%d default: 0 (disabled)\n" \
USAGE_TICKETS \
USAGE_EAP_TLS \
@ -405,6 +420,7 @@ int main( void )
" configuration macro is defined and 1\n" \
" otherwise. The expansion of the macro\n" \
" is printed if it is defined\n" \
USAGE_SERIALIZATION \
" acceptable ciphersuite names:\n"
#define ALPN_LIST_SIZE 10
@ -458,6 +474,7 @@ struct options
int dhmlen; /* minimum DHM params len in bits */
int reconnect; /* attempt to resume session */
int reco_delay; /* delay in seconds before resuming session */
int reco_mode; /* how to keep the session around */
int reconnect_hard; /* unexpectedly reconnect from the same port */
int tickets; /* enable / disable session tickets */
const char *curves; /* list of supported elliptic curves */
@ -476,6 +493,7 @@ struct options
int cid_enabled_renego; /* whether to use the CID extension or not
* during renegotiation */
const char *cid_val; /* the CID to use for incoming messages */
int serialize; /* serialize/deserialize connection */
const char *cid_val_renego; /* the CID to use for incoming messages
* after renegotiation */
int reproducible; /* make communication reproducible */
@ -1047,6 +1065,8 @@ int main( int argc, char *argv[] )
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ssl_session saved_session;
unsigned char *session_data = NULL;
size_t session_data_len = 0;
#if defined(MBEDTLS_TIMING_C)
mbedtls_timing_delay_context timer;
#endif
@ -1061,6 +1081,10 @@ int main( int argc, char *argv[] )
#endif
char *p, *q;
const int *list;
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
unsigned char *context_buf = NULL;
size_t context_buf_len;
#endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
unsigned char eap_tls_keymaterial[16];
unsigned char eap_tls_iv[8];
@ -1164,6 +1188,7 @@ int main( int argc, char *argv[] )
opt.dhmlen = DFL_DHMLEN;
opt.reconnect = DFL_RECONNECT;
opt.reco_delay = DFL_RECO_DELAY;
opt.reco_mode = DFL_RECO_MODE;
opt.reconnect_hard = DFL_RECONNECT_HARD;
opt.tickets = DFL_TICKETS;
opt.alpn_string = DFL_ALPN_STRING;
@ -1176,6 +1201,7 @@ int main( int argc, char *argv[] )
opt.extended_ms = DFL_EXTENDED_MS;
opt.etm = DFL_ETM;
opt.dgram_packing = DFL_DGRAM_PACKING;
opt.serialize = DFL_SERIALIZE;
opt.eap_tls = DFL_EAP_TLS;
opt.reproducible = DFL_REPRODUCIBLE;
@ -1350,6 +1376,12 @@ int main( int argc, char *argv[] )
if( opt.reco_delay < 0 )
goto usage;
}
else if( strcmp( p, "reco_mode" ) == 0 )
{
opt.reco_mode = atoi( q );
if( opt.reco_mode < 0 )
goto usage;
}
else if( strcmp( p, "reconnect_hard" ) == 0 )
{
opt.reconnect_hard = atoi( q );
@ -1558,6 +1590,12 @@ int main( int argc, char *argv[] )
{
return query_config( q );
}
else if( strcmp( p, "serialize") == 0 )
{
opt.serialize = atoi( q );
if( opt.serialize < 0 || opt.serialize > 2)
goto usage;
}
else if( strcmp( p, "eap_tls" ) == 0 )
{
opt.eap_tls = atoi( q );
@ -2440,14 +2478,55 @@ int main( int argc, char *argv[] )
mbedtls_printf(" . Saving session for reuse..." );
fflush( stdout );
if( ( ret = mbedtls_ssl_get_session( &ssl, &saved_session ) ) != 0 )
if( opt.reco_mode == 1 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_get_session returned -0x%x\n\n",
-ret );
goto exit;
/* free any previously saved data */
if( session_data != NULL )
{
mbedtls_platform_zeroize( session_data, session_data_len );
mbedtls_free( session_data );
session_data = NULL;
}
/* get size of the buffer needed */
mbedtls_ssl_session_save( mbedtls_ssl_get_session_pointer( &ssl ),
NULL, 0, &session_data_len );
session_data = mbedtls_calloc( 1, session_data_len );
if( session_data == NULL )
{
mbedtls_printf( " failed\n ! alloc %u bytes for session data\n",
(unsigned) session_data_len );
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto exit;
}
/* actually save session data */
if( ( ret = mbedtls_ssl_session_save( mbedtls_ssl_get_session_pointer( &ssl ),
session_data, session_data_len,
&session_data_len ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_session_saved returned -0x%04x\n\n",
-ret );
goto exit;
}
}
else
{
if( ( ret = mbedtls_ssl_get_session( &ssl, &saved_session ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_get_session returned -0x%x\n\n",
-ret );
goto exit;
}
}
mbedtls_printf( " ok\n" );
if( opt.reco_mode == 1 )
{
mbedtls_printf( " [ Saved %u bytes of session data]\n",
(unsigned) session_data_len );
}
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
@ -2839,7 +2918,103 @@ send_request:
}
/*
* 7c. Continue doing data exchanges?
* 7c. Simulate serialize/deserialize and go back to data exchange
*/
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( opt.serialize != 0 )
{
size_t buf_len;
mbedtls_printf( " . Serializing live connection..." );
ret = mbedtls_ssl_context_save( &ssl, NULL, 0, &buf_len );
if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned "
"-0x%x\n\n", -ret );
goto exit;
}
if( ( context_buf = mbedtls_calloc( 1, buf_len ) ) == NULL )
{
mbedtls_printf( " failed\n ! Couldn't allocate buffer for "
"serialized context" );
goto exit;
}
context_buf_len = buf_len;
if( ( ret = mbedtls_ssl_context_save( &ssl, context_buf,
buf_len, &buf_len ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned "
"-0x%x\n\n", -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
if( opt.serialize == 1 )
{
/* nothing to do here, done by context_save() already */
mbedtls_printf( " . Context has been reset... ok" );
}
if( opt.serialize == 2 )
{
mbedtls_printf( " . Freeing and reinitializing context..." );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_init( &ssl );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned "
"-0x%x\n\n", -ret );
goto exit;
}
if( opt.nbio == 2 )
mbedtls_ssl_set_bio( &ssl, &server_fd, delayed_send,
delayed_recv, NULL );
else
mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send,
mbedtls_net_recv,
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL );
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb( &ssl, &timer,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#endif /* MBEDTLS_TIMING_C */
mbedtls_printf( " ok\n" );
}
mbedtls_printf( " . Deserializing connection..." );
if( ( ret = mbedtls_ssl_context_load( &ssl, context_buf,
buf_len ) ) != 0 )
{
mbedtls_printf( "failed\n ! mbedtls_ssl_context_load returned "
"-0x%x\n\n", -ret );
goto exit;
}
mbedtls_free( context_buf );
context_buf = NULL;
context_buf_len = 0;
mbedtls_printf( " ok\n" );
}
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
/*
* 7d. Continue doing data exchanges?
*/
if( --opt.exchanges > 0 )
goto send_request;
@ -2886,10 +3061,22 @@ reconnect:
goto exit;
}
if( opt.reco_mode == 1 )
{
if( ( ret = mbedtls_ssl_session_load( &saved_session,
session_data,
session_data_len ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_session_load returned -0x%x\n\n",
-ret );
goto exit;
}
}
if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_conf_session returned %d\n\n",
ret );
mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned -0x%x\n\n",
-ret );
goto exit;
}
@ -2959,6 +3146,14 @@ exit:
mbedtls_ssl_config_free( &conf );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_entropy_free( &entropy );
if( session_data != NULL )
mbedtls_platform_zeroize( session_data, session_data_len );
mbedtls_free( session_data );
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( context_buf != NULL )
mbedtls_platform_zeroize( context_buf, context_buf_len );
mbedtls_free( context_buf );
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)

149
programs/ssl/ssl_server2.c
View file

@ -171,6 +171,8 @@ int main( void )
#define DFL_DGRAM_PACKING 1
#define DFL_EXTENDED_MS -1
#define DFL_ETM -1
#define DFL_SERIALIZE 0
#define DFL_EXTENDED_MS_ENFORCE -1
#define DFL_CA_CALLBACK 0
#define DFL_EAP_TLS 0
#define DFL_REPRODUCIBLE 0
@ -435,6 +437,15 @@ int main( void )
#define USAGE_CURVES ""
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
#define USAGE_SERIALIZATION \
" serialize=%%d default: 0 (do not serialize/deserialize)\n" \
" options: 1 (serialize)\n" \
" 2 (serialize with re-initialization)\n"
#else
#define USAGE_SERIALIZATION ""
#endif
#define USAGE \
"\n usage: ssl_server2 param=<>...\n" \
"\n acceptable parameters:\n" \
@ -499,6 +510,7 @@ int main( void )
" configuration macro is defined and 1\n" \
" otherwise. The expansion of the macro\n" \
" is printed if it is defined\n" \
USAGE_SERIALIZATION \
" acceptable ciphersuite names:\n"
#define ALPN_LIST_SIZE 10
@ -590,6 +602,7 @@ struct options
int cid_enabled_renego; /* whether to use the CID extension or not
* during renegotiation */
const char *cid_val; /* the CID to use for incoming messages */
int serialize; /* serialize/deserialize connection */
const char *cid_val_renego; /* the CID to use for incoming messages
* after renegotiation */
int reproducible; /* make communication reproducible */
@ -1714,6 +1727,10 @@ int main( int argc, char *argv[] )
size_t cid_len = 0;
size_t cid_renego_len = 0;
#endif
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
unsigned char *context_buf = NULL;
size_t context_buf_len;
#endif
int i;
char *p, *q;
@ -1872,6 +1889,7 @@ int main( int argc, char *argv[] )
opt.badmac_limit = DFL_BADMAC_LIMIT;
opt.extended_ms = DFL_EXTENDED_MS;
opt.etm = DFL_ETM;
opt.serialize = DFL_SERIALIZE;
opt.eap_tls = DFL_EAP_TLS;
opt.reproducible = DFL_REPRODUCIBLE;
@ -2286,6 +2304,12 @@ int main( int argc, char *argv[] )
{
return query_config( q );
}
else if( strcmp( p, "serialize") == 0 )
{
opt.serialize = atoi( q );
if( opt.serialize < 0 || opt.serialize > 2)
goto usage;
}
else if( strcmp( p, "eap_tls" ) == 0 )
{
opt.eap_tls = atoi( q );
@ -3907,7 +3931,124 @@ data_exchange:
ret = 0;
/*
* 7b. Continue doing data exchanges?
* 7b. Simulate serialize/deserialize and go back to data exchange
*/
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( opt.serialize != 0 )
{
size_t buf_len;
mbedtls_printf( " . Serializing live connection..." );
ret = mbedtls_ssl_context_save( &ssl, NULL, 0, &buf_len );
if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned "
"-0x%x\n\n", -ret );
goto exit;
}
if( ( context_buf = mbedtls_calloc( 1, buf_len ) ) == NULL )
{
mbedtls_printf( " failed\n ! Couldn't allocate buffer for "
"serialized context" );
goto exit;
}
context_buf_len = buf_len;
if( ( ret = mbedtls_ssl_context_save( &ssl, context_buf,
buf_len, &buf_len ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned "
"-0x%x\n\n", -ret );
goto exit;
}
mbedtls_printf( " ok\n" );
/*
* This simulates a workflow where you have a long-lived server
* instance, potentially with a pool of ssl_context objects, and you
* just want to re-use one while the connection is inactive: in that
* case you can just reset() it, and then it's ready to receive
* serialized data from another connection (or the same here).
*/
if( opt.serialize == 1 )
{
/* nothing to do here, done by context_save() already */
mbedtls_printf( " . Context has been reset... ok" );
}
/*
* This simulates a workflow where you have one server instance per
* connection, and want to release it entire when the connection is
* inactive, and spawn it again when needed again - this would happen
* between ssl_free() and ssl_init() below, together with any other
* teardown/startup code needed - for example, preparing the
* ssl_config again (see section 3 "setup stuff" in this file).
*/
if( opt.serialize == 2 )
{
mbedtls_printf( " . Freeing and reinitializing context..." );
mbedtls_ssl_free( &ssl );
mbedtls_ssl_init( &ssl );
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned "
"-0x%x\n\n", -ret );
goto exit;
}
/*
* This illustrates the minimum amount of things you need to set
* up, however you could set up much more if desired, for example
* if you want to share your set up code between the case of
* establishing a new connection and this case.
*/
if( opt.nbio == 2 )
mbedtls_ssl_set_bio( &ssl, &client_fd, delayed_send,
delayed_recv, NULL );
else
mbedtls_ssl_set_bio( &ssl, &client_fd, mbedtls_net_send,
mbedtls_net_recv,
opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL );
#if defined(MBEDTLS_TIMING_C)
mbedtls_ssl_set_timer_cb( &ssl, &timer,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#endif /* MBEDTLS_TIMING_C */
mbedtls_printf( " ok\n" );
}
mbedtls_printf( " . Deserializing connection..." );
if( ( ret = mbedtls_ssl_context_load( &ssl, context_buf,
buf_len ) ) != 0 )
{
mbedtls_printf( "failed\n ! mbedtls_ssl_context_load returned "
"-0x%x\n\n", -ret );
goto exit;
}
mbedtls_free( context_buf );
context_buf = NULL;
context_buf_len = 0;
mbedtls_printf( " ok\n" );
}
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
/*
* 7c. Continue doing data exchanges?
*/
if( --exchanges_left > 0 )
goto data_exchange;
@ -4013,6 +4154,12 @@ exit:
mbedtls_free( buf );
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
if( context_buf != NULL )
mbedtls_platform_zeroize( context_buf, context_buf_len );
mbedtls_free( context_buf );
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#if defined(MBEDTLS_MEMORY_DEBUG)
mbedtls_memory_buffer_alloc_status();