From 7d864c494a466f786c6ac16d7c5b00a4b209e399 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 19 Sep 2019 16:51:41 +0100 Subject: [PATCH 01/12] ssl_client2/ssl_server2: Use heap for various structures This commit modifies the example programs ssl_client2 and ssl_server2 to allocate various structures on the heap instead of the stack. This allows more fine-grained memory usage tracking via valgrind massif. --- programs/ssl/ssl_client2.c | 265 ++++++++++++++----------- programs/ssl/ssl_server2.c | 383 +++++++++++++++++++++---------------- 2 files changed, 367 insertions(+), 281 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 1a07c9dea..3f77b1a4b 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -962,14 +962,14 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #endif - mbedtls_entropy_context entropy; + mbedtls_entropy_context *entropy = NULL; #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_ctr_drbg_context *ctr_drbg = NULL; #else - mbedtls_hmac_drbg_context hmac_drbg; + mbedtls_hmac_drbg_context *hmac_drbg = NULL; #endif - mbedtls_ssl_context ssl; - mbedtls_ssl_config conf; + mbedtls_ssl_context *ssl; + mbedtls_ssl_config *conf; mbedtls_ssl_session saved_session; unsigned char *session_data = NULL; size_t session_data_len = 0; @@ -978,9 +978,9 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) uint32_t flags; - mbedtls_x509_crt cacert; - mbedtls_x509_crt clicert; - mbedtls_pk_context pkey; + mbedtls_x509_crt *cacert = NULL; + mbedtls_x509_crt *clicert = NULL; + mbedtls_pk_context *pkey = NULL; #endif char *p, *q; const int *list; 
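Review bot: In the first ssl_client2.c hunk, `ssl` and `conf` are the only converted pointers declared without `= NULL`; `entropy`, the DRBG pointer, `cacert`, `clicert` and `pkey` all get it. The cleanup at `exit:` now passes every one of these to `mbedtls_free()`, so any `goto exit` taken before the allocation block would free an indeterminate pointer. Whether such a path exists is not visible in this hunk, but the initialiser costs nothing: `mbedtls_ssl_context *ssl = NULL;` and `mbedtls_ssl_config *conf = NULL;`. The ssl_server2.c declarations have the mirror-image gap, where `entropy`, `ctr_drbg`/`hmac_drbg`, `timer` and `ticket_ctx` are left uninitialised. main() continues outside the hunk.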
@@ -989,22 +989,46 @@ int main( int argc, char *argv[] ) size_t context_buf_len; #endif + ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); + conf = mbedtls_calloc( 1, sizeof( *conf ) ); + entropy = mbedtls_calloc( 1, sizeof( *entropy ) ); +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg = mbedtls_calloc( 1, sizeof( *ctr_drbg ) ); +#else + hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); +#endif + cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); + clicert = mbedtls_calloc( 1, sizeof( *clicert ) ); + pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); + + if( ssl == NULL || conf == NULL || + entropy == NULL || cacert == NULL || +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg == NULL || +#else + hmac_drbg == NULL || +#endif + clicert == NULL || pkey == NULL ) + { + goto exit; + } + /* * Make sure memory references are valid. */ mbedtls_net_init( &server_fd ); - mbedtls_ssl_init( &ssl ); - mbedtls_ssl_config_init( &conf ); + mbedtls_ssl_init( ssl ); + mbedtls_ssl_config_init( conf ); memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) ); #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_ctr_drbg_init( ctr_drbg ); #else - mbedtls_hmac_drbg_init( &hmac_drbg ); + mbedtls_hmac_drbg_init( hmac_drbg ); #endif /* MBEDTLS_CTR_DRBG_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_x509_crt_init( &cacert ); - mbedtls_x509_crt_init( &clicert ); - mbedtls_pk_init( &pkey ); + mbedtls_x509_crt_init( cacert ); + mbedtls_x509_crt_init( clicert ); + mbedtls_pk_init( pkey ); #endif #if defined(MBEDTLS_SSL_ALPN) memset( (void * ) alpn_list, 0, sizeof( alpn_list ) ); 
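Review bot: The allocation-failure `goto exit` runs before the "Make sure memory references are valid" block, so the cleanup path operates on objects that block was meant to prepare. At `exit:` the code calls `mbedtls_net_free( &server_fd )` and `mbedtls_ssl_session_free( &saved_session )` on stack objects that are still uninitialised. It also hands whichever pointers are NULL to the `*_free` functions, which is only safe if each of them tolerates NULL (not visible here). Moving `mbedtls_net_init( &server_fd );` and `memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) );` above the `mbedtls_calloc` calls, and skipping the context frees for NULL pointers, keeps the early exit well defined; the failure is also silent in this hunk, so a short message before the jump would help. The ssl_server2.c hunk at -1629 has the same ordering: `mbedtls_net_init( &client_fd )` and `mbedtls_net_init( &listen_fd )` come after its `goto exit`.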
@@ -1704,10 +1728,10 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); - mbedtls_entropy_init( &entropy ); + mbedtls_entropy_init( entropy ); #if defined(MBEDTLS_CTR_DRBG_C) - if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, - &entropy, (const unsigned char *) pers, + if( ( ret = mbedtls_ctr_drbg_seed( ctr_drbg, mbedtls_entropy_func, + entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", @@ -1715,11 +1739,11 @@ int main( int argc, char *argv[] ) goto exit; } #else /* MBEDTLS_CTR_DRBG_C */ - if( ( ret = mbedtls_hmac_drbg_seed( &hmac_drbg, + if( ( ret = mbedtls_hmac_drbg_seed( hmac_drbg, mbedtls_md_info_from_type( available_hashes[0] ), mbedtls_entropy_func, - &entropy, (const unsigned char *) pers, + entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", @@ -1745,9 +1769,9 @@ int main( int argc, char *argv[] ) else #if defined(MBEDTLS_FS_IO) if( strlen( opt.ca_path ) ) - ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path ); + ret = mbedtls_x509_crt_parse_path( cacert, opt.ca_path ); else if( strlen( opt.ca_file ) ) - ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file ); + ret = mbedtls_x509_crt_parse_file( cacert, opt.ca_file ); else #endif #if defined(MBEDTLS_CERTS_C) @@ -1755,7 +1779,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_PEM_PARSE_C) for( i = 0; mbedtls_test_cas[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse( &cacert, + ret = mbedtls_x509_crt_parse( cacert, (const unsigned char *) mbedtls_test_cas[i], mbedtls_test_cas_len[i] ); if( ret != 0 ) 
@@ -1765,7 +1789,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_PEM_PARSE_C */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der( &cacert, + ret = mbedtls_x509_crt_parse_der( cacert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); if( ret != 0 ) @@ -1800,7 +1824,7 @@ int main( int argc, char *argv[] ) else #if defined(MBEDTLS_FS_IO) if( strlen( opt.crt_file ) ) - ret = mbedtls_x509_crt_parse_file( &clicert, opt.crt_file ); + ret = mbedtls_x509_crt_parse_file( clicert, opt.crt_file ); else #endif #if defined(MBEDTLS_CERTS_C) @@ -1825,11 +1849,11 @@ int main( int argc, char *argv[] ) else #if defined(MBEDTLS_FS_IO) if( strlen( opt.key_file ) ) - ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" ); + ret = mbedtls_pk_parse_keyfile( pkey, opt.key_file, "" ); else #endif #if defined(MBEDTLS_CERTS_C) - ret = mbedtls_pk_parse_key( &pkey, + ret = mbedtls_pk_parse_key( pkey, (const unsigned char *) mbedtls_test_cli_key, mbedtls_test_cli_key_len, NULL, 0 ); #else @@ -1888,7 +1912,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf, + if( ( ret = mbedtls_ssl_config_defaults( conf, MBEDTLS_SSL_IS_CLIENT, opt.transport, MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 ) 
@@ -1904,14 +1928,14 @@ int main( int argc, char *argv[] ) if( opt.allow_sha1 > 0 ) { crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ); - mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test ); + mbedtls_ssl_conf_cert_profile( conf, &crt_profile_for_test ); #if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH) - mbedtls_ssl_conf_sig_hashes( &conf, available_hashes ); + mbedtls_ssl_conf_sig_hashes( conf, available_hashes ); #endif } #if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) - mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); + mbedtls_ssl_conf_verify( conf, my_verify, NULL ); memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1930,10 +1954,10 @@ int main( int argc, char *argv[] ) } if( opt.cid_enabled == 1 ) - ret = mbedtls_ssl_conf_cid( &conf, cid_len, + ret = mbedtls_ssl_conf_cid( conf, cid_len, MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); else - ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len, + ret = mbedtls_ssl_conf_cid( conf, cid_renego_len, MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); if( ret != 0 ) 
@@ -1948,19 +1972,19 @@ int main( int argc, char *argv[] ) !MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */ if( opt.auth_mode != DFL_AUTH_MODE ) - mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); + mbedtls_ssl_conf_authmode( conf, opt.auth_mode ); #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) - mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, + mbedtls_ssl_conf_handshake_timeout( conf, opt.hs_to_min, opt.hs_to_max ); if( opt.dgram_packing != DFL_DGRAM_PACKING ) - mbedtls_ssl_set_datagram_packing( &ssl, opt.dgram_packing ); + mbedtls_ssl_set_datagram_packing( ssl, opt.dgram_packing ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_max_frag_len( conf, opt.mfl_code ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret ); 
@@ -1970,39 +1994,39 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) - mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac ); + mbedtls_ssl_conf_truncated_hmac( conf, opt.trunc_hmac ); #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \ !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) if( opt.extended_ms != DFL_EXTENDED_MS ) - mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms ); + mbedtls_ssl_conf_extended_master_secret( conf, opt.extended_ms ); if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE ) - mbedtls_ssl_conf_extended_master_secret_enforce( &conf, + mbedtls_ssl_conf_extended_master_secret_enforce( conf, opt.enforce_extended_master_secret ); #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( opt.etm != DFL_ETM ) - mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm ); + mbedtls_ssl_conf_encrypt_then_mac( conf, opt.etm ); #endif #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) if( opt.recsplit != DFL_RECSPLIT ) - mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit + mbedtls_ssl_conf_cbc_record_splitting( conf, opt.recsplit ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ); #endif #if defined(MBEDTLS_DHM_C) if( opt.dhmlen != DFL_DHMLEN ) - mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen ); + mbedtls_ssl_conf_dhm_min_bitlen( conf, opt.dhmlen ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) - if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_alpn_protocols( conf, alpn_list ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret ); 
@@ -2012,58 +2036,58 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_CTR_DRBG_C) #if !defined(MBEDTLS_SSL_CONF_RNG) - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_rng( conf, mbedtls_ctr_drbg_random, ctr_drbg ); #else - rng_ctx_global = &ctr_drbg; + rng_ctx_global = ctr_drbg; #endif #else /* MBEDTLS_CTR_DRBG_C */ #if !defined(MBEDTLS_SSL_CONF_RNG) - mbedtls_ssl_conf_rng( &conf, mbedtls_hmac_drbg_random, &hmac_drbg ); + mbedtls_ssl_conf_rng( conf, mbedtls_hmac_drbg_random, hmac_drbg ); #else - rng_ctx_global = &hmac_drbg; + rng_ctx_global = hmac_drbg; #endif #endif /* MBEDTLS_CTR_DRBG_C */ #if defined(MBEDTLS_DEBUG_C) - mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_dbg( conf, my_debug, stdout ); #endif #if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) - mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); + mbedtls_ssl_conf_read_timeout( conf, opt.read_timeout ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_conf_session_tickets( &conf, opt.tickets ); + mbedtls_ssl_conf_session_tickets( conf, opt.tickets ); #endif #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); + mbedtls_ssl_conf_ciphersuites( conf, opt.force_ciphersuite ); #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */ #if defined(MBEDTLS_ARC4_C) if( opt.arc4 != DFL_ARC4 ) - mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); + mbedtls_ssl_conf_arc4_support( conf, opt.arc4 ); #endif #if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); + mbedtls_ssl_conf_legacy_renegotiation( conf, opt.allow_legacy ); #endif /* !MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); + mbedtls_ssl_conf_renegotiation( conf, 
opt.renegotiation ); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_ca_chain( conf, cacert, NULL ); } if( strcmp( opt.crt_file, "none" ) != 0 && strcmp( opt.key_file, "none" ) != 0 ) { - if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( conf, clicert, pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); @@ -2077,13 +2101,13 @@ int main( int argc, char *argv[] ) if( opt.curves != NULL && strcmp( opt.curves, "default" ) != 0 ) { - mbedtls_ssl_conf_curves( &conf, curve_list ); + mbedtls_ssl_conf_curves( conf, curve_list ); } #endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ #endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len, + if( ( ret = mbedtls_ssl_conf_psk( conf, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ) ) != 0 ) { 
@@ -2098,20 +2122,20 @@ int main( int argc, char *argv[] ) !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) if( opt.min_version != DFL_MIN_VERSION ) - mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_min_version( conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != DFL_MAX_VERSION ) - mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, + mbedtls_ssl_conf_max_version( conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); #endif #if defined(MBEDTLS_SSL_FALLBACK_SCSV) if( opt.fallback != DFL_FALLBACK ) - mbedtls_ssl_conf_fallback( &conf, opt.fallback ); + mbedtls_ssl_conf_fallback( conf, opt.fallback ); #endif - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_setup( ssl, conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); @@ -2119,7 +2143,7 @@ int main( int argc, char *argv[] ) } #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) - if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_hostname( ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); @@ -2130,7 +2154,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( opt.ecjpake_pw != DFL_ECJPAKE_PW ) { - if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( &ssl, + if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( ssl, (const unsigned char *) opt.ecjpake_pw, strlen( opt.ecjpake_pw ) ) ) != 0 ) { 
@@ -2144,18 +2168,18 @@ int main( int argc, char *argv[] ) #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - io_ctx.ssl = &ssl; + io_ctx.ssl = ssl; io_ctx.net = &server_fd; - mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb, + mbedtls_ssl_set_bio( ssl, &io_ctx, send_cb, recv_cb, opt.nbio == 0 ? recv_timeout_cb : NULL ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); + mbedtls_ssl_set_bio_ctx( ssl, &server_fd ); #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled, + if( ( ret = mbedtls_ssl_set_cid( ssl, opt.cid_enabled, cid, cid_len ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n", @@ -2167,16 +2191,16 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.dtls_mtu != DFL_DTLS_MTU ) - mbedtls_ssl_set_mtu( &ssl, opt.dtls_mtu ); + mbedtls_ssl_set_mtu( ssl, opt.dtls_mtu ); #endif #if defined(MBEDTLS_TIMING_C) #if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \ !defined(MBEDTLS_SSL_CONF_GET_TIMER) - mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay, + mbedtls_ssl_set_timer_cb( ssl, &timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay ); #else - mbedtls_ssl_set_timer_cb_ctx( &ssl, &timer ); + mbedtls_ssl_set_timer_cb_ctx( ssl, &timer ); #endif #endif @@ -2193,7 +2217,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); - while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) + while( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && 
@@ -2232,23 +2256,23 @@ int main( int argc, char *argv[] ) } mbedtls_printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n", - mbedtls_ssl_get_version( &ssl ), - mbedtls_ssl_get_ciphersuite( &ssl ) ); + mbedtls_ssl_get_version( ssl ), + mbedtls_ssl_get_ciphersuite( ssl ) ); - if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 ) + if( ( ret = mbedtls_ssl_get_record_expansion( ssl ) ) >= 0 ) mbedtls_printf( " [ Record expansion is %d ]\n", ret ); else mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" ); #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) mbedtls_printf( " [ Maximum fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) ); + (unsigned int) mbedtls_ssl_get_max_frag_len( ssl ) ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { - const char *alp = mbedtls_ssl_get_alpn_protocol( &ssl ); + const char *alp = mbedtls_ssl_get_alpn_protocol( ssl ); mbedtls_printf( " [ Application Layer Protocol is %s ]\n", alp ? alp : "(none)" ); } @@ -2270,7 +2294,7 @@ int main( int argc, char *argv[] ) } /* get size of the buffer needed */ - mbedtls_ssl_session_save( mbedtls_ssl_get_session_pointer( &ssl ), + mbedtls_ssl_session_save( mbedtls_ssl_get_session_pointer( ssl ), NULL, 0, &session_data_len ); session_data = mbedtls_calloc( 1, session_data_len ); if( session_data == NULL ) @@ -2282,7 +2306,7 @@ int main( int argc, char *argv[] ) } /* actually save session data */ - if( ( ret = mbedtls_ssl_session_save( mbedtls_ssl_get_session_pointer( &ssl ), + if( ( ret = mbedtls_ssl_session_save( mbedtls_ssl_get_session_pointer( ssl ), session_data, session_data_len, &session_data_len ) ) != 0 ) { @@ -2293,7 +2317,7 @@ int main( int argc, char *argv[] ) } else { - if( ( ret = mbedtls_ssl_get_session( &ssl, &saved_session ) ) != 0 ) + if( ( ret = mbedtls_ssl_get_session( ssl, &saved_session ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_get_session returned -0x%x\n\n", -ret ); 
@@ -2316,7 +2340,7 @@ int main( int argc, char *argv[] ) */ mbedtls_printf( " . Verifying peer X.509 certificate..." ); - if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 ) { #if !defined(MBEDTLS_X509_REMOVE_INFO) char vrfy_buf[512]; @@ -2342,13 +2366,13 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ret = report_cid_usage( &ssl, "initial handshake" ); + ret = report_cid_usage( ssl, "initial handshake" ); if( ret != 0 ) goto exit; if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego, + if( ( ret = mbedtls_ssl_set_cid( ssl, opt.cid_enabled_renego, cid_renego, cid_renego_len ) ) != 0 ) { @@ -2368,7 +2392,7 @@ int main( int argc, char *argv[] ) */ mbedtls_printf( " . Performing renegotiation..." ); fflush( stdout ); - while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 ) + while( ( ret = mbedtls_ssl_renegotiate( ssl ) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && @@ -2400,7 +2424,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ret = report_cid_usage( &ssl, "after renegotiation" ); + ret = report_cid_usage( ssl, "after renegotiation" ); if( ret != 0 ) goto exit; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ @@ -2446,7 +2470,7 @@ send_request: do { - while( ( ret = mbedtls_ssl_write( &ssl, buf + written, + while( ( ret = mbedtls_ssl_write( ssl, buf + written, len - written ) ) < 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && @@ -2478,7 +2502,7 @@ send_request: { while( 1 ) { - ret = mbedtls_ssl_write( &ssl, buf, len ); + ret = mbedtls_ssl_write( ssl, buf, len ); #if defined(MBEDTLS_ECP_RESTARTABLE) if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ) 
@@ -2543,7 +2567,7 @@ send_request: { len = sizeof( buf ) - 1; memset( buf, 0, sizeof( buf ) ); - ret = mbedtls_ssl_read( &ssl, buf, len ); + ret = mbedtls_ssl_read( ssl, buf, len ); #if defined(MBEDTLS_ECP_RESTARTABLE) if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ) @@ -2608,7 +2632,7 @@ send_request: while( 1 ) { - ret = mbedtls_ssl_read( &ssl, buf, len ); + ret = mbedtls_ssl_read( ssl, buf, len ); #if defined(MBEDTLS_ECP_RESTARTABLE) if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ) @@ -2672,14 +2696,14 @@ send_request: memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ - if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_session_reset( ssl ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_session_reset returned -0x%x\n\n", -ret ); goto exit; } - while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) + while( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && @@ -2716,7 +2740,7 @@ send_request: mbedtls_printf( " . Serializing live connection..." ); - ret = mbedtls_ssl_context_save( &ssl, NULL, 0, &buf_len ); + ret = mbedtls_ssl_context_save( ssl, NULL, 0, &buf_len ); if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ) { mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned " @@ -2734,7 +2758,7 @@ send_request: } context_buf_len = buf_len; - if( ( ret = mbedtls_ssl_context_save( &ssl, context_buf, + if( ( ret = mbedtls_ssl_context_save( ssl, context_buf, buf_len, &buf_len ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned " 
@@ -2755,11 +2779,11 @@ send_request: { mbedtls_printf( " . Freeing and reinitializing context..." ); - mbedtls_ssl_free( &ssl ); + mbedtls_ssl_free( ssl ); - mbedtls_ssl_init( &ssl ); + mbedtls_ssl_init( ssl ); - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_setup( ssl, conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned " "-0x%x\n\n", -ret ); @@ -2769,20 +2793,20 @@ send_request: #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb, + mbedtls_ssl_set_bio( ssl, &io_ctx, send_cb, recv_cb, opt.nbio == 0 ? recv_timeout_cb : NULL ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &server_fd ); + mbedtls_ssl_set_bio_ctx( ssl, &server_fd ); #endif #if defined(MBEDTLS_TIMING_C) #if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \ !defined(MBEDTLS_SSL_CONF_GET_TIMER) - mbedtls_ssl_set_timer_cb( &ssl, &timer, + mbedtls_ssl_set_timer_cb( ssl, &timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay ); #else - mbedtls_ssl_set_timer_cb_ctx( &ssl, &timer ); + mbedtls_ssl_set_timer_cb_ctx( ssl, &timer ); #endif #endif /* MBEDTLS_TIMING_C */ @@ -2791,7 +2815,7 @@ send_request: mbedtls_printf( " . Deserializing connection..." ); - if( ( ret = mbedtls_ssl_context_load( &ssl, context_buf, + if( ( ret = mbedtls_ssl_context_load( ssl, context_buf, buf_len ) ) != 0 ) { mbedtls_printf( "failed\n ! mbedtls_ssl_context_load returned " @@ -2822,7 +2846,7 @@ close_notify: fflush( stdout ); /* No error checking, the connection might be closed already */ - do ret = mbedtls_ssl_close_notify( &ssl ); + do ret = mbedtls_ssl_close_notify( ssl ); while( ret == MBEDTLS_ERR_SSL_WANT_WRITE ); ret = 0; 
@@ -2850,7 +2874,7 @@ reconnect: memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ - if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) + if( ( ret = mbedtls_ssl_session_reset( ssl ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_session_reset returned -0x%x\n\n", -ret ); @@ -2870,7 +2894,7 @@ reconnect: } #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION) - if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 ) + if( ( ret = mbedtls_ssl_set_session( ssl, &saved_session ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_session returned -0x%x\n\n", -ret ); @@ -2899,7 +2923,7 @@ reconnect: goto exit; } - while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) + while( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && @@ -2920,6 +2944,7 @@ reconnect: * Cleanup and exit */ exit: + #ifdef MBEDTLS_ERROR_C if( ret != 0 ) { @@ -2932,19 +2957,19 @@ exit: mbedtls_net_free( &server_fd ); #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_x509_crt_free( &clicert ); - mbedtls_x509_crt_free( &cacert ); - mbedtls_pk_free( &pkey ); + mbedtls_x509_crt_free( clicert ); + mbedtls_x509_crt_free( cacert ); + mbedtls_pk_free( pkey ); #endif mbedtls_ssl_session_free( &saved_session ); - mbedtls_ssl_free( &ssl ); - mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_free( ssl ); + mbedtls_ssl_config_free( conf ); #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_ctr_drbg_free( ctr_drbg ); #else - mbedtls_hmac_drbg_free( &hmac_drbg ); + mbedtls_hmac_drbg_free( hmac_drbg ); #endif - mbedtls_entropy_free( &entropy ); + mbedtls_entropy_free( entropy ); if( session_data != NULL ) mbedtls_platform_zeroize( session_data, session_data_len ); mbedtls_free( session_data ); 
@@ -2954,6 +2979,18 @@ exit: mbedtls_free( context_buf ); #endif + mbedtls_free( ssl ); + mbedtls_free( conf ); + mbedtls_free( entropy ); +#if defined(MBEDTLS_CTR_DRBG_C) + mbedtls_free( ctr_drbg ); +#else + mbedtls_free( hmac_drbg ); +#endif + mbedtls_free( cacert ); + mbedtls_free( clicert ); + mbedtls_free( pkey ); + #if defined(_WIN32) mbedtls_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index c0476dc59..64d889d87 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1561,27 +1561,27 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #endif - mbedtls_entropy_context entropy; + mbedtls_entropy_context *entropy; #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_ctr_drbg_context *ctr_drbg; #else - mbedtls_hmac_drbg_context hmac_drbg; + mbedtls_hmac_drbg_context *hmac_drbg; #endif - mbedtls_ssl_context ssl; - mbedtls_ssl_config conf; + mbedtls_ssl_context *ssl = NULL; + mbedtls_ssl_config *conf = NULL; #if defined(MBEDTLS_TIMING_C) - mbedtls_timing_delay_context timer; + mbedtls_timing_delay_context *timer; #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) unsigned char renego_period[8] = { 0 }; #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) uint32_t flags; - mbedtls_x509_crt cacert; - mbedtls_x509_crt srvcert; - mbedtls_pk_context pkey; - mbedtls_x509_crt srvcert2; - mbedtls_pk_context pkey2; + mbedtls_x509_crt *cacert = NULL; + mbedtls_x509_crt *srvcert = NULL; + mbedtls_pk_context *pkey = NULL; + mbedtls_x509_crt *srvcert2 = NULL; + mbedtls_pk_context *pkey2 = NULL; int key_cert_init = 0, key_cert_init2 = 0; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) ssl_async_key_context_t ssl_async_keys; 
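Review bot: `mbedtls_free( cacert )`, `mbedtls_free( clicert )` and `mbedtls_free( pkey )` in the -2954 hunk are compiled unconditionally, but the -978 hunk declares the three pointers inside `#if defined(MBEDTLS_X509_CRT_PARSE_C)`. The matching `mbedtls_calloc` calls and NULL test in the -989 hunk are unguarded as well. A configuration without that option would stop building unless the program is excluded some other way, which these hunks do not show. Wrapping each of the three sites in the declaration's guard fixes it, e.g. `#if defined(MBEDTLS_X509_CRT_PARSE_C)` before and `#endif` after the three `mbedtls_free` calls. ssl_server2.c has the same mismatch in its -1629 hunk for `cache`, `timer`, `ticket_ctx` and the certificate/key pointers, which are declared under their own `#if` blocks but allocated unconditionally.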
@@ -1591,10 +1591,10 @@ int main( int argc, char *argv[] ) mbedtls_dhm_context dhm; #endif #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_cache_context cache; + mbedtls_ssl_cache_context *cache = NULL; #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_context ticket_ctx; + mbedtls_ssl_ticket_context *ticket_ctx; #endif #if defined(SNI_OPTION) sni_entry *sni_info = NULL; 
@@ -1629,24 +1629,55 @@ int main( int argc, char *argv[] ) mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); #endif + ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); + conf = mbedtls_calloc( 1, sizeof( *conf ) ); + cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); + srvcert = mbedtls_calloc( 1, sizeof( *srvcert ) ); + pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); + srvcert2 = mbedtls_calloc( 1, sizeof( *srvcert2 ) ); + pkey2 = mbedtls_calloc( 1, sizeof( *pkey2 ) ); + cache = mbedtls_calloc( 1, sizeof( *cache ) ); + timer = mbedtls_calloc( 1, sizeof( *timer ) ); + ticket_ctx = mbedtls_calloc( 1, sizeof( *ticket_ctx ) ); + entropy = mbedtls_calloc( 1, sizeof( *entropy ) ); +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg = mbedtls_calloc( 1, sizeof( *ctr_drbg ) ); +#else + hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); +#endif + + if( ssl == NULL || conf == NULL || + cacert == NULL || srvcert == NULL || + pkey == NULL || srvcert2 == NULL || + pkey2 == NULL || cache == NULL || +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg == NULL || +#else + hmac_drbg == NULL || +#endif + entropy == NULL ) + { + goto exit; + } + /* * Make sure memory references are valid in case we exit early. 
*/ mbedtls_net_init( &client_fd ); mbedtls_net_init( &listen_fd ); - mbedtls_ssl_init( &ssl ); - mbedtls_ssl_config_init( &conf ); + mbedtls_ssl_init( ssl ); + mbedtls_ssl_config_init( conf ); #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_ctr_drbg_init( ctr_drbg ); #else - mbedtls_hmac_drbg_init( &hmac_drbg ); + mbedtls_hmac_drbg_init( hmac_drbg ); #endif /* MBEDTLS_CTR_DRBG_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_x509_crt_init( &cacert ); - mbedtls_x509_crt_init( &srvcert ); - mbedtls_pk_init( &pkey ); - mbedtls_x509_crt_init( &srvcert2 ); - mbedtls_pk_init( &pkey2 ); + mbedtls_x509_crt_init( cacert ); + mbedtls_x509_crt_init( srvcert ); + mbedtls_pk_init( pkey ); + mbedtls_x509_crt_init( srvcert2 ); + mbedtls_pk_init( pkey2 ); #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) ); #endif @@ -1655,10 +1686,10 @@ int main( int argc, char *argv[] ) mbedtls_dhm_init( &dhm ); #endif #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_cache_init( &cache ); + mbedtls_ssl_cache_init( cache ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_init( &ticket_ctx ); + mbedtls_ssl_ticket_init( ticket_ctx ); #endif #if defined(MBEDTLS_SSL_ALPN) memset( (void *) alpn_list, 0, sizeof( alpn_list ) ); @@ -2453,10 +2484,10 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); - mbedtls_entropy_init( &entropy ); + mbedtls_entropy_init( entropy ); #if defined(MBEDTLS_CTR_DRBG_C) - if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, - &entropy, (const unsigned char *) pers, + if( ( ret = mbedtls_ctr_drbg_seed( ctr_drbg, mbedtls_entropy_func, + entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", 
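Review bot: The NULL test after the server's allocation block (hunk -1629) omits `timer` and `ticket_ctx`, although both are allocated just above it. If the `ticket_ctx` allocation fails, execution reaches `mbedtls_ssl_ticket_init( ticket_ctx )` in the -1655 hunk with a NULL pointer, and `timer` is presumably passed on to the timer callbacks later in main(), outside what is shown. Add both to the condition under the guards their declarations use: `timer == NULL ||` inside `#if defined(MBEDTLS_TIMING_C)` and `ticket_ctx == NULL ||` inside `#if defined(MBEDTLS_SSL_SESSION_TICKETS)`.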
@@ -2464,11 +2495,11 @@ int main( int argc, char *argv[] ) goto exit; } #else /* MBEDTLS_CTR_DRBG_C */ - if( ( ret = mbedtls_hmac_drbg_seed( &hmac_drbg, + if( ( ret = mbedtls_hmac_drbg_seed( hmac_drbg, mbedtls_md_info_from_type( available_hashes[0] ), mbedtls_entropy_func, - &entropy, (const unsigned char *) pers, + entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", @@ -2494,9 +2525,9 @@ int main( int argc, char *argv[] ) else #if defined(MBEDTLS_FS_IO) if( strlen( opt.ca_path ) ) - ret = mbedtls_x509_crt_parse_path( &cacert, opt.ca_path ); + ret = mbedtls_x509_crt_parse_path( cacert, opt.ca_path ); else if( strlen( opt.ca_file ) ) - ret = mbedtls_x509_crt_parse_file( &cacert, opt.ca_file ); + ret = mbedtls_x509_crt_parse_file( cacert, opt.ca_file ); else #endif #if defined(MBEDTLS_CERTS_C) @@ -2504,7 +2535,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_PEM_PARSE_C) for( i = 0; mbedtls_test_cas[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse( &cacert, + ret = mbedtls_x509_crt_parse( cacert, (const unsigned char *) mbedtls_test_cas[i], mbedtls_test_cas_len[i] ); if( ret != 0 ) @@ -2514,7 +2545,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_PEM_PARSE_C */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der( &cacert, + ret = mbedtls_x509_crt_parse_der( cacert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); if( ret != 0 ) @@ -2545,7 +2576,7 @@ int main( int argc, char *argv[] ) if( strlen( opt.crt_file ) && strcmp( opt.crt_file, "none" ) != 0 ) { key_cert_init++; - if( ( ret = mbedtls_x509_crt_parse_file( &srvcert, opt.crt_file ) ) != 0 ) + if( ( ret = mbedtls_x509_crt_parse_file( srvcert, opt.crt_file ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file returned -0x%x\n\n", -ret ); 
@@ -2555,7 +2586,7 @@ int main( int argc, char *argv[] ) if( strlen( opt.key_file ) && strcmp( opt.key_file, "none" ) != 0 ) { key_cert_init++; - if( ( ret = mbedtls_pk_parse_keyfile( &pkey, opt.key_file, "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( pkey, opt.key_file, "" ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile returned -0x%x\n\n", -ret ); goto exit; @@ -2570,7 +2601,7 @@ int main( int argc, char *argv[] ) if( strlen( opt.crt_file2 ) && strcmp( opt.crt_file2, "none" ) != 0 ) { key_cert_init2++; - if( ( ret = mbedtls_x509_crt_parse_file( &srvcert2, opt.crt_file2 ) ) != 0 ) + if( ( ret = mbedtls_x509_crt_parse_file( srvcert2, opt.crt_file2 ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_x509_crt_parse_file(2) returned -0x%x\n\n", -ret ); @@ -2580,7 +2611,7 @@ int main( int argc, char *argv[] ) if( strlen( opt.key_file2 ) && strcmp( opt.key_file2, "none" ) != 0 ) { key_cert_init2++; - if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 ) + if( ( ret = mbedtls_pk_parse_keyfile( pkey2, opt.key_file2, "" ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n", -ret ); @@ -2605,7 +2636,7 @@ int main( int argc, char *argv[] ) goto exit; #else #if defined(MBEDTLS_RSA_C) - if( ( ret = mbedtls_x509_crt_parse( &srvcert, + if( ( ret = mbedtls_x509_crt_parse( srvcert, (const unsigned char *) mbedtls_test_srv_crt_rsa, mbedtls_test_srv_crt_rsa_len ) ) != 0 ) { @@ -2613,7 +2644,7 @@ int main( int argc, char *argv[] ) -ret ); goto exit; } - if( ( ret = mbedtls_pk_parse_key( &pkey, + if( ( ret = mbedtls_pk_parse_key( pkey, (const unsigned char *) mbedtls_test_srv_key_rsa, mbedtls_test_srv_key_rsa_len, NULL, 0 ) ) != 0 ) { 
@@ -2624,7 +2655,7 @@ int main( int argc, char *argv[] ) key_cert_init = 2; #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_USE_TINYCRYPT) - if( ( ret = mbedtls_x509_crt_parse( &srvcert2, + if( ( ret = mbedtls_x509_crt_parse( srvcert2, (const unsigned char *) mbedtls_test_srv_crt_ec, mbedtls_test_srv_crt_ec_len ) ) != 0 ) { @@ -2632,7 +2663,7 @@ int main( int argc, char *argv[] ) -ret ); goto exit; } - if( ( ret = mbedtls_pk_parse_key( &pkey2, + if( ( ret = mbedtls_pk_parse_key( pkey2, (const unsigned char *) mbedtls_test_srv_key_ec, mbedtls_test_srv_key_ec_len, NULL, 0 ) ) != 0 ) { @@ -2706,7 +2737,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up the SSL/TLS structure..." ); fflush( stdout ); - if( ( ret = mbedtls_ssl_config_defaults( &conf, + if( ( ret = mbedtls_ssl_config_defaults( conf, MBEDTLS_SSL_IS_SERVER, opt.transport, MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 ) 
@@ -2722,33 +2753,33 @@ int main( int argc, char *argv[] ) if( opt.allow_sha1 > 0 ) { crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ); - mbedtls_ssl_conf_cert_profile( &conf, &crt_profile_for_test ); + mbedtls_ssl_conf_cert_profile( conf, &crt_profile_for_test ); #if !defined(MBEDTLS_SSL_CONF_SINGLE_HASH) - mbedtls_ssl_conf_sig_hashes( &conf, available_hashes ); + mbedtls_ssl_conf_sig_hashes( conf, available_hashes ); #endif } #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if !defined(MBEDTLS_SSL_CONF_AUTHMODE) if( opt.auth_mode != DFL_AUTH_MODE ) - mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); + mbedtls_ssl_conf_authmode( conf, opt.auth_mode ); #endif /* !MBEDTLS_SSL_CONF_AUTHMODE */ #if !defined(MBEDTLS_SSL_CONF_CERT_REQ_CA_LIST) if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST ) - mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list ); + mbedtls_ssl_conf_cert_req_ca_list( conf, opt.cert_req_ca_list ); #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) - mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max ); + mbedtls_ssl_conf_handshake_timeout( conf, opt.hs_to_min, opt.hs_to_max ); if( opt.dgram_packing != DFL_DGRAM_PACKING ) - mbedtls_ssl_set_datagram_packing( &ssl, opt.dgram_packing ); + mbedtls_ssl_set_datagram_packing( ssl, opt.dgram_packing ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_max_frag_len( conf, opt.mfl_code ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret ); goto exit; 
@@ -2769,10 +2800,10 @@ int main( int argc, char *argv[] ) } if( opt.cid_enabled == 1 ) - ret = mbedtls_ssl_conf_cid( &conf, cid_len, + ret = mbedtls_ssl_conf_cid( conf, cid_len, MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); else - ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len, + ret = mbedtls_ssl_conf_cid( conf, cid_renego_len, MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ); if( ret != 0 ) @@ -2788,27 +2819,27 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) if( opt.trunc_hmac != DFL_TRUNC_HMAC ) - mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac ); + mbedtls_ssl_conf_truncated_hmac( conf, opt.trunc_hmac ); #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ !defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET) && \ !defined(MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET) if( opt.extended_ms != DFL_EXTENDED_MS ) - mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms ); + mbedtls_ssl_conf_extended_master_secret( conf, opt.extended_ms ); if( opt.enforce_extended_master_secret != DFL_EXTENDED_MS_ENFORCE ) - mbedtls_ssl_conf_extended_master_secret_enforce( &conf, + mbedtls_ssl_conf_extended_master_secret_enforce( conf, opt.enforce_extended_master_secret ); #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( opt.etm != DFL_ETM ) - mbedtls_ssl_conf_encrypt_then_mac( &conf, opt.etm ); + mbedtls_ssl_conf_encrypt_then_mac( conf, opt.etm ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) - if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_alpn_protocols( conf, alpn_list ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret ); goto exit; 
@@ -2817,31 +2848,31 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_CTR_DRBG_C) #if !defined(MBEDTLS_SSL_CONF_RNG) - mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); + mbedtls_ssl_conf_rng( conf, mbedtls_ctr_drbg_random, ctr_drbg ); #else - rng_ctx_global = &ctr_drbg; + rng_ctx_global = ctr_drbg; #endif #else /* MBEDTLS_CTR_DRBG_C */ #if !defined(MBEDTLS_SSL_CONF_RNG) - mbedtls_ssl_conf_rng( &conf, mbedtls_hmac_drbg_random, &hmac_drbg ); + mbedtls_ssl_conf_rng( conf, mbedtls_hmac_drbg_random, hmac_drbg ); #else - rng_ctx_global = &hmac_drbg; + rng_ctx_global = hmac_drbg; #endif #endif /* MBEDTLS_CTR_DRBG_C */ #if defined(MBEDTLS_DEBUG_C) - mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); + mbedtls_ssl_conf_dbg( conf, my_debug, stdout ); #endif #if defined(MBEDTLS_SSL_CACHE_C) if( opt.cache_max != -1 ) - mbedtls_ssl_cache_set_max_entries( &cache, opt.cache_max ); + mbedtls_ssl_cache_set_max_entries( cache, opt.cache_max ); if( opt.cache_timeout != -1 ) - mbedtls_ssl_cache_set_timeout( &cache, opt.cache_timeout ); + mbedtls_ssl_cache_set_timeout( cache, opt.cache_timeout ); #if !defined(MBEDTLS_SSL_NO_SESSION_CACHE) - mbedtls_ssl_conf_session_cache( &conf, &cache, + mbedtls_ssl_conf_session_cache( conf, cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set ); #endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */ @@ -2850,11 +2881,11 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_SESSION_TICKETS) if( opt.tickets == MBEDTLS_SSL_SESSION_TICKETS_ENABLED ) { - if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, + if( ( ret = mbedtls_ssl_ticket_setup( ticket_ctx, #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_random, &ctr_drbg, + mbedtls_ctr_drbg_random, ctr_drbg, #else - mbedtls_hmac_drbg_random, &hmac_drbg, + mbedtls_hmac_drbg_random, hmac_drbg, #endif MBEDTLS_CIPHER_AES_256_GCM, opt.ticket_timeout ) ) != 0 ) 
@@ -2863,10 +2894,10 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_conf_session_tickets_cb( &conf, + mbedtls_ssl_conf_session_tickets_cb( conf, mbedtls_ssl_ticket_write, mbedtls_ssl_ticket_parse, - &ticket_ctx ); + ticket_ctx ); } #endif @@ -2878,9 +2909,9 @@ int main( int argc, char *argv[] ) { if( ( ret = mbedtls_ssl_cookie_setup( &cookie_ctx, #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_random, &ctr_drbg + mbedtls_ctr_drbg_random, ctr_drbg #else - mbedtls_hmac_drbg_random, &hmac_drbg + mbedtls_hmac_drbg_random, hmac_drbg #endif /* MBEDTLS_CTR_DRBG_C */ ) ) != 0 ) { @@ -2888,7 +2919,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, + mbedtls_ssl_conf_dtls_cookies( conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); } else @@ -2896,7 +2927,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.cookies == 0 ) { - mbedtls_ssl_conf_dtls_cookies( &conf, NULL, NULL, NULL ); + mbedtls_ssl_conf_dtls_cookies( conf, NULL, NULL, NULL ); } else #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */ 
@@ -2907,40 +2938,40 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \ !defined(MBEDTLS_SSL_CONF_ANTI_REPLAY) if( opt.anti_replay != DFL_ANTI_REPLAY ) - mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay ); + mbedtls_ssl_conf_dtls_anti_replay( conf, opt.anti_replay ); #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ !defined(MBEDTLS_SSL_CONF_BADMAC_LIMIT) if( opt.badmac_limit != DFL_BADMAC_LIMIT ) - mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit ); + mbedtls_ssl_conf_dtls_badmac_limit( conf, opt.badmac_limit ); #endif } #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) - mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite ); + mbedtls_ssl_conf_ciphersuites( conf, opt.force_ciphersuite ); #endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */ #if defined(MBEDTLS_ARC4_C) if( opt.arc4 != DFL_ARC4 ) - mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 ); + mbedtls_ssl_conf_arc4_support( conf, opt.arc4 ); #endif #if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) if( opt.version_suites != NULL ) { - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0], + mbedtls_ssl_conf_ciphersuites_for_version( conf, version_suites[0], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0 ); - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[1], + mbedtls_ssl_conf_ciphersuites_for_version( conf, version_suites[1], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1 ); - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[2], + mbedtls_ssl_conf_ciphersuites_for_version( conf, version_suites[2], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2 ); - mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[3], + mbedtls_ssl_conf_ciphersuites_for_version( conf, version_suites[3], MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3 ); } 
@@ -2948,18 +2979,18 @@ int main( int argc, char *argv[] ) #if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION) if( opt.allow_legacy != DFL_ALLOW_LEGACY ) - mbedtls_ssl_conf_legacy_renegotiation( &conf, opt.allow_legacy ); + mbedtls_ssl_conf_legacy_renegotiation( conf, opt.allow_legacy ); #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) - mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); + mbedtls_ssl_conf_renegotiation( conf, opt.renegotiation ); if( opt.renego_delay != DFL_RENEGO_DELAY ) - mbedtls_ssl_conf_renegotiation_enforced( &conf, opt.renego_delay ); + mbedtls_ssl_conf_renegotiation_enforced( conf, opt.renego_delay ); if( opt.renego_period != DFL_RENEGO_PERIOD ) { PUT_UINT64_BE( renego_period, opt.renego_period, 0 ); - mbedtls_ssl_conf_renegotiation_period( &conf, renego_period ); + mbedtls_ssl_conf_renegotiation_period( conf, renego_period ); } #endif @@ -2967,15 +2998,15 @@ int main( int argc, char *argv[] ) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_ca_chain( conf, cacert, NULL ); } if( key_cert_init ) { - mbedtls_pk_context *pk = &pkey; + mbedtls_pk_context *pk = pkey; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( opt.async_private_delay1 >= 0 ) { - ret = ssl_async_set_key( &ssl_async_keys, &srvcert, pk, 0, + ret = ssl_async_set_key( ssl_async_keys, srvcert, pk, 0, opt.async_private_delay1 ); if( ret < 0 ) { @@ -2986,7 +3017,7 @@ int main( int argc, char *argv[] ) pk = NULL; } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ - if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, pk ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( conf, srvcert, pk ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; 
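Review bot: `ssl_async_set_key( ssl_async_keys, srvcert, pk, 0, ... )` in the `@@ -2967` hunk drops the `&`, yet the same commit keeps treating `ssl_async_keys` as an object (`memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) )` in the init block, `ssl_async_keys.f_rng` further down), so this commit on its own presumably does not build with MBEDTLS_SSL_ASYNC_PRIVATE enabled. The same applies to the second `ssl_async_set_key` call, the last argument of `mbedtls_ssl_conf_async_private_cb` and the SNI loop in the following hunks. Keeping `&ssl_async_keys` here, as a later patch in this series restores it, would leave every commit buildable for bisection.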
@@ -2994,11 +3025,11 @@ int main( int argc, char *argv[] ) } if( key_cert_init2 ) { - mbedtls_pk_context *pk = &pkey2; + mbedtls_pk_context *pk = pkey2; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( opt.async_private_delay2 >= 0 ) { - ret = ssl_async_set_key( &ssl_async_keys, &srvcert2, pk, 0, + ret = ssl_async_set_key( ssl_async_keys, srvcert2, pk, 0, opt.async_private_delay2 ); if( ret < 0 ) { @@ -3009,7 +3040,7 @@ int main( int argc, char *argv[] ) pk = NULL; } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ - if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert2, pk ) ) != 0 ) + if( ( ret = mbedtls_ssl_conf_own_cert( conf, srvcert2, pk ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); goto exit; @@ -3038,13 +3069,13 @@ int main( int argc, char *argv[] ) - opt.async_private_error : opt.async_private_error ); ssl_async_keys.f_rng = mbedtls_ctr_drbg_random; - ssl_async_keys.p_rng = &ctr_drbg; - mbedtls_ssl_conf_async_private_cb( &conf, + ssl_async_keys.p_rng = ctr_drbg; + mbedtls_ssl_conf_async_private_cb( conf, sign, decrypt, ssl_async_resume, ssl_async_cancel, - &ssl_async_keys ); + ssl_async_keys ); } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -3052,14 +3083,14 @@ int main( int argc, char *argv[] ) #if defined(SNI_OPTION) if( opt.sni != NULL ) { - mbedtls_ssl_conf_sni( &conf, sni_callback, sni_info ); + mbedtls_ssl_conf_sni( conf, sni_callback, sni_info ); #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( opt.async_private_delay2 >= 0 ) { sni_entry *cur; for( cur = sni_info; cur != NULL; cur = cur->next ) { - ret = ssl_async_set_key( &ssl_async_keys, + ret = ssl_async_set_key( ssl_async_keys, cur->cert, cur->key, 1, opt.async_private_delay2 ); if( ret < 0 ) 
@@ -3080,7 +3111,7 @@ int main( int argc, char *argv[] ) if( opt.curves != NULL && strcmp( opt.curves, "default" ) != 0 ) { - mbedtls_ssl_conf_curves( &conf, curve_list ); + mbedtls_ssl_conf_curves( conf, curve_list ); } #endif /* !MBEDTLS_SSL_CONF_SINGLE_EC */ #endif /* MBEDTLS_ECP_C*/ @@ -3088,7 +3119,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) if( strlen( opt.psk ) != 0 && strlen( opt.psk_identity ) != 0 ) { - ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len, + ret = mbedtls_ssl_conf_psk( conf, psk, psk_len, (const unsigned char *) opt.psk_identity, strlen( opt.psk_identity ) ); if( ret != 0 ) @@ -3099,7 +3130,7 @@ int main( int argc, char *argv[] ) } if( opt.psk_list != NULL ) - mbedtls_ssl_conf_psk_cb( &conf, psk_callback, psk_info ); + mbedtls_ssl_conf_psk_cb( conf, psk_callback, psk_info ); #endif #if defined(MBEDTLS_DHM_C) @@ -3108,7 +3139,7 @@ int main( int argc, char *argv[] ) */ #if defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) - ret = mbedtls_ssl_conf_dh_param_ctx( &conf, &dhm ); + ret = mbedtls_ssl_conf_dh_param_ctx( conf, &dhm ); #endif if( ret != 0 ) { @@ -3122,13 +3153,13 @@ int main( int argc, char *argv[] ) !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \ !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) if( opt.min_version != DFL_MIN_VERSION ) - mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); + mbedtls_ssl_conf_min_version( conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); if( opt.max_version != DFL_MIN_VERSION ) - mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); + mbedtls_ssl_conf_max_version( conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); #endif - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_setup( ssl, conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", -ret ); goto exit; 
@@ -3137,18 +3168,18 @@ int main( int argc, char *argv[] ) #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - io_ctx.ssl = &ssl; + io_ctx.ssl = ssl; io_ctx.net = &client_fd; - mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb, + mbedtls_ssl_set_bio( ssl, &io_ctx, send_cb, recv_cb, opt.nbio == 0 ? recv_timeout_cb : NULL ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); + mbedtls_ssl_set_bio_ctx( ssl, &client_fd ); #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled, + if( ( ret = mbedtls_ssl_set_cid( ssl, opt.cid_enabled, cid, cid_len ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n", @@ -3160,16 +3191,16 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.dtls_mtu != DFL_DTLS_MTU ) - mbedtls_ssl_set_mtu( &ssl, opt.dtls_mtu ); + mbedtls_ssl_set_mtu( ssl, opt.dtls_mtu ); #endif #if defined(MBEDTLS_TIMING_C) #if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \ !defined(MBEDTLS_SSL_CONF_GET_TIMER) - mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay, + mbedtls_ssl_set_timer_cb( ssl, timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay ); #else - mbedtls_ssl_set_timer_cb_ctx( &ssl, &timer ); + mbedtls_ssl_set_timer_cb_ctx( ssl, timer ); #endif #endif @@ -3204,7 +3235,7 @@ reset: mbedtls_net_free( &client_fd ); - mbedtls_ssl_session_reset( &ssl ); + mbedtls_ssl_session_reset( ssl ); /* * 3. Wait until a client connects 
@@ -3241,13 +3272,13 @@ reset: } #if !defined(MBEDTLS_SSL_CONF_READ_TIMEOUT) - mbedtls_ssl_conf_read_timeout( &conf, opt.read_timeout ); + mbedtls_ssl_conf_read_timeout( conf, opt.read_timeout ); #endif /* MBEDTLS_SSL_CONF_READ_TIMEOUT */ #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - if( ( ret = mbedtls_ssl_set_client_transport_id( &ssl, + if( ( ret = mbedtls_ssl_set_client_transport_id( ssl, client_ip, cliip_len ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n", @@ -3260,7 +3291,7 @@ reset: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( opt.ecjpake_pw != DFL_ECJPAKE_PW ) { - if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( &ssl, + if( ( ret = mbedtls_ssl_set_hs_ecjpake_password( ssl, (const unsigned char *) opt.ecjpake_pw, strlen( opt.ecjpake_pw ) ) ) != 0 ) { @@ -3279,7 +3310,7 @@ handshake: mbedtls_printf( " . Performing the SSL/TLS handshake..." ); fflush( stdout ); - while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 ) + while( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) { #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS && @@ -3297,7 +3328,7 @@ handshake: if( opt.event == 1 /* level triggered IO */ ) { #if defined(MBEDTLS_TIMING_C) - ret = idle( &client_fd, &timer, ret ); + ret = idle( &client_fd, timer, ret ); #else ret = idle( &client_fd, ret ); #endif @@ -3320,7 +3351,7 @@ handshake: if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; - flags = mbedtls_ssl_get_verify_result( &ssl ); + flags = mbedtls_ssl_get_verify_result( ssl ); mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); 
@@ -3338,23 +3369,23 @@ handshake: else /* ret == 0 */ { mbedtls_printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n", - mbedtls_ssl_get_version( &ssl ), mbedtls_ssl_get_ciphersuite( &ssl ) ); + mbedtls_ssl_get_version( ssl ), mbedtls_ssl_get_ciphersuite( ssl ) ); } - if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 ) + if( ( ret = mbedtls_ssl_get_record_expansion( ssl ) ) >= 0 ) mbedtls_printf( " [ Record expansion is %d ]\n", ret ); else mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" ); #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) mbedtls_printf( " [ Maximum fragment length is %u ]\n", - (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) ); + (unsigned int) mbedtls_ssl_get_max_frag_len( ssl ) ); #endif #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { - const char *alp = mbedtls_ssl_get_alpn_protocol( &ssl ); + const char *alp = mbedtls_ssl_get_alpn_protocol( ssl ); mbedtls_printf( " [ Application Layer Protocol is %s ]\n", alp ? alp : "(none)" ); } @@ -3366,7 +3397,7 @@ handshake: */ mbedtls_printf( " . Verifying peer X.509 certificate..." ); - if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 ) { #if !defined(MBEDTLS_X509_REMOVE_INFO) char vrfy_buf[512]; 
@@ -3384,26 +3415,26 @@ handshake: mbedtls_printf( " ok\n" ); #if !defined(MBEDTLS_X509_REMOVE_INFO) - if( mbedtls_ssl_get_peer_cert( &ssl ) != NULL ) + if( mbedtls_ssl_get_peer_cert( ssl ) != NULL ) { char crt_buf[512]; mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_x509_crt_info( crt_buf, sizeof( crt_buf ), " ", - mbedtls_ssl_get_peer_cert( &ssl ) ); + mbedtls_ssl_get_peer_cert( ssl ) ); mbedtls_printf( "%s\n", crt_buf ); } #endif /* !MBEDTLS_X509_REMOVE_INFO */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ret = report_cid_usage( &ssl, "initial handshake" ); + ret = report_cid_usage( ssl, "initial handshake" ); if( ret != 0 ) goto exit; if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) { - if( ( ret = mbedtls_ssl_set_cid( &ssl, opt.cid_enabled_renego, + if( ( ret = mbedtls_ssl_set_cid( ssl, opt.cid_enabled_renego, cid_renego, cid_renego_len ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_cid returned %d\n\n", @@ -3434,14 +3465,14 @@ data_exchange: int terminated = 0; len = opt.buffer_size - 1; memset( buf, 0, opt.buffer_size ); - ret = mbedtls_ssl_read( &ssl, buf, len ); + ret = mbedtls_ssl_read( ssl, buf, len ); if( mbedtls_status_is_ssl_in_progress( ret ) ) { if( opt.event == 1 /* level triggered IO */ ) { #if defined(MBEDTLS_TIMING_C) - idle( &client_fd, &timer, ret ); + idle( &client_fd, timer, ret ); #else idle( &client_fd, ret ); #endif @@ -3470,7 +3501,7 @@ data_exchange: } } - if( mbedtls_ssl_get_bytes_avail( &ssl ) == 0 ) + if( mbedtls_ssl_get_bytes_avail( ssl ) == 0 ) { len = ret; buf[len] = '\0'; @@ -3487,7 +3518,7 @@ data_exchange: unsigned char *larger_buf; ori_len = ret; - extra_len = (int) mbedtls_ssl_get_bytes_avail( &ssl ); + extra_len = (int) mbedtls_ssl_get_bytes_avail( ssl ); larger_buf = mbedtls_calloc( 1, ori_len + extra_len + 1 ); if( larger_buf == NULL ) 
@@ -3501,9 +3532,9 @@ data_exchange: memcpy( larger_buf, buf, ori_len ); /* This read should never fail and get the whole cached data */ - ret = mbedtls_ssl_read( &ssl, larger_buf + ori_len, extra_len ); + ret = mbedtls_ssl_read( ssl, larger_buf + ori_len, extra_len ); if( ret != extra_len || - mbedtls_ssl_get_bytes_avail( &ssl ) != 0 ) + mbedtls_ssl_get_bytes_avail( ssl ) != 0 ) { mbedtls_printf( " ! mbedtls_ssl_read failed on cached data\n" ); ret = 1; @@ -3550,17 +3581,17 @@ data_exchange: */ /* For event-driven IO, wait for socket to become available */ - if( mbedtls_ssl_check_pending( &ssl ) == 0 && + if( mbedtls_ssl_check_pending( ssl ) == 0 && opt.event == 1 /* level triggered IO */ ) { #if defined(MBEDTLS_TIMING_C) - idle( &client_fd, &timer, MBEDTLS_ERR_SSL_WANT_READ ); + idle( &client_fd, timer, MBEDTLS_ERR_SSL_WANT_READ ); #else idle( &client_fd, MBEDTLS_ERR_SSL_WANT_READ ); #endif } - ret = mbedtls_ssl_read( &ssl, buf, len ); + ret = mbedtls_ssl_read( ssl, buf, len ); /* Note that even if `mbedtls_ssl_check_pending` returns true, * it can happen that the subsequent call to `mbedtls_ssl_read` @@ -3600,7 +3631,7 @@ data_exchange: mbedtls_printf( " . Requestion renegotiation..." ); fflush( stdout ); - while( ( ret = mbedtls_ssl_renegotiate( &ssl ) ) != 0 ) + while( ( ret = mbedtls_ssl_renegotiate( ssl ) ) != 0 ) { if( ! mbedtls_status_is_ssl_in_progress( ret ) ) { @@ -3612,7 +3643,7 @@ data_exchange: if( opt.event == 1 /* level triggered IO */ ) { #if defined(MBEDTLS_TIMING_C) - idle( &client_fd, &timer, ret ); + idle( &client_fd, timer, ret ); #else idle( &client_fd, ret ); #endif @@ -3624,7 +3655,7 @@ data_exchange: #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - ret = report_cid_usage( &ssl, "after renegotiation" ); + ret = report_cid_usage( ssl, "after renegotiation" ); if( ret != 0 ) goto exit; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 
@@ -3636,7 +3667,7 @@ data_exchange: fflush( stdout ); len = sprintf( (char *) buf, HTTP_RESPONSE, - mbedtls_ssl_get_ciphersuite( &ssl ) ); + mbedtls_ssl_get_ciphersuite( ssl ) ); /* Add padding to the response to reach opt.response_size in length */ if( opt.response_size != DFL_RESPONSE_SIZE && @@ -3661,7 +3692,7 @@ data_exchange: { for( written = 0, frags = 0; written < len; written += ret, frags++ ) { - while( ( ret = mbedtls_ssl_write( &ssl, buf + written, len - written ) ) + while( ( ret = mbedtls_ssl_write( ssl, buf + written, len - written ) ) <= 0 ) { if( ret == MBEDTLS_ERR_NET_CONN_RESET ) @@ -3680,7 +3711,7 @@ data_exchange: if( opt.event == 1 /* level triggered IO */ ) { #if defined(MBEDTLS_TIMING_C) - idle( &client_fd, &timer, ret ); + idle( &client_fd, timer, ret ); #else idle( &client_fd, ret ); #endif @@ -3692,7 +3723,7 @@ data_exchange: { while( 1 ) { - ret = mbedtls_ssl_write( &ssl, buf, len ); + ret = mbedtls_ssl_write( ssl, buf, len ); if( ! mbedtls_status_is_ssl_in_progress( ret ) ) break; @@ -3701,7 +3732,7 @@ data_exchange: if( opt.event == 1 /* level triggered IO */ ) { #if defined(MBEDTLS_TIMING_C) - idle( &client_fd, &timer, ret ); + idle( &client_fd, timer, ret ); #else idle( &client_fd, ret ); #endif @@ -3732,7 +3763,7 @@ data_exchange: mbedtls_printf( " . Serializing live connection..." ); - ret = mbedtls_ssl_context_save( &ssl, NULL, 0, &buf_len ); + ret = mbedtls_ssl_context_save( ssl, NULL, 0, &buf_len ); if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ) { mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned " @@ -3750,7 +3781,7 @@ data_exchange: } context_buf_len = buf_len; - if( ( ret = mbedtls_ssl_context_save( &ssl, context_buf, + if( ( ret = mbedtls_ssl_context_save( ssl, context_buf, buf_len, &buf_len ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_context_save returned " 
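Review bot: The line `len = sprintf( (char *) buf, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( ssl ) );` in the `@@ -3636` hunk writes into `buf` with no bound, and `buf` is sized by the command-line option `opt.buffer_size` (see `memset( buf, 0, opt.buffer_size )` in the read path). Unless option parsing enforces a minimum that covers the response template, which is not visible here, a small `buffer_size` lets the formatted response run past the end of the buffer. I would bound the write with `len = mbedtls_snprintf( (char *) buf, opt.buffer_size, HTTP_RESPONSE, mbedtls_ssl_get_ciphersuite( ssl ) );` and treat `len < 0 || len >= opt.buffer_size` as an error before the padding step.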
@@ -3786,11 +3817,11 @@ data_exchange: { mbedtls_printf( " . Freeing and reinitializing context..." ); - mbedtls_ssl_free( &ssl ); + mbedtls_ssl_free( ssl ); - mbedtls_ssl_init( &ssl ); + mbedtls_ssl_init( ssl ); - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) + if( ( ret = mbedtls_ssl_setup( ssl, conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned " "-0x%x\n\n", -ret ); @@ -3807,20 +3838,20 @@ data_exchange: #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) - mbedtls_ssl_set_bio( &ssl, &io_ctx, send_cb, recv_cb, + mbedtls_ssl_set_bio( ssl, &io_ctx, send_cb, recv_cb, opt.nbio == 0 ? recv_timeout_cb : NULL ); #else - mbedtls_ssl_set_bio_ctx( &ssl, &client_fd ); + mbedtls_ssl_set_bio_ctx( ssl, &client_fd ); #endif #if defined(MBEDTLS_TIMING_C) #if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \ !defined(MBEDTLS_SSL_CONF_GET_TIMER) - mbedtls_ssl_set_timer_cb( &ssl, &timer, + mbedtls_ssl_set_timer_cb( ssl, timer, mbedtls_timing_set_delay, mbedtls_timing_get_delay ); #else - mbedtls_ssl_set_timer_cb_ctx( &ssl, &timer ); + mbedtls_ssl_set_timer_cb_ctx( ssl, timer ); #endif #endif /* MBEDTLS_TIMING_C */ @@ -3829,7 +3860,7 @@ data_exchange: mbedtls_printf( " . Deserializing connection..." ); - if( ( ret = mbedtls_ssl_context_load( &ssl, context_buf, + if( ( ret = mbedtls_ssl_context_load( ssl, context_buf, buf_len ) ) != 0 ) { mbedtls_printf( "failed\n ! mbedtls_ssl_context_load returned " @@ -3859,7 +3890,7 @@ close_notify: mbedtls_printf( " . Closing the connection..." ); /* No error checking, the connection might be closed already */ - do ret = mbedtls_ssl_close_notify( &ssl ); + do ret = mbedtls_ssl_close_notify( ssl ); while( ret == MBEDTLS_ERR_SSL_WANT_WRITE ); ret = 0; @@ -3871,6 +3902,7 @@ close_notify: * Cleanup and exit */ exit: + #ifdef MBEDTLS_ERROR_C if( ret != 0 ) { 
@@ -3890,11 +3922,11 @@ exit: mbedtls_dhm_free( &dhm ); #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_x509_crt_free( &cacert ); - mbedtls_x509_crt_free( &srvcert ); - mbedtls_pk_free( &pkey ); - mbedtls_x509_crt_free( &srvcert2 ); - mbedtls_pk_free( &pkey2 ); + mbedtls_x509_crt_free( cacert ); + mbedtls_x509_crt_free( srvcert ); + mbedtls_pk_free( pkey ); + mbedtls_x509_crt_free( srvcert2 ); + mbedtls_pk_free( pkey2 ); #endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for( i = 0; (size_t) i < ssl_async_keys.slots_used; i++ ) @@ -3917,20 +3949,20 @@ exit: mbedtls_dhm_free( &dhm ); #endif - mbedtls_ssl_free( &ssl ); - mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_free( ssl ); + mbedtls_ssl_config_free( conf ); #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_ctr_drbg_free( ctr_drbg ); #else - mbedtls_hmac_drbg_free( &hmac_drbg ); + mbedtls_hmac_drbg_free( hmac_drbg ); #endif - mbedtls_entropy_free( &entropy ); + mbedtls_entropy_free( entropy ); #if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_cache_free( &cache ); + mbedtls_ssl_cache_free( cache ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_free( &ticket_ctx ); + mbedtls_ssl_ticket_free( ticket_ctx ); #endif #if defined(MBEDTLS_SSL_COOKIE_C) mbedtls_ssl_cookie_free( &cookie_ctx ); @@ -3944,6 +3976,23 @@ exit: mbedtls_free( context_buf ); #endif + mbedtls_free( ssl ); + mbedtls_free( conf ); + mbedtls_free( cacert ); + mbedtls_free( srvcert ); + mbedtls_free( pkey ); + mbedtls_free( srvcert2 ); + mbedtls_free( pkey2 ); + mbedtls_free( cache ); + mbedtls_free( timer ); + mbedtls_free( ticket_ctx ); + mbedtls_free( entropy ); +#if defined(MBEDTLS_CTR_DRBG_C) + mbedtls_free( ctr_drbg ); +#else + mbedtls_free( hmac_drbg ); +#endif + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) #if defined(MBEDTLS_MEMORY_DEBUG) mbedtls_memory_buffer_alloc_status(); From c8284329208c5928caa88ebffe4226a9da34cac8 Mon Sep 17 00:00:00 2001 
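Review bot: The `exit:` block can now be reached with some context pointers NULL, because the allocation check at the top of `main` does `goto exit` as soon as any `mbedtls_calloc` fails, and the `@@ -3917` hunk hands those pointers straight to `mbedtls_entropy_free`, `mbedtls_ssl_cache_free` and `mbedtls_ssl_ticket_free`. Whether each of these tolerates NULL is not visible here; if one does not, an out-of-memory start-up becomes a NULL dereference instead of a clean exit. Guarding the calls, for example `if( entropy != NULL ) mbedtls_entropy_free( entropy );`, makes the failure path safe whatever the library does.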
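Review bot: The new `mbedtls_free( cache );`, `mbedtls_free( timer );` and `mbedtls_free( ticket_ctx );` lines in the `@@ -3944` hunk are unconditional, while the matching `mbedtls_ssl_cache_free( cache )` and `mbedtls_ssl_ticket_free( ticket_ctx )` calls just above sit under `MBEDTLS_SSL_CACHE_C` and `MBEDTLS_SSL_SESSION_TICKETS`. The declarations are outside the hunk, so I cannot tell whether these variables exist when those options are off; if they are declared under the same guards, this block fails to compile in reduced configurations. Wrapping each free in the guard of its variable, e.g. `#if defined(MBEDTLS_SSL_CACHE_C)` around `mbedtls_free( cache );`, keeps the cleanup consistent with the code above it.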
From: Hanno Becker Date: Thu, 19 Sep 2019 16:58:57 +0100 Subject: [PATCH 02/12] Make use of copy-less CRT parsing API in ssl_client2/ssl_server2 --- programs/ssl/ssl_client2.c | 10 ++++++++-- programs/ssl/ssl_server2.c | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 3f77b1a4b..eb62fb254 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1789,7 +1789,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_PEM_PARSE_C */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der( cacert, + ret = mbedtls_x509_crt_parse_der_nocopy( cacert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); if( ret != 0 ) @@ -1828,9 +1828,15 @@ int main( int argc, char *argv[] ) else #endif #if defined(MBEDTLS_CERTS_C) - ret = mbedtls_x509_crt_parse( &clicert, +#if defined(MBEDTLS_PEM_PARSE_C) + ret = mbedtls_x509_crt_parse( clicert, (const unsigned char *) mbedtls_test_cli_crt, mbedtls_test_cli_crt_len ); +#else + ret = mbedtls_x509_crt_parse_der_nocopy( clicert, + (const unsigned char *) mbedtls_test_cli_crt, + mbedtls_test_cli_crt_len ); +#endif #else { ret = 1; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 64d889d87..aaec43402 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -2545,7 +2545,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_PEM_PARSE_C */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der( cacert, + ret = mbedtls_x509_crt_parse_der_nocopy( cacert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); if( ret != 0 ) From ead3aae8d956dbf95a53b9a5fbaa1b47db91990d Mon Sep 17 00:00:00 2001 
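Review bot: The new `#else` branch in the `@@ -1828` hunk of ssl_client2.c passes `mbedtls_test_cli_crt` to `mbedtls_x509_crt_parse_der_nocopy`, which is only correct if that test buffer holds DER whenever MBEDTLS_PEM_PARSE_C is off, and which leaves `clicert` referring to the caller's buffer instead of a private copy. Neither assumption is stated at the call site, and this is example code that gets copied into applications. I would add a comment above the call, `/* No copy: mbedtls_test_cli_crt must be DER here and must stay valid and unmodified until clicert is freed. */`; the same lifetime remark applies to the `mbedtls_test_cas_der[i]` calls in the `@@ -1789` and `@@ -2545` hunks.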
From: Hanno Becker Date: Thu, 19 Sep 2019 16:59:13 +0100 Subject: [PATCH 03/12] Reduce number of entropy sources to 1 in baremetal configuration --- configs/baremetal.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/baremetal.h b/configs/baremetal.h index 64d9e04d8..1f9a1299f 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -45,6 +45,8 @@ #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C +#define MBEDTLS_ENTROPY_MAX_SOURCES 1 + #define MBEDTLS_SSL_CONF_SINGLE_EC #define MBEDTLS_SSL_CONF_SINGLE_UECC_GRP_ID MBEDTLS_UECC_DP_SECP256R1 #define MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23 From ff1ce269d0eef5d5bfe09a027ffa4c6b06350892 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Mon, 14 Oct 2019 08:14:34 +0300 Subject: [PATCH 04/12] Fixed to compile: ssl_async_keys is not a pointer but was treated that way when giving to functions. --- programs/ssl/ssl_server2.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index aaec43402..459216341 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -3006,7 +3006,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( opt.async_private_delay1 >= 0 ) { - ret = ssl_async_set_key( ssl_async_keys, srvcert, pk, 0, + ret = ssl_async_set_key( &ssl_async_keys, srvcert, pk, 0, opt.async_private_delay1 ); if( ret < 0 ) { @@ -3029,7 +3029,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( opt.async_private_delay2 >= 0 ) { - ret = ssl_async_set_key( ssl_async_keys, srvcert2, pk, 0, + ret = ssl_async_set_key( &ssl_async_keys, srvcert2, pk, 0, opt.async_private_delay2 ); if( ret < 0 ) { @@ -3075,7 +3075,7 @@ int main( int argc, char *argv[] ) decrypt, ssl_async_resume, ssl_async_cancel, - ssl_async_keys ); + &ssl_async_keys ); } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ 
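Review bot: `#define MBEDTLS_ENTROPY_MAX_SOURCES 1` in configs/baremetal.h is added without a comment, and it has a consequence worth writing down: the entropy context has room for exactly one source, so all seeding rests on that source alone and a further `mbedtls_entropy_add_source` call is rejected once the slot is taken. Presumably the aim is a smaller context, which the commit subject suggests but the header does not say. A line above the define would do, for example `/* One slot only, to shrink the entropy context: the single registered source must be a strong one. */`.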
@@ -3090,7 +3090,7 @@ int main( int argc, char *argv[] ) sni_entry *cur; for( cur = sni_info; cur != NULL; cur = cur->next ) { - ret = ssl_async_set_key( ssl_async_keys, + ret = ssl_async_set_key( &ssl_async_keys, cur->cert, cur->key, 1, opt.async_private_delay2 ); if( ret < 0 ) From 52c9ecb408ffcde795af05bee8b4f21ea935423f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Tue, 15 Oct 2019 10:12:02 +0300 Subject: [PATCH 05/12] Fixed memory leak in ssl_server2.c main Allocations are now done after command line parsing. Added more checks if allocations are needed and fixed baremetal tests with these defines. --- programs/ssl/ssl_server2.c | 172 +++++++++++++++++++++---------------- 1 file changed, 97 insertions(+), 75 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 459216341..15824250a 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -1625,79 +1625,6 @@ int main( int argc, char *argv[] ) char *p, *q; const int *list; -#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) - mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); -#endif - - ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); - conf = mbedtls_calloc( 1, sizeof( *conf ) ); - cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); - srvcert = mbedtls_calloc( 1, sizeof( *srvcert ) ); - pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); - srvcert2 = mbedtls_calloc( 1, sizeof( *srvcert2 ) ); - pkey2 = mbedtls_calloc( 1, sizeof( *pkey2 ) ); - cache = mbedtls_calloc( 1, sizeof( *cache ) ); - timer = mbedtls_calloc( 1, sizeof( *timer ) ); - ticket_ctx = mbedtls_calloc( 1, sizeof( *ticket_ctx ) ); - entropy = mbedtls_calloc( 1, sizeof( *entropy ) ); -#if defined(MBEDTLS_CTR_DRBG_C) - ctr_drbg = mbedtls_calloc( 1, sizeof( *ctr_drbg ) ); -#else - hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); -#endif - - if( ssl == NULL || conf == NULL || - cacert == NULL || srvcert == NULL || - pkey == NULL || srvcert2 == NULL || - pkey2 == NULL || cache == NULL || -#if defined(MBEDTLS_CTR_DRBG_C) - ctr_drbg == NULL || -#else - hmac_drbg == NULL || -#endif - entropy == NULL ) - { - goto exit; - } - - /* - * Make sure memory references are valid in case we exit early. 
- */ - mbedtls_net_init( &client_fd ); - mbedtls_net_init( &listen_fd ); - mbedtls_ssl_init( ssl ); - mbedtls_ssl_config_init( conf ); -#if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_init( ctr_drbg ); -#else - mbedtls_hmac_drbg_init( hmac_drbg ); -#endif /* MBEDTLS_CTR_DRBG_C */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_x509_crt_init( cacert ); - mbedtls_x509_crt_init( srvcert ); - mbedtls_pk_init( pkey ); - mbedtls_x509_crt_init( srvcert2 ); - mbedtls_pk_init( pkey2 ); -#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) ); -#endif -#endif -#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) - mbedtls_dhm_init( &dhm ); -#endif -#if defined(MBEDTLS_SSL_CACHE_C) - mbedtls_ssl_cache_init( cache ); -#endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_init( ticket_ctx ); -#endif -#if defined(MBEDTLS_SSL_ALPN) - memset( (void *) alpn_list, 0, sizeof( alpn_list ) ); -#endif -#if defined(MBEDTLS_SSL_COOKIE_C) - mbedtls_ssl_cookie_init( &cookie_ctx ); -#endif - #if !defined(_WIN32) /* Abort cleanly on SIGTERM and SIGINT */ signal( SIGTERM, term_handler ); 
@@ -2361,6 +2288,99 @@ int main( int argc, char *argv[] ) } } +/* Do all necessary allocations and initializations */ +#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) + mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); +#endif + + ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); + conf = mbedtls_calloc( 1, sizeof( *conf ) ); + cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); + srvcert = mbedtls_calloc( 1, sizeof( *srvcert ) ); + pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); + srvcert2 = mbedtls_calloc( 1, sizeof( *srvcert2 ) ); + pkey2 = mbedtls_calloc( 1, sizeof( *pkey2 ) ); +#if defined(MBEDTLS_SSL_CACHE_C) + cache = mbedtls_calloc( 1, sizeof( *cache ) ); +#endif +#if defined(MBEDTLS_TIMING_C) + timer = mbedtls_calloc( 1, sizeof( *timer ) ); +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + ticket_ctx = mbedtls_calloc( 1, sizeof( *ticket_ctx ) ); +#endif + entropy = mbedtls_calloc( 1, sizeof( *entropy ) ); +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg = mbedtls_calloc( 1, sizeof( *ctr_drbg ) ); +#else + hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); +#endif + + if( ssl == NULL || conf == NULL || + cacert == NULL || srvcert == NULL || + pkey == NULL || srvcert2 == NULL || + pkey2 == NULL || +#if defined(MBEDTLS_SSL_CACHE_C) + cache == NULL || +#endif +#if defined(MBEDTLS_TIMING_C) + timer == NULL || +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + ticket_ctx == NULL || +#endif +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg == NULL || +#else + hmac_drbg == NULL || +#endif + entropy == NULL ) + { + goto exit; + } + + /* + * Make sure memory references are valid in case we exit early. 
+ */ + mbedtls_net_init( &client_fd ); + mbedtls_net_init( &listen_fd ); + mbedtls_ssl_init( ssl ); + mbedtls_ssl_config_init( conf ); +#if defined(MBEDTLS_CTR_DRBG_C) + mbedtls_ctr_drbg_init( ctr_drbg ); +#else + mbedtls_hmac_drbg_init( hmac_drbg ); +#endif /* MBEDTLS_CTR_DRBG_C */ +#if defined(MBEDTLS_X509_CRT_PARSE_C) + mbedtls_x509_crt_init( cacert ); + mbedtls_x509_crt_init( srvcert ); + mbedtls_pk_init( pkey ); + mbedtls_x509_crt_init( srvcert2 ); + mbedtls_pk_init( pkey2 ); +#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) + memset( &ssl_async_keys, 0, sizeof( ssl_async_keys ) ); +#endif +#endif +#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) + mbedtls_dhm_init( &dhm ); +#endif +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_ssl_cache_init( cache ); +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_init( ticket_ctx ); +#endif +#if defined(MBEDTLS_SSL_ALPN) + memset( (void *) alpn_list, 0, sizeof( alpn_list ) ); +#endif +#if defined(MBEDTLS_SSL_COOKIE_C) + mbedtls_ssl_cookie_init( &cookie_ctx ); +#endif + + + + + #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( unhexify( cid, opt.cid_val, &cid_len ) != 0 ) { @@ -3960,9 +3980,11 @@ exit: #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( cache ); + mbedtls_free( cache ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_ticket_free( ticket_ctx ); + mbedtls_free( ticket_ctx ); #endif #if defined(MBEDTLS_SSL_COOKIE_C) mbedtls_ssl_cookie_free( &cookie_ctx ); @@ -3983,9 +4005,9 @@ exit: mbedtls_free( pkey ); mbedtls_free( srvcert2 ); mbedtls_free( pkey2 ); - mbedtls_free( cache ); +#if defined(MBEDTLS_TIMING_C) mbedtls_free( timer ); - mbedtls_free( ticket_ctx ); +#endif mbedtls_free( entropy ); #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_free( ctr_drbg ); From 8e0fe19a6ab888025c24c325650a70f45006188e Mon Sep 17 00:00:00 2001 
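Review bot: On allocation failure the added `goto exit` is taken before `mbedtls_net_init( &client_fd )`, `mbedtls_net_init( &listen_fd )`, `mbedtls_dhm_init( &dhm )` and `mbedtls_ssl_cookie_init( &cookie_ctx )` have run. The `exit:` block shown in this same patch still calls `mbedtls_ssl_cookie_free( &cookie_ctx )`, which would then operate on uninitialised stack memory. The same applies to any jump to `exit:` taken during option parsing now that the whole block sits after it (the parser is outside the hunk). At this commit `timer`, `ticket_ctx` and the DRBG pointer have no `= NULL` initialiser either, so they would reach `mbedtls_free` with indeterminate values. Initialise the stack contexts before option parsing and keep only the heap allocations, their NULL check and their init calls here; the hunk in patch 11 that moves the check back in front of the init calls has the same ordering and needs the same change.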
From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Wed, 16 Oct 2019 07:43:45 +0300 Subject: [PATCH 06/12] Various changes to get CI passing after changes in ssl_server and client stack to heap --- programs/ssl/ssl_client2.c | 15 +++-- programs/ssl/ssl_server2.c | 112 +++++++++++++++++++------------------ 2 files changed, 70 insertions(+), 57 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index eb62fb254..066f6a5c8 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -997,18 +997,24 @@ int main( int argc, char *argv[] ) #else hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); #endif +#if defined(MBEDTLS_X509_CRT_PARSE_C) cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); clicert = mbedtls_calloc( 1, sizeof( *clicert ) ); pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); +#endif - if( ssl == NULL || conf == NULL || - entropy == NULL || cacert == NULL || + if( ssl == NULL || entropy == NULL || +#if defined(MBEDTLS_X509_CRT_PARSE_C) + cacert == NULL || + clicert== NULL || pkey == NULL || +#endif #if defined(MBEDTLS_CTR_DRBG_C) ctr_drbg == NULL || #else hmac_drbg == NULL || #endif - clicert == NULL || pkey == NULL ) + + conf == NULL) { goto exit; } @@ -2993,10 +2999,11 @@ exit: #else mbedtls_free( hmac_drbg ); #endif +#if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_free( cacert ); mbedtls_free( clicert ); mbedtls_free( pkey ); - +#endif #if defined(_WIN32) mbedtls_printf( " + Press Enter to exit this program.\n" ); fflush( stdout ); getchar(); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 15824250a..bfe8749bb 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -1561,16 +1561,16 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #endif - mbedtls_entropy_context *entropy; + mbedtls_entropy_context entropy; #if defined(MBEDTLS_CTR_DRBG_C) - mbedtls_ctr_drbg_context *ctr_drbg; + mbedtls_ctr_drbg_context *ctr_drbg = NULL; #else - mbedtls_hmac_drbg_context *hmac_drbg; + mbedtls_hmac_drbg_context *hmac_drbg = NULL; #endif mbedtls_ssl_context *ssl = NULL; mbedtls_ssl_config *conf = NULL; #if defined(MBEDTLS_TIMING_C) - mbedtls_timing_delay_context *timer; + mbedtls_timing_delay_context *timer = NULL; #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) unsigned char renego_period[8] = { 0 }; @@ -1594,7 +1594,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cache_context *cache = NULL; #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - mbedtls_ssl_ticket_context *ticket_ctx; + mbedtls_ssl_ticket_context *ticket_ctx = NULL; #endif #if defined(SNI_OPTION) sni_entry *sni_info = NULL; 
@@ -2288,56 +2288,34 @@ int main( int argc, char *argv[] ) } } -/* Do all necessary allocations and initializations */ + #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); #endif - ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); - conf = mbedtls_calloc( 1, sizeof( *conf ) ); - cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); - srvcert = mbedtls_calloc( 1, sizeof( *srvcert ) ); - pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); - srvcert2 = mbedtls_calloc( 1, sizeof( *srvcert2 ) ); - pkey2 = mbedtls_calloc( 1, sizeof( *pkey2 ) ); + ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); + conf = mbedtls_calloc( 1, sizeof( *conf ) ); +#if defined(MBEDTLS_X509_CRT_PARSE_C) + cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); + srvcert = mbedtls_calloc( 1, sizeof( *srvcert ) ); + pkey = mbedtls_calloc( 1, sizeof( *pkey ) ); + srvcert2 = mbedtls_calloc( 1, sizeof( *srvcert2 ) ); + pkey2 = mbedtls_calloc( 1, sizeof( *pkey2 ) ); +#endif #if defined(MBEDTLS_SSL_CACHE_C) - cache = mbedtls_calloc( 1, sizeof( *cache ) ); + cache = mbedtls_calloc( 1, sizeof( *cache ) ); #endif #if defined(MBEDTLS_TIMING_C) - timer = mbedtls_calloc( 1, sizeof( *timer ) ); + timer = mbedtls_calloc( 1, sizeof( *timer ) ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - ticket_ctx = mbedtls_calloc( 1, sizeof( *ticket_ctx ) ); -#endif - entropy = mbedtls_calloc( 1, sizeof( *entropy ) ); -#if defined(MBEDTLS_CTR_DRBG_C) - ctr_drbg = mbedtls_calloc( 1, sizeof( *ctr_drbg ) ); -#else - hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); -#endif - - if( ssl == NULL || conf == NULL || - cacert == NULL || srvcert == NULL || - pkey == NULL || srvcert2 == NULL || - pkey2 == NULL || -#if defined(MBEDTLS_SSL_CACHE_C) - cache == NULL || -#endif -#if defined(MBEDTLS_TIMING_C) - timer == NULL || -#endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - ticket_ctx == NULL || + ticket_ctx = mbedtls_calloc( 1, sizeof( *ticket_ctx ) ); #endif #if defined(MBEDTLS_CTR_DRBG_C) - 
ctr_drbg == NULL || + ctr_drbg = mbedtls_calloc( 1, sizeof( *ctr_drbg ) ); #else - hmac_drbg == NULL || + hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); #endif - entropy == NULL ) - { - goto exit; - } /* * Make sure memory references are valid in case we exit early. @@ -2346,6 +2324,7 @@ int main( int argc, char *argv[] ) mbedtls_net_init( &listen_fd ); mbedtls_ssl_init( ssl ); mbedtls_ssl_config_init( conf ); + mbedtls_entropy_init( &entropy ); #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_init( ctr_drbg ); #else @@ -2377,8 +2356,31 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cookie_init( &cookie_ctx ); #endif - - + if( ssl == NULL || +#if defined(MBEDTLS_X509_CRT_PARSE_C) + cacert == NULL || srvcert == NULL || + pkey == NULL || srvcert2 == NULL || + pkey2 == NULL || +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + ticket_ctx == NULL || +#endif +#if defined(MBEDTLS_SSL_CACHE_C) + cache == NULL || +#endif +#if defined(MBEDTLS_TIMING_C) + timer == NULL || +#endif +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg == NULL || +#else + hmac_drbg == NULL || +#endif + conf == NULL) + { + mbedtls_printf( "Initial allocations failed!\n" ); + goto exit; + } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2504,10 +2506,9 @@ int main( int argc, char *argv[] ) mbedtls_printf( "\n . Seeding the random number generator..." ); fflush( stdout ); - mbedtls_entropy_init( entropy ); #if defined(MBEDTLS_CTR_DRBG_C) if( ( ret = mbedtls_ctr_drbg_seed( ctr_drbg, mbedtls_entropy_func, - entropy, (const unsigned char *) pers, + &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", @@ -2519,7 +2520,7 @@ int main( int argc, char *argv[] ) mbedtls_md_info_from_type( available_hashes[0] ), mbedtls_entropy_func, - entropy, (const unsigned char *) pers, + &entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", 
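Review bot: The allocation check re-added after `mbedtls_ssl_cookie_init( &cookie_ctx )` now runs after `mbedtls_ssl_init( ssl )`, `mbedtls_ssl_config_init( conf )` and `mbedtls_ctr_drbg_init( ctr_drbg )`, so a failed `mbedtls_calloc` passes NULL to an init function before it is detected. Unless every one of those tolerates NULL (not visible here), the out-of-memory path dereferences NULL instead of printing `Initial allocations failed!`. Keep the check directly after the last `mbedtls_calloc`, and move only the initialisation of the stack objects (`client_fd`, `listen_fd`, `cookie_ctx`, `dhm`) ahead of the allocations so that `exit:` is safe on both paths. The `mbedtls_entropy_init( entropy )` line introduced in patch 08 sits in the same position and has the same problem until the check is moved.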
@@ -2565,7 +2566,7 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_PEM_PARSE_C */ for( i = 0; mbedtls_test_cas_der[i] != NULL; i++ ) { - ret = mbedtls_x509_crt_parse_der_nocopy( cacert, + ret = mbedtls_x509_crt_parse_der( cacert, (const unsigned char *) mbedtls_test_cas_der[i], mbedtls_test_cas_der_len[i] ); if( ret != 0 ) @@ -3922,7 +3923,6 @@ close_notify: * Cleanup and exit */ exit: - #ifdef MBEDTLS_ERROR_C if( ret != 0 ) { @@ -3971,20 +3971,19 @@ exit: mbedtls_ssl_free( ssl ); mbedtls_ssl_config_free( conf ); + #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_free( ctr_drbg ); #else mbedtls_hmac_drbg_free( hmac_drbg ); #endif - mbedtls_entropy_free( entropy ); + mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( cache ); - mbedtls_free( cache ); #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) mbedtls_ssl_ticket_free( ticket_ctx ); - mbedtls_free( ticket_ctx ); #endif #if defined(MBEDTLS_SSL_COOKIE_C) mbedtls_ssl_cookie_free( &cookie_ctx ); @@ -4000,15 +3999,22 @@ exit: mbedtls_free( ssl ); mbedtls_free( conf ); +#if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_free( cacert ); mbedtls_free( srvcert ); mbedtls_free( pkey ); mbedtls_free( srvcert2 ); mbedtls_free( pkey2 ); +#endif +#if defined(MBEDTLS_SSL_CACHE_C) + mbedtls_free( cache ); +#endif #if defined(MBEDTLS_TIMING_C) mbedtls_free( timer ); #endif - mbedtls_free( entropy ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_free( ticket_ctx ); +#endif #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_free( ctr_drbg ); #else From 8e0e48199b6afab71a82e41730c688b188ede30d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Mon, 21 Oct 2019 10:33:11 +0300 Subject: [PATCH 07/12] Changed main buf to be allocated from heap in ssl_client2 --- programs/ssl/ssl_client2.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 066f6a5c8..be64f6ab5 100644 
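Review bot: The CA loop in ssl_server2.c goes back from `mbedtls_x509_crt_parse_der_nocopy` to `mbedtls_x509_crt_parse_der` without a word in the commit message or the code, while the ssl_client2.c hunks of the same patch leave the client on the nocopy variant. A reader cannot tell whether the server needs the copying parser or the revert was only a CI workaround. Add a comment at the call saying why the copy is needed, for example `/* copying parser on purpose: <reason> */`, or switch both programs to the same call.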
--- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -935,7 +935,8 @@ int main( int argc, char *argv[] ) io_ctx_t io_ctx; #endif - unsigned char buf[MAX_REQUEST_SIZE + 1]; + unsigned char *buf = NULL; + unsigned int main_buf_len = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; @@ -1521,6 +1522,13 @@ int main( int argc, char *argv[] ) goto usage; } + main_buf_len = MAX_REQUEST_SIZE + 1; + buf = mbedtls_calloc( 1, MAX_REQUEST_SIZE + 1 ); + if( buf == NULL ) { + mbedtls_printf( "buf allocation failed!\n" ); + goto exit; + } + /* Event-driven IO is incompatible with the above custom * receive and send functions, as the polling builds on * refers to the underlying net_context. */ @@ -2449,7 +2457,7 @@ send_request: mbedtls_printf( " > Write to server:" ); fflush( stdout ); - len = mbedtls_snprintf( (char *) buf, sizeof( buf ) - 1, GET_REQUEST, + len = mbedtls_snprintf( (char *) buf, main_buf_len - 1, GET_REQUEST, opt.request_page ); tail_len = (int) strlen( GET_REQUEST_END ); @@ -2461,7 +2469,7 @@ send_request: len += opt.request_size - len - tail_len; } - strncpy( (char *) buf + len, GET_REQUEST_END, sizeof( buf ) - len - 1 ); + strncpy( (char *) buf + len, GET_REQUEST_END, main_buf_len - len - 1 ); len += tail_len; /* Truncate if request size is smaller than the "natural" size */ @@ -2577,8 +2585,8 @@ send_request: { do { - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = main_buf_len - 1; + memset( buf, 0, main_buf_len ); ret = mbedtls_ssl_read( ssl, buf, len ); #if defined(MBEDTLS_ECP_RESTARTABLE) @@ -2639,8 +2647,8 @@ send_request: } else /* Not stream, so datagram */ { - len = sizeof( buf ) - 1; - memset( buf, 0, sizeof( buf ) ); + len = main_buf_len - 1; + memset( buf, 0, main_buf_len ); while( 1 ) { @@ -2994,6 +3002,7 @@ exit: mbedtls_free( ssl ); mbedtls_free( conf ); mbedtls_free( entropy ); + mbedtls_free( buf ); #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_free( ctr_drbg ); #else 
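Review bot: `main_buf_len` replaces `sizeof( buf )` everywhere but is declared `unsigned int`, and the allocation repeats the constant instead of using it, so size and allocation can drift apart when one is edited. I would declare `size_t main_buf_len = 0;` and allocate with `buf = mbedtls_calloc( 1, main_buf_len );`. Since `len` is an `int`, `main_buf_len - len - 1` in the `strncpy` call is evaluated unsigned; it should get a comment or an explicit `len < main_buf_len` guard, because a `len` past the buffer would wrap the size. The opening brace of `if( buf == NULL ) {` also departs from the brace-on-its-own-line style of the surrounding code.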
From 11e881b5363fec04d81479e65dfc36c6d4ea4fbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Mon, 21 Oct 2019 13:00:12 +0300 Subject: [PATCH 08/12] Changed entropy to be allocated from stack to heap in ssl_server2 --- programs/ssl/ssl_server2.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index bfe8749bb..1bd4d66b0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1561,7 +1561,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #endif - mbedtls_entropy_context entropy; + mbedtls_entropy_context *entropy = NULL; #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_context *ctr_drbg = NULL; #else @@ -2295,6 +2295,7 @@ int main( int argc, char *argv[] ) ssl = mbedtls_calloc( 1, sizeof( *ssl ) ); conf = mbedtls_calloc( 1, sizeof( *conf ) ); + entropy = mbedtls_calloc( 1, sizeof( *entropy) ); #if defined(MBEDTLS_X509_CRT_PARSE_C) cacert = mbedtls_calloc( 1, sizeof( *cacert ) ); srvcert = mbedtls_calloc( 1, sizeof( *srvcert ) ); @@ -2324,7 +2325,7 @@ int main( int argc, char *argv[] ) mbedtls_net_init( &listen_fd ); mbedtls_ssl_init( ssl ); mbedtls_ssl_config_init( conf ); - mbedtls_entropy_init( &entropy ); + mbedtls_entropy_init( entropy ); #if defined(MBEDTLS_CTR_DRBG_C) mbedtls_ctr_drbg_init( ctr_drbg ); #else @@ -2356,7 +2357,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cookie_init( &cookie_ctx ); #endif - if( ssl == NULL || + if( ssl == NULL || conf == NULL || #if defined(MBEDTLS_X509_CRT_PARSE_C) cacert == NULL || srvcert == NULL || pkey == NULL || srvcert2 == NULL || @@ -2376,7 +2377,7 @@ int main( int argc, char *argv[] ) #else hmac_drbg == NULL || #endif - conf == NULL) + entropy == NULL) { mbedtls_printf( "Initial allocations failed!\n" ); goto exit; 
@@ -2508,7 +2509,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_CTR_DRBG_C) if( ( ret = mbedtls_ctr_drbg_seed( ctr_drbg, mbedtls_entropy_func, - &entropy, (const unsigned char *) pers, + entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", @@ -2520,7 +2521,7 @@ int main( int argc, char *argv[] ) mbedtls_md_info_from_type( available_hashes[0] ), mbedtls_entropy_func, - &entropy, (const unsigned char *) pers, + entropy, (const unsigned char *) pers, strlen( pers ) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", @@ -3977,7 +3978,7 @@ exit: #else mbedtls_hmac_drbg_free( hmac_drbg ); #endif - mbedtls_entropy_free( &entropy ); + mbedtls_entropy_free( entropy ); #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( cache ); @@ -3999,6 +4000,7 @@ exit: mbedtls_free( ssl ); mbedtls_free( conf ); + mbedtls_free( entropy ); #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_free( cacert ); mbedtls_free( srvcert ); From 3d414bfb65a4ea9ea739adbd6ce99da17a730e0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Tue, 22 Oct 2019 12:31:28 +0300 Subject: [PATCH 09/12] Increased MEMORY_HEAP_SIZE to 140000 in ssl_server2 to get CI passing. --- programs/ssl/ssl_server2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1bd4d66b0..a0f6533d9 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -109,7 +109,7 @@ int main( void ) /* Size of memory to be allocated for the heap, when using the library's memory * management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */ -#define MEMORY_HEAP_SIZE 120000 +#define MEMORY_HEAP_SIZE 140000 #define DFL_SERVER_ADDR NULL #define DFL_SERVER_PORT "4433" From 99082aeac7a49555ba4c4644b1469d211a8650e0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Wed, 23 Oct 2019 15:02:25 +0300 Subject: [PATCH 10/12] Fixed CI tests by overriding value MBEDTLS_ENTROPY_MAX_SOURCES Override define MBEDTLS_ENTROPY_MAX_SOURCES from 1 to 3 in baremetal_test.h mbedtls_entropy_init adds 2 sources already so max must be 3 so that one source can be added with mbedtls_entropy_add_source. --- configs/baremetal_test.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h index b107bd79a..33b51673d 100644 --- a/configs/baremetal_test.h +++ b/configs/baremetal_test.h @@ -45,4 +45,7 @@ #undef MBEDTLS_NO_PLATFORM_ENTROPY +#undef MBEDTLS_ENTROPY_MAX_SOURCES +#define MBEDTLS_ENTROPY_MAX_SOURCES 3 + #endif /* MBEDTLS_BAREMETAL_USER_CONFIG_H */ From 614efc268e3e71d682bdcf3ffb175be509f9c441 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Fri, 25 Oct 2019 11:03:20 +0300 Subject: [PATCH 11/12] Moved allocation checks to correct place in ssl_server2.c --- programs/ssl/ssl_server2.c | 53 +++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index a0f6533d9..70d3854c6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
@@ -2318,6 +2318,32 @@ int main( int argc, char *argv[] ) hmac_drbg = mbedtls_calloc( 1, sizeof( *hmac_drbg ) ); #endif + if( ssl == NULL || conf == NULL || +#if defined(MBEDTLS_X509_CRT_PARSE_C) + cacert == NULL || srvcert == NULL || + pkey == NULL || srvcert2 == NULL || + pkey2 == NULL || +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + ticket_ctx == NULL || +#endif +#if defined(MBEDTLS_SSL_CACHE_C) + cache == NULL || +#endif +#if defined(MBEDTLS_TIMING_C) + timer == NULL || +#endif +#if defined(MBEDTLS_CTR_DRBG_C) + ctr_drbg == NULL || +#else + hmac_drbg == NULL || +#endif + entropy == NULL) + { + mbedtls_printf( "Initial allocations failed!\n" ); + goto exit; + } + /* * Make sure memory references are valid in case we exit early. */ @@ -2357,33 +2383,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cookie_init( &cookie_ctx ); #endif - if( ssl == NULL || conf == NULL || -#if defined(MBEDTLS_X509_CRT_PARSE_C) - cacert == NULL || srvcert == NULL || - pkey == NULL || srvcert2 == NULL || - pkey2 == NULL || -#endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - ticket_ctx == NULL || -#endif -#if defined(MBEDTLS_SSL_CACHE_C) - cache == NULL || -#endif -#if defined(MBEDTLS_TIMING_C) - timer == NULL || -#endif -#if defined(MBEDTLS_CTR_DRBG_C) - ctr_drbg == NULL || -#else - hmac_drbg == NULL || -#endif - entropy == NULL) - { - mbedtls_printf( "Initial allocations failed!\n" ); - goto exit; - } - - #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( unhexify( cid, opt.cid_val, &cid_len ) != 0 ) { From 7800719551000b340924a25ccb7cfc7a6573201a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Teppo=20J=C3=A4rvelin?= Date: Fri, 25 Oct 2019 14:30:33 +0300 Subject: [PATCH 12/12] Adjusted buf allocated from heap in ssl_client2 to be as small as possible --- programs/ssl/ssl_client2.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index be64f6ab5..a9c06f404 100644 
--- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1522,9 +1522,23 @@ int main( int argc, char *argv[] ) goto usage; } - main_buf_len = MAX_REQUEST_SIZE + 1; - buf = mbedtls_calloc( 1, MAX_REQUEST_SIZE + 1 ); - if( buf == NULL ) { + /* try to use as small buf from the heap as possible */ + if( opt.request_size <= 0 ) + { + main_buf_len = MBEDTLS_SSL_MAX_CONTENT_LEN + 1; + } + else if( opt.request_size < (int)sizeof(GET_REQUEST) ) + { + main_buf_len = sizeof(GET_REQUEST) + 1; + } + else + { + main_buf_len = opt.request_size + 1; + } + + buf = mbedtls_calloc( 1, main_buf_len ); + if( buf == NULL ) + { mbedtls_printf( "buf allocation failed!\n" ); goto exit; }
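Review bot: The new sizing considers `opt.request_size` and `sizeof(GET_REQUEST)` but not the length of `opt.request_page`, which `mbedtls_snprintf( (char *) buf, main_buf_len - 1, GET_REQUEST, opt.request_page )` later substitutes into the request. Assuming `mbedtls_snprintf` returns the untruncated length as C99 `snprintf` does, `len` can exceed the allocation, and `strncpy( (char *) buf + len, GET_REQUEST_END, main_buf_len - len - 1 )` then starts past the buffer with a size that wraps, because `main_buf_len` is unsigned. The fixed `MAX_REQUEST_SIZE + 1` buffer left a large margin that a buffer sized to a small `request_size` no longer has. After the three branches, raise the size to the natural request length with `if( main_buf_len < sizeof( GET_REQUEST ) + strlen( opt.request_page ) + sizeof( GET_REQUEST_END ) )` and assign that sum. Also reject `len < 0 || (unsigned int) len >= main_buf_len` right after the `mbedtls_snprintf` call, which is outside this hunk.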