altcp_tls_mbedtls: remove entropy/ctr_drbg from altcp_tls_config struct
Use only one entropy/ctr_drbg context for all allocated altcp_tls_config structures. (Small adjustments before committing: fix coding style, adapt to changes in master)
This commit is contained in:
parent
2037ec371c
commit
b298afabdc
@ -96,8 +96,6 @@ extern const struct altcp_functions altcp_mbedtls_functions;
|
|||||||
/** Our global mbedTLS configuration (server-specific, not connection-specific) */
|
/** Our global mbedTLS configuration (server-specific, not connection-specific) */
|
||||||
struct altcp_tls_config {
|
struct altcp_tls_config {
|
||||||
mbedtls_ssl_config conf;
|
mbedtls_ssl_config conf;
|
||||||
mbedtls_entropy_context entropy;
|
|
||||||
mbedtls_ctr_drbg_context ctr_drbg;
|
|
||||||
mbedtls_x509_crt *cert;
|
mbedtls_x509_crt *cert;
|
||||||
mbedtls_pk_context *pkey;
|
mbedtls_pk_context *pkey;
|
||||||
u8_t cert_count;
|
u8_t cert_count;
|
||||||
@ -114,6 +112,14 @@ struct altcp_tls_config {
|
|||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/** Entropy and random generator are shared by all mbedTLS configuration */
|
||||||
|
struct altcp_tls_entropy_rng {
|
||||||
|
mbedtls_entropy_context entropy;
|
||||||
|
mbedtls_ctr_drbg_context ctr_drbg;
|
||||||
|
int ref;
|
||||||
|
};
|
||||||
|
static struct altcp_tls_entropy_rng *altcp_tls_entropy_rng;
|
||||||
|
|
||||||
static err_t altcp_mbedtls_lower_recv(void *arg, struct altcp_pcb *inner_conn, struct pbuf *p, err_t err);
|
static err_t altcp_mbedtls_lower_recv(void *arg, struct altcp_pcb *inner_conn, struct pbuf *p, err_t err);
|
||||||
static err_t altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_conn);
|
static err_t altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_conn);
|
||||||
static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t *state);
|
static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t *state);
|
||||||
@ -706,28 +712,51 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
|
|||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_ssl_config_init(&conf->conf);
|
mbedtls_ssl_config_init(&conf->conf);
|
||||||
mbedtls_entropy_init(&conf->entropy);
|
|
||||||
mbedtls_ctr_drbg_init(&conf->ctr_drbg);
|
|
||||||
|
|
||||||
/* Seed the RNG */
|
if (!altcp_tls_entropy_rng) {
|
||||||
ret = mbedtls_ctr_drbg_seed(&conf->ctr_drbg, mbedtls_entropy_func, &conf->entropy, ALTCP_MBEDTLS_ENTROPY_PTR, ALTCP_MBEDTLS_ENTROPY_LEN);
|
altcp_tls_entropy_rng = (struct altcp_tls_entropy_rng *)altcp_mbedtls_alloc_config(sizeof(struct altcp_tls_entropy_rng));
|
||||||
|
if (altcp_tls_entropy_rng) {
|
||||||
|
altcp_tls_entropy_rng->ref = 1;
|
||||||
|
mbedtls_entropy_init(&altcp_tls_entropy_rng->entropy);
|
||||||
|
mbedtls_ctr_drbg_init(&altcp_tls_entropy_rng->ctr_drbg);
|
||||||
|
/* Seed the RNG, only once */
|
||||||
|
ret = mbedtls_ctr_drbg_seed(&altcp_tls_entropy_rng->ctr_drbg,
|
||||||
|
mbedtls_entropy_func, &altcp_tls_entropy_rng->entropy,
|
||||||
|
ALTCP_MBEDTLS_ENTROPY_PTR, ALTCP_MBEDTLS_ENTROPY_LEN);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ctr_drbg_seed failed: %d\n", ret));
|
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ctr_drbg_seed failed: %d\n", ret));
|
||||||
|
mbedtls_ctr_drbg_free(&altcp_tls_entropy_rng->ctr_drbg);
|
||||||
|
mbedtls_entropy_free(&altcp_tls_entropy_rng->entropy);
|
||||||
|
altcp_mbedtls_free_config(altcp_tls_entropy_rng);
|
||||||
|
altcp_tls_entropy_rng = NULL;
|
||||||
altcp_mbedtls_free_config(conf);
|
altcp_mbedtls_free_config(conf);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
altcp_mbedtls_free_config(conf);
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
altcp_tls_entropy_rng->ref++;
|
||||||
|
}
|
||||||
|
|
||||||
/* Setup ssl context (@todo: what's different for a client here? -> might better be done on listen/connect) */
|
/* Setup ssl context (@todo: what's different for a client here? -> might better be done on listen/connect) */
|
||||||
ret = mbedtls_ssl_config_defaults(&conf->conf, is_server ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
|
ret = mbedtls_ssl_config_defaults(&conf->conf, is_server ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
|
||||||
MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
|
MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_config_defaults failed: %d\n", ret));
|
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_config_defaults failed: %d\n", ret));
|
||||||
|
if (altcp_tls_entropy_rng->ref == 1) {
|
||||||
|
mbedtls_ctr_drbg_free(&altcp_tls_entropy_rng->ctr_drbg);
|
||||||
|
mbedtls_entropy_free(&altcp_tls_entropy_rng->entropy);
|
||||||
|
altcp_mbedtls_free_config(altcp_tls_entropy_rng);
|
||||||
|
altcp_tls_entropy_rng = NULL;
|
||||||
|
}
|
||||||
altcp_mbedtls_free_config(conf);
|
altcp_mbedtls_free_config(conf);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
||||||
|
|
||||||
mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
|
mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
|
||||||
#if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF
|
#if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF
|
||||||
mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
|
mbedtls_ssl_conf_dbg(&conf->conf, altcp_mbedtls_debug, stdout);
|
||||||
#endif
|
#endif
|
||||||
@ -740,7 +769,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
|
|||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && ALTCP_MBEDTLS_USE_SESSION_TICKETS
|
||||||
mbedtls_ssl_ticket_init(&conf->ticket_ctx);
|
mbedtls_ssl_ticket_init(&conf->ticket_ctx);
|
||||||
|
|
||||||
ret = mbedtls_ssl_ticket_setup(&conf->ticket_ctx, mbedtls_ctr_drbg_random, &conf->ctr_drbg,
|
ret = mbedtls_ssl_ticket_setup(&conf->ticket_ctx, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg,
|
||||||
ALTCP_MBEDTLS_SESSION_TICKET_CIPHER, ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS);
|
ALTCP_MBEDTLS_SESSION_TICKET_CIPHER, ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS);
|
||||||
if (ret) {
|
if (ret) {
|
||||||
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_ticket_setup failed: %d\n", ret));
|
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_ticket_setup failed: %d\n", ret));
|
||||||
@ -752,7 +781,6 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
|
|||||||
&conf->ticket_ctx);
|
&conf->ticket_ctx);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
||||||
return conf;
|
return conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -929,6 +957,19 @@ altcp_tls_free_config(struct altcp_tls_config *conf)
|
|||||||
mbedtls_x509_crt_free(conf->ca);
|
mbedtls_x509_crt_free(conf->ca);
|
||||||
}
|
}
|
||||||
altcp_mbedtls_free_config(conf);
|
altcp_mbedtls_free_config(conf);
|
||||||
|
if (altcp_tls_entropy_rng && altcp_tls_entropy_rng->ref)
|
||||||
|
altcp_tls_entropy_rng->ref--;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
altcp_tls_free_entropy(void)
|
||||||
|
{
|
||||||
|
if (altcp_tls_entropy_rng && altcp_tls_entropy_rng->ref == 0) {
|
||||||
|
mbedtls_ctr_drbg_free(&altcp_tls_entropy_rng->ctr_drbg);
|
||||||
|
mbedtls_entropy_free(&altcp_tls_entropy_rng->entropy);
|
||||||
|
altcp_mbedtls_free_config(altcp_tls_entropy_rng);
|
||||||
|
altcp_tls_entropy_rng = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* "virtual" functions */
|
/* "virtual" functions */
|
||||||
|
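Review bot: The error path after mbedtls_ssl_config_defaults() in the hunk at -706 releases the shared RNG only when `altcp_tls_entropy_rng->ref == 1` and otherwise leaves the reference taken by `altcp_tls_entropy_rng->ref++` in place, so a config whose creation fails while another config is alive leaves `ref` one too high and altcp_tls_free_entropy() can then never free the entropy/ctr_drbg contexts. Add `} else { altcp_tls_entropy_rng->ref--; }` to that `if (altcp_tls_entropy_rng->ref == 1)` block so the failure path mirrors what altcp_tls_free_config() does. The mbedtls_ssl_ticket_setup() failure path in the hunk at -740 continues past the hunk and appears to have the same gap, since nothing visible there touches `ref`. altcp_tls_create_config() itself begins before the -706 hunk. In altcp_tls_free_config() the new unbraced `if (altcp_tls_entropy_rng && altcp_tls_entropy_rng->ref)` should also get braces to match the rest of the file.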
@ -99,6 +99,17 @@ struct altcp_tls_config *altcp_tls_create_config_client_2wayauth(const u8_t *ca,
|
|||||||
*/
|
*/
|
||||||
void altcp_tls_free_config(struct altcp_tls_config *conf);
|
void altcp_tls_free_config(struct altcp_tls_config *conf);
|
||||||
|
|
||||||
|
/** @ingroup altcp_tls
|
||||||
|
* Free an ALTCP_TLS global entropy instance.
|
||||||
|
* All ALTCP_TLS configuration are linked to one altcp_tls_entropy_rng structure
|
||||||
|
* that handle an unique system entropy & ctr_drbg instance.
|
||||||
|
* This function allow application to free this altcp_tls_entropy_rng structure
|
||||||
|
* when all configuration referencing it were destroyed.
|
||||||
|
* This function does nothing if some ALTCP_TLS configuration handle are still
|
||||||
|
* active.
|
||||||
|
*/
|
||||||
|
void altcp_tls_free_entropy(void);
|
||||||
|
|
||||||
/** @ingroup altcp_tls
|
/** @ingroup altcp_tls
|
||||||
* Create new ALTCP_TLS layer wrapping an existing pcb as inner connection (e.g. TLS over TCP)
|
* Create new ALTCP_TLS layer wrapping an existing pcb as inner connection (e.g. TLS over TCP)
|
||||||
*/
|
*/
|
||||||
|
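Review bot: The doc comment added for altcp_tls_free_entropy() has several grammar slips (`All ALTCP_TLS configuration are linked`, `that handle an unique`, `This function allow application`, `configuration handle are still active`), and since this is the public API reference it should be reworded to consistent plural/singular forms, e.g. `All ALTCP_TLS configurations share one altcp_tls_entropy_rng structure that holds a single system entropy and ctr_drbg instance.` It would also help callers to state explicitly that altcp_tls_free_config() only decrements the reference count and never frees the shared contexts, so this function is the only way to release them once the last configuration is gone.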