From df8e511381f457bb9b2e2c85142585ea86114ffc Mon Sep 17 00:00:00 2001
From: Robert Larsen
Date: Fri, 23 Aug 2019 10:55:47 +0200
Subject: [PATCH 1/2] Added mbedtls_net_close and use it in ssl_fork_server to correctly disassociate the client socket from the parent process and the server socket from the child process.
---
 include/mbedtls/net_sockets.h | 7 +++++++
 library/net_sockets.c | 13 +++++++++++++
 programs/ssl/ssl_fork_server.c | 3 ++-
 3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index df42b450c6..adb589ee96 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -257,6 +257,13 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
 int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
 uint32_t timeout );
+/**
+ * \brief Closes down the connection and free associated data
+ *
+ * \param ctx The context to close
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx );
+
 /**
 * \brief Gracefully shutdown the connection and free associated data
 *
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 5d538bfd56..c7b358d057 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -651,6 +651,19 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
 return( ret );
 }
+/*
+ * Close the connection
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx )
+{
+ if( ctx->fd == -1 )
+ return;
+
+ close( ctx->fd );
+
+ ctx->fd = -1;
+}
+
 /*
 * Gracefully close the connection
 */
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 80407e49aa..851bc05364 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -254,6 +254,7 @@ int main( void )
 if( pid != 0 )
 {
 mbedtls_printf( " ok\n" );
+ mbedtls_net_close( &client_fd );
 if( ( ret = mbedtls_ctr_drbg_reseed( &ctr_drbg,
 (const unsigned char *) "parent",
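Review bot: The new header comment `\brief Closes down the connection and free associated data` copies mbedtls_net_free()'s wording but describes the wrong behaviour: the implementation in the library hunk only close()s the descriptor and resets `ctx->fd`, with no shutdown() and nothing freed, so for any other process that inherited the socket (the fork() case this patch is for) the connection stays fully alive. That difference from mbedtls_net_free() is the reason the function exists and is what a caller needs to know before choosing one over the other. Suggest `\brief Close this process's socket descriptor without shutting down the connection; unlike mbedtls_net_free(), the peer connection stays open for other processes sharing the socket (e.g. after fork()).` and the same rationale in place of `/* Close the connection */` in net_sockets.c.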
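Review bot: The result of `close( ctx->fd );` in mbedtls_net_close() is discarded and `ctx->fd = -1;` is set unconditionally; the function is void, so a failing close() (EINTR, or EIO on some filesystems) has no way of being reported, which is a deliberate trade-off worth stating in a comment such as `/* close() result deliberately ignored: the API has no error channel, and on Linux the descriptor is released even when close() fails */`. On the Windows build this call presumably relies on `close` being mapped to closesocket() earlier in this file, as the existing mbedtls_net_free() path would — that mapping is outside the hunk, so worth confirming it also covers this new call.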
@@ -266,7 +267,7 @@ int main( void )
 continue;
 }
- mbedtls_net_init( &listen_fd );
+ mbedtls_net_close( &listen_fd );
 pid = getpid();
From 52bc1947ffd76a4c937f597c63f5eb4b00e13e69 Mon Sep 17 00:00:00 2001
From: Jaeden Amero
Date: Fri, 23 Aug 2019 10:39:07 +0100
Subject: [PATCH 2/2] Add a ChangeLog entry for mbedtls_net_close()
---
 ChangeLog | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index d84769208e..5510c7de12 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,10 @@ Features
 changed its IP or port. The feature is enabled at compile-time by setting
 MBEDTLS_SSL_DTLS_CONNECTION_ID (disabled by default), and at run-time
 through the new APIs mbedtls_ssl_conf_cid() and mbedtls_ssl_set_cid().
+ * Add mbedtls_net_close(), enabling the building of forking servers where
+ the parent process closes the client socket and continue accepting, and
+ the child process closes the listening socket and handles the client
+ socket. Contributed by Robert Larsen in #2803.
 API Changes
 * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
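Review bot: The child's `mbedtls_net_close( &listen_fd );` needs a why-comment, because the choice of close() over mbedtls_net_free() is the whole point of the line: after fork() the listening socket is shared with the parent, so the child must drop only its own descriptor and not shutdown() the socket, and the replaced `mbedtls_net_init( &listen_fd );` merely forgot the descriptor while leaving it open in the child — which meant every child handling untrusted client traffic kept a handle on the listening socket. Suggest `/* Child: close (not shutdown) the inherited listening socket; the parent keeps accepting on it */`. The same rationale applies to the parent's `mbedtls_net_close( &client_fd );` in the preceding hunk, where a shutdown() would terminate the connection the child is about to serve; a one-line comment there too would stop a future maintainer from "fixing" either call back to mbedtls_net_free(). main() begins and ends outside this hunk.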