arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-16 11:21:18 +03:00
Code Activity

Terminate connection if increase_bm_data_size fails

Browse Source 
As suggested in https://github.com/igrr/axtls-8266/issues/2#issuecomment-188544798
This commit is contained in:
Ivan Grokhotkov
2016-02-26 17:53:19 +03:00
parent 96fbb39f21
commit 324c2fdade
3 changed files with 20 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
ssl/tls1.c
View File

@ -53,6 +53,7 @@ static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len);
static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt, void* cached); static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt, void* cached);
static int send_raw_packet(SSL *ssl, uint8_t protocol); static int send_raw_packet(SSL *ssl, uint8_t protocol);
static void certificate_free(SSL* ssl); static void certificate_free(SSL* ssl);
static int increase_bm_data_size(SSL *ssl);
/** /**
* The server will pick the cipher based on the order that the order that the * The server will pick the cipher based on the order that the order that the
@ -258,10 +259,11 @@ EXP_FUNC void STDCALL ssl_free(SSL *ssl)
*/ */
EXP_FUNC int STDCALL ssl_read(SSL *ssl, uint8_t **in_data) EXP_FUNC int STDCALL ssl_read(SSL *ssl, uint8_t **in_data)
{ {
if (ssl->hs_status == SSL_OK) { int ret = increase_bm_data_size(ssl);
certificate_free(ssl); if (ret != SSL_OK) {
return ret;
} }
int ret = basic_read(ssl, in_data); ret = basic_read(ssl, in_data);
/* check for return code so we can send an alert */ /* check for return code so we can send an alert */
if (ret < SSL_OK && ret != SSL_CLOSE_NOTIFY) if (ret < SSL_OK && ret != SSL_CLOSE_NOTIFY)
@ -285,8 +287,9 @@ EXP_FUNC int STDCALL ssl_read(SSL *ssl, uint8_t **in_data)
EXP_FUNC int STDCALL ssl_write(SSL *ssl, const uint8_t *out_data, int out_len) EXP_FUNC int STDCALL ssl_write(SSL *ssl, const uint8_t *out_data, int out_len)
{ {
int n = out_len, nw, i, tot = 0; int n = out_len, nw, i, tot = 0;
if (ssl->hs_status == SSL_OK) { int ret = increase_bm_data_size(ssl);
certificate_free(ssl); if (ret != SSL_OK) {
return ret;
} }
/* maximum size of a TLS packet is around 16kB, so fragment */ /* maximum size of a TLS packet is around 16kB, so fragment */
do do
@ -549,6 +552,7 @@ SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd)
ssl->flag = SSL_NEED_RECORD; ssl->flag = SSL_NEED_RECORD;
ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET; /* space at the start */ ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET; /* space at the start */
ssl->hs_status = SSL_NOT_OK; /* not connected */ ssl->hs_status = SSL_NOT_OK; /* not connected */
ssl->can_increase_data_size = false;
#ifdef CONFIG_ENABLE_VERIFICATION #ifdef CONFIG_ENABLE_VERIFICATION
ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx; ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx;
#endif #endif
@ -1405,21 +1409,25 @@ error:
return ret; return ret;
} }
void increase_bm_data_size(SSL *ssl) int increase_bm_data_size(SSL *ssl)
{ {
if (ssl->max_plain_length == RT_MAX_PLAIN_LENGTH) { if (!ssl->can_increase_data_size ||
return; ssl->max_plain_length == RT_MAX_PLAIN_LENGTH) {
return SSL_OK;
} }
ssl->can_increase_data_size = false;
certificate_free(ssl);
free(ssl->bm_all_data); free(ssl->bm_all_data);
ssl->bm_data = 0; ssl->bm_data = 0;
ssl->bm_all_data = malloc(RT_MAX_PLAIN_LENGTH + RT_EXTRA); ssl->bm_all_data = malloc(RT_MAX_PLAIN_LENGTH + RT_EXTRA);
if (!ssl->bm_all_data) { if (!ssl->bm_all_data) {
printf("failed to grow plain buffer\r\n"); printf("failed to grow plain buffer\r\n");
return; ssl->hs_status == SSL_ERROR_DEAD;
return SSL_ERROR_CONN_LOST;
} }
ssl->max_plain_length = RT_MAX_PLAIN_LENGTH; ssl->max_plain_length = RT_MAX_PLAIN_LENGTH;
ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET; ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET;
return SSL_OK;
} }
/** /**
@ -1686,7 +1694,6 @@ static void certificate_free(SSL* ssl)
ssl->x509_ctx = 0; ssl->x509_ctx = 0;
} }
#endif #endif
increase_bm_data_size(ssl);
} }
#ifndef CONFIG_SSL_SKELETON_MODE /* no session resumption in this mode */ #ifndef CONFIG_SSL_SKELETON_MODE /* no session resumption in this mode */

2
ssl/tls1.h
View File

@ -189,6 +189,7 @@ struct _SSL
#endif #endif
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
X509_CTX *x509_ctx; X509_CTX *x509_ctx;
bool can_increase_data_size;
#endif #endif
uint8_t session_id[SSL_SESSION_ID_SIZE]; uint8_t session_id[SSL_SESSION_ID_SIZE];
uint8_t client_mac[SHA1_SIZE]; /* for HMAC verification */ uint8_t client_mac[SHA1_SIZE]; /* for HMAC verification */
@ -261,7 +262,6 @@ void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx);
#ifdef CONFIG_SSL_ENABLE_CLIENT #ifdef CONFIG_SSL_ENABLE_CLIENT
int do_client_connect(SSL *ssl); int do_client_connect(SSL *ssl);
#endif #endif
void increase_bm_data_size(SSL *ssl);
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok); void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok);

1
ssl/tls1_clnt.c
View File

@ -119,6 +119,7 @@ int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
case HS_FINISHED: case HS_FINISHED:
ret = process_finished(ssl, buf, hs_len); ret = process_finished(ssl, buf, hs_len);
ssl->can_increase_data_size = true;
disposable_free(ssl); disposable_free(ssl);
/* note: client renegotiation is not allowed after this */ /* note: client renegotiation is not allowed after this */
break; break;