mirror of
https://github.com/esp8266/Arduino.git
synced 2025-06-10 14:42:08 +03:00
Allow plain buffer size increase during handshake
This commit is contained in:
Ivan Grokhotkov
parent
3fdea2885d
commit
69c757f2a3
45
ssl/tls1.c
45
ssl/tls1.c
@ -53,7 +53,7 @@ static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len);
|
|||||||
static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt, void* cached);
|
static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt, void* cached);
|
||||||
static int send_raw_packet(SSL *ssl, uint8_t protocol);
|
static int send_raw_packet(SSL *ssl, uint8_t protocol);
|
||||||
static void certificate_free(SSL* ssl);
|
static void certificate_free(SSL* ssl);
|
||||||
static int increase_bm_data_size(SSL *ssl);
|
static int increase_bm_data_size(SSL *ssl, size_t size);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The server will pick the cipher based on the order that the order that the
|
* The server will pick the cipher based on the order that the order that the
|
||||||
@ -285,6 +285,11 @@ EXP_FUNC int STDCALL ssl_write(SSL *ssl, const uint8_t *out_data, int out_len)
|
|||||||
{
|
{
|
||||||
int n = out_len, nw, i, tot = 0;
|
int n = out_len, nw, i, tot = 0;
|
||||||
/* maximum size of a TLS packet is around 16kB, so fragment */
|
/* maximum size of a TLS packet is around 16kB, so fragment */
|
||||||
|
|
||||||
|
if (ssl->can_free_certificates) {
|
||||||
|
certificate_free(ssl);
|
||||||
|
}
|
||||||
|
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
nw = n;
|
nw = n;
|
||||||
@ -545,9 +550,9 @@ SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd)
|
|||||||
ssl->flag = SSL_NEED_RECORD;
|
ssl->flag = SSL_NEED_RECORD;
|
||||||
ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET; /* space at the start */
|
ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET; /* space at the start */
|
||||||
ssl->hs_status = SSL_NOT_OK; /* not connected */
|
ssl->hs_status = SSL_NOT_OK; /* not connected */
|
||||||
ssl->can_increase_data_size = false;
|
|
||||||
#ifdef CONFIG_ENABLE_VERIFICATION
|
#ifdef CONFIG_ENABLE_VERIFICATION
|
||||||
ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx;
|
ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx;
|
||||||
|
ssl->can_free_certificates = false;
|
||||||
#endif
|
#endif
|
||||||
disposable_new(ssl);
|
disposable_new(ssl);
|
||||||
|
|
||||||
@ -1214,6 +1219,10 @@ int basic_read(SSL *ssl, uint8_t **in_data)
|
|||||||
int read_len, is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
|
int read_len, is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
|
||||||
uint8_t *buf = ssl->bm_data;
|
uint8_t *buf = ssl->bm_data;
|
||||||
|
|
||||||
|
if (ssl->can_free_certificates) {
|
||||||
|
certificate_free(ssl);
|
||||||
|
}
|
||||||
|
|
||||||
read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_read_index],
|
read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_read_index],
|
||||||
ssl->need_bytes-ssl->got_bytes);
|
ssl->need_bytes-ssl->got_bytes);
|
||||||
|
|
||||||
@ -1287,16 +1296,8 @@ int basic_read(SSL *ssl, uint8_t **in_data)
|
|||||||
if (ssl->need_bytes > ssl->max_plain_length+RT_EXTRA-BM_RECORD_OFFSET)
|
if (ssl->need_bytes > ssl->max_plain_length+RT_EXTRA-BM_RECORD_OFFSET)
|
||||||
{
|
{
|
||||||
printf("ssl->need_bytes=%d > %d\r\n", ssl->need_bytes, ssl->max_plain_length+RT_EXTRA-BM_RECORD_OFFSET);
|
printf("ssl->need_bytes=%d > %d\r\n", ssl->need_bytes, ssl->max_plain_length+RT_EXTRA-BM_RECORD_OFFSET);
|
||||||
if (ssl->can_increase_data_size)
|
ret = increase_bm_data_size(ssl, ssl->need_bytes + BM_RECORD_OFFSET - RT_EXTRA);
|
||||||
{
|
if (ret != SSL_OK)
|
||||||
ret = increase_bm_data_size(ssl);
|
|
||||||
if (ret != SSL_OK)
|
|
||||||
{
|
|
||||||
ret = SSL_ERROR_INVALID_PROT_MSG;
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
ret = SSL_ERROR_INVALID_PROT_MSG;
|
ret = SSL_ERROR_INVALID_PROT_MSG;
|
||||||
goto error;
|
goto error;
|
||||||
@ -1414,24 +1415,22 @@ error:
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
int increase_bm_data_size(SSL *ssl)
|
int increase_bm_data_size(SSL *ssl, size_t size)
|
||||||
{
|
{
|
||||||
if (!ssl->can_increase_data_size ||
|
if (ssl->max_plain_length == RT_MAX_PLAIN_LENGTH) {
|
||||||
ssl->max_plain_length == RT_MAX_PLAIN_LENGTH) {
|
|
||||||
return SSL_OK;
|
return SSL_OK;
|
||||||
}
|
}
|
||||||
certificate_free(ssl);
|
size_t required = (size + 1023) & ~(1023); // round up to 1k
|
||||||
free(ssl->bm_all_data);
|
required = (required < RT_MAX_PLAIN_LENGTH) ? required : RT_MAX_PLAIN_LENGTH;
|
||||||
ssl->bm_data = 0;
|
uint8_t* new_bm_all_data = (uint8_t*) realloc(ssl->bm_all_data, required + RT_EXTRA);
|
||||||
ssl->bm_all_data = malloc(RT_MAX_PLAIN_LENGTH + RT_EXTRA);
|
if (!new_bm_all_data) {
|
||||||
if (!ssl->bm_all_data) {
|
|
||||||
printf("failed to grow plain buffer\r\n");
|
printf("failed to grow plain buffer\r\n");
|
||||||
ssl->hs_status = SSL_ERROR_DEAD;
|
ssl->hs_status = SSL_ERROR_DEAD;
|
||||||
return SSL_ERROR_CONN_LOST;
|
return SSL_ERROR_CONN_LOST;
|
||||||
}
|
}
|
||||||
ssl->can_increase_data_size = false;
|
ssl->bm_all_data = new_bm_all_data;
|
||||||
ssl->max_plain_length = RT_MAX_PLAIN_LENGTH;
|
|
||||||
ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET;
|
ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET;
|
||||||
|
ssl->max_plain_length = required;
|
||||||
return SSL_OK;
|
return SSL_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1689,6 +1688,7 @@ void disposable_free(SSL *ssl)
|
|||||||
free(ssl->dc);
|
free(ssl->dc);
|
||||||
ssl->dc = NULL;
|
ssl->dc = NULL;
|
||||||
}
|
}
|
||||||
|
ssl->can_free_certificates = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static void certificate_free(SSL* ssl)
|
static void certificate_free(SSL* ssl)
|
||||||
@ -1698,6 +1698,7 @@ static void certificate_free(SSL* ssl)
|
|||||||
x509_free(ssl->x509_ctx);
|
x509_free(ssl->x509_ctx);
|
||||||
ssl->x509_ctx = 0;
|
ssl->x509_ctx = 0;
|
||||||
}
|
}
|
||||||
|
ssl->can_free_certificates = false;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -189,7 +189,7 @@ struct _SSL
|
|||||||
#endif
|
#endif
|
||||||
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
#ifdef CONFIG_SSL_CERT_VERIFICATION
|
||||||
X509_CTX *x509_ctx;
|
X509_CTX *x509_ctx;
|
||||||
bool can_increase_data_size;
|
bool can_free_certificates;
|
||||||
#endif
|
#endif
|
||||||
uint8_t session_id[SSL_SESSION_ID_SIZE];
|
uint8_t session_id[SSL_SESSION_ID_SIZE];
|
||||||
uint8_t client_mac[SHA1_SIZE]; /* for HMAC verification */
|
uint8_t client_mac[SHA1_SIZE]; /* for HMAC verification */
|
||||||
|
|||||||
@ -66,7 +66,7 @@ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
|
|||||||
SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
|
SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
|
||||||
}
|
}
|
||||||
|
|
||||||
if(host_name != NULL && strlen(host_name) > 0 || strlen(host_name) < 255 ) {
|
if(host_name != NULL && strlen(host_name) > 0) {
|
||||||
ssl->host_name = (char *)strdup(host_name);
|
ssl->host_name = (char *)strdup(host_name);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -123,7 +123,6 @@ int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
|
|||||||
|
|
||||||
case HS_FINISHED:
|
case HS_FINISHED:
|
||||||
ret = process_finished(ssl, buf, hs_len);
|
ret = process_finished(ssl, buf, hs_len);
|
||||||
ssl->can_increase_data_size = true;
|
|
||||||
disposable_free(ssl);
|
disposable_free(ssl);
|
||||||
/* note: client renegotiation is not allowed after this */
|
/* note: client renegotiation is not allowed after this */
|
||||||
break;
|
break;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user