Increased TLS queue size, corrected EUI-64 read and added traces

Increased TLS queue size to three for now (thus disabling it in most cases). The randomization caused by EAP-TLS initial negotiation (identity / TLS start) with ongoing EAP-TLS limit of three, should be enough to limit resources used by TLS calculations on border router. Previous small TLS queue size resulted that failing TLS negotiation prevented other nodes to authenticate for a long time. Corrected null pointer read on border router traces, and added traces to TLS library failure cases.
artokin · May 16, 2019 · e5f1627 · e5f1627
1 parent 67bb748
commit e5f1627
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 11 deletions.
diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c
@@ -511,7 +511,7 @@ int8_t sec_prot_lib_gtkhash_generate(uint8_t *gtk, uint8_t *gtk_hash)
 
 uint8_t *sec_prot_remote_eui_64_addr_get(sec_prot_t *prot)
 {
-    if (prot->sec_keys->ptk_eui_64_set) {
+    if (prot->sec_keys && prot->sec_keys->ptk_eui_64_set) {
         return prot->sec_keys->ptk_eui_64;
     } else {
         return NULL;

diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot.c
@@ -472,16 +472,17 @@ static void server_tls_sec_prot_state_machine(sec_prot_t *prot)
             data->library_init = false;
             break;
 
-        case TLS_STATE_FINISHED:
-            tr_debug("TLS: finished, eui-64: %s free %s", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8), data->library_init ? "T" : "F");
+        case TLS_STATE_FINISHED: {
+            uint8_t *remote_eui_64 = sec_prot_remote_eui_64_addr_get(prot);
+            tr_debug("TLS: finished, eui-64: %s free %s", remote_eui_64 ? trace_array(sec_prot_remote_eui_64_addr_get(prot), 8) : "not set", data->library_init ? "T" : "F");
             if (data->library_init) {
                 tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
                 data->library_init = false;
             }
             prot->timer_stop(prot);
             prot->finished(prot);
             break;
-
+        }
         default:
             break;
     }
@@ -597,6 +598,7 @@ static int8_t tls_sec_prot_tls_configure_and_connect(sec_prot_t *prot, bool is_s
     // Must be free if library initialize is done
     data->library_init = true;
     if (tls_sec_prot_lib_init((tls_security_t *)&data->tls_sec_inst) < 0) {
+        tr_error("TLS: library init fail");
         return -1;
     }
 
@@ -605,6 +607,7 @@ static int8_t tls_sec_prot_tls_configure_and_connect(sec_prot_t *prot, bool is_s
                                      tls_sec_prot_tls_set_timer, tls_sec_prot_tls_get_timer);
 
     if (tls_sec_prot_lib_connect((tls_security_t *)&data->tls_sec_inst, is_server, prot->sec_keys->certs) < 0) {
+        tr_error("TLS: library connect fail");
         return -1;
     }
 
@@ -615,30 +618,29 @@ static bool tls_sec_prot_queue_check(sec_prot_t *prot)
 {
     bool queue_add = true;
     bool queue_continue = false;
-    bool first_entry = true;
+    uint8_t entry_index = 0;
 
     // Checks if TLS queue is empty or this instance is the first entry
     if (ns_list_is_empty(&tls_sec_prot_queue)) {
         queue_continue = true;
     } else {
-
         ns_list_foreach(tls_sec_prot_queue_t, entry, &tls_sec_prot_queue) {
             if (entry->prot == prot) {
                 queue_add = false;
-                if (first_entry) {
+                if (entry_index < 3) {
                     queue_continue = true;
                     break;
                 } else {
                     queue_continue = false;
                 }
             }
-            first_entry = false;
+            entry_index++;
         }
     }
 
     // Adds entry to queue if not there already
     if (queue_add) {
-        tr_debug("TLS QUEUE add%s, eui-64: %s", first_entry ? " first" : "", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
+        tr_debug("TLS QUEUE add index: %i, eui-64: %s", entry_index, trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
         tls_sec_prot_queue_t *entry = ns_dyn_mem_temporary_alloc(sizeof(tls_sec_prot_queue_t));
         if (entry) {
             entry->prot = prot;
@@ -655,11 +657,15 @@ static bool tls_sec_prot_queue_process(sec_prot_t *prot)
         return true;
     }
 
+    uint8_t entry_index = 0;
     ns_list_foreach(tls_sec_prot_queue_t, entry, &tls_sec_prot_queue) {
         if (entry->prot == prot) {
             return true;
         }
-        return false;
+        if (entry_index > 2) {
+            return false;
+        }
+        entry_index++;
     }
 
     return false;

diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
@@ -126,11 +126,13 @@ int8_t tls_sec_prot_lib_init(tls_security_t *sec)
 
     if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL,
                                    128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) {
+        tr_error("Entropy add fail");
         return -1;
     }
 
     if ((mbedtls_ctr_drbg_seed(&sec->ctr_drbg, mbedtls_entropy_func, &sec->entropy,
                                (const unsigned char *) pers, strlen(pers))) != 0) {
+        tr_error("drbg seed fail");
         return -1;
     }
 
@@ -177,6 +179,7 @@ void tls_sec_prot_lib_free(tls_security_t *sec)
 static int tls_sec_prot_lib_configure_certificates(tls_security_t *sec, const sec_prot_certs_t *certs)
 {
     if (!certs->own_cert_chain.cert[0]) {
+        tr_error("no own cert");
         return -1;
     }
 
@@ -282,6 +285,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
     }
 
     if ((mbedtls_ssl_config_defaults(&sec->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) {
+        tr_error("config defaults fail");
         return -1;
     }
 
@@ -294,6 +298,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
 #endif
 
     if ((mbedtls_ssl_setup(&sec->ssl, &sec->conf)) != 0) {
+        tr_error("ssl setup fail");
         return -1;
     }
 
@@ -303,10 +308,10 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
 
     // Configure certificates, keys and certificate revocation list
     if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) {
+        tr_error("cert conf fail");
         return -1;
     }
 
-
     // Configure ciphersuites
     static const int sec_suites[] = {
         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
@@ -471,6 +476,7 @@ static int tls_sec_lib_entropy_poll(void *ctx, unsigned char *output, size_t len
 
     char *c = (char *)ns_dyn_mem_temporary_alloc(len);
     if (!c) {
+        tr_error("entropy alloca fail");
         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
     }
     memset(c, 0, len);