Increased TLS queue size, corrected EUI-64 read and added traces

Mika Leppänen · Mika Leppänen · commit e5f162780d71 · 2019-05-16T10:51:19.000+03:00
Increased TLS queue size to three for now (thus disabling it in most
cases). The randomization caused by EAP-TLS initial negotiation
(identity / TLS start) with ongoing EAP-TLS limit of three, should
be enough to limit resources used by TLS calculations on border
router. Previous small TLS queue size resulted that failing TLS
negotiation prevented other nodes to authenticate for a long time.

Corrected null pointer read on border router traces, and added
traces to TLS library failure cases.
diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c
@@ -511,7 +511,7 @@ int8_t sec_prot_lib_gtkhash_generate(uint8_t *gtk, uint8_t *gtk_hash)
 
 uint8_t *sec_prot_remote_eui_64_addr_get(sec_prot_t *prot)
 {
-    if (prot->sec_keys->ptk_eui_64_set) {
+    if (prot->sec_keys && prot->sec_keys->ptk_eui_64_set) {
         return prot->sec_keys->ptk_eui_64;
     } else {
         return NULL;
diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot.c
@@ -472,16 +472,17 @@ static void server_tls_sec_prot_state_machine(sec_prot_t *prot)
             data->library_init = false;
             break;
 
-        case TLS_STATE_FINISHED:
-            tr_debug("TLS: finished, eui-64: %s free %s", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8), data->library_init ? "T" : "F");
+        case TLS_STATE_FINISHED: {
+            uint8_t *remote_eui_64 = sec_prot_remote_eui_64_addr_get(prot);
+            tr_debug("TLS: finished, eui-64: %s free %s", remote_eui_64 ? trace_array(sec_prot_remote_eui_64_addr_get(prot), 8) : "not set", data->library_init ? "T" : "F");
             if (data->library_init) {
                 tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
                 data->library_init = false;
             }
             prot->timer_stop(prot);
             prot->finished(prot);
             break;
-
+        }
         default:
             break;
     }
@@ -597,6 +598,7 @@ static int8_t tls_sec_prot_tls_configure_and_connect(sec_prot_t *prot, bool is_s
     // Must be free if library initialize is done
     data->library_init = true;
     if (tls_sec_prot_lib_init((tls_security_t *)&data->tls_sec_inst) < 0) {
+        tr_error("TLS: library init fail");
         return -1;
     }
 
@@ -605,6 +607,7 @@ static int8_t tls_sec_prot_tls_configure_and_connect(sec_prot_t *prot, bool is_s
                                      tls_sec_prot_tls_set_timer, tls_sec_prot_tls_get_timer);
 
     if (tls_sec_prot_lib_connect((tls_security_t *)&data->tls_sec_inst, is_server, prot->sec_keys->certs) < 0) {
+        tr_error("TLS: library connect fail");
         return -1;
     }
 
@@ -615,30 +618,29 @@ static bool tls_sec_prot_queue_check(sec_prot_t *prot)
 {
     bool queue_add = true;
     bool queue_continue = false;
-    bool first_entry = true;
+    uint8_t entry_index = 0;
 
     // Checks if TLS queue is empty or this instance is the first entry
     if (ns_list_is_empty(&tls_sec_prot_queue)) {
         queue_continue = true;
     } else {
-
         ns_list_foreach(tls_sec_prot_queue_t, entry, &tls_sec_prot_queue) {
             if (entry->prot == prot) {
                 queue_add = false;
-                if (first_entry) {
+                if (entry_index < 3) {
                     queue_continue = true;
                     break;
                 } else {
                     queue_continue = false;
                 }
             }
-            first_entry = false;
+            entry_index++;
         }
     }
 
     // Adds entry to queue if not there already
     if (queue_add) {
-        tr_debug("TLS QUEUE add%s, eui-64: %s", first_entry ? " first" : "", trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
+        tr_debug("TLS QUEUE add index: %i, eui-64: %s", entry_index, trace_array(sec_prot_remote_eui_64_addr_get(prot), 8));
         tls_sec_prot_queue_t *entry = ns_dyn_mem_temporary_alloc(sizeof(tls_sec_prot_queue_t));
         if (entry) {
             entry->prot = prot;
@@ -655,11 +657,15 @@ static bool tls_sec_prot_queue_process(sec_prot_t *prot)
         return true;
     }
 
+    uint8_t entry_index = 0;
     ns_list_foreach(tls_sec_prot_queue_t, entry, &tls_sec_prot_queue) {
         if (entry->prot == prot) {
             return true;
         }
-        return false;
+        if (entry_index > 2) {
+            return false;
+        }
+        entry_index++;
     }
 
     return false;
diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
@@ -126,11 +126,13 @@ int8_t tls_sec_prot_lib_init(tls_security_t *sec)
 
     if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL,
                                    128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) {
+        tr_error("Entropy add fail");
         return -1;
     }
 
     if ((mbedtls_ctr_drbg_seed(&sec->ctr_drbg, mbedtls_entropy_func, &sec->entropy,
                                (const unsigned char *) pers, strlen(pers))) != 0) {
+        tr_error("drbg seed fail");
         return -1;
     }
 
@@ -177,6 +179,7 @@ void tls_sec_prot_lib_free(tls_security_t *sec)
 static int tls_sec_prot_lib_configure_certificates(tls_security_t *sec, const sec_prot_certs_t *certs)
 {
     if (!certs->own_cert_chain.cert[0]) {
+        tr_error("no own cert");
         return -1;
     }
 
@@ -282,6 +285,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
     }
 
     if ((mbedtls_ssl_config_defaults(&sec->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) {
+        tr_error("config defaults fail");
         return -1;
     }
 
@@ -294,6 +298,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
 #endif
 
     if ((mbedtls_ssl_setup(&sec->ssl, &sec->conf)) != 0) {
+        tr_error("ssl setup fail");
         return -1;
     }
 
@@ -303,10 +308,10 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
 
     // Configure certificates, keys and certificate revocation list
     if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) {
+        tr_error("cert conf fail");
         return -1;
     }
 
-
     // Configure ciphersuites
     static const int sec_suites[] = {
         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
@@ -471,6 +476,7 @@ static int tls_sec_lib_entropy_poll(void *ctx, unsigned char *output, size_t len
 
     char *c = (char *)ns_dyn_mem_temporary_alloc(len);
     if (!c) {
+        tr_error("entropy alloca fail");
         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
     }
     memset(c, 0, len);

Original file line number	Diff line number	Diff line change
`@@ -511,7 +511,7 @@ int8_t sec_prot_lib_gtkhash_generate(uint8_t gtk, uint8_t gtk_hash)`
`511`	`511`
`512`	`512`	`uint8_t sec_prot_remote_eui_64_addr_get(sec_prot_t prot)`
`513`	`513`	`{`
`514`		`- if (prot->sec_keys->ptk_eui_64_set) {`
	`514`	`+ if (prot->sec_keys && prot->sec_keys->ptk_eui_64_set) {`
`515`	`515`	`return prot->sec_keys->ptk_eui_64;`
`516`	`516`	`} else {`
`517`	`517`	`return NULL;`
Original file line number	Diff line number	Diff line change
`@@ -126,11 +126,13 @@ int8_t tls_sec_prot_lib_init(tls_security_t *sec)`
`126`	`126`
`127`	`127`	`if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL,`
`128`	`128`	`128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) {`
	`129`	`+ tr_error("Entropy add fail");`
`129`	`130`	`return -1;`
`130`	`131`	`}`
`131`	`132`
`132`	`133`	`if ((mbedtls_ctr_drbg_seed(&sec->ctr_drbg, mbedtls_entropy_func, &sec->entropy,`
`133`	`134`	`(const unsigned char *) pers, strlen(pers))) != 0) {`
	`135`	`+ tr_error("drbg seed fail");`
`134`	`136`	`return -1;`
`135`	`137`	`}`
`136`	`138`
`@@ -177,6 +179,7 @@ void tls_sec_prot_lib_free(tls_security_t *sec)`
`177`	`179`	`static int tls_sec_prot_lib_configure_certificates(tls_security_t sec, const sec_prot_certs_t certs)`
`178`	`180`	`{`
`179`	`181`	`if (!certs->own_cert_chain.cert[0]) {`
	`182`	`+ tr_error("no own cert");`
`180`	`183`	`return -1;`
`181`	`184`	`}`
`182`	`185`
`@@ -282,6 +285,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p`
`282`	`285`	`}`
`283`	`286`
`284`	`287`	`if ((mbedtls_ssl_config_defaults(&sec->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) {`
	`288`	`+ tr_error("config defaults fail");`
`285`	`289`	`return -1;`
`286`	`290`	`}`
`287`	`291`
`@@ -294,6 +298,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p`
`294`	`298`	`#endif`
`295`	`299`
`296`	`300`	`if ((mbedtls_ssl_setup(&sec->ssl, &sec->conf)) != 0) {`
	`301`	`+ tr_error("ssl setup fail");`
`297`	`302`	`return -1;`
`298`	`303`	`}`
`299`	`304`
`@@ -303,10 +308,10 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p`
`303`	`308`
`304`	`309`	`// Configure certificates, keys and certificate revocation list`
`305`	`310`	`if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) {`
	`311`	`+ tr_error("cert conf fail");`
`306`	`312`	`return -1;`
`307`	`313`	`}`
`308`	`314`
`309`		`-`
`310`	`315`	`// Configure ciphersuites`
`311`	`316`	`static const int sec_suites[] = {`
`312`	`317`	`MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,`
`@@ -471,6 +476,7 @@ static int tls_sec_lib_entropy_poll(void ctx, unsigned char output, size_t len`
`471`	`476`
`472`	`477`	`char c = (char )ns_dyn_mem_temporary_alloc(len);`
`473`	`478`	`if (!c) {`
	`479`	`+ tr_error("entropy alloca fail");`
`474`	`480`	`return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;`
`475`	`481`	`}`
`476`	`482`	`memset(c, 0, len);`