Merge branch 'mbedtls_ssl_get_key_exchange_md_ssl_tls-return_hashlen' into tls_async_server-2.9

Conflict resolution:
* ChangeLog: put the new entry from my branch in the proper place.
* include/mbedtls/error.h: counted high-level module error codes again.
* include/mbedtls/ssl.h: picked different numeric codes for the
  concurrently added errors; made the new error a full sentence per
  current standards.
* library/error.c: ran scripts/generate_errors.pl.
* library/ssl_srv.c:
    * ssl_prepare_server_key_exchange "DHE key exchanges": the conflict
      was due to style corrections in development
      (4cb1f4d49cff999d0c853bc696ad7eea68888c35) which I merged with
      my refactoring.
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case, variable declarations: merged line
      by line:
        * dig_signed_len: added in async
        * signature_len: removed in async
        * hashlen: type changed to size_t in development
        * hash: size changed to MBEDTLS_MD_MAX_SIZE in async
        * ret: added in async
    * ssl_prepare_server_key_exchange "For key exchanges involving the
      server signing", first case comment: the conflict was due to style
      corrections in development (4cb1f4d49cff999d0c853bc696ad7eea68888c35)
      which I merged with my comment changes made as part of refactoring
      the function.
    * ssl_prepare_server_key_exchange "Compute the hash to be signed" if
      `md_alg != MBEDTLS_MD_NONE`: conflict between
      ebd652fe2dfc2c82d774bfd334398279d9027492
      "ssl_write_server_key_exchange: calculate hashlen explicitly" and
      46f5a3e9b4d5db3cacfe2ba33480a27317c62d46 "Check return codes from
      MD in ssl code". I took the code from commit
      ca1d74290439ec9e2723a911657fd96aa320e219 made on top of development
      which makes mbedtls_ssl_get_key_exchange_md_ssl_tls return the
      hash length.
* programs/ssl/ssl_server2.c: multiple conflicts between the introduction
  of MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and new auxiliary functions and
  definitions for async support, and the introduction of idle().
    * definitions before main: concurrent additions, kept both.
    * main, just after `handshake:`: in the loop around
      mbedtls_ssl_handshake(), merge the addition of support for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS and SSL_ASYNC_INJECT_ERROR_CANCEL
      with the addition of the idle() call.
    * main, if `opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM`: take the
      code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS.
    * main, loop around mbedtls_ssl_read() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
    * main, loop around mbedtls_ssl_write() in the datagram case:
      take the code from development and add a check for
      MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS; revert to a do...while loop.
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 8e2feb1..5d8969d 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -73,6 +73,7 @@
 #define DFL_REQUEST_SIZE        -1
 #define DFL_DEBUG_LEVEL         0
 #define DFL_NBIO                0
+#define DFL_EVENT               0
 #define DFL_READ_TIMEOUT        0
 #define DFL_MAX_RESEND          0
 #define DFL_CA_FILE             ""
@@ -245,24 +246,26 @@
     "    server_addr=%%s      default: given by name\n"     \
     "    server_port=%%d      default: 4433\n"              \
     "    request_page=%%s     default: \".\"\n"             \
-    "    request_size=%%d     default: about 34 (basic request)\n"           \
+    "    request_size=%%d     default: about 34 (basic request)\n" \
     "                        (minimum: 0, max: " MAX_REQUEST_SIZE_STR " )\n" \
-    "    debug_level=%%d      default: 0 (disabled)\n"      \
-    "    nbio=%%d             default: 0 (blocking I/O)\n"  \
-    "                        options: 1 (non-blocking), 2 (added delays)\n" \
-    "    read_timeout=%%d     default: 0 ms (no timeout)\n"    \
+    "    debug_level=%%d      default: 0 (disabled)\n"             \
+    "    nbio=%%d             default: 0 (blocking I/O)\n"         \
+    "                        options: 1 (non-blocking), 2 (added delays)\n"   \
+    "    event=%%d            default: 0 (loop)\n"                            \
+    "                        options: 1 (level-triggered, implies nbio=1),\n" \
+    "    read_timeout=%%d     default: 0 ms (no timeout)\n"        \
     "    max_resend=%%d       default: 0 (no resend on timeout)\n" \
     "\n"                                                    \
     USAGE_DTLS                                              \
     "\n"                                                    \
-    "    auth_mode=%%s        default: (library default: none)\n"      \
+    "    auth_mode=%%s        default: (library default: none)\n" \
     "                        options: none, optional, required\n" \
     USAGE_IO                                                \
     "\n"                                                    \
     USAGE_PSK                                               \
     USAGE_ECJPAKE                                           \
     "\n"                                                    \
-    "    allow_legacy=%%d     default: (library default: no)\n"      \
+    "    allow_legacy=%%d     default: (library default: no)\n"   \
     USAGE_RENEGO                                            \
     "    exchanges=%%d        default: 1\n"                 \
     "    reconnect=%%d        default: 0 (disabled)\n"      \
@@ -302,7 +305,8 @@
     const char *server_port;    /* port on which the ssl service runs       */
     int debug_level;            /* level of debugging                       */
     int nbio;                   /* should I/O be blocking?                  */
-    uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds    */
+    int event;                  /* loop or event-driven IO? level or edge triggered? */
+    uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds     */
     int max_resend;             /* DTLS times to resend on read timeout     */
     const char *request_page;   /* page on server to request                */
     int request_size;           /* pad request with header to requested size */
@@ -353,7 +357,8 @@
         if( *p == '/' || *p == '\\' )
             basename = p + 1;
 
-    mbedtls_fprintf( (FILE *) ctx, "%s:%04d: |%d| %s", basename, line, level, str );
+    mbedtls_fprintf( (FILE *) ctx, "%s:%04d: |%d| %s",
+                     basename, line, level, str );
     fflush(  (FILE *) ctx  );
 }
 
@@ -399,7 +404,8 @@
 /*
  * Enabled if debug_level > 1 in code below
  */
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt,
+                      int depth, uint32_t *flags )
 {
     char buf[1024];
     ((void) data);
@@ -436,6 +442,57 @@
 };
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
+/*
+ * Wait for an event from the underlying transport or the timer
+ * (Used in event-driven IO mode).
+ */
+#if !defined(MBEDTLS_TIMING_C)
+int idle( mbedtls_net_context *fd,
+          int idle_reason )
+#else
+int idle( mbedtls_net_context *fd,
+          mbedtls_timing_delay_context *timer,
+          int idle_reason )
+#endif
+{
+
+    int ret;
+    int poll_type = 0;
+
+    if( idle_reason == MBEDTLS_ERR_SSL_WANT_WRITE )
+        poll_type = MBEDTLS_NET_POLL_WRITE;
+    else if( idle_reason == MBEDTLS_ERR_SSL_WANT_READ )
+        poll_type = MBEDTLS_NET_POLL_READ;
+#if !defined(MBEDTLS_TIMING_C)
+    else
+        return( 0 );
+#endif
+
+    while( 1 )
+    {
+        /* Check if timer has expired */
+#if defined(MBEDTLS_TIMING_C)
+        if( timer != NULL &&
+            mbedtls_timing_get_delay( timer ) == 2 )
+        {
+            break;
+        }
+#endif /* MBEDTLS_TIMING_C */
+
+        /* Check if underlying transport became available */
+        if( poll_type != 0 )
+        {
+            ret = mbedtls_net_poll( fd, poll_type, 0 );
+            if( ret < 0 )
+                return( ret );
+            if( ret == poll_type )
+                break;
+        }
+    }
+
+    return( 0 );
+}
+
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, tail_len, i, written, frags, retry_left;
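Review bot: When MBEDTLS_TIMING_C is defined, idle() has no exit if `idle_reason` is neither MBEDTLS_ERR_SSL_WANT_READ nor MBEDTLS_ERR_SSL_WANT_WRITE: `poll_type` stays 0, so the `while( 1 )` loop can only leave through the timer branch, which is skipped when `timer` is NULL and never taken if the delay never reports 2. The client call sites visible in this diff pass only the two WANT_* codes, so this is latent here, but the commit message mentions MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS on the server side, so a guard before the loop in the timing build is worth adding, e.g. `if( poll_type == 0 && timer == NULL ) return( 0 );`. Separately, `mbedtls_net_poll( fd, poll_type, 0 )` returns immediately, so the wait is a busy loop that holds a core until the socket is ready; a small non-zero timeout would avoid that while still letting the timer be re-checked. The function also has no prior prototype and appears to be used only inside this program, so `static int idle(` would fit better.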
@@ -521,6 +578,7 @@
     opt.server_port         = DFL_SERVER_PORT;
     opt.debug_level         = DFL_DEBUG_LEVEL;
     opt.nbio                = DFL_NBIO;
+    opt.event               = DFL_EVENT;
     opt.read_timeout        = DFL_READ_TIMEOUT;
     opt.max_resend          = DFL_MAX_RESEND;
     opt.request_page        = DFL_REQUEST_PAGE;
@@ -594,6 +652,12 @@
             if( opt.nbio < 0 || opt.nbio > 2 )
                 goto usage;
         }
+        else if( strcmp( p, "event" ) == 0 )
+        {
+            opt.event = atoi( q );
+            if( opt.event < 0 || opt.event > 2 )
+                goto usage;
+        }
         else if( strcmp( p, "read_timeout" ) == 0 )
             opt.read_timeout = atoi( q );
         else if( strcmp( p, "max_resend" ) == 0 )
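Review bot: The range check `opt.event > 2` admits `event=2`, but every call site visible in this diff tests `opt.event == 1` only, and the usage text added earlier (and its twin in ssl_server2.c) documents only option 1 and ends on a dangling comma. As far as the visible code shows, `event=2` is therefore accepted and silently behaves like `event=0`. Either reject it with `if( opt.event < 0 || opt.event > 1 )` or document what 2 selects and complete the usage line. `atoi( q )` also turns non-numeric input into 0 without complaint, which matches the neighbouring options but hides typos. The option-parsing chain starts and continues outside the hunk.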
@@ -638,16 +702,23 @@
         }
         else if( strcmp( p, "renegotiation" ) == 0 )
         {
-            opt.renegotiation = (atoi( q )) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED :
-                                              MBEDTLS_SSL_RENEGOTIATION_DISABLED;
+            opt.renegotiation = (atoi( q )) ?
+                MBEDTLS_SSL_RENEGOTIATION_ENABLED :
+                MBEDTLS_SSL_RENEGOTIATION_DISABLED;
         }
         else if( strcmp( p, "allow_legacy" ) == 0 )
         {
             switch( atoi( q ) )
             {
-                case -1: opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE; break;
-                case 0:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; break;
-                case 1:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION; break;
+                case -1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE;
+                    break;
+                case 0:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
+                    break;
+                case 1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION;
+                    break;
                 default: goto usage;
             }
         }
@@ -704,8 +775,12 @@
         {
             switch( atoi( q ) )
             {
-                case 0: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED; break;
-                case 1: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; break;
+                case 0:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED;
+                    break;
+                case 1:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+                    break;
                 default: goto usage;
             }
         }
@@ -864,6 +939,15 @@
             goto usage;
     }
 
+    /* Event-driven IO is incompatible with the above custom
+     * receive and send functions, as the polling builds on
+     * refers to the underlying net_context. */
+    if( opt.event == 1 && opt.nbio != 1 )
+    {
+        mbedtls_printf( "Warning: event-driven IO mandates nbio=1 - overwrite\n" );
+        opt.nbio = 1;
+    }
+
 #if defined(MBEDTLS_DEBUG_C)
     mbedtls_debug_set_threshold( opt.debug_level );
 #endif
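Review bot: The added comment is hard to read at "as the polling builds on refers to the underlying net_context"; two phrasings seem to have been merged. Suggested wording: `/* Event-driven IO is incompatible with the custom receive and send functions above, as the polling relies on the underlying net_context. */`. The surrounding code of main lies outside the hunk, so which functions "above" refers to cannot be confirmed from here; presumably they are the ones installed for `nbio == 2`.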
@@ -871,19 +955,20 @@
     if( opt.force_ciphersuite[0] > 0 )
     {
         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
+        ciphersuite_info =
+            mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
 
         if( opt.max_version != -1 &&
             ciphersuite_info->min_minor_ver > opt.max_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
         if( opt.min_version != -1 &&
             ciphersuite_info->max_minor_ver < opt.min_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
@@ -909,7 +994,7 @@
         {
             if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
             {
-                mbedtls_printf("forced RC4 ciphersuite with RC4 disabled\n");
+                mbedtls_printf( "forced RC4 ciphersuite with RC4 disabled\n" );
                 ret = 2;
                 goto usage;
             }
@@ -929,7 +1014,7 @@
 
         if( strlen( opt.psk ) % 2 != 0 )
         {
-            mbedtls_printf("pre-shared key not valid hex\n");
+            mbedtls_printf( "pre-shared key not valid hex\n" );
             goto exit;
         }
 
@@ -946,7 +1031,7 @@
                 c -= 'A' - 10;
             else
             {
-                mbedtls_printf("pre-shared key not valid hex\n");
+                mbedtls_printf( "pre-shared key not valid hex\n" );
                 goto exit;
             }
             psk[ j / 2 ] = c << 4;
@@ -960,7 +1045,7 @@
                 c -= 'A' - 10;
             else
             {
-                mbedtls_printf("pre-shared key not valid hex\n");
+                mbedtls_printf( "pre-shared key not valid hex\n" );
                 goto exit;
             }
             psk[ j / 2 ] |= c;
@@ -1051,11 +1136,12 @@
     fflush( stdout );
 
     mbedtls_entropy_init( &entropy );
-    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
-                               (const unsigned char *) pers,
-                               strlen( pers ) ) ) != 0 )
+    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+                                       &entropy, (const unsigned char *) pers,
+                                       strlen( pers ) ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+                        -ret );
         goto exit;
     }
 
@@ -1093,12 +1179,13 @@
 #else
     {
         ret = 1;
-        mbedtls_printf("MBEDTLS_CERTS_C not defined.");
+        mbedtls_printf( "MBEDTLS_CERTS_C not defined." );
     }
 #endif
     if( ret < 0 )
     {
-        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1121,7 +1208,8 @@
     else
 #endif
 #if defined(MBEDTLS_CERTS_C)
-        ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
+        ret = mbedtls_x509_crt_parse( &clicert,
+                (const unsigned char *) mbedtls_test_cli_crt,
                 mbedtls_test_cli_crt_len );
 #else
     {
@@ -1131,7 +1219,8 @@
 #endif
     if( ret != 0 )
     {
-        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1144,7 +1233,8 @@
     else
 #endif
 #if defined(MBEDTLS_CERTS_C)
-        ret = mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_cli_key,
+        ret = mbedtls_pk_parse_key( &pkey,
+                (const unsigned char *) mbedtls_test_cli_key,
                 mbedtls_test_cli_key_len, NULL, 0 );
 #else
     {
@@ -1154,7 +1244,8 @@
 #endif
     if( ret != 0 )
     {
-        mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1172,11 +1263,13 @@
             opt.server_addr, opt.server_port );
     fflush( stdout );
 
-    if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port,
-                             opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
-                             MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
+    if( ( ret = mbedtls_net_connect( &server_fd,
+                       opt.server_addr, opt.server_port,
+                       opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
+                       MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1186,7 +1279,8 @@
         ret = mbedtls_net_set_block( &server_fd );
     if( ret != 0 )
     {
-        mbedtls_printf( " failed\n  ! net_set_(non)block() returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! net_set_(non)block() returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1203,7 +1297,8 @@
                     opt.transport,
                     MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
@@ -1226,13 +1321,15 @@
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
     if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX )
-        mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );
+        mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min,
+                                            opt.hs_to_max );
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
     if( ( ret = mbedtls_ssl_conf_max_frag_len( &conf, opt.mfl_code ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_max_frag_len returned %d\n\n",
+                        ret );
         goto exit;
     }
 #endif
@@ -1255,8 +1352,8 @@
 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
     if( opt.recsplit != DFL_RECSPLIT )
         mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit
-                                    ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
-                                    : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
+                                  ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
+                                  : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
 #endif
 
 #if defined(MBEDTLS_DHM_C)
@@ -1268,7 +1365,8 @@
     if( opt.alpn_string != NULL )
         if( ( ret = mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n",
+                            ret );
             goto exit;
         }
 #endif
@@ -1307,7 +1405,8 @@
     {
         if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n",
+                            ret );
             goto exit;
         }
     }
@@ -1326,16 +1425,19 @@
                              (const unsigned char *) opt.psk_identity,
                              strlen( opt.psk_identity ) ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_psk returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_psk returned %d\n\n",
+                        ret );
         goto exit;
     }
 #endif
 
     if( opt.min_version != DFL_MIN_VERSION )
-        mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
+        mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                      opt.min_version );
 
     if( opt.max_version != DFL_MAX_VERSION )
-        mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
+        mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
+                                      opt.max_version );
 
 #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
     if( opt.fallback != DFL_FALLBACK )
@@ -1344,14 +1446,16 @@
 
     if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n",
+                        -ret );
         goto exit;
     }
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n",
+                        ret );
         goto exit;
     }
 #endif
@@ -1363,7 +1467,8 @@
                         (const unsigned char *) opt.ecjpake_pw,
                                         strlen( opt.ecjpake_pw ) ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n",
+                            ret );
             goto exit;
         }
     }
@@ -1372,7 +1477,8 @@
     if( opt.nbio == 2 )
         mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
     else
-        mbedtls_ssl_set_bio( &ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv,
+        mbedtls_ssl_set_bio( &ssl, &server_fd,
+                             mbedtls_net_send, mbedtls_net_recv,
                              opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL );
 
 #if defined(MBEDTLS_TIMING_C)
@@ -1390,9 +1496,11 @@
 
     while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
     {
-        if( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+        if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+            ret != MBEDTLS_ERR_SSL_WANT_WRITE )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n",
+                            -ret );
             if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
                 mbedtls_printf(
                     "    Unable to verify the server's certificate. "
@@ -1404,10 +1512,23 @@
             mbedtls_printf( "\n" );
             goto exit;
         }
+
+        /* For event-driven IO, wait for socket to become available */
+        if( opt.event == 1 /* level triggered IO */ )
+        {
+#if defined(MBEDTLS_TIMING_C)
+            ret = idle( &server_fd, &timer, ret );
+#else
+            ret = idle( &server_fd, ret );
+#endif
+            if( ret != 0 )
+                goto exit;
+        }
     }
 
     mbedtls_printf( " ok\n    [ Protocol is %s ]\n    [ Ciphersuite is %s ]\n",
-            mbedtls_ssl_get_version( &ssl ), mbedtls_ssl_get_ciphersuite( &ssl ) );
+                    mbedtls_ssl_get_version( &ssl ),
+                    mbedtls_ssl_get_ciphersuite( &ssl ) );
 
     if( ( ret = mbedtls_ssl_get_record_expansion( &ssl ) ) >= 0 )
         mbedtls_printf( "    [ Record expansion is %d ]\n", ret );
@@ -1435,7 +1556,8 @@
 
         if( ( ret = mbedtls_ssl_get_session( &ssl, &saved_session ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_get_session returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_get_session returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
@@ -1454,7 +1576,8 @@
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ),
+                                      "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
     }
@@ -1484,9 +1607,21 @@
             if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
                 ret != MBEDTLS_ERR_SSL_WANT_WRITE )
             {
-                mbedtls_printf( " failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
+                mbedtls_printf( " failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n",
+                                ret );
                 goto exit;
             }
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
+
         }
         mbedtls_printf( " ok\n" );
     }
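Review bot: The return value of idle() is discarded in this renegotiation loop, so a negative result from mbedtls_net_poll() is dropped and the loop just calls mbedtls_ssl_renegotiate() again. The first handshake loop handles it with `ret = idle( ... ); if( ret != 0 ) goto exit;`, but the same check is missing in the stream and datagram write loops, both read loops and the reconnect handshake loop in the later hunks. Applying the same pattern at each site stops a persistent poll failure from becoming an unbounded retry and keeps the error code visible at exit. The enclosing loop starts outside the hunk.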
@@ -1530,27 +1665,54 @@
     {
         for( written = 0, frags = 0; written < len; written += ret, frags++ )
         {
-            while( ( ret = mbedtls_ssl_write( &ssl, buf + written, len - written ) )
-                           <= 0 )
+            while( ( ret = mbedtls_ssl_write( &ssl, buf + written,
+                                              len - written ) ) <= 0 )
             {
                 if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
                     ret != MBEDTLS_ERR_SSL_WANT_WRITE )
                 {
-                    mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned -0x%x\n\n", -ret );
+                    mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned -0x%x\n\n",
+                                    -ret );
                     goto exit;
                 }
+
+                /* For event-driven IO, wait for socket to become available */
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &server_fd, &timer, ret );
+#else
+                    idle( &server_fd, ret );
+#endif
+                }
             }
         }
     }
     else /* Not stream, so datagram */
     {
-        do ret = mbedtls_ssl_write( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+        while( 1 )
+        {
+            ret = mbedtls_ssl_write( &ssl, buf, len );
+
+            if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                break;
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
+        }
 
         if( ret < 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n",
+                            ret );
             goto exit;
         }
 
@@ -1565,7 +1727,8 @@
     }
 
     buf[written] = '\0';
-    mbedtls_printf( " %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf );
+    mbedtls_printf( " %d bytes written in %d fragments\n\n%s\n",
+                    written, frags, (char *) buf );
 
     /*
      * 7. Read the HTTP response
@@ -1586,7 +1749,18 @@
 
             if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
                 ret == MBEDTLS_ERR_SSL_WANT_WRITE )
+            {
+                /* For event-driven IO, wait for socket to become available */
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &server_fd, &timer, ret );
+#else
+                    idle( &server_fd, ret );
+#endif
+                }
                 continue;
+            }
 
             if( ret <= 0 )
             {
@@ -1604,7 +1778,8 @@
                         goto reconnect;
 
                     default:
-                        mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n", -ret );
+                        mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n",
+                                        -ret );
                         goto exit;
                 }
             }
@@ -1628,9 +1803,24 @@
         len = sizeof( buf ) - 1;
         memset( buf, 0, sizeof( buf ) );
 
-        do ret = mbedtls_ssl_read( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE );
+        while( 1 )
+        {
+            ret = mbedtls_ssl_read( &ssl, buf, len );
+
+            if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE )
+                break;
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
+        }
 
         if( ret <= 0 )
         {
@@ -1671,7 +1861,8 @@
 
         if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
@@ -1680,9 +1871,20 @@
             if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
                 ret != MBEDTLS_ERR_SSL_WANT_WRITE )
             {
-                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
+                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n",
+                                -ret );
                 goto exit;
             }
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &server_fd, &timer, ret );
+#else
+                idle( &server_fd, ret );
+#endif
+            }
         }
 
         mbedtls_printf( " ok\n" );
@@ -1729,21 +1931,25 @@
 
         if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_session_reset returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
         if( ( ret = mbedtls_ssl_set_session( &ssl, &saved_session ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_session returned %d\n\n", ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_session returned %d\n\n",
+                            ret );
             goto exit;
         }
 
-        if( ( ret = mbedtls_net_connect( &server_fd, opt.server_addr, opt.server_port,
-                                 opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
-                                 MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
+        if( ( ret = mbedtls_net_connect( &server_fd,
+                        opt.server_addr, opt.server_port,
+                        opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
+                        MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_net_connect returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
 
@@ -1754,7 +1960,7 @@
         if( ret != 0 )
         {
             mbedtls_printf( " failed\n  ! net_set_(non)block() returned -0x%x\n\n",
-                    -ret );
+                            -ret );
             goto exit;
         }
 
@@ -1763,7 +1969,8 @@
             if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
                 ret != MBEDTLS_ERR_SSL_WANT_WRITE )
             {
-                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", -ret );
+                mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n",
+                                -ret );
                 goto exit;
             }
         }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 2f3908d..02f9633 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -101,6 +101,7 @@
 #define DFL_SERVER_PORT         "4433"
 #define DFL_DEBUG_LEVEL         0
 #define DFL_NBIO                0
+#define DFL_EVENT               0
 #define DFL_READ_TIMEOUT        0
 #define DFL_CA_FILE             ""
 #define DFL_CA_PATH             ""
@@ -347,6 +348,8 @@
     "    debug_level=%%d      default: 0 (disabled)\n"      \
     "    nbio=%%d             default: 0 (blocking I/O)\n"  \
     "                        options: 1 (non-blocking), 2 (added delays)\n" \
+    "    event=%%d            default: 0 (loop)\n"                            \
+    "                        options: 1 (level-triggered, implies nbio=1),\n" \
     "    read_timeout=%%d     default: 0 ms (no timeout)\n"    \
     "\n"                                                    \
     USAGE_DTLS                                              \
@@ -416,6 +419,7 @@
     const char *server_port;    /* port on which the ssl service runs       */
     int debug_level;            /* level of debugging                       */
     int nbio;                   /* should I/O be blocking?                  */
+    int event;                  /* loop or event-driven IO? level or edge triggered? */
     uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds    */
     const char *ca_file;        /* the file with the CA certificate(s)      */
     const char *ca_path;        /* the path with the CA certificate(s) reside */
@@ -1041,6 +1045,56 @@
 }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
 
+/*
+ * Wait for an event from the underlying transport or the timer
+ * (Used in event-driven IO mode).
+ */
+#if !defined(MBEDTLS_TIMING_C)
+int idle( mbedtls_net_context *fd,
+          int idle_reason )
+#else
+int idle( mbedtls_net_context *fd,
+          mbedtls_timing_delay_context *timer,
+          int idle_reason )
+#endif
+{
+    int ret;
+    int poll_type = 0;
+
+    if( idle_reason == MBEDTLS_ERR_SSL_WANT_WRITE )
+        poll_type = MBEDTLS_NET_POLL_WRITE;
+    else if( idle_reason == MBEDTLS_ERR_SSL_WANT_READ )
+        poll_type = MBEDTLS_NET_POLL_READ;
+#if !defined(MBEDTLS_TIMING_C)
+    else
+        return( 0 );
+#endif
+
+    while( 1 )
+    {
+        /* Check if timer has expired */
+#if defined(MBEDTLS_TIMING_C)
+        if( timer != NULL &&
+            mbedtls_timing_get_delay( timer ) == 2 )
+        {
+            break;
+        }
+#endif /* MBEDTLS_TIMING_C */
+
+        /* Check if underlying transport became available */
+        if( poll_type != 0 )
+        {
+            ret = mbedtls_net_poll( fd, poll_type, 0 );
+            if( ret < 0 )
+                return( ret );
+            if( ret == poll_type )
+                break;
+        }
+    }
+
+    return( 0 );
+}
+
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, written, frags, exchanges_left;
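Review bot: idle() can spin without returning when MBEDTLS_TIMING_C is defined and idle_reason is neither WANT_READ nor WANT_WRITE: poll_type stays 0, so the only way out of `while( 1 )` is `mbedtls_timing_get_delay( timer ) == 2`, which presumably never happens if the timer is not armed. The server handshake loop later in this diff passes MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS to idle(), so that path looks reachable. A guard before the loop would bound it, for example `if( poll_type == 0 && ( timer == NULL || mbedtls_timing_get_delay( timer ) < 0 ) ) return( 0 );`. Separately, `mbedtls_net_poll( fd, poll_type, 0 )` inside the loop is a zero-timeout poll, so the wait burns a full core; a small non-zero timeout would avoid that, and idle() could be `static`.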
@@ -1176,6 +1230,7 @@
     opt.server_addr         = DFL_SERVER_ADDR;
     opt.server_port         = DFL_SERVER_PORT;
     opt.debug_level         = DFL_DEBUG_LEVEL;
+    opt.event               = DFL_EVENT;
     opt.nbio                = DFL_NBIO;
     opt.read_timeout        = DFL_READ_TIMEOUT;
     opt.ca_file             = DFL_CA_FILE;
@@ -1258,6 +1313,12 @@
             if( opt.nbio < 0 || opt.nbio > 2 )
                 goto usage;
         }
+        else if( strcmp( p, "event" ) == 0 )
+        {
+            opt.event = atoi( q );
+            if( opt.event < 0 || opt.event > 2 )
+                goto usage;
+        }
         else if( strcmp( p, "read_timeout" ) == 0 )
             opt.read_timeout = atoi( q );
         else if( strcmp( p, "ca_file" ) == 0 )
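Review bot: The range check `opt.event < 0 || opt.event > 2` accepts event=2, but every use of the option in this diff tests `opt.event == 1` and the usage text lists only option 1 (its line ends in a dangling comma), so event=2 silently behaves like event=0. Either reject it with `if( opt.event < 0 || opt.event > 1 )` or document and implement the second mode. atoi() also turns non-numeric input into 0, so a mistyped value is accepted as the default; that matches the neighbouring options, but strtol with an end-pointer check would catch it.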
@@ -1318,16 +1379,23 @@
             opt.version_suites = q;
         else if( strcmp( p, "renegotiation" ) == 0 )
         {
-            opt.renegotiation = (atoi( q )) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED :
-                                              MBEDTLS_SSL_RENEGOTIATION_DISABLED;
+            opt.renegotiation = (atoi( q )) ?
+                MBEDTLS_SSL_RENEGOTIATION_ENABLED :
+                MBEDTLS_SSL_RENEGOTIATION_DISABLED;
         }
         else if( strcmp( p, "allow_legacy" ) == 0 )
         {
             switch( atoi( q ) )
             {
-                case -1: opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE; break;
-                case 0:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION; break;
-                case 1:  opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION; break;
+                case -1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE;
+                    break;
+                case 0:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
+                    break;
+                case 1:
+                    opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION;
+                    break;
                 default: goto usage;
             }
         }
@@ -1484,8 +1552,12 @@
         {
             switch( atoi( q ) )
             {
-                case 0: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED; break;
-                case 1: opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; break;
+                case 0:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED;
+                    break;
+                case 1:
+                    opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
+                    break;
                 default: goto usage;
             }
         }
@@ -1558,6 +1630,15 @@
             goto usage;
     }
 
+    /* Event-driven IO is incompatible with the above custom
+     * receive and send functions, as the polling builds on
+     * refers to the underlying net_context. */
+    if( opt.event == 1 && opt.nbio != 1 )
+    {
+        mbedtls_printf( "Warning: event-driven IO mandates nbio=1 - overwrite\n" );
+        opt.nbio = 1;
+    }
+
 #if defined(MBEDTLS_DEBUG_C)
     mbedtls_debug_set_threshold( opt.debug_level );
 #endif
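Review bot: The comment above the `opt.event == 1 && opt.nbio != 1` check is garbled ("as the polling builds on refers to the underlying net_context") and does not mention that an explicit nbio=2 is overridden as well. Suggested wording, assuming the "custom receive and send functions" are the ones selected by nbio=2: `/* Event-driven IO polls the underlying net_context directly, so it cannot be used with the custom send/receive callbacks; force nbio=1. */`. The warning text could also name the value being replaced, so that a user who asked for nbio=2 sees what changed.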
@@ -1565,19 +1646,20 @@
     if( opt.force_ciphersuite[0] > 0 )
     {
         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
-        ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
+        ciphersuite_info =
+            mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
 
         if( opt.max_version != -1 &&
             ciphersuite_info->min_minor_ver > opt.max_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
         if( opt.min_version != -1 &&
             ciphersuite_info->max_minor_ver < opt.min_version )
         {
-            mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
+            mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
             ret = 2;
             goto usage;
         }
@@ -1756,11 +1838,12 @@
     fflush( stdout );
 
     mbedtls_entropy_init( &entropy );
-    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
-                               (const unsigned char *) pers,
-                               strlen( pers ) ) ) != 0 )
+    if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func,
+                                       &entropy, (const unsigned char *) pers,
+                                       strlen( pers ) ) ) != 0 )
     {
-        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret );
+        mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+                        -ret );
         goto exit;
     }
 
@@ -1857,7 +1940,7 @@
         if( ( ret = mbedtls_pk_parse_keyfile( &pkey2, opt.key_file2, "" ) ) != 0 )
         {
             mbedtls_printf( " failed\n  !  mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n",
-                    -ret );
+                            -ret );
             goto exit;
         }
     }
@@ -1875,8 +1958,7 @@
         strcmp( opt.key_file2, "none" ) != 0 )
     {
 #if !defined(MBEDTLS_CERTS_C)
-        mbedtls_printf( "Not certificated or key provided, and \n"
-                "MBEDTLS_CERTS_C not defined!\n" );
+        mbedtls_printf( "Not certificated or key provided, and \nMBEDTLS_CERTS_C not defined!\n" );
         goto exit;
 #else
 #if defined(MBEDTLS_RSA_C)
@@ -1884,14 +1966,16 @@
                                     (const unsigned char *) mbedtls_test_srv_crt_rsa,
                                     mbedtls_test_srv_crt_rsa_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         if( ( ret = mbedtls_pk_parse_key( &pkey,
                                   (const unsigned char *) mbedtls_test_srv_key_rsa,
                                   mbedtls_test_srv_key_rsa_len, NULL, 0 ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         key_cert_init = 2;
@@ -1901,14 +1985,16 @@
                                     (const unsigned char *) mbedtls_test_srv_crt_ec,
                                     mbedtls_test_srv_crt_ec_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  x509_crt_parse2 returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  x509_crt_parse2 returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         if( ( ret = mbedtls_pk_parse_key( &pkey2,
                                   (const unsigned char *) mbedtls_test_srv_key_ec,
                                   mbedtls_test_srv_key_ec_len, NULL, 0 ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  !  pk_parse_key2 returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  !  pk_parse_key2 returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
         key_cert_init2 = 2;
@@ -2303,8 +2389,10 @@
 #if !defined(_WIN32)
     if( received_sigterm )
     {
-        mbedtls_printf( " interrupted by SIGTERM\n" );
-        ret = 0;
+        mbedtls_printf( " interrupted by SIGTERM (not in net_accept())\n" );
+        if( ret == MBEDTLS_ERR_NET_INVALID_CONTEXT )
+            ret = 0;
+
         goto exit;
     }
 #endif
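Review bot: After this change a SIGTERM gives exit status 0 only when ret is MBEDTLS_ERR_NET_INVALID_CONTEXT (here) or MBEDTLS_ERR_NET_ACCEPT_FAILED (the next hunk); any other value pending when the signal arrives is now reported as a failure. Nothing in either hunk explains why these two codes are the benign ones, and the reason is not visible from here. A comment at each site would help, for example `/* this error is the expected side effect of the signal handler, not a real failure */` if that is indeed the cause. The enclosing function starts outside the hunk.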
@@ -2340,8 +2428,10 @@
 #if !defined(_WIN32)
         if( received_sigterm )
         {
-            mbedtls_printf( " interrupted by signal\n" );
-            ret = 0;
+            mbedtls_printf( " interrupted by SIGTERM (in net_accept())\n" );
+            if( ret == MBEDTLS_ERR_NET_ACCEPT_FAILED )
+                ret = 0;
+
             goto exit;
         }
 #endif
@@ -2368,8 +2458,8 @@
         if( ( ret = mbedtls_ssl_set_client_transport_id( &ssl,
                         client_ip, cliip_len ) ) != 0 )
         {
-            mbedtls_printf( " failed\n  ! "
-                    "mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n", -ret );
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n",
+                            -ret );
             goto exit;
         }
     }
@@ -2397,9 +2487,8 @@
     mbedtls_printf( "  . Performing the SSL/TLS handshake..." );
     fflush( stdout );
 
-    do
+    while( ( ret = mbedtls_ssl_handshake( &ssl ) ) != 0 )
     {
-        ret = mbedtls_ssl_handshake( &ssl );
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
         if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
             ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL )
@@ -2408,10 +2497,24 @@
             break;
         }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
+
+        if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+            ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+            ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+            break;
+
+        /* For event-driven IO, wait for socket to become available */
+        if( opt.event == 1 /* level triggered IO */ )
+        {
+#if defined(MBEDTLS_TIMING_C)
+            ret = idle( &client_fd, &timer, ret );
+#else
+            ret = idle( &client_fd, ret );
+#endif
+            if( ret != 0 )
+                goto reset;
+        }
     }
-    while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-           ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
-           ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
 
     if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
     {
@@ -2523,7 +2626,18 @@
             if( ret == MBEDTLS_ERR_SSL_WANT_READ ||
                 ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
                 ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+            {
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &client_fd, &timer, ret );
+#else
+                    idle( &client_fd, ret );
+#endif
+                }
+
                 continue;
+            }
 
             if( ret <= 0 )
             {
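Review bot: The return value of idle() is discarded here, whereas the handshake loop earlier in this file checks it (`ret = idle( ... ); if( ret != 0 ) goto reset;`). idle() returns the negative mbedtls_net_poll() result on failure, so at this site a failing poll is dropped and the loop simply `continue`s. The same applies to the idle() calls added in the read, renegotiation and write hunks below, and to the one in ssl_client2.c. Suggest treating it consistently, e.g. `if( idle( &client_fd, &timer, ret ) < 0 ) goto reset;` with the matching non-timer variant. The enclosing loop starts outside the hunk.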
@@ -2611,7 +2725,37 @@
         len = sizeof( buf ) - 1;
         memset( buf, 0, sizeof( buf ) );
 
-        do ret = mbedtls_ssl_read( &ssl, buf, len );
+        do
+        {
+            /* Without the call to `mbedtls_ssl_check_pending`, it might
+             * happen that the client sends application data in the same
+             * datagram as the Finished message concluding the handshake.
+             * In this case, the application data would be ready to be
+             * processed while the underlying transport wouldn't signal
+             * any further incoming data.
+             *
+             * See the test 'Event-driven I/O: session-id resume, UDP packing'
+             * in tests/ssl-opt.sh.
+             */
+
+            /* For event-driven IO, wait for socket to become available */
+            if( mbedtls_ssl_check_pending( &ssl ) == 0 &&
+                opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &client_fd, &timer, MBEDTLS_ERR_SSL_WANT_READ );
+#else
+                idle( &client_fd, MBEDTLS_ERR_SSL_WANT_READ );
+#endif
+            }
+
+            ret = mbedtls_ssl_read( &ssl, buf, len );
+
+            /* Note that even if `mbedtls_ssl_check_pending` returns true,
+             * it can happen that the subsequent call to `mbedtls_ssl_read`
+             * returns `MBEDTLS_ERR_SSL_WANT_READ`, because the pending messages
+             * might be discarded (e.g. because they are retransmissions). */
+        }
         while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
                ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
                ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
@@ -2656,6 +2800,16 @@
                 mbedtls_printf( " failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n", ret );
                 goto reset;
             }
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &client_fd, &timer, ret );
+#else
+                idle( &client_fd, ret );
+#endif
+            }
         }
 
         mbedtls_printf( " ok\n" );
@@ -2691,15 +2845,40 @@
                     mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
                     goto reset;
                 }
+
+                /* For event-driven IO, wait for socket to become available */
+                if( opt.event == 1 /* level triggered IO */ )
+                {
+#if defined(MBEDTLS_TIMING_C)
+                    idle( &client_fd, &timer, ret );
+#else
+                    idle( &client_fd, ret );
+#endif
+                }
             }
         }
     }
     else /* Not stream, so datagram */
     {
-        do ret = mbedtls_ssl_write( &ssl, buf, len );
-        while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
-               ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
-               ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS );
+        while( 1 )
+        {
+            ret = mbedtls_ssl_write( &ssl, buf, len );
+
+            if( ret != MBEDTLS_ERR_SSL_WANT_READ &&
+                ret != MBEDTLS_ERR_SSL_WANT_WRITE &&
+                ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS )
+                break;
+
+            /* For event-driven IO, wait for socket to become available */
+            if( opt.event == 1 /* level triggered IO */ )
+            {
+#if defined(MBEDTLS_TIMING_C)
+                idle( &client_fd, &timer, ret );
+#else
+                idle( &client_fd, ret );
+#endif
+            }
+        }
 
         if( ret < 0 )
         {