Merge remote-tracking branch 'origin/development' into development-restricted

* origin/development:
  Fix uninitialized variable in x509_crt
  Add a ChangeLog entry for mbedtls_net_close()
  Added mbedtls_net_close and use it in ssl_fork_server to correctly disassociate the client socket from the parent process and the server socket from the child process.
  Add ChangeLog entry
  fix memory leak in mpi_miller_rabin()
diff --git a/ChangeLog b/ChangeLog
index 8f9523e..e72579d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -25,6 +25,10 @@
verified and significantly faster, but is only supported on x86 platforms
(32-bit and 64-bit) using GCC, Clang or Visual Studio. Contributed by
Christoph Wintersteiger from Microsoft Research.
+ * Add mbedtls_net_close(), enabling the building of forking servers where
+ the parent process closes the client socket and continue accepting, and
+ the child process closes the listening socket and handles the client
+ socket. Contributed by Robert Larsen in #2803.
API Changes
* Add DER-encoded test CRTs to library/certs.c, allowing
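Review bot: the added entry has a verb agreement slip in "the parent process closes the client socket and continue accepting"; it should read "continues accepting". The rest of the entry reads fine and credits the contributor and issue number consistently with the neighbouring entries.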
@@ -67,6 +71,11 @@
* Fix propagation of restart contexts in restartable EC operations.
This could previously lead to segmentation faults in builds using an
address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
+ * Fix memory leak in in mpi_miller_rabin(). Contributed by
+ Jens Wiklander <jens.wiklander@linaro.org> in #2363
+ * Improve code clarity in x509_crt module, removing false-positive
+ uninitialized variable warnings on some recent toolchains (GCC8, etc).
+ Discovered and fixed by Andy Gross (Linaro), #2392.
Changes
* Replace multiple uses of MD2 by SHA-256 in X.509 test suite. Fixes #821.
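Review bot: the first added entry has a doubled word, "Fix memory leak in in mpi_miller_rabin()", and no full stop after "#2363", unlike the x509_crt entry below it, which ends "#2392.". It would also help readers judging exposure if the entry said under what condition the leak occurred, since "memory leak" alone does not tell an integrator whether it is reachable on an error path only or on every call.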
diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h
index df42b45..adb589e 100644
--- a/include/mbedtls/net_sockets.h
+++ b/include/mbedtls/net_sockets.h
@@ -258,6 +258,13 @@
uint32_t timeout );
/**
+ * \brief Closes down the connection and free associated data
+ *
+ * \param ctx The context to close
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx );
+
+/**
* \brief Gracefully shutdown the connection and free associated data
*
* \param ctx The context to free
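Review bot: the brief for mbedtls_net_close(), "Closes down the connection and free associated data", is almost the same wording as the mbedtls_net_free() brief directly below it, so a caller cannot tell from the header which one to use. The implementation in library/net_sockets.c only closes the descriptor and sets fd to -1, so the documentation should say that, and say that it is meant for a process that shares the socket with another process after fork(). Also fix the grammar ("Closes ... and frees", or "Close ... and free" to match the other brief) and state that calling it on a context whose fd is already -1 is a no-op.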
diff --git a/library/net_sockets.c b/library/net_sockets.c
index 5d538bf..c7b358d 100644
--- a/library/net_sockets.c
+++ b/library/net_sockets.c
@@ -652,6 +652,19 @@
}
/*
+ * Close the connection
+ */
+void mbedtls_net_close( mbedtls_net_context *ctx )
+{
+ if( ctx->fd == -1 )
+ return;
+
+ close( ctx->fd );
+
+ ctx->fd = -1;
+}
+
+/*
* Gracefully close the connection
*/
void mbedtls_net_free( mbedtls_net_context *ctx )
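Review bot: in mbedtls_net_close() the result of close( ctx->fd ) is discarded and the function returns void, so a caller cannot learn that the close failed; ctx is also dereferenced without a NULL check. If the void signature is intentional for symmetry with mbedtls_net_free(), say so in the header documentation. The comment "Close the connection" sits next to "Gracefully close the connection" without explaining the difference; a one-line note on what this function leaves out compared with mbedtls_net_free() would prevent a later refactor from merging the two and breaking the fork use case.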
diff --git a/library/x509_crt.c b/library/x509_crt.c
index b2c19db..48f244e 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -2611,15 +2611,13 @@
continue;
}
+ *r_parent = parent;
+ *r_signature_is_good = signature_is_good;
+
break;
}
- if( parent != NULL )
- {
- *r_parent = parent;
- *r_signature_is_good = signature_is_good;
- }
- else
+ if( parent == NULL )
{
*r_parent = fallback_parent;
*r_signature_is_good = fallback_signature_is_good;
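Review bot: after this change *r_parent and *r_signature_is_good are written only just before the break or in the "if( parent == NULL )" fallback, so correctness now rests on the invariant that the loop can leave parent non-NULL only through that break. That invariant is not visible in the hunk and is not stated in a comment; since these outputs decide which certificate is treated as the verified parent, please add a short comment above the fallback block spelling it out (for example, that parent is NULL here exactly when no candidate was accepted in the loop). A test that exercises the fallback path with a non-NULL fallback_parent would guard against a future loop edit that adds another exit.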
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 80407e4..851bc05 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -254,6 +254,7 @@
if( pid != 0 )
{
mbedtls_printf( " ok\n" );
+ mbedtls_net_close( &client_fd );
if( ( ret = mbedtls_ctr_drbg_reseed( &ctr_drbg,
(const unsigned char *) "parent",
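Review bot: the new mbedtls_net_close( &client_fd ) in the "pid != 0" branch has no comment, and in an example program that people copy it is worth one line saying the parent drops its copy of the client socket so that only the child holds the connection. Placing the call before mbedtls_ctr_drbg_reseed() is good, because the descriptor is released even if the reseed fails.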
@@ -266,7 +267,7 @@
continue;
}
- mbedtls_net_init( &listen_fd );
+ mbedtls_net_close( &listen_fd );
pid = getpid();
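Review bot: replacing mbedtls_net_init( &listen_fd ) with mbedtls_net_close( &listen_fd ) fixes the child keeping the inherited listening descriptor open, because mbedtls_net_init() only reset the context and never closed the socket. Please add a comment at this line saying so, and noting why mbedtls_net_close() is used here rather than mbedtls_net_free(), which the header describes as gracefully shutting down the connection. Without that note the call looks interchangeable with mbedtls_net_free() to anyone adapting this sample.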