Corrected TLS library free on failure cases

Mika Leppänen · Mika Leppänen · commit 798b513679d5 · 2019-03-18T12:04:22.000+02:00
TLS library is now correctly freed in case TLS handshake fails to message retry
failures or if ifdown is called while TLS negotiation.
diff --git a/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/auth_eap_tls_sec_prot.c
@@ -336,12 +336,7 @@ static void auth_eap_tls_sec_prot_init_tls(sec_prot_t *prot)
 
 static void auth_eap_tls_sec_prot_delete_tls(sec_prot_t *prot)
 {
-    eap_tls_sec_prot_int_t *data = eap_tls_sec_prot_get(prot);
-    // If initialized, TLS terminates on its own
-    if (data->tls_prot) {
-        return;
-    }
-
+    // Triggers TLS to terminate if it is not already terminating by its own
     sec_prot_t *tls_prot = prot->type_get(prot, SEC_PROT_TYPE_TLS);
     if (tls_prot) {
         tls_prot->finished_send(tls_prot);
diff --git a/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c b/source/Security/protocols/eap_tls_sec_prot/supp_eap_tls_sec_prot.c
@@ -346,12 +346,7 @@ static void supp_eap_tls_sec_prot_init_tls(sec_prot_t *prot)
 
 static void supp_eap_tls_sec_prot_delete_tls(sec_prot_t *prot)
 {
-    eap_tls_sec_prot_int_t *data = eap_tls_sec_prot_get(prot);
-    // If initialized, TLS terminates on its own
-    if (data->tls_prot) {
-        return;
-    }
-
+    // Triggers TLS to terminate if it is not already terminating by its own
     sec_prot_t *tls_prot = prot->type_get(prot, SEC_PROT_TYPE_TLS);
     if (tls_prot) {
         tls_prot->finished_send(tls_prot);
diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c
@@ -109,9 +109,12 @@ void sec_prot_state_set(sec_prot_t *prot, sec_prot_common_t *data, uint8_t state
             return;
 
         case SEC_STATE_FINISHED:
-            // Wait for timeout
+            // If not already on finished state
+            if (data->state != SEC_STATE_FINISHED) {
+                // Wait for timeout
+                data->ticks = SEC_FINISHED_TIMEOUT;
+            }
             data->trickle_running = false;
-            data->ticks = SEC_FINISHED_TIMEOUT;
 
             // Disables receiving of messages when state machine sets SEC_STATE_FINISHED
             prot->receive_disable(prot);
diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot.c
@@ -63,9 +63,10 @@ typedef struct {
     tls_data_t                    tls_recv;          /**< TLS receive buffer */
     uint32_t                      int_timer;         /**< TLS intermediate timer timeout */
     uint32_t                      fin_timer;         /**< TLS final timer timeout */
-    bool                          timer_running;     /**< TLS timer running */
-    bool                          finished;          /**< TLS finished */
-    bool                          calculating;       /**< TLS is calculating */
+    bool                          timer_running : 1; /**< TLS timer running */
+    bool                          finished : 1;      /**< TLS finished */
+    bool                          calculating : 1;   /**< TLS is calculating */
+    bool                          library_init : 1;  /**< TLS library has been initialized */
     tls_sec_prot_lib_int_t        *tls_sec_inst;     /**< TLS security library storage, SHALL BE THE LAST FIELD */
 } tls_sec_prot_int_t;
 
@@ -149,6 +150,7 @@ static int8_t client_tls_sec_prot_init(sec_prot_t *prot)
     data->fin_timer = 0;
     data->timer_running = false;
     data->calculating = false;
+    data->library_init = false;
     return 0;
 }
 
@@ -176,6 +178,7 @@ static int8_t server_tls_sec_prot_init(sec_prot_t *prot)
     data->fin_timer = 0;
     data->timer_running = false;
     data->calculating = false;
+    data->library_init = false;
     return 0;
 }
 
@@ -184,6 +187,9 @@ static void tls_sec_prot_delete(sec_prot_t *prot)
     tls_sec_prot_int_t *data = tls_sec_prot_get(prot);
     eap_tls_sec_prot_lib_message_free(&data->tls_send);
     eap_tls_sec_prot_lib_message_free(&data->tls_recv);
+    if (data->library_init) {
+        tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
+    }
 }
 
 static void tls_sec_prot_create_request(sec_prot_t *prot, sec_prot_keys_t *sec_keys)
@@ -323,9 +329,14 @@ static void client_tls_sec_prot_state_machine(sec_prot_t *prot)
             sec_prot_state_set(prot, &data->common, TLS_STATE_FINISHED);
 
             tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
+            data->library_init = false;
             break;
 
         case TLS_STATE_FINISHED:
+            if (data->library_init) {
+                tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
+                data->library_init = false;
+            }
             prot->timer_stop(prot);
             prot->finished(prot);
             break;
@@ -418,9 +429,14 @@ static void server_tls_sec_prot_state_machine(sec_prot_t *prot)
             sec_prot_state_set(prot, &data->common, TLS_STATE_FINISHED);
 
             tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
+            data->library_init = false;
             break;
 
         case TLS_STATE_FINISHED:
+            if (data->library_init) {
+                tls_sec_prot_lib_free((tls_security_t *) &data->tls_sec_inst);
+                data->library_init = false;
+            }
             prot->timer_stop(prot);
             prot->finished(prot);
             break;
@@ -537,6 +553,8 @@ static int8_t tls_sec_prot_tls_configure_and_connect(sec_prot_t *prot, bool is_s
 {
     tls_sec_prot_int_t *data = tls_sec_prot_get(prot);
 
+    // Must be free if library initialize is done
+    data->library_init = true;
     if (tls_sec_prot_lib_init((tls_security_t *)&data->tls_sec_inst) < 0) {
         return -1;
     }
diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
@@ -110,6 +110,9 @@ int8_t tls_sec_prot_lib_init(tls_security_t *sec)
     mbedtls_x509_crt_init(&sec->owncert);
     mbedtls_pk_init(&sec->pkey);
 
+    sec->crl = NULL;
+    sec->step = 0;
+
     if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL,
                                    128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) {
         return -1;
@@ -120,9 +123,6 @@ int8_t tls_sec_prot_lib_init(tls_security_t *sec)
         return -1;
     }
 
-    sec->crl = NULL;
-    sec->step = 0;
-
     return 0;
 }
 
