From df13d5c7a6e0e4678075f948499530654ff65d5b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 25 Apr 2018 20:39:48 +0200 Subject: [PATCH] Pass the SSL context to async callbacks When a handshake step starts an asynchronous operation, the application needs to know which SSL connection the operation is for, so that when the operation completes, the application can wake that connection up. Therefore the async start callbacks need to take the SSL context as an argument. It isn't enough to let them set a cookie in the SSL connection, the application needs to be able to find the right SSL connection later. Also pass the SSL context to the other callbacks for consistency. Add a new field to the handshake that the application can use to store a per-connection context. This new field replaces the former context (operation_ctx) that was created by the start function and passed to the resume function. Add a boolean flag to the handshake structure to track whether an asynchronous operation is in progress. This is more robust than relying on the application to set a non-null application context. --- include/mbedtls/ssl.h | 148 ++++++++++++++++++++------------- include/mbedtls/ssl_internal.h | 16 +++- library/ssl_srv.c | 46 +++++----- library/ssl_tls.c | 36 +++++--- programs/ssl/ssl_server2.c | 58 ++++++------- 5 files changed, 179 insertions(+), 125 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index be27b89ca..2dac1da77 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -537,6 +537,22 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx, */ typedef int mbedtls_ssl_get_timer_t( void * ctx ); +/* Defined below */ +typedef struct mbedtls_ssl_session mbedtls_ssl_session; +typedef struct mbedtls_ssl_context mbedtls_ssl_context; +typedef struct mbedtls_ssl_config mbedtls_ssl_config; + +/* Defined in ssl_internal.h */ +typedef struct mbedtls_ssl_transform mbedtls_ssl_transform; +typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params; +typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t; +#if defined(MBEDTLS_X509_CRT_PARSE_C) +typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; +#endif +#if defined(MBEDTLS_SSL_PROTO_DTLS) +typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; +#endif + #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_X509_CRT_PARSE_C) /** @@ -553,22 +569,20 @@ typedef int mbedtls_ssl_get_timer_t( void * ctx ); * this function sends or enqueues a request and does * not wait for the operation to complete. * - * The parameters \c connection_ctx and \c cert are + * The parameters \c ssl and \c cert are * guaranteed to remain valid as long as the SSL * configuration remains valid. On the other hand, this * function must save the contents of \c hash, as the * \c hash buffer is no longer valid when this function * returns. * - * \param connection_ctx Pointer to the connection context set in the - * SSL configuration - * \param p_operation_ctx On success, pointer to the operation context. - * This must be a non-null pointer. Success means - * that an operation was started, and the return - * status is 0 or \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS. - * This pointer will be passed to later calls to the - * resume or cancel function. If the callback fails, - * the value is ignored. + * This function may call mbedtls_ssl_async_set_data() to + * store an operation context for later retrieval + * by the resume callback. + * + * \param config_data The configuration data parameter passed to + * mbedtls_ssl_conf_async_private_cb(). + * \param ssl The SSL connection instance. * \param cert Certificate containing the public key * \param md_alg Hash algorithm * \param hash Buffer containing the hash. This buffer is @@ -586,8 +600,8 @@ typedef int mbedtls_ssl_get_timer_t( void * ctx ); * - Any other error indicates a fatal failure and is * propagated up the call chain. */ -typedef int mbedtls_ssl_async_sign_t( void *connection_ctx, - void **p_operation_ctx, +typedef int mbedtls_ssl_async_sign_t( void *config_data, + mbedtls_ssl_context *ssl, mbedtls_x509_crt *cert, mbedtls_md_type_t md_alg, const unsigned char *hash, @@ -607,22 +621,20 @@ typedef int mbedtls_ssl_async_sign_t( void *connection_ctx, * this function sends or enqueues a request and does * not wait for the operation to complete. * - * The parameters \c connection_ctx and \c cert are + * The parameters \c ssl and \c cert are * guaranteed to remain valid as long as the SSL * configuration remains valid. On the other hand, this * function must save the contents of \c hash, as the * \c hash buffer is no longer valid when this function * returns. * - * \param connection_ctx Pointer to the connection context set in the - * SSL configuration - * \param p_operation_ctx On success, pointer to the operation context. - * This must be a non-null pointer. Success means - * that an operation was started, and the return - * status is 0 or \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS. - * This pointer will be passed to later calls to the - * resume or cancel function. If the callback fails, - * the value is ignored. + * This function may call mbedtls_ssl_async_set_data() to + * store an operation context for later retrieval + * by the resume callback. + * + * \param config_data The configuration data parameter passed to + * mbedtls_ssl_conf_async_private_cb(). + * \param ssl The SSL connection instance. * \param cert Certificate containing the public key * \param input Buffer containing the input ciphertext. This buffer * is no longer valid when the function returns. @@ -639,8 +651,8 @@ typedef int mbedtls_ssl_async_sign_t( void *connection_ctx, * - Any other error indicates a fatal failure and is * propagated up the call chain. */ -typedef int mbedtls_ssl_async_decrypt_t( void *connection_ctx, - void **p_operation_ctx, +typedef int mbedtls_ssl_async_decrypt_t( void *config_data, + mbedtls_ssl_context *ssl, mbedtls_x509_crt *cert, const unsigned char *input, size_t input_len ); @@ -652,13 +664,14 @@ typedef int mbedtls_ssl_async_decrypt_t( void *connection_ctx, * Callback to resume an external operation * started by the \c mbedtls_ssl_async_sign_t callback. * - * \param connection_ctx Pointer to the connection context set in the - * SSL configuration - * \param operation_ctx Pointer to the operation context created by - * the start function. If this callback returns - * any value other than - * \c MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS, it should - * free all resources associated with this context. + * This function may call mbedtls_ssl_async_get_data() to + * retrieve an operation context set by the start callback. + * It may call mbedtls_ssl_async_set_data() to modify this + * context. + * + * \param config_data The configuration data parameter passed to + * mbedtls_ssl_conf_async_private_cb(). + * \param ssl The SSL connection instance. * \param output Buffer containing the output on success * \param output_len On success, number of bytes written to \c output * \param output_size Size of the \c output buffer in bytes @@ -672,8 +685,8 @@ typedef int mbedtls_ssl_async_decrypt_t( void *connection_ctx, * - Any other error means that the operation is aborted. * The SSL handshake is aborted. */ -typedef int mbedtls_ssl_async_resume_t( void *connection_ctx, - void *operation_ctx, +typedef int mbedtls_ssl_async_resume_t( void *config_data, + mbedtls_ssl_context *ssl, unsigned char *output, size_t *output_len, size_t output_size ); @@ -684,32 +697,17 @@ typedef int mbedtls_ssl_async_resume_t( void *connection_ctx, * Callback to cancel an external operation * started by the \c mbedtls_ssl_async_sign_t callback. * - * \param connection_ctx Pointer to the connection context set in the - * SSL configuration - * \param operation_ctx Pointer to the operation context created by - * the start function. The callback should free - * all resources associated with this context. + * This function may call mbedtls_ssl_async_get_data() to + * retrieve an operation context set by the start callback. + * + * \param config_data The configuration data parameter passed to + * mbedtls_ssl_conf_async_private_cb(). + * \param ssl The SSL connection instance. */ -typedef void mbedtls_ssl_async_cancel_t( void *connection_ctx, - void *operation_ctx ); +typedef void mbedtls_ssl_async_cancel_t( void *config_data, + mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -/* Defined below */ -typedef struct mbedtls_ssl_session mbedtls_ssl_session; -typedef struct mbedtls_ssl_context mbedtls_ssl_context; -typedef struct mbedtls_ssl_config mbedtls_ssl_config; - -/* Defined in ssl_internal.h */ -typedef struct mbedtls_ssl_transform mbedtls_ssl_transform; -typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params; -typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t; -#if defined(MBEDTLS_X509_CRT_PARSE_C) -typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; -#endif -#if defined(MBEDTLS_SSL_PROTO_DTLS) -typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item; -#endif - /* * This structure is used for storing current session data. */ @@ -833,7 +831,7 @@ struct mbedtls_ssl_config #endif /* MBEDTLS_X509_CRT_PARSE_C */ mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */ mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */ - void *p_async_connection_ctx; /*!< connection context for asynchronous operation callbacks */ + void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb() and passed to the callbacks. */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) @@ -1505,15 +1503,45 @@ void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf, * \param f_async_cancel Callback to cancel an asynchronous operation. See * the description of \c mbedtls_ssl_async_cancel_t * for more information. - * \param connection_ctx Pointer to the connection context which will be - * passed to the callbacks + * \param config_data A pointer to configuration data which will be + * passed to the callbacks. The library stores and + * passes back this value without dereferencing it. */ void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_config *conf, mbedtls_ssl_async_sign_t *f_async_sign, mbedtls_ssl_async_decrypt_t *f_async_decrypt, mbedtls_ssl_async_resume_t *f_async_resume, mbedtls_ssl_async_cancel_t *f_async_cancel, - void *connection_ctx ); + void *config_data ); + +/** + * \brief Retrieve the asynchronous operation user context. + * + * \note This function may only be called while a handshake + * is in progress. + * + * \param ssl The SSL context to access. + * + * \return The asynchronous operation user context that was last + * set during the current handshake. If mbedtls_ssl_set_data() + * has not been called during the current handshake yet, + * this function returns \c NULL. + */ +void *mbedtls_ssl_async_get_data( mbedtls_ssl_context *ssl ); + +/** + * \brief Retrieve the asynchronous operation user context. + * + * \note This function may only be called while a handshake + * is in progress. + * + * \param ssl The SSL context to access. + * \param ctx The new value of the asynchronous operation user context. + * Call mbedtls_ssl_get_data() later during the same handshake + * to retrieve this value. + */ +void mbedtls_ssl_async_set_data( mbedtls_ssl_context *ssl, + void *ctx ); #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ /** diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 334b5d852..506aff395 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -243,9 +243,6 @@ struct mbedtls_ssl_handshake_params mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - void *p_async_operation_ctx; /*!< asynchronous operation context */ -#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #if defined(MBEDTLS_SSL_PROTO_DTLS) unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ @@ -311,6 +308,19 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) int extended_ms; /*!< use Extended Master Secret? */ #endif + +#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) + int async_in_progress : 1; /*!< an asynchronous operation is in progress */ +#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ + +#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) + /** Asynchronous operation context. This field is meant for use by the + * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, + * mbedtls_ssl_config::f_async_decrypt_start, + * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). + * The library does not use it internally. */ + void *user_async_ctx; +#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ }; /* diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e1dc5a8e9..8bd332cba 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -2841,13 +2841,13 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, { size_t sig_max_len = ( ssl->out_buf + MBEDTLS_SSL_MAX_CONTENT_LEN - ( ssl->out_msg + ssl->out_msglen + 2 ) ); - int ret = ssl->conf->f_async_resume( ssl->conf->p_async_connection_ctx, - ssl->handshake->p_async_operation_ctx, + int ret = ssl->conf->f_async_resume( ssl->conf->p_async_config_data, ssl, ssl->out_msg + ssl->out_msglen + 2, signature_len, sig_max_len ); if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) { - ssl->handshake->p_async_operation_ctx = NULL; + ssl->handshake->async_in_progress = 0; + mbedtls_ssl_async_set_data( ssl, NULL ); } MBEDTLS_SSL_DEBUG_RET( 2, "ssl_resume_server_key_exchange", ret ); return( ret ); @@ -3167,22 +3167,23 @@ curve_matching_done: #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( ssl->conf->f_async_sign_start != NULL ) { - ret = ssl->conf->f_async_sign_start( - ssl->conf->p_async_connection_ctx, - &ssl->handshake->p_async_operation_ctx, - mbedtls_ssl_own_cert( ssl ), - md_alg, hash, hashlen ); + ret = ssl->conf->f_async_sign_start( ssl->conf->p_async_config_data, + ssl, + mbedtls_ssl_own_cert( ssl ), + md_alg, hash, hashlen ); switch( ret ) { case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: /* act as if f_async_sign was null */ break; case 0: + ssl->handshake->async_in_progress = 1; return( ssl_resume_server_key_exchange( ssl, signature_len ) ); case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: + ssl->handshake->async_in_progress = 1; return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); default: - MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign_start", ret ); return( ret ); } } @@ -3251,7 +3252,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_ASYNC_PRIVATE) /* If we have already prepared the message and there is an ongoing signature operation, resume signing. */ - if( ssl->handshake->p_async_operation_ctx != NULL ) + if( ssl->handshake->async_in_progress != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming signature operation" ) ); ret = ssl_resume_server_key_exchange( ssl, &signature_len ); @@ -3385,12 +3386,12 @@ static int ssl_resume_decrypt_pms( mbedtls_ssl_context *ssl, size_t *peer_pmslen, size_t peer_pmssize ) { - int ret = ssl->conf->f_async_resume( ssl->conf->p_async_connection_ctx, - ssl->handshake->p_async_operation_ctx, + int ret = ssl->conf->f_async_resume( ssl->conf->p_async_config_data, ssl, peer_pms, peer_pmslen, peer_pmssize ); if( ret != MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ) { - ssl->handshake->p_async_operation_ctx = NULL; + ssl->handshake->async_in_progress = 0; + mbedtls_ssl_async_set_data( ssl, NULL ); } MBEDTLS_SSL_DEBUG_RET( 2, "ssl_decrypt_encrypted_pms", ret ); return( ret ); @@ -3412,7 +3413,7 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) /* If we have already started decoding the message and there is an ongoing decryption operation, resume signing. */ - if( ssl->handshake->p_async_operation_ctx != NULL ) + if( ssl->handshake->async_in_progress != 0 ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "resuming decryption operation" ) ); return( ssl_resume_decrypt_pms( ssl, @@ -3448,25 +3449,26 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if( ssl->conf->f_async_decrypt_start != NULL ) { - ret = ssl->conf->f_async_decrypt_start( - ssl->conf->p_async_connection_ctx, - &ssl->handshake->p_async_operation_ctx, - mbedtls_ssl_own_cert( ssl ), - p, len ); + ret = ssl->conf->f_async_decrypt_start( ssl->conf->p_async_config_data, + ssl, + mbedtls_ssl_own_cert( ssl ), + p, len ); switch( ret ) { case MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH: /* act as if f_async_decrypt_start was null */ break; case 0: + ssl->handshake->async_in_progress = 1; return( ssl_resume_decrypt_pms( ssl, peer_pms, peer_pmslen, peer_pmssize ) ); case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS: + ssl->handshake->async_in_progress = 1; return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); default: - MBEDTLS_SSL_DEBUG_RET( 1, "f_async_sign", ret ); + MBEDTLS_SSL_DEBUG_RET( 1, "f_async_decrypt_start", ret ); return( ret ); } } @@ -3649,7 +3651,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ) if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) && - ( ssl->handshake->p_async_operation_ctx != NULL ) ) + ( ssl->handshake->async_in_progress != 0 ) ) { /* We've already read a record and there is an asynchronous * operation in progress to decrypt it. So skip reading the @@ -3771,7 +3773,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) { #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - if ( ssl->handshake->p_async_operation_ctx != NULL ) + if ( ssl->handshake->async_in_progress != 0 ) { /* There is an asynchronous operation in progress to * decrypt the encrypted premaster secret, so skip diff --git a/library/ssl_tls.c b/library/ssl_tls.c index aa48b4538..2c6eef8ec 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6485,13 +6485,28 @@ void mbedtls_ssl_conf_async_private_cb( mbedtls_ssl_async_decrypt_t *f_async_decrypt, mbedtls_ssl_async_resume_t *f_async_resume, mbedtls_ssl_async_cancel_t *f_async_cancel, - void *connection_ctx ) + void *async_config_data ) { conf->f_async_sign_start = f_async_sign; conf->f_async_decrypt_start = f_async_decrypt; conf->f_async_resume = f_async_resume; conf->f_async_cancel = f_async_cancel; - conf->p_async_connection_ctx = connection_ctx; + conf->p_async_config_data = async_config_data; +} + +void *mbedtls_ssl_async_get_data( mbedtls_ssl_context *ssl ) +{ + if( ssl->handshake == NULL ) + return( NULL ); + else + return( ssl->handshake->user_async_ctx ); +} + +void mbedtls_ssl_async_set_data( mbedtls_ssl_context *ssl, + void *ctx ) +{ + if( ssl->handshake != NULL ) + ssl->handshake->user_async_ctx = ctx; } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ @@ -7433,6 +7448,14 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) if( handshake == NULL ) return; +#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) + if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 ) + { + ssl->conf->f_async_cancel( ssl->conf->p_async_config_data, ssl ); + handshake->async_in_progress = 0; + } +#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ + #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_1) mbedtls_md5_free( &handshake->fin_md5 ); @@ -7495,15 +7518,6 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ -#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) - if( ssl->conf->f_async_cancel != NULL && - handshake->p_async_operation_ctx != NULL ) - { - ssl->conf->f_async_cancel( ssl->conf->p_async_connection_ctx, - handshake->p_async_operation_ctx ); - } -#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ - #if defined(MBEDTLS_SSL_PROTO_DTLS) mbedtls_free( handshake->verify_cookie ); mbedtls_free( handshake->hs_msg ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index bf25d4e03..9ff735ad8 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -909,15 +909,15 @@ typedef struct unsigned delay; } ssl_async_operation_context_t; -static int ssl_async_start( void *connection_ctx_arg, - void **p_operation_ctx, +static int ssl_async_start( void *config_data_arg, + mbedtls_ssl_context *ssl, mbedtls_x509_crt *cert, const char *op_name, mbedtls_md_type_t md_alg, const unsigned char *input, size_t input_len ) { - ssl_async_key_context_t *key_ctx = connection_ctx_arg; + ssl_async_key_context_t *config_data = config_data_arg; size_t slot; ssl_async_operation_context_t *ctx = NULL; @@ -927,21 +927,21 @@ static int ssl_async_start( void *connection_ctx_arg, mbedtls_printf( "Async %s callback: looking for DN=%s\n", op_name, dn ); } - for( slot = 0; slot < key_ctx->slots_used; slot++ ) + for( slot = 0; slot < config_data->slots_used; slot++ ) { - if( key_ctx->slots[slot].cert == cert ) + if( config_data->slots[slot].cert == cert ) break; } - if( slot == key_ctx->slots_used ) + if( slot == config_data->slots_used ) { mbedtls_printf( "Async %s callback: no key matches this certificate.\n", op_name ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ); } mbedtls_printf( "Async %s callback: using key slot %zd, delay=%u.\n", - op_name, slot, key_ctx->slots[slot].delay ); + op_name, slot, config_data->slots[slot].delay ); - if( key_ctx->inject_error == SSL_ASYNC_INJECT_ERROR_START ) + if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_START ) { mbedtls_printf( "Async %s callback: injected error\n", op_name ); return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); @@ -957,8 +957,8 @@ static int ssl_async_start( void *connection_ctx_arg, ctx->md_alg = md_alg; memcpy( ctx->input, input, input_len ); ctx->input_len = input_len; - ctx->delay = key_ctx->slots[slot].delay; - *p_operation_ctx = ctx; + ctx->delay = config_data->slots[slot].delay; + mbedtls_ssl_async_set_data( ssl, ctx ); if( ctx->delay == 0 ) return( 0 ); @@ -966,42 +966,42 @@ static int ssl_async_start( void *connection_ctx_arg, return( MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ); } -static int ssl_async_sign( void *connection_ctx_arg, - void **p_operation_ctx, +static int ssl_async_sign( void *config_data_arg, + mbedtls_ssl_context *ssl, mbedtls_x509_crt *cert, mbedtls_md_type_t md_alg, const unsigned char *hash, size_t hash_len ) { - return( ssl_async_start( connection_ctx_arg, p_operation_ctx, cert, + return( ssl_async_start( config_data_arg, ssl, cert, "sign", md_alg, hash, hash_len ) ); } -static int ssl_async_decrypt( void *connection_ctx_arg, - void **p_operation_ctx, +static int ssl_async_decrypt( void *config_data_arg, + mbedtls_ssl_context *ssl, mbedtls_x509_crt *cert, const unsigned char *input, size_t input_len ) { - return( ssl_async_start( connection_ctx_arg, p_operation_ctx, cert, + return( ssl_async_start( config_data_arg, ssl, cert, "decrypt", MBEDTLS_MD_NONE, input, input_len ) ); } -static int ssl_async_resume( void *connection_ctx_arg, - void *operation_ctx_arg, +static int ssl_async_resume( void *config_data_arg, + mbedtls_ssl_context *ssl, unsigned char *output, size_t *output_len, size_t output_size ) { - ssl_async_operation_context_t *ctx = operation_ctx_arg; - ssl_async_key_context_t *connection_ctx = connection_ctx_arg; - ssl_async_key_slot_t *key_slot = &connection_ctx->slots[ctx->slot]; + ssl_async_operation_context_t *ctx = mbedtls_ssl_async_get_data( ssl ); + ssl_async_key_context_t *config_data = config_data_arg; + ssl_async_key_slot_t *key_slot = &config_data->slots[ctx->slot]; int ret; const char *op_name; - if( connection_ctx->inject_error == SSL_ASYNC_INJECT_ERROR_RESUME ) + if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_RESUME ) { mbedtls_printf( "Async resume callback: injected error\n" ); return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); @@ -1021,7 +1021,7 @@ static int ssl_async_resume( void *connection_ctx_arg, ret = mbedtls_pk_decrypt( key_slot->pk, ctx->input, ctx->input_len, output, output_len, output_size, - connection_ctx->f_rng, connection_ctx->p_rng ); + config_data->f_rng, config_data->p_rng ); } else { @@ -1030,10 +1030,10 @@ static int ssl_async_resume( void *connection_ctx_arg, ctx->md_alg, ctx->input, ctx->input_len, output, output_len, - connection_ctx->f_rng, connection_ctx->p_rng ); + config_data->f_rng, config_data->p_rng ); } - if( connection_ctx->inject_error == SSL_ASYNC_INJECT_ERROR_PK ) + if( config_data->inject_error == SSL_ASYNC_INJECT_ERROR_PK ) { mbedtls_printf( "Async resume callback: %s done but injected error\n", op_name ); @@ -1046,11 +1046,11 @@ static int ssl_async_resume( void *connection_ctx_arg, return( ret ); } -static void ssl_async_cancel( void *connection_ctx_arg, - void *operation_ctx_arg ) +static void ssl_async_cancel( void *config_data_arg, + mbedtls_ssl_context *ssl ) { - ssl_async_operation_context_t *ctx = operation_ctx_arg; - (void) connection_ctx_arg; + ssl_async_operation_context_t *ctx = mbedtls_ssl_async_get_data( ssl ); + (void) config_data_arg; mbedtls_printf( "Async cancel callback.\n" ); mbedtls_free( ctx ); }