- TLS: fixed memory leak in TLSConfiguration (I6PLLCV-99)

- TLS: configured default TLS 1.3 cipher suites as defined in IEC 62351-3:2023
pull/521/head
Michael Zillgith 1 year ago
parent d5e8382368
commit d309018340

@ -604,6 +604,8 @@ TLSConfiguration_setRenegotiationTime(TLSConfiguration self, int timeInMs)
void void
TLSConfiguration_destroy(TLSConfiguration self) TLSConfiguration_destroy(TLSConfiguration self)
{ {
if (self)
{
if (self->useSessionResumption) if (self->useSessionResumption)
{ {
if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT) if (self->conf.endpoint == MBEDTLS_SSL_IS_CLIENT)
@ -639,7 +641,10 @@ TLSConfiguration_destroy(TLSConfiguration self)
LinkedList_destroy(self->allowedCertificates); LinkedList_destroy(self->allowedCertificates);
GLOBAL_FREEMEM(self->ciphersuites);
GLOBAL_FREEMEM(self); GLOBAL_FREEMEM(self);
}
} }
static void static void
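Review bot: The added `GLOBAL_FREEMEM(self->ciphersuites);` in TLSConfiguration_destroy releases an array that mbedTLS keeps by reference rather than copying, assuming it is handed to `mbedtls_ssl_conf_ciphersuites` elsewhere in the file (not visible here). That makes the lifetime matter: the configuration has to outlive every TLS socket created from it, and the array should be freed only once the mbedTLS config is no longer in use. A comment above the new line, e.g. `/* referenced, not copied, by the mbedTLS config - free only after the config is no longer in use */`, would document this. The same applies to the identical change in the second file's TLSConfiguration_destroy; the function body lies partly outside both hunks.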

@ -364,24 +364,34 @@ TLSConfiguration_create()
if (self->ciphersuites) if (self->ciphersuites)
{ {
self->maxCiphersuites = 20; self->maxCiphersuites = 20;
int cipherIndex = 0;
/* TLS 1.2 cipher suites */
/* mandatory cipher suites by IEC 62351-4:2018 */ /* mandatory cipher suites by IEC 62351-4:2018 */
self->ciphersuites[0] = MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256;
/* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_GCM_SHA256; */ /* weak - not supported? */ /* self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_GCM_SHA256; */ /* weak - not supported? */
self->ciphersuites[1] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256;
self->ciphersuites[2] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
/* recommended cipher suites by IEC 62351-4:2018 */ /* recommended cipher suites by IEC 62351-4:2018 */
/* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_CBC_SHA256; */ /* weak - not supported?*/ /* self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DH_RSA_WITH_AES_128_CBC_SHA256; */ /* weak - not supported?*/
/* self->ciphersuites[1] = MBEDTLS_TLS_DH_RSA_WITH_AES_256_GCM_SHA384; */ /* not supported?*/ /* self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_DH_RSA_WITH_AES_256_GCM_SHA384; */ /* not supported?*/
self->ciphersuites[3] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256;
self->ciphersuites[4] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384;
self->ciphersuites[5] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
/* additional ciphersuites */ /* additional ciphersuites */
self->ciphersuites[6] = MBEDTLS_TLS_RSA_WITH_NULL_SHA256; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_RSA_WITH_NULL_SHA256;
self->ciphersuites[7] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384; self->ciphersuites[cipherIndex++] = MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
/* TLS 1.3 cipher suites */
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_128_GCM_SHA256; /* mandatory according IEC 62351-3:2023 */
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_256_GCM_SHA384; /* mandatory according IEC 62351-3:2023 */
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_CHACHA20_POLY1305_SHA256; /* optional according IEC 62351-3:2023 */
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_128_CCM_SHA256; /* mandatory according IEC 62351-3:2023 */
self->ciphersuites[cipherIndex++] = MBEDTLS_TLS1_3_AES_128_CCM_8_SHA256 ; /* optional according IEC 62351-3:2023 */
} }
} }
@ -610,6 +620,8 @@ TLSConfiguration_setRenegotiationTime(TLSConfiguration self, int timeInMs)
void void
TLSConfiguration_destroy(TLSConfiguration self) TLSConfiguration_destroy(TLSConfiguration self)
{ {
if (self)
{
if (self->useSessionResumption) if (self->useSessionResumption)
{ {
if (mbedtls_ssl_conf_get_endpoint(&(self->conf)) == MBEDTLS_SSL_IS_CLIENT) if (mbedtls_ssl_conf_get_endpoint(&(self->conf)) == MBEDTLS_SSL_IS_CLIENT)
@ -647,12 +659,15 @@ TLSConfiguration_destroy(TLSConfiguration self)
LinkedList_destroy(self->allowedCertificates); LinkedList_destroy(self->allowedCertificates);
GLOBAL_FREEMEM(self->ciphersuites);
psaInitCounter--; psaInitCounter--;
if (psaInitCounter < 1) if (psaInitCounter < 1)
mbedtls_psa_crypto_free(); mbedtls_psa_crypto_free();
GLOBAL_FREEMEM(self); GLOBAL_FREEMEM(self);
}
} }
static void static void
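Review bot: The default list built in TLSConfiguration_create still contains `MBEDTLS_TLS_RSA_WITH_NULL_SHA256`, which authenticates records but does not encrypt them, so a connection that ends up negotiating it has no confidentiality. If it is kept on purpose for an integrity-only profile, a comment on that line such as `/* NULL encryption: integrity only, no confidentiality - remove unless required */` would make the trade-off visible; otherwise it is safer to drop it from the defaults and let applications opt in. The same block now writes 13 entries through `cipherIndex++` into an array sized by `maxCiphersuites = 20` (the allocation is outside the hunk) with no bound check, and `MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` and `MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384` each appear twice and could be listed once. The function body starts outside the hunk.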
