Merge pull request #7298 from lpy4105/issue/6840/add-cache-entry-removal-api

ssl_cache: misc improvements

include/mbedtls/ssl.h

@@ -106,7 +106,8 @@
 /* Error space gap */
 /* Error space gap */
 /* Error space gap */
-/* Error space gap */
+/** Cache entry not found */
+#define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND             -0x7E80
 /** Memory allocation failed */
 #define MBEDTLS_ERR_SSL_ALLOC_FAILED                      -0x7F00
 /** Hardware acceleration function returned with error */

include/mbedtls/ssl_cache.h

@@ -102,6 +102,11 @@ void mbedtls_ssl_cache_init(mbedtls_ssl_cache_context *cache);
  * \param session_id_len  The length of \p session_id in bytes.
  * \param session         The address at which to store the session
  *                        associated with \p session_id, if present.
+ *
+ * \return                \c 0 on success.
+ * \return                #MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND if there is
+ *                        no cache entry with specified session ID found, or
+ *                        any other negative error code for other failures.
  */
 int mbedtls_ssl_cache_get(void *data,
                           unsigned char const *session_id,
@@ -117,6 +122,9 @@ int mbedtls_ssl_cache_get(void *data,
  *                        associated to \p session.
  * \param session_id_len  The length of \p session_id in bytes.
  * \param session         The session to store.
+ *
+ * \return                \c 0 on success.
+ * \return                A negative error code on failure.
  */
 int mbedtls_ssl_cache_set(void *data,
                           unsigned char const *session_id,
@@ -132,9 +140,10 @@ int mbedtls_ssl_cache_set(void *data,
  *                        associated to \p session.
  * \param session_id_len  The length of \p session_id in bytes.
  *
- * \return                0: The cache entry for session with provided ID
- *                           is removed or does not exist.
- *                        Otherwise: fail.
+ * \return                \c 0 on success. This indicates the cache entry for
+ *                        the session with provided ID is removed or does not
+ *                        exist.
+ * \return                A negative error code on failure.
  */
 int mbedtls_ssl_cache_remove(void *data,
                              unsigned char const *session_id,

library/ssl_cache.c

@@ -29,6 +29,7 @@
 
 #include "mbedtls/ssl_cache.h"
 #include "ssl_misc.h"
+#include "mbedtls/error.h"
 
 #include <string.h>
 
@@ -50,7 +51,7 @@ static int ssl_cache_find_entry(mbedtls_ssl_cache_context *cache,
                                 size_t session_id_len,
                                 mbedtls_ssl_cache_entry **dst)
 {
-    int ret = 1;
+    int ret = MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND;
 #if defined(MBEDTLS_HAVE_TIME)
     mbedtls_time_t t = mbedtls_time(NULL);
 #endif
@@ -87,7 +88,7 @@ int mbedtls_ssl_cache_get(void *data,
                           size_t session_id_len,
                           mbedtls_ssl_session *session)
 {
-    int ret = 1;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
     mbedtls_ssl_cache_entry *entry;
 
@@ -197,7 +198,7 @@ static int ssl_cache_pick_writing_slot(mbedtls_ssl_cache_context *cache,
         /* Create new entry */
         cur = mbedtls_calloc(1, sizeof(mbedtls_ssl_cache_entry));
         if (cur == NULL) {
-            return 1;
+            return MBEDTLS_ERR_SSL_ALLOC_FAILED;
         }
 
         /* Append to the end of the linked list. */
@@ -218,12 +219,13 @@ static int ssl_cache_pick_writing_slot(mbedtls_ssl_cache_context *cache,
     if (old == NULL) {
         /* This should only happen on an ill-configured cache
          * with max_entries == 0. */
-        return 1;
+        return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
     }
 #else /* MBEDTLS_HAVE_TIME */
     /* Reuse first entry in chain, but move to last place. */
     if (cache->chain == NULL) {
-        return 1;
+        /* This should never happen */
+        return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     }
 
     old = cache->chain;
@@ -259,7 +261,7 @@ int mbedtls_ssl_cache_set(void *data,
                           size_t session_id_len,
                           const mbedtls_ssl_session *session)
 {
-    int ret = 1;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
     mbedtls_ssl_cache_entry *cur;
 
@@ -283,7 +285,6 @@ int mbedtls_ssl_cache_set(void *data,
      * and allocate a sufficiently large buffer. */
     ret = mbedtls_ssl_session_save(session, NULL, 0, &session_serialized_len);
     if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
-        ret = 1;
         goto exit;
     }
 
@@ -303,7 +304,7 @@ int mbedtls_ssl_cache_set(void *data,
     }
 
     if (session_id_len > sizeof(cur->session_id)) {
-        ret = 1;
+        ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
         goto exit;
     }
     cur->session_id_len = session_id_len;
@@ -335,7 +336,7 @@ int mbedtls_ssl_cache_remove(void *data,
                              unsigned char const *session_id,
                              size_t session_id_len)
 {
-    int ret = 1;
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
     mbedtls_ssl_cache_entry *entry;
     mbedtls_ssl_cache_entry *prev;

programs/ssl/ssl_server2.c

@@ -671,7 +671,7 @@ struct options {
 #if defined(MBEDTLS_HAVE_TIME)
     int cache_timeout;          /* expiration delay of session cache entries*/
 #endif
-    int cache_remove;           /* enable / disable cache removement        */
+    int cache_remove;           /* enable / disable cache entry removal     */
     char *sni;                  /* string describing sni information        */
     const char *curves;         /* list of supported elliptic curves        */
     const char *sig_algs;       /* supported TLS 1.3 signature algorithms   */