2

I'm updating an IOT device that's been up and running for several years. TLS is performed using mbedTLS 2.9.0, and the application currently serializes all tasks which require TLS so that only one secured connection is established at a time. The update is adding FTPS to its FTP client, and this requires secure connections for both command and data ports.

Filezilla server 1.4.1 complains "TLS session of data connection not resumed" when attempting to secure the data port. This issue is mentioned in the Stack Overflow support topic "How to establish a FTPS data connection to a FileZilla Server 1.2.0." That topic references Filezilla forum topic "forum.filezilla-project.org/viewtopic.php?t=54027," which states a prior session must be resumed.

In scanning through mbedTls header files I noted functions mbedtls_ssl_set_session() and mbedtls_ssl_get_session() which appear to be relevant. If they are relevant, I added a call to mbedtls_ssl_get_session() prior to starting TLS for the data connection, but that call attempts to free() uninitialized objects in the mbedtls_ssl_context.

Since trustedfirmware.org took over the MbedTls project, the prior forum, documentation, support articles, et.al, have disappeared, and their mailing list is pretty much dead. So, can someone please point me to some doc. describing how this is done - or describe what has to be done?

Thx!!

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254
Fred W
  • 49
  • 2

1 Answers1

1

that call attempts to free() uninitialized objects in the mbedtls_ssl_context

There shouldn't be any uninitialized objects ever. So I guess the problem is that you forgot to initialize the context. Whenever you have an mbedtls_xxx structure, always call the corresponding mbedtls_xxx_init() function before doing anything else.

With two connections and session loading, the code to set up the connections would look something like this.

mbedtls_ssl_config ssl_config;
mbedtls_ssl_config_init(&ssl_config);
mbedtls_ssl_context ssl_context_control, ssl_context_data;
mbedtls_ssl_init(&ssl_context_control);
mbedtls_ssl_init(&ssl_context_data);
int ret;

// prepare ssl_config here

ret = mbedtls_ssl_setup(&ssl_context_control, &ssl_config);
if (ret != 0) goto error;
ret = mbedtls_ssl_setup(&ssl_context_data, &ssl_config);
if (ret != 0) goto error;

if (have_saved_sessions) {
    mbedtls_ssl_session ssl_session_control, ssl_session_data;
    mbedtls_ssl_session_init(&ssl_session_control);
    mbedtls_ssl_session_init(&ssl_session_data);
    ret = mbedtls_ssl_session_load(&ssl_session_control, ...);
    if (ret != 0) goto session_done;
    ret = mbedtls_ssl_session_load(&ssl_session_data, ...);
    if (ret != 0) goto session_done;
    ret = mbedtls_ssl_set_session(&ssl_context_control, &ssl_session_control);
    if (ret != 0) goto session_done;
    ret = mbedtls_ssl_set_session(&ssl_context_data, &ssl_session_data);
    if (ret != 0) goto session_done;

  session_done:
    mbedtls_ssl_session_free(&ssl_session_control);
    mbedtls_ssl_session_free(&ssl_session_data);
    if (ret != 0) goto error;
}

// the contexts are ready for use here

For cleanup, the rule is that each mbedtls_xxx_init() function has a corresponding mbedtls_xxx_free() function. Note that the name free is misleading: these functions clean up the object and free embedded resources (e.g. malloc'ed sub-structures) but they do not free the argument in the sense of heap free(). If you malloc or calloc an mbedtls_xxx structure, you need to call mbedtls_xxx_free() and then call free(). If the mbedtls_xxx structure is on the stack or global, just call mbedtls_xxx_free().

Regarding documentation, the online documentation of Mbed TLS froze at an old version. And even when the version was current, the online documentation is for one specific compile-time configuration with all features enabled. Typeset the documentation for your version and configuration by running make apidoc in the mbedtls source tree. You need Doxygen (a pretty standard documentation typesetting tool, so it may already be available in your development environment).

TLS is performed using mbedTLS 2.9.0

Beware that this is a very old version which has many unfixed security issues. You should upgrade to 2.28.1 (and keep updating through the 2.28.x long-time support series).

Gilles 'SO- stop being evil'
  • 104,111
  • 38
  • 209
  • 254