From 1a662eb928028452cf3660996e96df1ad2b4c0ae Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:05:46 +0100 Subject: [PATCH 01/10] Allow requests of size larger than 16384 in ssl_client2 --- programs/ssl/ssl_client2.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 186e2a07f..390ebae1b 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -60,6 +60,9 @@ int main( void ) #include #include +#define MAX_REQUEST_SIZE 20000 +#define MAX_REQUEST_SIZE_STR "20000" + #define DFL_SERVER_NAME "localhost" #define DFL_SERVER_ADDR NULL #define DFL_SERVER_PORT "4433" @@ -231,8 +234,8 @@ int main( void ) " server_addr=%%s default: given by name\n" \ " server_port=%%d default: 4433\n" \ " request_page=%%s default: \".\"\n" \ - " request_size=%%d default: about 34 (basic request)\n" \ - " (minimum: 0, max: 16384)\n" \ + " request_size=%%d default: about 34 (basic request)\n" \ + " (minimum: 0, max: " MAX_REQUEST_SIZE_STR " )\n" \ " debug_level=%%d default: 0 (disabled)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ @@ -424,7 +427,9 @@ int main( int argc, char *argv[] ) { int ret = 0, len, tail_len, i, written, frags, retry_left; mbedtls_net_context server_fd; - unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1]; + + unsigned char buf[MAX_REQUEST_SIZE + 1]; + #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -588,7 +593,8 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "request_size" ) == 0 ) { opt.request_size = atoi( q ); - if( opt.request_size < 0 || opt.request_size > MBEDTLS_SSL_MAX_CONTENT_LEN ) + if( opt.request_size < 0 || + opt.request_size > MAX_REQUEST_SIZE ) goto usage; } else if( strcmp( p, "ca_file" ) == 0 ) @@ -1465,8 +1471,8 @@ send_request: mbedtls_printf( " > Write to server:" ); fflush( stdout ); - len = mbedtls_snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST, - opt.request_page ); + len = mbedtls_snprintf( (char *) buf, sizeof( buf ) - 1, GET_REQUEST, + opt.request_page ); tail_len = (int) strlen( GET_REQUEST_END ); /* Add padding to GET request to reach opt.request_size in length */ @@ -1477,7 +1483,7 @@ send_request: len += opt.request_size - len - tail_len; } - strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 ); + strncpy( (char *) buf + len, GET_REQUEST_END, sizeof( buf ) - len - 1 ); len += tail_len; /* Truncate if request size is smaller than the "natural" size */ @@ -1521,6 +1527,12 @@ send_request: frags = 1; written = ret; + + if( written < len ) + { + mbedtls_printf( " warning\n ! request didn't fit into single datagram and " + "was truncated to size %u", (unsigned) written ); + } } buf[written] = '\0'; From 0560778fb08e05fc62149ba0614388d8aeb035e0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:00:34 +0100 Subject: [PATCH 02/10] Add missing test-dependencies for MBEDTLS_SSL_MAX_FRAGMENT_LENGTH The tests for the maximum fragment length extension were lacking a dependency on MBEDTLS_SSL_MAX_FRAGMENT_LENGTH being set in the config. --- tests/ssl-opt.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d8f0fd720..46e05dbe4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1219,6 +1219,7 @@ run_test "Session resume using cache: openssl server" \ # Tests for Max Fragment Length extension run_test "Max fragment length: not used, reference" \ +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ @@ -1229,6 +1230,7 @@ run_test "Max fragment length: not used, reference" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -1240,6 +1242,7 @@ run_test "Max fragment length: used by client" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ @@ -1251,6 +1254,7 @@ run_test "Max fragment length: used by server" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ "$G_SRV" \ @@ -1260,6 +1264,7 @@ run_test "Max fragment length: gnutls server" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ @@ -1273,6 +1278,7 @@ run_test "Max fragment length: client, message just fits" \ -c "2048 bytes written in 1 fragments" \ -s "2048 bytes read" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ @@ -1287,6 +1293,7 @@ run_test "Max fragment length: client, larger message" \ -s "2048 bytes read" \ -s "297 bytes read" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ From 2fabe5fb7089b2340138c369c4b19f04e75cbc7c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:01:50 +0100 Subject: [PATCH 03/10] Add tests for messages beyond 16384 bytes to ssl-opt.sh This commit adds four tests to ssl-opt.sh testing the library's behavior when `mbedtls_ssl_write` is called with messages beyond 16384 bytes. The combinations tested are TLS vs. DTLS and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH enabled vs. disabled. --- tests/ssl-opt.sh | 50 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 46e05dbe4..32687fbd8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1218,8 +1218,8 @@ run_test "Session resume using cache: openssl server" \ # Tests for Max Fragment Length extension -run_test "Max fragment length: not used, reference" \ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ @@ -1230,6 +1230,54 @@ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length: enabled, default, larger message" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3 request_size=20000" \ + 0 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 16384" \ + -C "client hello, adding max_fragment_length extension" \ + -S "found max fragment length extension" \ + -S "server hello, max_fragment_length extension" \ + -C "found max_fragment_length extension" \ + -c "20000 bytes written in 2 fragments" \ + -s "16384 bytes read" \ + -s "3616 bytes read" + +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length, DTLS: enabled, default, larger message" \ + "$P_SRV debug_level=3 dtls=1" \ + "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + 1 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 16384" \ + -C "client hello, adding max_fragment_length extension" \ + -S "found max fragment length extension" \ + -S "server hello, max_fragment_length extension" \ + -C "found max_fragment_length extension" \ + -c "fragment larger than.*maximum " + +requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length: disabled, larger message" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3 request_size=20000" \ + 0 \ + -C "Maximum fragment length is 16384" \ + -S "Maximum fragment length is 16384" \ + -c "20000 bytes written in 2 fragments" \ + -s "16384 bytes read" \ + -s "3616 bytes read" + +requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length DTLS: disabled, larger message" \ + "$P_SRV debug_level=3 dtls=1" \ + "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + 1 \ + -C "Maximum fragment length is 16384" \ + -S "Maximum fragment length is 16384" \ + -c "fragment larger than.*maximum " + requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ From 0d885d3d8c8f3ac0d0410f31dd31b8efb02de29d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:04:19 +0100 Subject: [PATCH 04/10] Add expected number of fragments to 16384-byte packet tests --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 32687fbd8..bb3e7c491 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3121,6 +3121,7 @@ run_test "Large packet SSLv3 BlockCipher" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 @@ -3129,6 +3130,7 @@ run_test "Large packet SSLv3 StreamCipher" \ "$P_CLI request_size=16384 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.0 BlockCipher" \ @@ -3136,6 +3138,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ @@ -3144,6 +3147,7 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ @@ -3152,6 +3156,7 @@ run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 BlockCipher" \ @@ -3159,6 +3164,7 @@ run_test "Large packet TLS 1.1 BlockCipher" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 StreamCipher" \ @@ -3166,6 +3172,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ @@ -3174,6 +3181,7 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ @@ -3182,6 +3190,7 @@ run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 BlockCipher" \ @@ -3189,6 +3198,7 @@ run_test "Large packet TLS 1.2 BlockCipher" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ @@ -3196,6 +3206,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ @@ -3204,6 +3215,7 @@ run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 StreamCipher" \ @@ -3211,6 +3223,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ @@ -3219,6 +3232,7 @@ run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 AEAD" \ @@ -3226,6 +3240,7 @@ run_test "Large packet TLS 1.2 AEAD" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 AEAD shorter tag" \ @@ -3233,6 +3248,7 @@ run_test "Large packet TLS 1.2 AEAD shorter tag" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" # Tests for DTLS HelloVerifyRequest From e298c8b46c706b93f7caaa0f751bc3d56ffc3aaf Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 14:58:11 +0100 Subject: [PATCH 05/10] Correct typo --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 23689d995..8b774dfaa 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6869,7 +6869,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, * * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, * then the caller will call us again with the same arguments, so - * remember wether we already did the split or not. + * remember whether we already did the split or not. */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) static int ssl_write_split( mbedtls_ssl_context *ssl, From a360411e4f6043440e9555f9717f01c6bf0652c9 Mon Sep 17 00:00:00 2001 From: Florin Date: Sat, 22 Jul 2017 09:01:44 +0200 Subject: [PATCH 06/10] Fixed SIGSEGV problem when writing with ssl_write_real a buffer that is over MBEDTLS_SSL_MAX_CONTENT_LEN bytes Signed-off-by: Florin --- library/ssl_tls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8b774dfaa..d95180d1a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6823,7 +6823,9 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, int ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); - +#else + size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN; +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ if( len > max_len ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -6838,7 +6840,6 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, #endif len = max_len; } -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ if( ssl->out_left != 0 ) { From b658ee63c2f548974c638d87e09eb4eb0c9f0197 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 16:07:19 +0100 Subject: [PATCH 07/10] Adapt ChangeLog --- ChangeLog | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/ChangeLog b/ChangeLog index da29d7077..0e9fa29b0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,6 +13,16 @@ Bugfix dates on leap years with 100 and 400 intervals are handled correctly. Found by Nicholas Wilson. #694 +Security + * Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by + default enabled) maximum fragment length extension is disabled in the + config and the application data buffer passed to mbedtls_ssl_write + is larger than the internal message buffer (16384 bytes by default), the + latter overflows. The exploitability of this issue depends on whether the + application layer can be forced into sending such large packets. The issue + was independently reported by Tim Nordell via e-mail and by Florin Petriuc + and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707. + = mbed TLS 2.1.9 branch released 2017-08-10 Security From 64691dc3fc8e1c42c22edc7676ece91d0b9f366c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 16:58:50 +0100 Subject: [PATCH 08/10] Let ssl-opt.sh gracefully fail is SSL_MAX_CONTENT_LEN is not 16384 Some tests in ssl-opt.sh require MBEDTLS_SSL_MAX_CONTENT_LEN to be set to its default value of 16384 to succeed. While ideally such a dependency should not exist, as a short-term remedy this commit adds a small check that will at least lead to graceful exit if that assumption is violated. --- tests/ssl-opt.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bb3e7c491..d53c9ba0c 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1218,6 +1218,21 @@ run_test "Session resume using cache: openssl server" \ # Tests for Max Fragment Length extension +MAX_CONTENT_LEN_EXPECT='16384' +MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN) + +if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then + printf "The ${CONFIG_H} file contains a value for the configuration of\n" + printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n" + printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n" + printf "\n" + printf "The tests assume this value and if it changes, the tests in this\n" + printf "script should also be adjusted.\n" + printf "\n" + + exit 1 +fi + requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ From 6ed76f74d2233987df2eac08a2a12a9f7abdaac5 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 18 Oct 2017 14:42:01 +0100 Subject: [PATCH 09/10] Use a conservative excess of the maximum fragment length in tests This leads to graceful test failure instead of crash when run on the previous code. --- tests/ssl-opt.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index d53c9ba0c..5f47bb5d9 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1248,7 +1248,7 @@ run_test "Max fragment length: enabled, default" \ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: enabled, default, larger message" \ "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 request_size=20000" \ + "$P_CLI debug_level=3 request_size=16385" \ 0 \ -c "Maximum fragment length is 16384" \ -s "Maximum fragment length is 16384" \ @@ -1256,14 +1256,14 @@ run_test "Max fragment length: enabled, default, larger message" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" \ - -c "20000 bytes written in 2 fragments" \ + -c "16385 bytes written in 2 fragments" \ -s "16384 bytes read" \ - -s "3616 bytes read" + -s "1 bytes read" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length, DTLS: enabled, default, larger message" \ "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + "$P_CLI debug_level=3 dtls=1 request_size=16385" \ 1 \ -c "Maximum fragment length is 16384" \ -s "Maximum fragment length is 16384" \ @@ -1276,18 +1276,18 @@ run_test "Max fragment length, DTLS: enabled, default, larger message" \ requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: disabled, larger message" \ "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 request_size=20000" \ + "$P_CLI debug_level=3 request_size=16385" \ 0 \ -C "Maximum fragment length is 16384" \ -S "Maximum fragment length is 16384" \ - -c "20000 bytes written in 2 fragments" \ + -c "16385 bytes written in 2 fragments" \ -s "16384 bytes read" \ - -s "3616 bytes read" + -s "1 bytes read" requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + "$P_CLI debug_level=3 dtls=1 request_size=16385" \ 1 \ -C "Maximum fragment length is 16384" \ -S "Maximum fragment length is 16384" \ From 797c0843942844e0661467e63da2d7375c500b6e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 19 Oct 2017 15:49:21 +0100 Subject: [PATCH 10/10] Add tests for disabled MFL-extension to all.sh This commit adds a build with default config except MBEDTLS_SSL_MAX_FRAGMENT_LENGTH to all.sh, as well as a run of the MFL-related tests in ssl-opt.sh. --- tests/scripts/all.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6defcdc2a..f0594a25e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -261,6 +261,16 @@ make msg "test: compat.sh (ASan build)" # ~ 6 min tests/compat.sh +msg "build: default config except MFL extension (ASan build)" # ~ 30s +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . +make + +msg "test: ssl-opt.sh, MFL-related tests" +tests/ssl-opt.sh -f "Max fragment length" + msg "build: Default + SSLv3 (ASan build)" # ~ 6 min cleanup cp "$CONFIG_H" "$CONFIG_BAK" @@ -485,4 +495,3 @@ rm -rf "$OUT_OF_SOURCE_DIR" msg "Done, cleaning up" cleanup -