diff --git a/ChangeLog b/ChangeLog index af8079c67..6d1ec368e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -64,6 +64,10 @@ Bugfix * Don't print X.509 version tag for v1 CRT's, and omit extensions for non-v3 CRT's. * Fix bugs in RSA test suite under MBEDTLS_NO_PLATFORM_ENTROPY. #1023 #1024 + * Fix net_would_block to avoid modification by errno through fcntl call. + Found by nkolban. Fixes #845. + * Fix handling of handshake messages in mbedtls_ssl_read in case + MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp. Changes * Extend cert_write example program by options to set the CRT version diff --git a/library/net.c b/library/net.c index b6b08ed72..f08bbec51 100644 --- a/library/net.c +++ b/library/net.c @@ -259,13 +259,18 @@ static int net_would_block( const mbedtls_net_context *ctx ) */ static int net_would_block( const mbedtls_net_context *ctx ) { + int err = errno; + /* * Never return 'WOULD BLOCK' on a non-blocking socket */ if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK ) + { + errno = err; return( 0 ); + } - switch( errno ) + switch( errno = err ) { #if defined EAGAIN case EAGAIN: diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1c4540743..7ceee4d6d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6657,7 +6657,6 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } } -#if defined(MBEDTLS_SSL_RENEGOTIATION) if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); @@ -6693,10 +6692,30 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) } #endif - if( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || - ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && - ssl->conf->allow_legacy_renegotiation == - MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) +#if defined(MBEDTLS_SSL_RENEGOTIATION) + if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || + ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && + ssl->conf->allow_legacy_renegotiation == + MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) + { + /* DTLS clients need to know renego is server-initiated */ +#if defined(MBEDTLS_SSL_PROTO_DTLS) + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && + ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) + { + ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; + } +#endif + ret = ssl_start_renegotiation( ssl ); + if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && + ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); + return( ret ); + } + } + else +#endif /* MBEDTLS_SSL_RENEGOTIATION */ { MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); @@ -6730,27 +6749,10 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } } - else - { - /* DTLS clients need to know renego is server-initiated */ -#if defined(MBEDTLS_SSL_PROTO_DTLS) - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) - { - ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; - } -#endif - ret = ssl_start_renegotiation( ssl ); - if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && - ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret ); - return( ret ); - } - } return( MBEDTLS_ERR_SSL_WANT_READ ); } +#if defined(MBEDTLS_SSL_RENEGOTIATION) else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) { if( ssl->conf->renego_max_records >= 0 ) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index f0594a25e..692dd70cb 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -289,6 +289,19 @@ OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' msg "build: SSLv3 - ssl-opt.sh (ASan build)" # ~ 6 min tests/ssl-opt.sh +msg "build: Default + !MBEDTLS_SSL_RENEGOTIATION (ASan build)" # ~ 6 min +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl unset MBEDTLS_SSL_RENEGOTIATION +CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . +make + +msg "test: !MBEDTLS_SSL_RENEGOTIATION - main suites (inc. selftests) (ASan build)" # ~ 50s +make test + +msg "test: !MBEDTLS_SSL_RENEGOTIATION - ssl-opt.sh (ASan build)" # ~ 6 min +tests/ssl-opt.sh + msg "build: cmake, full config, clang" # ~ 50s cleanup cp "$CONFIG_H" "$CONFIG_BAK" diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5f47bb5d9..ff1ab8535 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1384,6 +1384,7 @@ run_test "Renegotiation: none, for reference" \ -S "=> renegotiate" \ -S "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: client-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -1397,6 +1398,7 @@ run_test "Renegotiation: client-initiated" \ -s "=> renegotiate" \ -S "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: server-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ @@ -1413,6 +1415,7 @@ run_test "Renegotiation: server-initiated" \ # Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that # the server did not parse the Signature Algorithm extension. This test is valid only if an MD # algorithm stronger than SHA-1 is enabled in config.h +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -1430,6 +1433,7 @@ run_test "Renegotiation: Signature Algorithms parsing, client-initiated" \ # Checks that no Signature Algorithm with SHA-1 gets negotiated. Negotiating SHA-1 would mean that # the server did not parse the Signature Algorithm extension. This test is valid only if an MD # algorithm stronger than SHA-1 is enabled in config.h +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ @@ -1444,6 +1448,7 @@ run_test "Renegotiation: Signature Algorithms parsing, server-initiated" \ -s "write hello request" \ -S "client hello v3, signature_algorithm ext: 2" # Is SHA-1 negotiated? +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: double" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 auth_mode=optional renegotiate=1" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -1457,6 +1462,7 @@ run_test "Renegotiation: double" \ -s "=> renegotiate" \ -s "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: client-initiated, server-rejected" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=0 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -1472,6 +1478,7 @@ run_test "Renegotiation: client-initiated, server-rejected" \ -c "SSL - Unexpected message at ServerHello in renegotiation" \ -c "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: server-initiated, client-rejected, default" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=0" \ @@ -1487,6 +1494,7 @@ run_test "Renegotiation: server-initiated, client-rejected, default" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=-1 auth_mode=optional" \ @@ -1504,6 +1512,7 @@ run_test "Renegotiation: server-initiated, client-rejected, not enforced" \ -S "failed" # delay 2 for 1 alert record + 1 application data record +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=2 auth_mode=optional" \ @@ -1520,6 +1529,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 2" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=0 auth_mode=optional" \ @@ -1535,6 +1545,7 @@ run_test "Renegotiation: server-initiated, client-rejected, delay 0" \ -s "write hello request" \ -s "SSL - An unexpected message was received from our peer" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ "$P_SRV debug_level=3 exchanges=2 renegotiation=1 renegotiate=1 \ renego_delay=0 auth_mode=optional" \ @@ -1551,6 +1562,7 @@ run_test "Renegotiation: server-initiated, client-accepted, delay 0" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: periodic, just below period" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=2 renegotiation=1" \ @@ -1568,6 +1580,7 @@ run_test "Renegotiation: periodic, just below period" \ -S "failed" # one extra exchange to be able to complete renego +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: periodic, just above period" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ @@ -1584,6 +1597,7 @@ run_test "Renegotiation: periodic, just above period" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: periodic, two times period" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=1 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=7 renegotiation=1" \ @@ -1600,6 +1614,7 @@ run_test "Renegotiation: periodic, two times period" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: periodic, above period, disabled" \ "$P_SRV debug_level=3 exchanges=9 renegotiation=0 renego_period=3 auth_mode=optional" \ "$P_CLI debug_level=3 exchanges=4 renegotiation=1" \ @@ -1616,6 +1631,7 @@ run_test "Renegotiation: periodic, above period, disabled" \ -S "SSL - An unexpected message was received from our peer" \ -S "failed" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: nbio, client-initiated" \ "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 auth_mode=optional" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -1629,6 +1645,7 @@ run_test "Renegotiation: nbio, client-initiated" \ -s "=> renegotiate" \ -S "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: nbio, server-initiated" \ "$P_SRV debug_level=3 nbio=2 exchanges=2 renegotiation=1 renegotiate=1 auth_mode=optional" \ "$P_CLI debug_level=3 nbio=2 exchanges=2 renegotiation=1" \ @@ -1642,6 +1659,7 @@ run_test "Renegotiation: nbio, server-initiated" \ -s "=> renegotiate" \ -s "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: openssl server, client-initiated" \ "$O_SRV -www" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -1654,6 +1672,7 @@ run_test "Renegotiation: openssl server, client-initiated" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server strict, client-initiated" \ "$G_SRV --priority=NORMAL:%SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -1666,6 +1685,7 @@ run_test "Renegotiation: gnutls server strict, client-initiated" \ -c "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -1678,6 +1698,7 @@ run_test "Renegotiation: gnutls server unsafe, client-initiated default" \ -C "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -1691,6 +1712,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated no legacy" \ -C "HTTP/1.0 200 [Oo][Kk]" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ "$G_SRV --priority=NORMAL:%DISABLE_SAFE_RENEGOTIATION" \ "$P_CLI debug_level=3 exchanges=1 renegotiation=1 renegotiate=1 \ @@ -1703,6 +1725,7 @@ run_test "Renegotiation: gnutls server unsafe, client-inititated legacy" \ -C "error" \ -c "HTTP/1.0 200 [Oo][Kk]" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, client-initiated" \ "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1" \ "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \ @@ -1716,6 +1739,7 @@ run_test "Renegotiation: DTLS, client-initiated" \ -s "=> renegotiate" \ -S "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, server-initiated" \ "$P_SRV debug_level=3 dtls=1 exchanges=2 renegotiation=1 renegotiate=1" \ "$P_CLI debug_level=3 dtls=1 exchanges=2 renegotiation=1 \ @@ -1730,6 +1754,7 @@ run_test "Renegotiation: DTLS, server-initiated" \ -s "=> renegotiate" \ -s "write hello request" +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, renego_period overflow" \ "$P_SRV debug_level=3 dtls=1 exchanges=4 renegotiation=1 renego_period=18446462598732840962 auth_mode=optional" \ "$P_CLI debug_level=3 dtls=1 exchanges=4 renegotiation=1" \ @@ -1741,9 +1766,10 @@ run_test "Renegotiation: DTLS, renego_period overflow" \ -s "record counter limit reached: renegotiate" \ -c "=> renegotiate" \ -s "=> renegotiate" \ - -s "write hello request" \ + -s "write hello request" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "Renegotiation: DTLS, gnutls server, client-initiated" \ "$G_SRV -u --mtu 4096" \ "$P_CLI debug_level=3 dtls=1 exchanges=1 renegotiation=1 renegotiate=1" \ @@ -3431,6 +3457,7 @@ run_test "DTLS reassembly: more fragmentation, nbio (gnutls server)" \ -C "error" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 dtls=1 renegotiation=1 renegotiate=1" \ @@ -3444,6 +3471,7 @@ run_test "DTLS reassembly: fragmentation, renego (gnutls server)" \ -s "Extra-header:" requires_gnutls +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ "$G_SRV -u --mtu 256" \ "$P_CLI debug_level=3 nbio=2 dtls=1 renegotiation=1 renegotiate=1" \ @@ -3688,6 +3716,7 @@ run_test "DTLS proxy: 3d, min handshake, resumption, nbio" \ -c "HTTP/1.0 200 OK" needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \ @@ -3702,6 +3731,7 @@ run_test "DTLS proxy: 3d, min handshake, client-initiated renego" \ -c "HTTP/1.0 200 OK" needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \ @@ -3716,6 +3746,7 @@ run_test "DTLS proxy: 3d, min handshake, client-initiated renego, nbio" \ -c "HTTP/1.0 200 OK" needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \ @@ -3731,6 +3762,7 @@ run_test "DTLS proxy: 3d, min handshake, server-initiated renego" \ -c "HTTP/1.0 200 OK" needs_more_time 4 +requires_config_enabled MBEDTLS_SSL_RENEGOTIATION run_test "DTLS proxy: 3d, min handshake, server-initiated renego, nbio" \ -p "$P_PXY drop=5 delay=5 duplicate=5" \ "$P_SRV dtls=1 hs_timeout=250-10000 tickets=0 auth_mode=none \