yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-12-26 12:15:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'mbedtls-2.1' into mbedtls-2.1

Browse source
This commit is contained in:
Simon Butcher 2016-06-27 01:16:16 +01:00
parent df8c386a64 60e2b2fe22
commit 88aa189415
3 changed files with 168 additions and 121 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
ChangeLog
View file

@ -29,6 +29,8 @@ Changes
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, * On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
don't use the optimized assembly for bignum multiplication. This removes don't use the optimized assembly for bignum multiplication. This removes
the need to pass -fomit-frame-pointer to avoid a build error with -O0. the need to pass -fomit-frame-pointer to avoid a build error with -O0.
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
ignored, as required by RFC6101.
= mbed TLS 2.1.4 released 2016-01-05 = mbed TLS 2.1.4 released 2016-01-05

19
library/ssl_srv.c
View file

@ -1460,6 +1460,11 @@ read_record_header:
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
#endif #endif
/* Do not parse the extensions if the protocol is SSLv3 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
{
#endif
/* /*
* Check the extension length * Check the extension length
*/ */
@ -1544,7 +1549,6 @@ read_record_header:
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
@ -1634,6 +1638,9 @@ read_record_header:
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
} }
} }
#if defined(MBEDTLS_SSL_PROTO_SSL3)
}
#endif
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) #if defined(MBEDTLS_SSL_FALLBACK_SCSV)
for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
@ -2259,6 +2266,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
ssl->session_negotiate->compression ) ); ssl->session_negotiate->compression ) );
/* Do not write the extensions if the protocol is SSLv3 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
{
#endif
/* /*
* First write extensions, then the total length * First write extensions, then the total length
*/ */
@ -2309,6 +2322,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
p += ext_len; p += ext_len;
} }
#if defined(MBEDTLS_SSL_PROTO_SSL3)
}
#endif
ssl->out_msglen = p - buf; ssl->out_msglen = p - buf;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;

34
tests/ssl-opt.sh
View file

@ -130,6 +130,13 @@ not_with_valgrind() {
fi fi
} }
# skip the next test if valgrind is NOT in use
only_with_valgrind() {
if [ "$MEMCHECK" -eq 0 ]; then
SKIP_NEXT="YES"
fi
}
# multiply the client timeout delay by the given factor for the next test # multiply the client timeout delay by the given factor for the next test
needs_more_time() { needs_more_time() {
CLI_DELAY_FACTOR=$1 CLI_DELAY_FACTOR=$1
@ -567,12 +574,14 @@ run_test "Default, DTLS" \
# Tests for rc4 option # Tests for rc4 option
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server disabled, client enabled" \ run_test "RC4: server disabled, client enabled" \
"$P_SRV" \ "$P_SRV" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1 \ 1 \
-s "SSL - The server has no ciphersuites in common" -s "SSL - The server has no ciphersuites in common"
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server half, client enabled" \ run_test "RC4: server half, client enabled" \
"$P_SRV arc4=1" \ "$P_SRV arc4=1" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
@ -715,7 +724,7 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \
"$P_CLI debug_level=3 min_version=ssl3" \ "$P_CLI debug_level=3 min_version=ssl3" \
0 \ 0 \
-c "client hello, adding encrypt_then_mac extension" \ -c "client hello, adding encrypt_then_mac extension" \
-s "found encrypt then mac extension" \ -S "found encrypt then mac extension" \
-S "server hello, adding encrypt then mac extension" \ -S "server hello, adding encrypt then mac extension" \
-C "found encrypt_then_mac extension" \ -C "found encrypt_then_mac extension" \
-C "using encrypt then mac" \ -C "using encrypt then mac" \
@ -774,7 +783,7 @@ run_test "Extended Master Secret: client enabled, server SSLv3" \
"$P_CLI debug_level=3 min_version=ssl3" \ "$P_CLI debug_level=3 min_version=ssl3" \
0 \ 0 \
-c "client hello, adding extended_master_secret extension" \ -c "client hello, adding extended_master_secret extension" \
-s "found extended master secret extension" \ -S "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \ -S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \ -C "found extended_master_secret extension" \
-C "using extended master secret" \ -C "using extended master secret" \
@ -2756,6 +2765,16 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \
0 \ 0 \
-s "Read from client: 1 bytes read" -s "Read from client: 1 bytes read"
# A test for extensions in SSLv3
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
run_test "SSLv3 with extensions, server side" \
"$P_SRV min_version=ssl3 debug_level=3" \
"$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
0 \
-S "dumping 'client hello extensions'" \
-S "server hello, total extension length:"
# Test for large packets # Test for large packets
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
@ -2956,13 +2975,22 @@ run_test "DTLS client reconnect from same port: reconnect" \
-S "The operation timed out" \ -S "The operation timed out" \
-s "Client initiated reconnection from same port" -s "Client initiated reconnection from same port"
run_test "DTLS client reconnect from same port: reconnect, nbio" \ not_with_valgrind # server/client too slow to respond in time (next test has higher timeouts)
run_test "DTLS client reconnect from same port: reconnect, nbio, no valgrind" \
"$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \ "$P_SRV dtls=1 exchanges=2 read_timeout=1000 nbio=2" \
"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-1000 reconnect_hard=1" \
0 \ 0 \
-S "The operation timed out" \ -S "The operation timed out" \
-s "Client initiated reconnection from same port" -s "Client initiated reconnection from same port"
only_with_valgrind # Only with valgrind, do previous test but with higher read_timeout and hs_timeout
run_test "DTLS client reconnect from same port: reconnect, nbio, valgrind" \
"$P_SRV dtls=1 exchanges=2 read_timeout=2000 nbio=2 hs_timeout=1500-6000" \
"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=1500-3000 reconnect_hard=1" \
0 \
-S "The operation timed out" \
-s "Client initiated reconnection from same port"
run_test "DTLS client reconnect from same port: no cookies" \ run_test "DTLS client reconnect from same port: no cookies" \
"$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \ "$P_SRV dtls=1 exchanges=2 read_timeout=1000 cookies=0" \
"$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \ "$P_CLI dtls=1 exchanges=2 debug_level=2 hs_timeout=500-8000 reconnect_hard=1" \