diff --git a/ChangeLog b/ChangeLog index def0f6e97..af857e08f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -46,6 +46,8 @@ Changes * Disabled SSLv3 in the default configuration. * Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey Skalozub). + * Fix non-compliance server extension handling. Extensions for SSLv3 are now + ignored, as required by RFC6101. = mbed TLS 2.2.1 released 2016-01-05 diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b6448ecef..d31555df7 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -362,6 +362,11 @@ #error "MBEDTLS_RSA_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_PKCS1_V21) && \ + !defined(MBEDTLS_PKCS1_V15) ) +#error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled" +#endif + #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ ( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) ) #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" diff --git a/library/aes.c b/library/aes.c index ec9313de3..36660306e 100644 --- a/library/aes.c +++ b/library/aes.c @@ -56,7 +56,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } /* diff --git a/library/arc4.c b/library/arc4.c index ff0e993e7..05b33d3fd 100644 --- a/library/arc4.c +++ b/library/arc4.c @@ -49,7 +49,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } void mbedtls_arc4_init( mbedtls_arc4_context *ctx ) diff --git a/library/asn1parse.c b/library/asn1parse.c index b37523def..ffa2f5299 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -45,7 +45,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } /* @@ -269,7 +269,8 @@ int mbedtls_asn1_get_sequence_of( unsigned char **p, /* Allocate and assign next pointer */ if( *p < end ) { - cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) ); + cur->next = (mbedtls_asn1_sequence*)mbedtls_calloc( 1, + sizeof( mbedtls_asn1_sequence ) ); if( cur->next == NULL ) return( MBEDTLS_ERR_ASN1_ALLOC_FAILED ); diff --git a/library/asn1write.c b/library/asn1write.c index 00ed73c11..027c858e7 100644 --- a/library/asn1write.c +++ b/library/asn1write.c @@ -312,7 +312,9 @@ mbedtls_asn1_named_data *mbedtls_asn1_store_named_data( mbedtls_asn1_named_data { // Add new entry if not present yet based on OID // - if( ( cur = mbedtls_calloc( 1, sizeof(mbedtls_asn1_named_data) ) ) == NULL ) + cur = (mbedtls_asn1_named_data*)mbedtls_calloc( 1, + sizeof(mbedtls_asn1_named_data) ); + if( cur == NULL ) return( NULL ); cur->oid.len = oid_len; diff --git a/library/bignum.c b/library/bignum.c index 4536a3b86..4c99e04d6 100644 --- a/library/bignum.c +++ b/library/bignum.c @@ -120,7 +120,7 @@ int mbedtls_mpi_grow( mbedtls_mpi *X, size_t nblimbs ) if( X->n < nblimbs ) { - if( ( p = mbedtls_calloc( nblimbs, ciL ) ) == NULL ) + if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL ) return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); if( X->p != NULL ) @@ -158,7 +158,7 @@ int mbedtls_mpi_shrink( mbedtls_mpi *X, size_t nblimbs ) if( i < nblimbs ) i = nblimbs; - if( ( p = mbedtls_calloc( i, ciL ) ) == NULL ) + if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL ) return( MBEDTLS_ERR_MPI_ALLOC_FAILED ); if( X->p != NULL ) diff --git a/library/blowfish.c b/library/blowfish.c index 89be4d122..9003f0dfe 100644 --- a/library/blowfish.c +++ b/library/blowfish.c @@ -41,7 +41,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } /* diff --git a/library/camellia.c b/library/camellia.c index e015ca24b..d50513fd0 100644 --- a/library/camellia.c +++ b/library/camellia.c @@ -50,7 +50,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } /* diff --git a/library/ccm.c b/library/ccm.c index 3463a0b32..13a8fd1a2 100644 --- a/library/ccm.c +++ b/library/ccm.c @@ -51,7 +51,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } #define CCM_ENCRYPT 0 diff --git a/library/cipher.c b/library/cipher.c index ccc068503..0dc51520f 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -51,7 +51,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } static int supported_init = 0; diff --git a/library/des.c b/library/des.c index 61f214af3..09f95cfc3 100644 --- a/library/des.c +++ b/library/des.c @@ -50,7 +50,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } /* diff --git a/library/rsa.c b/library/rsa.c index e7bc0ccab..9611265be 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1685,7 +1685,7 @@ int mbedtls_rsa_self_test( int verbose ) #if defined(MBEDTLS_SHA1_C) if( verbose != 0 ) - mbedtls_printf( "PKCS#1 data sign : " ); + mbedtls_printf( " PKCS#1 data sign : " ); mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum ); diff --git a/library/sha1.c b/library/sha1.c index 8c77cbaa8..2ccf2a2f5 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -49,7 +49,7 @@ /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { - volatile unsigned char *p = v; while( n-- ) *p++ = 0; + volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0; } /* diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 9fc21a5ef..727104529 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1507,192 +1507,200 @@ read_record_header: ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL; #endif - /* - * Check the extension length - */ - ext_offset = comp_offset + 1 + comp_len; - if( msg_len > ext_offset ) + /* Do not parse the extensions if the protocol is SSLv3 */ +#if defined(MBEDTLS_SSL_PROTO_SSL3) + if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) { - if( msg_len < ext_offset + 2 ) +#endif + /* + * Check the extension length + */ + ext_offset = comp_offset + 1 + comp_len; + if( msg_len > ext_offset ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + if( msg_len < ext_offset + 2 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + + ext_len = ( buf[ext_offset + 0] << 8 ) + | ( buf[ext_offset + 1] ); + + if( ( ext_len > 0 && ext_len < 4 ) || + msg_len != ext_offset + 2 + ext_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } } + else + ext_len = 0; - ext_len = ( buf[ext_offset + 0] << 8 ) - | ( buf[ext_offset + 1] ); + ext = buf + ext_offset + 2; + MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); - if( ( ext_len > 0 && ext_len < 4 ) || - msg_len != ext_offset + 2 + ext_len ) + while( ext_len != 0 ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - } - else - ext_len = 0; + unsigned int ext_id = ( ( ext[0] << 8 ) + | ( ext[1] ) ); + unsigned int ext_size = ( ( ext[2] << 8 ) + | ( ext[3] ) ); - ext = buf + ext_offset + 2; - MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len ); - - while( ext_len != 0 ) - { - unsigned int ext_id = ( ( ext[0] << 8 ) - | ( ext[1] ) ); - unsigned int ext_size = ( ( ext[2] << 8 ) - | ( ext[3] ) ); - - if( ext_size + 4 > ext_len ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - switch( ext_id ) - { + if( ext_size + 4 > ext_len ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } + switch( ext_id ) + { #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - case MBEDTLS_TLS_EXT_SERVERNAME: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); - if( ssl->conf->f_sni == NULL ) - break; + case MBEDTLS_TLS_EXT_SERVERNAME: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) ); + if( ssl->conf->f_sni == NULL ) + break; - ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ - case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); + case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - renegotiation_info_seen = 1; + renegotiation_info_seen = 1; #endif - ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) - case MBEDTLS_TLS_EXT_SIG_ALG: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); + case MBEDTLS_TLS_EXT_SIG_ALG: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) ); #if defined(MBEDTLS_SSL_RENEGOTIATION) - if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) - break; + if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS ) + break; #endif - ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); + case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) ); - ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; - case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); - ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; + case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) ); + ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT; - ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); + case MBEDTLS_TLS_EXT_ECJPAKE_KKPP: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) ); - ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); + case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) ); - ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); + case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) ); - ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); + case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) ); - ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); + case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) ); - ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) - case MBEDTLS_TLS_EXT_SESSION_TICKET: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); + case MBEDTLS_TLS_EXT_SESSION_TICKET: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) ); - ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_ALPN) - case MBEDTLS_TLS_EXT_ALPN: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); + case MBEDTLS_TLS_EXT_ALPN: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) ); - ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); - if( ret != 0 ) - return( ret ); - break; + ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size ); + if( ret != 0 ) + return( ret ); + break; #endif /* MBEDTLS_SSL_SESSION_TICKETS */ - default: - MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", - ext_id ) ); - } + default: + MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)", + ext_id ) ); + } - ext_len -= 4 + ext_size; - ext += 4 + ext_size; + ext_len -= 4 + ext_size; + ext += 4 + ext_size; - if( ext_len > 0 && ext_len < 4 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + if( ext_len > 0 && ext_len < 4 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) ); + return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); + } } +#if defined(MBEDTLS_SSL_PROTO_SSL3) } +#endif #if defined(MBEDTLS_SSL_FALLBACK_SCSV) for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 ) @@ -2363,6 +2371,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X", ssl->session_negotiate->compression ) ); + /* Do not write the extensions if the protocol is SSLv3 */ +#if defined(MBEDTLS_SSL_PROTO_SSL3) + if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) ) + { +#endif + /* * First write extensions, then the total length */ @@ -2419,6 +2433,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) p += ext_len; } +#if defined(MBEDTLS_SSL_PROTO_SSL3) + } +#endif + ssl->out_msglen = p - buf; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO; diff --git a/library/x509_crl.c b/library/x509_crl.c index 125a77399..7b2b4733b 100644 --- a/library/x509_crl.c +++ b/library/x509_crl.c @@ -502,14 +502,15 @@ int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, s { mbedtls_pem_init( &pem ); - /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */ - if( buflen == 0 || buf[buflen - 1] != '\0' ) - ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; - else - ret = mbedtls_pem_read_buffer( &pem, - "-----BEGIN X509 CRL-----", - "-----END X509 CRL-----", - buf, NULL, 0, &use_len ); + // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated + // string + if( buflen == 0 || buf[buflen - 1] != '\0' ) + ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT; + else + ret = mbedtls_pem_read_buffer( &pem, + "-----BEGIN X509 CRL-----", + "-----END X509 CRL-----", + buf, NULL, 0, &use_len ); if( ret == 0 ) { diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh index 97d2f1f87..fc8b800c4 100755 --- a/scripts/bump_version.sh +++ b/scripts/bump_version.sh @@ -1,4 +1,17 @@ #!/bin/bash +# +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2012-2016, ARM Limited, All Rights Reserved +# +# Purpose +# +# Sets the version numbers in the source code to those given. +# +# Usage: bump_version.sh [ --version ] [ --so-crypto ] +# [ --so-x509 ] [ --so-tls ] +# [ -v | --verbose ] [ -h | --help ] +# VERSION="" SOVERSION="" @@ -109,10 +122,6 @@ mv tmp include/mbedtls/version.h sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tests/suites/test_suite_version.data > tmp mv tmp tests/suites/test_suite_version.data -[ $VERBOSE ] && echo "Bumping version in yotta/data/module.json" -sed -e "s/\"version\": \".\{1,\}\"/\"version\": \"$VERSION\"/g" < yotta/data/module.json > tmp -mv tmp yotta/data/module.json - [ $VERBOSE ] && echo "Bumping PROJECT_NAME in doxygen/mbedtls.doxyfile and doxygen/input/doc_mainpage.h" for i in doxygen/mbedtls.doxyfile doxygen/input/doc_mainpage.h; do @@ -128,3 +137,4 @@ scripts/generate_features.pl [ $VERBOSE ] && echo "Re-generating visualc files" scripts/generate_visualc_files.pl + diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index d961230ed..010c0c67f 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -2,6 +2,8 @@ # basic-build-tests.sh # +# This file is part of mbed TLS (https://tls.mbed.org) +# # Copyright (c) 2016, ARM Limited, All Rights Reserved # # Purpose @@ -40,7 +42,7 @@ export CFLAGS=' --coverage -g3 -O0 ' make clean scripts/config.pl full scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE -make +make -j # Step 2 - Execute the tests diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 536add274..863524200 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1,12 +1,23 @@ #!/bin/sh -# Test various options that are not covered by compat.sh +# ssl-opt.sh # -# Here the goal is not to cover every ciphersuite/version, but -# rather specific options (max fragment length, truncated hmac, etc) -# or procedures (session resumption from cache or ticket, renego, etc). +# This file is part of mbed TLS (https://tls.mbed.org) +# +# Copyright (c) 2016, ARM Limited, All Rights Reserved +# +# Purpose +# +# Executes tests to prove various TLS/SSL options and extensions. +# +# The goal is not to cover every ciphersuite/version, but instead to cover +# specific options (max fragment length, truncated hmac, etc) or procedures +# (session resumption from cache or ticket, renego, etc). +# +# The tests assume a build with default options, with exceptions expressed +# with a dependency. The tests focus on functionality and do not consider +# performance. # -# Assumes a build with default options. set -u @@ -33,12 +44,20 @@ MEMCHECK=0 FILTER='.*' EXCLUDE='^$' +SHOW_TEST_NUMBER=0 +RUN_TEST_NUMBER='' + +PRESERVE_LOGS=0 + print_usage() { echo "Usage: $0 [options]" printf " -h|--help\tPrint this help.\n" printf " -m|--memcheck\tCheck memory leaks and errors.\n" printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n" printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n" + printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n" + printf " -s|--show-numbers\tShow test numbers in front of test names\n" + printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n" } get_options() { @@ -53,6 +72,15 @@ get_options() { -m|--memcheck) MEMCHECK=1 ;; + -n|--number) + shift; RUN_TEST_NUMBER=$1 + ;; + -s|--show-numbers) + SHOW_TEST_NUMBER=1 + ;; + -p|--preserve-logs) + PRESERVE_LOGS=1 + ;; -h|--help) print_usage exit 0 @@ -144,12 +172,19 @@ needs_more_time() { # print_name print_name() { - printf "$1 " - LEN=$(( 72 - `echo "$1" | wc -c` )) + TESTS=$(( $TESTS + 1 )) + LINE="" + + if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then + LINE="$TESTS " + fi + + LINE="$LINE$1" + printf "$LINE " + LEN=$(( 72 - `echo "$LINE" | wc -c` )) for i in `seq 1 $LEN`; do printf '.'; done printf ' ' - TESTS=$(( $TESTS + 1 )) } # fail @@ -300,6 +335,13 @@ run_test() { print_name "$NAME" + # Do we only run numbered tests? + if [ "X$RUN_TEST_NUMBER" = "X" ]; then : + elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then : + else + SKIP_NEXT="YES" + fi + # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then SKIP_NEXT="NO" @@ -468,6 +510,11 @@ run_test() { # if we're here, everything is ok echo "PASS" + if [ "$PRESERVE_LOGS" -gt 0 ]; then + mv $SRV_OUT o-srv-${TESTS}.log + mv $CLI_OUT o-cli-${TESTS}.log + fi + rm -f $SRV_OUT $CLI_OUT $PXY_OUT } @@ -504,6 +551,12 @@ if [ ! -x "$P_PXY" ]; then echo "Command '$P_PXY' is not an executable file" exit 1 fi +if [ "$MEMCHECK" -gt 0 ]; then + if which valgrind >/dev/null 2>&1; then :; else + echo "Memcheck not possible. Valgrind not found" + exit 1 + fi +fi if which $OPENSSL_CMD >/dev/null 2>&1; then :; else echo "Command '$OPENSSL_CMD' not found" exit 1 @@ -575,12 +628,14 @@ run_test "Default, DTLS" \ # Tests for rc4 option +requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES run_test "RC4: server disabled, client enabled" \ "$P_SRV" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 1 \ -s "SSL - The server has no ciphersuites in common" +requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES run_test "RC4: server half, client enabled" \ "$P_SRV arc4=1" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ @@ -723,7 +778,7 @@ run_test "Encrypt then MAC: client enabled, server SSLv3" \ "$P_CLI debug_level=3 min_version=ssl3" \ 0 \ -c "client hello, adding encrypt_then_mac extension" \ - -s "found encrypt then mac extension" \ + -S "found encrypt then mac extension" \ -S "server hello, adding encrypt then mac extension" \ -C "found encrypt_then_mac extension" \ -C "using encrypt then mac" \ @@ -782,7 +837,7 @@ run_test "Extended Master Secret: client enabled, server SSLv3" \ "$P_CLI debug_level=3 min_version=ssl3" \ 0 \ -c "client hello, adding extended_master_secret extension" \ - -s "found extended master secret extension" \ + -S "found extended master secret extension" \ -S "server hello, adding extended master secret extension" \ -C "found extended_master_secret extension" \ -C "using extended master secret" \ @@ -2856,6 +2911,16 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \ 0 \ -s "Read from client: 1 bytes read" +# A test for extensions in SSLv3 + +requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 +run_test "SSLv3 with extensions, server side" \ + "$P_SRV min_version=ssl3 debug_level=3" \ + "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \ + 0 \ + -S "dumping 'client hello extensions'" \ + -S "server hello, total extension length:" + # Test for large packets requires_config_enabled MBEDTLS_SSL_PROTO_SSL3