yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-23 05:35:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3075 from AndrzejKurek/variable-buffer-size

Browse source 
Variable buffer size
This commit is contained in:
Jaeden Amero 2020-03-10 21:46:35 +04:00 committed by GitHub
parent 0bf6236be5 0937ed29b9
commit c31f970a46
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 591 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
include/mbedtls/config.h
View file

@ -1779,6 +1779,13 @@
*/
#define MBEDTLS_SSL_TRUNCATED_HMAC
/**
* \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
*
* Enable modifying the maximum I/O buffer size.
*/
//#define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
/**
* \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT
*

6
include/mbedtls/ssl.h
View file

@ -1215,6 +1215,9 @@ struct mbedtls_ssl_context
int in_msgtype; /*!< record header: message type */
size_t in_msglen; /*!< record header: message length */
size_t in_left; /*!< amount of data read so far */
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len; /*!< length of input buffer */
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
uint16_t in_epoch; /*!< DTLS epoch for incoming records */
size_t next_record_offset; /*!< offset of the next record in datagram
@ -1254,6 +1257,9 @@ struct mbedtls_ssl_context
int out_msgtype; /*!< record header: message type */
size_t out_msglen; /*!< record header: message length */
size_t out_left; /*!< amount of data not yet written */
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t out_buf_len; /*!< length of output buffer */
#endif
unsigned char cur_out_ctr[8]; /*!< Outgoing record sequence number. */

30
include/mbedtls/ssl_internal.h
View file

@ -238,7 +238,7 @@
implicit sequence number. */
#define MBEDTLS_SSL_HEADER_LEN 13
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_IN_BUFFER_LEN \
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
#else
@ -247,7 +247,7 @@
+ ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
#endif
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
#define MBEDTLS_SSL_OUT_BUFFER_LEN \
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
#else
@ -256,6 +256,32 @@
+ ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
#endif
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
static inline uint32_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
{
#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
return (uint32_t) mbedtls_ssl_get_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+ MBEDTLS_SSL_CID_OUT_LEN_MAX;
#else
return (uint32_t) mbedtls_ssl_get_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
#endif
}
static inline uint32_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
{
#if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
return (uint32_t) mbedtls_ssl_get_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
+ MBEDTLS_SSL_CID_IN_LEN_MAX;
#else
return (uint32_t) mbedtls_ssl_get_max_frag_len( ctx )
+ MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
#endif
}
#endif
#ifdef MBEDTLS_ZLIB_SUPPORT
/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \

55
library/ssl_msg.c
View file

@ -179,11 +179,16 @@ static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
{
size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t out_buf_len = ssl->out_buf_len;
#else
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
if( mtu != 0 && mtu < out_buf_len )
return( mtu );
return( MBEDTLS_SSL_OUT_BUFFER_LEN );
return( out_buf_len );
}
static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
@ -1574,6 +1579,11 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
size_t len_pre = ssl->out_msglen;
unsigned char *msg_pre = ssl->compress_buf;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t out_buf_len = ssl->out_buf_len;
#else
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
@ -1591,7 +1601,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
ssl->transform_out->ctx_deflate.next_in = msg_pre;
ssl->transform_out->ctx_deflate.avail_in = len_pre;
ssl->transform_out->ctx_deflate.next_out = msg_post;
ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written;
ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
if( ret != Z_OK )
@ -1600,7 +1610,7 @@ static int ssl_compress_buf( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
}
ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
ssl->out_msglen = out_buf_len -
ssl->transform_out->ctx_deflate.avail_out - bytes_written;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
@ -1621,6 +1631,11 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
size_t len_pre = ssl->in_msglen;
unsigned char *msg_pre = ssl->compress_buf;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
@ -1638,8 +1653,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
ssl->transform_in->ctx_inflate.next_in = msg_pre;
ssl->transform_in->ctx_inflate.avail_in = len_pre;
ssl->transform_in->ctx_inflate.next_out = msg_post;
ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
header_bytes;
ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes;
ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
if( ret != Z_OK )
@ -1648,7 +1662,7 @@ static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
}
ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
ssl->in_msglen = in_buf_len -
ssl->transform_in->ctx_inflate.avail_out - header_bytes;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
@ -1682,6 +1696,11 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t len;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
@ -1692,7 +1711,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
@ -1778,7 +1797,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
}
else
{
len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
timeout = ssl->handshake->retransmit_timeout;
@ -2523,7 +2542,11 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
{
unsigned i;
size_t protected_record_size;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t out_buf_len = ssl->out_buf_len;
#else
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
/* Skip writing the record content type to after the encryption,
* as it may change when using the CID extension. */
@ -2539,8 +2562,7 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
mbedtls_record rec;
rec.buf = ssl->out_iv;
rec.buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN -
( ssl->out_iv - ssl->out_buf );
rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
rec.data_len = ssl->out_msglen;
rec.data_offset = ssl->out_msg - rec.buf;
@ -4216,7 +4238,11 @@ static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
unsigned char * rec;
size_t rec_len;
unsigned rec_epoch;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
#endif
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
return( 0 );
@ -4246,8 +4272,7 @@ static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
/* Double-check that the record is not too large */
if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
(size_t)( ssl->in_hdr - ssl->in_buf ) )
if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );

159
library/ssl_tls.c
View file

@ -245,6 +245,29 @@ int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
return( 0 );
}
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
{
unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
if( resized_buffer == NULL )
return -1;
/* We want to copy len_new bytes when downsizing the buffer, and
* len_old bytes when upsizing, so we choose the smaller of two sizes,
* to fit one buffer into another. Size checks, ensuring that no data is
* lost, are done outside of this function. */
memcpy( resized_buffer, *buffer,
( len_new < *len_old ) ? len_new : *len_old );
mbedtls_platform_zeroize( *buffer, *len_old );
mbedtls_free( *buffer );
*buffer = resized_buffer;
*len_old = len_new;
return 0;
}
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
/*
* Key material generation
*/
@ -3643,6 +3666,43 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
{
ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
}
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* If the buffers are too small - reallocate */
{
int modified = 0;
if( ssl->in_buf_len < MBEDTLS_SSL_IN_BUFFER_LEN )
{
if( resize_buffer( &ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN,
&ssl->in_buf_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %d", MBEDTLS_SSL_IN_BUFFER_LEN ) );
modified = 1;
}
}
if( ssl->out_buf_len < MBEDTLS_SSL_OUT_BUFFER_LEN )
{
if( resize_buffer( &ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN,
&ssl->out_buf_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %d", MBEDTLS_SSL_OUT_BUFFER_LEN ) );
modified = 1;
}
}
if( modified )
{
/* Update pointers here to avoid doing it twice. */
mbedtls_ssl_reset_in_out_pointers( ssl );
}
}
#endif
/* All pointers should exist and can be directly freed without issue */
if( ssl->handshake == NULL ||
@ -3729,6 +3789,8 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
const mbedtls_ssl_config *conf )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
ssl->conf = conf;
@ -3739,18 +3801,24 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
/* Set to NULL in case of an error condition */
ssl->out_buf = NULL;
ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
ssl->in_buf_len = in_buf_len;
#endif
ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
if( ssl->in_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", in_buf_len ) );
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto error;
}
ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
ssl->out_buf_len = out_buf_len;
#endif
ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
if( ssl->out_buf == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", out_buf_len ) );
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto error;
}
@ -3768,6 +3836,10 @@ error:
ssl->conf = NULL;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
ssl->in_buf_len = 0;
ssl->out_buf_len = 0;
#endif
ssl->in_buf = NULL;
ssl->out_buf = NULL;
@ -3796,6 +3868,13 @@ error:
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
size_t out_buf_len = ssl->out_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
!defined(MBEDTLS_SSL_SRV_C)
@ -3851,14 +3930,14 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
ssl->session_in = NULL;
ssl->session_out = NULL;
memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
memset( ssl->out_buf, 0, out_buf_len );
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
if( partial == 0 )
#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
{
ssl->in_left = 0;
memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
memset( ssl->in_buf, 0, in_buf_len );
}
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
@ -5799,6 +5878,60 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
mbedtls_platform_zeroize( handshake,
sizeof( mbedtls_ssl_handshake_params ) );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* If the buffers are too big - reallocate. Because of the way Mbed TLS
* processes datagrams and the fact that a datagram is allowed to have
* several records in it, it is possible that the I/O buffers are not
* empty at this stage */
{
int modified = 0;
uint32_t buf_len = mbedtls_ssl_get_input_buflen( ssl );
size_t written_in = 0;
size_t written_out = 0;
if( ssl->in_buf != NULL &&
ssl->in_buf_len > buf_len &&
ssl->in_left < buf_len )
{
written_in = ssl->in_msg - ssl->in_buf;
if( resize_buffer( &ssl->in_buf, buf_len, &ssl->in_buf_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %d", buf_len ) );
modified = 1;
}
}
buf_len = mbedtls_ssl_get_output_buflen( ssl );
if( ssl->out_buf != NULL &&
ssl->out_buf_len > mbedtls_ssl_get_output_buflen( ssl ) &&
ssl->out_left < buf_len )
{
written_out = ssl->out_msg - ssl->out_buf;
if( resize_buffer( &ssl->out_buf, buf_len, &ssl->out_buf_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %d", buf_len ) );
modified = 1;
}
}
if( modified )
{
/* Update pointers here to avoid doing it twice. */
mbedtls_ssl_reset_in_out_pointers( ssl );
/* Fields below might not be properly updated with record
* splitting, so they are manually updated here. */
ssl->out_msg = ssl->out_buf + written_out;
ssl->in_msg = ssl->in_buf + written_in;
}
}
#endif
}
void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
@ -6463,6 +6596,14 @@ int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
*/
void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
size_t in_buf_len = ssl->in_buf_len;
size_t out_buf_len = ssl->out_buf_len;
#else
size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
#endif
if( ssl == NULL )
return;
@ -6470,14 +6611,16 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
if( ssl->out_buf != NULL )
{
mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
mbedtls_free( ssl->out_buf );
ssl->out_buf = NULL;
}
if( ssl->in_buf != NULL )
{
mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
mbedtls_free( ssl->in_buf );
ssl->in_buf = NULL;
}
#if defined(MBEDTLS_ZLIB_SUPPORT)

3
library/version_features.c
View file

@ -537,6 +537,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
"MBEDTLS_SSL_TRUNCATED_HMAC",
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
"MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH",
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
"MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT",
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */

12
programs/ssl/ssl_server2.c
View file

@ -1838,7 +1838,10 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
#endif
#if defined(MBEDTLS_MEMORY_DEBUG)
size_t current_heap_memory, peak_heap_memory, heap_blocks;
#endif /* MBEDTLS_MEMORY_DEBUG */
#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
/*
* Make sure memory references are valid in case we exit early.
@ -3742,6 +3745,13 @@ handshake:
}
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_MEMORY_DEBUG)
mbedtls_memory_buffer_alloc_cur_get( &current_heap_memory, &heap_blocks );
mbedtls_memory_buffer_alloc_max_get( &peak_heap_memory, &heap_blocks );
mbedtls_printf( "Heap memory usage after handshake: %lu bytes. Peak memory usage was %lu\n",
(unsigned long) current_heap_memory, (unsigned long) peak_heap_memory );
#endif /* MBEDTLS_MEMORY_DEBUG */
if( opt.exchanges == 0 )
goto close_notify;

8
programs/test/query_config.c
View file

@ -1474,6 +1474,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( strcmp( "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH );
return( 0 );
}
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
if( strcmp( "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT", config ) == 0 )
{

69
tests/scripts/all.sh
View file

@ -1142,6 +1142,75 @@ component_test_no_max_fragment_length_small_ssl_out_content_len () {
if_build_succeeded tests/ssl-opt.sh -f "Max fragment length\|Large buffer"
}
component_test_variable_ssl_in_out_buffer_len () {
msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
make test
msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
if_build_succeeded tests/ssl-opt.sh
msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH enabled"
if_build_succeeded tests/compat.sh
}
component_test_variable_ssl_in_out_buffer_len_CID () {
msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID"
make test
msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled"
if_build_succeeded tests/ssl-opt.sh
msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_DTLS_CONNECTION_ID enabled"
if_build_succeeded tests/compat.sh
}
component_test_variable_ssl_in_out_buffer_len_record_splitting () {
msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
scripts/config.py set MBEDTLS_SSL_CBC_RECORD_SPLITTING
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING"
make test
msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled"
if_build_succeeded tests/ssl-opt.sh
msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled"
if_build_succeeded tests/compat.sh
}
component_test_ssl_alloc_buffer_and_mfl () {
msg "build: default config with memory buffer allocator and MFL extension"
scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_PLATFORM_MEMORY
scripts/config.py set MBEDTLS_MEMORY_DEBUG
scripts/config.py set MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
CC=gcc cmake .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
make test
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH, MBEDTLS_MEMORY_BUFFER_ALLOC_C, MBEDTLS_MEMORY_DEBUG and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH"
if_build_succeeded tests/ssl-opt.sh -f "Handshake memory usage"
}
component_test_when_no_ciphersuites_have_mac () {
msg "build: when no ciphersuites have MAC"
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER

99
tests/ssl-opt.sh
View file

@ -223,7 +223,7 @@ requires_config_value_at_most() {
}
requires_ciphersuite_enabled() {
if [ -z "$($P_CLI --help | grep $1)" ]; then
if [ -z "$($P_CLI --help 2>/dev/null | grep $1)" ]; then
SKIP_NEXT="YES"
fi
}
@ -525,6 +525,45 @@ check_server_hello_time() {
fi
}
# Get handshake memory usage from server or client output and put it into the variable specified by the first argument
handshake_memory_get() {
OUTPUT_VARIABLE="$1"
OUTPUT_FILE="$2"
# Get memory usage from a pattern like "Heap memory usage after handshake: 23112 bytes. Peak memory usage was 33112"
MEM_USAGE=$(sed -n 's/.*Heap memory usage after handshake: //p' < "$OUTPUT_FILE" | grep -o "[0-9]*" | head -1)
# Check if memory usage was read
if [ -z "$MEM_USAGE" ]; then
echo "Error: Can not read the value of handshake memory usage"
return 1
else
eval "$OUTPUT_VARIABLE=$MEM_USAGE"
return 0
fi
}
# Get handshake memory usage from server or client output and check if this value
# is not higher than the maximum given by the first argument
handshake_memory_check() {
MAX_MEMORY="$1"
OUTPUT_FILE="$2"
# Get memory usage
if ! handshake_memory_get "MEMORY_USAGE" "$OUTPUT_FILE"; then
return 1
fi
# Check if memory usage is below max value
if [ "$MEMORY_USAGE" -gt "$MAX_MEMORY" ]; then
echo "\nFailed: Handshake memory usage was $MEMORY_USAGE bytes," \
"but should be below $MAX_MEMORY bytes"
return 1
else
return 0
fi
}
# wait for client to terminate and set CLI_EXIT
# must be called right after starting the client
wait_client_done() {
@ -865,6 +904,58 @@ run_test_psa_force_curve() {
-C "error"
}
# Test that the server's memory usage after a handshake is reduced when a client specifies
# a maximum fragment length.
# first argument ($1) is MFL for SSL client
# second argument ($2) is memory usage for SSL client with default MFL (16k)
run_test_memory_after_hanshake_with_mfl()
{
# The test passes if the difference is around 2*(16k-MFL)
local MEMORY_USAGE_LIMIT="$(( $2 - ( 2 * ( 16384 - $1 )) ))"
# Leave some margin for robustness
MEMORY_USAGE_LIMIT="$(( ( MEMORY_USAGE_LIMIT * 110 ) / 100 ))"
run_test "Handshake memory usage (MFL $1)" \
"$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
"$P_CLI debug_level=3 force_version=tls1_2 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM max_frag_len=$1" \
0 \
-F "handshake_memory_check $MEMORY_USAGE_LIMIT"
}
# Test that the server's memory usage after a handshake is reduced when a client specifies
# different values of Maximum Fragment Length: default (16k), 4k, 2k, 1k and 512 bytes
run_tests_memory_after_hanshake()
{
# all tests in this sequence requires the same configuration (see requires_config_enabled())
SKIP_THIS_TESTS="$SKIP_NEXT"
# first test with default MFU is to get reference memory usage
MEMORY_USAGE_MFL_16K=0
run_test "Handshake memory usage initial (MFL 16384 - default)" \
"$P_SRV debug_level=3 auth_mode=required force_version=tls1_2" \
"$P_CLI debug_level=3 force_version=tls1_2 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM" \
0 \
-F "handshake_memory_get MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 4096 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 2048 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 1024 "$MEMORY_USAGE_MFL_16K"
SKIP_NEXT="$SKIP_THIS_TESTS"
run_test_memory_after_hanshake_with_mfl 512 "$MEMORY_USAGE_MFL_16K"
}
cleanup() {
rm -f $CLI_OUT $SRV_OUT $PXY_OUT $SESSION
test -n "${SRV_PID:-}" && kill $SRV_PID >/dev/null 2>&1
@ -8820,6 +8911,12 @@ run_test "export keys functionality" \
-c "exported keylen is " \
-c "exported ivlen is "
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_MEMORY_DEBUG
requires_config_enabled MBEDTLS_MEMORY_BUFFER_ALLOC_C
requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
run_tests_memory_after_hanshake
# Final report
echo "------------------------------------------------------------------------"

48
tests/suites/test_suite_ssl.data
View file

@ -368,6 +368,54 @@ renegotiation:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
DTLS renegotiation: legacy break handshake
renegotiation:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
DTLS serialization with MFL=512
resize_buffers_serialize_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512
DTLS serialization with MFL=1024
resize_buffers_serialize_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024
DTLS serialization with MFL=2048
resize_buffers_serialize_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048
DTLS serialization with MFL=4096
resize_buffers_serialize_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096
DTLS no legacy renegotiation with MFL=512
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
DTLS no legacy renegotiation with MFL=1024
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
DTLS no legacy renegotiation with MFL=2048
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
DTLS no legacy renegotiation with MFL=4096
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
DTLS legacy allow renegotiation with MFL=512
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
DTLS legacy allow renegotiation with MFL=1024
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
DTLS legacy allow renegotiation with MFL=2048
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
DTLS legacy allow renegotiation with MFL=4096
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION
DTLS legacy break handshake renegotiation with MFL=512
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_512:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
DTLS legacy break handshake renegotiation with MFL=1024
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_1024:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
DTLS legacy break handshake renegotiation with MFL=2048
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_2048:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
DTLS legacy break handshake renegotiation with MFL=4096
resize_buffers_renegotiate_mfl:MBEDTLS_SSL_MAX_FRAG_LEN_4096:MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
SSL DTLS replay: initial state, seqnum 0
ssl_dtls_replay:"":"000000000000":0

123
tests/suites/test_suite_ssl.function
View file

@ -55,6 +55,7 @@ typedef struct handshake_test_options
void *cli_log_obj;
void (*srv_log_fun)(void *, int, const char *, int, const char *);
void (*cli_log_fun)(void *, int, const char *, int, const char *);
int resize_buffers;
} handshake_test_options;
void init_handshake_options( handshake_test_options *opts )
@ -77,6 +78,7 @@ void init_handshake_options( handshake_test_options *opts )
opts->srv_log_obj = NULL;
opts->srv_log_fun = NULL;
opts->cli_log_fun = NULL;
opts->resize_buffers = 1;
}
/*
* Buffer structure for custom I/O callbacks.
@ -1776,6 +1778,17 @@ void perform_handshake( handshake_test_options* options )
&(server.socket),
BUFFSIZE ) == 0 );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Ensure that the buffer sizes are appropriate before resizes */
TEST_ASSERT( client.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( client.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
TEST_ASSERT( server.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( server.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
}
#endif
TEST_ASSERT( mbedtls_move_handshake_to_state( &(client.ssl),
&(server.ssl),
MBEDTLS_SSL_HANDSHAKE_OVER )
@ -1783,6 +1796,31 @@ void perform_handshake( handshake_test_options* options )
TEST_ASSERT( client.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
TEST_ASSERT( server.ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Note - the case below will have to updated, since due to a 1n-1
* split against BEAST the fragment count is different
* than expected when preparing the fragment counting code. */
if( options->version != MBEDTLS_SSL_MINOR_VERSION_0 &&
options->version != MBEDTLS_SSL_MINOR_VERSION_1 )
{
/* A server, when using DTLS, might delay a buffer resize to happen
* after it receives a message, so we force it. */
TEST_ASSERT( exchange_data( &(client.ssl), &(server.ssl) ) == 0 );
TEST_ASSERT( client.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &client.ssl ) );
TEST_ASSERT( client.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &client.ssl ) );
TEST_ASSERT( server.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &server.ssl ) );
TEST_ASSERT( server.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &server.ssl ) );
}
}
#endif
if( options->cli_msg_len != 0 || options->srv_msg_len != 0 )
{
/* Start data exchanging test */
@ -1822,10 +1860,28 @@ void perform_handshake( handshake_test_options* options )
mbedtls_ssl_set_timer_cb( &server.ssl, &timer_server,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#endif
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Ensure that the buffer sizes are appropriate before resizes */
TEST_ASSERT( server.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( server.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
}
#endif
TEST_ASSERT( mbedtls_ssl_context_load( &( server.ssl ), context_buf,
context_buf_len ) == 0 );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* Validate buffer sizes after context deserialization */
if( options->resize_buffers != 0 )
{
TEST_ASSERT( server.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &server.ssl ) );
TEST_ASSERT( server.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &server.ssl ) );
}
#endif
/* Retest writing/reading */
if( options->cli_msg_len != 0 || options->srv_msg_len != 0 )
{
@ -1839,6 +1895,7 @@ void perform_handshake( handshake_test_options* options )
}
}
#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if( options->renegotiate )
{
@ -1868,6 +1925,14 @@ void perform_handshake( handshake_test_options* options )
* function will return waiting error on the socket. All rest of
* renegotiation should happen during data exchanging */
ret = mbedtls_ssl_renegotiate( &(client.ssl) );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
if( options->resize_buffers != 0 )
{
/* Ensure that the buffer sizes are appropriate before resizes */
TEST_ASSERT( client.ssl.out_buf_len == MBEDTLS_SSL_OUT_BUFFER_LEN );
TEST_ASSERT( client.ssl.in_buf_len == MBEDTLS_SSL_IN_BUFFER_LEN );
}
#endif
TEST_ASSERT( ret == 0 ||
ret == MBEDTLS_ERR_SSL_WANT_READ ||
ret == MBEDTLS_ERR_SSL_WANT_WRITE );
@ -1881,6 +1946,20 @@ void perform_handshake( handshake_test_options* options )
MBEDTLS_SSL_RENEGOTIATION_DONE );
TEST_ASSERT( client.ssl.renego_status ==
MBEDTLS_SSL_RENEGOTIATION_DONE );
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
/* Validate buffer sizes after renegotiation */
if( options->resize_buffers != 0 )
{
TEST_ASSERT( client.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &client.ssl ) );
TEST_ASSERT( client.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &client.ssl ) );
TEST_ASSERT( server.ssl.out_buf_len ==
mbedtls_ssl_get_output_buflen( &server.ssl ) );
TEST_ASSERT( server.ssl.in_buf_len ==
mbedtls_ssl_get_input_buflen( &server.ssl ) );
}
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
}
#endif /* MBEDTLS_SSL_RENEGOTIATION */
@ -3771,7 +3850,7 @@ void handshake_serialization( )
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_DEBUG_C:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH:MBEDTLS_CIPHER_MODE_CBC */
void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int expected_cli_hs_fragmentation)
{
handshake_test_options options;
@ -3784,6 +3863,8 @@ void handshake_fragmentation( int mfl, int expected_srv_hs_fragmentation, int ex
init_handshake_options( &options );
options.dtls = 1;
options.mfl = mfl;
/* Set cipher to one using CBC so that record splitting can be tested */
options.cipher = "TLS-DHE-RSA-WITH-AES-256-CBC-SHA256";
options.srv_auth_mode = MBEDTLS_SSL_VERIFY_REQUIRED;
options.srv_log_obj = &srv_pattern;
options.cli_log_obj = &cli_pattern;
@ -3820,3 +3901,43 @@ void renegotiation( int legacy_renegotiation )
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
void resize_buffers( int mfl, int renegotiation, int legacy_renegotiation,
int serialize, int dtls )
{
handshake_test_options options;
init_handshake_options( &options );
options.mfl = mfl;
options.renegotiate = renegotiation;
options.legacy_renegotiation = legacy_renegotiation;
options.serialize = serialize;
options.dtls = dtls;
options.resize_buffers = 1;
perform_handshake( &options );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_CONTEXT_SERIALIZATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SSL_PROTO_DTLS */
void resize_buffers_serialize_mfl( int mfl )
{
test_resize_buffers( mfl, 0, MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION, 1, 1 );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH:MBEDTLS_SSL_RENEGOTIATION:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_RSA_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED */
void resize_buffers_renegotiate_mfl( int mfl, int legacy_renegotiation )
{
test_resize_buffers( mfl, 1, legacy_renegotiation, 0, 1 );
/* The goto below is used to avoid an "unused label" warning.*/
goto exit;
}
/* END_CASE */