Fix potential integer overflows in the following functions:
* mbedtls_md2_update() to be bypassed and cause
* mbedtls_cipher_update()
* mbedtls_ctr_drbg_reseed()
This overflows would mainly be exploitable in 32-bit systems and could
cause buffer bound checks to be bypassed.
Fix an incorrect condition in ssl_check_ctr_renegotiate() that compared
64 bits of record counter instead of 48 bits as described in RFC 6347
Section 4.3.1. This would cause the function's return value to be
occasionally incorrect and the renegotiation routines to be triggered
at unexpected times.
The tests load certificate chains from files. The CA chains contain a
past or future certificate and an invalid certificate. The test then
checks that the flags set are MBEDTLS_X509_BADCERT_EXPIRED or
MBEDTLS_X509_BADCERT_FUTURE.
Add a test to ssl-opt.sh to ensure that in DTLS a 6 byte record counter
is compared in ssl_check_ctr_renegotiate() instead of a 8 byte one as in
the TLS case. Because currently there are no testing facilities to check
that renegotiation routines are triggered after X number of input/output
messages, the test consists on setting a renegotiation period that
cannot be represented in 6 bytes, but whose least-significant byte is 2.
If the library behaves correctly, the renegotiation routines will be
executed after two exchanged.
Fixes strict C99 builds in all.sh with glibc version >2.19 where platform support
wasn't being compiled in automatically.
Also fixes C99 syntax with armclang.
Pull Request #533 - Use MAKEFLAGS to pass args to make in all.sh
Modify the script at tests/scripts/all.sh to export the variable
MAKEFLAGS with -j if it was not set before. This should decrease the
total runtime of tests/scripts/all.sh by letting make run multiple jobs
in parallel. Also, add a check at the top of the script to cause a
failure if the environment is not Linux.w
Changes use of mklink in Windows test builds, to create junctions instead of
directory symbolic links. This removes the need for an elevated command prompt
when running cmake to create the Visual Studio project files.
Tighten up the test options in all.sh, test-ref-configs.pl and curves.pl
to ensure the builds are strict for all warnings, warnings are treated
as errors, and that wherever possible builds are strict to the C99
standard. (Note that builds that use the Unix sockets API cannot be).
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.
This commit restores this behaviour.
Fixes the test suites to consistently use mbedtls_fprintf to output to
stdout or stderr.
Also redirects output from the tests to /dev/null to avoid confusing
output if the test suite code or library outputs anything to stdout.
Minor fixes following review including:
* formatting changes including indentation and code style
* corrections
* removal of debug code
* clarification of code through variable renaming
* memory leak
* compiler warnings
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
The PKCS#1 standard says nothing about the relation between P and Q
but many libraries guarantee P>Q and mbed TLS did so too in earlier
versions.
This commit restores this behaviour.
Fixes the test suites to consistently use mbedtls_fprintf to output to
stdout or stderr.
Also redirects output from the tests to /dev/null to avoid confusing
output if the test suite code or library outputs anything to stdout.
Minor fixes following review including:
* formatting changes including indentation and code style
* corrections
* removal of debug code
* clarification of code through variable renaming
* memory leak
* compiler warnings
The library/net.c and its corresponding include/mbedtls/net.h file are
renamed to library/net_sockets.c and include/mbedtls/net_sockets.h
respectively. This is to avoid naming collisions in projects which also
have files with the common name 'net'.
Modify the script at tests/scripts/all.sh to export the variable
MAKEFLAGS with -j if it was not set before. This should decrease the
total runtime of tests/scripts/all.sh by letting make run multiple jobs
in parallel. Also, add a check at the top of the script to cause a
failure if the environment is not Linux.
Changes to allow the entropy tests to work for configurations without an
entropy seed file (MBEDTLS_ENTROPY_NV_SEED), and with no entropy sources
configured (MBEDTLS_TEST_NULL_ENTROPY).
In some tests in ssl-opt.sh the client finishes sooner and the server
gets killed before it could reach certain errors. Consequently the
the script doesn't find the error it is looking for and the test fails.
To resolve this issue, we introduce a per-test option to wait after the
client finishes.
Instead of polling the hardware entropy source a single time and
comparing the output with itself, the source is polled at least twice
and make sure that the separate outputs are different.
The self test is a quick way to check at startup whether the entropy
sources are functioning correctly. The self test only polls 8 bytes
from the default entropy source and performs the following checks:
- The bytes are not all 0x00 or 0xFF.
- The hardware does not return an error when polled.
- The entropy does not provide data in a patter. Only check pattern
at byte, word and long word sizes.
