Merge pull request #3430 from bensze01/license
[Forward-port] Add Apache-2.0 headers to all source files
diff --git a/ChangeLog.d/bugfix_PR3405 b/ChangeLog.d/bugfix_PR3405
new file mode 100644
index 0000000..73c57c0
--- /dev/null
+++ b/ChangeLog.d/bugfix_PR3405
@@ -0,0 +1,5 @@
+Bugfix
+ * Update iv and len context pointers manually when reallocating buffers
+ using the MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH feature. This caused issues
+ when receiving a connection with CID, when these fields were shifted
+ in ssl_parse_record_header().
diff --git a/ChangeLog.d/bugfix_PR3421.txt b/ChangeLog.d/bugfix_PR3421.txt
new file mode 100644
index 0000000..b52dee0
--- /dev/null
+++ b/ChangeLog.d/bugfix_PR3421.txt
@@ -0,0 +1,2 @@
+Bugfix
+ * Set _POSIX_C_SOURCE to at least 200112L in C99 code. Reported in #3420 and fix submitted in #3421 by Nia Alarie.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 77d2757..250ef98 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3686,11 +3686,13 @@
/* If the buffers are too small - reallocate */
{
int modified = 0;
- size_t written_in = 0;
- size_t written_out = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
if( ssl->in_buf != NULL )
{
written_in = ssl->in_msg - ssl->in_buf;
+ iv_offset_in = ssl->in_iv - ssl->in_buf;
+ len_offset_in = ssl->in_len - ssl->in_buf;
if( ssl->in_buf_len < MBEDTLS_SSL_IN_BUFFER_LEN )
{
if( resize_buffer( &ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN,
@@ -3709,6 +3711,8 @@
if( ssl->out_buf != NULL )
{
written_out = ssl->out_msg - ssl->out_buf;
+ iv_offset_out = ssl->out_iv - ssl->out_buf;
+ len_offset_out = ssl->out_len - ssl->out_buf;
if( ssl->out_buf_len < MBEDTLS_SSL_OUT_BUFFER_LEN )
{
if( resize_buffer( &ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN,
@@ -3728,9 +3732,14 @@
/* Update pointers here to avoid doing it twice. */
mbedtls_ssl_reset_in_out_pointers( ssl );
/* Fields below might not be properly updated with record
- * splitting, so they are manually updated here. */
+ * splitting or with CID, so they are manually updated here. */
ssl->out_msg = ssl->out_buf + written_out;
+ ssl->out_len = ssl->out_buf + len_offset_out;
+ ssl->out_iv = ssl->out_buf + iv_offset_out;
+
ssl->in_msg = ssl->in_buf + written_in;
+ ssl->in_len = ssl->in_buf + len_offset_in;
+ ssl->in_iv = ssl->in_buf + iv_offset_in;
}
}
#endif
@@ -5962,14 +5971,15 @@
{
int modified = 0;
uint32_t buf_len = mbedtls_ssl_get_input_buflen( ssl );
- size_t written_in = 0;
- size_t written_out = 0;
+ size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
+ size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
if( ssl->in_buf != NULL )
{
written_in = ssl->in_msg - ssl->in_buf;
+ iv_offset_in = ssl->in_iv - ssl->in_buf;
+ len_offset_in = ssl->in_len - ssl->in_buf;
if( ssl->in_buf_len > buf_len && ssl->in_left < buf_len )
{
- written_in = ssl->in_msg - ssl->in_buf;
if( resize_buffer( &ssl->in_buf, buf_len, &ssl->in_buf_len ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
@@ -5987,6 +5997,8 @@
if(ssl->out_buf != NULL )
{
written_out = ssl->out_msg - ssl->out_buf;
+ iv_offset_out = ssl->out_iv - ssl->out_buf;
+ len_offset_out = ssl->out_len - ssl->out_buf;
if( ssl->out_buf_len > mbedtls_ssl_get_output_buflen( ssl ) &&
ssl->out_left < buf_len )
{
@@ -6006,9 +6018,14 @@
/* Update pointers here to avoid doing it twice. */
mbedtls_ssl_reset_in_out_pointers( ssl );
/* Fields below might not be properly updated with record
- * splitting, so they are manually updated here. */
+ * splitting or with CID, so they are manually updated here. */
ssl->out_msg = ssl->out_buf + written_out;
+ ssl->out_len = ssl->out_buf + len_offset_out;
+ ssl->out_iv = ssl->out_buf + iv_offset_out;
+
ssl->in_msg = ssl->in_buf + written_in;
+ ssl->in_len = ssl->in_buf + len_offset_in;
+ ssl->in_iv = ssl->in_buf + iv_offset_in;
}
}
#endif
diff --git a/programs/aes/aescrypt2.c b/programs/aes/aescrypt2.c
index f17c641..b0c1fea 100644
--- a/programs/aes/aescrypt2.c
+++ b/programs/aes/aescrypt2.c
@@ -22,7 +22,7 @@
/* Enable definition of fileno() even when compiling with -std=c99. Must be
* set before config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
-#define _POSIX_C_SOURCE 1
+#define _POSIX_C_SOURCE 200112L
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c
index 1e03d43..5c70480 100644
--- a/programs/aes/crypt_and_hash.c
+++ b/programs/aes/crypt_and_hash.c
@@ -23,7 +23,7 @@
/* Enable definition of fileno() even when compiling with -std=c99. Must be
* set before config.h, which pulls in glibc's features.h indirectly.
* Harmless on other platforms. */
-#define _POSIX_C_SOURCE 1
+#define _POSIX_C_SOURCE 200112L
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 5dd1871..3fd065e 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3718,7 +3718,7 @@
{
mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n",
(unsigned int) -ret );
- goto exit;
+ goto reset;
}
mbedtls_printf( " EAP-TLS key material is:" );
@@ -3739,7 +3739,7 @@
{
mbedtls_printf( " failed\n ! mbedtls_ssl_tls_prf returned -0x%x\n\n",
(unsigned int) -ret );
- goto exit;
+ goto reset;
}
mbedtls_printf( " EAP-TLS IV is:" );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 74e2056..8d28b63 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -2214,6 +2214,32 @@
-c "ignoring unexpected CID" \
-s "ignoring unexpected CID"
+requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
+requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
+run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=512" \
+ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
+ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=512 dtls=1 cid=1 cid_val=beef" \
+ 0 \
+ -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+ -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+ -s "(initial handshake) Use of Connection ID has been negotiated" \
+ -c "(initial handshake) Use of Connection ID has been negotiated" \
+ -s "Reallocating in_buf" \
+ -s "Reallocating out_buf"
+
+requires_config_enabled MBEDTLS_SSL_DTLS_CONNECTION_ID
+requires_config_enabled MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
+run_test "Connection ID: Cli+Srv enabled, variable buffer lengths, MFL=1024" \
+ "$P_SRV dtls=1 cid=1 cid_val=dead debug_level=2" \
+ "$P_CLI force_ciphersuite="TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" max_frag_len=1024 dtls=1 cid=1 cid_val=beef" \
+ 0 \
+ -c "(initial handshake) Peer CID (length 2 Bytes): de ad" \
+ -s "(initial handshake) Peer CID (length 2 Bytes): be ef" \
+ -s "(initial handshake) Use of Connection ID has been negotiated" \
+ -c "(initial handshake) Use of Connection ID has been negotiated" \
+ -s "Reallocating in_buf" \
+ -s "Reallocating out_buf"
+
# Tests for Encrypt-then-MAC extension
run_test "Encrypt then MAC: default" \
@@ -9154,7 +9180,11 @@
-s "exported ivlen is " \
-c "exported maclen is " \
-c "exported keylen is " \
- -c "exported ivlen is "
+ -c "exported ivlen is " \
+ -c "EAP-TLS key material is:"\
+ -s "EAP-TLS key material is:"\
+ -c "EAP-TLS IV is:" \
+ -s "EAP-TLS IV is:"
# Test heap memory usage after handshake
requires_config_enabled MBEDTLS_MEMORY_DEBUG
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index af4b84e..75656a8 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -21,7 +21,7 @@
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
#if !defined(_POSIX_C_SOURCE)
-#define _POSIX_C_SOURCE 1 // for fileno() from <stdio.h>
+#define _POSIX_C_SOURCE 200112L // for fileno() from <stdio.h>
#endif
#endif
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 833efd4..5cf6e8b 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -1179,6 +1179,7 @@
size_t keylen, maclen, ivlen;
unsigned char *key0 = NULL, *key1 = NULL;
+ unsigned char *md0 = NULL, *md1 = NULL;
unsigned char iv_enc[16], iv_dec[16];
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -1245,7 +1246,6 @@
cipher_info->mode == MBEDTLS_MODE_STREAM )
{
mbedtls_md_info_t const *md_info;
- unsigned char *md0, *md1;
/* Pick hash */
md_info = mbedtls_md_info_from_type( hash_id );
@@ -1283,9 +1283,6 @@
memcpy( &t_out->mac_dec, md0, maclen );
}
#endif
-
- mbedtls_free( md0 );
- mbedtls_free( md1 );
}
#else
((void) hash_id);
@@ -1417,6 +1414,9 @@
mbedtls_free( key0 );
mbedtls_free( key1 );
+ mbedtls_free( md0 );
+ mbedtls_free( md1 );
+
return( ret );
}