Merge branch 'development'
diff --git a/ChangeLog b/ChangeLog
index def0f6e..af857e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -46,6 +46,8 @@
* Disabled SSLv3 in the default configuration.
* Optimized mbedtls_mpi_zeroize() for MPI integer size. (Fix by Alexey
Skalozub).
+ * Fix non-compliance server extension handling. Extensions for SSLv3 are now
+ ignored, as required by RFC6101.
= mbed TLS 2.2.1 released 2016-01-05
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index b6448ec..d31555d 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -362,6 +362,11 @@
#error "MBEDTLS_RSA_C defined, but not all prerequisites"
#endif
+#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_PKCS1_V21) && \
+ !defined(MBEDTLS_PKCS1_V15) )
+#error "MBEDTLS_RSA_C defined, but none of the PKCS1 versions enabled"
+#endif
+
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) )
#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
diff --git a/library/aes.c b/library/aes.c
index ec9313d..3666030 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -56,7 +56,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/*
diff --git a/library/arc4.c b/library/arc4.c
index ff0e993..05b33d3 100644
--- a/library/arc4.c
+++ b/library/arc4.c
@@ -49,7 +49,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
void mbedtls_arc4_init( mbedtls_arc4_context *ctx )
diff --git a/library/asn1parse.c b/library/asn1parse.c
index b37523d..ffa2f52 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -45,7 +45,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/*
@@ -269,7 +269,8 @@
/* Allocate and assign next pointer */
if( *p < end )
{
- cur->next = mbedtls_calloc( 1, sizeof( mbedtls_asn1_sequence ) );
+ cur->next = (mbedtls_asn1_sequence*)mbedtls_calloc( 1,
+ sizeof( mbedtls_asn1_sequence ) );
if( cur->next == NULL )
return( MBEDTLS_ERR_ASN1_ALLOC_FAILED );
diff --git a/library/asn1write.c b/library/asn1write.c
index 00ed73c..027c858 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -312,7 +312,9 @@
{
// Add new entry if not present yet based on OID
//
- if( ( cur = mbedtls_calloc( 1, sizeof(mbedtls_asn1_named_data) ) ) == NULL )
+ cur = (mbedtls_asn1_named_data*)mbedtls_calloc( 1,
+ sizeof(mbedtls_asn1_named_data) );
+ if( cur == NULL )
return( NULL );
cur->oid.len = oid_len;
diff --git a/library/bignum.c b/library/bignum.c
index 4536a3b..4c99e04 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -120,7 +120,7 @@
if( X->n < nblimbs )
{
- if( ( p = mbedtls_calloc( nblimbs, ciL ) ) == NULL )
+ if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( nblimbs, ciL ) ) == NULL )
return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
if( X->p != NULL )
@@ -158,7 +158,7 @@
if( i < nblimbs )
i = nblimbs;
- if( ( p = mbedtls_calloc( i, ciL ) ) == NULL )
+ if( ( p = (mbedtls_mpi_uint*)mbedtls_calloc( i, ciL ) ) == NULL )
return( MBEDTLS_ERR_MPI_ALLOC_FAILED );
if( X->p != NULL )
diff --git a/library/blowfish.c b/library/blowfish.c
index 89be4d1..9003f0d 100644
--- a/library/blowfish.c
+++ b/library/blowfish.c
@@ -41,7 +41,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/*
diff --git a/library/camellia.c b/library/camellia.c
index e015ca2..d50513f 100644
--- a/library/camellia.c
+++ b/library/camellia.c
@@ -50,7 +50,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/*
diff --git a/library/ccm.c b/library/ccm.c
index 3463a0b..13a8fd1 100644
--- a/library/ccm.c
+++ b/library/ccm.c
@@ -51,7 +51,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
#define CCM_ENCRYPT 0
diff --git a/library/cipher.c b/library/cipher.c
index ccc0685..0dc5152 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -51,7 +51,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
static int supported_init = 0;
diff --git a/library/des.c b/library/des.c
index 61f214a..09f95cfc 100644
--- a/library/des.c
+++ b/library/des.c
@@ -50,7 +50,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/*
diff --git a/library/rsa.c b/library/rsa.c
index e7bc0cc..9611265 100644
--- a/library/rsa.c
+++ b/library/rsa.c
@@ -1685,7 +1685,7 @@
#if defined(MBEDTLS_SHA1_C)
if( verbose != 0 )
- mbedtls_printf( "PKCS#1 data sign : " );
+ mbedtls_printf( " PKCS#1 data sign : " );
mbedtls_sha1( rsa_plaintext, PT_LEN, sha1sum );
diff --git a/library/sha1.c b/library/sha1.c
index 8c77cba..2ccf2a2 100644
--- a/library/sha1.c
+++ b/library/sha1.c
@@ -49,7 +49,7 @@
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
- volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+ volatile unsigned char *p = (unsigned char*)v; while( n-- ) *p++ = 0;
}
/*
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 9fc21a5..7271045 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1507,192 +1507,200 @@
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
#endif
- /*
- * Check the extension length
- */
- ext_offset = comp_offset + 1 + comp_len;
- if( msg_len > ext_offset )
+ /* Do not parse the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+ if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
{
- if( msg_len < ext_offset + 2 )
+#endif
+ /*
+ * Check the extension length
+ */
+ ext_offset = comp_offset + 1 + comp_len;
+ if( msg_len > ext_offset )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ if( msg_len < ext_offset + 2 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+
+ ext_len = ( buf[ext_offset + 0] << 8 )
+ | ( buf[ext_offset + 1] );
+
+ if( ( ext_len > 0 && ext_len < 4 ) ||
+ msg_len != ext_offset + 2 + ext_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
}
+ else
+ ext_len = 0;
- ext_len = ( buf[ext_offset + 0] << 8 )
- | ( buf[ext_offset + 1] );
+ ext = buf + ext_offset + 2;
+ MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
- if( ( ext_len > 0 && ext_len < 4 ) ||
- msg_len != ext_offset + 2 + ext_len )
+ while( ext_len != 0 )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
- }
- }
- else
- ext_len = 0;
+ unsigned int ext_id = ( ( ext[0] << 8 )
+ | ( ext[1] ) );
+ unsigned int ext_size = ( ( ext[2] << 8 )
+ | ( ext[3] ) );
- ext = buf + ext_offset + 2;
- MBEDTLS_SSL_DEBUG_BUF( 3, "client hello extensions", ext, ext_len );
-
- while( ext_len != 0 )
- {
- unsigned int ext_id = ( ( ext[0] << 8 )
- | ( ext[1] ) );
- unsigned int ext_size = ( ( ext[2] << 8 )
- | ( ext[3] ) );
-
- if( ext_size + 4 > ext_len )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
- }
- switch( ext_id )
- {
+ if( ext_size + 4 > ext_len )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
+ switch( ext_id )
+ {
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
- case MBEDTLS_TLS_EXT_SERVERNAME:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
- if( ssl->conf->f_sni == NULL )
- break;
+ case MBEDTLS_TLS_EXT_SERVERNAME:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ServerName extension" ) );
+ if( ssl->conf->f_sni == NULL )
+ break;
- ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_servername_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
- case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
+ case MBEDTLS_TLS_EXT_RENEGOTIATION_INFO:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found renegotiation extension" ) );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
- renegotiation_info_seen = 1;
+ renegotiation_info_seen = 1;
#endif
- ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_renegotiation_info( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
- case MBEDTLS_TLS_EXT_SIG_ALG:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
+ case MBEDTLS_TLS_EXT_SIG_ALG:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
- if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
- break;
+ if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
+ break;
#endif
- ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_signature_algorithms_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
+ case MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported elliptic curves extension" ) );
- ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_supported_elliptic_curves( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
- case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
- ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
+ case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found supported point formats extension" ) );
+ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT;
- ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_supported_point_formats( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
+ case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
- ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
- case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
+ case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );
- ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_max_fragment_length_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
- case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
+ case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
- ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
- case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
+ case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
- ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_encrypt_then_mac_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
- case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
+ case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found extended master secret extension" ) );
- ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- case MBEDTLS_TLS_EXT_SESSION_TICKET:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
+ case MBEDTLS_TLS_EXT_SESSION_TICKET:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found session ticket extension" ) );
- ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_session_ticket_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_ALPN)
- case MBEDTLS_TLS_EXT_ALPN:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
+ case MBEDTLS_TLS_EXT_ALPN:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "found alpn extension" ) );
- ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
- if( ret != 0 )
- return( ret );
- break;
+ ret = ssl_parse_alpn_ext( ssl, ext + 4, ext_size );
+ if( ret != 0 )
+ return( ret );
+ break;
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
- default:
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
- ext_id ) );
- }
+ default:
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
+ ext_id ) );
+ }
- ext_len -= 4 + ext_size;
- ext += 4 + ext_size;
+ ext_len -= 4 + ext_size;
+ ext += 4 + ext_size;
- if( ext_len > 0 && ext_len < 4 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
- return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ if( ext_len > 0 && ext_len < 4 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
+ }
}
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
}
+#endif
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
@@ -2363,6 +2371,12 @@
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
ssl->session_negotiate->compression ) );
+ /* Do not write the extensions if the protocol is SSLv3 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+ if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
+ {
+#endif
+
/*
* First write extensions, then the total length
*/
@@ -2419,6 +2433,10 @@
p += ext_len;
}
+#if defined(MBEDTLS_SSL_PROTO_SSL3)
+ }
+#endif
+
ssl->out_msglen = p - buf;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 125a773..7b2b473 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -502,14 +502,15 @@
{
mbedtls_pem_init( &pem );
- /* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
- if( buflen == 0 || buf[buflen - 1] != '\0' )
- ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
- else
- ret = mbedtls_pem_read_buffer( &pem,
- "-----BEGIN X509 CRL-----",
- "-----END X509 CRL-----",
- buf, NULL, 0, &use_len );
+ // Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
+ // string
+ if( buflen == 0 || buf[buflen - 1] != '\0' )
+ ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
+ else
+ ret = mbedtls_pem_read_buffer( &pem,
+ "-----BEGIN X509 CRL-----",
+ "-----END X509 CRL-----",
+ buf, NULL, 0, &use_len );
if( ret == 0 )
{
diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh
index 97d2f1f..fc8b800 100755
--- a/scripts/bump_version.sh
+++ b/scripts/bump_version.sh
@@ -1,4 +1,17 @@
#!/bin/bash
+#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
+# Copyright (c) 2012-2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Sets the version numbers in the source code to those given.
+#
+# Usage: bump_version.sh [ --version <version> ] [ --so-crypto <version>]
+# [ --so-x509 <version> ] [ --so-tls <version> ]
+# [ -v | --verbose ] [ -h | --help ]
+#
VERSION=""
SOVERSION=""
@@ -109,10 +122,6 @@
sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tests/suites/test_suite_version.data > tmp
mv tmp tests/suites/test_suite_version.data
-[ $VERBOSE ] && echo "Bumping version in yotta/data/module.json"
-sed -e "s/\"version\": \".\{1,\}\"/\"version\": \"$VERSION\"/g" < yotta/data/module.json > tmp
-mv tmp yotta/data/module.json
-
[ $VERBOSE ] && echo "Bumping PROJECT_NAME in doxygen/mbedtls.doxyfile and doxygen/input/doc_mainpage.h"
for i in doxygen/mbedtls.doxyfile doxygen/input/doc_mainpage.h;
do
@@ -128,3 +137,4 @@
[ $VERBOSE ] && echo "Re-generating visualc files"
scripts/generate_visualc_files.pl
+
diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh
index d961230..010c0c6 100755
--- a/tests/scripts/basic-build-test.sh
+++ b/tests/scripts/basic-build-test.sh
@@ -2,6 +2,8 @@
# basic-build-tests.sh
#
+# This file is part of mbed TLS (https://tls.mbed.org)
+#
# Copyright (c) 2016, ARM Limited, All Rights Reserved
#
# Purpose
@@ -40,7 +42,7 @@
make clean
scripts/config.pl full
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE
-make
+make -j
# Step 2 - Execute the tests
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 536add2..8635242 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1,12 +1,23 @@
#!/bin/sh
-# Test various options that are not covered by compat.sh
+# ssl-opt.sh
#
-# Here the goal is not to cover every ciphersuite/version, but
-# rather specific options (max fragment length, truncated hmac, etc)
-# or procedures (session resumption from cache or ticket, renego, etc).
+# This file is part of mbed TLS (https://tls.mbed.org)
#
-# Assumes a build with default options.
+# Copyright (c) 2016, ARM Limited, All Rights Reserved
+#
+# Purpose
+#
+# Executes tests to prove various TLS/SSL options and extensions.
+#
+# The goal is not to cover every ciphersuite/version, but instead to cover
+# specific options (max fragment length, truncated hmac, etc) or procedures
+# (session resumption from cache or ticket, renego, etc).
+#
+# The tests assume a build with default options, with exceptions expressed
+# with a dependency. The tests focus on functionality and do not consider
+# performance.
+#
set -u
@@ -33,12 +44,20 @@
FILTER='.*'
EXCLUDE='^$'
+SHOW_TEST_NUMBER=0
+RUN_TEST_NUMBER=''
+
+PRESERVE_LOGS=0
+
print_usage() {
echo "Usage: $0 [options]"
printf " -h|--help\tPrint this help.\n"
printf " -m|--memcheck\tCheck memory leaks and errors.\n"
printf " -f|--filter\tOnly matching tests are executed (default: '$FILTER')\n"
printf " -e|--exclude\tMatching tests are excluded (default: '$EXCLUDE')\n"
+ printf " -n|--number\tExecute only numbered test (comma-separated, e.g. '245,256')\n"
+ printf " -s|--show-numbers\tShow test numbers in front of test names\n"
+ printf " -p|--preserve-logs\tPreserve logs of successful tests as well\n"
}
get_options() {
@@ -53,6 +72,15 @@
-m|--memcheck)
MEMCHECK=1
;;
+ -n|--number)
+ shift; RUN_TEST_NUMBER=$1
+ ;;
+ -s|--show-numbers)
+ SHOW_TEST_NUMBER=1
+ ;;
+ -p|--preserve-logs)
+ PRESERVE_LOGS=1
+ ;;
-h|--help)
print_usage
exit 0
@@ -144,12 +172,19 @@
# print_name <name>
print_name() {
- printf "$1 "
- LEN=$(( 72 - `echo "$1" | wc -c` ))
+ TESTS=$(( $TESTS + 1 ))
+ LINE=""
+
+ if [ "$SHOW_TEST_NUMBER" -gt 0 ]; then
+ LINE="$TESTS "
+ fi
+
+ LINE="$LINE$1"
+ printf "$LINE "
+ LEN=$(( 72 - `echo "$LINE" | wc -c` ))
for i in `seq 1 $LEN`; do printf '.'; done
printf ' '
- TESTS=$(( $TESTS + 1 ))
}
# fail <message>
@@ -300,6 +335,13 @@
print_name "$NAME"
+ # Do we only run numbered tests?
+ if [ "X$RUN_TEST_NUMBER" = "X" ]; then :
+ elif echo ",$RUN_TEST_NUMBER," | grep ",$TESTS," >/dev/null; then :
+ else
+ SKIP_NEXT="YES"
+ fi
+
# should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then
SKIP_NEXT="NO"
@@ -468,6 +510,11 @@
# if we're here, everything is ok
echo "PASS"
+ if [ "$PRESERVE_LOGS" -gt 0 ]; then
+ mv $SRV_OUT o-srv-${TESTS}.log
+ mv $CLI_OUT o-cli-${TESTS}.log
+ fi
+
rm -f $SRV_OUT $CLI_OUT $PXY_OUT
}
@@ -504,6 +551,12 @@
echo "Command '$P_PXY' is not an executable file"
exit 1
fi
+if [ "$MEMCHECK" -gt 0 ]; then
+ if which valgrind >/dev/null 2>&1; then :; else
+ echo "Memcheck not possible. Valgrind not found"
+ exit 1
+ fi
+fi
if which $OPENSSL_CMD >/dev/null 2>&1; then :; else
echo "Command '$OPENSSL_CMD' not found"
exit 1
@@ -575,12 +628,14 @@
# Tests for rc4 option
+requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server disabled, client enabled" \
"$P_SRV" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
1 \
-s "SSL - The server has no ciphersuites in common"
+requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
run_test "RC4: server half, client enabled" \
"$P_SRV arc4=1" \
"$P_CLI force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \
@@ -723,7 +778,7 @@
"$P_CLI debug_level=3 min_version=ssl3" \
0 \
-c "client hello, adding encrypt_then_mac extension" \
- -s "found encrypt then mac extension" \
+ -S "found encrypt then mac extension" \
-S "server hello, adding encrypt then mac extension" \
-C "found encrypt_then_mac extension" \
-C "using encrypt then mac" \
@@ -782,7 +837,7 @@
"$P_CLI debug_level=3 min_version=ssl3" \
0 \
-c "client hello, adding extended_master_secret extension" \
- -s "found extended master secret extension" \
+ -S "found extended master secret extension" \
-S "server hello, adding extended master secret extension" \
-C "found extended_master_secret extension" \
-C "using extended master secret" \
@@ -2856,6 +2911,16 @@
0 \
-s "Read from client: 1 bytes read"
+# A test for extensions in SSLv3
+
+requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
+run_test "SSLv3 with extensions, server side" \
+ "$P_SRV min_version=ssl3 debug_level=3" \
+ "$P_CLI force_version=ssl3 tickets=1 max_frag_len=4096 alpn=abc,1234" \
+ 0 \
+ -S "dumping 'client hello extensions'" \
+ -S "server hello, total extension length:"
+
# Test for large packets
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3