Merge branch 'mbedtls-1.3' into development
* mbedtls-1.3:
fix bug in ssl_mail_client
Adapt compat.sh to GnuTLS 3.4
Fix undefined behaviour in x509
Conflicts:
programs/ssl/ssl_mail_client.c
tests/compat.sh
diff --git a/ChangeLog b/ChangeLog
index 8415d24..3bc0a6a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -117,6 +117,10 @@
errors on use of deprecated functions.
Bugfix
+ * Fix bug in ssl_mail_client when password is longer that username (found
+ by Bruno Pape).
+ * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules
+ (detected by Clang's 3.6 UBSan).
* mpi_size() and mpi_msb() would segfault when called on an mpi that is
initialized but not set (found by pravic).
* Fix detection of support for getrandom() on Linux (reported by syzzer) by
diff --git a/library/x509_crl.c b/library/x509_crl.c
index 9e4a9e1..a915aba 100644
--- a/library/x509_crl.c
+++ b/library/x509_crl.c
@@ -463,7 +463,8 @@
if( crl->sig_oid.len != sig_oid2.len ||
memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
sig_params1.len != sig_params2.len ||
- memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
+ ( sig_params1.len != 0 &&
+ memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
{
mbedtls_x509_crl_free( crl );
return( MBEDTLS_ERR_X509_SIG_MISMATCH );
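Review bot: The new `sig_params1.len != 0 &&` guard carries no comment explaining why it exists, so a later cleanup could fold it back into a bare `memcmp` and reintroduce the undefined behaviour. I would add above the condition `/* memcmp() on a NULL pointer is undefined even with length 0; guard the empty-params case */`. The `sig_oid` comparison one line up is still an unguarded `memcmp`; whether `sig_oid.p` can be NULL when its `len` is 0 cannot be told from this hunk and is worth confirming. The identical condition in the `library/x509_crt.c` hunk needs the same comment and the same check. The `if` body continues past the end of the hunk.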
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 529e96b..6aab3bf 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -758,7 +758,8 @@
if( crt->sig_oid.len != sig_oid2.len ||
memcmp( crt->sig_oid.p, sig_oid2.p, crt->sig_oid.len ) != 0 ||
sig_params1.len != sig_params2.len ||
- memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 )
+ ( sig_params1.len != 0 &&
+ memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
{
mbedtls_x509_crt_free( crt );
return( MBEDTLS_ERR_X509_SIG_MISMATCH );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 6043b07..8abe740 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -711,7 +711,7 @@
mbedtls_printf( " > Write username to server: %s", opt.user_name );
fflush( stdout );
- n = sizeof( buf );
+ n = sizeof( base );
ret = mbedtls_base64_encode( base, &n, (const unsigned char *) opt.user_name,
strlen( opt.user_name ) );
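Review bot: `n` appears to be an in/out argument of `mbedtls_base64_encode` (passed as `&n`, reset before the call), and nothing at the call site says so, which is how a stale value came to be reused. A one-line comment before the assignment, `/* n: in = capacity of base, out = encoded length; reset before every call */`, would make the contract visible; it applies equally to the `n = sizeof( base );` added in the password hunk below. The old `sizeof( buf )` also passed the capacity of a different buffer than the one being written, so any other encode call in this file deserves a check for the same mismatch; only these two are visible here. The enclosing function starts and ends outside the hunk.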
@@ -732,6 +732,7 @@
mbedtls_printf( " > Write password to server: %s", opt.user_pwd );
fflush( stdout );
+ n = sizeof( base );
ret = mbedtls_base64_encode( base, &n, (const unsigned char *) opt.user_pwd,
strlen( opt.user_pwd ) );
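Review bot: The context line `mbedtls_printf( " > Write password to server: %s", opt.user_pwd );` writes the cleartext password to stdout, where it lands in terminal scrollback and any captured or redirected output. Even in a sample program I would print a fixed message instead, for example `mbedtls_printf( " > Write password to server" );`, because example code tends to be copied as-is. This predates the commit but sits directly above the line it adds. The enclosing function starts and ends outside the hunk.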
diff --git a/tests/compat.sh b/tests/compat.sh
index 97938e0..eac1891 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -751,7 +751,7 @@
P_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE"
G_SERVER_ARGS="-p $PORT --http $G_MODE"
- G_SERVER_PRIO="EXPORT:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
+ G_SERVER_PRIO="NORMAL:+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
# with OpenSSL 1.0.1h, -www, -WWW and -HTTP break DTLS handshakes
if is_dtls "$MODE"; then
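Review bot: The new `G_SERVER_PRIO` value deliberately enables NULL, RC4 and MD5 suites, and nothing next to the assignment says that this is for interoperability testing only. A comment above it such as `# interop test only: weak suites enabled on purpose; EXPORT keyword replaced for GnuTLS 3.4` would keep the string from being copied into a real server configuration and would record why `EXPORT` was dropped (that reason is taken from the commit title, not from the hunk). If older GnuTLS versions are still used on some test hosts, it is worth confirming that `NORMAL:+ARCFOUR-128` selects the intended suites there as well. The `if is_dtls` block opens on the last line and continues outside the hunk.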