From 52754594b6729c8bc6d1c25a2335949e74b81ed4 Mon Sep 17 00:00:00 2001 From: Simon Butcher Date: Thu, 3 Sep 2015 13:06:01 +0100 Subject: [PATCH] Merging iotssl-457-badtail with development branch --- CMakeLists.txt | 5 +- ChangeLog | 11 ++++ include/mbedtls/ssl.h | 41 ++++++++++++--- library/debug.c | 49 ++++++++++++----- library/entropy_poll.c | 6 +-- library/md2.c | 4 +- library/md4.c | 4 +- library/md5.c | 4 +- library/sha1.c | 4 +- library/sha256.c | 4 +- library/sha512.c | 4 +- library/ssl_cli.c | 22 ++++++++ library/ssl_tls.c | 73 +++++++++++++++++++------- programs/pkey/dh_client.c | 2 +- programs/pkey/dh_server.c | 2 +- programs/pkey/pk_decrypt.c | 7 ++- programs/pkey/pk_encrypt.c | 7 ++- programs/pkey/pk_sign.c | 11 ++-- programs/pkey/pk_verify.c | 17 +++--- programs/pkey/rsa_genkey.c | 2 +- programs/pkey/rsa_sign.c | 12 +++-- programs/pkey/rsa_sign_pss.c | 4 +- programs/pkey/rsa_verify.c | 20 +++---- programs/pkey/rsa_verify_pss.c | 10 ++-- programs/ssl/ssl_client2.c | 5 ++ programs/ssl/ssl_server2.c | 7 ++- programs/test/benchmark.c | 38 +++++++------- programs/test/udp_proxy.c | 2 +- tests/ssl-opt.sh | 13 +++++ tests/suites/test_suite_debug.function | 5 ++ yotta/data/module.json | 2 +- 31 files changed, 280 insertions(+), 117 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 867372923..094d9069b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -29,6 +29,9 @@ if(CMAKE_COMPILER_IS_GNUCC) if (GCC_VERSION VERSION_GREATER 4.5 OR GCC_VERSION VERSION_EQUAL 4.5) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wlogical-op") endif() + if (GCC_VERSION VERSION_GREATER 4.8 OR GCC_VERSION VERSION_EQUAL 4.8) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wshadow") + endif() set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") @@ -39,7 +42,7 @@ if(CMAKE_COMPILER_IS_GNUCC) endif(CMAKE_COMPILER_IS_GNUCC) if(CMAKE_COMPILER_IS_CLANG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -W -Wdeclaration-after-statement -Wwrite-strings -Wpointer-arith -Wimplicit-fallthrough -Wshadow") set(CMAKE_C_FLAGS_RELEASE "-O2") set(CMAKE_C_FLAGS_DEBUG "-O0 -g3") set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage") diff --git a/ChangeLog b/ChangeLog index a997b8871..ef290e7c9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -29,6 +29,13 @@ Bugfix * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could result trying to unlock an unlocked mutex on invalid input (found by Fredrik Axelsson) (#257) + * Fix -Wshadow warnings (found by hnrkp) (#240) + * Fix memory corruption on client with overlong PSK identity, around + SSL_MAX_CONTENT_LEN or higher - not triggerrable remotely (found by + Aleksandrs Saveljevs) (#238) + * Fix unused function warning when using MBEDTLS_MDx_ALT or + MBEDTLS_SHAxxx_ALT (found by Henrik) (#239) + * Fix memory corruption in pkey programs (found by yankuncheng) (#210) Changes * The PEM parser now accepts a trailing space at end of lines (#226). @@ -38,6 +45,10 @@ Changes * When verifying a certificate chain, if an intermediate certificate is trusted, no later cert is checked. (suggested by hannes-landeholm) (#220). + * Prepend a "thread identifier" to debug messages (issue pointed out by + Hugo Leisink) (#210). + * Add mbedtls_ssl_get_max_frag_len() to query the current maximum fragment + length. = mbed TLS 2.0.0 released 2015-07-13 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 288627bf1..d051035fc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2027,6 +2027,26 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl ); */ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +/** + * \brief Return the maximum fragment length (payload, in bytes). + * This is the value negotiated with peer if any, + * or the locally configured value. + * + * \note With DTLS, \c mbedtls_ssl_write() will return an error if + * called with a larger length value. + * With TLS, \c mbedtls_ssl_write() will fragment the input if + * necessary and return the number of bytes written; it is up + * to the caller to call \c mbedtls_ssl_write() again in + * order to send the remaining bytes if any. + * + * \param ssl SSL context + * + * \return Current maximum fragment length. + */ +size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ); +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Return the peer certificate from the current connection @@ -2124,26 +2144,33 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ); int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ); /** - * \brief Write exactly 'len' application data bytes + * \brief Try to write exactly 'len' application data bytes + * + * \warning This function will do partial writes in some cases. If the + * return value is non-negative but less than length, the + * function must be called again with updated arguments: + * buf + ret, len - ret (if ret is the return value) until + * it returns a value equal to the last 'len' argument. * * \param ssl SSL context * \param buf buffer holding the data * \param len how many bytes must be written * - * \return the number of bytes written, - * or a negative error code. + * \return the number of bytes actually written (may be less than len), + * or MBEDTLS_ERR_SSL_WANT_WRITE of MBEDTLS_ERR_SSL_WANT_READ, + * or another negative error code. * - * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE, + * \note When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, * it must be called later with the *same* arguments, * until it returns a positive value. * * \note If the requested length is greater than the maximum * fragment length (either the built-in limit or the one set * or negotiated with the peer), then: - * - with TLS, less bytes than requested are written. (In - * order to write larger messages, this function should be - * called in a loop.) + * - with TLS, less bytes than requested are written. * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. + * \c mbedtls_ssl_get_max_frag_len() may be used to query the + * active maximum fragment length. */ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ); diff --git a/library/debug.c b/library/debug.c index 2220e3317..f9b822971 100644 --- a/library/debug.c +++ b/library/debug.c @@ -43,6 +43,10 @@ #define mbedtls_snprintf snprintf #endif +#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && !defined(inline) +#define inline __inline +#endif + #define DEBUG_BUF_SIZE 512 static int debug_threshold = 0; @@ -52,6 +56,27 @@ void mbedtls_debug_set_threshold( int threshold ) debug_threshold = threshold; } +/* + * All calls to f_dbg must be made via this function + */ +static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level, + const char *file, int line, + const char *str ) +{ + /* + * If in a threaded environment, we need a thread identifier. + * Since there is no portable way to get one, use the address of the ssl + * context instead, as it shouldn't be shared between threads. + */ +#if defined(MBEDTLS_THREADING_C) + char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */ + mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", ssl, str ); + ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr ); +#else + ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); +#endif +} + void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, const char *file, int line, const char *format, ... ) @@ -86,7 +111,7 @@ void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level, str[ret + 1] = '\0'; } - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, @@ -109,7 +134,7 @@ void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n", text, ret, -ret ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, @@ -126,7 +151,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n", text, (unsigned int) len ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -140,7 +165,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, if( i > 0 ) { mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; memset( txt, 0, sizeof( txt ) ); @@ -162,7 +187,7 @@ void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level, idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " " ); mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } } @@ -207,7 +232,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n", text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; for( i = n + 1, j = 0; i > 0; i-- ) @@ -227,7 +252,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, if( j > 0 ) { mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); idx = 0; } } @@ -244,7 +269,7 @@ void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level, idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" ); mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); } #endif /* MBEDTLS_BIGNUM_C */ @@ -261,7 +286,7 @@ static void debug_print_pk( const mbedtls_ssl_context *ssl, int level, if( mbedtls_pk_debug( pk, items ) != 0 ) { - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, + debug_send_line( ssl, level, file, line, "invalid PK context\n" ); return; } @@ -282,7 +307,7 @@ static void debug_print_pk( const mbedtls_ssl_context *ssl, int level, mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value ); else #endif - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, + debug_send_line( ssl, level, file, line, "should not happen\n" ); } } @@ -305,7 +330,7 @@ static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level, memcpy( str, start, len ); str[len] = '\0'; - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); start = cur + 1; } @@ -327,7 +352,7 @@ void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level, char buf[1024]; mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i ); - ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str ); + debug_send_line( ssl, level, file, line, str ); mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); debug_print_line_by_line( ssl, level, file, line, buf ); diff --git a/library/entropy_poll.c b/library/entropy_poll.c index 42b02e79a..6b3ad3501 100644 --- a/library/entropy_poll.c +++ b/library/entropy_poll.c @@ -140,7 +140,7 @@ int mbedtls_platform_entropy_poll( void *data, unsigned char *output, size_t len, size_t *olen ) { FILE *file; - size_t ret; + size_t read_len; ((void) data); #if defined(HAVE_GETRANDOM) @@ -165,8 +165,8 @@ int mbedtls_platform_entropy_poll( void *data, if( file == NULL ) return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); - ret = fread( output, 1, len, file ); - if( ret != len ) + read_len = fread( output, 1, len, file ); + if( read_len != len ) { fclose( file ); return( MBEDTLS_ERR_ENTROPY_SOURCE_FAILED ); diff --git a/library/md2.c b/library/md2.c index 3263a2230..88d679f47 100644 --- a/library/md2.c +++ b/library/md2.c @@ -47,13 +47,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_MD2_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_MD2_ALT) - static const unsigned char PI_SUBST[256] = { 0x29, 0x2E, 0x43, 0xC9, 0xA2, 0xD8, 0x7C, 0x01, 0x3D, 0x36, diff --git a/library/md4.c b/library/md4.c index 563c65317..dcd9313d6 100644 --- a/library/md4.c +++ b/library/md4.c @@ -47,13 +47,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_MD4_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_MD4_ALT) - /* * 32-bit integer manipulation macros (little endian) */ diff --git a/library/md5.c b/library/md5.c index d8f216366..42c7c343c 100644 --- a/library/md5.c +++ b/library/md5.c @@ -46,13 +46,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_MD5_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_MD5_ALT) - /* * 32-bit integer manipulation macros (little endian) */ diff --git a/library/sha1.c b/library/sha1.c index 14331b3ac..ffad2287b 100644 --- a/library/sha1.c +++ b/library/sha1.c @@ -46,13 +46,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_SHA1_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_SHA1_ALT) - /* * 32-bit integer manipulation macros (big endian) */ diff --git a/library/sha256.c b/library/sha256.c index 28f09e5ae..4d8c868e9 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -46,13 +46,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_SHA256_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_SHA256_ALT) - /* * 32-bit integer manipulation macros (big endian) */ diff --git a/library/sha512.c b/library/sha512.c index 9e3e0e0a9..d1dc8faac 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -52,13 +52,13 @@ #endif /* MBEDTLS_PLATFORM_C */ #endif /* MBEDTLS_SELF_TEST */ +#if !defined(MBEDTLS_SHA512_ALT) + /* Implementation that should never be optimized out by the compiler */ static void mbedtls_zeroize( void *v, size_t n ) { volatile unsigned char *p = v; while( n-- ) *p++ = 0; } -#if !defined(MBEDTLS_SHA512_ALT) - /* * 64-bit integer manipulation macros (big endian) */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index c6f810cd7..75983d19e 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1748,6 +1748,12 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2; unsigned char *p = ssl->handshake->premaster + pms_offset; + if( offset + len_bytes > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small for encrypted pms" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + /* * Generate (part of) the pre-master as * struct { @@ -2522,6 +2528,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) i = 4; n = ssl->conf->psk_identity_len; + + if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " + "SSL buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n ); @@ -2550,6 +2564,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) * ClientDiffieHellmanPublic public (DHM send G^X mod P) */ n = ssl->handshake->dhm_ctx.len; + + if( i + 2 + n > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" + " or SSL buffer too short" ) ); + return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); + } + ssl->out_msg[i++] = (unsigned char)( n >> 8 ); ssl->out_msg[i++] = (unsigned char)( n ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9007562fb..bff1b63b8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -694,8 +694,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } else { - int ret; - /* Initialize HMAC contexts */ if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 ) @@ -1455,7 +1453,7 @@ static int ssl_encrypt_buf( mbedtls_ssl_context *ssl ) /* * Generate IV */ - int ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, + ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc, ssl->transform_out->ivlen ); if( ret != 0 ) return( ret ); @@ -3718,6 +3716,9 @@ int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, { int ret; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; @@ -5459,6 +5460,13 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, if( psk_len > MBEDTLS_PSK_MAX_LEN ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + /* Identity len will be encoded on two bytes */ + if( ( psk_identity_len >> 16 ) != 0 || + psk_identity_len > MBEDTLS_SSL_MAX_CONTENT_LEN ) + { + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + } + if( conf->psk != NULL || conf->psk_identity != NULL ) { mbedtls_free( conf->psk ); @@ -5862,6 +5870,29 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) ); } +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) +size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl ) +{ + size_t max_len; + + /* + * Assume mfl_code is correct since it was checked when set + */ + max_len = mfl_code_to_length[ssl->conf->mfl_code]; + + /* + * Check if a smaller max length was negotiated + */ + if( ssl->session_out != NULL && + mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) + { + max_len = mfl_code_to_length[ssl->session_out->mfl_code]; + } + + return max_len; +} +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl ) { @@ -5894,6 +5925,9 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ret = mbedtls_ssl_handshake_client_step( ssl ); @@ -5913,6 +5947,9 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl ) { int ret = 0; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) ); while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) @@ -6008,6 +6045,9 @@ int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + #if defined(MBEDTLS_SSL_SRV_C) /* On server, just send the request */ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) @@ -6085,6 +6125,9 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) int ret, record_read = 0; size_t n; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -6339,23 +6382,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, { int ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned int max_len; -#endif - -#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - /* - * Assume mfl_code is correct since it was checked when set - */ - max_len = mfl_code_to_length[ssl->conf->mfl_code]; - - /* - * Check if a smaller max length was negotiated - */ - if( ssl->session_out != NULL && - mfl_code_to_length[ssl->session_out->mfl_code] < max_len ) - { - max_len = mfl_code_to_length[ssl->session_out->mfl_code]; - } + size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); if( len > max_len ) { @@ -6444,6 +6471,9 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + #if defined(MBEDTLS_SSL_RENEGOTIATION) if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) { @@ -6479,6 +6509,9 @@ int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) { int ret; + if( ssl == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); if( ssl->out_left != 0 ) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index 10b9b7a48..2909d1dda 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -75,7 +75,7 @@ int main( void ) unsigned char *p, *end; unsigned char buf[2048]; - unsigned char hash[20]; + unsigned char hash[32]; const char *pers = "dh_client"; mbedtls_entropy_context entropy; diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index 6ce1da23d..53a299a49 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -74,7 +74,7 @@ int main( void ) mbedtls_net_context listen_fd, client_fd; unsigned char buf[2048]; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf2[2]; const char *pers = "dh_server"; diff --git a/programs/pkey/pk_decrypt.c b/programs/pkey/pk_decrypt.c index bcfb2c690..2ccbf3b9e 100644 --- a/programs/pkey/pk_decrypt.c +++ b/programs/pkey/pk_decrypt.c @@ -151,8 +151,11 @@ exit: mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/pk_encrypt.c b/programs/pkey/pk_encrypt.c index 300cb77fa..fe84aee77 100644 --- a/programs/pkey/pk_encrypt.c +++ b/programs/pkey/pk_encrypt.c @@ -151,8 +151,11 @@ exit: mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c index 9efa89709..ce2520975 100644 --- a/programs/pkey/pk_sign.c +++ b/programs/pkey/pk_sign.c @@ -64,7 +64,7 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pk; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; const char *pers = "mbedtls_pk_sign"; @@ -129,7 +129,7 @@ int main( int argc, char *argv[] ) } /* - * Write the signature into -sig.txt + * Write the signature into .sig */ mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[2] ); @@ -156,8 +156,11 @@ exit: mbedtls_entropy_free( &entropy ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c index 8ab5c9372..a1a2389aa 100644 --- a/programs/pkey/pk_verify.c +++ b/programs/pkey/pk_verify.c @@ -59,7 +59,7 @@ int main( int argc, char *argv[] ) int ret = 1; size_t i; mbedtls_pk_context pk; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; @@ -86,7 +86,7 @@ int main( int argc, char *argv[] ) } /* - * Extract the signature from the text file + * Extract the signature from the file */ ret = 1; mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[2] ); @@ -103,8 +103,8 @@ int main( int argc, char *argv[] ) fclose( f ); /* - * Compute the SHA-256 hash of the input file and compare - * it with the hash decrypted from the signature. + * Compute the SHA-256 hash of the input file and + * verify the signature */ mbedtls_printf( "\n . Verifying the SHA-256 signature" ); fflush( stdout ); @@ -124,7 +124,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" ); + mbedtls_printf( "\n . OK (the signature is valid)\n\n" ); ret = 0; @@ -132,8 +132,11 @@ exit: mbedtls_pk_free( &pk ); #if defined(MBEDTLS_ERROR_C) - mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); - mbedtls_printf( " ! Last error was: %s\n", buf ); + if( ret != 0 ) + { + mbedtls_strerror( ret, (char *) buf, sizeof(buf) ); + mbedtls_printf( " ! Last error was: %s\n", buf ); + } #endif #if defined(_WIN32) diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c index d0b1f4d97..f691871ea 100644 --- a/programs/pkey/rsa_genkey.c +++ b/programs/pkey/rsa_genkey.c @@ -46,7 +46,7 @@ #include #endif -#define KEY_SIZE 1024 +#define KEY_SIZE 2048 #define EXPONENT 65537 #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \ diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index d86fe3a7f..54f60c55e 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -32,6 +32,7 @@ #include #define mbedtls_fprintf fprintf #define mbedtls_printf printf +#define mbedtls_snprintf snprintf #endif #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \ @@ -58,8 +59,9 @@ int main( int argc, char *argv[] ) int ret; size_t i; mbedtls_rsa_context rsa; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + char filename[512]; ret = 1; @@ -135,11 +137,11 @@ int main( int argc, char *argv[] ) } /* - * Write the signature into -sig.txt + * Write the signature into .sig */ - memcpy( argv[1] + strlen( argv[1] ), ".sig", 5 ); + mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] ); - if( ( f = fopen( argv[1], "wb+" ) ) == NULL ) + if( ( f = fopen( filename, "wb+" ) ) == NULL ) { ret = 1; mbedtls_printf( " failed\n ! Could not create %s\n\n", argv[1] ); @@ -152,7 +154,7 @@ int main( int argc, char *argv[] ) fclose( f ); - mbedtls_printf( "\n . Done (created \"%s\")\n\n", argv[1] ); + mbedtls_printf( "\n . Done (created \"%s\")\n\n", filename ); exit: diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c index 0b3cfbbb7..2b358c16c 100644 --- a/programs/pkey/rsa_sign_pss.c +++ b/programs/pkey/rsa_sign_pss.c @@ -65,7 +65,7 @@ int main( int argc, char *argv[] ) mbedtls_pk_context pk; mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; const char *pers = "rsa_sign_pss"; @@ -140,7 +140,7 @@ int main( int argc, char *argv[] ) } /* - * Write the signature into -sig.txt + * Write the signature into .sig */ mbedtls_snprintf( filename, 512, "%s.sig", argv[2] ); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index fefc6e0ff..85892fe17 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -31,6 +31,7 @@ #else #include #define mbedtls_printf printf +#define mbedtls_snprintf snprintf #endif #if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \ @@ -57,8 +58,9 @@ int main( int argc, char *argv[] ) int ret, c; size_t i; mbedtls_rsa_context rsa; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; + char filename[512]; ret = 1; if( argc != 2 ) @@ -99,17 +101,15 @@ int main( int argc, char *argv[] ) * Extract the RSA signature from the text file */ ret = 1; - i = strlen( argv[1] ); - memcpy( argv[1] + i, ".sig", 5 ); + mbedtls_snprintf( filename, sizeof(filename), "%s.sig", argv[1] ); - if( ( f = fopen( argv[1], "rb" ) ) == NULL ) + if( ( f = fopen( filename, "rb" ) ) == NULL ) { - mbedtls_printf( "\n ! Could not open %s\n\n", argv[1] ); + mbedtls_printf( "\n ! Could not open %s\n\n", filename ); goto exit; } - argv[1][i] = '\0', i = 0; - + i = 0; while( fscanf( f, "%02X", &c ) > 0 && i < (int) sizeof( buf ) ) buf[i++] = (unsigned char) c; @@ -123,8 +123,8 @@ int main( int argc, char *argv[] ) } /* - * Compute the SHA-256 hash of the input file and compare - * it with the hash decrypted from the RSA signature. + * Compute the SHA-256 hash of the input file and + * verify the signature */ mbedtls_printf( "\n . Verifying the RSA/SHA-256 signature" ); fflush( stdout ); @@ -144,7 +144,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" ); + mbedtls_printf( "\n . OK (the signature is valid)\n\n" ); ret = 0; diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c index 50d333b00..0d51be522 100644 --- a/programs/pkey/rsa_verify_pss.c +++ b/programs/pkey/rsa_verify_pss.c @@ -63,7 +63,7 @@ int main( int argc, char *argv[] ) int ret = 1; size_t i; mbedtls_pk_context pk; - unsigned char hash[20]; + unsigned char hash[32]; unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; char filename[512]; @@ -100,7 +100,7 @@ int main( int argc, char *argv[] ) mbedtls_rsa_set_padding( mbedtls_pk_rsa( pk ), MBEDTLS_RSA_PKCS_V21, MBEDTLS_MD_SHA256 ); /* - * Extract the RSA signature from the text file + * Extract the RSA signature from the file */ ret = 1; mbedtls_snprintf( filename, 512, "%s.sig", argv[2] ); @@ -117,8 +117,8 @@ int main( int argc, char *argv[] ) fclose( f ); /* - * Compute the SHA-256 hash of the input file and compare - * it with the hash decrypted from the RSA signature. + * Compute the SHA-256 hash of the input file and + * verify the signature */ mbedtls_printf( "\n . Verifying the RSA/SHA-256 signature" ); fflush( stdout ); @@ -138,7 +138,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( "\n . OK (the decrypted SHA-256 hash matches)\n\n" ); + mbedtls_printf( "\n . OK (the signature is valid)\n\n" ); ret = 0; diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2e0ac1edc..c60e7100f 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1240,6 +1240,11 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum fragment length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 3aa05d5f1..86b744eff 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1925,7 +1925,7 @@ reset: if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; - uint32_t flags = mbedtls_ssl_get_verify_result( &ssl ); + flags = mbedtls_ssl_get_verify_result( &ssl ); mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); @@ -1946,6 +1946,11 @@ reset: else mbedtls_printf( " [ Record expansion is unknown (compression) ]\n" ); +#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) + mbedtls_printf( " [ Maximum fragment length is %u ]\n", + (unsigned int) mbedtls_ssl_get_max_frag_len( &ssl ) ); +#endif + #if defined(MBEDTLS_SSL_ALPN) if( opt.alpn_string != NULL ) { diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index a3c256845..3665df69b 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -108,31 +108,31 @@ int main( void ) #define TIME_AND_TSC( TITLE, CODE ) \ do { \ - unsigned long i, j, tsc; \ + unsigned long ii, jj, tsc; \ \ - mbedtls_printf( HEADER_FORMAT, TITLE ); \ + mbedtls_printf( HEADER_FORMAT, TITLE ); \ fflush( stdout ); \ \ - mbedtls_set_alarm( 1 ); \ - for( i = 1; ! mbedtls_timing_alarmed; i++ ) \ + mbedtls_set_alarm( 1 ); \ + for( ii = 1; ! mbedtls_timing_alarmed; ii++ ) \ { \ CODE; \ } \ \ - tsc = mbedtls_timing_hardclock(); \ - for( j = 0; j < 1024; j++ ) \ + tsc = mbedtls_timing_hardclock(); \ + for( jj = 0; jj < 1024; jj++ ) \ { \ CODE; \ } \ \ - mbedtls_printf( "%9lu Kb/s, %9lu cycles/byte\n", \ - i * BUFSIZE / 1024, \ - ( mbedtls_timing_hardclock() - tsc ) / ( j * BUFSIZE ) ); \ + mbedtls_printf( "%9lu Kb/s, %9lu cycles/byte\n", \ + ii * BUFSIZE / 1024, \ + ( mbedtls_timing_hardclock() - tsc ) / ( jj * BUFSIZE ) ); \ } while( 0 ) #if defined(MBEDTLS_ERROR_C) #define PRINT_ERROR \ - mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) ); \ + mbedtls_strerror( ret, ( char * )tmp, sizeof( tmp ) ); \ mbedtls_printf( "FAILED: %s\n", tmp ); #else #define PRINT_ERROR \ @@ -144,12 +144,12 @@ do { \ #define MEMORY_MEASURE_INIT \ size_t max_used, max_blocks, max_bytes; \ size_t prv_used, prv_blocks; \ - mbedtls_memory_buffer_alloc_cur_get( &prv_used, &prv_blocks ); \ + mbedtls_memory_buffer_alloc_cur_get( &prv_used, &prv_blocks ); \ mbedtls_memory_buffer_alloc_max_reset( ); #define MEMORY_MEASURE_PRINT( title_len ) \ - mbedtls_memory_buffer_alloc_max_get( &max_used, &max_blocks ); \ - for( i = 12 - title_len; i != 0; i-- ) mbedtls_printf( " " ); \ + mbedtls_memory_buffer_alloc_max_get( &max_used, &max_blocks ); \ + for( ii = 12 - title_len; ii != 0; ii-- ) mbedtls_printf( " " ); \ max_used -= prv_used; \ max_blocks -= prv_blocks; \ max_bytes = max_used + MEM_BLOCK_OVERHEAD * max_blocks; \ @@ -162,16 +162,16 @@ do { \ #define TIME_PUBLIC( TITLE, TYPE, CODE ) \ do { \ - unsigned long i; \ + unsigned long ii; \ int ret; \ MEMORY_MEASURE_INIT; \ \ - mbedtls_printf( HEADER_FORMAT, TITLE ); \ + mbedtls_printf( HEADER_FORMAT, TITLE ); \ fflush( stdout ); \ - mbedtls_set_alarm( 3 ); \ + mbedtls_set_alarm( 3 ); \ \ ret = 0; \ - for( i = 1; ! mbedtls_timing_alarmed && ! ret ; i++ ) \ + for( ii = 1; ! mbedtls_timing_alarmed && ! ret ; ii++ ) \ { \ CODE; \ } \ @@ -182,9 +182,9 @@ do { \ } \ else \ { \ - mbedtls_printf( "%6lu " TYPE "/s", i / 3 ); \ + mbedtls_printf( "%6lu " TYPE "/s", ii / 3 ); \ MEMORY_MEASURE_PRINT( sizeof( TYPE ) + 1 ); \ - mbedtls_printf( "\n" ); \ + mbedtls_printf( "\n" ); \ } \ } while( 0 ) diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 645f94d85..c49c46c1e 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -389,7 +389,7 @@ void update_dropped( const packet *p ) while( cur < end ) { - size_t len = ( ( cur[11] << 8 ) | cur[12] ) + 13; + len = ( ( cur[11] << 8 ) | cur[12] ) + 13; id = len % sizeof( dropped ); ++dropped[id]; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bd36e227b..77db588db 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1085,6 +1085,8 @@ run_test "Max fragment length: not used, reference" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 16384" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -1094,6 +1096,8 @@ run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ + -c "Maximum fragment length is 4096" \ + -s "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -1103,6 +1107,8 @@ run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ 0 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 4096" \ -C "client hello, adding max_fragment_length extension" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ @@ -1113,6 +1119,7 @@ run_test "Max fragment length: gnutls server" \ "$G_SRV" \ "$P_CLI debug_level=3 max_frag_len=4096" \ 0 \ + -c "Maximum fragment length is 4096" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" @@ -1120,6 +1127,8 @@ run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ 0 \ + -c "Maximum fragment length is 2048" \ + -s "Maximum fragment length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -1131,6 +1140,8 @@ run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ 0 \ + -c "Maximum fragment length is 2048" \ + -s "Maximum fragment length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ @@ -1143,6 +1154,8 @@ run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ 1 \ + -c "Maximum fragment length is 2048" \ + -s "Maximum fragment length is 2048" \ -c "client hello, adding max_fragment_length extension" \ -s "found max fragment length extension" \ -s "server hello, max_fragment_length extension" \ diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 3c77ca56b..98f98b061 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -25,6 +25,11 @@ void string_debug(void *data, int level, const char *file, int line, const char *p++ = ':'; *p++ = ' '; +#if defined(MBEDTLS_THREADING_C) + /* Skip "thread ID" (up to the first space) as it is not predictable */ + while( *str++ != ' ' ); +#endif + memcpy( p, str, strlen( str ) ); p += strlen( str ); diff --git a/yotta/data/module.json b/yotta/data/module.json index 6ed20ffdc..6add3936d 100644 --- a/yotta/data/module.json +++ b/yotta/data/module.json @@ -1,6 +1,6 @@ { "name": "mbedtls", - "version": "2.0.5", + "version": "2.0.6", "description": "The mbed TLS crypto/SSL/TLS library", "private": true, "license": "GPL-2.0",