Commit Graph

836 Commits

Author SHA1 Message Date
Gilles Peskine
0d980b8be8 ssl_test_common_source.c: new source file for common SSL test code
Create a new source file for code that is shared between ssl_client2.c
and ssl_server2.c, but cannot be compiled separately and instead needs
to be #include'd in each program that uses it.

This is for code that references macros or types that are defined
differently in the two programs.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 10:25:35 +01:00
Gilles Peskine
a3ed34fed6 ssl_test_lib.[hc]: new source file for common SSL test code
Create a new source file for code that is shared between ssl_client2.c
and ssl_server2.c. This commit only creates the file; subsequent
commits will populate it.

Add it to the official build systems (make, cmake, VS).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-01-06 10:25:35 +01:00
Bence Szépkúti
880334cba0 Fix use-after-scope error in programs/ssl
mbedtls_ssl_conf_dtls_srtp_protection_profiles stores the pointer to the
profiles in the configuration.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-12-15 10:22:05 +01:00
Gilles Peskine
662deb38d6
Merge pull request #3547 from ronald-cron-arm/psa-openless
Openless PSA crypto APIs implementation
2020-11-20 18:48:33 +01:00
Ronald Cron
c9851141a2 programs: ssl: Fix printf parameter type cast
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-19 16:59:40 +01:00
David Brown
a8e309e01d cmake: Fix added sources to targets
In cmake version < 3.0, the SOURCES property on targets cannot be
modified after the target is defined.  There are several instances in
the code that were using `target_properties()`, which is not available
in the older versions of cmake.  Unfortunately, the workaround in #3801
(381c1078fc) assumes that this SOURCES property can be modified.

Work around this by building up any necessary sources before declaring
the target.  This is more awkward, but needed to continue to be able to
support the old versions of cmake.

Fixes #3788.

Signed-off-by: David Brown <david.brown@linaro.org>
2020-11-18 16:28:00 -07:00
Gilles Peskine
c70431451b
Merge pull request #3867 from gilles-peskine-arm/error-include-string
Fix several configuration-related issues
2020-11-17 20:32:59 +01:00
Ronald Cron
adc2ff28b0 Adapt programs to PSA openless APIs
PSA and SSL programs are PSA clients thus should use
psa_key_id_t as the type for key identifiers, not
mbedtls_svc_key_id_t.

As a consequence, PSA, ssl_server2 and ssl_client2
programs cannot compile and must not be compiled if
MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined.
Thus, add MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
compilation guard to those programs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
c4d1b514ab Define handles as key identifiers
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.

The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
c26f8d467a Introduce psa_key_handle_is_null inline function
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Ronald Cron
91e9515424 Introduce PSA_KEY_HANDLE_INIT macro
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-11-10 16:00:41 +01:00
Gilles Peskine
f4a6a05e9d ssl_context_info: fix config requirements
Revealed by attempting to build in configs/config-no-entropy.h.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-11-09 15:17:07 +01:00
David Brown
381c1078fc cmake: Avoid using target_properties for old cmake
CMake versions less than 3.0 do not support the `target_sources`
command.  In order to be able to support v2.8.12.2 of cmake, directly
set the SOURCES property instead of using the target_sources command.

A future patch could reverse this, if the project decides to forgo
support for cmake versions less than 3.0.

Fixes #3801

Signed-off-by: David Brown <david.brown@linaro.org>
2020-11-03 15:38:38 -07:00
Johan Pascal
5fbe9e7ac0 remove useless parentheses
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 10:50:54 +01:00
Johan Pascal
5ef72d214f Style and typos
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
2258a4f481 Do not return a structure, use a return parameter
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
0dbcd1d3f0 Make API safer
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
20c7db3a67 API modified so server side can get mki value
+ client side discards self mki if server does not support it

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
76fdf1d60e Minor fix and improvements
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
9bc50b0122 Test check the key material exported match
- include interop with openssl client

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
d387aa0586 style + missing cast
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:50 +01:00
Johan Pascal
253d0263a6 set protection profile API gets a MBEDTLS_TLS_SRTP_UNSET terminated list
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
43f9490a52 SRTP profiles definition use macros only
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
d576fdb1d6 Style + fix bound check in write_use_srt_ext
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
9bc97ca19d SRTP-DTLS protection profile configuration list not copied into ssl_config
+ improve test
+ minor style fix

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
8526957cd5 Minor style modifications
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
48f62e98a8 Fix ssl_client2 after rebase
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
1d957e61eb Fix build warning
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
b64eab7656 fix style
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
65b56ef87f Change key derivation for srtp
Use the export keys functionality, to call the public API
`mbedtls_ssl_tls_prf()`, and remove the function
`mbedtls_ssl_get_dtls_srtp_key_material()`.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
a978804a1b Style fixes
1. Fix indentations.
2. Remove redundant whitespaces.
3. Keep short lines.
4. Grammar fixes.
5. Rephrase function description.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
ef72faf2bb Style fixes
1. Adjust to 80 colums where possible.
2. Add \ remove spaces where needed.
3. Fix alignments.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
311b95aafe Fix compilation errors
Fix compilation errors when `MBEDTLS_DTLS_SRTP` not set
1. Add file missed in previous commmit.
2. In sample applications, set `DFL_FORCE_SRTP_PROFILE` to 0.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
12c6eaddd5 Fix mki issues
1. Set correct mki from the `use_srtp` extension.
2. Use mki value received from the client as the mki used by server.
3. Use `mbedtls_ssl_dtls_srtp_set_mki_value()` as a client API only.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
6ea64518ad Add dtls-srtp to client and server examples
Add dtls-srtp to `ssl_client2` and `ssl_server2` examples,
for reference and for allowing in tests.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Gilles Peskine
935b4f96f9
Merge pull request #3407 from RcColes/development
Increase compatibility with external cmake
2020-10-28 12:29:14 +01:00
Nayna Jain
d696e7d91e programs/ssl: Fix incorrect EOF check in ssl_context_info.c
In `read_next_b64_code()`, the result of fgetc() is stored into a char,
but later compared against EOF, which is generally -1.  On platforms
where char is unsigned, this generates a compiler warning/error that the
comparison will never be true (causing a build failure).  The value will
never match, with the function ultimately bailing with a "Too many bad
symbols are detected" error.

On platforms with signed char, EOF is detected, but a file containing a
0xFF character will causes a premature end of file exit of the loop.

Fix this by changing the result to an int.

Fixes #3794.

Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
2020-10-20 13:31:32 -06:00
Raef Coles
995c66f702 Build: Add MBEDTLS_TARGET_PREFIX
Allows required targets to have prefixes added to them, so that external
projects can avoid target names clashing.

Signed-off-by: Raef Coles <raef.coles@arm.com>
2020-10-20 13:44:44 +01:00
gabor-mezei-arm
de47217580
Do not print any messages if query_config option is used
To preserve the behaviour of the query_config option all message
is omitted it it is used.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-10-05 11:34:50 +02:00
gabor-mezei-arm
f1f7b29d76
Fix overiding of return value.
If MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED is defined, then the return value will be overridden by the extra code running after the removed return instruction.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-10-05 11:34:50 +02:00
gabor-mezei-arm
785958577e
Use goto exit instead of direct return
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-10-05 11:34:50 +02:00
gabor-mezei-arm
a9eecf1b19
If query_config is used only the config value is printed.
The extra code running after the removed return instruction should not generate any output. Only the read config value must be printed.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-10-05 11:34:41 +02:00
Manuel Pégourié-Gonnard
6edfe60e0d
Merge pull request #2182 from hanno-arm/key_pwd
Add support for password protected key files to ssl_server2 and ssl_client2
2020-08-24 09:42:38 +02:00
Bence Szépkúti
1e14827beb Update copyright notices to use Linux Foundation guidance
As a result, the copyright of contributors other than Arm is now
acknowledged, and the years of publishing are no longer tracked in the
source files.

Also remove the now-redundant lines declaring that the files are part of
MbedTLS.

This commit was generated using the following script:

# ========================
#!/bin/sh

# Find files
find '(' -path './.git' -o -path './3rdparty' ')' -prune -o -type f -print | xargs sed -bi '

# Replace copyright attribution line
s/Copyright.*Arm.*/Copyright The Mbed TLS Contributors/I

# Remove redundant declaration and the preceding line
$!N
/This file is part of Mbed TLS/Id
P
D
'
# ========================

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2020-08-19 10:35:41 +02:00
Hanno Becker
2d3ac68336 Parse key-file and -password parameters in same place in ssl_client2
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-17 09:44:44 +01:00
Hanno Becker
bffa54f4eb Add usage string for key_pwd argument in ssl_client2 program
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-17 09:44:41 +01:00
Hanno Becker
34ce81f896 Avoid overly long usage string literal in ssl_server2 program
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2020-08-17 09:40:54 +01:00
Hanno Becker
ca04fdc2cc Add support for password protected key file to ssl_client2
The example application programs/ssl/ssl_client2 allows the
configuration of a client CRT through the parameters
- crt_file, key_file
However, password protected key files are not supported.

This commit adds a new command line option
- key_pwd
which allow to specify a password for the key file specified
in the key_file parameter.
2020-08-14 09:58:51 +01:00
Hanno Becker
e58a630cb0 Add support for password protected key file to ssl_server2
The example application programs/ssl/ssl_server2 allows the
configuration of up to two CRTs through the command line
parameters
- crt_file, key_file
- crt_file2, key_file2.
However, password protected key files are not supported.

This commit adds command line options
- key_pwd
- key_pwd2
which allow to specify passwords for the key files specified
in key_file and key_file2, respectively.
2020-08-14 09:58:51 +01:00
Ronald Cron
7d8661618b Use mbedtls_test_unhexify in programs
Use mbedtls_test_unhexify in programs instead of ad-hoc
implementations.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:45:16 +02:00
Ronald Cron
8dc0af2d4b programs: Link to tests common code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:45:16 +02:00
Ronald Cron
bfd45f1f11 programs: cmake: Use list of executables
Use list of executables to:
- factorize the code to define executables
- highlight the similarities and differences of the executable definitions
- avoid list duplication

Use alphabetic order for executables in lists.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:34:35 +02:00
Ronald Cron
0b90c9d747 programs: cmake: Fix relative path warnings
The path to source files were relative which triggered
warnings when generating the build system.

Move to absolute paths based on CMAKE_CURRENT_SOURCE_DIR.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:34:35 +02:00
Ronald Cron
27731130cf programs: ssl: cmake: Add missing executables
Add the executables missing in the list of executables
to install.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:34:11 +02:00
Ronald Cron
5df1be91f3 programs: ssl: cmake: Reorder declaration of executables
Reorder declaration of executables in alphabetic order.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2020-06-26 10:33:04 +02:00
Gilles Peskine
e81dc00df4
Merge pull request #3422 from niacat/net-sockets-fixes
NetBSD 9.0 build fixes
2020-06-22 23:33:53 +02:00
Ron Eldor
65d8c2651d Show failure in ssl-opts.sh when key export fails
1. When `ssl_server2` export key functionality fails,
don't exit the server, but reset it, to have the
server recover for next connection.
2. Add text filters for `export keys functionality` test in ssl-opt.sh
to check for additional output, to verify if the export suceeded.

This was discovered in the `ssl-opt.sh` script, where the server exited,
before the test tried to kill the server priocess, resulting in a
`kill: No such process` message.

Fixes #2662

Signed-off-by: Ron Eldor <Ron.Eldor@arm.com>
2020-06-15 11:21:41 +03:00
nia
7eb0e62f64 ssl_mail_client: Define _XOPEN_SOURCE=600 for gethostname
Fixes building this program on NetBSD 9.0.

Signed-off-by: nia <nia@netbsd.org>
2020-06-11 14:05:34 +01:00
Gilles Peskine
e24fc7b0a1
Merge pull request #2595 from k-stachowiak/unified-exit-in-examples
Unify the example programs' termination
2020-05-12 10:46:47 +02:00
Gilles Peskine
d9f694960f
Merge pull request #3190 from gilles-peskine-arm/config-full-clarify-development
Clarify that the full config enables everything that can be tested together
2020-05-04 12:29:09 +02:00
Kenneth Soerensen
518d435e7b Fix GCC format-signedness warnings
Signed-off-by: Kenneth Soerensen <knnthsrnsn@gmail.com>
2020-04-22 16:01:48 +02:00
Jaeden Amero
3a7ca1d0cb
Merge pull request #3194 from piotr-now/serialized_to_file
Saving the serialized context to a file
2020-04-20 15:50:12 +01:00
Gilles Peskine
b2971ff942 Strict C99: don't use extremely large string literals
Don't use string literals that are longer than 4095 bytes, which is
the minimum that C99 compilers are required to support. Compilers are
extremely likely to support longer literals, but `gcc -std=c99 -pedantic`
complains.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-04-20 15:39:36 +02:00
Piotr Nowicki
3de298f18f Saving the serialized context to a file
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-17 16:26:43 +02:00
Piotr Nowicki
136bebf934 Add missing newline character
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-17 14:47:33 +02:00
Manuel Pégourié-Gonnard
6f830251a1 Sort lists in CMakeLists.txt files
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-04-17 11:58:54 +02:00
Piotr Nowicki
97dcb1c8f2 Add required configuration to the ssl_context_info
Required:
  MBEDTLS_X509_CRT_PARSE_C
  MBEDTLS_ERROR_C

Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 16:40:48 +02:00
Piotr Nowicki
02cc3fb070 Add dynamic buffer allocation and size checking
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 16:40:48 +02:00
Piotr Nowicki
bc876d4516 Rename program 'ssl_base64_dump' to 'ssl_context_info'
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 16:40:48 +02:00
Piotr Nowicki
f86192f72a Add support for Microsoft Visual Studio
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 16:40:48 +02:00
Piotr Nowicki
e5fa8b7cdf Add certificate printing
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 16:40:42 +02:00
Piotr Nowicki
4e192000fa Add session deserializing (not completed)
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
ab3ecd8ac2 Print more information and add TODOs
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
6b2baf99f1 Print mbedtls version and configuration
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
c7d681c5bd Add base64 code decoding
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
6842c9bde8 Add printing the read base64 code
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
14d3105f78 Add reading base64 code from file
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
88ebbbf0fe Add function for parsing arguments
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Piotr Nowicki
9370f90d46 Initial work on the ssl dump program from base64 code
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
2020-04-14 10:46:23 +02:00
Andrzej Kurek
90c6e84a9c
Split the maximum fragment length into two - an input and output MFL
Since the server might want to have a different maximum fragment length
for the outgoing messages than the negotiated one - introduce a new way of
computing it. This commit also adds additional ssl-opt.sh tests ensuring
that the maximum fragment lengths are set as expected. 
mbedtls_ssl_get_max_frag_len() is now a deprecated function,
being an alias to mbedtls_ssl_get_output_max_frag_len(). The behaviour
of this function is the same as before.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-04-09 04:30:34 -04:00
Gilles Peskine
5e7d6fd240 Merge 'mbedtls/development' into merge-crypto-unremoved-20200304
Merge the latest state of the target branch (mbedtls/development) into the
pull request to merge mbed-crypto into mbedtls.

Conflicts:

* ChangeLog: add/add conflict. Resolve by using the usual section order.
2020-03-23 18:02:07 +01:00
Gilles Peskine
eccd888717 Rename identifiers containing double-underscore
Rename identifiers containing double-underscore (`__`) to avoid `__`.
The reason to avoid double-underscore is that all identifiers
containing double-underscore are reserved in C++. Rename all such
identifiers that appear in any public header, including ssl_internal.h
which is in principle private but in practice is installed with the
public headers.

This commit makes check-names.sh pass.

```
perl -i -pe 's/\bMBEDTLS_SSL__ECP_RESTARTABLE\b/MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED/g; s/\bMBEDTLS_KEY_EXCHANGE_(_\w+)_(_\w+)\b/MBEDTLS_KEY_EXCHANGE${1}${2}/g' include/mbedtls/*.h library/*.c programs/*/*.c scripts/data_files/rename-1.3-2.0.txt tests/suites/*.function
```
2020-03-23 17:55:32 +01:00
Jaeden Amero
c31f970a46
Merge pull request #3075 from AndrzejKurek/variable-buffer-size
Variable buffer size
2020-03-10 21:46:35 +04:00
Piotr Nowicki
0937ed29b9
Add an acceptance test for memory usage after handshake
Signed-off-by: Piotr Nowicki <piotr.nowicki@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2020-03-04 09:28:35 -05:00
Manuel Pégourié-Gonnard
f03c13c046
Merge pull request #3050 from mpg/skip-close-notify-dev
Fix possible close_notify/ClientHello confusion
2020-03-03 12:11:48 +01:00
Manuel Pégourié-Gonnard
56941fe6a2 Fix possible close_notify/ClientHello confusion
The ssl-opt.sh test cases using session resumption tend to fail occasionally
on the CI due to a race condition in how ssl_server2 and ssl_client2 handle
the reconnection cycle.

The server does the following in order:
- S1 send application data
- S2 send a close_notify alert
- S3 close the client socket
- S4 wait for a "new connection" (actually a new datagram)
- S5 start a handshake

The client does the following in order:
- C1 wait for and read application data from the server
- C2 send a close_notify alert
- C3 close the server socket
- C4 reset session data and re-open a server socket
- C5 start a handshake

If the client has been able to send the close_notify (C2) and if has been
delivered to the server before if closes the client socket (S3), when the
server reaches S4, the datagram that we start the new connection will be the
ClientHello and everything will be fine.

However if S3 wins the race and happens before the close_notify is delivered,
in S4 the close_notify is what will be seen as the first datagram in a new
connection, and then in S5 this will rightfully be rejected as not being a
valid ClientHello and the server will close the connection (and go wait for
another one). The client will then fail to read from the socket and exit
non-zero and the ssl-opt.sh harness will correctly report this as a failure.

In order to avoid this race condition in test using ssl_client2 and
ssl_server2, this commits introduces a new command-line option
skip_close_notify to ssl_client2 and uses it in all ssl-opt.sh tests that use
session resumption with DTLS and ssl_server2.

This works because ssl_server2 knows how many messages it expects in each
direction and in what order, and closes the connection after that rather than
relying on close_notify (which is also why there was a race in the first
place).

Tests that use another server (in practice there are two of them, using
OpenSSL as a server) wouldn't work with skip_close_notify, as the server won't
close the connection until the client sends a close_notify, but for the same
reason they don't need it (there is no race between receiving close_notify and
closing as the former is the cause of the later).

An alternative approach would be to make ssl_server2 keep the connection open
until it receives a close_notify. Unfortunately it creates problems for tests
where we simulate a lossy network, as the close_notify could be lost (and the
client can't retransmit it). We could modify udp_proxy with an option to never
drop alert messages, but when TLS 1.3 comes that would no longer work as the
type of messages will be encrypted.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2020-02-26 09:33:45 +01:00
Jaeden Amero
7cb47de12a query_config: Move to programs/test
As the SSL programs, like ssl_client2 and ssl_server2, are dependent on
SSL and therefore about to be removed, the only consumer of query_config
is the query_compile_time_config test. As such, it makes sense to move
query_config to be next to what uses it.
2020-02-11 19:26:27 +01:00
Gilles Peskine
4e8b594002 Fix uninitialized variable in an edge case
If `context_buf = mbedtls_calloc( 1, buf_len )` failed,
`context_buf_len` was not initialized. Noticed by
`gcc -Os -Werror=maybe-uninitialized`.

This was only a problem in ssl_server2 (a test program), only with
MBEDTLS_SSL_CONTEXT_SERIALIZATION enabled.
2020-02-03 19:49:55 +01:00
Gilles Peskine
2ac4d86040 Fix file leak in test program
A similar bug was fixed earlier in ssl_server2, but we missed the fix
in ssl_client2.
2020-01-21 17:39:52 +01:00
Piotr Nowicki
7d01ef6562 Added buffer-based mbedtls allocator support to ssl_client2 2019-11-25 15:52:48 +01:00
Piotr Nowicki
9926eaf695 Do not allow configuring zero-length PSK
fix error when calloc is called with size 0
2019-11-25 15:49:53 +01:00
k-stachowiak
bbc1c699fc Fix potential resource leak in sslserver2 example 2019-09-26 13:43:31 +02:00
Jaeden Amero
63d813d258 ssl: Disallow modification of hello.random by export
Make client_random and server_random const in
mbedtls_ssl_export_keys_ext_t, so that the key exporter is discouraged
from modifying the client/server hello.

Update examples and tests use const for hello.random as well, to ensure
that the export callbacks are of the proper type.

Fixes #2759
2019-09-12 15:18:25 +01:00
Hanno Becker
bc5308cb9a ssl_cli/srv2: Indicate nss_keylog and eap_tls are mut. exclusive 2019-09-09 11:38:51 +01:00
Hanno Becker
48f3a3d101 Add NSS keylog support to ssl_server2 and ssl_client2
This commit adds command line options

- nss_keylog=0/1
- nss_keylog_file=FILENAME

to the example programs ssl/ssl_client2 and ssl/ssl_server2 which
allow to print and export the session keys in the NSS keylog
for debugging purposes.
2019-09-09 10:30:16 +01:00
Jaeden Amero
8dd6bc7ac4 Merge remote-tracking branch 'origin/pr/2803' into development
* origin/pr/2803:
  Add a ChangeLog entry for mbedtls_net_close()
  Added mbedtls_net_close and use it in ssl_fork_server to correctly disassociate the client socket from the parent process and the server socket from the child process.
2019-09-03 16:41:51 +01:00
Christoph M. Wintersteiger
3669c80a90 Update generated files 2019-08-29 16:12:38 +01:00
Jarno Lamsa
472a2a2fcd Don't redefine calloc and free 2019-08-23 13:13:52 +03:00
Manuel Pégourié-Gonnard
9df5a82079 Actually reset the context on save as advertised
Also fix some wording in the documentation while at it.
2019-08-23 13:11:31 +03:00
Manuel Pégourié-Gonnard
13c8e68477 Change requirements for setting timer callback
The code wants timer callbacks to be set (checked in fetch_input()), and can't
easily check whether we're using nbio, so it seems easier to require the
callbacks to be always set rather than only with nbio as was previously done.
2019-08-23 13:11:31 +03:00