In wait_server_start, fork less. When lsof is present, call it on the
expected process. This saves a few percent of execution time on a
lightly loaded machine. Also, sleep for a short duration rather than
using a tight loop.
Previously, MAC validation for an incoming record proceeded as follows:
1) Make a copy of the MAC contained in the record;
2) Compute the expected MAC in place, overwriting the presented one;
3) Compare both.
This resulted in a record buffer overflow if truncated MAC was used, as in this
case the record buffer only reserved 10 bytes for the MAC, but the MAC
computation routine in 2) always wrote a full digest.
For specially crafted records, this could be used to perform a controlled write of
up to 6 bytes past the boundary of the heap buffer holding the record, thereby
corrupting the heap structures and potentially leading to a crash or remote code
execution.
This commit fixes this by making the following change:
1) Compute the expected MAC in a temporary buffer that has the size of the
underlying message digest.
2) Compare to this to the MAC contained in the record, potentially
restricting to the first 10 bytes if truncated HMAC is used.
A similar fix is applied to the encryption routine `ssl_encrypt_buf`.
This commit adds regression tests for the bug when we didn't parse the
Signature Algorithm extension when renegotiating. (By nature, this bug
affected only the server)
The tests check for the fallback hash (SHA1) in the server log to detect
that the Signature Algorithm extension hasn't been parsed at least in
one of the handshakes.
A more direct way of testing is not possible with the current test
framework, since the Signature Algorithm extension is parsed in the
first handshake and any corresponding debug message is present in the
logs.
The check uses grep, not config.pl, on the x509 headers - not where it should
be configured - config.h. grep syntax isn't very portable. Without config.pl
it's quite hard to do this check properly so removing this check.
Some tests in ssl-opt.sh assumes the value 8 for the maximal number
POLARSSL_X509_MAX_INTERMEDIATE_CA of intermediate CA's. This commit
adds a check before conducting the respective tests.
If the first test to be run according to -e and -f options is just after a
test that would have been skipped due to a require_xxx instruction, then it
would be incorrectly skipped.
This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.
In a USENIX WOOT '16 paper the authors exploit implementation
mistakes that cause Initialisation Vectors (IV) to repeat. This
did not happen in mbed TLS, and this test makes sure that this
won't happen in the future either.
A new test option is introduced to ssl-opt.sh that checks the server
and client logs for a pattern and fails in case there are any
duplicates in the lines following the matching ones. (This is
necessary because of the structure of the logging)
Added a test case as well to utilise the new option. This test forces
the TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 ciphersuite to make the
client and the server use an AEAD cipher.
Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky and Philipp
Jovanovic, "Nonce-Disrespecting Adversaries: Practical Forgery Attacks
on GCM in TLS", USENIX WOOT '16
Rather than flat-out die when we can't see the server started with lsof, just
stop waiting and try to go ahead with the test. Maybe it'll work if there was
a problem with lsof, most probably it will fail, but at least we'll have the
log, and the results of the following tests.
Note: date +%s isn't POSIX, but it works at least on Linux, Darwin/FreeBSD and
OpenBSD, which should be good enough for a test script.
With exchanges == renego period, sometimes the connection will be closed by
the client before the server had time to read the ClientHello, making the test
fail. The extra exchange avoids that.
Rationale: if people want to disable RC4 but otherwise keep the default suite
list, it was cumbersome. Also, since it uses a global array,
ssl_list_ciphersuite() is not a convenient place. So the SSL modules look like
the best place, even if it means temporarily adding one SSL setting.
Reading the documentation of ssl_set_truncated_hmac() may give the impression
I changed the default for clients but I didn't, the old documentation was
wrong.
