From 5175ac6e133ad9569959bd18001337a46c946c15 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:36:25 +0100 Subject: [PATCH 01/10] Add tests for disabled MFL-extension to all.sh This commit adds a build with default config except MBEDTLS_SSL_MAX_FRAGMENT_LENGTH to all.sh, as well as a run of the MFL-related tests in ssl-opt.sh. --- tests/scripts/all.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d9c5bbfa4..258141dff 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -413,6 +413,16 @@ scripts/config.pl unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. scripts/config.pl set MBEDTLS_NO_PLATFORM_ENTROPY # uses syscall() on GNU/Linux CC=gcc CFLAGS='-Werror -Wall -Wextra -O0 -std=c99 -pedantic' make lib +msg "build: default config except MFL extension (ASan build)" # ~ 30s +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl unset MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . +make + +msg "test: ssl-opt.sh, MFL-related tests" +tests/ssl-opt.sh -f "Max fragment length" + msg "build: default config with MBEDTLS_TEST_NULL_ENTROPY (ASan build)" cleanup cp "$CONFIG_H" "$CONFIG_BAK" @@ -628,4 +638,3 @@ rm -rf "$OUT_OF_SOURCE_DIR" msg "Done, cleaning up" cleanup - From e4ad3e880309a6d52dc7e8733ee002b6bff4aacc Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:05:46 +0100 Subject: [PATCH 02/10] Allow requests of size larger than 16384 in ssl_client2 --- programs/ssl/ssl_client2.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 5032a9f3d..8e2feb1a1 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -63,6 +63,9 @@ int main( void ) #include #include +#define MAX_REQUEST_SIZE 20000 +#define MAX_REQUEST_SIZE_STR "20000" + #define DFL_SERVER_NAME "localhost" #define DFL_SERVER_ADDR NULL #define DFL_SERVER_PORT "4433" @@ -242,8 +245,8 @@ int main( void ) " server_addr=%%s default: given by name\n" \ " server_port=%%d default: 4433\n" \ " request_page=%%s default: \".\"\n" \ - " request_size=%%d default: about 34 (basic request)\n" \ - " (minimum: 0, max: 16384)\n" \ + " request_size=%%d default: about 34 (basic request)\n" \ + " (minimum: 0, max: " MAX_REQUEST_SIZE_STR " )\n" \ " debug_level=%%d default: 0 (disabled)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ @@ -437,7 +440,9 @@ int main( int argc, char *argv[] ) { int ret = 0, len, tail_len, i, written, frags, retry_left; mbedtls_net_context server_fd; - unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1]; + + unsigned char buf[MAX_REQUEST_SIZE + 1]; + #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -602,7 +607,8 @@ int main( int argc, char *argv[] ) else if( strcmp( p, "request_size" ) == 0 ) { opt.request_size = atoi( q ); - if( opt.request_size < 0 || opt.request_size > MBEDTLS_SSL_MAX_CONTENT_LEN ) + if( opt.request_size < 0 || + opt.request_size > MAX_REQUEST_SIZE ) goto usage; } else if( strcmp( p, "ca_file" ) == 0 ) @@ -1494,8 +1500,8 @@ send_request: mbedtls_printf( " > Write to server:" ); fflush( stdout ); - len = mbedtls_snprintf( (char *) buf, sizeof(buf) - 1, GET_REQUEST, - opt.request_page ); + len = mbedtls_snprintf( (char *) buf, sizeof( buf ) - 1, GET_REQUEST, + opt.request_page ); tail_len = (int) strlen( GET_REQUEST_END ); /* Add padding to GET request to reach opt.request_size in length */ @@ -1506,7 +1512,7 @@ send_request: len += opt.request_size - len - tail_len; } - strncpy( (char *) buf + len, GET_REQUEST_END, sizeof(buf) - len - 1 ); + strncpy( (char *) buf + len, GET_REQUEST_END, sizeof( buf ) - len - 1 ); len += tail_len; /* Truncate if request size is smaller than the "natural" size */ @@ -1550,6 +1556,12 @@ send_request: frags = 1; written = ret; + + if( written < len ) + { + mbedtls_printf( " warning\n ! request didn't fit into single datagram and " + "was truncated to size %u", (unsigned) written ); + } } buf[written] = '\0'; From 4aed27e469172a05ae38a98e6492aabbc4898923 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:00:34 +0100 Subject: [PATCH 03/10] Add missing test-dependencies for MBEDTLS_SSL_MAX_FRAGMENT_LENGTH The tests for the maximum fragment length extension were lacking a dependency on MBEDTLS_SSL_MAX_FRAGMENT_LENGTH being set in the config. --- tests/ssl-opt.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 280fc6348..2ea8f9503 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1293,6 +1293,7 @@ run_test "Session resume using cache: openssl server" \ # Tests for Max Fragment Length extension run_test "Max fragment length: not used, reference" \ +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ @@ -1303,6 +1304,7 @@ run_test "Max fragment length: not used, reference" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=4096" \ @@ -1314,6 +1316,7 @@ run_test "Max fragment length: used by client" \ -s "server hello, max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by server" \ "$P_SRV debug_level=3 max_frag_len=4096" \ "$P_CLI debug_level=3" \ @@ -1325,6 +1328,7 @@ run_test "Max fragment length: used by server" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH requires_gnutls run_test "Max fragment length: gnutls server" \ "$G_SRV" \ @@ -1334,6 +1338,7 @@ run_test "Max fragment length: gnutls server" \ -c "client hello, adding max_fragment_length extension" \ -c "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, message just fits" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2048" \ @@ -1347,6 +1352,7 @@ run_test "Max fragment length: client, message just fits" \ -c "2048 bytes written in 1 fragments" \ -s "2048 bytes read" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: client, larger message" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3 max_frag_len=2048 request_size=2345" \ @@ -1361,6 +1367,7 @@ run_test "Max fragment length: client, larger message" \ -s "2048 bytes read" \ -s "297 bytes read" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: DTLS client, larger message" \ "$P_SRV debug_level=3 dtls=1" \ "$P_CLI debug_level=3 dtls=1 max_frag_len=2048 request_size=2345" \ From c526696c05a7a98b21f8b1aafae268393608e2a2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:01:50 +0100 Subject: [PATCH 04/10] Add tests for messages beyond 16384 bytes to ssl-opt.sh This commit adds four tests to ssl-opt.sh testing the library's behavior when `mbedtls_ssl_write` is called with messages beyond 16384 bytes. The combinations tested are TLS vs. DTLS and MBEDTLS_SSL_MAX_FRAGMENT_LENGTH enabled vs. disabled. --- tests/ssl-opt.sh | 50 +++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2ea8f9503..9d476b410 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1292,8 +1292,8 @@ run_test "Session resume using cache: openssl server" \ # Tests for Max Fragment Length extension -run_test "Max fragment length: not used, reference" \ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ "$P_CLI debug_level=3" \ 0 \ @@ -1304,6 +1304,54 @@ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length: enabled, default, larger message" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3 request_size=20000" \ + 0 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 16384" \ + -C "client hello, adding max_fragment_length extension" \ + -S "found max fragment length extension" \ + -S "server hello, max_fragment_length extension" \ + -C "found max_fragment_length extension" \ + -c "20000 bytes written in 2 fragments" \ + -s "16384 bytes read" \ + -s "3616 bytes read" + +requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length, DTLS: enabled, default, larger message" \ + "$P_SRV debug_level=3 dtls=1" \ + "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + 1 \ + -c "Maximum fragment length is 16384" \ + -s "Maximum fragment length is 16384" \ + -C "client hello, adding max_fragment_length extension" \ + -S "found max fragment length extension" \ + -S "server hello, max_fragment_length extension" \ + -C "found max_fragment_length extension" \ + -c "fragment larger than.*maximum " + +requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length: disabled, larger message" \ + "$P_SRV debug_level=3" \ + "$P_CLI debug_level=3 request_size=20000" \ + 0 \ + -C "Maximum fragment length is 16384" \ + -S "Maximum fragment length is 16384" \ + -c "20000 bytes written in 2 fragments" \ + -s "16384 bytes read" \ + -s "3616 bytes read" + +requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +run_test "Max fragment length DTLS: disabled, larger message" \ + "$P_SRV debug_level=3 dtls=1" \ + "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + 1 \ + -C "Maximum fragment length is 16384" \ + -S "Maximum fragment length is 16384" \ + -c "fragment larger than.*maximum " + requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: used by client" \ "$P_SRV debug_level=3" \ From 09930d1f019ded3138087bc1e95d5917c3624629 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 15:04:19 +0100 Subject: [PATCH 05/10] Add expected number of fragments to 16384-byte packet tests --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9d476b410..50b7d1536 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3382,6 +3382,7 @@ run_test "Large packet SSLv3 BlockCipher" \ "$P_CLI request_size=16384 force_version=ssl3 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 @@ -3390,6 +3391,7 @@ run_test "Large packet SSLv3 StreamCipher" \ "$P_CLI request_size=16384 force_version=ssl3 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.0 BlockCipher" \ @@ -3397,6 +3399,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ @@ -3405,6 +3408,7 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ @@ -3413,6 +3417,7 @@ run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 BlockCipher" \ @@ -3420,6 +3425,7 @@ run_test "Large packet TLS 1.1 BlockCipher" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 StreamCipher" \ @@ -3427,6 +3433,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ @@ -3435,6 +3442,7 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ @@ -3443,6 +3451,7 @@ run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 BlockCipher" \ @@ -3450,6 +3459,7 @@ run_test "Large packet TLS 1.2 BlockCipher" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ @@ -3457,6 +3467,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ @@ -3465,6 +3476,7 @@ run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 StreamCipher" \ @@ -3472,6 +3484,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ @@ -3480,6 +3493,7 @@ run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 AEAD" \ @@ -3487,6 +3501,7 @@ run_test "Large packet TLS 1.2 AEAD" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" run_test "Large packet TLS 1.2 AEAD shorter tag" \ @@ -3494,6 +3509,7 @@ run_test "Large packet TLS 1.2 AEAD shorter tag" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CCM-8" \ 0 \ + -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" # Tests for DTLS HelloVerifyRequest From 2b187c4d5f02e7ff76015c6d1fc9e9c874ee9353 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 14:58:11 +0100 Subject: [PATCH 06/10] Correct typo --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 661ae7065..228f97def 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7100,7 +7100,7 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, * * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, * then the caller will call us again with the same arguments, so - * remember wether we already did the split or not. + * remember whether we already did the split or not. */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) static int ssl_write_split( mbedtls_ssl_context *ssl, From 0b7b83fd91dfa45c446b41f0dfa3b897b5bc4e16 Mon Sep 17 00:00:00 2001 From: Florin Date: Sat, 22 Jul 2017 09:01:44 +0200 Subject: [PATCH 07/10] Fixed SIGSEGV problem when writing with ssl_write_real a buffer that is over MBEDTLS_SSL_MAX_CONTENT_LEN bytes Signed-off-by: Florin --- library/ssl_tls.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 228f97def..b6e0eaa82 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7054,7 +7054,9 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, int ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) size_t max_len = mbedtls_ssl_get_max_frag_len( ssl ); - +#else + size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN; +#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ if( len > max_len ) { #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -7069,7 +7071,6 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, #endif len = max_len; } -#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ if( ssl->out_left != 0 ) { From 930025da6da15d9989a31a93d47c7e84181e370c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Sep 2017 16:07:19 +0100 Subject: [PATCH 08/10] Adapt ChangeLog --- ChangeLog | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ChangeLog b/ChangeLog index 227faed6b..1154075e0 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,17 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.x.x branch released xxxx-xx-xx + +Security + * Fix a potential heap buffer overflow in mbedtls_ssl_write. When the (by + default enabled) maximum fragment length extension is disabled in the + config and the application data buffer passed to mbedtls_ssl_write + is larger than the internal message buffer (16384 bytes by default), the + latter overflows. The exploitability of this issue depends on whether the + application layer can be forced into sending such large packets. The issue + was independently reported by Tim Nordell via e-mail and by Florin Petriuc + and sjorsdewit on GitHub. Fix proposed by Florin Petriuc in #1022. Fixes #707. + = mbed TLS 2.6.0 branch released 2017-08-10 Security From 6428f8d78e620c9c4853dd64b14d75b9ce941972 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 22 Sep 2017 16:58:50 +0100 Subject: [PATCH 09/10] Let ssl-opt.sh gracefully fail is SSL_MAX_CONTENT_LEN is not 16384 Some tests in ssl-opt.sh require MBEDTLS_SSL_MAX_CONTENT_LEN to be set to its default value of 16384 to succeed. While ideally such a dependency should not exist, as a short-term remedy this commit adds a small check that will at least lead to graceful exit if that assumption is violated. --- tests/ssl-opt.sh | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 50b7d1536..4865043b2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1292,6 +1292,21 @@ run_test "Session resume using cache: openssl server" \ # Tests for Max Fragment Length extension +MAX_CONTENT_LEN_EXPECT='16384' +MAX_CONTENT_LEN_CONFIG=$( ../scripts/config.pl get MBEDTLS_SSL_MAX_CONTENT_LEN) + +if [ -n "$MAX_CONTENT_LEN_CONFIG" ] && [ "$MAX_CONTENT_LEN_CONFIG" -ne "$MAX_CONTENT_LEN_EXPECT" ]; then + printf "The ${CONFIG_H} file contains a value for the configuration of\n" + printf "MBEDTLS_SSL_MAX_CONTENT_LEN that is different from the script’s\n" + printf "test value of ${MAX_CONTENT_LEN_EXPECT}. \n" + printf "\n" + printf "The tests assume this value and if it changes, the tests in this\n" + printf "script should also be adjusted.\n" + printf "\n" + + exit 1 +fi + requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: enabled, default" \ "$P_SRV debug_level=3" \ From 9cfabe3597d1fadf5ed7791973d1490c98719157 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 18 Oct 2017 14:42:01 +0100 Subject: [PATCH 10/10] Use a conservative excess of the maximum fragment length in tests This leads to graceful test failure instead of crash when run on the previous code. --- tests/ssl-opt.sh | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 4865043b2..d4096e744 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1322,7 +1322,7 @@ run_test "Max fragment length: enabled, default" \ requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: enabled, default, larger message" \ "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 request_size=20000" \ + "$P_CLI debug_level=3 request_size=16385" \ 0 \ -c "Maximum fragment length is 16384" \ -s "Maximum fragment length is 16384" \ @@ -1330,14 +1330,14 @@ run_test "Max fragment length: enabled, default, larger message" \ -S "found max fragment length extension" \ -S "server hello, max_fragment_length extension" \ -C "found max_fragment_length extension" \ - -c "20000 bytes written in 2 fragments" \ + -c "16385 bytes written in 2 fragments" \ -s "16384 bytes read" \ - -s "3616 bytes read" + -s "1 bytes read" requires_config_enabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length, DTLS: enabled, default, larger message" \ "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + "$P_CLI debug_level=3 dtls=1 request_size=16385" \ 1 \ -c "Maximum fragment length is 16384" \ -s "Maximum fragment length is 16384" \ @@ -1350,18 +1350,18 @@ run_test "Max fragment length, DTLS: enabled, default, larger message" \ requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length: disabled, larger message" \ "$P_SRV debug_level=3" \ - "$P_CLI debug_level=3 request_size=20000" \ + "$P_CLI debug_level=3 request_size=16385" \ 0 \ -C "Maximum fragment length is 16384" \ -S "Maximum fragment length is 16384" \ - -c "20000 bytes written in 2 fragments" \ + -c "16385 bytes written in 2 fragments" \ -s "16384 bytes read" \ - -s "3616 bytes read" + -s "1 bytes read" requires_config_disabled MBEDTLS_SSL_MAX_FRAGMENT_LENGTH run_test "Max fragment length DTLS: disabled, larger message" \ "$P_SRV debug_level=3 dtls=1" \ - "$P_CLI debug_level=3 dtls=1 request_size=20000" \ + "$P_CLI debug_level=3 dtls=1 request_size=16385" \ 1 \ -C "Maximum fragment length is 16384" \ -S "Maximum fragment length is 16384" \