commit 2ab5cf658facf614f658391a8370e7cac3fd663f
author Jaeden Amero <jaeden.amero@arm.com> Thu May 23 09:08:55 2019 +0100
committer Jaeden Amero <jaeden.amero@arm.com> Thu May 23 09:08:55 2019 +0100
tree ccd83cda23149f304678a223a2fee0a879972333
parent a542bb6de6edff0fe01a486bf93ab236283b1693
parent a76773fd2d585d69bd5a3c7c2224e95a32aee08e

Merge remote-tracking branch 'origin/pr/2403' into development

* origin/pr/2403: (24 commits)
  crypto: Update to Mbed Crypto 8907b019e756
  Create seedfile before running tests
  crypto: Update to Mbed Crypto 81f953903764
  ssl_cli.c : add explicit casting to unsigned char
  Generating visualc files - let Mbed TLS take precedence over crypto
  Add a link to the seedfile for out-of-tree cmake builds
  Adjust visual studio file generation to always use the crypto submodule
  all.sh: unparallelize mingw tests
  all.sh - disable parallelization for shared target tests
  config.pl: disable PSA_ITS_FILE and PSA_CRYPTO_STORAGE for baremetal
  all.sh: unset crypto storage define in a psa full config cmake asan test
  all.sh: unset FS_IO-dependent defines for tests that do not have it
  curves.pl - change test script to not depend on the implementation
  Export the submodule flag to sub-cmakes
  Disable MBEDTLS_ECP_RESTARTABLE in full config
  Export the submodule flag to sub-makes
  Force the usage of crypto submodule
  Fix crypto submodule usage in Makefile
  Documentation rewording
  Typo fixes in documentation
  ...

ChangeLog

diff --git a/ChangeLog b/ChangeLog
index d333692..764e447 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -46,6 +46,9 @@
      for the parameter.
    * Add a check for MBEDTLS_X509_CRL_PARSE_C in ssl_server2, guarding the crl
      sni entry parameter. Reported by inestlerode in #560.
+   * Set the next sequence of the subject_alt_name to NULL when deleting
+     sequence on failure. Found and fix suggested by Philippe Antoine.
+     Credit to OSS-Fuzz.
 
 API Changes
    * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
@@ -66,6 +69,8 @@
      Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
    * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
      Contributed by Peter Kolbus (Garmin).
+   * Change wording in the `mbedtls_ssl_conf_max_frag_len()`'s documentation to
+     improve clarity. Fixes #2258.
 
 = mbed TLS 2.17.0 branch released 2019-03-19
 

include/mbedtls/ssl.h

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index a460e20..208b6c6 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2820,13 +2820,19 @@
 
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 /**
- * \brief          Set the maximum fragment length to emit and/or negotiate
- *                 (Default: the smaller of MBEDTLS_SSL_IN_CONTENT_LEN and
- *                 MBEDTLS_SSL_OUT_CONTENT_LEN, usually 2^14 bytes)
+ * \brief          Set the maximum fragment length to emit and/or negotiate.
+ *                 (Typical: the smaller of #MBEDTLS_SSL_IN_CONTENT_LEN and
+ *                 #MBEDTLS_SSL_OUT_CONTENT_LEN, usually `2^14` bytes)
  *                 (Server: set maximum fragment length to emit,
- *                 usually negotiated by the client during handshake
+ *                 usually negotiated by the client during handshake)
  *                 (Client: set maximum fragment length to emit *and*
  *                 negotiate with the server during handshake)
+ *                 (Default: #MBEDTLS_SSL_MAX_FRAG_LEN_NONE)
+ *
+ * \note           On the client side, the maximum fragment length extension
+ *                 *will not* be used, unless the maximum fragment length has
+ *                 been set via this function to a value different than
+ *                 #MBEDTLS_SSL_MAX_FRAG_LEN_NONE.
  *
  * \note           With TLS, this currently only affects ApplicationData (sent
  *                 with \c mbedtls_ssl_read()), not handshake messages.

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 708dbf7..dfd22f6 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -681,6 +681,7 @@
                                           sizeof( mbedtls_x509_sequence ) );
                 mbedtls_free( seq_prv );
             }
+            subject_alt_name->next = NULL;
             return( ret );
         }
 

tests/scripts/all.sh

diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 11e2b2f..86c0ce5 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -597,7 +597,7 @@
 
 component_check_names () {
     msg "test/build: declared and exported names" # < 3s
-    record_status tests/scripts/check-names.sh
+    record_status tests/scripts/check-names.sh -v
 }
 
 component_check_doxygen_warnings () {

tests/scripts/check-names.sh

diff --git a/tests/scripts/check-names.sh b/tests/scripts/check-names.sh
index f18a162..90ecfd2 100755
--- a/tests/scripts/check-names.sh
+++ b/tests/scripts/check-names.sh
@@ -2,26 +2,42 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
-#
-# Purpose
-#
-# This script confirms that the naming of all symbols and identifiers in mbed
-# TLS are consistent with the house style and are also self-consistent.
-#
+# Copyright (c) 2015-2019, ARM Limited, All Rights Reserved
+
 set -eu
 
+if [ $# -ne 0 ] && [ "$1" = "--help" ]; then
+    cat <<EOF
+$0 [-v]
+This script confirms that the naming of all symbols and identifiers in mbed
+TLS are consistent with the house style and are also self-consistent.
+
+  -v    If the script fails unexpectedly, print a command trace.
+EOF
+    exit
+fi
+
 if grep --version|head -n1|grep GNU >/dev/null; then :; else
     echo "This script requires GNU grep.">&2
     exit 1
 fi
 
+trace=
+if [ $# -ne 0 ] && [ "$1" = "-v" ]; then
+  shift
+  trace='-x'
+  exec 2>check-names.err
+  trap 'echo "FAILED UNEXPECTEDLY, status=$?";
+        cat check-names.err' EXIT
+  set -x
+fi
+
 printf "Analysing source code...\n"
 
-tests/scripts/list-macros.sh
+sh $trace tests/scripts/list-macros.sh
 tests/scripts/list-enum-consts.pl
-tests/scripts/list-identifiers.sh
-tests/scripts/list-symbols.sh
+sh $trace tests/scripts/list-identifiers.sh
+sh $trace tests/scripts/list-symbols.sh
 
 FAIL=0
 
@@ -82,6 +98,12 @@
     FAIL=1
 fi
 
+if [ -n "$trace" ]; then
+  set +x
+  trap - EXIT
+  rm check-names.err
+fi
+
 printf "\nOverall: "
 if [ "$FAIL" -eq 0 ]; then
     rm macros actual-macros enum-consts identifiers exported-symbols

tests/scripts/list-symbols.sh

diff --git a/tests/scripts/list-symbols.sh b/tests/scripts/list-symbols.sh
index c258719..ffdce8f 100755
--- a/tests/scripts/list-symbols.sh
+++ b/tests/scripts/list-symbols.sh
@@ -14,8 +14,20 @@
 
 cp include/mbedtls/config.h include/mbedtls/config.h.bak
 scripts/config.pl full
-CFLAGS=-fno-asynchronous-unwind-tables make clean lib >/dev/null 2>&1
+make_ret=
+CFLAGS=-fno-asynchronous-unwind-tables make clean lib \
+      >list-symbols.make.log 2>&1 ||
+  {
+    make_ret=$?
+    echo "Build failure: CFLAGS=-fno-asynchronous-unwind-tables make clean lib"
+    cat list-symbols.make.log >&2
+  }
+rm list-symbols.make.log
 mv include/mbedtls/config.h.bak include/mbedtls/config.h
+if [ -n "$make_ret" ]; then
+    exit "$make_ret"
+fi
+
 if uname | grep -F Darwin >/dev/null; then
     nm -gUj library/libmbed*.a 2>/dev/null | sed -n -e 's/^_//p'
 elif uname | grep -F Linux >/dev/null; then

tests/suites/test_suite_x509parse.data

diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index ab3880a..ec5c057 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -1214,6 +1214,10 @@
 depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
 x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a301F0603551d2004183020301F0603551D200418301630140604551D2000300C300A06082B0601050507020101010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
 
+X509 Certificate ASN1 (TBSCertificate v3, ext SubjectAlternativeName malformed)
+depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
+x509parse_crt:"30820220308201ffa0030201020209202020202020202020300d06092a864886f70d01010505003045310b30090603202020130220203113301106032020200c0a202020202020202020203121301f06032020200c18202020202020202020202020202020202020202020202020301e170d3134303432333230353034305a170d3137303432323230353034305a3045310b30090603202020130220203113301106032020200c0a202020202020202020203121301f06032020200c1820202020202020202020202020202020202020202020202030819f300d06092a864886f70d010101050003818d003081890281812020202020202020ff20202020202020202020202020202020202020ff202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020ff020320ffffa350304e301d0603202020041620202020202020202020202020202020202020202020301f0603551d11041830169104202020208000be002020202020202020202020202020202020202020202020202020202020202020ff20202020202020202020202020202020202020ff2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020ff2020ff202020202020202020202020202020ff2020202020202020202020202020202020202020202020202020":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA
+
 X509 Certificate ASN1 (TBSCertificate v3, ext BasicContraint tag, bool len missing)
 depends_on:MBEDTLS_RSA_C:MBEDTLS_MD2_C
 x509parse_crt:"308198308195a0030201028204deadbeef300d06092a864886f70d0101020500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa101aaa201bba30c300a30060603551d1301010100":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_OUT_OF_DATA