Merge branch 'development' into development-restricted

CMakeLists.txt

@@ -6,6 +6,7 @@ option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF)
 
 option(ENABLE_PROGRAMS "Build mbed TLS programs." ON)
 
+option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF)
 
 # the test suites currently have compile errors with MSVC
 if(MSVC)
@@ -14,6 +15,35 @@ else()
     option(ENABLE_TESTING "Build mbed TLS tests." ON)
 endif()
 
+find_package(Perl)
+if(PERL_FOUND)
+
+    # If NULL Entropy is configured, display an appropriate warning
+    execute_process(COMMAND ${PERL_EXECUTABLE} scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY
+                        RESULT_VARIABLE result)
+    if(${result} EQUAL 0)
+        message(WARNING "\
+            *******************************************************
+            ****  WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined!
+            ****  THIS BUILD HAS NO DEFINED ENTROPY SOURCES
+            ****  AND IS *NOT* SUITABLE FOR PRODUCTION USE
+            *******************************************************")
+        if(NOT UNSAFE_BUILD)
+            message(FATAL_ERROR "\
+\n\
+Warning! You have enabled MBEDTLS_TEST_NULL_ENTROPY. \
+This option is not safe for production use and negates all security \
+It is intended for development use only. \
+\n\
+To confirm you want to build with this option, re-run cmake with the \
+option: \n\
+  cmake -DUNSAFE_BUILD=ON ")
+
+            return()
+        endif()
+    endif()
+endif()
+
 set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
     CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
     FORCE)

Makefile

@@ -6,7 +6,7 @@ PREFIX=mbedtls_
 
 .PHONY: all no_test programs lib tests install uninstall clean test check covtest lcov apidoc apidoc_clean
 
-all: programs tests
+all: programs tests post_build
 
 no_test: programs
 
@@ -53,6 +53,20 @@ uninstall:
 	done
 endif
 
+WARNING_BORDER      =*******************************************************\n
+NULL_ENTROPY_WARN_L1=****  WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined! ****\n
+NULL_ENTROPY_WARN_L2=****  THIS BUILD HAS NO DEFINED ENTROPY SOURCES    ****\n
+NULL_ENTROPY_WARN_L3=****  AND IS *NOT* SUITABLE FOR PRODUCTION USE     ****\n
+
+NULL_ENTROPY_WARNING=\n$(WARNING_BORDER)$(NULL_ENTROPY_WARN_L1)$(NULL_ENTROPY_WARN_L2)$(NULL_ENTROPY_WARN_L3)$(WARNING_BORDER)
+
+# Post build steps
+post_build:
+	# If NULL Entropy is configured, display an appropriate warning
+	-scripts/config.pl get MBEDTLS_TEST_NULL_ENTROPY && ([ $$? -eq 0 ]) && \
+	    echo '$(NULL_ENTROPY_WARNING)'
+
+
 clean:
 	$(MAKE) -C library clean
 	$(MAKE) -C programs clean

include/mbedtls/ssl.h

@@ -232,7 +232,7 @@
  * Signaling ciphersuite values (SCSV)
  */
 #define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO    0xFF   /**< renegotiation info ext */
-#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< draft-ietf-tls-downgrade-scsv-00 */
+#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE         0x5600 /**< RFC 7507 section 2 */
 
 /*
  * Supported Signature and Hash algorithms (For TLS 1.2)
@@ -466,7 +466,7 @@ typedef int mbedtls_ssl_recv_t( void *ctx,
  * \param buf      Buffer to write the received data to
  * \param len      Length of the receive buffer
  * \param timeout  Maximum nomber of millisecondes to wait for data
- *                 0 means no timeout (potentially wait forever)
+ *                 0 means no timeout (potentially waiting forever)
  *
  * \return         The callback must return the number of bytes received,
  *                 or a non-zero error code:
@@ -514,9 +514,9 @@ typedef void mbedtls_ssl_set_timer_t( void * ctx,
  *
  * \return         This callback must return:
  *                 -1 if cancelled (fin_ms == 0),
- *                  0 if none of the delays is passed,
+ *                  0 if none of the delays have passed,
- *                  1 if only the intermediate delay is passed,
+ *                  1 if only the intermediate delay has passed,
- *                  2 if the final delay is passed.
+ *                  2 if the final delay has passed.
  */
 typedef int mbedtls_ssl_get_timer_t( void * ctx );
 
@@ -958,7 +958,7 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl );
  * \note           No copy of the configuration context is made, it can be
  *                 shared by many mbedtls_ssl_context structures.
  *
- * \warning        Modifying the conf structure after is has been used in this
+ * \warning        Modifying the conf structure after it has been used in this
  *                 function is unsupported!
  *
  * \param ssl      SSL context
@@ -1024,6 +1024,7 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
  *
  *  MBEDTLS_SSL_VERIFY_REQUIRED:  peer *must* present a valid certificate,
  *                        handshake is aborted if verification failed.
+ *                        (default on client)
  *
  * \note On client, MBEDTLS_SSL_VERIFY_REQUIRED is the recommended mode.
  * With MBEDTLS_SSL_VERIFY_OPTIONAL, the user needs to call mbedtls_ssl_get_verify_result() at
@@ -1161,14 +1162,14 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
  * \brief           Callback type: generate and write session ticket
  *
  * \note            This describes what a callback implementation should do.
- *                  This callback should generate and encrypted and
+ *                  This callback should generate an encrypted and
  *                  authenticated ticket for the session and write it to the
  *                  output buffer. Here, ticket means the opaque ticket part
  *                  of the NewSessionTicket structure of RFC 5077.
  *
  * \param p_ticket  Context for the callback
- * \param session   SSL session to bo written in the ticket
+ * \param session   SSL session to be written in the ticket
- * \param start     Start of the outpur buffer
+ * \param start     Start of the output buffer
  * \param end       End of the output buffer
  * \param tlen      On exit, holds the length written
  * \param lifetime  On exit, holds the lifetime of the ticket in seconds
@@ -1419,7 +1420,7 @@ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limi
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
 /**
- * \brief          Set retransmit timeout values for the DTLS handshale.
+ * \brief          Set retransmit timeout values for the DTLS handshake.
  *                 (DTLS only, no effect on TLS.)
  *
  * \param conf     SSL configuration
@@ -1517,7 +1518,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
 /**
  * \brief               Set the list of allowed ciphersuites and the preference
  *                      order. First in the list has the highest preference.
- *                      (Overrides all version specific lists)
+ *                      (Overrides all version-specific lists)
  *
  *                      The ciphersuites array is not copied, and must remain
  *                      valid for the lifetime of the ssl_config.
@@ -1897,8 +1898,8 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
  * \param protos   Pointer to a NULL-terminated list of supported protocols,
  *                 in decreasing preference order. The pointer to the list is
  *                 recorded by the library for later reference as required, so
- *                 the lifetime of the table should be as long as the
+ *                 the lifetime of the table must be atleast as long as the
- *                 SSL configuration structure.
+ *                 lifetime of the SSL configuration structure.
  *
  * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
  */
@@ -2012,7 +2013,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
  * \brief          Disable or enable support for RC4
  *                 (Default: MBEDTLS_SSL_ARC4_DISABLED)
  *
- * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC-7465
+ * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
  *                 for security reasons. Use at your own risk.
  *
  * \note           This function is deprecated and will likely be removed in
@@ -2094,7 +2095,7 @@ void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets
  *
  * \warning        It is recommended to always disable renegotation unless you
  *                 know you need it and you know what you're doing. In the
- *                 past, there has been several issues associated with
+ *                 past, there have been several issues associated with
  *                 renegotiation or a poor understanding of its properties.
  *
  * \note           Server-side, enabling renegotiation also makes the server
@@ -2334,8 +2335,8 @@ int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl );
  * \brief          Perform a single step of the SSL handshake
  *
  * \note           The state of the context (ssl->state) will be at
- *                 the following state after execution of this function.
+ *                 the next state after execution of this function. Do not
- *                 Do not call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
+ *                 call this function if state is MBEDTLS_SSL_HANDSHAKE_OVER.
  *
  * \note           If this function returns something other than 0 or
  *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context
@@ -2356,11 +2357,13 @@ int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl );
  * \brief          Initiate an SSL renegotiation on the running connection.
  *                 Client: perform the renegotiation right now.
  *                 Server: request renegotiation, which will be performed
- *                 during the next call to mbedtls_ssl_read() if honored by client.
+ *                 during the next call to mbedtls_ssl_read() if honored by
+ *                 client.
  *
  * \param ssl      SSL context
  *
- * \return         0 if successful, or any mbedtls_ssl_handshake() return value.
+ * \return         0 if successful, or any mbedtls_ssl_handshake() return
+ *                 value.
  *
  * \note           If this function returns something other than 0 or
  *                 MBEDTLS_ERR_SSL_WANT_READ/WRITE, then the ssl context

library/entropy.c

@@ -28,9 +28,9 @@
 #if defined(MBEDTLS_ENTROPY_C)
 
 #if defined(MBEDTLS_TEST_NULL_ENTROPY)
-#warning "**** WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined! ****"
+#warning "**** WARNING!  MBEDTLS_TEST_NULL_ENTROPY defined! "
-#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES    ****"
+#warning "**** THIS BUILD HAS NO DEFINED ENTROPY SOURCES "
-#warning "**** NOT SUITABLE FOR PRODUCTION                  ****"
+#warning "**** THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE "
 #endif
 
 #include "mbedtls/entropy.h"

scripts/config.pl

@@ -7,12 +7,13 @@
 # Purpose
 #
 # Comments and uncomments #define lines in the given header file and optionally
-# sets their value. This is to provide scripting control of what preprocessor
+# sets their value or can get the value. This is to provide scripting control of
-# symbols, and therefore what build time configuration flags are set in the
+# what preprocessor symbols, and therefore what build time configuration flags
-# 'config.h' file.
+# are set in the 'config.h' file.
 #
 # Usage: config.pl [-f <file> | --file <file>] [-o | --force]
-#                   [set <symbol> <value> | unset <symbol> | full | realfull]
+#                   [set <symbol> <value> | unset <symbol> | get <symbol> |
+#                       full | realfull]
 #
 # Full usage description provided below.
 #
@@ -43,16 +44,21 @@ use strict;
 my $config_file = "include/mbedtls/config.h";
 my $usage = <<EOU;
 $0 [-f <file> | --file <file>] [-o | --force]
-                   [set <symbol> <value> | unset <symbol> | full | realfull]
+                   [set <symbol> <value> | unset <symbol> | get <symbol> |
+                        full | realfull]
 
 Commands
-    set <symbol> [<value]   - Uncomments or adds a #define for the <symnol> to
+    set <symbol> [<value>]  - Uncomments or adds a #define for the <symbol> to
                               the configuration file, and optionally making it
                               of <value>.
                               If the symbol isn't present in the file an error
                               is returned.
-    unset <symbol>          - Comments out any #define present in the
+    unset <symbol>          - Comments out the #define for the given symbol if
-                              configuration file.
+                              present in the configuration file.
+    get <symbol>            - Finds the #define for the given symbol, returning
+                              an exitcode of 0 if the symbol is found, and -1 if
+                              not. The value of the symbol is output if one is
+                              specified in the configuration file.
     full                    - Uncomments all #define's in the configuration file
                               excluding some reserved symbols, until the
                               'Module configuration options' section
@@ -122,7 +128,7 @@ while ($arg = shift) {
             die $usage if @ARGV;
 
         }
-        elsif ($action eq "unset") {
+        elsif ($action eq "unset" || $action eq "get") {
             die $usage unless @ARGV;
             $name = shift;
 
@@ -195,6 +201,11 @@ for my $line (@config_lines) {
             $line .= "\n";
             $done = 1;
         }
+    } elsif (!$done && $action eq "get") {
+        if ($line =~ /^\s*#define\s*$name\s*(.*)\s*\b/) {
+            $value = $1;
+            $done = 1;
+        }
     }
 
     print $config_write $line;
@@ -214,6 +225,15 @@ if ($action eq "set"&& $force_option && !$done) {
 
 close $config_write;
 
+if ($action eq "get" && $done) {
+    if ($value ne '') {
+        print $value;
+    }
+    exit 0;
+} else {
+    exit -1;
+}
+
 if ($action eq "full" && !$done) {
     die "Configuration section was not found in $config_file\n";