eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Removal of constants and functions and a new ChangeLog file

Browse source 
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
This commit is contained in:
TRodziewicz 2021-05-13 10:34:48 +02:00
parent 0f82ec6740
commit 28126050f2
8 changed files with 9 additions and 115 deletions
Download patch file Download diff file Expand all files Collapse all files

9
ChangeLog.d/issue4286.txt Normal file
View file

@ -0,0 +1,9 @@
Removals
* Remove the following deprecated library constants
MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1,
MBEDTLS_SSL_CBC_RECORD_SPLITTING,
MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions
ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test
function component_test_variable_ssl_in_out_buffer_len_record_splitting().
Fixes #4286.

12
include/mbedtls/config.h
View file

@ -1592,18 +1592,6 @@
*/ */
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
/**
* \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
*
* Enable 1/n-1 record splitting for CBC mode in TLS.
*
* This is a countermeasure to the BEAST attack, which also minimizes the risk
* of interoperability issues compared to sending 0-length records.
*
* Comment this macro to disable 1/n-1 record splitting.
*/
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
/** /**
* \def MBEDTLS_SSL_RENEGOTIATION * \def MBEDTLS_SSL_RENEGOTIATION
* *

10
include/mbedtls/ssl.h
View file

@ -198,9 +198,6 @@
#define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED 0
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED 1
#define MBEDTLS_SSL_PRESET_DEFAULT 0 #define MBEDTLS_SSL_PRESET_DEFAULT 0
#define MBEDTLS_SSL_PRESET_SUITEB 2 #define MBEDTLS_SSL_PRESET_SUITEB 2
@ -1192,9 +1189,6 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
unsigned int anti_replay : 1; /*!< detect and prevent replay? */ unsigned int anti_replay : 1; /*!< detect and prevent replay? */
#endif #endif
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
unsigned int disable_renegotiation : 1; /*!< disable renegotiation? */ unsigned int disable_renegotiation : 1; /*!< disable renegotiation? */
#endif #endif
@ -1356,10 +1350,6 @@ struct mbedtls_ssl_context
uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */ uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
signed char split_done; /*!< current record already splitted? */
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
/* /*
* PKI layer * PKI layer
*/ */

42
library/ssl_msg.c
View file

@ -5475,44 +5475,6 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
return( (int) len ); return( (int) len );
} }
/*
* Write application data, doing 1/n-1 splitting if necessary.
*
* With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
* then the caller will call us again with the same arguments, so
* remember whether we already did the split or not.
*/
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
static int ssl_write_split( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ssl->conf->cbc_record_splitting ==
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
len <= 1 ||
ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
!= MBEDTLS_MODE_CBC )
{
return( ssl_write_real( ssl, buf, len ) );
}
if( ssl->split_done == 0 )
{
if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
return( ret );
ssl->split_done = 1;
}
if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
return( ret );
ssl->split_done = 0;
return( ret + 1 );
}
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
/* /*
* Write application data (public-facing wrapper) * Write application data (public-facing wrapper)
*/ */
@ -5542,11 +5504,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_
} }
} }
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
ret = ssl_write_split( ssl, buf, len );
#else
ret = ssl_write_real( ssl, buf, len ); ret = ssl_write_real( ssl, buf, len );
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );

15
library/ssl_tls.c
View file

@ -3307,10 +3307,6 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
ssl->out_msgtype = 0; ssl->out_msgtype = 0;
ssl->out_msglen = 0; ssl->out_msglen = 0;
ssl->out_left = 0; ssl->out_left = 0;
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
ssl->split_done = 0;
#endif
memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
@ -4202,13 +4198,6 @@ void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
} }
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
{
conf->cbc_record_splitting = split;
}
#endif
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
{ {
conf->allow_legacy_renegotiation = allow_legacy; conf->allow_legacy_renegotiation = allow_legacy;
@ -6234,10 +6223,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
#endif #endif
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
conf->f_cookie_write = ssl_cookie_write_dummy; conf->f_cookie_write = ssl_cookie_write_dummy;
conf->f_cookie_check = ssl_cookie_check_dummy; conf->f_cookie_check = ssl_cookie_check_dummy;

3
programs/fuzz/fuzz_client.c
View file

@ -109,9 +109,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED); mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
#endif #endif
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED ); mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
#endif #endif

15
programs/ssl/ssl_client2.c
View file

@ -248,13 +248,6 @@ int main( void )
#define USAGE_MAX_FRAG_LEN "" #define USAGE_MAX_FRAG_LEN ""
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
#define USAGE_RECSPLIT \
" recsplit=0/1 default: (library default: on)\n"
#else
#define USAGE_RECSPLIT
#endif
#if defined(MBEDTLS_DHM_C) #if defined(MBEDTLS_DHM_C)
#define USAGE_DHMLEN \ #define USAGE_DHMLEN \
" dhmlen=%%d default: (library default: 1024 bits)\n" " dhmlen=%%d default: (library default: 1024 bits)\n"
@ -414,7 +407,6 @@ int main( void )
USAGE_ETM \ USAGE_ETM \
USAGE_REPRODUCIBLE \ USAGE_REPRODUCIBLE \
USAGE_CURVES \ USAGE_CURVES \
USAGE_RECSPLIT \
USAGE_DHMLEN \ USAGE_DHMLEN \
"\n" "\n"
#define USAGE4 \ #define USAGE4 \
@ -1780,13 +1772,6 @@ int main( int argc, char *argv[] )
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */ #endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
if( opt.recsplit != DFL_RECSPLIT )
mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit
? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
: MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
#endif
#if defined(MBEDTLS_DHM_C) #if defined(MBEDTLS_DHM_C)
if( opt.dhmlen != DFL_DHMLEN ) if( opt.dhmlen != DFL_DHMLEN )
mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen ); mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen );

18
tests/scripts/all.sh
View file

@ -2043,24 +2043,6 @@ component_test_variable_ssl_in_out_buffer_len_CID () {
if_build_succeeded tests/compat.sh if_build_succeeded tests/compat.sh
} }
component_test_variable_ssl_in_out_buffer_len_record_splitting () {
msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
scripts/config.py set MBEDTLS_SSL_CBC_RECORD_SPLITTING
CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING"
make test
msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled"
if_build_succeeded tests/ssl-opt.sh
msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled"
if_build_succeeded tests/compat.sh
}
component_test_ssl_alloc_buffer_and_mfl () { component_test_ssl_alloc_buffer_and_mfl () {
msg "build: default config with memory buffer allocator and MFL extension" msg "build: default config with memory buffer allocator and MFL extension"
scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C