From 0f82ec67409aea9516795e301492a6ab240b4de7 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 12 May 2021 17:49:18 +0200 Subject: [PATCH 01/11] Remove the TLS 1.0 and 1.1 support Signed-off-by: TRodziewicz --- configs/config-mini-tls1_1.h | 79 ---- include/mbedtls/check_config.h | 37 +- include/mbedtls/config.h | 51 +-- include/mbedtls/ssl.h | 30 +- library/ssl_cli.c | 66 +-- library/ssl_cookie.c | 3 +- library/ssl_misc.h | 39 +- library/ssl_msg.c | 84 ++-- library/ssl_srv.c | 45 +- library/ssl_tls.c | 393 +--------------- programs/ssl/ssl_client2.c | 40 +- programs/ssl/ssl_server2.c | 34 +- tests/compat.sh | 18 +- tests/scripts/basic-build-test.sh | 2 +- tests/scripts/test-ref-configs.pl | 3 - tests/ssl-opt.sh | 719 ------------------------------ 16 files changed, 84 insertions(+), 1559 deletions(-) delete mode 100644 configs/config-mini-tls1_1.h diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h deleted file mode 100644 index 83d1ab713..000000000 --- a/configs/config-mini-tls1_1.h +++ /dev/null 
@@ -1,79 +0,0 @@ -/** - * \file config-mini-tls1_1.h - * - * \brief Minimal configuration for TLS 1.1 (RFC 4346) - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * Minimal configuration for TLS 1.1 (RFC 4346), implementing only the - * required ciphersuite: MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA - * - * See README.txt for usage instructions. - */ - -#ifndef MBEDTLS_CONFIG_H -#define MBEDTLS_CONFIG_H - -/* System support */ -#define MBEDTLS_HAVE_ASM -#define MBEDTLS_HAVE_TIME - -/* mbed TLS feature support */ -#define MBEDTLS_CIPHER_MODE_CBC -#define MBEDTLS_PKCS1_V15 -#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -#define MBEDTLS_SSL_PROTO_TLS1_1 - -/* mbed TLS modules */ -#define MBEDTLS_AES_C -#define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_BIGNUM_C -#define MBEDTLS_CIPHER_C -#define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_DES_C -#define MBEDTLS_ENTROPY_C -#define MBEDTLS_MD_C -#define MBEDTLS_MD5_C -#define MBEDTLS_NET_C -#define MBEDTLS_OID_C -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_RSA_C -#define MBEDTLS_SHA1_C -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. 
*/ -#define MBEDTLS_SHA224_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SSL_CLI_C -#define MBEDTLS_SSL_SRV_C -#define MBEDTLS_SSL_TLS_C -#define MBEDTLS_X509_CRT_PARSE_C -#define MBEDTLS_X509_USE_C - -/* For test certificates */ -#define MBEDTLS_BASE64_C -#define MBEDTLS_PEM_PARSE_C - -/* For testing with compat.sh */ -#define MBEDTLS_FS_IO - -#include "mbedtls/check_config.h" - -#endif /* MBEDTLS_CONFIG_H */ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7cb6967b2..389ae2a71 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -621,16 +621,6 @@ #error "MBEDTLS_SHA256_C defined without MBEDTLS_SHA224_C" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) || \ - !defined(MBEDTLS_SHA1_C) ) -#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) || \ - !defined(MBEDTLS_SHA1_C) ) -#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) && \ !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) ) #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" @@ -641,8 +631,7 @@ #error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites" #endif -#if (defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) ||\ - defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ @@ -659,7 +648,6 @@ #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites" #endif 
@@ -677,16 +665,10 @@ #error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_TLS1) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1_2)) +#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_TLS_C defined, but no protocols are active" #endif -#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1)) -#error "Illegal protocol selection" -#endif - #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS) #error "MBEDTLS_SSL_DTLS_HELLO_VERIFY defined, but not all prerequisites" #endif @@ -724,15 +706,11 @@ #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites" #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites" #endif @@ -741,10 +719,6 @@ #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && !defined(MBEDTLS_SSL_PROTO_TLS1) -#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ !defined(MBEDTLS_X509_CRT_PARSE_C) #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites" 
@@ -859,6 +833,13 @@ #error "MBEDTLS_ZLIB_SUPPORT was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4031" #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1) //no-check-names +#error "MBEDTLS_SSL_PROTO_TLS1 (TLS v1.0 support) was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4286" +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_1) //no-check-names +#error "MBEDTLS_SSL_PROTO_TLS1_1 (TLS v1.1 support) was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4286" +#endif /* * Avoid warning from -pedantic. This is a convenient place for this diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 2c6ae3d1d..4905b9243 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1530,9 +1530,7 @@ * * This only affects CBC ciphersuites, and is useless if none is defined. * - * Requires: MBEDTLS_SSL_PROTO_TLS1 or - * MBEDTLS_SSL_PROTO_TLS1_1 or - * MBEDTLS_SSL_PROTO_TLS1_2 + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 * * Comment this macro to disable support for Encrypt-then-MAC */ @@ -1548,9 +1546,7 @@ * renegotiation), since it actually fixes a more fundamental issue in the * original SSL/TLS design, and has implications beyond Triple Handshake. * - * Requires: MBEDTLS_SSL_PROTO_TLS1 or - * MBEDTLS_SSL_PROTO_TLS1_1 or - * MBEDTLS_SSL_PROTO_TLS1_2 + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 * * Comment this macro to disable support for Extended Master Secret. */ @@ -1599,7 +1595,7 @@ /** * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING * - * Enable 1/n-1 record splitting for CBC mode in TLS 1.0. + * Enable 1/n-1 record splitting for CBC mode in TLS. * * This is a countermeasure to the BEAST attack, which also minimizes the risk * of interoperability issues compared to sending 0-length records. 
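Review bot: The reworded description `Enable 1/n-1 record splitting for CBC mode in TLS.` claims a scope the option never had: the context two lines below still calls it a BEAST countermeasure, which only applies to CBC in TLS 1.0, so with TLS 1.0 gone MBEDTLS_SSL_CBC_RECORD_SPLITTING has no effect. This commit also drops the option's prerequisite check in check_config.h (the `@@ -741,10` hunk) and removes `mbedtls_ssl_conf_cbc_record_splitting()` from ssl.h (the `@@ -3398,21` hunk), leaving a documented config flag with no API behind it. Either remove the `\def MBEDTLS_SSL_CBC_RECORD_SPLITTING` block here as well, or keep the TLS 1.0 wording and add a removed-option guard in check_config.h in the same style as the `MBEDTLS_SSL_PROTO_TLS1` one this patch adds.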
@@ -1649,30 +1645,6 @@ */ #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -/** - * \def MBEDTLS_SSL_PROTO_TLS1 - * - * Enable support for TLS 1.0. - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.0 - */ -#define MBEDTLS_SSL_PROTO_TLS1 - -/** - * \def MBEDTLS_SSL_PROTO_TLS1_1 - * - * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 - */ -#define MBEDTLS_SSL_PROTO_TLS1_1 - /** * \def MBEDTLS_SSL_PROTO_TLS1_2 * @@ -1709,11 +1681,9 @@ * * Enable support for DTLS (all available versions). * - * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, - * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. + * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. * - * Requires: MBEDTLS_SSL_PROTO_TLS1_1 - * or MBEDTLS_SSL_PROTO_TLS1_2 + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 * * Comment this macro to disable support for DTLS */ @@ -2738,10 +2708,9 @@ * library/pem.c * library/ssl_tls.c * - * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 - * depending on the handshake parameters. Further, it is used for checking - * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded - * encrypted keys. + * This module is required for TLS 1.2 depending on the handshake parameters. + * Further, it is used for checking MD5-signed certificates, and for PBKDF1 + * when decrypting PEM-encoded encrypted keys. * * \warning MD5 is considered a weak message digest and its use constitutes a * security risk. If possible, we recommend avoiding dependencies on 
@@ -3061,8 +3030,8 @@ * library/ssl_tls.c * library/x509write_crt.c * - * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 - * depending on the handshake parameters, and for SHA1-signed certificates. + * This module is required for TLS 1.2 depending on the handshake parameters, + * and for SHA1-signed certificates. * * \warning SHA-1 is considered a weak message digest and its use constitutes * a security risk. If possible, we recommend avoiding dependencies diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 88a599c18..39661cbac 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -131,8 +131,8 @@ * - RFC 8446: see section 4.2.1 */ #define MBEDTLS_SSL_MAJOR_VERSION_3 3 -#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */ -#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */ +#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 deprecated */ +#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 deprecated */ #define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ #define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */ @@ -2602,8 +2602,7 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, * MBEDTLS_SSL_MINOR_VERSION_2, * MBEDTLS_SSL_MINOR_VERSION_3 supported) * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 - * and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, const int *ciphersuites, @@ -3253,8 +3252,7 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss * * \note This ignores ciphersuites from higher versions. * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and - * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) 
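Review bot: `/*!< TLS v1.0 deprecated */` and `/*!< TLS v1.1 deprecated */` understate what this patch does: the versions are removed, not deprecated, and a reader of ssl.h may conclude they can still be negotiated. The constants presumably stay because the wire-format numbers are still needed (ssl_misc.h keeps MBEDTLS_SSL_MIN_VALID_MINOR_VERSION at MBEDTLS_SSL_MINOR_VERSION_1 in this patch), so say that: `/*!< TLS v1.0 (no longer supported; value kept for version parsing) */`. The `@@ -2602,8` hunk on this line still lists MBEDTLS_SSL_MINOR_VERSION_2 among the supported values in the context just above the rewritten note; that parameter description should be checked as well.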
@@ -3265,13 +3263,12 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino /** * \brief Set the minimum accepted SSL/TLS protocol version - * (Default: TLS 1.0) + * (Default: TLS 1.2) * * \note Input outside of the SSL_MAX_XXXXX_VERSION and * SSL_MIN_XXXXX_VERSION range is ignored. * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and - * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) @@ -3398,21 +3395,6 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -/** - * \brief Enable / Disable 1/n-1 record splitting - * (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED) - * - * \note Only affects TLS 1.0, not higher versions. - * Does not affect non-CBC ciphersuites in any version. - * - * \param conf SSL configuration - * \param split MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or - * MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED - */ -void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ); -#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ - #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) /** * \brief Enable / Disable session tickets (client only). diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0bb959270..3f7f68474 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
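Review bot: The rewritten note in the `@@ -3265,13` hunk, `\note With DTLS, MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2`, has lost its verb and no longer reads as a sentence, unlike the two sibling notes this patch rewrites as `With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2`. Use the same wording here. The accompanying `(Default: TLS 1.2)` is consistent with ssl_misc.h now defining MBEDTLS_SSL_MIN_MINOR_VERSION only as MBEDTLS_SSL_MINOR_VERSION_3.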
@@ -1951,12 +1951,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); p += 2; - /* - * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) - * even is lower than our min version. - */ if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || - minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || + minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 || major_ver > ssl->conf->max_major_ver || minor_ver > ssl->conf->max_minor_ver ) { @@ -2843,8 +2839,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, return( ret ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( len_bytes == 2 ) { ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); @@ -3238,17 +3233,6 @@ start_processing: } else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) - { - pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); - - /* Default hash for ECDSA is SHA-1 */ - if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) - md_alg = MBEDTLS_MD_SHA1; - } - else -#endif { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 
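Review bot: In ssl_parse_hello_verify_request() the `@@ -1951,12` hunk replaces a commented rationale with a bare constant, `minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||`, while the upper bound on the following lines still comes from `ssl->conf->max_minor_ver`; a reader will wonder why the lower bound does not use `ssl->conf->min_minor_ver`. Either compare against the configured minimum or keep a one-line comment explaining the floor, e.g. `/* DTLS 1.2 is the only supported version: reject anything lower. */`. The function's body continues outside the hunk.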
@@ -3285,19 +3269,7 @@ start_processing: /* * Compute the hash that has been signed */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( md_alg == MBEDTLS_MD_NONE ) - { - hashlen = 36; - ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, - params_len ); - if( ret != 0 ) - return( ret ); - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( md_alg != MBEDTLS_MD_NONE ) { ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, @@ -3307,8 +3279,7 @@ start_processing: return( ret ); } else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -4113,35 +4084,6 @@ sign: ssl->handshake->calc_verify( ssl, hash, &hashlen ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) - { - /* - * digitally-signed struct { - * opaque md5_hash[16]; - * opaque sha_hash[20]; - * }; - * - * md5_hash - * MD5(handshake_messages); - * - * sha_hash - * SHA(handshake_messages); - */ - md_alg = MBEDTLS_MD_NONE; - - /* - * For ECDSA, default hash is SHA-1 only - */ - if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) - { - hash_start += 16; - hashlen -= 16; - md_alg = MBEDTLS_MD_SHA1; - } - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index b0b2eb303..40b8913b8 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c 
@@ -41,8 +41,7 @@ /* * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is - * available. Try SHA-256 first, 512 wastes resources since we need to stay - * with max 32 bytes of cookie for DTLS 1.0 + * available. Try SHA-256 first, 512 wastes resources */ #if defined(MBEDTLS_SHA224_C) #define COOKIE_MD MBEDTLS_MD_SHA224 diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 180f4d8dc..a5a12ceb2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -68,17 +68,9 @@ /* Determine minimum supported version */ #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 -#if defined(MBEDTLS_SSL_PROTO_TLS1) -#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 -#else -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) -#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 -#else #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1 */ #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 @@ -88,15 +80,6 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 -#else -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) -#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 -#else -#if defined(MBEDTLS_SSL_PROTO_TLS1) -#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 -#else -#endif /* MBEDTLS_SSL_PROTO_TLS1 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* Shorthand for restartable ECC */ 
@@ -153,11 +136,9 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM #endif -/* This macro determines whether the CBC construct used in TLS 1.0-1.2 is supported. */ +/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) ) + defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC #endif @@ -550,10 +531,6 @@ struct mbedtls_ssl_handshake_params /* * Checksum contexts */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_context fin_md5; - mbedtls_sha1_context fin_sha1; -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1202,21 +1179,13 @@ static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t return( diff ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, - unsigned char *output, - unsigned char *data, size_t data_len ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, unsigned char *data, size_t data_len, mbedtls_md_type_t md_alg ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #ifdef __cplusplus } diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 609aa9864..540d5d1f6 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -519,9 +519,9 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, #endif /* The PRNG is used for dynamic IV generation that's used - * for CBC transformations in TLS 1.1 and TLS 1.2. */ + * for CBC transformations in TLS 1.2. */ #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) ) + defined(MBEDTLS_SSL_PROTO_TLS1_2) ) ((void) f_rng); ((void) p_rng); #endif @@ -644,8 +644,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { unsigned char mac[MBEDTLS_SSL_MAC_ADD]; @@ -835,12 +834,12 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, rec->data_len += padlen + 1; post_avail -= padlen + 1; -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * Prepend per-record IV for block cipher in TLS v1.1 and up as per + * Prepend per-record IV for block cipher in TLS v1.2 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) */ - if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) + if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) { if( f_rng == NULL ) { @@ -865,7 +864,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, transform->ivlen ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " "including %" MBEDTLS_PRINTF_SIZET 
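Review bot: The `@@ -644,8` hunk keeps `if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )` under the TLS 1.2-only guard, while the other hunks in this file raise their equivalent comparisons to `MBEDTLS_SSL_MINOR_VERSION_3`; the same `>= MBEDTLS_SSL_MINOR_VERSION_1` test survives in ssl_handle_hs_message_post_handshake() (the `@@ -5201,8` hunk). With TLS 1.0/1.1 gone, a transform at minor version 1 or 2 should presumably never reach these branches, so the tests should either be raised to `>= MBEDTLS_SSL_MINOR_VERSION_3` for consistency or get a comment explaining why the lower floor is intentional. mbedtls_ssl_encrypt_buf() starts and ends outside this hunk.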
@@ -889,22 +888,9 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) - if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - { - /* - * Save IV in TLS1 - */ - memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv, - transform->ivlen ); - } - else -#endif - { - data -= transform->ivlen; - rec->data_offset -= transform->ivlen; - rec->data_len += transform->ivlen; - } + data -= transform->ivlen; + rec->data_offset -= transform->ivlen; + rec->data_len += transform->ivlen; #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( auth_done == 0 ) @@ -1381,8 +1367,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* * Check immediate ciphertext sanity */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) { /* The ciphertext is prefixed with the CBC IV. */ minlen += transform->ivlen; @@ -1487,11 +1473,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( MBEDTLS_ERR_SSL_INVALID_MAC ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * Initialize for prepended IV for block cipher in TLS v1.1 and up + * Initialize for prepended IV for block cipher in TLS v1.2 */ - if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) + if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) { /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */ memcpy( transform->iv_dec, data, transform->ivlen ); 
@@ -1500,7 +1486,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, rec->data_offset += transform->ivlen; rec->data_len -= transform->ivlen; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */ @@ -1519,20 +1505,6 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) - if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - { - /* - * Save IV in TLS1, where CBC decryption of consecutive - * records is equivalent to CBC decryption of the concatenation - * of the records; in other words, IVs are maintained across - * record decryptions. - */ - memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv, - transform->ivlen ); - } -#endif - /* Safe since data_len >= minlen + maclen + 1, so after having * subtracted at most minlen and maclen up to this point, * data_len > 0 (because of data_len % ivlen == 0, it's actually @@ -1573,8 +1545,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* Regardless of the validity of the padding, * we have data_len >= padlen here. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* The padding check involves a series of up to 256 * consecutive memory reads at the end of the record * plaintext buffer. In order to hide the length and @@ -1609,8 +1580,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #endif padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* If the padding was found to be invalid, padlen == 0 * and the subtraction is safe. If the padding was found valid, 
@@ -1657,8 +1627,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, ssl_extract_add_data_from_record( add_data, &add_data_len, rec, transform->minor_ver ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* * The next two sizes are the minimum and maximum values of * data_len over all padlen values. @@ -1686,8 +1655,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, rec->data_len, min_len, max_len, transform->maclen ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_DEBUG_ALL) MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen ); @@ -5058,10 +5026,10 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) /* For TLS 1.1 or higher, an explicit IV is added * after the record header. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) transform_expansion += block_size; -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ break; @@ -5201,8 +5169,7 @@ static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { if( ( ret = mbedtls_ssl_send_alert_message( ssl, 
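Review bot: In mbedtls_ssl_get_record_expansion() the `@@ -5058,10` hunk changes the test to `ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3` but leaves the context comment directly above it saying `For TLS 1.1 or higher, an explicit IV is added`, which is now wrong for the code it describes. Update it to `/* For TLS 1.2, an explicit IV is added after the record header. */`. The comment in the `@@ -835,12` hunk of this file, `Method 1 (6.2.3.2. in RFC4346 and RFC5246)`, similarly still cites the TLS 1.1 RFC for code that now applies only to TLS 1.2.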
@@ -5213,8 +5180,7 @@ static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) } } else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 73b79daf8..fb7ba975f 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3199,14 +3199,6 @@ curve_matching_done: } else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) - { - /* B: Default hash SHA1 */ - md_alg = MBEDTLS_MD_SHA1; - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ { /* C: MD5 + SHA1 */ md_alg = MBEDTLS_MD_NONE; @@ -3217,20 +3209,7 @@ curve_matching_done: /* * 2.2: Compute the hash to be signed */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( md_alg == MBEDTLS_MD_NONE ) - { - hashlen = 36; - ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, - dig_signed, - dig_signed_len ); - if( ret != 0 ) - return( ret ); - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( md_alg != MBEDTLS_MD_NONE ) { ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, @@ -3241,8 +3220,7 @@ curve_matching_done: return( ret ); } else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 
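Review bot: In the `@@ -3199,14` hunk the fallback branch keeps `/* C: MD5 + SHA1 */` and `md_alg = MBEDTLS_MD_NONE;`, but with the TLS 1.0/1.1 branch removed the only consumer of MBEDTLS_MD_NONE in the `@@ -3217,20` hunk is the `should never happen` path returning MBEDTLS_ERR_SSL_INTERNAL_ERROR. The comment now labels an error path as the MD5+SHA-1 case, and the `B:` label of the removed branch no longer exists, so the lettering is orphaned; replace it with something like `/* No signature hash selected: unreachable when only TLS 1.2 is compiled in. */`, or collapse the branch into the internal-error return. The enclosing function starts and ends outside these hunks.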
@@ -3556,8 +3534,7 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, /* * Prepare to decrypt the premaster using own private RSA key */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if ( p + 2 > end ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); @@ -4177,22 +4154,6 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) * opaque signature<0..2^16-1>; * } DigitallySigned; */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) - { - md_alg = MBEDTLS_MD_NONE; - hashlen = 36; - - /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ - if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) ) - { - hash_start += 16; - hashlen -= 16; - md_alg = MBEDTLS_MD_SHA1; - } - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 170d563bd..58675dbed 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
@@ -324,122 +324,6 @@ static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing, } #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static int tls1_prf( const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen ) -{ - size_t nb, hs; - size_t i, j, k; - const unsigned char *S1, *S2; - unsigned char *tmp; - size_t tmp_len = 0; - unsigned char h_i[20]; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - mbedtls_md_init( &md_ctx ); - - tmp_len = 20 + strlen( label ) + rlen; - tmp = mbedtls_calloc( 1, tmp_len ); - if( tmp == NULL ) - { - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto exit; - } - - hs = ( slen + 1 ) / 2; - S1 = secret; - S2 = secret + slen - hs; - - nb = strlen( label ); - memcpy( tmp + 20, label, nb ); - memcpy( tmp + 20 + nb, random, rlen ); - nb += rlen; - - /* - * First compute P_md5(secret,label+random)[0..dlen] - */ - if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) - { - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; - goto exit; - } - - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - { - goto exit; - } - - mbedtls_md_hmac_starts( &md_ctx, S1, hs ); - mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); - mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); - - for( i = 0; i < dlen; i += 16 ) - { - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); - mbedtls_md_hmac_finish( &md_ctx, h_i ); - - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); - mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); - - k = ( i + 16 > dlen ) ? 
dlen % 16 : 16; - - for( j = 0; j < k; j++ ) - dstbuf[i + j] = h_i[j]; - } - - mbedtls_md_free( &md_ctx ); - - /* - * XOR out with P_sha1(secret,label+random)[0..dlen] - */ - if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) - { - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; - goto exit; - } - - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - { - goto exit; - } - - mbedtls_md_hmac_starts( &md_ctx, S2, hs ); - mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); - mbedtls_md_hmac_finish( &md_ctx, tmp ); - - for( i = 0; i < dlen; i += 20 ) - { - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); - mbedtls_md_hmac_finish( &md_ctx, h_i ); - - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); - mbedtls_md_hmac_finish( &md_ctx, tmp ); - - k = ( i + 20 > dlen ) ? dlen % 20 : 20; - - for( j = 0; j < k; j++ ) - dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); - } - -exit: - mbedtls_md_free( &md_ctx ); - - mbedtls_platform_zeroize( tmp, tmp_len ); - mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); - - mbedtls_free( tmp ); - return( ret ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_USE_PSA_CRYPTO) 
@@ -667,15 +551,6 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen, static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_calc_verify_tls( const mbedtls_ssl_context *, unsigned char*, size_t * ); -static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); @@ -715,13 +590,6 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) #if defined(MBEDTLS_SSL_EXPORT_KEYS) static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( tls_prf == tls1_prf ) - { - return( MBEDTLS_SSL_TLS_PRF_TLS1 ); - } - else -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( tls_prf == tls_prf_sha384 ) @@ -752,12 +620,6 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, switch( prf ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - case MBEDTLS_SSL_TLS_PRF_TLS1: - tls_prf = tls1_prf; - break; -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) case MBEDTLS_SSL_TLS_PRF_SHA384: 
@@ -1023,14 +885,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, - transform->maclen % cipher_info->block_size; } -#if defined(MBEDTLS_SSL_PROTO_TLS1) - if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) - ; /* No need to adjust minlen */ - else -#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || - minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { transform->minlen += transform->ivlen; } @@ -1105,9 +961,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, goto end; } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { /* For HMAC-based ciphersuites, initialize the HMAC transforms. @@ -1280,7 +1135,7 @@ end: } /* - * Set appropriate PRF function and other SSL / TLS 1.0/1.1 / TLS1.2 functions + * Set appropriate PRF function and other SSL / TLS1.2 functions * * Inputs: * - SSL/TLS minor version @@ -1297,15 +1152,6 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, (void) hash; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) - { - handshake->tls_prf = tls1_prf; - handshake->calc_verify = ssl_calc_verify_tls; - handshake->calc_finished = ssl_calc_finished_tls; - } - else -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && 
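Review bot: The MAC-initialisation guard in the second ssl_populate_transform hunk keeps `if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )` while the first hunk, a few lines above in the same function, narrows the equivalent version test to `if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )`; with TLS 1.2 the only version left the two should agree, so change the former to `if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )`. The same hunk also renames `MBEDTLS_SSL_SOME_SUITES_USE_MAC` to `MBEDTLS_SSL_SOME_MODES_USE_MAC`, which is unrelated to dropping TLS 1.0/1.1 and, if the new name is not defined in ssl_misc.h, silently compiles the HMAC setup out instead of failing the build — a separate commit or a sentence in the commit message would make that change reviewable on its own. ssl_populate_transform starts and ends outside these hunks.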
@@ -1546,37 +1392,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( 0 ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -void ssl_calc_verify_tls( const mbedtls_ssl_context *ssl, - unsigned char *hash, - size_t *hlen ) -{ - mbedtls_md5_context md5; - mbedtls_sha1_context sha1; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); - - mbedtls_md5_init( &md5 ); - mbedtls_sha1_init( &sha1 ); - - mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); - mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - - mbedtls_md5_finish_ret( &md5, hash ); - mbedtls_sha1_finish_ret( &sha1, hash + 16 ); - - *hlen = 36; - - MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); - - mbedtls_md5_free( &md5 ); - mbedtls_sha1_free( &sha1 ); - - return; -} -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, @@ -2203,8 +2018,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) return( -1 ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && @@ -2215,8 +2029,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) } return( -1 ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } #endif /* MBEDTLS_SSL_SRV_C */ 
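Review bot: In ssl_srv_check_client_no_crt_notification the `return( -1 );` stays inside the `#if defined(MBEDTLS_SSL_PROTO_TLS1_2)` block, so a build with that option off still falls off the end of a non-void function; now that TLS 1.2 is the only protocol left, the guard buys nothing and should be removed together with its `#endif` rather than narrowed. If it is kept for symmetry with the rest of the file, move `return( -1 );` below the `#endif` so every configuration returns a value.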
@@ -2651,11 +2464,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, { ((void) ciphersuite_info); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) - ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; - else -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) @@ -2676,10 +2484,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 ); - mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -2703,10 +2507,6 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); - mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -2725,15 +2525,6 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len ) -{ - mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); - mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); -} -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, 
@@ -2760,65 +2551,6 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_calc_finished_tls( - mbedtls_ssl_context *ssl, unsigned char *buf, int from ) -{ - int len = 12; - const char *sender; - mbedtls_md5_context md5; - mbedtls_sha1_context sha1; - unsigned char padbuf[36]; - - mbedtls_ssl_session *session = ssl->session_negotiate; - if( !session ) - session = ssl->session; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); - - mbedtls_md5_init( &md5 ); - mbedtls_sha1_init( &sha1 ); - - mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); - mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - - /* - * TLSv1: - * hash = PRF( master, finished_label, - * MD5( handshake ) + SHA1( handshake ) )[0..11] - */ - -#if !defined(MBEDTLS_MD5_ALT) - MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) - md5.state, sizeof( md5.state ) ); -#endif - -#if !defined(MBEDTLS_SHA1_ALT) - MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) - sha1.state, sizeof( sha1.state ) ); -#endif - - sender = ( from == MBEDTLS_SSL_IS_CLIENT ) - ? "client finished" - : "server finished"; - - mbedtls_md5_finish_ret( &md5, padbuf ); - mbedtls_sha1_finish_ret( &sha1, padbuf + 16 ); - - ssl->handshake->tls_prf( session->master, 48, sender, - padbuf, 36, buf, len ); - - MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - - mbedtls_md5_free( &md5 ); - mbedtls_sha1_free( &sha1 ); - - mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_calc_finished_tls_sha256( 
@@ -3249,12 +2981,6 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) { memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_init( &handshake->fin_md5 ); - mbedtls_sha1_init( &handshake->fin_sha1 ); - mbedtls_md5_starts_ret( &handshake->fin_md5 ); - mbedtls_sha1_starts_ret( &handshake->fin_sha1 ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -5583,10 +5309,6 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_free( &handshake->fin_md5 ); - mbedtls_sha1_free( &handshake->fin_sha1 ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -6985,17 +6707,6 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) switch( md ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -#if defined(MBEDTLS_MD5_C) - case MBEDTLS_SSL_HASH_MD5: - return( -1 ); -#endif -#if defined(MBEDTLS_SHA1_C) - case MBEDTLS_SSL_HASH_SHA1: - ssl->handshake->calc_verify = ssl_calc_verify_tls; - break; -#endif -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SHA384_C) case MBEDTLS_SSL_HASH_SHA384: ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 
@@ -7019,92 +6730,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, - unsigned char *output, - unsigned char *data, size_t data_len ) -{ - int ret = 0; - mbedtls_md5_context mbedtls_md5; - mbedtls_sha1_context mbedtls_sha1; - - mbedtls_md5_init( &mbedtls_md5 ); - mbedtls_sha1_init( &mbedtls_sha1 ); - - /* - * digitally-signed struct { - * opaque md5_hash[16]; - * opaque sha_hash[20]; - * }; - * - * md5_hash - * MD5(ClientHello.random + ServerHello.random - * + ServerParams); - * sha_hash - * SHA(ClientHello.random + ServerHello.random - * + ServerParams); - */ - if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, - ssl->handshake->randbytes, 64 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret ); - goto exit; - } - - if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, - ssl->handshake->randbytes, 64 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data, - data_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1, - output + 16 ) ) != 0 ) - { - 
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret ); - goto exit; - } - -exit: - mbedtls_md5_free( &mbedtls_md5 ); - mbedtls_sha1_free( &mbedtls_sha1 ); - - if( ret != 0 ) - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - - return( ret ); - -} -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, @@ -7227,7 +6853,6 @@ exit: } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2ce858837..fb3cce19f 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -422,7 +422,7 @@ int main( void ) " min_version=%%s default: (library default: tls1)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ + " options: tls1_2, dtls1_2\n" \ "\n" \ " force_ciphersuite= default: all enabled\n"\ " query_config= return 0 if the specified\n" \ @@ -1098,12 +1098,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "min_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; else 
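Review bot: The ssl_client2.c usage text is only half updated: the `options:` line now lists `tls1_2, dtls1_2`, but the context line two above it, `min_version=%%s default: (library default: tls1)`, still advertises `tls1`, a value the `min_version` parser in the next hunk no longer accepts (it falls through to the `else` error path). Change it to `" min_version=%%s default: (library default: tls1_2)\n" \` so the help text matches the parser; the same stale line exists in ssl_server2.c. With a single accepted value per option, the `if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 )` chains in min_version and max_version could also share one helper, but that is cosmetic.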
@@ -1111,12 +1106,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "max_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; else @@ -1133,27 +1123,11 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "force_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - } - else if( strcmp( q, "tls1_1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - } - else if( strcmp( q, "tls1_2" ) == 0 ) + if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; } - else if( strcmp( q, "dtls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; - } else if( strcmp( q, "dtls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; @@ -1375,10 +1349,10 @@ int main( int argc, char *argv[] ) if( opt.min_version < ciphersuite_info->min_minor_ver ) { opt.min_version = ciphersuite_info->min_minor_ver; - /* DTLS starts with TLS 1.1 */ + /* for DTLS 1.2 */ if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; + opt.min_version < MBEDTLS_SSL_MINOR_VERSION_3 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; } #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ff27fb8b..70421b985 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
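Review bot: In the last ssl_client2.c hunk the raise to `MBEDTLS_SSL_MINOR_VERSION_3` is still conditioned on `opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM`, yet the line before it copies `ciphersuite_info->min_minor_ver` unconditionally; ssl_ciphersuites.c is not in this diffstat, so suites that were tagged for TLS 1.0 presumably still report `MBEDTLS_SSL_MINOR_VERSION_1`, and a stream-transport run with `force_ciphersuite=` would push a now-unsupported minimum into the configuration. Drop the transport test: `if( opt.min_version < MBEDTLS_SSL_MINOR_VERSION_3 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3;`. The new comment `/* for DTLS 1.2 */` then goes as well, or becomes `/* nothing below TLS/DTLS 1.2 is supported */`.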
@@ -503,7 +503,7 @@ int main( void ) " min_version=%%s default: (library default: tls1)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ + " options: tls1, dtls1_2\n" \ "\n" \ " version_suites=a,b,c per-version ciphersuites\n" \ " in order from tls1 to tls1_2\n" \ @@ -1726,12 +1726,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "min_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; else @@ -1739,12 +1734,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "max_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; else 
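Review bot: The new ssl_server2.c usage line reads `options: tls1, dtls1_2`, which contradicts the `force_version` parser changed later in this commit (only `tls1_2` and `dtls1_2` are accepted) and the matching ssl_client2.c line, which says `tls1_2, dtls1_2`; change it to `" options: tls1_2, dtls1_2\n" \`. The neighbouring context lines `min_version=%%s default: (library default: tls1)` and `in order from tls1 to tls1_2` under `version_suites` are likewise stale now that `tls1` is no longer a valid value.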
@@ -1761,27 +1751,11 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "force_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - } - else if( strcmp( q, "tls1_1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - } - else if( strcmp( q, "tls1_2" ) == 0 ) + if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; } - else if( strcmp( q, "dtls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; - } else if( strcmp( q, "dtls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; diff --git a/tests/compat.sh b/tests/compat.sh index 6a2bbb270..c57ec4fdc 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -67,7 +67,7 @@ else fi # default values for options -MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2" +MODES="tls1_2 dtls1_2" VERIFIES="NO YES" TYPES="ECDSA RSA PSK" FILTER="" @@ -162,12 +162,6 @@ is_dtls() minor_ver() { case "$1" in - tls1) - echo 1 - ;; - tls1_1|dtls1) - echo 2 - ;; tls1_2|dtls1_2) echo 3 ;; @@ -841,19 +835,9 @@ setup_arguments() { G_MODE="" case "$MODE" in - "tls1") - G_PRIO_MODE="+VERS-TLS1.0" - ;; - "tls1_1") - G_PRIO_MODE="+VERS-TLS1.1" - ;; "tls1_2") G_PRIO_MODE="+VERS-TLS1.2" ;; - "dtls1") - G_PRIO_MODE="+VERS-DTLS1.0" - G_MODE="-u" - ;; "dtls1_2") G_PRIO_MODE="+VERS-DTLS1.2" G_MODE="-u" diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 5f13b2249..93b7e1dd5 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh 
@@ -115,7 +115,7 @@ echo echo '################ compat.sh ################' { echo '#### compat.sh: Default versions' - sh compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2' + sh compat.sh -m 'tls1_2 dtls1_2' echo echo '#### compat.sh: legacy (null, DES, RC4)' diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 57263a334..a79604e9f 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -31,9 +31,6 @@ my %configs = ( 'config-ccm-psk-tls1_2.h' => { 'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', }, - 'config-mini-tls1_1.h' => { - 'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #' - }, 'config-no-entropy.h' => { }, 'config-suite-b.h' => { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1041c87d4..13db30b44 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1402,22 +1402,6 @@ run_test "Context-specific CRT verification callback" \ -C "Use configuration-specific verification callback" \ -C "error" -# Test empty CA list in CertificateRequest in TLS 1.1 and earlier - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ - "$G_SRV"\ - "$P_CLI force_version=tls1_1" \ - 0 - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 -run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ - "$G_SRV"\ - "$P_CLI force_version=tls1" \ - 0 - # Tests for SHA-1 support run_test "SHA-1 forbidden by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ 
@@ -2460,33 +2444,6 @@ run_test "Extended Master Secret: client disabled, server enabled" \ # Tests for FALLBACK_SCSV -run_test "Fallback SCSV: default" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: explicitly disabled" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: enabled" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ - 1 \ - -c "adding FALLBACK_SCSV" \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" \ - -c "is a fatal alert message (msg 86)" - run_test "Fallback SCSV: enabled, max version" \ "$P_SRV debug_level=2" \ "$P_CLI debug_level=3 fallback=1" \ 
@@ -2496,38 +2453,6 @@ run_test "Fallback SCSV: enabled, max version" \ -S "inapropriate fallback" \ -C "is a fatal alert message (msg 86)" -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: default, openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -C "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ - 1 \ - -c "adding FALLBACK_SCSV" \ - -c "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: disabled, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -tls1_1" \ - 0 \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -tls1_1 -fallback_scsv" \ - 1 \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" - requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, max version, openssl client" \ "$P_SRV debug_level=2" \ 
@@ -2568,37 +2493,6 @@ run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \ -s "dumping 'input payload after decrypt' (0 bytes)" \ -c "0 bytes written in 1 fragments" -## ClientHello generated with -## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..." -## then manually twiddling the ciphersuite list. -## The ClientHello content is spelled out below as a hex string as -## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix". -## The expected response is an inappropriate_fallback alert. -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: beginning of list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \ - 0 \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: end of list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \ - 0 \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" - -## Here the expected response is a valid ServerHello prefix, up to the random. -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: not in list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \ - 0 \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - # Tests for CBC 1/n-1 record splitting run_test "CBC Record splitting: TLS 1.2, no splitting" \ 
@@ -2610,42 +2504,6 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \ -S "Read from client: 1 bytes read" \ -S "122 bytes read" -run_test "CBC Record splitting: TLS 1.1, no splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1_1" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting disabled" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1 recsplit=0" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \ - "$P_SRV nbio=2" \ - "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - # Tests for Session Tickets run_test "Session resume using tickets: basic" \ 
@@ -4464,52 +4322,6 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ - "$P_SRV crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server5-sha1.crt \ - key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -C "signed using.*ECDSA with SHA256" \ - -c "signed using.*ECDSA with SHA1" - -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ - "$P_SRV crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server5-sha1.crt \ - key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1" \ - 0 \ - -C "signed using.*ECDSA with SHA256" \ - -c "signed using.*ECDSA with SHA1" - -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ - "$P_SRV crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server6.crt \ - key_file2=data_files/server6.key" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -c "serial number.*09" \ - -c "signed using.*ECDSA with SHA256" \ - -C "signed using.*ECDSA with SHA1" - -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ - "$P_SRV crt_file=data_files/server6.crt \ - key_file=data_files/server6.key \ - crt_file2=data_files/server5.crt \ - key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -c "serial number.*0A" \ - -c "signed using.*ECDSA with SHA256" \ - -C "signed using.*ECDSA with SHA1" - # tests for SNI requires_config_disabled MBEDTLS_X509_REMOVE_INFO 
@@ -4970,67 +4782,6 @@ run_test "Version check: all -> 1.2" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" -run_test "Version check: cli max 1.1 -> 1.1" \ - "$P_SRV" \ - "$P_CLI max_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: srv max 1.1 -> 1.1" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli+srv max 1.1 -> 1.1" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI max_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \ - "$P_SRV min_version=tls1_1" \ - "$P_CLI max_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI min_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI min_version=tls1_2" \ - 1 \ - -s "mbedtls_ssl_handshake returned" \ - -c "mbedtls_ssl_handshake returned" \ - -c "SSL - Handshake protocol not within min/max boundaries" - -run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \ - "$P_SRV min_version=tls1_2" \ - "$P_CLI max_version=tls1_1" \ - 1 \ - -s "mbedtls_ssl_handshake returned" \ - -c "mbedtls_ssl_handshake returned" \ - -s "SSL - Handshake protocol not within min/max boundaries" - # Tests for ALPN extension run_test "ALPN: none" \ 
@@ -5884,24 +5635,6 @@ run_test "ECJPAKE: working, DTLS, nolog" \
 # Tests for ciphersuites per version
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1
-requires_config_enabled MBEDTLS_CAMELLIA_C
-requires_config_enabled MBEDTLS_AES_C
-run_test "Per-version suites: TLS 1.0" \
- "$P_SRV version_suites=TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
- "$P_CLI force_version=tls1" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-requires_config_enabled MBEDTLS_CAMELLIA_C
-requires_config_enabled MBEDTLS_AES_C
-run_test "Per-version suites: TLS 1.1" \
- "$P_SRV version_suites=TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \
- "$P_CLI force_version=tls1_1" \
- 0 \
- -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA"
-
 requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
 requires_config_enabled MBEDTLS_CAMELLIA_C
 requires_config_enabled MBEDTLS_AES_C
@@ -5936,66 +5669,6 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \
 # Tests for small client packets
-run_test "Small client packet TLS 1.0 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.1 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small
client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=1 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: 1 bytes read"
-
 run_test "Small client packet TLS 1.2 BlockCipher" \
 "$P_SRV" \
 "$P_CLI request_size=1 force_version=tls1_2 \
@@ -6049,40 +5722,6 @@ run_test "Small client packet TLS 1.2 AEAD shorter tag" \
 # Tests for small client packets in DTLS
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small client packet DTLS 1.0" \
- "$P_SRV dtls=1 force_version=dtls1" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small client packet DTLS 1.0, without EtM" \
- "$P_SRV dtls=1 force_version=dtls1 etm=0" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet DTLS 1.0, truncated hmac" \
- "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \
- "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \
- "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \
- "$P_CLI dtls=1 request_size=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
- 0 \
- -s "Read from client: 1 bytes read"
-
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 run_test "Small client packet DTLS 1.2" \
 "$P_SRV dtls=1 force_version=dtls1_2" \
@@ -6119,66 +5758,6 @@ run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
 # Tests for small server packets
-run_test "Small server packet TLS 1.0 BlockCipher" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.1 BlockCipher" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV response_size=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled
MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=1 trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -c "Read from server: 1 bytes read"
-
 run_test "Small server packet TLS 1.2 BlockCipher" \
 "$P_SRV response_size=1" \
 "$P_CLI force_version=tls1_2 \
@@ -6232,40 +5811,6 @@ run_test "Small server packet TLS 1.2 AEAD shorter tag" \
 # Tests for small server packets in DTLS
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small server packet DTLS 1.0" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-run_test "Small server packet DTLS 1.0, without EtM" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet DTLS 1.0, truncated hmac" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \
- "$P_CLI dtls=1 trunc_hmac=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \
- "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \
- "$P_CLI dtls=1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
- 0 \
- -c "Read from server: 1 bytes read"
-
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 run_test "Small server packet DTLS 1.2" \
 "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \
@@ -6307,69 +5852,6 @@ fragments_for_write() {
 echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))"
 }
-run_test "Large client packet TLS 1.0 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.1 BlockCipher" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV" \
- "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV trunc_hmac=1" \
- "$P_CLI request_size=16384 force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "Read from client: $MAX_CONTENT_LEN bytes read"
-
 run_test "Large client packet TLS 1.2 BlockCipher" \
 "$P_SRV" \
 "$P_CLI request_size=16384 force_version=tls1_2 \
@@ -6426,69 +5908,6 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \
 -c "16384 bytes written in $(fragments_for_write 16384) fragments" \
 -s "Read from client: $MAX_CONTENT_LEN bytes read"
-# Checking next 3 tests logs for 1n-1 split against BEAST too
-run_test "Large server packet TLS 1.0 BlockCipher" \
- "$P_SRV response_size=16384" \
- "$P_CLI force_version=tls1 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"\
- -c "16383 bytes read"\
- -C "Read from server: 16384 bytes read"
-
-run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \
- "$P_SRV response_size=16384" \
- "$P_CLI force_version=tls1 etm=0 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 1 bytes read"\
- -c "16383 bytes read"\
- -C "Read from server: 16384 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \
- "$P_SRV response_size=16384" \
- "$P_CLI force_version=tls1 recsplit=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
- trunc_hmac=1" \
- 0 \
- -c "Read from server: 1 bytes read"\
- -c "16383 bytes read"\
- -C "Read from server: 16384 bytes read"
-
-run_test "Large server packet TLS 1.1 BlockCipher" \
- "$P_SRV response_size=16384" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -c "Read from server: 16384 bytes read"
-
-run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \
- "$P_SRV response_size=16384" \
- "$P_CLI force_version=tls1_1 etm=0 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \
- 0 \
- -s "16384 bytes written in 1 fragments" \
- -c "Read from server: 16384 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \
- "$P_SRV response_size=16384" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
-
trunc_hmac=1" \
- 0 \
- -c "Read from server: 16384 bytes read"
-
-requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
-run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \
- "$P_SRV response_size=16384 trunc_hmac=1" \
- "$P_CLI force_version=tls1_1 \
- force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
- 0 \
- -s "16384 bytes written in 1 fragments" \
- -c "Read from server: 16384 bytes read"
-
 run_test "Large server packet TLS 1.2 BlockCipher" \
 "$P_SRV response_size=16384" \
 "$P_CLI force_version=tls1_2 \
@@ -6710,18 +6129,6 @@ run_test "SSL async private: sign, delay=2" \
 -s "Async resume (slot [0-9]): call 0 more times." \
 -s "Async resume (slot [0-9]): sign done, status=0"
-# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1
-# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1.
-requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-run_test "SSL async private: sign, RSA, TLS 1.1" \
- "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \
- async_operations=s async_private_delay1=0 async_private_delay2=0" \
- "$P_CLI force_version=tls1_1" \
- 0 \
- -s "Async sign callback: using key slot " \
- -s "Async resume (slot [0-9]): sign done, status=0"
-
 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
 requires_config_disabled MBEDTLS_X509_REMOVE_INFO
 run_test "SSL async private: sign, SNI" \
@@ -7999,21 +7406,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \
 -c "fragmenting handshake message" \
 -C "error"
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-requires_gnutls
-run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \
- "$G_SRV -u" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- mtu=512 force_version=dtls1" \
- 0 \
- -c "fragmenting handshake message" \
- -C "error"
-
 # We use --insecure for the GnuTLS client because it expects
 # the hostname / IP it connects to to be the name used in the
 # certificate obtained from the server. Here, however, it
@@ -8036,22 +7428,6 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \
 0 \
 -s "fragmenting handshake message"
-# See previous test for the reason to use --insecure
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-requires_gnutls
-requires_not_i686
-run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \
- "$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- mtu=512 force_version=dtls1" \
- "$G_CLI -u --insecure 127.0.0.1" \
- 0 \
- -s "fragmenting handshake message"
-
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_ECDSA_C
@@ -8066,20 +7442,6 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \
 -c "fragmenting handshake message" \
 -C "error"
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-run_test "DTLS fragmenting: openssl server, DTLS 1.0" \
- "$O_SRV -dtls1 -verify 10" \
- "$P_CLI dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- mtu=512 force_version=dtls1" \
- 0 \
- -c "fragmenting handshake message" \
- -C "error"
-
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_ECDSA_C
@@ -8093,19 +7455,6 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \
 0 \
 -s "fragmenting handshake message"
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-run_test "DTLS fragmenting: openssl client, DTLS 1.0" \
- "$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- mtu=512 force_version=dtls1" \
- "$O_CLI -dtls1" \
- 0 \
- -s "fragmenting handshake message"
-
 # interop tests for DTLS fragmentating with unreliable connection
 #
 # again we just want to test that the we fragment in a way that
@@ -8127,23 +7476,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \
 -c "fragmenting handshake message" \
 -C "error"
-requires_gnutls_next
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-client_needs_more_time 4
-run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \
- -p "$P_PXY drop=8 delay=8 duplicate=8" \
- "$G_NEXT_SRV -u" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=250-60000 mtu=512 force_version=dtls1" \
- 0 \
- -c "fragmenting handshake message" \
- -C "error"
-
 requires_gnutls_next
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 requires_config_enabled MBEDTLS_RSA_C
@@ -8160,22 +7492,6 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \
 0 \
 -s "fragmenting handshake message"
-requires_gnutls_next
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-client_needs_more_time 4
-run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \
- -p "$P_PXY drop=8 delay=8 duplicate=8" \
- "$P_SRV dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=250-60000 mtu=512 force_version=dtls1" \
- "$G_NEXT_CLI -u --insecure 127.0.0.1" \
- 0 \
- -s "fragmenting handshake message"
-
 ## Interop test with OpenSSL might trigger a bug in recent versions (including
 ## all versions installed on the CI machines), reported here:
 ## Bug report: https://github.com/openssl/openssl/issues/6902
@@ -8198,23 +7514,6 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \
 -c "fragmenting handshake message" \
 -C "error"
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-client_needs_more_time 4
-run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \
- -p "$P_PXY drop=8 delay=8 duplicate=8" \
- "$O_SRV -dtls1 -verify 10" \
- "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \
- crt_file=data_files/server8_int-ca2.crt \
- key_file=data_files/server8.key \
- hs_timeout=250-60000 mtu=512 force_version=dtls1" \
- 0 \
- -c "fragmenting handshake message" \
- -C "error"
-
 skip_next_test
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 requires_config_enabled MBEDTLS_RSA_C
@@ -8231,24 +7530,6 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \
 0 \
 -s "fragmenting handshake message"
-# -nbio is added to prevent s_client from blocking in case of duplicated
-# messages at the end of the handshake
-skip_next_test
-requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
-requires_config_enabled MBEDTLS_RSA_C
-requires_config_enabled MBEDTLS_ECDSA_C
-requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1
-client_needs_more_time 4
-run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \
- -p "$P_PXY drop=8 delay=8 duplicate=8" \
- "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \
- crt_file=data_files/server7_int-ca.crt \
- key_file=data_files/server7.key \
- hs_timeout=250-60000 mtu=512 force_version=dtls1" \
- "$O_CLI -nbio -dtls1" \
- 0 \
- -s "fragmenting handshake message"
-
 # Tests for DTLS-SRTP (RFC 5764)
 requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
 run_test "DTLS-SRTP all profiles supported" \
From 28126050f2937ff69e02c35ca50ee30af6a0ad14 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 13 May 2021 10:34:48 +0200
Subject: [PATCH 02/11] Removal of constants and functions and a new ChangeLog file
Signed-off-by: TRodziewicz
---
 ChangeLog.d/issue4286.txt | 9 ++++++++
 include/mbedtls/config.h | 12 -----------
 include/mbedtls/ssl.h | 10 ---------
 library/ssl_msg.c | 42 -------------------------------------
 library/ssl_tls.c | 15 -------------
 programs/fuzz/fuzz_client.c | 3 ---
 programs/ssl/ssl_client2.c | 15 -------------
 tests/scripts/all.sh | 18 ----------------
 8 files changed, 9 insertions(+), 115 deletions(-)
 create mode 100644 ChangeLog.d/issue4286.txt
diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt
new file mode 100644
index 000000000..3fb958563
--- /dev/null
+++ b/ChangeLog.d/issue4286.txt
@@ -0,0 +1,9 @@
+Removals
+ * Remove the following deprecated library constants
+ MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1,
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING,
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED,
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions
+ ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test
+ function component_test_variable_ssl_in_out_buffer_len_record_splitting().
+ Fixes #4286.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 4905b9243..993b90ff6 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1592,18 +1592,6 @@
 */
 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
-/**
- * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
- *
- * Enable 1/n-1 record splitting for CBC mode in TLS.
- *
- * This is a countermeasure to the BEAST attack, which also minimizes the risk
- * of interoperability issues compared to sending 0-length records.
- *
- * Comment this macro to disable 1/n-1 record splitting.
- */
-#define MBEDTLS_SSL_CBC_RECORD_SPLITTING
-
 /**
 * \def MBEDTLS_SSL_RENEGOTIATION
 *
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 39661cbac..b5200426f 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -198,9 +198,6 @@
 #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0
 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1
-#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED 0
-#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED 1
-
 #define MBEDTLS_SSL_PRESET_DEFAULT 0
 #define MBEDTLS_SSL_PRESET_SUITEB 2
@@ -1192,9 +1189,6 @@ struct mbedtls_ssl_config
 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
 unsigned int anti_replay : 1; /*!< detect and prevent replay? */
 #endif
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */
-#endif
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
 unsigned int disable_renegotiation : 1; /*!< disable renegotiation? */
 #endif
@@ -1356,10 +1350,6 @@ struct mbedtls_ssl_context
 uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- signed char split_done; /*!< current record already splitted? */
-#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
-
 /*
 * PKI layer
 */
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 540d5d1f6..081a0b2b9 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -5475,44 +5475,6 @@ static int ssl_write_real( mbedtls_ssl_context *ssl,
 return( (int) len );
 }
-/*
- * Write application data, doing 1/n-1 splitting if necessary.
- *
- * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
- * then the caller will call us again with the same arguments, so
- * remember whether we already did the split or not.
- */
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
-static int ssl_write_split( mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len )
-{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
- if( ssl->conf->cbc_record_splitting ==
- MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
- len <= 1 ||
- ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
- mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
- != MBEDTLS_MODE_CBC )
- {
- return( ssl_write_real( ssl, buf, len ) );
- }
-
- if( ssl->split_done == 0 )
- {
- if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
- return( ret );
- ssl->split_done = 1;
- }
-
- if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
- return( ret );
- ssl->split_done = 0;
-
- return( ret + 1 );
-}
-#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
-
 /*
 * Write application data (public-facing wrapper)
 */
@@ -5542,11 +5504,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_
 }
 }
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- ret = ssl_write_split( ssl, buf, len );
-#else
 ret = ssl_write_real( ssl, buf, len );
-#endif
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 58675dbed..771e01a2a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -3307,10 +3307,6 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
 ssl->out_msgtype = 0;
 ssl->out_msglen = 0;
 ssl->out_left = 0;
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
- ssl->split_done = 0;
-#endif
 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
@@ -4202,13 +4198,6 @@ void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
 }
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
-void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
-{
- conf->cbc_record_splitting = split;
-}
-#endif
-
 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
 {
 conf->allow_legacy_renegotiation = allow_legacy;
@@ -6234,10 +6223,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
 #endif
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
-#endif
-
 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
 conf->f_cookie_write = ssl_cookie_write_dummy;
 conf->f_cookie_check = ssl_cookie_check_dummy;
diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c
index 618eda265..a6371736b 100644
--- a/programs/fuzz/fuzz_client.c
+++ b/programs/fuzz/fuzz_client.c
@@ -109,9 +109,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
 mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
 #endif
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
-#endif
 #if defined(MBEDTLS_SSL_RENEGOTIATION)
 mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
 #endif
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index fb3cce19f..a643900b9 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -248,13 +248,6 @@ int main( void )
 #define USAGE_MAX_FRAG_LEN ""
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
-#define USAGE_RECSPLIT \
- " recsplit=0/1 default: (library default: on)\n"
-#else
-#define USAGE_RECSPLIT
-#endif
-
 #if defined(MBEDTLS_DHM_C)
 #define USAGE_DHMLEN \
 " dhmlen=%%d default: (library default: 1024 bits)\n"
@@ -414,7 +407,6 @@ int main( void )
 USAGE_ETM \
 USAGE_REPRODUCIBLE \
 USAGE_CURVES \
- USAGE_RECSPLIT \
 USAGE_DHMLEN \
 "\n"
 #define USAGE4 \
@@ -1780,13 +1772,6 @@ int main( int argc, char *argv[] )
 #endif /* MBEDTLS_SSL_DTLS_SRTP */
 #endif /* MBEDTLS_SSL_EXPORT_KEYS */
-#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
- if( opt.recsplit != DFL_RECSPLIT )
- mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit
- ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
- : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
-#endif
-
 #if defined(MBEDTLS_DHM_C)
 if( opt.dhmlen != DFL_DHMLEN )
 mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen );
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 1653ad8b3..ef2b6363b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -2043,24 +2043,6 @@ component_test_variable_ssl_in_out_buffer_len_CID () {
 if_build_succeeded tests/compat.sh
 }
-component_test_variable_ssl_in_out_buffer_len_record_splitting () {
- msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled (ASan build)"
- scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
- scripts/config.py set MBEDTLS_SSL_CBC_RECORD_SPLITTING
-
- CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .
- make
-
- msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING"
- make test
-
- msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled"
- if_build_succeeded tests/ssl-opt.sh
-
- msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled"
- if_build_succeeded tests/compat.sh
-}
-
 component_test_ssl_alloc_buffer_and_mfl () {
 msg "build: default config with memory buffer allocator and MFL extension"
 scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
From 55bd84bebc9b038b30eb807c3f55d335a1003ec4 Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 13 May 2021 11:40:46 +0200
Subject: [PATCH 03/11] Correction to the ssl client/server usage comment.
Signed-off-by: TRodziewicz
---
 programs/ssl/ssl_client2.c | 2 +-
 programs/ssl/ssl_server2.c | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index a643900b9..3de9665f5 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -411,7 +411,7 @@ int main( void )
 "\n"
 #define USAGE4 \
 " allow_sha1=%%d default: 0\n" \
- " min_version=%%s default: (library default: tls1)\n" \
+ " min_version=%%s default: (library default: tls1_2)\n" \
 " max_version=%%s default: (library default: tls1_2)\n" \
 " force_version=%%s default: \"\" (none)\n" \
 " options: tls1_2, dtls1_2\n" \
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 70421b985..2cf2d73be 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -500,10 +500,10 @@ int main( void )
 USAGE_SSL_ASYNC \
 USAGE_SNI \
 " allow_sha1=%%d default: 0\n" \
- " min_version=%%s default: (library default: tls1)\n" \
+ " min_version=%%s default: (library default: tls1_2)\n" \
 " max_version=%%s default: (library default: tls1_2)\n" \
 " force_version=%%s default: \"\" (none)\n" \
- " options: tls1, dtls1_2\n" \
+ " options: tls1_2, dtls1_2\n" \
 "\n" \
 " version_suites=a,b,c per-version ciphersuites\n" \
 " in order from tls1 to tls1_2\n" \
From ef73f01927d755066c995f265d7643af55b5d3fa Mon Sep 17 00:00:00 2001
From: TRodziewicz
Date: Thu, 13 May 2021 14:53:36 +0200
Subject: [PATCH 04/11] Removing strayed dtls1 after doing tests
Signed-off-by: TRodziewicz
---
 library/ssl_msg.c | 2 +-
 library/ssl_tls.c | 4 +-
 tests/ssl-opt.sh | 255 ----------------------------------------
 3 files changed, 3 insertions(+), 258 deletions(-)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 081a0b2b9..8c9caa9ef 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -4811,7 +4811,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
 static size_t ssl_transform_get_explicit_iv_len(
 mbedtls_ssl_transform const *transform )
 {
- if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
+ if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
 return( 0 );
 return( transform->ivlen - transform->fixed_ivlen );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 771e01a2a..2fcd99d5e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
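Review bot: The `version_suites` help text just below the edited lines still reads `" in order from tls1 to tls1_2\n"`, naming two protocol versions this build no longer supports; the hunk fixes `min_version` and `force_version` but leaves that context line stale. With only TLS 1.2 left the per-version list has a single usable slot, so the line should be reworded, e.g. `" (only tls1_2 is supported)\n"`, or the `version_suites` option retired together with the multi-version table it describes. The equivalent text in ssl_client2.c is not visible in its hunk and should be checked for the same wording.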
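Review bot: The new comparison `transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3` classifies a transform with `minor_ver` 2 as having no explicit IV, whereas the removed line treated minor 2 (TLS 1.1) as using one; the result is only correct because such transforms can no longer be negotiated. Since the function now returns `0` for every version except the single supported one, the assumption should be written down, e.g. `/* Only TLS 1.2 transforms exist now; a lower minor_ver is unreachable. */` above the `if`, or the guard replaced by a check that `minor_ver == MBEDTLS_SSL_MINOR_VERSION_3` if callers guarantee it. The closing brace of `ssl_transform_get_explicit_iv_len` and the code that sets `minor_ver` lie outside this hunk.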
@@ -3579,7 +3579,7 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) return; - if( minor < MBEDTLS_SSL_MINOR_VERSION_1 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) + if( minor != MBEDTLS_SSL_MINOR_VERSION_3 ) return; set_protocol_version_ciphersuites(conf, minor, ciphersuites); @@ -6315,7 +6315,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_PROTO_DTLS) if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; #endif const int* default_ciphersuites = mbedtls_ssl_list_ciphersuites(); set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_1, diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 13db30b44..f107938c8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2641,27 +2641,6 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -run_test "Session resume using tickets, DTLS: openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -c "a session has been resumed" - -run_test "Session resume using tickets, DTLS: openssl client" \ - "$P_SRV dtls=1 debug_level=3 tickets=1" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" - # Tests for Session Resume based on session-ID and cache run_test "Session resume using cache: tickets enabled on client" \ 
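Review bot: The last context line of the mbedtls_ssl_config_defaults hunk still calls `set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_1,` while the first hunk makes mbedtls_ssl_conf_ciphersuites_for_version reject every minor other than MBEDTLS_SSL_MINOR_VERSION_3, so the defaults populate a per-version slot that no public setter can override and that no handshake can select once TLS 1.0 is gone. Unless the continuation outside the hunk also fills the MINOR_VERSION_3 slot, the default configuration is left without a TLS 1.2 ciphersuite list; either way the MINOR_VERSION_1 call should be changed to `MBEDTLS_SSL_MINOR_VERSION_3` and the per-version storage behind set_protocol_version_ciphersuites shrunk to the versions that remain. Both functions continue outside the hunk.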
@@ -2850,26 +2829,6 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -run_test "Session resume using cache, DTLS: openssl client" \ - "$P_SRV dtls=1 debug_level=3 tickets=0" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" - -run_test "Session resume using cache, DTLS: openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -c "a session has been resumed" - # Tests for Max Fragment Length extension if [ "$MAX_IN_LEN" -lt "4096" ]; then @@ -6683,34 +6642,6 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -C "error" \ -s "Extra-header:" -run_test "DTLS reassembly: no fragmentation (openssl server)" \ - "$O_SRV -dtls1 -mtu 2048" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -C "found fragmented DTLS handshake message" \ - -C "error" - -run_test "DTLS reassembly: some fragmentation (openssl server)" \ - "$O_SRV -dtls1 -mtu 768" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -run_test "DTLS reassembly: more fragmentation (openssl server)" \ - "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ - "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ - 0 \ - -c "found fragmented DTLS handshake message" \ - -C "error" - # Tests for sending fragmented handshake messages with DTLS # # Use client auth when we need the client to send large messages, 
@@ -7681,192 +7612,6 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \ -C "dumping 'received mki' (8 bytes)" \ -C "error" -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP all profiles supported. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." 
\
- "$P_SRV dtls=1 use_srtp=1 debug_level=3" \
- "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- 0 \
- -s "found use_srtp extension" \
- -s "found srtp profile" \
- -s "selected srtp profile" \
- -s "server hello, adding use_srtp extension" \
- -s "DTLS-SRTP key material is"\
- -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
- -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \
- "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
- "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- 0 \
- -s "found use_srtp extension" \
- -s "found srtp profile" \
- -s "selected srtp profile" \
- -s "server hello, adding use_srtp extension" \
- -s "DTLS-SRTP key material is"\
- -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
- -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \
- "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
- "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- 0 \
- -s "found use_srtp extension" \
- -s "found srtp profile" \
- -s "selected srtp profile" \
- -s "server hello, adding use_srtp extension" \
- -s "DTLS-SRTP key material is"\
- -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\
- -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server and Client support only one different profile. openssl client."
\
- "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \
- "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- 0 \
- -s "found use_srtp extension" \
- -s "found srtp profile" \
- -S "selected srtp profile" \
- -S "server hello, adding use_srtp extension" \
- -S "DTLS-SRTP key material is"\
- -C "SRTP Extension negotiated, profile"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \
- "$P_SRV dtls=1 debug_level=3" \
- "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- 0 \
- -s "found use_srtp extension" \
- -S "server hello, adding use_srtp extension" \
- -S "DTLS-SRTP key material is"\
- -C "SRTP Extension negotiated, profile"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP all profiles supported. openssl server" \
- "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -c "found use_srtp extension" \
- -c "found srtp profile" \
- -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \
- -c "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server."
\
- "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -c "found use_srtp extension" \
- -c "found srtp profile" \
- -c "selected srtp profile" \
- -c "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \
- "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -c "found use_srtp extension" \
- -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
- -c "selected srtp profile" \
- -c "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \
- "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -c "found use_srtp extension" \
- -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
- -c "selected srtp profile" \
- -c "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server and Client support only one matching profile. openssl server."
\
- "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -c "found use_srtp extension" \
- -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \
- -c "selected srtp profile" \
- -c "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \
- "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \
- "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -C "found use_srtp extension" \
- -C "found srtp profile" \
- -C "selected srtp profile" \
- -C "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \
- "$O_SRV -dtls1" \
- "$P_CLI dtls=1 use_srtp=1 debug_level=3" \
- 0 \
- -c "client hello, adding use_srtp extension" \
- -C "found use_srtp extension" \
- -C "found srtp profile" \
- -C "selected srtp profile" \
- -C "DTLS-SRTP key material is"\
- -C "error"
-
-requires_config_enabled MBEDTLS_SSL_DTLS_SRTP
-run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server."
\ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile" \ - -c "selected srtp profile" \ - -c "DTLS-SRTP key material is"\ - -c "DTLS-SRTP no mki value negotiated"\ - -c "dumping 'sending mki' (8 bytes)" \ - -C "dumping 'received mki' (8 bytes)" \ - -C "error" - requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls run_test "DTLS-SRTP all profiles supported. gnutls client." \ From b5850c52166351c43eb65bc71266c6c6984dd992 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 17:11:23 +0200 Subject: [PATCH 05/11] Correction of too restrictive ssl cli minor check Signed-off-by: TRodziewicz --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 3f7f68474..b0285d7ab 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1952,7 +1952,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) p += 2; if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || - minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 || + minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || major_ver > ssl->conf->max_major_ver || minor_ver > ssl->conf->max_minor_ver ) { From 2d8800e2278bcf7a39a14a88bc7a36724ad26f79 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 19:14:19 +0200 Subject: [PATCH 06/11] Small corrections in the comments Signed-off-by: TRodziewicz --- library/ssl_cli.c | 4 ++++ library/ssl_msg.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b0285d7ab..81c0d6b08 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -1951,6 +1951,10 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); p += 2; + /* + * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) + * even is lower than our min version. + */ if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || major_ver > ssl->conf->max_major_ver || diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 8c9caa9ef..9896ad014 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -836,7 +836,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * Prepend per-record IV for block cipher in TLS v1.2 + * Prepend per-record IV for block cipher in TLS v1.2 as per * Method 1 (6.2.3.2. in RFC4346 and RFC5246) */ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) From 6370dbeb1dd1c8d9278025388cc9acb810accff2 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 22:56:31 +0200 Subject: [PATCH 07/11] Remove the _SSL_FALLBACK_ parts Signed-off-by: TRodziewicz --- include/mbedtls/config.h | 18 --------- include/mbedtls/ssl.h | 78 -------------------------------------- library/ssl_cli.c | 13 ------- library/ssl_msg.c | 64 ------------------------------- library/ssl_srv.c | 23 ----------- library/ssl_tls.c | 7 ---- programs/ssl/ssl_client2.c | 22 ----------- tests/compat.sh | 2 +- 8 files changed, 1 insertion(+), 226 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 993b90ff6..715c73ada 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h 
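Review bot: The comment added above the version check in ssl_parse_hello_verify_request is inaccurate and contains a typo (`even is lower`): RFC 6347 section 4.2.1 is explicit that a DTLS 1.2 server SHOULD send DTLS 1.0 as server_version in HelloVerifyRequest regardless of the version it expects to negotiate, and that clients MUST NOT use that field for version negotiation — which is precisely why `minor_ver < MBEDTLS_SSL_MINOR_VERSION_2` is the correct lower bound now that DTLS 1.0 is otherwise unsupported. Suggest replacing the three-line comment with `/* RFC 6347 4.2.1: the server SHOULD send DTLS 1.0 in HelloVerifyRequest regardless of the version to be negotiated, so accept it even though it is below our minimum version. */`. The function begins outside the hunk.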
@@ -1552,24 +1552,6 @@ */ #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET -/** - * \def MBEDTLS_SSL_FALLBACK_SCSV - * - * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV) - * for Preventing Protocol Downgrade Attacks. - * - * For servers, it is recommended to always enable this, unless you support - * only one version of TLS, or know for sure that none of your clients - * implements a fallback strategy. - * - * For clients, you only need this if you're using a fallback strategy, which - * is not recommended in the first place, unless you absolutely need it to - * interoperate with buggy (version-intolerant) servers. - * - * Comment this macro to disable support for FALLBACK_SCSV - */ -#define MBEDTLS_SSL_FALLBACK_SCSV - /** * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b5200426f..8e6c1ee13 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -156,9 +156,6 @@ #define MBEDTLS_SSL_IS_CLIENT 0 #define MBEDTLS_SSL_IS_SERVER 1 -#define MBEDTLS_SSL_IS_NOT_FALLBACK 0 -#define MBEDTLS_SSL_IS_FALLBACK 1 - #define MBEDTLS_SSL_EXTENDED_MS_DISABLED 0 #define MBEDTLS_SSL_EXTENDED_MS_ENABLED 1 @@ -279,7 +276,6 @@ * Signaling ciphersuite values (SCSV) */ #define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */ -#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE 0x5600 /**< RFC 7507 section 2 */ /* * Supported Signature and Hash algorithms (For TLS 1.2) @@ -1198,9 +1194,6 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_SSL_SESSION_TICKETS) unsigned int session_tickets : 1; /*!< use session tickets? */ #endif -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) - unsigned int fallback : 1; /*!< is this a fallback? */ -#endif #if defined(MBEDTLS_SSL_SRV_C) unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in Certificate Request messages? */ 
@@ -1832,54 +1825,6 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, */ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); -/** - * \brief Check whether a buffer contains a valid and authentic record - * that has not been seen before. (DTLS only). - * - * This function does not change the user-visible state - * of the SSL context. Its sole purpose is to provide - * an indication of the legitimacy of an incoming record. - * - * This can be useful e.g. in distributed server environments - * using the DTLS Connection ID feature, in which connections - * might need to be passed between service instances on a change - * of peer address, but where such disruptive operations should - * only happen after the validity of incoming records has been - * confirmed. - * - * \param ssl The SSL context to use. - * \param buf The address of the buffer holding the record to be checked. - * This must be a read/write buffer of length \p buflen Bytes. - * \param buflen The length of \p buf in Bytes. - * - * \note This routine only checks whether the provided buffer begins - * with a valid and authentic record that has not been seen - * before, but does not check potential data following the - * initial record. In particular, it is possible to pass DTLS - * datagrams containing multiple records, in which case only - * the first record is checked. - * - * \note This function modifies the input buffer \p buf. If you need - * to preserve the original record, you have to maintain a copy. - * - * \return \c 0 if the record is valid and authentic and has not been - * seen before. - * \return MBEDTLS_ERR_SSL_INVALID_MAC if the check completed - * successfully but the record was found to be not authentic. - * \return MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed - * successfully but the record was found to be invalid for - * a reason different from authenticity checking. 
- * \return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed - * successfully but the record was found to be unexpected - * in the state of the SSL context, including replayed records. - * \return Another negative error code on different kinds of failure. - * In this case, the SSL context becomes unusable and needs - * to be freed or reset before reuse. - */ -int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, - unsigned char *buf, - size_t buflen ); - /** * \brief Set the timer callbacks (Mandatory for DTLS.) * @@ -3268,29 +3213,6 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino */ void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ); -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) -/** - * \brief Set the fallback flag (client-side only). - * (Default: MBEDTLS_SSL_IS_NOT_FALLBACK). - * - * \note Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback - * connection, that is a connection with max_version set to a - * lower value than the value you're willing to use. Such - * fallback connections are not recommended but are sometimes - * necessary to interoperate with buggy (version-intolerant) - * servers. - * - * \warning You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for - * non-fallback connections! This would appear to work for a - * while, then cause failures when the server is upgraded to - * support a newer TLS version. - * - * \param conf SSL configuration - * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK - */ -void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ); -#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */ - #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) /** * \brief Enable or disable Encrypt-then-MAC diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 81c0d6b08..6cf283e1d 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c 
@@ -1206,19 +1206,6 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) n++; } - /* Some versions of OpenSSL don't handle it correctly if not at end */ -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) - if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); - - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); - *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); - n++; - } -#endif - *q++ = (unsigned char)( n >> 7 ); *q++ = (unsigned char)( n << 1 ); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9896ad014..b629d79cb 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -86,70 +86,6 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) return( 0 ); } -static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, - unsigned char *buf, - size_t len, - mbedtls_record *rec ); - -int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, - unsigned char *buf, - size_t buflen ) -{ - int ret = 0; - MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); - - /* We don't support record checking in TLS because - * (a) there doesn't seem to be a usecase for it, and - * (b) In TLS 1.0, CBC record decryption has state - * and we'd need to backup the transform here. - */ - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) - { - ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; - goto exit; - } -#if defined(MBEDTLS_SSL_PROTO_DTLS) - else - { - mbedtls_record rec; - - ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); - goto exit; - } - - if( ssl->transform_in != NULL ) - { - ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); - goto exit; - } - } - } -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - -exit: - /* On success, we have decrypted the buffer in-place, so make - * sure we don't leak any plaintext data. */ - mbedtls_platform_zeroize( buf, buflen ); - - /* For the purpose of this API, treat messages with unexpected CID - * as well as such from future epochs as unexpected. */ - if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || - ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) - { - ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; - } - - MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); - return( ret ); -} - #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 diff --git a/library/ssl_srv.c b/library/ssl_srv.c index fb7ba975f..e2b2757d6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c 
@@ -1781,29 +1781,6 @@ read_record_header: ext += 4 + ext_size; } -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) - for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) - { - if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && - p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); - - if( ssl->minor_ver < ssl->conf->max_minor_ver ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); - - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); - - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - - break; - } - } -#endif /* MBEDTLS_SSL_FALLBACK_SCSV */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2fcd99d5e..edb41efec 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4147,13 +4147,6 @@ void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int mino conf->min_minor_ver = minor; } -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) -void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) -{ - conf->fallback = fallback; -} -#endif - #if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, char cert_req_ca_list ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 3de9665f5..af86838e9 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -287,13 +287,6 @@ int main( void ) #define USAGE_DTLS "" #endif -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) -#define USAGE_FALLBACK \ - " fallback=0/1 default: (library default: off)\n" -#else -#define USAGE_FALLBACK "" -#endif - #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #define USAGE_EMS \ " extended_ms=0/1 default: (library default: on)\n" 
@@ -402,7 +395,6 @@ int main( void ) USAGE_TRUNC_HMAC \ USAGE_CONTEXT_CRT_CB \ USAGE_ALPN \ - USAGE_FALLBACK \ USAGE_EMS \ USAGE_ETM \ USAGE_REPRODUCIBLE \ @@ -1055,15 +1047,6 @@ int main( int argc, char *argv[] ) { opt.alpn_string = q; } - else if( strcmp( p, "fallback" ) == 0 ) - { - switch( atoi( q ) ) - { - case 0: opt.fallback = MBEDTLS_SSL_IS_NOT_FALLBACK; break; - case 1: opt.fallback = MBEDTLS_SSL_IS_FALLBACK; break; - default: goto usage; - } - } else if( strcmp( p, "extended_ms" ) == 0 ) { switch( atoi( q ) ) @@ -1894,11 +1877,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) - if( opt.fallback != DFL_FALLBACK ) - mbedtls_ssl_conf_fallback( &conf, opt.fallback ); -#endif - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", diff --git a/tests/compat.sh b/tests/compat.sh index c57ec4fdc..6c1e0d4da 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -155,7 +155,7 @@ log() { # is_dtls is_dtls() { - test "$1" = "dtls1" -o "$1" = "dtls1_2" + test "$1" = "dtls1_2" } # minor_ver From 97e41723fa876eba6445efffe2e57488e7a8ddb4 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 23:20:17 +0200 Subject: [PATCH 08/11] Remove the _SSL_FALLBACK_ tests Signed-off-by: TRodziewicz --- tests/ssl-opt.sh | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f107938c8..59cb834ba 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh 
@@ -2442,25 +2442,6 @@ run_test "Extended Master Secret: client disabled, server enabled" \ -C "session hash for extended master secret" \ -S "session hash for extended master secret" -# Tests for FALLBACK_SCSV - -run_test "Fallback SCSV: enabled, max version" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 fallback=1" \ - 0 \ - -c "adding FALLBACK_SCSV" \ - -s "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, max version, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -fallback_scsv" \ - 0 \ - -s "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - # Test sending and receiving empty application data records run_test "Encrypt then MAC: empty application data record" \ From d807060e0a2528547c278ed9cea9e184e52c5b0d Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Fri, 14 May 2021 11:09:44 +0200 Subject: [PATCH 09/11] Addition of migration guide and corrections to the ChangeLog file Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 15 ++++++++++----- ...remove_support_for_tls_1.0_1.1_and_dtls_1.0.md | 11 +++++++++++ 2 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index 3fb958563..f2f2be218 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt 
@@ -1,9 +1,14 @@ Removals - * Remove the following deprecated library constants - MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, - MBEDTLS_SSL_CBC_RECORD_SPLITTING, + * Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following + deprecated library constants: MBEDTLS_SSL_PROTO_TLS1, + MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING, MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED, - MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions - ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test + MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING, + MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, + MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: + ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(), + ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(), + mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(), + ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test function component_test_variable_ssl_in_out_buffer_len_record_splitting(). Fixes #4286. diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md new file mode 100644 index 000000000..899f79aa0 --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md @@ -0,0 +1,11 @@ +Remove suport for TLS 1.0, 1.1 and DLTS 1.0 +------------------------------------------- + +This change affects users of the TLS 1.0, 1.1 and DTLS 1.0. + +The versions of (D)TLS that are being removed are not as secure as the latest +versions. Keeping them in the library creates opportunities for misconfiguration +and possibly downgrade attacks. More generally, more code means a larger attack +surface, even if the code is supposedly not used. + +The migration path is to adopt the latest versions of the protocol. 
From 4ca18aae38a307a0c88262db74715c9c07f953b5 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 20 May 2021 14:46:20 +0200 Subject: [PATCH 10/11] Corrections after the code review Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 9 +- ...ve_support_for_tls_1.0_1.1_and_dtls_1.0.md | 4 +- include/mbedtls/ssl.h | 7 +- library/ssl_misc.h | 12 +- library/ssl_msg.c | 66 ++++- library/ssl_srv.c | 15 +- library/ssl_tls.c | 2 +- programs/ssl/ssl_client2.c | 2 +- tests/ssl-opt.sh | 255 ++++++++++++++++++ 9 files changed, 339 insertions(+), 33 deletions(-) diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index f2f2be218..8fc1af266 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -6,9 +6,6 @@ Removals MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING, MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: - ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(), - ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(), - mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(), - ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test - function component_test_variable_ssl_in_out_buffer_len_record_splitting(). - Fixes #4286. + mbedtls_ssl_conf_cbc_record_splitting(), + mbedtls_ssl_get_key_exchange_md_ssl_tls(), + mbedtls_ssl_check_record(), mbedtls_ssl_conf_fallback(). Fixes #4286. diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md index 899f79aa0..4beebe240 100644 --- a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md +++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md 
@@ -1,7 +1,7 @@ -Remove suport for TLS 1.0, 1.1 and DLTS 1.0 +Remove suport for TLS 1.0, 1.1 and DTLS 1.0 ------------------------------------------- -This change affects users of the TLS 1.0, 1.1 and DTLS 1.0. +This change affects users of the TLS 1.0, 1.1 and DTLS 1.0 protocols. The versions of (D)TLS that are being removed are not as secure as the latest versions. Keeping them in the library creates opportunities for misconfiguration diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8e6c1ee13..66cbd48e1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2533,9 +2533,8 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, * \param ciphersuites 0-terminated list of allowed ciphersuites * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 * supported) - * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_1, - * MBEDTLS_SSL_MINOR_VERSION_2, - * MBEDTLS_SSL_MINOR_VERSION_3 supported) + * \param minor Minor version number (only MBEDTLS_SSL_MINOR_VERSION_3 + * supported) * * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ @@ -3203,7 +3202,7 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino * \note Input outside of the SSL_MAX_XXXXX_VERSION and * SSL_MIN_XXXXX_VERSION range is ignored. * - * \note With DTLS, MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a5a12ceb2..1f1de2bfd 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
@@ -72,7 +72,7 @@ #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 +#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 /* Determine maximum supported version */ @@ -113,13 +113,7 @@ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) -#define MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* This macro determines whether CBC is supported. */ #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ @@ -147,7 +141,7 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_MAC #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /* Ciphersuites using HMAC */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index b629d79cb..a75b9190b 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -86,6 +86,70 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) return( 0 ); } +static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, + unsigned char *buf, + size_t len, + mbedtls_record *rec ); + +int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, + unsigned char *buf, + size_t buflen ) +{ + int ret = 0; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); + + /* We don't support record checking in TLS because + * (a) there doesn't seem to be a usecase for it, and + * (b) In TLS 1.0, CBC record decryption has state + * and we'd need to backup the transform here. + */ + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) + { + ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + goto exit; + } +#if defined(MBEDTLS_SSL_PROTO_DTLS) + else + { + mbedtls_record rec; + + ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); + goto exit; + } + + if( ssl->transform_in != NULL ) + { + ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); + goto exit; + } + } + } +#endif /* MBEDTLS_SSL_PROTO_DTLS */ + +exit: + /* On success, we have decrypted the buffer in-place, so make + * sure we don't leak any plaintext data. */ + mbedtls_platform_zeroize( buf, buflen ); + + /* For the purpose of this API, treat messages with unexpected CID + * as well as such from future epochs as unexpected. */ + if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || + ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) + { + ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; + } + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); + return( ret ); +} + #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 
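Review bot: The rationale comment in the restored `mbedtls_ssl_check_record` body still gives "(b) In TLS 1.0, CBC record decryption has state" as a reason for refusing stream transports, but this same series removes TLS 1.0, so reason (b) is now stale and will mislead the next reader into thinking a stateful-CBC path still exists. Only reason (a) survives; I would replace the four-line block with `/* Record checking is only offered over DTLS: there is no known use case for it over TLS, so stream transports get MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE without touching the context. */`. It is also worth a one-line comment at the `if( ssl->transform_in != NULL )` check that a record arriving before any transform is installed is accepted on header parsing alone, because the exit comment "we have decrypted the buffer in-place" is not true on that path even though `mbedtls_platform_zeroize` correctly wipes the caller's buffer on every path.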
@@ -4960,7 +5024,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) * more than the block size of the underlying cipher. */ transform_expansion += block_size; - /* For TLS 1.1 or higher, an explicit IV is added + /* For TLS 1.2 or higher, an explicit IV is added * after the record header. */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e2b2757d6..8f13a2cec 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3148,11 +3148,8 @@ curve_matching_done: /* * 2.1: Choose hash algorithm: - * A: For TLS 1.2, obey signature-hash-algorithm extension - * to choose appropriate hash. - * B: For TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 - * (RFC 4492, Sec. 5.4) - * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) + * For TLS 1.2, obey signature-hash-algorithm extension + * to choose appropriate hash. */ mbedtls_md_type_t md_alg; @@ -3162,7 +3159,7 @@ curve_matching_done: mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { - /* A: For TLS 1.2, obey signature-hash-algorithm extension + /* For TLS 1.2, obey signature-hash-algorithm extension * (RFC 5246, Sec. 7.4.1.4.1). */ if( sig_alg == MBEDTLS_PK_NONE || ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, @@ -3175,11 +3172,11 @@ curve_matching_done: } } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { - /* C: MD5 + SHA1 */ - md_alg = MBEDTLS_MD_NONE; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %u for signing", (unsigned) md_alg ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index edb41efec..e60c0726f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
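Review bot: In the third ssl_srv.c hunk, moving `#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */` below the new `else` branch leaves `md_alg` (declared as `mbedtls_md_type_t md_alg;` in the first hunk) with no assignment at all when MBEDTLS_SSL_PROTO_TLS1_2 is not defined, so the `"pick hash algorithm %u for signing"` debug line and whatever consumes `md_alg` afterwards would read an uninitialized value; the removed else branch used to set `MBEDTLS_MD_NONE` there. If a TLS-enabled build without TLS 1.2 is still possible after this series (I cannot tell from the hunk), either initialize `mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;` or, better for a fail-closed server, add an `#else` arm that returns `MBEDTLS_ERR_SSL_INTERNAL_ERROR`. The enclosing function starts and ends outside this hunk.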
@@ -961,7 +961,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, goto end; } -#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index af86838e9..12b4bdf7e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1324,7 +1324,7 @@ int main( int argc, char *argv[] ) if( opt.min_version < ciphersuite_info->min_minor_ver ) { opt.min_version = ciphersuite_info->min_minor_ver; - /* for DTLS 1.2 */ + /* DTLS starts with TLS 1.2 */ if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && opt.min_version < MBEDTLS_SSL_MINOR_VERSION_3 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 59cb834ba..1d49dc5cb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2622,6 +2622,27 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +run_test "Session resume using tickets, DTLS: openssl server" \ + "$O_SRV -dtls" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -c "found session_ticket extension" \ + -c "parse new session ticket" \ + -c "a session has been resumed" + +run_test "Session resume using tickets, DTLS: openssl client" \ + "$P_SRV dtls=1 debug_level=3 tickets=1" \ + "( $O_CLI -dtls -sess_out $SESSION; \ + $O_CLI -dtls -sess_in $SESSION; \ + rm -f $SESSION )" \ + 0 \ + -s "found session ticket extension" \ + -s "server hello, adding session ticket extension" \ + -S "session successfully restored from cache" \ + -s "session successfully restored from ticket" \ + -s "a session has been resumed" + # Tests for Session Resume based on session-ID and cache run_test "Session resume using cache: tickets enabled on client" \ 
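Review bot: The guard `if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )` kept as context in the ssl_populate_transform hunk is now vacuous, since ssl_misc.h in this same series raises MBEDTLS_SSL_MIN_VALID_MINOR_VERSION to MBEDTLS_SSL_MINOR_VERSION_3 and TLS 1.0/1.1 can no longer be negotiated, so a reader will assume a lower-version branch still exists. Tighten it to `if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )` (or drop the condition altogether), and if an else branch below the hunk still handles older versions it is now dead code that should go with it. ssl_populate_transform continues outside the hunk.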
@@ -2810,6 +2831,26 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +run_test "Session resume using cache, DTLS: openssl client" \ + "$P_SRV dtls=1 debug_level=3 tickets=0" \ + "( $O_CLI -dtls -sess_out $SESSION; \ + $O_CLI -dtls -sess_in $SESSION; \ + rm -f $SESSION )" \ + 0 \ + -s "found session ticket extension" \ + -S "server hello, adding session ticket extension" \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" + +run_test "Session resume using cache, DTLS: openssl server" \ + "$O_SRV -dtls" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + 0 \ + -C "found session_ticket extension" \ + -C "parse new session ticket" \ + -c "a session has been resumed" + # Tests for Max Fragment Length extension if [ "$MAX_IN_LEN" -lt "4096" ]; then @@ -6623,6 +6664,34 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -C "error" \ -s "Extra-header:" +run_test "DTLS reassembly: no fragmentation (openssl server)" \ + "$O_SRV -dtls -mtu 2048" \ + "$P_CLI dtls=1 debug_level=2" \ + 0 \ + -C "found fragmented DTLS handshake message" \ + -C "error" + +run_test "DTLS reassembly: some fragmentation (openssl server)" \ + "$O_SRV -dtls -mtu 768" \ + "$P_CLI dtls=1 debug_level=2" \ + 0 \ + -c "found fragmented DTLS handshake message" \ + -C "error" + +run_test "DTLS reassembly: more fragmentation (openssl server)" \ + "$O_SRV -dtls -mtu 256" \ + "$P_CLI dtls=1 debug_level=2" \ + 0 \ + -c "found fragmented DTLS handshake message" \ + -C "error" + +run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ + "$O_SRV -dtls -mtu 256" \ + "$P_CLI dtls=1 nbio=2 debug_level=2" \ + 0 \ + -c "found fragmented DTLS handshake message" \ + -C "error" + # Tests for sending fragmented handshake messages with DTLS # # Use client auth when we need the client to send large messages, 
@@ -7593,6 +7662,192 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \ -C "dumping 'received mki' (8 bytes)" \ -C "error" +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." 
\ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one different profile. openssl client." 
\ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -S "selected srtp profile" \ + -S "server hello, adding use_srtp extension" \ + -S "DTLS-SRTP key material is"\ + -C "SRTP Extension negotiated, profile" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \ + "$P_SRV dtls=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -S "server hello, adding use_srtp extension" \ + -S "DTLS-SRTP key material is"\ + -C "SRTP Extension negotiated, profile" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. openssl server" \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." 
\ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." 
\ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -C "found use_srtp extension" \ + -C "found srtp profile" \ + -C "selected srtp profile" \ + -C "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \ + "$O_SRV -dtls" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -C "found use_srtp extension" \ + -C "found srtp profile" \ + -C "selected srtp profile" \ + -C "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." 
\ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -c "DTLS-SRTP no mki value negotiated"\ + -c "dumping 'sending mki' (8 bytes)" \ + -C "dumping 'received mki' (8 bytes)" \ + -C "error" + requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls run_test "DTLS-SRTP all profiles supported. gnutls client." \ From 9d1ce40898ec514533369f9ab0b12f69f197542d Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Mon, 24 May 2021 14:07:17 +0200 Subject: [PATCH 11/11] Additional corrections Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 4 ++-- include/mbedtls/ssl.h | 48 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index 8fc1af266..68eb66764 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -7,5 +7,5 @@ Removals MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: mbedtls_ssl_conf_cbc_record_splitting(), - mbedtls_ssl_get_key_exchange_md_ssl_tls(), - mbedtls_ssl_check_record(), mbedtls_ssl_conf_fallback(). Fixes #4286. + mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(). + Fixes #4286. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 66cbd48e1..bdc2b4797 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
@@ -1825,6 +1825,54 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, */ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); +/** + * \brief Check whether a buffer contains a valid and authentic record + * that has not been seen before. (DTLS only). + * + * This function does not change the user-visible state + * of the SSL context. Its sole purpose is to provide + * an indication of the legitimacy of an incoming record. + * + * This can be useful e.g. in distributed server environments + * using the DTLS Connection ID feature, in which connections + * might need to be passed between service instances on a change + * of peer address, but where such disruptive operations should + * only happen after the validity of incoming records has been + * confirmed. + * + * \param ssl The SSL context to use. + * \param buf The address of the buffer holding the record to be checked. + * This must be a read/write buffer of length \p buflen Bytes. + * \param buflen The length of \p buf in Bytes. + * + * \note This routine only checks whether the provided buffer begins + * with a valid and authentic record that has not been seen + * before, but does not check potential data following the + * initial record. In particular, it is possible to pass DTLS + * datagrams containing multiple records, in which case only + * the first record is checked. + * + * \note This function modifies the input buffer \p buf. If you need + * to preserve the original record, you have to maintain a copy. + * + * \return \c 0 if the record is valid and authentic and has not been + * seen before. + * \return MBEDTLS_ERR_SSL_INVALID_MAC if the check completed + * successfully but the record was found to be not authentic. + * \return MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed + * successfully but the record was found to be invalid for + * a reason different from authenticity checking. 
+ * \return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed + * successfully but the record was found to be unexpected + * in the state of the SSL context, including replayed records. + * \return Another negative error code on different kinds of failure. + * In this case, the SSL context becomes unusable and needs + * to be freed or reset before reuse. + */ +int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, + unsigned char *buf, + size_t buflen ); + /** * \brief Set the timer callbacks (Mandatory for DTLS.) *
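Review bot: The restored Doxygen block promises `\return \c 0 if the record is valid and authentic`, but the implementation added in ssl_msg.c in this series only calls `mbedtls_ssl_decrypt_buf` when `ssl->transform_in != NULL`; a record accepted before any transform is installed has passed the header-parsing checks only, with no MAC/AEAD verification, which matters for the connection-migration use case the brief describes. I would add `\note Before a transform is in place (initial epoch), a return of \c 0 attests only to a well-formed record header that passed the DTLS parsing checks, not to authenticity.`. The return list also omits `MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE`, which the implementation returns for TLS (stream) transports without harming the context, so as written the catch-all "Another negative error code ... becomes unusable" wrongly tells such callers to reset the context; add `\return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the context uses the TLS (stream) transport; the context remains usable.`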