Merge pull request #4664 from tom-daubney-arm/rm_truncated_HMAC_ext
Remove truncated HMAC extension
This commit is contained in:
commit
508d3a5824
17 changed files with 18 additions and 460 deletions
|
@ -32,8 +32,6 @@ API changes
|
|||
* Drop support for parsing SSLv2 ClientHello
|
||||
(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO).
|
||||
* Drop support for SSLv3 (MBEDTLS_SSL_PROTO_SSL3).
|
||||
* Drop support for compatibility with our own previous buggy
|
||||
implementation of truncated HMAC (MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT).
|
||||
* Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
|
||||
* Drop support for RC4 TLS ciphersuites.
|
||||
* Drop support for single-DES ciphersuites.
|
||||
|
|
5
ChangeLog.d/rm-truncated-hmac-ext.txt
Normal file
5
ChangeLog.d/rm-truncated-hmac-ext.txt
Normal file
|
@ -0,0 +1,5 @@
|
|||
Removals
|
||||
* Remove MBEDTLS_SSL_TRUNCATED_HMAC and also remove
|
||||
MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT config option. Users are better served by
|
||||
using a CCM-8 ciphersuite than a CBC ciphersuite with truncated HMAC.
|
||||
See issue #4341 for more details.
|
|
@ -137,17 +137,16 @@ and relied on that version in order to communicate with peers that are not up
|
|||
to date. If one of your peers is in that case, please try contacting them and
|
||||
encouraging them to upgrade their software.
|
||||
|
||||
Remove support for compatibility with old Mbed TLS's truncated HMAC
|
||||
-------------------------------------------------------------------
|
||||
Remove support for truncated HMAC
|
||||
---------------------------------
|
||||
|
||||
This doesn't affect people using the default configuration as it was already
|
||||
disabled by default.
|
||||
This affects users of truncated HMAC, that is, users who called
|
||||
`mbedtls_ssl_conf_truncated_hmac( ..., MBEDTLS_SSL_TRUNC_HMAC_ENABLED)`,
|
||||
regardless of whether the standard version was used or compatibility version
|
||||
(`MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT`).
|
||||
|
||||
This only affects TLS users who enabled `MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT` and
|
||||
used the Truncated HMAC extension to communicate with peers using old version
|
||||
of Mbed TLS. Please consider using a CCM-8 ciphersuite instead of the
|
||||
Truncated HMAC extension, or convincing your peer to upgrade their version of
|
||||
Mbed TLS.
|
||||
The recommended migration path for people who want minimal overhead is to use a
|
||||
CCM-8 ciphersuite.
|
||||
|
||||
Remove support for TLS record-level compression
|
||||
-----------------------------------------------
|
||||
|
|
|
@ -829,6 +829,10 @@
|
|||
#error "MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4335"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) //no-check-names
|
||||
#error "MBEDTLS_SSL_TRUNCATED_HMAC was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4341"
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Avoid warning from -pedantic. This is a convenient place for this
|
||||
* workaround since this is included by every single file before the
|
||||
|
|
|
@ -1617,15 +1617,6 @@
|
|||
*/
|
||||
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
*
|
||||
* Enable support for RFC 6066 truncated HMAC in SSL.
|
||||
*
|
||||
* Comment this macro to disable support for truncated HMAC in SSL
|
||||
*/
|
||||
#define MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
*
|
||||
|
|
|
@ -958,10 +958,6 @@ struct mbedtls_ssl_session
|
|||
unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
int MBEDTLS_PRIVATE(trunc_hmac); /*!< flag for truncated hmac activation */
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */
|
||||
#endif
|
||||
|
@ -1182,9 +1178,6 @@ struct mbedtls_ssl_config
|
|||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
unsigned int MBEDTLS_PRIVATE(disable_renegotiation) : 1; /*!< disable renegotiation? */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
unsigned int MBEDTLS_PRIVATE(trunc_hmac) : 1; /*!< negotiate truncated hmac? */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
unsigned int MBEDTLS_PRIVATE(session_tickets) : 1; /*!< use session tickets? */
|
||||
#endif
|
||||
|
@ -3330,18 +3323,6 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c
|
|||
void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order );
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
/**
|
||||
* \brief Activate negotiation of truncated HMAC
|
||||
* (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param truncate Enable or disable (MBEDTLS_SSL_TRUNC_HMAC_ENABLED or
|
||||
* MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
|
||||
*/
|
||||
void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate );
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
/**
|
||||
* \brief Enable / Disable session tickets (client only).
|
||||
|
|
|
@ -559,36 +559,6 @@ static int ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
static int ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
const unsigned char *end,
|
||||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
|
||||
return( 0 );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||
( "client hello, adding truncated_hmac extension" ) );
|
||||
|
||||
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
|
||||
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
|
||||
|
||||
*p++ = 0x00;
|
||||
*p++ = 0x00;
|
||||
|
||||
*olen = 4;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
static int ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
|
@ -1304,16 +1274,6 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
if( ( ret = ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len,
|
||||
end, &olen ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_truncated_hmac_ext", ret );
|
||||
return( ret );
|
||||
}
|
||||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
if( ( ret = ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len,
|
||||
end, &olen ) ) != 0 )
|
||||
|
@ -1479,31 +1439,6 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t len )
|
||||
{
|
||||
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED ||
|
||||
len != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1,
|
||||
( "non-matching truncated HMAC extension" ) );
|
||||
mbedtls_ssl_send_alert_message(
|
||||
ssl,
|
||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
((void) buf);
|
||||
|
||||
ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
|
@ -2346,19 +2281,6 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||
break;
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
|
||||
|
||||
if( ( ret = ssl_parse_truncated_hmac_ext( ssl,
|
||||
ext + 4, ext_size ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
case MBEDTLS_TLS_EXT_CID:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
|
||||
|
|
|
@ -543,28 +543,6 @@ static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t len )
|
||||
{
|
||||
if( len != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
((void) buf);
|
||||
|
||||
if( ssl->conf->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
|
||||
ssl->session_negotiate->trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
|
@ -1703,16 +1681,6 @@ read_record_header:
|
|||
break;
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
|
||||
|
||||
ret = ssl_parse_truncated_hmac_ext( ssl, ext + 4, ext_size );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
case MBEDTLS_TLS_EXT_CID:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
|
||||
|
@ -1721,7 +1689,7 @@ read_record_header:
|
|||
if( ret != 0 )
|
||||
return( ret );
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
|
||||
|
@ -1967,31 +1935,6 @@ have_ciphersuite:
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
|
||||
if( ssl->session_negotiate->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_DISABLED )
|
||||
{
|
||||
*olen = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding truncated hmac extension" ) );
|
||||
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_TRUNCATED_HMAC ) & 0xFF );
|
||||
|
||||
*p++ = 0x00;
|
||||
*p++ = 0x00;
|
||||
|
||||
*olen = 4;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
|
@ -2654,11 +2597,6 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||
ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
|
|
|
@ -672,9 +672,6 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
int encrypt_then_mac,
|
||||
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
int trunc_hmac,
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
|
||||
ssl_tls_prf_t tls_prf,
|
||||
const unsigned char randbytes[64],
|
||||
|
@ -845,18 +842,6 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||
mac_key_len = mbedtls_md_get_size( md_info );
|
||||
transform->maclen = mac_key_len;
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
/*
|
||||
* If HMAC is to be truncated, we shall keep the leftmost bytes,
|
||||
* (rfc 6066 page 13 or rfc 2104 section 4),
|
||||
* so we only need to adjust the length here.
|
||||
*/
|
||||
if( trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
|
||||
{
|
||||
transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
/* IV length */
|
||||
transform->ivlen = cipher_info->iv_size;
|
||||
|
||||
|
@ -1368,9 +1353,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
ssl->session_negotiate->encrypt_then_mac,
|
||||
#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
ssl->session_negotiate->trunc_hmac,
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
|
||||
ssl->handshake->tls_prf,
|
||||
ssl->handshake->randbytes,
|
||||
|
@ -4141,13 +4123,6 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
|
||||
{
|
||||
conf->trunc_hmac = truncate;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
|
||||
{
|
||||
conf->allow_legacy_renegotiation = allow_legacy;
|
||||
|
@ -4536,11 +4511,7 @@ int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
|
|||
#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 1
|
||||
#else
|
||||
#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 0
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
|
||||
|
@ -4783,13 +4754,6 @@ static int ssl_session_save( const mbedtls_ssl_session *session,
|
|||
*p++ = session->mfl_code;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
used += 1;
|
||||
|
||||
if( used <= buf_len )
|
||||
*p++ = (unsigned char)( ( session->trunc_hmac ) & 0xFF );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
used += 1;
|
||||
|
||||
|
@ -5025,13 +4989,6 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||
session->mfl_code = *p++;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
if( 1 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
session->trunc_hmac = *p++;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
if( 1 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
@ -5848,9 +5805,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
|
|||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
ssl->session->encrypt_then_mac,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
ssl->session->trunc_hmac,
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
|
||||
ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
|
||||
p, /* currently pointing to randbytes */
|
||||
|
|
|
@ -102,9 +102,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
|||
{
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
|
||||
}
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
|
||||
#endif
|
||||
|
|
|
@ -128,9 +128,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
|||
&ticket_ctx );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
|
||||
#endif
|
||||
|
|
|
@ -235,13 +235,6 @@ int main( void )
|
|||
#define USAGE_SRTP ""
|
||||
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
#define USAGE_TRUNC_HMAC \
|
||||
" trunc_hmac=%%d default: library default\n"
|
||||
#else
|
||||
#define USAGE_TRUNC_HMAC ""
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
#define USAGE_MAX_FRAG_LEN \
|
||||
" max_frag_len=%%d default: 16384 (tls default)\n" \
|
||||
|
@ -394,7 +387,6 @@ int main( void )
|
|||
USAGE_TICKETS \
|
||||
USAGE_EAP_TLS \
|
||||
USAGE_MAX_FRAG_LEN \
|
||||
USAGE_TRUNC_HMAC \
|
||||
USAGE_CONTEXT_CRT_CB \
|
||||
USAGE_ALPN \
|
||||
USAGE_EMS \
|
||||
|
@ -1721,11 +1713,6 @@ int main( int argc, char *argv[] )
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
if( opt.extended_ms != DFL_EXTENDED_MS )
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
||||
|
|
|
@ -862,7 +862,6 @@ void print_deserialized_ssl_context( const uint8_t *ssl, size_t len )
|
|||
print_if_bit( "MBEDTLS_HAVE_TIME", SESSION_CONFIG_TIME_BIT, session_cfg_flag );
|
||||
print_if_bit( "MBEDTLS_X509_CRT_PARSE_C", SESSION_CONFIG_CRT_BIT, session_cfg_flag );
|
||||
print_if_bit( "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH", SESSION_CONFIG_MFL_BIT, session_cfg_flag );
|
||||
print_if_bit( "MBEDTLS_SSL_TRUNCATED_HMAC", SESSION_CONFIG_TRUNC_HMAC_BIT, session_cfg_flag );
|
||||
print_if_bit( "MBEDTLS_SSL_ENCRYPT_THEN_MAC", SESSION_CONFIG_ETM_BIT, session_cfg_flag );
|
||||
print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS", SESSION_CONFIG_TICKET_BIT, session_cfg_flag );
|
||||
print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS and client", SESSION_CONFIG_CLIENT_TICKET_BIT, session_cfg_flag );
|
||||
|
|
|
@ -334,13 +334,6 @@ int main( void )
|
|||
#define USAGE_MAX_FRAG_LEN ""
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
#define USAGE_TRUNC_HMAC \
|
||||
" trunc_hmac=%%d default: library default\n"
|
||||
#else
|
||||
#define USAGE_TRUNC_HMAC ""
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ALPN)
|
||||
#define USAGE_ALPN \
|
||||
" alpn=%%s default: \"\" (disabled)\n" \
|
||||
|
@ -487,7 +480,6 @@ int main( void )
|
|||
USAGE_NSS_KEYLOG_FILE \
|
||||
USAGE_CACHE \
|
||||
USAGE_MAX_FRAG_LEN \
|
||||
USAGE_TRUNC_HMAC \
|
||||
USAGE_ALPN \
|
||||
USAGE_EMS \
|
||||
USAGE_ETM \
|
||||
|
@ -2510,11 +2502,6 @@ int main( int argc, char *argv[] )
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_DTLS_SRTP */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
if( opt.trunc_hmac != DFL_TRUNC_HMAC )
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, opt.trunc_hmac );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
if( opt.extended_ms != DFL_EXTENDED_MS )
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, opt.extended_ms );
|
||||
|
|
|
@ -210,7 +210,6 @@ run_test "Default configuration, server" \
|
|||
-u "MBEDTLS_HAVE_TIME$" \
|
||||
-u "MBEDTLS_X509_CRT_PARSE_C$" \
|
||||
-u "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
|
||||
-u "MBEDTLS_SSL_TRUNCATED_HMAC$" \
|
||||
-u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
|
||||
-u "MBEDTLS_SSL_SESSION_TICKETS$" \
|
||||
-u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
|
||||
|
@ -233,7 +232,6 @@ run_test "Default configuration, client" \
|
|||
-u "MBEDTLS_HAVE_TIME$" \
|
||||
-u "MBEDTLS_X509_CRT_PARSE_C$" \
|
||||
-u "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
|
||||
-u "MBEDTLS_SSL_TRUNCATED_HMAC$" \
|
||||
-u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
|
||||
-u "MBEDTLS_SSL_SESSION_TICKETS$" \
|
||||
-u "MBEDTLS_SSL_SESSION_TICKETS and client$" \
|
||||
|
@ -339,7 +337,6 @@ run_test "Minimal configuration, server" \
|
|||
"srv_min_cfg.txt" \
|
||||
-n "ERROR" \
|
||||
-n "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
|
||||
-n "MBEDTLS_SSL_TRUNCATED_HMAC$" \
|
||||
-n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
|
||||
-n "MBEDTLS_SSL_SESSION_TICKETS$" \
|
||||
-n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
|
||||
|
@ -350,7 +347,6 @@ run_test "Minimal configuration, client" \
|
|||
"cli_min_cfg.txt" \
|
||||
-n "ERROR" \
|
||||
-n "MBEDTLS_SSL_MAX_FRAGMENT_LENGTH$" \
|
||||
-n "MBEDTLS_SSL_TRUNCATED_HMAC$" \
|
||||
-n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \
|
||||
-n "MBEDTLS_SSL_SESSION_TICKETS$" \
|
||||
-n "MBEDTLS_SSL_SESSION_TICKETS and client$" \
|
||||
|
|
190
tests/ssl-opt.sh
190
tests/ssl-opt.sh
|
@ -1464,102 +1464,6 @@ run_test "DTLS: multiple records in same datagram, neither client nor server"
|
|||
-S "next record in same datagram" \
|
||||
-C "next record in same datagram"
|
||||
|
||||
# Tests for Truncated HMAC extension
|
||||
|
||||
run_test "Truncated HMAC: client default, server default" \
|
||||
"$P_SRV debug_level=4" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC: client disabled, server default" \
|
||||
"$P_SRV debug_level=4" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC: client enabled, server default" \
|
||||
"$P_SRV debug_level=4" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC: client enabled, server disabled" \
|
||||
"$P_SRV debug_level=4 trunc_hmac=0" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC: client disabled, server enabled" \
|
||||
"$P_SRV debug_level=4 trunc_hmac=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC: client enabled, server enabled" \
|
||||
"$P_SRV debug_level=4 trunc_hmac=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-S "dumping 'expected mac' (20 bytes)" \
|
||||
-s "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
run_test "Truncated HMAC, DTLS: client default, server default" \
|
||||
"$P_SRV dtls=1 debug_level=4" \
|
||||
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC, DTLS: client disabled, server default" \
|
||||
"$P_SRV dtls=1 debug_level=4" \
|
||||
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC, DTLS: client enabled, server default" \
|
||||
"$P_SRV dtls=1 debug_level=4" \
|
||||
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC, DTLS: client enabled, server disabled" \
|
||||
"$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \
|
||||
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC, DTLS: client disabled, server enabled" \
|
||||
"$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
|
||||
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \
|
||||
0 \
|
||||
-s "dumping 'expected mac' (20 bytes)" \
|
||||
-S "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
|
||||
"$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \
|
||||
"$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-S "dumping 'expected mac' (20 bytes)" \
|
||||
-s "dumping 'expected mac' (10 bytes)"
|
||||
|
||||
# Tests for Context serialization
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
|
@ -5660,22 +5564,6 @@ run_test "Small client packet TLS 1.2 BlockCipher larger MAC" \
|
|||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small client packet TLS 1.2 BlockCipher, truncated MAC" \
|
||||
"$P_SRV trunc_hmac=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
"$P_SRV trunc_hmac=1" \
|
||||
"$P_CLI request_size=1 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
run_test "Small client packet TLS 1.2 AEAD" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=1 force_version=tls1_2 \
|
||||
|
@ -5708,24 +5596,6 @@ run_test "Small client packet DTLS 1.2, without EtM" \
|
|||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small client packet DTLS 1.2, truncated hmac" \
|
||||
"$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \
|
||||
"$P_CLI dtls=1 request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \
|
||||
"$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
|
||||
"$P_CLI dtls=1 request_size=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
|
||||
0 \
|
||||
-s "Read from client: 1 bytes read"
|
||||
|
||||
# Tests for small server packets
|
||||
|
||||
run_test "Small server packet TLS 1.2 BlockCipher" \
|
||||
|
@ -5749,22 +5619,6 @@ run_test "Small server packet TLS 1.2 BlockCipher larger MAC" \
|
|||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small server packet TLS 1.2 BlockCipher, truncated MAC" \
|
||||
"$P_SRV response_size=1 trunc_hmac=1" \
|
||||
"$P_CLI force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
"$P_SRV response_size=1 trunc_hmac=1" \
|
||||
"$P_CLI force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
run_test "Small server packet TLS 1.2 AEAD" \
|
||||
"$P_SRV response_size=1" \
|
||||
"$P_CLI force_version=tls1_2 \
|
||||
|
@ -5797,24 +5651,6 @@ run_test "Small server packet DTLS 1.2, without EtM" \
|
|||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small server packet DTLS 1.2, truncated hmac" \
|
||||
"$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1" \
|
||||
"$P_CLI dtls=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Small server packet DTLS 1.2, without EtM, truncated MAC" \
|
||||
"$P_SRV dtls=1 response_size=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \
|
||||
"$P_CLI dtls=1 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\
|
||||
0 \
|
||||
-c "Read from server: 1 bytes read"
|
||||
|
||||
# Test for large client packets
|
||||
|
||||
# How many fragments do we expect to write $1 bytes?
|
||||
|
@ -5845,23 +5681,6 @@ run_test "Large client packet TLS 1.2 BlockCipher larger MAC" \
|
|||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large client packet TLS 1.2 BlockCipher, truncated MAC" \
|
||||
"$P_SRV trunc_hmac=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \
|
||||
0 \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large client packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
"$P_SRV trunc_hmac=1" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \
|
||||
0 \
|
||||
-c "16384 bytes written in $(fragments_for_write 16384) fragments" \
|
||||
-s "Read from client: $MAX_CONTENT_LEN bytes read"
|
||||
|
||||
run_test "Large client packet TLS 1.2 AEAD" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI request_size=16384 force_version=tls1_2 \
|
||||
|
@ -5900,15 +5719,6 @@ run_test "Large server packet TLS 1.2 BlockCipher larger MAC" \
|
|||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC
|
||||
run_test "Large server packet TLS 1.2 BlockCipher truncated MAC" \
|
||||
"$P_SRV response_size=16384" \
|
||||
"$P_CLI force_version=tls1_2 \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \
|
||||
trunc_hmac=1" \
|
||||
0 \
|
||||
-c "Read from server: 16384 bytes read"
|
||||
|
||||
run_test "Large server packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \
|
||||
"$P_SRV response_size=16384 trunc_hmac=1" \
|
||||
"$P_CLI force_version=tls1_2 \
|
||||
|
|
|
@ -1508,9 +1508,6 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
|
|||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
session->mfl_code = 1;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
session->trunc_hmac = 1;
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
session->encrypt_then_mac = 1;
|
||||
#endif
|
||||
|
@ -4082,10 +4079,6 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
|||
TEST_ASSERT( original.mfl_code == restored.mfl_code );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
TEST_ASSERT( original.trunc_hmac == restored.trunc_hmac );
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
TEST_ASSERT( original.encrypt_then_mac == restored.encrypt_then_mac );
|
||||
#endif
|
||||
|
|
Loading…
Reference in a new issue