From c32e2b0921dafb07412628ca1460a2a5999608a1 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 13 May 2021 17:03:47 +0100 Subject: [PATCH 01/59] Removal and modification of tests Changes for tests involving mbedtls_rsa_pkcs1_encrypt. Removal of test in test_suite_rsa.function where invalid mode is used. Also modification of other tests to use the constant MBEDTLS_RSA_PUBLIC instead of the mode variable. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 1182cc6e6..1eca3148a 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -103,22 +103,17 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_encrypt( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - invalid_mode, - sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, sizeof( buf ), buf, NULL ) ); From 2177277ddab7896b295205ed5d5e15180b6aca08 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 13 May 2021 17:30:32 +0100 Subject: [PATCH 02/59] Removes mode param from mbedtls_rsa_pkcs1_encrypt Removal of the mode parameter from mbedtls_rsa_pkcs1_encrypt function. This change is propagated throughout the codebase and to relevant tests. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 17 +++-------------- library/pk_wrap.c | 2 +- library/psa_crypto.c | 1 - library/rsa.c | 16 ++++++++-------- programs/pkey/rsa_encrypt.c | 3 +-- tests/suites/test_suite_pkcs1_v15.function | 4 ++-- tests/suites/test_suite_pkcs1_v21.function | 4 ++-- tests/suites/test_suite_rsa.function | 11 ++++------- 8 files changed, 21 insertions(+), 37 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index a54ac4dd0..943321544 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -571,12 +571,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * operation. * * It is the generic wrapper for performing a PKCS#1 encryption - * operation using the \p mode from the context. - * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PUBLIC. + * operation. * * \note Alternative implementations of RSA need not support * mode being set to #MBEDTLS_RSA_PRIVATE and might instead @@ -584,16 +579,10 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * * \param ctx The initialized RSA context to use. * \param f_rng The RNG to use. It is mandatory for PKCS#1 v2.1 padding - * encoding, and for PKCS#1 v1.5 padding encoding when used - * with \p mode set to #MBEDTLS_RSA_PUBLIC. For PKCS#1 v1.5 - * padding encoding and \p mode set to #MBEDTLS_RSA_PRIVATE, - * it is used for blinding and should be provided in this - * case; see mbedtls_rsa_private() for more. + * encoding, and for PKCS#1 v1.5 padding encoding. * \param p_rng The RNG context to be passed to \p f_rng. May be * \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't * need a context argument. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param ilen The length of the plaintext in Bytes. * \param input The input data to encrypt. This must be a readable * buffer of size \p ilen Bytes. It may be \c NULL if @@ -608,7 +597,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, size_t ilen, + size_t ilen, const unsigned char *input, unsigned char *output ); diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 8e4f25123..e1ad50795 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -149,7 +149,7 @@ static int rsa_encrypt_wrap( void *ctx, if( *olen > osize ) return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE ); - return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, MBEDTLS_RSA_PUBLIC, + return( mbedtls_rsa_pkcs1_encrypt( rsa, f_rng, p_rng, ilen, input, output ) ); } diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 64ead5b6e..c4354d758 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3064,7 +3064,6 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, mbedtls_rsa_pkcs1_encrypt( rsa, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, - MBEDTLS_RSA_PUBLIC, input_length, input, output ) ); diff --git a/library/rsa.c b/library/rsa.c index 6761fbdb7..5ecc77835 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1317,13 +1317,11 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, size_t ilen, + size_t ilen, const unsigned char *input, unsigned char *output ) { RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( output != NULL ); RSA_VALIDATE_RET( ilen == 0 || input != NULL ); @@ -1331,14 +1329,16 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, mode, ilen, - input, output ); + return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, + MBEDTLS_RSA_PUBLIC, ilen, + input, output ); #endif #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, mode, NULL, 0, - ilen, input, output ); + return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, + MBEDTLS_RSA_PUBLIC, NULL, 0, + ilen, input, output ); #endif default: @@ -2691,7 +2691,7 @@ int mbedtls_rsa_self_test( int verbose ) memcpy( rsa_plaintext, RSA_PT, PT_LEN ); - if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, MBEDTLS_RSA_PUBLIC, + if( mbedtls_rsa_pkcs1_encrypt( &rsa, myrand, NULL, PT_LEN, rsa_plaintext, rsa_ciphertext ) != 0 ) { diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index ba0120172..6c654ad18 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -143,8 +143,7 @@ int main( int argc, char *argv[] ) fflush( stdout ); ret = mbedtls_rsa_pkcs1_encrypt( &rsa, mbedtls_ctr_drbg_random, - &ctr_drbg, MBEDTLS_RSA_PUBLIC, - strlen( argv[1] ), input, buf ); + &ctr_drbg, strlen( argv[1] ), input, buf ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_encrypt returned %d\n\n", diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index b03bddac6..878c414ad 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -36,8 +36,8 @@ void pkcs1_rsaes_v15_encrypt( int mod, int radix_N, char * input_N, message_str->x = NULL; TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &mbedtls_test_rnd_buffer_rand, - &info, MBEDTLS_RSA_PUBLIC, - message_str->len, message_str->x, + &info, message_str->len, + message_str->x, output ) == result ); if( result == 0 ) diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index 2e7f3399d..623f7bc55 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -35,8 +35,8 @@ void pkcs1_rsaes_oaep_encrypt( int mod, data_t * input_N, data_t * input_E, message_str->x = NULL; TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &mbedtls_test_rnd_buffer_rand, - &info, MBEDTLS_RSA_PUBLIC, - message_str->len, message_str->x, + &info, message_str->len, + message_str->x, output ) == result ); if( result == 0 ) { diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 1eca3148a..c051ed350 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -103,17 +103,14 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_encrypt( NULL, NULL, NULL, - MBEDTLS_RSA_PUBLIC, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - MBEDTLS_RSA_PUBLIC, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_encrypt( &ctx, NULL, NULL, - MBEDTLS_RSA_PUBLIC, sizeof( buf ), buf, NULL ) ); @@ -703,8 +700,8 @@ void mbedtls_rsa_pkcs1_encrypt( data_t * message_str, int padding_mode, TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &mbedtls_test_rnd_pseudo_rand, - &rnd_info, MBEDTLS_RSA_PUBLIC, - message_str->len, message_str->x, + &rnd_info, message_str->len, + message_str->x, output ) == result ); if( result == 0 ) { @@ -743,8 +740,8 @@ void rsa_pkcs1_encrypt_bad_rng( data_t * message_str, int padding_mode, TEST_ASSERT( mbedtls_rsa_pkcs1_encrypt( &ctx, &mbedtls_test_rnd_zero_rand, - NULL, MBEDTLS_RSA_PUBLIC, - message_str->len, message_str->x, + NULL, message_str->len, + message_str->x, output ) == result ); if( result == 0 ) { From 69a8c3809e1a6b5fd2a234da2771a89210734180 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 13 May 2021 17:59:50 +0100 Subject: [PATCH 03/59] Removes and modifies tests Removal and modification of tests relating to mbedtls_rsa_rsaes_pkcs1_v15_encrypt. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 40 +++------------------------- 1 file changed, 3 insertions(+), 37 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index c051ed350..4a818c59a 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -117,25 +117,19 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_pkcs1_v15_encrypt( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, NULL, - invalid_mode, - sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, - NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, sizeof( buf ), buf, NULL ) ); @@ -605,34 +599,6 @@ void rsa_pkcs1_sign_raw( data_t * hash_result, TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, ctx.len, result_str->len ) == 0 ); -#if defined(MBEDTLS_PKCS1_V15) - /* For PKCS#1 v1.5, there is an alternative way to generate signatures */ - if( padding_mode == MBEDTLS_RSA_PKCS_V15 ) - { - int res; - memset( output, 0x00, sizeof( output) ); - - res = mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, - &mbedtls_test_rnd_pseudo_rand, &rnd_info, - MBEDTLS_RSA_PRIVATE, hash_result->len, - hash_result->x, output ); - -#if !defined(MBEDTLS_RSA_ALT) - TEST_ASSERT( res == 0 ); -#else - TEST_ASSERT( ( res == 0 ) || - ( res == MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED ) ); -#endif - - if( res == 0 ) - { - TEST_ASSERT( mbedtls_test_hexcmp( output, result_str->x, - ctx.len, - result_str->len ) == 0 ); - } - } -#endif /* MBEDTLS_PKCS1_V15 */ - exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q ); mbedtls_mpi_free( &E ); From 53e4ac64b7dd34e537ddf7b203629dd4cde89eda Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 13 May 2021 18:26:49 +0100 Subject: [PATCH 04/59] Removes mode param from mbedtls_rsa_rsaes_pkcs1_v15_encrypt Removal of mode parameter from mbedtls_rsa_rsaes_pkcs1_v15_encrypt. This commit propagates the change to all relevant function calls and tests. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 14 ++------ library/rsa.c | 54 ++++++++++------------------ tests/suites/test_suite_rsa.function | 18 ++++------ 3 files changed, 26 insertions(+), 60 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 943321544..47726ec72 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -605,25 +605,15 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, * \brief This function performs a PKCS#1 v1.5 encryption operation * (RSAES-PKCS1-v1_5-ENCRYPT). * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PUBLIC. - * * \note Alternative implementations of RSA need not support * mode being set to #MBEDTLS_RSA_PRIVATE and might instead * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function to use. It is needed for padding generation - * if \p mode is #MBEDTLS_RSA_PUBLIC. If \p mode is - * #MBEDTLS_RSA_PRIVATE (discouraged), it is used for - * blinding and should be provided; see mbedtls_rsa_private(). + * \param f_rng The RNG function to use. It is needed for padding generation. * \param p_rng The RNG context to be passed to \p f_rng. This may * be \c NULL if \p f_rng is \c NULL or if \p f_rng * doesn't need a context argument. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param ilen The length of the plaintext in Bytes. * \param input The input data to encrypt. This must be a readable * buffer of size \p ilen Bytes. It may be \c NULL if @@ -638,7 +628,7 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, size_t ilen, + size_t ilen, const unsigned char *input, unsigned char *output ); diff --git a/library/rsa.c b/library/rsa.c index 5ecc77835..6651c880a 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1244,8 +1244,7 @@ exit: */ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, - int mode, size_t ilen, + void *p_rng, size_t ilen, const unsigned char *input, unsigned char *output ) { @@ -1254,14 +1253,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, unsigned char *p = output; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( output != NULL ); RSA_VALIDATE_RET( ilen == 0 || input != NULL ); - if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - olen = ctx->len; /* first comparison checks for overflow */ @@ -1271,43 +1265,32 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, nb_pad = olen - 3 - ilen; *p++ = 0; - if( mode == MBEDTLS_RSA_PUBLIC ) + + if( f_rng == NULL ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + + *p++ = MBEDTLS_RSA_CRYPT; + + while( nb_pad-- > 0 ) { - if( f_rng == NULL ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + int rng_dl = 100; - *p++ = MBEDTLS_RSA_CRYPT; + do { + ret = f_rng( p_rng, p, 1 ); + } while( *p == 0 && --rng_dl && ret == 0 ); - while( nb_pad-- > 0 ) - { - int rng_dl = 100; + /* Check if RNG failed to generate data */ + if( rng_dl == 0 || ret != 0 ) + return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); - do { - ret = f_rng( p_rng, p, 1 ); - } while( *p == 0 && --rng_dl && ret == 0 ); - - /* Check if RNG failed to generate data */ - if( rng_dl == 0 || ret != 0 ) - return( MBEDTLS_ERROR_ADD( MBEDTLS_ERR_RSA_RNG_FAILED, ret ) ); - - p++; - } - } - else - { - *p++ = MBEDTLS_RSA_SIGN; - - while( nb_pad-- > 0 ) - *p++ = 0xFF; + p++; } *p++ = 0; if( ilen != 0 ) memcpy( p, input, ilen ); - return( ( mode == MBEDTLS_RSA_PUBLIC ) - ? mbedtls_rsa_public( ctx, output, output ) - : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); + return( mbedtls_rsa_public( ctx, output, output ) ); } #endif /* MBEDTLS_PKCS1_V15 */ @@ -1330,8 +1313,7 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: return mbedtls_rsa_rsaes_pkcs1_v15_encrypt( ctx, f_rng, p_rng, - MBEDTLS_RSA_PUBLIC, ilen, - input, output ); + ilen, input, output ); #endif #if defined(MBEDTLS_PKCS1_V21) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 4a818c59a..d3b65b205 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -116,22 +116,16 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_pkcs1_v15_encrypt( NULL, NULL, - NULL, - MBEDTLS_RSA_PUBLIC, - sizeof( buf ), buf, - buf ) ); + NULL, sizeof( buf ), + buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, - NULL, - MBEDTLS_RSA_PUBLIC, - sizeof( buf ), NULL, - buf ) ); + NULL, sizeof( buf ), + NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_pkcs1_v15_encrypt( &ctx, NULL, - NULL, - MBEDTLS_RSA_PUBLIC, - sizeof( buf ), buf, - NULL ) ); + NULL, sizeof( buf ), + buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( NULL, NULL, NULL, From 3c487f4b8eefc20e6bda94ed4fd5dd1603a4ba89 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 13 May 2021 18:45:01 +0100 Subject: [PATCH 05/59] Removes and modifies tests Removes and modifies tests for mbedtls_rsa_rsaes_oaep_encrypt. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index d3b65b205..6da946e0c 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -129,31 +129,25 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, buf, sizeof( buf ), sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - invalid_mode, - buf, sizeof( buf ), - sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, NULL, sizeof( buf ), sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, buf, sizeof( buf ), sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, buf, sizeof( buf ), sizeof( buf ), buf, NULL ) ); From 141700f0573fc2711709dfc05b97b1c44280545c Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 13 May 2021 19:06:10 +0100 Subject: [PATCH 06/59] Removes mode param from mbedtls_rsa_rsaes_oaep_encrypt Removes mode parameter from mbedtls_rsa_rsaes_oaep_encrypt and propagates changes throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 12 ------------ library/psa_crypto.c | 1 - library/rsa.c | 13 ++----------- tests/suites/test_suite_rsa.function | 4 ---- 4 files changed, 2 insertions(+), 28 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 47726ec72..c250525d7 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -639,22 +639,11 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, * \note The output buffer must be as large as the size * of ctx->N. For example, 128 Bytes if RSA-1024 is used. * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PUBLIC. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PRIVATE and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initnialized RSA context to use. * \param f_rng The RNG function to use. This is needed for padding * generation and must be provided. * \param p_rng The RNG context to be passed to \p f_rng. This may * be \c NULL if \p f_rng doesn't need a context argument. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param label The buffer holding the custom label to use. * This must be a readable buffer of length \p label_len * Bytes. It may be \c NULL if \p label_len is \c 0. @@ -673,7 +662,6 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c4354d758..098c4bba8 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3078,7 +3078,6 @@ psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key, mbedtls_rsa_rsaes_oaep_encrypt( rsa, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, - MBEDTLS_RSA_PUBLIC, salt, salt_length, input_length, input, diff --git a/library/rsa.c b/library/rsa.c index 6651c880a..86bd71d47 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1156,7 +1156,6 @@ exit: int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, const unsigned char *label, size_t label_len, size_t ilen, const unsigned char *input, @@ -1170,15 +1169,10 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, mbedtls_md_context_t md_ctx; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( output != NULL ); RSA_VALIDATE_RET( ilen == 0 || input != NULL ); RSA_VALIDATE_RET( label_len == 0 || label != NULL ); - if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1232,9 +1226,7 @@ exit: if( ret != 0 ) return( ret ); - return( ( mode == MBEDTLS_RSA_PUBLIC ) - ? mbedtls_rsa_public( ctx, output, output ) - : mbedtls_rsa_private( ctx, f_rng, p_rng, output, output ) ); + return( mbedtls_rsa_public( ctx, output, output ) ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -1318,8 +1310,7 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, - MBEDTLS_RSA_PUBLIC, NULL, 0, + return mbedtls_rsa_rsaes_oaep_encrypt( ctx, f_rng, p_rng, NULL, 0, ilen, input, output ); #endif diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 6da946e0c..1bf185002 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -129,25 +129,21 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( NULL, NULL, NULL, - MBEDTLS_RSA_PUBLIC, buf, sizeof( buf ), sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - MBEDTLS_RSA_PUBLIC, NULL, sizeof( buf ), sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - MBEDTLS_RSA_PUBLIC, buf, sizeof( buf ), sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsaes_oaep_encrypt( &ctx, NULL, NULL, - MBEDTLS_RSA_PUBLIC, buf, sizeof( buf ), sizeof( buf ), buf, NULL ) ); From 11425347f0b40e7ce2225789a8619352d95aacba Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 11:57:05 +0100 Subject: [PATCH 07/59] Modifies tests in rsa test suite Modification of tests in test_suite_rsa.function to adept them for the removal of the mode param from mbedtls_rsa_pkcs1_sign function. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 1bf185002..f8bf859bf 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -205,27 +205,22 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From fa1581ea03395212b9fef2b01ba957a0d26502ab Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 12:38:33 +0100 Subject: [PATCH 08/59] Modifies typedef of mbedtls_pk_rsa_alt_sign_func This commit modifies the typedef of mbedtls_pk_rsa_alt_sign_func and propagates the associated changes throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/pk.h | 2 +- library/pk_wrap.c | 2 +- tests/suites/test_suite_pk.function | 4 ++-- tests/suites/test_suite_x509write.function | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 093b3bc6d..25f02ff69 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -234,7 +234,7 @@ typedef int (*mbedtls_pk_rsa_alt_decrypt_func)( void *ctx, size_t *olen, size_t output_max_len ); typedef int (*mbedtls_pk_rsa_alt_sign_func)( void *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, + mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ); typedef size_t (*mbedtls_pk_rsa_alt_key_len_func)( void *ctx ); #endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */ diff --git a/library/pk_wrap.c b/library/pk_wrap.c index e1ad50795..ec07c6024 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -770,7 +770,7 @@ static int rsa_alt_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, if( *sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); - return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, + return( rsa_alt->sign_func( rsa_alt->key, f_rng, p_rng, md_alg, (unsigned int) hash_len, hash, sig ) ); } diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index b81bd7be4..27d73ff9a 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -70,13 +70,13 @@ int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen, } int mbedtls_rsa_sign_func( void *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, + mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { ((void) f_rng); ((void) p_rng); return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, - mbedtls_test_rnd_std_rand, NULL, mode, + mbedtls_test_rnd_std_rand, NULL, MBEDTLS_RSA_PRIVATE, md_alg, hashlen, hash, sig ) ); } size_t mbedtls_rsa_key_len_func( void *ctx ) diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 04ea69b1a..a36fa4376 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -16,10 +16,10 @@ int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen, } int mbedtls_rsa_sign_func( void *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, + mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { - return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, mode, + return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg, hashlen, hash, sig ) ); } size_t mbedtls_rsa_key_len_func( void *ctx ) From b9eaa7369ba7db91a1077634db3be1362ef6b361 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 15:42:16 +0100 Subject: [PATCH 09/59] Modifies tests in test suite RSA Modifies tests for mbedtls_rsa_rsassa_pkcs1_v15_sign function in test_suite_rsa.function Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index f8bf859bf..e70faac72 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -227,27 +227,22 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From 9a66d5c1817792e30d39911cd6781c21f8e0cc65 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 15:50:21 +0100 Subject: [PATCH 10/59] Modifies tests in RSA test suite Tests for mbedtls_rsa_rsassa_pss_sign in test_suite_rsa.function have been modified to allow for upcoming removal of mode param. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index e70faac72..7c7d8f9b6 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -249,27 +249,22 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From 140184d0293bf14e004c78f6cc722d563f9b0079 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 16:04:07 +0100 Subject: [PATCH 11/59] Removes mode param from mbedtls_rsa_pkcs1_sign Commit removes the mode parameter from mbedtls_rsa_pkcs1_sign and progagates the change to all relevant parts of the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 21 ++++----------------- library/pk_wrap.c | 5 +++-- library/psa_crypto_rsa.c | 1 - library/rsa.c | 13 +++++-------- programs/pkey/dh_server.c | 2 +- programs/pkey/rsa_sign.c | 2 +- tests/suites/test_suite_pk.function | 2 +- tests/suites/test_suite_pkcs1_v15.function | 4 ++-- tests/suites/test_suite_pkcs1_v21.function | 4 ++-- tests/suites/test_suite_rsa.function | 12 ++++-------- tests/suites/test_suite_x509write.function | 4 ++-- 11 files changed, 25 insertions(+), 45 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index c250525d7..96548bd4d 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -790,7 +790,7 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * a message digest using PKCS#1. * * It is the generic wrapper for performing a PKCS#1 - * signature using the \p mode from the context. + * signature. * * \note The \p sig buffer must be as large as the size * of \p ctx->N. For example, 128 Bytes if RSA-1024 is used. @@ -799,25 +799,13 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * mbedtls_rsa_rsassa_pss_sign() for details on * \p md_alg and \p hash_id. * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PRIVATE. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PUBLIC and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA context to use. * \param f_rng The RNG function to use. If the padding mode is PKCS#1 v2.1, - * this must be provided. If the padding mode is PKCS#1 v1.5 and - * \p mode is #MBEDTLS_RSA_PRIVATE, it is used for blinding - * and should be provided; see mbedtls_rsa_private() for more - * more. It is ignored otherwise. + * this must be provided. If the padding mode is PKCS#1 v1.5 + * it is used for blinding and should be provided; + * see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL * if \p f_rng is \c NULL or doesn't need a context argument. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -838,7 +826,6 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/pk_wrap.c b/library/pk_wrap.c index ec07c6024..9f4c187b0 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -120,8 +120,9 @@ static int rsa_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, *sig_len = mbedtls_rsa_get_len( rsa ); - return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, - md_alg, (unsigned int) hash_len, hash, sig ) ); + return( mbedtls_rsa_pkcs1_sign( rsa, f_rng, p_rng, + md_alg, (unsigned int) hash_len, + hash, sig ) ); } static int rsa_decrypt_wrap( void *ctx, diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 686f07d33..192f4a397 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -419,7 +419,6 @@ static psa_status_t rsa_sign_hash( ret = mbedtls_rsa_pkcs1_sign( rsa, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, - MBEDTLS_RSA_PRIVATE, md_alg, (unsigned int) hash_length, hash, diff --git a/library/rsa.c b/library/rsa.c index 86bd71d47..22880a23d 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2129,15 +2129,12 @@ cleanup: int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || hash != NULL ); @@ -2147,14 +2144,14 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, mode, md_alg, - hashlen, hash, sig ); + return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, + md_alg, hashlen, hash, sig ); #endif #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, - hashlen, hash, sig ); + return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, + md_alg, hashlen, hash, sig ); #endif default: @@ -2714,7 +2711,7 @@ int mbedtls_rsa_self_test( int verbose ) } if( mbedtls_rsa_pkcs1_sign( &rsa, myrand, NULL, - MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, + MBEDTLS_MD_SHA1, 0, sha1sum, rsa_ciphertext ) != 0 ) { if( verbose != 0 ) diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index dccf0951c..63df77ee0 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -229,7 +229,7 @@ int main( void ) buf[n ] = (unsigned char)( rsa.len >> 8 ); buf[n + 1] = (unsigned char)( rsa.len ); - if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA256, + if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256, 0, hash, buf + n + 2 ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_sign returned %d\n\n", ret ); diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index c9522c8c2..1cfa0a8dd 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -146,7 +146,7 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA256, + if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_MD_SHA256, 20, hash, buf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_sign returned -0x%0x\n\n", (unsigned int) -ret ); diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 27d73ff9a..0038a5863 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -76,7 +76,7 @@ int mbedtls_rsa_sign_func( void *ctx, ((void) f_rng); ((void) p_rng); return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, - mbedtls_test_rnd_std_rand, NULL, MBEDTLS_RSA_PRIVATE, + mbedtls_test_rnd_std_rand, NULL, md_alg, hashlen, hash, sig ) ); } size_t mbedtls_rsa_key_len_func( void *ctx ) diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 878c414ad..0c2547d2e 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -293,8 +293,8 @@ void pkcs1_rsassa_v15_sign( int mod, int radix_P, char * input_P, int radix_Q, TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_buffer_rand, - &info, MBEDTLS_RSA_PRIVATE, digest, - 0, hash_result, output ) == result ); + &info, digest, 0, hash_result, + output ) == result ); if( result == 0 ) { diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index 623f7bc55..e64f22290 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -148,8 +148,8 @@ void pkcs1_rsassa_pss_sign( int mod, data_t * input_P, data_t * input_Q, if (fixed_salt_length == MBEDTLS_RSA_SALT_LEN_ANY) { TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_buffer_rand, - &info, MBEDTLS_RSA_PRIVATE, digest, 0, - hash_result, output ) == result ); + &info, digest, 0,hash_result, + output ) == result ); if( result == 0 ) { ASSERT_COMPARE( output, ctx.len, result_str->x, result_str->len ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 7c7d8f9b6..e4f962562 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -205,22 +205,18 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( NULL, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); @@ -479,8 +475,8 @@ void mbedtls_rsa_pkcs1_sign( data_t * message_str, int padding_mode, TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_pseudo_rand, - &rnd_info, MBEDTLS_RSA_PRIVATE, digest, - 0, hash_result, output ) == result ); + &rnd_info, digest, 0, hash_result, + output ) == result ); if( result == 0 ) { @@ -560,8 +556,8 @@ void rsa_pkcs1_sign_raw( data_t * hash_result, TEST_ASSERT( mbedtls_rsa_pkcs1_sign( &ctx, &mbedtls_test_rnd_pseudo_rand, - &rnd_info, MBEDTLS_RSA_PRIVATE, - MBEDTLS_MD_NONE, hash_result->len, + &rnd_info, MBEDTLS_MD_NONE, + hash_result->len, hash_result->x, output ) == 0 ); diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index a36fa4376..44f846fd3 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -19,8 +19,8 @@ int mbedtls_rsa_sign_func( void *ctx, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { - return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, - md_alg, hashlen, hash, sig ) ); + return( mbedtls_rsa_pkcs1_sign( (mbedtls_rsa_context *) ctx, f_rng, p_rng, + md_alg, hashlen, hash, sig ) ); } size_t mbedtls_rsa_key_len_func( void *ctx ) { From 526549854c79c721d4eefcece6756102f125a6bb Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 16:54:00 +0100 Subject: [PATCH 12/59] Removes mode param from mbedtls_rsa_rsassa_pkcs1_v15_sign Commit removes the mode parameter from mbedtls_rsa_rsassa_pkcs1_v15_sign and propagates the change throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 18 ++---------------- library/rsa.c | 18 +----------------- tests/suites/test_suite_rsa.function | 4 ---- 3 files changed, 3 insertions(+), 37 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 96548bd4d..e7ab073b0 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -835,24 +835,11 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * \brief This function performs a PKCS#1 v1.5 signature * operation (RSASSA-PKCS1-v1_5-SIGN). * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PRIVATE. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PUBLIC and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. If \p mode is #MBEDTLS_RSA_PRIVATE, - * this is used for blinding and should be provided; see - * mbedtls_rsa_private() for more. If \p mode is - * #MBEDTLS_RSA_PUBLIC, it is ignored. + * \param f_rng The RNG function. This is used for blinding and should be + * provided; see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL * if \p f_rng is \c NULL or doesn't need a context argument. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -873,7 +860,6 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/rsa.c b/library/rsa.c index 22880a23d..8129429b9 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2049,7 +2049,6 @@ static int rsa_rsassa_pkcs1_v15_encode( mbedtls_md_type_t md_alg, int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, @@ -2059,16 +2058,11 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, unsigned char *sig_try = NULL, *verif = NULL; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || hash != NULL ); RSA_VALIDATE_RET( sig != NULL ); - if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - /* * Prepare PKCS1-v1.5 encoding (padding and hash identifier) */ @@ -2077,16 +2071,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, ctx->len, sig ) ) != 0 ) return( ret ); - /* - * Call respective RSA primitive - */ - - if( mode == MBEDTLS_RSA_PUBLIC ) - { - /* Skip verification on a public key operation */ - return( mbedtls_rsa_public( ctx, sig, sig ) ); - } - /* Private key operation * * In order to prevent Lenstra's attack, make the signature in a @@ -2144,7 +2128,7 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, + return mbedtls_rsa_rsassa_pkcs1_v15_sign( ctx, f_rng, p_rng, md_alg, hashlen, hash, sig ); #endif diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index e4f962562..440c57174 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -223,22 +223,18 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( NULL, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From de9fdc4b12c2f83a32c3bc5e16148970d37c303a Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 17:10:04 +0100 Subject: [PATCH 13/59] Removes mode param from mbedtls_rsa_rsassa_pss_sign Commit removes the mode param from mbedtls_rsa_rsassa_pss_sign and propagates the changes throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 12 ------------ library/psa_crypto_rsa.c | 1 - library/rsa.c | 7 +++---- tests/suites/test_suite_rsa.function | 4 ---- 4 files changed, 3 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index e7ab073b0..103d6915f 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -939,21 +939,10 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, * the key size in bytes), this function returns * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PUBLIC mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PRIVATE. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PUBLIC and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA context to use. * \param f_rng The RNG function. It must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL * if \p f_rng doesn't need a context argument. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PRIVATE or #MBEDTLS_RSA_PUBLIC (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -974,7 +963,6 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 192f4a397..4f4159654 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -433,7 +433,6 @@ static psa_status_t rsa_sign_hash( ret = mbedtls_rsa_rsassa_pss_sign( rsa, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, - MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_NONE, (unsigned int) hash_length, hash, diff --git a/library/rsa.c b/library/rsa.c index 8129429b9..b241b8fee 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1897,13 +1897,12 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, unsigned char *sig ) { - return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, mode, md_alg, + return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg, hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -2134,8 +2133,8 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, - md_alg, hashlen, hash, sig ); + return mbedtls_rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg, + hashlen, hash, sig ); #endif default: diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 440c57174..814385baa 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -241,22 +241,18 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( NULL, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_sign( &ctx, NULL, NULL, - MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From 28b55850bdf836d83fe240a455c819a7f3bd7174 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 18:30:00 +0100 Subject: [PATCH 14/59] Modifies tests for verify functions Relevant tests have been modified and in some cases removed in preparation for removal of mode parameter from verify functions. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 55 ++++++++-------------------- 1 file changed, 16 insertions(+), 39 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 814385baa..96a8cbf02 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -281,118 +281,95 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), buf, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, - NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), - buf, buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( NULL, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, - invalid_mode, - 0, sizeof( buf ), - buf, - 0, 0, - buf ) ); - TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, - valid_mode, + MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, 0, 0, From ac1331211e9f9c9d371a8e327c2fc8a95e90b239 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 19:26:39 +0100 Subject: [PATCH 15/59] Removes f_rng parameter from mbedtls_rsa_pkcs1_verify Commit removes f_rng parameter from mbedtls_rsa_pkcs1_verify as a prerequisite to removing the mode parameter. f_rng no longer has relevance in this function if mode is removed. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 4 ---- library/pk_wrap.c | 2 +- library/psa_crypto_rsa.c | 1 - library/rsa.c | 7 +++---- programs/pkey/dh_client.c | 2 +- programs/pkey/rsa_verify.c | 2 +- tests/suites/test_suite_pkcs1_v15.function | 2 +- tests/suites/test_suite_pkcs1_v21.function | 4 ++-- tests/suites/test_suite_rsa.function | 12 ++++++------ 9 files changed, 15 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 103d6915f..f4e7d965f 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -989,9 +989,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. * * \param ctx The initialized RSA public key context to use. - * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, - * this is used for blinding and should be provided; see - * mbedtls_rsa_private() for more. Otherwise, it is ignored. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL if \p f_rng is \c NULL or doesn't need a context. * \param mode The mode of operation. This must be either @@ -1013,7 +1010,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 9f4c187b0..fbcfdb157 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -90,7 +90,7 @@ static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, if( sig_len < rsa_len ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, NULL, + if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, MBEDTLS_RSA_PUBLIC, md_alg, (unsigned int) hash_len, hash, sig ) ) != 0 ) return( ret ); diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 4f4159654..1ab57c61a 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -490,7 +490,6 @@ static psa_status_t rsa_verify_hash( mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); ret = mbedtls_rsa_pkcs1_verify( rsa, - mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE, MBEDTLS_RSA_PUBLIC, md_alg, diff --git a/library/rsa.c b/library/rsa.c index b241b8fee..7545a799a 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2414,7 +2414,6 @@ cleanup: * Do an RSA operation and check the message digest */ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, int mode, mbedtls_md_type_t md_alg, @@ -2434,13 +2433,13 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, f_rng, p_rng, mode, md_alg, + return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, p_rng, mode, md_alg, hashlen, hash, sig ); #endif #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_verify( ctx, f_rng, p_rng, mode, md_alg, + return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, p_rng, mode, md_alg, hashlen, hash, sig ); #endif @@ -2707,7 +2706,7 @@ int mbedtls_rsa_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); - if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, + if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, sha1sum, rsa_ciphertext ) != 0 ) { diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index d6e4990a9..eb21566f6 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -220,7 +220,7 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, + if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 0, hash, p ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret ); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index fbc0779b2..60e1377bc 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -140,7 +140,7 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, NULL, MBEDTLS_RSA_PUBLIC, + if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 20, hash, buf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n", (unsigned int) -ret ); diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 0c2547d2e..83604285c 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -334,7 +334,7 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index e64f22290..f291a5fbb 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -199,7 +199,7 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); @@ -244,7 +244,7 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, hash_len = message_str->len; } - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, msg_digest_id, hash_len, hash_result, result_str->x ) == result_simple ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 96a8cbf02..873ce8a47 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -280,22 +280,22 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( NULL, NULL, NULL, + mbedtls_rsa_pkcs1_verify( NULL, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, + mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, + mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, + mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); @@ -485,7 +485,7 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); @@ -564,7 +564,7 @@ void rsa_pkcs1_verify_raw( data_t * hash_result, TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); From 613d1a4fb7ce0a4c172b5f30e0b1220594ca0a9b Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 19:34:03 +0100 Subject: [PATCH 16/59] Removes p_rng param from mbedtls_rsa_pkcs1_verify Commit removes p_rng from mbedtls_rsa_pkcs1_verify since p_rng has no relevance following the removal of f_rng from this function. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 3 --- library/pk_wrap.c | 6 +++--- library/psa_crypto_rsa.c | 1 - library/rsa.c | 7 +++---- programs/pkey/dh_client.c | 2 +- programs/pkey/rsa_verify.c | 2 +- tests/suites/test_suite_pkcs1_v15.function | 2 +- tests/suites/test_suite_pkcs1_v21.function | 4 ++-- tests/suites/test_suite_rsa.function | 12 ++++++------ 9 files changed, 17 insertions(+), 22 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index f4e7d965f..b41af89a2 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -989,8 +989,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. * * \param ctx The initialized RSA public key context to use. - * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. @@ -1010,7 +1008,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/pk_wrap.c b/library/pk_wrap.c index fbcfdb157..b536b6615 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -90,9 +90,9 @@ static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, if( sig_len < rsa_len ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, NULL, - MBEDTLS_RSA_PUBLIC, md_alg, - (unsigned int) hash_len, hash, sig ) ) != 0 ) + if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, MBEDTLS_RSA_PUBLIC, + md_alg, (unsigned int) hash_len, + hash, sig ) ) != 0 ) return( ret ); /* The buffer contains a valid signature followed by extra data. diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 1ab57c61a..25157d261 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -490,7 +490,6 @@ static psa_status_t rsa_verify_hash( mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); ret = mbedtls_rsa_pkcs1_verify( rsa, - MBEDTLS_PSA_RANDOM_STATE, MBEDTLS_RSA_PUBLIC, md_alg, (unsigned int) hash_length, diff --git a/library/rsa.c b/library/rsa.c index 7545a799a..ba164ffa9 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2414,7 +2414,6 @@ cleanup: * Do an RSA operation and check the message digest */ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2433,13 +2432,13 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, p_rng, mode, md_alg, + return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, NULL, mode, md_alg, hashlen, hash, sig ); #endif #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, p_rng, mode, md_alg, + return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, NULL, mode, md_alg, hashlen, hash, sig ); #endif @@ -2706,7 +2705,7 @@ int mbedtls_rsa_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); - if( mbedtls_rsa_pkcs1_verify( &rsa, NULL, + if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, sha1sum, rsa_ciphertext ) != 0 ) { diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index eb21566f6..bdbabb620 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -220,7 +220,7 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, MBEDTLS_RSA_PUBLIC, + if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 0, hash, p ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret ); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 60e1377bc..8f207c78b 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -140,7 +140,7 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, NULL, MBEDTLS_RSA_PUBLIC, + if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA256, 20, hash, buf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n", (unsigned int) -ret ); diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 83604285c..2e22bdd33 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -334,7 +334,7 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index f291a5fbb..ad8f319e4 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -199,7 +199,7 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); @@ -244,7 +244,7 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, hash_len = message_str->len; } - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, msg_digest_id, hash_len, hash_result, result_str->x ) == result_simple ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 873ce8a47..764d21a95 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -280,22 +280,22 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( NULL, NULL, + mbedtls_rsa_pkcs1_verify( NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, + mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, + mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_pkcs1_verify( &ctx, NULL, + mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); @@ -485,7 +485,7 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); @@ -564,7 +564,7 @@ void rsa_pkcs1_verify_raw( data_t * hash_result, TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); From 68d9cbca97aa9aaf495318904096f8a2a15e90cd Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 18 May 2021 18:45:09 +0100 Subject: [PATCH 17/59] Removes mode param from mbedtls_rsa_pkcs1_verify Commit removes mode parameter from mbedtls_rsa_pkcs1_verify and propagates the change throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 14 +------------- library/pk_wrap.c | 4 ++-- library/psa_crypto_rsa.c | 1 - library/rsa.c | 10 +++------- programs/pkey/dh_client.c | 4 ++-- programs/pkey/rsa_verify.c | 4 ++-- tests/suites/test_suite_pkcs1_v15.function | 2 +- tests/suites/test_suite_pkcs1_v21.function | 8 ++++---- tests/suites/test_suite_rsa.function | 8 ++------ 9 files changed, 17 insertions(+), 38 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index b41af89a2..f1696c2eb 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -973,24 +973,13 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * the message digest. * * This is the generic wrapper for performing a PKCS#1 - * verification using the mode from the context. + * verification. * * \note For PKCS#1 v2.1 encoding, see comments on * mbedtls_rsa_rsassa_pss_verify() about \p md_alg and * \p hash_id. * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * set to #MBEDTLS_RSA_PUBLIC. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PRIVATE and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA public key context to use. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -1008,7 +997,6 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/pk_wrap.c b/library/pk_wrap.c index b536b6615..c351113e0 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -90,8 +90,8 @@ static int rsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg, if( sig_len < rsa_len ) return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); - if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, MBEDTLS_RSA_PUBLIC, - md_alg, (unsigned int) hash_len, + if( ( ret = mbedtls_rsa_pkcs1_verify( rsa, md_alg, + (unsigned int) hash_len, hash, sig ) ) != 0 ) return( ret ); diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 25157d261..11c9ab29c 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -490,7 +490,6 @@ static psa_status_t rsa_verify_hash( mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V15, MBEDTLS_MD_NONE ); ret = mbedtls_rsa_pkcs1_verify( rsa, - MBEDTLS_RSA_PUBLIC, md_alg, (unsigned int) hash_length, hash, diff --git a/library/rsa.c b/library/rsa.c index ba164ffa9..4619f0207 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2414,15 +2414,12 @@ cleanup: * Do an RSA operation and check the message digest */ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, const unsigned char *sig ) { RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( sig != NULL ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || @@ -2432,13 +2429,13 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, NULL, mode, md_alg, + return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, sig ); #endif #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, NULL, mode, md_alg, + return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, sig ); #endif @@ -2705,8 +2702,7 @@ int mbedtls_rsa_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n PKCS#1 sig. verify: " ); - if( mbedtls_rsa_pkcs1_verify( &rsa, - MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, + if( mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA1, 0, sha1sum, rsa_ciphertext ) != 0 ) { if( verbose != 0 ) diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index bdbabb620..c6b313200 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -220,8 +220,8 @@ int main( void ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_RSA_PUBLIC, - MBEDTLS_MD_SHA256, 0, hash, p ) ) != 0 ) + if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256, + 0, hash, p ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned %d\n\n", ret ); goto exit; diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index 8f207c78b..6aca17134 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -140,8 +140,8 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_RSA_PUBLIC, - MBEDTLS_MD_SHA256, 20, hash, buf ) ) != 0 ) + if( ( ret = mbedtls_rsa_pkcs1_verify( &rsa, MBEDTLS_MD_SHA256, + 20, hash, buf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_rsa_pkcs1_verify returned -0x%0x\n\n", (unsigned int) -ret ); goto exit; diff --git a/tests/suites/test_suite_pkcs1_v15.function b/tests/suites/test_suite_pkcs1_v15.function index 2e22bdd33..d1c0fc129 100644 --- a/tests/suites/test_suite_pkcs1_v15.function +++ b/tests/suites/test_suite_pkcs1_v15.function @@ -334,7 +334,7 @@ void pkcs1_rsassa_v15_verify( int mod, int radix_N, char * input_N, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index ad8f319e4..0983a4232 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -199,7 +199,7 @@ void pkcs1_rsassa_pss_verify( int mod, data_t * input_N, data_t * input_E, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); @@ -244,9 +244,9 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, hash_len = message_str->len; } - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, - msg_digest_id, hash_len, hash_result, - result_str->x ) == result_simple ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, msg_digest_id, + hash_len, hash_result, + result_str->x ) == result_simple ); TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, msg_digest_id, hash_len, hash_result, diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 764d21a95..112c4fc7b 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -281,22 +281,18 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( NULL, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_pkcs1_verify( &ctx, - MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); @@ -485,7 +481,7 @@ void mbedtls_rsa_pkcs1_verify( data_t * message_str, int padding_mode, if( mbedtls_md_info_from_type( digest ) != NULL ) TEST_ASSERT( mbedtls_md( mbedtls_md_info_from_type( digest ), message_str->x, message_str->len, hash_result ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, digest, 0, hash_result, result_str->x ) == result ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, digest, 0, hash_result, result_str->x ) == result ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); @@ -564,7 +560,7 @@ void rsa_pkcs1_verify_raw( data_t * hash_result, TEST_ASSERT( mbedtls_rsa_check_pubkey( &ctx ) == 0 ); - TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct ); + TEST_ASSERT( mbedtls_rsa_pkcs1_verify( &ctx, MBEDTLS_MD_NONE, hash_result->len, hash_result->x, result_str->x ) == correct ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); From cbc088f5d0c522ecf3fb6b9cab370ee7e3bef42c Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 11:39:58 +0100 Subject: [PATCH 18/59] Removes p_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify Commit removes p_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify function in preparation of removal of mode parameter. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 3 --- library/rsa.c | 5 ++--- tests/suites/test_suite_rsa.function | 4 ---- 3 files changed, 2 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index f1696c2eb..37fddddee 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1019,8 +1019,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, * this is used for blinding and should be provided; see * mbedtls_rsa_private() for more. Otherwise, it is ignored. - * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. @@ -1041,7 +1039,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, */ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/rsa.c b/library/rsa.c index 4619f0207..9e2d054b8 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2332,7 +2332,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, */ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2377,7 +2376,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, ret = ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, encoded ) - : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, encoded ); + : mbedtls_rsa_private( ctx, f_rng, NULL, sig, encoded ); if( ret != 0 ) goto cleanup; @@ -2429,7 +2428,7 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, md_alg, + return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, sig ); #endif diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 112c4fc7b..a529c55ce 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -298,25 +298,21 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, NULL, - NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, - NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, - NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, - NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, From 475053df2c9188ae8ead34de32e620451d4e8d07 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 11:44:27 +0100 Subject: [PATCH 19/59] Removes f_rng from mbedtls_rsa_rsassa_pkcs1_v15_verify Commit performs removal of f_rng parameter from mbedtls_rsa_rsassa_pkcs1_v15_verify function in preparation for removal of mode parameter. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 4 ---- library/rsa.c | 5 ++--- tests/suites/test_suite_rsa.function | 8 ++++---- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 37fddddee..6a0309af0 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1016,9 +1016,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. * * \param ctx The initialized RSA public key context to use. - * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, - * this is used for blinding and should be provided; see - * mbedtls_rsa_private() for more. Otherwise, it is ignored. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. @@ -1038,7 +1035,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/rsa.c b/library/rsa.c index 9e2d054b8..4d569704a 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2331,7 +2331,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function */ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2376,7 +2375,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, ret = ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, encoded ) - : mbedtls_rsa_private( ctx, f_rng, NULL, sig, encoded ); + : mbedtls_rsa_private( ctx, NULL, NULL, sig, encoded ); if( ret != 0 ) goto cleanup; @@ -2428,7 +2427,7 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, NULL, MBEDTLS_RSA_PUBLIC, md_alg, + return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, sig ); #endif diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index a529c55ce..8f952b38f 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -297,22 +297,22 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, NULL, + mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, + mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, + mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, NULL, + mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, From 2e1262517cb7e11e508c5cf20b49dfd399d77410 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 11:48:53 +0100 Subject: [PATCH 20/59] Removes mode parameter from mbedtls_rsa_rsassa_pkcs1_v15_verify Commit removes mode parameter from mbedtls_rsa_rsassa_pkcs1_v15_verify and propagates the change throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 12 ------------ library/rsa.c | 14 +++----------- tests/suites/test_suite_rsa.function | 4 ---- 3 files changed, 3 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 6a0309af0..869bfd923 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1006,18 +1006,7 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * \brief This function performs a PKCS#1 v1.5 verification * operation (RSASSA-PKCS1-v1_5-VERIFY). * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * set to #MBEDTLS_RSA_PUBLIC. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PRIVATE and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA public key context to use. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -1035,7 +1024,6 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/rsa.c b/library/rsa.c index 4d569704a..bdb2b7ef3 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2331,7 +2331,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * Implementation of the PKCS#1 v2.1 RSASSA-PKCS1-v1_5-VERIFY function */ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, @@ -2342,8 +2341,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, unsigned char *encoded = NULL, *encoded_expected = NULL; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( sig != NULL ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || @@ -2351,9 +2348,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, sig_len = ctx->len; - if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V15 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - /* * Prepare expected PKCS1 v1.5 encoding of hash. */ @@ -2373,9 +2367,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * Apply RSA primitive to get what should be PKCS1 encoded hash. */ - ret = ( mode == MBEDTLS_RSA_PUBLIC ) - ? mbedtls_rsa_public( ctx, sig, encoded ) - : mbedtls_rsa_private( ctx, NULL, NULL, sig, encoded ); + ret = mbedtls_rsa_public( ctx, sig, encoded ); if( ret != 0 ) goto cleanup; @@ -2427,8 +2419,8 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, { #if defined(MBEDTLS_PKCS1_V15) case MBEDTLS_RSA_PKCS_V15: - return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, MBEDTLS_RSA_PUBLIC, md_alg, - hashlen, hash, sig ); + return mbedtls_rsa_rsassa_pkcs1_v15_verify( ctx, md_alg, + hashlen, hash, sig ); #endif #if defined(MBEDTLS_PKCS1_V21) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 8f952b38f..f6aaa7a02 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -298,22 +298,18 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( NULL, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pkcs1_v15_verify( &ctx, - MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From 08f4c9c571685bd44dfd5ad5c6a916e2589cedfc Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 11:56:02 +0100 Subject: [PATCH 21/59] Removes p_rng param from mbedtls_rsa_rsassa_pss_verify Commit removes p_rng parameter from mbedtls_rsa_rsassa_pss_verify function as preparation for removing the mode parameter. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 3 --- library/psa_crypto_rsa.c | 1 - library/rsa.c | 5 ++--- tests/suites/test_suite_rsa.function | 8 ++++---- 4 files changed, 6 insertions(+), 11 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 869bfd923..a89c1f59b 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1057,8 +1057,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, * this is used for blinding and should be provided; see * mbedtls_rsa_private() for more. Otherwise, it is ignored. - * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. @@ -1079,7 +1077,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, */ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 11c9ab29c..464e027d7 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -503,7 +503,6 @@ static psa_status_t rsa_verify_hash( mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); ret = mbedtls_rsa_rsassa_pss_verify( rsa, mbedtls_psa_get_random, - MBEDTLS_PSA_RANDOM_STATE, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, (unsigned int) hash_length, diff --git a/library/rsa.c b/library/rsa.c index bdb2b7ef3..333747e49 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2298,7 +2298,6 @@ exit: */ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2318,7 +2317,7 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, ? (mbedtls_md_type_t) ctx->hash_id : md_alg; - return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, p_rng, mode, + return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, NULL, mode, md_alg, hashlen, hash, mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, sig ) ); @@ -2425,7 +2424,7 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, md_alg, + return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, sig ); #endif diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index f6aaa7a02..41cef9383 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -315,22 +315,22 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( NULL, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify( NULL, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, From 718a53db2c5bf4d615ce8e73aed3ba68fb1a8b9e Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 12:01:35 +0100 Subject: [PATCH 22/59] Removed f_rng param from mbedtls_rsa_rsassa_pss_verify Commit removes f_rng parameter from mbedtls_rsa_rsassa_pss_verify function in preparation of mode parameter removal. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 4 ---- library/psa_crypto_rsa.c | 1 - library/rsa.c | 5 ++--- tests/suites/test_suite_rsa.function | 8 ++++---- 4 files changed, 6 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index a89c1f59b..ab2d5a53b 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1054,9 +1054,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. * * \param ctx The initialized RSA public key context to use. - * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, - * this is used for blinding and should be provided; see - * mbedtls_rsa_private() for more. Otherwise, it is ignored. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. @@ -1076,7 +1073,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 464e027d7..410870390 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -502,7 +502,6 @@ static psa_status_t rsa_verify_hash( { mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); ret = mbedtls_rsa_rsassa_pss_verify( rsa, - mbedtls_psa_get_random, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, (unsigned int) hash_length, diff --git a/library/rsa.c b/library/rsa.c index 333747e49..99a56b799 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2297,7 +2297,6 @@ exit: * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function */ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2317,7 +2316,7 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, ? (mbedtls_md_type_t) ctx->hash_id : md_alg; - return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, f_rng, NULL, mode, + return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, NULL, NULL, mode, md_alg, hashlen, hash, mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, sig ) ); @@ -2424,7 +2423,7 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_verify( ctx, NULL, MBEDTLS_RSA_PUBLIC, md_alg, + return mbedtls_rsa_rsassa_pss_verify( ctx, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, sig ); #endif diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 41cef9383..b9d7b5900 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -315,22 +315,22 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( NULL, NULL, + mbedtls_rsa_rsassa_pss_verify( NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, + mbedtls_rsa_rsassa_pss_verify( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, + mbedtls_rsa_rsassa_pss_verify( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify( &ctx, NULL, + mbedtls_rsa_rsassa_pss_verify( &ctx, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, From 5ee4cc031c590df8fb4e5c36c2652af9d9d80e34 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 12:07:42 +0100 Subject: [PATCH 23/59] Removes mode param from mbedtls_rsa_rsassa_pss_verify Commit removes the mode parameter from the mbedtls_rsa_rsassa_pss_verify function and propagates the change throughout the process. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 12 ------------ library/psa_crypto_rsa.c | 1 - library/rsa.c | 17 ++++++++--------- tests/suites/test_suite_rsa.function | 4 ---- 4 files changed, 8 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index ab2d5a53b..0b53eb7a0 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1044,18 +1044,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * same. If \p hash_id in the RSA context is unset, * the \p md_alg from the function call is used. * - * \deprecated It is deprecated and discouraged to call this function - * in #MBEDTLS_RSA_PRIVATE mode. Future versions of the library - * are likely to remove the \p mode argument and have it - * implicitly set to #MBEDTLS_RSA_PUBLIC. - * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PRIVATE and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA public key context to use. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE (deprecated). * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -1073,7 +1062,6 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 410870390..10ce30e38 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -502,7 +502,6 @@ static psa_status_t rsa_verify_hash( { mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg ); ret = mbedtls_rsa_rsassa_pss_verify( rsa, - MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_NONE, (unsigned int) hash_length, hash, diff --git a/library/rsa.c b/library/rsa.c index 99a56b799..d3b4bf0fc 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2297,7 +2297,6 @@ exit: * Simplified PKCS#1 v2.1 RSASSA-PSS-VERIFY function */ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, @@ -2305,8 +2304,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, { mbedtls_md_type_t mgf1_hash_id; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( sig != NULL ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || @@ -2316,10 +2313,12 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, ? (mbedtls_md_type_t) ctx->hash_id : md_alg; - return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, NULL, NULL, mode, - md_alg, hashlen, hash, - mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, - sig ) ); + return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, NULL, NULL, + MBEDTLS_RSA_PUBLIC, + md_alg, hashlen, hash, + mgf1_hash_id, + MBEDTLS_RSA_SALT_LEN_ANY, + sig ) ); } #endif /* MBEDTLS_PKCS1_V21 */ @@ -2423,8 +2422,8 @@ int mbedtls_rsa_pkcs1_verify( mbedtls_rsa_context *ctx, #if defined(MBEDTLS_PKCS1_V21) case MBEDTLS_RSA_PKCS_V21: - return mbedtls_rsa_rsassa_pss_verify( ctx, MBEDTLS_RSA_PUBLIC, md_alg, - hashlen, hash, sig ); + return mbedtls_rsa_rsassa_pss_verify( ctx, md_alg, + hashlen, hash, sig ); #endif default: diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index b9d7b5900..847503681 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -316,22 +316,18 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( NULL, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify( &ctx, - MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, buf ) ); From 578e9abcbda986bcdc48fb76a010f12278a874b7 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 12:14:57 +0100 Subject: [PATCH 24/59] Removes p_rng param from mbedtls_rsa_rsassa_pss_verify_ext Commit removes p_rng parameter from the mbedtls_rsa_rsassa_pss_verify_ext function in preparation for removal of the mode parameter. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 3 --- library/pk.c | 2 +- library/rsa.c | 5 ++--- tests/suites/test_suite_pkcs1_v21.function | 2 +- tests/suites/test_suite_rsa.function | 8 ++++---- 5 files changed, 8 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 0b53eb7a0..0fde575f4 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1083,8 +1083,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, * this is used for blinding and should be provided; see * mbedtls_rsa_private() for more. Otherwise, it is ignored. - * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE. * \param md_alg The message-digest algorithm used to hash the original data. @@ -1108,7 +1106,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/pk.c b/library/pk.c index 6d296638d..e0dedecc3 100644 --- a/library/pk.c +++ b/library/pk.c @@ -367,7 +367,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ), - NULL, NULL, MBEDTLS_RSA_PUBLIC, + NULL, MBEDTLS_RSA_PUBLIC, md_alg, (unsigned int) hash_len, hash, pss_opts->mgf1_hash_id, pss_opts->expected_salt_len, diff --git a/library/rsa.c b/library/rsa.c index d3b4bf0fc..6b18fe7cf 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2148,7 +2148,6 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), - void *p_rng, int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2187,7 +2186,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, ret = ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, buf ) - : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, buf ); + : mbedtls_rsa_private( ctx, f_rng, NULL, sig, buf ); if( ret != 0 ) return( ret ); @@ -2313,7 +2312,7 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, ? (mbedtls_md_type_t) ctx->hash_id : md_alg; - return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, NULL, NULL, + return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, NULL, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, mgf1_hash_id, diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index 0983a4232..82f33d610 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -248,7 +248,7 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, hash_len, hash_result, result_str->x ) == result_simple ); - TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, MBEDTLS_RSA_PUBLIC, + TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, MBEDTLS_RSA_PUBLIC, msg_digest_id, hash_len, hash_result, mgf_hash, salt_len, result_str->x ) == result_full ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 847503681..05886ffba 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -333,26 +333,26 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( NULL, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( NULL, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, From 9e65f791b56634e1bc4fd0b2edebd50cc1beab46 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 12:18:58 +0100 Subject: [PATCH 25/59] Removes f_rng param from mbedtls_rsa_rsassa_pss_verify_ext Commit removes the f_rng parameter from the mbedtls_rsa_rsassa_pss_verify_ext function. This is in preparation for the removal of the mode parameter. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 4 ---- library/pk.c | 2 +- library/rsa.c | 5 ++--- tests/suites/test_suite_pkcs1_v21.function | 2 +- tests/suites/test_suite_rsa.function | 8 ++++---- 5 files changed, 8 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 0fde575f4..3f453f684 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1080,9 +1080,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * \note The \p hash_id in the RSA context is ignored. * * \param ctx The initialized RSA public key context to use. - * \param f_rng The RNG function to use. If \p mode is #MBEDTLS_RSA_PRIVATE, - * this is used for blinding and should be provided; see - * mbedtls_rsa_private() for more. Otherwise, it is ignored. * \param mode The mode of operation. This must be either * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE. * \param md_alg The message-digest algorithm used to hash the original data. @@ -1105,7 +1102,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, diff --git a/library/pk.c b/library/pk.c index e0dedecc3..65a4d0c0f 100644 --- a/library/pk.c +++ b/library/pk.c @@ -367,7 +367,7 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ), - NULL, MBEDTLS_RSA_PUBLIC, + MBEDTLS_RSA_PUBLIC, md_alg, (unsigned int) hash_len, hash, pss_opts->mgf1_hash_id, pss_opts->expected_salt_len, diff --git a/library/rsa.c b/library/rsa.c index 6b18fe7cf..db684c8fa 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2147,7 +2147,6 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - int (*f_rng)(void *, unsigned char *, size_t), int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, @@ -2186,7 +2185,7 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, ret = ( mode == MBEDTLS_RSA_PUBLIC ) ? mbedtls_rsa_public( ctx, sig, buf ) - : mbedtls_rsa_private( ctx, f_rng, NULL, sig, buf ); + : mbedtls_rsa_private( ctx, NULL, NULL, sig, buf ); if( ret != 0 ) return( ret ); @@ -2312,7 +2311,7 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, ? (mbedtls_md_type_t) ctx->hash_id : md_alg; - return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, NULL, + return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, mgf1_hash_id, diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index 82f33d610..c52edcb89 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -248,7 +248,7 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, hash_len, hash_result, result_str->x ) == result_simple ); - TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, MBEDTLS_RSA_PUBLIC, + TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, MBEDTLS_RSA_PUBLIC, msg_digest_id, hash_len, hash_result, mgf_hash, salt_len, result_str->x ) == result_full ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 05886ffba..b822ed9ea 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -333,26 +333,26 @@ void rsa_invalid_param( ) buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( NULL, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( NULL, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( &ctx, MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, - mbedtls_rsa_rsassa_pss_verify_ext( &ctx, NULL, + mbedtls_rsa_rsassa_pss_verify_ext( &ctx, MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, From 782a7f5bd6f40ec919baba159661e1977f562ccf Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 12:27:35 +0100 Subject: [PATCH 26/59] Removes mode param from mbedtls_rsa_rsassa_pss_verify_ext Commit removes the mode parameter from the mbedtls_rsa_rsassa_pss_verify_ext function. This change is propagated throughout the codebase. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 3 --- library/pk.c | 9 ++++----- library/rsa.c | 11 +---------- tests/suites/test_suite_pkcs1_v21.function | 7 +++---- tests/suites/test_suite_rsa.function | 4 ---- 5 files changed, 8 insertions(+), 26 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 3f453f684..2c2af3f96 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -1080,8 +1080,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * \note The \p hash_id in the RSA context is ignored. * * \param ctx The initialized RSA public key context to use. - * \param mode The mode of operation. This must be either - * #MBEDTLS_RSA_PUBLIC or #MBEDTLS_RSA_PRIVATE. * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -1102,7 +1100,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, * \return An \c MBEDTLS_ERR_RSA_XXX error code on failure. */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, diff --git a/library/pk.c b/library/pk.c index 65a4d0c0f..06021e26c 100644 --- a/library/pk.c +++ b/library/pk.c @@ -367,11 +367,10 @@ int mbedtls_pk_verify_ext( mbedtls_pk_type_t type, const void *options, return( MBEDTLS_ERR_RSA_VERIFY_FAILED ); ret = mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_pk_rsa( *ctx ), - MBEDTLS_RSA_PUBLIC, - md_alg, (unsigned int) hash_len, hash, - pss_opts->mgf1_hash_id, - pss_opts->expected_salt_len, - sig ); + md_alg, (unsigned int) hash_len, hash, + pss_opts->mgf1_hash_id, + pss_opts->expected_salt_len, + sig ); if( ret != 0 ) return( ret ); diff --git a/library/rsa.c b/library/rsa.c index db684c8fa..14eb9205c 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2147,7 +2147,6 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * Implementation of the PKCS#1 v2.1 RSASSA-PSS-VERIFY function */ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, @@ -2168,24 +2167,17 @@ int mbedtls_rsa_rsassa_pss_verify_ext( mbedtls_rsa_context *ctx, unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( sig != NULL ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || hash != NULL ); - if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - siglen = ctx->len; if( siglen < 16 || siglen > sizeof( buf ) ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - ret = ( mode == MBEDTLS_RSA_PUBLIC ) - ? mbedtls_rsa_public( ctx, sig, buf ) - : mbedtls_rsa_private( ctx, NULL, NULL, sig, buf ); + ret = mbedtls_rsa_public( ctx, sig, buf ); if( ret != 0 ) return( ret ); @@ -2312,7 +2304,6 @@ int mbedtls_rsa_rsassa_pss_verify( mbedtls_rsa_context *ctx, : md_alg; return( mbedtls_rsa_rsassa_pss_verify_ext( ctx, - MBEDTLS_RSA_PUBLIC, md_alg, hashlen, hash, mgf1_hash_id, MBEDTLS_RSA_SALT_LEN_ANY, diff --git a/tests/suites/test_suite_pkcs1_v21.function b/tests/suites/test_suite_pkcs1_v21.function index c52edcb89..8f22f2094 100644 --- a/tests/suites/test_suite_pkcs1_v21.function +++ b/tests/suites/test_suite_pkcs1_v21.function @@ -248,10 +248,9 @@ void pkcs1_rsassa_pss_verify_ext( int mod, data_t * input_N, data_t * input_E, hash_len, hash_result, result_str->x ) == result_simple ); - TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, MBEDTLS_RSA_PUBLIC, - msg_digest_id, hash_len, hash_result, - mgf_hash, salt_len, - result_str->x ) == result_full ); + TEST_ASSERT( mbedtls_rsa_rsassa_pss_verify_ext( &ctx, msg_digest_id, hash_len, + hash_result, mgf_hash, salt_len, + result_str->x ) == result_full ); exit: mbedtls_mpi_free( &N ); mbedtls_mpi_free( &E ); diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index b822ed9ea..442e857ed 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -334,26 +334,22 @@ void rsa_invalid_param( ) TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( NULL, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), NULL, 0, 0, buf ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( &ctx, - MBEDTLS_RSA_PUBLIC, 0, sizeof( buf ), buf, 0, 0, NULL ) ); TEST_INVALID_PARAM_RET( MBEDTLS_ERR_RSA_BAD_INPUT_DATA, mbedtls_rsa_rsassa_pss_verify_ext( &ctx, - MBEDTLS_RSA_PUBLIC, MBEDTLS_MD_SHA1, 0, NULL, 0, 0, From 10bc18e3b417632878613648bbd4194e50c1d1a0 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 12:40:20 +0100 Subject: [PATCH 27/59] Corrects outstanding documentation issues Commit removes any remaining superfluous documentation that was not yet removed. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 8 -------- 1 file changed, 8 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 2c2af3f96..dda0a61b8 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -573,10 +573,6 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * It is the generic wrapper for performing a PKCS#1 encryption * operation. * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PRIVATE and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA context to use. * \param f_rng The RNG to use. It is mandatory for PKCS#1 v2.1 padding * encoding, and for PKCS#1 v1.5 padding encoding. @@ -605,10 +601,6 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, * \brief This function performs a PKCS#1 v1.5 encryption operation * (RSAES-PKCS1-v1_5-ENCRYPT). * - * \note Alternative implementations of RSA need not support - * mode being set to #MBEDTLS_RSA_PRIVATE and might instead - * return #MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED. - * * \param ctx The initialized RSA context to use. * \param f_rng The RNG function to use. It is needed for padding generation. * \param p_rng The RNG context to be passed to \p f_rng. This may From cad59ed48e4e6bb1fa0f8f25c5e9b25f79eda527 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 15:04:08 +0100 Subject: [PATCH 28/59] Removes mode param from rsa_rsassa_pss_sign Commit removes the mode parameter from the internal function rsa_rsassa_pss_sign. Signed-off-by: Thomas Daubney --- library/rsa.c | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/library/rsa.c b/library/rsa.c index 14eb9205c..2f9438ad0 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1744,7 +1744,6 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng, - int mode, mbedtls_md_type_t md_alg, unsigned int hashlen, const unsigned char *hash, @@ -1760,16 +1759,11 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, const mbedtls_md_info_t *md_info; mbedtls_md_context_t md_ctx; RSA_VALIDATE_RET( ctx != NULL ); - RSA_VALIDATE_RET( mode == MBEDTLS_RSA_PRIVATE || - mode == MBEDTLS_RSA_PUBLIC ); RSA_VALIDATE_RET( ( md_alg == MBEDTLS_MD_NONE && hashlen == 0 ) || hash != NULL ); RSA_VALIDATE_RET( sig != NULL ); - if( mode == MBEDTLS_RSA_PRIVATE && ctx->padding != MBEDTLS_RSA_PKCS_V21 ) - return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); - if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -1868,9 +1862,7 @@ exit: if( ret != 0 ) return( ret ); - return( ( mode == MBEDTLS_RSA_PUBLIC ) - ? mbedtls_rsa_public( ctx, sig, sig ) - : mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ) ); + return mbedtls_rsa_private( ctx, f_rng, p_rng, sig, sig ); } /* @@ -1886,7 +1878,7 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, int saltlen, unsigned char *sig ) { - return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg, + return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg, hashlen, hash, saltlen, sig ); } @@ -1902,7 +1894,7 @@ int mbedtls_rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, const unsigned char *hash, unsigned char *sig ) { - return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, MBEDTLS_RSA_PRIVATE, md_alg, + return rsa_rsassa_pss_sign( ctx, f_rng, p_rng, md_alg, hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig ); } #endif /* MBEDTLS_PKCS1_V21 */ From 41e4ce4884a95235b04f1ef899de7881dba55310 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Wed, 19 May 2021 15:10:05 +0100 Subject: [PATCH 29/59] Removes RSA constants This commit removes the RSA constants MBEDTLS_RSA_PUBLIC and MBEDTLS_RSA_PRIVATE because they are now superfluous given that the mode parameter has been removed. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 2 -- library/rsa.c | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index dda0a61b8..ecf345e64 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -57,8 +57,6 @@ /* * RSA constants */ -#define MBEDTLS_RSA_PUBLIC 0 /**< Request private key operation. */ -#define MBEDTLS_RSA_PRIVATE 1 /**< Request public key operation. */ #define MBEDTLS_RSA_PKCS_V15 0 /**< Use PKCS#1 v1.5 encoding. */ #define MBEDTLS_RSA_PKCS_V21 1 /**< Use PKCS#1 v2.1 encoding. */ diff --git a/library/rsa.c b/library/rsa.c index 2f9438ad0..c3b54afda 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -2345,7 +2345,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_verify( mbedtls_rsa_context *ctx, * Apply RSA primitive to get what should be PKCS1 encoded hash. */ - ret = mbedtls_rsa_public( ctx, sig, encoded ); + ret = mbedtls_rsa_public( ctx, sig, encoded ); if( ret != 0 ) goto cleanup; From f505b0e30717172ec1abcebcf4c4eeadfa9e8878 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 20 May 2021 12:20:55 +0100 Subject: [PATCH 30/59] Removes unused variables in test_suite_rsa.function CI was failing on check_params due to MBEDTLS_RSA_PRIVATE being assigned to a now superfluous variable. The variable has been as well as another superfluous variable. This should correct the CI issue. Signed-off-by: Thomas Daubney --- tests/suites/test_suite_rsa.function | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/suites/test_suite_rsa.function b/tests/suites/test_suite_rsa.function index 442e857ed..efea5c169 100644 --- a/tests/suites/test_suite_rsa.function +++ b/tests/suites/test_suite_rsa.function @@ -23,8 +23,6 @@ void rsa_invalid_param( ) mbedtls_rsa_context ctx; const int valid_padding = MBEDTLS_RSA_PKCS_V21; const int invalid_padding = 42; - const int valid_mode = MBEDTLS_RSA_PRIVATE; - const int invalid_mode = 42; unsigned char buf[42] = { 0 }; size_t olen; From 03412787e16c1e248501286764b4f690ef21d6cf Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Thu, 20 May 2021 15:31:17 +0100 Subject: [PATCH 31/59] Modifies documentation in rsa.h Changes to documentation to show that f_rng is no longer going to be optional in 3.0. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index ecf345e64..9b5c1db1a 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -542,11 +542,9 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, * of a PRNG. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function, used for blinding. It is discouraged - * and deprecated to pass \c NULL here, in which case - * blinding will be omitted. + * \param f_rng The RNG function, used for blinding. * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL - * if \p f_rng is \c NULL or if \p f_rng doesn't need a context. + * if \p f_rng doesn't need a context. * \param input The input buffer. This must be a readable buffer * of length \c ctx->len Bytes. For example, \c 256 Bytes * for an 2048-bit RSA modulus. @@ -572,11 +570,9 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * operation. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG to use. It is mandatory for PKCS#1 v2.1 padding - * encoding, and for PKCS#1 v1.5 padding encoding. + * \param f_rng The RNG to use. It is needed for padding generation. * \param p_rng The RNG context to be passed to \p f_rng. May be - * \c NULL if \p f_rng is \c NULL or if \p f_rng doesn't - * need a context argument. + * \c NULL if \p f_rng doesn't need a context argument. * \param ilen The length of the plaintext in Bytes. * \param input The input data to encrypt. This must be a readable * buffer of size \p ilen Bytes. It may be \c NULL if @@ -602,8 +598,7 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, * \param ctx The initialized RSA context to use. * \param f_rng The RNG function to use. It is needed for padding generation. * \param p_rng The RNG context to be passed to \p f_rng. This may - * be \c NULL if \p f_rng is \c NULL or if \p f_rng - * doesn't need a context argument. + * be \c NULL if \p f_rng doesn't need a context argument. * \param ilen The length of the plaintext in Bytes. * \param input The input data to encrypt. This must be a readable * buffer of size \p ilen Bytes. It may be \c NULL if @@ -675,7 +670,7 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, * \param f_rng The RNG function. This is used for blinding and should * be provided; see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. + * \c NULL if \p f_rng doesn't need a context. * \param olen The address at which to store the length of * the plaintext. This must not be \c NULL. * \param input The ciphertext buffer. This must be a readable buffer @@ -711,7 +706,7 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, * \param f_rng The RNG function. This is used for blinding and should * be provided; see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. + * \c NULL if \p f_rng doesn't need a context. * \param olen The address at which to store the length of * the plaintext. This must not be \c NULL. * \param input The ciphertext buffer. This must be a readable buffer @@ -746,10 +741,9 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. This is used for blinding and should - * be provided; see mbedtls_rsa_private() for more. + * \param f_rng The RNG function. This is used for blinding. * \param p_rng The RNG context to be passed to \p f_rng. This may be - * \c NULL if \p f_rng is \c NULL or doesn't need a context. + * \c NULL if \p f_rng doesn't need a context. * \param label The buffer holding the custom label to use. * This must be a readable buffer of length \p label_len * Bytes. It may be \c NULL if \p label_len is \c 0. @@ -790,12 +784,9 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * \p md_alg and \p hash_id. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function to use. If the padding mode is PKCS#1 v2.1, - * this must be provided. If the padding mode is PKCS#1 v1.5 - * it is used for blinding and should be provided; - * see mbedtls_rsa_private() for more. + * \param f_rng The RNG function to use. This must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - * if \p f_rng is \c NULL or doesn't need a context argument. + * if \p f_rng doesn't need a context argument. * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. From ff143c0a348e3ffc603009bb4c1c3b73038c2dd5 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 20 May 2021 15:56:59 +0100 Subject: [PATCH 32/59] psa: Add missing RSA test dependency The test "PSA generate key: RSA, 1024 bits, good, encrypt (OAEP SHA-256)" had a dependency on MBEDTLS_GENPRIME, but this was not listed in the dependencies. Add MBEDTLS_GENPRIME to the test's dependencies to ensure it has what it needs to run. Signed-off-by: Jaeden Amero --- tests/suites/test_suite_psa_crypto.data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 7b86185b9..6fa25d35e 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -3097,7 +3097,7 @@ depends_on:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTL generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:512:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:PSA_SUCCESS:0 PSA generate key: RSA, 1024 bits, good, encrypt (OAEP SHA-256) -depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_MD_C +depends_on:PSA_WANT_ALG_RSA_OAEP:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_GENPRIME:MBEDTLS_MD_C generate_key:PSA_KEY_TYPE_RSA_KEY_PAIR:1024:PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):PSA_SUCCESS:0 PSA generate key: RSA, 0 bits: invalid From 424fa93efdd8ef1efb2d459f3ca99f88f8ef4e43 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 14 May 2021 08:34:32 +0100 Subject: [PATCH 33/59] psa: Support RSA signature without MBEDTLS_GENPRIME On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes #4512 Signed-off-by: Jaeden Amero --- ChangeLog.d/psa-without-genprime-fix.txt | 5 +++++ library/psa_crypto.c | 6 ++++-- library/psa_crypto_rsa.c | 12 ++++++++---- tests/scripts/all.sh | 9 +++++++++ 4 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 ChangeLog.d/psa-without-genprime-fix.txt diff --git a/ChangeLog.d/psa-without-genprime-fix.txt b/ChangeLog.d/psa-without-genprime-fix.txt new file mode 100644 index 000000000..8a7153a9c --- /dev/null +++ b/ChangeLog.d/psa-without-genprime-fix.txt @@ -0,0 +1,5 @@ +Bugfix + * Restore the ability to configure PSA via Mbed TLS options to support RSA + key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME + is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key(). + Fixes #4512. diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 2583735fe..b887bbd74 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -4637,7 +4637,8 @@ psa_status_t psa_generate_key_internal( } else -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR ) { return( mbedtls_psa_rsa_generate_key( attributes, @@ -4646,7 +4647,8 @@ psa_status_t psa_generate_key_internal( key_buffer_length ) ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + * defined(MBEDTLS_GENPRIME) */ #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 686f07d33..c62294a9a 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -274,7 +274,8 @@ static psa_status_t rsa_export_public_key( #endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, int *exponent ) @@ -332,7 +333,8 @@ static psa_status_t rsa_generate_key( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + * defined(MBEDTLS_GENPRIME) */ /****************************************************************/ /* Sign/verify hashes */ @@ -565,7 +567,8 @@ psa_status_t mbedtls_psa_rsa_export_public_key( #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) @@ -573,7 +576,8 @@ psa_status_t mbedtls_psa_rsa_generate_key( return( rsa_generate_key( attributes, key_buffer, key_buffer_size, key_buffer_length ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + * defined(MBEDTLS_GENPRIME) */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8b9d7d172..a012c0f8d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -809,6 +809,15 @@ component_test_psa_crypto_client () { make test } +component_test_psa_crypto_rsa_no_genprime() { + msg "build: default config minus MBEDTLS_GENPRIME" + scripts/config.py unset MBEDTLS_GENPRIME + make + + msg "test: default config minus MBEDTLS_GENPRIME" + make test +} + component_test_ref_configs () { msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . From 2c65db96553e15438b8a7c43ea3d76aaa68f5643 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Fri, 21 May 2021 10:58:28 +0100 Subject: [PATCH 34/59] Corrects documentation in rsa.h Some documentation in rsa.h was still incorrect regarding f_rng being mandatory. This has now been corrected. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 36 ++++++++++++++++++++---------------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 9b5c1db1a..494e2f2c2 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -421,7 +421,7 @@ size_t mbedtls_rsa_get_len( const mbedtls_rsa_context *ctx ); * * \param ctx The initialized RSA context used to hold the key. * \param f_rng The RNG function to be used for key generation. - * This must not be \c NULL. + * This is mandatory and must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. * This may be \c NULL if \p f_rng doesn't need a context. * \param nbits The size of the public key in bits. @@ -542,7 +542,7 @@ int mbedtls_rsa_public( mbedtls_rsa_context *ctx, * of a PRNG. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function, used for blinding. + * \param f_rng The RNG function, used for blinding. It is mandatory. * \param p_rng The RNG context to pass to \p f_rng. This may be \c NULL * if \p f_rng doesn't need a context. * \param input The input buffer. This must be a readable buffer @@ -570,7 +570,8 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * operation. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG to use. It is needed for padding generation. + * \param f_rng The RNG to use. It used for padding generation + * and it is mandatory. * \param p_rng The RNG context to be passed to \p f_rng. May be * \c NULL if \p f_rng doesn't need a context argument. * \param ilen The length of the plaintext in Bytes. @@ -596,7 +597,8 @@ int mbedtls_rsa_pkcs1_encrypt( mbedtls_rsa_context *ctx, * (RSAES-PKCS1-v1_5-ENCRYPT). * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function to use. It is needed for padding generation. + * \param f_rng The RNG function to use. It is mandatory and used for + * padding generation. * \param p_rng The RNG context to be passed to \p f_rng. This may * be \c NULL if \p f_rng doesn't need a context argument. * \param ilen The length of the plaintext in Bytes. @@ -626,7 +628,7 @@ int mbedtls_rsa_rsaes_pkcs1_v15_encrypt( mbedtls_rsa_context *ctx, * * \param ctx The initnialized RSA context to use. * \param f_rng The RNG function to use. This is needed for padding - * generation and must be provided. + * generation and is mandatory. * \param p_rng The RNG context to be passed to \p f_rng. This may * be \c NULL if \p f_rng doesn't need a context argument. * \param label The buffer holding the custom label to use. @@ -667,8 +669,8 @@ int mbedtls_rsa_rsaes_oaep_encrypt( mbedtls_rsa_context *ctx, * the function returns \c MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. This is used for blinding and should - * be provided; see mbedtls_rsa_private() for more. + * \param f_rng The RNG function. This is used for blinding and is + * mandatory; see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL if \p f_rng doesn't need a context. * \param olen The address at which to store the length of @@ -703,8 +705,8 @@ int mbedtls_rsa_pkcs1_decrypt( mbedtls_rsa_context *ctx, * the function returns #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. This is used for blinding and should - * be provided; see mbedtls_rsa_private() for more. + * \param f_rng The RNG function. This is used for blinding and is + * mandatory; see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL if \p f_rng doesn't need a context. * \param olen The address at which to store the length of @@ -741,7 +743,8 @@ int mbedtls_rsa_rsaes_pkcs1_v15_decrypt( mbedtls_rsa_context *ctx, * #MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. This is used for blinding. + * \param f_rng The RNG function. This is used for blinding and is + * mandatory. * \param p_rng The RNG context to be passed to \p f_rng. This may be * \c NULL if \p f_rng doesn't need a context. * \param label The buffer holding the custom label to use. @@ -784,7 +787,8 @@ int mbedtls_rsa_rsaes_oaep_decrypt( mbedtls_rsa_context *ctx, * \p md_alg and \p hash_id. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function to use. This must not be \c NULL. + * \param f_rng The RNG function to use. This is mandatory and + * must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL * if \p f_rng doesn't need a context argument. * \param md_alg The message-digest algorithm used to hash the original data. @@ -817,10 +821,10 @@ int mbedtls_rsa_pkcs1_sign( mbedtls_rsa_context *ctx, * operation (RSASSA-PKCS1-v1_5-SIGN). * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. This is used for blinding and should be - * provided; see mbedtls_rsa_private() for more. + * \param f_rng The RNG function. This is used for blinding and is + * mandatory; see mbedtls_rsa_private() for more. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL - * if \p f_rng is \c NULL or doesn't need a context argument. + * if \p f_rng doesn't need a context argument. * \param md_alg The message-digest algorithm used to hash the original data. * Use #MBEDTLS_MD_NONE for signing raw data. * \param hashlen The length of the message digest. @@ -865,7 +869,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. It must not be \c NULL. + * \param f_rng The RNG function. It is mandatory and must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL * if \p f_rng doesn't need a context argument. * \param md_alg The message-digest algorithm used to hash the original data. @@ -921,7 +925,7 @@ int mbedtls_rsa_rsassa_pss_sign_ext( mbedtls_rsa_context *ctx, * #MBEDTLS_ERR_RSA_BAD_INPUT_DATA. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG function. It must not be \c NULL. + * \param f_rng The RNG function. It is mandatory and must not be \c NULL. * \param p_rng The RNG context to be passed to \p f_rng. This may be \c NULL * if \p f_rng doesn't need a context argument. * \param md_alg The message-digest algorithm used to hash the original data. From d58ed587fda2059fc30a56e140de2d654b4d5637 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Fri, 21 May 2021 11:50:39 +0100 Subject: [PATCH 35/59] Restores erroneously removed checks Some padding checks in rsa.c were erroneously removed in a previous commit and are restored in this commit. Signed-off-by: Thomas Daubney --- library/rsa.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/rsa.c b/library/rsa.c index c3b54afda..36424bd19 100644 --- a/library/rsa.c +++ b/library/rsa.c @@ -1764,6 +1764,9 @@ static int rsa_rsassa_pss_sign( mbedtls_rsa_context *ctx, hash != NULL ); RSA_VALIDATE_RET( sig != NULL ); + if( ctx->padding != MBEDTLS_RSA_PKCS_V21 ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + if( f_rng == NULL ) return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); @@ -2054,6 +2057,9 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign( mbedtls_rsa_context *ctx, hash != NULL ); RSA_VALIDATE_RET( sig != NULL ); + if( ctx->padding != MBEDTLS_RSA_PKCS_V15 ) + return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA ); + /* * Prepare PKCS1-v1.5 encoding (padding and hash identifier) */ From 62b0d1dbc83fa49d8b84f9eeacd37d6f637093b1 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Fri, 21 May 2021 16:55:03 +0100 Subject: [PATCH 36/59] Adds ChangeLog and Migration guide entry Commit adds relevant entry to the ChangeLog and to the Migration guide. Signed-off-by: Thomas Daubney --- ChangeLog.d/remove-rsa-mode-parameter.txt | 6 ++++++ .../remove-rsa-mode-parameter.md | 20 +++++++++++++++++++ 2 files changed, 26 insertions(+) create mode 100644 ChangeLog.d/remove-rsa-mode-parameter.txt create mode 100644 docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md diff --git a/ChangeLog.d/remove-rsa-mode-parameter.txt b/ChangeLog.d/remove-rsa-mode-parameter.txt new file mode 100644 index 000000000..7ee3adb95 --- /dev/null +++ b/ChangeLog.d/remove-rsa-mode-parameter.txt @@ -0,0 +1,6 @@ +API changes + * Remove mode parameter from RSA functions. All encryption, + decryption, sign and verify functions are affected. Also + removes the RNG parameters from the RSA verify functions. + Existing user code which utilises these RSA functions must + remove the mode parameter. diff --git a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md new file mode 100644 index 000000000..61100d3f3 --- /dev/null +++ b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md @@ -0,0 +1,20 @@ +Remove the mode parameter from RSA functions +-------------------------------------------- + +This affects all users who use the RSA encryption, decryption, sign and +verify APIs. + +If you were using the mode parameter to specify the wrong mode then +this behaviour is no longer supported. You must delete the mode +parameter from your RSA function calls. + + +Remove the RNG parameter from RSA functions +-------------------------------------------- + +This affects all users who use the RSA verify functions. + +If you were using the RNG parameters then you must remove +them from your function calls. Since usiong the wrong mode +is no longer supported, the RNG parameters namely f_rng +and p_rng are no longer needed. From f54c5c5547483789f06c6337b5f4f52dec76dc61 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Fri, 21 May 2021 17:00:30 +0100 Subject: [PATCH 37/59] Fixes typo Commit fixes typo in rsa.h found in review. Signed-off-by: Thomas Daubney --- include/mbedtls/rsa.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 494e2f2c2..ba00bff31 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -570,7 +570,7 @@ int mbedtls_rsa_private( mbedtls_rsa_context *ctx, * operation. * * \param ctx The initialized RSA context to use. - * \param f_rng The RNG to use. It used for padding generation + * \param f_rng The RNG to use. It is used for padding generation * and it is mandatory. * \param p_rng The RNG context to be passed to \p f_rng. May be * \c NULL if \p f_rng doesn't need a context argument. From 2fbbe1d2fe395ff7d9aa20f7101168ffb9b82404 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Mon, 24 May 2021 10:53:57 +0100 Subject: [PATCH 38/59] Corrections to ChangeLog and Migration guide This commit fixes typos and re-words the migration guide. It also adds the issue number to the ChangeLog. Signed-off-by: Thomas Daubney --- ChangeLog.d/remove-rsa-mode-parameter.txt | 2 +- .../remove-rsa-mode-parameter.md | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ChangeLog.d/remove-rsa-mode-parameter.txt b/ChangeLog.d/remove-rsa-mode-parameter.txt index 7ee3adb95..b7c6f327f 100644 --- a/ChangeLog.d/remove-rsa-mode-parameter.txt +++ b/ChangeLog.d/remove-rsa-mode-parameter.txt @@ -3,4 +3,4 @@ API changes decryption, sign and verify functions are affected. Also removes the RNG parameters from the RSA verify functions. Existing user code which utilises these RSA functions must - remove the mode parameter. + remove the mode parameter. Fixes #4278. diff --git a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md index 61100d3f3..406004f45 100644 --- a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md +++ b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md @@ -4,10 +4,13 @@ Remove the mode parameter from RSA functions This affects all users who use the RSA encryption, decryption, sign and verify APIs. -If you were using the mode parameter to specify the wrong mode then -this behaviour is no longer supported. You must delete the mode -parameter from your RSA function calls. - +You must delete the mode parameter from your RSA function calls. +Using the correct modes are now the default and only behaviour, and this +cannot be changed. If you were using the mode parameter to specify the +wrong mode then this behaviour is no longer supported. For reference the +correct, supported modes are: Public keys for encryption and verification +functions and private keys for decryption and signing functions, but the +user does not have to specify this. Remove the RNG parameter from RSA functions -------------------------------------------- @@ -15,6 +18,6 @@ Remove the RNG parameter from RSA functions This affects all users who use the RSA verify functions. If you were using the RNG parameters then you must remove -them from your function calls. Since usiong the wrong mode +them from your function calls. Since using the wrong mode is no longer supported, the RNG parameters namely f_rng and p_rng are no longer needed. From 0f82ec67409aea9516795e301492a6ab240b4de7 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 12 May 2021 17:49:18 +0200 Subject: [PATCH 39/59] Remove the TLS 1.0 and 1.1 support Signed-off-by: TRodziewicz --- configs/config-mini-tls1_1.h | 79 ---- include/mbedtls/check_config.h | 37 +- include/mbedtls/config.h | 51 +-- include/mbedtls/ssl.h | 30 +- library/ssl_cli.c | 66 +-- library/ssl_cookie.c | 3 +- library/ssl_misc.h | 39 +- library/ssl_msg.c | 84 ++-- library/ssl_srv.c | 45 +- library/ssl_tls.c | 393 +--------------- programs/ssl/ssl_client2.c | 40 +- programs/ssl/ssl_server2.c | 34 +- tests/compat.sh | 18 +- tests/scripts/basic-build-test.sh | 2 +- tests/scripts/test-ref-configs.pl | 3 - tests/ssl-opt.sh | 719 ------------------------------ 16 files changed, 84 insertions(+), 1559 deletions(-) delete mode 100644 configs/config-mini-tls1_1.h diff --git a/configs/config-mini-tls1_1.h b/configs/config-mini-tls1_1.h deleted file mode 100644 index 83d1ab713..000000000 --- a/configs/config-mini-tls1_1.h +++ /dev/null @@ -1,79 +0,0 @@ -/** - * \file config-mini-tls1_1.h - * - * \brief Minimal configuration for TLS 1.1 (RFC 4346) - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * Minimal configuration for TLS 1.1 (RFC 4346), implementing only the - * required ciphersuite: MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA - * - * See README.txt for usage instructions. - */ - -#ifndef MBEDTLS_CONFIG_H -#define MBEDTLS_CONFIG_H - -/* System support */ -#define MBEDTLS_HAVE_ASM -#define MBEDTLS_HAVE_TIME - -/* mbed TLS feature support */ -#define MBEDTLS_CIPHER_MODE_CBC -#define MBEDTLS_PKCS1_V15 -#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED -#define MBEDTLS_SSL_PROTO_TLS1_1 - -/* mbed TLS modules */ -#define MBEDTLS_AES_C -#define MBEDTLS_ASN1_PARSE_C -#define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_BIGNUM_C -#define MBEDTLS_CIPHER_C -#define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_DES_C -#define MBEDTLS_ENTROPY_C -#define MBEDTLS_MD_C -#define MBEDTLS_MD5_C -#define MBEDTLS_NET_C -#define MBEDTLS_OID_C -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_RSA_C -#define MBEDTLS_SHA1_C -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. */ -#define MBEDTLS_SHA224_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SSL_CLI_C -#define MBEDTLS_SSL_SRV_C -#define MBEDTLS_SSL_TLS_C -#define MBEDTLS_X509_CRT_PARSE_C -#define MBEDTLS_X509_USE_C - -/* For test certificates */ -#define MBEDTLS_BASE64_C -#define MBEDTLS_PEM_PARSE_C - -/* For testing with compat.sh */ -#define MBEDTLS_FS_IO - -#include "mbedtls/check_config.h" - -#endif /* MBEDTLS_CONFIG_H */ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7cb6967b2..389ae2a71 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -621,16 +621,6 @@ #error "MBEDTLS_SHA256_C defined without MBEDTLS_SHA224_C" #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) || \ - !defined(MBEDTLS_SHA1_C) ) -#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) || \ - !defined(MBEDTLS_SHA1_C) ) -#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) && \ !defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) ) #error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites" @@ -641,8 +631,7 @@ #error "MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL defined, but not all prerequisites" #endif -#if (defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) ||\ - defined(MBEDTLS_SSL_PROTO_TLS1_2)) && \ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ !(defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ @@ -659,7 +648,6 @@ #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites" #endif @@ -677,16 +665,10 @@ #error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_TLS1) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1_2)) +#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_TLS_C defined, but no protocols are active" #endif -#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1)) -#error "Illegal protocol selection" -#endif - #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS) #error "MBEDTLS_SSL_DTLS_HELLO_VERIFY defined, but not all prerequisites" #endif @@ -724,15 +706,11 @@ #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites" #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1) && \ - !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites" #endif @@ -741,10 +719,6 @@ #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && !defined(MBEDTLS_SSL_PROTO_TLS1) -#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ !defined(MBEDTLS_X509_CRT_PARSE_C) #error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites" @@ -859,6 +833,13 @@ #error "MBEDTLS_ZLIB_SUPPORT was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4031" #endif +#if defined(MBEDTLS_SSL_PROTO_TLS1) //no-check-names +#error "MBEDTLS_SSL_PROTO_TLS1 (TLS v1.0 support) was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4286" +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_1) //no-check-names +#error "MBEDTLS_SSL_PROTO_TLS1_1 (TLS v1.1 support) was removed in Mbed TLS 3.0. See https://github.com/ARMmbed/mbedtls/issues/4286" +#endif /* * Avoid warning from -pedantic. This is a convenient place for this diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 2c6ae3d1d..4905b9243 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1530,9 +1530,7 @@ * * This only affects CBC ciphersuites, and is useless if none is defined. * - * Requires: MBEDTLS_SSL_PROTO_TLS1 or - * MBEDTLS_SSL_PROTO_TLS1_1 or - * MBEDTLS_SSL_PROTO_TLS1_2 + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 * * Comment this macro to disable support for Encrypt-then-MAC */ @@ -1548,9 +1546,7 @@ * renegotiation), since it actually fixes a more fundamental issue in the * original SSL/TLS design, and has implications beyond Triple Handshake. * - * Requires: MBEDTLS_SSL_PROTO_TLS1 or - * MBEDTLS_SSL_PROTO_TLS1_1 or - * MBEDTLS_SSL_PROTO_TLS1_2 + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 * * Comment this macro to disable support for Extended Master Secret. */ @@ -1599,7 +1595,7 @@ /** * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING * - * Enable 1/n-1 record splitting for CBC mode in TLS 1.0. + * Enable 1/n-1 record splitting for CBC mode in TLS. * * This is a countermeasure to the BEAST attack, which also minimizes the risk * of interoperability issues compared to sending 0-length records. @@ -1649,30 +1645,6 @@ */ #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH -/** - * \def MBEDTLS_SSL_PROTO_TLS1 - * - * Enable support for TLS 1.0. - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.0 - */ -#define MBEDTLS_SSL_PROTO_TLS1 - -/** - * \def MBEDTLS_SSL_PROTO_TLS1_1 - * - * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled). - * - * Requires: MBEDTLS_MD5_C - * MBEDTLS_SHA1_C - * - * Comment this macro to disable support for TLS 1.1 / DTLS 1.0 - */ -#define MBEDTLS_SSL_PROTO_TLS1_1 - /** * \def MBEDTLS_SSL_PROTO_TLS1_2 * @@ -1709,11 +1681,9 @@ * * Enable support for DTLS (all available versions). * - * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0, - * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. + * Enable this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2. * - * Requires: MBEDTLS_SSL_PROTO_TLS1_1 - * or MBEDTLS_SSL_PROTO_TLS1_2 + * Requires: MBEDTLS_SSL_PROTO_TLS1_2 * * Comment this macro to disable support for DTLS */ @@ -2738,10 +2708,9 @@ * library/pem.c * library/ssl_tls.c * - * This module is required for SSL/TLS up to version 1.1, and for TLS 1.2 - * depending on the handshake parameters. Further, it is used for checking - * MD5-signed certificates, and for PBKDF1 when decrypting PEM-encoded - * encrypted keys. + * This module is required for TLS 1.2 depending on the handshake parameters. + * Further, it is used for checking MD5-signed certificates, and for PBKDF1 + * when decrypting PEM-encoded encrypted keys. * * \warning MD5 is considered a weak message digest and its use constitutes a * security risk. If possible, we recommend avoiding dependencies on @@ -3061,8 +3030,8 @@ * library/ssl_tls.c * library/x509write_crt.c * - * This module is required for SSL/TLS up to version 1.1, for TLS 1.2 - * depending on the handshake parameters, and for SHA1-signed certificates. + * This module is required for TLS 1.2 depending on the handshake parameters, + * and for SHA1-signed certificates. * * \warning SHA-1 is considered a weak message digest and its use constitutes * a security risk. If possible, we recommend avoiding dependencies diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 88a599c18..39661cbac 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -131,8 +131,8 @@ * - RFC 8446: see section 4.2.1 */ #define MBEDTLS_SSL_MAJOR_VERSION_3 3 -#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 */ -#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */ +#define MBEDTLS_SSL_MINOR_VERSION_1 1 /*!< TLS v1.0 deprecated */ +#define MBEDTLS_SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 deprecated */ #define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ #define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 (experimental) */ @@ -2602,8 +2602,7 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, * MBEDTLS_SSL_MINOR_VERSION_2, * MBEDTLS_SSL_MINOR_VERSION_3 supported) * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 - * and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, const int *ciphersuites, @@ -3253,8 +3252,7 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ss * * \note This ignores ciphersuites from higher versions. * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and - * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) @@ -3265,13 +3263,12 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino /** * \brief Set the minimum accepted SSL/TLS protocol version - * (Default: TLS 1.0) + * (Default: TLS 1.2) * * \note Input outside of the SSL_MAX_XXXXX_VERSION and * SSL_MIN_XXXXX_VERSION range is ignored. * - * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and - * MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) @@ -3398,21 +3395,6 @@ int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_c void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ); #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -/** - * \brief Enable / Disable 1/n-1 record splitting - * (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED) - * - * \note Only affects TLS 1.0, not higher versions. - * Does not affect non-CBC ciphersuites in any version. - * - * \param conf SSL configuration - * \param split MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED or - * MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED - */ -void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ); -#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ - #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) /** * \brief Enable / Disable session tickets (client only). diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0bb959270..3f7f68474 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1951,12 +1951,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); p += 2; - /* - * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) - * even is lower than our min version. - */ if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || - minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || + minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 || major_ver > ssl->conf->max_major_ver || minor_ver > ssl->conf->max_minor_ver ) { @@ -2843,8 +2839,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl, return( ret ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( len_bytes == 2 ) { ssl->out_msg[offset+0] = (unsigned char)( *olen >> 8 ); @@ -3238,17 +3233,6 @@ start_processing: } else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) - { - pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); - - /* Default hash for ECDSA is SHA-1 */ - if( pk_alg == MBEDTLS_PK_ECDSA && md_alg == MBEDTLS_MD_NONE ) - md_alg = MBEDTLS_MD_SHA1; - } - else -#endif { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -3285,19 +3269,7 @@ start_processing: /* * Compute the hash that has been signed */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( md_alg == MBEDTLS_MD_NONE ) - { - hashlen = 36; - ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, params, - params_len ); - if( ret != 0 ) - return( ret ); - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( md_alg != MBEDTLS_MD_NONE ) { ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, @@ -3307,8 +3279,7 @@ start_processing: return( ret ); } else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -4113,35 +4084,6 @@ sign: ssl->handshake->calc_verify( ssl, hash, &hashlen ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) - { - /* - * digitally-signed struct { - * opaque md5_hash[16]; - * opaque sha_hash[20]; - * }; - * - * md5_hash - * MD5(handshake_messages); - * - * sha_hash - * SHA(handshake_messages); - */ - md_alg = MBEDTLS_MD_NONE; - - /* - * For ECDSA, default hash is SHA-1 only - */ - if( mbedtls_pk_can_do( mbedtls_ssl_own_key( ssl ), MBEDTLS_PK_ECDSA ) ) - { - hash_start += 16; - hashlen -= 16; - md_alg = MBEDTLS_MD_SHA1; - } - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { diff --git a/library/ssl_cookie.c b/library/ssl_cookie.c index b0b2eb303..40b8913b8 100644 --- a/library/ssl_cookie.c +++ b/library/ssl_cookie.c @@ -41,8 +41,7 @@ /* * If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is - * available. Try SHA-256 first, 512 wastes resources since we need to stay - * with max 32 bytes of cookie for DTLS 1.0 + * available. Try SHA-256 first, 512 wastes resources */ #if defined(MBEDTLS_SHA224_C) #define COOKIE_MD MBEDTLS_MD_SHA224 diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 180f4d8dc..a5a12ceb2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -68,17 +68,9 @@ /* Determine minimum supported version */ #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 -#if defined(MBEDTLS_SSL_PROTO_TLS1) -#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 -#else -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) -#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 -#else #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1 */ #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 @@ -88,15 +80,6 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 -#else -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) -#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2 -#else -#if defined(MBEDTLS_SSL_PROTO_TLS1) -#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 -#else -#endif /* MBEDTLS_SSL_PROTO_TLS1 */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* Shorthand for restartable ECC */ @@ -153,11 +136,9 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM #endif -/* This macro determines whether the CBC construct used in TLS 1.0-1.2 is supported. */ +/* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) ) + defined(MBEDTLS_SSL_PROTO_TLS1_2) #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC #endif @@ -550,10 +531,6 @@ struct mbedtls_ssl_handshake_params /* * Checksum contexts */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_context fin_md5; - mbedtls_sha1_context fin_sha1; -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -1202,21 +1179,13 @@ static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t return( diff ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, - unsigned char *output, - unsigned char *data, size_t data_len ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, unsigned char *data, size_t data_len, mbedtls_md_type_t md_alg ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #ifdef __cplusplus } diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 609aa9864..540d5d1f6 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -519,9 +519,9 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, #endif /* The PRNG is used for dynamic IV generation that's used - * for CBC transformations in TLS 1.1 and TLS 1.2. */ + * for CBC transformations in TLS 1.2. */ #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ - ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) ) + defined(MBEDTLS_SSL_PROTO_TLS1_2) ) ((void) f_rng); ((void) p_rng); #endif @@ -644,8 +644,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { unsigned char mac[MBEDTLS_SSL_MAC_ADD]; @@ -835,12 +834,12 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, rec->data_len += padlen + 1; post_avail -= padlen + 1; -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * Prepend per-record IV for block cipher in TLS v1.1 and up as per + * Prepend per-record IV for block cipher in TLS v1.2 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) */ - if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) + if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) { if( f_rng == NULL ) { @@ -865,7 +864,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, transform->ivlen ); } -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " "including %" MBEDTLS_PRINTF_SIZET @@ -889,22 +888,9 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) - if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - { - /* - * Save IV in TLS1 - */ - memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv, - transform->ivlen ); - } - else -#endif - { - data -= transform->ivlen; - rec->data_offset -= transform->ivlen; - rec->data_len += transform->ivlen; - } + data -= transform->ivlen; + rec->data_offset -= transform->ivlen; + rec->data_len += transform->ivlen; #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) if( auth_done == 0 ) @@ -1381,8 +1367,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* * Check immediate ciphertext sanity */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) { /* The ciphertext is prefixed with the CBC IV. */ minlen += transform->ivlen; @@ -1487,11 +1473,11 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( MBEDTLS_ERR_SSL_INVALID_MAC ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * Initialize for prepended IV for block cipher in TLS v1.1 and up + * Initialize for prepended IV for block cipher in TLS v1.2 */ - if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) + if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) { /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */ memcpy( transform->iv_dec, data, transform->ivlen ); @@ -1500,7 +1486,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, rec->data_offset += transform->ivlen; rec->data_len -= transform->ivlen; } -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */ @@ -1519,20 +1505,6 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) - if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) - { - /* - * Save IV in TLS1, where CBC decryption of consecutive - * records is equivalent to CBC decryption of the concatenation - * of the records; in other words, IVs are maintained across - * record decryptions. - */ - memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv, - transform->ivlen ); - } -#endif - /* Safe since data_len >= minlen + maclen + 1, so after having * subtracted at most minlen and maclen up to this point, * data_len > 0 (because of data_len % ivlen == 0, it's actually @@ -1573,8 +1545,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, /* Regardless of the validity of the padding, * we have data_len >= padlen here. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* The padding check involves a series of up to 256 * consecutive memory reads at the end of the record * plaintext buffer. In order to hide the length and @@ -1609,8 +1580,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, #endif padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ /* If the padding was found to be invalid, padlen == 0 * and the subtraction is safe. If the padding was found valid, @@ -1657,8 +1627,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, ssl_extract_add_data_from_record( add_data, &add_data_len, rec, transform->minor_ver ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* * The next two sizes are the minimum and maximum values of * data_len over all padlen values. @@ -1686,8 +1655,7 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, rec->data_len, min_len, max_len, transform->maclen ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_DEBUG_ALL) MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen ); @@ -5058,10 +5026,10 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) /* For TLS 1.1 or higher, an explicit IV is added * after the record header. */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) transform_expansion += block_size; -#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ break; @@ -5201,8 +5169,7 @@ static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { if( ( ret = mbedtls_ssl_send_alert_message( ssl, @@ -5213,8 +5180,7 @@ static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl ) } } else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 73b79daf8..fb7ba975f 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3199,14 +3199,6 @@ curve_matching_done: } else #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) - { - /* B: Default hash SHA1 */ - md_alg = MBEDTLS_MD_SHA1; - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ { /* C: MD5 + SHA1 */ md_alg = MBEDTLS_MD_NONE; @@ -3217,20 +3209,7 @@ curve_matching_done: /* * 2.2: Compute the hash to be signed */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( md_alg == MBEDTLS_MD_NONE ) - { - hashlen = 36; - ret = mbedtls_ssl_get_key_exchange_md_ssl_tls( ssl, hash, - dig_signed, - dig_signed_len ); - if( ret != 0 ) - return( ret ); - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( md_alg != MBEDTLS_MD_NONE ) { ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, @@ -3241,8 +3220,7 @@ curve_matching_done: return( ret ); } else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); @@ -3556,8 +3534,7 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl, /* * Prepare to decrypt the premaster using own private RSA key */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if ( p + 2 > end ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE ); @@ -4177,22 +4154,6 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) * opaque signature<0..2^16-1>; * } DigitallySigned; */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 ) - { - md_alg = MBEDTLS_MD_NONE; - hashlen = 36; - - /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ - if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) ) - { - hash_start += 16; - hashlen -= 16; - md_alg = MBEDTLS_MD_SHA1; - } - } - else -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 170d563bd..58675dbed 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -324,122 +324,6 @@ static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing, } #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static int tls1_prf( const unsigned char *secret, size_t slen, - const char *label, - const unsigned char *random, size_t rlen, - unsigned char *dstbuf, size_t dlen ) -{ - size_t nb, hs; - size_t i, j, k; - const unsigned char *S1, *S2; - unsigned char *tmp; - size_t tmp_len = 0; - unsigned char h_i[20]; - const mbedtls_md_info_t *md_info; - mbedtls_md_context_t md_ctx; - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - mbedtls_md_init( &md_ctx ); - - tmp_len = 20 + strlen( label ) + rlen; - tmp = mbedtls_calloc( 1, tmp_len ); - if( tmp == NULL ) - { - ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; - goto exit; - } - - hs = ( slen + 1 ) / 2; - S1 = secret; - S2 = secret + slen - hs; - - nb = strlen( label ); - memcpy( tmp + 20, label, nb ); - memcpy( tmp + 20 + nb, random, rlen ); - nb += rlen; - - /* - * First compute P_md5(secret,label+random)[0..dlen] - */ - if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL ) - { - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; - goto exit; - } - - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - { - goto exit; - } - - mbedtls_md_hmac_starts( &md_ctx, S1, hs ); - mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); - mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); - - for( i = 0; i < dlen; i += 16 ) - { - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb ); - mbedtls_md_hmac_finish( &md_ctx, h_i ); - - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 ); - mbedtls_md_hmac_finish( &md_ctx, 4 + tmp ); - - k = ( i + 16 > dlen ) ? dlen % 16 : 16; - - for( j = 0; j < k; j++ ) - dstbuf[i + j] = h_i[j]; - } - - mbedtls_md_free( &md_ctx ); - - /* - * XOR out with P_sha1(secret,label+random)[0..dlen] - */ - if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL ) - { - ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; - goto exit; - } - - if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 ) - { - goto exit; - } - - mbedtls_md_hmac_starts( &md_ctx, S2, hs ); - mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb ); - mbedtls_md_hmac_finish( &md_ctx, tmp ); - - for( i = 0; i < dlen; i += 20 ) - { - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb ); - mbedtls_md_hmac_finish( &md_ctx, h_i ); - - mbedtls_md_hmac_reset ( &md_ctx ); - mbedtls_md_hmac_update( &md_ctx, tmp, 20 ); - mbedtls_md_hmac_finish( &md_ctx, tmp ); - - k = ( i + 20 > dlen ) ? dlen % 20 : 20; - - for( j = 0; j < k; j++ ) - dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] ); - } - -exit: - mbedtls_md_free( &md_ctx ); - - mbedtls_platform_zeroize( tmp, tmp_len ); - mbedtls_platform_zeroize( h_i, sizeof( h_i ) ); - - mbedtls_free( tmp ); - return( ret ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -667,15 +551,6 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen, static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t ); -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_calc_verify_tls( const mbedtls_ssl_context *, unsigned char*, size_t * ); -static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int ); -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); @@ -715,13 +590,6 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl ) #if defined(MBEDTLS_SSL_EXPORT_KEYS) static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( tls_prf == tls1_prf ) - { - return( MBEDTLS_SSL_TLS_PRF_TLS1 ); - } - else -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( tls_prf == tls_prf_sha384 ) @@ -752,12 +620,6 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, switch( prf ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - case MBEDTLS_SSL_TLS_PRF_TLS1: - tls_prf = tls1_prf; - break; -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) case MBEDTLS_SSL_TLS_PRF_SHA384: @@ -1023,14 +885,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, - transform->maclen % cipher_info->block_size; } -#if defined(MBEDTLS_SSL_PROTO_TLS1) - if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 ) - ; /* No need to adjust minlen */ - else -#endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 || - minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { transform->minlen += transform->ivlen; } @@ -1105,9 +961,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, goto end; } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { /* For HMAC-based ciphersuites, initialize the HMAC transforms. @@ -1280,7 +1135,7 @@ end: } /* - * Set appropriate PRF function and other SSL / TLS 1.0/1.1 / TLS1.2 functions + * Set appropriate PRF function and other SSL / TLS1.2 functions * * Inputs: * - SSL/TLS minor version @@ -1297,15 +1152,6 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake, (void) hash; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) - { - handshake->tls_prf = tls1_prf; - handshake->calc_verify = ssl_calc_verify_tls; - handshake->calc_finished = ssl_calc_finished_tls; - } - else -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && @@ -1546,37 +1392,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( 0 ); } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -void ssl_calc_verify_tls( const mbedtls_ssl_context *ssl, - unsigned char *hash, - size_t *hlen ) -{ - mbedtls_md5_context md5; - mbedtls_sha1_context sha1; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) ); - - mbedtls_md5_init( &md5 ); - mbedtls_sha1_init( &sha1 ); - - mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); - mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - - mbedtls_md5_finish_ret( &md5, hash ); - mbedtls_sha1_finish_ret( &sha1, hash + 16 ); - - *hlen = 36; - - MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen ); - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) ); - - mbedtls_md5_free( &md5 ); - mbedtls_sha1_free( &sha1 ); - - return; -} -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, @@ -2203,8 +2018,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) return( -1 ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) && ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && @@ -2215,8 +2029,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) } return( -1 ); -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } #endif /* MBEDTLS_SSL_SRV_C */ @@ -2651,11 +2464,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, { ((void) ciphersuite_info); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) - ssl->handshake->update_checksum = ssl_update_checksum_md5sha1; - else -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA384_C) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) @@ -2676,10 +2484,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 ); - mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -2703,10 +2507,6 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); - mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -2725,15 +2525,6 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len ) -{ - mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len ); - mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len ); -} -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, @@ -2760,65 +2551,6 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl, #endif #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -static void ssl_calc_finished_tls( - mbedtls_ssl_context *ssl, unsigned char *buf, int from ) -{ - int len = 12; - const char *sender; - mbedtls_md5_context md5; - mbedtls_sha1_context sha1; - unsigned char padbuf[36]; - - mbedtls_ssl_session *session = ssl->session_negotiate; - if( !session ) - session = ssl->session; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) ); - - mbedtls_md5_init( &md5 ); - mbedtls_sha1_init( &sha1 ); - - mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 ); - mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 ); - - /* - * TLSv1: - * hash = PRF( master, finished_label, - * MD5( handshake ) + SHA1( handshake ) )[0..11] - */ - -#if !defined(MBEDTLS_MD5_ALT) - MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *) - md5.state, sizeof( md5.state ) ); -#endif - -#if !defined(MBEDTLS_SHA1_ALT) - MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *) - sha1.state, sizeof( sha1.state ) ); -#endif - - sender = ( from == MBEDTLS_SSL_IS_CLIENT ) - ? "client finished" - : "server finished"; - - mbedtls_md5_finish_ret( &md5, padbuf ); - mbedtls_sha1_finish_ret( &sha1, padbuf + 16 ); - - ssl->handshake->tls_prf( session->master, 48, sender, - padbuf, 36, buf, len ); - - MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len ); - - mbedtls_md5_free( &md5 ); - mbedtls_sha1_free( &sha1 ); - - mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) ); - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); -} -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) static void ssl_calc_finished_tls_sha256( @@ -3249,12 +2981,6 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) { memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_init( &handshake->fin_md5 ); - mbedtls_sha1_init( &handshake->fin_sha1 ); - mbedtls_md5_starts_ret( &handshake->fin_md5 ); - mbedtls_sha1_starts_ret( &handshake->fin_sha1 ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -5583,10 +5309,6 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) - mbedtls_md5_free( &handshake->fin_md5 ); - mbedtls_sha1_free( &handshake->fin_sha1 ); -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -6985,17 +6707,6 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) switch( md ) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -#if defined(MBEDTLS_MD5_C) - case MBEDTLS_SSL_HASH_MD5: - return( -1 ); -#endif -#if defined(MBEDTLS_SHA1_C) - case MBEDTLS_SSL_HASH_SHA1: - ssl->handshake->calc_verify = ssl_calc_verify_tls; - break; -#endif -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ #if defined(MBEDTLS_SHA384_C) case MBEDTLS_SSL_HASH_SHA384: ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; @@ -7019,92 +6730,7 @@ int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md ) #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ } -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) -int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl, - unsigned char *output, - unsigned char *data, size_t data_len ) -{ - int ret = 0; - mbedtls_md5_context mbedtls_md5; - mbedtls_sha1_context mbedtls_sha1; - - mbedtls_md5_init( &mbedtls_md5 ); - mbedtls_sha1_init( &mbedtls_sha1 ); - - /* - * digitally-signed struct { - * opaque md5_hash[16]; - * opaque sha_hash[20]; - * }; - * - * md5_hash - * MD5(ClientHello.random + ServerHello.random - * + ServerParams); - * sha_hash - * SHA(ClientHello.random + ServerHello.random - * + ServerParams); - */ - if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, - ssl->handshake->randbytes, 64 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret ); - goto exit; - } - - if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, - ssl->handshake->randbytes, 64 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data, - data_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret ); - goto exit; - } - if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1, - output + 16 ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret ); - goto exit; - } - -exit: - mbedtls_md5_free( &mbedtls_md5 ); - mbedtls_sha1_free( &mbedtls_sha1 ); - - if( ret != 0 ) - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); - - return( ret ); - -} -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, @@ -7227,7 +6853,6 @@ exit: } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ - MBEDTLS_SSL_PROTO_TLS1_2 */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2ce858837..fb3cce19f 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -422,7 +422,7 @@ int main( void ) " min_version=%%s default: (library default: tls1)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ + " options: tls1_2, dtls1_2\n" \ "\n" \ " force_ciphersuite= default: all enabled\n"\ " query_config= return 0 if the specified\n" \ @@ -1098,12 +1098,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "min_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; else @@ -1111,12 +1106,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "max_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; else @@ -1133,27 +1123,11 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "force_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - } - else if( strcmp( q, "tls1_1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - } - else if( strcmp( q, "tls1_2" ) == 0 ) + if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; } - else if( strcmp( q, "dtls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; - } else if( strcmp( q, "dtls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; @@ -1375,10 +1349,10 @@ int main( int argc, char *argv[] ) if( opt.min_version < ciphersuite_info->min_minor_ver ) { opt.min_version = ciphersuite_info->min_minor_ver; - /* DTLS starts with TLS 1.1 */ + /* for DTLS 1.2 */ if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && - opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; + opt.min_version < MBEDTLS_SSL_MINOR_VERSION_3 ) + opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; } #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ff27fb8b..70421b985 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -503,7 +503,7 @@ int main( void ) " min_version=%%s default: (library default: tls1)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \ + " options: tls1, dtls1_2\n" \ "\n" \ " version_suites=a,b,c per-version ciphersuites\n" \ " in order from tls1 to tls1_2\n" \ @@ -1726,12 +1726,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "min_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; else @@ -1739,12 +1734,7 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "max_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - else if( strcmp( q, "tls1_1" ) == 0 || - strcmp( q, "dtls1" ) == 0 ) - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - else if( strcmp( q, "tls1_2" ) == 0 || + if( strcmp( q, "tls1_2" ) == 0 || strcmp( q, "dtls1_2" ) == 0 ) opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; else @@ -1761,27 +1751,11 @@ int main( int argc, char *argv[] ) } else if( strcmp( p, "force_version" ) == 0 ) { - if( strcmp( q, "tls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_1; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_1; - } - else if( strcmp( q, "tls1_1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - } - else if( strcmp( q, "tls1_2" ) == 0 ) + if( strcmp( q, "tls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; opt.max_version = MBEDTLS_SSL_MINOR_VERSION_3; } - else if( strcmp( q, "dtls1" ) == 0 ) - { - opt.min_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.max_version = MBEDTLS_SSL_MINOR_VERSION_2; - opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM; - } else if( strcmp( q, "dtls1_2" ) == 0 ) { opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; diff --git a/tests/compat.sh b/tests/compat.sh index 6a2bbb270..c57ec4fdc 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -67,7 +67,7 @@ else fi # default values for options -MODES="tls1 tls1_1 tls1_2 dtls1 dtls1_2" +MODES="tls1_2 dtls1_2" VERIFIES="NO YES" TYPES="ECDSA RSA PSK" FILTER="" @@ -162,12 +162,6 @@ is_dtls() minor_ver() { case "$1" in - tls1) - echo 1 - ;; - tls1_1|dtls1) - echo 2 - ;; tls1_2|dtls1_2) echo 3 ;; @@ -841,19 +835,9 @@ setup_arguments() { G_MODE="" case "$MODE" in - "tls1") - G_PRIO_MODE="+VERS-TLS1.0" - ;; - "tls1_1") - G_PRIO_MODE="+VERS-TLS1.1" - ;; "tls1_2") G_PRIO_MODE="+VERS-TLS1.2" ;; - "dtls1") - G_PRIO_MODE="+VERS-DTLS1.0" - G_MODE="-u" - ;; "dtls1_2") G_PRIO_MODE="+VERS-DTLS1.2" G_MODE="-u" diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 5f13b2249..93b7e1dd5 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -115,7 +115,7 @@ echo echo '################ compat.sh ################' { echo '#### compat.sh: Default versions' - sh compat.sh -m 'tls1 tls1_1 tls1_2 dtls1 dtls1_2' + sh compat.sh -m 'tls1_2 dtls1_2' echo echo '#### compat.sh: legacy (null, DES, RC4)' diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 57263a334..a79604e9f 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -31,9 +31,6 @@ my %configs = ( 'config-ccm-psk-tls1_2.h' => { 'compat' => '-m tls1_2 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', }, - 'config-mini-tls1_1.h' => { - 'compat' => '-m tls1_1 -f \'^DES-CBC3-SHA$\|^TLS-RSA-WITH-3DES-EDE-CBC-SHA$\'', #' - }, 'config-no-entropy.h' => { }, 'config-suite-b.h' => { diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 1041c87d4..13db30b44 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1402,22 +1402,6 @@ run_test "Context-specific CRT verification callback" \ -C "Use configuration-specific verification callback" \ -C "error" -# Test empty CA list in CertificateRequest in TLS 1.1 and earlier - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "CertificateRequest with empty CA list, TLS 1.1 (GnuTLS server)" \ - "$G_SRV"\ - "$P_CLI force_version=tls1_1" \ - 0 - -requires_gnutls -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 -run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ - "$G_SRV"\ - "$P_CLI force_version=tls1" \ - 0 - # Tests for SHA-1 support run_test "SHA-1 forbidden by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ @@ -2460,33 +2444,6 @@ run_test "Extended Master Secret: client disabled, server enabled" \ # Tests for FALLBACK_SCSV -run_test "Fallback SCSV: default" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: explicitly disabled" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -run_test "Fallback SCSV: enabled" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ - 1 \ - -c "adding FALLBACK_SCSV" \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" \ - -c "is a fatal alert message (msg 86)" - run_test "Fallback SCSV: enabled, max version" \ "$P_SRV debug_level=2" \ "$P_CLI debug_level=3 fallback=1" \ @@ -2496,38 +2453,6 @@ run_test "Fallback SCSV: enabled, max version" \ -S "inapropriate fallback" \ -C "is a fatal alert message (msg 86)" -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: default, openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \ - 0 \ - -C "adding FALLBACK_SCSV" \ - -C "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, openssl server" \ - "$O_SRV" \ - "$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \ - 1 \ - -c "adding FALLBACK_SCSV" \ - -c "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: disabled, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -tls1_1" \ - 0 \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -tls1_1 -fallback_scsv" \ - 1 \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" - requires_openssl_with_fallback_scsv run_test "Fallback SCSV: enabled, max version, openssl client" \ "$P_SRV debug_level=2" \ @@ -2568,37 +2493,6 @@ run_test "Encrypt then MAC, DTLS: disabled, empty application data record" \ -s "dumping 'input payload after decrypt' (0 bytes)" \ -c "0 bytes written in 1 fragments" -## ClientHello generated with -## "openssl s_client -CAfile tests/data_files/test-ca.crt -tls1_1 -connect localhost:4433 -cipher ..." -## then manually twiddling the ciphersuite list. -## The ClientHello content is spelled out below as a hex string as -## "prefix ciphersuite1 ciphersuite2 ciphersuite3 ciphersuite4 suffix". -## The expected response is an inappropriate_fallback alert. -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: beginning of list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 5600 0031 0032 0033 0100000900230000000f000101' '15030200020256'" \ - 0 \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: end of list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0031 0032 0033 5600 0100000900230000000f000101' '15030200020256'" \ - 0 \ - -s "received FALLBACK_SCSV" \ - -s "inapropriate fallback" - -## Here the expected response is a valid ServerHello prefix, up to the random. -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: not in list" \ - "$P_SRV debug_level=2" \ - "$TCP_CLIENT localhost $SRV_PORT '160301003e0100003a03022aafb94308dc22ca1086c65acc00e414384d76b61ecab37df1633b1ae1034dbe000008 0056 0031 0032 0033 0100000900230000000f000101' '16030200300200002c0302'" \ - 0 \ - -S "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - # Tests for CBC 1/n-1 record splitting run_test "CBC Record splitting: TLS 1.2, no splitting" \ @@ -2610,42 +2504,6 @@ run_test "CBC Record splitting: TLS 1.2, no splitting" \ -S "Read from client: 1 bytes read" \ -S "122 bytes read" -run_test "CBC Record splitting: TLS 1.1, no splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1_1" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting disabled" \ - "$P_SRV" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1 recsplit=0" \ - 0 \ - -s "Read from client: 123 bytes read" \ - -S "Read from client: 1 bytes read" \ - -S "122 bytes read" - -run_test "CBC Record splitting: TLS 1.0, splitting, nbio" \ - "$P_SRV nbio=2" \ - "$P_CLI nbio=2 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - request_size=123 force_version=tls1" \ - 0 \ - -S "Read from client: 123 bytes read" \ - -s "Read from client: 1 bytes read" \ - -s "122 bytes read" - # Tests for Session Tickets run_test "Session resume using tickets: basic" \ @@ -4464,52 +4322,6 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -c "signed using.*ECDSA with SHA256" \ -C "signed using.*ECDSA with SHA1" -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ - "$P_SRV crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server5-sha1.crt \ - key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -C "signed using.*ECDSA with SHA256" \ - -c "signed using.*ECDSA with SHA1" - -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ - "$P_SRV crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server5-sha1.crt \ - key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1" \ - 0 \ - -C "signed using.*ECDSA with SHA256" \ - -c "signed using.*ECDSA with SHA1" - -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ - "$P_SRV crt_file=data_files/server5.crt \ - key_file=data_files/server5.key \ - crt_file2=data_files/server6.crt \ - key_file2=data_files/server6.key" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -c "serial number.*09" \ - -c "signed using.*ECDSA with SHA256" \ - -C "signed using.*ECDSA with SHA1" - -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ - "$P_SRV crt_file=data_files/server6.crt \ - key_file=data_files/server6.key \ - crt_file2=data_files/server5.crt \ - key_file2=data_files/server5.key" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -c "serial number.*0A" \ - -c "signed using.*ECDSA with SHA256" \ - -C "signed using.*ECDSA with SHA1" - # tests for SNI requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -4970,67 +4782,6 @@ run_test "Version check: all -> 1.2" \ -s "Protocol is TLSv1.2" \ -c "Protocol is TLSv1.2" -run_test "Version check: cli max 1.1 -> 1.1" \ - "$P_SRV" \ - "$P_CLI max_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: srv max 1.1 -> 1.1" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli+srv max 1.1 -> 1.1" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI max_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli max 1.1, srv min 1.1 -> 1.1" \ - "$P_SRV min_version=tls1_1" \ - "$P_CLI max_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli min 1.1, srv max 1.1 -> 1.1" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI min_version=tls1_1" \ - 0 \ - -S "mbedtls_ssl_handshake returned" \ - -C "mbedtls_ssl_handshake returned" \ - -s "Protocol is TLSv1.1" \ - -c "Protocol is TLSv1.1" - -run_test "Version check: cli min 1.2, srv max 1.1 -> fail" \ - "$P_SRV max_version=tls1_1" \ - "$P_CLI min_version=tls1_2" \ - 1 \ - -s "mbedtls_ssl_handshake returned" \ - -c "mbedtls_ssl_handshake returned" \ - -c "SSL - Handshake protocol not within min/max boundaries" - -run_test "Version check: srv min 1.2, cli max 1.1 -> fail" \ - "$P_SRV min_version=tls1_2" \ - "$P_CLI max_version=tls1_1" \ - 1 \ - -s "mbedtls_ssl_handshake returned" \ - -c "mbedtls_ssl_handshake returned" \ - -s "SSL - Handshake protocol not within min/max boundaries" - # Tests for ALPN extension run_test "ALPN: none" \ @@ -5884,24 +5635,6 @@ run_test "ECJPAKE: working, DTLS, nolog" \ # Tests for ciphersuites per version -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1 -requires_config_enabled MBEDTLS_CAMELLIA_C -requires_config_enabled MBEDTLS_AES_C -run_test "Per-version suites: TLS 1.0" \ - "$P_SRV version_suites=TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ - "$P_CLI force_version=tls1" \ - 0 \ - -c "Ciphersuite is TLS-RSA-WITH-AES-256-CBC-SHA" - -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -requires_config_enabled MBEDTLS_CAMELLIA_C -requires_config_enabled MBEDTLS_AES_C -run_test "Per-version suites: TLS 1.1" \ - "$P_SRV version_suites=TLS-RSA-WITH-AES-256-CBC-SHA,TLS-RSA-WITH-AES-128-CBC-SHA,TLS-RSA-WITH-AES-128-GCM-SHA256" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -c "Ciphersuite is TLS-RSA-WITH-AES-128-CBC-SHA" - requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2 requires_config_enabled MBEDTLS_CAMELLIA_C requires_config_enabled MBEDTLS_AES_C @@ -5936,66 +5669,6 @@ run_test "mbedtls_ssl_get_bytes_avail: extra data" \ # Tests for small client packets -run_test "Small client packet TLS 1.0 BlockCipher" \ - "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: 1 bytes read" - -run_test "Small client packet TLS 1.0 BlockCipher, without EtM" \ - "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small client packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "Read from client: 1 bytes read" - -run_test "Small client packet TLS 1.1 BlockCipher" \ - "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: 1 bytes read" - -run_test "Small client packet TLS 1.1 BlockCipher, without EtM" \ - "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small client packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "Read from client: 1 bytes read" - run_test "Small client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -6049,40 +5722,6 @@ run_test "Small client packet TLS 1.2 AEAD shorter tag" \ # Tests for small client packets in DTLS -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small client packet DTLS 1.0" \ - "$P_SRV dtls=1 force_version=dtls1" \ - "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small client packet DTLS 1.0, without EtM" \ - "$P_SRV dtls=1 force_version=dtls1 etm=0" \ - "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small client packet DTLS 1.0, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ - "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small client packet DTLS 1.0, without EtM, truncated MAC" \ - "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ - "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ - 0 \ - -s "Read from client: 1 bytes read" - requires_config_enabled MBEDTLS_SSL_PROTO_DTLS run_test "Small client packet DTLS 1.2" \ "$P_SRV dtls=1 force_version=dtls1_2" \ @@ -6119,66 +5758,6 @@ run_test "Small client packet DTLS 1.2, without EtM, truncated MAC" \ # Tests for small server packets -run_test "Small server packet TLS 1.0 BlockCipher" \ - "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read" - -run_test "Small server packet TLS 1.0 BlockCipher, without EtM" \ - "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small server packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV response_size=1 trunc_hmac=1" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small server packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=1 trunc_hmac=1" \ - "$P_CLI force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -c "Read from server: 1 bytes read" - -run_test "Small server packet TLS 1.1 BlockCipher" \ - "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read" - -run_test "Small server packet TLS 1.1 BlockCipher, without EtM" \ - "$P_SRV response_size=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small server packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV response_size=1 trunc_hmac=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=1 trunc_hmac=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -c "Read from server: 1 bytes read" - run_test "Small server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=1" \ "$P_CLI force_version=tls1_2 \ @@ -6232,40 +5811,6 @@ run_test "Small server packet TLS 1.2 AEAD shorter tag" \ # Tests for small server packets in DTLS -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small server packet DTLS 1.0" \ - "$P_SRV dtls=1 response_size=1 force_version=dtls1" \ - "$P_CLI dtls=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -run_test "Small server packet DTLS 1.0, without EtM" \ - "$P_SRV dtls=1 response_size=1 force_version=dtls1 etm=0" \ - "$P_CLI dtls=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small server packet DTLS 1.0, truncated hmac" \ - "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1" \ - "$P_CLI dtls=1 trunc_hmac=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read" - -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small server packet DTLS 1.0, without EtM, truncated MAC" \ - "$P_SRV dtls=1 response_size=1 force_version=dtls1 trunc_hmac=1 etm=0" \ - "$P_CLI dtls=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ - 0 \ - -c "Read from server: 1 bytes read" - requires_config_enabled MBEDTLS_SSL_PROTO_DTLS run_test "Small server packet DTLS 1.2" \ "$P_SRV dtls=1 response_size=1 force_version=dtls1_2" \ @@ -6307,69 +5852,6 @@ fragments_for_write() { echo "$(( ( $1 + $MAX_OUT_LEN - 1 ) / $MAX_OUT_LEN ))" } -run_test "Large client packet TLS 1.0 BlockCipher" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.0 BlockCipher, without EtM" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.1 BlockCipher" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -run_test "Large client packet TLS 1.1 BlockCipher, without EtM" \ - "$P_SRV" \ - "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large client packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV trunc_hmac=1" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "Read from client: $MAX_CONTENT_LEN bytes read" - run_test "Large client packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -6426,69 +5908,6 @@ run_test "Large client packet TLS 1.2 AEAD shorter tag" \ -c "16384 bytes written in $(fragments_for_write 16384) fragments" \ -s "Read from client: $MAX_CONTENT_LEN bytes read" -# Checking next 3 tests logs for 1n-1 split against BEAST too -run_test "Large server packet TLS 1.0 BlockCipher" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.0 BlockCipher, without EtM" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1 etm=0 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.0 BlockCipher truncated MAC" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 1 bytes read"\ - -c "16383 bytes read"\ - -C "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 BlockCipher" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -c "Read from server: 16384 bytes read" - -run_test "Large server packet TLS 1.1 BlockCipher, without EtM" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.1 BlockCipher truncated MAC" \ - "$P_SRV response_size=16384" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ - 0 \ - -c "Read from server: 16384 bytes read" - -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large server packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV response_size=16384 trunc_hmac=1" \ - "$P_CLI force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ - 0 \ - -s "16384 bytes written in 1 fragments" \ - -c "Read from server: 16384 bytes read" - run_test "Large server packet TLS 1.2 BlockCipher" \ "$P_SRV response_size=16384" \ "$P_CLI force_version=tls1_2 \ @@ -6710,18 +6129,6 @@ run_test "SSL async private: sign, delay=2" \ -s "Async resume (slot [0-9]): call 0 more times." \ -s "Async resume (slot [0-9]): sign done, status=0" -# Test that the async callback correctly signs the 36-byte hash of TLS 1.0/1.1 -# with RSA PKCS#1v1.5 as used in TLS 1.0/1.1. -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "SSL async private: sign, RSA, TLS 1.1" \ - "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt \ - async_operations=s async_private_delay1=0 async_private_delay2=0" \ - "$P_CLI force_version=tls1_1" \ - 0 \ - -s "Async sign callback: using key slot " \ - -s "Async resume (slot [0-9]): sign done, status=0" - requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_disabled MBEDTLS_X509_REMOVE_INFO run_test "SSL async private: sign, SNI" \ @@ -7999,21 +7406,6 @@ run_test "DTLS fragmenting: gnutls server, DTLS 1.2" \ -c "fragmenting handshake message" \ -C "error" -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -requires_gnutls -run_test "DTLS fragmenting: gnutls server, DTLS 1.0" \ - "$G_SRV -u" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - # We use --insecure for the GnuTLS client because it expects # the hostname / IP it connects to to be the name used in the # certificate obtained from the server. Here, however, it @@ -8036,22 +7428,6 @@ run_test "DTLS fragmenting: gnutls client, DTLS 1.2" \ 0 \ -s "fragmenting handshake message" -# See previous test for the reason to use --insecure -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -requires_gnutls -requires_not_i686 -run_test "DTLS fragmenting: gnutls client, DTLS 1.0" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - mtu=512 force_version=dtls1" \ - "$G_CLI -u --insecure 127.0.0.1" \ - 0 \ - -s "fragmenting handshake message" - requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -8066,20 +7442,6 @@ run_test "DTLS fragmenting: openssl server, DTLS 1.2" \ -c "fragmenting handshake message" \ -C "error" -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "DTLS fragmenting: openssl server, DTLS 1.0" \ - "$O_SRV -dtls1 -verify 10" \ - "$P_CLI dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C requires_config_enabled MBEDTLS_ECDSA_C @@ -8093,19 +7455,6 @@ run_test "DTLS fragmenting: openssl client, DTLS 1.2" \ 0 \ -s "fragmenting handshake message" -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -run_test "DTLS fragmenting: openssl client, DTLS 1.0" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - mtu=512 force_version=dtls1" \ - "$O_CLI -dtls1" \ - 0 \ - -s "fragmenting handshake message" - # interop tests for DTLS fragmentating with unreliable connection # # again we just want to test that the we fragment in a way that @@ -8127,23 +7476,6 @@ run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.2" \ -c "fragmenting handshake message" \ -C "error" -requires_gnutls_next -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, gnutls server, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$G_NEXT_SRV -u" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - requires_gnutls_next requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C @@ -8160,22 +7492,6 @@ run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.2" \ 0 \ -s "fragmenting handshake message" -requires_gnutls_next -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, gnutls client, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$P_SRV dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - "$G_NEXT_CLI -u --insecure 127.0.0.1" \ - 0 \ - -s "fragmenting handshake message" - ## Interop test with OpenSSL might trigger a bug in recent versions (including ## all versions installed on the CI machines), reported here: ## Bug report: https://github.com/openssl/openssl/issues/6902 @@ -8198,23 +7514,6 @@ run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.2" \ -c "fragmenting handshake message" \ -C "error" -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, openssl server, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$O_SRV -dtls1 -verify 10" \ - "$P_CLI dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server8_int-ca2.crt \ - key_file=data_files/server8.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - 0 \ - -c "fragmenting handshake message" \ - -C "error" - skip_next_test requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_RSA_C @@ -8231,24 +7530,6 @@ run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.2" \ 0 \ -s "fragmenting handshake message" -# -nbio is added to prevent s_client from blocking in case of duplicated -# messages at the end of the handshake -skip_next_test -requires_config_enabled MBEDTLS_SSL_PROTO_DTLS -requires_config_enabled MBEDTLS_RSA_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_1 -client_needs_more_time 4 -run_test "DTLS fragmenting: 3d, openssl client, DTLS 1.0" \ - -p "$P_PXY drop=8 delay=8 duplicate=8" \ - "$P_SRV dgram_packing=0 dtls=1 debug_level=2 \ - crt_file=data_files/server7_int-ca.crt \ - key_file=data_files/server7.key \ - hs_timeout=250-60000 mtu=512 force_version=dtls1" \ - "$O_CLI -nbio -dtls1" \ - 0 \ - -s "fragmenting handshake message" - # Tests for DTLS-SRTP (RFC 5764) requires_config_enabled MBEDTLS_SSL_DTLS_SRTP run_test "DTLS-SRTP all profiles supported" \ From 28126050f2937ff69e02c35ca50ee30af6a0ad14 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 10:34:48 +0200 Subject: [PATCH 40/59] Removal of constants and functions and a new ChangeLog file Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 9 ++++++++ include/mbedtls/config.h | 12 ----------- include/mbedtls/ssl.h | 10 --------- library/ssl_msg.c | 42 ------------------------------------- library/ssl_tls.c | 15 ------------- programs/fuzz/fuzz_client.c | 3 --- programs/ssl/ssl_client2.c | 15 ------------- tests/scripts/all.sh | 18 ---------------- 8 files changed, 9 insertions(+), 115 deletions(-) create mode 100644 ChangeLog.d/issue4286.txt diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt new file mode 100644 index 000000000..3fb958563 --- /dev/null +++ b/ChangeLog.d/issue4286.txt @@ -0,0 +1,9 @@ +Removals + * Remove the following deprecated library constants + MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, + MBEDTLS_SSL_CBC_RECORD_SPLITTING, + MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED, + MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions + ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test + function component_test_variable_ssl_in_out_buffer_len_record_splitting(). + Fixes #4286. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 4905b9243..993b90ff6 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1592,18 +1592,6 @@ */ #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -/** - * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING - * - * Enable 1/n-1 record splitting for CBC mode in TLS. - * - * This is a countermeasure to the BEAST attack, which also minimizes the risk - * of interoperability issues compared to sending 0-length records. - * - * Comment this macro to disable 1/n-1 record splitting. - */ -#define MBEDTLS_SSL_CBC_RECORD_SPLITTING - /** * \def MBEDTLS_SSL_RENEGOTIATION * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 39661cbac..b5200426f 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -198,9 +198,6 @@ #define MBEDTLS_SSL_SESSION_TICKETS_DISABLED 0 #define MBEDTLS_SSL_SESSION_TICKETS_ENABLED 1 -#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED 0 -#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED 1 - #define MBEDTLS_SSL_PRESET_DEFAULT 0 #define MBEDTLS_SSL_PRESET_SUITEB 2 @@ -1192,9 +1189,6 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) unsigned int anti_replay : 1; /*!< detect and prevent replay? */ #endif -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */ -#endif #if defined(MBEDTLS_SSL_RENEGOTIATION) unsigned int disable_renegotiation : 1; /*!< disable renegotiation? */ #endif @@ -1356,10 +1350,6 @@ struct mbedtls_ssl_context uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - signed char split_done; /*!< current record already splitted? */ -#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ - /* * PKI layer */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 540d5d1f6..081a0b2b9 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -5475,44 +5475,6 @@ static int ssl_write_real( mbedtls_ssl_context *ssl, return( (int) len ); } -/* - * Write application data, doing 1/n-1 splitting if necessary. - * - * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, - * then the caller will call us again with the same arguments, so - * remember whether we already did the split or not. - */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -static int ssl_write_split( mbedtls_ssl_context *ssl, - const unsigned char *buf, size_t len ) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - if( ssl->conf->cbc_record_splitting == - MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || - len <= 1 || - ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || - mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) - != MBEDTLS_MODE_CBC ) - { - return( ssl_write_real( ssl, buf, len ) ); - } - - if( ssl->split_done == 0 ) - { - if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) - return( ret ); - ssl->split_done = 1; - } - - if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) - return( ret ); - ssl->split_done = 0; - - return( ret + 1 ); -} -#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ - /* * Write application data (public-facing wrapper) */ @@ -5542,11 +5504,7 @@ int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_ } } -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - ret = ssl_write_split( ssl, buf, len ); -#else ret = ssl_write_real( ssl, buf, len ); -#endif MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 58675dbed..771e01a2a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3307,10 +3307,6 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) ssl->out_msgtype = 0; ssl->out_msglen = 0; ssl->out_left = 0; -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ) - ssl->split_done = 0; -#endif memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) ); @@ -4202,13 +4198,6 @@ void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate ) } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split ) -{ - conf->cbc_record_splitting = split; -} -#endif - void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy ) { conf->allow_legacy_renegotiation = allow_legacy; @@ -6234,10 +6223,6 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; #endif -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; -#endif - #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) conf->f_cookie_write = ssl_cookie_write_dummy; conf->f_cookie_check = ssl_cookie_check_dummy; diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 618eda265..a6371736b 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -109,9 +109,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED); #endif -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ); -#endif #if defined(MBEDTLS_SSL_RENEGOTIATION) mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED ); #endif diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index fb3cce19f..a643900b9 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -248,13 +248,6 @@ int main( void ) #define USAGE_MAX_FRAG_LEN "" #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) -#define USAGE_RECSPLIT \ - " recsplit=0/1 default: (library default: on)\n" -#else -#define USAGE_RECSPLIT -#endif - #if defined(MBEDTLS_DHM_C) #define USAGE_DHMLEN \ " dhmlen=%%d default: (library default: 1024 bits)\n" @@ -414,7 +407,6 @@ int main( void ) USAGE_ETM \ USAGE_REPRODUCIBLE \ USAGE_CURVES \ - USAGE_RECSPLIT \ USAGE_DHMLEN \ "\n" #define USAGE4 \ @@ -1780,13 +1772,6 @@ int main( int argc, char *argv[] ) #endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_EXPORT_KEYS */ -#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - if( opt.recsplit != DFL_RECSPLIT ) - mbedtls_ssl_conf_cbc_record_splitting( &conf, opt.recsplit - ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED - : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ); -#endif - #if defined(MBEDTLS_DHM_C) if( opt.dhmlen != DFL_DHMLEN ) mbedtls_ssl_conf_dhm_min_bitlen( &conf, opt.dhmlen ); diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1653ad8b3..ef2b6363b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2043,24 +2043,6 @@ component_test_variable_ssl_in_out_buffer_len_CID () { if_build_succeeded tests/compat.sh } -component_test_variable_ssl_in_out_buffer_len_record_splitting () { - msg "build: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - scripts/config.py set MBEDTLS_SSL_CBC_RECORD_SPLITTING - - CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled" - if_build_succeeded tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH and MBEDTLS_SSL_CBC_RECORD_SPLITTING enabled" - if_build_succeeded tests/compat.sh -} - component_test_ssl_alloc_buffer_and_mfl () { msg "build: default config with memory buffer allocator and MFL extension" scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C From 55bd84bebc9b038b30eb807c3f55d335a1003ec4 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 11:40:46 +0200 Subject: [PATCH 41/59] Correction to the ssl client/server usage comment. Signed-off-by: TRodziewicz --- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index a643900b9..3de9665f5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -411,7 +411,7 @@ int main( void ) "\n" #define USAGE4 \ " allow_sha1=%%d default: 0\n" \ - " min_version=%%s default: (library default: tls1)\n" \ + " min_version=%%s default: (library default: tls1_2)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ " options: tls1_2, dtls1_2\n" \ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 70421b985..2cf2d73be 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -500,10 +500,10 @@ int main( void ) USAGE_SSL_ASYNC \ USAGE_SNI \ " allow_sha1=%%d default: 0\n" \ - " min_version=%%s default: (library default: tls1)\n" \ + " min_version=%%s default: (library default: tls1_2)\n" \ " max_version=%%s default: (library default: tls1_2)\n" \ " force_version=%%s default: \"\" (none)\n" \ - " options: tls1, dtls1_2\n" \ + " options: tls1_2, dtls1_2\n" \ "\n" \ " version_suites=a,b,c per-version ciphersuites\n" \ " in order from tls1 to tls1_2\n" \ From ef73f01927d755066c995f265d7643af55b5d3fa Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 14:53:36 +0200 Subject: [PATCH 42/59] Removing strayed dtls1 after doing tests Signed-off-by: TRodziewicz --- library/ssl_msg.c | 2 +- library/ssl_tls.c | 4 +- tests/ssl-opt.sh | 255 ---------------------------------------------- 3 files changed, 3 insertions(+), 258 deletions(-) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 081a0b2b9..8c9caa9ef 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4811,7 +4811,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) static size_t ssl_transform_get_explicit_iv_len( mbedtls_ssl_transform const *transform ) { - if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) + if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ) return( 0 ); return( transform->ivlen - transform->fixed_ivlen ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 771e01a2a..2fcd99d5e 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3579,7 +3579,7 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf, if( major != MBEDTLS_SSL_MAJOR_VERSION_3 ) return; - if( minor < MBEDTLS_SSL_MINOR_VERSION_1 || minor > MBEDTLS_SSL_MINOR_VERSION_3 ) + if( minor != MBEDTLS_SSL_MINOR_VERSION_3 ) return; set_protocol_version_ciphersuites(conf, minor, ciphersuites); @@ -6315,7 +6315,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_PROTO_DTLS) if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) - conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2; + conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; #endif const int* default_ciphersuites = mbedtls_ssl_list_ciphersuites(); set_protocol_version_ciphersuites(conf, MBEDTLS_SSL_MINOR_VERSION_1, diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 13db30b44..f107938c8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2641,27 +2641,6 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -run_test "Session resume using tickets, DTLS: openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ - 0 \ - -c "client hello, adding session ticket extension" \ - -c "found session_ticket extension" \ - -c "parse new session ticket" \ - -c "a session has been resumed" - -run_test "Session resume using tickets, DTLS: openssl client" \ - "$P_SRV dtls=1 debug_level=3 tickets=1" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -s "server hello, adding session ticket extension" \ - -S "session successfully restored from cache" \ - -s "session successfully restored from ticket" \ - -s "a session has been resumed" - # Tests for Session Resume based on session-ID and cache run_test "Session resume using cache: tickets enabled on client" \ @@ -2850,26 +2829,6 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" -run_test "Session resume using cache, DTLS: openssl client" \ - "$P_SRV dtls=1 debug_level=3 tickets=0" \ - "( $O_CLI -dtls1 -sess_out $SESSION; \ - $O_CLI -dtls1 -sess_in $SESSION; \ - rm -f $SESSION )" \ - 0 \ - -s "found session ticket extension" \ - -S "server hello, adding session ticket extension" \ - -s "session successfully restored from cache" \ - -S "session successfully restored from ticket" \ - -s "a session has been resumed" - -run_test "Session resume using cache, DTLS: openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ - 0 \ - -C "found session_ticket extension" \ - -C "parse new session ticket" \ - -c "a session has been resumed" - # Tests for Max Fragment Length extension if [ "$MAX_IN_LEN" -lt "4096" ]; then @@ -6683,34 +6642,6 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -C "error" \ -s "Extra-header:" -run_test "DTLS reassembly: no fragmentation (openssl server)" \ - "$O_SRV -dtls1 -mtu 2048" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -C "found fragmented DTLS handshake message" \ - -C "error" - -run_test "DTLS reassembly: some fragmentation (openssl server)" \ - "$O_SRV -dtls1 -mtu 768" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -run_test "DTLS reassembly: more fragmentation (openssl server)" \ - "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 debug_level=2" \ - 0 \ - -c "found fragmented DTLS handshake message" \ - -C "error" - -run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ - "$O_SRV -dtls1 -mtu 256" \ - "$P_CLI dtls=1 nbio=2 debug_level=2" \ - 0 \ - -c "found fragmented DTLS handshake message" \ - -C "error" - # Tests for sending fragmented handshake messages with DTLS # # Use client auth when we need the client to send large messages, @@ -7681,192 +7612,6 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \ -C "dumping 'received mki' (8 bytes)" \ -C "error" -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP all profiles supported. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -s "selected srtp profile" \ - -s "server hello, adding use_srtp extension" \ - -s "DTLS-SRTP key material is"\ - -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ - -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server and Client support only one different profile. openssl client." \ - "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -s "found srtp profile" \ - -S "selected srtp profile" \ - -S "server hello, adding use_srtp extension" \ - -S "DTLS-SRTP key material is"\ - -C "SRTP Extension negotiated, profile" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \ - "$P_SRV dtls=1 debug_level=3" \ - "$O_CLI -dtls1 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - 0 \ - -s "found use_srtp extension" \ - -S "server hello, adding use_srtp extension" \ - -S "DTLS-SRTP key material is"\ - -C "SRTP Extension negotiated, profile" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP all profiles supported. openssl server" \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile" \ - -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \ - -c "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile" \ - -c "selected srtp profile" \ - -c "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ - -c "selected srtp profile" \ - -c "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ - -c "selected srtp profile" \ - -c "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ - -c "selected srtp profile" \ - -c "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -C "found use_srtp extension" \ - -C "found srtp profile" \ - -C "selected srtp profile" \ - -C "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \ - "$O_SRV -dtls1" \ - "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -C "found use_srtp extension" \ - -C "found srtp profile" \ - -C "selected srtp profile" \ - -C "DTLS-SRTP key material is"\ - -C "error" - -requires_config_enabled MBEDTLS_SSL_DTLS_SRTP -run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \ - "$O_SRV -dtls1 -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ - "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ - 0 \ - -c "client hello, adding use_srtp extension" \ - -c "found use_srtp extension" \ - -c "found srtp profile" \ - -c "selected srtp profile" \ - -c "DTLS-SRTP key material is"\ - -c "DTLS-SRTP no mki value negotiated"\ - -c "dumping 'sending mki' (8 bytes)" \ - -C "dumping 'received mki' (8 bytes)" \ - -C "error" - requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls run_test "DTLS-SRTP all profiles supported. gnutls client." \ From b5850c52166351c43eb65bc71266c6c6984dd992 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 17:11:23 +0200 Subject: [PATCH 43/59] Correction of too restrictive ssl cli minor check Signed-off-by: TRodziewicz --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 3f7f68474..b0285d7ab 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1952,7 +1952,7 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) p += 2; if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || - minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 || + minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || major_ver > ssl->conf->max_major_ver || minor_ver > ssl->conf->max_minor_ver ) { From 2d8800e2278bcf7a39a14a88bc7a36724ad26f79 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 19:14:19 +0200 Subject: [PATCH 44/59] Small corrections in the comments Signed-off-by: TRodziewicz --- library/ssl_cli.c | 4 ++++ library/ssl_msg.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index b0285d7ab..81c0d6b08 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1951,6 +1951,10 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl ) mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, p ); p += 2; + /* + * Since the RFC is not clear on this point, accept DTLS 1.0 (TLS 1.1) + * even is lower than our min version. + */ if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 || minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 || major_ver > ssl->conf->max_major_ver || diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 8c9caa9ef..9896ad014 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -836,7 +836,7 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* - * Prepend per-record IV for block cipher in TLS v1.2 + * Prepend per-record IV for block cipher in TLS v1.2 as per * Method 1 (6.2.3.2. in RFC4346 and RFC5246) */ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) From 6370dbeb1dd1c8d9278025388cc9acb810accff2 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 22:56:31 +0200 Subject: [PATCH 45/59] Remove the _SSL_FALLBACK_ parts Signed-off-by: TRodziewicz --- include/mbedtls/config.h | 18 --------- include/mbedtls/ssl.h | 78 -------------------------------------- library/ssl_cli.c | 13 ------- library/ssl_msg.c | 64 ------------------------------- library/ssl_srv.c | 23 ----------- library/ssl_tls.c | 7 ---- programs/ssl/ssl_client2.c | 22 ----------- tests/compat.sh | 2 +- 8 files changed, 1 insertion(+), 226 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 993b90ff6..715c73ada 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1552,24 +1552,6 @@ */ #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET -/** - * \def MBEDTLS_SSL_FALLBACK_SCSV - * - * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV) - * for Preventing Protocol Downgrade Attacks. - * - * For servers, it is recommended to always enable this, unless you support - * only one version of TLS, or know for sure that none of your clients - * implements a fallback strategy. - * - * For clients, you only need this if you're using a fallback strategy, which - * is not recommended in the first place, unless you absolutely need it to - * interoperate with buggy (version-intolerant) servers. - * - * Comment this macro to disable support for FALLBACK_SCSV - */ -#define MBEDTLS_SSL_FALLBACK_SCSV - /** * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b5200426f..8e6c1ee13 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -156,9 +156,6 @@ #define MBEDTLS_SSL_IS_CLIENT 0 #define MBEDTLS_SSL_IS_SERVER 1 -#define MBEDTLS_SSL_IS_NOT_FALLBACK 0 -#define MBEDTLS_SSL_IS_FALLBACK 1 - #define MBEDTLS_SSL_EXTENDED_MS_DISABLED 0 #define MBEDTLS_SSL_EXTENDED_MS_ENABLED 1 @@ -279,7 +276,6 @@ * Signaling ciphersuite values (SCSV) */ #define MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO 0xFF /**< renegotiation info ext */ -#define MBEDTLS_SSL_FALLBACK_SCSV_VALUE 0x5600 /**< RFC 7507 section 2 */ /* * Supported Signature and Hash algorithms (For TLS 1.2) @@ -1198,9 +1194,6 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_SSL_SESSION_TICKETS) unsigned int session_tickets : 1; /*!< use session tickets? */ #endif -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) - unsigned int fallback : 1; /*!< is this a fallback? */ -#endif #if defined(MBEDTLS_SSL_SRV_C) unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in Certificate Request messages? */ @@ -1832,54 +1825,6 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, */ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); -/** - * \brief Check whether a buffer contains a valid and authentic record - * that has not been seen before. (DTLS only). - * - * This function does not change the user-visible state - * of the SSL context. Its sole purpose is to provide - * an indication of the legitimacy of an incoming record. - * - * This can be useful e.g. in distributed server environments - * using the DTLS Connection ID feature, in which connections - * might need to be passed between service instances on a change - * of peer address, but where such disruptive operations should - * only happen after the validity of incoming records has been - * confirmed. - * - * \param ssl The SSL context to use. - * \param buf The address of the buffer holding the record to be checked. - * This must be a read/write buffer of length \p buflen Bytes. - * \param buflen The length of \p buf in Bytes. - * - * \note This routine only checks whether the provided buffer begins - * with a valid and authentic record that has not been seen - * before, but does not check potential data following the - * initial record. In particular, it is possible to pass DTLS - * datagrams containing multiple records, in which case only - * the first record is checked. - * - * \note This function modifies the input buffer \p buf. If you need - * to preserve the original record, you have to maintain a copy. - * - * \return \c 0 if the record is valid and authentic and has not been - * seen before. - * \return MBEDTLS_ERR_SSL_INVALID_MAC if the check completed - * successfully but the record was found to be not authentic. - * \return MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed - * successfully but the record was found to be invalid for - * a reason different from authenticity checking. - * \return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed - * successfully but the record was found to be unexpected - * in the state of the SSL context, including replayed records. - * \return Another negative error code on different kinds of failure. - * In this case, the SSL context becomes unusable and needs - * to be freed or reset before reuse. - */ -int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, - unsigned char *buf, - size_t buflen ); - /** * \brief Set the timer callbacks (Mandatory for DTLS.) * @@ -3268,29 +3213,6 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino */ void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor ); -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) -/** - * \brief Set the fallback flag (client-side only). - * (Default: MBEDTLS_SSL_IS_NOT_FALLBACK). - * - * \note Set to MBEDTLS_SSL_IS_FALLBACK when preparing a fallback - * connection, that is a connection with max_version set to a - * lower value than the value you're willing to use. Such - * fallback connections are not recommended but are sometimes - * necessary to interoperate with buggy (version-intolerant) - * servers. - * - * \warning You should NOT set this to MBEDTLS_SSL_IS_FALLBACK for - * non-fallback connections! This would appear to work for a - * while, then cause failures when the server is upgraded to - * support a newer TLS version. - * - * \param conf SSL configuration - * \param fallback MBEDTLS_SSL_IS_NOT_FALLBACK or MBEDTLS_SSL_IS_FALLBACK - */ -void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ); -#endif /* MBEDTLS_SSL_FALLBACK_SCSV && MBEDTLS_SSL_CLI_C */ - #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) /** * \brief Enable or disable Encrypt-then-MAC diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 81c0d6b08..6cf283e1d 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -1206,19 +1206,6 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) n++; } - /* Some versions of OpenSSL don't handle it correctly if not at end */ -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) - if( ssl->conf->fallback == MBEDTLS_SSL_IS_FALLBACK ) - { - MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding FALLBACK_SCSV" ) ); - - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ); - *p++ = (unsigned char)( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ); - n++; - } -#endif - *q++ = (unsigned char)( n >> 7 ); *q++ = (unsigned char)( n << 1 ); diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 9896ad014..b629d79cb 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -86,70 +86,6 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) return( 0 ); } -static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, - unsigned char *buf, - size_t len, - mbedtls_record *rec ); - -int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, - unsigned char *buf, - size_t buflen ) -{ - int ret = 0; - MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); - - /* We don't support record checking in TLS because - * (a) there doesn't seem to be a usecase for it, and - * (b) In TLS 1.0, CBC record decryption has state - * and we'd need to backup the transform here. - */ - if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) - { - ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; - goto exit; - } -#if defined(MBEDTLS_SSL_PROTO_DTLS) - else - { - mbedtls_record rec; - - ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); - goto exit; - } - - if( ssl->transform_in != NULL ) - { - ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); - goto exit; - } - } - } -#endif /* MBEDTLS_SSL_PROTO_DTLS */ - -exit: - /* On success, we have decrypted the buffer in-place, so make - * sure we don't leak any plaintext data. */ - mbedtls_platform_zeroize( buf, buflen ); - - /* For the purpose of this API, treat messages with unexpected CID - * as well as such from future epochs as unexpected. */ - if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || - ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) - { - ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; - } - - MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); - return( ret ); -} - #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 diff --git a/library/ssl_srv.c b/library/ssl_srv.c index fb7ba975f..e2b2757d6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1781,29 +1781,6 @@ read_record_header: ext += 4 + ext_size; } -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) - for( i = 0, p = buf + ciph_offset + 2; i < ciph_len; i += 2, p += 2 ) - { - if( p[0] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE >> 8 ) & 0xff ) && - p[1] == (unsigned char)( ( MBEDTLS_SSL_FALLBACK_SCSV_VALUE ) & 0xff ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) ); - - if( ssl->minor_ver < ssl->conf->max_minor_ver ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) ); - - mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_INAPROPRIATE_FALLBACK ); - - return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); - } - - break; - } - } -#endif /* MBEDTLS_SSL_FALLBACK_SCSV */ - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2fcd99d5e..edb41efec 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4147,13 +4147,6 @@ void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int mino conf->min_minor_ver = minor; } -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) -void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback ) -{ - conf->fallback = fallback; -} -#endif - #if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf, char cert_req_ca_list ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 3de9665f5..af86838e9 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -287,13 +287,6 @@ int main( void ) #define USAGE_DTLS "" #endif -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) -#define USAGE_FALLBACK \ - " fallback=0/1 default: (library default: off)\n" -#else -#define USAGE_FALLBACK "" -#endif - #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) #define USAGE_EMS \ " extended_ms=0/1 default: (library default: on)\n" @@ -402,7 +395,6 @@ int main( void ) USAGE_TRUNC_HMAC \ USAGE_CONTEXT_CRT_CB \ USAGE_ALPN \ - USAGE_FALLBACK \ USAGE_EMS \ USAGE_ETM \ USAGE_REPRODUCIBLE \ @@ -1055,15 +1047,6 @@ int main( int argc, char *argv[] ) { opt.alpn_string = q; } - else if( strcmp( p, "fallback" ) == 0 ) - { - switch( atoi( q ) ) - { - case 0: opt.fallback = MBEDTLS_SSL_IS_NOT_FALLBACK; break; - case 1: opt.fallback = MBEDTLS_SSL_IS_FALLBACK; break; - default: goto usage; - } - } else if( strcmp( p, "extended_ms" ) == 0 ) { switch( atoi( q ) ) @@ -1894,11 +1877,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version ); -#if defined(MBEDTLS_SSL_FALLBACK_SCSV) - if( opt.fallback != DFL_FALLBACK ) - mbedtls_ssl_conf_fallback( &conf, opt.fallback ); -#endif - if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned -0x%x\n\n", diff --git a/tests/compat.sh b/tests/compat.sh index c57ec4fdc..6c1e0d4da 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -155,7 +155,7 @@ log() { # is_dtls is_dtls() { - test "$1" = "dtls1" -o "$1" = "dtls1_2" + test "$1" = "dtls1_2" } # minor_ver From 97e41723fa876eba6445efffe2e57488e7a8ddb4 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 13 May 2021 23:20:17 +0200 Subject: [PATCH 46/59] Remove the _SSL_FALLBACK_ tests Signed-off-by: TRodziewicz --- tests/ssl-opt.sh | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f107938c8..59cb834ba 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2442,25 +2442,6 @@ run_test "Extended Master Secret: client disabled, server enabled" \ -C "session hash for extended master secret" \ -S "session hash for extended master secret" -# Tests for FALLBACK_SCSV - -run_test "Fallback SCSV: enabled, max version" \ - "$P_SRV debug_level=2" \ - "$P_CLI debug_level=3 fallback=1" \ - 0 \ - -c "adding FALLBACK_SCSV" \ - -s "received FALLBACK_SCSV" \ - -S "inapropriate fallback" \ - -C "is a fatal alert message (msg 86)" - -requires_openssl_with_fallback_scsv -run_test "Fallback SCSV: enabled, max version, openssl client" \ - "$P_SRV debug_level=2" \ - "$O_CLI -fallback_scsv" \ - 0 \ - -s "received FALLBACK_SCSV" \ - -S "inapropriate fallback" - # Test sending and receiving empty application data records run_test "Encrypt then MAC: empty application data record" \ From d807060e0a2528547c278ed9cea9e184e52c5b0d Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Fri, 14 May 2021 11:09:44 +0200 Subject: [PATCH 47/59] Addition of migration guide and corrections to the ChangeLog file Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 15 ++++++++++----- ...remove_support_for_tls_1.0_1.1_and_dtls_1.0.md | 11 +++++++++++ 2 files changed, 21 insertions(+), 5 deletions(-) create mode 100644 docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index 3fb958563..f2f2be218 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -1,9 +1,14 @@ Removals - * Remove the following deprecated library constants - MBEDTLS_SSL_PROTO_TLS1, MBEDTLS_SSL_PROTO_TLS1_1, - MBEDTLS_SSL_CBC_RECORD_SPLITTING, + * Remove the TLS 1.0, TLS 1.1 and DTLS 1.0 support by removing the following + deprecated library constants: MBEDTLS_SSL_PROTO_TLS1, + MBEDTLS_SSL_PROTO_TLS1_1, MBEDTLS_SSL_CBC_RECORD_SPLITTING, MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED, - MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED and functions - ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting() as well as test + MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING, + MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, + MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: + ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(), + ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(), + mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(), + ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test function component_test_variable_ssl_in_out_buffer_len_record_splitting(). Fixes #4286. diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md new file mode 100644 index 000000000..899f79aa0 --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md @@ -0,0 +1,11 @@ +Remove suport for TLS 1.0, 1.1 and DLTS 1.0 +------------------------------------------- + +This change affects users of the TLS 1.0, 1.1 and DTLS 1.0. + +The versions of (D)TLS that are being removed are not as secure as the latest +versions. Keeping them in the library creates opportunities for misconfiguration +and possibly downgrade attacks. More generally, more code means a larger attack +surface, even if the code is supposedly not used. + +The migration path is to adopt the latest versions of the protocol. From 4ca18aae38a307a0c88262db74715c9c07f953b5 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Thu, 20 May 2021 14:46:20 +0200 Subject: [PATCH 48/59] Corrections after the code review Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 9 +- ...ve_support_for_tls_1.0_1.1_and_dtls_1.0.md | 4 +- include/mbedtls/ssl.h | 7 +- library/ssl_misc.h | 12 +- library/ssl_msg.c | 66 ++++- library/ssl_srv.c | 15 +- library/ssl_tls.c | 2 +- programs/ssl/ssl_client2.c | 2 +- tests/ssl-opt.sh | 255 ++++++++++++++++++ 9 files changed, 339 insertions(+), 33 deletions(-) diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index f2f2be218..8fc1af266 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -6,9 +6,6 @@ Removals MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED, MBEDTLS_SSL_RECORD_CHECKING, MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: - ssl_write_split(), mbedtls_ssl_conf_cbc_record_splitting(), tls1_prf(), - ssl_update_checksum_md5sha1(), mbedtls_ssl_get_key_exchange_md_ssl_tls(), - mbedtls_ssl_check_record(), ssl_check_record(), ssl_calc_verify_tls(), - ssl_calc_finished_tls(), mbedtls_ssl_conf_fallback() as well as test - function component_test_variable_ssl_in_out_buffer_len_record_splitting(). - Fixes #4286. + mbedtls_ssl_conf_cbc_record_splitting(), + mbedtls_ssl_get_key_exchange_md_ssl_tls(), + mbedtls_ssl_check_record(), mbedtls_ssl_conf_fallback(). Fixes #4286. diff --git a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md index 899f79aa0..4beebe240 100644 --- a/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md +++ b/docs/3.0-migration-guide.d/remove_support_for_tls_1.0_1.1_and_dtls_1.0.md @@ -1,7 +1,7 @@ -Remove suport for TLS 1.0, 1.1 and DLTS 1.0 +Remove suport for TLS 1.0, 1.1 and DTLS 1.0 ------------------------------------------- -This change affects users of the TLS 1.0, 1.1 and DTLS 1.0. +This change affects users of the TLS 1.0, 1.1 and DTLS 1.0 protocols. The versions of (D)TLS that are being removed are not as secure as the latest versions. Keeping them in the library creates opportunities for misconfiguration diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 8e6c1ee13..66cbd48e1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -2533,9 +2533,8 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len, * \param ciphersuites 0-terminated list of allowed ciphersuites * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 * supported) - * \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_1, - * MBEDTLS_SSL_MINOR_VERSION_2, - * MBEDTLS_SSL_MINOR_VERSION_3 supported) + * \param minor Minor version number (only MBEDTLS_SSL_MINOR_VERSION_3 + * supported) * * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 */ @@ -3203,7 +3202,7 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino * \note Input outside of the SSL_MAX_XXXXX_VERSION and * SSL_MIN_XXXXX_VERSION range is ignored. * - * \note With DTLS, MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 + * \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2 * * \param conf SSL configuration * \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a5a12ceb2..1f1de2bfd 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -72,7 +72,7 @@ #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ -#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1 +#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 /* Determine maximum supported version */ @@ -113,13 +113,7 @@ * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). */ -#if defined(MBEDTLS_SSL_PROTO_TLS1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ - defined(MBEDTLS_SSL_PROTO_TLS1_2) -#define MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) /* This macro determines whether CBC is supported. */ #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ @@ -147,7 +141,7 @@ #define MBEDTLS_SSL_SOME_SUITES_USE_MAC #endif -#endif /* MBEDTLS_SSL_PROTO_TLS1_2_OR_EARLIER */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /* Ciphersuites using HMAC */ diff --git a/library/ssl_msg.c b/library/ssl_msg.c index b629d79cb..a75b9190b 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -86,6 +86,70 @@ int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) return( 0 ); } +static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, + unsigned char *buf, + size_t len, + mbedtls_record *rec ); + +int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, + unsigned char *buf, + size_t buflen ) +{ + int ret = 0; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); + MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); + + /* We don't support record checking in TLS because + * (a) there doesn't seem to be a usecase for it, and + * (b) In TLS 1.0, CBC record decryption has state + * and we'd need to backup the transform here. + */ + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) + { + ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; + goto exit; + } +#if defined(MBEDTLS_SSL_PROTO_DTLS) + else + { + mbedtls_record rec; + + ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); + goto exit; + } + + if( ssl->transform_in != NULL ) + { + ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); + if( ret != 0 ) + { + MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); + goto exit; + } + } + } +#endif /* MBEDTLS_SSL_PROTO_DTLS */ + +exit: + /* On success, we have decrypted the buffer in-place, so make + * sure we don't leak any plaintext data. */ + mbedtls_platform_zeroize( buf, buflen ); + + /* For the purpose of this API, treat messages with unexpected CID + * as well as such from future epochs as unexpected. */ + if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || + ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) + { + ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; + } + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); + return( ret ); +} + #define SSL_DONT_FORCE_FLUSH 0 #define SSL_FORCE_FLUSH 1 @@ -4960,7 +5024,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) * more than the block size of the underlying cipher. */ transform_expansion += block_size; - /* For TLS 1.1 or higher, an explicit IV is added + /* For TLS 1.2 or higher, an explicit IV is added * after the record header. */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_3 ) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e2b2757d6..8f13a2cec 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -3148,11 +3148,8 @@ curve_matching_done: /* * 2.1: Choose hash algorithm: - * A: For TLS 1.2, obey signature-hash-algorithm extension - * to choose appropriate hash. - * B: For TLS1.0, TLS1.1 and ECDHE_ECDSA, use SHA1 - * (RFC 4492, Sec. 5.4) - * C: Otherwise, use MD5 + SHA1 (RFC 4346, Sec. 7.4.3) + * For TLS 1.2, obey signature-hash-algorithm extension + * to choose appropriate hash. */ mbedtls_md_type_t md_alg; @@ -3162,7 +3159,7 @@ curve_matching_done: mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { - /* A: For TLS 1.2, obey signature-hash-algorithm extension + /* For TLS 1.2, obey signature-hash-algorithm extension * (RFC 5246, Sec. 7.4.1.4.1). */ if( sig_alg == MBEDTLS_PK_NONE || ( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs, @@ -3175,11 +3172,11 @@ curve_matching_done: } } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ { - /* C: MD5 + SHA1 */ - md_alg = MBEDTLS_MD_NONE; + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %u for signing", (unsigned) md_alg ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index edb41efec..e60c0726f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -961,7 +961,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, goto end; } -#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index af86838e9..12b4bdf7e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1324,7 +1324,7 @@ int main( int argc, char *argv[] ) if( opt.min_version < ciphersuite_info->min_minor_ver ) { opt.min_version = ciphersuite_info->min_minor_ver; - /* for DTLS 1.2 */ + /* DTLS starts with TLS 1.2 */ if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && opt.min_version < MBEDTLS_SSL_MINOR_VERSION_3 ) opt.min_version = MBEDTLS_SSL_MINOR_VERSION_3; diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 59cb834ba..1d49dc5cb 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2622,6 +2622,27 @@ run_test "Session resume using tickets, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +run_test "Session resume using tickets, DTLS: openssl server" \ + "$O_SRV -dtls" \ + "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \ + 0 \ + -c "client hello, adding session ticket extension" \ + -c "found session_ticket extension" \ + -c "parse new session ticket" \ + -c "a session has been resumed" + +run_test "Session resume using tickets, DTLS: openssl client" \ + "$P_SRV dtls=1 debug_level=3 tickets=1" \ + "( $O_CLI -dtls -sess_out $SESSION; \ + $O_CLI -dtls -sess_in $SESSION; \ + rm -f $SESSION )" \ + 0 \ + -s "found session ticket extension" \ + -s "server hello, adding session ticket extension" \ + -S "session successfully restored from cache" \ + -s "session successfully restored from ticket" \ + -s "a session has been resumed" + # Tests for Session Resume based on session-ID and cache run_test "Session resume using cache: tickets enabled on client" \ @@ -2810,6 +2831,26 @@ run_test "Session resume using cache, DTLS: session copy" \ -s "a session has been resumed" \ -c "a session has been resumed" +run_test "Session resume using cache, DTLS: openssl client" \ + "$P_SRV dtls=1 debug_level=3 tickets=0" \ + "( $O_CLI -dtls -sess_out $SESSION; \ + $O_CLI -dtls -sess_in $SESSION; \ + rm -f $SESSION )" \ + 0 \ + -s "found session ticket extension" \ + -S "server hello, adding session ticket extension" \ + -s "session successfully restored from cache" \ + -S "session successfully restored from ticket" \ + -s "a session has been resumed" + +run_test "Session resume using cache, DTLS: openssl server" \ + "$O_SRV -dtls" \ + "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \ + 0 \ + -C "found session_ticket extension" \ + -C "parse new session ticket" \ + -c "a session has been resumed" + # Tests for Max Fragment Length extension if [ "$MAX_IN_LEN" -lt "4096" ]; then @@ -6623,6 +6664,34 @@ run_test "DTLS reassembly: fragmentation, nbio, renego (gnutls server)" \ -C "error" \ -s "Extra-header:" +run_test "DTLS reassembly: no fragmentation (openssl server)" \ + "$O_SRV -dtls -mtu 2048" \ + "$P_CLI dtls=1 debug_level=2" \ + 0 \ + -C "found fragmented DTLS handshake message" \ + -C "error" + +run_test "DTLS reassembly: some fragmentation (openssl server)" \ + "$O_SRV -dtls -mtu 768" \ + "$P_CLI dtls=1 debug_level=2" \ + 0 \ + -c "found fragmented DTLS handshake message" \ + -C "error" + +run_test "DTLS reassembly: more fragmentation (openssl server)" \ + "$O_SRV -dtls -mtu 256" \ + "$P_CLI dtls=1 debug_level=2" \ + 0 \ + -c "found fragmented DTLS handshake message" \ + -C "error" + +run_test "DTLS reassembly: fragmentation, nbio (openssl server)" \ + "$O_SRV -dtls -mtu 256" \ + "$P_CLI dtls=1 nbio=2 debug_level=2" \ + 0 \ + -c "found fragmented DTLS handshake message" \ + -C "error" + # Tests for sending fragmented handshake messages with DTLS # # Use client auth when we need the client to send large messages, @@ -7593,6 +7662,192 @@ run_test "DTLS-SRTP all profiles supported. server doesn't support mki." \ -C "dumping 'received mki' (8 bytes)" \ -C "error" +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_80" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one matching profile. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -s "selected srtp profile" \ + -s "server hello, adding use_srtp extension" \ + -s "DTLS-SRTP key material is"\ + -g "find_in_both '^ *Keying material: [0-9A-F]*$'"\ + -c "SRTP Extension negotiated, profile=SRTP_AES128_CM_SHA1_32" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one different profile. openssl client." \ + "$P_SRV dtls=1 use_srtp=1 srtp_force_profile=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -s "found srtp profile" \ + -S "selected srtp profile" \ + -S "server hello, adding use_srtp extension" \ + -S "DTLS-SRTP key material is"\ + -C "SRTP Extension negotiated, profile" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl client" \ + "$P_SRV dtls=1 debug_level=3" \ + "$O_CLI -dtls -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + 0 \ + -s "found use_srtp extension" \ + -S "server hello, adding use_srtp extension" \ + -S "DTLS-SRTP key material is"\ + -C "SRTP Extension negotiated, profile" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. openssl server" \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports all profiles, in different order. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32:SRTP_AES128_CM_SHA1_80 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports all profiles. Client supports one profile. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server supports one profile. Client supports all profiles. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one matching profile. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=2 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile: MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server and Client support only one different profile. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 srtp_force_profile=6 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -C "found use_srtp extension" \ + -C "found srtp profile" \ + -C "selected srtp profile" \ + -C "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP server doesn't support use_srtp extension. openssl server" \ + "$O_SRV -dtls" \ + "$P_CLI dtls=1 use_srtp=1 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -C "found use_srtp extension" \ + -C "found srtp profile" \ + -C "selected srtp profile" \ + -C "DTLS-SRTP key material is"\ + -C "error" + +requires_config_enabled MBEDTLS_SSL_DTLS_SRTP +run_test "DTLS-SRTP all profiles supported. server doesn't support mki. openssl server." \ + "$O_SRV -dtls -verify 0 -use_srtp SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32 -keymatexport 'EXTRACTOR-dtls_srtp' -keymatexportlen 60" \ + "$P_CLI dtls=1 use_srtp=1 mki=542310ab34290481 debug_level=3" \ + 0 \ + -c "client hello, adding use_srtp extension" \ + -c "found use_srtp extension" \ + -c "found srtp profile" \ + -c "selected srtp profile" \ + -c "DTLS-SRTP key material is"\ + -c "DTLS-SRTP no mki value negotiated"\ + -c "dumping 'sending mki' (8 bytes)" \ + -C "dumping 'received mki' (8 bytes)" \ + -C "error" + requires_config_enabled MBEDTLS_SSL_DTLS_SRTP requires_gnutls run_test "DTLS-SRTP all profiles supported. gnutls client." \ From 9d1ce40898ec514533369f9ab0b12f69f197542d Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Mon, 24 May 2021 14:07:17 +0200 Subject: [PATCH 49/59] Additional corrections Signed-off-by: TRodziewicz --- ChangeLog.d/issue4286.txt | 4 ++-- include/mbedtls/ssl.h | 48 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/issue4286.txt b/ChangeLog.d/issue4286.txt index 8fc1af266..68eb66764 100644 --- a/ChangeLog.d/issue4286.txt +++ b/ChangeLog.d/issue4286.txt @@ -7,5 +7,5 @@ Removals MBEDTLS_SSL_FALLBACK_SCSV, MBEDTLS_SSL_FALLBACK_SCSV_VALUE, MBEDTLS_SSL_IS_FALLBACK, MBEDTLS_SSL_IS_NOT_FALLBACK, and functions: mbedtls_ssl_conf_cbc_record_splitting(), - mbedtls_ssl_get_key_exchange_md_ssl_tls(), - mbedtls_ssl_check_record(), mbedtls_ssl_conf_fallback(). Fixes #4286. + mbedtls_ssl_get_key_exchange_md_ssl_tls(), mbedtls_ssl_conf_fallback(). + Fixes #4286. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 66cbd48e1..bdc2b4797 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1825,6 +1825,54 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, */ void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout ); +/** + * \brief Check whether a buffer contains a valid and authentic record + * that has not been seen before. (DTLS only). + * + * This function does not change the user-visible state + * of the SSL context. Its sole purpose is to provide + * an indication of the legitimacy of an incoming record. + * + * This can be useful e.g. in distributed server environments + * using the DTLS Connection ID feature, in which connections + * might need to be passed between service instances on a change + * of peer address, but where such disruptive operations should + * only happen after the validity of incoming records has been + * confirmed. + * + * \param ssl The SSL context to use. + * \param buf The address of the buffer holding the record to be checked. + * This must be a read/write buffer of length \p buflen Bytes. + * \param buflen The length of \p buf in Bytes. + * + * \note This routine only checks whether the provided buffer begins + * with a valid and authentic record that has not been seen + * before, but does not check potential data following the + * initial record. In particular, it is possible to pass DTLS + * datagrams containing multiple records, in which case only + * the first record is checked. + * + * \note This function modifies the input buffer \p buf. If you need + * to preserve the original record, you have to maintain a copy. + * + * \return \c 0 if the record is valid and authentic and has not been + * seen before. + * \return MBEDTLS_ERR_SSL_INVALID_MAC if the check completed + * successfully but the record was found to be not authentic. + * \return MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed + * successfully but the record was found to be invalid for + * a reason different from authenticity checking. + * \return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed + * successfully but the record was found to be unexpected + * in the state of the SSL context, including replayed records. + * \return Another negative error code on different kinds of failure. + * In this case, the SSL context becomes unusable and needs + * to be freed or reset before reuse. + */ +int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, + unsigned char *buf, + size_t buflen ); + /** * \brief Set the timer callbacks (Mandatory for DTLS.) * From 3ca92b182ce46c630304aafa1448a6863ac0ccb7 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Mon, 24 May 2021 14:11:39 +0100 Subject: [PATCH 50/59] Re-wording of Migration guide entry Commit re-words the migration guide entry as requested in review. Signed-off-by: Thomas Daubney --- .../remove-rsa-mode-parameter.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md index 406004f45..2a849a30c 100644 --- a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md +++ b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md @@ -5,12 +5,12 @@ This affects all users who use the RSA encryption, decryption, sign and verify APIs. You must delete the mode parameter from your RSA function calls. -Using the correct modes are now the default and only behaviour, and this -cannot be changed. If you were using the mode parameter to specify the -wrong mode then this behaviour is no longer supported. For reference the -correct, supported modes are: Public keys for encryption and verification -functions and private keys for decryption and signing functions, but the -user does not have to specify this. +Using the correct mode is now the default behaviour. Encryption +and verification functions are now equivalent to their 2.x +counterparts with mode=MBEDTLS_RSA_PUBLIC. Decryption and signing +functions are now equivalent to their 2.x counterparts with +mode=MBEDTLS_RSA_PRIVATE. Note that the constants +MBEDTLS_RSA_PUBLIC and MBEDTLS_RSA_PRIVATE have been removed in 3.0. Remove the RNG parameter from RSA functions -------------------------------------------- From 59392b0075c7ad79572c04a51cca621fae8cab16 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 24 May 2021 22:58:37 +0200 Subject: [PATCH 51/59] Fix misplaced extern "C" affecting MBEDTLS_ARIA_ALT Reported via Mbed OS: https://github.com/ARMmbed/mbed-os/issues/14694 Signed-off-by: Gilles Peskine --- include/mbedtls/aria.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 7dd960f29..e98414760 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -51,14 +51,14 @@ #define MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH -0x005E /**< Invalid data input length. */ -#if !defined(MBEDTLS_ARIA_ALT) -// Regular implementation -// - #ifdef __cplusplus extern "C" { #endif +#if !defined(MBEDTLS_ARIA_ALT) +// Regular implementation +// + /** * \brief The ARIA context-type definition. */ From be89fea1a7b2046c97a85a8328bc840616026a52 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 25 May 2021 09:17:22 +0200 Subject: [PATCH 52/59] ARIA: add missing context init/free This fixes the self-test with alternative implementations. Signed-off-by: Gilles Peskine --- library/aria.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/library/aria.c b/library/aria.c index 187563552..a5786b37a 100644 --- a/library/aria.c +++ b/library/aria.c @@ -921,7 +921,7 @@ static const uint8_t aria_test2_ctr_ct[3][48] = // CTR ciphertext { \ if( verbose ) \ mbedtls_printf( "failed\n" ); \ - return( 1 ); \ + goto exit; \ } else { \ if( verbose ) \ mbedtls_printf( "passed\n" ); \ @@ -935,6 +935,7 @@ int mbedtls_aria_self_test( int verbose ) int i; uint8_t blk[MBEDTLS_ARIA_BLOCKSIZE]; mbedtls_aria_context ctx; + int ret = 1; #if (defined(MBEDTLS_CIPHER_MODE_CFB) || defined(MBEDTLS_CIPHER_MODE_CTR)) size_t j; @@ -946,6 +947,8 @@ int mbedtls_aria_self_test( int verbose ) uint8_t buf[48], iv[MBEDTLS_ARIA_BLOCKSIZE]; #endif + mbedtls_aria_init( &ctx ); + /* * Test set 1 */ @@ -1065,7 +1068,11 @@ int mbedtls_aria_self_test( int verbose ) mbedtls_printf( "\n" ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ - return( 0 ); + ret = 0; + +exit: + mbedtls_aria_free( &ctx ); + return( ret ); } #endif /* MBEDTLS_SELF_TEST */ From c537aa83f42f537eeb7dc2818a28849298de2e9e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 25 May 2021 09:17:46 +0200 Subject: [PATCH 53/59] CAMELLIA: add missing context init/free This fixes the self-test with alternative implementations. Signed-off-by: Gilles Peskine --- library/camellia.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/library/camellia.c b/library/camellia.c index d60f93188..f7e013611 100644 --- a/library/camellia.c +++ b/library/camellia.c @@ -942,9 +942,11 @@ int mbedtls_camellia_self_test( int verbose ) unsigned char nonce_counter[16]; unsigned char stream_block[16]; #endif + int ret = 1; mbedtls_camellia_context ctx; + mbedtls_camellia_init( &ctx ); memset( key, 0, 32 ); for( j = 0; j < 6; j++ ) { @@ -974,8 +976,7 @@ int mbedtls_camellia_self_test( int verbose ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); - - return( 1 ); + goto exit; } } @@ -1027,8 +1028,7 @@ int mbedtls_camellia_self_test( int verbose ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); - - return( 1 ); + goto exit; } } @@ -1071,8 +1071,7 @@ int mbedtls_camellia_self_test( int verbose ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); - - return( 1 ); + goto exit; } } else @@ -1087,8 +1086,7 @@ int mbedtls_camellia_self_test( int verbose ) { if( verbose != 0 ) mbedtls_printf( "failed\n" ); - - return( 1 ); + goto exit; } } @@ -1100,7 +1098,11 @@ int mbedtls_camellia_self_test( int verbose ) mbedtls_printf( "\n" ); #endif /* MBEDTLS_CIPHER_MODE_CTR */ - return( 0 ); + ret = 0; + +exit: + mbedtls_camellia_free( &ctx ); + return( ret ); } #endif /* MBEDTLS_SELF_TEST */ From 0e1f05d34bf8c0bf2729188a32efa8743d0a9a03 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 25 May 2021 09:28:54 +0200 Subject: [PATCH 54/59] Changelog entry for the ARIA_ALT and CAMELLIA_ALT fixes Fix ARMmbed/mbed-os#14694 Signed-off-by: Gilles Peskine --- ChangeLog.d/aria-alt.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/aria-alt.txt diff --git a/ChangeLog.d/aria-alt.txt b/ChangeLog.d/aria-alt.txt new file mode 100644 index 000000000..20aaa2b71 --- /dev/null +++ b/ChangeLog.d/aria-alt.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced + directive in a header and a missing initialization in the self-test. + * Fix a missing initialization in the Camellia self-test, affecting + MBEDTLS_CAMELLIA_ALT implementations. From 6f966112c7c90c461cc6646305ef74ebd4c06cfd Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 25 May 2021 15:00:19 +0100 Subject: [PATCH 55/59] Corrections to ChangeLog and Migration guide Corrections to address wording of ChangeLog and Migration guide. Signed-off-by: Thomas Daubney --- ChangeLog.d/remove-rsa-mode-parameter.txt | 11 +++++- .../remove-rsa-mode-parameter.md | 34 +++++++++++-------- 2 files changed, 30 insertions(+), 15 deletions(-) diff --git a/ChangeLog.d/remove-rsa-mode-parameter.txt b/ChangeLog.d/remove-rsa-mode-parameter.txt index b7c6f327f..6b32f6550 100644 --- a/ChangeLog.d/remove-rsa-mode-parameter.txt +++ b/ChangeLog.d/remove-rsa-mode-parameter.txt @@ -1,6 +1,15 @@ +Removals + * The RSA module no longer supports private-key operations with the public + key and vice versa. This change only affects applications which use the + wrong mode. In this case the wrong mode is to use mode=MBEDTLS_RSA_PUBLIC + with decryption and signing functions and mode=MBEDTLS_RSA_PRIVATE with + encryption and verification functions. Addresses issue #4278. API changes * Remove mode parameter from RSA functions. All encryption, decryption, sign and verify functions are affected. Also removes the RNG parameters from the RSA verify functions. Existing user code which utilises these RSA functions must - remove the mode parameter. Fixes #4278. + remove the mode parameter. + * RNG is now mandatory for all private-key RSA operations. Existing user code + which does not use an RNG with private-key RSA functions must now be + updated to do so. diff --git a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md index 2a849a30c..e400650dd 100644 --- a/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md +++ b/docs/3.0-migration-guide.d/remove-rsa-mode-parameter.md @@ -4,20 +4,26 @@ Remove the mode parameter from RSA functions This affects all users who use the RSA encryption, decryption, sign and verify APIs. -You must delete the mode parameter from your RSA function calls. -Using the correct mode is now the default behaviour. Encryption -and verification functions are now equivalent to their 2.x -counterparts with mode=MBEDTLS_RSA_PUBLIC. Decryption and signing -functions are now equivalent to their 2.x counterparts with -mode=MBEDTLS_RSA_PRIVATE. Note that the constants -MBEDTLS_RSA_PUBLIC and MBEDTLS_RSA_PRIVATE have been removed in 3.0. +The RSA module no longer supports private-key operations with the public key or +vice versa. As a consequence, RSA operation functions no longer have a mode +parameter. If you were calling RSA operations with the normal mode (public key +for verification or encryption, private key for signature or decryption), remove +the `MBEDTLS_MODE_PUBLIC` or `MBEDTLS_MODE_PRIVATE` argument. If you were calling +RSA operations with the wrong mode, which rarely makes sense from a security +perspective, this is no longer supported. -Remove the RNG parameter from RSA functions --------------------------------------------- +Remove the RNG parameter from RSA verify functions +-------------------------------------------------- -This affects all users who use the RSA verify functions. +RSA verification functions also no longer take random generator arguments (this +was only needed when using a private key). This affects all applications using +the RSA verify functions. -If you were using the RNG parameters then you must remove -them from your function calls. Since using the wrong mode -is no longer supported, the RNG parameters namely f_rng -and p_rng are no longer needed. +RNG is now mandatory in all RSA private key operations +------------------------------------------------------ + +The random generator is now mandatory for blinding in all RSA private-key +operations (`mbedtls_rsa_private`, `mbedtls_rsa_xxx_sign`, +`mbedtls_rsa_xxx_decrypt`) as well as for encryption +(`mbedtls_rsa_xxx_encrypt`). This means that passing a null `f_rng` is no longer +supported. From 731b952b692564c23b69ab9284e4981daf222334 Mon Sep 17 00:00:00 2001 From: Thomas Daubney Date: Tue, 25 May 2021 16:26:24 +0100 Subject: [PATCH 56/59] Additional corrections to ChangeLog Commit makes further corrections to the wording in the ChangeLog entry. Signed-off-by: Thomas Daubney --- ChangeLog.d/remove-rsa-mode-parameter.txt | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/ChangeLog.d/remove-rsa-mode-parameter.txt b/ChangeLog.d/remove-rsa-mode-parameter.txt index 6b32f6550..854dda34b 100644 --- a/ChangeLog.d/remove-rsa-mode-parameter.txt +++ b/ChangeLog.d/remove-rsa-mode-parameter.txt @@ -1,15 +1,9 @@ Removals * The RSA module no longer supports private-key operations with the public - key and vice versa. This change only affects applications which use the - wrong mode. In this case the wrong mode is to use mode=MBEDTLS_RSA_PUBLIC - with decryption and signing functions and mode=MBEDTLS_RSA_PRIVATE with - encryption and verification functions. Addresses issue #4278. + key and vice versa. API changes - * Remove mode parameter from RSA functions. All encryption, - decryption, sign and verify functions are affected. Also - removes the RNG parameters from the RSA verify functions. - Existing user code which utilises these RSA functions must - remove the mode parameter. - * RNG is now mandatory for all private-key RSA operations. Existing user code - which does not use an RNG with private-key RSA functions must now be - updated to do so. + * Remove the mode parameter from RSA operation functions. Signature and + decryption functions now always use the private key and verification and + encryption use the public key. Verification functions also no longer have + RNG parameters. + * The RNG is now mandatory for all private-key RSA operations. From 46cccb8f39bdebef6b7067052dfea550e7461309 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Tue, 11 May 2021 13:13:51 +0200 Subject: [PATCH 57/59] _SSL_DTLS_BADMAC_LIMIT config.h option removed Signed-off-by: TRodziewicz --- include/mbedtls/check_config.h | 5 ----- include/mbedtls/config.h | 11 ----------- include/mbedtls/ssl.h | 7 ------- library/ssl_msg.c | 2 -- library/ssl_tls.c | 10 ---------- programs/ssl/ssl_context_info.c | 1 - programs/ssl/ssl_server2.c | 6 ------ tests/context-info.sh | 4 ---- 8 files changed, 46 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 389ae2a71..ae23602a0 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -700,11 +700,6 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \ - ( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) ) -#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 715c73ada..10140915e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1748,17 +1748,6 @@ */ #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE -/** - * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT - * - * Enable support for a limit of records with bad MAC. - * - * See mbedtls_ssl_conf_dtls_badmac_limit(). - * - * Requires: MBEDTLS_SSL_PROTO_DTLS - */ -#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT - /** * \def MBEDTLS_SSL_SESSION_TICKETS * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index bdc2b4797..6a908f271 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1151,9 +1151,7 @@ struct mbedtls_ssl_config that triggers renegotiation */ #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) unsigned int badmac_limit; /*!< limit of records with a bad MAC */ -#endif #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */ @@ -1226,10 +1224,7 @@ struct mbedtls_ssl_context int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */ int minor_ver; /*!< one of MBEDTLS_SSL_MINOR_VERSION_x macros */ - -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) unsigned badmac_seen; /*!< records with a bad MAC received */ -#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** Callback to customize X.509 certificate chain verification */ @@ -2261,7 +2256,6 @@ int mbedtls_ssl_set_client_transport_id( mbedtls_ssl_context *ssl, void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) /** * \brief Set a limit on the number of records with a bad MAC * before terminating the connection. @@ -2286,7 +2280,6 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ); * many bogus packets. */ void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ); -#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_PROTO_DTLS) diff --git a/library/ssl_msg.c b/library/ssl_msg.c index a75b9190b..ff628b9f4 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -4499,14 +4499,12 @@ static int ssl_get_next_record( mbedtls_ssl_context *ssl ) return( ret ); } -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) if( ssl->conf->badmac_limit != 0 && ++ssl->badmac_seen >= ssl->conf->badmac_limit ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); return( MBEDTLS_ERR_SSL_INVALID_MAC ); } -#endif /* As above, invalid records cause * dismissal of the whole datagram. */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e60c0726f..a7e5b4cd8 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3390,12 +3390,10 @@ void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode ) } #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit ) { conf->badmac_limit = limit; } -#endif #if defined(MBEDTLS_SSL_PROTO_DTLS) @@ -5418,11 +5416,7 @@ void mbedtls_ssl_session_free( mbedtls_ssl_session *session ) #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u -#else -#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 0u -#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u @@ -5639,7 +5633,6 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, /* * Saved fields from top-level ssl_context structure */ -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) used += 4; if( used <= buf_len ) { @@ -5648,7 +5641,6 @@ int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl, *p++ = (unsigned char)( ( ssl->badmac_seen >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( ssl->badmac_seen ) & 0xFF ); } -#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) used += 16; @@ -5904,7 +5896,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, /* * Saved fields from top-level ssl_context structure */ -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) if( (size_t)( end - p ) < 4 ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -5913,7 +5904,6 @@ static int ssl_context_load( mbedtls_ssl_context *ssl, ( (uint32_t) p[2] << 8 ) | ( (uint32_t) p[3] ); p += 4; -#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) if( (size_t)( end - p ) < 16 ) diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c index ec24fa8e0..855102de7 100644 --- a/programs/ssl/ssl_context_info.c +++ b/programs/ssl/ssl_context_info.c @@ -872,7 +872,6 @@ void print_deserialized_ssl_context( const uint8_t *ssl, size_t len ) print_if_bit( "MBEDTLS_SSL_SESSION_TICKETS and client", SESSION_CONFIG_CLIENT_TICKET_BIT, session_cfg_flag ); print_if_bit( "MBEDTLS_SSL_DTLS_CONNECTION_ID", CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT, context_cfg_flag ); - print_if_bit( "MBEDTLS_SSL_DTLS_BADMAC_LIMIT", CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT, context_cfg_flag ); print_if_bit( "MBEDTLS_SSL_DTLS_ANTI_REPLAY", CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT, context_cfg_flag ); print_if_bit( "MBEDTLS_SSL_ALPN", CONTEXT_CONFIG_ALPN_BIT, context_cfg_flag ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 2cf2d73be..ef55a7c25 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -363,12 +363,8 @@ int main( void ) #define USAGE_ANTI_REPLAY "" #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) #define USAGE_BADMAC_LIMIT \ " badmac_limit=%%d default: (library default: disabled)\n" -#else -#define USAGE_BADMAC_LIMIT "" -#endif #if defined(MBEDTLS_SSL_PROTO_DTLS) #define USAGE_DTLS \ @@ -2685,10 +2681,8 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_dtls_anti_replay( &conf, opt.anti_replay ); #endif -#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) if( opt.badmac_limit != DFL_BADMAC_LIMIT ) mbedtls_ssl_conf_dtls_badmac_limit( &conf, opt.badmac_limit ); -#endif } #endif /* MBEDTLS_SSL_PROTO_DTLS */ diff --git a/tests/context-info.sh b/tests/context-info.sh index 346529845..e02d33084 100755 --- a/tests/context-info.sh +++ b/tests/context-info.sh @@ -214,7 +214,6 @@ run_test "Default configuration, server" \ -u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \ -u "MBEDTLS_SSL_SESSION_TICKETS$" \ -u "MBEDTLS_SSL_SESSION_TICKETS and client$" \ - -u "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \ -u "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \ -u "MBEDTLS_SSL_ALPN$" \ -u "ciphersuite.* TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256$" \ @@ -238,7 +237,6 @@ run_test "Default configuration, client" \ -u "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \ -u "MBEDTLS_SSL_SESSION_TICKETS$" \ -u "MBEDTLS_SSL_SESSION_TICKETS and client$" \ - -u "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \ -u "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \ -u "MBEDTLS_SSL_ALPN$" \ -u "ciphersuite.* TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256$" \ @@ -345,7 +343,6 @@ run_test "Minimal configuration, server" \ -n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \ -n "MBEDTLS_SSL_SESSION_TICKETS$" \ -n "MBEDTLS_SSL_SESSION_TICKETS and client$" \ - -n "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \ -n "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \ -n "MBEDTLS_SSL_ALPN$" \ @@ -357,7 +354,6 @@ run_test "Minimal configuration, client" \ -n "MBEDTLS_SSL_ENCRYPT_THEN_MAC$" \ -n "MBEDTLS_SSL_SESSION_TICKETS$" \ -n "MBEDTLS_SSL_SESSION_TICKETS and client$" \ - -n "MBEDTLS_SSL_DTLS_BADMAC_LIMIT$" \ -n "MBEDTLS_SSL_DTLS_ANTI_REPLAY$" \ -n "MBEDTLS_SSL_ALPN$" \ From 5c251c6a5e2175cd0570471d543acd842698b7f8 Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Tue, 11 May 2021 14:27:28 +0200 Subject: [PATCH 58/59] Add the ChangeLog file Signed-off-by: TRodziewicz --- ChangeLog.d/issue4403.txt | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 ChangeLog.d/issue4403.txt diff --git a/ChangeLog.d/issue4403.txt b/ChangeLog.d/issue4403.txt new file mode 100644 index 000000000..08ac60e69 --- /dev/null +++ b/ChangeLog.d/issue4403.txt @@ -0,0 +1,2 @@ +Removals + * Remove the MBEDTLS_SSL_DTLS_BADMAC_LIMIT config.h option. Fixes #4403. From a86c312d9266f9c6d6be67fba8d059ae6aa1b2fb Mon Sep 17 00:00:00 2001 From: TRodziewicz Date: Wed, 26 May 2021 15:29:36 +0200 Subject: [PATCH 59/59] Addition of the migration guide entry. Signed-off-by: TRodziewicz --- .../remove_SSL_DTLS_BADMAC_LIMIT_option.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md diff --git a/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md b/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md new file mode 100644 index 000000000..f81bdadba --- /dev/null +++ b/docs/3.0-migration-guide.d/remove_SSL_DTLS_BADMAC_LIMIT_option.md @@ -0,0 +1,11 @@ +Remove MBEDTLS_SSL_DTLS_BADMAC_LIMIT option +------------------------------------------- + +This change does not affect users who used the default `config.h`, as the option +MBEDTLS_SSL_DTLS_BADMAC_LIMIT was already on by default. + +This option was a trade-off between functionality and code size: it allowed +users who didn't need that feature to avoid paying the cost in code size, by +disabling it. + +This option is no longer present, but its functionality is now always enabled.