From b541da6ef394d1da303a7408821c100a56a27bc2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 17 Jun 2015 11:43:30 +0200
Subject: [PATCH] Fix define for ssl_conf_curves()
This is a security feature, it shouldn't be optional.
---
 include/mbedtls/compat-1.3.h | 3 ---
 include/mbedtls/config.h | 14 --------------
 include/mbedtls/ssl.h | 6 +++---
 include/mbedtls/ssl_internal.h | 2 +-
 library/ssl_cli.c | 6 +++---
 library/ssl_srv.c | 2 +-
 library/ssl_tls.c | 12 ++++++------
 library/version_features.c | 3 ---
 scripts/data_files/rename-1.3-2.0.txt | 1 -
 9 files changed, 14 insertions(+), 35 deletions(-)
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index 8a3ab96dc..0af0a9eb5 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -585,9 +585,6 @@
 #if defined MBEDTLS_SSL_SESSION_TICKETS
 #define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
 #endif
-#if defined MBEDTLS_SSL_SET_CURVES
-#define POLARSSL_SSL_SET_CURVES MBEDTLS_SSL_SET_CURVES
-#endif
 #if defined MBEDTLS_SSL_SRV_C
 #define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
 #endif
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index f0d293c08..02dd96934 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1154,20 +1154,6 @@
 */
 #define MBEDTLS_SSL_TRUNCATED_HMAC
-/**
- * \def MBEDTLS_SSL_SET_CURVES
- *
- * Enable mbedtls_ssl_conf_curves().
- *
- * This is disabled by default since it breaks binary compatibility with the
- * 1.3.x line. If you choose to enable it, you will need to rebuild your
- * application against the new header files, relinking will not be enough.
- * It will be enabled by default, or no longer an option, in the 1.4 branch.
- *
- * Uncomment to make mbedtls_ssl_conf_curves() available.
- */
-//#define MBEDTLS_SSL_SET_CURVES
-
 /**
 * \def MBEDTLS_THREADING_ALT
 *
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 4bca71c8c..318ca4622 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -535,7 +535,7 @@ struct mbedtls_ssl_config
 mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */
 #endif
@@ -1504,7 +1504,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 unsigned int bitlen );
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 /**
 * \brief Set the allowed curves in order of preference.
 * (Default: all defined curves.)
@@ -1524,7 +1524,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 * terminated by MBEDTLS_ECP_DP_NONE.
 */
 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves );
-#endif /* MBEDTLS_SSL_SET_CURVES */
+#endif /* MBEDTLS_ECP_C */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 /**
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 122c1ee83..e074ce29e 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -375,7 +375,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
 #endif
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 72ce76f7f..3d3f3d17f 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -255,7 +255,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
 unsigned char *elliptic_curve_list = p + 6;
 size_t elliptic_curve_len = 0;
 const mbedtls_ecp_curve_info *info;
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 const mbedtls_ecp_group_id *grp_id;
 #else
 ((void) ssl);
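Review bot: The doc comment for `mbedtls_ssl_conf_curves()` touched by the `@@ -1504` and `@@ -1524` hunks does not say who owns the `curves` array, which matters more now that the function is part of every ECP build. The config field in the `@@ -535` hunk is a bare `const mbedtls_ecp_group_id *curve_list`, so the setter presumably stores the caller's pointer rather than copying the list. If that is the case, add `\note The list is not copied: it must stay valid and unmodified for the lifetime of the configuration.` to the comment. The comment's middle lines are outside these hunks, so an equivalent note may already exist there.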
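Review bot: The `#else ((void) ssl);` arm kept in `ssl_write_supported_elliptic_curves_ext()` looks unreachable once the guard is `MBEDTLS_ECP_C`, because the function already declares `const mbedtls_ecp_curve_info *info;` unconditionally and so cannot build without the ECP module. The same applies to the `#else` arm with the `grp.nbits < 163` test in `ssl_check_server_ecdh_params()` (hunk `@@ -1683`), and probably to the `#if` in `ssl_write_server_key_exchange()` in library/ssl_srv.c. Dropping the `#if`/`#else`/`#endif` at these sites would leave a single curve policy in the code, instead of a legacy size check that reads as active but never compiles. All three function bodies continue outside their hunks, so first confirm whether the functions sit inside a wider ECDH/ECDSA guard.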
@@ -265,7 +265,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
 {
 info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
@@ -1683,7 +1683,7 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 if( ! mbedtls_ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
 #else
 if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7db5a3ca6..554a55239 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -2641,7 +2641,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
 * } ServerECDHParams;
 */
 const mbedtls_ecp_curve_info **curve = NULL;
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 const mbedtls_ecp_group_id *gid;
 /* Match our preference list against the offered curves */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9ce9739e7..7a1284aab 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4081,7 +4081,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 * Secondary checks: always done, but change 'ret' only if it was 0
 */
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 {
 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
@@ -4094,7 +4094,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
 }
 }
-#endif /* MBEDTLS_SSL_SET_CURVES */
+#endif /* MBEDTLS_ECP_C */
 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
 ciphersuite_info,
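Review bot: The loop `for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )` dereferences `curve_list` without a NULL check, and after this change it is compiled into every build with `MBEDTLS_ECP_C` rather than only opt-in ones. As far as the diff shows, the pointer gets a value only in `mbedtls_ssl_config_defaults()` (hunk `@@ -6665` in library/ssl_tls.c) or from the application. A configuration that skipped the defaults call, or a caller passing NULL to `mbedtls_ssl_conf_curves()`, would then crash while the ClientHello is written. Consider `for( grp_id = ssl->conf->curve_list; grp_id != NULL && *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )` here, plus a matching guard that returns 0 in `mbedtls_ssl_curve_is_acceptable()`, whose body is outside the hunks shown.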
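Review bot: The curve check on the peer certificate in `mbedtls_ssl_parse_certificate()` (hunks `@@ -4081` and `@@ -4094`) needs a comment stating what it covers, now that it runs in every ECP build. As far as the two hunks show, it looks only at `ssl->session_negotiate->peer_cert->pk`, the end-entity key, so curves used by CA certificates further up the chain would not be restricted by `curve_list`. A comment such as `/* Only the peer's own EC key is checked against the allowed curves; chain certificates are not covered here */` would keep readers from assuming more. The middle of the block lies between the hunks, so confirm this against the full function.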
@@ -5478,7 +5478,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
 }
 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 /*
 * Set the allowed elliptic curves
 */
@@ -6665,7 +6665,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
 #endif
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 conf->curve_list = mbedtls_ecp_grp_id_list( );
 #endif
@@ -6804,7 +6804,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
 }
 }
-#if defined(MBEDTLS_SSL_SET_CURVES)
+#if defined(MBEDTLS_ECP_C)
 /*
 * Check is a curve proposed by the peer is in our list.
 * Return 1 if we're willing to use it, 0 otherwise.
@@ -6819,7 +6819,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
 return( 0 );
 }
-#endif /* MBEDTLS_SSL_SET_CURVES */
+#endif /* MBEDTLS_ECP_C */
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
diff --git a/library/version_features.c b/library/version_features.c
index e534b3219..7ad0f02b3 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -385,9 +385,6 @@ static const char *features[] = {
 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
 "MBEDTLS_SSL_TRUNCATED_HMAC",
 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
-#if defined(MBEDTLS_SSL_SET_CURVES)
- "MBEDTLS_SSL_SET_CURVES",
-#endif /* MBEDTLS_SSL_SET_CURVES */
 #if defined(MBEDTLS_THREADING_ALT)
 "MBEDTLS_THREADING_ALT",
 #endif /* MBEDTLS_THREADING_ALT */
diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt
index d39509154..bfe2eb2d7 100644
--- a/scripts/data_files/rename-1.3-2.0.txt
+++ b/scripts/data_files/rename-1.3-2.0.txt
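Review bot: `conf->curve_list = mbedtls_ecp_grp_id_list( );` in the `@@ -6665` hunk makes the default allow-list every curve compiled into the library, so an application that never calls `mbedtls_ssl_conf_curves()` still accepts all built-in curves, including any small ones left enabled at build time. A comment on this line, for example `/* Default: every built-in curve is accepted; call mbedtls_ssl_conf_curves() to restrict */`, would make that explicit for integrators who read "security feature" as "restrictive by default". The enclosing `mbedtls_ssl_config_defaults()` starts and ends outside the hunk.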
@@ -881,7 +881,6 @@ POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
 POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
 POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
 POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
-POLARSSL_SSL_SET_CURVES MBEDTLS_SSL_SET_CURVES
 POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
 POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
 POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO