From 64f0aed9665fc06b1a6b59755231f1bc1fcdf9e9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 9 Nov 2017 18:39:33 +0000 Subject: [PATCH 01/18] Don't truncate MAC key when truncated HMAC is negotiated The truncated HMAC extension as described in https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated HMAC is used, only the HMAC output should be truncated, while the HMAC key generation stays unmodified. This commit fixes Mbed TLS's behavior of also truncating the key, potentially leading to compatibility issues with peers running other stacks than Mbed TLS. Details: The keys for the MAC are pieces of the keyblock that's generated from the master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being specified as the size of the digest used for the MAC, regardless of whether truncated HMAC is enabled or not. /----- MD size ------\ /------- MD size ----\ Keyblock +----------------------+----------------------+------------------+--- now | MAC enc key | MAC dec key | Enc key | ... (correct) +----------------------+----------------------+------------------+--- In the previous code, when truncated HMAC was enabled, the HMAC keys were truncated to 10 bytes: /-10 bytes-\ /-10 bytes-\ Keyblock +-------------+-------------+------------------+--- previously | MAC enc key | MAC dec key | Enc key | ... (wrong) +-------------+-------------+------------------+--- The reason for this was that a single variable `transform->maclen` was used for both the keysize and the size of the final MAC, and its value was reduced from the MD size to 10 bytes in case truncated HMAC was negotiated. This commit fixes this by introducing a temporary variable `mac_key_len` which permanently holds the MD size irrespective of the presence of truncated HMAC, and using this temporary to obtain the MAC key chunks from the keyblock. --- library/ssl_tls.c | 29 ++++++++++++++++------------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 1b8d7df585..f27b95ce6d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -491,6 +491,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) unsigned char *key2; unsigned char *mac_enc; unsigned char *mac_dec; + size_t mac_key_len; size_t iv_copy_len; const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; @@ -682,6 +683,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) cipher_info->mode == MBEDTLS_MODE_CCM ) { transform->maclen = 0; + mac_key_len = 0; transform->ivlen = 12; transform->fixed_ivlen = 4; @@ -702,7 +704,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } /* Get MAC length */ - transform->maclen = mbedtls_md_get_size( md_info ); + mac_key_len = mbedtls_md_get_size( md_info ); + transform->maclen = mac_key_len; #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) /* @@ -773,11 +776,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - key1 = keyblk + transform->maclen * 2; - key2 = keyblk + transform->maclen * 2 + transform->keylen; + key1 = keyblk + mac_key_len * 2; + key2 = keyblk + mac_key_len * 2 + transform->keylen; mac_enc = keyblk; - mac_dec = keyblk + transform->maclen; + mac_dec = keyblk + mac_key_len; /* * This is not used in TLS v1.1. @@ -793,10 +796,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - key1 = keyblk + transform->maclen * 2 + transform->keylen; - key2 = keyblk + transform->maclen * 2; + key1 = keyblk + mac_key_len * 2 + transform->keylen; + key2 = keyblk + mac_key_len * 2; - mac_enc = keyblk + transform->maclen; + mac_enc = keyblk + mac_key_len; mac_dec = keyblk; /* @@ -818,14 +821,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { - if( transform->maclen > sizeof transform->mac_enc ) + if( mac_key_len > sizeof transform->mac_enc ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - memcpy( transform->mac_enc, mac_enc, transform->maclen ); - memcpy( transform->mac_dec, mac_dec, transform->maclen ); + memcpy( transform->mac_enc, mac_enc, mac_key_len ); + memcpy( transform->mac_dec, mac_dec, mac_key_len ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 */ @@ -833,8 +836,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { - mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); - mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); + mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); + mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); } else #endif @@ -854,7 +857,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) transform->iv_enc, transform->iv_dec, iv_copy_len, mac_enc, mac_dec, - transform->maclen ) ) != 0 ) + mac_key_len ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); From a83fafa5dfed30949730915c0df4e0822bc53dd6 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 08:42:54 +0000 Subject: [PATCH 02/18] Add missing dependencies on trunc HMAC ext in ssl-opt.sh Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in config.h. This commit fixes this. --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5a1ef5bfb7..40eb33e8a8 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -702,6 +702,7 @@ run_test "Truncated HMAC: client default, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -710,6 +711,7 @@ run_test "Truncated HMAC: client disabled, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -718,6 +720,7 @@ run_test "Truncated HMAC: client enabled, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -726,6 +729,7 @@ run_test "Truncated HMAC: client enabled, server disabled" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -2937,6 +2941,7 @@ run_test "Small packet TLS 1.0 BlockCipher without EtM" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ @@ -2945,6 +2950,7 @@ run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ @@ -2974,6 +2980,7 @@ run_test "Small packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ @@ -2982,6 +2989,7 @@ run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ @@ -3011,6 +3019,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -3026,6 +3035,7 @@ run_test "Small packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -3083,6 +3093,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ @@ -3091,6 +3102,7 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ @@ -3113,6 +3125,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3121,6 +3134,7 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3143,6 +3157,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3158,6 +3173,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ From 7aae46c05aeded46f54bbb689ba8b0668d292a8b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 08:59:04 +0000 Subject: [PATCH 03/18] Extend small packet tests for TLS This commit ensures that there is a small packet test for at least any combination of - SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 - Stream cipher (RC4) or Block cipher (AES) - Usage of Encrypt then MAC extension [TLS only] - Usage of truncated HMAC extension [TLS only] --- tests/ssl-opt.sh | 127 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 110 insertions(+), 17 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 40eb33e8a8..f4cd19d601 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2934,7 +2934,7 @@ run_test "Small packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher without EtM" \ +run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -2942,7 +2942,7 @@ run_test "Small packet TLS 1.0 BlockCipher without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ +run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -2951,7 +2951,32 @@ run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +run_test "Small packet TLS 1.0 StreamCipher" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -2959,6 +2984,16 @@ run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + run_test "Small packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ @@ -2966,10 +3001,30 @@ run_test "Small packet TLS 1.1 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher without EtM" \ +run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 \ + etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -2980,21 +3035,30 @@ run_test "Small packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ - "$P_SRV" \ +run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + trunc_hmac=1 \ + etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3005,10 +3069,11 @@ run_test "Small packet TLS 1.2 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher without EtM" \ +run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3020,7 +3085,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ +run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3028,6 +3093,16 @@ run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + run_test "Small packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -3035,8 +3110,16 @@ run_test "Small packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" +run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3044,6 +3127,16 @@ run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + run_test "Small packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ From 0b9d913ac6d10cd83b2d0b30f404d6194660b084 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 09:16:28 +0000 Subject: [PATCH 04/18] Extend large packet tests for TLS Same as previous commit, but for large packet tests. --- tests/ssl-opt.sh | 125 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 115 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f4cd19d601..f87a742720 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3186,8 +3186,15 @@ run_test "Large packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3196,7 +3203,31 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.0 StreamCipher" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3204,6 +3235,15 @@ run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3211,15 +3251,15 @@ run_test "Large packet TLS 1.1 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3228,7 +3268,31 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.1 StreamCipher" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3236,6 +3300,15 @@ run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3243,6 +3316,13 @@ run_test "Large packet TLS 1.2 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3251,7 +3331,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3259,6 +3339,15 @@ run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3266,8 +3355,15 @@ run_test "Large packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3275,6 +3371,15 @@ run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ From 461cb81a55b3977f111c5a706692a3768ad036c8 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 08:59:18 +0000 Subject: [PATCH 05/18] Add small packet tests for DTLS Add a DTLS small packet test for each of the following combinations: - DTLS version: 1.0 or 1.2 - Encrypt then MAC extension enabled - Truncated HMAC extension enabled Large packets tests for DTLS are currently not possible due to parameter constraints in ssl_server2. --- tests/ssl-opt.sh | 76 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index f87a742720..364e16c0f2 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3151,6 +3151,82 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \ 0 \ -s "Read from client: 1 bytes read" +# Tests for small packets in DTLS + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.0" \ + "$P_SRV dtls=1 force_version=dtls1" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.0, without EtM" \ + "$P_SRV dtls=1 force_version=dtls1 etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.0, truncated hmac" \ + "$P_SRV dtls=1 force_version=dtls1" \ + "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ + "$P_SRV dtls=1 force_version=dtls1 \ + etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1"\ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.2" \ + "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.2, without EtM" \ + "$P_SRV dtls=1 force_version=dtls1_2 \ + etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.2, truncated hmac" \ + "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ + "$P_SRV dtls=1 force_version=dtls1_2 \ + etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1"\ + 0 \ + -s "Read from client: 1 bytes read" + # A test for extensions in SSLv3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 From d51bec701bd85a77a6e5cd972d9c152db2befb18 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 17 Nov 2017 15:46:24 +0000 Subject: [PATCH 06/18] Add missing truncated HMAC test for TLS The case 'Client disabled, Server enabled' was missing. --- tests/ssl-opt.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 364e16c0f2..5c441bc92b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -729,6 +729,15 @@ run_test "Truncated HMAC: client enabled, server disabled" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC: client disabled, server enabled" \ + "$P_SRV debug_level=4 trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ From 02f632ecce341dcb7fac32aac3e5e83c3205d3e2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 09:16:05 +0000 Subject: [PATCH 07/18] Add truncated HMAC extension tests for DTLS --- tests/ssl-opt.sh | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5c441bc92b..887be4f008 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -747,6 +747,58 @@ run_test "Truncated HMAC: client enabled, server enabled" \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" +run_test "Truncated HMAC, DTLS: client default, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client disabled, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server enabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -S "dumping 'expected mac' (20 bytes)" \ + -s "dumping 'expected mac' (10 bytes)" + # Tests for Encrypt-then-MAC extension run_test "Encrypt then MAC: default" \ From e9dcb843b258cfe71c4ee25575f07f511e8100a1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 16 Nov 2017 17:39:34 +0000 Subject: [PATCH 08/18] Adapt ChangeLog --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index e5ba2139b9..6fdabbae6f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -12,6 +12,9 @@ Security side in both TLS and DTLS. Bugfix + * Fix wrong implementation of truncated HMAC extension leading to + compatibility problems with peers not running Mbed TLS. Found by + Andreas Walz. * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. From 053b3459d41070717f1ef79bdeae0e5d439f7d89 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 20 Nov 2017 16:36:41 +0000 Subject: [PATCH 09/18] Add fallback to non-compliant truncated HMAC for compatibiltiy In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to temporarily fall back to the old, non-compliant implementation of the truncated HMAC extension. --- include/mbedtls/check_config.h | 4 ++++ include/mbedtls/config.h | 16 ++++++++++++++++ library/ssl_tls.c | 8 ++++++++ 3 files changed, 28 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 8dadbe1c57..33ea22a77f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -77,6 +77,10 @@ #error "MBEDTLS_DHM_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC) +#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C) #error "MBEDTLS_ECDH_C defined, but not all prerequisites" #endif diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 0c51fead7e..b174d8a2ff 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1183,6 +1183,22 @@ */ #define MBEDTLS_SSL_TRUNCATED_HMAC +/** + * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + * + * Fallback to old, non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. + * + * \warning This should only be enabled temporarily when the use + * of truncated HMAC is mandatory *and* the peer is an Mbed TLS + * stack that doesn't use the fixed implementation yet. + * + * Uncomment to fallback to old, non-compliant truncated HMAC implementation. + * + * Requires: MBEDTLS_SSL_TRUNCATED_HMAC + */ +//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + /** * \def MBEDTLS_THREADING_ALT * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f27b95ce6d..f0cc95f9c3 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -714,7 +714,15 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * so we only need to adjust the length here. */ if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) + { transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; + +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + /* Fall back to old, non-compliant version of the truncated + * HMAC implementation which also truncates the key. */ + mac_key_len = transform->maclen; +#endif + } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ /* IV length */ From b018723d3e9d47de929389f0b312948c723ecacf Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 20 Nov 2017 16:45:37 +0000 Subject: [PATCH 10/18] Correct truncated HMAC tests in ssl-opt.sh Many truncated HMAC tests were missing the `trunc_hmac=1` for the server application, thereby not testing the extension. --- tests/ssl-opt.sh | 83 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 56 insertions(+), 27 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 887be4f008..632c0c6168 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3004,7 +3004,8 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3013,7 +3014,8 @@ run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 \ @@ -3038,7 +3040,8 @@ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3047,7 +3050,8 @@ run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 \ @@ -3072,7 +3076,8 @@ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3081,7 +3086,8 @@ run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 \ @@ -3106,7 +3112,8 @@ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3115,7 +3122,8 @@ run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 \ @@ -3147,7 +3155,8 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3156,7 +3165,8 @@ run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 \ @@ -3181,7 +3191,8 @@ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3190,7 +3201,8 @@ run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 \ @@ -3233,8 +3245,10 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1" \ - "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ + "$P_SRV dtls=1 force_version=dtls1 \ + trunc_hmac=1" \ + "$P_CLI dtls=1 request_size=1 \ + trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" @@ -3243,6 +3257,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1 \ + trunc_hmac=1 \ etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3270,7 +3285,8 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_SRV dtls=1 force_version=dtls1_2 \ + trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3281,6 +3297,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1_2 \ + trunc_hmac=1 \ etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3332,7 +3349,8 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3341,7 +3359,8 @@ run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3365,7 +3384,8 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3374,7 +3394,8 @@ run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ @@ -3397,7 +3418,8 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3406,7 +3428,8 @@ run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 etm=0" \ @@ -3430,7 +3453,8 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3439,7 +3463,8 @@ run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ @@ -3469,7 +3494,8 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3478,7 +3504,8 @@ run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 etm=0" \ @@ -3501,7 +3528,8 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3510,7 +3538,8 @@ run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ From 8e75b6ce568e00021e5c1d0a8cecba63feaebaf1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Nov 2017 17:10:12 +0000 Subject: [PATCH 11/18] Improve style in tests/ssl-opt.sh Try to avoid line breaks in server and client command line arguments to ease reading of test cases. --- tests/ssl-opt.sh | 232 +++++++++++++++-------------------------------- 1 file changed, 75 insertions(+), 157 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 632c0c6168..21dd45d9e7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -705,8 +705,7 @@ run_test "Truncated HMAC: client default, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server default" \ "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -714,8 +713,7 @@ run_test "Truncated HMAC: client disabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server default" \ "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -723,8 +721,7 @@ run_test "Truncated HMAC: client enabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -732,8 +729,7 @@ run_test "Truncated HMAC: client enabled, server disabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -741,8 +737,7 @@ run_test "Truncated HMAC: client disabled, server enabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" @@ -757,8 +752,7 @@ run_test "Truncated HMAC, DTLS: client default, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client disabled, server default" \ "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -766,8 +760,7 @@ run_test "Truncated HMAC, DTLS: client disabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client enabled, server default" \ "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -775,8 +768,7 @@ run_test "Truncated HMAC, DTLS: client enabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -784,8 +776,7 @@ run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -793,8 +784,7 @@ run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client enabled, server enabled" \ "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" @@ -3004,22 +2994,17 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3033,29 +3018,23 @@ run_test "Small packet TLS 1.0 StreamCipher" \ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ - "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 \ - etm=0" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3069,29 +3048,23 @@ run_test "Small packet TLS 1.1 BlockCipher" \ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3105,29 +3078,23 @@ run_test "Small packet TLS 1.1 StreamCipher" \ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3141,8 +3108,7 @@ run_test "Small packet TLS 1.2 BlockCipher" \ run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3155,22 +3121,17 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3184,29 +3145,23 @@ run_test "Small packet TLS 1.2 StreamCipher" \ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3245,10 +3200,8 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1 \ - trunc_hmac=1" \ - "$P_CLI dtls=1 request_size=1 \ - trunc_hmac=1 \ + "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ + "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" @@ -3256,12 +3209,9 @@ run_test "Small packet DTLS 1.0, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ - "$P_SRV dtls=1 force_version=dtls1 \ - trunc_hmac=1 \ - etm=0" \ + "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1"\ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" @@ -3275,8 +3225,7 @@ run_test "Small packet DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS run_test "Small packet DTLS 1.2, without EtM" \ - "$P_SRV dtls=1 force_version=dtls1_2 \ - etm=0" \ + "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ @@ -3285,23 +3234,18 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1_2 \ - trunc_hmac=1" \ + "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ - "$P_SRV dtls=1 force_version=dtls1_2 \ - trunc_hmac=1 \ - etm=0" \ + "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1"\ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" @@ -3349,21 +3293,17 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3377,28 +3317,23 @@ run_test "Large packet TLS 1.0 StreamCipher" \ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3418,21 +3353,17 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3446,28 +3377,23 @@ run_test "Large packet TLS 1.1 StreamCipher" \ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3494,21 +3420,17 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3528,21 +3450,17 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" From adb30b945390fb57292611d46bc37a786fd8b49a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Nov 2017 17:20:17 +0000 Subject: [PATCH 12/18] Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option Explain more clearly when this option should be used and which versions of Mbed TLS build on the non-compliant implementation. --- include/mbedtls/config.h | 15 ++++++++++----- library/ssl_tls.c | 2 +- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index b174d8a2ff..b8980f20fd 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1186,12 +1186,17 @@ /** * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT * - * Fallback to old, non-conforming implementation of the truncated - * HMAC extension which also truncates the HMAC key. + * Fallback to old (pre-2.1.10), non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. Note that this option is + * only meant for a transitory upgrade period and is likely to be removed in + * a future version of the library. * - * \warning This should only be enabled temporarily when the use - * of truncated HMAC is mandatory *and* the peer is an Mbed TLS - * stack that doesn't use the fixed implementation yet. + * \warning The old implementation is non-compliant and has a security weakness + * (2^80 brute force attack on the HMAC key used for a single, + * uninterrupted connection). This should only be enabled temporarily + * when (1) the use of truncated HMAC is essential in order to save + * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use + * the fixed implementation yet (pre-2.1.10). * * Uncomment to fallback to old, non-compliant truncated HMAC implementation. * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index f0cc95f9c3..c72ee1dc02 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -719,7 +719,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) /* Fall back to old, non-compliant version of the truncated - * HMAC implementation which also truncates the key. */ + * HMAC implementation which also truncates the key (pre 2.1.10) */ mac_key_len = transform->maclen; #endif } From e53dc43d3af5ff114b6e1183ca339532eadff883 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Nov 2017 18:22:53 +0000 Subject: [PATCH 13/18] Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT --- include/mbedtls/config.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index b8980f20fd..e8a2f3601e 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1198,6 +1198,9 @@ * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use * the fixed implementation yet (pre-2.1.10). * + * \deprecated This option is deprecated and will likely be removed in a + * future version of Mbed TLS. + * * Uncomment to fallback to old, non-compliant truncated HMAC implementation. * * Requires: MBEDTLS_SSL_TRUNCATED_HMAC From e84d90181643806d91acfe39452d93bed153d67a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 Nov 2017 16:57:06 +0000 Subject: [PATCH 14/18] Update ChangeLog --- ChangeLog | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6fdabbae6f..1e339dc411 100644 --- a/ChangeLog +++ b/ChangeLog @@ -10,11 +10,13 @@ Security corrupt 6 bytes on the peer's heap, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. + * Fix implementation of truncated HMAC extension leading to + compatibility problems with non Mbed TLS peers and allowing + an offline 2^80 brute force attack on the HMAC key of a single, + uninterrupted (excluding session resumption) connection. + Found by Andreas Walz. Bugfix - * Fix wrong implementation of truncated HMAC extension leading to - compatibility problems with peers not running Mbed TLS. Found by - Andreas Walz. * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. From 7862cd0ca469b9cda027b7d8dcc6fbe54b57d08d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 1 Dec 2017 17:10:31 +0000 Subject: [PATCH 15/18] Remove deprecation statement for TRUNC_HMAC_COMPAT from config.h --- include/mbedtls/config.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index e8a2f3601e..b8980f20fd 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1198,9 +1198,6 @@ * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use * the fixed implementation yet (pre-2.1.10). * - * \deprecated This option is deprecated and will likely be removed in a - * future version of Mbed TLS. - * * Uncomment to fallback to old, non-compliant truncated HMAC implementation. * * Requires: MBEDTLS_SSL_TRUNCATED_HMAC From de42c59b9173413e5d0c743196c308ecbef74d2f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Dec 2017 15:03:22 +0000 Subject: [PATCH 16/18] Add affiliation of bug reporter to credits in the ChangeLog --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1e339dc411..f4e71221b2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,7 +14,8 @@ Security compatibility problems with non Mbed TLS peers and allowing an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted (excluding session resumption) connection. - Found by Andreas Walz. + Found by Andreas Walz (ivESK, Offenburg University of Applied + Sciences). Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records From e9256c5f4632d66aaa38082e2e6cf73068cf5d4d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2018 16:17:52 +0100 Subject: [PATCH 17/18] Note incompatibility of truncated HMAC extension in ChangeLog The change in the truncated HMAC extension aligns Mbed TLS with the standard, but breaks interoperability with previous versions. Indicate this in the ChangeLog, as well as how to restore the old behavior. --- ChangeLog | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index f4e71221b2..0f4df6525f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,16 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.1.10 branch released 2017-xx-xx +Default behavior changes + * The truncated HMAC extension now conforms to RFC 6066. This means + that when both sides of a TLS connection negotiate the truncated + HMAC extension, Mbed TLS can now interoperate with other + compliant implementations, but this breaks interoperability with + prior versions of Mbed TLS. To restore the old behavior, enable + the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in + config.h. Found by Andreas Walz (ivESK, Offenburg University of + Applied Sciences). + Security * Fix heap corruption in implementation of truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, @@ -10,12 +20,10 @@ Security corrupt 6 bytes on the peer's heap, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. - * Fix implementation of truncated HMAC extension leading to - compatibility problems with non Mbed TLS peers and allowing - an offline 2^80 brute force attack on the HMAC key of a single, - uninterrupted (excluding session resumption) connection. - Found by Andreas Walz (ivESK, Offenburg University of Applied - Sciences). + * Fix implementation of the truncated HMAC extension. The previous + implementation allowed an offline 2^80 brute force attack on the + HMAC key of a single, uninterrupted connection (with no + resumption of the session). Bugfix * Fix ssl_parse_record_header() to silently discard invalid DTLS records From f59902624867397179c50c086407362fd0f730b9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 22 Feb 2018 15:04:03 +0000 Subject: [PATCH 18/18] Adapt version_features.c --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index f9d99af693..b96238ff06 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -381,6 +381,9 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) "MBEDTLS_SSL_TRUNCATED_HMAC", #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT", +#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */ #if defined(MBEDTLS_THREADING_ALT) "MBEDTLS_THREADING_ALT", #endif /* MBEDTLS_THREADING_ALT */