Merge pull request #2263 from andresag01/iotssl-2544-deprecate-record-accel-2

Deprecate feature MBEDTLS_SSL_HW_RECORD_ACCEL
2024-10-19 07:41:15 +00:00 · 2020-02-26 09:18:48 +01:00 · 2020-02-26 09:18:48 +01:00 · 0d20740437
parent 6fb7bd0228 a4522e8467
commit 0d20740437
4 changed files with 54 additions and 18 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)

+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+New deprecations
+   * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
+     SSL module for hardware acceleration of individual records.
+
 = mbed TLS 2.21.0 branch released 2020-02-20

 New deprecations
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@ -798,6 +798,14 @@
 #endif
 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */

+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
 /*
 * Avoid warning from -pedantic. This is a convenient place for this
 * workaround since this is included by every single file before the
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@ -1527,6 +1527,9 @@
 * Enable hooking functions in SSL module for hardware acceleration of
 * individual records.
 *
+ * \deprecated This option is deprecated and will be removed in a future
+ *             version of Mbed TLS.
+ *
 * Uncomment this macro to enable hooking functions.
 */
 //#define MBEDTLS_SSL_HW_RECORD_ACCEL
@ -1781,8 +1784,8 @@
 *
 * Fallback to old (pre-2.7), non-conforming implementation of the truncated
 * HMAC extension which also truncates the HMAC key. Note that this option is
- * only meant for a transitory upgrade period and is likely to be removed in
- * a future version of the library.
+ * only meant for a transitory upgrade period and will be removed in a future
+ * version of the library.
 *
 * \warning The old implementation is non-compliant and has a security weakness
 *          (2^80 brute force attack on the HMAC key used for a single,
@ -1791,7 +1794,7 @@
 *          bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
 *          the fixed implementation yet (pre-2.7).
 *
- * \deprecated This option is deprecated and will likely be removed in a
+ * \deprecated This option is deprecated and will be removed in a
 *             future version of Mbed TLS.
 *
 * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -1323,21 +1323,40 @@ struct mbedtls_ssl_context

 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)

-#define MBEDTLS_SSL_CHANNEL_OUTBOUND    0
-#define MBEDTLS_SSL_CHANNEL_INBOUND     1
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)

-extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
+#define MBEDTLS_SSL_CHANNEL_OUTBOUND   MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 0 )
+#define MBEDTLS_SSL_CHANNEL_INBOUND    MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 1 )
+
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif /* MBEDTLS_DEPRECATED_WARNING */
+
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_init)(
+                    mbedtls_ssl_context *ssl,
                    const unsigned char *key_enc, const unsigned char *key_dec,
                    size_t keylen,
                    const unsigned char *iv_enc,  const unsigned char *iv_dec,
                    size_t ivlen,
                    const unsigned char *mac_enc, const unsigned char *mac_dec,
                    size_t maclen);
-extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
-extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
-extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
-extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
-extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_activate)(
+                                                    mbedtls_ssl_context *ssl,
+                                                    int direction );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_reset)(
+                                                    mbedtls_ssl_context *ssl );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_write)(
+                                                    mbedtls_ssl_context *ssl );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_read)(
+                                                    mbedtls_ssl_context *ssl );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_finish)(
+                                                    mbedtls_ssl_context *ssl );
+
+#undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
+
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */

 /**
@ -3169,7 +3188,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
 * \warning        Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
 *                 for security reasons. Use at your own risk.
 *
- * \note           This function is deprecated and will likely be removed in
+ * \note           This function is deprecated and will be removed in
 *                 a future version of the library.
 *                 RC4 is disabled by default at compile time and needs to be
 *                 actively enabled for use with legacy systems.