Merge pull request #2263 from andresag01/iotssl-2544-deprecate-record-accel-2

Deprecate feature MBEDTLS_SSL_HW_RECORD_ACCEL
This commit is contained in:
Manuel Pégourié-Gonnard 2020-02-26 09:18:48 +01:00 committed by GitHub
commit 0d20740437
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 54 additions and 18 deletions

View file

@ -1,5 +1,11 @@
mbed TLS ChangeLog (Sorted per branch, date)
= mbed TLS x.x.x branch released xxxx-xx-xx
New deprecations
* Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
SSL module for hardware acceleration of individual records.
= mbed TLS 2.21.0 branch released 2020-02-20
New deprecations

View file

@ -798,6 +798,14 @@
#endif
#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
#if defined(MBEDTLS_DEPRECATED_REMOVED)
#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
#elif defined(MBEDTLS_DEPRECATED_WARNING)
#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the

View file

@ -1527,6 +1527,9 @@
* Enable hooking functions in SSL module for hardware acceleration of
* individual records.
*
* \deprecated This option is deprecated and will be removed in a future
* version of Mbed TLS.
*
* Uncomment this macro to enable hooking functions.
*/
//#define MBEDTLS_SSL_HW_RECORD_ACCEL
@ -1781,8 +1784,8 @@
*
* Fallback to old (pre-2.7), non-conforming implementation of the truncated
* HMAC extension which also truncates the HMAC key. Note that this option is
* only meant for a transitory upgrade period and is likely to be removed in
* a future version of the library.
* only meant for a transitory upgrade period and will be removed in a future
* version of the library.
*
* \warning The old implementation is non-compliant and has a security weakness
* (2^80 brute force attack on the HMAC key used for a single,
@ -1791,7 +1794,7 @@
* bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
* the fixed implementation yet (pre-2.7).
*
* \deprecated This option is deprecated and will likely be removed in a
* \deprecated This option is deprecated and will be removed in a
* future version of Mbed TLS.
*
* Uncomment to fallback to old, non-compliant truncated HMAC implementation.

View file

@ -1323,21 +1323,40 @@ struct mbedtls_ssl_context
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
#define MBEDTLS_SSL_CHANNEL_OUTBOUND 0
#define MBEDTLS_SSL_CHANNEL_INBOUND 1
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#define MBEDTLS_SSL_CHANNEL_OUTBOUND MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 0 )
#define MBEDTLS_SSL_CHANNEL_INBOUND MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 1 )
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_WARNING */
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_init)(
mbedtls_ssl_context *ssl,
const unsigned char *key_enc, const unsigned char *key_dec,
size_t keylen,
const unsigned char *iv_enc, const unsigned char *iv_dec,
size_t ivlen,
const unsigned char *mac_enc, const unsigned char *mac_dec,
size_t maclen);
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_activate)(
mbedtls_ssl_context *ssl,
int direction );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_reset)(
mbedtls_ssl_context *ssl );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_write)(
mbedtls_ssl_context *ssl );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_read)(
mbedtls_ssl_context *ssl );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_finish)(
mbedtls_ssl_context *ssl );
#undef MBEDTLS_DEPRECATED
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
const unsigned char *key_enc, const unsigned char *key_dec,
size_t keylen,
const unsigned char *iv_enc, const unsigned char *iv_dec,
size_t ivlen,
const unsigned char *mac_enc, const unsigned char *mac_dec,
size_t maclen);
extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
/**
@ -3169,7 +3188,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
* \warning Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
* for security reasons. Use at your own risk.
*
* \note This function is deprecated and will likely be removed in
* \note This function is deprecated and will be removed in
* a future version of the library.
* RC4 is disabled by default at compile time and needs to be
* actively enabled for use with legacy systems.