From 09634248cb73f6cefac9bec432a7bdc642dd420c Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 29 Nov 2018 09:55:41 +0000 Subject: [PATCH 1/6] Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO --- ChangeLog | 4 ++++ include/mbedtls/check_config.h | 8 ++++++++ include/mbedtls/config.h | 23 +++++++++++++---------- 3 files changed, 25 insertions(+), 10 deletions(-) diff --git a/ChangeLog b/ChangeLog index e184c9670..b9f592a70 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,10 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS X.X.X branch released XXXX-XX-XX +New deprecations + * Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing + SSLv2 ClientHello messages. + Bugfix * Allow loading symlinked certificates. Fixes #3005. Reported and fixed by Jonathan Bennett via #3008. diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 6ebe6b7b6..489ba55fe 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -774,6 +774,14 @@ #error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously" #endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */ +#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_REMOVED) +#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" +#endif +#endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ + /* * Avoid warning from -pedantic. This is a convenient place for this * workaround since this is included by every single file before the diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 058969b73..7ed590270 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -233,27 +233,27 @@ /** * \def MBEDTLS_DEPRECATED_WARNING * - * Mark deprecated functions so that they generate a warning if used. - * Functions deprecated in one version will usually be removed in the next - * version. You can enable this to help you prepare the transition to a new - * major version by making sure your code is not using these functions. + * Mark deprecated functions and features so that they generate a warning if + * used. Functionality deprecated in one version will usually be removed in the + * next version. You can enable this to help you prepare the transition to a + * new major version by making sure your code is not using this functionality. * * This only works with GCC and Clang. With other compilers, you may want to * use MBEDTLS_DEPRECATED_REMOVED * - * Uncomment to get warnings on using deprecated functions. + * Uncomment to get warnings on using deprecated functions and features. */ //#define MBEDTLS_DEPRECATED_WARNING /** * \def MBEDTLS_DEPRECATED_REMOVED * - * Remove deprecated functions so that they generate an error if used. - * Functions deprecated in one version will usually be removed in the next - * version. You can enable this to help you prepare the transition to a new - * major version by making sure your code is not using these functions. + * Remove deprecated functions and features so that they generate an error if + * used. Functionality deprecated in one version will usually be removed in the + * next version. You can enable this to help you prepare the transition to a + * new major version by making sure your code is not using this functionality. * - * Uncomment to get errors on using deprecated functions. + * Uncomment to get errors on using deprecated functions and features. */ //#define MBEDTLS_DEPRECATED_REMOVED @@ -1571,6 +1571,9 @@ * Enable support for receiving and parsing SSLv2 Client Hello messages for the * SSL Server module (MBEDTLS_SSL_SRV_C). * + * \deprecated This option is deprecated and will likely be removed in a + * future version of Mbed TLS. + * * Uncomment this macro to enable support for SSLv2 Client Hello messages. */ //#define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO From 88c2cc721300700e024c81f2c9deb1cf660b1b4f Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Thu, 29 Nov 2018 09:56:02 +0000 Subject: [PATCH 2/6] Deprecate MBEDTLS_SSL_PROTO_SSL3 --- ChangeLog | 1 + include/mbedtls/check_config.h | 8 ++++++++ include/mbedtls/config.h | 3 +++ 3 files changed, 12 insertions(+) diff --git a/ChangeLog b/ChangeLog index b9f592a70..b3bb5f861 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,7 @@ mbed TLS ChangeLog (Sorted per branch, date) New deprecations * Deprecate MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO that enables parsing SSLv2 ClientHello messages. + * Deprecate MBEDTLS_SSL_PROTO_SSL3 that enables support for SSLv3. Bugfix * Allow loading symlinked certificates. Fixes #3005. Reported and fixed diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 489ba55fe..9372891c5 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -774,6 +774,14 @@ #error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously" #endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */ +#if defined(MBEDTLS_SSL_PROTO_SSL3) +#if defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_REMOVED) +#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" +#endif +#endif /* MBEDTLS_SSL_PROTO_SSL3 */ + #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) #if defined(MBEDTLS_DEPRECATED_WARNING) #warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 7ed590270..6eb37f7ba 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1605,6 +1605,9 @@ * Requires: MBEDTLS_MD5_C * MBEDTLS_SHA1_C * + * \deprecated This option is deprecated and will likely be removed in a + * future version of Mbed TLS. + * * Comment this macro to disable support for SSL 3.0 */ //#define MBEDTLS_SSL_PROTO_SSL3 From e58532e1dbe737dc8549940e1ddb29fe64e63ae9 Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Wed, 5 Dec 2018 20:29:07 +0000 Subject: [PATCH 3/6] Favour DEPRECATED_REMOVED over DEPRECATED_WARNING --- include/mbedtls/check_config.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 9372891c5..ca827dc19 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -775,18 +775,18 @@ #endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */ #if defined(MBEDTLS_SSL_PROTO_SSL3) -#if defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" -#elif defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_REMOVED) #error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" #endif #endif /* MBEDTLS_SSL_PROTO_SSL3 */ #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) -#if defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" -#elif defined(MBEDTLS_DEPRECATED_REMOVED) +#if defined(MBEDTLS_DEPRECATED_REMOVED) #error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" +#elif defined(MBEDTLS_DEPRECATED_WARNING) +#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" #endif #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ From 835b299e5eab7bbe01ae7b4129bc2ee59eb58dda Mon Sep 17 00:00:00 2001 From: Andres Amaya Garcia Date: Tue, 15 Jan 2019 19:36:00 +0000 Subject: [PATCH 4/6] Fix wording of deprecated docs for SSL2 and SSL3 features --- include/mbedtls/check_config.h | 8 ++++---- include/mbedtls/config.h | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ca827dc19..d95b71e53 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -776,17 +776,17 @@ #if defined(MBEDTLS_SSL_PROTO_SSL3) #if defined(MBEDTLS_DEPRECATED_REMOVED) -#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" +#error "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS" #elif defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will likely be removed in a future version of Mbed TLS" +#warning "MBEDTLS_SSL_PROTO_SSL3 is deprecated and will be removed in a future version of Mbed TLS" #endif #endif /* MBEDTLS_SSL_PROTO_SSL3 */ #if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO) #if defined(MBEDTLS_DEPRECATED_REMOVED) -#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" +#error "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS" #elif defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will likely be removed in a future version of Mbed TLS" +#warning "MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO is deprecated and will be removed in a future version of Mbed TLS" #endif #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */ diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 6eb37f7ba..a11a4f3b0 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1571,8 +1571,8 @@ * Enable support for receiving and parsing SSLv2 Client Hello messages for the * SSL Server module (MBEDTLS_SSL_SRV_C). * - * \deprecated This option is deprecated and will likely be removed in a - * future version of Mbed TLS. + * \deprecated This option is deprecated and will be removed in a future + * version of Mbed TLS. * * Uncomment this macro to enable support for SSLv2 Client Hello messages. */ @@ -1605,8 +1605,8 @@ * Requires: MBEDTLS_MD5_C * MBEDTLS_SHA1_C * - * \deprecated This option is deprecated and will likely be removed in a - * future version of Mbed TLS. + * \deprecated This option is deprecated and will be removed in a future + * version of Mbed TLS. * * Comment this macro to disable support for SSL 3.0 */ From 2b9ebce4e18f576043a1b35c5fd45abc223ed7d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 28 Jan 2020 12:30:06 +0100 Subject: [PATCH 5/6] Remove deprecated modules from config.py full --- scripts/config.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/config.py b/scripts/config.py index e01b9d541..e3ecfc62e 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -183,6 +183,8 @@ def include_in_full(name): 'MBEDTLS_REMOVE_ARC4_CIPHERSUITES', 'MBEDTLS_RSA_NO_CRT', 'MBEDTLS_SSL_HW_RECORD_ACCEL', + 'MBEDTLS_SSL_PROTO_SSL3', + 'MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO', 'MBEDTLS_TEST_NULL_ENTROPY', 'MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3', 'MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION', From 03035eb94354fb2c5c67054e218dc9ee85e7afef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 31 Jan 2020 12:40:36 +0100 Subject: [PATCH 6/6] Stop testing ssl3 when it isn't enabled We already have a specific component in all.sh for testing SSLv3, we don't need to also test it in components that aren't specifically about it. Previously config.py full enabled SSLv3, but it no longer does since it is deprecated. --- tests/scripts/all.sh | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index e76b9d422..628953482 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -912,9 +912,6 @@ component_test_no_use_psa_crypto_full_cmake_asan() { msg "test: compat.sh default (full minus MBEDTLS_USE_PSA_CRYPTO)" if_build_succeeded tests/compat.sh - msg "test: compat.sh ssl3 (full minus MBEDTLS_USE_PSA_CRYPTO)" - if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" tests/compat.sh -m 'ssl3' - msg "test: compat.sh RC4, DES & NULL (full minus MBEDTLS_USE_PSA_CRYPTO)" if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_CLI" GNUTLS_SERV="$GNUTLS_LEGACY_SERV" tests/compat.sh -e '3DES\|DES-CBC3' -f 'NULL\|DES\|RC4\|ARCFOUR'