diff --git a/ChangeLog b/ChangeLog index d9027eb61..09bb3cb03 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,22 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS 2.7.x branch released 2018-xx-xx +Default behavior changes + * The truncated HMAC extension now conforms to RFC 6066. This means + that when both sides of a TLS connection negotiate the truncated + HMAC extension, Mbed TLS can now interoperate with other + compliant implementations, but this breaks interoperability with + prior versions of Mbed TLS. To restore the old behavior, enable + the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in + config.h. Found by Andreas Walz (ivESK, Offenburg University of + Applied Sciences). + +Security + * Fix implementation of the truncated HMAC extension. The previous + implementation allowed an offline 2^80 brute force attack on the + HMAC key of a single, uninterrupted connection (with no + resumption of the session). + Bugfix * Fix the name of a DHE parameter that was accidentally changed in 2.7.0. Fixes #1358. diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1143aa268..be8033296 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -78,6 +78,10 @@ #error "MBEDTLS_DHM_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC) +#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_CMAC_C) && \ !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C) #error "MBEDTLS_CMAC_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 79eedffdd..1c98558eb 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1411,6 +1411,30 @@ */ #define MBEDTLS_SSL_TRUNCATED_HMAC +/** + * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + * + * Fallback to old (pre-2.7), non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. Note that this option is + * only meant for a transitory upgrade period and is likely to be removed in + * a future version of the library. + * + * \warning The old implementation is non-compliant and has a security weakness + * (2^80 brute force attack on the HMAC key used for a single, + * uninterrupted connection). This should only be enabled temporarily + * when (1) the use of truncated HMAC is essential in order to save + * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use + * the fixed implementation yet (pre-2.7). + * + * \deprecated This option is deprecated and will likely be removed in a + * future version of Mbed TLS. + * + * Uncomment to fallback to old, non-compliant truncated HMAC implementation. + * + * Requires: MBEDTLS_SSL_TRUNCATED_HMAC + */ +//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + /** * \def MBEDTLS_THREADING_ALT * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 617dedb1b..ff52104ff 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -501,6 +501,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) unsigned char *key2; unsigned char *mac_enc; unsigned char *mac_dec; + size_t mac_key_len; size_t iv_copy_len; const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; @@ -692,6 +693,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) cipher_info->mode == MBEDTLS_MODE_CCM ) { transform->maclen = 0; + mac_key_len = 0; transform->ivlen = 12; transform->fixed_ivlen = 4; @@ -712,7 +714,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } /* Get MAC length */ - transform->maclen = mbedtls_md_get_size( md_info ); + mac_key_len = mbedtls_md_get_size( md_info ); + transform->maclen = mac_key_len; #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) /* @@ -721,7 +724,16 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * so we only need to adjust the length here. */ if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) + { transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; + +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + /* Fall back to old, non-compliant version of the truncated + * HMAC implementation which also truncates the key + * (Mbed TLS versions from 1.3 to 2.6.0) */ + mac_key_len = transform->maclen; +#endif + } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ /* IV length */ @@ -783,11 +795,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - key1 = keyblk + transform->maclen * 2; - key2 = keyblk + transform->maclen * 2 + transform->keylen; + key1 = keyblk + mac_key_len * 2; + key2 = keyblk + mac_key_len * 2 + transform->keylen; mac_enc = keyblk; - mac_dec = keyblk + transform->maclen; + mac_dec = keyblk + mac_key_len; /* * This is not used in TLS v1.1. @@ -803,10 +815,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - key1 = keyblk + transform->maclen * 2 + transform->keylen; - key2 = keyblk + transform->maclen * 2; + key1 = keyblk + mac_key_len * 2 + transform->keylen; + key2 = keyblk + mac_key_len * 2; - mac_enc = keyblk + transform->maclen; + mac_enc = keyblk + mac_key_len; mac_dec = keyblk; /* @@ -828,14 +840,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { - if( transform->maclen > sizeof transform->mac_enc ) + if( mac_key_len > sizeof transform->mac_enc ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - memcpy( transform->mac_enc, mac_enc, transform->maclen ); - memcpy( transform->mac_dec, mac_dec, transform->maclen ); + memcpy( transform->mac_enc, mac_enc, mac_key_len ); + memcpy( transform->mac_dec, mac_dec, mac_key_len ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 */ @@ -843,8 +855,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { - mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); - mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); + mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); + mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); } else #endif @@ -864,7 +876,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) transform->iv_enc, transform->iv_dec, iv_copy_len, mac_enc, mac_dec, - transform->maclen ) ) != 0 ) + mac_key_len ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); @@ -877,7 +889,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { ssl->conf->f_export_keys( ssl->conf->p_export_keys, session->master, keyblk, - transform->maclen, transform->keylen, + mac_key_len, transform->keylen, iv_copy_len ); } #endif diff --git a/library/version_features.c b/library/version_features.c index 72afec2da..da47e3d75 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -468,6 +468,9 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) "MBEDTLS_SSL_TRUNCATED_HMAC", #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT", +#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */ #if defined(MBEDTLS_THREADING_ALT) "MBEDTLS_THREADING_ALT", #endif /* MBEDTLS_THREADING_ALT */ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fbdd69402..2d6b71af0 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -839,34 +839,89 @@ run_test "Truncated HMAC: client default, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server default" \ "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server default" \ "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC: client disabled, server enabled" \ + "$P_SRV debug_level=4 trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ + 0 \ + -S "dumping 'expected mac' (20 bytes)" \ + -s "dumping 'expected mac' (10 bytes)" + +run_test "Truncated HMAC, DTLS: client default, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client disabled, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server enabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" @@ -3385,26 +3440,56 @@ run_test "Small packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher without EtM" \ +run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ - "$P_SRV" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +run_test "Small packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3415,10 +3500,26 @@ run_test "Small packet TLS 1.1 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher without EtM" \ +run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3429,19 +3530,26 @@ run_test "Small packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ - "$P_SRV" \ +run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3452,10 +3560,10 @@ run_test "Small packet TLS 1.2 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher without EtM" \ +run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3466,11 +3574,19 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ - "$P_SRV" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3481,11 +3597,26 @@ run_test "Small packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3503,6 +3634,76 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \ 0 \ -s "Read from client: 1 bytes read" +# Tests for small packets in DTLS + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.0" \ + "$P_SRV dtls=1 force_version=dtls1" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.0, without EtM" \ + "$P_SRV dtls=1 force_version=dtls1 etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.0, truncated hmac" \ + "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ + "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ + "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.2" \ + "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.2, without EtM" \ + "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.2, truncated hmac" \ + "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ + "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ + 0 \ + -s "Read from client: 1 bytes read" + # A test for extensions in SSLv3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 @@ -3541,20 +3742,57 @@ run_test "Large packet TLS 1.0 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.0 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" @@ -3567,6 +3805,29 @@ run_test "Large packet TLS 1.1 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.1 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3575,20 +3836,27 @@ run_test "Large packet TLS 1.1 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ - "$P_SRV" \ +run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" @@ -3601,6 +3869,13 @@ run_test "Large packet TLS 1.2 BlockCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3609,11 +3884,19 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ - "$P_SRV" \ +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" @@ -3626,11 +3909,26 @@ run_test "Large packet TLS 1.2 StreamCipher" \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -c "16384 bytes written in 1 fragments" \ -s "Read from client: 16384 bytes read"