From 81c7b183517100bd94a2c21e121f63acbf18d620 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 9 Nov 2017 18:39:33 +0000 Subject: [PATCH 01/19] Don't truncate MAC key when truncated HMAC is negotiated The truncated HMAC extension as described in https://tools.ietf.org/html/rfc6066.html#section-7 specifies that when truncated HMAC is used, only the HMAC output should be truncated, while the HMAC key generation stays unmodified. This commit fixes Mbed TLS's behavior of also truncating the key, potentially leading to compatibility issues with peers running other stacks than Mbed TLS. Details: The keys for the MAC are pieces of the keyblock that's generated from the master secret in `mbedtls_ssl_derive_keys` through the PRF, their size being specified as the size of the digest used for the MAC, regardless of whether truncated HMAC is enabled or not. /----- MD size ------\ /------- MD size ----\ Keyblock +----------------------+----------------------+------------------+--- now | MAC enc key | MAC dec key | Enc key | ... (correct) +----------------------+----------------------+------------------+--- In the previous code, when truncated HMAC was enabled, the HMAC keys were truncated to 10 bytes: /-10 bytes-\ /-10 bytes-\ Keyblock +-------------+-------------+------------------+--- previously | MAC enc key | MAC dec key | Enc key | ... (wrong) +-------------+-------------+------------------+--- The reason for this was that a single variable `transform->maclen` was used for both the keysize and the size of the final MAC, and its value was reduced from the MD size to 10 bytes in case truncated HMAC was negotiated. This commit fixes this by introducing a temporary variable `mac_key_len` which permanently holds the MD size irrespective of the presence of truncated HMAC, and using this temporary to obtain the MAC key chunks from the keyblock. --- library/ssl_tls.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 341eb7d01..eda49d656 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -490,6 +490,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) unsigned char *key2; unsigned char *mac_enc; unsigned char *mac_dec; + size_t mac_key_len; size_t iv_copy_len; const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; @@ -681,6 +682,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) cipher_info->mode == MBEDTLS_MODE_CCM ) { transform->maclen = 0; + mac_key_len = 0; transform->ivlen = 12; transform->fixed_ivlen = 4; @@ -701,7 +703,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) } /* Get MAC length */ - transform->maclen = mbedtls_md_get_size( md_info ); + mac_key_len = mbedtls_md_get_size( md_info ); + transform->maclen = mac_key_len; #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) /* @@ -772,11 +775,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_CLI_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) { - key1 = keyblk + transform->maclen * 2; - key2 = keyblk + transform->maclen * 2 + transform->keylen; + key1 = keyblk + mac_key_len * 2; + key2 = keyblk + mac_key_len * 2 + transform->keylen; mac_enc = keyblk; - mac_dec = keyblk + transform->maclen; + mac_dec = keyblk + mac_key_len; /* * This is not used in TLS v1.1. @@ -792,10 +795,10 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - key1 = keyblk + transform->maclen * 2 + transform->keylen; - key2 = keyblk + transform->maclen * 2; + key1 = keyblk + mac_key_len * 2 + transform->keylen; + key2 = keyblk + mac_key_len * 2; - mac_enc = keyblk + transform->maclen; + mac_enc = keyblk + mac_key_len; mac_dec = keyblk; /* @@ -817,14 +820,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_PROTO_SSL3) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) { - if( transform->maclen > sizeof transform->mac_enc ) + if( mac_key_len > sizeof transform->mac_enc ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - memcpy( transform->mac_enc, mac_enc, transform->maclen ); - memcpy( transform->mac_dec, mac_dec, transform->maclen ); + memcpy( transform->mac_enc, mac_enc, mac_key_len ); + memcpy( transform->mac_dec, mac_dec, mac_key_len ); } else #endif /* MBEDTLS_SSL_PROTO_SSL3 */ @@ -832,8 +835,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) defined(MBEDTLS_SSL_PROTO_TLS1_2) if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) { - mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, transform->maclen ); - mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, transform->maclen ); + mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len ); + mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len ); } else #endif @@ -853,7 +856,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) transform->iv_enc, transform->iv_dec, iv_copy_len, mac_enc, mac_dec, - transform->maclen ) ) != 0 ) + mac_key_len ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); @@ -866,7 +869,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { ssl->conf->f_export_keys( ssl->conf->p_export_keys, session->master, keyblk, - transform->maclen, transform->keylen, + mac_key_len, transform->keylen, iv_copy_len ); } #endif From 32c550141fb1fe36f1ed0d027f7007a459237a1e Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 08:42:54 +0000 Subject: [PATCH 02/19] Add missing dependencies on trunc HMAC ext in ssl-opt.sh Noticed that the test cases in ssl-opt.sh exercising the truncated HMAC extension do not depend on MBEDTLS_SSL_TRUNCATED_HMAC being enabled in config.h. This commit fixes this. --- tests/ssl-opt.sh | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index bbf117272..93fa3c426 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -832,6 +832,7 @@ run_test "Truncated HMAC: client default, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -840,6 +841,7 @@ run_test "Truncated HMAC: client disabled, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server default" \ "$P_SRV debug_level=4" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -848,6 +850,7 @@ run_test "Truncated HMAC: client enabled, server default" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -856,6 +859,7 @@ run_test "Truncated HMAC: client enabled, server disabled" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ @@ -3288,6 +3292,7 @@ run_test "Small packet TLS 1.0 BlockCipher without EtM" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ @@ -3296,6 +3301,7 @@ run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ @@ -3325,6 +3331,7 @@ run_test "Small packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ @@ -3333,6 +3340,7 @@ run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ @@ -3362,6 +3370,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -3377,6 +3386,7 @@ run_test "Small packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -3434,6 +3444,7 @@ run_test "Large packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ @@ -3442,6 +3453,7 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ @@ -3464,6 +3476,7 @@ run_test "Large packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3472,6 +3485,7 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3494,6 +3508,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3509,6 +3524,7 @@ run_test "Large packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ From 8501f98ec48d045b2b3b8a3116aaf02772b6c34f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 08:59:04 +0000 Subject: [PATCH 03/19] Extend small packet tests for TLS This commit ensures that there is a small packet test for at least any combination of - SSL/TLS version: SSLv3, TLS 1.0, TLS 1.1 or TLS 1.2 - Stream cipher (RC4) or Block cipher (AES) - Usage of Encrypt then MAC extension [TLS only] - Usage of truncated HMAC extension [TLS only] --- tests/ssl-opt.sh | 127 ++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 110 insertions(+), 17 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 93fa3c426..558f6daca 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3285,7 +3285,7 @@ run_test "Small packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.0 BlockCipher without EtM" \ +run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 etm=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ @@ -3293,7 +3293,7 @@ run_test "Small packet TLS 1.0 BlockCipher without EtM" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ +run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3302,7 +3302,32 @@ run_test "Small packet TLS 1.0 BlockCipher truncated MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +run_test "Small packet TLS 1.0 StreamCipher" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3310,6 +3335,16 @@ run_test "Small packet TLS 1.0 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + run_test "Small packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ @@ -3317,10 +3352,30 @@ run_test "Small packet TLS 1.1 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.1 BlockCipher without EtM" \ +run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_1 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 \ + etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3331,21 +3386,30 @@ run_test "Small packet TLS 1.1 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" -requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 BlockCipher truncated MAC" \ - "$P_SRV" \ +run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.1 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + trunc_hmac=1 \ + etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3356,10 +3420,11 @@ run_test "Small packet TLS 1.2 BlockCipher" \ 0 \ -s "Read from client: 1 bytes read" -run_test "Small packet TLS 1.2 BlockCipher without EtM" \ +run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ - "$P_CLI request_size=1 force_version=tls1_2 etm=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3371,7 +3436,7 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ +run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3379,6 +3444,16 @@ run_test "Small packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + run_test "Small packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ @@ -3386,8 +3461,16 @@ run_test "Small packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 1 bytes read" +run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ +run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3395,6 +3478,16 @@ run_test "Small packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 1 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=1 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 \ + etm=0" \ + 0 \ + -s "Read from client: 1 bytes read" + run_test "Small packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ From 278fc7aedd9d4c274abc849c297e91ba58d7f79b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 09:16:28 +0000 Subject: [PATCH 04/19] Extend large packet tests for TLS Same as previous commit, but for large packet tests. --- tests/ssl-opt.sh | 125 +++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 115 insertions(+), 10 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 558f6daca..9a28de20b 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3537,8 +3537,15 @@ run_test "Large packet TLS 1.0 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3547,7 +3554,31 @@ run_test "Large packet TLS 1.0 BlockCipher truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.0 StreamCipher" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3555,6 +3586,15 @@ run_test "Large packet TLS 1.0 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.1 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ @@ -3562,15 +3602,15 @@ run_test "Large packet TLS 1.1 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" -run_test "Large packet TLS 1.1 StreamCipher" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ - "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ +run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_1 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3579,7 +3619,31 @@ run_test "Large packet TLS 1.1 BlockCipher truncated MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.1 StreamCipher" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + +run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3587,6 +3651,15 @@ run_test "Large packet TLS 1.1 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_1 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 BlockCipher" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3594,6 +3667,13 @@ run_test "Large packet TLS 1.2 BlockCipher" \ 0 \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.2 BlockCipher, without EtM" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_2 etm=0 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3602,7 +3682,7 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ +run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3610,6 +3690,15 @@ run_test "Large packet TLS 1.2 BlockCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ + "$P_SRV" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 StreamCipher" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ @@ -3617,8 +3706,15 @@ run_test "Large packet TLS 1.2 StreamCipher" \ 0 \ -s "Read from client: 16384 bytes read" +run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC -run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ +run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ @@ -3626,6 +3722,15 @@ run_test "Large packet TLS 1.2 StreamCipher truncated MAC" \ 0 \ -s "Read from client: 16384 bytes read" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_CLI request_size=16384 force_version=tls1_2 \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ + 0 \ + -s "Read from client: 16384 bytes read" + run_test "Large packet TLS 1.2 AEAD" \ "$P_SRV" \ "$P_CLI request_size=16384 force_version=tls1_2 \ From e2148046250e13b0e7235aa6871e410b6ff2462f Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 08:59:18 +0000 Subject: [PATCH 05/19] Add small packet tests for DTLS Add a DTLS small packet test for each of the following combinations: - DTLS version: 1.0 or 1.2 - Encrypt then MAC extension enabled - Truncated HMAC extension enabled Large packets tests for DTLS are currently not possible due to parameter constraints in ssl_server2. --- tests/ssl-opt.sh | 76 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 9a28de20b..0082f6a32 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3502,6 +3502,82 @@ run_test "Small packet TLS 1.2 AEAD shorter tag" \ 0 \ -s "Read from client: 1 bytes read" +# Tests for small packets in DTLS + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.0" \ + "$P_SRV dtls=1 force_version=dtls1" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.0, without EtM" \ + "$P_SRV dtls=1 force_version=dtls1 etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.0, truncated hmac" \ + "$P_SRV dtls=1 force_version=dtls1" \ + "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ + "$P_SRV dtls=1 force_version=dtls1 \ + etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1"\ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.2" \ + "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +run_test "Small packet DTLS 1.2, without EtM" \ + "$P_SRV dtls=1 force_version=dtls1_2 \ + etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.2, truncated hmac" \ + "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "Read from client: 1 bytes read" + +requires_config_enabled MBEDTLS_SSL_PROTO_DTLS +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ + "$P_SRV dtls=1 force_version=dtls1_2 \ + etm=0" \ + "$P_CLI dtls=1 request_size=1 \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ + trunc_hmac=1"\ + 0 \ + -s "Read from client: 1 bytes read" + # A test for extensions in SSLv3 requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 From 34d0c3f02e79b13806da43e380a9bf42a556dba1 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 17 Nov 2017 15:46:24 +0000 Subject: [PATCH 06/19] Add missing truncated HMAC test for TLS The case 'Client disabled, Server enabled' was missing. --- tests/ssl-opt.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0082f6a32..8697db922 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -859,6 +859,15 @@ run_test "Truncated HMAC: client enabled, server disabled" \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC: client disabled, server enabled" \ + "$P_SRV debug_level=4 trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ From 4c4f41030cc2ac0869832a8b40dc3d3cf3b1cba7 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 10 Nov 2017 09:16:05 +0000 Subject: [PATCH 07/19] Add truncated HMAC extension tests for DTLS --- tests/ssl-opt.sh | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 8697db922..46c267dd4 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -877,6 +877,58 @@ run_test "Truncated HMAC: client enabled, server enabled" \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" +run_test "Truncated HMAC, DTLS: client default, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client disabled, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server default" \ + "$P_SRV dtls=1 debug_level=4" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=0" \ + 0 \ + -s "dumping 'expected mac' (20 bytes)" \ + -S "dumping 'expected mac' (10 bytes)" + +requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC +run_test "Truncated HMAC, DTLS: client enabled, server enabled" \ + "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ + trunc_hmac=1" \ + 0 \ + -S "dumping 'expected mac' (20 bytes)" \ + -s "dumping 'expected mac' (10 bytes)" + # Tests for Encrypt-then-MAC extension run_test "Encrypt then MAC: default" \ From 8d19bcf37ff7fe26127d2a6c2f2e52c44137fe8d Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 16 Nov 2017 17:39:34 +0000 Subject: [PATCH 08/19] Adapt ChangeLog --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index ee85a9ba3..fcf101956 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,9 @@ Features * Allow comments in test data files. Bugfix + * Fix wrong implementation of truncated HMAC extension leading to + compatibility problems with peers not running Mbed TLS. Found by + Andreas Walz. * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. From e89353a6b4aaa91a9e7a89ae047174928699fa19 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 20 Nov 2017 16:36:41 +0000 Subject: [PATCH 09/19] Add fallback to non-compliant truncated HMAC for compatibiltiy In case truncated HMAC must be used but the Mbed TLS peer hasn't been updated yet, one can use the compile-time option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT to temporarily fall back to the old, non-compliant implementation of the truncated HMAC extension. --- include/mbedtls/check_config.h | 4 ++++ include/mbedtls/config.h | 16 ++++++++++++++++ library/ssl_tls.c | 8 ++++++++ 3 files changed, 28 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index fa72454e5..bc77b216f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -77,6 +77,10 @@ #error "MBEDTLS_DHM_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) && !defined(MBEDTLS_SSL_TRUNCATED_HMAC) +#error "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_CMAC_C) && \ !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C) #error "MBEDTLS_CMAC_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 47c719640..de49d3af9 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1363,6 +1363,22 @@ */ #define MBEDTLS_SSL_TRUNCATED_HMAC +/** + * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + * + * Fallback to old, non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. + * + * \warning This should only be enabled temporarily when the use + * of truncated HMAC is mandatory *and* the peer is an Mbed TLS + * stack that doesn't use the fixed implementation yet. + * + * Uncomment to fallback to old, non-compliant truncated HMAC implementation. + * + * Requires: MBEDTLS_SSL_TRUNCATED_HMAC + */ +//#define MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT + /** * \def MBEDTLS_THREADING_ALT * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index eda49d656..62de5f274 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -713,7 +713,15 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * so we only need to adjust the length here. */ if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED ) + { transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN; + +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + /* Fall back to old, non-compliant version of the truncated + * HMAC implementation which also truncates the key. */ + mac_key_len = transform->maclen; +#endif + } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ /* IV length */ From 45ee7877d0e5abdae81eb5388069a032ddafa3df Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 20 Nov 2017 16:45:37 +0000 Subject: [PATCH 10/19] Correct truncated HMAC tests in ssl-opt.sh Many truncated HMAC tests were missing the `trunc_hmac=1` for the server application, thereby not testing the extension. --- tests/ssl-opt.sh | 83 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 56 insertions(+), 27 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 46c267dd4..fa10e0e62 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3355,7 +3355,8 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3364,7 +3365,8 @@ run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 \ @@ -3389,7 +3391,8 @@ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3398,7 +3401,8 @@ run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 \ @@ -3423,7 +3427,8 @@ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3432,7 +3437,8 @@ run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 \ @@ -3457,7 +3463,8 @@ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3466,7 +3473,8 @@ run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 \ @@ -3498,7 +3506,8 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3507,7 +3516,8 @@ run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 \ @@ -3532,7 +3542,8 @@ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3541,7 +3552,8 @@ run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 \ @@ -3584,8 +3596,10 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1" \ - "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ + "$P_SRV dtls=1 force_version=dtls1 \ + trunc_hmac=1" \ + "$P_CLI dtls=1 request_size=1 \ + trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" @@ -3594,6 +3608,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1 \ + trunc_hmac=1 \ etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3621,7 +3636,8 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1_2" \ + "$P_SRV dtls=1 force_version=dtls1_2 \ + trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3632,6 +3648,7 @@ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ "$P_SRV dtls=1 force_version=dtls1_2 \ + trunc_hmac=1 \ etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ @@ -3683,7 +3700,8 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3692,7 +3710,8 @@ run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3716,7 +3735,8 @@ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3725,7 +3745,8 @@ run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ @@ -3748,7 +3769,8 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3757,7 +3779,8 @@ run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 etm=0" \ @@ -3781,7 +3804,8 @@ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3790,7 +3814,8 @@ run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ @@ -3820,7 +3845,8 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1" \ @@ -3829,7 +3855,8 @@ run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV" \ + "$P_SRV \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ trunc_hmac=1 etm=0" \ @@ -3852,7 +3879,8 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1" \ @@ -3861,7 +3889,8 @@ run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ trunc_hmac=1 etm=0" \ From 909f9a389a8f5ac5feff1977f7b85e90687373f3 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Nov 2017 17:10:12 +0000 Subject: [PATCH 11/19] Improve style in tests/ssl-opt.sh Try to avoid line breaks in server and client command line arguments to ease reading of test cases. --- tests/ssl-opt.sh | 232 +++++++++++++++-------------------------------- 1 file changed, 75 insertions(+), 157 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index fa10e0e62..b19cf6084 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -835,8 +835,7 @@ run_test "Truncated HMAC: client default, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server default" \ "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -844,8 +843,7 @@ run_test "Truncated HMAC: client disabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server default" \ "$P_SRV debug_level=4" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -853,8 +851,7 @@ run_test "Truncated HMAC: client enabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server disabled" \ "$P_SRV debug_level=4 trunc_hmac=0" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -862,8 +859,7 @@ run_test "Truncated HMAC: client enabled, server disabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client disabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -871,8 +867,7 @@ run_test "Truncated HMAC: client disabled, server enabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC: client enabled, server enabled" \ "$P_SRV debug_level=4 trunc_hmac=1" \ - "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" @@ -887,8 +882,7 @@ run_test "Truncated HMAC, DTLS: client default, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client disabled, server default" \ "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -896,8 +890,7 @@ run_test "Truncated HMAC, DTLS: client disabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client enabled, server default" \ "$P_SRV dtls=1 debug_level=4" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -905,8 +898,7 @@ run_test "Truncated HMAC, DTLS: client enabled, server default" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ "$P_SRV dtls=1 debug_level=4 trunc_hmac=0" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -914,8 +906,7 @@ run_test "Truncated HMAC, DTLS: client enabled, server disabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=0" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=0" \ 0 \ -s "dumping 'expected mac' (20 bytes)" \ -S "dumping 'expected mac' (10 bytes)" @@ -923,8 +914,7 @@ run_test "Truncated HMAC, DTLS: client disabled, server enabled" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Truncated HMAC, DTLS: client enabled, server enabled" \ "$P_SRV dtls=1 debug_level=4 trunc_hmac=1" \ - "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA \ - trunc_hmac=1" \ + "$P_CLI dtls=1 force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA trunc_hmac=1" \ 0 \ -S "dumping 'expected mac' (20 bytes)" \ -s "dumping 'expected mac' (10 bytes)" @@ -3355,22 +3345,17 @@ run_test "Small packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3384,29 +3369,23 @@ run_test "Small packet TLS 1.0 StreamCipher" \ run_test "Small packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ - "$P_CLI request_size=1 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 \ - etm=0" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ + "$P_CLI request_size=1 force_version=tls1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ + trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3420,29 +3399,23 @@ run_test "Small packet TLS 1.1 BlockCipher" \ run_test "Small packet TLS 1.1 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3456,29 +3429,23 @@ run_test "Small packet TLS 1.1 StreamCipher" \ run_test "Small packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3492,8 +3459,7 @@ run_test "Small packet TLS 1.2 BlockCipher" \ run_test "Small packet TLS 1.2 BlockCipher, without EtM" \ "$P_SRV" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3506,22 +3472,17 @@ run_test "Small packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3535,29 +3496,23 @@ run_test "Small packet TLS 1.2 StreamCipher" \ run_test "Small packet TLS 1.2 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=1 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 1 bytes read" @@ -3596,10 +3551,8 @@ run_test "Small packet DTLS 1.0, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1 \ - trunc_hmac=1" \ - "$P_CLI dtls=1 request_size=1 \ - trunc_hmac=1 \ + "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1" \ + "$P_CLI dtls=1 request_size=1 trunc_hmac=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ -s "Read from client: 1 bytes read" @@ -3607,12 +3560,9 @@ run_test "Small packet DTLS 1.0, truncated hmac" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.0, without EtM, truncated MAC" \ - "$P_SRV dtls=1 force_version=dtls1 \ - trunc_hmac=1 \ - etm=0" \ + "$P_SRV dtls=1 force_version=dtls1 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1"\ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" @@ -3626,8 +3576,7 @@ run_test "Small packet DTLS 1.2" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS run_test "Small packet DTLS 1.2, without EtM" \ - "$P_SRV dtls=1 force_version=dtls1_2 \ - etm=0" \ + "$P_SRV dtls=1 force_version=dtls1_2 etm=0" \ "$P_CLI dtls=1 request_size=1 \ force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA" \ 0 \ @@ -3636,23 +3585,18 @@ run_test "Small packet DTLS 1.2, without EtM" \ requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, truncated hmac" \ - "$P_SRV dtls=1 force_version=dtls1_2 \ - trunc_hmac=1" \ + "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1" \ "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 1 bytes read" requires_config_enabled MBEDTLS_SSL_PROTO_DTLS requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Small packet DTLS 1.2, without EtM, truncated MAC" \ - "$P_SRV dtls=1 force_version=dtls1_2 \ - trunc_hmac=1 \ - etm=0" \ + "$P_SRV dtls=1 force_version=dtls1_2 trunc_hmac=1 etm=0" \ "$P_CLI dtls=1 request_size=1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1"\ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1"\ 0 \ -s "Read from client: 1 bytes read" @@ -3700,21 +3644,17 @@ run_test "Large packet TLS 1.0 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 etm=0 recsplit=0 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3728,28 +3668,23 @@ run_test "Large packet TLS 1.0 StreamCipher" \ run_test "Large packet TLS 1.0 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.0 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3769,21 +3704,17 @@ run_test "Large packet TLS 1.1 BlockCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3797,28 +3728,23 @@ run_test "Large packet TLS 1.1 StreamCipher" \ run_test "Large packet TLS 1.1 StreamCipher, without EtM" \ "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA etm=0" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.1 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_1 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3845,21 +3771,17 @@ run_test "Large packet TLS 1.2 BlockCipher larger MAC" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 BlockCipher, without EtM, truncated MAC" \ - "$P_SRV \ - trunc_hmac=1" \ + "$P_SRV trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-AES-256-CBC-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" @@ -3879,21 +3801,17 @@ run_test "Large packet TLS 1.2 StreamCipher, without EtM" \ requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ 0 \ -s "Read from client: 16384 bytes read" requires_config_enabled MBEDTLS_SSL_TRUNCATED_HMAC run_test "Large packet TLS 1.2 StreamCipher, without EtM, truncated MAC" \ - "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1" \ + "$P_SRV arc4=1 force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1" \ "$P_CLI request_size=16384 force_version=tls1_2 \ - force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA \ - trunc_hmac=1 etm=0" \ + force_ciphersuite=TLS-RSA-WITH-RC4-128-SHA trunc_hmac=1 etm=0" \ 0 \ -s "Read from client: 16384 bytes read" From 563423fb21d6d5dcbdd616af496038e2209c6f65 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Nov 2017 17:20:17 +0000 Subject: [PATCH 12/19] Improve documentation of MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT option Explain more clearly when this option should be used and which versions of Mbed TLS build on the non-compliant implementation. --- include/mbedtls/config.h | 7 ++++--- library/ssl_tls.c | 3 ++- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index de49d3af9..fa935c798 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1369,9 +1369,10 @@ * Fallback to old, non-conforming implementation of the truncated * HMAC extension which also truncates the HMAC key. * - * \warning This should only be enabled temporarily when the use - * of truncated HMAC is mandatory *and* the peer is an Mbed TLS - * stack that doesn't use the fixed implementation yet. + * \warning This should only be enabled temporarily when (1) the use of + * truncated HMAC is essential in order to save bandwidth, and + * (2) the peer is an Mbed TLS stack that doesn't use the fixed + * implementation yet (version number <= 2.6.0). * * Uncomment to fallback to old, non-compliant truncated HMAC implementation. * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 62de5f274..3cd1d6299 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -718,7 +718,8 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) /* Fall back to old, non-compliant version of the truncated - * HMAC implementation which also truncates the key. */ + * HMAC implementation which also truncates the key + * (Mbed TLS versions from 1.3 to 2.6.0) */ mac_key_len = transform->maclen; #endif } From 4c2ac7ef582505c780d957b96ee951e835d0e4e4 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 21 Nov 2017 18:22:53 +0000 Subject: [PATCH 13/19] Deprecate MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT --- include/mbedtls/config.h | 3 +++ library/ssl_tls.c | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index fa935c798..6082d46b8 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1374,6 +1374,9 @@ * (2) the peer is an Mbed TLS stack that doesn't use the fixed * implementation yet (version number <= 2.6.0). * + * \deprecated This option is deprecated and will likely be removed in a + * future version of Mbed TLS. + * * Uncomment to fallback to old, non-compliant truncated HMAC implementation. * * Requires: MBEDTLS_SSL_TRUNCATED_HMAC diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3cd1d6299..8bab9139f 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -721,6 +721,13 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * HMAC implementation which also truncates the key * (Mbed TLS versions from 1.3 to 2.6.0) */ mac_key_len = transform->maclen; + +#if defined(MBEDTLS_DEPRECATED_WARNING) +#warning MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT is deprecated and should only be \ + enabled temporarily when (1) the use of truncated HMAC is essential in order \ + to save bandwidth, and (2) the peer is an Mbed TLS stack that doesn not use the \ + fixed implementation yet (version number <= 2.6.0). +#endif #endif } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ From 702dfbcf1374ad4af09df291b4dad217ee78ef72 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 Nov 2017 16:35:46 +0000 Subject: [PATCH 14/19] Improve documentation of truncated HMAC fallback option --- include/mbedtls/config.h | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 6082d46b8..6a04d6e65 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1366,13 +1366,17 @@ /** * \def MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT * - * Fallback to old, non-conforming implementation of the truncated - * HMAC extension which also truncates the HMAC key. + * Fallback to old (pre-2.7), non-conforming implementation of the truncated + * HMAC extension which also truncates the HMAC key. Note that this option is + * only meant for a transitory upgrade period and is likely to be removed in + * a future version of the library. * - * \warning This should only be enabled temporarily when (1) the use of - * truncated HMAC is essential in order to save bandwidth, and - * (2) the peer is an Mbed TLS stack that doesn't use the fixed - * implementation yet (version number <= 2.6.0). + * \warning The old implementation is non-compliant and has a security weakness + * (2^80 brute force attack on the HMAC key used for a single, + * uninterrupted connection). This should only be enabled temporarily + * when (1) the use of truncated HMAC is essential in order to save + * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use + * the fixed implementation yet (pre-2.7). * * \deprecated This option is deprecated and will likely be removed in a * future version of Mbed TLS. From 1df4923eb16086585c16102a9862f88b6108ac4b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 Nov 2017 16:36:02 +0000 Subject: [PATCH 15/19] Remove compile-time deprecation warning for TRUNCATED_HMAC_COMPAT --- library/ssl_tls.c | 7 ------- 1 file changed, 7 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8bab9139f..3cd1d6299 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -721,13 +721,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) * HMAC implementation which also truncates the key * (Mbed TLS versions from 1.3 to 2.6.0) */ mac_key_len = transform->maclen; - -#if defined(MBEDTLS_DEPRECATED_WARNING) -#warning MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT is deprecated and should only be \ - enabled temporarily when (1) the use of truncated HMAC is essential in order \ - to save bandwidth, and (2) the peer is an Mbed TLS stack that doesn not use the \ - fixed implementation yet (version number <= 2.6.0). -#endif #endif } #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ From 004198adb348f1c0de079065096267d95b833f95 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 29 Nov 2017 16:57:06 +0000 Subject: [PATCH 16/19] Update ChangeLog --- ChangeLog | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index fcf101956..1ea2a2ba2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,14 +9,16 @@ Security corrupt 6 bytes on the peer's heap, potentially leading to crash or remote code execution. This can be triggered remotely from either side in both TLS and DTLS. + * Fix implementation of truncated HMAC extension leading to + compatibility problems with non Mbed TLS peers and allowing + an offline 2^80 brute force attack on the HMAC key of a single, + uninterrupted (excluding session resumption) connection. + Found by Andreas Walz. Features * Allow comments in test data files. Bugfix - * Fix wrong implementation of truncated HMAC extension leading to - compatibility problems with peers not running Mbed TLS. Found by - Andreas Walz. * Fix ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section 4.1.2.7. * Fix memory leak in mbedtls_ssl_set_hostname() when called multiple times. From 5dcae51cd981bafefc7c6546543267f7944b3008 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Dec 2017 15:03:22 +0000 Subject: [PATCH 17/19] Add affiliation of bug reporter to credits in the ChangeLog --- ChangeLog | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 1ea2a2ba2..a15bdd153 100644 --- a/ChangeLog +++ b/ChangeLog @@ -13,7 +13,8 @@ Security compatibility problems with non Mbed TLS peers and allowing an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted (excluding session resumption) connection. - Found by Andreas Walz. + Found by Andreas Walz (ivESK, Offenburg University of Applied + Sciences). Features * Allow comments in test data files. From 04f9bd028f7c687888f339dcd7b895315a460c03 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 22 Feb 2018 15:22:44 +0100 Subject: [PATCH 18/19] Note incompatibility of truncated HMAC extension in ChangeLog The change in the truncated HMAC extension aligns Mbed TLS with the standard, but breaks interoperability with previous versions. Indicate this in the ChangeLog, as well as how to restore the old behavior. --- ChangeLog | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/ChangeLog b/ChangeLog index a15bdd153..635b509c3 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,19 +2,21 @@ mbed TLS ChangeLog (Sorted per branch, date) = mbed TLS x.x.x branch released xxxx-xx-xx +Default behavior changes + * The truncated HMAC extension now conforms to RFC 6066. This means + that when both sides of a TLS connection negotiate the truncated + HMAC extension, Mbed TLS can now interoperate with other + compliant implementations, but this breaks interoperability with + prior versions of Mbed TLS. To restore the old behavior, enable + the (deprecated) option MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT in + config.h. Found by Andreas Walz (ivESK, Offenburg University of + Applied Sciences). + Security - * Fix heap corruption in implementation of truncated HMAC extension. - When the truncated HMAC extension is enabled and CBC is used, - sending a malicious application packet can be used to selectively - corrupt 6 bytes on the peer's heap, potentially leading to crash or - remote code execution. This can be triggered remotely from either - side in both TLS and DTLS. - * Fix implementation of truncated HMAC extension leading to - compatibility problems with non Mbed TLS peers and allowing - an offline 2^80 brute force attack on the HMAC key of a single, - uninterrupted (excluding session resumption) connection. - Found by Andreas Walz (ivESK, Offenburg University of Applied - Sciences). + * Fix implementation of the truncated HMAC extension. The previous + implementation allowed an offline 2^80 brute force attack on the + HMAC key of a single, uninterrupted connection (with no + resumption of the session). Features * Allow comments in test data files. From e80cd463efcf8388dfa929affcfefa9b7f8e0218 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 22 Feb 2018 15:02:47 +0000 Subject: [PATCH 19/19] Adapt version_features.c --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index 5cbe8aca3..22e84b52e 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -435,6 +435,9 @@ static const char *features[] = { #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) "MBEDTLS_SSL_TRUNCATED_HMAC", #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT) + "MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT", +#endif /* MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT */ #if defined(MBEDTLS_THREADING_ALT) "MBEDTLS_THREADING_ALT", #endif /* MBEDTLS_THREADING_ALT */