mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-10 06:44:28 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #4989 from AndrzejKurek/remove-ssl-export-keys

Browse Source 
Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on
This commit is contained in:
Gilles Peskine 2021-10-18 17:53:56 +02:00 committed by GitHub
commit 6210320215
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 28 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog.d/remove-ssl-export-keys.txt Normal file
View File

@ -0,0 +1,5 @@
Changes
* Remove MBEDTLS_SSL_EXPORT_KEYS, making it always on and increasing the
code size by about 80B on an M0 build. This option only gated an ability
to set a callback, but was deemed unnecessary as it was yet another define
to remember when writing tests, or test configurations. Fixes #4653.

1
configs/config-thread.h
View File

@ -45,7 +45,6 @@
#define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_PROTO_DTLS
#define MBEDTLS_SSL_DTLS_ANTI_REPLAY #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
#define MBEDTLS_SSL_DTLS_HELLO_VERIFY #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
#define MBEDTLS_SSL_EXPORT_KEYS
/* mbed TLS modules */ /* mbed TLS modules */
#define MBEDTLS_AES_C #define MBEDTLS_AES_C

10
include/mbedtls/mbedtls_config.h
View File

@ -1621,16 +1621,6 @@
*/ */
#define MBEDTLS_SSL_SESSION_TICKETS #define MBEDTLS_SSL_SESSION_TICKETS
/**
* \def MBEDTLS_SSL_EXPORT_KEYS
*
* Enable support for exporting key block and master secret.
* This is required for certain users of TLS, e.g. EAP-TLS.
*
* Comment this macro to disable support for key export
*/
#define MBEDTLS_SSL_EXPORT_KEYS
/** /**
* \def MBEDTLS_SSL_SERVER_NAME_INDICATION * \def MBEDTLS_SSL_SERVER_NAME_INDICATION
* *

6
include/mbedtls/ssl.h
View File

@ -1143,7 +1143,6 @@ typedef enum
} }
mbedtls_tls_prf_types; mbedtls_tls_prf_types;
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
typedef enum typedef enum
{ {
MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET = 0, MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET = 0,
@ -1179,7 +1178,6 @@ typedef void mbedtls_ssl_export_keys_t( void *p_expkey,
const unsigned char client_random[32], const unsigned char client_random[32],
const unsigned char server_random[32], const unsigned char server_random[32],
mbedtls_tls_prf_types tls_prf_type ); mbedtls_tls_prf_types tls_prf_type );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
/** /**
* SSL/TLS configuration to be shared between mbedtls_ssl_context structures. * SSL/TLS configuration to be shared between mbedtls_ssl_context structures.
@ -1634,11 +1632,9 @@ struct mbedtls_ssl_context
* and #MBEDTLS_SSL_CID_DISABLED. */ * and #MBEDTLS_SSL_CID_DISABLED. */
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/** Callback to export key block and master secret */ /** Callback to export key block and master secret */
mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys); mbedtls_ssl_export_keys_t *MBEDTLS_PRIVATE(f_export_keys);
void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */ void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */
#endif
}; };
/** /**
@ -2211,7 +2207,6 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
void *p_ticket ); void *p_ticket );
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
/** /**
* \brief Configure a key export callback. * \brief Configure a key export callback.
* (Default: none.) * (Default: none.)
@ -2233,7 +2228,6 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl, void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_export_keys_t *f_export_keys, mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys ); void *p_export_keys );
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
/** /**

24
library/ssl_tls.c
View File

@ -587,7 +587,6 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
#endif /* MBEDTLS_USE_PSA_CRYPTO && #endif /* MBEDTLS_USE_PSA_CRYPTO &&
MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
{ {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
@ -608,7 +607,6 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
return( MBEDTLS_SSL_TLS_PRF_NONE ); return( MBEDTLS_SSL_TLS_PRF_NONE );
} }
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
const unsigned char *secret, size_t slen, const unsigned char *secret, size_t slen,
@ -660,8 +658,9 @@ typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
* - [in] randbytes: buffer holding ServerHello.random + ClientHello.random * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
* - [in] minor_ver: SSL/TLS minor version * - [in] minor_ver: SSL/TLS minor version
* - [in] endpoint: client or server * - [in] endpoint: client or server
* - [in] ssl: optionally used for: * - [in] ssl: used for:
* - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys * - ssl->conf->{f,p}_export_keys
* [in] optionally used for:
* - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
*/ */
static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
@ -694,10 +693,13 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
const mbedtls_cipher_info_t *cipher_info; const mbedtls_cipher_info_t *cipher_info;
const mbedtls_md_info_t *md_info; const mbedtls_md_info_t *md_info;
#if !defined(MBEDTLS_SSL_EXPORT_KEYS) && \ #if !defined(MBEDTLS_DEBUG_C) && \
!defined(MBEDTLS_DEBUG_C) !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ssl = NULL; /* make sure we don't use it except for those cases */ if( ssl->f_export_keys == NULL )
(void) ssl; {
ssl = NULL; /* make sure we don't use it except for these cases */
(void) ssl;
}
#endif #endif
/* /*
@ -960,8 +962,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
((void) mac_dec); ((void) mac_dec);
((void) mac_enc); ((void) mac_enc);
#if defined(MBEDTLS_SSL_EXPORT_KEYS) if( ssl != NULL && ssl->f_export_keys != NULL )
if( ssl->f_export_keys != NULL )
{ {
ssl->f_export_keys( ssl->p_export_keys, ssl->f_export_keys( ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
@ -970,7 +971,6 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
randbytes, randbytes,
tls_prf_get_type( tls_prf ) ); tls_prf_get_type( tls_prf ) );
} }
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -4231,7 +4231,6 @@ void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
#endif #endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl, void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_export_keys_t *f_export_keys, mbedtls_ssl_export_keys_t *f_export_keys,
void *p_export_keys ) void *p_export_keys )
@ -4239,7 +4238,6 @@ void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
ssl->f_export_keys = f_export_keys; ssl->f_export_keys = f_export_keys;
ssl->p_export_keys = p_export_keys; ssl->p_export_keys = p_export_keys;
} }
#endif
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
void mbedtls_ssl_conf_async_private_cb( void mbedtls_ssl_conf_async_private_cb(

13
programs/ssl/ssl_client2.c
View File

@ -207,7 +207,6 @@ int main( void )
#define USAGE_TICKETS "" #define USAGE_TICKETS ""
#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
#define USAGE_EAP_TLS \ #define USAGE_EAP_TLS \
" eap_tls=%%d default: 0 (disabled)\n" " eap_tls=%%d default: 0 (disabled)\n"
#define USAGE_NSS_KEYLOG \ #define USAGE_NSS_KEYLOG \
@ -230,12 +229,6 @@ int main( void )
#else /* MBEDTLS_SSL_DTLS_SRTP */ #else /* MBEDTLS_SSL_DTLS_SRTP */
#define USAGE_SRTP "" #define USAGE_SRTP ""
#endif #endif
#else /* MBEDTLS_SSL_EXPORT_KEYS */
#define USAGE_EAP_TLS ""
#define USAGE_NSS_KEYLOG ""
#define USAGE_NSS_KEYLOG_FILE ""
#define USAGE_SRTP ""
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
#define USAGE_MAX_FRAG_LEN \ #define USAGE_MAX_FRAG_LEN \
@ -729,7 +722,6 @@ int main( int argc, char *argv[] )
unsigned char *context_buf = NULL; unsigned char *context_buf = NULL;
size_t context_buf_len; size_t context_buf_len;
#endif #endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_keymaterial[16];
unsigned char eap_tls_iv[8]; unsigned char eap_tls_iv[8];
const char* eap_tls_label = "client EAP encryption"; const char* eap_tls_label = "client EAP encryption";
@ -747,7 +739,6 @@ int main( int argc, char *argv[] )
MBEDTLS_TLS_SRTP_UNSET MBEDTLS_TLS_SRTP_UNSET
}; };
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
@ -1962,7 +1953,6 @@ int main( int argc, char *argv[] )
goto exit; goto exit;
} }
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 ) if( opt.eap_tls != 0 )
{ {
mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation, mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation,
@ -1981,7 +1971,6 @@ int main( int argc, char *argv[] )
&dtls_srtp_keying ); &dtls_srtp_keying );
} }
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
@ -2169,7 +2158,6 @@ int main( int argc, char *argv[] )
} }
#endif #endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 ) if( opt.eap_tls != 0 )
{ {
size_t j = 0; size_t j = 0;
@ -2286,7 +2274,6 @@ int main( int argc, char *argv[] )
} }
} }
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
if( opt.reconnect != 0 ) if( opt.reconnect != 0 )
{ {
mbedtls_printf(" . Saving session for reuse..." ); mbedtls_printf(" . Saving session for reuse..." );

13
programs/ssl/ssl_server2.c
View File

@ -278,7 +278,6 @@ int main( void )
#define USAGE_TICKETS "" #define USAGE_TICKETS ""
#endif /* MBEDTLS_SSL_SESSION_TICKETS */ #endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
#define USAGE_EAP_TLS \ #define USAGE_EAP_TLS \
" eap_tls=%%d default: 0 (disabled)\n" " eap_tls=%%d default: 0 (disabled)\n"
#define USAGE_NSS_KEYLOG \ #define USAGE_NSS_KEYLOG \
@ -299,12 +298,6 @@ int main( void )
#else /* MBEDTLS_SSL_DTLS_SRTP */ #else /* MBEDTLS_SSL_DTLS_SRTP */
#define USAGE_SRTP "" #define USAGE_SRTP ""
#endif #endif
#else /* MBEDTLS_SSL_EXPORT_KEYS */
#define USAGE_EAP_TLS ""
#define USAGE_NSS_KEYLOG ""
#define USAGE_NSS_KEYLOG_FILE ""
#define USAGE_SRTP ""
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_CACHE_C) #if defined(MBEDTLS_SSL_CACHE_C)
#define USAGE_CACHE \ #define USAGE_CACHE \
@ -1365,7 +1358,6 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status; psa_status_t status;
#endif #endif
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_keymaterial[16];
unsigned char eap_tls_iv[8]; unsigned char eap_tls_iv[8];
const char* eap_tls_label = "client EAP encryption"; const char* eap_tls_label = "client EAP encryption";
@ -1383,7 +1375,6 @@ int main( int argc, char *argv[] )
MBEDTLS_TLS_SRTP_UNSET MBEDTLS_TLS_SRTP_UNSET
}; };
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) ); mbedtls_memory_buffer_alloc_init( alloc_buf, sizeof(alloc_buf) );
@ -2966,7 +2957,6 @@ int main( int argc, char *argv[] )
goto exit; goto exit;
} }
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 ) if( opt.eap_tls != 0 )
{ {
mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation, mbedtls_ssl_set_export_keys_cb( &ssl, eap_tls_key_derivation,
@ -2985,7 +2975,6 @@ int main( int argc, char *argv[] )
&dtls_srtp_keying ); &dtls_srtp_keying );
} }
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
io_ctx.ssl = &ssl; io_ctx.ssl = &ssl;
io_ctx.net = &client_fd; io_ctx.net = &client_fd;
@ -3251,7 +3240,6 @@ handshake:
#endif /* MBEDTLS_X509_REMOVE_INFO */ #endif /* MBEDTLS_X509_REMOVE_INFO */
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( opt.eap_tls != 0 ) if( opt.eap_tls != 0 )
{ {
size_t j = 0; size_t j = 0;
@ -3369,7 +3357,6 @@ handshake:
} }
} }
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
ret = report_cid_usage( &ssl, "initial handshake" ); ret = report_cid_usage( &ssl, "initial handshake" );

3
programs/ssl/ssl_test_common_source.c
View File

@ -24,7 +24,6 @@
* limitations under the License. * limitations under the License.
*/ */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
void eap_tls_key_derivation( void *p_expkey, void eap_tls_key_derivation( void *p_expkey,
mbedtls_ssl_key_export_type secret_type, mbedtls_ssl_key_export_type secret_type,
const unsigned char *secret, const unsigned char *secret,
@ -140,8 +139,6 @@ void dtls_srtp_key_derivation( void *p_expkey,
} }
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
int ssl_check_record( mbedtls_ssl_context const *ssl, int ssl_check_record( mbedtls_ssl_context const *ssl,
unsigned char const *buf, size_t len ) unsigned char const *buf, size_t len )
{ {

4
programs/ssl/ssl_test_lib.h
View File

@ -95,8 +95,6 @@
#include "../test/query_config.h" #include "../test/query_config.h"
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
typedef struct eap_tls_keys typedef struct eap_tls_keys
{ {
unsigned char master_secret[48]; unsigned char master_secret[48];
@ -122,8 +120,6 @@ typedef struct dtls_srtp_keys
#endif /* MBEDTLS_SSL_DTLS_SRTP */ #endif /* MBEDTLS_SSL_DTLS_SRTP */
#endif /* MBEDTLS_SSL_EXPORT_KEYS */
typedef struct typedef struct
{ {
mbedtls_ssl_context *ssl; mbedtls_ssl_context *ssl;

12
tests/scripts/all.sh
View File

@ -2085,6 +2085,18 @@ component_test_variable_ssl_in_out_buffer_len_CID () {
tests/compat.sh tests/compat.sh
} }
component_test_CID_no_debug() {
msg "build: Connection ID enabled, debug disabled"
scripts/config.py unset MBEDTLS_DEBUG_C
scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID
CC=gcc cmake .
make
msg "test: Connection ID enabled, debug disabled"
make test
}
component_test_ssl_alloc_buffer_and_mfl () { component_test_ssl_alloc_buffer_and_mfl () {
msg "build: default config with memory buffer allocator and MFL extension" msg "build: default config with memory buffer allocator and MFL extension"
scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C

1
tests/ssl-opt.sh
View File

@ -8621,7 +8621,6 @@ run_test "DTLS proxy: 3d, gnutls server, fragmentation, nbio" \
-s "Extra-header:" \ -s "Extra-header:" \
-c "Extra-header:" -c "Extra-header:"
requires_config_enabled MBEDTLS_SSL_EXPORT_KEYS
run_test "export keys functionality" \ run_test "export keys functionality" \
"$P_SRV eap_tls=1 debug_level=3" \ "$P_SRV eap_tls=1 debug_level=3" \
"$P_CLI eap_tls=1 debug_level=3" \ "$P_CLI eap_tls=1 debug_level=3" \