From 84b4e796a34496d314b089b13eadf5c39ca92a22 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Wed, 5 Dec 2018 22:39:38 +0000
Subject: [PATCH 1/6] Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 ChangeLog                      | 6 ++++++
 include/mbedtls/check_config.h | 8 ++++++++
 include/mbedtls/config.h       | 3 +++
 3 files changed, 17 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index a4660acbee..3f2f593713 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
 mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+New deprecations
+   * Deprecate MBEDTLS_SSL_HW_RECORD_ACCEL that enables function hooks in the
+     SSL module for hardware acceleration of individual records.
+
 = mbed TLS 2.21.0 branch released 2020-02-20
 New deprecations
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index ec11426688..27e8c30ac5 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -798,6 +798,14 @@
 #endif
 #endif /* MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO */
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
+#if defined(MBEDTLS_DEPRECATED_REMOVED)
+#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will likely be removed in a future version of Mbed TLS"
+#elif defined(MBEDTLS_DEPRECATED_WARNING)
+#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will likely be removed in a future version of Mbed TLS"
+#endif
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
+
 /*
  * Avoid warning from -pedantic. This is a convenient place for this
  * workaround since this is included by every single file before the
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 7abdaa5e73..a57eac958e 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1527,6 +1527,9 @@
  * Enable hooking functions in SSL module for hardware acceleration of
  * individual records.
  *
+ * \deprecated This option is deprecated and will likely be removed in a
+ * future version of Mbed TLS.
+ *
  * Uncomment this macro to enable hooking functions.
  */
 //#define MBEDTLS_SSL_HW_RECORD_ACCEL
From 3f6cc5f7861836f14a3e74edb116e1e26352bb42 Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Wed, 5 Dec 2018 22:40:09 +0000
Subject: [PATCH 2/6] Deprecate global func ptrs for MBEDTLS_SSL_HW_RECORD_ACCEL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/ssl.h | 40 ++++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 655f59d328..bc9c68f2e9 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
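Review bot: The added `\deprecated` paragraph says the option is going away but not why or what a port that relies on it should do, which is the first question a maintainer of a hardware-offload build will ask. The hooks this option enables are, per the ssl.h hunk in this series, global function pointers whose init hook is handed the raw encryption/decryption keys, IVs and MAC keys, so the rationale is worth one sentence here. Suggested text: `\deprecated This option is deprecated and will be removed in a future version of Mbed TLS. The global record hooks it enables receive raw traffic keys; no replacement mechanism is provided.` — drop the last clause if a replacement is planned, which nothing in this series names.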
@@ -1326,18 +1326,34 @@ struct mbedtls_ssl_context
 #define MBEDTLS_SSL_CHANNEL_OUTBOUND 0
 #define MBEDTLS_SSL_CHANNEL_INBOUND 1
-extern int (*mbedtls_ssl_hw_record_init)(mbedtls_ssl_context *ssl,
-                const unsigned char *key_enc, const unsigned char *key_dec,
-                size_t keylen,
-                const unsigned char *iv_enc, const unsigned char *iv_dec,
-                size_t ivlen,
-                const unsigned char *mac_enc, const unsigned char *mac_dec,
-                size_t maclen);
-extern int (*mbedtls_ssl_hw_record_activate)(mbedtls_ssl_context *ssl, int direction);
-extern int (*mbedtls_ssl_hw_record_reset)(mbedtls_ssl_context *ssl);
-extern int (*mbedtls_ssl_hw_record_write)(mbedtls_ssl_context *ssl);
-extern int (*mbedtls_ssl_hw_record_read)(mbedtls_ssl_context *ssl);
-extern int (*mbedtls_ssl_hw_record_finish)(mbedtls_ssl_context *ssl);
+#if defined(MBEDTLS_DEPRECATED_WARNING)
+#define MBEDTLS_DEPRECATED __attribute__((deprecated))
+#else
+#define MBEDTLS_DEPRECATED
+#endif
+
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_init)(
+                mbedtls_ssl_context *ssl,
+                const unsigned char *key_enc, const unsigned char *key_dec,
+                size_t keylen,
+                const unsigned char *iv_enc, const unsigned char *iv_dec,
+                size_t ivlen,
+                const unsigned char *mac_enc, const unsigned char *mac_dec,
+                size_t maclen);
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_activate)(
+                mbedtls_ssl_context *ssl,
+                int direction );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_reset)(
+                mbedtls_ssl_context *ssl );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_write)(
+                mbedtls_ssl_context *ssl );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_read)(
+                mbedtls_ssl_context *ssl );
+MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_finish)(
+                mbedtls_ssl_context *ssl );
+
+#undef MBEDTLS_DEPRECATED
+
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
 /**
From 4156ac18d7c0cd3d066651c0cd4531cb78efef85 Mon Sep 17 00:00:00 2001
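Review bot: The six hook pointers are still undocumented, writable global variables; beyond the new deprecation attribute a reader has no contract for them, so a Doxygen block above `mbedtls_ssl_hw_record_init` should state that it receives the raw encryption/decryption keys, IVs and MAC keys for both directions (its parameter list shows this) and that the library calls through these pointers from its record layer — the callers are outside this hunk, so whether a NULL pointer is checked before the call cannot be confirmed here and should be documented either way. Because they are process-wide mutable function pointers rather than per-context callbacks, a single arbitrary write anywhere in the process redirects every TLS record through attacker-chosen code, which is a good reason to cite in the deprecation note if that is the rationale. Note also that `MBEDTLS_DEPRECATED` expands to nothing unless `MBEDTLS_DEPRECATED_WARNING` is set, so default builds get no signal that these symbols are being retired. The enclosing `#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)` region starts before this hunk.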
From: Andres Amaya Garcia
Date: Thu, 3 Jan 2019 20:48:54 +0000
Subject: [PATCH 3/6] Wrap deprecations for HW_RECORD_ACCEL with DEPRECATED_REMOVED
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/ssl.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index bc9c68f2e9..8daa267e27 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1323,8 +1323,10 @@ struct mbedtls_ssl_context
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
-#define MBEDTLS_SSL_CHANNEL_OUTBOUND 0
-#define MBEDTLS_SSL_CHANNEL_INBOUND 1
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)
+
+#define MBEDTLS_SSL_CHANNEL_OUTBOUND MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 0 )
+#define MBEDTLS_SSL_CHANNEL_INBOUND MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 1 )
 #if defined(MBEDTLS_DEPRECATED_WARNING)
 #define MBEDTLS_DEPRECATED __attribute__((deprecated))
@@ -1353,6 +1355,7 @@ MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_finish)(
                 mbedtls_ssl_context *ssl );
 #undef MBEDTLS_DEPRECATED
+#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
From da15409aeace1ab763584f1e2342144030cb1a7c Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Tue, 15 Jan 2019 18:43:48 +0000
Subject: [PATCH 4/6] Remove the word likely from deprecated documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/check_config.h | 4 ++--
 include/mbedtls/config.h       | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 27e8c30ac5..33687c689b 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
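Review bot: `MBEDTLS_SSL_CHANNEL_OUTBOUND`/`MBEDTLS_SSL_CHANNEL_INBOUND` now expand through `MBEDTLS_DEPRECATED_NUMERIC_CONSTANT`, which is defined outside this file (presumably via a deprecated typedef, as the `MBEDTLS_DEPRECATED` pattern below suggests); if the library's own record layer uses these names when it invokes `mbedtls_ssl_hw_record_activate(ssl, direction)` — those callers are outside the hunk — that internal use will itself trip the deprecation diagnostic under `MBEDTLS_DEPRECATED_WARNING` and fail a `-Werror` build, so either the callers should pass the literal values or the library should be built in that configuration before merging. Also confirm ssl.h includes the header that provides `MBEDTLS_DEPRECATED_NUMERIC_CONSTANT`, since nothing in this hunk does. The new `#if !defined(MBEDTLS_DEPRECATED_REMOVED)` guard is redundant with the `#error` check_config.h raises for the same combination (patch 1), which is fine but deserves a comment such as `/* With MBEDTLS_DEPRECATED_REMOVED, check_config.h already rejects MBEDTLS_SSL_HW_RECORD_ACCEL */` so nobody reads it as a supported hook-free build. The `#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)` block continues past the hunk.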
@@ -800,9 +800,9 @@
 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
 #if defined(MBEDTLS_DEPRECATED_REMOVED)
-#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will likely be removed in a future version of Mbed TLS"
+#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
 #elif defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will likely be removed in a future version of Mbed TLS"
+#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
 #endif
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index a57eac958e..40f9d6b1a8 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1527,8 +1527,8 @@
  * Enable hooking functions in SSL module for hardware acceleration of
  * individual records.
  *
- * \deprecated This option is deprecated and will likely be removed in a
- * future version of Mbed TLS.
+ * \deprecated This option is deprecated and will be removed in a future
+ * version of Mbed TLS.
  *
  * Uncomment this macro to enable hooking functions.
  */
From 10edb3e8da5d83c980d57379c400042fdd1cf2ff Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia
Date: Tue, 15 Jan 2019 18:44:06 +0000
Subject: [PATCH 5/6] Add comment to matching #endif
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/check_config.h | 2 +-
 include/mbedtls/ssl.h          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 33687c689b..99363b3f24 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -803,7 +803,7 @@
 #error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
 #elif defined(MBEDTLS_DEPRECATED_WARNING)
 #warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
-#endif
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
 /*
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8daa267e27..b5ad4453ba 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1332,7 +1332,7 @@ struct mbedtls_ssl_context
 #define MBEDTLS_DEPRECATED __attribute__((deprecated))
 #else
 #define MBEDTLS_DEPRECATED
-#endif
+#endif /* MBEDTLS_DEPRECATED_WARNING */
 MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_init)(
                 mbedtls_ssl_context *ssl,
From a4522e84670352f6beda00735624a82d7b5c554e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Tue, 25 Feb 2020 12:46:10 +0100
Subject: [PATCH 6/6] Uniformize wording for removal of deprecated things
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 include/mbedtls/config.h | 6 +++---
 include/mbedtls/ssl.h    | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 40f9d6b1a8..70a97405a7 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1784,8 +1784,8 @@
  *
  * Fallback to old (pre-2.7), non-conforming implementation of the truncated
  * HMAC extension which also truncates the HMAC key. Note that this option is
- * only meant for a transitory upgrade period and is likely to be removed in
- * a future version of the library.
+ * only meant for a transitory upgrade period and will be removed in a future
+ * version of the library.
  *
  * \warning The old implementation is non-compliant and has a security weakness
  * (2^80 brute force attack on the HMAC key used for a single,
@@ -1794,7 +1794,7 @@
  * bandwidth, and (2) the peer is an Mbed TLS stack that doesn't use
  * the fixed implementation yet (pre-2.7).
  *
- * \deprecated This option is deprecated and will likely be removed in a
+ * \deprecated This option is deprecated and will be removed in a
  * future version of Mbed TLS.
  *
  * Uncomment to fallback to old, non-compliant truncated HMAC implementation.
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b5ad4453ba..1666f8c864 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -3188,7 +3188,7 @@ void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems
  * \warning Use of RC4 in DTLS/TLS has been prohibited by RFC 7465
  * for security reasons. Use at your own risk.
  *
- * \note This function is deprecated and will likely be removed in
+ * \note This function is deprecated and will be removed in
  * a future version of the library.
  * RC4 is disabled by default at compile time and needs to be
  * actively enabled for use with legacy systems.