From 93d4591255f0da0bb7e7d7cdd6c0de8ab0bd6399 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Jan 2025 11:45:44 +0100 Subject: [PATCH 1/7] Remove deprecated function mbedtls_ssl_conf_curves() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 55 ---------------------------- library/ssl_tls.c | 21 +---------- tests/scripts/analyze_outcomes.py | 16 -------- tests/suites/test_suite_ssl.data | 3 -- tests/suites/test_suite_ssl.function | 50 ------------------------- 5 files changed, 1 insertion(+), 144 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index fff53399b7..2922f378aa 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3813,54 +3813,6 @@ void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, unsigned int bitlen); #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ -#if defined(MBEDTLS_ECP_C) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -/** - * \brief Set the allowed curves in order of preference. - * - * On server: this only affects selection of the ECDHE curve; - * the curves used for ECDH and ECDSA are determined by the - * list of available certificates instead. - * - * On client: this affects the list of curves offered for any - * use. The server can override our preference order. - * - * Both sides: limits the set of curves accepted for use in - * ECDHE and in the peer's end-entity certificate. - * - * \deprecated Superseded by mbedtls_ssl_conf_groups(). - * - * \note This has no influence on which curves are allowed inside the - * certificate chains, see \c mbedtls_ssl_conf_cert_profile() - * for that. For the end-entity certificate however, the key - * will be accepted only if it is allowed both by this list - * and by the cert profile. - * - * \note This list should be ordered by decreasing preference - * (preferred curve first). - * - * \note The default list is the same set of curves that - * #mbedtls_x509_crt_profile_default allows, plus - * ECDHE-only curves selected according to the same criteria. - * The order favors curves with the lowest resource usage. - * - * \note New minor versions of Mbed TLS may extend this list, - * for example if new curves are added to the library. - * New minor versions of Mbed TLS will not remove items - * from this list unless serious security concerns require it. - * New minor versions of Mbed TLS may change the order in - * keeping with the general principle of favoring the lowest - * resource usage. - * - * \param conf SSL configuration - * \param curves Ordered list of allowed curves, - * terminated by MBEDTLS_ECP_DP_NONE. - */ -void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, - const mbedtls_ecp_group_id *curves); -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_ECP_C */ - /** * \brief Set the allowed groups in order of preference. * @@ -3872,13 +3824,6 @@ void MBEDTLS_DEPRECATED mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, * Both sides: limits the set of groups accepted for use in * key sharing. * - * \note This function replaces the deprecated mbedtls_ssl_conf_curves(), - * which only allows ECP curves to be configured. - * - * \note The most recent invocation of either mbedtls_ssl_conf_curves() - * or mbedtls_ssl_conf_groups() nullifies all previous invocations - * of both. - * * \note This list should be ordered by decreasing preference * (preferred group first). * diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5031c77a56..ad2edae308 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2735,25 +2735,6 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECP_C) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -/* - * Set the allowed elliptic curves - * - * mbedtls_ssl_setup() takes the provided list - * and translates it to a list of IANA TLS group identifiers, - * stored in ssl->handshake->group_list. - * - */ -void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, - const mbedtls_ecp_group_id *curve_list) -{ - conf->curve_list = curve_list; - conf->group_list = NULL; -} -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_ECP_C */ - /* * Set the allowed groups */ @@ -5594,7 +5575,7 @@ void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) /* The selection should be the same as mbedtls_x509_crt_profile_default in * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: * curves with a lower resource usage come first. - * See the documentation of mbedtls_ssl_conf_curves() for what we promise + * See the documentation of mbedtls_ssl_conf_groups() for what we promise * about this list. */ static const uint16_t ssl_preset_default_groups[] = { diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 721ac4a7d6..a3b18c6d4e 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -429,10 +429,6 @@ class DriverVSReference_ecp_light_only(outcome_analysis.DriverVSReference): re.compile(r'ECP point multiplication .*'), re.compile(r'ECP test vectors .*'), ], - 'test_suite_ssl': [ - # This deprecated function is only present when ECP_C is On. - 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', - ], } class DriverVSReference_no_ecp_at_all(outcome_analysis.DriverVSReference): @@ -469,10 +465,6 @@ class DriverVSReference_no_ecp_at_all(outcome_analysis.DriverVSReference): re.compile(r'Parse EC Key .*compressed\)'), re.compile(r'Parse Public EC Key .*compressed\)'), ], - # See ecp_light_only - 'test_suite_ssl': [ - 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', - ], } class DriverVSReference_ecc_no_bignum(outcome_analysis.DriverVSReference): @@ -516,10 +508,6 @@ class DriverVSReference_ecc_no_bignum(outcome_analysis.DriverVSReference): 'test_suite_debug': [ re.compile(r'Debug print mbedtls_mpi.*'), ], - # See ecp_light_only - 'test_suite_ssl': [ - 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', - ], } class DriverVSReference_ecc_ffdh_no_bignum(outcome_analysis.DriverVSReference): @@ -571,10 +559,6 @@ class DriverVSReference_ecc_ffdh_no_bignum(outcome_analysis.DriverVSReference): 'test_suite_debug': [ re.compile(r'Debug print mbedtls_mpi.*'), ], - # See ecp_light_only - 'test_suite_ssl': [ - 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', - ], } class DriverVSReference_ffdh_alg(outcome_analysis.DriverVSReference): diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 8135ef17ad..2eeb17290c 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -3086,9 +3086,6 @@ TLS 1.3: SRV: Session serialization, load buffer size depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_SRV_C ssl_serialize_session_load_buf_size:0:"":MBEDTLS_SSL_IS_SERVER:MBEDTLS_SSL_VERSION_TLS1_3 -Test configuration of groups for DHE through mbedtls_ssl_conf_curves() -conf_curve: - Test configuration of groups for DHE through mbedtls_ssl_conf_groups() conf_group: diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 3a2d61becd..121c6eab09 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3009,56 +3009,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_ECP_C:!MBEDTLS_DEPRECATED_REMOVED:!MBEDTLS_DEPRECATED_WARNING:PSA_WANT_ECC_SECP_R1_192:PSA_WANT_ECC_SECP_R1_224:PSA_WANT_ECC_SECP_R1_256 */ -void conf_curve() -{ - - mbedtls_ecp_group_id curve_list[] = { MBEDTLS_ECP_DP_SECP192R1, - MBEDTLS_ECP_DP_SECP224R1, - MBEDTLS_ECP_DP_SECP256R1, - MBEDTLS_ECP_DP_NONE }; - uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, - MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, - MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, - MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; - - mbedtls_ssl_config conf; - mbedtls_ssl_config_init(&conf); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); - mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); -#else - mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); - mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); -#endif - mbedtls_ssl_conf_curves(&conf, curve_list); - - mbedtls_ssl_context ssl; - mbedtls_ssl_init(&ssl); - MD_OR_USE_PSA_INIT(); - - mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - - TEST_ASSERT(mbedtls_ssl_setup(&ssl, &conf) == 0); - - TEST_ASSERT(ssl.handshake != NULL && ssl.handshake->group_list != NULL); - TEST_ASSERT(ssl.conf != NULL && ssl.conf->group_list == NULL); - - TEST_EQUAL(ssl.handshake-> - group_list[ARRAY_LENGTH(iana_tls_group_list) - 1], - MBEDTLS_SSL_IANA_TLS_GROUP_NONE); - - for (size_t i = 0; i < ARRAY_LENGTH(iana_tls_group_list); i++) { - TEST_EQUAL(iana_tls_group_list[i], ssl.handshake->group_list[i]); - } - -exit: - mbedtls_ssl_free(&ssl); - mbedtls_ssl_config_free(&conf); - MD_OR_USE_PSA_DONE(); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */ void conf_group() { From 6b720161ca32c382ddb0f6153021b44ebd0b04b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Jan 2025 12:17:20 +0100 Subject: [PATCH 2/7] Remove mbedtls_ssl_conf::curve_list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- include/mbedtls/ssl.h | 4 ---- library/ssl_misc.h | 16 +------------- library/ssl_tls.c | 51 ------------------------------------------- 3 files changed, 1 insertion(+), 70 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2922f378aa..c0ec6fb4c2 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1567,10 +1567,6 @@ struct mbedtls_ssl_config { const uint16_t *MBEDTLS_PRIVATE(sig_algs); /*!< allowed signature algorithms */ #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */ -#endif - const uint16_t *MBEDTLS_PRIVATE(group_list); /*!< allowed IANA NamedGroups */ #if defined(MBEDTLS_DHM_C) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 5bda91a281..4d6ac2b6ec 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2270,25 +2270,11 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, /* * Return supported groups. * - * In future, invocations can be changed to ssl->conf->group_list - * when mbedtls_ssl_conf_curves() is deleted. - * - * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group - * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to - * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. - * + * In future, invocations can be changed to ssl->conf->group_list. */ static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) { - #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) return ssl->conf->group_list; - #else - if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) { - return ssl->handshake->group_list; - } else { - return ssl->conf->group_list; - } - #endif } /* diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ad2edae308..9ea58330be 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1154,48 +1154,6 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) } #endif -/* - * curve_list is translated to IANA TLS group identifiers here because - * mbedtls_ssl_conf_curves returns void and so can't return - * any error codes. - */ -#if defined(MBEDTLS_ECP_C) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - /* Heap allocate and translate curve_list from internal to IANA group ids */ - if (ssl->conf->curve_list != NULL) { - size_t length; - const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list; - - for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) { - } - - /* Leave room for zero termination */ - uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t)); - if (group_list == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } - - for (size_t i = 0; i < length; i++) { - uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( - curve_list[i]); - if (tls_id == 0) { - mbedtls_free(group_list); - return MBEDTLS_ERR_SSL_BAD_CONFIG; - } - group_list[i] = tls_id; - } - - group_list[length] = 0; - - ssl->handshake->group_list = group_list; - ssl->handshake->group_list_heap_allocated = 1; - } else { - ssl->handshake->group_list = ssl->conf->group_list; - ssl->handshake->group_list_heap_allocated = 0; - } -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_ECP_C */ - #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) @@ -2741,9 +2699,6 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, const uint16_t *group_list) { -#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - conf->curve_list = NULL; -#endif conf->group_list = group_list; } @@ -5964,9 +5919,6 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, conf->sig_algs = ssl_preset_suiteb_sig_algs; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - conf->curve_list = NULL; -#endif conf->group_list = ssl_preset_suiteb_groups; break; @@ -5990,9 +5942,6 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, conf->sig_algs = ssl_preset_default_sig_algs; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) - conf->curve_list = NULL; -#endif conf->group_list = ssl_preset_default_groups; #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) From 6402c35ecafa72f6e1fe37673752b755dfb4d8b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Jan 2025 12:23:56 +0100 Subject: [PATCH 3/7] =?UTF-8?q?Remove=20internal=20helper=20mbedtls=5Fssl?= =?UTF-8?q?=5Fget=5Fgroups()=20Signed-off-by:=20Manuel=20P=C3=A9gouri?= =?UTF-8?q?=C3=A9-Gonnard=20?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- library/ssl_client.c | 2 +- library/ssl_misc.h | 12 +----------- library/ssl_tls.c | 2 +- library/ssl_tls12_server.c | 2 +- library/ssl_tls13_client.c | 4 ++-- 5 files changed, 6 insertions(+), 16 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 823708173c..be4d621d6c 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -222,7 +222,7 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl, unsigned char *p = buf; unsigned char *named_group_list; /* Start of named_group_list */ size_t named_group_list_len; /* Length of named_group_list */ - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); + const uint16_t *group_list = ssl->conf->group_list; *out_len = 0; diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 4d6ac2b6ec..9bdd104254 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2267,16 +2267,6 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, size_t dst_len, size_t *olen); -/* - * Return supported groups. - * - * In future, invocations can be changed to ssl->conf->group_list. - */ -static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) -{ - return ssl->conf->group_list; -} - /* * Helper functions for NamedGroup. */ @@ -2319,7 +2309,7 @@ static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group) static inline int mbedtls_ssl_named_group_is_offered( const mbedtls_ssl_context *ssl, uint16_t named_group) { - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); + const uint16_t *group_list = ssl->conf->group_list; if (group_list == NULL) { return 0; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 9ea58330be..159f2c3205 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6119,7 +6119,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg(int md) */ int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) { - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); + const uint16_t *group_list = ssl->conf->group_list; if (group_list == NULL) { return -1; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 9e7c52c5e6..191031eac6 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2966,7 +2966,7 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, * } ServerECDHParams; */ uint16_t *curr_tls_id = ssl->handshake->curves_tls_id; - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); + const uint16_t *group_list = ssl->conf->group_list; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 919db7d465..9386801512 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -216,7 +216,7 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl, #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); + const uint16_t *group_list = ssl->conf->group_list; /* Pick first available ECDHE group compatible with TLS 1.3 */ if (group_list == NULL) { return MBEDTLS_ERR_SSL_BAD_CONFIG; @@ -382,7 +382,7 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl, int selected_group; int found = 0; - const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); + const uint16_t *group_list = ssl->conf->group_list; if (group_list == NULL) { return MBEDTLS_ERR_SSL_BAD_CONFIG; } From 4c3134a39676d64dc03f154f24364c3eb83efe10 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Jan 2025 12:25:52 +0100 Subject: [PATCH 4/7] Remove useless dependency from test function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This dependency was never right in the first place. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 121c6eab09..f960235e39 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3009,7 +3009,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_DEPRECATED_REMOVED */ +/* BEGIN_CASE */ void conf_group() { uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, From 4787b4012c864d578ce57190106f47b3899c4279 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Jan 2025 12:28:01 +0100 Subject: [PATCH 5/7] Add ChangeLog entry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- ChangeLog.d/rm-ssl-conf-curves.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/rm-ssl-conf-curves.txt diff --git a/ChangeLog.d/rm-ssl-conf-curves.txt b/ChangeLog.d/rm-ssl-conf-curves.txt new file mode 100644 index 0000000000..4b29adc4c9 --- /dev/null +++ b/ChangeLog.d/rm-ssl-conf-curves.txt @@ -0,0 +1,4 @@ +Removals + * Remove the function mbedtls_ssl_conf_curves() which had been deprecated + in favour of mbedtls_ssl_conf_groups() since Mbed TLS 3.1. + From c4e768a8a60375e1ee5de5810f0f2e8b89bef6d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 22 Jan 2025 10:04:43 +0100 Subject: [PATCH 6/7] Fix incorrect test function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We should not manually set the TLS version, the tests are supposed to pass in 1.3-only builds as well. Instead do the normal thing of setting defaults. This doesn't interfere with the rest of the testing, so I'm not sure why we were not doing it. Signed-off-by: Manuel Pégourié-Gonnard --- tests/suites/test_suite_ssl.function | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index f960235e39..0781ceff84 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3021,8 +3021,9 @@ void conf_group() mbedtls_ssl_config_init(&conf); mbedtls_ssl_conf_rng(&conf, mbedtls_test_random, NULL); - mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); - mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_2); + mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT); mbedtls_ssl_conf_groups(&conf, iana_tls_group_list); From 490e30599bd3be91ce4a5500ac68c2fc95a4c90e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 14 Jan 2025 12:36:50 +0100 Subject: [PATCH 7/7] Stop recommended deprecated function in migration guide MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- docs/3.0-migration-guide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/3.0-migration-guide.md b/docs/3.0-migration-guide.md index 63a13ad876..42af9dbaf2 100644 --- a/docs/3.0-migration-guide.md +++ b/docs/3.0-migration-guide.md @@ -748,7 +748,7 @@ for both DTLS-CID and TLS 1.3. The default preference order for curves in TLS now favors resource usage (performance and memory consumption) over size. The exact order is unspecified and may change, but generally you can expect 256-bit curves to be preferred over larger curves. -If you prefer a different order, call `mbedtls_ssl_conf_curves()` when configuring a TLS connection. +If you prefer a different order, call `mbedtls_ssl_conf_groups()` when configuring a TLS connection. ### SSL key export interface change @@ -1025,7 +1025,7 @@ mbedtls_x509_crt_profile my_profile = mbedtls_x509_crt_profile_default; my_profile.allowed_mds |= MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ); ``` -If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_curves()` with the desired lists. +If you still need to allow hashes and curves in TLS that have been removed from the default configuration, call `mbedtls_ssl_conf_sig_hashes()` and `mbedtls_ssl_conf_groups()` with the desired lists. ### Remove 3DES ciphersuites