AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.

Browse Source 
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
This commit is contained in:
Mateusz Starzyk 2021-03-15 17:57:20 +01:00
parent 7e37338dda
commit e204dbf272
11 changed files with 3 additions and 217 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog.d/remove_obsolete_tls_features.txt
View File

@ -5,3 +5,4 @@ API changes
* Drop support for TLS record-level compression (MBEDTLS_ZLIB_SUPPORT).
* Drop support for RC4 TLS ciphersuites.
* Drop single-DES ciphersuites.
* Drop support for MBEDTLS_SSL_HW_RECORD_ACCEL.

10
configs/config-psa-crypto.h
View File

@ -1343,16 +1343,6 @@
*/
#define MBEDTLS_SSL_FALLBACK_SCSV
/**
* \def MBEDTLS_SSL_HW_RECORD_ACCEL
*
* Enable hooking functions in SSL module for hardware acceleration of
* individual records.
*
* Uncomment this macro to enable hooking functions.
*/
//#define MBEDTLS_SSL_HW_RECORD_ACCEL
/**
* \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
*

8
include/mbedtls/check_config.h
View File

@ -831,14 +831,6 @@
#error "MBEDTLS_HAVE_INT32/MBEDTLS_HAVE_INT64 and MBEDTLS_HAVE_ASM cannot be defined simultaneously"
#endif /* (MBEDTLS_HAVE_INT32 || MBEDTLS_HAVE_INT64) && MBEDTLS_HAVE_ASM */
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
#if defined(MBEDTLS_DEPRECATED_REMOVED)
#error "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
#elif defined(MBEDTLS_DEPRECATED_WARNING)
#warning "MBEDTLS_SSL_HW_RECORD_ACCEL is deprecated and will be removed in a future version of Mbed TLS"
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
#if defined(MBEDTLS_SSL_DTLS_SRTP) && ( !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_SRTP defined, but not all prerequisites"
#endif

13
include/mbedtls/config.h
View File

@ -1617,19 +1617,6 @@
*/
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
/**
* \def MBEDTLS_SSL_HW_RECORD_ACCEL
*
* Enable hooking functions in SSL module for hardware acceleration of
* individual records.
*
* \deprecated This option is deprecated and will be removed in a future
* version of Mbed TLS.
*
* Uncomment this macro to enable hooking functions.
*/
//#define MBEDTLS_SSL_HW_RECORD_ACCEL
/**
* \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
*

38
include/mbedtls/ssl.h
View File

@ -1377,44 +1377,6 @@ struct mbedtls_ssl_context
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
};
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#define MBEDTLS_SSL_CHANNEL_OUTBOUND MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 0 )
#define MBEDTLS_SSL_CHANNEL_INBOUND MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( 1 )
#if defined(MBEDTLS_DEPRECATED_WARNING)
#define MBEDTLS_DEPRECATED __attribute__((deprecated))
#else
#define MBEDTLS_DEPRECATED
#endif /* MBEDTLS_DEPRECATED_WARNING */
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_init)(
mbedtls_ssl_context *ssl,
const unsigned char *key_enc, const unsigned char *key_dec,
size_t keylen,
const unsigned char *iv_enc, const unsigned char *iv_dec,
size_t ivlen,
const unsigned char *mac_enc, const unsigned char *mac_dec,
size_t maclen);
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_activate)(
mbedtls_ssl_context *ssl,
int direction );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_reset)(
mbedtls_ssl_context *ssl );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_write)(
mbedtls_ssl_context *ssl );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_read)(
mbedtls_ssl_context *ssl );
MBEDTLS_DEPRECATED extern int (*mbedtls_ssl_hw_record_finish)(
mbedtls_ssl_context *ssl );
#undef MBEDTLS_DEPRECATED
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
/**
* \brief Return the name of the ciphersuite associated with the
* given ID

72
library/ssl_msg.c
View File

@ -293,21 +293,6 @@ static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
}
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
const unsigned char *key_enc, const unsigned char *key_dec,
size_t keylen,
const unsigned char *iv_enc, const unsigned char *iv_dec,
size_t ivlen,
const unsigned char *mac_enc, const unsigned char *mac_dec,
size_t maclen ) = NULL;
int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
/*
* Encryption/decryption functions
*/
@ -2150,18 +2135,6 @@ static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
/* Adjust to the newly activated transform */
mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_activate != NULL )
{
int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
}
#endif
return( 0 );
}
@ -2584,22 +2557,6 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_write != NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
ret = mbedtls_ssl_hw_record_write( ssl );
if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
if( ret == 0 )
done = 1;
}
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
if( !done )
{
unsigned i;
@ -3619,22 +3576,6 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
rec->buf, rec->buf_len );
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_read != NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
ret = mbedtls_ssl_hw_record_read( ssl );
if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
if( ret == 0 )
done = 1;
}
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
if( !done && ssl->transform_in != NULL )
{
unsigned char const old_msg_type = rec->type;
@ -4856,19 +4797,6 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
mbedtls_ssl_update_in_pointers( ssl );
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_activate != NULL )
{
if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
}
#endif
ssl->state++;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );

60
library/ssl_tls.c
View File

@ -798,7 +798,6 @@ typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
* - [in] minor_ver: SSL/TLS minor version
* - [in] endpoint: client or server
* - [in] ssl: optionally used for:
* - MBEDTLS_SSL_HW_RECORD_ACCEL: whole context (non-const)
* - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
* - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
*/
@ -817,10 +816,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
const unsigned char randbytes[64],
int minor_ver,
unsigned endpoint,
#if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
const
#endif
mbedtls_ssl_context *ssl )
const mbedtls_ssl_context *ssl )
{
int ret = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
@ -838,8 +834,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
const mbedtls_cipher_info_t *cipher_info;
const mbedtls_md_info_t *md_info;
#if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL) && \
!defined(MBEDTLS_SSL_EXPORT_KEYS) && \
#if !defined(MBEDTLS_SSL_EXPORT_KEYS) && \
!defined(MBEDTLS_DEBUG_C)
ssl = NULL; /* make sure we don't use it except for those cases */
(void) ssl;
@ -1130,28 +1125,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
}
#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_init != NULL )
{
ret = 0;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,
transform->iv_enc, transform->iv_dec,
iv_copy_len,
mac_enc, mac_dec,
mac_key_len ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto end;
}
}
#else
((void) mac_dec);
((void) mac_enc);
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
#if defined(MBEDTLS_SSL_EXPORT_KEYS)
if( ssl->conf->f_export_keys != NULL )
@ -3171,17 +3146,6 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
ssl->transform_out = ssl->transform_negotiate;
ssl->session_out = ssl->session_negotiate;
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_activate != NULL )
{
if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
}
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
mbedtls_ssl_send_flight_completed( ssl );
@ -3641,18 +3605,6 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
memset( ssl->in_buf, 0, in_buf_len );
}
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_reset != NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
}
#endif
if( ssl->transform )
{
mbedtls_ssl_transform_free( ssl->transform );
@ -6485,14 +6437,6 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
}
#endif
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( mbedtls_ssl_hw_record_finish != NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
mbedtls_ssl_hw_record_finish( ssl );
}
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_free( ssl->cli_id );
#endif

3
library/version_features.c
View File

@ -489,9 +489,6 @@ static const char * const features[] = {
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
"MBEDTLS_SSL_KEEP_PEER_CERTIFICATE",
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
"MBEDTLS_SSL_HW_RECORD_ACCEL",
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
"MBEDTLS_SSL_CBC_RECORD_SPLITTING",
#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */

8
programs/test/query_config.c
View File

@ -1361,14 +1361,6 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
if( strcmp( "MBEDTLS_SSL_HW_RECORD_ACCEL", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_HW_RECORD_ACCEL );
return( 0 );
}
#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
if( strcmp( "MBEDTLS_SSL_CBC_RECORD_SPLITTING", config ) == 0 )
{

1
scripts/config.py
View File

@ -192,7 +192,6 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature
'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS
'MBEDTLS_SHA512_NO_SHA384', # removes a feature
'MBEDTLS_SSL_HW_RECORD_ACCEL', # build dependency (hook functions)
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_TEST_NULL_ENTROPY', # removes a feature

6
tests/scripts/all.sh
View File

@ -2314,12 +2314,6 @@ component_build_armcc () {
armc6_build_test "--target=aarch64-arm-none-eabi -march=armv8.2-a"
}
component_build_ssl_hw_record_accel() {
msg "build: default config with MBEDTLS_SSL_HW_RECORD_ACCEL enabled"
scripts/config.pl set MBEDTLS_SSL_HW_RECORD_ACCEL
make CFLAGS='-Werror -O1'
}
component_test_allow_sha1 () {
msg "build: allow SHA1 in certificates by default"
scripts/config.py set MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES