
Disable MBEDTLS_SSL_RENEGOTIATION in TLS-1.3-only builds

Open gilles-peskine-arm opened this issue 2 years ago • 2 comments

Fixes #6200

Not applicable to 2.28.

gilles-peskine-arm Aug 12 '22 21:08

I also get an error when compiling tag v3.2.1:

[ 90%] Building C object library/CMakeFiles/mbedtls.dir/ssl_msg.c.o
/w/library/ssl_msg.c:5303:9: error: unused variable 'ret' [-Werror,-Wunused-variable]
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
        ^
1 error generated.

Reproduce errors

  1. docker pull --platform=linux/amd64 visionular/wzffm-centos7:20220819T093710Z-3e40654a
  2. docker run --rm -it -w /w -v "/path/to/mbedtls:/w" visionular/wzffm-centos7:20220819T093710Z-3e40654a
  3. (container) python3 /w/scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
  4. (container) python3 /w/scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
  5. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_2
  6. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_RENEGOTIATION
  7. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
  8. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_EXTENDED_MASTER_SECRET
  9. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_PROTO_DTLS
  10. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_DTLS_SRTP
  11. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY
  12. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_DTLS_HELLO_VERIFY
  13. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
  14. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID
  15. (container) export CC="clang"
  16. (container) export CXX="clang++"
  17. (container) cmake -S "/w" -B "/w/build" \
    -D CMAKE_INSTALL_PREFIX="/w/install" \
    -D CMAKE_BUILD_TYPE=Release \
    -D BUILD_SHARED_LIBS:BOOL=0 \
    -D MBEDTLS_AS_SUBPROJECT:BOOL=1 \
    -D ENABLE_PROGRAMS:BOOL=0 \
    -D ENABLE_TESTING:BOOL=0
  18. (container) cmake --build "/w/build" -j

valord577 Sep 13 '22 12:09

I get an error when compiling tag v3.2.1:

[ 94%] Building C object library/CMakeFiles/mbedtls.dir/ssl_tls12_server.c.o
/w/library/ssl_msg.c:5303:9: error: unused variable 'ret' [-Werror,-Wunused-variable]
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
        ^
1 error generated.
make[2]: *** [library/CMakeFiles/mbedtls.dir/build.make:160: library/CMakeFiles/mbedtls.dir/ssl_msg.c.o] Error 1
make[2]: *** Waiting for unfinished jobs....
/w/library/ssl_tls.c:2856:13: error: code will never be executed [-Werror,-Wunreachable-code]
    *olen = used;
            ^~~~
1 error generated.
make[2]: *** [library/CMakeFiles/mbedtls.dir/build.make:188: library/CMakeFiles/mbedtls.dir/ssl_tls.c.o] Error 1
make[1]: *** [CMakeFiles/Makefile2:219: library/CMakeFiles/mbedtls.dir/all] Error 2
make: *** [Makefile:136: all] Error 2

Reproduce errors

  1. ...
  2. ...
  3. (container) python3 /w/scripts/config.py set MBEDTLS_HAVE_SSE2
  4. (container) python3 /w/scripts/config.py unset MBEDTLS_DEBUG_C
  5. (container) python3 /w/scripts/config.py unset MBEDTLS_SSL_SRV_C
  6. ...
  7. ...
  8. ...
  9. ...(use tls 1.3 only)
  10. ...
  11. ...
  12. cmake ...

valord577 Sep 13 '22 13:09

@gilles-peskine-arm This PR has conflicts

tom-cosgrove-arm Nov 21 '22 10:11