Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SHA384 cipher suites are offered when MBEDTLS_SHA512_NO_SHA384 is enabled #4499

Closed
gilles-peskine-arm opened this issue May 12, 2021 · 0 comments · Fixed by #4304
Closed

SHA384 cipher suites are offered when MBEDTLS_SHA512_NO_SHA384 is enabled #4499

gilles-peskine-arm opened this issue May 12, 2021 · 0 comments · Fixed by #4304
Labels
bug component-tls

Comments

@gilles-peskine-arm
Copy link
Contributor

gilles-peskine-arm commented May 12, 2021
edited
Loading

When the configuration option MBEDTLS_SHA512_NO_SHA384 is enabled, the SHA-384 algorithm is disabled, and in particular TLS cipher suites that use SHA-384 cannot be used. However they are still offered by mbedtls_ssl_list_ciphersuites, leading to an internal error when selected.

Steps to reproduce:

$ scripts/config.py set MBEDTLS_SHA512_NO_SHA384
$ make
$ programs/ssl/ssl_client2 force_ciphersuite=TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384

  . Seeding the random number generator... ok
  . Loading the CA root certificate ... ok (0 skipped)
  . Loading the client cert. and key... ok (key type: RSA)
  . Connecting to tcp/localhost/4433... ok
  . Setting up the SSL/TLS structure... ok
  . Performing the SSL/TLS handshake... failed
  ! mbedtls_ssl_handshake returned -0x6c00

Last error was: -0x6C00 - SSL - Internal error (eg, unexpected failure in lower-level module)

This only applies to 2.2x. In 2.16, MBEDTLS_SHA512_NO_SHA384 did not exist yet. In 3.0 this is fixed by #4304.
This was referenced May 12, 2021
Open
Merged
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue May 12, 2021
@gilles-peskine-arm
Fix dependencies on SHA384 cipher suites
01001a7 
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.

Fix Mbed-TLS#4499.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm gilles-peskine-arm mentioned this issue May 12, 2021
Merged
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue May 19, 2021
@gilles-peskine-arm
Fix dependencies on SHA384 cipher suites
ab72d56 
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.

Fix Mbed-TLS#4499.

Signed-off-by: Gilles Peskine <[email protected]>
gilles-peskine-arm added a commit to gilles-peskine-arm/mbedtls that referenced this issue May 19, 2021
@gilles-peskine-arm
Fix dependencies on SHA384 cipher suites
367379d 
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.

Fix Mbed-TLS#4499.

Signed-off-by: Gilles Peskine <[email protected]>
lhuang04 pushed a commit to lhuang04/mbedtls that referenced this issue May 19, 2023
@gilles-peskine-arm @lhuang04
Fix dependencies on SHA384 cipher suites
7b355c1 
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.

Fix Mbed-TLS#4499.

Signed-off-by: Gilles Peskine <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug component-tls
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Modify config option for SHA384. mstarzyk-mobica/mbedtls
1 participant
@gilles-peskine-arm