Merge remote-tracking branch 'public/pr/2642' into HEAD
commit
150deca7b9
|
@ -646,6 +646,18 @@
|
|||
#error "MBEDTLS_SSL_CID defined, but not all prerequisites"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID) && \
|
||||
defined(MBEDTLS_SSL_CID_IN_LEN_MAX) && \
|
||||
MBEDTLS_SSL_CID_IN_LEN_MAX > 255
|
||||
#error "MBEDTLS_SSL_CID_IN_LEN_MAX too large (max 255)"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID) && \
|
||||
defined(MBEDTLS_SSL_CID_OUT_LEN_MAX) && \
|
||||
MBEDTLS_SSL_CID_OUT_LEN_MAX > 255
|
||||
#error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
|
||||
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
|
||||
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"
|
||||
|
|
|
@ -386,6 +386,10 @@
|
|||
|
||||
#define MBEDTLS_TLS_EXT_SESSION_TICKET 35
|
||||
|
||||
/* The value of the CID extension is still TBD as of
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04. */
|
||||
#define MBEDTLS_TLS_EXT_CID 254 /* TBD */
|
||||
|
||||
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */
|
||||
|
||||
#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01
|
||||
|
@ -1266,6 +1270,21 @@ struct mbedtls_ssl_context
|
|||
char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
|
||||
char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */
|
||||
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
/* CID configuration to use in subsequent handshakes. */
|
||||
|
||||
/*! The next incoming CID, chosen by the user and applying to
|
||||
* all subsequent handshakes. This may be different from the
|
||||
* CID currently used in case the user has re-configured the CID
|
||||
* after an initial handshake. */
|
||||
unsigned char own_cid[ MBEDTLS_SSL_CID_IN_LEN_MAX ];
|
||||
uint8_t own_cid_len; /*!< The length of \c own_cid. */
|
||||
uint8_t negotiate_cid; /*!< This indicates whether the CID extension should
|
||||
* be negotiated in the next handshake or not.
|
||||
* Possible values are #MBEDTLS_SSL_CID_ENABLED
|
||||
* and #MBEDTLS_SSL_CID_DISABLED. */
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
};
|
||||
|
||||
#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
|
||||
|
@ -1609,6 +1628,13 @@ int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
|
|||
* progress, this function will attempt to complete
|
||||
* the handshake first.
|
||||
*
|
||||
* \note If CID extensions have been exchanged but both client
|
||||
* and server chose to use an empty CID, this function
|
||||
* sets `*enabled` to #MBEDTLS_SSL_CID_DISABLED
|
||||
* (the rationale for this is that the resulting
|
||||
* communication is the same as if the CID extensions
|
||||
* hadn't been used).
|
||||
*
|
||||
* \return \c 0 on success.
|
||||
* \return A negative error code on failure.
|
||||
*/
|
||||
|
@ -3135,7 +3161,7 @@ void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_
|
|||
* (Default: 2^48 - 1)
|
||||
*
|
||||
* Renegotiation is automatically triggered when a record
|
||||
* counter (outgoing or ingoing) crosses the defined
|
||||
* counter (outgoing or incoming) crosses the defined
|
||||
* threshold. The default value is meant to prevent the
|
||||
* connection from being closed when the counter is about to
|
||||
* reached its maximal value (it is not allowed to wrap).
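Review bot: The `\note` added to `mbedtls_ssl_get_peer_cid` says `*enabled` becomes `MBEDTLS_SSL_CID_DISABLED` when both sides chose an empty CID, but it does not say what happens to `peer_cid` and `*peer_cid_len` in that case. The implementation in this commit returns 0 on that path without writing either, so a caller that reads `*peer_cid_len` after a successful return may be reading an uninitialized value. I would add a sentence to the note such as `In this case, \p peer_cid and \p peer_cid_len are left untouched and must not be read.` The rest of the function's documentation lies outside the hunk, so this may already be stated there.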
|
||||
|
|
|
@ -372,6 +372,18 @@ struct mbedtls_ssl_handshake_params
|
|||
unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
|
||||
for resending messages */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
/* The state of CID configuration in this handshake. */
|
||||
|
||||
uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
|
||||
* has been negotited. Possible values are
|
||||
* #MBEDTLS_SSL_CID_ENABLED and
|
||||
* #MBEDTLS_SSL_CID_DISABLED. */
|
||||
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
|
||||
uint8_t peer_cid_len; /*!< The length of
|
||||
* \c peer_cid. */
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
struct
|
||||
{
|
||||
size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
|
||||
|
@ -597,6 +609,13 @@ struct mbedtls_ssl_transform
|
|||
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
|
||||
int minor_ver;
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
uint8_t in_cid_len;
|
||||
uint8_t out_cid_len;
|
||||
unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
|
||||
unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
/*
|
||||
* Session specific compression layer
|
||||
*/
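Review bot: In `struct mbedtls_ssl_transform`, `in_cid` is sized with `MBEDTLS_SSL_CID_OUT_LEN_MAX`, although it holds the local (incoming) CID, whose length is bounded by `MBEDTLS_SSL_CID_IN_LEN_MAX` everywhere else in this commit. With a configuration where the IN maximum exceeds the OUT maximum, the `memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len )` added to `mbedtls_ssl_derive_keys` can write past the end of the array; nothing visible in the new `check_config.h` checks ties the two limits together. Declare the member as `unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];`. In the `mbedtls_ssl_handshake_params` hunk, `/*! The peer's CID */` trails the member and should use `/*!<` so Doxygen does not attach it to `peer_cid_len`, and "negotited" is a typo.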
|
||||
|
|
|
@ -475,6 +475,54 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
size_t ext_len;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
/*
|
||||
* Quoting
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:
|
||||
*
|
||||
* struct {
|
||||
* opaque cid<0..2^8-1>;
|
||||
* } ConnectionId;
|
||||
*/
|
||||
|
||||
*olen = 0;
|
||||
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
|
||||
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
|
||||
{
|
||||
return;
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding CID extension" ) );
|
||||
|
||||
/* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
* which is at most 255, so the increment cannot overflow. */
|
||||
if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
|
||||
return;
|
||||
}
|
||||
|
||||
/* Add extension ID + size */
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
|
||||
ext_len = (size_t) ssl->own_cid_len + 1;
|
||||
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
|
||||
|
||||
*p++ = (uint8_t) ssl->own_cid_len;
|
||||
memcpy( p, ssl->own_cid, ssl->own_cid_len );
|
||||
|
||||
*olen = ssl->own_cid_len + 5;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
static void ssl_write_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
|
@ -1085,6 +1133,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
|
||||
ssl_write_max_fragment_length_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
|
@ -1242,6 +1295,62 @@ static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t len )
|
||||
{
|
||||
size_t peer_cid_len;
|
||||
|
||||
if( /* CID extension only makes sense in DTLS */
|
||||
ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
|
||||
/* The server must only send the CID extension if we have offered it. */
|
||||
ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension unexpected" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
if( len == 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
peer_cid_len = *buf++;
|
||||
len--;
|
||||
|
||||
if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
if( len != peer_cid_len )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "CID extension invalid" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
|
||||
ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
|
||||
memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "Server CID", buf, peer_cid_len );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
|
@ -1893,6 +2002,20 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||
break;
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
case MBEDTLS_TLS_EXT_CID:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
|
||||
|
||||
if( ( ret = ssl_parse_cid_ext( ssl,
|
||||
ext + 4,
|
||||
ext_size ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt_then_mac extension" ) );
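Review bot: In the client's `ssl_parse_cid_ext`, a CID extension that the client did not offer is answered with `MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE`, whereas RFC 5246 section 7.4.1.4 requires an `unsupported_extension` alert for an unsolicited ServerHello extension, i.e. `MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT`. The empty-extension branch (`len == 0`) also sends `HANDSHAKE_FAILURE`, while the length-mismatch branch below it and every branch of the server-side parser in this commit send `MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER`. Using `ILLEGAL_PARAMETER` for all malformed-content cases would keep the two parsers consistent and give the peer an accurate diagnostic. The return codes can stay as they are.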
|
||||
|
|
|
@ -475,6 +475,78 @@ static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
static int ssl_parse_cid_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
size_t len )
|
||||
{
|
||||
size_t peer_cid_len;
|
||||
|
||||
/* CID extension only makes sense in DTLS */
|
||||
if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
/*
|
||||
* Quoting
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:
|
||||
*
|
||||
* struct {
|
||||
* opaque cid<0..2^8-1>;
|
||||
* } ConnectionId;
|
||||
*/
|
||||
|
||||
if( len < 1 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
peer_cid_len = *buf++;
|
||||
len--;
|
||||
|
||||
if( len != peer_cid_len )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
/* Ignore CID if the user has disabled its use. */
|
||||
if( ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED )
|
||||
{
|
||||
/* Leave ssl->handshake->cid_in_use in its default
|
||||
* value of MBEDTLS_SSL_CID_DISABLED. */
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Client sent CID extension, but CID disabled" ) );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
if( peer_cid_len > MBEDTLS_SSL_CID_OUT_LEN_MAX )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_ENABLED;
|
||||
ssl->handshake->peer_cid_len = (uint8_t) peer_cid_len;
|
||||
memcpy( ssl->handshake->peer_cid, buf, peer_cid_len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use of CID extension negotiated" ) );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "Client CID", buf, peer_cid_len );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
static int ssl_parse_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
|
@ -1823,6 +1895,16 @@ read_record_header:
|
|||
break;
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
case MBEDTLS_TLS_EXT_CID:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found CID extension" ) );
|
||||
|
||||
ret = ssl_parse_cid_ext( ssl, ext + 4, ext_size );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
break;
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found encrypt then mac extension" ) );
|
||||
|
@ -2100,6 +2182,54 @@ static void ssl_write_truncated_hmac_ext( mbedtls_ssl_context *ssl,
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
static void ssl_write_cid_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
size_t ext_len;
|
||||
const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN;
|
||||
|
||||
*olen = 0;
|
||||
|
||||
/* Skip writing the extension if we don't want to use it or if
|
||||
* the client hasn't offered it. */
|
||||
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_DISABLED )
|
||||
return;
|
||||
|
||||
/* ssl->own_cid_len is at most MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
* which is at most 255, so the increment cannot overflow. */
|
||||
if( end < p || (size_t)( end - p ) < (unsigned)( ssl->own_cid_len + 5 ) )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "buffer too small" ) );
|
||||
return;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding CID extension" ) );
|
||||
|
||||
/*
|
||||
* Quoting
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-04:
|
||||
*
|
||||
* struct {
|
||||
* opaque cid<0..2^8-1>;
|
||||
* } ConnectionId;
|
||||
*/
|
||||
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_CID ) & 0xFF );
|
||||
ext_len = (size_t) ssl->own_cid_len + 1;
|
||||
*p++ = (unsigned char)( ( ext_len >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( ext_len ) & 0xFF );
|
||||
|
||||
*p++ = (uint8_t) ssl->own_cid_len;
|
||||
memcpy( p, ssl->own_cid, ssl->own_cid_len );
|
||||
|
||||
*olen = ssl->own_cid_len + 5;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
|
@ -2621,6 +2751,11 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
ssl_write_cid_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
ssl_write_encrypt_then_mac_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
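Review bot: In the server's `ssl_write_cid_ext`, the "buffer too small" branch returns with `*olen = 0` but leaves `ssl->handshake->cid_in_use` at `MBEDTLS_SSL_CID_ENABLED`. `mbedtls_ssl_derive_keys` keys off that flag to copy both CIDs into the transform, so the server would treat CID as negotiated even though its ServerHello never carried the extension; once the record layer starts using these fields, the two peers would disagree on the record format. Reset the flag before returning, `ssl->handshake->cid_in_use = MBEDTLS_SSL_CID_DISABLED;`, or treat the condition as a handshake error. Separately, the `#endif` that closes the new `case MBEDTLS_TLS_EXT_CID:` block in the ClientHello parser is labelled `/* MBEDTLS_SSL_TRUNCATED_HMAC */` and should read `/* MBEDTLS_SSL_CID */`.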
|
||||
|
|
|
@ -121,34 +121,66 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
|
|||
#if defined(MBEDTLS_SSL_CID)
|
||||
/* Top-level Connection ID API */
|
||||
|
||||
/* WARNING: This implementation is a stub and doesn't do anything!
|
||||
* It is included solely to allow review and coding against
|
||||
* the new Connection CID API. */
|
||||
/* WARNING: The CID feature isn't fully implemented yet
|
||||
* and will not be used. */
|
||||
int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
|
||||
int enable,
|
||||
unsigned char const *own_cid,
|
||||
size_t own_cid_len )
|
||||
{
|
||||
((void) ssl);
|
||||
((void) enable);
|
||||
((void) own_cid);
|
||||
((void) own_cid_len);
|
||||
ssl->negotiate_cid = enable;
|
||||
if( enable == MBEDTLS_SSL_CID_DISABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
|
||||
return( 0 );
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
|
||||
|
||||
if( own_cid_len > MBEDTLS_SSL_CID_IN_LEN_MAX )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID too large: Maximum %u, actual %u",
|
||||
(unsigned) MBEDTLS_SSL_CID_IN_LEN_MAX,
|
||||
(unsigned) own_cid_len ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
memcpy( ssl->own_cid, own_cid, own_cid_len );
|
||||
/* Truncation is not an issue here because
|
||||
* MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
|
||||
ssl->own_cid_len = (uint8_t) own_cid_len;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/* WARNING: This implementation is a stub and doesn't do anything!
|
||||
* It is included solely to allow review and coding against
|
||||
* the new Connection CID API. */
|
||||
/* WARNING: The CID feature isn't fully implemented yet
|
||||
* and will not be used. */
|
||||
int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
|
||||
int *enabled,
|
||||
unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
|
||||
size_t *peer_cid_len )
|
||||
{
|
||||
((void) ssl);
|
||||
((void) peer_cid);
|
||||
((void) peer_cid_len);
|
||||
|
||||
*enabled = MBEDTLS_SSL_CID_DISABLED;
|
||||
|
||||
if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
/* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
|
||||
* were used, but client and server requested the empty CID.
|
||||
* This is indistinguishable from not using the CID extension
|
||||
* in the first place. */
|
||||
if( ssl->transform_in->in_cid_len == 0 &&
|
||||
ssl->transform_in->out_cid_len == 0 )
|
||||
{
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
*peer_cid_len = ssl->transform_in->out_cid_len;
|
||||
memcpy( peer_cid, ssl->transform_in->out_cid,
|
||||
ssl->transform_in->out_cid_len );
|
||||
|
||||
*enabled = MBEDTLS_SSL_CID_ENABLED;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
@ -918,6 +950,25 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_CID)
|
||||
/* Copy own and peer's CID if the use of the CID
|
||||
* extension has been negotiated. */
|
||||
if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
|
||||
transform->in_cid_len = ssl->own_cid_len;
|
||||
transform->out_cid_len = ssl->handshake->peer_cid_len;
|
||||
memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
|
||||
memcpy( transform->out_cid, ssl->handshake->peer_cid,
|
||||
ssl->handshake->peer_cid_len );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
|
||||
transform->out_cid_len );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
|
||||
transform->in_cid_len );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CID */
|
||||
|
||||
/*
|
||||
* Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
|
||||
*/
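Review bot: `mbedtls_ssl_set_cid` stores `enable` in `ssl->negotiate_cid` before it validates `own_cid_len`, so a call rejected with `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` still leaves CID negotiation switched on, using whatever `own_cid`/`own_cid_len` the context held before. Do the length check first and assign `ssl->negotiate_cid` only on the paths that return 0. `enable` is also narrowed from `int` to the `uint8_t` field without being compared against `MBEDTLS_SSL_CID_ENABLED`/`MBEDTLS_SSL_CID_DISABLED`, so an out-of-range value is silently truncated; rejecting it with `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` would be safer. If callers may pass `own_cid == NULL` together with a zero length (the empty-CID tests suggest this is a supported case), guard the copy with `if( own_cid_len != 0 )`, since `memcpy` with a null pointer is undefined even for zero bytes.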
|
||||
|
|
|
@ -2180,7 +2180,7 @@ int main( int argc, char *argv[] )
|
|||
(unsigned) peer_cid_len );
|
||||
while( idx < peer_cid_len )
|
||||
{
|
||||
mbedtls_printf( "%#02x ", peer_cid[ idx ] );
|
||||
mbedtls_printf( "%02x ", peer_cid[ idx ] );
|
||||
idx++;
|
||||
}
|
||||
mbedtls_printf( "\n" );
|
||||
|
|
|
@ -924,7 +924,8 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
|
|||
|
||||
#endif /* SNI_OPTION */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) || \
|
||||
defined(MBEDTLS_SSL_CID)
|
||||
|
||||
#define HEX2NUM( c ) \
|
||||
do \
|
||||
|
@ -967,6 +968,10 @@ int unhexify( unsigned char *output, const char *input, size_t *olen )
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
|
||||
typedef struct _psk_entry psk_entry;
|
||||
|
||||
struct _psk_entry
|
||||
|
@ -3330,7 +3335,7 @@ handshake:
|
|||
(unsigned) peer_cid_len );
|
||||
while( idx < peer_cid_len )
|
||||
{
|
||||
mbedtls_printf( "%#02x ", peer_cid[ idx ] );
|
||||
mbedtls_printf( "%02x ", peer_cid[ idx ] );
|
||||
idx++;
|
||||
}
|
||||
mbedtls_printf( "\n" );
|
||||
|
|
285
tests/ssl-opt.sh
285
tests/ssl-opt.sh
|
@ -1278,94 +1278,289 @@ run_test "Truncated HMAC, DTLS: client enabled, server enabled" \
|
|||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client enabled, server disabled" \
|
||||
"$P_SRV dtls=1 cid=0" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=deadbeef" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=0" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
|
||||
0 \
|
||||
-s "Disable use of CID extension." \
|
||||
-s "found CID extension" \
|
||||
-s "Client sent CID extension, but CID disabled" \
|
||||
-c "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-S "server hello, adding CID extension" \
|
||||
-C "found CID extension" \
|
||||
-S "Copy CIDs into SSL transform" \
|
||||
-C "Copy CIDs into SSL transform" \
|
||||
-c "Use of Connection ID was rejected by the server"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client disabled, server enabled" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI dtls=1 cid=0" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=0" \
|
||||
0 \
|
||||
-c "Disable use of CID extension." \
|
||||
-C "client hello, adding CID extension" \
|
||||
-S "found CID extension" \
|
||||
-s "Enable use of CID extension." \
|
||||
-S "server hello, adding CID extension" \
|
||||
-C "found CID extension" \
|
||||
-S "Copy CIDs into SSL transform" \
|
||||
-C "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID was not offered by the client"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=dead" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=beef" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 2 Bytes): de ad" \
|
||||
-s "Peer CID (length 2 Bytes): be ef"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI dtls=1 cid=1" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 4 Bytes): de ad be ef" \
|
||||
-s "Peer CID (length 0 Bytes):"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
|
||||
"$P_SRV dtls=1 cid=1" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=deadbeef" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-s "Peer CID (length 4 Bytes): de ad be ef" \
|
||||
-c "Peer CID (length 0 Bytes):"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
|
||||
"$P_SRV dtls=1 cid=1" \
|
||||
"$P_CLI dtls=1 cid=1" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-S "Use of Connection ID has been negotiated" \
|
||||
-C "Use of Connection ID has been negotiated"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty, AES-128-CCM-8" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=dead" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 2 Bytes): de ad" \
|
||||
-s "Peer CID (length 2 Bytes): be ef"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 4 Bytes): de ad be ef" \
|
||||
-s "Peer CID (length 0 Bytes):"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
|
||||
"$P_SRV dtls=1 cid=1" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-s "Peer CID (length 4 Bytes): de ad be ef" \
|
||||
-c "Peer CID (length 0 Bytes):"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
|
||||
"$P_SRV dtls=1 cid=1" \
|
||||
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-S "Use of Connection ID has been negotiated" \
|
||||
-C "Use of Connection ID has been negotiated"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID nonempty, AES-128-CBC" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=dead" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 2 Bytes): de ad" \
|
||||
-s "Peer CID (length 2 Bytes): be ef"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=deadbeef" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 4 Bytes): de ad be ef" \
|
||||
-s "Peer CID (length 0 Bytes):"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
|
||||
"$P_SRV dtls=1 cid=1" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=deadbeef force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-s "Peer CID (length 4 Bytes): de ad be ef" \
|
||||
-c "Peer CID (length 0 Bytes):"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
|
||||
"$P_SRV dtls=1 cid=1" \
|
||||
"$P_CLI dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-S "Use of Connection ID has been negotiated" \
|
||||
-C "Use of Connection ID has been negotiated"
|
||||
|
||||
requires_config_enabled MBEDTLS_SSL_CID
|
||||
requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
|
||||
run_test "(STUB) Connection ID: Client+Server enabled, renegotiate" \
|
||||
"$P_SRV dtls=1 cid=1 cid_val=dead renegotiation=1" \
|
||||
"$P_CLI dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
|
||||
0
|
||||
"$P_SRV debug_level=3 dtls=1 cid=1 cid_val=dead renegotiation=1" \
|
||||
"$P_CLI debug_level=3 dtls=1 cid=1 cid_val=beef renegotiation=1 renegotiate=1" \
|
||||
0 \
|
||||
-c "Enable use of CID extension." \
|
||||
-s "Enable use of CID extension." \
|
||||
-c "client hello, adding CID extension" \
|
||||
-s "found CID extension" \
|
||||
-s "Use of CID extension negotiated" \
|
||||
-s "server hello, adding CID extension" \
|
||||
-c "found CID extension" \
|
||||
-c "Use of CID extension negotiated" \
|
||||
-s "Copy CIDs into SSL transform" \
|
||||
-c "Copy CIDs into SSL transform" \
|
||||
-s "Use of Connection ID has been negotiated" \
|
||||
-c "Use of Connection ID has been negotiated" \
|
||||
-c "Peer CID (length 2 Bytes): de ad" \
|
||||
-s "Peer CID (length 2 Bytes): be ef"
|
||||
|
||||
# Tests for Encrypt-then-MAC extension
|
||||
|
||||
|
|