Allow to configure the stack's behaviour on unexpected CIDs

This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow the configuration of the stack's behaviour when receiving an
encrypted DTLS record with an unexpected CID.
Hanno Becker 2019-05-14 11:30:10 +01:00
parent c37c96a3c5
commit 8367ccc03b
5 changed files with 46 additions and 15 deletions


@ -1335,7 +1335,7 @@
* in the underlying transport.
*
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid_len()`.
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
* See their documentation for more information.
*
* \warning The Connection ID extension is still in draft state.


@ -1114,6 +1114,11 @@ struct mbedtls_ssl_config
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */
#endif
#if defined(MBEDTLS_SSL_CID)
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
* record with unexpected CID
* should lead to failure. */
#endif /* MBEDTLS_SSL_CID */
};
@ -1572,7 +1577,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
* MBEDTLS_SSL_CID_DISABLED.
*
* \note The value of \p own_cid_len must match the value of the
* \c len parameter passed to mbedtls_ssl_conf_cid_len()
* \c len parameter passed to mbedtls_ssl_conf_cid()
* when configuring the ::mbedtls_ssl_config that \p ssl
* is bound to.
*
@ -2305,14 +2310,27 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites );
#if defined(MBEDTLS_SSL_CID)
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 0
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 1
/**
* \brief Specify the length of CIDs for incoming encrypted
* DTLS records. (Default: \c 0)
* \brief Specify the length of CIDs for incoming encrypted DTLS
* records and specify the behaviour on unexpected CIDs.
*
* By default, the CID length is set to \c 0,
* and unexpected CIDs are silently ignored.
*
* \param conf The SSL configuration to modify.
* \param len The length in Bytes of the CID fields in encrypted
* DTLS records using the CID mechanism. This must
* not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX.
* \param ignore_other_cid This determines the stack's behaviour when
* receiving a record with an unexpected CID.
* Possible values are:
* - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
* In this case, the record is silently ignored.
* - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL
* In this case, the stack fails with the specific
* error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID.
*
* \note The CID specification allows implementations to either
* use a common length for all incoming connection IDs or
@ -2325,7 +2343,8 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
* is too large.
*/
int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, size_t len );
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
int ignore_other_cids );
#endif /* MBEDTLS_SSL_CID */
/**
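Review bot: The new documentation of mbedtls_ssl_conf_cid() says that unexpected CIDs are silently ignored by default, but `MBEDTLS_SSL_UNEXPECTED_CID_FAIL` is defined as 0 and the new `ignore_unexpected_cid` bit in `mbedtls_ssl_config` is set only for IGNORE, so a configuration that is merely zero-initialised would fail on an unexpected CID. Whether the defaults code sets the bit is not visible on this page; if it does not, either make the zero value mean "ignore" (for example `#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0` and `#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1`, with the field storing the fail flag) or correct the sentence. The Doxygen block also documents `\param ignore_other_cid` while the prototype names the parameter `ignore_other_cids`, and the `\return` text still refers to `\p own_cid_len` rather than `\p len`. The `\param len` text bounds the length by `MBEDTLS_SSL_CID_OUT_LEN_MAX`, whereas the implementation shown further down checks `MBEDTLS_SSL_CID_IN_LEN_MAX`; one of the two should be aligned.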


@ -122,12 +122,15 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
/* WARNING: The CID feature isn't fully implemented yet
* and will not be used. */
int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf,
size_t len )
int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
size_t len,
int ignore_other_cid )
{
if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
conf->ignore_unexpected_cid =
( ignore_other_cid == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
conf->cid_len = len;
return( 0 );
}
@ -2570,12 +2573,10 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
/*
* Match record's CID with incoming CID.
*/
if( rec->cid_len != transform->in_cid_len ||
memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
{
/* Silently skip over record with mismatching CID. */
return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
}
#endif /* MBEDTLS_SSL_CID */
@ -5094,8 +5095,15 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
&rec ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
#if defined(MBEDTLS_SSL_CID)
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
{
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
}
#endif /* MBEDTLS_SSL_CID */
return( ret );
}
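Review bot: In ssl_prepare_record_content() the 1-bit field is compared against a macro (`ssl->conf->ignore_unexpected_cid == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE`) although mbedtls_ssl_conf_cid() stores a truth value in it, so the test is correct only while IGNORE happens to be 1; testing the bit directly, `ssl->conf->ignore_unexpected_cid != 0`, would survive a renumbering of the constants. In the fail case MBEDTLS_ERR_SSL_UNEXPECTED_CID is returned for a record whose mismatch is found by the plain length-and-memcmp comparison in the mbedtls_ssl_decrypt_buf() hunk, apparently before the record has been authenticated, so the error may be caused by a datagram that did not come from the peer. A comment at the new branch would help callers choose the mode, e.g. `/* CID mismatch is detected on unauthenticated data; treat it as fatal only if the application opted in. */`. Both function bodies continue outside their hunks, and how the caller of ssl_prepare_record_content() reacts to the new error code is not visible here.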


@ -1842,9 +1842,11 @@ int main( int argc, char *argv[] )
if( opt.cid_enabled == 1 )
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
ret = mbedtls_ssl_conf_cid( &conf, cid_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
else
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
if( ret != 0 )
{


@ -2727,9 +2727,11 @@ int main( int argc, char *argv[] )
}
if( opt.cid_enabled == 1 )
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len );
ret = mbedtls_ssl_conf_cid( &conf, cid_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
else
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len );
ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
if( ret != 0 )
{