Allow to configure the stack's behaviour on unexpected CIDs

This commit modifies the CID configuration API mbedtls_ssl_conf_cid_len()
to allow configuring the stack's behaviour when it receives an
encrypted DTLS record with an unexpected CID.
Hanno Becker 2019-05-14 11:30:10 +01:00
parent c37c96a3c5
commit 8367ccc03b
5 changed files with 46 additions and 15 deletions


@ -1335,7 +1335,7 @@
* in the underlying transport. * in the underlying transport.
* *
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`, * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid_len()`. * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
* See their documentation for more information. * See their documentation for more information.
* *
* \warning The Connection ID extension is still in draft state. * \warning The Connection ID extension is still in draft state.


@ -1114,6 +1114,11 @@ struct mbedtls_ssl_config
unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in
Certificate Request messages? */ Certificate Request messages? */
#endif #endif
#if defined(MBEDTLS_SSL_CID)
unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS
* record with unexpected CID
* should lead to failure. */
#endif /* MBEDTLS_SSL_CID */
}; };
@ -1572,7 +1577,7 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
* MBEDTLS_SSL_CID_DISABLED. * MBEDTLS_SSL_CID_DISABLED.
* *
* \note The value of \p own_cid_len must match the value of the * \note The value of \p own_cid_len must match the value of the
* \c len parameter passed to mbedtls_ssl_conf_cid_len() * \c len parameter passed to mbedtls_ssl_conf_cid()
* when configuring the ::mbedtls_ssl_config that \p ssl * when configuring the ::mbedtls_ssl_config that \p ssl
* is bound to. * is bound to.
* *
@ -2305,14 +2310,27 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
const int *ciphersuites ); const int *ciphersuites );
#if defined(MBEDTLS_SSL_CID) #if defined(MBEDTLS_SSL_CID)
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 0
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 1
/** /**
* \brief Specify the length of CIDs for incoming encrypted * \brief Specify the length of CIDs for incoming encrypted DTLS
* DTLS records. (Default: \c 0) * records and specify the behaviour on unexpected CIDs.
*
* By default, the CID length is set to \c 0,
* and unexpected CIDs are silently ignored.
* *
* \param conf The SSL configuration to modify. * \param conf The SSL configuration to modify.
* \param len The length in Bytes of the CID fields in encrypted * \param len The length in Bytes of the CID fields in encrypted
* DTLS records using the CID mechanism. This must * DTLS records using the CID mechanism. This must
* not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX. * not be larger than #MBEDTLS_SSL_CID_OUT_LEN_MAX.
* \param ignore_other_cid This determines the stack's behaviour when
* receiving a record with an unexpected CID.
* Possible values are:
* - #MBEDTLS_SSL_UNEXPECTED_CID_IGNORE
* In this case, the record is silently ignored.
* - #MBEDTLS_SSL_UNEXPECTED_CID_FAIL
* In this case, the stack fails with the specific
* error code #MBEDTLS_ERR_SSL_UNEXPECTED_CID.
* *
* \note The CID specification allows implementations to either * \note The CID specification allows implementations to either
* use a common length for all incoming connection IDs or * use a common length for all incoming connection IDs or
@ -2325,7 +2343,8 @@ void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p own_cid_len
* is too large. * is too large.
*/ */
int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, size_t len ); int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
int ignore_other_cids );
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
/** /**
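Review bot: The new sentence "By default ... unexpected CIDs are silently ignored" does not match what the visible code would do. `MBEDTLS_SSL_UNEXPECTED_CID_FAIL` is `0`, so a zero-initialised `mbedtls_ssl_config` has `ignore_unexpected_cid == 0`, and none of the hunks shown sets the field to `MBEDTLS_SSL_UNEXPECTED_CID_IGNORE` as a default. Unless the default is set somewhere outside this diff, a configuration that never calls mbedtls_ssl_conf_cid() would return `MBEDTLS_ERR_SSL_UNEXPECTED_CID` on a record with a foreign CID, whereas a datagram transport normally wants such records discarded so that stray or spoofed packets cannot disturb an established session. Either initialise the field to IGNORE in the config defaults or swap the macro values so that `0` means ignore. Separately, the doc block names the parameter `ignore_other_cid` while the prototype says `ignore_other_cids`; the two should agree.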


@ -122,12 +122,15 @@ static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
/* WARNING: The CID feature isn't fully implemented yet /* WARNING: The CID feature isn't fully implemented yet
* and will not be used. */ * and will not be used. */
int mbedtls_ssl_conf_cid_len( mbedtls_ssl_config *conf, int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
size_t len ) size_t len,
int ignore_other_cid )
{ {
if( len > MBEDTLS_SSL_CID_IN_LEN_MAX ) if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
conf->ignore_unexpected_cid =
( ignore_other_cid == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
conf->cid_len = len; conf->cid_len = len;
return( 0 ); return( 0 );
} }
@ -2570,12 +2573,10 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
/* /*
* Match record's CID with incoming CID. * Match record's CID with incoming CID.
*/ */
if( rec->cid_len != transform->in_cid_len || if( rec->cid_len != transform->in_cid_len ||
memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
{ {
/* Silently skip over record with mismatching CID. */ return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
} }
#endif /* MBEDTLS_SSL_CID */ #endif /* MBEDTLS_SSL_CID */
@ -5094,8 +5095,15 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
&rec ) ) != 0 ) &rec ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
#if defined(MBEDTLS_SSL_CID)
if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
ssl->conf->ignore_unexpected_cid
== MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
{
ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
}
#endif /* MBEDTLS_SSL_CID */
return( ret ); return( ret );
} }
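Review bot: mbedtls_ssl_conf_cid() accepts any `int` for `ignore_other_cid` and quietly treats every value other than `MBEDTLS_SSL_UNEXPECTED_CID_IGNORE` as FAIL, so a caller passing a wrong constant gets the stricter mode without any error. The function already returns `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` for a bad length, so unknown modes can be rejected the same way before storing: `if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL && ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );`. In the ssl_prepare_record_content hunk, the earlier mapping of `MBEDTLS_ERR_SSL_UNEXPECTED_RECORD` to `MBEDTLS_ERR_SSL_CONTINUE_PROCESSING` appears to be dropped, so it is worth confirming that no other path out of mbedtls_ssl_decrypt_buf() still returns that code and now becomes fatal. The bodies of mbedtls_ssl_decrypt_buf() and ssl_prepare_record_content() continue outside the hunks.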


@ -1842,9 +1842,11 @@ int main( int argc, char *argv[] )
if( opt.cid_enabled == 1 ) if( opt.cid_enabled == 1 )
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); ret = mbedtls_ssl_conf_cid( &conf, cid_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
else else
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len ); ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
if( ret != 0 ) if( ret != 0 )
{ {


@ -2727,9 +2727,11 @@ int main( int argc, char *argv[] )
} }
if( opt.cid_enabled == 1 ) if( opt.cid_enabled == 1 )
ret = mbedtls_ssl_conf_cid_len( &conf, cid_len ); ret = mbedtls_ssl_conf_cid( &conf, cid_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
else else
ret = mbedtls_ssl_conf_cid_len( &conf, cid_renego_len ); ret = mbedtls_ssl_conf_cid( &conf, cid_renego_len,
MBEDTLS_SSL_UNEXPECTED_CID_IGNORE );
if( ret != 0 ) if( ret != 0 )
{ {