Skip copying CIDs to SSL transforms until CID feature is complete

This commit temporarily comments the copying of the negotiated CIDs
into the established ::mbedtls_ssl_transform in mbedtls_ssl_derive_keys()
until the CID feature has been fully implemented.

While mbedtls_ssl_decrypt_buf() and mbedtls_ssl_encrypt_buf() do
support CID-based record protection by now and can be unit tested,
the following two changes in the rest of the stack are still missing
before CID-based record protection can be integrated:
- Parsing of CIDs in incoming records.
- Allowing the new CID record content type for incoming records.
- Dealing with a change of record content type during record
  decryption.

Further, since mbedtls_ssl_get_peer_cid() judges the use of CIDs by
the CID fields in the currently transforms, this change also requires
temporarily disabling some grepping for ssl_client2 / ssl_server2
debug output in ssl-opt.sh.

library/ssl_tls.c

@@ -956,11 +956,14 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
     if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
-        transform->in_cid_len = ssl->own_cid_len;
-        transform->out_cid_len = ssl->handshake->peer_cid_len;
-        memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
-        memcpy( transform->out_cid, ssl->handshake->peer_cid,
-                ssl->handshake->peer_cid_len );
+
+        /* Uncomment this once CID-parsing and support for a change
+         * record content type during record decryption are added. */
+        /* transform->in_cid_len = ssl->own_cid_len; */
+        /* transform->out_cid_len = ssl->handshake->peer_cid_len; */
+        /* memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len ); */
+        /* memcpy( transform->out_cid, ssl->handshake->peer_cid, */
+        /*         ssl->handshake->peer_cid_len ); */
 
         MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
                                transform->out_cid_len );

tests/ssl-opt.sh

@@ -1321,11 +1321,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef"
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
@@ -1341,11 +1342,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty" \
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 4 Bytes): de ad be ef" \
-            -s "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 4 Bytes): de ad be ef" \
+#            -s "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
@@ -1361,11 +1363,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty" \
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -s "Peer CID (length 4 Bytes): de ad be ef" \
-            -c "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -s "Peer CID (length 4 Bytes): de ad be ef" \
+#            -c "Peer CID (length 0 Bytes):"
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty" \
@@ -1399,11 +1402,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CCM-8" \
@@ -1419,11 +1423,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 4 Bytes): de ad be ef" \
-            -s "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 4 Bytes): de ad be ef" \
+#            -s "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CCM-8" \
@@ -1439,11 +1444,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -s "Peer CID (length 4 Bytes): de ad be ef" \
-            -c "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -s "Peer CID (length 4 Bytes): de ad be ef" \
+#            -c "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CCM-8" \
@@ -1477,11 +1483,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID none
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-128-CBC" \
@@ -1497,11 +1504,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Client CID empty, AES-
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 4 Bytes): de ad be ef" \
-            -s "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 4 Bytes): de ad be ef" \
+#            -s "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-128-CBC" \
@@ -1517,11 +1525,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, Server CID empty, AES-
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -s "Peer CID (length 4 Bytes): de ad be ef" \
-            -c "Peer CID (length 0 Bytes):"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -s "Peer CID (length 4 Bytes): de ad be ef" \
+#            -c "Peer CID (length 0 Bytes):" \
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 requires_config_enabled MBEDTLS_SSL_CID
 run_test    "(STUB) Connection ID: Client+Server enabled, Client+Server CID empty, AES-128-CBC" \
@@ -1556,11 +1565,12 @@ run_test    "(STUB) Connection ID: Client+Server enabled, renegotiate" \
             -c "found CID extension" \
             -c "Use of CID extension negotiated" \
             -s "Copy CIDs into SSL transform" \
-            -c "Copy CIDs into SSL transform" \
-            -s "Use of Connection ID has been negotiated" \
-            -c "Use of Connection ID has been negotiated" \
-            -c "Peer CID (length 2 Bytes): de ad" \
-            -s "Peer CID (length 2 Bytes): be ef"
+            -c "Copy CIDs into SSL transform"
+# Uncomment once CID is fully implemented
+#            -c "Peer CID (length 2 Bytes): de ad" \
+#            -s "Peer CID (length 2 Bytes): be ef"
+#            -s "Use of Connection ID has been negotiated" \
+#            -c "Use of Connection ID has been negotiated" \
 
 # Tests for Encrypt-then-MAC extension